1 / 80

COEN 250 Computer Forensics

COEN 250 Computer Forensics. Windows Life Analysis. Extracting Evidence from a Life System. Degrees of Volatility of Data. Gathering more volatile data versus Safer forensics procedures. Extracting Evidence from a Life System. Life Examination is done: To quickly access the situation

jarvis
Download Presentation

COEN 250 Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 250 Computer Forensics Windows Life Analysis

  2. Extracting Evidence from a Life System Degrees of Volatility of Data. • Gathering more volatile data versus • Safer forensics procedures.

  3. Extracting Evidence from a Life System Life Examination is done: • To quickly access the situation • Confirmation of incident. • To retrieve volatile data • Such as network connections, running processes, etc.

  4. Extracting Evidence from a Life System Initial response must not destroy potential evidence. • Use only trusted tools on a response toolkit. • Document results. • Notebook  • Hard Drive of target system  • Removable media connected to target drive  • Other system using netcat or cryptcat 

  5. Extracting Evidence from a Life System • Plan investigation. • Evidence gathering differs according to incidence: • Unacceptable web-surfing. • Intellectual property rights theft. • Compromised system.

  6. Extracting Evidence from a Life System • Response Toolkit • Collection of Trusted Tools. • Stored on removable media. • Floppies (write-protected) • CD • Thumbdrive (write-protected)

  7. Response Toolkit • Determine the tools needed. • Create Toolkit. • Check dependencies on DLL and other files. Include those in toolkit. • Include a file authentication tool such as MD5.

  8. Tools

  9. Response Toolkit: cmd.exe Built-in command prompt should be included in the toolkit.

  10. Response Toolkit • Tool Collection • System & Time • Logged on Users • Process Information • Network and Port Information

  11. Response Toolkit: Time and date • Built-in: • date /t • time /t • Systeminfo.exe gives uptime with a lot of other details. • Perl: • print localtime(time) “\n”;

  12. Response Toolkit • Logged on / remotely logged on users: • PsLoggedOn (see below) • Netusers from Somarsoft • Net session (native to windows) • rasusers (see below)

  13. Response Toolkit rasusers • Which users have remote access privileges on the target system.

  14. Response Toolkit PsLoggedOn

  15. Response Toolkit • Process Information

  16. Response Toolkit • Pulist (from resource kit) • PsList

  17. Response Toolkit • ListDLL

  18. Response Toolkit Handle gives all handles

  19. Response Toolkit Tlist is part of the Microsoft debugging tools.

  20. Response Toolkit • Cmdline from Diamond CS displays all processes with their arguments.

  21. Response Toolkit PmDump dumps memory of a process.

  22. Response Toolkit • dd for windows dumps the contents of main memory into a file.

  23. Response Toolkit Clipboard contents can be dumped with a small perl script: use Win32::Clipboard; print Win32::Clipboard->Get(), "\n";

  24. Response Toolkit • Doskey /history

  25. Response Toolkit • SC.exe communicates with the NT Service Controller

  26. Response Toolkit • Windows has “protected storage”. • Use PStoreView to access it.

  27. Response Toolkit • PsService views services:

  28. Response Toolkit • PsInfo contains interesting system data including the uptime

  29. Resource Toolkit: kill • Get it from the Windows NT Resource Kit. • Terminates processes via process number.

  30. Response Toolkit • Network and Port Information

  31. Response Toolkit netstat • Enumerates all listening ports and all connections to those ports.

  32. Response Toolkit Fport • Finds open TCP/IP and UDP ports and maps them to the owning application

  33. Response Toolkit ipconfig

  34. Response Toolkit • Promiscdetect • Figures out whether network card is in promiscuous mode.

  35. Resource Toolkit: nbtstat

  36. Response Toolkit • psfile

  37. Response Toolkit • openports

  38. Resource Toolkit: arp

  39. Recourse Toolkit: md5sum • Creates MD5 hashes for a file.

  40. Resource Toolkit: PsLogList • Dumps the event log list.

  41. Resource Toolkit: PsInfo Local System built.

  42. Remote Toolkit: PsFile

  43. Resource Toolkit: PsService

  44. Resource Toolkit • Analyzing files • String.exe • Bintext.exe • Dependency Walker • File Date Time Extractor for Windows Word • …

  45. Resource Toolkit: regdump

  46. Preparing the Toolkit

  47. Preparing the Toolkit • Label the toolkit. • Check for dependencies with Filemon or ListDLL. • Lots of dependencies  lots of MAC changes. • Lots of dependencies  easy to run into a trojaned utility • Create an MD5 of the toolkit. • Write protect any floppies.

  48. Using the Toolkit

  49. Storing Obtained Data • Save data on the hard drive of target.  (Modifies System.) • Record data by hand.  • Save data on removable media.  • Includes USB storage. • Save data on a remote system with netcat or cryptcat. 

  50. Storing Obtained Data with netcat • Quick on, quick off target system. • Allows offline review. • Establish a netcat listener on the forensic workstation. Redirect into a file. • Establish a netcat funneler on the target system to the forensic workstation. • Cryptcat does the same, but protects against sniffing.

More Related