1 / 34

Live Data Collection from Windows System

Live Data Collection from Windows System. Outline. Preface Creating a Response Toolkit Storing Information Obtained during the Initial Response Obtaining Volatile Data Performing an In-Depth Live Response. Outline. Preface Creating a Response Toolkit

libby
Download Presentation

Live Data Collection from Windows System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Live Data Collection from Windows System

  2. Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response

  3. Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response

  4. Preface • The goal of an initial response: • Confirm there is an incident • Retrieve the system’s volatile data • OS: • Windows NT/2000/XP

  5. Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response

  6. What is important • Don’t affecting any potential evidence • Prepare a complete response toolkit • A live investigation is not the time to create or test your toolkit for the first time!!!

  7. The Utility (I)

  8. The Utility (II)

  9. Preparing the Toolkit • Label the response toolkit media • Case number • Time and date • Name of the investigator who created the response media • Name of the investigator using the response media

  10. Preparing the toolkit • Check for dependencies with Filemon • Determine which DLLs and files your response tools depend on • Create a checksum for the response toolkit • md5sum • Write-protect any toolkit floppies

  11. Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response

  12. Prelim • “live”: power on • Four options when retrieving information from a live system • The hard drive of the target system • In a notebook • Response floppy disk or other removable media • Remote forensic system using netcat or cryptcat

  13. Transferring Data with netcat • Two advantage • Get on and off the target system quickly • Perform an offline review

  14. Transferring Data with netcat 2 3 1 Time date loggedon fport pslist nbtstat -c NT System Forensic System 1: Run trusted commands on NT Server 2: Send output to forensics box via netcat 3: Perform off-line review md5sum output files

  15. Transferring Data with netcat • Forensic workstation • Target system

  16. Encrypting Data with cryptcat • Has the same syntax and functions as the netcat command • Sniffer cannot compromise the information you obtain • Eliminates the risk of contamination or injection of data • Two-man integrity rule

  17. Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response

  18. Collect the important information • At minimum, volatile data prior to forensic duplication • System date and time • A list of the users who are currently logged on • Time/date stamps for the entire file system • A list of the currently running processes • A list of the currently open sockets • The applications listening on open sockets • A list of the systems that have current or had recent connections to the system

  19. Organizing and Documenting Your Investigation

  20. Collecting Volatile Data • Top-ten list of the steps to use for data collection • Execute a trusted cmd.exe • Record the system time and date • Determine who is logged in to the system (and remote-access users, if applicable) • PsLoggedOn • rasusers • Record modification, creation, and access times of all files • dir /?

  21. Collecting Volatile Data • Determine open ports • netstat • List applications associated with open ports • Fport • winpop.exeNetbus trojan • windll.exeGirlFriend trojan • List all running processes • Pslist • List current and recent connections • netstat • arp • nbtstat

  22. Collecting Volatile Data • Record the system time and date • Sandwich your data-retrieval commands between time and date commands • Document the commands used during initial response • doskey /history • Scripting your initial response

  23. Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response

  24. Don’t affect your system • Find evidence and properly remove rogue programs without disrupting any services

  25. Creating an In-Depth Response Toolkit

  26. Collecting Live Response Data • Two key sources of evidence on Windows NT/2000 • The event logs • The Registry • Four approach to obtain quite a bit of information • Review the event logs • Review the Registry • Obtain system passwords • Dump system RAM

  27. Review the event logs • auditpol • NTLast • dumpel

  28. Successful logons

  29. Enumerate failed console logons

  30. List all successful logons from remote systems

  31. Review the Registry • regdump • Create an enormous text file of the Registry • reg query • Extract just the Registry key values of interest

  32. Obtaining System Passwords • pwdump3e • Dump the passwords from the Security Accounts Manager (SAM) database

  33. Dumping System RAM • userdump.exe (MS OEM Support Tools) • Two types of memory • User mode (application) memory • Full-system memory

More Related