510 likes | 933 Views
Live Data Collection from Windows System. Outline. Preface Creating a Response Toolkit Storing Information Obtained during the Initial Response Obtaining Volatile Data Performing an In-Depth Live Response. Outline. Preface Creating a Response Toolkit
E N D
Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response
Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response
Preface • The goal of an initial response: • Confirm there is an incident • Retrieve the system’s volatile data • OS: • Windows NT/2000/XP
Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response
What is important • Don’t affecting any potential evidence • Prepare a complete response toolkit • A live investigation is not the time to create or test your toolkit for the first time!!!
Preparing the Toolkit • Label the response toolkit media • Case number • Time and date • Name of the investigator who created the response media • Name of the investigator using the response media
Preparing the toolkit • Check for dependencies with Filemon • Determine which DLLs and files your response tools depend on • Create a checksum for the response toolkit • md5sum • Write-protect any toolkit floppies
Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response
Prelim • “live”: power on • Four options when retrieving information from a live system • The hard drive of the target system • In a notebook • Response floppy disk or other removable media • Remote forensic system using netcat or cryptcat
Transferring Data with netcat • Two advantage • Get on and off the target system quickly • Perform an offline review
Transferring Data with netcat 2 3 1 Time date loggedon fport pslist nbtstat -c NT System Forensic System 1: Run trusted commands on NT Server 2: Send output to forensics box via netcat 3: Perform off-line review md5sum output files
Transferring Data with netcat • Forensic workstation • Target system
Encrypting Data with cryptcat • Has the same syntax and functions as the netcat command • Sniffer cannot compromise the information you obtain • Eliminates the risk of contamination or injection of data • Two-man integrity rule
Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response
Collect the important information • At minimum, volatile data prior to forensic duplication • System date and time • A list of the users who are currently logged on • Time/date stamps for the entire file system • A list of the currently running processes • A list of the currently open sockets • The applications listening on open sockets • A list of the systems that have current or had recent connections to the system
Collecting Volatile Data • Top-ten list of the steps to use for data collection • Execute a trusted cmd.exe • Record the system time and date • Determine who is logged in to the system (and remote-access users, if applicable) • PsLoggedOn • rasusers • Record modification, creation, and access times of all files • dir /?
Collecting Volatile Data • Determine open ports • netstat • List applications associated with open ports • Fport • winpop.exeNetbus trojan • windll.exeGirlFriend trojan • List all running processes • Pslist • List current and recent connections • netstat • arp • nbtstat
Collecting Volatile Data • Record the system time and date • Sandwich your data-retrieval commands between time and date commands • Document the commands used during initial response • doskey /history • Scripting your initial response
Outline • Preface • Creating a Response Toolkit • Storing Information Obtained during the Initial Response • Obtaining Volatile Data • Performing an In-Depth Live Response
Don’t affect your system • Find evidence and properly remove rogue programs without disrupting any services
Collecting Live Response Data • Two key sources of evidence on Windows NT/2000 • The event logs • The Registry • Four approach to obtain quite a bit of information • Review the event logs • Review the Registry • Obtain system passwords • Dump system RAM
Review the event logs • auditpol • NTLast • dumpel
Review the Registry • regdump • Create an enormous text file of the Registry • reg query • Extract just the Registry key values of interest
Obtaining System Passwords • pwdump3e • Dump the passwords from the Security Accounts Manager (SAM) database
Dumping System RAM • userdump.exe (MS OEM Support Tools) • Two types of memory • User mode (application) memory • Full-system memory