1. Windows Forensics
Instructor: LT Dan Finnegan
Spring 2011
2. Main Objectives
Understand Windows file systems
Comprehend the Windows account controls
Understand Active Directory
Become familiar with Microsoft boot tasks
Understand MS-DOS startup tasks
3. 10.1 Windows Evidence Acquisition Boot Disk
Avoid data contamination or modification; when examining or previewing a system, bypass the computer’s operating system to avoid altering evidence.
Creating a “Windows Evidence Acquisition Boot Disk”:
Modify “command.com” and “io.sys” to prevent them from accessing system components on the drive
Delete the “drivespace.bin” file
Alternatively, boot the system from a Linux floppy or CD-ROM
Write Protecting a Hard Disk
Need to control/block the “INT 13h” functions that control disk access (read, write, format)
This can be done with software or a hardware write blocker
4. 10.1 Windows Evidence Acquisition Boot Disk (Cont.)
Make sure that if you use an Ethernet card or large Zip drive to transfer data to a collection disk, you have the drivers stored on the boot disk.
Use FAT32 on collection disks to allow saving of large data files.
Always virus check the boot disk to avoid damaging the computer!
5. 10.2 File Systems
The simplest Windows file systems are:
FAT12 – uses 12-bit fields for each entry in the FAT (mainly used for floppies).
FAT16 – uses 16-bit fields.
FAT32 – uses 28-bit fields (with 4 reserved).
FAT systems record only the last accessed date, not last accessed time.
The FAT can be thought of as a list with one entry for each cluster in a volume.
Clusters containing a zero are free for allocation.
6. 10.2 File Systems (Cont.)
Opening a file in a subdirectory:
The OS goes to the root directory, determines which cluster holds the subdirectory, and uses the directory information in that cluster to determine the starting cluster of the file.
7. 10.2 File Systems (Cont.)
NTFS
Stores information in a Master File Table (MFT).
The MFT is a list of records that contain information to find data on a disk.
Records contain created, last modified, and last accessed dates and times.
Directories are called “entries.”
NTFS creates MFT entries as needed.
Recovering deleted files in NTFS is complicated because:
Unused entries in the MFT are reused before new ones are created, and
Directory entries are sorted by name.
8. 10.2 File Systems (Cont.)
NTFS is a journaling file system – retains a record of file system operations that can be used to repair damage caused by a system crash.
9. 10.3 Overview of Digital Evidence Processing Tools
Searching many computers – most efficient to boot with an evidence acquisition boot disk and run a disk search utility (e.g., EnCase, DiskSearch Pro) from the DOS prompt.
Booting from a floppy, Safeback can make an exact copy of a drive and preserve its integrity. You can also use EnCase, Forensic Toolkit, SnapBack DatArrest, Byte Back.
Some software calculates integrity checks of acquired data separately, some acquire data along with integrity checks at regular intervals.
Courts are generally satisfied with both methods.
Many of these software titles can either use information from the BIOS or bypass the BIOS to ensure no false information.
10. FAT Directory Entries
Deleted folder entry
First available
12. The Sleuthkit: Viewing MFT
Shows low-level information
13. Reformatted Recovery
Before recovery
Re-formatted on 02/20/07
After recovery
Metadata visible
Contents may be overwritten
14. File Deletion Process
MFT entry marked as available
MFT $BITMAP updated
Parent Folder
Index entry removed
Folder contents resorted alphabetically
$BITMAP attribute updated
15. Remnants of File Deletion
File system entries
Last accessed date
Entry modified date
INFO file date
Recycle Bin records
Search unallocated
Data on disk
May be recoverable
16. File Recovery
Search entire disk for filename and file records
NTFS uses MFT records starting with “FILE0” or “FILE*”
Interpret the file record
MFT: filename, dates, location, and sometimes data
Resident versus non-resident data
Non-resident MFT has “runlist” of clusters
Check the location on disk for data
Different tools present information differently
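The record-interpretation steps on this slide, as an added example that is not part of the original slides: it scans a constructed image for FILE records, reads the in-use flag to spot deleted entries, and returns either the resident data or the decoded runlist. The builder functions, the sample image, the 1024-byte record size and the first-attribute offset of 56 are assumptions made for the example, and update-sequence fixups (which affect only the last two bytes of each sector) are not applied.

```python
import struct

def mft_record(in_use, attr, usa_off=0x30):  # constructed sample record, not real evidence
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", usa_off, 3, 0, 1, 1, 56,
                      int(in_use), 60 + len(attr), 1024)
    return (hdr.ljust(56, b"\0") + attr + b"\xff" * 4).ljust(1024, b"\0")

def resident(content):  # constructed resident $DATA attribute (type 0x80)
    return struct.pack("<IIBBHHHIHBB", 0x80, 24 + len(content), 0, 0, 24, 0, 0,
                       len(content), 24, 0, 0) + content

def nonresident(runlist, size):  # constructed non-resident $DATA attribute
    return struct.pack("<IIBBHHHQQHH4xQQQ", 0x80, 64 + len(runlist), 1, 0, 64, 0, 0,
                       0, 0, 64, 0, size, size, size) + runlist

def decode_runlist(buf):  # -> [(start cluster, cluster count)]; offsets are signed deltas
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        end = pos + 1 + len_sz + off_sz
        lcn += int.from_bytes(buf[pos + 1 + len_sz:end], "little", signed=True)
        runs.append((lcn, int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")))
        pos = end
    return runs

def scan(image, rec_size=1024):  # rec_size is assumed; a real volume states it in the boot sector
    found = []
    for base in range(0, len(image) - rec_size + 1, rec_size):
        rec = image[base:base + rec_size]
        if rec[:4] != b"FILE":
            continue
        pos, flags = struct.unpack_from("<HH", rec, 20)  # first attribute offset, flags
        info = {"offset": base, "tag": rec[:5].decode("latin-1"),
                "deleted": not flags & 0x01, "data": None}
        while pos + 24 <= rec_size:
            atype, alen = struct.unpack_from("<II", rec, pos)
            if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
                break
            if atype == 0x80 and rec[pos + 8] == 0:  # resident: data lives in the record
                size, off = struct.unpack_from("<IH", rec, pos + 16)
                info["data"] = ("resident", rec[pos + off:pos + off + size])
            elif atype == 0x80:  # non-resident: runlist points at clusters on disk
                roff = int.from_bytes(rec[pos + 32:pos + 34], "little")
                info["data"] = ("non-resident", decode_runlist(rec[pos + roff:pos + alen]))
            pos += alen
        found.append(info)
    return found

SAMPLE_IMAGE = (mft_record(True, resident(b"evidence")) + bytes(1024) +  # live, empty slot,
    mft_record(False, nonresident(bytes.fromhex("210834121104f000"), 6144), 0x2A))  # deleted
```

The fifth byte of each record is the low byte of the update-sequence offset, which is why the signature reads as “FILE0” (0x30) or “FILE*” (0x2A); the deleted sample record decodes to two runs, so its data is fragmented across the disk.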
17. Deleted MFT Entries
18. Basic MFT Entry Attributes
19. The Sleuthkit: Viewing MFT
Shows low-level information
20. Reading a Deleted MFT Entry
Identify the FILE record header
21. 10.3 Overview of Digital Evidence Processing Tools (Cont.)
Two main approaches to viewing data – physically or logically.
Physical – involves examining raw data using a text editor; data generally shown in hexadecimal form on the left and plain text on the right. Limitations: keyword search will not find occurrences that are broken across non-adjacent sectors.
Logical – examining data on a disk as it is represented by the file system. Limitations: areas of the disk not represented by the file system, such as file slack and unallocated space, are not examined.
Always advisable to verify all findings to check accuracy!
22. 10.4 Data Recovery
Two main forms of data recovery in FAT systems: recovering deleted data from unallocated space and recovering data from slack space.
Unallocated space – can try recovering data by reconnecting links in the chain. This works best if the file was stored in contiguous clusters. All tools assume that all clusters in a file are sequential. Some tools will recover deleted files from NTFS volumes.
This process must be performed on a copy of the evidentiary disk because data on the disk is altered.
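The sequential-cluster assumption described above, as an added example that is not part of the original slides: it decodes a deleted FAT directory entry, rebuilds the file from consecutive clusters, and reports any of those clusters the FAT has since given to another file. The 512-byte cluster size, the FAT12/16-style entry (no high cluster word), the helper `sample_entry` and all sample values are constructed for the example.

```python
import struct

CLUSTER = 512  # assumed cluster size of the constructed volume

def parse_dir_entry(raw):
    """Decode the fields of a 32-byte FAT directory entry that survive deletion."""
    deleted = raw[0] == 0xE5                            # first name byte is overwritten
    adate, = struct.unpack_from("<H", raw, 18)          # last accessed: a date, no time
    start, size = struct.unpack_from("<HI", raw, 26)    # first cluster, size in bytes
    first = "?" if deleted else chr(raw[0])
    return {"deleted": deleted,
            "name": first + raw[1:8].decode("ascii").rstrip() + "." + raw[8:11].decode("ascii"),
            "accessed": (1980 + (adate >> 9), (adate >> 5) & 0x0F, adate & 0x1F),
            "start": start, "size": size}

def recover_contiguous(entry, fat, data):
    """Return (bytes, reused); reused lists clusters now allocated to another file."""
    count = -(-entry["size"] // CLUSTER)                # clusters needed, rounded up
    clusters = range(entry["start"], entry["start"] + count)
    reused = [c for c in clusters if fat[c] != 0]       # zero means free for allocation
    body = b"".join(data[(c - 2) * CLUSTER:(c - 1) * CLUSTER] for c in clusters)
    return body[:entry["size"]], reused

def sample_entry(name11, start, size, adate):
    """Constructed deleted directory entry (sample data, not from a real disk)."""
    return (b"\xe5" + name11[1:].encode("ascii") + bytes(7) + struct.pack("<H", adate)
            + bytes(6) + struct.pack("<HI", start, size))

# Constructed volume: clusters 2..7 hold 'A'..'F'; cluster 6 now belongs to another file.
FAT = [0xFFF8, 0xFFFF, 0xFFFF, 0, 0, 0, 0xFFFF, 0]
DATA = b"".join(bytes([65 + i]) * CLUSTER for i in range(6))
CLEAN = parse_dir_entry(sample_entry("REPORT  TXT", 3, 1000, 13908))
REUSED = parse_dir_entry(sample_entry("LEDGER  XLS", 5, 1000, 13908))
```

A non-empty `reused` list means part of the recovered bytes belongs to a different file, so that recovery needs manual review.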
23. 10.4.1 Windows-Based Recovery Tools
Tools such as EnCase and FTK can use a bitstream copy of a disk to display a virtual reconstruction of the file system, including deleted files.
Does this without modifying the FAT.
Tools recover files on FAT systems by assuming all clusters in a file are sequential.
Fragmented files must be recovered manually.
Windows-based tools (EnCase and FTK) can be used to recover deleted files on NTFS volumes.
24. Understanding the Boot Sequence
Make sure computer boots from a floppy disk (other media)
Modify CMOS
Accessing CMOS depends on the BIOS
Delete key
Ctrl+Alt+Insert
Ctrl+A
Ctrl+F1
F2
F12
25. 10.4.2 Unix-based Recovery Tools
Linux can be used to perform basic examinations of FAT and NTFS systems.
Fatback, The Sleuth Kit, and SMART can be used for recovering deleted files from a FAT system.
Sleuth Kit combined with the Autopsy Forensic browser can be used to examine and recover deleted files on FAT systems.
Sleuth Kit and the Autopsy Forensic browser can be used to examine and recover files from an NTFS system.
Sleuth Kit can also recover slack space.
26. 10.4.3 File Carving With Windows
Another approach to recovering deleted files is to examine unallocated space, swap files, and other digital objects for class characteristics like headers and footers.
This process is like carving files out of the blob-like amalgam of data in unallocated space.
File carving tools include DataLifter, Easy-Recovery Pro, WinHex, and EnCase e-scripts.
NTI’s Graphic Image File Extractor can extract images, including those stored in Word documents.
27. 10.4.3 File Carving With Windows (Cont.)
These tools are generally limited because they rely on files that have intact headers.
Slack space contains fragmented data that can be recovered, but rarely can be reconstituted into complete files.
If a small file overwrites a large file, it may be possible to recover the majority of the large file from slack space.
It is easier to recover textual data from slack space because it is recognizable to the human eye.
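Header-and-footer carving as described in 10.4.3, as an added example that is not part of the original slides: it carves JPEG candidates from a constructed blob standing in for unallocated space and shows the intact-header limitation. The sample data and the `max_size` bound are assumptions made for the example.

```python
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first segment marker byte
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(blob, max_size=5 * 1024 * 1024):
    """Carve JPEG candidates from raw bytes by header and footer signatures.

    Returns dicts with offset, length and complete. A header with no footer
    within max_size is reported as incomplete rather than silently dropped.
    The first footer found ends the file, so an embedded thumbnail's footer
    would cut a real image short; that case is not handled here.
    """
    hits, pos = [], 0
    while (start := blob.find(JPEG_HEADER, pos)) != -1:
        end = blob.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            hits.append({"offset": start, "length": None, "complete": False})
            pos = start + len(JPEG_HEADER)
        else:
            hits.append({"offset": start, "length": end + 2 - start, "complete": True})
            pos = end + 2
    return hits

# Constructed "unallocated space": one intact JPEG, one whose header was
# overwritten, and one header whose tail is gone.
INTACT = JPEG_HEADER + b"\xe0" + b"picture-one" + JPEG_FOOTER
HEADERLESS = bytes(4) + b"picture-two" + JPEG_FOOTER
TRUNCATED = JPEG_HEADER + b"\xe1" + b"picture-three"
UNALLOCATED = bytes(16) + INTACT + bytes(32) + HEADERLESS + bytes(8) + TRUNCATED
```

The file whose header was overwritten is never reported even though its content and footer are still present.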
28. 10.4.4 Dealing With Password Protection and Encryption
It is possible to use a hexadecimal editor like WinHex to remove a password from a file.
More specialized tools to bypass or recover passwords include NTI, Lostpassword.com, Russian Password Crackers, and others.
29. 10.4.4 Dealing With Password Protection and Encryption (Cont.)
If it is necessary to bypass the logon password, use a program like ntpasswd or ERD Commander. LC4 can attempt to guess older NT passwords.
The most powerful and versatile password recovery programs are PRTK and DNA from Access Data. Access Data’s Distributed Network Attack can brute force Adobe Acrobat and Word/Excel files encrypted with 40 bit encryption.
Microsoft EFS generally uses 128-bit keys.
30. 10.5 Log Files
Attribution is a major goal; log files can record which account was used to access a system at any given time.
User accounts allow two forms of access to computers: interactive login and access to shared resources.
System log files can contain the information about user accounts that were used to commit a crime and can show that a user account might have been stolen.
The Windows NT and 2000 utility for processing log files is called “dumpel.”
A detailed procedure for examining log files can be found in the Handbook of Computer Crime Investigation.
31. LogParser: NT Event Logs
C:\>LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Username FROM 'SecEvent.Evt' WHERE EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2 AND Username NOT LIKE 'IUSR_%'"
LogonDate           Username
------------------- -------------
2002-05-06 21:03:31 esmith
2002-05-09 17:42:06 adoe
2002-05-09 19:56:53 esmith
2002-05-12 00:12:32 esmith
Unofficial LogParser support site: http://www.logparser.com/
32. NT Event Log Example
Unauthorized access
Clock backdating
The system time was changed.
Process ID: 300
Process Name: C:\WINDOWS\System32\RUNDLL32.EXE
Primary User Name: Owner
Primary Domain: EOWYN
Primary Logon ID: (0x0,0x14AA8)
Client User Name: Owner
Client Domain: EOWYN
Client Logon ID: (0x0,0x14AA8)
Previous Time: 4:20:03 PM 2/13/2004
New Time: 4:20:03 PM 12/11/2004
33. Preservation Scenario
Day 1:
Sys admin sees unauthorized logon attempts
No network-level to determine scope of attack
Attacker machine name captured in event logs
34. Preservation Scenario
Sys admin searches security event logs
Two servers with successful logons from attacker
Takes screenshots of unauthorized logons
Does not preserve full log
35. Preservation Scenario
Day 2:
Another attacker machine name is observed
Security event logs cleared (reason unknown)
Not possible to look back in time for new name
36. 10.6 File System Traces
An individual’s actions on a computer can leave many traces that can be used by digital investigators.
Moving a file within a volume does not change file times; the original deleted directory entry is identical to the new directory entry. This allows investigators to determine where files were moved from as long as the original directory entry exists.
37. NTFS Behavior (consistent inconsistencies)
38. Reading Windows FILETIME
64-bit Windows FILETIME
100-nanosecond intervals since January 1, 1600
Contract originally created
0x00 0xEA 0x4A 0xF2 0x6A 0xD2 0xC6 0x01
39. 10.6 File System Traces (Cont.)
Date-time stamp phenomenon.
When a file is copied within a volume or moved from a hard drive to a floppy, the created and last accessed date-time stamps are updated but the last modified date-time stamp stays the same.
This also occurs when a file is downloaded from certain types of file servers on the Internet.
40. 10.6 File System Traces (Cont.)
Metadata.
Information retained in Microsoft Office documents.
Includes location where a file was stored on disk, the printer, and original creation date and time.
Date-time stamps embedded in the file can be useful for analysis.
Date-time stamps can be affected by external influences (e.g., files from a compressed Zip archive).
41. 10.7 Windows Registry
Used to store system configuration and usage details in what are called “keys.”
Win 95 & 98 registry files (called “hives”) are named “system.dat” and “user.dat.”
Registry for Windows NT/2000/XP has a hive file named “ntuser.dat” for each user account.
Registry files recovered from an evidentiary system can be viewed on an examination system by using “regedt32” and the Load Hive option on the Registry menu.
Some keys are stored in ASCII, but can be saved as a text file.
42. 10.8 Internet Traces
Accessing the Internet leaves a wide variety of information including web sites, contents viewed, and newsgroups accessed.
Some Windows systems keep a log of when the modem was used.
Some Internet dial-up services maintain connection logs.
43. 10.8.1 Web Browsing
The first time a web page is viewed the browser caches the page on disk. When the same site is accessed again, the cached file is accessed.
Some web browsers track the number of times a site is accessed.
Netscape maintains a database of websites visited in “Netscape.hst.” Entries marked as deleted can be recovered with EnCase of E-Script.
Internet Explorer has similar information in files named “index.dat.”
44. 10.8.1 Web Browsing (Cont.)
Mozilla maintains a file named “_CACHE_001_” that shows HTTP responses containing the current date and time according to the Web server clock.
Netscape stores cookies in the cookies.txt file, while IE maintains cookies in the Windows\Cookies directory.
The presence of a cookie does not necessarily prove that a person intentionally accessed a particular web site.
45. 10.8.2 Usenet Access
Web browsers track which Usenet newsgroups have been accessed.
Netscape stores information in a file with a “rc.” extension.
MS Internet News stores information about newsgroup activities in the news directory.
46. 10.8.3 E-Mail
Plain text files: Netscape and Eudora
Proprietary formats: Outlook, Outlook Express, AOL
FTK can be used to interpret a variety of proprietary formats.
In some cases it is possible to recover messages that have been deleted but not yet purged.
47. 10.8.4 Other Applications
Yahoo Pager, AOL IM, and other Instant Messaging programs do not retain archives of messages by default but may be configured to log chat sessions.
Peer-to-peer file sharing programs may retain a list of hosts that were contacted or files that were accessed.
The best chance of obtaining information relating to these applications is to search parts of the hard drive where data may have been stored temporarily, or to monitor network traffic from the computer while the programs are in use.
48. 10.8.5 Network Storage
One of the most common remote storage locations is an individual’s ISP.
Also, search for traces of file transfer applications.
WS-FTP creates small log files showing file locations, FTP server names, and times of transfer.
CRT and SSH can be configured to maintain individual configuration files for each computer that a user connects to frequently.
Shared network drives are another example of remote storage.
Remnants of network file sharing may be found in various registry keys.
49. 10.9 Program Analysis
Three primary approaches are: examine source code, view the program in compiled form, run the program in a test environment.
Can use VMware to create a virtual machine for testing purposes.
Programs including Regsnap and Tripwire can be used to create a system baseline to show alterations during testing.
Details about processes and network connections can be observed by using tools from Sysinternals.com.