Windows Forensics
24 Jan 2008
TCSS431: Network Security
Stephen Rondeau
Institute of Technology
Lab Administrator
Agenda
Forensics Background
Operating Systems Review
Select Windows Features
Vectors and Payloads
Forensics Process
Forensics Tools
Demonstration
Forensics Background
Inspection of computer system for evidence of:
  crime
  unauthorized use
Evidence gathering/preservation techniques for admissibility in court of law
Consideration of suspect's level of expertise
Avoidance of data destruction or compromise
Operating System Review
What does an OS do?
  starts itself
  low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
  higher-level management of: file system, users, user interface, apps
  addresses issues of fairness, efficiency, data protection/access, workload balancing
Select Windows Features
Kernel vs. User Mode
Kernel features (architecture)
  device drivers
  installable file system
  object security
Services
User accounts, passwords and privileged groups
Security policies
Computing Devices: Simplistic
Computing Device
  takes some input
  processes it (OS, services, applications)
  provides some output
Network connects device
[Diagram labels: Data, Computing Device, input, output, Hub]
Computing Devices: Reality
[Diagram of device inputs and outputs. Labels: Human: K/M/touch, etc.; Data: Scanner/GPS; Data: Storage Device, PC/Express Card, Network, Printer, Etc.; Human: A/V; directions: In, Out, In/Out]
Computing Devices: Connections
removable media: floppy, CD/DVD, flash, microdrive
PC/Express Card
wired: serial/parallel, USB, Firewire, IDE/SATA, SCSI/SAS, twisted pair
wireless: radio (802.11, cellular, Bluetooth), Infrared (IR), Ultrasound
Vectors and Payloads
Vector: route used to gain entry to computer
  via a device without human intervention
  via an unsuspecting or willing person's actions
Payload: what is delivered via the vector
  malicious code
  may be multiple payloads
  spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.
Forensics Process
Assess (after permission is granted)
  determine how to approach affected system(s)
  inspect physical environment
  watch out for anti-forensics, booby-traps
  consider how to stop computer processing
Acquire
  capture volatile data
  copy hard drive
Analyze
Volatile Data
All of RAM, plus paging area
Logged on users
Processes (regular and services)
Process memory
Buffers
Clipboard
Network information (incoming and outgoing)
Command history
Nonvolatile Data
Partitions
Files
  hidden, streams
Registry keys
Recycle Bin
Scheduled tasks
User account and group information
Logs
What to Look For
Know baseline system: what to expect of a good system
Malware footprint
  in logs
  on file system (changed dates/sizes, hidden)
  in registry
  in startup areas
  in services list
  in network connections
Abnormality: function, performance, traffic patterns
Cross-check with multiple tools
Microsoft Tools
Basic
  Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas
  Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager
  Fix: Malicious Software Removal, Security Configuration Manager
Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
File: dir /ah, dir /od, dir /tc, findstr, cacls
Services: net start/stop, sc, services.msc
Process: tasklist, taskkill, schtasks
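The cross-check between tools that the "What to Look For" and "Microsoft Tools" slides call for, written out as an added example that is not from the original deck: it parses output in the layout of `netstat -anob` and `tasklist`, compares listening ports against a recorded baseline, and flags any PID that owns a socket but is missing from the process list (the disagreement a hidden process produces). The sample output, the baseline set and PID 1337 are constructed for illustration, not captured from a real host.

```python
import re
# Added example: constructed `netstat -anob` and `tasklist` output in the
# Windows XP/2003 layout, not captured from a real host; PID 1337 is hypothetical.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1337
 [svch0st.exe]
  TCP    192.0.2.10:1052        198.51.100.7:6667      ESTABLISHED     1337
 [svch0st.exe]
  UDP    0.0.0.0:137            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        236 K
svchost.exe                    880 Services                   0      4,812 K
"""
# Listening (protocol, port) pairs recorded earlier from the known-good baseline.
BASELINE_PORTS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
def parse_netstat(text):  # socket rows; a following [module] line names the owner
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, port, remote, state, pid = m.groups()
            rows.append({"proto": proto, "port": int(port), "remote": remote,
                         "state": state or "", "pid": int(pid), "owner": None})
        elif rows and line.strip().startswith("["):
            rows[-1]["owner"] = line.strip().strip("[]")
    return rows

def parse_tasklist(text):  # PID -> image name; image names may contain spaces
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASK_RE.match, text.splitlines()) if m}

def find_anomalies(netstat_text, tasklist_text, baseline=BASELINE_PORTS):
    tasks = parse_tasklist(tasklist_text)
    findings = []
    for r in parse_netstat(netstat_text):  # UDP rows carry no state column
        if r["state"] in ("LISTENING", "") and (r["proto"], r["port"]) not in baseline:
            findings.append(("unexpected_port", r["proto"], r["port"], r["pid"]))
        if r["pid"] not in tasks:  # socket owner missing from the process list
            findings.append(("pid_not_in_tasklist", r["proto"], r["port"], r["pid"]))
    return findings
```

On a live system the two text blocks would be the captured output of the two commands; a finding is a lead to confirm with a second tool, not proof by itself.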
External Tools
www.sysinternals.com: variety of Windows tools to monitor and analyze
www.e-fense.com: Helix
  Windows tools
    Windows Forensics Toolkit™
    trusted commands
    RAM/disk imaging, password recovery tools
    some www.sysinternals.com tools
  bootable to Knoppix with many file system tools
www.rootkit.com
Advice
For your systems:
  Prevent: update, monitor, block, isolate, backup
  Analyze: find vectors and payloads
  Recover: off-network restore, re-install or re-image; block vectors and/or payload effects before going on-network