Windows Forensics, 24 Jan 2008, TCSS 431: Network Security

• Slides: 18

Windows Forensics
• 24 Jan 2008
• TCSS 431: Network Security
• Stephen Rondeau, Institute of Technology, Lab Administrator

Agenda
• Forensics Background
• Operating Systems Review
• Select Windows Features
• Vectors and Payloads
• Forensics Process
• Forensics Tools
• Demonstration

Forensics Background
• Inspection of computer system for evidence of:
  - crime
  - unauthorized use
• Evidence gathering/preservation techniques for admissibility in court of law
• Consideration of suspect's level of expertise
• Avoidance of data destruction or compromise

Operating System Review
• What does an OS do?
  - starts itself
  - low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
  - higher-level management of: file system, users, user interface, apps
  - addresses issues of fairness, efficiency, data protection/access, workload balancing

Select Windows Features
• Kernel vs. User Mode
• Kernel features (architecture)
  - device drivers
  - installable file system
  - object security
• Services
• User accounts, passwords and privileged groups
• Security policies

Computing Devices: Simplistic
• Computing device: takes some input, processes it, provides some output, connects to other devices
• (Diagram: data flows from an input device into the computing device (OS, services, applications) and out to an output device; the computing device connects to the network through a hub.)

Computing Devices: Reality
• (Diagram of inputs and outputs)
  - In: Human (K/M/touch, etc.); Data (Scanner/GPS)
  - Out: Human (A/V)
  - In/Out: Data (Storage Device, PC/Express Card, Network, Printer, etc.)

Computing Devices: Connections
• removable media: floppy, CD/DVD, flash, microdrive
• PC/Express Card
• wired: serial/parallel, USB, Firewire, IDE/SATA, SCSI/SAS, twisted pair
• wireless: radio (802.11, cellular, Bluetooth), Infrared (IR), Ultrasound

Vectors and Payloads
• Vector: route used to gain entry to computer via a device
  - without human intervention
  - via an unsuspecting or willing person's actions
• Payload: what is delivered via the vector
  - malicious code
  - may be multiple payloads
  - spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

Forensics Process
• Assess (after permission is granted)
  - determine how to approach affected system(s)
  - inspect physical environment
  - watch out for anti-forensics, booby-traps
  - consider how to stop computer processing
• Acquire
  - capture volatile data
  - copy hard drive
• Analyze

Volatile Data
• All of RAM, plus paging area
• Logged on users
• Processes (regular and services)
• Process memory
• Buffers
• Clipboard
• Network Information (incoming and outgoing)
• Command history

Nonvolatile Data
• Partitions
• Files: hidden, streams
• Registry Keys
• Recycle Bin
• Scheduled Tasks
• User Account and Group Information
• Logs

What to Look For
• Know baseline system: what to expect of good system
• Malware footprint
  - in logs
  - on file system (changed dates/sizes, hidden)
  - in registry
  - in startup areas
  - in services list
  - in network connections
• Abnormality: function, performance, traffic patterns
• Cross-check with multiple tools
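The "know the baseline" point is easiest to apply as a diff: record the services list, the registry startup (Run-key) entries and the hashes of key system files on a clean build of the same image, then compare a snapshot from the suspect host against it. The script below is an added example, not part of this presentation; the two snapshots are constructed sample data (service name SysHlpr, the Updater run key and the file contents are all made up), and the way a snapshot is gathered on a live host (sc query, reg query, hashing the files) is assumed to happen outside this block.

```python
"""Diff a known-good baseline against a snapshot of a suspect Windows host.
Added example: the snapshots below are constructed sample data, not output
captured from any real machine; collecting them (sc query, reg query, file
hashing) is assumed to be done before this script runs."""
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    services: dict      # service name -> command line of the service binary
    run_keys: dict      # Run-key value name -> command line started at logon
    file_hashes: dict   # file path -> SHA-256 of the file contents


def sha256_of(data: bytes) -> str:
    """Hash file contents; on a live host read the file and hash its bytes."""
    return hashlib.sha256(data).hexdigest()


def diff_dicts(baseline: dict, current: dict) -> dict:
    """Entries added, removed or changed between two name -> value maps."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys()
               if baseline[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def compare_snapshots(baseline: Snapshot, current: Snapshot) -> dict:
    """Compare the areas the slide names: services, startup entries, files."""
    return {
        "services": diff_dicts(baseline.services, current.services),
        "startup": diff_dicts(baseline.run_keys, current.run_keys),
        "files": diff_dicts(baseline.file_hashes, current.file_hashes),
    }


def findings(report: dict) -> list:
    """One readable line per deviation from the baseline."""
    lines = []
    for area, d in report.items():
        for name, val in d["added"].items():
            lines.append(f"{area}: ADDED {name} -> {val}")
        for name, val in d["removed"].items():
            lines.append(f"{area}: REMOVED {name} (was {val})")
        for name, (old, new) in d["changed"].items():
            lines.append(f"{area}: CHANGED {name}: {old} -> {new}")
    return lines


SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
NTOSKRNL = r"C:\WINDOWS\system32\ntoskrnl.exe"

# Constructed baseline, as recorded from a clean build of the same image.
BASELINE = Snapshot(
    services={"Dhcp": SVCHOST + " -k netsvcs",
              "wuauserv": SVCHOST + " -k netsvcs"},
    run_keys={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    file_hashes={SVCHOST: sha256_of(b"clean svchost image"),
                 NTOSKRNL: sha256_of(b"clean kernel image")},
)

# Constructed snapshot of the suspect host: one extra service, one extra
# startup entry, and a modified svchost.exe (all made-up names and contents).
SUSPECT = Snapshot(
    services={"Dhcp": SVCHOST + " -k netsvcs",
              "wuauserv": SVCHOST + " -k netsvcs",
              "SysHlpr": r"C:\WINDOWS\system32\drivers\etc\syshlpr.exe"},
    run_keys={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "Updater": r"C:\Documents and Settings\All Users\updater.exe"},
    file_hashes={SVCHOST: sha256_of(b"patched svchost image"),
                 NTOSKRNL: sha256_of(b"clean kernel image")},
)

if __name__ == "__main__":
    for line in findings(compare_snapshots(BASELINE, SUSPECT)):
        print(line)
```

Run against the sample data it reports three deviations: the added SysHlpr service, the added Updater startup entry and the changed hash of svchost.exe, while the unchanged kernel file and services produce nothing. A baseline of this kind only works if it was taken from the same build and patch level, so record the image version with it.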

Microsoft Tools
• Basic
  - Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
  - File: dir /ah, dir /od, dir /tc, findstr, cacls
  - Services: net start/stop, sc, services.msc
  - Process: tasklist, taskkill, schtasks
• Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas
• Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager
• Fix: Malicious Software Removal, Security Configuration Manager
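Two of the tools on this slide, netstat -anob and tasklist, cover the same volatile data (network connections and their owning processes) from different angles, which is what the earlier "cross-check with multiple tools" advice asks for. The script below is an added example and not part of the presentation: it parses constructed sample text in the format those two commands print, compares listeners against an expected set, and flags any PID that has network activity but does not appear in the process list. The process name syshlpr.exe, the port numbers, the PIDs and the addresses in the samples are all made up for the demonstration.

```python
"""Cross-check `netstat -anob` against `tasklist` output.
Added example with constructed sample output; nothing here was captured
from a real host."""
import re

# Constructed sample in the layout `netstat -anob` prints (module lines are
# listed under each connection, then the owning process in brackets).
NETSTAT_OUTPUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\svchost.exe
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1632
  [syshlpr.exe]

  TCP    192.168.1.20:1054      203.0.113.7:6667       ESTABLISHED     1632
  [syshlpr.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# Constructed sample in the layout `tasklist` prints; PID 1632 is missing,
# as it would be if something were hiding the process from the task list.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    940 Console                    0      4,944 K
explorer.exe                  1420 Console                    0     18,212 K
"""

# Listeners the baseline system is expected to have: (protocol, port) -> owner.
EXPECTED_LISTENERS = {("TCP", 135): "svchost.exe",
                      ("TCP", 445): "System",
                      ("UDP", 445): "System"}


def parse_netstat(text: str) -> list:
    """Return one dict per connection; UDP rows carry no State column."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("TCP", "UDP")):
            parts = line.split()
            if parts[0] == "TCP":
                proto, local, foreign, state, pid = parts
            else:
                proto, local, foreign, pid = parts
                state = ""
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state, "pid": int(pid), "process": None})
        elif line.startswith("[") and line.endswith("]") and conns:
            conns[-1]["process"] = line[1:-1]   # owning process from -b
    return conns


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name; the image name itself may contain spaces."""
    row = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
    procs = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def cross_check(conns: list, procs: dict, expected: dict) -> list:
    """Flag unexpected listeners and PIDs that netstat sees but tasklist does not."""
    out = []
    for c in conns:
        port = int(c["local"].rsplit(":", 1)[1])
        if c["state"] == "LISTENING" or c["proto"] == "UDP":
            if expected.get((c["proto"], port)) != c["process"]:
                out.append(f"unexpected listener {c['proto']}/{port} owned by "
                           f"{c['process']} (PID {c['pid']})")
    for pid in sorted({c["pid"] for c in conns}):
        owner = next(c["process"] for c in conns if c["pid"] == pid)
        name = procs.get(pid)
        if name is None:
            out.append(f"PID {pid} ({owner}) has network activity but is absent from tasklist")
        elif owner and name.lower() != owner.lower():
            out.append(f"PID {pid}: netstat reports {owner} but tasklist reports {name}")
    return out


if __name__ == "__main__":
    report = cross_check(parse_netstat(NETSTAT_OUTPUT),
                         parse_tasklist(TASKLIST_OUTPUT), EXPECTED_LISTENERS)
    print("\n".join(report) or "no findings")
```

On the sample data the script raises two findings: a listener on TCP 31337 that no baseline entry accounts for, and PID 1632 owning sockets while absent from tasklist. The second kind of mismatch is exactly why the slide says to use more than one tool: a single view of the process list can be tampered with, but the disagreement between views is hard to hide.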

External Tools
• www.sysinternals.com: variety of Windows tools to monitor and analyze
• www.e-fense.com: Helix
  - Windows tools
    - Windows Forensics Toolkit™: trusted commands
    - RAM/disk imaging, password recovery tools
    - some www.sysinternals.com tools
  - bootable to Knoppix with many file system tools
• www.rootkit.com

Advice
• For your systems:
  - Prevent: update, monitor, block, isolate, backup
  - Analyze: find vectors and payloads
  - Recover: off-network restore, re-install or re-image; block vectors and/or payload effects before going on network

References
• Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005
• Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress 2007
• File System Forensic Analysis, Brian Carrier, Addison-Wesley 2005
• Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006