Embed Size (px)
Citation preview
Forensic Analysis of a Windows 2000 Server Operating System
Joshua Young
CS585F – Fall 2002
Scenario
• Computer is still in its original environment
• Computer is on
• Computer appears connected to the internet.
• Computer and room have not yet been touched
• Evidence handling procedures are already in place
Take Pictures…(Video if possible)
Lots and Lots of Pictures…
Intro to WinHex
• Hex Editor Plus• Many Forensic Uses, especially for the novice
– Disk Cloning, Ram Capture, Hex Searches, Spanned Files
• Small (can fit on a floppy)• Inexpensive
– Free limited trial Version– $100 for full version (with variations in between)
• http://www.winhex.com
Ram Capture Before Unplugging
RAM Export
Get Password Hashes
• Use PWDUMP from floppy to floppy
• While this causes a small change to the disk, the hashes are not easily recovered once the machine is off– Win 2000 encrypts the hashes. Even if you
use a boot disk to access the NTFS partition and recover the SAM file, password crackers will not be able to break it.
LophtCrack 4 Foiled
PWDump2
• Any changes to the Hard Disk would be minor.
• Source Code is available, so the impact could be independently verified
• Only works if the person logged on has administrative rights
PWDump2 to the rescue
Freeze the System
• Once we have the RAM….
• And the Password Hashes…..
• Pull the plug
Don’t Forget Other Media
• Collect all other media for analysis (similar analysis to Hard Disk)– Floppies– CDRoms– Zip Disks– Smart Cards / Memory Sticks
• If media has software on it, record name, serial number, and whether it was original media or not.
• If possible, check serial numbers with vendors to see if any of it violates copyright law.
Computer
• Used Linux Bootable Toolbox 2.0– Genuine Intel Pentium II– Speed: 348.49 Mhz– Cache: 512Kb– Flags: fpu vme de pse tsc msr …etc
• Memory– Main 129,835,008
• FdiskDevice Boot Start End Blocks ID System
/dev/hda1 * 1 832 6289888+ 7 HPFS/NTFS
Prep Destination disk(s)
• To be on the safe side, before cloning the hard disk, it is a good idea to wipe the drive that will house the clone. This helps eliminate any question that data found on the disk could have originated on your system.
• I used QuickWiper as an example
QuickWiper
Clone the Hard Disk(bit for bit copy)
Create Hash of Disk (2 or more different types if possible)
Time Stamp the Evidence
• Using a service such as digistamp, it is a good idea to timestamp the evidence to help prove that you made no additional changes to the media.
Begin the Analysis
• Never work on the original media. Always use the copy.
• I conducted my analysis within windows itself.
• First I cracked the passwords so I could log in.
LophtCrack 2.5
Map Files
• Use known good version of cmd.exe file• Pipe lists to text files• Get several files
– By date (creation, last access, last write, etc.)– By extension (pics, docs, zips, etc. )– By type (hidden, system, read-only, etc.)
• Import into excel or database for analysis• Notepad is not adequate for large text
files. I used TextPad to view, search, etc.
Dir Command
• Dir c: /Q /S /TA >d:FileList1.txt
• Q displays owner
• S causes recursive list
• TA displays last access time
• Took about 5 minutes to run
• Produced a 4.5 Meg File
Objective
• Focus on typical use of the computer• Focus on possible illegal activities
– Illegal Material (Piracy and/or outlawed content)– Hacking– Unauthorized Data
• Focus on Information Collection– Contacts– Account Numbers– Passwords
I searched for 4 types of data• Configuration
– System Information– Networking Parameters– Installed Programs
• Regular– documents, email, keyword, zipped, etc.
• Deleted– Recycle Bin– Marked for deletion but still recoverable– Left Over Registry Entries
• Hidden– Slack/Free Space– Steganalysis– Encrypted– Altered File Types– Streams
System Info
• On top of data obtained by the Linux Bootable Toolkit (shown before), the information contained under the start menu/settings/control panel details the system– All Administrative tools are there– Date/Time, System, Hardware Settings– Disk Tools– Computer Management Application
Specific things to look for in configuration
• Web Site(s)
• FTP Site(s)
• Terminal Services
• DNS or Mail Services Running
• Log Files– EventViewer– C:\WINNT\system32\LogFiles\
Network Parameters
• Simple IPConfig command
• Windows Network Dialog– Start Menu/Settings/Network and Dialup
Connections
IPConfig
Specific things to look for in network settings
• Dial-Up Accounts (to contact for logs)
• VPN’s set up
• Whether it’s got multiple IP’s
• Protocols Installed
• Sharing Configuration
Installed Programs
• Add/Remove Programs• Hard Disk
– List files by .exe, .com, .bat, .zip, .msi
• Services• Registry
– Regedit– Deleted Apps may leave key values or
Components installed
• Programs that run at start up
Dir *.msi /s(Microsoft Installer Files)
Regedit Search for ‘Transcender’
Start Up Programs
• Start Menu For each user
• Regkey:– HKEY_LOCAL_MACHINE– HKEY_CURRENT_USER
• Software/microsoft/windows/currentversion– Run– Runonce– Runonceex
Specific things to look for in Installed Programs
• Hacking/Cracking Tools– Encryption– Data Hiding– Sniffers– Password Crackers
• Illegal Software– Bootleg Software
• Registered Software• Development Tools• Financial Software
Regular Data
• Pictures• Office Docs (Word, Wordperfect, Excel, etc.)• Emails• Wav Files• Movie Files• PDF Files• Search for ‘Common File Types’ on
www.google.com returns many sites that list common extensions and their viewers.
Finding and Viewing Data
• Dir or Windows Search• Some Apps contain recent file lists• Regedit search• Some must be viewed individually, but some can
be viewed all at once– Example, lview pro for images
• Be sure to include hidden files– Search parameter – Attrib command
• Be sure to check attachments folder for email
Advantages to Lview
• Opens all common image files• Presents in many formats (slideshow,
contact sheet, etc.)• Preview pane• Can pass a file list from command line
(obtained by something like the Dir command)
• Does not rely on extension– Will open .jpg file even if extension is wrong
If Docs are encrypted…
• Several Inexpensive utilities can break passwords on many common files.– AccessData– Cain
• Keys may be found written down or stored electronically in plaintext (via textfiles)
Deleted Data
• Recycle Bin• Marked For Delete but recoverable
– Trial Version of Norton doesn’t work on NT– WinHex will list deleted files, but has limited
recovery capability (fragmentation hinders it).
• Registry Search– Keys are often left over
• Important to do on an unaltered copy of the drive
Web Info
• History
• Cache
• Cookies
• Tools I tried didn’t work
Hidden Data
• Important to do these tests on an unaltered copy of the drive
• Free/Slack/Swap Space
• Staganalysis
• Encryption
• Altered File Types
• Streams
Free/Slack/Swap Space
• Swap Space is a file on Windows
• Free Space is space marked available to write to in Windows
• Slack Space is unused space at the end of a file
• Used WinHex
Free Space
Altered File Types
• Software can detect files via their headers
• Most apps will open their own files correctly if pointed to them directly
• Some applications serve as multipurpose. For example, word opens most document types. LViewPro opens most image types.
Alternate Data Streams
• Originated to provide compatibility with Macintosh Hierarchical File System (HFS)
• Invisible using standard windows browsing utilities.
• Free program Lads will display all streams
Steganalysis and Encryption
• Both very effective at hiding data, especially when used together.
• Detection is difficult, but actually recovering the data can be unfeasible for most analysts.
• Most common means of detection is the presence of software utilities used for Steganography or Encryption
• Most common means of recovery is poor password security. Either passwords are found via other applications or written down.
Conclusion
• Was able to accumulate a considerable amount of information from a default Windows 2000 Server machine
• Several tools and techniques didn’t work as described in research. Windows is getting better.
• If secured correctly, I don’t know that I would have been able to recover much information at all.
