Hands-On Computer Forensics

April 12, 2010

Pac IT Pros, Microsoft San Francisco

Who are we?

Arsenal Consulting

Computer Forensics Experts

Chelsea Naval Magazine

Law Firms, Corporations, Government

Expectations

You will not be ready to practice computer forensics after this class

You will gain some experience using computer forensics tools and learn new terminology

You will benefit from being exposed to someone who has practiced computer forensics for over a decade in both law enforcement and the private sector

You will have a much better idea of whether computer forensics is a specialty you want to pursue

We will have problems - some we will be able to fix, some we won’t, and we will just have to move on

I will try to focus on applications in the following order today - open source, free, evaluation, commercial

Housekeeping

Create 3 folders off the root of the Microsoft Windows XP installation you prepared for class

Tools

Evidence

Output

Copy contents of “Tools” and “Evidence” from file server to the folders you just created

You are not allowed to leave the room for the entire day

Just kidding, but introduce yourself to your neighbors so you can help each other out, especially if one of you must leave for a bit

Computer Forensics in 20 Minutes


What is Computer Forensics?

• Preservation and analysis of electronic data using methods acceptable in courts of law

• Identification, Preservation, Analysis, Reporting

Identification

Preservation

• Documentation

• Chain-Of-Custody

• Acquisition

• Goal: Preserve w/o Impact

• Reality: Understand impact

• Write-block when possible

• Live systems & networks

Analysis

• Data carving

• Internet history

• Removable storage activity

• Document metadata

• Evidence spoliation

• Malware identification

• Date and Time Manipulation

Reporting

• Narrative reports

• Explain technical issues in layman’s terms

• Focus on facts rather than advocacy

• Rule 26(A)(2) reports

• All opinions that will be offered at trial

• Index of material used to formulate opinions

• Exhibits to be used, etc.

Data Acquisition

Traditional Methods

Evidence to Write Block

Tableau (www.tableau.com)

Evidence to Stand Alone

Talon (www.logicubeforensics.com)

Safe Boot evidence to external storage

Raptor (www.raptorforensics.com)

Software Write Block

ForensicSoft (www.forensicsoft.com)

Network Capture

NetWitness (www.netwitness.com)

Advanced Methods

Live Agent to external storage

ProDiscover IR (www.techpathways.com)

Memory Capture to external storage

MoonSols Windows Memory Toolkit Community Edition (moonsols.com)

Cloud Capture

Teleport Ultra (www.tenmax.com)

Mobile Capture

CelleBrite (www.cellebrite.com)

Hands-On

Build TrueCrypt volume on target storage

www.truecrypt.org

Connect target storage to forensic workstation

Mount TrueCrypt volume on target storage

Connect evidence to write block

Connect write block to forensic workstation

Obtain forensic image (send directly to TrueCrypt volume) using FTK Imager

www.accessdata.com

Note - FTK Imager 2.9 now supports encryption!
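Whichever acquisition path is used (FTK Imager to a TrueCrypt volume, win32dd to external storage), the preservation step is only complete once the image is re-hashed and the result matches the hash the tool recorded at acquisition time. The script below is an added example written for this page; it is not part of the class materials or of FTK Imager, win32dd or any other tool named above. It assumes the expected hashes have already been copied out of the acquisition tool's log into a dict (it does not parse any vendor log format), and the "image" in the demo is a constructed temporary file.

```python
import hashlib
import os
import tempfile


def _new_hashers(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Hash an in-memory buffer; handy for known-answer checks of the tooling itself."""
    hashers = _new_hashers(algorithms)
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=("md5", "sha1"), chunk_size=4 * 1024 * 1024):
    """Hash a (possibly multi-GB) image in fixed-size chunks so it never sits in RAM at once.
    Several digests are computed in one pass so the evidence is read only once."""
    hashers = _new_hashers(algorithms)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare an image against the hashes recorded at acquisition time.
    expected: {"md5": "...", "sha1": "..."} copied from the acquisition tool's log.
    Returns {"md5": True/False, ...}; any False means this is not the image that was acquired."""
    actual = hash_image(path, tuple(expected))
    return {name: actual[name].lower() == expected[name].lower() for name in expected}


def demo():
    """Constructed walk-through: acquire, record hashes, then detect a single changed byte.
    The image content is synthetic; a real run would point hash_image() at the .dd file."""
    image = bytes(range(256)) * 1024          # constructed 256 KiB stand-in for a dd image
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(image)
        recorded = hash_image(path)           # what the acquisition log would contain
        ok_before = verify_image(path, recorded)
        # Simulate one byte altered after acquisition (e.g. the image mounted read-write by mistake)
        with open(path, "r+b") as f:
            f.seek(4096)                      # original byte here is 0x00
            f.write(b"\xff")
        ok_after = verify_image(path, recorded)
    finally:
        os.remove(path)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print("verified at acquisition:", before)
    print("verified after tampering:", after)
```

Record both the hashes and the time of verification in the case notes; a mismatch on re-verification is a chain-of-custody finding in its own right, not merely a technical error.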

Forensic Image Navigation


Outline

Surgical

FTK Imager (Free)

Computer Forensics Suite

ProDiscover Basic (Free)

Loopback

GetData Mount Image Pro ($299)

Virtual Machine

Live View (Open Source) & VMware Server (Free)

Hands-On

FTK Imager

Mount and navigate your forensic image

Mount and navigate NIST forensic image

ProDiscover Basic

Mount and navigate NIST forensic image

Mount Image Pro

Mount and navigate NIST forensic image

Data Carving


Data Carving

• See www.forensicswiki.org/wiki/File_Carving

• Standard (All Open Source)

• PhotoRec (www.cgsecurity.org/wiki/PhotoRec)

• Foremost (foremost.sourceforge.net)

• Scalpel (www.digitalforensicssolutions.com/Scalpel)

• Advanced (SmartCarving)

• Adroit (digital-assembly.com) $499

Hands-On

• Photorec

• Carve NIST and your forensic images for JPGs

• Take note of all the PhotoRec file formats

• photorec_win (Path to dd forensic image)

• Adroit

• Carve NIST and your forensic images for JPGs
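PhotoRec, Foremost and Scalpel all start from the same idea: scan the raw image for a known file header, then cut out everything up to the matching footer (or a maximum size). The carver below is an added example written for this page, not code from PhotoRec, Adroit or any other tool listed above; it handles only JPEG (SOI marker FF D8 FF, EOI marker FF D9), and the sample "image" it carves is a constructed byte string. It deliberately shows the weakness that SmartCarving products address: a JPEG whose EXIF segment holds an embedded thumbnail contains an inner FF D9, so a plain header/footer carver stops early and yields a truncated file.

```python
import mmap
import os

SOI = b"\xff\xd8\xff"   # JPEG start-of-image followed by the first marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image
MAX_SIZE = 10 * 1024 * 1024   # give up on a header if no footer is found within this window

# Constructed sample "disk image": two JPEG-like objects embedded in filler, plus a header
# with no footer (as left behind by an overwritten or partially wiped file).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-payload-1" + b"\xff\xd9"
    + b"FILLER" * 4
    + b"\xff\xd8\xff\xe1" + b"EXIF-payload-2" + b"\xff\xd9"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xdb" + b"truncated-no-footer"
)


def carve_jpegs(data, max_size=MAX_SIZE):
    """Header/footer carve over a bytes-like object (bytes or an mmap of a dd image).
    Returns a list of (offset, carved_bytes). Unallocated space is not consulted at all,
    which is what makes carving useful for deleted files and slack space."""
    results = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            break
        window_end = min(len(data), start + max_size)
        end = data.find(EOI, start + len(SOI), window_end)
        if end == -1:
            # Header without a footer inside the window: skip this header.
            # (Foremost/Scalpel would instead emit max_size bytes; choice is configurable there.)
            pos = start + 1
            continue
        end += len(EOI)
        results.append((start, bytes(data[start:end])))
        pos = end
    return results


def carve_image_file(path, out_dir, max_size=MAX_SIZE):
    """Carve a dd image on disk via mmap so multi-GB images are not read into memory.
    Output files are named by their byte offset in the image, as carving tools usually do."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for offset, blob in carve_jpegs(mm, max_size):
            name = os.path.join(out_dir, "%012x.jpg" % offset)
            with open(name, "wb") as out:
                out.write(blob)
            written.append(name)
    return written


if __name__ == "__main__":
    for offset, blob in carve_jpegs(SAMPLE_IMAGE):
        print("JPEG at offset %d, %d bytes" % (offset, len(blob)))
```

Running `carve_jpegs(SAMPLE_IMAGE)` finds the two complete objects and skips the footer-less header. Against a real image, hash each carved file and note its source offset; the offset is what ties a recovered picture back to a sector of the evidence.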

Windows Live Memory Acquisition & Analysis


RAM Acquisition

• MoonSols Windows Memory Toolkit Community Edition - Free

• moonsols.com

• ProDiscover Incident Response - ($8,995)

• www.techpathways.com/ProDiscoverIR.htm

• HBGary FastDump Pro - ($100)

• www.hbgary.com/products-services/fastdump/

• Passware Kit Forensic - ($795)

• www.lostpassword.com/kit-forensic.htm

• Microsoft Windows Sysinternals ShellRunas - Free

• technet.microsoft.com/en-us/sysinternals/cc300361.aspx

• (Or just run command prompt as administrator)

MoonSols

• Supports RAW memory dumps of:

• Win2K (32), WinXP (32/64), Win2K3 (32/64), Win Vista (32/64), W2K8 (32/64), Win7 (32/64), Win2K8R2 (32/64)

• win32dd /s 2 /f physmem.dd (or win64dd)

• creates a raw memory dump with MD5 hash

RAM Analysis

• Volatility - Open Source

• www.volatilesystems.com/default/volatility

• HBGary Responder Field Edition - $1,324

• www.hbgary.com/products-services/responder-field-edition

• HBGary Responder Pro - $15,300

• www.hbgary.com/products-services/responder-pro/

• Mandiant Memoryze - Free

• www.mandiant.com/software/memoryze.htm

Hands-on

• Examples below assume you are in the relevant tool folder!

• Acquire live memory from your system with MoonSols

• E.g. win32dd /s 2 /f c:\Evidence\myphysmem.dd

• Run Volatility against acquired memory

• E.g. c:\python26\python volatility files -f C:\Evidence\myphysmem.dd

• Also see www.cc.gatech.edu/~brendan/volatility, e.g. VolReg

• Run PhotoRec against Acquired memory

• E.g. photorec_win c:\Evidence\myphysmem.dd

• Run Volatility and PhotoRec against NIST memory

• xp-laptop-2005-07-04-1430.img

• Extra credit - Break a 64 MB TrueCrypt volume

Metadata Hunting

Tools

Metadata Assistant ($80)

www.payneconsulting.com/products/metadataretail/

Also Harlan Carvey’s Perl scripts on CPAN

CD/DVD Inspector ($649)

www.infinadyne.com

Hands-On

Review metadata in a variety of Microsoft Word documents using Metadata Assistant

Review metadata on a variety of CDs and DVDs using CD/DVD Inspector
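What a tool like Metadata Assistant surfaces from a Word document is largely the package's own property parts: author, last modifier, revision count, creation/modification times, template and total editing time. The script below is an added example written for this page, not code from Metadata Assistant or any other product above. It reads the OOXML (.docx) package only; the legacy binary .doc format stores the same properties in OLE streams and needs a different parser. The sample document is constructed in memory, and the `review_notes` checks are this example's own suggestions of what an examiner looks at first, not a list from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts of an OOXML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {
    "title": "dc:title", "author": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision", "created": "dcterms:created", "modified": "dcterms:modified",
}
APP_FIELDS = {
    "application": "ep:Application", "company": "ep:Company",
    "template": "ep:Template", "edit_minutes": "ep:TotalTime",
}


def _read_xml(zf, member):
    try:
        return ET.fromstring(zf.read(member))
    except KeyError:          # part absent (properties stripped, or not a Word package)
        return None


def _fields(root, spec):
    out = {}
    if root is None:
        return out
    for key, path in spec.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            out[key] = el.text.strip()
    return out


def extract_docx_metadata(docx_bytes):
    """Return a flat dict of core + extended properties from a .docx given as bytes."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        meta = _fields(_read_xml(zf, "docProps/core.xml"), CORE_FIELDS)
        meta.update(_fields(_read_xml(zf, "docProps/app.xml"), APP_FIELDS))
    return meta


def review_notes(meta):
    """Points an examiner typically flags for follow-up (this example's own list)."""
    notes = []
    if meta.get("author") and meta.get("last_modified_by") and meta["author"] != meta["last_modified_by"]:
        notes.append("author differs from last modifier")
    if meta.get("created") and meta.get("modified") and meta["modified"] < meta["created"]:
        notes.append("modified timestamp precedes created timestamp")   # clock or tampering question
    if meta.get("template") and meta["template"].lower() != "normal.dotm":
        notes.append("non-default template: " + meta["template"])
    return notes


def build_sample_docx():
    """Constructed minimal .docx: just enough parts for the metadata extractor."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Draft memo</dc:title><dc:creator>alice</dc:creator>"
        "<cp:lastModifiedBy>bob</cp:lastModifiedBy><cp:revision>14</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2010-03-01T09:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2010-04-09T16:42:00Z</dcterms:modified>'
        "</cp:coreProperties>" % NS
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        "<Company>Example Corp (constructed)</Company><Template>Normal.dotm</Template>"
        "<TotalTime>95</TotalTime></Properties>" % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_docx_metadata(build_sample_docx())
    for k, v in meta.items():
        print("%-18s %s" % (k, v))
    print("notes:", review_notes(meta))
```

Timestamps in the property parts are what the application wrote, not what the file system recorded; comparing the two is part of the date and time manipulation analysis mentioned earlier in the deck.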

Email Databases


Tools

Paraben’s Network Email Examiner (NEMX)($799)

Microsoft Exchange

5.0, 5.5, 2K, 2K3, 2K7

Notes/Domino

4.0, 5.0, 6.0, 8

GroupWise

Up to 7.03

www.paraben.com

Hands-On

Mount sample Microsoft Exchange database with NEMX, browse contents, and become familiar with NEMX features

Windows Registry


Tools

• AccessData Registry Viewer (Evaluation)

• www.accessdata.com

• Harlan Carvey’s RegRipper and RipXP (Open Source)

• www.regripper.net

• UserAssist (Open Source)

• blog.didierstevens.com/programs/userassist/

What is the registry?

• Microsoft Windows database that stores configuration information for:

• Windows

• Hardware

• Software

• Per-user settings

• Found in the system root under System32\config, and in each user’s profile root

• system, software, SAM, security & NTUSER.DAT

• Keys, subkeys, values, ASCII, HEX, ROT13

Interesting Areas

• Protected storage system provider (PSSP)

• UserAssist

• DeviceClasses

• Most Recently Used (MRU)

PSSP

• NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\

• Internet Explorer, Outlook, Outlook Express passwords and more

• See www.nirsoft.net/articles/saved_password_location.html for more password locations

UserAssist

• Tracks programs executed on Microsoft Windows, by user

• Includes the number of executions and the date/time of the last execution

• Values are ROT13 encoded, use UserAssist to view
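The ROT13 obfuscation is trivial to undo, and on Windows XP each value's binary data is a fixed 16-byte record, so the decoding that the UserAssist tool performs can be shown in a few lines. The script below is an added example written for this page, not code from Didier Stevens' UserAssist or RegRipper; it assumes the examiner has already exported the value names and raw data from the Count subkey (the registry parsing itself is not shown), and the two sample values are constructed. The layout used here is the XP one (session id, counter, FILETIME); Vista and Windows 7 use a longer record that this code rejects rather than misparses.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5   # XP starts each counter at 5; subtract it to get the real run count


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, in integer arithmetic so large tick counts stay exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_xp(value_name, raw_value):
    """Decode one Windows XP UserAssist entry.
    value_name: ROT13-obfuscated registry value name, e.g. 'HRZR_EHACNGU:...'
    raw_value:  16-byte binary data laid out as <session:u32><count:u32><last_run:FILETIME>
    Raises ValueError for the 72-byte Vista/7 layout, which is not handled here."""
    if len(raw_value) != 16:
        raise ValueError("expected 16-byte XP UserAssist value, got %d bytes" % len(raw_value))
    session, count, ft = struct.unpack("<IIQ", raw_value)
    return {
        "name": codecs.decode(value_name, "rot13"),
        "session": session,
        "runs": max(count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft),
    }


def decode_userassist_key(values):
    """values: {rot13_name: raw_bytes} exported from a Count subkey.
    Returns decoded entries, most recently run first; entries with no timestamp sort last."""
    entries = [decode_userassist_xp(n, v) for n, v in values.items() if len(v) == 16]
    entries.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return entries


# Constructed sample: two Count values as they would appear in NTUSER.DAT on XP.
# 'HRZR_EHACNGU' is ROT13 for 'UEME_RUNPATH', the prefix for programs run by path.
SAMPLE_VALUES = {
    r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pzq.rkr": struct.pack(
        "<IIQ", 1, 12, datetime_to_filetime(datetime(2010, 4, 12, 17, 30, tzinfo=timezone.utc))),
    r"HRZR_EHACNGU:P:\Gbbyf\jva32qq.rkr": struct.pack(
        "<IIQ", 1, 6, datetime_to_filetime(datetime(2010, 4, 12, 18, 5, tzinfo=timezone.utc))),
}


if __name__ == "__main__":
    for e in decode_userassist_key(SAMPLE_VALUES):
        print("%s  runs=%d  last=%s" % (e["name"], e["runs"], e["last_run"]))
```

Note that the examiner's own tools leave traces here too: the second sample entry is the sort of record that running win32dd from a live box produces, which is why the acquisition session is documented before analysis starts.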

DeviceClasses

• Lets us identify the first time storage devices were connected since the last Windows boot

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

• Just scratching the surface in terms of storage devices... see blogs.sans.org/computer-forensics/2009/09/09/usb-key-analysis-vs-usb-drive-enclosure-analysis/

MRUs

• Most Recently Used lists (MRUs)

• Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

• Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

• Software\Microsoft\Search Assistant\ACMru\5603 (And 5001, 5647)

• Software\Microsoft\Terminal Server Client\Default (MRUnumber)

Hands-On

• Use FTK Imager to copy your live NTUSER.DAT and system registry files to evidence folder

• Copy NTUSER.DAT and system registry files out of NIST forensic image into evidence folder

• Run UserAssist against the NTUSER.DAT files

• Run Registry Viewer against system files

• PSSP & (CurrentControlSet)\Enum\USBStor

Password Recovery

Methods

Brute Force

Dictionary

Rainbow Table

Memory and Registry Surfing

Tools

ophcrack (Open Source)

ophcrack.sourceforge.net

Password Recovery Toolkit (Call)

www.accessdata.com

Passware Kit Forensic - ($795)

Decrypt TrueCrypt & BitLocker (live memory required)

www.lostpassword.com/kit-forensic.htm

Hands-On

Extract system and SAM files from your live system using FTK Imager

Create a couple of user accounts with passwords if you do not currently have any

Extract system and SAM files from NIST forensic image

Load each set of files into ophcrack and begin

Virtual Machines (VMs)


Tools

• Live View (Open Source)

• liveview.sourceforge.net

• VMware Server 1.x (Free, Windows XP only)

• VMware Workstation ($189)

Why?

• Interact with the system as the user had

• Run problematic applications (legacy, etc.)

• Perform live malware analysis

• Loopback volumes in forensic images

• Forensic analysis environments

VM Environments

• VMware Workstation, Server, etc.

• SUN VirtualBox

• Microsoft Windows XP Mode, Windows Virtual PC

Hands-On

• Register for a VMware support account and get a serial for VMware Server or VMware Workstation

• Use Live View to create a VMware configuration for the NIST forensic image

• Boot the virtual machine in VMware Server 1.x or VMware Workstation evaluation