Windows Forensics 24 Jan 2008 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator




Page 1

Windows Forensics

24 Jan 2008
TCSS431: Network Security

Stephen Rondeau
Institute of Technology

Lab Administrator

Page 2

Agenda

- Forensics Background
- Operating Systems Review
- Select Windows Features
- Vectors and Payloads
- Forensics Process
- Forensics Tools
- Demonstration

Page 3

Forensics Background

- Inspection of a computer system for evidence of:
  - crime
  - unauthorized use
- Evidence gathering/preservation techniques for admissibility in a court of law
- Consideration of the suspect's level of expertise
- Avoidance of data destruction or compromise

Page 4

Operating System Review

What does an OS do?

Page 5

Operating System Review

What does an OS do?
- starts itself
- low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
- higher-level management of: file system, users, user interface, apps
- addresses issues of fairness, efficiency, data protection/access, workload balancing

Page 6

Select Windows Features

- Kernel vs. User Mode
- Kernel features (architecture)
  - device drivers
  - installable file system
  - object security
- Services
- User accounts, passwords and privileged groups
- Security policies

Page 7

Computing Devices: Simplistic

- Computing Device
  - takes some input
  - processes it (OS, services, applications)
  - provides some output
- Network
  - connects devices
- Data

[Diagram: a Computing Device with input and output, connected to a Hub]

Page 8

Computing Devices: Reality

[Diagram: inputs and outputs of a computing device]
- In: Human (K/M/touch, etc.); Data (Scanner/GPS)
- Out: Human (A/V)
- In/Out: Data (Storage Device, PC/Express Card, Network, Printer, etc.)

Page 9

Computing Devices: Connections

- removable media: floppy, CD/DVD, flash, microdrive
- PC/Express Card
- wired: serial/parallel, USB, Firewire, IDE/SATA, SCSI/SAS, twisted pair
- wireless: radio (802.11, cellular, Bluetooth), Infrared (IR), Ultrasound

Page 10

Vectors and Payloads

- Vector: route used to gain entry to a computer
  - via a device, without human intervention
  - via an unsuspecting or willing person's actions
- Payload: what is delivered via the vector
  - malicious code
  - may be multiple payloads
  - spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

Page 11

Forensics Process

- Assess (after permission is granted)
  - determine how to approach affected system(s)
  - inspect physical environment
  - watch out for anti-forensics, booby-traps
  - consider how to stop computer processing
- Acquire
  - capture volatile data
  - copy hard drive
- Analyze

Page 12

Volatile Data

- All of RAM, plus paging area
- Logged-on users
- Processes (regular and services)
- Process memory
- Buffers
- Clipboard
- Network information (incoming and outgoing)
- Command history

Page 13

Nonvolatile Data

- Partitions
- Files
  - hidden, streams
- Registry keys
- Recycle Bin
- Scheduled Tasks
- User account and group information
- Logs

Page 14

What to Look For

- Know the baseline system: what to expect of a good system
- Malware footprint
  - in logs
  - on file system (changed dates/sizes, hidden)
  - in registry
  - in startup areas
  - in services list
  - in network connections
- Abnormality: function, performance, traffic patterns
- Cross-check with multiple tools
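The baseline comparison and multi-tool cross-check above, as an added PowerShell example that is not part of the slides: it snapshots services, scheduled tasks and Run-key autostart entries, diffs them against a saved known-good snapshot, and compares the service list reported by sc.exe with the list from the CIM (WMI) provider. The baseline path is an assumed placeholder.

```powershell
# Added example (not from the slides): compare current services, scheduled tasks
# and Run-key autostart entries with a baseline from a known-good system, and
# cross-check the service list from two independent tools (sc.exe vs. CIM).
param(
    [string]$BaselinePath = 'E:\baseline\good-system.json',  # assumed placeholder
    [switch]$SaveBaseline                                     # run once on the good system
)

function Get-Snapshot {
    # Services as reported by the Service Control Manager command-line tool
    $scNames  = sc.exe query type= service state= all |
                ForEach-Object { if ($_ -match '^SERVICE_NAME:\s*(.+)$') { $Matches[1].Trim() } }
    # The same information from a second tool (CIM/WMI), used for cross-checking
    $cimNames = Get-CimInstance Win32_Service | Select-Object -ExpandProperty Name
    # Scheduled tasks (startup area): CSV output without header, three columns
    $tasks    = schtasks /query /fo csv /nh |
                ConvertFrom-Csv -Header TaskName, NextRun, Status |
                Select-Object -ExpandProperty TaskName
    # Registry autostart (Run keys) for the machine and the current user
    $runKeys  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |      # drop PowerShell's own metadata
                ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
        }
    }
    [pscustomobject]@{ ScServices = @($scNames); CimServices = @($cimNames)
                       Tasks = @($tasks); Autoruns = @($autoruns) }
}

$now = Get-Snapshot
if ($SaveBaseline) { $now | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath; return }

# Cross-check: a service visible to only one tool deserves a closer look.
Compare-Object $now.ScServices $now.CimServices |
    ForEach-Object { "Service seen by only one tool: $($_.InputObject) ($($_.SideIndicator))" }

# Baseline diff: '=>' marks items present now but absent from the baseline
# (new services, tasks or autostart entries); '<=' marks items that disappeared.
$base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
foreach ($prop in 'ScServices', 'Tasks', 'Autoruns') {
    Compare-Object @($base.$prop) @($now.$prop) |
        ForEach-Object { '{0,-10} {1} {2}' -f $prop, $_.SideIndicator, $_.InputObject }
}
```

Run with -SaveBaseline on the known-good system first; a later run without the switch lists only what changed and what the two service views disagree on.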

Page 15

Microsoft Tools

- Basic
  - Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas
  - Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager
  - Fix: Malicious Software Removal, Security Configuration Manager
- Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
- File: dir /ah, dir /od, dir /tc, findstr, cacls
- Services: net start/stop, sc, services.msc
- Process: tasklist, taskkill, schtasks
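Capturing the items from the "Volatile Data" slide with the built-in commands listed on this slide, as an added PowerShell example (not from the slides or from any of the tools named): it runs the commands most-volatile first, writes each output to an examiner-controlled folder and records a timestamp and SHA-256 hash for every file. The evidence path is an assumed placeholder; the script is assumed to run elevated from the examiner's own media.

```powershell
# Added example (not from the slides): collect the command-line-accessible
# volatile data (network state, processes, services, logged-on users, accounts,
# scheduled tasks) into a per-host evidence folder with a hashed collection log.
param(
    [string]$EvidenceRoot = 'E:\evidence'   # assumed placeholder: examiner-controlled drive
)

$case = Join-Path $EvidenceRoot ('{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $case -Force | Out-Null

# Output file name -> command(s) to run. Ordered most-volatile first
# (clock and network state, then processes) to least volatile (accounts, tasks).
$steps = [ordered]@{
    '01_date_time.txt'    = { Get-Date -Format o; w32tm /query /status }
    '02_netstat_anob.txt' = { netstat -anob }              # connections with owning process
    '03_arp.txt'          = { arp -a }
    '04_nbtstat.txt'      = { nbtstat -S }                 # NetBIOS sessions with remote IPs
    '05_ipconfig.txt'     = { ipconfig /all }
    '06_tasklist.txt'     = { tasklist /v /fo list }       # processes with user and window title
    '07_services.txt'     = { tasklist /svc; net start }   # service-hosting processes, running services
    '08_logged_on.txt'    = { query user }
    '09_accounts.txt'     = { net user; net localgroup administrators }
    '10_schtasks.txt'     = { schtasks /query /v /fo list }
}

$log = Join-Path $case 'collection_log.txt'
foreach ($name in $steps.Keys) {
    $out   = Join-Path $case $name
    $start = Get-Date -Format o
    # Merge stderr into the file so a failing or missing tool is preserved as evidence too.
    & $steps[$name] 2>&1 | Out-File -FilePath $out -Encoding utf8
    $hash = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
    "$start`t$name`t$hash" | Add-Content -Path $log
}

Write-Host "Collection written to $case; verify file hashes against $log before analysis."
```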

Page 16

External Tools

- www.sysinternals.com: variety of Windows tools to monitor and analyze
- www.e-fense.com: Helix
  - Windows tools
    - Windows Forensics Toolkit™
    - trusted commands
    - RAM/disk imaging, password recovery tools
    - some www.sysinternals.com tools
  - bootable to Knoppix with many file system tools
- www.rootkit.com

Page 17

Advice

For your systems:
- Prevent: update, monitor, block, isolate, backup
- Analyze: find vectors and payloads
- Recover:
  - off-network restore, re-install or re-image
  - block vectors and/or payload effects before going on-network
