7/28/2019 CNS 320 Week4 Lecture
http://slidepdf.com/reader/full/cns-320-week4-lecture 1/74
CNS 320 COMPUTER FORENSICS &INCIDENT RESPONSE
Week 4 Lecture
Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Quiz 1
Any questions from last week before the quiz?
Technical Material for this week
Missing slide from week 2
Malware Identification Using Memory Analysis
Windows Event Logs
Application Metadata
Thumbnails
Missing week 2 slide:
DATA Attributes
Normally hold file content data
NTFS files may have more than one
Those after the 1st are referred to as Alternate Data Streams
They have a short header before the file data, containing the stream's identifier/name
Feature added primarily for Mac support, and poorly supported until Win7
Used maliciously for data hiding
Windows Malware Identification & Analysis Procedures & Tools
Overview
Suspicious host identified via anomalous network traffic, AV logs, or other security alerts
Memory & disk images extracted from host
• Memory images can be extracted directly using various tools
EnCase Enterprise or LiveResponse (commercial, via network)
Moonsols Dumpit
ManTech Mdd
Mandiant Memoryze
AccessData FTK Imager
• Memory images can also be extracted from hibernation files or via firewire using tools such as Inception
Memory image examined using Memoryze/Auditviewer. Offending process typically identified by searching for strings related to original alert
Auditviewer also has heuristics to highlight certain suspicious behaviors or characteristics
Files relating to offending process extracted from disk image
Static & dynamic analysis of malicious binaries done in VM using various tools, if necessary
Run Auditviewer/Memoryze (select 'Configure Memoryze' as initial option)
Specify Output Folder
Specify UnErased Image File
Select all Analysis Options
No Process or Driver Acquisition
Select all Process Enumeration Options
Select all Driver Enumeration options
Select all Hook Enumeration Options
When Processing Completes, the Memory Image Browser will Open
Suspicious Behavior Heuristics
Processes with possible injected DLLs displayed in red (several false positive mechanisms & doesn't catch all methods)
Malware Rating Index (MRI) rules cause numeric ranking to be displayed
MRI Rules
Process Username Verification
Argument Verification
Process Path Verification
Suspicious Handles
Suspicious Imports
Heuristic Report on EnCase Enterprise Servlet
Searching
Search Results
Other Information Per Process
Handles
Files, Folders, Processes, Reg keys, Semaphores, Mutexes, Events, Memory Sections
Memory Sections
DLLs
Strings
Network ports
Driver Information
Drivers Enumerated by Scanning
Root Drivers
All Drivers
Drivers Enumerated by Walking List
Driver information includes all associated strings
Hooks
System Service Descriptor (SSD) Table Hooks
Interrupt Descriptor Table Hooks
Driver IRP Hooks
Keystroke Logger Detection
Other AuditViewer Functionality
Similar functionality to Red Curtain also rolled into Auditviewer, but requires the application to be run on target host rather than on a memory image.
Other Methods of Malware Detection
Known Good Hash Elimination (NSRL, FileAdvisor)
Red Curtain Rule-Based Analysis
Upload to VirusTotal.com
Manually examine persistence mechanisms for suspicious patterns
Search for suspicious file/folder names among binaries associated with running processes or scheduled jobs
Manual examination of binaries associated with running processes or scheduled jobs
Windows Event Logs
NT/2K/XP/2K3: .evt files
%systemroot%\System32\config
SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
Vista/7/2K8: .evtx files
%systemroot%\System32\winevt\logs
SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
Logs can be sent to a remote log collector
File locations can be changed in the registry
Event Log (.evt) File Header Structure
(first 48 bytes of a valid Event Log file)
Offset  Size     Description
0       4 bytes  Size of the record; for an .evt file header, the size is 0x30 (48) bytes. Event record sizes are 56 bytes
4       4 bytes  Magic number (LfLe)
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file to the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the Registry)
40      4 bytes  Retention time of event records (from the Registry)
44      4 bytes  Size of the record (repeat of DWORD at offset 0)
Event Log (.evt) Record Header Structure
(First 56 bytes of Event Record)
Offset  Size     Description
0       4 bytes  Length of the event record, or size of the record in bytes
4       4 bytes  Reserved; magic number LfLe
8       4 bytes  Record number
12      4 bytes  Time generated; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Universal Coordinated Time (UTC)
16      4 bytes  Time written; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in UTC
20      4 bytes  Event ID, which is specific to the event source and uniquely identifies the event; the event ID is used along with the source name to locate the appropriate description string within the message file for the event source
24      2 bytes  Event type (0x01 = Error; 0x10 = Failure; 0x08 = Success; 0x04 = Information; 0x02 = Warning)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset; offset to the description strings within this event record
40      4 bytes  Length of the user Security Identifier (SID); size of the user SID in bytes (if 0, no user SID is provided)
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length; length of the binary data associated with this event record
52      4 bytes  Offset to the data
Data Stored for a Given Event is Dependent on the Event Type
Typically stored as a list of null-terminated strings
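The two header tables above translate directly into a parser. The following Python is an added example written for these notes; it is not part of the lecture and not code from any of the tools the lecture names. It reads the 48-byte file header and the 56-byte record header at the offsets the tables give, pulls out the null-terminated description strings, and walks the records from the oldest offset to the next-to-be-written offset. Assumptions: the description strings are UTF-16LE (true of real .evt files; the slide only says null-terminated), the header bytes the slide does not list (8-15 and 36-39) are left zero in the constructed sample, and the iterator does not handle a log that has wrapped around.

```python
import struct
from datetime import datetime, timezone

EVT_MAGIC = b"LfLe"
EVT_HEADER_SIZE = 0x30
EVT_RECORD_HEADER_SIZE = 56
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",
               0x08: "Success Audit", 0x10: "Failure Audit"}


def parse_evt_header(buf: bytes) -> dict:
    """Parse the 48-byte .evt file header (only the offsets listed in the table)."""
    if len(buf) < EVT_HEADER_SIZE:
        raise ValueError("buffer shorter than a 48-byte .evt header")
    size, magic = struct.unpack_from("<I4s", buf, 0)
    if size != EVT_HEADER_SIZE or magic != EVT_MAGIC:
        raise ValueError("not an .evt header: size/magic mismatch")
    oldest_off, next_off, next_id, oldest_id, max_size = struct.unpack_from("<5I", buf, 16)
    retention, size_repeat = struct.unpack_from("<2I", buf, 40)
    if size_repeat != size:
        raise ValueError("trailing size DWORD does not repeat the header size")
    return {"oldest_record_offset": oldest_off, "next_record_offset": next_off,
            "next_record_id": next_id, "oldest_record_id": oldest_id,
            "max_file_size": max_size, "retention_seconds": retention}


def _read_utf16z(buf: bytes, pos: int):
    """Read one null-terminated UTF-16LE string; returns (text, position after terminator)."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_evt_record(buf: bytes, off: int = 0) -> dict:
    """Parse one event record (56-byte header + strings/SID/data) starting at off."""
    (length, magic, rec_num, t_gen, t_wr, event_id, etype, n_str, category, _flags,
     closing, str_off, sid_len, sid_off, data_len,
     data_off) = struct.unpack_from("<I4sIIIIHHHHIIIIII", buf, off)
    if magic != EVT_MAGIC or length < EVT_RECORD_HEADER_SIZE + 4:
        raise ValueError(f"bad record at offset {off}")
    # The record length is repeated in the last DWORD of the record; verify it.
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        raise ValueError(f"record at {off}: trailing length does not match")
    strings, pos = [], off + str_off
    for _ in range(n_str):
        s, pos = _read_utf16z(buf, pos)
        strings.append(s)
    return {"length": length, "record_number": rec_num,
            "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
            "time_written": datetime.fromtimestamp(t_wr, tz=timezone.utc),
            "event_id": event_id, "category": category,
            "event_type": EVENT_TYPES.get(etype, f"unknown(0x{etype:02x})"),
            "strings": strings,
            "sid": buf[off + sid_off: off + sid_off + sid_len],
            "data": buf[off + data_off: off + data_off + data_len]}


def iter_evt_records(buf: bytes):
    """Walk records from the oldest to the next-to-be-written offset (no wrap handling)."""
    hdr = parse_evt_header(buf)
    pos = hdr["oldest_record_offset"]
    while pos < hdr["next_record_offset"]:
        rec = parse_evt_record(buf, pos)
        yield rec
        pos += rec["length"]


# --- constructed sample file (not a real log) so the parser can run offline ---
def build_evt_record(rec_num, event_id, etype, strings, unix_ts, sid=b"", data=b""):
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    str_off = EVT_RECORD_HEADER_SIZE
    sid_off = str_off + len(body)
    data_off = sid_off + len(sid)
    length = data_off + len(data) + 4          # +4 for the trailing length DWORD
    hdr = struct.pack("<I4sIIIIHHHHIIIIII", length, EVT_MAGIC, rec_num, unix_ts, unix_ts,
                      event_id, etype, len(strings), 0, 0, rec_num, str_off,
                      len(sid), sid_off, len(data), data_off)
    return hdr + body + sid + data + struct.pack("<I", length)


def build_sample_evt() -> bytes:
    ts = 1262304000                                                # 2010-01-01 00:00:00 UTC
    r1 = build_evt_record(7, 528, 0x08, ["jdoe", "CORP", "2"], ts)       # successful logon
    r2 = build_evt_record(8, 529, 0x10, ["jdoe", "CORP", "3"], ts + 60)  # logon failure
    hdr = bytearray(EVT_HEADER_SIZE)                               # unlisted bytes stay zero
    struct.pack_into("<I4s", hdr, 0, EVT_HEADER_SIZE, EVT_MAGIC)
    struct.pack_into("<5I", hdr, 16, EVT_HEADER_SIZE,
                     EVT_HEADER_SIZE + len(r1) + len(r2), 9, 7, 0x80000)
    struct.pack_into("<2I", hdr, 40, 7 * 86400, EVT_HEADER_SIZE)
    return bytes(hdr) + r1 + r2


if __name__ == "__main__":
    for rec in iter_evt_records(build_sample_evt()):
        print(rec["record_number"], rec["time_generated"], rec["event_id"],
              rec["event_type"], rec["strings"])
```

Run the file directly to see the two constructed records decoded; the trailing-length check is what lets the same record parser be pointed at carved fragments without trusting the length field alone.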
EVTX Record Structure
(Less useful because of binary encoding)
Offset  Type      Meaning
0x00    char[4]   Magic, const 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
0x04    uint32    Length1 (whole record's size, from the magic string to the trailing length indicator)
0x08    int64     NumLogRecord (record number, relative to the log channel. The log channel may consist of several log files which are consecutively written to)
0x10    FILETIME  TimeCreated
var.    char[]    BinXmlStream (complex binary structure)
var.    uint32    Length2
NumLogRecord & TimeCreated values also included in BinXmlStream
This is less useful because the various event strings are binary encoded and so won't be found in normal searching
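Because the record envelope above is fixed even though the BinXml body is not, the envelope alone is enough to locate and time-stamp records, including ones sitting in slack or unallocated space (the point Grokevt-style carving relies on). The following Python is an added example for these notes, not lecture code and not any tool's implementation: it parses the magic, Length1, NumLogRecord and TimeCreated fields, converts the FILETIME, checks that Length2 agrees with Length1 before accepting a record, and carves records out of a constructed buffer that also contains junk and a decoy magic with an implausible length. The BinXml body is returned as opaque bytes; the sample payload is a placeholder, not real BinXml.

```python
import struct
from datetime import datetime, timedelta, timezone

EVTX_RECORD_MAGIC = b"\x2a\x2a\x00\x00"      # "**\0\0"
EVTX_RECORD_HEADER_SIZE = 0x18               # magic, Length1, NumLogRecord, TimeCreated
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is the count of 100-ns intervals since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH              # integer arithmetic avoids float rounding
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_evtx_record(buf: bytes, off: int = 0) -> dict:
    """Parse one EVTX record envelope; the BinXml body is returned as opaque bytes."""
    magic, length1, rec_num, created = struct.unpack_from("<4sIqQ", buf, off)
    if magic != EVTX_RECORD_MAGIC:
        raise ValueError(f"no record magic at offset {off}")
    if length1 < EVTX_RECORD_HEADER_SIZE + 4 or off + length1 > len(buf):
        raise ValueError(f"record at {off}: implausible Length1 {length1}")
    length2 = struct.unpack_from("<I", buf, off + length1 - 4)[0]
    if length2 != length1:
        raise ValueError(f"record at {off}: Length1 {length1} != Length2 {length2}")
    return {"offset": off, "length": length1, "record_number": rec_num,
            "time_created": filetime_to_datetime(created),
            "binxml": buf[off + EVTX_RECORD_HEADER_SIZE: off + length1 - 4]}


def carve_evtx_records(buf: bytes) -> list:
    """Find records by magic anywhere in a buffer (chunk, slack, unallocated space) and keep
    only those whose two length fields agree. This is not a full chunk/template parser."""
    found, pos = [], buf.find(EVTX_RECORD_MAGIC)
    while pos != -1:
        try:
            rec = parse_evtx_record(buf, pos)
            found.append(rec)
            pos = buf.find(EVTX_RECORD_MAGIC, pos + rec["length"])
        except ValueError:
            pos = buf.find(EVTX_RECORD_MAGIC, pos + 1)   # false hit: keep scanning
    return found


# --- constructed sample data (not from a real log) ---
def build_evtx_record(rec_num: int, created: datetime, binxml: bytes) -> bytes:
    length = EVTX_RECORD_HEADER_SIZE + len(binxml) + 4
    return (struct.pack("<4sIqQ", EVTX_RECORD_MAGIC, length, rec_num,
                        datetime_to_filetime(created))
            + binxml + struct.pack("<I", length))


def build_sample_buffer() -> bytes:
    """Two valid records, junk around them, and a decoy magic with a bogus Length1."""
    t0 = datetime(2010, 1, 1, tzinfo=timezone.utc)
    payload = b"\x0f\x01\x01\x00" + b"\x00" * 28       # placeholder, not real BinXml content
    return (b"junk" * 4
            + build_evtx_record(1, t0, payload)
            + b"\x00" * 7
            + EVTX_RECORD_MAGIC + b"\xff\xff\xff\x7f" + b"\x00" * 20   # decoy, bad length
            + build_evtx_record(2, t0 + timedelta(seconds=30), payload))


if __name__ == "__main__":
    for rec in carve_evtx_records(build_sample_buffer()):
        print(rec["offset"], rec["record_number"], rec["time_created"], len(rec["binxml"]))
```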
Great Windows Security Event Reference
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
demo
Useful Windows Event Log Tools
Event Log Explorer (commercial, but free for private use. 3.4 supports evtx)
FixEvt
Lsevt (Carvey) – Available in the 'extras' of Windows Forensic Analysis
PsLogList (Sysinternals)
Evtx_parser (Schuster)
Grokevt (Linux only, but can parse events out of unallocated space)
Windows Event Log Types
Security (most useful for forensics, but don't ignore the others): Access control & security settings; Audit & group policy
System: Services, system components, drivers, resources, etc.
Application: Software events unrelated to the OS
Custom: Custom application logs
Event Types
Error
Warning
Information
Success Audit
Failure Audit
Security Event Categories
Account Logon – Stored on system that authorized login
Account Mgmt – Changes to accounts
Directory Service – Attempted access of AD objects
Logon Events – Instances of logon/logoff for local system
Object Access – Access to objects specified in ACLs
Policy Change – Change to user rights, or audit or trust policies
Privilege Use – Instances of accounts exercising user rights
Process Tracking – Process start/end, handles, access to objects
System Events – System start/shutdown, security log manipulation
Changes from NT/2K/XP/2K3 to Vista/7/2K8
Event IDs were changed
Where there's a direct one-to-one mapping, new ID usually (but not always!) = Old ID + 4096
Some groups of old event IDs were collapsed to a single new event ID
528,540 (Successful Logon) -> 4624
529-537,539 (Login Failure) -> 4625
Some old IDs were broken out into multiple new IDs
672 (auth ticket granted) -> 4768 (requested), 4772 (failed)
673 (service ticket granted) -> 4769 (requested), 4773 (failed)
A significant number of new events and log files were added. Logging capabilities & defaults are generally somewhat better on Vista/7/2K8 than previously.
Configurable Security Logging
See 'Administrative Tools' \ 'Local Security Policy', and examine 'Audit Policy'
These settings are stored in the registry's Security hive, and can be extracted using regripper.
Non-Domain Workstations have most settings disabled by default
Non-Domain Servers aren't much better
Recommended baseline is to log Success/Failure for most categories, Failure for Privilege Use, and none for Process Tracking
Windows 2K8 adds more categories of log
Some events (672, 673) can be found on the authenticating domain controller for domain workstations
Account Logon Security Events
(logged on authenticating system)
672/4768,4772 - Authentication Ticket Granted
673/4769,4773 - Service Ticket Granted
674/4770 - Ticket Granted Renewed
675/4771 - Pre-authentication failed
676/4768 - Authentication Ticket Request Failed
677 - Service Ticket Request Failed
678/4774 - Account Mapped for Logon by
679/4775 - The name: %2 could not be mapped for logon by: %1
680/4776 - Account Used for Logon by
681/4776 - The logon to account: %2 by: %1 from workstation: %3 failed.
4777 - The domain controller failed to validate the credentials for an account
Event ID 672: Authentication Ticket Granted
(initial user authentication to domain)
Data Fields:
User Name: %1
Supplied Realm Name: %2
User ID: %3
Service Name: %4
Service ID: %5
Ticket Options: %6
Result Code: (For an explanation of result/failure codes see the chart on event ID 675)
Ticket Encryption Type: %8
Pre-Authentication Type: %9
Client Address: %10 (source from which user authenticated)
Certificate Issuer Name: %11
Certificate Serial Number: %12
Certificate Thumbprint: %13
Also logged when a computer authenticates to domain, such as on boot. These events have hostname$ for User Name.
Event ID 673: Service Ticket Granted
(domain access to another host)
Data Fields:
User Name: %1
User Domain: %2
Service Name: %3 (computer name of the server the user accessed)
Service ID: %4
Ticket Options: %5
Ticket Encryption Type: %6
Client Address: %7 (IP from which user authenticated)
Failure Code: %8
Logon GUID: %9
Transited Services: %10
Logon/Logoff Security Events
(logged on local system)
528/4624 - Successful Logon
529/4625 - Logon Failure - Unknown user name or bad password
530/4625 - Logon Failure - Account logon time restriction violation
531/4625 - Logon Failure - Account currently disabled
532/4625 - Logon Failure - The specified user account has expired
533/4625 - Logon Failure - User not allowed to logon at this computer
534/4625 - Logon Failure - The user has not been granted the requested logon type at this machine
535/4625 - Logon Failure - The specified account's password has expired
536/4625 - Logon Failure - The NetLogon component is not active
537/4625 - Logon failure - The logon attempt failed for other reasons.
538/4634 - User Logoff
539/4625 - Logon Failure - Account locked out
540/4624 - Successful Network Logon
551/4647 - User initiated logoff
552/4648 - Logon attempt using explicit credentials
576/4672 - Special privileges assigned to new logon
682/4778 - Session reconnected to winstation
683/4779 - Session disconnected from winstation
4646 - IKE DoS-prevention mode started.
4649 - A replay attack was detected
4650 - An IPsec Main Mode security association was established
4651 - An IPsec Main Mode security association was established
4652 - An IPsec Main Mode negotiation failed
4653 - An IPsec Main Mode negotiation failed
4654 - An IPsec Quick Mode negotiation failed
4655 - An IPsec Main Mode security association ended
More Logon/Logoff Security Events
(logged on local system)
4675 - SIDs were filtered
4800 - The workstation was locked
4801 - The workstation was unlocked
4802 - The screen saver was invoked
4803 - The screen saver was dismissed
4964 - Special groups have been assigned to a new logon
4976 - During Main Mode negotiation, IPsec received an invalid negotiation packet.
4977 - During Quick Mode negotiation, IPsec received an invalid negotiation packet.
4978 - During Extended Mode negotiation, IPsec received an invalid negotiation packet.
4979 - IPsec Main Mode and Extended Mode security associations were established.
4980 - IPsec Main Mode and Extended Mode security associations were established
4981 - IPsec Main Mode and Extended Mode security associations were established
4982 - IPsec Main Mode and Extended Mode security associations were established
4983 - An IPsec Extended Mode negotiation failed
4984 - An IPsec Extended Mode negotiation failed
5451 - An IPsec Quick Mode security association was established
5452 - An IPsec Quick Mode security association ended
5453 - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
5632 - A request was made to authenticate to a wireless network
5633 - A request was made to authenticate to a wired network
6272 - Network Policy Server granted access to a user
6273 - Network Policy Server denied access to a user
6274 - Network Policy Server discarded the request for a user
6275 - Network Policy Server discarded the accounting request for a user
6276 - Network Policy Server quarantined a user
6277 - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
6278 - Network Policy Server granted full access to a user because the host met the defined health policy
6279 - Network Policy Server locked the user account due to repeated failed authentication attempts
6280 - Network Policy Server unlocked the user account
Logon Types
2 Interactive (logon at keyboard and screen of system). Windows 2000 records Terminal Services logon as this type rather than Type 10.
3 Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon). Never logged by 528 on W2k and forward. See event 540.
4 Batch (i.e. scheduled task)
5 Service (Service startup)
7 Unlock (i.e. unattended workstation with password protected screen saver)
8 NetworkCleartext (Logon with credentials sent in clear text. Most often indicates a logon to IIS with "basic authentication")
9 NewCredentials
10 RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
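The logon type table, the NTLM status codes and the well-known RIDs from the slides that follow are the pieces an analyst combines when triaging 4624/4625 events. As an added example (written for these notes, not lecture code), the Python below runs a few such checks over a constructed list of logon events: it flags NetworkCleartext (type 8) logons, remote use of the built-in Administrator/Guest accounts recognised by their RID 500/501 suffix (the slide's S-1-5-*-500 pattern), explicit lockouts, and repeated failures from one source for one account. The event dictionaries and their field names are this example's own simplification of the event strings, not the raw event XML.

```python
import re
from collections import Counter

# Logon types for Security events 528/540/4624 and 529-539/4625 (from the slide)
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# NTSTATUS values carried by failure events (from the NTLM error code slide)
NTLM_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "user is currently locked out",
    0xC0000072: "account is currently disabled",
    0xC000006F: "user tried to logon outside his day of week or time of day restrictions",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expiration",
    0xC0000071: "expired password",
    0xC0000224: "user is required to change password at next logon",
}

# Built-in Administrator (RID 500) and Guest (RID 501): the slide's S-1-5-*-500 / -501
BUILTIN_RID = re.compile(r"^S-1-5-(?:\d+-)+(500|501)$")


def describe_logon_type(n: int) -> str:
    return LOGON_TYPES.get(n, f"unknown({n})")


def describe_failure(status: int) -> str:
    return NTLM_STATUS.get(status, f"unknown status 0x{status:08X}")


def triage_logons(events, failure_threshold: int = 3) -> list:
    """Return (rule, user, detail, source_ip) findings for a list of 4624/4625 events."""
    findings, failures = [], Counter()
    for e in events:
        ltype, ip = describe_logon_type(e["logon_type"]), e.get("source_ip")
        if e["event_id"] == 4624:
            if e["logon_type"] == 8:                 # credentials crossed the wire in clear
                findings.append(("cleartext-logon", e["user"], ltype, ip))
            m = BUILTIN_RID.match(e.get("sid", ""))
            if m and e["logon_type"] in (3, 10):     # built-in account used over the network
                who = "admin" if m.group(1) == "500" else "guest"
                findings.append((f"builtin-{who}-remote-logon", e["user"], ltype, ip))
        elif e["event_id"] == 4625:
            reason = describe_failure(e.get("status", 0))
            failures[(e["user"], ip)] += 1
            if e.get("status") == 0xC0000234:
                findings.append(("account-lockout", e["user"], reason, ip))
    for (user, ip), n in failures.items():
        if n >= failure_threshold:                   # repeated failures from one source
            findings.append(("repeated-failures", user, f"{n} failures", ip))
    return findings


# Constructed sample events (invented users, SIDs and addresses)
SAMPLE_EVENTS = [
    {"event_id": 4624, "logon_type": 2, "user": "jdoe", "sid": "S-1-5-21-11-22-33-1105"},
    {"event_id": 4624, "logon_type": 8, "user": "svc_web", "sid": "S-1-5-21-11-22-33-1200",
     "source_ip": "10.0.0.15"},
    *[{"event_id": 4625, "logon_type": 3, "user": "admin", "status": 0xC000006A,
       "source_ip": "10.0.0.5"} for _ in range(3)],
    {"event_id": 4624, "logon_type": 10, "user": "Administrator",
     "sid": "S-1-5-21-11-22-33-500", "source_ip": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 3, "user": "bob", "status": 0xC0000234,
     "source_ip": "10.0.0.9"},
]

if __name__ == "__main__":
    for finding in triage_logons(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The threshold and the rule set are deliberately small; the value of the structure is that each rule names the slide it comes from, so a false positive can be traced back to the table that produced it.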
Kerberos Failure Codes
Dec  Hex   Meaning (notes)
1    0x1   Client's entry in database has expired
2    0x2   Server's entry in database has expired
3    0x3   Requested protocol version # not supported
4    0x4   Client's key encrypted in old master key
5    0x5   Server's key encrypted in old master key
6    0x6   Client not found in Kerberos database (bad user name, or new computer/user account has not replicated to DC yet; common)
7    0x7   Server not found in Kerberos database (new computer account has not replicated yet or computer is pre-w2k; common)
8    0x8   Multiple principal entries in database
9    0x9   The client or server has a null key (administrator should reset the password on the account)
10   0xA   Ticket not eligible for postdating
11   0xB   Requested start time is later than end time
12   0xC   KDC policy rejects request (workstation/logon time restriction; common)
13   0xD   KDC cannot accommodate requested option
14   0xE   KDC has no support for encryption type
15   0xF   KDC has no support for checksum type
16   0x10  KDC has no support for padata type
17   0x11  KDC has no support for transited type
18   0x12  Clients credentials have been revoked (account disabled, expired, or locked out; common)
19   0x13  Credentials for server have been revoked
20   0x14  TGT has been revoked
21   0x15  Client not yet valid - try again later
22   0x16  Server not yet valid - try again later
23   0x17  Password has expired (the user's password has expired; common)
24   0x18  Pre-authentication information was invalid (usually means bad password; common)
25   0x19  Additional pre-authentication required*
More Kerberos Failure Codes
Dec  Hex   Meaning (notes)
31   0x1F  Integrity check on decrypted field failed
32   0x20  Ticket expired (frequently logged by computer accounts)
33   0x21  Ticket not yet valid
34   0x22  Request is a replay
35   0x23  The ticket isn't for us
36   0x24  Ticket and authenticator don't match
37   0x25  Clock skew too great (workstation's clock too far out of sync with the DC's; common)
38   0x26  Incorrect net address (IP address change?)
39   0x27  Protocol version mismatch
40   0x28  Invalid msg type
41   0x29  Message stream modified
42   0x2A  Message out of order
44   0x2C  Specified version of key is not available
45   0x2D  Service key not available
46   0x2E  Mutual authentication failed (may be a memory allocation failure)
47   0x2F  Incorrect message direction
48   0x30  Alternative authentication method required*
49   0x31  Incorrect sequence number in message
50   0x32  Inappropriate type of checksum in message
60   0x3C  Generic error (description in e-text)
61   0x3D  Field is too long for this implementation
NTLM Error Codes
Decimal     Hex       Reason
3221225572  C0000064  user name does not exist
3221225578  C000006A  user name is correct but the password is wrong
3221226036  C0000234  user is currently locked out
3221225586  C0000072  account is currently disabled
3221225583  C000006F  user tried to logon outside his day of week or time of day restrictions
3221225584  C0000070  workstation restriction
3221225875  C0000193  account expiration
3221225585  C0000071  expired password
3221226020  C0000224  user is required to change password at next logon
3221226021  C0000225  evidently a bug in Windows and not a risk
Useful Well Known Account SIDs
LOCAL_SYSTEM         S-1-5-18
IUSR                 S-1-5-17
LOCAL_SERVICE        S-1-5-19
NETWORK_SERVICE      S-1-5-20
Local Administrator  S-1-5-*-500
Local Guest          S-1-5-*-501
Event Log Security Events
516/4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517/1102 The audit log was cleared (specifies clearing user)
1100 The event logging service has shut down
1101 Audit events have been dropped by the transport.
1104 The security Log is now full
1105 Event log automatic backup
1108 The event logging service encountered an error
Other Security Events of Particular Interest
512/4608 - Windows NT is starting up
513/4609 - Windows is shutting down
520/4616 - The system time was changed
592/4688 - A new process has been created
593/4689 - A process has exited
560/4656 - Object Open (accessed)
564/4660 - Object Deleted
567/4657,4653 - Object Access Attempt (permissions exercised: read, write, delete, …)
601/4697 - Attempt to install service
602/4698,4699,4700,4701,4702 - Scheduled Task created
4618 - A monitored security event pattern has occurred
Various account management events
Example Scenario: Domain user logs in to workstation and maps network file share
Domain user (Kerberos authentication, Win2K3 server environment) logs in to workstation and maps a network file share to a file server
Events Logged:
Workstation
528 – successful logon
Domain Controller
672 – authentication ticket granted
673 – service ticket granted (workstation)
673 – service ticket granted (domain controller)
540 - Successful Network Logon
538 – User Logoff
673 – service ticket granted (file server)
File Server
540 - Successful Network Logon
538 – User Logoff
Events of Particular Interest in Sysevt.evt
7034 – Service Crashed Unexpectedly
7035 – Service sent a Stop/Start control
7036 – Service Started or Stopped
7040 – Start Type Changed (boot/manual/disabled)
20001 - Plug and Play driver install attempted (Vista/Win7 only, contains unique device ID)
Events of Interest in Appevt.evt
1033 – Installation Complete (success/fail)
1034 – Application Deinstall complete (success/fail)
11707 – Install Successful
11708 – Install Failed
11724 – Deinstall Successful
No log entry is created for failure to install due to lack of admin rights.
In Win7, application install information is logged to Setup.evtx.
Wireless Network Logging in Win7
WLAN-Autoconfig.evtx Event IDs
11000 Wireless Network Association Started
8001 Successful connection to wireless network
8002 Failed connection to wireless network
These events record the BSSID (Wireless MAC) of the associated AP, potentially enabling geolocation of the event.
Windows Text Logs
%windir%\Setuplog.txt - records information during Windows setup
%windir%\Setupact.log - actions that occurred during graphical portion of Windows setup process
%windir%\Setupapi.log - device, service pack, and hotfix installations (including plug and play devices)
%windir%\debug\Netsetup.log – workgroup & domain membership changes
%windir%\schedlgu.txt – Task Scheduler Log (Unicode)
%windir%\pfirewall.log – Windows firewall log (doesn't exist by default)
%windir%\debug\Mrt.log - Malicious Software Removal Tool install, update & scan results
%windir%\logs\cbs\Cbs.log – Vista/2K8 package manager
%WinDir%\System32\LogFiles\* - IIS (note that these entries have text timestamps in GMT)
C:\Documents and Settings\All Users\Application Data\Microsoft\DrWatson\drwatson32.log – program crashes (can sometimes flag exploitation)
Text Log Examination
Mandiant Highlighter is an excellent tool for review of text logs
Free from Mandiant
Histogram view shows line length distribution within file. This can immediately pinpoint anomalies, as in IIS logs
Allows graphical highlighting & hit counts of search results
Allows lines matching specified patterns to be eliminated from view
Can parse timestamps and plot events on a timeline
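The line-length histogram idea is simple enough to reproduce when Highlighter is not at hand. The Python below is an added example for these notes (it is not Highlighter's code and does not reproduce its interface): it buckets the data lines of a W3C-format IIS log by length and reports lines that are more than a chosen multiple of the median length, which is the kind of outlier the slide says the histogram makes obvious. The log lines are constructed; the one anomalous request carries an unusually long query string.

```python
from collections import Counter
from statistics import median


def line_length_histogram(text: str, bucket: int = 20) -> dict:
    """Count data lines per length bucket, giving a quick overview of a text log."""
    hist = Counter()
    for line in text.splitlines():
        if line and not line.startswith("#"):            # skip IIS directive lines
            hist[(len(line) // bucket) * bucket] += 1
    return dict(sorted(hist.items()))


def find_long_lines(text: str, factor: float = 2.0) -> list:
    """Return (line_number, length, line) for data lines longer than factor x the median.
    The median is robust to the outliers we are looking for, so they do not mask themselves."""
    lines = [(i, len(l), l) for i, l in enumerate(text.splitlines(), 1)
             if l and not l.startswith("#")]
    if not lines:
        return []
    typical = median(n for _, n, _ in lines)
    return [(i, n, l) for i, n, l in lines if n > factor * typical]


def _iis_line(time, uri, query, status, client="198.51.100.4"):
    """Build one constructed W3C log line with a fixed server IP and user agent."""
    return (f"2010-01-04 {time} 10.0.0.10 GET {uri} {query} 80 - {client} "
            f"Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) {status}")


# Constructed IIS log: ordinary requests plus one request with an unusually long query
SAMPLE_IIS_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) sc-status",
    _iis_line("10:01:02", "/index.htm", "-", 200),
    _iis_line("10:01:03", "/images/logo.gif", "-", 200),
    _iis_line("10:02:17", "/products.asp", "id=42", 200),
    _iis_line("10:02:18", "/products.asp", "id=43", 200),
    _iis_line("10:04:55", "/login.asp", "-", 302),
    _iis_line("10:07:44", "/search.asp", "q=" + "A" * 240, 500, client="198.51.100.77"),
    _iis_line("10:09:01", "/index.htm", "-", 200),
])

if __name__ == "__main__":
    print(line_length_histogram(SAMPLE_IIS_LOG))
    for lineno, length, line in find_long_lines(SAMPLE_IIS_LOG):
        print(f"line {lineno} ({length} chars): {line[:80]}...")
```

On a real log, pair the length check with the response code: the slide's point is that a long request that also produced a 500 stands out on the histogram before any signature is written for it.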
Application Metadata
Many different file types contain assorted metadata values
JPG images (example: iPhone Geolocation)
MS Office Documents (doc, docx, xls, xlsx, etc.)
PDF Documents
Portable Executables (exe, sys, dll)
Some document formats support embedded files - these may in turn contain metadata
Best generic & well-maintained tool for extraction is Phil Harvey's exiftool
Office Default Metadata Values
Title
Subject
Author
Keywords
Comments
Template
Last author
Revision number
Application name
Last print date
Creation date
Last save time
Total editing time
Number of pages
Number of words
Number of characters
Security
Category
Format
Manager
Company
Number of bytes
Number of lines
Number of paragraphs
Number of slides
Number of notes
Number of hidden slides
Number of multimedia clips
Hyperlink base
Number of characters (with spaces)
Old Office Metadata
Old Office versions (I believe 2K3 and previous) stored the last ten account names to update the document. These can be extracted from the document's OLE metadata stream using Pinpoint Metaviewer.
Also in early Word 97 and previous, the MAC address of the system used to create a document was stored. Standard part of the system's GUID.
Manual Examination of New (XML) Office Files (docx, xlsx, pptx)
Unzip the file
Result will be a folder
Examine the file docProps\app.xml under that extracted folder
Metadata values will be encoded in XML
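The unzip-and-read procedure above is easy to script once many documents need the same treatment. The following Python is an added example for these notes (not lecture code and not exiftool): it opens a docx/xlsx/pptx as the zip it is, reads every leaf value from docProps/app.xml and docProps/core.xml (core.xml holds the author, last-modified-by and timestamps; app.xml the application, company and counts), and lists any embedded objects, which the Application Metadata slide notes may carry metadata of their own. The sample document is built in memory with invented values so the example runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET   # for untrusted files prefer defusedxml (same API)

METADATA_PARTS = ("docProps/app.xml", "docProps/core.xml")


def office_metadata(src) -> dict:
    """Return {"app:Tag" / "core:Tag": text} for every leaf element in the docProps parts.
    src may be a path, an open binary file, or the bytes of an Office Open XML file."""
    if isinstance(src, (bytes, bytearray)):
        src = io.BytesIO(src)
    out = {}
    with zipfile.ZipFile(src) as z:
        names = set(z.namelist())
        for part in METADATA_PARTS:
            if part not in names:
                continue
            prefix = part.rsplit("/", 1)[1][:-4]            # "app" or "core"
            root = ET.fromstring(z.read(part))
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]             # strip the XML namespace
                if len(el) == 0 and el.text and el.text.strip():
                    out[f"{prefix}:{tag}"] = el.text.strip()
    return out


def embedded_parts(src) -> list:
    """List embedded objects (word/, xl/ or ppt/ embeddings), each a file of its own."""
    if isinstance(src, (bytes, bytearray)):
        src = io.BytesIO(src)
    with zipfile.ZipFile(src) as z:
        return sorted(n for n in z.namelist() if "/embeddings/" in n)


# --- constructed sample document (all values invented) ---
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Template>Normal.dotm</Template><TotalTime>47</TotalTime><Pages>3</Pages><Words>812</Words>
<Application>Microsoft Office Word</Application><Company>Example Corp</Company>
<AppVersion>12.0000</AppVersion></Properties>"""

CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q4 budget</dc:title><dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>asmith</cp:lastModifiedBy><cp:revision>14</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2010-01-04T09:12:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2010-01-11T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://'
                   'schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats'
                   '.org/wordprocessingml/2006/main"/>')
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for key, value in sorted(office_metadata(doc).items()):
        print(f"{key:22} {value}")
    print("embedded:", embedded_parts(doc))
```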
PDF Metadata
Typical XMP PDF Metadata Tags
Author
Copyright
CreationDate
Creator (application name)
Keywords
Marked (boolean value)
ModDate
PDFVersion
Producer (application name)
Subject
Title
Trapped
The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files
Metadata in JPG Images
Newer digital cameras & phones often geotag images with GPS coordinates
Can also potentially identify the specific camera that took a picture
Lots of data about specific camera settings at the time the picture was taken
Can sometimes identify photo editing software used to alter the image
Some images carry an internal thumbnail which can be extracted
Typical Metadata in a Portable Executable File (exe/sys/dll)
Machine Type
Time Stamp (compiled)
PE Type
Linker Version
Code Size
Initialized Data Size
Uninitialized Data Size
Entry Point
OS Version
Image Version
Subsystem Version
Subsystem (GUI/DOS/Native)
File Version Number
Product Version Number
File Flags Mask
File Flags
File OS
Object File Type (app/dll)
File Subtype
Language Code
Character Set
Company Name
File Description
File Version
Internal Name
Legal Copyright
Original Filename
Product Name
Product Version
Product Date
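The first half of that list (machine type through subsystem, plus app/dll) comes straight from the COFF and optional headers, so it can be read without any library. The Python below is an added example for these notes, not lecture code and not exiftool: it follows e_lfanew from the DOS header to the PE signature, unpacks the header fields at their documented offsets, converts the compile time stamp, and flags a time stamp that is zero or in the future, a common sign of a tampered or packed binary. The version-resource fields in the second half of the list (Company Name, Product Version and so on) live in the .rsrc section and are not parsed here. The sample is a constructed PE32 DLL header with no sections, built only so the parser can run offline.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64", 0x200: "Itanium"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI", 9: "Windows CE GUI",
              10: "EFI application", 16: "Windows boot application"}
IMAGE_FILE_DLL = 0x2000


def parse_pe_metadata(buf: bytes) -> dict:
    """Extract the COFF/optional-header fields from the slide (not the version resource)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    if opt_size < 70:
        raise ValueError("optional header too short for the fields parsed here")
    # Offsets 0-19 are identical for PE32 and PE32+; 40-51 and 68 are also shared.
    magic, lnk_major, lnk_minor, code, init, uninit, entry = struct.unpack_from("<HBBIIII", buf, opt)
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", buf, opt + 40)
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]
    now = int(datetime.now(timezone.utc).timestamp())
    return {
        "machine": MACHINES.get(machine, f"0x{machine:04x}"),
        "sections": n_sections,
        "time_stamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "time_stamp_plausible": 0 < stamp < now,     # zero or future: worth a closer look
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"0x{magic:x}"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "initialized_data_size": init,
        "uninitialized_data_size": uninit,
        "entry_point": entry,
        "os_version": f"{os_maj}.{os_min}",
        "image_version": f"{img_maj}.{img_min}",
        "subsystem_version": f"{ss_maj}.{ss_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"0x{subsystem:x}"),
        "object_type": "dll" if chars & IMAGE_FILE_DLL else "exe",
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 DLL header (headers only, no sections; not a loadable image)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                       # e_lfanew
    # x86, 3 sections, stamp 2010-01-01 00:00:00 UTC, 96-byte optional header,
    # characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1262304000, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 9, 0, 0x1000, 0x800, 0, 0x1234)
    struct.pack_into("<6H", opt, 40, 5, 1, 1, 0, 5, 1)              # OS 5.1, image 1.0, subsys 5.1
    struct.pack_into("<H", opt, 68, 2)                               # Windows GUI
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_metadata(build_sample_pe()).items():
        print(f"{key:26} {value}")
```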
Metadata Extraction Tools
Exiftool (Phil Harvey)
Free
Immensely capable multiformat extraction
Thumbnails
Mechanism for creating and storing thumbnail images of pictures & first pages of documents for use in folder previews
Pre-Vista: Thumbs.db
Vista+: Thumbcache
Pre-Vista: Thumbs.db
Populated in any folder which has been at one time set to show thumbnails of included images & documents
Hidden file, not viewed by most users and not cleaned out when files are removed from the folder
Uses OLE compound document format (similar to Office 2K3 and previous) to store:
thumbnail picture of original image or first page of document
last modification time
original filename
Thumbs.db Analysis
Binary format is a mess. Sector based, devised in the days of floppy disks.
Free Tool: Mitec Windows File Analyzer
Another one: Vinetto (open source python script – also does Vista thumbcache)
Format is also parsed directly by EnCase and FTK
Vista+: Thumbcache
Single, centrally stored file for each user
Thumbcache_32.db (small)
Thumbcache_96.db (medium)
Thumbcache_256.db (large)
Thumbcache_1024.db (extra large)
Thumbcache_idx.db
Thumbcache_sr.db
Located in <profile>\AppData\Local\Microsoft\Windows\Explorer
All created when a folder is switched to thumbnail mode or views pictures in a slideshow
Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers
Numbered files store actual images, linking to files is done by idx file.
Purpose of sr file not yet determined
Reading Assignment for Next Week
The remaining sections in Chapter 4 of the Carvey book
Chapters 3 (Volume Shadow Copies) & 7 (Timeline Analysis) in the Carvey book
I didn't assign chapter 6 for this week, but I probably should have. You might want to scan through that briefly
Questions?
Recommended