COEN 250 Computer Forensics: Windows Live Analysis

Extracting Evidence from a Live System

Degrees of volatility of data. The trade-off: gathering the more volatile data versus following the safer forensic procedures.

Extracting Evidence from a Live System

A live examination is done to quickly assess the situation (confirmation of the incident) and to retrieve volatile data such as network connections, running processes, etc.

Extracting Evidence from a Live System

The initial response must not destroy potential evidence.

Use only trusted tools from a response toolkit.

Document results in one of:
a notebook;
the hard drive of the target system;
removable media connected to the target system;
another system, using netcat or cryptcat.

Extracting Evidence from a Live System

Plan the investigation. Evidence gathering differs according to the incident:
unacceptable web surfing;
intellectual property theft;
compromised system.

Extracting Evidence from a Live System

Response toolkit: a collection of trusted tools, stored on removable media:
floppies (write-protected);
CD;
thumb drive (write-protected).

Response Toolkit

Determine the tools needed. Create the toolkit. Check dependencies on DLLs and other files, and include those in the toolkit. Include a file authentication tool such as MD5.

Response Toolkit: cmd.exe

Built-in command prompt.

Response Toolkit

netstat: enumerates all listening ports and all connections to those ports.

Suspicious connection? (No, Windows Messenger.)

Response Toolkit

rasusers: shows which users have remote access privileges on the target system.

Response Toolkit

Fport: finds open TCP/IP and UDP ports and maps them to the owning application.

Response Toolkit: pslist

Resource Toolkit: ListDLLs

Resource Toolkit: nbtstat

Resource Toolkit: arp

Resource Toolkit: kill

Get it from the Windows NT Resource Kit. Terminates processes by process ID.

Resource Toolkit: md5sum. Creates an MD5 hash of a file.

Resource Toolkit: PsLogList. Dumps the event log.

Resource Toolkit: PsInfo

Local system build.

Resource Toolkit: PsFile

Resource Toolkit: PsLoggedOn

Resource Toolkit: PsService

Resource Toolkit: regdump

Preparing the Toolkit

Label the toolkit. Check for dependencies with Filemon: lots of dependencies mean lots of MAC-time changes on the target. Create an MD5 of the toolkit. Write-protect any floppies.
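The "create an MD5 of the toolkit" step as an added example (not code from the slides): an md5sum-style manifest is recorded when the toolkit is prepared and checked again before use, so a modified or missing tool is caught. The toolkit directory and its placeholder files are constructed inside the demo.

```python
import hashlib
import os
import tempfile

def md5_file(path, chunk=65536):
    """MD5 of one file, read in chunks (the value md5sum would print)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(toolkit_dir):
    """Map every file under toolkit_dir (relative path) to its MD5."""
    manifest = {}
    for root, _, files in os.walk(toolkit_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, toolkit_dir)] = md5_file(full)
    return manifest

def verify_manifest(toolkit_dir, manifest):
    """Compare the toolkit on disk against the recorded manifest.
    Returns (modified, missing, unexpected) as sorted lists of relative paths."""
    current = build_manifest(toolkit_dir)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return modified, missing, unexpected

def demo():
    """Constructed toolkit of placeholder files: tamper with one, delete another."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("cmd.exe", b"trusted shell"), ("fport.exe", b"fport"),
                           ("pslist.exe", b"pslist")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)       # recorded at preparation time
        with open(os.path.join(d, "fport.exe"), "ab") as f:
            f.write(b"!")                  # simulate a modified binary
        os.remove(os.path.join(d, "pslist.exe"))
        return verify_manifest(d, manifest)

if __name__ == "__main__":
    print(demo())  # (['fport.exe'], ['pslist.exe'], [])
```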

Storing Obtained Data

Save data on the hard drive of the target (this modifies the system).

Record data by hand.

Save data on removable media, including USB storage.

Save data on a remote system with netcat or cryptcat.

Storing Obtained Data with netcat

Quick on, quick off the target system; allows offline review.

Establish a netcat listener on the forensic workstation, redirected into a file.

Establish a netcat funneler on the target system that sends the output to the forensic workstation.

Cryptcat does the same but protects against sniffing.

Obtaining Volatile Data

Store at least:
the system date and time;
the list of current users;
the list of current processes;
the list of currently open sockets;
the applications listening on each open socket;
the list of systems with current or recent connections to the system.

Obtaining Volatile Data: Procedure

Execute a trusted cmd.exe.
Record the system time and date.
Determine who is logged on.
Record file MAC times.
Determine open ports.
List all applications associated with open ports.

Obtaining Volatile Data: Procedure

List all running processes.
List current and recent connections.
Record the system time and date again.
Document the commands used during the initial response.

Recording System Time

Determining Logons

Determining File MAC

Determining Open Ports

Listing Applications with Open Ports

Listing all running processes

List current connections

Documenting history

Scripting the response

Examples: use Fport to look at open ports. Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware: www.doshelp.com/trojanports.htm

Examples: if, on your home system, fport shows a suspicious port in use and netstat shows a current connection to this port, then kill the process.
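The fport-plus-netstat check described above, as an added example that is not part of the original slides: the fport listing is parsed for port-to-process ownership, the netstat -an listing for live peers, and the two are joined against a Trojan-port watch list. The watch list is a constructed three-entry excerpt (the slides point to doshelp.com for a real one), and both tool outputs are constructed samples laid out like the real tools, including the svchost-on-5000 case from the walkthrough later in the deck, which is correctly not flagged.

```python
import re

# Constructed excerpt of a Trojan-port watch list; the slides point to
# www.doshelp.com/trojanports.htm for a full one. Hypothetical, not from the deck.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Constructed sample output in the layout of fport and "netstat -an".
FPORT_OUT = """Pid   Process            Port  Proto Path
1260  svchost        ->  5000  TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1884  update         ->  27374 TCP   C:\\WINNT\\Temp\\update.exe
"""
NETSTAT_OUT = """  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:5000       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:27374      10.0.0.9:1034          ESTABLISHED
"""

FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+)(?:\s+(\S+))?")

def parse_fport(text):
    """(proto, port) -> (pid, process, path) for each fport row."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            owners[(proto, int(port))] = (int(pid), proc, path.strip())
    return owners

def parse_netstat(text):
    """(proto, local port) -> [(remote endpoint, state), ...] from netstat -an."""
    conns = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, port, remote, state = m.groups()
            conns.setdefault((proto, int(port)), []).append((remote, state or ""))
    return conns

def triage(fport_text, netstat_text, watchlist=TROJAN_PORTS):
    """Join both listings; report watch-listed ports with their owning process
    and any ESTABLISHED peers (the 'suspicious port plus live connection' case)."""
    owners, conns = parse_fport(fport_text), parse_netstat(netstat_text)
    findings = []
    for (proto, port), (pid, proc, path) in sorted(owners.items()):
        if port not in watchlist:
            continue  # e.g. svchost on 5000: not flagged by the port list alone
        peers = [r for r, s in conns.get((proto, port), []) if s == "ESTABLISHED"]
        findings.append({"port": port, "proto": proto, "pid": pid, "process": proc,
                         "path": path, "match": watchlist[port], "established": peers})
    return findings
```

A hit with a non-empty "established" list is the case the slide describes; a port that is merely listening still needs the process identified before anything is killed.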

Examples

Knowing what processes are running does you no good by itself: you need to know what they are doing.

At least know the typical processes.

Examples

Access the registry with RegDump, then study it with regedit on the forensic system.

Examples

Assume generic monitoring of systems. Look for:
unusual resource utilization or process behavior;
missing processes;
added processes;
processes with unusual user identification.

Examples: the Windows Task Manager can be very helpful.

Examples: Detecting and Deleting Trojans

Use port scanning tools, either on the host machine or from a remote machine:
Fport (Windows);
SuperScan (Windows);
Nmap;
netstat (for open connections).

Examples: Detecting and Deleting Trojans

Identify the Trojan on the disk.
Find out how it is being started and prevent the process from starting.
Reboot the machine and delete the Trojan.

Example

Run SuperScan on the local host to check for open ports.

What is happening at port 5000?

Example

Port 5000?

Example: run fport. Port 5000 belongs to process 1260.

Example: use pslist to find out what this is. Process 1260 is called svchost.

Example

Do an internet search on svchost: the process checks the service portion of the registry to start services that need to run.

Use Tasklist /SVC in a command prompt.

Example

Nothing serious here. At least not on the surface.

Recommended