COEN 250 Computer Forensics
Windows Live Analysis

Extracting Evidence from a Live System
- Degrees of volatility of data.
- Gathering more volatile data versus safer forensics.

Extracting Evidence from a Live System
Live examination is done:
- To quickly assess the situation: confirmation of incident.
- To retrieve volatile data, such as network connections, running

Extracting Evidence from a Live System
- Initial response must not destroy potential evidence.
- Use only trusted tools on a response toolkit.
- Document results: notebook; hard drive of target system; removable media connected to target drive; other system using netcat.

Extracting Evidence from a Live System
- Plan the investigation.
- Evidence gathering differs according to the incident:
  - Unacceptable web-surfing.
  - Intellectual property rights

Extracting Evidence from a Live System: Response Toolkit
- Collection of trusted tools.
- Stored on removable media: floppies

Response Toolkit
- Determine the tools needed.
- Create the toolkit.
- Check dependencies on DLLs and other files. Include those in the toolkit.
- Include a file authentication tool such as MD5.

Response Toolkit: cmd.exe
- Built-in command prompt.

Response Toolkit: netstat
- Enumerates all listening ports and all connections to those ports.
- Suspicious connection? (No, Windows

Response Toolkit: rasusers
- Which users have remote access privileges on the target system.

Response Toolkit: Fport
- Finds open TCP/IP and UDP ports and maps them to the owning application.

Response Toolkit: pslist
Response Toolkit: ListDLLs
Response Toolkit: nbtstat
Response Toolkit: arp

Response Toolkit: kill
- Get it from the Windows NT Resource Kit.
- Terminates processes via process number.

Response Toolkit: md5sum
- Creates MD5 hashes for a file.

Response Toolkit: PsLogList
- Dumps the event log list.

Response Toolkit: PsInfo
- Local system build.

Remote Toolkit: PsFile
Remote Toolkit: PsLoggedOn
Response Toolkit: PsService
Response Toolkit: regdump

Preparing the Toolkit
- Label the toolkit.
- Check for dependencies with Filemon. Lots of dependencies => lots of MAC changes.
- Create an MD5 of the toolkit.
- Write-protect any floppies.
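The "create an MD5 of the toolkit" step, carried through as an added example (not from the COEN 250 slides): a manifest of every tool and dependency DLL on the response media is built once, kept on the forensic workstation, and re-checked before each use so a swapped binary or a stray file is noticed before the toolkit touches a target. The toolkit directory, file names and contents below are constructed stand-ins; the manifest uses the two-space layout that md5sum -c reads.

```python
"""Build and verify an MD5 manifest for a response toolkit.

Added example, not from the COEN 250 slides. It assumes the toolkit is a
directory of tool binaries plus their dependency DLLs on the response media,
and that the manifest is stored on the forensic workstation rather than on
the media it describes. Manifest lines use the "<md5>  <relative path>"
layout that md5sum -c reads, so the toolkit's own md5sum can re-check it.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def md5_file(path: Path) -> str:
    """MD5 of one file, read in 64 KiB chunks so large binaries need no extra memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(toolkit_dir: Path) -> Dict[str, str]:
    """Map each file's path (relative to the toolkit root, POSIX separators) to its MD5."""
    manifest: Dict[str, str] = {}
    for path in sorted(toolkit_dir.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(toolkit_dir).as_posix()] = md5_file(path)
    return manifest


def write_manifest(manifest: Dict[str, str], out_path: Path) -> None:
    """Write in md5sum's text format: hash, two spaces, relative path."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {rel}\n")


def read_manifest(manifest_path: Path) -> Dict[str, str]:
    """Parse the manifest back; tolerates md5sum's "*" binary-mode marker."""
    manifest: Dict[str, str] = {}
    for line in manifest_path.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(" ", 1)
        manifest[rel.lstrip(" *")] = digest.lower()
    return manifest


def verify_toolkit(toolkit_dir: Path, manifest_path: Path) -> List[str]:
    """Compare the media against the manifest.

    Returns a sorted list of problems ("MODIFIED <path>", "MISSING <path>",
    "UNLISTED <path>"); an empty list means the toolkit is exactly as hashed.
    """
    expected = read_manifest(manifest_path)
    actual = build_manifest(toolkit_dir)
    problems: List[str] = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"MISSING {rel}")
        elif actual[rel] != digest:
            problems.append(f"MODIFIED {rel}")
    problems.extend(f"UNLISTED {rel}" for rel in actual if rel not in expected)
    return sorted(problems)


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed toolkit, hash it, then tamper with it and re-check."""
    root = Path(tempfile.mkdtemp())
    toolkit = root / "toolkit"
    toolkit.mkdir()
    # Constructed stand-ins for trusted tool binaries (not real executables).
    for name in ("cmd.exe", "fport.exe", "netstat.exe", "md5sum.exe"):
        (toolkit / name).write_bytes(b"trusted:" + name.encode())
    manifest = root / "toolkit.md5"  # kept off the response media
    write_manifest(build_manifest(toolkit), manifest)
    clean = verify_toolkit(toolkit, manifest)
    # Simulate a swapped tool and a stray file appearing on the media.
    (toolkit / "fport.exe").write_bytes(b"not the tool we hashed")
    (toolkit / "unknown.dll").write_bytes(b"dropped in later")
    tampered = verify_toolkit(toolkit, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean media:", before or "OK")
    print("tampered media:", after)
```

The manifest is deliberately stored away from the floppy or USB stick: a manifest that lives on the same write-protected media is only as trustworthy as the media, and an unlisted file is reported too, since a dependency DLL that was never hashed is exactly the kind of thing Filemon would have flagged.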
Storing Obtained Data
- Save data on the hard drive of the target. (Modifies the system.)
- Record data by hand.
- Save data on removable media. Includes USB storage.
- Save data on a remote system with netcat or cryptcat.

Storing Obtained Data with netcat
- Quick on, quick off the target system.
- Allows offline review.
- Establish a netcat listener on the forensic workstation. Redirect into a file.
- Establish a netcat funneler on the target system to the forensic workstation.
- Cryptcat does the same, but protects against sniffing.
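The listener/funneler exchange above, reproduced as an added example that is not part of the slides: a forensic-workstation listener that redirects the incoming byte stream into a file and hashes it on receipt, and a target-side funnel that streams a tool's output and closes the connection. Both halves run on 127.0.0.1 here so the example is self-contained; the fport text being sent is constructed.

```python
"""Netcat-style transfer of live-response output to a forensic workstation.

Added example, not from the COEN 250 slides. It reproduces the two halves of
the netcat setup with Python sockets: a listener that redirects everything it
receives into a file and hashes it on arrival, and a "funneler" that streams a
tool's output to that listener and closes the connection. Here both halves
run on 127.0.0.1; in a real response the listener runs on the forensic
workstation and the funnel is the trusted nc.exe on the target, so nothing is
written to the target's disk.
"""
import hashlib
import socket
import tempfile
import threading
from pathlib import Path
from typing import Dict, Tuple

# Constructed stand-in for fport output captured on the target.
TOOL_OUTPUT = (
    b"Pid   Process            Port  Proto Path\n"
    b"1260  svchost        ->  5000  TCP   C:\\WINNT\\system32\\svchost.exe\n"
)


def start_listener(out_path: Path, host: str = "127.0.0.1") -> Tuple[int, threading.Thread, Dict[str, object]]:
    """Forensic-workstation side: bind an ephemeral port and, in a thread, accept
    one connection and write its byte stream to out_path (the "> file" redirect).
    The returned dict receives 'bytes' and 'md5' once the sender closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result: Dict[str, object] = {}

    def serve() -> None:
        conn, _peer = srv.accept()
        srv.close()
        digest = hashlib.md5()
        received = 0
        with conn, open(out_path, "wb") as fh:
            while True:
                chunk = conn.recv(65536)
                if not chunk:  # EOF: the funnel closed its side
                    break
                fh.write(chunk)
                digest.update(chunk)
                received += len(chunk)
        result["bytes"] = received
        result["md5"] = digest.hexdigest()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return port, worker, result


def funnel(host: str, port: int, payload: bytes) -> None:
    """Target side: send the tool's output and shut down the write side, which
    is the EOF the listener uses to know the capture is complete."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)


def transfer(payload: bytes = TOOL_OUTPUT) -> Dict[str, object]:
    """Run one capture end to end and return what was stored plus its hashes."""
    out_path = Path(tempfile.mkdtemp()) / "fport.txt"
    port, worker, result = start_listener(out_path)
    funnel("127.0.0.1", port, payload)
    worker.join(timeout=5)
    stored = out_path.read_bytes()
    return {
        "path": str(out_path),
        "bytes": result.get("bytes"),
        "md5": result.get("md5"),
        "stored": stored,
        "file_md5": hashlib.md5(stored).hexdigest(),
    }


if __name__ == "__main__":
    info = transfer()
    print(f"stored {info['bytes']} bytes at {info['path']}, md5 {info['md5']}")
```

Hashing on receipt gives the examiner a digest to record in the notebook alongside the command, the system time and the listener port, which is what makes the offline review defensible later. Plain netcat sends the stream in clear, which is the sniffing exposure the slide's cryptcat remark refers to.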
Obtaining Volatile Data
Store at least:
- System date and time.
- List of current users.
- List of current processes.
- List of currently open sockets.
- Applications listening on open sockets.
- List of systems with current or recent connections to the system.

Obtaining Volatile Data: Procedure
- Execute a trusted cmd.exe.
- Record system time and date.
- Determine who is logged on.
- Record file MAC times.
- Determine open ports.
- List all applications associated with open ports.

Obtaining Volatile Data: Procedure
- List all running processes.
- List current and recent connections.
- Record the system time and date.
- Document the commands used during initial

Recording System Time
Determining File MAC
Determining Open Ports
Listing Applications with Open Ports
Listing All Running Processes
List Current Connections
Scripting the Response

Examples
- Use Fport to look at open ports.
- Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers

Examples
- If, on your home system, fport shows a suspicious port in use and netstat shows a current connection to this port, then kill

Examples
- Knowing what processes are running does not do you any good. You need to know what they are doing.
- At least, know the

Examples
- Access the registry with RegDump. Then study it with regedit on the forensic system.

Examples
- Assume generic monitoring of systems.
- Look for unusual resource utilization or process behavior: missing processes, added processes, processes with unusual user identification.

Examples
- The Windows Task Manager can be very helpful.

Examples: Detecting and Deleting Trojans
- Use port scanning tools, either on the host machine or a remote machine: Fport (Windows), SuperScan (Windows), Nmap, netstat (for open connections).

Examples: Detecting and Deleting Trojans
- Identify the Trojan on the disk.
- Find out how it is being initiated and prevent the process.
- Reboot the machine and delete the Trojan.

Example
- Run SuperScan on localhost to check for open ports. What is happening at port 5000?

Example
- Run fport. Connected to process 1260.

Example
- Use pslist to find out what this is. Connected to a process called svchost.

Example
- Do an internet search on svchost. The process checks the service portion of the registry to start services that need to run.
- Use Tasklist /SVC in a command prompt.

Example
- Nothing serious here. At least not on the surface.
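The two worked questions in this deck, "which open ports are on the suspicious list and currently connected?" and "what owns port 5000?", share the same parsing, so one added example (not from the slides) serves both. It runs on the forensic workstation over text captured from the target, for instance files received through the netcat listener, and executes no tool itself. The Fport and netstat -an captures below are constructed to mimic those tools' layouts and include the pid 1260 / port 5000 / svchost case; the suspicious-port table is a short constructed stand-in for the investigator's own reference list.

```python
"""Correlate Fport and netstat captures from a live response.

Added example, not from the COEN 250 slides. It parses text captured from
the target (Fport and "netstat -an" output) on the forensic workstation,
answers "what owns this port?" and flags ports that are on a suspicious-port
list and have an established connection. Sample captures are constructed;
SUSPICIOUS_PORTS is a placeholder for the investigator's real reference list.
"""
import re
from typing import Dict, List, NamedTuple, Optional

FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
# IPv4 only; a bracketed IPv6 local address would need a different pattern.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

# Ports historically associated with well-known Trojans (placeholder list).
SUSPICIOUS_PORTS: Dict[int, str] = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Constructed capture in Fport's layout (banner, header, then one line per port).
FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1260  svchost        ->  5000  TCP   C:\\WINNT\\system32\\svchost.exe
1488  sysupd         ->  12345 TCP   C:\\TEMP\\sysupd.exe
"""

# Constructed capture in "netstat -an" layout.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:12345     10.9.8.7:4021          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


class Listener(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str


class Connection(NamedTuple):
    proto: str
    local_port: int
    remote: str
    state: str


def parse_fport(text: str) -> List[Listener]:
    """Banner and header lines do not match the pattern and are skipped."""
    return [
        Listener(int(m[1]), m[2], int(m[3]), m[4], m[5].strip())
        for m in map(FPORT_LINE.match, text.splitlines()) if m
    ]


def parse_netstat(text: str) -> List[Connection]:
    """UDP rows have no state column; they come back with an empty state."""
    return [
        Connection(m[1], int(m[3]), f"{m[4]}:{m[5]}", m[6])
        for m in map(NETSTAT_LINE.match, text.splitlines()) if m
    ]


def lookup_port(listeners: List[Listener], port: int) -> Optional[Listener]:
    """The 'what is happening at port 5000?' question: port -> owning pid, name, path."""
    return next((l for l in listeners if l.port == port), None)


def suspicious(listeners: List[Listener], conns: List[Connection],
               watchlist: Dict[int, str] = SUSPICIOUS_PORTS) -> List[dict]:
    """Fport entries on the watchlist, annotated with any established peers
    (the slide's 'suspicious port AND current connection' condition)."""
    peers: Dict[int, List[str]] = {}
    for c in conns:
        if c.state == "ESTABLISHED":
            peers.setdefault(c.local_port, []).append(c.remote)
    return [
        {"pid": l.pid, "process": l.process, "port": l.port, "path": l.path,
         "label": watchlist[l.port], "peers": peers.get(l.port, [])}
        for l in listeners if l.port in watchlist
    ]


if __name__ == "__main__":
    listeners = parse_fport(FPORT_OUTPUT)
    conns = parse_netstat(NETSTAT_OUTPUT)
    print("port 5000 ->", lookup_port(listeners, 5000))
    for f in suspicious(listeners, conns):
        status = f"connected to {', '.join(f['peers'])}" if f["peers"] else "listening only"
        print(f"pid {f['pid']} {f['process']} port {f['port']} ({f['label']}): {status}")
```

In the constructed data, port 5000 resolves to pid 1260, svchost, from the system directory, which is the "nothing serious on the surface" outcome of the deck's walk-through, while the watch-listed port has a foreign peer attached and is the case the deck says to take further with pslist or Tasklist /SVC. A pslist or Tasklist /SVC capture would be parsed the same way and joined on the pid.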