Transcript Chapter 3

Computer Forensics
Chapter 3
Understanding the Windows
Registry
*
Understanding the Windows Registry
• Registry
– A database that stores hardware and software
configuration information, network connections, user
preferences, and setup information
• For investigative purposes, the Registry can
contain valuable evidence
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x
systems
– Regedt32 for Windows 2000 and XP
Exploring the Organization of the
Windows Registry
• Registry terminology:
–
–
–
–
–
–
–
–
–
Registry
Registry Editor
HKEY
Key
Subkey
Branch
Value
Default value
Hives
Exploring the Organization of the
Windows Registry (continued)
Exploring the Organization of the
Windows Registry (continued)
Understanding Microsoft
Startup Tasks
*
Understanding Microsoft Startup
Tasks
• Learn what files are accessed when Windows
starts
• This information helps you determine when a
suspect’s computer was last accessed
– Important with computers that might have been used
after an incident was reported
Startup in Windows NT and Later
• All Windows NT computers perform the following
steps when the computer is turned on:
–
–
–
–
–
–
Power-on self test (POST)
Initial startup
Boot loader
Hardware detection and configuration
Kernel loading
User logon
Startup Process for Windows Vista
• Uses the new Extensible Firmware Interface ( EFI)
as well as the older BIOS sys-tem.
• NT Loader (NTLDR) has been replaced by three
boot utilities
– Bootmgr.exe—displays list of operating systems
– Winload.exe—loads kernel, HAL, and drivers
– Winresume.exe—restarts Vista after hibernation
• See link Ch 6g
Startup Files for Windows XP
•
•
•
•
•
•
•
•
•
NT Loader (NTLDR)
Boot.ini
BootSect.dos
NTDetect.com
NTBootdd.sys
Ntoskrnl.exe
Hal.dll
Pagefile.sys
Device drivers
Startup in Windows NT and Later
(continued)
• Windows XP System Files
Startup in Windows NT and Later
(continued)
• Contamination Concerns with Windows XP
– When you start a Windows XP NTFS workstation,
several files are accessed immediately
• The last access date and time stamp for the files
change to the current date and time
– Destroys any potential evidence
• That shows when a Windows XP workstation was last
used
Startup in Windows 9x/Me
• System files in Windows 9x/Me containing valuable
information can be altered easily during startup
• Windows 9x and Windows Me have similar boot
processes
• Windows 9x OSs have two modes:
– DOS protected-mode interface (DPMI)
– Protected-mode GUI
Startup in Windows 9x/Me (continued)
• The system files used by Windows 9x have their
origin in MS-DOS 6.22
– Io.sys communicates between a computer’s BIOS,
the hardware, and the OS kernel
• If F8 is pressed during startup, Io.sys loads the
Windows Startup menu
– Msdos.sys is a hidden text file containing startup
options for Windows 9x
– Command.com provides a command prompt when
booting to MS-DOS mode (DPMI)
Understanding MS-DOS
Startup Tasks
*
Understanding MS-DOS Startup Tasks
• Two files are used to configure MS-DOS at startup:
– Config.sys
• A text file containing commands that typically run only
at system startup to enhance the computer’s DOS
configuration
– Autoexec.bat
• A batch file containing customized settings for MSDOS that runs automatically
• Io.sys is the first file loaded after the ROM
bootstrap loader finds the disk drive
Understanding MS-DOS Startup Tasks
(continued)
• Msdos.sys is the second program to load into RAM
immediately after Io.sys
– It looks for the Config.sys file to configure device
drivers and other settings
• Msdos.sys then loads Command.com
• As the loading of Command.com nears completion,
Msdos.sys looks for and loads Autoexec.bat
Other Disk Operating Systems
• Control Program for Microprocessors (CP/M)
– First nonspecific microcomputer OS
– Created by Digital Research in 1970
– 8-inch floppy drives; no support for hard drives
• Digital Research Disk Operating System (DR-DOS)
– Developed in 1988 to compete with MS-DOS
– Used FAT12 and FAT16 and had a richer command
environment
Other Disk Operating Systems
(continued)
• Personal Computer Disk Operating System (PCDOS)
– Created by Microsoft under contract for IBM
– PC-DOS works much like MS-DOS
Determining What Data to
Collect and Analyze
*
Determining What Data to Collect and
Analyze
• Examining and analyzing digital evidence depends
on:
–
–
–
–
Nature of the case
Amount of data to process
Search warrants and court orders
Company policies
• Scope creep
– Investigation expands beyond the original description
• Right of full discovery of digital evidence
Approaching Computer Forensics
Cases
• Some basic principles apply to almost all computer
forensics cases
– The approach you take depends largely on the
specific type of case you’re investigating
• Basic steps for all computer forensics
investigations
– For target drives, use only recently wiped media that
have been reformatted
• And inspected for computer viruses
Approaching Computer Forensics
Cases (continued)
• Basic steps for all computer forensics
investigations (continued)
– Inventory the hardware on the suspect’s computer
and note the condition of the computer when seized
– Remove the original drive from the computer
• Check date and time values in the system’s CMOS
– Record how you acquired data from the suspect
drive
– Process the data methodically and logically
Approaching Computer Forensics
Cases (continued)
• Basic steps for all computer forensics
investigations (continued)
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in
all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related
to the investigation
• Make your best effort to recover file contents
Approaching Computer Forensics
Cases (continued)
• Basic steps for all computer forensics
investigations (continued)
– Identify the function of every executable (binary or
.exe) file that doesn’t match known hash values
– Maintain control of all evidence and findings, and
document everything as you progress through your
examination
Refining and Modifying the
Investigation Plan
• Considerations
–
–
–
–
Determine the scope of the investigation
Determine what the case requires
Whether you should collect all information
What to do in case of scope creep
• The key is to start with a plan but remain flexible in
the face of new evidence
Using AccessData Forensic Toolkit to
Analyze Data
• Supported file systems: FAT12/16/32, NTFS,
Ext2fs, and Ext3fs
• FTK can analyze data from several sources,
including image files from other vendors
• FTK produces a case log file
• Searching for keywords
– Indexed search
– Live search
– Supports options and advanced searching
techniques, such as stemming
Using AccessData Forensic Toolkit to
Analyze Data (continued)
Using AccessData Forensic Toolkit to
Analyze Data (continued)
Using AccessData Forensic Toolkit to
Analyze Data (continued)
• Analyzes compressed files
• You can generate reports
– Using bookmarks
Using AccessData Forensic Toolkit to
Analyze Data (continued)
Locating and Recovering
Graphics Files
*
Locating and Recovering Graphics
Files
• Operating system tools
– Time consuming
– Results are difficult to verify
• Computer forensics tools
– Image headers
• Compare them with good header samples
• Use header information to create a baseline analysis
– Reconstruct fragmented image files
• Identify data patterns and modified headers
Identifying Graphics File Fragments
• Carving or salvaging
– Recovering all file fragments
• Computer forensics tools
– Carve from slack and free space
– Help identify image files fragments and put them
together
Repairing Damaged Headers
• Use good header samples
• Each image file has a unique file header
– JPEG: FF D8 FF E0 00 10
– Most JPEG files also include JFIF string
• Exercise:
– Investigate a possible intellectual property theft by a
contract employee of Exotic Mountain Tour Service
(EMTS)
Searching for and Carving Data from
Unallocated Space
Searching for and Carving Data from
Unallocated Space (continued)
Searching for and Carving Data from
Unallocated Space (continued)
• Steps
– Planning your examination
– Searching for and recovering digital photograph
evidence
• Use ProDiscover to search for and extract (recover)
possible evidence of JPEG files
• False hits are referred to as false positives
Searching for and Carving Data from
Unallocated Space (continued)
Searching for and Carving Data from
Unallocated Space (continued)
Searching for and Carving Data from
Unallocated Space (continued)
Searching for and Carving Data from
Unallocated Space (continued)
Searching for and Carving Data from
Unallocated Space (continued)
Rebuilding File Headers
• Try to open the file first and follow steps if you can’t
see its content
• Steps
– Recover more pieces of file if needed
– Examine file header
• Compare with a good header sample
• Manually insert correct hexadecimal values
– Test corrected file
Rebuilding File Headers (continued)
Rebuilding File Headers (continued)
Rebuilding File Headers (continued)
Reconstructing File Fragments
• Locate the starting and ending clusters
– For each fragmented group of clusters in the file
• Steps
– Locate and export all clusters of the fragmented file
– Determine the starting and ending cluster numbers
for each fragmented group of clusters
– Copy each fragmented group of clusters in their
proper sequence to a recovery file
– Rebuild the corrupted file’s header to make it
readable in a graphics viewer
Reconstructing File Fragments
(continued)
Reconstructing File Fragments
(continued)
Reconstructing File Fragments
(continued)
Reconstructing File Fragments
(continued)
Reconstructing File Fragments
(continued)
• Remember to save the updated recovered data
with a .jpg extension
• Sometimes suspects intentionally corrupt cluster
links in a disk’s FAT
– Bad clusters appear with a zero value on a disk
editor
Reconstructing File Fragments
(continued)
Reconstructing File Fragments
(continued)
Network Forensics Overview
Network Forensics Overview
• Network forensics
– Systematic tracking of incoming and outgoing traffic
• To ascertain how an attack was carried out or how an
event occurred on a network
• Intruders leave trail behind
• Determine the cause of the abnormal traffic
– Internal bug
– Attackers
Securing a Network
• Layered network defense strategy
– Sets up layers of protection to hide the most
valuable data at the innermost part of the network
• Defense in depth (DiD)
– Similar approach developed by the NSA
– Modes of protection
• People (hiring and treatment)
• Technology (firewalls, IDSs, etc.)
• Operations (patches, updates)
Securing a Network (continued)
• Testing networks is as important as testing servers
• You need to be up to date on the latest methods
intruders use to infiltrate networks
– As well as methods internal employees use to
sabotage networks
Performing Live Acquisitions
Performing Live Acquisitions
• Live acquisitions are especially useful when you’re
dealing with active network intrusions or attacks
• Live acquisitions done before taking a system
offline are also becoming a necessity
– Because attacks might leave footprints only in
running processes or RAM
• Live acquisitions don’t follow typical forensics
procedures
• Order of volatility (OOV)
– How long a piece of information lasts on a system
Performing Live Acquisitions
(continued)
• Steps
– Create or download a live-acquisition forensic CD
– Make sure you keep a log of all your actions
– A network drive is ideal as a place to send the
information you collect; an alternative is a USB disk
– Copy the physical memory (RAM)
– The next step varies: search for rootkits, check
firmware, image the drive over the network, or shut
down for later static acquisition
– Be sure to get a forensic hash value of all files you
recover during the live acquisition
Performing a Live Acquisition in
Windows
• Several tools are available to capture the RAM.
–
–
–
–
Mantech Memory DD
Win32dd
winen.exe from Guidance Software
BackTrack
Developing Standard
Procedures for Network
Forensics
*
Developing Standard Procedures for
Network Forensics
• Long, tedious process
• Standard procedure
– Always use a standard installation image for
systems on a network
– Close any way in after an attack
– Attempt to retrieve all volatile data
– Acquire all compromised drives
– Compare files on the forensic image to the original
installation image
Developing Standard Procedures for
Network Forensics (continued)
• Computer forensics
– Work from the image to find what has changed
• Network forensics
– Restore drives to understand attack
• Work on an isolated system
– Prevents malware from affecting other systems
Reviewing Network Logs
• Record ingoing and outgoing traffic
– Network servers
– Routers
– Firewalls
• Tcpdump tool for examining network traffic
– Can generate top 10 lists
– Can identify patterns
• Attacks might include other companies
– Do not reveal information discovered about other
companies
Using Network Tools
Using Network Tools
• Sysinternals
– A collection of free tools for examining Windows
products
• Examples of the Sysinternals tools:
–
–
–
–
RegMon shows Registry data in real time
Process Explorer shows what is loaded
Handle shows open files and processes using them
Filemon shows file system activity
SysInternals
• Link Ch 11b
Using Network Tools (continued)
• Tools from PsTools suite created by Sysinternals
–
–
–
–
–
–
–
–
–
PsExec runs processes remotely
PsGetSid displays security identifier (SID)
PsKill kills process by name or ID
PsList lists details about a process
PsLoggedOn shows who’s logged locally
PsPasswd changes account passwords
PsService controls and views services
PsShutdown shuts down and restarts PCs
PsSuspend suspends processes
Using UNIX/Linux Tools
• Knoppix Security Tools Distribution (STD)
– Bootable Linux CD intended for computer and
network forensics
• Knoppix-STD tools
–
–
–
–
–
Dcfldd, the U.S. DoD dd version
memfetch forces a memory dump
photorec grabs files from a digital camera
snort, an intrusion detection system
oinkmaster helps manage your snort rules
Using UNIX/Linux Tools (continued)
• Knoppix-STD tools (continued)
– john
– chntpw resets passwords on a Windows PC
– tcpdump and ethereal are packet sniffers
• With the Knoppix STD tools on a portable CD
– You can examine almost any network system
Using UNIX/Linux Tools (continued)
• BackTrack
– Contains more than 300 tools for network scanning,
brute-force attacks, Bluetooth and wireless
networks, and more
– Includes forensics tools, such as Autopsy and Sleuth
Kit
– Easy to use and frequently updated
Using Packet Sniffers
• Packet sniffers
– Devices or software that monitor network traffic
– Most work at layer 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Some packets can be identified by examining the
flags in their TCP headers
TCP Header
• From Wikipedia
Tools
• Tcpdump (command-line packet capture)
• Tethereal (command-line version of Ethereal)
• Wireshark (formerly Ethereal)
– Graphical packet capture analysis
• Snort (intrusion detection)
• Tcpslice
– Extracts information from one or more tcpdump files
by time frame
Tools
•
•
•
•
•
•
Tcpreplay (replays packets)
Tcpdstat (near-realtime traffic statistics)
Ngrep (pattern-matching for pcap captures)
Etherape (views network traffic graphically)
Netdude (GUI tool to analyze pcap files)
Argus (analyzes packet flows)
Examining the Honeynet Project
• Attempt to thwart Internet and network hackers
– Provides information about attacks methods
• Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
– A recent major threat
– Hundreds or even thousands of machines
(zombies) can be used
Examining the Honeynet Project
(continued)
Examining the Honeynet Project
(continued)
• Zero day attacks
– Another major threat
– Attackers look for holes in networks and OSs and
exploit these weaknesses before patches are
available
• Honeypot
– Normal looking computer that lures attackers to it
• Honeywalls
– Monitor what’s happening to honeypots on your
network and record what attackers are doing
Examining the Honeynet Project
(continued)
• Its legality has been questioned
– Cannot be used in court
– Can be used to learn about attacks
• Manuka Project
– Used the Honeynet Project’s principles
• To create a usable database for students to examine
compromised honeypots
• Honeynet Challenges
– You can try to ascertain what an attacker did and
then post your results online