Responder_Forensic_TrainingV1x 2.71 MiB


Memory Forensics
Training
HBGary, Inc.
www.hbgary.com
Agenda
• Introduction
• Windows memory basics
• Collecting memory images
• Recover and analyze data
• Identify suspicious activity
• Generate Report
Introductions
• Trainers
– Rich Cummings
• Participants: introduce yourselves to the class
– Name
– Experience in Computer Forensics
– What tools do you use?
– Why are you here?
– What would you like to learn in this class?
NOTE: All trademarks referenced in this presentation are the property of their respective owners.
What You’ll Learn
• Windows Memory Basics
• Live Memory Collection – good, bad, ugly
– Best practices for memory preservation
– Options for preserving memory
– Preparing media for collection
• Analysis Of Memory
– Rebuilding the state of the machine
– Recovering Data
– Searching for artifacts
– Methodology and approach for various investigation situations
• Generating a Report
Today’s Schedule/Agenda
• How Windows Memory Works (basics)
• How to Prepare a Memory Forensic Toolkit
– Software
• Live Memory Collection – good, bad, ugly
– Best practices for memory preservation
– Options for preserving memory
– Preparing media for collection
• Analysis Of Memory
– Rebuilding the state of the machine
– Searching for artifacts
– Methodology and approach for various investigation situations
• Final Exam
Disclaimer
This 1 day class will not cover:
1. Disk Based Forensics
2. Reverse Engineering Malware
3. Assembly Language tutorial
4. Live Incident Response - tomorrow
Class Structure
• Lecture for each section - Concepts
• Demonstration/Movie
• Hands-on Lab Exercises
• Final Exam last 2 hours
• Focus: Computer Forensic Investigations
Applications we’ll investigate
• Microsoft Internet Explorer
• Microsoft Outlook 2007
• Skype
• Yahoo instant messenger
• Webmail – Gmail
• Webmail – yahoo
• Poison Ivy –
Goals, Content to Recover
• Passwords for webmail – internet explorer
• Password for Hushmail – internet explorer
• Outlook 2007 - IMAP
• Encryption Software
• Encrypted Chat sessions – Skype
• File names transferred through Skype
• Dates and time stamps of messages sent via Skype
• Internet Explorer – Browser Helper Objects
Labs Exercises
1. Collect and Preserve Windows Memory
2. Analyze Memory Images off-line
3. Forensic Investigation Cases
– 3 Different Scenarios
4. Generate Report
Key
The start of a new training section or concept
Movie that illustrates the concept
Instructor demo
Class exercise
A helpful analysis hint
Class Admin Stuff
• Receive
– Responder Installation CD
– Numbered HASP key
– Class DVD
• Install VMware (if it’s not on your machine)
• Install Responder
• Copy DVD contents to your local hard drive
– C:\XXXXXX\
CONCEPT 1:
How Windows
Memory Works
How Windows Works
• Because we don’t trust the operating system, we can’t use it
• Responder must manually do everything the OS would do
• Windows is very complex
– Understatement
• Thousands of structures
– Can change between versions
– Mostly undocumented
• Hacks on top of short cuts on top of optimizations on top of millions of lines of code...
How Windows Works
• Who knows?
– Not many people
– Sysinternals – Microsoft bought them...
– Greg, Martin, and Shawn from HBGary.
Windows Memory Model
[Diagram: 32-bit address space] User: 0x00000000 to 0x80000000; Kernel: 0x80000000 to 0xFFFFFFFF
Windows Memory Model
[Diagram] Each process has its own 2GB user address space (Solitaire.exe, Skype.exe, Truecrypt.exe, Winword.exe), each running 0x00000000 to 0x80000000; the Kernel occupies 0x80000000 to 0xFFFFFFFF
Windows Memory Model
[Diagram: Windows 2003 Server with the /3GB boot switch] User: 0x00000000 to 0xC0000000; Kernel: 0xC0000000 to 0xFFFFFFFF
Windows Architecture
[Diagram] User Mode: System Support Processes, Service Processes, User Applications, Environment Subsystems, Subsystem DLL’s. Kernel Mode: Executive, Kernel, Device Drivers, Windowing and Graphics, Hardware Abstraction Layer.
Source: Windows Internals, 4th Edition
Windows Architecture
[Diagram, detailed] User Mode – System Processes: Session manager, Winlogon, Service control Mgr (Services.exe), LSASS, WinMgt.exe, SpoolSv.exe, SvcHost.exe; Services; User Applications: Explorer, Windows Task Mgr; Environment Subsystems: Windows, OS/2, Posix; Windows DLL’s; NTDLL.DLL.
Kernel Mode – System Threads; System Service Dispatcher; Executive: I/O MGR, Device & File sys Drivers, File System Cache, Object Manager, Plug & Play Mgr, Security Reference Monitor, Virtual Memory, Processes & Threads, Config Mgr (registry), Local Procedure Call; Windows User, GDI; Graphics Drivers; Kernel; Hardware Abstraction Layer (HAL).
Address Translation Process
Source: Microsoft Windows Internals, 4th Edition
Virtual to Physical Mappings
• Logical Data – better than strings...
[Diagram: virtual memory pages mapped onto physical memory]
Virtual to Physical Mappings
• Include Pagefile.sys = More Data
[Diagram: virtual memory pages mapped onto both the paging file and the memory image]
Process Information
• EPROCESS
– Contains KPROCESS
• Start and Termination times (we’ll recover these soon)
• PID and Parent PID
• Heaps
– Points to PEB
• BeingDebugged
• Path to executable
• Command Line arguments
• Loaded Modules (DLLs)
– Points to ETHREAD, other EPROCESS
Finding the Processes
• Active Process Links
Process Relationships
Idle
  System (pid 0)
    Smss (pid xyz) (ppid 0)
      Csrss (pid xyz1) (ppid xyz)
      Winlogon (and so on…)
        Services
          alg
          svchost
        Lsass
        Userinit (exits after Explorer starts)
          Explorer
Process Information
• Full name and path
• Command line arguments
• Process ID number (PID)
• Parent PID
• Current working directory
• Window Title
• Handles
– Files, devices, drivers
• List of loaded modules
– DLLs
Process information
• System processes have defined parents
– cmd.exe should not be the parent of lsass.exe
• Most user processes are started by Explorer.exe
• It’s suspicious when they’re not
– Maybe started from a command prompt
– Orphaned process –
• no PPID or Parent!
• Some system processes should never start programs
– lsass.exe should not start cmd.exe
Process information
• List of DLLs for each process
– Responder gets the name, path, and size of each
• What is solitaire.exe doing with wsock32.dll?
• What is iexplore doing with c:\temp\WS2_32.dll?
• What if there is no path information or memory mapped files?
– Injected code!
– Possible Rootkit
– Where is it on the disk?
Process Information
• Suspicious program names
– Parishilton.exe
• Suspicious command lines
– C:\TEMP\solitaire -L -p 1029 -e cmd.exe
– c:\windows\system32\cmd.exe
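The parent/child and loaded-module checks on these slides, written out as an added example (not Responder's code): it audits a constructed process list, laid out the way an EPROCESS walk would present it, against an assumed XP-era boot chain. The expected-parent table, the system-DLL list and the sample PIDs are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Proc:
    """One entry as reconstructed from an EPROCESS block (constructed here)."""
    pid: int
    ppid: int
    name: str
    cmdline: str = ""
    modules: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (dll, path or None)


# Assumed expected parents for the boot chain shown on the slide (XP-era tree).
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe", "alg.exe": "services.exe",
    "userinit.exe": "winlogon.exe", "explorer.exe": "userinit.exe",
}
ROOTS = {"idle", "system"}                  # no meaningful parent to check
NEVER_PARENTS = {"lsass.exe", "csrss.exe"}  # should never launch programs
SYSTEM_DLLS = {"ws2_32.dll", "wsock32.dll", "ntdll.dll", "kernel32.dll"}
SYSTEM_DIR = r"c:\windows\system32"


def audit(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for parent/child and module anomalies."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name in ROOTS:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else None
        if parent is None:
            # Explorer is legitimately orphaned: userinit.exe exits after starting it.
            if name != "explorer.exe":
                findings.append((p.pid, f"{p.name}: orphaned, parent pid {p.ppid} is gone"))
        elif name in EXPECTED_PARENT:
            if pname != EXPECTED_PARENT[name]:
                findings.append((p.pid, f"{p.name}: parent is {parent.name}, "
                                        f"expected {EXPECTED_PARENT[name]}"))
        elif pname in NEVER_PARENTS:
            findings.append((p.pid, f"{p.name}: started by {parent.name}, "
                                    "which should never start programs"))
        elif pname != "explorer.exe":
            findings.append((p.pid, f"{p.name}: user process not started by "
                                    f"Explorer (parent {parent.name})"))
        for dll, path in p.modules:
            if path is None:
                findings.append((p.pid, f"{p.name}: {dll} has no backing file "
                                        "(injected code?)"))
            elif dll.lower() in SYSTEM_DLLS and not path.lower().startswith(SYSTEM_DIR):
                findings.append((p.pid, f"{p.name}: {dll} loaded from {path}, "
                                        f"not {SYSTEM_DIR}"))
    return findings


# Constructed process list mirroring the slide's examples (not from a real image).
SAMPLE = [
    Proc(0, 0, "Idle"),
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe"),
    Proc(584, 368, "csrss.exe"),
    Proc(608, 368, "winlogon.exe"),
    Proc(652, 608, "services.exe"),
    Proc(664, 608, "lsass.exe"),
    Proc(840, 652, "svchost.exe"),
    Proc(1400, 1320, "explorer.exe"),            # userinit (1320) already exited
    Proc(1632, 1400, "iexplore.exe", modules=[("WS2_32.dll", r"c:\temp\WS2_32.dll")]),
    Proc(1960, 664, "cmd.exe", r"c:\windows\system32\cmd.exe"),  # lsass started a shell
    Proc(2044, 1960, "solitaire.exe", r"C:\TEMP\solitaire -L -p 1029 -e cmd.exe",
         [("wsock32.dll", None)]),
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE):
        print(f"pid {pid}: {reason}")
```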
CONCEPT 2:
Why Memory
Forensics?
Memory Forensics is…
Random Access Memory (RAM)
• It’s the state of the computer
– Very far down into the weeds
Strings is not enough…
• Find all ASCII and Unicode Strings
– Old School – since 2002
– Answers "what" (sometimes)
– Don't know when, who, where, or why
– Only Physical Search –
• cannot tie the content to a process and then to user....
Strings is not enough…
• Produces HUGE amounts of data
– Sometimes more than 1,000,000 ASCII strings – OMG!
– No contextual information
• Lots of good info
– Mostly on-screen messages
– Open documents
– Program names
– Passwords
– Network Connection info
Why Memory Forensics?
• Encryption Keys*
– BitLocker, PGP Whole Disk Encryption, etc.
• What was happening on the system...
– Running programs, open documents
– Unpacked contents of packed programs
– Network connections
• What was really happening on the system
– Not the sanitized (lying) version from the OS
– Hidden programs, rootkits, injected code
• Destroying the Hacker Defense
– What was really happening on the system
– What was running ten minutes before the knock and talk
Why Memory Forensics?
[Diagram: “A more Complete Investigation” – to execute, it must exist in RAM; contrasted with Traditional Forensics & Security Software]
Why Live Memory Forensics?
• Today it’s Easy!
• Mission-critical systems
– 99.999999% availability
• Anti-forensic techniques used by bad guys
– Hax0rs
– Cyber spies
– Cybercriminals
• Valuable info in RAM cannot be found on disk
– Passwords, encryption keys
– Network packets, screen shots
– Private chat sessions, unencrypted data, unsaved documents, etc.
Why Offline Analysis?
• No more operating system to be fooled
– Rootkits and malware “lie”
– Operating system cannot be trusted! Can’t Use it!
• Everything is recreated from the bottom up
– Physical layer
– Replicates disk forensics approach
• Can Detect Malware that Anti-Virus cannot
• Can Detect Malware that Host Based IDS/IPS cannot
• Verify the “Run-Time” state of the system
– Proactively
Useful Information in RAM
• Processes and Drivers
• Loaded Modules
• Network Socket Info
• Passwords
• Encryption Keys
• Decrypted files
• Order of execution
• Runtime State Information
• Rootkits
• Configuration Information
• Logged in Users
• NDIS buffers
• Open Files
• Unsaved Documents
• Live Registry
• Video Buffers – screen shots
• BIOS Memory
• VOIP Phone calls
• Advanced Malware
• Instant Messenger chat
Bad Guys use Memory Tricks
• Memory injection attacks never touch the disk
• Public and commercial hacker tools have used these techniques for over 3 years
– Metasploit Framework
www.metasploit.com
– Canvas
www.immunitysec.com
– Core Impact
www.coresecurity.com
• No good software detection mechanism without physical memory preservation and offline analysis
– Remember: you cannot trust the operating system!
History Of Memory Analysis
• Relatively New
– There are some imagers, but nothing solid for analysis
• Freeware Scene – started in 2003
– DFRWS community, Kornblum, Carvey, others
• Academic Scene – Jan. 2008
– The Princeton Video “frozen memory”
• Open Source & Academic Projects
– Perl scripts
– Hex editors
– Strings.exe, grep searches, manual carving
– Volatility framework
Defeat the Trojan Defense
• “I didn’t do it, the Trojan horse did!”
– “the hacker controlling my PC did”
• Used in the UK - 2003
– Plausible deniability because Law Enforcement didn’t image physical memory
– Law Enforcement destroyed 4 GB of “evidence”
• 4GB is equivalent to 1,048,576 pages of paper
• That's about 2,097 reams of paper
– Goal: “to prove the negative”
• “No, your Honor, there was no Trojan or any other software running on the defendant’s machine at the time in question with the capabilities claimed by the defense…”
Live Memory Forensics Risks
• RAM Collection software relies on the host OS
– Can be subverted
• Some software more invasive than others
– Usually load about 10 modules from the operating system
Live Memory Forensics Risks
• Rootkits
– User Mode
• Can modify system commands (netstat, ipconfig)
– Kernel Mode
• Can hide and modify low level blocks of memory/disk
• Can subvert software dumping of RAM
• That’s why we’re working on ICEDUMP
– Similar to the Princeton approach
** Countermeasures to kernel-mode rootkits:
– VMware Snapshot Files: pause the processor
– Hiberfil.sys: contents of RAM are written to non-volatile storage before the system is powered down.
Counter-Measures
• Pause the Processor – Virtual Machines
• Existing Memory Images (made by Windows)
– Hibernation Files – file system
– Crash Dumps – file system
Hibernation
• Saves system state to disk for faster resume
• Compress physical memory and write it to c:\hiberfil.sys
– Space reserved when hibernation enabled
– Not cleared, contains disk free space
[Diagram: hiberfil.sys is the size of physical memory – compressed memory first, the remainder is leftover disk data]
• No data if enabled but never used
• Once used, always some data maintained
Hibernation
• Not enabled by default* until Windows Vista
– Now called Sleep
Hibernation
• Header
– Wiped upon successful restore
• Free Pages
• Page Tables
• Compressed Data
CONCEPT 3:
Memory Collection
Memory Collection
• Software Memory Imagers
– FastDump Pro – HBGary
– WinHex – X-Ways
– DD derivatives (FAU, DD from Garner, NiGilent32, Helix)
– Winen – Guidance Software
– MDD – Mantech
• Hardware Memory Imagers
– Firewire “Tribble”, other projects online
– Princeton Video: freeze the RAM
Memory Collection – Best Practices
• Goal: Be “Minimally Invasive” to suspect machine
• DO NOT acquire RAM to the local system hard drive
– Invasive – possibly destroy important data
• Use external thumb drive
• Image the RAM to sterile media
– Freshly wiped drive, preferably with all zeros.
– Reformat the drive to NTFS –
• FAT 32 File system has 2GB file size limitation
• FDPro cannot split up the file into chunks yet…
– Generate MD5 hash at time of collection – save with memory image
• Used to verify integrity of file
“Smear” Image
• Software creates a “smear” image
– Not a “true” duplicate image
– This process is not reproducible
• In order to create a “true” image
– Hardware is required
– Virtualization can “pause” the processor
– Crash Dump
– Hibernation File (hiberfil.sys)
HBGary FastDump™
• Software used to dump physical RAM
• Works on Windows Operating Systems
– Windows 2000 – 2008 Server
– 32 and 64 Bit
– PAE and Non-PAE
Fastdump Pro
Memory Collection Video
• Collecting the physical memory
• Movie: FDPro_RAM1.wmv
Exercise 1:
Memory Collection
Memory Collection Exercise
• Location of Fastdump Pro :
– C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\
1. Copy FDPro to USB 2.0 Drive
2. Create a Memory Snapshot
– E:\FDPro.exe RAMdump.bin
– FDPro writes the memory snapshot to the location where FDPro was run from unless you specify a separate path.
• Ex: E:\fdpro X:\Memory.bin
– Take 10 – 15 minutes
CONCEPT 4:
Memory & Pagefile
Collection
Virtual to Physical Mapping
• Partial Address Translation – No Pagefile.sys
[Diagram: virtual memory mapped onto the memory image only]
Virtual to Physical Mappings
• Robust Address Translation = More Data
[Diagram: virtual memory mapped onto the memory image, prototype PTEs and the paging file]
Why Collect Pagefile?
More accurate recovery of data
More complete Memory Investigation
• HBGary Testing:
– Memory Image – 70,000 URL’s
– Same Memory with Pagefile.sys – 500,000 URL’s
– Memory Image – no passwords found
– Memory Image with Pagefile.sys – Domain Administrator PW
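How the address translation behind these slides works, and why a paged-out page is only recoverable when pagefile.sys was collected, as an added example that is not HBGary code: a 32-bit non-PAE page-table walk over a constructed RAM image and a constructed pagefile. The PTE bit layout (valid, transition, prototype, pagefile number and page number) is assumed from the Windows x86 format; every frame, address and string below is constructed.

```python
import struct

PAGE = 0x1000
PTE_VALID = 1 << 0
PDE_LARGE = 1 << 7
PTE_PROTOTYPE = 1 << 10
PTE_TRANSITION = 1 << 11


def read_u32(buf, off):
    """Little-endian 32-bit read; None if the offset falls outside the image."""
    if off < 0 or off + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, off)[0]


def translate(vaddr, cr3, ram, have_pagefile):
    """Walk the two-level x86 (non-PAE) page tables for one virtual address.

    Returns ("ram", physical_offset), ("pagefile", file_offset) or None when the
    page cannot be recovered from the evidence collected. Assumed Windows x86 PTE
    layout: bit 0 valid, bit 10 prototype, bit 11 transition, bits 1-4 pagefile
    number, bits 12-31 page frame number or pagefile page number.
    """
    pde = read_u32(ram, cr3 + ((vaddr >> 22) & 0x3FF) * 4)
    if pde is None or not pde & PTE_VALID:
        return None
    if pde & PDE_LARGE:  # 4 MB page: the PDE maps the frame directly
        return ("ram", (pde & 0xFFC00000) | (vaddr & 0x3FFFFF))
    pte = read_u32(ram, (pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
    if pte is None or pte == 0:
        return None  # page never touched: nothing to carve
    offset = vaddr & 0xFFF
    if pte & PTE_VALID or (pte & PTE_TRANSITION and not pte & PTE_PROTOTYPE):
        return ("ram", (pte & 0xFFFFF000) | offset)  # still in physical RAM
    if pte & PTE_PROTOTYPE:
        return None  # prototype PTE: resolving it needs the section object
    if not have_pagefile:
        return None  # swapped out and pagefile.sys was not collected
    return ("pagefile", (pte >> 12) * PAGE + offset)


def recover(vaddr, cr3, ram, pagefile, length):
    """Read `length` bytes at a virtual address from the RAM image and/or pagefile."""
    where = translate(vaddr, cr3, ram, pagefile is not None)
    if where is None:
        return None
    backing, off = where
    src = ram if backing == "ram" else pagefile
    return bytes(src[off:off + length])


# Constructed evidence: 8 pages of "RAM" and 8 pages of "pagefile".
RAM = bytearray(8 * PAGE)
PAGEFILE = bytearray(8 * PAGE)
CR3 = 0x0000                                                      # page directory in frame 0
PT = 0x1000                                                       # page table in frame 1
struct.pack_into("<I", RAM, CR3 + 0 * 4, PT | PTE_VALID)          # PDE[0] -> page table
struct.pack_into("<I", RAM, PT + 2 * 4, 0x2000 | PTE_VALID)       # VA 0x2000: resident, frame 2
struct.pack_into("<I", RAM, PT + 3 * 4, 5 << 12)                  # VA 0x3000: paged out, pagefile page 5
struct.pack_into("<I", RAM, PT + 4 * 4, 0x3000 | PTE_TRANSITION)  # VA 0x4000: transition, frame 3
RAM[0x2000:0x2000 + 28] = b"https://mail.example.invalid"
RAM[0x3000:0x3000 + 15] = b"transition-page"
PAGEFILE[5 * PAGE:5 * PAGE + 27] = b"session=constructed-sample\x00"


def demo():
    """The same virtual addresses read with and without pagefile.sys in evidence."""
    return {
        "resident": recover(0x2000, CR3, RAM, None, 28),
        "paged_no_pagefile": recover(0x3000, CR3, RAM, None, 26),
        "paged_with_pagefile": recover(0x3000, CR3, RAM, PAGEFILE, 26),
        "transition": recover(0x4000, CR3, RAM, None, 15),
    }
```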
Memory & Pagefile Collection
Video
• Collect physical memory & pagefile.sys
Movie: FDPro_RAM_Pagefile1.wmv
Exercise 2:
Memory & Pagefile
Collection
Memory & Pagefile Exercise:
• Location of Fastdump Pro :
– C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\
1. Copy FDPro to USB 2.0 Drive
2. Create a Memory Snapshot with Pagefile.sys
– E:\fdpro.exe RAMdump_Pagefile.hpak
– Take 15 – 20 minutes
CONCEPT 5:
Memory Collection with
Process Probe
Goal of Process Probe
• GOAL of Process Probe: To force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to the Pagefile.sys and also code that is still contained in the executable on disk but not in use; this code will also be called into RAM prior to acquisition of physical memory.
Why Process Probe?
Because Process Probe will often provide the investigator with a much more accurate and complete picture of the executable code and the data.
Process Probe Feature Detail: The process probe feature allows you to control what memory is “paged-in” to RAM from SWAP AND the File System before FDPro performs RAM acquisition. When you use the -probe smart feature, FDPro.exe will walk the entire process list and make sure *all* code is called into RAM. The result is that we’re able to recover almost 100% of the user-land process memory by causing these pages to be activated & paged in on the fly. The Probe feature will even force code from the file system into RAM for a specific process.
The Process Probe feature can dramatically improve the quality and thoroughness of Live Windows Memory Forensic Investigations and Malware Analysis.
Why Process Probe?
When would I use the Process Probe feature?
During any “LIVE” network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. You’re going to want to get any and all possible information relative to the applications running on the computer that are pertinent to your investigation. Examples of these applications include instant messengers, IP Telephony, internet browsers, malware, encryption applications, a database, media players, and other applications. Examples of data you can get access to include encrypted data, passwords, unencrypted chat sessions, documents, emails, internet searches, internet postings, password protected websites, etc.
Process Probe Best Practices
Forensic best practices dictate that an investigator or analyst should always acquire RAM first (and the Pagefile too) without running the Probe Feature.
After “freezing the current state” of the RAM, the investigator/analyst should run FDPro again, this time using the Probe Feature. Even when grabbing the pagefile, the probe feature can force code from the file system not being used into RAM.
Process Probe Best Practices
Example Steps:
• Arrive at server or workstation suspected in the computer incident or forensic investigation
1. Collect RAM to “freeze the runtime state of the machine”. This is a full RAM image with Pagefile.
If you’re doing any sort of malware analysis, Reverse Engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and -probe smart on your very first image to save time, but you should know that this technique will leave a larger footprint in RAM than only performing a memory acquisition.
Memory Collection with
Process Probe Video
• Collecting physical memory with Process Probe
Movie: FDPro_Probe1.wmv
Exercise 3:
Memory Collection
with Process Probe
Memory Collection with Process
Probe Exercise
• Location of Fastdump Pro :
– C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\
1. Copy FDPro to USB 2.0 Drive
2. Create a Memory Snapshot using the following commands
– E:\fdpro.exe RAMdump_Process_Probe.bin -probe all
– E:\fdpro.exe RAMdump_Process_Probe.bin -probe smart
– E:\fdpro.exe RAMdump_Process_Probe.bin -probe pid #
CONCEPT 6:
HBGary Responder™ Overview
Responder Overview
[Diagram: Responder Professional spans Live Physical Memory Forensics, Computer Forensics, Computer Intrusions, Runtime & Binary Forensics, Rootkit Detection and Malware Analysis]
HBGary Responder Pro™
• Embodies the HBGary IR Methodology
• Complements disk forensic investigations
• Commercial shipping product to analyze RAM images
• “Windows without Windows”
– Carves all Windows Memory images for Win2k, XP, 2003, Vista, 2008 Server
• All service packs
• 32 & 64 bit
Creating a Project
Wizard walks you through project creation
• Two basic types
– Physical Memory Snapshot
• Live memory analysis (all running processes)
– Static PE Import
*** Not part of Field Edition
• Binary import and analysis
• Project details
– Why you are analyzing this machine
– Date & Timestamps
Importing a Snapshot
• File → Import → Physical Memory Snapshot
– Select Snapshot File
– Add Details About the Snapshot
• Why is it of interest?
– Select Post-Import Options
• Extract and Analyze all Suspicious Binaries
• Generate the Malware Analysis report
• Same steps when importing a static binary
– File → Import → Import Executable Binary
The Scanning Process
• Import Memory Snapshot
– Validate the Page Table layout and size
– Identify PAE/Non PAE
– Identify OS and Service pack
– Reconstruct Object Manager
– Rebuild EPROCESS Blocks
– Rebuild the VAD Tree
– Scan for Rootkits
– Scan for patterns
– Scan for Digital DNA
CONCEPT 7:
Responder
User Interface
User Interface: Project Panel
• Shows all harvested objects
– Processes, Modules, Drivers
– Strings, Symbols
• Macroscopic view of object data
– Allows drill-down on most objects
• Context-sensitive right-click menu
• Status icons
Responder Object Schema
• Project
– Memory Image
• Hardware
– IDT
• Operating System
– SSDT
– Processes
– Drivers
– Open Files
– Network Socket Information
– Open Registry
– Analyzed Binary Strings
– Analyzed Symbols
[Screenshot callouts] Project type; Top level folders; Leaf-node folders – double click these to see details view of the folder; Table – double click this to see contents of table; Expandable folders – single click these to expand contents of the folder
UI: Report Panel
• Provides a repository for documenting your findings
• You can edit the description fields in the Report Panel
• Descriptions are inserted into the final report
• You can choose which report items will be included in the final report
UI: Detail Panels
• Provide detailed information about the selected category
in the Project Panel
• Data can be searched
• Data can be exported to a variety of formats
- PDF
- HTML
- RTF
- XLS
- Image
- CSV
- Text
• Panel contents can be “locked”
• Additional columns are available (per panel)
UI: Detail Panels
• Functions
• Strings
• Symbols
• Samples
• Files
• Registry
• SSDT
• IDT
• Processes
• Modules
• Drivers
• Network
[Screenshot callouts] Leaf-node folders: double-click these to see the detail panel of the folder. Detail Panel. Right click on header to get column chooser. Search the Detail Panel, which filters the panel’s contents to only those entries that match the search criteria.
1. Lock the window after filtering
2. Double click the “All Open Registry Keys” folder again. Since the default window (the Registry Panel) is locked, a new (unfiltered) Registry View window is created.
You can lock as many as you choose
Context-Sensitive Actions
• Every panel has a right-click context menu
– Menu choices based on selected object(s)
• Most common options
– Send to report: creates entry in the Report Pane for the selected item
– Google™ Text Search: uses Google™ search engine to find Internet references to the selected item
– Google™ Code Search: uses Google™ search engine to find source code that uses the selected item (typically a string or symbol)
Exercise 4:
Import RAM
walk thru Interface
User Interface Exercise
• Details
• Take 15 minutes and walk through all data
• Test the different buttons, right clicks, etc.
• Instructor will be driving through the UI
• Please ask questions
Saving Search Hits
• Export to:
– excel file
– Csv, txt, pdf
• Cannot easily add to report..
– This will be fixed soon
Report - Bookmarks
• Try Right-Click send to Report
• If that doesn’t work you might have to export to disk then manually add to report
CONCEPT 8:
Baserules.txt
What is BaseRules.txt?
• Malware identification file
• Can Auto-Magically analyze “hits”
– Sometimes auto-magic is good, sometimes not…
– Searches for suspicious behaviors
– Customizable by the end-user
– Add in Strings & Pattern Searches
– Flagged binaries can be automatically extracted & disassembled for further diagnosis
Baserules
• Suspicious Strings
• API calls
• Bytes
• Assembly
• *Wildcards
• Example
Exercise 5:
Baserules file
Edit Baserules
# General rule description:
# <Type>:<Version>:<Weight>:<Text/Arg>:<Group>:<Description>
#
# <Type>         The rule type
# <Version>      Rule version, 1.0
# <Weight>       0 (benign) to 255 (critical): Severity of a match on this rule
# <Text/Arg>     Varies by rule type. Used by the rule to determine a match
#                Some rule types may have multiple arguments
# <Group>        Group for this rule (KERNELMODE, USERMODE, KEYBOARD, ALL, etc)
# <Description>  Text description for this rule
Edit Baserules
• Example – Storm virus which spreads via email
• Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13
• Known process names to search for
– FullClip.exe - GreetingCard.exe - GreetingPostcard.exe - MoreHere.exe - FlashPostcard.exe
• Dropper process
– wincom32.exe
Edit Baserules 2
###################################
### Blacklisted Modules - Alert ###
###################################
# ADDED ENTRY – Dropper for Storm eMail Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule – wincom32.exe, Dropper for Storm email worm
# ADDED ENTRY – Executable for Storm eMail Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule – fullclip.exe, executable for Storm email worm
# ADDED ENTRY – Executable for Storm eMail Worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule – greetingcard.exe, executable for Storm email worm
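A parser and matcher for the BaseRules.txt line format described above, as an added example (not HBGary's implementation): it reads the Storm entries, rejects a weight outside 0..255, and applies the SuspiciousModule rules to a constructed module list while honouring the USERMODE/KERNELMODE group. The '*' wildcard rule and the use of fnmatch-style wildcards are this example's assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass
class Rule:
    rtype: str        # <Type>, e.g. SuspiciousModule
    version: str      # <Version>
    weight: int       # <Weight>, 0 (benign) .. 255 (critical)
    arg: str          # <Text/Arg>, here a module name (assumed: '*' wildcards allowed)
    group: str        # <Group>: KERNELMODE, USERMODE, ALL, ...
    description: str  # <Description>, free text


def parse_baserules(text: str) -> List[Rule]:
    """Parse lines of the form Type:Version:Weight:Text/Arg:Group:Description."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        parts = line.split(":", 5)         # the description keeps any further colons
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        rtype, version, weight, arg, group, desc = (p.strip() for p in parts)
        if not weight.isdigit() or not 0 <= int(weight) <= 255:
            raise ValueError(f"line {lineno}: weight {weight!r} not in 0..255")
        rules.append(Rule(rtype, version, int(weight), arg, group.upper(), desc))
    return rules


def match_modules(rules: List[Rule], modules: List[Tuple[str, str]]):
    """Apply SuspiciousModule rules to (module name, USERMODE|KERNELMODE) pairs.

    Returns (module, weight, description) hits; a rule only fires for its group.
    """
    hits = []
    for name, mode in modules:
        for r in rules:
            if r.rtype != "SuspiciousModule" or r.group not in ("ALL", mode.upper()):
                continue
            if fnmatchcase(name.lower(), r.arg.lower()):
                hits.append((name, r.weight, r.description))
    return hits


# Constructed rule file: the three Storm entries from the slide plus one
# assumed wildcard rule (the wildcard syntax is an assumption of this example).
RULES_TEXT = """\
###################################
### Blacklisted Modules - Alert ###
###################################
# ADDED ENTRY - Dropper for Storm eMail Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule - wincom32.exe, Dropper for Storm email worm
# ADDED ENTRY - Executable for Storm eMail Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule - fullclip.exe, executable for Storm email worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule - greetingcard.exe, executable for Storm email worm
SuspiciousModule:1.0:60:*postcard.exe:USERMODE:SuspiciousModule - Storm greeting-card variants (constructed wildcard rule)
"""

# Constructed module list as a process/driver scan might present it.
MODULES = [
    ("wincom32.exe", "KERNELMODE"),
    ("FullClip.exe", "USERMODE"),
    ("FlashPostcard.exe", "USERMODE"),
    ("explorer.exe", "USERMODE"),
    ("wincom32.exe", "USERMODE"),   # same name, wrong group: the rule does not fire
]

if __name__ == "__main__":
    for name, weight, desc in match_modules(parse_baserules(RULES_TEXT), MODULES):
        print(f"[{weight:3d}] {name}: {desc}")
```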
CONCEPT 9:
Investigating
Applications
Investigating Applications
• Goal: identify artifacts that lead you to other pieces of information…
– Finding bread crumbs
– Following the bread crumbs…
Investigating Applications
– Try to find objects and artifacts that can tell you:
• Who, What, Where, When, Why, How
Investigating Applications
• Approach:
– Knowledge is helpful…
• Google: “skype”
• What is it?
• How is it used? How does it work?
• Why is my suspect using it?
• Is there data in memory that might not be available by performing disk based forensics?
Investigation Preparation
Carefully create a search term list. Spending time upfront can save lots of time on the back end.
• Who? – Names of People, Email addresses
• What? When? Where? How? – Project Names, Filenames, File format(s), Usernames, Passwords, Dates, Times, Domain’s, URL’s
Investigating Applications
• Create a list of things you know…
• Names involved in the investigation
– Domain names
– Project names
– Filenames
– Website
• Applications in question
– Office Applications?
– Internet Browser
– Encryption?
– Chat
CONCEPT 10:
Webmail investigations
Webmail… where do I start?
• The Web Browsers…
– Internet Explorer
– Firefox
– Opera
• Browser Artifacts
– Web sites visited
– Files downloaded
– Dates and timestamps
Webmail… things to consider
• Web Server Apps act differently
– Gmail stores passwords differently than hushmail
Webmail Search Terms
• @gmail.com
• @hotmail.com
• @yahoo.com
• @hushmail.com
• Attachment
Webmail Specific Search Terms
• &passwd=
• &login=
• Others…
DEMO
Webmail Investigations - Gmail
Exercise 6:
Webmail
Investigation
Web Mail Exercise
Focus: Intellectual Property Investigation
Type: Private Company Data sent Via Email
Description: Search for indications of files, email addresses, and other related info data theft
Time: 30 minutes
Key Search Concept
Link Pieces of Information Together
1. Follow the bread crumbs
2. How can time stamps help us?
3. Look for relationships
4. Look at Meta Data
Search Steps
• Beginning a search based on suspicion
– Press release from competitor having similar data
• FIRST - Search for content we know
– We know we are looking for “Pluripotent”
• Searching for email addresses to corroborate suspicion
– Search terms (@gmail.com, gmailchat=)
• Understanding search hits
– Process name/module/unidentified
• SECOND - Search for content we learn
• Adding webmail data/artifacts to the report
Web Mail Questions
1. Search for “Pluripotent”
– Can you find related files to “pluripotent”?
2. Where is it located on file system?
3. Who sent this file? What is the email address?
4. Who received this file? What is the email address?
5. What other important file name is mentioned in the thread?
6. What is the date associated?
7. How else could you find this?
8. Put your artifacts into the report
Web Mail Answers
1. Pluripotent.pdf
2. C:\temp\plutipotent.pdf
3. Lori Hanson, [email protected]
4. Lance Kline, [email protected]
5. I5867.doc
6. Fri, July 10 2009 at 3:22pm
7. Make search term from nearby tags
1. Example – “forwarded message”
CONCEPT 10:
Skype
Skype – Where do I start?
Questions to answer:
• What is Skype?
– secure instant messenger
– free phone online telephony
• Why are bad guys using it?
– anti-forensics
– secure comm’s
• What are the disk anti-forensic capabilities and uses of Skype?
• Why is Skype not liked by IT Security?
– Encrypted communications…
Investigating Skype
Process list - are there chat programs listed
there?
Name harvesting
Look to open files, sort, go to skype
Notice C:\Documents and Settings\username\Application Data\Skype\skype username.
Take note of 'Username', Take note of 'Skypename'
Here we have username john smith but with skype name lance kline
May be different identity, may be same identity
Investigating Skype 2
Name search to get other names
- now we search memory to find other names being chatted to
- look for something unique, which might only exist once in memory
1. speech, common expressions
2. "wazup"
You might try a few searches to see which ones give the fewest hits
Example:
pass = 1,000+ hits
need something more specific
Exercise 7:
Skype
Investigation
Skype Chat Exercise
Focus: Intellectual Property Investigation
Type: Private Company Data sent Via Chat
Description: Search for indications of files, email addresses, and other related info data theft
Time: 30 minutes
Name of File: StudentForensic1.bin
The Scenario
• Beginning a search based on suspicion
– Press release from competitor having similar data
• Searching for references to private content
• WHAT DO WE SEARCH FOR? LET’S MAKE A LIST
– What do people say in conversation?
• Adding chat data/artifacts to the report
Key Search Concept
Link Pieces of Information Together
1. How can time stamps help us?
2. How can something we already know find something we don’t know?
Search Steps
• Beginning a search based on something we know to find something we don’t know.
• FIRST - Search for content we know
– Email names? Too many hits?
– Search for word “research”
Chat Questions
1. Search for “Research”, what email address
do you find?
2. What is his associated name? Could it be
real?
3. What is he willing to pay for?
4. What is the name of the document he is
looking for?
5. Has this document been read into memory?
How do you know?
6. Who else got this file sent to them?
7. How was the file sent?
Any Questions before the Final Exam?