Transcript PPTX

Computer Forensic Tools
Computer Forensics: A Brief Overview
• The scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer
• The field of computer forensics began to evolve more than 30 years ago in the United States.
• With the growth of the Internet and the increasing number of devices connected to it, computer crimes are increasing at a great speed.
Computer Crimes
Computer crimes fall into three groups:
• Pure computer crime
– Illegal access to a system or network
– Illegal transmission of data
– Data deletion, damage, alteration
– Serious hindrance to computer
• Computer is the medium of a crime
– Identity theft
– Fraud
– E-theft
• Computer content related crime
– Incriminating information stored in computer
– Child pornography
– Information that unleashes hostility/violence
Tools for Computer Forensics
Computer forensic tools fall into two groups:
• Integrated GUI based tools
• Specialized single task tools, covering for example:
– Process information
– Network connection information
– List of processes
– Process to port mapping
– Service/driver information
– Registry analysis
– Executable file analysis
Integrated GUI Based Tools
• Advantages:
– More effective for analyzing content related crime
– Useful for searching storage devices, retrieving deleted files and folders, and reconstructing graphic files
• Disadvantages:
– Very expensive
– Very complex in design, uses up a lot of resources
– Requires trained professionals to use the tools
Specialized Single Task Tools
• Advantages:
– More effective for investigating malware attacks, intrusions, etc.
– Useful for live response and live analysis
– Simple in design; most tools can be used from the command line
– Inexpensive, easy to learn and use
– Very effective for pedagogical purposes
– Can be modified/customized
• Disadvantage:
– Has compatibility issues with different versions of operating systems
Windows Forensic Analysis
• Windows Forensic Analysis by Harlan Carvey
– Teaches simple but effective analysis techniques for investigating malware attacks
– Provides CLI based tools for complete analysis of Windows Operating Systems
Compatibility Issues with Newer Windows Operating Systems

Tool | Windows XP | Vista | Windows 7 | Description | Comment
Bonus\poladt.exe | Yes | No | No | Parse the raw Security file and display the audit policy |
Bonus\srv_sort.exe | Yes | No | No | Retrieve Service key info from a raw Registry/System file, sorting the output based on LastWrite time; automatically determines which of the available ControlSets is marked "current" |
ch3\code\lspd.exe | Yes | No | No | Parse process details from a Windows 2000 phys. memory/RAM dump |
ch3\code\lspi.exe | Yes | No | No | Parse process image from a Windows 2000 phys. memory/RAM dump |
ch3\code\lspm.exe | Yes | No | No | Dump the memory pages used by a process from a Windows 2000 phys. memory/RAM dump |
ch3\code\lsproc.exe | Yes | No | No | Parse a Windows 2000 phys. memory/RAM dump, looking for processes |
ch4\code\pref_ver.exe | Yes | No | No | Perl script to parse the contents of the XP layout.ini file, locate the executables (.exe, .dll, .sys) it lists, and extract any file version information |
ch4\code\sr.exe | Yes | No | No | Use WMI to get Restore Point settings from XP (local or remote) |
ch4\code\old\bho.exe | Yes | No | No | Retrieve a listing of installed BHOs from a local system |
ch4\code\old\pnu.exe | Yes | No | No | List the contents of one of the UserAssist\GUID\Count keys, sorted by most recent time |
ch4\code\old\regp.exe | Yes | No | No | raw Windows Registry files (ntuser.dat, system32\config\system, system32\config\software) from NT/2K/XP/2K3 systems |
ch4\code\old\sam_parse.exe | Yes | No | No | Retrieve user information from a raw Registry/SAM file |
ch4\code\jt\regslack.exe | Yes | No | No | | No DOS
ch4\code\RegRipper\rip.exe | Yes | No | No | Use this utility to run a plugins file or a single plugin against a Registry hive file |
ch4\code\RegRipper\rr.exe | Yes | No | No | Parse a Registry hive file for data pertinent to an investigation |
ch5\code\lscl.exe | Yes | No | No | Read/parse Restore Point change logs for data |
ch5\code\pdfdmp.exe | Yes | No | No | Attempt to extract metadata from PDF files |
ch5\code\pdfmeta.exe | Yes | No | No | Attempt to extract metadata from PDF files |
ch5\code\sr.exe | Yes | No | No | |
ch5\code\EVT\evt2xls.exe | Yes | No | No | Parse Windows 2000, XP, 2003 Event Log files in binary format, putting the event records into an Excel spreadsheet; can also generate a report showing event source/ID frequencies (for the Security Event Log, login type is added to the event ID), suitable for entry into eventid.net |
ch5\code\EVT\evtrpt.exe | Yes | No | No | Tool to translate the binary contents of Windows 2000, XP, and 2003 Event Logs and generate a report of event ID frequencies and date ranges of the records |
ch5\code\EVT\evtstats.exe | Yes | No | No | Parse the contents of Event Log files and display statistics | No plugins

• About 50% of the tools are not compatible with Windows XP and Vista
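As an added illustration of the specialized single-task tools in the table (this is not code from the slides or from Carvey's book), a small Python parser in the spirit of evtrpt.exe: it carves EVENTLOGRECORD structures out of the binary .evt format used by Windows 2000/XP/2003 and reports event source/ID frequencies and the date range of the records. The sample log bytes are constructed inline; the field layout follows the documented EVENTLOGRECORD structure, and the leading zero bytes merely stand in for the file header.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

LFLE = b"LfLe"  # magic that follows the 4-byte Length at the start of every record
# EVENTLOGRECORD fixed part (56 bytes, little-endian): Length, "LfLe", RecordNumber, TimeGenerated,
# TimeWritten, EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset; the record ends with Length again
HDR = struct.Struct("<I4sIIIIHHHHIIIIII")

def read_utf16z(buf, off):
    """NUL-terminated UTF-16LE string at off (the SourceName field right after the header)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace")

def parse_records(blob):
    """Carve records by scanning for "LfLe" (no file header needed); accept one only if its trailing Length matches."""
    out, pos = [], blob.find(LFLE)
    while pos >= 4:
        start, nxt = pos - 4, pos + 4
        if start + HDR.size <= len(blob):
            length, _, recnum, tgen, _, eid, etype, *_ = HDR.unpack_from(blob, start)
            end = start + length
            if HDR.size + 4 <= length <= len(blob) - start and blob[end - 4:end] == blob[start:start + 4]:
                source = read_utf16z(blob[:end], start + HDR.size)
                out.append((recnum, tgen, eid & 0xFFFF, etype, source))  # low word = ID shown by Event Viewer
                nxt = end
        pos = blob.find(LFLE, nxt)  # continue after a valid record, or past a false hit
    return out

def report(records):
    """Source/EventID frequencies plus the UTC range of TimeGenerated, as evtrpt reports them."""
    freq = Counter((r[4], r[2]) for r in records)
    ts = sorted(r[1] for r in records)
    rng = (datetime.fromtimestamp(ts[0], timezone.utc), datetime.fromtimestamp(ts[-1], timezone.utc)) if ts else None
    return freq, rng

def build_record(recnum, ts, event_id, etype, source, computer):
    """Constructed sample data, not a captured log: one record without SID, strings or data."""
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    body += b"\x00" * (-len(body) % 4)  # keep the record DWORD-aligned
    length = HDR.size + len(body) + 4
    hdr = HDR.pack(length, LFLE, recnum, ts, ts, event_id, etype, 0, 0, 0, 0,
                   HDR.size + len(body), 0, 0, 0, HDR.size + len(body))
    return hdr + body + struct.pack("<I", length)

SAMPLE_EVT = b"\x00" * 48 + b"".join([  # constructed: zeros stand in for the 48-byte file header
    build_record(1, 1_000_000_000, 528, 8, "Security", "WS01"),
    build_record(2, 1_000_003_600, 528, 8, "Security", "WS01"),
    build_record(3, 1_000_007_200, 529, 16, "Security", "WS01")])
```

Calling `report(parse_records(SAMPLE_EVT))` yields the per-source/ID counts and the first and last record times; on a real .evt the same carving approach also recovers records that a damaged file header would hide from the Event Viewer.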