Mining Digital Evidence in Microsoft Windows
Download
Report
Transcript Mining Digital Evidence in Microsoft Windows
Advance Digital Forensic
Agenda
What is Computer Forensic?
Gathering evidence from windows memory
Advance registry forensic.
Analyzing network data to collect evidence
2
Computer Forensics – the laws
First Law of Computer Forensics
There is evidence of every action.
Harlan Carvey’s Corollary :
Once you understand what actions or
conditions create or modify an artifact, then
the absence of that artifact is itself an
artifact.
3
Tip of the “Digital” Iceberg
Data as seen by a casual observer
using common tools (Explorer Window,
cmd shell, web browser etc. )
Data as seen by Forensic
Investigators using his
sophisticated toolkit. May include
deleted data, hidden data,
unauthorized information and
records of illegal activity!
4
Windows Memory Forensic
Extracting windows login credentials from
RAM image.
Extracting running processes.
Extracting user assist keys from RAM
Viewing registry keys for all open process.
5
Extracting windows login credentials from RAM image.
Volatility modules used
1. hivescan {python volatility hivescan -f
<filename>}
2. hivelist {python volatility hivelist -f
<filename> -o <offset value>
3. Hashdump {volatility hashdump -f
<filename> (-y System Hive Offset)(-s SAM
Hive Offset)
Use of CAIN & Abel to crack the hashes
obtained.
6
Extracting user assist keys from RAM
Load the image in Encase and search for the
keyword HRZR_EHACNGU {which is
“UEME_RUNPATH”}. Keywords are
HRZR_EHACNGU.*[\.]rkr
HRZR_EHACNGU.*[\.]yax
Decrypt the results using ROT13-decryptor.
7
Advance Registry Forensic
Windows Registry
Registry files are essentially databases containing information and
settings for
Hardware
Software
Users
Preferences
A registry hive is a group of keys, subkeys, and values in the
registry that has a set of supporting files containing backups of its
data.
In Windows 98, the registry files are named User.dat and
System.dat.
In Windows Millennium Edition, the registry files are named
Classes.dat, User.dat, and System.dat.
In Win XP, the registry files are available in
C:\windows\system32\config folder
9
Mining Windows Registry
Multiple forensic avenues in the registry!
System and User-specific settings
UserAssist
MuiCache
MRU Lists
ProgramsCache
StreamMRU
Shellbags
Usbstor
IE passwords
and many more!
10
Mining Windows Registry
Multiple forensic avenues in the registry!
System and User-specific settings- NTUSER.DAT
UserAssist HKCU/software/microsoft/windows/currentversion/Explorer/UserAssist
MuiCache - HKCU/Software/Microsoft/Windows/ShellNoRoam/MUICache
MRU Lists HKCU/software/microsoft/windows/currentversion/Explorer/RunMRU
ProgramsCache –
HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/StartPage
StreamMRU HKCU/software/microsoft/windows/currentversion/Explorer/StreamMRU
Shellbags – HKCU/Software/Microsoft/Windows/Shell/BagMRU
Usbstor - HKLM/System/CurrentControlSet/Enum/USBStor
and many more!
Demo
11
Tools to analyze registry
Regripper {open source tool. Developed by Harlen
Carvey. Coding is done in PERL language}
Windows registry analyzer
Windows registry recovery.
Timestamp Dcode.
12
Network Forensic
The Security Process and Network Forensics
14
Overall approach
Study the network architecture.
Determine network traffic capture mechanisms at
appropriate points and get a copy of the capture file.
Determine devices that should/could be generating logs,
especially those that are pertinent to case in hand.
Determine vendors of these devices.
Determine logging functionality, and logging
configuration.
Assemble appropriate log analysis tools, and objectives
of the analysis
String searches
Pattern searches
15
Tools for analyzing captured network traffic
Network Miner
Netwitness
Wireshark
Winhex
16
Case study of Network Forensic
18
Thank you!
Questions and Answers!!
Kush Wadhwa, EnCE, CEH, RHCE
Contact Number : +919717188544
Email Address: - [email protected]
19