Windows Forensics - University of Washington

Windows Forensics
10 Apr 2007
TCSS431: Network Security
Stephen Rondeau
Institute of Technology
Lab Administrator

Agenda
- Forensics Background
- Operating Systems Review
- Select Windows Features
- Vectors and Payloads
- Forensics Process
- Forensics Tools Demonstration

Forensics Background
- Inspection of computer system for evidence of:
  - crime
  - unauthorized use
- Evidence gathering/preservation techniques for admissibility in court of law
- Consideration of suspect's level of expertise
- Avoidance of data destruction or compromise

Operating System Review
- What does an OS do?
  - starts itself
  - low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
  - higher-level management of: file system, users, user interface, apps
  - addresses issues of fairness, efficiency, data protection/access, workload balancing

Select Windows Features
- Kernel vs. User Mode
- Kernel features (architecture)
  - device drivers
  - installable file system
  - object security
- Services

Computing Devices: Simplistic
- Computing Device
  - takes some input
  - processes it
  - provides some output
  - connects device
[Diagram: labels shown are Data, ?, input, Computing Device (OS, services, applications), output, Network, Hub]

Computing Devices: Reality
- In: Human (K/M/touch, etc. - keyboard/mouse/touch); Data (Scanner/GPS)
- Out: Human (A/V - audio/video)
- In/Out: Data (Storage Device, PC Card, Network, Printer, Etc.)

Computing Devices: Connections
- removable media: floppy, CD/DVD, flash, microdrive
- PC Card
- wired: serial/parallel, USB, Firewire, IDE, SCSI, twisted pair
- wireless:
  - radio (802.11, cellular, Bluetooth)
  - Infrared (IR)
  - Ultrasound

Vectors and Payloads
- Vector: route used to gain entry to computer
  - via a device without human intervention
  - via an unsuspecting or willing person's actions
- Payload: what is delivered via the vector
  - malicious code
  - may be multiple payloads
  - spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

Forensics Process
- Assess
  - after permission is granted
  - determine how to approach affected system(s)
  - watch out for anti-forensics
  - how to stop computer processing?
- Acquire
  - capture volatile data
  - copy hard drive
- Analyze
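Added example (not part of the slides): a small Python script showing the preservation side of Acquire. Each artifact is hashed the moment it is collected and recorded in a manifest with a UTC timestamp and the collector's name, so that the stored copies can be verified before Analyze and again for court. The artifact contents below are constructed stand-ins; the source commands are the page's own tools, and "examiner" and the file names are assumed.

```python
"""Evidence manifest for acquired artifacts (added example, not from the slides).

Each artifact captured during the Acquire phase (volatile-data command output,
a disk image) is hashed as soon as it is collected and recorded with a UTC
timestamp and the collector's name. verify_manifest() recomputes the hashes
later, so any alteration or loss of a stored copy is detected.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_artifact(manifest: list, name: str, source: str, data: bytes,
                    collector: str) -> dict:
    """Append one artifact entry; data is the raw bytes as captured."""
    entry = {
        "name": name,
        "source": source,                 # command or device the data came from
        "size": len(data),
        "sha256": sha256_hex(data),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, store: dict) -> dict:
    """Recompute hashes over stored copies; return {name: 'ok' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for entry in manifest:
        data = store.get(entry["name"])
        if data is None:
            results[entry["name"]] = "MISSING"
        elif len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            results[entry["name"]] = "MISMATCH"
        else:
            results[entry["name"]] = "ok"
    return results


def build_sample_manifest():
    """Constructed sample: two volatile captures and a tiny stand-in for a disk image."""
    store = {
        "netstat.txt": b"Active Connections\r\n  TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4\r\n",
        "tasklist.txt": b"System 4\r\nsvchost.exe 1012\r\n",
        "disk.dd": b"\x00" * 512,   # placeholder bytes; a real image is hashed the same way
    }
    manifest = []
    # Collection order follows the slide: volatile data first, then the hard drive copy.
    record_artifact(manifest, "netstat.txt", "netstat -anob", store["netstat.txt"], "examiner")
    record_artifact(manifest, "tasklist.txt", "tasklist", store["tasklist.txt"], "examiner")
    record_artifact(manifest, "disk.dd", "hard drive copy", store["disk.dd"], "examiner")
    return manifest, store


if __name__ == "__main__":
    manifest, store = build_sample_manifest()
    print(json.dumps(manifest, indent=2))
    store["tasklist.txt"] += b"evil.exe 6666\r\n"   # simulate tampering after acquisition
    print(verify_manifest(manifest, store))
```

The manifest is written as JSON so it can be printed, signed or filed alongside the media; on a real case the hash of the drive copy is taken from the imaging tool's output and compared with this record.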

Volatile Data
- All of RAM, plus paging area
- Logged on users
- Processes (regular and services)
- Process memory
- Buffers
- Clipboard
- Network Information
- Command history

Nonvolatile Data
- Partitions
- Files
  - hidden, streams
- Registry Keys
- Recycle Bin
- Scheduled Tasks
- User information
- Logs

What to Look For
- Know baseline system: what to expect of good system
- Malware Footprint
  - in logs
  - on file system (changed dates/sizes)
  - in registry
  - in startup areas
  - in service list
  - in network connections
- Abnormalcy: functionality, performance, traffic patterns
- Cross-check with multiple tools
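Added example (not part of the slides): Python that puts two of the points above into code. It diffs the suspect system's service list and startup entries against a known-good baseline, and it cross-checks the process list as reported by two different tools (tasklist versus Sysinternals pslist, say), because a process that one enumerator hides but another still reports is the classic sign of a rootkit. Every snapshot is constructed sample data; names such as WinHlp32Svc, msupdte.exe and svch0st.exe are invented for the example, not real indicators.

```python
"""Baseline comparison and cross-view process check (added example, not from the slides).

(1) diff_against_baseline(): compare service and startup lists from the suspect
    system against a baseline recorded from a clean build of the same image.
(2) cross_view_processes(): compare PID->image maps from two enumerators; any
    PID present in one view only, or with a different name, needs explaining.
All data below is constructed sample data.
"""
from typing import Dict, Set, Tuple

# Constructed baseline of a clean build: service names and Run-key startup entries.
BASELINE = {
    "services": {"Dhcp", "Dnscache", "EventLog", "LanmanServer", "wuauserv"},
    "startup": {"ctfmon.exe"},
}

# Constructed snapshot of the suspect machine, gathered with the same tools.
SUSPECT = {
    "services": {"Dhcp", "Dnscache", "EventLog", "LanmanServer", "wuauserv", "WinHlp32Svc"},
    "startup": {"ctfmon.exe", "msupdte.exe"},
}


def diff_against_baseline(baseline: Dict[str, Set[str]],
                          snapshot: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """For each category in the baseline return (added, removed) relative to it."""
    report = {}
    for category, expected in baseline.items():
        observed = snapshot.get(category, set())
        report[category] = (observed - expected, expected - observed)
    return report


def cross_view_processes(view_a: Dict[int, str], view_b: Dict[int, str]) -> Dict[str, Set[int]]:
    """Compare PID->image maps from two enumerators (e.g. tasklist vs. pslist)."""
    pids_a, pids_b = set(view_a), set(view_b)
    return {
        "only_in_a": pids_a - pids_b,
        "only_in_b": pids_b - pids_a,
        "name_mismatch": {p for p in pids_a & pids_b
                          if view_a[p].lower() != view_b[p].lower()},
    }


def constructed_process_views() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Constructed PID->image maps as tasklist and pslist might report them."""
    tasklist = {4: "System", 600: "csrss.exe", 1012: "svchost.exe", 1500: "explorer.exe"}
    pslist = dict(tasklist)
    pslist[2244] = "svch0st.exe"     # reported by pslist only: hidden from tasklist's view
    return tasklist, pslist


if __name__ == "__main__":
    for category, (added, removed) in diff_against_baseline(BASELINE, SUSPECT).items():
        print(f"{category}: added={sorted(added)} removed={sorted(removed)}")
    print(cross_view_processes(*constructed_process_views()))
```

Additions are the usual finding, but removals matter too: a missing EventLog or antivirus service is itself a footprint. The cross-view idea generalizes to any pair of enumerators (registry keys via regedit versus an offline hive parser, files via dir versus a raw file-system walk), which is what the slide's "cross-check with multiple tools" is getting at.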

Microsoft Tools
- Basic: Windows Update, Malicious Software Removal, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, LocalService, NetworkService, Runas, systeminfo, auditpol
- Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
- File: dir /ah, dir /od, dir /tc, findstr, cacls
- Services: net start/stop, sc
- Process: tasklist, taskkill, schtasks
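Added example (not part of the slides): a Python parser for the output of netstat -anob, the first of the network tools listed above. The -b switch prints, under each connection line, the image that owns the socket in square brackets, sometimes preceded by the DLL chain that created it, or the text "Can not obtain ownership information" when it cannot. Parsing that text into records lets the examiner join PIDs to the tasklist/pslist output and flag listeners the baseline does not explain. The sample output is constructed to match the XP/2003-era layout; the addresses, ports, PIDs and the svch0st.exe name are invented.

```python
"""Parser for `netstat -anob` output (added example; the sample text is constructed).

-a all endpoints including listeners, -n numeric, -o owning PID, -b owning
image (and sometimes the DLL chain) on the lines that follow each endpoint.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample of what netstat -anob prints on Windows XP/2003 (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  Can not obtain ownership information
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2244
  [svch0st.exe]

  TCP    192.168.1.10:1081      203.0.113.5:80         ESTABLISHED     1500
  c:\\windows\\system32\\WS2_32.dll
  [iexplore.exe]

  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
"""

# Endpoint line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Endpoint:
    proto: str
    local: str
    remote: str
    state: str                       # '' for UDP
    pid: int
    image: Optional[str] = None      # from the [name] line, if -b could obtain it
    components: List[str] = field(default_factory=list)   # DLL chain or error text

    @property
    def local_port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])


def parse_netstat_anob(text: str) -> List[Endpoint]:
    endpoints: List[Endpoint] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            endpoints.append(Endpoint(proto, local, remote, state or "", int(pid)))
            continue
        if not endpoints or not line.strip():
            continue          # banner/header lines precede the first endpoint; blanks separate them
        owner = OWNER_RE.match(line)
        if owner:
            endpoints[-1].image = owner.group(1)
        else:
            endpoints[-1].components.append(line.strip())
    return endpoints


def unexpected_listeners(endpoints: List[Endpoint], expected_ports: Set[int]) -> List[Endpoint]:
    """Listening TCP sockets whose port is not in the known-good set for this host."""
    return [e for e in endpoints
            if e.proto == "TCP" and e.state == "LISTENING" and e.local_port not in expected_ports]


def pids_by_image(endpoints: List[Endpoint]) -> dict:
    """Map image name (or '<unknown>') to the set of PIDs seen owning sockets."""
    out: dict = {}
    for e in endpoints:
        out.setdefault(e.image or "<unknown>", set()).add(e.pid)
    return out


if __name__ == "__main__":
    eps = parse_netstat_anob(SAMPLE_NETSTAT)
    for e in eps:
        print(f"{e.proto:3} {e.local:22} {e.remote:22} {e.state:11} pid={e.pid} image={e.image}")
    for e in unexpected_listeners(eps, {135, 139, 445}):
        print("unexpected listener:", e.local, "pid", e.pid, "image", e.image)
```

A PID whose ownership netstat cannot resolve (PID 4, the System process, is the normal case for port 445) is not by itself suspicious, but an unknown image on an unexpected port, or a PID that netstat reports and tasklist does not, is exactly the cross-check the earlier slide asks for.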

External Tools
- antivirus
- backup
- www.sysinternals.com
  - RootKitRevealer, ProcessExplorer, WinObj, Autoruns
  - PSTools: pslist, psexec, psservice, psgetsid, etc.
- www.e-fense.com: Helix
  - statically-linked tools, variety of other tools
- Bart's PE

References
- Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005
- Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress 2007
- File System Forensic Analysis, Brian Carrier, Addison-Wesley 2005
- Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006