Windows Forensics - University of Washington
Windows Forensics
10 Apr 2007
TCSS431: Network Security
Stephen Rondeau
Institute of Technology
Lab Administrator
Agenda
Forensics Background
Operating Systems Review
Select Windows Features
Vectors and Payloads
Forensics Process
Forensics Tools Demonstration
Forensics Background
Inspection of computer system for evidence of:
crime
unauthorized use
Evidence gathering/preservation techniques for
admissibility in court of law
Consideration of suspect's level of expertise
Avoidance of data destruction or compromise
Operating System Review
What does an OS do?
starts itself
low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
higher-level management of: file system, users, user interface, apps
addresses issues of fairness, efficiency, data protection/access, workload balancing
Select Windows Features
Kernel vs. User Mode
Kernel features (architecture)
device drivers
installable file system
object security
Services
Computing Devices: Simplistic
Computing Device
takes some input
processes it
provides some output
connects to other devices
[Diagram: data (?) flows as input into the computing device (OS, services, applications), which produces output and connects to a network hub]
Computing Devices: Reality
In: Human (keyboard/mouse/touch, etc.); Data (scanner/GPS)
Out: Human (A/V)
In/Out: Data (storage device, PC Card, network, printer, etc.)
Computing Devices: Connections
removable media: floppy, CD/DVD, flash, microdrive
PC Card
wired: serial/parallel, USB, Firewire, IDE, SCSI, twisted pair
wireless: radio (802.11, cellular, Bluetooth), infrared (IR), ultrasound
Vectors and Payloads
Vector: route used to gain entry to computer
via a device without human intervention
via an unsuspecting or willing person's actions
Payload: what is delivered via the vector
malicious code
may be multiple payloads
spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.
Forensics Process
Assess
after permission is granted
determine how to approach affected system(s)
watch out for anti-forensics
how to stop computer processing?
Acquire
capture volatile data
copy hard drive
Analyze
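The "copy hard drive" step of Acquire is where the admissibility concern from the Forensics Background slide is decided: the copy has to be provably identical to the medium it was read from. The following added example (not from the lecture, and not from any tool it names) shows the usual discipline in Python: hash every byte as it is read from the source while the image is written, re-read the image independently to confirm the digests, and record the result in a chain-of-custody log line. The in-memory byte string standing in for a drive, the JSON log format, and the names `copy_and_hash`, `verify_image` and `custody_entry` are all constructed for this illustration; on a real acquisition the source would be the raw device opened read-only behind a write blocker.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024
ALGORITHMS = ("md5", "sha256")   # two independent digests, so a collision in one is caught by the other


def copy_and_hash(source, dest):
    """Copy source to dest in fixed-size chunks, hashing every byte that was read.

    Returns (bytes_copied, {algorithm: hexdigest}) computed on the read side, so the
    digests describe exactly what the original medium produced during acquisition."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    for block in iter(lambda: source.read(CHUNK_SIZE), b""):
        dest.write(block)
        total += len(block)
        for h in hashers.values():
            h.update(block)
    dest.flush()
    return total, {name: h.hexdigest() for name, h in hashers.items()}


def hash_stream(stream):
    """Re-read a stream from its current position and return its digests (the verification pass)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(expected, image_stream):
    """Return (ok, actual_digests); ok is True only if every digest matches the acquisition digest."""
    actual = hash_stream(image_stream)
    return all(actual[name] == expected[name] for name in ALGORITHMS), actual


def custody_entry(case_id, examiner, source_desc, size, digests, verified):
    """One JSON line for the acquisition log (a constructed record layout, not a standard)."""
    return json.dumps({
        "case": case_id, "examiner": examiner, "source": source_desc,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes": size, "digests": digests, "verified": verified,
    }, sort_keys=True)


def demo():
    # Constructed stand-in for a drive; a real run would open the raw device read-only,
    # e.g. open(r"\\.\PhysicalDrive1", "rb"), behind a hardware write blocker.
    evidence = bytes(range(256)) * 1000
    source, image = io.BytesIO(evidence), io.BytesIO()
    size, digests = copy_and_hash(source, image)
    image.seek(0)
    ok, _ = verify_image(digests, image)
    # A single altered byte in the copy must fail the verification pass.
    tampered = io.BytesIO(evidence[:500] + b"\x00" + evidence[501:])
    bad, _ = verify_image(digests, tampered)
    print(custody_entry("CASE-0001", "examiner", "constructed test image", size, digests, ok))
    return size, ok, bad


if __name__ == "__main__":
    print(demo())
```

The digests are taken on the read side rather than from the finished file on purpose: if the write fails part way, the log still states what the source medium produced, and the separate `verify_image` pass is what proves the stored image matches it.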
Volatile Data
All of RAM, plus paging area
Logged on users
Processes (regular and services)
Process memory
Buffers
Clipboard
Network Information
Command history
Nonvolatile Data
Partitions
Files
hidden, streams
Registry Keys
Recycle Bin
Scheduled Tasks
User information
Logs
What to Look For
Know baseline system: what to expect of good system
Malware Footprint
in logs
on file system (changed dates/sizes)
in registry
in startup areas
in service list
in network connections
Abnormalcy – functionality, performance, traffic patterns
Cross-check with multiple tools
Microsoft Tools
Basic
Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
File: dir /ah, dir /od, dir /tc, findstr, cacls
Services: Windows Update, Malicious Software Removal, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, LocalService, NetworkService, Runas, systeminfo, auditpol, net start/stop, sc
Process: tasklist, taskkill, schtasks
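The "What to Look For" slide asks for a known baseline, a look at the network connections, and cross-checking with multiple tools; the tools slide names `netstat -anob` and `tasklist` as the built-in way to get that data. The following added example (not from the lecture, not a Microsoft or Sysinternals tool) shows how those two captures are compared in Python: listeners are checked against a baseline of which executable should own each port, and every PID netstat reports is looked up in the tasklist output, so a process that netstat can see but tasklist cannot stands out. Both captures, the baseline table, and the function names `parse_netstat`, `parse_tasklist` and `find_anomalies` are constructed for this illustration; the odd executable name and port in the sample are placeholders chosen to trip the checks, not indicators from any real case.

```python
import re

# Constructed sample of `netstat -anob` output (no real host was captured).
# With -b, the owning executable follows each socket line in brackets, and a
# service component name (e.g. RpcSs) may appear on the line before it.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1532
 [svch0st.exe]
  TCP    192.168.1.10:1043      203.0.113.7:6667       ESTABLISHED     1532
 [svch0st.exe]
  UDP    0.0.0.0:500            *:*                                    724
 [lsass.exe]
"""

# Constructed sample of `tasklist` output from the same moment. PID 1532 is
# absent, as it would be if something were hiding the process from the process list.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
lsass.exe                      724 Console                    0      1,300 K
svchost.exe                    908 Console                    0      4,512 K
"""

# Constructed baseline from a known-good build of the same system image:
# (protocol, local port) -> executable expected to own that listener.
BASELINE_LISTENERS = {
    ("TCP", 135): "svchost.exe",
    ("TCP", 445): "System",
    ("UDP", 500): "lsass.exe",
}

TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_netstat(text):
    """Parse `netstat -anob` text into a list of socket records with owner details."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active", "Proto")):
            continue                      # banner and column-header lines
        tokens = line.split()
        if tokens[0] in ("TCP", "UDP"):
            local = tokens[1]
            current = {
                "proto": tokens[0], "local": local,
                "port": int(local.rsplit(":", 1)[1]),   # works for IPv4 and [::]:port
                "foreign": tokens[2],
                "state": tokens[3] if len(tokens) == 5 else "",   # UDP lines carry no state
                "pid": int(tokens[-1]), "exe": None, "component": None,
            }
            records.append(current)
        elif current is not None and line.startswith("[") and line.endswith("]"):
            current["exe"] = line[1:-1]
        elif current is not None:
            current["component"] = line   # service component name printed by -b
    return records


def parse_tasklist(text):
    """Parse `tasklist` text into {pid: image name}; header and separator lines do not match."""
    processes = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.rstrip())
        if m:
            processes[int(m.group(2))] = m.group(1).strip()
    return processes


def find_anomalies(records, baseline, processes):
    """Return (reason, proto, local address, pid) tuples for sockets that deviate from the baseline
    or whose owning PID is not visible to tasklist."""
    findings = []
    for r in records:
        tag = (r["proto"], r["local"], r["pid"])
        is_listener = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if is_listener:
            expected = baseline.get((r["proto"], r["port"]))
            if expected is None:
                findings.append(("listener not in baseline",) + tag)
            elif expected.lower() != (r["exe"] or "").lower():
                findings.append(("listener owned by unexpected executable",) + tag)
        image = processes.get(r["pid"])
        if image is None:
            findings.append(("PID missing from tasklist (hidden process?)",) + tag)
        elif r["exe"] and image.lower() != r["exe"].lower():
            findings.append(("netstat/tasklist image name mismatch",) + tag)
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_netstat(NETSTAT_SAMPLE), BASELINE_LISTENERS,
                                  parse_tasklist(TASKLIST_SAMPLE)):
        print(*finding)
```

Run the two commands on the suspect system, redirect each to a file on removable media, and feed the files to the parsers; the PID cross-check is the same "compare two views" idea that RootKitRevealer applies to the file system and registry, and it only works when both captures are taken close together, since PIDs are reused.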
External Tools
antivirus
backup
www.sysinternals.com
RootKitRevealer, ProcessExplorer, WinObj, Autoruns
PSTools: pslist, psexec, psservice, psgetsid, etc.
www.e-fense.com: Helix
statically-linked tools, variety of other tools
Bart’s PE
References
Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley, 2005
Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress, 2007
File System Forensic Analysis, Brian Carrier, Addison-Wesley, 2005
Rootkits, Greg Hoglund and James Butler, Addison-Wesley, 2006