Investigating Windows Systems
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]
Session Outline
• Forensic Mindset
• Investigative Questions
• Common File System Types
• Investigating Windows Systems
• Windows Registry
• Investigative and Case Management Tools
Learning Objectives
At the end of this module you will be able to:
• Describe the importance of the forensic mindset
• Describe common investigative questions
• Explain the basic steps in the forensic analysis process
• Discuss the forensic importance of the Windows Registry
• Demonstrate the case management functions of Encase and FTK
Forensic Mindset
• Digital Forensic Mindset – Condensed Definition:
- Using your skills to determine what has occurred or,
- What most likely occurred, as opposed to what is possible
- You do NOT work for anyone but the TRUTH!
• The tools used are not nearly as important as the person using them!
• The examination should not occur in a vacuum.
• Find out all you can about what is already known.
Organizing the Investigation
• Use your knowledge to examine the system to answer: could it have happened that way or not?
• Don’t make it more complicated than it has to be – start with the obvious!
• Examples:
– Check for programs that will cause you aggravation – encryption (PGP, Magic Folders, File Vault, EFS, etc.)
– http://www.iopus.com/guides/efs.htm
Organizing the Investigation
• MAC information – what was happening on the system during the time frame you are interested in?
• What was being “written”, “changed” or “accessed”?
Investigative Questions
• One of the most common questions is: where on the Internet was it surfing? In the absence of managed server logs, use ??????
• A great product (LE or Corp Security only) is IEHistory by Scott Ponder of Phillips Ponder Company
- http://www.phillipsponder.com/histviewer.htm
Questions/Requests
• Another very common request is to gather up all the e-mails, including the deleted ones, for the investigator to read.
• As always, this is done on the image or with hardware write protect.
• Any communication is usually requested, and chat is being used more and more.
• MSN Chat does not by default store its chats. Newer versions do!
• AOL Instant Messenger: encryption
• Yahoo Messenger stores them on the local drive but they are encrypted. Any ideas how to get around this?
Passwords & Encryption
• #1 rule – if you don’t know the password, ask the person who does!
• Are they lazy? Is there an easily obtained password that is used in both circumstances?
• Access Data software (Password Recovery / Ultimate Tool Kit)
• Is there a corporation that you can pay to have it done for you?
Where Do We Start?
• Verify integrity of image
– MD5, SHA1 etc.
• Recover deleted files & folders
• Determine keyword list
– What are you searching for
• Determine time lines
– What is the time zone setting of the suspect system
– What time frame is of importance
– Graphical representation is very useful
Where Do We Start?
• Examine directory tree
– What looks out of place
– Stego tools installed
– Evidence Scrubbers
• Perform keyword searches
– Indexed
– Slack & unallocated space
Where Do We Start?
• Search for relevant evidence types
– Hash sets can be useful
– Graphics
– Spreadsheets
– Hacking tools
– Etc.
• Look for the obvious first
• When is enough enough??
Common File System Types
FAT (File Allocation Table):
• FAT 16: DOS; Windows 3.X; Windows 95.
• FAT 32: Windows 95 release 2, Windows 98, Windows Me, Windows 2000, Windows XP, Server 2003.
NTFS (New Technology File System):
• Windows NT; Windows 2000; Windows XP; Server 2003.
FAT 16
• Uses 16 bits in the file allocation table (FAT)
• Two FATs (primary and backup)
• Supports up to 4GB of volume space
• Maximum file size of 2GB
• Supports two partitions and 3 logical drives in the second partition.
• Uses the 8.3 file naming convention
• “/”, “\”, “[”, “]”, “|”, “<”, “>”, “+”, “=”, “;”, “*” and “?” are illegal or invalid characters
NTFS
• Long file name support
• Ability to handle large storage devices
• Built-in security controls
• POSIX support
– http://www.pcguide.com/ref/hdd/file/ntfs/otherPOSIX-c.html
• Volume striping
• File compression
• Master file table (MFT)
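The two file systems above record MAC times differently: FAT keeps DOS date/time fields in whatever local time the writing system had, while NTFS keeps FILETIME values in UTC, so the suspect system's time zone setting asked for under “Where Do We Start?” is what puts both on one timeline. The Python below is an added example, not part of the original slides; the bias value and the timestamps are constructed, and the registry value name ActiveTimeBias is assumed from Windows rather than taken from the slides.

```python
from datetime import datetime, timedelta, timezone

# Constructed value for a suspect machine set to US Eastern Standard Time.
# ActiveTimeBias (minutes) is the value Windows keeps under
# HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (assumed, not from
# the slides); Windows defines it so that UTC = local time + bias.
SUSPECT_BIAS_MINUTES = 300

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """NTFS stores MAC times as FILETIME: 100-nanosecond ticks since
    1601-01-01, already in UTC, independent of the machine's zone setting."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def dos_datetime_to_naive(dos_date, dos_time):
    """FAT stores MAC times as two 16-bit DOS fields in the *local* time of the
    system that wrote them, with 2-second resolution and no zone information."""
    year = 1980 + (dos_date >> 9)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = dos_time >> 11
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def fat_local_to_utc(dos_date, dos_time, bias_minutes):
    """Normalize a FAT timestamp to UTC using the suspect system's bias,
    so it can sit on one timeline with NTFS times."""
    local = dos_datetime_to_naive(dos_date, dos_time)
    return (local + timedelta(minutes=bias_minutes)).replace(tzinfo=timezone.utc)


def utc_to_suspect_local(utc_dt, bias_minutes):
    """Present a UTC timestamp as the suspect would have seen it on screen."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))


if __name__ == "__main__":
    ntfs = filetime_to_utc(127173888000000000)                      # 2004-01-01 00:00:00 UTC
    fat = fat_local_to_utc(0x3021, 0x63C5, SUSPECT_BIAS_MINUTES)    # 2004-01-01 12:30:10 local
    print("NTFS entry UTC:", ntfs, " suspect local:", utc_to_suspect_local(ntfs, SUSPECT_BIAS_MINUTES))
    print("FAT entry  UTC:", fat, " suspect local:", utc_to_suspect_local(fat, SUSPECT_BIAS_MINUTES))
```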
Investigating Windows Systems
User/Systems/Data (intentionally created):
• User profiles
• Program files
• Temporary files (temp files)
• Special application-level files: Internet history, e-mail.
Artifacts (generated by the system):
• Metadata
• Windows system registry
• Event logs or log files
• Swap files
• Printer spool
• Recycle bin
Windows Registry
• A central hierarchical database to store information necessary to configure the system for one or more users, applications and hardware devices.
• Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files
• First introduced in Windows 3.1 for storing OLE settings (pre 1995).
- http://en.wikipedia.org/wiki/ActiveX
Windows Registry
Wealth of investigative information
• Registered Owner
• Registered Organization
• Shutdown Time
• Recent DOCS
• Most Recent Used (MRU) List
• Typed URLs
• Previous Devices Mounted
• Software Installed
Registry Tools
• Registry Reader: Access Data
• Encase
• Windows
– Regedit
– Regedt32
• Freeware tools
– Never work on the original
– Make a copy
Windows Registry
There are five root keys:
• HKEY_CLASSES_ROOT (HKCR)
• HKEY_CURRENT_USER (HKCU)
• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_USERS (HKU)
• HKEY_CURRENT_CONFIG (HKCC)
Registry Architecture
Two are “Master” keys:
• HKEY_LOCAL_MACHINE (HKLM): configuration data describing hardware and software installed on the computer
• HKEY_USERS (HKU): configuration data for each user that logs into the computer
Registry Architecture
Three are derived from the “Master” keys:
• HKEY_CLASSES_ROOT: file associations and OLE; from HKLM\Software\Classes
• HKEY_CURRENT_USER: currently logged on user; from HKU\SID of current user
• HKEY_CURRENT_CONFIG: current hardware profile; from HKLM\System\CurrentControlSet\Hardware Profiles\Current
The Windows Registry
Dial-up Accounts:
• HKEY_CURRENT_USER\RemoteAccess\Addresses
Dial-up Account Usernames:
• HKEY_CURRENT_USER\RemoteAccess\Profile\[isp_name]
RegisteredOwner/Organization, Version, VersionNumber, ProductKey, ProductID, ProductName:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
MSN Messenger Info:
• HKEY_CURRENT_USER\Identities\{string}\Software\Microsoft\MessengerService
• HKEY_CURRENT_USER\Software\Microsoft\MessengerService
The Windows Registry
Outlook Express User Info (e-mail, newsgroups, etc.):
• HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts
• HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\0000000x
Internet Explorer History settings length:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLHistory
Automated Tools
• Easier case management
• Keyword searching includes slack\residue and other unallocated areas of disk space.
• Ability to use hash sets of known system files to minimize keyword search times.
• Ability to use hash sets to search for known files such as child porn, root kits or whatever you want to hash and find quickly.
• Unicode and ANSI compatible
– Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.
– Needed for foreign language support
• Etc.
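As an added example (not from the slides and not Encase or FTK code) of the first steps under “Where Do We Start?” and of the Unicode/ANSI keyword searching described above: verify the working image against the hash taken at acquisition, then run a raw byte-level keyword search that covers slack and unallocated space and matches each keyword in both 8-bit ANSI and UTF-16LE form. The image bytes and the acquisition hash are constructed inline.

```python
import hashlib
import re

# Constructed sample "image": three 512-byte sectors. Sector 0 holds an ANSI
# (8-bit) string, sector 1 text in UTF-16LE (the Windows "Unicode" form),
# sector 2 stands in for unallocated space. A real image is read from disk.
SAMPLE_IMAGE = (
    b"Allocated sector: meeting notes".ljust(512, b"\x00")
    + "deleted draft: transfer funds".encode("utf-16-le").ljust(512, b"\x00")
    + b"\x00" * 512
)
# Hash recorded at acquisition time (constructed here from the sample itself).
ACQUISITION_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()


def image_hashes(data, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of the raw image, hashed in chunks so a
    multi-gigabyte image never has to be held in memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        block = view[start:start + chunk_size]
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(data, expected_md5):
    """Step 1 of the process: confirm the working copy still matches the
    hash taken at acquisition before any analysis is done on it."""
    return image_hashes(data)[0] == expected_md5


def keyword_hits(data, keywords):
    """Raw (non-indexed) keyword search over every byte of the image, so hits
    in slack and unallocated space are found as well as in allocated files.
    Each keyword is searched as ANSI (latin-1) and as UTF-16LE; matching is
    case-insensitive for ASCII letters. Returns (keyword, encoding, offset)."""
    hits = []
    for kw in keywords:
        for enc in ("latin-1", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(data):
                hits.append((kw, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    print("image intact:", verify_image(SAMPLE_IMAGE, ACQUISITION_MD5))
    for kw, enc, off in keyword_hits(SAMPLE_IMAGE, ["transfer", "MEETING"]):
        print(f"{kw!r} as {enc} at offset {off} (sector {off // 512})")
```

The UTF-16LE hit in sector 1 is exactly the kind of match an ANSI-only search would miss.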
Encase Forensic Tools
• Supports “bit stream acquisitions” in three ways:
• #1 – drive to drive in a DOS environment, loading its own drive lock TSR.
• #2 – drive to drive in a Windows environment using a hardware drive locker – “Fastbloc” or others.
• #3 – computer to computer using a crossover network cable. Encase for DOS loaded from a diskette with write protect software on the suspect’s computer, Encase for Windows on the forensic examiner’s computer.
Forensic Toolkit: Access Data
Summary
• Computer Forensics is not a piece of software.
• Forensic mindset is paramount.
• The Windows Registry is a treasure chest of forensic information.
• You will need several tools in your forensic tool box.