NT-Forensics-by-Gittings-Keith-Lunny
Forensic Evaluation of
Windows NT ++
Scott Ferguson
Keith Gittings
Casey Lunny
Overview
• Handling of Physical Evidence
• Gathering Evidence
• Gathering and Discovering Passwords
• Investigating the File System
International Organization on
Computer Evidence
• www.ioce.org
• Key concepts
– Documentation
– Preservation
• IOCE proposes a set of principles to be
followed during a forensic investigation
IOCE Principles
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Handling of Physical Evidence:
Documentation
• Documentation
– Begin at start of investigation
– Allow no gaps
• Can lead to entire case being called into question
• Cases may take years
– Record everything
• Including System Time
– CMOS Internal Clock
» May Affect Document Search
» GetTime (http://www.forensics-intl.com/gettime.html)
Handling of Physical Evidence:
Documentation
• Work with Partner
– Allows for dedicated note-taker
– Tape Recorder can serve as partner
• Remember Tape Recorder may be subpoenaed
• Transportation
– Transport suspect equipment and documents to secure location
Handling of Physical Evidence:
Chain of Custody
• Chain of Custody
– Document everyone who comes in contact
– Limit access only to highly trained investigators
– Safeguard physical machine
• Limit Access
– Use a product such as “Seized”
• http://www.forensics-intl.com/seized.html
Handling of Physical Evidence:
Collection
• Collection
– Collect in order of volatility
• registers, cache
• routing table, arp cache, process table, kernel statistics, memory
• temporary file systems
• disk
• remote logging and monitoring data that is relevant to the system in question
• physical configuration, network topology
• archival media
Handling of Physical Evidence:
Collection
• Options for powering off computer
1. Live System
– Least Effective
2. Pull the Plug
– Provides Clear Image of System State
– Prevents Malicious Code
– Possible System Corruption
3. Administrative Shut Down
– Provides Proper System Shut Down
– Prevents System Corruption
– Possible Malicious Code
Handling of Physical Evidence:
Collection
• Collect Everything
– Floppies
– CD-Rs, CD-RWs
– DVD-Rs
– Tapes
Handling of Physical Evidence:
Equipment
• Forensic Equipment
– Use dedicated machine (preferably)
• Free of unneeded programs
– Avoid Embarrassment
• Use legal version of software
• Register shareware
Gathering Evidence:
Copy, Copy, Copy
• Create Copy of Data
– Never work with original data
• Work with the copy
– Protects against
• Changing data (intentionally or unintentionally)
• Contaminating data
• Destroying data
Gathering Evidence:
Making the Copy
• Hard Drive
– Remove from suspect machine
– Create bit stream copy
• Image MASSter (http://www.icsiq.com)
Image MASSter Solo-2 Forensic system ($1,450.00)
Gathering Evidence:
Fingerprint and Timestamp
• Fingerprint and Timestamp Copy
– Authenticates Copy
• Tools
– CRCMD5
– MD5
– CRC
Gathering and Discovering Passwords:
The Scene
• All passwords are valuable
– People often reuse passwords
– Encrypted files with no value may have a password of immense value
• Investigate the scene
– Common locations
• Under Mouse Pad
• Desk Drawers
• Rolodex
• Magazines
Gathering and Discovering Passwords:
The suspect
• Interviewing the Suspect
– Ask for password
• Many suspects are willing to divulge password
– Coercive
• Offer of computer return
• Rubber hose method
– Gather information
• Common words
• Common things
– Pets Name
– Children
– Interests
Gathering and Discovering Passwords:
Obtaining the password
• Breaking the Encryption
– Administration Passwords
• Windows password crackers
– L0phtCrack (www.atstake.com)
– CAIN
– Password Encrypted Files
• AccessData (www.accessdata.com)
Gathering and Discovering Passwords:
L0phtcrack
• L0phtCrack is designed to recover passwords for Windows NT
– Takes the hashes of passwords and generates the clear text passwords
– Uses two methods
• Dictionary Cracking
• Brute Force Cracking
Gathering and Discovering Passwords:
AccessData Password Recovery Toolkit
Access
ACT!
Ami Pro
Approach
ARJ
Ascend
Backup
BestCrypt
Bullet Proof FTP
Cute FTP
DataPerfect
dBase
Encrypt Magic Fldr
Excel
FoxBase
File Maker Pro
Lotus 1-2-3
Mail (MS)
MS Money
MYOB
My Personal Check Writer
Norton Secret Stuff
Organizer
Outlook
Palm
Paradox
PGP Disk File 4.0
PGP Secret Key Ring
Pro Write
Project (MS)
WinZip & Generic Zippers
Q&A
Quattro Pro
QuickBooks
Quicken
WinRAR
Scheduler+
Symphony
VersaCheck
Word
WordPerfect
Word Pro
Adobe PDF
Win95/Win98 PWL Files
IE Content Advisor
WE_FTP
Netscape Mail
Source Safe
PC-Encrypt
Gathering and Discovering Passwords:
Circumventing Passwords
• Plaintext Version of Encrypted Files
– Some applications store backup copy
• Microsoft Word
• .wbk extension
Investigating the File System
Hiding Data
• Changing File Extensions
– Easy Method
– Ex. (.jpg to .doc)
– Don’t use Windows Explorer to locate files
– Jasc Quick View Plus (www.jasc.com)
• Identifies files without use of file extension
– Encase (www.encase.com)
• Can Identify files that were intentionally mislabeled
Investigating the File System
Hiding Data
• Hiding Directories and Files
– Windows allows users to set files as hidden
• Prevents accidental altering of file
• Enables user to hide any file or directory
• Solution:
– Make sure Windows Explorer is set to show hidden files
Investigating the File System
Hiding Data
• NT Streams
– Arbitrary data associated with a file
• Used to associate new data objects with file
– Available with Windows NT, XP, 2000
• Cannot be detected by Windows Explorer or most GUI-based programs
• Can be detected with SFind (Forensic Toolkit from Foundstone)
Investigating the File System
The Forensic Toolkit
• The Forensic Toolkit (www.foundstone.com)
– Contains several Win32 command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity.
• AFind
– Lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames; coordinating this with logon info provided by NTLast, you can begin to determine user activity even if file logging has not been enabled.
• HFind
– Scans the disk for hidden files. It will find files that have either the hidden attribute set, or NT's unique and painful way of hiding things by using the directory/system attribute combination. This is the method that IE uses to hide data. HFind lists the last access times.
• SFind
– Scans the disk for hidden data streams and lists the last access times.
Investigating the File System
Hiding Data
• The Network
– File servers at work
– Internet sites providing free storage
– Clues to existence
• File Cache
• Internet history
• Network Neighborhood
Investigating the File System
Hiding Data
• Steganography
– “to hide in plain sight”
– Computer cryptography called “stego”
• Data is hidden in “carriers”
• Common carriers are multimedia files
• Time consuming
– Difficult to find “stegoed” files
• Clues
– Stego software such as S-Tools found on computer
– Images appear altered (if poor carrier chosen)
Investigating the File System
Hiding Data
• Altering the System Environment
– Mislead examiner about system
– Always avoid investigating on actual system
– More common on Unix systems
– Methods
• Alter specific binary
• Alter the entire kernel
– Affects multiple binaries
• DLLs
– Enable commonly used code routines to be updated
– Altering DLLs will affect many programs
– Tripwire (www.tripwire.com)
• Can detect changes to system environment
Investigating the File System
Nontraditional Computer Storage
• Ambient Data
– “data stored in non-traditional computer
storage areas and formats”
– File Slack
– Swap Files
– Unallocated Space
Investigating the File System
Nontraditional Computer Storage
• File Slack
– Disk space is allocated in whole clusters (512 bytes on Windows), so the space a file occupies is always a multiple of the cluster size.
– Clusters are made up of sectors (number varies)
– RAM data is used to pad to the end of the sector
– Hard drive data is used to pad to the end of the cluster
– Example:
• Hello+++++++++++++++++++|------------------------(EOF)
– RAM Slack is indicated by "+"
– Drive Slack is indicated by "-"
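As an added example (not from the slides), a Python helper that carves the two kinds of slack out of a file's cluster chain; it assumes 512-byte sectors and a constructed 4-sector cluster, and the sample content is built to match the slide's diagram.

```python
# Added example (not from the slides): split a file's allocated clusters into
# content, RAM slack and drive slack. Assumes 512-byte sectors and a
# constructed cluster of 4 sectors; a real image uses the cluster size from
# the partition's boot sector.
SECTOR = 512
CLUSTER = 4 * SECTOR


def ceil_to(n, unit):
    """Round n up to the next multiple of unit."""
    return -(-n // unit) * unit


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, drive_slack) byte counts that follow EOF.

    RAM slack pads from EOF to the end of the last written sector and holds
    whatever was in memory at write time; drive slack runs from there to the
    end of the last cluster and holds whatever the disk previously stored.
    A zero-length file owns no cluster, so it has no slack at all."""
    if file_size == 0:
        return 0, 0
    sector_end = ceil_to(file_size, sector)
    return sector_end - file_size, ceil_to(file_size, cluster) - sector_end


def carve_slack(raw, file_size, sector=SECTOR, cluster=CLUSTER):
    """Split raw (the file's whole cluster chain, as read from the image)
    into (content, ram_slack, drive_slack). Only the first file_size bytes
    are what the user sees; an examiner wants the other two as well."""
    if len(raw) != ceil_to(file_size, cluster):
        raise ValueError("raw must be exactly the allocated cluster chain")
    ram, _ = slack_layout(file_size, sector, cluster)
    return (raw[:file_size], raw[file_size:file_size + ram],
            raw[file_size + ram:])


def demo():
    """Constructed cluster like the slide's picture: 'Hello', then leftover
    memory bytes ('+') to the sector end, then old disk data ('-') to the
    end of the cluster. Returns the content and the two slack lengths."""
    content = b"Hello"
    ram, drive = slack_layout(len(content))
    raw = content + b"+" * ram + b"-" * drive
    c, r, d = carve_slack(raw, len(content))
    return c, len(r), len(d)
```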
Investigating the File System
Nontraditional Computer Storage
• Unallocated Space
– Clusters that are not allocated to a directory or file but possibly still contain data the user has thought long since erased
– AccessData Forensic Data
• Examines Slackspace
Investigating the File System
AccessData Forensic Toolkit
Investigating Windows
Computers
• The Microsoft Corporation has been providing a
steady supply of operating systems, each of
which builds on the previous version.
• Since newer releases of Windows are based on
its predecessor, backwards compatibility with
previous versions is provided.
Investigating Windows
Computers
• An investigator must be aware of the built-in
tools that the Windows operating systems
provide.
– Globally Unique Identifiers
– Windows Registry
– Recycle Bin
– Scandisk Log files
– Find Program
– Windows Email
Globally Unique Identifiers
• PID_GUID values are an essential component of
Microsoft’s architecture and can be found in:
– Word Document files
– Cookies
– Windows Registry
• The PID_GUID contains a serial number that can identify which computer a file was created on.
Locating GUID in Word
Documents
• Open Microsoft Word and create a new text file.
• Save the file as a Word 97 document, which should be the default (note: this will not work under Office 2000).
• Use Quick View Plus to open the document and search for the string ‘PID_GUID’.
• The program should find a string similar to this:
– PID_GUID_{36FDE49B-5EFC-4DD6-A282Abc1234567890}
– The last 12 hexadecimal characters at the end of this string represent the MAC address of the originating computer.
Limitations
• This technique is limited because :
– It assumes that the suspect has not changed the Ethernet card in his/her computer.
– The PID_GUID is no longer included in documents created with newer versions of Microsoft Word.
Locating PID_GUID in Cookies
• Explore the Windows Cookies directory and search for a file ending in “microsoft.txt”.
• Within the file you should see a string similar to this:
– MC1V=2&GUID=b0ea5322ab004da78116a0a10 microsoft.com
Locating PID_GUID in Windows
Registry
• In the Registry Editor search for “MachineGUID”
• regedit should return a value similar to this in the data column:
– 950f31d7-3d5s-4576-a939-1b2f68a3cddf
Locating PID_GUID in Windows
Registry
Once again, the last 12 digits are from the network card that was installed in the computer.
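As an added example (not from the slides), a small Python scanner that pulls GUID strings out of text, such as a Word file viewed as text or a registry export, and reports the node field as a MAC address for both the Word PID_GUID and the registry MachineGUID cases above. It also checks the GUID version nibble, since only time-based (version 1) GUIDs carry a NIC-derived node; the sample values are constructed.

```python
import re

# Added example (not from the slides). Matches the 8-4-4-4-12 form used by a
# Word PID_GUID string and by the registry MachineGUID value.
GUID_RE = re.compile(
    r"([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})")


def find_guids(text):
    """Return every GUID string found in text (a document viewed as text,
    or a registry export)."""
    return [m.group(0) for m in GUID_RE.finditer(text)]


def guid_node_info(guid):
    """Decode the node field (last 12 hex digits) of a GUID.

    Returns (mac, version, unreliable). In a time-based (version 1) GUID the
    node field is the MAC of the network card present when the GUID was made,
    which is what the slides rely on. Other versions fill it with random
    bits, and a set multicast bit (bit 0 of the first octet) marks a random
    node rather than a real unicast address; both cases are flagged."""
    m = GUID_RE.fullmatch(guid.strip("{}"))
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    version = int(m.group(3)[0], 16)
    node = m.group(5).lower()
    mac = ":".join(node[i:i + 2] for i in range(0, 12, 2))
    multicast = int(node[:2], 16) & 0x01 == 1
    return mac, version, version != 1 or multicast


# Constructed sample: a PID_GUID as it appears in a Word 97 file viewed as
# text, then a MachineGUID line from a registry export. Values are made up.
SAMPLE = ("...PID_GUID_{1a2b3c4d-1234-11d2-9abc-00a0c9ab1234}...\n"
          '"MachineGUID"="0f1e2d3c-4b5a-4968-8877-665544332211"\n')


def report(text=SAMPLE):
    """Map each GUID found in text to (mac, version, unreliable)."""
    return {g: guid_node_info(g) for g in find_guids(text)}
```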
Other Uses of the Windows
Registry
• The Windows registry is a comprehensive database containing information on every Windows-compatible program that has been installed on the PC.
• The Registry contains information about:
– Users
– Their preferences
– Information on the hardware
– Network information
Working with the Registry
• The Registry is a database of values that control the behavior
of Windows, including any hosted applications and services.
• The Registry is not an exhaustive collection of configuration
settings and parameters; instead, it is a collection of
exceptions.
• When an item is listed in the Registry, it defines an exception
or a different value for parameters that the process uses instead
of its known defaults.
Registry Keys
• HKEY_LOCAL_MACHINE — This Registry subtree contains the configuration parameters pertaining to the local computer system, including both hardware devices and operating system components.
• HKEY_CURRENT_CONFIG — This Registry subtree contains configuration settings for the currently active hardware profile. It is rebuilt each time NT is booted.
• HKEY_CURRENT_USER — This Registry subtree contains configuration and profile information pertaining to the currently logged on user. It is built each time a user successfully logs onto the system.
• HKEY_USERS — This Registry subtree contains the configuration and profile information pertaining to all users of this computer, plus the default profile.
Investigating the Registry
• By exploring the keys within HKEY_CURRENT_USER Software/Microsoft/Internet Explorer/ you can find all of the current settings, past URL searches, security preferences, download folder settings, and even the startup home page for the current user.
• By searching the TypedURLs directory a list of recently searched web addresses is supplied.
TypedURLs
Explorer/RunMRU
• This key contains a list of the most recent programs launched from the Run window.
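As an added example (not part of the slides), a Python parser for a regedit text export (.reg) of the TypedURLs and RunMRU keys described above, recovering the typed URLs and the Run-window history in order. The sample export is constructed; the single-letter values plus an MRUList ordering value are how Explorer's RunMRU key is laid out, and url1, url2, ... is how TypedURLs is laid out.

```python
import re

# Added example (not from the slides): parse a regedit text export (.reg) of
# the keys discussed above and recover what the user typed or ran, in order.
RUNMRU_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
              r"\Explorer\RunMRU")
TYPEDURLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg
    export; .reg escapes backslashes and quotes, so they are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m:
            keys[current][m.group(1)] = (m.group(2).replace('\\"', '"')
                                         .replace("\\\\", "\\"))
    return keys

def run_mru_history(values):
    """RunMRU keeps each command in a single-letter value; MRUList lists those
    letters most recent first. Explorer's trailing "\\1" is stripped."""
    history = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot)
        if cmd is not None:
            history.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return history

def typed_urls(values):
    """TypedURLs stores url1, url2, ... with url1 the most recently typed."""
    numbered = [(int(k[3:]), v) for k, v in values.items()
                if k.startswith("url") and k[3:].isdigit()]
    return [v for _, v in sorted(numbered)]

# Constructed sample export; the commands and URLs are made up.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + RUNMRU_KEY + "]",
    r'"a"="cmd\\1"', r'"b"="regedit\\1"',
    r'"c"="\\\\fileserver\\share\\1"', '"MRUList"="cba"', "",
    "[" + TYPEDURLS_KEY + "]",
    '"url1"="http://mail.example.com/"', '"url2"="http://www.example.com/"',
])
```

Calling `parse_reg_export(SAMPLE_REG)` and feeding each key's values to `run_mru_history` and `typed_urls` yields the Run history most recent first and the typed URL list most recent first.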
HKEY_LOCAL_MACHINE
• HKEY_LOCAL_MACHINE contains the Network/Logon key, which displays the last username used to log onto a network.
• Stores all of the information related to:
– Hardware
– Security Account Manager
– Software
– System
Other Windows Tools
• The Recycle bin is a good place to search for
evidence.
• Many users forget that deleted files are placed in
the Recycle Bin until they are deliberately
emptied or until it fills up and begins overwriting
files.
Other Windows Tools
• Scandisk .chk files may contain information a
suspect has tried to delete.
• The Scandisk utility will attempt to restore files
that it believes have been inadvertently deleted.
• Since Scandisk files can contain pieces of
deleted files, useful information that may
otherwise be lost is sometimes still sitting in a
.chk file.
Other Windows Tools
• The easiest way to find files in Windows is
using the built-in Find program.
• The Find tool allows you to sort by name,
file type, and date of last modification.
• The Find program in Windows 2000/XP
allows you to search for a specific string
within a file.
Windows Email
• Email is often a rich source of information
about a suspect’s activities.
• Email files in Microsoft systems are not
easy to analyze.
– Users may download all emails or store them
remotely on a server.
– Many different mail applications have their
own file formats and conventions.
Windows Email
• Mail is like any other application in that it uses temporary
files and swap space.
• Check the hard drive for messages or check the slack
space for remnants of original emails.
• Check the suspect's Web history and see if any past sites appear to be an email site.
• You can then use your forensics analysis tool to search
for fragments containing the domain of that email
provider.