Windows Forensics 24 Jan 2008 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator Agenda Forensics Background Operating Systems Review Select Windows Features Vectors and Payloads Forensics Process Forensics Tools Demonstration Forensics Background Inspection of computer system for evidence of: crime unauthorized use Evidence gathering/preservation techniques for admissibility in court of law Consideration of suspect's level of expertise Avoidance of data destruction or compromise Operating System Review What does an OS do? Operating System Review What does an OS do? starts itself low-level management of: higher-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.) file system, users, user interface, apps addresses issues of fairness, efficiency, data protection/access, workload balancing Select Windows Features Kernel vs. User Mode Kernel features (architecture) device drivers installable file system object security Services User accounts, passwords and privileged groups Security policies Computing Devices: Simplistic Computing Device takes some input processes it provides some output connects device Data Computing Device OS, services, applications Network input Hub output Computing Devices: Reality In Human K/M/touch,etc. Data Scanner/GPS Out Human A/V In/Out Data Storage Device, PC/Express Card, Network, Printer, Etc. Computing Devices: Connections removable media PC/Express Card wired floppy,CD/DVD,flash,microdrive serial/parallel,USB,Firewire,IDE/SATA,SCSI/SAS twisted pair wireless radio (802.11, cellular, Bluetooth) Infrared (IR) Ultrasound Vectors and Payloads Vector: route used to gain entry to computer via a device without human intervention via an unsuspecting or willing person's actions Payload: what is delivered via the vector malicious code may be multiple payloads spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc. Forensics Process Assess (after permission is granted) Acquire determine how to approach affected system(s) inspect physical environment watch out for anti-forensics, booby-traps consider how to stop computer processing capture volatile data copy hard drive Analyze Volatile Data All of RAM, plus paging area Logged on users Processes (regular and services) Process memory Buffers Clipboard Network Information (incoming and outgoing) Command history Nonvolatile Data Partitions Files hidden, streams Registry Keys Recycle Bin Scheduled Tasks User Account and Group Information Logs What to Look For Know baseline system: what to expect of good system Malware Footprint in logs on file system (changed dates/sizes, hidden) in registry in startup areas in services list in network connections Abnormality: function, performance, traffic patterns Cross-check with multiple tools Microsoft Tools Basic Network tools netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig dir /ah, dir /od, dir /tc, findstr, cacls File Services Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager Fix: Malicious Software Removal, Security Configuration Manager net start/stop, sc, services.msc Process: tasklist, taskkill, schtasks External Tools www.sysinternals.com variety of Windows tools to monitor and analyze www.e-fense.com: Helix Windows tools Windows Forensics Toolkit™ trusted commands RAM/disk imaging, password recovery tools some www.sysinternals.com tools bootable to Knoppix with many file system tools www.rootkit.com Advice For your systems: Prevent: Analyze: update, monitor, block, isolate, backup find vectors and payloads Recover: off-network restore, re-install or re-image block vectors and/or payload effects before going onnetwork References Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005 Windows Forensic Analysis DVD Toolkit , Harlan Carvey, Syngress 2007 File System Forensic Analysis,Brian Carrier, Addison-Wesley 2005 Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006