Windows Forensics - University of Washington

Windows Forensics
10 Apr 2007
TCSS431: Network Security
Stephen Rondeau
Institute of Technology
Lab Administrator
Agenda
- Forensics Background
- Operating Systems Review
- Select Windows Features
- Vectors and Payloads
- Forensics Process
- Forensics Tools Demonstration
Forensics Background
- Inspection of computer system for evidence of:
  - crime
  - unauthorized use
- Evidence gathering/preservation techniques for admissibility in court of law
- Consideration of suspect's level of expertise
- Avoidance of data destruction or compromise
Operating System Review
- What does an OS do?
  - starts itself
  - low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
  - higher-level management of: file system, users, user interface, apps
  - addresses issues of fairness, efficiency, data protection/access, workload balancing
Select Windows Features
- Kernel vs. User Mode
- Kernel features (architecture)
  - device drivers
  - installable file system
  - object security
- Services
Computing Devices: Simplistic
- Computing Device
  - takes some input
  - processes it
  - provides some output
[Diagram: a Computing Device (OS, services, applications) with input and output, connected through a Hub to a Network over which Data flows]
Computing Devices: Reality
[Diagram of a device's inputs and outputs:]
- In: Human (K/M/touch, etc.); Data (Scanner/GPS)
- Out: Human (A/V)
- In/Out: Data (Storage Device, PC Card, Network, Printer, Etc.)
Computing Devices: Connections
- removable media: floppy, CD/DVD, flash, microdrive
- PC Card
- wired: serial/parallel, USB, Firewire, IDE, SCSI, twisted pair
- wireless
  - radio (802.11, cellular, Bluetooth)
  - Infrared (IR)
  - Ultrasound
Vectors and Payloads
- Vector: route used to gain entry to computer
  - via a device without human intervention
  - via an unsuspecting or willing person's actions
- Payload: what is delivered via the vector
  - malicious code
  - may be multiple payloads
  - spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.
Forensics Process
- Assess
  - after permission is granted
  - determine how to approach affected system(s)
  - watch out for anti-forensics
  - how to stop computer processing?
- Acquire
  - capture volatile data
  - copy hard drive
- Analyze
Volatile Data
- All of RAM, plus paging area
- Logged on users
- Processes (regular and services)
- Process memory
- Buffers
- Clipboard
- Network Information
- Command history
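The Acquire step above says to capture volatile data before copying the hard drive, and the Volatile Data slide lists what disappears first. The script below is an added example (not part of the lecture) of what that capture looks like in practice: it runs the built-in Windows tools named later in the deck (netstat -anob, arp, nbtstat, ipconfig, tasklist, net start, schtasks, systeminfo) in order of volatility, runs them from a trusted toolkit directory rather than the suspect host's own PATH (the statically-linked-tools idea behind Helix), writes raw output to a separate directory meant to sit on removable media, and records a SHA-256 per capture in a manifest so the evidence can later be shown unaltered. The toolkit and output paths are hypothetical command-line arguments; RAM contents and logged-on users need additional tools and are not covered here.

```python
"""Volatile-data collection for the Acquire step, most volatile first, with an
integrity manifest. Added example, not from the lecture. Assumes a trusted
toolkit directory (hypothetical path, given on the command line) holding
known-good copies of the tools; output goes to a separate output directory."""
import hashlib
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Order of volatility: network state and the process list change by the second,
# scheduled tasks and system info hardly at all. Tools are the ones the slides list.
COLLECTION_ORDER = [
    ("network_connections", ["netstat.exe", "-anob"]),
    ("arp_cache", ["arp.exe", "-a"]),
    ("netbios_cache", ["nbtstat.exe", "-c"]),
    ("ip_config", ["ipconfig.exe", "/all"]),
    ("processes", ["tasklist.exe", "/v"]),
    ("process_services", ["tasklist.exe", "/svc"]),
    ("services", ["net.exe", "start"]),
    ("scheduled_tasks", ["schtasks.exe", "/query", "/v"]),
    ("system_info", ["systeminfo.exe"]),
]


def sha256_hex(data: bytes) -> str:
    """Hash each captured output so later analysis can prove it is unaltered."""
    return hashlib.sha256(data).hexdigest()


def utc_now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


def build_command(tool_dir: str, argv: list) -> list:
    """Run the tool from the trusted toolkit directory, never via the suspect
    system's PATH: a rootkit may have replaced the local netstat or tasklist."""
    return [os.path.join(tool_dir, argv[0])] + argv[1:]


def manifest_entry(label: str, argv: list, output: bytes,
                   started_utc: str, finished_utc: str) -> dict:
    """One manifest record: what ran, when, and a hash of what it produced."""
    return {
        "label": label,
        "command": " ".join(argv),
        "started_utc": started_utc,
        "finished_utc": finished_utc,
        "bytes": len(output),
        "sha256": sha256_hex(output),
    }


def collect(tool_dir: str, out_dir: str) -> list:
    """Run every command in COLLECTION_ORDER, save raw output, return the manifest."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for label, argv in COLLECTION_ORDER:
        cmd = build_command(tool_dir, argv)
        started = utc_now_iso()
        # No shell=True: cmd.exe on the suspect host is as untrusted as any other binary there.
        proc = subprocess.run(cmd, capture_output=True)
        finished = utc_now_iso()
        output = proc.stdout + proc.stderr
        with open(os.path.join(out_dir, label + ".txt"), "wb") as fh:
            fh.write(output)
        manifest.append(manifest_entry(label, cmd, output, started, finished))
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


if __name__ == "__main__":
    # e.g. python collect_volatile.py E:\tools E:\case001\volatile  (constructed paths)
    collect(sys.argv[1], sys.argv[2])
```

The manifest's timestamps matter as much as the hashes: two captures taken seconds apart can legitimately disagree (a process exits, a connection closes), and the analyst needs to know which ran first before reading a difference as tampering.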
Nonvolatile Data
- Partitions
- Files
  - hidden, streams
- Registry Keys
- Recycle Bin
- Scheduled Tasks
- User information
- Logs
What to Look For
- Know baseline system: what to expect of good system
- Malware Footprint
  - in logs
  - on file system (changed dates/sizes)
  - in registry
  - in startup areas
  - in service list
  - in network connections
- Abnormalcy – functionality, performance, traffic patterns
- Cross-check with multiple tools
Microsoft Tools
- Basic
  - Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
  - File: dir /ah, dir /od, dir /tc, findstr, cacls
  - Services: Windows Update, Malicious Software Removal, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, LocalService, NetworkService, Runas, systeminfo, auditpol; net start/stop, sc
  - Process: tasklist, taskkill, schtasks
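The previous slide's advice (know the baseline, look at the service list and network connections, cross-check with multiple tools) and two of the tools listed here, netstat -anob and tasklist /svc, come together in the following added example, which is not part of the lecture. It parses the output format each tool prints, then compares them against each other and against a baseline of what a clean build of the same system exposes: a PID that netstat says owns a socket but tasklist does not show is a candidate hidden (or just-exited) process; an image name that differs between the two tools, a service netstat credits to a PID that tasklist does not list, a listener missing from the baseline, or an outbound connection from an image that is not a known network client are each reported. Both tool outputs and the baseline are constructed samples, including the look-alike image name wuauc1t.exe.

```python
"""Cross-check `netstat -anob` against `tasklist /svc` and a known-good baseline.
Added example, not from the lecture; the tool outputs and baseline are constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    proto: str
    local: str
    remote: str
    state: str       # empty for UDP, which has no State column
    pid: int
    components: list = field(default_factory=list)  # service names -b prints under the line
    image: str = ""                                  # executable -b prints in [brackets]

def parse_netstat_anob(text: str) -> list:
    """A connection line, then the component lines and [image] line that -b adds beneath it."""
    endpoints, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""
            current = Endpoint(parts[0], parts[1], parts[2], state, int(parts[-1]))
            endpoints.append(current)
        elif line and current is not None:
            if line.startswith("[") and line.endswith("]"):
                current.image = line[1:-1]
            else:
                current.components.append(line)
    return endpoints

def parse_tasklist_svc(text: str) -> dict:
    """{pid: (image, [services])}; the image column width is read from the ===== separator."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("="))
    width = len(lines[sep].split(" ", 1)[0])
    procs = {}
    for line in lines[sep + 1:]:
        m = re.match(r"\s*(\d+)\s+(.*)$", line[width:])
        if m:
            svcs = [] if m.group(2).strip() == "N/A" else [s.strip() for s in m.group(2).split(",")]
            procs[int(m.group(1))] = (line[:width].strip(), svcs)
    return procs

def cross_check(endpoints: list, procs: dict, listeners: dict, outbound_images: set) -> list:
    """listeners: (proto, port) -> image expected to own it on a clean system;
    outbound_images: images expected to hold outbound connections. Returns findings."""
    findings = []
    for ep in endpoints:
        if ep.pid not in procs:
            findings.append(f"PID {ep.pid} owns {ep.proto} {ep.local} but is missing from tasklist: "
                            "hidden process, or one that exited between the two captures")
            continue
        image, services = procs[ep.pid]
        if ep.image and ep.image.lower() != image.lower():
            findings.append(f"PID {ep.pid}: netstat names {ep.image}, tasklist names {image}")
        for svc in ep.components:
            if svc not in services:
                findings.append(f"PID {ep.pid}: netstat credits {ep.local} to {svc}, not listed by tasklist /svc")
        port = int(ep.local.rsplit(":", 1)[1])
        if ep.proto == "UDP" or ep.state == "LISTENING":
            expected = listeners.get((ep.proto, port))
            if expected is None:
                findings.append(f"listener not in baseline: {ep.proto} {ep.local} owned by {image} (PID {ep.pid})")
            elif expected.lower() != image.lower():
                findings.append(f"{ep.proto} port {port}: baseline owner {expected}, observed {image} (PID {ep.pid})")
        elif ep.state == "ESTABLISHED" and image.lower() not in outbound_images:
            findings.append(f"outbound {ep.local} -> {ep.remote} by {image} (PID {ep.pid}), not a baseline network client")
    return findings

# Constructed sample in the layout `netstat -anob` prints on Windows XP/2003.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]

  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1732
 [wuauc1t.exe]

  TCP    192.168.1.5:1059       192.168.1.20:80        ESTABLISHED     1616
 [iexplore.exe]

  TCP    192.168.1.5:1064       203.0.113.9:6667       ESTABLISHED     1732
 [wuauc1t.exe]

  UDP    0.0.0.0:1029           *:*                                    2040
 [svchost.exe]
"""
# Constructed sample in the fixed-width layout `tasklist /svc` prints; PID 2040 is absent.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    884 RpcSs
iexplore.exe                  1616 N/A
wuauc1t.exe                   1732 N/A
"""
# Constructed baseline: what a clean build of this system is expected to expose.
BASELINE_LISTENERS = {("TCP", 135): "svchost.exe", ("TCP", 445): "System", ("UDP", 500): "lsass.exe"}
BASELINE_OUTBOUND = {"iexplore.exe", "svchost.exe"}

def analyze_sample() -> list:
    """Run the cross-check over the constructed samples."""
    return cross_check(parse_netstat_anob(NETSTAT_SAMPLE), parse_tasklist_svc(TASKLIST_SAMPLE),
                       BASELINE_LISTENERS, BASELINE_OUTBOUND)

if __name__ == "__main__":
    for finding in analyze_sample():
        print("-", finding)
```

On the sample this yields three findings: the unexpected TCP 31337 listener, the outbound connection to port 6667 from an image that is not a baseline network client, and the UDP 1029 endpoint owned by a PID tasklist cannot see. The last is the "cross-check with multiple tools" case: neither tool alone shows the inconsistency, and the manifest timestamps from the collection step tell whether the gap is a hidden process or merely one that exited between the two captures.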
External Tools
- antivirus
- backup
- www.sysinternals.com
  - RootKitRevealer, ProcessExplorer, WinObj, Autoruns
  - PSTools: pslist, psexec, psservice, psgetsid, etc.
- www.e-fense.com: Helix
  - statically-linked tools, variety of other tools
- Bart's PE
References
- Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005
- Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress 2007
- File System Forensic Analysis, Brian Carrier, Addison-Wesley 2005
- Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006