Download Windows Forensics - University of Washington

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
Document related concepts

Distributed operating system wikipedia , lookup

Process management (computing) wikipedia , lookup

Plan 9 from Bell Labs wikipedia , lookup

OS-tan wikipedia , lookup

Spring (operating system) wikipedia , lookup

Windows Phone 8.1 wikipedia , lookup

CP/M wikipedia , lookup

Burroughs MCP wikipedia , lookup

Security-focused operating system wikipedia , lookup

Windows NT startup process wikipedia , lookup

VS/9 wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
Windows Forensics
24 Jan 2008
TCSS431: Network Security
Stephen Rondeau
Institute of Technology
Lab Administrator
Agenda

Forensics Background

Operating Systems Review

Select Windows Features

Vectors and Payloads

Forensics Process

Forensics Tools Demonstration
Forensics Background


Inspection of computer system for evidence of:

crime

unauthorized use
Evidence gathering/preservation techniques for
admissibility in court of law

Consideration of suspect's level of expertise

Avoidance of data destruction or compromise
Operating System Review

What does an OS do?
Operating System Review

What does an OS do?

starts itself

low-level management of:


higher-level management of:


interrupts, time, memory, processes, devices (storage,
communication, keyboard, display, etc.)
file system, users, user interface, apps
addresses issues of fairness, efficiency, data
protection/access, workload balancing
Select Windows Features

Kernel vs. User Mode

Kernel features (architecture)

device drivers

installable file system

object security

Services

User accounts, passwords and privileged groups

Security policies
Computing Devices: Simplistic

Computing Device


takes some input
processes it




provides some output
connects device
Data
Computing
Device
OS, services,
applications
Network

input
Hub
output
Computing Devices: Reality
In
Human
K/M/touch,etc.
Data
Scanner/GPS
Out
Human
A/V
In/Out
Data
Storage Device, PC/Express Card,
Network, Printer, Etc.
Computing Devices: Connections

removable media



PC/Express Card
wired



floppy,CD/DVD,flash,microdrive
serial/parallel,USB,Firewire,IDE/SATA,SCSI/SAS
twisted pair
wireless



radio (802.11, cellular, Bluetooth)
Infrared (IR)
Ultrasound
Vectors and Payloads


Vector: route used to gain entry to computer

via a device without human intervention

via an unsuspecting or willing person's actions
Payload: what is delivered via the vector

malicious code

may be multiple payloads

spyware, rootkits, keystroke loggers, bots, illegal
software, spamming, etc.
Forensics Process

Assess (after permission is granted)





Acquire



determine how to approach affected system(s)
inspect physical environment
watch out for anti-forensics, booby-traps
consider how to stop computer processing
capture volatile data
copy hard drive
Analyze
Volatile Data

All of RAM, plus paging area

Logged on users

Processes (regular and services)

Process memory

Buffers

Clipboard

Network Information (incoming and outgoing)

Command history
Nonvolatile Data

Partitions

Files

hidden, streams

Registry Keys

Recycle Bin

Scheduled Tasks

User Account and Group Information

Logs
What to Look For

Know baseline system: what to expect of good system

Malware Footprint






in logs
on file system (changed dates/sizes, hidden)
in registry
in startup areas
in services list
in network connections

Abnormality: function, performance, traffic patterns

Cross-check with multiple tools
Microsoft Tools

Basic






Network tools

netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig

dir /ah, dir /od, dir /tc, findstr, cacls
File
Services


Prevent: Windows Update, Time Service, Routing and Remote Access,
LocalService, NetworkService, Runas
Inspect: net user/group/localgroup, Active Directory Users and Groups,
Event Viewer, EventCombMT, systeminfo, auditpol, Security
Configuration Manager
Fix: Malicious Software Removal, Security Configuration Manager
net start/stop, sc, services.msc
Process:

tasklist, taskkill, schtasks
External Tools

www.sysinternals.com


variety of Windows tools to monitor and analyze
www.e-fense.com: Helix

Windows tools






Windows Forensics Toolkit™
trusted commands
RAM/disk imaging, password recovery tools
some www.sysinternals.com tools
bootable to Knoppix with many file system tools
www.rootkit.com
Advice

For your systems:

Prevent:


Analyze:


update, monitor, block, isolate, backup
find vectors and payloads
Recover:


off-network restore, re-install or re-image
block vectors and/or payload effects before going onnetwork
References




Windows Forensics and Incident Recovery,
Harlan Carvey, Addison-Wesley 2005
Windows Forensic Analysis DVD Toolkit ,
Harlan Carvey, Syngress 2007
File System Forensic Analysis,Brian Carrier,
Addison-Wesley 2005
Rootkits, Greg Hoglund and James Butler,
Addison-Wesley 2006
Related documents
Windows Forensics - University of Washington
Windows Forensics - University of Washington
FORENSICS Computer Forensics
FORENSICS Computer Forensics
Introduction to Forensics
Introduction to Forensics
Digital Investigation Support Services
Digital Investigation Support Services
Network Forensics
Network Forensics
here
here
COEN 152 Computer Forensics
COEN 152 Computer Forensics
COEN 152 Computer Forensics
COEN 152 Computer Forensics
Biotech cards - Cabarrus County Schools
Biotech cards - Cabarrus County Schools
Introduction to Computer Forensics
Introduction to Computer Forensics
Uniqua Consulting Gmbh - Data Mining Analyst
Uniqua Consulting Gmbh - Data Mining Analyst
Learning Science Through Forensics Activities
Learning Science Through Forensics Activities
Computer Forensics - FSU Computer Science
Computer Forensics - FSU Computer Science
COEN 152 Computer Forensics - Santa Clara University's
COEN 152 Computer Forensics - Santa Clara University's
Example: Data Mining for the NBA - The University of Texas at Dallas
Example: Data Mining for the NBA - The University of Texas at Dallas
Lecture 1 - The University of Texas at Dallas
Lecture 1 - The University of Texas at Dallas
Instructor`s Manual to Accompany
Instructor`s Manual to Accompany
What is Computer Forensics?
What is Computer Forensics?
IRP 4 Forensics
IRP 4 Forensics
Computer Forensics
Computer Forensics
Reynaldo Anzaldua
Reynaldo Anzaldua
Lecture21 - The University of Texas at Dallas
Lecture21 - The University of Texas at Dallas