Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis.


© Wiley Inc. 2007. All Rights Reserved

Chapter Topics:

• Purpose of tool analysis

• Tools & Techniques

Purpose of Tool Analysis

• Understand the tool the attacker used: what it does and how it works

• Understand the impact or damage done to the target system

• Be able to demonstrate later in court how the intrusion occurred

• Enables detailing of the damage done to the system and to connected systems

Tools & Techniques

• Run antivirus / spyware detection tools first (a known sample may be identified outright, which saves analysis time)

• Strings: extracts and displays the plain-text strings embedded in executables, DLLs, etc. URLs, IP addresses, file paths, registry keys and imported DLL names often show up here.

• Dependency Walker: shows which modules (DLLs) and which of their exported functions the attacker's code depends on, which helps in understanding what the code does (for example, imports from WS2_32.dll point to network activity)
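The strings step above, as an added example that is not part of the original chapter: a small extractor that scans a byte buffer for both ASCII and UTF-16LE ("wide") runs, the two encodings an analyst expects in a Windows executable, and then groups the hits by the indicator types worth looking at first. The byte blob and the indicator patterns are this example's own constructions, not a real sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a suspect executable: a DOS stub, an import-like
# name table, a C2 URL, a UTF-16LE credential string and a Run-key path,
# separated by binary junk.  Not a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + b"KERNEL32.dll\x00WS2_32.dll\x00CreateFileA\x00connect\x00"
    + b"\x01\x02\x03\x04\x05"
    + b"ftp://203.0.113.10/upload\x00"
    + b"\x00\x01\x02"
    + "USER anonymous".encode("utf-16le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xff\xfe\x01\x02"
)

StringHit = Tuple[int, str, str]  # (file offset, encoding, text)


def extract_strings(data: bytes, min_len: int = 4) -> List[StringHit]:
    """Return every printable run of at least min_len characters, scanning
    for ASCII and for UTF-16LE (char, NUL pairs), ordered by file offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[StringHit] = []
    for m in ascii_run.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_run.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    hits.sort(key=lambda h: h[0])
    return hits


# Indicator categories an analyst checks first in strings output (assumed set).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "url": re.compile(r"\b(?:https?|ftp)://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "dll_import": re.compile(r"\b[\w-]+\.dll\b", re.I),
    "registry_run_key": re.compile(r"CurrentVersion\\Run\b", re.I),
    "credential_keyword": re.compile(r"\b(?:USER|PASS|password|login)\b", re.I),
}


def triage(hits: List[StringHit]) -> Dict[str, List[StringHit]]:
    """Group extracted strings by every indicator category they match."""
    found: Dict[str, List[StringHit]] = {}
    for hit in hits:
        for label, pattern in INDICATORS.items():
            if pattern.search(hit[2]):
                found.setdefault(label, []).append(hit)
    return found


if __name__ == "__main__":
    all_hits = extract_strings(SAMPLE_BINARY)
    for offset, enc, text in all_hits:
        print(f"{offset:08x} {enc:8s} {text}")
    for label, matches in triage(all_hits).items():
        print(label, [t for _, _, t in matches])
```

The UTF-16 pass matters on Windows: API strings such as registry paths and user names are frequently stored wide, and an ASCII-only scan misses them entirely.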

Tools & Techniques

• Monitoring the code when it runs

– Create a clone system (VMware image, Shadow Drive, restored copy)

– Keep it in a sandbox: isolate it on the network

– Set up monitoring tools before the code is executed: Regmon, Filemon, InCtrl5

Tools & Techniques

• Install live analysis tools: PsList, Netstat, Tasklist (tlist), Fport, Whoami

• Set up a network traffic monitoring tool (Wireshark)

– Use whatever tools you would use for a live response to analyze the impact and function of the bad code
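The monitoring procedure above, as an added example that is not part of the original chapter: the before/after comparison that InCtrl5 performs, reduced to its file-system half (InCtrl5 also images the registry, which this example leaves out). A throwaway directory stands in for the clone, and `run_suspect_code` is a constructed stand-in for executing the bad code; the paths and file names are this example's own assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Image every file under root as relative path -> SHA-256 of its contents.
    This is the 'before' / 'after' picture InCtrl5 takes of the file system."""
    state: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each path as added, deleted or modified between the two images."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def build_clone(root: Path) -> None:
    """Constructed stand-in for the clean clone's file system (assumed layout)."""
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Documents").mkdir()
    (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 30)
    (root / "Windows" / "system.ini").write_text("[drivers]\n")
    (root / "Documents" / "notes.txt").write_text("meeting at 10\n")


def run_suspect_code(root: Path) -> None:
    """Constructed stand-in for executing the bad code on the clone: it drops
    a DLL, edits an INI file and deletes a document."""
    (root / "Windows" / "System32" / "dropped.dll").write_bytes(b"\x00" * 64)
    (root / "Windows" / "system.ini").write_text("[drivers]\nhook=dropped.dll\n")
    (root / "Documents" / "notes.txt").unlink()


def analyse() -> Dict[str, List[str]]:
    """Whole InCtrl5-style cycle in a temporary directory: image, run, image, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_clone(root)
        before = snapshot(root)
        run_suspect_code(root)
        after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in analyse().items():
        print(kind, paths)
```

Hashing contents rather than comparing timestamps is deliberate: malware that restores a file's modification time after patching it still changes its hash.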

InCtrl5 Results

FileMon Results

RegMon Results

Forensic Exam of “Compromised Clone”

• After you've run the bad code on the test machine, forensically examine it

• If cloned, examine the clone device

• If VMware, create a full clone of the compromised VMware image

• Examine the compromised full-clone image with a forensic tool such as EnCase

EnCase View of VMWare Image

Examine Results of Network Traffic

• When the test host was compromised, what network traffic did the bad code generate during and after installation?

• Wireshark (formerly Ethereal) network monitoring tool; capture from outside the compromised guest (on the host or a span port) so that nothing running on the clone can hide its own traffic

Ethereal View of Bad Code Attempting to Contact an FTP Server

Do External Port Scan & Compare to Netstat Results

• A rootkit can hide open ports and processes from the user

• By comparing the netstat results with those of an external port scan, you can often detect the presence of a rootkit: netstat runs on the compromised host and can be subverted, whereas the scan observes the network stack from the outside

Results of “netstat -an”

Results?

• Netstat showed 9 open TCP ports

• SuperScan showed 10 open TCP ports

• Why?

• The rootkit is hiding one of the TCP ports, and netstat on the compromised host can't be relied upon to be accurate. Take both views at the same moment, and rule out loopback-only listeners and host-firewall filtering, before calling a discrepancy a rootkit.
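The comparison described on this slide, as an added example that is not part of the original chapter: parse the host's `netstat -an` listing and an external scan result, then reconcile them so that only a port open on the wire but absent from netstat is reported as hidden. Both listings are constructed for this example (the scan output uses this example's own layout, not SuperScan's report format), and the host address 192.168.1.50 is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed "netstat -an" output from the compromised clone (Windows layout).
# The rootkit has removed its own listener from this view.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       192.168.1.20:1054      ESTABLISHED
  TCP    192.168.1.50:3389      192.168.1.20:1102      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.50:137       *:*
"""

# Constructed result of a TCP scan run from another host on the isolated segment.
SCAN_OUTPUT = """
Scanning 192.168.1.50 (tcp 1-65535)
  135/tcp   open
  139/tcp   open
  445/tcp   open
  1025/tcp  open
  2222/tcp  open
  3389/tcp  open
"""

NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+([\d.]+):(\d+)\s+\S+\s+LISTENING\s*$")
SCAN_OPEN = re.compile(r"^\s*(\d+)/tcp\s+open\b")


def parse_netstat_listeners(text: str) -> Dict[int, Set[str]]:
    """TCP ports in LISTENING state, mapped to the local addresses they are bound on."""
    listeners: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners


def parse_scan(text: str) -> Set[int]:
    """TCP ports the external scanner reported as open."""
    return {int(m.group(1)) for m in map(SCAN_OPEN.match, text.splitlines()) if m}


def compare_views(listeners: Dict[int, Set[str]], scanned: Set[int], host_ip: str) -> Dict[str, List[int]]:
    """Reconcile the host's view with the network's view.

    Only listeners bound to 0.0.0.0 or to the scanned interface are expected to
    be reachable from outside, so loopback-only sockets are excluded rather than
    misreported.  A port open on the wire but absent from netstat is the rootkit
    signature; a port in netstat that the scan cannot reach is more likely a
    host firewall or a closed window of time than a rootkit."""
    expected = {p for p, addrs in listeners.items() if addrs & {"0.0.0.0", host_ip}}
    return {
        "hidden_from_netstat": sorted(scanned - expected),
        "not_reachable": sorted(expected - scanned),
        "consistent": sorted(scanned & expected),
    }


if __name__ == "__main__":
    verdict = compare_views(parse_netstat_listeners(NETSTAT_OUTPUT), parse_scan(SCAN_OUTPUT), "192.168.1.50")
    for kind, ports in verdict.items():
        print(kind, ports)
```

Run the scan while the netstat snapshot is taken, not afterwards: a service that starts or stops between the two observations produces the same discrepancy as a rootkit.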

Results of SuperScan