COEN 250 Computer Forensics
Windows Life Analysis
Extracting Evidence from a Live System
Degrees of volatility of data: gathering more volatile data
versus safer forensics procedures.
Extracting Evidence from a Live System
Live examination is done: to quickly assess the situation;
to confirm the incident; to retrieve volatile data
such as network connections, running processes, etc.
Extracting Evidence from a Live System
Initial response must not destroy potential evidence.
Use only trusted tools from a response toolkit.
Document results: in a notebook; on the hard drive of the target system; on removable media connected to the target; on another system using netcat or cryptcat.
Extracting Evidence from a Live System
Plan the investigation. Evidence gathering differs
according to the incident: unacceptable web surfing; intellectual property theft; compromised system.
Extracting Evidence from a Live System
Response Toolkit: collection of trusted tools, stored on removable media:
floppies (write-protected), CD, thumbdrive (write-protected).
Response Toolkit
Determine the tools needed. Create the toolkit. Check dependencies on DLLs and
other files; include those in the toolkit. Include a file authentication tool
such as MD5.
Response Toolkit: cmd.exe
Built-in command prompt.
Response Toolkit
netstat Enumerates all
listening ports and all connections to those ports.
Suspicious connection? (No, Windows Messenger.)
Response Toolkit
rasusers Which users have remote access
privileges on the target system.
Response Toolkit
Fport Finds open TCP/IP and UDP ports and maps
them to the owning application
Response Toolkit: pslist
Resource Toolkit: ListDLLs
Resource Toolkit: nbtstat
Resource Toolkit: arp
Resource Toolkit: kill
Get it from the Windows NT Resource Kit.
Terminates processes via process number.
Resource Toolkit: md5sum Creates MD5 hashes for a file.
Resource Toolkit: PsLogList Dumps the event log list.
Resource Toolkit: PsInfo
Local system build information.
Remote Toolkit: PsFile
Remote Toolkit: PsLoggedOn
Resource Toolkit: PsService
Resource Toolkit: regdump
Preparing the Toolkit
Label the toolkit. Check for dependencies with
Filemon. Lots of dependencies => lots of MAC-time
changes. Create an MD5 of the toolkit. Write-protect any floppies.
Storing Obtained Data
Save data on the hard drive of the target. (Modifies the system.)
Record data by hand. Save data on removable media
(includes USB storage).
Save data on a remote system with netcat or cryptcat.
Storing Obtained Data with netcat
Quick on, quick off the target system. Allows offline review.
Establish a netcat listener on the forensic workstation; redirect its output into a file.
Establish a netcat funnel on the target system to the forensic workstation.
Cryptcat does the same, but encrypts the channel so it protects against sniffing.
Obtaining Volatile Data
Store at least: system date and time; list of current users; list of current processes; list of currently open sockets; applications listening on open sockets; list of systems with current or recent
connections to the system.
Obtaining Volatile Data: Procedure
Execute a trusted cmd.exe. Record system time and date. Determine who is logged on. Record file MAC times. Determine open ports. List all apps associated with open
ports.
Obtaining Volatile Data: Procedure
List all running processes. List current and recent
connections. Record the system time and date again. Document the commands used
during initial response.
Recording System Time
Determining Logons
Determining File MAC
Determining Open Ports
Listing Applications with Open Ports
Listing all running processes
List current connections
List current connections
Documenting history
Scripting the response
Scripting the response
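The following batch script is an added example of scripting the response procedure above, not a script from the lecture or from any vendor toolkit. It assumes the trusted tools (a copied cmd.exe, netstat.exe, fport.exe, pslist.exe, psloggedon.exe, nbtstat.exe, arp.exe and nc.exe) sit in E:\toolkit on write-protected media, and that the forensic workstation is reachable at 192.0.2.10 with a netcat listener on port 2222; all of these paths, addresses and tool names are assumptions to adjust for a real toolkit.

```batch
@echo off
REM Added example (not from the slides): live-response collection script run from a
REM trusted toolkit. Start it from the toolkit's own cmd.exe, not the target's:
REM     E:\toolkit\cmd.exe /c E:\toolkit\response.bat
REM Before running it, start the listener on the forensic workstation:
REM     nc -l -p 2222 > evidence_TARGET.txt
REM and afterwards hash the captured file there (md5sum evidence_TARGET.txt).
REM E:\toolkit, 192.0.2.10 and 2222 are assumed values.
SET TK=E:\toolkit
SET FORENSIC=192.0.2.10
SET PORT=2222

REM Everything inside the parentheses is piped to netcat, so nothing is written to
REM the target's hard drive. Avoid literal parentheses inside the block: cmd.exe
REM would treat a ")" in an echo line as the end of the group.
(
  echo ===== LIVE RESPONSE: %COMPUTERNAME% =====
  echo --- Start time and date ---
  date /t
  time /t
  echo --- Who is logged on ---
  %TK%\psloggedon.exe
  echo --- File MAC times, most recent last: modified, accessed, created ---
  dir /t:w /a /s /o:d C:\
  dir /t:a /a /s /o:d C:\
  dir /t:c /a /s /o:d C:\
  echo --- Open ports: netstat ---
  %TK%\netstat.exe -an
  echo --- Applications owning open ports: fport ---
  %TK%\fport.exe
  echo --- Running processes: pslist ---
  %TK%\pslist.exe
  echo --- Current NetBIOS sessions ---
  %TK%\nbtstat.exe -S
  echo --- ARP cache: systems recently contacted ---
  %TK%\arp.exe -a
  echo --- End time and date ---
  date /t
  time /t
  echo --- Commands used: see response.bat on the toolkit media ---
) | %TK%\nc.exe %FORENSIC% %PORT%
```

The three dir listings are the bulky part of the output and the reason to funnel everything off the machine rather than store it locally; the script itself serves as the record of which commands were run, and the MD5 computed on the forensic workstation ties the captured file to the session. Substituting cryptcat for nc.exe on both ends gives the same flow with the channel encrypted.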
Examples Use Fport to look at open ports. Use a list of ports to find suspicious
ports, i.e. those used by known Trojans, sniffers or spyware:
www.doshelp.com/trojanports.htm
Examples If, on your home system, fport shows a
suspicious port in use and netstat shows a current connection to this port, then kill the process.
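As an added example of the port check just described (not code from the lecture), the script below runs the toolkit's netstat against a short list of ports associated with known Trojans and, for each hit, asks fport which process owns the port. The toolkit path E:\toolkit is an assumption, and the port list is a constructed sample containing only a few historically well-known Trojan ports plus the port 5000 used in the lecture's own walkthrough; a real run would use a maintained list such as the one cited above.

```batch
@echo off
setlocal
REM Added example (not from the slides): flag open or connected ports that appear
REM on a list of known Trojan ports, then map each hit to its owning process.
REM E:\toolkit is an assumed path; BADPORTS is a constructed sample list.
SET TK=E:\toolkit
SET BADPORTS=5000 12345 27374 31337

for %%p in (%BADPORTS%) do (
  REM ":5000 " matches the port field of a netstat -an line, local or remote side
  %TK%\netstat.exe -an | %TK%\findstr.exe /r /c:":%%p " >nul
  if not errorlevel 1 (
    echo [!] Port %%p is open or has a connection - owning process per fport:
    %TK%\fport.exe | %TK%\findstr.exe /r /c:" %%p "
  )
)
endlocal
```

The match is deliberately loose (a port number surrounded by whitespace in the fport line), so treat a hit as a prompt to look at the owning process and its path, not as a verdict; the lecture's svchost example below shows why a listening port on its own proves little.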
Examples
Knowing what processes are running does not do you any good.
You need to know what they are doing.
At least, know the typical processes.
Examples
Access the registry with RegDump, then study it with regedit on the
forensic system.
Examples
Assume generic monitoring of systems. Look for: unusual resource utilization or
process behavior; missing processes; added processes; processes with an unusual user
identification.
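One way to spot missing and added processes is to compare the current process list against a baseline recorded when the system was known good. The batch script below is an added example (not from the lecture) of that comparison; it assumes the baseline file baseline_procs.txt (one expected image name per line, such as lsass.exe) lives on the toolkit media E:\toolkit and that the snapshot is written to separate writable media F:\out rather than the target's own disk. Both paths are assumptions.

```batch
@echo off
setlocal
REM Added example (not from the slides): diff the running processes against a
REM baseline of expected image names. E:\toolkit and F:\out are assumed paths.
SET TK=E:\toolkit
SET BASELINE=E:\toolkit\baseline_procs.txt
SET SNAP=F:\out\procs_%COMPUTERNAME%.txt

REM tasklist /fo csv /nh gives one quoted line per process, image name first,
REM with no header line to skip.
%TK%\tasklist.exe /fo csv /nh > "%SNAP%"

echo --- Running now but not in the baseline ---
for /f "usebackq tokens=1 delims=," %%n in ("%SNAP%") do (
  REM %%~n strips the CSV quotes; /x requires a whole-line match in the baseline
  %TK%\findstr.exe /x /i /c:"%%~n" "%BASELINE%" >nul || echo ADDED:   %%~n
)

echo --- In the baseline but not running ---
for /f "usebackq delims=" %%b in ("%BASELINE%") do (
  %TK%\findstr.exe /i /c:"%%b" "%SNAP%" >nul || echo MISSING: %%b
)
endlocal
```

The ADDED check is exact, so an image name that differs by a single character from its legitimate counterpart is reported; the MISSING check is a case-insensitive substring match against the snapshot, which is enough to notice that a service such as an antivirus agent has stopped running.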
Examples The Windows Task Manager can be
very helpful.
Examples: Detecting and Deleting Trojans
Use port scanning tools, either on the host machine or on a remote machine: Fport (Windows), SuperScan (Windows), Nmap;
netstat (for open connections).
Examples: Detecting and Deleting Trojans
Identify the Trojan on the disk. Find out how it is being started
and prevent the process from starting. Reboot the machine and delete the
Trojan.
Example
Run SuperScan against localhost to check for open ports.
What is happening at port 5000?
Example
Port 5000?
Example Run fport: port 5000 belongs to process 1260.
Example Use pslist to find out what this is: process 1260 is called svchost.
Example
Do an Internet search on svchost: the process reads the services portion
of the registry to start services that need to run.
Use Tasklist /SVC in a command prompt to see which services a given svchost instance hosts.
Example
Example
Nothing serious here. At least not on the surface.