Computer Forensic Tools
Computer Forensics: A Brief Overview
• Scientific process of preserving, identifying, extracting, documenting, and interpreting data on computers
• The field of computer forensics began to evolve more than 30 years ago in the United States.
• With the growth of the Internet and the increasing number of technology devices connected to it, computer crimes are increasing at a great speed.
Computer Crimes
Computer crimes fall into three categories:
• Pure computer crime
  – Illegal access to a system or network
  – Illegal transmission of data
  – Data deletion, damage, alteration
  – Serious hindrance to computer
• Computer is the medium of a crime
  – Identity theft
  – Fraud
  – E-theft
• Computer content related crime
  – Incriminating information stored in computer
  – Child pornography
  – Information that unleashes hostility/violence
Tools for Computer Forensics
Computer forensic tools fall into two groups:
• Integrated GUI based tools
• Specialized single task tools, each covering one item such as:
  – Process information
  – Network connection information
  – List of processes
  – Process to port mapping
  – Service/driver information
  – Registry analysis
  – Executable file analysis
Integrated GUI Based Tools
• Advantages:
  – More effective for analyzing content related crime
  – Useful for searching storage devices, retrieving deleted files and folders, and reconstructing graphic files
• Disadvantages:
  – Very expensive
  – Very complex in design; use up a lot of resources
  – Require trained professionals to use the tools
Specialized Single Task Tools
• Advantages:
  – More effective for investigating malware attacks, intrusions, etc.
  – Useful for live response and live analysis
  – Simple in design; most tools can be used from the command line
  – Inexpensive, easy to learn and use
  – Very effective for pedagogical purposes
  – Can be modified/customized
• Disadvantage:
  – Compatibility issues with different versions of operating systems
Windows Forensic Analysis
• Windows Forensic Analysis by Harlan Carvey
  – Teaches simple but effective analysis techniques for investigating malware attacks
  – Provides CLI based tools for complete analysis of Windows Operating Systems
Compatibility Issues with Newer Windows Operating Systems
• About 50% of the tools are not compatible with Windows XP and Vista
Compatibility Issues with Windows Forensic Tools
Tool | Windows XP | Vista | Windows 7 | Description | Comment
Bonus\poladt.exe | Yes | No | No | Parse the raw Security file and display the audit policy |
Bonus\srv_sort.exe | Yes | No | No | Retrieve Service key info from a raw Registry/System file, sorting the output based on LastWrite time; automatically determines which of the available ControlSets is marked "current" |
ch3\code\lspd.exe | Yes | No | | Parse process details from a Windows 2000 physical memory/RAM dump |
ch3\code\lspi.exe | Yes | No | | Parse process image from a Windows 2000 physical memory/RAM dump |
ch3\code\lspm.exe | Yes | No | | Dump the memory pages used by a process from a Windows 2000 physical memory/RAM dump |
ch3\code\lsproc.exe | Yes | No | | Parse a Windows 2000 physical memory/RAM dump, looking for processes |
ch4\code\pref_ver.exe | Yes | No | | Perl script to parse the contents of the XP layout.ini file, locate executables (.exe, .dll, .sys) and extract any file version information |
ch4\code\sr.exe | Yes | No | | Use WMI to get Restore Point settings from XP (local or remote) |
ch4\code\old\bho.exe | Yes | No | | Retrieve listing of installed BHOs from a local system |
ch4\code\old\pnu.exe | Yes | No | | List the contents of one of the UserAssist\GUID\Count keys, sorted by most recent time |
ch4\code\old\regp.exe | Yes | No | | raw Windows Registry files (ntuser.dat, system32\config\system, system32\config\software) from NT/2K/XP/2K3 systems |
ch4\code\old\sam_parse.exe | Yes | No | | Retrieve user information from a raw Registry/SAM file |
ch4\code\jt\regslack.exe | Yes | No | No | | DOS
ch4\code\RegRipper\rip.exe | Yes | No | | Use this utility to run a plugins file or a single plugin against a Registry hive file |
ch4\code\RegRipper\rr.exe | Yes | No | | Parse a Registry hive file for data pertinent to an investigation | No plugins
ch5\code\lscl.exe | Yes | No | | Read/parse restore point change logs for data |
ch5\code\pdfdmp.exe | Yes | No | | Attempt to extract metadata from PDF files |
ch5\code\pdfmeta.exe | Yes | No | | Attempt to extract metadata from PDF files |
ch5\code\sr.exe | Yes | No | | |
ch5\code\EVT\evt2xls.exe | Yes | No | | Parse Windows 2000, XP, 2003 Event Log files in binary format, putting the event records into an Excel spreadsheet; can also generate a report showing event source/ID frequencies (for the Security Event Log, login type is added to the event ID), suitable for entry into eventid.net |
ch5\code\EVT\evtrpt.exe | Yes | No | | Tool to translate the binary contents of Windows 2000, XP, and 2003 Event Logs, and generate a report of event ID frequencies and date ranges of the records |
ch5\code\EVT\evtstats.exe | Yes | No | | Parse the contents of Event Log files and display statistics |
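What the Event Log tools in the table do (evtrpt in particular) can be shown with an added example; this is not code from the slides or from the book. It assumes the EVENTLOGRECORD layout Microsoft documents for the binary .evt format (56-byte fixed header, "LfLe" signature, UTF-16LE source and computer names) and builds its own constructed sample log, since the page supplies none; carving by signature rather than following the file header is a choice made here so that wrapped or partly overwritten logs still yield their intact records.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

_HDR = struct.Struct("<IIIIIIHHHHIIIIII")  # EVENTLOGRECORD fixed header: 56 bytes, little-endian
_SIG = b"LfLe"  # the "Reserved" field (0x654C664C) that follows each record's Length DWORD
def _read_utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the terminator)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2
def parse_evt_records(buf):
    """Carve records by signature instead of trusting the file header (wrapped logs survive)."""
    records, pos = [], buf.find(_SIG)
    while pos >= 4:
        start = pos - 4  # the Length DWORD precedes the signature
        if start + _HDR.size <= len(buf):
            f = _HDR.unpack_from(buf, start)
            length = f[0]
            # Genuine record: header-sized or larger, fits the buffer, and repeats Length as its
            # last DWORD. The 48-byte file header also carries "LfLe" but fails this test.
            if (length >= _HDR.size and start + length <= len(buf)
                    and struct.unpack_from("<I", buf, start + length - 4)[0] == length):
                source, nxt = _read_utf16z(buf, start + _HDR.size)
                computer, _ = _read_utf16z(buf, nxt)
                records.append({"record_number": f[2], "event_type": f[6],
                                "time_generated": datetime.fromtimestamp(f[3], timezone.utc),
                                "event_id": f[5] & 0xFFFF,  # low word is the ID viewers show
                                "source": source, "computer": computer})
                pos = buf.find(_SIG, start + length)
                continue
        pos = buf.find(_SIG, pos + 1)
    return records
def evt_report(records):
    """Source/event-ID frequencies plus the date range covered, evtrpt-style."""
    freq = Counter((r["source"], r["event_id"]) for r in records)
    times = [r["time_generated"] for r in records]
    return {"counts": dict(freq), "first": min(times), "last": max(times)}
def build_record(num, ts, event_id, event_type, source, computer):
    """Constructed test record: header plus the two names, no SID/strings/data."""
    body = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    body += b"\0" * (-len(body) % 4)  # DWORD-align as the real format does
    length = _HDR.size + len(body) + 4
    hdr = _HDR.pack(length, 0x654C664C, num, ts, ts, event_id, event_type,
                    0, 0, 0, 0, _HDR.size + len(body), 0, 0, 0, 0)
    return hdr + body + struct.pack("<I", length)
# Constructed sample log: 48-byte ELF_LOGFILE_HEADER, then three Security records.
SAMPLE_EVT = (struct.pack("<12I", 48, 0x654C664C, 1, 1, 48, 0, 4, 1, 0x80000, 0, 0, 48)
              + build_record(1, 1262304000, 528, 8, "Security", "WKS01")
              + build_record(2, 1262307600, 529, 16, "Security", "WKS01")
              + build_record(3, 1262311200, 528, 8, "Security", "WKS01"))
```

Running `evt_report(parse_evt_records(open(path, "rb").read()))` on a real XP-era Security log gives the same frequency-and-date-range summary; on Vista and later the log format is XML-based EVTX, which is exactly why these tools report "No" in the table.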