Module XIII – Windows Forensics II
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Vista Encryption ‘No Threat’ to Computer Forensics
Source: http://www.theregister.co.uk/2007/02/02/computer_forensics_vista/
Module Objective
This module will familiarize you with:
• Collecting Volatile and Non-volatile Information
• Windows Memory Analysis
• Windows Registry Analysis
• Windows File Analysis
• Text-Based Logs
• Other Audit Events
• Forensic Analysis of Event Logs
• Tool Analysis
• Windows Password Issues
Module Flow
• Collecting Volatile Information
• Collecting Non-Volatile Information
• Windows Memory Analysis
• Windows Registry Analysis
• Cache, Cookie, and History Analysis
• MD5 Calculation
• Windows File Analysis
• Metadata Investigation
• Text-Based Logs
• Other Audit Events
• Forensic Analysis of Event Logs
• Forensics Tools
• Windows Password Issues
Understanding Events
Event logs record a variety of day-to-day events that occur on Windows systems
Some events are recorded by default, and part of the audit configuration is maintained in the PolAdEvt Registry key
The Registry key that maintains the Event Log configuration:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<Event Log>
Understanding Events (cont’d)
Event logon types are shown below:
| Logon Type | Title | Description |
|---|---|---|
| 2 | Interactive | This logon type indicates that the user is logged in at the console |
| 3 | Network | A user/computer logged into this computer from the network, such as via net use, accessing a network share, or a successful net view directed at a network share |
| 4 | Batch | Reserved for applications that run as batches |
| 5 | Service | Service logon |
| 6 | Proxy | Not supported |
| 7 | Unlock | The user unlocked the workstation |
| 8 | NetworkClearText | A user logged onto a network, and the user’s credentials were passed in an unencrypted form |
| 9 | NewCredentials | A process or thread cloned its current token but specified new credentials for outbound connections |
| 10 | RemoteInteractive | Logon using Terminal Services or a Remote Desktop connection |
| 11 | CachedInteractive | A user logged onto the computer with credentials that were stored locally on the computer |
| 12 | CachedRemoteInteractive | Same as RemoteInteractive, used internally for auditing purposes |
| 13 | CachedUnlock | The logon attempt is to unlock a workstation |
Event Record Structure
The basic header of an event record is 56 bytes long
The content of the first 56 bytes of an event record is shown below:
| Offset | Size | Description |
|---|---|---|
| 0 | 4 bytes | Length of the event record, or size of the record in bytes |
| 4 | 4 bytes | Reserved; magic number |
| 8 | 4 bytes | Record number |
| 12 | 4 bytes | Time generated; measured in Unix time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Coordinated Universal Time (UTC) |
| 16 | 4 bytes | Time written; measured in Unix time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Coordinated Universal Time (UTC) |
| 20 | 4 bytes | Event ID, which is specific to the event source and uniquely identifies the event; the event ID is used along with the source’s name to locate the appropriate description string within the message file for the event source |
| 24 | 2 bytes | Event type (0x01 = Error; 0x10 = Failure; 0x08 = Success; 0x04 = Information; 0x02 = Warning) |
| 26 | 2 bytes | Number of strings |
| 28 | 2 bytes | Event category |
| 30 | 2 bytes | Reserved flags |
| 32 | 4 bytes | Closing record number |
| 36 | 4 bytes | String offset; offset to the description strings within this event record |
| 40 | 4 bytes | Length of the user’s SID; size of the user’s SID in bytes (if 0, no user SID is provided) |
| 44 | 4 bytes | Offset to the user’s SID within this event record |
| 48 | 4 bytes | Data length; length of the binary data associated with this event record |
| 52 | 4 bytes | Offset to the data |
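To make the offset table concrete, here is an added example (not EC-Council's code, and not a tool from this module) that decodes classic .evt records from exactly these offsets in Python. The offsets and event-type codes come from the table above; the "LfLe" magic value, the trailing copy of the record length, and the placement of SourceName and ComputerName directly after the header are taken from the .evt file format and are not stated on this page. The sample records are constructed test data, not captured from a real system.

```python
import struct
from datetime import datetime, timezone

# Header layout from the offset table on this page (little-endian throughout):
#  0 length  4 magic  8 record no.  12 time generated  16 time written  20 event ID
#  24 event type  26 string count  28 category  30 reserved flags  32 closing record no.
#  36 string offset  40 SID length  44 SID offset  48 data length  52 data offset
HEADER_FMT = "<6I4H6I"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 56 bytes
EVT_MAGIC = 0x654C664C   # the bytes b"LfLe"; value comes from the .evt format, not this page
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information", 0x08: "Success Audit", 0x10: "Failure Audit"}


def _wstr(text):
    """Encode a NUL-terminated UTF-16LE string the way .evt records store them."""
    return text.encode("utf-16-le") + b"\x00\x00"


def _read_wstr(rec, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset after the terminator)."""
    end = pos
    while rec[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(rec):
            raise ValueError("unterminated string in record")
    return rec[pos:end].decode("utf-16-le"), end + 2


def sid_to_string(sid):
    """Render a binary SID: revision, sub-authority count, 48-bit authority, sub-authorities."""
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from(f"<{sid[1]}I", sid, 8)
    return f"S-{sid[0]}-{authority}" + "".join(f"-{s}" for s in subs)


def parse_record(buf, offset=0):
    """Decode the record at offset; ValueError means these bytes are not a consistent record."""
    if len(buf) - offset < HEADER_LEN:
        raise ValueError("buffer too short for a 56-byte record header")
    (length, magic, recnum, t_gen, t_written, event_id, evt_type, n_strings, category,
     _flags, _closing, str_off, sid_len, sid_off, data_len, data_off,
     ) = struct.unpack_from(HEADER_FMT, buf, offset)
    if magic != EVT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x} at offset {offset}")
    if length < HEADER_LEN + 4 or offset + length > len(buf):
        raise ValueError(f"record length {length} does not fit the buffer")
    rec = buf[offset:offset + length]
    # Each record ends with a copy of its length; a mismatch means the record boundary
    # is wrong (truncated log, overwritten tail, or parsing from a bad offset).
    if struct.unpack_from("<I", rec, length - 4)[0] != length:
        raise ValueError("trailing length does not match header length")
    source, pos = _read_wstr(rec, HEADER_LEN)   # SourceName and ComputerName sit
    computer, _ = _read_wstr(rec, pos)          # directly after the 56-byte header
    strings, pos = [], str_off
    for _ in range(n_strings):
        text, pos = _read_wstr(rec, pos)
        strings.append(text)
    return {
        "length": length,
        "record_number": recnum,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "time_written": datetime.fromtimestamp(t_written, tz=timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,   # low word is the ID that Event Viewer displays
        "event_type": EVENT_TYPES.get(evt_type, f"unknown(0x{evt_type:02x})"),
        "category": category, "source": source, "computer": computer,
        "sid": sid_to_string(rec[sid_off:sid_off + sid_len]) if sid_len else None,
        "strings": strings,
        "data": rec[data_off:data_off + data_len],
    }


def iter_records(buf):
    """Walk consecutive records, stepping by each record's own length field."""
    pos = 0
    while pos + HEADER_LEN <= len(buf):
        rec = parse_record(buf, pos)
        yield rec
        pos += rec["length"]


def build_record(recnum, t_gen, event_id, evt_type, category, strings,
                 source="Security", computer="WKS01", sid=b"", data=b""):
    """Assemble a well-formed record; used here only to construct test data."""
    body = _wstr(source) + _wstr(computer)
    sid_off = HEADER_LEN + len(body) if sid else 0
    body += sid
    str_off = HEADER_LEN + len(body)
    body += b"".join(_wstr(s) for s in strings)
    data_off = HEADER_LEN + len(body)
    body += data
    length = HEADER_LEN + len(body) + 4   # header + body + trailing length copy
    header = struct.pack(HEADER_FMT, length, EVT_MAGIC, recnum, t_gen, t_gen, event_id,
                         evt_type, len(strings), category, 0,
                         recnum, str_off, len(sid), sid_off, len(data), data_off)
    return header + body + struct.pack("<I", length)


# Constructed sample log (not captured from a real host): two audit-policy-change records
# (event ID 612, as on this page) attributed to LOCAL SYSTEM (S-1-5-18), 2007-02-02 00:00/00:01 UTC.
LOCAL_SYSTEM_SID = bytes.fromhex("010100000000000512000000")
SAMPLE_LOG = (
    build_record(1, 1170374400, 612, 0x08, 6, ["+ Audit Policy Change"], sid=LOCAL_SYSTEM_SID)
    + build_record(2, 1170374460, 612, 0x08, 6, ["- Audit Policy Change"],
                   sid=LOCAL_SYSTEM_SID, data=b"\x01\x02")
)
```

The consistency checks (magic, length that fits the buffer, trailing length equal to the header length) are what let a parser keep walking a log whose tail has been overwritten or truncated: the first record that fails them marks where the usable data ends, and that offset itself is worth noting in the examination report.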
Vista Event Logs
Vista uses an XML format for storing events, and it supports central collection of event records
Use the wevtutil command to retrieve information about the Windows Event Log
Command to display a list of the Event Logs available on the system:
• C:\>wevtutil el
Command to list configuration information about a specific Event Log:
• C:\>wevtutil gl <log name>
The information displayed by this command is also available in the following key on a Vista system:
• HKEY_LOCAL_MACHINE\System\ControlSet00x\Services\EventLog\<log name>
Vista Event Logs: Screenshots
Output of wevtutil el
Output of wevtutil gl system
IIS Logs
Use the logs generated by the web server to investigate attacks on the IIS web server
The IIS web server logs are maintained in the %WinDir%\System32\LogFiles directory
The log files are in ASCII text format, which means they are easily opened and searched
Parse each entry of the log for relevant information, using the column headers as the key
Parsing IIS Logs
Manage and configure IIS through the IIS Management Console, which is present only on a system that has IIS installed and running
Access the console by choosing:
• Start → Run → type either iis.msc or inetmgr
• Start → Control Panel → Administrative Tools → Internet Services Manager
The logs are stored in files named exyymmdd.log and are created daily by default, where:
• yymmdd stands for year, month, and day
• ex refers to the extended format
Each field name in the log is prefixed with letters whose meaning is as follows:
• c = client actions
• s = server actions
• cs = client-to-server actions
• sc = server-to-client actions
Parsing IIS Logs (cont’d)
IIS log fields used in W3C extended log file format are as shown below:
| Field Name | Description | Logged by Default |
|---|---|---|
| date | Date on which the activity occurred | Yes |
| time | Time at which the activity occurred, expressed in UTC (GMT) | Yes |
| c-ip | IP address of the client making the request | Yes |
| cs-username | Username of the authenticated user who accessed the server. Anonymous users are annotated by a hyphen | Yes |
| s-sitename | Internet service name and instance number that was serving the request | No |
| s-computername | Name of the server generating the log entry | No |
| s-ip | IP address of the server on which the log file was generated | Yes |
| s-port | Server port number that is used for the connection | Yes |
| cs-method | Action requested by the client, most often the GET method | Yes |
| cs-uri-stem | Target of the client’s action (default.htm, index.htm, etc.) | Yes |
| cs-uri-query | Query, if any, requested by the client (used when sending data to a server-side script) | Yes |
| sc-status | HTTP status code sent by the server to the client | Yes |
| sc-win32-status | Windows status code returned by the server | No |
| sc-bytes | Number of bytes the server sent to the client | No |
| cs-bytes | Number of bytes the server received from the client | No |
| time-taken | Length of time the requested action took, expressed in milliseconds | No |
| cs-version | Protocol version (HTTP or FTP) the client used | No |
| cs-host | Host header name, if any | No |
| cs(User-Agent) | Browser type used by the client | Yes |
| cs(Cookie) | Content of the cookie (sent or received), if any | No |
| cs(Referrer) | Site last visited by the user. This site provided a link to the current server | No |
| sc-substatus | Substatus error code | Yes |
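As an added example (not part of the original module), the following Python parses a W3C extended log by honouring its #Fields directive, so it works for the IIS web log fields above and equally for the FTP variant that omits some of them, and then summarises 4xx/5xx responses per client IP. The log lines are constructed, the addresses are documentation ranges rather than real hosts, and the last line is deliberately malformed to show how a damaged entry is reported instead of silently dropped.

```python
from collections import defaultdict

# Fields that W3C extended logs write as integers (the rest stay strings).
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields directive.

    #Software/#Version/#Date lines are skipped, a later #Fields line re-keys the
    entries that follow it (the logged fields were reconfigured mid-file), and a
    line whose value count does not match the header is kept as an '_error' entry
    rather than dropped, so the investigator knows something was skipped.
    """
    fields, entries = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            entries.append({"_error": f"line {lineno}: {len(values)} values for {len(fields)} fields"})
            continue
        entry = {}
        for name, value in zip(fields, values):
            if value == "-":                       # W3C placeholder for "no value"
                entry[name] = None
            elif name in INT_FIELDS:
                entry[name] = int(value)
            else:
                entry[name] = value.replace("+", " ")  # IIS writes spaces inside a field as '+'
        entries.append(entry)
    return entries


def status_summary(entries):
    """Per client IP: number of requests and how many drew a 4xx/5xx status."""
    summary = defaultdict(lambda: {"requests": 0, "errors": 0})
    for e in entries:
        if "_error" in e:
            continue
        s = summary[e["c-ip"]]
        s["requests"] += 1
        if e["sc-status"] is not None and e["sc-status"] >= 400:
            s["errors"] += 1
    return dict(summary)


def noisy_clients(entries, min_requests=3, min_ratio=0.5):
    """Clients whose error ratio is high enough to suggest requests for paths that do not exist."""
    return sorted(ip for ip, s in status_summary(entries).items()
                  if s["requests"] >= min_requests and s["errors"] / s["requests"] >= min_ratio)


# Constructed sample (documentation-range addresses, not a real server's log).
# The last line is deliberately short to show how a malformed entry is reported.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-02-02 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status cs(User-Agent)
2007-02-02 08:15:01 192.0.2.10 - 198.51.100.5 80 GET /default.htm - 200 0 0 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-02-02 08:15:03 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif - 200 0 0 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-02-02 08:16:44 203.0.113.7 - 198.51.100.5 80 GET /page-a.htm - 404 0 2 -
2007-02-02 08:16:45 203.0.113.7 - 198.51.100.5 80 GET /page-b.htm - 404 0 2 -
2007-02-02 08:16:45 203.0.113.7 - 198.51.100.5 80 GET /page-c.htm - 404 0 2 -
2007-02-02 08:16:46 203.0.113.7 - 198.51.100.5 80 GET /default.htm - 200 0 0 -
2007-02-02 08:20:10 192.0.2.10 jdoe 198.51.100.5 80 POST /search.asp q=quarterly+report 200 0 0 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-02-02 08:21:00 192.0.2.10 - 198.51.100.5 80 GET 500 0 0
"""
```

Because the time field is UTC (see the table) while DHCP and event-log timestamps on the same host are local time, convert before correlating a client IP from this log with a DHCP lease or a logon event.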
Parsing FTP Logs
FTP stands for File Transfer Protocol; an FTP server sends and receives files using FTP
Compared with IIS web logs, FTP logs do not record the following fields:
• cs-uri-query
• cs-host
• cs(User-Agent)
• cs(Cookie)
• cs(Referrer)
• sc-substatus
FTP logs are stored in:
• %WinDir%\System32\LogFiles\MSFTPSVC1\exyymmdd.log
Parsing FTP Logs (cont’d)
FTP sc-status codes are as shown in the table:
| Reply Code | Description |
|---|---|
| 1xx | Positive Preliminary Replies |
| 120 | Service ready in nnn minutes |
| 125 | Data connection already open; transfer starting |
| 150 | File status okay; about to open data connection |
| 2xx | Positive Completion Replies |
| 202 | Command not implemented; superfluous at this site |
| 211 | System status or system help reply |
| 212 | Directory status |
| 213 | File status |
| 214 | Help message |
| 215 | NAME system type, where NAME is an official system name from the list in the Assigned Numbers document |
| 220 | Service ready for the new user |
| 221 | Service closing control connection. Logged out if appropriate |
| 225 | Data connection open; no transfer in progress |
| 226 | Closing data connection. Requested file action successful (for example, file transfer) |
| 227 | Entering passive mode |
| 230 | User logged in; proceed |
| 250 | Requested file action okay; completed |
Parsing DHCP Server Logs
In DHCP, an IP address is dynamically assigned to a host upon request
The server provides the DHCP-assigned IP address for a period called a lease
DHCP service activity logs are stored in the following location by default:
• C:\%SystemRoot%\System32\DHCP
Logs are stored on a daily basis in files named as follows:
• DhcpSrvLog-XXX.log
Parsing DHCP Server Logs (cont’d)
DHCP Log Format is as shown in the table below:
| Field | Description |
|---|---|
| ID | DHCP server event ID code |
| Date | Date on which this record entry was logged by the DHCP service |
| Time | Time at which this record entry was logged by the DHCP service (stored in the local system time zone) |
| Description | Description of this particular DHCP server event |
| IP Address | IP address leased to the client |
| Host Name | Host name of the DHCP client to which the IP address is leased |
| MAC Address | Media access control (MAC) address used by the network adapter (NIC) of the client to which the IP address is leased |
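Added example, not EC-Council's: the fields in the table above are enough to rebuild lease history and answer the question an investigator actually brings to a DHCP log, namely which host held a given address at a given time. The Assign/Renew/Release event IDs (10, 11, 12) are the DHCP server's own codes; the US-style date format is an assumption, and every address, host name and MAC in the sample is constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Lease-lifecycle event IDs the DHCP server writes (the codes are the server's
# own; every host name, MAC and address in the sample below is constructed).
ASSIGN, RENEW, RELEASE = "10", "11", "12"
FIELDS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address"]


def parse_dhcp_log(text, date_fmt="%m/%d/%y"):
    """Parse the CSV body of a DhcpSrvLog file into dicts with a combined 'when' timestamp.

    Times are the server's local time (as the field table above says), so convert
    them to UTC before lining them up against IIS or event-log timestamps.
    The date layout depends on the server's locale; the default assumes MM/DD/YY.
    """
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS) or row[0] == "ID":
            continue   # banner text, blank lines and the header row
        rec = dict(zip(FIELDS, row))
        rec["when"] = datetime.strptime(f"{rec['Date']} {rec['Time']}", f"{date_fmt} %H:%M:%S")
        events.append(rec)
    return events


def lease_intervals(events):
    """Collapse Assign/Renew/Release events into (ip, host, mac, start, end) tuples.

    A Renew extends the current lease, a Release closes it, and a fresh Assign for
    an address that was never released implicitly ends the previous lease (the old
    client dropped off the network and its lease expired). An open lease has end=None.
    """
    open_leases, closed = {}, []
    for e in sorted(events, key=lambda e: e["when"]):
        ip = e["IP Address"]
        if e["ID"] in (ASSIGN, RELEASE) and ip in open_leases:
            old = open_leases.pop(ip)
            closed.append((ip, old["Host Name"], old["MAC Address"], old["when"], e["when"]))
        if e["ID"] == ASSIGN:
            open_leases[ip] = e
    closed.extend((ip, e["Host Name"], e["MAC Address"], e["when"], None)
                  for ip, e in open_leases.items())
    return sorted(closed, key=lambda t: t[3])


def who_had_ip(events, ip, when):
    """Return (host, mac) holding `ip` at `when` (datetime or 'YYYY-MM-DD HH:MM:SS'), else None."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for lease_ip, host, mac, start, end in lease_intervals(events):
        if lease_ip == ip and start <= when and (end is None or when < end):
            return host, mac
    return None


# Constructed sample in the DhcpSrvLog layout (banner, blank line, header, records).
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/02/07,08:00:00,Started,,,
10,02/02/07,08:05:12,Assign,192.168.1.50,WKS01.corp.example,00112233AABB
11,02/02/07,12:05:12,Renew,192.168.1.50,WKS01.corp.example,00112233AABB
12,02/02/07,13:10:00,Release,192.168.1.50,WKS01.corp.example,00112233AABB
10,02/02/07,13:30:45,Assign,192.168.1.50,LAPTOP07.corp.example,001122CCDDEE
10,02/02/07,13:31:00,Assign,192.168.1.51,PRINTER2.corp.example,001122DDEEFF
"""
```

The gap between the Release at 13:10:00 and the next Assign at 13:30:45 matters: a web-server hit from 192.168.1.50 at 13:20 cannot be attributed to either host from this log alone, and the lookup returns None rather than guessing.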
Parsing Windows Firewall Logs
The firewall logs are present in %SystemRoot%\pfirewall
It stores data in the objects.data file
It is located in:
• %SystemRoot%\System32\wbem\Repository\FS\
The log file contains a header at the top that describes the software and version, the time format, and the fields
Using the Microsoft Log Parser
Use the Log Parser tool to extract data from log files, XML files, and CSV files
The command used for the Log Parser is:
• LogParser.exe -o:DATAGRID “select * from system”
Every Log Parser command query has three parts:
• The first is the input type, or -i:
• The second is the output type, or -o:
• The third is the query
Log Parser: Screenshot
Log Parser output (command prompt)
Log Parser: Screenshot
Log Parser output (GUI)
Evaluating Account Management Events
Account management events record the changes made to accounts and group membership
This includes:
• Creation
• Deletion
• Disabling of accounts
• Modifying which accounts belong to which groups
• Account lockouts
• Account reactivations
Enable auditing of account management events on a Windows system to detect the activities attackers perform after gaining access to a system
Evaluating Account Management Events (cont’d)
The description of an event consists of:
• A summary of the type of action
• The account that performed the action, listed in the Caller User Name field
• The account added or removed, shown in the Member ID field
• The group affected, listed as the target account name
Evaluating Account Management Events (cont’d)
| Event ID | Action Indicated |
|---|---|
| 632 | Member added to global security group |
| 633 | Member removed from global security group |
| 636 | Member added to local security group |
| 637 | Member removed from local security group |
| 650 | Member added to local distribution group |
| 651 | Member removed from local distribution group |
| 655 | Member added to global distribution group |
| 656 | Member removed from global distribution group |
| 660 | Member added to universal security group |
| 661 | Member removed from universal security group |
| 665 | Member added to universal distribution group |
| 666 | Member removed from universal distribution group |
Examining Audit Policy Change Events
Modifications to the audit policy are recorded as entries of Event ID 612
Locate the audit policies at:
• Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
The ‘+’ symbols indicate which events are audited, whereas the ‘–’ symbols show which audit categories are not audited
Examining System Log Entries
The System log contains information relevant to a network investigation
The System log records changes made to the:
• Operating system
• Hardware configuration
• Device driver installation
• Starting and stopping of services
Examining Application Log Entries
The Application event log contains messages from the operating system and various programs
Use the logevent.exe program to send custom messages to the Application event log
Path to navigate to the Application log entries:
• Start → Settings → Control Panel → Administrative Tools → Event Viewer → Application
Using EnCase to Examine Windows Event Log Files
EnCase can be used to parse Windows event log files using EnScript
Reasons to use EnCase are:
• It keeps the processed information within the forensic environment
• It does not rely on the Windows API to process the event logs
• It can process event logs that are reported as “corrupt”
EnCase: Screenshot
Windows Event Log Files Internals
Windows event log files are databases holding records related to the system, security, and applications
The system records are stored in a file named SysEvent.evt
The security records are stored in a file named SecEvent.evt
The application records are stored in a file named AppEvent.evt
Windows event logs are stored in:
• %SystemRoot%\system32\config\
Windows Event Log Files Internals (cont’d)
Windows event log file field names are as shown in the table:
| Field Name | Data Pulled From |
|---|---|
| EventLog | Name of the file or the other source being queried |
| RecordNumber | Event file entry – field 2 |
| TimeGenerated | Event file entry – field 3, converted to local system time |
| TimeWritten | Event file entry – field 4, converted to local system time |
| EventID | Event file entry – field 5 |
| EventType | Event file entry – field 8 |
| EventTypeName | Generated by looking up the associated Event Type number |
| EventCategory | Event file entry – field 10 |
| EventCategoryName | Generated by looking up the associated Event Category number |
| SourceName | Event file entry – field 12 |
| Strings | Event file entry – field 17, but replaces the separator 0x0000 with the pipe symbol |
| ComputerName | Event file entry – field 13 |
| SID | Event file entry – fields 14–16 |
| Message | Generated from the data in the Strings section and information contained within DLLs |
| Data | Event file entry – field 18 |
Understanding Windows Password Storage
Windows systems store user account and password data in:
• The Security Account Manager (SAM) file, or
• Active Directory
SAM files are located in the %SystemRoot%\System32\Config folder
A password is run through a specific algorithm and converted into a numeric value (a hash)
Windows operating systems use two different hash functions and store two different hash values:
• NT LanMan (NTLM) hash
• LanMan (LM) hash
Understanding Windows Password Storage (cont’d)
Cracking Windows Passwords Stored on Running Systems
Password cracking refers to the process of taking a password hash and attempting to determine what the associated password is
The process includes:
• Guessing a possible password
• Generating a password hash of the guess using the same hashing algorithm used by the target system
• Comparing the hash of the guess to the hash of the target account
• If a match is found, stop the process; otherwise start over
Cracking Windows Passwords Stored on Running Systems (cont’d)
Exploring Windows Authentication Mechanisms
Windows systems use the following authentication mechanisms to access remote computers:
LanMan authentication:
• Relies on a hash to determine whether a remote user has provided a valid username/password combination
NTLM authentication:
• The hash is calculated across the entire, case-sensitive password, resulting in a 16-byte hash
Kerberos:
• Verification of the user’s identity takes place between the Domain Controller and the client
Sniffing and Cracking Windows Authentication Exchanges
If an attacker is able to monitor communication between the victim’s system and the remote system, he/she can sniff the authentication and use it to crack the user’s password
Windows systems use Server Message Block (SMB) protocol to share files across the network
Cracking Offline Passwords
Use tools to extract the password data from the SAM files and feed it to the password cracker
Files with the encrypted attribute selected are encrypted before being stored
These techniques are used for defeating Windows Encrypting File System (EFS)
Windows Forensics Tool: Helix
Helix is a customized distribution of the Knoppix Live Linux CD
You can still boot into a customized Linux environment that includes the customized Linux kernels, excellent hardware detection, and many applications dedicated to Incident Response and Forensics
Helix has a special Windows autorun side for Incident Response and Forensics
Helix focuses on Incident Response and Forensics tools
Windows Forensics Tool: Helix (cont’d)
Helix operates in two different modes: Windows and Linux
In Windows mode, it runs as a standard Windows application used to collect information from a “live” (still turned on and logged in) Windows system
Tools Present in Helix CD for Windows Forensics
Windows Forensics Toolchest (WFT)
Incident Response Collection Report (IRCR2)
First Responder’s Evidence Disk (FRED)
First Responder Utility (FRU)
Security Reports (SecReport)
Md5 Generator
Command Shell
File Recovery – recover deleted files
Rootkit Revealer
VNC Server
Putty SSH
Screen Capture
Messenger Password
Mail Password Viewer
Protected Storage Viewer
Network Password Viewer
Registry Viewer
Asterisk Logger
IE History Viewer
IE Cookie Viewer
Mozilla Cookie Viewer
Screenshot 1
Screenshot 2
Screenshot 3
![Page 58: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/58.jpg)
Screenshot 4
![Page 59: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/59.jpg)
Screenshot 5
![Page 60: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/60.jpg)
Helix Tool: SecReport
It is a small suite of two command-line tools: SecReport collects security-related information from a Windows-based system, and Delta compares any two reports, either from two different systems or from the same system at two points in time
The report generated by SecReport shows the following information:
• Network Configuration
• Audit Policy
• Event Log Configuration
• Services
• Applications
• Hotfixes
• Ports Open
• Page File Settings
• Hardware
• Processors
• Fixed Disks
![Page 61: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/61.jpg)
Helix Tool: Windows Forensic Toolchest (WFT)
The Windows Forensic Toolchest (WFT) was written to provide an automated incident response on a Windows system and collect security-relevant information from the system
It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML-based reports
WFT should be run from a CD to ensure the forensic integrity of the evidence it collects
![Page 62: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/62.jpg)
Screenshot 1
![Page 63: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/63.jpg)
Screenshot 2
![Page 64: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/64.jpg)
Screenshot 3
It logs every action it takes as part of running commands
![Page 65: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/65.jpg)
Screenshot 4
WFT saves a copy of every tool's raw output in addition to the HTML reports it generates
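The toolchest pattern described on these slides (run each tool, keep its raw output, log every action, emit an HTML report), as an added Python illustration that is not WFT's own code: the command set is constructed and uses the Python interpreter in place of real Windows tools, and an MD5 of each saved raw output gives the examiner a later integrity check.

```python
import datetime, hashlib, html, pathlib, subprocess, sys, tempfile

# Constructed command set: WFT runs real Windows tools from its CD; these calls use the
# Python interpreter so the example runs on any host without modifying it.
COMMANDS = {
    "hostname": [sys.executable, "-c", "import socket; print(socket.gethostname())"],
    "cwd": [sys.executable, "-c", "import os; print(os.getcwd())"],
}

def run_toolchest(commands, outdir):
    """Run each tool, save its raw output, record an MD5 of it, and log every action."""
    outdir = pathlib.Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    log, results = [], []
    for name, argv in commands.items():
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        log.append(f"{stamp} START {name}: {' '.join(argv)}")
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        raw = outdir / f"{name}.txt"
        raw.write_bytes(proc.stdout)  # raw output kept beside the HTML report
        digest = hashlib.md5(proc.stdout).hexdigest()
        results.append({"tool": name, "rc": proc.returncode, "raw_file": raw.name, "md5": digest})
        log.append(f"{stamp} END {name}: rc={proc.returncode} md5={digest}")
    (outdir / "wft.log").write_text("\n".join(log) + "\n")
    (outdir / "report.html").write_text(render_html(results))
    return results

def render_html(results):
    """Minimal HTML report: one row per tool, linking its raw output and showing its MD5."""
    rows = "".join(
        f"<tr><td>{html.escape(r['tool'])}</td><td>{r['rc']}</td>"
        f"<td><a href=\"{html.escape(r['raw_file'])}\">{html.escape(r['raw_file'])}</a></td>"
        f"<td>{r['md5']}</td></tr>" for r in results)
    return ("<html><body><table><tr><th>Tool</th><th>Exit code</th><th>Raw output</th>"
            f"<th>MD5</th></tr>{rows}</table></body></html>")

def verify(outdir, results):
    """Re-hash every saved raw output; any mismatch means the collected evidence changed."""
    outdir = pathlib.Path(outdir)
    return all(hashlib.md5((outdir / r["raw_file"]).read_bytes()).hexdigest() == r["md5"]
               for r in results)

def collect_to_tempdir(commands=COMMANDS):
    """Collect into a fresh directory (stand-in for the examiner's output media)."""
    outdir = tempfile.mkdtemp(prefix="wft_")
    return outdir, run_toolchest(commands, outdir)
```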
![Page 66: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/66.jpg)
Built-in Tool: Sigverif
A program that displays all the unsigned drivers and related files on the computer
A signed file indicates the authenticity and quality of the file as attested by its manufacturer
Unsigned files can indicate the presence of infected driver files placed by attackers
Most driver files are signed by the operating system manufacturer, such as Microsoft
Sigverif helps in finding the unsigned files present in the system
![Page 67: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/67.jpg)
Word Extractor
A forensic tool that extracts human-readable words from machine code
It helps in many ways, such as finding a cheat in a game or finding hidden text or passwords in a file (exe, bin, dll)
![Page 68: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/68.jpg)
Registry Viewer Tool: RegScanner
RegScanner is a small utility that lets you scan the Registry, find the Registry values that match the specified search criteria, and display them in one list
Features:
• It displays the entire search result at once, so you do not have to press F3 to find the next value
• In addition to the standard string search, RegScanner can also find Registry values by data length, value type (REG_SZ, REG_DWORD, etc.), and by the modified date of the key
• It can find a Unicode string located inside a binary value
• It allows you to make a case-sensitive search
• While scanning the Registry, it displays the Registry key currently being scanned
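The search criteria listed above, as an added Python illustration that is not RegScanner's own code: the registry values are a constructed in-memory sample (a real scan would enumerate them with the winreg module), and the point is how a Unicode search term is located inside a binary value and how data length is measured per value type.

```python
# Constructed sample of registry values as (key, name, type, data, key_last_modified).
# Dates are ISO-8601 strings, which compare chronologically as plain strings.
SAMPLE = [
    ("HKLM\\SOFTWARE\\Example", "InstallPath", "REG_SZ", "C:\\Program Files\\Example", "2024-03-01"),
    ("HKLM\\SOFTWARE\\Example", "Flags", "REG_DWORD", 4, "2024-03-01"),
    ("HKCU\\Software\\Example", "Blob", "REG_BINARY",
     b"\x01\x02" + "Secret Token".encode("utf-16-le") + b"\x00\x00", "2024-05-09"),
]

def data_size(vtype, data):
    """Stored size in bytes: strings are UTF-16LE plus a 2-byte terminator, DWORDs are 4."""
    if vtype in ("REG_SZ", "REG_EXPAND_SZ"):
        return len(data.encode("utf-16-le")) + 2
    if vtype == "REG_DWORD":
        return 4
    return len(data)

def text_matches(vtype, data, text, case_sensitive):
    """Substring search; inside binary data the needle is searched in its UTF-16LE form.
    Case folding uses str.lower()/bytes.lower(), so binary matching folds ASCII only."""
    if vtype in ("REG_SZ", "REG_EXPAND_SZ"):
        hay, needle = data, text
    elif vtype == "REG_BINARY":
        hay, needle = data, text.encode("utf-16-le")
    else:
        return False
    if not case_sensitive:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def scan(values, text=None, case_sensitive=False, value_type=None,
         data_length=None, modified_after=None):
    """Return every value satisfying all given criteria, listed at once as RegScanner does."""
    hits = []
    for key, name, vtype, data, modified in values:
        if value_type and vtype != value_type:
            continue
        if data_length is not None and data_size(vtype, data) != data_length:
            continue
        if modified_after and modified <= modified_after:
            continue
        if text and not text_matches(vtype, data, text, case_sensitive):
            continue
        hits.append(f"{key}\\{name}")
    return hits
```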
![Page 69: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/69.jpg)
Screenshot 1
![Page 70: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/70.jpg)
Screenshot 2
![Page 71: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/71.jpg)
Tool: Pmdump
• A tool that dumps the memory contents of a process to a file without stopping the process
• Stands for Post Mortem Dump
• The dump is saved on a secondary storage medium such as magnetic tape or disk
![Page 72: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/72.jpg)
Tool: System Scanner
System Scanner can fetch more specific information about processes, such as the IDs of all their threads and handles to DLLs; it can suspend specific threads of a given process and, finally, view the process's virtual memory
The user can either dump the virtual memory or draw a memory map
![Page 73: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/73.jpg)
Screenshot
![Page 74: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/74.jpg)
Integrated Windows Forensics Software: X-Ways Forensics
X-Ways Forensics is an advanced work environment for computer forensic examiners
Features:
• Views and dumps physical RAM and the virtual memory of the running processes
• Clones and images disks, even under DOS with X-Ways Replica
• Examines the complete directory structure inside raw image files, even when spanned over several segments
• Native support for FAT, NTFS, Ext2/3, CDFS, and UDF
• Various data recovery techniques and file carving (hundreds of file signatures can be imported from FileSig)
• Gathering slack space, free space, inter-partition space, and generic text from drives and images
![Page 75: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/75.jpg)
Screenshot
![Page 76: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/76.jpg)
Tool: Traces Viewer
Traces Viewer is a tool that allows you to view all images, Flash movies, pages, and other media files cached by the Internet Explorer browser
It can remove all the web traces left by Internet Explorer on your computer
![Page 77: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/77.jpg)
Traces Viewer: Images
![Page 78: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/78.jpg)
Traces Viewer: Pages
![Page 79: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/79.jpg)
Traces Viewer: Other
![Page 80: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/80.jpg)
Traces Viewer: Cookies
![Page 81: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/81.jpg)
CD-ROM Bootable Windows XP
The methods to create a bootable CD-ROM for Windows XP:
• Bart PE (Bart Preinstalled Environment)
  • Provides a complete Win32 environment with network support
  • Rescues files to a network share, virus scan, etc.
• Ultimate Boot CD
  • Provides shared Internet access
  • Can modify NTFS volumes
  • Recovers deleted files
  • Creates new NTFS volumes, scans for viruses, etc.
![Page 82: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/82.jpg)
Bart PE Screenshot
![Page 83: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/83.jpg)
Ultimate Boot CD-ROM
![Page 84: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/84.jpg)
List of Tools in UB CD-ROM
![Page 85: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/85.jpg)
List of Tools in UB CD-ROM (cont’d)
![Page 86: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/86.jpg)
List of Tools in UB CD-ROM (cont’d)
![Page 87: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/87.jpg)
List of Tools in UB CD-ROM (cont’d)
![Page 88: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/88.jpg)
List of Tools in UB CD-ROM (cont’d)
![Page 89: File000126](https://reader035.fdocuments.in/reader035/viewer/2022062418/555b66f9d8b42a66338b508f/html5/thumbnails/89.jpg)
Summary
Live system activity notification is important for responders and investigators
In live response, the data collected is data that will change within a short span of time
Several Registry values and settings could impact the forensic analysis
Analyzing the contents of RAM helps the investigator find what has been hidden
The pmdump.exe tool allows dumping the contents of process memory without stopping the process
Registry analysis provides more information to the investigator during live response
The logs generated by the web server are used to investigate attacks on the IIS web server