Msra 2011 windows7 forensics-troyla
Transcript

  • 2. If a Bear Breaks into Your Computer, and No One Is There to See It, Does It Leave A Clue? Incident Response, Forensics, and Looking for Bear Tracks.
    Troy Larson, Principal Forensics Program Manager, Network Security—Investigations
    March 29, 2011
  • 3. About This Presentation
    Overview
    Some forensic fundamentals.
    Dissecting Windows 7 for malware, compromise and intrusions.
  • 4. What is Digital Forensics?
    The identification, preservation, collection, analysis, examination, . . . , and presentation of digital data in a reliable manner.
    To collect admissible evidence.
      Authentication.
      Complete.
    To answer questions about data or files.
      Metadata.
      Context.
    To determine what has occurred on a system.
  • 5. Digital Forensics in the Enterprise
    At least two general types of forensics work:
    Content focused.
      Find email, documents, graphics, or other types of files that match some criteria.
      eDiscovery and litigation support.
    Activity focused.
      Determine what somebody or something did on a computer system.
      Unauthorized activity.
      Malware.
      Compromise or intrusion.
  • 6. Digital Forensics in the Enterprise
    When trust is questioned.
    Can this _______ still be trusted?
  • 7. Forensics from XP to Vista
    Hard links. WinSxS.*
    Default settings: NTFS, change journal.
    Recycle Bin, no INFO2.
    Built-in volume and disk wiping.
    SuperFetch and prefetch files.
    Profile-based thumbcaches.*
    Office file format changes: .docx, .pptx, .xlsx.
    New Office files: InfoPath, Groove, OneNote.
    EFS-encrypted pagefile.
    Windows 2008 Hyper-V.
    Built-in Defender.
    Changed location of the boot sector (the first partition now starts at sector 2048 rather than sector 63).
    BitLocker: unlocking, imaging, preservation.
    exFAT. Transactional NTFS.
    Event logging changed.
      New format: .evtx.
      New system for collecting and displaying events.
      New security event numbering (XP ID + 4096; e.g., successful logon 528 becomes 4624).
    New directory tree for account profiles.
    Symbolic links. "Virtual" folders.
    "Virtual" registries (UAC file and registry virtualization).
    Volume Shadow Copies and difference files.
    User Account Control.
    Enforced signed drivers on x64 (kernel-mode code signing).
  • 8. Forensics from Vista to Windows 7
    Changed volume header for BitLocker volumes.
    Updated BitLocker: multiple volumes, smart card keys, not backward compatible.
    BitLocker To Go.
    Virtual hard drives: boot from, mount as "disks."
    Virtual PC integrated into the OS.
    XP Mode.
    Flash media enhancements.
    Libraries, Sticky Notes, Jump Lists.
    Service and driver triggers.
    Fewer services on default startup.
    IE 8, InPrivate Browsing, tab and session recovery.
    Changes in Volume Shadow Copy behavior.
    New registry-like files.
    Different WebDAV.
    More x64 clients. Windows Server 2008 R2 is x64 only.
    Changes in Hyper-V.
    Office 2010 file format changes: OneNote.
    Thumbnail cache.
    Virtual servers, thin clients.
    DirectAccess (IPsec).
    Windows Search.
  • 9. Forensics in Incident Response
    When trust is questioned.
    Can this system still be trusted?
  • 51. Forensics in Incident Response
    Incident response immediate goals:
      Technical assessment: what happened, when, how, etc.?
      Risk assessment: what systems or data are at risk?
      Containment.
    Incident response end goals:
      Remediation.
      Compliance.
      Prevention.
      Prosecution or litigation.
  • 52. Forensics in Incident Response
    Layers of a Windows system, top to bottom:
    Applications
    RAM: Processes, Services, Drivers, Ports
    Network
    OS Artifacts
    File Systems
    Fvevol.sys (the BitLocker filter driver)
    Partition & Volume Managers
    Disk
  • 53. Forensics in Incident Response
    Digital vivisection: collecting "live" data from a running Windows system to determine what happened, when, and how.
    Memory dump.
    Processes.
    Services.
    Drivers.
    Logged-on users.
    Ports.
    System reports on itself.
  • 54. Forensics in Incident Response
    Digital autopsy: dissecting an offline Windows system to determine what happened, when, and how.
    File systems and file metadata.
    File signatures.
    Registry.
    Shell: links, jump lists.
    WinInet.
    Prefetch.
    Shadow copies.
    Event and other logs.
  • 55. Forensics in Incident Response
    Digital forensics heuristics.
    Any action on a computer changes something.
      Memory: programs, drivers, data, etc.
      Media: files and metadata.
      This includes the actions of incident responders.
    Not all changes persist, and those that do don't have to persist forever.
    Data preservation should generally follow the order of volatility: memory, network state and running-process data before the disk.
    There are rules governing the ways things work on any platform.
      Win32 APIs, NTFS, security, etc.
      These rules generate artifacts: indicators of compromise.
  • 56. Forensics in Incident Response (no transcript text for this slide)
  • 57. Forensics in Incident Response
    Digital forensics practical heuristics.
    Compare the memory dump to Windows' own self-reporting.
    Compare the memory dump and self-reports to on-disk sources.
    Identify unknown files, mismatched files, and packed executables.
    Examine ASEPs for unexpected items.
    Examine Shell and WinInet data for indicators and correlations.
    Examine prefetch files for program launches and dependencies.
    Difference shadow copies to identify hidden files and infection times.
    Review event and other logs, particularly those reporting on the state of applications and the system.
  • 58. Forensics in Incident Response
    Memory dumps
    Sometimes, it is easy.
    All Microsoft code should have symbols.*
    Loaded-module list from WinDbg (lm); the two drivers that resolve to no symbols stand out:
      8d793000 8d79d000   nsiproxy   (private pdb symbols)  C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
      8d79d000 8d79e680   msvmmouf   (private pdb symbols)  C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
      8d79f000 8d7a9000   mssmbios   (private pdb symbols)  C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
      8d7a9000 8d7ab980   mrxnet     (no symbols)
      8d7ac000 8d7b0d80   mrxcls     (no symbols)
      8d7b1000 8d7bd000   discache   (private pdb symbols)  C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
      8d7bd000 8d7ca000   CompositeBus (private pdb symbols)  C:\Debuggers\sym\CompositeBus.pdb\F0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
      8d7ca000 8d7dc000   AgileVpn   (private pdb symbols)  C:\Debuggers\sym\AgileVpn.pdb\F9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
      8d7dc000 8d7f4000   rasl2tp    (private pdb symbols)  C:\Debuggers\sym\rasl2tp.pdb\6F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
    http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
  • 59. Forensics in Incident Response
    Compare memory dumps to self-reported information.
  • 60. Forensics in Incident Response
    Compare memory dumps and self-reported information to on-disk sources.
  • 61. Forensics in Incident Response
    Memory dumps and self-reported information should be examined for the unknown.
    Unknown processes.
    Unknown services.
    Unknown drivers.
    Unknown ports.
    Etc.
    Which, unfortunately, raises the question: what is unknown?
    Good to build familiarity.
    Baseline.
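The three comparisons on the preceding slides (memory dump against the system's self-report, both against a baseline) reduce to set arithmetic once the listings are parsed. The example below is added here and is not part of the deck: it parses WinDbg `lm` output (the sample lines repeat the slide's listing), the output of `driverquery /fo csv /nh`, and a known-good driver set, and reports the three kinds of "unknown". The driverquery rows, the baseline, and the two mrx* entries in them are constructed for illustration.

```python
"""Cross-view check of loaded drivers: memory dump vs. OS self-report vs. baseline.

Added example, not from the original deck. Sample data is constructed: the `lm`
lines repeat the slide; the driverquery rows and baseline are hypothetical.
"""
import csv
import io
import re

# WinDbg `lm` line: start end name (symbol status) [path]
LM_LINE = re.compile(
    r"^(?P<start>[0-9a-f`]+)\s+(?P<end>[0-9a-f`]+)\s+(?P<name>\S+)\s+\((?P<status>[^)]*)\)",
    re.IGNORECASE,
)

LM_OUTPUT = r"""
8d793000 8d79d000   nsiproxy   (private pdb symbols)  C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680   msvmmouf   (private pdb symbols)  C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d7a9000 8d7ab980   mrxnet     (no symbols)
8d7ac000 8d7b0d80   mrxcls     (no symbols)
8d7b1000 8d7bd000   discache   (private pdb symbols)  C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
"""

# Constructed `driverquery /fo csv /nh` output from the live system.
# mrxnet is deliberately missing: loaded in memory, but the OS does not report it.
DRIVERQUERY_CSV = """\
"nsiproxy","NSI proxy service driver.","Kernel ","7/13/2009 7:21:02 PM"
"msvmmouf","Microsoft Virtual Machine Mouse Filter","Kernel ","7/13/2009 7:20:59 PM"
"mrxcls","MRXCLS","Kernel ","1/1/2009 12:00:00 AM"
"discache","System Attribute Cache","Kernel ","7/13/2009 7:19:54 PM"
"""

# Constructed baseline: drivers present on the known-good load image.
BASELINE = {"nsiproxy", "msvmmouf", "discache", "rasl2tp"}


def parse_lm(text):
    """Return {module_name_lower: symbol_status} from `lm` output."""
    modules = {}
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if m:
            modules[m.group("name").lower()] = m.group("status").strip()
    return modules


def parse_driverquery(csv_text):
    """Return the set of module names the running OS reports about itself."""
    return {row[0].strip().lower() for row in csv.reader(io.StringIO(csv_text)) if row}


def cross_view(dump_modules, os_reported, baseline):
    """Three views of 'unknown', each as a sorted list of module names."""
    in_dump = set(dump_modules)
    return {
        # Microsoft code should resolve to symbols; anything without them needs a look.
        "no_symbols": sorted(n for n, s in dump_modules.items() if s.startswith("no symbols")),
        # In memory but absent from the OS's own report: hidden or unlinked.
        "hidden_from_os": sorted(in_dump - os_reported),
        # On this host but not on the known-good image.
        "not_in_baseline": sorted(in_dump - {b.lower() for b in baseline}),
    }


def run_sample():
    return cross_view(parse_lm(LM_OUTPUT), parse_driverquery(DRIVERQUERY_CSV), BASELINE)


if __name__ == "__main__":
    for view, names in run_sample().items():
        print(f"{view:16s} {', '.join(names) or '-'}")
```

On a real case the `lm` text comes from WinDbg against the memory image and the driverquery output from the live host (or from a memory-analysis plugin that walks the loaded-module list); the baseline is whatever hash or name list the organization keeps for its standard image.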
  • 62. Forensics in Incident Response
    To the media:
    Identify and exclude known-good files.
    Industry standard: MD5 hash values of the operating system and application files. (Hash sets such as NSRL also publish SHA-1; prefer it as the match key where both are available.)
  • 63. Forensics in Incident Response
    Known-good file hashes?
    http://www.nsrl.nist.gov/
    Make them as needed, based on standard load images, patched and updated as needed.
    Pre-incident shadow copies. (Technically not "known good," but good enough for finding new, potentially bad files.)
  • 64. Forensics in Incident Response
    Recovery and scan of all files.
    Undelete.
    Check the file signatures of all files to identify mismatched signatures.
      Also known as a file signature/extension comparison.
    Scan for binaries with "packed" code.
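Slides 62 to 64 describe one triage pass over the recovered files: drop everything whose hash is in the known-good set, then flag signature/extension mismatches and packed code among what remains. The example below is added here and is not from the deck. The "files" are constructed byte strings, the known-good set is built from a constructed gold-image copy of one of them, and the signature table is a small starter list; entropy above roughly 7.2 bits per byte is a common heuristic for packed or encrypted code, not a rule.

```python
"""Media triage: known-good hash exclusion, signature/extension check, packed-code heuristic.

Added example, not from the original deck. All sample files and hashes are
constructed here.
"""
import hashlib
import math
import random
from collections import Counter

# Label -> (magic bytes, extensions that legitimately carry them). Starter list only.
SIGNATURES = {
    "PE executable": (b"MZ", {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}),
    "PDF": (b"%PDF", {"pdf"}),
    "JPEG": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "PNG": (b"\x89PNG\r\n\x1a\n", {"png"}),
    "ZIP container": (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
}


def identify(data):
    """Return (label, allowed_extensions) for a recognised signature, else None."""
    for label, (magic, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return label, exts
    return None


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; packed or encrypted sections sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(files, known_good_md5, packed_threshold=7.2):
    """files: {path: bytes}. Returns [(path, reason)] for everything not known good."""
    findings = []
    for path, data in sorted(files.items()):
        if hashlib.md5(data).hexdigest() in known_good_md5:
            continue  # known good: excluded from further review
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        sig = identify(data)
        if sig and ext not in sig[1]:
            reasons.append(f"signature/extension mismatch: {sig[0]} content named .{ext or '(none)'}")
        if data.startswith(b"MZ"):
            h = shannon_entropy(data)
            if h > packed_threshold:
                reasons.append(f"entropy {h:.2f} bits/byte: possibly packed")
        if not reasons:
            reasons.append("not in known-good set: review")
        findings.append((path, "; ".join(reasons)))
    return findings


# Constructed sample "files"; _rng makes the packed-looking body reproducible.
_rng = random.Random(2011)
_PE_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 200
SAMPLE_FILES = {
    r"C:\Windows\System32\svchost.exe": _PE_STUB,                      # matches the gold image
    r"C:\Users\Public\readme.txt": b"MZ" + b"\x00" * 300,               # PE hiding behind .txt
    r"C:\Windows\Temp\update.exe": b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096)),
    r"C:\Users\Public\photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,   # unknown, but consistent
}
KNOWN_GOOD_MD5 = {hashlib.md5(_PE_STUB).hexdigest()}  # from the gold-image copy of svchost.exe


def run_sample():
    return dict(triage(SAMPLE_FILES, KNOWN_GOOD_MD5))


if __name__ == "__main__":
    for path, reason in run_sample().items():
        print(f"{path}: {reason}")
```

Against a mounted image, replace `SAMPLE_FILES` with a walk of the volume (including undeleted files) and `KNOWN_GOOD_MD5` with the NSRL set or the hashes of the organization's own load image.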
  • 65. Forensics in Incident Response
    Using file system date and time information:
    Follow an event of interest (this is the starting point).
    Sort on created dates and times. This is when files came to exist on the media.
    Sort on last-modified dates and times. This is when files were last written to.
    Sort on entry modified (the NTFS $MFT entry change time) for any changes in metadata or named streams.
    Correlate: for each important finding, examine contemporaneous events. Especially important for exploits and downloaders.
    Cross-check the dates and times of significant files by comparing the $STANDARD_INFORMATION attribute to the $FILE_NAME attribute. Ordinary APIs such as SetFileTime change only the former; the kernel maintains the latter. A $STANDARD_INFORMATION created time earlier than the $FILE_NAME created time, or whole-second $STANDARD_INFORMATION times beside sub-second $FILE_NAME times, points to timestamp tampering.
    Corroborate event times with corresponding events, e.g., event logs, internal metadata, shadow copies.
    Build a timeline.
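The timeline procedure above, as an added example that is not part of the deck: records from a parsed $MFT are flattened into a sorted timeline, a window around the event of interest is pulled out, and each record is checked with the $STANDARD_INFORMATION / $FILE_NAME cross-check. The records, paths and times are constructed; in practice they come from an $MFT parser such as analyzeMFT or The Sleuth Kit, and the anchor is whatever event started the investigation.

```python
"""NTFS timestamp triage: timeline around an anchor event and $SI vs $FN cross-check.

Added example, not from the original deck. The MFT records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class MftRecord:
    path: str
    si_created: datetime          # $STANDARD_INFORMATION: settable via SetFileTime
    si_modified: datetime
    si_entry_modified: datetime   # MFT entry change time: no Win32 API sets it directly
    fn_created: datetime          # $FILE_NAME: maintained by the kernel, not API-settable


def ts(s):
    return datetime.fromisoformat(s)


def timestomp_indicators(rec):
    """Return the reasons a record's $SI times look tampered with (empty if none)."""
    reasons = []
    # $FN created is written when the name is created; $SI cannot legitimately be older.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created predates $FN created")
    # Tools setting times through the Win32 API usually supply whole seconds.
    if (rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
            and rec.fn_created.microsecond != 0):
        reasons.append("$SI times have zeroed sub-second precision while $FN does not")
    return reasons


def build_timeline(records):
    """Flatten records into sorted (time, source, event, path) tuples. $FN created goes in
    beside $SI created, so backdating $SI cannot pull a file out of the window it arrived in."""
    events = []
    for r in records:
        events += [
            (r.si_created, "SI", "created", r.path),
            (r.si_modified, "SI", "modified", r.path),
            (r.si_entry_modified, "SI", "entry-modified", r.path),
            (r.fn_created, "FN", "created", r.path),
        ]
    return sorted(events)


def events_near(timeline, anchor, window=timedelta(minutes=5)):
    """Contemporaneous events: everything within +/- window of the anchor."""
    return [e for e in timeline if anchor - window <= e[0] <= anchor + window]


ANCHOR = ts("2011-03-29 14:02:10")  # constructed: the event of interest (a shortcut opened)


def sample_records():
    return [
        MftRecord(r"C:\Windows\notepad.exe",
                  ts("2009-07-14 01:14:24.123456"), ts("2009-07-14 01:14:24.123456"),
                  ts("2009-07-14 01:14:24.123456"), ts("2009-07-14 01:14:24.123456")),
        MftRecord(r"C:\Users\Public\drop.tmp",
                  ts("2011-03-29 14:02:12.345678"), ts("2011-03-29 14:02:12.901234"),
                  ts("2011-03-29 14:02:12.901234"), ts("2011-03-29 14:02:12.345678")),
        # Backdated $SI to blend in with OS install files; $FN and entry-modified disagree.
        MftRecord(r"C:\Windows\System32\drivers\mrxfoo.sys",
                  ts("2009-07-14 01:14:24"), ts("2009-07-14 01:14:24"),
                  ts("2011-03-29 14:02:15.812345"), ts("2011-03-29 14:02:15.812345")),
    ]


if __name__ == "__main__":
    recs = sample_records()
    for when, src, event, path in events_near(build_timeline(recs), ANCHOR):
        print(f"{when} {src:2s} {event:15s} {path}")
    for r in recs:
        for reason in timestomp_indicators(r):
            print(f"TAMPER? {r.path}: {reason}")
```

Sorting on $SI created alone would file mrxfoo.sys among the 2009 install files; its $FN created and entry-modified times put it three seconds after the anchor, which is the correlation the slide asks for.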
  • 66-72. Forensics in Incident Response (seven slides with no transcript text)
  • 73. Forensics in Incident Response
    Examine the registry for ASEPs:
    Auto-Start Extensibility Points.
    http://www.usenix.org/event/lisa04/tech/full_papers/wang/wang.pdf
    Autoruns, either online or offline (its offline mode works against a mounted image's hives).
    http://technet.microsoft.com/en-us/sysinternals/bb963902
  • 74. Forensics in Incident Response
    When user activity may have contributed to the infection or compromise:
    Registry "MRU" lists.
  • 75. Forensics in Incident Response
    When user activity may have contributed to the infection or compromise:
    Registry, UserAssist.
      NTUSER.DAT.
      UsrClass.dat.
  • 76. Forensics in Incident Response
    When user activity may have contributed to the infection or compromise:
    Shell artifacts: link files (also known as shortcuts).
  • 77. Forensics in Incident Response
    When user activity may have contributed to the infection or compromise:
    Shell artifacts:
      A malformed link file.
  • 78. Forensics in Incident Response
    The link points to a file, ~wtr4141.tmp, which is this: (slide image; no transcript text)
  • 79. Forensics in Incident Response
    When user activity may have contributed to the infection or compromise:
    Shell artifacts:
      Jump lists.
  • 80. Forensics in Incident Response
    When user activity may have contributed to the infection or compromise:
    Shell artifacts: jump lists.
  • 81. Forensics in Incident Response
    WinInet: Internet history.
    Can expose browser-exploit URLs and downloads.
    Can indicate intruder downloads.
      First appearance of intruder tools in the history and cache for the Default account.
    Multiple data sources:
      Internet history files (index.dat), and all fragments or deleted history files.
      Browser cache folders.
      Recovery files.
      Jump lists.
  • 82. Forensics in Incident Response (no transcript text)
  • 83. Forensics in Incident Response
    Cache folders
  • 84. Forensics in Incident Response
    Recovery folders
  • 85. Forensics in Incident Response
    Recovery file
  • 86. Forensics in Incident Response
    Records of programs being run, and their dependencies, are found in prefetch files.
    \Windows\Prefetch
    The existence of a prefetch file indicates that the application named by the prefetch file was run. (Prefetching is on by default on Windows 7 clients and off by default on Server SKUs, so the absence of a file proves nothing on a server.)
    The creation date of a prefetch file can indicate when the named application was first run.
    The modification date of a prefetch file can indicate when the named application was last run.
    Prefetch file internals show the last launch time, the number of times run, and the files referenced during launch. The file is named EXENAME-HASH.pf, where the hash is computed from the executable's full path, so the same binary run from two directories leaves two prefetch files; the recorded last-run time is written roughly ten seconds after the launch it describes.
  • 87. Forensics in Incident Response (no transcript text)
  • 88. Forensics in Incident Response
    Prefetch internals parsed.
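What "prefetch internals parsed" means in practice, as an added example that is not part of the deck: a parser for the Windows Vista/7 prefetch layout (format version 23) that pulls out the executable name, the path hash, the last run time, the run count and the referenced file names, plus a builder that constructs a minimal sample file so the parser can be run offline. The sample's executable, hash value, times and file list are constructed; a real file also carries the metrics, trace-chain and volume sections that this parser skips over by following the header offsets.

```python
"""Parse the Windows Vista/7 (version 23) prefetch file layout.

Added example, not from the original deck. The sample .pf content is constructed by
build_sample_prefetch(); its name, hash, times and file list are hypothetical.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 84        # common header
FILE_INFO_SIZE = 156    # version 23 file-information block


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch_v23(buf):
    version, sig = struct.unpack_from("<I4s", buf, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    # 17 = XP/2003, 23 = Vista/7, 26 = 8, 30 = 10 (Windows 10 also MAM-compresses the file).
    if version != 23:
        raise ValueError(f"unsupported prefetch version {version}; this parser covers Vista/7")
    file_size, = struct.unpack_from("<I", buf, 12)
    exe_name = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", buf, 76)
    (metrics_off, metrics_n, chains_off, chains_n, names_off, names_size,
     vols_off, vols_n, vols_size) = struct.unpack_from("<9I", buf, HEADER_SIZE)
    last_run_ft, = struct.unpack_from("<Q", buf, HEADER_SIZE + 44)
    run_count, = struct.unpack_from("<I", buf, HEADER_SIZE + 68)
    names_blob = buf[names_off:names_off + names_size].decode("utf-16-le")
    return {
        "executable": exe_name,
        "hash": pf_hash,
        "file_size": file_size,
        "last_run": filetime_to_dt(last_run_ft),
        "run_count": run_count,
        "filenames": [n for n in names_blob.split("\x00") if n],
        "volumes": vols_n,
    }


def build_sample_prefetch(exe, pf_hash, last_run, run_count, filenames):
    """Construct a minimal version-23 file: header, file info, then the name strings."""
    names = "".join(n + "\x00" for n in filenames).encode("utf-16-le")
    names_off = HEADER_SIZE + FILE_INFO_SIZE
    header = struct.pack("<I4sII", 23, b"SCCA", 0x0F, names_off + len(names))
    header += exe.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", pf_hash, 0)
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    info = struct.pack("<9I", names_off, 0, names_off, 0, names_off, len(names),
                       names_off + len(names), 0, 0)
    info += b"\x00" * 8 + struct.pack("<Q", ft) + b"\x00" * 16
    info += struct.pack("<I", run_count) + b"\x00" * 4 + b"\x00" * 80
    assert len(header) == HEADER_SIZE and len(info) == FILE_INFO_SIZE
    return header + info + names


# Constructed sample: what CMD.EXE-4A81B364.pf might hold (hash value is made up).
LAST_RUN = datetime(2011, 3, 29, 14, 2, 21, tzinfo=timezone.utc)
FILENAMES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE",
    r"\DEVICE\HARDDISKVOLUME1\USERS\PUBLIC\DROP.TMP",
]
SAMPLE_PF = build_sample_prefetch("CMD.EXE", 0x4A81B364, LAST_RUN, 7, FILENAMES)


if __name__ == "__main__":
    info = parse_prefetch_v23(SAMPLE_PF)
    print(f"{info['executable']} hash={info['hash']:08X} runs={info['run_count']} last={info['last_run']}")
    for name in info["filenames"]:
        print("  ", name)
```

The referenced-file list is the dependency record the slide mentions: a loader DLL or a dropped file that appears in the list of an otherwise ordinary program is a correlation point, and the single last-run time is all a Windows 7 file keeps (Windows 8 stores the last eight).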
  • 89. Forensics in Incident Response
    Shadow copies.
    Snapshot of a volume at a point in time.
    Can show files added, modified, or deleted over time.
  • 90. Forensics in Incident Response
    Shadow copies.
    Can be mounted as volumes, for scanning.
    The first command below, run from an elevated cmd.exe, exposes each shadow copy of the system volume as a directory symbolic link. The trailing backslash on the link target is required for a GLOBALROOT device path.
    The second command follows each symbolic link and produces a file list of every file in that shadow copy.
      for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
      for /f "tokens=1" %f in ('dir C:\ /B /A:D ^| findstr HarddiskVolumeShadowCopy') do @dir C:\%f /B /O:N /S > E:\%f-fileList.txt
  • 91-92. Forensics in Incident Response (two slides with no transcript text)
  • 93. Forensics in Incident Response
    Differencing shadow copy file lists makes malware files stand out.
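Differencing the file lists, as an added example that is not part of the deck: the listings below stand in for the HarddiskVolumeShadowCopyN-fileList.txt files the `dir /B /S` loop writes, plus a listing of the live volume. Paths are normalized so the same file compares equal across mount points, and each file is bracketed to the interval between the last snapshot that lacks it and the first that has it, which is the "infection time" heuristic from slide 57. Snapshot times, paths and file names are constructed.

```python
"""Shadow-copy file-list differencing: new files, removed files, and arrival windows.

Added example, not from the original deck. Listings and snapshot times are constructed.
"""
import re
from datetime import datetime

# Drive letter plus optional shadow-copy mount directory, e.g. C:\HarddiskVolumeShadowCopy2\
MOUNT_PREFIX = re.compile(r"^[a-z]:\\(harddiskvolumeshadowcopy\d+\\)?", re.IGNORECASE)


def normalize(path):
    """Strip the mount prefix and fold case; NTFS path matching is case-insensitive."""
    return MOUNT_PREFIX.sub("", path.strip()).lower()


def load_listing(text):
    """One `dir /B /S` listing (or a live-volume listing) to a set of volume-relative paths."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def diff_listings(older, newer):
    """(added, removed) between two listings, as sorted lists."""
    return sorted(newer - older), sorted(older - newer)


def first_appearance(snapshots):
    """snapshots: [(creation_time, listing)] oldest first, with the live volume last.
    Returns {path: (absent_at, present_at)}: the file was missing at absent_at and present
    at present_at, so it arrived in between. absent_at is None for files already in the
    oldest snapshot."""
    arrived, seen, previous = {}, set(), None
    for when, listing in snapshots:
        for path in listing - seen:
            arrived[path] = (previous, when)
        seen |= listing
        previous = when
    return arrived


# Constructed snapshot creation times (as vssadmin list shadows would report them).
T1 = datetime(2011, 3, 20, 3, 0)
T2 = datetime(2011, 3, 28, 3, 0)
T_LIVE = datetime(2011, 3, 30, 9, 15)

SNAP1 = r"""
C:\HarddiskVolumeShadowCopy1\Windows\notepad.exe
C:\HarddiskVolumeShadowCopy1\Windows\System32\ntdll.dll
C:\HarddiskVolumeShadowCopy1\Users\bob\notes.txt
"""
SNAP2 = r"""
C:\HarddiskVolumeShadowCopy2\Windows\notepad.exe
C:\HarddiskVolumeShadowCopy2\Windows\System32\ntdll.dll
C:\HarddiskVolumeShadowCopy2\Windows\System32\drivers\mrxfoo.sys
C:\HarddiskVolumeShadowCopy2\Users\bob\notes.txt
"""
LIVE = r"""
C:\Windows\notepad.exe
C:\Windows\System32\ntdll.dll
C:\Windows\System32\drivers\mrxfoo.sys
C:\Users\Public\drop.tmp
"""


def run_sample():
    snaps = [(T1, load_listing(SNAP1)), (T2, load_listing(SNAP2)), (T_LIVE, load_listing(LIVE))]
    return first_appearance(snaps), diff_listings(snaps[1][1], snaps[2][1])


if __name__ == "__main__":
    arrived, (added, removed) = run_sample()
    for path, (absent, present) in sorted(arrived.items(), key=lambda kv: (kv[1][1], kv[0])):
        if absent is not None:
            print(f"{path}: arrived after {absent} and by {present}")
    print("added since last snapshot:", added)
    print("removed since last snapshot:", removed)
```

A file that was deleted and later re-created keeps its earliest window here; if that matters, record the full presence vector per snapshot instead of the first hit. Files present in every listing need a second pass with hashes or sizes, since an in-place modification does not change the path.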
  • 94. Forensics in Incident Response
    Events and other logs.
    Often not the best entry point into an investigation.
    The System event log can show problems impacting system components.
      Unexpected shutdowns.
      Port reassignment.
    Application logs can show problems impacting various applications.
      Unexpected terminations.
      Errors and failures.
    The value of the Security event log depends on the audit policy settings.
      Can be noisy.
  • 95-97. Forensics in Incident Response
    Events and other logs. (three slides with no further transcript text)
  • 98. Q&A
  • 99. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.