  • Module XIII – Windows Forensics II
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  • News: Vista Encryption ‘No Threat’ to Computer Forensics
    Source: http://www.theregister.co.uk/2007/02/02/computer_forensics_vista/
  • Module Objective
    This module will familiarize you with:
    • Collecting volatile and non-volatile information
    • Windows memory analysis
    • Windows Registry analysis
    • Windows file analysis
    • Text-based logs
    • Other audit events
    • Forensic analysis of event logs
    • Tool analysis
    • Windows password issues
  • Module Flow
    The module proceeds through the following stages:
    • Forensics Tools
    • Collecting Volatile Information
    • Collecting Non-Volatile Information
    • Windows Memory Analysis
    • Cache, Cookie and History Analysis
    • MD5 Calculation
    • Text-Based Logs
    • Metadata Investigation
    • Forensic Analysis of Event Logs
    • Other Audit Events
    • Windows Registry Analysis
    • Windows File Analysis
    • Windows Password Issues
  • Understanding Events
    Event logs record a variety of day-to-day events that occur on Windows systems
    Some events are recorded by default; which categories are audited is maintained in the PolAdtEv Registry value (HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv)
    The Registry key that maintains the configuration of each event log (file location, maximum size, retention):
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<Event Log>
  • Understanding Events (cont’d)
    Logon types recorded in logon events:
    Logon Type | Title                   | Description
    2          | Interactive             | The user logged on at the console
    3          | Network                 | A user or computer logged on to this computer from the network, such as via net use, accessing a network share, or a successful net view directed at a network share
    4          | Batch                   | Reserved for applications that run as batch jobs
    5          | Service                 | Service logon
    6          | Proxy                   | Not supported
    7          | Unlock                  | The user unlocked the workstation
    8          | NetworkClearText        | A user logged on over the network and the user’s credentials were passed in an unencrypted form
    9          | NewCredentials          | A process or thread cloned its current token but specified new credentials for outbound connections (for example runas /netonly)
    10         | RemoteInteractive       | Logon using Terminal Services or a Remote Desktop connection
    11         | CachedInteractive       | A user logged on with domain credentials that were cached locally on the computer
    12         | CachedRemoteInteractive | Same as RemoteInteractive; used internally for auditing purposes
    13         | CachedUnlock            | The logon attempt is to unlock a workstation
  • Event Record Structure
    Each event record begins with a fixed 56-byte header (the EVENTLOGRECORD structure); all multi-byte fields are little-endian. Contents of the first 56 bytes:
    Offset | Size    | Description
    0      | 4 bytes | Length of the event record (size of the record in bytes); the same value is repeated as the last 4 bytes of the record
    4      | 4 bytes | Reserved; magic number (the signature “LfLe”, 0x654C664C)
    8      | 4 bytes | Record number
    12     | 4 bytes | Time generated; Unix time, the number of seconds elapsed since 00:00:00 1 Jan 1970, Coordinated Universal Time (UTC)
    16     | 4 bytes | Time written; Unix time, as above
    20     | 4 bytes | Event ID, which is specific to the event source; used together with the source’s name to locate the description string in the message file for that source
    24     | 2 bytes | Event type (0x01 = Error; 0x02 = Warning; 0x04 = Information; 0x08 = Success Audit; 0x10 = Failure Audit)
    26     | 2 bytes | Number of strings
    28     | 2 bytes | Event category
    30     | 2 bytes | Reserved flags
    32     | 4 bytes | Closing record number
    36     | 4 bytes | String offset; offset (from the start of the record) to the description strings
    40     | 4 bytes | Length of the user’s SID in bytes (0 if no user SID is provided)
    44     | 4 bytes | Offset to the user’s SID within this event record
    48     | 4 bytes | Data length; length of the binary data associated with this event record
    52     | 4 bytes | Offset to the data
    The source name and computer name (null-terminated UTF-16LE strings) follow the header; the SID, the description strings and the binary data sit at the offsets given above, all relative to the start of the record. Note that both timestamps are stored in UTC; tools that display local time have converted them.
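    The header layout above is enough to parse a raw .evt file without the Windows API. The following Python is an added example, not part of the EC-Council material: it unpacks the 56-byte EVENTLOGRECORD header, checks the “LfLe” signature and the trailing length copy, reads the source/computer names, SID and strings, and walks a buffer record by record, sliding forward one DWORD at a time over anything that does not parse (the .evt file header, the end-of-file cursor record, damaged regions), which is how records are carved out of a log that Event Viewer calls corrupt. The sample input is constructed here with build_record (two Security-log records, 528 successful logon and 529 logon failure, behind 24 bytes of filler); the SID and the string contents are invented for the example.

```python
import struct
from datetime import datetime, timezone

# 56-byte EVENTLOGRECORD header, little-endian: six DWORDs, four WORDs, six DWORDs
# (length, signature, record number, time generated, time written, event ID,
#  event type, number of strings, category, reserved flags,
#  closing record number, string offset, SID length, SID offset, data length, data offset).
HEADER_FMT = "<6I4H6I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 56
LFLE = 0x654C664C                          # "LfLe" signature at offset 4

EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",
               0x08: "Success Audit", 0x10: "Failure Audit"}


def sid_to_str(raw):
    """Render a binary SID (revision, sub-authority count, 48-bit big-endian authority,
    then little-endian sub-authorities) in the familiar S-1-5-... form."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def _read_wstrings(rec, pos, count):
    """Read `count` null-terminated UTF-16LE strings starting at rec[pos]."""
    out = []
    for _ in range(count):
        chars = bytearray()
        while pos + 2 <= len(rec):
            unit = rec[pos:pos + 2]
            pos += 2
            if unit == b"\x00\x00":
                break
            chars += unit
        out.append(chars.decode("utf-16-le", errors="replace"))
    return out


def parse_record(buf, offset=0):
    """Parse one event record at buf[offset]; raises ValueError if it is not a sane record."""
    if len(buf) - offset < HEADER_SIZE:
        raise ValueError("truncated header")
    (length, magic, recnum, t_gen, t_wri, event_id, etype, nstrings, category, _flags,
     _closing, str_off, sid_len, sid_off, data_len, data_off) = struct.unpack_from(HEADER_FMT, buf, offset)
    if magic != LFLE:
        raise ValueError("bad signature at offset %d" % offset)
    if length < HEADER_SIZE + 4 or offset + length > len(buf):
        raise ValueError("record length %d does not fit" % length)
    rec = buf[offset:offset + length]
    # The length is repeated as the record's last DWORD; a mismatch means corruption or a mis-carve.
    if struct.unpack_from("<I", rec, length - 4)[0] != length:
        raise ValueError("trailing length mismatch at offset %d" % offset)
    source, computer = _read_wstrings(rec, HEADER_SIZE, 2)
    return {
        "length": length,
        "record_number": recnum,
        "time_generated": datetime.fromtimestamp(t_gen, timezone.utc),
        "time_written": datetime.fromtimestamp(t_wri, timezone.utc),
        "event_id": event_id & 0xFFFF,  # low word is the event code shown by Event Viewer
        "type": EVENT_TYPES.get(etype, "Unknown(0x%02x)" % etype),
        "category": category,
        "source": source,
        "computer": computer,
        "sid": sid_to_str(rec[sid_off:sid_off + sid_len]) if sid_len else None,
        "strings": _read_wstrings(rec, str_off, nstrings),
        "data": bytes(rec[data_off:data_off + data_len]),
    }


def record_is_valid(buf, offset=0):
    try:
        parse_record(buf, offset)
        return True
    except ValueError:
        return False


def parse_all(buf):
    """Walk a buffer; skip 4 bytes at a time over anything that is not a valid record."""
    records, off = [], 0
    while off + HEADER_SIZE <= len(buf):
        if not record_is_valid(buf, off):
            off += 4
            continue
        rec = parse_record(buf, off)
        records.append(rec)
        off += rec["length"]
    return records


def build_record(recnum, t_gen, event_id, etype, category, source, computer, sid, strings, data=b""):
    """Assemble a well-formed record; used here only to construct the sample input."""
    def wz(s):
        return s.encode("utf-16-le") + b"\x00\x00"
    body = wz(source) + wz(computer)
    body += b"\x00" * ((4 - len(body) % 4) % 4)
    sid_off = HEADER_SIZE + len(body)
    body += sid
    str_off = HEADER_SIZE + len(body)
    body += b"".join(wz(s) for s in strings)
    data_off = HEADER_SIZE + len(body)
    body += data
    body += b"\x00" * ((4 - len(body) % 4) % 4)
    length = HEADER_SIZE + len(body) + 4
    header = struct.pack(HEADER_FMT, length, LFLE, recnum, t_gen, t_gen, event_id, etype,
                         len(strings), category, 0, recnum, str_off, len(sid), sid_off,
                         len(data), data_off)
    return header + body + struct.pack("<I", length)


# Constructed sample (not a real log): 24 bytes of filler standing in for a file header, then
# a 528 (successful logon, Success Audit) and a 529 (logon failure, Failure Audit) record.
ADMIN_SID = struct.pack("<BB", 1, 5) + b"\x00\x00\x00\x00\x00\x05" + struct.pack("<5I", 21, 1, 2, 3, 500)
SAMPLE_LOG = (b"\xff" * 24
              + build_record(1, 1170374400, 528, 0x08, 2, "Security", "WKS01", ADMIN_SID,
                             ["Administrator", "WKS01", "(0x0,0x3E7)", "2"])
              + build_record(2, 1170374460, 529, 0x10, 2, "Security", "WKS01", b"",
                             ["guest", "WKS01", "3", "NtLmSsp", "198.51.100.7"]))

if __name__ == "__main__":
    for r in parse_all(SAMPLE_LOG):
        print(r["time_generated"], r["event_id"], r["type"], r["sid"], r["strings"])
```

    Run against a real file, read it with open(path, "rb").read() and pass the bytes to parse_all; the message text is not in the record (only the insertion strings are), so the source's message DLL is still needed to render it.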
  • Vista Event Logs
    Vista stores events in an XML-based (binary XML, .evtx) format and supports central collection (forwarding) of event records
    Use the wevtutil command to retrieve information about the Windows Event Log
    Command to display a list of the available event logs on the system:
    • C:\>wevtutil el
    Command to list the configuration of a specific event log:
    • C:\>wevtutil gl <log name>
    The same information is available in the following Registry key on a Vista system:
    • HKEY_LOCAL_MACHINE\System\ControlSet00x\Services\EventLog\<log name>
  • Vista Event Logs: Screenshots
    Output of wevtutil el; output of wevtutil gl system
  • IIS Logs
    Use the logs generated by the web server to investigate attacks on an IIS web server
    IIS web server logs are kept under the %WinDir%\System32\LogFiles directory, in a sub-directory per site (W3SVC<site id>, e.g. W3SVC1 for the default web site)
    The log files are ASCII text, so they are easily opened and searched
    Parse each entry of the log for relevant information, using the column headers (the #Fields: directive) as the key
  • Parsing IIS Logs
    Manage and configure IIS through the IIS Management Console, only on a system that has IIS installed and running
    Access the console by choosing either:
    • Start → Run → type iis.msc or inetmgr
    • Start → Control Panel → Administrative Tools → Internet Services Manager
    Search the logs, which are stored as exyymmdd.log and created daily by default, where:
    • yymmdd is the year, month and day (by default the UTC date, since IIS logs time in UTC)
    • ex refers to the W3C extended format
    Each field name of the log is prefixed with letters meaning:
    • c = client
    • s = server
    • cs = client to server
    • sc = server to client
  • Parsing IIS Logs (cont’d)
    IIS log fields used in the W3C extended log file format:
    Field Name      | Description                                                                                        | Logged by Default
    date            | Date on which the activity occurred                                                                | Yes
    time            | Time at which the activity occurred, expressed in UTC (GMT)                                        | Yes
    c-ip            | IP address of the client making the request                                                        | Yes
    cs-username     | Username of the authenticated user who accessed the server; anonymous users are shown as a hyphen  | Yes
    s-sitename      | Internet service name and instance number that served the request                                  | No
    s-computername  | Name of the server generating the log entry                                                        | No
    s-ip            | IP address of the server on which the log file was generated                                       | Yes
    s-port          | Server port number used for the connection                                                         | Yes
    cs-method       | Action requested by the client, most often GET                                                     | Yes
    cs-uri-stem     | Target of the client’s action (default.htm, index.htm, etc.)                                       | Yes
    cs-uri-query    | Query, if any, sent by the client (used when passing data to a server-side script)                 | Yes
    sc-status       | HTTP status code sent by the server to the client                                                  | Yes
    sc-win32-status | Windows status code returned by the server                                                         | No
    sc-bytes        | Number of bytes the server sent to the client                                                      | No
    cs-bytes        | Number of bytes the server received from the client                                                | No
    time-taken      | Time the requested action took, in milliseconds                                                    | No
    cs-version      | Protocol version (HTTP or FTP) the client used                                                     | No
    cs-host         | Host header value, if any                                                                          | No
    cs(User-Agent)  | Browser type used by the client (reported by the client, so trivially spoofed)                     | Yes
    cs(Cookie)      | Content of the cookie (sent or received), if any                                                   | No
    cs(Referer)     | Site last visited by the user, which provided the link to this server (the field keeps HTTP’s “Referer” spelling) | No
    sc-substatus    | Sub-status error code                                                                              | Yes
    Empty fields are written as a hyphen, and spaces inside a field value are replaced with “+”.
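    The W3C format is simple enough to parse by hand, and doing so lets the examiner run the same checks over every day's file. The Python below is an added example and not EC-Council's code: parse_w3c reads the #Fields: directive (re-reading it each time it appears, because IIS writes a fresh header block after every service restart), and flag_requests applies two heuristics to the decoded request (directory traversal, including the double-encoded and overlong-UTF-8 forms, and a crude SQL-injection pattern) and notes whether the request succeeded, since a 200 on an attack request is the one to chase. The log lines, addresses and paths are constructed for the example; the same parser handles the FTP logs described next, which differ only in field set.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout of an IIS 6 exyymmdd.log: times are UTC, "-" marks an
# empty field, and spaces inside a value are written as "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-02-02 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-02-02 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-02-02 00:00:07 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 404 0 2
2007-02-02 00:00:09 10.0.0.5 GET /login.asp user=%27+OR+1=1-- 80 - 198.51.100.7 Mozilla/4.0 500 0 0
2007-02-02 00:00:12 10.0.0.5 POST /upload.asp - 80 alice 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-02-02 00:01:00 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields, rows = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # a new header block may change the field set
            continue
        if fields is None:
            raise ValueError("line %d: data before any #Fields: directive" % lineno)
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("line %d: %d values for %d fields" % (lineno, len(values), len(fields)))
        rows.append(dict(zip(fields, values)))
    return rows


# Raw and decoded forms are both checked: the traversal tricks live in the encoding itself.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e|%c0%af|%255c", re.I)
SQLI = re.compile(r"(?:'|%27)\s*(?:or|and)\b|--\s*$|union\s+select", re.I)   # heuristic only


def decoded_target(row):
    """cs-uri-stem?cs-uri-query, URL-decoded twice (to undo double encoding), '+' back to space."""
    target = row["cs-uri-stem"]
    if row.get("cs-uri-query", "-") != "-":
        target += "?" + row["cs-uri-query"]
    return unquote(unquote(target)).replace("+", " ")


def flag_requests(rows):
    findings = []
    for r in rows:
        raw = r["cs-uri-stem"] + " " + r.get("cs-uri-query", "-")
        dec = decoded_target(r)
        reasons = []
        if TRAVERSAL.search(raw) or TRAVERSAL.search(dec):
            reasons.append("traversal")
        if SQLI.search(dec):
            reasons.append("sqli")
        if reasons:
            findings.append({
                "time": r["date"] + " " + r["time"] + "Z",        # IIS logs in UTC
                "c-ip": r["c-ip"],
                "status": r["sc-status"],
                "succeeded": r["sc-status"].startswith("2"),
                "reasons": reasons,
                "request": dec,
            })
    return findings


def by_client(findings):
    """Flagged requests per source address, most active first."""
    counts = {}
    for f in findings:
        counts[f["c-ip"]] = counts.get(f["c-ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for f in flag_requests(parse_w3c(SAMPLE_LOG)):
        print(f["time"], f["c-ip"], f["status"], f["reasons"], f["request"])
```

    The patterns are deliberately narrow; widen them with the attack classes relevant to the case, and remember that cs-username is only populated for authenticated requests and that the client-supplied User-Agent proves nothing.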
  • Parsing FTP Logs
    FTP stands for File Transfer Protocol; an FTP server sends and receives files using FTP
    FTP logs use the same W3C extended format but do not record the following fields:
    • cs-uri-query
    • cs-host
    • cs(User-Agent)
    • cs(Cookie)
    • cs(Referer)
    • sc-substatus
    FTP logs are stored in:
    • %WinDir%\System32\LogFiles\MSFTPSVC1\exyymmdd.log
  • Parsing FTP Logs (cont’d)
    In FTP logs the sc-status field holds FTP reply codes, not HTTP status codes:
    Reply Code | Description
    1xx        | Positive preliminary replies
    120        | Service ready in nnn minutes
    125        | Data connection already open; transfer starting
    150        | File status okay; about to open data connection
    2xx        | Positive completion replies
    202        | Command not implemented, superfluous at this site
    211        | System status, or system help reply
    212        | Directory status
    213        | File status
    214        | Help message
    215        | NAME system type, where NAME is an official system name from the list in the Assigned Numbers document
    220        | Service ready for new user
    221        | Service closing control connection; logged out if appropriate
    225        | Data connection open; no transfer in progress
    226        | Closing data connection; requested file action successful (for example, file transfer)
    227        | Entering passive mode
    230        | User logged in, proceed
    250        | Requested file action okay, completed
  • Parsing DHCP Server Logs
    In DHCP, an IP address is dynamically assigned to a host on request
    The server provides the DHCP-assigned IP address for a period called a lease
    DHCP server audit logs are stored in the following location by default:
    • %SystemRoot%\System32\DHCP
    One log is kept per day of the week and overwritten the following week, in the format:
    • DhcpSrvLog-XXX.log (XXX = Mon, Tue, …)
    Because of this rotation only about a week of lease history survives on the server, so collect the logs promptly
  • Parsing DHCP Server Logs (cont’d)
    DHCP log format:
    Field       | Description
    ID          | DHCP server event ID code (the log’s own header lists the codes, e.g. 10 = new lease, 11 = renewal, 12 = release)
    Date        | Date on which this entry was logged by the DHCP service (format follows the server locale)
    Time        | Time at which this entry was logged by the DHCP service (local system time zone)
    Description | Description of this DHCP server event
    IP Address  | IP address leased to the client
    Host Name   | Host name of the DHCP client to which the IP address is leased
    MAC Address | Media access control (MAC) address of the network adapter (NIC) of the client to which the IP address is leased
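    The question an investigator actually asks of a DHCP log is “which machine held this address at this time?”, and answering it means replaying the lease events rather than grepping for the address. The Python below is an added example, not EC-Council's: parse_dhcp_log skips the preamble, reads the CSV section and parses the local timestamps (MM/DD/YY is assumed; change DATE_FORMAT for the server's locale), and lease_holder replays new-lease/renewal/release events for one address up to the moment of interest. The log content, host names and MAC addresses are constructed; the event-ID meanings (10/11/12 start or end a lease, 16/17 deleted or expired, 20/21 BOOTP leases) come from the DHCP audit log's own header rather than from this slide.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the layout of DhcpSrvLog-Fri.log: a preamble, then a CSV header
# line and the entries. Times are local server time; dates are MM/DD/YY here.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.
12\tA lease was released by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/02/07,00:00:03,Started,,,
10,02/02/07,08:15:22,Assign,192.0.2.10,wks-alice.corp.example,000C29A1B2C3
11,02/02/07,12:15:22,Renew,192.0.2.10,wks-alice.corp.example,000C29A1B2C3
12,02/02/07,13:02:41,Release,192.0.2.10,wks-alice.corp.example,000C29A1B2C3
10,02/02/07,13:05:10,Assign,192.0.2.10,unknown-host,00E04C112233
10,02/02/07,13:09:55,Assign,192.0.2.11,wks-bob.corp.example,000C29D4E5F6
"""

LEASE_START = {10, 11, 20, 21}   # new lease, renewal, BOOTP lease, dynamic BOOTP lease
LEASE_END = {12, 16, 17}         # released, deleted, expired
DATE_FORMAT = "%m/%d/%y %H:%M:%S"  # assumption: US-locale server; adjust to match the log


def parse_dhcp_log(text, date_format=DATE_FORMAT):
    """Return the entries as dicts with a parsed datetime, oldest first, skipping the preamble."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("ID,Date,Time"))
    except StopIteration:
        raise ValueError("no ID,Date,Time header found")
    entries = []
    for row in csv.DictReader(StringIO("\n".join(lines[start:]))):
        try:
            event_id = int(row["ID"])
        except (ValueError, TypeError):
            continue  # malformed line: keep the rest of the day rather than abort
        entries.append({
            "id": event_id,
            "when": datetime.strptime(row["Date"] + " " + row["Time"], date_format),
            "description": row["Description"],
            "ip": row["IP Address"],
            "host": row["Host Name"],
            "mac": (row["MAC Address"] or "").upper(),
        })
    entries.sort(key=lambda e: e["when"])
    return entries


def lease_holder(entries, ip, at):
    """(MAC, host name) that held `ip` at local time `at` (datetime or ISO string), or None.
    Replays lease start/end events for that address up to the moment of interest."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    holder = None
    for e in entries:
        if e["ip"] != ip or e["when"] > at:
            continue
        if e["id"] in LEASE_START:
            holder = (e["mac"], e["host"])
        elif e["id"] in LEASE_END:
            holder = None
    return holder


def lease_history(entries, mac):
    """Every lease start recorded for a MAC, as (time, ip) pairs."""
    mac = mac.upper()
    return [(e["when"], e["ip"]) for e in entries if e["mac"] == mac and e["id"] in LEASE_START]


if __name__ == "__main__":
    evs = parse_dhcp_log(SAMPLE_LOG)
    print(lease_holder(evs, "192.0.2.10", "2007-02-02T12:30:00"))
    print(lease_holder(evs, "192.0.2.10", "2007-02-02T13:30:00"))
```

    Because the log is in local time while IIS logs and event-record timestamps are UTC, convert before correlating; a lease that appears to start after the web request may simply be a time-zone offset.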
  • Parsing Windows Firewall Logs
    When logging is enabled, Windows Firewall writes its log to %SystemRoot%\pfirewall.log by default
    The firewall’s configuration is held in the WMI repository file objects.data, located in:
    • %SystemRoot%\System32\wbem\Repository\FS
    The log file starts with a header that describes the software and version, the time format, and the fields (a #Fields: line, as in IIS logs), followed by one line per logged packet or connection event
  • Using the Microsoft Log Parser
    Use the Log Parser tool to query log files, event logs, XML files and CSV files with SQL-like queries
    Every Log Parser command has three parts:
    • The input type, -i: (inferred from the FROM clause when omitted)
    • The output type, -o:
    • The query
    Example, which reads the System event log and displays the result in a grid:
    • LogParser.exe -o:DATAGRID "select * from system"
  • Log Parser: Screenshots
    Log Parser output (command prompt); Log Parser output (GUI)
  • Evaluating Account Management Events
    Account management events record changes made to accounts and group membership. This includes:
    • Creation
    • Deletion
    • Disabling of accounts
    • Modifying which accounts belong to which groups
    • Account lockouts
    • Account reactivations
    Enable auditing of account management events on a Windows system to detect the activities attackers perform after gaining access (creating backdoor accounts, adding accounts to privileged groups)
  • Evaluating Account Management Events (cont’d)
    The description of an event consists of:
    • A summary of the type of action
    • The account that performed the action, listed in the Caller User Name field
    • The account added or removed, shown in the Member ID field
    • The group affected, listed as the Target Account Name
  • Evaluating Account Management Events (cont’d)
    Group membership event IDs (Windows 2000/XP/2003 Security log):
    Event ID | Action Indicated
    632      | Member added to global security group
    633      | Member removed from global security group
    636      | Member added to local security group
    637      | Member removed from local security group
    650      | Member added to local distribution group
    651      | Member removed from local distribution group
    655      | Member added to global distribution group
    656      | Member removed from global distribution group
    660      | Member added to universal security group
    661      | Member removed from universal security group
    665      | Member added to universal distribution group
    666      | Member removed from universal distribution group
    Security-group changes (632/633, 636/637, 660/661) alter access rights; distribution-group changes affect only e-mail distribution
  • Examining Audit Policy Change Events
    Modifications to the audit policy are recorded as Event ID 612 entries
    Locate the audit policies at:
    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
    In the event description, ‘+’ symbols indicate which event categories are audited and ‘–’ symbols show which are not
    A 612 event shortly before suspicious activity can mean the attacker reduced or disabled auditing to cover their tracks
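    Reading these events one at a time misses the pattern; what matters is the sequence. The Python below is an added example (not EC-Council's code) that reviews the group-membership additions in an export of account-management events and flags three things: the target group is privileged, the same caller changed the audit policy (612) within a window before the add, and the member was removed again within a window after the add, a transient elevation that a simple “who is in Administrators now” check would never see. The export format (tab-separated time, event ID, caller, target group, member) is this example's own and the rows are constructed; map the columns onto whatever your export tool produces.

```python
from datetime import datetime, timedelta

# Constructed export of Security-log account-management events, one per line:
# time, event ID, Caller User Name, Target Account Name (the group), Member ID.
SAMPLE_EVENTS = """\
2007-02-02 01:10:05\t612\tjdoe\t-\t-
2007-02-02 01:12:40\t636\tjdoe\tAdministrators\tWKS01\\svc_backup
2007-02-02 01:14:02\t636\tjdoe\tRemote Desktop Users\tWKS01\\svc_backup
2007-02-02 01:20:30\t637\tjdoe\tAdministrators\tWKS01\\svc_backup
2007-02-02 09:00:00\t636\thelpdesk\tUsers\tCORP\\newhire
"""

AUDIT_POLICY_CHANGE = 612
GROUP_ADD = {632: 633, 636: 637, 660: 661}   # add event -> its matching remove event (global, local, universal)
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
WINDOW = timedelta(minutes=15)                # assumption for the example; tune to the case


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, caller, target, member = line.split("\t")
        events.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), "id": int(event_id),
                       "caller": caller, "group": target, "member": member})
    events.sort(key=lambda e: e["when"])
    return events


def review_group_changes(events, window=WINDOW):
    """Flag security-group additions that look like post-compromise activity."""
    findings = []
    for i, e in enumerate(events):
        if e["id"] not in GROUP_ADD:
            continue
        reasons = []
        if e["group"].lower() in PRIVILEGED_GROUPS:
            reasons.append("privileged_group")
        # Same caller changed the audit policy shortly before adding someone to a group.
        if any(p["id"] == AUDIT_POLICY_CHANGE and p["caller"] == e["caller"]
               and e["when"] - window <= p["when"] <= e["when"] for p in events[:i]):
            reasons.append("after_audit_policy_change")
        # The same member was taken out of the same group again within the window.
        if any(r["id"] == GROUP_ADD[e["id"]] and r["group"] == e["group"] and r["member"] == e["member"]
               and e["when"] < r["when"] <= e["when"] + window for r in events[i + 1:]):
            reasons.append("reverted_within_window")
        if reasons:
            findings.append({"time": e["when"].isoformat(sep=" "), "caller": e["caller"],
                             "member": e["member"], "group": e["group"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_group_changes(parse_events(SAMPLE_EVENTS)):
        print(f["time"], f["caller"], "added", f["member"], "to", f["group"], f["reasons"])
```

    The local-group IDs apply to workstations and member servers; on a domain controller the same logic runs over the global and universal IDs, and on Vista and later the IDs change (add 4096 for the post-2000 equivalents is not a safe rule; look them up), so keep the tables per platform.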
  • Examining System Log Entries
    The System log contains information relevant to a network investigation: changes made to the
    • Operating system
    • Hardware configuration
    • Device driver installation
    • Starting and stopping of services
  • Examining Application Log Entries
    The Application event log contains messages from the operating system and from various programs
    Use the logevent.exe program to send custom messages to the Application event log
    To navigate to the Application log entries:
    • Start → Settings → Control Panel → Administrative Tools → Event Viewer → Application
  • Using EnCase to Examine Windows Event Log Files
    EnCase can parse Windows event log files using an EnScript. Reasons to use EnCase are:
    • It keeps the processed information within the forensic environment
    • It does not rely on the Windows API to process the event logs
    • It can process event logs that Event Viewer reports as “corrupt”
  • EnCase: Screenshot
  • Windows Event Log Files Internals
    The Windows event log files are databases of records relating to the system, security and applications
    The System log is stored in a file named SysEvent.evt
    The Security log is stored in a file named SecEvent.evt
    The Application log is stored in a file named AppEvent.evt
    Windows event logs are stored in:
    • %SystemRoot%\system32\config
  • Windows Event Log Files Internals (cont’d)
    Windows event log field names (as exposed by Log Parser’s EVT input format) and where each is pulled from:
    Field Name        | Data Pulled From
    EventLog          | Name of the file or other source being queried
    RecordNumber      | Event file entry – field 2
    TimeGenerated     | Event file entry – field 3, converted to local system time
    TimeWritten       | Event file entry – field 4, converted to local system time
    EventID           | Event file entry – field 5
    EventType         | Event file entry – field 8
    EventTypeName     | Generated by looking up the associated event type number
    EventCategory     | Event file entry – field 10
    EventCategoryName | Generated by looking up the associated event category number
    SourceName        | Event file entry – field 12
    Strings           | Event file entry – field 17, with the 0x0000 separator replaced by the pipe symbol
    ComputerName      | Event file entry – field 13
    SID               | Event file entry – fields 14–16
    Message           | Generated from the data in the Strings section and information contained in the source’s message DLLs
    Data              | Event file entry – field 18
    Note that the times are converted to the local time of the analysis machine; the values in the file are UTC
  • Understanding Windows Password Storage
    Windows systems store user account and password data in either:
    • The Security Account Manager (SAM) database (local accounts), or
    • Active Directory (domain accounts)
    The SAM file is located in the %SystemRoot%\System32\Config folder
    A password is run through a specific algorithm and converted into a fixed-length value (a hash); the password itself is not stored
    Windows operating systems use two different hash functions and store two different hash values for each account:
    • NT LanMan (NTLM) hash, usually called the NT hash
    • LanMan (LM) hash
  • Cracking Windows Passwords Stored on Running Systems
    Password cracking is the process of taking a password hash and attempting to determine the password that produced it. The process is:
    • Guess a possible password
    • Generate the hash of the guess using the same hashing algorithm used by the target system
    • Compare the hash of the guess to the hash of the target account
    • If they match, stop; otherwise start over with the next guess
    Because neither Windows hash is salted, one computed hash can be compared against every account in a dump at once
  • Exploring Windows Authentication Mechanisms
    Windows systems use the following authentication mechanisms to access remote computers:
    • LanMan authentication: relies on the LM hash to determine whether a remote user has provided a valid username/password combination. The LM hash is computed over the password converted to upper case and padded or truncated to 14 characters, split into two 7-character halves, which is why it is so weak
    • NTLM authentication: relies on the NT hash, which is calculated across the entire, case-sensitive password and results in a 16-byte hash
    • Kerberos: verification of the user’s identity takes place between the Domain Controller (acting as KDC) and the client
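    The cracking loop described two slides earlier (guess, hash with the target's algorithm, compare) and the NT hash described here can be shown end to end in a few dozen lines. The Python below is an added example, not EC-Council's code: md4 is a pure-Python RFC 1320 implementation (hashlib's md4 is often unavailable under OpenSSL 3), nt_hash computes MD4 over the UTF-16LE password (the NT hash algorithm), and crack_dump runs a wordlist with simple case mangling against every account in a constructed {user: hash} dump at once, which is what the lack of a salt permits. The Administrator entry is the well-known NT hash of “password”; the other accounts, hashes and the wordlist are constructed for the example.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """MD4 per RFC 1320 (pure Python)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for i in range(16):                                   # round 1
            j = (-i) % 4
            v[j] = _rotl((v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[i]) & MASK,
                         (3, 7, 11, 19)[i % 4])
        for i in range(16):                                   # round 2
            j = (-i) % 4
            v[j] = _rotl((v[j] + g(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                          + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):                                   # round 3
            j = (-i) % 4
            v[j] = _rotl((v[j] + h(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                          + x[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = (a + v[0]) & MASK, (b + v[1]) & MASK, (c + v[2]) & MASK, (d + v[3]) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT (NTLM) hash: MD4 over the UTF-16LE password. Case-sensitive, unsalted, 16 bytes."""
    return md4(password.encode("utf-16-le")).hex()


def candidates(word):
    """Cheap case mangling; each variant is a distinct guess because the NT hash is case-sensitive."""
    seen = []
    for c in (word, word.lower(), word.capitalize(), word.upper()):
        if c not in seen:
            seen.append(c)
    return seen


def crack_nt(target_hex, wordlist):
    """Guess -> hash with the target's algorithm -> compare; returns the password or None."""
    target = target_hex.lower()
    for word in wordlist:
        for guess in candidates(word):
            if nt_hash(guess) == target:
                return guess
    return None


def crack_dump(dump, wordlist):
    """Run the wordlist once against every account in a {user: nt_hash} dump.
    With no salt, each computed guess is looked up against all accounts at once."""
    wanted = {}
    for user, h in dump.items():
        wanted.setdefault(h.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        for guess in candidates(word):
            for user in wanted.get(nt_hash(guess), ()):
                cracked.setdefault(user, guess)
    return cracked


# Constructed dump: user -> NT hash. The Administrator value is the well-known hash of "password".
SAMPLE_DUMP = {
    "Administrator": "8846f7eaee8fb117ad06bdd830b7586c",
    "svc_backup": nt_hash("Backup2007"),
    "alice": nt_hash("correct horse battery staple"),
}
SAMPLE_WORDLIST = ["letmein", "password", "backup2007", "welcome1"]

if __name__ == "__main__":
    print(crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST))
```

    A real cracker does the same thing with a compiled hash routine and rule-based mangling; the point here is that the algorithm is public, fast and unsalted, so the only defence the hash offers is the password's own strength.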
  • Sniffing and Cracking Windows Authentication Exchanges
    If an attacker can monitor the communication between the victim’s system and the remote system, he or she can sniff the authentication exchange (challenge and response) and use it to crack the user’s password
    Windows systems use the Server Message Block (SMB) protocol to share files across the network; the LM/NTLM challenge-response travels inside the SMB session setup
  • Cracking Offline Passwords
    Use tools to extract the password hashes from the SAM file and feed them to a password cracker; the hashes in the SAM are encrypted with the boot key (SYSKEY) held in the SYSTEM hive, so both hives are needed for offline extraction
    Files with the encrypted attribute set are encrypted with EFS before being stored
    Recovering the user’s password in this way is one technique for defeating the Windows Encrypting File System (EFS), since the user’s EFS private key is protected by that password
  • Windows Forensics Tool: Helix
    Helix is a customized distribution of the Knoppix Live Linux CD
    You can boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection, and many applications dedicated to incident response and forensics
    Helix also has a special Windows autorun side for incident response and forensics
    Helix focuses on incident response and forensics tools
  • Windows Forensics Tool: Helix (cont’d)
    Helix operates in two different modes: Windows and Linux
    In Windows mode it runs as a standard Windows application used to collect information from a “live” (still turned on and logged in) Windows system; because it runs on the suspect system it changes that system’s state (processes, memory, prefetch), so document what was run and when
  • Tools Present in the Helix CD for Windows Forensics
    • Windows Forensics Toolchest (WFT)
    • Incident Response Collection Report (IRCR2)
    • First Responder’s Evidence Disk (FRED)
    • First Responder Utility (FRU)
    • Security Reports (SecReport)
    • MD5 Generator
    • Command Shell
    • File Recovery – recover deleted files
    • Rootkit Revealer
    • VNC Server
    • PuTTY SSH
    • Screen Capture
    • Messenger Password
    • Mail Password Viewer
    • Protected Storage Viewer
    • Network Password Viewer
    • Registry Viewer
    • Asterisk Logger
    • IE History Viewer
    • IE Cookie Viewer
    • Mozilla Cookie Viewer
  • Helix: Screenshots 1–5
  • Helix Tool: SecReport
    SecReport is a small suite of two command-line tools: SecReport collects security-related information from a Windows-based system, and Delta compares any two reports, either from two systems or from the same system at two points in time
    The report generated by SecReport shows the following information:
    • Network configuration
    • Audit policy
    • Event log configuration
    • Services
    • Applications
    • Hotfixes
    • Open ports
    • Page file settings
    • Hardware
    • Processors
    • Fixed disks
  • Helix Tool: Windows Forensic Toolchest (WFT)
    The Windows Forensic Toolchest (WFT) was written to provide automated incident response on a Windows system and to collect security-relevant information from it
    It is essentially a forensically enhanced batch-processing shell capable of running other security tools and producing HTML-based reports
    WFT should be run from a CD, with its own trusted copies of the tools, to ensure the forensic integrity of the evidence it collects
  • WFT: Screenshots 1–4
    It logs every action it takes as part of running commands
    WFT saves a copy of every tool’s raw output in addition to the HTML reports it generates
  • Built-in Tool: Sigverif
    Sigverif (File Signature Verification) displays all the unsigned drivers and related files on the computer
    A signed file attests to the authenticity and integrity of the file as released by its publisher
    Most driver files are signed by the operating system manufacturer, such as Microsoft
    Unsigned driver files can indicate infected or malicious driver files placed by attackers; a signature is not proof that a file is clean, but an unsigned system driver deserves a closer look
    Sigverif helps in finding the unsigned files present on the system
  • Word Extractor
    Forensic tool that extracts human-readable words (strings) from binary files
    Helps in many ways, such as finding a cheat in a game, finding hidden text, or passwords in a file (exe, bin, dll), etc.
  • Registry Viewer Tool: RegScanner
    RegScanner is a small utility that scans the Registry, finds the Registry values that match the specified search criteria, and displays them in one list. Features:
    • It displays the entire search result at once, so you do not have to press F3 to find the next value
    • In addition to the standard string search, RegScanner can find Registry values by data length, value type (REG_SZ, REG_DWORD, etc.), and by the modified date of the key
    • It can find a Unicode string located inside a binary value
    • It allows a case-sensitive search
    • While scanning the Registry, it displays the Registry key currently being scanned
  • RegScanner: Screenshots 1–2
  • Tool: Pmdump
    PMDump is a tool that dumps the memory contents of a process to a file without stopping the process
    The name stands for Post Mortem Dump; the dump is saved on a secondary storage medium such as magnetic tape or disk for later analysis
  • Tool: System Scanner
    System Scanner can fetch more specific information about processes, such as the IDs of all threads and handles to DLLs; it can suspend specific threads of a specific process and view the process’ virtual memory
    The user can either dump the virtual memory or draw a memory map
  • System Scanner: Screenshot
  • Integrated Windows Forensics Software: X-Ways Forensics
    X-Ways Forensics is an advanced work environment for computer forensic examiners. Features:
    • Views and dumps physical RAM and the virtual memory of running processes
    • Clones and images disks, even under DOS with X-Ways Replica
    • Examines the complete directory structure inside raw image files, even when spanned over several segments
    • Native support for FAT, NTFS, Ext2/3, CDFS and UDF
    • Various data recovery techniques and file carving (hundreds of file signatures can be imported from FileSig)
    • Gathers slack space, free space, inter-partition space and generic text from drives and images
  • X-Ways Forensics: Screenshot
  • Tool: Traces Viewer
    Traces Viewer is a tool that lets you view all images, Flash movies, pages and other media files cached by the Internet Explorer browser
    It can also remove all the web traces left by Internet Explorer on the computer, an anti-forensic capability to keep in mind when the tool is found on a suspect system
  • Traces Viewer: Screenshots (Images, Pages, Other, Cookies)
  • CD-ROM Bootable Windows XP
    Methods to create a bootable CD-ROM for Windows XP:
    • Bart PE (Bart’s Preinstalled Environment)
      • Provides a complete Win32 environment with network support
      • Rescues files to a network share, virus scanning, etc.
    • Ultimate Boot CD
      • Provides shared Internet access
      • Can modify NTFS volumes
      • Recovers deleted files
      • Creates new NTFS volumes, virus scanning, etc.
    Booting a suspect machine from such a CD avoids running the installed (possibly compromised) operating system, but mounting its volumes read/write alters the evidence; use a write blocker or read-only mounts
  • Bart PE: Screenshot
  • Ultimate Boot CD-ROM: Screenshot
  • List of Tools in UB CD-ROM (screenshots, five slides)
  • Summary
    Live system activity notification is important for responders and investigators
    In live response, the data collected is the data that will change within a short span of time (volatile data)
    Several Registry values and settings can affect the forensic analysis
    Analyzing the contents of RAM helps the investigator find what has been hidden
    The pmdump.exe tool dumps the contents of a process’ memory without stopping the process
    Registry analysis provides more information to the investigator during live response
    The logs generated by the web server are used to investigate attacks on an IIS web server