Kush Wadhwa - Mining Digital Evidence in Windows - ClubHack2009



  1. Advanced Digital Forensics

  2. Agenda
     - What is computer forensics?
     - Gathering evidence from Windows memory
     - Advanced registry forensics
     - Analyzing network data to collect evidence

  3. Computer Forensics: the laws
     - First Law of Computer Forensics: there is evidence of every action.
     - Harlan Carvey's Corollary: once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.

  4. Tip of the "Digital" Iceberg
     - Data as seen by a casual observer using common tools (Explorer window, cmd shell, web browser, etc.).
     - Data as seen by a forensic investigator using a sophisticated toolkit. May include deleted data, hidden data, unauthorized information and records of illegal activity!

  5. Windows Memory Forensics
     - Extracting Windows login credentials from a RAM image.
     - Extracting running processes.
     - Extracting UserAssist keys from RAM.
     - Viewing registry keys for all open processes.

  6. Extracting Windows login credentials from a RAM image
     Volatility modules used:
     - hivescan: python volatility hivescan -f <filename>
     - hivelist: python volatility hivelist -f <filename> -o <offset value>
     - hashdump: python volatility hashdump -f <filename> -y <System hive offset> -s <SAM hive offset>
     - Use Cain & Abel to crack the hashes obtained.

  7. Extracting UserAssist keys from RAM
     - Load the image in EnCase and search for the keyword HRZR_EHACNGU (which is "UEME_RUNPATH" in ROT13). Keyword patterns:
       HRZR_EHACNGU.*[.]rkr
       HRZR_EHACNGU.*[.]yax
     - Decode the results with a ROT13 decoder.

  8. Advanced Registry Forensics

  9. Windows Registry
     - Registry files are essentially databases containing information and settings for:
       - Hardware
       - Software
       - Users
       - Preferences
     - A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
     - In Windows 98, the registry files are named User.dat and System.dat.
     - In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.
     - In Windows XP, the registry files are found in the C:\Windows\System32\config folder.

  10. Mining the Windows Registry
     Multiple forensic avenues in the registry!
     - System and user-specific settings
     - UserAssist
     - MuiCache
     - MRU lists
     - ProgramsCache
     - StreamMRU
     - Shellbags
     - USBStor
     - IE passwords
     - and many more!

  11. Mining the Windows Registry
     Multiple forensic avenues in the registry!
     - System and user-specific settings: NTUSER.DAT
     - UserAssist: HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist
     - MuiCache: HKCU/Software/Microsoft/Windows/ShellNoRoam/MUICache
     - MRU lists: HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU
     - ProgramsCache: HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/StartPage
     - StreamMRU: HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/StreamMRU
     - Shellbags: HKCU/Software/Microsoft/Windows/Shell/BagMRU
     - USBStor: HKLM/System/CurrentControlSet/Enum/USBStor
     - and many more!
     Demo

  12. Tools to analyze the registry
     - RegRipper (open-source tool developed by Harlan Carvey, written in Perl)
     - Windows Registry Analyzer
     - Windows Registry Recovery
     - Timestamp DCode

  13. Network Forensics

  14. The Security Process and Network Forensics

  15. Overall approach
     - Study the network architecture.
     - Determine the network traffic capture mechanisms at appropriate points and get a copy of the capture file.
     - Determine which devices should or could be generating logs, especially those pertinent to the case at hand.
     - Determine the vendors of these devices.
     - Determine the logging functionality and logging configuration.
     - Assemble appropriate log analysis tools and define the objectives of the analysis:
       - String searches
       - Pattern searches

  16. Tools for analyzing captured network traffic
     - NetworkMiner
     - NetWitness
     - Wireshark
     - WinHex

  17. Case study of network forensics

  18. Thank you! Questions and answers!!
     - Kush Wadhwa, EnCE, CEH, RHCE
     - Contact number: +919717188544
     - Email address: kushwadhwa@gmail.com
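The UserAssist keyword search from slide 7, as an added example that is not part of the original deck: it runs the slide's two ROT13 keyword patterns (HRZR_EHACNGU is UEME_RUNPATH, .rkr is .exe, .yax is .lnk) over a constructed stand-in for a memory image, in both ASCII and UTF-16LE since registry strings in RAM can be stored either way, and ROT13-decodes each hit the way a decoder step after EnCase would. The image bytes and the value names in it are constructed for the example.

```python
import codecs
import re

# The slide's EnCase keywords are the ROT13 forms: "HRZR_EHACNGU" is "UEME_RUNPATH",
# ".rkr" is ".exe" and ".yax" is ".lnk".  A plain search for "UEME_RUNPATH" finds nothing.
PREFIX = "HRZR_EHACNGU"
SUFFIXES = (".rkr", ".yax")


def _patterns(prefix, suffix):
    """Compile one keyword as an ASCII regex and as a UTF-16LE regex (each char + NUL)."""
    ascii_re = re.escape(prefix.encode()) + rb"[^\x00]*?" + re.escape(suffix.encode())
    wide = lambda s: b"".join(bytes([ord(c), 0]) for c in s)
    wide_re = re.escape(wide(prefix)) + rb"(?:[^\x00]\x00)*?" + re.escape(wide(suffix))
    return (re.compile(ascii_re), "latin-1"), (re.compile(wide_re), "utf-16-le")


def find_userassist_entries(image):
    """Return [(offset, encoding, decoded_name)] for every UEME_RUNPATH hit in the image."""
    hits = []
    for suffix in SUFFIXES:
        for regex, enc in _patterns(PREFIX, suffix):
            for m in regex.finditer(image):
                raw = m.group().decode(enc)          # still ROT13-encoded at this point
                hits.append((m.start(), enc, codecs.decode(raw, "rot_13")))
    return sorted(hits)


# Constructed stand-in for a RAM image: ROT13 UserAssist value names among filler bytes,
# one stored as ASCII and the rest as UTF-16LE.  HRZR_PGYFRFFVBA (UEME_CTLSESSION) and
# HRZR_EHACVQY (UEME_RUNPIDL) are present to show that the keywords do not match them.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr\x00"
    + b"HRZR_PGYFRFFVBA\x00"
    + "HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Vagrearg Rkcybere\\vrkcyber.rkr".encode("utf-16-le") + b"\x00\x00"
    + "HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\hfre\\Qrfxgbc\\gbbyf.yax".encode("utf-16-le") + b"\x00\x00"
    + "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Pnyphyngbe.yax".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    for offset, enc, name in find_userassist_entries(SAMPLE_IMAGE):
        print(f"0x{offset:08x} [{enc}] {name}")
```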