If a Bear Breaks into Your Computer, and No One Is There to See It, Does It Leave A Clue? Incident Response, Forensics, and Looking for Bear Tracks. Troy Larson, Principal Forensics Program Manager, Network Security—Investigations. March 29, 2011
About This Presentation Overview Some forensic fundamentals. Dissecting Windows 7 for malware, compromise and intrusions.
What is Digital Forensics?  The identification, preservation, collection, analysis, examination, . . . , and presentation of digital data in a reliable manner. To collect admissible evidence. Authentication. Complete. To answer questions about data or files. Metadata. Context. To determine what has occurred on a system.
Digital Forensics in the Enterprise At least two general types of forensics work: Content focused. Find email, documents, graphics, or other types of files that match some criteria. eDiscovery and litigation support. Activity focused. Determine what somebody or something did on a computer system. Unauthorized activity. Malware. Compromise or intrusion.
Digital Forensics in the Enterprise When trust is questioned. Can this _______ still be trusted?
Forensics from XP to Vista
Default settings: NTFS, change journal.
Recycle Bin, no INFO2.
Built in volume and disk wiping.
SuperFetch & prefetch files.
Profile-based thumbcaches.*
Office file format changes .docx, .pptx, .xlsx.
New Office files—InfoPath, Groove, OneNote.
EFS encrypted pagefile.
Windows 2008 Hyper-V.
Built in Defender.
Changed location of boot sector.
BitLocker, unlocking, imaging, preservation.
exFAT. Transactional NTFS.
Event Logging changed.
New format: .evtx.
New system for collecting and displaying events.
New security event numbering.
New directory tree for account profiles.
Symbolic links. “Virtual” folders.
“Virtual” registries.
Volume Shadow Copies and difference files.
User Account Control.
Enforced signed drivers on x64.

Forensics from Vista to Windows 7
Updated BitLocker: multiple volumes, smart card keys, not backward compatible.
BitLocker To Go.
Virtual Hard drives—Boot from, mount as “Disks.”
Virtual PC—integrated into the OS.
XP Mode.
Flash Media Enhancements.
Libraries, Sticky Notes, Jump Lists.
Service and Driver triggers.
Fewer Services on default startup.
IE 8: InPrivate Browsing, tab and session recovery.
Changes in Volume Shadow Copy behavior.
New registry-like files.
Different WebDAV.
More x64 clients; Windows Server 2008 R2 is x64 only.
Changes in Hyper-V.
Office 2010 file format changes—OneNote.
Thumbnail Cache.
Virtual Servers, thin clients.
DirectAccess (IPsec).
Windows Search.
Forensics in Incident Response Incident response immediate goals: Technical assessment—what happened, when, how, etc.? Risk assessment—what systems or data at risk? Containment. Incident Response end goals: Remediation. Compliance. Prevention. Prosecution or litigation.
Forensics in Incident Response Where the evidence sits, from the top of the stack down:
Applications
RAM: processes, services, drivers, ports
Network
OS artifacts
File systems
Fvevol.sys (the BitLocker full-volume encryption filter, between the file system and the volume)
Partition and volume managers
Disk
Forensics in Incident Response Digital vivisection—collecting “live” data from a Windows system to determine what happened, when, and how. Memory dump. Processes. Services. Drivers. Logged on users. Ports. System reports on itself.
Forensics in Incident Response Digital autopsy—dissecting an offline Windows system to determine what happened, when, and how. File systems and file metadata. File signatures. Registry. Shell: links, jump lists. Wininet. Prefetch. Shadow Copies. Event and other logs.
Forensics in Incident Response Digital forensics heuristics. Any action on a computer changes something. Memory—programs, drivers, data, etc. Media—files and metadata. This includes the actions of incident responders. Not all changes persist, and those that do don’t have to persist forever. Data preservation should generally follow the order of volatility. There are rules governing the ways things work on any platform. Win32 APIs, NTFS, Security, etc. These rules generate artifacts—indicators of compromise.
Forensics in Incident Response Digital forensics practical heuristics. Compare the memory dump to Windows' own self-reporting. Compare the memory dump and self-reports to on-disk sources. Identify unknown files, mismatched files, and packed executables. Examine ASEPs for unexpected items. Examine Shell and Wininet data for indicators and correlations. Examine prefetch files for program launches and dependencies. Difference shadow copies to identify hidden files and infection times. Review event and other logs, particularly those reporting on the state of applications and the system.
Forensics in Incident Response Memory dumps Sometimes it is easy: all Microsoft code should have symbols.* In this WinDbg module listing (lm output), every loaded driver resolves to a PDB in the symbol store except two:
8d793000 8d79d000   nsiproxy     (private pdb symbols)  C:\debugger\sym\nsiproxy.pdb\05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680   msvmmouf     (private pdb symbols)  C:\debugger\sym\msvmmouf.pdb\234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000   mssmbios     (private pdb symbols)  C:\debugger\sym\mssmbios.pdb\9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980   mrxnet       (no symbols)
8d7ac000 8d7b0d80   mrxcls       (no symbols)
8d7b1000 8d7bd000   discache     (private pdb symbols)  C:\debugger\sym\discache.pdb\F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000   CompositeBus (private pdb symbols)  C:\debugger\sym\CompositeBus.pdb\0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000   AgileVpn     (private pdb symbols)  C:\debugger\sym\AgileVpn.pdb\9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000   rasl2tp      (private pdb symbols)  C:\debugger\sym\rasl2tp.pdb\F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
The two drivers with no symbols, mrxnet and mrxcls, are the ones to pull out and examine. Reference: http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf

Forensics in Incident Response Compare memory dumps to self-reported information.
Forensics in Incident Response Compare memory dumps and self-reported information to on-disk sources.
Forensics in Incident Response Memory dumps and self-reported information should be examined for the unknown: unknown processes, unknown services, unknown drivers, unknown ports, etc. Which raises the question: what counts as unknown? Build familiarity with a normal system, and keep a baseline.
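The memory-dump slide and the three comparison slides above describe one check: take the module list from the memory image, note what has no symbols, and compare it with what the system says about itself. The script below is an added example, not code from the slides. It parses WinDbg lm-style output (the sample is constructed to mirror the listing on the memory-dump slide, with the backslashes the page lost restored), flags modules that resolved no symbols, and reports every module that a constructed self-report (the driver names a live driverquery-style listing returned) fails to mention. The self-reported set and its omissions are assumptions made for the demonstration.

```python
"""Cross-check a WinDbg ``lm`` module listing against the system's self-report.

Added example, not part of the slides.  Parses ``lm``-style output, flags loaded
modules with no symbols, and lists modules the live system did not report.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: mirrors the listing on the slide (backslashes restored).
LM_OUTPUT = r"""
8d793000 8d79d000   nsiproxy   (private pdb symbols)  C:\debugger\sym\nsiproxy.pdb\05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680   msvmmouf   (private pdb symbols)  C:\debugger\sym\msvmmouf.pdb\234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000   mssmbios   (private pdb symbols)  C:\debugger\sym\mssmbios.pdb\9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980   mrxnet     (no symbols)
8d7ac000 8d7b0d80   mrxcls     (no symbols)
8d7b1000 8d7bd000   discache   (private pdb symbols)  C:\debugger\sym\discache.pdb\F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000   CompositeBus (private pdb symbols)  C:\debugger\sym\CompositeBus.pdb\0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000   AgileVpn   (private pdb symbols)  C:\debugger\sym\AgileVpn.pdb\9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000   rasl2tp    (private pdb symbols)  C:\debugger\sym\rasl2tp.pdb\F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
"""

# Constructed self-report (assumption): driver names the live host listed for
# itself, e.g. from ``driverquery``.  Note which two are missing.
SELF_REPORTED_DRIVERS = {
    "nsiproxy", "msvmmouf", "mssmbios", "discache",
    "CompositeBus", "AgileVpn", "rasl2tp",
}

# start end name (symbol status) [pdb path]; x64 addresses carry a backtick.
LM_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F`]{8,17})\s+(?P<end>[0-9a-fA-F`]{8,17})\s+"
    r"(?P<name>\S+)\s+\((?P<symbols>[^)]*)\)\s*(?P<path>\S.*)?$"
)


@dataclass(frozen=True)
class Module:
    name: str
    start: int
    end: int
    symbols: str
    pdb_path: Optional[str]

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_lm(text: str) -> List[Module]:
    """Parse ``lm`` output; lines that are not module rows are skipped."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue
        modules.append(Module(
            name=m["name"],
            start=int(m["start"].replace("`", ""), 16),
            end=int(m["end"].replace("`", ""), 16),
            symbols=m["symbols"].strip(),
            pdb_path=m["path"].strip() if m["path"] else None,
        ))
    return modules


def modules_without_symbols(modules: Iterable[Module]) -> List[str]:
    return [m.name for m in modules if m.symbols.lower() == "no symbols"]


def modules_not_self_reported(modules: Iterable[Module], reported: Iterable[str]) -> List[str]:
    """Modules present in the memory image but absent from the self-report."""
    known = {n.lower() for n in reported}
    return [m.name for m in modules if m.name.lower() not in known]


def triage(lm_text: str, reported: Iterable[str]) -> Dict[str, List[str]]:
    modules = parse_lm(lm_text)
    return {
        "no_symbols": modules_without_symbols(modules),
        "not_self_reported": modules_not_self_reported(modules, reported),
    }


if __name__ == "__main__":
    for key, names in triage(LM_OUTPUT, SELF_REPORTED_DRIVERS).items():
        print(f"{key}: {names}")
```

The two findings agree on the same pair of drivers: no symbols in the dump, and not in the system's own list. Either alone is a lead; both together are what the slides call a discrepancy worth chasing.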
• 62. Forensics in Incident Response To the media: identify and exclude known-good files. Industry standard: MD5 hash values of the operating system and application files. (MD5 collisions are practical, so match on SHA-1 or SHA-256 where the hash set carries them, and remember that a known-good set is only as trustworthy as the image it was built from.)
• 63. Forensics in Incident Response Known-good file hashes? http://www.nsrl.nist.gov/ (the NIST National Software Reference Library). Make your own as needed, from standard load images, patched and updated as the images are. Pre-incident shadow copies (technically not "known good," but good enough for finding files that are new since the snapshot, which are the potentially bad ones).
• 64. Forensics in Incident Response Recovery and scan of all files. Undelete what can be undeleted. Check the file signature (header bytes) of every file against its extension to identify mismatches, also known as a file signature/extension comparison. Scan binaries for "packed" code: compressed or encrypted PE sections, few imports, high entropy.
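The triage steps of slides 62 to 64 (drop known-good hashes, flag signature/extension mismatches, flag packed-looking binaries) as one added example; this is not code from the slides. The sample files and the one-row hash set are constructed in a temporary directory: the CSV follows the NSRL RDS column order ("SHA-1","MD5","CRC32","FileName","FileSize",...) but its content is made up, and the 7.0 bits-per-byte entropy threshold is an assumption chosen for the example.

```python
"""Triage recovered files: exclude known-good hashes, then flag file-signature
versus extension mismatches and a crude packed-code indicator.
Added example; the hash set and the files are constructed."""
import csv
import hashlib
import io
import math
import os
import tempfile

# Leading bytes -> coarse type, and the extensions that type legitimately uses.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\x89PNG", "png"), (b"PK\x03\x04", "zip")]
EXT_FOR = {"exe": {".exe", ".dll", ".sys", ".scr", ".cpl"}, "pdf": {".pdf"},
           "png": {".png"}, "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"}}


def load_known_good(csv_text):
    """Set of lower-case SHA-1 and MD5 digests from an RDS-style CSV."""
    known = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or row[0] == "SHA-1":
            continue
        known.update((row[0].lower(), row[1].lower()))
    return known


def digests(data):
    # MD5 is the slide-era standard; carry SHA-1 as well, since MD5 collisions
    # are practical and hash sets publish SHA-1 alongside it.
    return hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest()


def magic_type(data):
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(path, known):
    """('known-good', []) or ('unknown', [notes]) for one recovered file."""
    with open(path, "rb") as f:
        data = f.read()
    sha1, md5 = digests(data)
    if sha1 in known or md5 in known:
        return "known-good", []
    notes = []
    ext = os.path.splitext(path)[1].lower()
    kind = magic_type(data)
    if kind and ext not in EXT_FOR[kind]:
        notes.append("signature %s does not match extension %s" % (kind, ext or "(none)"))
    if kind == "exe":
        h = entropy(data)
        if h > 7.0:  # assumed threshold for this example
            notes.append("high entropy %.2f: possibly packed" % h)
    return "unknown", notes


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) for the sample."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_dir():
    """Constructed files plus a one-row known-good CSV covering notepad.exe."""
    d = tempfile.mkdtemp()
    good = b"MZ" + b"\x90" * 600 + b"This program cannot be run in DOS mode."
    samples = {
        "notepad.exe": good,                     # in the known-good set
        "report.pdf": b"MZ" + b"\x00" * 400,     # PE disguised as a document
        "svc.exe": b"MZ" + pseudo_random(4096),  # high-entropy body, packed-looking
        "readme.txt": b"plain text, nothing to see",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    sha1, md5 = digests(good)
    csv_text = ('"SHA-1","MD5","CRC32","FileName","FileSize"\n'
                '"%s","%s","00000000","notepad.exe","%d"\n' % (sha1.upper(), md5.upper(), len(good)))
    return d, csv_text


def triage_dir(d, csv_text):
    known = load_known_good(csv_text)
    return {name: triage(os.path.join(d, name), known) for name in sorted(os.listdir(d))}
```

Point triage_dir at the directory of files carved or undeleted from the image and at the real RDS file; whole-file entropy is deliberately crude, and a per-section check on the PE headers is the next refinement.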
• 65. Forensics in Incident Response Using file system date and time information: start from an event of interest (the pivot). Sort on created dates and times: this is when files came to exist on the media. Sort on last modified dates and times: this is when files were last written to. Sort on entry modified (the NTFS $MFT record modification time) for changes in metadata or named streams. Correlate: for each important finding, examine contemporaneous events. This matters most for exploits and downloaders, where the payload arrives seconds after the trigger. Cross-check the dates and times of significant files by comparing the $STANDARD_INFORMATION attribute, which user-mode tools can set, against the $FILE_NAME attribute, which they cannot; a $STANDARD_INFORMATION time earlier than the $FILE_NAME time is a sign of timestomping. Corroborate event times with corresponding events: event logs, internal metadata, shadow copies. Build a time line.
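The timeline and the $STANDARD_INFORMATION versus $FILE_NAME cross-check from this slide, as an added example that is not code from the slides. The three records are constructed (in practice they come from an MFT parser such as fls/istat); all times are UTC, and the ten-minute window around the pivot is an assumed default.

```python
"""Timeline around an event of interest from NTFS timestamps, with the
$STANDARD_INFORMATION ($SI) versus $FILE_NAME ($FN) cross-check.
Added example; the records are constructed, not parsed from an image."""
from datetime import datetime, timedelta

# Constructed records: the three timestamps the slide sorts on, plus $FN created.
RECORDS = [
    {"path": r"C:\Users\alice\AppData\Local\Temp\~dl.tmp",
     "si_created": datetime(2011, 3, 28, 14, 5, 12, 345678),
     "si_modified": datetime(2011, 3, 28, 14, 5, 12, 345678),
     "si_mft_modified": datetime(2011, 3, 28, 14, 5, 12, 400000),
     "fn_created": datetime(2011, 3, 28, 14, 5, 12, 345678)},
    {"path": r"C:\Windows\System32\drivers\svcdrv.sys",
     # $SI backdated to look like an install-time file; $FN keeps the truth.
     "si_created": datetime(2009, 7, 14, 1, 14, 16),
     "si_modified": datetime(2009, 7, 14, 1, 14, 16),
     "si_mft_modified": datetime(2011, 3, 28, 14, 5, 40, 120000),
     "fn_created": datetime(2011, 3, 28, 14, 5, 39, 987654)},
    {"path": r"C:\Users\alice\Documents\notes.docx",
     "si_created": datetime(2011, 3, 20, 9, 0, 0, 111111),
     "si_modified": datetime(2011, 3, 27, 17, 45, 3, 222222),
     "si_mft_modified": datetime(2011, 3, 27, 17, 45, 3, 222222),
     "fn_created": datetime(2011, 3, 20, 9, 0, 0, 111111)},
]

TIME_FIELDS = ("si_created", "si_modified", "si_mft_modified", "fn_created")


def timestamp_anomalies(rec):
    """Reasons to distrust a record's $SI times. $FN created is written by the
    kernel at creation and is not reachable through SetFileTime, so a $SI
    created earlier than $FN created means $SI was set by hand; a $SI time with
    no sub-second part is another common trace of a timestamp-setting tool."""
    notes = []
    if rec["si_created"] < rec["fn_created"]:
        notes.append("$SI created precedes $FN created: backdated")
    if rec["si_created"].microsecond == 0 and rec["fn_created"].microsecond != 0:
        notes.append("$SI created has zero sub-second part: likely tool-set")
    return notes


def timeline(records, pivot, window=timedelta(minutes=10)):
    """(time, field, path) for every timestamp within +/-window of the pivot,
    in chronological order, so contemporaneous activity reads off directly."""
    events = [(rec[f], f, rec["path"]) for rec in records for f in TIME_FIELDS
              if abs(rec[f] - pivot) <= window]
    return sorted(events)


def suspicious(records):
    """{path: anomaly notes} for every record that fails the $SI/$FN check."""
    out = {}
    for rec in records:
        notes = timestamp_anomalies(rec)
        if notes:
            out[rec["path"]] = notes
    return out


if __name__ == "__main__":
    for t, field, path in timeline(RECORDS, datetime(2011, 3, 28, 14, 5, 0)):
        print(t.isoformat(), field.ljust(16), path)
    for path, notes in suspicious(RECORDS).items():
        print("SUSPECT", path, "; ".join(notes))
```

One caveat on the cross-check: on a rename or move NTFS copies the current $SI times into the new $FILE_NAME, so a file that was timestomped and then moved will pass this test. Compare against the $FILE_NAME in the $MFT record's original directory index, or against the prefetch and event-log times, when that is a possibility.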
• 73. Forensics in Incident Response Examine the registry for ASEPs (Auto-Start Extensibility Points): the locations from which code is launched at boot, at logon or on a trigger, which is where malware persists. http://www.usenix.org/event/lisa04/tech/full_papers/wang/wang.pdf Autoruns, either online on the live system or offline against the hives from an image. http://technet.microsoft.com/en-us/sysinternals/bb963902
• 74. Forensics in Incident Response When user activity may have contributed to the infection or compromise: registry "MRU" (most recently used) lists.
• 75. Forensics in Incident Response When user activity may have contributed to the infection or compromise: registry UserAssist keys (in Ntuser.dat), which count and timestamp the programs a user launched through the shell. Usrclass.dat, the per-user class-registration hive, which on Windows 7 also holds the ShellBags.
• 76. Forensics in Incident Response When user activity may have contributed to the infection or compromise: shell artifacts: link files (also known as shortcuts).
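Decoding a Windows 7 UserAssist entry from slide 75, as an added example that is not code from the slides. Value names are ROT13 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count in Ntuser.dat, and each value is 72 bytes. The entry below is constructed to look like one for notepad.exe launched from the System32 known folder; it is not real data, and reading the hive itself is left to an offline registry parser.

```python
"""Decode one Windows 7 UserAssist value: ROT13 name plus the 72-byte data
(session, run count, focus count, focus time, last-run FILETIME at offset 60).
Added example; SAMPLE_NAME and SAMPLE_DATA are constructed."""
import codecs
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)


def from_filetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def decode_name(rot13_name):
    """Value names are ROT13; a known-folder GUID prefix stays a GUID
    ({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is System32)."""
    return codecs.decode(rot13_name, "rot_13")


def parse_win7_userassist(data):
    """Windows 7 layout: session(4) run_count(4) focus_count(4) focus_ms(4),
    44 bytes of counters, last-run FILETIME at offset 60, 4 bytes tail."""
    if len(data) != 72:
        raise ValueError("expected 72-byte Windows 7 value, got %d bytes" % len(data))
    session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {"session": session, "run_count": run_count, "focus_count": focus_count,
            "focus_seconds": focus_ms / 1000.0,
            "last_run": from_filetime(last_run) if last_run else None}


# Constructed sample: notepad.exe, run 3 times, last on 2011-03-28 14:06:02 UTC.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
SAMPLE_DATA = (struct.pack("<4I", 0, 3, 5, 12000) + b"\x00" * 44
               + struct.pack("<Q", to_filetime(datetime(2011, 3, 28, 14, 6, 2)))
               + b"\x00" * 4)


def decode_entry(name, data):
    entry = parse_win7_userassist(data)
    entry["program"] = decode_name(name)
    return entry


if __name__ == "__main__":
    print(decode_entry(SAMPLE_NAME, SAMPLE_DATA))
```

Windows XP and Vista use a 16-byte value with a different layout, so the length check is what keeps an XP hive from being misread as Windows 7 data.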
• 77. Forensics in Incident Response When user activity may have contributed to the infection or compromise: shell artifacts: a malformed link file.
• 78. Forensics in Incident Response The link points to a file, ~wtr4141.tmp (the loader Stuxnet dropped alongside its malformed shortcuts), whose contents are shown on the slide.
• 79. Forensics in Incident Response When user activity may have contributed to the infection or compromise: shell artifacts: jump lists (the AutomaticDestinations and CustomDestinations files under the user's Recent folder, which record the items opened per application on Windows 7).
• 81. Forensics in Incident Response WinINet: Internet history. Can expose browser exploit URLs and downloads. Can indicate intruder downloads: tools fetched by a process that is not running as the logged-on user are recorded in the history and cache kept for the Default account, and their first appearance there often dates the intrusion. Multiple data sources: Internet history files (index.dat), plus all fragments of deleted history files. Browser cache folders. Recovery files. Jump lists.
  • 83. Forensics in Incident Response Cache folders
  • 84. Forensics in Incident Response Recovery folders
  • 85. Forensics in Incident Response Recover file
• 86. Forensics in Incident Response Records of programs being run, and their dependencies, are found in prefetch files under \Windows\Prefetch. The existence of a prefetch file indicates that the application named by the prefetch file was run. The creation date of a prefetch file can indicate when the named application was first run. The modification date of a prefetch file can indicate when the named application was last run. Prefetch file internals show the last launch time, the number of times run, and the files touched during launch. Caveats: Windows 7 keeps at most 128 prefetch files, so older ones are evicted, and prefetching can be switched off (the EnablePrefetcher value under PrefetchParameters), so absence of a prefetch file is not proof that a program never ran.
  • 88. Forensics in Incident Response Prefetch internals parsed.
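Parsing the internals of a Windows 7 prefetch file, as an added example that is not code from the slides. The .pf image is constructed in build_sample_prefetch() with the Windows 7 (version 23) header layout: executable name at offset 16, path hash at 76, filename-strings offset and size at 100 and 104, last run FILETIME at 128, run count at 152. The file list and the hash value are made up.

```python
"""Parse a Windows 7 (version 23) prefetch file: executable name, path hash,
last run time, run count and the files touched at launch.
Added example; the .pf bytes are constructed, not captured."""
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
HEADER_SIZE = 240  # 84-byte header + 156-byte file-information block (v23)


def from_filetime(value):
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(buf):
    version, signature = struct.unpack_from("<I4s", buf, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (no SCCA signature)")
    if version != 23:
        # XP/2003 (17) and Windows 8+ (26, 30) place the last-run and count
        # fields elsewhere, and Windows 10 compresses the file as well.
        raise ValueError("unsupported prefetch version %d" % version)
    exe_name = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", buf, 76)[0]
    names_off, names_size = struct.unpack_from("<II", buf, 100)
    last_run = struct.unpack_from("<Q", buf, 128)[0]
    run_count = struct.unpack_from("<I", buf, 152)[0]
    names = buf[names_off:names_off + names_size].decode("utf-16-le").split("\x00")
    return {"exe_name": exe_name, "path_hash": path_hash,
            "pf_filename": "%s-%08X.pf" % (exe_name, path_hash),
            "last_run": from_filetime(last_run) if last_run else None,
            "run_count": run_count,
            "files": [n for n in names if n]}


# Constructed sample: what a notepad.exe launch that loaded a temp-file payload
# might leave behind. Device paths are how prefetch records file names.
SAMPLE_FILES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME1\USERS\ALICE\APPDATA\LOCAL\TEMP\~DL.TMP",
]


def build_sample_prefetch(exe_name="NOTEPAD.EXE", path_hash=0x1A2B3C4D, run_count=7,
                          last_run=datetime(2011, 3, 28, 14, 6, 2), files=SAMPLE_FILES):
    names = "".join(f + "\x00" for f in files).encode("utf-16-le")
    names_off = HEADER_SIZE
    size = HEADER_SIZE + len(names)
    hdr = struct.pack("<I4sII", 23, b"SCCA", 0x0F, size)
    hdr += exe_name.encode("utf-16-le").ljust(60, b"\x00")
    hdr += struct.pack("<II", path_hash, 0)
    # File-information block: metrics/trace arrays empty, strings follow header.
    hdr += struct.pack("<IIIIII", names_off, 0, names_off, 0, names_off, len(names))
    hdr += struct.pack("<III", size, 0, 0)  # volume information: none
    hdr += b"\x00" * 8
    hdr += struct.pack("<Q", to_filetime(last_run))
    hdr += b"\x00" * 16
    hdr += struct.pack("<I", run_count)
    hdr += b"\x00" * (HEADER_SIZE - len(hdr))
    return hdr + names


if __name__ == "__main__":
    pf = parse_prefetch(build_sample_prefetch())
    print(pf["pf_filename"], pf["run_count"], pf["last_run"])
    for name in pf["files"]:
        print("   ", name)
```

The pf_filename field is the name the file should have on disk (EXENAME-HASH.pf); a prefetch file whose internal name and hash do not match its file name has been renamed or planted. The files list is where a payload loaded from a temp directory shows up next to the legitimate DLLs.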
• 89. Forensics in Incident Response Shadow copies. Snapshot of a volume at a point in time. Can show files added, modified, or deleted over time.
• 90. Forensics in Incident Response Shadow copies. Can be mounted as volumes, for scanning. The first command below exposes each shadow copy that vssadmin lists as a directory symbolic link under %SYSTEMDRIVE%; the second follows each link and writes a full file list of that shadow copy to E:. Both are typed at an elevated cmd prompt (double the % signs if you put them in a batch file). The trailing backslash on the mklink target is required, and when finished remove the links with rmdir, which drops the link without touching the snapshot.
   for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
   for /f "tokens=1" %f in ('dir C:\ /B /A:D ^| findstr HarddiskVolumeShadowCopy') do @dir C:\%f /B /O:N /S > E:\%f-fileList.txt
  • 93. Forensics in Incident Response Differencing shadow copies file lists makes malware files stand out:
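Differencing a shadow copy's file list against the live volume, as an added example that is not code from the slides. Both listings are constructed in the `dir ... /B /S` format that the loop on slide 90 writes to E:\<link>-fileList.txt; the live listing is assumed to come from `dir C:\ /B /O:N /S`, and the mount prefix C:\HarddiskVolumeShadowCopy3 is an assumption for the example.

```python
"""Diff the file list of a mounted shadow copy (earlier state) against the
live volume or a later shadow copy. Added example; both listings are
constructed in `dir /B /S` format."""

SHADOW_PREFIX = r"C:\HarddiskVolumeShadowCopy3"

# Constructed: dir C:\HarddiskVolumeShadowCopy3 /B /O:N /S  (earlier state).
SHADOW_LIST = r"""
C:\HarddiskVolumeShadowCopy3\Users\alice\Documents\notes.docx
C:\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM
C:\HarddiskVolumeShadowCopy3\Windows\System32\drivers\tcpip.sys
C:\HarddiskVolumeShadowCopy3\Windows\Prefetch\NOTEPAD.EXE-1A2B3C4D.pf
"""

# Constructed: dir C:\ /B /O:N /S of the live volume (later state). The last
# line is residue: dir /S also descends into the mounted shadow-copy links.
LIVE_LIST = r"""
C:\Users\alice\AppData\Local\Temp\~dl.tmp
C:\Windows\System32\config\SAM
C:\Windows\System32\drivers\svcdrv.sys
C:\Windows\System32\drivers\tcpip.sys
C:\Windows\Prefetch\NOTEPAD.EXE-1A2B3C4D.pf
C:\HarddiskVolumeShadowCopy3\Windows\System32\drivers\tcpip.sys
"""


def relative_paths(listing, prefix):
    """Paths under prefix, made relative and case-folded (NTFS is case-insensitive)."""
    root = prefix.rstrip("\\").lower() + "\\"
    out = set()
    for line in listing.splitlines():
        line = line.strip().lower()
        if not line.startswith(root):
            continue
        rel = line[len(root):]
        if rel.startswith("harddiskvolumeshadowcopy"):
            continue  # the mounted links inside a live-volume listing
        out.add(rel)
    return out


def diff_listings(earlier, later):
    """added = new since the snapshot (where dropped files show up),
    removed = gone since the snapshot (deleted by intruder or user)."""
    return {"added": sorted(later - earlier), "removed": sorted(earlier - later)}


def compare(shadow_list=SHADOW_LIST, shadow_prefix=SHADOW_PREFIX,
            live_list=LIVE_LIST, live_prefix="C:"):
    return diff_listings(relative_paths(shadow_list, shadow_prefix),
                         relative_paths(live_list, live_prefix))


if __name__ == "__main__":
    for kind, paths in compare().items():
        for p in paths:
            print(kind.ljust(8), p)
```

A name-only diff misses files that were replaced in place; for those, diff the hashes or the sizes and modification times of the common set as a second pass. Diffing consecutive shadow copies against each other, rather than each against the live volume, narrows the window in which a file appeared.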
• 94. Forensics in Incident Response Events and other logs. Often not the best entry point into an investigation, but good for corroborating times found elsewhere. The System event log can show problems impacting system components: unexpected shutdowns, port reassignment, and (on Vista and later) service installations. Application logs can show problems impacting various applications: unexpected terminations, errors and failures. The value of the security event log depends on the auditing policy settings: process creation, for example, is only recorded if process tracking is audited. Can be noisy.
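Pulling the signals this slide names out of exported event XML and lining them up around an event of interest, as an added example that is not code from the slides. The three events are constructed in the format `wevtutil qe <log> /f:xml` emits; the event IDs in WATCH (6008 unexpected shutdown, 7045 service installed, 1000 crash, 1002 hang, 4688 process created, 4720 account created) are the standard Windows ones, and the fifteen-minute window is an assumed default.

```python
"""Filter wevtutil-style event XML for the IDs worth watching and correlate
them with a pivot time. Added example; SAMPLE_XML is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (channel, event id) -> meaning. 4688 only exists when process-tracking
# auditing is enabled, which is the "depends on auditing policy" point.
WATCH = {
    ("System", 6008): "unexpected shutdown",
    ("System", 7045): "service installed",
    ("Application", 1000): "application crash",
    ("Application", 1002): "application hang",
    ("Security", 4688): "process created",
    ("Security", 4720): "user account created",
}

# Constructed events: a browser crash, a driver service installed 43 seconds
# later, and an unrelated unexpected shutdown the day before.
SAMPLE_XML = [
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Application Error'/><EventID Qualifiers='0'>1000</EventID>"
    "<TimeCreated SystemTime='2011-03-28T14:04:58.431000000Z'/><Channel>Application</Channel>"
    "<Computer>ws-alice</Computer></System><EventData><Data>iexplore.exe</Data>"
    "<Data>8.0.7600.16385</Data></EventData></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Service Control Manager'/><EventID Qualifiers='16384'>7045</EventID>"
    "<TimeCreated SystemTime='2011-03-28T14:05:41.000000000Z'/><Channel>System</Channel>"
    "<Computer>ws-alice</Computer></System><EventData><Data Name='ServiceName'>svcdrv</Data>"
    "<Data Name='ImagePath'>system32\\drivers\\svcdrv.sys</Data>"
    "<Data Name='ServiceType'>kernel mode driver</Data><Data Name='StartType'>auto start</Data>"
    "</EventData></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='EventLog'/><EventID Qualifiers='32768'>6008</EventID>"
    "<TimeCreated SystemTime='2011-03-27T08:12:03.000000000Z'/><Channel>System</Channel>"
    "<Computer>ws-alice</Computer></System><EventData><Data>7:58:40 AM</Data>"
    "<Data>3/27/2011</Data></EventData></Event>",
]


def parse_systemtime(ts):
    """'2011-03-28T14:05:41.123456700Z' -> naive UTC datetime (microsecond resolution)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0"))) if frac else dt


def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    return {
        "channel": sysnode.findtext("e:Channel", namespaces=NS),
        "provider": sysnode.find("e:Provider", NS).get("Name"),
        "id": int(sysnode.findtext("e:EventID", namespaces=NS)),
        "time": parse_systemtime(sysnode.find("e:TimeCreated", NS).get("SystemTime")),
        "data": [(d.get("Name"), d.text) for d in root.findall("e:EventData/e:Data", NS)],
    }


def correlate(events, pivot, window=timedelta(minutes=15)):
    """Watched events within +/-window of the pivot, oldest first:
    (time, channel, id, meaning, data)."""
    hits = []
    for ev in events:
        meaning = WATCH.get((ev["channel"], ev["id"]))
        if meaning and abs(ev["time"] - pivot) <= window:
            hits.append((ev["time"], ev["channel"], ev["id"], meaning, ev["data"]))
    return sorted(hits, key=lambda h: h[0])


def correlate_sample(pivot_iso="2011-03-28T14:05:00"):
    pivot = datetime.strptime(pivot_iso, "%Y-%m-%dT%H:%M:%S")
    return correlate([parse_event(x) for x in SAMPLE_XML], pivot)


if __name__ == "__main__":
    for t, channel, eid, meaning, data in correlate_sample():
        print(t.isoformat(), channel, eid, meaning, data)
```

Feed it the output of `wevtutil qe System /f:xml` (and the other channels) split into one Event element per string, with the pivot taken from the file system timeline; the 7045 record is the one that names the driver file to go and hash.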
  • 98. Q&A
  • 99. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.