Module XII – Windows Forensics I
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
1. Module XII – Windows Forensics I

2. News: Passware Exposes Private Data Indexed by Windows Search
New evidence discovery software extracts all users' data from a Windows Search Database.
MOUNTAIN VIEW, Calif., Nov. 12 - Passware, Inc., the expert in cryptanalysis, introduces a new evidence discovery solution for Windows Vista, XP, and Server 2003. Passware Search Index Examiner makes all the data indexed by Windows Search instantly accessible to computer forensics and IT professionals. Search Index Examiner lists all the documents, emails, and spreadsheets, and provides creation and modification dates, author, recipients, summary content, and other information for each item. The only data it needs from the target computer is a Windows Search database.
A quick scan of a Windows Search Database can find documents relevant to a case, and even preview files and items which have been deleted, deliberately or not. It takes under 10 minutes to perform a full scan, extracting over 150,000 items. As an average personal computer stores far fewer items, a typical extraction is almost instant. The wizard interface makes the process easy as ABC.
Source: http://news.thomasnet.com/

3. Module Objective
This module will familiarize you with:
• Collecting Volatile and Non-volatile Information
• Windows Memory Analysis
• Windows Registry Analysis
• Windows File Analysis
• Text-Based Logs
• Other Audit Events
• Forensic Analysis of Event Logs
• Tool Analysis
• Windows Password Issues

4. Module Flow
• Collecting Volatile and Non-volatile Information
• Windows Memory Analysis
• Windows Registry Analysis
• Windows File Analysis
• Text-Based Logs
• Other Audit Events
• Forensic Analysis of Event Logs
• Tool Analysis
• Windows Password Issues

5. Volatile Information
Volatile information can be easily modified or lost. It helps you determine a logical timeline of the security incident and the users who would be responsible.
Volatile information includes:
• System time
• Logged-on user(s)
• Open files
• Network information
• Network connections
• Process information
• Process-to-port mapping
• Process memory
• Network status
• Clipboard contents
• Service/driver information
• Command history
• Mapped drives
• Shares

6. Non-volatile Information
Non-volatile information resides on secondary storage and persists long term. It is non-perishable and can be collected after the volatile data collection.
Non-volatile information includes:
• Hidden files
• Slack space
• Swap file
• Index.dat files
• Metadata
• Hidden ADS streams
• Windows Search Index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Event logs

7. Module Flow (section navigation slide): Collecting Volatile Information, Collecting Non-Volatile Information, Windows Memory Analysis, Windows Registry Analysis, Windows File Analysis, Cache, Cookie and History Analysis, MD5 Calculation, Text-Based Logs, Other Audit Events, Forensic Analysis of Event Logs, Metadata Investigation, Forensics Tools, Windows Password Issues

8. System Time
System time gives an accurate timeline of events that have occurred on the system.
Collect the system time from:
• The clock in the bottom right corner of the screen
• The time /t command
9. Logged-on Users
Collect information about the users logged on to the system, both locally and remotely. Note down the context of a running process, the owner of a file, or the last access time on files.
Tools and commands to determine logged-on users:
• Psloggedon
• Net Sessions
• Logonsessions

10. Logged-on Users (cont’d): Psloggedon Tool
• Shows the name of the user logged on locally as well as remotely
• Syntax: psloggedon [-] [-l] [-x] [\\computername | username]

11. Logged-on Users (cont’d): Net Sessions Command
• Gives the username and IP address used to access the system via a remote login session, and the type of client system used

12. Logged-on Users (cont’d): Logonsessions Tool
• Lists the authentication package used, the type of logon, and the active processes

13. Open Files
Collect information about the files opened by the intruder over a remote login.
Tools and commands for listing open-file information:
• Net File command
• Psfile tool
• Openfiles command
14. Net File Command
The net file command displays the names of all open shared files on a system.
The syntax of the net file command:

15. Psfile Tool
Use the Psfile tool to list or close files that are opened remotely.
Syntax:
• psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

16. Openfiles Command
Use the Openfiles command to list or disconnect files and folders that are opened on a system.
Syntax of the Openfiles command:
• OPENFILES /parameter [arguments]
Examples:
• OPENFILES /Disconnect
• OPENFILES /Query
• OPENFILES /Local

17. NetBIOS Name Table Cache
The NetBIOS name table cache maintains a list of connections made to other systems using NetBIOS. It contains the remote systems’ names and IP addresses. You can use the Windows built-in command-line utility nbtstat to view the NetBIOS name table cache.
Syntax of the nbtstat command:
• nbtstat [[-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]]
nbtstat with the -c switch shows the NetBIOS name table cache.

18. Network Connections
Collect the details of the network connections from the affected system. It helps to find out:
• A logged-on attacker
• IRC bot communication
• Worms logging into a command and control server
Netstat Tool
• Netstat is a tool for collecting information about network connections
• It provides a simple view of TCP and UDP connections and their state, and network traffic statistics

19. Netstat with the -ano Switch: Screenshot
Netstat with the -ano switch displays the TCP and UDP network connections, listening ports, and the process identifiers (PIDs) that own them.

20. Netstat with the -r Switch: Screenshot
Netstat with the -r switch displays the routing table and shows the persistent routes enabled on the system.
  21. 21. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Process Information Investigate the processes running on a potentially compromised system Collect information from Task Manager • The full path to the executable image (.exe file) • The command line used to launch the process, if any • The amount of time that the process has been running • The security/user context that the process is running in • Which modules the process has loaded • The memory contents of the process Search for:
  22. 22. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Task Manager: Screenshot
  23. 23. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Process Information (cont’d) • Tlist Tool • Tasklist command • Pslist • Listdlls • Handle The tools and commands to collect the process information:
  24. 24. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tlist Tool Tlist is included as part of the Microsoft Debugging Tools It displays a good deal of information about running processes Syntax of the tool: •TLIST, TLIST –t, TLIST pid, TLIST -t pid, TLIST pattern, TLIST -t pattern
  25. 25. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tasklist Command Tasklist is a native utility included with Windows XP Pro and Windows 2003 installations Tasklist provides options for output formatting, with choices between table, CSV, and list formats
  26. 26. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tasklist with the /v Switch: Screenshot (cont’d) /v switch provides information about the listed processes, including the image name, PID, name, and number of the session for the process
  27. 27. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Pslist Tool Pslist displays basic information about running processes on a system • -x switch displays details about the threads and memory used by each process Pslist shows detailed information about threads or memory used by a process
Listdlls Tool

The Listdlls tool shows the modules, or DLLs, that a process is using.
• These DLLs are important as they provide the actual code that is used

Handle Tool

The Handle tool shows the various handles that processes have open on a system. It shows information about open files, ports, registry keys, and threads. This information is useful for determining the resources accessed by a process while it is running.

Syntax:
• handle [[-a] [-u] | [-c <handle> [-y]] | [-s]] [-p <process name>|<pid>] [name]

Process-to-Port Mapping

Process-to-port mapping traces which process is using which port, and which protocol is connected to which IP address.

The tools and commands to retrieve the process-to-port mapping:
• Netstat command
• Fport tool
• Openports tool

Netstat Command

The netstat command with the -o switch displays the process ID (PID) of the process responsible for each network connection.

Fport Tool

The Fport tool obtains the process-to-port mapping. It needs to be run from an Administrator account to obtain the information.

Openports Tool

The Openports tool obtains the process-to-port mapping and provides multiple output formats. It does not require an Administrator account. The -fport switch provides fport-style output: it displays the PID, the name of the process, and the port number.

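As an added example, not part of the EC-Council material, the Python below builds the process-to-port mapping described above by joining the PID column that netstat -o adds to each connection with the PID column of tasklist CSV output, then compares listening TCP ports against a baseline of expected owners. The netstat and tasklist output and the baseline are constructed sample data, not captured from a real system.

```python
import csv
import io
import re

# Constructed sample of "netstat -ano" output (not captured from a real system).
# The -o switch adds the owning PID as the last column; UDP rows have no State column.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2040
  TCP    192.168.1.20:1057      198.51.100.7:80        ESTABLISHED     1372
  TCP    192.168.1.20:1060      203.0.113.5:443        ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    724
"""

# Constructed sample of "tasklist /FO CSV" output, taken a moment after netstat,
# so PID 1588 has already exited and has no row here.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","724","Console","0","1,400 K"
"svchost.exe","856","Console","0","4,812 K"
"iexplore.exe","1372","Console","0","21,360 K"
"svch0st.exe","2040","Console","0","3,104 K"
"""

# Baseline of which image is expected to own each listening TCP port (constructed for
# this example; a real baseline comes from a known-good build of the same system).
EXPECTED_LISTENERS = {135: {"svchost.exe"}, 445: {"system"}}

# Groups: proto, local address, foreign address, optional state, pid.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse netstat -ano rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = NETSTAT_ROW.match(line)
        if not match:
            continue
        proto, local, foreign, state, pid = match.groups()
        addr, port = local.rsplit(":", 1)   # rsplit keeps bracketed IPv6 addresses intact
        rows.append({"proto": proto, "local_addr": addr, "local_port": int(port),
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist /FO CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def process_to_port(netstat_text, tasklist_text):
    """Attach the owning image name to every socket. A PID that vanished between the
    two snapshots is marked explicitly rather than silently dropped."""
    names = parse_tasklist(tasklist_text)
    mapping = []
    for row in parse_netstat(netstat_text):
        entry = dict(row)
        entry["image"] = names.get(row["pid"], "<no matching process>")
        mapping.append(entry)
    return mapping


def flag_unexpected_listeners(mapping, expected):
    """Return (port, pid, image) for listening TCP ports whose owner is not in the
    baseline for that port, or for ports that have no baseline entry at all."""
    flagged = []
    for row in mapping:
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        allowed = expected.get(row["local_port"])
        if allowed is None or row["image"].lower() not in allowed:
            flagged.append((row["local_port"], row["pid"], row["image"]))
    return flagged


if __name__ == "__main__":
    mapping = process_to_port(NETSTAT_ANO, TASKLIST_CSV)
    for row in mapping:
        local = "%s:%d" % (row["local_addr"], row["local_port"])
        print("%-4s %-22s %-12s pid=%-5d %s" % (row["proto"], local, row["state"],
                                                row["pid"], row["image"]))
    print("unexpected listeners:", flag_unexpected_listeners(mapping, EXPECTED_LISTENERS))
```

Because netstat and tasklist are run one after the other, a PID seen by one and not the other is a timing artefact to note, not evidence by itself.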
Network Status

Check the network status of the system to learn whether the system is connected to a wireless access point and what IP address is being used.

Tools for network status detection:
• Ipconfig command
• Promiscdetect tool
• Promqry tool

Ipconfig Command

Use the /all switch of the ipconfig command to display the network configuration of the NICs on the system.

Promiscdetect Tool

The Promiscdetect tool detects whether a NIC is in promiscuous mode.

Promqry Tool

The Promqry tool is run against remote systems to determine the active network interfaces.

Other Important Information

Clipboard Contents
• Use the Pclip.exe utility to retrieve the contents of the clipboard
• It automates information collection through batch files and scripts

Service/Driver Information
• Check the service/device information for any malicious program installed

Command History
• Use the doskey /history command to see previously typed commands

Other Important Information (cont’d)

Mapped Drives
• Drives could be mapped with malicious intent
• Drive mappings can be correlated with the network connection information retrieved earlier

Shares
• Get the information regarding the shared resources
• This information is maintained in the Registry under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares

Collecting Non-volatile Information

Collect the non-volatile information from:
• Contents of Registry keys or files
• Event Logs
• Index.dat

Collect information such as drives mapped to or from the system, services started, or applications installed.

Examining File Systems

Run dir /o:d in the %systemroot%\system32 directory at the command prompt. This enables the investigator to examine:
• The time and date of the installation of the operating system
• The service packs, patches, and sub-directories that update themselves frequently (for example, drivers)

Give priority to recently dated files.

Registry Settings

Use the Reg.exe command line tool for accessing and managing the Registry.

Some important Registry values that need to be noted down:
• ClearPageFileAtShutdown
• DisableLastAccess
• AutoRuns

Registry Settings (cont’d)

ClearPageFileAtShutdown:
• This Registry value tells the operating system to clear the page file when the system is shut down
• Unless it is set, the information within the page file remains on the hard drive after shutdown
• Bits of this information might provide important leads in an investigation

DisableLastAccess:
• Windows has the ability to disable the updating of last access times on files
• Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem, DisableLastAccess set to 1 turns the updating off
• In Windows XP and 2003, the same setting can be enabled via the fsutil command

Registry Settings (cont’d)

AutoRuns:
• Many areas of the Registry are referred to as autostart locations
• The applications listed there start when the system boots, when a user logs in, or when the user takes a specific action
• Collect this information with the help of the reg.exe tool or the AutoRuns tool

Microsoft Security ID

Microsoft Security IDs (SIDs) are available in the Windows Registry. The process for accessing the IDs:
• Open the Registry Editor and view HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
• The SIDs are present under the ProfileList key

RockXP reveals the Windows and MS Office CD-Key.

Event Logs

The contents of the event logs depend on which events are being audited and how the logs are configured. Choose which data to collect depending on the incident that occurred.

Use tools such as psloglist.exe and dumpevt.exe to retrieve the event records, and copy the .evt files from the system.

Index.dat File

The index.dat file is used by the Internet Explorer web browser as an active database, which runs as long as a user is logged on to Windows. It is a repository of redundant information such as visited web URLs, search queries, recently opened files, and form auto-complete information.

Separate index.dat files exist for the Internet Explorer history, cache, and cookies.

Index.dat File (cont’d)

Common index.dat file locations for Internet Explorer:

Windows 95/98/Me
• \Windows\Temporary Internet Files\Content.IE5
• \Windows\Cookies
• \Windows\History\History.IE5

Windows NT
• \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5
• \Winnt\Profiles\<username>\Cookies
• \Winnt\Profiles\<username>\Local Settings\History\History.IE5

Windows 2K/XP
• \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5
• \Documents and Settings\<username>\Cookies
• \Documents and Settings\<username>\Local Settings\History\History.IE5

Text View of an Index.dat File

Devices and Other Information

Collect other types of non-volatile information, such as the hard drives installed in the system, and record the information for documentation purposes.

Use the DevCon tool to document the devices attached to a Windows system. Check the available device classes and the status of the connected devices with the help of DevCon.

DevCon Screenshot

The output of devcon resources =ports

DevCon Screenshot

The output of devcon listclass usb 1394

Slack Space

Slack space is the space between the end of a file and the end of the disk cluster it is stored in. Non-contiguous file allocation leaves more trailing clusters and therefore more slack space.

The data residue in the slack space is retrieved by reading the complete cluster. The DriveSpy tool collects all the slack space in an entire partition to a file.

Slack Space Information Collection

• Connect to the target computer and select the media
• Create a bit-level copy of the original media
• Verify the copy by generating its hash value
• Investigate using keyword searches, hash analysis, file signature analysis, and the EnScripts present in the EnCase tool

Virtual Memory

Virtual (or logical) memory is a concept that allows programmers to use a large range of memory or storage addresses for stored data. Virtual memory can be scanned to find hidden running processes.

Examples of tools:
• System Scanner
• X-Ways Forensics

Figure: memory hierarchy (CPU cache, RAM, virtual memory, disk storage)

Tool: DriveSpy

DriveSpy accesses physical drives and records all its activities to a log file. It collects all the slack space in an entire partition to a file. It can also wipe an entire drive, an individual partition, unallocated space, or slack space.

Swap File

A swap file is space on a hard disk used as the virtual memory extension of a computer's RAM.

Swap files contain information about:
• Files opened and their contents
• Websites visited
• Online chats
• Emails sent and received

On Windows, the swap file is a hidden file in the root directory called pagefile.sys. The Registry path for the swap file settings is:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Windows Search Index

The Windows Search index maintains a record of any document or application on the PC, and the contents found within those items. It also indexes email messages, calendar events, contacts, and media files stored on the PC.

Windows Search indexes the contents of each user's "Documents" and "Favorites" folders.

Tool: Search Index Examiner

Passware Search Index Examiner makes all the data indexed by Windows Search accessible; this search index data can be used as evidence. It targets the Windows Search database.

Passware Search Index Examiner lists:
• Documents
• Emails
• Spreadsheets
• Creation and modification dates
• Author
• Recipients
• Summary content

Collecting Hidden Partition Information

A hidden partition is a logical section of a disk which is not accessible to the operating system. A hidden partition may contain files, folders, or confidential data, or store a backup of the system.

Tools like Partition Logic help to collect the information from the hidden partition. Partition Logic can create, delete, erase, format, defragment, resize, copy, and move partitions.

Partition Logic: Screenshot

Hidden ADS Streams

An Alternate Data Stream (ADS) holds security information and link information. A user can hide data in alternate data streams.
• An ADS can be created by typing notepad visible.txt:hidden.txt at the command prompt
• Data can be copied into an ADS with the command type atextfile > visible.txt:hidden2.txt
• Use the command more < visible.txt:hidden2.txt > newfile.txt to copy the ADS contents into a new file

Investigating ADS Streams

The ADS Streams tool can detect the presence of hidden NTFS streams on the target system.

Windows Memory Analysis

Analyze the memory to check for the presence of malware: when malware is launched, it is decrypted in memory. If the malware was allowed to execute, it exists in memory in a decrypted state.

Analyzing the contents of RAM will help to find what has been hidden in memory.

Importance of Memory Dump

A memory dump refers to copying data from one place to another without formatting. It is used to diagnose bugs and helps in analyzing memory contents during a program failure.

Memory dumps contain information in binary, octal, or hexadecimal form. This information can be checked using dumpchk.exe.

EProcess Structure

Each process on a Windows system is represented as an executive process (EProcess) block. The EProcess block is a data structure which contains attributes of the process, as well as pointers to other attributes and data structures.

EProcess contents can be viewed with the help of the Microsoft Debugging Tools and LiveKD.exe. The debugger command dt -a -b -v _EPROCESS displays all the contents of the EProcess block.

EProcess Structure (cont’d)

Elements of the EProcess structure that are important to a forensic investigation:
• The PPEB_LDR_DATA structure, which includes pointers or references to the DLLs used by the process
• A pointer to the image base address, where the beginning of the executable image file can be found
• A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process

Process Creation Mechanism

Steps for process creation:
• The image (.exe) file to be executed is opened
• The EProcess object is created
• The initial thread is created
• The Windows subsystem is notified of the creation of the new process and thread, along with the ID of the process creator and a flag
• Execution of the initial thread starts
• Initialization of the address space is completed

Parsing Memory Contents

Lsproc.pl:
• List Processes (Lsproc) locates processes in a RAM dump
• It takes the path and name of the RAM dump file
• Example: c:\perl\memory>lsproc.pl d:\dumps\dfrws1-mem.dmp
• The output is shown in six columns: Proc, PPID, PID, name of the process, offset of the process, and creation time

Figure: Output of Lsproc.pl

Parsing Memory Contents (cont’d)

Lspd.pl:
• Lspd.pl is a Perl script that allows the user to list the details of a process
• It takes two arguments:
  • The path and name of the dump file
  • The offset of the process, taken from the lsproc.pl output
• Example: c:\perl\memory>lspd.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60

Parsing Process Memory

Use strings.exe or grep to parse through the contents of a RAM dump.

Lspm.pl takes the following arguments:
• Name and path of the dump file
• Physical offset within the file of the process structure

It extracts the available pages for the process from the dump file and writes them to a file within the current working directory.

Example: c:\perl\memory>lspm.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60

Extracting the Process Image

Lspi.pl is a Perl script that takes the same arguments as lspd.pl and lspm.pl. It locates the beginning of the executable image for the process and parses the values contained in the PE header to locate the pages that make up the rest of the executable image file.

Example: c:\perl\memory>lspi.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60

The file extracted from the memory dump will not be exactly the same as the original, since some of the file’s sections are writeable.

Collecting Process Memory

Collect the contents of process memory available in a RAM dump file.
• The pmdump.exe tool allows dumping the contents of process memory without stopping the process
• Process Dumper (pd.exe) dumps the entire process space, along with additional metadata and the process environment, to the console; the output can be redirected to a file or a socket
• Userdump.exe is another tool which dumps any process on the fly, without attaching a debugger and without terminating the process

Inside the Registry

An Administrator can interact with the Registry through intermediate programs. Graphical user interface (GUI) Registry editors such as Regedit.exe or Regedt32.exe are commonly used as the intermediate program.

There are five root folders in the Registry Editor:
• HKEY_USERS
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_CURRENT_CONFIG
• HKEY_CLASSES_ROOT

Registry Editor: Screenshot

Figure: Registry Editor view showing the five root folders

Inside the Registry (cont’d)

• The HKEY_USERS hive contains all the actively loaded user profiles for the system
• HKEY_CURRENT_USER is the active, loaded user profile for the currently logged-on user
• The HKEY_LOCAL_MACHINE hive contains a vast array of configuration information for the system, including hardware settings and software settings
• The HKEY_CURRENT_CONFIG hive contains the hardware profile information used during startup
• The HKEY_CLASSES_ROOT hive contains configuration information relating to which application is used to open various files on the system

Registry Structure within a Hive File

The various components of the Registry, called ‘cells’, have a specific structure and contain specific information. The types of cells and the information they contain:
• Key cell: contains Registry key information and includes offsets to other cells as well as the LastWrite time for the key
• Value cell: holds a value and its data
• Subkey list cell: made up of a series of indexes pointing to key cells
• Value list cell: made up of a series of indexes pointing to value cells
• Security descriptor cell: contains security descriptor information for a key cell

Registry Analysis

During live response, you can retrieve and analyze much of the information in the Registry; the complete data is available during post-mortem investigation. The ProDiscover tool is used to access the Registry during post-mortem analysis.

Steps to obtain information using ProDiscover:
• Load the case into ProDiscover
• Right-click the Windows directory in Content View
• Choose Add to Registry Viewer
• ProDiscover locates the hive files and displays them in the Registry Viewer

System Information

CurrentControlSet is a volatile portion of the Registry; the operating system uses the CurrentControlSet to store the system’s information, such as the version of the operating system, the Service Pack level, and the name of the computer.

There are two ControlSets:
• ControlSet001
• ControlSet002

Find the computer name in the ComputerName value of the following key:
• SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

Find the time when the system was last shut down in the following key:
• SYSTEM\ControlSet00x\Control\Windows

Time Zone Information

Find information about the time zone settings in the following key:
• SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Use the ActiveTimeBias value from the TimeZoneInformation key to translate or normalize the times from other sources on the system.

Shares

Windows 2000, XP, 2003, and Vista systems create hidden administrative shares on a system. If a share is created by the user with the help of the net share command, it can be found in the HKEY_LOCAL_MACHINE hive.

The path for the shares is:
• SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

Audit Policy

A system’s audit policy is maintained in the Security hive, below the Policy\PolAdtEv key. Its default value is of the REG_NONE data type and contains binary information.

The first 4 bytes (DWORD) of the binary data give information about whether auditing was enabled. The value of the DWORD explains the status of the audit policy:
• 00: There is no auditing
• 01: Success events are audited
• 02: Failure events are audited
• 03: Both success and failure events are audited

Wireless SSIDs

On live systems, Windows XP maintains a list of Service Set IDentifiers (SSIDs) to which it has connected. This list is maintained in the following Registry key:
• SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}

Below this key, there is a value named Active Settings and other values called Static#000x. The SSIDs of any wireless access points that have been accessed are included within this binary data. Offset 0x10 is a DWORD value that contains the length of the SSID.

Autostart Locations

Autostart allows applications to be launched without the user’s interaction. On a live Windows XP system, the MSConfig command launches the System Configuration utility.

Path to the autostart options:
• Start > Run > type msconfig > press Enter

Autostart Locations: Screenshot

System Boot

Malware can be launched from the autostart locations of the Registry while the system boots, even without user intervention.
• Example: Windows services at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

The ‘Current’ ControlSet:
• Services that are present in the ControlSet include those that are scanned during startup and those that are launched automatically
• During intrusion analysis, you can use ProDiscover to locate the ControlSet marked Current
• You can sort the subkeys of the Services key based on their LastWrite times
• If there is a mismatch between the LastWrite times and the actual times at which the administrator launched legitimate programs, it implies a possible intrusion

User Login

When a user logs into a system, certain Registry keys are accessed and parsed so that the listed applications can be run. These keys are:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

These Run keys are ignored if the system is started in Safe Mode.

User Activity

Autostart Registry locations are also accessed when the user starts a program. Look for malware in these locations:
• HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command
• HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command

TaskMan allows the user to choose an application to replace the Task Manager.

Enumerating Autostart Registry Locations

Use the AutoRuns tool to retrieve information from a number of autostart locations on a live system. It retrieves entries from a number of Registry keys and displays the result.

It also retrieves the description and publisher from the executable file pointed to by each Registry value, which is listed in the Image Path column.

USB Removable Storage Devices

Footprints, or artifacts, are created in the Registry when a USB device is connected to a Windows system. The Plug and Play (PnP) Manager queries the device descriptor in the device firmware for information about the device.

When a device is identified, a Registry key is created beneath this key:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR

The subkey beneath this key will look like:
• Disk&Ven_###&Prod_###&Rev_###

This subkey identifies a specific class of device; the fields represented by ### are filled in by the PnP Manager based on information found in the device descriptor.

USB Removable Storage Devices (cont’d)

The iSerialNumber value is a unique instance identifier for the device and is similar to the MAC address of a network interface card.

ParentIdPrefix determines the last time the USB device was connected to the Windows system. Its value can be used to correlate additional information from within the Registry, which is important for the investigation.

Navigate to the following key to find specific device classes:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Mounted Devices

The MountedDevices key stores information about the various devices and volumes mounted to the NTFS file system. The complete path to the key:
• HKEY_LOCAL_MACHINE\System\MountedDevices

Use the ParentIdPrefix value found within the unique instance ID key to map the entry from USBSTOR to the MountedDevices key.

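As an added example, not part of the EC-Council material, the Python below performs the USBSTOR-to-MountedDevices correlation described above: it splits the Disk&Ven_###&Prod_###&Rev_### key name into its fields, takes the ParentIdPrefix from each unique instance ID key, and looks for that prefix inside the MountedDevices values. It assumes the Windows XP-era layout in which a removable volume's MountedDevices data is a UTF-16LE device path containing "STORAGE#RemovableMedia#<ParentIdPrefix>&RM#", while a fixed disk's data is a 12-byte signature and offset; the Registry content is constructed here, not taken from a real system.

```python
import re

# Key names under ...\Enum\USBSTOR follow Disk&Ven_###&Prod_###&Rev_###.
DEVICE_CLASS_KEY = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$")
# Assumed XP layout: MountedDevices data for removable media is a UTF-16LE device path
# carrying the ParentIdPrefix between "RemovableMedia#" and "&RM#".
REMOVABLE_MEDIA_PATH = re.compile(r"STORAGE#RemovableMedia#(?P<prefix>[^#]+)&RM#")


def parse_device_class(subkey):
    """Split a USBSTOR device-class key name into vendor, product and revision."""
    match = DEVICE_CLASS_KEY.match(subkey)
    if not match:
        raise ValueError("not a USBSTOR device class key: %r" % subkey)
    return match.groupdict()


def parent_id_prefix_from_mounted(data):
    """Extract the ParentIdPrefix from one MountedDevices value, or None.
    Fixed-disk values are a 12-byte disk signature plus partition offset, not a
    string, so they never match the device-path pattern and are ignored."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    match = REMOVABLE_MEDIA_PATH.search(text)
    return match.group("prefix") if match else None


def correlate_usb_devices(usbstor, mounted_devices):
    """For every USBSTOR instance, list the drive letters and volume GUIDs whose
    MountedDevices entry carries that instance's ParentIdPrefix.

    usbstor: {device_class_key: {instance_id_key: {value_name: value}}}
    mounted_devices: {value_name: raw bytes}
    """
    by_prefix = {}
    for name, data in mounted_devices.items():
        prefix = parent_id_prefix_from_mounted(data)
        if prefix:
            by_prefix.setdefault(prefix.lower(), []).append(name)
    results = []
    for class_key, instances in usbstor.items():
        ids = parse_device_class(class_key)
        for instance_key, values in instances.items():
            prefix = values.get("ParentIdPrefix", "")
            # The unique instance ID key is "<iSerialNumber>&0"; when the device reports
            # no serial number, the PnP Manager generates an ID with '&' as its 2nd char.
            serial = instance_key.rsplit("&", 1)[0]
            results.append({**ids, "serial": serial,
                            "serial_synthesised": len(serial) > 1 and serial[1] == "&",
                            "parent_id_prefix": prefix,
                            "mounted_as": sorted(by_prefix.get(prefix.lower(), []))})
    return results


def _removable_path(prefix):
    """Constructed MountedDevices data for a removable volume with the given prefix."""
    path = "\\??\\STORAGE#RemovableMedia#%s&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" % prefix
    return path.encode("utf-16-le")


# Constructed Registry content (not from a real system).
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02": {
        "0774230A1B2C3D4E&0": {"ParentIdPrefix": "7&2a9f1c3e&0",
                               "FriendlyName": "SanDisk Cruzer USB Device"},
    },
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP": {
        "6&12ab34cd&0": {"ParentIdPrefix": "7&1f0e2d3c&0",
                         "FriendlyName": "Kingston DataTraveler 2.0 USB Device"},
    },
}
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (63 * 512).to_bytes(8, "little"),
    "\\DosDevices\\E:": _removable_path("7&2a9f1c3e&0"),
    "\\??\\Volume{11111111-2222-3333-4444-555555555555}": _removable_path("7&2a9f1c3e&0"),
}


if __name__ == "__main__":
    for device in correlate_usb_devices(SAMPLE_USBSTOR, SAMPLE_MOUNTED_DEVICES):
        print("%(vendor)s %(product)s rev %(revision)s serial=%(serial)s "
              "prefix=%(parent_id_prefix)s mounted_as=%(mounted_as)s" % device)
```

A device whose ParentIdPrefix no longer appears in MountedDevices (the Kingston entry above) was still connected at some point; only its drive letter has since been reassigned or removed.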
Finding Users

Information about users is maintained in the Registry in the SAM hive. The “sam.h” file is helpful in deciphering the structures and revealing information.

The user’s information is maintained in the F value located in the following path:
• SAM\SAM\Domains\Account\Users\{RID}

Time/date stamps are represented as 64-bit FILETIME objects. The values and their locations:
• Bytes 8–15 represent the last login date for the account
• Bytes 24–31 represent the date that the password was last reset
• Bytes 32–39 represent the account expiration date
• Bytes 40–47 represent the date of the last failed login attempt

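As an added example, not part of the EC-Council material, the Python below decodes the four FILETIME fields of a SAM F value at the byte offsets listed above, treating a zero value as "never happened" and the maximum positive value as "never expires", and also applies the ActiveTimeBias normalization from the Time Zone Information slide to a local-time log entry. The F value and the log entry are constructed here, not taken from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000     # FILETIME of 1970-01-01T00:00:00Z
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF            # stored when an account has no expiry

# Byte offsets of the 64-bit FILETIME fields in the F value, as listed on the slide.
F_TIMESTAMPS = {
    "last_login": 8,
    "password_last_set": 24,
    "account_expires": 32,
    "last_failed_login": 40,
}


def filetime_to_datetime(filetime):
    """0 means the event never happened; the maximum positive value means 'never'."""
    if filetime == 0:
        return None
    if filetime >= NEVER_EXPIRES:
        return "never"
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_f_value(f_value):
    """Decode the four account timestamps from a SAM F value (raw bytes)."""
    if len(f_value) < 48:
        raise ValueError("F value too short for the timestamp fields: %d bytes" % len(f_value))
    decoded = {}
    for name, offset in F_TIMESTAMPS.items():
        (filetime,) = struct.unpack_from("<Q", f_value, offset)
        decoded[name] = filetime_to_datetime(filetime)
    return decoded


def normalize_local_time(naive_local, active_time_bias_minutes):
    """Translate a local-time stamp (e.g. from a text log) to UTC. ActiveTimeBias is
    the number of minutes to add to local time to reach UTC, so UTC-4 is stored as 240."""
    return naive_local.replace(tzinfo=timezone.utc) + timedelta(minutes=active_time_bias_minutes)


def _filetime_from_unix(seconds):
    return UNIX_EPOCH_FILETIME + seconds * 10**7


def build_sample_f_value():
    """Constructed 80-byte F value (not from a real SAM hive) with known timestamps."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, _filetime_from_unix(1205486813))   # 2008-03-14T09:26:53Z
    struct.pack_into("<Q", buf, 24, _filetime_from_unix(1199145600))  # 2008-01-01T00:00:00Z
    struct.pack_into("<Q", buf, 32, NEVER_EXPIRES)                    # account never expires
    # offset 40 stays zero: no failed login has been recorded
    return bytes(buf)


def sample_report():
    """Parse the constructed F value and render every field as text for display."""
    decoded = parse_f_value(build_sample_f_value())
    report = {}
    for name, value in decoded.items():
        report[name] = value.isoformat() if isinstance(value, datetime) else str(value)
    local = datetime(2008, 3, 14, 5, 26, 53)          # constructed local-time log entry
    report["log_entry_utc"] = normalize_local_time(local, 240).isoformat()
    return report


if __name__ == "__main__":
    for field, text in sample_report().items():
        print("%-20s %s" % (field, text))
```

The SAM timestamps are already UTC; the ActiveTimeBias step is for sources such as text logs that record local time, so that all artefacts end up on one timeline.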
Tracking User Activity

Registry keys that track a user’s activities can be found in the NTUSER.DAT file. When a user performs a particular action, the Registry key’s LastWrite time is updated. These Registry keys track the user’s activity and add or modify the timestamp information associated with the Registry values.

The majority of the user’s activities are recorded in the HKEY_CURRENT_USER hive.

The UserAssist Keys

For more information, check the user’s NTUSER.DAT file at:
• Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The value names beneath this key are ROT-13 encrypted. ROT-13 refers to a Caesar cipher in which each letter is replaced with the letter 13 places further down the alphabet. Use the Perl script uAssist.pl to decrypt the value names.

The value names are preceded by UEME_, and then by RUNPATH, RUNPIDL, or RUNCPL.

The UserAssist Keys (cont’d)

RUNPATH
• Refers to an absolute path within the file system; occurs when you double-click an icon for an executable in Windows Explorer or type the name of the application in the Start | Run box

RUNCPL
• Refers to launching a Control Panel applet

RUNPIDL
• A PIDL, or pointer to an ID list, is part of the internal Explorer namespace and is used to refer to an object
• In the case of the UserAssist keys, these are most often shortcuts or LNK files, as when you choose Start | Documents and select a file

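As an added example, not part of the EC-Council material or the uAssist.pl script, the Python below decodes the ROT-13 value names under the UserAssist Count key, sorts them into the RUNPATH, RUNPIDL and RUNCPL kinds described above, and orders them into a timeline. It assumes the Windows XP layout of the 16-byte Count data (4-byte session ID, 4-byte run counter that starts at 5, 8-byte FILETIME of the last run); the value names and data are constructed here, not taken from a real NTUSER.DAT.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000       # FILETIME of 1970-01-01T00:00:00Z
RUN_KINDS = ("RUNPATH", "RUNPIDL", "RUNCPL")


def decode_value_name(encoded):
    """UserAssist value names are ROT-13; digits, punctuation and backslashes pass through."""
    return codecs.decode(encoded, "rot13")


def filetime_to_datetime(filetime):
    return None if filetime == 0 else FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_count_data(data):
    """Assumed Windows XP layout of the 16-byte Count data: session id, run counter
    (the counter starts at 5, so 5 is subtracted), and last-run FILETIME."""
    if len(data) != 16:
        return {}
    session, counter, filetime = struct.unpack("<IIQ", data)
    return {"session": session, "runs": max(counter - 5, 0),
            "last_run": filetime_to_datetime(filetime)}


def parse_userassist(values):
    """values: {rot13 value name: raw data}. Returns one entry per RUNPATH/RUNPIDL/RUNCPL
    value; bookkeeping values such as UEME_CTLSESSION are skipped."""
    entries = []
    for encoded, data in values.items():
        name = decode_value_name(encoded)
        if not name.startswith("UEME_"):
            continue
        kind, _, target = name[len("UEME_"):].partition(":")
        if kind not in RUN_KINDS:
            continue
        entry = {"kind": kind, "target": target}
        entry.update(parse_count_data(data))
        entries.append(entry)
    return entries


def most_recent(entries, count=5):
    """Order entries by last run time, newest first, for a quick activity timeline."""
    timed = [e for e in entries if e.get("last_run")]
    return sorted(timed, key=lambda e: e["last_run"], reverse=True)[:count]


def _count_data(session, runs, unix_seconds):
    """Constructed Count data in the assumed XP layout."""
    return struct.pack("<IIQ", session, runs + 5, UNIX_EPOCH_FILETIME + unix_seconds * 10**7)


# Constructed Count values (not from a real NTUSER.DAT). The names are the ROT-13 forms of
# UEME_CTLSESSION, UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe, UEME_RUNCPL:timedate.cpl
# and UEME_RUNPIDL:%csidl2%\Accessories\Calculator.lnk.
SAMPLE_COUNT_VALUES = {
    "HRZR_PGYFRFFVBA": struct.pack("<II", 0x80, 0),
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pzq.rkr": _count_data(0x80, 12, 1205486813),
    "HRZR_EHAPCY:gvzrqngr.pcy": _count_data(0x80, 1, 1199145600),
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Pnyphyngbe.yax": _count_data(0x80, 3, 1205400000),
}


if __name__ == "__main__":
    for entry in most_recent(parse_userassist(SAMPLE_COUNT_VALUES)):
        print("%-8s runs=%-3d last=%s %s" % (entry["kind"], entry["runs"],
                                             entry["last_run"].isoformat(), entry["target"]))
```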
MRU Lists

Applications maintain an MRU list, which is a list of the files that have been most recently accessed. The filenames appear at the bottom of the drop-down menu when File is selected on the menu bar.

The well-known MRU list Registry key is the RecentDocs key at:
• Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

The MRU list has two sections:
• The numbered value names: contain the names of the files accessed
• The MRUListEx key: maintains the order in which the files were accessed

MRU Lists (cont'd)
Another MRU list is found in the RunMRU key:
• Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This key maintains a list of the commands typed into the Run box on the Start menu.
A key similar to RunMRU is the TypedURLs key:
• Software\Microsoft\Internet Explorer\TypedURLs
TypedURLs maintains a list of the URLs the user has typed into the Internet Explorer address bar.
Another location for MRU lists is:
• Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
This key maintains MRU lists (one subkey per file extension) of files opened or saved through the common Open and Save As dialogs.
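An added example (not from the original slides) that reconstructs the access order for the two MRU styles described above: RecentDocs, where MRUListEx is an array of DWORD indexes terminated by 0xFFFFFFFF and each numbered value starts with the file name as a NUL-terminated UTF-16LE string, and RunMRU/OpenSaveMRU, where values are named a, b, c, ... and the MRUList string gives their order. The registry values are constructed inline; in practice they come from a hive parser.

```python
import struct


def utf16le_cstring(data):
    """Read a NUL-terminated UTF-16LE string from the start of data."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def recentdocs_in_order(values, mrulistex):
    """RecentDocs: `values` maps the numbered value names ("0", "1", ...) to their
    binary data, which begins with the file name as a NUL-terminated UTF-16LE
    string. MRUListEx is an array of little-endian DWORD indexes, most recently
    used first, terminated by 0xFFFFFFFF."""
    count = len(mrulistex) // 4
    ordered = []
    for index in struct.unpack("<%dI" % count, mrulistex[:count * 4]):
        if index == 0xFFFFFFFF:
            break
        ordered.append(utf16le_cstring(values[str(index)]))
    return ordered


def runmru_in_order(values, mrulist):
    """RunMRU (and OpenSaveMRU): values are named a, b, c, ... and the MRUList
    string gives their order, most recent first. RunMRU entries end in "\\1"."""
    ordered = []
    for letter in mrulist:
        entry = values[letter]
        if entry.endswith("\\1"):
            entry = entry[:-2]
        ordered.append(entry)
    return ordered


def _recentdocs_entry(filename):
    # Constructed: file name, terminator, then a stand-in for the shortcut's shell item
    return filename.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00"


# Constructed sample data, not taken from a real NTUSER.DAT
SAMPLE_RECENTDOCS = {
    "0": _recentdocs_entry("report.doc"),
    "1": _recentdocs_entry("budget.xls"),
    "2": _recentdocs_entry("notes.txt"),
}
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)

SAMPLE_RUNMRU = {"a": "cmd\\1", "b": "regedit\\1", "c": "\\\\fileserver\\share\\1"}
SAMPLE_MRULIST = "cab"


def mru_demo():
    return {
        "recentdocs": recentdocs_in_order(SAMPLE_RECENTDOCS, SAMPLE_MRULISTEX),
        "runmru": runmru_in_order(SAMPLE_RUNMRU, SAMPLE_MRULIST),
    }
```

The order matters more than the names: the first entry in MRUListEx or MRUList is the most recent action, and the key's LastWrite time dates that action.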
Search Assistant
The terms searched for through the Windows XP Search function are stored in the Registry under:
• Software\Microsoft\Search Assistant\ACMru
The ACMru key generally has some combination of four subkeys:
• 5001: MRU list for the Internet Search Assistant
• 5603: MRU list for the Windows XP files and folders search
• 5604: MRU list for the "word or phrase in a file" dialog box
• 5647: MRU list for the computers entered via the "for computers or people" selection in the Search Results dialog
Connecting to Other Systems
An MRU list is created when a user uses the Map Network Drive Wizard to connect to a remote system:
• Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Shares the user has connected to, including those mapped with the net use command, are recorded under:
• Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Remote systems the user has connected to, including their IP addresses, appear in:
• Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
Analyzing Restore Point Registry Settings
A restore point is a snapshot of the system taken so that the user can roll the system back to an earlier state.
Restore point settings are stored at:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
The interval between scheduled restore points is stored in the RPGlobalInterval value (in seconds).
The restore points themselves are in numbered folders at:
• System Volume Information\_restore{GUID}\RP##
To open System Restore in the user interface: Start > All Programs > Accessories > System Tools > System Restore
Analyzing Restore Point Registry Settings (cont'd)
Characteristics of restore point names:
• Restore points created on schedule are named "System Checkpoint", which is the name shown in the user interface
• The restore point name is stored in, and read from, the rp.log file found in the root of its RP## folder
• The name is stored as a Unicode string starting at byte offset 16 of rp.log
• Installing software or an unsigned driver usually creates a restore point
• A user can create restore points manually; the user-supplied name is stored in the same location
• The last 8 bytes of rp.log are a 64-bit Windows FILETIME timestamp indicating when the restore point was created
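An added example (not code from the original slides) that pulls the two fields described above out of an rp.log file: the name as a NUL-terminated UTF-16LE string at byte offset 16, and the creation FILETIME in the last 8 bytes. The sample files are constructed for the example (the 16-byte header, which also holds the restore point type, is zeroed and not interpreted here).

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def parse_rp_log(data):
    """Extract the restore point name (UTF-16LE, NUL-terminated, at byte offset 16)
    and the creation time (FILETIME in the last 8 bytes) from an rp.log file."""
    if len(data) < 16 + 2 + 8:
        raise ValueError("rp.log too short")
    body = data[16:-8]
    name_end = len(body)
    for i in range(0, len(body) - 1, 2):
        if body[i:i + 2] == b"\x00\x00":
            name_end = i
            break
    name = body[:name_end].decode("utf-16-le")
    filetime = struct.unpack("<Q", data[-8:])[0]
    return {
        "name": name,
        "scheduled": name == "System Checkpoint",
        "created": filetime_to_datetime(filetime),
    }


def _make_rp_log(name, filetime):
    # Constructed: 16-byte header (zeroed here), name, terminator, padding, FILETIME
    return (b"\x00" * 16 + name.encode("utf-16-le") + b"\x00\x00"
            + b"\x00" * 6 + struct.pack("<Q", filetime))


# Constructed samples; 128436192000000000 is 2008-01-01 00:00:00 UTC
SAMPLE_RP_LOGS = [
    _make_rp_log("System Checkpoint", 128436192000000000),
    _make_rp_log("Installed Some Application 1.0", 128436192000000000 + 3600 * 10_000_000),
]


def rp_log_demo():
    return [parse_rp_log(d) for d in SAMPLE_RP_LOGS]
```

Walking every RP## folder and sorting by the parsed creation time gives a timeline of installs and driver changes that survives even when the application itself has since been removed.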
System Restore: Screenshot
Determining the Startup Locations
Common startup locations in the Registry:

Registry Key | Notes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | All values in this key are executed when any user logs on
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | All values in this key are executed once at the next logon and then deleted
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices | Legacy (Windows 9x/Me) key: all values are run as services at system startup, before logon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Legacy (Windows 9x/Me) key: all values are run as services at system startup and then deleted

Determining the Startup Locations (cont'd)

Registry Key | Notes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | The Shell value is executed when any user logs on. It is normally explorer.exe, but it can be changed to a different program or to an explorer.exe in a different path
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components | Each subkey (GUID name) represents an installed component. All subkeys are monitored, and the StubPath value in a subkey, when present, is a command line that is run (once per user, at logon)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | The Userinit value is run when any user logs on; additional programs can be appended to it, comma-separated
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Each value names the CLSID of a shell service object that explorer.exe loads after it starts

Determining the Startup Locations (cont'd)

Registry Key | Notes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | If the Explorer and Run subkeys are present, the values under Run are executed after Explorer starts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 | Contains entries to be run once, in the form RunMyApp = ||notepad.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD | When present, subkeys are monitored and the StaticVxD value in each subkey is a method of executing code (Windows 9x/Me virtual device drivers)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager | The BootExecute value lists native applications that the Session Manager (smss.exe) runs before the Win32 subsystem starts; the default is autocheck (autochk), anything else deserves a look
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services | One subkey per service and driver. The Start value controls startup: 0 = boot (loaded by the boot loader), 1 = system (loaded during kernel initialization), 2 = automatic, 3 = manual (started on demand), 4 = disabled

Determining the Startup Locations (cont'd)

Registry Key | Notes
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries | The subkeys are layered service providers (LSPs); their DLLs are loaded into every process that uses Winsock, before any user logs in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW | Whenever a legacy 16-bit application is run, the program listed in the cmdline value is run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | All values in this subkey run when this specific user logs on; the setting is user specific
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | All values in this subkey run when this specific user logs on and are then deleted
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup | For this specific user, this key is used only by setup; a progress dialog box tracks progress as the values are run one at a time

Determining the Startup Locations (cont'd)

Registry Key | Notes
HKEY_CURRENT_USER\Control Panel\Desktop | If a screen saver is enabled for this user, a value named SCRNSAVE.EXE is present; whatever program is at the path in its string data executes when the screen saver runs
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | The string in the Run value executes when this user logs on (the Registry equivalent of the win.ini run= line)
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | The string in the Load value runs when this user logs on (the win.ini load= line)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | For this specific user, the values under Run execute when this user logs on
Determining the Startup Locations (cont'd)
User Startup folder Registry settings:

Registry Key | Default or Normal Setting
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | The Startup value is C:\Documents and Settings\<user name>\Start Menu\Programs\Startup, where <user name> is the literal account name rather than an environment variable
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | The Startup value is %USERPROFILE%\Start Menu\Programs\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | The Common Startup value is C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | The Common Startup value is %ALLUSERSPROFILE%\Start Menu\Programs\Startup
Any folder these values are pointed at becomes an autostart location, so confirm they still hold the defaults and list the contents of the folder they name.
Cache, Cookie, and History Analysis in IE
Internet Explorer stores the user's browsing artifacts under the user's profile:
• Cache (the pages and images the user viewed): C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
• History: C:\Documents and Settings\<user>\Local Settings\History\History.IE5
• Cookies: C:\Documents and Settings\<user>\Cookies
Each of these locations is indexed by an index.dat file that records the URLs and timestamps.
Cache, Cookie, and History Analysis in Firefox/Netscape
Mozilla, Netscape, and Firefox (through version 2) save web activity in a file named history.dat.
history.dat is a text-format (Mork) file; a limitation is that it does not link the recorded website activity to the cached web pages. Firefox 3 and later replace it with the places.sqlite database.
Firefox history files are located at:
• Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
Mozilla/Netscape history files are located at:
• Documents and Settings\<user name>\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
Browsing Analysis Tool: Pasco
Pasco is a command-line tool that runs on Unix or Windows. It takes an index.dat file, reconstructs the records, and writes them out as delimited text.
It reports the fields saved by IE:
• Record type: whether the entry is a URL that was browsed (URL) or a redirect (REDR) that sent the user's browser to another site
• URL: the website the user visited
• Modified time: the last time the page was modified
• Access time: when the user browsed the website
• Filename: the local cache file that contains a copy of the URL listed
• HTTP headers: the HTTP headers the user received when browsing the URL
Tool: IE Cache View
IE Cache View reads the cache folder of Internet Explorer and displays the list of all files currently stored in the cache. For each entry it reports:
• Filename
• Content type
• URL
• Last accessed time
• Last modified time
• Expiration time
• Number of hits
• File size
• Folder name
• Full path of the cache file
Tool: IE Cache View (cont'd)
Advantages:
• Displays the list of cache files
• Allows you to filter the cache files by file type
• Allows you to view the cache files of another user or from another disk
• Selecting the desired cache items and copying them to the clipboard is easy
Forensic Tool: Cache Monitor
Cache Monitor offers a real-time view of the current state of the cache and an interface to modify its data. It also:
• Verifies the configuration of dynamic caches
• Verifies the cache policies
• Monitors cache statistics
• Monitors data flowing through the caches
• Shows data in the edge cache
• Views data offloaded to disk
• Manages the data in the cache
Tool: IE History Viewer
This utility reads the history file on the computer and displays the list of all URLs visited in the last few days.
It also allows you to select one or more URL addresses and either remove them from the history file or save them to a text, HTML, or XML file. During an examination use only the export function, and run it against a copy of the history file, so the original evidence is not altered.
IE Cookie Analysis
The index.dat file in the Cookies directory provides the following information for each cookie:
• Cookie file name
• Record type
• Record size in bytes
• Number of hits
• The site that created the cookie
index.dat also contains:
• Modified date
• Accessed date
• Name of the user
• MD5 of the actual cookie file
IE Cookie Analysis (cont'd)
Hash tables inside index.dat are used to locate the data records stored in the file; each record found is then parsed into its separate fields.
IE Cookie Analysis (cont'd)
Figure: The HASH table offset
Investigating Internet Traces
Internet Explorer investigations look at:
• Cookies: C:\Documents and Settings\Administrator\Cookies
• Temporary Internet files: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
Tool: IECookiesView
• Displays details of all cookies stored on the computer
• Views the contents of each cookie and can save the cookies to a readable text file
• Lets the user view references to deleted cookies
Tool: IE Sniffer
IE Sniffer can be used to perform forensic analysis of index.dat files. Features:
• Cookie Monitor: keeps only the cookies you want and displays all cookies that have been deleted
• Cache Cleaner: cleans the Internet Explorer cache as well as all stored offline pages
• Quick Viewer: quickly view the contents of an index.dat file and open any of the visited links in the browser
• Hex Viewer: view the raw contents of index.dat files
The Cookie Monitor and Cache Cleaner functions modify the system; on evidence, use only the viewer features, and on a working copy.
Screenshot: IE Sniffer
MD5 Calculation
Message-Digest algorithm 5 (MD5) was designed by Ron Rivest in 1991 and is specified in RFC 1321.
MD5 is a cryptographic hash function that produces a 128-bit hash value.
MD5 is used in security applications and to check the integrity of files. Note that MD5 is no longer collision resistant: practical attacks can produce two different files with the same MD5 hash, so it remains useful for identifying known files and detecting accidental corruption, but a stronger function (such as SHA-256) should be used alongside it when the hash must defend against deliberate tampering.
MD5 Algorithm
MD5 processes a variable-length message into a fixed-length output of 128 bits.
The input message is processed in 512-bit blocks, so it is first padded until its length is a multiple of 512 bits.
The padding is done as follows:
• A single '1' bit is appended to the end of the message
• It is followed by as many '0' bits as are required to bring the length of the message to 64 bits short of a multiple of 512 (that is, to 448 mod 512)
• The remaining 64 bits are filled with a 64-bit little-endian integer giving the length, in bits, of the original message
MD5 Pseudocode
// Note: all variables are unsigned 32-bit and wrap modulo 2^32 when calculating
var int[64] r, k

// r specifies the per-round shift amounts
r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

// Use the binary integer part of the sines of integers (radians) as constants:
for i from 0 to 63
    k[i] := floor(abs(sin(i + 1)) × 2^32)

// Initialize variables (the RFC 1321 word values; in memory they read 01 23 45 67, 89 ab cd ef, ...):
var int h0 := 0x67452301
var int h1 := 0xEFCDAB89
var int h2 := 0x98BADCFE
var int h3 := 0x10325476

// Pre-processing:
append "1" bit to message
append "0" bits until message length in bits ≡ 448 (mod 512)
append bit /* bit, not byte */ length of unpadded message as 64-bit little-endian integer to message

// Process the message in successive 512-bit chunks:
for each 512-bit chunk of message
    break chunk into sixteen 32-bit little-endian words w[i], 0 ≤ i ≤ 15

    // Initialize hash value for this chunk:
    var int a := h0
    var int b := h1
    var int c := h2
    var int d := h3

    // Main loop:
    for i from 0 to 63
        if 0 ≤ i ≤ 15 then
            f := (b and c) or ((not b) and d)
            g := i
        else if 16 ≤ i ≤ 31
            f := (d and b) or ((not d) and c)
            g := (5×i + 1) mod 16
        else if 32 ≤ i ≤ 47
            f := b xor c xor d
            g := (3×i + 5) mod 16
        else if 48 ≤ i ≤ 63
            f := c xor (b or (not d))
            g := (7×i) mod 16

        temp := d
        d := c
        c := b
        b := b + leftrotate((a + f + k[i] + w[g]), r[i])
        a := temp

    // Add this chunk's hash to result so far:
    h0 := h0 + a
    h1 := h1 + b
    h2 := h2 + c
    h3 := h3 + d

var int digest := h0 append h1 append h2 append h3 // (expressed as little-endian)
MD5 Generator: Chaos MD5
Chaos MD5 is a free MD5 generator for Windows.
Feed any file into the program and it generates the MD5 checksum for that file.
Chaos MD5 does not require installation; simply copy it to the hard drive or a USB device to run it.
The MD5 checksum it generates can be used for file identification or integrity checks.
Chaos MD5: Screenshot
Secure Hash Signature Generator
Secure Hash Signature Generator generates hash signatures of the data stored on a disk drive.
These signatures are used to verify data integrity by detecting intentional or accidental tampering with drive data.
The application can detect up to three P-ATA, S-ATA, SCSI, or ATA-compatible flash devices attached to a PC.
It runs under Windows XP or Windows 2000.
Three hash algorithms are offered: MD5 (128-bit signature), SHA-1 (160-bit signature), and CRC32 (32-bit signature). CRC32 is a checksum rather than a cryptographic hash; it detects accidental corruption but is trivial to forge, so use MD5 or SHA-1 for evidence.
MD5 Generator: Mat-MD5
Mat-MD5 is software that computes the MD5 value of each file processed and compares it with other MD5 strings.
It processes one or more files and adds the resulting values to a list.
You can add an MD5 value to compare against by typing it or by copying it from an external file, so values can be compared easily.
Mat-MD5: Screenshot
MD5 Checksum Verifier
MD5 Checksum Verifier is a file integrity checker based on the MD5 algorithm.
With it, you can create checksums of files and verify their integrity later.
Recycle Bin
The Recycle Bin is a metaphor for throwing files away; it also lets the user retrieve and restore files.
A subdirectory is created for each user within the Recycler directory and named with the user's security identifier (SID):
• For example: C:\RECYCLER\S-1-5-21-1454471165-630328440-725345543-1003
Check this subdirectory for information about the deleted files.
When a file is moved to the Recycle Bin, it is renamed using the following convention:
• D<original drive letter of file><#>.<original extension>
• For example, the first file deleted from drive C: with the extension .txt becomes Dc1.txt
System Restore Points
Rp.log files:
• rp.log is the restore point log file located within each restore point (RPxx) directory
• It includes a value indicating the type of the restore point, a descriptive name for the event that created it, and a 64-bit FILETIME object recording when it was created
• The description can be a useful record of the installation or removal of an application
Change.log.x files:
• Key system and application files are continuously monitored so that the system can be restored to a particular state
• Changes are recorded in the change.log files located in the restore point directories
• When a monitored file changes, the original is preserved by copying it into the restore point directory under a new name
Prefetch Files
When an application starts, Windows records the files and pages it references; after processing, the data is written to a .pf file in the Windows\Prefetch directory. Collect this data from the Prefetch directory; each .pf file names the executable and records when it was last run.
Prefetching is controlled by the Registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters
Its EnablePrefetcher value selects the mode: 0 = disabled, 1 = application prefetching, 2 = boot prefetching, 3 = both (the Windows XP default).
Shortcut Files
Shortcuts are files with the extension .lnk that are created, and later accessed, on the user's behalf.
Windows creates them in the user's Recent folder when files are opened.
They provide information about the files or network shares the user accessed (including the original path and volume information) and about devices the user attached to the system.
Tools such as AccessData's Forensic Toolkit (FTK), Windows File Analyzer (WFA), and EnCase reveal the information embedded within the file.
Searching with Event Viewer
The Filter feature in Event Viewer removes clutter from the event log display.
Each log can be independently configured with different filter properties.
The Filter and Find features are under the View menu in Event Viewer.
After a filter is applied, Event Viewer shows only the events whose properties match.
Event Viewer: Screenshot
Word Documents
Word documents are compound documents based on Object Linking and Embedding (OLE) technology, which defines a file-system-like structure of storages and streams within the file.
Word documents can retain past revisions as well as a list of up to the last 10 authors.
Use the wmd.pl and oledmp.pl scripts to list the OLE streams and the metadata they hold.
PDF Documents
Portable Document Format (PDF) files can also contain metadata such as the name of the author, the date the file was created, and the application used to create it.
The metadata can show, for example, that a PDF was created on a Mac, or that it was created by converting a Word document to PDF.
Use the pdfmeta.pl and pdfdmp.pl scripts to extract metadata from PDF files.
Image Files
Image files such as JPEGs can contain information about the photographer, including the location where the picture was taken.
The metadata available in a JPEG depends largely on the application that created or modified it.
Collect the Exchangeable Image File Format (EXIF) information in images; it includes the model and manufacturer of the camera and may also store a thumbnail or audio data.
Use tools such as Exifer, IrfanView, and the Image::MetaData::JPEG Perl module to view, retrieve, and (on working copies) modify the metadata embedded in JPEG image files.
File Signature Analysis
Analyze files with unusual extensions, and files with familiar extensions whose contents look wrong, with the help of file signature analysis.
File signature analysis compares the first 20 bytes of a file (its header or "magic" bytes) against known signatures.
• This information helps determine the true type and function of the file, regardless of the extension it carries
Use the ProDiscover tool for file signature analysis.
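An added example (not from the original slides or from ProDiscover) of the check a signature analysis performs: compare the first bytes of a file against a table of well-known headers and flag files whose extension does not match the detected type, such as an executable renamed to .jpg. The signature table covers a handful of common formats and the sample headers are constructed for the example; a real tool carries a much larger table.

```python
import os

# (magic bytes at offset 0, description, extensions that normally carry that header)
SIGNATURES = [
    (b"MZ", "Windows executable (PE image)", {"exe", "dll", "sys", "scr", "ocx", "cpl"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP container (zip, docx, xlsx, pptx, jar)",
     {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"Rar!\x1a\x07", "RAR archive", {"rar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (doc, xls, ppt, msi)",
     {"doc", "xls", "ppt", "msi"}),
]


def identify_header(header):
    """Return (description, extensions) for the first matching signature, or None."""
    for magic, description, extensions in SIGNATURES:
        if header[:len(magic)] == magic:
            return description, extensions
    return None


def check_signature(filename, header):
    """Compare the header of a file (its first 20 bytes) against the type its
    extension claims; mismatch=True is the case worth a closer look."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    match = identify_header(header)
    if match is None:
        return {"file": filename, "extension": ext, "detected": "unknown", "mismatch": False}
    description, extensions = match
    return {"file": filename, "extension": ext, "detected": description,
            "mismatch": ext not in extensions}


# Constructed headers, not read from real files
SAMPLE_FILES = {
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00",
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 ob",
    "notes.txt": b"Meeting notes 2008-01",
    "quarterly.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 12,
}


def signature_demo():
    return [check_signature(name, header[:20]) for name, header in SAMPLE_FILES.items()]
```

Files reported as "unknown" are not cleared by this check; plain text, scripts and many proprietary formats have no fixed header, so they still need to be opened and looked at.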
NTFS Alternate Data Streams
An alternate data stream (ADS) is a feature of the NTFS file system that lets a file carry additional named streams of data alongside its default data stream.
ADS support was added so that Services for Macintosh could store the resource forks of the Macintosh Hierarchical File System (HFS).
Create an ADS by typing a command such as:
• D:\ads>notepad myfile.txt:ads.txt
Windows Explorer and a plain dir listing do not show the stream or its size; Vista's dir has a /r switch that enumerates ADSs.
Use the type command to read a stream or, with redirection, to copy a file into one (type payload.exe > myfile.txt:payload.exe); on Windows XP an executable stored this way can be launched with start myfile.txt:payload.exe, which is why streams are a classic hiding place for tools and data.
Executable File Analysis
Static analysis:
• Collecting information about and from an executable file without running or launching it under any circumstances
Dynamic analysis:
• Launching an executable file in a controlled and monitored environment so that its effects on a system can be observed and documented
Documentation Before Analysis
• Full path and location of the file
• MAC (modified, accessed, created) timestamps
• Information about the system where the file was stored:
  • Operating system and version
  • File system
  • User accounts
  • IP address
• Any references to the file within the file system or Registry
• Details about who found it and when
Static Analysis Process
• Scan the suspicious file with antivirus software such as Norton, AVG, or McAfee
• Search for strings
• Analyze the PE header
• Analyze the import table
• Analyze the export table
Search Strings
Run suspicious files through tools such as strings.exe and BinText to extract all ASCII and Unicode strings of at least a chosen minimum length.
The strings within the file (paths, URLs, DLL and API names, messages) give a first idea of the file's nature.
Also record where each string is located within the file; the offset shows which part of the executable it belongs to.
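An added example (the editor's, not code from strings.exe or BinText) of the extraction those tools perform: find runs of printable ASCII and of UTF-16LE (Unicode) text of a minimum length and report each with its file offset. The sample bytes stand in for a suspicious binary and are constructed for the example; the IP address in them is from the 203.0.113.0/24 documentation range.

```python
import re


def extract_strings(data, min_len=4):
    """Return (offset, kind, text) for every ASCII and UTF-16LE run of at least
    min_len printable characters, in file order. The two separate scans avoid the
    classic artefact of an ASCII string's trailing NUL being glued onto a
    following Unicode string."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text of printable ASCII characters: each character is followed by a NUL byte
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in unicode_re.finditer(data)]
    return sorted(found)


# Constructed stand-in for a suspicious binary, not a real file
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 4
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 3
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x07"
    + b"http://203.0.113.7/gate.php" + b"\x00\x00"
    + "CreateRemoteThread".encode("utf-16-le") + b"\x00\x00"
)


def strings_demo():
    return extract_strings(SAMPLE_BINARY)
```

Raise min_len to cut noise from code bytes that happen to be printable; lower it when hunting for short tokens such as drive letters or two-character country codes.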
Screenshot: BinText
PE Header Analysis
A portable executable (PE) file begins with a 64-byte structure called the IMAGE_DOS_HEADER, whose first two bytes are the "MZ" signature.
Its last DWORD, e_lfanew, holds the file offset of the "new" executable header.
The structure is defined in the ntimage.h header file (winnt.h in the Platform SDK).
The e_lfanew value points to the location of the PE header, which starts with the 4-byte "PE\0\0" signature followed by the file header and optional header.
Use the PEview tool to view the PE header.
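An added example (not code from the slides or from PEview) that walks the path described above by hand: read e_lfanew from offset 0x3C of the IMAGE_DOS_HEADER, confirm the "PE\0\0" signature there, and decode the 20-byte IMAGE_FILE_HEADER that follows (machine, section count, link timestamp, characteristics). The sample image is a constructed minimal header with no sections; the check that e_lfanew lands inside the file is the one that catches truncated or deliberately mangled headers.

```python
import struct
from datetime import datetime, timezone

MACHINE_TYPES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_headers(data):
    """Walk from the IMAGE_DOS_HEADER to the PE signature and IMAGE_FILE_HEADER.

    IMAGE_DOS_HEADER is 64 bytes: e_magic ("MZ") at offset 0 and e_lfanew, the
    file offset of the PE header, as the last DWORD at offset 0x3C.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no IMAGE_DOS_HEADER (MZ) signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must land inside the file with room for "PE\0\0" plus the 20-byte file header
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew 0x%x points outside the file" % e_lfanew)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew 0x%x" % e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_TYPES.get(machine, "0x%04x" % machine),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "optional_header_size": opt_size,
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "is_executable": bool(flags & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def _build_sample(e_lfanew=0x40, flags=0x0102):
    # Constructed minimal image: DOS header, PE signature and file header only (no sections)
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, 1199145600, 0, 0, 224, flags)
    return bytes(dos) + b"PE\x00\x00" + file_header


def pe_demo():
    return parse_pe_headers(_build_sample())


def pe_bad_lfanew_rejected():
    """A header whose e_lfanew points past the end of the file must be refused."""
    try:
        parse_pe_headers(_build_sample(e_lfanew=0x1000))
    except ValueError:
        return True
    return False
```

The TimeDateStamp is the linker's clock at build time and is trivially forged, so treat it as a lead to compare against file system timestamps, not as ground truth.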
Screenshot: PEview
Import Table Analysis
The operating system needs to know which DLLs and which of their functions a program uses in order to load and link it.
This information is maintained in the import table and the import address table (IAT) of the executable file.
Use pedump.exe or the Dependency Walker tool to read the import table easily.
Locate the import data directory and parse its structures to determine the DLLs and the functions imported from each.
Pay particular attention to networking functions in the import table (for example, those from ws2_32.dll or wininet.dll); they indicate that the program can communicate over the network.
Screenshot: Dependency Walker
Export Table Analysis
DLLs provide functions that other executable files can import.
Each DLL lists the functions it makes available in its export table.
Collect information about chained or cascading DLL dependencies (a DLL that itself imports from further DLLs) with the help of tools such as Dependency Walker and pedump.exe.
Dynamic Analysis Process
• Create a testing environment
• Use virtualization tools such as Bochs, Parallels, Microsoft Virtual PC, Virtual Iron, or VMware
• Arrange and configure your monitoring tools
• Start the process of testing the malware
Creating a Test Environment
• Run the malware to be tested on a system other than the victim system
• Do not connect the test system to the victim system over the network
• Reinstall the operating system (or revert the virtual machine) after each test
• Work on a virtual platform where practical
• Use virtualization tools such as Bochs, Parallels, Microsoft Virtual PC, Virtual Iron, or VMware
Collecting Information Using Tools
• Use a network sniffer to capture network connectivity information; this shows whether the malware attempts to communicate with a remote system or opens a port to listen for connections
• Record TCP and UDP port activity with the Port Reporter tool
• Use Process Monitor to see the files and Registry keys that were created or modified, together with a timeline of the activity
Dynamic Analysis Steps
1. Ensure that all monitoring tools are updated
2. Ensure that all monitoring tools are configured properly
3. Create a log storage location
4. Prepare the malware to be analyzed
5. Launch the baseline phase of the snapshot tools
6. Enable the real-time monitoring tools
7. Launch the malware
8. Stop the real-time monitoring tools and save the data
9. Launch the second phase of the snapshot tools and save the data
Module Flow
• Collecting Volatile Information
• Collecting Non-Volatile Information
• Window Password Issues
• Window Memory Analysis
• Window File Analysis
• Window Registry Analysis
• Cache, Cookie and History Analysis
• MD5 Calculation
• Forensic Analysis of Event Logs
• Other Audit Events
• Text Based Logs
• Metadata Investigation
• Forensics Tools
Metadata
The term metadata refers to data about data.
Examples of metadata:
• Organization name
• Author name
• Computer name
• Network name
• Hidden text or cells
• Document versions
• Template information
• Personalized views
• Non-visible portions of embedded OLE objects
It is important to collect this data because it reveals:
• Hidden information about the document
• Who tried to hide, delete, or obscure the data
• Correlated documents from different sources
Metadata Example (screenshot)
Types of Metadata
Metadata is divided into three types:
• Descriptive metadata
• Structural metadata
• Administrative metadata
Descriptive metadata includes information such as title, abstract, author, and keywords.
Structural metadata supports navigation and presentation of electronic resources.
Administrative metadata provides information such as file creation, file type, and other technical details.
Types of Metadata (cont'd)
Descriptive Metadata
  Description: Describes and identifies information resources
  Sample elements: Unique identifiers, physical attributes, bibliographic attributes
Structural Metadata
  Description: Provides information about the internal structure of resources, including page, section, and chapter numbering, indexes, and table of contents
  Sample elements: Tags such as title page, table of contents, chapters, parts, errata, index, sub-object relationship
Administrative Metadata
  Description: Includes technical data on creation and quality control
  Sample elements: Resolution, bit depth, color space, file format, compression, light source, owner, copyright date, copying and distribution limitations
Metadata in Different File Systems
The modified, accessed, and created (MAC) timestamps record when a file was last modified, last accessed, and created.
These MAC times are managed by the operating system and depend on the file system in use, such as FAT or NTFS:
• On the FAT file system, times are stored in the local time of the computer system
• The NTFS file system stores MAC times in Coordinated Universal Time (UTC)
Investigate how the timestamps change under the various move and copy actions.
Metadata in Different File Systems (cont'd)
FAT16 file system:
• Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
• Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification and creation dates
NTFS file system:
• Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
• Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification and creation dates
• Copy myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
• Move myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt keeps the same modification and creation dates
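The local-time versus UTC distinction in the two slides above is visible in the raw on-disk encodings, and an examiner who correlates a FAT timestamp with an NTFS one has to convert both to a common zone first. The block below is an added example, not part of the EC-Council module: it decodes the 16-bit DOS date/time fields of a FAT directory entry and the 64-bit NTFS FILETIME, and converts a FAT local time to UTC given the zone the machine was set to. The directory entry bytes and the UTC offset are constructed sample values.

```python
"""FAT (local time) and NTFS FILETIME (UTC) timestamp decoding (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_dos_datetime(date_word, time_word, tenths=0):
    """FAT stores date and time as two 16-bit words in the machine's local time.

    Seconds have 2-second resolution; the creation stamp carries an extra
    byte of 10 ms units (0..199). The result is naive: FAT records no zone.
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=tenths * 10)


def encode_dos_datetime(dt):
    """Inverse of decode_dos_datetime; odd seconds are truncated to even."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def fat_to_utc(naive_dt, utc_offset_hours):
    """Interpret a FAT local-time stamp in the zone the system was set to."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return naive_dt.replace(tzinfo=tz).astimezone(timezone.utc)


def filetime_to_datetime(filetime):
    """NTFS timestamps are already UTC, so the result is zone-aware."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_fat_dirent_times(entry):
    """Pull the create/access/write stamps out of a 32-byte FAT directory entry.

    Layout (bytes): 13 CrtTimeTenth, 14-15 CrtTime, 16-17 CrtDate,
    18-19 LstAccDate, 22-23 WrtTime, 24-25 WrtDate. FAT keeps only a date
    for last access, so that stamp is always midnight.
    """
    ctime_tenth, ctime, cdate, adate = struct.unpack_from("<BHHH", entry, 13)
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    return {
        "created": decode_dos_datetime(cdate, ctime, ctime_tenth),
        "accessed": decode_dos_datetime(adate, 0),
        "modified": decode_dos_datetime(wdate, wtime),
    }


def build_sample_dirent():
    """Constructed 32-byte short-name entry for MYFILE.TXT (sample values)."""
    cdate, ctime = encode_dos_datetime(datetime(2009, 3, 15, 14, 30, 17))
    wdate, wtime = encode_dos_datetime(datetime(2009, 4, 2, 9, 12, 5))
    adate, _ = encode_dos_datetime(datetime(2009, 4, 3))
    entry = bytearray(32)
    entry[0:11] = b"MYFILE  TXT"
    entry[11] = 0x20                                   # ATTR_ARCHIVE
    struct.pack_into("<BHHH", entry, 13, 150, ctime, cdate, adate)  # 1.5 s of tenths
    struct.pack_into("<HHHI", entry, 20, 0, wtime, wdate, 1234)     # clus hi, write, size
    return bytes(entry)


if __name__ == "__main__":
    times = parse_fat_dirent_times(build_sample_dirent())
    for k, v in times.items():
        print(f"FAT {k:8s} local {v}  ->  UTC {fat_to_utc(v, -5)}")
    print("NTFS FILETIME of Unix epoch:", datetime_to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc)))
```

Two practical consequences follow from the encodings: a FAT modification time can never be odd-numbered in seconds, and a FAT last-access stamp has no time of day at all, so an exact-second match between a FAT stamp and an NTFS one is itself suspicious.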
Viewing Metadata
Metadata can be viewed with the native application: go to File -> Properties in Microsoft Office, or File -> Document Properties in Adobe Acrobat.
Tools used to view metadata:
• MetaViewer
• Metadata Analyzer
• iScrub
MetaViewer
• MetaViewer quickly extracts file system metadata, the OLE metadata contained in Microsoft Office files, and hash values
• It displays metadata and hash values inside Windows Explorer
• It also allows the retrieved information to be pasted into any application
Metadata Analyzer
Metadata Analyzer is an analytical tool for checking MS Office documents:
• Microsoft Word
• Microsoft Excel
• Microsoft PowerPoint
It reports the initial file name, authors, company name, number of saves, etc.
iScrub
iScrub extracts information about the authors of a document, deleted text, and drafting history.
Features:
• It is a reporting tool that captures and displays document metadata
• It allows users to first manage the metadata in a document and then lock it down
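The Viewing Metadata slide and the three tool slides above all read the same kind of fields (author, company, revision count, creation and modification dates). As an added example, not code from the EC-Council module or from MetaViewer, Metadata Analyzer or iScrub, the block below extracts those fields programmatically. Those tools read the OLE property streams of the legacy binary Office formats; this block reads the equivalent properties from the Office Open XML package (.docx/.xlsx/.pptx), where docProps/core.xml and docProps/app.xml are plain XML inside a ZIP container. The sample document is constructed in memory; its names, dates and counts are invented.

```python
"""Extract document metadata from an Office Open XML package (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# XML element -> label shown to the examiner
CORE_FIELDS = {
    "dc:title": "title",
    "dc:creator": "author",
    "cp:lastModifiedBy": "last_modified_by",
    "cp:revision": "revision",
    "dcterms:created": "created",
    "dcterms:modified": "modified",
}
APP_FIELDS = {
    "ep:Company": "company",
    "ep:Application": "application",
    "ep:Template": "template",
    "ep:TotalTime": "editing_minutes",
}


def _collect(xml_bytes, fields):
    root = ET.fromstring(xml_bytes)
    found = {}
    for tag, label in fields.items():
        node = root.find(tag, NS)
        if node is not None and node.text:
            found[label] = node.text.strip()
    return found


def extract_ooxml_metadata(data):
    """Return the core and extended properties of a .docx/.xlsx/.pptx byte string."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            meta.update(_collect(zf.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            meta.update(_collect(zf.read("docProps/app.xml"), APP_FIELDS))
    return meta


def build_sample_docx():
    """Constructed minimal .docx: only the parts this example reads, plus a stub body."""
    core = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Quarterly report</dc:title>
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>asmith</cp:lastModifiedBy>
 <cp:revision>17</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2009-03-15T14:30:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2009-04-02T09:12:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = b"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <Template>Normal.dotm</Template>
 <TotalTime>42</TotalTime>
 <Company>Example Corp</Company>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, value in sorted(extract_ooxml_metadata(build_sample_docx()).items()):
        print(f"{label:17s} {value}")
```

The same fields answer the questions the Metadata slide raised: a creator that differs from the last modifier, a high revision count, or a creation date earlier than the claimed drafting date are the kinds of inconsistencies an examiner correlates across documents.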
Summary
• Live system activity notification is important for responders and investigators
• In live response, collect the data that is going to change within a short span of time
• Several Registry values and settings can affect the forensic analysis
• Analyzing the contents of RAM helps the investigator find what has been hidden
• The pmdump.exe tool dumps the contents of process memory without stopping the process
• Registry analysis gives the investigator additional information during live response
• The logs generated by the web server are used to investigate attacks on the IIS web server