Windows Forensics Analysis DVD Toolkit 2nd Edition
Forensics Goals on a Computer (Standalone or Server)
or a Network:
1. Intrusion detection, or "Have I been hacked?"
2. Bug hunt: malware detection.
Chapter 1:
Live Response: Collecting Volatile Data
Volatile Data = Data in Memory
Servers cannot be shut down, e.g., a Web server
Downtime - hundreds of thousands of dollars
Imaging a terabyte hard disk takes time.
Volatile Data Contents:
Processes
Network Connections
Clipboard Contents
etc
*Your actions leave artifacts
"evidence dynamics"
Locard's Exchange Principle:
Netcat
XP: an automatic system restore point is created every 24 hours
Limited defrag every 3 days
Prefetch directory/files
Order of Volatility:
Processes
Network Connections
Volatile Data
■ System time - date /t & time /t
■ Logged-on user(s) - psloggedon, net sessions
■ Open files - openfiles
■ Network information - NetBIOS: nbtstat
■ Network connections - netstat
■ Process information
■ Process-to-port mapping
■ Process memory
■ Network status
■ Clipboard contents
■ Service/driver information
■ Command history
■ Mapped drives
■ Shares
Windows File Protection
Spyware, Trojans, and even rootkits use a
technique called DLL injection to load themselves
into the memory space of a running process so
that they will be running and executing but won’t
show up in a process listing because they are
actually part of another process.
tools: listdlls, tlist, pslist, tasklist, handle, fport,
tcpvcon, ipconfig, promiscdetect, promqry
pclip.exe - clipboard contents
doskey /history
share.exe
perl: WMI Win32_Process class
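The process-to-port mapping item above is what fport and tcpvcon produce by joining netstat's PID column against the process list. As an added example (not code from the book or the page), this script does that join offline over constructed, labelled sample output of `netstat -ano` and `tasklist /fo csv /nh`; the sample values (PIDs, addresses) are made up for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample output of `netstat -ano` (Windows); not captured from a real host.
NETSTAT_OUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49812     203.0.113.5:6667       ESTABLISHED     3120
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample output of `tasklist /fo csv /nh` (image name, PID, session, ...).
TASKLIST_OUT = """\
"System","4","Services","0","2,412 K"
"svchost.exe","880","Services","0","9,104 K"
"svchost.exe","3120","Console","1","14,212 K"
"""


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner, blank and header lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:  # UDP rows carry no State column
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}


def process_port_map(netstat_text, tasklist_text):
    """Join both listings on PID; keys look like 'svchost.exe[3120]'."""
    names = parse_tasklist(tasklist_text)
    result = defaultdict(list)
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        key = f"{names.get(pid, '<unknown>')}[{pid}]"
        result[key].append((proto, local, remote, state))
    return dict(result)


if __name__ == "__main__":
    for proc, conns in process_port_map(NETSTAT_OUT, TASKLIST_OUT).items():
        print(proc, conns)
```

On a live system the same two commands are run with their output saved first, then joined here; a PID that appears in netstat but not in the process list shows up as `<unknown>`, which is itself worth noting in the case log.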
Non-Volatile Information:
reg.exe
ClearPageFileAtShutdown registry value
DisableLastAccess:
HKLM\System\CurrentControlSet\
Control\FileSystem\NtfsDisableLastAccessUpdate
C:\>fsutil behavior query disablelastaccess
fsutil = tool
The NtfsDisableLastAccessUpdate functionality
is enabled by default on Vista.
Autoruns:
Autoruns also does a great job of checking areas within
the file system, such as Scheduled Tasks. Sometimes
administrators will use Scheduled Tasks to provide
themselves with elevated (i.e., SYSTEM level) privileges
to perform such tasks as view portions of the Registry that
are normally off-limits even to administrators. An attacker
who gains Administrator-level access to the system could
do something similar to further extend his presence on the
system.
Protected Storage > area of memory/Registry that stores passwords, etc.
tools: pstoreview.exe (CLI), passview, Protected Storage Explorer
Story: IRC bots
AutoComplete in IE
Event Logs
The volatile data that is the most useful to your
investigation depends on the type of incident you’re
faced with. For example, an incident involving a remote
intrusion or a Trojan backdoor will generally mean that
the process, network connection, and process-to-port mapping
information (and perhaps even the contents of certain Registry
keys) will be the most valuable to you. However, if an employee
in a corporate environment is suspected of having stolen
company-proprietary data or violating the corporate acceptable
use policy (AUP), information about storage devices connected
to his system, Web browsing history, contents of the Clipboard,
and so on could be more valuable to your investigation.