
The PC as Victim



Presentation Transcript


  1. The PC as Victim

  2. Reviewing an Active System • Computers change state by: • User interaction • Process execution • Data transfers • Power cycles

  3. What is Lost When you Power Down • Registers, cache contents • Memory contents • State of network connections • State of running processes • Contents of storage media • Contents of removable and back up media

  4. Plan for Live Systems

  5. BIOS • System uses during boot process to identify hard drives and storage devices that contain OS • Check BIOS for • Drive geometry of evidence media • Boot sequence of system • Boot from clean floppy with OS • Review BIOS • Geometry is different (# of cylinders is different) • Failure to log configuration from BIOS means booting from imaged disk may fail if not aligned on correct cylinder boundaries • The boot process can be altered! What does this mean?

  6. Forensic Duplication Tools • All data must be imaged • Tool should handle read errors • No changes to original data • Scientific testing (validation) • Check sum

  7. Methodology • Safety net • Process of safeguarding magnetic media • Ensures evidence is not destroyed • Guarantees accuracy and integrity of data • For HD, boot from floppy (A:\) • Virus free • Back-up software • Prevent writes • Document condition of disk

  8. Creating a Boot Disk • Format a: /U /S • IO.sys • Msdos.sys • Command.com • Drvspace.bin (delete it) • Use diskedit to alter io.sys • Tools to find all occurrences of C:\ • 11 instances of a reference to C:\ • Change to A:\ • Use MD5

  9. Generating a Host Image • Attach to the suspect system a write-protected, verified system disk with: • Operating system, duplication software, & then reboot • Generate an image of the suspect system disk • Mount it on a verified system • Advantages of this approach include: • Not affecting the operational environment of the suspect system because you're examining an image of it on another system • Preserving the original evidence for subsequent legal proceedings

  10. Back up Images • DAT is cheapest • Zips (removable HDs) format & verify • CD ROM as second level backup • Safeback only does a minimum of a partition • Physical drive is entire drive • Logical drives partition on a physical drive (0 or 1) • Backing up logical drives misses partition table

  11. Duplication • Determine need for duplication • 3 approaches • Image storage medium by removing it and attaching to forensic station • Image by attaching a hard drive to suspect computer • Hard drive must be scrubbed • Large enough to accommodate data • Image the storage medium by sending the disk image over a closed network • Allows multiple images to be gathered at the same time • Perform checksums on original and image
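The duplication requirements on slides 6 and 11 (image all data, tolerate read errors, never alter the original, checksum original and image) can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the presentation; the `ConstructedMedium` class is a stand-in for a physical drive, with a constructed list of "bad" sectors that raise an I/O error when read.

```python
import hashlib
import io

SECTOR = 512  # the unit a bit-stream copy works in: every sector, not just files


class ConstructedMedium:
    """Stand-in for a drive under examination (constructed for this example).

    Sector numbers listed in `bad` raise OSError on read, imitating a medium
    with unreadable areas. The class never exposes a write path, so the
    imaging code below cannot touch the original even by mistake.
    """

    def __init__(self, data, bad=()):
        if len(data) % SECTOR:
            raise ValueError("medium size must be a whole number of sectors")
        self._data = data
        self._bad = set(bad)

    @property
    def sectors(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def bitstream_image(medium):
    """Copy every sector of the medium; returns (image_bytes, bad_sectors).

    A sector that fails to read is replaced by zeros and logged rather than
    skipped, so every later sector lands at its original offset (the same
    behaviour dd gives with conv=noerror,sync). Dropping the sector instead
    would shift everything after it and break partition and file offsets.
    """
    out = io.BytesIO()
    bad_sectors = []
    for n in range(medium.sectors):
        try:
            data = medium.read_sector(n)
        except OSError:
            data = b"\x00" * SECTOR
            bad_sectors.append(n)
        out.write(data)
    return out.getvalue(), bad_sectors


def md5_of(data):
    """MD5 hex digest, the checksum the slides call for (add SHA-256 today)."""
    return hashlib.md5(data).hexdigest()


def image_and_verify(medium):
    """Image the medium twice and compare the two passes.

    With no bad sectors the image checksum equals the original's. With bad
    sectors the original cannot be hashed as a whole, so the record of the
    acquisition is the image checksum plus the list of zero-filled sectors;
    a repeatable second pass shows the errors are stable, not transient.
    """
    image, bad = bitstream_image(medium)
    again, bad_again = bitstream_image(medium)
    return {
        "sectors": len(image) // SECTOR,
        "bad_sectors": bad,
        "repeatable": image == again and bad == bad_again,
        "image_md5": md5_of(image),
    }


if __name__ == "__main__":
    sample = bytes(range(256)) * 8          # constructed 4-sector medium
    print(image_and_verify(ConstructedMedium(sample)))
    print(image_and_verify(ConstructedMedium(sample, bad={2})))
```

The audit record a practitioner keeps is the dictionary returned by `image_and_verify`: sector count, bad-sector list and image hash, together with the hash of the original when it could be read cleanly.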

  12. Create Duplicate • Prompts for location to create an audit file • 4 modes of operation • Backup • Restore • Verify • Copy (backup and restore at the same time)

  13. Hard Drives • IDE vs SCSI drives • Terminology • Platters, cylinders, sectors, tracks • Partitioning • Partition types (see p. 69 K&H) • Drive letters • 3 absolutes: A: & B: are floppies • C: is booted partition

  14. Hard Drives (diagram: MBR, unused area, C:\, unused, D:\) • Unused areas can be written to -- up to 31K of data • Master Boot Record has partition table that defines # of drives
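To make slides 10 and 14 concrete (the MBR carries the partition table, a logical-drive backup misses it, and there is unused space an examiner must not ignore), here is an added example, not part of the presentation, that builds a constructed MBR and parses it. It assumes the classic DOS layout in which the first partition starts at sector 63: the 62 sectors between the MBR and that partition come to 31744 bytes, which is taken here to be the "31K" the slide refers to.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
TABLE_OFFSET = 446          # partition table follows 446 bytes of boot code
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)  # 16

# Small subset of partition type IDs, enough for DOS-era disks.
PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "Extended",
                   0x06: "FAT16", 0x0B: "FAT32", 0x0E: "FAT16 LBA",
                   0x0F: "Extended LBA"}


def make_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte partition entry (constructed; CHS fields left zero)."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3,
                       lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR: boot code area, up to four entries, signature."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(entries) + b"\x00" * ENTRY_SIZE * (4 - len(entries))
    return b"\x00" * TABLE_OFFSET + table + MBR_SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR sector.

    Raises ValueError when the 0x55AA signature is absent, which is exactly
    what happens if you hand it the first sector of a logical-drive image:
    that image starts at the partition, so the MBR is not in it.
    """
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
                      "lba_start": lba, "sectors": count})
    return parts


def unused_bytes_before_first_partition(parts):
    """Bytes between the MBR (sector 0) and the first partition.

    No drive letter covers this area, so a file-level or logical backup
    never copies it; only a physical (whole-drive) image does.
    """
    first = min(p["lba_start"] for p in parts)
    return (first - 1) * SECTOR


if __name__ == "__main__":
    # Constructed disk: bootable FAT16 at sector 63, extended partition after it.
    mbr = build_mbr([make_entry(True, 0x06, 63, 2048),
                     make_entry(False, 0x05, 2111, 1024)])
    for p in parse_mbr(mbr):
        print(p)
    print("unused before C:", unused_bytes_before_first_partition(parse_mbr(mbr)))
```

Run `parse_mbr` on the first sector of a physical image and you get the table; run it on the first sector of a logical (partition-only) image and it raises, which is the practical form of the slide's warning that backing up logical drives misses the partition table.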

  15. Chain of Custody • List of people that touched or had control of evidence • Evidence tag • Consent & signature • Receipt & transfer • Description • A list of office staff near evidence • State of the system when found • Serial numbers • Peripherals attached • Prevent future access with seized

  16. Avoiding Technical Mishaps • Altering time and date stamps • Terminating rogue processes • Patching the system before investigation • Not recording commands executed on the system • Using tools that require a GUI • Writing over evidence by installing software drivers • Writing over evidence by running programs that store on hard drive

  17. Cautions • Never allow suspect to touch the computer after decision to investigate • Remove/restrict under subterfuge • Remove computer or HD to secure area • Beware of magnetic devices to erase • Be aware of burn boxes to destroy diskettes • Confiscate all storage media (check keychain for Trek)

  18. Copying Your Data • Bit stream image is the first step • Whole data not just files • Safeback (standard for law enforcement) www.forensics-intl.com • Ghost www.symantec.com • Dd UNIX utility • Diskcopy/V • Snapback www.cdp.com • Byte Back www.toolsthatwork.com

  19. ATTRIB
  • To display the attribute settings of all files in the current directory: ATTRIB
  • To display the attributes of a directory: ATTRIB directoryname
  • To display the attributes of a file: ATTRIB filename
  • To set or remove attributes of a file or directory: ATTRIB [+|-R] [+|-A] [+|-S] [+|-H] [directory|filename] [/S]
  • + Sets an attribute. - Clears an attribute.
  • R Read-only file, A Archive file, S System file, H Hidden file
  • /S Processes files in all directories in the specified path
  • To display the attributes of a file named "news86": ATTRIB news86
  • To assign the Read-Only attribute to the file "report.txt": ATTRIB +R report.txt
  • To remove the System and Hidden attributes from "record.txt": ATTRIB -S -H record.txt
  • To hide the directory "c:\secret": ATTRIB +H c:\secret
  • To hide the files (but not the directories) in the C:\ directory: ATTRIB +H c:*.*

  20. CHKDSK
  • CHKDSK [path] [/F] [/V]
  • path Specifies the drive and directory to check.
  • /F Fixes errors on the disk.
  • /V Displays the full path and name of every file on the disk.

  21. DRIVPARM
  • The DRIVPARM command can only be invoked through Config.sys. It modifies the parameters of an existing physical drive; it does not create a new logical drive. The settings specified in the DRIVPARM command override the driver definitions for any previous block device.
  • DRIVPARM=/D:number [/C] [/F:factor] [/H:heads] [/I] [/N] [/S:sectors] [/T:tracks]
  • /D:number Specifies the physical drive number. number can range from 0 to 255. Drive number 0 corresponds with drive a:, drive number 1 corresponds with drive b:, and so on.
  • How could this be used?

  22. FIND
  • FIND [/V] [/C] [/N] [/I] "string" "filename1" "filename2" "filename ..."
  • /V Displays all lines NOT containing the specified string.
  • /C Displays only a count of lines containing the string. If used with /V, FIND displays a count of the lines that do not contain the specified string.
  • /N Displays line numbers with the lines. If /C and /N are used together, /N is ignored.
  • /I Ignores the case of characters in string. By default FIND is case sensitive and searches for an exact character match.
  • String The text string to be found. String must be in inverted commas.
  • Filename The file(s) to be searched. If filename does not contain spaces, it does not need to be enclosed in inverted commas.

  23. FIND
  • To display all lines from the file "pencil.ad" that contain the string "Pencil Sharpener": FIND "Pencil Sharpener" pencil.ad
  • If the string contains quotation marks, these must be doubled: FIND "This paper is ""for discussion only."" It is not a final report." report.doc
  • To search the current directory for the string "PROMPT" in all .BAT files: FOR %f in (*.bat) DO FIND "PROMPT" %f
  • To search your hard disk to find and display the filenames on drive C that contain the string "CPU", you can use the pipe "|" to direct the results of a DIR command to FIND: DIR c:\ /s /b | FIND "CPU"
  • Remember, the default output from DIR can be upper and/or lower case depending on how a file was saved. To catch all instances of "CPU", "cpu", etc., either use the /L switch with DIR (to force lower case output) or the /I switch with FIND (to ignore case in string).

  24. LASTDRIVE
  • Used to designate the maximum number of drives (real and virtual) recognized by the operating system. The LASTDRIVE command can only be invoked from Config.sys.
  • LASTDRIVE=x or LASTDRIVEHIGH=x
  • x A single letter (A to Z) representing the last valid drive that MS-DOS is to recognize (default is Z). Note: a trailing colon should not be included.

  25. PATH
  • The PATH command is used to view or modify the Path environmental variable and is synonymous with "SET PATH=".
  • To set a path: PATH path1 [;path2...] or PATH=path1 [;path2...]
  • To add directories to an existing Path environmental variable: PATH %path%;path3 [;path4...]
  • To clear all path settings: PATH ;
  • To display the current path settings: PATH
  • To add the directory c:\downloads to the regular path, enter PATH %path%;c:\downloads
  • To add a directory name that contains a space, enclose the name in inverted commas: PATH %path%;c:\"program files"\dos or PATH %path%;"c:\program files\dos"

  26. DEL or ERASE
  • To delete a file: DEL [path] filename [/P]
  • To delete all files in a directory (with confirmation): DEL path or DEL path\*.*
  • To delete all files in a directory (without confirmation): DEL path\?*.* or DEL path\** (in DOS 7.0; confirmation is required in DOS 7.1)
  • Filename The file to delete.
  • /P Forces confirmation before deleting each file.

  27. MODE
  • The MODE series of commands is used to control the computer's links with its peripherals: display lines and columns, display configuration, printer configuration, serial port configuration, device status, redirecting printing from parallel to serial port, setting the typematic rate, and setting the code page (character set) for international use.
  • MODE CON[:] [COLS=c] [LINES=n]
  • c The number of characters per line. c can be 40 or 80 (default: 80).
  • n The number of lines displayed on the screen. n can be 25, 43, or 50 (default: 25). Example: MODE CON LINES=50
  • MODE [device] [/STATUS]
  • device The name of the device. Default: all installed devices.

  28. DELTREE
  • Deletes a directory and its subdirectories.
  • To delete a directory and all the subdirectories and files contained therein: DELTREE [/Y] directory
  • To delete all the files and subdirectories but leave the directory itself: DELTREE [/Y] directory\*.*
  • To delete a file: DELTREE [/Y] filename
  • directory The directory to be deleted.
  • /Y Suppresses prompts for confirmation before deleting.

  29. DELTREE
  • To delete the TEMP directory on drive C, including all files and subdirectories of the TEMP directory: DELTREE c:\temp
  • To delete all the files and subdirectories in the "temp" directory, leaving an empty "temp" directory for future use and avoiding the prompt for confirmation: DELTREE /Y c:\temp\*.*
  • To delete the read-only file text.doc in the c:\data directory (without resetting the attributes): DELTREE /Y c:\data\text.doc

  30. FORMAT
  • FORMAT drive: [/Switches]
  • /V[:label] Specifies a volume label.
  • /S Copies system files to the formatted disk (to make a boot disk).
  • /B Allocates space on the formatted disk for system files.
  • /C Tests clusters that are currently marked "bad". By default, if a disk contains clusters that have been marked as "bad", FORMAT does not retest the clusters; it simply leaves them marked "bad".
  • /AUTOTEST Formatting proceeds without further user input or warning messages. All sectors previously marked bad on the hard drive are retested (i.e. equivalent to including the /C switch).

  31. MORE
  • The MORE command reads standard input from a pipe or redirected file and displays one screen of information at a time.
  • MORE filename, MORE < filename, or command | MORE [path][filename]
  • command A command whose output is to be displayed.
  • filename File(s) to display one screen at a time.
  • Examples: MORE clients.new, MORE < clients.new, TYPE clients.new | MORE

  32. PROMPT
  • To change the command prompt: PROMPT [text]
  • text Any series of alphanumeric characters including the following special codes:
  • $P Current drive and path
  • $E Escape code (ASCII code 27)
  • $N Current drive
  • $G >
  • $V Windows version number
  • $L <
  • $D Current date
  • $B |
  • $T Current time
  • $Q =
  • $_ Carriage return and linefeed
  • $$ $
  • $H Backspace (erases previous character)
  • To reset the prompt to its default ($N$G): PROMPT $N$G

  33. SHELL
  • Specifies the command interpreter you want MS-DOS to use. The SHELL command can only be invoked from Config.sys.
  • SHELL=filename [path] [parameters]
  • filename The full filename and path of the command interpreter to be used.
  • path The path to the command interpreter.
  • parameters Any command-line parameters or switches that can be used with the specified command interpreter.
  • If Command.com is in the root directory and is to be loaded with its default values, the following line is optional: SHELL=c:\command.com c:\ /P

  34. SWITCHES
  • SWITCHES= /F /K /N /E[:n] (invoked from Config.sys)
  • /F Skips the two-second delay after displaying the "Starting MS-DOS . . ." message during startup.
  • /K Forces an enhanced keyboard to behave like a conventional keyboard. If Ansi.sys is installed, its K switch should also be used.
  • /N Disables the F5 and F8 keys used to bypass commands in Config.sys and Autoexec.bat. It does not disable the Ctrl-F5 and Ctrl-F8 keys which bypass loading Drvspace.bin; to disable these keys, see DRVSPACE.

  35. VOL
  • Displays a disk's volume label and serial number. Can be used with LABEL to identify a drive.
  • VOL [drive:]  e.g. VOL E:

  36. COPY
  • The prime use of COPY is to copy one or more files to another location, but it can also be used to combine (concatenate) files and to type directly to a file, printer, or other device.
  • COPY source [destination] [/V] [/Y | /-Y]
  • source The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?). It may also be a valid device (e.g., CON).
  • destination The directory and/or filename for the new file(s). If destination is not specified, source is copied to the current directory with the same name and creation date as the original.
  • file /A Forces COPY to treat the file as an ASCII text file.
  • file /B Forces COPY to treat the file as a binary file.
  • /V Verifies that new files can be read (does not compare with the original; see VERIFY).
  • /Y No warning prompt before overwriting a file (default when COPY is used in a batch file).
  • /-Y Displays a warning and requires confirmation before overwriting a file (default when COPY is used from the command line).

  37. TYPE
  • The TYPE command is used to display the contents of an ASCII text file on screen.
  • TYPE filename
  • To display the contents of HOLIDAY.MAR: TYPE holiday.mar
  • If the file is too long to fit on a single screen: TYPE holiday.mar | MORE
  • To pipe the contents of GO.TXT to a DEL command requiring confirmation before deleting all files in a directory: TYPE go.txt | DEL *.*
  • If the first two characters of GO.TXT contain a "Y" or "y" followed by an [Enter], the files will be deleted. Anything else and the operation will be skipped.

  38. FDISK
  • FDISK is a menu-driven utility used to configure and/or display information about the partitions on a hard disk.
  • Before a hard disk can be recognized by DOS (or any other compatible operating system), a Master Boot Record (MBR) must be established. The MBR defines areas of the disk to be a Primary Partition and/or an Extended Partition.
  • CAUTION: Using FDISK to modify or delete partitions on a hard drive renders all the data associated with that partition unavailable, i.e., deleted!
  • FDISK [/X]
  • To display a summary of the partition structure on all hard drives: FDISK /STATUS
  • To create partitions without going through the standard FDISK menus: FDISK [/X] drive [/PRI:size] [/EXT:size] [/LOG:size] [/PRMT | /Q]
  • To rewrite the Master Boot Record of the primary drive without altering the partition table information: FDISK /MBR
  • To rewrite the Master Boot Record of any drive (drive) without altering the partition table information: FDISK /CMBR drive

  39. Pipes & Redirection
  • A number of DOS commands send output to the screen and/or require input from the user. Redirection is a mechanism whereby the output of a command can be fed either to some other device (a printer or file) or to another program or command.
  • There are four redirection functions: > Redirect output, >> Append, < Redirect input, | Pipe
  • To print out a sorted directory listing of all files in the Windows directory: DIR c:\windows /o/a > PRN
  • To create a file containing the directory listing of the same directory: DIR c:\windows /o/a > c:\data\directories\windows.txt
  • To append a further listing to that file: DIR c:\windows\system /o/a >> c:\data\directories\windows.txt

  40. Batch files
  • COPY CON COPYFILE.BAT {ENTER}  or  EDIT COPYFILE.BAT {ENTER}
  • FORMAT A: {ENTER}
  • COPY *.* {ENTER}
  • DIR A: {ENTER}
  • CTRL+Z  or  Save, Exit from the menu
  • To run the file, type: COPYFILE {ENTER}

  41. COPY
  • COPY source1 + source2 + ... destination [/V] [/Y | /-Y]
  • To combine "mar89.rpt", "apr89.rpt" and "may89.rpt" into one file named "report.rpt" in the current directory: COPY mar89.rpt + apr89.rpt + may89.rpt report.rpt
  • To combine all files in the current directory on the current drive that have the extension ".rpt" into one file named "combined.rpt": COPY *.rpt combined.rpt
  • To combine a series of files that have ".txt" extensions with their corresponding ".ref" files to make new files with the same file names but with ".doc" extensions (i.e. "file1.txt" is combined with "file1.ref" to form "file1.doc", and so on): COPY *.txt + *.ref *.doc
  • To combine first all files with the ".txt" extension, then all files with the ".ref" extension, into one file named "combin.doc": COPY *.txt + *.ref combin.doc

  42. FC
  • Compares two files or sets of files and displays the differences between them.
  • FC [/Switches] file1 file2  e.g. FC c:\test1.txt c:\test2.txt
  • /B Performs a binary comparison. This is the default mode for comparing files when file1 has an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN.
  • /L Compares files as ASCII. This is the default mode for comparing files when file1 does not have an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN.
  • /LBn Sets the number of lines for the internal line buffer. If the files being compared have more than this number of consecutive differing lines, FC cancels the comparison. Default value of n: 100.
  • /N Displays the line numbers on an ASCII comparison.
  • /C Disregards the case of letters.
  • /T Does not expand tabs to spaces. By default, tabs are treated as spaces with 1 tab = 8 spaces.
  • /W Compresses tabs and multiple spaces to a single space for the comparison.

  43. MEM
  • The MEM command is used to display a table showing how memory (RAM) is currently allocated.
  • MEM [/Switches]
  • (none) Displays the status of the computer's used and free memory.
  • /C Lists the programs that are currently loaded into memory and shows how much conventional and upper memory each program is using.
  • /D Lists the programs and internal drivers that are currently loaded into memory.
  • /F Lists the free areas of conventional and upper memory.
  • /M progname Shows how the program (progname) is currently using memory.
  • /P Pauses after each screenful of information.
  • /H Brief help (same as /?).

  44. MEM /C /P

  45. XCOPY
  • Copies files and directory trees.
  • XCOPY source [destination] [/Switches]
  • source The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?).
  • destination The location and/or name(s) of new files.
  • Scope: By default, XCOPY will confine its operation to files in the source directory.
  • /E Copies the complete subdirectory structure of source and all files therein.
  • /S Copies the complete subdirectory structure of source and all files therein but does not copy empty subdirectories.
  • /T Copies the subdirectory structure of source but does not copy any files and does not copy empty subdirectories. To include empty subdirectories, use with the /E switch.
  • XCOPY will not copy a folder's attributes (e.g. 'hidden'). These have to be set as required using Windows Explorer or ATTRIB.

  46. XCOPY
  • To copy all files and subdirectories from the data directory to the disk in drive a: xcopy c:\data a: /s or xcopy c:\data\*.* a: /s
  • To copy all files and subdirectories from the data directory created/modified since 1st Jan. 1997 to the disk in drive a: xcopy c:\data a: /s /d:1/1/97

  47. DISKCOPY
  • DISKCOPY is used to duplicate floppy disks. Any data on the destination disk is overwritten.
  • DISKCOPY drive1: [drive2:] [/1] [/V] [/M]
  • drive1 Drive containing the disk to be copied from (and to, if the computer has only one floppy drive).
  • drive2 Drive containing the disk to be copied to (if different from drive1).
  • /V Verifies that the information is copied correctly.
  • /M Forces a multi-pass copy using memory only.

  48. DOS Commands & Utilities • www.evilpigeon.net/tutorials/commands/ • http://www.butterwick0.freeserve.co.uk/tutor/menu.html • http://www.maem.umr.edu/~batch/batchtoc.htm • http://home7.inet.tele.dk/batfiles/ • http://www.simtel.net/pub/msdos/ • http://www.ntfs.com/products.htm • http://www.opus.co.tt/dave/index.htm

  49. Searching for Evidence • Know what you are looking for • Create list of terms • Use text search tools to find data • Check hacker sites for names of programs • Anti-virus web sites for information on recent infections and registry entries

  50. Evidence on the Hard Drive • Hard disk drives • Files • Erased files • File slack • Hidden partitions • Encrypted files • Compressed data (zip) • Windows swap file • Windows temp files • Application temp files • Encrypted files • Hidden files/folders
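Slides 49 and 50 together make the point that a term list run through a file-level text search misses file slack, erased files and unallocated space, which is why the search has to run over the raw image. The following added example (written for this page; not code from the presentation) builds a constructed 2 KB "image" with a toy directory of live and deleted entries and shows the difference between the two searches. The directory format and cluster size are invented for the illustration.

```python
import re

CLUSTER = 512  # constructed cluster size; slack is the tail of the last cluster


def search_raw(image, terms):
    """Case-insensitive search of every byte of the image.

    Returns {term: [byte offsets]}. Because it ignores the file system, it
    sees slack, deleted files and unallocated space as well as live data.
    """
    image = bytes(image)
    hits = {}
    for term in terms:
        pattern = re.compile(re.escape(term.encode("ascii")), re.IGNORECASE)
        hits[term] = [m.start() for m in pattern.finditer(image)]
    return hits


def search_live_files(image, directory, terms):
    """What a file-level search sees: only the recorded length of live files."""
    hits = {t: [] for t in terms}
    for entry in directory:
        if entry["deleted"]:
            continue
        data = image[entry["offset"]:entry["offset"] + entry["length"]]
        for term, offsets in search_raw(data, terms).items():
            hits[term].extend(entry["offset"] + o for o in offsets)
    return hits


def classify_offset(offset, directory):
    """Say which region a raw hit falls in, so the report can explain it."""
    for e in directory:
        start = e["offset"]
        end = start + e["length"]
        alloc_end = start + -(-e["length"] // CLUSTER) * CLUSTER  # round up
        tag = " (deleted)" if e["deleted"] else ""
        if start <= offset < end:
            return f"{'deleted' if e['deleted'] else 'live'} file {e['name']}"
        if end <= offset < alloc_end:
            return f"slack of {e['name']}{tag}"
    return "unallocated"


def build_constructed_image():
    """A 2 KB image with live data, slack, a deleted file and unallocated space."""
    image = bytearray(4 * CLUSTER)
    memo = b"Quarterly memo: nothing to see".ljust(100)
    image[0:100] = memo                                    # live, 100 bytes
    image[100:135] = b"old draft: PAYROLL figures attached"  # slack of memo.txt
    image[512:533] = b"meeting notes: agenda"               # live, 60 bytes recorded
    image[1024:1052] = b"transfer to offshore account"      # deleted file
    image[1600:1619] = b"payroll backup 1997"               # unallocated
    directory = [
        {"name": "memo.txt", "offset": 0, "length": 100, "deleted": False},
        {"name": "notes.txt", "offset": 512, "length": 60, "deleted": False},
        {"name": "secret.txt", "offset": 1024, "length": 40, "deleted": True},
    ]
    return bytes(image), directory


def report(image, directory, terms):
    """Return [(term, offset, region)] for every raw hit, in offset order."""
    rows = []
    for term, offsets in search_raw(image, terms).items():
        for off in offsets:
            rows.append((term, off, classify_offset(off, directory)))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    img, dirents = build_constructed_image()
    terms = ["payroll", "offshore"]
    print("file-level:", search_live_files(img, dirents, terms))
    for row in report(img, dirents, terms):
        print("raw hit:", row)
```

The file-level search returns nothing for either term; the raw search finds "payroll" in memo.txt's slack and in unallocated space and "offshore" inside the erased file, each labelled with the region it came from.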
