  1. Windows Forensics
  TCSS431: Network Security, 10 Apr 2007
  Stephen Rondeau, Lab Administrator, Institute of Technology

  2. Agenda • Forensics Background • Operating Systems Review • Select Windows Features • Vectors and Payloads • Forensics Process • Forensics Tools Demonstration

  3. Forensics Background
  • Inspection of a computer system for evidence of:
    • crime
    • unauthorized use
  • Evidence gathering/preservation techniques that keep the evidence admissible in a court of law (document every step; hash and protect copies of what is acquired)
  • Consideration of the suspect's level of expertise
  • Avoidance of data destruction or compromise

  4. Operating System Review • What does an OS do?

  5. Operating System Review
  • What does an OS do?
    • starts itself
    • low-level management of:
      • interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
    • higher-level management of:
      • file system, users, user interface, apps
    • addresses issues of fairness, efficiency, data protection/access, workload balancing

  6. Select Windows Features
  • Kernel vs. User Mode
  • Kernel features (architecture)
    • device drivers
    • installable file system
    • object security
  • Services

  7. Computing Devices: Simplistic
  [diagram: a computing device with input and output, connected to a hub]
  • Computing Device
    • takes some input
    • processes it
      • OS, services, applications
    • provides some output
  • Network
    • connects device
  • Data
    • ?

  8. Computing Devices: Reality
  [diagram: inputs, outputs and bidirectional channels of a real computing device]
  • In: human (keyboard/mouse/touch, etc.); data (scanner/GPS)
  • Out: human (audio/video)
  • In/Out: data (storage device, PC Card, network, printer, etc.)

  9. Computing Devices: Connections
  • removable media
    • floppy, CD/DVD, flash, microdrive
  • PC Card
  • wired
    • serial/parallel, USB, Firewire, IDE, SCSI, twisted pair
  • wireless
    • radio (802.11, cellular, Bluetooth)
    • infrared (IR)
    • ultrasound

  10. Vectors and Payloads
  • Vector: route used to gain entry to a computer
    • via a device, without human intervention
    • via an unsuspecting or willing person's actions
  • Payload: what is delivered via the vector
    • malicious code
    • may be multiple payloads
      • spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

  11. Forensics Process
  • Assess
    • after permission is granted
    • determine how to approach the affected system(s)
    • watch out for anti-forensics
    • how to stop computer processing? (pulling the plug preserves the disk but loses RAM; an orderly shutdown runs code that may alter evidence)
  • Acquire
    • capture volatile data first, since it is lost at power-off
    • copy the hard drive
  • Analyze

  12. Volatile Data
  • All of RAM, plus the paging file (swapped-out pages that survive on disk)
  • Logged-on users
  • Processes (regular and services)
  • Process memory
  • Buffers
  • Clipboard
  • Network information (interfaces, open ports, active connections, ARP and DNS caches)
  • Command history

  13. Nonvolatile Data
  • Partitions
  • Files
    • hidden files, NTFS alternate data streams
  • Registry keys
  • Recycle Bin
  • Scheduled tasks
  • User information
  • Logs

  14. What to Look For
  • Know the baseline system: what to expect of a good system
  • Malware footprint
    • in logs
    • on the file system (changed dates/sizes)
    • in the registry
    • in startup areas
    • in the service list
    • in network connections
  • Abnormalities in functionality, performance, traffic patterns
  • Cross-check with multiple tools (a rootkit that hides from one tool may not hide from another)

  15. Microsoft Tools
  • Basic
    • Windows Update, Malicious Software Removal Tool, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, Runas, systeminfo, auditpol
    • built-in service accounts to know: LocalService, NetworkService
  • Network tools
    • netstat -anob (all sockets, numeric, owning PID and module; -b needs an elevated prompt), nbtstat, ping, tracert, arp, netsh, ipconfig
  • File
    • dir /ah (hidden files), dir /od (sort by date), dir /tc (show creation times), findstr, cacls
  • Services
    • net start/stop, sc
  • Process
    • tasklist, taskkill, schtasks
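Slides 14 and 15 together describe the analysis step: run the built-in tools, compare the result to a known-good baseline, and cross-check one tool against another. The script below is an added example, not part of the original presentation or any tool it names. It parses constructed sample output of `netstat -anob` and `tasklist /fo csv` (the sample text, the baseline set and every PID and image name in it are made up for illustration) and reports three classic footprints: a listener that is not in the baseline, a PID that owns a socket but is absent from the process list (what a process-hiding rootkit looks like when two tools disagree), and an established outbound connection. The column layout matches what those two commands print, but a real triage run feeds it the saved output of the tools, ideally statically linked copies run from trusted media.

```python
import csv
import io
import re

# Constructed sample of `netstat -anob` output for illustration (not captured from a real host).
# Each socket line is followed by the owning service name (if any) and the owning image in brackets.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1337
 [svch0st.exe]
  TCP    192.168.1.10:49152     203.0.113.5:6667       ESTABLISHED     2048
 [explorer.exe]
  UDP    0.0.0.0:123            *:*                                    1012
  W32Time
 [svchost.exe]
"""

# Constructed sample of `tasklist /fo csv` output. PID 1337 is deliberately missing,
# simulating a process that hides from the process list but still owns a socket.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","236 K"
"svchost.exe","884","Services","0","5,340 K"
"svchost.exe","1012","Services","0","4,120 K"
"explorer.exe","2048","Console","1","31,004 K"
"""

# Hypothetical baseline of listeners expected on a clean build: (proto, local port, owning image).
BASELINE_LISTENERS = {
    ("TCP", 135, "svchost.exe"),
    ("TCP", 445, "System"),
    ("UDP", 123, "svchost.exe"),
}

# Socket line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Owning image line, e.g. " [svchost.exe]".
MODULE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return one dict per socket, with the owning service/module netstat -b prints below it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({
                "proto": proto, "local": local,
                "lport": int(local.rsplit(":", 1)[1]),   # works for IPv4 and [::]:port forms
                "remote": remote, "state": state or "",
                "pid": int(pid), "module": None, "service": None,
            })
            continue
        m = MODULE_RE.match(line)
        if m and conns:
            conns[-1]["module"] = m.group(1)
        elif conns and line.strip():
            conns[-1]["service"] = line.strip()    # bare service name line (e.g. RpcSs)
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def triage(netstat_text, tasklist_text, baseline=BASELINE_LISTENERS):
    """Cross-check netstat against tasklist and the baseline; return the findings."""
    procs = parse_tasklist(tasklist_text)
    findings = {"unexpected_listeners": [], "hidden_pids": [],
                "name_mismatch": [], "remote_connections": []}
    for c in parse_netstat(netstat_text):
        listening = c["proto"] == "UDP" or c["state"] == "LISTENING"
        if listening and (c["proto"], c["lport"], c["module"]) not in baseline:
            findings["unexpected_listeners"].append((c["proto"], c["lport"], c["pid"], c["module"]))
        if c["pid"] not in procs:
            # Socket owner is invisible to tasklist: hidden process, or the tools ran too far apart.
            findings["hidden_pids"].append((c["pid"], c["module"]))
        elif c["module"] and procs[c["pid"]] != c["module"]:
            findings["name_mismatch"].append((c["pid"], procs[c["pid"]], c["module"]))
        if c["state"] == "ESTABLISHED":
            findings["remote_connections"].append((c["remote"], c["pid"], c["module"]))
    return findings


if __name__ == "__main__":
    for kind, items in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        for item in items:
            print(kind, item)
```

On the sample it reports the listener on TCP 4444 owned by the look-alike image `svch0st.exe`, flags PID 1337 as present in netstat but absent from tasklist, and lists the connection from `explorer.exe` to port 6667. Each finding is a lead to confirm with a second source (Process Explorer, the Services list, Autoruns), not a conclusion on its own; a PID that disappears between the two commands may simply have exited.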

  16. External Tools
  • antivirus
  • backup
  • www.sysinternals.com
    • RootkitRevealer, Process Explorer, WinObj, Autoruns
    • PsTools: pslist, psexec, psservice, psgetsid, etc.
  • www.e-fense.com: Helix
    • statically-linked tools, variety of other tools
  • Bart's PE

  17. References • Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005 • Windows Forensic Analysis DVD Toolkit , Harlan Carvey, Syngress 2007 • File System Forensic Analysis,Brian Carrier, Addison-Wesley 2005 • Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006