1 / 55

Extracting and Analyzing Evidence from Live Systems in Computer Forensics

This guide covers the process of extracting volatile data from live systems in computer forensics. It emphasizes the importance of using trusted tools, documenting results, and planning investigations carefully to avoid compromising evidence. Key procedures include identifying running processes, current users, and open network connections. The use of response toolkits, consisting of utility tools such as netstat and Fport, is essential in gathering evidence efficiently without altering the target system's state. Best practices for storing data and safeguarding integrity are also outlined.

pisces
Télécharger la présentation

Extracting and Analyzing Evidence from Live Systems in Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 250 Computer Forensics Windows Life Analysis

  2. Extracting Evidence from a Life System Degrees of Volatility of Data. • Gathering more volatile data versus • Safer forensics procedures.

  3. Extracting Evidence from a Life System Life Examination is done: • To quickly access the situation • Confirmation of incident. • To retrieve volatile data • Such as network connections, running processes, etc.

  4. Extracting Evidence from a Life System Initial response must not destroy potential evidence. • Use only trusted tools on a response toolkit. • Document results. • Notebook  • Hard Drive of target system  • Removable media connected to target drive  • Other system using netcat or cryptcat 

  5. Extracting Evidence from a Life System • Plan investigation. • Evidence gathering differs according to incidence: • Unacceptable web-surfing. • Intellectual property rights theft. • Compromised system.

  6. Extracting Evidence from a Life System • Response Toolkit • Collection of Trusted Tools. • Stored on removable media. • Floppies (write-protected) • CD • Thumbdrive (write-protected)

  7. Response Toolkit • Determine the tools needed. • Create Toolkit. • Check dependencies on DLL and other files. Include those in toolkit. • Include file authentication tool such as MD5.

  8. Response Toolkit: cmd.exe Built-in command prompt.

  9. Response Toolkit netstat • Enumerates all listening ports and all connections to those ports. Suspicious connection? (No, windows messenger.)

  10. Response Toolkit rasusers • Which users have remote access privileges on the target system.

  11. Response Toolkit Fport • Finds open TCP/IP and UDP ports and maps them to the owning application

  12. Response Toolkit: pslist

  13. Resource Tools ListDLLs

  14. Resource Toolkit: nbtstat

  15. Resource Toolkit: arp

  16. Resource Toolkit: kill • Get it from the Windows NT Resource Kit. • Terminates processes via process number.

  17. Recourse Toolkit: md5sum • Creates MD5 hashes for a file.

  18. Resource Toolkit: PsLogList • Dumps the event log list.

  19. Resource Toolkit: PsInfo Local System built.

  20. Remote Toolkit: PsFile

  21. Remote Toolkit: PsLoggedOn

  22. Resource Toolkit: PsService

  23. Resource Toolkit: regdump

  24. Preparing the Toolkit • Label the toolkit. • Check for dependencies with Filemon. • Lots of dependencies => lots of MAC changes. • Create an MD5 of the toolkit. • Write protect any floppies.

  25. Storing Obtained Data • Save data on the hard drive of target.  (Modifies System.) • Record data by hand.  • Save data on removable media.  • Includes USB storage. • Save data on a remote system with netcat or cryptcat. 

  26. Storing Obtained Data with netcat • Quick on, quick off target system. • Allows offline review. • Establish a netcat listener on the forensic workstation. Redirect into a file. • Establish a netcat funneler on the target system to the forensic workstation. • Cryptcat does the same, but protects against sniffing.

  27. Obtaining Volatile Data Store at least • System date and time. • List of current users. • List of current processes. • List of currently open sockets. • Applications listed on open socket. • List of systems with current or recent connections to the system.

  28. Obtaining Volatile Data: Procedure • Execute a trusted cmd.exe • Record system time and date. • Determine who is logged on. • Record file MAC. • Determine open ports. • List all apps associated with open ports.

  29. Obtaining Volatile Data: Procedure • List all running processes. • List current and recent connections. • Record the system time and date. • Document the commands used during initial response.

  30. Recording System Time

  31. Determining Logons

  32. Determining File MAC

  33. Determining Open Ports

  34. Listing Applications with Open Ports

  35. Listing all running processes

  36. List current connections

  37. List current connections

  38. Documenting history

  39. Scripting the response

  40. Scripting the response

  41. Examples • Use Fport to look at open ports. • Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware. www.doshelp.com/trojanports.htm

  42. Examples • If at your home system, fport shows a suspicious port use and netstat shows a current connection to this port, then kill the process.

  43. Examples • Knowing what processes are running does not do you any good. • You need to know what they are doing. • At least, know the typical processes.

  44. Examples • Access the registry with RegDump • Then study it with regedit on the forensic system.

  45. Examples Assume generic monitoring of systems. Look for • Unusual resource utilization or process behavior. • Missing processes. • Added processes. • Processes with unusual user identification.

  46. Examples • The windows task manager can be very helpful.

  47. Examples: Detecting and Deleting Trojans • Use port scanning tools, either on host machine or remote machine. • Fport (Windows) • Superscan (Windows) • Nmap • netstat (for open connections)

  48. Examples: Detecting and Deleting Trojans • Identify the Trojan on the disk. • Find out how it is being initiated and prevent the process. • Reboot the machine and delete the Trojan.

  49. Example • Run superscan on local host to check for open ports. • What is happening at port 5000?

  50. Example Port 5000?

More Related