91.460.201 & 91.530.202 Selected Topics: Digital Forensics
Chapter 7 Current Computer Forensics Tools
Xinwen Fu
Laws of Physical Security
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #5: Weak passwords trump strong security
Law #10: Technology is not a panacea
Security is only as strong as the weakest link.
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
Dr. Xinwen Fu 2
Scenarios
You are a crime investigator and have a suspect's computer.
How can you get access to the data on the hard disk?
How can you get her password on this computer?
You are a secret agent and have 10 minutes of access to an opponent General's computer.
How can you get access to the data on the hard disk?
How can you get her password on this computer?
Simple Approach to Access Hard Disk
Recall that you have physical access to somebody's computer.
Tools you need to break into an unsecured PC:
1. A Phillips-head screwdriver
2. USB thumb drive
3. Bootable Linux CD
4. Bootable Linux floppy
5. Hard drive mounting kit
What if the machine has a BIOS password?
A BIOS password can be bypassed:
1. Remove the machine's hard drive and put it in another machine
2. Reset the BIOS password via jumpers on the motherboard
3. Simply remove the CMOS battery to reset it
http://www.liverepair.com/encyclopedia/articles/cmosreplace.asp
Laptop CMOS Battery
A little bit of work
Mounting CD under Linux
Once accomplished, boot off the CD or floppy. The hard disk will be automatically mounted by the Linux on the CD or floppy; if not, use the Linux mount command and mount it yourself.
What is the next step? Copy? Delete? Change? What else?
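For the investigator scenario, the mount step above is where evidence is most easily damaged: an automatic read-write mount can replay a journal or update timestamps before anything is copied. The following is an added example (not from the slides) of mounting the suspect disk read-only, verifying the mount options from /proc/mounts, and hashing the raw device; the device path, filesystem type and mount point are assumed to be supplied by the examiner, and the option table extends the slide's case to journaled filesystems generally.

```shell
#!/bin/sh
# Added example, not from the slides: mount a seized disk read-only so the
# examination cannot alter the evidence, confirm the kernel actually mounted
# it read-only, and record a hash of the raw device for later comparison.
# Device path, filesystem type and mount point are assumed to be supplied by
# the examiner; a hardware write blocker in front of the disk is still best.

# Mount options per filesystem: "ro" everywhere, plus "noload" on ext3/ext4
# and "norecovery" on xfs so a dirty journal is not replayed onto the disk.
forensic_mount_opts() {
  case "$1" in
    ext3|ext4) echo "ro,noload,noexec,nodev,nosuid" ;;
    xfs)       echo "ro,norecovery,noexec,nodev,nosuid" ;;
    *)         echo "ro,noexec,nodev,nosuid" ;;
  esac
}

# Return 0 if the /proc/mounts text given in $1 lists mount point $2 with the
# exact "ro" option. Fields: device mountpoint fstype options dump pass.
mounted_readonly() {
  printf '%s\n' "$1" | awk -v mp="$2" '
    $2 == mp {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Mount device $1 of type $2 at $3; refuse to proceed unless it is read-only.
# The SHA-256 of the raw device is appended to evidence.sha256 in the current
# directory so the examiner can re-hash later and show nothing changed.
forensic_mount() {
  dev=$1; fstype=$2; mp=$3
  mkdir -p "$mp" || return 1
  mount -t "$fstype" -o "$(forensic_mount_opts "$fstype")" "$dev" "$mp" || return 1
  if ! mounted_readonly "$(cat /proc/mounts)" "$mp"; then
    echo "refusing to continue: $mp is not mounted read-only" >&2
    umount "$mp"
    return 1
  fi
  sha256sum "$dev" | tee -a evidence.sha256
}

# Usage as root (constructed values): forensic_mount /dev/sdb1 ntfs /mnt/evidence
```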
Disk Encryption
Disk encryption doesn't work: the keys are stored in memory, and physical access can reveal the keys.
Memory contents can be preserved between boots. Canned air increases the retention time to 10 minutes; liquid nitrogen increases the time by 1 hour.
http://www.freedom-to-tinker.com/?p=1257
Resetting Admin Passwords
Approach one - Use Windows XP Installation CD
1. Insert the Windows XP installation CD on a healthy installation
2. Press Enter to start setup
3. Press F8 for the license agreement
4. When you get the option to repair the current installation, press R to do so
5. Let it run through and, for Windows XP, wait until it reboots and is installing devices, then press Shift+F10 to open a command prompt
6. In Windows XP, type "nusrmgr.cpl" (without quotation marks) at the command prompt and press Enter. This should open the User Accounts applet in XP.
7. Select the users and change or remove their passwords accordingly, apply the settings, and close the Control Panel windows and command prompt windows so that just Setup is running again
8. Let the upgrade finish
Resetting Admin Passwords
Approach two - Use bootable CDs
Boot the system with the CD
Mount the hard disk to the booted OS
Get access to the password file
Do whatever you want
Petter Nordahl-Hagen's Offline NT Password & Registry Editor - a great boot CD/floppy that can reset any user's (including the local administrator's) password.
Step ONE: Select disk where the Windows installation is
====================================
Step ONE: Select disk where the Windows installation is
====================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot
Please select partition by number or
a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers, l = relist NTFS/FAT partitions, q = quit
Select: [1]
Step TWO: Select PATH and registry files
=====================================
Step TWO: Select PATH and registry files
=====================================
What is the path to the registry directory? (relative to windows disk) [windows/system32/config] :
-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff
Select which part of registry to load, use predefined choices or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :
Step THREE: Password or registry edit
=====================================
Step THREE: Password or registry edit
=====================================
chntpw version 0.99.2 040105, (c) Petter N Hagen
[.. some file info here ..]
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
<>=====<> chntpw Main Interactive Menu <>=======<>
Loaded hives: <sam> <system> <security>
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> 1
Step THREE (Cont.)
===== chntpw Edit User Info & Passwords ====
RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) or simply enter the username to change: [Administrator]
Step FOUR: Writing back changes
==========================
Step FOUR: Writing back changes
==========================
About to write file(s) back! Do it? [n] : y
EDIT COMPLETE
***** EDIT COMPLETE *****
You can try again if it somehow failed, or you selected wrong
New run? [n] : n
Please answer n here and then reboot with CTRL-ALT-DEL. Remember to remove the floppy or CD.
Windows XP may do some disk integrity checking; let it run.
Password Related Tools
Windows Password Recovery - can retrieve forgotten admin and users' passwords in minutes. Safest possible option: it does not write anything to the hard drive.
Petter Nordahl-Hagen's Offline NT Password & Registry Editor - a great boot CD/floppy that can reset the local administrator's password
Austrumi - bootable CD for recovering passwords and other cool tools
EBCD - Emergency Boot CD - bootable CD, intended for system recovery in the case of software or hardware faults
Openwall's John the Ripper - good boot floppy with cracking capabilities
http://www.petri.co.il/forgot_administrator_password.htm
John the Ripper
Program to crack passwords
Advantages
Disadvantages
Practical use?
Demo
Full-Fledged Tools
Knoppix: a full-featured Linux environment with GUI and many tools
FIRE: Forensic and Incident Response Environment bootable CD
BackTrack: a merging of two innovative penetration-testing live Linux distributions, Whax and Auditor
Others: Auditor, Knoppix-STD, Operator, PHLAK, L.A.S Linux, Helix, nUbuntu, INSERT, Network Security Toolkit, Gentoo Forensic Toolkit
References
Shelley Bard, Week 31: Physical security -- It is part of information security, 07/15/2004
Joel Dubin, Taking Care of Physical Security, 10/04/2005
Daniel Petri, How can I gain access to a Windows NT/2000/XP/2003 computer if I forgot the administrator's password? How can I reset the administrator's password if I forgot it?, 07/10/2006
Don Burleson, Lost Root Password. Now What?, 01/06/2004
insidepro.com, SAMInside, 08/28/2006
Irongeek, Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools, 3/22/2005
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci993832,00.html
University of Wisconsin Safety Department, Fire Suppression Systems, 04/04/2005
Reliable Fire Equipment Company, Inergen, 08/28/2006
Reliable Fire Equipment Company, VESDA Laser Plus Air Sampling Systems, 08/28/2006
SANS InfoSec Reading Room, Physical Security, 08/28/2006
Wikipedia, Computer security, 2006
Network Security Center (c) 2000 University of Chicago, NSC: Physical Security, 2000
Anne Saita, Laptops lifted right under corporate noses, 10/12/2005
Micki Krause, Harold F. Tipton, Handbook of Information Security Management, CRC Press LLC, ISBN: 0849399475, January 1998
marc spamcatcher, physical security pentesting procedures, tips, audit programs?, 12/02/2004