forensic tools and techniques

Post on 18-Nov-2014


DESCRIPTION

This presentation covers some of the processes and tools used by first responders and analysts during the first part of a forensic investigation, including bootable forensic CDs, hard drive and memory imaging, and the tools used to analyze those images.

TRANSCRIPT

Forensic Tools and Techniques, Part I

Shane Hartman, CISSP, GCIA, GREM, Secure Info Systems

Topics

• Gathering Information
• Helix
• Netcat
• Memory Acquisition
  – With Helix
  – With Win32DD
  – With Winen
• Disk Acquisition
  – With Helix
  – With FTK
• MD5Sum
• Uptime
• Uname
• Date / Time
• Acquisition Analysis
• Strings
• Mounting the image
• Pasco

Heisenberg's Uncertainty Theorem

• You can't observe or measure anything without changing it somewhat.
• When working on a live system
  – You can make sure you do not influence the data on the hard drive
  – Because it is a live system, the same cannot be said of memory; more on that later.

Gathering Information

• Use your own tools
• If you encounter a live system, do not trust anything on it.
• Have static binaries that you have verified ready
• Gather basic information such as
  – date/time
  – processes
  – sessions
  – services, etc.

Helix

• How do you get this information without affecting the machine?
• Use Helix…
• This is an open source bootable CD
• It uses Unix as its OS
• It can be used on live or dead machines

Netcat

• Netcat is your friend
• When you need to move information off a machine using the network, use Netcat
• Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes:
  – Port scanning
  – Transferring files
  – Port listening
  and it can be used as a backdoor….

Netcat

• Netcat is used in conjunction with many tools including:
  – Helix
  – Forensic Tool Kit
  – And any tool that writes files
• Common usage
  – As a listener: nc -l -p 8888 > image.dd
    This tells netcat to listen on port 8888; anything coming across will be written into the image.dd file.
  – As a writer: ./memdump | ./nc 192.168.1.10 8888
    This sends the output of memdump to netcat, which attaches to a remote listener on port 8888 at 192.168.1.10
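The listener/writer pair above, as an added example in Python rather than netcat itself (this is not code from the presentation): both ends run on localhost, the sender hashes what it streams and the receiver hashes what it writes, so the transferred image can be verified, which raw netcat does not do for you. The memory dump bytes are constructed.

```python
import hashlib
import os
import socket
import tempfile
import threading

# Constructed stand-in for the bytes memdump would stream; not a real memory image.
FAKE_DUMP = bytes(range(256)) * 64 + b"MEMORY-IMAGE-END"


def receive_image(listener, out_path):
    """The 'nc -l -p 8888 > image.dd' side: accept one connection, write every byte
    to out_path until the sender closes, and return the MD5 of what was written."""
    conn, _ = listener.accept()
    h = hashlib.md5()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:            # sender closed its end: end of stream
                break
            out.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def send_image(host, port, data):
    """The './memdump | ./nc host 8888' side: stream data and return its MD5,
    computed on the sending end so the receiving copy can be checked against it."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)   # signal end of data, as nc does when stdin hits EOF
    return hashlib.md5(data).hexdigest()


def transfer(data, out_path=None, port=0):
    """Run both ends on localhost; returns (sent_md5, received_md5, hashes_match)."""
    out_path = out_path or os.path.join(tempfile.mkdtemp(), "image.dd")
    listener = socket.socket()
    listener.bind(("127.0.0.1", port))   # port 0: let the OS pick a free port for the demo
    listener.listen(1)
    result = {}
    rx_thread = threading.Thread(target=lambda: result.update(rx=receive_image(listener, out_path)))
    rx_thread.start()
    tx = send_image("127.0.0.1", listener.getsockname()[1], data)
    rx_thread.join()
    listener.close()
    return tx, result["rx"], tx == result["rx"]
```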

Memdump - Windows

• Through Helix you can dump the memory of the system.
• It can be posted to:
  – A network share
  – External storage
  – A netcat connection
• Works on Windows systems preceding Vista
• Microsoft changed how memory and the system are accessed from Vista forward, preventing this process from working.

Memory Acquisition with Helix

Memory Acquisition with win32dd

• Command line tool for dumping memory
• IR\RAM\win32dd\win32dd.exe
• Example: win32dd e:\temp\win32dd_mem.img
• Works on all versions of Windows including Vista and Windows 7 as long as you run it with administrator privileges

Memory Acquisition with Winen

• Command line tool for dumping memory
• IR\RAM\win32dd\winen.exe
• Example: winen e:\temp\winen_mem.img
• Works on all versions of Windows including Vista and Windows 7 as long as you run it with administrator privileges

Disk Acquisition with Helix

Disk Acquisition with FTK

• FTK Imager can be found on the Helix CD at IR\Imager\FTKImager

MD5Sum

• Now that you have an image, run an MD5 hash on it.
• IR\FAU\MD5sum will produce a hash for the image file
• Once complete, make a copy and verify it
• Then you can begin work

MD5Deep

• Similar to MD5Sum except you can use this to create hashes of whole directory structures.
• After extracting a directory from an image you can run md5deep to hash each file recovered and then check it later for compromise.
• Ex. md5deep c:\temp\evidence\case001\*.* -r
• This tells md5deep to go through the entire directory structure and produce a hash of each file.
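The MD5Sum and MD5Deep workflow from the two slides above, as an added Python example (not code from the presentation or from those tools): hash the image, verify the working copy against it, build a per-file baseline of an extracted evidence directory the way md5deep -r does, and re-check that baseline later to find anything modified, added or removed. The image bytes and evidence files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so a multi-GB image never has to fit in RAM


def md5_file(path):
    """Return the MD5 hex digest of a file, as md5sum prints it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_and_verify(image, working_copy):
    """Copy the acquired image and confirm the copy hashes identically.
    Returns (original_hash, copy_matches); only work on the copy when copy_matches is True."""
    original = md5_file(image)
    shutil.copyfile(image, working_copy)
    return original, md5_file(working_copy) == original


def hash_tree(root):
    """md5deep -r equivalent: {relative path: md5} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline, current):
    """Re-check a hashed tree later: which files were modified, added or removed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Run the workflow on a constructed image and evidence tree; returns the findings."""
    work = Path(tempfile.mkdtemp())
    image = work / "case001.img"
    image.write_bytes(b"\x00" * 4096 + b"NTFS    " + b"\xff" * 4096)  # constructed, not a real image
    _, copy_ok = copy_and_verify(image, work / "case001_copy.img")
    evidence = work / "evidence"
    (evidence / "Temporary Internet Files").mkdir(parents=True)
    (evidence / "index.dat").write_bytes(b"Client UrlCache MMF Ver 5.2")
    (evidence / "Temporary Internet Files" / "wsplus[1].css").write_text("body{}")
    baseline = hash_tree(evidence)                        # hash everything recovered
    (evidence / "index.dat").write_bytes(b"tampered")     # simulate a later modification
    (evidence / "new.txt").write_text("appeared later")   # simulate an added file
    return copy_ok, compare_baseline(baseline, hash_tree(evidence))
```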

More Gathering Information

• System Information
• Uptime
• Uname
• Date/Time
• Process List
• Handle
• ListDLLs
• Logon Sessions
• Services
• Netstat

System Information

Uptime - Windows

• Windows utility showing how long the system has been up.
• This information can be used as part of the timeline process for your investigation
• On the Helix CD you will find 2 versions
  – IR\Cygwin\uptime.exe produces:
    23:56:30 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
  – IR\Microsoft\uptime.exe produces:
    \\test1 has been up for: 0 day(s), 1 hour(s), 41 minute(s), 31 second(s)

Uname -a Windows

• Produces OS type and kernel build
• IR\unxutils\uname.exe -a
  – The -a option outputs all information
  – Output: WindowsNT srql13132257 1 6 x86

Date / Time

• Date and Time utilities are located on the Helix CD in
  – IR\Cygwin\Date.exe and IR\Cygwin\Time.exe
• These are the same utilities as in the Windows system, but verified.

Process Information Helix

Process List - PSlist

• PSList can be found in the Sysinternals directory
• Running multiple tools can give you extra information

Handle

• Gives you insight into which files in which directory are opened and which PID they are assigned to

ListDLLs

• Like PSList and Handle, ListDLLs shows you which DLLs are in use with which PID. It also shows what version of the DLL is running.

Logon Sessions

Services

Netstat

• Netstat displays both incoming and outgoing network connections

Acquisition Analysis

• Strings
• Mounting image in Linux
• Mounting image with FTK
• Extracting a file with FTK
• Internet Explorer History - Pasco

Strings

• Strings is a utility which looks at a file and tries to show everything in it that is ASCII text
• Output is messy, but sometimes information can be gathered from it
• It is located on the Helix CD in
  – IR\Sysinternals\Strings.exe
  – Format: strings -a mem_image.img, producing output like the following:

aaW(h4aaWaaWN<@39D$N8WPWQcompiling file:C:\WINDOWS\system32\WBEM\evntrprv.mof(Wed Jan 06 21:25:29 2010.1100001) : Parsing MOF file: C:\WINDOWS\system32\WBEM\hnetcfg.mof(Wed Jan 06 21:25:29 2010.1100091) : Finished compiling file:C:\WINDOWS\system32\WBEM\hnetcfg.mof(Wed Jan 06 21:25:29 2010.1100091) : Parsing MOF file: C:\WINDOWS\system32\WBEM\sr.mof

Mounting the image in Linux

• Once you have an image file you can review it on a Linux system by simply mounting it, just like any other device.
• Create a directory for the mount, such as
  – cd /mnt
  – mkdir case001
• mount -o ro,noexec,loop /tmp/case001.img /mnt/case001
• With root access you can now review the file system

Mounting the image in FTK

• File – Add Evidence Item – Image File

Extract a file from the image w/FTK

• Extract a file from the image to do analysis
• Find the file you're interested in, such as index.dat
• Right-click on the file and extract it to a location
• From here you can run tools on the file to gather information
• In the case of index.dat, it contains information about where the user has gone on the internet with the browser. More on that to come.

Internet Explorer History - Pasco

• Found on the Helix CD in the IR\Foundstone directory
• Pasco will read the index.dat file from Internet Explorer and produce output showing all the URLs the user visited.
• Ex. pasco index.dat > user1_ie.txt
• Produces something like this (one record per line):
  – URL http://www.shadowserver.org/wiki/pub/wsplus/wsplus.css Tue Mar 20 21:17:55 2007 Thu Jan 7 03:00:49 2010 wsplus[1].css C9B5QLQV HTTP/1.1 200 OK ETag: "1b432-d41-3d40a6c0" Content-Length: 3393 Keep-Alive: timeout=15, max=95 Content-Type: text/css ~U:evil
  – URL http://images.google.com/intl/en_ALL/images/logos/images_logo_lg.gif Wed May 27 22:00:10 2009 Thu Jan 7 03:02:10 2010 images_logo_lg[1].gif C9B5QLQV HTTP/1.1 200 OK Content-Type: image/gif Content-Length: 9969 X-XSS-Protection: 0 ~U:evil
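Pasco output is only the starting point; the investigator still has to turn it into a timeline. The following is an added Python example (not code from the presentation or from Pasco) that parses records like the two above into structured entries, orders them by access time and counts visits per host. It assumes pasco's tab-separated layout of type, URL, modified time, access time, filename, cache directory and HTTP headers; the sample text is constructed from the slide's records with the headers shortened.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Assumed pasco layout: a short header, then one TAB-separated record per line with
# the columns TYPE, URL, MODIFIED TIME, ACCESS TIME, FILENAME, DIRECTORY, HTTP HEADERS.
FIELDS = ["type", "url", "modified", "accessed", "filename", "directory", "headers"]
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamps as in the slide output

# Constructed sample, modelled on the two records in the slide (headers shortened).
SAMPLE = (
    "History File: index.dat\n\n"
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\thttp://www.shadowserver.org/wiki/pub/wsplus/wsplus.css\tTue Mar 20 21:17:55 2007"
    "\tThu Jan 7 03:00:49 2010\twsplus[1].css\tC9B5QLQV\tHTTP/1.1 200 OK Content-Type: text/css ~U:evil\n"
    "URL\thttp://images.google.com/intl/en_ALL/images/logos/images_logo_lg.gif\tWed May 27 22:00:10 2009"
    "\tThu Jan 7 03:02:10 2010\timages_logo_lg[1].gif\tC9B5QLQV\tHTTP/1.1 200 OK Content-Type: image/gif ~U:evil\n"
)

def parse_time(text):
    """Convert a pasco timestamp to datetime; None when the field is blank or malformed."""
    try:
        return datetime.strptime(text.strip(), TIME_FMT)
    except ValueError:
        return None

def parse_pasco(text):
    """Parse pasco output into records, skipping the header and any line that is not a record."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < len(FIELDS) or parts[0] == "TYPE":
            continue
        rec = dict(zip(FIELDS, parts[:6] + ["\t".join(parts[6:])]))  # keep any tabs inside headers
        rec["host"] = urlsplit(rec["url"]).hostname or ""
        rec["modified"], rec["accessed"] = parse_time(rec["modified"]), parse_time(rec["accessed"])
        user = re.search(r"~U:(\S+)", rec["headers"])  # the ~U: token carries the Windows user name
        rec["user"] = user.group(1) if user else None
        records.append(rec)
    return records

def timeline(records):
    """(access time, user, url) tuples in chronological order, for the investigation timeline."""
    dated = sorted((r for r in records if r["accessed"]), key=lambda r: r["accessed"])
    return [(r["accessed"], r["user"], r["url"]) for r in dated]

def hosts_visited(records):
    """Records per host: a quick way to spot hosts that do not belong in this user's history."""
    return Counter(r["host"] for r in records)
```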

• This is just the beginning of what is out there…
