msra 2011 windows7 forensics-troyla
Post on 14-Jan-2015
Microsoft Confidential
Summit 2011
Troy Larson, Principal Forensics Program Manager
Network Security—Investigations
March 29, 2011
If a Bear Breaks into Your Computer, and No One Is There to See It, Does It Leave A Clue? Incident Response, Forensics, and Looking for Bear Tracks.
About This Presentation
Overview
Some forensic fundamentals.
Dissecting Windows 7 for malware, compromise and intrusions.
What is Digital Forensics?
The identification, preservation, collection, analysis, examination, . . . , and presentation of digital data in a reliable manner.
To collect admissible evidence.
Authentication.
Complete.
To answer questions about data or files.
Metadata.
Context.
To determine what has occurred on a system.
Digital Forensics in the Enterprise
At least two general types of forensics work:
Content focused.
Find email, documents, graphics, or other types of files that match some criteria.
eDiscovery and litigation support.
Activity focused.
Determine what somebody or something did on a computer system.
Unauthorized activity.
Malware.
Compromise or intrusion.
Digital Forensics in the Enterprise
When trust is questioned.
Can this _______ still be trusted?
Forensics from XP to Vista
• Changed location of boot sector.
• BitLocker: unlocking, imaging, preservation.
• exFAT. Transactional NTFS.
• Event logging changed.
• New format: .evtx.
• New system for collecting and displaying events.
• New security event numbering.
• New directory tree for account profiles.
• Symbolic links. “Virtual” folders.
• “Virtual” registries.
• Volume Shadow Copies and difference files.
• User Account Control.
• Enforced signed drivers on x64.
• Hard links. WinSxS.*
• Default settings: NTFS, change journal.
• Recycle Bin, no INFO2.
• Built-in volume and disk wiping.
• SuperFetch & prefetch files.
• Profile-based thumbcaches.*
• Office file format changes: .docx, .pptx, .xlsx.
• New Office files: InfoPath, Groove, OneNote.
• EFS-encrypted pagefile.
• Windows 2008 Hyper-V.
• Built-in Defender.
Forensics from Vista to Windows 7
• Changed volume header for BitLocker volumes.
• Updated BitLocker: multiple volumes, smartcard keys; not backward compatible.
• BitLocker To Go.
• Virtual hard drives (VHD): boot from, mount as “disks.”
• Virtual PC integrated into the OS.
• XP Mode.
• Flash media enhancements.
• Libraries, Sticky Notes, Jump Lists.
• Service and driver triggers.
• Fewer services on default startup.
• IE 8: InPrivate Browsing, tab and session recovery.
• Changes in Volume Shadow Copy behavior.
• New registry-like files.
• Different WebDAV.
• More x64 clients. x64-only Windows 2008 R2 (server).
• Changes in Hyper-V.
• Office 2010 file format changes: OneNote.
• Thumbnail cache.
• Virtual servers, thin clients.
• DirectAccess (IPsec).
• Windows Search.
Forensics in Incident Response
When trust is questioned.
Can this system still be trusted?
Forensics in Incident Response
Incident response immediate goals:
Technical assessment—what happened, when, how, etc.?
Risk assessment—what systems or data at risk?
Containment.
Incident response end goals:
Remediation.
Compliance.
Prevention.
Prosecution or litigation.
Forensics in Incident Response
[Diagram: layers of evidence on disk (Disk, fvevol.sys, Partition & Volume Managers, File Systems, OS Artifacts, Applications) and in the running system (RAM, Processes, Services, Drivers, Ports, Network).]
Forensics in Incident Response
Digital vivisection—collecting “live” data from a Windows system to determine what happened, when, and how.
Memory dump.
Processes.
Services.
Drivers.
Logged on users.
Ports.
System reports on itself.
Forensics in Incident Response
Digital autopsy—dissecting an offline Windows system to determine what happened, when, and how.
File systems and file metadata.
File signatures.
Registry.
Shell: links, jump lists.
Wininet.
Prefetch.
Shadow Copies.
Event and other logs.
Forensics in Incident Response
Digital forensics heuristics.
Any action on a computer changes something.
Memory—programs, drivers, data, etc.
Media—files and metadata.
This includes the actions of incident responders.
Not all changes persist, and those that do don’t have to persist forever.
Data preservation should generally follow the order of volatility.
There are rules governing the ways things work on any platform.
Win32 APIs, NTFS, Security, etc.
These rules generate artifacts—indicators of compromise.
Forensics in Incident Response
Digital forensics practical heuristics.
Compare memory dump to Windows own self-reporting.
Compare memory dump and self-reports to on disk sources.
Identify unknown files, mismatched files, and packed executables.
Examine ASEPs for unexpected items.
Examine Shell and Wininet data for indicators and correlations.
Examine prefetch files for program launches and dependencies.
Difference shadow copies to identify hidden files and infection times.
Review event and other logs, particularly those reporting on states of applications and system.
Forensics in Incident Response
Memory dumps
Sometimes, it is easy.
All Microsoft code should have symbols.* In the WinDbg lm listing below, every Microsoft module resolves to a private PDB; the two that report “no symbols” (mrxnet, mrxcls) are the ones to pull from disk and examine first. Legitimate third-party drivers also lack Microsoft symbols, so this narrows the list rather than convicting anything.
8d793000 8d79d000 nsiproxy (private pdb symbols) C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680 msvmmouf (private pdb symbols) C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000 mssmbios (private pdb symbols) C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980 mrxnet (no symbols)
8d7ac000 8d7b0d80 mrxcls (no symbols)
8d7b1000 8d7bd000 discache (private pdb symbols) C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000 CompositeBus (private pdb symbols) C:\Debuggers\sym\CompositeBus.pdb\F0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000 AgileVpn (private pdb symbols) C:\Debuggers\sym\AgileVpn.pdb\F9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000 rasl2tp (private pdb symbols) C:\Debuggers\sym\rasl2tp.pdb\6F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
Forensics in Incident Response
Compare memory dumps to self-reported information.
Forensics in Incident Response
Compare memory dumps and self-reported information to on-disk sources.
Forensics in Incident Response
Memory dumps and self-reported information should be examined for the unknown.
Unknown processes.
Unknown services.
Unknown drivers.
Unknown ports.
Etc.
Which unfortunately raises the question: what is unknown?
Good to build familiarity.
Baseline.
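The cross-check described on the last few slides, as an added example that is not part of the original deck: parse the WinDbg lm listing from the memory dump, flag modules that carry no Microsoft symbols, and compare the module set against what the system reports about itself. The lm text is the excerpt shown above; SELF_REPORT is a constructed stand-in for a live enumeration (for example driverquery output) and is assumed, not taken from any real system.

```python
# Added example: cross-check kernel modules seen in a memory dump against the
# system's own report of loaded drivers, and flag modules without symbols.
import re

# The `lm` excerpt from the slide, one module per line.
LM_OUTPUT = r"""
8d793000 8d79d000 nsiproxy (private pdb symbols) C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680 msvmmouf (private pdb symbols) C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000 mssmbios (private pdb symbols) C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980 mrxnet (no symbols)
8d7ac000 8d7b0d80 mrxcls (no symbols)
8d7b1000 8d7bd000 discache (private pdb symbols) C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000 CompositeBus (private pdb symbols) C:\Debuggers\sym\CompositeBus.pdb\F0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000 AgileVpn (private pdb symbols) C:\Debuggers\sym\AgileVpn.pdb\F9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000 rasl2tp (private pdb symbols) C:\Debuggers\sym\rasl2tp.pdb\6F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
"""

# Constructed (assumed) self-report of loaded drivers from the live system.
# mrxnet is deliberately absent to model a driver hiding from OS enumeration.
SELF_REPORT = ["nsiproxy", "msvmmouf", "mssmbios", "mrxcls", "discache",
               "CompositeBus", "AgileVpn", "rasl2tp"]

# start end name (symbol status) [pdb path]
LM_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+\(([^)]*)\)", re.I)


def parse_lm(text):
    """Return one dict per module line: name, load range, symbol status."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue
        start, end, name, symbols = m.groups()
        modules.append({"name": name.lower(), "start": int(start, 16),
                        "end": int(end, 16), "symbols": symbols})
    return modules


def cross_check(modules, self_report):
    """Compare memory-resident modules with the self-reported driver list."""
    in_memory = {m["name"] for m in modules}
    reported = {n.lower() for n in self_report}
    return {
        # Microsoft code resolves to a PDB; anything that does not needs a look.
        "no_symbols": sorted(m["name"] for m in modules if m["symbols"] == "no symbols"),
        # Present in RAM but absent from the OS's own report: a hidden module.
        "hidden": sorted(in_memory - reported),
        # Reported but not found in the dump: stale report or incomplete capture.
        "not_in_dump": sorted(reported - in_memory),
    }


if __name__ == "__main__":
    for key, names in cross_check(parse_lm(LM_OUTPUT), SELF_REPORT).items():
        print(f"{key}: {names}")
```

The same set-difference works for processes (dump vs. tasklist) and listening ports (dump vs. netstat); what changes is only the parser for each source.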
Forensics in Incident Response
To the media:
Identify and exclude known good files.
Industry standard: MD5 hash values of the operating system and application files. MD5 is collision-prone; reference sets such as the NSRL also publish SHA-1 for each entry, so match on the stronger hash where it is available.
Forensics in Incident Response
Known good file hashes?
http://www.nsrl.nist.gov/
Make as needed, based on standard load images, patched and updated as needed.
Pre-incident shadow copies. (Technically, not “known good,” but good enough to use for finding new, potentially bad files.)
Forensics in Incident Response
Recovery and scan of all files.
Undelete.
Check the file signature (header bytes) of every file against its extension to identify mismatches; also known as a file signature/extension comparison.
Scan for binaries with “packed” code.
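The signature/extension comparison and the packed-code scan, as an added example that is not from the deck: a small magic-byte table, a Shannon-entropy heuristic for packed or encrypted binaries, and a scan over constructed in-memory sample files. The sample files and the 7.0 bits-per-byte threshold are assumptions for illustration; a production scan would also inspect PE section names and import tables, which is omitted here.

```python
# Added example: file signature vs. extension comparison plus a packing
# heuristic based on byte entropy. Samples below are constructed.
import math
from collections import Counter

# Magic bytes -> (type label, extensions that legitimately carry this header).
SIGNATURES = [
    (b"MZ", "PE executable", {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}),
    (b"%PDF", "PDF", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\x89PNG\r\n\x1a\n", "PNG", {".png"}),
    (b"\xff\xd8\xff", "JPEG", {".jpg", ".jpeg"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document", {".doc", ".xls", ".ppt", ".msi"}),
]
ENTROPY_PACKED = 7.0  # assumed threshold; plain code and text sit well below this


def identify(data):
    """Return (label, legitimate extensions) for the leading magic bytes."""
    for magic, label, exts in SIGNATURES:
        if data.startswith(magic):
            return label, exts
    return None, set()


def entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(name, data):
    ext = name[name.rfind("."):].lower() if "." in name else ""
    label, exts = identify(data)
    h = entropy(data)
    return {
        "name": name,
        "type": label or "unknown",
        # A recognised header that does not belong with this extension.
        "mismatch": label is not None and ext not in exts,
        "entropy": round(h, 2),
        # High-entropy PE: likely packed or encrypted payload.
        "packed": label == "PE executable" and h > ENTROPY_PACKED,
    }


def scan(files):
    """files: iterable of (name, bytes). Returns only the findings worth a look."""
    return [r for r in (check_file(n, d) for n, d in files) if r["mismatch"] or r["packed"]]


# Constructed samples. The uniform byte run stands in for a packed section.
DOS_STUB = b"This program cannot be run in DOS mode." * 40
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n" + b"stream of ordinary text " * 50),
    ("notes.docx", b"PK\x03\x04" + b"[Content_Types].xml" * 20),
    ("~wtr4141.tmp", b"MZ\x90\x00" + DOS_STUB),        # PE hiding behind .tmp
    ("holiday.jpg", b"MZ\x90\x00" + DOS_STUB),         # PE hiding behind .jpg
    ("packed.exe", b"MZ\x90\x00" + bytes(range(256)) * 16),
    ("clean.exe", b"MZ\x90\x00" + DOS_STUB),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Entropy alone cannot separate a packer from legitimately compressed resources, so treat the flag as a triage cue, not a verdict.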
Forensics in Incident Response
Using file system date and time information:
Follow an event of interest (this is the starting point).
Sort on created dates and times. This is when files came to exist on the media.
Sort on last modified dates and times. This is when files were last written to.
Sort on entry modified (the NTFS MFT entry modified time in $STANDARD_INFORMATION) to catch changes in metadata or named streams.
Correlate: for each important finding, examine contemporaneous events. Especially important on exploits and downloaders.
Cross-check the date and time of significant files by comparing the times in the $STANDARD_INFORMATION attribute to those in the $FILE_NAME attribute. The $FILE_NAME times cannot be set through the Win32 API, so timestomping tools usually leave them untouched.
Corroborate event times with corresponding events. E.g., event logs, internal metadata, shadow copies.
Build a time line.
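The procedure on this slide, carried through as an added example that is not from the deck: build a file-system timeline from MFT-style records, apply the $STANDARD_INFORMATION versus $FILE_NAME cross-check, and merge in log events for corroboration. The records, paths and log entries are constructed for illustration; on a real case they would come from an MFT parser and the .evtx logs.

```python
# Added example: timeline with $SI/$FN timestomp cross-checks. All data is
# constructed; susp.sys models a file whose $SI times were set back.
from datetime import datetime


def t(*args):
    return datetime(*args)


# Constructed MFT-style records. susp.sys has $SI created/modified set back to
# an OS-install-looking date; the $FN created time and the $SI entry-modified
# time still carry the real date, and the stomped values have no sub-second part.
RECORDS = [
    {"path": r"\Program Files\App\app.exe",
     "si": {"created": t(2011, 3, 1, 9, 0, 0, 123456), "modified": t(2011, 3, 1, 9, 0, 0, 123456),
            "entry_modified": t(2011, 3, 1, 9, 0, 0, 123456)},
     "fn": {"created": t(2011, 3, 1, 9, 0, 0, 123456)}},
    {"path": r"\Users\user\Downloads\invoice.pdf",
     "si": {"created": t(2011, 3, 28, 14, 2, 10, 500200), "modified": t(2011, 3, 28, 14, 2, 11, 12000),
            "entry_modified": t(2011, 3, 28, 14, 2, 11, 12000)},
     "fn": {"created": t(2011, 3, 28, 14, 2, 10, 500200)}},
    {"path": r"\Windows\System32\drivers\susp.sys",
     "si": {"created": t(2009, 7, 14, 1, 12, 0, 0), "modified": t(2009, 7, 14, 1, 12, 0, 0),
            "entry_modified": t(2011, 3, 28, 14, 2, 41, 917300)},
     "fn": {"created": t(2011, 3, 28, 14, 2, 41, 917300)}},
]

# Constructed log events used to corroborate the file-system times.
LOG_EVENTS = [
    (t(2011, 3, 28, 14, 2, 12), "Application log", "PDF reader crashed"),
    (t(2011, 3, 28, 14, 3, 5), "System log", "new kernel driver loaded"),
]


def timestomp_indicators(rec):
    """Heuristics only; each has benign causes, but together they are telling."""
    si, fn = rec["si"], rec["fn"]
    found = []
    if si["created"] < fn["created"]:
        # $FN times are copied from $SI when the name is written, so $SI can
        # only predate $FN if $SI was changed afterwards.
        found.append("SI created earlier than FN created")
    if si["created"].microsecond == 0 and si["modified"].microsecond == 0:
        # Common timestomping utilities set whole seconds only.
        found.append("SI times have zero sub-second fraction")
    if si["entry_modified"] > si["modified"] and si["entry_modified"] > si["created"]:
        found.append("entry modified after created/modified (metadata change)")
    return found


def suspicious(records):
    flagged = ((r["path"], timestomp_indicators(r)) for r in records)
    return {path: flags for path, flags in flagged if flags}


def build_timeline(records, log_events):
    """Sorted (time, source, subject, note) rows from file times and log events."""
    rows = []
    for rec in records:
        note = "; ".join(timestomp_indicators(rec))
        rows.append((rec["si"]["created"], "$SI created", rec["path"], note))
        rows.append((rec["si"]["modified"], "$SI modified", rec["path"], note))
        rows.append((rec["si"]["entry_modified"], "$SI entry modified", rec["path"], note))
        rows.append((rec["fn"]["created"], "$FN created", rec["path"], note))
    for when, source, text in log_events:
        rows.append((when, source, text, ""))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for when, source, subject, note in build_timeline(RECORDS, LOG_EVENTS):
        print(f"{when.isoformat()}  {source:20} {subject}  {note}")
```

Note how the stomped $SI times push susp.sys to the very start of the timeline while its $FN created time lands between the reader crash and the driver-load event; that is the correlation the slide asks for.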
Forensics in Incident Response
Examine the registry for ASEPs:
Auto-start Extensibility Points.
http://www.usenix.org/event/lisa04/tech/full_papers/wang/wang.pdf
Autoruns, either online or offline.
http://technet.microsoft.com/en-us/sysinternals/bb963902
Forensics in Incident Response
When user activity may have contributed to the infection or compromise:
Registry “MRU” lists.
Forensics in Incident Response
When user activity may have contributed to the infection or compromise:
Registry, UserAssist.
Ntuser.dat.
Usrclass.dat.
Forensics in Incident Response
When user activity may have contributed to the infection or compromise:
Shell artifacts: Link files (also known as shortcuts).
Forensics in Incident Response
When user activity may have contributed to the infection or compromise:
Shell artifacts:
A malformed link file.
Forensics in Incident Response
The link points to a file, ~wtr4141.tmp, which is this:
Forensics in Incident Response
When user activity may have contributed to the infection or compromise:
Shell artifacts:
Jump lists.
Forensics in Incident Response
Wininet: Internet history.
Can expose browser exploit URLs and downloads.
Can indicate intruder downloads.
First appearance of intruder tools in the history and cache for the Default account.
Multiple data sources:
Internet history files (index.dat), and all fragments or deleted history files.
Browser cache folders.
Recovery files.
Jump lists.
Forensics in Incident Response
Cache folders
Forensics in Incident Response
Recovery folders
Forensics in Incident Response
Recover file
Forensics in Incident Response
Records of programs being run, and their dependencies, are found in prefetch files.
\Windows\Prefetch
The existence of a prefetch file indicates that the application named by the prefetch file was run.
The creation date of a prefetch file can indicate when the named application was first run (the file is written shortly after the first launch).
The modification date of a prefetch file can indicate when the named application was last run.
Prefetch file internals show the last launch time, the number of times run, and the files loaded during launch.
Caveats: Windows 7 keeps at most 128 prefetch files, so entries for older programs are evicted; the prefetcher can be disabled (EnablePrefetcher), so the absence of a .pf file proves nothing; and the file name carries a hash of the executable's path, so the same binary run from two locations leaves two files.
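Reading those internals, as an added example that is not from the deck: a minimal parser for the Windows 7 prefetch layout (format version 23) that pulls the executable name, last run time, run count and the list of files touched at launch. The field offsets are assumptions taken from the publicly documented format (Windows 8 and later use different versions and offsets), and the sample .pf bytes are constructed by build_prefetch() rather than taken from a real system.

```python
# Added example: parse the Windows 7 (version 23) prefetch layout. Offsets
# are assumed from public format documentation; the sample is constructed.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_VERSION = 23


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_prefetch(data):
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    if version != WIN7_VERSION:
        raise ValueError(f"prefetch version {version} not handled; only Windows 7 (23)")
    # Header: executable name (UTF-16, 60 bytes) at 0x10, path hash at 0x4C.
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    # File information block (version 23): filename strings offset/size at
    # 0x64, last run FILETIME at 0x80, run count at 0x98.
    names_off, names_size = struct.unpack_from("<II", data, 0x64)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x80)
    (run_count,) = struct.unpack_from("<I", data, 0x98)
    blob = data[names_off:names_off + names_size].decode("utf-16-le")
    return {
        "executable": exe,
        "path_hash": f"{path_hash:08X}",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "loaded_files": [s for s in blob.split("\x00") if s],
    }


def build_prefetch(exe, path_hash, last_run, run_count, loaded_files):
    """Constructed version-23 .pf image: 84-byte header + 156-byte file info."""
    blob = "".join(f + "\x00" for f in loaded_files).encode("utf-16-le")
    data = bytearray(0xF0)
    struct.pack_into("<I4s", data, 0, WIN7_VERSION, b"SCCA")
    struct.pack_into("<I", data, 0x0C, 0xF0 + len(blob))      # file size
    data[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", data, 0x4C, path_hash)
    struct.pack_into("<II", data, 0x64, 0xF0, len(blob))       # strings offset/size
    struct.pack_into("<Q", data, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", data, 0x98, run_count)
    return bytes(data) + blob


# Constructed sample; the hash value is arbitrary, not a real path hash.
SAMPLE = build_prefetch(
    "UPDATER.EXE", 0x1A2B3C4D,
    datetime(2011, 3, 28, 14, 3, 7, tzinfo=timezone.utc), 3,
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
     r"\DEVICE\HARDDISKVOLUME1\USERS\USER\APPDATA\LOCAL\TEMP\UPDATER.EXE",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SUSP.SYS"],
)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE)
    print(info["executable"], info["run_count"], info["last_run"].isoformat())
    for f in info["loaded_files"]:
        print("  ", f)
```

The loaded-file list is where dependencies show up: a launcher in a Temp directory that pulls in a driver from System32 is exactly the kind of pairing worth chasing in the MFT timeline.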
Forensics in Incident Response
Prefetch internals parsed.
Forensics in Incident Response
Shadow copies.
Snapshot of a volume at point in time.
Can show files added, modified, or deleted over time.
Forensics in Incident Response
Shadow copies.
Can be mounted as volumes, for scanning.
Both commands are typed at an elevated command prompt on the live system (in a batch file, double every % sign). The first creates a symbolic link on %SYSTEMDRIVE% for each shadow copy, so it changes the evidence volume; note that in the collection record. vssadmin prints each copy as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; the inner loop takes the last path component as the link name, and the trailing backslash on the mklink target is required.
for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
The second command follows each link and writes a recursive file list for that shadow copy to E:\ (an external drive, so the lists do not land on the volume being examined).
for /f "tokens=1" %f in ('dir C:\ /B /A:D ^| findstr HarddiskVolumeShadowCopy') do @dir C:\%f /B /O:N /S > E:\%f-fileList.txt
Forensics in Incident Response
Differencing shadow copies file lists makes malware files stand out:
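The differencing step, as an added example that is not from the deck: compare the per-snapshot file lists produced by the dir /B /S loop, report files that first appear in a later snapshot or only on the live volume, and bound when each one arrived from the snapshot creation times. The three listings, their timestamps and the paths in them are constructed; on a real case they are the E:\HarddiskVolumeShadowCopyN-fileList.txt files plus a listing of the live volume, and the snapshot times come from vssadmin list shadows.

```python
# Added example: difference shadow-copy file lists to find new files and
# bound their arrival time. All listings below are constructed.
from datetime import datetime

# (label, snapshot creation time, root prefix that `dir` printed, listing)
SNAPSHOTS = [
    ("HarddiskVolumeShadowCopy3", datetime(2011, 3, 20, 3, 0), r"C:\HarddiskVolumeShadowCopy3", r"""
C:\HarddiskVolumeShadowCopy3\Windows\System32\drivers\ntfs.sys
C:\HarddiskVolumeShadowCopy3\Program Files\App\app.exe
C:\HarddiskVolumeShadowCopy3\Users\user\Downloads\old-report.pdf
"""),
    ("HarddiskVolumeShadowCopy5", datetime(2011, 3, 27, 3, 0), r"C:\HarddiskVolumeShadowCopy5", r"""
C:\HarddiskVolumeShadowCopy5\Windows\System32\drivers\ntfs.sys
C:\HarddiskVolumeShadowCopy5\Program Files\App\app.exe
"""),
    ("live", datetime(2011, 3, 29, 10, 0), r"C:", r"""
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\drivers\susp.sys
C:\Program Files\App\app.exe
C:\Users\user\Downloads\invoice.pdf
"""),
]


def load_listing(root, text):
    """Strip the link name so paths from different copies compare equal."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.lower().startswith(root.lower()):
            raise ValueError(f"unexpected path outside {root}: {line}")
        paths.add(line[len(root):].lower())   # NTFS names are case-insensitive
    return paths


def diff_listings(older, newer):
    return {"added": sorted(newer - older), "removed": sorted(older - newer)}


def first_appearance(snapshots):
    """Per path: first snapshot containing it, and the time bounds that implies."""
    seen = {}
    previous_time = None
    for label, when, root, text in snapshots:           # oldest first
        for p in load_listing(root, text):
            if p not in seen:
                seen[p] = {"first_in": label,
                           "not_earlier_than": previous_time,   # absent from all earlier copies
                           "not_later_than": when}
        previous_time = when
    return seen


def new_files(snapshots):
    """Paths absent from the oldest snapshot: the candidates to examine first."""
    base = snapshots[0][0]
    return {p: v for p, v in first_appearance(snapshots).items() if v["first_in"] != base}


if __name__ == "__main__":
    for path, v in sorted(new_files(SNAPSHOTS).items()):
        print(f"{path}: first seen in {v['first_in']}, arrived between "
              f"{v['not_earlier_than']} and {v['not_later_than']}")
```

A file present in the pre-incident copy is not thereby known good (see the earlier slide on hash sets); the point of the diff is to shrink the pile of files that need a closer look and to date the ones that remain.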
Forensics in Incident Response
Events and other logs.
Often not the best entry point into an investigation.
System event log can show problems impacting system components.
Unexpected shutdowns
Port reassignment.
Application logs can show problems impacting various applications.
Unexpected terminations.
Errors and failures.
Value of the security event log depends on auditing policy settings.
Can be noisy.
Q&A
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.