computer forensics

Chapter 3 Computer Forensics

Upload: leigh

Post on 19-Jan-2016


DESCRIPTION

Computer Forensics. Chapter 3. Understanding the Windows Registry. Registry: a database that stores hardware and software configuration information, network connections, user preferences, and setup information. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Computer Forensics

Chapter 3

Computer Forensics

Page 2: Computer Forensics

Understanding the Windows Registry

Page 3: Computer Forensics

Understanding the Windows Registry

• Registry
– A database that stores hardware and software configuration information, network connections, user preferences, and setup information

• For investigative purposes, the Registry can contain valuable evidence (installed programs, attached USB devices, recently opened files, user accounts, network connections)

• To view the Registry, you can use:
– Regedit (Registry Editor) on Windows 9x systems
– Regedt32 on Windows 2000 and XP (on XP, Regedt32 is only a stub that launches Regedit)
– Both editors work on the running system; for hives taken from an acquired image, use an offline Registry viewer so nothing on the evidence is modified

Page 4: Computer Forensics

Exploring the Organization of the Windows Registry

• Registry terminology:– Registry

– Registry Editor

– HKEY

– Key

– Subkey

– Branch

– Value

– Default value

– Hives

Page 5: Computer Forensics

Exploring the Organization of the Windows Registry (continued)

Page 6: Computer Forensics

Exploring the Organization of the Windows Registry (continued)

Page 7: Computer Forensics

Understanding Microsoft Startup Tasks

Page 8: Computer Forensics

Understanding Microsoft Startup Tasks

• Learn what files are accessed when Windows starts

• This information helps you determine when a suspect’s computer was last accessed
– Important with computers that might have been used after an incident was reported

Page 9: Computer Forensics

Startup in Windows NT and Later

• All Windows NT computers perform the following steps when the computer is turned on:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon

Page 10: Computer Forensics

Startup Process for Windows Vista

• Uses the newer Extensible Firmware Interface (EFI) as well as the older BIOS system

• NT Loader (NTLDR) has been replaced by three boot utilities
– Bootmgr: displays the list of operating systems (reads the Boot Configuration Data store, which replaces Boot.ini)
– Winload.exe: loads the kernel, HAL, and boot drivers
– Winresume.exe: restores Vista from hibernation (hiberfil.sys)

• See link Ch 6g

Page 11: Computer Forensics

Startup Files for Windows XP

• NT Loader (NTLDR)

• Boot.ini

• BootSect.dos

• NTDetect.com

• NTBootdd.sys

• Ntoskrnl.exe

• Hal.dll

• Pagefile.sys

• Device drivers

Page 12: Computer Forensics

Startup in Windows NT and Later (continued)

• Windows XP System Files

Page 13: Computer Forensics

Startup in Windows NT and Later (continued)

• Contamination concerns with Windows XP
– When you start a Windows XP NTFS workstation, several files are accessed immediately
• The last access date and time stamp on those files changes to the current date and time
– This destroys potential evidence that shows when the workstation was last used
– So never boot a suspect machine from its own drive: image it through a write blocker (or from a forensic boot CD) instead
– Note that Windows Vista and later disable NTFS last-access updates by default (the NtfsDisableLastAccessUpdate setting), so on those systems a stale last-access time proves nothing

Page 14: Computer Forensics

Startup in Windows 9x/Me

• System files in Windows 9x/Me containing valuable information can be altered easily during startup

• Windows 9x and Windows Me have similar boot processes

• Windows 9x OSs have two modes:– DOS protected-mode interface (DPMI)– Protected-mode GUI

Page 15: Computer Forensics

Startup in Windows 9x/Me (continued)

• The system files used by Windows 9x have their origin in MS-DOS 6.22
– Io.sys communicates between a computer’s BIOS, the hardware, and the OS kernel
• If F8 is pressed during startup, Io.sys loads the Windows Startup menu
– Msdos.sys is a hidden text file containing startup options for Windows 9x
– Command.com provides a command prompt when booting to MS-DOS mode (DPMI)

Page 16: Computer Forensics

Understanding MS-DOS Startup Tasks

Page 17: Computer Forensics

Understanding MS-DOS Startup Tasks

• Two files are used to configure MS-DOS at startup:
– Config.sys
• A text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration
– Autoexec.bat
• A batch file containing customized settings for MS-DOS that runs automatically

• Io.sys is the first file loaded after the ROM bootstrap loader finds the disk drive

Page 18: Computer Forensics

Understanding MS-DOS Startup Tasks (continued)

• Msdos.sys is the second program to load into RAM, immediately after Io.sys
– It looks for the Config.sys file to configure device drivers and other settings

• Msdos.sys then loads Command.com

• As the loading of Command.com nears completion, Msdos.sys looks for and loads Autoexec.bat

Page 19: Computer Forensics

Other Disk Operating Systems

• Control Program for Microprocessors (CP/M)
– First nonspecific microcomputer OS
– Written by Gary Kildall and sold by Digital Research from the mid-1970s (not 1970)
– 8-inch floppy drives; no support for hard drives

• Digital Research Disk Operating System (DR-DOS)
– Developed in 1988 to compete with MS-DOS
– Used FAT12 and FAT16 and had a richer command environment

Page 20: Computer Forensics

Other Disk Operating Systems (continued)

• Personal Computer Disk Operating System (PC-DOS)– Created by Microsoft under contract for IBM– PC-DOS works much like MS-DOS

Page 21: Computer Forensics

Determining What Data to Collect and Analyze

Page 22: Computer Forensics

Determining What Data to Collect and Analyze

• Examining and analyzing digital evidence depends on:
– Nature of the case
– Amount of data to process
– Search warrants and court orders
– Company policies

• Scope creep
– Investigation expands beyond the original description

• Right of full discovery of digital evidence

Page 23: Computer Forensics

Approaching Computer Forensics Cases

• Some basic principles apply to almost all computer forensics cases
– The approach you take depends largely on the specific type of case you’re investigating

• Basic steps for all computer forensics investigations
– For target drives, use only recently wiped media that have been reformatted
• And inspected for computer viruses

Page 24: Computer Forensics

Approaching Computer Forensics Cases (continued)

• Basic steps for all computer forensics investigations (continued)
– Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
– Remove the original drive from the computer
• Check date and time values in the system’s CMOS
– Record how you acquired data from the suspect drive
– Process the data methodically and logically

Page 25: Computer Forensics

Approaching Computer Forensics Cases (continued)

• Basic steps for all computer forensics investigations (continued)
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related to the investigation
• Make your best effort to recover file contents

Page 26: Computer Forensics

Approaching Computer Forensics Cases (continued)

• Basic steps for all computer forensics investigations (continued)
– Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
– Maintain control of all evidence and findings, and document everything as you progress through your examination
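The inventory and known-hash steps above, as an added example written for this page (it is not code from the slides, FTK, or ProDiscover). It walks a mounted image from the root, hashes every file, detects executables by their MZ/ELF magic rather than by extension (a renamed .exe still starts with MZ), and reports the executables whose hash is not in the known set. The known-hash set and the sample tree are constructed for the demo; in practice the set would come from a reference library such as NSRL or the site's gold image.

```python
import hashlib
import os
import tempfile

# Added example, not from the slides or any named toolkit.
PE_MAGIC = b"MZ"          # DOS/PE executable header
ELF_MAGIC = b"\x7fELF"    # ELF executable header


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def looks_executable(data):
    """Identify executables by content, not by name."""
    return data.startswith(PE_MAGIC) or data.startswith(ELF_MAGIC)


def triage_files(files, known_hashes):
    """files: iterable of (path, content bytes); known_hashes: set of sha256 hex.
    Returns (inventory, to_examine). inventory lists every file with its hash;
    to_examine lists executables whose hash is not in the known set."""
    inventory, to_examine = [], []
    for path, data in files:
        digest = sha256_bytes(data)
        entry = {"path": path, "size": len(data), "sha256": digest,
                 "executable": looks_executable(data),
                 "known": digest in known_hashes}
        inventory.append(entry)
        if entry["executable"] and not entry["known"]:
            to_examine.append(path)
    return inventory, sorted(to_examine)


def walk_root(root):
    """Yield (relative path, content) for every file under root, starting at
    the root of the mounted image, in deterministic order."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root), fh.read()


def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    good_exe = PE_MAGIC + b"\x90\x00" + b"known good binary".ljust(64, b"\x00")
    dropped = PE_MAGIC + b"\x90\x00" + b"unknown dropper".ljust(64, b"\x00")
    known = {sha256_bytes(good_exe)}          # constructed "known good" set
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        os.makedirs(os.path.join(root, "Users", "bob", "Documents"))
        samples = {
            "Windows/System32/calc.exe": good_exe,
            "Users/bob/Documents/report.doc": b"plain document text",
            "Users/bob/Documents/notes.txt": dropped,   # renamed executable
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return triage_files(walk_root(root), known)


if __name__ == "__main__":
    inventory, suspicious = demo()
    for e in inventory:
        print(e["path"], e["sha256"][:16], "exe" if e["executable"] else "data")
    print("executables to examine:", suspicious)
```

The point of checking the magic bytes is that the slide's rule ("every executable that doesn't match known hash values") only works if you find every executable first; trusting the extension lets a renamed binary slip past the hash check.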

Page 27: Computer Forensics

Refining and Modifying the Investigation Plan

• Considerations
– Determine the scope of the investigation
– Determine what the case requires
– Whether you should collect all information
– What to do in case of scope creep

• The key is to start with a plan but remain flexible in the face of new evidence

Page 28: Computer Forensics

Using AccessData Forensic Toolkit to Analyze Data

• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs

• FTK can analyze data from several sources, including image files from other vendors

• FTK produces a case log file

• Searching for keywords
– Indexed search
– Live search
– Supports options and advanced searching techniques, such as stemming

Page 29: Computer Forensics

Using AccessData Forensic Toolkit to Analyze Data (continued)

Page 30: Computer Forensics

Using AccessData Forensic Toolkit to Analyze Data (continued)

Page 31: Computer Forensics

Using AccessData Forensic Toolkit to Analyze Data (continued)

• Analyzes compressed files

• You can generate reports– Using bookmarks

Page 32: Computer Forensics

Using AccessData Forensic Toolkit to Analyze Data (continued)

Page 33: Computer Forensics

Locating and Recovering Graphics Files

Page 34: Computer Forensics

Locating and Recovering Graphics Files

• Operating system tools
– Time consuming
– Results are difficult to verify

• Computer forensics tools
– Image headers
• Compare them with good header samples
• Use header information to create a baseline analysis
– Reconstruct fragmented image files
• Identify data patterns and modified headers

Page 35: Computer Forensics

Identifying Graphics File Fragments

• Carving or salvaging
– Recovering all file fragments

• Computer forensics tools
– Carve from slack and free space
– Help identify image file fragments and put them together

Page 36: Computer Forensics

Repairing Damaged Headers

• Use good header samples

• Each image file type has a characteristic file header (signature)
– JPEG files begin with the Start of Image marker FF D8 FF; in a JFIF file this continues E0 00 10 (APP0 segment, length 16), so the full JFIF header is FF D8 FF E0 00 10
– Most JPEG files also include the JFIF string, which sits right after those six bytes
– JPEGs written by cameras usually carry Exif metadata instead and begin FF D8 FF E1 (APP1 segment), so keep a good sample of each variant and match the variant before patching a header

• Exercise:
– Investigate a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS)

Page 37: Computer Forensics

Searching for and Carving Data from Unallocated Space

Page 38: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

Page 39: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

• Steps
– Planning your examination
– Searching for and recovering digital photograph evidence
• Use ProDiscover to search for and extract (recover) possible evidence of JPEG files

• False hits are referred to as false positives

Page 40: Computer Forensics
Page 41: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

Page 42: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

Page 43: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

Page 44: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

Page 45: Computer Forensics

Searching for and Carving Data from Unallocated Space (continued)

Page 46: Computer Forensics

Rebuilding File Headers

• Try to open the file first and follow the steps below only if you can’t see its content

• Steps
– Recover more pieces of the file if needed
– Examine the file header
• Compare it with a good header sample
• Manually insert the correct hexadecimal values
– Test the corrected file
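The carving and header-repair procedure from the slides on unallocated space and on rebuilding file headers, as one added example (written for this page; not the slides' own exercise, and not ProDiscover or FTK code). It signature-carves every FF D8 FF candidate out of a constructed block of "unallocated space", validates the JPEG segment structure so that random bytes matching the signature are reported as false positives, then finds a file whose first six bytes were zeroed by searching for the JFIF string, overwrites the damaged bytes with the known-good JFIF header sample, and tests the result by walking its segments the way a viewer would. The minimal JPEG and the filler bytes are constructed inline.

```python
import re

# Added example; not from the slides, FTK or ProDiscover.
SOI = b"\xff\xd8\xff"                             # Start of Image + first marker prefix
EOI = b"\xff\xd9"                                 # End of Image
JFIF_ID = b"JFIF\x00"
GOOD_JFIF_HEADER = bytes.fromhex("FFD8FFE00010")  # SOI, APP0 marker, APP0 length 16
GOOD_EXIF_HEADER = bytes.fromhex("FFD8FFE1")      # SOI, APP1 marker (camera Exif files)


def identify_header(data):
    if data.startswith(GOOD_JFIF_HEADER):
        return "JFIF"
    if data.startswith(GOOD_EXIF_HEADER):
        return "Exif"
    return None


def validate_jpeg(data):
    """Walk the marker segments after SOI. True if every segment up to SOS is
    well formed (FF marker, sane length) and the data ends with EOI."""
    if not data.startswith(b"\xff\xd8") or not data.endswith(EOI):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            return True
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False


def carve_by_signature(image):
    """Every FF D8 FF is a candidate; keep it only if its structure checks out."""
    hits = []
    for m in re.finditer(re.escape(SOI), image):
        start = m.start()
        end = image.find(EOI, start)
        if end == -1:
            hits.append((start, None, "no EOI: truncated or fragmented"))
            continue
        candidate = image[start:end + 2]
        if validate_jpeg(candidate):
            hits.append((start, candidate, "ok"))
        else:
            hits.append((start, None, "false positive: bad segment structure"))
    return hits


def carve_by_jfif_string(image):
    """Secondary search for files whose first bytes are damaged: in a JFIF
    file the identifier starts 6 bytes after the start of the file."""
    return [m.start() - 6 for m in re.finditer(re.escape(JFIF_ID), image) if m.start() >= 6]


def repair_header(fragment):
    """Overwrite the first 6 bytes with the good JFIF sample, cut at EOI,
    and test the result. Returns the repaired file or None."""
    end = fragment.find(EOI)
    if end == -1 or fragment[6:11] != JFIF_ID:
        return None
    fixed = GOOD_JFIF_HEADER + fragment[6:end + 2]
    return fixed if validate_jpeg(fixed) else None


def make_jpeg(payload):
    """Constructed minimal JFIF file: SOI, APP0, SOS, entropy bytes, EOI."""
    app0 = b"\xff\xe0\x00\x10" + JFIF_ID + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + payload + EOI


def demo():
    good = make_jpeg(b"\x12\x34\x56")
    damaged = b"\x00" * 6 + good[6:]                          # header zeroed
    false_pos = b"\xff\xd8\xff\x00\x01\x02" + EOI             # signature hit, bad segment
    filler = b"\x00" * 16                                     # constructed free space
    image = filler + good + filler + false_pos + filler + damaged + filler
    sig_hits = [(off, reason) for off, _, reason in carve_by_signature(image)]
    repaired = [repair_header(image[off:]) for off in carve_by_jfif_string(image)]
    return {"signature_hits": sig_hits, "repaired": repaired}


if __name__ == "__main__":
    out = demo()
    print("signature carve:", out["signature_hits"])
    print("repaired via JFIF string:", [identify_header(r) for r in out["repaired"]])
```

Signature carving alone misses the zeroed-header copy entirely and accepts the false positive until the segment walk rejects it; the JFIF-string pass recovers the damaged copy because the identifier survived. Exif files need the same treatment with the FF D8 FF E1 sample and a second search string.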

Page 47: Computer Forensics

Rebuilding File Headers (continued)

Page 48: Computer Forensics
Page 49: Computer Forensics
Page 50: Computer Forensics

Rebuilding File Headers (continued)

Page 51: Computer Forensics

Rebuilding File Headers (continued)

Page 52: Computer Forensics

Reconstructing File Fragments

• Locate the starting and ending clusters
– For each fragmented group of clusters in the file

• Steps
– Locate and export all clusters of the fragmented file
– Determine the starting and ending cluster numbers for each fragmented group of clusters
– Copy each fragmented group of clusters, in their proper sequence, to a recovery file
– Rebuild the corrupted file’s header to make it readable in a graphics viewer

Page 53: Computer Forensics

Reconstructing File Fragments (continued)

Page 54: Computer Forensics

Reconstructing File Fragments (continued)

Page 55: Computer Forensics

Reconstructing File Fragments (continued)

Page 56: Computer Forensics

Reconstructing File Fragments (continued)

Page 57: Computer Forensics

Reconstructing File Fragments (continued)

• Remember to save the updated recovered data with a .jpg extension

• Sometimes suspects intentionally corrupt cluster links in a disk’s FAT
– In the FAT, a free cluster holds zero; a cluster marked bad holds the bad-cluster value (0xFF7 on FAT12, 0xFFF7 on FAT16, 0x0FFFFFF7 on FAT32), not zero
– A link that has been zeroed makes the chain appear to end early (the next cluster looks free); a link set to the bad-cluster value hides the rest of the file from a normal copy
– Either way, in a disk editor the chain stops before the file size is accounted for, and the remaining clusters must be reassembled by hand
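The reconstruction steps above, as an added example (written for this page; it is not the slides' exercise or a disk editor's output). A FAT16 table and data area are constructed in memory: the target file occupies clusters 2 and 3, then 7 and 8, with another file in between. Following the chain from the directory entry's starting cluster works on the intact table; after the 3 to 7 link is zeroed the walk stops early and reports why, and the file is then rebuilt from the cluster runs the examiner identified, in the proper order.

```python
# Added example; not from the slides or any disk editor. FAT16 values:
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC = 0xFFF8          # 0xFFF8..0xFFFF: last cluster of a file
CLUSTER_SIZE = 8            # bytes per cluster in this constructed volume


def follow_chain(fat, start):
    """Walk the FAT from a file's starting cluster.
    Returns (clusters reached, reason the walk stopped)."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            return chain, "out of range"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC:
            return chain, "ok"
        if nxt == FAT16_BAD:
            return chain, "bad-cluster marker in chain"
        if nxt == FAT16_FREE:
            return chain, "link zeroed: chain broken"
        cur = nxt


def read_clusters(data_area, clusters):
    """Cluster 2 is the first cluster of the data area."""
    return b"".join(data_area[(c - 2) * CLUSTER_SIZE:(c - 1) * CLUSTER_SIZE]
                    for c in clusters)


def recover_by_runs(data_area, runs, file_size):
    """Manual reassembly: runs are (first, last) cluster pairs in the order
    the examiner determined from content, then trimmed to the file size."""
    clusters = [c for first, last in runs for c in range(first, last + 1)]
    return read_clusters(data_area, clusters)[:file_size]


def free_clusters(fat):
    """Where to look for the rest of a file whose chain was cut."""
    return [c for c in range(2, len(fat)) if fat[c] == FAT16_FREE]


def demo():
    # Constructed FAT: entries 0 and 1 are reserved; file A = 2,3,7,8; file B = 4,5.
    fat = [0xFFF8, 0xFFFF, 3, 7, 5, 0xFFFF, 0, 8, 0xFFFF, 0]
    data = (b"FRAG-A1 " + b"FRAG-A2 " + b"other-1 " + b"other-2 " +
            b"        " + b"FRAG-A3 " + b"FRAG-A4\x00" + b"        ")
    file_size = 31
    intact = follow_chain(fat, 2)
    tampered = list(fat)
    tampered[3] = FAT16_FREE                  # suspect zeroes the 3 -> 7 link
    broken = follow_chain(tampered, 2)
    manual = recover_by_runs(data, [(2, 3), (7, 8)], file_size)
    return intact, broken, manual


if __name__ == "__main__":
    intact, broken, manual = demo()
    print("intact chain:", intact)
    print("after tampering:", broken)
    print("manual reassembly:", manual)
```

On a real volume the runs come from reading the clusters in a disk editor and matching content (a JPEG's segment structure, text continuity) rather than from the FAT, and the file size from the directory entry tells you when you have enough clusters.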

Page 58: Computer Forensics

Reconstructing File Fragments (continued)

Page 59: Computer Forensics

Reconstructing File Fragments (continued)

Page 60: Computer Forensics

Network Forensics Overview

Page 61: Computer Forensics

Network Forensics Overview

• Network forensics
– Systematic tracking of incoming and outgoing traffic
• To ascertain how an attack was carried out or how an event occurred on a network

• Intruders leave a trail behind

• Determine the cause of the abnormal traffic
– Internal bug
– Attackers

Page 62: Computer Forensics

Securing a Network

• Layered network defense strategy
– Sets up layers of protection to hide the most valuable data at the innermost part of the network

• Defense in depth (DiD)
– Similar approach developed by the NSA
– Modes of protection
• People (hiring and treatment)
• Technology (firewalls, IDSs, etc.)
• Operations (patches, updates)

Page 63: Computer Forensics

Securing a Network (continued)

• Testing networks is as important as testing servers

• You need to be up to date on the latest methods intruders use to infiltrate networks
– As well as methods internal employees use to sabotage networks

Page 64: Computer Forensics

Performing Live Acquisitions

Page 65: Computer Forensics

Performing Live Acquisitions

• Live acquisitions are especially useful when you’re dealing with active network intrusions or attacks

• Live acquisitions done before taking a system offline are also becoming a necessity
– Because attacks might leave footprints only in running processes or RAM

• Live acquisitions don’t follow typical forensics procedures
– The system keeps changing while you work on it, and your own tools change it too, so document every command and accept that the capture is a snapshot, not a repeatable image

• Order of volatility (OOV)
– How long a piece of information lasts on a system
– Collect the most volatile data first: CPU registers and cache, then routing and ARP tables, process list and kernel state, then RAM, then swap and temporary files, then the disk, then remote logs and archival media (the ordering given in RFC 3227)

Page 66: Computer Forensics

Performing Live Acquisitions (continued)

• Steps
– Create or download a live-acquisition forensic CD (or USB) and verify the hashes of its tools before use
– Make sure you keep a log of all your actions
– A network drive is ideal as a place to send the information you collect; an alternative is a USB disk (never write to the suspect’s own drive)
– Copy the physical memory (RAM)
– The next step varies: search for rootkits, check firmware, image the drive over the network, or shut down for later static acquisition
– Be sure to get a forensic hash value of all files you recover during the live acquisition, and record it in the log at the time of collection
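The logging and hashing steps above, as an added example (written for this page, not taken from the slides or any live-response toolkit). It orders the requested artifact classes by the order of volatility from RFC 3227, hashes each collected artifact with two algorithms, and keeps an append-only examiner log in which every entry carries the hash of the previous entry, so that an entry edited after the fact is detectable when the log is verified. The case identifier, artifacts and timestamps are constructed for the demo.

```python
import hashlib
import json
import time

# Added example; not from the slides or any forensic product.
# Most volatile first, following RFC 3227.
ORDER_OF_VOLATILITY = [
    "registers and cache",
    "routing table, ARP cache, process table, kernel statistics",
    "memory (RAM)",
    "temporary file systems, swap/pagefile",
    "disk",
    "remote logging and monitoring data",
    "physical configuration, network topology",
    "archival media",
]


def plan_collection(artifact_classes):
    """Sort the classes you intend to collect so RAM is captured before
    anything that touches the disk."""
    rank = {name: i for i, name in enumerate(ORDER_OF_VOLATILITY)}
    return sorted(artifact_classes, key=lambda a: rank.get(a, len(rank)))


def hash_artifact(data):
    """Two digests, so a weakness in one algorithm does not undermine the record."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


class AcquisitionLog:
    """Append-only log of examiner actions. Each entry is hash-chained to
    the previous one; verify() fails if any entry was altered later."""

    def __init__(self, case_id, examiner):
        self.case_id, self.examiner, self.entries = case_id, examiner, []

    @staticmethod
    def _entry_hash(body):
        canon = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(canon).hexdigest()

    def record(self, action, artifact=None, note="", ts=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"case": self.case_id, "examiner": self.examiner,
                "ts": ts if ts is not None else time.time(),
                "action": action, "note": note,
                "artifact": hash_artifact(artifact) if artifact is not None else None,
                "prev": prev}
        body["entry_hash"] = self._entry_hash(body)
        self.entries.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    ram = b"constructed memory capture" * 4           # stands in for a RAM image
    log = AcquisitionLog("CASE-0001", "examiner")     # constructed identifiers
    log.record("boot live-response CD", note="tool hashes verified", ts=1.0)
    log.record("capture RAM", artifact=ram, note="sent to evidence share", ts=2.0)
    log.record("image disk over network", artifact=b"constructed disk image", ts=3.0)
    ok_before = log.verify()
    log.entries[1]["note"] = "edited afterwards"      # tamper with the record
    return ok_before, log.verify()


if __name__ == "__main__":
    print(plan_collection(["disk", "memory (RAM)", "registers and cache"]))
    print("log verifies before tampering, after:", demo())
```

Write the log to the same evidence share as the artifacts, and print its final entry hash on the chain-of-custody form; that one value then commits to every action and every artifact hash recorded during the acquisition.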

Page 67: Computer Forensics

Performing a Live Acquisition in Windows

• Several tools are available to capture the RAM:
– ManTech Memory DD (mdd)
– Win32dd
– winen.exe from Guidance Software (EnCase)
– BackTrack
– These are the tools of the slide’s era; current equivalents include WinPmem, and whatever you use should be validated on a test system and hashed before it touches evidence

Page 68: Computer Forensics
Page 69: Computer Forensics

Developing Standard Procedures for Network Forensics

Page 70: Computer Forensics

Developing Standard Procedures for Network Forensics

• Long, tedious process

• Standard procedure
– Always use a standard installation image for systems on a network
– Close any way in after an attack
– Attempt to retrieve all volatile data
– Acquire all compromised drives
– Compare files on the forensic image to the original installation image

Page 71: Computer Forensics

Developing Standard Procedures for Network Forensics (continued)

• Computer forensics
– Work from the image to find what has changed

• Network forensics
– Restore drives to understand the attack

• Work on an isolated system
– Prevents malware from affecting other systems

Page 72: Computer Forensics

Reviewing Network Logs

• Record incoming and outgoing traffic
– Network servers
– Routers
– Firewalls

• Tcpdump tool for examining network traffic
– Captures packets on the command line and writes pcap files
– Piping its output through sort and uniq (or a tool such as tcpdstat) yields top-10 lists of talkers and ports
– Can identify patterns (repeated SYNs from one source, unusual ports)

• Attacks might include other companies
– Do not reveal information discovered about other companies

Page 73: Computer Forensics

Using Network Tools

Page 74: Computer Forensics

Using Network Tools

• Sysinternals
– A collection of free tools for examining Windows products

• Examples of the Sysinternals tools:
– RegMon shows Registry activity in real time
– Process Explorer shows what is loaded
– Handle shows open files and the processes using them
– Filemon shows file system activity
– RegMon and Filemon have since been retired and merged into Process Monitor (Procmon), which records both Registry and file system activity

Page 75: Computer Forensics

SysInternals

• Link Ch 11b

Page 76: Computer Forensics

Using Network Tools (continued)

• Tools from the PsTools suite created by Sysinternals
– PsExec runs processes remotely
– PsGetSid displays the security identifier (SID)
– PsKill kills a process by name or ID
– PsList lists details about a process
– PsLoggedOn shows who’s logged on locally
– PsPasswd changes account passwords
– PsService controls and views services
– PsShutdown shuts down and restarts PCs
– PsSuspend suspends processes

Page 77: Computer Forensics

Using UNIX/Linux Tools

• Knoppix Security Tools Distribution (STD)
– Bootable Linux CD intended for computer and network forensics

• Knoppix-STD tools
– Dcfldd, the U.S. DoD Computer Forensics Lab version of dd (adds hashing and progress output)
– memfetch forces a memory dump of a running process
– photorec recovers (carves) lost files by signature; it was written for digital camera media
– snort, an intrusion detection system
– oinkmaster helps manage your snort rules

Page 78: Computer Forensics

Using UNIX/Linux Tools (continued)

• Knoppix-STD tools (continued)
– john (John the Ripper, a password cracker)
– chntpw resets passwords on a Windows PC by editing the SAM hive offline
– tcpdump and ethereal are packet sniffers (ethereal was renamed Wireshark in 2006)

• With the Knoppix STD tools on a portable CD
– You can examine almost any network system

Page 79: Computer Forensics

Using UNIX/Linux Tools (continued)

• BackTrack
– Contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more
– Includes forensics tools, such as Autopsy and The Sleuth Kit
– Easy to use and frequently updated
– Has since been succeeded by Kali Linux, which carries the same tool set forward

Page 80: Computer Forensics

Using Packet Sniffers

• Packet sniffers
– Devices or software that monitor network traffic
– Most work at layer 2 or 3 of the OSI model

• Most tools follow the PCAP format

• Some packets can be identified by examining the flags in their TCP headers

Page 81: Computer Forensics

TCP Header

• From Wikipedia
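The TCP-flag identification from the previous slides, plus the top-10 style counting mentioned under network logs, as an added example (written for this page; it is not tcpdump, Wireshark or any code from the slides). It builds a small pcap file in memory from constructed Ethernet/IPv4/TCP frames (a SYN scan of five ports with one open), then reads the pcap back, decodes the six classic flag bits from byte 13 of each TCP header, classifies each packet by its flag combination, and keeps the counters a triage script would report: SYN-only sources, targeted ports, and RST replies per host. Addresses and ports are constructed.

```python
import struct
from collections import Counter

# Added example; not from the slides, tcpdump or Wireshark.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet II + IPv4 + TCP with the given flag byte (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    recs = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames]
    return header + b"".join(recs)


def iter_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    flag_byte = tcp[13]                       # low 6 bits: FIN SYN RST PSH ACK URG
    return {"src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport,
            "flags": [name for bit, name in TCP_FLAG_BITS if flag_byte & bit]}


def classify(flags):
    s = set(flags)
    if s == {"SYN"}:
        return "connection attempt"
    if s == {"SYN", "ACK"}:
        return "open port reply"
    if "RST" in s:
        return "reset (closed port or teardown)"
    if not s:
        return "null scan probe"
    if s >= {"FIN", "PSH", "URG"}:
        return "xmas scan probe"
    if "FIN" in s:
        return "graceful close"
    return "data/ack"


def summarize(pcap_bytes):
    """Counters for a top-N report: SYN-only sources, targeted ports, RSTs per sender."""
    syn_sources, ports, rst_by_sender = Counter(), Counter(), Counter()
    for _, frame in iter_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        kind = classify(p["flags"])
        if kind == "connection attempt":
            syn_sources[p["src"]] += 1
            ports[p["dport"]] += 1
        elif kind.startswith("reset"):
            rst_by_sender[p["src"]] += 1
    return syn_sources, ports, rst_by_sender


def demo():
    scanner, target, frames, t = "10.0.0.5", "10.0.0.20", [], 100   # constructed
    for port in (21, 22, 25, 80, 443):
        frames.append((t, build_frame(scanner, target, 40000 + port, port, 0x02)))      # SYN
        reply = 0x12 if port == 80 else 0x14                                            # SYN/ACK or RST/ACK
        frames.append((t + 1, build_frame(target, scanner, port, 40000 + port, reply)))
        t += 2
    return summarize(build_pcap(frames))


if __name__ == "__main__":
    syn_sources, ports, rsts = demo()
    print("top SYN sources:", syn_sources.most_common(10))
    print("ports probed:", sorted(ports))
    print("RST replies by host:", dict(rsts))
```

One source sending lone SYNs to many ports and receiving mostly RSTs is the flag pattern the slide alludes to; the same counters, run over a real capture, are what the "top 10" lists under network logs come from.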

Page 82: Computer Forensics

Tools

• Tcpdump (command-line packet capture)

• Tethereal (command-line version of Ethereal; now called tshark)

• Wireshark (formerly Ethereal)
– Graphical packet capture analysis

• Snort (intrusion detection)

• Tcpslice
– Extracts information from one or more tcpdump files by time frame

Page 83: Computer Forensics

Tools

• Tcpreplay (replays packets)

• Tcpdstat (near-realtime traffic statistics)

• Ngrep (pattern-matching for pcap captures)

• Etherape (views network traffic graphically)

• Netdude (GUI tool to analyze pcap files)

• Argus (analyzes packet flows)

Page 84: Computer Forensics

Examining the Honeynet Project

• Attempt to thwart Internet and network hackers
– Provides information about attack methods

• Objectives are awareness, information, and tools

• Distributed denial-of-service (DDoS) attacks
– A recent major threat
– Hundreds or even thousands of machines (zombies) can be used

Page 85: Computer Forensics

Examining the Honeynet Project (continued)

Page 86: Computer Forensics

Examining the Honeynet Project (continued)

• Zero-day attacks
– Another major threat
– Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available

• Honeypot
– Normal-looking computer that lures attackers to it

• Honeywalls
– Monitor what’s happening to honeypots on your network and record what attackers are doing

Page 87: Computer Forensics

Examining the Honeynet Project (continued)

• Its legality has been questioned
– Cannot be used in court
– Can be used to learn about attacks

• Manuka Project
– Used the Honeynet Project’s principles
• To create a usable database for students to examine compromised honeypots

• Honeynet Challenges
– You can try to ascertain what an attacker did and then post your results online