Evidence gathering in case of an incident (Toma de evidencias en caso de incidente) - INCIBE-CERT

Evidence gathering in Windows environments (Toma de evidencias en entornos Windows)


Author Asier Martínez Retenaga

This guide has been made with the collaboration of Daniel Fírvida Pereira and Jesús Díaz Vico.

November 2014

The present publication belongs to INCIBE (Instituto Nacional de Ciberseguridad) and is licensed under a Creative Commons Spain Attribution-NonCommercial-ShareAlike 3.0 license. For this reason this work can be copied, distributed and communicated publicly under the following conditions:

• Attribution. The content of this report can be completely or partially reproduced by third parties, citing its origin and making reference both to INCIBE and CERTSI and its website: http://www.incibe.es. This attribution cannot, in any way, suggest that INCIBE supports the mentioned third party or the use it makes of its work.

• Non-commercial use. The original material and derivative work can be distributed, copied and exhibited as long as it is not for commercial purposes.

When reusing or distributing the work, the terms of its license must be stated clearly. Some of these conditions may not apply if permission is obtained from CERTSI as owner of the author's rights. Complete text of the license: http://creativecommons.org/licenses/by-nc-sa/3.0/es/


INDEX

1 ABOUT THE GUIDE
1.1. Used notations

2 INTRODUCTION TO A FORENSIC ANALYSIS
2.1. Locard's exchange principle
2.2. Types of forensic analysis
2.3. Characteristics
2.4. Phases
2.5. Methods and guides

3 TYPOLOGIES OF AN INCIDENT

4 GUIDELINES FOR EVIDENCE GATHERING AND STORAGE
4.1. Principles during evidence gathering
4.1.1. Volatility order
4.1.2. Actions that must be avoided
4.1.3. Privacy considerations
4.1.4. Legal considerations
4.2. Gathering procedure
4.2.1. Reproducible
4.2.2. Steps
4.3. Storage procedure
4.3.1. Chain of custody
4.3.2. Where and how to store it
4.4. Necessary tools
4.5. Conclusions

5 EVIDENCE GATHERING
5.1. Previous considerations
5.2. Start of the process
5.3. Volatile information
5.3.1. Time and date of the system
5.3.2. Memory dump
5.3.3. Network information: state, active connections, open UDP and TCP ports
5.3.4. Windows registry
5.3.5. Passwords
5.3.6. Cached information in browsers (addresses, download history)
5.3.7. File and folder tree
5.3.8. Command interpreter history
5.3.9. Screen captures
5.3.10. Clipboard information
5.3.11. Internet search history
5.3.12. Last searches
5.3.13. Cookies
5.3.14. Encrypted volumes
5.3.15. Mapped drives
5.3.16. Shared folders
5.3.17. Pending recordings
5.4. Non-volatile information
5.4.1. Disk dump
5.4.2. Master Boot Record (MBR)
5.4.3. Master File Table (MFT)
5.4.4. System information
5.4.5. Scheduled tasks
5.4.6. Printed files
5.4.7. Environment variables
5.4.8. System logs
5.4.9. .PST and .OST files
5.4.10. Prefetch folder
5.4.11. Recycle bin
5.4.12. Hosts file
5.4.13. Check unsigned executables
5.4.14. LNK files

6 REVIEW

7 GLOSSARY

8 REFERENCES

ANNEX 1 – CONTACTS

ANNEX 2 – CHAIN OF CUSTODY OF EVIDENCE

1 ABOUT THE GUIDE

This document offers information related to digital forensic analysis, specifically for Windows environments. It focuses on the process of evidence gathering, carrying out tests on Windows XP (despite its support having ended, it still has an important market share), Windows 7, Windows 8 and 8.1. The examples given are in many cases applicable to other versions of the operating system, as they have a similar structure.

It offers both a global vision of the process, explaining what it consists of, what for, the phases that make it up, the methods to carry it out, etc., and a specific vision on the obtaining of evidence. It is important to keep in mind that despite the fact that the guide makes an initial approach to digital forensic analysis, it focuses mainly on the phase of obtaining evidence and that is its objective.

The target audiences of this document are professionals from the IT sector: IT support technicians, system administrators, network administrators, malware analysts, etc., that have computing knowledge but are not familiar with the digital forensic analysis process and might have to face an incident that would require using one of these processes.

The document aims to be a practical guide with the steps to follow if an incident arises that requires gathering the evidence needed for a subsequent analysis leading to the resolution of the incident itself. That subsequent analysis is beyond the scope of this document.

In order to avoid additional costs in terms of licenses, free tools will be used for the aforementioned processes.

1.1. USED NOTATIONS

The following notations will be used in the document:

• Demonstration: sections or parts of the document where the aim is to carry out a demonstration, indicating when the information explained could be of use.

• Important: underlines certain information that is relevant and must be specially kept in mind.

• Note: informs about an aspect that must be kept in mind.

• Alternative tools: indicates other tools with similar characteristics or functions to one previously mentioned.


2 INTRODUCTION TO A FORENSIC ANALYSIS

The concept of digital forensic analysis refers to a combination of evidence gathering and analysis procedures carried out with the aim of responding to an IT security incident and which, on occasion, must serve as evidence in court. The aim, after running this procedure, is to answer the what, where, when, why, who and how.

This discipline has acquired a very important role in recent years, as it is increasingly common to have to face incidents related to computing security, such as intrusions, information theft, infections, etc.

Its use is extended through diverse fields, for instance:

• Prosecution of crimes such as financial fraud, tax evasion, harassment or child pornography.

• Discrimination or harassment cases.

• Insurance investigation.

• Recovery of deleted files.

• Theft of intellectual property.

• Cyberterrorism.

• Strengthen the resilience of companies, or in other words, the capacity of recovering from attacks.

How to proceed in different situations is reflected throughout the document, as it is vital to have a clear idea of the steps to follow when carrying out a digital forensic analysis so as not to destroy evidence, which would make it impossible to resolve the incident satisfactorily. An incident is resolved satisfactorily when conclusions are drawn that answer the questions mentioned above.

2.1. LOCARD’S EXCHANGE PRINCIPLE

When carrying out a digital forensic analysis it is vital to keep in mind Locard's exchange principle. It sets the basis for forensic science and states that when two objects come into contact, each transfers part of its material to the other. This means that any crime, including those related to computing, which is what concerns us, leaves a trace, and therefore through a forensic analysis process it is possible to obtain evidence.


Likewise, Locard's exchange principle also applies to the forensic analysis itself: the analyst's own actions leave traces on the system, so you have to be extremely careful that the system is affected as little as possible and that the acquired evidence is not altered.

2.2. TYPES OF FORENSIC ANALYSIS

A classification of types of forensic analysis can be made depending on what they aim to analyse. Keeping this aspect in mind, it is possible to identify three types of analysis:

• System forensic analysis: Windows operating systems as well as OS X, GNU/Linux, etc.

• Network forensic analysis.

• Embedded system forensic analysis.

• Volatile memory forensic analysis.

This guide, as its name indicates and as mentioned previously, focuses on evidence gathering in Windows environments, although from a global point of view the process is similar for all types.

[Image 1: Locard's Exchange Principle. The diagram shows the crime scene, suspects, victim and evidence, each exchanging traces with the others.]

2.3. CHARACTERISTICS

The procedure of forensic analysis must possess the following characteristics:


• Verifiable: it must be possible to confirm the veracity of the conclusions drawn out from the analysis carried out.

• Reproducible: all the tests carried out throughout the process must be reproducible at all times.

• Documented: the whole process must be correctly documented and must be carried out in a comprehensible and detailed way.

• Independent: the conclusions obtained must be the same, regardless of the person who carries out the process and the method used.

2.4. PHASES

The forensic analysis process is made up of the following phases:

• Preservation: this phase guarantees that no evidence that must be gathered for subsequent analysis is lost. A lack of knowledge could result in the loss of relevant information that could be decisive for the resolution of the incident. Critical aspects such as not switching off the system (to preserve volatile information) or the correct marking of the elements to be analysed take place during this phase.

Likewise, a constant register must be carried out of the operations that are taking place on the material that is going to be analysed, in order to maintain the legal validity of the evidence gathered subsequently, in case it is necessary. If materials must be transported, it must be done with the utmost care, avoiding information from being altered or being exposed to extreme temperatures or electromagnetic fields.

• Acquisition: this is the phase this guide focuses on and the one that will be explained in the greatest detail; it corresponds to the stage where evidence is gathered. Evidence can be defined as any proof that may be used in a legal process, although not all evidence ends up being used in court.

Characteristics of evidence:

­ Admissible: it must have legal value.

­ Authentic: it must be true and not manipulated in any way. For this, the corresponding hashes must have been extracted to ensure its integrity.

­ Complete: it must represent the evidence from an objective and technical point of view, without personal valuations or prejudices.

­ Credible: it must be understandable.

­ Reliable: the techniques used to obtain evidence must not generate any doubts as to its veracity and authenticity.

[Image 2: Phases of the Forensic Analysis Process: Preservation, Acquisition, Analysis, Documentation, Presentation.]

Evidence can be classified into two types:


• Physical evidence: refers to computing hardware such as hard disks, pen drives, etc.

• Digital evidence: corresponds to the information stored on physical evidence.

Some examples of digital evidence are:

­ Digital files.

­ Execution process.

­ Log.

­ Temporary files.

­ Registry entries.

• Analysis: when analysing the information gathered, the specific type of incident being responded to must be kept in mind. Depending on the case it may be useful to make an in-depth analysis of different aspects such as:

­ MFT or Master File Table: the table that stores information about the files on the disk. It stores information such as the name, access, creation and modification dates, location of the data on the disk, etc.

­ Paging file (pagefile.sys): a file that enables optimum use of RAM, since the operating system temporarily moves there memory pages that running processes do not need at that moment and brings them back when they are requested again.

­ Recycle bin.

­ Unallocated space: the disk space available for storing information. When a file is deleted in Windows, the operating system only removes the reference to the data, not the data itself; the corresponding disk region is simply marked as available for writing. The deleted information may therefore be recovered by various means until it is overwritten.

­ Windows registry: it stores diverse information, such as the networks the system has connected to, a list of visited websites, installed applications, the history of USB devices that have been plugged in, etc.

­ Slack space: refers to the free space that remains within a cluster (a set of adjacent disk sectors forming the smallest allocation unit on a disk) after a file has been stored in it.

­ Network traffic.

­ System processes.

­ System logs: such as the system, security and application event logs.

It is vital that the whole process is carried out from an objective point of view, without ruling out what the analyst may consider obvious.


• Documentation: documentation is a fundamental aspect of the forensic analysis process, so this phase must be carried out in a very methodical and detailed way. The following actions, amongst others, can be carried out:

­ Photograph the evidence.

­ Maintain the chain of custody.

­ Document each and every step taken during the process, keeping a log with the date and time of each action carried out on the evidence.

­ Prepare two kinds of conclusion report: an executive one and a technical one.

• Presentation: the presentation of information is as important, or even more, than the previous ones as the conclusions obtained in the forensic analysis process must be accessible and understandable.

In order to do this, it is advisable to follow these steps:

­ Prepare a presentation in an educational way so that it is easily understandable.

­ Detail the conclusions.

­ Explain clearly the process that has been carried out to obtain the evidence.

­ Avoid non-demonstrable affirmations or value judgments.

­ Elaborate the conclusions from an objective point of view.

It must be noted that the phases are not sequential but intertwined. For example, the documentation phase starts during the preservation phase.

2.5. METHODS AND GUIDES

There are different methods and guides for carrying out a forensic analysis, but they all share common aspects. RFC 3227 «Guidelines for Evidence Collection and Archiving»[1] will be used as the reference for this document. It reflects in a complete way the process and the steps that must be followed when carrying out an analysis of this kind.

Following are another series of guides that could be used as a reference for readers interested in delving further into the subject:

• Guidelines for the best practices in the forensic examination of digital technology[2]

• Electronic Crime Scene Investigation: A Guide for First Responders[3]

• Forensic Examination of Digital Evidence: A Guide for Law Enforcement[4]

• UNE 71506 – Methodology for forensic analysis of digital evidences[5] (Spanish only)

[1] http://www.ietf.org/rfc/rfc3227.txt
[2] http://www.ioce.org/fileadmin/user_upload/2002/ioce_bp_exam_digit_tech.html
[3] https://www.ncjrs.gov/pdffiles1/nij/187736.pdf
[4] https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
[5] http://www.aenor.es/aenor/normas/normas/fichanorma.asp?tipo=N&codigo=N0051414&PDF=Si#.UmTshXC8B5H


3 TYPOLOGIES OF AN INCIDENT

There is a vast range of incidents related to IT security. Keeping in mind those that the target audience of this guide will most probably face, and noting that some may be interconnected, the following cases can be identified:

• Information theft: the theft of private information is one of the major concerns for both users and companies. There are a number of techniques that enable information theft, such as monitoring network traffic with a sniffer, intercepting emails, or simply plugging in a pen drive and copying private information. This information is mainly used to obtain an economic benefit, but in some cases it is merely used to harm the image of the affected party.

• Fraud: there are numerous examples of Internet fraud, such as:

­ False job offers[6].

­ Lottery and prize frauds[7].

­ False inheritances.

­ Investment and credit frauds.

­ False emails asking for donations to NGOs[8].

­ False invoices from courier services.

­ Downloads that subscribe the user to premium SMS services[9].

­ Fines for illegal downloads.

Throughout the year, a great number of campaigns take place that take advantage of important dates or events to spread these kinds of threats.

[6] http://www.osi.es/es/actualidad/blog/2013/05/07/fraudes-online-iv-ofertas-falsas-de-trabajo
[7] http://www.osi.es/es/actualidad/blog/2013/06/28/fraudes-online-vi-has-ganado-un-premio

• Malware: malware is another of the most typical incidents that a forensic analyst can encounter. The professionalisation of the market has generated an important increase in the volume of these threats, reaching very sophisticated levels in some cases. Some of the most significant statistics are the following:

­ There are almost 170 million malware samples, of which almost 70 million appeared in 2013[10].

­ In 2012, the number of digitally signed malware files reached 2 million[11].

­ In 2012, the number of ransomware samples reached 700,000[12].

­ Cybercrime generated losses of EUR 87 billion (87,000 million euros) in 2013[13].

­ In the third quarter of 2013, Kaspersky catalogued over 120,000 mobile malware samples[14].

­ McAfee catalogues over 100,000 samples every day[15].

• Unauthorised access: according to a ThreatTrack Security study[16], unauthorised access to websites with sexual content is one of the main reasons corporate computers become infected. Another example is the exploitation of software vulnerabilities to obtain privileges and access folders and documents containing confidential information.

• Inappropriate use of resources: the inappropriate use of resources is quite a normal practice in companies: printing personal documents or downloading multimedia content such as films or series are some of the most typical examples.

• Intellectual property: the infringement of intellectual property results in a very significant annual cost. According to a McAfee study on the economic impact of cybercrime, it causes global losses of up to USD 400 billion (400,000 million dollars), and one of the main causes is the theft of intellectual property. There are a huge number of websites from which films, music, software, etc. can be downloaded, and these have a direct impact on those losses.

[8] http://www.osi.es/es/actualidad/blog/2013/12/13/los-5-fraudes-navidenos-mas-tipicos-que-no-te-enganen
[9] http://www.osi.es/es/actualidad/blog/2013/02/15/identificando-banners-enganosos
[10] http://www.av-test.org/en/statistics/malware/
[11] http://www.scmagazine.com/the-state-of-malware-2013/slideshow/1255/#3
[12] http://www.scmagazine.com/the-state-of-malware-2013/slideshow/1255/#5
[13] http://www.rtve.es/noticias/20131105/cibercrimen-generado-perdidas-87000-millones-euros-ultimo-ano/784565.shtml
[14] http://www.securelist.com/en/analysis/204792312/IT_Threat_Evolution_Q3_2013#14
[15] http://www.mcafee.com/au/resources/reports/rp-quarterly-threat-q1-2013.pdf
[16] http://www.threattracksecurity.com/documents/malware-analysts-study.pdf


• Denial of service: a denial-of-service attack aims to prevent access to an organisation's services and resources. These attacks are normally carried out using botnets[17] (networks of infected computers) and have increased notably of late, sometimes as a result of hacktivist actions.

Despite this diversity of incidents, the procedure to follow during evidence gathering is common in the majority of cases. It must be kept in mind that the subsequent analysis will be specific depending on the type of incident.

There are other types of incidents, mainly related to child pornography, glorification of terrorism, extortion (this group includes cyberharassment, cyberbullying, grooming, sexting or breaches of privacy), etc., which must be passed on to the appropriate authorities so that they can start an investigation and take the measures they deem appropriate. These incidents are beyond the scope of this document. In fact, some of the incidents described in this section, such as those involving information theft or fraud, might also require reporting to the authorities. In all such cases you must contact the Guardia Civil's Telematic Crimes Group[18] or the Police[19] and follow the steps they indicate.

[17] http://www.incibe.es/file/p9cSCisIwwtRK6a0e7iZKg
[18] https://www.gdt.guardiacivil.es/webgdt/home_alerta.php
[19] http://www.policia.es/bit/index.htm


4 GUIDELINES FOR EVIDENCE GATHERING AND STORAGE

RFC 3227[20] is the document that contains the «Guidelines for Evidence Collection and Archiving» and can be used as a standard for information gathering in security incidents.

The document includes the following sections:

4.1. PRINCIPLES DURING EVIDENCE GATHERING

• Capture an image of the system that is as precise as possible.

• Make detailed notes, including dates and times, indicating whether local time or UTC is being used.

• Minimise changes to the information being gathered and remove external agents that may make changes.

• If faced with a dilemma between collecting and analysing, collect first and analyse second.

• Collect information according to the order of volatility (from most to least volatile).

• Keep in mind that information collection may need to be carried out differently on each device.

4.1.1. Volatility order

The order of volatility refers to the period of time during which certain information remains accessible. It is therefore necessary to gather first the information that will be available for the least amount of time, in other words, the most volatile information.

Following this scale, the following list from greatest to least volatility may be created:

• Registers and cache contents.

• Routing table, ARP cache, process table, kernel statistics and memory.

• Temporary information in the system.

• Disk.

• System logs.

• Physical configuration and network topology.

• Documents.
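The order above is easy to state and easy to get wrong in a hurried runbook. The following script, added here as an illustration and not part of the INCIBE guide, checks a proposed collection sequence against the RFC 3227 order of volatility and against the rule in 4.1.2 that the machine must not be powered off before volatile data has been collected. The class names, the mapping of concrete artefacts to classes and the sample runbooks are constructed for this example; only the relative ordering of the classes comes from RFC 3227.

```python
"""Added example, not part of the INCIBE guide: check a proposed collection
runbook against the RFC 3227 order of volatility (section 2.1 of the RFC,
section 4.1.1 of the guide).

The class names, the mapping of concrete artefacts to classes and the sample
runbooks are constructed for illustration; only the relative ordering of the
classes comes from RFC 3227.
"""
from typing import Dict, List, Tuple

# RFC 3227 order of volatility, most volatile first (index 0).
VOLATILITY_ORDER: List[str] = [
    "registers_cache",    # CPU registers, cache contents
    "kernel_memory",      # routing table, ARP cache, process table, kernel statistics, RAM
    "temp_files",         # temporary file systems
    "disk",               # disk contents
    "remote_logs",        # logging and monitoring data held on other systems
    "physical_topology",  # physical configuration, network topology
    "archival_media",     # backups, printed documents
]
RANK: Dict[str, int] = {name: i for i, name in enumerate(VOLATILITY_ORDER)}

# Hypothetical mapping of the artefacts an analyst would collect to a class.
ARTEFACT_CLASS: Dict[str, str] = {
    "memory_dump": "kernel_memory",
    "netstat": "kernel_memory",
    "arp_cache": "kernel_memory",
    "process_list": "kernel_memory",
    "temp_folder": "temp_files",
    "disk_image": "disk",
    "event_logs": "disk",          # local event logs live on disk
    "syslog_server": "remote_logs",
    "network_diagram": "physical_topology",
}

# Actions the guide (4.1.2) says must wait until volatile data is collected.
DESTRUCTIVE_ACTIONS = {"power_off", "reboot"}


def volatility_rank(artefact: str) -> int:
    """Rank of an artefact; raises on unknown names so a runbook typo is not silently accepted."""
    try:
        return RANK[ARTEFACT_CLASS[artefact]]
    except KeyError:
        raise ValueError(f"unknown artefact {artefact!r}; add it to ARTEFACT_CLASS") from None


def plan_order(artefacts: List[str]) -> List[str]:
    """Sort artefacts most-volatile-first. The sort is stable, so the analyst's
    own order within one volatility class is preserved."""
    return sorted(artefacts, key=volatility_rank)


def order_violations(steps: List[str]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where 'later' is more volatile than 'earlier'."""
    violations = []
    for i, earlier in enumerate(steps):
        for later in steps[i + 1:]:
            if volatility_rank(later) < volatility_rank(earlier):
                violations.append((earlier, later))
    return violations


def check_runbook(runbook: List[str]) -> List[str]:
    """Human-readable findings for a proposed runbook; an empty list means the
    runbook respects the order of volatility and does not power off or reboot
    while volatile artefacts are still pending."""
    findings = []
    artefacts = [s for s in runbook if s not in DESTRUCTIVE_ACTIONS]
    for earlier, later in order_violations(artefacts):
        findings.append(
            f"{later!r} ({ARTEFACT_CLASS[later]}) is more volatile than "
            f"{earlier!r} ({ARTEFACT_CLASS[earlier]}) but is collected later"
        )
    for i, step in enumerate(runbook):
        if step in DESTRUCTIVE_ACTIONS:
            pending = [
                s for s in runbook[i + 1:]
                if s not in DESTRUCTIVE_ACTIONS and volatility_rank(s) <= RANK["temp_files"]
            ]
            if pending:
                findings.append(f"{step!r} is scheduled before volatile artefacts {pending} are collected")
    return findings


if __name__ == "__main__":
    # Constructed runbook containing the mistakes the guide warns about.
    for finding in check_runbook(["disk_image", "memory_dump", "power_off", "netstat"]):
        print("-", finding)
```

Unknown artefact names raise rather than being skipped, because a silently ignored step is exactly the kind of gap that later makes a collection non-reproducible. Running the constructed runbook reports that the memory dump and netstat output are scheduled after the disk image, and that the power-off comes before netstat has been collected.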

4.1.2. Actions that must be avoided

The following actions must be avoided so as not to invalidate the information gathering process, since its integrity must be preserved so that the results obtained can be used in court if needed:

[20] http://www.ietf.org/rfc/rfc3227.txt


• Do not turn off the computer until all the volatile information has been collected.

• Do not trust information given by the system's own software, as it might have been compromised. Information must be gathered using software run from a protected medium, as will be explained further on.

• Do not run software that modifies the access date and time of all the system's files.

4.1.3. Privacy considerations

All the information gathered during the process must be handled within the established legal framework, maintaining the required privacy. Log files fall under this heading, as they can record the behaviour patterns of the system's users.

4.1.4. Legal considerations

It must be noted that the law differs from country to country, so evidence may be admissible in one country and not in another. In any case, evidence must have a series of common characteristics.

• Admissible: the current law must be respected for the evidence to have judicial value.

• Authentic: it must be provable that the evidence corresponds to the incident in question.

• Complete: it must correspond to the entire information and not just a partial view.

• Reliable: there must be no doubts as to how the evidence was obtained or regarding any subsequent manipulation that could raise doubts about its authenticity and veracity.

• Credible: it must be plausible and easily understandable for a court.

4.2. GATHERING PROCEDURE

The gathering procedure must be as detailed as possible, making sure that it is not ambiguous and reducing decision making as much as possible.

4.2.1. Reproducible

The methods used to collect evidence must be transparent and reproducible. You must be prepared to reproduce the methods used exactly, and those methods must have been tested by independent experts.

4.2.2. Steps

• Where is the evidence? Make a list of the systems that are involved in the incident and which ones can be used to extract evidence.

• Establish what is relevant. If in doubt, it is better to compile a lot of information than not much.

• Set the order of volatility for each system.

• Obtain the information according to the established order.

• Verify how well the system's clock is synchronised.

• As the collection steps are being taken, ask yourself what else could be evidence.

• Document every step.


• Do not forget the people that are involved. Note who was there, what they were doing, what they were looking at and how they reacted.

4.3. STORAGE PROCEDURE

4.3.1. Chain of custody

The chain of custody must be clearly documented and the following points must be detailed:

• Where, when and by whom was the evidence discovered and collected?

• Where, when and by whom was the evidence handled?

• Who has guarded the evidence? For how long? And how was it stored?

• If the evidence changed custody, indicate when and how the exchange took place, including the delivery note number, etc.
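The points above (and the hashes that section 2.4 asks for to prove authenticity, the timestamped action log of the documentation phase, and the UTC-labelled notes of section 4.1) can be captured in a small append-only record per evidence item. The script below is an added example and is not the guide's own code or template (the guide's own form is in Annex 2). Evidence identifiers, handler names, paths and the sample artefact are constructed for illustration.

```python
"""Added example, not the INCIBE guide's own code: a minimal chain-of-custody
log for one evidence file.

Each entry records who did what, when (UTC, labelled as such, as RFC 3227
recommends) and the SHA-256 of the artefact at that moment, so that any
alteration between two handovers shows up as a hash mismatch. Evidence IDs,
names and the sample artefact are constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ChainOfCustody:
    """Append-only record for one evidence item (guide section 4.3.1)."""

    def __init__(self, evidence_id: str, path: Path) -> None:
        self.evidence_id = evidence_id
        self.path = Path(path)
        self.entries: List[Dict[str, str]] = []

    def record(self, action: str, handler: str, note: str = "",
               when: Optional[datetime] = None) -> Dict[str, str]:
        """Add an entry ('acquired', 'handover', 'verified', ...). The hash is
        recomputed on every entry, so a change is visible in the log itself."""
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must carry a timezone (use UTC)")
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "handler": handler,
            "timestamp_utc": when.astimezone(timezone.utc).isoformat(),
            "sha256": sha256_file(self.path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self) -> str:
        """Hash taken at acquisition; every later check compares against it."""
        if not self.entries:
            raise ValueError("no acquisition entry recorded yet")
        return self.entries[0]["sha256"]

    def verify(self) -> bool:
        """True if the file still matches the hash taken at acquisition."""
        return sha256_file(self.path) == self.acquisition_hash()

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> Dict[str, object]:
    """Constructed scenario: acquire, hand over, then tamper with the file."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "memory.raw"
        evidence.write_bytes(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE, NOT A REAL DUMP")
        coc = ChainOfCustody("INC-0001/E01", evidence)  # hypothetical evidence ID
        coc.record("acquired", "A. Analyst", note="acquired with a tool run from read-only USB")
        coc.record("handover", "B. Custodian", note="sealed bag 17, safe 3")
        intact_before = coc.verify()
        evidence.write_bytes(evidence.read_bytes() + b"\x00")  # a single appended byte
        intact_after = coc.verify()
        return {
            "entries": len(coc.entries),
            "hashes_agree": coc.entries[0]["sha256"] == coc.entries[1]["sha256"],
            "intact_before_tamper": intact_before,
            "intact_after_tamper": intact_after,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here. Timestamps without a timezone are rejected rather than guessed, because a log that mixes local time and UTC is exactly the ambiguity RFC 3227 warns about. And the hash is recomputed at every entry instead of copied from the first one, so that a handover entry also acts as a verification: if the custodian's hash differs from the acquisition hash, the log itself shows where in the chain the change happened.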

4.3.2. Where and how to store it

The information must be stored on devices with a proven level of security that can detect unauthorised access attempts.

4.4. NECESSARY TOOLS

There are a set of guidelines that must be followed when choosing the tools that are going to be used for the compilation process:

• Tools that are external from the system must be used as the system might have been compromised.

• Tools that alter the scene as little as possible should be used. Specifically, avoid when possible graphical-interface tools and tools with high memory consumption.

• The software used to gather evidence must be run from a read-only medium (CD-ROM, write-protected USB, etc.).

• A combination of utilities suitable for the target operating systems should be prepared.

• The analysis kit must include, amongst others, the following kinds of tools:

­ Software to list and examine processes.

­ Software to examine the state of the system.

­ Software to make bit-by-bit copies.

4.5. CONCLUSIONS

When gathering information from a system that has suffered a security incident, it is necessary to have a clear idea of which actions must be carried out, to be very meticulous, and to document the process at every step. The process must also be carried out as unobtrusively as possible, in order to preserve the system in its original state.


5 EVIDENCE GATHERING

One of the main tasks when carrying out a forensic analysis is having a clear idea of the specific kind of incident and, from there, determining what information needs to be obtained and how to proceed. There are common aspects, but carrying out a forensic analysis in a malware case is not the same as in a fraud case, since the points on which the investigator must focus to locate evidence differ.

Obviously, some of the steps indicated further on might not be necessary if, for instance, the evidence does not have to be presented in court, in which case the documentation does not have to be so exhaustive. It is nevertheless advisable to carry out the process professionally and comprehensively, as completely as possible. It is up to the reader to determine which aspects to keep in mind and which steps to follow, depending on the situation to be analysed.

The process of evidence gathering can be carried out from different points of view: using methods based on software or methods based on hardware. There are a great number of hardware devices designed specifically to carry out these kinds of tasks and that have a very high level of efficiency. This guide aims at helping the largest amount of people possible, so the focus is free software so that the task does not lead to costs in terms of licenses.

5.1. PREVIOUS CONSIDERATIONS

There are a number of previous considerations that must be kept in mind before starting the process of evidence compilation:

• In the first place, do not touch the computer; leave it exactly as it is: do not open files, do not run software, do not delete folders, etc. If it is turned on, do not switch it off, and if it is turned off, do not switch it on. It must be kept in mind that there is a great amount of volatile information, which disappears when the computer is turned off, so switching it off would lead to the loss of very important information. Likewise, if it is turned off, switching it on could lead to the modification of dates or the concealment of files if a rootkit is present.

• Establish, at a global level, the steps that are going to be followed, with the aim of having an operating guideline for the process and not forgetting any aspect.

• Starting from the previous point, a detailed plan of the steps to follow must be set out. Here, different aspects are taken into account, such as the estimated time the analysis will take, the urgency of the analysis, or the resources needed to carry it out.

• Foresee and minimise the risks, so that if any problems arise they do not significantly affect the process.

• Assess whether the person responsible for carrying out the process has the skills and knowledge needed to do so. If there is any doubt about their capacity, the best thing to do is consult someone with experience and extensive knowledge, so that they can advise on the process and no evidence is accidentally destroyed.

• Obtain written authorization from the corresponding person to be able to carry out the analysis and evidence gathering. This is a fundamental aspect, as confidential information, or information of vital importance for a company, could be involved in the process, or the availability of services could be affected by the work of the forensic investigator. In certain kinds of incidents it will be necessary to request judicial authorization, in order to ensure the validity of the gathered evidence in a future court case.

• Request the passwords needed to access encrypted files or volumes.

• Have a complete kit of utilities prepared to follow the steps indicated in point 3.4.

• Prepare a list of people who must be informed and kept in the loop during the process, including their name, email address and any other information that could be relevant.

As an example, the model indicated in ANNEX 1 – Contacts, is attached.

The evidence gathering process may start once all the previous considerations, which help to have a clear idea of the specific kind of incident and of the steps needed to resolve it, have been assessed.

5.2. START OF THE PROCESS

The first task is to tag, inventory and photograph every device that is going to be analysed: hard disks, pen drives, cameras, etc. Also, depending on the type of incident, it might be necessary to include routers, scanners, printers, etc. The brand, model, serial number, type of connection (USB, firewire, etc.) of all of them must be noted. Similarly, the information of the person responsible for the system and the user or users that work on it, and any other relevant information must be written down. The chain of custody is fundamental, because it proves that the evidence obtained has not been manipulated, so it is mandatory to be especially meticulous in this aspect. In order to do so, it is indispensable to document all the evidence obtained.

As an example, a template in “ANNEX 2 – Chain of custody of evidence” is available.

In its observations section it is important to justify why the aforementioned evidence has been gathered. The aim of this is to facilitate the work of the analyst if the investigator is not the person carrying out that role.

Once all the devices have been tagged, inventoried and photographed, evidence may start to be gathered. In a generic way, the type of obtained information can be classified in two great groups: volatile information and non-volatile information. We can also speak of live acquisition, which corresponds to the gathering of information in a functioning system, and static acquisition, which corresponds to the gathering of information in a system that is switched off.

To carry out a correct gathering of evidence it is important to use non-invasive software stored on write-protected media (pen drive, CD-ROM, etc.). Similarly, if it is suspected that the system might have been affected by malware, information must be gathered using the tools' own implementations and not through the system's API, because the integrity of the latter might have been compromised and it would not reflect real results.

Below is a series of kits specialized in these types of tasks, although the most recommendable thing is to build one according to each person's needs.

Table 1: List of open source kits containing utilities for forensic analysis.

Name URL

Caine http://www.caine-live.net

Digital Forensics Framework http://www.digital-forensic.org

The Sleuth Kit and Autopsy http://www.sleuthkit.org

Helix Live CD http://www.e-fense.com

Forensic and Incident Response Environment (F.I.R.E) http://fire.dmzs.com

Digital Evidence & Forensic Toolkit http://www.deftlinux.net

Usually, it is only possible to carry out one memory dump and one disk dump, and from there work on different copies to obtain the rest of the evidence. Below, the specific gathering of different evidence is indicated because, depending on the case, it might not be necessary to carry out a complete dump, and a specific analysis may be enough.

5.3. VOLATILE INFORMATION

As indicated previously, volatile information can be very important when carrying out a forensic analysis, because it might contain evidence of connections, running processes, etc. The loss of this type of information could mean that the forensic analysis is not completed successfully, or that the process is greatly complicated. This is why, as RFC 3227 indicates, volatile evidence must be gathered. Below, the method to be used is indicated, along with some examples of incidents where it could be useful. In this manner, the person carrying out the process may complete the steps deemed appropriate, using the guidelines given here as a base.


5.3.1. Time and date of the system

With regards to volatile information, the first thing to obtain is the date and time of the system, in order to establish a timeline of the gathering of evidence, the duration of the process, etc.

To do so, type the following instruction from a trusted command shell (it can also be done with utilities such as PowerShell or WMIC):

date /t > FechaYHoraDeInicio.txt &time /t >> FechaYHoraDeInicio.txt

The obtained date must be compared with coordinated universal time (UTC), the time standard that regulates time worldwide, to determine whether the date set in the system is correct or not, and what deviation exists.

It must also be kept in mind that FAT systems store time values depending on the local time of the computer, whereas NTFS systems store them in UTC format. This means that whilst NTFS systems are not affected by changes in a time zone or summer time, FATs will have a different value if they are viewed in one region or another with a different time zone, or in summer or winter.

Likewise, once the process has finished, the same instruction must be executed, changing the destination file to FechaYHoraFin.txt.
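The clock comparison and the FAT/NTFS distinction above, as an added Python example that is not part of the INCIBE guide: it parses constructed contents of FechaYHoraDeInicio.txt (the Spanish-locale dd/mm/yyyy and HH:MM layout that the %date% substrings used later in this guide assume), computes the skew against a UTC reference, converts an NTFS FILETIME to UTC, and shows that the same FAT value yields a different instant depending on the zone it is read in. The file contents, time zone offsets and reference time are assumptions.

```python
"""Interpreting the system time noted at the start of the acquisition.

Added example, not part of the INCIBE guide: it computes the deviation of the
evidence system's clock from a trusted UTC reference and shows why FAT and NTFS
timestamps must be read differently. Every input below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 00:00:00 UTC), counted in 100 ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed contents of FechaYHoraDeInicio.txt as written by "date /t" and
# "time /t" on a Spanish-locale system (dd/mm/yyyy and HH:MM).
SAMPLE_START_FILE = "14/11/2014\n10:35\n"


def utc(*fields: int) -> datetime:
    """Shorthand for an aware UTC datetime (used for reference times)."""
    return datetime(*fields, tzinfo=timezone.utc)


def parse_start_file(text: str, system_utc_offset_hours: float) -> datetime:
    """Turn the date and time lines into an aware datetime.

    The system's zone offset is an input because "date /t" and "time /t"
    print local wall-clock time with no zone information.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    date_token = [tok for tok in lines[0].split() if "/" in tok][-1]
    day, month, year = (int(p) for p in date_token.split("/"))
    hour, minute = (int(p) for p in lines[1].split(":")[:2])
    zone = timezone(timedelta(hours=system_utc_offset_hours))
    return datetime(year, month, day, hour, minute, tzinfo=zone)


def clock_skew_seconds(system_time: datetime, reference_utc: datetime) -> int:
    """Seconds the system clock runs ahead (positive) or behind (negative) of the reference."""
    return int(round((system_time - reference_utc).total_seconds()))


def filetime_to_utc(filetime: int) -> datetime:
    """NTFS stores times as FILETIME values, which are already UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def fat_local_to_utc(stored_local: str, writer_utc_offset_hours: float) -> datetime:
    """FAT stores naive local time (given here as ISO text, as a forensic tool
    would print it), so the writer's zone is needed to recover the instant."""
    naive = datetime.fromisoformat(stored_local)
    zone = timezone(timedelta(hours=writer_utc_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


if __name__ == "__main__":
    start = parse_start_file(SAMPLE_START_FILE, system_utc_offset_hours=1)  # CET in November
    reference = utc(2014, 11, 14, 9, 30)  # constructed trusted reference (e.g. an NTP reading)
    print("system clock skew vs UTC:", clock_skew_seconds(start, reference), "seconds")
    print("FILETIME 116444736000000000 ->", filetime_to_utc(116444736000000000))
    print("FAT value 2014-07-01T12:00 read as UTC+2:", fat_local_to_utc("2014-07-01T12:00", 2))
    print("FAT value 2014-07-01T12:00 read as UTC+0:", fat_local_to_utc("2014-07-01T12:00", 0))
```

The skew is what the analyst later adds to (or subtracts from) every timestamp taken from the system; the two FAT conversions return different instants for the same stored value, which is exactly why the time zone of the machine that wrote a FAT volume has to be recorded together with the evidence.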

5.3.2. Memory dump

Memory dumping is one of the most important and critical aspects of the acquisition phase. As mentioned previously, the memory stores significant evidence such as established connections, running processes, encrypted passwords, etc. Carrying out a correct memory dump can make the difference between resolving or not resolving the incident. It is because of this that you must be very careful during this process.

When obtaining memory, two types must be kept in mind: physical and virtual memory. Physical memory corresponds to the real RAM of the system, whereas virtual memory normally corresponds to the paging file, pagefile.sys. As mentioned before, virtual memory enables an optimal use of RAM, since the operating system temporarily sends there information that the running processes do not need at that moment, and recovers it later when it is requested.

There are a great number of utilities that enable a memory dump, but the outstanding one is DumpIt [21], because of its simplicity and its compatibility with the different versions of Windows. It is enough to execute the application from the command interpreter; it carries out a memory dump in RAW format in the same directory from which the programme is executed.

An example of how to use the programme is shown in Image 3:

[21] http://www.moonsols.com


Image 3: DumpIt

Other tools:
Volatility https://code.google.com/p/volatility
AccessData FTK Imager http://www.accessdata.com
Memoryze http://www.mandiant.com/resources/download/memoryze
MDD http://sourceforge.net/projects/mdd/
Belkasoft Live RAM Capturer http://forensic.belkasoft.com/en/ram-capturer

Another way of obtaining physical memory is through a crash dump, which corresponds to an error that the system cannot recover from. When these kinds of errors occur a file is generated, either a minidump or, if it has been configured [22], a complete dump of the physical memory (%SystemRoot%\Memory.dmp), which can subsequently be analysed with the corresponding tool. These kinds of errors can be provoked with tools such as NotMyFault [23], or directly by pulling the power cable from the back of the computer, if it is a desktop, or removing the battery if it is a laptop. If memory is obtained through this method it is recommendable to verify the integrity of the file with utilities such as Dumpchk [24].

To do so, type the following instruction:

dumpchk.exe Memory.dmp

If the integrity of the file is affected, an error message will appear; if the integrity of the file is correct, the message “Finished dump check” will appear.

[22] http://blogs.technet.com/b/plataformas/archive/2008/08/22/como-configurar-mi-m-quina-para-obtener-un-dump-de-memoria.aspx
[23] http://download.sysinternals.com/files/NotMyFault.zip
[24] http://technet.microsoft.com/es-es/library/ee424340%28v=ws.10%29.aspx


For different reasons, for example if physical access to the system where the evidence gathering is going to take place is not possible, it might be necessary to carry out the process remotely. For this, tools such as psexec [25] are useful, through which it is possible to carry out the aforementioned process effectively and without having to install any components on the remote system.

Once the image corresponding to the physical memory dump is obtained, it is necessary to obtain its hash, which will be noted down in the chain of custody documentation to guarantee that the image is not modified subsequently and to guarantee its integrity. A hash is a value that identifies information uniquely. There are different hash algorithms: MD5, SHA-1, SHA-2, etc.

The use of MD5, despite being widespread, presents the problem that collisions can occur; in other words, different files may have the same MD5, so the validity of the evidence could be questioned. That is why it is recommended to reduce its use.

The case of SHA-1 is similar, although not identical, which is why alternatives such as SHA-256, SHA-512, etc. are advised.

There are a great number of tools, such as HashMyFiles [26], MD5deep [27] or HashCalc [28], which can help to obtain the different hashes of a file. An example of the use of HashMyFiles can be seen in Image 4.

Image 4: HashMyFiles
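Hashing an acquired image for the chain-of-custody record, as an added Python example (not part of the guide and not the code of HashMyFiles, MD5deep or HashCalc): the image is hashed in chunks, SHA-256 and SHA-512 are recorded alongside MD5, and the record is used later to confirm that the image is unchanged. The file name, collector and sample image contents are constructed.

```python
"""Hashing an acquired image for the chain-of-custody record.

Added example, not part of the INCIBE guide nor of any tool it names. The image
is hashed in chunks (memory dumps are large), SHA-256 and SHA-512 are recorded
alongside MD5, and the record is used later to re-verify the file. The sample
image written by demo() is constructed.
"""
import hashlib
import hmac
import io
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5 is kept only for cross-checking with older tooling; SHA-256/SHA-512 carry the weight.
ALGORITHMS = ("md5", "sha256", "sha512")


def hash_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Return {algorithm: hexdigest}, reading the stream in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def custody_record(path: str, collector: str, description: str) -> dict:
    """Build the entry that goes into the chain-of-custody documentation (ANNEX 2)."""
    return {
        "evidence": os.path.basename(path),
        "description": description,
        "size_bytes": os.path.getsize(path),
        "hashes": hash_file(path),
        "collector": collector,
        "hashed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_integrity(path: str, record: dict, algorithm: str = "sha256") -> bool:
    """True when the file's current digest matches the one noted in the record."""
    return hmac.compare_digest(hash_file(path)[algorithm], record["hashes"][algorithm])


def demo() -> tuple:
    """Write a constructed 'memory image', record it, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "HOSTNAME-20141114-1035.raw")  # constructed name
        with open(image, "wb") as fh:
            fh.write(b"MZ" + bytes(range(256)) * 4096)  # about 1 MiB of constructed content
        record = custody_record(image, "analyst A", "DumpIt RAW image of workstation")
        with open(image + ".custody.json", "w", encoding="utf-8") as fh:
            json.dump(record, fh, indent=2)
        intact = verify_integrity(image, record)
        with open(image, "r+b") as fh:  # simulate later tampering of a single byte
            fh.seek(100)
            fh.write(b"\x00")
        return intact, verify_integrity(image, record)


if __name__ == "__main__":
    print(demo())  # (True, False): intact before, mismatch after the change
```

The record is written next to the image as JSON so that it can be copied verbatim into the chain of custody template; verification uses a constant-time comparison and, by default, SHA-256, in line with the recommendation above to move away from MD5 and SHA-1.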

It can also be of great interest for the forensic analysis to obtain virtual memory, which is why it is recommendable to acquire pagefile.sys whenever possible. To do so, specialized tools such as NTFSCopy [29] can be used. Alternatively, the computer may be switched off in order to extract the hard disk and connect it to another computer, so that the file is not in use and can be copied. However, this implies the risk that, if the system has the option to delete the virtual memory paging file when the system is turned off, information can be lost.

[25] http://technet.microsoft.com/es-es/sysinternals/bb897553.aspx
[26] http://www.nirsoft.net/utils/hash_my_files.html
[27] http://md5deep.sourceforge.net
[28] http://www.slavasoft.com/hashcalc/
[29] https://tzworks.net/prototype_page.php?proto_id=9

To gather the page file with the indicated tool, the programme may be executed from a command prompt.

An example of use is the following instruction:

NTFSCopy.exe c:\pagefile.sys g:\pagefile.sys -raw -MD5

This asks the tool to copy the pagefile.sys located on C: and store it on the G: drive, adding its MD5.

Other tools:
AccessData FTK Imager http://www.accessdata.com
Hobocopy https://github.com/candera/hobocopy
ShadowCopy http://www.runtime.org/shadow-copy.htm

It is not necessary to obtain pagefile.sys separately if a disk dump is going to take place afterwards, because the page file is contained in the disk image, so the person carrying out the evidence analysis will have no problem extracting it from that image.

This also applies to the hibernation file, hiberfil.sys, which stores an exact image of the computer's memory just before it hibernates, in order to restore it when the system leaves hibernation. If hibernation is not configured by default, it can be enabled through Powercfg [30] and the hibernation state subsequently forced with the PsShutdown [31] utility or by going to Start, Shut down, Hibernate.

On occasions, depending on the incident, it might not be necessary to dump the entire memory, and it may be enough to obtain certain information. Below is some significant evidence that may need to be recovered in certain incidents.

5.3.2.1. Running processes.

To obtain a list of running processes the utility tasklist may be used.

To do so, type the following instruction:

[30] http://technet.microsoft.com/es-es/library/cc748940(v=ws.10).aspx
[31] http://technet.microsoft.com/en-us/sysinternals/bb897541.aspx


tasklist > "ProcesosEnEjecución-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 5:

Image 5: Running processes

Other tools:
Pslist http://technet.microsoft.com/es-es/sysinternals/bb896682.aspx
Volatility https://code.google.com/p/volatility
CurrProcess http://www.nirsoft.net/utils/cprocess.html

In specific cases, mainly those related to malware, it might be useful to dump the memory of a running process suspected of being used by the malware. Different tools can be used for this, such as PMDump [32] or Process Dumper [33]; on Windows 7, a dump file can also be created from the Task Manager.

5.3.2.2. Running services

To obtain the list of running services use the utility sc query.

To do so, you type the following instruction:

[32] http://ntsecurity.nu/toolbox/pmdump/
[33] http://www.trapkit.de/research/forensic/pd/


sc query > "ServiciosEnEjecución-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 6:

Image 6: Running services

Other tools:
PsService http://technet.microsoft.com/es-es/sysinternals/bb897542.aspx
Volatility https://code.google.com/p/volatility

5.3.2.3. Users that have opened a session and user account lists.

To obtain the list of users who have opened a session on the system, there are different tools available, such as netusers [34].

To do so type the following instruction:

netUsers.exe > "UsuariosActualmenteLogueados-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

[34] http://www.systemtools.com/cgi-bin/download.pl?NetUsers


With the same tool, the users that have opened a session on the machine at some point, and when they last did so, may be looked up. To do so, type the following instruction:

netUsers.exe /History > "HistoricoUsuariosLogueados-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

Other tools:
Psloggedon http://technet.microsoft.com/es-es/sysinternals/bb897545.aspx
LogonSessions http://technet.microsoft.com/es-es/sysinternals/bb896769.aspx

5.3.3. Network information: state, active connections, open UDP and TCP ports

5.3.3.1. State of the network

To obtain the state of the network, its adapters, their configuration, etc., use the ipconfig command.

To do so, type the following instruction:

ipconfig /all > "EstadoDeLaRed-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 7:

Image 7: Windows IP configuration

It could happen that, for different reasons, such as a malware infection, the system is functioning as a sniffer in promiscuous mode; in other words, that it is capturing all of the network's traffic. To detect this type of practice, use tools such as Promiscdetect [35].

To do so, type the following instruction:

Promiscdetect > "Promiscdetect-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

5.3.3.2. Established NetBIOS connections

NetBIOS is a protocol used by Windows, normally running over TCP/IP, which enables systems on the same local network to communicate. To do so, NetBIOS assigns an identifier to each system, so that the system's shared resources can be accessed through the network via its name or its IP.

NetBIOS keeps a record of every access in a table. To view it, use the nbtstat or net command:

nbtstat -S > "ConexionesNetBIOSEstablecidas-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

Or,

net sessions > "SesionesRemotasEstablecidas-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 8:

Image 8: Established NetBIOS connections

5.3.3.3. Recently transferred files through NetBIOS

NetBIOS also temporarily keeps a record, in a table, of all the files copied via this protocol.

To view it, type the following instruction:

net file > "FicherosCopiadosMedianteNetBIOS-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 9:

[35] http://ntsecurity.nu/toolbox/promiscdetect/


Image 9: Recently transferred files via NetBIOS

5.3.3.4. Active connections or open ports

To obtain a list of active connections, use the netstat command.

To do so, type the following instruction:

netstat -an |findstr /i "estado listening established" > "PuertosAbiertos-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 10:

Image 10: Active connections or open ports

Likewise, it is possible to obtain the relation between running applications and open ports. To do so, type the following instruction:

netstat -anob > "AplicacionesConPuertosAbiertos-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

Other tools:
Fport http://www.mcafee.com/es/downloads/free-tools/fport.aspx
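Triaging the saved netstat output, as an added Python example that is not from the guide: it parses the lines that netstat -anob writes (the English-locale layout is assumed; the Spanish-locale output differs only in the header text, which the parser skips), lists the listening ports, and pairs each established session with its owning image, reporting the ones whose remote end lies outside the local network. SAMPLE_NETSTAT is constructed and uses documentation address ranges.

```python
"""Triage of a saved "netstat -anob" output.

Added example, not part of the INCIBE guide: it parses the
AplicacionesConPuertosAbiertos text file into records, lists listening ports
and pairs each established connection with its owning process, flagging those
that leave the local network. SAMPLE_NETSTAT is constructed (documentation
address ranges, invented PIDs).
"""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     3120
 [chrome.exe]
  TCP    192.168.1.10:49800     198.51.100.7:6667      ESTABLISHED     4412
 [svchost.exe]
  TCP    127.0.0.1:49801        127.0.0.1:49802        ESTABLISHED     4412
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    1024
 [svchost.exe]
"""

# Ranges treated as "inside": RFC 1918, loopback, link-local and IPv6 ULA.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: list = field(default_factory=list)  # component / [image] lines printed below the row


def parse_netstat(text: str) -> list:
    """Group each TCP/UDP row with the ownership lines that netstat -b prints under it."""
    conns = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP"):
            if parts[0] == "UDP":  # UDP rows have no State column
                proto, local, foreign, pid = parts[0], parts[1], parts[2], int(parts[3])
                state = ""
            else:
                proto, local, foreign, state, pid = parts[0], parts[1], parts[2], parts[3], int(parts[4])
            conns.append(Connection(proto, local, foreign, state, pid))
        elif conns:  # any other line after the first row belongs to the last row
            conns[-1].owner.append(raw.strip().strip("[]"))
    return conns


def split_address(addr: str) -> tuple:
    """'203.0.113.5:443' -> ('203.0.113.5', 443); also handles '[::]:135' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' or a name: nothing to flag
    return any(ip in net for net in INTERNAL_NETWORKS)


def listening_ports(conns: list) -> list:
    return sorted({(c.proto, split_address(c.local)[1]) for c in conns if c.state == "LISTENING"})


def external_connections(conns: list) -> list:
    """(pid, image, remote host, remote port) for established sessions leaving the LAN."""
    out = []
    for c in conns:
        host, port = split_address(c.foreign)
        if c.state == "ESTABLISHED" and not is_internal(host):
            image = c.owner[-1] if c.owner else "unknown"
            out.append((c.pid, image, host, port))
    return out


if __name__ == "__main__":
    records = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(records))
    for pid, image, host, port in external_connections(records):
        print(f"pid {pid} ({image}) -> {host}:{port}")
```

In the constructed sample the second external session, a svchost.exe process talking to a remote host on port 6667, is the kind of pairing the analyst would cross-check against the process list and the traffic capture gathered in the following steps.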

5.3.3.5. DNS cache contents

The DNS protocol (Domain Name System) associates IP addresses with domain names as the latter are easier to remember. The DNS cache stores the aforementioned association with regards to the domains which have been accessed from the system. This list can be obtained by using the ipconfig command.

To do so, type the following instruction:


ipconfig /displaydns > "DNSCache-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 11:

Image 11: DNS cache content

5.3.3.6. ARP cache

The ARP table stores the relation between the physical address (MAC) and logical address (IP) of the systems which the computer has communicated with recently. It must be kept in mind that the stored information is temporary and that, if the communication is not maintained, the corresponding entry will be eliminated in a brief amount of time.

To obtain the ARP table cache, use the arp command.

To do so, type the following instruction:

arp -a > "ArpCache-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the result obtained is shown in Image 12:

Image 12: ARP Cache

5.3.3.7. Network traffic

Besides the information previously indicated with regards to the state of the network, active connections, etc., it is also important to capture the traffic for a certain amount of time so that it can be analysed subsequently. In this analysis, traffic generated by malware can be discovered: connections with C&C servers, reception of malformed packets, etc.


To do so, it is recommendable to use tools such as tshark [36] or dumpcap [37], which allow capturing traffic in promiscuous mode (if the network card allows it); in other words, they support monitoring all the traffic travelling through the network, regardless of whether its origin or destination is the host being analysed.

An example of the use of these tools is the following:

tshark -w "CapturaRed-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.pcap"

Or,

dumpcap -w "CapturaRed-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.pcap"

Other tools:
Tcpdump http://www.tcpdump.org
Wireshark http://www.wireshark.org
Netsleuth http://www.netgrab.co.uk
Windump http://www.winpcap.org/windump
NetWitness http://www.emc.com/security/rsa-netwitness.htm

If an exfiltration of sensitive data is suspected, for instance because the malware belongs to a botnet, it is recommendable to redirect the system's traffic to an isolated VLAN with no Internet access.

A practical case corresponds to a system in which Internet access was extremely slow, and a network traffic capture was made. In the subsequent analysis, Image 13 was observed:

[36] http://www.wireshark.org/docs/man-pages/tshark.html
[37] http://www.wireshark.org/docs/man-pages/dumpcap.html


Image 13: Mass dispatch of Spam

The system was sending a huge amount of spam emails, such as the one in Image 14:

Image 14: Spam email

In some emails it was noted that a file was attached with the name newbos3.exe which corresponded to a malware catalogued as Adware/SystemTool.

5.3.4. Windows registry

The registry stores information of great interest for a forensic investigator (programmes that are loaded when the system starts, user profiles, wireless network configurations, history of USB devices connected to the system, etc.), which is why it is necessary to make a copy of it for subsequent analysis.

In the following table, the registry keys along with the information they contain can be seen.


Table 2: Registry keys and the information they contain [9].

Registry key | Abbreviation | Information it contains
HKEY_CLASSES_ROOT | HKCR | Ensures that a file opened with Windows Explorer is opened by the correct programme.
HKEY_CURRENT_USER | HKCU | Configuration of the user that has opened a session.
HKEY_LOCAL_MACHINE | HKLM | Configuration information specific to the system (for any user).
HKEY_USERS | HKU | User profiles actively loaded in the system.
HKEY_CURRENT_CONFIG | HKCC | Information regarding the hardware profile used by the local system when it starts up.

To export them, execute the following instructions (syntax: reg export Key\Subkey file):

reg export HKEY_CLASSES_ROOT "HKCR-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export HKEY_CURRENT_USER "HKCU-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export HKEY_LOCAL_MACHINE "HKLM-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export HKEY_USERS "HKU-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export HKEY_CURRENT_CONFIG "HKCC-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

Likewise, there are a series of files that can be recovered and that can be used as a backup of the registry keys. In the following table, the correspondence between files and registry entries can be seen:

Table 3: Registry entries and associated files [9].

Registry entry | Associated files
HKEY_LOCAL_MACHINE\SAM | Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\SECURITY | Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\SOFTWARE | Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\SYSTEM | System, System.log, System.alt, System.sav
HKEY_CURRENT_CONFIG | System, System.log, System.alt, System.sav
HKEY_CURRENT_USER | Ntuser.dat and Ntuser.dat.log
HKEY_USERS\.DEFAULT | Default, Default.log, Default.sav

The files are stored at %SystemRoot%\System32\Config\ (Windows NT/2000/XP) or %SystemRoot%\System32\Config\Regback\ (Windows 7/8), except for Ntuser.dat and Ntuser.dat.log, which can be found at %HomePath%.

Other tools:
RegRipper https://code.google.com/p/regripper
RegFileExport http://www.nirsoft.net/utils/registry_file_offline_export.html
Forensic Registry EDitor (fred) https://sectechno.com/fred-forensic-registry-editor/
Registry Decoder https://code.google.com/p/registrydecoder

It might not be necessary, depending on the incident, to export the entire registry, but with certain keys it may be enough. Following is some significant evidence from the registry that could be necessary to compile for certain incidents.

5.3.4.1. Connected USB devices

With every connection of a new USB device to the system, a corresponding registry entry is created where its information is stored, such as the manufacturer or a unique identification number. That is why it could be relevant to export the registry entries indicated below, in case the incident requires it. To do so, the following instructions must be executed:

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR" "USBSTOR-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB" "USB-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses" "DeviceClasses-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\System\MountedDevices" "MountedDevices-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"


Likewise, setupapi.log (Windows XP) or setupapi.dev.log (from Windows Vista on), located in the %WinDir% and %WinDir%\inf folders respectively, contains information regarding the devices that have been installed, storing records such as the name of the device, its serial number, the date it was first connected to the system, etc.

A practical case corresponds to a company that, for security reasons, prohibited the use of pen drives belonging personally to workers. One of the company's systems, which had no access to the local network or the Internet, got infected with malware, and after analysing the case Image 15 was observed:

Image 15: USB devices connected

As indicated previously, the following, among other information, may be obtained from the registry:

• The identifier of the device class (Device Class ID), in Disk&Vendor&Product&Version format, in this case Disk&Ven_USB&Prod_Flash_Disk&Rev_1100.

• The unique identifier (Unique Instance ID), in this case FBH1301080600351&0. If the second character of the identifier is an &, it indicates that the device does not have a unique identification number and that the operating system has assigned one.

Through this, it was proven that the rules had been infringed and that a USB device had been connected to the system.

Other tools:
USB History Dump http://sourceforge.net/projects/USBhistory/
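Reading the exported USBSTOR key, as an added Python example that is not from the guide or from USB History Dump: it parses the .reg file written by the reg export instruction above, splits each device key into the Device Class ID fields and the Unique Instance ID, and flags identifiers whose second character is & (assigned by the operating system). SAMPLE_REG is constructed around the identifiers quoted in the text; the FriendlyName values and the second device are invented, and the UTF-16 handling in load_reg_file is the encoding reg export uses for its output files.

```python
"""Parsing the exported USBSTOR key into a list of devices.

Added example, not part of the INCIBE guide: it reads the .reg file produced by
reg export, splits each device key into the Device Class ID fields (type,
vendor, product, revision) and the Unique Instance ID, and flags identifiers
that Windows generated itself (second character '&'). SAMPLE_REG is
constructed; the FriendlyName values and the second device are invented.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_1100]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_1100\FBH1301080600351&0]
"FriendlyName"="USB Flash Disk USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_1100\FBH1301080600351&0\Device Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Card_Reader&Rev_0100\7&2a1b3c4d&0]
"FriendlyName"="Generic Card Reader USB Device"
"""

KEY_LINE = re.compile(r"^\[(?P<path>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


@dataclass
class UsbDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: str
    os_assigned_id: bool
    values: dict = field(default_factory=dict)

    @classmethod
    def from_key(cls, class_id: str, instance_id: str) -> "UsbDevice":
        """Split 'Disk&Ven_X&Prod_Y&Rev_Z' and 'SERIAL&0' into their parts."""
        fields = class_id.split("&")

        def part(prefix: str) -> str:
            return next((f[len(prefix):] for f in fields[1:] if f.startswith(prefix)), "")

        return cls(
            device_type=fields[0],
            vendor=part("Ven_"),
            product=part("Prod_"),
            revision=part("Rev_"),
            instance_id=instance_id,
            serial=instance_id.split("&")[0],
            # An '&' in the second position means Windows generated the ID itself.
            os_assigned_id=len(instance_id) > 1 and instance_id[1] == "&",
        )


def parse_usbstor_export(text: str) -> list:
    """One UsbDevice per <class id>\\<instance id> key; deeper subkeys are ignored."""
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            parts = key.group("path").split("\\")
            current = None
            if "USBSTOR" in parts:
                below = parts[parts.index("USBSTOR") + 1:]
                if len(below) == 2:  # exactly <class id>\<instance id>: one device
                    current = UsbDevice.from_key(below[0], below[1])
                    devices.append(current)
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None:
            current.values[value.group("name")] = value.group("value").strip('"')
    return devices


def load_reg_file(path: str) -> list:
    """reg export writes UTF-16LE with a BOM; fall back to UTF-8 for hand-made files."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8")
    return parse_usbstor_export(text)


if __name__ == "__main__":
    for dev in parse_usbstor_export(SAMPLE_REG):
        origin = "OS-assigned" if dev.os_assigned_id else "device serial"
        print(f"{dev.device_type} {dev.vendor} {dev.product} rev {dev.revision}: "
              f"{dev.instance_id} ({origin}) {dev.values.get('FriendlyName', '')}")
```

The serial column is what gets matched against the setupapi log and the MountedDevices export mentioned above; an OS-assigned identifier is still evidence that a device was connected, but it cannot on its own tie the event to one specific physical device.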

5.3.4.2. List of Wi-Fi networks that the system has connected to:

In the case of a PC, it can be interesting to find out which WIFI networks it has connected to and their configurations. In Windows XP, the following instructions must be executed to export the corresponding registry entrances:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces" "ListadoRedesWifi-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces" "ConfiguraciónRedesWifi-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

In Windows 7/8 this information is no longer stored in the registry; instead, XML files are created on disk in the folder C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces, one for each Wi-Fi network configuration the system has connected to, so it is necessary to copy the contents of that folder and also export the profiles via the following instructions:

netsh wlan show profiles > "PerfilesWifi-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

netsh wlan show all > "ConfiguraciónPerfilesWifi-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

Another option would be to export the profiles via the following instruction:

netsh wlan export profile

A practical case corresponds to a user suspected of having illegitimately accessed a wireless network from his Windows XP laptop, so the registry export mentioned above was performed.

The subsequent analysis of the entry revealed that the user had indeed connected to the network with SSID (Service Set Identifier) “CIBER NOMBRE FICTICIO”, as can be observed in Image 16.

Image 16: List of WIFI networks that the system had connected to

WirelessNetConsole http://www.nirsoft.net/utils/wireless_net_console.html


5.3.4.3. Windows Security Center / Windows Action Center Configuration

Microsoft, from Windows XP Service Pack 2 onwards, included the Security Center, which in subsequent versions of the operating system was renamed Action Center. This component is an information panel where the main aspects related to the security of the system can be viewed and configured: firewall, automatic updates, notifications, etc.

The configuration of this component is stored in the registry and it can be important to know this configuration for some incidents. To export the corresponding registry keys, execute the following instructions:

On Windows XP:

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center" "HKLM-SecurityCenter-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

On Windows 7/8:

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center" "HKLM-SecurityCenter-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center" "HKCU-ActionCenter-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

5.3.4.4. Windows firewall configuration.

The Windows firewall configuration stores the permitted applications, the open ports and other information related to the firewall itself.

To export this information, execute the following instruction:

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" "HKLM-FirewallPolicy-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

A practical case corresponds to a system that suffered a leak of information concerning the bank details of the owner of the system. After analysing the registry entry, it was observed that the firewall had an exception established so that the dfsdasdcxz.exe programme could connect to the outside, as can be observed in Image 17. After a subsequent investigation of the file, it was determined that it was malware with keylogger functions that sent the collected information to an external server.


5.3.4.5. Programmes that are executed when the operating system is turned on.

The main registry entries where the list of programmes executed when the operating system starts is stored are the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

That is why it is advisable to export these registry keys via the following instructions:

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" "HKCU-ShellFolders-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" "HKCU-UserShellFolders-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "HKCU-Run-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" "HKCU-RunOnce-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" "HKCU-Windows-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

Image 17: Malware exception in a Windows firewall

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" "HKLM-ShellFolders-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" "HKLM-UserShellFolders-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" "HKLM-Explorer-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" "HKLM-Run-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" "HKLM-RunOnce-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" "HKLM-SessionManager-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

A practical case corresponds to a system infected with a fake antivirus (Image 18), which showed constant notifications and, amongst other things, prevented the execution of the Task Manager.

Image 18: Fake antivirus


After analysing the exported registry keys, it was determined that the following value had been created in the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, as can be observed in Image 19, meaning that it was executed automatically whenever a session was opened on the system.

Image 19: Fake antivirus executing when the operating system loads

Autoruns http://technet.microsoft.com/es-es/sysinternals/bb963902.aspx

WhatInStartup http://www.nirsoft.net/utils/what_run_in_startup.html

5.3.4.6. File extensions and associated programmes used to open them.

Windows stores in the registry the associations between file types, according to their extension, and the programme that should be used to open them. In certain incidents, mainly those related to malware, these entries are modified so that the malware is executed automatically whenever a file of that type is opened.

In order to export the corresponding entries for subsequent analysis, the following instructions must be executed:

reg export "HKEY_CLASSES_ROOT\batfile\shell\open\command" "HKCR-batfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" "HKCR-cmdfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\comfile\shell\open\command" "HKCR-comfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\exefile\shell\open\command" "HKCR-exefile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\htafile\shell\open\command" "HKCR-htafile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\https\shell\open\command" "HKCR-https-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\JSEfile\shell\open\command" "HKCR-JSEfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\piffile\shell\open\command" "HKCR-piffile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\regfile\shell\open\command" "HKCR-regfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\scrfile\shell\open\command" "HKCR-scrfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\txtfile\shell\open\command" "HKCR-txtfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\VBSfile\shell\open\command" "HKCR-VBSfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_CLASSES_ROOT\WSFFile\shell\open\command" "HKCR-WSFFile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\software\Classes\batfile\shell\open\command" "HKLM-batfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\software\Classes\comfile\shell\open\command" "HKLM-comfile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command" "HKLM-exefile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

reg export "HKEY_LOCAL_MACHINE\software\Classes\piffile\shell\open\command" "HKLM-piffile-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

Or, alternatively, execute the following batch file:

@echo off
for %%t in (batfile cmdfile comfile exefile htafile https JSEfile piffile regfile scrfile txtfile VBSfile WSFFile) do (
    reg export "HKEY_CLASSES_ROOT\%%t\shell\open\command" "HKCR-%%t-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"
)
for %%t in (batfile comfile exefile piffile) do (
    reg export "HKEY_LOCAL_MACHINE\software\Classes\%%t\shell\open\command" "HKLM-%%t-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"
)

5.3.4.7. Association of files with debuggers (Image File Execution Options).

In the Windows registry there is a series of entries (Image File Execution Options) that tell the operating system that a given programme must be opened under a debugger. There is malware that takes advantage of these entries to execute automatically, so in this kind of incident it is advisable to execute the following instruction in order to export the corresponding registry entry.

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "HKLM-IFEO-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"
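To analyse the exports of sections 5.3.4.5, 5.3.4.6 and 5.3.4.7 together, here is an added Python example (not code from the guide) that parses the .reg format produced by reg export into a dictionary and then lists every Run/RunOnce value, compares the default open command of the exported file types against the value found on a clean system ("%1" %*), and reports any Image File Execution Options entry carrying a Debugger value, which is one way a programme can intercept the launch of another, such as the Task Manager. The sample .reg text, the fakeav_example path and the SecurityTool value name are constructed for the example.

```python
import re

# Constructed sample .reg text combining exports of the keys covered in
# 5.3.4.5 to 5.3.4.7; the fakeav_example paths and the SecurityTool value are
# made up (a real export is UTF-16 text: open(path, encoding="utf-16").read()).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="C:\\Windows\\system32\\VBoxTray.exe"
"SecurityTool"="\"C:\\ProgramData\\fakeav_example\\guard.exe\" /silent"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\ProgramData\\fakeav_example\\guard.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\ProgramData\\fakeav_example\\guard.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"""

# "name"=value or @=value (default value); the name may contain escaped quotes
VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping (backslash-backslash and backslash-quote), left to right."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def _parse_value(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                      # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                          # REG_DWORD
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:                                                # REG_BINARY and hex(n) types
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if m.group(1) in ("2", "7"):                     # EXPAND_SZ / MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Parse reg export output into {key path: {value name: value}} ('@' = default)."""
    logical = []
    for line in text.splitlines():                       # join hex continuation lines
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _parse_value(m.group(2))
    return keys


# Default open command on a clean system for the executable types the guide exports
EXPECTED_OPEN_COMMAND = {t: '"%1" %*' for t in ("exefile", "comfile", "batfile", "cmdfile", "piffile")}


def list_autoruns(keys):
    """Every value under a CurrentVersion Run or RunOnce key: (key, name, command)."""
    return [(path, name, cmd) for path, values in keys.items()
            if re.search(r"\\CurrentVersion\\Run(Once)?$", path, re.IGNORECASE)
            for name, cmd in values.items()]


def check_open_commands(keys):
    """Open commands whose default value differs from the clean default: (key, value)."""
    findings = []
    for path, values in keys.items():
        m = re.search(r"\\(\w+)\\shell\\open\\command$", path, re.IGNORECASE)
        if m and m.group(1).lower() in EXPECTED_OPEN_COMMAND:
            if values.get("@") != EXPECTED_OPEN_COMMAND[m.group(1).lower()]:
                findings.append((path, values.get("@")))
    return findings


def check_ifeo_debuggers(keys):
    """Image File Execution Options entries with a Debugger value: (image, debugger)."""
    return [(path.rsplit("\\", 1)[1], values["Debugger"]) for path, values in keys.items()
            if "\\image file execution options\\" in path.lower() and "Debugger" in values]


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for key, name, cmd in list_autoruns(keys):
        print(f"autorun  {name:14} {cmd}")
    for path, cmd in check_open_commands(keys):
        print(f"changed  {path}: {cmd}")
    for image, dbg in check_ifeo_debuggers(keys):
        print(f"IFEO     {image} -> {dbg}")
```

On the sample, the Run listing shows both values, the comfile open command is reported because it no longer equals "%1" %*, and only taskmgr.exe is reported under IFEO (notepad.exe carries a GlobalFlag but no Debugger). The same parser serves any other export from this guide, since the .reg format is identical for every key.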


5.3.4.8. Browser Helper Objects (BHO)

Browser Helper Objects are add-ons that allow functions to be added to the browser. On occasion, some programmes create BHOs in order to monitor which websites have been visited, show pop-ups, modify the results of different search engines, etc. That is why in certain incidents it is useful to export the registry entry corresponding to these add-ons. To export this information, execute the following instruction (valid up to Windows 7):

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "BHOs-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

A practical case corresponds to a system suspected of being infected, since constant pop-ups appeared, so an export of the registry key was carried out, as can be observed in Image 20.

Image 20: Browser Helper Objects

After analysing the export, it was confirmed that the selected BHO was associated with a library (DLL) corresponding to malware known as Adware.BHO.NAP, as can be observed in Image 21.

Image 21: VirusTotal analysis of a file associated with a BHO

5.3.4.9. MUICache

Every time a user executes a programme for the first time, an entry that saves the name of the programme is stored in the registry. The key is found at:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache on Windows XP.

• HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache on Windows 7/8.

To export this information, run the following instruction:

Windows XP

reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" "MUICache-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

Windows 7/8

reg export "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" "MUICache-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

MUICacheView http://www.nirsoft.net/utils/muicache_view.html

5.3.4.10. LastVisitedMRU / LastVisitedPidlMRU

In Windows’ registry, the list of recently used applications is stored. This information can be interesting in certain types of incidents, so in order to export it, the following instruction must be executed:

Windows XP

reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" "LastVisitedMRU-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

Windows 7/8

reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" "LastVisitedPidlMRU-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

5.3.4.11. OpenSaveMRU

The registry entry OpenSaveMRU contains a list of files opened or saved from the window corresponding to the dialogue box used by the majority of applications, as can be observed in Image 22.


Image 22: Dialogue Box corresponding to the OpenSaveMRU entry

To export this information, execute the following instruction:

Windows XP

reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" "OpenSaveMRU-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

Windows 7/8 (Not valid for Windows 8.1)

reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" "OpenSavePidlMRU-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

5.3.4.12. Recently opened files

The RecentDocs entry stores a list of recently opened files. To export this information, execute the following instructions:

reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" "RecentDocs-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

In this example, a possible case of improper access to information is simulated, namely the file Cuentas Generales Empresa Ficticia.pdf on the analysed system, as can be observed in Image 23.


Image 23: Recently opened files

5.3.4.13. Installed software.

Windows stores in its registry a list of the installed software along with its information. To export this information, execute the following instruction:

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" "SoftwareInstalado-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.reg"

5.3.5. Passwords

In certain incidents it might be useful to know the different user names and passwords stored in the system, so it is advisable to collect them, as long as explicit authorisation has been granted beforehand and compliance with the current data protection law is maintained.

There are a number of passwords that could be stored in the system for different services, such as email accounts, online banking, e-commerce services, etc., and a great number of programmes to collect them. The following is a selection of the most typical ones:


• WebBrowserPassView [38]: Collects the passwords stored in the main browsers: Internet Explorer (versions 4.0 - 10.0), Mozilla Firefox (all versions), Google Chrome, Safari and Opera.

WebBrowserPassView /stab "ContraseñasNavegadores-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

• Network Password Recov
ery [39]: Collects the passwords corresponding to the network resources that the current user is connected to.

Netpass /stab "NetworkPasswordRecovery-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

• Mail PassView [40]: Collects the passwords of the main email accounts used.

mailpv /stab "MailPassView-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

5.3.6. Cached information in browsers (addresses, download history)

• In the case of Google Chrome, the Web Data file must be copied using the following command:

Windows XP

copy "%UserProfile%\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Web Data" WebData

Windows 7/8

copy "%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Web Data" WebData

This file is a database in SQLite format that can be viewed with different utilities such as SQLite Database Browser [41]. In the same directory it is possible to find other files that store information such as bookmarks or the browsing history, amongst others, so depending on the incident it could be interesting to make a copy of the whole directory.

• In the case of Mozilla Firefox, the formhistory.sqlite file must be copied via the following command:

Windows XP

copy "%UserProfile%\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\<random>.default\formhistory.sqlite" formhistory.sqlite

Windows 7/8

copy "%UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\formhistory.sqlite" formhistory.sqlite

[38] http://www.nirsoft.net/utils/web_browser_password.html
[39] http://www.nirsoft.net/utils/network_password_recovery.html
[40] http://www.nirsoft.net/utils/mailpv.html
[41] http://sourceforge.net/projects/sqlitebrowser/

<random> is the random name that Firefox gives to the user's profile folder. To find it out beforehand, it is necessary to list the contents of the Profiles directory. As with other browsers, all kinds of information is stored under the user's profile path.

In the case of Internet Explorer, the tool IECacheView [42] can be used. To do so, use the following instruction:

IECacheView /stab "IECache-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"
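As an added example that is not part of the guide, the following Python script shows how a copied formhistory.sqlite can be read with Python's built-in sqlite3 module instead of a GUI browser: it opens the copy read-only, queries Firefox's moz_formhistory table and converts its firstUsed and lastUsed columns from microseconds since the Unix epoch into dates. Because the example must run offline, build_sample_db creates an in-memory database with the columns used here and two constructed rows in place of a real profile file.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_db():
    """Constructed in-memory stand-in for a copied formhistory.sqlite (only the
    columns used below; the two rows are made up for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE moz_formhistory (
        id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL,
        timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT)""")
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed, guid) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [("q", "cuentas generales empresa", 3, 1414999800000000, 1415010360000000, "g1"),
         ("email", "usuario@ejemplo.invalid", 12, 1410000000000000, 1415009000000000, "g2")])
    conn.commit()
    return conn


def open_form_history(path):
    """Open the *copied* formhistory.sqlite read-only; never open the live profile file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def prtime_to_datetime(microseconds):
    """Firefox stores form-history times as microseconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def read_form_history(conn, min_times_used=1):
    """Form-history rows, most recently used first, with times converted to datetimes."""
    cur = conn.execute(
        "SELECT fieldname, value, timesUsed, firstUsed, lastUsed FROM moz_formhistory "
        "WHERE timesUsed >= ? ORDER BY lastUsed DESC", (min_times_used,))
    return [{"field": field, "value": value, "times_used": n,
             "first_used": prtime_to_datetime(first), "last_used": prtime_to_datetime(last)}
            for field, value, n, first, last in cur]


def used_between(rows, start, end):
    """Rows whose last use falls inside the incident window (ISO 8601 UTC strings)."""
    lo = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    hi = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
    return [r for r in rows if lo <= r["last_used"] <= hi]


if __name__ == "__main__":
    # For a real copy: conn = open_form_history(r"C:\evidence\formhistory.sqlite")
    conn = build_sample_db()
    for r in read_form_history(conn):
        print(f'{r["last_used"]:%Y-%m-%d %H:%M:%S}  {r["field"]:8} x{r["times_used"]:<3} {r["value"]}')
    for r in used_between(read_form_history(conn), "2014-11-03T10:00:00", "2014-11-03T11:00:00"):
        print("used in window:", r["field"], "=", r["value"])
```

Opening the copy with mode=ro avoids the journal writes a normal open can cause, which matters for a file that is itself evidence; the same read-only pattern applies to Chrome's Web Data file, only the table and column names differ.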

5.3.7. File and folder tree

It can be interesting to know the file and folder tree in order to prove the existence of suspicious files. To do so, three listings must be obtained via the following instructions, corresponding to the MAC times (modification, access and creation) of the files:

• List based on the modification date.

dir /t:w /a /s /o:d c:\ > "ListadoFicherosPorFechaDeModificacion-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

• List based on the last access.

dir /t:a /a /s /o:d c:\ > "ListadoFicherosPorUltimoAcceso-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

• List based on the creation date.

dir /t:c /a /s /o:d c:\ > "ListadoFicherosPorFechaDeCreacion-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

If several hard disks or partitions exist, the instruction must be run for each disk or partition. In other words, the command must be executed as many times as necessary, changing the directory to be listed (c:\ in this case) and, at the same time, the name of the file where the listing will be stored.
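The three listings are more useful joined than separate. The following Python script, added here as an example (not part of the guide), parses constructed output of the three dir commands above, assuming dd/mm/yyyy dates and a 24-hour clock as on the Spanish-locale system the %date% slicing assumes (the "Directory of" / "Directorio de" header is recognised in both languages), builds one MAC record per file, flags files whose creation time is later than their modification time (typical of a file copied onto the system, since the copy keeps the original modification time) and filters the files touched inside a given time window. File names, sizes and times in the listings are made up.

```python
import re
from datetime import datetime

# Constructed output of the three "dir /t:x /a /s /o:d" listings for one folder,
# with dd/mm/yyyy dates and a 24-hour clock. File names, sizes and times are made up.
LISTING_MODIFIED = """ Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\Public\\Documents

03/11/2014  10:22    <DIR>          .
03/11/2014  10:22    <DIR>          ..
15/10/2014  17:40            84.211 cuentas_ejemplo.pdf
02/11/2014  11:30               512 notas.txt
               2 File(s)         84.723 bytes
"""
LISTING_ACCESSED = """ Directory of C:\\Users\\Public\\Documents

03/11/2014  08:00               512 notas.txt
03/11/2014  10:26            84.211 cuentas_ejemplo.pdf
               2 File(s)         84.723 bytes
"""
LISTING_CREATED = """ Directory of C:\\Users\\Public\\Documents

01/11/2014  09:00               512 notas.txt
03/11/2014  10:25            84.211 cuentas_ejemplo.pdf
               2 File(s)         84.723 bytes
"""

DIR_HEADER = re.compile(r"^\s*(?:Directory of|Directorio de)\s+(.+?)\s*$")
DIR_ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(<DIR>|[\d.,]+)\s+(.+?)\s*$")


def parse_ts(text):
    """'dd/mm/yyyy HH:MM' as written by dir on a Spanish-locale system."""
    return datetime.strptime(text, "%d/%m/%Y %H:%M")


def parse_dir_listing(text):
    """{full path: timestamp} for every file (directories skipped) in a dir /a /s listing."""
    out, cwd = {}, None
    for line in text.splitlines():
        h = DIR_HEADER.match(line)
        if h:
            cwd = h.group(1).rstrip("\\")
            continue
        e = DIR_ENTRY.match(line)
        if e and cwd is not None and e.group(3) != "<DIR>":
            out[cwd + "\\" + e.group(4)] = parse_ts(e.group(1) + " " + e.group(2))
    return out


def build_mac_timeline(modified_txt, accessed_txt, created_txt):
    """One record per file with its M, A and C times, sorted by creation time."""
    m, a, c = (parse_dir_listing(t) for t in (modified_txt, accessed_txt, created_txt))
    rows = []
    for path in set(m) | set(a) | set(c):
        row = {"path": path, "modified": m.get(path), "accessed": a.get(path), "created": c.get(path)}
        # A file copied from elsewhere keeps its original modification time but gets a
        # new creation time, so created > modified marks files brought onto the system.
        row["created_after_modified"] = bool(row["created"] and row["modified"]
                                             and row["created"] > row["modified"])
        rows.append(row)
    rows.sort(key=lambda r: (r["created"] or datetime.min, r["path"]))
    return rows


def activity_between(rows, start, end):
    """Files with any M/A/C timestamp inside the window ('dd/mm/yyyy HH:MM' strings)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [r for r in rows
            if any(t and lo <= t <= hi for t in (r["modified"], r["accessed"], r["created"]))]


if __name__ == "__main__":
    timeline = build_mac_timeline(LISTING_MODIFIED, LISTING_ACCESSED, LISTING_CREATED)
    for r in timeline:
        flag = "  <- created after modified" if r["created_after_modified"] else ""
        print(f'C={r["created"]:%d/%m/%Y %H:%M}  M={r["modified"]:%d/%m/%Y %H:%M}  '
              f'A={r["accessed"]:%d/%m/%Y %H:%M}  {r["path"]}{flag}')
    for r in activity_between(timeline, "03/11/2014 10:00", "03/11/2014 11:00"):
        print("touched in window:", r["path"])
```

Because each listing is read into a dictionary keyed by full path, the /o:d ordering of the three files does not matter, and a file present in one listing but not another (for instance one deleted between two runs of dir) keeps a None in the missing column instead of breaking the join.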

[42] http://www.nirsoft.net/utils/ie_cache_viewer.html


MacMatch http://ntsecurity.nu/toolbox/macmatch/

5.3.8. Command interpreter history

If, when carrying out the evidence collection process, there is a command interpreter window open, the history of the commands executed in that window may be obtained via the following instruction:

doskey /history > "HistoricoCMD-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

5.3.9. Screen captures

If the person responsible for acquiring the evidence wishes to take a screen capture because they have observed something significant that must be gathered, a command-line tool such as screenshot-cmd [43] may be used.

To do so, you must type the following instruction:

Screenshot-cmd -o "Screenshot-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%%time:~6,2%.png"

5.3.10. Clipboard information

Information that could be of interest is stored in the clipboard: URLs, passwords, text fragments, etc. That is why it is advisable to check its content. To do so, tools such as InsideClipboard [44] may be used:

InsideClipboard /saveclp "Portapapeles-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.clp"

5.3.11. Browsing history

The browsing history could be an important source of information in some incidents, mainly those related to a malware infection caused by visiting infected websites. In recent times, malware creators have intensified the exploitation of vulnerabilities in browsers, in the technologies used to build websites or in the servers that host them, in order to infect a great number of Internet users. This increase in the exploitation of these kinds of vulnerabilities is because it is a very easy and efficient way of reaching a large number of users. That is why on many occasions it is advisable to obtain the browsing history in order to analyse the activity on the Internet.

[43] https://code.google.com/p/screenshot-cmd/
[44] http://www.nirsoft.net/utils/inside_clipboard.html


Because of its convenience, given that it supports the main browsers (Internet Explorer, Mozilla Firefox, Google Chrome and Safari) and their versions, it is advisable to use tools such as BrowsingHistoryView [45].

BrowsingHistoryView.exe /HistorySource 2 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /LoadSafari 1 /stab "Historial-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

Browser History Spy http://securityxploded.com/browser-history-spy.php

IEHistoryView http://www.nirsoft.net/utils/iehv.html

MozillaHistoryView http://www.nirsoft.net/utils/mozilla_history_view.html

ChromeHistoryView http://www.nirsoft.net/utils/chrome_history_view.html

Pasco http://www.mcafee.com/es/downloads/free-tools/pasco.aspx

Mandiant Redline https://www.mandiant.com/resources/download/redline

A practical case corresponds to a system infected by malware. After exporting and analysing the browsing history, Image 24 was observed:

Image 24: URL corresponding to malware in the browsing history of an infected system

The aforementioned executable, classified as Trj/Lineage.JAE, was responsible for the infection, and thanks to the export of the browsing history the source of the infection was located.

5.3.12. Last searches

Knowing the last searches made in the main search engines can be interesting depending on the type of incident. To collect this information, tools such as MyLastSearch [46] can be used, which obtains all the searches made using the main search engines (Google, Yahoo and MSN) and also the main social networks, such as Twitter, Facebook, MySpace, etc.

[45] http://www.nirsoft.net/utils/browsing_history_view.html
[46] http://www.nirsoft.net/utils/my_last_search.html

MyLastSearch /stab "MyLastSearch-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

5.3.13. Cookies

Cookies are small text files that allow, amongst other things, a session to be kept open on a website, the user to be tracked, visual preferences to be stored, etc. From them, certain information that could be relevant in a forensic process may be obtained, such as website addresses, user names, dates, etc. For this reason, it could be interesting to obtain them in order to analyse them if necessary.

There are different utilities that, depending on the browser, can be used to view cookies in a simpler way. Out of all of them, ChromeCookiesView [47], MozillaCookiesView [48] and IECookiesView [49] stand out. They work in a similar way:

Galleta http://www.mcafee.com/es/downloads/free-tools/galleta.aspx

Mandiant Redline https://www.mandiant.com/resources/download/redline

5.3.14. Encrypted volumes

It is increasingly common to use encryption tools in order to add a certain level of privacy and security to information. It could be of interest in a forensic process to identify encrypted volumes, as it is probable that they store relevant information. To do so, tools such as Encrypted Disk Detector [50] can be used, which analyses the computer's storage units and determines whether any of them correspond to a volume encrypted with the main tools, such as TrueCrypt, PGP®, SafeBoot or BitLocker®.

In order to do so, type the following instruction:

EDD.exe > "VolumenesEncriptados-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

[47] http://www.nirsoft.net/utils/chrome_cookies_view.html
[48] http://www.nirsoft.net/utils/mzcv.html
[49] http://www.nirsoft.net/utils/iecookies.html
[50] http://info.magnetforensics.com/encrypted-disk-detector/

5.3.15. Mapped drives

To obtain a list of the mapped drives, execute the following instruction:

net use > "UnidadesMapeadas-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

The result obtained is shown in Image 25:

Image 25: Mapped drives

5.3.16. Shared folders

In order to obtain a list of the shared resources, execute the following instruction:

net share > "CarpetasCompartidas-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

The result obtained is shown in Image 26:

Image 26: Shared folders

5.3.17. Pending burns

From Windows XP onwards, the operating system has the capacity to burn CDs without the need for additional software. This function must be kept in mind in some incidents, such as those related to information theft, if the offender is caught “red-handed”. Although the most typical way of doing this is via pendrives, this possibility must not be ruled out. For this reason, the existence of pending burns must be checked in order to analyse which files were going to be burned.

To do so, run the following instruction from a command interpreter window, which exports the list of files pending burning.

In Windows XP

dir "%UserProfile%\Configuración local\Application Data\Microsoft\CD Burning" > "GrabacionesPendientes-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

In Windows 7/8

dir "%UserProfile%\AppData\Local\Microsoft\Windows\Burn" > "GrabacionesPendientes-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"


The %UserProfile% environment variable can be substituted with the path corresponding to the user's profile directory.

5.4. NON VOLATILE INFORMATION

Once the volatile information has been collected, the non-volatile evidence may be gathered, which does not mean it is of less importance.

5.4.1. Disk dumping

Some factors worth keeping in mind when collecting evidence are the speed of the collection and its integrity. Nowadays the capacity of disks is extremely large, so the process could be costly in terms of time and resources. It is necessary to have a clear idea of what type of dump needs to be carried out, which can be classified into three types:

• Create a bit-stream copy of the disk to an image: this is the most typical and fastest method. Besides, it allows as many copies as needed to be made quickly and simply for the analysis phase. To create a bit-stream copy of a disk to an image, FTK Imager [51] (command-line version) is a good choice. To do so, proceed with the following steps:

ftkimager.exe \\.\PHYSICALDRIVE0 g:\ImagenHD --verify

If dumping a secondary hard disk, or if there are several partitions, a list of the available drives can be obtained via the following parameter:

ftkimager.exe --list-drives

WinDD http://sourceforge.net/projects/windd/

Clonezilla http://clonezilla.org

OSFClone http://www.osforensics.com/tools/create-disk-images.html

• Create a bit-stream copy from disk to disk: this is the method used when it is not possible to make a bit-stream copy from a disk to an image.

In the same way that in the previous method, as many copies as disks can be done. Cloning via a hardware device entails a greater reliability and speed. However, as

51 http://www.accessdata.com/support/product-downloads

Toma de evidencias en entornos Windows 51

Page 52: Toma de evidencias en caso de incidente - INCIBE-CERT · Toma de evidencias en entornos Windows 6: Likewise, Locard’s Exchange principle takes place when carrying out the actual

mentioned previously, in this guide we have opted for the use of free software with the purpose of this task not leading to costs in terms of licenses.

To create a bit stream copy from disk to disk, use utilities such as Clonezilla52. In order to do so, all that is needed is to switch on the computer with the utility and follow the indicated steps.

Other tools for the same task:

DC3DD http://sourceforge.net/projects/dc3dd/

OSFClone http://www.osforensics.com/tools/create-disk-images.html

dd Available in Linux distributions

FOG http://sourceforge.net/projects/freeghost/

AIR - Automated Image and Restore http://sourceforge.net/projects/air-imager/

When making a bit-stream copy from disk to image or from disk to disk, keep the following in mind for SSDs:

SSDs do not work in the same way as magnetic disks. Manufacturers implemented the TRIM command, which prolongs the useful life of an SSD and prevents performance degradation. This command tells the controller which cells are no longer in use, and the controller's garbage collector then electronically erases the content of those cells and prepares them for future writes. It is very important to understand that the garbage collection process cannot be avoided once TRIM is active, not even by moving the SSD to another system or connecting it through a write blocker, because an SSD starts that process on its own as soon as it has power.

This means that if a user deletes a file on a volume with TRIM enabled, the evidence may disappear for good. This does not affect encrypted volumes such as TrueCrypt or BitLocker, which must therefore be collected for later analysis.

Likewise, note that this affects the hash of an SSD: two hashes of the same disk taken at different times can differ, because the process triggered by TRIM runs in the background and, even though the disk has apparently not been modified, its contents have in fact changed.

52 http://clonezilla.org

• Copy of scattered data belonging to a folder or file, i.e. a selective copy: on many occasions, depending on the type of incident, it is not necessary to dump the whole disk and copying certain folders or files is sufficient. For this, use a tool such as TeraCopy53. An example of its use:

TeraCopy.exe Copy "D:\Info" F:\Backup

With this tool it is possible to check that the copy was made correctly, since it calculates the hash of each file and of its copy and compares them.

Other tools for the same task:

Robocopy http://technet.microsoft.com/es-es/library/cc733145(v=ws.10).aspx

Copy Available in Windows operating systems.

Xcopy Available in Windows operating systems.

ForensicCopy http://sandersonforensics.com/forum/content.php?121-ForensicCopy

In all three cases, whichever is used, the analysis must be carried out on the copies, keeping the original information intact and preserving its integrity at all times; in practice this means recording the hashes at acquisition time and verifying every working copy against them.
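Whatever acquisition tool is used, the copy should be verified against its source before the original is sealed. The following Python script, added here as an example and not code from the INCIBE guide, FTK Imager or TeraCopy, does what their --verify and hash-comparison options do: it hashes source and copy in one streaming pass with MD5 and SHA-256, compares the results and writes the acquisition hashes to a sidecar file that can be attached to the chain-of-custody record. The three sample files (a 3 MiB pseudo-image, a faithful copy and a copy with one flipped bit) are constructed in a temporary directory; their names are assumptions.

```python
"""Hash-verify an acquired copy against its source in one streaming pass.

Added example, not code from the INCIBE guide: reproduces what
`ftkimager --verify` and TeraCopy's hash comparison do, so the same check can be
applied to any copy made with dd, robocopy or xcopy. Files are read in 1 MiB
chunks, so multi-gigabyte images never need to fit in memory.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for path, reading the file only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(source, copy):
    """Hash source and copy; return (identical, source_hashes, copy_hashes)."""
    src, dst = hash_file(source), hash_file(copy)
    return src == dst, src, dst


def write_hash_sidecar(path, hashes):
    """Record the acquisition hashes next to the evidence (one line per algorithm)."""
    sidecar = path + ".hashes.txt"
    with open(sidecar, "w", encoding="utf-8") as fh:
        for name, digest in sorted(hashes.items()):
            fh.write(f"{name}  {digest}  {os.path.basename(path)}\n")
    return sidecar


def demo():
    """Build the constructed samples, verify both copies, record the source hashes."""
    workdir = tempfile.mkdtemp(prefix="evidencias-")
    data = bytes(range(256)) * (3 * 1024 * 4)            # 3 MiB, deterministic content
    source = os.path.join(workdir, "ImagenHD.001")        # assumed file names
    good = os.path.join(workdir, "ImagenHD-copia.001")
    bad = os.path.join(workdir, "ImagenHD-alterada.001")
    for name, content in ((source, data), (good, data),
                          (bad, data[:-1] + bytes([data[-1] ^ 0x01]))):  # flip one bit
        with open(name, "wb") as fh:
            fh.write(content)
    good_ok, source_hashes, _ = verify_copy(source, good)
    bad_ok, _, bad_hashes = verify_copy(source, bad)
    sidecar = write_hash_sidecar(source, source_hashes)
    return {"good_ok": good_ok, "bad_ok": bad_ok,
            "source": source_hashes, "altered": bad_hashes, "sidecar": sidecar}


if __name__ == "__main__":
    result = demo()
    print("faithful copy matches source:", result["good_ok"])
    print("altered copy matches source: ", result["bad_ok"])
    print("acquisition hashes recorded in", result["sidecar"])
```

Hashing two algorithms in the same pass costs one read of the disk image instead of two, which matters when the image is hundreds of gigabytes; a single flipped bit in the altered copy changes every digest, which is exactly what the comparison is meant to catch.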

5.4.2. Master Boot Record (MBR)

The Master Boot Record is the first sector, sector 0, of a storage device such as a hard disk. It is 512 bytes long and stores the boot code that starts the system and the partition table (which partitions the device contains, their type and their size). On disks partitioned with GPT, sector 0 holds only a protective MBR and the real partition table lives in the GPT header and entries that follow it, which should be acquired as well.

In certain incidents, mainly those related to malware, it can be of interest to extract it for later analysis in order to determine whether it has been tampered with.

53 http://codesector.com/teracopy


To do so, a tool such as MBRutil54 can be used, which exports the MBR with the following instruction:

MBRutil /S="MBR-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.dat"

The same can be achieved with the aforementioned DC3DD and dd tools by reading the first 512 bytes of the physical device.

5.4.3. Master File Table (MFT)

The Master File Table is the NTFS structure that stores metadata for every file and folder on a volume: name, size, timestamps, permissions, etc. Entries for deleted files remain in it until their space is needed and overwritten, so it also records files that no longer exist.

To export the Master File Table, a tool such as Ntfswalk55 can be used. To do so, type the following instruction:

Ntfswalk -partition c -csv > "MFT-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.csv"

5.4.4. System information

From the command interpreter, the systeminfo command returns information about the hardware, the software, installed hotfixes, versions, uptime, etc.

To do so, type the following instruction:

systeminfo > "InformaciónDelSistema-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

54 http://www.symantec.com/business/support/index?page=content&id=TECH93277

55 https://tzworks.net/prototype_page.php?proto_id=12


And the obtained result can be seen in image 27:

Image 27: System information

This process can also be carried out via other tools such as psinfo56.

5.4.5. Scheduled tasks

The schtasks command lists the tasks scheduled in the operating system, a mechanism malware frequently uses to persist.

To do so, type the following instruction:

schtasks > "TareasProgramadas-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

It is also useful to collect the SchedLgU.txt file, located at %WinDir% on Windows XP and at %WinDir%\Tasks on Windows 7/8, which stores the scheduled tasks that have been

A practical case: a system suspected of being infected, from which, among much other information, the list of tasks was obtained. After analysing them, it was concluded that the malware had created a task to launch an additional component that carried out certain actions on the infected system.

5.4.6. Printed files

It is possible to recover documents that have been printed if the printer option "Keep printed documents" is enabled. Every time a document is sent to print, Windows creates intermediate spool files in the %WinDir%\System32\spool\PRINTERS folder: a *.SHD shadow file with the job metadata (owner, printer, printing method, etc.) and a *.SPL spool file with the data to be printed. Once printing finishes these files are deleted, unless the contrary has been indicated, for example by enabling the aforementioned option.

56 http://technet.microsoft.com/es-es/sysinternals/bb897550.aspx


5.4.7. Environment variables

The path command displays the PATH environment variable, i.e. the directories the system searches for executables. To record it, run the following instruction (the set command, used in the same way, lists every environment variable rather than only PATH):

path > "VariablesDeEntorno-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

And the obtained result is image 28:

Image 28: Environment variables

5.4.8. System logs

Logs are files that store relevant information such as remote connections, system events, etc. Several logs are of great forensic interest and must be gathered.

5.4.8.1. Windows Event Logs

Among Windows' event logs, three are of special importance:

• Application (AppEvent.Evt on Windows XP, Application.evtx from Windows Vista onwards): records events relating to applications.
• System (SysEvent.Evt / System.evtx): records events relating to the system.
• Security (SecEvent.Evt / Security.evtx): records events relating to security, such as logons and the use of privileges.

In Windows XP they are located at %systemroot%\system32\config and can be exported with programs such as psloglist57:

psloglist -s application > "Application-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

57 http://technet.microsoft.com/en-us/sysinternals/bb897544


psloglist -s system > "System-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

psloglist -s security > "Security-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

In Windows 7/8 they are located at %systemroot%\system32\winevt\Logs and, besides the method above, they can be exported with the built-in wevtutil utility, which preserves the native .evtx format. To do so, execute the following instructions:

wevtutil epl application "Application-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.evtx"

wevtutil epl system "System-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.evtx"

wevtutil epl security "Security-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.evtx"

A large number of operating system logs can be exported through this utility. To obtain the complete list of log names, execute the following instruction:

wevtutil el

MyEventViewer http://www.nirsoft.net/utils/my_event_viewer.html

5.4.8.2. WindowsUpdate.log

The WindowsUpdate.log file, located in the %WinDir% folder, stores the history of operating system updates installed on the system.

A practical case: a system that had been the victim of a remote intrusion. Thanks to the WindowsUpdate.log file it was established that the attacker had exploited certain vulnerabilities in the operating system that had not been patched.

5.4.8.3. pfirewall.log

The pfirewall.log file, located in %WinDir% (Windows XP) or in %WinDir%\System32\LogFiles\Firewall (Windows 7/8), stores Windows Firewall information such as dropped packets and successful connections. Note that firewall logging is disabled by default, so the file only exists if an administrator or a policy enabled it.


5.4.8.4. Other logs

Other logs may be present on the system, or on other systems, that can be of interest depending on the type of incident, so their acquisition is advisable. Some of them are the following:

• Web servers such as Internet Information Server (IIS), Apache, etc.
• Remote access utilities such as WinVNC, pcAnywhere, etc.
• FTP clients such as FileZilla, WinSCP, etc.
• Firewalls or intrusion detection systems.
• DHCP logs.
• Messaging programme logs, such as Skype.
• Dropbox synchronization database (.dbx).

5.4.9. .PST and .OST files

PST (Personal Storage Table) files are Microsoft Outlook data files that hold mail, calendar items, contacts, etc., and are also the format in which Outlook backups are made.

OST files are Outlook offline data files: when the account is configured to work offline they store a local copy of the mailbox (emails, calendar items, etc.).

The main differences between these two types of Outlook data files are:

• PST files are used for POP3 and IMAP accounts and for web-based accounts, and also to back up the Outlook folders of any account, including Exchange accounts.

• OST files are used when an Exchange account is configured to work without a connection to the server.

Most mail clients also allow backups in PST format. It is therefore advisable to obtain these files, since in certain incidents they are of interest for later analysis: they may contain a record of conversations, exchanges of information, traces of information leaks, etc. By default, in Windows XP and Windows 7 the files are stored in the Outlook folder under My Documents, and in Windows 8 at %UserProfile%\AppData\Local\Microsoft\Outlook.

5.4.10. Prefetch folder

This folder stores information about the programs that are run most often, which the operating system uses to reduce their load time. Each application normally has an associated file with a PF extension that stores the executable's name, the number of times it has been run, the last execution time, the libraries and files it loaded, etc. Prefetching is disabled by default on Windows Server editions, so the folder may be empty there.

This can be seen by accessing the %WinDir%\Prefetch folder, as shown in image 29.


Image 29: Prefetch folder content

A practical case: a company suspected that one of its systems had been the victim of a remote intrusion. Examining the prefetch files established that certain applications had been executed outside working hours.

5.4.11. Recycle bin

It is possible to obtain information about deleted items that were sent to the recycle bin. The following table gives its location on each version of the operating system:

Table 4: Recycle bin routes depending on the version of the operating system.

Operating system Location

Windows XP %SystemDrive%\Recycler

Windows 7/8 %SystemDrive%\$Recycle.Bin\

In the indicated paths there are folders named with the format S-1-5-21-299502267-1677128483-839522115-1003, the SID (security identifier) of the user who deleted the files. In Windows XP these folders contain the deleted files, renamed, along with a file named INFO2 that records, for each deletion, the date, the size and the original path of the file. Image 30 shows the structure of this file and how to obtain that information.


Image 30: Structure of the files in the recycle bin

Bytes 0 to F correspond to the file header and, within it, bytes 12 and 13 (20 03) give the size of each INFO2 record; one record is created for every deleted file. The value is hexadecimal and stored in Little Endian58, so to convert it to decimal the byte order is reversed: 20 03 = 0x0320 = 800 bytes.

The name of each deleted file appears twice, first in ASCII and then in Unicode. In this case there is only one deleted file, keygen.exe, located on the user's desktop.

The deletion date can be seen in image 31, in bytes 272 to 279 (offset 0x110), keeping in mind that it is a FILETIME value (100-nanosecond intervals since 1 January 1601 UTC) stored in Little Endian hexadecimal, so it must be converted to a readable format.

58 http://es.wikipedia.org/wiki/Endianness


Image 31: Date of the elimination of files from the recycle bin

In this case the value is C0 2D D3 D1 95 C5 CE 01, which read in Little Endian is 01 CE C5 95 D1 D3 2D C0 = 130258686501400000, i.e. Thursday 10 October 2013 at 08:50:50 UTC.

The size of the deleted file is obtained from bytes 280 to 283 (offset 0x118), as can be observed in image 32. Again, a hexadecimal to decimal conversion must be made keeping the Little Endian format in mind: 00 90 00 00 = 0x00009000 = 36864 bytes.

Image 32: Size of the files in the recycle bin

This value is the size occupied on disk, so it is a multiple of the cluster size (4096 bytes in this case) rather than the exact logical size of the file.

To make the interpretation of the INFO2 file easier, it is advisable to use a tool such as rifiuti59.

59 http://www.mcafee.com/es/downloads/free-tools/rifiuti.aspx


In Windows 7/8, inside the folders under %SystemDrive%\$Recycle.Bin\ there are two files for every deleted file, with the same name except for the second character, as can be observed in image 33: the file beginning with $I stores the metadata (original path, size and deletion time) and the file beginning with $R stores the content of the deleted file itself.

Image 33: Recycle bin from Windows 7 onwards
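The following Python parser, added here as an example and not code from the INCIBE guide or from rifiuti, applies the layout described above to both formats: it walks the 800-byte INFO2 records of Windows XP and reads a version-1 $I file from Windows Vista/7/8, converting the Little Endian FILETIME to a UTC date. The sample files are constructed in build_samples() with the values the guide reads from images 30 to 32 (keygen.exe, 10 October 2013 08:50:50, 36864 bytes); the $I layout (8-byte version, 8-byte size, 8-byte FILETIME, 520-byte UTF-16 path) is not described on this page and is taken from the public format description, and the user profile path is an assumption.

```python
"""Parse Recycle Bin metadata: a Windows XP INFO2 file and a Vista/7/8 $I file.

Added example, not code from the INCIBE guide or from rifiuti. Layouts used:
  INFO2: 20-byte header (record size at offset 12), then fixed 800-byte records:
         260-byte ANSI path, 4-byte record index, 4-byte drive number, 8-byte
         FILETIME deletion time, 4-byte size on disk, 520-byte UTF-16 path.
  $I:    format version 1 (Vista to 8.1): 8-byte version, 8-byte size, 8-byte
         FILETIME, 520-byte UTF-16 original path (assumed from the public
         format description; the guide does not describe it).
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER = 20
INFO2_RECORD = 0x320          # "20 03" read little-endian at offset 12 = 800 bytes


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Return one dict per deleted-file record in an INFO2 file."""
    _version, rec_size = struct.unpack_from("<I8xI", data, 0)
    rec_size = rec_size or INFO2_RECORD
    records = []
    for off in range(INFO2_HEADER, len(data) - rec_size + 1, rec_size):
        ansi, index, drive, ft, size = struct.unpack_from("<260sIIQI", data, off)
        unicode_path = data[off + 280:off + rec_size].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "index": index,                          # number used in the renamed Dc<N> file
            "drive": chr(ord("A") + drive),
            "path": unicode_path or ansi.split(b"\x00", 1)[0].decode("latin-1"),
            "deleted": filetime_to_datetime(ft),
            "size": size,                            # size on disk, cluster-rounded
        })
    return records


def parse_dollar_i(data):
    """Parse a Vista/7/8 $I file (format version 1)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unsupported $I version {version}")
    path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    return {"path": path, "deleted": filetime_to_datetime(ft), "size": size}


def build_samples():
    """Constructed INFO2 and $I contents carrying the values shown in the guide."""
    path = r"C:\Documents and Settings\usuario\Escritorio\keygen.exe"   # assumed path
    ft = int.from_bytes(bytes.fromhex("C02DD3D195C5CE01"), "little")    # image 31 value
    size = 0x9000                                                       # 36864 bytes
    header = struct.pack("<IIIII", 5, 0, 1, INFO2_RECORD, 0)
    record = struct.pack("<260sIIQI", path.encode("latin-1"), 1, 2, ft, size)
    record += path.encode("utf-16-le").ljust(520, b"\x00")
    dollar_i = struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")
    return header + record, dollar_i


if __name__ == "__main__":
    info2, dollar_i = build_samples()
    for rec in parse_info2(info2):
        print("INFO2:", rec["deleted"].isoformat(), rec["size"], rec["drive"], rec["path"])
    rec = parse_dollar_i(dollar_i)
    print("$I:   ", rec["deleted"].isoformat(), rec["size"], rec["path"])
```

Running it reproduces the manual conversion from images 31 and 32: the eight bytes C0 2D D3 D1 95 C5 CE 01 become 2013-10-10T08:50:50.140000+00:00 and 00 90 00 00 becomes 36864. On a real system, read the INFO2 or $I file in binary mode and pass its content to the corresponding parser.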

5.4.12. Hosts file

The hosts file works as follows: when the user types a URL in the browser, the system consults the hosts file before DNS. If the file contains an entry for that host name, the configured address is used; if not, a DNS query is sent to the configured resolver (typically the ISP's or the organisation's) to obtain the address.

Checking the hosts file is worthwhile, because it is common for malware to modify it in order to stop the user from reaching certain websites, mainly those of antivirus vendors, security suites or the update services of that kind of software.

To obtain the contents of the hosts file, run the following instruction:

type c:\windows\system32\drivers\etc\hosts > "FicheroHosts-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

A practical case: a home user's system whose antivirus could not update and from which certain websites could not be reached. Image 34 shows the contents of the hosts file:


Image 34: Host file modified by malware

It contained redirections for the domains of several antivirus vendors so that the user could not reach them.
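To triage a collected hosts file automatically, the following Python script, added here as an example and not part of the INCIBE guide, parses its entries and flags two patterns: names matching a watch list of security vendors (whatever address they map to, classified as "blackholed" for loopback or 0.0.0.0 and "redirected" otherwise) and any name mapped to an address other than loopback or 0.0.0.0. The sample hosts content, the vendor keyword list and the address 91.0.0.2 are constructed for the demonstration and should be adapted to the case; the load_hosts helper reads the live file from its default path.

```python
"""Flag hosts-file entries that blackhole or redirect security-vendor domains.

Added example, not code from the INCIBE guide. Comments and blank lines are
ignored; malformed lines are skipped rather than aborting the run. The watch
list and the sample content below are constructed for the demonstration.
"""
import ipaddress

SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Constructed watch list: typical targets of hosts-file tampering by malware
VENDOR_KEYWORDS = ("avast", "avg", "avira", "bitdefender", "eset", "kaspersky",
                   "mcafee", "microsoft", "norton", "symantec", "sophos",
                   "trendmicro", "virustotal", "windowsupdate")

# Constructed sample: two legitimate self entries, four tampered vendor entries
# and one admin-style entry that still deserves a look because it is not loopback
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.avast.com
127.0.0.1       liveupdate.symantec.com   # constructed
0.0.0.0         www.kaspersky.com
91.0.0.2        www.virustotal.com        # constructed address
10.0.0.5        intranet.example.local    # legitimate admin entry
"""


def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live hosts file; decoding errors are replaced, not fatal."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def parse_hosts(text):
    """Return (line_number, ip_address, [names]) for every active mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # malformed line, keep going
        entries.append((lineno, ip, [name.lower() for name in parts[1:]]))
    return entries


def suspicious_entries(text):
    """Return the mappings worth a second look, each with a reason and vendor hit."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name in SELF_NAMES:
                continue                              # the normal localhost lines
            if ip.is_loopback or ip.is_unspecified:
                reason = "blackholed"                 # 127.x / 0.0.0.0: site made unreachable
            else:
                reason = "redirected"                 # resolves elsewhere: hijack/phishing
            vendor = next((k for k in VENDOR_KEYWORDS if k in name), None)
            if vendor or reason == "redirected":
                findings.append({"line": lineno, "name": name, "ip": str(ip),
                                 "reason": reason, "vendor": vendor})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['name']:<28} -> {f['ip']:<10} {f['reason']}"
              f"{' (' + f['vendor'] + ')' if f['vendor'] else ''}")
```

A loopback mapping of a name that is not on the watch list is deliberately not reported, since administrators and ad-blocking lists add such entries legitimately; a non-loopback mapping is always reported because it changes where the user's traffic goes.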

5.4.13. Checking unsigned executables

Depending on the type of incident, and mainly in those related to malware, it is useful to check which files in certain folders are not digitally signed. For this, a tool such as sigcheck60 can be used with the following instructions (note that without the -s switch sigcheck does not recurse into subfolders, and that -u restricts the output to unsigned files):

sigcheck -ct -h -vn -vt c:\Windows > "FicherosFirmados-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

sigcheck -ct -h -vn -vt c:\Windows\System32 > "FicherosFirmadosWindows-%date:~6,4%%date:~3,2%%date:~0,2%-%time:~0,2%%time:~3,2%.txt"

5.4.14. LNK files

Files with the LNK extension are shortcuts. They store a great deal of information that can be relevant in an incident:

• Path of the file they point to.
• MAC times of the LNK file itself and of the file it points to.
• Information about the volume where the target is stored (name, serial number, MAC address of the machine, etc.).
• Network information, when the target is stored on a remote share.
• Size of the target file.

To parse all these files, utilities such as lnk-parser or Windows LNK Parsing Utility may be used. An example of lnk-parser use is the following:

lnk_parser_cmd.exe -o listadoLNKs -w -s C:
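The following Python script, added here as an example and not code from the INCIBE guide or from lnk-parser, shows where the fields listed above live inside a shortcut. It decodes the fixed 76-byte ShellLinkHeader (link flags, target attributes, the target's creation/access/write FILETIMEs and its size) and, when the HasLinkInfo flag is set, the LinkInfo structure with the drive type, drive serial number, volume label and local base path. The shortcut bytes are constructed by build_sample_lnk() with assumed values (target C:\Tools\keygen.exe, serial 1A2B3C4D, label SISTEMA); the optional structures that follow LinkInfo, such as the tracker block holding the MAC address, are not decoded.

```python
"""Decode the ShellLinkHeader and LinkInfo of a Windows shortcut (MS-SHLLINK).

Added example, not code from the INCIBE guide or from lnk-parser. Only the
header and the LinkInfo volume data are parsed; StringData and the tracker
block are left untouched. The sample shortcut is constructed with assumed values.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-...-000000000046}
FLAG_NAMES = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def describe_flags(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def cstring(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return header fields and, if present, LinkInfo volume data as a dict."""
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"flags": describe_flags(flags), "attributes": attrs, "file_size": fsize,
            "created": filetime_to_datetime(ctime),
            "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime)}
    pos = hdr_size
    if flags & HAS_LINK_TARGET_ID_LIST:              # skip the IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        (_li_size, _li_hdr, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                           # VolumeIDAndLocalBasePath
            vid = li + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vid)
            info.update({"drive_type": drive_type,   # 3 = DRIVE_FIXED, 2 = DRIVE_REMOVABLE
                         "drive_serial": f"{serial:08X}",
                         "volume_label": cstring(data, vid + label_off),
                         "local_base_path": cstring(data, li + base_off)})
        info["common_path_suffix"] = cstring(data, li + suffix_off)
    return info


def build_sample_lnk():
    """Constructed shortcut to C:\\Tools\\keygen.exe (36864 bytes) on a fixed disk."""
    ft = int.from_bytes(bytes.fromhex("C02DD3D195C5CE01"), "little")   # 2013-10-10 08:50:50 UTC
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, HAS_LINK_INFO | IS_UNICODE,
                         0x20, ft, ft, ft, 36864, 0, 1, 0) + b"\x00" * 10   # 0x20 = ARCHIVE
    label = b"SISTEMA\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    base_path = b"C:\\Tools\\keygen.exe\x00"
    suffix = b"\x00"
    vol_off = 0x1C                                   # LinkInfo header without Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x1,
                            vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_path + suffix


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:18} {value}")
```

The three FILETIMEs in the header belong to the target at the moment the shortcut was written, not to the .lnk file itself, which is why comparing them with the target's current MAC times can reveal that a file was replaced or timestomped after the shortcut was created. To inspect a real shortcut, pass the bytes of the .lnk file to parse_lnk.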

60 http://technet.microsoft.com/es-es/sysinternals/bb897441.aspx


6 REVIEW

As pointed out at the start of the document, digital forensic analysis refers to the combination of evidence collection and evidence analysis procedures carried out in order to respond to a computer security incident and which, on some occasions, may be used as proof in court. The aim of the procedure is to answer the following questions: what? where? when? why? who? how?

This discipline has taken on a very important role in recent years, as it is increasingly common to face incidents such as intrusions, information theft, infections, etc., which is why its use is spreading to diverse fields.

There are different methodologies for carrying out this process, all of them based on similar aspects and sharing common guidelines and phases. One of the most important, as described and detailed in this document, is RFC 3227. Among the aspects it stresses is the order of volatility of evidence: the first task is to gather the evidence that will only be available for a limited period of time.

In general, a memory dump and a disk dump are obtained and replicated so that further evidence is extracted from the copies. However, it is very important to be clear about the specific type of incident, in order to determine what information needs to be gathered and how to proceed.

Finally, it is worth emphasising that every step must be carried out rigorously and meticulously, so that the integrity and validity of the evidence is maintained.


7 GLOSSARY

• Resilience: in computer security, the capacity to tolerate and recover from an incident that affects the security of a system.

• Sniffer: a utility that allows network traffic to be monitored and analysed.

• Offset: within an array or other data structure, an integer indicating the distance (displacement) from the beginning of the object to a given element.

• Promiscuous mode: allows all the traffic circulating on a network segment to be monitored, regardless of whether its origin or destination is the host being analysed.

• %WinDir% or %SystemRoot%: environment variables that correspond to the installation directory of the operating system, normally C:\Windows.

• %SystemDrive%: environment variable that corresponds to the drive where the operating system is installed, normally C:\.

• %UserProfile% or %HomePath%: environment variables that correspond to the profile directory of the currently logged-in user, normally C:\Documents and Settings\<username> in Windows XP and C:\Users\<username> in Windows 7/8.



ANNEX 1 – CONTACTS

Case number: ______________________

Type of incident: ______________________________________________________

Affected company: ______________________

Address: ______________________

Telephone: ______________________

Date and time: ____ / ____ / 20____   ____ : ____

Investigator: ______________________

Observations:

__________________________________________________________________________

__________________________________________________________________________

CONTACTS – List of people

Case number: ______________   Page number: ______________

Name and surname | Email | Telephone | Position

Print this page as many times as necessary.

ANNEX 2 – CHAIN OF CUSTODY OF EVIDENCE

Case number:

Type of incident: ______________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

Affected company:

Address:

Telephone:

Date and time:

Investigator:

Observations

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

/ / 2 0 :


CHAIN OF CUSTODY OF EVIDENCE

List of evidence

Case number:

Page number

Evidence (code) | Quantity | Description of the item (brand, model, serial number, state, etc.)

Print this page as many times as necessary.


INDEX OF IMAGES

Image 1: Locard’s Exchange Principle 7

Image 2: Phases of the Forensic Analysis Process 8

Image 3: DumpIt 21

Image 4: HashMyFiles 22

Image 5: Running processes 24

Image 6: Running services 25

Image 7: Windows IP configuration 26

Image 8: Established NetBIOS connections 27

Image 9: Recently transferred files via NetBIOS 28

Image 10: Active connections or open ports 28

Image 11: DNS cache content 29

Image 12: ARP Cache 29

Image 13: Mass sending of spam 31

Image 14: Spam email 31

Image 15: USB devices connected 34

Image 16: List of WIFI networks that the system had connected to 35

Image 17: Malware exception in a Windows firewall 37

Image 18: False antivirus 38

Image 19: False antivirus executing when the operating system loads 39

Image 20: Browser Helper Objects 41

Image 21: VirusTotal analysis of a file associated with a BHO 41

Image 22: Dialogue Box corresponding to the OpenSaveMRU entry 43


Image 23: Recently opened files 44

Image 24: URL corresponding to a malware in the search history of an infected system 48

Image 25: Mapped drives 50

Image 26: Shared folders 50

Image 27: System information 55

Image 28: Environment variables 56

Image 29: Prefetch folder content 59

Image 30: Structure of the files in the recycle bin 60

Image 31: Date of the elimination of files from the recycle bin 61

Image 32: Size of the files in the recycle bin 61

Image 33: Recycle bin from Windows 7 onwards 62

Image 34: Hosts file modified by malware 63


INDEX OF TABLES

Table 1: List of open source kits containing utilities for forensic analysis. 19

Table 2: Registry entries and the information they contain [9]. 32

Table 3: Registry entries and associated files [9]. 32

Table 4: Recycle bin paths depending on the version of the operating system. 59
