Pharmaceuticals
FIST Conference September/Madrid 2005




Forensics of a Windows system

Alfredo Reino
Systems Engineer
Pharma Global Informatics
F. Hoffmann-La Roche
F. Hoffmann – La Roche
A Global Healthcare Leader

• One of the leading research-intensive
  healthcare groups
• Core businesses are pharmaceuticals and
  diagnostics
• A world leader in Diagnostics
• The leading supplier of medicines for
  cancer and transplantation and a market
  leader in virology
• Employs roughly 65,000 people in 150
  countries
• Has R&D agreements and strategic
  alliances with numerous partners, including
  majority ownership interests in Genentech
  and Chugai
Agenda


• What is forensics?
• Role of forensics in incident handling
• Gathering volatile data
• Filesystem acquisition
• Timeline analysis
• Network information
• Tools
What is forensics?


Computer forensics is the process of investigating data storage
devices and/or data processing equipment, typically a home
computer, laptop, server, office workstation, or removable
media such as compact discs, to determine if the equipment
has been used for illegal, unauthorized, or unusual activities. It
can also include monitoring a network for the same purpose.
They must do so in a fashion that adheres to the standards of
evidence that is admissible in a court of law.

http://en.wikipedia.org/wiki/computer_forensics
What is forensics?


• Computer forensics includes the following aspects:
   – identify evidence
   – preserve evidence
   – analyze evidence
   – present results
• This has to be done following appropriate standards, especially if
  results need to be admitted by a court of law
Incident handling


• General areas of incident handling
  – planning and preparation
  – incident detection
  – containment / response
  – recovery
  – analysis
Forensics scope and environment




(figure: nested scope diagram) applications > os > server > computerized systems > infrastructure systems > lan / dmz > external environment

do you have all the relevant information?
Gathering data


• Volatile data
   – registers, cache contents
   – memory contents
   – network connections
   – running processes
• Non-volatile data
   – content of filesystems and drives
   – content of removable media
Volatile data - preparation


• Create cd-rom with trusted toolset
   – at least include a trusted version of CMD.EXE from the same operating
     system
   – netcat or cryptcat (http://sourceforge.net/projects/cryptcat/)
   – system tools (ipconfig, netstat, date, time, net, arp ...) for different
     windows versions and service pack levels
   – pstools, listdlls, filemon, regmon, autoruns... (http://sysinternals.com)
   – hfind, fport, ntlast, ... (http://foundstone.com)
   – windows resource kit tools
   – a good sniffer (ethereal, windump, ...)
   – md5sum / md5deep
Volatile data - the setup


• Connect forensics workstation to same lan as suspect server
• Configure netcat or cryptcat in forensics workstation to listen on a port and save
  received data to evidence file
• Mount trusted toolset cd-rom in suspect server
• Open trusted console (cmd.exe)
Volatile data - what to get


• System date and time
• Running processes
• Network connections
• Open ports
• Applications listening on open sockets
• Logged on users
Volatile data - tools


• date /t & time /t
   – get system date and time
• ipconfig /all
   – get tcp/ip configuration
• netstat -aon
   – get network connections and listening ports (with associated process pid)
• psinfo -shd
   – get computer information (hardware, software, hotfixes, versions, etc.)
• pslist -t
   – get running processes
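What these two commands are collected for is the cross-reference between them: every socket `netstat -aon` reports carries a pid, and `pslist` names that pid. The following is an added example (Python, not code from the presentation) that parses both outputs once they have been shipped to the forensics workstation, maps each listening port to a process name, flags listeners that are not in an analyst-supplied baseline, and flags pids that netstat reports but pslist cannot see. Both sample outputs below are constructed; the column layout imitates XP/2003 but is not a real capture.

```python
"""Correlate `netstat -aon` with `pslist` output (added example; sample data
below is constructed, not captured from a real host)."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid process")

# Constructed sample of `netstat -aon` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1724
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2040
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1046          10.0.0.1:9000          ESTABLISHED     1724
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `pslist` output; note that pid 2040 is absent.
PSLIST_SAMPLE = """
Process information for SUSPECT:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:00:00.000     0:00:00.000
System                4   8  55  278      0     0:00:00.000     0:00:00.000
svchost             880   8  15  196   1524     0:00:00.030     2:14:51.187
nc                 1724   8   2   24    388     0:00:00.010     0:03:12.403
"""

# proto, local, remote, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# process name followed by a numeric pid; header and banner lines do not match
PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+")


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def parse_pslist(text):
    """Return {pid: process name}."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def correlate(netstat_text, pslist_text):
    """Attach a process name to every netstat row; a pid that netstat knows
    but pslist does not is marked, since that discrepancy deserves a look."""
    procs = parse_pslist(pslist_text)
    return [Conn(p, l, r, s, pid, procs.get(pid, "<not in pslist>"))
            for p, l, r, s, pid in parse_netstat(netstat_text)]


def listening_ports(conns):
    """Map (proto, port) of every TCP listener and bound UDP socket to its process."""
    out = {}
    for c in conns:
        if c.proto == "UDP" or c.state == "LISTENING":
            out[(c.proto, int(c.local.rsplit(":", 1)[1]))] = c.process
    return out


def unexpected_listeners(conns, baseline):
    """Listeners whose (proto, port) is not in the analyst's baseline set."""
    return {k: v for k, v in listening_ports(conns).items() if k not in baseline}


if __name__ == "__main__":
    conns = correlate(NETSTAT_SAMPLE, PSLIST_SAMPLE)
    baseline = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 445)}
    for key, proc in sorted(unexpected_listeners(conns, baseline).items()):
        print(f"unexpected listener {key[0]}/{key[1]} owned by {proc}")
```

The baseline set is whatever the system's documented role says should be listening. A pid that appears in netstat but not in pslist is exactly the kind of gap the GUI tools on a later slide (rootkit revealer, process explorer) are used to explain.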
Volatile data - tools


• psloggedon
   – show logged on users and log on times
• psloglist
   – dump event log
• psservice
   – dump system service information
• net use
   – list netbios/smb connections
• listdlls
   – list all dlls loaded in system
• sigcheck -u -e c:\windows\system32
   – enumerate all unsigned files (.exe, .dll)
Volatile data - tools


• streams -s c:\
   – list files with alternate data streams (ads)
• logonsessions -p
   – lists logged on sessions and processes running on each session
• strings
   – searches for ascii/unicode strings in suspicious files (you decide which
     are suspicious or not!)
• arp -a
   – displays arp cache table
• ntlast
   – record successful and failed logins in system (including null sessions and
     remote logins)
Volatile data - tools


• autorunsc
   – show all kinds of autorun items




• hfind c:
   – finds hidden files
Volatile data - GUI tools


• rootkit revealer
   – detects usermode or kernelmode rootkits
• process explorer
   – useful information about running processes, loaded libraries,
     used resources, etc.
• tcpview
   – displays network connections and associated applications
Network information


• Useful static data to get
   – IDS/IPS logs
   – firewall logs
   – radius/VPN logs
   – DHCP logs and leased ip information
   – application logs from other servers in same network if they
     are suspected of being entry point (ftp, www, database, ...)
Network information


• Traffic to/from live system
   – use of sniffer recommended
   – can use ethernet probe (read-only cat5 if possible!)
   – if server connected to hub, then plug probe into hub
   – if connected to switch, use a mirror port (in expensive
     switches) or use arp-spoofing to redirect traffic to sniffer
   – best sniffer: ethereal
Filesystem acquisition

• Physical acquisition
   – turn off machine (pull power cable)
   – remove harddisk
   – connect to forensics workstation using hardware IDE/SCSI
     write blocker
   – perform bitwise copy
Filesystem acquisition

• Network acquisition - live system
   – not recommended
      • untrusted operating system
      • filesystem in inconsistent state
   – configure forensics workstation
      • lots of free disk space
      • netcat listener (nc -l -p 9000 > disk1.dd)
      • after acquiring compute hash (md5sum disk1.dd > disk.md5)
   – acquire live filesystem
      • run 'dd for windows' from trusted cd-rom toolset
      • dd if=\\.\PhysicalDrive0 bs=2k | nc -w 3 10.0.0.1 9000
          – where 10.0.0.1 is the ip address of forensics workstation
Filesystem acquisition

• Network acquisition - non-live system
   – configure forensics workstation
      • lots of free disk space
      • netcat listener (nc -l -p 9000 > disk1.dd)
      • after acquiring compute hash (md5sum disk1.dd > disk.md5)
   – configure suspect system
      • boot suspect system (losing volatile info!) into linux livecd
        distro (gentoo, helix, knoppix, ...)
      • run dd to image disk over network with netcat
          – dd if=/dev/sda | nc 10.0.0.1 9000
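The forensics-workstation side is the same for the live and the non-live acquisition above: a netcat listener writing to an evidence file, then a hash of that file. The following is an added example (Python, not the presentation's code) of that receiving side, with one change a practitioner usually wants: the MD5 is computed over the bytes as they are written, so the recorded hash covers exactly what reached disk, and it is compared with a hash computed independently of the transfer. Both ends run over 127.0.0.1 on an ephemeral port; the "drive" is a constructed byte string, and the sender function is only a stand-in for dd on the suspect system.

```python
"""Receiver side of `nc -l -p 9000 > disk1.dd` plus `md5sum disk1.dd`, in
one pass (added example; the disk contents are constructed)."""
import hashlib
import os
import socket
import tempfile
import threading

# Constructed stand-in for \\.\PhysicalDrive0 or /dev/sda. Deliberately not
# a multiple of the 2k block size so the final partial block is exercised.
FAKE_DISK = bytes(range(256)) * 40 + b"\x00" * 1000


def receive_image(listen_sock, out_path):
    """Accept one connection, stream it to out_path, return
    (bytes_written, md5_hexdigest)."""
    conn, _peer = listen_sock.accept()
    digest = hashlib.md5()  # MD5 to match the slides; sha256 works the same way
    total = 0
    with conn, open(out_path, "wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # sender closed the socket: end of image
                break
            fh.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def send_image(host, port, image, bs=2048):
    r"""Stand-in for `dd if=\\.\PhysicalDrive0 bs=2k | nc host port`: push the
    image in bs-sized blocks, then close so the listener sees EOF."""
    with socket.create_connection((host, port)) as sock:
        for off in range(0, len(image), bs):
            sock.sendall(image[off:off + bs])


def acquire(image, out_path=None):
    """Run both ends over loopback. Returns the receiver's size and hash, the
    hash of the source computed independently (what you would record on the
    sending side), the evidence path, and whether the two agree."""
    if out_path is None:
        fd, out_path = tempfile.mkstemp(suffix=".dd")
        os.close(fd)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def listener():
        size, md5 = receive_image(srv, out_path)
        result.update(size=size, md5=md5)

    t = threading.Thread(target=listener)
    t.start()
    send_image("127.0.0.1", port, image)
    t.join()
    srv.close()
    result["expected_md5"] = hashlib.md5(image).hexdigest()
    result["path"] = out_path
    result["verified"] = (result["md5"] == result["expected_md5"]
                          and result["size"] == len(image))
    return result


if __name__ == "__main__":
    r = acquire(FAKE_DISK)
    print(f"{r['size']} bytes -> {r['path']} md5={r['md5']} verified={r['verified']}")
```

On a real acquisition the "expected" hash comes from hashing the source device on the suspect side (or from a second read of the drive), not from the received file; the comparison is what turns the netcat transfer into evidence you can vouch for.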
Filesystem analysis


• Many tools for this
  – EnCase (commercial)
  – The Sleuth Kit + forensics browser
  – ftimes
• Basic analysis tool functionality
   – file topography
   – compute hashes for files
   – create timeline analysis (MAC data: modified, accessed, created times)
   – identify and recover deleted files
   – search functions
   – case management
Filesystem analysis


• The Sleuth Kit + forensics browser
Filesystem analysis


• EnCase 5
Timeline analysis - other sources


• LastWrite information in registry keys
   – use 'lsreg.pl' to parse registry and extract information
     including lastwrite data
       Key -> CurrentControlSet\Control\Windows\ShutdownTime
       LastWrite : Tue Aug 2 12:06:56 2005
       Value : ShutdownTime;REG_BINARY;c4 96 a0 ad 5a 97 c5 01

• INFO2 files
   – contains information about deleted files by each user (only if
     it goes to recycle bin)
   – use 'rifiuti' to extract information
   – file normally at C:\Recycler\%SID%\INFO2
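Both sources on this slide boil down to the same primitive: a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) that has to be turned into a date. The following is an added example (Python, not the presentation's code, and not lsreg.pl or rifiuti) that decodes the REG_BINARY value printed above, parses the fixed 800-byte records of a Windows 2000/XP INFO2 file, and merges both into one time-ordered list. The INFO2 bytes are constructed by a helper in the block; the registry value is the one on the slide, and it decodes to the LastWrite time shown there, which is consistent with the key being written at shutdown.

```python
"""Registry FILETIME and INFO2 records as timeline sources (added example;
the INFO2 data is constructed, the registry value is the slide's)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (truncated to microseconds)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def reg_binary_to_datetime(hexdump):
    """Decode 'c4 96 a0 ad 5a 97 c5 01' as lsreg.pl prints a REG_BINARY
    value: eight little-endian bytes."""
    (ft,) = struct.unpack("<Q", bytes.fromhex(hexdump.replace(" ", "")))
    return filetime_to_datetime(ft)


# INFO2 (2000/XP): 20-byte header with the record size at offset 12, then
# 800-byte records: 260-byte ANSI original path, u32 index, u32 drive number,
# FILETIME deletion time, u32 size, 520-byte UTF-16LE original path.
INFO2_HEADER_SIZE = 20
INFO2_RECORD_SIZE = 800


def parse_info2(data):
    (record_size,) = struct.unpack_from("<I", data, 12)
    if record_size != INFO2_RECORD_SIZE:
        raise ValueError(f"unsupported INFO2 record size {record_size}")
    entries = []
    for off in range(INFO2_HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        original = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        name = original.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        entries.append({
            "index": index,
            "original": original,
            # name inside C:\Recycler\<SID>\ is D<drive letter><index>.<ext>
            "bin_name": f"D{chr(ord('a') + drive)}{index}" + (f".{ext}" if ext else ""),
            "deleted": filetime_to_datetime(ft),
            "size": size,
            # a NUL first byte of the ANSI name marks an entry restored/emptied
            "restored": rec[0] == 0,
        })
    return entries


def build_info2(records):
    """Constructed INFO2 image for the demo: header plus one record per tuple
    (index, drive number, original path, deletion time, size)."""
    data = bytearray(struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_SIZE, 0))
    for index, drive, path, deleted, size in records:
        rec = bytearray(INFO2_RECORD_SIZE)
        ansi = path.encode("latin-1")
        rec[:len(ansi)] = ansi
        struct.pack_into("<IIQI", rec, 260, index, drive, datetime_to_filetime(deleted), size)
        uni = path.encode("utf-16-le")
        rec[280:280 + len(uni)] = uni
        data += rec
    return bytes(data)


SAMPLE_INFO2 = build_info2([
    (1, 2, r"C:\Documents and Settings\alice\Desktop\plan.doc",
     datetime(2005, 8, 2, 11, 58, 10, tzinfo=timezone.utc), 24576),
    (2, 2, r"C:\tools\nc.exe",
     datetime(2005, 8, 2, 12, 5, 0, tzinfo=timezone.utc), 61440),
])


def build_timeline(shutdown_hexdump, info2_bytes):
    """Merge both sources into (utc time string, source, event), oldest first."""
    events = [(reg_binary_to_datetime(shutdown_hexdump), "registry",
               "ShutdownTime (last clean shutdown)")]
    for e in parse_info2(info2_bytes):
        flag = " (restored/emptied)" if e["restored"] else ""
        events.append((e["deleted"], "INFO2",
                       f"{e['original']} -> {e['bin_name']} ({e['size']} bytes){flag}"))
    events.sort(key=lambda ev: ev[0])
    return [(t.strftime("%Y-%m-%d %H:%M:%S"), src, what) for t, src, what in events]


if __name__ == "__main__":
    for row in build_timeline("c4 96 a0 ad 5a 97 c5 01", SAMPLE_INFO2):
        print(*row)
```

All times come out in UTC; lsreg.pl and rifiuti print in whatever zone the analysis box uses, so keep one convention before merging sources into the filesystem MAC timeline.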
Timeline analysis - other sources
• Prefetch folder
   – used by windows to store information about how to effectively launch
     executables to improve performance
   – XP prefetches at boot time and application launch, 2003 prefetches only
     at boot time (default)
   – .pf files in %systemroot%/prefetch folder
   – the .pf contains information about file paths
   – the mac info of the .pf file gives us information about when an
     application has been launched
   – use 'pref' or 'pref_ver' to parse this info
Timeline analysis - other sources


• Logs
   – event logs (application, system, security)
       • very useful, many tools to extract
   – IIS/webserver/FTP logs
       • useful to detect webapp exploiting (maybe as point of entry), for
         example unicode attacks, sql injection, ...
   – setupapi.log
       • information about installation of applications and devices
   – schedlgu.txt
       • information about scheduled tasks
   – antivirus logs
   – ...
Timeline analysis - other sources


• Recently opened documents
   – check this registry key (for each user!)
       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

• Temp folders
   – examine contents for suspicious files
• Web browser cache
  – 'pasco' tool for internet explorer forensic analysis
  – cache and cookies folders
  – browser history
Analysis of evidence


• Need to find "footprints"
• Initial analysis
   – check for hidden or unusual files
   – check for unusual processes and open sockets
   – check for unusual application requests
   – check for suspicious accounts
   – determine patch level of system
• Based on findings, we should develop a strategy for further investigation
   – full filesystem analysis
   – recovery of deleted files
   – password cracking
   – analysis of pagefile
   – ...
Tools

• These are the tools mentioned in this presentation
• Feel free to add more to your toolkit
• Script (vbscript, perl) your toolset!!
Licensing




FIST Conference, www.fistconference.org




Alfredo Reino
Madrid, September 2005

Thanks for your attention.
