# SMB ports are 139, 445
In the middle pane, filter on SMB Header, SMB Command: NT Create AndX (0xa2); this will show filenames.
This will include a bunch of junk.
Just save as RAW and edit in a hex editor, searching for the file header listed in the file data section of Wireshark (in this example 4d5a9000, the MZ header of a Windows executable), then copy out the number of bytes specified in the packet's Write AndX Request.
Use an existing share or add a share of the CD-ROM using system_config_samba so the binaries will be available. Restart smb.
Standalone machines with XP SP2: the firewall will block port 445. As part of a domain, it should be open.
Date, Time, Uptime
Use the tools in d:\IR\Cygwin on the Helix CD-ROM:
date, time, uptime, hostname, uname -a, id, whoami
d:\IR\sysinternals\psinfo.exe
psinfo
Determine system environment.
Install date can be a clue that someone has tampered with a system.
Determine system running processes
d:\IR\sysinternals\pslist.exe
pslist
Gather open ports and sockets. Determine which apps are listening for network connections.
Shows current listening ports:
d:\IR\Foundstone\fport.exe
fport
http://www.spectorsoft.com/ : a rootkit that is not hacker related, used to grab screenshots, log email and keystrokes, all kinds of stuff, for $100.
Automatically records everything they do on the internet.
For Win2k, XP, 2003:
d:\IR\FAU\dd.exe
\\.\PhysicalDrive1 (if imaging physical drives, it is still better to use Linux)
\\.\C:
^ Name ^ Windows ^ Linux ^
| Physical | \\.\PhysicalDrive0 | /dev/hda /dev/sda |
| Logical | \\.\C: \\?\Volume{cc5deda7-d558-11d5-9226-806d6172696f} | /dev/hda1 /dev/sda1 |
D:\> dd.exe if=\\.\PhysicalDrive0 of=E:\drive0.img
D:\> dd.exe if=\\.\C: of=E:\images\Cdrive.img (use logical imaging for RAIDs)
D:\> dd.exe if=\\.\PhysicalMemory of=D:\images\mem.img conv=noerror An EOF error is normal.
memparser <image of memory>
D:\> dd.exe if=\\.\C: of=D:\CDrive.img --md5sum --verifymd5 --md5out=D:\CDrive.md5
To image over a network share, use of=\\server\share\output.img:
D:\> dd.exe if=\\.\PhysicalMemory of=\\Linuxforensics\images\windowsforensics\mem.img --md5sum --verifymd5 --md5out=\\Linuxforensics\images\windowsforensics\mem.img.md5 conv=noerror
D:\> dd.exe if=\\.\C: of=\\Linuxforensics\images\windowsforensics\CDRIVE.img --md5sum --verifymd5 --md5out=\\Linuxforensics\images\windowsforensics\CDrive.img.md5
mount -t ntfs -o loop,ro,umask=0222,uid=forensic,gid=users /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount
mount -t ntfs -o umask=0222,loop,ro,uid=forensic,gid=users,show_sys_files=true /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount/ (show_sys_files shows the $ system files)
mount -t smbfs -o ro,noexec,username=administrator //Winforensics/C$ /mnt/windows_forensic_server
Use dls (Sleuth Kit) on the Linux machine against the image to pull out slack space:
dls -f ntfs -s hacked_ntfs.img > ntfs.slack
lazarus, foremost, dirty word search
Slack space is tough to get a case from.
To examine an index.dat file on Linux:
pasco <index.dat>
Recycle Bin
A subfolder is created with the user's SID where the files are placed. Files in the Recycle Bin are not named by their normal names; time and date stamps remain. The INFO or INFO2 file keeps a map of the original filename and location.
rifiuti can examine an INFO2 file:
rifiuti INFO2
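As an added example (not from these notes and not rifiuti's own code), a small Python parser for the XP-era INFO2 layout: it rebuilds the recycled name (D<drive letter><index>.<ext>) from the record's index and drive number, decodes the FILETIME deletion stamp, and flags entries whose first ANSI byte was nulled. The sample INFO2 bytes are constructed inline.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20       # version, kept entries, total entries, record size, size sum
ANSI_PATH_LEN = 260    # MAX_PATH
UNICODE_OFFSET = 280   # 260 ANSI path + 4 index + 4 drive + 8 FILETIME + 4 size
XP_RECORD_SIZE = 800   # UNICODE_OFFSET + 520 bytes UTF-16 path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Return one dict per INFO2 record, in on-disk order."""
    rec_size = struct.unpack_from("<I", data, 12)[0]
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, ANSI_PATH_LEN)
        ansi = rec[:ANSI_PATH_LEN].split(b"\x00", 1)[0].decode("latin-1")
        uni = ""
        if rec_size > UNICODE_OFFSET:  # XP records carry a UTF-16 copy of the path
            uni = rec[UNICODE_OFFSET:].decode("utf-16-le").split("\x00", 1)[0]
        original = uni or ansi
        letter = chr(ord("a") + drive)  # drive number 0 = A:, 2 = C:
        records.append({
            "index": index,
            "drive": letter.upper(),
            "deleted_utc": filetime_to_utc(ft),
            "size": size,
            "original_path": original,
            "recycled_name": f"D{letter}{index}{ntpath.splitext(original)[1]}",
            # XP nulls the first ANSI byte when the file leaves the bin; the UTF-16 copy survives
            "purged": ansi == "",
        })
    return records


def build_sample_info2():
    """Constructed XP-style INFO2 with one record (C:\\Docs\\budget.doc -> Dc3.doc)."""
    path = "C:\\Docs\\budget.doc"
    delta = datetime(2005, 3, 14, 15, 9, 26, tzinfo=timezone.utc) - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    rec = path.encode("latin-1").ljust(ANSI_PATH_LEN, b"\x00")
    rec += struct.pack("<IIQI", 3, 2, ticks, 4096)
    rec += path.encode("utf-16-le").ljust(XP_RECORD_SIZE - UNICODE_OFFSET, b"\x00")
    return struct.pack("<5I", 5, 1, 1, XP_RECORD_SIZE, 4096) + rec
```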
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_USERS\S-1-5-21-1801674531-1563985344-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
A tool to read the last time a key was written:
keytime <full key path> (case sensitive)