Bitnami DokuWiki

User Tools

Site Tools

Trace: phototgraphy sans508-5 identityfinder sans508-4
aoe:sans508-4

Table of Contents

System Forensics, Investigation, and Response Day 4 to end

Day 4

Windows File System Forensics..1

  • Windows Forensic Myths..2
  • Today's Agenda..3
  • Forensic Investigation Methodology..4

Windows Compromise: Forensic Verification- network capture..5

  • Background of Attack - Window 2000 - SMB and HTTP based with multiple files transfered..6

# smb ports are 139,445

  • Ethereal - Hand-on..7
  • Scanning Users and Group..8
  • Initial System Access..9

In middle pane, filter on SMB Header, SMB Command: NT Create AndX (0xa2) will show filenames

  • Folow TCP Stream..10

This will include a bunch of junk.

  • Stripping the File..11

Just save as RAW and edit in HexEditor searching the the file header listed in the file data section of wireshark. In this example 4d5a9000, then copy out the number of bytes specified in the packet 'Write AndX Request

  • Stripping the Header..12
  • Stripping the footer..13
  • Network Capture..14
  • HTTP POST..15
  • Network Forensics - Hands-On..16
  • Network Capture Conclusion..17

Windows Incident Response..18

  • Objectives..19
    • Incident Response Enumeration
      • system Enumeration
      • Process Enumeration
      • Network Connection and Open Ports
      • File Enumeration
  • The First Command..20
  • Run-As Administrator..21
  • cmd.exe..22
  • Remote Command Shells..24

use an existing share or add a share of the cdrom using system_config_samba so the binaries will be available. restart smb.

  • psexec Usage..25

Stand alone machines with xpsp2, the firewall will block port 445. As a part of domain, it should be open.

  • Netcat for Windows..26
  • First Data Collected..27

Date, Time, Uptime

  • First Commands Example..28

Use the code in d:\IR\Cygwin on the Helix CDRom 

date
time
uptime
hostname
uname -a
id
whoami
  • System Environment..29

d:\IR\sysinternals\psinfo.exe 

psinfo
  • psinfo..30

Determine system environment.

Install date can be a clue that someone has tampered with a system.

  • pslist..31

Determine system running processes

d:\IR\sysinternals\pslist.exe 

pslist
  • Gather Network Information..33

gather open ports and sockets. Determin which apps are listenting for network connections.

  • fport..34

Shows current listening ports

d:\IR\Foundstone\fport.exe 

fport
  • Windows Forensic Toolchest (WFT)..36
  • Benefits of WFT..37
  • Example WFT Reports..38
  • WFT ConfigurationFile..39
  • WFT Usage..40
  • WFT Macro Substitutions..41
  • How to Use WFT in Practice..42
  • WFT In Action..43
  • WFT Example..44
  • Helix WFT..47
  • WFT-Hands On..48
  • Remote WFT Using psexec..49
  • Password IR Tools..50

http://www.spectorsoft.com/ rootkit that is non hacker relaed to grab screenshots, email keylogger, all knds of stuff for $100.

Automatically record everything they do on the internet.

  • Helix Image Search..53
  • Putting it all together..54

Windows Media Imaging..55

  • Objectives..56
  • dd.exe for Windows..57

for win2k, xp, 2003 

d:\IR\FAU\dd.exe
  • dd.exe as a Backup Tool..58
  • Basic dd.exe Operation..59
  • dd.exe Physical Drives..60

\\.\PhysicalDrive1 If doing Physical drives, it is still better to use linux

  • dd.exe Logical Drives..61

\\.\C:

  • dd.exe Translations..62

^Name^Windows^Linux^

Physical\\.\PhysicalDrive0/dev/hda /dev/sda
Logical\\.\C: \\?\Volume{cc5deda7-d558-11d5-9226-806d6172696f}/dev/hda1 /dev/sda1
  • dd.exe Physical Drive Example..63

D:\> dd.exe if=\\.\PhysicalDrive0 of=E:\drive0.img

  • dd.exe Logical Drive Example..64

D:\> dd.exe if=\\.\C: of=E:\images\Cdrive.img Use logical imaging for RAID's

  • Physical Memory..65

D:\> dd.exe if=\\.\PhysicalMemory of=D:\images\mem.img conv=noerror An EOF error is normal.

  • Looking at memory..67
  • memparser..68

memparser <image of memory>

  • Memory Artifacts..69
  • MD5 Integrity Checks..70
  • MD5 C Drive Example..72

D:\> dd.exe if=\\.\C: of=D:\CDrive.img –md5sum –verifymd5 –md5out=D:\CDrive.md5

  • Network Shares..74

of=\\server\share\output.img image memory over network share: 

  D:\> dd.exe if=\\.\PhysicalMemory of=\\Linuxforensics\images\windowsforensics\mem.img --md5sum --verifymd5 md5out=\\Linuxforensics\image\windowsforensics\mem.img.md5 conv=noerror
  D:\> dd.exe if=\\.\C: of=\\Linuxforensics\images\windowsforensiscs\CDRIVE.img --md5sum --verifymd5 md5out=\\Linuxforensiscs\images\windowsforensics\CDrive.img.md5
  • Step-by-Step Imaging..77
    • Obtain Physical Memory
    • Obtain Volume Information
    • Image Drives (Logical or Physical).
    • Image Removable Media
  • Windows Imaging - Hands On..78
  • Helix Acquisition..80
  • Helix FTK Imager..81
  • Remote Imaging using psexec..82
  • Objectives..83

Windows Forensics Using Linux..84

  • Why Linux?..85
  • Mounting Images..86
  • Mounting NTFS Example..87

mount -t ntfs -o loop,ro,umask=0222,uid=forensic,gid=users /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount

  • Mounting NTFS Example System Files Shown..88

mount -t ntfs -o umask=0222,loop,uid=forensic,gid=users,show_sys_files=true /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount/ showes $shares

  • Mounting Remote Drives..89
  mount -t smbfs -o ro,noexec,username=administrator //Winforensics/C$ /mnt/windows_forensic_server
  • Virtual Hardware Write Blocker..90
  • Share C on compromised machine
  • mount C through Linux SMBFS in READ-ONLY mode
  • Share out directory form linux using SAMBA
  • Any machine can now examine the compromised machine without changing any of the files
  • Examples from Previous Slide..91
  • Anti-Virus Scanner..92
  • Extracting Unallocated and Slack Space..93

use dls on the linux machine on the image. 

dls -f ntfs hacked_ntfs.img -s > ntfs.slack

lazarus, foremost, dirty word search

slack space is tough to get a case from.

  • Linux Windows Forensics..94

Windows Media Analysis..95

  • Objectives..96
  • E-Mail Forensics..97
  • E-Mail Headers..98
  • Forged SMTP Transaction..100
  • Resultant E-mail Headers..101
  • Word Forensics..102
  • Looking at Metadata in Hex-Editor..104
  • Using Sysinternal's strings to Examine Word Documents..105
  • Internet History..106

to examine index.dat file on linux 

pasco 
  * Recycle Bin..107

Subfolder created with users sid where files are placed. files in recycle bin are not named by their normalnames. Time and date stamps remain. INFO or INFO2 file keeps a map of the original filename and location.

  • Linux “Recycle Bin” Examination..111

rifiuti can examine an INFO2 file 

fifiuti INFO2
  • sid2user..112
  • What if INFO2 was Deleted..113
  • INFO2 Hexedit..114
  • System Registry..115
  • Registry..116
  • Search History..117

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU

  • Typed URLs..118

HKEY_CURRENT_USERS\Software\Microsoft\Internet Explorer\TyperdURLs

  • Last Commands Executed..119

HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • Last Files Saved..120
  HKEY_USERS\S-1-5-21-1801674531-1563985344-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
  • Registry Key Last Write Time..121

a tool to read last time a key was written 

keytime <full key path> (case sesitive)
  • Objectives..122

Windows Challenge..123

  • Challenge Hints..124
  • Forensic Investigation Methodology..125
  • Windows Programs..126
aoe/sans508-4.txt · Last modified: 2023/12/27 16:57 by 127.0.0.1