COEN 250 Computer ForensicsExtracting Evidence from a Life SystemSlide 3Slide 4Slide 5Slide 6Response ToolkitResponse Toolkit: cmd.exeSlide 9Slide 10Slide 11Response Toolkit: pslistResource Tools ListDLLsResource Toolkit: nbtstatResource Toolkit: arpResource Toolkit: killRecourse Toolkit: md5sumResource Toolkit: PsLogListResource Toolkit: PsInfoRemote Toolkit: PsFileRemote Toolkit: PsLoggedOnResource Toolkit: PsServiceResource Toolkit: regdumpPreparing the ToolkitStoring Obtained DataStoring Obtained Data with netcatObtaining Volatile DataObtaining Volatile Data: ProcedureSlide 29Recording System TimeDetermining LogonsDetermining File MACDetermining Open PortsListing Applications with Open PortsListing all running processesList current connectionsSlide 37Documenting historyScripting the responseScripting the responseExamplesSlide 42Slide 43Slide 44Slide 45Slide 46Examples: Detecting and Deleting TrojansSlide 48ExampleSlide 50Slide 51Slide 52Slide 53Slide 54Slide 55COEN 250 Computer ForensicsWindows Life AnalysisExtracting Evidence from a Life SystemDegrees of Volatility of Data.Gathering more volatile data versusSafer forensics procedures.Extracting Evidence from a Life SystemLife Examination is done:To quickly access the situationConfirmation of incident.To retrieve volatile dataSuch as network connections, running processes, etc.Extracting Evidence from a Life SystemInitial response must not destroy potential evidence.Use only trusted tools on a response toolkit.Document results.Notebook Hard Drive of target system Removable media connected to target drive Other system using netcat or cryptcat Extracting Evidence from a Life SystemPlan investigation.Evidence gathering differs according to incidence:Unacceptable web-surfing.Intellectual property rights theft.Compromised system.Extracting Evidence from a Life SystemResponse ToolkitCollection of Trusted Tools.Stored on removable media.Floppies (write-protected)CDThumbdrive (write-protected)Response ToolkitDetermine the tools needed.Create Toolkit.Check dependencies on DLL and other files. Include those in toolkit.Include file authentication tool such as MD5.Response Toolkit: cmd.exeBuilt-in command prompt.Response ToolkitnetstatEnumerates all listening ports and all connections to those ports.Suspicious connection? (No, windows messenger.)Response ToolkitrasusersWhich users have remote access privileges on the target system.Response ToolkitFport Finds open TCP/IP and UDP ports and maps them to the owning applicationResponse Toolkit: pslistResource Tools ListDLLsResource Toolkit: nbtstatResource Toolkit: arpResource Toolkit: killGet it from the Windows NT Resource Kit.Terminates processes via process number.Recourse Toolkit: md5sumCreates MD5 hashes for a file.Resource Toolkit: PsLogListDumps the event log list.Resource Toolkit: PsInfoLocal System built.Remote Toolkit: PsFileRemote Toolkit: PsLoggedOnResource Toolkit: PsServiceResource Toolkit: regdumpPreparing the ToolkitLabel the toolkit. Check for dependencies with Filemon.Lots of dependencies => lots of MAC changes.Create an MD5 of the toolkit.Write protect any floppies.Storing Obtained DataSave data on the hard drive of target.  (Modifies System.)Record data by hand. Save data on removable media.  Includes USB storage.Save data on a remote system with netcat or cryptcat. Storing Obtained Data with netcatQuick on, quick off target system.Allows offline review.Establish a netcat listener on the forensic workstation. Redirect into a file.Establish a netcat funneler on the target system to the forensic workstation.Cryptcat does the same, but protects against sniffing.Obtaining Volatile DataStore at leastSystem date and time.List of current users.List of current processes.List of currently open sockets.Applications listed on open socket.List of systems with current or recent connections to the system.Obtaining Volatile Data: ProcedureExecute a trusted cmd.exeRecord system time and date.Determine who is logged on.Record file MAC.Determine open ports.List all apps associated with open ports.Obtaining Volatile Data: ProcedureList all running processes.List current and recent connections.Record the system time and date.Document the commands used during initial response.Recording System TimeDetermining LogonsDetermining File MACDetermining Open PortsListing Applications with Open PortsListing all running processesList current connectionsList current connectionsDocumenting historyScripting the responseScripting the responseExamplesUse Fport to look at open ports.Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware.www.doshelp.com/trojanports.htmExamplesIf at your home system, fport shows a suspicious port use and netstat shows a current connection to this port, then kill the process.ExamplesKnowing what processes are running does not do you any good.You need to know what they are doing.At least, know the typical processes.ExamplesAccess the registry with RegDumpThen study it with regedit on the forensic system.ExamplesAssume generic monitoring of systems.Look for Unusual resource utilization or process behavior.Missing processes.Added processes.Processes with unusual user identification.ExamplesThe windows task manager can be very helpful.Examples: Detecting and Deleting TrojansUse port scanning tools, either on host machine or remote machine.Fport (Windows)Superscan (Windows)Nmapnetstat (for open connections)Examples: Detecting and Deleting TrojansIdentify the Trojan on the disk.Find out how it is being initiated and prevent the process.Reboot the machine and delete the Trojan.ExampleRun superscan on local host to check for open ports.What is happening at port 5000?ExamplePort 5000?ExampleRun fport.Connected to process 1260.ExampleUse pllist to find out what this is.Connected to a process called svchost.ExampleDo an internet search on svchost.Process checks the service portion of the registry to start services that need to run.Use Tasklist /SVC in a command promptExampleExampleNothing serious here.At least not on the