COEN 250 Computer Forensics
Windows Live Analysis

Extracting Evidence from a Live System
- Degrees of volatility of data.
- Gathering more volatile data versus safer forensics procedures.

Extracting Evidence from a Live System
Live examination is done:
- To quickly assess the situation (confirmation of the incident).
- To retrieve volatile data, such as network connections, running processes, etc.

Extracting Evidence from a Live System
- Initial response must not destroy potential evidence.
- Use only trusted tools from a response toolkit.
- Document results:
  - Notebook
  - Hard drive of the target system
  - Removable media connected to the target drive
  - Other system, using netcat or cryptcat

Extracting Evidence from a Live System
- Plan the investigation.
- Evidence gathering differs according to the incident:
  - Unacceptable web surfing.
  - Intellectual property theft.
  - Compromised system.

Response Toolkit
- Collection of trusted tools.
- Stored on removable media:
  - Floppies (write-protected)
  - CD
  - Thumb drive (write-protected)

Response Toolkit
- Determine the tools needed.
- Create the toolkit.
- Check dependencies on DLLs and other files; include those in the toolkit.
- Include a file authentication tool such as MD5.

Response Toolkit: cmd.exe
- Built-in command prompt.

Response Toolkit: netstat
- Enumerates all listening ports and all connections to those ports.
- Suspicious connection? (No, Windows Messenger.)

Response Toolkit: rasusers
- Which users have remote access privileges on the target system.

Response Toolkit: Fport
- Finds open TCP/IP and UDP ports and maps them to the owning application.

Response Toolkit: pslist

Response Toolkit: ListDLLs

Response Toolkit: nbtstat

Response Toolkit: arp

Response Toolkit: kill
- Get it from the Windows NT Resource Kit.
- Terminates processes by process number.

Response Toolkit: md5sum
- Creates MD5 hashes for a file.

Response Toolkit: PsLogList
- Dumps the event log.

Response Toolkit: PsInfo
- Local system build.

Response Toolkit: PsFile

Response Toolkit: PsLoggedOn

Response Toolkit: PsService

Response Toolkit: regdump

Preparing the Toolkit
- Label the toolkit.
- Check for dependencies with Filemon. Lots of dependencies => lots of MAC changes.
- Create an MD5 of the toolkit.
- Write-protect any floppies.

Storing Obtained Data
- Save data on the hard drive of the target. (Modifies the system.)
- Record data by hand.
- Save data on removable media, including USB storage.
- Save data on a remote system with netcat or cryptcat.

Storing Obtained Data with netcat
- Quick on, quick off the target system.
- Allows offline review.
- Establish a netcat listener on the forensic workstation; redirect it into a file.
- Establish a netcat funneler on the target system to the forensic workstation.
- Cryptcat does the same, but protects against sniffing.

Obtaining Volatile Data
Store at least:
- System date and time.
- List of current users.
- List of current processes.
- List of currently open sockets.
- Applications listening on the open sockets.
- List of systems with current or recent connections to the system.

Obtaining Volatile Data: Procedure
- Execute a trusted cmd.exe.
- Record the system time and date.
- Determine who is logged on.
- Record file MAC times.
- Determine open ports.
- List all applications associated with open ports.
- List all running processes.
- List current and recent connections.
- Record the system time and date.
- Document the commands used during the initial response.

Recording System Time
Determining Logons
Determining File MAC
Determining Open Ports
Listing Applications with Open Ports
Listing All Running Processes
List Current Connections
Documenting History
Scripting the Response

Examples
- Use Fport to look at open ports.
- Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware: www.doshelp.com/trojanports.htm

Examples
- If, on your home system, fport shows a suspicious port in use and netstat shows a current connection to this port, then kill the process.

Examples
- Knowing what processes are running does not do you any good.
- You need to know what they are doing.
- At least, know the typical processes.

Examples
- Access the registry with RegDump.
- Then study it with regedit on the forensic system.

Examples
- Assume generic monitoring of systems.
- Look for unusual resource utilization or process behavior:
  - Missing processes.
  - Added processes.
  - Processes with unusual user identification.

Examples
- The Windows Task Manager can be very helpful.

Examples: Detecting and Deleting Trojans
- Use port scanning tools, either on the host machine or on a remote machine:
  - Fport (Windows)
  - Superscan (Windows)
  - Nmap
  - netstat (for open connections)

Examples: Detecting and Deleting Trojans
- Identify the Trojan on the disk.
- Find out how it is being initiated and prevent the process.
- Reboot the machine and delete the Trojan.

Example
- Run Superscan on the local host to check for open ports.
- What is happening at port 5000?

Example
- Port 5000?

Example
- Run fport.
- Connected to process 1260.

Example
- Use pslist to find out what this is.
- Connected to a process called svchost.

Example
- Do an internet search on svchost.
- The process checks the service portion of the registry to start services that need to run.
- Use Tasklist /SVC in a command prompt.

Example

Example
- Nothing serious here.
- At least not on the
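The volatile-data procedure, the "documenting history" step and the netcat transfer described above, scripted in Python as an added example (not the course's own script); the toolkit path, the listener address and the port are assumptions.

```python
"""Scripted initial response: runs trusted tools from the toolkit, brackets
the run with the system time, MD5s every output (the 'documenting history'
step) and funnels the record to a netcat listener on the forensic workstation
(e.g. 'nc -l -p 2222 > target.txt' there), never writing to the target's disk.
Toolkit path, workstation address and port are assumptions."""
import hashlib
import socket
import subprocess
from datetime import datetime

TOOLKIT = r"E:\toolkit"  # assumed: write-protected removable media
COMMANDS = [             # trusted binaries called by full path, not via %PATH%
    ("date /t & time /t", "system date and time"),
    (TOOLKIT + r"\psloggedon.exe", "who is logged on"),
    (TOOLKIT + r"\fport.exe", "open ports and owning applications"),
    (TOOLKIT + r"\pslist.exe", "running processes"),
    (TOOLKIT + r"\netstat.exe -an", "current connections"),
]

def md5_text(text):
    return hashlib.md5(text.encode()).hexdigest()

def run_cmd(cmd):
    # the only place the target is touched; shell=True runs the interpreter
    # named in %COMSPEC%, so point %COMSPEC% at the toolkit's cmd.exe first
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def build_record(commands, runner=run_cmd, now=lambda: datetime.now().isoformat()):
    """One text record: start time, then per command its line, output and
    output MD5, then end time. runner/now are injectable for testing."""
    lines = [f"### response started {now()}"]
    for cmd, why in commands:
        out = runner(cmd)
        lines += [f"### {why}", f"> {cmd}", out.rstrip("\n"), f"md5={md5_text(out)}"]
    lines.append(f"### response finished {now()}")
    return "\n".join(lines) + "\n"

def ship(record, host, port=2222):
    """Funnel the record to the listener, like '... | nc host 2222'."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(record.encode())

if __name__ == "__main__":
    ship(build_record(COMMANDS), "192.0.2.10")  # assumed forensic workstation
```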
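The fport / netstat / port-list cross-check from the Examples slides (suspicious port with a current connection), as an added example that is not from the course; the tool output is constructed sample data in the real tools' formats and the watchlist holds sample entries.

```python
"""Correlate fport output, netstat -an output and a list of suspicious ports.
All tool output below is constructed sample data; the watchlist is a sample."""
import re

FPORT_OUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
1260  svchost        ->  5000  TCP   C:\\WINNT\\system32\\svchost.exe
1337  update         ->  12345 TCP   C:\\WINNT\\Temp\\update.exe
"""
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.0.2.5:12345        203.0.113.7:4444       ESTABLISHED
"""
WATCHLIST = {12345: "NetBus", 31337: "Back Orifice"}  # sample entries (port -> name)

FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.*)$")

def parse_fport(text):
    """(pid, process, port, proto, path) for every port fport mapped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path))
    return rows

def parse_netstat(text):
    """(proto, local port) -> (foreign address, state); UDP rows have no state."""
    conns = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] in ("TCP", "UDP"):
            port = int(f[1].rsplit(":", 1)[1])
            conns[(f[0], port)] = (f[2], f[3] if len(f) > 3 else "")
    return conns

def triage(fport_text, netstat_text, watchlist):
    """Flag a process whose port is on the watchlist; an ESTABLISHED
    connection on that port is the slides' 'kill the process' case."""
    conns = parse_netstat(netstat_text)
    hits = []
    for pid, proc, port, proto, path in parse_fport(fport_text):
        if port in watchlist:
            peer, state = conns.get((proto, port), ("", ""))
            hits.append({"pid": pid, "process": proc, "port": port, "path": path,
                         "known_as": watchlist[port], "peer": peer,
                         "active": state == "ESTABLISHED"})
    return hits
```

Port 5000 owned by svchost (the slides' case) produces no hit because it is not on the list; the constructed process on 12345 with a live peer is the one to investigate.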