Computer Forensics - PowerPoint PPT Presentation

1 / 87
About This Presentation
Title:

Computer Forensics

Description:

Computer Forensics Chapter 3 – PowerPoint PPT presentation

Number of Views:495
Avg rating:3.0/5.0
Slides: 88
Provided by: Course366
Category:

less

Transcript and Presenter's Notes

Title: Computer Forensics


1
Computer Forensics
  • Chapter 3

2
Understanding the Windows Registry

3
Understanding the Windows Registry
  • Registry
  • A database that stores hardware and software
    configuration information, network connections,
    user preferences, and setup information
  • For investigative purposes, the Registry can
    contain valuable evidence
  • To view the Registry, you can use
  • Regedit (Registry Editor) program for Windows 9x
    systems
  • Regedt32 for Windows 2000 and XP

4
Exploring the Organization of the Windows Registry
  • Registry terminology
  • Registry
  • Registry Editor
  • HKEY
  • Key
  • Subkey
  • Branch
  • Value
  • Default value
  • Hives

5
Exploring the Organization of the Windows
Registry (continued)
6
Exploring the Organization of the Windows
Registry (continued)
7
Understanding Microsoft Startup Tasks

8
Understanding Microsoft Startup Tasks
  • Learn what files are accessed when Windows starts
  • This information helps you determine when a
    suspects computer was last accessed
  • Important with computers that might have been
    used after an incident was reported

9
Startup in Windows NT and Later
  • All Windows NT computers perform the following
    steps when the computer is turned on
  • Power-on self test (POST)
  • Initial startup
  • Boot loader
  • Hardware detection and configuration
  • Kernel loading
  • User logon

10
Startup Process for Windows Vista
  • Uses the new Extensible Firmware Interface ( EFI)
    as well as the older BIOS sys-tem.
  • NT Loader (NTLDR) has been replaced by three boot
    utilities
  • Bootmgr.exedisplays list of operating systems
  • Winload.exeloads kernel, HAL, and drivers
  • Winresume.exerestarts Vista after hibernation
  • See link Ch 6g

11
Startup Files for Windows XP
  • NT Loader (NTLDR)
  • Boot.ini
  • BootSect.dos
  • NTDetect.com
  • NTBootdd.sys
  • Ntoskrnl.exe
  • Hal.dll
  • Pagefile.sys
  • Device drivers

12
Startup in Windows NT and Later (continued)
  • Windows XP System Files

13
Startup in Windows NT and Later (continued)
  • Contamination Concerns with Windows XP
  • When you start a Windows XP NTFS workstation,
    several files are accessed immediately
  • The last access date and time stamp for the files
    change to the current date and time
  • Destroys any potential evidence
  • That shows when a Windows XP workstation was last
    used

14
Startup in Windows 9x/Me
  • System files in Windows 9x/Me containing valuable
    information can be altered easily during startup
  • Windows 9x and Windows Me have similar boot
    processes
  • Windows 9x OSs have two modes
  • DOS protected-mode interface (DPMI)
  • Protected-mode GUI

15
Startup in Windows 9x/Me (continued)
  • The system files used by Windows 9x have their
    origin in MS-DOS 6.22
  • Io.sys communicates between a computers BIOS,
    the hardware, and the OS kernel
  • If F8 is pressed during startup, Io.sys loads the
    Windows Startup menu
  • Msdos.sys is a hidden text file containing
    startup options for Windows 9x
  • Command.com provides a command prompt when
    booting to MS-DOS mode (DPMI)

16
Understanding MS-DOS Startup Tasks

17
Understanding MS-DOS Startup Tasks
  • Two files are used to configure MS-DOS at
    startup
  • Config.sys
  • A text file containing commands that typically
    run only at system startup to enhance the
    computers DOS configuration
  • Autoexec.bat
  • A batch file containing customized settings for
    MS-DOS that runs automatically
  • Io.sys is the first file loaded after the ROM
    bootstrap loader finds the disk drive

18
Understanding MS-DOS Startup Tasks (continued)
  • Msdos.sys is the second program to load into RAM
    immediately after Io.sys
  • It looks for the Config.sys file to configure
    device drivers and other settings
  • Msdos.sys then loads Command.com
  • As the loading of Command.com nears completion,
    Msdos.sys looks for and loads Autoexec.bat

19
Other Disk Operating Systems
  • Control Program for Microprocessors (CP/M)
  • First nonspecific microcomputer OS
  • Created by Digital Research in 1970
  • 8-inch floppy drives no support for hard drives
  • Digital Research Disk Operating System (DR-DOS)
  • Developed in 1988 to compete with MS-DOS
  • Used FAT12 and FAT16 and had a richer command
    environment

20
Other Disk Operating Systems (continued)
  • Personal Computer Disk Operating System (PC-DOS)
  • Created by Microsoft under contract for IBM
  • PC-DOS works much like MS-DOS

21
Determining What Data to Collect and Analyze

22
Determining What Data to Collect and Analyze
  • Examining and analyzing digital evidence depends
    on
  • Nature of the case
  • Amount of data to process
  • Search warrants and court orders
  • Company policies
  • Scope creep
  • Investigation expands beyond the original
    description
  • Right of full discovery of digital evidence

23
Approaching Computer Forensics Cases
  • Some basic principles apply to almost all
    computer forensics cases
  • The approach you take depends largely on the
    specific type of case youre investigating
  • Basic steps for all computer forensics
    investigations
  • For target drives, use only recently wiped media
    that have been reformatted
  • And inspected for computer viruses

24
Approaching Computer Forensics Cases (continued)
  • Basic steps for all computer forensics
    investigations (continued)
  • Inventory the hardware on the suspects computer
    and note the condition of the computer when
    seized
  • Remove the original drive from the computer
  • Check date and time values in the systems CMOS
  • Record how you acquired data from the suspect
    drive
  • Process the data methodically and logically

25
Approaching Computer Forensics Cases (continued)
  • Basic steps for all computer forensics
    investigations (continued)
  • List all folders and files on the image or drive
  • If possible, examine the contents of all data
    files in all folders
  • Starting at the root directory of the volume
    partition
  • For all password-protected files that might be
    related to the investigation
  • Make your best effort to recover file contents

26
Approaching Computer Forensics Cases (continued)
  • Basic steps for all computer forensics
    investigations (continued)
  • Identify the function of every executable (binary
    or .exe) file that doesnt match known hash
    values
  • Maintain control of all evidence and findings,
    and document everything as you progress through
    your examination

27
Refining and Modifying the Investigation Plan
  • Considerations
  • Determine the scope of the investigation
  • Determine what the case requires
  • Whether you should collect all information
  • What to do in case of scope creep
  • The key is to start with a plan but remain
    flexible in the face of new evidence

28
Using AccessData Forensic Toolkit to Analyze Data
  • Supported file systems FAT12/16/32, NTFS,
    Ext2fs, and Ext3fs
  • FTK can analyze data from several sources,
    including image files from other vendors
  • FTK produces a case log file
  • Searching for keywords
  • Indexed search
  • Live search
  • Supports options and advanced searching
    techniques, such as stemming

29
Using AccessData Forensic Toolkit to Analyze Data
(continued)
30
Using AccessData Forensic Toolkit to Analyze Data
(continued)
31
Using AccessData Forensic Toolkit to Analyze Data
(continued)
  • Analyzes compressed files
  • You can generate reports
  • Using bookmarks

32
Using AccessData Forensic Toolkit to Analyze Data
(continued)
33
Locating and Recovering Graphics Files

34
Locating and Recovering Graphics Files
  • Operating system tools
  • Time consuming
  • Results are difficult to verify
  • Computer forensics tools
  • Image headers
  • Compare them with good header samples
  • Use header information to create a baseline
    analysis
  • Reconstruct fragmented image files
  • Identify data patterns and modified headers

35
Identifying Graphics File Fragments
  • Carving or salvaging
  • Recovering all file fragments
  • Computer forensics tools
  • Carve from slack and free space
  • Help identify image files fragments and put them
    together

36
Repairing Damaged Headers
  • Use good header samples
  • Each image file has a unique file header
  • JPEG FF D8 FF E0 00 10
  • Most JPEG files also include JFIF string
  • Exercise
  • Investigate a possible intellectual property
    theft by a contract employee of Exotic Mountain
    Tour Service (EMTS)

37
Searching for and Carving Data from Unallocated
Space
38
Searching for and Carving Data from Unallocated
Space (continued)
39
Searching for and Carving Data from Unallocated
Space (continued)
  • Steps
  • Planning your examination
  • Searching for and recovering digital photograph
    evidence
  • Use ProDiscover to search for and extract
    (recover) possible evidence of JPEG files
  • False hits are referred to as false positives

40
(No Transcript)
41
Searching for and Carving Data from Unallocated
Space (continued)
42
Searching for and Carving Data from Unallocated
Space (continued)
43
Searching for and Carving Data from Unallocated
Space (continued)
44
Searching for and Carving Data from Unallocated
Space (continued)
45
Searching for and Carving Data from Unallocated
Space (continued)
46
Rebuilding File Headers
  • Try to open the file first and follow steps if
    you cant see its content
  • Steps
  • Recover more pieces of file if needed
  • Examine file header
  • Compare with a good header sample
  • Manually insert correct hexadecimal values
  • Test corrected file

47
Rebuilding File Headers (continued)
48
(No Transcript)
49
(No Transcript)
50
Rebuilding File Headers (continued)
51
Rebuilding File Headers (continued)
52
Reconstructing File Fragments
  • Locate the starting and ending clusters
  • For each fragmented group of clusters in the file
  • Steps
  • Locate and export all clusters of the fragmented
    file
  • Determine the starting and ending cluster numbers
    for each fragmented group of clusters
  • Copy each fragmented group of clusters in their
    proper sequence to a recovery file
  • Rebuild the corrupted files header to make it
    readable in a graphics viewer

53
Reconstructing File Fragments (continued)
54
Reconstructing File Fragments (continued)
55
Reconstructing File Fragments (continued)
56
Reconstructing File Fragments (continued)
57
Reconstructing File Fragments (continued)
  • Remember to save the updated recovered data with
    a .jpg extension
  • Sometimes suspects intentionally corrupt cluster
    links in a disks FAT
  • Bad clusters appear with a zero value on a disk
    editor

58
Reconstructing File Fragments (continued)
59
Reconstructing File Fragments (continued)
60
Network Forensics Overview
61
Network Forensics Overview
  • Network forensics
  • Systematic tracking of incoming and outgoing
    traffic
  • To ascertain how an attack was carried out or how
    an event occurred on a network
  • Intruders leave trail behind
  • Determine the cause of the abnormal traffic
  • Internal bug
  • Attackers

62
Securing a Network
  • Layered network defense strategy
  • Sets up layers of protection to hide the most
    valuable data at the innermost part of the
    network
  • Defense in depth (DiD)
  • Similar approach developed by the NSA
  • Modes of protection
  • People (hiring and treatment)
  • Technology (firewalls, IDSs, etc.)
  • Operations (patches, updates)

63
Securing a Network (continued)
  • Testing networks is as important as testing
    servers
  • You need to be up to date on the latest methods
    intruders use to infiltrate networks
  • As well as methods internal employees use to
    sabotage networks

64
Performing Live Acquisitions
65
Performing Live Acquisitions
  • Live acquisitions are especially useful when
    youre dealing with active network intrusions or
    attacks
  • Live acquisitions done before taking a system
    offline are also becoming a necessity
  • Because attacks might leave footprints only in
    running processes or RAM
  • Live acquisitions dont follow typical forensics
    procedures
  • Order of volatility (OOV)
  • How long a piece of information lasts on a system

66
Performing Live Acquisitions (continued)
  • Steps
  • Create or download a live-acquisition forensic CD
  • Make sure you keep a log of all your actions
  • A network drive is ideal as a place to send the
    information you collect an alternative is a USB
    disk
  • Copy the physical memory (RAM)
  • The next step varies search for rootkits, check
    firmware, image the drive over the network, or
    shut down for later static acquisition
  • Be sure to get a forensic hash value of all files
    you recover during the live acquisition

67
Performing a Live Acquisition in Windows
  • Several tools are available to capture the RAM.
  • Mantech Memory DD
  • Win32dd
  • winen.exe from Guidance Software
  • BackTrack

68
(No Transcript)
69
Developing Standard Procedures for Network
Forensics

70
Developing Standard Procedures for Network
Forensics
  • Long, tedious process
  • Standard procedure
  • Always use a standard installation image for
    systems on a network
  • Close any way in after an attack
  • Attempt to retrieve all volatile data
  • Acquire all compromised drives
  • Compare files on the forensic image to the
    original installation image

71
Developing Standard Procedures for Network
Forensics (continued)
  • Computer forensics
  • Work from the image to find what has changed
  • Network forensics
  • Restore drives to understand attack
  • Work on an isolated system
  • Prevents malware from affecting other systems

72
Reviewing Network Logs
  • Record ingoing and outgoing traffic
  • Network servers
  • Routers
  • Firewalls
  • Tcpdump tool for examining network traffic
  • Can generate top 10 lists
  • Can identify patterns
  • Attacks might include other companies
  • Do not reveal information discovered about other
    companies

73
Using Network Tools
74
Using Network Tools
  • Sysinternals
  • A collection of free tools for examining Windows
    products
  • Examples of the Sysinternals tools
  • RegMon shows Registry data in real time
  • Process Explorer shows what is loaded
  • Handle shows open files and processes using them
  • Filemon shows file system activity

75
SysInternals
  • Link Ch 11b

76
Using Network Tools (continued)
  • Tools from PsTools suite created by Sysinternals
  • PsExec runs processes remotely
  • PsGetSid displays security identifier (SID)
  • PsKill kills process by name or ID
  • PsList lists details about a process
  • PsLoggedOn shows whos logged locally
  • PsPasswd changes account passwords
  • PsService controls and views services
  • PsShutdown shuts down and restarts PCs
  • PsSuspend suspends processes

77
Using UNIX/Linux Tools
  • Knoppix Security Tools Distribution (STD)
  • Bootable Linux CD intended for computer and
    network forensics
  • Knoppix-STD tools
  • Dcfldd, the U.S. DoD dd version
  • memfetch forces a memory dump
  • photorec grabs files from a digital camera
  • snort, an intrusion detection system
  • oinkmaster helps manage your snort rules

78
Using UNIX/Linux Tools (continued)
  • Knoppix-STD tools (continued)
  • john
  • chntpw resets passwords on a Windows PC
  • tcpdump and ethereal are packet sniffers
  • With the Knoppix STD tools on a portable CD
  • You can examine almost any network system

79
Using UNIX/Linux Tools (continued)
  • BackTrack
  • Contains more than 300 tools for network
    scanning, brute-force attacks, Bluetooth and
    wireless networks, and more
  • Includes forensics tools, such as Autopsy and
    Sleuth Kit
  • Easy to use and frequently updated

80
Using Packet Sniffers
  • Packet sniffers
  • Devices or software that monitor network traffic
  • Most work at layer 2 or 3 of the OSI model
  • Most tools follow the PCAP format
  • Some packets can be identified by examining the
    flags in their TCP headers

81
TCP Header
  • From Wikipedia

82
Tools
  • Tcpdump (command-line packet capture)
  • Tethereal (command-line version of Ethereal)
  • Wireshark (formerly Ethereal)
  • Graphical packet capture analysis
  • Snort (intrusion detection)
  • Tcpslice
  • Extracts information from one or more tcpdump
    files by time frame

83
Tools
  • Tcpreplay (replays packets)
  • Tcpdstat (near-realtime traffic statistics)
  • Ngrep (pattern-matching for pcap captures)
  • Etherape (views network traffic graphically)
  • Netdude (GUI tool to analyze pcap files)
  • Argus (analyzes packet flows)

84
Examining the Honeynet Project
  • Attempt to thwart Internet and network hackers
  • Provides information about attacks methods
  • Objectives are awareness, information, and tools
  • Distributed denial-of-service (DDoS) attacks
  • A recent major threat
  • Hundreds or even thousands of machines (zombies)
    can be used

85
Examining the Honeynet Project (continued)
86
Examining the Honeynet Project (continued)
  • Zero day attacks
  • Another major threat
  • Attackers look for holes in networks and OSs and
    exploit these weaknesses before patches are
    available
  • Honeypot
  • Normal looking computer that lures attackers to
    it
  • Honeywalls
  • Monitor whats happening to honeypots on your
    network and record what attackers are doing

87
Examining the Honeynet Project (continued)
  • Its legality has been questioned
  • Cannot be used in court
  • Can be used to learn about attacks
  • Manuka Project
  • Used the Honeynet Projects principles
  • To create a usable database for students to
    examine compromised honeypots
  • Honeynet Challenges
  • You can try to ascertain what an attacker did and
    then post your results online
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Computer Forensics" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!