Computer Forensics

About This Presentation

Title:

Computer Forensics

Description:

Computer Forensics Chapter 3 – PowerPoint PPT presentation

Number of Views:504

Avg rating:3.0/5.0

Slides: 88

Provided by: Course366

Category:

more less

Transcript and Presenter's Notes

Title: Computer Forensics

1
Computer Forensics

Chapter 3

2
Understanding the Windows Registry

3
Understanding the Windows Registry

Registry
A database that stores hardware and software
configuration information, network connections,
user preferences, and setup information
For investigative purposes, the Registry can
contain valuable evidence
To view the Registry, you can use
Regedit (Registry Editor) program for Windows 9x
systems
Regedt32 for Windows 2000 and XP

4
Exploring the Organization of the Windows Registry

Registry terminology
Registry
Registry Editor
HKEY
Key
Subkey
Branch
Value
Default value
Hives

5
Exploring the Organization of the Windows
Registry (continued)
6
Exploring the Organization of the Windows
Registry (continued)
7
Understanding Microsoft Startup Tasks

8
Understanding Microsoft Startup Tasks

Learn what files are accessed when Windows starts
This information helps you determine when a
suspects computer was last accessed
Important with computers that might have been
used after an incident was reported

9
Startup in Windows NT and Later

All Windows NT computers perform the following
steps when the computer is turned on
Power-on self test (POST)
Initial startup
Boot loader
Hardware detection and configuration
Kernel loading
User logon

10
Startup Process for Windows Vista

Uses the new Extensible Firmware Interface ( EFI)
as well as the older BIOS sys-tem.
NT Loader (NTLDR) has been replaced by three boot
utilities
Bootmgr.exedisplays list of operating systems
Winload.exeloads kernel, HAL, and drivers
Winresume.exerestarts Vista after hibernation
See link Ch 6g

11
Startup Files for Windows XP

NT Loader (NTLDR)
Boot.ini
BootSect.dos
NTDetect.com
NTBootdd.sys
Ntoskrnl.exe
Hal.dll
Pagefile.sys
Device drivers

12
Startup in Windows NT and Later (continued)

Windows XP System Files

13
Startup in Windows NT and Later (continued)

Contamination Concerns with Windows XP
When you start a Windows XP NTFS workstation,
several files are accessed immediately
The last access date and time stamp for the files
change to the current date and time
Destroys any potential evidence
That shows when a Windows XP workstation was last
used

14
Startup in Windows 9x/Me

System files in Windows 9x/Me containing valuable
information can be altered easily during startup
Windows 9x and Windows Me have similar boot
processes
Windows 9x OSs have two modes
DOS protected-mode interface (DPMI)
Protected-mode GUI

15
Startup in Windows 9x/Me (continued)

The system files used by Windows 9x have their
origin in MS-DOS 6.22
Io.sys communicates between a computers BIOS,
the hardware, and the OS kernel
If F8 is pressed during startup, Io.sys loads the
Windows Startup menu
Msdos.sys is a hidden text file containing
startup options for Windows 9x
Command.com provides a command prompt when
booting to MS-DOS mode (DPMI)

16
Understanding MS-DOS Startup Tasks

17
Understanding MS-DOS Startup Tasks

Two files are used to configure MS-DOS at
startup
Config.sys
A text file containing commands that typically
run only at system startup to enhance the
computers DOS configuration
Autoexec.bat
A batch file containing customized settings for
MS-DOS that runs automatically
Io.sys is the first file loaded after the ROM
bootstrap loader finds the disk drive

18
Understanding MS-DOS Startup Tasks (continued)

Msdos.sys is the second program to load into RAM
immediately after Io.sys
It looks for the Config.sys file to configure
device drivers and other settings
Msdos.sys then loads Command.com
As the loading of Command.com nears completion,
Msdos.sys looks for and loads Autoexec.bat

19
Other Disk Operating Systems

Control Program for Microprocessors (CP/M)
First nonspecific microcomputer OS
Created by Digital Research in 1970
8-inch floppy drives no support for hard drives
Digital Research Disk Operating System (DR-DOS)
Developed in 1988 to compete with MS-DOS
Used FAT12 and FAT16 and had a richer command
environment

20
Other Disk Operating Systems (continued)

Personal Computer Disk Operating System (PC-DOS)
Created by Microsoft under contract for IBM
PC-DOS works much like MS-DOS

21
Determining What Data to Collect and Analyze

22
Determining What Data to Collect and Analyze

Examining and analyzing digital evidence depends
on
Nature of the case
Amount of data to process
Search warrants and court orders
Company policies
Scope creep
Investigation expands beyond the original
description
Right of full discovery of digital evidence

23
Approaching Computer Forensics Cases

Some basic principles apply to almost all
computer forensics cases
The approach you take depends largely on the
specific type of case youre investigating
Basic steps for all computer forensics
investigations
For target drives, use only recently wiped media
that have been reformatted
And inspected for computer viruses

24
Approaching Computer Forensics Cases (continued)

Basic steps for all computer forensics
investigations (continued)
Inventory the hardware on the suspects computer
and note the condition of the computer when
seized
Remove the original drive from the computer
Check date and time values in the systems CMOS
Record how you acquired data from the suspect
drive
Process the data methodically and logically

25
Approaching Computer Forensics Cases (continued)

Basic steps for all computer forensics
investigations (continued)
List all folders and files on the image or drive
If possible, examine the contents of all data
files in all folders
Starting at the root directory of the volume
partition
For all password-protected files that might be
related to the investigation
Make your best effort to recover file contents

26
Approaching Computer Forensics Cases (continued)

Basic steps for all computer forensics
investigations (continued)
Identify the function of every executable (binary
or .exe) file that doesnt match known hash
values
Maintain control of all evidence and findings,
and document everything as you progress through
your examination

27
Refining and Modifying the Investigation Plan

Considerations
Determine the scope of the investigation
Determine what the case requires
Whether you should collect all information
What to do in case of scope creep
The key is to start with a plan but remain
flexible in the face of new evidence

28
Using AccessData Forensic Toolkit to Analyze Data

Supported file systems FAT12/16/32, NTFS,
Ext2fs, and Ext3fs
FTK can analyze data from several sources,
including image files from other vendors
FTK produces a case log file
Searching for keywords
Indexed search
Live search
Supports options and advanced searching
techniques, such as stemming

29
Using AccessData Forensic Toolkit to Analyze Data
(continued)
30
Using AccessData Forensic Toolkit to Analyze Data
(continued)
31
Using AccessData Forensic Toolkit to Analyze Data
(continued)

Analyzes compressed files
You can generate reports
Using bookmarks

32
Using AccessData Forensic Toolkit to Analyze Data
(continued)
33
Locating and Recovering Graphics Files

34
Locating and Recovering Graphics Files

Operating system tools
Time consuming
Results are difficult to verify
Computer forensics tools
Image headers
Compare them with good header samples
Use header information to create a baseline
analysis
Reconstruct fragmented image files
Identify data patterns and modified headers

35
Identifying Graphics File Fragments

Carving or salvaging
Recovering all file fragments
Computer forensics tools
Carve from slack and free space
Help identify image files fragments and put them
together

36
Repairing Damaged Headers

Use good header samples
Each image file has a unique file header
JPEG FF D8 FF E0 00 10
Most JPEG files also include JFIF string
Exercise
Investigate a possible intellectual property
theft by a contract employee of Exotic Mountain
Tour Service (EMTS)

37
Searching for and Carving Data from Unallocated
Space
38
Searching for and Carving Data from Unallocated
Space (continued)
39
Searching for and Carving Data from Unallocated
Space (continued)

Steps
Planning your examination
Searching for and recovering digital photograph
evidence
Use ProDiscover to search for and extract
(recover) possible evidence of JPEG files
False hits are referred to as false positives

40
(No Transcript)
41
Searching for and Carving Data from Unallocated
Space (continued)
42
Searching for and Carving Data from Unallocated
Space (continued)
43
Searching for and Carving Data from Unallocated
Space (continued)
44
Searching for and Carving Data from Unallocated
Space (continued)
45
Searching for and Carving Data from Unallocated
Space (continued)
46
Rebuilding File Headers

Try to open the file first and follow steps if
you cant see its content
Steps
Recover more pieces of file if needed
Examine file header
Compare with a good header sample
Manually insert correct hexadecimal values
Test corrected file

47
Rebuilding File Headers (continued)
48
(No Transcript)
49
(No Transcript)
50
Rebuilding File Headers (continued)
51
Rebuilding File Headers (continued)
52
Reconstructing File Fragments

Locate the starting and ending clusters
For each fragmented group of clusters in the file
Steps
Locate and export all clusters of the fragmented
file
Determine the starting and ending cluster numbers
for each fragmented group of clusters
Copy each fragmented group of clusters in their
proper sequence to a recovery file
Rebuild the corrupted files header to make it
readable in a graphics viewer

53
Reconstructing File Fragments (continued)
54
Reconstructing File Fragments (continued)
55
Reconstructing File Fragments (continued)
56
Reconstructing File Fragments (continued)
57
Reconstructing File Fragments (continued)

Remember to save the updated recovered data with
a .jpg extension
Sometimes suspects intentionally corrupt cluster
links in a disks FAT
Bad clusters appear with a zero value on a disk
editor

58
Reconstructing File Fragments (continued)
59
Reconstructing File Fragments (continued)
60
Network Forensics Overview
61
Network Forensics Overview

Network forensics
Systematic tracking of incoming and outgoing
traffic
To ascertain how an attack was carried out or how
an event occurred on a network
Intruders leave trail behind
Determine the cause of the abnormal traffic
Internal bug
Attackers

62
Securing a Network

Layered network defense strategy
Sets up layers of protection to hide the most
valuable data at the innermost part of the
network
Defense in depth (DiD)
Similar approach developed by the NSA
Modes of protection
People (hiring and treatment)
Technology (firewalls, IDSs, etc.)
Operations (patches, updates)

63
Securing a Network (continued)

Testing networks is as important as testing
servers
You need to be up to date on the latest methods
intruders use to infiltrate networks
As well as methods internal employees use to
sabotage networks

64
Performing Live Acquisitions
65
Performing Live Acquisitions

Live acquisitions are especially useful when
youre dealing with active network intrusions or
attacks
Live acquisitions done before taking a system
offline are also becoming a necessity
Because attacks might leave footprints only in
running processes or RAM
Live acquisitions dont follow typical forensics
procedures
Order of volatility (OOV)
How long a piece of information lasts on a system

66
Performing Live Acquisitions (continued)

Steps
Create or download a live-acquisition forensic CD
Make sure you keep a log of all your actions
A network drive is ideal as a place to send the
information you collect an alternative is a USB
disk
Copy the physical memory (RAM)
The next step varies search for rootkits, check
firmware, image the drive over the network, or
shut down for later static acquisition
Be sure to get a forensic hash value of all files
you recover during the live acquisition

67
Performing a Live Acquisition in Windows

Several tools are available to capture the RAM.
Mantech Memory DD
Win32dd
winen.exe from Guidance Software
BackTrack

68
(No Transcript)
69
Developing Standard Procedures for Network
Forensics

70
Developing Standard Procedures for Network
Forensics

Long, tedious process
Standard procedure
Always use a standard installation image for
systems on a network
Close any way in after an attack
Attempt to retrieve all volatile data
Acquire all compromised drives
Compare files on the forensic image to the
original installation image

71
Developing Standard Procedures for Network
Forensics (continued)

Computer forensics
Work from the image to find what has changed
Network forensics
Restore drives to understand attack
Work on an isolated system
Prevents malware from affecting other systems

72
Reviewing Network Logs

Record ingoing and outgoing traffic
Network servers
Routers
Firewalls
Tcpdump tool for examining network traffic
Can generate top 10 lists
Can identify patterns
Attacks might include other companies
Do not reveal information discovered about other
companies

73
Using Network Tools
74
Using Network Tools

Sysinternals
A collection of free tools for examining Windows
products
Examples of the Sysinternals tools
RegMon shows Registry data in real time
Process Explorer shows what is loaded
Handle shows open files and processes using them
Filemon shows file system activity

75
SysInternals

Link Ch 11b

76
Using Network Tools (continued)

Tools from PsTools suite created by Sysinternals
PsExec runs processes remotely
PsGetSid displays security identifier (SID)
PsKill kills process by name or ID
PsList lists details about a process
PsLoggedOn shows whos logged locally
PsPasswd changes account passwords
PsService controls and views services
PsShutdown shuts down and restarts PCs
PsSuspend suspends processes

77
Using UNIX/Linux Tools

Knoppix Security Tools Distribution (STD)
Bootable Linux CD intended for computer and
network forensics
Knoppix-STD tools
Dcfldd, the U.S. DoD dd version
memfetch forces a memory dump
photorec grabs files from a digital camera
snort, an intrusion detection system
oinkmaster helps manage your snort rules

78
Using UNIX/Linux Tools (continued)

Knoppix-STD tools (continued)
john
chntpw resets passwords on a Windows PC
tcpdump and ethereal are packet sniffers
With the Knoppix STD tools on a portable CD
You can examine almost any network system

79
Using UNIX/Linux Tools (continued)

BackTrack
Contains more than 300 tools for network
scanning, brute-force attacks, Bluetooth and
wireless networks, and more
Includes forensics tools, such as Autopsy and
Sleuth Kit
Easy to use and frequently updated

80
Using Packet Sniffers

Packet sniffers
Devices or software that monitor network traffic
Most work at layer 2 or 3 of the OSI model
Most tools follow the PCAP format
Some packets can be identified by examining the
flags in their TCP headers

81
TCP Header

From Wikipedia

82
Tools

Tcpdump (command-line packet capture)
Tethereal (command-line version of Ethereal)
Wireshark (formerly Ethereal)
Graphical packet capture analysis
Snort (intrusion detection)
Tcpslice
Extracts information from one or more tcpdump
files by time frame

83
Tools

Tcpreplay (replays packets)
Tcpdstat (near-realtime traffic statistics)
Ngrep (pattern-matching for pcap captures)
Etherape (views network traffic graphically)
Netdude (GUI tool to analyze pcap files)
Argus (analyzes packet flows)

84
Examining the Honeynet Project

Attempt to thwart Internet and network hackers
Provides information about attacks methods
Objectives are awareness, information, and tools
Distributed denial-of-service (DDoS) attacks
A recent major threat
Hundreds or even thousands of machines (zombies)
can be used

85
Examining the Honeynet Project (continued)
86
Examining the Honeynet Project (continued)

Zero day attacks
Another major threat
Attackers look for holes in networks and OSs and
exploit these weaknesses before patches are
available
Honeypot
Normal looking computer that lures attackers to
it
Honeywalls
Monitor whats happening to honeypots on your
network and record what attackers are doing

87
Examining the Honeynet Project (continued)