Pharmaceuticals
FIST Conference September/Madrid 2005

Forensics of a Windows system

Alfredo Reino
Systems Engineer
Pharma Global Informatics
F. Hoffmann-La Roche
F. Hoffmann – La Roche
A Global Healthcare Leader

• One of the leading research-intensive
  healthcare groups
• Core businesses are pharmaceuticals and
  diagnostics
• A world leader in Diagnostics
• The leading supplier of medicines for
  cancer and transplantation and a market
  leader in virology
• Employs roughly 65,000 people in 150
  countries
• Has R&D agreements and strategic
  alliances with numerous partners, including
  majority ownership interests in Genentech
  and Chugai
Agenda


• What is forensics?
• Role of forensics in incident handling
• Gathering volatile data
• Filesystem acquisition
• Timeline analysis
• Network information
• Tools
What is forensics?


 Computer forensics is the process of investigating data storage
 devices and/or data processing equipment typically a home
 computer, laptop, server, office workstation, or removable
 media such as compact discs, to determine if the equipment
 has been used for illegal, unauthorized, or unusual activities. It
 can also include monitoring a network for the same purpose.
 They must do so in a fashion that adheres to the standards of
 evidence that is admissible in a court of law.

                      http://en.wikipedia.org/wiki/computer_forensics
What is forensics?


• Computer forensics includes the following aspects:
   – identify evidence
   – preserve evidence
   – analyze evidence
   – present results
• This has to be done following appropriate standards, especially if
  results need to be admitted by a court of law
Incident handling


• General areas of incident handling
  – planning and preparation
  – incident detection
  – containment / response
  – recovery
  – analysis
Forensics scope and environment


• Layers of the environment, from innermost to outermost (diagram rendered as a list):
   – applications
   – os
   – server
   – computerized systems
   – infrastructure systems (lan / dmz)
   – external environment

 do you have all the relevant information?
Gathering data


• Volatile data
   – registers, cache contents
   – memory contents
   – network connections
   – running processes
• Non-volatile data
   – content of filesystems and drives
   – content of removable media
Volatile data - preparation


• Create cd-rom with trusted toolset
   – at least include a trusted version of CMD.EXE from the same operating
     system
   – netcat or cryptcat (http://sourceforge.net/projects/cryptcat/)
   – system tools (ipconfig, netstat, date, time, net, arp ...) for different
     windows versions and service pack levels
   – pstools, listdlls, filemon, regmon, autoruns... (http://sysinternals.com)
   – hfind, fport, ntlast, ... (http://foundstone.com)
   – windows resource kit tools
   – a good sniffer (ethereal, windump, ...)
   – md5sum / md5deep
Volatile data - the set up


•   Connect forensics workstation to same lan as suspect server
•   Configure netcat or cryptcat in forensics workstation to listen on a port and save
    received data to evidence file
•   Mount trusted toolset cd-rom in suspect server
•   Open trusted console (cmd.exe)
Volatile data - what to get


• System date and time
• Running processes
• Network connections
• Open ports
• Applications listening on open sockets
• Logged on users
Volatile data - tools


• date /t & time /t
   – get system date and time
• ipconfig /all
   – get tcp/ip configuration
• netstat -aon
   – get network connections and listening ports (with associated process pid)
• psinfo -shd
   – get computer information (hardware, software, hotfixes, versions, etc.)
• pslist -t
   – get running processes
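As an added worked example (not part of the original slides), the following Python script performs the cross-check that the tools above make possible: it parses `netstat -aon` output, maps the PID of every listening socket to a process name taken from `pslist`, and flags listeners that are absent from a known-good baseline for the host role. Both tool outputs and the baseline are constructed for this example; the process names, ports and PIDs are not from any real host.

```python
"""Correlate `netstat -aon` with a process listing to name the owner of every
listening socket (the check tcpview / fport make visually). Sample outputs are
constructed for this example and mimic the Windows XP/2003 column layout."""
from collections import namedtuple

# Constructed sample of `netstat -aon` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.77:1211         ESTABLISHED     1320
  TCP    10.0.0.5:4444          0.0.0.0:0              LISTENING       2044
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `pslist` output; only the Name and Pid columns are used.
PSLIST_SAMPLE = """\
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  51  305      0     0:00:03.421     0:35:07.236
svchost             848   8  14  191   1584     0:00:00.031     0:35:02.011
svchost            1320   8   9  120   1120     0:00:00.015     0:34:58.000
updater            2044   8   1   22    200     0:00:00.000     0:02:11.500
"""

# Hypothetical known-good baseline for this host role: (proto, port) pairs
# that are expected to be listening. Anything else deserves a closer look.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 445)}

Socket = namedtuple("Socket", "proto local foreign state pid")


def parse_netstat(text):
    """Parse `netstat -aon` rows. TCP rows carry a State column, UDP rows do not."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        sockets.append(Socket(proto, local, foreign, state, int(pid)))
    return sockets


def parse_pslist(text):
    """Map PID -> process name from `pslist` output (second column is the PID)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def listening_ports(sockets, procs):
    """(proto, port, pid, name) for every listening TCP socket and every UDP socket."""
    rows = []
    for s in sockets:
        if s.proto == "UDP" or s.state == "LISTENING":
            port = int(s.local.rsplit(":", 1)[1])
            rows.append((s.proto, port, s.pid, procs.get(s.pid, "<pid not in pslist>")))
    return sorted(rows)


def unexpected_listeners(sockets, procs, baseline=BASELINE):
    """Listeners whose (proto, port) pair is absent from the baseline."""
    return [r for r in listening_ports(sockets, procs) if (r[0], r[1]) not in baseline]


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_pslist(PSLIST_SAMPLE)
    for row in listening_ports(socks, procs):
        print("%-3s %5d  pid %-5d %s" % row)
    print("unexpected:", unexpected_listeners(socks, procs))
```

A listening PID that netstat reports but pslist does not know is itself a finding: on a compromised host it can mean a process hidden from the API the untrusted system exposes, which is why the trusted toolset and the rootkit checks on the later slides matter. Keep both raw outputs as evidence; the correlation is only a reading aid.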
Volatile data - tools


• psloggedon
   – show logged on users and log on times
• psloglist
   – dump event log
• psservice
   – dump system service information
• net use
   – list netbios/smb connections
• listdlls
    – list all dlls loaded in system
• sigcheck -u -e c:\windows\system32
   – enumerate all unsigned files (.exe, .dll)
Volatile data - tools


• streams -s c:\
   – list files with alternate data streams (ads)
• logonsessions -p
   – lists logged on sessions and processes running on each session
• strings
   – searches for ascii/unicode strings in suspicious files (you decide which
      are suspicious or not!)
• arp -a
   – displays arp cache table
• ntlast
   – record successful and failed logins in system (including null sessions and
      remote logins)
Volatile data - tools


• autorunsc
   – show all kinds of autorun items




• hfind c:\
   – finds hidden files
Volatile data - GUI tools


• rootkit revealer
   – detects usermode or kernelmode rootkits
• process explorer
   – useful information about running processes, loaded libraries,
     used resources, etc.
• tcpview
   – displays network connections and associated applications
Network information


• Useful static data to get
   – IDS/IPS logs
   – firewall logs
   – radius/VPN logs
   – DHCP logs and leased ip information
   – application logs from other servers in same network if they
     are suspected of being entry point (ftp, www, database, ...)
Network information


• Traffic to/from live system
   – use of sniffer recommended
   – can use ethernet probe (read-only cat5 if possible!)
   – if server connected to hub, then plug probe into hub
   – if connected to switch, use a mirror port (in expensive
     switches) or use arp-spoofing to redirect traffic to sniffer
   – best sniffer: ethereal
Filesystem acquisition

• Physical acquisition
   – turn off machine (pull the power cable)
   – remove harddisk
   – connect to forensics workstation using hardware IDE/SCSI
     write blocker
   – perform bitwise copy
Filesystem acquisition

• Network acquisition - live system
   – not recommended
      • untrusted operating system
      • filesystem in inconsistent state
   – configure forensics workstation
      • lots of free disk space
      • netcat listener (nc -l -p 9000 > disk1.dd)
      • after acquiring compute hash (md5sum disk1.dd > disk.md5)
   – acquire live filesystem
       • run 'dd for windows' from trusted cd-rom toolset
       • dd if=\\.\PhysicalDrive0 bs=2k | nc -w 3 10.0.0.1 9000
           – where 10.0.0.1 is the ip address of forensics workstation
Filesystem acquisition

• Network acquisition - non-live system
   – configure forensics workstation
      • lots of free disk space
      • netcat listener (nc -l -p 9000 > disk1.dd)
      • after acquiring compute hash (md5sum disk1.dd > disk.md5)
   – configure suspect system
      • boot suspect system (losing volatile info!) into linux livecd
        distro (gentoo, helix, knoppix, ...)
      • run dd to image disk over network with netcat
          – dd if=/dev/sda | nc 10.0.0.1 9000
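The following Python program is an added example, not code from the slides or from the presenter: it implements the forensic-workstation side of the netcat acquisition described on the set-up slide and on the two acquisition slides above (the role of `nc -l -p 9000 > disk1.dd` followed by `md5sum disk1.dd > disk.md5`), with one difference worth having: the hash is computed while the image streams in, so the sidecar file is written the moment the sender closes the connection, and a separate verify step re-reads the image to prove the stored hash. The `send_bytes` helper only stands in for `dd ... | nc` on the suspect side so the whole flow can be run on one machine; the port number and the `disk1.dd.md5` sidecar name are this example's choices.

```python
"""Forensic-workstation side of a netcat acquisition, i.e. the role played on the
slides by `nc -l -p 9000 > disk1.dd` followed by `md5sum disk1.dd > disk.md5`.
The receiver hashes the stream as it lands, writes an md5sum-style sidecar file,
and a verify step re-reads the image to confirm the stored hash. The sender
helper only stands in for `dd ... | nc` so the whole thing can run on one host."""
import hashlib
import os
import socket
import tempfile
import threading


class EvidenceReceiver:
    """Accept a single connection and stream its payload to out_path."""

    def __init__(self, out_path, port=9000, bind_addr="0.0.0.0", hash_name="md5"):
        self.out_path = out_path
        self.hash_name = hash_name
        self.sidecar = out_path + "." + hash_name        # e.g. disk1.dd.md5
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((bind_addr, port))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]            # real port, also when port=0

    def run(self):
        """Block until the sender closes; return (bytes_written, hexdigest)."""
        digest = hashlib.new(self.hash_name)
        total = 0
        conn, _peer = self.srv.accept()
        self.srv.close()                                 # one acquisition per listener
        with conn, open(self.out_path, "wb") as out:
            while True:
                chunk = conn.recv(1 << 16)
                if not chunk:                            # EOF: sender finished
                    break
                out.write(chunk)
                digest.update(chunk)
                total += len(chunk)
        hexdigest = digest.hexdigest()
        # Same "<hash>  <file>" layout md5sum produces, so `md5sum -c` accepts it.
        with open(self.sidecar, "w") as f:
            f.write(f"{hexdigest}  {os.path.basename(self.out_path)}\n")
        return total, hexdigest


def verify_image(out_path, hash_name="md5"):
    """Recompute the image hash and compare it with the sidecar written at acquisition."""
    with open(out_path + "." + hash_name) as f:
        recorded = f.read().split()[0]
    h = hashlib.new(hash_name)
    with open(out_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == recorded


def send_bytes(host, port, data):
    """Stand-in for `dd if=... | nc host port` on the suspect side (test aid only)."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)


def acquire_locally(image_bytes, hash_name="md5"):
    """End-to-end demo on localhost: returns (size, digest, verified)."""
    work_dir = tempfile.mkdtemp(prefix="evidence-")
    out_path = os.path.join(work_dir, "disk1.dd")
    rx = EvidenceReceiver(out_path, port=0, bind_addr="127.0.0.1", hash_name=hash_name)
    outcome = {}
    t = threading.Thread(target=lambda: outcome.update(result=rx.run()))
    t.start()
    send_bytes("127.0.0.1", rx.port, image_bytes)
    t.join()
    size, digest = outcome["result"]
    return size, digest, verify_image(out_path, hash_name)


if __name__ == "__main__":
    # Constructed stand-in for a disk image; a real one would be gigabytes.
    print(acquire_locally(b"The quick brown fox jumps over the lazy dog"))
```

The receiver only proves that what arrived equals what was stored; it cannot prove that what arrived equals what was on the disk. For the non-live (live CD) procedure the same hash can be computed on the source side from trusted media, for example with `md5sum /dev/sda`, and the two values compared. For the live procedure the slide's caveat stands: the operating system producing the stream is untrusted, so the hash documents the image, not the disk.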
Filesystem analysis


• Many tools for this
  – EnCase (commercial)
  – The Sleuth Kit + forensics browser
  – ftimes
• Basic analysis tool functionality
   – file topography
   – compute hashes for files
   – create timeline analysis (MAC times: modified / accessed / created)
   – identify and recover deleted files
   – search functions
   – case management
Filesystem analysis


• The Sleuth Kit + forensics browser
Filesystem analysis


• EnCase 5
Timeline analysis - other sources


• LastWrite information in registry keys
   – use 'lsreg.pl' to parse registry and extract information
     including lastwrite data, for example:
       Key -> CurrentControlSet\Control\Windows\ShutdownTime
       LastWrite : Tue Aug 2 12:06:56 2005
       Value : ShutdownTime;REG_BINARY;c4 96 a0 ad 5a 97 c5 01

• INFO2 files
   – contains information about deleted files by each user (only if
     it goes to recycle bin)
   – use 'rifiuti' to extract information
   – file normally at C:\Recycler\%SID%\INFO2
Timeline analysis - other sources
• Prefetch folder
   – used by windows to store information about how to launch executables
     more efficiently, in order to improve performance
   – XP prefetches at boot time and application launch, 2003 prefetches only
     at boot time (default)
   – .pf files in %systemroot%/prefetch folder
   – the .pf contains information about file paths
   – the mac info of the .pf file gives us information about when an
     application has been launched
   – use 'pref' or 'pref_ver' to parse this info
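To show how the registry LastWrite data, the prefetch MAC times and ordinary file MAC times come together in one timeline, here is an added Python example (it is not code from the slides, and the tools named on the slides do it differently). It decodes the REG_BINARY ShutdownTime value quoted on the lsreg.pl slide as a Windows FILETIME and checks that it lands on the LastWrite date printed there, then merges it with constructed file records into a mactime-style listing, coalescing events that share a timestamp and a path. The prefetch file name, the hosts file timestamps and the HKLM\SYSTEM prefix on the key are this example's constructed or assumed values.

```python
"""Merge several timestamp sources into one sorted timeline, mactime-style.
The registry value is the ShutdownTime REG_BINARY from the lsreg.pl output on
the slide; the file MAC times are constructed sample records, not case data."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Decode a Windows FILETIME: little-endian 64-bit count of 100 ns ticks
    since 1601-01-01 UTC. Accepts bytes or the hex string lsreg.pl prints."""
    if isinstance(raw, str):
        raw = bytes.fromhex(raw.replace(" ", ""))
    ticks = int.from_bytes(raw, "little")
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def unix_to_datetime(secs):
    """NTFS stores UTC, so keep every event timezone-aware in UTC."""
    return datetime.fromtimestamp(secs, tz=timezone.utc)


# Registry values: (key, value name, REG_BINARY hex as printed by lsreg.pl).
REGISTRY_VALUES = [
    ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Windows", "ShutdownTime",
     "c4 96 a0 ad 5a 97 c5 01"),
]

# Constructed file records: (path, mtime, atime, ctime) as Unix seconds, UTC.
FILE_MAC_TIMES = [
    ("C:/WINDOWS/Prefetch/CMD.EXE-087B4001.pf", 1122980010, 1122980010, 1120000000),
    ("C:/WINDOWS/system32/drivers/etc/hosts", 1122979900, 1122980005, 1050000000),
]


def build_timeline(registry_values, file_mac_times):
    """Return sorted (time, flags, item) rows. Flags are m/a/c for file times and
    w for a registry LastWrite; events sharing time and item are coalesced."""
    merged = {}
    for key, name, hexval in registry_values:
        item = f"{key}\\{name}"
        merged.setdefault((filetime_to_datetime(hexval), item), set()).add("w")
    for path, mtime, atime, ctime in file_mac_times:
        for secs, flag in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            merged.setdefault((unix_to_datetime(secs), path), set()).add(flag)
    rows = []
    for (when, item), flags in merged.items():
        rows.append((when, "".join(f if f in flags else "." for f in "macw"), item))
    return sorted(rows)


def format_timeline(rows):
    """One line per event, oldest first, in the style of mactime output."""
    return [f"{when:%Y-%m-%d %H:%M:%S} {flags} {item}" for when, flags, item in rows]


if __name__ == "__main__":
    for line in format_timeline(build_timeline(REGISTRY_VALUES, FILE_MAC_TIMES)):
        print(line)
```

Two caveats a practitioner will want. First, every source must be normalised to the same clock before merging: registry FILETIMEs and NTFS timestamps are UTC, while FAT volumes and many application logs record local time, so convert those using the suspect machine's time zone setting (captured by the `date /t & time /t` step) rather than the workstation's. Second, a prefetch file's modification time shows when the application was last launched only on systems that prefetch at application launch, which the slide notes is the XP default and not the 2003 default.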
Timeline analysis - other sources


• Logs
   – event logs (application, system, security)
       • very useful, many tools to extract
   – IIS/webserver/FTP logs
        • useful to detect web application exploitation (maybe as point of entry), for
          example unicode attacks, sql injection, ...
   – setupapi.log
       • information about installation of applications and devices
   – schedlgu.txt
       • information about scheduled tasks
   – antivirus logs
   – ...
Timeline analysis - other sources


• Recently opened documents
   – check this registry key (for each user!)
       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

• Temp folders
   – examine contents for suspicious files
• Web browser cache
  – 'pasco' tool for internet explorer forensic analysis
  – cache and cookies folders
  – browser history
Analysis of evidence


• Need to find "footprints"
• Initial analysis
   – check for hidden or unusual files
   – check for unusual processes and open sockets
   – check for unusual application requests
   – check for suspicious accounts
   – determine patch level of system
• Based on findings, we should develop a strategy for further investigation
   – full filesystem analysis
   – recovery of deleted files
   – password cracking
   – analysis of pagefile
   – ...
Tools

•   These are the tools mentioned in this presentation
•   Feel free to add more to your toolkit
•   Script (vbscript, perl) your toolset!!
Licensing




FIST Conference @ www.fistconference.org




              Alfredo Reino
              Madrid, September 2005



       Thanks for your attention.

 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Forensics of a Windows system

• 6. Incident handling
  • General areas of incident handling
    – planning and preparation
    – incident detection
    – containment / response
    – recovery
    – analysis
• 7. Forensics scope and environment
  (layered diagram, innermost to outermost: applications, os, server, computerized systems, infrastructure systems, lan / dmz, external environment)
  Do you have all the relevant information?
• 8. Gathering data
  • Volatile data
    – registers, cache contents
    – memory contents
    – network connections
    – running processes
  • Non-volatile data
    – content of filesystems and drives
    – content of removable media
• 9. Volatile data - preparation
  • Create cd-rom with trusted toolset
    – at least include a trusted version of CMD.EXE from the same operating system
    – netcat or cryptcat (http://sourceforge.net/projects/cryptcat/)
    – system tools (ipconfig, netstat, date, time, net, arp ...) for different windows versions and service pack levels
    – pstools, listdlls, filemon, regmon, autoruns... (http://sysinternals.com)
    – hfind, fport, ntlast, ... (http://foundstone.com)
    – windows resource kit tools
    – a good sniffer (ethereal, windump, ...)
    – md5sum / md5deep
• 10. Volatile data - the set up
  • Connect forensics workstation to same lan as suspect server
  • Configure netcat or cryptcat in forensics workstation to listen on a port and save received data to evidence file
  • Mount trusted toolset cd-rom in suspect server
  • Open trusted console (the cmd.exe from the cd-rom) and send each tool's output to the listener through netcat, so that nothing is written to the suspect disk
• 11. Volatile data - what to get
  • System date and time
  • Running processes
  • Network connections
  • Open ports
  • Applications listening on open sockets
  • Logged on users
• 12. Volatile data - tools
  • date /t & time /t – get system date and time
  • ipconfig /all – get tcp/ip configuration
  • netstat -aon – get network connections and listening ports (with associated process pid)
  • psinfo -shd – get computer information (hardware, software, hotfixes, versions, etc.)
  • pslist -t – get running processes
• 13. Volatile data - tools
  • psloggedon – show logged on users and log on times
  • psloglist – dump event log
  • psservice – dump system service information
  • net use – list netbios/smb connections
  • listdlls – list all dlls loaded in system
  • sigcheck -u -e c:\windows\system32 – enumerate all unsigned files (.exe, .dll)
• 14. Volatile data - tools
  • streams -s c: – list files with alternate data streams (ads)
  • logonsessions -p – lists logged on sessions and processes running on each session
  • strings – searches for ascii/unicode strings in suspicious files (you decide which are suspicious or not!)
  • arp -a – displays arp cache table
  • ntlast – record successful and failed logins in system (including null sessions and remote logins)
• 15. Volatile data - tools
  • autorunsc – show all kinds of autorun items
  • hfind c: – finds hidden files
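The correlation slides 11 to 15 ask the examiner to do by eye (the PID column of netstat -aon against the pslist process table) is shown below as an added example; it is not part of the deck or of the Sysinternals tools. Both tool outputs are constructed sample text, not real evidence, and BASELINE (which process is expected to own which listening port on this build) is an assumption for the example. Run the real tools from the trusted cd-rom, and treat a socket whose PID has no pslist entry as a lead to confirm with tcpview or RootkitRevealer, not as a conclusion.

```python
"""Correlate `netstat -aon` listeners with the `pslist` process table.

Added example for this deck. NETSTAT_OUT and PSLIST_OUT are constructed sample
text (not real evidence); BASELINE is an assumed list of expected listeners.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local port foreign state pid")

# Constructed sample of `netstat -aon` on an XP/2003 host.
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1620
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1988
  TCP    10.0.0.5:1052          10.0.0.1:9000          ESTABLISHED     1704
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:31337          *:*                                    1620
"""

# Constructed sample of Sysinternals `pslist` taken on the same host at the same time.
PSLIST_OUT = """\
pslist v1.28 - Sysinternals PsList

Process information for SUSPECT:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:10:23.421     0:00:00.000
System                4   8  51  275      0     0:00:12.343     0:11:24.500
svchost             812   8  17  288   1532     0:00:00.250     0:11:10.000
svchost            1620   8   5   90    976     0:00:00.031     0:02:14.000
nc                 1704   8   1   32    348     0:00:00.015     0:00:03.000
"""

# (proto, port) -> process expected to own it on this build. Assumption for the example.
BASELINE = {("TCP", 135): "svchost", ("TCP", 445): "System", ("UDP", 445): "System"}


def parse_netstat(text):
    """Return one Socket per TCP/UDP line of `netstat -aon` output."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        port = int(local.rsplit(":", 1)[1])          # also works for [::]:port
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                                        # UDP lines have no State column
            state, pid = "LISTENING", int(parts[3])
        sockets.append(Socket(proto, local, port, foreign, state, pid))
    return sockets


def parse_pslist(text):
    """Map PID -> process name; data rows are the lines whose second field is numeric."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def unexpected_listeners(netstat_text, pslist_text, baseline=BASELINE):
    """Listening sockets whose (proto, port) -> owner pair is not in the baseline.

    A PID absent from pslist is reported as '<hidden>': the network stack sees the
    socket but the process list does not show its owner, which is what a process
    hidden by a user-mode rootkit looks like from the inside.
    """
    procs = parse_pslist(pslist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        if s.state != "LISTENING":
            continue
        owner = procs.get(s.pid, "<hidden>")
        if baseline.get((s.proto, s.port)) != owner:
            findings.append((s.proto, s.port, s.pid, owner))
    return findings


def established_connections(netstat_text, pslist_text):
    """Established TCP connections with their owning process (your own netcat will show up here)."""
    procs = parse_pslist(pslist_text)
    return [(s.local, s.foreign, s.pid, procs.get(s.pid, "<hidden>"))
            for s in parse_netstat(netstat_text) if s.state == "ESTABLISHED"]


if __name__ == "__main__":
    for proto, port, pid, owner in unexpected_listeners(NETSTAT_OUT, PSLIST_OUT):
        print(f"unexpected listener {proto}/{port:<5} pid={pid:<5} owner={owner}")
    for local, foreign, pid, owner in established_connections(NETSTAT_OUT, PSLIST_OUT):
        print(f"connection {local} -> {foreign} pid={pid} owner={owner}")
```

In the sample the examiner's own evidence channel (nc to 10.0.0.1:9000) appears in the established list; record it as yours rather than chasing it. The svchost on 4444/tcp and 31337/udp is flagged because the baseline does not expect that name on those ports, and 6666/tcp is flagged because no process claims PID 1988.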
• 16. Volatile data - GUI tools
  • rootkit revealer – detects usermode or kernelmode rootkits
  • process explorer – useful information about running processes, loaded libraries, used resources, etc.
  • tcpview – displays network connections and associated applications
• 17. Network information
  • Useful static data to get
    – IDS/IPS logs
    – firewall logs
    – radius/VPN logs
    – DHCP logs and leased ip information
    – application logs from other servers in same network if they are suspected of being entry point (ftp, www, database, ...)
• 18. Network information
  • Traffic to/from live system
    – use of sniffer recommended
    – can use ethernet probe (receive-only cat5 cable if possible!)
    – if server connected to hub, then plug probe into hub
    – if connected to switch, use a mirror port (on switches that have one) or use arp-spoofing to redirect traffic to sniffer (this alters the arp caches of the hosts involved, so document it)
    – best sniffer: ethereal
• 19. Filesystem acquisition
  • Physical acquisition
    – turn off machine (pull the power cable; a clean shutdown would write to the disk)
    – remove harddisk
    – connect to forensics workstation using hardware IDE/SCSI write blocker
    – perform bitwise copy
• 20. Filesystem acquisition
  • Network acquisition - live system
    – not recommended
      • untrusted operating system
      • filesystem in inconsistent state
    – configure forensics workstation
      • lots of free disk space
      • netcat listener (nc -l -p 9000 > disk1.dd)
      • after acquiring compute hash (md5sum disk1.dd > disk.md5)
    – acquire live filesystem
      • run 'dd for windows' from trusted cd-rom toolset
      • dd if=\\.\PhysicalDrive0 bs=2k | nc -w 3 10.0.0.1 9000
        – where 10.0.0.1 is the ip address of forensics workstation
• 21. Filesystem acquisition
  • Network acquisition - non-live system
    – configure forensics workstation
      • lots of free disk space
      • netcat listener (nc -l -p 9000 > disk1.dd)
      • after acquiring compute hash (md5sum disk1.dd > disk.md5)
    – configure suspect system
      • boot suspect system (losing volatile info!) into linux livecd distro (gentoo, helix, knoppix, ...)
      • run dd to image disk over network with netcat
        – dd if=/dev/sda | nc 10.0.0.1 9000
• 22. Filesystem analysis
  • Many tools for this
    – EnCase (commercial)
    – The Sleuth Kit + forensics browser
    – ftimes
  • Basic analysis tool functionality
    – file topography
    – compute hashes for files
    – create timeline analysis (mac data)
    – identify and recover deleted files
    – search functions
    – case management
• 23. Filesystem analysis
  (screenshot: The Sleuth Kit + forensics browser)
• 25. Timeline analysis - other sources
  • LastWrite information in registry keys
    – use 'lsreg.pl' to parse registry and extract information including lastwrite data
        Key -> CurrentControlSet\Control\Windows\ShutdownTime
        LastWrite : Tue Aug 2 12:06:56 2005
        Value : ShutdownTime;REG_BINARY;c4 96 a0 ad 5a 97 c5 01
  • INFO2 files
    – contains information about deleted files by each user (only if it goes to recycle bin)
    – use 'rifiuti' to extract information
    – file normally at C:\Recycler\%SID%\INFO2
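Both sources on this slide store their timestamps as 64-bit FILETIME values (100-nanosecond ticks since 1601-01-01, UTC). The added example below, which is not the deck's lsreg.pl or rifiuti, decodes the REG_BINARY value shown on the slide and parses an INFO2 index. The ShutdownTime bytes decode to Tue Aug 2 12:06:56 2005 UTC, matching the slide; since registry and INFO2 FILETIMEs are UTC, convert them to the system's local zone before placing them next to local-time log entries. The INFO2 record layout (20-byte header with the record size at offset 12, then 800-byte records) follows the format documented for rifiuti for Windows 2000/XP/2003; the INFO2 sample is constructed in memory and is not real evidence.

```python
"""Decode FILETIME timestamps from registry values and the recycle bin INFO2 index.

Added example for this deck, not its tooling. SAMPLE_RECORDS / SAMPLE_INFO2 are
constructed test data; the INFO2 layout is the 2000/XP/2003 one (version 5).
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def ticks_to_datetime(ticks):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (integer arithmetic, no float)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_ticks(when):
    td = when - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def reg_binary_filetime(hexdump):
    """Decode a REG_BINARY FILETIME as lsreg prints it: 'c4 96 a0 ad 5a 97 c5 01'."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return ticks_to_datetime(struct.unpack("<Q", raw)[0])


# INFO2 (2000/XP/2003): header then fixed-size records, all little-endian.
INFO2_HEADER = struct.Struct("<IIIII")         # version, unknown, unknown, record size, total size
INFO2_RECORD = struct.Struct("<260sIIQI520s")   # ansi path, index, drive, deleted FILETIME, size, unicode path


def build_info2(records):
    """Construct an INFO2 image from (index, drive_number, deleted_utc, size, path) tuples."""
    body = b"".join(
        INFO2_RECORD.pack(path.encode("ascii").ljust(260, b"\x00"), index, drive,
                          datetime_to_ticks(deleted), size,
                          path.encode("utf-16-le").ljust(520, b"\x00"))
        for index, drive, deleted, size, path in records)
    return INFO2_HEADER.pack(5, 0, len(records), INFO2_RECORD.size, len(body)) + body


def parse_info2(data):
    """Return one dict per record, including the name the file has inside C:\\Recycler\\<SID>\\."""
    version, _, _, rec_size, _ = INFO2_HEADER.unpack_from(data, 0)
    if version != 5 or rec_size != INFO2_RECORD.size:
        raise ValueError(f"unsupported INFO2 version {version} / record size {rec_size}")
    entries = []
    for off in range(INFO2_HEADER.size, len(data) - rec_size + 1, rec_size):
        ansi, index, drive, ticks, size, uni = INFO2_RECORD.unpack_from(data, off)
        path = uni.decode("utf-16-le").split("\x00", 1)[0]
        if not path:                       # older records carry only the ANSI path
            path = ansi.split(b"\x00", 1)[0].decode("latin-1")
        letter = chr(ord("A") + drive)     # drive number 2 -> C
        entries.append({
            "index": index,
            "drive": letter,
            "deleted": ticks_to_datetime(ticks),
            "size": size,
            "path": path,
            # XP renames a recycled file to D<drive letter><index><original extension>
            "recycled_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
        })
    return entries


# Constructed sample: two deletions from drive C by one user (not real evidence).
SAMPLE_RECORDS = [
    (1, 2, datetime(2005, 8, 1, 9, 30, 0, tzinfo=timezone.utc), 4096,
     r"C:\Documents and Settings\alice\My Documents\secret.xls"),
    (2, 2, datetime(2005, 8, 2, 11, 58, 12, tzinfo=timezone.utc), 61440,
     r"C:\WINDOWS\system32\nc.exe"),
]
SAMPLE_INFO2 = build_info2(SAMPLE_RECORDS)


if __name__ == "__main__":
    shutdown = reg_binary_filetime("c4 96 a0 ad 5a 97 c5 01")
    print("ShutdownTime:", shutdown.strftime("%a %b %d %H:%M:%S %Y"), "UTC")
    for e in parse_info2(SAMPLE_INFO2):
        print(e["deleted"].isoformat(), e["recycled_name"], "<-", e["path"], e["size"])
```

The recycled_name is what you will find in the user's Recycler folder on the disk image; the INFO2 record is what links it back to the original path and the deletion time, which is why an emptied bin (INFO2 rewritten) still leaves the Dc-files recoverable by carving but without that link.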
• 26. Timeline analysis - other sources
  • Prefetch folder
    – used by windows to store information about how to effectively launch executables to improve performance
    – XP prefetches at boot time and application launch, 2003 prefetches only at boot time (default)
    – .pf files in %systemroot%\prefetch folder
    – the .pf contains information about file paths
    – the mac info of the .pf file gives us information about when an application has been launched: the file is rewritten on every run, so its modification time is the last launch and its creation time the first one
    – use 'pref' or 'pref_ver' to parse this info
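An added example, not the deck's pref/pref_ver scripts, that reads the executable name, embedded last-run time and run count from a .pf header and lines the files up as a launch timeline. The offsets used (version 0x11 for XP/2003: name at 0x10, last run at 0x78, run count at 0x90) are taken from public descriptions of the format and are an assumption of this example; the version 0x17 layout goes beyond the deck and is included only to show the same code covers a later Windows. The sample .pf files and their hash suffixes are constructed in memory. The check it adds to the slide: the .pf modification time should be at or shortly after the embedded last-run time, so an mtime earlier than the embedded time is a sign the file time was altered.

```python
"""Parse prefetch (.pf) headers and build an application-launch timeline.

Added example for this deck. Offsets are assumed from public format descriptions
(version 0x11 = XP/2003, 0x17 = Vista/7); SAMPLE_PF_FILES is constructed data.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> offsets of the embedded last-run FILETIME and the run counter
PF_LAYOUT = {0x11: {"last_run": 0x78, "run_count": 0x90},
             0x17: {"last_run": 0x80, "run_count": 0x98}}
PF_NAME_OFFSET, PF_NAME_BYTES = 0x10, 60       # executable name, UTF-16LE, NUL terminated


def ticks_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_ticks(when):
    td = when - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_prefetch(blob):
    """Return exe name, format version, embedded last-run time (UTC) and run count."""
    version, = struct.unpack_from("<I", blob, 0)
    if blob[4:8] != b"SCCA" or version not in PF_LAYOUT:
        raise ValueError(f"not a supported prefetch file (version 0x{version:x})")
    raw_name = blob[PF_NAME_OFFSET:PF_NAME_OFFSET + PF_NAME_BYTES]
    name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    lay = PF_LAYOUT[version]
    ticks, = struct.unpack_from("<Q", blob, lay["last_run"])
    count, = struct.unpack_from("<I", blob, lay["run_count"])
    return {"exe": name, "version": version,
            "last_run": ticks_to_datetime(ticks), "run_count": count}


def build_prefetch(exe, last_run, run_count, version=0x11):
    """Construct a minimal .pf header for the example (sample data, not a real file)."""
    lay = PF_LAYOUT[version]
    blob = bytearray(lay["run_count"] + 4)
    struct.pack_into("<I", blob, 0, version)
    blob[4:8] = b"SCCA"
    struct.pack_into("<I", blob, 0x0C, len(blob))              # file size field
    name = exe.encode("utf-16-le")
    blob[PF_NAME_OFFSET:PF_NAME_OFFSET + len(name)] = name
    struct.pack_into("<Q", blob, lay["last_run"], datetime_to_ticks(last_run))
    struct.pack_into("<I", blob, lay["run_count"], run_count)
    return bytes(blob)


def launch_timeline(pf_files):
    """pf_files: {filename: (blob, mtime_utc)} -> rows sorted by embedded last-run time.

    'suspicious' is set when the filesystem mtime is earlier than the embedded
    last-run time, an ordering that does not occur naturally because the .pf is
    rewritten at each launch. Heuristic chosen for this example.
    """
    rows = []
    for fname, (blob, mtime) in pf_files.items():
        info = parse_prefetch(blob)
        rows.append({"file": fname, "exe": info["exe"], "last_run": info["last_run"],
                     "run_count": info["run_count"], "mtime": mtime,
                     "suspicious": mtime < info["last_run"]})
    rows.sort(key=lambda r: r["last_run"])
    return rows


# Constructed sample: two .pf files plus the mtime read from the filesystem (UTC).
# The 8-hex-digit suffixes are made up, not real prefetch hashes.
SAMPLE_PF_FILES = {
    "NOTEPAD.EXE-00000001.pf": (
        build_prefetch("NOTEPAD.EXE", datetime(2005, 8, 2, 8, 15, 0, tzinfo=timezone.utc), 14),
        datetime(2005, 8, 2, 8, 15, 11, tzinfo=timezone.utc)),
    "NC.EXE-00000002.pf": (
        build_prefetch("NC.EXE", datetime(2005, 8, 2, 11, 58, 40, tzinfo=timezone.utc), 3),
        datetime(2005, 7, 30, 10, 0, 0, tzinfo=timezone.utc)),   # mtime before last run
}


if __name__ == "__main__":
    for r in launch_timeline(SAMPLE_PF_FILES):
        flag = " <-- mtime earlier than embedded last run" if r["suspicious"] else ""
        print(f'{r["last_run"].isoformat()} {r["exe"]:<14} runs={r["run_count"]:<3}'
              f' mtime={r["mtime"].isoformat()}{flag}')
```

On a real image, read each .pf from %systemroot%\prefetch with its modification and creation times from the filesystem timeline, and remember that a 2003 server with default settings will only have boot-time prefetch entries, so an absent .pf there says nothing about whether a program ran.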
• 27. Timeline analysis - other sources
  • Logs
    – event logs (application, system, security)
      • very useful, many tools to extract
    – IIS/webserver/FTP logs
      • useful to detect webapp exploiting (maybe as point of entry), for example unicode attacks, sql injection, ...
    – setupapi.log
      • information about installation of applications and devices
    – schedlgu.txt
      • information about scheduled tasks
    – antivirus logs
    – ...
• 28. Timeline analysis - other sources
  • Recently opened documents - check this registry key (for each user!)
      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    (RunMRU holds the Run dialog history; recently opened documents are under the sibling RecentDocs key)
  • Temp folders
    – examine contents for suspicious files
  • Web browser cache
    – 'pasco' tool for internet explorer forensic analysis
    – cache and cookies folders
    – browser history
• 29. Analysis of evidence
  • Need to find "footprints"
  • Initial analysis
    – check for hidden or unusual files
    – check for unusual processes and open sockets
    – check for unusual application requests
    – check for suspicious accounts
    – determine patch level of system
  • Based on findings, we should develop a strategy for further investigation
    – full filesystem analysis
    – recovery of deleted files
    – password cracking
    – analysis of pagefile
    – ...
• 30. Tools
  • These are the mentioned tools in this presentation
  • Feel free to add more to your toolkit
  • Script (vbscript, perl) your toolset!!
• 32. FIST Conference @ www.fistconference.org
  Alfredo Reino
  Madrid, September 2005
  Thanks for your attention.