computer forensics

forensic3e_ppt_ch08.pptx

System Forensics, Investigation, and Response

Lesson 8

Windows Forensics

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Summarize various types of digital forensics.


Key Concepts

Windows details

Evidence in volatile data

Windows swap file

Windows logs and directories

Windows Registry


History of Windows


Windows 3.1 (released in 1992)—Though earlier versions of Windows had been in existence since 1985, this version became widely popular. At that time, Windows was a graphical user interface (GUI), and not really an operating system. The operating system was the Disk Operating System (DOS).

Windows 95—The underlying operating system and the graphical user interface were fused into one single, coherent product. Shortly after the release of Windows 95, Windows NT 4.0 was released for servers and professionals.

Windows 2000—Considered a major improvement in the Windows line. Rather than separate NT and Windows lines, there were simply different editions of Windows 2000, including those for home users, for professional users, and for servers. The differences among the editions were primarily in the features available and the capacity, such as how much random access memory (RAM) could be addressed. With the release of Windows 2000, Microsoft began to recommend NTFS over FAT32 as a file system.

7/2/2017


Slide timeline: Windows 3.x; Windows 95/NT; Windows 98/2000

History of Windows (Cont.)


Windows XP and Windows Server 2003—Marked a return to having a separate server and desktop system. The interface was not very different, but there were structural improvements.

Windows Vista and Windows 7—Had feature changes and additional capabilities over XP, but essentially the interface was moderately tweaked with each version. The same can be said of Windows Server 2008. Someone comfortable with Windows Server 2003 would have no problem working with Windows Server 2008.

Windows 8—Was a radical change. Even though the desktop looks much like Windows 7, the operating system is meant to be more like that of a tablet.


Slide timeline: Windows XP/Server 2003; Windows Vista/Windows 7/Server 2008; Windows 8/Server 2012

History of Windows (Cont.)


Windows 10

Cortana

Edge browser

Universal apps

Issues Pertinent to Forensics

Does the Windows version in question support 64-bit processing?

Does it have a firewall? If so, is the firewall automatically on?

Does the version of Windows support the Encrypted File System (EFS)?


Windows Details


32-bit (referred to as x86)

Addresses up to 4,294,967,295 bytes

Limited to 4 gigabytes (GB) of RAM

64-bit (referred to as x64)

Addresses up to 18,446,744,073,709,551,616 bytes

Windows Boot Process


The BIOS conducts the power-on self test (POST). This is when the system’s BIOS checks to see if the drives, keyboard, and other key items are present and working. This occurs before any operating system components are loaded.

Computer reads the master boot record (MBR) and partition table.

MBR locates boot partition. This is the partition that has the operating system on it.

MBR passes control to boot sector on boot partition.

Boot sector loads NTLDR (the NT loader). It is the first part of the Windows operating system and responsible for preparing and loading the rest of the operating system.

Note that if instead of being shut down, Windows has been put in the hibernation state, the contents of hiberfil.sys are loaded into memory and the system resumes at the previous state.

NTLDR switches the processor from real mode to 32-bit or 64-bit protected mode, depending on the system. Real mode is the default for x86 systems at power-on. It provides no support for memory protection, multitasking, or code privilege levels.

NTLDR starts minimal file system drivers (FAT, FAT32, NTFS).

NTLDR reads boot.ini and displays the boot loader menu. If there are multiple operating systems, they will be displayed.

NTLDR loads NTOSKRNL and passes hardware information to it. NTOSKRNL is the actual kernel of the Windows operating system. This is the end of the boot phase and the beginning of the load phase.

NTLDR loads hal.dll (hardware abstraction layer).

NTLDR loads the system hive (i.e., the Registry) and reads in settings from it.

Kernel initialization begins (screen turns blue).

Services load phase begins.

Win32 subsystem start phase begins.

User logs on.


Slide diagram: BIOS (POST, read MBR); Boot Loader (loads NTLDR, switches to 32- or 64-bit); Boot Files (minimal drivers, boot.ini, NTOSKRNL)

Windows Boot Process (Cont.)



Slide diagram (continued): Boot Files (hal.dll, Windows Registry); Kernel Loading; Win32 Subsystem Starts

Important Files


Ntdetect.com—A program that queries the computer for basic device/config data like time/date from CMOS, system bus types, disk drives, ports, and so on

Ntbootdd.sys—A storage controller device driver

Ntoskrnl.exe—The core of the operating system

Hal.dll—An interface for hardware

Smss.exe—A program that handles services on your system

Winlogon.exe—The program that logs you on

Lsass.exe—The program that handles security and logon policies

Explorer.exe—The interface the user interacts with, such as the desktop, Windows Explorer, and so on

Csrss.exe—The program that handles tasks like creating threads, console windows, and so forth


Volatile Memory

Live system forensic technique in which you:

Collect a memory dump

Compute the hash

Perform analysis in an isolated environment


With volatile memory analysis, you establish:

A trusted command shell

A data collection system and a method for transmitting the data

 

The steps in volatile memory analysis are as follows:

Acquire a physical memory dump of the compromised system and transmit it to the data collection system for analysis. VMware allows you to simply suspend the virtual machine and use the .vmem file as a memory image.

Compute the hash after you complete the memory capture. You don’t need to calculate a hash before data acquisition. Due to the volatile nature of running memory, the imaging process involves taking a snapshot of a “moving target.”

Analyze the evidence on the collection system. Unlike live response, you don’t need any additional evidence from the compromised system.

Justify the validity of the acquired memory data (essential when producing digital data from a live system as evidence in court). One common approach is to acquire volatile memory data in a dump file for offline examination. You can then analyze the dump electronically or manually in its static state.
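The hash-after-capture and later verification steps above, as an added example in Python (not code from the slides): it hashes a constructed stand-in for a memory image in chunks, records the hash with acquisition metadata, and re-verifies the image on the analysis side. The image name, case identifier and record fields are assumptions.

```python
"""Hash a memory image after acquisition and verify it on the analysis system."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-gigabyte dumps fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image_path, case_id, examiner):
    """Build the chain-of-custody record for a freshly captured image.

    The hash is computed only *after* capture: live memory keeps changing while
    it is read, so there is no stable 'before' state that could be hashed."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "hashed_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image_path, record):
    """Re-hash the image on the collection/analysis system and compare."""
    return sha256_file(image_path) == record["sha256"]


def demo():
    """Constructed stand-in for a captured .vmem file (not a real dump)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "suspect.vmem")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"MZ" + os.urandom(1024))
        rec = record_acquisition(img, "CASE-0001", "examiner")
        ok_before = verify_image(img, rec)
        # Simulate a single-byte change to the copy handed to analysis.
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"\x01")
        ok_after = verify_image(img, rec)
        return ok_before, ok_after, rec


if __name__ == "__main__":
    ok_before, ok_after, rec = demo()
    print(json.dumps(rec, indent=2))
    print("verified before change:", ok_before, "after change:", ok_after)
```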

 

 


Offline vs. Volatile Data Analysis

Offline Data Analysis | Volatile Data Analysis
Nonvolatile data | Volatile data
Isolation is relatively easy for an experienced specialist | Isolation is difficult
Repeatable | Not repeatable
Uses no software that existed on the system during the time frame of the investigation | Uses software that existed on the system during the time frame of the investigation


Toolkits are available for collecting volatile memory data. These automated programs run on live systems and collect transient memory data. A major drawback of these tools is that they rely on the underlying operating system. Running them on a compromised system could affect the collected data’s reliability.

Maintaining data consistency is a problem with live system forensics in which data is not acquired at a unified moment. If a system is running, it is impossible to freeze the machine’s state in the course of data acquisition. Even the most efficient method introduces a time difference between the moment you acquire the first bit and the moment you acquire the last bit.


Volatile Memory (cont.)


When dumping memory, keep in mind that there are actually two types of memory:

Stack (S)—Allocated based on the last-in, first-out (LIFO) principle. While the program is running, program variables reuse the memory allocated to the stack area again and again. This segment is the most dynamic area of the process's memory. The data within this segment is transient and shaped by the program's successive function calls.

Heap (H)—A process may use a memory allocator such as malloc to request dynamic memory. When this happens, the address space of the process expands. The data in the heap area can exist between function calls. The memory allocator may reuse memory that has been released by the process. Therefore, heap data is less stable than the data in the data segment.


Live Forensics Tools

PsList—processes

PsInfo—operating system details

ListDLLs—loaded DLLs

PsLoggedOn—login information

netstat—network connections


PsList

Used with permission from Microsoft


Use PsList to view process and thread statistics on a system. Running PsList lists all running processes on the system. However, it does not reveal the presence of a rootkit or any processes the rootkit has hidden. PsList is part of the PsTools suite, available as a free download.


PsInfo

Used with permission from Microsoft


This tool is also from the PsTools suite. It can tell you system uptime (time since last reboot), operating system details, and other general information about the system. This is good background information to put into your forensic report.


ListDLLs

Used with permission from Microsoft


ListDLLs allows you to view the currently loaded dynamic-link libraries (DLLs) for a process. Running ListDLLs lists the DLLs loaded by all running processes. However, ListDLLs cannot show the DLLs loaded for hidden processes. A common attack involves using a Trojan horse to compromise a program or system DLL. So this tool can be important to your forensic investigation. It is available online for free.


PsLoggedOn

Used with permission from Microsoft


PsLoggedOn helps you discover users who have logged on both locally and remotely. Most importantly, it tells you who is logged on to shares on the current machine. This is also part of the PsTools suite available from Microsoft TechNet.


Netstat

Used with permission from Microsoft


This utility is important in checking live system data. Netstat is a command-line tool that displays both incoming and outgoing network connections. It also displays routing tables and a number of network interface statistics. It is available on UNIX, UNIX-like, and Windows-based operating systems.

Use the Netstat utility to view the network connections of a running machine. Running Netstat with the -an option shows all ports, lists what each is doing (listening or connected), and presents them in numerical form. This can be useful information in your forensic analysis, particularly if the suspected crime involves spyware or a botnet.


Other Live Forensics Tools


FPort is a free tool that is now distributed by McAfee. FPort allows you to view all open TCP and UDP ports and maps them to specific processes. This lets you know which process is using which port. This tool is similar in function to running netstat -an.

 

Userdump is a command-line tool for dumping basic user info from Windows-based systems. With Userdump, you can extract the memory dumps of running processes for offline analysis. This is a free downloadable tool from Microsoft. This tool is used primarily to dump data to an external file, so you need to specify where to dump the data.

 

PTFinder is a Perl script memory analysis tool that supports analysis of multiple Windows operating system versions. It enumerates processes and threads in a memory dump. It uses a brute-force approach to enumerating the processes and applies various rules to determine whether a candidate is a legitimate process structure or just bytes. Although this tool does not reveal anything new in terms of malware, it does make the results repeatable, which is an important benefit in volatile memory analysis. The No Threads option on PTFinder provides a list of only the processes found in a memory dump. PTFinder can also emit its results in an open source graph description language that provides a visual representation of the relationships between threads and processes.
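The netstat -an view and the FPort-style port-to-process mapping described above, as an added Python example (not code from the slides or from either tool): it parses output in the shape of Windows "netstat -ano", which adds the PID column, and groups bound ports by process. The sample output, PIDs and addresses are constructed.

```python
"""Parse `netstat -ano` output and map bound ports to processes."""
from collections import defaultdict

# Constructed sample output (not a real capture); PIDs and addresses are made up.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.7:8443       ESTABLISHED     3120
  TCP    192.168.1.20:49800     93.184.216.34:443      ESTABLISHED     2240
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:5355           *:*                                    1528
"""


def split_endpoint(ep):
    """'192.168.1.20:49712' -> ('192.168.1.20', 49712); handles '[::]:135' and '*:*'."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, banner and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP rows carry a State column; UDP rows do not, so the PID shifts left.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local_host": lhost, "local_port": lport,
                      "foreign_host": fhost, "foreign_port": fport,
                      "state": state, "pid": int(pid)})
    return conns


def listening_ports(conns):
    """FPort-style view: pid -> set of (proto, port) the process has bound."""
    by_pid = defaultdict(set)
    for c in conns:
        if c["proto"] == "UDP" or c["state"] == "LISTENING":
            by_pid[c["pid"]].add((c["proto"], c["local_port"]))
    return dict(by_pid)


def established(conns):
    """Active sessions to correlate against the PsList process listing."""
    return [(c["pid"], c["foreign_host"], c["foreign_port"])
            for c in conns if c["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for pid, ports in sorted(listening_ports(conns).items()):
        print("PID", pid, "bound:", sorted(ports))
    for row in established(conns):
        print("ESTABLISHED pid=%d -> %s:%s" % row)
```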


Windows Swap File

A special place on the hard disk where items from memory can be temporarily stored for fast retrieval

Used to end in a .swp extension; since Windows XP, called pagefile.sys

Typically found in Windows root directory

Often referred to as virtual memory


Windows Log Files

Files that contain information about events and other activities that occur in Windows

Event Viewer used to view log files


All versions of Windows support logging, although the method to get to the log can vary from one version to another. With Windows 10 and Windows Server 2012, you find the logs as follows:

Click on the Start button in the lower-left corner of the desktop.

Click the Control Panel.

Select Administrative Tools.

Select Event Viewer.

 


Windows Log Files


Security log has both successful and unsuccessful logon events; probably the most important log from a forensic point of view

Application log contains various events logged by applications or programs; many applications record their errors here

System log contains events logged by Windows system components, including events like driver failures; not as interesting from a forensic perspective as the other logs

ForwardedEvents log is used to store events collected from remote computers; has data in it only if event forwarding has been configured

Applications and Services logs are used to store events from a single application or component rather than events that might have systemwide impact


Event Viewer


Windows Directories/Folders

C:\Windows documents and settings

C:\users

C:\Program Files

C:\Program Files (x86)

C:\Users\username\Documents


Certain directories in Windows are more likely than others to contain evidence. Although there are many directories on a computer, the following are the most forensically interesting:

C:\Windows documents and settings—This folder is the default location to save documents. Even though a criminal can save documents anywhere on the computer, it is a good idea to check this folder.

C:\users—This includes user profile information, documents, pictures, and more for all users, not just the one currently logged on.

C:\Program Files—By default, programs are installed in subdirectories of this directory.

C:\Program Files (x86)—In 64-bit systems, 32-bit programs are installed here.

C:\Users\username\Documents—The current user’s Documents folder. This is a very important place to look for evidence.

 

It is important to complete a general search of the entire suspect drive—not just these specific folders and directories.


UserAssist

Used with permission from Microsoft


UserAssist is a feature of Windows 2000 and later that tracks what happens on the computer, including programs launched. Unless it is disabled, there will be a record of everything done on that computer. This information is encrypted and stored in the Registry. The free UserAssist tool allows you to find out more.


Unallocated/Slack Space


Files stored on disk (archives, files, folders, etc.)

Host protected area (HPA) or vendor-specific drive space (recovery volumes, etc.)

Master boot record (MBR) where empty drive sectors remain

Boot sectors in nonbootable partitions

To find relevant data only in the unallocated space, search the unallocated space for keywords.

Tools such as AccessData’s Forensic Toolkit (FTK) allow an investigator to take an entire image and try to identify all of the documents in the file system, including the unallocated space.

To search the entire disk many times over, tools such as FTK can help you build a full-text index. Full-text indexing allows you to build a binary tree-based dictionary of all the words that exist in an image, and you can search the entire image for those words in seconds.


Alternate Data Streams (ADS)

A method of attaching one file to another file, using the NTFS file system

A feature of NTFS that contains metadata for locating a specific file by some criterion, like title

What are the risks associated with ADS?


Alternate data streams may be used by clever criminals to hide things on the target computer. Alternate data streams are essentially a method of attaching one file to another file, using the NTFS file system. A number of tools are available that will detect whether files are attached via alternate data streams. One of the most widely known is List Alternate Data Streams (a free download).


Index.dat

Used by Microsoft Internet Explorer

Stores:

Web addresses

Search queries

Recently opened files


Even if the suspect’s browsing history has been erased, it is still possible to retrieve it if he or she was using Microsoft Internet Explorer. Internet Explorer uses index.dat to store Web addresses, search queries, and recently opened files. So if a file is on a universal serial bus (USB) device but was opened on the suspect machine, index.dat would contain a record of that file.

You can download a number of tools from the Internet that will allow you to retrieve and review the index.dat file.


Window Washer

Courtesy of Eusing Software


Window Washer is an example of one tool that enables you to retrieve and review the index.dat file.


Windows Files and Permissions

When copying and pasting on the same partition, files and folders inherit the rights of the folder they are being copied to.

When cutting and pasting (moving), files and folders retain the original permissions if they are on the same partition.


Windows Files and Permissions (Cont.)

MAC refers to three critical properties:

File modified

File accessed

File created


File modified: This date shows there has been a change to the file itself.

File accessed: This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by antivirus scanners or Windows system processes.

File created: This is the date the file was “created” on the volume. This does not change when working normally with a file, such as opening, closing, saving, or modifying the file.

These date/time stamps can be important forensically. For example, if the modified date for an image is later than the created date, then that image has been edited.
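The modified-versus-created rule above, carried through as an added Python example (not code from the slides) that goes one step further: because the created stamp records creation on this volume, a modified time earlier than the created time is what a file copied in from elsewhere looks like, and an accessed time earlier than the modified time cannot arise from normal use. The timestamp export format and the file records are constructed.

```python
"""Interpret MAC (modified/accessed/created) timestamps from a file-system export."""
from datetime import datetime


def parse_ts(s):
    """Timestamps as a forensic tool might export them, e.g. '2017-07-02 11:00:00'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def assess_mac(modified, accessed, created):
    """Return observations about one file's MAC stamps.

    Slide rule: modified later than created means the file was edited after it
    appeared on this volume. Because 'created' is the creation time on *this*
    volume while a copy keeps the source's modified time, modified earlier than
    created is consistent with the file having been copied in from elsewhere."""
    m, a, c = parse_ts(modified), parse_ts(accessed), parse_ts(created)
    notes = []
    if m > c:
        notes.append("edited after creation on this volume")
    elif m < c:
        notes.append("modified before created: consistent with a copy from another volume")
    else:
        notes.append("unchanged since creation")
    if a < m:
        # Normal use cannot modify a file without accessing it: either last-access
        # updates are disabled (the NTFS default since Vista) or the stamps were altered.
        notes.append("accessed earlier than modified: last-access updates disabled or stamps altered")
    return notes


# Constructed sample export (not real evidence): name, modified, accessed, created
SAMPLE = [
    ("photo1.jpg", "2017-07-02 11:00:00", "2017-07-02 11:00:00", "2017-07-01 10:00:00"),
    ("photo2.jpg", "2016-01-15 09:30:00", "2017-07-03 08:00:00", "2017-07-03 08:00:00"),
    ("photo3.jpg", "2017-07-01 10:00:00", "2017-07-01 10:00:00", "2017-07-01 10:00:00"),
    ("notes.txt",  "2017-07-02 12:00:00", "2017-07-01 09:00:00", "2017-07-01 09:00:00"),
]


def triage(rows):
    """Map each file name to its list of observations."""
    return {name: assess_mac(m, a, c) for name, m, a, c in rows}


if __name__ == "__main__":
    for name, notes in triage(SAMPLE).items():
        print(name, "->", "; ".join(notes))
```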


Windows Registry


The Windows Registry is a repository of all the information on a Windows system. For example, the configuration settings for a newly installed program are stored in the Registry. Among other things, the Registry:

Includes information about the computer’s hardware configuration

Allows the operating system to keep multiple hardware configurations

Allows multiple users with individual preferences

Includes program shortcut menus and property sheets

Supports remote administration through the network

 


Windows Registry


The usual way to get to the Registry is through the tool regedit. In Windows 10 and Server 2012, you select Start, then Run, then type in regedit. In Windows 8, you need to go to the applications list and select All Apps then find regedit.

 


Windows Registry Hives

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_USER (HKCU)

HKEY_LOCAL_MACHINE (HKLM)

HKEY_USERS (HKU)

HKEY_CURRENT_CONFIG (HKCC)


Five Windows Registry hives:

HKEY_CLASSES_ROOT (HKCR)

This hive stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.

HKEY_CURRENT_USER (HKCU)

This hive is very important to any forensic investigation. It stores information about the currently logged-on user, including desktop settings, user folders, and so forth.

HKEY_LOCAL_MACHINE (HKLM)

This hive can also be important to a forensic investigation. It contains those settings common to the entire machine, regardless of the individual user.

HKEY_USERS (HKU)

This hive is very critical to forensic investigations. It has profiles for all the users, including their settings.

HKEY_CURRENT_CONFIG (HKCC)

This hive contains the current system configuration. This might also prove useful in your forensic examinations.


Importance of Examining Windows Registry


USB devices

The Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR lists USB storage devices that have been connected to the machine. It is often the case that a criminal will move evidence or exfiltrate other information to an external device and take it with him or her. This Registry key tells you about the external drives that have been connected to this system.

Wireless networks

The Registry stores passphrases for accessing wireless networks. When an individual connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection. This information can be found in the Registry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key.

Tracking Word documents

It is possible to track Word documents in the Registry. Many versions of Word store a PID_GUID value in the Registry, for example, something like: {123A8B22-622B-14C4-84AD-00D1B61B03A4}. The string 00D1B61B03A4 is the MAC address of the machine on which this document was created.

Malware

Malware may be found in the Registry. The key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon has a value named Shell whose default data is Explorer.exe. This tells the system to launch Windows Explorer when the logon is completed. Some malware appends the malware executable to this default data so that the malware loads every time the system starts. It is important to check this Registry setting if you suspect malware is an issue. The key HKLM\SYSTEM\CurrentControlSet\Services\ lists system services. Several types of malware install as a service, particularly backdoor software. Be sure to also check this key if you suspect malware is an issue.

Uninstalled software

The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall key lets you see all the software that has been uninstalled from this machine.

Passwords

If the user tells Internet Explorer to remember passwords, then those passwords are stored in the Registry and you can retrieve them. The following key holds these values:

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW

ShellBag

This entry can be found at HKCU\Software\Microsoft\Shell\Bags. ShellBag entries indicate that a given folder was accessed, not a specific file. This Windows Registry key is of particular interest in child pornography investigations.

Prefetch

See next slide.
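Three of the Registry checks above (the Winlogon Shell value, USBSTOR device entries and the MAC address inside a Word PID_GUID), as an added Python example that is not code from the slides. On a live system these values would be read with winreg and on an image with a hive parser; to run anywhere, the values here are a constructed dict keyed by (key path, value name). The Word key path is a placeholder because the slides do not give it, and the USBSTOR subkey naming (Disk&Ven_...&Prod_...&Rev_...) and the version-1 GUID check are facts beyond the slides.

```python
"""Detection checks over Registry values described in the Windows Registry slides."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USBSTOR = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
WORD_KEY = "<placeholder: Word key holding PID_GUID>"  # path not given on the slides

# Constructed sample values keyed by (key path, value name); not from a real system.
SAMPLE = {
    (WINLOGON, "Shell"): "Explorer.exe, C:\\Users\\Public\\svc_update.exe",
    (USBSTOR, "__subkeys__"): [
        "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00",
        "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP",
    ],
    (WORD_KEY, "PID_GUID"): "{123A8B22-622B-14C4-84AD-00D1B61B03A4}",
}


def check_winlogon_shell(values):
    """Return every program in the Shell value other than explorer.exe.

    The default data is exactly 'Explorer.exe'; anything appended after a comma
    is launched at every logon and deserves a closer look."""
    shell = values.get((WINLOGON, "Shell"), "")
    extras = []
    for entry in shell.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "explorer.exe":
            extras.append(entry)
    return extras


USB_RE = re.compile(r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")


def usb_devices(values):
    """Parse USBSTOR subkey names into vendor/product/revision records."""
    out = []
    for name in values.get((USBSTOR, "__subkeys__"), []):
        m = USB_RE.match(name)
        if m:
            out.append(m.groupdict())
    return out


GUID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
                     r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$")


def mac_from_pid_guid(guid):
    """Recover the MAC address embedded in a PID_GUID.

    Only version-1 (time-based) GUIDs carry the MAC in the last 12 hex digits;
    the version is the first hex digit of the third group, so any other version
    returns None instead of a bogus address."""
    m = GUID_RE.match(guid.strip())
    if not m or m.group(3)[0] != "1":
        return None
    node = m.group(5).upper()
    return ":".join(node[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    print("extra Shell entries:", check_winlogon_shell(SAMPLE))
    print("USB devices:", usb_devices(SAMPLE))
    print("Word document MAC:", mac_from_pid_guid(SAMPLE[(WORD_KEY, "PID_GUID")]))
```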


Prefetch


To speed up the performance of programs, Windows keeps a list of all DLLs a given executable needs.

When the executable is launched, all the DLLs are “fetched.”

A side benefit is that the prefetch entry keeps a list of how many times an executable has been run, and the last date/time it was run.

Most Windows forensics tools will pull this information for you. OSForensics makes it part of the “Recent Activity.”


Volume Shadow Copy

Keeps a record or copy of state changes

Stores them in blocks of data that are compared daily

Changed blocks are copied to Volume Shadow

Volume Shadow Copy service runs once per day


Memory Forensics

Capture the memory from a live machine. Can use:

Dump-it, RAM Capturer from Belkasoft, OSForensics, other tools

Analyze the captured memory. Can use:

Volatility, Pslist, Pstree, Psscan, Svcscan, other tools


Summary

Windows details

Evidence in volatile data

Windows swap file

Windows logs and directories

Windows Registry
