Network Forensics

Lab 4 CMIT 460 Network Forensics

Table of Contents Introduction........................................................................................................................................... 2

Location of Lab 3 and 4 Files ..................................................................................................................... 3

Analyzing Memory .................................................................................................................................. 9

Analyzing PCAP Files.............................................................................................................................. 20

Hard Disk Analysis with EnCase ............................................................................................................... 29

Lab 4 Directions .................................................................................................................................... 38

Introduction

Lab Description:

Network Forensics involves examining digital evidence collected by examiners. Some of the common artifacts that are examined are:

• disk image files • images of memory (RAM) • volatile data collection • PCAP files

Using all of the artifacts, you are trying to build a case and determine what happened, when it happened, and who did it. When you are able to correlate events from more than one artifact, you build a strong case.

Learning Outcomes:

The goal is to implement various techniques that are used in forensic investigations in response to network intrusions to collect and analyze information from computer networks.

After completing this course, you should be able to:

• evaluate the network security posture of an organization by performing risk assessments • analyze the data or indicators from networks and systems to detect intrusions • evaluate and prioritize the risk, threat level, or business impact of a confirmed network security

incident • develop and execute a network security incident response strategy in order to mitigate effects

on an organization

Location of Lab 3 and 4 Files

1. After connecting to https://vdi.umuc.edu, allocating the CMIT 460 lab, and using the Lab Broker

to connect to the back end Windows 10 Workstation. (Username: StudentFirst, PW: Cyb3rl@b)

2. You should start on the Windows 10 Desktop. Double click on the Lab Resources folder on the Desktop.

Lab Resources Folder

3. Click the link to resources link.

Resources Folder

4. View the folders for the lab three and lab four files.

Lab Resources Folder

5. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder

Lab Resources Folder

6. Drag the CMIT_460_Lab_3-4.vmem file to the Local Disk C:

vmem file

7. You should now see CMIT_460_Lab_3-4.vmem file on Local Disk C:

Analyzing Memory

1. Ri ght cl ick on the Wi ndows i con i n the l eft hand corner of the des ktop and go to run.

run

2. Type the following command to open the command prompt

cmd

cmd

3. Type the following command to go to the root of the c: drive.

C:\Us ers \StudentFi rs t\>cd \

cmd

4. Type the following command to view the available switches for the volatility command:

C:\vola.exe -h

volatility

The full output of the command is listed below:

Usage: Volatility - A memory forensics analysis platform.

Options:

-h, --help list all available options and their default values.

Default values may be set in the configuration file

(/etc/volatilityrc)

--conf-file=.volatilityrc

User based configuration file

-d, --debug Debug volatility

--plugins=PLUGINS Additional plugin directories to use (semi-colon

separated)

--info Print information about all registered objects

--cache-directory=C:\Users\jesse/.cache\volatility

Directory where cache files are stored

--cache Use caching

--tz=TZ Sets the (Olson) timezone for displaying timestamps

using pytz (if installed) or tzset

-f FILENAME, --filename=FILENAME

Filename to use when opening an image

--profile=WinXPSP2x86

Name of the profile to load (use --info to see a list

of supported profiles)

-l LOCATION, --location=LOCATION

A URN location from which to load an address space

-w, --write Enable write support

--dtb=DTB DTB Address

--shift=SHIFT Mac KASLR shift address

--output=text Output in this format (support is module specific, see

the Module Output Options below)

--output-file=OUTPUT_FILE

Write output in this file

-v, --verbose Verbose information

-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit

Windows 8 and above this is the address of

KdCopyDataBlock)

--force Force utilization of suspect profile

--cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for

Windows 10 only)

-k KPCR, --kpcr=KPCR Specify a specific KPCR address

Supported Plugin Commands:

amcache Print AmCache information

apihooks Detect API hooks in process and kernel memory

atoms Print session and window station atom tables

atomscan Pool scanner for atom tables

auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv

bigpools Dump the big page pools using BigPagePoolScanner

bioskbd Reads the keyboard buffer from Real Mode memory

cachedump Dumps cached domain hashes from memory

callbacks Print system-wide notification routines

clipboard Extract the contents of the windows clipboard

cmdline Display process command-line arguments

cmdscan Extract command history by scanning for _COMMAND_HISTORY

connections Print list of open connections [Windows XP and 2003 Only]

connscan Pool scanner for tcp connections

consoles Extract command history by scanning for _CONSOLE_INFORMATION

crashinfo Dump crash-dump information

deskscan Poolscaner for tagDESKTOP (desktops)

devicetree Show device tree

dlldump Dump DLLs from a process address space

dlllist Print list of loaded dlls for each process

driverirp Driver IRP hook detection

drivermodule Associate driver objects to kernel modules

driverscan Pool scanner for driver objects

dumpcerts Dump RSA private and public SSL keys

dumpfiles Extract memory mapped and cached files

dumpregistry Dumps registry files out to disk

editbox Displays information about Edit controls. (Listbox experimental.)

envars Display process environment variables

eventhooks Print details on windows event hooks

evtlogs Extract Windows Event Logs (XP/2003 only)

filescan Pool scanner for file objects

gahti Dump the USER handle type information

gditimers Print installed GDI timers and callbacks

gdt Display Global Descriptor Table

getservicesids Get the names of services in the Registry and return Calculated SID

getsids Print the SIDs owning each process

handles Print list of open handles for each process

hashdump Dumps passwords hashes (LM/NTLM) from memory

hibinfo Dump hibernation file information

hivedump Prints out a hive

hivelist Print list of registry hives.

hivescan Pool scanner for registry hives

hpakextract Extract physical memory from an HPAK file

hpakinfo Info on an HPAK file

idt Display Interrupt Descriptor Table

iehistory Reconstruct Internet Explorer cache / history

imagecopy Copies a physical address space out as a raw DD image

imageinfo Identify information for the image

impscan Scan for calls to imported functions

joblinks Print process job link information

kdbgscan Search for and dump potential KDBG values

kpcrscan Search for and dump potential KPCR values

ldrmodules Detect unlinked DLLs

lsadump Dump (decrypted) LSA secrets from the registry

machoinfo Dump Mach-O file format information

malfind Find hidden and injected code

mbrparser Scans for and parses potential Master Boot Records (MBRs)

memdump Dump the addressable memory for a process

memmap Print the memory map

messagehooks List desktop and thread window message hooks

mftparser Scans for and parses potential MFT entries

moddump Dump a kernel driver to an executable file sample

modscan Pool scanner for kernel modules

modules Print list of loaded modules

multiscan Scan for various objects at once

mutantscan Pool scanner for mutex objects

notepad List currently displayed notepad text

objtypescan Scan for Windows object type objects

patcher Patches memory based on page scans

poolpeek Configurable pool scanner plugin

printkey Print a registry key, and its subkeys and values

privs Display process privileges

procdump Dump a process to an executable file sample

pslist Print all running processes by following the EPROCESS lists

psscan Pool scanner for process objects

pstree Print process list as a tree

psxview Find hidden processes with various process listings

qemuinfo Dump Qemu information

raw2dmp Converts a physical memory sample to a windbg crash dump

screenshot Save a pseudo-screenshot based on GDI windows

servicediff List Windows services (ala Plugx)

sessions List details on _MM_SESSION_SPACE (user logon sessions)

shellbags Prints ShellBags info

shimcache Parses the Application Compatibility Shim Cache registry key

shutdowntime Print ShutdownTime of machine from registry

sockets Print list of open sockets

sockscan Pool scanner for tcp socket objects

ssdt Display SSDT entries

strings Match physical offsets to virtual addresses (may take a while, VERY verbose)

svcscan Scan for Windows services

symlinkscan Pool scanner for symlink objects

thrdscan Pool scanner for thread objects

threads Investigate _ETHREAD and _KTHREADs

timeliner Creates a timeline from various artifacts in memory

timers Print kernel timers and associated module DPCs

truecryptmaster Recover TrueCrypt 7.1a Master Keys

truecryptpassphrase TrueCrypt Cached Passphrase Finder

truecryptsummary TrueCrypt Summary

unloadedmodules Print list of unloaded modules

userassist Print userassist registry keys and information

userhandles Dump the USER handle tables

vaddump Dumps out the vad sections to a file

vadinfo Dump the VAD info

vadtree Walk the VAD tree and display in tree format

vadwalk Walk the VAD tree

vboxinfo Dump virtualbox information

verinfo Prints out the version information from PE images

vmwareinfo Dump VMware VMSS/VMSN information

volshell Shell in the memory image

windows Print Desktop Windows (verbose details)

wintree Print Z-Order Desktop Windows Tree

wndscan Pool scanner for window stations

yarascan Scan process or kernel memory with Yara signatures

- -

In order to get the needed information, you will need to use the correct options from above.

An example will be provided in the step below.

When you run the tool, you need to type vola.exe and provide the location of the image file.

First, let’s get the information from the RAM image.

5. Type the following command to view the information about the RAM image:

C:\vola.exe –f CMIT_460_Lab_3-4.vmem imageinfo

volatility

6. Type the following command to get the IP Address and Connection information:

C:\vola.exe –f CMIT_460_Lab_3-4.vmem --profile=Win2003SP2x86 connscan

volatility

We now have an IP Address of 10.10.5.69 that needs to be examined. Look at connecting IP’s.

Analyzing PCAP Files

1. Double click on the Lab Resources folder on the Desktop.

Lab Resources Folder

2. Click the link to resources link.

Resources Folder

3. View the folders for the lab three and lab four files.

Lab Resources Folder

4. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder

Lab Resources Folder

5. Double click on the CMIT_460_Lab_3-4.pcap file to open it with Wireshark, the protocol analyzer.

CMIT 460 lab3-4 pcap file

6. View the file within Wireshark, the protocol analyzer.

Wireshark

7. You have a relevant IP Address. You can filter on it by using by typing the following:

ip.addr == 10.10.5.69

Wireshark

8. Double click on the Lab Resources folder on the Desktop.

Lab Resources Folder

9. Double click the applications folder

Applications Folder

10. Double click on Network Miner

Network Miner

11. Drag the CMIT_460_Lab_3-4.pcap file into the Network Miner Window

Network Miner

12. View information about the intrusion in Network Miner

Network Miner

Hard Disk Analysis with EnCase

1. Double click on the Lab Resources folder on the Desktop.

Lab Resources Folder

2. Click the applications folder

Applications Folder

3. Right click on the link to EnCase v 8.0.9 and select Run as administrator

EnCase

4. Click New Case unless you already have a Lab3-4 case, in which case you can click it and skip to step 10.

EnCase

5. Type Lab3-4 for the Name and click OK. Click yes to the 3 different warnings if they appear.

EnCase

6. Click Add Evidence.

EnCase

7. Click Add Raw Image.

EnCase

8. Right click in the white space and select new

EnCase

9. Double Click on Desktop. Click on the Lab Resources folder. Double Click on the resources folder. Double click on the, CMIT_460_Lab_3-4_HDD. Highlight the first 5 files and click open.

EnCase

10. Double Click on the Disk Image to view the files and folders on the Hard Drive.

EnCase

11. View the files and folders from the disk/

EnCase

Lab 4 Directions

Submit all items via the instructor’s directions.

• Using the data from week 3 with regard to the volatile data, PCAP files, and RAM image, correlate the data to successfully locate and extract artifacts left behind on the HDD image.

• Explain why components were extracted, and the method used to locate artifacts.

• Complete the initial findings report and the intrusion picture with information correlated among the PCAP file, volatile data collected, the RAM image, and the HDD image. Include findings of additional analysis conducted on the extraction of suspected malicious software, and explain why its extraction was important to the case.