5.2. digital forensics
TRANSCRIPT
/wh0x41mi
George Lagoda
Security expert, pentester. Interests: [deep|web] penetrations, reversing, forensics.
Work at . . .
Digital forensics:
"Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime."
What we are going to talk about
• Data recovery
• Evidence detection
• Group-IB Olympic case discussion
• Some tools discussion
Basically we are just going to run through one more or less real, interesting case and discuss the techniques and tools we used…
Why we also need data recovery
• Damaged discs
• Damaged images
• Deleted files
• Something encrypted
• Something partially missing
• Something damaged by malware
[…] All these things can omit evidence of a crime.
What can be restored
• MBR
• Partition table
• Encrypted volume
• Private PGP key, certificates, etc.
• Files/audio/video…
Why? Because it is still text with headers, structure, etc… How? TOOLS. Coming up later…
Can I haz cheezburger now?
Group-IB image
• E01 format (Elcomsoft – making expensive but not very fast forensics software.)
• Image damaged
• 40 GB of unallocated space
• No partition table
• 1 employee does not want to go to jail.
Can we help Anna?
Tasks for helping Anna
• Find all partitions, their fs, size
• Find system info: OS versions, system time, machine name, last power off time
• All user accounts
• Autorun programs
• All email addresses
• Storage of the secret key for the digital signature, and is there anything telling about compromise of this key
• Antivirus software, malware detections, RDP connections, other people involved, their mails, malware on the disc, and some additional info about the incident on the disc…
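An added example, not code from the talk or from Group-IB, showing the header-based recovery idea the slides rely on for the "what can be restored" list and the first task (find partitions, their fs and size): with the partition table gone, NTFS volumes are located by scanning the image for the boot-sector signature and reading their size from it, and an ASCII-armored PGP private key block is carved by its text markers. The disk image, the boot sector and the key block are all constructed inside the script; the key body is a placeholder, not a real key.

```python
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "
PGP_BEGIN = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"
PGP_END = b"-----END PGP PRIVATE KEY BLOCK-----"

def make_ntfs_boot_sector(total_sectors, bytes_per_sector=512):
    """Build a minimal NTFS boot sector (constructed test data, not a real volume)."""
    bs = bytearray(SECTOR)
    bs[3:11] = NTFS_OEM                               # OEM ID at offset 3
    struct.pack_into("<H", bs, 11, bytes_per_sector)  # BytesPerSector
    struct.pack_into("<Q", bs, 40, total_sectors)     # TotalSectors
    bs[510:512] = b"\x55\xAA"                         # boot sector signature
    return bytes(bs)

def find_ntfs_volumes(image):
    """Scan sector-aligned offsets for NTFS boot sectors; report offset, fs and size."""
    volumes = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sec = image[off:off + SECTOR]
        if sec[3:11] == NTFS_OEM and sec[510:512] == b"\x55\xAA":
            bps = struct.unpack_from("<H", sec, 11)[0]
            total = struct.unpack_from("<Q", sec, 40)[0]
            volumes.append({"offset": off, "fs": "NTFS", "size": total * bps})
    return volumes

def carve_pgp_private_keys(image):
    """Carve ASCII-armored PGP private key blocks by their BEGIN/END markers."""
    found, start = [], 0
    while True:
        b = image.find(PGP_BEGIN, start)
        e = image.find(PGP_END, b) if b >= 0 else -1
        if e < 0:                                      # no block, or a truncated one
            return found
        e += len(PGP_END)
        found.append((b, image[b:e]))
        start = e

def build_sample_image():
    """Constructed 8 KiB image: no partition table, NTFS boot sector at sector 4,
    an armored key block at sector 10 (placeholder body, not a real key)."""
    img = bytearray(SECTOR * 16)
    img[4 * SECTOR:5 * SECTOR] = make_ntfs_boot_sector(total_sectors=2048)
    key = PGP_BEGIN + b"\n\nlQH...constructed placeholder...\n" + PGP_END + b"\n"
    img[10 * SECTOR:10 * SECTOR + len(key)] = key
    return bytes(img)
```

On a real E01 the same scan is run over the raw bytes exposed by the image tool, and every hit is a candidate partition to verify against the reported size.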
Gathering system info
• Recovering files from Windows\System32\config – System, Software, Security, Sam
• Recovering NTUSER.dat from Users\[username]
• Downloading MiTec Windows Registry Recovery (www.mitec.cz/wrr.html)
• Obtaining system info
Searching for malware
• autoruns
• %temp%
• %windir% or %systemdir%
• Java cache
• downloads :)
and so on
Anna's case. Found malware:
• Mipko keylogger (already in AV's bases)
• KIS quarantined file
• xls.exe (drops xls + RDP tool + installer)
That's enough to do bad stuff.
So now we have
Windows 7 Ultimate
Product ID: 00426-OEM-8992662-00400
KEY: 342DG-6YJR8-X92GV-V7DCV-P4K27
Version: Multiprocessor Free 6.1.7601.win7sp1_gdr.120330-1504
Install date: 12.04.2013 17:09:15
With users:
Secret key storage
Recovering files and installing GNU4WIN on a VM. Placing the recovered files in the same folder on the VM. Opening Kleopatra.
We need to find the TC password and check this secret file. A possible way is to look for the keylogger and dig for its logs or screenshots.
What do we have?
• The system was compromised
• Attackers obtained all passwords and key files to perform the crime
• Anna will be OK. Don't worry.