Transcript
Page 1: Forensic Tools and Techniques

Forensic Tools and Techniques, Part I

Shane Hartman, CISSP, GCIA, GREM
Secure Info Systems

Page 2: Forensic Tools and Techniques

Topics
• Gathering Information
• Helix
• Netcat
• Memory Acquisition
– With Helix
– With Win32DD
– With Winen
• Disk Acquisition
– With Helix
– With FTK
• MD5Sum
• Uptime
• Uname
• Date / Time
• Acquisition Analysis
• Strings
• Mounting the image
• Pasco

Page 3: Forensic Tools and Techniques

Heisenberg's Uncertainty Theorem

• You can't observe or measure anything without changing it somewhat.
• When working on a live system
– You can make sure you do not influence the data on the hard drive
– Because it is a live system, the same cannot be said of memory; more on that later.

Page 4: Forensic Tools and Techniques

Gathering Information

• Use your own tools
• If you encounter a live system, do not trust anything on it.
• Have static binaries that you have verified ready
• Gather basic information such as
– date/time
– processes
– sessions
– services, etc.

Page 5: Forensic Tools and Techniques

Helix

• How do you get this information without affecting the machine?
• Use Helix…
• This is an open source bootable CD
• It uses Unix as its OS
• It can be used on live or dead machines

Page 6: Forensic Tools and Techniques

Netcat

• Netcat is your friend
• When you need to move information off a machine using the network, use Netcat
• Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes:
– Port scanning
– Transferring files
– Port listening
and it can be used as a backdoor….

Page 7: Forensic Tools and Techniques

Netcat

• Netcat is used in conjunction with many tools including:
– Helix
– Forensic Tool Kit
– And any tool that writes files
– Common usage
• As a listener: nc -l -p 8888 > image.dd
• This tells netcat to listen on port 8888; anything that comes across the connection is written into the image.dd file.
• As a writer: ./memdump | ./nc 192.168.1.10 8888
• This sends the output of memdump to netcat, which connects to the remote listener on port 8888 at 192.168.1.10.
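The listener/writer pair above moves the image but gives you no proof that every byte arrived. The following is an added example (not from the slides, Helix or netcat itself) that reproduces the same exchange in Python over loopback and hashes the stream on both ends, which is the check you should make before touching the copy; the memory dump is a constructed byte string and the ephemeral port stands in for 8888.

```python
import hashlib
import os
import socket
import tempfile
import threading

def receive_image(listener, out_path):
    """Listener side (nc -l -p 8888 > image.dd): accept one connection,
    stream everything to out_path and return the MD5 of the bytes written."""
    conn, _ = listener.accept()
    digest = hashlib.md5()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:               # sender closed the socket: end of image
                break
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_image(host, port, data):
    """Writer side (memdump | nc host 8888): push the acquired bytes and
    return the MD5 of what was sent so both ends can be compared."""
    digest = hashlib.md5()
    with socket.create_connection((host, port)) as sock:
        for start in range(0, len(data), 65536):
            chunk = data[start:start + 65536]
            sock.sendall(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def transfer_and_verify(data):
    """Run both ends over loopback; returns (hashes_match, path_of_copy)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))     # ephemeral port stands in for 8888
    listener.listen(1)
    port = listener.getsockname()[1]
    out_path = os.path.join(tempfile.mkdtemp(), "image.dd")
    seen = {}
    rx = threading.Thread(target=lambda: seen.update(md5=receive_image(listener, out_path)))
    rx.start()
    sent_md5 = send_image("127.0.0.1", port, data)
    rx.join()
    listener.close()
    return sent_md5 == seen["md5"], out_path

# Constructed stand-in for a memory dump (not a real acquisition).
SAMPLE_DUMP = b"MZ\x90\x00" + bytes(range(256)) * 2048
```

With real netcat the same check is `md5sum image.dd` on the listener against a hash taken on the source side.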

Page 8: Forensic Tools and Techniques

Memdump - Windows

• Through Helix you can dump the memory of the system.
• It can be posted to:
– A network share
– External storage
– A netcat connection
– Works on Windows systems preceding Vista
• Microsoft changed how memory and the system are accessed from Vista forward, preventing this process from working.

Page 9: Forensic Tools and Techniques

Memory Acquisition with Helix

Page 10: Forensic Tools and Techniques

Memory Acquisition with win32dd

• Command line tool for dumping memory
• IR\RAM\win32dd\win32dd.exe
• Example
• win32dd e:\temp\win32dd_mem.img
• Works on all versions of Windows, including Vista and Windows 7, as long as you run it with administrator privileges

Page 11: Forensic Tools and Techniques

Memory Acquisition with Winen

• Command line tool for dumping memory
• IR\RAM\win32dd\winen.exe
• Example
• winen e:\temp\winen_mem.img
• Works on all versions of Windows, including Vista and Windows 7, as long as you run it with administrator privileges

Page 12: Forensic Tools and Techniques

Disk Acquisition with Helix

Page 13: Forensic Tools and Techniques

Disk Acquisition with FTK
• Imager can be found on the Helix CD at IR\Imager\FTKImager

Page 14: Forensic Tools and Techniques

MD5Sum

• Now that you have an image, run an MD5 hash on it.
• IR\FAU\MD5sum will produce a hash for the image file
• Once complete, make a copy and verify it
• Then you can begin work

Page 15: Forensic Tools and Techniques

MD5Deep

• Similar to MD5Sum except you can use this to create hashes of whole directory structures.
• After extracting a directory from an image you can run md5deep to hash each file recovered and then check it later for compromise.
• Ex. md5deep -r c:\temp\evidence\case001\*.*
• This tells md5deep to go through the entire directory structure and produce a hash of each file.
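The MD5Sum and MD5Deep slides describe a two-step workflow: take a baseline hash (of the image, or of every recovered file), then re-hash later and compare. The following is an added example, not part of the deck or of md5deep, that implements both steps: a streaming MD5 for large images, a recursive manifest like `md5deep -r`, and a comparison that reports modified, missing and added files. The evidence tree in `demo()` is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def md5_file(path, block=1 << 20):
    """Stream the file through MD5 so a multi-GB image never has to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Recursive equivalent of `md5deep -r root`: {relative path: md5}."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = md5_file(full)
    return manifest

def verify_tree(root, manifest):
    """Re-hash root and report what changed since the manifest was taken."""
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed evidence tree: take a baseline, then simulate tampering."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "Documents"))
    files = {"index.dat": b"Client UrlCache MMF Ver 5.2",
             os.path.join("Documents", "notes.txt"): b"meeting at 9"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    baseline = hash_tree(root)
    with open(os.path.join(root, "index.dat"), "ab") as f:      # one file altered
        f.write(b"\x00")
    os.remove(os.path.join(root, "Documents", "notes.txt"))      # one file removed
    with open(os.path.join(root, "extra.exe"), "wb") as f:       # one file appeared
        f.write(b"MZ")
    return baseline, verify_tree(root, baseline)
```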

Page 16: Forensic Tools and Techniques

More Gathering Information

• System Information
• Uptime
• Uname
• Date/Time
• Process List
• Handle
• ListDlls
• Logon Sessions
• Services
• Netstat

Page 17: Forensic Tools and Techniques

System Information

Page 18: Forensic Tools and Techniques

Uptime - Windows

• Windows utility showing how long the system has been up.
• This information can be used as part of the timeline process for your investigation
• On the Helix CD you will find 2 versions
– IR\Cygwin\uptime.exe – produces
• 23:56:30 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
– IR\Microsoft\uptime.exe – produces
• \\test1 has been up for: 0 day(s), 1 hour(s), 41 minute(s), 31 second(s)
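For the timeline what you actually want is the boot time, which is the moment you ran the command (from your verified date/time tool) minus the reported uptime. The following is an added example, not from the deck or either uptime.exe, that parses both output formats shown above and does that subtraction; note that the two sample lines disagree by 31 seconds because the Cygwin version only reports to the minute. The collection timestamp is constructed.

```python
import re
from datetime import datetime, timedelta

# Cygwin uptime.exe: "23:56:30 up 1:41, 0 users, ..." (also "up 2 days, 3:04" or "up 5 min")
CYGWIN_RE = re.compile(r"\bup (?:(\d+) days?, )?(?:(\d+):(\d{2})|(\d+) min)")
# Microsoft uptime.exe: "\\test1 has been up for: 0 day(s), 1 hour(s), 41 minute(s), 31 second(s)"
MS_RE = re.compile(r"up for: (\d+) day\(s\), (\d+) hour\(s\), (\d+) minute\(s\), (\d+) second\(s\)")

def parse_uptime(line):
    """Return the reported uptime as a timedelta for either Helix uptime.exe format."""
    m = CYGWIN_RE.search(line)
    if m:
        days, hours, minutes, mins_only = m.groups()
        return timedelta(days=int(days or 0), hours=int(hours or 0),
                         minutes=int(minutes or mins_only or 0))
    m = MS_RE.search(line)
    if m:
        d, h, mi, s = (int(x) for x in m.groups())
        return timedelta(days=d, hours=h, minutes=mi, seconds=s)
    raise ValueError("unrecognised uptime output: %r" % line)

def boot_time_iso(uptime_line, collected_at_iso):
    """Boot timestamp (ISO 8601) = time the command ran, taken from your verified
    date/time tool (a constructed value in the tests), minus the reported uptime."""
    collected = datetime.fromisoformat(collected_at_iso)
    return (collected - parse_uptime(uptime_line)).isoformat()
```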

Page 19: Forensic Tools and Techniques

Uname -a Windows

• Produces OS type and kernel build
• IR\unxutils\uname.exe -a
– The -a option outputs all information
• WindowsNT srql13132257 1 6 x86

Page 20: Forensic Tools and Techniques

Date / Time

• Date and Time utilities are located on the Helix CD in
– IR\Cygwin\Date.exe and IR\Cygwin\Time.exe
• These are the same utilities as in the Windows system, but verified.

Page 21: Forensic Tools and Techniques

Process Information Helix

Page 22: Forensic Tools and Techniques

Process List - PSlist
• PSList can be found in the Sysinternals directory
• Running multiple tools can give you extra information

Page 23: Forensic Tools and Techniques

Handle
• Gives you insight into which files in which directories are open and which PID they are assigned to

Page 24: Forensic Tools and Techniques

Listdlls
• Like PSList and Handle, ListDlls shows you which DLLs are in use by which PID. It also shows what version of each DLL is running.

Page 25: Forensic Tools and Techniques

Logon Sessions

Page 26: Forensic Tools and Techniques

Services

Page 27: Forensic Tools and Techniques

Netstat
• Netstat displays both incoming and outgoing network connections

Page 28: Forensic Tools and Techniques

Acquisition Analysis

• Strings
• Mounting image in Linux
• Mounting image with FTK
• Extracting a file with FTK
• Internet Explorer History - Pasco

Page 29: Forensic Tools and Techniques

Strings

• Strings is a utility which looks at a file and tries to show everything in it that is ASCII text
• Output is messy, but sometimes information can be gathered from this output
• It is located on the Helix CD in
– IR\Sysinternals\Strings.exe
– Format: strings -a mem_image.img – producing

aaW(h4aaWaaWN<@39D$N8WPWQcompiling file:C:\WINDOWS\system32\WBEM\evntrprv.mof(Wed Jan 06 21:25:29 2010.1100001) : Parsing MOF file: C:\WINDOWS\system32\WBEM\hnetcfg.mof(Wed Jan 06 21:25:29 2010.1100091) : Finished compiling file:C:\WINDOWS\system32\WBEM\hnetcfg.mof(Wed Jan 06 21:25:29 2010.1100091) : Parsing MOF file: C:\WINDOWS\system32\WBEM\sr.mof
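To see why the output looks like that, and why an ASCII-only pass misses much of a Windows memory image, here is an added example (not from the deck or Sysinternals Strings) that extracts printable runs in both ASCII and UTF-16LE and then pulls Windows paths out of the noise. The buffer is constructed to imitate the slide's output; the second MOF path is stored wide, as most Windows strings in memory are.

```python
import re

def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, both plain ASCII and UTF-16LE (Windows 'wide' strings)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in wide_re.finditer(data)]
    return sorted(hits)

WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"<>|*?]+")   # heuristic: drive-letter path up to whitespace

def find_paths(hits):
    """Pull Windows file paths out of the runs so the messy output can be triaged quickly."""
    return sorted({p for _, _, text in hits for p in WIN_PATH.findall(text)})

# Constructed buffer imitating the junk and MOF-compiler messages in the slide's output;
# the second path is UTF-16LE, which an ASCII-only strings pass would not report.
SAMPLE = (b"\x00\x8b\x01aaW(h4\x00\x00"
          + b"compiling file:C:\\WINDOWS\\system32\\WBEM\\evntrprv.mof\x00\x90\x90"
          + "Parsing MOF file: C:\\WINDOWS\\system32\\WBEM\\hnetcfg.mof".encode("utf-16le")
          + b"\x00\x00\x12")
```

Raising `min_len` drops short junk such as `aaW(h4` at the cost of short genuine strings; keep the offsets, since they let you go back to the image with a hex viewer.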

Page 30: Forensic Tools and Techniques

Mounting the image in Linux

• Once you have an image file you can review it on a Linux system by simply mounting it, just like any other device.
• Create a directory for the mount such as
– cd /mnt
– mkdir case001
• mount -o ro,noexec,loop /tmp/case001.img /mnt/case001
• With root access you can now review the file system

Page 31: Forensic Tools and Techniques

Mounting the image in FTK
• File – Add Evidence Item – Image File

Page 32: Forensic Tools and Techniques

Extract a file from the image w/FTK

• Extract a file from the image to do analysis
• Find the file you're interested in, such as index.dat
• Right-click on the file and extract it to a location
• From here you can run tools on the file to gather information
• In the case of index.dat, it contains information about where the user has been on the internet with the browser. More on that to come.

Page 33: Forensic Tools and Techniques

Internet Explorer History - Pasco

• Found on the Helix CD in the IR\Foundstone directory
• Pasco will read the index.dat file from Internet Explorer and produce output showing all the URLs the user visited.
• Ex. pasco index.dat > user1_ie.txt
• Produces something like this:
• URL http://www.shadowserver.org/wiki/pub/wsplus/wsplus.css Tue Mar 20 21:17:55 2007 Thu Jan 7 03:00:49 2010 wsplus[1].css C9B5QLQV HTTP/1.1 200 OK ETag: "1b432-d41-3d40a6c0" Content-Length: 3393 Keep-Alive: timeout=15, max=95 Content-Type: text/css ~U:evil
• URL http://images.google.com/intl/en_ALL/images/logos/images_logo_lg.gif Wed May 27 22:00:10 2009 Thu Jan 7 03:02:10 2010 images_logo_lg[1].gif C9B5QLQV HTTP/1.1 200 OK Content-Type: image/gif Content-Length: 9969 X-XSS-Protection: 0 ~U:evil
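Redirected to a text file, that output is the raw material for a browsing timeline. The following is an added example, not part of the deck or of pasco, that parses it into records, orders them by access time and counts hosts; it assumes the tab-separated column layout pasco writes (TYPE, URL, MODIFIED TIME, ACCESS TIME, FILENAME, DIRECTORY, HTTP HEADERS), which the slide shows run together, and the sample input is constructed from the slide's two entries. The `~U:evil` tail on each header block is the Windows account the cache belonged to, so it is kept as a field.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

PASCO_TIME = "%a %b %d %H:%M:%S %Y"        # e.g. "Thu Jan 7 03:00:49 2010"

def _ts(field):
    field = field.strip()
    return datetime.strptime(field, PASCO_TIME) if field else None

def parse_pasco(text):
    """Parse pasco's tab-separated output into dicts; header lines are skipped."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 7 or cols[0] == "TYPE":
            continue
        rtype, url, modified, accessed, filename, directory, headers = cols[:7]
        # IE appends "~U:<account>" to the cached headers: whose profile this entry came from
        user = headers.rsplit("~U:", 1)[1].strip() if "~U:" in headers else None
        records.append({"type": rtype, "url": url, "modified": _ts(modified),
                        "accessed": _ts(accessed), "filename": filename,
                        "directory": directory, "headers": headers, "user": user})
    return records

def timeline(records):
    """(access time ISO, url, user) ordered by access time: the browsing timeline."""
    dated = [r for r in records if r["accessed"]]
    return [(r["accessed"].isoformat(), r["url"], r["user"])
            for r in sorted(dated, key=lambda r: r["accessed"])]

def hosts_visited(records):
    """How many cache entries each host accounts for."""
    return Counter(urlsplit(r["url"]).hostname for r in records if r["url"])

# Constructed sample in pasco's layout, built from the two entries shown on the slide.
SAMPLE_OUTPUT = "\n".join([
    "History File: index.dat", "",
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS",
    "URL\thttp://www.shadowserver.org/wiki/pub/wsplus/wsplus.css\tTue Mar 20 21:17:55 2007"
    "\tThu Jan 7 03:00:49 2010\twsplus[1].css\tC9B5QLQV\tHTTP/1.1 200 OK ETag: \"1b432-d41-3d40a6c0\" "
    "Content-Length: 3393 Keep-Alive: timeout=15, max=95 Content-Type: text/css ~U:evil",
    "URL\thttp://images.google.com/intl/en_ALL/images/logos/images_logo_lg.gif\tWed May 27 22:00:10 2009"
    "\tThu Jan 7 03:02:10 2010\timages_logo_lg[1].gif\tC9B5QLQV\tHTTP/1.1 200 OK Content-Type: image/gif "
    "Content-Length: 9969 X-XSS-Protection: 0 ~U:evil",
])
```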

Page 34: Forensic Tools and Techniques

• This is just the beginning of what is out there…
