Forensic Tools and Techniques

Download Forensic Tools and Techniques

Post on 18-Nov-2014




0 download

Embed Size (px)


This presentation will cover some of the processes and tools used by first responders and analyst during the first part of a forensic investigation. Some of the things covered will be bootable forensic cds, harddrive and memory imaging, and the tools used to look analyze those images


<p>Forensic Tools and Techniques Part IShane Hartman, CISSP, GCIA, GREM Secure Info Systems</p> <p>Topics Gathering Information Helix Netcat Memory Acquisition With Helix With Win32DD With Winen</p> <p>Disk Acquisition With Helix With FTK</p> <p>MD5Sum Uptime Uname Date / Time Acquisition Analysis Strings Mounting the image Pasco</p> <p>Heisenberg's Uncertainty Theorem You can't observe or measure anything without changing it somewhat. When working on a live system You can make sure you do not influence the data on the harddrive Because it is a live system, the same cannot be said of memory,, more on that later..</p> <p>Gathering Information Use your own tools If you encounter a live system, do not trust anything on it. Have static binaries, you verified ready Gather basic information such as date/time processes sessions services, etc</p> <p>Helix How do you get this information without effecting the machine Use Helix This is an open source bootable cd Used Unix as its OS It can be used on live or dead machines</p> <p>Netcat Netcat is your friend When you need to move information off a machine using the network, use Netcat Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes: Port scanning Transferring files Port listening and it can be used as a backdoor.</p> <p>Netcat Netcat is used in conjunction with many tools including: Helix Forensic Tool Kit And any tool the writes files</p> <p> Common usage As a listener : nc l p 8888 &gt; image.dd This tells netcat to listen on port 8888 and anything coming across will be written in to image.dd file.</p> <p> As a writer : ./memdump | ./nc 8888 This send the output of memdump to netcat which attaches to a remote listener on port 8888 at</p> <p>Memdump - Windows Through Helix you can dump the memory of the system. It can be posted to: A network share External Storage A netcat connection Works on Windows systems preceding Vista Microsoft changed how memory and system was accesses in Vista forward preventing this process from working.</p> <p>Memory Acquisition with Helix</p> <p>Memory Acquisition with win32dd Command line tool for dumping memory IR\RAM\win32dd\ win32dd.exe Example win32dd e:\temp\win32dd_mem.img Works on all the versions on windows including Vista and Windows7 as long as you run it with administrator privileges</p> <p>Memory Acquisition with Winen Command line tool for dumping memory IR\RAM\win32dd\ winen.exe Example winen e:\temp\winen_mem.img Works on all the versions on windows including Vista and Windows7 as long as you run it with administrator privileges</p> <p>Disk Acquisition with Helix</p> <p>Disk Acquisition with FTK Imager can be found on the Helix cd at IR\Imager\FTKImager</p> <p>MD5Sum Now that you have an image run and md5 hash on it. In IR\FAU\MD5sum will produce a hash for the image file Once complete make a copy and verify it Then you can begin work</p> <p>MD5Deep Similar to MD5Sum except you can use this to create hashes of whole directory structures. After extracting a directory from an image you can run md5deep to hash each file recovered and then check it later for compromise. Ex. Md5deep c:\temp\evidence\case001\*.* -r This tells md5deep to go through the entire directory structure and product a hash of each file.</p> <p>More Gathering Information System Information Uptime Uname Date/Time Process List Handle ListDlls Logon Sessions Services Netstat</p> <p>System Information</p> <p>Uptime - Windows Windows utility showing how long the system has been up. This information can be used as part of the timeline process for your investigation On the Helix CD you will find 2 versions IR\Cygwin\uptime.exe produces 23:56:30 up 1:41, 0 users, load average: 0.00, 0.00, 0.00</p> <p> IR\Microsoft\uptime.exe produces \\test1 has been up for: 0 day(s), 1 hour(s), 41 minute(s), 31 second(s)</p> <p>Uname a Windows Produces OS type and kernel build IR\unxutils\uname.exe a The (-) a function outputs all information WindowsNT srql13132257 1 6 x86</p> <p>Date / Time Data and Time utilities are located on the Helix CD in IR\Cygwin\Date.exe and IR\Cygwin\Time.exe</p> <p> These are the same utilities in the windows system but verified.</p> <p>Process Information Helix</p> <p>Process List - PSlist PSList can be found in the sysinternals directory Running multiple tools can give you extra information</p> <p>Handle Gives you insight in what files in what directory are opened and which PID they are assigned</p> <p>Listdlls Like PSList and Handle, ListDlls shows you what dlls are in use with what PID. It also shows what version of the dll is running.</p> <p>Logon Sessions</p> <p>Services</p> <p>Netstat Netstat displays both incoming and outgoing network connections</p> <p>Acquisition Analysis Strings Mounting image in Linux Mounting image with FTK Extracting a file with FTK Internet Explore History - Pasco</p> <p>Strings Strings is a utility which looks at a file and tries to show everything is ASCII text Output is messy but sometimes information can be gathered from this output It is located on the Helix CD in IR\Sysinternals\Strings.exe Format strings a mem_image.img - producingaaW (h4 aaW aaW N user1_ie.txt Produces something like this. URL Tue Mar 20 21:17:55 2007 Thu Jan 7 03:00:49 2010 wsplus[1].css C9B5QLQV HTTP/1.1 200 OK ETag: "1b432-d41-3d40a6c0" Content-Length: 3393 KeepAlive: timeout=15, max=95 Content-Type: text/css ~U:evil URL Wed May 27 22:00:10 2009 Thu Jan 7 03:02:10 2010 images_logo_lg[1].gif C9B5QLQV HTTP/1.1 200 OK Content-Type: image/gif Content-Length: 9969 X-XSS-Protection: 0 ~U:evil</p> <p> This is just the beginning of what is out there</p>


View more >