Low Level Host Examinations


Post on 03-Jan-2016






Low Level Host Examinations. Non-Destructive Actions. Fdisk Chkdsk Dir Redirection Type. Normal to have access in past 24 hours Last person on system Normal work hours Need to work outside established hours Work patterns Time of incident System backed up Time with organization - PowerPoint PPT Presentation


<ul>
<li><p>Low Level Host Examinations</p></li>
<li><p>Non-Destructive Actions</p><ul><li>Fdisk</li><li>Chkdsk</li><li>Dir</li><li>Redirection</li><li>Type</li></ul></li>
<li><p>First Responder Concerns</p><ul>
<li>Normal to have access in past 24 hours</li>
<li>Last person on system</li>
<li>Normal work hours</li>
<li>Need to work outside established hours</li>
<li>Work patterns</li>
<li>Time of incident</li>
<li>System backed up</li>
<li>Time with organization</li>
<li>Any different behavior</li>
<li>Any changes to network or problems</li>
<li>Access level to systems/applications</li>
<li>Any changes to work area</li>
<li>Non-US citizen</li>
<li>Access logs into building/garage</li>
<li>User ID and PW</li>
<li>Any reprimands</li>
<li>Contractor access</li>
<li>Who had access to area</li>
<li>Educational and computer expertise of individuals</li>
<li>What is work of organization</li>
<li>Who noticed? Who reported?</li>
<li>Anything touched</li>
<li>Who knows of incident</li>
<li>Copy of security policies and procedures</li>
<li>Why is this a problem</li>
<li>Purchasing record of system(s) and base configuration</li>
<li>Diagram of network architecture</li>
<li>Names and contact info for experts/supervisors</li>
<li>Describe evidence collection procedures</li>
<li>Backups to system</li>
<li>System re-imaged or new versions installed</li>
<li>New applications added to system</li>
<li>Any new rights issued for systems/applications</li>
<li>Any disgruntled employees</li>
</ul></li>
<li><p>Locard's Exchange Principle</p><p>Anyone, or anything, entering a crime scene takes something of the crime scene with them. They also leave behind something of themselves when they depart.</p></li>
<li><p>Evidence on the Hard Drive</p><ul>
<li>Hard disk drives</li>
<li>Files</li>
<li>Erased files</li>
<li>File slack</li>
<li>Hidden partitions</li>
<li>Encrypted files</li>
<li>Compressed data (zip)</li>
<li>Windows swap file</li>
<li>Windows temp files</li>
<li>Application temp files</li>
<li>Hidden files/folders</li>
</ul></li>
<li><p>FBI Investigations</p><ul>
<li>Check records, logs, and documentation</li>
<li>Interview personnel</li>
<li>Conduct surveillance</li>
<li>Prepare a search warrant</li>
<li>Search the suspect's premises</li>
<li>Seize evidence</li>
</ul></li>
<li><p>Analysis of the Evidence</p><ul>
<li>Identify &amp; document evidence of criminal violations</li>
<li>Intelligence gathering from other sources</li>
<li>Tie media to computers</li>
<li>Identify email &amp; Internet browsing patterns tied to criminal activity</li>
<li>Identify associates</li>
<li>Identify time lines</li>
<li>Identify weaknesses in case</li>
<li>Audit issues regarding violations of corporate policy</li>
<li>Discover evidence for civil or criminal cases</li>
<li>Identify source of trade secret thefts &amp; abuses</li>
<li>Misuse of Internet access</li>
<li>Locate trade secrets</li>
</ul></li>
<li><p>Just "Look"</p><p>You can just look at a person's workspace; passwords are too often out in plain view:</p><ul>
<li>Taped to the monitor</li>
<li>Written on the desktop</li>
<li>In the Rolodex file</li>
<li>On a "Post-It" note</li>
</ul></li>
<li><p>Workstation Policies</p><ul>
<li>Perform a physical audit</li>
<li>Tag &amp; inventory all physical computing resources</li>
<li>Policies address use of PDAs, storage devices, and laptops</li>
<li>Responsibility for stolen devices</li>
<li>How hardware/software is used at home</li>
<li>Technicians &amp; passwords</li>
<li>Help desk reports</li>
<li>No downloads or software installs</li>
<li>Prohibit running executable files received as e-mail attachments</li>
<li>Bitstream back-up of the entire contents of hard disk(s) when an employee leaves or is terminated</li>
</ul></li>
<li><p>Preparing a Case</p><ul>
<li>Comments to law enforcement are on the record</li>
<li>Know your loss</li>
<li>Have documentation of the case</li>
<li>Gather and deliver physical evidence</li>
<li>Use legal counsel that can explain the law</li>
<li>Describe the investigation</li>
<li>Have only one set of notes</li>
<li>Conduct the investigation in secret</li>
<li>Time is of the essence</li>
</ul></li>
<li><p>Incident Response Implementation</p><ul>
<li>Detection of incident</li>
<li>Initial response</li>
<li>Response strategy formulation</li>
<li>Investigation</li>
<li>Isolate and contain</li>
<li>Recovery</li>
<li>Report</li>
<li>Lessons learned</li>
</ul></li>
<li><p>Why Use a Methodology?</p><p>A formal methodology allows an investigator to approach and investigate a computer crime rationally and expeditiously, without a loss of thoroughness. More importantly, it establishes a protocol by which electronic evidence (physical and logical) is gathered and handled, to reduce the potential for this evidence to be corrupted or tainted.</p><p>Timothy Wright</p></li>
<li><p>Low Hanging Fruit</p><ul>
<li>Internet history files</li>
<li>Check cookies for subscription services passwords</li>
<li>Review of directories &amp; files with simple DOS commands</li>
<li>Check processes</li>
<li>.BAK &amp; .DAT files on PDAs</li>
<li>Paraben forensics tools for PDAs</li>
</ul></li>
<li><p>Tools</p><ul>
<li>Make sure virus free</li>
<li>NIST certified virus checker</li>
<li>Use same software versions for each investigation (do not change in the middle)</li>
<li>CHKDSK identifies orphan clusters</li>
<li>SYSINFO documents the system</li>
<li>FDISK documents the number and size of partitions</li>
<li>Start-up disk (bootable)</li>
<li>Use only licensed software</li>
<li>Copy drivers to the start-up disk (Parallel, IDE, SCSI)</li>
<li>Config.sys for devices</li>
<li>Check peer-to-peer access for storage on another medium</li>
<li>GetTime grabs date and time</li>
<li>Disk-locking programs (floppylock, writeblock, diskblock)</li>
<li>Ribbon cable for hook-up to HD</li>
</ul></li>
<li><p>Are There Limits?</p><p>All of the computer hardware, software and media that a suspect might have access to at his job is probably owned by the employer. Seizures do not need to adhere to the Fourth Amendment.</p></li>
<li><p>Approaching a Scene</p><ul>
<li>Permission to process PC</li>
<li>Pictures to document scene</li>
<li>Pull plug from the back of the machine, not the wall (picture first)</li>
<li>Remove all connections &amp; label</li>
<li>Pulling the plug does not change the state of the hard drive, but a shut down will!</li>
</ul></li>
<li><p>Preliminary Preparation</p><ul>
<li>Accumulate the packaging and materials</li>
<li>Prepare the log for documentation of the search</li>
<li>Ensure IRT is aware of forms of evidence &amp; proper handling materials</li>
<li>Evaluate the current legal ramifications of crime scene searches</li>
<li>Discuss the search with involved personnel before arrival at the scene</li>
<li>Identify a person-in-charge prior to arrival at the scene</li>
<li>Assess the personnel assignments normally required to process a crime scene successfully</li>
</ul></li>
<li><p>Reviewing The Surroundings</p><ul>
<li>Desktops</li>
<li>Monitors</li>
<li>Next to telephones</li>
<li>In wallets or purses</li>
<li>Electronic pocket organizers</li>
<li>In a suspect's pocket</li>
<li>Trash can</li>
<li>Inside of books and manuals</li>
<li>Taped underneath keyboards</li>
</ul></li>
<li><p>Investigation of Computer Intrusion: Victim Theory of Access</p><ul>
<li>Corroborating evidence of employee access</li>
<li>New files created during timeline of theft</li>
<li>Code entry (doors, gates, rooms)</li>
<li>Telephone records (corroborate login)</li>
<li>Placement at scene (eyewitness, camera)</li>
<li>Obtain court order for trap and trace for home</li>
</ul></li>
<li><p>Employee Suspects</p><ul>
<li>Check personnel file</li>
<li>Signed for receipt of proprietary information</li>
<li>Check building logs</li>
<li>Cleaned out desk area</li>
<li>Phone records for calls to competitors</li>
<li>Calls from former employees requesting information</li>
</ul></li>
<li><p>Procedures</p><p>Take photographs of:</p><ul>
<li>The computer screen</li>
<li>The front, back and sides of the computer</li>
<li>The cables attached to the computer</li>
<li>Any peripherals attached to the computer</li>
</ul><ul>
<li>Log whether the computer is on or off</li>
<li>If on, note in the log what it appears to be doing</li>
<li>Log whether or not the computer is on a network</li>
</ul></li>
<li><p>Examination in DOS</p><ul>
<li>Create a DOS disk</li>
<li>Copy DOS files</li>
<li>Virus check</li>
<li>Place boot disk in A: drive</li>
<li>Boot to DOS</li>
<li>Insert copy disk</li>
<li>Backup</li>
<li>Verify</li>
<li>Duplicate from copy (place in separate area)</li>
<li>Run disksig and CRCMD5 on victim hard drive</li>
</ul></li>
<li><p>Tools: GetTime</p><ul>
<li>Documents the time and date settings of the victim computer</li>
<li>Reads date/time from CMOS</li>
<li>Syntax: GetTime</li>
<li>Creates a file; note the time on your own watch/clock</li>
</ul></li>
<li><p>Tools: Filelist, filecnvt, Excel</p><ul>
<li>Filelist catalogs contents of the disk</li>
<li>Filelist /m /d a:\DriveC C:</li>
<li>Dir /od a:</li>
<li>Creates 2 files (delete the 2nd one)</li>
<li>Run filecnvt</li>
<li>Enter name of computer</li>
<li>Run Excel: column 3 has the filenames of deleted files</li>
</ul></li>
<li><p>Tools: Getfree</p><ul>
<li>Content of unallocated space</li>
<li>Getfree C: provides an estimate for the amount of free space</li>
<li>Getfree /f d:\FreeC c:</li>
<li>/f excludes non-printed characters</li>
</ul></li>
<li><p>Tools: Getswap</p><ul>
<li>Windows 98 or 95: copy win386.swp or 386spart.par</li>
<li>If NT/2000 you must do this from DOS (not a window)</li>
<li>Locate pagefile.sys (usually c:\winnt\system32\)</li>
<li>Copy file</li>
<li>To read instructions: getswap man | more</li>
<li>Getswap id to find out which partitions are recognized</li>
<li>Getswap d:\swapdata c: e: f: g:</li>
<li>Getswap /f d:\swapdata C:</li>
</ul></li>
<li><p>Tools: Getslack</p><ul>
<li>Getslack c: to determine how much exists</li>
<li>Getslack /f d:C_slack C:</li>
</ul></li>
<li><p>Temp Files</p><ul>
<li>.tmp extension</li>
<li>Start: Find</li>
<li>Copy</li>
</ul></li>
<li><p>CRCMD5</p><ul>
<li>Calculates a 32 bit checksum</li>
<li>Crcmd5 file1 file2</li>
<li>/s current directory</li>
<li>/h headerless text</li>
<li>Crcmd5 /s d:</li>
<li>Crcmd5 d:swapdata.f01</li>
</ul></li>
<li><p>Tools: Disksig</p><ul>
<li>Computes a checksum for an entire hard drive (boot sector is excluded)</li>
<li>Disksig d:</li>
<li>To include the boot sector use /b</li>
<li>Compressed drives have the signature performed on the raw uncompressed hard drive</li>
</ul></li>
<li><p>Tools: Doc</p><ul>
<li>Documents the contents of files and directories and related information</li>
<li>Doc</li>
<li>Can be redirected to a file for printing</li>
<li>Will be in a file</li>
</ul></li>
<li><p>Searching</p><ul>
<li>Favorites</li>
<li>Bookmarks</li>
<li>Cookies</li>
<li>History file</li>
<li>Internet Options set</li>
<li>Properties for file dates, ownership</li>
<li>Recycle bin: hidden system folder</li>
<li>Sequence of deletion, files deleted, dates, types of files</li>
<li>Folder in 95 &amp; 98 is Recycled; on NT/2000 it is Recycler</li>
</ul></li>
<li><p>Recycle Bin</p><p>When files are deleted:</p><ul>
<li>Moved to the recycle bin, which creates a new entry</li>
<li>Deletion of the file/folder from its original location</li>
<li>Addition of information about the file to a hidden file INFO (800) or INFO2 (280)</li>
<li>First time use of the recycle bin in NT/2000 creates a subfolder named with the user's SID</li>
<li>Identifies which user created it</li>
<li>Date and time recorded in INFO, not in the bin</li>
<li>Other INFO: prior file location</li>
<li>Order in bin</li>
<li>New filename in bin (original drive letter, index #, original extension)</li>
<li>Empty the bin and INFO is deleted</li>
<li>Use Quickview Plus to look at deleted file info</li>
<li>Identify information about other media</li>
</ul></li>
<li><p>Shortcut</p><p>Examine:</p><ul>
<li>Windows desktop</li>
<li>Windows\recent (up to 15 shortcuts)</li>
<li>Windows start menu</li>
<li>Windows send to</li>
<li>.lnk files refer to target files (applications, folders, data, objects)</li>
<li>Existence of shortcuts indicates knowledge of the presence of a file</li>
<li>If times differ, this can point to knowledge of creating the icon</li>
</ul></li>
<li><p>Cached Files</p><ul>
<li>IE caches websites</li>
<li>Cached files stored in the Windows\Temporary Internet Files folder</li>
<li>INDEX.DAT has all cached files</li>
</ul></li>
<li><p>Registry</p><ul>
<li>Repository for hardware and software configuration information</li>
<li>Windows\system.dat or windows\user.dat</li>
<li>On NT/2000 the registry is comprised of hives located in %systemroot%\system32\config and Ntuser.dat files related to each user account</li>
<li>Regedit or regedt32; the NT Resource Kit has a utility regdmp</li>
</ul></li>
<li><p>Printing</p><ul>
<li>Shadow files (.shd) are created about print jobs</li>
<li>Information on print job: owner, printer, name of file and method</li>
<li>Existence points to knowledge of printing activity</li>
</ul></li>
<li><p>MAC Times</p><ul>
<li>OS records dates and times of files accessed, created, modified</li>
<li>Dates can be sorted to reveal a sequence of activities</li>
</ul></li>
<li><p>MFT</p><ul>
<li>Master File Table is a system file created during formatting of an NTFS volume</li>
<li>1 MFT record for every file on a volume, including an entry about itself and some metadata</li>
<li>MFT records store attributes about a file or folder</li>
<li>MFT records store all or some data in a file in the $data attribute</li>
<li>Contain a flag with allocation status (0 if deleted/unallocated)</li>
</ul></li>
<li><p>Recycled</p><pre>
DC178    TXT        72  01-24-03   8:54a DC178.TXT
DC179    TXT        96  01-24-03   8:54a DC179.TXT
DC180    TXT        74  01-23-03  12:11p DC180.TXT
DC181    TXT        94  01-23-03  12:09p DC181.TXT
DC182    TXT       110  01-23-03  12:09p DC182.TXT
DC183    TXT       318  01-23-03  12:07p DC183.TXT
DC184    TXT        70  01-23-03  12:07p DC184.TXT
DC185    TXT       104  01-23-03  11:26a DC185.TXT
DC186    TXT        71  01-23-03  11:26a DC186.TXT
DC187    TXT       155  01-23-03   8:39a DC187.TXT
DC188    TXT       175  01-22-03   6:15p DC188.TXT
DC189    TXT       104  01-22-03   6:13p DC189.TXT
DC190    TXT        80  01-22-03   6:12p DC190.TXT
DC191    TXT        94  01-22-03   6:12p DC191.TXT
DC192    TXT       148  01-22-03   6:11p DC192.TXT
DC193    TXT        95  01-22-03   5:54p DC193.TXT
DC194    TXT        95  01-22-03   5:51p DC194.TXT
DC195    TXT        77  01-22-03   5:49p DC195.TXT
DC196    TXT       127  01-22-03   5:47p DC196.TXT
DC197    TXT       163  01-25-03   3:01p DC197.TXT
DC198    TXT        70  02-05-03   8:56a DC198.TXT
      198 file(s)      2,723,699 bytes
        2 dir(s)      15,511.09 MB free

C:\RECYCLED&gt;
</pre></li>
<li><p>Notes</p>
<p>Your organization's acceptable use policy for workstations should require that users shut down or lock their unattended workstations. Ensure that procedures are in place to update your hardware inventory when:</p><ul>
<li>The physical location of equipment changes</li>
<li>The hardware configuration is upgraded (e.g., memory added)</li>
<li>Equipment is added to or removed from your systems</li>
</ul>
<p>Record the physical location of all network devices and any intermediate public networks. Identify network monitoring and management mechanisms to keep this information up-to-date and to alert you to anomalies.</p>
<p>Executables should be run on a host that is isolated from your operational systems, the file should be run through virus detection tools, and you need to verify the file originator.</p>
<p>CompuTrace, SecureIT, Stealth Signal, ZTrace</p>
<p>Notes on the locations listed under "Reviewing The Surroundings", in the same order:</p><ul>
<li>Desktops: may contain important notes, computer media, manuals, computer equipment, and cables</li>
<li>Monitors: may have post-it notes with passwords and other important information</li>
<li>Next to telephones: may include notes with important phone numbers (e.g., dial-up numbers), passwords, and user names</li>
<li>Wallets or purses: may contain ID cards, notes, and important numbers and passwords</li>
<li>Electronic pocket organizers: may contain important user names, passwords, electronic notes and documents</li>
<li>A suspect's pocket: may contain diskettes, tapes, CDs, important notes</li>
<li>Trash can: may contain important hard copy and computer media evidence, as well as notes and documents with other evidentiary value</li>
<li>Inside of books and manuals: important notes, documents, diskettes, CDs and other media</li>
<li>Taped underneath keyboards: important notes, documents, diskettes, CDs and other media</li>
</ul></li>
</ul>
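<p>The slides tell the examiner to run CRCMD5 and Disksig on the victim drive and later to verify the copy, but do not show what those signatures look like or how a mismatch is spotted. The following is an added example of mine, not NTI's tools or code from the deck: per-file CRC-32 and MD5 records in the spirit of "Crcmd5 /s", a whole-image signature in the spirit of "Disksig" that skips the boot sector unless asked to include it (the "/b" behaviour), and a comparison of two runs. The 512-byte boot-sector size, the scratch files and the 2048-byte image are my assumptions and constructed sample data.</p>

```python
"""Added example (not from the slides): CRCMD5/Disksig-style signatures."""
import hashlib
import os
import tempfile
import zlib

SECTOR = 512  # assumed boot-sector size; the slides do not state one


def crcmd5_file(path, chunk=1 << 16):
    """Return CRC-32 and MD5 for one file, read in chunks so large files fit."""
    crc = 0
    md5 = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            crc = zlib.crc32(block, crc)
            md5.update(block)
            size += len(block)
    return {"file": os.path.basename(path), "size": size,
            "crc32": f"{crc & 0xFFFFFFFF:08X}", "md5": md5.hexdigest()}


def crcmd5_tree(root):
    """Like 'Crcmd5 /s': one record per file under root, sorted by relative path."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rec = crcmd5_file(path)
            rec["file"] = os.path.relpath(path, root).replace(os.sep, "/")
            records.append(rec)
    records.sort(key=lambda r: r["file"])
    return records


def disksig(image, include_boot=False):
    """Signature of a whole image; the first sector is skipped unless include_boot ('/b')."""
    start = 0 if include_boot else SECTOR
    return hashlib.md5(image[start:]).hexdigest()


def verify(before, after):
    """Compare two Crcmd5 runs; return files whose digests changed or that vanished."""
    after_by = {r["file"]: r for r in after}
    changed = []
    for rec in before:
        other = after_by.get(rec["file"])
        if other is None or other["md5"] != rec["md5"] or other["crc32"] != rec["crc32"]:
            changed.append(rec["file"])
    return changed


def demo():
    """Constructed sample: three files on a scratch 'drive', then one is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        for rel, data in (("a.txt", b"hello\r\n"), ("empty.bin", b""),
                          ("sub/b.txt", b"world\r\n")):
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(data)
        before = crcmd5_tree(tmp)
        with open(os.path.join(tmp, "a.txt"), "ab") as fh:  # alteration after baseline
            fh.write(b"!")
        after = crcmd5_tree(tmp)
    image = bytes(range(256)) * 8  # constructed 2048-byte image = 4 sectors
    return {"before": before, "changed": verify(before, after),
            "sig_no_boot": disksig(image), "sig_boot": disksig(image, include_boot=True)}


if __name__ == "__main__":
    result = demo()
    for rec in result["before"]:
        print(f"{rec['crc32']}  {rec['md5']}  {rec['size']:>6}  {rec['file']}")
    print("changed since baseline:", result["changed"])
    print("disksig (boot excluded):", result["sig_no_boot"])
    print("disksig /b (boot included):", result["sig_boot"])
```

<p>Keeping both digests per file mirrors the tool's purpose: a later run that disagrees on either value shows the copy no longer matches the original. The image signature deliberately ignores the first sector so that a boot-sector change alone does not alter it, which is why the deck offers "/b" as a separate option.</p>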

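<p>The "Recycle Bin" and "Recycled" slides above state that a deleted file is renamed in the bin from its original drive letter, an index number and its original extension, and that the deletion date and time live in the hidden INFO/INFO2 file rather than in the bin listing. The following is an added example of mine, not code from the deck: it parses a DOS "dir" listing of the Recycled folder, decodes the renamed entries, and orders them two ways. The timestamp that "dir" shows is kept under "listed" and is never treated as the deletion time. SAMPLE_DIR is a constructed excerpt in the shape of the C:\RECYCLED listing; treating the index as increasing in deletion order is my assumption.</p>

```python
"""Added example (not from the slides): Recycled folder listing parser."""
import re
from datetime import datetime

# Constructed excerpt in the shape of the C:\RECYCLED listing on the slide.
SAMPLE_DIR = """\
DC178    TXT        72  01-24-03   8:54a DC178.TXT
DC179    TXT        96  01-24-03   8:54a DC179.TXT
DC180    TXT        74  01-23-03  12:11p DC180.TXT
DC197    TXT       163  01-25-03   3:01p DC197.TXT
DC198    TXT        70  02-05-03   8:56a DC198.TXT
      198 file(s)      2,723,699 bytes
        2 dir(s)      15,511.09 MB free

C:\\RECYCLED>
"""

# 8.3 name, extension, size, MM-DD-YY, H:MMa/p, long name
LINE_RE = re.compile(
    r"^(?P<name8>\S+)\s+(?P<ext>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[ap])\s+(?P<long>\S+)$")
# D + original drive letter + index number + original extension, e.g. DC178.TXT
BIN_NAME_RE = re.compile(r"^D(?P<drive>[A-Za-z])(?P<index>\d+)(?:\.(?P<ext>\w+))?$")


def decode_bin_name(name):
    """Split a bin entry name into original drive, index number and extension."""
    m = BIN_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recycle-bin entry name: {name!r}")
    return {"drive": m["drive"].upper(), "index": int(m["index"]),
            "ext": (m["ext"] or "").upper()}


def parse_dos_stamp(date, time):
    """'01-24-03', '8:54a' -> datetime; the two-digit year is read as 20xx (assumed)."""
    return datetime.strptime(f"{date} {time.upper()}M", "%m-%d-%y %I:%M%p")


def parse_listing(text):
    """Turn 'dir' output into entry dicts; totals, blanks and the prompt are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        info = decode_bin_name(m["long"])
        entries.append({
            "bin_name": m["long"],
            "size": int(m["size"].replace(",", "")),
            "listed": parse_dos_stamp(m["date"], m["time"]),  # NOT the deletion time
            "orig_drive": info["drive"],
            "index": info["index"],
            "orig_ext": info["ext"],
        })
    return entries


def order_by_index(entries):
    """Bin index order (assumed to follow the order entries were added)."""
    return sorted(entries, key=lambda e: e["index"])


def order_by_listed(entries):
    """Order by the timestamp 'dir' shows; stable, so ties keep listing order."""
    return sorted(entries, key=lambda e: e["listed"])


def total_bytes(entries):
    return sum(e["size"] for e in entries)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_DIR)
    for e in order_by_index(parsed):
        print(f"{e['index']:>4} drive {e['orig_drive']}: .{e['orig_ext']} "
              f"{e['size']:>5} bytes listed {e['listed']:%Y-%m-%d %H:%M}")
    print("by listed time:", [e["bin_name"] for e in order_by_listed(parsed)])
```

<p>The two orderings differ on the sample (DC180 carries an earlier listed time than DC178 and DC179 despite a higher index), which is the practical reason the deck sends you to INFO/INFO2 for the real deletion sequence rather than to the folder's own timestamps.</p>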

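<p>The "MAC Times" slide says the OS records modified, accessed and created times and that sorting them reveals a sequence of activities, and the intrusion slide asks for "new files created during timeline of theft". The following is an added example of mine, not code from the deck, showing one way to do both: each file's three stamps are flattened into a single chronological event list in the style of a mactime timeline, and a helper answers the creation-window question. The file paths and timestamps are constructed sample data.</p>

```python
"""Added example (not from the slides): MAC-time timeline from per-file stamps."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: (path, modified, accessed, created). Paths are hypothetical.
SAMPLE_FILES = [
    ("C:\\Users\\jdoe\\plan.doc",   "2003-01-22 17:49", "2003-01-24 08:54", "2003-01-22 17:49"),
    ("C:\\Users\\jdoe\\export.zip", "2003-01-23 12:07", "2003-01-23 12:11", "2003-01-23 12:07"),
    ("C:\\RECYCLED\\DC178.TXT",     "2003-01-24 08:54", "2003-01-24 08:54", "2003-01-22 18:15"),
]


def build_timeline(files):
    """Return [(datetime, 'mac' mask, path), ...] sorted by time, then path.

    Identical stamps on one file collapse into a single event whose mask shows
    every flag that applies, e.g. 'm.c' for a file written and created together.
    """
    events = {}
    for path, modified, accessed, created in files:
        for flag, stamp in (("m", modified), ("a", accessed), ("c", created)):
            when = datetime.strptime(stamp, FMT)
            events.setdefault((when, path), set()).add(flag)
    timeline = []
    for (when, path), flags in sorted(events.items()):
        mask = "".join(flag if flag in flags else "." for flag in "mac")
        timeline.append((when, mask, path))
    return timeline


def created_between(files, start, end):
    """Sorted paths whose creation time falls inside [start, end] (strings in FMT)."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    hits = [path for path, _m, _a, created in files
            if lo <= datetime.strptime(created, FMT) <= hi]
    return sorted(hits)


def render(timeline):
    """One event per line, for pasting into a report."""
    return "\n".join(f"{when:%Y-%m-%d %H:%M}  {mask}  {path}"
                     for when, mask, path in timeline)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_FILES)))
    print("created in window:",
          created_between(SAMPLE_FILES, "2003-01-22 18:00", "2003-01-23 23:59"))
```

<p>Reading the rendered output top to bottom gives the sequence the slide refers to: a document created and written, a second file created and then read, and finally the bin entry and the original document both touched in the same minute. The masks make a lone access ("." "a" ".") visibly different from a write, which matters when deciding whether a file was merely opened or actually changed.</p>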