module 07 windows forensics.pdf

Computer HackingForensic Investigator

Module VII

Windows Forensics

EC-CouncilCopyright © by EC-Council

All Rights reserved. Reproduction is strictly prohibited

Scenario

Ethan works as a technical consultant in a reputed IT firm. He plans of using a P2P program to download full length movies into his computer, which would definitely breach companies policies.Not aware of a trojan being loaded into his system, he downloads his favorite movie, Phone booth and watches it. To his shock, Ethan’s Windows 2000 based system failed to reboot the next day.His system administrator, Jake checks his system and changes the hard disk. A week later, when the reports came in from the forensic investigator, Ethan was fired for company policy breach.But how did the forensic investigator find out about Ethan’s activities?



Module Objective

Locating evidence on Windows systemsGathering volatile evidence Investigating Windows file slackExamining file systemsChecking RegistryImportance of Memory dumpSystem state backupInvestigating Internet traces



Module Flow

Locating evidence on Windows

system

Gathering volatile evidence

Investigating Windows file slackExamining File systems

Checking Registry Importance of memory dump

System state backupInvestigating Internet traces



Locating Evidence on Windows Systems

Hidden filesAssessing file attributes to find file signature The registrySearching Index.dat files

Areas to look for evidenceFiles

Slack space

Swap file

Unallocated clusters

Unused partitions

Hidden partitions



Gathering Volatile Evidence

Collecting volatile data using command prompt in Windows NT/2000System date and time• C:/>date ; C:/>time

Currently running processes• Tool - pslist

Currently open sockets• C:/>netstat

Applications listening on open sockets• Tool - fport

Current users logged on• Tool - psloggedon

Systems currently or recently connected.• C:/>nbstat



Forensic Tool: Pslist

Supports Windows NT/2000/XP

Lists all currently running processes on the system.

Information include:• Time of the process when executed

• Time the process has executed in kernel and user modes

• Physical memory that the OS has assigned the process



Forensic Tool: fport

Lists all open TCP/IP and UDP portsMaps the ports to their running processes with their • PID, • Process name, and • Path

Useful in locating unknown open ports and their related applications



Forensic Tool - Psloggedon

Displays locally logged on usersAlso displays users who are logged on through resources for either the local or a remote computerRuns a search on the computers present in the network neighborhood and informs if the user is currently logged on



Investigating Windows File Slack

File SlackThe space existing at the end of the file of the last cluster.Contains data from computers memory.Identifies network logon names, passwords and other sensitive information associated with computer.

File slacks can be gathered from a hard disk drive or a floppy diskette by using Encase Forensic edition tool

Examiner connects to target computer and selects media

Bit-level copy of the original media is created

It is checked again by generating its hash value

Investigation using keyword searches, hash analysis, file signature analysis, and Enscripts present in Encase tool



Run dir /o:d under c:/%systemroot%/system32> in DOS promptEnables the investigator to examine

• The time and date of the installation of the operating system• The service packs, patches, and sub-directories that automatically update

themselves very often– For example: drivers etc

Importance should be given to recently dated files

Examining File Systems



A program that displays all the unsigned drivers and related files in the computerA signed file indicates the authenticity and quality associated to a file from its manufacturerAny unsigned files can indicate presence of infected driver files placed by hackersMost of the driver files are signed by the operating system manufacturer such as MicrosoftHelps in finding the unsigned files present in the system

Built-in Tool: Sigverif



Word Extractor

Hacking tool that interprets human words from machine language Helps in many ways like finding a cheat in a game, finding hidden text or passwords in a file (exe, bin, dll), etc...



Checking Registry

HKEY_LOCAL_MACHINE• \Software\Microsoft\Windows\CurrentVersion\Run

• \Software\Microsoft\Windows\CurrentVersion\RunOnce

• \Software\Microsoft\Windows\CurrentVersion\RunOnceEx

• \Software\Microsoft\Windows\CurrentVersion\RunServices

• \Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

• \Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

Same for• HKEY_CURRENT_USER

• HKEY_USERS\.DEFAULT



Reglite.exe

Searches Registry



Tool: Resplendent Registrar 3.30

Controls system configurationReliable registry backupRepair broken Windows configurationsRemote access to systems on a network

http://www.resplendence.com/registrar



Microsoft Security ID

Microsoft Security IDs are available in Windows Registry

For accessing IDs, process is as follows:• Go to Registry Editor and view:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

• Present under the ProfileList key



Windows CD-KEY Revealer

This program reveals CD-KEY of a Windows operating system

Helps in investigating the ownership license of the OS software

Download this tool from http://www.eccouncil.org/cehtools/win-cdkey.zip

Note: This slide is not in your courseware

http://www.eccouncil.org/ceh-tools/win-cdkey.zip

http://www.eccouncil.org/ceh-tools/win-cdkey.zip



Importance of Memory Dump

Memory dump refers to copying data from one place to another without formattingUsed to diagnose bugsHelps in analyzing memory contents during program failureThe memory dumps contains information in binary, octal or hexadecimal formsMemory dump information can be checked using dumpchk.exe

A memory dump file records all information that made a computer to stop abruptly

Windows keeps a list of all the small memory dump files in the %SystemRoot%/Minidump folder



Manual Memory Dumping in Windows 2000

Right-click My Computer, and click Properties

Advanced tab -> Startup and Recovery

Select Complete memory dump and ensure that a valid dump file location is entered

Connect the Null modem cable to the server’s serial port

Editing boot.ini file• Copy the typical boot up entry and add it at the end of the boot.ini

file

• Add and mark the following description as Debug boot– /debug /debugport=com1 /baudrate=57600

Click Debug boot after rebooting the system



Memory Dumping in Windows XP and Pmdump

In Windows XPBy default, stores information to Pagefile.sys on the system root driveEnables offline analysis toolsContains small memory dump which uses upto 64 kb space.Stored in %systemroot%/Minidump folder

PMDump

A tool that dumps the memory contents of processor to a file without stopping the process

Stands for Post Mortem Dump

The dump information is saved on some secondary storage medium like magnetic tape or disk

Supports Windows 2000/XP/NT



System State Backup

Useful for forensic analysis of a Windows system

Windows backup or registry backup will not suffice

A full system state backup stores the following:• Active Directory

• The boot files.

• The COM+ class registration database.

• The Registry

• The system volume

• The IIS metabase.



How to Create a System State Backup?

Start -> Programs -> Accessories -> System Tools -> Backup.

In Backup tab, check the System State box

Select the Schedule Job tab and click Add Job button

Click Yes and choose media options

• Media type,

• Location and

• Backup name.

Click Next and recheck that Normal option is selected, then click Next

In the case of backing-up to disk, there will not be a need for verifying data. Click Next

Choose whether you want to append to or replace any existing backups. Click Next

Schedule the backup accordingly. Click Next

Set the account under which the backup should be run.

Click Finish



Investigating Internet Traces

Internet Explorer investigations• Cookies

– Windows 2000/XP

– <c:\Documents and settings\%username%\Cookies>

– Windows 95/98/ME

– <c:\Windows\Cookies>

• History

• Temporary Internet files



Tool - IECookiesView

Displays details of all cookies stored on the computer

View the contents of each cookie as well as save the cookies to a readable text file

Also enables the user to view references to deleted cookies



Tool - IE History Viewer

It parses and prints the history of visited URLsReads the NFO and INFO2 files from recycle bins of the Windows and also from the Netscape cache file "fat.db" and Netscape history file "Netscape.hst"



Forensic Tool: Cache Monitor

Offers real time view of current state cacheOffers an interface to modify dataAlso does the following:

• Verify the configuration of dynamic caches.• Verify the cache policies• Monitor cache statistics• Monitors data flowing through the caches.• Data in the edge cache• View data offloaded to the disk• Manage the data in the cache



CD-ROM Bootable Windows XP

Following are the methods of creating Bootable CD-ROM for Windows XP:• Bart PE (Bart Preinstalled Environment)

– Provide a complete Win32 environment with network support

– Rescuing files to a network share, virus scan etc

• Ultimate Boot CD– Provide shared internet access .

– Can Modify NTFS volumes,

– Recover deleted files,

– Create new NTFS volumes, scanning viruses etc.



Bart PE Screenshot



Ultimate Boot CD-ROM



List of Tools in UB CD-ROM



Summary

File Slack identifies network logon names, passwords and other sensitive information associated with computerThe investigator must look for renamed files, changed extensions and file attributes as they can be used to hide dataSigverif is a built-in Windows program that displays all the unsigned drivers and related files in the computerMemory dump refers to copying data from one place to another without formattingSystem state backup is useful for forensic analysis of a Windows system