Windows%20Forensics

About This Presentation

Title:

Windows%20Forensics

Description:

... used to gain entry to computer. via a device without human intervention ... watch out for anti-forensics, booby-traps. consider how to stop computer processing ... – PowerPoint PPT presentation

Number of Views:92

Avg rating:3.0/5.0

Slides: 19

Provided by: stephen164

Learn more at: http://css.insttech.washington.edu

Category:

more less

Transcript and Presenter's Notes

Title: Windows%20Forensics

1
Windows Forensics

24 Jan 2008
TCSS431 Network Security
Stephen Rondeau
Institute of Technology
Lab Administrator

2
Agenda

Forensics Background
Operating Systems Review
Select Windows Features
Vectors and Payloads
Forensics Process
Forensics Tools Demonstration

3
Forensics Background

Inspection of computer system for evidence of
crime
unauthorized use
Evidence gathering/preservation techniques for
admissibility in court of law
Consideration of suspect's level of expertise
Avoidance of data destruction or compromise

4
Operating System Review

What does an OS do?

5
Operating System Review

What does an OS do?
starts itself
low-level management of
interrupts, time, memory, processes, devices
(storage, communication, keyboard, display,
etc.)?
higher-level management of
file system, users, user interface, apps
addresses issues of fairness, efficiency, data
protection/access, workload balancing

6
Select Windows Features

Kernel vs. User Mode
Kernel features (architecture)?
device drivers
installable file system
object security
Services
User accounts, passwords and privileged groups
Security policies

7
Computing Devices Simplistic

Computing Device
takes some input
processes it
OS, services, applications
provides some output
Network
connects device
Data

8
Computing Devices Reality
In
Human K/M/touch,etc.
Out
Human A/V
Data Scanner/GPS
In/Out
Data Storage Device, PC/Express Card, Network,
Printer, Etc.
9
Computing Devices Connections

removable media
floppy,CD/DVD,flash,microdrive
PC/Express Card
wired
serial/parallel,USB,Firewire,IDE/SATA,SCSI/SAS
twisted pair
wireless
radio (802.11, cellular, Bluetooth)?
Infrared (IR)?
Ultrasound

10
Vectors and Payloads

Vector route used to gain entry to computer
via a device without human intervention
via an unsuspecting or willing person's actions
Payload what is delivered via the vector
malicious code
may be multiple payloads
spyware, rootkits, keystroke loggers, bots,
illegal software, spamming, etc.

11
Forensics Process

Assess (after permission is granted)?
determine how to approach affected system(s)?
inspect physical environment
watch out for anti-forensics, booby-traps
consider how to stop computer processing
Acquire
capture volatile data
copy hard drive
Analyze

12
Volatile Data

All of RAM, plus paging area
Logged on users
Processes (regular and services)?
Process memory
Buffers
Clipboard
Network Information (incoming and outgoing)?
Command history

13
Nonvolatile Data

Partitions
Files
hidden, streams
Registry Keys
Recycle Bin
Scheduled Tasks
User Account and Group Information
Logs

14
What to Look For

Know baseline system what to expect of good
system
Malware Footprint
in logs
on file system (changed dates/sizes, hidden)?
in registry
in startup areas
in services list
in network connections
Abnormality function, performance, traffic
patterns
Cross-check with multiple tools

15
Microsoft Tools

Basic
Prevent Windows Update, Time Service, Routing
and Remote Access, LocalService, NetworkService,
Runas
Inspect net user/group/localgroup, Active
Directory Users and Groups, Event Viewer,
EventCombMT, systeminfo, auditpol, Security
Configuration Manager
Fix Malicious Software Removal, Security
Configuration Manager
Network tools
netstat -anob, nbtstat, ping, tracert, arp,
netsh, ipconfig
File
dir /ah, dir /od, dir /tc, findstr, cacls
Services
net start/stop, sc, services.msc
Process
tasklist, taskkill, schtasks