Forensics 101 - PowerPoint PPT Presentation

1
Forensics 101
  • Incident Triage
  • Warren Raquel
  • Network Security Officer

2
Agenda
  • Considerations when compromised
  • What to do and not to do
  • What to look for
  • Available tools
  • ASK QUESTIONS!

3
Computer Forensics
  • Forensic: of or pertaining to the law
  • Detailed examination of computers
    (media/peripherals) in the interest of
    determining potential legal evidence

4
A Word About Evidence
  • Child Pornography
  • Sensitive Information
  • Criminal Activity
  • Contact Appropriate Party
  • NEVER MOVE OR DESTROY EVIDENCE!

5
Forensic Incident Triage
  • First responder tips
  • How not to corrupt evidence
  • How to make a decision regarding escalation

6
Full Investigations
  • Evidence seizure
  • Investigation and analysis
  • Reporting results

7
First Questions To Ask
  • Is this system mission critical?
  • Is there sensitive information?
  • Who owns the system?
  • Who manages the system?
  • Is it patched?
  • What firewall group is it in?
  • What am I allowed to do?

8
It's About Time!
  • Don't forget to take note of the time
  • BIOS clock (battery dead?)
  • Time zone settings
  • Offset
  • Timestamps may be UTC or Local
  • Vista: Last Accessed timestamp updating is disabled

9
What Not to Do
  • Delete files
  • Kill processes
  • Run a virus scan
  • Reboot
  • Run Firefly! :)

10
What To Do
  • Take notes
  • Ask questions
  • What happened?
  • What else is on the system?
  • Look around

11
Escalation
  • Criminal Activity?
  • Password Files
  • Sensitive Information
  • Not Sure????
  • Contact security@uiuc.edu

12
What Happens Next?
  • Evidence Seizure
  • Varies by situation
  • Chain of Evidence

13
Gathering Evidence - Volatile
  • Open Ports/Network Connections
  • Attached devices
  • Running programs
  • Bitlocker/Truecrypt?
  • RAM Dumps
  • Rootkits?

14
Volatile - Network Information
  • Netstat
  • TCPView from SysInternals (MS)
  • Found in RAM
  • IP Address/MAC/Active NICs

15
Volatile - Attached Devices
  • Mounted Volumes
  • Network Shares
  • USB/Firewire devices

16
Volatile - Running Programs
  • ps
  • tasklist.exe
  • Process Explorer (MS)
  • User Mode Process Dumper
  • WinHex

17
Volatile - Encryption
  • External Devices
  • TrueCrypt
  • EFS/Bitlocker
  • dm-crypt
  • FileVault

18
Volatile - RAM
  • Can detect rootkits
  • List of network connections
  • All processes, even hidden ones
  • Some programs are only in memory

19
Shutting Down
  • Varies by system
  • Remove network
  • Can corrupt various data
  • Can contaminate evidence

20
Offline
  • Imaging drives
  • Be aware of BIOS options
  • Encrypted Volumes
  • BEWARE OF DATA CORRUPTION!

21
Where to Look
  • Logs
  • Hidden Directories
  • Registry
  • Slack Space, unallocated space

22
Where to Look - Mac
  • Home Subdirectories
  • Address Book Cache
  • plist files
  • Log files
  • Disk Arbitration

23
Where to Look - nix
  • History
  • wtmp/last
  • syslog
  • ps
  • SUID bit
  • Hidden folders, e.g. a directory named ". " (dot followed by a space)
  • Proc folder

24
Where to Look - Windows
  • Logs, logs logs
  • Documents and Settings/Users
  • Registry
  • Prefetch files
  • NTFS artifacts

25
Windows Logs
  • Event Logs (FixEvt.exe)
  • System/Security/Application/Internet/Office
  • LogParser
  • SQL queries to pull data
  • Vista logging - oO

26
Documents and Settings
  • Per user data
  • Users in Vista
  • NTUSER.DAT (HKCU)
  • Creation Date

27
Registry
  • NTUSER.DAT
  • System/Security/Software
  • Best observed offline
  • Can't copy live registry hives

28
Registry Artifacts
  • Time Zone
  • UserAssist
  • Bitlocker Keys

29
Registry Artifacts Time Zone
  • HKLM\System\ControlSet001\Control\TimeZoneInformation

30
Registry Artifacts - UserAssist
  • HKCU\Soft..\Micr..\Win..\Cur..\Exp..\UserAssist\750487.\Count
  • ROT13
  • Used to list frequently used programs
  • Last Run, Count
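
The decoding the slide describes, as an added example that is not part of the deck: the value name is un-ROT13'd, the 16-byte XP/2003 record is split into session id, run count and last-run FILETIME, and the FILETIME (always UTC) is also expressed in the machine's local time using the ActiveTimeBias value from the TimeZoneInformation key on the previous slide. The value name, record bytes and bias of 300 minutes are constructed sample data, not taken from any real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample (not from any real system): a UserAssist value name as it is
# stored, ROT13-obfuscated, plus a 16-byte XP/2003-style data record built from
# a FILETIME for 2008-06-15 12:00:00 UTC (precomputed constant).
SAMPLE_NAME = codecs.encode("UEME_RUNPATH:C:\\Windows\\system32\\calc.exe", "rot_13")
SAMPLE_FILETIME = 128580048000000000
SAMPLE_DATA = struct.pack("<IIQ", 1, 11, SAMPLE_FILETIME)  # session id, count, last-run FILETIME

# ActiveTimeBias (minutes, UTC = local + bias) as read from
# HKLM\System\ControlSet001\Control\TimeZoneInformation; 300 = UTC-5 (CDT), an assumed value.
SAMPLE_ACTIVE_TIME_BIAS = 300


def filetime_to_utc(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist(name, data, active_time_bias=0, xp_count_offset=True):
    """Decode one UserAssist\\{GUID}\\Count value.

    name: ROT13-obfuscated value name (e.g. "HRZR_EHACNGU:..." for "UEME_RUNPATH:...").
    data: 16-byte record: DWORD session, DWORD run count, FILETIME last run, all little-endian.
    Returns the decoded name, the run count and the last-run time in UTC and in the
    machine's local time derived from ActiveTimeBias.
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP/2003 UserAssist record, got %d bytes" % len(data))
    session, count, ft = struct.unpack("<IIQ", data)
    # XP/2003 start the counter at 5, so the number of actual launches is count - 5.
    runs = count - 5 if xp_count_offset else count
    last_run_utc = filetime_to_utc(ft) if ft else None  # 0 means no time recorded
    local_tz = timezone(timedelta(minutes=-active_time_bias))
    return {
        "name": codecs.decode(name, "rot_13"),
        "session": session,
        "run_count": runs,
        "last_run_utc": last_run_utc,
        "last_run_local": last_run_utc.astimezone(local_tz) if last_run_utc else None,
    }


if __name__ == "__main__":
    for key, value in parse_userassist(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_ACTIVE_TIME_BIAS).items():
        print(f"{key:15} {value}")
```

Report both the UTC and the local time: the registry stores UTC, and a timeline built from a mix of UTC and local timestamps (the "Offset" point from slide 8) is the classic way to put events in the wrong order.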

31
Registry Artifacts - MUICache
  • HKCU\Sof..\Mic..\Win..\ShellN..\MUICache
  • Any executable ever run on the system
  • Application Name

32
Bitlocker
  • Password File <VolumeGUID>.txt (1KB)
  • Recovery Key <GUID>.BEK (1KB)
  • cscript manage-bde.wsf protectors C:
  • Auto-unlock keys stored HKLM\System\CurrentControlSet\Control\FVEAutoUnlock\VolumeGUID

33
Windows Prefetch
  • WINDIR\Prefetch\<program>-<hash>.pf
  • Header has last run and run count
  • List of dlls loaded
  • Application Hosting vs Normal
  • Limited to 128 .pf files

34
About Slack Space
  • [ file data | RAM slack | disk slack ]
  • RAM Slack: from the end of the file data to the end of the last sector
  • Disk Slack: from that sector to the end of the cluster (hidden data?)

35
NTFS Artifacts
  • Object IDs
  • LogFile
  • AttributeIDs
  • Alternative Data Streams
  • Recycle Bin/System Information

36
LNK files
  • Stores 3 timestamps (MAC) of target
  • Uses ObjectID to find file (Distributed Link
    Service)
  • Can determine when file was first accessed.
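
To show where the three target timestamps sit, here is an added parser for the fixed 76-byte ShellLinkHeader at the start of every .lnk file; it is not code from the deck. The header holds the target's creation, access and write FILETIMEs and its size; the "first accessed" point on the slide comes from the shortcut file's own creation time on disk, which this code does not read. The sample header is constructed with struct.pack from made-up timestamps, not taken from a real shortcut.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian GUID) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# ShellLinkHeader: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
LNK_HEADER_FMT = "<I16sIIQQQIIIHHII"
assert struct.calcsize(LNK_HEADER_FMT) == LNK_HEADER_SIZE


def filetime_to_utc(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01) -> aware UTC datetime, None if unset."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def build_sample_lnk_header(created, accessed, written, size, flags=0x1):
    """Construct a minimal valid header (test data only, not a real shortcut).
    flags=0x1 is HasLinkTargetIDList; 0x20 is FILE_ATTRIBUTE_ARCHIVE; ShowCommand 1 = SW_SHOWNORMAL."""
    return struct.pack(LNK_HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                       created, accessed, written, size, 0, 1, 0, 0, 0, 0)


# Constructed sample: created/modified 2008-06-15 12:00:00 UTC, accessed one day later, 1234 bytes.
SAMPLE_LNK = build_sample_lnk_header(128580048000000000, 128580912000000000,
                                     128580048000000000, 1234)


def parse_lnk_header(blob):
    """Return the target's M/A/C timestamps and size from the ShellLinkHeader of a .lnk file."""
    if len(blob) < LNK_HEADER_SIZE:
        raise ValueError("file too short for a ShellLinkHeader")
    (hsize, clsid, flags, attrs, ctime, atime, wtime, size,
     *_rest) = struct.unpack_from(LNK_HEADER_FMT, blob, 0)
    if hsize != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader (bad HeaderSize or LinkCLSID)")
    return {
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(wtime),
        "target_size": size,
        "target_attributes": attrs,
        "link_flags": flags,
        "has_link_target_id_list": bool(flags & 0x1),
    }


if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:25} {value}")
```

The structures after the header (the ID list, LinkInfo with the volume serial and local path, and the tracker block that carries the ObjectID) are variable-length and start at offset 76; the CLSID check above is what keeps a renamed non-shortcut from being misread as one.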

37
Object IDs
  • Distributed Link Tracking service (DLT)
  • RFC 4122 v1
  • Timestamp
  • Primary MAC address
  • Boot Sequence

38
Object ID Structure
  • A6124319-7710-11D6-B63D-00038A000015
  • 60-bit counter
  • Clock Sequence
  • Primary MAC address
  • HKLM\Soft\Micr\Rpc\UuidSequenceNumber
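
Taking the slide's example value apart, as an added example rather than code from the deck: an NTFS ObjectID is an RFC 4122 version 1 UUID, so the 60-bit timestamp, the 14-bit clock sequence (the "Boot Sequence" of slide 37, persisted under the UuidSequenceNumber key) and the 48-bit node (the primary MAC address) can be pulled straight out of it with Python's standard uuid module. Only the UUID string itself comes from the slide; the version-4 UUID used to show the rejection path is a constructed value.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUID timestamps are 100-ns ticks since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# The example from the slide; everything else here is derived from it.
SAMPLE_OBJECT_ID = "A6124319-7710-11D6-B63D-00038A000015"


def parse_object_id(text):
    """Split an NTFS ObjectID (RFC 4122 v1 UUID) into timestamp, clock sequence and MAC."""
    u = uuid.UUID(text)
    if u.version != 1:
        raise ValueError(f"not a time-based (version 1) UUID: version {u.version}")
    # Reassemble the 60-bit counter: time_hi (12 bits) | time_mid (16 bits) | time_low (32 bits).
    ts = ((u.time_hi_version & 0x0FFF) << 48) | (u.time_mid << 32) | u.time_low
    assert ts == u.time  # the stdlib exposes the same value
    when = GREGORIAN_EPOCH + timedelta(microseconds=ts // 10)
    # 14-bit clock sequence: bumped when the clock is set back or the generator restarts.
    clock_seq = u.clock_seq
    node = u.node
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # RFC 4122: a node that is not a real MAC has the multicast bit (LSB of the first octet) set.
    random_node = bool((node >> 40) & 0x01)
    return {
        "raw_timestamp": ts,
        "timestamp_utc": when,
        "clock_seq": clock_seq,
        "mac": mac,
        "random_node": random_node,
    }


if __name__ == "__main__":
    for key, value in parse_object_id(SAMPLE_OBJECT_ID).items():
        print(f"{key:15} {value}")
```

For the slide's value this gives a June 2002 timestamp, clock sequence 0x363D and MAC 00:03:8a:00:00:15 with the multicast bit clear, i.e. a real adapter address. Because the MAC and clock sequence identify the machine and boot session that generated the ID, ObjectIDs found in LNK files let an examiner tie a shortcut back to the volume and host it was created on.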

39
LogFile
  • A basic metadata transaction log
  • May hold CLI execution commands

40
Thumbs.db
  • Stores thumbnails even after deletion
  • Vista no longer uses Thumbs.db
  • App..Data/Mic..Inter..Exp../Thumbscache<>

41
Alternative Data Stream
  • file.exe:stream.exe
  • Alternate Data attribute
  • LADS (List Alternative Data Streams)
  • LNS (List NTFS Streams)

42
Recycle Bin
  • INFO2 record
  • \Recycler\SID
  • Original Location
  • File size
  • Deletion time
  • INFO2 deleted when Bin is emptied
  • Can be found in slack

43
Forensic Tools
  • Helix
  • TSK/Autopsy
  • EnCase
  • SMART Linux
  • FTK
  • X-Ways Forensics
  • WetStone
  • HBGary Responder
  • Clearwell

44
Acquisition Tools
  • Helix
  • Specialized hardware (Tableau/VroomTech)
  • dd

45
Analysis Tools
  • Volatility (RAM)
  • Sandman (hibernation file)
  • Anubis/ThreatExpert
  • VirusTotal

46
Questions?
  • Feel free to email me any questions
  • wraquel@uiuc.edu
  • This PowerPoint has extra notes in the notes
    section
  • Thanks!