File000125
Desmond Devendran
1. Module XII – Windows Forensics I

2. News: Passware Exposes Private Data Indexed by Windows Search
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
New evidence discovery software extracts all users' data from a Windows Search database.
MOUNTAIN VIEW, Calif., Nov. 12 - Passware, Inc., the expert in cryptanalysis, introduces a new evidence discovery solution for Windows Vista, XP, and Server 2003. Passware Search Index Examiner makes all the data indexed by Windows Search instantly accessible to computer forensics and IT professionals. Search Index Examiner lists all the documents, emails, and spreadsheets, and provides creation and modification dates, author, recipients, summary content, and other information for each item. The only data it needs from the target computer is a Windows Search database.
A quick scan of a Windows Search database can find documents relevant to a case, and even a preview of files and items which have been deleted, deliberately or not. It takes under 10 minutes to perform a full scan, extracting over 150,000 items. As an average personal computer stores far fewer items, a typical extraction is almost instant. The wizard interface makes the process easy as ABC.
Source: http://news.thomasnet.com/
3. Module Objective
This module will familiarize you with:
• Collecting volatile and non-volatile information
• Windows memory analysis
• Windows Registry analysis
• Windows file analysis
• Text-based logs
• Other audit events
• Forensic analysis of event logs
• Tool analysis
• Windows password issues

4. Module Flow
• Collecting volatile and non-volatile information
• Windows memory analysis
• Windows Registry analysis
• Windows file analysis
• Text-based logs
• Other audit events
• Forensic analysis of event logs
• Tool analysis
• Windows password issues

5. Volatile Information
Volatile information can be easily modified or lost.
It helps you to determine a logical timeline of the security incident and the users who would be responsible.
Volatile information includes:
• System time
• Logged-on user(s)
• Open files
• Network information
• Network connections
• Process information
• Process-to-port mapping
• Process memory
• Network status
• Clipboard contents
• Service/driver information
• Command history
• Mapped drives
• Shares

6. Non-volatile Information
Non-volatile information resides on secondary storage and persists long-term.
It is non-perishable and can be collected after the volatile data collection.
Non-volatile information includes:
• Hidden files
• Slack space
• Swap file
• Index.dat files
• Metadata
• Hidden ADS streams
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Event logs

7. Module Flow (diagram): Forensics Tools; Collecting Volatile Information; Collecting Non-volatile Information; Windows Memory Analysis; Cache, Cookie and History Analysis; MD5 Calculation; Text-based Logs; Metadata Investigation; Forensic Analysis of Event Logs; Other Audit Events; Windows Registry Analysis; Windows File Analysis; Windows Password Issues
8. System Time
System time gives an accurate timeline of events that have occurred on the system.
Collect the system time from:
• The clock in the right bottom corner of the screen
• The time /t command

9. Logged-on Users
Collect information about users logged on to the system, both locally and remotely.
Note down the context of a running process, the owner of a file, or the last access time on files.
Tools and commands to determine logged-on users are:
• Psloggedon
• Net Sessions
• Logonsessions

10. Logged-on Users (cont’d): Psloggedon Tool
• It shows the name of the user logged on locally as well as remotely
• Syntax: psloggedon [-] [-l] [-x] [computername | username]

11. Logged-on Users (cont’d): Net Sessions Command
• It gives information about the username and IP address used to access the system via a remote login session, and the type of client system used

12. Logged-on Users (cont’d): Logonsessions Tool
• It lists the authentication package used, the type of logon, and the active processes

13. Open Files
Collect information about the files opened by the intruder using a remote login.
Tools and commands used to collect open-file information:
• Net File command
• Psfile tool
• Openfiles command

14. Net File Command
The net file command displays the names of all open shared files on a system.
The syntax of the net file command:

15. Psfile Tool
Use the Psfile tool to list or close files that are opened remotely.
Syntax:
• psfile [RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

16. Openfiles Command
Use the Openfiles command to list or disconnect files and folders that are opened on a system.
Syntax of the Openfiles command:
• OPENFILES /parameter [arguments]
Examples:
• OPENFILES /Disconnect
• OPENFILES /Query
• OPENFILES /Local

17. NetBIOS Name Table Cache
The NetBIOS name table cache maintains a list of connections made to other systems using NetBIOS.
It contains the remote systems’ names and IP addresses.
You can use the Windows built-in command line utility nbtstat to view the NetBIOS name table cache.
Syntax of the nbtstat command:
• nbtstat [[-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]]
nbtstat with the -c switch shows the NetBIOS name table cache.
18. Network Connections
Collect the details of the network connections from the affected system.
It helps to find out:
• A logged-on attacker
• IRC bot communication
• Worms logging into a command and control server
Netstat Tool
• Netstat is a tool for collecting information regarding network connections
• It provides a simple view of TCP and UDP connections and their state, and network traffic statistics

19. Netstat with the -ano Switch: Screenshot
Netstat with the -ano switch displays the TCP and UDP network connections, listening ports, and the process identifiers (PIDs) that own them.

20. Netstat with the -r Switch: Screenshot
Netstat with the -r switch displays the routing table and shows the persistent routes enabled on the system.

21. Process Information
Investigate the processes running on a potentially compromised system.
Collect information from Task Manager.
Search for:
• The full path to the executable image (.exe file)
• The command line used to launch the process, if any
• The amount of time that the process has been running
• The security/user context that the process is running in
• Which modules the process has loaded
• The memory contents of the process

22. Task Manager: Screenshot

23. Process Information (cont’d)
The tools and commands to collect process information:
• Tlist tool
• Tasklist command
• Pslist
• Listdlls
• Handle

24. Tlist Tool
Tlist is included as part of the Microsoft Debugging Tools.
It displays a good deal of information about running processes.
Syntax of the tool:
• TLIST, TLIST -t, TLIST pid, TLIST -t pid, TLIST pattern, TLIST -t pattern

25. Tasklist Command
Tasklist is a native utility included with Windows XP Pro and Windows 2003 installations.
Tasklist provides options for output formatting, with a choice between table, CSV, and list formats.

26. Tasklist with the /v Switch: Screenshot (cont’d)
The /v switch provides verbose information about the listed processes, including the image name, PID, and the name and number of the session for the process.

27. Pslist Tool
Pslist displays basic information about running processes on a system.
Pslist can also show detailed information about the threads or memory used by a process:
• The -x switch displays details about the threads and memory used by each process

28. Listdlls Tool
The Listdlls tool shows the modules or DLLs that a process is using.
• These DLLs are important as they provide the actual code that is executed

29. Handle Tool
The Handle tool shows the various handles that processes have open on a system.
It shows information about open files, ports, Registry keys, and threads.
This information is useful to determine the resources accessed by a process while it is running.
Syntax:
• handle [[-a] [-u] | [-c <handle> [-y]] | [-s]] [-p <process name>|<pid>] [name]

30. Process-to-Port Mapping
Process-to-port mapping traces which process is using which port, and which protocol is connected to which IP address.
The tools and commands to retrieve the process-to-port mapping:
• Netstat command
• Fport tool
• Openports tool

31. Netstat Command
The netstat command with the -o switch displays the process ID of the process responsible for each network connection.

32. Fport Tool
The Fport tool obtains the process-to-port mapping.
It needs to be run from an Administrator account to obtain the information.

33. Openports Tool
The Openports tool obtains the process-to-port mapping and provides multiple output formats.
It does not require an Administrator account to be used.
The -fport switch provides Fport-style output: it displays the PID, the name of the process, and the port number.
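The process-to-port mapping of slides 30 and 31, built from the netstat -ano output of slide 19 joined with the CSV output of tasklist from slide 25, as an added Python example that is not part of the original deck. The netstat and tasklist text is constructed in the format those commands print; the internal address ranges and the PortOwner type are the example's own choices.

```python
"""Join `netstat -ano` with `tasklist /fo csv` into a process-to-port mapping.

Added example, not from the EC-Council module. Both inputs are constructed
samples in the format the two Windows commands print; nothing was captured
from a real system.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed `netstat -ano` output (TCP rows carry a State column, UDP rows do not).
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      198.51.100.7:51200     ESTABLISHED     1044
  TCP    192.168.1.20:49173     203.0.113.9:6667       ESTABLISHED     2316
  TCP    [::1]:5357             [::1]:49200            ESTABLISHED     1568
  UDP    0.0.0.0:500            *:*                                    1320
  UDP    127.0.0.1:1900         *:*                                    1568
"""

# Constructed `tasklist /fo csv` output, used to resolve PIDs to image names.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","300 K"
"svchost.exe","876","Services","0","7,512 K"
"svchost.exe","1044","Services","0","12,004 K"
"lsass.exe","1320","Services","0","9,980 K"
"svchost.exe","1568","Services","0","5,120 K"
"updater.exe","2316","Console","1","2,048 K"
"""

# Ranges treated as internal when judging a peer (RFC 1918, loopback, unspecified).
# ipaddress.is_private would also hide the documentation ranges used in the sample,
# so the membership test is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")]


@dataclass(frozen=True)
class PortOwner:
    pid: int
    image: str      # "<unknown>" when the PID was not in the tasklist snapshot
    proto: str
    local: str
    remote: str
    state: str      # "" for UDP


def split_endpoint(endpoint: str) -> tuple[str, str]:
    """'192.168.1.20:139' -> ('192.168.1.20', '139'); '[::1]:445' -> ('::1', '445')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> list[tuple[str, str, str, str, int]]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, header or blank line
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist_csv(text: str) -> dict[int, str]:
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def process_port_map(netstat_text: str, tasklist_text: str) -> list[PortOwner]:
    """Join the two snapshots on PID; a socket whose owner already exited stays
    in the list as <unknown> rather than being silently dropped."""
    names = parse_tasklist_csv(tasklist_text)
    return [PortOwner(pid, names.get(pid, "<unknown>"), proto, local, remote, state)
            for proto, local, remote, state, pid in parse_netstat(netstat_text)]


def listening_ports(owners: list[PortOwner]) -> dict[int, set[str]]:
    """PID -> {'TCP/135', ...} for TCP LISTENING sockets and all bound UDP sockets."""
    result: dict[int, set[str]] = {}
    for o in owners:
        if o.state == "LISTENING" or o.proto == "UDP":
            result.setdefault(o.pid, set()).add(f"{o.proto}/{split_endpoint(o.local)[1]}")
    return result


def external_established(owners: list[PortOwner]) -> list[PortOwner]:
    """ESTABLISHED TCP sessions whose peer lies outside the internal ranges: the rows
    to review first for a remote logon, IRC bot traffic or a C2 check-in."""
    out = []
    for o in owners:
        if o.state != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(split_endpoint(o.remote)[0])
        if not any(peer in net for net in INTERNAL_NETS):
            out.append(o)
    return out


if __name__ == "__main__":
    for o in external_established(process_port_map(NETSTAT_ANO, TASKLIST_CSV)):
        print(f"PID {o.pid:>5} {o.image:<12} {o.local} -> {o.remote}")
```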
34. Network Status
Check the network status of the system to find out whether the system is connected to a wireless access point and what IP address is being used.
Tools for network status detection are:
• Ipconfig command
• Promiscdetect tool
• Promqry tool

35. Ipconfig Command
Use the /all switch of the Ipconfig command to display the network configuration of the NICs on the system.

36. Promiscdetect Tool
The Promiscdetect tool detects whether the NIC is in promiscuous mode.

37. Promqry Tool
The Promqry tool is run against remote systems to determine the active network interfaces.

38. Other Important Information
Clipboard Contents
• Use the Pclip.exe utility to retrieve the contents of the clipboard
• It automates information collection through batch files and scripts
Service/Driver Information
• Check the service/driver information for any malicious program installed
Command History
• Use the doskey /history command to see previously typed commands

39. Other Important Information (cont’d)
Mapped Drives
• Drives could be mapped with malicious intent
• Drive mappings can be correlated with the network connection information retrieved earlier
Shares
• Get the information regarding the shared resources
• This information is maintained in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares
40. Module Flow (diagram): Forensics Tools; Collecting Volatile Information; Collecting Non-volatile Information; Windows Memory Analysis; Cache, Cookie and History Analysis; MD5 Calculation; Text-based Logs; Metadata Investigation; Forensic Analysis of Event Logs; Other Audit Events; Windows Registry Analysis; Windows File Analysis; Windows Password Issues

41. Collecting Non-volatile Information
Collect the non-volatile information from:
• Contents of Registry keys or files
• Event logs
• Index.dat
Collect information such as drives mapped to or from the system, services started, or applications installed.

42. Examining File Systems
Run dir /o:d in the %systemroot%\system32 directory at a command prompt.
This enables the investigator to examine:
• The time and date of the installation of the operating system
• The service packs, patches, and sub-directories that update themselves very often, for example drivers
Give priority to recently dated files.

43. Registry Settings
Use the Reg.exe command line tool for accessing and managing the Registry.
Some important Registry values that need to be noted down:
• ClearPageFileAtShutdown
• DisableLastAccess
• AutoRuns

44. Registry Settings (cont’d)
ClearPageFileAtShutdown:
• This Registry value tells the operating system to clear the page file when the system is shut down
• Otherwise, when the system is shut down, the information within the page file remains on the hard drive
• Bits of this information might provide important leads in an investigation
DisableLastAccess:
• Windows has the ability to disable updating of the last access times on files
• Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem, DisableLastAccess set to 1 turns the updates off
• In Windows XP and 2003, the same setting can be enabled via the fsutil command
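A check of the two Registry settings on this slide against reg query and fsutil output, added here as a Python example that is not from the module. The command output is constructed; the key paths and the value name NtfsDisableLastAccessUpdate are the real Windows locations of the settings the slide calls ClearPageFileAtShutdown and DisableLastAccess, and the 0/1 meaning follows the Windows XP/2003 behaviour the slide describes (the cross-check message and the missing-value default are the example's own assumptions).

```python
"""Interpret `reg query` and `fsutil` output for the settings named on the slide.

Added example, not from the EC-Council module. Output is constructed; key paths
and value names are the real Windows locations; 0/1 semantics are XP/2003-era.
"""
import re

# Constructed output of two `reg query` runs (the XP/2003 layout: key line, then
# indented "name  type  data" lines; DWORDs are printed as hex).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    ClearPageFileAtShutdown    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
    NtfsDisableLastAccessUpdate    REG_DWORD    0x1
"""

# Constructed output of `fsutil behavior query disablelastaccess`, used to cross-check.
FSUTIL_OUTPUT = "DisableLastAccess = 1\n"

MEMMGMT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
FILESYSTEM_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {(key_path, value_name): (reg_type, data)} from reg query output."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, rtype, data = m.groups()
            if rtype == "REG_DWORD":
                data = int(data, 16)          # "0x1" -> 1
            values[(key, name)] = (rtype, data)
    return values


def parse_fsutil_disablelastaccess(text):
    m = re.search(r"DisableLastAccess\s*=\s*(\d+)", text)
    return int(m.group(1)) if m else None


def assess(reg_text, fsutil_text=None):
    """Translate the raw values into what they mean for the examination."""
    vals = parse_reg_query(reg_text)
    findings = []
    # Assumption: a value that is absent behaves like 0 (the XP/2003 default).
    clear = vals.get((MEMMGMT_KEY, "ClearPageFileAtShutdown"), ("REG_DWORD", 0))[1]
    if clear == 0:
        findings.append("ClearPageFileAtShutdown=0: page file survives shutdown; acquire pagefile.sys")
    else:
        findings.append("ClearPageFileAtShutdown=1: a normal shutdown wipes the page file; "
                        "capture it from the live system before powering off")
    disabled = vals.get((FILESYSTEM_KEY, "NtfsDisableLastAccessUpdate"), ("REG_DWORD", 0))[1]
    fs = parse_fsutil_disablelastaccess(fsutil_text) if fsutil_text else None
    if fs is not None and fs != disabled:
        findings.append(f"Registry ({disabled}) and fsutil ({fs}) disagree on DisableLastAccess; re-check")
    if disabled == 1:
        findings.append("DisableLastAccess=1: last-access times are stale; do not build the timeline on them")
    else:
        findings.append("DisableLastAccess=0: last-access times are maintained and usable in the timeline")
    return findings


if __name__ == "__main__":
    for line in assess(REG_QUERY_OUTPUT, FSUTIL_OUTPUT):
        print(line)
```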
45.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Registry Settings (cont’d) • Many areas of the Registry are referred as autostart locations • These applications start when the system boots, user logs in, and the user takes a specific action • Collects the information with the help of the reg.exe tool or AutoRuns tools AutoRuns:
46.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Microsoft Security ID Microsoft Security IDs are available in Windows Registry The process for accessing IDs is: • Go to Registry Editor and view: • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileList • Present under the ProfileList key RockXP reveals Windows and MS Office CD-Key
47.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Event Logs Event logs change depends on what events are being audited and how they are configured Choose which data have to be collected depending on the instance occurred Use tools such as psloglist.exe and dumpevt.exe to retrieve the event records Copy .evt files from the system
48.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Index.dat File Index.dat file is used by the Internet Explorer web browser as an active database, which runs as long as a user is logged on Windows It is a repository of redundant information, such as visited web URLs, search queries, recently opened files, and form auto-complete information Separate index.dat files exist for the Internet Explorer history, cache, and cookies
49.
Index.dat File (cont'd)
Common index.dat file locations for Internet Explorer are shown in the table:

Operating System   File Path
Windows 95/98/Me   Windows\Temporary Internet Files\Content.IE5
                   Windows\Cookies
                   Windows\History\History.IE5
Windows NT         Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5
                   Winnt\Profiles\<username>\Cookies
                   Winnt\Profiles\<username>\Local Settings\History\History.IE5
Windows 2K/XP      Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5
                   Documents and Settings\<username>\Cookies
                   Documents and Settings\<username>\Local Settings\History\History.IE5
50.
Text View of an Index.dat File
51.
Devices and Other Information
• Collect other types of non-volatile information, such as the hard drives installed in the system
• Record the information for documentation purposes
• Use the DevCon tool to document devices that are attached to a Windows system
• Check the available device classes and the status of the connected devices with the help of DevCon
52.
DevCon Screenshot
The output of DevCon resources =ports
53.
DevCon Screenshot
The output of DevCon listclass usb 1394
54.
Slack Space
• Slack space is the space between the end of a file and the end of the disk cluster it is stored in
• Non-contiguous file allocation leaves more trailing clusters, and therefore more slack space
• The data residue in the slack space is retrieved by reading the complete cluster
• The DriveSpy tool collects all the slack space in an entire partition into a file
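To make the slack-space arithmetic concrete, here is an added Python example (not part of the original deck) that computes how many bytes of slack a file leaves in its last cluster and carves that residue out of a full-cluster read; the cluster image, file size, and residue text are constructed for the example.

```python
"""Slack-space arithmetic and residue extraction (added example, not from the deck).

A file occupies whole clusters; the bytes between the file's logical end and
the end of its last cluster are slack. Reading the complete cluster, rather
than only the file's length, recovers whatever was left there. The cluster
image built below is constructed for this example.
"""


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Number of whole clusters a file of file_size bytes occupies."""
    if cluster_size <= 0:
        raise ValueError("cluster size must be positive")
    return -(-file_size // cluster_size)  # ceiling division


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Bytes of slack in the file's last cluster (0 for an empty or exact-fit file)."""
    if file_size == 0:
        return 0
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def extract_slack(cluster_data: bytes, file_size: int, cluster_size: int) -> bytes:
    """Return the residue between the file's end and the end of its last cluster.

    cluster_data must hold the complete contents of every cluster allocated to
    the file, in logical order (a full-cluster read, as the slide describes).
    """
    allocated = clusters_needed(file_size, cluster_size) * cluster_size
    if len(cluster_data) < allocated:
        raise ValueError("cluster_data is shorter than the file's allocation")
    return cluster_data[file_size:allocated]


def build_sample_clusters(cluster_size: int = 4096, file_size: int = 6000) -> bytes:
    """Constructed sample: a 6000-byte file in two 4096-byte clusters, with an
    earlier file's residue still sitting in the slack of the second cluster."""
    residue = b"OLD DRAFT - text from a file deleted before the live file was written"
    image = bytearray(clusters_needed(file_size, cluster_size) * cluster_size)
    image[:file_size] = b"A" * file_size                    # live file content
    image[file_size:file_size + len(residue)] = residue      # residue left in slack
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_clusters()
    print("slack bytes in last cluster:", slack_bytes(6000, 4096))
    print("residue:", extract_slack(img, 6000, 4096).rstrip(b"\x00"))
```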
55.
Slack Space Information Collection
• Connect to the target computer and select the media
• Create a bit-level copy of the original media
• Verify the copy by generating its hash value
• Investigate using keyword searches, hash analysis, file signature analysis, and the EnScripts present in the EnCase tool
56.
Virtual Memory
• Virtual (or logical) memory is a concept that allows programmers to use a large range of memory or storage addresses for stored data
• Virtual memory can be scanned to find hidden running processes
• Examples of tools:
  • System Scanner
  • X-Ways Forensics
Figure: memory hierarchy (CPU Cache, RAM, Virtual Memory, Disk Storage)
57.
Tool: DriveSpy
• DriveSpy accesses physical drives and records all the activities to a log file
• It collects all the slack space in an entire partition into a file
• It can wipe an entire drive, an individual partition, unallocated space, or slack space
58.
Swap File
• A swap file is a space on a hard disk used as the virtual memory extension of a computer's RAM
• Swap files contain information about:
  • Files opened and their contents
  • Websites visited
  • Online chats
  • Emails sent and received
• On Windows, the swap file is a hidden file in the root directory called pagefile.sys
• The Registry path for the swap file settings is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
59.
60.
Windows Search Index
• The Windows Search index maintains a record of any document or application on the PC, and of the contents found within those items
• It maintains email messages, calendar events, contacts, and media files stored on the PC
• Windows Search indexes the contents of each user's "Documents" and "Favorites" folders
61.
Tool: Search Index Examiner
• Passware Search Index Examiner makes all the data indexed by Windows Search accessible
• This search index data can be used as evidence
• Passware Search Index Examiner lists:
  • Documents
  • Emails
  • Spreadsheets
  • Creation and modification dates
  • Author
  • Recipients
  • Summary content
• It targets the Windows Search database
62.
Collecting Hidden Partition Information
• A hidden partition is a logical section of a disk which is not accessible to the operating system
• A hidden partition may contain files, folders, or confidential data, or store a backup of the system
• Tools like Partition Logic help to collect the information from the hidden partition
• Partition Logic can create, delete, erase, format, defragment, resize, copy, and move partitions
63.
Partition Logic: Screenshot
64.
Hidden ADS Streams
• An Alternate Data Stream (ADS) holds security information and link information
• A user can hide data in alternate data streams
• An ADS can be created by typing notepad visible.txt:hidden.txt at the command prompt
• Data can be copied into an ADS with the command type atextfile > visible.txt:hidden2.txt
• Use the command more < visible.txt:hidden2.txt > newfile.txt to copy the ADS contents into a new file
65.
Investigating ADS Streams
• The ADS Streams tool can detect the presence of hidden NTFS streams on the target system
66.
Figure: module outline diagram with the topics: Windows Password Issues; Windows File Analysis; Windows Registry Analysis; Other Audit Events; Forensic Analysis of Event Logs; Metadata Investigation; Text Based Logs; MD5 Calculation; Cache, Cookie and History Analysis; Windows Memory Analysis; Collecting Non-Volatile Information; Collecting Volatile Information; Forensics Tools
67.
Windows Memory Analysis
• Analyze the memory to check for malware presence, because when malware is launched it is decrypted in memory
• If the malware was allowed to execute, it would exist in memory in a decrypted state
• Analyzing the contents of RAM helps to find what has been hidden in memory
68.
Importance of Memory Dump
• A memory dump refers to copying data from one place to another without formatting
• It is used to diagnose bugs
• It helps in analyzing memory contents during program failure
• Memory dumps contain information in binary, octal, or hexadecimal form
• This information can be checked using dumpchk.exe
69.
EProcess Structure
• Each process on a Windows system is represented as an executive process (EProcess) block
• The EProcess block is a data structure which contains attributes of the process, as well as pointers to other attributes and data structures
• EProcess contents can be viewed with the help of the Microsoft Debugging Tools and LiveKD.exe
• The debugger command dt -a -b -v _EPROCESS displays all the contents of the EProcess block
70.
EProcess Structure (cont'd)
Elements of the EProcess structure that are important to a forensic investigation:
• A PPEB_LDR_DATA structure that includes pointers or references to the DLLs used by the process
• A pointer to the image base address, where the beginning of the executable image file can be found
• A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process
71.
Process Creation Mechanism
Steps for process creation:
• The image (.exe) file to be executed is opened
• The EProcess object is created
• The initial thread is created
• The Windows subsystem is notified of the creation of the new process and thread, along with the ID of the process creator and a flag
• Execution of the initial thread starts
• Initialization of the address space is completed
72.
Parsing Memory Contents
Lsproc.pl:
• List Processes (lsproc.pl) locates processes in a RAM dump
• It takes the path and name of a RAM dump file
• Example: c:\perl\memory>lsproc.pl d:\dumps\dfrws1-mem.dmp
• The output is shown in six columns: Proc, PPID, PID, Name of the process, Offset of the process, Creation time
Figure: Output of lsproc.pl
73.
Parsing Memory Contents (cont'd)
Lspd.pl:
• lspd.pl is a Perl script that lists the details of a process
• It takes two arguments:
  • The path and name of the dump file
  • The offset of the process, taken from the lsproc.pl output
• Example: c:\perl\memory>lspd.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60
74.
Parsing Process Memory
• Use strings.exe or grep to parse through the contents of a RAM dump
• lspm.pl takes the following arguments:
  • The name and path of the dump file
  • The physical offset within the file of the process structure
• It extracts the available pages from the dump file and writes them to a file within the current working directory
• Example: c:\perl\memory>lspm.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60
75.
Extracting the Process Image
• lspi.pl is a Perl script that takes the same arguments as lspd.pl and lspm.pl
• It locates the beginning of the executable image for the process
• It parses the values contained in the PE header to locate the pages that make up the rest of the executable image file
• Example: c:\perl\memory>lspi.pl d:\dumps\dfrws1-mem.dmp 0x0414dd60
• The file extracted from the memory dump will not be exactly the same as the original, since some of the file's sections are writeable
76.
Collecting Process Memory
• Collect the contents of process memory available in a RAM dump file
• The pmdump.exe tool allows dumping the contents of process memory without stopping the process
• Process Dumper (pd.exe) dumps the entire process space, along with additional metadata and the process environment, to the console
• Process Dumper can redirect the output to a file or a socket
• Userdump.exe is another tool which dumps any process on the fly, without attaching a debugger and without terminating the process
77.
Figure: module outline diagram (same as slide 66)
78.
Inside the Registry
• An administrator can interact with the Registry through intermediate programs
• Graphical user interface (GUI) Registry editors such as Regedit.exe or Regedt32.exe are commonly used as the intermediate program
• There are five root folders in the Registry Editor:
  • HKEY_USERS
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_CURRENT_CONFIG
  • HKEY_CLASSES_ROOT
79.
Registry Editor: Screenshot
Figure: Registry Editor view showing the five root folders
80.
Inside the Registry (cont'd)
• The HKEY_USERS hive contains all the actively loaded user profiles for that system
• HKEY_CURRENT_USER is the active, loaded user profile for the currently logged-on user
• The HKEY_LOCAL_MACHINE hive contains a vast array of configuration information for the system, including hardware settings and software settings
• The HKEY_CURRENT_CONFIG hive contains the hardware profile information used during startup
• The HKEY_CLASSES_ROOT hive contains configuration information relating to which application is used to open various files on the system
81.
Registry Structure within a Hive File
• The various components of the Registry, called "cells", have a specific structure and contain specific information
• The types of cells and the information they contain:
  • Key cell: contains Registry key information and includes offsets to other cells as well as the LastWrite time for the key
  • Value cell: holds a value and its data
  • Subkey list cell: made up of a series of indexes pointing to key cells
  • Value list cell: made up of a series of indexes pointing to value cells
  • Security descriptor cell: contains security descriptor information for a key cell
82.
Registry Analysis
• During live response, you can retrieve and analyze much of the information in the Registry; the complete data is available during post-mortem investigation
• The ProDiscover tool is used to access the Registry during post-mortem analysis
• Steps to obtain information using ProDiscover:
  • Load the case into ProDiscover
  • Right-click the Windows directory in Content View
  • Choose Add to Registry Viewer
  • ProDiscover locates the hive files and displays them in the Registry Viewer
83.
System Information
• CurrentControlSet is a volatile portion of the Registry; the operating system uses CurrentControlSet to store the system's information
• It stores information such as the version of the operating system, the Service Pack level, and the name of the computer
• There are two control sets:
  • ControlSet001
  • ControlSet002
• Find the computer name in the ComputerName value of the following key: SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
• Find the time when the system was last shut down in the following key: SYSTEM\ControlSet00x\Control\Windows
84.
Time Zone Information
• Find information about the time zone settings in the following key: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
• Use the ActiveTimeBias value from the TimeZoneInformation key to translate or normalize the times from other sources on the system
85.
Shares
• Windows 2000, XP, 2003, and Vista systems create hidden administrative shares on a system
• If a share is created by the user with the help of the net share command, it can be found in the HKEY_LOCAL_MACHINE hive
• The path for the share is SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
86.
Audit Policy
• A system's audit policy is maintained in the Security hive, below the Policy\PolAdtEv key
• Its default value is of the REG_NONE data type and contains binary information
• The first 4 bytes (DWORD) of the binary data indicate whether auditing was enabled
• The value of the DWORD explains the status of the audit policy:
  • 00: There is no auditing
  • 01: Success events are audited
  • 02: Failure events are audited
  • 03: Both success and failure events are audited
87.
Wireless SSIDs
• On live systems, Windows XP maintains a list of Service Set IDentifiers (SSIDs) to which it has connected
• This list is maintained in the Registry key SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}
• Below this key, there is a value ActiveSettings and other values called Static#000x
• SSIDs for any wireless access points that have been accessed are included within this binary data
• Offset 0x10 is a DWORD value that contains the length of the SSID
88.
Autostart Locations
• Autostart allows applications to be launched without the user's interaction
• On a live Windows XP system, the command msconfig launches the System Configuration utility
• Path to the autostart option: Start > Run > type msconfig > press Enter
89.
Autostart Locations: Screenshot
90.
System Boot
• Malware can be launched from the autostart locations of the Registry while the system boots, even without user intervention
  • Example: Windows services at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
The "Current" ControlSet:
• Services that are present in the ControlSet include those that are scanned during startup and those that are launched automatically
• During intrusion analysis, you can use ProDiscover to locate the ControlSet marked Current
• You can sort the subkeys of the Services key based on their LastWrite times
• If there is a mismatch between the LastWrite times and the actual times at which the administrator launched legitimate programs, it implies a possible intrusion
91.
User Login
• When a user logs into a system, certain Registry keys are accessed and parsed so that the listed applications can be run
• These keys are:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• These Run keys are ignored if the system is started in Safe Mode
92.
User Activity
• Autostart Registry locations are accessed when the user starts any program
• Look for malware in these locations:
  • HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\command
  • HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command
• TaskMan allows the user to choose an application to replace the Task Manager
93.
Enumerating Autostart Registry Locations
• Use the AutoRuns tool to retrieve information from a number of autostart locations on a live system
• It retrieves entries from a number of Registry keys and displays the result
• It retrieves the description and publisher from the executable file pointed to by each Registry value and lists them in the Image Path column
94.
USB Removable Storage Devices
• Footprints or artifacts are created in the Registry when a USB device is connected to a Windows system
• The Plug and Play (PnP) Manager queries the device descriptor in the firmware for information about the device
• When a device is identified, a Registry key is created beneath HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
• The subkey beneath this key looks like Disk&Ven_###&Prod_###&Rev_###
• This subkey identifies a specific class of device; the fields represented by ### are filled in by the PnP Manager based on information found in the device descriptor
95.
USB Removable Storage Devices (cont'd)
• The value iSerialNumber is a unique instance identifier for the device and is similar to the MAC address of a network interface card
• ParentIdPrefix determines the last time the USB device was connected to the Windows system
• Its value can be used to correlate additional information from within the Registry, which is important for the investigation
• Navigate to the following key to find specific device classes: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
96.
Mounted Devices
• The MountedDevices key stores information about the various devices and volumes mounted to the NTFS file system
• The complete path to the key is HKEY_LOCAL_MACHINE\System\MountedDevices
• Use the ParentIdPrefix value found within the unique instance ID key to map the entry from USBSTOR to MountedDevices
97.
Finding Users
• Information about users is maintained in the Registry in the SAM hive
• The "sam.h" file is helpful in deciphering the structures and revealing the information
• The user's information is maintained in the F value located at SAM\SAM\Domains\Account\Users\{RID}
• Time/date stamps are represented as 64-bit FILETIME objects
• The values and their locations:
  • Bytes 8–15 represent the last login date for the account
  • Bytes 24–31 represent the date that the password was last reset
  • Bytes 32–39 represent the account expiration date
  • Bytes 40–47 represent the date of the last failed login attempt
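As an added example (not from the deck or from sam.h), the following Python decodes the four FILETIME fields at the offsets listed above from a SAM F value; the F value bytes are constructed, and only those four fields are modelled.

```python
"""Decode the account timestamps in a SAM "F" value (added example, not from the deck).

Layout taken from the slide: bytes 8-15 last login, 24-31 password last reset,
32-39 account expiry, 40-47 last failed login, each a little-endian 64-bit
FILETIME (100-ns intervals since 1601-01-01 UTC). The F value used below is
constructed; the remaining bytes of a real F value are not modelled here.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # used for "account never expires"

F_TIMESTAMPS = {                      # field name -> byte offset within the F value
    "last_login": 8,
    "password_last_reset": 24,
    "account_expires": 32,
    "last_failed_login": 40,
}


def filetime_to_datetime(ft: int):
    """Convert a FILETIME to an aware UTC datetime; 0 and the max value mean 'never'."""
    if ft == 0 or ft == FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_f_value(data: bytes) -> dict:
    """Return the four timestamps named on the slide, or None where the SAM says 'never'."""
    if len(data) < 48:
        raise ValueError("F value too short to hold the timestamp fields")
    return {name: filetime_to_datetime(struct.unpack_from("<Q", data, off)[0])
            for name, off in F_TIMESTAMPS.items()}


def build_sample_f_value() -> bytes:
    """Constructed F value: a user who logged in, reset a password, never expires,
    and has one failed login on record."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, datetime_to_filetime(datetime(2009, 3, 14, 9, 30, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 24, datetime_to_filetime(datetime(2009, 1, 5, 17, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 32, FILETIME_NEVER)
    struct.pack_into("<Q", buf, 40, datetime_to_filetime(datetime(2009, 3, 13, 23, 58, 7, tzinfo=timezone.utc)))
    return bytes(buf)


if __name__ == "__main__":
    for name, when in parse_f_value(build_sample_f_value()).items():
        print(f"{name:22} {when.isoformat() if when else 'never'}")
```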
98.
Tracking User Activity
• Registry keys that track the user's activities can be found in the NTUSER.DAT file
• When a user performs a particular action, the Registry key's LastWrite time is updated
• These Registry keys track the user's activity and add or modify timestamp information associated with the Registry values
• The majority of the user's activities are recorded in the HKEY_CURRENT_USER hive
99.
The UserAssist Keys
• For more information, check the user's NTUSER.DAT file at Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
• The value names beneath this key are ROT-13 encrypted
• ROT-13 refers to a Caesar cipher in which each letter is replaced with the letter 13 places further down the alphabet
• Use the Perl script uAssist.pl to decrypt the value names
• The value names are preceded by UEME_, and then by RUNPATH, RUNPIDL, or RUNCPL
100.
The UserAssist Keys (cont'd)
• RUNPATH: refers to an absolute path within the file system; occurs when you double-click an icon for an executable in Windows Explorer or type the name of the application in the Start | Run box
• RUNCPL: refers to launching a Control Panel applet
• RUNPIDL: a PIDL, or pointer to an ID list, is part of the internal Explorer namespace and is used to refer to an object; in the case of the UserAssist keys, these are most often shortcuts or LNK files, as when you choose Start | Documents and select a file
101.
MRU Lists
• Applications maintain an MRU list, which is a list of files that have been most recently accessed
• The filenames appear at the bottom of the drop-down menu when File is selected on the menu bar
• The well-known MRU list Registry key is the RecentDocs key at Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• The MRU list has two sections:
  • The numbered value names: these contain the names of the files accessed
  • The MRUListEx key: it maintains the order in which the files were accessed
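Reconstructing the access order from the two sections just described, as an added Python example that is not part of the deck. It assumes (the slide does not say so) that the MRUListEx data is a sequence of little-endian DWORD indexes, most recent first, ending in 0xFFFFFFFF, and that each numbered value's data begins with the file name as a NUL-terminated UTF-16LE string; the values are constructed.

```python
"""Order RecentDocs entries by their MRUListEx data (added example, not from the deck).

Assumptions not stated on the slide: MRUListEx is a list of little-endian
DWORD indexes, most recent first, terminated by 0xFFFFFFFF, and each numbered
value's data starts with the file name as a NUL-terminated UTF-16LE string.
All values below are constructed.
"""
import struct

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> list:
    """Return the value indexes in MRU order; stops at the terminator and
    ignores a trailing partial DWORD."""
    order = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def recentdocs_name(value_data: bytes) -> str:
    """Extract the leading NUL-terminated UTF-16LE file name from a RecentDocs value."""
    end = 0
    while end + 1 < len(value_data) and value_data[end:end + 2] != b"\x00\x00":
        end += 2
    return value_data[:end].decode("utf-16-le")


def ordered_recent_docs(values: dict, mrulistex: bytes) -> list:
    """values maps numbered value names ('0', '1', ...) to their raw data.
    Indexes with no matching value (stale entries) are skipped, not raised."""
    result = []
    for idx in parse_mrulistex(mrulistex):
        data = values.get(str(idx))
        if data is not None:
            result.append(recentdocs_name(data))
    return result


def _value(name: str) -> bytes:
    # Constructed: the name, its terminator, then opaque shell-item bytes we do not parse
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00"


SAMPLE_VALUES = {
    "0": _value("quarterly-report.doc"),
    "1": _value("budget.xls"),
    "2": _value("meeting-notes.txt"),
    "3": _value("old-photo.jpg"),
}
# Most recent first: 2, 0, 1; index 7 has no value (stale); 3 is left out of the list on purpose
SAMPLE_MRULISTEX = struct.pack("<5I", 2, 0, 7, 1, MRU_TERMINATOR)

if __name__ == "__main__":
    for pos, name in enumerate(ordered_recent_docs(SAMPLE_VALUES, SAMPLE_MRULISTEX), 1):
        print(pos, name)
```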
102.
MRU Lists (cont'd)
• Another MRU list can be found in the RunMRU key: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• This key maintains a list of all the values typed into the Run box on the Start menu
• Another key similar to the RunMRU key is the TypedURLs key: Software\Microsoft\Internet Explorer\TypedURLs
• The TypedURLs key maintains a list of the URLs that the user types into the Address bar
• Another location for MRU lists is the following key: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
• This key maintains MRU lists of files opened via the Open and Save As dialogs
103.
Search Assistant
• The files and folders searched for through the Windows XP Search function are stored in the Registry
• The path of the Registry key is Software\Microsoft\Search Assistant\ACMru
• The ACMru key generally has some combination of four subkeys:
  • 5001: contains the MRU list for the Internet Search Assistant
  • 5603: contains the MRU list for the Windows XP files and folders search
  • 5604: contains the MRU list that corresponds to the "word or phrase in a file" dialog box
  • 5647: maintains the MRU list for the computers entered via the "for computers or people" selection in the Search Results dialog
104.
Connecting to Other Systems
• An MRU list is created when a user uses the Map Network Drive Wizard to connect to a remote system
• The path of the key is Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
• Information about the user's use of the net use command is stored at Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• IP addresses appear in the following Registry key: Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
105.
Analyzing Restore Point Registry Settings
• The purpose of restore points is to take a snapshot of the system so that a user can restore the system to a previous restore point
• The settings for restore points are stored at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
• The interval for restore point creation is stored in the RPGlobalInterval value
• Look for the restore points in numbered folders at System Volume Information\_restore{GUID}\RP##
• Path to navigate to System Restore: select Start > All Programs > Accessories > System Tools > System Restore
106.
Analyzing Restore Point Registry Settings (cont'd)
Characteristics of restore point names:
• When restore points are created on schedule, they are named System CheckPoint, which is the name that appears in the user interface
• The restore point name is stored in, and pulled from, the file rp.log found in the root of its RP## folder
• The restore point name is stored starting at byte offset 16 of the rp.log file
• If software or unsigned drivers are installed, a restore point is usually created
• A user can manually create restore points, and the user-provided name is stored in this same location
• The last 8 bytes of the rp.log file are a Windows 64-bit timestamp indicating when the restore point was created
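Reading the name at offset 16 and the trailing 8-byte timestamp out of rp.log, as an added Python example that is not part of the deck. The slide gives the offsets; the assumption added here is that the name is a NUL-terminated UTF-16LE string, and the rp.log bytes are constructed.

```python
"""Read a restore point's name and creation time from rp.log (added example, not from the deck).

From the slide: the name starts at byte offset 16 and the last 8 bytes are a
64-bit Windows FILETIME. Assumed here (not on the slide): the name is stored
as a NUL-terminated UTF-16LE string. The rp.log bytes below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAME_OFFSET = 16
TIMESTAMP_SIZE = 8


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100-ns intervals since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_rp_log(data: bytes) -> dict:
    """Return {'name': str, 'created': datetime}; raises on a truncated file."""
    if len(data) < NAME_OFFSET + TIMESTAMP_SIZE:
        raise ValueError("rp.log too short to hold a name and a timestamp")
    name_region = data[NAME_OFFSET:len(data) - TIMESTAMP_SIZE]
    name_bytes = name_region                      # fallback if no terminator is found
    for i in range(0, len(name_region) - 1, 2):   # scan UTF-16 code units for 0x0000
        if name_region[i:i + 2] == b"\x00\x00":
            name_bytes = name_region[:i]
            break
    (ft,) = struct.unpack_from("<Q", data, len(data) - TIMESTAMP_SIZE)
    return {"name": name_bytes.decode("utf-16-le"), "created": filetime_to_datetime(ft)}


def build_sample_rp_log(name: str, created: datetime = None) -> bytes:
    """Constructed rp.log: 16 opaque header bytes, the name, some zero padding,
    then the creation FILETIME as the final 8 bytes."""
    if created is None:
        created = datetime(2009, 3, 14, 3, 0, tzinfo=timezone.utc)
    header = b"\x00" * NAME_OFFSET
    body = name.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 6
    return header + body + struct.pack("<Q", datetime_to_filetime(created))


if __name__ == "__main__":
    for label in ("System CheckPoint", "Before installing printer driver"):
        rec = parse_rp_log(build_sample_rp_log(label))
        print(f"{rec['name']!r} created {rec['created'].isoformat()}")
```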
107.
System Restore: Screenshot
108.
Determining the Startup Locations
Common startup locations in the Registry are listed below (key, then notes):
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  All values in this key are executed at system startup
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  All values in this key are executed at system startup and are deleted afterwards
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  All values in this key are run as services at system startup
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  All values in this key are run as services at system startup and are then deleted
109.
Determining the Startup Locations (cont'd)
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  The value Shell is executed when any user logs on. This value is normally set to explorer.exe, but it could be changed to a different Explorer in a different path
• HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
  Each subkey (GUID name) represents an installed component. All subkeys are monitored, and the StubPath value in a subkey, when present, is a way of running code
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  The value Userinit runs when any user logs on; it can be appended to have additional programs start here
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Values here, if present, run using explorer.exe after it starts
110.
Determining the Startup Locations (cont'd)
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  If Explorer and run are present, the values under run are executed after Explorer starts
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
  It contains entries to be run, for example RunMyApp = ||notepad.exe
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
  When present, subkeys are monitored and the StaticVxD value in each subkey is a method of executing code
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
  The value BootExecute contains files that are native applications executed before Windows runs
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  This contains a list of services that run at system startup. If the value Start is 2, startup is automatic. If the value Start is 3, startup is manual and the service starts on demand. If the value Start is 4, the service is disabled
111.
Determining the Startup Locations (cont'd)
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
  The subkeys are for layered service providers, and the values are executed before any user logs in
• HKEY_LOCAL_MACHINE\System\Control\WOW
  Whenever a legacy 16-bit application is run, the program listed in the value cmdline is run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  All values in this subkey run when this specific user logs on, as this setting is user specific
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  All values in this subkey run when this specific user logs on, and then the values are deleted
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  For this specific user, this key is used only by setup, and a progress dialog box tracks progress as the values in this key are run one at a time
112.
Determining the Startup Locations (cont'd)
• HKEY_CURRENT_USER\Control Panel\Desktop
  For this specific user, if a screensaver is enabled, a value named scrnsave.exe is present. Whatever is in the path found in the string data for this value will execute when the screensaver runs
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  For this specific user, the string specified in the value run executes when this user logs on
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  For this specific user, the string specified in the value load runs when this user logs on
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  For this specific user, the string specified in the value run runs when this user logs on
113.
Determining the Startup Locations (cont’d)

User Startup Folder Registry Settings are as shown below:

Registry Key / Default or Normal Settings:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  The value Startup will be C:\Documents and Settings\%UserName%\Start Menu\Programs\Startup, where %UserName% is not the environment variable but the actual name of the user
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  The value Startup will be %USERPROFILE%\Start Menu\Programs\Startup
• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  The value Common Startup will be C:\Documents and Settings\All Users\Start Menu\Programs\Startup
• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  The value Common Startup will be %ALLUSERSPROFILE%\Start Menu\Programs\Startup
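The startup locations in the four tables above are usually reviewed offline, from a hive or a regedit-format export (as produced by `reg export`), rather than on the live system. The following added example, which is not EC-Council's code, parses such an export and lists what the keys from these tables would launch: services classified by their Start value, and Run/RunOnce values that execute at logon. The export text is constructed for the example; the Start values 0 (boot) and 1 (system) are the other documented service start types and are not on the slides.

```python
"""Added example: list startup entries from a regedit (.reg) export of the keys on these slides."""
import re
from typing import Dict, List

# Start values under HKLM\SYSTEM\CurrentControlSet\Services\<name>. The slide gives 2, 3 and 4;
# 0 and 1 are the boot and system driver start types (not on the slides).
START_MODES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
RUN_KEY_NAMES = {"Run", "RunOnce"}


def _decode_value(raw: str):
    """Decode the value encodings a regedit export uses that matter here."""
    if raw.startswith('"') and raw.endswith('"'):                     # REG_SZ, backslashes doubled
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):                                       # REG_DWORD, hex digits
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b.strip(), 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":                                          # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\0")
        return data                                                    # REG_BINARY and others: raw bytes
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):      # trailing backslash continues a hex value
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.strip())
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in logical:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, sep, raw = line.partition("=")
        if current is None or not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(raw.strip())
    return keys


def startup_entries(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Services by Start mode plus Run/RunOnce values, i.e. what the tables above would launch."""
    entries = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        if "\\Services\\" in path and "Start" in values:
            start = values["Start"]
            entries.append({"source": "service", "name": leaf,
                            "start": START_MODES.get(start, f"unknown({start})"),
                            "command": values.get("ImagePath", "")})
        elif leaf in RUN_KEY_NAMES:
            for name, command in values.items():
                entries.append({"source": path, "name": name, "start": "logon", "command": command})
    return entries


def _hex2(text: str) -> str:
    """Encode text the way regedit writes REG_EXPAND_SZ (hex(2) of NUL-terminated UTF-16LE)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (text + "\0").encode("utf-16-le"))


# Constructed export for the example, not taken from any real system.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ConstructedSvc]",
    '"Start"=dword:00000002',
    '"ImagePath"=' + _hex2(r"C:\Windows\system32\svchost.exe -k netsvcs"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OnDemandSvc]",
    '"Start"=dword:00000003',
    '"ImagePath"=' + _hex2(r"C:\Program Files\Constructed\ondemand.exe"),
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Sample"="C:\\Users\\alice\\AppData\\Local\\sample.exe"',
    "",
])

if __name__ == "__main__":
    for entry in startup_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{entry['start']:<10} {entry['name']:<16} {entry['command']}")
```

Run against a real export, the same function gives the investigator one list to compare against a known-good baseline of the machine; the ImagePath decoding matters because regedit stores REG_EXPAND_SZ as hex(2), so a naive text grep for the executable name misses it.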
115.
Cache, Cookie, and History Analysis in IE

All IE activity of a user is stored under the following directories:
• C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
  This directory stores the cached pages and images viewed by the user
• C:\Documents and Settings\<user>\Local Settings\History\History.IE5
  This directory contains the Internet history activity
• C:\Documents and Settings\<user>\Cookies
  This directory contains the cookies
116.
Cache, Cookie, and History Analysis in Firefox/Netscape

Mozilla/Netscape/Firefox save the web activity in a file named history.dat
The history.dat file is saved in ASCII format
A limitation of history.dat is that it does not link website activity with cached web pages
Firefox files are located in the directory:
• Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
Mozilla/Netscape history files are found in the directory:
• Documents and Settings\<user name>\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
117.
Browsing Analysis Tool: Pasco

Pasco is a command line tool that runs on Unix or Windows
It accepts an index.dat file, reconstructs the data, and outputs the information in a delimited text file format
It shows the fields saved by IE, such as:
• The record type: signifies whether the activity is a URL that was browsed or a website that redirected the user's browser to another site
• The URL: the actual website that the user visited
• Modified Time: the last moment in time the website was modified
• Access Time: the moment in time the user browsed the website
• Filename: the local file name that contains a copy of the URL listed
• HTTP Headers: the HTTP headers the user received when browsing the URL
118.
Tool: IE Cache View

IE Cache View reads the cache folder of Internet Explorer and displays the list of all files currently stored in the cache
It gives information about:
• Filename
• Content Type
• URL
• Last Accessed Time
• Last Modified Time
• Expiration Time
• Number Of Hits
• File Size
• Folder Name
• Full path of the cache filename
119.
Tool: IE Cache View (cont’d)

Advantages:
• IE Cache View displays the list of cache files
• It allows you to filter the cache files by file type
• It allows you to view the cache files of another user or from another disk
• Selecting and copying the desired cache item to the clipboard is easy
120.
Forensic Tool: Cache Monitor

Cache Monitor offers a real-time view of the current state of the cache
It offers an interface to modify data
It also allows you to:
• Verify the configuration of dynamic caches
• Verify the cache policies
• Monitor cache statistics
• Monitor data flowing through the caches
• View data in the edge cache
• View data offloaded to the disk
• Manage the data in the cache
121.
Tool: IE History Viewer

This utility reads all information from the history file on your computer and displays the list of all URLs that you have visited in the last few days
It also allows you to select one or more URL addresses and then remove them from the history file or save them into a text, HTML, or XML file
122.
IE Cookie Analysis

The index.dat file provides the following information:
• Cookie file name
• The record type
• Record size in bytes
• Number of hits
• The site that created the cookie
Index.dat also contains the following information:
• Modified date
• Accessed date
• Name of the user
• MD5 of the actual cookie file
123.
IE Cookie Analysis (cont’d)

Hash tables are used to retrieve the data records stored in a specified index.dat file
The records collected are then parsed into separate information portions
124.
IE Cookie Analysis (cont’d)

Figure: The HASH table offset
125.
Investigating Internet Traces

Internet Explorer investigations:
• Cookies: C:\Documents and Settings\Administrator\Cookies
• Temporary Internet files: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
126.
Tool: IECookiesView

Displays details of all cookies stored on the computer
Views the contents of each cookie and saves the cookies to a readable text file
Enables the user to view references to deleted cookies
127.
Tool: IE Sniffer

The IE Sniffer tool can be used to perform forensic analysis of "index.dat" files
Features:
• Cookie Monitor: keeps only the cookies you want and displays all cookies that are deleted
• Cache Cleaner: cleans the Internet Explorer cache as well as all stored offline pages
• Quick Viewer: quickly views the contents of an "index.dat" file and opens any of the visited links in the browser
• Hex Viewer: views the contents of the "index.dat" files
128.
Screenshot: IE Sniffer
130.
MD5 Calculation

The Message-Digest algorithm 5 (MD5) was designed by Ron Rivest in 1991
MD5 is a cryptographic hash function with a 128-bit hash value
MD5 is used in security applications and to check the integrity of files
131.
MD5 Algorithm

MD5 processes a variable-length message into a fixed-length output of 128 bits
The input message is broken up into 512-bit blocks
The message is padded so that its length is divisible by 512
The padding is done as follows:
• First, a single bit ‘1’ is appended to the end of the message
• It is followed by as many zeros as are required to bring the length of the message to 64 bits short of a multiple of 512 (that is, to 448 modulo 512)
• The remaining 64 bits are filled with a 64-bit integer representing the length of the original message
132.
MD5 Pseudocode

    // Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
    var int[64] r, k

    // r specifies the per-round shift amounts
    r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
    r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
    r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
    r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

    // Use the binary integer part of the sines of integers (radians) as constants:
    for i from 0 to 63
        k[i] := floor(abs(sin(i + 1)) × (2 pow 32))

    // Initialize variables (as 32-bit words; stored little-endian, the bytes read 01 23 45 67, 89 AB CD EF, FE DC BA 98, 76 54 32 10):
    var int h0 := 0x67452301
    var int h1 := 0xEFCDAB89
    var int h2 := 0x98BADCFE
    var int h3 := 0x10325476

    // Pre-processing:
    append "1" bit to message
    append "0" bits until message length in bits ≡ 448 (mod 512)
    append bit /* bit, not byte */ length of unpadded message as 64-bit little-endian integer to message

    // Process the message in successive 512-bit chunks:
    for each 512-bit chunk of message
        break chunk into sixteen 32-bit little-endian words w[i], 0 ≤ i ≤ 15

        // Initialize hash value for this chunk:
        var int a := h0
        var int b := h1
        var int c := h2
        var int d := h3

        // Main loop:
        for i from 0 to 63
            if 0 ≤ i ≤ 15 then
                f := (b and c) or ((not b) and d)
                g := i
            else if 16 ≤ i ≤ 31
                f := (d and b) or ((not d) and c)
                g := (5×i + 1) mod 16
            else if 32 ≤ i ≤ 47
                f := b xor c xor d
                g := (3×i + 5) mod 16
            else if 48 ≤ i ≤ 63
                f := c xor (b or (not d))
                g := (7×i) mod 16

            temp := d
            d := c
            c := b
            b := b + leftrotate((a + f + k[i] + w[g]), r[i])
            a := temp

        // Add this chunk's hash to result so far:
        h0 := h0 + a
        h1 := h1 + b
        h2 := h2 + c
        h3 := h3 + d

    var int digest := h0 append h1 append h2 append h3 // (expressed as little-endian)
133.
MD5 Generator: Chaos MD5

Chaos MD5 is a free MD5 generator for Windows
Input any file into this free program and it will generate an MD5 checksum for that file
It generates a unique signature for each and every file
Chaos MD5 does not require installation; simply copy it to the hard drive or a USB device to run it
The MD5 checksum that is generated can be used for file identification or integrity checks
134.
Chaos MD5: Screenshot
135.
Secure Hash Signature Generator

Secure Hash Signature Generator generates hash signatures that are unique to the data stored on a disk drive
These signatures are used to verify data integrity by detecting intentional or accidental tampering with drive data
The application has the ability to detect up to three P-ATA, S-ATA, SCSI, or ATA-compatible flash devices attached to a PC
This application runs under the Windows XP or Windows 2000 environment
There are three different hash signature generating algorithms from which to choose: MD5 (128-bit signature), SHA1 (160-bit signature), and CRC32 (32-bit signature)
136.
MD5 Generator: Mat-MD5

Mat-MD5 is a tool that allows you to check the MD5 value of each file processed and compare it with other MD5 strings
It processes one or more files and adds the resulting value to a list
You can add your MD5 value to compare by typing it or by copying it from an external file, so you can easily compare your values
137.
Mat-MD5: Screenshot
138.
MD5 Checksum Verifier

MD5 Checksum Verifier is a file integrity checker based on the time-proven MD5 algorithm
With it, you can easily create checksums of files and verify their integrity in the future
140.
Recycle Bin

The Recycle Bin exists as a metaphor for throwing files away; it also allows the user to retrieve and restore files
A subdirectory is created for the user within the Recycler directory and named with the user’s security identifier
• For example: C:\RECYCLER\S-1-5-21-1454471165-630328440-725345543-1003
Check the subdirectory for information about the deleted files
When a file is moved to the Recycle Bin, it is renamed using the following convention:
• D<original drive letter of file><#>.<original extension>
141.
System Restore Points

Rp.log Files
• Rp.log is the restore point log file located within the restore point (RPxx) directory
• It includes a value indicating the type of the restore point, a descriptive name for the restore point creation event, and a 64-bit FILETIME object
• The description of the restore point can be useful for information regarding the installation or removal of an application

Change.log.x Files
• Key system and application files are continuously monitored so that the system can be restored to a particular state
• Changes are recorded in the change.log files, which are located in the restore point directories
• The monitored file is preserved: it is copied to the restore point directory and renamed
142.
Prefetch Files

The data, after processing, is written to a .pf file in the Windows\Prefetch directory
Collect this data from the Prefetch directory
Prefetching is controlled by the Registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters
143.
Shortcut Files

Shortcuts are files with the extension .lnk that are created when users access files
They are created on the system in the Recent folder
They provide information about files or network shares that the user has accessed, and also about devices that the user has attached to the system
Tools like AccessData’s Forensic Toolkit (FTK), Windows File Analyzer (WFA), and EnCase are used to reveal the information embedded within the file
144.
Searching with Event Viewer

The Filter feature in the Event Viewer allows removing clutter from the event log display
Each log can be independently configured with different filter properties
Use the Filter and Find features in Event Viewer, under the View menu
After applying the filter, the Event Viewer will show the log entries with matching properties
145.
Event Viewer: Screenshot
146.
Word Documents

Word documents are compound documents based on the Object Linking and Embedding (OLE) technology, which defines a file structure within the file
Word documents can maintain past revisions as well as a list of up to the last 10 authors
Use the wmd.pl and oledmp.pl scripts to list the OLE streams
147.
PDF Documents

Portable Document Format (PDF) files can also contain metadata such as the name of the author, the date that the file was created, and the application used to create the file
The metadata shows whether the PDF file was created on a Mac or by converting a Word document to PDF format
Use the pdfmeta.pl and pdfdmp.pl scripts to extract metadata from PDF files
148.
Image Files

Image files like JPEG can contain the photographer’s information, such as the location where the picture was taken
The metadata available in a JPEG image depends largely on the application that created or modified it
Collect the Exchangeable Image File Format (EXIF) information in images, which includes the model and manufacturer of the camera and can also store thumbnail or audio information
Use tools such as Exifer, IrfanView, and the Image::MetaData::JPEG Perl module to view, retrieve, and modify the metadata embedded in JPEG image files
149.
File Signature Analysis

Analyze files with unusual extensions, or files with familiar extensions, with the help of file signature analysis
File signature analysis is collecting information from the first 20 bytes of a file
• This information will help to determine the type and function of the file
Use the ProDiscover tool for file signature analysis
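What a tool like ProDiscover does in this step is compare the leading bytes with known signatures and flag files whose extension disagrees. The following added example, which is not EC-Council's or ProDiscover's code, performs that comparison on the first 20 bytes; the signatures come from the respective format specifications, and the sample file headers are constructed for the example.

```python
"""Added example: file signature analysis on the first 20 bytes, with extension mismatch detection."""
from typing import Optional

# Leading byte sequences from the file formats' own specifications.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/pptx/jar (ZIP containers)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy doc/xls/ppt/msi compound files
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "pe"),                                   # DOS header of an EXE/DLL/SYS/SCR
]

# Extensions that legitimately carry each detected content type.
EXTENSIONS_FOR = {
    "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "ole": {"doc", "xls", "ppt", "msi"}, "rar": {"rar"}, "gzip": {"gz", "tgz"},
    "pe": {"exe", "dll", "sys", "scr", "ocx", "cpl"},
}


def identify(head: bytes) -> Optional[str]:
    """Return the content type implied by the first 20 bytes, or None if nothing matches."""
    head = head[:20]
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def check_extension(filename: str, head: bytes) -> dict:
    """Compare the extension a file claims with what its signature says it is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(head)
    mismatch = kind is not None and ext not in EXTENSIONS_FOR.get(kind, set())
    return {"file": filename, "extension": ext, "detected": kind, "mismatch": mismatch}


def scan(files) -> list:
    """Run check_extension over (name, leading bytes) pairs and return only the mismatches."""
    return [r for r in (check_extension(name, head) for name, head in files) if r["mismatch"]]


# Constructed sample headers, not taken from any real evidence.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"),
    ("quarterly.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),  # executable header behind a .pdf name
    ("minutes.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("readme.txt", b"Plain text has no magic number."),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding['file']}: extension .{finding['extension']} but content is {finding['detected']}")
```

Files with no recognised signature (plain text, many proprietary formats) are reported as unknown rather than as mismatches; an investigator treats those as "needs a closer look", not as clean.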
150.
NTFS Alternate Data Streams

An NTFS Alternate Data Stream (ADS) is a feature of the NTFS file system
ADS was introduced to support the Hierarchical File System (HFS) used by the Macintosh
Create an ADS by typing the following command:
• D:\ads>notepad myfile.txt:ads.txt
Vista has a switch that allows enumerating ADSes with dir, using the /r switch
Use the type command for executing the ADS
151.
Executable File Analysis

Static Analysis
• Static analysis is a process that consists of collecting information about and from an executable file without actually running or launching the file under any circumstances

Dynamic Analysis
• Dynamic analysis involves launching an executable file in a controlled and monitored environment so that its effects on a system can be observed and documented
152.
Documentation Before Analysis

Full path and location of the file
MAC timestamps
Information about the system where the file was stored:
• The operating system and version
• File system
• User accounts
• IP address
Any references to that file within the file system or Registry
Details about who found it and when
153.
Static Analysis Process

Scan the suspicious file with antivirus software such as Norton, AVG, or McAfee
Search for strings
Analyze the PE header
Analyze the import tables
Analyze the export table
154.
Search Strings

Run suspicious files through tools such as strings.exe and BinText to extract all ASCII and Unicode strings of a specific minimum length
This will help to get an idea of the file’s nature from the strings within the file
Collect information about where each string is located within the file
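The two things strings.exe and BinText report for each hit are the string and its offset, and the Unicode side means UTF-16LE on Windows, which a plain ASCII scan misses entirely. The following added example, which is neither tool's code, extracts both kinds with a minimum length and keeps the offset of each; the sample bytes are constructed for the example.

```python
"""Added example: ASCII and UTF-16LE string extraction with offsets, as the strings tools report them."""
import re
from typing import List, Tuple


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of at least min_len printable characters.

    ASCII runs are bytes 0x20..0x7E; UTF-16LE runs are the same characters each followed
    by a NUL byte, which is how Windows stores 'Unicode' strings in executables.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


# Constructed sample resembling the start of an executable; not a real file.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00"                              # 6 bytes of header-like noise
    + b"kernel32.dll\x00"                              # ASCII, NUL-terminated (offset 6)
    + b"\x01\x02"
    + "CreateFileW".encode("utf-16-le")                # UTF-16LE string (offset 21)
    + b"\x00\x00"
    + b"ab\x00"                                        # too short to report at min_len=4
    + b"This program cannot be run in DOS mode.\r\n"   # ASCII (offset 48)
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_BYTES):
        print(f"0x{offset:08x}  {encoding:<8}  {text}")
```

Raising min_len cuts the noise from short printable runs inside code and tables; lowering it recovers short tokens such as file extensions at the price of many false hits.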
155.
Screenshot: BinText
156.
PE Header Analysis

The file signature of a portable executable (PE) file consists of a 64-byte structure called the IMAGE_DOS_HEADER
The last DWORD (e_lfanew) value refers to the address of the new EXE header
This value is defined in the ntimage.h header file
The e_lfanew value points to the location of the PE header
Use the PEview tool to view the PE header
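The walk PEview performs, from the MZ signature through e_lfanew to the PE signature and the COFF file header, is short enough to do by hand. The following added example, which is not EC-Council's or PEview's code, does that walk and reports the fields an analyst notes first (target machine, section count, link timestamp, DLL versus EXE, PE32 versus PE32+); structure layouts and constants come from the PE/COFF specification, and the sample image is a constructed header, not a real binary.

```python
"""Added example: follow IMAGE_DOS_HEADER.e_lfanew to the PE signature and read the COFF file header."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data: bytes) -> dict:
    """IMAGE_DOS_HEADER -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> optional header magic."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    # e_lfanew is the last DWORD of the 64-byte IMAGE_DOS_HEADER (offset 0x3C).
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:X} points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)   # optional header Magic
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})"),
        "number_of_sections": n_sections,
        "link_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown (0x{magic:X})"),
    }


def is_pe(data: bytes) -> bool:
    """True when the DOS and PE signatures chain correctly."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


def build_sample_image() -> bytes:
    """Constructed minimal header (not a real binary): DOS header with e_lfanew = 0x80, zero stub,
    PE signature, COFF header for a 3-section x64 executable stamped 2023-11-14 22:13:20 UTC,
    and a PE32+ optional header of 240 bytes."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)
    stub = b"\0" * (0x80 - len(dos_header))
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 1700000000, 0, 0, 240, 0x0022)
    optional = struct.pack("<H", 0x20B) + b"\0" * 238
    return dos_header + stub + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_image()).items():
        print(f"{key:<20} {value}")
```

The link timestamp is worth recording but not trusting: it is a plain field in the file and is routinely zeroed or altered, so it is a lead to correlate with other evidence, not a fact about when the file was built.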
157.
Screenshot: PEview
158.
Import Table Analysis

Information about the DLLs and functions accessed by the executing program is needed by the operating system
This information is maintained in the import table and the import address table of the executable file
Use the pedump.exe or Dependency Walker tool to easily access the import table information
Locate the import data directory and parse the structures to determine the DLLs and their functions
Collect the networking code from the import table of the DLLs
159.
Screenshot: Dependency Walker
160.
Export Table Analysis

DLLs provide functions that other executable files can import
DLLs maintain a table of the functions they make available in their export table
Collect information about chained or cascading DLL dependencies with the help of tools like Dependency Walker and pedump.exe
161.
Dynamic Analysis Process

Create a testing environment
Use virtualization tools such as Bochs, Parallels, Microsoft’s Virtual PC, VirtualIron, or VMware
Arrange your tools properly
Start the process of testing the malware
162.
Creating a Test Environment

Run the malware to be tested on a different system than the victim system
Do not connect the test system to the victim system through the network
Reinstall the operating system after each test
Work on a virtual platform
Use virtualization tools such as Bochs, Parallels, Microsoft’s Virtual PC, VirtualIron, or VMware
163.
Collecting Information Using Tools

Use network sniffer tools to learn network connectivity information
This will help to know whether the malware attempts to communicate with a remote system, or opens a port to listen for connections
Record TCP and UDP port activity with the help of the Port Reporter tool
Use the Process Monitor tool to see files and Registry keys that were created or modified, and also the timeline of activity
164.
Dynamic Analysis Steps

1. Ensure that all monitoring tools are updated
2. Ensure that all monitoring tools are configured properly
3. Create a log storage location
4. Prepare the malware to be analyzed
5. Launch the baseline phase of the snapshot tools
6. Enable real-time monitoring tools
7. Launch the malware
8. Stop the real-time monitoring tools, and save the data
9. Launch the second phase of the snapshot tools, and save the data
166.
Metadata

The term metadata refers to data about data
Examples of metadata:
• Organization name
• Author name
• Computer name
• Network name
• Hidden text or cells
• Document versions
• Template information
• Personalized views
• Non-visible portions of embedded OLE objects
It is important to collect this data as it gives information about:
• Hidden information about the document
• Who tried to hide, delete, or obscure the data
• Correlated documents from different sources
167.
Metadata Example: Screenshot
168.
Types of Metadata

Metadata is differentiated into three types:
• Descriptive metadata
• Structural metadata
• Administrative metadata
Descriptive metadata includes information such as title, abstract, author, and keywords
Structural metadata facilitates the navigation and presentation of electronic resources
Administrative metadata provides information such as file creation, file type, and other technical information
169.
Types of Metadata (cont’d)

Type / Description / Sample Element:

• Descriptive Metadata
  Description: Describes and identifies information resources
  Sample elements: Unique identifiers, physical attributes, bibliographic attributes
• Structural Metadata
  Description: Provides information about the internal structure of resources, including page, section, and chapter numbering, indexes, and table of contents
  Sample elements: Tags such as title page, table of contents, chapters, parts, errata, index, sub-object relationship
• Administrative Metadata
  Description: Includes technical data on creation and quality control
  Sample elements: Resolution, bit depth, color space, file format, compression, light source, owner, copyright date, copying and distribution limitations
170.
Metadata in Different File Systems

Metadata such as the modified, accessed, and created (MAC) timestamps gives information about when the file was last modified, accessed, or created
These MAC times are managed by the operating system depending on the file system used, such as FAT or NTFS
• On the FAT file system, times are stored based on the local time of the computer system
• The NTFS file system stores MAC times in Coordinated Universal Time (UTC) format
Investigate the way the timestamps are displayed, based on various move and copy actions
171.
Metadata in Different File Systems (cont’d)

FAT16 file system:
• Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
• Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification and creation dates
• Copy myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
• Move myfile.txt from a FAT16 partition to an NTFS partition: myfile.txt keeps the same modification and creation dates

NTFS file system:
• Copy myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification date, but the creation date is updated to the current date and time
• Move myfile.txt from C:\ to C:\subdir: myfile.txt keeps the same modification and creation dates
172.
Viewing Metadata

Metadata can be viewed with the help of the native application
Metadata is viewed by going to File -> Properties in Microsoft Office, or File -> Document Properties in Adobe Acrobat
Tools used to view metadata:
• MetaViewer
• Metadata Analyzer
• iScrub
173.
MetaViewer

MetaViewer allows you to quickly extract file system metadata, the OLE metadata contained in Microsoft Office files, and hash values
It displays metadata and hash values inside Windows Explorer
It also allows you to paste the retrieved information into any application
174.
Metadata Analyzer

Metadata Analyzer is an analytical tool for checking MS Office documents:
• Microsoft Word
• Microsoft Excel
• Microsoft PowerPoint
It gives information about the initial name, authors, corporate name, number of saves, etc.
175.
iScrub

iScrub extracts information about the authors of the document, deleted text, and drafting history
Features:
• It is a reporting tool to capture and display document metadata
• It allows users to first manage metadata in a document and then lock it down
176.
Summary

Live system activity notification is important for responders and investigators
In live response, collect the data that is going to change in a short span of time
Several Registry values and settings could impact the forensic analysis
Analyzing the contents of RAM will help the investigator to find what has been hidden
The pmdump.exe tool allows dumping the contents of process memory without stopping the process
Registry analysis provides more information to the investigator during live response
The logs generated by the web server are used to investigate attacks on the IIS web server