Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fundamental Computer Investigation for Windows Barbara Chung, CISSP, CISM Chief Security Advisor, US Ed Microsoft Corporation

Similar presentations

Presentation on theme: "Fundamental Computer Investigation for Windows Barbara Chung, CISSP, CISM Chief Security Advisor, US Ed Microsoft Corporation"— Presentation transcript:

1 Fundamental Computer Investigation for Windows Barbara Chung, CISSP, CISM Chief Security Advisor, US Ed Microsoft Corporation

2 Agenda Prepare Assess Acquire Analyze Report

3 Computer Investigation Model AssessAcquireAnalyzeReport Notify and acquire authorization Review policies and laws Identify team members Prepare for evidence acquisition Build investigation toolkit Collect the data Store and Archive Analyze network data Analyze host data Analyze storage media Gather and organize Write the report

4 Assess: Initial Decision Making Preventing further damage should be the first concern Investigation is secondary unless there are national security issues You may be required to report to authorities: consult with your legal team

5 Assess Establish Scope Identify Required Resources

6 Assess Notify decision makers: – if no written response policies and procedures exist, you should obtain written authorization to conduct the investigation – Document all actions that you take Priorities*: – Prevent further harm – Restore services (if necessary) – Investigate incident * Absent national security or life safety issues

7 Assess Review policies and laws that might pertain: Do you have legal authority? Internal privacy policies for employees, contractors, others? Consult with legal regarding: – Possible compromise of personal data – State/federal privacy laws – Criminal/civil liability for improper interception of electronic communications – Viewing sensitive or privileged info

8 Assess Customer privacy and confidentiality issues: – All data should be transferred securely, stored locally, not easily accessible. – Maintain data and documentation per local policy or as advised by legal counsel/law enforcement. – Maintain digital copies of evidence, printouts of evidence, and the chain of custody for all evidence, in case of legal action in secure storage.

9 Assess Identify Investigation Team Members Ideally the team is established before they are needed. Assign one technical lead; clarify responsibilities A small team minimizes risk to confidential data and information leaks Engage a trusted external investigation team if you do not have the internal expertise Ensure that each team member has the necessary clearance and authorization

10 Assess Prioritize your actions and justify resources Describe the situation, its potential severity, potentially affected parties, and (if available) the suspected party or parties. Identify the impact and sensitivity of the investigation on your organization. Analyze the business impact of the incident throughout the investigation. Analyze affected intangible resources

11 Assess

12 Document the scope Affected networks The number affected computers and types Detailed network topology External storage and remote computers Capture network traffic if live analysis is required – Be aware of internal policy around the use of network capture tools, be sure you have clearance/authorization. Examine the state of software applications and OS on machines that may be affected: application logs, system logs, Sysinternals pstools. Examine affected file and application servers: Sysinternals tools as pstools, psfile, shareenum, internal Windows security logs. Ensure that volatile realtime data is securely stored.

13 Assess Best practices Build a timeline and map everything to it. Identify and interview anyone who might be involved, such as sysadmins and users Document interview outcomes Retrieve info (logs) from internal and external facing network devices that might be in the attack path Identify public IP address and domain ownership (Windows Sysinternals Whois, or the American Registry for Internet NumbersAmerican Registry for Internet Numbers

14 Assess Prepare for Evidence Acquisition Detailed document containing: – Initial estimate of impact – Network topology identifying affected systems – Summaries of interviews – Outcomes of legal and third party interactions – Reports and logs generated during assessment phase – A proposed course of action

15 Acquire the Data

16 Assess Prepare for Evidence Acquisition Detailed document containing: – Initial estimate of impact – Network topology identifying affected systems – Summaries of interviews – Outcomes of legal and third party interactions – Reports and logs generated during assessment phase – A proposed course of action

17 Acquire the Data Build the Toolkit Core tools and personnel should be identified before they are needed Make adjustments as needed for the current situation – Tools (such as WOLF where MS PSS is involved) – Personnel

18 Build the Toolkit Laptop – H/W and tools used only for the investigation – Storage device is forensically sterile Different OS and patches Application media Backup devices Blank Media Basic Networking Equipment Cables

19 Build the Toolkit Proving accuracy of data acquisition tools is generally easier if you use well-known computer forensics software. The tools must not modify the access time of files.

20 Build the Toolkit List each OS you will support and ensure you have the necessary tools: Include a tool to collect and analyze metadata. Include a tool for creating bit-to-bit and logical copies. Include tools to collect and examine volatile data, such as the system state – Microsoft Sysinternals ListDLLs, LogonSessions, PendMoves, Autoruns, ProcessExplorer – Other Windows Tools Systeminfo, Ipconfig, Netstat, Arp – Dedicated forensics software, for example: Encase (Guidance Software) The Forensic Toolkit (FTK) (AccessData) ProDiscover (Technology Pathways) Tools should be archived and preserved to allow for future verification of data

21 Build the Toolkit Generate checksums and digital signatures on files and other data: the File Checksum Integrity Validator (FCIV) tool. – This tool is available through Microsoft Knowledge Base article 841290, Availability and description of the File Checksum Integrity Verifier utility.Availability and description of the File Checksum Integrity Verifier utility

22 Build the Toolkit: Worksheets and Samples Link to the Fundamental Computer Investigation Guide for Windows on the Microsoft Download CenterFundamental Computer Investigation Guide for Windows – Chain of Custody Log – Impact Analysis Worksheet – Sample Internal Investigation Report Appendix C. Sample Worksheets in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice:Forensic Examination of Digital Evidence: A Guide for Law Enforcement – Computer Evidence – Hard Drive Evidence – Removable Media

23 Build the Toolkit: Preparing Personnel At least part of the team should have some formal investigation training List of nonprofit agencies, organizations, Federal law enforcement agencies, and academic institutions that provide computer forensic training, see "Appendix G. Training Resources List" in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.Forensic Examination of Digital Evidence: A Guide for Law Enforcement

24 Collect the Data If a machine is infected with a rootkit, it will probably return lots of false information; you must check for this first Sysinternals’ RootkitRevealer, but there is no single tool or methodology that will answer the question for you. See: – Mark Russinovich’s TechEd vid Advanced Malware Cleaning (chapter on rootkits) Advanced Malware Cleaning

25 Collect the Data Collecting data locally offers greater control over computers and data Remote collection is sometimes necessary

26 Collect the Data: Process 1.Create accurate documentation that will allow the data to be identified and authenticated later – Who performed the action and why they did it. What were they attempting to accomplish? – How they performed the action, including the tools they used and the procedures they followed. – When they performed the action (date and time) and the results.

27 Collect the Data: Process 2.Determine which methods to use – Online only when necessary, since you risk altering original evidence – Use offline methods when possible (uses bit-wise copy of the original data)

28 Collect the Data: Process 3.Identify and document potential data sources – Servers: role, logs, files and applications – Logs from internal/external network devices that may be in the path of attack: firewalls, routers, proxy servers, network access servers, IDS systems – Internal hardware components: NICs, PCMCIA cards, external port types such as Firewire, USB, PCMCIA – Storage devices: hard disks, network storage devices, removable media, mobile devices

29 Collect the Data: Process 4.Collecting Volatile Data – Carefully consider the order in which it is collected

30 Collect the Data: Process 5.Collecting Data from Storage Media – Volatile data collection is complete before turning off the computer to remove device? – Remove device and collect data using another computer? – Create a bit-wise copy of the evidence in another location? Use industry-accepted software, such as EnCase by Guidance Software, or FTK by AccessData – Document internal devices, configuration information, type of device and condition

31 Collect the Data: Process 6. Verify collected data – Use checksums, digital signatures – You can use the Microsoft File Checksum Integrity Verifier (FCIV) tool to compute an MD5 or SHA1 cryptographic hash of the content of a fileMicrosoft File Checksum Integrity Verifier

32 Collect the Data: Store and Archive Best Practices – Physically secure and store in tamper-proof location – Document who has physical and network access to the evidence – Make at least two copies—one stored securely offsite – Ensure evidence is secured both physically and digitally – Document chain of custody, with check/in-check/out info

33 Analyze the Data

34 Analyze Network Data Not always necessary Be prepared for large amounts of data: focus on specific criteria Examine firewall, proxy server, IDS, remote access server logs View network sniffs where data might help identify activities. Encrypted sessions cannot be viewed, but time of connection, or endpoints may be valuable

35 Analyze Host Data Host Data – Lots of data, so identify and search for what you are seeking: Sysinternals Strings may be useful – \\Windows\prefetch contains info such as when and where apps were launched \\Windows\prefetch – OS Data: clock drift info, data in memory, processes running or scheduled to run (Sysinternals Autoruns) – Running apps, processes, network connections (Sysinternals ProcessExplorer, LogonSession, PSFile.)

36 Analyze the Data: Storage Media If possible use offline analysis Create a diagram of the directory structure Determine if encryption was used (EFS). See "Encrypting File System in Windows XP and Windows Server 2003" on Microsoft TechNet.Encrypting File System in Windows XP and Windows Server 2003 If necessary, uncompress files Identify files of interest Use file viewers to view contents

37 Analyze the Data: Storage Media File Resources: – Hash sets for well-known software: National Software Reference LibraryNational Software Reference Library – – Wotsit’s Format: – – Microsoft's DLL Help Microsoft's DLL Help – Sysinternals Streams for Alternate Data Streams Metadata: Encase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways.Guidance Software AccessDataTechnology Pathways Registry Resources: – Windows Server 2003 Resource Kit Registry Reference Windows Server 2003 Resource Kit Registry Reference – RegEdit, Windows Sysinternals RegMon for Windows, and Registry Viewer by AccessDataWindows Sysinternals RegMon for Windows Registry Viewer

38 Report

39 Report: Gather and Organize Identify parts of the documentation that are relevant to the investigation. Identify facts to support the conclusions you will make in the report. Create a list of all evidence to be submitted with the report. List any conclusions you wish to make in your report. Organize and classify

40 Report: Write the Report Purpose of Report. Author(s) of Report. Incident Summary. Introduce the incident and explain its impact. The summary should be written so that a non-technical person such as a judge or jury would be able to understand what occurred and how it occurred. Evidence Details: evidence, analysis methods, findings, etc. Conclusion. Supporting documents.

41 Report

42 Resources Fundamental Computer Investigation Guide for Windows: recovery/computer_investigation/default.mspx recovery/computer_investigation/default.mspx Windows Sysinternals: Channel 9: Mark Russinovich, chat re: Windows Security Microsoft Windows Security Resource Kit: Microsoft Security Risk Management Guide: nceandpolicies/secrisk/default.mspx nceandpolicies/secrisk/default.mspx

43 Other Resources Microsoft Security Awareness Toolkit and Guide

44 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

45 Services Platform Products Windows Live OneCare Exchange Hosted Services Windows Live Safety Center Windows Live ID ISA Server 2004 Microsoft Antigen Windows Rights Management Services Microsoft Identity Integration Server 2003 Data Protection Manager 2006 Windows XPSP2 Windows Server 2003 SP1 Anti-malware tools Microsoft Update Windows Server Update Services Encrypted File System Active Directory Federation Services Certificate Services Next generation of services Forefront Server Security line Forefront Client Security ISA Server 2007 MIIS “Gemini” Microsoft Certificate Lifecycle Manager Active Directory Rights Management Services Forefront content filtering services Windows Vista Windows Defender Bit Locker Info Card Internet Explorer 7 Windows Server “Longhorn” Network Access Protection Active Directory Certificate Services

Download ppt "Fundamental Computer Investigation for Windows Barbara Chung, CISSP, CISM Chief Security Advisor, US Ed Microsoft Corporation"

Similar presentations

Ads by Google