
Slide 1: Forensics in Fifteen
Evaluating Computers for Technical, rather than Legal, Information
© 2006 The Trustees of Boston College
Copyright David Bowie. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 2: Overview
» What this talk is about
  o How to quickly assess what is going on from a technical point of view
  o Drawing conclusions based upon a small sample size
  o How to use public tools and current data to understand an incident
  o Windows-centric
» What this talk is NOT about
  o How to obtain evidence
  o How to preserve evidence
  o How to conduct an investigation
  o How to secure a computer used in a crime
  o How to respond to a subpoena
  o IANAL (I am not a lawyer)

Slide 3: Who am I?
» David Bowie
  o Senior Security Analyst with Boston College
    - CISSP
    - President, Boston InfraGard Members Alliance
  o 20 years with a Tier-1 ISP
    - BBN, GTE-I, Genuity, Level 3

Slide 4: Before an incident
» Cultivate your (extended) network
  o IPS/IDS
  o Snort
  o Network flows
  o DNS queries
  o Network/policy changes
  o Chatter
    - Mailing lists & industry websites
» Check your toolkit
  o Latest tools on CD or USB
  o Blank CDs & USB for data
  o Laptop for browsing & IM
  o Notebook

Slide 5: Basic process
» Define a set of sample computers
  o Triage
» Isolate the computers
  o Controlled test environment
» Evaluate the common threads
  o Apps & activities
» Theorize on the likely infection & vector
  o Occam's Razor
» Validate your hypothesis
  o Test to prove
  o Don't be afraid to be wrong
» SET your GOALS
  o Confirm or eliminate known infections
  o Define the vector
    - Airborne or clickaholic?
  o Define the threatened population

Slide 6: Triage à la M*A*S*H
» Focus your efforts on those who will survive...
  o Those who need care within five minutes are "immediate"
  o Those with stabilized injuries, but needing treatment, are "delayed"
  o Patients whose wounds are beyond the ability to treat and who are likely to die are labeled "expectant"
» Applying this to computers...
  o Is the computer running the required SW?
  o Does the computer NOT have games/sharing SW?
  o Is the computer portable?

Slide 7: Clearing the decks for action
» Gather your tools
» Define a location
» Hints:
  o Make sure the BIOS allows you to change the boot order
    - Usually, but some BIOSes work differently
  o Keep a hard-copy notebook; log everything
  o Open WORD on the target computer for screen captures
    - Remember that Alt+PrtScn captures only the active window
  o Save everything to your USB disk in separate folders
    - Burn to CD later
  o Dedicate time to the process
    - This is either an incident, or not.

Slide 8: What tools do I use?
» Public tools
  o TCPView
  o Procexp (Process Explorer)
  o Autoruns
  o MSConfig
  o RootkitRevealer
  o WFT (Windows Forensic Toolchest)
  o HELIX
» Purchased tools
  o ERD Commander
» Where to get tools
  o Sysinternals: free tools
  o Winternals: purchased tools
  o Foundstone: free tools
  o HELIX: free Knoppix-based CD with tools
  o WFT: free tools in a single package

Slide 9: Tools & Toys
» Interesting place for new tools and to share tools
» Top free tools
» Knoppix
  o Free bootable Linux CD by Klaus Knopper

Slide 10: Using the tools
» TCPView
  o Watch for attempts to connect for no reason
    - Trace back to the application or service
» Procexp
  o Look for odd processes or services started remotely
    - Find the names
» Autoruns
  o Look for applications that start automatically
    - Are they suspect?

Slide 11: Sample process of discovery
[Flowchart; node labels as recovered, in the order they appear: Examine AV logs, Login as ADMIN, Passwd?, ERD, tcpview / procexp / autoruns, Process name, Search the disk, Time of infection, Processes used, DUH, VECTOR]

Slide 12: Anti-Virus may answer all questions

Slide 13: TCPView – what it looks like (my cpu)

Slide 14: Procexp – what it looks like (my cpu)

Slide 15: Autoruns – what it looks like (my cpu)

Slide 16: Determining the likely infection vector
» Look for a file created or used by the malware
» Search the disk for files created on the same date as the identified file
  o Sort by time
» Check all the files created immediately preceding the infection file
» Pay attention to 'prefetch' files that show what commands were executed
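The pivot-and-sort procedure on this slide as a script (an added example, not code from the talk): given an inventory of file creation times, it lists the files created in the minutes before an identified malware file, oldest first, and pulls the program names out of any Prefetch entries in that window. The sample inventory, the Prefetch hashes and the scan_disk helper are assumptions of this example; oracle.exe and rdpclip.exe are names that appear on the slides.

```python
import os
from datetime import datetime, timedelta
# Constructed (path, creation time) inventory standing in for a disk scan; the
# Prefetch hashes are made up, oracle.exe and rdpclip.exe are names from the talk.
SAMPLE_INVENTORY = [
    ("C:/WINDOWS/system32/oracle.exe", "2006-03-14T09:42:10"),
    ("C:/WINDOWS/Prefetch/RDPCLIP.EXE-1A2B3C4D.pf", "2006-03-14T09:41:55"),
    ("C:/WINDOWS/Prefetch/SETUP~1.EXE-5E6F7A8B.pf", "2006-03-14T09:41:40"),
    ("C:/Documents and Settings/user/Local Settings/Temp/setup~1.exe", "2006-03-14T09:41:30"),
    ("C:/Program Files/Office/winword.exe", "2005-11-02T13:00:00"),
    ("C:/WINDOWS/system32/drivers/etc/hosts", "2006-03-14T09:43:05"),
]
def scan_disk(root):
    """Inventory a real mounted disk: st_birthtime where the OS exposes it, else st_ctime
    (creation time on Windows, but only the inode change time on Linux)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            born = getattr(st, "st_birthtime", st.st_ctime)
            records.append((full, datetime.fromtimestamp(born).isoformat()))
    return records

def is_prefetch(path):
    p = path.replace("\\", "/").lower()
    return "/prefetch/" in p and p.endswith(".pf")

def pivot_window(records, pivot_path, minutes_before=10):
    """Files created in the window before the pivot file, oldest first (the 'sort by time' step)."""
    inv = [(p, datetime.fromisoformat(t)) for p, t in records]
    pivot_time = dict(inv)[pivot_path]
    start = pivot_time - timedelta(minutes=minutes_before)
    hits = [(p, t) for p, t in inv if start <= t <= pivot_time and p != pivot_path]
    hits.sort(key=lambda pt: pt[1])
    return [{"path": p, "seconds_before": int((pivot_time - t).total_seconds()),
             "prefetch": is_prefetch(p)} for p, t in hits]

def prefetched_programs(hits):
    """Executables named by Prefetch entries (EXENAME-HASH.pf): commands that ran just before."""
    return [os.path.basename(h["path"]).rsplit("-", 1)[0] for h in hits if h["prefetch"]]

if __name__ == "__main__":
    window = pivot_window(SAMPLE_INVENTORY, "C:/WINDOWS/system32/oracle.exe")
    for h in window:
        print(f"-{h['seconds_before']:>4}s {'[PF] ' if h['prefetch'] else '     '}{h['path']}")
    print("ran just before infection:", prefetched_programs(window))
```

Against a real machine, build the inventory with scan_disk on the mounted disk and pass the malware file's path as the pivot; widen minutes_before if the window comes back empty.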

Slide 17: TCPView – what it looks like (infected cpu)

Slide 18: Procexp – what it looks like (infected proc)

Slide 19: Search for files (oracle.exe)

Slide 20: Correlate with Event Logs

Slide 21: Search for files (oracle.exe)

Slide 22: Correlate to the event log (system)

Slide 23: Focus on the strange

Slide 24: Google what you don't understand
» Terminal Services supports the automatic redirection of printers that are configured to use local ports (such as LPT1, LPT2, or LPT3) on computers that have open client sessions through the Remote Desktop Protocol (RDP) 5 client.
» rdpclip.exe is the executable for File Copy. It provides a function for the Terminal Services server that allows you to copy and paste between server and client.

Slide 25: Correlate findings and tune hypothesis
» Is the infection airborne?
» Is the compromise due to user activity?
» Is there a policy problem?
» What is the population of at-risk computers?
» APPLY WHAT YOU KNOW NOW TO SIMILARLY INFECTED COMPUTERS.

Slide 26: Did you meet your objectives?
» Is the infection known, or new?
  o If new, grab a copy and send it to your AV vendor for analysis
    - Is there a DAT file that needs to be distributed?
» Define the vector
  o Airborne or clickaholic?
    - Is there a block to be put in place?
    - Is this an education opportunity?
» Define the threatened population
  o Desktop and/or infrastructure?
    - Specific patch level?
    - Specific application?

Slide 27: Close the incident
» Recommendations
  o Assist in developing the mitigation strategy
  o Close any holes
  o Clean infected computers
» Redefine normal
» Educate and Evaluate

Slide 28

