Chao-Hsien Chu, Ph.D., College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802: Investigating Windows Systems (presentation transcript)

2 Investigating Windows Systems: Learning by Doing, Theory → Practice
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802
chu@ist.psu.edu

3 Session Outline
- Forensic Mindset
- Investigative Questions
- Common File System Types
- Investigating Windows Systems
- Windows Registry
- Investigative and Case Management Tools

4 Learning Objectives
At the end of this module you will be able to:
- Describe the importance of the forensic mindset
- Describe common investigative questions
- Explain the basic steps in the forensic analysis process
- Discuss the forensic importance of the Windows Registry
- Demonstrate the case management functions of EnCase and FTK

5 Forensic Mindset
Digital forensic mindset, condensed definition:
- Using your skills to determine what has occurred or, what most likely occurred, as opposed to what is possible
- You do NOT work for anyone but the TRUTH!
The tools used are not nearly as important as the person using them!
The examination should not occur in a vacuum: find out all you can about what is already known.

6 Organizing the Investigation
- Use your knowledge to examine the system to answer: could it have happened that way or not?
- Don't make it more complicated than it has to be; start with the obvious!
- Examples: check for programs that will cause you aggravation, such as encryption (PGP, Magic Folders, File Vault, EFS, etc.)
  - http://www.iopus.com/guides/efs.htm

7 Organizing the Investigation
MAC (modified, accessed, created) information: what was happening on the system during the time frame you are interested in? What was being "written", "changed" or "accessed"?

8 Investigative Questions
One of the most common questions is: where on the Internet was it surfing? In the absence of managed server logs, use ??????
A great product (LE or corporate security only) is IEHistory by Scott Ponder of Phillips Ponder Company: http://www.phillipsponder.com/histviewer.htm

9 Questions/Requests
- Another very common request is to gather up all the e-mails, including the deleted ones, for the investigator to read. As always, this is done on the image or with a hardware write protect.
- Any communication is usually requested, and chat is being used more and more.
  - MSN Chat does not store its chats by default. Newer versions do!
  - AOL Instant Messenger
  - Encryption: Yahoo Messenger stores them on the local drive, but they are encrypted. Any ideas how to get around this?

10 Passwords & Encryption
- #1 rule: if you don't know the password, ask the person who does!
- Are they lazy? Is there an easily obtained password that is used in both circumstances?
- Access Data software (Password Recovery / Ultimate Tool Kit)
- Is there a corporation that you can pay to have it done for you?

11 Where Do We Start?
- Verify integrity of image (MD5, SHA1, etc.)
- Recover deleted files & folders
- Determine keyword list
  - What are you searching for?
- Determine time lines
  - What is the time zone setting of the suspect system?
  - What time frame is of importance?
  - A graphical representation is very useful
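Two of the steps on this slide, image verification and time-line construction, are shown below as an added example (not code from the presentation). The image bytes, the MAC records, the suspect system's time zone offset (assumed UTC-5, fixed) and the time frame of interest are all constructed here; the hashing reads the image in chunks so it works on a real multi-gigabyte image file as well.

```python
"""Verify an acquired image against the hashes recorded at acquisition, and
build a timeline of MAC timestamps normalized to UTC from the suspect
system's time zone.

Added example, not code from the original presentation. The image bytes,
the MAC records and the suspect time zone offset are all constructed here.
"""
import hashlib
import io
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an acquired image. A real image is a file of
# many gigabytes; hash_stream reads it in chunks, never all at once.
SAMPLE_IMAGE = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed evidence" + b"\xff" * 28


def hash_stream(stream, algorithms=("md5", "sha1"), chunk=1 << 20):
    """Return {algorithm: hexdigest} for everything readable from stream,
    computing all requested digests in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(stream, recorded):
    """Recompute the digests named in `recorded` ({algorithm: hex}) and
    compare them, case-insensitively, with the values recorded at
    acquisition. Returns (ok, computed); any mismatch makes ok False."""
    computed = hash_stream(stream, tuple(recorded))
    ok = all(computed[name] == value.lower() for name, value in recorded.items())
    return ok, computed


def verify_bytes(data, recorded):
    return verify_image(io.BytesIO(data), recorded)


# Constructed MAC records, as a tool might export them: the timestamps are
# local time on the suspect machine, whose clock we assume was set to UTC-5
# (a fixed offset; daylight-saving transitions are ignored in this example).
SUSPECT_TZ = timezone(timedelta(hours=-5))

MAC_RECORDS = [
    ("C:\\Docs\\plan.xls", "modified", "2004-03-12 23:50:00"),
    ("C:\\Docs\\plan.xls", "accessed", "2004-03-13 00:02:00"),
    ("C:\\Docs\\plan.xls", "created", "2004-03-10 09:15:00"),
    ("C:\\Temp\\~WRL0001.tmp", "created", "2004-03-12 23:49:30"),
]

# The time frame of interest, expressed in UTC so it can be compared with
# evidence from other systems and with server logs.
TIMEFRAME_UTC = (
    datetime(2004, 3, 13, 4, 0, tzinfo=timezone.utc),
    datetime(2004, 3, 13, 6, 0, tzinfo=timezone.utc),
)


def build_timeline(records, suspect_tz, start_utc, end_utc):
    """Convert each local timestamp to UTC using the suspect system's zone,
    keep those inside [start_utc, end_utc], and return them oldest first as
    (utc_datetime, path, event) tuples."""
    timeline = []
    for path, event, local_text in records:
        local = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=suspect_tz)
        utc = local.astimezone(timezone.utc)
        if start_utc <= utc <= end_utc:
            timeline.append((utc, path, event))
    timeline.sort()
    return timeline


def example_timeline():
    return build_timeline(MAC_RECORDS, SUSPECT_TZ, *TIMEFRAME_UTC)


if __name__ == "__main__":
    recorded = hash_bytes(SAMPLE_IMAGE)   # what the acquisition notes would hold
    ok, computed = verify_bytes(SAMPLE_IMAGE, recorded)
    print("image verified:", ok, computed)
    for utc, path, event in example_timeline():
        print(utc.isoformat(), event.ljust(8), path)
```

Computing MD5 and SHA1 in one pass matters on real images: reading hundreds of gigabytes twice doubles the verification time for nothing. Normalizing every timestamp to UTC before sorting is what lets a local-time file system event and a UTC server log land in the same ordered timeline.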

12 Where Do We Start?
- Examine directory tree
  - What looks out of place?
  - Stego tools installed
  - Evidence scrubbers
- Perform keyword searches
  - Indexed
  - Slack & unallocated space

13 Where Do We Start?
- Search for relevant evidence types
  - Hash sets can be useful
  - Graphics
  - Spreadsheets
  - Hacking tools
  - Etc.
- Look for the obvious first
- When is enough enough??

14 Common File System Types
FAT (File Allocation Table):
- FAT 16: DOS; Windows 3.x; Windows 95
- FAT 32: Windows 95 release 2, Windows 98, Windows Me, Windows 2000, Windows XP, Server 2003
NTFS (New Technology File System): Windows NT; Windows 2000; Windows XP; Server 2003

15 FAT 16
- Uses 16 bits in the file allocation table (FAT)
- Two FATs (primary and backup)
- Supports up to 4GB of volume space
- Maximum file size of 2GB
- Supports two partitions and 3 logical drives in the second partition
- Uses the 8.3 file naming convention
- "/", "\", "[", "]", "|", the double quote, "+", "=", ";", "*" and "?" are illegal or invalid characters
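The 8.3 convention and the timestamps a FAT16 volume keeps both live in 32-byte directory entries, which is what a tool reads when it recovers deleted files and reports MAC times. The parser below is an added example (not code from the presentation): it decodes the on-disk entry layout and the packed DOS date/time words, recognizes deleted entries (first name byte 0xE5, which is why the first character of a recovered name is lost), and validates 8.3 names against the slide's illegal-character list. The sample directory bytes are constructed with the encode helpers.

```python
"""Parser for raw 32-byte FAT directory entries, the on-disk record behind
the 8.3 naming convention, plus a validator for 8.3 names using the
illegal-character list from the slide.

Added example, not code from the original presentation. The directory
bytes below are constructed with the encode helpers; the entry layout
(name, attributes, DOS dates and times, first cluster, size) follows the
FAT specification.
"""
import struct
from datetime import datetime

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F        # VFAT long-name slot, not a file entry
DELETED_MARKER = 0xE5        # first name byte of a deleted entry
END_MARKER = 0x00            # first name byte meaning "no more entries"
ILLEGAL_83_CHARS = set('/\\[]|"+=;*?')   # the slide's list


def is_valid_83_name(name):
    """True if name fits 8.3: 1-8 character base, optional 0-3 character
    extension, no spaces and none of the illegal characters."""
    base, _, ext = name.partition(".")
    if not 1 <= len(base) <= 8 or len(ext) > 3:
        return False
    return not any(c == " " or c in ILLEGAL_83_CHARS for c in base + ext)


def encode_dos_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def encode_dos_time(hour, minute, second):
    return (hour << 11) | (minute << 5) | (second // 2)


def decode_dos_datetime(date_word, time_word, tenths=0):
    """DOS date: bits 15-9 year-1980, 8-5 month, 4-0 day.
    DOS time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2.
    tenths: creation-time refinement in 10 ms units (0-199).
    Returns None for a zeroed or corrupt field."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    try:
        return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)
    except ValueError:
        return None


def make_entry(base, ext, attrs, created, accessed, written, cluster, size, deleted=False):
    """Build a 32-byte entry; used here only to construct sample data."""
    raw_name = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    fields = struct.pack(
        "<BBHHHHHHHI", 0, 0,            # NT reserved byte, creation tenths
        encode_dos_time(created.hour, created.minute, created.second),
        encode_dos_date(created.year, created.month, created.day),
        encode_dos_date(accessed.year, accessed.month, accessed.day),
        0,                              # high cluster word: always 0 on FAT16
        encode_dos_time(written.hour, written.minute, written.second),
        encode_dos_date(written.year, written.month, written.day),
        cluster, size)
    return raw_name + bytes([attrs]) + fields


def parse_entry(raw):
    """Decode one entry into a dict, or None for an end marker / LFN slot."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    first, attrs = raw[0], raw[11]
    if first == END_MARKER or attrs == ATTR_LONG_NAME:
        return None
    deleted = first == DELETED_MARKER
    raw_name = (b"?" + raw[1:11]) if deleted else raw[0:11]   # first char lost on delete
    base = raw_name[:8].rstrip(b" ").decode("ascii", "replace")
    ext = raw_name[8:11].rstrip(b" ").decode("ascii", "replace")
    tenths, ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<BHHHHHHHI", raw, 13)
    accessed = decode_dos_datetime(adate, 0)
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "is_dir": bool(attrs & ATTR_DIRECTORY),
        "size": size,
        "first_cluster": (hi << 16) | lo,
        "created": decode_dos_datetime(cdate, ctime, tenths),
        "accessed": accessed.date() if accessed else None,
        "modified": decode_dos_datetime(wdate, wtime),
    }


def parse_directory(data):
    """Walk a directory cluster's bytes, stopping at the end marker."""
    entries = []
    for offset in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[offset:offset + ENTRY_SIZE]
        if raw[0] == END_MARKER:
            break
        entry = parse_entry(raw)
        if entry is not None:
            entries.append(entry)
    return entries


# Constructed sample directory: one live file, one deleted file, end marker.
SAMPLE_DIRECTORY = (
    make_entry("PLAN", "XLS", 0x20, datetime(2004, 3, 10, 9, 15, 0), datetime(2004, 3, 13),
               datetime(2004, 3, 12, 23, 50, 0), cluster=5, size=24576)
    + make_entry("SECRET", "TXT", 0x20, datetime(2004, 3, 12, 23, 49, 30), datetime(2004, 3, 12),
                 datetime(2004, 3, 12, 23, 49, 30), cluster=17, size=1234, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        print(e)
```

Two things worth noticing for the examiner: the last-access field is a date only (no time), so "accessed" timestamps on FAT are coarser than on NTFS, and the two-second granularity of the time word means a written time can legitimately differ by a second from the application's own log.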

16 NTFS
- Long file name support
- Ability to handle large storage devices
- Built-in security controls
- POSIX support: http://www.pcguide.com/ref/hdd/file/ntfs/otherPOSIX-c.html
- Volume striping
- File compression
- Master file table (MFT)

17 Investigating Windows Systems
User/system data (created intentionally):
- User profiles
- Program files
- Temporary files (temp files)
- Special application-level files: Internet history, e-mail
Artifacts (generated by the system):
- Metadata
- Windows system registry
- Event logs or log files
- Swap files
- Printer spool
- Recycle bin

18 Windows Registry
- A central hierarchical database to store information necessary to configure the system for one or more users, applications and hardware devices.
- Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files
- First introduced in Windows 3.1 for storing OLE settings (pre 1995): http://en.wikipedia.org/wiki/ActiveX

19 Windows Registry
Wealth of investigative information:
- Registered Owner
- Registered Organization
- Shutdown Time
- Recent Docs
- Most Recently Used (MRU) list
- Typed URLs
- Previous devices mounted
- Software installed

20 Registry Tools
- Registry Reader: Access Data
- EnCase
- Windows
  - Regedit
  - Regedt32
- Freeware tools
- Never work on the original; make a copy

21 Windows Registry
There are five root keys:
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_USER (HKCU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)

22 Registry Architecture
Two are "master" keys:
- HKEY_LOCAL_MACHINE (HKLM): configuration data describing hardware and software installed on the computer
- HKEY_USERS (HKU): configuration data for each user that logs into the computer

23 Registry Architecture
Three are derived from the "master" keys:
- HKEY_CLASSES_ROOT: file associations and OLE
- HKEY_CURRENT_USER: currently logged-on user
- HKEY_CURRENT_CONFIG: current hardware profile

24 HKEY_CLASSES_ROOT: derived from HKLM\Software\Classes

25 HKEY_CURRENT_USER: derived from HKU\<SID of current user>

26 HKEY_CURRENT_CONFIG: derived from HKLM\System\CurrentControlSet\Hardware Profiles\Current

27 The Windows Registry
- Dial-up accounts: HKEY_CURRENT_USER\RemoteAccess\Addresses
- Dial-up account usernames: HKEY_CURRENT_USER\RemoteAccess\Profile\[isp_name]
- RegisteredOwner/Organization, Version, VersionNumber, ProductKey, ProductID, ProductName: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- MSN Messenger info: HKEY_CURRENT_USER\Identities\{string}\Software\Microsoft\Messenger Service and HKEY_CURRENT_USER\Software\Microsoft\MessengerService

28 The Windows Registry
- Outlook Express user info (e-mail, newsgroups, etc.): HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts and HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\0000000x
- Internet Explorer history settings length: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLHistory
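Pulling the owner, organization and product values from the locations on slide 27, together with the shutdown time listed on slide 19, is shown below as an added example (not code from the presentation). On Windows the `winreg_reader` function reads the live registry through the standard `winreg` module, which is fine for trying it on the examiner's own workstation; for evidence you pass a reader over a copy of the hives, as slide 20 directs, and `dict_reader` with its constructed values stands in for that here. Two locations not on the slides are added from the registry layout: NT-based systems keep the owner and product values under `Windows NT\CurrentVersion` rather than `Windows\CurrentVersion`, and the last shutdown time is the `ShutdownTime` value under `System\CurrentControlSet\Control\Windows`, an 8-byte FILETIME that the example decodes to UTC.

```python
"""Collect investigative registry values (registered owner/organization,
product name/ID, version, last shutdown time) through a pluggable reader
and decode ShutdownTime's FILETIME into a UTC datetime.

Added example, not code from the original presentation. winreg_reader
reads the live registry on Windows; dict_reader and CONSTRUCTED_HIVE are
constructed stand-ins for a reader over copied hives.
"""
import sys
from datetime import datetime, timedelta, timezone

ARTIFACTS = [
    # (hive, key path, value name); the first five are from slide 27
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion", "RegisteredOrganization"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion", "ProductName"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion", "ProductId"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion", "Version"),
    # NT-based systems keep the owner and product values here instead
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion", "RegisteredOwner"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion", "RegisteredOrganization"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion", "ProductName"),
    # last clean shutdown, stored as an 8-byte FILETIME (REG_BINARY)
    ("HKLM", r"System\CurrentControlSet\Control\Windows", "ShutdownTime"),
]

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw8):
    """FILETIME: little-endian count of 100 ns ticks since 1601-01-01 UTC."""
    ticks = int.from_bytes(raw8, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to construct sample data."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return ticks.to_bytes(8, "little")


def winreg_reader(hive, key_path, value_name):
    """Read one value from the live registry (Windows only); None if absent."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(roots[hive], key_path) as key:
            data, _value_type = winreg.QueryValueEx(key, value_name)
            return data
    except OSError:
        return None


# Constructed values standing in for a copied hive; keyed by
# (hive\key path, value name).
CONSTRUCTED_HIVE = {
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion", "RegisteredOwner"): "J. Example",
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion", "ProductName"): "Microsoft Windows XP",
    (r"HKLM\System\CurrentControlSet\Control\Windows", "ShutdownTime"):
        datetime_to_filetime(datetime(2004, 3, 13, 4, 49, 30, tzinfo=timezone.utc)),
}


def dict_reader(hive, key_path, value_name):
    return CONSTRUCTED_HIVE.get((hive + "\\" + key_path, value_name))


def collect_artifacts(reader, artifacts=ARTIFACTS):
    """Query every artifact through reader(hive, key_path, value_name) and
    return {full path: value}. Missing keys are skipped; ShutdownTime is
    decoded to an ISO 8601 UTC string."""
    found = {}
    for hive, key_path, value_name in artifacts:
        data = reader(hive, key_path, value_name)
        if data is None:
            continue
        if value_name == "ShutdownTime" and isinstance(data, (bytes, bytearray)) and len(data) == 8:
            data = filetime_to_datetime(data).isoformat()
        found[hive + "\\" + key_path + "\\" + value_name] = data
    return found


if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else dict_reader
    for path, value in collect_artifacts(reader).items():
        print(path, "=", value)
```

Keeping the reader separate from the artifact list is the design point: the same collection logic runs against the live registry for a demonstration and against an offline hive copy for evidence, and a missing key simply drops out of the report instead of aborting the run.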

29 Automated Tools
- Easier case management
- Keyword searching includes slack/residue and other unallocated areas of disk space.
- Ability to use hash sets of known system files to minimize keyword search times.
- Ability to use hash sets to search for known files such as child porn, root kits or whatever you want to hash and find quickly.
- Unicode and ANSI compatible
  - Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.
  - Needed for foreign language support
- Etc.
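The hash-set and keyword-search features on this slide (and the hash sets and slack/unallocated searches on slides 12 and 13) combine into one workflow, shown below as an added example (not code from the presentation or from any of the tools it names): files whose SHA-1 is in a known-good set are skipped, files in a known-bad set are flagged without searching, and everything else, plus a blob standing in for unallocated space, is searched for each keyword in both its ANSI and its UTF-16LE (Windows Unicode) byte form. The hash sets, file contents and unallocated bytes are all constructed here.

```python
"""Hash-set triage followed by a keyword search in both ANSI (latin-1) and
Unicode (UTF-16LE) byte forms over recovered file contents and an
unallocated-space blob.

Added example, not code from the original presentation; the hash sets,
file contents and unallocated bytes are all constructed here.
"""
import hashlib
import re


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed contents: one stand-in for a stock system file (known good)
# and one for a rootkit component (known bad).
KNOWN_GOOD_CONTENT = b"MZ\x90\x00 constructed stand-in for a stock system DLL"
KNOWN_BAD_CONTENT = b"constructed stand-in for a known rootkit component"
KNOWN_GOOD = {sha1_hex(KNOWN_GOOD_CONTENT)}
KNOWN_BAD = {sha1_hex(KNOWN_BAD_CONTENT)}

# Constructed recovered files; memo.doc is a Unicode (UTF-16LE) document.
RECOVERED_FILES = {
    r"C:\WINDOWS\system32\stock.dll": KNOWN_GOOD_CONTENT,
    r"C:\WINDOWS\system32\drivers\hidden.sys": KNOWN_BAD_CONTENT,
    r"C:\Docs\memo.txt": b"Meeting notes: transfer the funds Friday.",
    r"C:\Docs\memo.doc": "Draft: Transfer the funds on Friday".encode("utf-16-le"),
}
# Constructed unallocated space holding the remains of a deleted Unicode file.
UNALLOCATED = b"\x00" * 40 + "deleted: funds wired".encode("utf-16-le") + b"\xff" * 40


def keyword_patterns(keywords):
    """One case-insensitive byte regex per keyword and encoding. The
    UTF-16LE form interleaves NUL bytes, so an ANSI-only search misses it."""
    patterns = []
    for keyword in keywords:
        for encoding in ("latin-1", "utf-16-le"):
            regex = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
            patterns.append((keyword, encoding, regex))
    return patterns


def search_bytes(data, patterns):
    """Return sorted (offset, keyword, encoding) hits in a raw byte buffer;
    works the same on a file body, slack or an unallocated-space dump."""
    hits = []
    for keyword, encoding, regex in patterns:
        for match in regex.finditer(data):
            hits.append((match.start(), keyword, encoding))
    return sorted(hits)


def triage_and_search(files, unallocated, keywords, known_good, known_bad):
    """Apply the hash sets first, then keyword-search what remains."""
    patterns = keyword_patterns(keywords)
    report = {"skipped_known_good": [], "flagged_known_bad": [], "hits": {}}
    for path, content in files.items():
        digest = sha1_hex(content)
        if digest in known_bad:
            report["flagged_known_bad"].append(path)   # found by hash, no search needed
            continue
        if digest in known_good:
            report["skipped_known_good"].append(path)  # stock file, not worth searching
            continue
        hits = search_bytes(content, patterns)
        if hits:
            report["hits"][path] = hits
    hits = search_bytes(unallocated, patterns)
    if hits:
        report["hits"]["<unallocated>"] = hits
    return report


if __name__ == "__main__":
    result = triage_and_search(RECOVERED_FILES, UNALLOCATED, ["funds"], KNOWN_GOOD, KNOWN_BAD)
    for section, value in result.items():
        print(section, value)
```

The offsets in the report are byte offsets into the searched buffer, which is what you need to go back to the image and carve the surrounding context; the `<unallocated>` hit is the one an indexed search of live files would never show.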

30 EnCase Forensic Tools
Supports "bit stream acquisitions" in three ways:
- #1: drive to drive in a DOS environment, loading its own drive lock TSR.
- #2: drive to drive in a Windows environment using a hardware drive locker ("FastBloc" or others).

31 EnCase Forensic Tools

32 EnCase Forensic Tools
- #3: computer to computer using a crossover network cable. EnCase for DOS loaded from a diskette with write protect software on the suspect's computer, EnCase for Windows on the forensic examiner's computer.

35 Forensic Toolkit: Access Data

36 Forensic Toolkit

38 Summary
- Computer forensics is not a piece of software.
- The forensic mindset is paramount.
- The Windows registry is a treasure chest of forensic information.
- You will need several tools in your forensic toolbox.

