Download presentation
Presentation is loading. Please wait.
Published byPhilip Ellis Modified over 9 years ago
1
Forensic Analysis of a Windows 2000 Server Operating System Joshua Young CS585F – Fall 2002
2
Scenario Computer is still in its original environment Computer is on Computer appears connected to the internet. Computer and room have not yet been touched Evidence handling procedures are already in place
3
Take Pictures… (Video if possible)
4
Lots and Lots of Pictures…
5
Intro to WinHex Hex Editor Plus Many Forensic Uses, especially for the novice –Disk Cloning, Ram Capture, Hex Searches, Spanned Files Small (can fit on a floppy) Inexpensive –Free limited trial Version –$100 for full version (with variations in between) http://www.winhex.com
6
Ram Capture Before Unplugging
7
RAM Export
8
Get Password Hashes Use PWDUMP from floppy to floppy While this causes a small change to the disk, the hashes are not easily recovered once the machine is off –Win 2000 encrypts the hashes. Even if you use a boot disk to access the NTFS partition and recover the SAM file, password crackers will not be able to break it.
9
LophtCrack 4 Foiled
10
PWDump2 Any changes to the Hard Disk would be minor. Source Code is available, so the impact could be independently verified Only works if the person logged on has administrative rights
11
PWDump2 to the rescue
12
Freeze the System Once we have the RAM…. And the Password Hashes….. Pull the plug
13
Don’t Forget Other Media Collect all other media for analysis (similar analysis to Hard Disk) –Floppies –CDRoms –Zip Disks –Smart Cards / Memory Sticks If media has software on it, record name, serial number, and whether it was original media or not. If possible, check serial numbers with vendors to see if any of it violates copyright law.
14
Computer Used Linux Bootable Toolbox 2.0 –Genuine Intel Pentium II –Speed: 348.49 Mhz –Cache: 512Kb –Flags: fpu vme de pse tsc msr …etc Memory –Main129,835,008 Fdisk DeviceBootStartEndBlocksIDSystem /dev/hda1 *18326289888+7 HPFS/NTFS
15
Prep Destination disk(s) To be on the safe side, before cloning the hard disk, it is a good idea to wipe the drive that will house the clone. This helps eliminate any question that data found on the disk could have originated on your system. I used QuickWiper as an example
16
QuickWiper
18
Clone the Hard Disk (bit for bit copy)
19
Create Hash of Disk (2 or more different types if possible)
20
Time Stamp the Evidence Using a service such as digistamp, it is a good idea to timestamp the evidence to help prove that you made no additional changes to the media.
21
Begin the Analysis Never work on the original media. Always use the copy. I conducted my analysis within windows itself. First I cracked the passwords so I could log in.
22
LophtCrack 2.5
23
Map Files Use known good version of cmd.exe file Pipe lists to text files Get several files –By date (creation, last access, last write, etc.) –By extension (pics, docs, zips, etc. ) –By type (hidden, system, read-only, etc.) Import into excel or database for analysis Notepad is not adequate for large text files. I used TextPad to view, search, etc.
25
Dir Command Dir c: /Q /S /TA >d:FileList1.txt Q displays owner S causes recursive list TA displays last access time Took about 5 minutes to run Produced a 4.5 Meg File
27
Objective Focus on typical use of the computer Focus on possible illegal activities –Illegal Material (Piracy and/or outlawed content) –Hacking –Unauthorized Data Focus on Information Collection –Contacts –Account Numbers –Passwords
28
I searched for 4 types of data Configuration –System Information –Networking Parameters –Installed Programs Regular –documents, email, keyword, zipped, etc. Deleted –Recycle Bin –Marked for deletion but still recoverable –Left Over Registry Entries Hidden –Slack/Free Space –Steganalysis –Encrypted –Altered File Types –Streams
29
System Info On top of data obtained by the Linux Bootable Toolkit (shown before), the information contained under the start menu/settings/control panel details the system –All Administrative tools are there –Date/Time, System, Hardware Settings –Disk Tools –Computer Management Application
31
Specific things to look for in configuration Web Site(s) FTP Site(s) Terminal Services DNS or Mail Services Running Log Files –EventViewer –C:\WINNT\system32\LogFiles\
34
Network Parameters Simple IPConfig command Windows Network Dialog –Start Menu/Settings/Network and Dialup Connections
35
IPConfig
37
Specific things to look for in network settings Dial-Up Accounts (to contact for logs) VPN’s set up Whether it’s got multiple IP’s Protocols Installed Sharing Configuration
38
Installed Programs Add/Remove Programs Hard Disk –List files by.exe,.com,.bat,.zip,.msi Services Registry –Regedit –Deleted Apps may leave key values or Components installed Programs that run at start up
40
Dir *.msi /s (Microsoft Installer Files)
42
Regedit Search for ‘Transcender’
43
Start Up Programs Start Menu For each user Regkey: –HKEY_LOCAL_MACHINE –HKEY_CURRENT_USER Software/microsoft/windows/currentversion –Run –Runonce –Runonceex
44
Specific things to look for in Installed Programs Hacking/Cracking Tools –Encryption –Data Hiding –Sniffers –Password Crackers Illegal Software –Bootleg Software Registered Software Development Tools Financial Software
45
Regular Data Pictures Office Docs (Word, Wordperfect, Excel, etc.) Emails Wav Files Movie Files PDF Files Search for ‘Common File Types’ on www.google.com returns many sites that list common extensions and their viewers. www.google.com
46
Finding and Viewing Data Dir or Windows Search Some Apps contain recent file lists Regedit search Some must be viewed individually, but some can be viewed all at once –Example, lview pro for images Be sure to include hidden files –Search parameter –Attrib command Be sure to check attachments folder for email
49
Advantages to Lview Opens all common image files Presents in many formats (slideshow, contact sheet, etc.) Preview pane Can pass a file list from command line (obtained by something like the Dir command) Does not rely on extension –Will open.jpg file even if extension is wrong
50
If Docs are encrypted… Several Inexpensive utilities can break passwords on many common files. –AccessData –Cain Keys may be found written down or stored electronically in plaintext (via textfiles)
51
Deleted Data Recycle Bin Marked For Delete but recoverable –Trial Version of Norton doesn’t work on NT –WinHex will list deleted files, but has limited recovery capability (fragmentation hinders it). Registry Search –Keys are often left over Important to do on an unaltered copy of the drive
54
Web Info History Cache Cookies Tools I tried didn’t work
55
Hidden Data Important to do these tests on an unaltered copy of the drive Free/Slack/Swap Space Staganalysis Encryption Altered File Types Streams
56
Free/Slack/Swap Space Swap Space is a file on Windows Free Space is space marked available to write to in Windows Slack Space is unused space at the end of a file Used WinHex
57
Free Space
58
Altered File Types Software can detect files via their headers Most apps will open their own files correctly if pointed to them directly Some applications serve as multipurpose. For example, word opens most document types. LViewPro opens most image types.
60
Alternate Data Streams Originated to provide compatibility with Macintosh Hierarchical File System (HFS) Invisible using standard windows browsing utilities. Free program Lads will display all streams
62
Steganalysis and Encryption Both very effective at hiding data, especially when used together. Detection is difficult, but actually recovering the data can be unfeasible for most analysts. Most common means of detection is the presence of software utilities used for Steganography or Encryption Most common means of recovery is poor password security. Either passwords are found via other applications or written down.
63
Conclusion Was able to accumulate a considerable amount of information from a default Windows 2000 Server machine Several tools and techniques didn’t work as described in research. Windows is getting better. If secured correctly, I don’t know that I would have been able to recover much information at all.
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.