Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic Analysis of a Windows 2000 Server Operating System Joshua Young CS585F – Fall 2002.

Similar presentations


Presentation on theme: "Forensic Analysis of a Windows 2000 Server Operating System Joshua Young CS585F – Fall 2002."— Presentation transcript:

1 Forensic Analysis of a Windows 2000 Server Operating System Joshua Young CS585F – Fall 2002

2 Scenario Computer is still in its original environment Computer is on Computer appears connected to the internet. Computer and room have not yet been touched Evidence handling procedures are already in place

3 Take Pictures… (Video if possible)

4 Lots and Lots of Pictures…

5 Intro to WinHex Hex Editor Plus Many Forensic Uses, especially for the novice –Disk Cloning, Ram Capture, Hex Searches, Spanned Files Small (can fit on a floppy) Inexpensive –Free limited trial Version –$100 for full version (with variations in between) http://www.winhex.com

6 Ram Capture Before Unplugging

7 RAM Export

8 Get Password Hashes Use PWDUMP from floppy to floppy While this causes a small change to the disk, the hashes are not easily recovered once the machine is off –Win 2000 encrypts the hashes. Even if you use a boot disk to access the NTFS partition and recover the SAM file, password crackers will not be able to break it.

9 LophtCrack 4 Foiled

10 PWDump2 Any changes to the Hard Disk would be minor. Source Code is available, so the impact could be independently verified Only works if the person logged on has administrative rights

11 PWDump2 to the rescue

12 Freeze the System Once we have the RAM…. And the Password Hashes….. Pull the plug

13 Don’t Forget Other Media Collect all other media for analysis (similar analysis to Hard Disk) –Floppies –CDRoms –Zip Disks –Smart Cards / Memory Sticks If media has software on it, record name, serial number, and whether it was original media or not. If possible, check serial numbers with vendors to see if any of it violates copyright law.

14 Computer Used Linux Bootable Toolbox 2.0 –Genuine Intel Pentium II –Speed: 348.49 Mhz –Cache: 512Kb –Flags: fpu vme de pse tsc msr …etc Memory –Main129,835,008 Fdisk DeviceBootStartEndBlocksIDSystem /dev/hda1 *18326289888+7 HPFS/NTFS

15 Prep Destination disk(s) To be on the safe side, before cloning the hard disk, it is a good idea to wipe the drive that will house the clone. This helps eliminate any question that data found on the disk could have originated on your system. I used QuickWiper as an example

16 QuickWiper

17

18 Clone the Hard Disk (bit for bit copy)

19 Create Hash of Disk (2 or more different types if possible)

20 Time Stamp the Evidence Using a service such as digistamp, it is a good idea to timestamp the evidence to help prove that you made no additional changes to the media.

21 Begin the Analysis Never work on the original media. Always use the copy. I conducted my analysis within windows itself. First I cracked the passwords so I could log in.

22 LophtCrack 2.5

23 Map Files Use known good version of cmd.exe file Pipe lists to text files Get several files –By date (creation, last access, last write, etc.) –By extension (pics, docs, zips, etc. ) –By type (hidden, system, read-only, etc.) Import into excel or database for analysis Notepad is not adequate for large text files. I used TextPad to view, search, etc.

24

25 Dir Command Dir c: /Q /S /TA >d:FileList1.txt Q displays owner S causes recursive list TA displays last access time Took about 5 minutes to run Produced a 4.5 Meg File

26

27 Objective Focus on typical use of the computer Focus on possible illegal activities –Illegal Material (Piracy and/or outlawed content) –Hacking –Unauthorized Data Focus on Information Collection –Contacts –Account Numbers –Passwords

28 I searched for 4 types of data Configuration –System Information –Networking Parameters –Installed Programs Regular –documents, email, keyword, zipped, etc. Deleted –Recycle Bin –Marked for deletion but still recoverable –Left Over Registry Entries Hidden –Slack/Free Space –Steganalysis –Encrypted –Altered File Types –Streams

29 System Info On top of data obtained by the Linux Bootable Toolkit (shown before), the information contained under the start menu/settings/control panel details the system –All Administrative tools are there –Date/Time, System, Hardware Settings –Disk Tools –Computer Management Application

30

31 Specific things to look for in configuration Web Site(s) FTP Site(s) Terminal Services DNS or Mail Services Running Log Files –EventViewer –C:\WINNT\system32\LogFiles\

32

33

34 Network Parameters Simple IPConfig command Windows Network Dialog –Start Menu/Settings/Network and Dialup Connections

35 IPConfig

36

37 Specific things to look for in network settings Dial-Up Accounts (to contact for logs) VPN’s set up Whether it’s got multiple IP’s Protocols Installed Sharing Configuration

38 Installed Programs Add/Remove Programs Hard Disk –List files by.exe,.com,.bat,.zip,.msi Services Registry –Regedit –Deleted Apps may leave key values or Components installed Programs that run at start up

39

40 Dir *.msi /s (Microsoft Installer Files)

41

42 Regedit Search for ‘Transcender’

43 Start Up Programs Start Menu For each user Regkey: –HKEY_LOCAL_MACHINE –HKEY_CURRENT_USER Software/microsoft/windows/currentversion –Run –Runonce –Runonceex

44 Specific things to look for in Installed Programs Hacking/Cracking Tools –Encryption –Data Hiding –Sniffers –Password Crackers Illegal Software –Bootleg Software Registered Software Development Tools Financial Software

45 Regular Data Pictures Office Docs (Word, Wordperfect, Excel, etc.) Emails Wav Files Movie Files PDF Files Search for ‘Common File Types’ on www.google.com returns many sites that list common extensions and their viewers. www.google.com

46 Finding and Viewing Data Dir or Windows Search Some Apps contain recent file lists Regedit search Some must be viewed individually, but some can be viewed all at once –Example, lview pro for images Be sure to include hidden files –Search parameter –Attrib command Be sure to check attachments folder for email

47

48

49 Advantages to Lview Opens all common image files Presents in many formats (slideshow, contact sheet, etc.) Preview pane Can pass a file list from command line (obtained by something like the Dir command) Does not rely on extension –Will open.jpg file even if extension is wrong

50 If Docs are encrypted… Several Inexpensive utilities can break passwords on many common files. –AccessData –Cain Keys may be found written down or stored electronically in plaintext (via textfiles)

51 Deleted Data Recycle Bin Marked For Delete but recoverable –Trial Version of Norton doesn’t work on NT –WinHex will list deleted files, but has limited recovery capability (fragmentation hinders it). Registry Search –Keys are often left over Important to do on an unaltered copy of the drive

52

53

54 Web Info History Cache Cookies Tools I tried didn’t work

55 Hidden Data Important to do these tests on an unaltered copy of the drive Free/Slack/Swap Space Staganalysis Encryption Altered File Types Streams

56 Free/Slack/Swap Space Swap Space is a file on Windows Free Space is space marked available to write to in Windows Slack Space is unused space at the end of a file Used WinHex

57 Free Space

58 Altered File Types Software can detect files via their headers Most apps will open their own files correctly if pointed to them directly Some applications serve as multipurpose. For example, word opens most document types. LViewPro opens most image types.

59

60 Alternate Data Streams Originated to provide compatibility with Macintosh Hierarchical File System (HFS) Invisible using standard windows browsing utilities. Free program Lads will display all streams

61

62 Steganalysis and Encryption Both very effective at hiding data, especially when used together. Detection is difficult, but actually recovering the data can be unfeasible for most analysts. Most common means of detection is the presence of software utilities used for Steganography or Encryption Most common means of recovery is poor password security. Either passwords are found via other applications or written down.

63 Conclusion Was able to accumulate a considerable amount of information from a default Windows 2000 Server machine Several tools and techniques didn’t work as described in research. Windows is getting better. If secured correctly, I don’t know that I would have been able to recover much information at all.


Download ppt "Forensic Analysis of a Windows 2000 Server Operating System Joshua Young CS585F – Fall 2002."

Similar presentations


Ads by Google