Volatile Data Acquisition & Analysis

Transcription

1 Volatile Data Acquisition & Analysis Villanova University Department of Computing Sciences D. Justin Price Spring 2014

2 VOLATILE INFORMATION Memory that requires power to maintain data. Exists as Physical Memory (RAM) Virtual Memory (Pagefile.sys) Hibernation File Virtual Machine RAM (*.vmem) Describes the state of the system at a particular point in time Types of volatile information include: System time Logged-on user(s) Open files Network information Network connections

3 ACTIVE USERS! Determine who is actively logged on a compromised system is important. The psloggedon command will display all users that are currently active on the local system, in addition to users active on the system via remote resources.!

4 SYSTEM INFORMATION The psinfo command will capture a tremendous amount of volatile data, in addition to specific hardware information that may be useful later in the investigation. Information captured by this utility is as follows: System Uptime Kernel Build Install Date Registered Organization & Owner Processors Information Physical Memory Disk Volume Information (-d switch) Installed Applications (-s switch) Installed hotfixes (-h switch)! By knowing what applications and hotfixes are installed, one may be able to help determine what vulnerabilities are present on the system.

5 SYSTEM INFORMATION

6 FILE LISTING Another important command to execute is one that captures a complete file listing of all files and directories on the system. This will create a snapshot of all files along with their timestamps. There are several options with the dir command that will document and sort the file listing by access date, modified date or creation date. Some of the more important options are listed below:! /t = gets time stamp /a = shows all files /s = recursive listing /Q = shows files owners /o:d = sorts by date

7 FILE LISTING Examples of the command are listed below. The following commands will sort the file listing by access data, modified data and creation date, respectively. The following commands will capture a recursive file listing from the root of the C:\ drive. If the incident only warranted a certain directory or user s account, then the last option of the command could be modified.! \dir /t:a /a /s /Q /o:d c:\ \dir /t:w /a /s /Q /o:d c:\ \dir /t:c /a /s /Q /o:d c:\

8 OPEN NETWORK PORTS Netstat is another utility that can be used for documenting all open ports. As indicated before, there are numerous options available. The four options that should be used are indicated below:! F:\netstat.exe -anob -a = displays all connection and listening ports -n = displays the numerical addresses -b = displays the executable involved -o = displays the owning process ID

9 OPEN NETWORK PORTS

10 RUNNING PROCESSES Pslist is a utility that documents all of the running processes currently active on a system. This utility is useful in identifying and documenting any unauthorized processes running on a compromised system. An example of the command and useful options are detailed below:! pslist.exe tdmx -t = process list in tree format -d = shows thread detail -m = shows memory detail -x = shows processes, memory information and threads

11 RUNNING PROCESSES

12 ACTIVE DLLs ListDLLs is a utility that will document and display all DLLs that are currently loaded and associated with a specific process or process ID. If a rogue application or process is running, documenting what DLLs are associated with the process could be critical information for later examination and reengineering efforts.! \listdlls.exe uv -u = list unsigned DLLs -v = display DLL version information processname = displays all DLLs loaded by a process pid = displays all DLLs associated with a pid

13 PHYSICAL NETWORK CONNECTIONS In addition to documenting and recording processes, opened files and active users, it is equally important to record the current network configuration. This will help document the current network settings, MAC address, connected network and assigned IP address. An example of the command and useful options are detailed below:! \ipconfig /all /all = displays detailed information

14 PHYSICAL NETWORK CONNECTIONS

15 INSTALLED SERVICES Psservices utility can be used to document and record all installed services on the system. The information can be used as a starting point to see if any of the installed services have known exploits. An example of the command is detailed below:! \psservices.exe

16 INSTALLED SERVICES

17 EVENT LOGS The next set of commands is used to deal with event logs. Event logs can be critical in documenting and reporting permission changes, installation activities and user account access, to only name a few. The auditpol /get utility can be used to determine the current audit log policy. This can help determine what policies are currently running on the system and may help explain what logs are and are not seen in the event logs. Psloglist is a utility that will extract all of the event logs from the various event logs in an easily viewable format.! \psloglist.exe -x system (extracts system event logs) \psloglist.exe -x security (extracts security event logs) \psloglist.exe -x application (extracts application event logs)

18 EVENT LOGS

19 LOGIN / LOGOFF EVENTS The ntlast utility can be used to only document and record user logon and logoff events. This may be helpful to document so that extensive time is not wasted mining through the extensive event logs (EVT) on a properly configured system. When used with the verbose option (-v), all logon, logoff and duration entries are extracted.! ntlast.exe v

20 REMOTE FILES The psfile utility can be used to document and record all files that are remotely open on the system from which it is executed. The utility also has the capability to close any of the open files.!

21 OPEN FILES AND FOLDERS The handle utility can be used to document and record, which program has a certain file and/or directory open. If a rogue application has been identified, this command would help determine what the application is doing by showing what files and/or folders are being accessed by the rogue application.!

22 OPEN FILES AND FOLDERS

23 EFS ENCRYPTED FILES One final command that may be useful will identify if any files on the target system are encrypted utilizing NTFS s built-in encryption algorithm. The encryption algorithm is referred to as Encrypting File System (EFS) and is supported on any system running Windows 2000 and newer. Additionally, the hard drive must be formatted as NTFS. The EFS encryption password is directly tied to the user s account that encrypted the file. If EFS encrypted files are identified, it is recommended that the files be exported to a FAT32 formatted thumb drive. By exporting to a FAT32 thumb drive, the encryption will be lost, because FAT32 does not support EFS. In other words, if you are investigating a live box and you have access to the decrypted files, copy the files out before the system is shutdown or the user s account is logoff, rendering the decrypted files unreadable. An example of the command and useful options are detailed below:! C:\cipher /U /N! The /U /N options will identify all encrypted files on all attached volumes.

24 EFS ENCRYPTED FILES

25 EFS ENCRYPTED FILES

26 BATCH FILES All of the data generated from the above commands can be exported to a text file using the output switch (>). An example of this exportation feature would be:! psloggedon.exe > e:\trusted_thumb_drive\active_users.txt! For efficiency, a script could be created to automatically run each of these commands and send all of the outputs to individual files or append all of the outputs (>>) to a single text file. An example of a scripting would be:! date > e:\ trusted_thumb_drive\results.txt time >> e:\ trusted_thumb_drive\results.txt psloggedon.exe >> e:\ trusted_thumb_drive\results.txt psinfo.exe h s d >> e:\psinfo.exe h s d date >> e:\ trusted_thumb_drive\results.txt time >> e:\ trusted_thumb_drive\results.txt! The date and time commands are a great way to document when the incidence response actions were started and finished. Remembering that documentation is a major factor when dealing with an evidentiary scenario. When capturing the system s data and time settings, it is important to document any discrepancies. This information will be critical, if discrepancies do exist. If timeline analysis becomes a necessary analysis tool, then knowing any date and/or time differences would be critical so that examination conclusions are based on accurate facts of the incident.

27 BATCH FILES Another way to record the volatile data is to set up a forensic workstation and utilize the netcat program. Netcat can be used to send the data from the target system to the forensic workstation over a network connection. On the forensic workstation, the following command will start a netcat session using port 2222 and record the incoming data to a text file named pslist.txt:! nc l p 2222 > pslist.txt! Once the listening port has been established on the forensic workstation, any command can be executed on the compromised system and the volatile data can be recorded on the forensic workstation. The command listed below will execute the pslist command and send the output to the forensic workstation over port 2222:! pslist nc

28 VOLATILE DATA - OS X Volatile Data: Command: Switch Operation: Date and Time date N/A List of Commands Run history N/A List Users id N/A Users Logged On w N/A System Uptime uptime N/A File Time Stamps ls -alru / ls -alrc / ls -alr / l = long listing R = Recursive Listing u = access time c = modification time w/o u or c = create time Network Connections netstat -anp a = display all ports n = indicates numerical addresses Running Processes ps -a N/A Network Config ifconfig N/A Last Logins of Users last N/A Mounted File Systems df -ah a = show all mount points H = human readable sizes Password Hashes cat N/A Open Files lsof N/A

29 VOLATILE DATA - LINUX Volatile Data: Command: Switch Operation: Users Logged On w N/A Date and Time Date N/A System Uptime uptime N/A File Time Stamps ls -alru / ls -alrc / ls -alr / l = long listing R = Recursive Listing u = access time c = modification time w/o u or c = create time Network Connections netstat -anop a = display all ports n = indicates numerical addresses o = networking timers p = process ID Running Processes Ps -aux N/A Network Config ifconfig N/A Log Data last N/A Kernal Modules lsmod N/A Mounted File Systems df -ah a = show all mount points H = human readable sizes Password Hashes cat N/A Open Files lsof N/A

30 RAM CAPTURE This process will change / alter evidence. Documentation is very important when deciding to extract physical memory. There is no current method to write-protect physical memory. Why memory should be captured: Running processes Network Connections Configuration Parameters Encryption Keys Passwords Memory-only exploits Data carving (INFO2, lnk files, graphic files, internet artifacts (i.e. session cookies), etc.)

31 RAM CAPTURE

32 RAM CAPTURE

33 RAM CAPTURE

34 ACCESSDATA S FTK

35 ACCESSDATA S FTK

36 VOLATILITY

37 MANDIANT REDLINE Mandiant offers a free memory acquisition and analysis tool for the Windows and Macintosh platform called Memoryze. This tool is specially designed to aid the incident response team in identifying malicious activity or evidence of such activity in the physical memory. Memoryze is capable of capturing the physical memory and analyzing raw images of physical memory even if the program didn t initially capture it. The feature list is extensive but capable of everything between enumerating all hidden and unhidden running processes to identifying all drivers loaded in memory.! User Guide:

38 MANDIANT REDLINE

39 MANDIANT REDLINE

40 MANDIANT REDLINE

41 MANDIANT REDLINE

42 MANDIANT REDLINE

43 MANDIANT REDLINE

44 MANDIANT REDLINE

45 MANDIANT REDLINE

46 MANDIANT REDLINE

47 MANDIANT REDLINE

48 MANDIANT REDLINE

49 MANDIANT REDLINE

50 MANDIANT REDLINE

51 MANDIANT REDLINE

52 OSTRIAGE

53 OSTRIAGE

54 OSTRIAGE

55 OSTRIAGE

56 OSTRIAGE

57 OSTRIAGE

58 OSTRIAGE

59 OSTRIAGE

60 OSTRIAGE