Digital Forensics. Module 7 CS 996

Transcription

1 Digital Forensics Module 7 CS 996

2 Module #6 Covered Using Autopsy Using Helix 3/30/2005 Module 7 2

3 Outline of Module #7 Review mid-term Helix presentation Forensic business news Gates v. Bando case Linux host forensics Windows host forensics 3/30/2005 Module 7 3

4 Write Blocker Products Parallel IDE $199 Serial ATA/IDE $281 SCSI $446 Firewire A/B and USB 1.x/2.0 com 3/30/2005 Module 7 4

5 Version 5 of EnCase Better analysis Outlook and Outlook Express AOL Personal File Cabinets MBOX archives Support for FireFox and Opera Linux for Encase! New products EnCase for Law Enforcement EnCase for Corporate EnCase for Corporate (Delux) 3/30/2005 Module 7 5

6 Gates v. Bando ( ) Started field of computer forensics Gates and Bando in field of industrial drive belts Gates accused Bando of stealing trade secrets (computer design programs) Gates then filed motion for summary judgment because Bando had destroyed evidence 3/30/2005 Module 7 6

7 Gates v. Bando, cont. Judge allows Gates access to Bando computers Gates uses Norton Unerase and file by file copy, thereby deleting information Bando s expert challenges Gates procedures Judge rejects Gates motion! Standards are set for forensic analysis y/library/preservation/gates.html 3/30/2005 Module 7 7

8 Forensic Analysis in Linux: Where to Look? history file user accounts logfiles program size root kits unusual files in unusual locations other?? 3/30/2005 Module 7 8

9 Look for Unauthorized Accounts 3/30/2005 Module 7 9

10 Log File Analysis 3/30/2005 Module 7 10

11 Program Size Changes 3/30/2005 Module 7 11

12 Rootkit: 3/30/2005 Module 7 12

13 Searching for Unusual Files 3/30/2005 Module 7 13

14 Investigating Windows Systems Basic Application log files Temp files Recently used documents Recycle bin History + temporary Internet files Registry Hidden Files ADS.chk files Swap space 3/30/2005 Module 7 14

15 Investigating Windows Registry Log files Windows IIS Application data search Graphics files in Windows 3/30/2005 Module 7 15

16 Using Helix Knoppix plus many forensic tools! Autopsy Sleuthkit Etc. Current version 1.6 ( e-fense, inc) Live Windows investigation Bootable Linux distribution 3/30/2005 Module 7 16

17 Helix: dd GUI-- GRAB 3/30/2005 Module 7 17

18 Helix for Windows 3/30/2005 Module 7 18

19 Helix: Acquisition 3/30/2005 Module 7 19

20 Helix Windows File Recovery 3/30/2005 Module 7 20

21 After Recovering Image 3/30/2005 Module 7 21

22 Helix Windows Security Report Live system analysis Security Report 3/30/2005 Module 7 22

23 Helix System Audit Audit report 3/30/2005 Module 7 23

24 Windows Registry Great digital dumpster for investigations! Two primary hives HKEY_LOCAL MACHINE HKEY_USERS Registry files No extension Full copy of hive data.alt extension Backup copy.log extension Changes to data.sav extension 3/30/2005 Module 7 24

25 Location of Registry Files Win2000 and XP C:\winnt\system32\config Win98 C:\windows 3/30/2005 Module 7 25

26 Discovering Deleted User Accounts Deleted accounts may not be visible in Windows Computer Manager (Win2000) Check registry HKEY_LOCAL_MACHINE\SOFTWARE\MICRO SOFT\WINDOWS NT\CURRENT VERSION\PROFILE LIST\ Shows deleted account names! 3/30/2005 Module 7 26

27 3/30/2005 Module 7 27

28 Searching Windows Registry Regedit has limited search ability Regedt32 has no search ability Resplendence Registrar: good search ability Freeware version: Resplendence Lite Searching under username What has user done on machine? Looking for recent searches of current user using Windows Search function 3/30/2005 Module 7 28

29 Investigating the Registry Registrar Lite editor (free at Investigate old user names Most recently used files Recent searches for files 3/30/2005 Module 7 29

30 3/30/2005 Module 7 30

31 3/30/2005 Module 7 31

32 What Files Has User Searched For? HKEY_USERS\SID\Software\Microsoft\Inte rnet Explorer\Explorer Bars\ID\Files Named MRU\ List of recent Windows searches Why do we need this? Might not have access to disk image Court may give you a smaller sandbox! Minimize collateral damage in investigations! 3/30/2005 Module 7 32

33 Internet Temp File Time Stamps 3/30/2005 Module 7 33

34 3/30/2005 Module 7 34

35 Windows Log Files (Win2000) Configure for proactive forensics Review for potential evidence Location: c:\winnt\system32\config\ appevent.evt secevent.evt sysevent.evt Basic configuration: administrative tools computer management event viewer 3/30/2005 Module 7 35

36 3/30/2005 Module 7 36

37 Setting Audit Policy Administrative Tools Local Security Policy Local Policies Audit Policy Default: nothing logged! 3/30/2005 Module 7 37

38 3/30/2005 Module 7 38

39 Security Events of Interest Account logon Logs local access Account management Logs administrator activities Logon events Where account is used System events 3/30/2005 Module 7 39

40 Auditing IIS Log Files Default location: c:\winnt\system32\logfiles Configure through: Administrative Tools Internet Services Manager Three possible log file formats: W3C Extended: configurable Microsoft IIS: not configurable NCSA Common Format 3/30/2005 Module 7 40

41 IIS Log File Format 3/30/2005 Module 7 41

42 3/30/2005 Module 7 42

43 Investigative Searching Free evaluation Step #1: build document index of words Index specific folders Index entire harddrive! Step #2: run searches Desktop search Internet search 3/30/2005 Module 7 43

44 Search Options Boolean Stemming: grammatical forms Phonic: sounds like Fuzzy: misspellings Synonyms Files filters: date, size, name, etc. 3/30/2005 Module 7 44

45 Copernic Desktop Search 3/30/2005 Module 7 45

46 Managing Graphics Files in Windows Thumbsplus Finds and creates thumbnail view of all graphic files Creates database of images Finds images like selected image Free trial download 3/30/2005 Module 7 46

47 3/30/2005 Module 7 47

48 References for Module #7 Warren Kruse, Computer Forensics, Chapters 9-11, Dave Dittrich, Basic Steps in Forensic Analysis of Unix Systems ensics 3/30/2005 Module 7 48