WEEK 2.0. Any sufficiently advanced technology is indistinguishable from magic.

Transcription

1 WEEK 2.0 Any sufficiently advanced technology is indistinguishable from magic.

2 Recycler A recycle bin for each user Created upon file deletion Only for RB aware programs ie Office, not command line tools Must find recycle bin for each user if you are to restore Do not open on your PC as you will change MACs and combine contents

3 Access from DOS prompt (/a ext) Accessed by SID User to SID, SID to User may be helpful INFO file links deleted files to real names and deletion times use IEhist

4

5 Deleted Naming Convention D%DriveLetter%_%IndexNumber%_%FileExtension%. The "D" stands for Drive. %DriveLetter% is the drive that the file resided on. %IndexNumber%: This number is assigned to each file or folder that is sent to the Recycle Bin, and can be used to tell the order of deletion. The highest number was the last file deleted. When the Recycle Bin is emptied and the system is restarted, the index numbering starts all over. %FileExtension%: This will be the original file extension of the file. If a folder is deleted, there will be no extension.

6 A file named Steve.doc is deleted from the C: drive and is sent to the Recycle Bin. It is the first item deleted for the particular user session. The file will be named Dc1.doc. A file named hacker.txt is deleted from the C: drive and is sent to the Recycle Bin. It is the second item deleted for the particular user session. The file will be named Dc2.txt. The entry for the files will be found in the C:\Recycler\%SID%\INFO2 file for the user who deleted the item from the C: drive.

7

8 Rifiuti

9 Vista/W7+ $Recycle.bin Still uses the User SID File names are random, keep ext No longer has Info2 files Uses $I - info $R content

10 Access View using dir /s command Copy out using XP = Xcopy /H c:\$recycle.bin e:\target_dir\recyclebin W7 = Robocopy use /MIR Rifiuti works on these

11 Registry Database containing information on every Windows compatible program installed on PC Information about users and their preferences Hardware Software Network information

12 Purpose Discuss the structure of the Windows Registry. Methods for determining Registry footprints for arbitrary applications and user activity will be presented.

13 The structure of the Registry

14 The various hives or sections of the Registry that are persistent on the system can be found in files located in the %SYSTEMROOT%\system32\config folder. Exception: The file that comprises the configuration settings for a specific user is found in that user s Documents and Settings folder.

15 Registry Organization The Windows registry contains the following: Hives are utilized by the registry to store data on itself. Hives are stored in a variety of files that are dependent on the Windows Operating System that is being utilized.

16 Registry Organization Root Keys HKEY_CLASSES_ROOT (HKCR) Contains file to program mapping for with Windows Explorer. HKEY_CURRENT_USER (HKCU) Contains the profile (settings, etc) about the user that is logged in. HKEY_LOCAL_MACHINE (HKLM) Contains system-wide hardware settings and configuration information. HKEY_USERS (HKU) Contains the root of all user profiles that exist on the system. HKEY_CURRENT_CONFIG (HKCC) Contains the profile used by the computer during start up. Sub Keys These are essentially sub directories that exist under the Root Keys.

17 Registry Organization

18 Windows Security and Relative ID The Windows Registry utilizes a alphanumeric combination to uniquely identify a security principal or security group. The Security ID (SID) is used to identify the computer system. The Relative ID (RID) is used to identity the specific user on the computer system. The SID appears as: S

19 SID: S-1-0 Name: Null Authority Description: An identifier authority. SID: S Name: Nobody Description: No security principal. SID: S-1-1 Name: World Authority Description: An identifier authority. SID Examples SID: S Name: Everyone Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. SID: S-1-2 Name: Local Authority Description: An identifier authority. SID: S-1-3 Name: Creator Authority Description: An identifier authority.

20 SID Security ID NT/2000/XP/2003 HKLM>SAM>Domains>Accounts>Aliases>Members This key will provide information on the computer identifier HKLM>SAM>Domains>Users This key will provide information in hexadecimal User ID Administrator 500 Guest 501 Global Groups ID Administrators 512 Users 513 Guest - 514

21 MRU To identify the Most Recently Used (MRU) files on a suspect computer system: Windows 9x/Me User.dat Windows NT/2000 Search should be made for MRU, LRU, Recent Ntuser.dat Windows XP/2003 Search should be made for MRU, LRU, Recent HKU>UserSID>Software>Microsoft>Windows> CurrentVersion>Explorer>RecentDoc Select file extension and select item

22 Registry Forensics Registry keys have last modified time-stamp Stored as FILETIME structure like MAC for files Not accessible through reg-edit Accessible in binary.

23 The Registry as a log file LastWrite time: last modification time of a file. The forensic analyst may have a copy of the file, and the last modification time, but may not be able to determine what was changed in the file.

24 What s in the Registry 1.Autostart locations 2.User activity

25 1. Autostart locations Used by a great many pieces of malware to remain persistent on the victim system. Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

26 User Activity

27 MRU ( most recently used ) lists there are a number of values named for letters of the alphabet; in this case, from a through g. The MRUList entry maintains a list of which value has been most recently used.

28 Registry Each user has own section of the Registry Shows Most recent used (MRU) Searched (Files Named MRU) Typed URLs (Typed URL) Last Commands (Run MRU) Last files saved (Open Save MRU)

29

30 MRU Doc Find Specs MRU reg query ** /s HKLM\Software\Microsoft\Windows\CurrentVersi on\[run\runonce\runservices\runservicesonce] Retrieve the content of all Run, RunOnce, RunServices and RunServiceOnce keys and all subkeys. To identify unusual programs and Trojans.

31 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ Review Most Recently Used (MRU) files. To identify unusual files. reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall. To identify unusual programs and Trojans. C:\>wmic product list > products.txt streams s c: Check any NTFS streams on the C Drive. (sysinternals)

32 Run MRU

33 Typed URLs

34 Search History

35 Last Files Saved

36 Registry Forensics List of applications and filenames of the most recent files opened in windows

37 Investigate Copy files from their location in WINNT\System32\Config Copy from Repair directory Run Regedit and Import to your host OR Copy out using one of the following tools Note back up your Reg first

38 Registry Tools If I have seen further it is by standing on the shoulders of giants. Regdump large text file Reg Query get keys of Interest Regedit view the registry Registrar Lite resplendence.com Keytime shows last registry key write time in a readable format

39 Yaru access live registry / produce reports RegReport full report of exported hives Regedit view the registry tzworks.net Forensic Control free software