Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 5 Windows Forensics II

Transcription

1 Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 5 Windows Forensics II

2 Objectives After completing this chapter, you should be able to: Understand event logs Understand other audit events Understand forensic analysis of event logs Understand Windows password issues Describe some popular Windows forensic analysis tools 2

3 Introduction to Windows Forensics, Part II This chapter: Continues the study of Windows forensics Covers events and event logs Discusses password and authentication issues Describes various popular Windows forensic tools 3

4 Understanding Events Whenever an event occurs, the OS logs the event Event Any occurrence that the OS or a program wants to keep track of or alert the user about Some events are recorded by default Others are recorded based on the audit configuration maintained in the PolAdEvt registry key Systems configured as domain controllers have File Replication and Directory Service event logs Systems configured as domain name servers (DNS) have DNS event logs 4

5 Understanding Events Table 5-1 The event logging system keeps track of different types of logon events 5

6 Event Log File Format Windows event log is stored in a binary format with distinct, recognizable features Each event log consists of a header section and a series of event records Event log is maintained as a circular buffer Event log header Contained in the first 48 bytes of a valid event log file Consists of 12 distinct DWORD values Event record structure Basic header for an event record is 56 bytes 6

7 Windows Event Logs Windows uses an XML format for storing events Supports central collection of event records XML General-purpose specification for markup programming languages Allows the user to define specific elements to aid in sharing structured data among different types of computers with different OSs and applications wevtutil command Retrieves information about the Windows event log that is not readily apparent via the Event Viewer 7

8 Windows Event Logs Figure 5-1 An investigator can list all the event logs available using wevtutil 8

9 Windows Event Logs Figure 5-2 An investigator can view configuration information about specific event logs using wevtutil 9

10 IIS Logs Microsoft s Internet Information Server (IIS) Popular Web server platform IS Web server logs are most often maintained in the %WinDir%\System32\LogFiles directory Each virtual server has its own subdirectory for log files, named for the server itself By default, the log files are in ASCII format Are easily openable and searchable IIS logs will generally have column headers located at the top of the file 10

11 Parsing IIS Logs Managing and configuring IIS through the IIS Management Console Possible only on a system that has IIS installed and running By default, logging is enabled and is configured to use the W3C Extended Log File Format setting Logs are stored in the format exyymmdd.log 11

12 Parsing IIS Logs Table 5-2 Fields in an IIS log (continues) 12

13 Parsing IIS Logs Table 5-2 Fields in an IIS log (continued) 13

14 Parsing IIS FTP Logs FTP logs record the same fields that IIS Web logs do, except for the following: cs-uri-query cs-host cs(user-agent) cs(cookie) cs(referrer) sc-substatus FTP logs are stored in the following location: %WinDir%\System32\LogFiles\MSFTPSVC1\exyymmdd.log 14

15 Parsing DHCP Server Logs Dynamic Host Configuration Protocol (DHCP) Service provided by a server in which the server assigns a client machine an IP address upon request Microsoft server products all provide DHCP service if it is enabled and configured DHCP Service Activity Logs are created by the DHCP service Logs are stored in the following location by default: %SystemRoot%\System32\DHCP Logs are stored on a daily basis 15

16 Parsing DHCP Server Logs Table 5-3 The information in a DHCP log 16

17 Parsing Windows Firewall Logs When logging is enabled, Windows Firewall logs are stored in %SystemRoot%\pfirewall.log Stores data in the file objects.data Located in %SystemRoot%\System32\wbem\Repository\FS\ Windows Firewall log contains a header at the top that describes the software and version, the time format, and the fields 17

18 Using the Microsoft Log Parser Microsoft Log Parser is a powerful and versatile log-parsing tool that uses SQL-like queries Command to get all of the information from the System event log: LogParser.exe -o:datagrid select * from system Accepts three arguments: Input type, specified by the -i switch Output type, specified by the -o switch Query, which is in quotation marks 18

19 Using the Microsoft Log Parser Figure 5-3 An investigator can feed SQL-like queries to Log Parser to get specific information about an event log 19

20 Evaluating Account Management Events Account management category of events Records changes to accounts and group membership Includes: Creation, deletion, and disabling of accounts Modifying which accounts belong to which groups Account lockouts and reactivations Various event IDs are associated with changes to accounts 20

21 Evaluating Account Management Events Table 5-4 Different group membership event IDs 21

22 Interpreting File and Other Object- Access Events Object-access audit category Allows administrators to configure the event logs to record access to various objects on the system Access attempts are recorded in the event logs using three different event IDs: 560, 567, and 562 When a process needs access to some object, it first opens a handle to that object Handle is simply a shorthand way of referring to an object The file will receive a handle ID, and the process will refer to that file by its handle ID 22

23 Examining Audit-Policy Change Events Attackers will frequently attempt to disable auditing Modifications to the audit policy are recorded as event ID 612 entries In the audit policy + symbols indicate which events are being audited symbols show which events are not being audited Audit policy of the domain controller takes precedence over changes made to the local audit policy on an individual computer 23

24 Examining System Log Entries System event log Records events relating to system behavior, including: Changes to the operating system Changes to the hardware configuration Device driver installation Starting and stopping of services When a service is started or stopped, the Service Control Manager sends a stop signal to the service Simultaneously sends a message (event ID 7035) to the System event log 24

25 Examining Application Log Entries Application event log Contains messages from both the operating system and various programs Many utilities send messages to the Application log Especially antivirus and other system-protection programs Virtual Network Computing (VNC) Allows remote connections VNC application records connections to the VNC server, with the IP and port from which the connection originated, in the Application log 25

26 Using EnCase to Examine Windows Event Log Files EnCase parses Windows event log files by means of an EnScript EnScript is provided in the Sweep Case series EnCase does not rely on the Windows API to process the event logs EnCase can process event logs that are reported as corrupt by viewers that rely on the Windows API Investigator can use EnCase to locate event log files with its Conditions feature, which is, in essence, a filtering system 26

27 EnCase Windows Event Log Parser Appears as an available module in the right pane of the Sweep Case Options dialog When the parser has completed its task, it will show bookmarks for each event Arranged in a hierarchical folder structure based on grouping selection Will have the same results in a spreadsheet 27

28 Windows Event Log File Internals Windows event log files Databases with the records related to the system, security, and applications Stored in separate files named SysEvent.evt, SecEvent.evt, and AppEvent.evt, respectively Stored in %SystemRoot%\system32\config folder Each file has a header, a floating footer of sorts, and records To keep the files from becoming fragmented, the OS may allocate large contiguous cluster runs to the event log files 28

29 Repairing Corrupted Event Log Databases Log file will be reported as corrupt when: The four critical fields appearing in both the header and the floating footer are out of sync The file status byte is a value other than 0x00 or 0x08 If a file is reported as corrupt, an investigator can use a hex editor to repair the file status byte The next step in the repair process: synchronize the four critical fields in the header with the current values found in the floating footer 29

30 Understanding Windows Password Storage Windows systems store their user and password data in one of two places: Security Account Manager (SAM) file Active Directory SAM file is located in the %SystemRoot%\System32\Config folder File exists as a registry hive file Active Directory database information resides on the domain controller in a file called ntds.dit Located in the %SystemRoot%\ntds directory 30

31 Hashing Passwords Password is run through a specific algorithm that converts the password into a numeric value This value, called the hash value or hash, is then stored in lieu of the actual password Hashing algorithm Also called hash function Group of algorithms called one-way functions When a particular password is used as the input to the function, it will generate the same hash value Likelihood of two separate passwords generating the same hash value is low 31

32 Hashing Passwords Authentication steps: User first selects a password System calculates the password hash value System records the resulting hash value along with the account name in the SAM or ntds.dit file When a user attempts to authenticate System takes the password the user provides during the authentication attempt, runs it through the hash function, and compares the result to the hash value stored in the password file If the two are the same, the authentication proceeds If the two are different, the authentication fails 32

33 Hashing Passwords Windows hash functions Modern Windows operating systems mainly use two different hash functions NT LanMan (NTLM) hash LanMan (LM) hash 33

34 Cracking Windows Passwords Stored Password cracking on Running Systems Process of taking a password hash and attempting to determine the associated password that generated the password hash Process consists of multiple iterations: Guess a possible password Generate a password hash of the guess using the same hashing algorithm used by the target system Compare the hash value of the guess to the hash of the target account s password If the two match, the guess was the original password 34

35 Exploring Windows Authentication Mechanisms Windows systems use one of three main types of authentication mechanisms to access remote computers: LanMan authentication NTLM authentication Kerberos 35

36 LanMan Authentication Relies on a hash to determine whether a remote user has provided a valid username/password combination LanMan hash is never actually sent across the network during an authentication session Attack methods Replay attack Attacker copies the authentication message as it crosses the wire Resends that message at a later date to impersonate the user 36

37 LanMan Authentication Attack methods (cont d) Known plain-text attack Attacker knows both the encrypted form of a communication and the original message that was encrypted LanMan authentication mechanism starts to break down when the complexity (or lack thereof) of its key is examined 37

38 NTLM and Kerberos Authentication More secure than its predecessor Hash is calculated across the entire case-sensitive password Resulting in a 16-byte hash Hash is created using the MD4 hash algorithm Changes make the NTLM password less susceptible to brute-force cracking Main problem When a client uses the NTLM authentication, the client also sends the LanMan hash as part of the authentication communication 38

39 NTLM and Kerberos Authentication Kerberos Secure option available to Windows computers Relies on a system of security, or access, tickets that are issued by computers designated as ticketgranting authorities Microsoft implementation still uses the NTLM hash as a starting point for identifying that a user knows the correct password Verification of the user s identity takes place between the domain controller and the client 39

40 Sniffing and Cracking Windows Authentication Exchanges Authentication takes places when a process on one system attempts to access a resource on another system When a process needs to access a remote system Attempts to authenticate to remote system by providing credentials for the account whose security context it is using When the user selects a share existing on another system Computer will automatically attempt to authenticate to the remote system by using the current user s account name and password information 40

41 Sniffing and Cracking Windows Authentication Exchanges Sniffing If an attacker controls that remote system, or if the attacker is able to monitor communication between the victim system and the remote system Attacker can potentially sniff the authentication attempt and use it to crack the user s password Cain and Abel Cain has many different capabilities Among them is a network sniffer that is designed to look for passwords exchanged during various types of authentication exchanges Abel acts as a remote sensor for Cain 41

42 Cracking Offline Passwords Certain tools can extract password data from the SAM files of computers Encrypting File System (EFS) Allows data to be stored on a disk in an encrypted format automatically without manual action by user One way to recover files encrypted with EFS Crack the passwords of the users accounts Make a duplicate working copy of the hard drive Boot the computer using the working copy of the drive Log in as the appropriate user, and view the file 42

43 Tool: Helix Helix Customized distribution of the Knoppix Live Linux CD Designed not to touch the host computer in any way Forensically sound Will not automatically mount swap space or any attached devices Focuses on incident response and forensics tools 43

44 Tools Present on Helix CD for Windows Forensics Tools on the Helix3 Pro live bootable CD include: A multi-platform LIVE side for three environments: Mac OS X, Windows, and Linux with one simple to use interface A bootable forensically sound environment to boot any x86 system Several open source forensic applications to assist with data analysis, including cell phone analysis 44

45 Tools Present on Helix CD for Helix Tool: SecReport Windows Forensics Comprises two command-line utilities SecReport collects security information from a Windows-based system Delta compares the results of SecReport Helix Tool: Windows Forensics Toolchest (WFT) Collects security information from a Windows system and provides an automated incident response Capable of running other security tools Produces reports in HTML format 45

46 Tool: Sigverif Built-in Windows tool that searches for unsigned drivers on a system To look for unsigned drivers in Windows 10: Click Start, click Run, type sigverif, and click OK After Sigverif is finished running its check A list of all unsigned drivers installed on the computer is displayed The investigator can find the list of all signed and unsigned drivers found by Sigverif in the Sigverif.txt 46

47 Tool: Word Extractor Hacking tool that extracts human-understandable words from binary computer files Some features of Word Extractor: Replaces nonhuman words with spaces or dots for better visibility Supports drag and drop and text wrapping Saves results as text or RTF files 47

48 Tool: RegScanner and PMDump RegScanner Scans the registry to find values that match a given set of criteria Can find values by keyword, data length, value type, and modified date PMDump Dumps the memory contents of a process to a file without stopping the process PMDump stands for Post-Mortem Dump Investigator can save the dump information to a secondary storage medium 48

49 Tool: System Scanner System Scanner Extracts information about processes, including the IDs of all the threads and handles to DLLs Provides the ability to suspend specific threads of a specific process and to view a process s virtual memory Shows all the processes currently running on the system, the number of threads per process, and the executable path of each process List is updated every five seconds by default, but this is configurable 49

50 Tool: X-Ways Forensics Provides a forensic work environment Some features of X-Ways Forensics: Disk cloning and imaging, including under DOS Examining complete directory structure inside raw image files, even spanned over several segments Native support for FAT, NTFS, ext2, ext3, CDFS, and UDF Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks Viewing and dumping physical RAM and the virtual memory of running processes 50

51 Tool: X-Ways Forensics Some features of X-Ways Forensics (cont d): Various data recovery techniques and file carving Hard disk cleansing to produce forensically sterile media Gathering slack space, free space, interpartition space, and generic text from drives and images File and directory catalog creation for all computer media Easy detection of and access to NTFS alternate data streams (ADS) Mass hash calculation for files 51

52 Tool: Traces Viewer and PE Builder Traces Viewer Allows an investigator to view all media files cached by Internet Explorer Can also remove all Web traces made by Internet Explorer PE Builder Creates a bootable Windows CD-ROM that creates a BartPE (Bart Preinstalled Environment) that offers a complete Win32 environment with network supports; a GUI; and FAT, NTFS, and CDFS - support 52

53 Tool: Ultimate Boot CD-ROM Allows an investigator to run floppy-based diagnostic tools from CD-ROM drives Without the need for an operating system Tool has over 100 diagnostic and system management utilities Types of tools include: CPU tester Memory tester Peripheral tools CPU information tools 53

54 Tool: Ultimate Boot CD-ROM Types of tools include (cont d): System information tools Benchmarking tools BIOS tools Hard disk installation tools Hard disk diagnostic tools Hard disk device management tools Hard disk wiping tools Hard disk cloning tools And more 54

55 Tool: Ultimate Boot CD-ROM Figure 5-4 The Ultimate Boot CD-ROM includes many utilities that a forensic investigator may want to use 55

56 Summary During a live response, an investigator should first collect the volatile information or any other information that can change or be lost Several registry values and settings can impact forensic analysis Analyzing the contents of RAM can help an investigator discover what has been hidden Some tools allow an investigator to dump the contents of process memory without stopping the process 56

57 Summary Registry analysis provides more information to the investigator during a live response The logs generated by the Web server are used for the exploitation of attacks 57