Volatile Data Acquisition & Analysis


Volatile Data Acquisition & Analysis Villanova University Department of Computing Sciences D. Justin Price Spring 2014

VOLATILE INFORMATION
Memory that requires power to maintain its data. It exists as:
- Physical memory (RAM)
- Virtual memory (pagefile.sys)
- Hibernation file
- Virtual machine RAM (*.vmem)
Volatile information describes the state of the system at a particular point in time. Types of volatile information include: system time, logged-on user(s), open files, network information and network connections.
http://technet.microsoft.com/en-us/sysinternals/bb842062
http://www.windowsecurity.com/articles-tutorials/windows_os_security/pstools-suite-part1.html

ACTIVE USERS
Determining who is actively logged on to a compromised system is important. The psloggedon command displays all users currently active on the local system, in addition to users accessing the system via remote resources.
http://technet.microsoft.com/en-us/sysinternals/bb897545

SYSTEM INFORMATION
The psinfo command captures a large amount of volatile data, in addition to specific hardware information that may be useful later in the investigation. Information captured by this utility includes:
- System uptime
- Kernel build
- Install date
- Registered organization and owner
- Processor information
- Physical memory
- Disk volume information (-d switch)
- Installed applications (-s switch)
- Installed hotfixes (-h switch)
Knowing which applications and hotfixes are installed helps determine what vulnerabilities are present on the system.
http://technet.microsoft.com/en-us/sysinternals/bb897550

FILE LISTING
Another important command to execute is one that captures a complete listing of all files and directories on the system. This creates a snapshot of all files along with their timestamps. The dir command has several options that document and sort the file listing by access date, modified date or creation date. The more important options are:
- /t:<field> = selects which time stamp is shown and sorted on (a = access, w = written/modified, c = created)
- /a = shows all files
- /s = recursive listing
- /Q = shows file owners
- /o:d = sorts by date
Examples of the command are listed below. The three commands sort the file listing by access date, modified date and creation date, respectively, and capture a recursive listing from the root of the C:\ drive. If the incident only warrants a certain directory or user's account, the last argument of the command can be changed to that path.
dir /t:a /a /s /Q /o:d c:\
dir /t:w /a /s /Q /o:d c:\
dir /t:c /a /s /Q /o:d c:\

OPEN NETWORK PORTS
Netstat is another utility that can be used to document all open ports. As indicated before, there are numerous options available. The four options that should be used are:
http://technet.microsoft.com/en-us/library/bb490947.aspx
F:\netstat.exe -anob
- -a = displays all connections and listening ports
- -n = displays numerical addresses
- -b = displays the executable involved
- -o = displays the owning process ID
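The output of `netstat -anob` is awkward to review by hand because the owning executable and service names sit on their own lines beneath each socket. The parser below is an added example, not code from the slides; it turns that layout into records and pulls out the two lists a responder usually wants first, listening ports and established connections, each with its PID and executable. The sample text is constructed to mimic netstat's layout (the addresses, PIDs and the `updater.exe` name are invented).

```python
"""Parse the output of `netstat -anob` (Windows) into socket records.

Added example; not part of the original slides. SAMPLE_NETSTAT is constructed
to mimic netstat's layout: each socket line is followed by the owning
executable in square brackets and, for services, the service name on its own
line; PID 4 (System) reports no ownership information.
"""
import re
from dataclasses import dataclass, field

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.0.10:49712     203.0.113.5:4444       ESTABLISHED     3120
 [updater.exe]
  UDP    0.0.0.0:5355           *:*                                    1204
 [svchost.exe]
"""


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str              # "" for UDP, which is connectionless
    pid: int
    executable: str = ""    # from the [name.exe] line, empty if not reported
    services: list = field(default_factory=list)  # service names hosted by the PID


def parse_netstat_anob(text):
    """Return a list of Socket records in the order netstat printed them."""
    sockets = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if not fields or fields[0] in ("Active", "Proto"):
            continue                      # banner and column header
        if fields[0] in ("TCP", "UDP"):
            if fields[0] == "TCP":
                proto, local, foreign, state, pid = fields
            else:
                proto, local, foreign, pid = fields
                state = ""
            sockets.append(Socket(proto, local, foreign, state, int(pid)))
        elif sockets:
            # Continuation lines belong to the most recent socket.
            m = re.fullmatch(r"\[(.+)\]", line)
            if m:
                sockets[-1].executable = m.group(1)
            elif not line.startswith("Can not obtain"):
                sockets[-1].services.append(line)
    return sockets


def listening_tcp(sockets):
    """(local address, pid, executable) for every TCP listener."""
    return [(s.local, s.pid, s.executable)
            for s in sockets if s.proto == "TCP" and s.state == "LISTENING"]


def established(sockets):
    """(local, foreign, pid, executable) for every established TCP connection."""
    return [(s.local, s.foreign, s.pid, s.executable)
            for s in sockets if s.state == "ESTABLISHED"]


if __name__ == "__main__":
    socks = parse_netstat_anob(SAMPLE_NETSTAT)
    for entry in listening_tcp(socks):
        print("LISTEN", *entry)
    for entry in established(socks):
        print("ESTAB ", *entry)
```

Feed it the saved `netstat.exe -anob` output file instead of the sample to get the same two lists from a real collection; the PID column can then be joined against the pslist output to confirm the executable's parent and start time.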

RUNNING PROCESSES
Pslist is a utility that documents all of the processes currently running on a system. It is useful for identifying and documenting any unauthorized processes running on a compromised system. An example of the command and useful options:
http://technet.microsoft.com/en-us/sysinternals/bb896682
pslist.exe -t -d -m -x
- -t = process list in tree format
- -d = shows thread detail
- -m = shows memory detail
- -x = shows processes, memory information and threads

ACTIVE DLLs
ListDLLs is a utility that documents and displays all DLLs currently loaded and associated with a specific process or process ID. If a rogue application or process is running, documenting which DLLs are associated with it can be critical for later examination and reverse-engineering efforts.
http://technet.microsoft.com/en-us/sysinternals/bb896656
listdlls.exe -u -v
- -u = list unsigned DLLs
- -v = display DLL version information
- processname = displays all DLLs loaded by a process
- pid = displays all DLLs associated with a PID

PHYSICAL NETWORK CONNECTIONS
In addition to documenting and recording processes, open files and active users, it is equally important to record the current network configuration. This documents the current network settings, MAC address, connected network and assigned IP address. An example of the command and its useful option:
ipconfig /all
- /all = displays detailed information

INSTALLED SERVICES
The PsService utility can be used to document and record all installed services on the system. The information can be used as a starting point to check whether any of the installed services have known exploits. An example of the command:
http://technet.microsoft.com/en-us/sysinternals/bb897542
psservice.exe

EVENT LOGS
The next set of commands deals with event logs. Event logs can be critical in documenting and reporting permission changes, installation activities and user account access, to name only a few. The auditpol /get utility can be used to determine the current audit policy. This helps establish which policies are active on the system and may explain which events are and are not present in the event logs. Psloglist is a utility that extracts the records from the various event logs in an easily viewable format.
http://technet.microsoft.com/en-us/sysinternals/bb897544
psloglist.exe -x system        (extracts system event logs)
psloglist.exe -x security      (extracts security event logs)
psloglist.exe -x application   (extracts application event logs)

LOGIN / LOGOFF EVENTS
The ntlast utility can be used to document and record only user logon and logoff events. This is helpful so that extensive time is not wasted mining through the large event logs (EVT) on a properly configured system. When used with the verbose option (-v), all logon, logoff and duration entries are extracted.
www.mcafee.com/us/downloads/free-tools/ntlast.aspx
ntlast.exe -v

REMOTE FILES
The psfile utility can be used to document and record all files that are opened remotely on the system from which it is executed. The utility also has the capability to close any of the open files.
http://technet.microsoft.com/en-us/sysinternals/bb897552

OPEN FILES AND FOLDERS
The handle utility can be used to document and record which program has a certain file and/or directory open. If a rogue application has been identified, this command helps determine what the application is doing by showing which files and/or folders it is accessing.
http://technet.microsoft.com/en-us/sysinternals/bb896655

EFS ENCRYPTED FILES
One final command that may be useful identifies whether any files on the target system are encrypted with NTFS's built-in encryption. The encryption is referred to as Encrypting File System (EFS) and is supported on any system running Windows 2000 and newer; additionally, the hard drive must be formatted as NTFS. The EFS encryption key is directly tied to the user account that encrypted the file. If EFS-encrypted files are identified, it is recommended that the files be exported to a FAT32-formatted thumb drive. By exporting to a FAT32 thumb drive, the encryption is lost, because FAT32 does not support EFS. In other words, if you are investigating a live box and you have access to the decrypted files, copy the files out before the system is shut down or the user's account is logged off, either of which renders the decrypted files unreadable. An example of the command and useful options:
C:\cipher /U /N
The /U /N options identify all encrypted files on all attached volumes.

BATCH FILES
All of the data generated by the above commands can be exported to a text file using the output redirection switch (>). An example of this export:
psloggedon.exe > e:\trusted_thumb_drive\active_users.txt
For efficiency, a script can be created to run each of these commands automatically and send the outputs to individual files, or append (>>) all of the outputs to a single text file. An example of such a script:
date /t > e:\trusted_thumb_drive\results.txt
time /t >> e:\trusted_thumb_drive\results.txt
psloggedon.exe >> e:\trusted_thumb_drive\results.txt
psinfo.exe -h -s -d >> e:\trusted_thumb_drive\results.txt
date /t >> e:\trusted_thumb_drive\results.txt
time /t >> e:\trusted_thumb_drive\results.txt
The date and time commands are a great way to document when the incident response actions were started and finished. Remember that documentation is a major factor when dealing with an evidentiary scenario. When capturing the system's date and time settings, it is important to document any discrepancies against a trusted clock. This information is critical if discrepancies do exist: if timeline analysis becomes necessary, knowing any date and/or time differences ensures that examination conclusions are based on accurate facts of the incident.
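The batch script above runs the tools and bookends them with date and time, but it does not record which output came from which command or prove later that the output files are unchanged. The collector below is an added example (not the slides' own code) that does the same job with a manifest: it runs a command list in the slides' order, saves each output to its own file, records UTC and local clock readings at start and finish, and stores a SHA-256 hash of every output file so the collection can be re-verified. The command list mirrors the Sysinternals tools the slides name; the output directory, file names and manifest layout are this example's own assumptions.

```python
"""Run volatile-data commands in order, save each output to a file, and write a
manifest with start/end timestamps and SHA-256 hashes of every output file.

Added example, not from the slides. COMMANDS_WINDOWS lists the Sysinternals
and Windows tools the slides describe, in the order the slides present them;
the output directory and manifest layout are this example's own choices.
"""
import hashlib
import json
import subprocess
import sys
import time
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first, as laid out in the slides.
COMMANDS_WINDOWS = [
    ("active_users", ["psloggedon.exe"]),
    ("system_info", ["psinfo.exe", "-h", "-s", "-d"]),
    ("open_ports", ["netstat.exe", "-anob"]),
    ("processes", ["pslist.exe", "-t"]),
    ("network_config", ["ipconfig.exe", "/all"]),
    ("services", ["psservice.exe"]),
]


def _utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    """Hash a file in chunks so large outputs (file listings) do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(commands, outdir):
    """Run each (name, argv) pair, write <name>.txt, and return the manifest."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "started_utc": _utc_now(),
        # Local clock and time zone are recorded beside UTC so any offset is documented.
        "local_clock": datetime.now().isoformat(),
        "tz": time.tzname,
        "items": [],
    }
    for name, argv in commands:
        target = outdir / f"{name}.txt"
        entry = {"name": name, "argv": argv, "file": str(target)}
        try:
            res = subprocess.run(argv, capture_output=True, timeout=300)
            target.write_bytes(res.stdout + res.stderr)
            entry["returncode"] = res.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is recorded rather than aborting the run.
            target.write_text(f"ERROR: {exc}\n")
            entry["returncode"] = None
        entry["sha256"] = sha256_file(target)
        manifest["items"].append(entry)
    manifest["finished_utc"] = _utc_now()
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir):
    """True if every output file still matches the hash stored in the manifest."""
    manifest = json.loads((Path(outdir) / "manifest.json").read_text())
    return all(sha256_file(i["file"]) == i["sha256"] for i in manifest["items"])


if __name__ == "__main__":
    # Default destination is the trusted thumb drive path used in the slides.
    dest = sys.argv[1] if len(sys.argv) > 1 else r"e:\trusted_thumb_drive\results"
    print(json.dumps(collect(COMMANDS_WINDOWS, dest), indent=2))
```

Run it from the trusted tools drive with the destination as the first argument; `verify()` can be called later on the same directory to show that the collected files are the ones that were hashed at collection time.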

BATCH FILES
Another way to record the volatile data is to set up a forensic workstation and use the netcat program. Netcat can send the data from the target system to the forensic workstation over a network connection. On the forensic workstation, the following command starts a netcat listener on port 2222 and records the incoming data to a text file named pslist.txt:
nc -l -p 2222 > pslist.txt
Once the listening port has been established on the forensic workstation, any command can be executed on the compromised system and its output recorded on the forensic workstation. The command below executes pslist and sends the output to the forensic workstation over port 2222:
pslist | nc 192.168.0.22 2222
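To make the netcat exchange concrete, the added example below implements both ends in Python so it can be run locally: `start_receiver` plays the forensic workstation's `nc -l -p 2222 > pslist.txt`, and `send_command_output` plays the compromised host's `pslist | nc 192.168.0.22 2222`, streaming the command's stdout straight into the socket without writing to the target's disk. This is not the slides' code; the host, port and file names are assumptions, and the `__main__` block's default of `pslist.exe -t` assumes the Sysinternals tool is on the path.

```python
"""Stream a command's output to a collection host over TCP, the way
`cmd | nc host port` feeds `nc -l -p port > file`.

Added example, not the slides' own code. Both ends are implemented here so
the exchange runs locally; host, port and file names are assumptions.
"""
import socket
import subprocess
import sys
import threading


def start_receiver(outfile, host="127.0.0.1", port=0):
    """Equivalent of `nc -l -p PORT > outfile`: accept one connection and write
    everything received to outfile. Returns (bound_port, thread); port 0 lets
    the OS pick a free port, which the caller learns from the return value."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve():
        conn, _peer = srv.accept()
        with conn, open(outfile, "wb") as f:
            # recv() returns b"" once the sender shuts down its write side.
            while chunk := conn.recv(65536):
                f.write(chunk)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, t


def send_command_output(argv, host, port):
    """Equivalent of `argv | nc host port` on the compromised system: pipe the
    command's stdout into the socket. Returns the command's exit code."""
    with socket.create_connection((host, port), timeout=10) as s:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
        for chunk in iter(lambda: proc.stdout.read(65536), b""):
            s.sendall(chunk)
        proc.wait()
        s.shutdown(socket.SHUT_WR)   # signals end-of-data to the receiver
    return proc.returncode


if __name__ == "__main__":
    # Usage: python nc_transfer.py [command ...]; defaults to pslist in tree form.
    argv = sys.argv[1:] or ["pslist.exe", "-t"]
    port, thread = start_receiver("pslist.txt")
    rc = send_command_output(argv, "127.0.0.1", port)
    thread.join()
    print(f"{' '.join(argv)} exited {rc}; output saved to pslist.txt")
```

In a real collection the receiver runs on the forensic workstation bound to its own address (192.168.0.22 in the slides) with a fixed port, and only the sender runs on the compromised host; the transfer carries no integrity protection, so hash the saved file on the workstation immediately, as the batch-file section recommends for documentation.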

VOLATILE DATA - OS X
  Volatile data            Command                              Switch operation
  Date and time            date                                 N/A
  List of commands run     history                              N/A
  List users               id                                   N/A
  Users logged on          w                                    N/A
  System uptime            uptime                               N/A
  File time stamps         ls -alRu / ; ls -alRc / ; ls -alR /  l = long listing; R = recursive listing; u = access time; c = modification time; without u or c = create time
  Network connections      netstat -anp                         a = display all ports; n = numerical addresses
  Running processes        ps -a                                N/A
  Network config           ifconfig                             N/A
  Last logins of users     last                                 N/A
  Mounted file systems     df -ah                               a = show all mount points; h = human-readable sizes
  Password hashes          cat                                  N/A
  Open files               lsof                                 N/A

VOLATILE DATA - LINUX
  Volatile data            Command                              Switch operation
  Users logged on          w                                    N/A
  Date and time            date                                 N/A
  System uptime            uptime                               N/A
  File time stamps         ls -alRu / ; ls -alRc / ; ls -alR /  l = long listing; R = recursive listing; u = access time; c = modification time; without u or c = create time
  Network connections      netstat -anop                        a = display all ports; n = numerical addresses; o = networking timers; p = process ID
  Running processes        ps -aux                              N/A
  Network config           ifconfig                             N/A
  Log data                 last                                 N/A
  Kernel modules           lsmod                                N/A
  Mounted file systems     df -ah                               a = show all mount points; h = human-readable sizes
  Password hashes          cat                                  N/A
  Open files               lsof                                 N/A

RAM CAPTURE
This process will change or alter evidence. Documentation is very important when deciding to extract physical memory. There is no current method to write-protect physical memory.
Why memory should be captured:
- Running processes
- Network connections
- Configuration parameters
- Encryption keys
- Passwords
- Memory-only exploits
- Data carving (INFO2, lnk files, graphic files, internet artifacts such as session cookies, etc.)
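The last item in the list, data carving, is what makes a raw memory image useful even when the acquisition tool's own parsers find nothing. The added example below (not the slides' code) carves two of the artifact types named on the slide, graphic files and .lnk shortcuts, out of a raw image by signature: JPEGs are cut between their start and end markers, and shell links, which have no trailer, are cut at a fixed maximum length. The image it scans is a constructed byte buffer with one of each embedded in filler so the carver runs offline; a real input would be the RAM capture file.

```python
"""Carve file artifacts out of a raw memory image by signature.

Added example, not the slides' own code. The image scanned here is a
constructed buffer with a minimal JPEG and a Windows shortcut (.lnk) header
embedded in filler; a real input would be the captured RAM image.
"""

# (name, header, footer or None, max_length). Types without a footer are cut
# at max_length, which over-collects trailing bytes but never loses the artifact.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    # Shell link: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046.
    ("lnk", b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
            b"\xc0\x00\x00\x00\x00\x00\x00\x46", None, 4096),
]


def carve(image, signatures=SIGNATURES):
    """Return (name, offset, data) for every signature hit in the image."""
    found = []
    for name, header, footer, max_len in signatures:
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_len)
            if footer is None:
                end = window_end
            else:
                end = image.find(footer, pos + len(header), window_end)
                # No footer in range: the artifact was paged out or truncated;
                # keep what is there, capped at max_len, rather than dropping it.
                end = window_end if end == -1 else end + len(footer)
            found.append((name, pos, image[pos:end]))
            pos = image.find(header, pos + 1)
    found.sort(key=lambda hit: hit[1])
    return found


# Constructed sample artifacts: a JPEG with a JFIF segment and an end marker,
# and a 76-byte shell-link header with the remaining fields zeroed.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(24) + b"\xff\xd9"
SAMPLE_LNK = SIGNATURES[1][1] + bytes(56)


def filler(n, seed=11):
    """Deterministic filler with no 0xFF byte and no run of three zero bytes,
    so it cannot spoof either signature."""
    return bytes((i * 37 + seed) % 251 for i in range(n))


def build_sample_image():
    """Constructed stand-in for a RAM capture: artifacts surrounded by filler."""
    return filler(500) + SAMPLE_JPEG + filler(300) + SAMPLE_LNK + filler(200)


if __name__ == "__main__":
    for name, offset, data in carve(build_sample_image()):
        print(f"{name:5s} at offset {offset:#x}, {len(data)} bytes")
```

To run it against a capture, read the image with `open(path, "rb").read()` (or scan it in overlapping windows for images larger than memory) and write each carved `data` to a file named by type and offset; the offset is what ties a recovered artifact back to the image for the report.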

ACCESSDATA'S FTK

VOLATILITY
https://code.google.com/p/volatility/
http://www.champlain.edu/documents/lcdi/archive/volatility-plugins.pdf

MANDIANT REDLINE
Mandiant offers a free memory acquisition and analysis tool for the Windows and Macintosh platforms called Memoryze. This tool is specifically designed to aid the incident response team in identifying malicious activity, or evidence of such activity, in physical memory. Memoryze can capture physical memory and can also analyze raw images of physical memory that it did not capture itself. The feature list is extensive, covering everything from enumerating all hidden and unhidden running processes to identifying all drivers loaded in memory.
https://www.mandiant.com/resources/download/redline
User Guide: https://dl.mandiant.com/ee/library/redline1.11.1_userguide.pdf


OSTRIAGE