
Forensic Tools and Techniques

Part I

Shane Hartman, CISSP, GCIA, GREM


Secure Info Systems
Topics
• Gathering Information
• Helix
• Netcat
• Memory Acquisition
– With Helix
– With Win32DD
– With Winen
• Disk Acquisition
– With Helix
– With FTK
• MD5Sum
• Uptime
• Uname
• Date / Time
• Acquisition Analysis
• Strings
• Mounting the image
• Pasco
Heisenberg's Uncertainty Theorem

• You can't observe or measure anything without changing it somewhat.
• When working on a live system
– You can make sure you do not influence the data on the hard drive
– Because it is a live system, the same cannot be said of memory; more on that later.
Gathering Information

• Use your own tools
• If you encounter a live system, do not trust anything on it.
• Have static binaries that you have verified ready
• Gather basic information such as
– date/time
– processes
– sessions
– services, etc.
Helix

• How do you get this information without affecting the machine?
• Use Helix…
• This is an open source bootable CD
• It uses Unix as its OS
• It can be used on live or dead machines
Netcat

• Netcat is your friend
• When you need to move information off a machine using the network, use Netcat
• Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes:
– Port scanning
– Transferring files
– Port listening
– …and it can be used as a backdoor.
Netcat
• Netcat is used in conjunction with many tools including:
– Helix
– Forensic Tool Kit
– And any tool that writes files

– Common usage
• As a listener: nc -l -p 8888 > image.dd
• This tells netcat to listen on port 8888; anything coming across the connection is written into the file image.dd.
• As a writer: ./memdump | ./nc 192.168.1.10 8888
• This sends the output of memdump to netcat, which connects to the remote listener on port 8888 at 192.168.1.10.
Memdump - Windows

• Through Helix you can dump the memory of the system.
• The dump can be sent to:
– A network share
– External storage
– A netcat connection
• Works on Windows systems preceding Vista
• Microsoft changed how memory and the system are accessed from Vista onward, which prevents this process from working.
Memory Acquisition with Helix
Memory Acquisition with win32dd

• Command line tool for dumping memory
• IR\RAM\win32dd\win32dd.exe
• Example
• win32dd e:\temp\win32dd_mem.img
• Works on all versions of Windows, including Vista and Windows 7, as long as you run it with administrator privileges
Memory Acquisition with Winen

• Command line tool for dumping memory
• IR\RAM\win32dd\winen.exe
• Example
• winen e:\temp\winen_mem.img
• Works on all versions of Windows, including Vista and Windows 7, as long as you run it with administrator privileges
Disk Acquisition with Helix
Disk Acquisition with FTK
• FTK Imager can be found on the Helix CD at IR\Imager\FTKImager
MD5Sum

• Now that you have an image, run an MD5 hash on it.
• IR\FAU\md5sum will produce a hash for the image file
• Once complete, make a copy and verify it (the copy's hash must match the original's)
• Then you can begin work
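The netcat listener/writer pair from the Netcat slides and the MD5Sum verification step, worked as one added Python example (not code from the slides or from Helix): a local TCP listener stands in for `nc -l -p 8888 > image.dd`, a sender stands in for `memdump | nc HOST 8888`, and both ends are hashed so the copy can be verified before analysis starts. The 1 MiB stand-in image, the loopback address and letting the OS pick the port are constructed assumptions.

```python
import hashlib
import os
import socket
import tempfile
import threading

def md5_file(path, chunk=1 << 20):
    """Chunked MD5 of a file, as md5sum does, so a large image never sits in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def receive_to_file(srv, out_path):
    """Listener side ('nc -l -p 8888 > image.dd'): write one connection's bytes to a file."""
    conn, _ = srv.accept()
    with conn, open(out_path, "wb") as f:
        while True:
            data = conn.recv(65536)
            if not data:  # sender closed its side: the dump is complete
                break
            f.write(data)
    srv.close()

def send_stream(host, port, stream):
    """Writer side ('memdump | nc HOST 8888'): stream bytes, then half-close to mark EOF."""
    with socket.create_connection((host, port)) as s:
        s.sendall(stream)
        s.shutdown(socket.SHUT_WR)

def transfer_and_verify(stream, port=0):
    """Push an acquired image through a listener to image.dd and hash both ends.
    Returns (path, md5 at sender, md5 of file, bytes written). Port 0 lets the OS
    pick a free port; on a real network the slides use 8888."""
    out_path = os.path.join(tempfile.mkdtemp(), "image.dd")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)  # listening before we send, so the writer cannot race the listener
    t = threading.Thread(target=receive_to_file, args=(srv, out_path))
    t.start()
    send_stream("127.0.0.1", srv.getsockname()[1], stream)
    t.join()
    return out_path, hashlib.md5(stream).hexdigest(), md5_file(out_path), os.path.getsize(out_path)

if __name__ == "__main__":
    FAKE_IMAGE = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for a memory dump
    path, sent, got, size = transfer_and_verify(FAKE_IMAGE)
    print(f"{size} bytes written to {path}; sender {sent}; file {got}")
    print("image verified" if sent == got else "MISMATCH: do not work from this copy")
```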
MD5Deep

• Similar to MD5Sum, except you can use this to create hashes of whole directory structures.
• After extracting a directory from an image you can run md5deep to hash each file recovered and then check it later for compromise.
• Ex. md5deep -r c:\temp\evidence\case001\*.*
• This tells md5deep to go through the entire directory structure and produce a hash of each file.
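How the md5deep listing is used later to check recovered files for compromise, as an added Python example (not the slides' or md5deep's own code): hash_tree() mimics `md5deep -r` over a constructed evidence directory, the listing is kept in md5deep's `<hash>  <path>` layout, and compare_trees() reports what was modified, missing or added when the directory is hashed again. The file names and contents are made up.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Like 'md5deep -r ROOT': MD5 of every regular file below root, keyed by relative path."""
    listing = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:  # recovered files are read whole here; chunk for big ones
                digest = hashlib.md5(f.read()).hexdigest()
            listing[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return listing

def as_md5deep_text(listing):
    """Render in md5deep's output layout, one '<md5>  <path>' line per file."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(listing.items()))

def parse_md5deep_text(text):
    """Read a saved listing back (the baseline kept from the first run)."""
    return {line[34:]: line[:32] for line in text.splitlines() if line.strip()}

def compare_trees(baseline, current):
    """The later 'check for compromise': which files changed, vanished or appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed evidence tree: hash it, keep the listing, change it, re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Documents"))
    files = {"index.dat": b"constructed index.dat", "Documents/notes.txt": b"notes"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    saved = as_md5deep_text(hash_tree(root))  # what md5deep printed the first time
    with open(os.path.join(root, "index.dat"), "ab") as f:  # simulate a later change
        f.write(b" extra bytes")
    os.remove(os.path.join(root, "Documents/notes.txt"))
    with open(os.path.join(root, "Documents/extra.bin"), "wb") as f:
        f.write(b"\x00\x01")
    return compare_trees(parse_md5deep_text(saved), hash_tree(root))

if __name__ == "__main__":
    print(demo())
```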
More Gathering Information

• System Information
• Uptime
• Uname
• Date/Time
• Process List
• Handle
• ListDlls
• Logon Sessions
• Services
• Netstat
System Information
Uptime - Windows

• Windows utility showing how long the system has been up.
• This information can be used as part of the timeline process for your investigation
• On the Helix CD you will find 2 versions
– IR\Cygwin\uptime.exe – produces
• 23:56:30 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
– IR\Microsoft\uptime.exe – produces
• \\test1 has been up for: 0 day(s), 1 hour(s), 41 minute(s), 31 second(s)
Uname -a Windows

• Produces OS type and kernel build
• IR\unxutils\uname.exe -a
– The -a option outputs all information
• WindowsNT srql13132257 1 6 x86
Date / Time

• Date and Time utilities are located on the Helix CD in
– IR\Cygwin\Date.exe and IR\Cygwin\Time.exe
• These are the same utilities as in the Windows system, but verified.
Process Information Helix
Process List - PSlist
• PSList can be found in the sysinternals directory
• Running multiple tools can give you extra information
Handle
• Gives you insight into which files in which directory are open and which PID they are assigned to
Listdlls
• Like PSList and Handle, ListDlls shows you which DLLs are in use by which PID. It also shows which version of the DLL is running.
Logon Sessions
Services
Netstat
• Netstat displays both incoming and outgoing
network connections
Acquisition Analysis

• Strings
• Mounting image in Linux
• Mounting image with FTK
• Extracting a file with FTK
• Internet Explorer History - Pasco
Strings

• Strings is a utility which looks at a file and tries to show everything that is ASCII text
• Output is messy, but sometimes information can be gathered from it
• It is located on the Helix CD in
– IR\Sysinternals\Strings.exe
– Format: strings -a mem_image.img, producing output like:
aaW
(h4
aaW
aaW
N<@3
9D$
N8W
PWQ
compiling file:C:\WINDOWS\system32\WBEM\evntrprv.mof
(Wed Jan 06 21:25:29 2010.1100001) : Parsing MOF file: C:\WINDOWS\system32\WBEM\hnetcfg.mof
(Wed Jan 06 21:25:29 2010.1100091) : Finished compiling file:C:\WINDOWS\system32\WBEM\hnetcfg.mof
(Wed Jan 06 21:25:29 2010.1100091) : Parsing MOF file: C:\WINDOWS\system32\WBEM\sr.mof
Mounting the image in Linux
• Once you have an image file you can review it on a Linux system by simply mounting it, just like any other device.
• Create a directory for the mount such as
– cd /mnt
– mkdir case001
• mount -o ro,noexec,loop /tmp/case001.img /mnt/case001
• With root access you can now review the file system
Mounting the image in FTK
• File – Add Evidence Item – Image File
Extract a file from the image w/FTK

• Extract a file from the image to do analysis
• Find the file you're interested in, such as index.dat
• Right-click on the file and extract it to a location
• From here you can run tools on the file to gather information
• In the case of index.dat, it contains information about where the user has gone on the internet with the browser. More on that to come.
Internet Explorer History - Pasco

• Found on the Helix CD in the IR\Foundstone directory
• Pasco will read the index.dat file from Internet Explorer and produce output showing all the URLs the user visited.
• Ex. pasco index.dat > user1_ie.txt
• Produces something like this:
• URL http://www.shadowserver.org/wiki/pub/wsplus/wsplus.css Tue Mar 20 21:17:55
2007 Thu Jan 7 03:00:49 2010 wsplus[1].css C9B5QLQV
HTTP/1.1 200 OK ETag: "1b432-d41-3d40a6c0" Content-Length: 3393 Keep-
Alive: timeout=15, max=95 Content-Type: text/css ~U:evil
• URL http://images.google.com/intl/en_ALL/images/logos/images_logo_lg.gif
Wed May 27 22:00:10 2009 Thu Jan 7 03:02:10 2010
images_logo_lg[1].gif C9B5QLQV HTTP/1.1 200 OK Content-Type:
image/gif Content-Length: 9969 X-XSS-Protection: 0 ~U:evil
• This is just the beginning of what is out there…