
Page 1: Forensic Evaluation of Windows NT ++ Scott Ferguson Keith Gittings Casey Lunny

Forensic Evaluation of Windows NT ++

Scott Ferguson

Keith Gittings

Casey Lunny

Page 2

Overview

• Handling of Physical Evidence
• Gathering Evidence
• Gathering and Discovering Passwords
• Investigating the File System

Page 3

International Organization on Computer Evidence

• www.ioce.org
• Key concepts
  – Documentation
  – Preservation
• IOCE proposes a set of principles to be followed during a forensic investigation

Page 4

IOCE Principles

1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Page 5

Handling of Physical Evidence: Documentation

• Documentation
  – Begin at start of investigation
  – Allow no gaps
    • Gaps can lead to the entire case being called into question
    • Cases may take years
  – Record everything
    • Including System Time
      – CMOS Internal Clock
        » May affect document search
        » GetTime (http://www.forensics-intl.com/gettime.html)

Page 6

Handling of Physical Evidence: Documentation

• Work with Partner
  – Allows for dedicated note-taker
  – Tape recorder can serve as partner
    • Remember tape recorder may be subpoenaed
• Transportation
  – Transport suspect equipment and documents to secure location

Page 7

Handling of Physical Evidence: Chain of Custody

• Chain of Custody
  – Document everyone who comes in contact
  – Limit access only to highly trained investigators
  – Safeguard physical machine
• Limit Access
  – Use a product such as “Seized”
    • http://www.forensics-intl.com/seized.html

Page 8

Handling of Physical Evidence: Collection

• Collection
  – Collect in order of volatility:
    1. registers, cache
    2. routing table, ARP cache, process table, kernel statistics, memory
    3. temporary file systems
    4. disk
    5. remote logging and monitoring data that is relevant to the system in question
    6. physical configuration, network topology
    7. archival media

Page 9

Handling of Physical Evidence: Collection

• Options for powering off computer
  1. Live System
     – Least Effective
  2. Pull the Plug
     – Provides Clear Image of System State
     – Prevents Malicious Code
     – Possible System Corruption
  3. Administrative Shut Down
     – Provides Proper System Shut Down
     – Prevents System Corruption
     – Possible Malicious Code

Page 10

Handling of Physical Evidence: Collection

• Collect Everything
  – Floppies
  – CD-Rs, CD-RWs
  – DVD-Rs
  – Tapes

Page 11

Handling of Physical Evidence: Equipment

• Forensic Equipment
  – Use dedicated machine (preferably)
    • Free of unneeded programs
  – Avoid Embarrassment
    • Use legal version of software
    • Register shareware

Page 12

Gathering Evidence: Copy, Copy, Copy

• Create Copy of Data
  – Never work with original data
• Work with the copy
  – Protects against
    • Changing data (intentionally or unintentionally)
    • Contaminating data
    • Destroying data

Page 13

Gathering Evidence: Making the Copy

• Hard Drive
  – Remove from suspect machine
  – Create bit stream copy
    • Image MASSter (http://www.icsiq.com)
      – Image MASSter Solo-2 Forensic system ($1,450.00)

Page 14

Gathering Evidence: Fingerprint and Timestamp

• Fingerprint and Timestamp Copy
  – Authenticates Copy
• Tools
  – CRCMD5
  – MD5
  – CRC
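The fingerprinting step above, as an added example that is not part of the slides or of the CRCMD5 tool they name: the script computes the same kinds of fingerprints the slide lists (CRC-32 and MD5, plus SHA-256 as a modern collision-resistant digest) over an image read in chunks, records them with a UTC timestamp for the custody notes, and later re-verifies a copy against the record. The sample "image" bytes and the label `suspect-hdd-image.dd` are constructed for the demonstration.

```python
"""Fingerprint and timestamp an evidence copy, then verify it later.

Added example, not from the slides. Digests are computed over a stream
read in 1 MiB chunks so a multi-gigabyte image never has to fit in RAM.
"""
import hashlib
import io
import zlib
from datetime import datetime, timezone
from typing import BinaryIO, Dict, List, Tuple, Union

CHUNK = 1024 * 1024
Source = Union[bytes, bytearray, BinaryIO]


def _as_stream(source: Source) -> BinaryIO:
    """Accept either in-memory bytes or an open binary file."""
    return io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source


def fingerprint(source: Source) -> Dict[str, object]:
    """Return size, CRC-32, MD5 and SHA-256 of everything readable from `source`."""
    stream = _as_stream(source)
    crc = 0
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        crc = zlib.crc32(block, crc)
        md5.update(block)
        sha256.update(block)
        size += len(block)
    return {
        "size": size,
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def record_fingerprint(source: Source, label: str) -> Dict[str, object]:
    """Fingerprint plus the UTC time it was taken, for the chain-of-custody notes."""
    rec = fingerprint(source)
    rec["label"] = label
    rec["taken_utc"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return rec


def verify_copy(record: Dict[str, object], copy: Source) -> Tuple[bool, List[str]]:
    """Re-hash a copy and list which recorded fingerprints it fails to match.

    Any mismatch means the copy cannot be authenticated as the original.
    """
    current = fingerprint(copy)
    mismatches = [k for k in ("size", "crc32", "md5", "sha256") if current[k] != record[k]]
    return (not mismatches, mismatches)


if __name__ == "__main__":
    # Constructed sample data standing in for a bit-stream disk image.
    original = b"MZ\x90\x00" + b"\x00" * 4092 + b"evidence sector content " * 40
    rec = record_fingerprint(original, "suspect-hdd-image.dd")
    print(rec)

    print("exact copy verifies:", verify_copy(rec, original)[0])

    # One flipped bit in the copy changes every digest, so verification fails.
    tampered = bytearray(original)
    tampered[100] ^= 0x01
    ok, bad = verify_copy(rec, bytes(tampered))
    print("tampered copy verifies:", ok, "mismatched:", bad)
```

Record the whole dictionary in the case notes; the timestamp ties the fingerprint to the moment the copy was made, and a later re-run of `verify_copy` against the working copy shows whether it is still byte-identical to what was seized.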

Page 15

Gathering and Discovering Passwords: The Scene

• All passwords are valuable
  – People often reuse passwords
  – Encrypted files with no value may have password of immense value
• Investigate the scene
  – Common locations
    • Under Mouse Pad
    • Desk Drawers
    • Rolodex
    • Magazines

Page 16

Gathering and Discovering Passwords: The Suspect

• Interviewing the Suspect
  – Ask for password
    • Many suspects are willing to divulge password
  – Coercive
    • Offer of computer return
    • Rubber hose method
  – Gather information
    • Common words
    • Common things
      – Pet’s Name
      – Children
      – Interests

Page 17

Gathering and Discovering Passwords: Obtaining the Password

• Breaking the Encryption
  – Administration Passwords
    • Windows password crackers
      – L0phtCrack (www.atstake.com)
      – CAIN
  – Password Encrypted Files
    • AccessData (www.accessdata.com)

Page 18

Gathering and Discovering Passwords: L0phtCrack

• L0phtCrack is designed to recover passwords for Windows NT
  – Takes the hashes of passwords and generates the clear text passwords
  – Uses two methods
    • Dictionary Cracking
    • Brute Force Cracking

Page 19

Gathering and Discovering Passwords: AccessData Password Recovery Toolkit

Access, ACT!, Ami Pro, Approach, ARJ, Ascend, Backup, BestCrypt, Bullet Proof FTP, Cute FTP, DataPerfect, dBase, Encrypt Magic Fldr, Excel, FoxBase, File Maker Pro, Lotus 1-2-3, Mail (MS), MS Money, MYOB, My Personal Check Writer, Norton Secret Stuff, Organizer, Outlook, Palm, Paradox, PGP Disk File 4.0, PGP Secret Key Ring, Pro Write, Project (MS), WinZip & Generic Zippers, Q&A, Quattro Pro, QuickBooks, Quicken, WinRAR, Scheduler+, Symphony, VersaCheck, Word, WordPerfect, Word Pro, Adobe PDF, Win95/Win98 PWL Files, IE Content Advisor, WE_FTP, Netscape Mail, Source Safe, PC-Encrypt

Page 20

Gathering and Discovering Passwords: Circumventing Passwords

• Plaintext Version of Encrypted Files
  – Some applications store backup copy
    • Microsoft Word
    • .wbk extension

Page 21

Investigating the File System: Hiding Data

• Changing File Extensions
  – Easy Method
  – Ex. (.jpg to .doc)
  – Don’t use Windows Explorer to locate files
  – Jasc Quick View Plus (www.jasc.com)
    • Identifies files without use of file extension
  – EnCase (www.encase.com)
    • Can identify files that were intentionally mislabeled
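How a tool can identify a file without trusting its extension, as an added example (not code from the slides, nor from Quick View Plus or EnCase): renaming `picture.jpg` to `report.doc` changes the name but not the file's header, so comparing the type implied by the leading bytes with the type the extension claims flags intentionally mislabeled files. The signature table and the sample files are constructed for the demonstration; real tools carry thousands of signatures.

```python
"""Identify a file's real type from its leading bytes and compare with its extension.

Added example, not from the slides. Only a handful of well-known headers
are included; extend SIGNATURES and EXT_TO_TYPES for a real case.
"""
import os
from typing import Dict, List

# (type name, offset, signature bytes): constructed table of well-known headers
SIGNATURES = [
    ("jpeg", 0, b"\xFF\xD8\xFF"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("ole2", 0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),  # Word 97 / Excel 97 compound document
    ("pe", 0, b"MZ"),                                   # DOS / Windows executable
]

# Header types that each extension legitimately maps to
EXT_TO_TYPES = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".pdf": {"pdf"}, ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".exe": {"pe"}, ".dll": {"pe"},
}


def identify(header: bytes) -> str:
    """Return the type whose signature matches the header bytes, or 'unknown'."""
    for name, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def check_extension(filename: str, header: bytes) -> Dict[str, str]:
    """Compare the header-derived type with the type the extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(header)
    expected = EXT_TO_TYPES.get(ext)
    if expected is None:
        verdict = "unknown-extension"   # no expectation to compare against
    elif actual == "unknown":
        verdict = "unidentified"        # header not in our table; inspect manually
    elif actual in expected:
        verdict = "match"
    else:
        verdict = "MISMATCH"            # extension lies about the content
    return {"file": filename, "extension": ext, "header_type": actual, "verdict": verdict}


def scan(files: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Run check_extension over a {filename: leading bytes} mapping."""
    return [check_extension(name, data[:16]) for name, data in files.items()]


if __name__ == "__main__":
    # Constructed sample files; "report.doc" is a JPEG renamed to .doc.
    samples = {
        "budget.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8,
        "report.doc": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
        "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "notes.txt": b"plain text, no signature",
    }
    for r in scan(samples):
        print(f"{r['file']:<12} ext={r['extension']:<6} header={r['header_type']:<8} {r['verdict']}")
```

Running the scan over the first 16 bytes of every file on the working copy gives the examiner a short list of `MISMATCH` entries to open first, without relying on Explorer's extension-based view.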

Page 22

Investigating the File System: Hiding Data

• Hiding Directories and Files
  – Windows allows users to set files as hidden
    • Prevents accidental altering of file
    • Enables user to hide any file or directory
    • Solution:
      – Make sure Windows Explorer is set to show hidden files

Page 23

Investigating the File System: Hiding Data

• NT Streams
  – Arbitrary data associated with a file
    • Used to associate new data objects with file
  – Available with Windows NT, XP, 2000
    • Cannot be detected by Windows Explorer or most GUI-based programs
    • Can be detected with SFind (Forensic Toolkit from Foundstone)

Page 24

Investigating the File System: The Forensic Toolkit

• The Forensic Toolkit (www.foundstone.com)
  – Contains several Win32 command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity.
    • AFind – lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames; coordinating this with logon info provided by ntlast, you can begin to determine user activity even if file logging has not been enabled.
    • HFind – scans the disk for hidden files. It will find files that have either the hidden attribute set, or NT's unique and painful way of hiding things by using the directory/system attribute combination. This is the method that IE uses to hide data. HFind lists the last access times.
    • SFind – scans the disk for hidden data streams and lists the last access times.

Page 25

Investigating the File System: Hiding Data

• The Network
  – File servers at work
  – Internet sites providing free storage
  – Clues to existence
    • File Cache
    • Internet history
    • Network Neighborhood

Page 26

Investigating the File System: Hiding Data

• Steganography
  – “to hide in plain sight”
  – Computer cryptography called “stego”
    • Data is hidden in “carriers”
    • Common carriers are multimedia files
    • Time consuming
  – Difficult to find “stegoed” files
    • Clues
      – Stego software such as S-Tools found on computer
      – Images appear altered (if poor carrier chosen)

Page 27

Investigating the File System: Hiding Data

• Altering the System Environment
  – Mislead examiner about system
  – Always avoid investigating on actual system
  – More common on Unix systems
  – Methods
    • Alter specific binary
    • Alter the entire kernel
      – Affects multiple binaries
    • DLLs
      – Enable commonly used code routines to be updated
      – Altering DLLs will affect many programs
  – Tripwire (www.tripwire.com)
    • Can detect changes to system environment

Page 28

Investigating the File System: Nontraditional Computer Storage

• Ambient Data
  – “data stored in non-traditional computer storage areas and formats”
  – File Slack
  – Swap Files
  – Unallocated Space

Page 29

Investigating the File System: Nontraditional Computer Storage

• File Slack
  – File size must be divisible by cluster size (512 bytes on Windows).
  – Clusters are made up of sectors (number varies)
  – RAM data used to pad to end of sector
  – Hard drive data used to pad to end of cluster
  – Example:
    • Hello+++++++++++++++++++|------------------------(EOF)
    • RAM Slack is indicated by "+"
    • Drive Slack is indicated by "-"
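The slack model on this slide worked through in code, as an added example that is not part of the slides: given a file size, the script computes how many bytes of RAM slack (padding to the end of the last sector) and drive slack (the remaining sectors of the final cluster) an examiner can expect to find, and redraws the slide's `Hello+++|---(EOF)` picture to scale. The 512-byte sector follows the slide; the 8-sectors-per-cluster default (4096 bytes) is an assumption chosen as a typical NTFS cluster size and can be changed per volume.

```python
"""RAM slack and drive slack for a file of a given size (added example).

Not from the slides. Sector size is 512 bytes as the slide states; the
cluster size in sectors is a parameter whose default of 8 is an assumed,
typical NTFS value.
"""
from typing import Dict

SECTOR = 512


def slack(file_size: int, cluster_sectors: int = 8, sector: int = SECTOR) -> Dict[str, int]:
    """Return allocation and slack byte counts for a file of `file_size` bytes."""
    if file_size < 0 or cluster_sectors < 1 or sector < 1:
        raise ValueError("file_size must be >= 0; cluster_sectors and sector must be >= 1")
    cluster = cluster_sectors * sector
    if file_size == 0:
        # An empty file owns no clusters, so there is no slack to recover.
        return {"clusters": 0, "allocated": 0, "ram_slack": 0, "drive_slack": 0, "total_slack": 0}
    clusters = -(-file_size // cluster)            # ceiling division
    allocated = clusters * cluster
    used_in_last_sector = file_size % sector
    # RAM slack: the tail of the last sector that held file data, padded from memory.
    ram_slack = 0 if used_in_last_sector == 0 else sector - used_in_last_sector
    # Drive slack: whole sectors of the final cluster never written by this file.
    sectors_used = -(-file_size // sector)
    drive_slack = allocated - sectors_used * sector
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": ram_slack,
        "drive_slack": drive_slack,
        "total_slack": ram_slack + drive_slack,
    }


def draw(file_size: int, cluster_sectors: int = 8, width: int = 64) -> str:
    """Render the slide's picture to scale: D = file data, + = RAM slack, - = drive slack."""
    s = slack(file_size, cluster_sectors)
    if s["allocated"] == 0:
        return "(empty file, no allocation)"
    scale = width / s["allocated"]
    data = max(1, round(file_size * scale))
    ram = round(s["ram_slack"] * scale)
    drive = max(0, width - data - ram)
    return "D" * data + "+" * ram + "|" + "-" * drive + "(EOF)"


if __name__ == "__main__":
    for size in (5, 512, 3000, 4096, 4097):
        s = slack(size)
        print(f"{size:>5} bytes -> {s['clusters']} cluster(s), RAM slack {s['ram_slack']:>4}, "
              f"drive slack {s['drive_slack']:>5}, total slack {s['total_slack']:>5}")
        print("       " + draw(size))
```

The numbers show why slack matters: a five-byte file on a 4096-byte cluster leaves 4091 bytes of someone else's data (memory contents plus whatever the cluster previously held) sitting inside the file's own allocation.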

Page 30

Investigating the File System: Nontraditional Computer Storage

• Unallocated Space
  – Clusters that are not allocated to a directory or file but possibly still contain data the user has thought long since erased
  – AccessData Forensic Data
    • Examines Slackspace

Page 31

Investigating the File System: AccessData Forensic Toolkit

Page 32

Investigating the File System: AccessData Forensic Toolkit

Page 33

Investigating Windows Computers

• The Microsoft Corporation has been providing a steady supply of operating systems, each of which builds on the previous version.
• Since newer releases of Windows are based on their predecessors, backwards compatibility with previous versions is provided.

Page 34

Investigating Windows Computers

• An investigator must be aware of the built-in tools that the Windows operating systems provide.
  – Globally Unique Identifiers
  – Windows Registry
  – Recycle Bin
  – Scandisk Log files
  – Find Program
  – Windows Email

Page 35

Globally Unique Identifiers

• PID_GUID values are an essential component of Microsoft’s architecture and can be found in:
  – Word Document files
  – Cookies
  – Windows Registry
• The PID_GUID contains a serial number that can identify which computer a file was created on.

Page 36

Locating GUID in Word Documents

• Open Microsoft Word and create a new text file.
• Save the file as a Word 97 document, which should be the default (note: this will not work under Office 2000.)
• Use Quick View Plus to open the document and search for the string ‘PID_GUID.’

Page 37

Page 38

• The program should find a string similar to this:
  – PID_GUID_{36FDE49B-5EFC-4DD6-A282-Abc1234567890}
  – The last 12 hexadecimal characters at the end of this string represent the MAC address of the originating computer.

Page 39

Limitations

• This technique is limited because:
  – It assumes that the suspect has not changed the Ethernet card in his/her computer.
  – The PID_GUID is no longer included in documents created with newer versions of Microsoft Word.

Page 40

Locating PID_GUID in Cookies

• Explore the Windows Cookies directory and search for a file ending in “microsoft.txt.”
• Within the file you should see a string similar to this:
  – MC1V=2&GUID=b0ea5322ab004da78116a0a
    10 microsoft.com

Page 41

Locating PID_GUID in Windows Registry

• In the Registry Editor search for “MachineGUID”
• regedit should return a value similar to this in the data column:
  – 950f31d7-3d5s-4576-a939-1b2f68a3cddf

Page 42

Locating PID_GUID in Windows Registry

Once again, the last 12 digits are from the Network card that was installed in the computer.

Page 43

Other Uses of the Windows Registry

• The Windows registry is a comprehensive database containing information on every Windows-compatible program that has been installed on the PC.
• The Registry contains information about:
  – Users
  – Their preferences
  – Information on the hardware
  – Network information

Page 44

Working with the Registry

• The Registry is a database of values that control the behavior of Windows, including any hosted applications and services.
• The Registry is not an exhaustive collection of configuration settings and parameters; instead, it is a collection of exceptions.
• When an item is listed in the Registry, it defines an exception or a different value for parameters that the process uses instead of its known defaults.

Page 45

Registry Keys

• HKEY_LOCAL_MACHINE — This Registry subtree contains the configuration parameters pertaining to the local computer system, including both hardware devices and operating system components.
• HKEY_CURRENT_CONFIG — This Registry subtree contains configuration settings for the currently active hardware profile. It is rebuilt each time NT is booted.
• HKEY_CURRENT_USER — This Registry subtree contains configuration and profile information pertaining to the currently logged on user. It is built each time a user successfully logs onto the system.
• HKEY_USERS — This Registry subtree contains the configuration and profile information pertaining to all users of this computer, plus the default profile.

Page 46

Investigating the Registry

• By exploring the keys within HKEY_CURRENT_USER - Software/Microsoft/Internet Explorer/ you can find all of the current settings, past URL searches, security preferences, download folder settings, and even the startup home page for the current user.
• By searching the TypedURLs directory a list of recently searched web addresses is supplied.

Page 47

TypedURLs

Page 48

Explorer/RunMRU

• This key contains a list of the most recent programs launched from the Run window.
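Reading the two keys just described (TypedURLs on pages 46 and 47, RunMRU on page 48) from a regedit text export, as an added example that is not part of the slides. TypedURLs stores its entries as `url1`, `url2`, ... with `url1` the most recently typed; RunMRU stores one value per command (`a`, `b`, `c`, ...) plus an `MRUList` string whose character order is most-recent-first, and each command carries a trailing `\1` marker. The `.reg` text below is constructed sample data with `example.test` hosts; the key paths are the real ones under HKEY_CURRENT_USER.

```python
"""Order TypedURLs and RunMRU entries from a .reg export (added example).

Not from the slides. Parses only REG_SZ ("name"="value") lines, which is
all these two keys contain.
"""
import re
from typing import Dict, List

# One "name"="value" line of a .reg export; handles \" and \\ escapes.
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string}} for REG_SZ values in a .reg file."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, value = m.groups()
                # regedit escapes quotes and backslashes with a backslash.
                keys[current][name] = value.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def typed_urls(values: Dict[str, str]) -> List[str]:
    """url1, url2, ... in numeric order; url1 is the most recently typed."""
    numbered = [(int(n[3:]), v) for n, v in values.items() if re.fullmatch(r"url\d+", n)]
    return [v for _, v in sorted(numbered)]


def run_mru(values: Dict[str, str]) -> List[str]:
    """RunMRU commands, most recent first, in the order given by MRUList."""
    out = []
    for letter in values.get("MRUList", ""):
        entry = values.get(letter)
        if entry is None:
            continue
        # Strip the "\1" marker Explorer appends to every Run command.
        out.append(entry[:-2] if entry.endswith("\\1") else entry)
    return out


# Constructed sample export; hosts use the reserved example.test domain.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://mail.example.test/"
"url2"="http://www.example.test/downloads"
"url3"="ftp://files.example.test/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="regedit\\1"
"c"="\\\\fileserver\\share\\1"
"MRUList"="cba"
'''

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    te = keys[r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"]
    rm = keys[r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"]
    print("Typed URLs (most recent first):")
    for u in typed_urls(te):
        print("  ", u)
    print("Run dialog history (most recent first):")
    for cmd in run_mru(rm):
        print("  ", cmd)
```

Without `MRUList` the letters alone say nothing about recency, so the function follows that value rather than sorting the names; the same pattern applies to the other MRU keys under Explorer.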

Page 49

HKEY_LOCAL_MACHINE

• HKEY_LOCAL_MACHINE contains the Network/Logon key, which displays the last username used to log onto a network.
• Stores all of the information related to:
  – Hardware
  – Security Account Manager
  – Software
  – System

Page 50

Other Windows Tools

• The Recycle Bin is a good place to search for evidence.
• Many users forget that deleted files are placed in the Recycle Bin until they are deliberately emptied or until it fills up and begins overwriting files.

Page 51

Other Windows Tools

• Scandisk .chk files may contain information a suspect has tried to delete.
• The Scandisk utility will attempt to restore files that it believes have been inadvertently deleted.
• Since Scandisk files can contain pieces of deleted files, useful information that may otherwise be lost is sometimes still sitting in a .chk file.

Page 52

Other Windows Tools

• The easiest way to find files in Windows is using the built-in Find program.
• The Find tool allows you to sort by name, file type, and date of last modification.
• The Find program in Windows 2000/XP allows you to search for a specific string within a file.

Page 53

Windows Email

• Email is often a rich source of information about a suspect’s activities.
• Email files in Microsoft systems are not easy to analyze.
  – Users may download all emails or store them remotely on a server.
  – Many different mail applications have their own file formats and conventions.

Page 54

Windows Email

• Mail is like any other application in that it uses temporary files and swap space.
• Check the hard drive for messages or check the slack space for remnants of original emails.
• Check the suspect’s Web history and see if any past sites appear to be an email site.
• You can then use your forensics analysis tool to search for fragments containing the domain of that email provider.