9781284226065_PPT_CH08.pdf
CHAPTER 8 Windows Forensics
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts
Learning Objective(s)
▪ Summarize various types of digital forensics.
Key Concepts
▪ Windows details
▪ Evidence in volatile data
▪ Windows swap file
▪ Windows logs and directories
▪ Windows Registry

History of Windows
▪ Windows 3.x
▪ Windows 95/NT
▪ Windows 98/2000
▪ Windows XP/Server 2003
▪ Windows Vista/Windows 7/Server 2008
▪ Windows 10/Server 2016
▪ Windows Server 2019

History of Windows (Cont.)
Windows 10
▪ Universal apps
▪ Edge browser
▪ Cortana

Issues Pertinent to Forensics
▪ Does it have a firewall? If so, is the firewall automatically on?
▪ Does the version of Windows support the Encrypting File System (EFS), which allows the user to encrypt specific files and folders?
▪ Does the Windows version in question support 64-bit processing?

64-Bit Processing
32-bit
▪ Addresses up to 4,294,967,295 bytes
▪ Limited to 4 gigabytes (GB) of RAM
▪ Referred to as x86
64-bit
▪ Addresses up to 18,446,744,073,709,551,616 bytes
▪ Referred to as x64

The Boot Process
▪ BIOS: POST
▪ Read MBR
▪ Boot Loader: loads NTLDR; switches to 32- or 64-bit
▪ Boot Files: min. drivers, boot.ini, NTOSKRNL

The Boot Process (Cont.)
▪ hal.dll
▪ Windows Registry
▪ Kernel loading
▪ Win32 subsystem starts

Boot Files (Cont.): Important Files
▪ Ntbootdd.sys
▪ Ntdetect.com
▪ Ntoskrnl.exe
▪ Hal.dll
▪ Smss.exe
▪ Winlogon.exe
▪ Lsass.exe
▪ Csrss.exe
▪ Explorer.exe

Important Files (Cont.)
▪ The fsutil command

Important Files (Cont.)
▪ NTFS file system

Volatile Data
Volatile memory analysis is a live-system forensic technique in which you:
▪ Collect a memory dump
▪ Compute the hash
▪ Perform analysis in an isolated environment

Volatile Data (Cont.)
Stack (S)
▪ Allocated based on last-in, first-out
Heap (H)
▪ Most dynamic area of a process's memory
▪ Data can exist between function calls

Tools
▪ PsInfo: operating system details
▪ PsList: processes
▪ PsLoggedOn: login information
▪ ListDLLs: loaded DLLs
▪ Netstat: network connections

Tools (Cont.) ▪ PsList
Tools (Cont.) ▪ PsInfo
Tools (Cont.) ▪ ListDLLs
Tools (Cont.) ▪ PsLoggedOn
Tools (Cont.) ▪ The netstat utility
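The volatile-data procedure above (collect the dump, hash it, then analyse it in isolation), carried through as an added Python example that is not part of the chapter's slides. The image bytes are constructed; the analysis step is the "simple string search" the chapter applies to memory, pagefile.sys and hiberfil.sys images, and it looks for both ASCII and UTF-16LE runs because Windows applications commonly hold text as wide characters.

```python
import hashlib
import re

# Constructed stand-in for a few bytes of a memory dump, pagefile.sys or
# hiberfil.sys: a narrow (ASCII) URL, a wide (UTF-16LE) credential string as
# a running application might have held it, a too-short fragment, and a path.
SAMPLE_IMAGE = (
    b"\x00\x00\x00" + b"http://intranet.example.test/login" + b"\x00\x13\x7f"
    + "Password=Hunter2!".encode("utf-16-le") + b"\xff\xfe"
    + b"short" + b"\x01"
    + "C:\\Users\\alice\\Documents\\notes.txt".encode("utf-16-le") + b"\x00\x00"
)

PRINTABLE = rb"[\x20-\x7e]"  # printable ASCII, DEL (0x7f) excluded


def sha256_of(data: bytes) -> str:
    """Hash the acquired image before analysing it, so every later finding
    can be tied to exactly this copy (step 2 of the procedure)."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, scanning for ASCII and for UTF-16LE separately."""
    found = []
    for m in re.finditer(PRINTABLE + b"{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    wide = b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len  # char, NUL, char, NUL...
    for m in re.finditer(wide, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)  # by offset, so the two encodings interleave in file order


def search_strings(data: bytes, keywords):
    """Keep only strings mentioning one of the keywords (case-insensitive):
    the simple string search the chapter describes for swap/hibernation files."""
    wanted = [k.lower() for k in keywords]
    return [s for s in extract_strings(data) if any(k in s[2].lower() for k in wanted)]


if __name__ == "__main__":
    print("SHA-256 of image:", sha256_of(SAMPLE_IMAGE))
    for offset, enc, text in search_strings(SAMPLE_IMAGE, ("password", "users")):
        print(f"0x{offset:08x} {enc:8} {text}")
```

On a real image, read the file in binary mode, record the digest in the case notes before any analysis, and run the extraction on the bytes exactly as read.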
Windows Swap File
▪ A special place on the hard disk where items from memory can be temporarily stored for fast retrieval
▪ Augments random access memory (RAM)
▪ Used to end in a .swp extension; since Windows XP, called pagefile.sys
▪ Typically found in the Windows root directory
▪ Often referred to as virtual memory
▪ hiberfil.sys
  ▪ Related to the swap file
  ▪ Can be converted to an image file and processed with Volatility or even simple string searches
  ▪ May contain password artifacts from applications that were recently run

Volume Shadow Copy
▪ A Windows service that keeps a record or copy of state changes
▪ Stores state changes in blocks of data that are compared daily
▪ Changed blocks are copied to the Volume Shadow
▪ The Volume Shadow Copy service runs once per day

Windows Log Files
▪ Files that contain information about events and other activities that occur in Windows
▪ Event Viewer is used to view log files:
  ▪ Application
  ▪ Security
  ▪ System
  ▪ ForwardedEvents
  ▪ Applications and Services

Windows Log Files (Cont.)
▪ Viewing Windows logs

Windows Directories (Forensically Interesting)
▪ C:\Windows
▪ Documents and Settings / C:\Users: User profile information, documents, pictures, and more for all users, not just the one currently logged on
▪ C:\Program Files: Programs are installed in subdirectories of this directory
▪ C:\Program Files (x86): In 64-bit systems, 32-bit programs are installed here
▪ C:\Users\username\Documents: Current user's Documents folder; default location to save documents

Unallocated/Slack Space and Alternate Data Streams
Unallocated/slack space
▪ AccessData's Forensic Toolkit (FTK) enables an investigator to identify all documents in the file system of an image, including the unallocated space
▪ Full-text indexing allows you to:
  ▪ Build a binary tree-based dictionary of all the words that exist in an image
  ▪ Search the entire image for those words in seconds
Alternate Data Streams (ADS)
▪ A method of attaching one file to another file, using the NTFS file system
▪ A feature of NTFS that contains metadata for locating a specific file by some criterion, like title

Index.dat
▪ Used by Microsoft Internet Explorer; not in Microsoft Edge
▪ Stores:
  ▪ Web addresses
  ▪ Search queries
  ▪ Recently opened files
▪ Use Window Washer or a similar utility to view index.dat

Index.dat (Cont.)
▪ Window Washer

Windows Files and Permissions
▪ When cutting and pasting (moving), files and folders retain the original permissions if they are on the same partition
▪ When copying and pasting on the same partition, files and folders inherit the rights of the folder they are being copied to

Windows Files and Permissions (Cont.)
MAC refers to three critical properties:
▪ File Modified: Date as shown by Windows; indicates that there has been a change to the file itself
▪ File Created: Date the file was "created" on the volume; does not change when working normally with a file
▪ File Accessed: Date the file was last accessed; access can be a move, an open, or any other simple access

The Registry
▪ Multiple users and preferences
▪ Program shortcuts and properties sheets
▪ Remote administration through the network
▪ Computer hardware configuration

Windows Registry (Cont.)
▪ HKEY_CLASSES_ROOT (HKCR)
▪ HKEY_CURRENT_USER (HKCU)
▪ HKEY_LOCAL_MACHINE (HKLM)
▪ HKEY_USERS (HKU)
▪ HKEY_CURRENT_CONFIG (HKCC)

The Registry (Cont.)
▪ The Windows Registry

Important Files
▪ Wireless networks
▪ Tracking documents
▪ Malware
▪ Uninstalled software
▪ Passwords
▪ USB info
▪ ShellBag
▪ Shimcache
▪ SRUM
▪ BAM and DAM
▪ Amcache
▪ Prefetch

The Registry: OSForensics User Activity
▪ OSForensics User Activity

The Registry: Shimcache
▪ Shimcache

The Registry: Amcache
▪ Amcache

The Registry: BAM
▪ BAM

Summary
▪ Windows details
▪ Evidence in volatile data
▪ Windows swap file
▪ Windows logs and directories
▪ Windows Registry