
Computer Hacking Forensic Investigator
Module VII: Windows Forensics
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Scenario
Ethan works as a technical consultant at a reputed IT firm.
He plans to use a P2P program to download full-length movies onto his computer, which would clearly breach company policy.
Unaware that a trojan is being loaded onto his system, he downloads his favourite movie, Phone Booth, and watches it.
To his shock, Ethan's Windows 2000 based system fails to reboot the next day.
His system administrator, Jake, checks the system and replaces the hard disk.
A week later, when the forensic investigator's report comes in, Ethan is fired for breaching company policy.
But how did the forensic investigator find out about Ethan's activities?
Module Objective
Locating evidence on Windows systems
Gathering volatile evidence
Investigating Windows file slack
Examining file systems
Checking Registry
Importance of Memory dump
System state backup
Investigating Internet traces
Module Flow
Locating evidence on Windows systems
Gathering volatile evidence
Investigating Windows file slack
Examining file systems
Checking the Registry
Importance of memory dump
System state backup
Investigating Internet traces
Locating Evidence on Windows Systems
Hidden files
Checking file attributes and file signatures (a renamed file keeps its header bytes, so signature analysis exposes a changed extension)
The Registry
Searching Index.dat files
Areas to look for evidence:
Files
Slack space
Swap file (pagefile.sys)
Unallocated clusters
Unused partitions
Hidden partitions
Gathering Volatile Evidence
Collect volatile data from a command prompt on Windows NT/2000, most volatile first, and run the tools from your own trusted media rather than the binaries on the suspect host:
System date and time
C:\>date /t and C:\>time /t (the /t switch prints the value without prompting to change it)
Currently running processes
Tool - pslist
Currently open sockets
C:\>netstat -an
Applications listening on open sockets
Tool - fport (netstat on NT/2000 cannot show the owning process)
Current users logged on
Tool - psloggedon
Systems currently or recently connected
C:\>nbtstat -c (remote NetBIOS name cache) and C:\>net session (inbound sessions)
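The join that fport performs on NT/2000 (socket to owning process) can also be done offline from saved command output on XP and later, where netstat -ano reports the PID. The following is an added example, not part of the EC-Council courseware; the netstat and tasklist text, the PIDs, addresses and process names are constructed for it, and EXPECTED_LISTENERS and EXPECTED_IMAGES are assumptions to tune to the host's role.

```python
import csv
import io
import re

# Constructed sample output, modelled on "netstat -ano" and "tasklist /fo csv"
# from Windows XP or later (netstat on NT/2000 has no -o switch, which is why
# the course pairs netstat with fport). Not a capture from a real host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1892
  TCP    10.0.0.5:1043          203.0.113.7:6667       ESTABLISHED     1892
  UDP    0.0.0.0:137            *:*                                    4
"""

TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","212 K"
"svchost.exe","740","Console","0","4,512 K"
"winampx.exe","1892","Console","0","1,988 K"
"""

# Assumptions for this example: ports a plain member workstation is expected to
# expose, and images expected to own sockets. Adjust to the host under review.
EXPECTED_LISTENERS = {135, 137, 138, 139, 445}
EXPECTED_IMAGES = {"system", "svchost.exe", "lsass.exe", "services.exe"}

# proto, local addr, local port, foreign addr, optional state, pid
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; UDP lines carry no State column."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, laddr, lport, raddr, state, pid = m.groups()
        sockets.append({
            "proto": proto, "local": laddr, "port": int(lport),
            "remote": raddr, "state": state or "", "pid": int(pid),
        })
    return sockets


def parse_tasklist(csv_text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def map_sockets_to_processes(netstat_text, tasklist_text):
    """Join each socket to its owning process and flag the ones worth a look:
    a listener on an unexpected port, or any socket owned by an unexpected image."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        name = procs.get(s["pid"], "<unknown pid>")
        listening = s["proto"] == "UDP" or s["state"] == "LISTENING"
        odd_port = listening and s["port"] not in EXPECTED_LISTENERS
        odd_owner = name.lower() not in EXPECTED_IMAGES
        rows.append({**s, "process": name, "flagged": odd_port or odd_owner})
    return rows


def flagged_sockets(netstat_text, tasklist_text):
    return [r for r in map_sockets_to_processes(netstat_text, tasklist_text) if r["flagged"]]


if __name__ == "__main__":
    for r in map_sockets_to_processes(NETSTAT_OUTPUT, TASKLIST_CSV):
        mark = "!!" if r["flagged"] else "  "
        print(f"{mark} {r['proto']:3} {r['local']}:{r['port']:<5} "
              f"{r['remote']:22} {r['state']:11} {r['pid']:>5} {r['process']}")
```

Feed it the files you captured from the suspect host with tools run from your own toolkit; a listener on 31337 owned by a media-player binary, and an outbound session from the same binary, are exactly the sort of rows that lead back to the P2P download in the scenario.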
Forensic Tool: Pslist
Part of the Sysinternals PsTools suite; supports Windows NT/2000/XP
Lists all currently running processes on the system
Information includes:
Elapsed time since the process started
CPU time the process has spent in kernel and user modes
Physical memory the OS has assigned to the process (pslist -m)
A user-mode tool only lists what the kernel reports, so a rootkit that hides processes hides them from pslist as well
Forensic Tool: fport
Lists all open TCP and UDP ports
Maps each port to the process that owns it, showing the PID, the process name and the path of the executable
Useful for locating unknown open ports and the applications behind them
Forensic Tool - Psloggedon
Displays users logged on locally
Also displays users logged on through resource shares, for either the local or a remote computer
Given a user name, searches the computers in the network neighbourhood and reports where that user is currently logged on
Investigating Windows File Slack
File Slack
The unused space between the end of a file's data and the end of the last cluster allocated to it.
The tail of the last sector written is called RAM slack; on DOS and Windows 9x it was padded with whatever happened to be in memory, so it may hold network logon names, passwords and other sensitive data from the machine. Windows NT/2000/XP zero-fill that tail instead.
The remaining whole sectors of the cluster (drive slack) are never written by the new file, so they keep whatever the cluster held before, such as fragments of deleted files.
File slack can be gathered from a hard disk drive or a floppy diskette using the EnCase Forensic edition tool:
Examiner connects to the target computer and selects the media
A bit-level copy of the original media is created
The copy is verified by hashing it and comparing the hash with that of the source media
Investigation using keyword searches, hash analysis, file signature analysis, and the EnScripts provided with EnCase
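How slack arises, how to carve it out of a raw image, and the hash check on a bit-level copy, as an added example that is not part of the courseware or of EnCase. The sector and cluster sizes, the image contents and the credential string left in the deleted file are all constructed; the zero-filled RAM slack models the NT-family behaviour described above.

```python
import hashlib

SECTOR = 512        # bytes per sector
CLUSTER = 2048      # bytes per cluster (4 sectors), a small FAT/NTFS volume
N_CLUSTERS = 8      # constructed image: 8 clusters, 16 KiB


def slack_length(file_size, cluster_size=CLUSTER):
    """Bytes between end-of-file and the end of the file's last cluster."""
    if file_size == 0:
        return 0  # a zero-length file owns no cluster, so it has no slack
    return (-file_size) % cluster_size


def split_slack(file_size, sector_size=SECTOR, cluster_size=CLUSTER):
    """(RAM slack, drive slack). RAM slack is the tail of the last sector the
    file wrote; drive slack is the whole sectors after it, untouched by the file."""
    total = slack_length(file_size, cluster_size)
    ram = (-file_size) % sector_size if file_size else 0
    return ram, total - ram


def read_slack(image, cluster_chain, file_size, cluster_size=CLUSTER):
    """Return the slack of a file whose clusters are listed in allocation order
    (the FAT chain or the NTFS data runs); only the last cluster has slack."""
    used_in_last = file_size % cluster_size
    if file_size == 0 or used_in_last == 0:
        return b""
    last = cluster_chain[-1]
    start = last * cluster_size + used_in_last
    end = (last + 1) * cluster_size
    return bytes(image[start:end])


def make_sample_image():
    """Constructed image: cluster 3 once held a (now deleted) file full of a
    credential string; a 700-byte file was then written over its start by an
    NT-family system. Returns (image, cluster chain, size) of the new file."""
    image = bytearray(N_CLUSTERS * CLUSTER)
    old = (b"login=ethan;pass=Ph0neB00th;" * 80)[:CLUSTER]
    image[3 * CLUSTER:4 * CLUSTER] = old
    new_size = 700
    image[3 * CLUSTER:3 * CLUSTER + new_size] = b"N" * new_size
    # NT/2000/XP zero-fill the rest of the last sector written (RAM slack);
    # DOS and Windows 9x padded it with memory contents instead.
    ram, _ = split_slack(new_size)
    image[3 * CLUSTER + new_size:3 * CLUSTER + new_size + ram] = bytes(ram)
    return bytes(image), [3], new_size


def verify_copy(original, copy):
    """Bit-level copy check: identical length and digest (EnCase of that era
    used MD5; SHA-256 is used here, the procedure is the same)."""
    return (len(original) == len(copy)
            and hashlib.sha256(original).digest() == hashlib.sha256(copy).digest())


if __name__ == "__main__":
    img, chain, size = make_sample_image()
    ram, drive = split_slack(size)
    print(f"{size}-byte file: {ram} bytes RAM slack, {drive} bytes drive slack")
    print("copy verified:", verify_copy(img, bytes(img)))
    print("drive slack holds:", read_slack(img, chain, size)[ram:ram + 40])
```

The 700-byte file leaves 324 bytes of zeroed RAM slack and 1024 bytes of drive slack; the drive slack still carries the deleted file's "pass=Ph0neB00th" text, which a keyword search over slack space will surface even though no file in the directory contains it.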
Examining File Systems
Run dir /o:d in %SystemRoot%\system32 at the command prompt (add /t:c to sort by creation time instead of last-write time)
This lets the investigator examine:
The date and time the operating system was installed
The service packs, patches and sub-directories that update themselves frequently, for example drivers
Give particular attention to recently dated files, and bear in mind that file times are easily altered, so corroborate them with other sources
Built-in Tool: Sigverif
A program that lists all the unsigned drivers and related system files on the computer, writing its results to sigverif.txt in %SystemRoot%
A valid signature shows that the file has not been altered since its publisher signed it
An unsigned driver or system file can indicate an infected or replaced driver planted by an attacker
Most driver files are signed by the operating system manufacturer, such as Microsoft
Helps in finding the unsigned files present on the system; treat the result as a lead, since third-party drivers are often legitimately unsigned and a signed file is not automatically benign
Word Extractor
A utility that pulls human-readable text out of binary files (the same job as the Unix strings command)
Useful for finding a cheat in a game, or hidden text and passwords inside a file (exe, bin, dll), etc.
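The job Word Extractor does, shown as an added example (not the tool's own code and not from the courseware): pull printable ASCII runs out of a binary, and also UTF-16LE runs, which a plain ASCII extractor misses and which is how Windows binaries usually store text. The sample blob is constructed to look like the start of a PE file; the password and URL in it are invented.

```python
import re


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for every printable run of at
    least min_len characters, in ASCII and in UTF-16LE (char, 0x00 pairs)."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def search_strings(data, needle, min_len=4):
    """Case-insensitive keyword search across both encodings."""
    n = needle.lower()
    return [hit for hit in extract_strings(data, min_len) if n in hit[2].lower()]


# Constructed blob standing in for an .exe or .dll (not a real file): a DOS
# stub message in ASCII, a password stored as UTF-16LE, a C2 URL in ASCII.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 6
    + "Passw0rd!".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\xfe"
    + b"http://example.invalid/c2\x00"
)


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:08x} {encoding:9} {text}")
    print("password hits:", search_strings(SAMPLE_BLOB, "passw"))
```

Run it over the suspect executable with a larger min_len to cut noise; the UTF-16LE pass is what exposes "Passw0rd!" here, which an ASCII-only extractor would skip because every character is followed by a 0x00 byte.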
Checking Registry
Autostart locations to check under HKEY_LOCAL_MACHINE:
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
\Software\Microsoft\Windows\CurrentVersion\RunServices
\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (Shell, Userinit and Notify values)
Check the same paths under
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT
Reglite.exe
Searches the Registry
Tool: Resplendent Registrar 3.30
Controls system configuration
Reliable registry backup
Repair broken Windows configurations
Remote access to systems on a network
http://www.resplendence.com/registrar
Security Identifiers (SIDs)
The SIDs of the accounts that have logged on to the machine are recorded in the Windows Registry
To access them, open Registry Editor and view:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Each subkey under ProfileList is named by a SID, and its ProfileImagePath value names the profile folder, which ties the SID to a user name
A relative identifier (the last component of the SID) of 500 is the built-in Administrator; accounts created later receive RIDs of 1000 and above
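Both the autostart review above (the Run keys and Winlogon) and the ProfileList lookup can be done offline against a Regedit 5.00 export taken from the suspect system, so the examination does not touch the live Registry. The following is an added example, not from the courseware or from any of the tools named on this page. The export text is constructed: the SID, the user name, the commands and the hex-encoded ProfileImagePath are invented, and TRUSTED_PREFIXES is an assumption about where legitimate autostart binaries live on a Windows 2000 host.

```python
import re

# Constructed excerpt in the format "reg export" / Regedit 5.00 writes (real
# exports are UTF-16LE with a BOM: open them with encoding="utf-16"). Long
# hex values wrap with a trailing backslash, as shown for ProfileImagePath.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\Documents and Settings\\ethan\\Local Settings\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1085031214-1677128483-839522115-1004]
"ProfileImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,\
  76,00,65,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,\
  20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,\
  5c,00,65,00,74,00,68,00,61,00,6e,00,00,00
"""

AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                  "\\currentversion\\runonceex", "\\currentversion\\runservices",
                  "\\currentversion\\runservicesonce")
# Assumption for this example: where autostart binaries are expected to live.
TRUSTED_PREFIXES = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")


def _decode_value(raw):
    """Decode one Regedit value: "string", dword:hex, or hex(type):bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)               # bare "hex:" is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2, 7):                     # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Parse Regedit 5.00 text into {key path: {value name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)     # rejoin wrapped hex values
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode_value(raw)
    return keys


def review_autostarts(keys):
    """(key, name, command, suspicious) for every Run* value plus Winlogon's
    Shell and Userinit. A command outside the trusted directories, or with
    no path at all, a Shell other than Explorer.exe, or extra programs
    appended to Userinit are marked for follow-up."""
    report = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(AUTOSTART_KEYS):
            for name, cmd in values.items():
                c = str(cmd).lower().strip('"')
                report.append((key, name, cmd, not c.startswith(TRUSTED_PREFIXES)))
        elif k.endswith("\\currentversion\\winlogon"):
            shell = values.get("Shell")
            report.append((key, "Shell", shell, str(shell).lower() != "explorer.exe"))
            userinit = values.get("Userinit")
            extra = [p for p in str(userinit).lower().split(",") if p.strip()][1:]
            report.append((key, "Userinit", userinit, bool(extra)))
    return report


def profile_sids(keys):
    """SID -> ProfileImagePath from ProfileList. RID 500 is the built-in
    Administrator; RIDs from 1000 upward are accounts created afterwards."""
    out = {}
    for key, values in keys.items():
        head, _, tail = key.rpartition("\\")
        if head.lower().endswith("\\currentversion\\profilelist") and tail.upper().startswith("S-1-"):
            out[tail] = next((v for n, v in values.items() if n.lower() == "profileimagepath"), None)
    return out


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for key, name, cmd, bad in review_autostarts(parsed):
        print("!!" if bad else "  ", key.rsplit("\\", 1)[1], name, "=", cmd)
    for sid, path in profile_sids(parsed).items():
        print(sid, "->", path)
```

Export the hives on the suspect system with reg export (or load the offline SOFTWARE and NTUSER.DAT hives into a clean machine and export from there), then run the review against the text; in the sample, the Updater value pointing into a user's Temp folder and the path-less SOUNDMAN.EXE are the two entries marked for follow-up, and the SID with RID 1004 resolves to the ethan profile.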
Windows CD-KEY Revealer
This program reveals the CD-KEY of a Windows operating system
Helps in investigating the ownership licence of the OS software
Download this tool from
http://www.eccouncil.org/cehtools/win-cdkey.zip
Note: This slide is not in your courseware
Importance of Memory Dump
A memory dump is a raw copy of the contents of memory written to a file, without interpretation or formatting
Used to diagnose bugs
Helps in analysing memory contents at the moment a program or the system failed
The dump is raw binary; tools display it in hexadecimal (or octal) form
A crash dump file can be validated and summarised with dumpchk.exe
A memory dump file records the system state at the moment the computer stopped abruptly (a stop error)
Windows keeps its small memory dump files in the %SystemRoot%\Minidump folder
Manual Memory Dumping in Windows 2000
Right-click My Computer, and click Properties
Advanced tab -> Startup and Recovery
Select Complete memory dump and ensure that a valid dump file location is entered
Connect a null modem cable to the server's serial port
Edit the boot.ini file:
Copy the normal boot entry and add it at the end of the boot.ini file
Give the new entry the description "Debug boot" and append the switches
/debug /debugport=com1 /baudrate=57600
Reboot the system and select "Debug boot" from the boot menu; a kernel debugger attached over the cable can then break in and trigger the dump
Memory Dumping in Windows XP and Pmdump
In Windows XP
At crash time the dump is written into pagefile.sys on the system root drive and copied to the dump file at the next boot
This enables offline analysis tools
A small memory dump (minidump) uses up to 64 KB
Stored in the %SystemRoot%\Minidump folder
PMDump
A tool that dumps the memory contents of a running process to a file without stopping the process
Stands for Post Mortem Dump
The dump is saved to secondary storage, such as a disk
Supports Windows NT/2000/XP
System State Backup
Useful for forensic analysis of a Windows system
An ordinary Windows backup or a Registry backup alone will not suffice
A full system state backup stores the following:
Active Directory (on domain controllers)
The boot files
The COM+ class registration database
The Registry
The SYSVOL directory (on domain controllers)
The IIS metabase (where IIS is installed)
How to Create a System State Backup?
Start -> Programs -> Accessories -> System Tools -> Backup
On the Backup tab, check the System State box
Select the Schedule Jobs tab and click the Add Job button
Click Yes and choose the media options:
Media type,
Location and
Backup name
Click Next, confirm that the Normal backup type is selected, then click Next
When backing up to disk there is no need to verify the data; click Next
Choose whether to append to or replace any existing backups, then click Next
Schedule the backup accordingly, then click Next
Set the account under which the backup should run
Click Finish
Investigating Internet Traces
Internet Explorer investigations
Cookies
Windows 2000/XP
C:\Documents and Settings\%USERNAME%\Cookies
Windows 95/98/ME
C:\Windows\Cookies
History
Windows 2000/XP: C:\Documents and Settings\%USERNAME%\Local Settings\History
Temporary Internet files
Windows 2000/XP: C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files
Each of these folders carries an index.dat file that keeps its entries even after the visible files are deleted
Tool - IECookiesView
Displays details of all cookies stored on the computer
Lets you view the contents of each cookie and save the cookies to a readable text file
Also lets the user view references to deleted cookies
Tool - IE History Viewer
It parses and prints the history of visited URLs
It also reads the INFO and INFO2 files of the Windows Recycle Bin, the Netscape cache index "fat.db" and the Netscape history file "netscape.hst"
Forensic Tool: Cache Monitor
Offers a real-time view of the current state of the cache
Offers an interface to modify the data
Also does the following:
Verifies the configuration of dynamic caches
Verifies the cache policies
Monitors cache statistics
Monitors data flowing through the caches
Shows data in the edge cache
Views data offloaded to disk
Manages the data in the cache
CD-ROM Bootable Windows XP
The following are methods of creating a bootable CD-ROM for Windows XP:
Bart PE (Bart Preinstalled Environment)
Provides a complete Win32 environment with network support
Rescuing files to a network share, virus scanning, etc.
Ultimate Boot CD
Provides shared Internet access
Can modify NTFS volumes,
Recover deleted files,
Create new NTFS volumes, scan for viruses, etc.
Bart PE Screenshot
Ultimate Boot CD-ROM
List of Tools in UB CD-ROM
Summary
File slack may hold network logon names, passwords and other sensitive information left behind by the computer
The investigator must look for renamed files, changed extensions and altered file attributes, as they can be used to hide data
Sigverif is a built-in Windows program that lists all the unsigned drivers and related files on the computer
A memory dump is a raw, unformatted copy of memory contents written to a file
A system state backup is useful for forensic analysis of a Windows system
