Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Advanced Digital Forensics
Agenda
What is Computer Forensics?
Gathering evidence from Windows memory
Advanced registry forensics
Analyzing network data to collect evidence
Computer Forensics – the laws
First Law of Computer Forensics
There is evidence of every action.
Harlan Carvey’s Corollary:
Once you understand what actions or conditions create or modify an artifact, then the absence of that artifact is itself an artifact.
Tip of the “Digital” Iceberg
Data as seen by a casual observer using common tools (Explorer window, cmd shell, web browser, etc.)
Data as seen by a forensic investigator using a sophisticated toolkit. May include deleted data, hidden data, unauthorized information and records of illegal activity!
Windows Memory Forensics
Extracting Windows login credentials from a RAM image.
Extracting running processes.
Extracting UserAssist keys from RAM.
Viewing registry keys for all open processes.
Extracting Windows login credentials from a RAM image
Volatility modules used:
1. hivescan {python volatility hivescan -f <filename>}
2. hivelist {python volatility hivelist -f <filename> -o <offset value>}
3. hashdump {python volatility hashdump -f <filename> -y <System hive offset> -s <SAM hive offset>}
Use of Cain & Abel to crack the hashes obtained.
Extracting UserAssist keys from RAM
Load the image in EnCase and search for the keyword HRZR_EHACNGU (which is “UEME_RUNPATH” in ROT13). Keyword expressions:
HRZR_EHACNGU.*[\.]rkr
HRZR_EHACNGU.*[\.]yax
Decrypt the results using a ROT13 decryptor.
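The slide stops at the keyword search and the ROT13 step. The following is an added worked example, not part of the presentation or any tool it names: it applies the slide's two keyword expressions to ROT13-encoded UserAssist value names, decodes the names, and parses the 16-byte value format used by Windows XP (session id, counter, FILETIME; on XP the counter starts at 5, so launches = counter - 5). The sample entries are constructed here and are not from a real system; the value layout is assumed to be the XP-era 16-byte record, not the larger Windows 7 format.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# UserAssist value names are stored ROT13-encoded; "HRZR_EHACNGU" decodes to
# "UEME_RUNPATH", the prefix for programs and shortcuts launched via Explorer.
# The two expressions from the slide are applied to the still-encoded names:
# ".rkr" is ROT13 for ".exe" and ".yax" is ROT13 for ".lnk".
ENCODED_PATTERNS = [
    re.compile(r"HRZR_EHACNGU.*[\.]rkr"),
    re.compile(r"HRZR_EHACNGU.*[\.]yax"),
]

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """ROT13 is symmetric, so the same call encodes and decodes."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime (whole microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_xp_userassist_value(raw):
    """Parse the 16-byte Windows XP UserAssist value: session id, counter, FILETIME.
    On XP the counter starts at 5, so the number of launches is counter - 5."""
    if len(raw) != 16:
        raise ValueError("expected a 16-byte XP UserAssist value, got %d bytes" % len(raw))
    session, counter, filetime = struct.unpack("<IIQ", raw)
    return {
        "session": session,
        "run_count": max(counter - 5, 0),
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def decode_userassist(entries):
    """entries: (encoded_name, raw_value) pairs as recovered from NTUSER.DAT or a RAM image.
    Returns decoded records for the names matching the slide's keyword expressions."""
    results = []
    for encoded_name, raw in entries:
        if not any(p.search(encoded_name) for p in ENCODED_PATTERNS):
            continue
        record = parse_xp_userassist_value(raw)
        record["encoded_name"] = encoded_name
        record["name"] = rot13(encoded_name)
        results.append(record)
    return results


def _sample(name, session, counter, filetime):
    """Build one constructed entry the way it sits in the hive: name ROT13-encoded,
    value packed little-endian."""
    return (rot13(name), struct.pack("<IIQ", session, counter, filetime))


# Constructed sample data (not from a real system). 129044826000000000 is
# 2009-12-05 10:30:00 UTC. The third entry is a UEME_RUNPIDL name and is there
# to show that non-RUNPATH names are filtered out by the expressions.
SAMPLE_ENTRIES = [
    _sample("UEME_RUNPATH:C:\\WINDOWS\\system32\\cmd.exe", 1, 12, 129044826000000000),
    _sample("UEME_RUNPATH:C:\\Documents and Settings\\user\\Desktop\\tool.lnk", 1, 6, 129044826600000000),
    _sample("UEME_RUNPIDL:%csidl2%\\Accessories", 1, 8, 129044827200000000),
]

if __name__ == "__main__":
    for rec in decode_userassist(SAMPLE_ENTRIES):
        print(rec["name"], rec["run_count"], rec["last_run"])
```

The filter runs on the encoded names on purpose: that mirrors the EnCase keyword search, which sees the raw bytes of the hive or memory image, and decoding is applied only to the hits. The same `filetime_to_datetime` helper covers the timestamp decoding that the registry tools slide later delegates to a separate utility.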
Advanced Registry Forensics
Windows Registry
Registry files are essentially databases containing information and settings for:
Hardware
Software
Users
Preferences
A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat. In Windows XP, the registry files are located in the C:\windows\system32\config folder.
Mining the Windows Registry
Multiple forensic avenues in the registry!
System and User-specific settings
UserAssist
MuiCache
MRU Lists
ProgramsCache
StreamMRU
Shellbags
Usbstor
IE passwords
and many more!
Mining the Windows Registry
Multiple forensic avenues in the registry!
System and User-specific settings - NTUSER.DAT
UserAssist - HKCU/software/microsoft/windows/currentversion/Explorer/UserAssist
MuiCache - HKCU/Software/Microsoft/Windows/ShellNoRoam/MUICache
MRU Lists - HKCU/software/microsoft/windows/currentversion/Explorer/RunMRU
ProgramsCache - HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/StartPage
StreamMRU - HKCU/software/microsoft/windows/currentversion/Explorer/StreamMRU
Shellbags - HKCU/Software/Microsoft/Windows/Shell/BagMRU
Usbstor - HKLM/System/CurrentControlSet/Enum/USBStor
and many more!
Demo
Tools to analyze the registry
RegRipper (open source tool developed by Harlan Carvey, written in Perl)
Windows Registry Analyzer
Windows Registry Recovery
DCode (timestamp decoder)
Network Forensics
The Security Process and Network Forensics
Overall approach
Study the network architecture.
Determine network traffic capture mechanisms at appropriate points and get a copy of the capture file.
Determine devices that should or could be generating logs, especially those pertinent to the case in hand.
Determine vendors of these devices.
Determine logging functionality and logging configuration.
Assemble appropriate log analysis tools, and define the objectives of the analysis:
String searches
Pattern searches
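The approach above ends with string and pattern searches over the logs collected from several devices. As an added example (not part of the presentation), the block below parses a handful of constructed syslog-style lines from three hypothetical devices (fw01, proxy01, ad01; the message formats are invented for the example and follow no particular vendor), runs both kinds of search, and orders the hits from all devices into one timeline. The year is passed in explicitly because a syslog header carries none, which is assumed to be known from the capture.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from any real device). The last line is
# deliberately malformed: unparsed lines must be reported, not silently dropped.
SAMPLE_LOGS = [
    "Dec 05 10:29:58 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Dec 05 10:30:01 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Dec 05 10:30:07 proxy01 squid: TCP_MISS/200 192.0.2.10 GET http://example.invalid/update.exe",
    "Dec 05 10:30:12 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP DPT=445",
    "Dec 05 10:31:40 ad01 auth: logon success user=jdoe workstation=192.0.2.10",
    "this line is not syslog formatted and must be reported, not silently dropped",
]

# Syslog header: month, day, time, host, then the free-form message.
LOG_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def parse_logs(lines, year):
    """Return (records, unparsed). Each record holds a naive datetime, the source
    host, the message and the raw line; lines that do not match are kept aside."""
    records, unparsed = [], []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m.group("host"), "msg": m.group("msg"), "raw": line})
    return records, unparsed


def string_search(records, needle):
    """Plain substring search (an IP address, a user name, a file name)."""
    return [r for r in records if needle in r["msg"]]


def pattern_search(records, pattern):
    """Regular-expression search, e.g. dropped connections to one port."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["msg"])]


def timeline(records):
    """Order hits from all devices by time so one incident reads as one story."""
    return sorted(records, key=lambda r: r["ts"])


def hits_per_device(records):
    counts = defaultdict(int)
    for r in records:
        counts[r["host"]] += 1
    return dict(counts)


def run_example():
    records, unparsed = parse_logs(SAMPLE_LOGS, 2009)
    host_hits = timeline(string_search(records, "192.0.2.10"))
    smb_drops = pattern_search(records, r"\bDROP\b.*\bDPT=445\b")
    return {
        "unparsed": len(unparsed),
        "host_hits": [r["host"] for r in host_hits],
        "smb_drops": hits_per_device(smb_drops),
        "first_event": host_hits[0]["ts"].isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

One caveat this illustrates: a plain string search for an address like `192.0.2.1` also matches `192.0.2.10` and `192.0.2.11`, so for addresses, ports and user names the pattern search with word boundaries (`\b192\.0\.2\.1\b`) is the one to trust; the string search is for quick triage.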
Tools for analyzing captured network traffic
NetworkMiner
NetWitness
Wireshark
WinHex
Case study of Network Forensic
Thank you!
Questions and Answers!!
Kush Wadhwa, EnCE, CEH, RHCE
Contact Number: +919717188544
Email Address: [email protected]