Live Forensics Investigations (Computer Forensics, 2013)
Live Investigations: necessary because
- the computer cannot be shut down, e.g. an important server
- the nature of the evidence is too volatile, e.g. malware investigations
- cost considerations: remote forensics
Live Investigations: special challenges
- Interaction with the live system changes the state of the live system. Consequence: document carefully what is being done; use scripts; use automated gathering tools.
- The system can be rootkitted, and interaction with the system is usually not at the lowest possible level.
Live Investigations: became normal only recently
- It always seemed better to work directly with the hard drive; if necessary, construct a clone of the live system.
- The tools for capturing volatile evidence have increased.
Live Investigations: need to be preplanned
- Bring all the tools, do not interrupt evidence gathering, document every step.
Remote gathering of data
- Possible to install a forensics module that allows routine investigations via a network connection.
- Installs a trusted agent on each potential target machine; the agent communicates via a secure connection.
- Once triggered, the agent collects data and sends it through a one-way connection to a collector.
Remote gathering of data: forensics agent
- Forensically sound data collection; fully configurable; best practice; cross-platform; can be used stand-alone or remotely.
Remote gathering of data: tools by test

Test                    Windows                                   Linux
Users logged on         psloggedon.exe                            w
System uptime           psinfo.exe                                uptime
File timestamps         dir, attrib                               ls
Network connections     netstat, fport.exe                        netstat
Running processes       pslist.exe                                ps
Loaded DLLs             listdlls.exe                              -
Network configuration   netstat.exe, arp.exe, ipconfig.exe        netstat, ifconfig
Installed services      psservice.exe                             -
Log data                auditpol.exe, ntlast.exe, psloglist.exe   last
Kernel modules          -                                         lsmod
Mounted filesystems     -                                         df
Registry                regdmp.exe                                -
Password hashes         pwdump3.exe                               cat
Open files              handle.exe                                lsof
Remote gathering of data: application-specific data
- Browser history, Skype chat logs, ...
- Memory capture
Live Forensics: usually use a toolkit
- User-level rootkits: no influence, since you are using your own tools.
- System-level rootkits: the norm among rootkits. They do usually not lie consistently: use several ways / tools to ask the same question and automatically look for inconsistencies.
- Anti-rootkit defense: run various antivirus tools.
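The "ask the same question several ways and look for inconsistencies" idea, written out as an added example (not part of the lecture): each question is answered by several independent tools, and whatever some views report but others omit is flagged for the investigator. The process and listener listings are constructed sample data, not output from a real host.

```python
"""Cross-view consistency check for a suspected system-level rootkit.
Added example (not part of the lecture): the same question ("what processes
exist?", "what is listening?") is answered by several independent tools, and
anything that some views show but others do not is flagged.  All listings
below are constructed sample data, not output from a real host."""
from typing import Dict, Iterable, List


def hidden_from(views: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """For every view, return the entries that at least one other view reports
    but this view omits.  A hooked enumeration API shows up as a non-empty list
    for exactly the views that go through that API."""
    sets = {name: set(items) for name, items in views.items()}
    union = set().union(*sets.values())
    return {name: sorted(union - s) for name, s in sets.items()}


def inconsistent_entries(views: Dict[str, Iterable[str]]) -> List[str]:
    """Entries not reported by every view: the first things to examine."""
    sets = [set(items) for items in views.values()]
    return sorted(set().union(*sets) - set.intersection(*sets))


def report(views: Dict[str, Iterable[str]], what: str) -> List[str]:
    """Human-readable lines for the investigator's notes."""
    lines = []
    for name, missing in hidden_from(views).items():
        for entry in missing:
            lines.append(f"{what}: {entry!r} not visible via {name}")
    return lines or [f"{what}: all views agree"]


# Constructed sample: process names from three independent sources on the same
# Windows host.  The two user-mode listings go through the same (hookable)
# enumeration path; the memory-dump view does not.
PROCESS_VIEWS = {
    "pslist.exe": ["System", "smss.exe", "csrss.exe", "svchost.exe", "explorer.exe"],
    "tasklist": ["System", "smss.exe", "csrss.exe", "svchost.exe", "explorer.exe"],
    "memory dump": ["System", "smss.exe", "csrss.exe", "svchost.exe", "explorer.exe", "unknown.exe"],
}

# Constructed sample: listening TCP ports as reported by two different tools.
SOCKET_VIEWS = {
    "netstat -an": ["tcp/135", "tcp/445", "tcp/3389"],
    "fport.exe": ["tcp/135", "tcp/445", "tcp/3389", "tcp/6667"],
}

if __name__ == "__main__":
    for line in report(PROCESS_VIEWS, "process") + report(SOCKET_VIEWS, "listener"):
        print(line)
```

The views are deliberately plain lists of names so that the output of any tool from the table above (pslist, tasklist, netstat, fport, or a memory-dump process scan) can be dropped in after a one-line parse; the check itself does not care which tool produced which list, only that they disagree.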
Preparing the Toolkit
- Label the toolkit.
- Check for dependencies with Filemon or ListDLLs. Many dependencies mean many MAC (timestamp) changes, and many dependencies make it easy to run into a trojaned utility.
- Create an MD5 of the toolkit.
- Write-protect any floppies.
Storing Obtained Data
- Save data on the hard drive of the target (modifies the system).
- Record data by hand.
- Save data on removable media, including USB storage.
- Save data on a remote system with netcat or cryptcat.
Storing Obtained Data with netcat
- Quick on, quick off the target system; allows offline review.
- Establish a netcat listener on the forensic workstation and redirect it into a file.
- Establish a netcat funneler on the target system to the forensic workstation.
- Cryptcat does the same, but protects against sniffing.
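The listener/funneler exchange above, as an added example (not the lecture's own material) with both ends written in Python so it can run offline on loopback: start_collector() plays the forensic workstation ("nc -l -p PORT > file"), funnel() plays the target side ("command | nc WORKSTATION PORT"), and each end hashes the bytes it handled so the two values can be compared in the notes. The sample pslist output is constructed; the stream is unencrypted, which is exactly the exposure cryptcat addresses.

```python
"""One-way evidence transfer in the netcat pattern (added example, not from
the lecture).  The target only ever sends; the collector only ever receives
and writes to disk.  Loopback is used so the example runs offline; in the
field the two ends are different machines."""
import hashlib
import socket
import tempfile
import threading
from pathlib import Path
from typing import Dict


def start_collector(outfile, host: str = "127.0.0.1"):
    """Bind an ephemeral port and, in a background thread, write everything
    the first client sends into outfile.  Returns (port, thread, result);
    result is filled in with the SHA-256 of the received bytes when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result: Dict[str, object] = {}

    def serve() -> None:
        conn, peer = srv.accept()
        srv.close()                      # one connection per listener, like nc -l
        digest = hashlib.sha256()
        with conn, open(outfile, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:            # sender shut down its write side
                    break
                f.write(chunk)
                digest.update(chunk)
        result["peer"] = peer[0]
        result["received_sha256"] = digest.hexdigest()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t, result


def funnel(data: bytes, host: str, port: int) -> str:
    """Target side: push the bytes out and close.  Nothing is read back, so
    the target never receives instructions over this channel.  Returns the
    SHA-256 of what was sent, to be written into the investigator's notes."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
    return hashlib.sha256(data).hexdigest()


def transfer(data: bytes, outfile) -> Dict[str, object]:
    """Run both ends on loopback and compare the hashes computed at each end."""
    port, thread, result = start_collector(outfile)
    sent = funnel(data, "127.0.0.1", port)
    thread.join(10)
    result["sent_sha256"] = sent
    result["match"] = result.get("received_sha256") == sent
    return result


# Constructed sample: what a target-side "pslist.exe | nc ..." might carry.
SAMPLE_OUTPUT = b"Name  Pid Pri Thd Hnd\nSystem  4  8  95  1200\nsvchost.exe  740  8  20  400\n"


def demo() -> Dict[str, object]:
    """Transfer SAMPLE_OUTPUT into a temporary file and return the result."""
    out = Path(tempfile.mkdtemp()) / "pslist.txt"
    res = transfer(SAMPLE_OUTPUT, out)
    res["bytes_on_disk"] = out.read_bytes()
    return res


if __name__ == "__main__":
    r = demo()
    print("hashes match:", r["match"], r["received_sha256"])
```

Hashing at both ends is the cheap way to get the "quick on, quick off" property without losing integrity: the target-side hash is the only thing that has to be recorded by hand before the shell is closed, and the collector's copy can be reviewed offline afterwards.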
Obtaining Volatile Data
- Store at least: system date and time; list of current users; list of current processes; list of currently open sockets; applications associated with the open sockets; list of systems with current or recent connections to the system.
Obtaining Volatile Data: Procedure
1. Execute a trusted cmd.exe.
2. Record the system time and date.
3. Determine who is logged on.
4. Record file MAC times.
5. Determine open ports.
6. List all applications associated with open ports.
7. List all running processes.
8. List current and recent connections.
9. Record the system time and date again.
10. Document the commands used during the initial response.
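The procedure above as a script, which is what "use scripts" and "document every step" come down to in practice. This is an added example, not the lecture's code: every step is run from an ordered list, and the log records which command ran, when it started and finished, its exit status and a hash of its output. The Windows step list follows the lecture's order and tool names; the toolkit path is a placeholder and the exact command-line switches are this example's assumption. portable_demo_steps() substitutes stand-in commands so the runner can be exercised on any machine.

```python
"""Scripted, self-documenting collection of volatile data (added example,
not from the lecture).  TOOLKIT is a placeholder for the labelled,
write-protected response toolkit; the switches below are assumptions."""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple

Step = Tuple[str, Sequence[str]]

TOOLKIT = r"E:\ir-toolkit"   # placeholder: the trusted toolkit, not C:\Windows

# The lecture's order: trusted shell, time, users, MAC times, ports, apps on
# ports, processes, connections, time again.  Tool names are those the
# lecture lists; the switches are an assumption of this example.
WINDOWS_STEPS: List[Step] = [
    ("date", [f"{TOOLKIT}\\cmd.exe", "/c", "date", "/t"]),
    ("time", [f"{TOOLKIT}\\cmd.exe", "/c", "time", "/t"]),
    ("logged_on_users", [f"{TOOLKIT}\\psloggedon.exe"]),
    ("file_mac_created", [f"{TOOLKIT}\\cmd.exe", "/c", "dir", "/t:c", "/a", "/s", "C:\\"]),
    ("file_mac_accessed", [f"{TOOLKIT}\\cmd.exe", "/c", "dir", "/t:a", "/a", "/s", "C:\\"]),
    ("file_mac_written", [f"{TOOLKIT}\\cmd.exe", "/c", "dir", "/t:w", "/a", "/s", "C:\\"]),
    ("open_ports_and_apps", [f"{TOOLKIT}\\fport.exe"]),
    ("processes", [f"{TOOLKIT}\\pslist.exe"]),
    ("connections", [f"{TOOLKIT}\\netstat.exe", "-an"]),
    ("time_again", [f"{TOOLKIT}\\cmd.exe", "/c", "time", "/t"]),
]


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def run_step(name: str, argv: Sequence[str], log: List[Dict]) -> str:
    """Run one tool, append a log record, return its stdout as text.  A tool
    that is missing or hangs is logged (returncode None), not fatal: the
    remaining steps still run."""
    started = now_utc()
    try:
        proc = subprocess.run(list(argv), capture_output=True, timeout=120)
        stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.SubprocessError) as exc:
        stdout, stderr, rc = b"", str(exc).encode(), None
    log.append({
        "step": name,
        "argv": list(argv),
        "started_utc": started,
        "ended_utc": now_utc(),
        "returncode": rc,
        "stdout_sha256": hashlib.sha256(stdout).hexdigest(),
        "stderr": stderr.decode(errors="replace"),
    })
    return stdout.decode(errors="replace")


def collect(steps: Sequence[Step]) -> Tuple[Dict[str, str], List[Dict]]:
    """Run every step in order.  The log opens and closes with the
    workstation clock, so the collection window is recorded even if the
    target-side time commands fail."""
    log: List[Dict] = [{"step": "collection_start", "workstation_utc": now_utc()}]
    outputs: Dict[str, str] = {}
    for name, argv in steps:
        outputs[name] = run_step(name, argv, log)
    log.append({"step": "collection_end", "workstation_utc": now_utc()})
    return outputs, log


def portable_demo_steps() -> List[Step]:
    """Stand-ins for the Windows tools so the runner works anywhere: two
    steps that succeed and one whose tool does not exist."""
    py = sys.executable
    return [
        ("logged_on_users", [py, "-c", "print('alice  console  2013-03-04 09:12')"]),
        ("processes", [py, "-c", "print('System 4\\nsvchost.exe 740')"]),
        ("missing_tool", ["/nonexistent/toolkit/fport.exe"]),
    ]


if __name__ == "__main__":
    outputs, log = collect(portable_demo_steps())
    print(json.dumps(log, indent=2))
```

The log is the artefact to keep alongside the outputs: it answers, months later, which binary was run, in what order and with what result, which is the part of "document every step" that hand-written notes tend to lose.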
Examples
- Use Fport to look at open ports. Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware: www.doshelp.com/trojanports.htm
Examples
- If, on your home system, fport shows suspicious port use and netstat shows a current connection to this port, then kill the process.
Examples
- Knowing what processes are running does not do you any good by itself; you need to know what they are doing. At least know the typical processes.
Examples
- Assume generic monitoring of systems. Look for unusual resource utilization or process behavior, missing processes, added processes, and processes with unusual user identification.
Examples: Detecting and Deleting Trojans
- Use port scanning tools, either on the host machine or on a remote machine: Fport (Windows), Superscan (Windows), Nmap.
- netstat (for open connections).
Examples: Detecting and Deleting Trojans
- Identify the Trojan on the disk.
- Find out how it is being initiated and prevent the process.
- Reboot the machine and delete the Trojan.
Example
- Do an internet search on svchost. The process checks the service portion of the registry to start services that need to run.
- Use Tasklist /SVC in a command prompt.
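A parser for the `tasklist /SVC` listing the slide points at, as an added example (not from the lecture). It turns "a process called svchost.exe" into "the svchost instance hosting RpcSs", which is the level at which knowing the typical processes actually helps, and it lists any svchost instance that hosts no service at all, since that is the first one to look at more closely. SAMPLE is constructed in the layout tasklist prints, not output from a real machine.

```python
"""Parser for `tasklist /SVC` output (added example, not from the lecture).
SAMPLE is constructed in the format tasklist prints; it is not real output."""
import re
from typing import Dict, List

SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    740 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                    856 RpcEptMapper, RpcSs
svchost.exe                   1112 EventLog, lmhosts
explorer.exe                  2400 N/A
svchost.exe                   3120 N/A
"""

# image name (may contain spaces), right-aligned PID, then the service column
ROW = re.compile(r"^(?P<image>.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field: str) -> List[str]:
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> List[Dict]:
    """Return one record per process: image, pid, services (empty for N/A).
    A line that starts with whitespace continues the previous process's
    service list, which is how tasklist wraps long lists."""
    rows: List[Dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Image Name") or line.startswith("="):
            continue                                  # header and ruler lines
        if line[0].isspace():
            rows[-1]["services"] += _split_services(line)
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised tasklist line: {line!r}")
        rows.append({"image": m["image"].strip(), "pid": int(m["pid"]),
                     "services": _split_services(m["services"])})
    return rows


def services_by_svchost(rows: List[Dict]) -> Dict[int, List[str]]:
    """PID -> hosted services for every svchost.exe instance."""
    return {r["pid"]: r["services"] for r in rows if r["image"].lower() == "svchost.exe"}


def svchost_without_services(rows: List[Dict]) -> List[int]:
    """svchost.exe exists to host services; an instance hosting none is the
    one to examine first (the image may not be the real svchost)."""
    return [pid for pid, svcs in services_by_svchost(rows).items() if not svcs]


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    for pid, svcs in services_by_svchost(rows).items():
        print(pid, ", ".join(svcs) or "(no services)")
    print("svchost instances without services:", svchost_without_services(rows))
```

Running the parser over output captured with the trusted toolkit (rather than the target's own tasklist) gives a per-instance service map that can be compared against a known-good host of the same build; differences in the hosted-service sets, not the process names, are what stand out.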
Malware investigations
- Run malware in a virtual machine. Problem: malware can detect that it is running in a virtual machine.
- Run malware on a live system: dangerous for the environment. Can limit network connectivity. Try to observe the malware's effects.
- Live system: need to run monitoring tools, e.g. regmon, filemon. These can be detected by malware.
- Use differential analysis: do system analysis on images taken before and after infection.
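Differential analysis as code, as an added example (not the lecture's own): a hash manifest of a directory tree is taken before and after the sample runs, and the two manifests are diffed into added, removed and changed files. The same manifest routine covers the "create an MD5 of the toolkit" step from the toolkit-preparation slide, so that part is included here too. The before/after trees and the toolkit in demo() are constructed in a temporary folder; on a real case the roots would be the mounted images.

```python
"""Hash manifests for two jobs the lecture describes (added example, not the
lecture's code): fingerprinting the response toolkit, and differential
analysis of before/after images.  demo() builds constructed trees."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Digest a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root, algo: str = "sha256") -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_toolkit(root, expected: Dict[str, str], algo: str = "sha256") -> List[Tuple[str, str]]:
    """Toolkit check: anything missing, modified or unexpected is a reason
    not to trust the kit.  An empty list means it matches the manifest."""
    actual = manifest(root, algo)
    problems = [(p, "missing") for p in expected if p not in actual]
    problems += [(p, "modified") for p in expected if p in actual and actual[p] != expected[p]]
    problems += [(p, "unexpected") for p in actual if p not in expected]
    return sorted(problems)


def diff_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Differential analysis: what the sample added, removed or changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(root: Path, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> Dict[str, object]:
    """Constructed before/after trees plus a toolkit; runs both checks."""
    base = Path(tempfile.mkdtemp())
    # Constructed "system image" before and after executing a sample.
    before = {"Windows/System32/svchost.exe": b"original svchost",
              "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
              "Users/alice/notes.txt": b"hello"}
    after = dict(before)
    after["Windows/System32/drivers/etc/hosts"] = b"127.0.0.1 localhost\n# one more line\n"
    after["Windows/Temp/dropped.dll"] = b"new file"
    del after["Users/alice/notes.txt"]
    _write(base / "before", before)
    _write(base / "after", after)
    # Constructed toolkit: the manifest is made when the kit is prepared
    # (the lecture says MD5), and a later check catches a swapped binary.
    _write(base / "toolkit", {"pslist.exe": b"kit pslist", "netstat.exe": b"kit netstat"})
    kit_manifest = manifest(base / "toolkit", "md5")
    clean = verify_toolkit(base / "toolkit", kit_manifest, "md5")
    (base / "toolkit" / "netstat.exe").write_bytes(b"not the kit netstat")
    tampered = verify_toolkit(base / "toolkit", kit_manifest, "md5")
    return {
        "diff": diff_manifests(manifest(base / "before"), manifest(base / "after")),
        "toolkit_clean": clean,
        "toolkit_tampered": tampered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the manifest is taken from an image rather than from the running target, the monitoring-tool detection problem above does not arise: nothing runs on the infected system during the comparison.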
Malware investigations: physical targets
- Malware runs in its native habitat, without hypervisors, emulators, ...
- Example: TRUMAN, the reusable unknown malware analysis net. Two physical computers: a Windows machine for the malware client and a Linux machine for the supervisor. Makes dd images after executing samples, ... Simulates internet services such as SMTP, FTP, IRC.
- Provides: memory analysis with Volatility; registry analysis with regdiff.pl, dumphive, RegRipper; packer identification; network traffic analysis; NTFS ADS streams; hashes of system files.
Malware investigations: physical target
- Deep Freeze: prevents permanent changes to the computer.
- FOG: cloning and imaging software.
Malware investigations: analysis cycle
1. Create baseline
2. Reimage target
3. Transfer malware
4. Pre-execution
5. Execute malware
6. Suspend VM
7. Dump memory
8. Post-execution
9. Analyze hard disk