Unit-2 1

The document outlines the procedures and tools for conducting live data collection and investigation on Windows systems, emphasizing the importance of obtaining volatile data before powering off the system. It details the creation of a response toolkit, methods for transferring and encrypting data, and the documentation required during the investigation process. Key tools and commands for gathering system information, monitoring processes, and ensuring data integrity are also highlighted.

Uploaded by enuguprasanna23

Live Data Collection: Windows Systems

Live Investigation Goals

•Obtain enough information to determine the appropriate response.
•Considerations include the totality of the circumstances
  •Learn before responding
•Two goals:
  •Confirm there is an incident
  •Retrieve volatile system data (it won't be there after the system is powered off)

Creating a Response Toolkit

•Plan to obtain all relevant information without affecting any potential evidence.
•By collecting trusted files on a CD, you are better equipped to respond:
  •Quickly
  •Professionally
  •Successfully

Some Common Tools and Sources

Tool         Source         Tool         Source
Cmd.exe      -              md5sum       etree.org
PsLoggedOn   SysInt         rmtshare     NTRK
rasusers     NTRK           netcat       atstake
netstat      -              cryptcat     sourceforge
fport        FS             PsLogList    FS
PsList       SysInt         ipconfig     -
ListDLLs     FS             PsInfo       SysInt
nbtstat      -              PsFile       SysInt
arp          -              PsService    SysInt
kill         NTRK           auditpol     NTRK
doskey       -

(SysInt = Sysinternals, NTRK = Windows NT Resource Kit, FS = Foundstone; a dash means the tool ships with Windows itself. Trusted copies of these, too, belong on the response CD.)

Tool Interface Categories

•Graphical or command line (GUI or CLI)
•Since GUI programs create windows, have pull-down menus, and generally do "behind the scenes" interaction, avoid using them during an investigation.

Preparing the Toolkit

•Label response toolkit media with:
  •Case number
  •Time and date
  •Name of investigator
  •Presence of output files?
•Check for dependencies (Filemon)
•Create toolkit checksum
•Write-protect any toolkit floppies

Storing Information Obtained During the Initial Response

•Live refers to a currently powered-on system.
•The environment is untrusted.
•The unexpected should be anticipated.
Four options:
•Save the retrieved data to a hard drive
•Record data in a notebook by hand
•Save data onto the response floppy disk or other removable storage medium
•Save data on a remote system using netcat or cryptcat

Transferring Data with Netcat

•Netcat can create a connection between the target system and the forensic workstation
•Allows you to review information offline
•After the data transfer is complete, you will need to break the connection.
•On the forensic workstation

Integrity with md5sum

•Protect the integrity of retrieved files.
•Among other places, you can get md5sum for Windows from etree.org
•Perform the md5sum in front of witnesses.

Process Summary

•Run trusted commands on the NT server
•Send output to the forensics box with netcat
•md5sum the files
•Perform off-line review

Encrypting Data with Cryptcat

•Cryptcat has the same syntax and functions as netcat
•Encrypted data transfer
•Encrypting files means that:
  •An attacker's sniffer cannot compromise your information (unless your passphrase is compromised)
  •Encryption nearly eliminates the risk of data contamination or injection

Volatile Data for Live Response

Only available prior to system power off.
Possible data items include:
•System date and time
•Currently logged on users
•Time/date stamps for the entire file system
•Currently running processes
•Currently open sockets
•Applications listening on open sockets
•Systems that have current or recent connections to the system

Investigation Organization and Documentation

Two reasons to document:
•Gather information that may become evidence
•Protect the organization
Notes
•Before starting, create tool hashes
•Use a form to plan and document the response.
•It is good policy to have a witness sign the form and verify each MD5 sum.

Collecting Volatile Data

•Execute trusted cmd.exe
•Record system time and date
•Determine logged-on users
•For all files, record modification, creation and access times.
•Determine open ports.
•List applications associated with open ports
•List all running processes
•List current and recent connections
•Document commands used during the initial response

Gathering Data One

•For all files, record modification, creation, and access times
  •dir
•Determine open ports
  •fport
•Enumerate all running processes on the target system
  •PsList
•Note: to identify abnormal processes, you first need to have identified the normal processes, i.e. done a baseline.

Gathering Data Two

•List current and recent connections
  •netstat can determine current connections as well as the remote IP address of those connections
  •The arp (Address Resolution Protocol) cache contains IP addresses mapped to MAC addresses
  •Use the nbtstat command to access the remote NetBIOS (Network Basic Input/Output System) name cache

Gathering Data Three

Use:
doskey /history
to display the command history of the current command shell

Scripting Initial Response

•Many technical steps performed during the initial response can be incorporated into a batch script.
•For example
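The deck leaves its example slide empty, so what follows is an added batch script (not the deck's own, nor from the textbook it is based on) that strings together the Gathering Data steps, the netcat transfer and the md5sum process summary above: run in "listen" mode on the forensic workstation it receives one file per item and hashes each as it lands; run in "collect" mode from the trusted CD on the target it pipes each tool's output across. Tool file names, the IP, port and paths are placeholders, and the "-w 3" behaviour of the classic NT netcat is an assumption stated in the comments.

```batch
@echo off
REM ir.cmd -- added example, not the deck's own script. Assumes the trusted
REM toolkit (cmd.exe, nc.exe, md5sum.exe, psloggedon.exe, fport.exe,
REM pslist.exe, netstat, arp, nbtstat, doskey) sits in this script's
REM directory, e.g. a write-protected CD. IPs, ports and paths are placeholders.
REM   Forensic workstation (run first):  ir.cmd listen 2222 D:\case001
REM   Target system (from the CD):       E:\ir.cmd collect 10.0.0.20 2222
setlocal
set TK=%~dp0
if /i "%~1"=="listen"  goto listen
if /i "%~1"=="collect" goto collect
echo usage: %~nx0 listen ^<port^> ^<outdir^>  ^|  collect ^<workstation-ip^> ^<port^>
exit /b 1

:listen
REM One netcat connection per item, in the same order the collect side sends.
if not exist "%~3" mkdir "%~3"
for %%I in (datetime psloggedon dir_mtime dir_atime dir_ctime fport pslist netstat arp nbtstat doskey) do (
    echo [*] waiting for %%I on port %~2 ...
    "%TK%nc" -l -p %~2 > "%~3\%%I.txt"
    REM hash each file as it lands, with the witness watching
    "%TK%md5sum" "%~3\%%I.txt" >> "%~3\hashes.md5"
)
type "%~3\hashes.md5"
exit /b 0

:collect
REM %2 = forensic workstation IP, %3 = port. "-w 3" makes nc close the socket
REM 3 s after stdin hits EOF, so the listener loop advances without a manual
REM Ctrl-C (assumption: classic Hobbit netcat for NT semantics).
set SEND="%TK%nc" -w 3 %~2 %~3
(date /t & time /t)             | %SEND%
"%TK%psloggedon"                | %SEND%
dir /t:w /a /s /o:d C:\         | %SEND%
dir /t:a /a /s /o:d C:\         | %SEND%
dir /t:c /a /s /o:d C:\         | %SEND%
"%TK%fport"                     | %SEND%
"%TK%pslist"                    | %SEND%
"%TK%netstat" -an               | %SEND%
"%TK%arp" -a                    | %SEND%
"%TK%nbtstat" -c                | %SEND%
doskey /history                 | %SEND%
exit /b 0
```

Replacing nc with cryptcat on both sides, using the same -k passphrase, gives the encrypted transfer described on the Cryptcat slide without changing anything else in the script.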
In Depth Live Response

•Date and time commands
•PsLoggedOn
•Netstat
•PsList
•Fport (Frsky port "RX protocol", a communication interface between the RX (receiver) and FC (flight controller))
•Safeback or EnCase.

In Depth Response Tools

•Auditpol NTRK (determines the audit policy of the system)
•Reg NTRK
•Regdump NTRK
•Pwdump3e
•NTLast FS
•Sfind FS
•Afind FS
•Dumpel NTRK

Collecting Live Response Data

•Review
  •Event logs
  •Registry
•Obtain system passwords
•Dump system RAM

Obtaining Event Logs during Live Response

•Auditpol discovers which audit policies exist
•NTLast allows you to monitor successful and failed system logons
•Dumpel can retrieve remote logs

Live Response: Reviewing the Registry

Regdump creates an enormous text file from a registry.
Reg query extracts just the Registry key values of interest
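As an added example of the "just the keys of interest" approach (not from the deck), this batch file queries the common autostart locations a live responder reviews first, appends them to one text file and hashes it. It assumes the reg query syntax of the reg.exe built into Windows XP and later (the NTRK reg tool the deck lists has its own syntax), md5sum.exe in the toolkit directory, and an output directory given as the first argument.

```batch
@echo off
REM regkeys.cmd -- added example, not the deck's own script. Pulls only the
REM registry values of interest instead of a full regdump. Assumes reg.exe
REM with the "reg query <key>" syntax (built into Windows XP and later) and
REM md5sum.exe in this script's directory (the trusted toolkit CD).
setlocal
set TK=%~dp0
set OUT=%~1
if "%OUT%"=="" set OUT=.
set LOG=%OUT%\regkeys.txt
if exist "%LOG%" del "%LOG%"
REM autostart locations a live responder checks first; add keys as the case needs
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
) do (
  echo ==== %%~K ==== >> "%LOG%"
  reg query %%K >> "%LOG%" 2>&1
)
REM hash the result in front of the witness and record it on the response form
"%TK%md5sum" "%LOG%"
```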
System Passwords

•Use pwdump3e to dump the passwords from the SAM (serial access memory) file
•Crack them with John or a similar tool, or
•Use rainbow tables
•You may also want to dump system RAM (random access memory)
A rainbow table is a precomputed table for caching the outputs of a cryptographic hash function, usually for cracking password hashes.

Thank you
