Windows Forensics and Incident Recovery Notes

Windows Event Log
- clearing the Security Event Log generates event ID 517
- Stealing info via USB drive may cause event ID 134: "Removable Storage Service"; if logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key. A right click on these entries may show "RemoveableMedia"
- Logon events http://support.microsoft.com/default.aspx?kbid=174073
- Logon types http://support.microsoft.com/default.aspx?scid=kb;en-us;140714
- More security events http://support.microsoft.com/kb/174074/

CMD Line History
- doskey /history or the RunMRU registry key

File Associations
- C:\>assoc will list out every association; C:\>assoc .exe ---> .exe=exefile
- ftype exefile ---> exefile="%1" %* ; shows what variables are used at runtime; matches the value in HKEY_CLASSES_ROOT\exefile\shell\open\command
- if this value has been modified by malware use --> C:\>ftype exefile="%1" %* to change it back

Hidden Files
- To view hidden files ---> C:\>dir /ah; the attrib command will list out all file attributes

Scheduled Commands
- Sometimes malicious code is scheduled; use the at cmd or schtasks.exe to view scheduled tasks

File Signatures
- located in the first 20 bytes of a file; MZ is found in executables; look for a mismatch between signature and extension
- a good list of file headers http://www.techpathways.com/uploads/headersig.txt

File Times (MAC Times: Modified, Accessed, Created)
- C:\>dir /ta ----> lists in order of last access
- The Unix touch cmd has been ported to Windows http://www.dwam.net/docs/aintx/
- if auditing is enabled, changes to MAC times create events with ID 560 in the event log

File Binding
- Elitewrap will combine 2 files and compress them http://homepage.ntlworld.com/chawmp/elitewrap/
- GUI version inPEct http://sysdlabs.hypermart.net/proj/inpect.txt

ADS (Alternate Data Stream)
- Lads will detect this http://www.heysoft.de/Frames/f_sw_la_de.htm
- Also Streams from sysinternals http://www.sysinternals.com/utilities/streams.html
- the best way to remove an ADS is to copy the file, delete the old one, and rename
- an ADS can also be attached to a directory ---> echo "FooBar" > :ads.txt
- This adds an executable to a common txt file -> C:\ads>type c:\windows\system32\notepad.exe > myfile.txt:np.exe
- Call it like this -> C:\ads>start .\myfile.txt:np.exe ; the full path works also
- vb scripting can be hidden in an ADS and launched --> C:\ads>wscript //E:vbs myfile.txt:ads.txt

Registry Hiding
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation is a common hiding place because it is not used by the OS. Strings or small programs can be hidden in this key http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettimezoneinformation.asp

Document Metadata
- Strings from sysinternals will also find metadata http://www.sysinternals.com/utilities/strings.html
- rhdtool from MS will remove metadata http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en

OLE Storage
- Merge Streams will combine files http://www.ntkernel.com/w&p.php?id=23

Steganography
- Free tools at http://home.earthlink.net/~emilbrandt/stego/software.html (S-Tools4)
- Hydan is also popular http://www.crazyboy.com/hydan/

Windows Server Port List
- http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

NTFS Conversion
- to convert from FAT to NTFS --> C:\>convert /FS:NTFS c:\

NSA Templates
- you can download OS templates for windows secedit (Local Security Policy) http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1

GPO Settings
- gpresult.exe can be run to find policy settings http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Login Restrictions
- you can modify lockout settings using the net accounts cmd to allow for unlimited password attempts http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194739

IIS Application Mappings
- using the MMC, bring up application mappings and disable all unnecessary mappings
- IIS Lockdown and URLscan can provide additional security for IIS servers

Windows File Protection
- backup copies of protected files are restored from the cache if modified or deleted: %SYSTEMROOT%\system32\dllcache
- the cmd line utility sfc can be used to replace modified files
- the Perl lib Win32::AdvNotify allows you to create your own WFP, for example for a static website, which will monitor for defacements and automatically replace the file and notify you. http://idnopheq.perlmonk.org/perl/packages/x86/Win32/

Patch Management
- Download MBSA here http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
- Shavlik trial http://www.shavlik.com/pDownloadForm4.aspx?productid=1

Web Vulnerability Assessment
- Free tools available at http://www.ntobjectives.com/freeware/index.php

Centralized Logging
- ntsyslog, kiwi syslog daemon, dumpevt.exe (somarsoft)
- port reporter provides port-to-process mapping logs http://support.microsoft.com/?id=837243

Volatile Information Recovery
- C:\>date /t && time /t , recovers system date and time for comparison
- systeminfo.exe , native on XP or newer, will show uptime also; psinfo.exe from sysinternals
- psloggedon.exe from sysinternals shows remote and local logged on users
- netusers.exe from somarsoft will also show previously logged on users with the /h switch
- C:\>net session will display any active remote connections
- C:\>net use * \\<ip>\c$ /u:Administrator <password> , to log on remotely
- to list processes: pulist from the resource kit, or pslist from sysinternals; using the /t switch with pslist will display processes in a tree. Trojaned processes often will fall outside the tree
- listdlls.exe from sysinternals will give you version information along with the command used to start the process
- handle.exe from sysinternals lists out everything the process is accessing
- c:\>tasklist /svc native to XP lists out processes along with window title information
- tlist from the windows debug kit is very functional http://www.microsoft.com/whdc/ddk/debugging/default.mspx
- svchost is a windows generic process that shows up multiple times. To find out what they are mapped to, review the following reg key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Remote Shell
- net use \\machine\ipc$ /user:machine\administrator
- psexec \\machine cmd

Process Info Guidelines
At minimum collect the following:
- Process identifiers (PIDs) for each process running on the system (provided by most all tools)
- Process name (provided by most all tools)
- Length of time the process has been running (pslist.exe)
- Command line used to launch each process (listdlls.exe, cmdline.exe, tlist.exe)
- Full path to the executable file that each process was launched from (cmdline.exe, tlist.exe)
- User context that each process runs under (handle.exe, pulist.exe)
- Services running under each process (tlist.exe, tasklist.exe)
Additionally, the investigator will also want to collect the following:
- Handles used by each process (handle.exe)
- Modules (DLLs) used by each process (listdlls.exe)

Process Memory
- using pmdump.exe from http://www.ntsecurity.nu/toolbox/pmdump/ you can extract what's in memory for a given PID
- dd from http://users.erols.com/gmgarner/forensics/ will slice out the entire physical memory contents
- c:\>dd if=\\.\physicalmemory of=c:\win2k-physmem.dd bs=4096

Network Stat & Connections
- promiscdetect from http://www.ntsecurity.nu/toolbox/promiscdetect/ will find interfaces in promiscuous mode, locally
- netstat may list 0.0.0.0 connections, which result from apps binding to the INADDR_ANY constant
- on XP or newer, netstat -ano; the -o option lists the PID
- nbtstat -s lists current netbios over tcpip sessions
- fport from http://www.foundstone.com/resources/freetools.htm will map ports to the full path of the owning process
- net use lists out all shares currently mapped
- net share lists out all resources shared out on the system
- net session lists active SMB sessions made to the system over the network
- net file lists out any files in use by an active net session

Clipboard Info
- pclip.exe from http://unxutils.sourceforge.net/ will dump clipboard info to STDOUT

Command History
- C:\>doskey /history will show command line history

Services & Drivers
- net start will list all services running but not device drivers
- sc.exe from the resource kit and native on XP or newer
- drivers.exe from the resource kit and driverquery on XP or newer provide a lot of driver related info

GPO Settings
- can be used to determine how a system was compromised if settings were changed
- GPList from http://www.ntsecurity.nu/toolbox/gplist/ shows GPOs applied on a system
- GPResult.exe from the Resource kit shows settings of the current user only

Protected Storage
- pstoreview.exe from http://www.ntsecurity.nu/toolbox/pstoreview/ can reveal user info in PS

MAC Information
- dir with /tw, /ta, /tc will give specific MAC time information
- macmatch found here http://www.ntsecurity.nu/toolbox/macmatch/ will search a given time period

File Permissions
- cacls, native to windows, will show permissions of any given file

File Integrity
- md5deep from http://md5deep.sourceforge.net/ will calculate md5 hashes for you

Recycle Bin Analysis
- Rifiuti from http://www.foundstone.com/resources/forensics.htm will parse the INFO2 file

Registry Analysis
- reg.exe from the resource kit will pull out any keys from the registry that you're looking for from the cmd line
- HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run is most popular for malware
- keytime.pl from the book will show last write times for any given registry key

User Accounts
- most often compromised machines contain a new account(s) created by the hacker that needs to be analyzed
- last logon, time created, # of logins, and permissions will all be useful information

Event Logs
- Auditpol.exe from the RK can be used to verify the level of logging set on the system
- dumpel.exe from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp will grab all event log data
- D:\>psloglist -s -x system , from http://www.sysinternals.com/Utilities/PsLogList.html can be used remotely

File Analysis
- strings from http://www.sysinternals.com/Utilities/Strings.html will retrieve ascii/unicode from hex
- bintext from http://www.foundstone.com/resources/proddesc/bintext.htm is a gui w/ a good filter
- ms has a dll lookup online http://support.microsoft.com/dllhelp/
- dependencywalker from http://www.dependencywalker.com/ has a gui to show all file dependencies
- WordLeaker will rip out word metadata, along with revision history, available at http://www.elligre.tk/madelman/madelman/index.php/archivos/2005/02/23/wordleaker-extracting-info-from-word-files/
- fdte from http://www.digital-detective.co.uk/freetools/fdte.asp will grab hidden dates & times from a binary
- you can view pdf metadata by using Adobe Reader, FILE | Document Properties

CA Identity Theft Law (SB 1386)
- affects all companies doing business in CA
- http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Know What To Look For
- The goal of any incident investigation should be to determine whether an incident occurred, and if so, how it was able to occur (RCA)

Infection Vectors
- common vectors: email, p2p, IM, web browser, OS/application buffer overflows, default/weak passwords

Malware Footprints
- often leave new files and directories
- added to startup C:\Documents and Settings\<user>\Start Menu\Programs\Startup
- added to run in the registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- afind (foundstone) or macmatch (ntsecurity) can be used to find recently modified/created files/dirs
- can be a scheduled task (at cmd) that creates a job in C:\WINNT\Tasks
- example (2K) c:\>at 11:00pm /every:5,10 cmd /c "sol.exe"
- example (XP) c:\>schtasks /create /tn Solitaire2 /tr sol.exe /sc onlogon
- often malware changes how the system handles .exe files, HKEY_CLASSES_ROOT\exefile\shell\open\command
- original value "%1" %*; other extensions modified are .bat, .com, or .txt
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can also be modified; Shell should be set to "Explorer.exe"
- abnormal processes; in particular svchost.exe is often mimicked (scvhost or svchosts) or duplicated
- malware can often be set up as a windows service, using srvany.exe (resource kit) http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q137/8/90.asp&NoWebContent=1&NoWebContent=1
- example C:\>path\instsrv.exe <Service Name> path\srvany.exe; by editing the following registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name> you can run any app or executable

Rootkits
- popular Windows RK site is Greg Hoglund's site http://www.rootkit.com
- a user-mode rootkit simply replaces files with trojaned versions or uses DLL injection to overwrite them while in memory
- a kernel-mode rootkit overrides the TCB and hooks into all system calls
- a good way to remove one is to boot into Safe Mode and remove the entries in the Run key and the actual files themselves

Forensics Server Project (POC for automated system info collection)
- http://www.windows-ir.com/fsp.html, runs on windows/linux, requires perl (requires Win32::GUI, Digest::MD5, and Digest::SHA1; use c:\perl>ppm install <module>), can run on any port (default 7070)
- setup of the First Responders Utility (FRU) requires Win32::GUI, Win32::Lanman, Win32::Perms, Win32::API::Prototype, Win32::TaskScheduler, Win32::DriveInfo, Win32::IPConfig. Requires a CD burner and you must also download the following 3rd party utilities: cmd.exe (clean), (sysInternals psloggedon, pslist, psloglist, psinfo, listdlls, handle), tlist from MS Debugging Tools, (DiamondCS cmdline, iplist, openports), (FoundStone rifiuti), (NTSecurity.nu promiscdetect) and reg and auditpol from MS.
- FRU also requires the following perl scripts: getos.pl, pclip.pl, e_cmd.pl, service.pl, getsys.pl, tasks.pl, regdump.pl, mdmchk.pl, shares.pl, dt.pl, and ip.pl
- the clean cmd.exe should be placed in the root directory of the CD-rom
- The File Client Component (fcli.pl) should be installed as a part of the FSP; it allows suspect files to be copied off

Scanners
- netcat can be used as a port scanner; D:\tools>nc -v -w 2 -z 10.1.1.15 <port range> ; will display open ports in the given range.
- Adding an echo and dropping the -z will grab banners; D:\tools>echo QUIT | nc -v -w 2 10.1.1.15 0-1024
- portqry is microsoft's version; http://support.microsoft.com/?kbid=310099

Sniffers
- netmon is built in by microsoft; http://support.microsoft.com/kb/148942/EN-US/ ; can also be run remotely via SMS
- windump is another w32 tcpdump; http://www.winpcap.org/windump/docs/manual.htm
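Added example for the File Signatures section above (this is not a tool from the notes): it reads the first 20 bytes of each file and compares the detected header with the extension, which is the mismatch the notes tell you to look for. The signature table is a small constructed subset of the headersig.txt list linked above, the extension map is the example's own, and the sample files are constructed in a temporary directory.

```python
"""Flag files whose content signature disagrees with their extension."""
import os
import tempfile

# Magic bytes at offset 0 -> short type name (constructed subset of headersig.txt).
SIGNATURES = [
    (b"MZ", "exe"),                                  # DOS/PE executables, DLLs, SYS
    (b"PK\x03\x04", "zip"),                          # ZIP (also docx/xlsx/jar)
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # OLE2: .doc/.xls/.ppt
    (b"{\\rtf", "rtf"),
]

# Which signature types are legitimate behind a given extension (example's own map).
EXPECTED = {
    ".exe": {"exe"}, ".dll": {"exe"}, ".sys": {"exe"}, ".scr": {"exe"},
    ".zip": {"zip"}, ".jar": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".pdf": {"pdf"}, ".png": {"png"}, ".gif": {"gif"},
    ".jpg": {"jpg"}, ".jpeg": {"jpg"},
    ".doc": {"ole"}, ".xls": {"ole"}, ".ppt": {"ole"}, ".rtf": {"rtf"},
}

HEADER_LEN = 20  # the notes place the signature in the first 20 bytes


def identify(header):
    """Return the type name whose magic bytes prefix `header`, or None if unknown."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def check_file(path):
    """Read the header and decide whether it is consistent with the extension."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    ext = os.path.splitext(path)[1].lower()
    detected = identify(header)
    expected = EXPECTED.get(ext)
    if expected is None:
        # Extension promises no binary format (.txt, .log, none): any known
        # binary signature behind it deserves a look.
        mismatch = detected is not None
    else:
        # Extension promises a format: header must be one of the accepted types.
        mismatch = detected not in expected
    return {"path": path, "ext": ext, "detected": detected, "mismatch": mismatch}


def scan(paths):
    """Return check_file() records only for files whose header and extension disagree."""
    return [rec for rec in map(check_file, paths) if rec["mismatch"]]


def demo():
    """Constructed sample files (not from a real system); returns flagged basenames."""
    samples = {
        "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE hiding as text
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",             # consistent
        "image.jpg": b"MZ\x90\x00" + b"\x00" * 60,                  # executable renamed to .jpg
        "readme.txt": b"plain text, nothing to see\r\n",            # consistent
        "broken.exe": b"not really a program\r\n",                  # .exe without MZ header
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        return sorted(os.path.basename(rec["path"]) for rec in scan(paths))


if __name__ == "__main__":
    for name in demo():
        print("signature/extension mismatch:", name)
```

Run it over a directory listing from the suspect system (for example the output of dir /s /b) by feeding the paths to scan(); a hit is a lead for the strings and dependency-walker steps in the File Analysis section, not a verdict on its own.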
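Added example for the Network Stat & Connections section (not from the notes): a parser for netstat -ano output that groups listening sockets by the PID the -o option supplies and separates sockets bound to INADDR_ANY (0.0.0.0, reachable on every interface) from loopback or single-interface binds. The netstat text and the baseline port set are constructed for the example; on a live system you would capture the real output and then map each PID to its image path with tasklist or fport as the notes describe.

```python
"""Parse `netstat -ano` output and pick out listeners worth a closer look."""

# Constructed sample output in the layout netstat -ano prints on XP and later.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1724
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1052
  TCP    10.1.1.15:139          0.0.0.0:0              LISTENING       4
  TCP    10.1.1.15:3389         10.1.1.200:49211       ESTABLISHED     1316
  UDP    0.0.0.0:500            *:*                                    688
  UDP    127.0.0.1:1900         *:*                                    1100
"""

# Constructed baseline: ports the analyst has already accounted for on this host.
KNOWN_PORTS = {135, 139, 445, 500, 1025, 1900, 3389}

WILDCARD_ADDRS = ("0.0.0.0", "::")  # INADDR_ANY / in6addr_any


def parse_netstat_ano(text):
    """Turn netstat -ano lines into dicts; UDP rows have no State column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        ip, port = local.rsplit(":", 1)  # rsplit keeps IPv6 "[::]:135" intact
        records.append({
            "proto": proto, "local_ip": ip.strip("[]"), "local_port": int(port),
            "foreign": foreign, "state": state, "pid": int(pid),
        })
    return records


def listening_sockets(records):
    """TCP sockets in LISTENING plus every bound UDP socket."""
    return [r for r in records if r["proto"] == "UDP" or r["state"] == "LISTENING"]


def wildcard_listeners(records):
    """(proto, port, pid) for sockets bound to INADDR_ANY: exposed on all interfaces."""
    return sorted((r["proto"], r["local_port"], r["pid"])
                  for r in listening_sockets(records)
                  if r["local_ip"] in WILDCARD_ADDRS)


def listeners_by_pid(records):
    """PID -> list of (proto, local ip, port), the view you cross-check against tasklist."""
    out = {}
    for r in listening_sockets(records):
        out.setdefault(r["pid"], []).append((r["proto"], r["local_ip"], r["local_port"]))
    return out


def unexpected_listeners(records, known_ports):
    """Listeners on ports outside the analyst's baseline."""
    return sorted((r["proto"], r["local_port"], r["pid"])
                  for r in listening_sockets(records)
                  if r["local_port"] not in known_ports)


if __name__ == "__main__":
    recs = parse_netstat_ano(NETSTAT_SAMPLE)
    for proto, port, pid in unexpected_listeners(recs, KNOWN_PORTS):
        print(f"unexpected {proto} listener on {port} owned by PID {pid}")
    for pid, socks in sorted(listeners_by_pid(recs).items()):
        print(pid, socks)
```

The PID is the join key: the notes' tlist, listdlls and fport steps give you the image path and command line for each PID that appears here, and a listener on an unexpected wildcard port owned by a process outside the system tree is exactly the kind of thing the Process Info Guidelines are meant to surface.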
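Added example for the Malware Footprints section (not from the notes): the checks the notes list, written as code. It compares the exefile open command with the original "%1" %*, checks that the Winlogon Shell value is Explorer.exe, reviews Run key entries, and looks for svchost.exe lookalikes (scvhost, svchosts) or copies running from outside system32. The registry snapshot and process list are constructed dictionaries; on a live Windows host you would fill them from reg.exe or winreg and from tasklist or tlist. The trusted-path prefixes and the edit-distance threshold are the example's own heuristics.

```python
"""Check a registry/process snapshot for the footprints the notes describe."""

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WINLOGON_SHELL_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

EXPECTED_EXEFILE_COMMAND = '"%1" %*'   # original value per the notes
EXPECTED_SHELL = "Explorer.exe"
GENUINE_SVCHOST = "svchost.exe"
SYSTEM32 = r"c:\windows\system32\"
# Heuristic (example's own): Run entries launching from these roots are not flagged.
TRUSTED_PREFIXES = (r"c:\windows\", r"c:\program files\")

# Constructed snapshot of a compromised host; not data from a real system.
SAMPLE_REGISTRY = {
    EXEFILE_KEY: r'"C:\WINDOWS\Temp\wrap.exe" "%1" %*',
    WINLOGON_SHELL_KEY: "Explorer.exe, sol.exe",
    RUN_KEY: {
        "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
        "Solitaire2": r"C:\Documents and Settings\bob\Local Settings\Temp\sol.exe",
    },
}
# Constructed (image name, full path) pairs as tlist/tasklist would report them.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
    ("svchosts.exe", r"C:\WINDOWS\Temp\svchosts.exe"),
    ("svchost.exe", r"C:\Documents and Settings\bob\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]


def levenshtein(a, b):
    """Edit distance; small distances to svchost.exe catch typo-squatted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_footprints(registry, processes):
    """Return (category, detail) findings for the checks in the Malware Footprints notes."""
    findings = []

    # 1. .exe handler: anything other than "%1" %* runs a wrapper before every program.
    cmd = registry.get(EXEFILE_KEY, "")
    if " ".join(cmd.split()).lower() != EXPECTED_EXEFILE_COMMAND.lower():
        findings.append(("exefile", cmd))

    # 2. Winlogon Shell should be exactly Explorer.exe; extra entries start at logon.
    shell = registry.get(WINLOGON_SHELL_KEY, "")
    if shell.strip().lower() != EXPECTED_SHELL.lower():
        findings.append(("winlogon_shell", shell))

    # 3. Run key: report entries launched from outside the trusted roots.
    for name, target in registry.get(RUN_KEY, {}).items():
        if not target.strip('"').lower().startswith(TRUSTED_PREFIXES):
            findings.append(("run_key", f"{name} -> {target}"))

    # 4. svchost mimicry (near-miss names) and duplication (wrong directory).
    for name, path in processes:
        lname = name.lower()
        if lname != GENUINE_SVCHOST and levenshtein(lname, GENUINE_SVCHOST) <= 2:
            findings.append(("svchost_lookalike", path))
        elif lname == GENUINE_SVCHOST and not path.lower().startswith(SYSTEM32):
            findings.append(("svchost_path", path))
    return findings


if __name__ == "__main__":
    for category, detail in check_footprints(SAMPLE_REGISTRY, SAMPLE_PROCESSES):
        print(f"{category:18} {detail}")
```

Each finding points back at a remediation step already in the notes: ftype exefile="%1" %* restores the handler, the Shell value and Run entries are cleaned from Safe Mode as the Rootkits section suggests, and a lookalike process name is the cue to pull its command line and DLL list with listdlls and handle before touching it.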