Slashdot Mirror
Windows Forensics and Incident Recovery
The intended audience, according to the author, is "anyone with an interest in Windows security, which includes Windows system and security administrators, consultants, incident response team members, students and even home users." The author assumes the reader is familiar with basic networking (including TCP/IP) and has some Windows administration skills. Some programming ability, though not actually required, will help out greatly with reading and understanding the many examples provided, and will let you make your own modifications (this is encouraged by the author throughout the book).
The chapter on data hiding was a real eye-opener -- it's amazing the things Microsoft has implemented as part of the operating system (and included applications) that can be used to hide things. Discovering the hidden information is talked about, as well how it is hidden. Sample topics include file attributes, alternate data streams, OLE and stenography. This is an excellent chapter with many examples; I found myself stopping after each subject to try out each of the discussed techniques.
The next chapter delves into incident preparation. Carvey addresses some of the things that administrators can do to harden their systems. He goes over the application of security policies in general, as well as intelligent assignment of file permissions. He then covers Windows File Protection and how it is implemented, and includes a perl script to implement your own file watcher. He touches briefly on patch management and anti-virus programs, then moves into monitoring. He provides quite a few scripts, and discusses other means by which you can monitor your system.
The next chapter describes tools that can be used in incident response. This chapter has quite a lot of information and took me the longest to get through, because of all the tools mentioned that I had to download and check while I was reading the book. Carvey uses a mixture of his own perl scripts and programs that can be downloaded from places like Sysinternals, Foundstone, DiamondCS and others. All of the tools used are open source (or are at least freely available). That equips the reader with a low-cost toolkit, especially important to the home user or small business owner who cannot afford to buy the commercial equivalent. Carvey does acknowledge, though, that there are quite a few commercial tools with great functionality out there.
The first part of the incident-response tools chapter deals with the collection of volatile information (processes, services, etc.); this is a vital part of live analysis. The second part deals with the collection of non-volatile information (the content of the Windows registry, file MAC times and hashes, etc.) and tools for analyzing files. Carvey also shows how some of the tools complement each other, and that there is not one almighty tool that will find all the data you need. (This is also proven by example in a later chapter when he talks about rootkits.)
The next chapter deals with developing a security methodology, and it's handled differently than in most books: the author presents the material as a series of dreams that a Windows system administrator has, showing how an individual can come up with and fine tune a methodology as incidents happen. Carvey has used this approach before in a series of articles entitled "No Stone Unturned" for SecurityFocus.com, and the creative approach appeals to me. As he moves from dream to dream, you can relate to the admin's circumstances (and mistakes), and how be and becomes better at responding to different incidents.
The next chapter talks about what to usefully look for with the tools the book has introduced. It discusses infection vectors, types of malware and rootkits, and demonstrates tools and techniques for detecting them. This is where the author makes a clear point of why you would need to run several different tools, even if some overlap. His example uses an installed rootkit; running a particular program from a previous chapter, he shows that it fails to find that anything untoward is running -- it takes another program from the same chapter to actually reveal the rootkit's presence. By cross referencing the output for both programs, you can see why you should run more then one type of analysis tool for certain areas to make sure you are not missing anything.
Finally, the author dedicates an entire chapter to his own Forensic Server Project, a two-pronged approach to live forensic analysis which uses two machines simultaneously. The first piece, the Forensic Server Module, is the listener software; this runs on a clean PC where the data will be sent from the compromised system. The other piece, called the First Responder Utility, runs several of the programs and scripts from the incident tools chapter on the compromised system . After installing everything needed for both parts of this system, I followed the author's instructions on how to run it. What a slick tool! I ran it from a couple of PCs on my home network and was able to get a lot of the information that was described in the book as well as hash values for each log file that was produced, and a general log of everything the First Responder Unit did. The whole principle of this is that when you have an incident there will be very little interaction with the compromised system, since everything is scripted to begin with.
The framework that this software constitutes is very flexible. I was able to add two new features to the Forensic Server Module and the First Responder Utility with very little code. The first addition I made was to mark all the logs as read-only on the file system after they were written from the Forensic Server module. The next addition I made was to add a perl script to scan the c:\ drive of the PC that the First Responder Utility was running on. After I made both additions, I tested everything out, and it worked great. I had my extra log files and they were all read-only. My hat goes off to the author for coming up with and including this in the book, a really nice piece of software.
You can purchase Windows Forensics and Incident Recovery from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
Fuck you, spammer.
From article:
" Sample topics include file attributes, alternate data streams, OLE and stenography"
Should that be Steganography?
I'm willing to bet that he doesn't have a hardware drive copier that supports SATA. And his software doesn't recognize reiser4 or xfs.
I'm willing to bet you're wrong. A SATA-PATA converter is 20 bucks, if thats what it takes. And even if you don't recreate the files, you can still search bit for bit for tags like "JFIF" which denote the start of a jpeg file, and then just grab the data to see what the jpeg file is of.
Believe me, linux is not beyond the long arm of the law. When the FBI raids the big warez sites, do you think those are all windows machines? They manage to get convictions.
I don't need no instructions to know how to rock!!!!
i'm sure most police forensics people have a copy of dd and netcat :)
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
If you're going to repost other people's posts, at least preserve the formatting, you lazy turd.
1) This is no "one" tool accepted in court, many tools are accepted and it is almost always the competency of the examiner and only rarely is the tool that is ever called into question. Companies like Guidance Software (makers of Encase) would like you to think that way...
2) Most dedicated computer forensic tools, especially those for examining hard drive images, can work with any filesystem from FAT12 to xfs on a RAID 5 set. Again, the burden falls on the examiner to know the proper tools/methods for examining these file structures.
3) SATA drives can be copied with any dedicated hardware copier (such as Logicube's MD5 or Solitaire), but dd combined with an SATA interface will work just fine. Any memory image (RAM, IDE, SCSI, SATA, etc.) can be imaged with just dd, even over a network.
4) "Average nerds and hackers are so far ahread of the forensics guys"...what nonsense. Computer forensic analysts are without a doubt some of the most talented people in IT period. Computer forensics is multi-discipline and analysts typically have backgrounds in engineering, programming, criminology, and languages. And why are you assuming that most computer forensics experts are in law enforcement? The best analysts are in the private sector, military, and government intelligence.
Or here if you'd rather not use an affiliate link and pay someone who didn't do anything more than type a few words into a search box.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
While that is intended no doubt to be amusing, I use a Win2K pro system to develop.
At times I have Diablo II running in a window, DevStudiodebuggins ome app. A couple of multi megabyte spreadsheets open in OpenOffice, And of course FireFox.
To ensure that the hardware is as unstable as possible, this runs on a dual P4, with a Matrox and an nVidia card, both dual head for a total of 4 displays - all with a mere 512Mb of RAM.
Ironically, FireFox is the real system resource hog.
I have to close it down every two weeks to free up some system memory. It does get restarted about once a month when my domain passwords expire - its the only damned way to ensure that some cached credentials dont lock me out of everything.
He is just spamming with his amazon account.
EnCase (which by the way supports reiserfs), iLook and SMART are perhaps the three most common drive analysis tools. Dont discount forensics guys, perhaps your local pd might not have a lot of knowledge, but the fbi, air force and several other agencies all have labs developing and deploying technology to do digital forensics, and i doubt theyre hiring idiots.
That's not entirely true.
The local Computer Investigation B. has some prety sofisticated stuff, all there software is used much the same way you described in court.
There was a case a few years back here where a guy had some files on his linux box that were incriminating. He set a script to do 10 DOD wipes. That's writing 1's and 0's 7 times over the HD, X 10.
The lab was able to 1:1 the drive, then recreate every file that was saved to the HD since the purchase date.
My friend runs this lab, he said his record is 15 reformats, and still recovered data. He recently had his first SATA case, he was able to dup the drive, and, since the guy had never reformated, and was on his first linux install, he had no problems!
Remember, the NSA can ALWAYS do it, most of the time before hackers can! They in turn hand down the info (as needed) to the FBI, CIB, and finally in the form of books, like this guy did.
It wouldn't suprise me if SATA has been cracked from day 1 release to the public. And xfs, the same.
My 2cents worth, take it for face value, it's all I got.
There are all kinds of ways to image a SATA drive. It's a non-issue. Worse comes to worst, we boot your system up in DOS and acquire it via crossover cable.
EnCase supports Reiser3. I don't know whether Reiser4 is so radically different from Reiser3 that we can't decode the filesystem currently, but I'm sure we could roll it out the door quickly if there was a large need. We've done it for our customers before.
We can't yet do XFS, but we could still recover quite a bit of data from unallocated. As others have noted, all you need to get an image is good old dd.
In many respects, savvy forensics investigators are far ahead of most criminals. Police forces band together to create high tech task forces, and they tend to have plenty of budget (e.g. they have their own clean rooms for manufacturing damaged hard drive parts). With all the ways that Windows and most applications leak information, it requires an extreme amount of discipline to avoid littering your hard drive with evidentiary artifacts.
It sounds like you do need a book.
cheers,
Jon
That is why any good investigator keeps more than one tool in his kit. Personally I have a bootable windows environment that I custom build for doing work with Windows. And for a system like yours I pop out my handy bootable Linux CD. It is based off of Gentoo and has more than enough bells and whistles to handle reiser or xfs and pretty much anything else you care. If I need something more I tweak the packages and kernel and recompile. Once you have that bit for bit copy you have all the time you need to work on it. And FYI there are many many packages that "hold water" in a court of law. I will also be giving a lecture in December at a nearby university on computer forensics. Funny how arrogant attitudes like that in most cases get you busted when you think you are smarter than those doing the looking.
I can just see the "sharing violation" and "file in use" message boxes flying everywhere.
The solution to this is to go beneath the file system. Read raw sectors from the disk and interpret FAT or NTFS yourself. You run the risk of corrupt data if a file changes while you're reading it, but it's about the only way to snag registry files and the like while the system is up and running.
AccessData FTK Imager is capable of doing just that, and it was used for this purpose in Operation Firewall. It was also used to create disk images of mounted BestCrypt virtual drives (hint to baddies: dismount your BestCrypt virtual drives before leaving your desk).
Disclaimer: I work for AccessData.
...and I'd have to say that the review was pretty thorough. I couldn't put the book down when I first got it (which would probably be true for any other self described nerd on here). Here's the link to the book's web site if you want to read anything about it. There is a sample chapter there as I'm sure there probably is on amazon or bn.com.