Slashdot Mirror
Windows Forensic Analysis
Don Wolf writes "Computer forensics is a rapidly growing discipline and an even faster growing business. Whether it's the natural progression of technological science pertaining to crime or perhaps the digression of a few elite information security professionals, computer forensics is every so slowly gaining credibility in the otherwise PhD dominated field of criminal science. Computer evidence continues to be showcased in some of the most high-profile and controversial court cases in history, from the murder case of Lasie Peterson to the multi-billion dollar Enron scandal. Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice." Keep reading for the rest of Don's review.
Windows Forensic Analysis DVD Toolkit
author
Harlan Carvey
pages
416
publisher
Syngress
rating
9
reviewer
Don Wolf
ISBN
9781597491563
summary
Incident Response and Cybercrime Investigation Secrets
While on the road to computer forensic enlightenment I realized early on that many parallels existed between computer forensics and incident response. A number of great authors have published books on incident response, one of which is a gentleman by the name of Harlan Carvey. So when a friendly but cleverly personalized bookstore email rolled in with Harlan's newest book showcased, I thought it might be worthwhile to see what he's been up to.
The book titled "Windows Forensic Analysis", takes a hands-on and in-depth approach to forensic discovery of Windows systems. Some may scoff at the mere suggestion that a point-and-click operating system necessitates the granular analysis of forensics, but make no mistake, beyond Windows' simplicity are numerous complex elements, sometimes cryptic, and many undocumented.
Always looking for a tip here and there, I found more Windows forensics tips here than I have anywhere else. While I've read only about half-a-dozen books on operating system forensics, this one stands out because the material is clearly drawn from the author's experience which, in my opinion, lends real credibility to the book. Granted, technical books are always reviewed for accuracy and truthfulness, but this one carries its own weight with the sheer amount of tips and real-life sidebars. No hash tables, no unnecessary screen dumps, and certainly no reprinted Microsoft documentation. The author does a great job on footnoting and includes plenty of links to additional information. Additionally, there are sections dedicated for FAQ's, as well as "tools and traps".
Having read the book through, I can tell you it flows well from chapter to chapter and continues to draw you in, somewhat unusual for a technical reference — when was the last time you were drawn into a textbook? I'm not sure how one decides to organize the chapters, but I suspect it was not a random decision. Looking back I can see that there is a logical order to the chapter sequence, perhaps suggesting an order in which to forensically process a Windows computer. The book starts with 'live' response, followed by memory analysis, registry analysis, file analysis, and finally rootkit detection — analysis in order of volatility I suppose.
I've heard a lot of praise regarding this books chapter on registry analysis, some claiming it to be worth the price of the book alone. Don't be mislead to believe that it is the crux or single focus of the book, it's not. In my opinion the reason the chapter stands out is because most forensics analysts I've met aren't particularly strong in the area of registry analysis and therefore may find the chapter a revelation. It's true, the chapter is strong and offers exceptional insight, however, I found the book to be almost equally weighted chapter by chapter.
I personally found the chapter regarding memory analysis to be a stand-out. RAM has the potential to store a ton of evidence, however, it's always been viewed as extremely volatile. Not only is it likely to be flushed with a power-cycle, but it's also susceptible to be purged simply through the normal actions of a computer user, or in our case, forensic analysts. I was happy to see a good section on the pros and cons of dumping the many different areas of physical memory. The author proves that there is life after a reboot and demonstrates how to recover at least partial RAM contents from various areas.
Overall there is plenty of theory, plenty of technique, and plenty of command-line examples. On the subject of command-line examples, the author provides a great collection of scripts and examples on the accompanying DVD. The examples all appear to work as describe, a rarity given the many possible computer configurations, just the same the author is thoughtful enough to point out possible exceptions and explanations when there is an opportunity for a particular command or technique to fail.
If I can quote a comment made by one of my associates, he said "The book provided more than just tips and techniques, it provides food for thought and helps one develop their own personal approach to Windows forensics". I totally agree. Furthermore, I found that while I learned a few new things, I also finished the book with lots of questions in mind. Is that a shortcoming of the book? No. Based on the detailed coverage of the book, I was able to identify my own shortcomings and areas I need to explore further. If you want to pursue Windows forensics and already have a good understanding of the principals and ethics of computer forensics, I highly suggest starting with this book.
You can purchase Windows Forensic Analysis DVD Toolkit from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The book titled "Windows Forensic Analysis", takes a hands-on and in-depth approach to forensic discovery of Windows systems. Some may scoff at the mere suggestion that a point-and-click operating system necessitates the granular analysis of forensics, but make no mistake, beyond Windows' simplicity are numerous complex elements, sometimes cryptic, and many undocumented.
Always looking for a tip here and there, I found more Windows forensics tips here than I have anywhere else. While I've read only about half-a-dozen books on operating system forensics, this one stands out because the material is clearly drawn from the author's experience which, in my opinion, lends real credibility to the book. Granted, technical books are always reviewed for accuracy and truthfulness, but this one carries its own weight with the sheer amount of tips and real-life sidebars. No hash tables, no unnecessary screen dumps, and certainly no reprinted Microsoft documentation. The author does a great job on footnoting and includes plenty of links to additional information. Additionally, there are sections dedicated for FAQ's, as well as "tools and traps".
Having read the book through, I can tell you it flows well from chapter to chapter and continues to draw you in, somewhat unusual for a technical reference — when was the last time you were drawn into a textbook? I'm not sure how one decides to organize the chapters, but I suspect it was not a random decision. Looking back I can see that there is a logical order to the chapter sequence, perhaps suggesting an order in which to forensically process a Windows computer. The book starts with 'live' response, followed by memory analysis, registry analysis, file analysis, and finally rootkit detection — analysis in order of volatility I suppose.
I've heard a lot of praise regarding this books chapter on registry analysis, some claiming it to be worth the price of the book alone. Don't be mislead to believe that it is the crux or single focus of the book, it's not. In my opinion the reason the chapter stands out is because most forensics analysts I've met aren't particularly strong in the area of registry analysis and therefore may find the chapter a revelation. It's true, the chapter is strong and offers exceptional insight, however, I found the book to be almost equally weighted chapter by chapter.
I personally found the chapter regarding memory analysis to be a stand-out. RAM has the potential to store a ton of evidence, however, it's always been viewed as extremely volatile. Not only is it likely to be flushed with a power-cycle, but it's also susceptible to be purged simply through the normal actions of a computer user, or in our case, forensic analysts. I was happy to see a good section on the pros and cons of dumping the many different areas of physical memory. The author proves that there is life after a reboot and demonstrates how to recover at least partial RAM contents from various areas.
Overall there is plenty of theory, plenty of technique, and plenty of command-line examples. On the subject of command-line examples, the author provides a great collection of scripts and examples on the accompanying DVD. The examples all appear to work as describe, a rarity given the many possible computer configurations, just the same the author is thoughtful enough to point out possible exceptions and explanations when there is an opportunity for a particular command or technique to fail.
If I can quote a comment made by one of my associates, he said "The book provided more than just tips and techniques, it provides food for thought and helps one develop their own personal approach to Windows forensics". I totally agree. Furthermore, I found that while I learned a few new things, I also finished the book with lots of questions in mind. Is that a shortcoming of the book? No. Based on the detailed coverage of the book, I was able to identify my own shortcomings and areas I need to explore further. If you want to pursue Windows forensics and already have a good understanding of the principals and ethics of computer forensics, I highly suggest starting with this book.
You can purchase Windows Forensic Analysis DVD Toolkit from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I stumbled across this guide to deconstructing a C++ exception.
http://blogs.msdn.com/slavao/archive/2005/01/30/363428.aspx
Lots of this is applicable to any platform, not just Windows.
However I did have a friend who ended up working for the feds 'Internet Crimes Division'. I.E. Child Porn. There are a lot of neat tools out this, write blockers and whatnot.
:)
However, what I am really writing to say is that people used to ask him what he did for a living, and he'd respond:
"Oh, I'm in the child porn business."
Guys who are in that line of work tend to have rather dark senses of humor
..getting certified in your local area? Texas, for example, requires you have a P.I. license for computer forensic work, but online resources on how to actually GET one are mighty scarce...
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
If you look at all the requirements to getting a P.I. license in Texas, you can't help but come to the conclusion that a very powerful law enforcement political lobby has over the years carefully and craftily influenced and "engineered" the legislation in such a way that there seems to be overt intent that the whole P.I. industry to be owned, operated, and staffed by former or retired cops, to the exclusion of everyone else. The laws don't explicitly prohibit someone coming from a non-former-law-enforcement career from getting their P.I. license, but the barriers to entry in the field are structured such that it is almost totally impractical for someone who's not an ex-cop to actually achieve getting their license.
In other words, the whole P.I. industry has been hijacked in order to make it become a protected, lucrative, cushy-job, 2nd-career market for retired cops to get rich, and the "good ol' boy" network now keeps it that way.
That class, which was a 400 level State University class taught me every registry key and every hiding place Windows uses to record everything the user does. Its scary.
Hiding place?
Windows has to store the result of all your pointing and clicking and radio button selection somewhere. How do you expect the back button in Windows Explorer to work, for example, if your last visited directory wasn't recorded somewhere?
The only scary part in all this is the registry itself. Almost as bad is that if you don't have an intimate understanding of the registry, you most certainly don't understand Windows, both from an architectural perspective, and from a day to day operational one as well. And, unsurprisingly, most (sysadmins included) don't understand the registry.
Just a couple weeks ago I was a juror in a child pornography case, I was in the unique position of being the only geek on the jury in this case that was all about computer evidence.
The case was simple, the defendant had been caught by his wife viewing the explicit material, the wife took the computer tower to the police along with several floppy disks (this was 6 years ago). The defendant had deleted all the materials, but the forensics expert found the recently viewed material still on the hard drive.
The computer forensics expert detailed how he recovered the material, by imaging the hard drive and recovering the access dates. The floppies also contained some explicit materials, again which were deleted but then recovered, apparently it was impossible to recover the access dates on the floppy files, the forensic expert testified that some of the dates were in fact accurate, and some not, when from my brief overview, it was obvious that most of the dates were innacurate, so basically the forensics expert screwed up and didn't know what he was talking about in regards to the dates recovered from the floppy.
The interesting part of the case was that the defendent was charged with 53 counts of "sexual exploitation of children, possession" (having child porn) and 2 counts of "sexual exploitation of children, creating, making, or preparing". Those last 2 counts were charged because the defendant copied the pictures onto a floppy disk, not because he filmed it or put it on a website, he was making a backup of the files. I'm relieved to say that the jury agreed that making a backup of the files is not the same as "creating, making, or preparing", but we did find the guy guilty for possession.
For anyone thinking about getting into this field, you're likely to have to view a lot of really f*ing disgusting photos, then look at them closely and document everything about those photos. You really are going to need a good stomach for viewing that stuff, I know I probably couldn't do it because just seeing the photos submitted as evidence was enough to almost make me sick, I couldn't imagine having that guys job and have to be exposed to those things all the time.
Physical memory analysis is an up and coming challenge for many law enforcement agencies. How can you guarantee that a suspect's computer was not infected by some bad memory-only malware? Current tools only address the hard drive and what it contains. There has been a lot of research into physical memory analysis over the past few years:
Rootkit.com: has been researching physical memory for years http://www.rootkit.com/newsread.php?newsid=130, but in a slightly different context (hiding vs finding).
BlackHat Talks:
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf
http://www.blackhat.com/presentations/bh-usa-07/Butler_and_Kendall/Presentation/bh-usa-07-butler_and_kendall.pdf
Papers: http://www.stormingmedia.us/50/5037/A503754.html
FatKit: http://www.4tphi.net/fatkit/
Contests: The Digital Forensics Research Workshop is running a Challenge to see who can create the best linux physical memory analysis tool: http://dfrws.org/2008/challenge/index.shtml
Now the commercial world is entering the fray: http://www.hbgary.com/hbgary_responder_datasheet.pdf
I'm looking forward to using some tools that don't require me to keep a notebook of esoteric command lines and a usb key full of dependencies. Not to mention some report friendly output. Should be a good year!
That baseball might be a good clue, let's investigate that first.
Patient Info:
CPU: Dual AMD dual core Opteron 276 processors.
Sound Card: SoundBlaster Audigy II
Video Card: ATI Radeon 8800 GT
Memory: 4 GB PC 2700 ECC-Registered.
Hard Disk: 2x 500GB, 1x 200GB
Power Supply: 550W
Notes: Prior to death, subject complained of memory loss, cognitive difficulty after recovering from sleep mode, frequent lock-ups, severe lethargy after sleeping, confusion and sluggishnes when completing complex tasks. Previous medical history notes several near-fatal seizures, necessitating the "re-learning" of basic functions on several different occasions. Cause of seizures is as yet sill unknown, as episodes appeared to happen seemingly at random, usually during inopportune moments. Previous physician notes that resuscitation of the patient was long and time consuming. Resuscitation was further complicated by the fact that the patient was revied in a "hypnotized" state, refusing tto cooperated with medicall staff unless the correct 16-digit alphanumeric "key" was spoken to them, with the key changing after each resuscitation.
Previous Treatments Administered By Last Attending Physician:
Prescribed one (1) copy of Linux, but patient refused.
Time Of Death: 0832, 0901, 1055, 1129, 1344, 1508
Method Of Death: Fatal Error
Cause Of Death: Windows
Precedures performed in determining occurence of death:
Subject was BSOD on arrival
Unresponsive to verbal stimuli: (shouting, cursing)
Unresponsive to Sensory stimuli: (hitting, smacking with keyboard)
Additional Notes / Instructions:
As Coroner, it is recommended that the law enforcement agencies involved with the death of the subject investigate Mr. William Henry Gates III, and Steven Anthony Ballmer. Both subjects have known employment at Microsoft Corp. It has been determined by the Office Of The Coroner that a product known colloquially as "Windows", which was/is compiled, manufactured, and sold by Microsoft, while under the direct supervision and control of Mr. Gates and Mr. Ballmer, despite widespread reports of patients expiring from complications and/or adverse reactions after ingesting "Windows".
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
How hard is it to slipstream a Knoppix CD with truecrypt and all of your codecs, open the case of your laptop and disconnect the hard drive (just in case), pull the battery out of your laptop so you can just pull the plug and have instant off, find a hotspot to download your porn at, boot up on the Knoppix CD, create an encrypted truecrypt volume in RAM to download your child porn directly into, download the porn, dismount the truecrypt volume, insert a USB flash drive to copy the truecrypt volume to, then just hit the power button?
Now you have covered your bases and have no record of the password anywhere, not even mistakenly written to a swap file, and if you want to view your porn, you just boot up on the live CD again and copy the truecrypt volume from the flash drive into RAM, disconnect the flash drive (again, just in case), view your porn all completely in RAM and when you're done, just pull the plug and poof, all evidence gone.
I don't understand why people can't just take simple precautions.
The soylentnews experiment has been a dismal failure.
There are cases where the use of MD5, which is considered broken quite thoroughly, will get the case thrown out of court. See Bruce Schneier's blog entry about the MD5 defense. Time to upgrade your hash algorithm. Some smart lawyers are able to use the fact that MD5 is broken to make a judge believe that the evidence could have been doctored to produce an MD5 collision with planted evidence.