data:image/s3,"s3://crabby-images/68abb/68abb56c7f787cd2955a41f2e3ff1d7b7c5854f2" alt="Скачать презентацию the pc as victim reviewing an active Скачать презентацию the pc as victim reviewing an active"
cbf72328fd24b7fc25d34b74dca5dd49.ppt
- Number of slides: 83
the pc as victim
reviewing an active system
- Computers change state by:
  - User interaction
  - Process execution
  - Data transfers
  - Power cycles
what is lost when you power down
- Registers, cache contents
- Memory contents
- State of network connections
- State of running processes
- Contents of storage media
- Contents of removable and backup media
plan for live systems
Step                              | Windows 2000/NT | UNIX
Establish a new shell             | cmd.exe         | bash
Record system date and time       | date, time      | w
Who is logged on                  | loggedon        | w
Record open sockets               | netstat         |
List processes that open sockets  | fport           | lsof
List currently running processes  | pslist          | ps
List systems recently connected   | nbtstat         | netstat
Record system time                | date, time      | w
Record steps taken                | doskey          | script, vi, history
bios
- The system uses the BIOS during the boot process to identify the hard drives and storage devices that contain the OS
- Check the BIOS for:
  - Drive geometry of the evidence media
  - Boot sequence of the system
- Boot from a clean floppy with an OS
- Review the BIOS
- Geometry is different (number of cylinders is different)
- Failure to log the configuration from the BIOS means booting from the imaged disk may fail if it is not aligned on the correct cylinder boundaries
- The boot process can be altered! What does this mean?
forensic duplication tools
- All data must be imaged
- The tool should handle read errors
- No changes to the original data
- Scientific testing (validation)
- Checksum
methodology
- Safety net
  - Process of safeguarding magnetic media
  - Ensures evidence is not destroyed
  - Guarantees accuracy and integrity of data
- For a hard drive, boot from floppy (A:)
  - Virus free
  - Backup software
  - Prevent writes
  - Document the condition of the disk
creating a boot disk
- FORMAT A: /U /S
  - IO.SYS
  - MSDOS.SYS
  - COMMAND.COM
  - DRVSPACE.BIN (delete it)
- Use Diskedit to alter IO.SYS
  - Tools to find all occurrences of C:
  - 11 instances of a reference to C:
  - Change to A:
  - Use MD5
generating a host image
- Attach to the suspect system a write-protected, verified system disk with the operating system and duplication software, then reboot
- Generate an image of the suspect system disk
- Mount it on a verified system
- Advantages of this approach include:
  - Not affecting the operational environment of the suspect system, because you are examining an image of it on another system
  - Preserving the original evidence for subsequent legal proceedings
back up images
- DAT is cheapest
- Zips (removable HDs): format and verify
- CD-ROM as second-level backup
- Safeback only does a minimum of a partition
  - Physical drive is the entire drive
  - Logical drives are partitions on a physical drive (0 or 1)
  - Backing up logical drives misses the partition table
duplication
- Determine the need for duplication
- 3 approaches:
  - Image the storage medium by removing it and attaching it to the forensic station
  - Image by attaching a hard drive to the suspect computer
    - Hard drive must be scrubbed
    - Large enough to accommodate the data
  - Image the storage medium by sending the disk image over a closed network
    - Allows multiple images to be gathered at the same time
- Perform checksums on original and image
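The two requirements stated above for a duplication tool (handle read errors; checksum the original and the image), as an added Python example that is not from the slides or from any tool they name: a block-by-block imager that falls back to sector-sized reads when a block fails, zero-fills only the unreadable sectors, records their offsets for the audit file, and verifies the MD5 of the image against a re-read of the source. FaultyDevice is a constructed in-memory stand-in for a read-only raw disk; the 8 KiB of data and the bad sector are constructed for the demonstration.

```python
import hashlib
import io

SECTOR = 512   # smallest unit a drive reports as unreadable
BLOCK = 4096   # normal read size; fall back to SECTOR-sized reads on error


class FaultyDevice:
    """Constructed stand-in for a raw disk opened read-only: a byte buffer
    in which any read overlapping a listed bad sector raises OSError, as a
    drive with unreadable sectors does.  It deliberately has no write()."""

    def __init__(self, data, bad_sectors=()):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad_sectors = set(bad_sectors)

    def seek(self, offset):
        self._buf.seek(offset)

    def read(self, n):
        pos = self._buf.tell()
        touched = range(pos // SECTOR, (pos + n - 1) // SECTOR + 1)
        if any(s in self.bad_sectors for s in touched):
            raise OSError("read error at offset %d" % pos)
        return self._buf.read(n)


def read_block(dev, offset, n):
    """Read n bytes at offset.  If the whole block fails, retry one sector
    at a time so that only the unreadable sectors are zero-filled.
    Returns the data and the offsets that had to be zeroed."""
    dev.seek(offset)
    try:
        return dev.read(n), []
    except OSError:
        pass
    data, bad = bytearray(), []
    for off in range(offset, offset + n, SECTOR):
        m = min(SECTOR, offset + n - off)
        dev.seek(off)
        try:
            data += dev.read(m)
        except OSError:
            data += b"\x00" * m
            bad.append(off)
    return bytes(data), bad


def image_device(dev, out, block=BLOCK):
    """Bit-stream copy of dev into the writable file object out.  The image
    is exactly dev.size bytes long; the MD5 of everything written and the
    zero-filled offsets are returned for the audit record."""
    digest, bad_offsets, offset = hashlib.md5(), [], 0
    while offset < dev.size:
        n = min(block, dev.size - offset)
        chunk, bad = read_block(dev, offset, n)
        out.write(chunk)
        digest.update(chunk)
        bad_offsets.extend(bad)
        offset += n
    return {"bytes": offset, "bad_offsets": bad_offsets, "md5": digest.hexdigest()}


def verify_image(dev, image_bytes, image_md5):
    """Checksum the image and re-read the original with the same error
    handling; both must match the MD5 recorded during imaging."""
    if hashlib.md5(image_bytes).hexdigest() != image_md5:
        return False
    return image_device(dev, io.BytesIO())["md5"] == image_md5


def demo():
    """Image a constructed 8 KiB drive whose sector 5 (offset 2560) is
    unreadable, then verify the result."""
    original = bytes(range(256)) * 32
    dev = FaultyDevice(original, bad_sectors={5})
    out = io.BytesIO()
    report = image_device(dev, out)
    image = out.getvalue()
    return original, image, report, verify_image(dev, image, report["md5"])
```

demo() returns the original bytes, the image, the imaging report (byte count, zero-filled offsets, MD5) and the verification result; on the constructed drive only offset 2560 is zero-filled and verification passes.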
create duplicate
- Prompts for a location to create an audit file
- 4 modes of operation:
  - Backup
  - Restore
  - Verify
  - Copy (backup and restore at the same time)
hard drives
- IDE vs SCSI drives
- Terminology
  - Platters, cylinders, sectors, tracks
- Partitioning
  - Partition types (see p. 69 K&H)
- Drive letters
  - 3 absolutes: A: and B: are floppies
  - C: is the booted partition
hard drives
- Diagram: MBR, unused area, C:, unused area, D:
- Unused areas can be written to: up to 31K of data
- The Master Boot Record has a partition table that defines the number of drives
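The partition table and the geometry question raised on the BIOS slide, as an added Python example that is not from the slides: it parses the four 16-byte entries at offset 446 of a 512-byte MBR, decodes their packed CHS fields, checks whether the CHS start and end addresses are consistent with the geometry a BIOS reports (the cylinder-boundary problem that can stop an imaged disk from booting), and measures the unused gap between the MBR and the first partition that the slide says can hold data. The sample MBR, its 16-head / 63-sector geometry and the partition layout are constructed for the example.

```python
import struct

SECTOR = 512         # bytes per sector
TABLE_OFFSET = 446   # the four 16-byte partition entries start here
ENTRY_SIZE = 16


def decode_chs(raw):
    """Unpack the packed 3-byte CHS field: byte 0 = head, byte 1 = sector
    (bits 0-5) plus the two high cylinder bits (bits 6-7), byte 2 = low
    eight cylinder bits.  Sector numbers are 1-based."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used only to build the constructed sample."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def chs_to_lba(cylinder, head, sector, heads, spt):
    """Translate a CHS address to a 0-based LBA under a given geometry."""
    return (cylinder * heads + head) * spt + (sector - 1)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        e = mbr[off:off + ENTRY_SIZE]
        if e[4] == 0:                      # partition type 0: empty slot
            continue
        lba_start, sectors = struct.unpack("<II", e[8:16])
        entries.append({
            "bootable": e[0] == 0x80,
            "type": e[4],
            "chs_start": decode_chs(e[1:4]),
            "chs_end": decode_chs(e[5:8]),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def geometry_consistent(entry, heads, spt):
    """True when the entry's CHS start and end both map onto its LBA range
    under the geometry the BIOS reports.  A mismatch means the table was
    written under a different geometry, so the partition is not on the
    cylinder boundaries this BIOS expects and a boot from the image may fail."""
    c, h, s = entry["chs_start"]
    start_ok = chs_to_lba(c, h, s, heads, spt) == entry["lba_start"]
    c, h, s = entry["chs_end"]
    last_lba = entry["lba_start"] + entry["sectors"] - 1
    return start_ok and chs_to_lba(c, h, s, heads, spt) == last_lba


def unused_gap_bytes(entries):
    """Bytes between the MBR (sector 0) and the first partition: the unused
    area the slide notes can hold data (31K when partitions start at LBA 63)."""
    first = min(e["lba_start"] for e in entries)
    return (first - 1) * SECTOR


def build_sample_mbr():
    """Constructed sample: one bootable FAT16 partition laid out for a
    16-head, 63-sectors-per-track geometry, starting at LBA 63 (C/H/S 0/1/1)
    and ending on the last sector of cylinder 99."""
    heads, spt, cylinders = 16, 63, 100
    lba_start = 63
    sectors = heads * spt * cylinders - lba_start          # 100737
    entry = (bytes([0x80]) + encode_chs(0, 1, 1) + bytes([0x06])
             + encode_chs(cylinders - 1, heads - 1, spt)
             + struct.pack("<II", lba_start, sectors))
    mbr = bytearray(SECTOR)
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)
```

Checked against a 255-head geometry the same entry fails geometry_consistent, which is what an investigator sees when the BIOS geometry was not recorded before imaging.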
chain of custody
- List of people that touched or had control of the evidence
- Evidence tag
  - Consent and signature
  - Receipt and transfer
  - Description
- A list of office staff near the evidence
- State of the system when found
- Serial numbers
- Peripherals attached
- Prevent future access to seized items
avoiding technical mishaps
- Altering time and date stamps
- Terminating rogue processes
- Patching the system before investigation
- Not recording commands executed on the system
- Using tools that require a GUI
- Writing over evidence by installing software drivers
- Writing over evidence by running programs that store on the hard drive
cautions
- Never allow the suspect to touch the computer after the decision to investigate
  - Remove/restrict under subterfuge
- Remove the computer or HD to a secure area
- Beware of magnetic devices used to erase
- Be aware of burn boxes used to destroy diskettes
- Confiscate all storage media (check the keychain for a Trek)
copying your data
- A bit-stream image is the first step
  - Whole data, not just files
  - Safeback (standard for law enforcement)
  - Ghost (www.symantec.com)
  - dd (UNIX utility)
  - DISKCOPY /V
  - Snapback (www.cdp.com)
  - Byte Back (www.toolsthatwork.com)
  - www.forensics-intl.com
attrib
- R   Read-only file
- A   Archive file
- S   System file
- H   Hidden file
- /S  Processes files in all directories in the specified path
To display the attribute settings of all files in the current directory: ATTRIB
To display the attributes of a directory: ATTRIB directoryname
To display the attributes of a file: ATTRIB filename
To set or remove attributes of a file or directory: ATTRIB [+|-R] [+|-A] [+|-S] [+|-H] [directory|filename] [/S]
  + sets an attribute; - clears an attribute
To display the attributes of a file named "news86": ATTRIB news86
To assign the Read-Only attribute to the file "report.txt": ATTRIB +R report.txt
To remove the System and Hidden attributes from "record.txt": ATTRIB -S -H record.txt
To hide the directory "c:\secret": ATTRIB +H c:\secret
To hide the files (but not the directories) in the C:\ directory: ATTRIB +H c:\*.*
chkdsk
CHKDSK [path] [/F] [/V]
- path  Specifies the drive and directory to check
- /F    Fixes errors on the disk
- /V    Displays the full path and name of every file on the disk
drivparm
The DRIVPARM command can only be invoked through Config.sys. It modifies the parameters of an existing physical drive; it does not create a new logical drive. The settings specified in the DRIVPARM command override the driver definitions for any previous block device.
DRIVPARM=/D:number [/C] [/F:factor] [/H:heads] [/I] [/N] [/S:sectors] [/T:tracks]
- /D:number  Specifies the physical drive number, which can range from 0 to 255. Drive number 0 corresponds to drive A:, drive number 1 to drive B:, and so on.
How could this be used?
find
FIND [/V] [/C] [/N] [/I] "string" "filename1" "filename2" "filename..."
- /V        Displays all lines NOT containing the specified string
- /C        Displays only a count of lines containing the string. If used with /V, FIND displays a count of the lines that do not contain the specified string
- /N        Displays line numbers with the lines. If /C and /N are used together, /N is ignored
- /I        Ignores the case of characters in string. By default FIND is case sensitive and searches for an exact character match
- string    The text string to be found. String must be in inverted commas
- filename  The file(s) to be searched. If filename does not contain spaces, it does not need to be enclosed in inverted commas
find
To display all lines from the file "pencil.ad" that contain the string "Pencil Sharpener": FIND "Pencil Sharpener" pencil.ad
If the string contains quotation marks, these must be doubled: FIND "This paper is ""for discussion only."" It is not a final report." report.doc
To search the current directory for the string "PROMPT" in all .BAT files: FOR %f in (*.bat) DO FIND "PROMPT" %f
To search your hard disk to find and display the filenames on drive C that contain the string "CPU", use the pipe "|" to direct the results of a DIR command to FIND: DIR c:\ /s /b | FIND "CPU"
Remember, the default output from DIR can be upper and/or lower case depending on how a file was saved. To catch all instances of "CPU", "cpu", etc., either use the /L switch with DIR (to force lower-case output) or the /I switch with FIND (to ignore case in string).
lastdrive
Used to designate the maximum number of drives (real and virtual) recognized by the operating system. The LASTDRIVE command can only be invoked from Config.sys.
LASTDRIVE=x
LASTDRIVEHIGH=x
- x  A single letter (A to Z) representing the last valid drive that MS-DOS is to recognize (default is Z). Note: a trailing colon should not be included.
path
The PATH command is used to view or modify the Path environment variable and is synonymous with "SET PATH=".
To set a path: PATH path1[;path2...] or PATH=path1[;path2...]
To add directories to an existing Path environment variable: PATH %path%;path3[;path4...]
To clear all path settings: PATH ;
To display the current path settings: PATH
1. To add the directory c:\downloads to the regular path, enter: PATH %path%;c:\downloads
2. To add a directory name that contains a space, enclose the name in inverted commas: PATH %path%;c:\"program files"\dos or PATH %path%;"c:\program files\dos"
del or erase
To delete a file: DEL [path]filename [/P]
To delete all files in a directory (with confirmation): DEL path or DEL path\*.*
To delete all files in a directory (without confirmation): DEL path\?*.* or DEL path\** (in DOS 7.0; confirmation is required in DOS 7.1)
- filename  The file to delete
- /P        Forces confirmation before deleting each file
mode
The MODE series of commands is used to control the computer's links with its peripherals:
1. Display lines and columns
2. Display configuration
3. Printer configuration
4. Serial port configuration
5. Device status
6. Redirect printing from parallel to serial port
7. Set typematic rate
8. Set code page (character set) for international use
MODE CON[:] [COLS=c] [LINES=n]
- c  The number of characters per line; c can be 40 or 80 (default: 80)
- n  The number of lines displayed on the screen; n can be 25, 43, or 50 (default: 25)
Example: MODE CON LINES=50
MODE [device] [/STATUS]
- device  The name of the device (default: all installed devices)
deltree
Delete a directory and its subdirectories.
To delete a directory and all the subdirectories and files contained therein: DELTREE [/Y] directory
To delete all the files and subdirectories but leave the directory itself: DELTREE [/Y] directory\*.*
To delete a file: DELTREE [/Y] filename
- directory  The directory to be deleted
- /Y         Suppresses prompts for confirmation before deleting
deltree
To delete the TEMP directory on drive C, including all files and subdirectories of the TEMP directory: DELTREE c:\temp
To delete all the files and subdirectories in the "temp" directory, leaving an empty "temp" directory for future use and avoiding the prompt for confirmation: DELTREE /Y c:\temp\*.*
To delete the read-only file text.doc in the c:\data directory (without resetting the attributes): DELTREE /Y c:\data\text.doc
format
FORMAT drive: [/Switches]
- /V[:label]  Specifies a volume label
- /S          Copies system files to the formatted disk (to make a boot disk)
- /B          Allocates space on the formatted disk for system files
- /C          Tests clusters that are currently marked "bad". By default, if a disk contains clusters that have been marked as "bad", FORMAT does not retest the clusters; it simply leaves them marked "bad"
- /AUTOTEST   Formatting proceeds without further user input or warning messages. All sectors previously marked bad on the hard drive are retested (i.e. equivalent to including the /C switch)
more
The MORE command reads standard input from a pipe or redirected file and displays one screen of information at a time.
MORE filename
MORE < filename
command | MORE [path][filename]
- command   A command whose output is to be displayed
- filename  File(s) to display one screen at a time
Examples: MORE clients.new; MORE < clients.new; TYPE clients.new | MORE
prompt
To change the command prompt: PROMPT [text]
- text  Any series of alphanumeric characters, including the following special codes:
  - $P  Current drive and path
  - $E  Escape code (ASCII code 27)
  - $N  Current drive
  - $G  >
  - $V  Windows version number
  - $L  <
  - $D  Current date
  - $B  |
  - $T  Current time
  - $Q  =
  - $_  Carriage return and linefeed
  - $$  $
  - $H  Backspace (erases previous character)
To reset the prompt to its default ($N$G): PROMPT $N$G
shell
Specifies the command interpreter you want MS-DOS to use. The SHELL command can only be invoked from Config.sys.
SHELL=filename [path] [parameters]
- filename    The full filename and path of the command interpreter to be used
- path        The path to the command interpreter
- parameters  Any command-line parameters or switches that can be used with the specified command interpreter
If Command.com is in the root directory and is to be loaded with its default values, the following line is optional: SHELL=c:\command.com c:\ /P
switches
SWITCHES=/F /K /N /E[:n] (invoked from Config.sys)
- /F  Skips the two-second delay after displaying the "Starting MS-DOS..." message during startup
- /K  Forces an enhanced keyboard to behave like a conventional keyboard. If Ansi.sys is installed, its /K switch should also be used
- /N  Disables the F5 and F8 keys used to bypass commands in Config.sys and Autoexec.bat. It does not disable the Ctrl-F5 and Ctrl-F8 keys, which bypass loading Drvspace.bin; to disable these keys, see DRVSPACE
vol
Displays a disk's volume label and serial number. Can be used with LABEL to identify a drive.
VOL [drive:]
Example: VOL E:
copy
The prime use of COPY is to copy one or more files to another location, but it can also be used to combine (concatenate) files and to type directly to a file, printer, or other device.
COPY source [destination] [/V] [/Y | /-Y]
- source       The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?). It may also be a valid device (e.g. CON)
- destination  The directory and/or filename for the new file(s). If destination is not specified, source is copied to the current directory with the same name and creation date as the original file
- /A   Forces COPY to treat the file as an ASCII text file
- /B   Forces COPY to treat the file as a binary file
- /V   Verifies that new files can be read (does not compare with the original; see VERIFY)
- /Y   No warning prompt before overwriting a file (default when COPY is used in a batch file)
- /-Y  Displays a warning and requires confirmation before overwriting a file (default when COPY is used from the command line)
type
The TYPE command is used to display the contents of an ASCII text file on screen.
TYPE filename
1. To display the contents of HOLIDAY.MAR: TYPE holiday.mar
2. If the file is too long to fit on a single screen: TYPE holiday.mar | MORE
3. To pipe the contents of GO.TXT to a DEL command requiring confirmation before deleting all files in a directory: TYPE go.txt | DEL *.*
   If the first two characters of GO.TXT contain a "Y" or "y" followed by an [Enter], the files will be deleted. Anything else and the operation will be skipped.
fdisk
FDISK is a menu-driven utility used to configure and/or display information about the partitions on a hard disk. Before a hard disk can be recognized by DOS (or any other compatible operating system), a Master Boot Record (MBR) must be established. The MBR defines areas of the disk to be a(n):
- Primary Partition and/or
- Extended Partition
CAUTION: Using FDISK to modify or delete partitions on a hard drive renders all the data associated with that partition unavailable, i.e. deleted!
FDISK [/X]
To display a summary of the partition structure on all hard drives: FDISK [/STATUS]
To create partitions without going through the standard FDISK menus: FDISK [/X] drive [/PRI:size] [/EXT:size] [/LOG:size] [/PRMT | /Q]
To rewrite the Master Boot Record of the primary drive without altering the partition table information: FDISK /MBR
To rewrite the Master Boot Record of any drive (drive) without altering the partition table information: FDISK /CMBR drive
pipes & redirection
A number of DOS commands send output to the screen and/or require input from the user. Redirection is a mechanism whereby the output of a command can be fed either to some other device (a printer or file) or to another program or command. There are four redirection functions:
- >   Redirect output
- >>  Append
- <   Redirect input
- |   Pipe
1. To print out a sorted directory listing of all files in the Windows directory: DIR c:\windows /o/a > PRN
2. To create a file containing the directory listing of the same directory: DIR c:\windows /o/a > c:\data\directories\windows.txt
3. DIR c:\windows\system /o/a >> c:\data\directories\windows.txt
batch files
Create the file with COPY CON or with EDIT:
  COPY CON COPYFILE.BAT {ENTER}   or   EDIT COPYFILE.BAT {ENTER}
  FORMAT A: {ENTER}
  COPY *.* {ENTER}
  DIR A: {ENTER}
  CTRL+Z (for COPY CON)   or   Save, Exit from the menu (for EDIT)
To run the file, type: COPYFILE {ENTER}
copy
COPY source1 + source2 + ... destination [/V] [/Y | /-Y]
1. To combine "mar89.rpt", "apr89.rpt" and "may89.rpt" into one file named "report.rpt" in the current directory: COPY mar89.rpt + apr89.rpt + may89.rpt report.rpt
2. To combine all files in the current directory on the current drive that have the extension ".rpt" into one file named "combined.rpt": COPY *.rpt combined.rpt
3. To combine a series of files that have ".txt" extensions with their corresponding ".ref" files to make new files with the same file names but with ".doc" extensions (i.e. "file1.txt" is combined with "file1.ref" to form "file1.doc", and so on): COPY *.txt + *.ref *.doc
4. To combine first all files with the ".txt" extension, then all files with the ".ref" extension, into one file named "combin.doc": COPY *.txt + *.ref combin.doc
fc
Compares two files or sets of files and displays the differences between them.
FC [/Switches] file1 file2
- /B    Performs a binary comparison. This is the default mode for comparing files when file1 has an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN
- /L    Compares files as ASCII. This is the default mode for comparing files when file1 does not have an extension of .EXE, .COM, .SYS, .OBJ, .LIB, or .BIN
- /LBn  Sets the number of lines for the internal line buffer. If the files being compared have more than this number of consecutive differing lines, FC cancels the comparison. Default value of n: 100
- /N    Displays the line numbers on an ASCII comparison
- /C    Disregards the case of letters
- /T    Does not expand tabs to spaces. By default, tabs are treated as spaces, with 1 tab = 8 spaces
- /W    Compresses tabs and multiple spaces to a single space for the comparison
Example: FC c:\test1.txt c:\test2.txt
mem
The MEM command is used to display a table showing how memory (RAM) is currently allocated.
MEM [/Switches]
- (none)       Displays the status of the computer's used and free memory
- /C           Lists the programs that are currently loaded into memory and shows how much conventional and upper memory each program is using
- /D           Lists the programs and internal drivers that are currently loaded into memory
- /F           Lists the free areas of conventional and upper memory
- /M progname  Shows how the program (progname) is currently using memory
- /P           Pauses after each screenful of information
- /H           Brief help (same as /?)
Example: MEM /C /P
xcopy
Copies files and directory trees.
XCOPY source [destination] [/Switches]
- source       The file(s) to be copied. Although this must be a single parameter, it may include multiple files specified using wildcards (* or ?)
- destination  The location and/or name(s) of new files
- Scope: by default, XCOPY will confine its operation to files in the source directory
- /S  Copies the complete subdirectory structure of source and all files therein but does not copy empty subdirectories
- /T  Copies the subdirectory structure of source but does not copy any files and does not copy empty subdirectories. To include empty subdirectories, use with the /E switch
- /E  Include empty subdirectories (see /T)
XCOPY will not copy a folder's attributes (e.g. 'hidden'). These have to be set as required using Windows Explorer or ATTRIB.
xcopy
1. To copy all files and subdirectories from the data directory to the disk in drive A: xcopy c:\data a: /s or xcopy c:\data\*.* a: /s
2. To copy all files and subdirectories from the data directory created/modified since 1st Jan. 1997 to the disk in drive A: xcopy c:\data a: /s /d:1/1/97
diskcopy
DISKCOPY is used to duplicate floppy disks. Any data on the destination disk is overwritten.
DISKCOPY drive1: [drive2:] [/1] [/V] [/M]
- drive1  Drive containing the disk to be copied from (and to, if the computer has only one floppy drive)
- drive2  Drive containing the disk to be copied to (if different from drive1)
- /V      Verifies that the information is copied correctly
- /M      Force multi-pass copy using memory only
dos commands & utilities
- www.evilpigeon.net/tutorials/commands/
- http://www.butterwick0.freeserve.co.uk/tutor/menu.html
- http://www.maem.umr.edu/~batch/batchtoc.htm
- http://home7.inet.tele.dk/batfiles/
- http://www.simtel.net/pub/msdos/
- http://www.ntfs.com/products.htm
- http://www.opus.co.tt/dave/index.htm
searching for evidence
- Know what you are looking for
- Create a list of terms
- Use text search tools to find data
- Check hacker sites for names of programs
- Check anti-virus web sites for information on recent infections and registry entries
evidence on the hard drive
- Hard disk drives
  - Files
  - Erased files
  - File slack
  - Hidden partitions
  - Encrypted files
  - Compressed data (zip)
  - Windows swap file
  - Windows temp files
  - Application temp files
  - Hidden files/folders
knowing how data is written
- Read and write in blocks of data (clusters)
  - Files are not stored in one piece or contiguously
- Fixed blocks have an even number of sectors
- Low-level format creates the sectors (at the factory)
- Clusters are created at high-level format, done by the OS
- Floppies can have low- and high-level formats at the same time
- Bad sectors are marked
tracking files
- 2 areas of vulnerability
  - Signal strength of bits provides ghosts: border areas on tracks may still contain the previous signal
  - Guard region on tracks: variances in read/write head position leave scraps of data
- Overwriting with 0s and 1s is not a guarantee; the original signal may be stronger and leave data in the guard regions
tools used to eliminate data
- Delete and erase individual (or groups of) files
  - Check the recycle bin
  - Recovery with Unerase or Undelete (DOS)
- Disk scrubbers
  - Fdisk and Format (DOS)
  - Format only writes a new empty root; it does not erase data clusters
  - Fdisk simply rearranges partition space
  - 3-pass standard: DoD 5220.22-M (www.dss.mil/isec/nispom.htm)
  - Tools include: Evidence Eliminator, File Monster, East-Tec Eraser, WipeInfo
shredding data
- Simple deletes of files/folders
- Recycle bin deletes
- Shredding tools
  - Shred 2
- Email shredding
  - Email is persistent
  - Simple delete
  - Archived
  - Backups
file slack
- Storage space between the end of a file and the end of the last cluster assigned to it
- Space filled with random data from memory when the file is closed
- Diagram (one 512-byte block): File_A followed by file slack; after File_A is deleted and File_B is written, the block holds File_B followed by parts of File_A plus file slack
swap files
- Memory fills up
- Sends to the swap file
  - Dynamic (disappears on shutdown)
  - Static (stays and goes to unallocated space on the HD)
unallocated (erased file space)
- Storage space on the HD available to be overwritten by the OS when new files are created
  - File name remains
  - Data remains
  - File slack remains
- Contents may be fragments of deleted files
  - Deletes
  - Out-of-space errors
  - HD reformats
swap file
- Windows relies on a swap file
- Swaps disk space for RAM
- Acts as a scratch pad (write behind)
- Any work can pass through it
shadow (ghost) data
- Data is written in binary 0 and 1 in concentric rings (tracks)
- Horizontal head alignment and vertical head placement are different each time data is written and rewritten to the same track
- Limits the effectiveness of disk scrubbers
- www.metanet.org/mnt/lib/homebrew_stm.html (not completely reliable yet)
- Use multiple overwrites on all disks
  - security.tao.ca/secure_del.shtml
examining slack, unallocated and swap
File System Layer          | Location of Evidence: DOS/Windows | Linux
Application storage        | Files (same for both)             |
Information Classification | Directories/folders               | Directories
Storage space allocation   | FAT                               | Inode & data bitmaps
Blocking format            | Clusters                          | Blocks
Data Classification        | Partitions (same for both)        |
Physical                   | Absolute sectors or C/H/S         | Absolute sectors
organizing for a search
- Make 2 bit-stream copies of the original
- Label the copies and work on only 1
- Remove the original from the work area
- Benchmark the drive file with MD5
- List files
  - Determine whether compressed or encrypted
  - Check dates
- Build a list of words to search for, using TXTSEARCH (NTI) or Encase
- Unlinked clusters must be re-linked
- Deleted files recovered
knowing how data is written
- Data is stored in fixed-length blocks as clusters
- Size of clusters varies by type and storage capacity of the media
- The FAT tracks the clusters allocated to a file
- The FAT uses cluster numbers to find data
- FAT12, FAT16 and FAT32 each have a different number of clusters
- Sectors are units of storage of 512 bytes (4096 bits)
looking at the fat
- Using Norton Unerase Wizard to find the lost filenames
  - In-place replacement will wipe out forensic data!
- Use Diskedit/w to find deleted files
  - The block allocation table is a chain for the OS to follow when reconstructing a file
  - Blocks can have 3 values: pointer to the next block, EOF if the last one (FFF8), or bad (FFF7)
looking at the fat
- Deleting a file causes the FAT to have a sigma character (E5) in the first byte, sets the file size to 0 and marks all blocks as available
- Reconstruction uses file size and clusters to re-create the file
- Add your initials to the name to identify it later
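The FAT behaviours described on the two slides above (FFF8 end of chain, FFF7 bad block, the E5 marker on a deleted entry) together with the file slack defined earlier, as an added Python example that is not from the slides or from Diskedit/Unerase: it walks a FAT16 cluster chain, decodes 8.3 directory entries, extracts a live file together with the slack in its last cluster, and rebuilds a deleted file from the start cluster and size that its directory entry still carries (DOS leaves those two fields in place; that is what undelete tools work from). The volume fragment, 2048-byte cluster size, file names and stale-data pattern are all constructed for the example.

```python
import struct

CLUSTER = 2048                # constructed: 4 sectors of 512 bytes per cluster
FIRST_DATA_CLUSTER = 2        # FAT numbers data clusters from 2
EOF_MIN, BAD, FREE = 0xFFF8, 0xFFF7, 0x0000
DELETED_MARK = 0xE5           # first byte of an erased 8.3 directory entry

def fat_entry(fat, n):
    """FAT16 entries are little-endian 16-bit words indexed by cluster number."""
    return struct.unpack_from("<H", fat, 2 * n)[0]

def follow_chain(fat, start):
    """Walk the chain from start; reason is "eof" (FFF8-FFFF), "bad" (FFF7)
    or "broken" (free entry or loop)."""
    chain, n = [], start
    while True:
        chain.append(n)
        v = fat_entry(fat, n)
        if v >= EOF_MIN:
            return chain, "eof"
        if v == BAD:
            return chain, "bad"
        if v == FREE or v in chain:
            return chain, "broken"
        n = v

def parse_dir_entry(raw):
    """Decode a 32-byte 8.3 entry.  E5 in byte 0 marks it deleted; DOS leaves
    the start cluster (offset 26) and size (offset 28) in place."""
    deleted = raw[0] == DELETED_MARK
    name = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    return {"name": name + ("." + ext if ext else ""), "deleted": deleted,
            "start": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0]}

def cluster_bytes(data_area, n):
    off = (n - FIRST_DATA_CLUSTER) * CLUSTER
    return data_area[off:off + CLUSTER]

def read_file(entry, fat, data_area):
    """Return (content, slack, chain_reason).  Slack is everything from end of
    file to the end of the last cluster, which a normal read never reaches."""
    chain, reason = follow_chain(fat, entry["start"])
    raw = b"".join(cluster_bytes(data_area, c) for c in chain)
    return raw[:entry["size"]], raw[entry["size"]:], reason

def recover_deleted(entry, fat, data_area):
    """Rebuild a deleted file from start cluster and size, assuming contiguous
    storage (the FAT chain was zeroed).  None if a cluster was reallocated."""
    count = -(-entry["size"] // CLUSTER)                 # ceiling division
    clusters = range(entry["start"], entry["start"] + count)
    if any(fat_entry(fat, c) != FREE for c in clusters):
        return None
    raw = b"".join(cluster_bytes(data_area, c) for c in clusters)
    return raw[:entry["size"]]

def make_entry(name, ext, start, size, deleted=False):
    """Constructed 8.3 directory entry (attributes left at zero)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    struct.pack_into("<H", raw, 26, start)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)

def build_sample():
    """Constructed fragment: FAT for clusters 0-9, data area of 8 clusters.
    REPORT.TXT (3000 bytes) lives in clusters 2->3; SECRET.DOC (2600 bytes)
    was deleted from clusters 4-5, now free; cluster 6 is marked bad."""
    fat = bytearray(20)
    for n, v in {0: 0xFFF8, 1: 0xFFFF, 2: 3, 3: 0xFFFF, 6: BAD}.items():
        struct.pack_into("<H", fat, 2 * n, v)
    stale = b"<stale memory>" * 200                      # fills the slack
    data = bytearray(8 * CLUSTER)
    data[0:3000] = b"R" * 3000
    data[3000:2 * CLUSTER] = stale[:2 * CLUSTER - 3000]
    data[2 * CLUSTER:2 * CLUSTER + 2600] = b"S" * 2600
    data[2 * CLUSTER + 2600:4 * CLUSTER] = stale[:2 * CLUSTER - 2600]
    directory = (make_entry("REPORT", "TXT", 2, 3000)
                 + make_entry("SECRET", "DOC", 4, 2600, deleted=True))
    return directory, bytes(fat), bytes(data)
```

On the constructed volume REPORT.TXT yields 1096 bytes of slack carrying the stale pattern, and SECRET.DOC is recovered in full unless one of its clusters has been reallocated, in which case recover_deleted returns None.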
places where data can live
- Diagram: the Original Document in the centre, surrounded by Timed Backup, Temp, Swap and Print copies, each with its own Slack
forensic data locations
- Slack
  - Space left over between the end of the data and the end of the last cluster/block
  - Does every file have slack space?
  - Amount of slack is about half the block size; the larger the block, the more slack
  - Cannot access slack: the OS won't allow a read past EOF
- Swap
  - WORD documents contain random data (use a hex editor or Notepad)
- Unallocated
  - Blocks not currently in use
  - Files deleted have freed-up space until overwritten
step by step
- Install the hard drive on the forensic box
- Install it on the secondary controller
- Forensic box set to boot from primary or floppy
- Make a bit-stream image of the drive
- Authenticate the hard drive
- Document date and time
file recovery
- Non-invasive read to determine deletes
- Restore deleted files
- File recovery tools
  - Norton Unerase Wizard
md5 checksums
comparing files
- DOS prompt
- Syntax: CRCMD5 /h drive
  - Returns unique checksums for the files on the specified drive
shred
virtual shredding
active records management
document control
- Active Rights Management technology
  - Documents
  - Web
  - Email
- Based on policies for key distribution
- Federal law (2000) allowed electronic documents the same legal standing as paper: are they equal if the sender can shred them remotely?
- What if the sender has a 30-day limit and the recipient has a 7-year legal obligation?
any vulnerabilities?
demonstration: GetFree
examining ms office
- Tracking Changes set
- Properties
- Open in Notepad to find evidence
linking to suspect
- MAC address
  - ipconfig /all or winipcfg
- Hidden file folders (Notepad)
  - Details about the environment stored in memory
windows system
- Sysedit
  - View autoexec.bat, config.sys, Windows passwords
- Regedit
  - Auto-complete functions in IE (web sites)
  - Network information
  - Run history
  - Software installed (if hidden)
- Password files
  - Find *.pwl
  - PWLTool (www.webdon.com)
locating saved information
demonstration: Hiding Files & Directories
forensic toolkits
- Forensic Toolkit (www.foundstone.com): NT-specific, command line
- NTI (www.forensics-intl.com): any OS, command line
- Coroner's Toolkit (www.fish.com): UNIX-specific, live system
- ForensiX (www.all.net): Linux, GUI
- Encase (www.encase.com): popular with police, GUI
hardware units
- ICS (www.ics-iq.com)
- Forensic Computers (www.forensic-computers.com)