Week 5 - Live Incident Response - Windows Flashcards
What is Live Response?
Live response is the investigation of a suspect system while it is still powered on.
Used to:
- extract INFORMATION that can be used immediately, rather than data that must be processed first. Instead of making a memory dump that has to be analysed later, we extract information that can be acted on NOW.
- give context to the further LDF (live data forensics) and PM (post-mortem) forensic processes
- obtain information that is harder or impossible to get with PM forensics or LDF (e.g. the contents of a volume that is mounted and decrypted now but will be unreadable once the system is powered off)
The information extracted is case dependent.
For example, in a kidnapping case: the location of the victim.
It can also be suspect-device dependent: establishing whether encryption is used (and of what type, full or partial disk, etc.) or whether anti-forensic software is present, in order to decide the next steps.
In time-critical situations it is also used to immediately determine which network connections and logged-in users there are on a system, without having to parse a memory dump first.
When is Live Incident Response needed?
- Every time LDF is being considered.
- Live response is used to gather information about the system so that informed decisions can be made.
- Based on this: does the current set-up require LDF? Yes, if information is more important than data preservation and time is critical, e.g.
- threat to life
- terrorism, etc.
Considerations when conducting Live Response
- Reduce interaction with the system as much as possible.
- Have a strategy beforehand.
- Use Live Response to answer specific questions. Know the questions beforehand, but be flexible with new information and adapt the strategy where needed.
- Most information can be extracted from acquired RAM and disks, so ask whether Live Response (interacting with the system) is necessary at all.
- Sometimes you do not know beforehand what will be relevant.
- Err on the side of caution (within reason) and collect too much rather than too little. What "too much" means is bounded by known relevance to the case, by law (e.g. the right to privacy) and by the impact on the case (every interaction changes the system).
Live Response in Windows
Windows is still the most popular PC OS found in homes and businesses, so it is:
- subject to the greatest number of exploits
- subject to the greatest amount of forensic research
(Some businesses use Macs exclusively, and in server environments Linux is most common.)
List some common Windows artifacts
Which artifacts matter depends on what is relevant in the case.
- System time is ALWAYS relevant (you always need to know the offset compared to a specific, reliable time source).
- Presence of encryption is USUALLY relevant.
Common artifacts include:
- Active network connections
- Currently running processes / services
- Logged-in users
- Currently open files (local / network)
- Active shares
This is only a small sample of them.
Example of a Windows Live Response information collection methodology for a malware analysis case
- Run a trusted (not compromised) command shell from the toolkit.
- Document the system date and time, and compare them to a reliable time source.
- Acquire the contents of physical memory. Everything after this step is information gathering, so dumping memory first makes sure we have changed as little as possible before the dump. In a different case (e.g. life at risk) you may decide to do this later. If encryption is used, the memory dump may contain the passwords/keys needed for decryption, OR taking the dump may crash the machine. Taking a forensic copy of the open (decrypted) files before making the memory dump can be a good alternative.
- Gather hostname, user, and operating system details
- Gather system status and environment details
- Identify users logged onto the system
- Inspect network connections and open ports
- Examine DNS queries and connected hostnames
- Examine running processes
- Correlate open ports to associated processes and programs
- Examine services and drivers
- Inspect open files
- Examine command line history
- Identify mapped drives and shares
- Check for unauthorized accounts/resources using “net” commands
- Determine scheduled tasks
- Collect clipboard contents
- Determine audit policy
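The list above as one script. This is an added example, not code from the original flashcards or from any toolkit they mention. Assumptions (all hypothetical): the responder's toolkit is a removable drive mounted as E:\, E:\tools holds trusted copies of the Windows utilities taken from a clean system of the same build, E:\case receives the output, and E:\tools\winpmem.exe is the memory acquisition tool (its command line is also an assumption). Every binary is invoked by full path from the toolkit, never via %PATH%, each output file is hashed, and the order follows the methodology above: time first, memory second, then information gathering.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# started from the toolkit drive: E:\tools\collect.ps1
$Toolkit = 'E:\tools'                                    # assumption
$Stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$OutDir  = Join-Path 'E:\case' ('{0}_{1}' -f $env:COMPUTERNAME, $Stamp)
$Log     = Join-Path $OutDir 'collection_log.txt'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Invoke-Collect {
    # Run one trusted binary by full path, save stdout+stderr to a file and
    # log start time, exit code and SHA-256 of the output file.
    param([string]$Name, [string]$Exe, [string[]]$Arguments = @())
    $file  = Join-Path $OutDir "$Name.txt"
    $start = Get-Date
    & (Join-Path $Toolkit $Exe) @Arguments 2>&1 | Out-File -FilePath $file -Encoding utf8
    $hash  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    '{0:o}  {1} {2}  exit={3}  sha256={4}' -f $start, $Exe, ($Arguments -join ' '), $LASTEXITCODE, $hash |
        Add-Content -Path $Log
}

# Step 2: system time, time zone and offset from a reliable time source.
# w32tm needs network access; the NTP host name is an assumption.
@(
    'Local time : {0:o}' -f (Get-Date)
    'UTC time   : {0:o}' -f (Get-Date).ToUniversalTime()
    'Time zone  : {0}'   -f (Get-TimeZone).Id
) | Set-Content -Path (Join-Path $OutDir '00_system_time.txt')
Invoke-Collect -Name '00_time_offset' -Exe 'w32tm.exe' -Arguments '/stripchart','/computer:pool.ntp.org','/samples:3','/dataonly'

# Step 3: physical memory, before anything else touches the system further.
# Skip or move this step when the case strategy says so (see the note above).
$MemTool = Join-Path $Toolkit 'winpmem.exe'              # assumption
if (Test-Path $MemTool) {
    & $MemTool (Join-Path $OutDir 'memory.raw') 2>&1 | Add-Content -Path $Log
}

# Steps 4 onwards: information gathering with the built-in utilities, in the
# order of the methodology above. Hashtable keys match Invoke-Collect's parameters.
$Steps = @(
    @{Name='01_hostname';         Exe='hostname.exe';    Arguments=@()}
    @{Name='02_whoami';           Exe='whoami.exe';      Arguments=@('/all')}
    @{Name='03_ver_env';          Exe='cmd.exe';         Arguments=@('/c', 'ver & set')}
    @{Name='04_systeminfo';       Exe='systeminfo.exe';  Arguments=@()}
    @{Name='05_quser';            Exe='quser.exe';       Arguments=@()}
    @{Name='06_netstat_ano';      Exe='netstat.exe';     Arguments=@('-ano')}
    @{Name='07_netstat_anb';      Exe='netstat.exe';     Arguments=@('-anb')}
    @{Name='08_ipconfig_all';     Exe='ipconfig.exe';    Arguments=@('/all')}
    @{Name='09_dns_cache';        Exe='ipconfig.exe';    Arguments=@('/displaydns')}
    @{Name='10_arp';              Exe='arp.exe';         Arguments=@('-a')}
    @{Name='11_nbtstat';          Exe='nbtstat.exe';     Arguments=@('-S')}
    @{Name='12_tasklist_v';       Exe='tasklist.exe';    Arguments=@('/v')}
    @{Name='13_tasklist_svc';     Exe='tasklist.exe';    Arguments=@('/svc')}
    @{Name='14_tasklist_dlls';    Exe='tasklist.exe';    Arguments=@('/m')}
    @{Name='15_drivers';          Exe='driverquery.exe'; Arguments=@('/v')}
    @{Name='16_net_file';         Exe='net.exe';         Arguments=@('file')}
    @{Name='17_net_share';        Exe='net.exe';         Arguments=@('share')}
    @{Name='18_net_use';          Exe='net.exe';         Arguments=@('use')}
    @{Name='19_net_user';         Exe='net.exe';         Arguments=@('user')}
    @{Name='20_local_admins';     Exe='net.exe';         Arguments=@('localgroup', 'Administrators')}
    @{Name='21_net_session';      Exe='net.exe';         Arguments=@('session')}
    @{Name='22_schtasks';         Exe='schtasks.exe';    Arguments=@('/query', '/fo', 'LIST', '/v')}
    @{Name='23_auditpol';         Exe='auditpol.exe';    Arguments=@('/get', '/category:*')}
)
foreach ($s in $Steps) { Invoke-Collect @s }

# Clipboard of the current session, and the PowerShell command history files of
# every profile on the box (cmd.exe history is per console and not persisted).
Get-Clipboard -Raw | Set-Content -Path (Join-Path $OutDir '24_clipboard.txt')
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.FullName.Split('\')[2]
        Copy-Item -LiteralPath $_.FullName -Destination (Join-Path $OutDir "25_pshistory_$user.txt")
    }

# Manifest of everything collected, then close the log.
Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
'{0:o}  collection finished' -f (Get-Date) | Add-Content -Path $Log
```

The trusted copies still load DLLs from the suspect system (the same caveat the toolkit section makes about KAPE), so the log of exit codes and hashes is there to show later exactly what ran, when, and what it produced, not to prove the output is untainted.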
Windows Live Response Tools: Encryption Detection
Establishing the presence of encryption is one of the most important things in live response.
You need to know whether any is present so you know whether the data has to be acquired from the running system now, or whether it can be acquired later (post-mortem).
The encryption utility included in Windows is BitLocker (BitLocker Drive Encryption, bde).
All about Windows BitLocker
BitLocker (bde)
Can be managed / detected from the command line with the command:
manage-bde.exe
For example, to get an overview of which volumes are encrypted with BitLocker use: manage-bde.exe -status
It also gives detailed information about the encryption process (whether conversion has completed or what percentage is encrypted) and the lock status. Most importantly, it also lists the key protectors used to protect each volume (TPM, numerical password, etc.). For a single volume: manage-bde.exe -status C: ; to list the protectors with their IDs: manage-bde.exe -protectors -get C:
Another method of detecting full disk encryption - boot sector
Another method of detecting full disk encryption is to look at the volume boot sector (see the example in the presentation). An unencrypted NTFS volume carries a recognisable OEM ID ("NTFS    ") at offset 3 of its boot sector, a BitLocker volume carries "-FVE-FS-", and a TrueCrypt-encrypted volume shows no recognisable file system at all.
BitLocker can be detected with the manage-bde.exe command, but for something like TrueCrypt full disk encryption this may be the only way to find out that it is present.
Another method of detecting full disk encryption - looking for volume mount points & the crydd tool
Another method of encryption detection is looking at the volume mount points.
Use a tool like crydd:
crydd.exe -list
This gives an overview of all the mount points of all the volumes on the system (see the image). The highlighted ones are PGP-encrypted disks. So it gives an indication that encryption is used, possibly full disk, a volume or a container.
Other methods for detecting encryption in Windows
- Investigate the registry mount points to find out which folders are mounted and where they point to. Special tools such as First, some Linux live CDs, or Windows Explorer and Disk Management can be used.
- Command line tools like tasklist to see running processes (encryption software usually has a resident process or a loaded driver).
- Have a good look at the system tray (the icons at the bottom right for quick access). Not necessarily accurate, but an encryption software icon is a strong hint.
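The checks from the last few cards combined into one triage script: manage-bde status with key protectors, the volume boot sector OEM ID, EFS-encrypted files, running processes and loaded drivers of known encryption products, and mounted volumes Windows cannot identify a file system on. This is an added example, not code from the original flashcards; it needs an elevated PowerShell, and the product name list in $EncryptionSoftware is an illustrative assumption, not a reference list.

```powershell
# Added example (not from the original page). Elevated PowerShell required.
# $EncryptionSoftware is an assumed, illustrative list; extend it from your toolkit.
$EncryptionSoftware = 'truecrypt|veracrypt|pgp|bestcrypt|diskcryptor|symantec encryption'

function Get-BitLockerState {
    # Parse 'manage-bde -status' into one object per volume: conversion status,
    # percentage encrypted, lock status and the key protectors in use.
    $text = (& manage-bde.exe -status 2>&1 | Out-String)
    foreach ($block in ($text -split '(?m)^Volume ')) {
        if ($block -notmatch 'Conversion Status') { continue }       # skip the banner
        $protectors = [regex]::Match($block, '(?s)Key Protectors:\s*(.*?)(?:\r?\n\s*\r?\n|\z)').Groups[1].Value
        [pscustomobject]@{
            Volume       = ($block -split '\r?\n')[0].Trim()
            Conversion   = [regex]::Match($block, 'Conversion Status:\s*(.+)').Groups[1].Value.Trim()
            PctEncrypted = [regex]::Match($block, 'Percentage Encrypted:\s*(\S+)').Groups[1].Value
            LockStatus   = [regex]::Match($block, 'Lock Status:\s*(.+)').Groups[1].Value.Trim()
            Protectors   = @($protectors -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
}

function Get-BootSectorInfo {
    # Read the first 512 bytes of a volume and report the OEM ID at offset 3:
    # 'NTFS    ' = plain NTFS, '-FVE-FS-' = BitLocker, anything else = no
    # recognised file system (possible TrueCrypt/VeraCrypt/PGP volume).
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'C:'
    $path = '\\.\' + $Drive.TrimEnd('\')
    $fs = [System.IO.FileStream]::new($path, [System.IO.FileMode]::Open,
                                      [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        [void]$fs.Read($sector, 0, 512)
    } finally { $fs.Dispose() }
    $oem = [System.Text.Encoding]::ASCII.GetString($sector, 3, 8)
    if     ($oem -like 'NTFS*')    { $verdict = 'NTFS, not full-volume encrypted' }
    elseif ($oem -eq '-FVE-FS-')   { $verdict = 'BitLocker volume' }
    else                           { $verdict = 'No recognised file system signature: possibly encrypted' }
    [pscustomobject]@{
        Drive     = $Drive
        OemId     = $oem
        Signature = '{0:X2}{1:X2}' -f $sector[510], $sector[511]   # 55AA on a valid boot sector
        Verdict   = $verdict
    }
}

function Get-EfsEncryptedFiles {
    # 'cipher /u /n' walks all local drives and lists every EFS-encrypted file
    # without re-keying anything; keep only the path lines.
    & cipher.exe /u /n 2>&1 | Where-Object { $_ -match '^[A-Za-z]:\\' }
}

function Find-EncryptionSoftware {
    # Running processes and loaded kernel drivers whose name or path matches
    # a known encryption product.
    Get-Process | Where-Object { $_.Name -match $EncryptionSoftware -or $_.Path -match $EncryptionSoftware } |
        Select-Object @{n='Type'; e={'Process'}}, Name, Id, Path
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match $EncryptionSoftware -or $_.PathName -match $EncryptionSoftware } |
        Select-Object @{n='Type'; e={'Driver'}}, Name, @{n='Id'; e={$_.State}}, @{n='Path'; e={$_.PathName}}
}

function Get-UnrecognisedVolumes {
    # Mounted volumes without an identifiable file system: a locked BitLocker
    # volume or a TrueCrypt/PGP disk shows up like this. A hint, not proof.
    Get-CimInstance Win32_Volume | Where-Object { -not $_.FileSystem -or $_.FileSystem -eq 'RAW' } |
        Select-Object DriveLetter, Label, @{n='SizeGB'; e={[math]::Round($_.Capacity / 1GB, 1)}}, DeviceID
}

# Usage
Get-BitLockerState        | Format-Table -AutoSize
Get-BootSectorInfo -Drive 'C:'
Get-EfsEncryptedFiles     | Select-Object -First 20
Find-EncryptionSoftware   | Format-Table -AutoSize
Get-UnrecognisedVolumes   | Format-Table -AutoSize
```

The order matters for the decision the text describes: if Get-BitLockerState shows a volume that is unlocked with only a TPM protector, or Find-EncryptionSoftware shows a container product running, the decrypted data is reachable now and may not be after shutdown, which is the argument for acquiring it live.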
Windows Live Response Toolkits
FREE
- First (part of the European Union FREETOOL project; law enforcement can create an account)
- DEFT (full toolkit and a light version). A Linux distribution.
- KAPE (developed by Eric Zimmerman, formerly of the FBI). A full artifact parser and extractor. Free tools, still maintained. Note that such tools use a lot of the dynamic link libraries of the system you are investigating, so a compromised system can influence their output.
- WIN-UFO, a downloadable tool that combines around 100 popular freeware PC forensics and system information tools into a single portable package.
Develop your own toolkit. Have a colleague test your tools as well as testing them yourself.
COMMERCIAL TOOLS:
- ProDiscover IR or EnCase Endpoint Investigator, which run over the network in a client-server configuration.
What info might you gather from these toolkits?
Date and Time
Volatile Memory
» Dump of physical memory
» Swap file / Hibernation file
Network Connections
» Open TCP and UDP ports
» NetBIOS, neighbouring network connections
» ARP cache
» IPConfig settings
User Accounts
» Currently logged-on users
Processes
» Running Processes
» Running Services
» Scheduled Jobs
» Loaded Drivers
» Hooks
Files
» Open Files
Screen Capture (it may be worth taking a capture of the screen)
Inbuilt Windows command line utilities can gather a lot of the same information. List some inbuilt Windows utilities that may be helpful
List of helpful inbuilt Windows utilities (some require admin rights):
date /t and time /t (system date and time; compare with a reliable source)
hostname (gives the name of the machine)
whoami (gives the user running the shell; whoami /all adds SID, groups and privileges)
ver (gives the version of Windows)
quser (gives information about logged-on users and their sessions)
netstat -ano (netstat gives lots of information about network connections; -ano shows all connections and listening ports numerically, with the owning PID)
netstat -anb (as above, but with the executable that owns each port; needs admin rights)
ipconfig /all (lots of information about the IP configuration)
ipconfig /displaydns (the DNS resolver cache: recently resolved hostnames)
net user (lists local user accounts)
arp -a (correlation between IP and MAC addresses on your network)
tasklist /v (verbose information about all running tasks: PID, session, memory, CPU time, user name, window title)
nbtstat -S (nbtstat displays various NetBIOS over TCP/IP statistics; -S lists the session table by IP address)
net session (the NET command is used to manage open files and user sessions: net session lists sessions from other computers connected to this one, net file lists the open shared files)
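Step "correlate open ports to associated processes and programs" from the methodology, done with the utilities above. This is an added example, not code from the original flashcards: it parses the PID column of netstat -ano and joins it with the process list, so every port is tied to an image path, command line, parent PID and, for svchost, the services hosted in that process. The parser also works on saved netstat output (the sample below is constructed, not real output); the enrichment has to run on the live host, elevated for full detail.

```powershell
# Added example (not from the original page).

function ConvertFrom-NetstatAno {
    # Parse 'netstat -ano' lines. UDP rows have no State column, so it is optional.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            [pscustomobject]@{
                Proto  = $Matches[1]
                Local  = $Matches[2]
                Remote = $Matches[3]
                State  = $Matches[4]
                PID    = [int]$Matches[5]
            }
        }
    }
}

function Get-PortProcessMap {
    # Snapshot processes and services once, then enrich every netstat row.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
    $svcs = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $svcs[[int]$_.ProcessId] += @($_.Name) }
    & netstat.exe -ano | ConvertFrom-NetstatAno | ForEach-Object {
        $p = $procs[$_.PID]
        [pscustomobject]@{
            Proto       = $_.Proto
            Local       = $_.Local
            Remote      = $_.Remote
            State       = $_.State
            PID         = $_.PID
            Image       = if ($p) { $p.ExecutablePath } else { '<exited or not visible>' }
            ParentPID   = if ($p) { $p.ParentProcessId }
            Services    = ($svcs[$_.PID] -join ',')
            CommandLine = if ($p) { $p.CommandLine }
        }
    }
}

# Constructed sample (not real output) to show the parser on saved netstat text.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:49712         203.0.113.9:443        ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1364
'@
$sample -split "`n" | ConvertFrom-NetstatAno | Format-Table -AutoSize

# Live usage: everything that is not merely listening, with its owning program.
Get-PortProcessMap | Where-Object { $_.State -ne 'LISTENING' } |
    Sort-Object PID | Format-Table Proto, Local, Remote, State, PID, Image, Services -AutoSize
```

A PID with no matching process (the '<exited or not visible>' case) is itself worth noting: the connection belonged to something that has already gone, or to a process the current token cannot see.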
List some other inbuilt Windows utilities that may give important information
Some require admin rights.
- cipher (to detect EFS, the Encrypting File System). cipher /c lists the encryption state of the files in a directory and who holds the keys; cipher /u /n walks all local drives and lists every EFS-encrypted file without touching the keys.
- manage-bde (BitLocker). manage-bde -status gives the list of BitLocker-encrypted drives.
- wevtutil (event logs). For example, wevtutil el lists all event logs present on the system, and wevtutil qe Security /c:20 /rd:true /f:text shows the 20 most recent Security log entries as text.
- wmic (to query Windows Management Instrumentation from the command line). wmic /? lists everything that can be queried; e.g. wmic process get ProcessId,ParentProcessId,CommandLine lists processes with their command lines.
- vssadmin (Volume Shadow Copy Service). vssadmin list shadows
and mklink /d C:\mountpnt \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\
vssadmin is the admin tool for the Volume Shadow Copy Service; vssadmin list shadows gives a list of all volume shadow copies that exist on the system. System Restore points are built on these snapshots, which are created when something important happens to the system (e.g. an update) or periodically (roughly once every 24 hours on a system that keeps running), and they give the option to go back in time for a lot of registry and system files. Once you have located the shadow copies, you can mount one in a subdirectory for further investigation using mklink.
In the example above, HarddiskVolumeShadowCopy4 is mounted on the directory C:\mountpnt. The trailing backslash on the target path is required, otherwise it will not work.
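The vssadmin / mklink procedure above as a script. This is an added example, not code from the original flashcards: it lists the shadow copies through WMI (the typed equivalent of vssadmin list shadows), mounts the newest snapshot of C: through a directory symbolic link, copies the registry hives out of the snapshot (the live hives are locked while Windows runs) and removes the link again. It needs an elevated PowerShell; C:\mountpnt and E:\case\hives are assumed, hypothetical paths.

```powershell
# Added example (not from the original page). Elevated PowerShell required.

function Get-ShadowCopyList {
    # Same information as 'vssadmin list shadows', with the drive letter resolved.
    $letters = @{}
    Get-CimInstance Win32_Volume | ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.ID
            Created      = $_.InstallDate
            Volume       = $letters[$_.VolumeName]          # e.g. 'C:'
            DeviceObject = $_.DeviceObject                  # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Mount-ShadowCopy {
    # mklink is a cmd.exe built-in; the target must end in a backslash or the
    # link will not resolve. Refuse to reuse an existing path.
    param([Parameter(Mandatory)][string]$DeviceObject, [string]$MountPoint = 'C:\mountpnt')  # assumed path
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists, refusing to overwrite" }
    $target = $DeviceObject.TrimEnd('\') + '\'
    $null = & cmd.exe /c mklink /d $MountPoint $target
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    $MountPoint
}

function Dismount-ShadowCopy {
    # rmdir on a directory link removes only the link; the snapshot is untouched.
    param([string]$MountPoint = 'C:\mountpnt')
    $null = & cmd.exe /c rmdir $MountPoint
}

# Usage: newest snapshot of C:, pull the hives, unmount. E:\case\hives is an assumed path.
Get-ShadowCopyList | Sort-Object Created | Format-Table -AutoSize
$newest = Get-ShadowCopyList | Where-Object { $_.Volume -eq 'C:' } |
    Sort-Object Created -Descending | Select-Object -First 1
if ($newest) {
    $mp = Mount-ShadowCopy -DeviceObject $newest.DeviceObject
    try {
        $dest = 'E:\case\hives'
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        foreach ($hive in 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY') {
            Copy-Item -LiteralPath (Join-Path $mp "Windows\System32\config\$hive") -Destination $dest
        }
    } finally {
        Dismount-ShadowCopy -MountPoint $mp
    }
}
```

Creating the link writes a directory entry on C:, which is one more change to the suspect system; put the mount point on the toolkit drive instead if the case allows it, and record the link creation and removal in the collection log.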