Practical Windows Forensics

Lora Fulton [email protected]

Eric Jacobsen [email protected]
July 20, 2001
MIT Security Camp
 Overview
• BU is building its toolkit for Windows
security incident handling.
• We will attempt to share what we’ve
learned about doing forensics in the
Windows environment.

July 20, 2001

MIT Security Camp
 Agenda
• Windows at Boston University
– Who we once were
– Why we felt we needed to change
– What we’ve changed
• Our Windows Forensics procedures
– Goals
– What we do
• Questions and Comments
July 20, 2001
MIT Security Camp
 History
• M$ Windows at BU, prior to 2001.
– Limited experience with Windows servers, still
perceived as a desktop operating system.
– Security responsibilities pushed off to local
systems administrators.
– “We will deal with problems as they come up.”
– No interest in forensics, just fix the problem
and move on.
July 20, 2001
MIT Security Camp
 Impetus to Change
• Victims of our Residential Networking (ResNet)
Initiative were flooding our abuse/security mail
queues with complaints.
• Arrival of BackOrafice/Sub7 trojans with potential
to do great harm inside our firewall.
• Administrative push towards Exchange servers,
Terminal servers, Active Directory services.

July 20, 2001

MIT Security Camp
 Impetus to Change
• Hardware vendors shipping products with
Windows based components (Xerox printers,
IBM ESS, Card Access systems, e.g.)
• Public terminal rooms with Windows
desktops

July 20, 2001

MIT Security Camp
 Changes
• Added Lora Fulton to the full-time security staff.
• Build information distribution channels for
Windows security information.
• Develop an understanding of what needs to be
done to secure a Windows system.
• Efforts to promote Virus Protection for all
Windows systems.
• Adapt existing Unix Forensics checklist to the
Windows platform.
July 20, 2001
MIT Security Camp
 Forensics Goals
• Our methods are not intended to collect evidence
for law enforcement, just for our own education.
• Reduce the amount of time required to conduct an
investigation (and therefore freeing a system up
for repair work quicker).
• Ability to identify widespread problems so we can
notify our community about them (identification
of an attack signature or footprint).

July 20, 2001

MIT Security Camp
 Basic Procedure
• Follow checklist, collect all data from
system(s)
• Interview with systems administrator /
primary users
• Analyze available data to determine
source and method of attack
• Apply information to detect other
compromises
July 20, 2001
MIT Security Camp
 Preparation
• Try to have a theory of what happened
before investigating the system.
• Don’t show your cards to others.
• Don’t show your cards to yourself
– Prove what happened, not what you think
happened. (Don’t believe your own
theories)

July 20, 2001

MIT Security Camp
 Pre-inspection Procedures
• Make Appointment
– Meeting place/directions
• Admin account and password
• List of intended uses
– File/Pint/Web/FTP/DC/PDC/TS/Desktop

July 20, 2001

MIT Security Camp
 Gather Tools
• Clip board
– New checklists
– Scratch paper (no notebooks – unless for LE)
– Sample srvinfo and pstat printouts
• Tool Kit
– CD case with pockets
– Spare floppies/zip disks , blank disk labels
– Copy of srvinfo, fport, plus any other tools you like
– Service Packs/Resource Kit/ Other CDs
July 20, 2001
MIT Security Camp
 System Information
& Basic Configuration
• Hostname, IP Address (ipconfig /all or srvinfo)
• System Location, Owner, Administrator
• Hardware Platform, CPU type
• Operating System, including service
pack (winver or srvinfo)
• Hot Fixes Applied (add/remove programs)
• Anti-Virus Software (installed/updated)
July 20, 2001
MIT Security Camp
 Date & Time / Disk Layout
• Date & Time Zone
– Compare to a wristwatch and record
difference
• Uptime (srvinfo again)
• What drives and shares are present
– Local Disks/Networked Drives
• What File System Type is being used
– NTFS/FAT/FAT32
July 20, 2001
MIT Security Camp
 System Services
• Processes
– Task Manager / Processes Tab
– save to bitmap using paint from accessories
– pstat from Microsoft's Resource Kits
• Services
– netstat –an >c: \temp\hostname\netstatlog.txt
– more c:\temp\hostname\netstatlog.txt
– fport (foundstone.com)
• tcp/ip process to port
– srvinfo again
July 20, 2001
MIT Security Camp
 System Logs
• Event logs
– Are they enabled?
– Review and take copy if possible
• Auditing
– Never enabled?
• IIS/FTP logs
• Are they even being read?
July 20, 2001
MIT Security Camp
 Unauthorized Changes
• Search for changes to files
– Search for files modified & created by date
• W2k=Search NT=Find (from start menu)
– Search for hidden files & folders
• dir /S /ah >c:\temp\hostname\dirahout.txt
• edit c:\temp\hostname\dirahout.txt & search on date
• Search for changes to the registry
– DumpReg (Somarsoft.com) – only if sure of date
• Able to sort by modified time on NT systems
• Option to only show keys changed since date

July 20, 2001

MIT Security Camp
 Other
• Copy of users & groups
– Export lists in W2K & showmbrs from RK
– User Manager in NT4 (clipboard to paint trick)
• Check temp files (c:\winnt\temp, c:\temp, etc)
• Zip copy of c:\temp\hostname folder
• Intended use(s)
• Remote port scan
July 20, 2001
MIT Security Camp
 Findings
• What did they do with the system?
– Trojan Software
– Added Hidden (or non-hidden) directories
– Added new accounts
– Cracking the SAM

July 20, 2001

MIT Security Camp
 Summary
• Is the system compromised?
– At what privilege level?
• Via what mechanism?
• When did the compromise first occur?
• Where did the intruders come from?
• Where else did they attack from here?

July 20, 2001

MIT Security Camp
 Follow-up

• Incident Reports
• User/Admin educational opportunity
• Chance to promote usage of central
resources
• Update Incident Database
• File all notes/disks, etc – in safe place

July 20, 2001

MIT Security Camp
 Questions and Comments
• This is a work in progress. We invite
your feedback.
• [email protected] Subject: Security Camp
/ Windows Checklist

July 20, 2001

MIT Security Camp