Module 3-MF

The document discusses post-mortem computer forensics, focusing on the forensic examination of Windows systems to analyze malware. It outlines various techniques such as temporal, functional, and relational analysis to recover information and understand malware behavior. Additionally, it emphasizes the importance of network logs in reconstructing the intrusion vector and gathering evidence from compromised systems.
MODULE 3

POST-MORTEM FORENSICS
DEFINITION
• Postmortem computer forensics is, in essence, performing a data autopsy on a dead system. Here "dead" means that the computer has been powered down, not that the computer is broken.
INTRODUCTION
• Forensic examination of Windows systems is an important part of analyzing malicious code, providing context and additional information that help us understand the functionality and origin of malware.
• Whereas live system analysis can be considered surgery, forensic examination can be considered an autopsy of a computer impacted by malware.
CHAPTER OVERVIEW
• This chapter describes forensic examination
techniques for recovering useful information
from a forensic duplicate of a hard drive, and
provides examples of common artifacts that
malware creates on a Windows computer.
Forensic Examination of Compromised Windows Systems
• Given the number of vulnerabilities that exist in Microsoft
applications, it is incumbent upon digital investigators to be aware
that malicious code is not only found in executable files, but may
be embedded in Microsoft Word or Excel files, or may be
delivered through Web-based attacks involving ActiveX controls.
• Therefore, in addition to inspecting executables, it may be
necessary in some cases to examine Microsoft Office documents
and Web pages.
• At the same time, it is infeasible to inspect every executable, Word
document, and Web page on a subject system for malicious code.
• To provide the necessary focus and ultimately locate key evidence,
digital investigators employ a number of techniques.
TEMPORAL ANALYSIS
• Computers are meticulous keepers of time. Each file on a Windows computer has a creation, last modified, and last accessed date. (Note that on many Windows versions from Vista onward NTFS does not update the last-accessed date by default, so that value should not be read as the last time a file was opened.)
• In addition, the New Technology File System (NTFS) maintains additional dates for each file: the date when the file's MFT record was last modified, and a second set of four date stamps in the $FILE_NAME attribute of the MFT record, alongside the set in the $STANDARD_INFORMATION attribute that Explorer and most tools display.
• In the example in Figure 4.1, the creation and last modified dates of the file are January 23, 2008, whereas all of the other date stamps in the MFT record indicate that the file was placed on the system on February 10, 2008. This difference is not necessarily evidence of date stamp tampering, because extracting a file from an archive (e.g., a zip or rar file) can transfer the original creation and last modified date stamps of a file onto the file system.
• Because the dates in the $FILE_NAME attribute are changed infrequently after a file is created, it is generally suspicious when dates in the $STANDARD_INFORMATION attribute predate those in the $FILE_NAME attribute, although some files exhibit this behavior naturally.
• In short, when file system date stamps have been tampered with, it is generally evident from inconsistencies such as those shown in Figure 4.1, and the values in the $FILE_NAME attribute will generally reflect the actual date a piece of malware was placed on the system.
• Windows also records the date and time of certain activities in the registry, event logs, and various other system and application files. All of these date stamps can be useful for creating a timeline to determine the sequence of events on the computer.
• However, there are other ways to utilize all of this temporal information. For
instance, creating a histogram of dates from the file system may reveal a spike in
activity related to the malware, giving the digital investigator a period of focus.
• Figure 4.2 shows a histogram of Modified Accessed Created (MAC) times
generated using EnCase, showing somewhat higher levels of activity at 5:29 p.m.
and 5:44 p.m. In this figure, the grey column at 5:29 p.m. contains three dots,
indicating that there are too many items to display. Closer inspection of the files in
these time periods reveals their relation to the installation of malicious code.
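The two checks just described, the $STANDARD_INFORMATION versus $FILE_NAME comparison of Figure 4.1 and the MAC-time histogram of Figure 4.2, as an added Python example that is not code from the original slides or the book they draw on. It parses the resident $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30) attributes out of raw MFT records; the three records, their file names and their dates are constructed with build_record() so the script runs offline. A real exported $MFT has 1024-byte records carrying an update-sequence array that must be applied before parsing; this toy builder does not emit one and the parser does not apply it.

```python
"""Temporal analysis of NTFS $MFT records (added example, not from the slides).
Flags files whose $STANDARD_INFORMATION dates predate their $FILE_NAME dates,
and buckets all MAC times into a histogram to find the spike of activity
around installation.  All records below are CONSTRUCTED by build_record()."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_modified", "accessed")  # order in both attributes


def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _resident_attr(atype, body):
    body += b"\0" * (-len(body) % 8)                     # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, 24 + len(body),
                      0, 0, 0, 0, 0, len(body), 24, 0, 0)  # resident, content at +24
    return hdr + body


def build_record(name, si_times, fn_times):
    """Constructed minimal FILE record: 48-byte header, $SI, $FN, end marker."""
    si = struct.pack("<4Q", *map(to_filetime, si_times)) + b"\0" * 16
    fn = (struct.pack("<Q", 5)                           # parent directory reference
          + struct.pack("<4Q", *map(to_filetime, fn_times))
          + struct.pack("<QQII", 0, 0, 0x20, 0)            # sizes, flags, reparse
          + bytes([len(name), 3]) + name.encode("utf-16-le"))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 0, 0, 1, 1, 48, 1,
                      0, 1024, 0, 3, 0, 0)               # first attribute at +48
    rec = hdr + _resident_attr(0x10, si) + _resident_attr(0x30, fn) + b"\xff\xff\xff\xff"
    return rec.ljust(1024, b"\0")


def parse_record(rec):
    """Return {'name', 'si': {...}, 'fn': {...}} with UTC datetimes."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if rec[off + 8] == 0:                             # resident attribute only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:
                out["si"] = dict(zip(FIELDS, map(from_filetime, struct.unpack_from("<4Q", body, 0))))
            elif atype == 0x30:
                out["fn"] = dict(zip(FIELDS, map(from_filetime, struct.unpack_from("<4Q", body, 8))))
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out


def timestomp_indicators(info, tolerance=timedelta(seconds=2)):
    """Date stamps where $SI predates $FN.  $FN is rarely rewritten after
    creation, so this ordering is suspicious, but archive extraction can
    legitimately backdate $SI created/modified: treat hits as leads."""
    return [k for k in FIELDS if info["si"][k] + tolerance < info["fn"][k]]


def activity_histogram(infos, bucket=timedelta(minutes=1)):
    """Count every $SI and $FN date stamp per time bucket, busiest first."""
    counts = Counter()
    for info in infos:
        for attr in ("si", "fn"):
            for t in info[attr].values():
                counts[t - (t - FILETIME_EPOCH) % bucket] += 1
    return counts.most_common()


def analyze(records=None):
    """Parse records; return ({name: indicators}, histogram)."""
    infos = [parse_record(r) for r in (records or SAMPLE_RECORDS)]
    hits = {i["name"]: timestomp_indicators(i) for i in infos}
    return {n: h for n, h in hits.items() if h}, activity_histogram(infos)


def _utc(*a):
    return datetime(*a, tzinfo=timezone.utc)


PLACED = _utc(2008, 2, 10, 17, 29, 5)        # when the malware actually landed
SAMPLE_RECORDS = [                           # constructed; names and dates are invented
    # $SI created/modified claim Jan 23; $FN and MFT-modified dates say Feb 10
    build_record("svchosts.exe", (_utc(2008, 1, 23, 9, 0), _utc(2008, 1, 23, 9, 0), PLACED, PLACED), (PLACED,) * 4),
    # dropped in the same minute, all eight stamps consistent
    build_record("install.log", (PLACED + timedelta(seconds=20),) * 4, (PLACED + timedelta(seconds=20),) * 4),
    # old, untouched system file
    build_record("notepad.exe", (_utc(2006, 11, 2, 12, 0),) * 4, (_utc(2006, 11, 2, 12, 0),) * 4),
]

if __name__ == "__main__":
    suspicious, hist = analyze()
    print("timestomp leads:", suspicious)            # {'svchosts.exe': ['created', 'modified']}
    for when, n in hist[:3]:
        print(when.strftime("%Y-%m-%d %H:%M"), n)     # 2008-02-10 17:29 is the busiest minute
```

The histogram counts both attribute sets, so a backdated file still contributes its $FILE_NAME stamps to the real installation minute; that is why the 17:29 bucket stands out even though svchosts.exe claims to date from January. Widen the bucket (hours, days) to see the longer-term picture the text recommends checking for an earlier start of the attack.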
• As a rule, always extend this type of temporal
analysis to earlier time periods in case the attack
began earlier than anyone realized initially.
• In addition, digital investigators should
experiment with various approaches to analyze
date stamps in the file system.
• Correct interpretation of date stamps in Windows
file systems requires knowledge and experience.
FUNCTIONAL ANALYSIS
• Loading a forensic duplicate into a virtual environment using LiveView allows a digital investigator to boot the compromised system and then execute and experiment with the malware, to better understand its functionality. Work from a copy or snapshot of the image: booting the duplicate in a virtual machine writes to its file system and would otherwise alter the evidence.
• EnCase has a Physical Disk Emulation (PDE) module that can be used to make a forensic duplicate available as a disk for analysis with other tools.
• There are also utilities, such as VMware DiskMount GUI and VDKWin, for mounting a VMware virtual disk file on a Windows forensic workstation for analysis.
RELATIONAL ANALYSIS
• A simple example of relational analysis relates to trust relationships between a compromised system and other systems on the network.
• For instance, some malware spreads to computers with shared accounts, or targets systems that are listed in the "system32\drivers\etc\lmhosts" file on the compromised Windows system.
• Alternatively, an examination of mounted network shares may reveal that a user on the compromised machine inadvertently clicked on malware that was stored on a file server.
• In such cases, discovering such relationships between the compromised system and other computers on the network may lead digital investigators to other compromised systems and additional useful evidence.
• Another common and effective use of relational analysis arises when a
worm spreads across a network and there are network-level logs that
record the incident.
• Other infected hosts can be located by searching network logs for the
Internet Protocol (IP) address that connected to the compromised computer
at the time of infection.
• Another form of relational analysis involves looking for commonality or
interactions between the malware and other objects on the compromised
computer.
• In the simplest case, the folder where the malware resides may contain
additional pieces of malware or associated log files.
• Alternatively, the file system permissions or flags set on a piece of malware
may be distinctive enough to be useful for finding other files with the same
settings.
• As an example, Windows can assign “ownership” of a file to a particular
user account.
• If this account is not in widespread use on the system, a digital
investigator could look for other files that are assigned the same user
account.
• In some cases, malware is programmed to download additional
components or create files on a compromised system.
• For instance, one bot generated a “.reg” file to reconfigure the system, and
used a simple batch script to load these changes into the Registry (e.g.,
W32.Spybot.ANDM).
• Once the components that relate to a piece of malware have been
identified, digital investigators can look for them on the compromised
system and in network traffic.
• In one case, the malware was programmed to connect out to a server
periodically, and it maintained a log of these connections. Once this log
file was discovered on one system, digital investigators were able to locate
other compromised systems in two ways: 1) searching network-level logs
for all connections to the remote server, and 2) looking for the presence of
this log on computers.
Correlation and Reconstruction
• Whenever feasible, a forensic examination relating to malware
should extend beyond a single compromised computer, as malicious
code is often placed on the computer via the network, and most
modern malware has network-related functionality.
• Discovering other sources of evidence, such as servers that the
malware contacts to download components or instructions, can
provide useful information about how malware got on the computer
and what it did once it was installed.
• A major aspect of investigative reconstruction is determining the
intrusion vector and surrounding activities, because uncovering how
malware came onto a system often gives insight into its operation
and capabilities.
• Common intrusion vectors that should be explored include:

• Given the potential that intruders covered their tracks, or that the intrusion vector left little or no trace on the compromised system, the importance of network logs in this type of investigation cannot be overstressed, including NetFlow, IDS, and firewall logs.
• These logs can show use of specific exploits, malware connecting to external IP addresses, and the names of files being stolen.
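The two network-log pivots described under relational analysis (finding the host that connected to the victim at the time of infection, and finding every host that connected to the server recorded in the malware's own connection log) and the NetFlow correlation recommended above, as one added Python example that is not code from the original slides. The NetFlow-style records, addresses, ports and the infection time are all constructed; real input would be exported flows or firewall logs carrying the same five fields. The flow timestamps are assumed to be UTC, as NTFS date stamps are; logs written in local time must be normalised before they are correlated with the file system timeline.

```python
"""Relational analysis over network logs (added example, not from the slides).
Given the infection time taken from the file system timeline, (1) find the host
that connected to the victim just before infection, (2) list the other hosts
that source reached on the same service, and (3) list every host that contacted
the server named in the malware's connection log.  FLOWS is CONSTRUCTED."""
import ipaddress
from datetime import datetime, timedelta

# constructed flows: "start src dst dport bytes" (all times UTC by assumption)
FLOWS = """\
2008-02-10T17:25:10 10.0.0.7 10.0.0.23 445 8120
2008-02-10T17:28:40 10.0.0.7 10.0.0.41 445 8095
2008-02-10T17:28:55 10.0.0.41 198.51.100.9 80 412
2008-02-10T17:29:02 10.0.0.7 10.0.0.50 445 8120
2008-02-10T17:29:30 10.0.0.50 198.51.100.9 80 415
2008-02-10T17:40:00 10.0.0.12 10.0.0.50 445 2100
2008-02-10T17:44:05 10.0.0.23 198.51.100.9 80 410
2008-02-10T18:00:00 10.0.0.50 198.51.100.9 80 414
2008-02-10T18:10:00 10.0.0.66 203.0.113.5 443 98000
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def _sorted_ips(hosts):
    """Unique hosts in numeric address order (string sort would misorder .7 and .23)."""
    return sorted(set(hosts), key=ipaddress.ip_address)


def inbound_sources(flows, victim, infected_at, lookback=timedelta(minutes=5)):
    """Hosts that connected to the victim in the window ending at infection."""
    return _sorted_ips(f["src"] for f in flows
                       if f["dst"] == victim and infected_at - lookback <= f["ts"] <= infected_at)


def same_service_targets(flows, sources, port):
    """Other hosts the suspected sources reached on the same service."""
    return _sorted_ips(f["dst"] for f in flows if f["src"] in sources and f["port"] == port)


def clients_of(flows, server):
    """Every host that connected to the server found in the malware's own log."""
    return _sorted_ips(f["src"] for f in flows if f["dst"] == server)


def pivot(text=FLOWS, victim="10.0.0.50",
          infected_at=datetime(2008, 2, 10, 17, 29, 5), c2="198.51.100.9", port=445):
    """Infection time and C2 address are hypothetical inputs from the disk analysis."""
    flows = parse_flows(text)
    sources = inbound_sources(flows, victim, infected_at)
    lateral = [h for h in same_service_targets(flows, sources, port) if h != victim]
    beacons = clients_of(flows, c2)
    return {"sources": sources, "lateral": lateral, "c2_clients": beacons,
            "collect_from": _sorted_ips(sources + lateral + beacons)}


if __name__ == "__main__":
    for key, hosts in pivot().items():
        print(f"{key:13} {', '.join(hosts)}")
```

The connection from 10.0.0.12 at 17:40 is excluded because it falls after the infection time, which is why the time window matters: without it the list of suspected sources would include a host that merely talked to the victim later. The hosts reached over port 445 and the hosts beaconing to the server corroborate each other here, but a host appearing in only one of the two lists still belongs on the collection list.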
