Forensic Evaluation of Windows NT ++

• Scott Ferguson

• Keith Gittings

• Casey Lunny

Overview

• Handling of Physical Evidence

• Gathering Evidence

• Gathering and Discovering Passwords

• Investigating the File System

International Organization on Computer Evidence

• www.ioce.org

• Key concepts

• Documentation
• Preservation

• IOCE proposes a set of principles to be followed during a forensic investigation

IOCE Principles

• When dealing with digital evidence, all of the general forensic and procedural principles must be applied

• Upon seizing digital evidence, actions taken should not change that evidence.

• When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.

• All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.

• An Individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.

• Any agency, which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Handling of Physical Evidence: Documentation

• Documentation

• Begin at start of investigation
• Allow no gaps
• Can lead to entire case being called into question
• Cases may take years
• Record everything
• Including System Time
• CMOS Internal ClocK
• May Affect Document Search
• GetTime (http://www.forensics-intl.com/gettime.html)

Handling of Physical Evidence: Documentation

• Work with Partner

• Allows for dedicated note-taker
• Tape Recorder can serve as partner
• Remember Tape Recorder may be subpoenaed

• Transportation

• Transport suspect equipment and documents to secure location

Handling of Physical Evidence: Chain of Custody

• Chain of Custody

• Document everyone who comes in contact
• Limit Access only to highly trained investigators
• Safeguard physical machine
• Limit Access
• Use a product such as “Seized”
• http://www.forensics-intl.com/seized.html

Handling of Physical Evidence: Collection

• Collection

• Collect in order of volatility

Handling of Physical Evidence: Collection

• Options for powering off computer

• Live System
• Least Effective
• Pull the Plug
• Provides Clear Image of System State
• Prevents Malicious Code
• Possible System Corruption
• Administrative Shut Down
• Provides Proper System Shut Down
• Prevents System Corruption
• Possible Malicious Code

Handling of Physical Evidence: Collection

• Collect Everything

• Floppies
• CD-Rs, CD-RWs
• DVD-Rs
• Tapes

Handling of Physical Evidence: Equipment

• Forensic Equipment

• Use dedicated machine (preferably)
• Free of unneeded programs
• Avoid Embarrassment
• Use legal version of software
• Register shareware

Gathering Evidence: Copy, Copy, Copy

• Create Copy of Data

• Never work with original data

• Work with the copy

• Prevents against
• Changing data (intentionally or unintentionally)
• Contaminating data
• Destroying data

Gathering Evidence: Making the Copy

• Hard Drive

• Remove from suspect machine
• Create bit stream copy
• Image MaSSter (http://www.icsiq.com)

Gathering Evidence: Fingerprint and Timestamp

• Fingerprint and Timestamp Copy

• Authenticates Copy

• Tools

• CRCMD5
• MD5
• CRC

Gathering and Discovering Passwords: The Scene

• All passwords are valuable

• People often reuse passwords
• Encrypted files with no value may have password of immense value

• Investigate the scene

• Common locations
• Under Mouse Pad
• Desk Drawers
• Rolodex
• Magazines

Gathering and Discovering Passwords: The suspect

• Interviewing the Suspect

• Ask for password
• Many suspects are willing to divulge password
• Coercive
• Offer of computer return
• Rubber hose method
• Gather information
• Common words
• Common things
• Pets Name
• Children
• Interests

Gathering and Discovering Passwords: Obtaining the password

• Breaking the Encryption

• Administration Passwords
• Windows password crackers
• L0phtcrak (www.atstake.com)
• CAIN
• Password Encrypted Files
• AcessData (www.accessdata.com)

Gathering and Discovering Passwords: L0phtcrack

• L0phtCrack is designed to recover passwords for Windows NT

• takes the hashes of passwords and generate the clear text passwords
• Uses two methods
• Dictionary Cracking
• Brute Force Cracking

Gathering and Discovering Passwords: AccessData Password Recovery Toolkit

Gathering and Discovering Passwords: Circumventing Passwords

• Plaintext Version of Encrypted Files

• Some applications store backup copy
• Microsoft Word
• .wbk extension

Investigating the File System Hiding Data

• Changing File Extensions

• Easy Method
• Ex. (.jpg to .doc)
• Don’t use Windows Explorer to locate files
• Jasc Quick View Plus (www.jasc.com)
• Identifies files without use of file extension
• Encase (www.encase.com)
• Can Identify files that were intentionally mislabeled

Investigating the File System Hiding Data

• Hiding Directories and Files

• Windows allows users to set files as hidden
• Prevents accidental altering of file
• Enables user to hide any file or directory
• Solution:
• Make sure Windows Explorer is set to show hidden files

Investigating the File System Hiding Data

• NT Streams

• Arbitrary data associated with a file
• Used to associate new data objects with file
• Available with Windows NT, XP, 2000
• Can not be detected by Windows Explorer or Most GUI-based programs
• Can be detected with SFind (Forensic Toolkit from Foundstone)

Investigating the File System The Forensic Toolkit

• The Forensic Toolkit (www.foundstone.com)

• Contains several Win32 Command line tools that can help you examine the files on a NTFS disk partition for unauthorized activity.
• AFind  
• lists files by their last access time without tampering the data the way that right-clicking on file properties in Explorer will.  AFind allows you to search for access times between certain time frames, coordinating this with logon info provided from ntlast, you can to begin determine user activity even if file logging has not been enabled.
• HFind
• scans the disk for hidden files. It will find files that have either the hidden attribute set, or NT's unique and painful way of hiding things by using the directory/system attribute combination. This is the method that IE uses to hide data. HFind lists the last access times.
• SFind
• scans the disk for hidden data streams and lists the last access times.

Investigating the File System Hiding Data

• The Network

• File servers at work
• Internet sites providing free storage
• Clues to existence
• File Cache
• Internet history
• Network Neighborhood

Investigating the File System Hiding Data

• Steganography

• “to hide in plain sight”
• Computer cryptography called “stego”
• Data is hidden in “carriers”
• Common carriers are multimedia files
• Time consuming
• Difficult to find “stegoed” files
• Clues
• Stego software such as S-Tools found on computer
• Images appear altered (if poor carrier chosen)

Investigating the File System Hiding Data

• Altering the System Environment

• Mislead examiner about system
• Always avoid investigating on actual system
• More common on Unix systems
• Methods
• Alter specific binary
• Alter the entire kernel
• Affects multiple binaries
• DLLs
• Enable commonly used code routines to be updated
• Altering DLLs will effect many programs
• Tripwire (www.tripwire.com)
• Can detect changes to system environment

Investigating the File System Nontraditional Computer Storage

• Ambient Data

• “data stored in non-traditional computer storage areas and formats”
• File Slack
• Swap Files
• Unallocated Space

Investigating the File System Nontraditional Computer Storage

• File Slack

• File size must be divisible by cluster size (512 bytes on Windows).
• Clusters are made up of sectors (number varies)
• RAM data used to pad to end of sector
• Hard drive data used to pad to end of cluster
• Example:
• Hello+++++++++++++++++++|------------------------(EOF)
• RAM Slack is indicated by "+“
• Drive Slack is indicated by "-"

Investigating the File System Nontraditional Computer Storage

• Unallocated Space

• Clusters that are not allocated to a directory or file but possibly still contain data the user has thought long since erased
• AccessData Forensic Data
• Examines Slackspace

Investigating the File System AccessData Forensic Toolkit

Investigating the File System AccessData Forensic Toolkit

Investigating Windows Computers

• The Microsoft Corporation has been providing a steady supply of operating systems, each of which builds on the previous version.

• Since newer releases of Windows are based on its predecessor, backwards compatibility with previous versions is provided.

Investigating Windows Computers

• An investigator must be aware of the built-in tools that the Windows operating systems provide.

• Globally Unique Identifiers
• Windows Registry
• Recycle Bin
• Scandisk Log files
• Find Program
• Windows Email

Globally Unique Identifiers

• PID_GUID values are an essential component of Microsoft’s architecture and can be found in:

• Word Document files
• Cookies
• Windows Registry

• The PID_GUID contains a serial number than can identify which computer a file was created on.

Locating GUID in Word Documents

• Open Microsoft Word and create a new text file.

• Save the file as a Word 97 document, which should be the default (note: this will not work under Office 2000.)

• Use Quick View Plus to open the document and search for the string ‘PID_GUID.’

The program should find a string similar to this:

• The program should find a string similar to this:

• PID_GUID_{36FDE49B-5EFC-4DD6-A282-Abc1234567890}
• The last 12 hexadecimal characters at the end of this string represent the MAC address of the originating computer.

Limitations

• This technique is limited because :

• It assumes that the suspect has not changed the Ethernet card in his/her computer.
• The PID_GUID is no longer included in documents created with newer versions of Microsoft Word.

Locating PID_GUID in Cookies

• Explore the Windows Cookies directory and search for a file ending in “microsoft.txt.”

• Within the file you should see a string similar to this:

• MC1V=2&GUID=b0ea5322ab004da78116a0a10 microsoft.com

Locating PID_GUID in Windows Registry

• In the Registry Editor search for “MachineGUID”

• regedit should return a value similar to this in the data column:

• 950f31d7-3d5s-4576-a939-1b2f68a3cddf.

Locating PID_GUID in Windows Registry

Other Uses of the Windows Registry

• The Windows registry is a comprehensive database containing information on every Windows-compatible program that has been installed on the PC.

• The Registry contains information about:

• Users
• Their preferences
• Information on the hardware
• Network information

Working with the Registry

• The Registry is a database of values that control the behavior of Windows, including any hosted applications and services.

• The Registry is not an exhaustive collection of configuration settings and parameters; instead, it is a collection of exceptions.

• When an item is listed in the Registry, it defines an exception or a different value for parameters that the process uses instead of its known defaults.

Registry Keys

• HKEY_LOCAL_MACHINE — This Registry subtree contains the configuration parameters pertaining to the local computer system, including both hardware devices and operating system components.

• HKEY_CURRENT_CONFIG — This Registry subtree contains configuration settings for the currently active hardware profile. It is rebuilt each time NT is booted.

• HKEY_CURRENT_USER — This Registry subtree contains configuration and profile information pertaining to the currently logged on user. It is built each time a user successfully logs onto the system.

• HKEY_USERS — This Registry subtree contains the configuration and profile information pertaining to all users of this computer, plus the default profile.

Investigating the Registry

• By exploring the keys within HKEY_CURRENT_USER - Software/Microsoft/Internet Explorer/ you can find all of the current settings, past URL searches, security preferences, download folder settings, and even the startup home page for the current user.

• By searching the TypedURLs directory a list of recently searched web addresses is supplied.

TypedURLs

Explorer/RunMRU

• This key contains a list of the most recent programs launched from the Run window.

HKEY_LOCAL_MACHINE

• HKEY_LOCAL_MACHINE contains the Network/Logon key, which displays the last username used to log onto a network.

• Stores all of the information related to:

• Hardware
• Security Account Manager
• Software
• System

Other Windows Tools

• The Recycle bin is a good place to search for evidence.

• Many users forget that deleted files are placed in the Recycle Bin until they are deliberately emptied or until it fills up and begins overwriting files.

Other Windows Tools

• Scandisk .chk files may contain information a suspect has tried to delete.

• The Scandisk utility will attempt to restore files that it believes have been inadvertently deleted.

• Since Scandisk files can contain pieces of deleted files, useful information that may otherwise be lost is sometimes still sitting in a .chk file.

Other Windows Tools

• The easiest way to find files in Windows is using the built-in Find program.

• The Find tool allows you to sort by name, file type, and date of last modification.

• The Find program in Windows 2000/XP allows you to search for a specific string within a file.

Windows Email

• Email is often a rich source of information about a suspect’s activities.

• Email files in Microsoft systems are not easy to analyze.

• Users may download all emails or store them remotely on a server.
• Many different mail applications have their own file formats and conventions.

Windows Email

• Mail is like any other application in that it uses temporary files and swap space.

• Check the hard drive for messages or check the slack space for remnants of original emails.

• Check the suspects Web history and see is any past sites appear to be an email site.

• You can then use your forensics analysis tool to search for fragments containing the domain of that email provider.