Thursday, October 25, 2007

Windows Forensics and Incident Recovery

Windows Event Log

- clearing the Security Event Log generates event ID 517

- Stealing info via a USB drive may cause event ID 134: "Removable Storage Service". If the logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key; a right-click on these entries may show "RemoveableMedia"

- Logon events

- Logon types (Microsoft KB article 140714)

- More security events

CMD Line History

- doskey /history or the RunMRU registry key

File Associations

- C:\>assoc will list out every association; C:\>assoc .exe ---> .exe=exefile

- ftype exefile ---> exefile="%1" %* ; shows what variables are used at runtime; this matches the value in HKEY_CLASSES_ROOT\exefile\shell\open\command

- if this value has been modified by malware, use --> C:\>ftype exefile="%1" %* to change it back

Hidden Files

- To view hidden files ---> C:\> dir /ah; using the attrib command will list out all file attributes

Scheduled commands

- Sometimes malicious code is scheduled; use at cmd or schtasks.exe to view scheduled tasks

File Signatures

- located in the first 20 bytes of a file; MZ is found in executables; look for a mismatch between signature and extension

- a good list of file headers
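As an added example (not from the book or these notes), a small Python scanner that applies the signature check above: it reads the first 20 bytes of each file, compares the header against the extension, and flags PE files (MZ) hiding behind a non-executable extension. The magic table and the sample files written by demo() are constructed; extend the table from the header list mentioned above.

```python
import os
import tempfile

HEADER_BYTES = 20  # the notes above check the first 20 bytes of a file
# extension -> acceptable leading bytes (constructed, deliberately partial table)
MAGIC = {
    ".exe": (b"MZ",), ".dll": (b"MZ",), ".sys": (b"MZ",),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04",),
    ".jpg": (b"\xff\xd8\xff",),
}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv", ".cpl"}

def header_mismatch(path):
    """Return a reason if the header disagrees with the extension, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(HEADER_BYTES)
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return "extension %s but header %r" % (ext, head[:8])
    if head.startswith(b"MZ") and ext not in PE_EXTENSIONS:
        return "PE header (MZ) behind non-executable extension %s" % ext
    return None

def scan_tree(root):
    """Walk root and return sorted (basename, reason) pairs for mismatches."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            reason = header_mismatch(os.path.join(dirpath, name))
            if reason:
                findings.append((name, reason))
    return sorted(findings)

def demo():
    """Write constructed sample files to a temp dir and scan them."""
    d = tempfile.mkdtemp()
    samples = {
        "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,  # legitimate PE
        "report.txt": b"MZ\x90\x00" + b"\x00" * 60,   # PE hidden as .txt
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # PE hidden as .pdf
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # header matches
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return [name for name, _ in scan_tree(d)]
```

Point scan_tree() at a directory of interest; demo() only exists to show the two kinds of mismatch on constructed files.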

File Times (MAC Times: Modified, Accessed, Created)

- C:\>dir /ta ----> lists files in order of last access

- The Unix touch command has been ported to Windows

- if auditing is enabled, changes to MAC times create events with ID 560 in the eventlog


- Elitewrap will combine 2 files and compress

- GUI version inPEct

ADS(Alternate Data Stream)

- Lads will detect this

- Also Streams from sysinternals

- the best way to remove an ADS is to copy the file, delete the old, and rename

- ADS can also be attached to directories ---> echo "FooBar" > :ads.txt (attaches the stream to the current directory)

- This adds an executable to an ordinary txt file -> C:\ads>type c:\windows\system32\notepad.exe > myfile.txt:np.exe

- Call it like this -> C:\ads>start .\myfile.txt:np.exe ; the full path works also

- VB script can be hidden in an ADS and launched --> C:\ads>wscript //E:vbs myfile.txt:ads.txt

Registry Hiding

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation is a common hiding place because it is not used by the OS. Strings or small programs can be hidden in this key

Document Metadata

- Strings from sysinternals will also find metadata

- rhdtool from MS will remove metadata

OLE Storage

-Merge Streams will combine files


- Free Tools at (S-Tools4)

- Hydan is also popular

Windows Server Port List


NTFS Conversion

- to convert from FAT to NTFS --> C:\>convert /FS:NTFS c:\

NSA Templates

- you can download OS templates for Windows secedit (Local Security Policy)

GPO settings

- gpresult.exe can be run to find policy settings

Login Restrictions

- you can modify lockout settings using the net accounts command to allow for unlimited password attempts

IIS Application mappings

- using the MMC, bring up application mappings and disable all unnecessary mappings

- IIS Lockdown and URLScan can provide additional security for IIS servers

Windows File Protection

- backup copies of protected files are restored from the cache (%SYSTEMROOT%\system32\dllcache) if they are modified or deleted

- the cmd line utility sfc can be used to replace modified files

Perl lib Win32::AdvNotify

- allows you to create your own WFP, for example for a static website, which will monitor for defacements and automatically replace the file and notify you.

Patch Management

- Download MBSA here

- Shavlik Trial

Web Vulnerability Assessment

- Free tools available at

Centralized Logging

- ntsyslog, kiwi syslog daemon, dumpevt.exe(somarsoft)

- port reporter provides mapping logs

Volatile Information Recovery

- C:\>date /t && time /t , recovers the system date and time for comparison

- systeminfo.exe, native on XP or newer, will also show uptime; also psinfo.exe from sysinternals

- psloggedon.exe from sysinternals shows remote and local logged-on users

- netusers.exe from somarsoft will also show previously logged-on users with the /h switch

- C:\>net session will display any active remote connections

- C:\>net use * \\\c$ /u:Administrator , to log on remotely

- to list processes use pulist from the resource kit or pslist from sysinternals; using the /t switch with pslist will display processes in a tree. Trojaned processes often fall outside the tree

- listdlls.exe from sysinternals will give you version information along with the command used to start the process

- handle.exe from sysinternals lists out everything the process is accessing

- c:\>tasklist /svc native to XP lists out processes along with window title information

- tlist from the windows debug kit is very functional

- svchost is a generic Windows process that shows up multiple times. To find out which services they are mapped to, review the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Remote Shell

- Net use \\machine\ipc$ /user:machine\administrator

- psexec \\machine cmd

Process Info Guidelines, at minimum collect the following:

- Process identifiers (PIDs) for each process running on the system (provided by most all tools)

- Process name (provided by most all tools)

- Length of time the process has been running (pslist.exe)

- Command line used to launch each process (listdlls.exe, cmdline.exe, tlist.exe)

- Full path to the executable file that each process was launched from (cmdline.exe, tlist.exe)

- User context that each process runs under (handle.exe, pulist.exe)

- Services running under each process (tlist.exe, tasklist.exe)

Additionally, the investigator will want to collect the following:

- Handles used by each process (handle.exe)

- Modules (DLLs) used by each process (listdlls.exe)

Process Memory

- using pmdump.exe from you can extract what's in memory for a given PID

- dd from will slice out the entire physical memory contents

- c:\>dd if=\\.\physicalmemory of=c:\win2k-physmem.dd bs=4096

Network Stat & Connections

- promiscdetect from will find interfaces in promiscuous mode, locally

- netstat lists many connections which result from apps binding to the INADDR_ANY constant

- on XP or newer, netstat -ano; the -o option lists the PID

- nbtstat -s lists current NetBIOS over TCP/IP sessions

- fport from will map ports to the full path of the owning process

- net use lists out all shares currently mapped

- net share lists out all resource shared out on the system

- net session lists active SMB sessions made to the system over the network

- net file lists out any files in use by an active net session

Clipboard info

- pclip.exe from will dump clipboard info to STDOUT

Command History

- C:\> doskey /history will show command line history

Service & Drivers

- net start will list all running services but not device drivers

- sc.exe from the resource kit and native on XP or newer

- drivers.exe from the resource kit and driverquery on XP or newer provide a lot of driver-related info

GPO settings

- can be used to determine how a system was compromised if settings were changed

- GPList from shows GPOs applied on a system

- GPResult.exe from the Resource Kit shows settings of the current user only

Protected Storage

- pstoreview.exe from can reveal user info in PS

MAC Information

- dir with /tw, /ta, /tc will give specific MAC time information

- macmatch found here will search a given time period
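A Python version of what macmatch does, covering the MAC-time notes here and under File Times above (an added example, not the tool itself or code from these notes): it walks a tree and reports every file whose M, A or C timestamp falls inside a window. The two sample files and their back-dated timestamps in demo() are constructed with os.utime.

```python
import os
import tempfile
from datetime import datetime, timezone

def mac_match(root, start, end):
    """Return sorted (relative path, matched letters) for files under root whose
    Modified, Accessed or Created timestamp lies within [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            # st_ctime is creation time on Windows but inode-change time on Unix
            stamps = (("M", st.st_mtime), ("A", st.st_atime), ("C", st.st_ctime))
            matched = "".join(f for f, t in stamps if lo <= t <= hi)
            if matched:
                hits.append((os.path.relpath(full, root), matched))
    return sorted(hits)

def demo():
    """Constructed sample: two files, one back-dated into the search window."""
    root = tempfile.mkdtemp()
    for name in ("inside.txt", "outside.txt"):
        with open(os.path.join(root, name), "w") as f:
            f.write("sample\n")
    t_in = datetime(2004, 6, 15, 23, 30, tzinfo=timezone.utc).timestamp()
    t_out = datetime(2004, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "inside.txt"), (t_in, t_in))    # sets A and M
    os.utime(os.path.join(root, "outside.txt"), (t_out, t_out))
    return mac_match(root, datetime(2004, 6, 15, 22, 0, tzinfo=timezone.utc),
                     datetime(2004, 6, 16, 2, 0, tzinfo=timezone.utc))
```

Because the C timestamp of the sample files is the current time, only the M and A fields match in demo(); on a live system the window is usually the suspected incident period.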

File permissions

- cacls, native to windows, will show permissions of any given file

File integrity

- md5deep from will calculate md5 hashes for you

Recycle Bin Analysis

- Rifiuti from will parse the INFO2 file

Registry Analysis

- reg.exe from the resource kit will pull out any keys you're looking for from the registry at the cmd line

- HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is the most popular location for malware

- from the book will show last write times for any given registry key

User Accounts

- most often compromised machines contain one or more new accounts created by the hacker that need to be analyzed

- last logon, time created, # of logins, and permissions will all be useful information

Event Logs

- Auditpol.exe from RK can be used to verify the level of logging set on the system

- dumpel.exe from will grab all event log data

- D:\>psloglist -s -x system , from can be used remotely

File Analysis

- strings from will retrieve ASCII/Unicode strings from a binary

- bintext from is a gui w/ a good filter

- ms has a dll lookup online

- dependencywalker from has a gui to show all file dependencies

- WordLeaker will rip out word metadata, along with revision history, available at

- fdte from will grab hidden dates & times from a binary

- you can view pdf metadata by using Adobe Reader, FILE | Document Properties

CA Identity Theft Law(SB 1386) - affects all companies doing business in CA


Know What To Look For

- The goal of any incident investigation should be to determine whether an incident occurred and, if so, how it was able to occur (root cause analysis, RCA)

Infection Vectors

- common vectors: email, p2p, IM, web browser, OS/application buffer overflows, default/weak passwords

Malware Footprints

- often leave new files and directories

- added to startup C:\Documents and Settings\\Start Menu\Programs\Startup

- added to run in registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- afind(foundstone) or macmatch(ntsecurity) can be used to find recently modified/created files/dirs

- can be a scheduled task(at cmd) and creates a job in C:\WINNT\Tasks

- example (2K) c:\>at 11:00pm /every:5,10 cmd /c "sol.exe"

- example (XP) c:\> schtasks /create /tn Solitaire2 /tr sol.exe /sc onlogon

- often malware changes how the system handles .exe files: HKEY_CLASSES_ROOT\exefile\shell\open\command

- original value "%1" %*; other extensions modified are .bat, .com, or .txt

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can also be modified

- Shell should be set to "Explorer.exe"

- abnormal processes, in particular svchost.exe, are often mimicked (scvhost or svchosts) or duplicated

- malware can often be set up as a Windows service, using srvany.exe (resource kit)

- example C:\>path\instsrv.exe path\srvany.exe; then by editing the following registry entry

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service name, you can run any app or executable
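The footprint checks above turned into a Python triage helper (an added example, not code from the book or these notes): it compares the exefile open command and the Winlogon Shell value with their expected defaults, and flags process names that are a couple of edits away from svchost.exe and friends, or genuine system names running from outside system32. The registry values and process list are assumed to have been pulled with reg.exe and listdlls/tlist; the sample values in demo() are constructed.

```python
import ntpath

EXPECTED_EXEFILE_COMMAND = '"%1" %*'  # default value from the notes above
# names malware commonly mimics or duplicates; svchost.exe is the one the notes call out
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

def check_exefile_command(value):
    r"""HKEY_CLASSES_ROOT\exefile\shell\open\command should be exactly "%1" %*."""
    if value.strip() == EXPECTED_EXEFILE_COMMAND:
        return None
    return "exefile open command changed to %r" % value

def check_winlogon_shell(value):
    r"""Winlogon\Shell may hold a comma-separated list; only Explorer.exe is expected."""
    shells = [s.strip().lower() for s in value.split(",") if s.strip()]
    return None if shells == ["explorer.exe"] else "Winlogon Shell is %r" % value

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_processes(procs):
    """procs: (image name, full path) pairs as listdlls/tlist report them. Flags
    lookalike names (scvhost, svchosts) and system names running outside system32."""
    findings = []
    for name, path in procs:
        n, d = name.lower(), ntpath.dirname(path).lower()
        if n in SYSTEM_PROCESSES:
            if not d.endswith((r"\windows\system32", r"\winnt\system32")):
                findings.append("%s running from %s" % (name, path))
            continue
        for legit in sorted(SYSTEM_PROCESSES):
            if edit_distance(n, legit) <= 2:  # scvhost/svchosts are 1-2 edits away
                findings.append("%s looks like %s (%s)" % (name, legit, path))
    return findings

def demo():
    """Constructed sample registry values and process list; returns all findings."""
    procs = [("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
             ("scvhost.exe", r"C:\WINDOWS\scvhost.exe"),
             ("svchost.exe", r"C:\Documents and Settings\user\svchost.exe")]
    reg = [check_exefile_command(r'"C:\WINDOWS\sol.exe" "%1" %*'),
           check_winlogon_shell("Explorer.exe, sol.exe")]
    return [f for f in reg if f] + suspicious_processes(procs)
```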


- a popular Windows rootkit (RK) site is Greg Hoglund's site

- user-mode rootkits simply replace files with trojaned versions or use DLL injection to overwrite code in memory

- kernel-mode rootkits override the TCB and hook all system calls

- a good way to remove them is to boot into Safe Mode and remove the entries in the Run key and the actual files themselves

Forensics Server Project (POC for automated system info collection)

- , runs on Windows/Linux, requires Perl (requires Win32::GUI, Digest::MD5, and Digest::SHA1; install with c:\>perl>ppm install ), can run on any port (default 7070)

- setup of the First Responders Utility (FRU) requires Win32::GUI, Win32::Lanman, Win32::Perms, Win32::API::Prototype, Win32::TaskScheduler, Win32::DriveInfo, Win32::IPConfig. It requires a CD burner and you must also download the following 3rd-party utilities: cmd.exe (clean), (sysinternals psloggedon, pslist, psloglist, psinfo, listdlls, handle), tlist from MS Debugging Tools, (DiamondCS cmdline, iplist, openports), (FoundStone rifiuti), ( promiscdetect) and reg and auditpol from MS.

- FRU also requires the following perl scripts,,,,,,,,,, and

- the clean cmd.exe should be placed in the root directory of the CD-rom

- The File Client Component ( should be installed as part of the FSP; it allows suspect files to be copied off

- netcat can be used as a port scanner; D:\tools>nc -v -w 2 -z ; will display open ports in the given range.

- Adding an echo and dropping the -z will grab banners; D:\tools>echo QUIT | nc -v -w 2 0-1024 ;

- portqry is microsoft's version;


- netmon is built in by Microsoft; ; can also be run remotely via SMS

- windump is another w32 tcpdump;