
Windows Forensics and Incident Recovery

Harlan Carvey

Addison-Wesley

Boston • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid • Capetown • Sydney • Tokyo • Singapore • Mexico City

Contents

Preface xiii

Chapter 1  Introduction  1
    Definitions  1
    Intended Audience  3
    Book Layout  4
    Defining the Issue  6
    The Pervasiveness and Complexity of Windows Systems  8
    The Pervasiveness of High-Speed Connections  10
    The Pervasiveness of Easy-to-Use Tools  11
    Purpose  11
    Real Incidents  16
    Where To Go For More Information  20
    Conclusion  21

Chapter 2  How Incidents Occur  23
    Definitions  23
    Purpose  24
    Incidents  25
    Local vs. Remote  25
    Manual vs. Automatic  34
    Lowest Common Denominator  35
    Attacks Are Easy  37
    Summary  52

Chapter 3  Data Hiding  55
    File Attributes  56
    The Hidden Attribute  60
    File Signatures  62
    File Times  68
    File Segmentation  81
    File Binding  81
    NTFS Alternate Data Streams  83
    Hiding Data in the Registry  92
    Office Documents  95
    OLE Structured Storage  101
    Steganography  102
    Summary  104

Chapter 4  Incident Preparation  105
    Perimeter Devices  107
    Host Configuration  110
    NTFS  111
    Configuring the System with the SCM  112
    Group Policies  117
    Getting Under the Hood  118
    User Rights  118
    Restricting Services  128
    Permissions  132
    Audit Settings and the Event Log  133
    Windows File Protection  134
    WFP and ADSs  144
    Patch Management  145
    Anti-Virus  147
    Monitoring  147
    Summary  172

Chapter 5  Incident Response Tools  179
    Definitions  181
    Tools for Collecting Volatile Information  182
    Logged On User(s)  185
    Process Information  189
    Process Memory  202
    Network Information and Connections  205
    Clipboard Contents  215
    Command History  216
    Services and Drivers  217
    Information  220
    Tools for Collecting Non-Volatile Information  224
    Collecting Files  224
    Contents for the Recycle Bin  232
    Registry Key Contents and Information  235
    Scheduled Tasks  241
    User Information  241
    Dumping the Event Logs  244
    Tools for Analyzing Files  246
    Executable Files  246
    Process Memory Dumps  252
    Microsoft Word Documents  252
    PDF Documents  254
    Summary  256

Chapter 6  Developing a Methodology  259
    Introduction  261
    Prologue  262
    First Dream  263
    Second Dream  269
    Third Dream  276
    Fourth Dream  284
    Fifth Dream  292
    Summary  304

Chapter 7  Knowing What to Look For  307
    Investigation Overview  309
    Infection Vectors  314
    Malware Footprints and Persistence  317
    Files and Directories  318
    Registry Keys  325
    Processes  327
    Open Ports  328
    Services  329
    Rootkits  331
    AFX Windows Rootkit 2003  332
    Detecting Rootkits  337
    Preventing Rootkit Installations  353
    Summary  354

Chapter 8  Using the Forensic Server Project  357
    The Forensic Server Project  358
    Collecting Data Using FSP  362
    Launching the Forensic Server  363
    Running the First Responder Utility  366
    File Client Component  373
    Correlating and Analyzing Data Using FSP  377
    Infected Windows 2003 System  378
    A Rootkit on a System  380
    A Compromised Windows 2000 System  385
    Future Directions of the Forensic Server Project  385
    Summary  387

Chapter 9  Scanners and Sniffers  389
    Port Scanners  390
    Netcat  392
    Portqry  394
    Nmap  396
    Network Sniffers  403
    NetMon  404
    Netcap  404
    Windump  405
    Analyzer  407
    Ethereal  410
    Summary  416

Appendix A  Installing Perl on Windows  417
    Installing Perl and Perl Modules  418
    Perl Editors  422
    Running Perl Scripts  423
    Setting Up Perl for Use with this Book  426
    Win32::Lanman  426
    Win32::TaskScheduler  426
    Win32::File::Ver  427
    Win32::API::Prototype  427
    Win32::Perms  428
    Win32::GUI  428
    Win32::FileOp  429
    Win32::DriveInfo  429
    Win32::IPConfig  432
    Summary  432

Appendix B  Web Sites  435
    Searching  436
    Sites for Information about Windows  436
    Anti-Virus Sites  437
    Program Sites  438
    Security Information Sites  439
    Perl Programming and Code Sites  440
    General Reading  441

Appendix C  Answers to Chapter 9 Questions  443
    FTP Traffic Capture  443
    Netcat Traffic Capture  444
    Null Session Traffic Capture  445
    IIS Traffic Capture  445
    Nmap Traffic Capture  446

Appendix D  CD Contents  447

Index  449