Win32 – Evidence Gathering

adrian.leuenberger@csnc.ch
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL

Tel.+41 55-214 41 60          Security Event – April 28, 2004   Page 1
Fax+41 55-214 41 61
info@csnc.ch www.csnc.ch




Agenda

1. Introduction
2. Primary decisions
3. The usual places
4. Hidden files
5. Obfuscated files
6. Privacy tools
7. Questions



Limitations

What this presentation covers
    Tools and techniques that can be used during the course of a forensic investigation
    Focus on not so well known aspects

What this presentation will not cover
    Due to the limited time, only very specific aspects can be covered

Why?
    Additional topic in Compass' portfolio



Decisions

Plan
    Identification
    Acquisition
    Analysis
    Presentation

Will this case be brought to court?
    Non-litigious forensics can turn litigious: an investigation that was not meant for court may end up there

Do we need the expertise of others?

Much more...

The usual places

So then... Where is the data?
    Recycle bin
    Recent documents
    Temp folders
    Local drives
    Internet Explorer cache
    Outlook folders
    Prefetch folder
    Deleted files on the hard disk
    Pagefile.sys
    Slack space
    Memory
    System caches
    …and many more…

Hidden files - I

ADS (alternate data streams)
    Also known as NTFS streams
    Available since NT 3.1
    Rarely known even these days
    Introduced for compatibility with the Macintosh file system (resource forks)

Problems
    No Microsoft tools to list or manipulate them, so they are effectively invisible
    Some virus scanners still do not scan ADS
    Even a very large ADS changes nothing visible: the file's reported size and the directory listing stay the same
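A sweep for the streams this slide describes, as an added example that is not part of the original presentation: it walks a directory tree and reports every NTFS stream other than the default content stream, so an investigator can see streams that neither Explorer nor the file size reveals. It assumes Windows PowerShell 3.0 or later on an NTFS volume; `$Root`, `$MinBytes` and the `$Benign` list are assumptions chosen for the example.

```powershell
# Added example, not from the original slides: enumerate NTFS alternate data
# streams below $Root and list every stream that is not the default ':$DATA'.
# Assumes Windows PowerShell 3.0+ and an NTFS volume.
param(
    [string]$Root = "C:\Users",   # assumed starting point for the sweep
    [int]$MinBytes = 0            # only report streams at least this large
)

# Stream names commonly found on a normal workstation; Zone.Identifier is the
# mark-of-the-web that Windows writes on downloaded files. Assumed list.
$Benign = @('Zone.Identifier')

Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' returns one object per data stream of the file;
        # ':$DATA' is the ordinary file content, everything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
            ForEach-Object {
                [pscustomobject]@{
                    File     = $file.FullName
                    Stream   = $_.Stream
                    Bytes    = $_.Length
                    Known    = ($Benign -contains $_.Stream)
                    FileSize = $file.Length   # reported size: ADS bytes are not included
                }
            }
    } |
    Sort-Object -Property Known, Bytes -Descending |
    Format-Table -AutoSize
```

Unknown streams can then be examined with `Get-Content -LiteralPath <file> -Stream <name>` to decide whether they belong to the case.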




Hidden files - II




Hidden files - III




Hidden files - IV




Obfuscated files - I

Microsoft Office documents
    Contain sensitive information
        Personal information
        Comments
        Old file versions in the file
        Names of previous authors
        Network and hard disk information
        Etc.

Remove Hidden Data Tool
    Available from Microsoft for Office XP and above
    Removes all metadata from documents

Obfuscated files - II




Obfuscated files - III

PDF documents
    Might contain sensitive information that is only poorly obfuscated
    (covered rather than removed, so it remains in the file)

Really obfuscate sensitive information
    Redact directly in the image format
    Replace the text itself instead of covering it




Obfuscated files - IV




Privacy tools

These tools might render forensic tools useless
    Privacy tools
    Hard disk encryption

User permissions




Forensic tools

Tools of the trade

Commercial
    Encase (www.guidancesoftware.com)
    Forensic Toolkit (www.accessdata.com)
    SMART (www.asrdata.com)
    SafeBack (www.forensics-intl.com)
    Many more…

Open source
    SleuthKit (www.sleuthkit.org)

Other resources
    The Ultimate Collection of Forensic Software (www.tucofs.com)

Summary

Should a user be able to delete his/her data?

Is the virus scanner able to handle NTFS streams?

Are there Word documents that are anonymized the easy way?

Are the settings of the Office products secure?

Summary

ISACA Evidence Lab
    3 day hands-on course
    August 30th – September 1st
    Walter Sprenger and Christoph Schnidrig
    http://www.isaca.ch/files/EL_04.pdf



