
Windows

9

:




, -
-
. ,
, , (
, ) . :
,
.
( ,
, ).
, ? ,
.
, . (EnCase, FTK,
ProDiscover . .) .
, , ,
, ,
, . , ,
,

. ,
, ,
.
( ,
)
, .


. (
), , ,
, MAC ( , )
( ) . ,
,
. ,
, , ,
EnCase,
, .
, , , , .

/
, ,

.
, ,
. ., .
, ,
. - ,
.
,
. , ,
, , -
, .
, , ,
Perl. , Perl
, , , . . , Perl
, ,
-
SQL-
,
. , ,
.
,
RegRipper (www.regripper.net). ,
, Perl,
, Perl-. ,
Perl ,
, , Python. (Dave Roth)
Perl.


, ,
. ,
, ,
. , ,
, , . ,
- ,
, , .
!
, .
(
), .
, ,
, ,
, . ,
, ,
. ,
, ,
, - .
,
, ( )
. , , ,

;
, .

. ,
, . , , ,
,
. ( ) ,
, ,
. ,
,
( ) .
, , (
, ?),
.
. , ,
, ,
. , ,
- ,
- .
( ), ,
, ,
. ,
, , ?
? , , -
, ? ,
, ?
,
, - . , ?
, . ,
,
. , , -, ,
SQL-.
-. - IIS (Internet Information Server) Microsoft,
Microsoft SQL Server,
xp_cmdshell -,
-. , ,
ProDiscover, -,
xp_cmdshell -.
:

intrusion_20081030 ProDiscover 5.0.


-, .
xp_cmdshell - (
), ProDiscover;
ex081002.log ex081003.log.

. , , , .
, (xp_cmdshell),
( ProDiscover 5.0), (
). ,
, .
? ?

, ? ? grep
(Search) Windows (,
FTK Imager, (Start),
(Search) (For Files and
Folders))? ? ,
, ? , ;
, ,
.
,
,

.

.
,
. ,

. ,
, ,
, , , .

. -,
;
. ,
, Windows,
Security.
, . ,
.
SAM
, NTUSER.DAT
.
, , .
, , , Microsoft,
.
, , ,
, Forensic CaseNotes QCC Information Security
(www.qccis.com/?section=casenotes). Forensic CaseNotes
. ,
. , CaseNotes ,
, ,
. 9.1.

. 9.1. Forensic CaseNotes


.
. 9.1 .
(Exhibit List).
, , .
.
(Hours). , ,
; .
. ,
(Analysis). ,
. ,

. , ,
, .
CaseNotes ,
( , . .)
.
, ,
, -
, , .
, , ,
.
.
? . .
, , ,
Microsoft ,
( ); ,
, , . .;
, , ,
,
. , ,
.
, ,
CaseNotes , .
, CaseNotes
, , CaseNotes, ,

.

NoteCase
(http://notecase.sourceforge.net). NoteCase ,
, . -,
,
Microsoft Word.
Microsoft Word;
, (Adobe) (PDFCreator)
PDF. ,
CaseNotes,
Microsoft Word Excel,
Excel .
,
.
. ,
- .
?
, (
) ,
(, ) ,
, , , .


.
?
, ,
.
, , ,
.
,
, , ,
.


,
, .

dd
dd , ,
. dd Linux/UNIX, (
, http://linuxreviews.org/man/dd)
.
, ;

.
dd, - (George
M. Garner, Jr.), Windows Forensic
Acquisition Utilities (http://gmgsystemsinc.com/fau).
, ( ),
, -,
.


dd

, , dd,
,
dd
. , , .
- ,
,
, dd (SUSE Linux 9),
.
,
(dd, split . .) .
dcfldd (http://dcfldd.sourceforge.net)
dd, Windows. dcfldd
(Nick Harbour). - Sourceforge, dcfldd,
GNU dd
, , ,
. .
,
(
- , ),
, .


dd
,
. .
, ,
(
,
, . .), ( )
. ,
,
( ) .
?
,
, dd,
,
.
.

. -,
, . ,
, ,
, , :
?.
, , ,
. , ,
, ,

.
- ;
( ) .
-,
, , ,
, ,
.
.

FTK Imager
FTK Imager, FTK Imager Lite,
AccessData.com (www.accessdata.com). FTK Imager Lite
FTK Imager,
- -. - AccessData.com
, FTK Imager,
- -.
, FTK Imager
. ,
EnCase, EnCase (
), .E0x FTK Imager
, dd. , FTK Imager
, SUSE Linux 9
ReiserFS. , FTK Imager
,
, -
Windows , USB (
/ ).
FTK Imager .vmdk
VMware. , ,
VMware, ,
. , ,
.vmdk ( .vmem,
) . FTK Imager
(Add an Evidence Item),
,
(Create Disk Image), .vmdk ( .E0x) dd,
SMART .E0x. ,
.vmdk , , ,
.
,
, -, ,
.
, .
, - ,
, ,
, ?
,
. ,
,
, .
,
, .


CFReDS (NIST).
-

Hacking
Case
(www.cfreds.nist.gov/Hacking_Case.html) dd,
, EnCase EWF ( Expert Witness;
Expert Witness EnCase) ,
.
,
, Digital Forensics Tool Testing (http://dftt.sourceforge.net),
(Brian Carrier).
, ,
,
,
.
(Lance Mueller)

ForensicKB.com
(www.forensickb.com/search?q=practical).

(~400 ),
Windows XP, .E0x/EWF.
EnCase, : FTK Imager
dd EWF.
, .


, -
,
, .
,
, -,
, . .
( , . .) .

The SleuthKit
The Sleuth Kit (TSK; www.sleuthkit.org)

Autopsy Forensic Browser. TSK ,
-. TSK
Windows;
Autopsy Forensic Browser
Windows ( Windows,
Cygwin).
TSK Windows ,
Linux, . -, ,
,
. ,
-, ,
, :
[] 1 2 3

FTK Imager,
-. FTK Imager
, , ,
, EnCase Guidance Software.
type Windows,
, :
D:\images>type image.001 > image_all.img
D:\images>type image.002 >> image_all.img
D:\images>type image.003 >> image_all.img

TSK , dd, EWF (. . Expert


Witness/EnCase) AFF (www.sleuthkit.org/sleuthkit/desc.php). fls.exe ( 3
TSK) Windows
(dd), EWF , :
D:\tools\tsk>fls -i list
Supported image format types:
raw (Single raw file (dd))
ewf (Expert Witness format (encase))
split (Split raw files)

- SleuthKit - ,
,
. ,
(http://wiki.sleuthkit.org/index.php?title=FS_Analysis)

(http://wiki.sleuthkit.org/index.php?title=Timeline)
TSK.
, - TSK
(http://wiki.sleuthkit.org/index.php?title=Main_Page).
TSK
dls -.

-:
dls -A image.dd > unalloc.dls

-
,
grep , ,
, IP- .
:
fsstat -f ntfs image.dd

fsstat ,
-. ,
Windows XP :
FILE SYSTEM INFORMATION
----------------------------------------
File System Type: NTFS
Volume Serial Number: 98B0A679B0A65D8E
OEM Name: NTFS
Version: Windows XP

,
fsutil.exe. , (
), fsstat.exe,
:
C:\>fsutil fsinfo volumeinfo C:\
C:\>fsutil fsinfo ntfsinfo C:


;
.
, TSK fls.exe
(http://wiki.sleuthkit.org/index.php?title=Fls),
,

mactime.pl. , -,
:
D:\tools\tsk>fls -m c: -r d:\cases\xp\xp.001

-m
( C:\).
,
, mactime.pl ex-tip ( ,

(Michael
Cloppert);
https://www2.sans.org/reading_room/whitepapers/forensics/32767.php),
.



, fls.exe TSK, mactime.pl ex-tip,
,

. , ,
. ,
, ,
Windows, ( ,
),
( ex-tip McAfee OnAccessScan,
,
setupapi.log . .). , ,
( - TSK fls.exe). ,
,
, ex-tip,
, , ,
.

,
,

Zeitline
(http://projects.cerias.purdue.edu/forensics/timeline.php).

TSK

PDF-

CyberGuardians
(www.cyberguardians.org/docs/ForensicsSheet.pdf).
- Sourceforge Selective File Dumper
Windows, FUNDL ( File Undeleter, .

TSK
(http://sfdumper.sourceforge.net/fundl.htm).



.
.


, . , ,
,
(. . dd),
,
. . 2008 Technology Pathways
ProDiscover 5.0,
EWF. DFRWS 2008 (Michael Cohen)
PyFlag Windows. 2008
Sleuthkit,
, Windows.
( ,
Autopsy Forensic Browser ( Cygwin-
)) dd,
EWF ( libewf) AFF ( afflib; www.afflib.org).

PyFlag
DFRWS 2008 (Michael Cohen)
Windows PyFlag
(www.pyflag.net/cgi-bin/moin.cgi/PyFlagWindows).
PyFlag PyFlagWindows WinPyFlag.
,
. PyFlag
Linux, PyFlag ,
Windows. PyFlag
Windows - PyFlagWiki
FlagHTTPServer.py, ,
- http://127.0.0.1:8000. . 9.2
PyFlag, Firefox Windows.

. 9.2. PyFlag Firefox Windows.


PyFlag , ,
Linux. PyFlag TSK
-,
. PyFlag Volatility,
.
DFRWS 2008
(www.dfrws.org/2008/rodeo.shtml) PyFlag
, ( ,
-), , .

ProDiscover Basic
ProDiscover ,
, 3;
2008 . ,
Windows,
, , , .
, ,
, ProDiscover.
(Chris Brown), Technology Pathways
Computer Evidence: Collection and Preservation,
(Basic) ProDiscover.
Basic ,
.
ProDiscover ,
-, . ,
, ProDiscover, ,
, pds-. .pds

. pds-,
( FTK Imager,
).

-
, - ,
,
.
(
) - (
, ,
, -, . .)
. ,
(SmartMount ASRData Mount Image Pro
GetData), Virtual Disk Driver (VDK;
http://chitchat.at.infoseek.co.jp/vmware/vdk.html), .
VDK ,
- .
VDKWin (http://petruska.stardock.net/Software/VMware.html),
. 9.3, ,
,
.

. 9.3. VDKWin.
VDKWin ( )
vdk.sys,
? , ,
;

, ( ), ,
-,
( ,
). ,
- , ,
, , , ,
, .
IMDisk (
1.1.3 5 2008 , . www.ltr-data.se/opencode.html),
,
,
. . 9.4 IMDisk,
(H:\) .

. 9.4. IMDisk, H:\.

Microsoft ( )
, Virtual CD-ROM Control Panel for XP.
Windows XP -,
.iso (
CD- DVD-) .
, Microsoft (http://msdn.microsoft.com/en-us/subscriptions/aa948864.aspx;
), RaDaJo
(http://radajo.blogspot.com/2006/09/mounting-cddvd-iso-imagesin-windows.html) help.net
(http://weblogs.asp.net/pleloup/archive/2004/01/15/58918.aspx).


,
.
(, INFO2 Windows, 5),
.


, ,
, .
,

. , , - .
(Jesse Kornblum) MD5Deep
(http://md5deep.sourceforge.net), -
MD5 , - SHA-1, SHA-256, Tiger Whirlpool.
,
, .
-
, , , , ,
. - VirusTotal (www.virustotal.com)
, .
, ,
, , .
,
.
ssdeep
(http://ssdeep.sourceforge.net), -.
,
.

, ,
, 9899 .


, ,
.
, ,
.
, ,
Perl-, ,
, ,
/ ,
. , ,
Windows XP Vista (. 5).
UltraEdit (www.ultraedit.com),
, .
( ,
Perl- , ),
.

Perl, ,

. ,
UltraEdit, , ,
.
, :
Cygnus Hex Editor Free Edition (www.softcircuits.com/cygnus/fe)
XVI32 (www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm)
Free Hex Editor Neo HDD Software
(www.hhdsoftware.com/Products/home/ hex-editor-free.html)
HexEdit (www.physics.ohio-state.edu/~prewett/hexedit)
, , ,
, , .

(http://en.wikipedia.org/wiki/Comparison_of_hex_editors)
, , ,

.


, , , , ,
, ( ).
,
,
.
(, ,
, (
))
. ,
, ,
, .

, ,
, (
)
, .
,
, ,
. ,
, - , ,
,
.
, ,
, , ,
.
, , ,
, (, Microsoft SQL Server
TCP- 1433, ) .
, ,

,
, .

,
,
. ,
( ,
)
.

, ,
. , 2008
Microsoft , MS08-067
(http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx)
Windows Server.
Windows XP ,
, ,
, ,
, ,
.
,
, ,
, , .
,
LiveView (http://liveview.sourceforge.net) (,
LiveView,
), , , ,
. , Baseline Security
Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx) Microsoft,
,
.

. ,
,
, .
, Nmap
(www.Nmap.org). , Nmap
,
Zenmap Nmap .


, Nmap
,
Nmap. ,

fe3d
(http://projects.icapsid.net/fe3d), ,
Nmap . ,
Nmap Perl-,
Nmap::Scanner, Nmap::Parser Nmap::Parser::XML.
Nmap,
(. . . .) .


.
, ,
. Nessus
(www.nessus.org/nessus) Sara (www-arc.com/sara), Nessus
. 100
(http://sectools.org)
.


,
, . ,
: , -
,
.

Windows

Wireshark
(www.wireshark.org)

NetworkMiner
(http://sourceforge.net/projects/networkminer).
.
Wireshark 1.0.3
Windows. Wireshark
( ),
. . 9.5 Wireshark.

. 9.5. Wireshark 1.0.3.


Wireshark, ,
TCP-. ,
Wireshark, (Analyze)
TCP- (Follow TCP Stream)
. Wireshark
, TCP.
, (
). , -,
, ,

. Wireshark UDP SSL-.



, ,
.

- ,
;
, ,
. , ,
- .
. -,
, IP- .
(1) , ( IP-), (2)
, , ,
( tcpvcon.exe,
netstat.exe , ),
. -,
( TCP) ,
. ,
(. . ,
).
Wireshark (Statistics),
,
,
. ,

.
.
,
, , ,
.
Wireshark, ,
tshark, tcpdump dumpcap. - Wireshark,
, , .

,
tcpdump 68 ,
. windump
(www.winpcap.org/windump), , tshark
dumpcap,
.
NetworkMiner 0.85 () Windows.
NetworkMiner - Sourceforge
Windows, ,

PCAP. , NetworkMiner
, .

NetworkMiner

. . 9.6,
NetworkMiner
( , ,
. .) .

. 9.6. NetworkMiner 0.85 ().


Linux tcpxtract (http://tcpxtract.sourceforge.net)
(Nick Harbour),
, . Tcpxtract

. tcpxtract Windows,
NetworkMiner .
NetworkMiner - Sourceforge
,
. NetworkMiner
, p0f (http://lcamtuf.coredump.cx/p0f.shtml),
,
, ( Nmap). . 9.7 ,
NetworkMiner ,
,
.

. 9.7. NetworkMiner, ,
.
( )

PacketMon
(www.analogx.com/contents/download/network/pmon.htm). ,
PacketMon ,
, Wireshark NetworkMiner, ,
.
( , ),

ngrep
(http://ngrep.sourceforge.net/download.html), grep,

, .

; ,
,
. ,
,

. , , ,
,
, ,
.
tcpdump, , dd ,
- .

2008 NetWitness Investigator,

http://download.netwitness.com/download.php?src=DIRECT. Investigator,
.pcap,
, . Investigator
NextGen
,
.
,
.


Snort
,
, Snort (www.snort.org).
().
Snort, ,
, ,
.
Snort ,
( ),
, ,
. Snort .pcap
,
, ngrep
, , .
,
. ,
.
, , ,
, , ,
. Snort ( ,
),
, ,
, .


,
, ,
,
.
;
,

, (,
. .), .



ASCII Unicode Windows,
, .
. ,
. , SessionManager,
Session Manager. ,
, Windows NT,
WindowsNT. ,
. ,
ASCII Unicode. DWORD
(4 ), ,
. DWORD 0 ,
,
1.
- . ,

. ,
, , .
, ,
,
, ,
.
( , FTK X-Ways
Forensics, ),
.
-
GNU utilities for Win32 (http://unxutils.sourceforge.net). UNIX , ,
UNIX,
Windows.

.
, grep
Windows. , , grep for
Windows;

Sourceforge
(http://gnuwin32.sourceforge.net/packages/grep.htm), InterLog
(http://pages.interlog.com/~tcharron/grep.html).
.
, ,
, ,
. ,
SB-1386
, Visa. ,

. , ,

Spider
(www.cit.cornell.edu/security/tools),

( , - . .) ,
.
Spider ,
.
ccsrch
(http://sourceforge.net/projects/ccsrch). csrch Windows,
,
.

(PAN) ,
, .
ccsrch, , ,
, .
, :

(www.regularexpressions.info);
(http://en.wikipedia.org/wiki/Credit_card_number);

(www.regularexpressions.info/creditcard.html).



,
, ,
. ,
,
. ,
, , , , 16 ,
,
(. . , ,
), ,
, .
, , ,
, ,
.
(
), ,
.


, ,
. ,
: ,
Perl-.
, , ,
.
,
,
.

.
, , ( )
.
-

.
(
,
).

,

, .
,
, ,
.

,
. ,
.

.


: , .
?
: , . .
, ,
, .
? , (. . )
, ?
IIS-, ,
SQL-? ,
,
; , Perl-,
Log Parser Microsoft.
:
?
: ,
(IP-), ,
,
( , ,
) . ,
.

: (. .
, ,
), ?
?
: .
, ,
, PyFlag.


dd
FTK Imager

The SleuthKit
PyFlag
ProDiscover Basic
-




http://computer-forensics-lab.org
