Forensic Analysis of a Windows

2000 Server Operating System

Joshua Young
CS585F – Fall 2002
 Scenario
• Computer is still in its original environment
• Computer is on
• Computer appears connected to the
internet.
• Computer and room have not yet been
touched
• Evidence handling procedures are already
in place
 Take Pictures…
(Video if possible)
Lots and Lots of Pictures…
 Intro to WinHex
• Hex Editor Plus
• Many Forensic Uses, especially for the novice
– Disk Cloning, Ram Capture, Hex Searches, Spanned
Files
• Small (can fit on a floppy)
• Inexpensive
– Free limited trial Version
– $100 for full version (with variations in between)
• http://www.winhex.com
Ram Capture Before Unplugging
RAM Export
 Get Password Hashes
• Use PWDUMP from floppy to floppy
• While this causes a small change to the
disk, the hashes are not easily recovered
once the machine is off
– Win 2000 encrypts the hashes. Even if you
use a boot disk to access the NTFS partition
and recover the SAM file, password crackers
will not be able to break it.
LophtCrack 4 Foiled
 PWDump2
• Any changes to the Hard Disk would be
minor.
• Source Code is available, so the impact
could be independently verified
• Only works if the person logged on has
administrative rights
PWDump2 to the rescue
 Freeze the System
• Once we have the RAM….
• And the Password Hashes…..
• Pull the plug
 Don’t Forget Other Media
• Collect all other media for analysis (similar
analysis to Hard Disk)
– Floppies
– CDRoms
– Zip Disks
– Smart Cards / Memory Sticks
• If media has software on it, record name, serial
number, and whether it was original media or
not.
• If possible, check serial numbers with vendors to
see if any of it violates copyright law.
 Computer
• Used Linux Bootable Toolbox 2.0
– Genuine Intel Pentium II
– Speed: 348.49 Mhz
– Cache: 512Kb
– Flags: fpu vme de pse tsc msr …etc
• Memory
– Main 129,835,008
• Fdisk
Device Boot Start End Blocks ID System
/dev/hda1 * 1 832 6289888+ 7 HPFS/NTFS
 Prep Destination disk(s)
• To be on the safe side, before cloning the
hard disk, it is a good idea to wipe the
drive that will house the clone. This helps
eliminate any question that data found on
the disk could have originated on your
system.
• I used QuickWiper as an example
QuickWiper
Clone the Hard Disk
(bit for bit copy)
Create Hash of Disk (2 or more
different types if possible)
 Time Stamp the Evidence
• Using a service such as digistamp, it is a
good idea to timestamp the evidence to
help prove that you made no additional
changes to the media.
 Begin the Analysis
• Never work on the original media. Always
use the copy.
• I conducted my analysis within windows
itself.
• First I cracked the passwords so I could
log in.
LophtCrack 2.5
 Map Files
• Use known good version of cmd.exe file
• Pipe lists to text files
• Get several files
– By date (creation, last access, last write, etc.)
– By extension (pics, docs, zips, etc. )
– By type (hidden, system, read-only, etc.)
• Import into excel or database for analysis
• Notepad is not adequate for large text
files. I used TextPad to view, search, etc.
 Dir Command
• Dir c: /Q /S /TA >d:FileList1.txt
• Q displays owner
• S causes recursive list
• TA displays last access time
• Took about 5 minutes to run
• Produced a 4.5 Meg File
 Objective

• Focus on typical use of the computer

• Focus on possible illegal activities
– Illegal Material (Piracy and/or outlawed content)
– Hacking
– Unauthorized Data
• Focus on Information Collection
– Contacts
– Account Numbers
– Passwords
 I searched for 4 types of data
• Configuration
– System Information
– Networking Parameters
– Installed Programs
• Regular
– documents, email, keyword, zipped, etc.
• Deleted
– Recycle Bin
– Marked for deletion but still recoverable
– Left Over Registry Entries
• Hidden
– Slack/Free Space
– Steganalysis
– Encrypted
– Altered File Types
– Streams
 System Info
• On top of data obtained by the Linux
Bootable Toolkit (shown before), the
information contained under the start
menu/settings/control panel details the
system
– All Administrative tools are there
– Date/Time, System, Hardware Settings
– Disk Tools
– Computer Management Application
 Specific things to look for in
configuration
• Web Site(s)
• FTP Site(s)
• Terminal Services
• DNS or Mail Services Running
• Log Files
– EventViewer
– C:\WINNT\system32\LogFiles\
 Network Parameters
• Simple IPConfig command
• Windows Network Dialog
– Start Menu/Settings/Network and Dialup
Connections
IPConfig
 Specific things to look for in
network settings
• Dial-Up Accounts (to contact for logs)
• VPN’s set up
• Whether it’s got multiple IP’s
• Protocols Installed
• Sharing Configuration
 Installed Programs
• Add/Remove Programs
• Hard Disk
– List files by .exe, .com, .bat, .zip, .msi
• Services
• Registry
– Regedit
– Deleted Apps may leave key values or
Components installed
• Programs that run at start up
 Dir *.msi /s
(Microsoft Installer Files)
Regedit Search for ‘Transcender’
 Start Up Programs
• Start Menu For each user
• Regkey:
– HKEY_LOCAL_MACHINE
– HKEY_CURRENT_USER
• Software/microsoft/windows/currentversion
– Run
– Runonce
– Runonceex
 Specific things to look for in
Installed Programs
• Hacking/Cracking Tools
– Encryption
– Data Hiding
– Sniffers
– Password Crackers
• Illegal Software
– Bootleg Software
• Registered Software
• Development Tools
• Financial Software
 Regular Data
• Pictures
• Office Docs (Word, Wordperfect, Excel, etc.)
• Emails
• Wav Files
• Movie Files
• PDF Files
• Search for ‘Common File Types’ on
www.google.com returns many sites that list
common extensions and their viewers.
 Finding and Viewing Data
• Dir or Windows Search
• Some Apps contain recent file lists
• Regedit search
• Some must be viewed individually, but some can
be viewed all at once
– Example, lview pro for images
• Be sure to include hidden files
– Search parameter
– Attrib command
• Be sure to check attachments folder for email
 Advantages to Lview
• Opens all common image files
• Presents in many formats (slideshow,
contact sheet, etc.)
• Preview pane
• Can pass a file list from command line
(obtained by something like the Dir
command)
• Does not rely on extension
– Will open .jpg file even if extension is wrong
 If Docs are encrypted…
• Several Inexpensive utilities can break
passwords on many common files.
– AccessData
– Cain
• Keys may be found written down or stored
electronically in plaintext (via textfiles)
 Deleted Data
• Recycle Bin
• Marked For Delete but recoverable
– Trial Version of Norton doesn’t work on NT
– WinHex will list deleted files, but has limited
recovery capability (fragmentation hinders it).
• Registry Search
– Keys are often left over
• Important to do on an unaltered copy of
the drive
 Web Info
• History
• Cache
• Cookies
• Tools I tried didn’t work
 Hidden Data
• Important to do these tests on an
unaltered copy of the drive
• Free/Slack/Swap Space
• Staganalysis
• Encryption
• Altered File Types
• Streams
 Free/Slack/Swap Space
• Swap Space is a file on Windows
• Free Space is space marked available to
write to in Windows
• Slack Space is unused space at the end of
a file
• Used WinHex
Free Space
 Altered File Types
• Software can detect files via their headers
• Most apps will open their own files
correctly if pointed to them directly
• Some applications serve as multipurpose.
For example, word opens most document
types. LViewPro opens most image types.
 Alternate Data Streams
• Originated to provide compatibility with
Macintosh Hierarchical File System (HFS)
• Invisible using standard windows browsing
utilities.
• Free program Lads will display all streams
 Steganalysis and Encryption
• Both very effective at hiding data, especially
when used together.
• Detection is difficult, but actually recovering the
data can be unfeasible for most analysts.
• Most common means of detection is the
presence of software utilities used for
Steganography or Encryption
• Most common means of recovery is poor
password security. Either passwords are found
via other applications or written down.
 Conclusion
• Was able to accumulate a considerable
amount of information from a default
Windows 2000 Server machine
• Several tools and techniques didn’t work
as described in research. Windows is
getting better.
• If secured correctly, I don’t know that I
would have been able to recover much
information at all.