Practical Windows Forensics
Ebook, 548 pages, 2 hours

About this ebook

About This Book
  • Build your own lab environment to analyze forensic data and practice techniques.
  • This book offers meticulous coverage with an example-driven approach and helps you build the key skills of performing forensics on Windows-based systems using digital artifacts.
  • It uses specific open source and Linux-based tools so you can become proficient at analyzing forensic data and upgrade your existing knowledge.
Who This Book Is For

This book targets forensic analysts and professionals who would like to develop skills in digital forensic analysis for the Windows platform. You will acquire proficiency, knowledge, and core skills to undertake forensic analysis of digital data.

Prior experience of information security and forensic analysis would be helpful. You will gain knowledge and an understanding of performing forensic analysis with tools especially built for the Windows platform.

Language: English
Release date: Jun 29, 2016
ISBN: 9781783554102

    Practical Windows Forensics - Ayman Shaaban

    Table of Contents

    Practical Windows Forensics

    Credits

    About the Authors

    About the Reviewers

    www.PacktPub.com

    Why subscribe?

    Free access for Packt account holders

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Conventions

    Reader feedback

    Customer support

    Downloading the color images of this book 

    Errata

    Piracy

    Questions

    1. The Foundations and Principles of Digital Forensics

    What is digital crime?

    Digital forensics

    Digital evidence

    Digital forensic goals

    Analysis approaches

    Summary

    2. Incident Response and Live Analysis

    Personal skills

    Written communication

    Oral communication

    Presentation skills

    Diplomacy

    The ability to follow policies and procedures

    Team skills

    Integrity

    Knowing one's limits

    Coping with stress

    Problem solving

    Time management

    Technical skills

    Security fundamentals

    Security principles

    Security vulnerabilities and weaknesses

    The Internet

    Risks

    Network protocols

    Network applications and services

    Network security issues

    Host or system security issues

    Malicious code

    Programming skills

    Incident handling skills

    The hardware for IR and Jump Bag

    Software

    Live versus mortem

    Volatile data

    Nonvolatile data

    Registry data

    Remote live response

    Summary

    3. Volatile Data Collection

    Memory acquisition

    Issues related to memory access

    Choosing a tool

    DumpIt

    FTK Imager

    Acquiring memory from a remote computer using iSCSI

    Using the Sleuth Kit

    Network-based data collection

    Hubs

    Switches

    Tcpdump

    Wireshark

    Tshark

    Dumpcap

    Summary

    4. Nonvolatile Data Acquisition

    Forensic image

    Incident Response CDs

    DEFT

    Helix

    Live imaging of a hard drive

    FTK imager in live hard drive acquisition

    Imaging over the network with FTK imager

    Incident response CDs in live acquisition

    Linux for the imaging of a hard drive

    The dd tool

    dd over the network

    Virtualization in data acquisition

    Evidence integrity (the hash function)

    Disk wiping in Linux

    Summary

    5. Timeline

    Timeline introduction

    The Sleuth Kit

    Super timeline – Plaso

    Plaso architecture

    Preprocessing

    Collection

    Worker

    Storage

    Plaso in practice

    Analyzing the results

    Summary

    6. Filesystem Analysis and Data Recovery

    Hard drive structure

    Master boot record

    Partition boot sector

    The filesystem area in partition

    Data area

    The FAT filesystem

    FAT components

    FAT limitations

    The NTFS filesystem

    NTFS components

    Master File Table (MFT)

    The Sleuth Kit (TSK)

    Volume layer (media management)

    Filesystem layer

    The metadata layer

    istat

    icat

    ifind

    The filename layer

    Data unit layer (Block)

    blkcat

    blkls

    Blkcalc

    Autopsy

    Foremost

    Summary

    7. Registry Analysis

    The registry structure

    Root keys

    HKEY_CLASSES_ROOT or HKCR

    HKEY_LOCAL_MACHINE

    HKEY_USERS or HKU

    HKEY_CURRENT_USER or HKCU

    Mapping a hive to the filesystem

    Backing up the registry files

    Extracting registry hives

    Extracting registry files from a live system

    Extracting registry files from a forensic image

    Parsing registry files

    The base block

    Hbin and CELL

    Auto-run keys

    Registry analysis

    RegistryRipper

    Sysinternals

    MiTeC Windows registry recovery

    Summary

    8. Event Log Analysis

    Event Logs - an introduction

    Event Logs system

    Security Event Logs

    Extracting Event Logs

    Live systems

    Offline system

    Event Viewer

    Event Log Explorer

    Useful resources

    Analyzing the event log – an example

    Summary

    9. Windows Files

    Windows prefetch files

    Prefetch file analysis

    Windows tasks

    Windows Thumbs DB

    Thumbcache analysis

    Corrupted Windows.edb files

    Windows RecycleBin

    RECYCLER

    $Recycle.bin

    Windows shortcut files

    Shortcut analysis

    Summary

    10. Browser and E-mail Investigation

    Browser investigation

    Microsoft Internet Explorer

    History files

    History.IE5

    IEHistoryView

    BrowsingHistoryView

    MiTeC Internet History browser

    Cache

    Content.IE5

    IECacheView

    Msiecf parser (Plaso framework)

    Cookies

    IECookiesView

    Favorites

    FavoritesView

    Session restore

    MiTeC SSV

    Inprivate mode

    WebCacheV#.dat

    ESEDatabaseView

    Firefox

    Places.sqlite

    MozillaHistoryView

    Cookies.sqlite

    MozillaCookiesView

    Cache

    MozillaCacheView

    Other browsers

    E-mail investigation

    Outlook PST file

    Outlook OST files

    EML and MSG files

    DBX (Outlook Express)

    PFF Analysis (libpff)

    Other tools

    Summary

    11. Memory Forensics

    Memory structure

    Memory acquisition

    The sources of memory dump

    Hibernation file

    Crash dump

    Page files

    Processes in memory

    Network connections in memory

    The DLL injection

    Remote DLL injection

    Remote code injection

    Reflective DLL injection

    API hooking

    Memory analysis

    The volatility framework

    Volatility plugins

    imagecopy

    raw2dmp

    imageprofile

    pslist

    psscan

    pstree

    psxview

    getsids

    dlllist

    handles

    filescan

    procexedump

    memdump

    svcscan

    connections

    connscan

    sockets

    sockscan

    Netscan

    hivelist and printkey

    malfind

    vaddump

    apihooks

    mftparser

    Summary

    12. Network Forensics

    Network data collection

    Exploring logs

    Using tcpdump

    Using tshark

    Using WireShark

    Fields with more information

    Knowing Bro

    Summary

    appA. Building a Forensic Analysis Environment

    Factors that need to be considered

    Size

    Environment control

    Security

    Software

    Hardware

    Virtualization

    Virtualization benefits for forensics

    The distributed forensic system

    GRR

    Server installation

    Client installation

    Browsing with the newly-connected client

    Start a new flow

    appB. Case Study

    Introduction

    Scenario

    Acquisition

    Live analysis

    The running processes

    Network activities

    Autorun keys

    Prefetch files

    Browser analysis

    Postmortem analysis

    Memory analysis

    Network analysis

    Timeline analysis

    Summary


    Practical Windows Forensics

    Copyright © 2016 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: June 2016

    Production reference: 2220616

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham 

    B3 2PB, UK.

    ISBN 978-1-78355-409-6

    www.packtpub.com

    Credits

    About the Authors

    Ayman Shaaban (@aymanshaaban) has been working as a security researcher for Kaspersky Lab since May 2014. He worked in the Egyptian national CERT as a digital forensics engineer for 5 years. During his career, Ayman has participated in building digital forensics labs, provided analysis for cases with national and international scopes, and delivered training courses on digital forensics analysis for different high-profile entities.

    Ayman is a certified GSEC, GCIH, GCFA, and CFCE. He also has a BSc in communication and electronics, an information security diploma from ITI, and is working on his master's degree in information security. Ayman can be found on LinkedIn at http://eg.linkedin.com/in/aymanshaaban.

    I would like to thank my family and my friends for their continuous support. Also, I want to thank all my current and past colleagues in Kaspersky Lab, EG-CERT, and Nile University for their support and dedication.

    Konstantin Sapronov works as the deputy head of the Global Emergency Response Team at Kaspersky Lab. He joined Kaspersky Lab in 2000 and has been in his current position since August 2011. His previous position was group manager of the virus lab in China since 2007, and he has been responsible for establishing and developing the virus lab at Kaspersky Lab's office in China. Prior to this, he worked as a virus analyst and head of the Non-Intel Platform Group in the virus lab at Kaspersky Lab's HQ in Moscow, specializing in reverse engineering and the analysis of malware, exploits, and vulnerabilities. Konstantin is the author of several analytical articles on malware for Unix and other information security topics.

    Konstantin holds degrees from the Moscow Power Engineering Institute (a technical university) and the Moscow State University of Economics, Statistics and Information Technology.

    First of all, many thanks to all my family—my parents, my wife, and my daughter, who have always supported me. Also, I would like to thank all the people I have worked with all these years at our company for their support, professionalism, and willingness to help.

    About the Reviewers

    Jim Swauger has over 18 years of experience in the digital forensics field, starting as a computer forensics specialist with the Ohio Attorney General's Computer Crime Unit and then moving on to being the technical security investigator for a top financial institution before becoming an expert consultant with Binary Intelligence. At Binary Intelligence, a firm that specializes in complex cellphone forensic services, Jim manages advanced mobile device Chip-Off, JTAG, and ISP extractions and subsequent forensic data analyses. Jim is an avid Linux user and proponent of using open source resources in digital forensic investigations. His clients include law enforcement and government agencies, corporations, and law firms.

    Dr. Stilianos Vidalis was born and raised in Mykonos, a Greek island in Cyclades. He moved to the UK in 1995 to study computer science. He holds a PhD in the threat assessment of micro-payment systems. He is currently the Director of Training for the Cyber Security Centre at the University of Hertfordshire. He lectures on the subjects of cyber security and digital forensics and undertakes consultancy for a number of private and public organizations.

    His involvement in the information operations arena began in 2001. Since then, he has participated in high-profile, high-value projects for large international organizations and governments. He has collected and analyzed information for prestigious European financial institutions, applying international standards under the context of risk and threat assessment. He trained the British Armed Forces (Tri-Service) in penetration testing and digital forensics for a number of years.

    During his career, Dr. Vidalis has developed, and published in peer-reviewed scientific journals, his own threat-assessment methodology and other aspects of his work on threat agent classification, vulnerability assessment, early warning systems, deception in CNO, identity theft, and computer criminal profiling.

    Zhouyuan Yang has a master's degree in advanced security and digital forensics. His research areas include host- and network-based security, forensics, penetration testing, and IDP/S systems.

    Currently, he is a researcher at Fortinet's Fortiguard Labs on the zero-day team, focusing on network security and vulnerability research.

    I would like to thank my father, Qisheng Yang, who gives his full love in supporting my career dreams.

    www.PacktPub.com

    For support files and downloads related to your book, please visit www.PacktPub.com.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    https://www2.packtpub.com/books/subscription/packtlib

    Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

    Why subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print, and bookmark content

    On demand and accessible via a web browser

    Free access for Packt account holders

    If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.

    Preface

    Regardless of your level of experience in the field of information security in general, Practical Windows Forensics will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence properly, and walk you through the various stages of the analysis process.

    We start by discussing the principles of the digital forensics process and move on to learning about the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and nonvolatile data. This will be followed by recovering data from hard drives and learning how to use multiple tools to perform registry and system log analyses.

    Next, you will be taught how to analyze browsers and e-mails, as they are crucial aspects of investigations. We will then go on to extract data from a computer's memory and investigate network traffic, which is another important checkpoint. Lastly, you will learn a few ways in which you can present data, because every investigator needs a workstation where they can analyze forensic data.

    What this book covers

    Chapter 1, The Foundations and Principles of Digital Forensics, explains the importance of the principles of the digital forensics process and the approaches that are usually used to conduct an analysis.

    Chapter 2, Incident Response and Live Analysis, discusses the hardware and software that the responder should have to perform incident response properly. Incident response is a very important process that needs to be conducted carefully to properly collect all the available evidence, which will be analyzed in the analysis phase.

    Chapter 3, Volatile Data Collection, discusses how to collect the volatile data of the system. Volatile data, such as system memory, is very important and can tell what is happening on the system while it is running. So, to conduct post mortem analysis on this kind of evidence, we need to acquire the evidence first. Also, it changes very quickly, so collecting it in the right way is a very important issue.

    Chapter 4, Nonvolatile Data Acquisition, talks about the acquisition of nonvolatile data, such as the hard drive, and how to collect such data forensically without compromising the integrity of this evidence.

    Chapter 5, Timeline, discusses the timeline, which shows all the system and user activities on the system in chronological order. It helps build the whole picture of the incident, and we will show you how to do it with the Plaso framework.

    Chapter 6, Filesystem Analysis and Data Recovery, gives you a good understanding of the most common file systems. To fully understand how the tools work, either for analysis or recovery, the reader needs to understand how files are stored in the file system on a partitioned hard drive.

    Chapter 7, Registry Analysis, discusses the structure of the registry and some tools used to perform analyses. When MS Windows operates, almost all actions are mapped in the registry. The registry files are considered the Windows database. Registry forensics can help answer a lot of questions, from what kind of application has been installed on the system to user activities, and many more.

    Chapter 8, Event Log Analysis, explains that the MS Windows system has good features out of the box; we just need to know how to use them. One of these features is logging. Logging can help to figure out what has happened on the system. It logs all the events on the system, including security events and other events related to the applications within the system.

    Chapter 9, Windows Files, tells us that MS Windows has a lot of artifacts, which are created while Windows is running. During analysis, these artifacts can be used to prove or refute hypotheses, or in some cases uncover new interesting information with evidential value.

    Chapter 10, Browser and E-mail Investigation, talks about the Internet, and of course the World Wide Web, which is the main channel users use to exchange data. Browsers are the most common tools that are used to do that. So, the investigation of browsers is important when analysts try to investigate a user's activity. There are a lot of browsers, and we will cover the most popular among them: IE, FF, and Chrome.

    E-mail still remains a way to communicate with people in the computer world, especially in a corporate environment. This chapter will cover e-mail formats and explain how to read e-mails from PFF files for analysis and to trace senders.

    Chapter 11, Memory Forensics, discusses how memory is the working space for the operating system. In the past, memory forensics was optional, but now there are a few very powerful tools that allow us to extract a lot of evidential information from memory and take digital forensics to a new level.

    Chapter 12, Network Forensics, discusses how network forensics provides another perspective on the incident. Network traffic can reveal a lot of information about the behavior of malicious activity. Together with other sources of information, network data will speed up the investigation process. You will learn not only about the traditional tools, such as Wireshark, but also about the powerful Bro framework.

    Appendix A, Building a Forensic Analysis Environment, discusses the creation of a convenient work environment to conduct digital forensics analysis in a digital forensics lab at an enterprise scale. After the previous chapters, we should now have realized how important incident response is for the digital forensics process and how necessary it is to deal with both of them accurately.

    Appendix B, Case Study, uses an infected machine to illustrate how to conduct primary analysis on different types of evidence; we will go through live analysis along with the post-mortem analysis.

    What you need for this book

    There are no special requirements for this book.

    Who this book is for

    If you have previous experience in information security, or have done some digital forensic analysis before and want to extend your skill set in digital forensics, this is the perfect guide for you. This book will provide you with the knowledge and core skills necessary to use free and open source tools, mostly under the Linux operating system, and undertake forensic analysis of digital evidence with them.

    Conventions

    In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

    Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: In the destination machine, which is the handler machine, you need to run the network listener from the same receiver.exe folder.

    Any command-line input or output is written as follows:

    dd conv=sync,noerror bs=64K if=/dev/sda | pv | dd of=/media/Elements/HD_image/image.dd

    New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Now from the source machine, run the FTK Lite program, and then open Create Disk image
