Page 1: Fundamental Computer Investigation for Windows Barbara Chung, CISSP, CISM Chief Security Advisor, US Ed Microsoft Corporation bchung@microsoft.com

Fundamental Computer Investigation for Windows

Barbara Chung, CISSP, CISM
Chief Security Advisor, US Ed
Microsoft Corporation
bchung@microsoft.com

Page 2: Agenda

• Prepare
• Assess
• Acquire
• Analyze
• Report

Page 3: Computer Investigation Model

Assess:
• Notify and acquire authorization
• Review policies and laws
• Identify team members
• Prepare for evidence acquisition

Acquire:
• Build investigation toolkit
• Collect the data
• Store and archive

Analyze:
• Analyze network data
• Analyze host data
• Analyze storage media

Report:
• Gather and organize
• Write the report

Page 4: Assess: Initial Decision Making

• Preventing further damage should be the first concern

• Investigation is secondary unless there are national security issues

• You may be required to report to authorities: consult with your legal team

Page 5: Assess

• Establish scope
• Identify required resources

Page 6: Assess

• Notify decision makers:
  – If no written response policies and procedures exist, you should obtain written authorization to conduct the investigation
  – Document all actions that you take
• Priorities*:
  – Prevent further harm
  – Restore services (if necessary)
  – Investigate incident

* Absent national security or life safety issues

Page 7: Assess

Review policies and laws that might pertain:
• Do you have legal authority?
• Internal privacy policies for employees, contractors, others?
• Consult with legal regarding:
  – Possible compromise of personal data
  – State/federal privacy laws
  – Criminal/civil liability for improper interception of electronic communications
  – Viewing sensitive or privileged info

Page 8: Assess

• Customer privacy and confidentiality issues:
  – All data should be transferred securely, stored locally, and not easily accessible.
  – Maintain data and documentation per local policy or as advised by legal counsel/law enforcement.
  – Maintain digital copies of evidence, printouts of evidence, and the chain of custody for all evidence in secure storage, in case of legal action.

Page 9: Assess

Identify Investigation Team Members
• Ideally the team is established before it is needed.
• Assign one technical lead; clarify responsibilities.
• A small team minimizes risk to confidential data and information leaks.
• Engage a trusted external investigation team if you do not have the internal expertise.
• Ensure that each team member has the necessary clearance and authorization.

Page 10: Assess

Prioritize your actions and justify resources
• Describe the situation, its potential severity, potentially affected parties, and (if available) the suspected party or parties.
• Identify the impact and sensitivity of the investigation on your organization.
• Analyze the business impact of the incident throughout the investigation.
• Analyze affected intangible resources.

Page 11: Assess

Page 12: Assess

Document the scope
• Affected networks
• The number and types of affected computers
• Detailed network topology
• External storage and remote computers
• Capture network traffic if live analysis is required
  – Be aware of internal policy around the use of network capture tools; be sure you have clearance/authorization.
• Examine the state of software applications and OS on machines that may be affected: application logs, system logs, Sysinternals PsTools.
• Examine affected file and application servers: Sysinternals tools such as PsTools, PsFile, ShareEnum; internal Windows security logs.
• Ensure that volatile real-time data is securely stored.

Page 13: Assess

Best practices
• Build a timeline and map everything to it.
• Identify and interview anyone who might be involved, such as sysadmins and users.
• Document interview outcomes.
• Retrieve info (logs) from internal and external facing network devices that might be in the attack path.
• Identify public IP address and domain ownership (Windows Sysinternals Whois, or the American Registry for Internet Numbers).

Page 14: Assess

Prepare for Evidence Acquisition
• Detailed document containing:
  – Initial estimate of impact
  – Network topology identifying affected systems
  – Summaries of interviews
  – Outcomes of legal and third party interactions
  – Reports and logs generated during assessment phase
  – A proposed course of action

Page 15: Acquire the Data


Page 17: Acquire the Data

Build the Toolkit
• Core tools and personnel should be identified before they are needed
• Make adjustments as needed for the current situation
  – Tools (such as WOLF where MS PSS is involved)
  – Personnel

Page 18: Build the Toolkit

• Laptop
  – H/W and tools used only for the investigation
  – Storage device is forensically sterile
• Different OS and patches
• Application media
• Backup devices
• Blank media
• Basic networking equipment
• Cables

Page 19: Build the Toolkit

• Proving accuracy of data acquisition tools is generally easier if you use well-known computer forensics software.

• The tools must not modify the access time of files.

Page 20: Build the Toolkit

List each OS you will support and ensure you have the necessary tools:
• Include a tool to collect and analyze metadata.
• Include a tool for creating bit-to-bit and logical copies.
• Include tools to collect and examine volatile data, such as the system state
  – Microsoft Sysinternals
    • ListDLLs, LogonSessions, PendMoves, Autoruns, Process Explorer
  – Other Windows tools
    • Systeminfo, Ipconfig, Netstat, Arp
  – Dedicated forensics software, for example:
    • EnCase (Guidance Software)
    • The Forensic Toolkit (FTK) (AccessData)
    • ProDiscover (Technology Pathways)
• Tools should be archived and preserved to allow for future verification of data

Page 21: Build the Toolkit

• Generate checksums and digital signatures on files and other data: the File Checksum Integrity Verifier (FCIV) tool.
  – This tool is available through Microsoft Knowledge Base article 841290, "Availability and description of the File Checksum Integrity Verifier utility".

Page 22: Build the Toolkit: Worksheets and Samples

• Link to the Fundamental Computer Investigation Guide for Windows on the Microsoft Download Center
  – Chain of Custody Log
  – Impact Analysis Worksheet
  – Sample Internal Investigation Report
• Appendix C, Sample Worksheets, in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice:
  – Computer Evidence
  – Hard Drive Evidence
  – Removable Media

Page 23: Build the Toolkit: Preparing Personnel

• At least part of the team should have some formal investigation training.
• For a list of nonprofit agencies, organizations, Federal law enforcement agencies, and academic institutions that provide computer forensic training, see "Appendix G. Training Resources List" in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.

Page 24: Collect the Data

• If a machine is infected with a rootkit, it will probably return lots of false information; you must check for this first.
• Sysinternals' RootkitRevealer can help, but there is no single tool or methodology that will answer the question for you. See:
  – Mark Russinovich's TechEd video Advanced Malware Cleaning (chapter on rootkits)

Page 25: Collect the Data

• Collecting data locally offers greater control over computers and data

• Remote collection is sometimes necessary

Page 26: Collect the Data: Process

1. Create accurate documentation that will allow the data to be identified and authenticated later
  – Who performed the action and why they did it. What were they attempting to accomplish?
  – How they performed the action, including the tools they used and the procedures they followed.
  – When they performed the action (date and time) and the results.

Page 27: Collect the Data: Process

2. Determine which methods to use
  – Online only when necessary, since you risk altering original evidence
  – Use offline methods when possible (uses a bit-wise copy of the original data)

Page 28: Collect the Data: Process

3. Identify and document potential data sources
  – Servers: role, logs, files and applications
  – Logs from internal/external network devices that may be in the path of attack: firewalls, routers, proxy servers, network access servers, IDS systems
  – Internal hardware components: NICs, PCMCIA cards, external port types such as FireWire, USB, PCMCIA
  – Storage devices: hard disks, network storage devices, removable media, mobile devices

Page 29: Collect the Data: Process

4. Collecting volatile data
  – Carefully consider the order in which it is collected

Page 30: Collect the Data: Process

5. Collecting data from storage media
  – Is volatile data collection complete before turning off the computer to remove the device?
  – Remove the device and collect data using another computer?
  – Create a bit-wise copy of the evidence in another location?
    • Use industry-accepted software, such as EnCase by Guidance Software, or FTK by AccessData
  – Document internal devices, configuration information, type of device and condition

Page 31: Collect the Data: Process

6. Verify collected data
  – Use checksums, digital signatures
  – You can use the Microsoft File Checksum Integrity Verifier (FCIV) tool to compute an MD5 or SHA1 cryptographic hash of the content of a file

Page 32: Collect the Data: Store and Archive

Best Practices
– Physically secure and store in a tamper-proof location
– Document who has physical and network access to the evidence
– Make at least two copies, one stored securely offsite
– Ensure evidence is secured both physically and digitally
– Document chain of custody, with check-in/check-out info
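The verification step (checksums over collected data) and the custody practices on the two preceding slides (who/what/how/when documentation, check-in/check-out records), as an added Python example that is not part of the presentation and not Microsoft's FCIV tool. File names, contents and examiner names are constructed, and SHA-256 is computed beside FCIV's MD5/SHA-1 as an assumption of current practice.

```python
"""Evidence hash manifest with a chain-of-custody log (added example).

Not the presentation's or Microsoft's FCIV code; it applies the slides'
verify/store practices: hash files at acquisition, log who/what/why/when,
re-hash before analysis. SHA-256 is added beside FCIV's MD5/SHA-1 because
those two are no longer collision resistant. Sample files are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hex digest}, reading the file in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def custody_entry(who, action, why):
    """One append-only log record: who did what, why, and when (UTC)."""
    return {"time": datetime.now(timezone.utc).isoformat(), "who": who,
            "action": action, "why": why}

def build_manifest(paths, examiner, purpose):
    """Hash the evidence files and open the custody log with a check-in."""
    files = {os.path.basename(p): dict(hash_file(p), size=os.path.getsize(p))
             for p in paths}
    return {"files": files,
            "custody": [custody_entry(examiner, "check-in", purpose)]}

def verify_manifest(manifest, directory):
    """Re-hash every listed file; a missing or changed file verifies False."""
    results = {}
    for name, recorded in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        current = hash_file(path)
        results[name] = all(current[a] == recorded[a] for a in ALGORITHMS)
    return results

def demo():
    """Constructed run: acquire two files, verify, alter one, verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    samples = {"system.evt": b"constructed event log\n", "notes.txt": b"sample"}
    paths = []
    for name, content in samples.items():
        paths.append(os.path.join(workdir, name))
        with open(paths[-1], "wb") as fh:
            fh.write(content)
    manifest = build_manifest(paths, "examiner A", "acquire host logs")
    clean = verify_manifest(manifest, workdir)
    manifest["custody"].append(custody_entry("examiner B", "check-out", "analysis"))
    with open(paths[1], "ab") as fh:  # an accidental write during analysis
        fh.write(b"!")
    return clean, verify_manifest(manifest, workdir), manifest
```

demo() returns the verification results before and after the accidental write together with the manifest; in practice the manifest itself goes to read-only storage beside the evidence copies.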

Page 33: Analyze the Data

Page 34: Analyze Network Data

• Not always necessary
• Be prepared for large amounts of data: focus on specific criteria
• Examine firewall, proxy server, IDS, remote access server logs
• View network sniffs where data might help identify activities.
• Encrypted sessions cannot be viewed, but time of connection or endpoints may be valuable

Page 35: Analyze Host Data

Host Data
– Lots of data, so identify and search for what you are seeking: Sysinternals Strings may be useful
– \Windows\Prefetch contains info such as when and where apps were launched
– OS data: clock drift info, data in memory, processes running or scheduled to run (Sysinternals Autoruns)
– Running apps, processes, network connections (Sysinternals Process Explorer, LogonSessions, PsFile)
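The "build a timeline and map everything to it" practice from the Assess slides combined with the clock drift item above, as an added Python example that is not from the presentation: it merges firewall, workstation and file-server entries into one UTC timeline after subtracting each source's measured clock drift. Host names, drift values, addresses and log entries are all constructed.

```python
"""Unified incident timeline with per-source clock-drift correction.

Added example, not from the presentation. The slides say to build a
timeline and map everything to it, and to capture clock drift with the
host data; this merges firewall, workstation and file-server entries into
one UTC timeline after removing each source's measured drift.
Host names, offsets, addresses and log entries are all constructed.
"""
from datetime import datetime, timedelta, timezone

EASTERN = timezone(timedelta(hours=-5))  # constructed: hosts log in local time

# Measured offset of each source clock from the examiner's reference clock
# (source minus reference); positive means that clock runs fast.
CLOCK_DRIFT = {
    "fw-edge": timedelta(0),
    "ws-017": timedelta(minutes=4, seconds=12),
    "srv-files": timedelta(seconds=-37),
}

# Constructed sample entries: {host: (zone the source stamps in, [(stamp, event)])}
SOURCES = {
    "fw-edge": (timezone.utc, [
        ("2006-03-14 13:02:11", "ALLOW tcp 203.0.113.7 -> 192.0.2.15:445"),
        ("2006-03-14 13:02:40", "DENY tcp 203.0.113.7 -> 192.0.2.15:3389"),
    ]),
    "ws-017": (EASTERN, [
        ("2006-03-14 08:06:25", "Security log: network logon succeeded"),
        ("2006-03-14 08:07:05", "Prefetch entry created for unknown tool"),
    ]),
    "srv-files": (EASTERN, [
        ("2006-03-14 08:01:50", "PsFile: share Finance opened from ws-017"),
    ]),
}

def corrected_utc(stamp, tz, drift):
    """Parse a source timestamp, apply its zone, and subtract the clock drift."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc) - drift

def build_timeline(sources=SOURCES, drift=CLOCK_DRIFT):
    """Return (utc_time, host, event, source_stamp) tuples in corrected order.
    Pass drift={} to see the misleading order the raw stamps suggest."""
    events = []
    for host, (tz, entries) in sources.items():
        for stamp, event in entries:
            when = corrected_utc(stamp, tz, drift.get(host, timedelta(0)))
            events.append((when, host, event, stamp))
    return sorted(events, key=lambda e: e[0])

def render(events):
    """Format one line per event, keeping the original stamp for the report."""
    return ["%sZ %-9s %s  [source clock %s]" % (
        when.strftime("%Y-%m-%d %H:%M:%S"), host, event, stamp)
        for when, host, event, stamp in events]

if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Without the drift correction the file-server access appears to precede the firewall's ALLOW entry and the workstation logon lands four minutes late; the corrected order is what goes into the report, with the raw source stamps kept alongside for authentication.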

Page 36: Analyze the Data: Storage Media

• If possible use offline analysis
• Create a diagram of the directory structure
• Determine if encryption was used (EFS). See "Encrypting File System in Windows XP and Windows Server 2003" on Microsoft TechNet.
• If necessary, uncompress files
• Identify files of interest
• Use file viewers to view contents

Page 37: Analyze the Data: Storage Media

• File resources:
  – Hash sets for well-known software: National Software Reference Library
  – Filespecs.com
  – Wotsit's Format: wotsit.org
  – ProcessLibrary.com
  – Microsoft's DLL Help
  – Sysinternals Streams for Alternate Data Streams
• Metadata: EnCase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways.
• Registry resources:
  – Windows Server 2003 Resource Kit Registry Reference
  – RegEdit, Windows Sysinternals RegMon for Windows, and Registry Viewer by AccessData

Page 38: Report

Page 39: Report: Gather and Organize

• Identify parts of the documentation that are relevant to the investigation.
• Identify facts to support the conclusions you will make in the report.
• Create a list of all evidence to be submitted with the report.
• List any conclusions you wish to make in your report.
• Organize and classify

Page 40: Report: Write the Report

• Purpose of report.
• Author(s) of report.
• Incident summary. Introduce the incident and explain its impact. The summary should be written so that a non-technical person such as a judge or jury would be able to understand what occurred and how it occurred.
• Evidence
• Details: evidence, analysis methods, findings, etc.
• Conclusion.
• Supporting documents.

Page 41: Report

Page 42: Resources

• Fundamental Computer Investigation Guide for Windows: http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx
• Windows Sysinternals: http://www.microsoft.com/technet/sysinternals/default.mspx
• Channel 9: Mark Russinovich, chat re: Windows Security
• Microsoft Windows Security Resource Kit: http://www.microsoft.com/mspress/books/6418.aspx
• Microsoft Security Risk Management Guide: http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx

Page 43: Other Resources

• Microsoft Security Awareness Toolkit and Guide

Page 44

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.