How Did They Find THAT?: Implementing the New Microsoft Fundamental Computer Investigation Guide for Windows

SEC 313

Kai Axford, CISSP, MCSESr. Security StrategistMicrosoft Corporationhttp://blogs.technet.com/kaiaxford

Agenda

The Problem: Investigating illegal / improper activity on your computers and networks

The Guide: Four-step investigative process

The Tools: Demos of Sysinternals, EnCase, Forensic Toolkit, Etc.

The Man: Best practices and caveats for investigators

A Growing Problem

Internet connectivity and technological

advances are now part of landscapeYour computing resources may be exposedto improper or even criminal activitiesNeed best practices and tools for investigating illegal activityWant to avoid exposing the organization to legal and financial risks

The Fundamental Computer Investigation Guide for WindowsBest practices and tools to conduct

computer investigations of suspicious activityTested guidance about collecting, preserving, analyzing and reporting on key data in investigation

Types of Questionable/Illegal Activities

Unauthorized intrusions

into network resources

Browsing illicit

materials Identity theft

IP piracyTampering

with or deleting files

Financial fraud

Harassment (cyber-

stalking)

Harassment (sexual)

Company What Happened

T.J. Maxx (Jan

2007)

45.7 Million debit and credit card records lost

DuPont (March

2007)

Insider stole IP causing over $400 Million in

damages

ParisExposed.com

(June 2007)

JUNE 13--The operators of an X-rated Paris Hilton

web site exposed the credit card numbers and

identities of about 750 subscribers who signed

up after the site recently returned online.

Real-life Examples

Our Example:

Ray Chow, Enterprise Systems Administrator of Woodgrove National Bank (WNB) Believes information illegally obtained from Human Resources file serverNeeds to use sound investigative methodsWill report findings to upper management

The Guide provides you with a 4-step Best Practices methodology for your investigation

Assess the situation

Acquire key data

Analyze data

Report results

Step 1: Assess the Situation

Decide whether or not to involve law enforcement

Assess the situation

• End internal investigation

• Contact law enforcement

agency (see appendix)• Provide assistance

Should law enforcemen

t be involved?

Continue internal investigation

Yes

No

Maybe?

Step 1: Assess the Situation (cont’d.)

Meet with management and legal advisorsCollectively review policies and lawsIdentify possible team membersAssess the situation & the business impactPrepare to acquire evidence

Volatile and Non-Volatile

Assess the situation

Step 2: Acquire Key Data

Build your toolkit!! Collect evidence of access to HR files at serverCollect volatile evidence at clientCollect evidence of access to HR files at clientConsider data storage protection and archival

Acquire key data

Step 3: Analyze Data

Analyze data obtained from server Analyze data obtained from host

Analyze data

Step 4: Report Results

Gather all background, documentation, notesIdentify data relevant to investigationIdentify facts that support conclusionList evidence to be submitted in reportList conclusionsBased on above, create report

Be Objective! Just like the CSI: Miami crew!!

Report results

Tools for Your Investigation

Event Log

Use to document unauthorized file and folder access

Acquire key data

AccessChk*

Shows what folder permissions a user hasProvides evidence that user has opportunity

Acquire key data

PsLoggedOn*

Shows if a user is logged onto a computing resource

Acquire key data

RootKit Revealer

Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools

Acquire key data

PsExec

Allows investigator to remotely obtain information about a user’s computer - without tipping them off or installing any applications on the user’s computer

Acquire key data

Sysinternals tool: DU*

Allows investigator to remotely examine the contents of user’s My Documents folder and any subfolders

Acquire key data

Digital ForensicsFirst and foremost: Kai is not an attorney. Always consult your local law enforcement agency and legal department first!

Digital forensics is SERIOUS BUSINESSYou can easily shoot yourself in the foot by doing it incorrectlyGet some in-depth training…this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)

I just want to spend a few minutes showing you somecommon forensic tools and how they can help

EnCase (Guidance Software, Inc.)

http://www.guidancesoftware.comVery popular in private corporations EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks Safely preview a disk before acquisition Picture gallery shows thumbnails of all images Virtually boot disk image using VMware to allow first-hand view of the system

Forensic Tool Kit (AccessData Corp.)

http://www.accessdata.com/Full indexed searches in addition to Regex searches Preprocess of all files, which makes for faster searchingData is categorized by type (document, image, email, archive, etc.) for easy sorting Ability to rule out “common files” using

the Known File Filter plug-inDetection of encrypted/compressed files

Open Source Forensics Tools

The Sleuth Kit (TSK) and AutopsyWritten by Brian Carrier (www.sleuthkit.org)TSK is command line; Autopsy provides GUI for TSK Runs on *nix platforms Client server architecture allows multiple examiners to use one central server Allows basic recovery of deleted data and searching Lots of manual control to the investigator, but is light on the automation

Open Source Forensics Tools (cont’d.)

Helix (http://www.e-fense.com/helix/) Customized Knoppix disk that is forensically safe Includes improved versions of ‘dd’ Terminal windows log everything for good documentation Includes Sleuthkit, Autopsy, chkrootkit, and others Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools

demo

Cool Tools

Anti-ForensicsBe Aware of activity in the Anti-Forensics area!! There are active efforts to produce tools to thwart your forensic investigation.

Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc.

TimestompTransmogrifySlackerSAM juicer

Stay Alert! Stay Alive!

*Courtesy of Vinnie Liu at Metasploit Project.

timestomp @ worknormal

• after setting values (-z “Monday 05/05/2005 05:05:05 AM”)

• example EnCase weakness (-b)

ResourcesSecurity Minded – Kai’s Bloghttp://blogs.technet.com/kaiaxford

File System Forensic Analysis. Brian Carrier ISBN: 0-321-26817-2

Digital Evidence and Computer Crime. Eoghan Casey. ISBN: 012162885X

Fundamental Computer Investigation Guide For Windows http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx

Incident Response: Investigating Computer Crime. Kevin Mandia & Chris ProsiseISBN: 007222696X

Windows Forensic Analysis. Harlan Carvey.ISBN: 159749156X

“How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab”. Berinato, Scott. May 2007. http://www.cio.com

Evaluation Forms

Questions?

Kai Axford, CISSP, MCSESr. Security StrategistMicrosoft Corporationhttp://blogs.technet.com/kaiaxford

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.