Thursday, November 7, 2013

Live forensic on Windows

In the last posts, I talked about the processes of IT Forensic. Those are just theories as one might say. Hence, today, let's get more real and technical. How about what can we do to perform live forensic on Windows systems sounds to you?

Before we touch that, why do we need to do live forensic at the first place? For a few reasons:
a) It is a production server and the Business Owner or System Admin would not let you shut down the system/server for offline forensic
b) The server/system is at a location that you could not go there physically
c) We afraid that we may lost crucial information e.g. malware that runs in memory only if we were to shut down the system immediately

Next, what info or data should we gather? What tools to use? In IT Forensic, we normally talk about using trusted binaries. Why is it important? Because on a hacked or malware infected machines, it is not uncommon for the attacker/malware to install rootkits or replace some common commands/binaries of the system/server in order to hide or cover their tracks. Running these binaries might not give you the real output or info as they should be. Therefore, the first steps is to prepare a forensic kit (e.g. write protected USB stick, CD) with your trusted binaries/tools.

Back to what info or data to gather.... Below are the lists of what we should gather and how or using what tool can we gather it (yes, I know some of them are not of trusted binaries but there are also advantages in running them. Can you see those advantages? Answers below :) ) . Basically, we will need these free and great software suites:
a) Sysinternals Suite -
b) Nirsoft -
c) Redline (for memory dump and analysis) -

What to Acquire
Tools/Commands to Use (Output is saved to a file)
Hostname, OS version, system info, list of software installed
·         Psinfo –h –s –d > targethost\psinfo-hsd.txt
System info
·         Systeminfo > targethost\systeminfo.txt
Current system date
·         Date /t > targethost\date.txt
Current system time
·         Time /t > targethost\time.txt
Registry dump
·         Regedit /E targethost\registry.txt
Current IP address
·         Ipconfig /all > targethost\ipconfig.txt
·         Awatch /stab targethost\awatch.txt
·         Networkinterfacesview targethost\networkinterfacesview.csv

Running current process list
·         Pslist –t > targethost\pslist-d.txt
·         Pslist –x > targethost\pslist-x.txt
Current network connection list
·         Netstat –anb > targethost\netstat-anb.txt
·         Netstat –anr > targethost\netstat-anr.txt
·         Tcpvcon –an > targethost/tcpvcon-an.txt
·         Cports.exe /scomma targethost\cports.csv
Current list of current logon sessions
·         Psloggedon > targethost\psloggedon.txt
List of auto start applications
·         Autorunsc –a –c > targethost\autorunsc.csv
Environment variables
·         Set > targethost\set.txt
List of services
·         Psservice > targethost\psservice.txt
System event log records
·         Psloglist –x > targethost\psloglist-x.txt
Last user activity records
·         Lastactivityview /scomma  targethost\lastactivityview.csv
Windows turn on/off time records
·         Turnontimesview /scomma  targethost\turnontimesview.csv
Windows user login/logoff records
·         Winlogonview /scomma  targethost\winlogonview.csv
List of installed software
·         Myuninst /stab targethost\myuninst.csv
List of loaded dlls
·         Listdlls > targethost\listdlls.txt
List of user accounts
·         Net user > targethost\net-user.txt
·         Userprofilesview /scomma  targethost\userprofilesview.csv
Browser history
·         IE
·         Mozilla
·         Chrome
·         Opera
·         Safari
·         Iecacheview /stab  targethost\iecacheview.csv
·         Iehv /stab targethost\iehv.csv
·         Mozillacacheview /scomma targethost\mozillacacheview.csv
·         Mozillahistoryview /scomma targethost\mozillahistoryview.csv
·         Mzcv /stab targethost\mzcv.csv
·         Chromecacheview /scomma targethost\chromecacheview.csv
·         Chromehistory /scomma targethost\chromehistoryview.csv
·         Chromecookiesview /scomma targethost\chromecookiesview.csv
·         Operacacheview /scomma targethost\operacacheview.csv
·         Safarihistoryview /scomma targethost\safarihistoryview.csv
·         Safaricacheview /scomma targethost\safaricacheview.csv
Using Redline Comprehensive Collector tool to acquire full memory dump, page file data, running processes, registry data etc.
·         Runredlineaudit.bat

Have fun!

Oh wait... what are the advantages of running (carefully) "untrusted" binaries as well?
By comparing the output of trusted binaries vs untrusted binaries, it may give us some clues that the "untrusted binaries" had been modified or "rookitted". We then can analyse this binary in order to track down other malicious binaries  that might get installed on the system as well.