E-book, English, 350 pages
Carvey Windows Forensic Analysis Toolkit
4th edition 2014
ISBN: 978-0-12-417174-9
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
Advanced Analysis Techniques for Windows 8
Harlan Carvey has updated Windows Forensic Analysis Toolkit, now in its fourth edition, to cover Windows 8 systems. The primary focus of this edition is on analyzing Windows 8 systems and processes using free and open-source tools. The book covers live response, file analysis, malware detection, timeline, and much more. Harlan Carvey presents real-life experiences from the trenches, making the material realistic and showing the why behind the how. The companion and toolkit materials are hosted online. This material consists of electronic printable checklists, cheat sheets, free custom tools, and walk-through demos. This edition complements Windows Forensic Analysis Toolkit, Second Edition, which focuses primarily on XP, and Windows Forensic Analysis Toolkit, Third Edition, which focuses primarily on Windows 7. This new fourth edition provides expanded coverage of many topics beyond Windows 8 as well, including new cradle-to-grave case examples, USB device analysis, hacking and intrusion cases, and 'how would I do this' from Harlan's personal case files and questions he has received from readers. The fourth edition also includes an all-new chapter on reporting.

- Complete coverage and examples of Windows 8 systems
- Contains lessons from the field, case studies, and war stories
- Companion online toolkit material, including electronic printable checklists, cheat sheets, custom tools, and walk-throughs
Mr. Carvey is a digital forensics and incident response analyst with past experience in vulnerability assessments, as well as some limited pen testing. He conducts research into digital forensic analysis of Windows systems, identifying and parsing various digital artifacts from those systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. He is the developer of RegRipper, a widely used tool for Windows Registry parsing and analysis. Mr. Carvey has developed and taught several courses, including Windows Forensics, Registry, and Timeline Analysis.
Authors/Editors
Further information & material
1  Front Cover ... 1
2  Windows Forensic Analysis Toolkit ... 4
3  Copyright Page ... 5
4  Contents ... 8
5  Preface ... 12
5.1  Intended Audience ... 13
5.2  Organization of This Book ... 13
5.3  DVD Contents ... 16
6  Acknowledgments ... 18
7  About the Author ... 20
8  About the Technical Editor ... 22
9  1 Analysis Concepts ... 24
9.1  Introduction ... 24
9.2  Analysis concepts ... 27
9.2.1  Windows versions ... 27
9.2.2  Analysis principles ... 29
9.2.2.1  Goals ... 30
9.2.2.2  Tools versus processes ... 32
9.2.2.3  The tool validation myth-odology ... 32
9.2.2.4  Locard’s exchange principle ... 34
9.2.2.5  Avoiding speculation ... 34
9.2.2.6  Direct and indirect artifacts ... 36
9.2.2.7  Least frequency of occurrence ... 39
9.2.3  Documentation ... 41
9.2.4  Convergence ... 42
9.2.5  Virtualization ... 43
9.3  Setting up an analysis system ... 45
9.4  Summary ... 48
10  2 Incident Preparation ... 50
10.1  Introduction ... 50
10.2  Being prepared to respond ... 52
10.2.1  Questions ... 53
10.2.2  The importance of preparation ... 56
10.2.3  Logs ... 59
10.3  Data collection ... 64
10.3.1  Training ... 68
10.4  Business models ... 69
10.5  Summary ... 71
11  3 Volume Shadow Copies ... 72
11.1  Introduction ... 72
11.2  What are “volume shadow copies”? ... 73
11.2.1  Registry keys ... 75
11.3  Live systems ... 76
11.3.1  ProDiscover ... 79
11.3.2  F-Response ... 80
11.4  Acquired images ... 82
11.4.1  VHD method ... 84
11.4.2  VMWare method ... 88
11.4.3  Automating VSC access ... 91
11.4.4  ProDiscover ... 94
11.5  Windows 8 ... 96
11.6  Summary ... 97
11.7  Reference ... 97
12  4 File Analysis ... 98
12.1  Introduction ... 99
12.2  MFT ... 99
12.2.1  File system tunneling ... 107
12.2.2  TriForce ... 108
12.3  Event logs ... 109
12.3.1  Windows Event Log ... 113
12.4  Recycle bin ... 117
12.5  Prefetch files ... 120
12.6  Scheduled tasks ... 124
12.7  Jump lists ... 127
12.8  Hibernation files ... 133
12.9  Application files ... 134
12.9.1  Antivirus logs ... 135
12.9.2  Skype ... 136
12.9.3  Apple products ... 137
12.9.4  Image files ... 139
12.10  Summary ... 141
12.11  References ... 141
13  5 Registry Analysis ... 142
13.1  Introduction ... 143
13.2  Registry analysis ... 144
13.2.1  Registry nomenclature ... 145
13.2.2  The registry as a log file ... 147
13.2.3  USB device analysis ... 147
13.2.4  System hive ... 161
13.2.4.1  Services ... 162
13.2.4.2  Bluetooth ... 164
13.2.5  Software hive ... 165
13.2.5.1  Application analysis ... 165
13.2.5.2  NetworkList ... 168
13.2.5.3  NetworkCards ... 171
13.2.5.4  Scheduled tasks ... 171
13.2.6  User hives ... 173
13.2.6.1  WordWheelQuery ... 174
13.2.6.2  Shellbags ... 175
13.2.6.3  MenuOrder ... 179
13.2.6.4  MUICache ... 180
13.2.6.5  UserAssist ... 181
13.2.6.6  Photos ... 182
13.2.6.7  Virtual PC ... 183
13.2.6.8  TypedPaths ... 184
13.2.7  Additional sources ... 185
13.2.7.1  RegIdleBackup ... 185
13.2.7.2  Volume shadow copies ... 185
13.2.7.3  Virtualization ... 186
13.2.7.4  Memory ... 186
13.2.8  Tools ... 187
13.3  Summary ... 189
13.4  References ... 190
14  6 Malware Detection ... 192
14.1  Introduction ... 193
14.2  Malware Characteristics ... 193
14.2.1  Initial infection vector ... 195
14.2.2  Propagation mechanism ... 197
14.2.3  Persistence mechanism ... 198
14.2.4  Artifacts ... 202
14.3  Detecting Malware ... 206
14.3.1  Log analysis ... 207
14.3.1.1  Dr. Watson logs ... 211
14.3.2  AV scans ... 212
14.3.2.1  AV write ups ... 213
14.3.3  Digging deeper ... 215
14.3.3.1  Packed files ... 216
14.3.3.2  Digital signatures ... 218
14.3.3.3  Windows File Protection ... 219
14.3.3.4  Alternate data streams ... 219
14.3.3.5  PE file compile times ... 222
14.3.3.6  Master boot record infectors ... 223
14.3.3.7  Registry analysis ... 226
14.3.3.8  Internet activity ... 227
14.3.3.9  Additional detection mechanisms ... 229
14.3.4  Seeded sites ... 230
14.4  Summary ... 232
14.5  References ... 232
15  7 Timeline Analysis ... 234
15.1  Introduction ... 235
15.2  Timelines ... 235
15.2.1  Data sources ... 237
15.2.2  Time formats ... 238
15.2.3  Concepts ... 240
15.2.4  Benefits ... 242
15.2.5  Format ... 244
15.2.5.1  Time ... 245
15.2.5.2  Source ... 245
15.2.5.3  System ... 246
15.2.5.4  User ... 246
15.2.5.5  Description ... 247
15.2.5.6  TLN format ... 248
15.3  Creating Timelines ... 248
15.3.1  File system metadata ... 250
15.3.2  Event logs ... 256
15.3.2.1  Windows XP ... 256
15.3.2.2  Windows 7 ... 258
15.3.3  Prefetch files ... 261
15.3.4  Registry data ... 262
15.3.5  Additional sources ... 265
15.3.6  Parsing events into a timeline ... 266
15.3.7  Thoughts on visualization ... 269
15.4  Case Study ... 270
15.5  Summary ... 273
16  8 Correlating Artifacts ... 276
16.1  Introduction ... 276
16.2  How-Tos ... 277
16.2.1  Correlating Windows shortcuts to USB devices ... 278
16.2.2  Demonstrate user access to files ... 280
16.2.3  IE browser analysis ... 283
16.2.4  Detecting system time change ... 287
16.2.5  Who ran defrag? ... 289
16.2.6  Determine data exfiltration ... 290
16.2.7  Finding something “new” ... 294
16.3  Summary ... 296
17  9 Reporting ... 298
17.1  Introduction ... 298
17.2  Goals ... 299
17.2.1  Incident triage ... 301
17.3  Case Notes ... 302
17.3.1  Documenting your analysis ... 304
17.4  Reporting ... 307
17.4.1  Format ... 307
17.4.2  Executive summary ... 308
17.4.3  Body ... 310
17.4.3.1  Background ... 310
17.4.3.2  Analysis ... 311
17.4.3.3  Conclusions ... 313
17.4.4  Writing tips ... 314
17.4.5  Peer review ... 316
17.5  Summary ... 317
18  Index ... 318
Chapter 1 Analysis Concepts
This chapter provides a foundation for analysis discussed in the rest of the book. We discuss core analysis concepts so that they can be built upon in the following chapters of the book.

Keywords
Concepts; analysis; framework; set up

Chapter Outline
Introduction 1
Analysis concepts 4
Windows versions 4
Analysis principles 6
Goals 7
Tools versus processes 9
The tool validation myth-odology 9
Locard’s exchange principle 11
Avoiding speculation 11
Direct and indirect artifacts 13
Least frequency of occurrence 16
Documentation 18
Convergence 19
Virtualization 20
Setting up an analysis system 22
Summary 25

Information in This Chapter
Analysis Concepts
Setting Up An Analysis System

Introduction
If you’ve had your eye on the news media, or perhaps more appropriately the online lists and forums over the past couple of years, there are a couple of facts or “truths” that will be glaringly obvious to you. First, computers and computing devices are more ubiquitous in our lives. Not only do most of us have computer systems, such as desktops at work and school, laptops at home and on the go, but we also have “smart phones,” tablet computing devices, and even smart global positioning systems (GPSs) built into our cars. We’re inundated with marketing ploys every day, being told that we have to get the latest-and-greatest device, and be connected not just to WiFi, but also to the ever-present “4G” (whatever that means …) cellular networks. If we don’t have a phone-type device available, we can easily open up our laptop or turn on our tablet device and instantly reach out to others using instant messaging, email, Twitter, or Skype applications. The second truth is that as computers become more and more a part of our lives, so does crime involving those devices in some manner. Whether it’s “cyberbullying” or “cyberstalking,” identity theft, the “advanced persistent threat (APT),” or intrusions and data breaches that result in some form of data theft, a good number of real-world physical crimes are now being committed through the use of computers, and as such, get renamed by prepending “cyber” to the description of the crime. As we began to move a lot of the things that we did in the real world to the online world (i.e., banking, shopping, filing taxes), we became targets for cybercrime. Organizations become targets (and subsequently, victims) of online crime, simply because they have something someone wants, be it data or computing power. What makes this activity even more insidious and apparently “sophisticated” is that we don’t recognize it for what it is, because conceptually, the online world is simply so foreign to us.
If someone shatters a storefront window to steal a television set, there’s a loud noise, possibly an alarm, broken glass, and someone fleeing with their stolen booty. Cybercrime doesn’t “look like” this; often, something isn’t stolen and then absent, so much as it’s copied, and then used for malicious purposes. The data (credit card numbers, personally identifiable information, etc.) still exists in its original location, but is now also in the possession of someone who intends to sell it to others. Other times, the crime does result in something that is stolen and is removed from our ownership, but we may not recognize that immediately, because we’re talking about 1s and 0s in the “ether” of cyberspace, not a car that should be sitting in your driveway, in plain view. These malicious activities also appear to be increasing in sophistication. In many cases, the fact that a crime has occurred is not evident until someone notices a significant decrease in an account balance, which indicates that the perpetrator has already gained access to systems, gathered the data needed, accessed that bank account, and left with the funds. The actual incidents are not detected until days (in some cases, weeks or even months) after they’ve occurred. In other instances, the malicious activity continues and even escalates after we become aware of it, because we’re unable to transition our mindset from the real world (lock the doors and windows, post a guard at the door, etc.) to the online world, and effectively address the issue. Clearly, no one person, and no organization, is immune. The early part of 2011 saw a number of high-visibility computer security incidents splashed across the pages (both web and print) of the media. The federal arm of the computer consulting firm HBGary suffered an embarrassing exposure of internal, sensitive data, and equally devastating was the manner in which it was retrieved.
RSA, owned by EMC and the provider of secure authentication mechanisms, reported that they’d been compromised. On April 6, Kelly Jackson Higgins published a story (titled “Law Firms Under Siege”) at DarkReading.com that revealed that law firms were becoming a more prevalent target of APT actor groups. The examples continue on through 2012 and into 2013, but the point is that there’s no one specific type of attack, or victim that gets targeted. The end of 2012 saw some banks and other organizations falling victim to massive distributed denial of service attacks, and the spring of 2013 saw a specific group in China, and even specific individuals, identified as being responsible for long-term and long-standing data theft attacks on US companies. Shortly thereafter, a group in India was identified as being responsible for other attacks, predominantly against targets in Pakistan. Anyone can be a target. In order to address this situation, we need to have responders and analysts who are at least as educated, knowledgeable, and collaborative as those committing these online crimes. Being able to develop suitable detection and deterrence mechanisms depends on understanding how these online criminals operate, how they get in, what they’re after, and how they exfiltrate what they’ve found from the infrastructure. As such, analysts need to understand how to go about determining which systems have been accessed, and which are used as primary jump points that the intruders use to return at will. They also need to understand how to do so without tipping their hand and revealing that they are actively monitoring the intruders, or inadvertently destroying data in the process. These goals are best achieved by having knowledgeable groups of responders working together, and sharing information across arbitrary boundaries. In this book, we’re going to focus on the analysis of Windows computer systems (laptops, desktops, and servers), because they are so pervasive.
This is not to exclude other devices and operating systems; to the contrary, we’re narrowing our focus to fit the topic that we’re covering into a manageable volume. Our focus throughout this book will be primarily on the Windows 7 operating system, and much of the book, after Chapter 2, will be tailored specifically to the analysis of forensic images acquired from those systems. I will be including information regarding Windows 8 artifacts, where appropriate, throughout the book. While there are some notable differences between Windows 7 and Windows 8, the simple fact is that there are also some similarities, so I will attempt to highlight those in addition to pointing out some of what is different. However, at this writing, analysts should be more concerned with what is available in Windows 7, as understanding data structures and developing skills in addressing the available data will be very beneficial when analyzing a Windows 8 system. In this chapter, we’re going to start our journey by discussing and understanding the core concepts that set the foundation for our analysis. It is vitally important that responders and analysts understand these concepts, as it is these core concepts that shape what we do and how we approach a problem or an incident. Developing an understanding of the fundamentals allows us to create a foundation upon which to build, allowing analysts to be able to address new issues effectively, rather than responding to these challenges by using the “that’s what we’ve always done” methodology, which may be unviable.

Analysis concepts

Very often when talking to analysts, especially those who are new to the field, I find that there are some concepts that shape not only your thought processes but also your investigative processes and how you look at and approach the various problems and issues that you encounter. For new analysts, without a great deal of actual experience to fall back on, these fundamental analysis concepts make up for that lack of experience and allow them to overcome the day-to-day challenges that they face. Consider how you may have learned to acquire images of hard drives. Many of us started out our process of learning by first removing the hard drive from the computer system, and hooking it up to a write-blocker. We learned about write-blockers that allowed us to acquire an image of a hard drive to another hard drive, as well as those...