Version 1.0 Published: January 2007 For the latest information, please see microsoft.com/technet/SolutionAccelerators
© 2007 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Contents
Overview
  Computer Investigation Model
  Initial Decision-Making Process
  Chapter Summary
  Audience
  Caveats and Disclaimers
  References and Credits
  Style Conventions
  Support and Feedback
Chapter 1: Assess the Situation
  Notify Decision Makers and Acquire Authorization
  Review Policies and Laws
  Identify Investigation Team Members
  Conduct a Thorough Assessment
  Prepare for Evidence Acquisition
Chapter 2: Acquire the Data
  Build a Computer Investigation Toolkit
  Collect the Data
  Store and Archive
Chapter 3: Analyze the Data
  Analyze Network Data
  Analyze Host Data
  Analyze Storage Media
Chapter 4: Report the Investigation
  Gather and Organize Information
  Write the Report
Chapter 5: Applied Scenario Example
  Scenario
  Assess the Situation
  Acquire Evidence of Confidential Data Access
  Remote Evidence Collection
  Local Evidence Collection
  Analyze Collected Evidence
  Report the Evidence
  Applied Scenario Lab Configuration
Appendix: Resources
  Preparing Your Organization for a Computer Investigation
  Worksheets and Samples
  Reporting Computer-Related Crimes
  Training
  Tools
Acknowledgments
Index
Overview
Internet connectivity and technological advances expose computers and computer networks to criminal activities such as unauthorized intrusion, financial fraud, and identity and intellectual property theft. Computers can be used to launch attacks against computer networks and destroy data. E-mail can be used to harass people, transmit sexually explicit images, and conduct other malicious activities. Such activities expose organizations to ethical, legal, and financial risks and often require them to conduct internal computer investigations.

This guide discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows-based computers) as well as commonly available Windows commands and tools.

Some of the policies and procedures invoked in investigations that result from computer security incidents might also exist in disaster recovery plans. Although such plans are beyond the scope of this guide, it is important for organizations to establish procedures that can be used in emergency and disaster situations. Organizations should also identify and manage security risks wherever possible. For more information, see the Security Risk Management Guide.
The four investigation phases and accompanying processes in the figure should be applied when working with digital evidence. The phases can be summarized as follows:
Assess the situation. Analyze the scope of the investigation and the action to be taken.
Acquire the data. Gather, protect, and preserve the original evidence.
Analyze the data. Examine and correlate digital evidence with events of interest that will help you make a case.
Report the investigation. Gather and organize collected information and write the final report.
Detailed information about each of the phases is provided in the chapters of this guide.
You should determine whether or not to involve law enforcement with the assistance of legal advisors. If you determine that law enforcement is needed, then you need to continue the internal investigation unless law enforcement officials advise you otherwise. Law enforcement might not be available to assist in the investigation of the incident, so you must continue to manage the incident and investigation for later submission to law enforcement. Depending on the type of incident being investigated, the primary concern should be to prevent further damage to the organization by those person(s) who caused the incident. The investigation is important, but is secondary to protecting the organization unless there are national security issues. If law enforcement is not involved, your organization may have existing standard operating procedures and policies that guide the investigation process. Refer to the "Reporting Computer-Related Crimes" section in Appendix: Resources in this guide for types of crimes that need to be reported to law enforcement.
Chapter Summary
This guide comprises five chapters and an appendix, which are briefly described in the following list. The first four chapters provide information about the four phases of the internal investigation process:
Chapter 1: Assess the Situation explains how to conduct a thorough assessment of the situation and prepare for the internal investigation.
Chapter 2: Acquire the Data provides guidance about how to gather digital evidence.
Chapter 3: Analyze the Data examines the standard techniques of evidence analysis.
Chapter 4: Report the Investigation explains how to write the investigation outcome report.
Chapter 5: Applied Scenario Example describes a fictional scenario that depicts unauthorized access to confidential information.
Appendix: Resources includes information about how to prepare for a computer investigation, contact information for reporting computer-related crimes and obtaining computer investigation training, worksheets that can be used in computer investigations, and lists of certain computer investigation tools.
Audience
This guide is intended for IT professionals in the United States who need a general understanding of computer investigations, including many of the procedures that can be used in such investigations and protocols for reporting incidents.
Style Conventions
This guidance uses the style conventions that are described in the following table.

Element          Meaning
Bold font        Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.
Italic font      Titles of books and other substantial publications appear in italic.
<Italic>         Placeholders set in italic and angle brackets <Italic> represent variables.
Monospace font   Defines code and script samples.
Note             Alerts the reader to supplementary information.
Important        Alerts the reader to essential supplementary information.
Depending on the scope of the incident and absent any national security issues or life safety issues, the first priority is to protect the organization from further harm. After the organization is secure, restoration of services (if needed) and the investigation of the incident are the next priorities. Decisions you make may be questioned as much as the evidence. Because computer evidence is complex, different investigations (such as those conducted by an opposing party) may make different decisions and reach different conclusions.
Incurring criminal or civil liability for improper interception of electronic communications. Consider warning banners.
Viewing sensitive or privileged information. Sensitive data that may compromise the confidentiality of customer information must only be made available as part of investigation-related documentation if it directly pertains to the investigation.
Ensure the following customer privacy and confidentiality issues are addressed:
All data should be transferred securely, stored on local computers (not network servers), and should not be easily accessible.
All data (including documentation) should be maintained for the period specified by legal advisors or local policy after the computer investigation is closed. If the data is part of a potential criminal case, consult with the law enforcement agency investigating the case. If the case is a civil case, consult with your organization's legal advisors. Also, review any data retention issues related to the Sarbanes-Oxley Act of 2002 or other legal requirements for data retention.
Maintain digital copies of evidence, printouts of evidence, and the chain of custody for all evidence, in case of legal action. Preservation of the chain of custody is accomplished by having verifiable documentation that indicates who handled the evidence, when they handled it, and the locations, dates, and times of where the evidence was stored. Secure storage of evidence is necessary, or custody cannot be verified.
Identify the impact and sensitivity of the investigation on your organization. For example, assess whether it involves customer data, financial details, health care records, or company confidential information. Remember to evaluate its potential impact on public relations. This assessment will likely be beyond the expertise of IT, and should be done in conjunction with management and legal advisors.
Analyze the business impact of the incident throughout the investigation. List the number of hours required to recover from the incident, hours of downtime, cost of damaged equipment, loss of revenue, and value of trade secrets. Such an assessment should be realistic and not inflated. The actual costs of the incident will be determined at a later date.
Analyze affected intangible resources, such as future impact on reputation, customer relationships, and employee morale. Do not inflate the severity of the incident. This analysis is for informational purposes only to help understand the scope of the incident. The actual impact will be determined at a later date. This assessment will likely be beyond the expertise of IT, and should be done in conjunction with management and legal advisors.

Use the following best practices to identify, analyze, and document the infrastructure and computers that are affected by the situation. Much of this guidance could have already been followed as part of a risk assessment process to prepare a disaster recovery plan.
Identify the network(s) that are involved, the number of computers affected, and the type of computers affected. Obtain the network topology documentation, which should include a detailed network diagram that provides infrastructure information about servers, network hardware, firewalls, Internet connections, and other computers on the network.
Identify external storage devices and any remote computers that should be included. External storage devices could include thumb drives, memory and flash cards, optical discs, and magnetic disks.
Capture the network traffic over a period of time if live analysis is required. This type of analysis is only needed if you believe there is ongoing suspicious traffic on the network, and is typically only performed after auditing and logging have been exhausted as sources of evidence. Microsoft® Windows® XP and Windows Server® 2003 include built-in network capture tools such as Netcap and Rasdiag that can capture local network traffic without having to install products such as Netmon or Ethereal. Use tools such as Windows Network Monitor (NetMon) and Windows Sysinternals TDIMon for network data analysis. Windows Sysinternals tools can be downloaded from the Windows Sysinternals page on Microsoft TechNet.
Important: Network sniffing (capturing network traffic) can be a breach of privacy, depending on the scope of the capture. You should therefore be very cautious about deploying network capture tools on your network.
Use tools to examine the state of software applications and operating systems on computers that are likely affected. Useful tools for this task include the Windows application logs, system logs, and Windows Sysinternals PsTools.
Examine affected file and application servers. Use Windows Sysinternals tools such as PsTools, PsFile, ShareEnum and internal Windows security logs to examine and document activity on these servers.
Important: Some of the information gathered during this assessment (such as running processes and data in memory) is captured by your tools in real time. You must ensure that any records or logs generated are securely stored to prevent losing this volatile data.
In addition, the following best practices can help you obtain a complete understanding of the situation.
Build a timeline and map everything to it. A timeline is especially important for global incidents. Document any discrepancies between the date and time of hosts, such as desktop computers, and the system date and time, such as the Windows Time service in Windows Server 2003.
Identify and interview anyone who might be involved in the incident, such as system administrators and users. In some situations, such people might be external to the organization. Interviewing users and affected personnel often provides good results and insights into the situation. Interviews should be conducted by experienced interviewers. Document all interview outcomes. You will need to use them later to fully understand the situation.
Retrieve information (logs) from internal and external facing network devices, such as firewalls and routers, which might be used in the possible attack path.
Some information, such as IP address and domain name ownership, is often public by its nature. For example, you can use the Windows Sysinternals Whois tool or the American Registry for Internet Numbers to identify an owner of an IP address.
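The timeline practice above depends on correcting each host's clock discrepancy before events from different hosts are ordered. The following Python example, added here and not part of the guide, builds one corrected timeline from constructed events and constructed per-host clock offsets; the host names and offsets are assumptions for illustration.

```python
"""Build a single investigation timeline from events recorded on several hosts.

Added example (not from the guide). Constructed sample events and clock offsets
are illustrative; measure real offsets against an authoritative time source
such as the Windows Time service and record them with the evidence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    host: str          # host whose clock produced the timestamp
    local_time: str    # timestamp exactly as the host recorded it, "YYYY-MM-DD HH:MM:SS"
    source: str        # log or tool the event came from
    description: str


# Constructed clock discrepancies measured during the assessment: how far each
# host's clock was AHEAD of the reference clock (negative means behind).
CLOCK_SKEW = {
    "WNB-HQ-FS1": timedelta(seconds=0),      # file server, synced to the reference
    "WKSTN-LOAN-07": timedelta(minutes=-4),  # workstation clock 4 minutes slow
    "FW-EDGE-1": timedelta(hours=1),         # firewall one hour fast (stale time zone)
}


def normalize(event: Event, skew: dict) -> datetime:
    """Convert a host-local timestamp to reference (UTC) time.

    Raises KeyError for a host whose skew was never documented, because an
    unmeasured clock must not be silently placed on the timeline.
    """
    if event.host not in skew:
        raise KeyError(f"no documented clock offset for host {event.host!r}")
    local = datetime.strptime(event.local_time, "%Y-%m-%d %H:%M:%S")
    return (local - skew[event.host]).replace(tzinfo=timezone.utc)


def build_timeline(events, skew):
    """Return (corrected_time, event) pairs ordered by corrected time."""
    corrected = [(normalize(e, skew) , e) for e in events]
    corrected.sort(key=lambda pair: pair[0])
    return corrected


# Constructed sample events. Sorting on the raw local_time strings would put the
# firewall event an hour after the file access and the USB insertion before it.
SAMPLE_EVENTS = [
    Event("WKSTN-LOAN-07", "2007-01-15 09:10:00", "Security log", "logon of user mdanseglio"),
    Event("FW-EDGE-1", "2007-01-15 10:15:30", "firewall log", "SMB session to WNB-HQ-FS1 allowed"),
    Event("WNB-HQ-FS1", "2007-01-15 09:16:40", "Security log", "object access on HR\\Internal\\Payroll"),
    Event("WKSTN-LOAN-07", "2007-01-15 09:14:00", "USB log", "removable media inserted"),
]


def timeline_descriptions(events=SAMPLE_EVENTS, skew=CLOCK_SKEW):
    """Descriptions of the sample events in corrected chronological order."""
    return [e.description for _, e in build_timeline(events, skew)]


if __name__ == "__main__":
    for when, e in build_timeline(SAMPLE_EVENTS, CLOCK_SKEW):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {e.host:<14} {e.source:<13} {e.description}")
```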
Important: Creating consistent, accurate, and detailed documentation throughout the computer investigation process will help with the ongoing investigation. This documentation is often critical to the project's success and should never be overlooked. As you create documentation, always be aware that it constitutes evidence that might be used in court proceedings. Before you begin the next phase, ensure that you have obtained a responsible decision maker's signoff on the documentation that you created during the assessment phase.
Important: When using tools to collect data, it is important to first determine whether or not a rootkit has been installed. Rootkits are software components that take complete control of a computer and conceal their existence from standard diagnostic tools. Because rootkits operate at a very low hardware level, they can intercept and modify system calls. You cannot find a rootkit by searching for its executable, because the rootkit removes itself from the list of returned search results. Port scans do not reveal that the ports the rootkit uses are open, because the rootkit prevents the scanner from detecting the open port. Therefore, it is difficult to ensure that no rootkits exist. One available tool you can use is the Microsoft® Windows® Sysinternals RootkitRevealer.
When acquiring data over a network, you need to consider the type of data to be collected and the amount of effort to use. Consider what data you need to obtain that would support the prosecution of the offending parties. For example, it might be necessary to acquire data from several computers through different network connections, or it might be sufficient to copy a logical volume from just one computer. The recommended data acquisition process is as follows:

1. Create accurate documentation that will later allow you to identify and authenticate the evidence you collect. Ensure that you note any items of potential interest and log any activities that might be of importance later in the investigation. Key to a successful investigation is proper documentation, including information such as the following:
   Who performed the action and why they did it. What were they attempting to accomplish?
   How they performed the action, including the tools they used and the procedures they followed.
   When they performed the action (date and time) and the results.

2. Determine which investigation methods to use. Typically, a combination of offline and online investigations is used. In offline investigations, additional analysis is performed on a bit-wise copy of the original evidence. (A bit-wise copy is a complete copy of all the data from the targeted source, including information such as the boot sector, partition, and unallocated disk space.) You should use the offline investigation method whenever possible because it mitigates the risk of damaging the original evidence. However, this method is only suitable for situations in which an image can be created, so it cannot be used to gather some volatile data. In an online investigation, analysis is performed on the original live evidence. You should be especially careful when performing online analysis of data because of the risk of altering evidence that might be required to prove a case.

3. Identify and document potential sources of data, including the following:
   Servers. Server information includes server role, logs (such as event logs), files, and applications.
   Logs from internal and external facing network devices, such as firewalls, routers, proxy servers, network access servers (NAS), and intrusion detection systems (IDS) that may be used in the possible attack path.
   Internal hardware components, such as network adapters (which include media access control (MAC) address information) and PCMCIA cards. Also note external port types, such as FireWire, USB, and PCMCIA.
   Storage devices that need to be acquired (internal and external), including hard disks, network storage devices, and removable media. Don't forget portable mobile devices such as PocketPC, Smartphone devices, and MP3 players such as Zune™.

4. When you must capture volatile data, carefully consider the order in which you collect the data. Volatile evidence can be easily destroyed. Information such as running processes, data loaded into memory, routing tables, and temporary files can be lost forever when the computer is shut down. Information about tools and commands that can help gather this information is available in the "Tools" section of Appendix: Resources in this guide.

5. Use the following methods to collect data from storage media and record storage media configuration information:
   If you need to remove any internal storage devices, turn off the computer first. However, before you turn off the computer you should verify that all volatile data has been captured whenever possible.
   Determine whether to remove the storage device from the suspect computer and use your own system to acquire the data. It may not be possible to remove the storage device because of hardware considerations and incompatibilities. Typically, you would not disconnect storage devices such as RAID devices, storage devices with a hardware dependency (for example, legacy equipment), or devices in network storage systems such as storage area networks (SANs).
   Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected. Subsequent data analysis should be performed on this copy and not on the original evidence. Step-by-step guidance for imaging is beyond the scope of this guide but is an integral part of evidence collection.
Important: Use industry accepted tools when acquiring a bit-wise copy. For example, EnCase by Guidance Software or FTK by AccessData.
   Document internal storage devices and ensure that you include information about their configurations. For example, note the manufacturer and model, jumper settings, and the size of the device. In addition, note the type of interface and the condition of the drive.

6. Verify the data you collect. Create checksums and digital signatures when possible to help establish that the copied data is identical to the original. In certain circumstances (for example, when a bad sector exists on the storage media) it may be impossible to create a perfect copy. Ensure that you have obtained the best copy possible with the available tools and resources. You can use the Microsoft File Checksum Integrity Verifier (FCIV) tool to compute an MD5 or SHA1 cryptographic hash of the content of a file.
Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise. Document who has physical and network access to the information.
Protect storage equipment from magnetic fields. Use static control storage solutions to protect storage equipment from static electricity.
Make at least two copies of the evidence you collected, and store one copy in a secure offsite location.
Ensure that the evidence is physically secured (for example, by placing the evidence in a safe) as well as digitally secured (for example, by assigning a password to the storage media).
Clearly document the chain of custody of the evidence. Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it. A sample Worksheet – Chain of Custody Log Documentation document is included with the worksheets referenced in Appendix: Resources in this guide.
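A check-in/check-out list is only useful if someone actually reviews it for gaps. The following Python example, added here and not one of the guide's worksheets, validates a constructed custody log for one evidence item: entries must be chronological, every check-out must be closed by a check-in from the same custodian, and the evidence hash must be unchanged at every hand-off. The custodian names, locations and hash values are constructed.

```python
"""Validate a chain-of-custody log for one evidence item.

Added example (not from the guide's worksheets). The log entries are
constructed; the checks are the ones a reviewer applies to a check-in/check-out
list: chronological order, every check-out closed by a check-in from the same
person, and an unchanged evidence hash at every hand-off.
"""
from datetime import datetime

# Each row: (timestamp, custodian, action, location, evidence_hash)
# Constructed sample log for evidence item HR01 (the USB drive in the scenario).
CUSTODY_LOG = [
    ("2007-01-15 11:02:00", "R. Chow", "collected", "WNB-HQ-FS1 server room", "9e107d9d372bb6826bd81d3542a419d6"),
    ("2007-01-15 11:40:00", "R. Chow", "check-in",  "evidence safe A",        "9e107d9d372bb6826bd81d3542a419d6"),
    ("2007-01-16 09:05:00", "J. Lee",  "check-out", "forensic lab",           "9e107d9d372bb6826bd81d3542a419d6"),
    ("2007-01-16 15:30:00", "J. Lee",  "check-in",  "evidence safe A",        "9e107d9d372bb6826bd81d3542a419d6"),
]


def validate_custody(log):
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    prev_time = None
    holder = None           # custodian who currently has the item checked out
    baseline_hash = None    # hash recorded at collection; must never change
    for i, (ts, who, action, _where, digest) in enumerate(log, start=1):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if prev_time is not None and t < prev_time:
            problems.append(f"row {i}: timestamp {ts} is earlier than the previous entry")
        prev_time = t
        if baseline_hash is None:
            baseline_hash = digest
        elif digest != baseline_hash:
            problems.append(f"row {i}: evidence hash changed while held by {who}")
        if action in ("collected", "check-out"):
            if holder is not None:
                problems.append(f"row {i}: {who} took custody but {holder} never checked it in")
            holder = who
        elif action == "check-in":
            if holder is None:
                problems.append(f"row {i}: check-in by {who} without a matching check-out")
            elif holder != who:
                problems.append(f"row {i}: checked in by {who} but checked out by {holder}")
            holder = None
        else:
            problems.append(f"row {i}: unknown action {action!r}")
    if holder is not None:
        problems.append(f"item still checked out by {holder} at end of log")
    return problems


# Constructed log with two defects: a hand-off by someone other than the
# holder, and a hash that no longer matches the one recorded at collection.
BROKEN_LOG = CUSTODY_LOG[:3] + [
    ("2007-01-16 15:30:00", "A. Patel", "check-in", "evidence safe A", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for name, log in (("intact", CUSTODY_LOG), ("broken", BROKEN_LOG)):
        print(name, validate_custody(log) or "chain intact")
```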
the connection and whether a suspected party established a session with a specific server.
deployed. For more information about EFS see "The Encrypting File System" on Microsoft TechNet. External EFS recovery tools are also available, such as Advanced EFS Data Recovery by Elcomsoft.

3. If necessary, uncompress any compressed files and archives. Although most forensic software can read compressed files from a disk image, you might need to uncompress archive files to examine all files on the media you are analyzing.

4. Create a diagram of the directory structure. It might be useful to graphically represent the structure of the directories and files on the storage media to effectively analyze the files.

5. Identify files of interest. If you know which files were affected by the security incident, you can focus the investigation on these files first. The hash sets created by the National Software Reference Library can be used to compare well-known files (such as operating system and application files) to the originals. Those files that match can normally be eliminated from the investigation. You can also use informational sites such as filespecs.com, Wotsit's Format, ProcessLibrary.com, and Microsoft DLL Help to help you categorize and collect information about existing file formats as well as to identify files.

6. Examine the registry, the database that contains Windows configuration information, for information about the computer boot process, installed applications (including those loaded during startup), and login information such as username and logon domain. For registry background information and detailed descriptions of registry content, see the Windows Server 2003 Resource Kit Registry Reference. Various tools are available for analyzing the registry, including RegEdit, which ships with the Windows operating system, Windows Sysinternals RegMon for Windows, and Registry Viewer by AccessData.

7. Search the contents of all gathered files to help identify files that may be of interest. Various intelligent searches can be performed using tools described in the "Tools" section in Appendix: Resources of this guide. For example, you can use the Windows Sysinternals Streams tool to reveal whether there are any NTFS alternate data streams used on files or folders. NTFS alternate data streams can hide information within a file by causing it to appear to contain zero bytes of data when viewed through Windows Explorer although the file actually contains hidden data.

8. Study the metadata of files of interest, using tools such as EnCase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways. File attributes such as timestamps can show the creation, last access, and last written times, which can often be helpful when investigating an incident.

9. Use file viewers to view the content of the identified files, which allow you to scan and preview certain files without the original application that created them. This approach protects files from accidental damage, and is often more cost effective than using the native application. Note that file viewers are specific to each type of file; if a viewer is not available, use the native application to examine the file.

After you analyze all of the available information, you may be able to reach a conclusion. However, it is important to be very cautious at this stage and ensure that you do not blame the wrong party for any damages. If you are certain of your findings, you will be ready to begin the Report the Investigation phase.
6. Organize and classify the information you gather to ensure that a clear and concise report is the result. Reference the following "Write the Report" section and Sample – Internal Investigation Report.doc (in Appendix: Resources in this guide) to help organize the information.
Note: During an investigation you will likely collect valuable information about the use of computer investigation processes. You might also gain experience and a better understanding of operational and security-related procedures. You should review your existing operational and incident response documentation and incorporate the knowledge you gain during an investigation. If you do not have such documentation or wish to adopt an industry standard format, you can use the Microsoft® Operations Framework (MOF) documentation templates and guidance. For more information about MOF visit the Microsoft Operations Framework home page.
Scenario
It has been brought to the attention of Ray Chow, the Enterprise Systems Administrator of Woodgrove National Bank, that someone was bragging about knowing the salary of many different bank employees. Ray learned the name of the employee who claimed to know this information: Mike Danseglio. Mike works in the loan department and should not have access to any Human Resources (HR) files.

Woodgrove National Bank has a policy that relates to the proper use of bank computers. This policy states that there is no expectation of privacy when using company computers for any purpose, including e-mail services and access to Web sites. The policy also states that no programs will be loaded on any computers without the written permission of the IT Director, and that any attempts to circumvent passwords or obtain unauthorized access to bank files will be grounds for termination or legal prosecution. The policy also allows the IT staff to install any network monitoring devices, including sniffers or other packet capture devices, to maintain network security or to investigate possible abuses.

Ray wants to ensure that he uses accepted computer investigation procedures to investigate this issue and report his findings. Ray believes that information might have been originally obtained from the HR file server and plans to follow the four-phase computer investigation model shown in the following figure:
Important: See the "Applied Scenario Lab Configuration" section at the end of this chapter for information about how to emulate this scenario and follow along using the tools.
Figure 5.1. Logical diagram of computers involved in the investigation

Ray then considers different options for proceeding with the investigation. Because some of the information he needs to acquire is volatile data, Ray decides to begin the internal computer investigation by analyzing live data. He will then make an image of Mike Danseglio's drive and examine the static evidence. Ray creates a USB drive that includes the appropriate investigative tools for a live investigation. (The "Tools" section in Appendix: Resources in this guide describes the tools that are referenced in this chapter.) Ray's next task is to duplicate the suspected party's hard disk in a way that protects and preserves the evidence if he locates information that requires him to report the case to law enforcement.
Ray notes items of potential interest, documents what is needed to be able to identify and authenticate the collected evidence later in the investigation, and creates an audit log of actions performed during the investigation.
Figure 5.2. Security event log entries that indicate user account mdanseglio accessed a file in the HR\Internal\Payroll folder

First, Ray creates new \evidence and \tools folders on the USB drive. To ensure the integrity of the evidence files he creates, Ray will perform an MD5 cryptographic hash on any files he copies from Mike's computer to the evidence folder. MD5 cryptographic hashes are created by running an algorithm on a file to create a unique 128-bit "fingerprint" of the contents of the file. If someone questions the integrity of the data collected by Ray (for example, to imply the file may have been edited at a later time), Ray can provide the original MD5 checksum value for comparison and validation. Ray exports the log set to a USB drive that is labeled HR01. He will use this same USB drive for all his evidence collection.
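Ray's MD5 practice here, and step 6 of the acquisition process in Chapter 2 (create checksums so that the copy can be shown identical to the original), both come down to recording digests at collection time and re-checking them later. The following Python example is added here and is neither the guide's tooling nor FCIV: it builds a hash manifest for an evidence folder and re-verifies it, reporting modified, missing and unexpected files. It records SHA-256 next to MD5 because MD5 collisions are practical today and a second, stronger digest keeps the manifest meaningful; the evidence files are constructed in a temporary directory.

```python
"""Create and verify a hash manifest for an evidence folder.

Added example, not the guide's own tooling and not FCIV. Records MD5 (the
algorithm the scenario uses) together with SHA-256. The evidence files in
demo() are constructed stand-ins for exported logs.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hex digest} for one file, streamed in chunks so a
    large image does not need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(folder):
    """Hash every regular file under folder; keys are paths relative to folder."""
    manifest = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(folder, manifest):
    """Compare the folder against a previously recorded manifest.

    Returns {relative_path: status} with status one of "ok", "modified",
    "missing" (in manifest, not on disk) or "unexpected" (on disk, not in
    manifest). Any digest mismatch counts as modified."""
    current = build_manifest(folder)
    result = {}
    for rel, recorded in manifest.items():
        if rel not in current:
            result[rel] = "missing"
        elif current[rel] != recorded:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            result[rel] = "unexpected"
    return result


def demo():
    """Build a manifest, then tamper with the copy and re-verify.
    Returns (verification before tampering, verification after)."""
    with tempfile.TemporaryDirectory() as evidence:
        # Constructed evidence files standing in for exported logs.
        os.makedirs(os.path.join(evidence, "logs"))
        with open(os.path.join(evidence, "logs", "security.evt"), "wb") as fh:
            fh.write(b"constructed security log export\n")
        with open(os.path.join(evidence, "psloggedon.txt"), "wb") as fh:
            fh.write(b"mdanseglio logged on to WNB-HQ-FS1\n")
        manifest = build_manifest(evidence)
        before = verify_manifest(evidence, manifest)
        # The situation Ray guards against: a file edited after collection,
        # plus one deleted and one added that was never part of the collection.
        with open(os.path.join(evidence, "psloggedon.txt"), "ab") as fh:
            fh.write(b"edited later\n")
        os.remove(os.path.join(evidence, "logs", "security.evt"))
        with open(os.path.join(evidence, "notes.txt"), "wb") as fh:
            fh.write(b"not part of the collection\n")
        after = verify_manifest(evidence, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```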
Note: Connecting a USB drive to a Windows-based computer adds an entry to the Setupapi.log file and alters the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Storage\RemovableMedia
Ray decides to determine what permissions are assigned to the HR\Internal folder by running the Windows Sysinternals AccessChk tool on the server. This tool shows what permissions the specified user or group has to files, registry keys, or Windows services. Ray runs the tool from his USB drive, which appears as drive F:, by typing the following at a command prompt:
f:\tools>accesschk mdanseglio c:\hr\internal
Note: The Sysinternals AccessChk tool requires an installation process and will leave a footprint on the local drive in the following registry key: HKEY_CURRENT_USER\Software\Sysinternals\AccessChk
Ray notes that the mdanseglio user account has read and write permissions to the \Benefits, \Payroll, and \Reviews subfolders under \HR\Internal as shown in the following screen shot:
Figure. AccessChk results that indicate user account mdanseglio has read and write permissions to the HR\Internal subfolders
Ray suspects that errors in the configuration of the HR server permissions allowed Mike Danseglio to access the HR\Internal folder. Ray spends a few minutes investigating Mike Danseglio's user rights and notices that he is a member of a group called branch01mgrs. This group has read and write permissions to the HR\Internal folders. Ray wants to know whether Mike Danseglio is currently logged on to any servers on the network. Ray uses PsLoggedOn, a tool that displays locally logged on users as well as users who are logged on through resources to either the local computer or a remote one. Ray inserts his USB stick into his computer and types the following at the command prompt:
f:\tools>psloggedon mdanseglio
The results, shown in the following screen shot, indicate that Mike Danseglio is logged on to WAB-HQ-FS1 at this time.
Figure. PsLoggedOn results indicating that user account mdanseglio is logged on to WAB-HQ-FS1
Ray removes Mike Danseglio from the branch01mgrs group and rechecks his user rights to the HR\Internal folder. After further review of the Security event logs and the results of AccessChk to look for other possible incorrect permission configurations to the HR\Internal folder, Ray begins investigating the contents of Mike Danseglio's computer using remote investigative techniques.
1.
Ray accesses the USB drive and the \tools folder that contains his command-line tools (including PsExec and the File Checksum Integrity Verifier (FCIV) tool).
j:
cd tools
2. Note the examination start date and time.
Ray pipes the results of the date and time commands to record the start time of his investigation into a new mdevidence.txt file that is created in the \evidence folder on his USB drive. (Ray will obtain the system time on Mike Danseglio's computer in step 3.) In addition, Ray looks for any discrepancy between the BIOS date and time and the actual date and time.
date /t > j:\evidence\mdevidence.txt
time /t >> j:\evidence\mdevidence.txt
3. Obtain basic information about the target computer.
Ray runs a series of native Windows commands to obtain information about Mike's computer.
j:
cd tools
systeminfo >> j:\evidence\mdevidence.txt
ipconfig /all >> j:\evidence\mdevidence.txt
arp -a >> j:\evidence\mdevidence.txt
netstat -b >> j:\evidence\mdevidence.txt
schtasks >> j:\evidence\mdevidence.txt
Note: PsExec gathers information remotely by using services that are already on the target computer, such as Cmd and Ipconfig. PsExec can also be used to load services across the network to run on the target computer. Ray does not want to install any applications on Mike's computer; he only runs services that are supported by the Windows XP operating system on Mike's computer.
4. Run remote tools that use local application programming interfaces (APIs).
Ray now runs several tools to determine whether other computers have files open on Mike's computer, the processes that are running on the computer, and to obtain the System and Security event logs from the computer.
psfile \\hqloan164 >> j:\evidence\mdevidence.txt
pslist -t \\hqloan164 >> j:\evidence\mdevidence.txt
psloglist -s \\hqloan164 >> j:\evidence\mdevidence.txt
psloglist -s sec \\hqloan164 >> j:\evidence\mdevidence.txt
PsFile shows files opened remotely. This tool uses remote Windows APIs and does not need to be loaded on the target computer. PsList shows information about running processes and threads on a computer. This tool uses remote Windows APIs and does not need to be loaded on the target computer. PsLogList dumps the contents of the computer's Event log by default; no additional parameter is needed. Ray runs this command with the sec parameter to obtain the Security event log.
5. Create a record of all tasks.
Windows automatically tracks all the commands that are executed at a command prompt. Ray uses the Doskey command to capture this record and pipes the history information into a file called mdevidence-doskey.txt.
doskey /h > j:\evidence\mdevidence-doskey.txt
6. Perform an MD5 checksum on the evidence files.
Ray uses the FCIV tool to perform an MD5 checksum on the evidence files.
fciv j:\evidence\mdevidence.txt >> j:\evidence\md5mdevidence.txt
)otes 1ispla" limitations mi&ht cause the precedin& command to displa" on more than one line. 0t should be entered as a sin&le line at the command prompt.
The FCIV tool computes and verifies cryptographic hash values. This tool is available through Microsoft Knowledge Base article 841290, "Availability and description of the File Checksum Integrity Verifier utility."
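The hashing step above, as an added Python example that is not part of the guide: it records an MD5 and SHA-1 fingerprint for each collected evidence file (the two algorithms FCIV offers) and re-verifies them later, flagging any file that has been edited since collection. File names and contents in the demo are constructed.

```python
"""Evidence manifest with cryptographic fingerprints (added example, not the guide's code).

Mirrors what FCIV does: hash every evidence file once, keep the digests, and
re-hash later to prove nothing changed. MD5 is used because the guide uses it;
SHA-1 is the other algorithm FCIV offers. A practitioner today would add SHA-256.
"""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read in chunks so a large image never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for everything readable from a binary stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def write_manifest(evidence_dir, manifest_path):
    """Hash every file under evidence_dir; write one line per file:
    <md5> <sha1> <size> <relative path>. Returns the list of entries."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            if os.path.abspath(full) == os.path.abspath(manifest_path):
                continue  # never hash the manifest into itself
            digests = hash_file(full)
            rel = os.path.relpath(full, evidence_dir)
            entries.append((digests["md5"], digests["sha1"], os.path.getsize(full), rel))
    with open(manifest_path, "w", encoding="utf-8") as out:
        for md5, sha1, size, rel in entries:
            out.write(f"{md5} {sha1} {size} {rel}\n")
    return entries


def verify_manifest(evidence_dir, manifest_path):
    """Re-hash each listed file. Returns [] when everything still matches,
    otherwise a list of (relative path, reason) to document the discrepancy."""
    problems = []
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            md5, sha1, _size, rel = line.rstrip("\n").split(" ", 3)
            full = os.path.join(evidence_dir, rel)
            if not os.path.isfile(full):
                problems.append((rel, "missing"))
                continue
            digests = hash_file(full)
            if digests["md5"] != md5 or digests["sha1"] != sha1:
                problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: an evidence folder is hashed, then one log file is
    edited afterwards. Returns (result before the edit, result after the edit)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence")
        os.makedirs(evidence)
        log = os.path.join(evidence, "mdevidence.txt")
        with open(log, "w", encoding="utf-8") as fh:
            fh.write("Mon 09/11/2006\n10:14\n")  # constructed sample output
        manifest = os.path.join(tmp, "md5mdevidence.txt")
        write_manifest(evidence, manifest)
        before = verify_manifest(evidence, manifest)
        with open(log, "a", encoding="utf-8") as fh:
            fh.write("edited later\n")  # the kind of change a stored hash exposes
        after = verify_manifest(evidence, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())  # ([], [('mdevidence.txt', 'hash mismatch')])
```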
Ray wants to remotely review the folders on Mike Danseglio's computer. To do so, he uses PsExec to open a command prompt on Mike's computer. At the command prompt, Ray enters the following commands:
psexec \\hqloan164 cmd
cd c:\documents and settings\mdanseglio\my documents
dir /s
Although all users are required to keep documents on the network server, Ray notices that Mike Danseglio has a Personal folder on his computer. This folder includes a spreadsheet and a \xxxpixset subfolder. After remotely reviewing the folders on Mike's computer, Ray is ready to report his findings and move to Mike's computer to investigate locally. Jill Shrader, the HR Department Manager, calls Ray on his cell phone and asks about the status of Ray's investigation. Ray explains that he has collected the following information:
Mike Danseglio's user account had read and write permissions to the HR\Internal folder because he was mistakenly added to the branch01mgrs group, which has permissions to that folder and its subfolders.
Mike's computer has a Personal folder on its hard disk that contains at least one spreadsheet.
Mike's computer contains two unauthorized programs that enable him to monitor network traffic and scan the network for services and computers.
Mike's computer has a large collection of image files on its hard disk that Ray suspects are pornographic images.
Ray plans to perform the following tasks on Mike's computer:
Search the drive for evidence of confidential files.
Acquire copies of any suspect files.
Examine the files.
Ray logs on to Mike's computer using the Administrator account to access Mike's personal folder. Ray uses the following basic procedure after he connects the evidence collection USB drive to Mike's computer:
1. Access Mike Danseglio's Personal folder.
Ray accesses Mike's Personal folder with the following commands.
c:
cd "documents and settings\mdanseglio\my documents\personal"
2. Note examination start date and time.
Ray pipes the results of the Date and Time commands to record the start time of his investigation. He pipes the results into a new mdevidence1.txt file that is created in the \evidence folder on the USB drive.
date /t > f:\evidence\mdevidence1.txt
time /t >> f:\evidence\mdevidence1.txt
Note: The USB drive is designated as drive F: on Mike's computer.
3.
Ray uses the Dir command to examine the contents of Mike's Personal folder. First, Ray pipes the results to the screen to view the results and notices a spreadsheet file and the \xxxpixset folder. Then Ray pipes the results of the Dir command to the evidence file using three different parameters: /tc to show creation time, /ta to show last accessed time, and /tw to show last written time.
dir /ta >> f:\evidence\mdevidence1.txt
dir /tc >> f:\evidence\mdevidence1.txt
dir /tw >> f:\evidence\mdevidence1.txt
4. Access the USB drive.
Ray accesses the USB drive and the \tools folder that contains his command-line tools.
f:
cd tools
5. Gather Mike Danseglio's file information.
Ray uses the Du utility to examine the contents of Mike Danseglio's My Documents folder and any subfolders. He uses the -l 5 parameter to search to a depth of five folders. First, Ray examines the results on the screen (shown in the following screen shot) before he pipes the evidence to the mdevidence1.txt file.
du -l 5
du -l 5 >> f:\evidence\mdevidence1.txt
Figure. Results of running the Du utility
6. Copy suspect files to the \evidence_files folder.
Although Ray created an image of Mike Danseglio's entire drive, he decides to copy the files in Mike Danseglio's Personal folder to a new folder named evidence_files that he creates on the USB drive. He will examine the folder and files during the analysis process.
Note: Ray obtained a copy of the original file during the imaging process. He can perform a hash on the original file found on the live drive if he wishes to compare this file to the copy of the file on his USB drive.
Ray uses the Xcopy command with the /s parameter to copy subfolders, the /e parameter to copy subfolders even if they are empty, the /k parameter to retain the read-only attribute on destination files if present on the source files, and the /v parameter to verify each file as it is written to the destination file to make sure that the destination files are identical to the source files.
f:
md evidence_files
c:
cd \documents and settings\mdanseglio\my documents\personal
xcopy *.* f:\evidence_files /s /e /k /v
7. Examine the contents of the Recycle Bin.
Ray quickly reviews the contents of the Recycle Bin on Mike Danseglio's computer, which contains numerous deleted files as shown in the following figure. Ray knows the drive image process obtained a copy of these files if he wants to review the files later. After he notes the contents of the Recycle Bin, Ray is ready to review the evidence he collected remotely and locally.
Figure. Results of running PsList on Mike Danseglio's computer
2. Access the USB drive.
Ray accesses the USB drive and the \tools folder that contains his command-line tools.
j:
cd tools
3. Look for suspect strings in the spreadsheet file.
Ray looks for the string "confidential" in his copies of the files from Mike's Personal folder. To do so, he uses the Find command with the /I parameter (this parameter ignores the case of characters when searching for the string) and the /c parameter (this parameter provides the number of lines that contain the string). First, Ray pipes the results to the screen. It appears that the 090806PR-A139.xls file contains a match, as shown in the following screen shot. Therefore Ray runs the command a second time to pipe the results to an mdevidence-review.txt file.
j:
cd \evidence_files
find /i /c "confidential" *.*
find /i /c "confidential" *.* > j:\evidence\mdevidence-review.txt
Note: Display limitations might cause the preceding command to display on more than one line. It should be entered as a single line at the command prompt.
Figure. Results of the search for "confidential" found in 090806PR-A139.XLS
4. Ray first copies 090806PR-A139.xls to the \evidence_files folder and then uses the Strings tool to list ASCII and Unicode strings contained in the spreadsheet file.
strings j:\evidence_files\090806PR-A139.xls
The results (shown in the following screen shot) indicate that the spreadsheet file contains payroll information. Ray runs the Strings tool again and pipes the results into his mdevidence-review.txt file.
strings j:\evidence_files\090806PR-A139.XLS >> j:\evidence\mdevidence-review.txt
Note: Display limitations might cause the preceding command to display on more than one line. It should be entered as a single line at the command prompt.
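The Strings and Find /i /c steps above, as an added Python example that is neither the guide's code nor the Sysinternals tool: it extracts ASCII and UTF-16LE strings from a byte buffer and counts case-insensitive matches, so a string stored as Unicode inside a binary file is still found. The sample buffer is constructed; only its first eight bytes are the real OLE2 signature.

```python
"""ASCII and UTF-16LE string extraction with a case-insensitive search
(added example, not the guide's code and not Sysinternals Strings)."""
import re

# Constructed stand-in for a spreadsheet: the OLE2 compound-file signature,
# an ASCII string, padding, a UTF-16LE string, and non-printable trailer bytes.
SAMPLE_XLS = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"Payroll 2006"
    + b"\x00\x00\x00\x00"
    + "CONFIDENTIAL - Do not distribute".encode("utf-16-le")
    + b"\x01\x02\xff\xfe"
)


def extract_strings(data, min_len=4):
    """Return [(offset, kind, text)] for printable runs of at least min_len
    characters. kind is "ascii" or "unicode" (UTF-16LE, the form in which
    Windows applications commonly store text inside binary files)."""
    found = []
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # a printable byte followed by a NUL, repeated: UTF-16LE encoding of ASCII text
    unicode_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in unicode_run.finditer(data):
        found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[0])
    return found


def count_matches(data, needle, min_len=4):
    """Case-insensitive equivalent of piping Strings output through find /i /c:
    returns (number of matching strings, the matching entries)."""
    needle = needle.lower()
    hits = [s for s in extract_strings(data, min_len) if needle in s[2].lower()]
    return len(hits), hits


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE_XLS):
        print(f"{offset:6d} {kind:8s} {text}")
    print(count_matches(SAMPLE_XLS, "confidential")[0])  # 1
```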
Figure. Results of running the Strings utility on the spreadsheet file
Ray feels confident that he has located an unauthorized copy of an HR payroll file on Mike Danseglio's computer.
Analysis. This section includes the results of the local and remote investigations, which prove that sexually explicit images were downloaded, permissions were incorrectly configured, and a confidential file that contains payroll information was accessed.
Conclusion. This section summarizes the outcome of the investigation and includes recommendations to avoid similar incidents in the future.
Supporting documents. This section includes network diagrams and a list of the computer investigation procedures and technologies used in the investigation.
After submitting his report, Ray waits for the authorization to perform additional investigatory steps or whatever other actions management might want him to perform.
Note: Every investigation may be different. You should use tools that are appropriate for the required task and that help you obtain the information you seek, but it is always a good idea to gather more evidence than you might need.
After you install the operating system on each computer, run Dcpromo on WAB-HQ-DC to install Active Directory and DNS.
Table. Groups and Users Referenced in the Applied Scenario
Lab Groups: Users
Enterprise System Administrator: Ray Chow
Domain Admins: Ray Chow
HR MGRS: Jenny Gottfried, Roland Winkler, Jill Shrader
Branch01Mgrs: Mike Danseglio, Nuria Gonzalez
On the file server WAB-HQ-FS1, the Domain Admins group is added as a member of the local Administrators group.
Folder: Contents
\Documents and Settings\mdanseglio\My Documents\Personal: 090806PR-A139.xls
\Documents and Settings\mdanseglio\My Documents\Personal\xxxpixset: (This folder contains several .jpg files that include xxx as part of the file name. Several xxx*.* files were deleted from this folder and reside in the Recycle Bin.)
\Tools: (This folder contains all SysInternal tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.)
Configure Auditing
On the domain controller WAB-HQ-DC, the Audit object access policy is configured to audit both Success and Failure. This configuration is set through the Domain Security Policy MMC and the Domain Controller Security Policy MMC. On the file server WAB-HQ-FS1, auditing is configured for the Domain Users group on the \HR\Internal folder. To achieve this configuration, right-click the folder and select Properties, Security, Advanced, and then Auditing. Then enter the Domain Users group.
Appendix: Resources
This appendix provides information about various resources that you can use to conduct a computer investigation.
Include tools to collect and examine volatile data, such as the system state. Some examples from Windows Sysinternals include ListDLLs, LogonSessions, PendMoves, Autoruns, and Process Explorer. Windows tools include Systeminfo, Ipconfig, Netstat, and Arp.
Include a tool to generate checksums and digital signatures on files and other data, such as the File Checksum Integrity Verifier (FCIV) tool. This tool is available through Microsoft Knowledge Base article 841290, "Availability and description of the File Checksum Integrity Verifier utility."
If you need to collect physical evidence, include a digital camera in the toolkit.
In addition, ensure that your toolkit meets the following criteria:
Data acquisition tools are shown to be accurate. Proving accuracy is generally easier if you use well-known computer forensics software.
The tools do not modify the access time of files.
The examiner's storage device is forensically sterile, which means the disk drive does not contain any data, before it is used. You can determine whether a storage device is forensically sterile by running a checksum on the device. If the checksum returns all zeros, it does not contain any data.
The examiner's hardware and tools are used only for the computer investigation process and not other tasks.
You should first consult with your legal advisors to determine whether it is necessary to report specific computer-related crimes to appropriate authorities at the local, state, federal, or international level, depending on the scope of the crime. Most likely, your local or state authorities would be the first ones to contact. If it is a computer-related federal crime, then you might need to report the crime to local offices of federal law enforcement. As noted earlier, this guidance is only intended for use in the United States.
United States law enforcement agencies that investigate Internet-related crime include the following:
Federal Bureau of Investigation (FBI)
United States Secret Service (USSS)
U.S. Immigration and Customs Enforcement (ICE)
U.S. Postal Inspection Service
Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)
U.S. Drug Enforcement Administration (DEA)
These agencies have offices throughout the United States, and contact information is available in local telephone directories or through Internet searches. Generally, federal crimes can be reported by telephoning the local office of an appropriate law enforcement agency and requesting the Duty Complaint Agent. If the organization has joined the Electronic Crimes Task Force (ECTF), InfraGard, or the International High Technology Crime Investigation Association (HTCIA), then the appropriate contact person may already be known. Contacting someone who is known and knows your organization simplifies the reporting process. Many agencies have trained agents who specialize in computer hacker cases.
Appropriate agencies
Your local FBI office; United States Secret Service; Internet Crime Complaint Center; Local high technology crimes task force or police agency
Your local FBI office; If imported, U.S. Immigration and Customs Enforcement; Internet Crime Complaint Center; Local high technology crimes task force or police agency
United States Secret Service
Your local FBI office; United States Secret Service (Financial Crimes Division); FTC Consumer Complaint Form; Internet Crime Complaint Center; Local high technology crimes task force or police agency
Your local FBI office; Local ATF field division office; Local high technology crimes task force or police agency
Your local FBI office; United States Secret Service (Financial Crimes Division); FTC Consumer Complaint Form; If securities fraud or investment-related SPAM e-mail, SEC Center for Complaints and Informant Tips; Internet Crime Complaint Center; Local high technology crimes task force or police agency
Your local FBI office; Local high technology crimes task force or police agency
Password trafficking: Your local FBI office; United States Secret Service; Internet Crime Complaint Center; Local high technology crimes task force or police agency
Your local FBI office; Local high technology crimes task force or police agency
Trademark counterfeiting: Your local FBI office; If imported, U.S. Immigration and Customs Enforcement; Internet Crime Complaint Center; Local high technology crimes task force or police agency
Training
Have at least some incident response team members attend formal computer investigation training. Without relevant training, it is unlikely that the team will be effective in the investigation. In fact, unskilled examiners could negatively affect the investigation by accidentally destroying volatile evidence. For a list of nonprofit agencies, organizations, Federal law enforcement agencies, and academic institutions that provide computer forensic training, see "Appendix G. Training Resources List" in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.
Tools
Every investigation will likely be different. The tools you use should be appropriate for obtaining the information you seek, but it is always a good idea to gather more evidence than you might need.
This section provides information about the Windows Sysinternals tools and other Windows tools that can help you conduct an internal computer investigation. Tool types are represented by icons in the first column of the following table:
Table. Tool Types
Icon: Description
Command-line icon: This icon represents a command-line tool.
GUI icon: This icon represents a tool with a GUI interface that requires installation and alters the target drive.
The following tables provide information about numerous tools that you can use in computer investigations.
Windows Sysinternals Tools
Name: Description
Autorunsc v8.53
Diskmon
DiskView
Du v1.3
Filemon v7.03
Handle v3.2: Display open files and the process that opened those files.
ListDLLs v2.25: Display all the DLLs that are currently loaded, including where they are loaded and their version numbers (prints the full path names of loaded modules).
LogonSessions: List active logon sessions.
PendMoves: Display file rename and delete commands that will be executed the next time the computer is started.
Portmon v3.02: Display serial and parallel port activity (will also show a portion of the data being sent and received).
Process Explorer: Display files, registry keys, and other objects that processes have open, which DLLs they have loaded, owners of processes, etc.
PsExec: Execute processes remotely.
PsFile v1.01
PsInfo v1.71
PsLoggedOn: Display users logged on to a computer.
PsService v2.2
Regmon v7.03
RootkitRevealer
ShareEnum v1.6: Scan file shares on a network and view their security settings to eliminate improperly applied settings.
Streams v1.53: Reveal NTFS alternate data streams.
Strings v2.3
TCPVcon v2.34
TCPView v2.4: Display all open TCP and UDP endpoints and the name of the process that owns each endpoint.
Tokenmon v1.01: Display security-related activity, including logon, logoff, privilege usage, and impersonation.
Windows Tools
Table. Windows Tools Information
Name: Description
Arp: Display Address Resolution Protocol (ARP) tables.
Date
Dir
Doskey
Ipconfig
Net
Netstat
Time
Find
Schtasks
Vol: Display the disk volume label and serial number, if they exist.
Hostname: Display the host name portion of the full computer name of the computer.
Openfiles: Query, display, or disconnect open files or files opened by network users.
FCIV: File Checksum Integrity Verifier. Use to compute an MD5 or SHA1 cryptographic hash of the content of a file.
Notepad: Use to examine metadata associated with a file.
Reg: Use to view, modify, export, save, or delete registry keys, values, and hives.
Netcap: Gather network trace information from the command line.
Sc: Use to communicate with the Service Controller and services. (Sc query is useful for dumping all services and their states.)
Assoc: View or modify file name extension associations.
Ftype: View or modify file types used in file name extension associations.
Gpresult
Tasklist
MBSA
Rsop.msc
Rasdiag: Collect diagnostic information about remote services and place that information in a file.
Acknowledgments
The Solution Accelerators - Security and Compliance group (SA-SC) would like to acknowledge and thank the team that produced the Fundamental Computer Investigation Guide for Windows. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Authors, Contributors, and Writers: Valentine Boiarkine (Wadeware LLC), Ross Carter, Laura Chappell (Protocol Analysis Institute), Paul Cullimore, Thomas Quilty (BD Consulting and Investigations, Inc.), Paul Slater (Wadeware LLC), Ken Stavinoha
Editor: Steve Wacker (Wadeware LLC)
Reviewers: John Addeo (Dimension Data), Technical Sergeant Eric Apple (Washington State Patrol), Curt Bryson (Washington Mutual), Harlan Carvey (Windows Forensics and Incident Recovery), Fred Cotton (Defense Computer Investigations Training Program), Stacia L. Jackson (Lockheed Martin Information Technology), Detective Sergeant Scott Jarmon (Washington State Patrol), Mark Menz (Digital Evidence Scientist), Mike Menz (Hewlett Packard), Martin Novak (National Institute of Justice), John Redd VII (Infinite Consulting), James Sibley (Deputy District Attorney, County of Santa Clara, CA), Detective Todd Taylor (Washington State Patrol)
Reviewers (Microsoft): Shawn Aebi, Kate Baroni, Rich Benack, Christopher Budd, Derick Campbell, Chase Carpenter, Tom Cloward, Jason Cooper, Greg Cottingham, Mike Danseglio, Charles Denny, Karl Grunwald, John Howie, Christopher Johnsen, Lesley Kipling, Troy Larson, Mark Miller, Bob McCoy, Craig Nelson, Sanjay Pandit, Alexandre Hollanda Silva, Mike Smith-Lonergan
Product Managers: Alain Meeus, Jim Stuart
Program Manager: Vlad Pigin
Release Manager: Karina Larson
Testers: Gaurav Singh Bora, Thammarai Selvi Rajendran (Infosys Technologies Ltd.), Vijayanand Senniappan (Infosys Technologies Ltd.)