
Fundamental Computer Investigation Guide for Windows

Version 1.0
Published: January 2007
For the latest information, please see microsoft.com/technet/SolutionAccelerators

© 2007 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Contents

Overview
  Computer Investigation Model
  Initial Decision-Making Process
  Chapter Summary
  Audience
  Caveats and Disclaimers
  References and Credits
  Style Conventions
  Support and Feedback
Chapter 1: Assess the Situation
  Notify Decision Makers and Acquire Authorization
  Review Policies and Laws
  Identify Investigation Team Members
  Conduct a Thorough Assessment
  Prepare for Evidence Acquisition
Chapter 2: Acquire the Data
  Build a Computer Investigation Toolkit
  Collect the Data
  Store and Archive
Chapter 3: Analyze the Data
  Analyze Network Data
  Analyze Host Data
  Analyze Storage Media
Chapter 4: Report the Investigation
  Gather and Organize Information
  Write the Report
Chapter 5: Applied Scenario Example
  Scenario
  Assess the Situation
  Acquire Evidence of Confidential Data Access
  Remote Evidence Collection
  Local Evidence Collection
  Analyze Collected Evidence
  Report the Evidence
  Applied Scenario Lab Configuration
Appendix: Resources
  Preparing Your Organization for a Computer Investigation
  Worksheets and Samples
  Reporting Computer-Related Crimes
  Training
  Tools
Acknowledgments
Index

Overview
Internet connectivity and technological advances expose computers and computer networks to criminal activities such as unauthorized intrusion, financial fraud, and identity and intellectual property theft. Computers can be used to launch attacks against computer networks and destroy data. E-mail can be used to harass people, transmit sexually explicit images, and conduct other malicious activities. Such activities expose organizations to ethical, legal, and financial risks and often require them to conduct internal computer investigations.

This guide discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®-based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows-based computers) as well as commonly available Windows commands and tools.

Some of the policies and procedures invoked in investigations that result from computer security incidents might also exist in disaster recovery plans. Although such plans are beyond the scope of this guide, it is important for organizations to establish procedures that can be used in emergency and disaster situations. Organizations should also identify and manage security risks wherever possible. For more information, see the Security Risk Management Guide.

Computer Investigation Model


According to Warren G. Kruse II and Jay G. Heiser, authors of Computer Forensics: Incident Response Essentials, computer forensics is "the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis." The computer investigation model in the following figure organizes the different computer forensics elements into a logical flow.

The four investigation phases and accompanying processes in the figure should be applied when working with digital evidence. The phases can be summarized as follows:

Assess the situation. Analyze the scope of the investigation and the action to be taken.
Acquire the data. Gather, protect, and preserve the original evidence.
Analyze the data. Examine and correlate digital evidence with events of interest that will help you make a case.
Report the investigation. Gather and organize collected information and write the final report.

Detailed information about each of the phases is provided in the chapters of this guide.

Initial Decision-Making Process


Before you begin each of the general investigation phases you should apply the initial decision-making process shown in the following figure.

You should determine whether or not to involve law enforcement with the assistance of legal advisors. If you determine that law enforcement is needed, then you need to continue the internal investigation unless law enforcement officials advise you otherwise. Law enforcement might not be available to assist in the investigation of the incident, so you must continue to manage the incident and investigation for later submission to law enforcement. Depending on the type of incident being investigated, the primary concern should be to prevent further damage to the organization by those person(s) who caused the incident. The investigation is important, but is secondary to protecting the organization unless there are national security issues. If law enforcement is not involved, your organization may have existing standard operating procedures and policies that guide the investigation process. Refer to the "Reporting Computer-Related Crimes" section in Appendix: Resources in this guide for types of crimes that need to be reported to law enforcement.


Chapter Summary
This guide consists of five chapters and an appendix, which are briefly described in the following list. The first four chapters provide information about the four phases of the internal investigation process:

Chapter 1: Assess the Situation explains how to conduct a thorough assessment of the situation and prepare for the internal investigation.
Chapter 2: Acquire the Data provides guidance about how to gather digital evidence.
Chapter 3: Analyze the Data examines the standard techniques of evidence analysis.
Chapter 4: Report the Investigation explains how to write the investigation outcome report.
Chapter 5: Applied Scenario Example describes a fictional scenario that depicts unauthorized access to confidential information.
Appendix: Resources includes information about how to prepare for a computer investigation, contact information for reporting computer-related crimes and obtaining computer investigation training, worksheets that can be used in computer investigations, and lists of certain computer investigation tools.

Audience
This guide is intended for IT professionals in the United States who need a general understanding of computer investigations, including many of the procedures that can be used in such investigations and protocols for reporting incidents.

Caveats and Disclaimers


This guidance does not constitute legal advice, and is not a substitute for individualized legal and other advice from legal advisors. You should always consult your legal advisors before you decide whether to implement any of the described processes. The tools and technologies described in this guide are current at the time of its release, and may change in the future. It is also important to understand that legal restrictions may limit your ability to implement these procedures. For example, the United States has many laws related to the rights of people who are suspected of committing illicit acts. Unless legal restrictions are specifically referenced in existing policies and procedures established by the organization, it is important that you obtain legally binding written approvals from legal advisors, management, and key stakeholders throughout the internal investigation.

Note This guide does not include information about incident response policy and procedure development, specific data imaging product guidance, guidance about building a forensics lab, or computer investigations in non-Windows environments. For information about incident response policy and procedure development, see the Microsoft Operations Framework (MOF) Web site.


References and Credits


The information in this guide is based on information provided by recognized industry experts and other guidance, including the following publications:

Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.
Guide to Integrating Forensic Techniques into Incident Response (PDF document) by the National Institute of Standards and Technology.
"RFC 3227 - Guidelines for Evidence Collection and Archiving" by D. Brezinski and T. Killalea.

Style Conventions
This guidance uses the style conventions that are described in the following table.

Element          Meaning
Bold font        Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.
Italic font      Titles of books and other substantial publications appear in italic.
<Italic>         Placeholders set in italic and angle brackets <Italic> represent variables.
Monospace font   Defines code and script samples.
Note             Alerts the reader to supplementary information.
Important        Alerts the reader to essential supplementary information.

Support and Feedback


The Solution Accelerators - Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to secwish@microsoft.com. We look forward to hearing from you.

Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content so you can plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet.

Chapter 1: Assess the Situation


This chapter describes how to conduct a thorough assessment of the situation, how to establish scope, and the required resources for an internal investigation. Use the five-step process shown in the following figure.

Figure 1.1. Assessment phase of the computer investigation model

Notify Decision Makers and Acquire Authorization


To conduct a computer investigation, you first need to obtain proper authorization unless existing policies and procedures provide incident response authorization. Then you need to conduct a thorough assessment of the situation and define a course of action. Use the following best practices:

If no written incident response policies and procedures exist, notify decision makers and obtain written authorization from an authorized decision maker to conduct the computer investigation.
Document all actions you undertake that are related to this investigation. Ensure there is a complete and accurate documented summary of the events and decisions that occurred during the incident and the incident response. This documentation may ultimately be used in court to determine the course of action that was followed during the investigation.

Depending on the scope of the incident and absent any national security issues or life safety issues, the first priority is to protect the organization from further harm. After the organization is secure, restoration of services (if needed) and the investigation of the incident are the next priorities. Decisions you make may be questioned as much as the evidence. Because computer evidence is complex, different investigations (such as those conducted by an opposing party) may make different decisions and reach different conclusions.

Review Policies and Laws


At the start of a computer investigation it is important to understand the laws that might apply to the investigation as well as any internal organization policies that might exist. Note the following important considerations and best practices:

Determine if you have legal authority to conduct an investigation. Does your organization have policies and procedures that address the privacy rights of employees, contractors, or other persons using your network? Do any such policies and procedures specify the circumstances in which monitoring is allowed? Many organizations state in their policies and procedures that there is no expectation of privacy in the use of the organization's equipment, e-mail, Web services, telephone, or mail, and that the company reserves the right as a condition of employment to monitor and search these resources. Such policies and procedures should be reviewed by the organization's legal advisors, and all employees, contractors, and visitors should be notified of their existence. If you are uncertain about your authority, contact your management, your legal advisors, or (if necessary) your local authorities.
Consult with your legal advisors to avoid potential issues from improper handling of the investigation. These issues may include:
  Compromising customers' personal data.
  Violating any state or federal law, such as federal privacy rules.
  Incurring criminal or civil liability for improper interception of electronic communications. Consider warning banners.
  Viewing sensitive or privileged information. Sensitive data that may compromise the confidentiality of customer information must only be made available as part of investigation-related documentation if it directly pertains to the investigation.
Ensure the following customer privacy and confidentiality issues are addressed:
  All data should be transferred securely, stored on local computers (not network servers), and should not be easily accessible.
  All data (including documentation) should be maintained for the period specified by legal advisors or local policy after the computer investigation is closed. If the data is part of a potential criminal case, consult with the law enforcement agency investigating the case. If the case is a civil case, consult with your organization's legal advisors. Also, review any data retention issues related to the Sarbanes-Oxley Act of 2002 or other legal requirements for data retention.
Maintain digital copies of evidence, printouts of evidence, and the chain of custody for all evidence, in case of legal action. Preservation of the chain of custody is accomplished by having verifiable documentation that indicates who handled the evidence, when they handled it, and the locations, dates, and times of where the evidence was stored. Secure storage of evidence is necessary, or custody cannot be verified.

Identify Investigation Team Members


Determining who should respond to an incident is important to conducting a successful internal computer investigation. Ideally, team membership should be established before the team is needed for an actual investigation. It is important that investigation teams be structured appropriately and have the appropriate skills. Your organization could establish team membership as part of a disaster recovery planning process. Use the following best practices as guidance for forming an investigation team:

Identify a person who understands how to conduct an investigation. Remember that the credibility and skills of the person performing the investigation are often scrutinized if a situation results in legal proceedings in a court of law.
Identify team members and clarify the responsibilities of each team member.
Assign one team member as the technical lead for the investigation. The technical lead usually has strong technical skills and is experienced in computer investigations. In investigations that involve suspected parties who are technically skilled, you might need to select investigation team members who are more skilled than the suspected parties.
Keep the investigation team as small as possible to ensure confidentiality and to protect your organization against unwanted information leaks.
Engage a trusted external investigation team if your organization does not have personnel with the necessary skills.
Ensure that every team member has the necessary clearance and authorization to conduct their assigned tasks. This consideration is especially important if any third-party personnel, such as consultants, are involved in the investigation.

Important The volatile nature of digital evidence makes it critical to conduct investigations in a timely manner. Be sure to secure availability of all team members for the duration of any investigation.

Conduct a Thorough Assessment


A thorough, clearly documented assessment of the situation is required to prioritize your actions and justify the resources for the internal investigation. This assessment should define the current and potential business impact of the incident, identify affected infrastructure, and obtain as thorough an understanding as possible of the situation. This information will help you define an appropriate course of action. Use the following best practices to conduct a thorough assessment:

Use all available information to describe the situation, its potential severity, potentially affected parties, and (if available) the suspected party or parties.
Identify the impact and sensitivity of the investigation on your organization. For example, assess whether it involves customer data, financial details, health care records, or company confidential information. Remember to evaluate its potential impact on public relations. This assessment will likely be beyond the expertise of IT, and should be done in conjunction with management and legal advisors.
Analyze the business impact of the incident throughout the investigation. List the number of hours required to recover from the incident, hours of downtime, cost of damaged equipment, loss of revenue, and value of trade secrets. Such an assessment should be realistic and not inflated. The actual costs of the incident will be determined at a later date.
Analyze affected intangible resources, such as future impact on reputation, customer relationships, and employee morale. Do not inflate the severity of the incident. This analysis is for informational purposes only to help understand the scope of the incident. The actual impact will be determined at a later date. This assessment will likely be beyond the expertise of IT, and should be done in conjunction with management and legal advisors.

Use the following best practices to identify, analyze, and document the infrastructure and computers that are affected by the situation. Much of this guidance could have already been followed as part of a risk assessment process to prepare a disaster recovery plan.

Identify the network(s) that are involved, the number of computers affected, and the type of computers affected.
Obtain the network topology documentation, which should include a detailed network diagram that provides infrastructure information about servers, network hardware, firewalls, Internet connections, and other computers on the network.
Identify external storage devices and any remote computers that should be included. External storage devices could include thumb drives, memory and flash cards, optical discs, and magnetic disks.
Capture the network traffic over a period of time if live analysis is required. This type of analysis is only needed if you believe there is ongoing suspicious traffic on the network, and is typically only performed after auditing and logging have been exhausted as sources of evidence. Microsoft® Windows® XP and Windows Server® 2003 provide command-line capture tools such as Netcap and Rasdiag (Netcap ships with the Support Tools rather than in a default installation) that can capture local network traffic without having to install products such as Netmon or Ethereal. Use tools such as Windows Network Monitor (NetMon) and Windows Sysinternals TDIMon for network data analysis. Windows Sysinternals tools can be downloaded from the Windows Sysinternals page on Microsoft TechNet.

Important Network sniffing (capturing network traffic) can be a breach of privacy, depending on the scope of the capture. You should therefore be very cautious about deploying network capture tools on your network.

Use tools to examine the state of software applications and operating systems on computers that are likely affected. Useful tools for this task include the Windows application logs, system logs, and Windows Sysinternals PsTools.
Examine affected file and application servers. Use Windows Sysinternals tools such as PsTools, PsFile, ShareEnum and internal Windows security logs to examine and document activity on these servers.

Important Some of the information gathered during this assessment (such as running processes and data in memory) is captured by your tools in real time. You must ensure that any records or logs generated are securely stored to prevent losing this volatile data.

In addition, the following best practices can help you obtain a complete understanding of the situation.

Build a timeline and map everything to it. A timeline is especially important for global incidents. Document any discrepancy between the clock of each host (such as a desktop computer) and the reference clock (such as the Windows Time service on a Windows Server 2003 domain controller), record it as a signed offset at the time of collection, and apply that offset when you correlate log entries from different hosts. Also record the time zone each host was configured to use, and express the timeline in UTC.
Identify and interview anyone who might be involved in the incident, such as system administrators and users. In some situations, such people might be external to the organization. Interviewing users and affected personnel often provides good results and insights into the situation. Interviews should be conducted by experienced interviewers. Document all interview outcomes. You will need to use them later to fully understand the situation.
Retrieve information (logs) from internal and external facing network devices, such as firewalls and routers, which might be used in the possible attack path.
Some information, such as IP address and domain name ownership, is often public by its nature. For example, you can use the Windows Sysinternals Whois tool or the American Registry for Internet Numbers to identify an owner of an IP address.
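The clock-skew point above is easy to get wrong in practice, so the following Python script (an added example, not part of this guide) shows how to normalize events from several hosts onto one UTC timeline. The host names, log lines, time zone and skew values are constructed for the example; in a real case the offsets come from comparing each host's clock against the reference clock at the time of collection. Note how the raw timestamps place the file access on the server before the user's logon, while the corrected timeline puts the events in a plausible order.

```python
"""Build a single UTC timeline from events recorded on hosts whose clocks
disagree with the reference clock (added example; not part of the guide)."""
from datetime import datetime, timedelta, timezone

# Clock offsets measured during the assessment: (host clock) - (reference clock).
# A positive value means the host clock runs ahead of the reference.
# These values are constructed for the example.
CLOCK_OFFSETS = {
    "fs01": timedelta(seconds=0),                # file server, synced to the reference clock
    "desk17": timedelta(minutes=7, seconds=12),  # workstation, clock 7m12s fast
    "fw-edge": timedelta(minutes=-3),            # firewall, clock 3 minutes slow
}

# Raw events exactly as they appear in each host's own logs (constructed sample data).
# Each tuple: (host, host-local timestamp, log source, description)
RAW_EVENTS = [
    ("desk17", "2007-01-15 09:31:40", "Security log", "Logon: jdoe (interactive)"),
    ("fw-edge", "2007-01-15 09:22:00", "firewall", "Allow 10.0.0.17 -> 10.0.0.5:445"),
    ("fs01", "2007-01-15 09:25:03", "Security log", "Object access: \\\\fs01\\finance\\q4.xls by jdoe"),
    ("desk17", "2007-01-15 09:33:10", "Application log", "USB mass storage device attached"),
]

# Local time zone the hosts were configured to use (all US Eastern, UTC-5, in this example).
LOCAL_TZ = timezone(timedelta(hours=-5))


def normalize(host, local_ts, offsets, local_tz=LOCAL_TZ):
    """Convert a host-local timestamp to UTC, removing that host's clock skew."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=local_tz)
    # A clock running 7 minutes fast stamps events 7 minutes too late, so subtract the skew.
    corrected = aware - offsets[host]
    return corrected.astimezone(timezone.utc)


def build_timeline(events, offsets):
    """Return events sorted by corrected UTC time; the original stamp and the
    applied skew are kept so the report can show how each time was derived."""
    rows = []
    for host, local_ts, source, desc in events:
        rows.append({
            "utc": normalize(host, local_ts, offsets),
            "host": host,
            "recorded": local_ts,
            "skew_s": int(offsets[host].total_seconds()),
            "source": source,
            "event": desc,
        })
    rows.sort(key=lambda r: r["utc"])
    return rows


if __name__ == "__main__":
    for r in build_timeline(RAW_EVENTS, CLOCK_OFFSETS):
        print(f"{r['utc']:%Y-%m-%d %H:%M:%S}Z  {r['host']:8}  "
              f"(recorded {r['recorded']}, skew {r['skew_s']:+d}s)  {r['source']}: {r['event']}")
```

Keep the recorded stamp and the applied offset beside every corrected time in the report; an opposing examiner will want to reproduce the correction, not just see its result.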

Prepare for Evidence Acquisition


To prepare for the Acquire the Data phase, you should ensure that you have properly determined the actions and outcome of the Assess the Situation phase. A detailed document containing all information you consider relevant provides a starting point for the next phase and for the final report preparation. In addition, understand that if the incident becomes more than just an internal investigation and requires court proceedings, it is possible that all processes used in gathering evidence might be used by an independent third party to try and achieve the same results. Such a document should provide detailed information about the situation and include the following:

An initial estimate of the impact of the situation on the organization's business.
A detailed network topology diagram that highlights affected computer systems and provides details about how those systems might be affected.
Summaries of interviews with users and system administrators.
Outcomes of any legal and third-party interactions.
Reports and logs generated by tools used during the assessment phase.
A proposed course of action.

Important Creating consistent, accurate, and detailed documentation throughout the computer investigation process will help with the ongoing investigation. This documentation is often critical to the project's success and should never be overlooked. As you create documentation, always be aware that it constitutes evidence that might be used in court proceedings. Before you begin the next phase, ensure that you have obtained a responsible decision maker's signoff on the documentation that you created during the assessment phase.

Chapter 2: Acquire the Data


This chapter discusses how to acquire the data that is necessary for the investigation. Some computer investigation data is fragile, highly volatile, and can be easily modified or damaged. Therefore, you need to ensure that the data is collected and preserved correctly prior to analysis. Use the three-step process shown in the following figure.

Figure 2.1. Acquisition phase of the computer investigation model

Build a Computer Investigation Toolkit


Your organization will need a collection of hardware and software tools to acquire data during an investigation. Such a toolkit might contain a laptop computer with appropriate software tools, operating systems and patches, application media, write-protected backup devices, blank media, basic networking equipment, and cables. Ideally, such a toolkit will be created in advance, and team members will be familiar with the tools before they have to conduct an investigation.

Note See the "Preparing Your Organization for a Computer Investigation" and "Tools" sections of Appendix: Resources in this guide for a list of suggested software tools that can be included in the computer investigation toolkit and for guidelines to follow when building a toolkit.

Collect the Data


Data collection of digital evidence can be performed either locally or over a network. Acquiring the data locally has the advantage of greater control over the computer(s) and data involved. However, it is not always feasible (for example, when computers are in locked rooms or other locations, or when high availability servers are involved). Other factors, such as the secrecy of the investigation, the nature of the evidence that must be gathered, and the timeframe for the investigation will ultimately determine whether the evidence is collected locally or over the network.

Important When using tools to collect data, it is important to first determine whether or not a rootkit has been installed. Rootkits are software components that take control of a computer and conceal their existence from standard diagnostic tools. Because rootkits operate at a low level (typically in the kernel), they can intercept and modify system calls, so the operating system's own APIs return filtered results. You cannot find a rootkit by searching for its executable, because the rootkit removes its own files from directory listings, and local tools such as netstat may not show the ports the rootkit uses, because the rootkit filters the listing before the tool sees it. Therefore, it is difficult to prove that no rootkit exists on a live host. One available tool you can use is the Microsoft® Windows® Sysinternals RootkitRevealer, which compares the file system and registry as reported by the Windows API with the same data read at a low level and reports the discrepancies. Run your collection tools from your own write-protected media rather than from binaries on the suspect system, and treat live results as one view to be corroborated against the offline image.

-hen ac)uirin data over a net"or#, you need to consider the type of data to be collected and the amount of effort to use. %onsider "hat data you need to obtain that "ould support the prosecution of the offendin parties. For e!ample, it mi ht be necessary to ac)uire data from several computers throu h different net"or# connections, or it mi ht be sufficient to copy a lo ical volume from Hust one computer. *he recommended data ac)uisition process is as follo"s: <. %reate accurate documentation that "ill later allo" you to identify and authenticate the evidence you collect. &nsure that you note any items of potential interest and lo any activities that mi ht be of importance later in the investi ation. 5ey to a successful investi ation is proper documentation, includin information such as the follo"in : -ho performed the action and "hy they did it. -hat "ere they attemptin to accomplishE 6o" they performed the action, includin the tools they used and the procedures they follo"ed. -hen they performed the action /date and time0 and the results. 2. 8etermine "hich investi ation methods to use. *ypically, a combination of offline and online investi ations is used. In offline investi ations, additional analysis is performed on a bit'"ise copy of the ori inal evidence. /1 bit'"ise copy is a complete copy of all the data from the tar eted source, includin information such as the boot sector, partition, and unallocated dis# space.0 :ou should use the offline investi ation method "henever possible because it miti ates the ris# of dama in the ori inal evidence. 6o"ever, this method is only suitable for situations in "hich an ima e can be created, so it cannot be used to ather some volatile data. In an online investi ation, analysis is performed on the ori inal live evidence. :ou should be especially careful "hen performin online analysis of data because of the ris# of alterin evidence that mi ht be re)uired to prove a case. =. 
Identify and document potential sources of data, including the following:

• Servers. Server information includes server role, logs (such as event logs), files, and applications.

• Logs from internal and external facing network devices, such as firewalls, routers, proxy servers, network access servers (NAS), and intrusion detection systems (IDS) that may be used in the possible attack path.

• Internal hardware components, such as network adapters (which include media access control (MAC) address information) and PCMCIA cards. Also note external port types, such as FireWire, USB, and PCMCIA.

• Storage devices that need to be acquired (internal and external), including hard disks, network storage devices, and removable media. Don't forget portable mobile devices such as PocketPC, Smartphone devices, and MP3 players such as Zune™.

4. When you must capture volatile data, carefully consider the order in which you collect the data. Volatile evidence can be easily destroyed. Information such as running processes, data loaded into memory, routing tables, and temporary files can be lost forever when the computer is shut down. Information about tools and commands that can help gather this information is available in the "Tools" section of Appendix: Resources in this guide.

5. Use the following methods to collect data from storage media and record storage media configuration information:

• If you need to remove any internal storage devices, turn off the computer first. However, before you turn off the computer you should verify that all volatile data has been captured whenever possible.

• Determine whether to remove the storage device from the suspect computer and use your own system to acquire the data. It may not be possible to remove the storage device because of hardware considerations and incompatibilities. Typically, you would not disconnect storage devices such as RAID devices, storage devices with a hardware dependency (for example, legacy equipment), or devices in network storage systems such as storage area networks (SANs).

• Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected. Subsequent data analysis should be performed on this copy and not on the original evidence. Step-by-step guidance for imaging is beyond the scope of this guide but is an integral part of evidence collection.

Important: Use industry accepted tools when acquiring a bit-wise copy. For example, EnCase by Guidance Software or FTK by AccessData.

• Document internal storage devices and ensure that you include information about their configurations. For example, note the manufacturer and model, jumper settings, and the size of the device. In addition, note the type of interface and the condition of the drive.

6. Verify the data you collect. Create checksums and digital signatures when possible to help establish that the copied data is identical to the original. In certain circumstances (for example, when a bad sector exists on the storage media) it may be impossible to create a perfect copy. Ensure that you have obtained the best copy possible with the available tools and resources. You can use the Microsoft File Checksum Integrity Verifier (FCIV) tool to compute an MD5 or SHA1 cryptographic hash of the content of a file.
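As an added illustration of step 6 (not code from the guide; FCIV itself is a Microsoft tool and is not reproduced here), the following Python script computes the same two digests FCIV offers, MD5 and SHA1, over acquired files in chunks, writes them to a manifest, and later verifies a copy against that manifest. Files whose read fails, as a bad sector on the source media would cause, are recorded as UNREADABLE in the manifest rather than dropped, so the imperfection is documented alongside the evidence. All file names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1")   # the two digests FCIV can produce


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory byte string (convenience for small inputs and tests)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digest a readable binary stream in chunks so a multi-GB image never has
    to sit in memory. Returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(paths, manifest_path):
    """Record 'md5 sha1 path' per file. A file that cannot be read (for example
    because of a bad sector on the acquired media) is logged as UNREADABLE rather
    than silently skipped, so the gap is part of the evidence record."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for path in paths:
            try:
                with open(path, "rb") as f:
                    digests = hash_stream(f)
                out.write(f"{digests['md5']} {digests['sha1']} {path}\n")
            except OSError as exc:
                out.write(f"UNREADABLE UNREADABLE {path}  # {exc.strerror}\n")


def verify_manifest(manifest_path, path_map=None):
    """Re-hash every listed file and report OK, MISMATCH, MISSING or UNREADABLE.
    path_map maps a recorded path to the location of the copy being verified."""
    path_map = path_map or {}
    results = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            md5, sha1, rest = line.rstrip("\n").split(" ", 2)
            recorded_path = rest.split("  #")[0]
            if md5 == "UNREADABLE":
                results[recorded_path] = "UNREADABLE"
                continue
            target = path_map.get(recorded_path, recorded_path)
            try:
                with open(target, "rb") as fh:
                    digests = hash_stream(fh)
            except OSError:
                results[recorded_path] = "MISSING"
                continue
            ok = digests["md5"] == md5 and digests["sha1"] == sha1
            results[recorded_path] = "OK" if ok else "MISMATCH"
    return results


def demo():
    """Constructed scenario: hash an 'original', verify an intact copy and a copy
    with one altered byte, and show how an unreadable source is recorded."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.img")
        good_copy = os.path.join(d, "copy_good.img")
        bad_copy = os.path.join(d, "copy_tampered.img")
        missing_source = os.path.join(d, "unreadable_source.img")  # never created
        payload = bytes(range(256)) * 4096            # 1 MiB of constructed data
        for p in (original, good_copy):
            with open(p, "wb") as f:
                f.write(payload)
        with open(bad_copy, "wb") as f:
            f.write(payload[:-1] + b"\x00")            # last byte changed
        manifest = os.path.join(d, "manifest.txt")
        write_manifest([original, missing_source], manifest)
        good = verify_manifest(manifest, {original: good_copy})[original]
        bad = verify_manifest(manifest, {original: bad_copy})[original]
        unreadable = verify_manifest(manifest)[missing_source]
        return {"good_copy": good, "tampered_copy": bad, "unreadable_source": unreadable}


if __name__ == "__main__":
    print(demo())
```

The manifest keeps both digests on purpose: a single MD5 suffices to detect accidental corruption, but recording SHA1 alongside it costs nothing at acquisition time and leaves a second, independent check for anyone who later questions the copy.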

Store and Archive


When evidence is collected and ready for analysis, it is important to store and archive the evidence in a way that ensures its safety and integrity. You should follow any storage and archival procedures that exist within your organization. Best practices for data storage and archival include the following:


• Physically secure and store the evidence in a tamperproof location.

• Ensure that no unauthorized personnel have access to the evidence, over the network or otherwise. Document who has physical and network access to the information.

• Protect storage equipment from magnetic fields. Use static control storage solutions to protect storage equipment from static electricity.

• Make at least two copies of the evidence you collected, and store one copy in a secure offsite location.

• Ensure that the evidence is physically secured (for example, by placing the evidence in a safe) as well as digitally secured (for example, by assigning a password to the storage media).

• Clearly document the chain of custody of the evidence. Create a check-in / check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it. A sample Worksheet – Chain of Custody Log Documentation document is included with the worksheets referenced in Appendix: Resources in this guide.

Chapter 3: Analyze the Data


This chapter discusses different approaches and well-accepted industry best practices for analyzing the evidence that is gathered during the Acquire the Data phase of an internal investigation. Use the three-step process shown in the following figure.

Figure 3.1. Analysis phase of the computer investigation model


Important: Online analysis of data, which examines a computer directly while it is running, is often necessary. Online analysis is typically performed because of time constraints on an investigation or to capture volatile data. You should be especially careful when performing online analysis to ensure that you minimize the risk to other evidence.

Analyze Network Data


In many investigations it is not necessary to analyze network data. Instead, the investigations focus on and examine images of the data. When network analysis is required, use the following procedure:

1. Examine network service logs for any events of interest. Typically, there will be large amounts of data, so you should focus on specific criteria for events of interest such as username, date and time, or the resource being accessed.

2. Examine firewall, proxy server, intrusion detection system (IDS), and remote access service logs. Many of these logs contain information from monitored incoming and outgoing connections and include identifying information, such as IP address, time of the event, and authentication information. You might want to examine the log data in a tool that is suited for data analysis, such as Microsoft® SQL Server™ 2005.

3. View any packet sniffer or network monitor logs for data that might help you determine the activities that took place over the network. In addition, determine whether connections you examine are encrypted, because you will not be able to read the contents of an encrypted session. However, you can still derive the time of the connection and whether a suspected party established a session with a specific server.
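An added example, not part of the guide, of the criteria-driven log review described in steps 1 and 2 and the encrypted-session point in step 3. The log lines, host names, user names and IP addresses below are constructed; the layout (timestamp, user, source IP, method, resource, status) is an assumed proxy-style format, not any particular product's. The parser keeps malformed lines as error records rather than dropping them, the filter narrows by username, resource and time window, and CONNECT or port-443 entries are reported as encrypted sessions for which only the time and endpoint can be derived.

```python
from datetime import datetime

# Constructed proxy-style log (not from the guide). Fields:
# timestamp  user  source_ip  method  resource  status
SAMPLE_LOG = """\
2007-01-08T08:55:12 mdanseglio 10.1.4.23 GET http://intranet.example.test/hr/policy.htm 200
2007-01-08T09:02:41 mdanseglio 10.1.4.23 CONNECT webmail.example.test:443 200
2007-01-08T09:03:10 jshrader 10.1.2.7 GET http://intranet.example.test/hr/payroll/ 200
2007-01-08T21:17:55 mdanseglio 10.1.4.23 GET http://intranet.example.test/hr/payroll/summary.xls 200
2007-01-09T02:30:00 - 10.1.9.99 GET http://intranet.example.test/ 403
this line is malformed and must not crash the parser
"""


def parse_log(text):
    """Turn raw lines into records; malformed lines become error records so
    nothing is silently lost from the evidence."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            records.append({"line": lineno, "error": "malformed", "raw": line})
            continue
        ts, user, src_ip, method, resource, status = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
            status = int(status)
        except ValueError:
            records.append({"line": lineno, "error": "bad field", "raw": line})
            continue
        records.append({
            "line": lineno, "time": when, "user": user, "src_ip": src_ip,
            "method": method, "resource": resource, "status": status,
            # A CONNECT tunnel or a :443 endpoint means the payload is not readable
            "encrypted": method == "CONNECT" or resource.endswith(":443"),
        })
    return records


def events_of_interest(records, user=None, resource_contains=None, start=None, end=None):
    """Apply the criteria the guide suggests: username, resource, date/time window."""
    hits = []
    for r in records:
        if "error" in r:
            continue
        if user is not None and r["user"] != user:
            continue
        if resource_contains is not None and resource_contains not in r["resource"]:
            continue
        if start is not None and r["time"] < start:
            continue
        if end is not None and r["time"] > end:
            continue
        hits.append(r)
    return hits


def after_hours_events(records, user, open_hour=7, close_hour=18):
    """Events for a user outside business hours (assumed 07:00 to 18:00)."""
    return [r for r in events_of_interest(records, user=user)
            if not open_hour <= r["time"].hour < close_hour]


def describe(hit):
    """One line per event, claiming only what the log supports for encrypted sessions."""
    stamp = hit["time"].strftime("%Y-%m-%d %H:%M:%S")
    if hit["encrypted"]:
        return (f"{stamp} {hit['user']} from {hit['src_ip']} established an encrypted "
                f"session with {hit['resource']} (content not recoverable)")
    return f"{stamp} {hit['user']} from {hit['src_ip']} accessed {hit['resource']} (HTTP {hit['status']})"


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hit in events_of_interest(parsed, user="mdanseglio", resource_contains="payroll"):
        print(describe(hit))
    for hit in after_hours_events(parsed, "mdanseglio"):
        print("after hours:", describe(hit))
    print("unparsed lines:", [r["line"] for r in parsed if "error" in r])
```

Keeping the error records matters in an investigation: a line that fails to parse may be the one that was tampered with, and a report that says "line 6 could not be interpreted" is defensible in a way that a silently shortened list is not.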

Analyze Host Data


Host data includes information about such components as the operating system and applications. Use the following procedure to analyze the copy of the host data you obtained in the Acquire the Data phase.

1. Identify what you are looking for. There will likely be a large amount of host data, and only a portion of that data might be relevant to the incident. Therefore, you should try to create search criteria for events of interest. For example, you might use the Microsoft Windows® Sysinternals Strings tool to search the files located in the \Windows\Prefetch folder. This folder contains information such as when and where applications were launched. For information about how to use the Strings tool and send or pipe the results to a text file, see Chapter 5: Applied Scenario Example in this guide.

2. Examine the operating system data, including clock drift information, and any data loaded into the host computer's memory to see if you can determine whether any malicious applications or processes are running or scheduled to run. For example, you can use the Windows Sysinternals AutoRuns tool to show you what programs are configured to run during the boot process or login.

3. Examine the running applications, processes, and network connections. For example, you can look for running processes that might have an appropriate name but are running from non-standard locations. Use tools such as Windows Sysinternals ProcessExplorer, LogonSession, and PSFile to perform these tasks. See the "Tools" section in Appendix: Resources of this guide for information about these tools.
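The check in step 3, a process with a legitimate-looking name running from a non-standard location, is easy to automate against the output of tools such as PsList or Process Explorer. The Python below is an added example, not from the guide or from Sysinternals; the expected-locations table, the user-writable path hints and the process inventory are constructed for the demonstration and would in practice be replaced by a baseline taken from a known-good build. It also catches near-miss names, such as a system binary name with one transposed pair or one substituted character.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis box

# Assumed baseline for the demo: where a few well-known Windows XP binaries live.
# In practice, build this from a known-good system of the same build.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Path fragments that indicate a user-writable location (constructed list).
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")

# Constructed process inventory, as PsList or Process Explorer would show it:
# (process name, PID, full image path)
SAMPLE_PROCESSES = [
    ("svchost.exe", 1032, r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", 2240, r"C:\Documents and Settings\mdanseglio\Local Settings\Temp\svchost.exe"),
    ("scvhost.exe", 2312, r"C:\WINDOWS\system32\scvhost.exe"),
    ("explorer.exe", 1488, r"C:\WINDOWS\explorer.exe"),
    ("lsass.exe", 688, r"C:\WINDOWS\system32\lsass.exe"),
]


def lookalike(name, known_names):
    """Return the system binary name that `name` imitates by one substituted
    character (svch0st.exe) or one transposed pair (scvhost.exe), else None."""
    for known in known_names:
        if name == known or len(name) != len(known):
            continue
        diffs = [i for i, (a, b) in enumerate(zip(name, known)) if a != b]
        if len(diffs) == 1:
            return known
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and name[diffs[0]] == known[diffs[1]] and name[diffs[1]] == known[diffs[0]]):
            return known
    return None


def check_process(name, path):
    """List the reasons this process deserves a closer look (empty list if none)."""
    reasons = []
    name_l = name.lower()
    path_l = ntpath.normpath(path).lower()
    directory = ntpath.dirname(path_l)
    expected = KNOWN_SYSTEM_BINARIES.get(name_l)
    if expected is not None and directory not in expected:
        reasons.append(f"{name} runs from {directory}, expected {sorted(expected)}")
    elif expected is None:
        twin = lookalike(name_l, KNOWN_SYSTEM_BINARIES)
        if twin:
            reasons.append(f"{name} looks like the system binary {twin}")
    if any(hint in path_l for hint in USER_WRITABLE_HINTS):
        reasons.append("image file is in a user-writable location")
    return reasons


def triage(processes):
    """Map PID -> reasons for every process that triggered at least one check."""
    flagged = {}
    for name, pid, path in processes:
        reasons = check_process(name, path)
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

A process that passes these checks is not thereby cleared; the checks only order the review so that the obvious cases are examined first.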

Analyze Storage Media


The storage media you collected during the Acquire the Data phase will contain many files. You need to analyze these files to determine their relevance to the incident, which can be a daunting task because storage media such as hard disks and backup tapes often contain hundreds of thousands of files. Identify files that are likely to be relevant, which you can then analyze more closely. Use the following procedure to extract and analyze data from the storage media you collected:

1. Whenever possible, perform offline analysis on a bit-wise copy of the original evidence.

2. Determine whether data encryption was used, such as the Encrypting File System (EFS) in Microsoft Windows. Several registry keys can be examined to determine whether EFS was ever used on the computer. For a list of the specific registry keys, see the "Determining If EFS is Being Used on a Machine" section in the article "Encrypting File System in Windows XP and Windows Server 2003" on Microsoft TechNet. If you suspect data encryption was used, then you need to determine whether or not you can actually recover and read the encrypted data. Your ability to do so will depend upon different circumstances, such as the version of Windows, whether or not it is a domain-joined computer, and how EFS was deployed. For more information about EFS see "The Encrypting File System" on Microsoft TechNet. External EFS recovery tools are also available, such as Advanced EFS Data Recovery by Elcomsoft.

3. If necessary, uncompress any compressed files and archives. Although most forensic software can read compressed files from a disk image, you might need to uncompress archive files to examine all files on the media you are analyzing.

4. Create a diagram of the directory structure. It might be useful to graphically represent the structure of the directories and files on the storage media to effectively analyze the files.

5. Identify files of interest. If you know which files were affected by the security incident, you can focus the investigation on these files first. The hash sets created by the National Software Reference Library can be used to compare well-known files (such as operating system and application files) to the originals. Those files that match can normally be eliminated from the investigation. You can also use informational sites such as filespecs.com, Wotsit's Format, ProcessLibrary.com, and Microsoft DLL Help to help you categorize and collect information about existing file formats as well as to identify files.

6. Examine the registry, the database that contains Windows configuration information, for information about the computer boot process, installed applications (including those loaded during startup), and login information such as username and logon domain. For registry background information and detailed descriptions of registry content, see the Windows Server 2003 Resource Kit Registry Reference. Various tools are available for analyzing the registry, including RegEdit, which ships with the Windows operating system, Windows Sysinternals RegMon for Windows, and Registry Viewer by AccessData.

7. Search the contents of all gathered files to help identify files that may be of interest. Various intelligent searches can be performed using tools described in the "Tools" section in Appendix: Resources of this guide. For example, you can use the Windows Sysinternals Streams tool to reveal whether there are any NTFS alternate data streams used on files or folders. NTFS alternate data streams can hide information within a file by causing it to appear to contain zero bytes of data when viewed through Windows Explorer although the file actually contains hidden data.

8. Study the metadata of files of interest, using tools such as EnCase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways. File attributes such as timestamps can show the creation, last access, and last written times, which can often be helpful when investigating an incident.

9. Use file viewers to view the content of the identified files, which allow you to scan and preview certain files without the original application that created them. This approach protects files from accidental damage, and is often more cost effective than using the native application. Note that file viewers are specific to each type of file; if a viewer is not available, use the native application to examine the file.

After you analyze all of the available information, you may be able to reach a conclusion. However, it is important to be very cautious at this stage and ensure that you do not blame the wrong party for any damages. If you are certain of your findings, you will be ready to begin the Report the Investigation phase.
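Added example (not from the guide or the NSRL) of the step 5 elimination against a known-file hash set and the step 8 timestamp review. The known-good set is built here by hashing constructed content, standing in for an NSRL reference set, which is likewise keyed on content digests; the file inventory, its timestamps and the incident window are constructed. Two timestamp signals are flagged: last-written earlier than created, which on NTFS indicates the file was copied onto the volume (the copy receives a new creation time but keeps the source's modification time), and last access inside the incident window.

```python
import hashlib
from datetime import datetime


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for an NSRL hash set: digests of files the OS and
# applications ship with. (A real reference set is keyed on SHA-1/MD5 of content too.)
KNOWN_GOOD = {
    sha1_hex(b"constructed content of notepad.exe"),
    sha1_hex(b"constructed content of kernel32.dll"),
}

# Constructed period of interest for the incident (assumption for the demo).
INCIDENT_WINDOW = (datetime(2007, 1, 8, 18, 0), datetime(2007, 1, 9, 7, 0))

# Constructed inventory of the acquired image: path, content, created, accessed, written.
INVENTORY = [
    (r"C:\WINDOWS\notepad.exe", b"constructed content of notepad.exe",
     datetime(2005, 5, 5, 12, 0), datetime(2007, 1, 8, 21, 22), datetime(2005, 5, 5, 12, 0)),
    (r"C:\WINDOWS\system32\kernel32.dll", b"constructed content of kernel32.dll",
     datetime(2005, 5, 5, 12, 0), datetime(2007, 1, 8, 21, 0), datetime(2005, 5, 5, 12, 0)),
    (r"C:\Documents and Settings\mdanseglio\My Documents\Personal\payroll-summary.xls",
     b"constructed spreadsheet",
     datetime(2007, 1, 8, 21, 20), datetime(2007, 1, 8, 21, 25), datetime(2006, 12, 31, 17, 0)),
    (r"C:\Documents and Settings\mdanseglio\My Documents\Personal\xxxpixset\img001.jpg",
     b"constructed image",
     datetime(2006, 11, 2, 10, 0), datetime(2007, 1, 8, 22, 10), datetime(2006, 11, 2, 10, 0)),
    (r"C:\Program Files\NetTool\sniff.exe", b"constructed tool",
     datetime(2006, 12, 15, 9, 0), datetime(2006, 12, 20, 9, 0), datetime(2006, 12, 10, 9, 0)),
    (r"C:\WINDOWS\system32\drivers\etc\hosts", b"constructed hosts file",
     datetime(2005, 5, 5, 12, 0), datetime(2006, 6, 1, 8, 0), datetime(2005, 5, 5, 12, 0)),
]


def triage(inventory, known_good, window):
    """Drop known files, then annotate the rest with timestamp observations.
    Returns a list of (path, flags); an empty flag list means 'unknown but quiet'."""
    start, end = window
    remaining = []
    for path, content, created, accessed, written in inventory:
        if sha1_hex(content) in known_good:
            continue  # matches the reference set: eliminate from the review
        flags = []
        if written < created:
            # NTFS keeps the source's modification time on copy but assigns a new
            # creation time, so written < created means the file was copied here.
            flags.append("written before created: copied onto this volume at %s" % created)
        if start <= accessed <= end:
            flags.append("last accessed inside the incident window")
        remaining.append((path, flags))
    return remaining


def files_of_interest(inventory, known_good, window):
    """Paths that carry at least one flag, most flags first."""
    hits = [(p, f) for p, f in triage(inventory, known_good, window) if f]
    return [p for p, f in sorted(hits, key=lambda pf: -len(pf[1]))]


if __name__ == "__main__":
    for path, flags in triage(INVENTORY, KNOWN_GOOD, INCIDENT_WINDOW):
        print(path, "->", flags or "no timestamp flags")
```

Elimination by hash only removes files whose content is byte-for-byte identical to the reference; a system binary that has been modified, or that lives in an unexpected place, will not match and therefore stays in the review, which is the intended behaviour.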

Chapter 4: Report the Investigation


This chapter discusses how to organize the information that you gather and the documentation that you create throughout a computer investigation, as well as how to write a final report. Use the two-step process shown in the following figure.

Figure 4.1. Reporting phase of the computer investigation model

Gather and Organize Information


During the initial phases of a computer investigation you create documentation about the specific activities in each phase. From within this documentation you need to identify the specific information that is relevant to your investigation and organize it into appropriate categories. Use the following procedure to gather and organize the required documentation for the final report.

1. Gather all documentation and notes from the Assess, Acquire, and Analyze phases. Include any appropriate background information.

2. Identify parts of the documentation that are relevant to the investigation.

3. Identify facts to support the conclusions you will make in the report.

4. Create a list of all evidence to be submitted with the report.

5. List any conclusions you wish to make in your report.

6. Organize and classify the information you gather to ensure that a clear and concise report is the result. Reference the following "Write the Report" section and Sample – Internal Investigation Report.doc (in Appendix: Resources in this guide) to help organize the information.

Write the Report


After you organize the information into appropriate categories, you can use it to write the final report. It is critical to the outcome of the investigation that the report is clear, concise, and written for the appropriate audience. The following list identifies recommended report sections and information that should be included in these sections.

• Purpose of Report. Clearly explain the objective of the report, the target audience, and why the report was prepared.

• Author of Report. List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details.

• Incident Summary. Introduce the incident and explain its impact. The summary should be written so that a non-technical person such as a judge or jury would be able to understand what occurred and how it occurred.

• Evidence. Provide descriptions of the evidence that was acquired during the investigation. When describing evidence, state how it was acquired, when, and who acquired it.

• Details. Provide a detailed description of what evidence was analyzed and the analysis methods that were used. Explain the findings of the analysis. List the procedures that were followed during the investigation and any analysis techniques that were used. Include proof of your findings, such as utility reports and log entries. Justify each conclusion that is drawn from the analysis. Label supporting documents, number each page, and refer to them by label name when they are discussed in the analysis. For example, "Firewall log from server, supporting document D." Also, provide information about those individuals who conducted or were involved with the investigation. If applicable, provide a list of witnesses.

• Conclusion. Summarize the outcome of the investigation. The conclusion should be specific to the outcome of the investigation. Cite specific evidence to prove the conclusion, but do not provide excessive detail about how the evidence was obtained (such information should be in the "Details" section). Include justification for your conclusion, along with supporting evidence and documentation. The conclusion should be as clear and unambiguous as possible. In many cases, it will be stated near the beginning of the report, because it represents the actionable information.

• Supporting documents. Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of technologies that are involved in the investigation. It is important that supporting documents provide enough information for the report reader to understand the incident as completely as possible. As mentioned earlier, label each supporting document with letters and number each page of the document. Provide a complete list of supporting documents. If it is likely that the report will be presented to a varied audience, consider creating a glossary of terms used in the report. A glossary is especially valuable if the law enforcement agency is not knowledgeable about technical issues or when a judge or jury needs to review the documents.


Note: During an investigation you will likely collect valuable information about the use of computer investigation processes. You might also gain experience and a better understanding of operational and security-related procedures. You should review your existing operational and incident response documentation and incorporate the knowledge you gain during an investigation. If you do not have such documentation or wish to adopt an industry standard format, you can use the Microsoft® Operations Framework (MOF) documentation templates and guidance. For more information about MOF visit the Microsoft Operations Framework home page.

Chapter 5: Applied Scenario Example


This scenario depicts unauthorized access to internal confidential information within a national financial institution, Woodgrove Bank. The scenario is fictional, as are the people and the organizations mentioned in the scenario. The scenario was designed to provide an overview of tools and technologies used for data collection and examination. In a real security breach situation, you should consult with appropriate management, legal, and law enforcement groups for advice about the appropriate investigative techniques to use. Also, although the authors recognize that imaging a suspect drive is important in investigative work, it is beyond the scope of this guide and only briefly mentioned during the data acquisition phase of the scenario.

Scenario
It has been brought to the attention of Ray Chow, the Enterprise Systems Administrator of Woodgrove National Bank, that someone was bragging about knowing the salary of many different bank employees. Ray learned the name of the employee who claimed to know this information: Mike Danseglio. Mike works in the loan department and should not have access to any Human Resources (HR) files. Woodgrove National Bank has a policy that relates to the proper use of bank computers. This policy states that there is no expectation of privacy when using company computers for any purpose, including e-mail services and access to Web sites. The policy also states that no programs will be loaded on any computers without the written permission of the IT Director, and that any attempts to circumvent passwords or obtain unauthorized access to bank files will be grounds for termination or legal prosecution. The policy also allows the IT staff to install any network monitoring devices, including sniffers or other packet capture devices, to maintain network security or to investigate possible abuses. Ray wants to ensure that he uses accepted computer investigation procedures to investigate this issue and report his findings. Ray believes that information might have been originally obtained from the HR file server and plans to follow the four-phase computer investigation model shown in the following figure:

Figure 5.1. Computer investigation model overview

Important: See the "Applied Scenario Lab Configuration" section at the end of this chapter for information about how to emulate this scenario and follow along using the tools.

Assess the Situation


Ray meets with management to assess the situation. Management indicates that unauthorized access to and distribution of confidential payroll information would be grounds for termination, but they will not prosecute an employee for such actions. Woodgrove National Bank policy states that management will consult with the internal legal department to check local laws and determine whether any other policies affect investigations about improper employee access to restricted computer systems. The Woodgrove National Bank legal department provides written permission for Ray to examine the contents of Mike Danseglio's company computer. The legal and management teams ask to be informed of the investigation outcome. They also ask Ray to follow up with steps to protect sensitive data more effectively in the future if he finds that a breach occurred. Ray's first task is to identify the computers that are involved in the investigation and document the hardware configuration for each. After he completes this task, Ray draws a logical diagram of the involved computers, which is shown in the following figure.

Figure 5.2. Logical diagram of computers involved in the investigation

Ray then considers different options for proceeding with the investigation. Because some of the information he needs to acquire is volatile data, Ray decides to begin the internal computer investigation by analyzing live data. He will then make an image of Mike Danseglio's drive and examine the static evidence. Ray creates a USB drive that includes the appropriate investigative tools for a live investigation. (The "Tools" section in Appendix: Resources in this guide describes the tools that are referenced in this chapter.) Ray's next task is to duplicate the suspected party's hard disk in a way that protects and preserves the evidence if he locates information that requires him to report the case to law enforcement.


Ray notes items of potential interest, documents what is needed to be able to identify and authenticate the collected evidence later in the investigation, and creates an audit log of actions performed during the investigation.

Acquire Evidence of Confidential Data Access


Woodgrove National Bank management authorized Ray to examine the directory structure on the HR file server (WNB-HQ-FS1) and the payroll files to determine whether an unauthorized individual read the files. Ray could go to Mike Danseglio's computer immediately and look for evidence, or he could begin at the server and try to locate evidence in the audit logs. Ray also wants to know what user rights Mike Danseglio has with regard to the HR folders. Ray decides to use the following two-step approach to acquire the evidence:

1. Examine the HR file server to look for evidence of unauthorized access to confidential files and folders. This examination may or may not confirm management's suspicion that Mike Danseglio accessed these files without proper authorization.

2. Examine the contents of Mike Danseglio's drive locally and remotely to look for any confidential data.

Ray plans to use a combination of native Microsoft® Windows® tools (including Ipconfig, Systeminfo, and Netstat) and Windows Sysinternals tools (including AccessChk, PsLoggedOn, and PsFile). Ray interviews HR team members and examines the file server. He notes that payroll files are summarized once each month in spreadsheet files that are kept in the HR\Internal\Payroll folder. The HR MGRS group is the only group that should have read or write permissions to this folder, and Mike Danseglio is not a member of this group. Ray needs to determine whether it is possible for someone to access the HR Department folder that contains the salary information for bank employees. Ray views the event logs for the HR file server. He previously configured auditing on the HR\Internal folder so that he could track access failures and successes. Ray notes all the steps he takes to open and view the Security event log. Several entries in the event log stand out, such as the one shown in the following screen shot. A few entries indicate that a mdanseglio user account accessed the HR\Internal\Payroll\030405PR-AH3.xls file.


Figure 5.3. Security event log entries that indicate user account mdanseglio accessed the 030405PR-AH3.xls file in the HR\Internal\Payroll folder

First, Ray creates new \evidence and \tools folders on the USB drive. To ensure the integrity of the evidence files he creates, Ray will perform an MD5 cryptographic hash on any files he copies from Mike's computer to the evidence folder. MD5 cryptographic hashes are created by running an algorithm on a file to create a unique 128-bit "fingerprint" of the contents of the file. If someone questions the integrity of the data collected by Ray (for example, to imply the file may have been edited at a later time), Ray can provide the original MD5 checksum value for comparison and validation. Ray exports the log set to a USB drive that is labeled HR01. He will use this same USB drive for all his evidence collection.

Note: Connecting a USB drive to a Windows-based computer adds an entry to the Setupapi.log file and alters the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Storage\RemovableMedia

Ray decides to determine what permissions are assigned to the HR\Internal folder by running the Windows Sysinternals AccessChk tool on the server. This tool shows what permissions the specified user or group has to files, registry keys, or Windows services. Ray runs the tool from his USB drive, which appears as drive F:, by typing the following at a command prompt:

    f:\tools>accesschk mdanseglio c:\hr\internal


Note: The Sysinternals AccessChk tool requires an installation process and will leave a footprint on the local drive in the following registry key: HKEY_CURRENT_USER\Software\Sysinternals\AccessChk

Ray notes that the mdanseglio user account has read and write permissions to the \Benefits, \Payroll, and \Reviews subfolders under \HR\Internal as shown in the following screen shot:

Figure 5.4. AccessChk results that indicate user account mdanseglio has read and write permissions to the HR\Internal subfolders

Ray suspects that errors in the configuration of the HR server permissions allowed Mike Danseglio to access the HR\Internal folder. Ray spends a few minutes investigating Mike Danseglio's user rights and notices that he is a member of a group called branch01mgrs. This group has read and write permissions to the HR\Internal folders. Ray wants to know whether Mike Danseglio is currently logged on to any servers on the network. Ray uses PsLoggedOn, a tool that displays locally logged on users as well as users who are logged on through resources to either the local computer or a remote one. Ray inserts his USB stick into his computer and types the following at the command prompt:

    f:\tools>psloggedon mdanseglio

The results, shown in the following screen shot, indicate that Mike Danseglio is logged on to WNB-HQ-FS1 at this time.

Figure 5.5. PsLoggedOn results indicating that user account mdanseglio is logged on to WNB-HQ-FS1

Ray removes Mike Danseglio from the branch01mgrs group and rechecks his user rights to the HR\Internal folder. After further review of the Security event logs and the results of AccessChk to look for other possible incorrect permission configurations to the HR\Internal folder, Ray begins investigating the contents of Mike Danseglio's computer using remote investigative techniques.
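What Ray found, a user holding rights through a group that should never have been granted them, can be checked systematically rather than by reading AccessChk output one user at a time. The following Python is an added example, not the guide's or AccessChk's code; the ACL, group memberships and authorized-group list are constructed from the scenario (HR MGRS and branch01mgrs are the group names in the text, the other principals and user names are made up), and deny entries and inheritance are not modelled. It reports each user's effective rights and the principal that grants them, lists ACL grants that are not on the authorized list, and re-evaluates after the remediation Ray performs.

```python
from copy import deepcopy

FOLDER = r"HR\Internal"

# Constructed from the scenario: which principals the folder's ACL grants rights to.
# Deny entries and inheritance are deliberately not modelled.
ACL = {
    FOLDER: [
        ("HR MGRS", {"read", "write"}),
        ("branch01mgrs", {"read", "write"}),
        ("Domain Admins", {"read", "write", "full"}),
    ],
}

# Constructed group memberships (user names other than mdanseglio are made up).
GROUPS = {
    "HR MGRS": {"jshrader"},
    "branch01mgrs": {"mdanseglio", "lrivera"},
    "Domain Users": {"mdanseglio", "jshrader", "lrivera"},
    "Domain Admins": {"rchow"},
}

# Who is supposed to have rights on the folder (the bank's intent, per the scenario).
AUTHORIZED = {FOLDER: {"HR MGRS", "Domain Admins"}}


def groups_of(user, groups):
    return {g for g, members in groups.items() if user in members}


def effective_rights(user, folder, acl, groups):
    """Union of rights granted to the user directly or via any group, plus the
    principals that grant them (the 'why' that AccessChk output leaves to you)."""
    principals = groups_of(user, groups) | {user}
    rights, via = set(), []
    for principal, granted in acl.get(folder, []):
        if principal in principals:
            rights |= granted
            via.append(principal)
    return rights, sorted(via)


def unexpected_grants(folder, acl, authorized):
    """ACL entries for principals that are not on the authorized list."""
    return [p for p, _ in acl.get(folder, []) if p not in authorized.get(folder, set())]


def users_with_access(folder, acl, groups):
    """Every user who can read the folder, mapped to the principals granting it."""
    everyone = set().union(*groups.values())
    return {u: effective_rights(u, folder, acl, groups)[1]
            for u in sorted(everyone)
            if "read" in effective_rights(u, folder, acl, groups)[0]}


def remove_from_group(user, group, groups):
    """Return a new membership map with the user removed (the original is untouched,
    so the 'before' state stays available for the report)."""
    updated = deepcopy(groups)
    updated[group].discard(user)
    return updated


if __name__ == "__main__":
    print("before:", effective_rights("mdanseglio", FOLDER, ACL, GROUPS))
    print("unexpected grants:", unexpected_grants(FOLDER, ACL, AUTHORIZED))
    print("who can read:", users_with_access(FOLDER, ACL, GROUPS))
    fixed = remove_from_group("mdanseglio", "branch01mgrs", GROUPS)
    print("after:", effective_rights("mdanseglio", FOLDER, ACL, fixed))
```

Note what the unexpected-grants check says that the per-user check does not: removing one member from branch01mgrs fixes Mike's access, but every other member of that group keeps the same rights until the group's ACL entry itself is removed.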


Remote Evidence Collection


Ray decides to gather information remotely from Mike Danseglio's computer before he tries to gather information locally, and he comes into the office during a weekend to make a forensically sound copy of Mike's hard disk. In an actual situation, Ray might perform his entire forensics investigation on a hard disk image of the suspected party's computer. However, this scenario depicts the use of tools and techniques to gather volatile evidence locally and remotely. Ray uses a USB drive connected to his own computer that contains numerous tools. The USB drive will store all evidence that he collects as well as a text file record of all commands he types. Ray uses the following basic procedure, which allows him to mark the time his examination starts, collect the evidence from Mike Danseglio's computer across the network, record all his investigatory steps, and create an MD5 hash of the evidence he collects.

Important: Some Sysinternals tools, including PsExec, PsFile, and PsLogList, are blocked by the default Windows Firewall configuration. To follow along with this applied example and use these tools to examine what information can be gathered across the network, you need to click the Exceptions tab in Windows Firewall and enable File and Printer Sharing. However, you do NOT need to share anything. On target computers that have Windows Firewall enabled and File and Printer Sharing disabled (the default setting), the Systeminfo, Ipconfig, Arp, Netstat, Schtasks, PsFile, PsList, and PsLogList tools must be run directly on the target computer. In such a case, run each of these tools directly on the target system and pipe the results to the evidence2.txt file created in the "Local Evidence Collection" section later in this chapter.

1. Access the USB drive.

Ray accesses the USB drive and the \tools folder that contains his command-line tools (including PsExec and the File Checksum Integrity Verifier (FCIV) tool).

    j:
    cd tools

2. Note the examination start date and time.

Ray pipes the results of the date and time commands to record the start time of his investigation into a new mdevidence.txt file that is created in the \evidence folder on his USB drive. (Ray will obtain the system time on Mike Danseglio's computer in step 3.) In addition, Ray looks for any discrepancy between the BIOS date and time and the actual date and time.

    date /t > j:\evidence\mdevidence.txt
    time /t >> j:\evidence\mdevidence.txt

3. Obtain basic information about the target computer.

Ray runs a series of native Windows commands to obtain information about Mike's computer.

    j:
    cd tools


    psexec \\hqloan164 systeminfo >> j:\evidence\mdevidence.txt
    psexec \\hqloan164 ipconfig /all >> j:\evidence\mdevidence.txt
    psexec \\hqloan164 arp -a >> j:\evidence\mdevidence.txt
    psexec \\hqloan164 netstat -b >> j:\evidence\mdevidence.txt
    psexec \\hqloan164 schtasks >> j:\evidence\mdevidence.txt

Note: PsExec gathers information remotely by using services that are already on the target computer, such as Cmd and Ipconfig. PsExec can also be used to load services across the network to run on the target computer. Ray does not want to install any applications on Mike's computer; he only runs services that are supported by the Windows XP operating system on Mike's computer.

4. Run remote tools that use local application programming interfaces (APIs).

Ray now runs several tools to determine whether other computers have files open on Mike's computer, the processes that are running on the computer, and to obtain the System and Security event logs from the computer.

    psfile \\hqloan164 >> j:\evidence\mdevidence.txt
    pslist -t \\hqloan164 >> j:\evidence\mdevidence.txt
    psloglist -s \\hqloan164 >> j:\evidence\mdevidence.txt
    psloglist -s sec \\hqloan164 >> j:\evidence\mdevidence.txt

• PsFile shows files opened remotely. This tool uses remote Windows APIs and does not need to be loaded on the target computer.

• PsList shows information about running processes and threads on a computer. This tool uses remote Windows APIs and does not need to be loaded on the target computer.

• PsLogList dumps the contents of the computer's Event log by default; no additional parameter is needed. Ray runs this command with the sec parameter to obtain the Security event log.

5. Create a record of all tasks.

Windows automatically tracks all the commands that are executed at a command prompt. Ray uses the Doskey command to capture this record and pipes the history information into a file called mdevidence-doskey.txt.

    doskey /h > j:\evidence\mdevidence-doskey.txt

6. Perform an MD5 checksum on the evidence files.

Ray uses the FCIV tool to perform an MD5 checksum on the evidence files.

    fciv j:\evidence\mdevidence.txt >> j:\evidence\md5mdevidence.txt

Notes: Display limitations might cause the preceding command to display on more than one line. It should be entered as a single line at the command prompt.


The FCIV tool computes and verifies cryptographic hash values. This tool is available through Microsoft Knowledge Base article 841290, "Availability and description of the File Checksum Integrity Verifier utility."

Ray wants to remotely review the folders on Mike Danseglio's computer. To do so, he uses PsExec to open a command prompt on Mike's computer. At the command prompt, Ray enters the following commands:

    psexec \\hqloan164 cmd
    cd c:\documents and settings\mdanseglio\my documents
    dir /s

Although all users are required to keep documents on the network server, Ray notices that Mike Danseglio has a Personal folder on his computer. This folder includes a spreadsheet and a \xxxpixset subfolder. After remotely reviewing the folders on Mike's computer, Ray is ready to report his findings and move to Mike's computer to investigate locally. Jill Shrader, the HR Department Manager, calls Ray on his cell phone and asks about the status of Ray's investigation. Ray explains that he has collected the following information:

• Mike Danseglio's user account had read and write permissions to the HR\Internal folder because he was mistakenly added to the branch01mgrs group, which has permissions to that folder and its subfolders.

• Mike's computer has a Personal folder on its hard disk that contains at least one spreadsheet.

• Mike's computer contains two unauthorized programs that enable him to monitor network traffic and scan the network for services and computers.

• Mike's computer has a large collection of image files on its hard disk that Ray suspects are pornographic images.

Local Evidence Collection


Ideally, computer investigations should be conducted on hard disk images. In this example, however, Ray runs a series of tools directly on Mike Danseglio's computer. These tools are run from a USB drive and do not require installation on the local computer. However, as mentioned earlier in this chapter, the insertion of the USB drive will leave a footprint in the registry.

Important: If Mike Danseglio's computer had Windows Firewall enabled with File and Printer Sharing disabled, Ray would run the Systeminfo, Ipconfig, Arp, Netstat, Schtasks, PsFile, PsList, and PsLogList tools locally on Mike's computer. Ray would enter the commands listed in the "Remote Evidence Collection" section earlier in this chapter but remove the reference to \\hqloan164 before piping the results to the evidence2.txt file he creates in this section.

Ray plans to perform the following tasks on Mike's computer:

- Search the drive for evidence of confidential files.
- Acquire copies of any suspect files.
- Examine the files.


Ray logs on to Mike's computer using the Administrator account to access Mike's personal folder. Ray uses the following basic procedure after he connects the evidence collection USB drive to Mike's computer:

1. Access Mike Danseglio's Personal folder. Ray accesses Mike's Personal folder with the following commands.

    c:
    cd "documents and settings\mdanseglio\my documents\personal"

2. Note examination start date and time.

Ray pipes the results of the Date and Time commands to record the start time of his investigation. He pipes the results into a new mdevidence2.txt file that is created in the \evidence folder on the USB drive.

    date /t > f:\evidence\mdevidence2.txt
    time /t >> f:\evidence\mdevidence2.txt

Note: The USB drive is designated as drive F: on Mike's computer.

3. Acquire directory structure information.

Ray uses the Dir command to examine the contents of Mike's Personal folder. First, Ray pipes the results to the screen to view the results and notices a spreadsheet file and the \xxxpixset folder. Then Ray pipes the results of the Dir command to the evidence file using three different parameters: /tc to show creation time, /ta to show last accessed time, and /tw to show last written time.

    dir /ta >> f:\evidence\mdevidence2.txt
    dir /tc >> f:\evidence\mdevidence2.txt
    dir /tw >> f:\evidence\mdevidence2.txt

4. Access the USB drive.

Ray accesses the USB drive and the \tools folder that contains his command-line tools.

    f:
    cd tools

5. Gather Mike Danseglio's file information.

Ray uses the Du utility to examine the contents of Mike Danseglio's My Documents folder and any subfolders. He uses the -l 5 parameter to search to a depth of five folders. First, Ray examines the results on the screen (shown in the following screen shot) before he pipes the evidence to the mdevidence2.txt file.

    du -l 5
    du -l 5 >> f:\evidence\mdevidence2.txt


Figure 5.5. Results of running the Du utility

6. Copy suspect files to the \evidence_files folder.

Although Ray created an image of Mike Danseglio's entire drive, he decides to copy the files in Mike Danseglio's Personal folder to a new folder named evidence_files that he creates on the USB drive. He will examine the folder and files during the analysis process.

Note: Ray obtained a copy of the original file during the imaging process. He can perform a hash on the original file found on the live drive if he wishes to compare this file to the copy of the file on his USB drive.

Ray uses the Xcopy command with the /s parameter to copy subfolders, the /e parameter to copy subfolders even if they are empty, the /k parameter to retain the read-only attribute on destination files if present on the source files, and the /v parameter to verify each file as it is written to the destination file to make sure that the destination files are identical to the source files.

    f:
    md evidence_files
    c:
    cd \documents and settings\mdanseglio\my documents\personal
    xcopy *.* f:\evidence_files /s /e /k /v

7. Examine the contents of the Recycle Bin.

Ray quickly reviews the contents of the Recycle Bin on Mike Danseglio's computer, which contains numerous deleted files as shown in the following figure. Ray knows the drive image process obtained a copy of these files if he wants to review the files later. After he notes the contents of the Recycle Bin, Ray is ready to review the evidence he collected remotely and locally.
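The FCIV checksum step in the remote collection and the Xcopy /v copy in step 6 both serve the same end: being able to prove later that the evidence copies match their source. The following Python script is an added example, not code from the guide, that copies a folder, verifies each copy by hash, records the three timestamps that Dir /ta, /tc and /tw report, and writes an MD5/SHA-1 manifest that can be re-checked at any time; the folder and file names it creates under a temporary directory are constructed stand-ins for the C: and F: drives in the scenario.

```python
"""Added example (not from the guide): acquire a folder the way the scenario
does with Xcopy /s /e /k /v, record the timestamps Dir /ta, /tc and /tw show,
and write the MD5/SHA-1 manifest that FCIV produces, so the evidence files can
be proven unchanged later.  Paths and file names below are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path, algorithm="md5", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so large images do not fill RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def timestamps(path):
    """(last accessed, created, last written) as ISO-8601 UTC strings.

    Caveat: st_ctime is the creation time on Windows (what Dir /tc shows) but
    the inode change time on POSIX systems, so label it accordingly there.
    """
    st = os.stat(path)

    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return iso(st.st_atime), iso(st.st_ctime), iso(st.st_mtime)


def acquire_folder(source, destination):
    """Copy every file under `source` into `destination`, verifying each copy
    against the original (the Xcopy /v step), and return a manifest of
    {relative path: {"md5", "sha1", "size", "accessed", "created", "written"}}.
    Timestamps are read from the source BEFORE it is hashed or copied, because
    reading the file can itself update its last-accessed time.
    """
    source, destination = Path(source), Path(destination)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        accessed, created, written = timestamps(src)
        dst = destination / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also carries over attributes and times
        md5, sha1 = hash_file(src, "md5"), hash_file(src, "sha1")
        if hash_file(dst, "md5") != md5:  # verify the copy before trusting it
            raise RuntimeError(f"copy of {rel} does not match its source")
        manifest[rel] = {"md5": md5, "sha1": sha1, "size": src.stat().st_size,
                         "accessed": accessed, "created": created,
                         "written": written}
    return manifest


def write_manifest(manifest, manifest_path):
    """Store the manifest as JSON next to the evidence and return its SHA-1,
    so the manifest itself can be placed under chain of custody."""
    manifest_path = Path(manifest_path)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return hash_file(manifest_path, "sha1")


def verify_manifest(manifest, evidence_root):
    """Re-hash the evidence copies and return the relative paths that no longer
    match the manifest (missing files count as changed).  An empty list means
    the evidence is intact."""
    evidence_root = Path(evidence_root)
    changed = []
    for rel, entry in manifest.items():
        path = evidence_root / rel
        if not path.is_file() or hash_file(path, "md5") != entry["md5"]:
            changed.append(rel)
    return changed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in drives
        personal = Path(tmp, "Personal")        # plays C:\...\My Documents\Personal
        personal.joinpath("xxxpixset").mkdir(parents=True)
        personal.joinpath("payroll.xls").write_bytes(b"constructed spreadsheet")
        personal.joinpath("xxxpixset", "img1.jpg").write_bytes(b"\xff\xd8\xff")
        evidence = Path(tmp, "evidence_files")  # plays F:\evidence_files
        manifest = acquire_folder(personal, evidence)
        write_manifest(manifest, Path(tmp, "manifest.json"))
        print(verify_manifest(manifest, evidence))  # [] means the copies are intact
```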


Figure 5.6. Several image files located in the Recycle Bin

Analyze Collected Evidence


Ray has two evidence files: mdevidence.txt and mdevidence2.txt. He also has a copy of Mike Danseglio's Personal folder. Ray uses the following procedure on his own computer to analyze the information contained in these files.

1. Analyze the process information. Ray reviews the mdevidence.txt file. The results of PsList are very interesting, because they indicate that Mike Danseglio is running some unauthorized applications, including Wireshark and nMapWin, as shown in the following screen shot. Ray knows it is not unusual to find unrelated violations when performing an investigation on a suspect computer. Ray also understands that not all applications will be easily recognized (such as the ones listed in this scenario) and that it is also possible they were installed without Mike's knowledge.


Figure 5.7. Results of running Pslist on Mike Danseglio's computer

2. Access the USB drive.

Ray accesses the USB drive and the \tools folder that contains his command-line tools.

    j:
    cd tools

3. Look for suspect strings in the spreadsheet file.

Ray looks for the string "confidential" in his copies of the files from Mike's Personal folder. To do so, he uses the Find command with the /i parameter (this parameter ignores the case of characters when searching for the string) and the /c parameter (this parameter provides the number of lines that contain the string). First, Ray pipes the results to the screen. It appears that the 090806PR-A139.xls file contains a match, as shown in the following screen shot. Therefore Ray runs the command a second time to pipe the results to an mdevidence-review.txt file.

    j:
    cd \evidence_files
    find /i /c "confidential" *.*
    find /i /c "confidential" *.* > j:\evidence\mdevidence-review.txt

Note: Display limitations might cause the preceding command to display on more than one line. It should be entered as a single line at the command prompt.


Figure 5.8. Results of the search for "confidential", found in 090806PR-A139.XLS

4. Ray first copies 090806PR-A139.xls to the \evidence_files folder and then uses the Strings tool to list ASCII and Unicode strings contained in the spreadsheet file.

    strings j:\evidence_files\090806PR-A139.xls

The results (shown in the following screen shot) indicate that the spreadsheet file contains payroll information. Ray runs the Strings tool again and pipes the results into his mdevidence-review.txt file.

    strings j:\evidence_files\090806PR-A139.xls >> j:\evidence\mdevidence-review.txt

Note: Display limitations might cause the preceding command to display on more than one line. It should be entered as a single line at the command prompt.


Figure 5.10. Results of running the Strings utility on the spreadsheet file

Ray feels confident that he has located an unauthorized copy of an HR payroll file on Mike Danseglio's computer.
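The Find /i /c search and the Strings listing above are the two checks Ray runs on the copied files. The following Python script is an added example, not code from the guide, that performs the same two checks over bytes held in memory or over a copied evidence folder; the sample spreadsheet and note bytes it contains are constructed, and the Woodgrove Bank title it embeds is only a placeholder.

```python
"""Added example (not from the guide): the two analysis checks the scenario
runs with Find /i /c and Strings, written so they can be run over a copied
evidence folder or over bytes held in memory.  The sample spreadsheet bytes
below are constructed, not taken from the scenario."""
import re
from pathlib import Path


def count_matching_lines(data, needle):
    """Like `find /i /c "needle"`: how many lines of `data` contain `needle`,
    ignoring case.  Works on bytes so binary files are handled as Find does
    (it simply treats the file as newline-separated lines)."""
    needle = needle.encode("latin-1").lower()
    return sum(1 for line in data.split(b"\n") if needle in line.lower())


def search_folder(folder, needle, pattern="*"):
    """Run count_matching_lines over every file matching `pattern` in `folder`
    (the `find /i /c "confidential" *.*` step) and return {name: count}."""
    return {path.name: count_matching_lines(path.read_bytes(), needle)
            for path in sorted(Path(folder).glob(pattern)) if path.is_file()}


def extract_strings(data, min_length=4):
    """Like Sysinternals Strings: return the printable ASCII runs and the
    printable UTF-16LE (Windows "Unicode") runs of at least `min_length`
    characters, in the order they appear in `data`."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_length
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_length
    found = [(m.start(), m.group().decode("ascii"))
             for m in re.finditer(ascii_run, data)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in re.finditer(utf16_run, data)]
    return [text for _, text in sorted(found)]


# Constructed stand-in for a copied spreadsheet: an OLE2 header, an ASCII
# marker, filler bytes and a UTF-16LE title of the kind Excel stores.
SAMPLE_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 4
              + b"CONFIDENTIAL - HR payroll" + b"\x00\x01\x02\x03"
              + "Woodgrove Bank Payroll Q3".encode("utf-16-le")
              + b"\x00\x00\xff\xfe" + b"ab\x00")

# Constructed text note with two matching lines and one non-matching line.
SAMPLE_NOTE = b"nothing to see here\nconfidential memo\nCONFIDENTIAL again\n"


def triage(files, needle="confidential"):
    """Report, per file, the Find-style line count and the extracted strings
    that themselves contain `needle`; `files` maps name -> bytes so copies
    already read from the evidence folder can be examined offline."""
    report = {}
    for name, data in files.items():
        hits = [s for s in extract_strings(data) if needle.lower() in s.lower()]
        report[name] = {"lines": count_matching_lines(data, needle),
                        "strings": hits}
    return report


if __name__ == "__main__":
    sample = {"payroll.xls": SAMPLE_XLS, "note.txt": SAMPLE_NOTE}
    for name, entry in triage(sample).items():
        print(name, entry)
```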

Report the Evidence


Ray analyzes and correlates the evidence and then writes a report that summarizes his findings. A sample report is available in the materials that accompany this guide, which are referenced in the "Worksheets" section of Appendix: Resources. In his report, Ray includes recommendations for securing confidential data from future breaches. Ray also performs data integrity checking on the evidence files and then stores the files appropriately by burning them and the final report to a CD. Ray's report includes the following information:

- Purpose of Report. The report's purpose is to advise Woodgrove Bank management about the incident and state how the results of the investigation can be used to prevent future security breaches.
- Author of Report. Ray identifies himself, provides his title, and states that he performed technical lead responsibilities.
- Incident Summary. This section lists the initial suspicions and the business impact of the incident.
- Evidence. This section includes the list of running processes, the personal directory found on Mike Danseglio's computer, the explicit images that were found, the list of unacceptable applications that were running, and the location of a confidential file that contains payroll information.


- Analysis. This section includes the results of the local and remote investigations, which prove that sexually explicit images were downloaded, permissions were incorrectly configured, and a confidential file that contains payroll information was accessed.
- Conclusion. This section summarizes the outcome of the investigation and includes recommendations to avoid similar incidents in the future.
- Supporting documents. This section includes network diagrams and a list of the computer investigation procedures and technologies used in the investigation.

After submitting his report, Ray waits for the authorization to perform additional investigatory steps or whatever other actions management might want him to perform.

Note: Every investigation may be different. You should use tools that are appropriate for the required task and that help you obtain the information you seek, but it is always a good idea to gather more evidence than you might need.

Applied Scenario Lab Configuration


To emulate this applied scenario in a test lab environment, you will need to complete the following steps:

1. Deploy computers and create an Active Directory directory service domain.
2. Create users and groups in Active Directory.
3. Create folders and files on specific computers.
4. Assign sharing and permissions.
5. Configure auditing.

Deploy Computers and Create Domain


The following table lists the computers and operating systems you will need:

Table 5.1. Computers and Operating Systems Used in the Applied Scenario Lab

Computer name | Operating system
WNB-HQ-DC | Windows Server 2003 R2
WNB-HQ-FS1 | Windows Server 2003 R2
HQ-IT-PC10 | Windows XP Professional SP2
HQLOAN164 | Windows XP Professional SP2

After you install the operating system on each computer, run Dcpromo on WNB-HQ-DC to install Active Directory and DNS.

Create Users and Groups


The following table lists the groups and users that need to be defined in the Active Directory Users and Computers Microsoft Management Console (MMC):


Table 5.2. Groups and Users Referenced in the Applied Scenario Lab

Groups | Users
Enterprise System Administrator | Ray Chow
Domain Admins | Ray Chow
HR MGRS | Jenny Gottfried, Roland Winkler, Jill Shrader
Branch01Mgrs | Mike Danseglio, Nuria Gonzalez

On the file server WNB-HQ-FS1, the Domain Admins group is added as a member of the local Administrators group.

Create Folders and Files


The following table lists device names, directory structures, and included files that you will need:

Table 5.3. Devices, Folders, and Files Used in the Applied Scenario Lab

WNB-HQ-FS1 (file server)
    \HR\Internal\Benefits
    \HR\Internal\Payroll: 090806PR-A139.xls
    \HR\Internal\Review
    \Tools: This folder contains all Sysinternals tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.

HQLOAN164 (Mike Danseglio's computer)
    \Documents and Settings\mdanseglio\My Documents\Personal: 090806PR-A139.xls
    \Documents and Settings\mdanseglio\My Documents\Personal\xxxpixset: This folder contains several .jpg files that include xxx as part of the file name. Several xxx*.* files were deleted from this folder and reside in the Recycle Bin.
    \Tools: This folder contains all Sysinternals tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.

HQ-IT-PC10 (Ray Chow's computer)
    (no folders or files listed)

USB stick (Ray Chow's USB stick)
    \Evidence
    \Evidence_Files
    \Tools: This folder contains all Sysinternals tools and the FCIV tool as listed in the "Tools" section in Appendix: Resources.


Assign Sharing and Permissions


The following table lists the file folders and share permissions that are needed for file server WNB-HQ-FS1:

Table 5.4. Folders and Share Permissions in the Applied Scenario Lab

Folder | Share permissions
\HR | Branch01Mgrs (Full Control, Change, Read); HR MGRS (Full Control, Change, Read)
\Tools | Not shared; only for local use by users who have administrative credentials on the server.

Configure Auditing

On the domain controller WNB-HQ-DC, the Audit object access policy is configured to audit both Success and Failure. This configuration is set through the Domain Security Policy MMC and the Domain Controller Security Policy MMC. On the file server WNB-HQ-FS1, auditing is configured for the Domain Users group on the \HR\Internal folder. To achieve this configuration, right-click the folder and select Properties, Security, Advanced, and then Auditing. Then enter the Domain Users group.

Appendix: Resources

This appendix provides information about various resources that you can use to conduct a computer investigation.

Preparing Your Organization for a Computer Investigation


To prepare your organization for an internal computer investigation, you should assemble a readily available computer investigation toolkit that includes software and devices you can use to acquire evidence. Such a toolkit might contain a laptop computer with appropriate software tools, different operating systems and patches, application media, backup devices, blank media, basic networking equipment, and cables. Preparing this toolkit can be an ongoing task as you find the need for various tools and resources, depending upon the investigations you need to conduct. Use the following guidelines when building and using a computer investigation toolkit:

- Decide which tools you plan to use before you start the investigation. In addition to the Microsoft, Windows, Sysinternals and other Windows tools discussed in this document, the toolkit will typically include dedicated computer forensics software, such as EnCase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways.
- Ensure that you archive and preserve the tools. You might need a backup copy of the computer investigation tools and software that you use in the investigation to prove how you collected and analyzed data.
- List each operating system that you will likely examine, and ensure you have the necessary tools for examining each of them. For example, you can use Windows Sysinternals tools (described later in this appendix) such as PsInfo, PsLogList, and ProcessExplorer to examine computers that run Windows XP and Windows Server 2003.
- Include a tool to collect and analyze metadata.
- Include a tool for creating bit-to-bit and logical copies.
- Include tools to collect and examine volatile data, such as the system state. Some examples from Windows Sysinternals include ListDLLs, LogonSessions, PendMoves, Autoruns, and ProcessExplorer. Windows tools include Systeminfo, Ipconfig, Netstat, and Arp.
- Include a tool to generate checksums and digital signatures on files and other data, such as the File Checksum Integrity Verifier (FCIV) tool. This tool is available through Microsoft Knowledge Base article 841290, Availability and description of the File Checksum Integrity Verifier utility.
- If you need to collect physical evidence, include a digital camera in the toolkit.

In addition, ensure that your toolkit meets the following criteria:

- Data acquisition tools are shown to be accurate. Proving accuracy is generally easier if you use well-known computer forensics software.
- The tools do not modify the access time of files.
- The examiner's storage device is forensically sterile, which means the disk drive does not contain any data, before it is used. You can determine whether a storage device is forensically sterile by running a checksum on the device. If the checksum returns all zeros, it does not contain any data.
- The examiner's hardware and tools are used only for the computer investigation process and not other tasks.

Worksheets and Samples


The following table provides a list of worksheets and samples you can use during your computer investigation. Some of these resources are available as separate Word documents, and are included in the Microsoft Download Center file from which you extracted this guide. Others are available through a link to the Web site of the National Institute of Justice.

Table A.1. Worksheets and Samples

Document name | Location
Worksheet - Chain of Custody Log Documentation.doc | Link to the Fundamental Computer Investigation Guide for Windows on the Microsoft Download Center
Worksheet - Impact Analysis.doc | Link to the Fundamental Computer Investigation Guide for Windows on the Microsoft Download Center
Sample - Internal Investigation Report.doc | Link to the Fundamental Computer Investigation Guide for Windows on the Microsoft Download Center
Computer Evidence; Hard Drive Evidence; Removable Media | Appendix C. Sample Worksheets in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.

Reporting Computer-Related Crimes


Note: Much of the information in this section is from the Reporting Computer, Internet-Related, or Intellectual Property Crime page in the Computer Crime & Intellectual Property Section of the United States Department of Justice Web site.

You should first consult with your legal advisors to determine whether it is necessary to report specific computer-related crimes to appropriate authorities at the local, state, federal, or international level, depending on the scope of the crime. Most likely, your local or state authorities would be the first ones to contact. If it is a computer-related federal crime, then you might need to report the crime to local offices of federal law enforcement. As noted earlier, this guidance is only intended for use in the United States.


United States law enforcement agencies that investigate Internet-related crime include the following:

- Federal Bureau of Investigation (FBI)
- United States Secret Service (USSS)
- U.S. Immigration and Customs Enforcement (ICE)
- U.S. Postal Inspection Service
- Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)
- U.S. Drug Enforcement Administration (DEA)

These agencies have offices throughout the United States, and contact information is available in local telephone directories or through Internet searches. Generally, federal crimes can be reported by telephoning the local office of an appropriate law enforcement agency and requesting the Duty Complaint Agent. If the organization has joined the Electronic Crimes Task Force (ECTF), InfraGard, or the International High Technology Crime Investigation Association (HTCIA), then the appropriate contact person may already be known. Contacting someone who is known and knows your organization simplifies the reporting process. Many agencies have trained agents who specialize in computer hacker cases.

Local Law Enforcement Agencies


In some situations, the best choice is to contact a local law enforcement agency. Such agencies or high technology crimes task forces might have trained personnel who can investigate an incident. Agencies that have trained personnel include the REACT Task Force, which serves the San Francisco Bay area, the CATCH Team, which serves the San Diego region, and other police agencies. Information in the following table can help you determine which federal agency to contact for certain types of crime.

Table A.2. Law Enforcement Agencies for Different Types of Crime

Type of crime: Child exploitation and Internet fraud matters that have a mail nexus
    U.S. Postal Inspection Service
    Internet Crime Complaint Center

Type of crime: Child pornography or exploitation
    Local police agency
    Your local FBI office
    If imported, U.S. Immigration and Customs Enforcement
    Internet Crime Complaint Center

Type of crime: Computer intrusion (hacking)
    Your local FBI office
    United States Secret Service
    Internet Crime Complaint Center
    Local high technology crimes task force or police agency

Type of crime: Copyright (software, movie, sound recording) piracy
    Your local FBI office
    If imported, U.S. Immigration and Customs Enforcement
    Internet Crime Complaint Center
    Local high technology crimes task force or police agency

Type of crime: Counterfeiting of currency
    United States Secret Service

Type of crime: Identity theft or theft of customer data
    Your local FBI office
    United States Secret Service (Financial Crimes Division)
    FTC Consumer Complaint Form
    Internet Crime Complaint Center
    Local high technology crimes task force or police agency

Type of crime: Internet bomb threats
    Your local FBI office
    Local ATF field division office
    Local high technology crimes task force or police agency

Type of crime: Internet fraud and SPAM
    Your local FBI office
    United States Secret Service (Financial Crimes Division)
    FTC Consumer Complaint Form
    If securities fraud or investment-related SPAM e-mail, SEC Center for Complaints and Informant Tips
    Internet Crime Complaint Center
    Local high technology crimes task force or police agency

Type of crime: Internet harassment
    Your local FBI office
    Local high technology crimes task force or police agency

Type of crime: Password trafficking
    Your local FBI office
    United States Secret Service
    Internet Crime Complaint Center
    Local high technology crimes task force or police agency

Type of crime: Theft of trade secrets
    Your local FBI office
    Local high technology crimes task force or police agency

Type of crime: Trademark counterfeiting
    Your local FBI office
    If imported, U.S. Immigration and Customs Enforcement
    Internet Crime Complaint Center
    Local high technology crimes task force or police agency

Type of crime: Trafficking in explosive or incendiary devices or firearms over the Internet
    Your local FBI office
    Local ATF field division office

Training

Have at least some incident response team members attend formal computer investigation training. Without relevant training, it is unlikely that the team will be effective in the investigation. In fact, unskilled examiners could negatively affect the investigation by accidentally destroying volatile evidence. For a list of nonprofit agencies, organizations, Federal law enforcement agencies, and academic institutions that provide computer forensic training, see "Appendix G. Training Resources List" in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.

Tools

Every investigation will likely be different. The tools you use should be appropriate for obtaining the information you seek, but it is always a good idea to gather more evidence than you might need.


This section provides information about the Windows Sysinternals tools and other Windows tools that can help you conduct an internal computer investigation. Tool types are represented by icons in the first column of the following table:

Table A.3. Tool Types

Icon | Description
(command-line tool icon) | This icon represents a command-line tool.
(GUI tool icon) | This icon represents a tool with a GUI interface that requires installation and alters the target drive.

The following tables provide information about numerous tools that you can use in computer investigations.

Windows Sysinternals Tools


Table A.4. Windows Sysinternals Tools Information

Name | Description
AccessChk v2.0 | Display access to files, registry keys, or Windows services by the user or group you specify.
AccessEnum v1.3 | Display who has access to which directories, files, and registry keys on a computer. Use it to find places where permissions aren't properly applied.
Autoruns v8.53 | Display programs that are configured to start up automatically when a computer boots and a user logs in (also displays the full list of registry and file locations where applications can configure auto-start settings).
Autorunsc v8.53 | The command-line version of the Autoruns program (described in the previous entry).
Diskmon | Capture all hard disk activity. Acts like a software disk activity light in your system tray.
DiskView | Graphical disk sector utility; disk viewer.
Du v1.3 | Display disk usage by directory.
Filemon v7.03 | Display all file system activity in real time.
Handle v3.2 | Display open files and the process that opened those files.
ListDLLs v2.25 | Display all the DLLs that are currently loaded, including where they are loaded and their version numbers (prints the full path names of loaded modules).
LogonSessions v1.1 | List active logon sessions.
PendMoves v1.1 | Display file rename and delete commands that will be executed the next time the computer is started.
Portmon v3.02 | Display serial and parallel port activity (will also show a portion of the data being sent and received).
Process Explorer v10.2 |Display files, registry keys, and other objects that processes have open, which DLLs they have loaded, owners of processes, etc.
PsExec v1.72 | Execute processes remotely.
PsFile v1.01 | Display open files.
PsInfo v1.71 | Display information about a computer.
PsList v1.27 | Display information about processes and threads.
PsLoggedOn v1.32 | Display users logged on to a computer.
PsLogList v2.63 | Dump event log records.
PsService v2.2 | View and control services.
Regmon v7.03 | Display all registry activity in real time.
RootkitRevealer | Scan for rootkit-based malware.
ShareEnum v1.6 | Scan file shares on a network and view their security settings to eliminate improperly applied settings.
Streams v1.53 | Reveal NTFS alternate data streams.
Strings v2.3 | Search for ANSI and UNICODE strings in binary images.
TCPVcon v2.34 | Display active sockets.
TCPView v2.4 | Display all open TCP and UDP endpoints and the name of the process that owns each endpoint.
TDIMon v1.01 | Display TCP/IP information.
Tokenmon v1.01 | Display security-related activity, including logon, logoff, privilege usage, and impersonation.

Windows Tools

Table A.5. Windows Tools Information

Name | Description
Arp | Display Address Resolution Protocol (ARP) tables.
Date | Display current date setting.
Dir | Display a list of files and subdirectories.
Doskey | Display command history for an open CMD.EXE shell.
Ipconfig | Display local computer configuration.
Net | Update, fix, or view the network or network settings.
Netstat | Display protocol statistics and current connection information.
Time | Display current time setting.
Find | Search file(s) to find a string.
Schtasks | Display scheduled tasks.
Systeminfo | Provide general information about the computer.
Vol | Display the disk volume label and serial number, if they exist.
Hostname | Display the host name portion of the full computer name of the computer.
Openfiles | Query, display, or disconnect open files or files opened by network users.
FCIV | File Checksum Integrity Verifier. Use to compute an MD5 or SHA1 cryptographic hash of the content of a file.
Notepad | Use to examine metadata associated with a file.
Reg | Use to view, modify, export, save or delete registry keys, values, and hives.
Netcap | Gather network trace information from the command line.
Sc | Use to communicate with the Service Controller and services. (Sc query is useful for dumping all services and their states.)
Assoc | View or modify file name extension associations.
Ftype | View or modify file types used in file name extension associations.
Gpresult | Determine resulting set of policies.
Tasklist | List running processes and loaded modules.
MBSA | Determine security patch status and other known vulnerabilities.
Rsop.msc | Show resulting set of policies.
Rasdiag | Collect diagnostic information about remote services and place that information in a file.

Acknowledgments

The Solution Accelerators - Security and Compliance group (SA-SC) would like to acknowledge and thank the team that produced the Fundamental Computer Investigation Guide for Windows. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Authors, Contributors, and Writers
Valentine Boiarkine - Wadeware LLC
Ross Carter
Laura Chappell - Protocol Analysis Institute
Paul Cullimore
Thomas Quilty - BD Consulting and Investigations, Inc.
Paul Slater - Wadeware LLC
Ken Stavinoha

Editor
Steve Wacker - Wadeware LLC

Reviewers
John Addeo - Dimension Data
Technical Sergeant Eric Apple - Washington State Patrol
Curt Bryson - Washington Mutual
Harlan Carvey - Windows Forensics and Incident Recovery
Fred Cotton - Defense Computer Investigations Training Program
Stacia L. Jackson - Lockheed Martin Information Technology
Detective Sergeant Scott Jarmon - Washington State Patrol
Mark Menz - Digital Evidence Scientist
Mike Menz - Hewlett Packard
Martin Novak - National Institute of Justice
John Redd VII - Infinite Consulting
James Sibley - Deputy District Attorney, County of Santa Clara, CA
Detective Todd Taylor - Washington State Patrol

Reviewers (Microsoft)
Shawn Aebi, Kate Baroni, Rich Benack, Christopher Budd, Derick Campbell, Chase Carpenter, Tom Cloward, Jason Cooper, Greg Cottingham, Mike Danseglio, Charles Denny, Karl Grunwald, John Howie, Christopher Johnsen, Lesley Kipling, Troy Larson, Mark Miller, Bob McCoy, Craig Nelson, Sanjay Pandit, Alexandre Hollanda Silva, Mike Smith-Lonergan

Product Managers
Alain Meeus
Jim Stuart

Program Manager
Vlad Pigin

Release Manager
Karina Larson

Testers
Gaurav Singh Bora
Thammarai Selvi Rajendran - Infosys Technologies Ltd.
Vijayanand Senniappan - Infosys Technologies Ltd.

