
Sunday, September 12, 2010

Computer Forensic Analysis - The Series

This posting is not completed yet. Think of it as a preview.

Recently, a friend of mine sent me a job posting for a computer forensics analysis position. Now, I don’t currently do, nor have I ever done, this type of work professionally. However, I have done this type of work “academically” or at home for personal “enrichment”. So, I do have the experience and knowledge to perform these types of activities. The job posting “sparked” an idea in my head, that maybe I should post a blog entry about system analysis and investigation into an attack. I can’t really post it all in one blog entry, so this might be a series or something. (Time permitting in my personal life.) Today, I figured I would cover the top level kind of stuff.

Now, before I start, I will say that normally I would have used the Backtrack LiveBoot CD or the OWASP toolkit to perform this analysis. This posting isn’t going to use those.....why? Well, the job posting asked for experience with Helix. I’ve never used Helix…. So what better reason to learn about it. Also, I think I’m going to focus on Windows-based analysis.


I started my day (for this blog entry) trying to find a copy of Helix. Turns out, in 2008, the publisher of that distribution made it “commercial only” and wants ~$240 for Helix Pro. That’s pretty reasonable, but I’m not going to buy it just to blog about it. So, I did more searching and found the last free distribution ISO, Helix2008R1 (https://kinqpinz.info/library/h/#00f87509). Ok, the site looks “shady”…so I did do some virus scanning and validation on the ISO. I should note that my AV system went crazy with this distribution. It claims there are viruses in a number of the components of this ISO. I have found clean copies of the components that were infected, so I’m pretty sure the virus identifications are correct vice being “false positives”. Secondly, my AV software doesn’t like that a lot of the tools are “Security Assessment Tools” and blocks them….. So, I had to move to a VM just to build a “clean” and updated distribution of the Helix suite. I’m going to refer to my “custom build” as HelixCustom. I've updated a bunch of the SysInternals tools, fixed the "Virus Infected" libraries, and added a few things to the distribution.

Now, since I’m doing this Windows-based approach, my VM is a Windows 7 x64 image. It was out of date, so I spent like 2 hours installing updates. With that out of the way, I took a clean snapshot of it and turned off the virus protection……. (oh no!!!!!). Yes, I had to turn off the virus protection to build the “clean” distribution of HelixCustom. I’ll scan my custom ISO after I’m complete on a different system to verify its integrity.

Responding to an Incident

There are defined steps one must take when responding to a “potential” attack. If you are responding in a legal capacity, there are extra steps you must take to protect the evidence chain and make the data admissible in court. I’m not in law enforcement….. I do have a number of friends that are, but I don’t really want to add to the complexity of this blog posting. We are going to focus on just how to solve/investigate your incident.

NOTE: If you are a corporate IT guy and are looking to do some collection before informing Law Enforcement of a known breach…. DON’T! You will corrupt the scene. Call them now and let them respond. You may overwrite data that they can use.

RFC 3227 - Guidelines for Evidence Collection and Archiving defines the “best practices” for general digital evidence collection. Collection is ordered by the volatility of the data, so memory is generally regarded as the first thing to collect.

Capture Memory
(Preference: WinDD)
The first step in responding to an incident is to dump the physical memory. Computers these days have gigabytes of memory, and it is very important to preserve what is currently resident in memory before proceeding. As you respond to the situation, memory may be overwritten or lost, so it is best to dump the memory as your first step.

In Windows, you can use WinDD (from the MoonSols Windows Memory Toolkit - http://www.moonsols.com/); if you have a Helix distro, use DD.exe or mdd (Mantech Memory Dump), HBGary FastDump Pro, Nigilant32, or other means. I will note that WinDD was probably the easiest, especially on Win64 based platforms since they require signed drivers.

Obtain Relevant System Details
Using the Helix3 distro, launch cmdenv1.bat. This will set up your directory path to use the Helix trusted executables.

Capture Date and Time
Standard ways to get that would be date /t and time /t

11:52:10.59 D:\IR> date /t
Sun 09/12/2010

11:52:13.55 D:\IR> time /t
11:52 AM

Derive Hostname
Using the hostname command
11:52:16.78 D:\IR> hostname
CraigLaptop-PC

Derive Your Current Identity
Using the whoami command
11:53:03.93 D:\> whoami
Craig

Derive OS Version
Using the ver command
11:55:10.12 D:\> ver
Microsoft Windows [Version 6.1.7600]

Determine IP Interfaces and Their Active Modes
To get the interface IP addresses in use, run iplist
DiamondCS IP Enumerator v1.0 (www.diamondcs.com.au)
#         ADDRESS       BROADCAST       NETMASK
403574956 172.16.14.24  255.255.255.255 255.255.255.0
28682432  192.168.181.1 255.255.255.255 255.255.255.0
25798848  192.168.137.1 255.255.255.255 255.255.255.0
20490432  192.168.56.1  255.255.255.255 255.255.255.0
16777343  127.0.0.1     0.0.0.0         255.0.0.0
5 interfaces found.

12:36:25.73 D:\>

To determine their active modes, use promiscdetect

PromiscDetect 1.0 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu) - http://ntsecurity.nu/toolbox/promiscdetect/

Adapter name:

 - PCI-E Gigabit Ethernet Controller

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:

 - VirtualBox Host-Only Ethernet Adapter

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:

 - RemoteControl USB LAN LINK

Warning: Cannot open the adapter

Adapter name:

 - Intel(R) WiFi Adapter

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

12:37:05.69 D:\>
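
The run above reports only Directed, Multicast and Broadcast filters, plus one adapter the tool could not open, so that adapter's mode is unverified rather than clean. As an added example (not part of the original post or of PromiscDetect), this Python parser reads saved promiscdetect output and separates adapters reporting a promiscuous filter from adapters whose mode could not be read. The "Example Sniffing Adapter" entry and the "Promiscuous" filter label are assumptions.

```python
# Constructed sample in the layout shown above (blank lines dropped for brevity).
# The last adapter is NOT from the post: it is added to show a sniffing interface,
# assuming the tool labels that filter with the word "Promiscuous".
SAMPLE = """\
Adapter name:
 - PCI-E Gigabit Ethernet Controller
Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)
Adapter name:
 - RemoteControl USB LAN LINK
Warning: Cannot open the adapter
Adapter name:
 - Example Sniffing Adapter
Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Promiscuous (capture all packets on the network)
"""

def parse_promiscdetect(text):
    """Return one dict per adapter: name, filter names, and an unreadable flag."""
    adapters, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Adapter name:":
            adapters.append({"name": None, "filters": [], "unreadable": False})
            section = "name"
        elif line.startswith("Active filter"):
            section = "filters"
        elif line.startswith("Warning: Cannot open") and adapters:
            adapters[-1]["unreadable"] = True
        elif line.startswith("- ") and adapters:
            if section == "name":
                adapters[-1]["name"] = line[2:]
            elif section == "filters":
                # Keep only the filter name, dropping the "(...)" description.
                adapters[-1]["filters"].append(line[2:].split(" (")[0])
    return adapters

def triage(adapters):
    """Return (adapters in promiscuous mode, adapters whose mode is unknown)."""
    sniffing = [a["name"] for a in adapters if "Promiscuous" in a["filters"]]
    unknown = [a["name"] for a in adapters if a["unreadable"]]
    return sniffing, unknown

if __name__ == "__main__":
    print(triage(parse_promiscdetect(SAMPLE)))
```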

Obtain System Uptime
I like to use uptime and psinfo. Psinfo provides a better level of granularity and a bit more info.
12:58:27.29 D:\> uptime
Unknown HZ value! (-1868102526) Assume 100.
 12:58:38 up  4:23,0 users,load average: 0.00, 0.00, 0.00

12:58:38.19 D:\> psinfo -h -d

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\CRAIGLAPTOP-PC:
Uptime:                    0 days 4 hours 23 minutes 38 seconds
Kernel version:            Windows 7 Professional, Multiprocessor Free
Product type:              Professional
Product version:           6.1
Service pack:              0
Kernel build number:       7600
Registered organization:   Microsoft
Registered owner:          Microsoft
IE version:                8.0000
System root:               C:\Windows
Processors:                2
Processor speed:           2.2 GHz
Processor type:            Intel(R) Core(TM)2 Duo CPU     P8400  @
Physical memory:           2940 MB
Video driver:              Mobile Intel(R) 4 Series Express Chipset Family
Volume Type  Format Label Size       Free        Free
C: Fixed     NTFS         290.07 GB  191.63 GB  66.1%
D: CD-ROM    CDFS   HC    701.76 MB              0.0%
E: Removable                                     0.0%

Installed     HotFix
n/a           Internet Explorer - 0

12:58:45.82 D:\IR>

You can also use DumpWin (http://www.niiconsulting.com/innovation/tools.html#sysinfo) for this; however, DumpWin has a lot of other features and can be better used at other steps.

Determine Active Logged On Sessions
You can do this a bunch of ways. I’m going to use netusers and psloggedon.

13:38:40.59 D:\> netusers /l /h /v

--------------------------------------------------------
History of users logged on locally at CRAIGLAPTOP-PC:    Last Logon:
--------------------------------------------------------
CraigLaptop-PC\Craig                                     2010/09/12 11:10
--------------------------------------------------------
The command completed successfully.

13:38:53.81 D:\> psloggedon
PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     9/12/2010 8:36:22 AM       CraigLaptop-PC\Craig

Users logged on via resource shares:
     9/12/2010 1:39:21 PM       (null)\Craig

13:39:24.95 D:\>

Also, running logonsessions -p will provide active data about current sessions and the processes these sessions are running. The output of this is a bit long, so I’m not going to show it.
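
An added example, not from the original post: cross-checking the psinfo uptime against the psloggedon session times, using the values shown in the output above. The function names are illustrative, and the prompt timestamp is taken as the moment psinfo was started.

```python
import re
from datetime import datetime, timedelta

# Values copied from the command output shown in this post.
CAPTURE_DATE = "09/12/2010"                      # from `date /t`
PROMPT = r"12:58:38.19 D:\> psinfo -h -d"        # timestamped prompt line
PSINFO_UPTIME = "Uptime:                    0 days 4 hours 23 minutes 38 seconds"
PSLOGGEDON = """\
Users logged on locally:
     9/12/2010 8:36:22 AM       CraigLaptop-PC\\Craig

Users logged on via resource shares:
     9/12/2010 1:39:21 PM       (null)\\Craig
"""

def boot_time(capture_date, prompt, psinfo_uptime):
    """Boot time = wall-clock time psinfo was run minus the uptime it reported."""
    clock = re.match(r"(\d{1,2}:\d{2}:\d{2})\.\d+", prompt).group(1)
    captured = datetime.strptime(f"{capture_date} {clock}", "%m/%d/%Y %H:%M:%S")
    d, h, m, s = map(int, re.search(
        r"(\d+) days (\d+) hours (\d+) minutes (\d+) seconds", psinfo_uptime).groups())
    return captured - timedelta(days=d, hours=h, minutes=m, seconds=s)

def sessions(psloggedon_text):
    """Return (kind, start, account) for each session psloggedon lists."""
    out, kind = [], None
    for line in psloggedon_text.splitlines():
        if line.startswith("Users logged on locally"):
            kind = "local"
        elif line.startswith("Users logged on via resource shares"):
            kind = "share"
        m = re.match(r"\s+(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(\S.*)", line)
        if m and kind:
            start = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            out.append((kind, start, m.group(2).strip()))
    return out

def offsets(boot, sess):
    """Seconds from boot to each session start; a negative value means the
    session claims to predate boot, so the clocks or the tools disagree."""
    return [(kind, acct, int((start - boot).total_seconds()))
            for kind, start, acct in sess]

if __name__ == "__main__":
    boot = boot_time(CAPTURE_DATE, PROMPT, PSINFO_UPTIME)
    print(boot, offsets(boot, sessions(PSLOGGEDON)))
```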

NOT COMPLETE YET
I know..... I still have to complete this posting. As of Sept-30-2010... I haven't found the time to sit down and finish this one up. I really do plan on doing it. Maybe this weekend :-).... It's really interesting stuff.....just the personal/family time stuff takes up my "nerd posting time"....
