Forensics Book 2: Investigating Hard Disk and File and Operating Systems. Chapter 5: Windows Forensics II

(1)

Forensics

Book 2: Investigating

Hard Disk and File and

Operating Systems

Chapter 5:

Windows Forensics II

(2)

Objectives



Understand event logs



Understand other audit events



Understand forensic analysis of event logs



Understand Windows password issues



Describe some popular Windows forensic analysis

(3)

Introduction to Windows Forensics,

Part II



This chapter:



Continues the study of Windows forensics



Covers events and event logs



Discusses password and authentication issues

(4)

Understanding Events



Whenever an event occurs, the operating system logs

the event



Event



Any occurrence that the operating system or a

program wants to keep track of or alert the user about



Some events are recorded by default



Others are recorded based on the audit configuration

maintained in the PolAdEvt registry key

(5)

Understanding Events (continued)

Table 5-1 The event logging system keeps track of different types of

(6)

Event Log File Format



Windows event log is stored in a binary format with

distinct, recognizable features



Each event log consists of a header section and a

series of event records



Event log is maintained as a circular buffer



Event log header



Contained in the first 48 bytes of a valid event log file



Consists of 12 distinct DWORD values

(7)

Event Log File Format (continued)

Table 5-2 The event log header consists of 12 DWORD values, nine of which

(8)

(9)

Vista Event Logs



Vista uses an XML format for storing events



Supports central collection of event records



XML



General-purpose specification for markup

programming languages



Allows the user to define specific elements to aid in

sharing structured data among different types of

computers with different operating systems and

applications



wevtutil command



Retrieves information about the Windows event log

that is not readily apparent via the Event Viewer

(10)

(11)

Vista Event Logs (continued)

Figure 5-2 An investigator can view configuration information

(12)

IIS Logs



Microsoft’s Internet Information Server (IIS)



Popular Web server platform



IS Web server logs are most often maintained in the

%WinDir%\System32\LogFiles directory



Each virtual server has its own subdirectory for log

files, named for the server itself



By default, the log files are in ASCII format



Are easily openable and searchable

(13)

Parsing IIS Logs



Managing and configuring IIS through the IIS

Management Console



Possible only on a system that has IIS installed and

running



By default, logging is enabled and is configured to

use the W3C Extended Log File Format setting

(14)

(15)

Parsing IIS Logs (continued)

(16)

Parsing IIS FTP Logs



FTP logs record the same fields that IIS Web logs do,

except for the following:



cs-uri-query



cs-host



cs(User-Agent)



cs(Cookie)



cs(Referrer)



sc-substatus

(17)

Parsing DHCP Server Logs



Dynamic Host Configuration Protocol

(DHCP)



Service provided by a server in which the server

assigns a client machine an IP address upon request



Microsoft server products all provide DHCP service

if it is enabled and configured



DHCP Service Activity Logs are created by the

DHCP service



Logs are stored in the following location by default:

%SystemRoot%\System32\DHCP

(18)

Parsing DHCP Server Logs (continued)

(19)

Parsing Windows Firewall Logs



When logging is enabled, Windows Firewall logs are

stored in %SystemRoot%\pfirewall.log



Stores data in the file objects.data



Located in

%SystemRoot%\System32\wbem\Repository\FS\



Windows Firewall log contains a header at the top

that describes the software and version, the time

format, and the fields

(20)

Using the Microsoft Log Parser



Powerful and versatile log-parsing tool that uses

SQL-like queries



Command to get all of the information from the

System event log:

(21)

Using the Microsoft Log Parser

(continued)

Figure 5-3 An investigator can feed SQL-like queries to Log

(22)

Evaluating Account Management

Events



Account management category of events



Records changes to accounts and group membership



Includes:



Creation, deletion, and disabling of accounts



Modifying which accounts belong to which groups



Account lockouts and reactivations



Various event IDs are associated with changes to

(23)

Evaluating Account Management

Events (continued)

(24)

Interpreting File and Other

Object-Access Events



Object-access audit category



Allows administrators to configure the event logs to

record access to various objects on the system



Access attempts are recorded in the event logs using

three different event IDs: 560, 567, and 562



When a process needs access to some object, it first

opens a handle to that object



Handle is simply a shorthand way of referring to an

object

(25)

Examining Audit-Policy Change Events



Attackers will frequently attempt to disable auditing



Modifications to the audit policy are recorded as event

ID 612 entries



In the audit policy



+ symbols indicate which events are being audited



– symbols show which events are not being audited



Audit policy of the domain controller takes

precedence over changes made to the local audit

policy on an individual computer

(26)

Examining System Log Entries



System event log



Records events relating to system behavior, including:



Changes to the operating system



Changes to the hardware configuration



Device driver installation



Starting and stopping of services



Whenever a service is started or stopped, the Service

Control Manager sends a stop signal to the service

(27)

Examining Application Log Entries



Application event log



Contains messages from both the operating system

and various programs



Many utilities send messages to the Application log



Especially antivirus and other system-protection

programs



Virtual Network Computing (VNC)



Allows remote connections



VNC application records connections to the VNC

server, with the IP and port from which the

(28)

Using EnCase to Examine Windows

Event Log Files



EnCase parses Windows event log files by means of

an EnScript



EnScript is provided in the Sweep Case series



EnCase does not rely on the Windows API to process

the event logs



EnCase can process event logs that are reported as

“corrupt” by those viewers that rely on the Windows

API

(29)

Using EnCase to Examine Windows

Event Log Files (continued)

Figure 5-4 EnCase allows an investigator to find the event log

(30)

(31)

Windows Event Log File Internals



Windows event log files



Databases with the records related to the system,

security, and applications



Stored in separate files named SysEvent.evt,

SecEvent.evt, and AppEvent.evt, respectively



Stored in the %SystemRoot%\system32\config folder



Each file has a header, a floating footer of sorts, and

records



To keep the files from becoming fragmented, the

operating system may allocate large contiguous

cluster runs to the event log files

(32)

Repairing Corrupted Event Log

Databases



Log file will be reported as corrupt when:



The four critical fields appearing in both the header

and the floating footer are out of sync



The file status byte is a value other than 0x00 or 0x08



If a file is reported as corrupt, an investigator can

use a hex editor to repair the file status byte



The next step in the repair process: synchronize the

four critical fields in the header with the current

values found in the floating footer

(33)

Repairing Corrupted Event Log

Databases (continued)

Figure 5-6 An investigator needs to copy this 16-byte string when repairing a

(34)

Repairing Corrupted Event Log

Databases (continued)

(35)

Repairing Corrupted Event Log

Databases (continued)

(36)

Understanding Windows Password

Storage



Windows systems store their user and password

data in one of two places:



Security Account Manager (SAM) file



Active Directory



SAM file is located in the

%SystemRoot%\System32\Config folder



File exists as a registry hive file



Active Directory database information resides on the

(37)

Hashing Passwords



Password is run through a specific algorithm that

converts the password into a numeric value



This value, called the hash value or simply the hash of

the password, is then stored in lieu of the actual

password



Hashing algorithm



Also called hash function



Group of algorithms called one-way functions



Whenever a particular password is used as the input

to the function, it will always generate the same hash

value



Likelihood of two separate passwords generating the

same hash value is low

(38)

Hashing Passwords (continued)



Authentication steps:



User first selects a password



System calculates the password hash value



System records the resulting hash value along with

the account name in the SAM or ntds.dit file



When a user attempts to authenticate



System takes the password that the user provides

during the authentication attempt, runs it through the

hash function, and compares the resulting hash value to

the hash value stored in the password file

(39)

Hashing Passwords (continued)



Windows hash functions



Modern Windows operating systems mainly use two

different hash functions



NT LanMan (NTLM) hash

(40)

Cracking Windows Passwords Stored

on Running Systems

(41)

Exploring Windows Authentication

Mechanisms



Windows systems use one of three main types of

authentication mechanisms to access remote

computers:



LanMan authentication



NTLM authentication



Kerberos

(42)

LanMan Authentication



Relies on a hash to determine whether a remote user

has provided a valid username/password

combination



LanMan hash is never actually sent across the

network during an authentication session



Attack methods



Replay attack



Attacker copies the authentication message as it crosses

(43)

LanMan Authentication (continued)

Figure 5-11 The actual LanMan hash is never sent over the

(44)

LanMan Authentication



Attack methods (continued)



Known plain-text attack



Attacker knows both the encrypted form of a

communication and the original message that was

encrypted



LanMan authentication mechanism starts to break

down when the complexity (or lack thereof) of its

key is examined

(45)

NTLM and Kerberos Authentication



More secure than its predecessor



Hash is calculated across the entire case-sensitive

password



Resulting in a 16-byte hash



Hash is created using the MD4 hash algorithm



Changes make the NTLM password less susceptible

to brute-force cracking



Main problem



When a client uses the NTLM authentication, the

client also sends the LanMan hash as part of the

authentication communication

(46)

NTLM and Kerberos Authentication

(continued)

(47)

NTLM and Kerberos Authentication

(continued)



Kerberos



Secure option available to Windows computers



Relies on a system of security, or access, tickets that

are issued by computers designated as ticket-granting

authorities



Microsoft implementation still uses the NTLM hash

as a starting point for identifying that a user knows

the correct password



Verification of the user’s identity takes place

(48)

Sniffing and Cracking Windows

Authentication Exchanges



Authentication takes places whenever a process on

one system attempts to access a resource on another

system



When a process needs to access a remote system



Attempts to authenticate to the remote system by

providing the credentials for the account whose

security context it is using



When the user selects a share existing on another

(49)

Sniffing and Cracking Windows

Authentication Exchanges (continued)



Sniffing



If an attacker controls that remote system, or if the

attacker is able to monitor communication between

the victim system and the remote system



Attacker can potentially sniff the authentication

attempt and use it to crack the user’s password



Cain and Abel



Cain has many different capabilities



Among them is a network sniffer that is designed to

look for passwords exchanged during various types of

authentication exchanges

(50)

Cracking Offline Passwords



Certain tools can extract password data from the

SAM files of computers



Encrypting File System (EFS)



Allows data to be stored on a disk in an encrypted

format automatically without manual action by the

user



One way to recover files encrypted with EFS



Crack the passwords of the users’ accounts

(51)

Tool: Helix



Helix



Customized distribution of the Knoppix Live Linux

CD



Designed not to touch the host computer in any way



Forensically sound



Will not automatically mount swap space or any

attached devices

(52)

Tools Present on Helix CD for Windows

Forensics (continued)



Tools on the Helix CD for Windows forensics

include:



Windows Forensics Toolchest (WFT)



Incident Response Collection Report (IRCR2)



First Responder’s Evidence Disk (FRED)



First Responder Utility (FRU)



Security Reports (SecReport)



MD5 Generator

(53)

Tools Present on Helix CD for Windows

Forensics (continued)

Figure 5-13 Helix provides a variety of different

(54)

Tools Present on Helix CD for Windows

Forensics (continued)

(55)

Tools Present on Helix CD for Windows

Forensics (continued)

Figure 5-15 Helix provides a forensic investigator

(56)

Tools Present on Helix CD for Windows

Forensics (continued)



Helix Tool: SecReport



Comprises two command-line utilities



SecReport collects security information from a

Windows-based system



Delta compares the results of SecReport, either from

any two systems or from the same system at two

different times



Helix Tool: Windows Forensics Toolchest (WFT)



Collects security information from a Windows system

and provides an automated incident response

(57)

Tools Present on Helix CD for Windows

Forensics (continued)

(58)

Tool: Sigverif



Built-in Windows tool that searches for unsigned

drivers on a system



After Sigverif is finished running its check



A list of all unsigned drivers installed on the computer

is displayed



The investigator can find the list of all signed and

unsigned drivers found by Sigverif in the Sigverif.txt

file in the %Windir% folder, typically the Winnt or

Windows folder

(59)

Tool: Word Extractor



Hacking tool that extracts human-understandable

words from binary computer files



Hacking tool that extracts human-understandable

words from binary computer files



Some features of Word Extractor:



Replaces nonhuman words with spaces or dots for

better visibility



Supports drag and drop and text wrapping



Saves results as text or RTF files

(60)

(61)

Tool: RegScanner

Figure 5-18 RegScanner shows all of its search results in

(62)

Tool: PMDump



Dumps the memory contents of a process to a file

without stopping the process



PMDump stands for Post-Mortem Dump



Investigator can save the dump information to a

(63)

Tool: System Scanner



System Scanner



Extracts information about processes, including the

IDs of all the threads and handles to DLLs



Provides the ability to suspend specific threads of a

specific process and to view a process’s virtual

memory



Shows all the processes currently running on the

system, the number of threads per process, and the

executable path of each process



List is updated every five seconds by default, but this

is configurable

(64)

(65)

Tool: X-Ways Forensics



Provides a forensic work environment



Some features of X-Ways Forensics:



Disk cloning and imaging, including under DOS



Examining the complete directory structure inside

raw image files, even spanned over several segments



Native support for FAT, NTFS, ext2, ext3, CDFS, and

UDF



Built-in interpretation of RAID 0 and RAID 5 systems

and dynamic disks



Viewing and dumping physical RAM and the virtual

memory of running processes

(66)

(67)

Tool: Traces Viewer

Figure 5-21 Traces Viewer can remove all Web traces, including cookies,

(68)

Tool: PE Builder



Creates a bootable Windows CD-ROM that creates a

BartPE (Bart Preinstalled Environment)



Offers a complete Win32 environment with network

support; a GUI; and FAT, NTFS, and CDFS support



Investigator can use this tool to perform analysis of a

(69)

Tool: Ultimate Boot CD-ROM



Allows an investigator to run floppy-based

diagnostic tools from CD-ROM drives



Without the need for an operating system



Tool has over 100 diagnostic and system

management utilities



Types of tools include:



CPU tester



Memory tester



Peripheral tools



CPU information tools



Hard disk tools

(70)

Tool: Ultimate Boot CD-ROM

(continued)

(71)

Summary



A DHCP server dynamically assigns IP addresses

upon a client machine’s request



Windows Firewall logs are stored in

%SystemRoot%\pfirewall.log



Several registry values and settings could impact the

forensic analysis



Modifications to audit policy are recorded as event

(72)

Summary (continued)



The Application event log contains messages from

the operating system and various programs



SAM files are located in the

%SystemRoot%\System32\Config folder



Passwords are run through a specific hash algorithm