Chapter 9
Windows
2
9
:
, - - . , , , ( , ) . : , . ( , , ). , ? , . , . (EnCase, FTK, ProDiscover . .) . , , , , , , . , , , . , , , . ( , ) , .
. ( ), , , , MAC ( , ) ( ) . , , . , , , , EnCase, , . , , , , .
3
, / , , . , , . ., . , , . - , . , . , , , , - , . , , , Perl. , Perl , , , . . , Perl , , - SQL- , . , , . , RegRipper (www.regripper.net). , , Perl, , Perl-. , Perl , , , Python. (Dave Roth) Perl. , , . , , , . , , , , . , - , , , . ! , . ( ), . , , , , , . , , , . , , , , - . , , ( ) . , , ,
4
; , . . , , . , , , , . ( ) , , , . , , ( ) . , , ( , ?), . . , , , , . , , - , - . ( ), , , , . , , , ? ? , , - , ? , , ? , , - . , ? , . , , . , , -, , SQL-. -. - IIS (Internet Information Server) Microsoft, Microsoft SQL Server, xp_cmdshell -, -. , , ProDiscover, -, xp_cmdshell -. : intrusion_20081030 ProDiscover 5.0.
-, . xp_cmdshell - (
), ProDiscover; ex081002.log ex081003.log.
. , , , . , (xp_cmdshell), ( ProDiscover 5.0), ( ). , , . ? ?
5
, ? ? grep (Search) Windows (, FTK Imager, (Start), (Search) (For Files and Folders))? ? , , ? , ; , , . , , . . , . , . , , , , , , . . -, ; . , , Windows, Security. , . , . SAM , NTUSER.DAT . , , . , , , Microsoft, . , , , , Forensic CaseNotes QCC Information Security (www.qccis.com/?section=casenotes). Forensic CaseNotes . , . , CaseNotes , , , . 9.1.
6
. 9.1. Forensic CaseNotes
. . 9.1 . (Exhibit List). , , . . (Hours). , , ; . . , (Analysis). , . , . , , , . CaseNotes , ( , . .) . , , , - , , . , , , . . ? . . , , , Microsoft , ( ); , , , . .; , , , , . , , . , , CaseNotes , . , CaseNotes , , CaseNotes, , .
7
NoteCase (http://notecase.sourceforge.net). NoteCase , , . -, , Microsoft Word. Microsoft Word; , (Adobe) (PDFCreator) PDF. , CaseNotes, Microsoft Word Excel, Excel . , . . , - . ? , ( ) , (, ) , , , , . . ? , , . , , , . , , , , . , , . dd dd , , . dd Linux/UNIX, ( , http://linuxreviews.org/man/dd) . , ; . dd, - (George M. Garner, Jr.), Windows Forensic Acquisition Utilities (http://gmgsystemsinc.com/fau). , ( ), , -, .
8
dd , , dd, , dd . , , . - , , , dd (SUSE Linux 9), . , (dd, split . .) . dcfldd (http://dcfldd.sourceforge.net) dd, Windows. dcfldd (Nick Harbour). - Sourceforge, dcfldd, GNU dd , , , . . , ( - , ), , . dd , . . , , ( , , . .), ( ) . , , ( ) . ? , , dd, , . . . -, , . , , , , , : ?. , , , . , , , ,
9
. - ; ( ) . -, , , , , , . . FTK Imager FTK Imager, FTK Imager Lite, AccessData.com (www.accessdata.com). FTK Imager Lite FTK Imager, - -. - AccessData.com , FTK Imager, - -. , FTK Imager . , EnCase, EnCase ( ), .E0x FTK Imager , dd. , FTK Imager , SUSE Linux 9 ReiserFS. , FTK Imager , , - Windows , USB ( / ). FTK Imager .vmdk VMware. , , VMware, , . , , .vmdk ( .vmem, ) . FTK Imager (Add an Evidence Item), , (Create Disk Image), .vmdk ( .E0x) dd, SMART .E0x. , .vmdk , , , . , , -, , . , . , - , , , , ? , . , , , . , , .
10
CFReDS (NIST). - Hacking Case (www.cfreds.nist.gov/Hacking_Case.html) dd, , EnCase EWF ( Expert Witness; Expert Witness EnCase) , . , , Digital Forensics Tool Testing (http://dftt.sourceforge.net), (Brian Carrier). , , , , . (Lance Mueller) ForensicKB.com (www.forensickb.com/search?q=practical). (~400 ), Windows XP, .E0x/EWF. EnCase, : FTK Imager dd EWF-. , . , - , , . , , -, , . . ( , . .) . The SleuthKit The Sleuth Kit (TSK; www.sleuthkit.org) Autopsy Forensic Browser. TSK , -. TSK Windows; Autopsy Forensic Browser Windows ( Windows, Cygwin). TSK Windows , Linux, . -, , , . , -, , , : [] 1 2 3
11
FTK Imager, -. FTK Imager , , , , EnCase Guidance Software. type Windows, , :
D:\images>type image.001 > image_all.img
D:\images>type image.002 >> image_all.img
D:\images>type image.003 >> image_all.img
TSK , dd, EWF (. . Expert Witness/EnCase) AFF (www.sleuthkit.org/sleuthkit/desc.php). fls.exe ( 3 TSK) Windows (dd), EWF , :
D:\tools\tsk>fls -i list
Supported image format types:
raw (Single raw file (dd))
ewf (Expert Witness format (encase))
split (Split raw files)
- SleuthKit - , , . , (http://wiki.sleuthkit.org/index.php?title=FS_Analysis) (http://wiki.sleuthkit.org/index.php?title=Timeline) TSK. , - TSK (http://wiki.sleuthkit.org/index.php?title=Main_Page). TSK dls -. -:
dls -A image.dd > unalloc.dls
- , grep , , , IP- . -:
fsstat -f ntfs image.dd
fsstat , -. , Windows XP :
FILE SYSTEM INFORMATION
-----------------------------------------
File System Type: NTFS
Volume Serial Number: 98B0A679B0A65D8E
12
OEM Name: NTFS
Version: Windows XP
, fsutil.exe. , ( ), fsstat.exe, :
C:\>fsutil fsinfo volumeinfo C:\
C:\>fsutil fsinfo ntfsinfo C:
; . , TSK fls.exe (http://wiki.sleuthkit.org/index.php?title=Fls), , mactime.pl. , -, :
D:\tools\tsk>fls -m c: -r d:\cases\xp\xp.001
-m ( C:\). , , mactime.pl ex-tip ( , (Michael Cloppert); https://www2.sans.org/reading_room/whitepapers/forensics/32767.php), . , fls.exe TSK, mactime.pl ex-tip, , . , , . , , , Windows, ( , ), ( ex-tip McAfee OnAccessScan, , setupapi.log . .). , , ( - TSK fls.exe). , , , ex-tip, , , , . , , Zeitline (http://projects.cerias.purdue.edu/forensics/timeline.php).
13
TSK PDF- CyberGuardians (www.cyberguardians.org/docs/ForensicsSheet.pdf). - Sourceforge Selective File Dumper Windows, FUNDL ( File Undeleter, . ) TSK (http://sfdumper.sourceforge.net/fundl.htm). . . , . , , , (. . dd), , . . 2008 Technology Pathways ProDiscover 5.0, EWF. DFRWS 2008 (Michael Cohen) PyFlag Windows. 2008 Sleuthkit, , Windows. ( , Autopsy Forensic Browser ( Cygwin- )) dd, EWF ( libewf) AFF ( afflib; www.afflib.org). PyFlag DFRWS 2008 (Michael Cohen) Windows PyFlag (www.pyflag.net/cgi-bin/moin.cgi/PyFlagWindows). PyFlag PyFlagWindows WinPyFlag. , . PyFlag Linux, PyFlag , Windows. PyFlag Windows - PyFlagWiki FlagHTTPServer.py, , - http://127.0.0.1:8000. . 9.2 PyFlag, Firefox Windows.
14
. 9.2. PyFlag Firefox Windows.
PyFlag , , Linux. PyFlag TSK -, . PyFlag Volatility, . DFRWS 2008 (www.dfrws.org/2008/rodeo.shtml) PyFlag , ( , -), , . ProDiscover Basic ProDiscover , , 3; 2008 . , Windows, , , , . , , , ProDiscover. (Chris Brown), Technology Pathways Computer Evidence: Collection and Preservation, (Basic) ProDiscover. Basic , . ProDiscover , -, . , , ProDiscover, , , pds-. .pds
15
, . pds-, ( FTK Imager, ). - , - , , . ( ) - ( , , , -, . .) . , (SmartMount ASRData Mount Image Pro GetData), Virtual Disk Driver (VDK; http://chitchat.at.infoseek.co.jp/vmware/vdk.html), . VDK , - . VDKWin (http://petruska.stardock.net/Software/VMware.html), . 9.3, , , .
. 9.3. VDKWin.
VDKWin ( ) vdk.sys, ? , , ;
16
, ( ), , -, ( , ). , - , , , , , , , . IMDisk ( 1.1.3 5 2008 , . www.ltr-data.se/opencode.html), , , . . 9.4 IMDisk, (H:\) .
. 9.4. IMDisk, H:\.
Microsoft ( ) , Virtual CD-ROM Control Panel for XP. Windows XP -, .iso ( CD- DVD-) .
, - Microsoft (http://msdn.microsoft.com/en-us/subscriptions/aa948864.aspx; ), RaDaJo (http://radajo.blogspot.com/2006/09/mounting-cddvd-iso-imagesin-windows.html) help.net (http://weblogs.asp.net/pleloup/archive/2004/01/15/58918.aspx).
17
, . (, INFO2 Windows, 5), . , , , . , . , - , - . (Jesse Kornblum) MD5Deep (http://md5deep.sourceforge.net), - MD5 , - SHA-1, SHA-256, Tiger Whirlpool. , , . - , , , , , . - VirusTotal (www.virustotal.com) , . , , , -, . , . ssdeep (http://ssdeep.sourceforge.net), -. , . , , , 9899 . , , . , , . , , Perl-, , , , / , . , , Windows XP Vista (. 5). UltraEdit (www.ultraedit.com), , . ( , Perl- , ), .
18
Perl, , . , UltraEdit, , , . , :
Cygnus Hex Editor Free Edition (www.softcircuits.com/cygnus/fe)
XVI32 (www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm)
Free Hex Editor Neo HDD Software (www.hhdsoftware.com/Products/home/hex-editor-free.html)
HexEdit (www.physics.ohio-state.edu/~prewett/hexedit)
, , , , , . , (http://en.wikipedia.org/wiki/Comparison_of_hex_editors) , , , . , , , , , , - ( ). , , . (, , , ( )) . , , , , . , , , ( ) , . , , , . , , - , , , . , , , , , . , , , , (, Microsoft SQL Server TCP- 1433, ) . , ,
19
. , , . , , . , ( , ) . , , . , 2008 Microsoft , MS08-067 (http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx) Windows Server. Windows XP , , , , , , , . , , , , , . , LiveView (http://liveview.sourceforge.net) (, LiveView, ), , , , . , Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx) Microsoft, , . . , , , . , Nmap (www.Nmap.org). , Nmap , Zenmap Nmap . , Nmap , Nmap. , , fe3d (http://projects.icapsid.net/fe3d), , Nmap . , Nmap Perl-, Nmap::Scanner, Nmap::Parser Nmap::Parser::XML. Nmap, (. . . .) .
20
. , , . Nessus (www.nessus.org/nessus) Sara (www-arc.com/sara), Nessus . 100 (http://sectools.org) . , , . , : , - , . Windows Wireshark (www.wireshark.org) NetworkMiner (http://sourceforge.net/projects/networkminer). . Wireshark 1.0.3 Windows. Wireshark ( ), . . 9.5 Wireshark.
. 9.5. Wireshark 1.0.3.
Wireshark, , TCP-. , Wireshark, (Analyze) TCP- (Follow TCP Stream) . Wireshark , TCP. , ( ). , -, , , . Wireshark UDP- SSL-.
21
, , . - , ; , , . , , - . . -, , IP- . (1) , ( IP-), (2) , , , ( tcpvcon.exe, netstat.exe , ), . -, ( TCP) , . , (. . , ). Wireshark (Statistics), , , . , . . , , , , . Wireshark, , tshark, tcpdump dumpcap. - Wireshark, , , . , tcpdump 68 , . windump (www.winpcap.org/windump), , tshark dumpcap, . NetworkMiner 0.85 () Windows. NetworkMiner - Sourceforge Windows, , PCAP. , NetworkMiner , .
22
NetworkMiner . . 9.6, NetworkMiner ( , , . .) .
. 9.6. NetworkMiner 0.85 ().
Linux tcpxtract (http://tcpxtract.sourceforge.net) (Nick Harbour), , . Tcpxtract . tcpxtract Windows, NetworkMiner . NetworkMiner - Sourceforge , . NetworkMiner , p0f (http://lcamtuf.coredump.cx/p0f.shtml), , , ( Nmap). . 9.7 , NetworkMiner , , .
. 9.7. NetworkMiner, ,
. ( ) PacketMon (www.analogx.com/contents/download/network/pmon.htm). , PacketMon , , Wireshark NetworkMiner, , . ( , ), , ngrep (http://ngrep.sourceforge.net/download.html), grep, , . ; , , . , ,
23
. , , , , , , . tcpdump, , dd , - .
2008 NetWitness Investigator, http://download.netwitness.com/download.php?src=DIRECT. Investigator, .pcap, , . Investigator NextGen , . , . Snort , , Snort (www.snort.org). (). Snort, , , , . Snort , ( ), , , . Snort .pcap , , ngrep , , . , . , . , , , , , , . Snort ( , ), , , , . , , , , . ; ,
24
, (, . .), . ASCII Unicode Windows, , . . , . , SessionManager, Session Manager. , , Windows NT, WindowsNT. , . , ASCII Unicode. DWORD (4 ), , . DWORD 0 , , 1. - . , . , , , . , , , , , . ( , FTK X-Ways Forensics, ), . - GNU utilities for Win32 (http://unxutils.sourceforge.net). UNIX- , , UNIX, Windows. . , grep Windows. , , grep for Windows; Sourceforge (http://gnuwin32.sourceforge.net/packages/grep.htm), InterLog (http://pages.interlog.com/~tcharron/grep.html). . , , , , . , SB-1386 , Visa. , . , , . Spider (www.cit.cornell.edu/security/tools),
25
( , - . .) , . Spider , . ccsrch (http://sourceforge.net/projects/ccsrch). csrch Windows, , . (PAN) , , . ccsrch, , , , . , : (www.regular-expressions.info); (http://en.wikipedia.org/wiki/Credit_card_number); (www.regular-expressions.info/creditcard.html). , , , . , , . , , , , , 16 , , (. . , , ), , , . , , , , , . ( ), , . , , . , : , Perl-. , , , . , , .
26
.
, , ( ) .
- . ( , ).
,
, . , , , .
, . , . .
: , . ? : , . . , , , . ? , (. . ) , ? IIS-, , SQL-? , , ; , Perl-, Log Parser Microsoft. : ? : , (IP-), , , ( , , ) . , .
27
: (. . , , ), ? ? : . , , , PyFlag.
28
2 3 7 7 dd 7 FTK Imager 9 10 The SleuthKit 10 PyFlag 13 ProDiscover Basic 14 - 15 17 17 17 18 18 20 23 25 26 26
29
http://computer-forensics-lab.org