Part 5

Appendices

Appendix A

The Bottom Line

Each of The Bottom Line sections in the chapters suggests exercises to deepen skills and understanding. Sometimes there is only one possible solution, but often you are encouraged to use your skills and creativity to create something that builds on what you know and lets you explore one of many possibilities.

Chapter 1: Network Investigation Overview

Gather important information from the victim of a network incident. It is important to properly vet any report of an incident to ensure that the appropriate people and resources are utilized to address every report. As the number of reported incidents continues to rise, this requirement becomes more and more important to ensure the most efficient utilization of limited agency resources.
We outlined various questions and considerations that any investigator responding to an incident should keep in mind when first interviewing the members of the victim organization. The steps you take at this stage can set the tone for the rest of your investigation and are vital to a rapid and effective response.
Master It You are called regarding a possible computer intrusion into a defense contractor’s network. After performing an initial interview with the reporting person by phone, you feel confident that an incident has occurred and that you should continue your investigation. What steps would you next take to gather additional information to launch an investigation?
Solution Arrange to meet with the reporting person again in person and without a large number of people present. Gather information about the network topology and what the reporting person observed that made her suspect that an intrusion has occurred. Arrange to meet with the other people within the organization to discuss the incident in detail. At that meeting consider questions such as the following:
Be sure to get a thorough understanding of the network environment, normal patterns of use, possible sources of evidence, and the responsibilities and contact information of the various members of the victim organization whose assistance you may need throughout your investigation.
Identify potential sources of evidence in a network investigation. Evidence within a digital crime scene can be located in many different places. It is important to consider how data flows through a network to determine which network devices may have recorded information that can be of evidentiary value. In addition to logs that may be kept on the victim computer, explore logs generated by firewalls, IDSs, routers, wireless devices, authentication servers, and proxy servers that may have recorded information about the attack.
Master It You are called to a company where they suspect that a disgruntled system administrator has accessed the company’s database from outside the company and deleted multiple important records. The logs on the database server have been deleted, leaving no trace of the attack. What are some other possible sources of evidence for this incident?
Solution Since the attack is alleged to have occurred from outside the company, consider which perimeter devices may have recorded the attack. Devices such as firewalls, intrusion detection systems, and VPN concentrators will frequently generate logs relating to connection and access attempts. The company may use a central authentication server such as a Kerberos or RADIUS system to authenticate all network access. These devices are excellent sources of log data. A centralized logging server, such as a syslog server or SIEM, may be configured to store logs. Backup systems may exist that could contain logs that were later deleted by the attacker from their original location but that still exist as a backup file. Forensic recovery of the deleted log files from the victim server may also be possible. Finally, evidence may exist at the computer used to launch the attack. Don’t forget to use standard investigative steps to determine the whereabouts of the suspect to try locating any computers that may have been used to launch the alleged attack.
Understand types of information to look for during analysis of collected evidence. After the evidence is properly secured, the analysis phase should be completed as quickly and accurately as possible to allow time to follow up on any other investigative leads that the analysis may suggest. The analysis should be thorough and may be time consuming, but as new investigative leads are discovered, you should take immediate action to preserve that evidence for later collection.
Once suspects are located, a thorough search for digital evidence should ensue to gather all possible evidence of their involvement in the incident. As analysis of collected evidence occurs, you may uncover evidence that proves the reported incident along with evidence of crimes that were not previously known. Thorough analysis and interviewing may lead to the discovery of multiple other victims and other crimes.
Evidence to search for will depend on the specific investigation, but common items of interest include the following:
Master It While investigating an alleged attack against a local government finance server, you locate and seize a computer believed to have been used by the suspect. What are some types of evidence that you should look for on the suspect’s computer?
Solution Look in the suspect’s computer for signs of any tools that may have been used to perform recon of the victim network or to launch an attack against it. Check the web browser history for any evidence showing that the suspect was targeting the local government systems. Perform string searches for the victim computer’s IP addresses, machine name, DNS name, or other identifying information that may link the suspect computer to the victim. Search for any files on the suspect system that may have come from the victim, including any deleted files. Search for usernames or passwords of users of the local government system that may have been stored by the attacker.

Chapter 2: The Microsoft Network Structure

Explain the difference between a domain and a workgroup as it relates to a network investigation. Domains are centrally managed collections of computers that rely on a network infrastructure that includes domain controllers. Computers participating in a domain surrender much of their autonomy in order to benefit from centralized administration. Domains enforce common policies and maintain a list of domain-wide accounts on the domain controllers.
Workgroups are simply independent computers that are grouped together for purposes of sharing information. Each machine is essentially an island unto itself, with its own accounts, policies, and permissions. The local Administrator account is the ultimate authority on a workgroup computer, and the SAM maintains the list of authorized users.
Master It You are called to the scene of an incident. The victim network is organized as a single domain with all the DCs running Windows Server 2008. All the workstation computers are running Windows 7, and all of them are members of the domain. The administrator explains that he located a keystroke-logging program on his laptop, and he believes that someone was able to record his keystrokes to capture the passwords as he logged in to his various domain accounts, including his domain Administrator account. He fears that the loss of the passwords from the activity on his laptop might lead to unauthorized access on the secure file servers in the Research and Development department, which are located in another building, are part of the same domain, but are in a different organizational unit than his laptop. Could that be a viable threat?
Solution This is certainly a possible threat. If the logon credentials for the domain Administrator account are stolen, those credentials can be used to access data on any computer in the domain that allows remote connectivity. Since the computers participate in a domain, they share a common group of accounts throughout the domain, and the loss of the credentials for privileged accounts in a domain from one computer represents a possible threat to all computers in that domain or to other domains with a trust relationship to that domain.
Explain the importance of groups within a Microsoft network. Groups are the primary means of organizing accounts and assigning the necessary capabilities to each user or computer. Groups are created based on the needs and structure of the organization. The appropriate capabilities necessary for each group to accomplish its role are assigned to the group as permissions and rights. As users are added to the network, their accounts are made members of the appropriate groups, granting all of the necessary capabilities to their accounts. As users join and leave the organization or are reassigned within the organization, the administrator simply changes the membership of the various groups to ensure that all users have the necessary capabilities.
Master It When called to the scene of an incident, you are told that a very sensitive file containing research data has been altered. Had an observant researcher not noticed the changes, they would have resulted in the manufacture of faulty parts, resulting in millions of dollars of damage. By comparing the changed file to backup copies, the administrator was able to determine that the change was made last Wednesday. What role would groups play in your investigation?
Solution Since permissions determine who has access to files and what type of access they have, noting the permissions of each user account to the altered file is important. Also, since permissions are normally assigned to groups, knowing which accounts are members of groups with permission to the file could prove critical to your investigation.
Understand file permissions as they relate to accessing remote resources. A file has two different sets of permissions. The NTFS (or file) permissions determine which accounts can have access to a file—either remotely or locally. The share permissions determine who can have access to a file only when connecting to the resource from across the network. Permissions can be set at either level, and the most restrictive permission set will determine what access is granted to a remote user.
Master It While investigating the file mentioned in the previous question, you learn that while three groups (called Researchers, Administrators, and Research Techs) have NTFS permissions to modify the file, only the Researchers group has share permissions set to make changes. There is no indication that permissions or group membership have been changed since the incident. Could a user account assigned to the Research Techs group be responsible for the change?
Solution A user account assigned only to the Research Techs group could have made the change if it was logged on interactively to the computer storing the file, but not from across the network, because a remote user receives only the rights granted by both the NTFS permissions and the share permissions (assuming, of course, that the account was not also a member of the Researchers group, and that no other group membership or explicit permission entry granted it modify access).
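The "most restrictive set wins" rule from the section above, worked through as an added example (this is not code from the book). Rights are reduced to a set of read/write strings and ACLs to allow/deny dictionaries keyed by group name; the group names match the chapter's scenario, while the Contractors group and all ACL contents are constructed for illustration. It also covers a detail the text does not spell out: an explicit deny entry overrides an allow obtained through another group.

```python
# Added example: how NTFS (file) permissions and share permissions combine for a
# user, depending on whether access is interactive or over the network.
# Rights are modelled as sets of {"read", "write"}; real NTFS rights are finer
# grained (and inherited), but the combination rule is the same.


def effective(groups, acl):
    """Rights one ACL grants a principal: the union of allows minus any explicit deny."""
    allowed = set().union(*(acl.get("allow", {}).get(g, set()) for g in groups))
    denied = set().union(*(acl.get("deny", {}).get(g, set()) for g in groups))
    return allowed - denied


def effective_access(groups, ntfs_acl, share_acl, via_network):
    """NTFS rights always apply; over the network the share rights are intersected too."""
    rights = effective(groups, ntfs_acl)
    if via_network:
        rights &= effective(groups, share_acl)
    return rights


def could_modify(groups, ntfs_acl, share_acl, via_network):
    """Could an account holding these group memberships have changed the file?"""
    return "write" in effective_access(groups, ntfs_acl, share_acl, via_network)


# Constructed ACLs for the research-data file in the Master It question.
# The Contractors group is hypothetical, added to show deny precedence.
NTFS_ACL = {
    "allow": {
        "Researchers": {"read", "write"},
        "Administrators": {"read", "write"},
        "Research Techs": {"read", "write"},
        "Contractors": {"read", "write"},
    },
    "deny": {"Contractors": {"write"}},      # explicit deny beats an allow from another group
}
SHARE_ACL = {
    "allow": {
        "Researchers": {"read", "write"},     # share permission: Change
        "Administrators": {"read"},           # share permission: Read
        "Research Techs": {"read"},           # share permission: Read
        "Contractors": {"read", "write"},
    },
}

if __name__ == "__main__":
    cases = [(["Research Techs"], True), (["Research Techs"], False),
             (["Researchers"], True), (["Researchers", "Contractors"], True)]
    for groups, remote in cases:
        path = "over the network" if remote else "logged on locally"
        print(f"{groups} {path}: could modify = "
              f"{could_modify(groups, NTFS_ACL, SHARE_ACL, remote)}")
```

When investigating, enumerate every group each candidate account belongs to (including nested groups) before running this kind of check; a Research Tech who is also a Researcher is not excluded by the share permissions.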

Chapter 3: Beyond the Windows GUI

Explain the process-separation mechanisms implemented in Windows operating systems and ways in which attackers can subvert these protections. Windows uses one of two modes for all processes. User Mode is where all user-initiated processes are run. Kernel Mode is reserved for the operating system and its components, including device drivers. System memory is divided into two main sections: one for User Mode and one for Kernel Mode.
Within User Mode, each process is allocated its own memory space. For a thread to execute an instruction, the instructions must be located in the process memory space in which that thread exists. Threads from one user process cannot access or alter memory that belongs to another user process.
By loading rogue device drivers onto a system, an attacker can execute malicious code within Kernel Mode, allowing the manipulation of any system memory. By intercepting system and function calls, the attacker can intercept and alter the results provided from the operating system to other processes. This allows the attacker to conceal the evidence of her activities by hiding processes, files, registry keys, and so on from the view of the rest of the system.
Master It You respond to a scene of an incident in a large company. You have developed reasons to suspect that a particular web server, which is administered by a separate contractor, has been compromised. When you approach the administrator to gather evidence, he states, “I know the hacker isn’t on this system. I run a script each night to look for new processes and ports that are not authorized, and nothing has been detected.” Explain to the administrator why his User Mode script may not detect the attacker’s presence.
Solution If the machine was fully compromised, the attacker could have installed rogue components (such as a malicious device driver) running in Kernel Mode. Since Kernel Mode (ring 0) has more direct control over the system than User Mode (ring 3), it can alter the information that is returned to User Mode processes, including the process and port listings on which the administrator's script relies. A rogue component operating in Kernel Mode can defeat any User Mode security mechanism, so a clean result from the script shows only that nothing was visible to it, not that nothing is there.
Identify ways in which attackers can redirect the flow of running processes to accomplish malicious activity. Using DLL injection, an attacker can insert malicious code into the memory space of a process. Using either an exploit or function hooking, the flow of execution for that process can then be redirected into the attacker’s injected DLL, allowing the attacker to execute code within the context of the usurped process. This allows the attacker’s code to execute with the security permissions of the original process and helps hide the attacker’s activities.
Master It The same administrator from the previous example states that he would have noticed if the attacker had launched any new processes on the system. Explain to him how an attacker can run code on his system without ever starting a new process.
Solution By taking advantage of a vulnerability in one of the services being run on a computer, the attacker could remotely compromise the system and inject a payload. Rather than delivering a payload that spawns a new process, the attacker can spawn a new thread within that process or simply redirect the flow of execution of an existing thread within the process. For example, the attacker can deliver a payload that downloads a rogue DLL, injects that DLL into the process’s memory space, and then executes a function in that DLL. This would allow the attacker to run malicious code on the victim system without creating a new process.
Explain how attackers can use rootkits to evade detection. Rootkits are sets of tools that are installed on a victim system after an attacker has gained root, or full, access to the system. These tools typically install backdoors to the system as well as provide mechanisms for hiding the evidence of the attacker’s presence.
Rootkits can exist in User Mode, in Kernel Mode, or as a combination of each. User Mode rootkits will use DLL injection and hooking to change the flow of execution of certain processes. Kernel Mode rootkits will often hook calls to the operating system for basic functions such as listing files on disk, listing processes in memory, and querying the network stack.
By modifying the results of queries by other system processes, the attacker is able to hide any files, registry keys, processes, ports, and so on that are being used for malicious purposes. This allows the hacker to continue to collect information from the system without being discovered by legitimate users.
Master It Explain ways that the presence of a rootkit may be detected.
Solution Rootkits are difficult to detect when an infected computer is running. Tools such as RootkitRevealer can use a Kernel Mode utility to manually examine files and registry keys and compare the results obtained to the results provided through standard API calls requesting the same information. Any discrepancies between the results of a manual examination and a normal request can then be examined to determine if a rootkit might be concealing the presence of malicious files.
An offline analysis of an image from a victim system will often yield evidence of a rootkit. Since the victim system is no longer running, the rootkit is no longer able to exert control and conceal its presence. Antivirus or similar scans can detect components of known rootkits during an offline scan of the data obtained from the victim system. In addition, file hash analysis can uncover files known to be components of known rootkits or other hacker tools that a rootkit is concealing.

Chapter 4: Windows Password Issues

Explain how Windows stores username and password information. Windows stores usernames and passwords in one of two places. Local accounts are stored in the computer's SAM file, while domain accounts on Windows 2000, 2003, and 2008 domains are stored in the Active Directory database file, ntds.dit. Passwords are not stored in plain text but as hash values, and Windows can keep two representations of each password: the LanMan (LM) hash and the NTLM (NT) hash. The LM hash is the oldest and weakest. The password is converted to uppercase, padded with nulls to 14 characters, and split into two 7-character halves, each of which is used as a DES key to encrypt a fixed constant; because the two halves can be attacked independently and the character set is reduced, an LM hash is relatively easy to crack. The NT hash, an MD4 digest of the Unicode (UTF-16LE) password, preserves case and length and so is the more secure option, although it is unsalted and still vulnerable to cracking.
Master It While performing a forensic examination of a suspect’s Windows Vista computer, you encounter numerous encrypted files. Some of these are encrypted with EFS, while others are encrypted with a third-party encryption utility. You would like to learn what passwords the suspect uses so that you can attempt to use them to decrypt the various types of encrypted files. How might you extract the list of password hashes from the suspect’s computer?
Solution Local accounts used on the Windows Vista computer should be stored in the C:\Windows\System32\config\SAM file. This file is stored in a proprietary, binary format, and the password hashes stored inside it are additionally encrypted using SysKey, whose key (the boot key) is derived from values in the SYSTEM hive (C:\Windows\System32\config\SYSTEM). To extract the password hashes from this system, use Cain to recover the SysKey from the SYSTEM hive and then dump the password hashes from the SAM file. The password hashes can then be cracked using a utility such as RainbowCrack. Note that Vista does not store LM hashes by default, so expect only NT hashes, which rainbow tables built for LM hashes will not crack.
Explain the mechanisms used to authenticate a remote user to a Windows machine. Windows authentication occurs using the LanMan challenge/response mechanism, the NTLM (or NTLMv2) challenge/response mechanism, or Kerberos. In a Windows 2000 or later domain, Kerberos is the default protocol used for authentication of domain accounts. Authentication to local accounts or network accounts by IP address will still utilize NTLM or NTLMv2. NTLM authentication normally contains the LanMan authentication response in addition to the NTLM response for backward compatibility. The NTLMv2 process will not send the LanMan authentication response; instead, it sends a new response called LanMan v2. Operating systems beginning with Windows Vista disabled the storage of LanMan passwords, and beginning with Server 2003, the automatic sending of the LanMan response was disabled by default.
Master It An administrator notices that a large number of clients within his network are sending NTLM authentication requests to a particular client machine located within the network. He is suspicious that the activity may be the result of an intrusion, but he is uncertain as to why it may be happening. Based on the information provided in this chapter, what is a possible reason for this behavior?
Solution If an attacker has compromised the client machine, she could set up a password sniffer such as Abel or ScoopLM on the system. By then sending an HTML-enabled e-mail to other users within the network, she could cause their client machines to attempt to download a file from the compromised system using SMB. As part of this process, each computer would send the authentication information of the currently logged-on user to the compromised computer, allowing a mass compromise of usernames and passwords to occur.
Demonstrate ways in which Windows account passwords can be compromised. Because of legacy protocols remaining in use on Windows systems to support backward compatibility, Windows passwords on older systems are particularly susceptible to cracking. From a live system, password hashes can be extracted using tools such as pwdump2, which requires administrator-level control of the system. From an offline system, the same goal can be accomplished by extracting the password hashes from the registry using tools such as Cain. Finally, sniffers can be used to sniff Windows authentication exchanges from the wire, allowing cracking of their associated passwords.
Master It You have been called in to investigate a report that an employee of a company has stolen large amounts of sensitive data and is suspected of selling that data to a rival company. Log analysis indicates that the suspect’s workstation was used to log on to a file server containing the compromised files, but that the user account used was one of a senior manager, not the suspect. Describe how the attacker may have come into possession of the manager’s password and possible evidence that you may find to support your theory.
Solution There are many ways in which a password can be compromised. Investigators must not be so focused on technology that they overlook the human component. Perhaps the manager gave the suspect the password in the past for some purpose. Maybe the manager wrote his password on a Post-It note in his office. Perhaps the password was simple to guess. Conduct thorough interviews of the manager, administrator, and even other coworkers to explore these possibilities. Also, you should perform forensic analysis of the subject’s computer. Look for any of the tools discussed in this chapter, as well as fragments of their results on the system. Use a test system to determine what the LanMan and NTLM hashes of the password would have been, and perform string searches for the plaintext and hashed versions of the compromised password. Search the web browser histories for locations where password-cracking tools and articles can be located. Similarly, determine if any proxy server or other logs may exist that may identify users who may be downloading password-cracking tools.

Chapter 5: Windows Ports and Services

Explain the role of open and active ports in a network investigation. Ports represent ways to communicate with a system. Open ports are those that are bound to a listening process and that can be used to receive and process some type of communication. To an attacker, an open port represents a possible way onto a system. Investigators must know which ports are in use on a victim system in order to examine each for possible rogue use and to help determine how an attack may have occurred.
Master It You are called to investigate a suspected computer intrusion at a private company. Upon examining the ports that are open on the victim system, the administrator noted that TCP port 4444 was listening on one of his computers. He notes that the firewall that guards the only connection to the outside world does not permit any traffic to enter to port 4444 on any of the systems. He concludes from this that some legitimate process must use this port since an attacker would not benefit from opening such a port. Is his logic sound? Why or why not?
Solution The administrator in this case is clearly incorrect. The point to this question is that you cannot always trust the opinion of an administrator. Administrators are frequently skilled in maintaining the operational aspect of systems but can be completely lacking in knowledge about security issues. Perhaps an attacker in this case opened the port without realizing the firewall would block access from the outside. Perhaps the attack was automated and always chose that port. Perhaps the attacker was an insider for whom the firewall was not an issue, or perhaps that attacker already has a foothold within the network from which he can access this victim system on port 4444. The question you need to ask is whether the administrator can provide you with a legitimate reason for the port to be open. If he cannot, you should consider it suspicious until another (more competent) administrator can explain its presence or until some similarly mitigating fact is revealed.
Identify what a service is and explain its importance in a network investigation. Services are processes that are managed by the operating system and that run in a security context that is not dependent on a user being logged on to the system. A service is typically started at boot time. Services can be bound to a port to provide a listening process that will always restart when the system is rebooted and that can be automatically restarted in the event of a failure. Since services are robust and start automatically, attackers frequently use them to perform malicious functions such as opening backdoors to the system, running a sniffer or keystroke logger, or performing other malicious functions.
Master It You determine that a service running on a compromised system is being used to perform password sniffing. You have identified that the name of the service is w32ps. How might you determine where the service’s program is located on disk?
Solution By viewing the registry and looking for the ImagePath value under the HKLM\SYSTEM\CurrentControlSet\Services\w32ps subkey, you will be able to determine which program the service runs. If ImagePath points at svchost (for example, %SystemRoot%\System32\svchost.exe -k somegroup), the service's code lives in a DLL rather than in that executable: check the ServiceDll value under the HKLM\SYSTEM\CurrentControlSet\Services\w32ps\Parameters subkey to find the DLL that contains the instructions performed by the service. On a seized drive, read the same keys from the offline SYSTEM hive (C:\Windows\System32\config\SYSTEM), substituting the control set named by the HKLM\SYSTEM\Select\Current value for CurrentControlSet, since CurrentControlSet is only a symbolic link that exists on a running system.
Explain the svchost process and its importance in a network investigation. The svchost process hosts services implemented in DLLs rather than as standalone programs. A single svchost process may host multiple services from multiple DLLs or may host a single service. Since multiple instances of the svchost process appear in most Windows systems, the name is a favorite for attackers. Many malicious programs will use the svchost name or a variant of it to try to avoid detection.
Master It Looking at the tasklist /SVC output shown here, identify a process that is most suspicious:
[Figure: tasklist /SVC output]
Solution PID 1356 is called svchost, but it is not hosting any services. This is a red flag that some other process has been named svchost to try to hide in plain sight. Use a forensic tool to search the drive for a program named svchost in a location other than the default %SystemRoot%\System32 location, and perform tool analysis on that program.
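The triage rule in this answer (an svchost.exe that hosts no services is a red flag) is easy to automate over saved tasklist /SVC output, and the same pass can catch the "variant of the name" trick mentioned above. The following is an added example, not from the book or any Microsoft tool. The SAMPLE text is constructed to look like tasklist /SVC output (image name padded to 25 columns, PID right-aligned in 8, long service lists wrapped onto indented continuation lines); its PIDs and service names are illustrative, not taken from a real host.

```python
import re

# Added example: parse `tasklist /SVC` output and flag processes abusing the
# svchost name. Column positions are taken from the '=====' separator row
# rather than by splitting on whitespace, so image names containing spaces
# or digits ("System Idle Process") are not mis-parsed.


def _row(image, pid, services):                   # formats a line the way tasklist does
    return f"{image:<25} {pid:>8} {services}"


SAMPLE = "\n".join([                              # constructed sample output
    "Image Name                     PID Services",
    "=" * 25 + " " + "=" * 8 + " " + "=" * 44,
    _row("System Idle Process", 0, "N/A"),
    _row("System", 4, "N/A"),
    _row("smss.exe", 272, "N/A"),
    _row("services.exe", 492, "N/A"),
    _row("svchost.exe", 612, "DcomLaunch, PlugPlay, Power"),
    _row("svchost.exe", 700, "RpcEptMapper, RpcSs"),
    _row("svchost.exe", 836, "AudioSrv, BITS, Browser, CertPropSvc, EventSystem,"),
    " " * 35 + "ProfSvc, Schedule, SENS, Themes, Winmgmt",
    _row("svchost.exe", 1356, "N/A"),
    _row("explorer.exe", 1872, "N/A"),
    _row("scvhost.exe", 2044, "N/A"),
])


def parse_tasklist_svc(text):
    """Return one dict per process: image name, PID and the list of hosted services."""
    lines = text.splitlines()
    sep = next(i for i, line in enumerate(lines) if line.startswith("="))
    cols = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep])]
    (i0, i1), (p0, p1), (s0, _) = cols
    rows = []
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        image, pid, svc = line[i0:i1].strip(), line[p0:p1].strip(), line[s0:].strip()
        names = [s.strip() for s in svc.split(",") if s.strip() and s.strip() != "N/A"]
        if not image and not pid and rows:        # wrapped tail of the previous service list
            rows[-1]["services"].extend(names)
            continue
        rows.append({"image": image, "pid": int(pid), "services": names})
    return rows


def levenshtein(a, b):
    """Edit distance, used to catch look-alike names such as scvhost or svch0st."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_processes(rows):
    """Flag svchost.exe instances hosting nothing and near-miss spellings of the name."""
    findings = []
    for r in rows:
        image = r["image"].lower()
        stem = image.rsplit(".", 1)[0]
        if image == "svchost.exe" and not r["services"]:
            findings.append((r["pid"], "svchost.exe hosting no services"))
        elif image != "svchost.exe" and levenshtein(stem, "svchost") <= 2:
            findings.append((r["pid"], f"{r['image']} mimics svchost.exe"))
    return findings


if __name__ == "__main__":
    for pid, why in suspicious_processes(parse_tasklist_svc(SAMPLE)):
        print(f"PID {pid}: {why}")
```

tasklist /SVC does not show the image path, so a hit from this check still needs the follow-up the answer describes: locate the binary on disk (a genuine svchost.exe lives only in %SystemRoot%\System32) and analyze it. An empty service list is also not proof by itself: a legitimate svchost whose services have all stopped can briefly show N/A, so treat the output as a lead, not a verdict.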

Chapter 6: Live-Analysis Techniques

Prepare, test, verify, and document a toolkit for analyzing live systems. The toolkit that you prepare for acquisition and subsequent analysis of a compromised system must be thoroughly tested and verified by you or someone in your unit before it can ever be used during an actual response against a live business-critical server or in a large-scale intrusion investigation. Failure to do so will result in severe consequences not only for you but potentially for the system(s) involved.
All systems are different and can be installed on different architectures. As an investigator you must know how to properly respond to a live system regardless of how it’s configured and successfully acquire its RAM for subsequent analysis.
Master It Prepare a toolkit that can be used to respond to a potentially compromised Windows 7 Standard Edition and Windows 2008 Standard Server by successfully acquiring RAM from each system. Clearly indicate which processes are running on each system at the time of the response.
Solution Download and test the RAM-acquisition tools discussed in the chapter (FTK Imager Lite, DumpIt, and WinEn) in each environment discussed. Acquire RAM from each system and analyze the memory image with the Volatility pslist (process list) plug-in, as discussed earlier in the chapter, to enumerate the processes that were running at the time of the response.
Identify the pros and cons of performing a live analysis. Performing a live analysis provides the opportunity to pull relevant information out of the RAM of a running system that will be lost once power to that system is discontinued. The disadvantage to this type of analysis is that it involves interacting with the system while it is still running, thus altering the information contained on its hard drive(s). The investigator must determine whether losing data from RAM or modifying data on disk represents the greatest threat to the investigation and base her decision on how to collect evidence at the scene accordingly.
Master It You are called to the scene of a suspected intrusion. The administrator states that he has detected the presence of communication going to the victim computer on port 6547, a port the administrator states should not be open on that computer. What initial steps might you take to gather relevant evidence?
Solution Since the administrator has indicated that he has already detected suspicious traffic going to the victim computer, you will want to ascertain how he detected this activity and whether or not he still has any data or logs that show that activity. You should perform live analysis of the victim computer to confirm that port 6547 is indeed in use on that computer and determine what process on that computer is using that port. Also, after securing proper legal authority, you might want to sniff network traffic to that computer on port 6547 to get an idea of what type of information exchange is occurring. If live analysis of the system does not show port 6547 as open despite the fact that traffic has been observed running to that port on the system, the presence of a rootkit on the system is possible.

Chapter 7: Windows Filesystems

Interpret the data found in a 32-byte FAT directory record. The FAT filesystem is alive and well. It is the one filesystem that is portable between the various popular operating systems, which are Windows, OS X, Linux, and so forth. With the rapid growth in thumb drives, various types of flash media, and personal music players, the FAT filesystem will be around for years to come. Many attackers keep their tools and data on thumb drives to keep them portable and hidden from prying eyes.
FAT stores vital filesystem metadata in a structure known as a FAT directory entry. This entry is 32 bytes in length and contains, among other things, the file’s name, length, and starting cluster.
Master It An intrusion has occurred and it is clearly an inside job. An unidentified thumb drive was found in the back of a server. Upon examination of the thumb drive, you searched for directory-entry fragments that specifically targeted deleted executables (see the sidebar in this chapter for an explanation of this technique) and found several of them. To the extent possible, you want to recover these executables and examine them more closely.
Solution During your search of deleted executables, you found an entry that indicates the filename is _akeover.exe. You note that the “dot double dot” signature is missing and that you have recovered a directory entry fragment. Since you suspect the filename is takeover.exe, you search for that name and find references to it elsewhere on the system. Because this filename is most suspicious, you are interested in the function of the code. When you look at the directory entry, you find that the starting cluster (byte offsets 26 and 27) for the file is 2,047. When you go to that cluster, you find the first two bytes are MZ, which is the file signature for an executable file. So far, things are looking good.
Next, you look at the length of the file (byte offsets 28–31) and find it is 52,075 bytes. When you go back to the starting cluster, you place your cursor on the starting byte, which is the M in MZ. When you sweep 52,075 bytes, you find that the bytes that follow are all zeros that continue until you reach the sector boundary. Such a finding means that the binary data is contained within the specified file size (52,075 bytes) and the zeros that immediately follow were filled in by the operating system from the end of the file until the sector boundary (sector slack).
Thus, you find that you have what you believe to be a perfect recovery of an executable file. If you export these 52,075 bytes out of your forensic program, naming it takeover.exe, you now have what appears to be an attacker’s tool on which you can perform further tool-analysis techniques. You can also hash this file and search for the hash value in the hopes that others have already identified this tool.
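The fields the solution reads by hand (the name with its 0xE5 deletion mark, the starting cluster at offsets 26 and 27, the size at offsets 28 through 31) can be decoded programmatically. The following Python is an added example, not code from the book: it builds a small constructed FAT16-style image in which a deleted entry for takeover.exe points at cluster 2,047 with a size of 52,075 bytes, parses the entry, carves the file, and checks the MZ signature and the zeroed sector slack. The data-area start, cluster size and file contents are assumed values. The short name comes back in its stored 8.3 uppercase form; the lowercase name in the text would come from the long-filename entries, which this example does not parse.

```python
import struct

# 32-byte FAT directory entry (FAT12/16/32):
#   0-10  8.3 short name, space padded; 0xE5 in byte 0 marks the entry deleted
#   11    attributes (0x10 = directory)
#   20-21 high word of the starting cluster (FAT32 only)
#   26-27 low word of the starting cluster
#   28-31 file size in bytes
DELETED_MARK, ATTR_DIRECTORY, MZ = 0xE5, 0x10, b"MZ"


def parse_dir_entry(entry: bytes, fat32: bool = False) -> dict:
    """Decode the forensically interesting fields of one directory entry."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    raw = bytearray(entry[:11])
    deleted = raw[0] == DELETED_MARK
    if deleted:
        raw[0] = ord("_")  # the first character is gone; show the usual placeholder
    base = raw[:8].decode("ascii", "replace").rstrip()
    ext = raw[8:].decode("ascii", "replace").rstrip()
    cluster = struct.unpack_from("<H", entry, 26)[0]
    if fat32:
        cluster |= struct.unpack_from("<H", entry, 20)[0] << 16
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "is_dir": bool(entry[11] & ATTR_DIRECTORY),
        "start_cluster": cluster,
        "size": struct.unpack_from("<I", entry, 28)[0],
    }


def cluster_offset(cluster: int, data_start: int, cluster_size: int) -> int:
    """Byte offset of a data cluster; the data area begins with cluster 2."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return data_start + (cluster - 2) * cluster_size


def recover_contiguous(volume: bytes, entry: dict, data_start: int, cluster_size: int) -> bytes:
    """Carve `size` bytes from the starting cluster, assuming the file is unfragmented
    (the same assumption the manual MZ-to-sector-boundary sweep in the text makes)."""
    start = cluster_offset(entry["start_cluster"], data_start, cluster_size)
    return volume[start:start + entry["size"]]


def slack_is_zeroed(volume: bytes, start: int, size: int, sector_size: int = 512) -> bool:
    """True when every byte between end-of-file and the next sector boundary is zero."""
    end = start + size
    boundary = -(-end // sector_size) * sector_size  # round up to the sector boundary
    return not any(volume[end:boundary])


def build_sample_volume():
    """Constructed FAT16-style image: a deleted entry for takeover.exe at cluster 2,047, 52,075 bytes."""
    data_start, cluster_size = 4096, 512  # assumed geometry
    entry = bytearray(32)
    entry[:11] = b"\xE5AKEOVEREXE"  # 'TAKEOVER.EXE' with the deletion mark in byte 0
    entry[11] = 0x20                 # archive attribute
    struct.pack_into("<H", entry, 26, 2047)
    struct.pack_into("<I", entry, 28, 52075)
    start = cluster_offset(2047, data_start, cluster_size)
    volume = bytearray(start + 52075 + cluster_size)  # zero filled, so the slack is zero
    volume[start:start + 52075] = MZ + b"\x90" * (52075 - 2)  # stand-in executable body
    return bytes(entry), bytes(volume), data_start, cluster_size


def demo() -> dict:
    """Parse the sample entry, carve the file, and check its signature and slack."""
    entry_bytes, volume, data_start, cluster_size = build_sample_volume()
    entry = parse_dir_entry(entry_bytes)
    data = recover_contiguous(volume, entry, data_start, cluster_size)
    start = cluster_offset(entry["start_cluster"], data_start, cluster_size)
    return {"entry": entry, "is_pe": data[:2] == MZ, "length": len(data),
            "slack_zeroed": slack_is_zeroed(volume, start, entry["size"])}
```

Run demo() to see the decoded entry and the two checks the text performs by hand; on a real image you would pass the 32 bytes of the carved entry fragment and the volume's actual data-area offset and cluster size.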
Determine a file’s cluster run in a FAT table, given its starting cluster number and file size. The FAT filesystem uses two tables (FAT1 and FAT2) to track cluster usage and cluster runs. Normally FAT2 is a copy of FAT1, kept in case FAT1 is ever corrupted. The entries for clusters 0 and 1 in these two tables hold other metadata, so cluster numbering starts at cluster 2. Each table is an array of 12-, 16-, or 32-bit entries, depending on whether the filesystem is FAT12, FAT16, or FAT32, and each entry represents one cluster in the partition. An entry’s value is either zero (the cluster is unallocated), the number of the next cluster in the cluster run, or an End of File marker. It may also hold a value marking the cluster as bad.
Master It In the previous intrusion example, you recovered a file named takeover.exe. Although you have recovered the file, you also want to verify that the starting cluster was not in use by an allocated file.
Solution Your thumb drive is a FAT16 filesystem. In EnCase, you could create a text style that would force the hex view into 2-byte arrays (16 bits/FAT16). From there, you could manually compute where cluster 2,047 would be and go to that location. Once there, if you see that the values are 0x0000, then the cluster is unallocated and not in use by any other file. In EnCase, there is an easier way. In the left pane, you would click the Show All or Set Included Folders button to show all files in the right pane. In the right pane, in the table view, you would sort by the Starting Extent column, which also means starting cluster. In the Starting Extent column, scroll down until you reach C2047 (cluster 2,047). If it is present, it is being used by a file. If it is absent, no file is using it as its starting extent. If you are using WinHex, on the Position menu, there is a Go To FAT Entry feature. You can enter the FAT entry for cluster 2,047 and read its value. For other tools, you’ll need to consult the documentation to determine how to make this determination.
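Walking the chain is the same operation in all three FAT variants; only the entry width and the reserved marker values change. This added Python example (not from the book or any tool it names) reads FAT12, FAT16 and FAT32 entries, follows a cluster run to its end-of-chain mark, reports the byte offset within the FAT that the solution computes by hand for cluster 2,047, and checks whether the clusters a 52,075-byte file would need are free. The FAT contents are constructed; the end-of-chain (0xFF8, 0xFFF8, 0x0FFFFFF8 and above) and bad-cluster (0xFF7, 0xFFF7, 0x0FFFFFF7) values are the standard markers.

```python
import struct

# Per FAT type: (bad-cluster mark, lowest end-of-chain mark)
FAT_MARKS = {12: (0xFF7, 0xFF8), 16: (0xFFF7, 0xFFF8), 32: (0x0FFFFFF7, 0x0FFFFFF8)}


def fat_entry_offset(cluster: int, bits: int) -> int:
    """Byte offset of a cluster's entry from the start of the FAT (what you would compute by hand)."""
    return {12: cluster * 3 // 2, 16: cluster * 2, 32: cluster * 4}[bits]


def fat_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Read one FAT entry. FAT12 packs two 12-bit entries into three bytes; FAT32 entries use 28 bits."""
    ofs = fat_entry_offset(cluster, bits)
    if bits == 12:
        word = struct.unpack_from("<H", fat, ofs)[0]
        return word >> 4 if cluster & 1 else word & 0x0FFF
    if bits == 16:
        return struct.unpack_from("<H", fat, ofs)[0]
    return struct.unpack_from("<I", fat, ofs)[0] & 0x0FFFFFFF


def is_allocated(fat: bytes, cluster: int, bits: int) -> bool:
    """A zero entry means the cluster is free; anything else means some file or marker claims it."""
    return fat_entry(fat, cluster, bits) != 0


def cluster_run(fat: bytes, start: int, bits: int) -> list:
    """Follow the chain from `start` to the end-of-chain mark; refuse loops, free and bad clusters."""
    bad, eoc = FAT_MARKS[bits]
    run, cur = [], start
    while True:
        if cur < 2 or cur in run:
            raise ValueError(f"chain loops or leaves the data area at cluster {cur}")
        run.append(cur)
        nxt = fat_entry(fat, cur, bits)
        if nxt >= eoc:
            return run
        if nxt == 0:
            raise ValueError(f"cluster {cur} is unallocated: the chain is broken")
        if nxt == bad:
            raise ValueError(f"cluster {cur} is marked bad")
        cur = nxt


def clusters_needed(size: int, cluster_size: int) -> int:
    """Number of clusters a file of `size` bytes occupies (rounded up)."""
    return -(-size // cluster_size)


def build_sample_fat16(total_clusters: int = 4096) -> bytes:
    """Constructed FAT16: reserved entries, a contiguous run 3-4-5, a fragmented run 10-200-201,
    a bad cluster at 300, and cluster 2,047 left free (0x0000)."""
    fat = bytearray(total_clusters * 2)
    for cluster, value in [(0, 0xFFF8), (1, 0xFFFF), (3, 4), (4, 5), (5, 0xFFFF),
                           (10, 200), (200, 201), (201, 0xFFFF), (300, 0xFFF7)]:
        struct.pack_into("<H", fat, cluster * 2, value)
    return bytes(fat)


def check_recovery(fat: bytes, start: int, size: int, cluster_size: int, bits: int = 16) -> dict:
    """Is `start` free, and are enough clusters after it free to hold an unfragmented file of `size`?"""
    needed = clusters_needed(size, cluster_size)
    busy = [c for c in range(start, start + needed) if is_allocated(fat, c, bits)]
    return {"start_offset_in_fat": fat_entry_offset(start, bits), "clusters_needed": needed,
            "start_free": not is_allocated(fat, start, bits), "allocated_in_span": busy}
```

check_recovery(build_sample_fat16(), 2047, 52075, 512) reports the offset 4,094 bytes into the FAT for cluster 2,047 and confirms that the 102 clusters a contiguous recovery would occupy are all free; on a real image, pass the raw bytes of FAT1 and the volume's cluster size.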
Interpret the data found in an NTFS MFT record. Instead of using the 32-byte directory entry records used by FAT, NTFS uses 1,024-byte MFT record entries to achieve, at a minimum, a similar purpose. Instead of using a FAT table (FAT1 and FAT2), NTFS uses a cluster bitmap. In the cluster bitmap, 1 bit represents each cluster in the partition. If the bit value is 0, the cluster is not allocated to a file. If the bit value is 1, the cluster is in use by a file. The cluster runs are tracked by the $DATA attribute within the MFT.
Master It In your previous intrusion case, involving the file takeover.exe, you examined one of the compromised servers, finding a reference to the file takeover.exe in the pagefile.sys file. Upon examining the data, you see FILE0 in the preceding data and again in the data that follows. From the F in the preceding FILE0 to the F in the one that follows, there are 1,024 bytes. When you examine the MFT, there is no such entry. What have you most likely found, and how can you explain its presence in the paging file but not in the MFT?
Solution MFT entries are normally 1,024 bytes in length, beginning with FILE0. That your data, takeover.exe, is sandwiched between two MFT headers, separated by 1,024 bytes, means you have located an MFT entry. The data in this entry can be parsed out. If you can go to the starting cluster, found in the $DATA attribute, and see the program found on the thumb drive, you would have a tremendous find in your case. Since this entry appears in the swap file and not in the MFT, it means that at one time it was in the MFT but has been deleted. The MFT is loaded into RAM and is used by the operating system. If the system is busy and needs more RAM than is available, it will write some areas of RAM to the swap file (pagefile.sys) to free up RAM. In this case, some of the MFT was written to the swap file and still exists in that file even though it was subsequently deleted from the MFT.
Locate alternate data streams on an NTFS filesystem. You are, by now, familiar with the $DATA attribute. The $DATA attribute is used to contain either the resident data of the file or the runlist information pointing to the clusters containing the nonresident data. You should also recall that you can have more than one $DATA attribute. When additional $DATA attributes are present, they are referred to as alternate data streams (ADSs). When data is inserted into an ADS, it is not visible to the user, even if the user has administrator rights, making an ADS an ideal place for an intruder to hide data and make use of it.
Master It In the previous intrusion case, involving the file takeover.exe, you suspect that your attacker may have hidden the program (takeover.exe) in an alternate data stream. How can you determine if there are alternate data streams present?
Solution If you are looking at a live system, you can use the tool streams.exe to locate hidden or alternate data streams. If you wanted to locate all alternate data streams on the C: drive, you could execute streams.exe -s c:\ at the command prompt. If you were examining the drive in a forensic environment and were using EnCase, you could run the condition named Alternate Data Streams. This would show only the files that are alternate data streams. From there, you could examine each ADS. In addition, you could hash each ADS and compare the results to the hash value of the file recovered from the thumb drive.
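The two solutions above, carving an MFT record out of pagefile.sys and looking for extra $DATA attributes, are the same parsing task, so one added Python example (not code from the book, EnCase or streams.exe) covers both. It locates FILE records in an arbitrary blob, undoes the update-sequence fixups so that torn records and stray "FILE" strings are rejected, reads the in-use flag and the $FILE_NAME name, decodes the runlist of a non-resident $DATA attribute to obtain the starting cluster, lists every named $DATA attribute as an alternate data stream, and shows the one-bit-per-cluster $Bitmap check. The record it parses is constructed in build_sample_record; the sequence number, USN, cluster numbers, sizes and the ADS name "hidden" are assumed values.

```python
import struct

MFT_RECORD_SIZE, SECTOR = 1024, 512
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(record: bytes) -> bytearray:
    """Undo update-sequence fixups: each sector's last 2 bytes hold the USN; the USA keeps the originals."""
    rec = bytearray(record)
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_count != MFT_RECORD_SIZE // SECTOR + 1 or usa_ofs + 2 * usa_count > SECTOR:
        raise ValueError("implausible update sequence array")
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(1, usa_count):
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("update sequence mismatch: torn or not an MFT record")
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return rec

def decode_runlist(data: bytes) -> list:
    """Decode a runlist into (first LCN, cluster count) pairs; offsets are signed, relative to the previous run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos]:
        len_sz, ofs_sz = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(data[pos + 1 + len_sz:pos + 1 + len_sz + ofs_sz], "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + len_sz + ofs_sz
    return runs

def parse_mft_record(record: bytes) -> dict:
    """Header flags, the $FILE_NAME name and every $DATA attribute; named $DATA attributes are ADSs."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    seq, _links, pos, flags = struct.unpack_from("<HHHH", rec, 16)  # pos = offset of first attribute
    info = {"sequence": seq, "in_use": bool(flags & 1), "name": None, "streams": []}
    while pos + 16 <= MFT_RECORD_SIZE:
        atype, alen, nonres, name_len, name_ofs = struct.unpack_from("<IIBBH", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        aname = rec[pos + name_ofs:pos + name_ofs + 2 * name_len].decode("utf-16-le")
        if nonres:  # runlist offset lives at +32, real size at +48
            run_ofs, size = struct.unpack_from("<H", rec, pos + 32)[0], struct.unpack_from("<Q", rec, pos + 48)[0]
            body, runs = None, decode_runlist(rec[pos + run_ofs:pos + alen])
        else:  # content length at +16, content offset at +20
            clen, cofs = struct.unpack_from("<IH", rec, pos + 16)
            body, size, runs = bytes(rec[pos + cofs:pos + cofs + clen]), clen, []
        if atype == ATTR_FILE_NAME and body:
            info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")  # length at 64, UTF-16 name at 66
        elif atype == ATTR_DATA:
            info["streams"].append({"name": aname, "resident": body is not None, "size": size, "runs": runs, "content": body})
        pos += alen
    return info

def carve_mft_records(blob: bytes) -> list:
    """Locate intact MFT records in arbitrary data such as pagefile.sys or unallocated space."""
    hits, pos = [], blob.find(b"FILE")
    while pos != -1:
        try:
            hits.append((pos, parse_mft_record(blob[pos:pos + MFT_RECORD_SIZE])))
        except (ValueError, struct.error):
            pass  # a stray 'FILE' string or a truncated tail; the fixup check rejects it
        pos = blob.find(b"FILE", pos + 1)
    return hits

def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    return bool(bitmap[cluster // 8] >> (cluster % 8) & 1)  # $Bitmap: one bit per cluster, LSB first

def _add_attr(rec, pos, atype, aname, body=None, runlist=None, size=0):
    """Append one attribute (resident when body is given) and return the next free offset."""
    hdr = 24 if body is not None else 64
    data_ofs = (hdr + len(aname) + 7) & ~7
    payload = body if body is not None else runlist
    alen = (data_ofs + len(payload) + 7) & ~7
    struct.pack_into("<IIBBHHH", rec, pos, atype, alen, int(body is None), len(aname) // 2, hdr, 0, 0)
    if body is not None:
        struct.pack_into("<IH", rec, pos + 16, len(body), data_ofs)
    else:
        struct.pack_into("<QQH", rec, pos + 16, 0, 0, data_ofs)  # start VCN, last VCN, runlist offset
        struct.pack_into("<QQ", rec, pos + 48, size, size)        # real and initialised size
    rec[pos + hdr:pos + hdr + len(aname)] = aname
    rec[pos + data_ofs:pos + data_ofs + len(payload)] = payload
    return pos + alen

def build_sample_record() -> bytes:
    """Constructed record for a deleted 'takeover.exe' with an unnamed $DATA run and a resident ADS 'hidden'."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)           # USA at 0x30: USN plus one slot per sector
    struct.pack_into("<HHHH", rec, 16, 7, 1, 0x38, 0)  # seq 7, 1 link, attrs at 0x38, flags 0 = not in use
    fn_body = bytearray(64) + b"\x0c\x00" + "takeover.exe".encode("utf-16-le")  # name length 12 at offset 64
    pos = _add_attr(rec, 0x38, ATTR_FILE_NAME, b"", body=bytes(fn_body))
    pos = _add_attr(rec, pos, ATTR_DATA, b"", runlist=b"\x31\x0D\xCD\xAB\x02\x00", size=52075)  # 13 clusters at LCN 175053
    pos = _add_attr(rec, pos, ATTR_DATA, "hidden".encode("utf-16-le"), body=b"MZ" + b"\x90" * 14)
    struct.pack_into("<II", rec, pos, ATTR_END, 0)
    rec[0x30:0x32] = usn = b"\x05\x00"  # apply fixups as the driver does before the record reaches disk
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)
```

Feeding carve_mft_records a blob that embeds build_sample_record() returns one record whose in_use flag is clear (deleted), whose $FILE_NAME is takeover.exe, whose unnamed $DATA attribute starts at cluster 175,053, and whose second $DATA attribute, named "hidden", is the ADS; hashing each stream's content, as the solution suggests, is then a one-line step. Two caveats the text does not spell out: the fixup check is what stops a "FILE" string inside ordinary data from being mistaken for a record, and the in-use flag is the first thing to read, because a deleted record keeps its attributes until the slot is reused.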
Understand the basics of the exFAT filesystem. The exFAT filesystem is the latest supported filesystem for Microsoft operating systems. It brings enhanced capabilities compared to its FAT predecessors and removes limitations, such as in timestamp recording, from which those filesystems suffered. While not currently encountered in great numbers, the increasing size of removable media and the native support being added to more devices may increase its popularity in the near future.
Master It You are reviewing a fellow examiner’s report for accuracy. The report indicates that the examiner was analyzing removable media formatted with the exFAT filesystem and that he recovered a deleted file. His report shows the name of the recovered file as _y file. His notes indicate that the initial character of the filename was overwritten when the file was deleted by the hex character E5 as part of the deletion process. Is there likely a problem with his report?
Solution The exFAT filesystem does not handle file deletion by overwriting the first character of the filename with the hex value E5 like other FAT filesystems do. There is likely an inaccuracy in the report and the media should be examined to determine if it was using exFAT or FAT.
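To see why the report is suspect, compare what deletion does to the directory entries. This added Python example (not from the book) parses an exFAT entry set, the file entry (type 0x85) followed by its stream extension (0xC0) and file-name (0xC1) entries, and then applies what exFAT deletion actually does: it clears the InUse bit (bit 7) of each entry's type byte and leaves every byte of the name untouched, so a recovered exFAT name has no overwritten first character. The sample entry set (name "my file", first cluster 40, size 1,234 bytes) is constructed; the offsets used (name length at byte 3 and first cluster at bytes 20 through 23 of the stream entry, name characters from byte 2 of the name entry) follow the exFAT layout.

```python
import struct

# exFAT entry types; bit 7 of the type byte is the InUse flag, cleared when a file is deleted
TYPE_FILE, TYPE_STREAM, TYPE_NAME = 0x85, 0xC0, 0xC1
IN_USE = 0x80


def parse_exfat_entry_set(entries: bytes) -> dict:
    """Parse a file directory entry together with its stream-extension and file-name entries."""
    if len(entries) < 32 or len(entries) % 32:
        raise ValueError("exFAT directory entries are 32 bytes each")
    if entries[0] & ~IN_USE != TYPE_FILE & ~IN_USE:
        raise ValueError("not a file directory entry")
    secondary_count = entries[1]  # how many secondary entries follow the file entry
    info = {"deleted": not entries[0] & IN_USE, "name": None, "first_cluster": None, "size": None}
    name_len, name_parts = 0, []
    for i in range(1, secondary_count + 1):
        e = entries[32 * i:32 * i + 32]
        kind = e[0] & ~IN_USE
        if kind == TYPE_STREAM & ~IN_USE:
            name_len = e[3]
            info["first_cluster"] = struct.unpack_from("<I", e, 20)[0]
            info["size"] = struct.unpack_from("<Q", e, 24)[0]
        elif kind == TYPE_NAME & ~IN_USE:
            name_parts.append(e[2:32])  # 15 UTF-16 code units per name entry
    info["name"] = b"".join(name_parts).decode("utf-16-le")[:name_len]
    return info


def mark_deleted(entry_set: bytes) -> bytes:
    """What deletion does on exFAT: clear InUse on every entry of the set; no byte of the name changes."""
    out = bytearray(entry_set)
    for i in range(0, len(out), 32):
        out[i] &= ~IN_USE
    return bytes(out)


def build_sample_set(name: str = "my file", first_cluster: int = 40, size: int = 1234) -> bytes:
    """Constructed entry set: file entry + stream extension + one name entry (names up to 15 characters)."""
    file_e = bytearray(32)
    file_e[0], file_e[1] = TYPE_FILE, 2  # two secondary entries follow
    stream = bytearray(32)
    stream[0], stream[3] = TYPE_STREAM, len(name)
    struct.pack_into("<I", stream, 20, first_cluster)
    struct.pack_into("<Q", stream, 24, size)
    name_e = bytearray(32)
    name_e[0] = TYPE_NAME
    name_e[2:2 + 2 * len(name)] = name.encode("utf-16-le")
    return bytes(file_e + stream + name_e)
```

parse_exfat_entry_set(mark_deleted(build_sample_set())) reports deleted=True with the name still reading "my file"; the type bytes become 0x05, 0x40 and 0x41, and no 0xE5 appears anywhere. An examiner who sees a leading 0xE5 in a directory entry is looking at a FAT12/16/32 entry, which is the discrepancy the solution points to.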

Chapter 8: The Registry Structure

Understand the terms keys, values, and hive files, as well as understand how logical keys and values are mapped to and derived from physical registry hive files. The Windows registry is a complex database of configuration settings for the operating system, programs, and users. The database is stored in several files called hive files. When mounted, the registry is rendered into a logical structure that can be addressed, called, edited, and so forth. The Windows operating system provides a utility called regedit, by which the registry can be viewed, searched, and edited.
Master It From the Run window, type in regedit.exe and press Enter. In the resulting UI, what is the left pane called and what is the right pane called? Is there a registry key that shows the mounted logical registry keys and their derivative hive files?
Solution In regedit, the left pane is called the key pane, and the right pane is called the value pane. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist. In the value pane, you will see that the currently mounted registry keys are listed as value names. For each registry key (value name) except one, you’ll find that the value data points to the complete path of the derivative hive file. The one key for which there is no derivative file is the key HKLM\HARDWARE, listed as the value name \REGISTRY\MACHINE\HARDWARE. If you recall, this is a dynamic key created at boot for which there is no hive file.
Use different utilities to navigate and analyze both live and offline registries. Many of the Windows registry keys are derived keys, where a particular key is derived from a pointer or link to another key. For example, in a live registry, the key HKEY_CURRENT_USER (abbreviated HKCU) is derived from a link to HKU\SID, where SID is the SID of the current logged-on user. Another key, HKLM\HARDWARE, is volatile and available only at boot. The registry on a live machine will differ somewhat from an offline registry, such as that seen in a forensic environment. In addition to regedit there are other tools that you can use to search, edit, or analyze the registry. In a forensic environment, you will typically be using a third-party tool, such as Registry Browser (IACIS), Reg Ripper (Harlan Carvey), Registry Viewer (AccessData), or EnCase (Guidance Software).
Master It During a network investigation, you want to know which commands your suspect may have typed from the Run window. Where can you find this information, and which tool might you use to find it?
Solution When a user types commands in the Run window, the operating system recognizes that these commands may often be repeated. As a convenience to the user, these commands are stored in the user’s registry hive key. When you access this key, you can see the past commands on a drop-down list. Forensic examination of the appropriate registry key can therefore reveal a list of commands typed in the Run window.
First you must locate the NTUSER.DAT hive file for the user in question. This file will be located in the root of the subfolder of the Documents and Settings or Users folder bearing the user’s name.
Using a program such as Registry Viewer, load the user’s hive file. Navigate to Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. This key will contain a list of the commands the user typed into the Run window.
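The RunMRU key stores more than a bare list: each command sits in a value named with a single letter, terminated by the two characters \1, and a value named MRUList holds those letters in most-recent-first order. This added Python example (not code from the book, Registry Viewer or any other tool it names) takes the key's values as a dictionary, as you would transcribe them from an offline hive viewer, and returns the commands in that order, keeping any values the list does not mention. The sample values are constructed.

```python
def run_mru_history(values: dict) -> dict:
    """Order the Run-box commands stored under ...\\Explorer\\RunMRU.

    `values` maps value names to string data as exported from the key. Each
    single-letter value holds one command terminated by the two characters
    backslash and '1'; the MRUList value is a string of those letters with the
    most recently used command first.
    """
    order = values.get("MRUList", "")
    commands = []
    for letter in order:
        data = values.get(letter)
        if data is None:
            continue  # listed in MRUList but the value itself was not recovered
        if data.endswith("\\1"):
            data = data[:-2]
        commands.append((letter, data))
    # Values present in the key but missing from MRUList: still evidence, just unordered.
    unlisted = sorted(k for k in values if len(k) == 1 and k.isalpha() and k not in order)
    return {"ordered": commands, "unlisted": unlisted}


SAMPLE_RUNMRU = {  # constructed export; value names and the MRUList layout follow the Windows convention
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": "notepad\\1",
}
```

For the sample, the most recent command is the UNC path stored in value c, then cmd and regedit; value d exists but is absent from MRUList, which is worth noting in a report because the letter order, not the alphabetical order of the values, is what tells you which command was typed last.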
Determine which control set is the current control set. As part of the operating system’s fail-safe features, the OS keeps a copy of the current control set key from the last good logon. If the control set in use fails during boot, you have the option of using the one from the last good logon, which Microsoft calls “last known good configuration.” If you opt to use this, the current control set from the last good boot will be used instead. When you view an offline registry, there will be no current control set, and you will have to determine which control set is current in order to examine the correct or most recent one. When there are just two options, the task is relatively simple. However, there may be multiple control sets present on a problem system or one on which the user has been tinkering. Regardless of the underlying circumstances, your examination must be accurate, and you must therefore correctly determine the current control set before examining the information it contains.
Master It During a network investigation, you encounter a registry in which there are eight control sets. Which control set do you examine as the current control set?
Solution You must locate and load the SYSTEM hive file found in the path C:\%SystemRoot%\System32\config\. Using the registry utility, navigate to the registry path HKLM\SYSTEM\Select. In this key, you’ll find several values, but you want to look at the one named Current. The data for the Current value will indicate which control set number is current and the one to examine as such.
Use ProcMon to conduct basic registry research techniques. ProcMon is a very useful utility from SysInternals, which is now owned by Microsoft (http://technet.microsoft.com/en-us/sysinternals). Among other things, ProcMon allows real-time monitoring of the system registry. The registry is a very busy place, and ProcMon filters let you focus on what is relevant while shielding you from being deluged by what is not.
Master It During an investigation you find that it is significant to determine if deleted files passed through the Recycle Bin (the default behavior) or if they were deleted immediately without going to the Recycle Bin. You could probably look up the involved registry setting elsewhere, but you suspect you could find it more quickly using ProcMon.
Solution You can quickly determine the answer using ProcMon. Start ProcMon and make sure it is capturing. Right-click the Recycle Bin icon and choose Properties. If your system is Windows 7 and in its default configuration, you should see an empty radio button next to a line that reads Don’t Move Files To The Recycle Bin. Remove Files Immediately When Deleted. Click this radio button, but before clicking Apply, go back to ProcMon and clear the accumulated data. When ProcMon is clear, go back to the Recycle Bin UI and click Apply. Then go back to ProcMon and stop the capture. Examine the results. If you repeat this capture process a few times, turning on and off this feature, you’ll quickly see that the value that changes each time is NukeOnDelete, which is found at the path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket. When this value is 0, its default value, files are first sent to the Recycle Bin upon deletion. When this value is 1, files are deleted and not sent to the Recycle Bin.

Chapter 9: Registry Evidence

Locate and mount Windows XP registry hive files stored in restore points and analyze restore point registry settings to determine before-and-after intrusion settings. Windows XP shipped with a system that creates restore points, which are folders containing snapshots of system settings and files that have been added to the system since the previous restore point. These occur daily and at other special times. Their purpose is to enable you to recover the system to a very recent working state should things go wrong. For the forensic examiner, restore points are extremely valuable time capsules containing evidence of system settings. In intrusion investigations, they are valuable in determining before-and-after intrusion system states.
Master It Disable your Security Center’s firewall warning system. Demonstrate how a restore point can be used to show before-and-after settings.
Solution Go to your System Restore control panel and create a restore point, naming it something like Before Warning System Disabled. Note the time when you create this restore point. Next, go to the Security System control panel and disable the warning for your firewall. To demonstrate this, you’ll need a forensic tool such as EnCase that allows you to forensically see your own hard drive. Open EnCase, create a new case, and add your own hard drive to the case. Once you can see your own drive, locate the RP## folder for the restore point you just created. Most likely, it will be the highest-numbered one in the series. Verify its creation time against the time you recorded. In its Snapshot subfolder, locate and copy out the file _REGISTRY_MACHINE_SOFTWARE. In the folder %SystemRoot%\system32\config, copy out the file SOFTWARE. You can now open these files in the registry viewer of your choice, comparing the value FirewallDisableNotify in the key HKLM\SOFTWARE\Microsoft\Security Center. In the restore point registry showing the before view, the value should have been 0. In the registry as it currently exists, the value should be 1, because you currently have it disabled. In this manner, you have used restore points to show before-and-after settings of the Security Center.
Tip
You can download AccessData’s FTK Imager from their website and use it without a dongle. With it open, simply choose File ⇒ Add Evidence Item ⇒ Physical Drives. Select your primary hard drive, and click Finish. When your drive is mounted, navigate to any restore point folder (RP##) and right-click it. Choose Export and provide a path. With that, you’ve accessed a restore point on your hard drive and at no cost!