An authoritative guide to investigating high-technology crimes. Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book, aimed at law enforcement personnel, prosecutors, and corporate investigators, provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.
* Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
* Places a special emphasis on how to thoroughly investigate criminal activity and not just perform the initial response
* Walks you through ways to present technically complicated material in simple terms that will hold up in court
* Features content fully updated for Windows Server 2008 R2 and Windows 7
* Covers the emerging field of Windows Mobile forensics
Also included is a classroom support package to ensure academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.
Page count: 1192
Year of publication: 2012
Cover
Acknowledgments
About the Authors
Contents
Introduction
Part 1: Understanding and Exploiting Windows Networks
Chapter 1: Network Investigation Overview
Performing the Initial Vetting
Meeting with the Victim Organization
Understanding the Victim Network Information
Understanding the Incident
Identifying and Preserving Evidence
Establishing Expectations and Responsibilities
Collecting the Evidence
Analyzing the Evidence
Analyzing the Suspect’s Computers
Recognizing the Investigative Challenges of Microsoft Networks
The Bottom Line
Chapter 2: The Microsoft Network Structure
Connecting Computers
Windows Domains
Interconnecting Domains
Organizational Units
Users and Groups
Types of Accounts
Groups
Permissions
File Permissions
Share Permissions
Reconciling Share and File Permissions
Example Hack
The Bottom Line
Chapter 3: Beyond the Windows GUI
Understanding Programs, Processes, and Threads
Redirecting Process Flow
DLL Injection
Hooking
Maintaining Order Using Privilege Modes
Using Rootkits
The Bottom Line
Chapter 4: Windows Password Issues
Understanding Windows Password Storage
Cracking Windows Passwords Stored on Running Systems
Exploring Windows Authentication Mechanisms
LanMan Authentication
NTLM Authentication
Kerberos Authentication
Sniffing and Cracking Windows Authentication Exchanges
Using ScoopLM and BeatLM to Crack Passwords
Cracking Offline Passwords
Using Cain & Abel to Extract Windows Password Hashes
Accessing Passwords through the Windows Password Verifier
Extracting Password Hashes from RAM
Stealing Credentials from a Running System
The Bottom Line
Chapter 5: Windows Ports and Services
Understanding Ports
Using Ports as Evidence
Understanding Windows Services
The Bottom Line
Part 2: Analyzing the Computer
Chapter 6: Live-Analysis Techniques
Finding Evidence in Memory
Creating a Windows Live-Analysis Toolkit
Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System
Using WinEn to Acquire RAM from a Windows 7 Environment
Using FTK Imager Lite to Acquire RAM from Windows Server 2008
Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image
Monitoring Communication with the Victim Box
Scanning the Victim System
The Bottom Line
Chapter 7: Windows Filesystems
Filesystems vs. Operating Systems
Understanding FAT Filesystems
Understanding NTFS Filesystems
Using NTFS Data Structures
Creating, Deleting, and Recovering Data in NTFS
Dealing with Alternate Data Streams
The exFAT Filesystem
The Bottom Line
Chapter 8: The Registry Structure
Understanding Registry Concepts
Registry History
Registry Organization and Terminology
Performing Registry Research
Viewing the Registry with Forensic Tools
Using EnCase to View the Registry
Examining Information Manually
Using EnScripts to Extract Information
Using AccessData’s Registry Viewer
Other Tools
The Bottom Line
Chapter 9: Registry Evidence
Finding Information in the Software Key
Installed Software
Last Logon
Banners
Exploring Windows Security, Action Center, and Firewall Settings
Analyzing Restore Point Registry Settings
Windows XP Restore Point Content
Analyzing Volume Shadow Copies for Registry Settings
Exploring Security Identifiers
Examining the Recycle Bin
Examining the ProfileList Registry Key
Investigating User Activity
Examining the PSSP and IntelliForms Keys
Examining the MRU Key
Examining the RecentDocs Key
Examining the TypedURLs Key
Examining the UserAssist Key
Extracting LSA Secrets
Using Cain & Abel to Extract LSA Secrets from Your Local Machine
Discovering IP Addresses
Dynamic IP Addresses
Getting More Information from the GUID-Named Interface
Compensating for Time Zone Offsets
Determining the Startup Locations
Exploring the User Profile Areas
Exploring Batch Files
Exploring Scheduled Tasks
Exploring the AppInit_DLL Key
Using EnCase and Registry Viewer
Using Autoruns to Determine Startups
The Bottom Line
Chapter 10: Introduction to Malware
Understanding the Purpose of Malware Analysis
Malware Analysis Tools and Techniques
Constructing an Effective Malware Analysis Toolkit
Analyzing Malicious Code
Monitoring Malicious Code
Monitoring Malware Network Traffic
The Bottom Line
Part 3: Analyzing the Logs
Chapter 11: Text-Based Logs
Parsing IIS Logs
Parsing FTP Logs
Parsing DHCP Server Logs
Parsing Windows Firewall Logs
Using Splunk
The Bottom Line
Chapter 12: Windows Event Logs
Understanding the Event Logs
Exploring Auditing Settings
Using Event Viewer
Opening and Saving Event Logs
Viewing Event Log Data
Searching with Event Viewer
The Bottom Line
Chapter 13: Logon and Account Logon Events
Begin at the Beginning
Comparing Logon and Account Logon Events
Analyzing Windows 2003/2008 Logon Events
Examining Windows 2003/2008 Account Logon Events
The Bottom Line
Chapter 14: Other Audit Events
The Exploitation of a Network
Examining System Log Entries
Examining Application Log Entries
Evaluating Account Management Events
Interpreting File and Other Object Access Events
Examining Audit Policy Change Events
The Bottom Line
Chapter 15: Forensic Analysis of Event Logs
Windows Event Log Files Internals
Windows Vista/7/2008 Event Logs
Windows XP/2003 Event Logs
Repairing Windows XP/2003 Corrupted Event Log Databases
Finding and Recovering Event Logs from Free Space
The Bottom Line
Part 4: Results, the Cloud, and Virtualization
Chapter 16: Presenting the Results
Report Basics
Creating a Narrative Report with Hyperlinks
Creating Hyperlinks
Creating and Linking Bookmarks
The Electronic Report Files
Creating Timelines
CaseMap and TimeMap
Splunk
Testifying about Technical Matters
The Bottom Line
Chapter 17: The Challenges of Cloud Computing and Virtualization
What Is Virtualization?
The Hypervisor
Preparing for Incident Response in Virtual Space
Forensic Analysis Techniques
Dead Host-Based Virtual Environment
Live Virtual Environment
Artifacts
Cloud Computing
What Is It?
Services
Forensic Challenges
Forensic Techniques
The Bottom Line
Part 5: Appendices
Appendix A: The Bottom Line
Chapter 1: Network Investigation Overview
Chapter 2: The Microsoft Network Structure
Chapter 3: Beyond the Windows GUI
Chapter 4: Windows Password Issues
Chapter 5: Windows Ports and Services
Chapter 6: Live-Analysis Techniques
Chapter 7: Windows Filesystems
Chapter 8: The Registry Structure
Chapter 9: Registry Evidence
Chapter 10: Introduction to Malware
Chapter 11: Text-Based Logs
Chapter 12: Windows Event Logs
Chapter 13: Logon and Account Logon Events
Chapter 14: Other Audit Events
Chapter 15: Forensic Analysis of Event Logs
Chapter 16: Presenting the Results
Chapter 17: The Challenges of Cloud Computing and Virtualization
Appendix B: Test Environments
Software
Hardware
Setting Up Test Environments in Training Laboratories
Chapter 1: Network Investigation Overview
Chapter 2: The Microsoft Network Structure
Chapter 3: Beyond the Windows GUI
Chapter 4: Windows Password Issues
Chapter 5: Windows Ports and Services
Chapter 6: Live-Analysis Techniques
Chapter 7: Windows Filesystems
Chapter 8: The Registry Structure
Chapter 9: Registry Evidence
Chapter 10: Introduction to Malware
Chapter 11: Text-Based Logs
Chapter 12: Windows Event Logs
Chapter 13: Logon and Account Logon Events
Chapter 14: Other Audit Events
Chapter 15: Forensic Analysis of Event Logs
Chapter 16: Presenting the Results
Chapter 17: The Challenges of Cloud Computing and Virtualization
Index
End User License Agreement
Acquisitions Editor: Agatha Kim
Development Editor: Mary Ellen Schutz
Technical Editors: Lance Mueller, Rob Lee
Production Editor: Liz Britten
Copy Editor: Linda Recktenwald
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Book Designers: Maureen Forys, Happenstance Type-O-Rama; Judy Fung
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreaders: Sarah Kaikini, Scott Klemp; Word One, New York
Indexer: Ted Laux
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed
Cover Image: © Pete Gardner/Digital Vision/Getty Images
Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-16382-5
ISBN: 978-1-118-22614-8 (ebk.)
ISBN: 978-1-118-23608-6 (ebk.)
ISBN: 978-1-118-26411-9 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2011945567
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Windows is a registered trademark of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1
Dear Reader,
Thank you for choosing Mastering Windows® Network Forensics and Investigation, Second Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.
Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.
I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected]. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.
Best regards,
Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley
To my parents, with thanks for the countless times you have helped me along the way.
—Steve Anson
To Donna, my loving wife and partner for life, for your unwavering love, encouragement, and support.
—Steve Bunting
To my wife Stacy and my sons Finn and Declan, for your loving support, understanding, and most of all your patience. I wouldn’t be where I am without you all.
—Ryan Johnson
To my mother, Geneva Tucker, for introducing me to this digital world and for instilling in me the passion to work hard, while smiling in the face of adversity.
—Scott Pearson
Any work of this magnitude requires the hard work of many dedicated people, all doing what they enjoy and what they do best. In addition, many others have contributed indirectly, and without their efforts and support, this book would not have come to fruition. That having been said, there are many people deserving of our gratitude.
Our appreciation goes to our development editor, Mary Ellen Schutz, Gentle Editing LLC, our technical editors Lance Mueller and Rob Lee, and the entire team at Wiley for helping keep us on track and focused on the task at hand. Without them, this book would never have been completed. Finally, we would like to thank Aleksandar Palauzov for helping us test, document, and verify many of the facts and updates in this version of the book.
—The authors
The field of computer crime investigation is constantly evolving to try to address the challenges that come with each new technology, and no individual can keep up with this ever-changing landscape. Just as each case and each new incident require a group effort to address it, so did this project. I would like to thank all of my coworkers, students, teachers, and friends who have worked with me over the years and have shared their knowledge, trust, and insight. The team at Forward Discovery deserves special recognition for their daily contribution to my personal knowledge pool and for the countless times I reached out to them for advice while updating this version of the book. My thanks go to all of my previous coworkers at the former Sytex training group who worked with me to develop my initial understanding of many of the topics presented in this book, as well as to the hundreds of students who taught me as much as I ever taught them. Thanks also to everyone at the P.D. for the opportunities and friendships that you provided. To the agents of the FBI Task Force, the Defense Criminal Investigative Service, and the crew at the U.S. Department of State, Bureau of Diplomatic Security, Office of Antiterrorism Assistance - Cyber Division, I extend my heartfelt appreciation for the mentoring, knowledge, and friendship that you have shown to me. A special thanks goes to my coauthors, for their tireless and exceptional contribution to this project. Finally, I thank Juliet for being my rock in a sea of shifting sands.
—Steve Anson
The study of computer forensics can’t exist within a vacuum. To that extent, any individual examiner is a reflection and product of his instructors, mentors, and colleagues. Through them we learn, share ideas, troubleshoot, conduct research, grow, and develop. Over my career, I’ve had the good fortune of interacting with many computer forensics professionals and have learned much through those relationships. In no particular order, I would like to thank the following for sharing their knowledge over the years: Keith Lockhart, Ben Lewis, Chris Stippich, Grant Wade, Ed Van Every, Raemarie Schmidt, Mark Johnson, Bob Weitershausen, John Colbert, Bruce Pixley, Lance Mueller, Howie Williamson, Lisa Highsmith, Dan Purcell, Ben Cotton, Patrick Paige, John D’Andrea, Mike Feldman, Mike Nelson, Joel Horne, Mark Stringer, Fred Cotton, Ross Mayfield, Bill Spernow, Arnie “A.J.” Jackson, Ed Novreske, Bob Moses, Kevin Perna, Dan Willey, Scott Garland, Erik Miyake, Art Ehuan, Ryan Johnson, Shawn Fleury, Steve Williams, and Scott Pearson.
A special thanks also goes to Steve Anson, who is my fellow author on this project. Steve is a long-standing friend and mentor. He was a super partner in this endeavor, and his contribution to this work is immeasurable.
Last, but by no means least, I would like to acknowledge the contributions by my family. My parents instilled in me, at a very young age, an insatiable quest for knowledge that has persisted throughout my life, and I thank them for it along with a lifetime of love and support. My best friend and loving wife, Donna, encouraged and motivated me long ago to pursue computer forensics. While the pursuit of computer forensics never ends, without her support, sacrifices, motivation, sense of humor, and love, this book would never have been completed.
Thank you everyone.
—Steve Bunting
I hadn’t intended to get into a career in computers. When I was a kid, I wanted to be many things, but never once did I say that I wanted to investigate computer intrusions for a living. I got my first computer in the early ’80s and it was downhill from there.
I wish I could thank all the people in my life who helped to get me where I am now; however, I’m told that I’m not allowed to blow my page count by doing so. So for once in this book, I will be brief.
Thank you to my wonderful, loving, patient, and supportive wife, Stacy, for encouraging me to undertake this project and almost every other worthwhile endeavor I’ve embarked on. Your encouragement, sacrifice, and (sometimes forceful) prodding were instrumental to my being able to complete this process.
Thank you to my son, Finn, for letting me experience the sheer joy with which you engage your surroundings and for teaching me that it’s a lot more fun to eat spaghetti with your hands—and to the BT folks who taught me that that should really be considered more of a metaphor than anything else. Thank you to my son Declan, whose interaction with the world is a sight to behold and a source of constant enjoyment and wonder.
Thank you to Toby Terrill for being the person responsible for my stepping out of the safety of my lab and doing some very gratifying work with the U.S. military in Iraq. Thank you to Chris Chappell for always being there to laugh about the silliness all around us.
Thank you to Ray “NMN” Reyes, Scott Pearson, Lance Mueller, Steve Bunting, Jason Fry, Charles Giglia, Rob Lee, and Jansen Cohoon for never ceasing to entertain my questions and crazy concepts, even in the dead of night and from one side of the world to the other.
—Ryan Johnson
Digital forensics is an exciting field that attempts to satisfy the insatiable addiction for knowledge (and the latest technology) that exists in a very special group of people. I have had the great fortune of being introduced to some really great minds and shockingly interesting personalities who have collectively taught me how to research, but more important, how to think outside of the box—for this is where the bad guys we chase live and operate. Lance Mueller, Steve Bunting, Steve Anson, and Ryan Johnson—it has been a pleasure working with you on this project, and I am humbled that you would allow me into your circle to collaborate on your vision. Thank you for taking that chance when you really didn’t have to.
To my colleagues at the U.S. Department of State, Bureau of Diplomatic Security, Office of Antiterrorism Assistance - Cyber Division—I can’t thank you enough for investing the time and patience to show me the ropes and how to be a true professional in this field. It is because of your efforts that I have the confidence and credibility to even attempt a project such as this.
To my best friend and staunchest critic, Liezel Pearson—thank you for sacrificing your time and patience (and sanity) so that I could be a part of this book. You are the “glue” and I appreciate your countless words of encouragement when I needed them and the swift kicks to the backside when I needed them more.
—Scott Pearson
Steve Anson is currently the managing director of Forward Discovery Middle East (www.forwarddiscovery.com) providing digital forensics, incident investigation, and IT security solutions to clients in the Middle East, Africa, and Asia markets. He is an active instructor for the U.S. Department of State, Bureau of Diplomatic Security, Office of Antiterrorism Assistance - Cyber Division, providing training to law enforcement agencies, prosecutors, and judges around the world. Steve is a former special agent with the Pentagon’s Defense Criminal Investigative Service, where he conducted network investigations involving U.S. military systems. He holds a master’s degree in computer science, as well as numerous industry certifications. As a former contract instructor for the FBI, he taught hundreds of veteran federal agents, state and local police officers, and intelligence agency employees techniques for conducting computer-intrusion investigations. He also founded and supervised a local police department computer crime and information services unit and served as a cyber task force agent for the FBI. He has conducted investigations involving large-scale computer intrusions, counterterrorism, crimes against children, and many other offenses involving the substantive use of computers. Steve can be reached at [email protected].
Steve Bunting is a retired captain with the University of Delaware Police Department, where he was responsible for computer forensics, video forensics, and investigations involving computers. He has more than 35 years of experience in law enforcement, and his background in computer forensics is extensive. Currently, he is a senior forensic consultant with Forward Discovery, Inc., where he is responsible for conducting forensic examinations, electronic discovery planning and processing, investigative consultation, and course development and instruction. He develops courses and instructs for the U.S. Department of State, Bureau of Diplomatic Security, Office of Antiterrorism Assistance - Cyber Division. He is a Certified Computer Forensics Technician (CCFT), EnCase Certified Examiner (EnCE), and an Access Data Certified Examiner (ACE). He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence. He holds a bachelor’s degree in applied professions/business management from Wilmington College and a computer applications certificate in network environments from the University of Delaware. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has testified in court on numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a lead instructor at all course levels. He has been a presenter at several seminars and workshops, is the author of numerous white papers, and is the primary author of the book EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide, First Edition, Second Edition, and Third Edition. You can reach him at [email protected].
Ryan Johnson is a senior forensic consultant with Forward Discovery. He is a former digital forensics examiner for the Durham Police Department in Durham, North Carolina, where he helped develop, equip, and implement their initial digital forensics capability. He left the Durham Police Department in January 2007 to deploy with the U.S. Army to Iraq, where he served as a media exploitation analyst working with the brave men and women of the 25th ID, 1st CAV, and 4th ID. After leaving Iraq, he started with Forward Discovery, where he performs a variety of tasks including digital forensic examinations, electronic discovery, intrusion response, security consultations, and course development and instruction. He is an instructor and course developer with the U.S. Department of State, Bureau of Diplomatic Security, Office of Antiterrorism Assistance - Cyber Division. He is a Digital Forensics Certified Practitioner (DFCP), Certified Forensic Computer Examiner (CFCE), EnCase Certified Examiner (EnCE), and Seized Computer Evidence Recovery Specialist (SCERS). He holds two bachelor’s degrees from Queen’s University in Kingston, Ontario, Canada, and a master’s degree from Dalhousie University in Halifax, Nova Scotia, Canada. He has conducted investigations into some of the largest computer network breaches in the United States and abroad and specializes in theft of intellectual property cases. He can be reached at [email protected].
Since 2004, Scott Pearson has provided technical training and investigative consultations overseas to foreign law enforcement entities, military personnel, and network/system administrators in Antigua and Barbuda, Bahrain, Bangladesh, Colombia, Egypt, Ethiopia, Greece, India, Indonesia, Jordan, Kazakhstan, Kenya, Malaysia, Morocco, Pakistan, Philippines, Singapore, Thailand, Trinidad and Tobago, and Turkey. On behalf of the U.S. Department of State, Bureau of Diplomatic Security, Office of Antiterrorism Assistance - Cyber Division, he has advised and trained on topics pertaining to computer and mobile device forensics, network forensics, incident response, network security, Internet-based investigations, and various advanced consultations with emerging technologies. Pearson has helped design and build numerous digital forensics labs around the world for law enforcement entities in nations that have requested assistance from the United States government. Scott is also a certifying instructor on the Cellebrite UFED Logical and Physical Analyzer Mobile Device Forensics tool. From 2006 to 2007, Scott was also an instructor for the Department of Defense Computer Investigations Training Academy in Linthicum, Maryland, where he was a member of the Network Intrusions track and taught courses in advanced network log analysis to analysts from the United States Marine Corps, Navy, Air Force, and FBI. You can reach him at [email protected].
This book is about conducting a thorough investigation into incidents that occur in a Windows network. While that may seem like a fairly specific set of criteria, the reality is that thousands of such incidents occur every day, and although many people are able to provide some type of initial response, the pool of people qualified to fully investigate these incidents is surprisingly small. Incidents can range from misuse of company computers, to theft of corporate secrets, to intrusion into sensitive government computer systems. While each incident is unique and the severity of these incidents varies wildly, the skills needed to conduct an investigation into these types of incidents are remarkably similar. This book will provide you with many of those skills.
With more information, money, and power being placed into information systems every day, it is no wonder that the criminal element has embraced the computer as a tool. Whereas con artists of the past would target individual people on the street, they now target thousands at a time through e-mail phishing schemes. With vast sums of money moving from bank to bank not by armored car but by encrypted network traffic, it is no wonder that organized crime has come to rely on computer intrusion and electronic extortion as a preferred method of theft. Changes in technology have brought with them changes in criminal behavior, and with that must come changes in the law enforcement and security community response.
The computer security and law enforcement communities have done a good job of responding to many of these challenges. Most network security staff have a good understanding of the mechanics of computer intrusions and how to mitigate their exposure to such attacks. In addition, most law enforcement agencies currently have computer forensics capabilities that allow them to recover evidence stored on digital media using proper evidence-handling techniques. The current field of development seems to be in the areas where these two disciplines intersect. Most law enforcement agencies are very skilled at handling incidents involving one or two computers, and network security personnel are able to recover from network incidents fairly quickly. Effectively investigating a network incident requires a combination of the law enforcement officer’s investigative prowess and the technical expertise of the administrators.
This book attempts to bring these two disciplines together for a meeting of the minds. As more and more computer systems become interconnected, more criminal cases are involving not single computers but entire networks. However, as network security administrators recover from each security incident, they frequently destroy much of the evidence that a trained investigator could have used to piece together a picture of what occurred and what other damage might still lie hidden throughout the network. Similarly, when law enforcement or private network investigators arrive, they frequently lack the background in network administration and network investigation necessary to comprehend the entire scope of an incident.
This book will bridge the gap between the initial response of a network security team to perform a quick assessment and damage control and the more long-term goal of law enforcement to identify and prosecute an offender. We will discuss the initial stages of evidence collection, in which both network security and law enforcement personnel may be involved, as well as the more detailed analysis of log data, malicious software, and modus operandi that follow. Our approach will be to educate you on technical details of how these networks function, to show you how attackers can exploit these networks, and finally to teach you to detect and preserve the evidence of criminal activity that occurred in a network.
With Microsoft’s dominance in the current marketplace, it seems surprising that there are not more books that address the techniques required to conduct a thorough incident investigation within a Windows network. While there are many exceptional books on providing an initial response to an incident, there are few that go to the next level of discussing how to thoroughly investigate that incident to its logical conclusion. This book will attempt to fill that void. We will focus on Windows networks, not because they are more important than networks consisting of other types of systems, but because we must focus our efforts somewhere in order to provide a more in-depth treatment, and Windows machines make up the majority of current networks.
This book is designed primarily for two groups of people. First are the law enforcement or private network investigators who are responsible for locating, collecting, analyzing, and testifying to evidence of unauthorized activity on a computer or network of computers. Second are the network security administrators who live each day in the IT trenches fighting the good fight against a continuous onslaught of attackers. While the first group may have ultimate responsibility for conducting a thorough investigation and seeking charges in court or at an internal administrative hearing, the second group has a vested interest in seeing that process succeed. Since many of the actions taken by initial security response can set the tone for an entire investigation, it is in everyone’s best interest to understand the process, from the first admin to notice the problem to the final prosecutor making the case before the court.
Our approach is part computer science text, part network security manual, and part investigative notes. We will draw from real-case examples where appropriate to illustrate our points and will always attempt to draw real-world implications to any theory that we discuss. We will demonstrate how attackers do their business, so that you will be better informed as to how to do yours. We will provide many examples of tools and techniques that you can utilize in your investigations and will provide you with enough detailed information to do so.
At times, you may feel that the information being presented is almost too detailed. We firmly believe that it is not enough to know how to perform a certain technique, but you must also be able to explain why you would do so. It is incumbent upon the investigator to realize that in the end, an investigative technique is only as good as the investigator’s description of it in court. While you may know how to do all sorts of technically complicated tasks, if you cannot clearly explain to a jury what you did, and you cannot clearly articulate your actions under cross-examination by a defense attorney, then all of your efforts may be for naught. By providing you not only with information on how to find evidence but also with the understanding of why that evidence will be present and what it means in context, we hope to arm you with the information you will need not just during the initial response but also throughout the investigation and ultimately into the courtroom.
This book is not a step-by-step guide or a best-practices manual. While such rote methods may be appropriate in some disciplines, network investigation is far too complex for a follow-the-recipe approach. Instead, we will arm you with the information you will need to assess each unique case and make the investigative decisions that you will need to make based on the facts of each investigation. Following all of the techniques outlined in this book for every case would be foolish. You will learn to assess the variables involved for yourself and perform the actions that are most appropriate for your case. When reading this book, always remain cognizant of the fact that there are many different types of investigations that can involve a Windows network, and each case will be unique. The steps to investigating an intrusion into a government network perpetrated by a foreign country will definitely be different from those involved in investigating the storage of pornography by an employee on a corporate server. As more criminals turn to computers as a means to further criminal acts, this variety will only increase, and your need to make informed investigative decisions will be even more critical.
Since this book bridges different disciplines, finding an adequate starting point is a challenge. The book is designed as an intermediate-to-advanced text on conducting network investigations in a Windows environment. It is not intended to be a person’s first introduction to computer investigation, and we will assume a good deal of knowledge on your part. We’ll assume you have the ability to perform basic computer forensic acquisitions and analysis as well as have a basic knowledge of investigative procedure, but a lack of this knowledge should not leave you in the dark. We will also assume a basic familiarity with computer network technology and basic network design. With that being said, we do not want to leave any readers behind and have designed the first two chapters as primers.
A major premise of this book is that it is vital for a network investigator to understand the technology and function of networks. Since each investigation is unique, the investigator will be required to make numerous decisions throughout the investigation that will greatly impact the likelihood of success. Without a thorough understanding of how Windows networks function, an investigator will not be properly equipped to make these decisions and might hinder the investigative process. At the same time, we limit detailed technical discussion to areas that are relevant to conducting investigations and do not go into detail where it is not warranted. Try to stick with us through some of the denser technical material. The journey will lead you to a place of better technical understanding and improved investigative ability.
This book contains many specific examples of how to use particular tools or products to further your investigations. We have made an effort to focus on tools that can be freely acquired or those that are already in wide use by law enforcement and network security organizations. While we will mention specific products in order to provide concrete examples, we do not endorse any of the products that we mention. We also do not attest to their safety or fitness for use. As with anything else, use your common sense and best judgment to determine the applicability of any tool that we discuss to your situation. We also provide several examples of tools used to commit attacks against networks so that you may better understand the techniques that may be used to commit a crime within a network. Certainly, we do not advocate the malicious use of these tools, nor do we suggest that they are safe. You should carefully control any educational use of such tools within a suitable testing environment.
For a detailed list of the software and minimum hardware requirements needed to create the testing environment for the exercises in each chapter, please refer to Appendix B, “Testing Environments,” available online from www.sybex.com/go/masteringwindowsforensics.
Mastering Windows Network Forensics and Investigation is organized to provide you with the knowledge needed to master the art of conducting a thorough investigation into incidents that occur within a Windows network. Starting with introductory information and working through in-depth analysis, this book covers a wide range of topics of interest to those people tasked with making sense of the chaos that occurs daily in computer networks.
By the time you reach Chapter 3, the introductory material should be behind you and more in-depth work can begin. Both administrators and investigators should be able to rally together at Chapter 3 and proceed in lockstep from that point forward.
The Mastering series from Sybex provides outstanding instruction for readers with intermediate and advanced skills, in the form of top-notch training and development for those already working in their field and clear, serious education for those aspiring to become pros. Every Mastering book includes the following:
Real-World Scenarios, ranging from case studies to interviews, to show how you apply the tool, technique, or knowledge presented in actual practice
Skill-based instruction, with chapters organized around real tasks rather than abstract concepts or subjects
Self-review test questions, so you can be certain you’re equipped to do the job right
Chapter 1: Network Investigation Overview
Chapter 2: The Microsoft Network Structure
Chapter 3: Beyond the Windows GUI
Chapter 4: Windows Password Issues
Chapter 5: Windows Ports and Services
As mentioned in the introduction, this chapter provides background information to those readers who do not have a great deal of experience in conducting network investigations. Since much of this book will focus on the techniques used to conduct these investigations, a basic working knowledge of the steps required to use them is essential to getting the most out of this text. Those who have an extensive amount of experience in this area will probably be able to skim this chapter and proceed to Chapter 2, “The Microsoft Network Structure.”
With that disclaimer out of the way, we’ll now cover the steps generally involved in conducting an investigation of a network intrusion or similar network-related incident. It is important to note that this section will deal with broad generalities. Every investigation is unique, and it is the responsibility of the investigator to analyze each situation to determine the appropriate investigative approach. Making these decisions and implementing the associated techniques require a great deal of subject matter expertise, and the remainder of this book is designed to provide you with the information and techniques that you will need to be an effective Windows network investigator.
In this chapter, you will learn to
Gather important information from the victim of a network incident
Identify potential sources of evidence in a network investigation
Understand types of information to look for during analysis of collected evidence
The vast majority of intrusion investigations begin with a phone call. Someone, somewhere has encountered something that makes them suspect that they are the victim of a computer hacker. The first thing any investigator must learn is that many of the people who pick up a phone to report an incident are not victims. It is important to conduct an initial assessment of any report and determine its legitimacy in order to avoid unnecessary and unproductive false starts.
Since most cases begin with a phone call, it makes sense to perform your initial investigation while on the phone. This saves a great deal of time by allowing you to get preliminary information to determine exactly what resources (if any) you will need to bring to bear to conduct an appropriate investigation into the incident being reported. Obviously, if the reported incident involves classified or otherwise sensitive information, you will need to factor operational-security concerns into your approach. In such cases, you may need to perform even your initial vetting in person at an appropriately secure facility. While each situation will be unique, the following list of questions will provide you with a good starting point for performing your initial inquiries:
After you have an idea of what has transpired, you will be in a position to make suggestions to the caller to help preserve any evidence that may exist. The instructions that you give in this regard will depend on the specifics of the case, and by the end of this book you will have the knowledge necessary to make that determination. In many cases, the best advice is simply to suggest that the computer be left powered on and that only the network cable be disconnected if necessary to prevent further damage. Again, there will be situations where this is not the best idea, but each case must be analyzed independently.
Once you have gathered enough information to determine that some type of incident occurred and that you are the appropriate person or agency to respond to that incident, it is time to get your investigation under way. At this stage, it is best to arrange a meeting with the reporting person and anyone else who has relevant information about the incident.
If possible, the first face-to-face meeting with the victim organization should take place in a quiet meeting room with at least one whiteboard available. After the initial introductions, have the reporting person explain what is known about the incident in very broad terms. During this meeting, there are some very specific pieces of information that you will need to obtain, so don’t let the initial overview get into too much detail. After everyone agrees on a very general view of what you are all gathered to discuss, take control of the meeting and begin to gather information in a systematic manner. The following sections will give you some ideas on information that you need to ascertain, but keep in mind that no two investigations will be exactly alike.
Before you can even begin a serious discussion of any incident, you must first establish a baseline understanding of the network environment in which the incident took place. This is no different than performing an initial assessment of the scene of a burglary or any other crime. Just as an investigator of a physical crime must identify possible points of entry or exit, location of valuables, items that may be missing or moved, and so on, the same concepts apply when conducting a computer-related investigation.
One of the first things that you will need to get clear in your own mind is the topology of the victim network. The topology refers both to the physical location of the various pieces of hardware, media, and so on that constitute the network and to the way that data logically flows through that network. You should have a clear understanding of any connections that lead to outside networks such as partner organizations or the Internet. Identify which security controls, such as firewalls, IDSs, and filtering routers, are in place at possible entry or exit points to the network and within the core of the network. Obtaining a current network diagram (if available) or using a whiteboard to sketch out the network visually at this point can be very helpful. Start trying to identify possible sources of evidence within the network, such as devices that generate logs and/or monitor network communications. Gain an understanding of any proprietary technologies or systems with which you are not familiar by asking specific and detailed questions to clarify the network’s design and function.
Get a sense of how the network is used and what normal patterns of usage might be. By understanding what type of activity is typical, you will be in a better position when analyzing evidence for activity that may be abnormal and malicious. Here are some questions that will help you determine normal usage patterns:
Do you have employees who log in from remote locations?
Do partner organizations have access to any of your systems?
During what times do your employees normally access the network?
Do remote connections normally last for long periods of time (such as interactive user logons), short periods of time (such as automated transactions or updates), or variable amounts of time?
Which systems house sensitive data, and which users should have access to those systems?
Are all of your systems located in this facility, or are you using remote data centers or cloud service providers?
By asking these and similar questions, you will be able to understand both how the network is structured and how it is used by legitimate users. Without this information, it is virtually impossible to perform a successful network investigation.
Now that you have had a chance to get acquainted with the electronic crime scene, let’s get into the details of the incident itself. You’ve already given the reporting person two opportunities (once in the initial vetting and once at the beginning of the face-to-face meeting) to give you the highlights of what has occurred, so you should have a fair idea of what has happened that raised concern. At this stage, you should direct the conversation and get all the detailed information that you can about the timeline, methods, scope, and outcome of the incident. Don’t allow the interviewees to rush ahead of you. Make sure that you understand all of the necessary details of each step before allowing the conversation to move forward.
One thing to keep in mind is that the victim may have already developed a theory of the crime that might or might not bear any similarity to reality. They may even have put together a very fancy post-incident response report and believe that they are handing you a gift-wrapped case ready for prosecution. While we have received many such reports, we have never seen one that was 100 percent accurate. As the investigator, it is your job to review any information that you receive and check it for factual accuracy.
After you have determined exactly what the alleged attacker did that caused such upset, it is time to ask one of the most important questions of the interview: “What have you done in response to the incident?” This can be a very telling question. First, you can further gauge the competency of your victims by listening to the steps that they took and analyzing the appropriateness of their response. Second, you get a good idea at this point how much evidence might still be available to you.
For example, if you ask your victim what they did in response to the incident and receive an answer of, “We screamed in sheer panic for 30 seconds and then immediately called you,” then you know two things: these may not be the most technically proficient people, and your evidence is likely right where the attacker left it. If, on the other hand, you receive a response such as, “We immediately downed the affected systems, did a bit-level zeroing of all media contained within them, reinstalled from known-good media, and restored the network to full functionality,” you know you are dealing with a fairly technically competent crew that has stomped all over your evidence and your chances of working a successful case.