Win Forensics (Volatile Info)

Win Forensics in Volatile Information

Win Forensics
Win forensics in non-volatile information
http://systw.net/note/af/sblog/more.php?id=318
Win forensics in volatile information
http://systw.net/note/af/sblog/more.php?id=316
Win forensics in file
http://systw.net/note/af/sblog/more.php?id=317
Registry
http://systw.net/note/af/sblog/more.php?id=178
Windows Executable File
http://systw.net/note/af/sblog/more.php?id=306 

 

Volatile information
is information that can be easily modified or lost when the system is shut down or rebooted.
It helps to determine a logical timeline of the security incident and the users who would be responsible.

Tools like the following:
Rekall, http://www.rekall-forensic.com/
Volatility Framework, http://volatilityfoundation.org/

.......................................................................................................................................

User Analysis

net session
displays the username and IP address of each remote logon session

third-party tools:
logonsessions
psloggedon


.................................................................................................................

 

Open File Analysis

net file
shows the names of all open shared files on a server and the number of file locks on each file
format: net file [ID [/close]]

openfiles
openfiles /parameter [arguments]

psfile
third-party tool


ps:
doskey /history
shows the command history of the current cmd session
ps: when the cmd window is closed, the history is gone

 

.................................................................................................................

Resource Analysis

net use
lists the connection records of the shared resources currently in use
looking at which sessions the machine has opened with other systems

net share
lists all shared resources on the local computer

net start
shows all of the network services running on Windows-based servers


.................................................................................................................

 

Network Analysis

netstat
a tool for collecting information about network connections.
It provides a simple view of TCP and UDP connections, their state, and network traffic statistics.
ex:
netstat -ano: displays all TCP and UDP connections and listening ports in numeric form, with the owning PID
netstat -b: displays the executable (binary) involved in creating each connection or listening port
netstat -r: displays the routing table
netstat -s: displays per-protocol statistics


refer
netstat command
http://systw.net/note/af/sblog/more.php?id=305
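Added example (not part of the original notes): a small Python script that joins the PID column of `netstat -ano` with the PID column of `tasklist`, so each listening port and connection is shown with its owning image name. The netstat and tasklist text, the PIDs and the image names are constructed samples in the real tools' layout, not output captured from a host.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of `netstat -ano` (not captured from a real host).
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     4412
  TCP    [::]:3389              [::]:0                 LISTENING       1020
  UDP    0.0.0.0:5355           *:*                                    1204
"""
# Constructed sample in the layout of `tasklist` (header rows omitted).
TASKLIST_OUTPUT = """
System Idle Process              0 Services                   0          4 K
svchost.exe                    968 Services                   0     17,252 K
svchost.exe                   1020 Services                   0     12,004 K
svchost.exe                   1204 Services                   0      9,880 K
updater.exe                   4412 Console                    1      3,100 K
"""
# Columns: image name (may contain spaces), PID, session name, session#, mem usage.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)$")

def parse_tasklist(text):
    """Map PID -> image name from tasklist's table rows."""
    pids = {}
    for line in text.strip().splitlines():
        m = TASKLIST_RE.match(line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def parse_netstat(text):
    """One dict per row; UDP rows have no State column, so the PID is the last token."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("TCP", "UDP"):
            continue
        local, port = t[1].rsplit(":", 1)  # rsplit keeps IPv6 literals like [::] intact
        rows.append({"proto": t[0], "local": local, "port": int(port), "foreign": t[2],
                     "state": t[3] if t[0] == "TCP" else "", "pid": int(t[-1])})
    return rows

def connections_by_process(netstat_text, tasklist_text):
    """Join on PID: image name -> [(proto, local port, state, foreign address)]."""
    names = parse_tasklist(tasklist_text)
    joined = defaultdict(list)
    for r in parse_netstat(netstat_text):
        name = names.get(r["pid"], "<unknown pid %d>" % r["pid"])
        joined[name].append((r["proto"], r["port"], r["state"], r["foreign"]))
    return dict(joined)
```

A PID that appears in netstat but not in tasklist is reported as `<unknown pid N>`, which is itself worth a second look during triage.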

 


.................................................................................................................

 

Process Analysis

PID (process ID)
PPID = parent process ID
PID 4 is System
ps:
PID order
a lower PID means the process was started earlier (some processes always have a low PID, like System)
PID order can be shown with a PID tree (PID and PPID)
PID order can indicate an anomaly, ex: a process that should have a low PID now has a high PID, which means the process was restarted, possibly by malware

ps:
Most processes may have no parent process, but the svchost process always has a parent process, and it is started by a service
ex: the parent process of svchost.exe is usually services.exe
Most processes opened by the user are usually started by explorer.exe
ex: the parent process of Internet Explorer (IEXPLORE.EXE) is usually explorer.exe
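Added example (not from the original notes): the PID/PPID rules above applied in Python to a constructed process list, rendering the tree the way tlist would and flagging a parent that breaks a rule. The process names, PIDs and PPIDs are made up for illustration; the rule tables encode only the two parentage rules stated above.

```python
from collections import defaultdict

# Constructed (name, PID, PPID) records, as a PID tree would show them; not from a real
# host. The svchost.exe with PID 5120 is deliberately wrong: its parent is a browser.
PROCESSES = [
    ("System", 4, 0),
    ("smss.exe", 368, 4),
    ("wininit.exe", 724, 368),
    ("services.exe", 868, 724),
    ("svchost.exe", 968, 868),
    ("winlogon.exe", 800, 620),   # parent 620 (csrss) is not in the list: shown as a root
    ("explorer.exe", 2312, 800),
    ("iexplore.exe", 3104, 2312),
    ("svchost.exe", 5120, 3104),
]
# Parentage rules from the notes above: svchost.exe must come from services.exe;
# programs the user launches (e.g. iexplore.exe) are usually children of explorer.exe.
STRICT_PARENT = {"svchost.exe": "services.exe"}
USUAL_PARENT = {"iexplore.exe": "explorer.exe"}
def build_tree(processes):
    """Return (pid -> (name, ppid), ppid -> [child pids])."""
    by_pid = {pid: (name, ppid) for name, pid, ppid in processes}
    children = defaultdict(list)
    for name, pid, ppid in processes:
        children[ppid].append(pid)
    return by_pid, children
def render_tree(processes):
    """Indented PID tree (like tlist); a PID whose parent is absent starts its own tree."""
    by_pid, children = build_tree(processes)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + "%s (%d)" % (by_pid[pid][0], pid))
        for child in sorted(children[pid]):
            walk(child, depth + 1)
    for pid in sorted(p for p, (_, ppid) in by_pid.items() if ppid not in by_pid):
        walk(pid, 0)
    return lines
def find_anomalies(processes):
    """Flag processes whose parent breaks the strict rule (ALERT) or the usual one (INFO)."""
    by_pid, _ = build_tree(processes)
    findings = []
    for name, pid, ppid in processes:
        parent = by_pid[ppid][0] if ppid in by_pid else "<missing>"
        if name in STRICT_PARENT and parent != STRICT_PARENT[name]:
            findings.append("ALERT %s (%d): parent is %s (%d), expected %s"
                            % (name, pid, parent, ppid, STRICT_PARENT[name]))
        elif name in USUAL_PARENT and parent != USUAL_PARENT[name]:
            findings.append("INFO %s (%d): parent is %s (%d), usually %s"
                            % (name, pid, parent, ppid, USUAL_PARENT[name]))
    return findings
```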

..................

Process dump tools
tools for dumping process memory to a file

pmdump
process dumper (pd.exe)
procdump, Sysinternals tool
userdump
tools for analyzing a process memory dump
bintext: extracts ASCII, Unicode, and resource strings from the dump file
strings: reads the dump file and outputs its text strings
handle.exe: provides a list of handles that have been opened by the process
listdlls.exe

Tools for analyzing processes:
tasklist
pslist
listdlls
handle
tlist: lists processes as a tree

...................

handle
displays information about open handles for any process in the system
the information includes open files, registry keys, threads, ...etc
ex:
handle -p winlogon.exe
handle "C:\WINDOWS"


...

listdlls
third-party tool
shows the modules or DLLs that are in use by a process
ps: most DLLs are in system32
ex:
listdlls winlogon.exe
listdlls -d GDI32.dll

...

tasklist
displays a list of applications and services with their process ID (PID) for all tasks running on either a local or a remote computer.
common parameters
/fo <TABLE|LIST|CSV>
/m [ModuleName]
/svc
/v
ex:
> tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ ===========
System Idle Process 0 Services 0 4 K
System 4 Services 0 815,872 K
smss.exe 368 Services 0 932 K
csrss.exe 620 Services 0 4,124 K
wininit.exe 724 Services 0 4,400 K
csrss.exe 732 Console 1 24,028 K
winlogon.exe 800 Console 1 30,456 K
services.exe 868 Services 0 5,996 K
lsass.exe 876 Services 0 13,560 K
svchost.exe 968 Services 0 17,252 K
...omit...

tasklist -v
lists processes with the fields below
Image Name, ex: csrss.exe
PID, ex: 620
Session Name, ex: Services
Session#, ex: 0
Mem Usage, ex: 4,124 K
Status, ex: Unknown
User Name, ex: NT AUTHORITY\SYSTEM
CPU Time, ex: 0:00:02
Window Title, ex: N/A

tasklist -svc
lists all the service names that run inside each svchost
ps:
the service "name" is the same as the key name HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"name" in the registry; its Parameters subkey holds information such as the service DLL
ex:
> tasklist -svc
Image Name PID Services
========================= ========
System Idle Process 0 N/A
System 4 N/A
smss.exe 368 N/A
csrss.exe 620 N/A
wininit.exe 724 N/A
csrss.exe 732 N/A
winlogon.exe 800 N/A
services.exe 868 N/A
lsass.exe 876 KeyIso, SamSs, VaultSvc
svchost.exe 968 BrokerInfrastructure, DcomLaunch, LSM,
PlugPlay, Power, SystemEventsBroker
...omit...


refer
https://technet.microsoft.com/en-us/library/bb491010.aspx

...

process explorer
GUI third-party tool
ps:
it loads procexp152.sys, so it can go deep into Windows to read more detail

1. look at the strings of the process
image: the raw process image on disk (strange characters sometimes appear, because it is encoded)
memory: the process after decoding, as it appears in memory

2. look at the start address of each process thread
normal: an exe or dll
abnormal: a bare address

3. check VirusTotal
if the file is not in VirusTotal, it is anomalous, because that means the file is new (which should not happen)

ps:
Sysinternals tools alone cannot see the following:
hidden running processes
terminated processes
OS kernel modules (malware signed with a stolen certificate can be loaded as a driver and injected into the Windows kernel)

 

Published 2015-10-23 13:41:38, modified 2016-03-02 09:57:25
