Win Forensics in Volatile Information
Volatile information
Volatile information can easily be modified or lost when the system is shut down or rebooted.
It helps to establish a logical timeline of the security incident and to identify the users who may be responsible.
Tools like the ones below:
Rekall, http://www.rekall-forensic.com/
Volatility Framework, http://volatilityfoundation.org/
………………………………………………………………………………………………………………………
User Analysis
net session
displays the username and IP address of each remote login session
third-party tools:
logonsessions
psloggedon
…………………………………………………………………………………………………..
Open File Analysis
net file
shows the names of all open shared files on a server and the number of file locks on each file
format: net file [ID [/close]]
openfiles
openfiles /parameter [arguments]
psfile
third-party tool
ps:
doskey /history
shows the command history of the current cmd session
ps: once the cmd window is closed, its history is gone
…………………………………………………………………………………………………..
Resource Analysis
net use
lists the connections to shared resources currently in use
shows which sessions this machine has opened with other systems
net share
lists all shared resources on the local computer
net start
shows all of the network services running on Windows-based servers
…………………………………………………………………………………………………..
Network Analysis
netstat
a tool for collecting information about network connections.
It provides a simple view of TCP and UDP connections, their state, and network traffic statistics.
ex:
netstat -ano: display TCP and UDP connections, listening ports, and the owning PID
netstat -b: display the executable (binary) involved in creating each connection
netstat -r
netstat -s
refer
netstat command
https://systw.net/note/af/sblog/more.php?id=305
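The PID column of netstat -ano is only useful once it is joined with a process listing. The following is an added example (not code from the original note) that joins constructed netstat -ano and tasklist /fo csv output so each socket is attributed to an image name; PIDs absent from tasklist are marked for follow-up.

```python
# Added example (not from the original note): join "netstat -ano" with
# "tasklist /fo csv" so every socket is attributed to an image name.
# Both outputs below are constructed samples, not captures from a real host.
import csv
import io

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    10.0.0.5:49712         203.0.113.9:443        ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1456
"""

TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","968","Services","0","17,252 K"
"notepad.exe","3120","Console","1","9,104 K"
"""

def parse_netstat_ano(text):
    """Return (proto, local, remote, state, pid) tuples from netstat -ano.
    UDP rows have no State column, so the field count differs per row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append((proto, local, remote, state, int(pid)))
    return rows

def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def attribute_sockets(netstat_text, tasklist_text):
    """One dict per socket. A PID missing from tasklist is marked '<no process>':
    the process may have exited, or it may be hidden from user-mode tools."""
    names = parse_tasklist_csv(tasklist_text)
    return [{"proto": p, "local": l, "remote": r, "state": s, "pid": pid,
             "image": names.get(pid, "<no process>")}
            for p, l, r, s, pid in parse_netstat_ano(netstat_text)]
```

Run attribute_sockets(NETSTAT_ANO, TASKLIST_CSV) to get the joined list; a "<no process>" entry means the PID had no tasklist row at the time of capture.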
…………………………………………………………………………………………………..
Process Analysis
PID (process ID)
PPID = parent process ID
PID 4 is system
ps:
PID order
a lower PID generally means the process started earlier (some processes always have a low PID, like System)
PID order can be shown as a PID tree (PID and PPID)
PID order can indicate anomalies, ex: a process that normally has a low PID now has a high PID, which may mean it was restarted by malware
ps:
most processes may have no (surviving) parent process, but svchost always has a parent process, and it is started by services
ex: the parent process of svchost.exe is usually services.exe
most processes opened by a user are started by explorer.exe
ex: the parent process of Internet Explorer (IEXPLORE.EXE) is usually explorer.exe
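The parent-process rules above can be checked mechanically. The following is an added example (not code from the original note) that applies them to a constructed PID/PPID snapshot and renders the same PID tree a tool like tlist would show; the snapshot values and the USER_APPS list are assumptions for illustration.

```python
# Added example (not from the original note): apply the parent-process rules
# above to a PID/PPID snapshot. The snapshot is constructed; on a live system
# it would come from a tool that reports PPID (e.g. pslist -t).
from collections import defaultdict

# (pid, ppid, image name) - constructed sample, not a real capture
SNAPSHOT = [
    (4,    0,    "System"),
    (368,  4,    "smss.exe"),
    (724,  368,  "wininit.exe"),
    (868,  724,  "services.exe"),
    (968,  868,  "svchost.exe"),
    (1500, 1200, "explorer.exe"),  # parent already exited: normal for explorer
    (2100, 1500, "IEXPLORE.EXE"),
    (3300, 2100, "svchost.exe"),   # svchost under a user process: suspicious
    (3400, 9999, "cmd.exe"),       # user app whose parent is gone, not explorer
]
USER_APPS = {"IEXPLORE.EXE", "cmd.exe"}  # normally children of explorer.exe

def check_parents(snapshot):
    """Return (pid, name, reason) for processes that break the note's rules."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    findings = []
    for pid, ppid, name in snapshot:
        parent = by_pid[ppid][1] if ppid in by_pid else None
        if name.lower() == "svchost.exe" and parent != "services.exe":
            findings.append((pid, name, f"parent is {parent}, expected services.exe"))
        elif name in USER_APPS and parent != "explorer.exe":
            findings.append((pid, name, f"parent is {parent}, expected explorer.exe"))
    return findings

def render_tree(snapshot):
    """Return the PID tree as indented lines, like tlist / pslist -t.
    Processes whose parent no longer exists become roots of their own."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    children = defaultdict(list)
    for pid, ppid, _ in snapshot:
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid][1]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid, ppid, _ in snapshot if ppid not in by_pid):
        walk(root, 0)
    return lines
```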
………………
Process dump tool
tools for dumping a process's memory to a file
pmdump
process dumper (pd.exe)
procdump, Sysinternals tool
userdump
tools for analyzing a process memory dump
bintext: extracts ASCII, Unicode, and resource strings from the dump file
strings: reads the dump file and outputs the strings it contains as text
handle.exe: provide a list of handles that have been opened by the process
listdlls.exe
Tools for analyzing processes:
tasklist
pslist
listdlls
handle
tlist: lists processes as a tree
……………….
handle
displays information about open handles for any process in the system
the information includes open files, registry keys, threads, etc.
ex:
handle -p winlogon.exe
handle "C:\WINDOWS"
…
listdlls
third-party tool
shows the modules or DLLs in use by a process
ps: most DLLs are in system32
ex:
listdlls winlogon.exe
listdlls -d GDI32.dll
…
tasklist
Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.
common parameters
/fo <TABLE|LIST|CSV>
/m [ModuleName]
/svc
/v
ex:
> tasklist
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0    815,872 K
smss.exe                       368 Services                   0        932 K
csrss.exe                      620 Services                   0      4,124 K
wininit.exe                    724 Services                   0      4,400 K
csrss.exe                      732 Console                    1     24,028 K
winlogon.exe                   800 Console                    1     30,456 K
services.exe                   868 Services                   0      5,996 K
lsass.exe                      876 Services                   0     13,560 K
svchost.exe                    968 Services                   0     17,252 K
...omit...
tasklist -v
lists each process with the following columns:
Image Name, ex:csrss.exe
PID, ex:620
Session Name, ex:Services
Session#, ex:0
Mem Usage, ex:4,124 K
Status, ex:Unknown
User Name, ex:NT AUTHORITY\SYSTEM
CPU Time, ex:0:00:02
Window Title, ex:N/A
tasklist -svc
lists all service names that run inside each svchost
ps
the "name" of a service is the same as its subkey name under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"name"
in the registry; the Parameters subkey there holds information such as the service DLL
ex:
> tasklist -svc
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       368 N/A
csrss.exe                      620 N/A
wininit.exe                    724 N/A
csrss.exe                      732 N/A
winlogon.exe                   800 N/A
services.exe                   868 N/A
lsass.exe                      876 KeyIso, SamSs, VaultSvc
svchost.exe                    968 BrokerInfrastructure, DcomLaunch, LSM,
                                   PlugPlay, Power, SystemEventsBroker
...omit...
refer
https://technet.microsoft.com/en-us/library/bb491010.aspx
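Parsing tasklist /svc by hand is error-prone because long service lists wrap onto a continuation line, as in the svchost.exe row above. The following is an added example (not code from the original note) that parses a constructed tasklist /svc listing, handles the wrapped rows, and maps each hosted service to its key under the Services registry path the note names.

```python
# Added example (not from the original note): parse "tasklist /svc" output,
# including service lists that wrap onto a continuation line, and map each
# hosted service to its registry key. The sample output is constructed from
# the listing above; the key prefix is the one the note names.
import re

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      876 KeyIso, SamSs, VaultSvc
svchost.exe                    968 BrokerInfrastructure, DcomLaunch, LSM,
                                   PlugPlay, Power, SystemEventsBroker
svchost.exe                   1104 RpcEptMapper, RpcSs
"""

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, service list

def split_services(chunk):
    return [s.strip() for s in chunk.split(",") if s.strip()]

def parse_tasklist_svc(text):
    """Return {pid: (image, [service names])}. A line that starts with
    whitespace continues the service list of the previous row."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:  # wrapped service list
            procs[last][1].extend(split_services(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = (image, [] if svcs == "N/A" else split_services(svcs))
        last = pid
    return procs

def service_keys(procs, pid):
    """Registry keys for the services hosted in one process; for svchost
    services the Parameters subkey under each key names the service DLL."""
    return [SERVICES_KEY + "\\" + name for name in procs[pid][1]]
```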
…
process explorer
GUI third-party tool
ps:
it loads the procexp152.sys driver, so it can go deeper into Windows and read more detail
1. look at the strings of the process
image: strings of the raw process image on disk (sometimes they look like garbage, because the file is encoded)
memory: strings of the process after it has been decoded in memory
2. look at the start address of each process thread
normal: an exe or dll
abnormal: a bare address
3. check VirusTotal
if the file is not on VirusTotal, it is anomalous, because that means the file is new (which should be impossible for a legitimate file)
ps:
Sysinternals tools alone cannot see the following:
hidden running processes
terminated processes
OS kernel modules (a stolen certificate is used to sign malware as a driver and inject it into the Windows kernel)