{"id":353,"date":"2015-10-23T19:34:00","date_gmt":"2015-10-23T11:34:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=353"},"modified":"2023-10-30T19:38:31","modified_gmt":"2023-10-30T11:38:31","slug":"win-forensicsvolatileinfo","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/353","title":{"rendered":"Win Forensics(VolatileInfo)"},"content":{"rendered":"\n

Win Forensics in Volatile Infomation<\/p>\n\n\n\n

Win Forensics<\/strong>
Win forensics in non-volatile information
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=318<\/a>
Win forensics in volatile information
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=316<\/a>
Win forensics in file
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=317<\/a>
Registry
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=178<\/a>
Windows Executable File
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=306 <\/a><\/p>\n\n\n\n

Volatile information<\/strong>
it can be easily modified or lost when the system is shut down or rebooted.
It helps to determine a logical timeline of the security incident and the users who would be responsible.<\/p>\n\n\n\n

Tool like below<\/strong>
Rekall,http:\/\/www.rekall-forensic.com\/
Volatility Framework ,http:\/\/volatilityfoundation.org\/<\/p>\n\n\n\n

………………………………………………………………………………………………………………………<\/p>\n\n\n\n

User Analysis<\/strong><\/h2>\n\n\n\n

net session<\/strong>
display username and ip of remote login session

third party tool:<\/strong>
logonsessions
psloggedon
…………………………………………………………………………………………………..<\/p>\n\n\n\n

Open File Analysis<\/strong><\/h2>\n\n\n\n

net file<\/strong>
show the names of all open shared files on a server and number of file locks on each file
format: net file [ID [\/close]]<\/p>\n\n\n\n

openfiles<\/strong>
openfiles \/parameter [arguments]<\/p>\n\n\n\n

psfile<\/strong>
third party tool<\/p>\n\n\n\n


ps:
doskey \/history<\/strong>
Show command history in cmds
ps: when cmd is closed, history is null<\/p>\n\n\n\n

…………………………………………………………………………………………………..<\/p>\n\n\n\n

Resource Analysis<\/strong><\/h2>\n\n\n\n

net use<\/strong>
\u5217\u51fa\u76ee\u524d\u5728\u4f7f\u7528\u7684\u5171\u4eab\u8cc7\u6e90\u9023\u7dda\u8a18\u9304
looking at which sessions the machine has opened with other systems<\/p>\n\n\n\n

net share<\/strong>
\u5217\u51fa\u672c\u6a5f\u96fb\u8166\u4e0a\u6240\u6709\u5171\u4eab\u8cc7\u6e90<\/p>\n\n\n\n

net start<\/strong>
shows all of the network services running on Windows-based servers
…………………………………………………………………………………………………..<\/p>\n\n\n\n

Network Analysis<\/strong><\/h2>\n\n\n\n

netstat<\/strong>
a tool for collecting Information regarding network connections.
It provides a simple view of TCP and UDP connections, and their state and network traffic statistics.
ex:
netstat -ano: display the tcp and udp network ,listening ports,PID
netstat -b: display binary
netstat -r
netstat -s<\/p>\n\n\n\n


refer
netstat command
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=305<\/a><\/p>\n\n\n\n

…………………………………………………………………………………………………..<\/p>\n\n\n\n

Process Analysis<\/strong><\/h2>\n\n\n\n

PID(process id)<\/strong>
PPID = parent of process id
PID 4 is system
ps:
PID order<\/strong>
lower pid mean early execute (some process is lower PID, like system )
PID order can be showed by PID tree( PID and PPID)
PID order can indicate whether anomaly,\u00a0ex: low PID is become high PID, that mean PID is restart by malware<\/p>\n\n\n\n

ps:
\u5927\u90e8\u4efd\u7684process\u53ef\u80fd\u6703\u6c92\u6709parent process,\u4f46svchost\u9019\u500bprocess,\u4e00\u5b9a\u6703\u6709parent process,\u800c\u4e14\u662f\u7531service\u5e36\u8d77
ex:svchost.exe\u7684\u7236\u7a0b\u5e8f\u901a\u5e38\u662fservices.exe
\u5927\u90e8\u4efduser\u958b\u555f\u7684process\uff0c\u901a\u5e38\u90fd\u7531explorer.exe\u5e36\u8d77
ex:Internet Explorer(IEXPLORE.EXE)\u7684\u7236\u7a0b\u5e8f\u901a\u5e38\u662fexplorer.exe<\/p>\n\n\n\n

………………<\/p>\n\n\n\n

Process dump tool<\/strong><\/h3>\n\n\n\n

tool for dump process memory file<\/strong>
pmdump
process dumper( pd.exe)
procdump, sysinternal tool
userdump
tool for analysis process memory dump<\/strong>
bintext: extract ASCII,unicode, and resource strings from the dump file
strings:\u00a0read dump file and output in text
handle.exe: provide a list of handles that have been opened by the process
listdlls.exe<\/p>\n\n\n\n

Tool for analysis process:<\/strong>
tasklist
pslist
listdlls
handle
tlist:\u4ee5tree\u7684\u65b9\u5f0f\u628aprocess\u5217\u51fa\u4f86<\/p>\n\n\n\n

……………….<\/p>\n\n\n\n

handle<\/strong>
display information about open handles for any process in the system
information include openfile,registry key,threads,…etc
ex:
handle -p winlogon.exe
handle “C:WINDOWS”<\/p>\n\n\n\n


…<\/p>\n\n\n\n

listdlls<\/strong>
third party tool
show module or dll that are in use by a process
ps:most dll is in system32
ex:
listdlls winlogon.exe
listdlls -d GDI32.dll<\/p>\n\n\n\n

…<\/p>\n\n\n\n

tasklist<\/strong>
Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.
common paramater<\/strong>
\/fo < TABLE|LIST|CSV>
\/m [ModuleName]
\/svc
\/v<\/p>\n\n\n\n

ex:
> tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ ===========
System Idle Process 0 Services 0 4 K
System 4 Services 0 815,872 K
smss.exe 368 Services 0 932 K
csrss.exe 620 Services 0 4,124 K
wininit.exe 724 Services 0 4,400 K
csrss.exe 732 Console 1 24,028 K
winlogon.exe 800 Console 1 30,456 K
services.exe 868 Services 0 5,996 K
lsass.exe 876 Services 0 13,560 K
svchost.exe 968 Services 0 17,252 K
...omit...<\/code><\/pre>\n\n\n\n
tasklist -v<\/strong>
listed processes including below
Image Name,\u00a0ex:csrss.exe
PID,\u00a0ex:620
Session Name,\u00a0ex:Services
Session#,\u00a0ex:0
Mem Usage,\u00a0ex:4,124 K
Status,\u00a0ex:Unknown
User Name,\u00a0ex:NT AUTHORITYSYSTEM
CPU Time,\u00a0ex:0:00:02
Window Title,\u00a0ex:N\/A

tasklist -svc<\/strong>
list all service name that run in the svchost
ps
“name” of service is equal in key_local_machinesystemcurrentcontrolsetservices”name”
in regirty, parameters include some information like dll<\/p>\n\n\n\n
ex:
> tasklist -svc
Image Name PID Services
========================= ========
System Idle Process 0 N\/A
System 4 N\/A
smss.exe 368 N\/A
csrss.exe 620 N\/A
wininit.exe 724 N\/A
csrss.exe 732 N\/A
winlogon.exe 800 N\/A
services.exe 868 N\/A
lsass.exe 876 KeyIso, SamSs, VaultSvc
svchost.exe 968 BrokerInfrastructure, DcomLaunch, LSM,
PlugPlay, Power, SystemEventsBroker
...omit...<\/code><\/pre>\n\n\n\n

refer
https:\/\/technet.microsoft.com\/en-us\/library\/bb491010.aspx<\/p>\n\n\n\n
…<\/p>\n\n\n\n
process explorer<\/strong>
GUI third party tool
ps:
it load procexp152.sys, so it can into deep level for reading more detail in windows<\/p>\n\n\n\n
1 look string of process
image: raw process(sometime appear strange code, because it is encoded)
memory: after decode of raw process<\/p>\n\n\n\n
2.look start address of process thread
normal: exe and dll
abnormal: address<\/p>\n\n\n\n
3 check virustotal
the file is not in virustotal, it is anomaious, because that mean the file is new(it is impossible)<\/p>\n\n\n\n
ps:
sysinternal tool only can’t look below:
hidden running process
terminated process
os kernel module (steal cetrficate to write malware into driver and inject kernel of windows)<\/p>\n","protected":false},"excerpt":{"rendered":"
Win Forensics in Volatile Info …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-353","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=353"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/353\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}