Incident Response and Live Analysis

In this article by Ayman Shaaban and Konstantin Sapronov, author of the book Windows OS Forensics, describe the stages of preparation to respond to an incident are a matter which much attention should be paid to. In some cases, the lack of necessary tools during the incident leads to the inability to perform the necessary actions at the right time.

Taking into account that the reaction time of an incident depends on the efficiency of the incident handling process, it becomes clear that in order to prepare the IR team, its technical support should be very careful.

The whole set of requirements can be divided into several categories for the IR team:

  • Skills
  • Hardware
  • Software

(For more resources related to this topic, see here.)

Let's consider the main issues that may arise during the preparation of the incident response team in more detail.

If we want to build a computer security incident response team, we need people with a certain set of skills and technical expertise to perform technical tasks and effectively communicate with other external contacts. Now, we will consider the skills of members of the team.

The set of skills that members of the team need to have can be divided into two groups:

  • Personal skills
  • Technical skills

Personal skills

Personal skills are very important for a successful response team. This is because the interaction with team members who are technical experts but have poor social skills can lead to misunderstanding and misinterpretation of the results, the consequences of which may affect the team's reputation.

A list of key personal skills will be discussed in the following sections.

Written communication

For many IR teams, a large part of their communication occurs through written documents. These communications can take many forms, including e-mails concerning incidents documentation of event or incident reports, vulnerabilities, and other technical information notifications. Incident response team members must be able to write clearly and concisely, describe activities accurately, and provide information that is easy for their readers to understand.

Oral communication

The ability to communicate effectively though spoken communication is also an important skill to ensure that the incident response team members say the right words to the right people.

Presentation skills

Not all technical experts have good presentation skills. They may not be comfortable in front of a large audience. Gaining confidence in presentation skills will take time and effort for the team's members to become more experienced and comfortable in such situations.

Diplomacy

The members of the incident response team interact with people who may have a variety of goals and needs. Skilled incident response team members will be able to anticipate potential points of contention, be able to respond appropriately, maintain good relationships, and avoid offending others. They also will understand that they are representing the IR team and their organization.

Diplomacy and tact are very important.

The ability to follow policies and procedures

Another important skill that members of the team need is the ability to follow and support the established policies and procedures of the organization or team.

Team skills

IR staff must be able to work in the team environment as productive and cordial team players. They need to be aware of their responsibilities, contribute to the goals of the team, and work together to share information, workload, and experiences. They must be flexible and willing to adapt to change. They also need skills to interact with other parties.

Integrity

The nature of IR work means that team members often deal with information that is sensitive and, occasionally, they might have access to information that is newsworthy. The team's members must be trustworthy, discrete, and able to handle information in confidence according to the guidelines, any constituency agreements or regulations, and/or any organizational policies and procedures.

In their efforts to provide technical explanations or responses, the IR staff must be careful to provide appropriate and accurate information while avoiding the dissemination of any confidential information that could detrimentally affect another organization's reputation, result in the loss of the IR team's integrity, or affect other activities that involve other parties.

Knowing one's limits

Another important ability that the IR team's members must have is the ability to be able to readily admit when they have reached the limit of their own knowledge or expertise in a given area. However difficult it is to admit a limitation, individuals must recognize their limitations and actively seek support from their team members, other experts, or their management.

Coping with stress

The IR team's members often could be in stressful situations. They need to be able to recognize when they are becoming stressed, be willing to make their fellow team members aware of the situation, and take (or seek help with) the necessary steps to control and maintain their composure. In particular, they need the ability to remain calm in tense situations—ranging from an excessive workload to an aggressive caller to an incident where human life or a critical infrastructure may be at risk. The team's reputation, and the individual's personal reputation, will be enhanced or will suffer depending on how such situations are handled.

Problem solving

IR team members are confronted with data every day, and sometimes, the volume of information is large. Without good problem-solving skills, staff members could become overwhelmed with the volumes of data that are related to incidents and other tasks that need to be handled. Problem-solving skills also include the ability for the IR team's members to "think outside the box" or look at issues from multiple perspectives to identify relevant information or data.

Time management

Along with problem-solving skills, it is also important for the IR team's members to be able to manage their time effectively. They will be confronted with a multitude of tasks ranging from analyzing, coordinating, and responding to incidents, to performing duties, such as prioritizing their workload, attending and/or preparing for meetings, completing time sheets, collecting statistics, conducting research, giving briefings and presentations, traveling to conferences, and possibly providing on-site technical support.

Technical skills

Another important component of the skills needed for an IR team to be effective is the technical skills of their staff. These skills, which define the depth and breadth of understanding of the technologies that are used by the team, and the constituency it serves, are outlined in the following sections.

In turn, the technical skills, which the IR team members should have, can be divided into two groups: security fundamentals and incident handling skills.

Security fundamentals

Let's look at some of the security fundamentals in the following subsections.

Security principles

The IR team's members need to have a general understanding of the basic security principles, such as the following:

  • Confidentiality
  • Availability
  • Authentication
  • Integrity
  • Access control
  • Privacy
  • Nonrepudiation

Security vulnerabilities and weaknesses

To understand how any specific attack is manifested in a given software or hardware technology, the IR team's members need to be able to first understand the fundamental causes of vulnerabilities through which most attacks are exploited. They need to be able to recognize and categorize the most common types of vulnerabilities and associated attacks, such as those that might involve the following:

  • Physical security issues
  • Protocol design flaws (for example, man-in-the-middle attacks or spoofing)
  • Malicious code (for example, viruses, worms, or Trojan horses)
  • Implementation flaws (for example, buffer overflow or timing windows/race conditions)
  • Configuration weaknesses
  • User errors or indifference

The Internet

It is important that the IR team's members also understand the Internet. Without this fundamental background information, they will struggle or fail to understand other technical issues, such as the lack of security in underlying protocols and services that are used on the Internet or to anticipate the threats that might occur in the future.

Risks

The IR team's members need to have a basic understanding of computer security risk analysis. They should understand the effects on their constituency of various types of risks (such as potentially widespread Internet attacks, national security issues as they relate to their team and constituency, physical threats, financial threats, loss of business, reputation, or customer confidence, and damage or loss of data).

Network protocols

Members of the IR team need to have a basic understanding of the common (or core) network protocols that are used by the team and the constituency that they serve. For each protocol, they should have a basic understanding of the protocol, its specifications, and how it is used. In addition to this, they should understand the common types of threats or attacks against the protocol, as well as strategies to mitigate or eliminate such attacks.

For example, at a minimum, the staff should be familiar with protocols, such as IP, TCP, UDP, ICMP, ARP, and RARP. They should understand how these protocols work, what they are used for, the differences between them, some of the common weaknesses, and so on. In addition to this, the staff should have a similar understanding of protocols, such as TFTP, FTP, HTTP, HTTPS, SNMP, SMTP, and any other protocols.

The specialist skills include a more in-depth understanding of security concepts and principles in all the preceding areas in addition to expert knowledge in the mechanisms and technologies that lead to flaws in these protocols, the weaknesses that can be exploited (and why), the types of exploitation methods that would likely be used, and the strategies to mitigate or eliminate these potential problems. They should have expert understanding of additional protocols or Internet technologies (DNSSEC, IPv6, IPSEC, and other telecommunication standards that might be implemented or interface with their constituent's networks, such as ATM, BGP, broadband, voice over IP, wireless technology, other routing protocols, or new emerging technologies, and so on). They could then provide expert technical guidance to other members of the team or constituency.

Network applications and services

The IR team's staff need a basic understanding of the common network applications and services that the team and the constituency use (DNS, NFS, SSH, and so on). For each application or service they should understand the purpose of the application or service, how it works, its common usages, secure configurations, and the common types of threats or attacks against the application or service, as well as mitigation strategies.

Network security issues

The members of the IR team should have a basic understanding of the concepts of network security and be able to recognize vulnerable points in network configurations. They should understand the concepts and basic perimeter security of network firewalls (design, packet filtering, proxy systems, DMZ, bastion hosts, and so on), router security, the potential for information disclosure of data traveling across the network (for example, packet monitoring or "sniffers"), or threats that are related to accepting untrustworthy information.

Host or system security issues

In addition to understanding security issues at a network level, the IR team's members need to understand security issues at a host level for the various types of operating systems (UNIX, Windows, or any other operating systems that are used by the team or constituency). Before understanding the security aspects, the IR team's member must first have the following:

  • Experience using the operating system (user security issues)
  • Some familiarity with managing and maintaining the operating system (as an administrator)

Then, for each operating system, the IR team member needs to know how to perform the following:

  • Configure (harden) the system securely
  • Review configuration files for security weaknesses
  • Identify common attack methods
  • Determine whether a compromise attempt occurred
  • Determine whether an attempted system compromise was successful
  • Review log files for anomalies
  • Analyze the results of attacks
  • Manage system privileges
  • Secure network daemons
  • Recover from a compromise

Malicious code

The IR team's members must understand the different types of malicious code attacks that occur and how these can affect their constituency (system compromises, denial of service, loss of data integrity, and so on). Malicious code can have different types of payloads that can cause a denial of service attack or web defacement, or the code can contain more "dynamic" payloads that can be configured to result in multifaceted attack vectors. Staff should understand not only how malicious code is propagated through some of the obvious methods (disks, e-mail, programs, and so on), but they should also understand how it can propagate through other means, such as PostScript, Word macros, MIME, peer-to-peer file sharing, or boot-sector viruses that affect operating systems running on PC and Macintosh platforms. The IR team's staff must be aware of how such attacks occur and are propagated, the risks and damage associated with such attacks, prevention and mitigation strategies, detection and removal processes, and recovery techniques.

Specialist skills include expertise in performing analysis, black box testing, reverse engineering malicious code that is associated with such attacks, and in providing advice to the team on the best approaches for an effective response.

Programming skills

Some team members need to have system and network programming experience. The team should ensure that a range of programming languages is covered on the operating systems that the team and the constituency use. For example, the team should have experience in the following:

  • C
  • Python
  • Awk
  • Java
  • Shell (all variations)
  • Other scripting tools

These scripts or programming tools can be used to assist in the analysis and handling of incident information (for example, writing different scripts to count and sort through various logs, search databases, look up information, extract information from logs or files, and collect and merge data).

Incident handling skills

  • Local team policies and protocols
  • Understanding and identifying intruder techniques
  • Communication with sites
  • Incident analysis
  • Maintenance of incident records

The hardware for IR and Jump Bag

Certainly, a set of equipment that may be required during the processing of the incident should be prepared in advance, and this matter should be given much attention. This set is called the Jump Bag.

The formation of such a kit is largely due to the budget the organization could afford. Nevertheless, there is a certain necessary minimum, which will allow the team to handle incidents in small quantities.

If the budget allows it, it is possible to buy a turnkey solution, which includes all the necessary equipment and the case for its transportation. As an instance of such a solution, FREDL + Ultra Kit could be recommended. FREDL is short for Forensic Recovery of Evidence Device Laptop. With Ultra Kit, this solution will cost about 5000 USD.

Ultra Kit contains a set of write-blockers and a set of adapters and connecters to obtain images of hard drives with a different interface:

More details can be found on the manufacturer's website at https://www.digitalintelligence.com/products/ultrakit/.

Certainly, if we ignore the main drawback of such a solution, this decision has a lot of advantages as compared to the cost. Besides this, you get a complete starter kit to handle the incident. Besides, Ultra Kit allows you to safely transport equipment without fear of damage.

The FRED-L laptop is based on a modern hardware, and the specifications are constantly updated to meet modern requirements. Current specifications can be found on the manufacturer's website at http://www.digitalintelligence.com/products/fredl/.

However, if you want to replace the expensive solution, you could build a cheaper alternative that will save 20-30% of the budget. It is possible to buy the components included in the review of decisions separately.

As a workstation, you can choose a laptop with the following specifications:

  • Intel Core i7-6700K Skylake Quad Core Processor, 4.0 GHz, 8MB Intel Smart Cache
  • 16 GB PC4-17000 DDR4 2133 Memory
  • 256 GB Solid State Internal SATA Drive
  • Intel Z170 Express Chipset
  • NVIDIA GeForce GTX 970M with 6 GB GDDR5 VRAM

This specification will provide a comfortable workstation to work on the road.

As a case study for the transport of the equipment, we recommend paying attention to Pelican (http://www.pelican.com) cases. In this case, the manufacturer can choose the equipment to meet your needs.

One of the typical tasks in handling of incidents is obtaining images from hard drives. For this task, you can use a duplicator or a bunch of write-blockers and computer.

Duplicators are certainly a more convenient solution; their usage allows you to quickly get the disk image without using additional software. Their main drawback is the price. However, if you often have to extract the image of hard drives and you have a few thousand dollars, the purchase of the duplicator is a good investment.

If the imaging of hard drives is a relatively rare problem and you have a limited budget, you can purchase a write blocker which will cost 300-500 USD. However, it is necessary to use a computer and software.

To pick up the necessary equipment, you can visit http://www.insectraforensics.com, where you can find equipment from different manufacturers.

Also, do not forget about the hard drives themselves. It is worth buying a few hard drives with large volumes for the possibility of good performance.

To summarize, responders need to include the following items in a basic set:

  • Several network cables (straight through or loopback)
  • A serial cable with a serial USB adapter
  • Network serial adapters
  • Hard drives (various sizes)
  • Flash drives
  • A Linux Live DVD
  • A portable drive duplicator with a write-blocker
  • Various drive interface adapters
  • A four port hub
  • A digital camera
  • Cable ties
  • Cable snips
  • Assorted screws and hex drivers
  • Notebooks and pens
  • Chain of Custody forms
  • Incident handling procedure

Software

After talking about the hardware, we did not forget about the software that you should always have on hand. The variety of software that can be used in the processing of the incident allows you to select software-based preferences, skills, and budget. Some prefer command-line utilities, and some find that GUI is more convenient to use.

Sometimes, the use of certain tools is dictated by the circumstances under which it's needed to work.

We strongly recommend that you prepare these in advance and thoroughly test the entire set of required software.

Live versus mortem

The initial reaction to an incident is a very important step in the process of computer incident management. The correct method of carrying out and performing this step depends on the success of the investigation.

Moreover, a correct and timely response is needed to reduce the damage caused by the incident.

The traditional approach to the analysis of the disks is not always practical, and in some cases, it is simply not possible.

In today's world, the development of computer technology has led to many companies having a distribution network in many cities, countries, and continents. Wish this physical disconnection of the computer from the network, following the traditional investigation of each computer is not possible.

In such cases, the incident responder should be able to carry out a prior assessment remotely and as soon as possible, view a list of running processes, open network connections, open files, and get a list of registered users in the system. Then, if necessary, carry out a full investigation.

In this article, we will look at some approaches that the responder may apply in a given situation. However, even in these cases when we have physical access to the machine, live response is the only way of incident response.

For example, cases where we are dealing with large disk arrays. In this case, there are several problems at once. The first problem is that the space to store large amounts of data is also difficult to identify. In addition to this, the time that may be required to analyze large amounts of data is unreasonably high.

Typically, such large volumes of data have a highly loaded server serving hundreds of thousands of users, so their trip, or even a reboot, is not acceptable for business.

Another scenario that requires the Live Forensics approach is when an encrypted filesystem is used. In cases where the analyst doesn't have the key to decrypt the disc, Live Forensics is a good alternative to obtain data from a system where encryption of the filesystem is used.

This is not an exhaustive list of cases when the Live Analysis could be applicable.

It is worth noting one very important point. During the Live Analysis, it is not possible to avoid changes in the system.

Connecting external USB devices or network connectivity, user log on, or launching an executable file will be modified in the system in a variety of log files, registry keys, and so on. Therefore, you need to understand what changes were caused by the actions of responders and document them.

Volatile data

Under the principle of "order of Volatility", you must first collect information that is classified as Volatile Data (the list of network connections, the list of running processes, log on sessions, and so on), which will be irretrievably lost in case the computer is powered off.

Then, you can start to collect nonvolatile data, which can also be obtained with the traditional approach in the analysis of the disk image. The main difference in this case is that a Live Forensics set of data is easier to obtain with a working machine.

This article will focus on the collection of Volatile data.

Typically, this category includes the following data:

  • System uptime and the current time
  • Network parameters (NetBIOS name cache, active connections, the routing table, and so on).
  • NIC configuration settings
  • Logged on users and active sessions
  • Loaded drivers
  • Running services
  • Running processes and their related parameters (loaded DLLs, open handles, and ownership)
  • Autostart modules
  • Shared drives and files opened remotely

Recording the time and date of the data collection allows you to define a time interval in which the investigator will perform an analysis of the system:

    (date / t) & (time / t)>%COMPUTER_NAME% \ systime.txt
systeminfo | find "Boot Time" >>% COMPUTERNAME% \ systime.txt

The last command allows you to< show how long the machine worked since the last reboot.

Using the %COMPUTERNAME% environment variable, we can set up separate directories for each machine in case we need to repeat the process of collecting information on different computers in a network.

In some cases, signs of compromise are clearly visible in the analysis of network activity. The next set of commands allows you to get this information:

    nbtstat -c> %COMPUTERNAME%\NetNameCache.txt
netstat -a -n -o>%COMPUTERNAME%\NetStat.txt
netstat -rn>%COMPUTNAME%\NetRoute.txt
ipconfig / all>%COMPUTERNAME%\NIC.txt
promqry>%COMPUTERNAME%\NSniff.txt

The first command uses nbtstat.exe to obtain information from the cache of NetBIOS. You display the NetBIOS names in their corresponding IP address. The second and third commands use netstat.exe to record all of the active compounds, listening ports, and routing tables.

For information about network settings, the ipconfig.exe network interfaces command is used.

The last block command starts the Microsoft promqry utility, which allows you to define the network interfaces on the local machine, which operates in promiscuous mode. This mode is required for network sniffers, so the detection of the regime indicates that the computer can run software that listens to network traffic.

To enumerate all the logged on users on the computer, you can use the Sysinternals tools:

    psloggedon -x>%COMPUTERNAME% \ LoggedUsers.tx:
logonsessions -p >> %COMPUTERNAME%\LoggedOnUsers.txt

The PsLoggedOn.exe command lists both types of users, those who are logged on to the computer locally, and those who logged on remotely over the network. Using the -x switch, you can get the time at which each user logged on.

With the -p key, logonsessions will display all of the processes that were started by the user during the session.

It should be noted that logonsessions must be run with administrator privileges.

To get a list of all drivers that are loaded into the system, you can use the WDK drivers.exe utility:

    drivers.exe>%COMPUTERNAME%\drivers.txt

The next set of commands to obtain a list of running processes and related information is as follows:

    tasklist / svc>%COMPUTERNAME% \ taskdserv.txt
psservice>%COMPUTERNAME% \ trasklst.txt
tasklist / v>%COMPUTERNAME% \ taskuserinfo.txt
pslist / t>%COMPUTERNAME%\tasktree.txt
listdlls>%COMPUTERNAME%\lstdlls.txt
handle -a>%COMPUTERNAME%\lsthandles.txt

The tasklist.exe utility that is made with the / svc key enumerates the list of running processes and services in their context. While the previous command displays a list of running services, PsService receives information on services using the information in the registry and SCM database.

Services are a traditional way through which attackers can access a previously compromised system. Services can be configured to run automatically without user intervention, and they can be launched as part of another process, such as svchost.exe.

In addition to this, remote access can be provided through completely legitimate services, such as telnet or ftp. To associate users with their running processes, use the tasklist / v command key.

To enumerate a list of DLLs loaded in each process and the full path to the DLL, you can use listsdlls.exe from SysInternals.

Another handle.exe utility can be used to list all the handles, which are open processes. This handles registry keys, files, ports, mutexes, and so on.

Other utilities require run with administrator privileges. These tools can help identify malicious DLLs that were injected into the processes, as well as files, which have not been accessed by these processes.

The next group of commands allows you to get a list of programs that are configured to start automatically:

    autorunsc.exe -a>%COMPUTERNAME% \ autoruns.txt
at>%COMPUTERNAME% \ at.txt
schtasks / query>%COMPUTERNAME% \ schtask.txt

The first command starts the SysInternals utility, autoruns, and displays a list of executables that run at system startup and when users log on. This utility allows you to detect malware that uses the popular and well-known methods for persistent installation into the system.

Two other commands (at and schtasks) display a list of commands that run in the schedule. To start the at command also requires administrator privileges.

To install backdoors mechanisms, services are often used, but services are constantly working in the system and, thus, can be easily detected during live response. Thus, create a backdoor that runs on a schedule to avoid detection. For example, an attacker could create a task that will run the malware just outside working hours.

To get a list of network share drives and disk files that are deleted, you can use the following two commands:

    psfile>%COMPUTERNAME%\openfileremote.txt
net share>%COMPUTERNAME%\drives.txt

Nonvolatile data

After Volatile data has been collected, you can continue to collect Nonvolatile Data. This data can be obtained at the stage of analyzing the disk, but as we mentioned earlier, analysis of the disk is not possible in some cases.

This data includes the following:

  • The list of installed software and updates
  • User info
  • Metadata about a filesystem's timestamps

Registry data

However, upon receipt of this data with the live running of the system, there are difficulties that are associated with the fact that many of these files cannot be copied in the usual way, as they are locked by the operating system. To do this, use one of the utilities. One such utility is the RawCopy.exe utility, which is authored by Joakim Schicht.

This is a console application that copies files off NTFS volumes using the low-level disk reading method.

The application has two mandatory parameters, target file and output path:

  • -param1: This is the full path to the target file to extract; it also supports IndexNumber instead of file path
  • -param2: This is a valid path to output directory

This tool will let you copy files that are usually not accessible because the system has locked them. For instance, the registry hives such as SYSTEM and SAM, files inside SYSTEM VOLUME INFORMATION, or any file on the volume.

This supports the input file specified either with the full file path or by its $MFT record number (index number).

Here's an example of copying the SYSTEM hive off a running system:

    RawCopy.exe C:\WINDOWS\system32\config\SYSTEM  %COMPUTERNAME%\SYSTEM

Here's an example of extracting the $MFT by specifying its index number:

    RawCopy.exe C:0  %COMPUTERNAME%\mft

Here's an example of extracting the MFT reference number 30224 and all attributes, including $DATA, and dumping it into C:\tmp:

    RawCopy.exe C:30224 C:\tmp -AllAttr

To download RawCopy, go to https://github.com/jschicht/RawCopy.

Knowing what software is installed and what its updates are helps further the investigation because this shows possible ways to compromise a system through a vulnerability in the software. One of the first actions that the attacker makes is to attack during a system scan to detect active services and exploit the vulnerabilities in them.

Thus, services that were not patched can be utilized for remote system penetration.

One way to install a set of software and updates is to use the systeminfo utility:

    systeminfo > %COMPUTERNAME%\sysinfo.txt. 

Moreover, skilled attackers can themselves perform the same actions and install necessary updates in order to hide the traces of penetration into the system.

After identifying the vulnerable services and their successful exploits, the attacker creates an account for themselves in order to subsequently use legal ways to enter the system. Therefore, the analysis of data about users of the system reveals the following traces of the compromise:

  • The Recent folder contents, including LNK files and jump lists
  • LNK files in the Office Recent folder
  • The Network Recent folder contents
  • The entire temp folder
  • The entire Temporary Internet Files folder
  • The PrivacyIE folder
  • The Cookies folder
  • The Java Cache folder contents

Now, let's consider the preceding cases as follows:

  • Collecting the Recent folder is done as follows:
        robocopy.exe  %RECENT% %COMPUTERNAME%\Recent /ZB
    /copy:DAT /r:0 /ts /FP /np /E log:%COMPUTERNAME%\Recent
    \log.txt

    Here %RECENT% depends on the version of Windows.

  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %RECENT% = %systemdrive%\Documents and
    Settings\%USERNAME%\Recent 
  • For Windows 6.x (Windows Vista and newer):
        %RECENT% =%systemdrive%\Users\%USERNAME%\AppData\Roaming
    \Microsoft\Windows\Recent
  • Collecting the Office Recent folder is done as follows:
        robocopy.exe  %RECENT_OFFICE%
    %COMPUTERNAME%\Recent_Office /ZB /copy:DAT /r:0 /ts /FP
    /np /E log:%COMPUTERNAME%\Recent_Office\log.txt
  • Here %RECENT_OFFICE% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %RECENT_OFFICE% = %systemdrive%\Documents and
    Settings\%USERNAME%\Application Data\Microsoft\Office
    \Recent
  • For Windows 6.x (Windows Vista and newer), this is as follows:
        %RECENT% =%systemdrive%\Users\%USERNAME%\AppData\Roaming
    \Microsoft\Windows\Office\Recent
  • Collecting the Network Shares Recent folder is done as follows:
    
    robocopy.exe  %NetShares% %COMPUTERNAME%\NetShares /ZB 
    /copy:DAT /r:0 /ts /FP /np /E
    log:%COMPUTERNAME%\NetShares\log.txt
  • Here %NetShares% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %NetShares% = %systemdrive%\Documents andSettings\%USERNAME%\Nethood

    For Windows 6.x (Windows Vista and newer), this is as follows:

        %NetShares % =''%systemdrive%\Users\%USERNAME%\AppData
    \Roaming\Microsoft\Windows\Network Shortcuts''
  • Collecting the Temporary folder is done as follows:
        robocopy.exe  %TEMP% %COMPUTERNAME%\TEMP /ZB /copy:DAT
    /r:0 /ts /FP /np /E log:%COMPUTERNAME%\TEMP\log.txt
  • Here %TEMP% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %TEMP% = %systemdrive%\Documents and Settings\%USERNAME%
    \Local Settings\Temp
  • For Windows 6.x (Windows Vista and newer), this is as follows:
        %TEMP% =''%systemdrive%\Users\%USERNAME%\AppData
    \Local\Temp '' 
  • Collecting the Temporary Internet Files folder is done as follows:
        robocopy.exe  %TEMP_INTERNET_FILES%
    %COMPUTERNAME%\TEMP_INTERNET_FILES /ZB /copy:DAT /r:0
    /ts /FP /np /E log:%COMPUTERNAME%\TEMP\log.txt
  • Here %TEMP_INTERNET_FILE% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %TEMP_INTERNET_FILE% = ''%systemdrive%\Documents and
    Settings\%USERNAME%\Local Settings\Temporary Internet
    Files'' 
  • For Windows 6.x (Windows Vista and newer), this is as follows:
        %TEMP_INTERNET_FILE% =''%systemdrive%\Users\%USERNAME%\
    AppData\Local\Microsoft\Windows\Temporary Internet
    Files" 
  • Collecting the PrivacIE folder is done as follows:
        robocopy.exe  %PRIVACYIE % %COMPUTERNAME%\PrivacyIE /ZB
    /copy:DAT /r:0 /ts /FP /np /E
    log:%COMPUTERNAME%/PrivacyIE/log.txt 
  • Here %PRIVACYIE% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
    
    %PRIVACYIE% = ''%systemdrive%\Documents
    andSettings\%USERNAME%\ PrivacIE'' 
  • For Windows 6.x (Windows Vista and newer), this is as follows:
        %PRIVACYIE% =''%systemdrive%\Users\%USERNAME%\
    AppData\Roaming\Microsoft\Windows\PrivacIE " 
  • Collecting the Cookies folder is done as follows:
        robocopy.exe  %COOKIES% %COMPUTERNAME%\Cookies /ZB
    /copy:DAT /r:0 /ts /FP /np /E log:%COMPUTERNAME%\Cookies
    \.txt 
  • Here %COOKIES% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %COOKIES% = ''%systemdrive%\Documents and
    Settings\%USERNAME%\Cookies'' 
  • For Windows 6.x (Windows Vista and newer), this is as follows:
        %COOKIES% =''%systemdrive%\Users\%USERNAME%\
    AppData\Roaming\Microsoft\Windows\Cookies" 
  • Collecting the Java Cache folder is done as follows:
        robocopy.exe  %JAVACACHE% %COMPUTERNAME%\JAVACACHE /ZB
    /copy:DAT /r:0 /ts /FP /np /E
    log:%COMPUTERNAME%\JAVACAHE\log.txt 
  • Here %JAVACACHE% depends on the version of Windows.
  • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
        %JAVACACHE% = ''%systemdrive%\Documents and
    Settings\%USERNAME%\Application Data\Sun\Java\Deployment
    \cache'' 
  • For Windows 6.x (Windows Vista and newer), this is as follows:
        %JAVACACHE% =''%systemdrive%\Users\%USERNAME%\AppData
    

    \LocalLow\Sun\Java\Deployment\cache"

Remote live response

However, as mentioned earlier, it is often necessary to carry out the collection of information remotely. On Windows systems, this is often done using the SysInternals PsExec utility. PsExec lets you execute commands on remote computers and does not require the installation of the system.

How the program works is a psexec.exe resource executable is another PsExecs executable. This file runs the Windows service on a particular target machine. Before executing the command, PsExec unpacks this hidden resource in the administrative sphere of the remote computer at Admin$ (C:\Windows) file Admin$\system32\psexecsvc.exe.

After copying this, PsExec installs and runs the service using the API functions of the Windows management services. Then, after starting psexesvc, a data connection (input commands and getting results) between psexesvc and psexec is established. Upon completion of the work, psexec stops the service and removes it from the target computer.

If the remote collection of information is necessary, a working machine running UNIX OS can use the Winexe utility.

Winexe is a GNU/Linux-based application that allows users to execute commands remotely on WindowsNT/2000/XP/2003/Vista/7/8 systems. It installs a service on the remote system, executes the command, and uninstalls the service. Winexe allows execution of most of the Windows shell commands:

    winexe -U [Domain/]User%Password //host command 

To launch a Windows shell from inside your Linux system, use the following command:

    winexe -U HOME/Administrator%Pass123 //192.168.0.1 "cmd.exe" 

Summary

In this article, we discussed what we should have in the Jump Bag to handle a computer incident, and what kind of skills the members of the IR team require.

Also, we took a look at live response and collected Volatile and Nonvolatile information from a live system. We also discussed different tools to collect information. We also discussed when we should to use a live response approach as an alternative to traditional forensics.

Resources for Article:


Further resources on this subject:


You've been reading an excerpt of:

Practical Windows Forensics

Explore Title
comments powered by Disqus