
securitywing

20 Forensic Investigation Tools for Windows

by wing

To investigate a Windows system for a suspected security breach, investigators need to collect forensic evidence, and the most volatile evidence (the system clock, logged-on sessions, open files, network connections, running processes and memory) disappears on reboot, so it is collected first. Microsoft publishes a number of free tools, many of them in the Sysinternals suite, that any security investigator can use for this analysis. This post lists easy-to-use, free forensic tools for Windows, including a few built-in command line utilities and the commands to run them. Whichever tools you use, run them from removable or read-only media and write their output somewhere other than the suspect disk, so that the collection itself overwrites as little evidence as possible.

To record the system's clock, use the following command. Compare the result with a trusted time source and note the time zone, because the offset is what lets you line up the system's own logs with evidence from elsewhere:

C:\> date /t & time /t

To collect logged-on user information, download PsLoggedOn from Microsoft Sysinternals

at http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

This tool shows the users who are logged on to the system both locally and through network resource shares. Run it early: a session that ends before you collect is gone.

To see which users and IP addresses have sessions open to your system's shares, and which client OS they are using, use the built-in net session command (it shows inbound SMB sessions only and needs an administrative prompt):

net session

To see the active logon sessions on the system, use LogonSessions.exe from Sysinternals. You can download it at http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx. With the -p switch it also lists the processes running in each session, which is how you tie a suspicious process to the account and logon type that started it.

To see which files users are accessing, use PsFile.exe, free to download from http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx; it lists files opened remotely (over the network) and can close them. The built-in "net file" command shows the same list of files opened by remote connections. openfiles.exe is another useful tool that lists opened files, including locally opened files if the "openfiles /local on" setting was enabled; that setting only takes effect after a reboot, so it helps only if it was turned on before the incident.

NetBIOS cache information

When attackers gain access to a system they look for the other computers on the network. You can see which machines your system has recently resolved or connected to with the nbtstat command: nbtstat -c prints the NetBIOS name cache (remote names and their IP addresses) and nbtstat -S prints the current NetBIOS sessions by IP address. Normal activity populates the cache too, so an entry is a lead, not proof of compromise: the machines listed are the ones this system talked to recently and the first candidates to check for lateral movement.

Network connection status

When you run a Windows forensic investigation on a system, you need to see the network connections to and from the compromised computer. Remember that these connections expire over time, so collect this information as soon as you suspect that the system has been compromised. To record and log network connection information continuously, check your firewall logs, or download "Port Reporter" from Microsoft: http://www.microsoft.com/en-us/download/details.aspx?id=9964. Unfortunately, Port Reporter only works on Windows 2000, 2003 and XP.

Remember that without connection-level information (who connected, when, and how much data moved) it is almost impossible to tell whether somebody has copied sensitive data from your computer.

Another handy tool to see live network connections is netstat, which is built into Windows. It shows both TCP and UDP endpoints with their state (LISTENING, ESTABLISHED, TIME_WAIT and so on) and, with -o, the process ID that owns each one; -a includes listening ports and -n keeps addresses numeric, so no DNS lookups are made from the suspect host. To see live network activity, type the following at the command prompt:

netstat -ano

Adding -b (which needs an elevated prompt) also prints the executable behind each connection. To see the routing table, use the following switch:

netstat -r
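The commands above, from the clock down to the process list, are a single collection procedure. The following PowerShell script is an example added here, not code from the original article or from Microsoft, that runs them in order of volatility and stores each command's output, with a SHA-256 manifest, in a timestamped folder on evidence media. It assumes an elevated prompt, and that the Sysinternals tools sit in the (hypothetical) $SysinternalsDir path; a missing tool is noted and skipped rather than aborting the run.

```powershell
# Added example, not part of the original article: collect the volatile data the
# commands above produce, most volatile first, into a timestamped folder on
# evidence media, and write a SHA-256 manifest so the output can be verified later.
# Assumptions: run from an elevated PowerShell prompt on the suspect host; the
# Sysinternals tools are in $SysinternalsDir (a hypothetical path) and are skipped
# if missing; openfiles lists local files only if 'openfiles /local on' was set
# before the incident.
param(
    [string]$EvidenceRoot    = 'E:\Evidence',           # removable media, not the suspect disk
    [string]$SysinternalsDir = 'E:\Tools\Sysinternals'  # hypothetical location of PsTools etc.
)

function Invoke-SysTool {
    param([string]$Exe, [string[]]$ToolArgs = @())
    $path = Join-Path $SysinternalsDir $Exe
    if (Test-Path $path) { & $path -accepteula @ToolArgs 2>&1 }   # -accepteula: no licence dialog
    else { "[$Exe not found in $SysinternalsDir; skipped]" }
}

$case = Join-Path $EvidenceRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $case -Force | Out-Null

# Most volatile first: clock and time zone, then logons, open files, NetBIOS
# cache, network connections and routes, then the process list.
$steps = [ordered]@{
    '01_time'          = { Get-Date -Format o; tzutil /g; w32tm /query /status }
    '02_psloggedon'    = { Invoke-SysTool psloggedon.exe }
    '03_logonsessions' = { Invoke-SysTool logonsessions.exe @('-p') }
    '04_net_session'   = { net session }
    '05_open_files'    = { net file; Invoke-SysTool psfile.exe; openfiles /query /v }
    '06_nbtstat'       = { nbtstat -c; nbtstat -S }
    '07_netstat'       = { netstat -ano; netstat -r }
    '08_tasklist'      = { tasklist /v; tasklist /svc }
}

$manifest = foreach ($name in $steps.Keys) {
    $file    = Join-Path $case "$name.txt"
    $started = Get-Date -Format o          # when this step ran, for the timeline
    $block   = $steps[$name]
    & $block 2>&1 | Out-String -Width 300 | Set-Content -Path $file -Encoding UTF8
    [pscustomobject]@{
        Step    = $name
        Started = $started
        File    = Split-Path $file -Leaf
        SHA256  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -Path (Join-Path $case 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

The manifest records when each command ran and the hash of its output, so a later reviewer can check that nothing in the evidence folder changed after collection; keep the collection host's clock reading next to your own so the two timelines can be reconciled.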

Windows process information

Windows Task Manager shows a list of running processes, but by default not the image path, parent process or command line, and a process hidden by a rootkit does not appear in it at all. All the well-known system processes have a fixed location: lsass.exe, services.exe, svchost.exe, csrss.exe and winlogon.exe, for example, live in %SystemRoot%\System32. A malicious program may install itself under the same name as a legitimate process, but it will not be installed in the default Windows path already used by the system, so compare image paths and parent processes, not just names. You can download an advanced activity monitoring tool called "Process Monitor" from Microsoft Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. This tool shows live registry, file system, process and thread activity; its companion Process Explorer shows the process tree with each process's image path, command line and signature status.

Tasklist.exe

This is a built-in tool that lists every process's image name, PID, session name, session number and memory usage. For more detail use the /v and /svc switches: /v adds the owning user, CPU time and window title, and /svc maps the services hosted in each process, which is the only way to tell one svchost.exe from another. Type the following commands at the command prompt:

tasklist /v

tasklist /svc

PsTools

This is a collection of useful process-related tools. You can download it from http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx. After downloading, unzip it anywhere; say you have unzipped it to your C: drive. To run the commands, open a command prompt, change to the PSTools folder and type the name of the executable (each tool accepts -accepteula, which suppresses the licence dialog on a host you do not want to touch interactively):

C:\PSTools> pslist
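The image-path point made above is easy to check for every process at once. The PowerShell script below is an example added here, not part of the original article, that lists each process with its image path, parent and command line (which tasklist /v does not show) and flags two things: a well-known system process name running from outside %SystemRoot%\System32, and, as a common heuristic assumed here, an svchost.exe whose parent is not services.exe. The $coreNames list is this example's starting point, not an authoritative list, and the script should run elevated so that paths are readable.

```powershell
# Added example, not part of the original article: list running processes with
# path, parent and command line, and flag well-known names running from the
# wrong place. $coreNames is a starting list chosen here, not an exhaustive one.
$system32  = Join-Path $env:SystemRoot 'System32'
$coreNames = @('svchost.exe','lsass.exe','services.exe','csrss.exe','winlogon.exe',
               'smss.exe','wininit.exe','spoolsv.exe','dllhost.exe','taskhostw.exe')

# Win32_Process carries the path, parent PID and command line; tasklist alone does not.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate

$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    # Note: a PID can be reused, so a parent that started after its child is suspect too.
    $parent  = $byPid[[int]$p.ParentProcessId]
    $name    = $p.Name.ToLower()
    $reasons = @()
    if ($coreNames -contains $name) {
        # Protected processes return no path to the caller; an empty path alone is
        # not evidence, so only flag a path that is present and outside System32.
        if ($p.ExecutablePath -and $p.ExecutablePath -notlike "$system32\*") {
            $reasons += 'core name outside System32'
        }
    }
    # Heuristic (assumption of this example): every svchost.exe is started by services.exe.
    if ($name -eq 'svchost.exe' -and $parent -and $parent.Name -ne 'services.exe') {
        $reasons += "svchost parent is $($parent.Name)"
    }
    [pscustomobject]@{
        PID         = $p.ProcessId
        PPID        = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        Name        = $p.Name
        Path        = $p.ExecutablePath
        Started     = $p.CreationDate
        Reason      = ($reasons -join '; ')
        CommandLine = $p.CommandLine
    }
}

# Show the flagged processes on screen and keep the full list as evidence.
$report | Where-Object Reason | Format-Table PID, PPID, Parent, Name, Path, Reason -AutoSize
$report | Export-Csv -Path ".\processes_$($env:COMPUTERNAME).csv" -NoTypeInformation
```

An empty flagged list is not a clean result: it only means nothing matched these two rules, so still read the full CSV for odd paths (user profiles, temp directories) and odd command lines.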

ListDLLs

This tool shows the modules (DLLs) a process has loaded. When a program runs it loads DLLs to call common functions the system provides, which saves programs from rewriting frequently used code. Malware is often injected as a DLL into a legitimate process, so the loaded-module list is worth reading even when the process itself looks normal. To run the utility, go to the folder where you unzipped the files and type "listdlls -u" to list all unsigned DLLs, or listdlls followed by a process name or PID to list that process's modules.

Download it at: http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx

Handle

This tool shows the resources (files, registry keys, mutexes, events, sections) a process has open while it is running. "handle -p" followed by a process name or PID limits the output to that process, and handle followed by part of a path shows which processes have a matching file open. You can download it at http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx

Windows File Protection (WFP)

Windows File Protection prevents critical system files from being modified or deleted. If a protected system file is modified or replaced, WFP automatically restores it from a known-good copy, and this action is recorded in the System event log as event ID 64001. If you find such events in Event Viewer you can assume that a program attempted to modify a system file, which does not necessarily mean that your system has been compromised (some installers do it too), but the file name and time in the event are worth correlating with the rest of your timeline. Note that WFP exists on Windows 2000, XP and Server 2003; Windows Vista and later replaced it with Windows Resource Protection (WRP).

Process-to-port mapping tools

To communicate with the outside world, your system opens network connections. Each connection is created by a process and bound to a port, so every network connection can be tied to a process and a port, and that process is where the investigation goes next. You can use the netstat command to check which process owns each connection:

netstat -o

Apart from command line tools, TCPView (also from Sysinternals) shows a more detailed live listing of local and remote addresses and ports, connection state and owning PID, and highlights connections as they appear and close.
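The mapping described above can be built from PowerShell as well. The script below is an example added here, not code from the original article or from Sysinternals: it joins every TCP connection and UDP endpoint to the owning process's name and image path and, for service hosts, to the service names that tasklist /svc would print, then shows listeners and established sessions first. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated prompt so that every process path is readable.

```powershell
# Added example, not part of the original article: process-to-port mapping with
# image path and hosted service names. Assumes Windows 8 / Server 2012 or later
# and an elevated prompt.
$procInfo = @{}
Get-Process | ForEach-Object { $procInfo[[int]$_.Id] = $_ }

# Service name(s) per PID, the information tasklist /svc prints.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

function Get-EndpointRecord {
    param($Proto, $LocalAddress, $LocalPort, $RemoteAddress, $RemotePort, $State, $OwningProcess)
    $id = [int]$OwningProcess       # cast: hashtable keys must match the stored [int] type
    $p  = $procInfo[$id]
    [pscustomobject]@{
        Proto    = $Proto
        Local    = "${LocalAddress}:${LocalPort}"
        Remote   = if ($RemoteAddress) { "${RemoteAddress}:${RemotePort}" } else { '' }
        State    = "$State"
        PID      = $id
        Process  = if ($p) { $p.ProcessName } else { '<unknown>' }
        Path     = if ($p) { $p.Path } else { $null }   # null for protected processes
        Services = ($svcByPid[$id] -join ',')
    }
}

$endpoints = @(
    Get-NetTCPConnection | ForEach-Object {
        Get-EndpointRecord -Proto TCP -LocalAddress $_.LocalAddress -LocalPort $_.LocalPort `
            -RemoteAddress $_.RemoteAddress -RemotePort $_.RemotePort `
            -State $_.State -OwningProcess $_.OwningProcess
    }
    Get-NetUDPEndpoint | ForEach-Object {
        Get-EndpointRecord -Proto UDP -LocalAddress $_.LocalAddress -LocalPort $_.LocalPort `
            -State 'Bound' -OwningProcess $_.OwningProcess
    }
)

# Listeners and established sessions first; loopback is usually noise.
$endpoints |
    Where-Object { $_.State -in 'Listen','Established','Bound' -and
                   $_.Local -notlike '127.*' -and $_.Local -notlike '::1:*' } |
    Sort-Object Proto, State, PID |
    Format-Table Proto, Local, Remote, State, PID, Process, Services, Path -AutoSize

# Keep the full list, including TIME_WAIT entries that netstat -ano would also show.
$endpoints | Export-Csv -Path ".\connections_$($env:COMPUTERNAME).csv" -NoTypeInformation
```

A listening port owned by a process with no service name and an image path under a user profile or temp directory is the combination to chase first; an svchost.exe with an empty Services column is equally odd.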

NIC promiscuous mode detection

A network card in promiscuous mode captures all traffic on its segment, not just the frames addressed to it, which is what a sniffer installed by an attacker needs to harvest credentials and other sensitive data from neighbouring hosts. It is hard to tell whether a NIC is in promiscuous mode unless you use a tool that queries the adapter. One such tool is Promqry from Microsoft, available both as a command line tool and with a user interface. You can download it from http://support.microsoft.com/kb/892853

If the NIC is not in promiscuous mode, no sniffer is capturing other hosts' traffic through it, but that is all you can say: a sniffer that only captures the host's own traffic does not need promiscuous mode, and a rootkit can lie about the adapter state, so treat a negative result as one data point rather than a clean bill of health.

Clipboard contents

The clipboard is a region of memory where programs such as Microsoft Word hold data the user has copied for pasting. It can give useful clues to forensic investigators (a pasted password, a command, a file path), but it belongs to the interactive session and is lost at logoff, so read it while the user's session is still alive. To view the clipboard contents you can run Pclip.exe on the computer under investigation; on PowerShell 5 and later the built-in Get-Clipboard cmdlet prints text clipboard contents from the console.

Process memory collection

To collect the memory contents of a single process use Userdump.exe (Microsoft's User Mode Process Dumper). Sysinternals ProcDump does the same job on current Windows versions: "procdump -ma" followed by the PID writes a full memory dump of that process.

Windows memory analysis

The contents of RAM can provide investigators with useful information, such as passwords or malware that never touched the disk, that may not be found on the hard drive. If you want to collect the memory used by a single process, you have a number of tools to choose from, such as Process Dumper (pd.exe), userdump.exe and adplus.vbs.

Rather than dumping a single process, you can dump the entire contents of RAM and analyze it offline. Some physical memory dumping tools you can use are Nigilant32, ProDiscover, KnTDD, MDD, Win32dd, Memoryze, Winen, FastDump and F-Response. Whichever you use, write the image to external media and record its hash, since the dump itself is the evidence.

Registry analysis tools

Though the registry hives may appear intimidating to new investigators, they reveal valuable information about a compromised system: Run keys and services used for persistence, UserAssist and MRU lists showing what was executed and opened, USB device history and network profiles. The hives live in %SystemRoot%\System32\config (SAM, SECURITY, SOFTWARE, SYSTEM) and in each user profile (NTUSER.DAT). Two useful registry analysis tools you can try are ProDiscover and RegRipper, which runs a library of plugins over an offline hive and prints the results as text.

Windows event logs

The Windows Event Viewer shows the important events and warnings generated by the system, but searching it by hand is slow. Fortunately, there is a great tool called Log Parser that lets you query event logs (and text logs, CSV files and more) with SQL-like statements. You can download a GUI version of this tool from www.codeplex.com/visuallogparser. The built-in wevtutil command and the Get-WinEvent PowerShell cmdlet can also export and filter event logs when you cannot install anything on the host.

Suspicious .exe file analysis

During a forensic investigation you might come across .exe files that look suspicious and whose function you want to uncover. Before anything else, record the file's hash so that the sample can be identified and compared later, and do not run it on the evidence host. One of the easiest checks is to scan the file with antivirus software; although many antivirus products fail to recognize malicious code, a detection still gives you a clue whether the file is safe or not. The next step is to run the file through strings.exe (Sysinternals Strings, which extracts printable ASCII and Unicode runs), which can reveal embedded URLs, IP addresses, file paths, registry keys and API names that point to the nature or purpose of the file. Another useful string searching tool is BinText.
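The first-pass triage described above (hash, signature, strings) can be done from PowerShell without running the sample. The function below is an example added here, not code from the original article or from Sysinternals: it hashes the file, reads its Authenticode signature state, extracts printable ASCII and UTF-16LE runs the way strings.exe does, and filters them for the URLs, IP addresses, registry paths and API names an analyst looks for first. The function name, parameter names and the "interesting" pattern list are this example's own choices.

```powershell
# Added example, not part of the original article: static first look at a
# suspicious executable without executing it. Names and patterns are this
# example's own; extend the pattern list for your case.
function Get-ExeTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 6   # minimum run length to count as a string, like strings.exe -n
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to one character, so regexes can run over raw bytes.
    $latin = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # Hashes first: they identify the sample before anything else touches it.
    $hashes = foreach ($alg in 'MD5','SHA1','SHA256') {
        [pscustomobject]@{ Algorithm = $alg; Hash = (Get-FileHash -Path $Path -Algorithm $alg).Hash }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path   # Valid / NotSigned / HashMismatch / ...

    # Printable ASCII runs, and UTF-16LE runs (each printable char followed by 0x00).
    $ascii = @([regex]::Matches($latin, "[\x20-\x7e]{$MinLength,}") | ForEach-Object Value)
    $wide  = @([regex]::Matches($latin, "(?:[\x20-\x7e]\x00){$MinLength,}") |
               ForEach-Object { $_.Value -replace "\x00", '' })

    # Strings that usually say something about intent: network indicators,
    # registry paths, and process-injection / download / execution APIs.
    $interesting = ($ascii + $wide) | Where-Object {
        $_ -match '^(https?://|ftp://|\\\\|HKEY_|SOFTWARE\\)' -or
        $_ -match '\b\d{1,3}(\.\d{1,3}){3}\b' -or
        $_ -match '(cmd\.exe|powershell|wscript|cscript|rundll32|regsvr32|CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|URLDownloadToFile|WinExec|ShellExecute|IsDebuggerPresent)'
    } | Sort-Object -Unique

    [pscustomobject]@{
        File        = (Resolve-Path $Path).Path
        SizeBytes   = $bytes.Length
        IsPE        = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)  # 'MZ' header
        Hashes      = $hashes
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        StringCount = $ascii.Count + $wide.Count
        Interesting = $interesting
    }
}

# Usage (the path is an example): Get-ExeTriage -Path 'C:\Users\Public\update.exe' | Format-List
```

Read the signature result with care: a valid signature from an unfamiliar publisher is not a clean bill of health, and NotSigned is normal for plenty of legitimate software; the hash is what you take to your antivirus vendor or threat-intelligence source, so you never have to ship the sample itself.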

Rootkits

A rootkit is a program that hides its own presence (processes, files, registry keys, network connections) by modifying the operating system's ability to report them, including its ability to audit or log suspicious events. You will therefore learn nothing about the suspicious activity by looking at the logs or at the normal process and file listings if a rootkit is installed. Fortunately, Microsoft Sysinternals offers a rootkit detection tool, RootkitRevealer, which you can download at http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

RootkitRevealer works by comparing what the Windows API reports with what it reads from the raw file system and registry hives, so it exposes rootkits, user-mode or kernel-mode, that hide files or registry keys. It cannot detect a rootkit that hides nothing on disk or in the registry, or one that also intercepts the raw reads, and it runs only on 32-bit Windows XP and Server 2003. Some other useful rootkit detection tools are Microsoft Strider GhostBuster, F-Secure BlackLight, Sophos Anti-Rootkit, Helios and GMER.

The purpose of this post was to introduce you to various forensic investigation tools for the Windows operating system, which can help you to develop forensic investigation skills. If you want to share your tools with us, please post your feedback and links in the comment section.

Filed Under: IS Audit Tagged With: forensic, tools, windows


Copyright © 2010-2025 ·All Rights Reserved · SecurityWing.com