Hello All,
I still remember my days 7 years back, when I was very keen in learning and working on Computer Forensics, however there were no good resources available for understanding the concepts and practicals for the same.
I am starting this short series for all those who are still struggling to start their career into Digital / Computer Forensics.
However, I wont be covering the basic steps or Phases involved in Computer Forensics and Incident Response, as there are numerous books available for the same, and a Google search may help you all a lot.
So, Let’s start with NTFS Filesystem:-
Currently it is NTFS v3.1 for XP/2000/2003/Vista
NTFS: New Technology File System
formerly known as NTFS is a registered tradmark of Northern Telecom File System, you can still find them on older version’s of CD for Windows 3.5 NT and 4.0.
Going a bit deeper,
NTFS consists of records and entries of MFT,
$MFT= Master File Table
The length of the $MFT within NTFS is 1024 bytes.
Standard Sector size within NTFS is 512 bytes
Standard Cluster size within NTFS is 4096 bytes (8*512 sectors)
MFT is the primary file within NTFS file system,this file points to the locations of the other files within the NTFS formatted filesystem.
Within the MFT there are “entires”, and each entry contains information about the file it points to. These entries provide a variety of information about the file it points to, and it also includes the following:
File Name, File Size, dates about the file included:-
Created=C
Entry Modified=M
Written=E
Accessed=A
ocation of the data of the file.(MACE)
Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 OR FILE*, depending and signifying whether the given partition was formatted using Windows XP , Windows 2000 respectively.
The first 16 MFT entries within the MFT are reserved.
In Next Series of this article we will go deep into NTFS structure with reference to MFT and other records.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Thursday, June 4, 2009
Restore Point and Forensics
Hello All,
Just to update on Windows XP Restore Point and it’s use in Forensics Investigation:-
within Windows XP, Windows creates “Restore Points”. These restore points are contained in numbered folders at the following location:
\System Volume Information\-restore{GUID}\RP### (### are sequential numbers as these restore points are created)
These Restore Points are / can be created when the following conditions are been met / due to action taken by the user /system.
1>These Restore points are created by default every 24 hours within Windows XP and named as System Checkpoint
2>These are also created prior and after the installation of Microsoft Windows Update or any Patches /hotfixes installation.
3>These are often created whenever a user installs any software or application
4>and finally whenever any new hardware changes occur and device driver installation is performed on the system.
There may have been other reasons which I may not be fully aware, or havent come across.
Now, how the above can help in an ongoing Forensic Investigation?
Well,
1>Check the System Image in question for Event ID of 110 which provides evidence of System Restore was successful, this is very useful after any machine is confiscated and is under investigation.
2>check for the following logs relevant to System Restore, a>RP.LOG, b>CHANGE.LOG, c>FIFO.LOG
The Change.Log is important as it contains the name of files which are renamed and thus it helps tracking the files from the restore point folder.
The FIFO.Log file contains the Deletion time and the number of the Restore Point being deleted, “RP###”
Restore Points are valid for 90 day period, also it depends on the amt of disk space available and how the system restore is configured.
System restore can be Disabled by a user or an Adminsitrator.
An Administrator can create a System restore Point manually
\System Volume Information\-restore{GUID}\RP### is neither accessible to an Administrator with the default NTFS permission set, nor for the user.
There are Registry settings for System restore at:-
HKLM\Sofware\Microsoft\WindowsNT\CurrentVersion\SystemRestore.
If you have any other inputs to add, or anything i have missed Please feel free to comment.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Just to update on Windows XP Restore Point and it’s use in Forensics Investigation:-
within Windows XP, Windows creates “Restore Points”. These restore points are contained in numbered folders at the following location:
\System Volume Information\-restore{GUID}\RP### (### are sequential numbers as these restore points are created)
These Restore Points are / can be created when the following conditions are been met / due to action taken by the user /system.
1>These Restore points are created by default every 24 hours within Windows XP and named as System Checkpoint
2>These are also created prior and after the installation of Microsoft Windows Update or any Patches /hotfixes installation.
3>These are often created whenever a user installs any software or application
4>and finally whenever any new hardware changes occur and device driver installation is performed on the system.
There may have been other reasons which I may not be fully aware, or havent come across.
Now, how the above can help in an ongoing Forensic Investigation?
Well,
1>Check the System Image in question for Event ID of 110 which provides evidence of System Restore was successful, this is very useful after any machine is confiscated and is under investigation.
2>check for the following logs relevant to System Restore, a>RP.LOG, b>CHANGE.LOG, c>FIFO.LOG
The Change.Log is important as it contains the name of files which are renamed and thus it helps tracking the files from the restore point folder.
The FIFO.Log file contains the Deletion time and the number of the Restore Point being deleted, “RP###”
Restore Points are valid for 90 day period, also it depends on the amt of disk space available and how the system restore is configured.
System restore can be Disabled by a user or an Adminsitrator.
An Administrator can create a System restore Point manually
\System Volume Information\-restore{GUID}\RP### is neither accessible to an Administrator with the default NTFS permission set, nor for the user.
There are Registry settings for System restore at:-
HKLM\Sofware\Microsoft\WindowsNT\CurrentVersion\SystemRestore.
If you have any other inputs to add, or anything i have missed Please feel free to comment.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Can Defeat Forensics upto 50%
Hello All,
After a long time, and Yes you read the Title right!!
With the new feature in Windows XP and Windows Vista called SteadyState, if configured properly, with Disk protection=ON, and deletion of Shared Profile either at Restart or Logoff is configured properly, there is no way to retreive any Artefacts from the system configured to run with Windows SteadyState.
as there are no modifications within $MFT, except for the entry within the $MFT itself for the C:\Boot\Bootstat.dat file.
and nothing changes!!
I am still trying to figure out other possibilities for recovering the Artefacts.
However, as of this time, i assume it is almost 50 % true to say that it is not too far, that one can hide all traces and artefacts from a system, as the advances in technologies like Windows SteadyState are coming..
Note:-System needs to be configured to use Locked Profile and deletion of any user data, Please refer to User Handbook for Windows SteadyState:-)
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.
After a long time, and Yes you read the Title right!!
With the new feature in Windows XP and Windows Vista called SteadyState, if configured properly, with Disk protection=ON, and deletion of Shared Profile either at Restart or Logoff is configured properly, there is no way to retreive any Artefacts from the system configured to run with Windows SteadyState.
as there are no modifications within $MFT, except for the entry within the $MFT itself for the C:\Boot\Bootstat.dat file.
and nothing changes!!
I am still trying to figure out other possibilities for recovering the Artefacts.
However, as of this time, i assume it is almost 50 % true to say that it is not too far, that one can hide all traces and artefacts from a system, as the advances in technologies like Windows SteadyState are coming..
Note:-System needs to be configured to use Locked Profile and deletion of any user data, Please refer to User Handbook for Windows SteadyState:-)
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.
Sunday, March 29, 2009
NMAP as a VA tool !!
NMAP a great Penetration-testing tool, which was only used as a Port-Scanning and Enumeration tool, has now got some additional and more powerful features then it’s previous versions.
with the newly added “NSE” Nmap Scripting Engine which uses “Lua”
The NSE (”The Nmap Scripting Engine“) executes the script in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.
The NSE scripts can be found under:-
/usr/share/nmap/scripts/
There are currently the following categories:
auth, default, discovery, external, intrusive, malware, safe, version, and vuln.
the above categories can be used together as well, seperated by commas:
nmap -v –script=malware,vuln,discovery hostipaddress.com
Some common examples of using NMAP with NSE are as follows:-
to update the Scripts use the following: nmap --script-updatedb
nmap -v -sC hostipaddress.com
nmap -v –script=all hostipaddress.com
nmap -v –script=default hostipaddress.com
nmap -v –script=malware hostipaddress.com
there can be many more options, depending upon what exactly you are trying to find out.
however, it will not be too late, to see NMAP as a Full-Blown Vulnerability Scanner, like or more powerfull than Nessus.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
with the newly added “NSE” Nmap Scripting Engine which uses “Lua”
The NSE (”The Nmap Scripting Engine“) executes the script in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.
The NSE scripts can be found under:-
/usr/share/nmap/scripts/
There are currently the following categories:
auth, default, discovery, external, intrusive, malware, safe, version, and vuln.
the above categories can be used together as well, seperated by commas:
nmap -v –script=malware,vuln,discovery hostipaddress.com
Some common examples of using NMAP with NSE are as follows:-
to update the Scripts use the following: nmap --script-updatedb
nmap -v -sC hostipaddress.com
nmap -v –script=all hostipaddress.com
nmap -v –script=default hostipaddress.com
nmap -v –script=malware hostipaddress.com
there can be many more options, depending upon what exactly you are trying to find out.
however, it will not be too late, to see NMAP as a Full-Blown Vulnerability Scanner, like or more powerfull than Nessus.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
Subscribe to:
Posts (Atom)
