1 Memory Forensics Training - HBGary, Inc.
2 Agenda: Introduction; Windows memory basics; Collecting memory images; Recover and analyze data; Identify suspicious activity; Generate Report
3 Introductions. Trainers: Phil Wallisch, Martin Pillion. Participants: introduce yourselves to the class - Name; Experience in Computer Forensics; What tools do you use? Why are you here? What would you like to learn in this class? NOTE: All trademarks referenced in this presentation are the property of their respective owners.
4 What You'll Learn: Windows Memory Basics. Live Memory Collection - good, bad, ugly: best practices for memory preservation; options for preserving memory; preparing media for collection. Analysis of Memory: rebuilding the state of the machine; recovering data; searching for artifacts; methodology and approach for various investigation situations. Generating a Report
5 Today's Schedule/Agenda: How Windows Memory Works (basics). How to Prepare a Memory Forensic Toolkit. Software. Live Memory Collection - good, bad, ugly: best practices for memory preservation; options for preserving memory; preparing media for collection. Analysis of Memory: rebuilding the state of the machine; searching for artifacts; methodology and approach for various investigation situations. Final Exam
6 Disclaimer: This 1-day class will not cover: Disk-Based Forensics; Reverse Engineering Malware; Assembly Language tutorial
7 Class Structure: Lecture for each section - concepts; Demonstration/Movie; Hands-on Lab Exercises; Final Exam in the last 2 hours. Focus: Computer Forensic Investigations
8 Applications we'll investigate: Microsoft Internet Explorer; Microsoft Outlook 2007; TrueCrypt; Skype; Yahoo instant messenger; Webmail - Gmail; Webmail - Yahoo; DNAScan (Infostealer) –
9 Goals, Content to Recover: Passwords for webmail - Internet Explorer; Password for Hushmail - Internet Explorer; Outlook IMAP; Encryption Software; Encrypted Chat sessions - Skype; File names transferred through Skype; Dates and time stamps of messages sent via Skype; Internet Explorer - Browser Helper Objects
10 Lab Exercises: Collect and Preserve Windows Memory; Analyze Memory Images off-line; Forensic Investigation Cases - 3 Different Scenarios; Generate Report
11 Key (slide icons): The start of a new training section or concept; Movie that illustrates the concept; Class exercise; A helpful analysis hint; Instructor demo
12 Class Admin Stuff. Receive: Responder Installation CD; Numbered HASP key; Class DVD. Install Responder (should be done). Copy DVD contents to your local hard drive (optional): C:\XXXXXX\
14 How Windows Works: Because we don't trust the operating system, we can't use it; Responder must manually do everything the OS would do. Windows is very complex (understatement): thousands of structures; can change between versions; mostly undocumented; hacks on top of shortcuts on top of optimizations on top of millions of lines of code....
15 How Windows Works: Who knows? Not many people. Sysinternals - Microsoft bought them... Greg, Martin, and Shawn from HBGary.
16 Windows Memory Model (diagram): 0xFFFFFFFF | Kernel | 0x | User | 0x
17 Windows Memory Model (diagram): 0xFFFFFFFF | Kernel | Each process has its own 2GB: Truecrypt.exe, Winword.exe, Skype.exe, Solitaire.exe | 0x
18 Windows Memory Model (diagram): 0xFFFFFFFF | Kernel | 0xC0000000 with the /3GB boot switch | User | 0x
19 Windows Architecture (diagram). User Mode: System Support Processes, Service Processes, User Applications, Environment Subsystems, Subsystem DLLs. Kernel Mode: Executive, Windowing and Graphics, Kernel, Device Drivers, Hardware Abstraction Layer. Notes: System support processes - Logon process (not started by the SCM), Session manager (not started by the Service Control Manager). Service processes - task scheduler, spooler service. Source: Windows Internals, 4th Edition
20 Windows Architecture (diagram). User Mode: System Processes (Session manager, Winlogon, Service control Mgr / Services.exe, LSASS); Services (SvcHost.exe, WinMgt.exe, SpoolSv.exe); Applications (Task Mgr, Explorer, User Applications); Environment Subsystems (Windows, OS/2, Posix); Windows DLLs; NTDLL.DLL. Kernel Mode: System Threads; System Service Dispatcher; Windows User, GDI; Executive components: I/O Mgr, File System Cache, Object Manager, Plug & Play Mgr, Security Reference Monitor, Virtual Memory, Processes & Threads, Config Mgr (registry), Local Procedure Call; Device & File sys Drivers; Graphics Drivers; Kernel; Hardware Abstraction Layer (HAL)
21 Address Translation Process (diagram). Source: Microsoft Windows Internals, 4th Edition
22 Address Translation Process (diagram). Source: Microsoft Windows Internals, 4th Edition
23 Virtual to Physical Mappings (diagram): Logical Data - better than strings... Virtual Memory → Physical Memory
24 Virtual to Physical Mappings (diagram): Include Pagefile.sys = More Data. Virtual Memory → Memory Image + Paging File
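Added example (written for this page; it is not HBGary's code and not how Responder is implemented): a Python walk of 32-bit non-PAE x86 page tables over a constructed "physical memory image". It shows what the slides mean by "logical data, better than strings" and by "include Pagefile.sys = more data": a virtual address is resolved through the page directory and page table to a physical offset, a 4 MB large page is handled, and a page that is not present but carries a page-file PTE is fetched from the pagefile instead of being lost. Assumptions: the non-PAE layout (10-bit directory index, 10-bit table index, 12-bit offset, PS bit for 4 MB pages) and the XP-era x86 software-PTE layout, where bits 1-4 hold the page file number and bits 12-31 the page file offset, with bit 10 (prototype) and bit 11 (transition) as flags. The CR3 value, table entries and page contents are all constructed.

```python
import struct

PAGE_SIZE = 0x1000
FLAG_PRESENT = 1 << 0        # hardware "Valid" bit in PDE/PTE
FLAG_LARGE_PAGE = 1 << 7     # PDE "PS" bit: 4 MB page, no page table behind it
FLAG_PROTOTYPE = 1 << 10     # software PTE: refers to a prototype PTE (not resolved here)
FLAG_TRANSITION = 1 << 11    # software PTE: page is in transition but still in RAM

CR3 = 0x1000                 # constructed: physical address of the page directory


def read_u32(image, phys):
    return struct.unpack_from("<I", image, phys)[0]


def translate(image, cr3, va):
    """Resolve one virtual address against the page tables found in `image`.

    Returns ("ram", physical_offset), ("pagefile", file_number, file_offset)
    or ("unmapped", reason)."""
    pdi = va >> 22                      # page directory index (10 bits)
    pti = (va >> 12) & 0x3FF            # page table index (10 bits)
    offset = va & 0xFFF                 # byte offset inside the 4 KB page
    pde = read_u32(image, cr3 + pdi * 4)
    if not pde & FLAG_PRESENT:
        return ("unmapped", "PDE not present")
    if pde & FLAG_LARGE_PAGE:           # 4 MB page: top 10 bits of the PDE are the frame
        return ("ram", (pde & 0xFFC00000) | (va & 0x3FFFFF))
    pte = read_u32(image, (pde & 0xFFFFF000) + pti * 4)
    if pte & FLAG_PRESENT:
        return ("ram", (pte & 0xFFFFF000) | offset)
    if pte == 0:
        return ("unmapped", "PTE is zero: never committed")
    if pte & FLAG_PROTOTYPE:
        return ("unmapped", "prototype PTE: needs the section's prototype chain")
    if pte & FLAG_TRANSITION:           # transition pages are still backed by RAM
        return ("ram", (pte & 0xFFFFF000) | offset)
    # Otherwise a page-file PTE: bits 1-4 = page file number, bits 12-31 = offset.
    return ("pagefile", (pte >> 1) & 0xF, (pte & 0xFFFFF000) | offset)


def read_virtual(image, cr3, va, length, pagefiles=None):
    """Read `length` bytes at `va`, spanning pages; pagefiles maps file number -> bytes.
    Returns None if any page is unresolvable (no pagefile supplied, prototype, etc.)."""
    out = bytearray()
    while len(out) < length:
        chunk = min(length - len(out), PAGE_SIZE - (va & 0xFFF))
        where = translate(image, cr3, va)
        if where[0] == "ram":
            out += image[where[1]:where[1] + chunk]
        elif where[0] == "pagefile" and pagefiles and where[1] in pagefiles:
            out += pagefiles[where[1]][where[2]:where[2] + chunk]
        else:
            return None
        va += chunk
    return bytes(out)


def build_sample():
    """Constructed 32 KB 'physical image' plus a constructed pagefile 0."""
    image = bytearray(8 * PAGE_SIZE)
    pagefile = bytearray(8 * PAGE_SIZE)
    struct.pack_into("<I", image, CR3 + 1 * 4, 0x2000 | 0x7)    # PDE[1] -> page table at 0x2000
    struct.pack_into("<I", image, 0x2000 + 1 * 4, 0x3000 | 0x7)  # PTE[1] -> frame 0x3000 (present)
    struct.pack_into("<I", image, 0x2000 + 2 * 4, 0x5000)        # PTE[2] software: pagefile 0, offset 0x5000
    struct.pack_into("<I", image, CR3 + 3 * 4, 0x400000 | 0x83)  # PDE[3] 4 MB page at 0x400000
    image[0x3000:0x3000 + 13] = b"SECRET-IN-RAM"
    pagefile[0x5000:0x5000 + 18] = b"SECRET-IN-PAGEFILE"
    return image, {0: bytes(pagefile)}


if __name__ == "__main__":
    img, pfs = build_sample()
    print(read_virtual(img, CR3, 0x00401000, 13))          # found in RAM
    print(read_virtual(img, CR3, 0x00402000, 18))          # None: paged out, no pagefile given
    print(read_virtual(img, CR3, 0x00402000, 18, pfs))     # recovered from the pagefile
```

With only the RAM image, the second read fails even though the PTE tells exactly where the data went; supplying the pagefile turns that miss into a hit, which is the effect the slide's URL and password counts describe.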
25 Process Information: EPROCESS contains KPROCESS; Start and Termination times (we'll recover these soon); PID and Parent PID; Heaps; Points to the PEB (BeingDebugged, Path to executable, Command Line arguments, Loaded Modules (DLLs)); Points to ETHREAD and other EPROCESS blocks
26 Finding the Processes: Active Process Links
27 Process Relationships: Idle / System (pid 0) → Smss (pid xyz, ppid 0) → Csrss (pid xyz1, ppid xyz) → Winlogon (and so on...) → alg, Services, svchost, Lsass, Userinit (exits after Explorer starts), Explorer
28 Process Information: Full name and path; Command line arguments; Process ID number (PID); Parent PID; Current working directory; Window Title; Handles (files, devices, drivers); List of loaded modules (DLLs)
29 Process Information: System processes have defined parents - cmd.exe should not be the parent of lsass.exe. Most user processes are started by Explorer.exe; it's suspicious when they're not (maybe started from a command prompt). Orphaned process - no PPID or parent! Some system processes should never start programs - lsass.exe should not start cmd.exe
30 Process Information: List of DLLs for each process - Responder gets the name, path, and size of each. What is solitaire.exe doing with wsock32.dll? What is iexplore doing with c:\temp\WS2_32.dll? What if there is no path information or memory-mapped file? Injected code! Possible rootkit. Where is it on the disk?
31 Process Information: Suspicious program names - Parishilton.exe. Suspicious command lines - C:\TEMP\solitaire –L –p e cmd.exe; c:\windows\system32\cmd.exe
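The checks on slides 27-31 can be run mechanically once the process list has been rebuilt from the EPROCESS blocks. The Python below is an added example (not Responder's logic) that applies them to a constructed process list: expected parents for the XP-era system processes shown on slide 27, orphaned processes, programs started by lsass.exe or from a command prompt, executables running from a temp directory, modules with no backing file (injected code) or loaded from an unusual path, and a networking DLL inside a program that has no business on the network. The expected-parent table, the "no network expected" list and the system-directory prefixes are assumptions chosen for the demo; explorer.exe is exempt from the orphan rule because, as slide 27 notes, its parent userinit exits.

```python
from dataclasses import dataclass, field


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str = ""
    modules: list = field(default_factory=list)   # (module name, on-disk path; "" if none)


# Assumption: XP-era parent/child relationships taken from the slide's process tree.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}
NEVER_SPAWN = {"lsass.exe"}                    # system processes that should never start programs
ORPHAN_OK = {"system", "explorer.exe"}          # System has no parent; explorer's parent (userinit) exits
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll"}
NO_NETWORK_EXPECTED = {"solitaire.exe", "sol.exe", "notepad.exe"}   # assumption for the demo
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")              # assumption for the demo


def review_processes(procs):
    """Return {pid: [finding, ...]} for every process that trips at least one rule."""
    by_pid = {p.pid: p for p in procs}
    findings = {}

    def flag(p, msg):
        findings.setdefault(p.pid, []).append(msg)

    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else None
        if parent is None and name not in ORPHAN_OK:
            flag(p, f"orphaned: parent pid {p.ppid} is not in the process list")
        if name in EXPECTED_PARENT and pname != EXPECTED_PARENT[name]:
            flag(p, f"unexpected parent {pname or p.ppid}; expected {EXPECTED_PARENT[name]}")
        if pname in NEVER_SPAWN:
            flag(p, f"started by {pname}, which should never start programs")
        if pname == "cmd.exe":
            flag(p, "started from a command prompt rather than by Explorer")
        if "\\temp\\" in p.path.lower():
            flag(p, f"executable runs from a temp directory: {p.path}")
        for mod, mpath in p.modules:
            if not mpath:
                flag(p, f"module {mod} has no backing file: possible injected code")
            elif not mpath.lower().startswith(SYSTEM_DIRS):
                flag(p, f"module {mod} loaded from unusual path {mpath}")
            if mod.lower() in NETWORK_DLLS and name in NO_NETWORK_EXPECTED:
                flag(p, f"{p.name} has networking DLL {mod} loaded")
    return findings


def sample_process_list():
    """Constructed process list mirroring the slides' examples (pids are made up)."""
    return [
        Process(4, 0, "System", ""),
        Process(368, 4, "smss.exe", r"C:\WINDOWS\system32\smss.exe"),
        Process(584, 368, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
        Process(608, 368, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
        Process(652, 608, "services.exe", r"C:\WINDOWS\system32\services.exe"),
        Process(664, 608, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
        Process(900, 652, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "svchost -k netsvcs"),
        Process(1500, 1480, "explorer.exe", r"C:\WINDOWS\explorer.exe"),     # 1480 = userinit, already gone
        Process(1200, 664, "cmd.exe", r"C:\WINDOWS\system32\cmd.exe"),      # lsass should not spawn this
        Process(1300, 1500, "solitaire.exe", r"C:\TEMP\solitaire.exe", "",
                [("wsock32.dll", r"C:\WINDOWS\system32\wsock32.dll")]),
        Process(1400, 1500, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "",
                [("WS2_32.dll", r"c:\temp\WS2_32.dll"), ("unknown", "")]),
        Process(1600, 999, "update.exe", r"C:\Documents and Settings\john\update.exe"),
    ]


if __name__ == "__main__":
    for pid, msgs in sorted(review_processes(sample_process_list()).items()):
        for m in msgs:
            print(f"pid {pid}: {m}")
```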
32 CONCEPT 2: Why Memory Forensics?
33 Memory Forensics is... Random Access Memory (RAM). It's the state of the computer. Very far down into the weeds
34 Strings is not enough... Find all ASCII and Unicode strings - old school, since 2002. Answers "what" (sometimes); doesn't tell you when, who, where, or why. Only a physical search - cannot tie the content to a process and then to a user....
35 Strings is not enough... Produces HUGE amounts of data - sometimes more than 1,000,000 ASCII strings - OMG! No contextual information. Lots of good info, mostly on-screen messages: open documents, program names, passwords, network connection info
36 Why Memory Forensics? Encryption Keys* - BitLocker, PGP Whole Disk Encryption, etc. What was happening on the system: running programs, open documents, unpacked contents of packed programs, network connections. What was really happening on the system - not the sanitized (lying) version from the OS: hidden programs, rootkits, injected code. Destroying the Hacker Defense - what was running ten minutes before the knock and talk
37 Why Memory Forensics? A more Complete Investigation
38 To execute, it must exist in RAM - Traditional Forensics & Security Software
39 Why Live Memory Forensics? Today it's easy! Mission-critical systems - % availability. Anti-forensic techniques used by bad guys: hax0rs, cyber spies, cybercriminals. Valuable info in RAM cannot be found on disk: passwords, encryption keys, network packets, screen shots, private chat sessions, unencrypted data, unsaved documents, etc.
40 Why Offline Analysis? No more operating system to be fooled. Rootkits and malware "lie"; the operating system cannot be trusted - can't use it! Everything is recreated from the bottom up (physical layer); this replicates the disk forensics approach. Can detect malware that Anti-Virus cannot; can detect malware that host-based IDS/IPS cannot. Verify the "run-time" state of the system proactively
41 Useful Information in RAM: Processes and Drivers; Loaded Modules; Network Socket Info; Passwords; Encryption Keys; Decrypted files; Order of execution; Runtime State Information; Rootkits; Configuration Information; Logged-in Users; NDIS buffers; Open Files; Unsaved Documents; Live Registry; Video Buffers - screen shots; BIOS Memory; VOIP Phone calls; Advanced Malware; Instant Messenger chat
42 Bad Guys use Memory Tricks: Memory injection attacks never touch the disk. Public and commercial hacker tools have used these techniques for over 3 years: Metasploit Framework, Canvas, Core Impact. No good software detection mechanism exists without physical memory preservation and offline analysis. Remember: you cannot trust the operating system!
43 History Of Memory Analysis: Relatively new - there are some imagers, but nothing solid for analysis. Freeware scene - started in 2003: DFRWS community, Kornblum, Carvey, others. Academic scene - Jan. 2008: the Princeton video, "frozen memory". Open Source & Academic Projects: Perl scripts; hex editors; Strings.exe, grep searches, manual carving; Volatility framework
44 Defeat the Trojan Defense: "I didn't do it, the Trojan horse did!" "The hacker controlling my PC did." Used in the UK. Plausible deniability because Law Enforcement didn't image physical memory - Law Enforcement destroyed 4 GB of "evidence". 4GB is equivalent to 1,048,576 pages of paper; that's about 2,097 reams of paper. Goal: "to prove the negative" - "No, your Honor, there was no Trojan or any other software running on the defendant's machine at the time in question with the capabilities claimed by the defense..."
45 Live Memory Forensics Risks: RAM collection software relies on the host OS and can be subverted. Some software is more invasive than others; it usually loads about 10 modules from the operating system
46 Live Memory Forensics Risks: Rootkits. User Mode - can modify system commands (netstat, ipconfig). Kernel Mode - can hide and modify low-level blocks of memory/disk; can subvert software dumping of RAM. That's why we're working on ICEDUMP, similar to the Princeton approach. ** Countermeasures to kernel-mode rootkits: VMware snapshot files (pause the processor); Hiberfil.sys (contents of RAM are written to non-volatile storage before the system is powered down).
47 Counter-Measures: Pause the Processor - Virtual Machines. Existing Memory Images (made by Windows): Hibernation Files - file system; Crash Dumps - file system
48 Hibernation: Saves system state to disk for faster resume - compresses physical memory and writes it to c:\hiberfil.sys. Space is reserved when hibernation is enabled; it is not cleared and contains disk free space. No data if enabled but never used; once used, some data is always maintained. (Diagram: Compressed Memory → Disk Data; Size of Physical Memory)
49 Hibernation: Not enabled by default* until Windows Vista - now called Sleep
50 Hibernation file layout (diagram): Header; Free Pages; Page Tables; Compressed Data. Wiped upon successful restore
51 CONCEPT 3: Memory Collection
52 Memory Collection. Software Memory Imagers: FastDump Pro - HBGary; WinHex - X-Ways; DD derivatives (FAU, DD from Garner, NiGilent32, Helix); Winen - Guidance Software; MDD - Mantech. Hardware Memory Imagers: Firewire, "Tribble", other projects online; Princeton Video - freeze the RAM
53 Memory Collection - Best Practices. Goal: be "minimally invasive" to the suspect machine. DO NOT acquire RAM to the local system hard drive - invasive, possibly destroying important data. Use an external thumb drive - image the RAM to sterile media: a freshly wiped drive, preferably all zeros. Reformat the drive to NTFS - the FAT32 file system has a 2GB file size limitation and FDPro cannot split the file into chunks yet... Generate an MD5 hash at time of collection and save it with the memory image; it is used to verify the integrity of the file
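The "hash at time of collection, save it with the image" step on slide 53 is shown here as an added Python example (not HBGary's code, and not something FDPro does for you). It hashes the image in chunks so a multi-gigabyte dump is never read into memory at once, writes an md5sum-compatible sidecar next to the image, and re-verifies later; the demo constructs a 3 MiB fake image, proves the check passes, flips one byte, and proves the check then fails. The file name and sidecar layout are assumptions for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # hash in 1 MiB pieces: a RAM image can be larger than available memory


def hash_image(path):
    """Return the MD5 hex digest of the file at `path`, streamed in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_sidecar(image_path):
    """Record the digest beside the image in md5sum's 'digest  filename' format."""
    sidecar = image_path + ".md5"
    digest = hash_image(image_path)
    with open(sidecar, "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return sidecar, digest


def verify_image(image_path):
    """Re-hash the image and compare with its sidecar. Returns (ok, recorded, actual)."""
    with open(image_path + ".md5") as f:
        recorded = f.read().split()[0]
    actual = hash_image(image_path)
    return recorded == actual, recorded, actual


def demo():
    """Constructed 3 MiB 'RAMdump.bin': hash, verify, corrupt one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "RAMdump.bin")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))      # 3 MiB of constructed content
        _, digest = write_sidecar(image)
        ok_before, _, _ = verify_image(image)
        with open(image, "r+b") as f:                    # simulate a single damaged byte
            f.seek(2 * 1024 * 1024 + 17)
            f.write(b"\xff")
        ok_after, recorded, actual = verify_image(image)
        return ok_before, ok_after, recorded == digest, len(actual)


if __name__ == "__main__":
    print(demo())   # (True, False, True, 32)
```

Keep the sidecar with the image and in your notes; the recorded digest is what lets you show later that the file analyzed is the file collected.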
54 "Smear" Image: Software creates a "smear" image - not a "true" duplicate image, and the process is not reproducible. To create a "true" image, hardware is required; alternatively, virtualization can "pause" the processor, or use a Crash Dump or Hibernation File (hiberfil.sys)
55 HBGary FastDump™: Software used to dump physical RAM. Works on Windows operating systems - Windows 2000 through 2008 Server; 32 and 64 bit; PAE and Non-PAE
56 Fastdump Pro
57 Memory Collection Video: Collecting the physical memory. Movie: FDPro_RAM1.wmv
58 Exercise 1: Memory Collection
59 Memory Collection Exercise. Location of Fastdump Pro: C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\ . Copy FDPro to a USB 2.0 drive. Create a memory snapshot: E:\FDPro.exe RAMdump.bin. FDPro writes the memory snapshot to the location it was run from unless you specify a separate path, e.g. E:\fdpro X:\Memory.bin. Take 10-15 minutes
60 CONCEPT 4: Memory & Pagefile Collection
61 Virtual to Physical Mapping (diagram): Partial Address Translation - no Pagefile.sys. Virtual Memory → Memory Image
62 Virtual to Physical Mappings (diagram): Robust Address Translation = More Data. Virtual Memory → Memory Image, Prototype, Paging File
63 Why Collect the Pagefile? More accurate recovery of data; a more complete memory investigation. HBGary testing: Memory image - 70,000 URLs; same memory with Pagefile.sys - 500,000 URLs. Memory image - no passwords found; memory image with Pagefile.sys - Domain Administrator PW
64 Memory & Pagefile Collection Video: Collect physical memory & pagefile.sys. Movie: FDPro_RAM_Pagefile1.wmv
65 Exercise 2: Memory & Pagefile Collection
66 Memory & Pagefile Exercise. Location of Fastdump Pro: C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\ . Copy FDPro to a USB 2.0 drive. Create a memory snapshot with Pagefile.sys: E:\fdpro.exe RAMdump_Pagefile.hpak. Take 15-20 minutes
67 CONCEPT 5: Memory Collection with Process Probe
68 Goal of Process Probe: to force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to Pagefile.sys and also code that is still contained in the executable on disk but not in use; this code will also be called into RAM prior to acquisition of physical memory.
69 Why Process Probe? Because Process Probe will often provide the investigator with a much more accurate and complete picture of the executable code and the data. Process Probe feature detail: the process probe feature allows you to control what memory is "paged in" to RAM from swap AND the file system before FDPro performs RAM acquisition. When you use the –probe smart feature, FDPro.exe will walk the entire process list and make sure *all* code is called into RAM. The result is that we're able to recover almost 100% of user-land process memory by causing these pages to be activated and paged in on the fly. The Probe feature will even force code from the file system into RAM for a specific process. The Process Probe feature can dramatically improve the quality and thoroughness of live Windows memory forensic investigations and malware analysis.
70 Why Process Probe? When would I use the Process Probe feature? During any “LIVE” network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. You’re going to want to get any and all possible information relative to the applications running on the computer that are pertinent to your investigation. Examples of these applications include instant messengers, IP Telephony, internet browsers, malware, encryption applications, a database, media players, and other applications. Examples of data you can get access to is encrypted data, passwords, unencrypted chat sessions, documents, s, internet searches, internet postings, password protected websites, etc.
71 Process Probe Best Practices: Forensic best practices dictate that an investigator or analyst should always acquire RAM first (and the Pagefile too) without running the Probe feature. After "freezing the current state" of the RAM, the investigator/analyst should run FDPro again, this time using the Probe feature. Even when grabbing the pagefile, the probe feature can force code from the file system that is not being used into RAM
72 Process Probe Best Practices - Example Steps: Arrive at the server or workstation suspected in the computer incident or forensic investigation. Collect RAM to "freeze the runtime state of the machine" - this is a full RAM image with Pagefile. If you're doing any sort of malware analysis or reverse engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and probe –smart on your very first image to save time, but you should know that this technique will leave a larger footprint in RAM than only performing a memory acquisition
73 Memory Collection with Process Probe Video: Collecting physical memory with Process Probe. Movie: FDPro_Probe1.wmv
74 Exercise 3: Memory Collection with Process Probe
75 Memory Collection with Process Probe Exercise. Location of Fastdump Pro: C:\program files\HBGary, Inc.\HBGary Forensic Suite\Bin\Fastdump\ . Copy FDPro to a USB 2.0 drive. Create a memory snapshot using the following commands: E:\fdpro.exe RAMdump_Process_Probe.bin –probe all; E:\fdpro.exe RAMdump_Process_Probe.bin –probe smart; E:\fdpro.exe RAMdump_Process_Probe.bin –probe pid #
76 CONCEPT 6: HBGary Responder™ Overview
77 Responder Overview - Responder Professional: Live Physical Memory Forensics; Runtime & Binary Forensics; Computer Forensics; Computer Intrusions; Rootkit Detection; Malware Analysis
78 HBGary Responder Pro™: Embodies the HBGary IR Methodology; complements disk forensic investigations. Commercial shipping product to analyze RAM images - "Windows without Windows". Carves all Windows memory images for Win2k, XP, 2003, Vista, 2008 Server; all service packs; 32 & 64 bit
79 Creating a Project: A wizard walks you through project creation. Two basic types: Physical Memory Snapshot - live memory analysis (all running processes); Static PE Import (*** not part of Field Edition) - binary import and analysis. Project details: why you are analyzing this machine; date & timestamps
80 Importing a Snapshot: File → Import → Physical Memory Snapshot. Select the snapshot file. Add details about the snapshot - why is it of interest? Select post-import options: Extract and Analyze all Suspicious Binaries; Generate the Malware Analysis report. Same steps when importing a static binary: File → Import → Import Executable Binary
81 The Scanning Process: Import Memory Snapshot; Validate the Page Table layout and size; Identify PAE/Non-PAE; Identify OS and Service Pack; Reconstruct Object Manager; Rebuild EPROCESS Blocks; Rebuild the VAD Tree; Scan for Rootkits; Scan for patterns; Scan for Digital DNA
82 CONCEPT 7: Responder User Interface
83 User Interface: Project Panel - Shows all harvested objects (Processes, Modules, Drivers, Strings, Symbols); macroscopic view of object data; allows drill-down on most objects; context-sensitive right-click menu; status icons
84 Responder Object Schema (diagram): Project; Memory Image; Hardware; IDT; Operating System; SSDT; Processes; Drivers; Open Files; Network Socket Information; Open Registry; Analyzed Binary; Strings; Analyzed Symbols
85 Project type / Top-level folders. Leaf-node folders - double-click these to see the details view of the folder. Expandable folders - single-click these to expand the contents of the folder. Table - double-click this to see the contents of the table.
86 UI: Report Panel - Provides a repository for documenting your findings. You can edit the description fields in the Report Panel; descriptions are inserted into the final report. You can choose which report items will be included in the final report
87 UI: Report Panel
88 UI: Detail Panels - Provide detailed information about the selected category in the Project Panel. Data can be searched. Data can be exported to a variety of formats: PDF, XLS, CSV, HTML, Image, Text, RTF. Panel contents can be "locked". Additional columns are available (per panel)
89 UI: Detail Panels - Functions; SSDT; Strings; IDT; Symbols; Processes; Samples; Modules; Files; Drivers; Registry; Network
90 Leaf-node folders: double-click these to see the detail panel of the folder
91 Right click on header to get column chooser
92 Search the Detail Panel, which filters the panel’s contents to only those entries that match the search criteria
94 1. Lock the window after filtering. 2. Double-click the "All Open Registry Keys" folder again. Since the default window (the Registry Panel) is locked, a new (unfiltered) Registry View window is created. You can lock as many as you choose
95 Context-Sensitive Actions: Every panel has a right-click context menu; menu choices are based on the selected object(s). Most common options: Send to report - creates an entry in the Report Pane for the selected item; Google™ Text Search - uses the Google™ search engine to find Internet references to the selected item; Google™ Code Search - uses the Google™ search engine to find source code that uses the selected item (typically a string or symbol)
98 Exercise 4: Import RAM, walk through the Interface
99 User Interface Exercise - Details: Take 15 minutes and walk through all the data; test the different buttons, right-clicks, etc. The instructor will be driving through the UI. Please ask questions
100 Saving Search Hits: Export to an Excel file, CSV, TXT, PDF. Cannot easily add to the report... This will be fixed soon
101 Report - Bookmarks: Try Right-Click → Send to Report. If that doesn't work you might have to export to disk and then manually add it to the report
102 CONCEPT 8: Baserules.txt
103 What is BaseRules.txt? A malware identification file. Can auto-magically analyze "hits" - sometimes auto-magic is good, sometimes not... Searches for suspicious behaviors. Customizable by the end-user: add in strings & pattern searches. Flagged binaries can be automatically extracted & disassembled for further diagnosis
104 Baserules: Suspicious Strings; API calls; Bytes; Assembly; *Wildcards. Example
105 Exercise 5: Baserules file
106 Edit Baserules # General rule description:#
107 Edit Baserules - Example: the Storm virus, which spreads via email (Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13). Known process names to search for: FullClip.exe, GreetingCard.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe. Dropper process: wincom32.exe
108 Edit Baserules 2
###################################### Blacklisted Modules - Alert ###
# ADDED ENTRY – Dropper for Storm Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule – wincom32.exe, Dropper for Storm worm
# ADDED ENTRY – Executable for Storm Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule – fullclip.exe, executable for Storm worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule – greetingcard.exe, executable for Storm worm
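To make the rule lines on slide 108 concrete, here is an added Python example (not Responder's parser, whose real field semantics are not on the slides) that reads SuspiciousModule rules in the colon-separated shape shown, tolerates the comment and banner lines, and matches them against a constructed module list. Assumptions: the second field is a rule version, the third a numeric score, the fourth the module name (slide 104 says wildcards are allowed, so shell-style `*` is honoured), the fifth restricts the match to KERNELMODE or USERMODE, and the remainder is free-text description; one wildcard rule for greeting*.exe is added to the sample to exercise that path.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class SuspiciousModuleRule:
    version: str
    score: int
    pattern: str        # lower-cased module name, may contain * and ? wildcards
    mode: str           # KERNELMODE or USERMODE
    description: str


def parse_baserules(text):
    """Parse SuspiciousModule lines; return (rules, [(lineno, bad_line), ...])."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines, banners and comments
            continue
        parts = line.split(":", 5)                # description may itself contain ':'
        if len(parts) != 6 or parts[0] != "SuspiciousModule":
            errors.append((lineno, raw))
            continue
        _, version, score, pattern, mode, desc = parts
        if not score.isdigit():
            errors.append((lineno, raw))
            continue
        rules.append(SuspiciousModuleRule(version, int(score), pattern.lower(),
                                          mode.upper(), desc.strip()))
    return rules, errors


def match_modules(rules, modules):
    """modules: iterable of (module name, KERNELMODE|USERMODE). Returns [(name, rule), ...]."""
    hits = []
    for name, mode in modules:
        for r in rules:
            if r.mode == mode.upper() and fnmatch.fnmatchcase(name.lower(), r.pattern):
                hits.append((name, r))
    return hits


# The slide's entries plus one constructed wildcard rule (last line).
SAMPLE_RULES = """\
###################################### Blacklisted Modules - Alert ###
# ADDED ENTRY – Dropper for Storm Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule – wincom32.exe, Dropper for Storm worm
# ADDED ENTRY – Executable for Storm Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule – fullclip.exe, executable for Storm worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule – greetingcard.exe, executable for Storm worm
SuspiciousModule:1.0:50:greeting*.exe:USERMODE:Constructed wildcard rule for the Storm greeting-card names
"""


def sample_modules():
    """Constructed module list as Responder might harvest it (name, mode)."""
    return [
        ("wincom32.exe", "KERNELMODE"),
        ("FullClip.exe", "USERMODE"),
        ("GreetingPostcard.exe", "USERMODE"),   # only the wildcard rule catches this one
        ("kernel32.dll", "USERMODE"),
        ("wincom32.exe", "USERMODE"),           # name matches, but the rule is KERNELMODE only
    ]


if __name__ == "__main__":
    rules, errors = parse_baserules(SAMPLE_RULES)
    for name, rule in match_modules(rules, sample_modules()):
        print(f"{name}: score {rule.score}, {rule.description}")
```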
109 CONCEPT 9: Investigating Applications
110 Investigating Applications - Goal: identify artifacts that lead you to other pieces of information... Finding bread crumbs; following the bread crumbs...
111 Investigating Applications: Try to find objects and artifacts that can tell you: Who, What, Where, When, Why, How *
112 Investigating Applications - Approach: Knowledge is helpful... Google "skype": What is it? How is it used? How does it work? Why is my suspect using it? Is there data in memory that might not be available by performing disk-based forensics?
113 Investigating Applications: Create a list of things you know... Names involved in the investigation; domain names; project names; filenames; websites. Applications in question: Office applications? Internet browser; encryption? Chat
114 CONCEPT 10: Webmail investigations
115 Webmail... where do I start? The browsers: Internet Explorer; Firefox; Opera
116 Webmail... where do I start? Browser artifacts: web sites visited; files downloaded; dates and timestamps
117 Webmail... things to consider: Web server apps act differently - Gmail stores passwords differently than Hushmail
118 Webmail Search Terms: @gmail.com; @hotmail.com; @yahoo.com; @hushmail.com; Attachment
119 Webmail-Specific Search Terms: &passwd=; &login=; Others...
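The search terms on slides 118 and 119 (and gmailchat= from slide 125) are applied below in an added Python example that is not Responder's search engine. It covers the point made on slides 34 and 35, that strings must be harvested in both ASCII and UTF-16LE (the "Unicode" Windows uses internally) and that a physical hit carries only an offset until it is mapped back to a process, and the advice on slide 131 to try several terms and keep the one with the fewest hits. The buffer is constructed: an ASCII HTTP login fragment and a UTF-16LE mail header with made-up addresses and a made-up password value.

```python
import re

# Printable runs of 4+ characters, once as ASCII and once as UTF-16LE (char, NUL pairs).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Terms from the slides; gmailchat= is the one used in the webmail exercise.
WEBMAIL_TERMS = ["@gmail.com", "@hotmail.com", "@yahoo.com", "@hushmail.com",
                 "&passwd=", "&login=", "gmailchat="]


def extract_strings(buf):
    """Yield (physical offset, encoding, text) for every printable run in `buf`."""
    for m in ASCII_RE.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def search_terms(buf, terms=WEBMAIL_TERMS):
    """Case-insensitive term search over both encodings; one hit per (string, term)."""
    hits = []
    for offset, enc, text in extract_strings(buf):
        low = text.lower()
        for term in terms:
            if term.lower() in low:
                hits.append({"offset": offset, "encoding": enc, "term": term, "string": text})
    return hits


def hit_counts(buf, terms=WEBMAIL_TERMS):
    """Hits per term, fewest first: the most specific terms are the ones to pursue."""
    counts = {t: 0 for t in terms}
    for h in search_terms(buf, terms):
        counts[h["term"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1]))


def sample_buffer():
    """Constructed memory fragment: ASCII login POST, then a UTF-16LE mail header."""
    ascii_part = (b"POST /login HTTP/1.1\r\n"
                  b"Email=alice.sample@gmail.com&passwd=CONSTRUCTED-pw&login=Sign+in\r\n")
    utf16_part = "From: bob.sample@hushmail.com".encode("utf-16le")
    return b"\x00" * 16 + ascii_part + b"\x00\x00\xff\xfe" + utf16_part + b"\x00" * 8


if __name__ == "__main__":
    buf = sample_buffer()
    for h in search_terms(buf):
        print(f"0x{h['offset']:08x} {h['encoding']:8} {h['term']:14} {h['string']}")
    print(hit_counts(buf))
```

The offsets this returns are physical; tying a hit to a process means walking the page tables backwards (which Responder does for you), and a URL-encoded form such as %40gmail.com will not match the bare @gmail.com term, so add the encoded variants to the list when a search comes back empty.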
120 DEMO Webmail Investigations - Gmail
121 Exercise 6: Webmail Investigation
122 Web Mail Exercise. Focus: Intellectual Property Investigation. Type: Private Company Data sent Via . Steps: once VMware is configured and Flypaper is running: a. Drag the following files to the VM window: InstDrv.exe, _root_.exe, _root_.sys; b. Run _root_.exe; c. Look for that process in Task Manager (look at its PID); d. Run InstDrv - load _root_.sys, start _root_.sys; e. See that the process has been removed in Task Manager; f. Run netstat (what flags?) and see that the port is listening under a "non-existent" PID; g. Telnet to that port and verify that it is indeed listening. Description: search for indications of files, addresses, and other related info - data theft. Time: 30 minutes
123 The Scenario: Beginning a search based on suspicion - a press release from a competitor having similar data. Searching for private content: WHAT DO WE SEARCH FOR? LET'S MAKE A LIST. Understanding search hits: process name/module/unidentified. Adding webmail data/artifacts to the report
124 Key Search Concept: Link Pieces of Information Together. How can time stamps help us? How can something we already know find something we don't know?
125 Search Steps: Beginning a search based on suspicion - a press release from a competitor having similar data. FIRST - search for content we know: we know we are looking for "Pluripotent"; searching for addresses to corroborate suspicion; search term gmailchat=; understanding search hits (process name/module/unidentified). SECOND - search for content we learn. Adding webmail data/artifacts to the report
126 Web Mail Questions: Search for "Pluripotent" - what file do you find? Where is it located on the file system? Who sent this file? What is the address? Who received this file? What is the address? What other important file name is mentioned in the thread? What is the date associated? How else could you find this?
127 Web Mail Answers: Pluripotent.pdf; C:\temp\plutipotent.pdf; Lori Hanson; Lance Kline; I5867.doc; Fri, July at 3:22pm; Make a search term from nearby tags - example: "forwarded message"
128 CONCEPT 10: Skype
129 Skype - Where do I start? Questions to answer: What is Skype? Secure instant messenger, free phone, online telephony. Why are bad guys using it? Anti-forensics, secure comms. What are the disk anti-forensic capabilities and uses of Skype? Why is Skype not liked by IT Security? Encrypted communications...
130 Investigating Skype: Process list - are there chat programs listed there? Name harvesting: look at open files, sort, go to Skype. Notice C:\Documents and Settings\username\Application Data\Skype\skype username. Take note of 'Username'; take note of 'Skypename'. Here we have username john smith but with Skype name lance kline - may be a different identity, may be the same identity
131 Investigating Skype 2: Name search to get other names - now we search memory to find other names being chatted to. Look for something unique, which might only exist once in memory: speech, common expressions ("wazup"). You might try a few searches to see which ones give the fewest hits. Example: pass = 1,000+ hits; need something more specific
132 DEMO: Chat Investigations - Skype
133 Exercise 7: Skype Investigation
134 Skype Chat Exercise. Focus: Intellectual Property Investigation. Type: Private Company Data sent Via Chat. Description: search for indications of files, addresses, and other related info - data theft. Time: 30 minutes. Name of file: StudentForensic1.bin
135 The Scenario: Beginning a search based on suspicion - a press release from a competitor having similar data. Searching for references to private content: WHAT DO WE SEARCH FOR? LET'S MAKE A LIST. What do people say in conversation? Adding chat data/artifacts to the report
136 Key Search Concept: Link Pieces of Information Together. How can time stamps help us? How can something we already know find something we don't know?
137 Search Steps: Beginning a search based on something we know to find something we don't know. FIRST - search for content we know: names? Too many hits? Search for the word "research"
138 Chat Questions: Search for "Research" - what email address do you find? What is his associated name? Could it be real? What is he willing to pay for? What is the name of the document he is looking for? Has this document been read into memory? How do you know? Who else got this file sent to them? How was the file sent?
139 Chat Answers: [email protected]; John Smith, could be; Research on Advanced Stem Cell; I5867.doc; Yes - searching on a term from the document showed it to be in memory; Steve Barko; Hushmail
140 Final Exam