Monday, April 20, 2015

[Windows Forensics Checklist]

Checklist for a basic Forensics Assessment of a Windows System:

The System Date and Time: 
Recording the date and time is necessary in case the system's internal clock is off.  It lets you correlate data between multiple machines and place events that happened before the collection procedure on a reliable timeline.

The commands to use are date and time respectively.

Current Network Connections: 
If malware on the machine is phoning home or communicating with other machines, you need to know everything that is talking to the box.

The command needed is netstat -an, which will show all active TCP connections and all ports being listened on.

Coordinating Ports with Executables: 
A tool called FPort will show which executable opened which port.  If there is unknown traffic or an unknown connection, this tool will tell you which executable opened it.

NetBIOS Cache: 
This shows the mapping between NetBIOS names and IP addresses of machines that have connected to the victim computer.

The command to get this information is nbtstat -c 

Current Logged on Users: 
The Microsoft tool PsLoggedOn displays a list of users that are logged on to the system or remotely accessing shares on the box.  This is helpful when there are intruders on the box.

Internal Routing Table:
Running netstat with the -rn flags will display the internal routing table.

Running Processes:
The Microsoft tool PsList will dump all running processes.  If there are any foreign processes, they will show up here.
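The checklist above, run in one pass as an added example (not from the original page): a batch script that collects each item in the order listed and writes it to a single evidence file, then hashes that file. It assumes pslist.exe and psloggedon.exe sit in a tools\ folder next to the script (the folder name is an assumption); FPort is not scripted, but netstat -ano records the owning PID for each socket.

```batch
@echo off
REM Added example: volatile data collection following the checklist above.
REM Assumption: Sysinternals pslist.exe and psloggedon.exe are in .\tools\
REM Run it from removable media so nothing is written to the examined disk.
setlocal
set TOOLS=%~dp0tools
set OUT=%~dp0volatile_%COMPUTERNAME%.txt

REM Bare "date" and "time" prompt for a new value; /t only prints it.
echo ===== System date and time (start) ===== > "%OUT%"
date /t >> "%OUT%"
time /t >> "%OUT%"

echo ===== netstat -an (connections and listening ports) ===== >> "%OUT%"
netstat -an >> "%OUT%"

echo ===== netstat -ano (same, with owning PID per socket) ===== >> "%OUT%"
netstat -ano >> "%OUT%"

echo ===== nbtstat -c (NetBIOS name cache) ===== >> "%OUT%"
nbtstat -c >> "%OUT%"

echo ===== psloggedon (local and share logons) ===== >> "%OUT%"
"%TOOLS%\psloggedon.exe" -accepteula >> "%OUT%" 2>&1

echo ===== netstat -rn (routing table) ===== >> "%OUT%"
netstat -rn >> "%OUT%"

echo ===== pslist -t (process tree) ===== >> "%OUT%"
"%TOOLS%\pslist.exe" -accepteula -t >> "%OUT%" 2>&1

echo ===== End of collection ===== >> "%OUT%"
time /t >> "%OUT%"

REM Hash the evidence file so any later modification can be detected.
certutil -hashfile "%OUT%" SHA256 > "%OUT%.sha256"
endlocal
```

The start and end timestamps bracket the collection window, which matters when the machine's clock is later found to be off.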

PsList

PsList is a Microsoft utility used to dump a full list of the processes running on a machine.

Executing PsList from the folder containing the executable will, by default, list all processes running on the box.

Parameters: 
-d: Show thread detail.
-m: Show memory detail.
-x: Show processes, memory information and threads.
-t: Show process tree.

Download: https://technet.microsoft.com/en-us/sysinternals/bb896682

PsLoggedOn

PsLoggedOn is used to find out which users are logged on to the machine.  It includes those logged on locally and those logged on remotely through shares.

Executing PsLoggedOn from the folder where the executable is stored will display all information about logged-on users.
Parameters: 
-l: Limit to local logons only
-x: Exclude logon times

Download: https://technet.microsoft.com/en-us/sysinternals/bb897545


SysInternals

SysInternals is a suite of tools released by Microsoft for gathering detailed data about a machine.  Not all of the tools are used in any given case; for the purposes of this wiki, only tools used in actual forensics scenarios are referenced.

See also:

PsLoggedOn

Netstat

Netstat is a network forensics tool built into Windows used to display information about the current network status of the box.

It displays:

  • Active TCP connections
  • Ports the computer is listening on
  • Ethernet statistics
  • IP routing table
  • IP statistics

By default it shows active TCP connections.
Parameters: 
-a: All TCP connections and ports the machine is listening on
-e: Ethernet statistics
-n: displays active TCP connections
-o: Include the owning PID