First Responders Guide To Computer Forensics

Transcription

First Responders Guide to Computer Forensics

Richard Nolan
Colin O’Sullivan
Jake Branson
Cal Waits

March 2005

CERT Training and Education

HANDBOOK
CMU/SEI-2005-HB-001

Pittsburgh, PA 15213-3890

Unlimited distribution subject to the copyright.

This report was prepared for the
SEI Joint Program Office
ESC/XPK
5 Eglin Street
Hanscom AFB, MA 01731-2100

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Christos Scondras
Chief of Programs, XPK

This work is sponsored by the SEI FFRDC primary sponsor and the Commander, United States Army Reserve (USAR) Information Operations Command and USAR EIO. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright 2005 Carnegie Mellon University.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web ml).

Contents

Preface  xi
Abstract  xiii

Module 1: Cyber Law  1
  1.1  Module 1 Objectives  2
  1.2  Forensics  3
    1.2.1  Computer Forensics  4
  1.3  Laws that Affect Cyber Security  6
  1.4  Legal Governance Related to Monitoring and Collection  9
    1.4.1  Constitutional Issues  9
      1.4.1.1  The 4th Amendment  9
      1.4.1.2  The 5th Amendment  11
    1.4.2  U.S. Statutory Law  12
      1.4.2.1  Wiretap Act/Electronic Communications Privacy Act  15
      1.4.2.2  Pen Registers and Trap and Trace Devices  18
      1.4.2.3  Stored Wired and Electronic Communications Act  21
  1.5  Legal Governance Related to Admissibility (Federal Rules of Evidence)  25
    1.5.1  Hearsay  25
      1.5.1.1  Exceptions  26
    1.5.2  Authentication  27
    1.5.3  Reliability  28
    1.5.4  The Best Evidence Rule  30
  1.6  Summary  31
  1.7  Review  32

Module 2: Understanding File Systems and Building a First Responder Toolkit  33
  2.1  Introduction  33
  2.2  File System Architecture  35
    2.2.1  Physical Look at the Hard Drive  36
    2.2.2  Types of Hard Drive Formatting  37
    2.2.3  Importance of File Systems  38
    2.2.4  Understanding Windows File Structure  39
    2.2.5  FAT: File Allocation Table  41
    2.2.6  NTFS: New Technology File System  43
    2.2.7  Windows Registry  46
    2.2.8  Swap File, Slack, and Unallocated Space  47
      2.2.8.1  Swap File  47
      2.2.8.2  Slack Space  47
      2.2.8.3  Unallocated Space  48
    2.2.9  Linux File System Basics  49
    2.2.10  Boot Sequence  54
    2.2.11  Commonly Used Terms  56
    2.2.12  Forensically Sound Duplication  57
    2.2.13  Duplication Tools  58
    2.2.14  Wiping Storage Devices  59
    2.2.15  DoD Directive 5220-22M  60
    2.2.16  Hard Drives  61
    2.2.17  Other Storage Devices  62
  2.3  First Responder Toolkit  63
    2.3.1  Statically- vs. Dynamically-Linked Tools  64
    2.3.2  Problems with Dynamically-Linked Executables  66
    2.3.3  Methodology for Creating a First Responder Toolkit  68
      2.3.3.1  Create a Forensic Tool Testbed  69
      2.3.3.2  Document the Testbed  72
      2.3.3.3  Document and Set Up the Forensic Tools  73
      2.3.3.4  Test the Tools  75
      2.3.3.5  Benefits of Proper Tool Testing  80
      2.3.3.6  NIST Methodology  81
  2.4  Summary  83
  2.5  Review  84

Module 3: Collecting Volatile Data  85
  3.1  Introduction  85
  3.2  Objectives  87
  3.3  Role of a First Responder  88
  3.4  What is Volatile Data?  89
  3.5  Order of Volatility  91
  3.6  Why is Volatile Data Important?  92
  3.7  Common First Responder Mistakes  93
  3.8  Volatile Data Collection Methodology  94
    3.8.1  Step 1: Incident Response Preparation  95
    3.8.2  Step 2: Incident Documentation  96
      3.8.2.1  Incident Profile  96
      3.8.2.2  Forensic Collection Logbook  97
      3.8.2.3  First Responder Toolkit Logbook  97
    3.8.3  Step 3: Policy Verification  98
    3.8.4  Step 4: Volatile Data Collection Strategy  99
    3.8.5  Step 5: Volatile Data Collection Setup  100
      3.8.5.1  Establish a Trusted Command Shell  100
      3.8.5.2  Establish a Method for Transmitting and Storing the Collected Information  100
      3.8.5.3  Ensure the Integrity and Admissibility of the Forensic Tool Output  101
    3.8.6  Step 6: Volatile Data Collection Process  102
  3.9  Types of Volatile Information  103
    3.9.1  Volatile System Information  104
      3.9.1.1  System Profile  105
      3.9.1.2  Current System Date and Time and Command History  109
      3.9.1.3  Current System Uptime  111
      3.9.1.4  Running Processes  113
      3.9.1.5  Open Files, Startup Files, and Clipboard Data  122
      3.9.1.6  Logged On Users  135
      3.9.1.7  DLLs or Shared Libraries  143
    3.9.2  Volatile Network Information  147
      3.9.2.1  Open Connections and Ports  148
      3.9.2.2  Routing Information  154
  3.10  Summary  157
  3.11  Review  158

Module 4: Collecting Persistent Data  159
  4.1  Objectives  160
  4.2  Introduction to Persistent Data  161
    4.2.1  What Is Persistent Data?  161
    4.2.2  Why is Persistent Data Important?  161
    4.2.3  What Problems Exist in Investigating Persistent Data?  161
  4.3  Responding to a Security Event  163
    4.3.1  Consequences of Responses  164
  4.4  Basic Building Blocks of Disk Storage  166
  4.5  OS and Application Considerations  167
    4.5.1  Windows  167
      4.5.1.1  FAT  167
      4.5.1.2  NTFS  167
    4.5.2  Linux/UNIX  168
      4.5.2.1  Ext2/3  168
    4.5.3  Operating Systems  168
  4.6  Collecting Forensic Evidence  169
    4.6.1  To Shut Down or Not to Shut Down  171
    4.6.2  Creating a Disk Image Using dd  172
  4.7  Persistent Data Types  173
    4.7.1  System Files  173
      4.7.1.1  Windows  173
      4.7.1.2  UNIX/Linux  174
    4.7.2  Temp Files  176
    4.7.3  Web Artifacts  178
      4.7.3.1  Windows vs. Linux  178
      4.7.3.2  IE Default Locations  178
      4.7.3.3  Alternative Browsers  181
      4.7.3.4  Cookies  182
    4.7.4  File Recovery  183
      4.7.4.1  Deleted Data  183
      4.7.4.2  Slack Space  184
      4.7.4.3  Swap Files  184
      4.7.4.4  Unallocated Space  184
      4.7.4.5  Partial Files  184
      4.7.4.6  Windows Artifacts  185
    4.7.5  Hidden Files  186
  4.8  Recovering a Deleted Email  187
  4.9  Tools for Accessing Persistent Data  188
    4.9.1  Windows  188
      4.9.1.1  Command-Line Tools  188
      4.9.1.2  GUI-Based Utilities  188
      4.9.1.3  Commercial  189
    4.9.2  UNIX/Linux  189
      4.9.2.1  Command-Line Tools  189
      4.9.2.2  GUI-Based Utilities  189
      4.9.2.3  Freeware  189
  4.10  Summary  191
  4.11  Review  192

References  193

List of Figures

Figure 1:  Mapping of DoD and OSI Models  14
Figure 2:  Logical Layout of the FAT32 File System  42
Figure 3:  Types of CMOS Batteries  54
Figure 4:  The ldd Command  64
Figure 5:  Using Filemon to Identify Dependencies  66
Figure 6:  Performing a Cryptographic Hash of Installed DLLs  70
Figure 7:  A Regmon Listing  76
Figure 8:  An MD5 Hash  101
Figure 9:  The systeminfo Command  106
Figure 10: The PsInfo Command  107
Figure 11: The cat Command  107
Figure 12: The uname Command  108
Figure 13: date and time Commands Used with netstat  109
Figure 14: The PsUptime Command  111
Figure 15: The net statistics Command  112
Figure 16: The uptime and w Commands  112
Figure 17: Using netstat -ab to Determine Process Executable Image  115
Figure 18: Using ListDLLs to Determine Command Line  115
Figure 19: Using PsList to Determine How Long a Process Has Been Running  115
Figure 20: Using PsList to Determine How Much Virtual Memory a Process Is Using  116
Figure 21: Using ListDLLs to Discover the Currently Loaded DLLs for a Process  116
Figure 22: Pulist Output  116
Figure 23: tlist.exe  117
Figure 24: PsList  117
Figure 25: A Process Memory Dump  118
Figure 26: The top Command  119
Figure 27: The w Command  119
Figure 28: The ps Command  120
Figure 29: The dir Command  123
Figure 30: The afind Command  124
Figure 31: MACMatch  125
Figure 32: Autorunsc  125
Figure 33: PsFile  126
Figure 34: Handle  127
Figure 35: Pclip  127
Figure 36: The ls Command  128
Figure 37: Using ls -alct to Show Last Modification Date and Time  129
Figure 38: lsof D  130
Figure 39: lsof -i  130
Figure 40: The find Command  130
Figure 41: The locate Command  131
Figure 42: The lsof L1 Command  131
Figure 43: The chkconfig --list Command  133
Figure 44: The Inittab File  134
Figure 45: A Cron Log  134
Figure 46: Netusers  136
Figure 47: PsLoggedOn  136
Figure 48: The net user Command  137
Figure 49: NTLast  137
Figure 50: DumpUsers  138
Figure 51: The who -uH Command  139
Figure 52: The who -q Command  139
Figure 53: The last Command  140
Figure 54: The w Command  141
Figure 55: The cat /etc/passwd Command  141
Figure 56: The cat shadow Command  142
Figure 57: Using ListDLLs Without Options to Produce a List of DLLs  144
Figure 58: Using ListDLLs to Examine a Suspected Rogue Process  145
Figure 59: The ldd Command  145
Figure 60: The ls Command  146
Figure 61: Fport  149
Figure 62: PsService  150
Figure 63: PromiscDetect  150
Figure 64: The netstat -anb Command  151
Figure 65: The net Command  152
Figure 66: The netstat -anp Command  152
Figure 67: /var/log/messages  153
Figure 68: The ifconfig Command  153
Figure 69: The Windows netstat -r Command  155
Figure 70: The Windows arp Command  155
Figure 71: The Linux netstat -rn Command  156
Figure 72: The Linux arp -a Command  156
Figure 73: Sectors and Clusters  166
Figure 74: dd Syntax  172
Figure 75: The TypedURLs Folder  174
Figure 76: Sample Temp Folder Contents  176
Figure 77: The IE Default Location for Bookmarks  179
Figure 78: The IE Default Location for Cookies  179
Figure 79: The IE Default Location for URL History  180
Figure 80: The IE Default Location for Web Cache  180
Figure 81: The Default Location for Outlook Email Files  187

List of Tables

Table 1: Default Cluster Sizes for Volumes with Windows XP Professional File Systems  40
Table 2: PsList Output Headings  118
Table 3: w Command Output Fields  120
Table 4: A Subset of ps Options  120
Table 5: Output Headings for ps and top  121
Table 6: dir Command Options  123
Table 7: Common ls Parameters  129

Preface

This handbook targets a critical training gap in the fields of information security, computer forensics, and incident response. In today’s networked world, it is essential for system and network administrators to understand the fundamental areas and the major issues in computer forensics. Knowledgeable first responders apply good forensic practices to routine administrative procedures and alert verification, and know how routine actions can adversely affect the forensic value of data. This awareness will greatly enhance system and network administrators’ effectiveness when responding to security alerts and other routine matters.

This capability is a crucial and an often overlooked element of defense-in-depth strategies for protecting the availability, integrity, and survivability of IT and network infrastructures. For instance, the step of collecting data from a live system is often skipped because of time constraints, lack of preparation, and the common practice of returning the corrupted live system to its original state by either a fresh software installation or a system reboot.

This handbook is designed to familiarize experienced system and network computer professionals with the fundamental elements of computer forensics and build on their existing technical skill set. The experienced security professional will encounter little in the way of new technical information contained in this material, but will discover new approaches and methods. The primary objective is to educate and motivate system and network administrators to approach both routine and unusual events in a safe forensic manner. When they understand the importance of their role as a first responder, the safety and effectiveness of an organization’s use of computer forensics will be greatly enhanced.

The authors would like to thank Bill Spernow of Experian for taking the time to review this handbook and share useful insights about the handbook’s intended audience.

Abstract

This handbook is for technical staff members charged with administering and securing information systems and networks. It targets a critical training gap in the fields of information security, computer forensics, and incident response: performing basic forensic data collection. The first module describes cyber laws and their impact on incident response. The second module builds understanding of file systems and outlines a best practice methodology for creating a trusted first responder tool kit for investigating potential incidents. The third module reviews some best practices, techniques, and tools for collecting volatile data from live Windows and Linux systems. It also explains the importance of collecting volatile data before it is lost or changed. The fourth module reviews techniques for capturing persistent data in a forensically sound manner and describes the location of common persistent data types. Each module ends with a summary and a set of review questions to help clarify understanding.

This handbook was developed as part of a larger project. The incorporated slides are from the five day hands-on course Forensics Guide to Incident Response for Technical Staff developed at the SEI. The focus is on providing system and network administrators with methodologies, tools, and procedures for applying fundamental computer forensics when collecting data on both a live and a powered off machine. A live machine is a machine that is currently running and could be connected to the network. The target audience includes system and network administrators, law enforcement, and any information security practitioners who may find themselves in the role of first responder. The handbook should help the target audience to understand the esse