
Saturday, August 4, 2012

(Windows) Forensics Live Response

LyX Document

Any live system being examined should be considered hostile. It has been demonstrated many times (Darren Bilby [Anti-forensic Rootkits] and Bill Blunden [Anti-Forensics: The Rootkit Connection]) that kernel-level rootkits can intercept the calls used to read physical memory and the hard disk, hide whatever they want hidden and still return plausible-looking data, so every result obtained from the running system must be treated as potentially filtered and cross-checked against an offline image wherever possible. Special circumstances also need to be considered: a) the intruder may still be present on the system, b) the system may be "booby-trapped" so that examiner actions trigger the destruction of evidence, c) law enforcement may be involved, which raises the bar for documentation and chain of custody. Protection of the evidence is paramount: run tools from trusted media, write results to a separate device rather than to the evidence disk, and log and hash everything that is collected. Prior to carrying out a live forensic examination, the following should be considered, roughly in order of volatility:


1 System date/time and timezone information

2 Memory

3 Current network state

4 Processes


Running programs

Services

Scheduled tasks

Open files

Process memory dumps

5 Logged-on user information gathering


Logged-on users

History of logins

System event logs

Transparently encrypted data

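Sections 1 to 5 above are the steps of one procedure, so here is a single collection script that walks them in order. This is an added example, not the author's own tooling. Its assumptions are ours: it runs from a trusted toolkit on removable media ($ToolDir) holding verified copies of the native tools it calls; output goes to $OutDir on a drive that is not the evidence disk; $MemTool is a memory imager the responder has already validated, whose command line (just an output path) is assumed here and must be checked against the real tool; handle.exe and procdump.exe are trusted Sysinternals copies in $ToolDir; and the session is an elevated PowerShell 2.0 or later on Vista or later.

```powershell
# Added example (not from the original post): live-response volatile data collection.
# See the lead-in for the assumptions about $ToolDir, $OutDir and $MemTool.
param(
    [string]$ToolDir = 'E:\tools',
    [string]$OutDir  = "E:\case\$env:COMPUTERNAME",
    [string]$MemTool = 'E:\tools\winpmem.exe'
)
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'collection-log.txt'

function Note([string]$msg) {
    # Every action is stamped with the examiner's own clock so the timeline can be reconstructed.
    $line = '{0} {1}' -f (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff zzz'), $msg
    Add-Content -Path $log -Value $line; Write-Host $line
}
function Sha256([string]$path) {
    # certutil prints the hash on its second output line (with spaces on older builds).
    (certutil -hashfile $path SHA256 | Select-Object -Index 1) -replace ' ', ''
}
function Collect([string]$name, [scriptblock]$cmd) {
    # Run one collector, capture everything it emits, hash the result so later tampering shows.
    $file = Join-Path $OutDir "$name.txt"
    Note "START $name"
    try   { & $cmd 2>&1 | Out-File -FilePath $file -Encoding UTF8 }
    catch { Note "ERROR $name : $_" }
    Note "END   $name sha256=$(Sha256 $file)"
}

# Trusted binaries first on PATH: a kernel rootkit can still lie to them, but a
# trojaned netstat.exe or tasklist.exe on the host cannot.
$env:Path = "$ToolDir;$env:Path"

# 1. System date/time and timezone, first so every later timestamp can be offset against it
Collect 'datetime' {
    Get-Date | Format-List DateTime, Ticks
    [System.TimeZoneInfo]::Local | Format-List Id, BaseUtcOffset, SupportsDaylightSavingTime
    Get-WmiObject Win32_OperatingSystem | Format-List LastBootUpTime, LocalDateTime, CurrentTimeZone
    w32tm /query /status
}

# 2. Memory, before anything else churns it
if (Test-Path $MemTool) {
    $memOut = Join-Path $OutDir 'physmem.raw'
    Note "START memory image -> $memOut"
    & $MemTool $memOut                      # imager-specific syntax: assumed, verify for your tool
    Note "END   memory image sha256=$(Sha256 $memOut)"
} else { Note "SKIP memory image: $MemTool not found" }

# 3. Current network state
Collect 'network' { ipconfig /all; netstat -ano; netstat -rn; arp -a; nbtstat -c; net use; net share }

# 4. Processes, services, scheduled tasks, open files, process memory dumps
Collect 'processes' {
    # Win32_Process exposes parent PID and full command line, which Get-Process alone does not
    Get-WmiObject Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
        Sort-Object ProcessId | Format-Table -AutoSize -Wrap
    tasklist /v /fo csv
    tasklist /m /fo csv                     # DLLs loaded per process
}
Collect 'services' {
    Get-WmiObject Win32_Service |
        Select-Object Name, State, StartMode, ProcessId, StartName, PathName | Format-Table -AutoSize -Wrap
}
Collect 'scheduled-tasks' { schtasks /query /fo csv /v; Get-ChildItem "$env:SystemRoot\Tasks" -Force }
Collect 'open-files' {
    net file                                # files opened over SMB shares
    $handle = Join-Path $ToolDir 'handle.exe'   # Sysinternals handle, if shipped with the toolkit
    if (Test-Path $handle) { & $handle -accepteula -a }
}
# Process memory dumps only for PIDs the examiner singles out after reading processes.txt
$suspects = @()                             # e.g. @(1234, 5678)
foreach ($procId in $suspects) {
    Note "dumping pid $procId"
    & (Join-Path $ToolDir 'procdump.exe') -accepteula -ma $procId (Join-Path $OutDir "pid-$procId.dmp")
}

# 5. Logged-on users, logon history, event logs
Collect 'logged-on-users' { query user; net session; Get-WmiObject Win32_LoggedOnUser | Format-Table -Wrap }
Collect 'logon-history' {
    # Vista+ IDs: 4624 logon, 4625 failed logon, 4634 logoff, 4672 special privileges assigned
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4634,4672} -MaxEvents 2000 |
        Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
        Format-Table -AutoSize -Wrap
}
foreach ($logName in 'System', 'Security', 'Application') {
    # Export the raw .evtx, not a rendered view, so it can be parsed offline with other tools
    Note "export $logName log"
    wevtutil epl $logName (Join-Path $OutDir "$logName.evtx")
}
Note 'collection finished'
```

The script deliberately hashes each output file immediately after writing it and logs the examiner's own timestamps around every step; the collection log and the hashes are what let the results be defended later. Nothing here defeats a kernel rootkit that filters the APIs these tools rely on, which is why the memory image is taken before the rest and why the same data should be re-derived from the image and the offline disk afterwards.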
LSA Secrets


"LSA secrets" is a special protected store for sensitive data used by the Local Security Authority (LSA) in Windows. LSA manages a system's local security policy and auditing, authenticates and logs users on, and stores private data. The important thing to realize about LSA secrets is that they potentially contain credentials for services that start under specific user accounts, passwords for accounts that log on from external domains, and dial-up networking passwords. This "secret" data is stored in encrypted form under the registry key HKLM\SECURITY\Policy\Secrets. Normally this key is not visible even when regedit is run as Administrator, because its permissions grant access only to the SYSTEM account (an administrator can still take ownership of the key, run regedit under the SYSTEM account, or read the SECURITY hive offline). Each secret is a sub-key whose current value is held in its CurrVal sub-key. For example, on systems with auto-logon enabled there is a secret called DefaultPassword that holds the cached logon password. For unknown reasons this secret also exists on some systems where auto-logon was never enabled (I had that key on a Windows XP SP3 that never had auto-login, and other people report the same thing; treat it as a possible sign of compromise and check what it contains). A method used to recover the logon password (employed by other tools too, such as Cain & Abel) is to query the DefaultPassword secret and let Windows decrypt it through its own API rather than parsing the registry directly. LSA secrets can be read with the functions exported by the Advapi32 library, LsaRetrievePrivateData being the most useful; the call needs POLICY_GET_PRIVATE_INFORMATION access to the LSA policy object, which is granted only to administrators and SYSTEM, so the calling process must run with administrative privileges. A sample application for this purpose is created and attached (http://code.google.com/p/secrets/).
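The following is an added example, not the author's "secrets" application, showing the LsaOpenPolicy / LsaRetrievePrivateData sequence described above from PowerShell via a P/Invoke wrapper. It assumes PowerShell 2.0 or later with Add-Type and an elevated session (the policy handle cannot be opened with POLICY_GET_PRIVATE_INFORMATION otherwise). The class name LsaSecretReader, the Get-LsaSecret function and the service name MyService are assumptions of this example; the _SC_<ServiceName> naming of service-account secrets is the convention Windows itself uses.

```powershell
# Added example (not the author's code): read one LSA secret through
# Advapi32!LsaRetrievePrivateData. Requires an elevated PowerShell session.
$lsaSource = @'
using System;
using System.Runtime.InteropServices;

public static class LsaSecretReader
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    const uint POLICY_GET_PRIVATE_INFORMATION = 0x00000004;
    const uint STATUS_OBJECT_NAME_NOT_FOUND   = 0xC0000034;

    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] static extern uint LsaRetrievePrivateData(IntPtr PolicyHandle, ref LSA_UNICODE_STRING KeyName, out IntPtr PrivateData);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] static extern int  LsaNtStatusToWinError(uint Status);

    static void Check(uint status)
    {
        // NTSTATUS 0 is success; anything else is mapped to a Win32 error for a readable exception.
        if (status != 0) throw new System.ComponentModel.Win32Exception(LsaNtStatusToWinError(status));
    }

    // Returns the raw secret bytes, or null when no secret of that name exists.
    // LSA decrypts the value itself; HKLM\SECURITY\Policy\Secrets is never touched directly.
    public static byte[] Read(string secretName)
    {
        LSA_OBJECT_ATTRIBUTES attrs = new LSA_OBJECT_ATTRIBUTES();
        attrs.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        IntPtr policy;
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_GET_PRIVATE_INFORMATION, out policy));

        LSA_UNICODE_STRING key = new LSA_UNICODE_STRING();
        key.Buffer        = Marshal.StringToHGlobalUni(secretName);
        key.Length        = (ushort)(secretName.Length * 2);        // byte count, no terminator
        key.MaximumLength = (ushort)((secretName.Length + 1) * 2);
        try
        {
            IntPtr dataPtr;
            uint status = LsaRetrievePrivateData(policy, ref key, out dataPtr);
            if (status == STATUS_OBJECT_NAME_NOT_FOUND) return null;
            Check(status);
            LSA_UNICODE_STRING data = (LSA_UNICODE_STRING)Marshal.PtrToStructure(dataPtr, typeof(LSA_UNICODE_STRING));
            byte[] bytes = new byte[data.Length];
            Marshal.Copy(data.Buffer, bytes, 0, data.Length);
            LsaFreeMemory(dataPtr);
            return bytes;
        }
        finally
        {
            Marshal.FreeHGlobal(key.Buffer);
            LsaClose(policy);
        }
    }
}
'@
Add-Type -TypeDefinition $lsaSource

function Get-LsaSecret {
    # Wraps LsaSecretReader.Read (assumed name): returns the value as a UTF-16 string when it
    # decodes cleanly, otherwise as hex, since some secrets (e.g. DPAPI_SYSTEM) are binary.
    param([Parameter(Mandatory=$true)][string]$Name)
    $bytes = [LsaSecretReader]::Read($Name)
    if ($null -eq $bytes) { return "<$Name not present>" }
    if ($bytes.Length % 2 -eq 0) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($text -notmatch '[\x00-\x08\x0E-\x1F]') { return $text }
    }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# DefaultPassword is the auto-logon secret discussed above; _SC_<ServiceName> holds the
# password of a service configured to run under a specific account (MyService is assumed).
foreach ($secret in 'DefaultPassword', '_SC_MyService') {
    '{0,-20} {1}' -f $secret, (Get-LsaSecret $secret)
}
```

Two points matter for live response. First, a "not present" result for DefaultPassword distinguishes a system that simply has no auto-logon from one where the secret exists unexpectedly, which is the case the text flags. Second, the call is made through LSA, so on a system with a rootkit hooking the registry or LSA the returned value is only as trustworthy as the rest of the live data; confirm it against the SECURITY hive from the offline image.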

6 Non-volatile data