Unit 5: Windows Acquisition
5.1 Windows Acquisition
Windows Volatile Data Acquisition

>> We have covered the general forensic process and the technologies used in Linux/UNIX forensics in previous units.

Now we will focus on the forensic technologies used in investigating Windows systems.

Recall that the first step of the general forensic procedure is acquiring evidence.

Before 2008, law enforcement officers and incident responders typically followed the process of yanking the plug to preserve nonvolatile digital evidence on a suspect computer, and mainly focused on acquiring a disk image.

With advanced encryption and malware, volatile data present only in physical memory becomes crucial for recovering encryption keys and detecting malware for investigation.

So, since 2008, there has been a shift from dead forensics to live forensic investigations.

Now let's move on to first study technologies for Windows volatile data acquisition.

If a suspect machine is up and connected at a crime scene, volatile evidence such as running processes, physical memory, network connections, logged-on users, et cetera is available to be collected from the suspect machine.

Since we're collecting volatile evidence directly from a suspect machine, we should use small-footprint tools to ensure minimal disturbance to the state of the live system.

Earlier, we learned a set of Linux/UNIX commands used to collect important volatile data and system information.

Incident responders and forensic investigators use a parallel set of Windows tools to gather volatile data from live Windows systems for forensic investigation.

I listed certain built-in Windows commands and free utilities here for you to try and practice by yourself.

Some instructions are included in this unit's resources.

Make sure to redirect the results outside of the suspect machine by using the greater-than operator (>) or Windows Netcat.

So, to display the system date and time, we use the Windows built-in tools date and time, and to display when the system was rebooted, we use a free utility called Uptime.

We also use PsTools, PsInfo, to display system information.

And we use the built-in ipconfig to check whether the network interface is running in promiscuous mode.

To look for unusual processes, we use tasklist or PsService.

To list currently loaded DLLs, we use ListDLLs.

To view open files, we use PsFile or openfiles.

To show network connections, we can use Fport or netstat.

And to show logged-in users, we use PsLoggedOn or LogonSessions.

To view clipboard content, we use Pclip.

And to view logs, we use Windows Event Viewer.

Next, I want to introduce a powerful forensic toolkit called Helix3 from e-fense.

This tool has a collection of forensic tools for data acquisition, preservation, and analysis. While Helix3 Pro is a commercial tool, they also have a free version, Helix 2009R1.

Helix3 operates in two different modes.

One is Windows live mode, and the other is a bootable environment.

Instructions for downloading the Helix3 ISO version 2009R1 and creating the CD are given in the course resources.

When using the Helix3 CD on a Windows suspect machine, it is a perfect example of a trusted forensic tool set that includes many forensic tools to collect both volatile and nonvolatile data from a suspect machine without relying on potentially compromised internal tools and programs.

When using the CD as a bootable CD, it runs entirely off the CD and only mounts the hard drives in read-only mode.

In this mode, Helix3 is used for in-depth analysis of targeted powered-off systems.

In the next video, I will demonstrate the use of Helix3 in a live Windows environment to collect volatile information from a Windows system.
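The volatile-data checklist from this video, written out as a collection script. This is an added example, not code from the lecture or the unit's resources. It runs the built-in commands the lecture names (date/time, ipconfig, netstat, tasklist, openfiles, query user, the event log) in order of volatility, writes each result together with its SHA-256 hash to storage that is not the suspect's own disk, and optionally streams everything to a listener on the forensic workstation, which is what the lecture does with Windows Netcat. The drive letter E:\collect, the case ID, and the listener address 10.0.0.5:9999 are assumptions; the third-party utilities (PsInfo, Fport, Pclip) are not included and would be added to the command list with their full path on the trusted tool media.

```powershell
# Added example: live volatile-data collection on a Windows suspect host.
# Assumptions: run from an elevated PowerShell prompt on the live system;
# $Destination is removable or network storage (never the suspect's disk);
# the optional listener is a forensic workstation running
# "nc -l -p 9999 > case.txt" (hypothetical address). Tested logic targets
# built-ins only; add Sysinternals/other tools from trusted media as needed.
param(
    [string]$CaseId       = 'CASE-0001',
    [string]$Destination  = 'E:\collect',   # external drive letter (assumed)
    [string]$ListenerHost = '',             # e.g. '10.0.0.5'; empty = write files only
    [int]   $ListenerPort = 9999
)

$ErrorActionPreference = 'Continue'
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$caseDir = Join-Path $Destination $CaseId
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$manifest = Join-Path $caseDir 'manifest.txt'

# Built-in commands from the lecture's list, most volatile first.
# Each entry is (artifact name, command line as typed into cmd.exe).
$commands = @(
    @('date_time',   'date /t & time /t'),
    @('ipconfig',    'ipconfig /all'),
    @('netstat',     'netstat -ano'),
    @('arp',         'arp -a'),
    @('tasklist',    'tasklist /v'),
    @('tasklist_csv','tasklist /v /fo csv'),
    @('loaded_dlls', 'tasklist /m'),
    @('services',    'sc query'),
    @('openfiles',   'openfiles /query'),
    @('logged_on',   'query user'),
    @('net_session', 'net session'),
    @('systeminfo',  'systeminfo'),
    @('system_log',  'wevtutil qe System /c:100 /rd:true /f:text')
)

function Convert-ToHex([byte[]]$bytes) {
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Manifest header: which host, which collector, when (UTC), for chain of custody.
$header = 'case={0} host={1} collector={2} started={3}' -f $CaseId, $env:COMPUTERNAME, $env:USERNAME, [DateTime]::UtcNow.ToString('o')
Set-Content -Path $manifest -Value $header -Encoding ASCII

foreach ($entry in $commands) {
    $name, $cmdline = $entry
    $started = [DateTime]::UtcNow.ToString('o')
    # cmd /c runs the built-in exactly as it would be typed; 2>&1 keeps error text.
    $text  = (cmd /c "$cmdline 2>&1") -join "`r`n"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($text)
    $hash  = Convert-ToHex ($sha256.ComputeHash($bytes))
    $file  = Join-Path $caseDir ($name + '.txt')
    [System.IO.File]::WriteAllBytes($file, $bytes)
    # One manifest line per artifact, hash first, so each file can be re-verified later.
    Add-Content -Path $manifest -Encoding ASCII -Value ('{0}  {1}.txt  started={2}  cmd=[{3}]' -f $hash, $name, $started, $cmdline)
}

# Optional: stream every artifact to the forensic workstation over TCP. The
# lecture uses Windows Netcat for this; here .NET's TcpClient is used instead
# so no extra binary has to be copied onto the suspect host.
if ($ListenerHost) {
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $ListenerHost, $ListenerPort
    $stream = $client.GetStream()
    foreach ($f in Get-ChildItem $caseDir | Where-Object { -not $_.PSIsContainer }) {
        $marker = [System.Text.Encoding]::ASCII.GetBytes("`r`n===== $($f.Name) =====`r`n")
        $stream.Write($marker, 0, $marker.Length)
        $data = [System.IO.File]::ReadAllBytes($f.FullName)
        $stream.Write($data, 0, $data.Length)
    }
    $stream.Close()
    $client.Close()
}

Write-Host "Collection written to $caseDir; re-verify the hashes in $manifest on the workstation."
```

Run it as `.\collect.ps1 -CaseId CASE-0042 -Destination E:\collect -ListenerHost 10.0.0.5` from a prompt opened off the trusted tool media. The manifest is written before the artifacts so that a crash mid-collection still leaves a record of what was started; the hash of each artifact is computed from the bytes in memory before they touch the destination, so a later `Get-FileHash` on the workstation checks the copy, not the original.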

 

Helix for Windows Demo

>> In this video, I will introduce you to a great forensic tool called Helix3 from e-fense.

Helix3 is a collection of forensic tools for data acquisition, preservation, and analysis.

Besides offering a commercial Helix3, the company also gives us a free version, Helix 2009R1, and this is the version I'm using here, the free version.

As we know, Helix3 operates in two different modes: one is running Helix in Windows live mode, and the other is a live bootable CD that boots the system into its own environment.

In this demo, I will show you the live version that runs in a Windows environment.

The Windows I'm using here is a Windows 7 virtual machine.

It's in the background. When I open this software, the first thing you see is a warning, since we are running in a live Windows environment, which typically happens during incident response time.

And you need to make sure you make minimal changes, but, certainly, you absolutely have to be aware that the information may change, right.

So this is the warning, and we accept that.

Now, as I said, it's a collection of tools; if you move from the left side, you can see what each icon means. It's a collection of tools.

Each icon may have one or more tools collected inside.

So this one is Preview System Information. It's a live view of system information, Windows system information.

And then this one is Acquisition, and this is Incident Response Tools for Windows. So let's look at a couple of those.

So let's first look into Preview System Information.

If I click on that, it tells you what my operating system is, and this is basically looking at my current Windows 7 virtual machine.

And who the owner is, the organization, and all that information, okay?

And then how many drives there are, and what the drives and the file systems are.

Now, we talked about that in the Linux case, and I showed you many tools, many Linux/UNIX tools, to be able to collectively get those types of information.

But in this case, all that information is collected together, just with a screen-based tool.

So it's very simple to use. And in this week's class, I also gave you some free Windows tools to be able to get system information, but then, certainly, you'd say it is very convenient to use this Helix3 to get that information.

Now, you see there's an arrow here.

This arrow means there are more pages.

So we're on page one and it can go to page two.

So on page two, it shows you running processes.

Currently, what are the processes running here?

Now, this is similar to ps in the Linux/UNIX case.

If you have rootkits trying to hide certain processes, those hidden processes will not show here.

And this result is also the same as the Windows Task Manager.

So this is page two, showing you all the running processes.

Now, we're on page two. Certainly, you can go back to page one.

This is the system information. If we move to the next one -- again, this arrow tells you where you are right now -- so this is the Acquisition page.

So this Acquisition page allows you to do acquisition.

In this case, it's a live acquisition using, I think, dd, because it says the image is dd.

So if you provide a source -- this is running Windows dd, similar to Linux dd acquisition -- so if you provide a source, what source do you want to do a dd acquisition of?

Now, it says you could acquire a physical memory image, but, by the way, in most cases, if you do this, physical memory using dd, there are some restricted memory areas you're not able to collect.

So it's not as effective as the other Windows memory tools I discussed. So I usually do not use this method, but you can also use dd to acquire nonvolatile evidence as well.

So this talks about the source, which one you want to acquire, and then, do you want to use NetCat? Now, this is all connected into one tool.

Or do you want to just use an attached device? And where do you want to put the image file, the destination? And then the image name.

So this tells us this is dd; even though it doesn't know, it's not necessary that you have the extension .dd, but it gives us a hint that this is a form of dd.

And you can provide dd's options.

So Windows dd is designed in a very similar way, to match Linux/UNIX dd.

And even the options; we had to talk about dd in detail, so then acquire.

Certainly, we're not doing an acquisition here now. Let's look at what the next page does.

So the next page is FTK Imager. If you click on FTK Imager, definitely you will see that FTK Imager allows you to do a memory dump and also other acquisitions.

During the previous weeks, we did one demo. We did an exercise and a demo in FTK Imager.

So this is just collecting FTK Imager into this tool, okay.

And then if you click further, the third page is live RAM acquisition using Winen, and I also mentioned this in the class. Winen is free as well, even though most of Guidance Software's products are not free. But acquisition is free.

So this is Winen from Guidance Software for live memory acquisition.

And there's another one called MDD (Memory DD). This is also free for memory acquisition.

So I would never use the first page's dd to acquire memory, but I would use either Winen, or FTK Imager, or Memory DD to acquire a Windows live image.

All right, so those are the three pages for acquisition: acquiring memory, and/or using dd to acquire other information.

Now, let's move on to the next one. So this one is Incident Response.

So it collects various tools for incident response.

Let's look at Agile Risk Management's Nigilant32. This one is an interesting tool as well.

So this one, it says if you want to preview a disk, okay, you click on Preview a Disk.

Now, by the way, be very careful, since we are doing a live investigation here.

Commonly, I would say if you want to preview a disk, you should have a write blocker, and use a write blocker.

So if I click that, there is a tool for partitions; I click the first partition, and then for those of you who are familiar with Windows -- actually, we will cover this information in next week's lecture.

This is the Windows NTFS file system, and then you'll see those dollar-sign files. Those dollar-sign files are the system files, and we won't look into $MFT.

Now, I just want to give you one example: if you click on this, then on the left pane is the content.

It's the content for this chosen file. This is $MFT, and here they show you some text view, so this is the content inside $MFTMirr. And then you can look at the other information.

You can extract it and all that. This is preview.

We just haven't done acquisition yet, but we want to look around to find out which information I want to acquire.

So this tool has a lot of features you can play around with. And certainly, you can start NetCat to dump all the results to a network-connected machine, the forensics machine.

Since there's an arrow, we click, and we will see what's on the next page. So that's page two.

On page two, you can do preservation. So you can browse to a file, and then it can generate a hash. That's the top one.

For the other ones, they can provide you a Command Shell, and RootkitRevealer, which can run through the current Windows system to identify rootkits, okay.

So whether this is very effective -- this one can only recover rootkits from user mode.

It's not very effective, but it can collect some if you have user-mode rootkits there.

And then certainly, PuTTY SSH provides you SSH.

Now, if I want to see File Recover -- this is more related to us -- so here choose English.

Yes. All right, so now it says, do you want to recover deleted files?

Select Logical Drive, or select Pick Your Choice: what kind of file you want to recover.

So this information lets you recover the file.

It's listed, and then you can choose to export them out.

So the File Recovery tool, that's also useful. And now, it looks like they have more pages, so go to the next page. The next page is for other information.

Each one is a unique tool. Those are all tools, and Helix3 collects them, puts them under one umbrella, and puts them into one interface. So for example, IE Cookie Viewer -- it will look at Internet Explorer's cookies.

And then IE History Viewer -- that one will look at internet connections.

For example, if you use Internet Explorer to connect to certain websites, it can list all the websites you visited.

Password Viewer -- if you use IE and, for certain websites, you provide a password, then it tries to recover the password, okay.

Some other things.

Registry Viewer.

Registry Viewer allows you to view registry information.

There are a bunch of interesting ones, Mail Password Viewer.

So lots of these interesting tools are actually listed here that we can use.

Some of the tools we might come back to revisit when we talk about Windows analysis.

We will come to visit this page again.

So again, those are the three pages on incident response.

Very rich resources here.

Move on to the next one.

This is a browser, browser content.

Just be very careful when you're browsing it.

It possibly modifies information, so I would say if you have a chance to do that later, you will do that later.

If you have already confirmed it as an incident, don't try to do much at this stage, because in court, people will challenge you, saying you are modifying evidence.

So be very careful using this tool.

Just remember, on the first page, we already agreed that those are all possibly changed, but we still want to do it right. So try to be very careful, okay.

In this case, we'll look at the C drive.

Now, $Recycle.Bin -- again, we will discuss that later in the Windows analysis.

This is one of the Windows artifacts. Interestingly, if you click on that, if there's a plus, certainly, you can expand that.

So if you have one user, then this user, this corresponds to one user's Recycle Bin.

And then here are the files -- the $I files. It's all listed in there.

We will cover this later, okay. There's Documents and Settings.

So this is basically a map of Windows, and if you look at Users -- we logged in; for this virtual machine, I logged in as "student".

So for this student, I certainly have lots of information.

So this is Windows, in a Windows tree view. Once again, that allows you to browse it, to preview it, to identify important information to export.

But don't do too much, because currently we do not have a write blocker to use, yeah.

Move on to the next one. It is Scan For Pictures.

So given a folder, you can load a folder, and then it will scan all the pictures -- JPEG or graphics -- under this given folder.

It will show them in this pane. So it will collect all the pictures and show you at one time, on one screen, and then you can right-click and export.

Again, it is for incident response time or preview time, when you want to pick up some pictures or something. And you can even make notes.

So this tool is fascinating because it collects all sorts of tools for acquisition, for preservation, and for analysis.

You can spend hours and hours playing around with these tools.

Hopefully, you will try that later and have fun with it.

Reposted from: https://www.cnblogs.com/sec875/articles/10015654.html