First Responders Guide To Computer Forensics


First Responders Guide to Computer Forensics

Richard Nolan
Colin O'Sullivan
Jake Branson
Cal Waits

March 2005

CERT Training and Education

HANDBOOK
CMU/SEI-2005-HB-001

Pittsburgh, PA 15213-3890

Unlimited distribution subject to the copyright.

This report was prepared for the
SEI Joint Program Office
ESC/XPK
5 Eglin Street
Hanscom AFB, MA 01731-2100

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Christos Scondras
Chief of Programs, XPK

This work is sponsored by the SEI FFRDC primary sponsor and the Commander, United States Army Reserve (USAR) Information Operations Command and USAR EIO. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright 2005 Carnegie Mellon University.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web ml).

Contents

Preface ... xi
Abstract ... xiii

1 Module 1: Cyber Law ... 1
  1.1 Module 1 Objectives ... 2
  1.2 Forensics ... 3
    1.2.1 Computer Forensics ... 4
  1.3 Laws that Affect Cyber Security ... 6
  1.4 Legal Governance Related to Monitoring and Collection ... 9
    1.4.1 Constitutional Issues ... 9
      1.4.1.1 The 4th Amendment ... 9
      1.4.1.2 The 5th Amendment ... 11
    1.4.2 U.S. Statutory Law ... 12
      1.4.2.1 Wiretap Act/Electronic Communications Privacy Act ... 15
      1.4.2.2 Pen Registers and Trap and Trace Devices ... 18
      1.4.2.3 Stored Wired and Electronic Communications Act ... 21
  1.5 Legal Governance Related to Admissibility (Federal Rules of Evidence) ... 25
    1.5.1 Hearsay ... 25
      1.5.1.1 Exceptions ... 26
    1.5.2 Authentication ... 27
    1.5.3 Reliability ... 28
    1.5.4 The Best Evidence Rule ... 30
  1.6 Summary ... 31
  1.7 Review ... 32

2 Module 2: Understanding File Systems and Building a First Responder Toolkit ... 33
  2.1 Introduction ... 33
  2.2 File System Architecture ... 35
    2.2.1 Physical Look at the Hard Drive ... 36
    2.2.2 Types of Hard Drive Formatting ... 37
    2.2.3 Importance of File Systems ... 38
    2.2.4 Understanding Windows File Structure ... 39
    2.2.5 FAT: File Allocation Table ... 41
    2.2.6 NTFS: New Technology File System ... 43
    2.2.7 Windows Registry ... 46
    2.2.8 Swap File, Slack, and Unallocated Space ... 47
      2.2.8.1 Swap File ... 47
      2.2.8.2 Slack Space ... 47
      2.2.8.3 Unallocated Space ... 48
    2.2.9 Linux File System Basics ... 49
    2.2.10 Boot Sequence ... 54
    2.2.11 Commonly Used Terms ... 56
    2.2.12 Forensically Sound Duplication ... 57
    2.2.13 Duplication Tools ... 58
    2.2.14 Wiping Storage Devices ... 59
    2.2.15 DoD Directive 5220-22M ... 60
    2.2.16 Hard Drives ... 61
    2.2.17 Other Storage Devices ... 62
  2.3 First Responder Toolkit ... 63
    2.3.1 Statically- vs. Dynamically-Linked Tools ... 64
    2.3.2 Problems with Dynamically-Linked Executables ... 66
    2.3.3 Methodology for Creating a First Responder Toolkit ... 68
      2.3.3.1 Create a Forensic Tool Testbed ... 69
      2.3.3.2 Document the Testbed ... 72
      2.3.3.3 Document and Set Up the Forensic Tools ... 73
      2.3.3.4 Test the Tools ... 75
      2.3.3.5 Benefits of Proper Tool Testing ... 80
      2.3.3.6 NIST Methodology ... 81
  2.4 Summary ... 83
  2.5 Review ... 84

3 Module 3: Collecting Volatile Data ... 85
  3.1 Introduction ... 85
  3.2 Objectives ... 87
  3.3 Role of a First Responder ... 88
  3.4 What is Volatile Data? ... 89
  3.5 Order of Volatility ... 91
  3.6 Why is Volatile Data Important? ... 92
  3.7 Common First Responder Mistakes ... 93
  3.8 Volatile Data Collection Methodology ... 94
    3.8.1 Step 1: Incident Response Preparation ... 95
    3.8.2 Step 2: Incident Documentation ... 96
      3.8.2.1 Incident Profile ... 96
      3.8.2.2 Forensic Collection Logbook ... 97
      3.8.2.3 First Responder Toolkit Logbook ... 97
    3.8.3 Step 3: Policy Verification ... 98
    3.8.4 Step 4: Volatile Data Collection Strategy ... 99
    3.8.5 Step 5: Volatile Data Collection Setup ... 100
      3.8.5.1 Establish a Trusted Command Shell ... 100
      3.8.5.2 Establish a Method for Transmitting and Storing the Collected Information ... 100
      3.8.5.3 Ensure the Integrity and Admissibility of the Forensic Tool Output ... 101
    3.8.6 Step 6: Volatile Data Collection Process ... 102
  3.9 Types of Volatile Information ... 103
    3.9.1 Volatile System Information ... 104
      3.9.1.1 System Profile ... 105
      3.9.1.2 Current System Date and Time and Command History ... 109
      3.9.1.3 Current System Uptime ... 111
      3.9.1.4 Running Processes ... 113
      3.9.1.5 Open Files, Startup Files, and Clipboard Data ... 122
      3.9.1.6 Logged On Users ... 135
      3.9.1.7 DLLs or Shared Libraries ... 143
    3.9.2 Volatile Network Information ... 147
      3.9.2.1 Open Connections and Ports ... 148
      3.9.2.2 Routing Information ... 154
  3.10 Summary ... 157
  3.11 Review ... 158

4 Module 4: Collecting Persistent Data ... 159
  4.1 Objectives ... 160
  4.2 Introduction to Persistent Data ... 161
    4.2.1 What Is Persistent Data? ... 161
    4.2.2 Why is Persistent Data Important? ... 161
    4.2.3 What Problems Exist in Investigating Persistent Data? ... 161
  4.3 Responding to a Security Event ... 163
    4.3.1 Consequences of Responses ... 164
  4.4 Basic Building Blocks of Disk Storage ... 166
  4.5 OS and Application Considerations ... 167
    4.5.1 Windows ... 167
      4.5.1.1 FAT ... 167
      4.5.1.2 NTFS ... 167
    4.5.2 Linux/UNIX ... 168
      4.5.2.1 Ext2/3 ... 168
    4.5.3 Operating Systems ... 168
  4.6 Collecting Forensic Evidence ... 169
    4.6.1 To Shut Down or Not to Shut Down ... 171
    4.6.2 Creating a Disk Image Using dd ... 172
  4.7 Persistent Data Types ... 173
    4.7.1 System Files ... 173
      4.7.1.1 Windows ... 173
      4.7.1.2 UNIX/Linux ... 174
    4.7.2 Temp Files ... 176
    4.7.3 Web Artifacts ... 178
      4.7.3.1 Windows vs. Linux ... 178
      4.7.3.2 IE Default Locations ... 178
      4.7.3.3 Alternative Browsers ... 181
      4.7.3.4 Cookies ... 182
    4.7.4 File Recovery ... 183
      4.7.4.1 Deleted Data ... 183
      4.7.4.2 Slack Space ... 184
      4.7.4.3 Swap Files ... 184
      4.7.4.4 Unallocated Space ... 184
      4.7.4.5 Partial Files ... 184
      4.7.4.6 Windows Artifacts ... 185
    4.7.5 Hidden Files ... 186
  4.8 Recovering a Deleted Email ... 187
  4.9 Tools for Accessing Persistent Data ... 188
    4.9.1 Windows ... 188
      4.9.1.1 Command-Line Tools ... 188
      4.9.1.2 GUI-Based Utilities ... 188
      4.9.1.3 Commercial ... 189
    4.9.2 UNIX/Linux ... 189
      4.9.2.1 Command-Line Tools ... 189
      4.9.2.2 GUI-Based Utilities ... 189
      4.9.2.3 Freeware ... 189
  4.10 Summary ... 191
  4.11 Review ... 192

References ... 193

List of Figures

Figure 1: Mapping of DoD and OSI Models ... 14
Figure 2: Logical Layout of the FAT32 File System ... 42
Figure 3: Types of CMOS Batteries ... 54
Figure 4: The ldd Command ... 64
Figure 5: Using Filemon to Identify Dependencies ... 66
Figure 6: Performing a Cryptographic Hash of Installed DLLs ... 70
Figure 7: A Regmon Listing ... 76
Figure 8: An MD5 Hash ... 101
Figure 9: The systeminfo Command ... 106
Figure 10: The PsInfo Command ... 107
Figure 11: The cat Command ... 107
Figure 12: The uname Command ... 108
Figure 13: date and time Commands Used with netstat ... 109
Figure 14: The PsUptime Command ... 111
Figure 15: The net statistics Command ... 112
Figure 16: The uptime and w Commands ... 112
Figure 17: Using netstat -ab to Determine Process Executable Image ... 115
Figure 18: Using ListDLLs to Determine Command Line ... 115
Figure 19: Using PsList to Determine How Long a Process Has Been Running ... 115
Figure 20: Using PsList to Determine How Much Virtual Memory a Process Is Using ... 116
Figure 21: Using ListDLLs to Discover the Currently Loaded DLLs for a Process ... 116
Figure 22: Pulist Output ... 116
Figure 23: tlist.exe ... 117
Figure 24: PsList ... 117
Figure 25: A Process Memory Dump ... 118
Figure 26: The top Command ... 119
Figure 27: The w Command ... 119
Figure 28: The ps Command ... 120
Figure 29: The dir Command ... 123
Figure 30: The afind Command ... 124
Figure 31: MACMatch ... 125
Figure 32: Autorunsc ... 125
Figure 33: PsFile ...

