Windows Baseline
Evidence Acquisition refers to the process of collecting and preserving digital evidence in a forensically sound manner. This ensures that the evidence remains unchanged and admissible in legal proceedings. Key aspects include:
Forensic Imaging: Creating a bit-for-bit copy (forensic image) of storage devices such as hard drives, USB drives, and memory cards.
Chain of Custody: Documenting who had control of the evidence at all times to maintain its integrity.
Verification: Validating the integrity of acquired evidence through hash values. Record SHA-256 (MD5 is collision-prone and should only be kept alongside a stronger hash for compatibility with older tools), compute it at acquisition, and recompute it whenever the evidence changes hands to show it has not been altered.
Documentation: Recording details of the acquisition process, including date, time, personnel involved, the devices imaged, and the tool and write-blocker used.
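As an added example (not part of the original notes), the verification and documentation steps above in code: hash a constructed stand-in image once for both MD5 and SHA-256, and keep an append-only custody record in which every collection or transfer entry re-hashes the evidence and records the result. The image bytes, the hypothetical `hash_file` helper and the names are assumptions for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired image; a real acquisition reads the
# evidence file (or device) in chunks instead of holding it in memory.
SAMPLE_IMAGE = bytes(range(256)) * 64  # 16 KiB, deterministic

def hash_chunks(chunks, algorithms=("md5", "sha256")):
    """Compute every requested digest in a single pass over the data.

    One pass matters for large images: reading a multi-terabyte disk twice
    to get MD5 and SHA-256 separately doubles acquisition time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def iter_chunks(data, size=4096):
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]

def hash_file(path, chunk_size=1 << 20):
    """Same calculation over a file on disk (hypothetical helper, not used below)."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(chunk_size), b""))

def verify_image(data, expected):
    """True only if every recorded digest matches the data as it is now."""
    actual = hash_chunks(iter_chunks(data), tuple(expected))
    return all(actual[name] == digest for name, digest in expected.items())

class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Every entry (collection, transfer) re-hashes the evidence and records
    whether it still matches the acquisition hash, so a mismatch is tied to
    the handler and the time at which it was first observed."""

    def __init__(self, item_id, collector, data, location):
        self.item_id = item_id
        self.acquisition_hashes = hash_chunks(iter_chunks(data))
        self.entries = []
        self._append("collected", collector, collector, location, data,
                     note="initial acquisition")

    def _append(self, action, handed_from, handed_to, location, data, note=""):
        intact = verify_image(data, self.acquisition_hashes)
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "from": handed_from,      # both parties sign on the paper form
            "to": handed_to,
            "location": location,
            "condition": "hash verified" if intact else "HASH MISMATCH",
            "note": note,
        })
        return intact

    def transfer(self, handed_from, handed_to, location, data, purpose):
        return self._append("transfer", handed_from, handed_to, location, data, note=purpose)

    def intact(self):
        return all(e["condition"] == "hash verified" for e in self.entries)

if __name__ == "__main__":
    log = CustodyLog("E-0001", "analyst_a", SAMPLE_IMAGE, "evidence locker 3")
    log.transfer("analyst_a", "analyst_b", "lab bench 2", SAMPLE_IMAGE, "memory analysis")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01                      # a single flipped byte is enough
    log.transfer("analyst_b", "analyst_c", "lab bench 4", bytes(tampered), "disk analysis")
    for e in log.entries:
        print(e["timestamp"], e["action"], e["from"], "->", e["to"], e["condition"])
```

The third entry is recorded with condition HASH MISMATCH, which is exactly what the paper form's "condition at transfer" field is meant to capture: the log does not hide the problem, it pins down the handoff at which it appeared.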
Order of Volatility is the principle of collecting digital evidence in the order in which it is most likely to be lost or altered, most volatile first. A common ordering, from most to least volatile:
Registers and Cache: CPU registers, cache memory.
Network and Process State: Active network connections, routing table, ARP cache, process table (lost on reboot and changing within seconds of an event).
RAM: Random Access Memory (volatile memory, lost on power-off).
Swap and Paging: Page file, swap space and hibernation files (stored on disk, but overwritten continuously while the system runs).
Disk: Hard drives, SSDs, external storage.
Logs and Backups: Remote log servers, backups and archival media.
Importance of following the order of volatility:
Data Preservation: Ensures that the most volatile data, which can easily be lost or altered, is collected first.
Integrity: Maintains the integrity and authenticity of evidence for legal admissibility.
Efficiency: Prioritizes resources and efforts to gather the most critical evidence promptly.
Comprehensiveness: Helps in building a complete and accurate picture of the system state at the time of investigation.
Chain of Custody is the documented trail that shows the chronological history of evidence, who had it, when, and for what purpose. Key components include:
Evidence Collection
Evidence Handling
Evidence Transfer
Evidence Analysis
Evidence Presentation
Chain of Custody - Process:
Initial collection
Recording details: Date, time, location and description of the evidence
Initial Custodian: The initial collector signs and dates the evidence collection form
Transfer and storage
Transfer Log: A log used to maintain each transfer of evidence, documenting the recipient, date, time and purpose of transfer
Storage Log: record the storage location, access, times, and identities of individuals accessing the evidence
Custodian Documentation
Signatures: Each transfer requires signatures from both the person transferring and the person receiving the evidence
Condition: Note the condition of the evidence at each transfer (seals intact, hash re-verified) to show that no tampering or damage has occurred
Access Control
Authorized Personnel: only authorized personnel can access the evidence, and each access is documented
Security Measures: Implement security measures such as locks, seals, and surveillance to protect the evidence
Final Disposition
Return or disposal: Document the final disposition of the evidence, whether it is returned to the owner, disposed of, or retained for legal proceedings
Final Documentation: Complete a final chain of custody form, detailing the disposition and condition of the evidence
Importance of Chain of Custody:
Integrity: Ensures that evidence has not been altered, tampered with, or contaminated.
Admissibility: Maintains the admissibility of evidence in court by proving its authenticity and integrity.
Accountability: Provides a clear record of who handled the evidence and when, ensuring accountability at each step.
Trust: Establishes trust in the forensic process and findings by providing a transparent and documented trail of evidence handling.
Common Survey Commands
Survey Commands typically refer to commands used to gather information about a system during an incident response or forensic investigation. Common examples include:
System Information:
systeminfo: Retrieves detailed information about the operating system, installed hotfixes and hardware.
hostname: Displays the name of the computer.
Network Information:
ipconfig /all (Windows) or ifconfig / ip addr (Unix-like): Displays network configuration details.
netstat -ano (Windows): Lists current network connections and listening ports together with the owning process ID, which is what lets you tie a port back to a process.
Process Information:
tasklist: Lists all running processes; tasklist /svc maps each svchost instance to the services it hosts.
File System and Disk Information:
dir: Lists files and directories.
diskpart: Disk partitioning utility on Windows (interactive; list disk and list volume show attached storage).
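As an added example (not from the original notes), this is the join a responder does by hand between netstat -ano and tasklist: parse both outputs, attach the image name to each connection by PID, list listening ports that are not in the expected-port table at the end of this page, and pull out established sessions to external hosts. It also covers the enumeration point later on this page about running processes and their associated network connections. The netstat and tasklist text below is constructed, not captured from a real host; the process names, PIDs and addresses are invented.

```python
import csv
import io

# Ports the table at the end of this page lists as expected on a Windows domain host.
EXPECTED_PORTS = {22, 88, 135, 137, 138, 139, 389, 445, 3268, 3269, 3389, 5985, 5986}

# Constructed sample output of `netstat -ano` (invented values, not a real capture).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1128
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5212
  TCP    10.0.0.15:49812        203.0.113.7:443        ESTABLISHED     5212
  TCP    [::]:135               [::]:0                 LISTENING       908
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample output of `tasklist /FO CSV /NH` (invented values).
TASKLIST_OUTPUT = """\
"System","4","Services","0","1,024 K"
"svchost.exe","908","Services","0","12,344 K"
"svchost.exe","1128","Services","0","20,100 K"
"updater.exe","5212","Console","1","8,512 K"
"""

def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; skips the banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows have no State column
        pid = int(parts[-1])                          # so take the PID from the end
        ip, port = local.rsplit(":", 1)               # rsplit copes with [::]:135
        conns.append({"proto": proto, "local_ip": ip.strip("[]"), "local_port": int(port),
                      "foreign": foreign, "state": state, "pid": pid})
    return conns

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            procs[int(row[1])] = row[0]
    return procs

def correlate(conns, procs):
    """Attach the owning image name to every connection (unknown PIDs are flagged, not dropped)."""
    for c in conns:
        c["image"] = procs.get(c["pid"], "<unknown>")
    return conns

def listeners(conns):
    return [c for c in conns if c["state"] == "LISTENING" or c["proto"] == "UDP"]

def unexpected_listeners(conns, expected=EXPECTED_PORTS):
    """Listening ports outside the expected set, deduplicated across IPv4/IPv6."""
    return sorted({(c["local_port"], c["pid"], c["image"])
                   for c in listeners(conns) if c["local_port"] not in expected})

def external_connections(conns):
    """Established sessions to anything other than loopback: who is this host talking to?"""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and not c["foreign"].startswith("127.")]

if __name__ == "__main__":
    conns = correlate(parse_netstat(NETSTAT_OUTPUT), parse_tasklist(TASKLIST_OUTPUT))
    for port, pid, image in unexpected_listeners(conns):
        print(f"unexpected listener: port {port} pid {pid} ({image})")
    for c in external_connections(conns):
        print(f"external session: {c['image']} pid {c['pid']} -> {c['foreign']}")
```

The two findings together (an unexpected listener on 4444 and an outbound session to an external address, both owned by the same PID) are a stronger triage lead than either survey command on its own.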
Common Survey Response Tools
Survey Response Tools are software tools used to collect and analyze data during incident response or forensic investigations. Examples include:
Forensic Imaging Tools:
dd / dcfldd: Command-line tools for creating forensic images; dcfldd is a dd variant that hashes the data as it is copied and reports progress.
EnCase, FTK Imager: GUI-based tools for forensic imaging and analysis.
Memory Forensics Tools:
Volatility: Framework for analyzing volatile memory (RAM) dumps.
Rekall: Memory analysis framework forked from Volatility (no longer maintained).
Network Forensics Tools:
Wireshark: Network protocol analyzer for capturing and analyzing network traffic.
tcpdump: Command-line packet analyzer.
Disk Forensics Tools:
Autopsy, The Sleuth Kit: GUI and command-line tools for disk and file system analysis.
AccessData Forensic Toolkit (FTK): Integrated platform for digital investigations.
Common Triage Logs and Artifacts
Triage Logs and Artifacts are data points and traces left on a system that provide evidence or indicate events of interest. Common examples include:
System Logs:
Event logs (Windows Event Viewer): Records system events, errors, and warnings.
Syslog (Unix-like systems): Logs system messages and events.
Application Logs:
Web server logs (Apache access logs, IIS logs): Records HTTP requests and responses.
Database logs: Records database transactions and operations.
Registry Entries (Windows):
Contains configuration settings, installed software, and user activities.
File System Artifacts:
File metadata (creation time, last accessed time).
Prefetch files (Windows, C:\Windows\Prefetch\*.pf): Record applications launched on a system, including run counts and last-run times (enabled by default on workstations, usually disabled on servers).
Triage Logs and Artifacts - Tools
Forensic Analysis Tools:
EnCase, FTK (Forensic Toolkit), Autopsy (The Sleuth Kit): Provide comprehensive analysis of disk images, file systems, and artifacts.
Memory Forensics Tools:
Volatility, Rekall: Analyze memory dumps for detecting malware, analyzing running processes, and identifying volatile data.
Network Forensics Tools:
Wireshark, tcpdump: Analyze network traffic captures (PCAP files) to identify suspicious activities and communication patterns.
Log Analysis Tools:
ELK Stack (Elasticsearch, Logstash, Kibana), Splunk: Aggregate and analyze logs from various sources for correlation and incident investigation.
Importance of triage logs and artifacts:
Early Detection - Helps in quickly identifying security incidents and minimizing potential damage.
Root Cause - Provides the data needed to understand the cause and scope of incidents.
Forensic Investigation - Crucial for supporting legal proceedings and regulatory compliance.
Enumeration Information
Enumeration Information involves gathering detailed information about users, groups, shares, services, and other resources on a system or network. Key aspects include:
User Enumeration:
Enumerating user accounts, including usernames, group memberships, and privileges.
Checking password policies and settings.
Network Enumeration:
Discovering network shares (SMB shares, NFS mounts) and permissions.
Identifying open ports, services running on those ports, and associated vulnerabilities.
System Enumeration:
Listing installed software, patches, and versions.
Enumerating running processes and their associated network connections.
Service Enumeration:
Identifying services running on systems, their status (running/stopped) and associated configuration settings.
Listing the accounts under which services run, along with their permissions and privileges.
Web Enumeration:
Servers: Identifying web servers and their configurations
Applications: Enumerating web applications hosted on servers, including URL structures, technologies used and vulnerabilities
Enumeration Information - Tools
Command Line Tools:
net (net user, net localgroup, net share, net start): Local users, groups, shares and started services.
netstat: Connections and listening ports.
tasklist: Running processes.
ipconfig: Network configuration.
wmic: WMI queries from the command line (deprecated in current Windows releases; prefer PowerShell).
PowerShell: Scripted collection (e.g. Get-Process, Get-Service, Get-LocalUser, Get-NetTCPConnection).
Network Scanning Tools: Nmap, Zenmap (GUI for Nmap) for port scanning and service enumeration.
Active Directory:
dsquery: Finds directory objects matching search criteria.
dsget: Displays properties of a directory object.
dsrm: Removes directory objects (part of the ds* family, but a modification command, not an enumeration one).
Importance of Enumeration:
Security Assessments: Helps identify potential security weaknesses and attack vectors (e.g., open ports, outdated software).
System Administration: Facilitates system and network management tasks (e.g., managing user accounts, monitoring services).
Incident Response: Provides critical information during incident investigations to understand the scope and impact of security incidents.
Compliance and Auditing: Supports compliance with regulatory requirements by ensuring accurate documentation of network and system configurations.
Windows Baseline
A baseline establishes what normal looks like for a system or network. It is data collected periodically so that current behaviour can be evaluated against it; during real-time monitoring the baseline is the reference against which abnormalities are identified.
Creating and maintaining an up-to-date, detailed and precise baseline of any given system is vital: without one there is nothing to compare a suspicious process, port or account against.
Often this makes the difference between spotting a compromise early and losing valuable infrastructure or data.
Baselines can be stand-alone snapshots, or they can be collected over a period of time to support pattern-of-life assessments.
Baseline: Information we have gathered over time or know from creating our system baselines.
Enumeration: Actively gathering information on our target, noticing changes, building patterns of life, etc.
Difference: What we found that is not as we expect, or that should not be there at all.
Port Numbers (commonly expected on a Windows domain host):
22 SSH
88 Kerberos
135 Remote Procedure Call (RPC endpoint mapper)
137 NetBIOS Name Service
138 NetBIOS Datagram Service
139 NetBIOS Session Service
389 Lightweight Directory Access Protocol (LDAP)
445 Server Message Block (SMB)
3268 Global Catalog (LDAP, forest-wide search)
3269 Global Catalog over SSL/TLS
3389 Remote Desktop Protocol (RDP)
5985 Windows Remote Management (WinRM) over HTTP
5986 Windows Remote Management (WinRM) over HTTPS
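As an added example (not from the original notes), the baseline / enumeration / difference triad above carried through in code: a baseline snapshot and a later enumeration of the same host are diffed field by field, and the raw differences are turned into prioritized findings, with new listening ports checked against the port table above. The snapshot format is a hypothetical JSON-like shape that a scheduled collection script on the host might export; the host name, users, services, ports and tasks in it are constructed for illustration.

```python
# Constructed baseline and current snapshots (hypothetical shape, invented values).
BASELINE = {
    "host": "WS-042",
    "local_users": ["Administrator", "Guest", "jdoe"],
    "services": {"WinDefend": "Running", "TermService": "Running", "WinRM": "Stopped"},
    "listening_ports": [135, 139, 445, 3389],
    "scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"],
}

CURRENT = {
    "host": "WS-042",
    "local_users": ["Administrator", "Guest", "jdoe", "support"],
    "services": {"WinDefend": "Stopped", "TermService": "Running",
                 "WinRM": "Running", "RemoteHelper": "Running"},
    "listening_ports": [135, 139, 445, 3389, 4444, 5985],
    "scheduled_tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Updater"],
}

# The port table from this page: a new listener on one of these is informational,
# anything else is a high-priority finding.
EXPECTED_PORTS = {22, 88, 135, 137, 138, 139, 389, 445, 3268, 3269, 3389, 5985, 5986}
# Services whose leaving the Running state is a finding on its own (assumed list).
PROTECTIVE_SERVICES = {"WinDefend", "EventLog", "MpsSvc"}

def diff_set(before, after):
    """Added/removed members of a list-valued field (users, ports, tasks)."""
    before, after = set(before), set(after)
    return {"added": sorted(after - before), "removed": sorted(before - after)}

def diff_map(before, after):
    """Added/removed/changed entries of a dict-valued field (service -> state)."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}

def diff_snapshots(baseline, current):
    """The 'difference' step: everything in the enumeration that departs from the baseline."""
    if baseline["host"] != current["host"]:
        raise ValueError("snapshots are from different hosts")
    return {
        "local_users": diff_set(baseline["local_users"], current["local_users"]),
        "services": diff_map(baseline["services"], current["services"]),
        "listening_ports": diff_set(baseline["listening_ports"], current["listening_ports"]),
        "scheduled_tasks": diff_set(baseline["scheduled_tasks"], current["scheduled_tasks"]),
    }

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}

def findings(diff, expected_ports=EXPECTED_PORTS):
    """Turn raw differences into (severity, description) lines, highest severity first."""
    out = []
    for port in diff["listening_ports"]["added"]:
        out.append(("INFO" if port in expected_ports else "HIGH", f"new listening port {port}"))
    for user in diff["local_users"]["added"]:
        out.append(("HIGH", f"new local user {user}"))
    for svc, state in diff["services"]["added"].items():
        out.append(("MEDIUM", f"new service {svc} ({state})"))
    for svc, (old, new) in diff["services"]["changed"].items():
        sev = "HIGH" if svc in PROTECTIVE_SERVICES and new != "Running" else "MEDIUM"
        out.append((sev, f"service {svc} changed {old} -> {new}"))
    for task in diff["scheduled_tasks"]["added"]:
        out.append(("MEDIUM", f"new scheduled task {task}"))
    return sorted(out, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

if __name__ == "__main__":
    for severity, text in findings(diff_snapshots(BASELINE, CURRENT)):
        print(f"[{severity}] {text}")
```

Note that the same port can land in different buckets: 5985 is on the expected list, so WinRM starting is only informational here, while 4444 is not and is reported as high. That is the point of pairing the diff with a baseline rather than alerting on every change.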