Preparation

1 Identification
2 Identification
2
Please note that the Sysinternals Troubleshooting Utilities can - Look at the opened sessions on the machine:
■ A physical access to the suspicious system should be be used to perform most of these tasks. C:\> net session
given to the forensic investigator. Physical access is
preferred to remote access, since the hacker could detect ■ Unusual Accounts
- Have a look at the sessions the machine has opened with
the investigations done on the system (by using a network Look for unusual accounts created, especially in the
other systems:
sniffer for example). Administrators group:
C:\> net use
C:\> lusrmgr.msc
■ A physical copy of the hard-disk might be necessary for or
- Check for any suspicious Netbios connexion:
forensic and evidence purposes. Finally, if needed, a C:\> net localgroup administrators or net localgroup
physical access could be needed to disconnect the C:\> nbtstat –S
administrateurs
suspected machine from any network.
- Look for any suspicious activity on the system’s ports :
■ A good knowledge of the usual network activity of the ■ Unusual Files C:\> netstat –na 5
machine/server is needed. You should have a file on a - Look for unusually big files on the storage support, bigger than (5 makes it being refreshed each 5 seconds)
secure place describing the usual port activity, to compare 5MB. (can be an indication of a system compromised for illegal Use –o flag for Windows XP/2003 to see the owner of each
efficiently to the current state. content storage) process:
C:\> netstat –nao 5
■ A good knowledge of the usual services running on the
- Look for unusual files added recently in system folders,
especially C:\WINDOWS\system32. Use “fport” if possible.
machine can be very helpful. Don’t hesitate to ask a
- Look for files using the “hidden” attribute:
Windows Expert for his assistance, when applicable. A
good idea is also to have a map of all services/running
C:\> dir /S /A:H
- Use “windirstat” if possible.
■ Unusual Automated Tasks
process of the machine. Look at the list of scheduled tasks for any unusual entry:
-
C:\> at
■ Unusual Registry Entries On Windows 2003/XP: C:\> schtasks
It can be a real advantage to work in a huge corporate Look for unusual programs launched at boot time in the
environment, where all user machines are the same, installed
from a master CD. Have a map of all
Windows registry, especially:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
■ Unusual Log Entries
processes/services/applications. On such environment where Watch your log files for unusual entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
users are not allowed to install software, consider any additional C:\> eventvwr.msc
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
process/service/application as suspicious. If possible, use “Event Log Viewer” or such tool
Use “HiJackThis” if possible. (Also have a look in your Startup
folder)
The more you know the machine in its clean state, the more Search for events affecting the firewall, the antivirus, the file
chances you have to detect any fraudulent activity running protection, or any suspicious new service.
from it. ■ Unusual Processes and Services
Check all running processes for unusual/unknown entries, Look for a huge amount of failed login attempts or locked out
especially processes with username “SYSTEM” and accounts.
“ADMINISTRATOR”:
C:\> taskmgr.exe Watch your firewall (if any) log files for suspect activity.
(or tlisk, tasklist depending on Windows release)
Use “psexplorer” if possible.
■ Rootkit check
Run “Rootkit Revealer”, “Rootkit Hooker”, “Ice Sword”, “Rk
■ Check user’s autostart folders Detector”, “SysInspector”, “Rootkit Buster”.
C:\Documents and Settings\user\Start Menu\Programs\Startup
C:\WinNT\Profiles\user\Start Menu\Programs\Startup It’s always better to run several of these tools than only one.

■ Look for unusual/unexpected network services

installed and started ■ Malware check
C:\> services.msc Run at least one anti-virus product on the whole disk. If possible
C:\> net start use several anti-virus. The anti-virus must absolutely be up-to-
date.

■ Unusual Network Activity

- Check for file shares and verify each one is linked to a normal
activity:
C:\> net view \\127.0.0.1
Use “tcpview” if possible.
 Containment
3 Recovery
5
If the machine is considered critical for your company’s No matter how far the hacker has gone into the system and the Incident Response Methodology
business activity and can’t be disconnected, backup all knowledge you might have about the compromission, as long as
important data in case the hacker notices you’re investigating the system has been penetrated, the best practice is to
and starts deleting files. Also make a copy of the system’s reinstall the system fully from original media and apply all
memory for further analysis. (use tools such as fixes to the newly installed system.
Memoryze,win32dd etc.)
In case this solution can’t be applied, you should:
If the machine is not considered critical for your company and IRM #2
can be disconnected, shut the machine down the hard way,
removing its power plug. If it is a laptop with a battery on, just ■ Change all the system’s accounts passwords, and
Windows Intrusion Detection
push the “off” button for some seconds until the computer make your users do so in a secure way: they should use
passwords with upper/lower case, special characters, Live Analysis on a suspicious Windows system
switches off.
numbers, and at least be 8 characters long.
___________________________________________________
Offline investigations should be started right away if the live IRM Author: CERT SG/ Cedric Pernet
analysis didn’t give any result, but the system should still be ■ Restore all files that could have been changed (Example: IRM version: 1.2
considered compromised. svchost.exe) by the attacker.
E-Mail: cert.sg@socgen.com
Make a physical copy (bit by bit) of the whole hard disk on an Web: http://cert.societegenerale.com
external storage support, using EnCase, X-Ways, or similar Twitter: @CertSG
forensic tool (dd, ddrescue etc.).

Try to find evidences of every action of the hacker:

Abstract
■ Find all files used by the attacker, including deleted files
This Incident Response Methodology is a cheat sheet dedicated
(use your forensic tools) and see what has been done with
it or at least their functionality, in order to evaluate the to incident handlers investigating a precise security issue.
threat. Who should use IRM sheets?

■
■
Check all files accessed recently.
Inspect network shares to see if the malware has spread Report
Aftermath
6 •
•
•
Administrators
Security Operation Center
CISOs and deputies
through it. • CERTs (Computer Emergency Response Team)
A crisis report should be written and made available to all of the
■ More generally, try to find how the attacker got into the actors of the crisis management cell. Remember: If you face an incident, follow IRM, take notes
system. All leads should be considered. If no computer and do not panic. Contact your CERT immediately if
proof of the intrusion is found, never forget it could come The following themes should be described: needed.
from a physical access or a complicity/stealing of
information from an employee. ■ Initial detection

■ Apply fixes when applicable (operating system and ■ Actions and timelines of every important event
Incident handling steps
applications), in case the attacker used a known ■ What went right 6 steps are defined to handle security Incidents
vulnerability.
■ What went wrong
J Preparation: get ready to handle the incident
■ Incident cost J Identification: detect the incident
J Containment: limit the impact of the incident
Remediation
4 Capitalize
Actions to improve the Windows intrusion detection
J Remediation: remove the threat
J Recovery: recover to a normal stage
J Aftermath: draw up and improve the process
management processes should be defined to capitalize on this
In case the system has been compromised: experience.
IRM provides detailed information for each step.
■ Temporary remove all accesses to the accounts involved
in the incident.
■ Remove all malicious files installed by the attacker.
This document is for public use