Fundamental Computer Investigation Guide For Windows

Preparing Your Organization for a Computer Investigation

 

To prepare your organization for an internal computer investigation, you should assemble a readily available computer investigation toolkit that includes software and devices you can use to acquire evidence. Such a toolkit might contain a laptop computer with appropriate software tools, different operating systems and patches, application media, backup devices, blank media, basic networking equipment, and cables. Preparing this toolkit can be an ongoing task as you find the need for various tools and resources, depending upon the investigations you need to conduct.

Use the following guidelines when building and using a computer investigation toolkit:

  • Decide which tools you plan to use before you start the investigation. In addition to the Microsoft® Windows® Sysinternals and other Windows tools discussed in this document, the toolkit will typically include dedicated computer forensics software, such as EnCase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways.
  • Archive and preserve the tools. You might need a backup copy of the exact versions of the investigation tools and software you used in order to prove how you collected and analyzed data.
  • List each operating system that you will likely examine, and ensure you have the necessary tools for examining each of them. For example, you can use Windows Sysinternals tools (described later in this appendix) such as PsInfo, PsLogList, and Process Explorer to examine computers that run Windows XP and Windows Server® 2003.
  • Include a tool to collect and analyze metadata.
  • Include a tool for creating bit-for-bit (physical) and logical copies.
  • Include tools to collect and examine volatile data, such as the system state, before it is lost to a reboot or shutdown. Examples from Windows Sysinternals include ListDLLs, LogonSessions, PendMoves, Autoruns, and Process Explorer; Windows tools include Systeminfo, Ipconfig, Netstat, and Arp.
  • Include a tool to generate cryptographic hashes (checksums) of files and other data, such as the File Checksum Integrity Verifier (FCIV) tool, which computes MD5 and SHA-1 hashes; recording hashes at acquisition time lets you show later that the evidence has not changed. FCIV is available through Microsoft Knowledge Base article 841290, Availability and description of the File Checksum Integrity Verifier utility.
  • If you need to collect physical evidence, include a digital camera in the toolkit.

In addition, ensure that your toolkit meets the following criteria:

  • Data acquisition tools are shown to be accurate. Proving accuracy is generally easier if you use well-known computer forensics software whose results have already been validated.
  • The tools do not modify the access time (or any other timestamp) of the files they read.
  • The examiner’s storage device is forensically sterile, which means it contains no data (every sector reads as zero) before it is used. Verify this by reading the entire device and confirming that every byte is zero, or by comparing a hash of the whole device with the hash of an all-zero stream of the same length. The hash of a zeroed device is not itself a string of zeros, so a checksum that "returns all zeros" is not a valid test.
  • The examiner’s hardware and tools are used only for the computer investigation process and not for other tasks.
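The sterile-media check and the hash record described above, as an added PowerShell example that is not part of the Microsoft guide. It uses the .NET hashing classes directly so it also runs under the PowerShell 2.0 found on Windows XP and Server 2003. The device path \\.\PhysicalDrive2 and the E:\ paths are placeholders; reading a raw device requires an elevated prompt and the device should not be mounted, while running the same function over a disk image file needs neither.

```powershell
# Added example (not from the Microsoft guide): verify examiner media is forensically
# sterile and produce an FCIV-style MD5/SHA1 record of acquired files.
# Assumptions: PowerShell 2.0+, elevated prompt for raw device access; all paths are placeholders.

function Test-ForensicallySterile {
    # Reads the device once and feeds every block to two SHA1 hashers: one gets the
    # device bytes, the other an all-zero buffer of the same length. The device is
    # sterile only if both digests match. (The digest of a zeroed device is NOT a
    # string of zeros, so "the checksum returns all zeros" is not a usable test.)
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$BlockSize = 4MB      # multiple of the sector size, required for raw devices
    )
    $devHash  = [System.Security.Cryptography.SHA1]::Create()
    $zeroHash = [System.Security.Cryptography.SHA1]::Create()
    $buf  = New-Object byte[] $BlockSize
    $zero = New-Object byte[] $BlockSize   # never written to, so it stays all 0x00
    $fs   = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $total = [long]0
        while (($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) {
            [void]$devHash.TransformBlock($buf, 0, $n, $null, 0)
            [void]$zeroHash.TransformBlock($zero, 0, $n, $null, 0)
            $total += $n
        }
        [void]$devHash.TransformFinalBlock($buf, 0, 0)
        [void]$zeroHash.TransformFinalBlock($zero, 0, 0)
        $dev = [System.BitConverter]::ToString($devHash.Hash) -replace '-', ''
        $ref = [System.BitConverter]::ToString($zeroHash.Hash) -replace '-', ''
        New-Object PSObject -Property @{
            Path = $Path; Bytes = $total; SHA1 = $dev; ZeroSHA1 = $ref; Sterile = ($dev -eq $ref)
        } | Select-Object Path, Bytes, SHA1, ZeroSHA1, Sterile
    }
    finally { $fs.Close() }
}

function Get-EvidenceHash {
    # MD5 and SHA1 of one file in a single pass: the same pair FCIV records with -both.
    param([Parameter(Mandatory = $true)][string]$Path)
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $buf  = New-Object byte[] 4MB
    $fs   = [System.IO.File]::OpenRead($Path)
    try {
        while (($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) {
            [void]$md5.TransformBlock($buf, 0, $n, $null, 0)
            [void]$sha1.TransformBlock($buf, 0, $n, $null, 0)
        }
        [void]$md5.TransformFinalBlock($buf, 0, 0)
        [void]$sha1.TransformFinalBlock($buf, 0, 0)
        New-Object PSObject -Property @{
            Path = $Path
            Size = $fs.Length
            MD5  = ([System.BitConverter]::ToString($md5.Hash)  -replace '-', '')
            SHA1 = ([System.BitConverter]::ToString($sha1.Hash) -replace '-', '')
        } | Select-Object Path, Size, MD5, SHA1
    }
    finally { $fs.Close() }
}

# 1. Before the drive receives any evidence: every sector must read as zero.
Test-ForensicallySterile -Path '\\.\PhysicalDrive2' | Format-List

# 2. After acquisition: record hashes of everything on the evidence volume so that a
#    later re-hash proves the data did not change while in your custody.
Get-ChildItem -Path 'E:\Evidence' -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Get-EvidenceHash -Path $_.FullName } |
    Export-Csv -Path 'E:\Evidence-manifest.csv' -NoTypeInformation
```

The two-hasher approach runs at native speed on large drives, where a byte-by-byte loop in PowerShell would take days. The manifest step is what FCIV does with fciv -add E:\Evidence -r -both -xml manifest.xml, which you can later check with fciv -v -both -xml manifest.xml; keep the manifest, or at least its hash, with the chain of custody log rather than only on the evidence volume.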

Worksheets and Samples

 

The following table provides a list of worksheets and samples you can use during your computer investigation. Some of these resources are available as separate Word documents, and are included in the Microsoft Download Center file from which you extracted this guide. Others are available through a link to the Web site of the National Institute of Justice.

Table A.1. Worksheets and Samples

Available from the Fundamental Computer Investigation Guide for Windows on the Microsoft Download Center:

  • Worksheet – Chain of Custody Log Documentation.doc
  • Worksheet – Impact Analysis.doc
  • Sample – Internal Investigation Report.doc

Available in Appendix C, Sample Worksheets, of Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice:

  • Computer Evidence
  • Hard Drive Evidence
  • Removable Media

Reporting Computer-Related Crimes

Note   Much of the information in this section is from the Reporting Computer, Internet-Related, or Intellectual Property Crime page in the Computer Crime & Intellectual Property Section of the United States Department of Justice Web site.

You should first consult with your legal advisors to determine whether it is necessary to report specific computer-related crimes to appropriate authorities at the local, state, federal, or international level, depending on the scope of the crime. Most likely, your local or state authorities would be the first ones to contact. If it is a computer-related federal crime, then you might need to report the crime to local offices of federal law enforcement. As noted earlier, this guidance is only intended for use in the United States.

United States law enforcement agencies that investigate Internet-related crime include the following:

These agencies have offices throughout the United States, and contact information is available in local telephone directories or through Internet searches. Generally, federal crimes can be reported by telephoning the local office of an appropriate law enforcement agency and requesting the Duty Complaint Agent. If the organization has joined the Electronic Crimes Task Force (ECTF), InfraGard, or the International High Technology Crime Investigation Association (HTCIA), then the appropriate contact person may already be known. Contacting someone who is known and knows your organization simplifies the reporting process.

Many agencies have trained agents who specialize in computer hacker cases.

Local Law Enforcement Agencies

In some situations, the best choice is to contact a local law enforcement agency. Such agencies or high technology crimes task forces might have trained personnel who can investigate an incident. Agencies that have trained personnel include the REACT Task Force, which serves the San Francisco Bay area, the CATCH Team, which serves the San Diego region, and other police agencies.

Information in the following table can help you determine which federal agency to contact for certain types of crime.

Table A.2. Law Enforcement Agencies for Different Types of Crime

Each entry lists the type of crime, followed by the appropriate agencies.

  • Child exploitation and Internet fraud matters that have a mail nexus: U.S. Postal Inspection Service; Internet Crime Complaint Center.
  • Child pornography or exploitation: local police agency; your local FBI office; if imported, U.S. Immigration and Customs Enforcement; Internet Crime Complaint Center.
  • Computer intrusion (hacking): your local FBI office; United States Secret Service; Internet Crime Complaint Center; local high technology crimes task force or police agency.
  • Copyright (software, movie, sound recording) piracy: your local FBI office; if imported, U.S. Immigration and Customs Enforcement; Internet Crime Complaint Center; local high technology crimes task force or police agency.
  • Counterfeiting of currency: United States Secret Service.
  • Identity theft or theft of customer data: your local FBI office; United States Secret Service (Financial Crimes Division); FTC Consumer Complaint Form; Internet Crime Complaint Center; local high technology crimes task force or police agency.
  • Internet bomb threats: your local FBI office; local ATF field division office; local high technology crimes task force or police agency.
  • Internet fraud and SPAM: your local FBI office; United States Secret Service (Financial Crimes Division); FTC Consumer Complaint Form; if securities fraud or investment-related SPAM e-mail, SEC Center for Complaints and Informant Tips; Internet Crime Complaint Center; local high technology crimes task force or police agency.
  • Internet harassment: your local FBI office; local high technology crimes task force or police agency.
  • Password trafficking: your local FBI office; United States Secret Service; Internet Crime Complaint Center; local high technology crimes task force or police agency.
  • Theft of trade secrets: your local FBI office; local high technology crimes task force or police agency.
  • Trademark counterfeiting: your local FBI office; if imported, U.S. Immigration and Customs Enforcement; Internet Crime Complaint Center; local high technology crimes task force or police agency.
  • Trafficking in explosive or incendiary devices or firearms over the Internet: your local FBI office; local ATF field division office.

Training

Have at least some incident response team members attend formal computer investigation training. Without relevant training, it is unlikely that the team will be effective in the investigation. In fact, unskilled examiners could negatively affect the investigation by accidentally destroying volatile evidence.

For a list of nonprofit agencies, organizations, Federal law enforcement agencies, and academic institutions that provide computer forensic training, see "Appendix G. Training Resources List" in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.

Tools

Every investigation will likely be different. The tools you use should be appropriate for obtaining the information you seek, but it is always a good idea to gather more evidence than you might need.

This section provides information about the Windows Sysinternals tools and other Windows tools that can help you conduct an internal computer investigation. Tool types are represented by icons in the first column of the following table:

Table A.3. Tool Types

Icon
Description

This icon represents a command-line tool.

This icon represents a tool with a GUI interface that requires installation and alters the target drive.

The following tables provide information about numerous tools that you can use in computer investigations.

Windows Sysinternals Tools

Table A.4. Windows Sysinternals Tools Information

  • AccessChk v2.0: Display the access that a user or group you specify has to files, registry keys, or Windows services.
  • AccessEnum v1.3: Display who has access to which directories, files, and registry keys on a computer. Use it to find places where permissions aren’t properly applied.
  • Autoruns v8.53: Display programs that are configured to start automatically when a computer boots and a user logs in (also displays the full list of registry and file locations where applications can configure auto-start settings).
  • Autorunsc v8.53: The command-line version of Autoruns.
  • Diskmon: Capture all hard disk activity. Acts like a software disk activity light in your system tray.
  • DiskView: Graphical disk sector utility; disk viewer.
  • Du v1.3: Display disk usage by directory.
  • Filemon v7.03: Display all file system activity in real time.
  • Handle v3.2: Display open files and the process that opened each of them.
  • ListDLLs v2.25: Display all DLLs currently loaded, with the full path and version number of each loaded module.
  • LogonSessions v1.1: List active logon sessions.
  • PendMoves v1.1: Display file rename and delete operations that are scheduled to execute the next time the computer starts.
  • Portmon v3.02: Display serial and parallel port activity (also shows a portion of the data being sent and received).
  • Process Explorer v10.2: Display the files, registry keys, and other objects that processes have open, the DLLs they have loaded, the owners of processes, and more.
  • PsExec v1.72: Execute processes remotely.
  • PsFile v1.01: Display files on the computer that have been opened remotely.
  • PsInfo v1.71: Display information about a computer.
  • PsList v1.27: Display information about processes and threads.
  • PsLoggedOn v1.32: Display users logged on to a computer.
  • PsLogList v2.63: Dump event log records.
  • PsService v2.2: View and control services.
  • Regmon v7.03: Display all registry activity in real time.
  • RootkitRevealer: Scan for rootkit-based malware.
  • ShareEnum v1.6: Scan file shares on a network and view their security settings to find and eliminate improperly applied settings.
  • Streams v1.53: Reveal NTFS alternate data streams.
  • Strings v2.3: Search for ANSI and Unicode strings in binary images.
  • TCPVcon v2.34: Display active sockets (the command-line counterpart of TCPView).
  • TCPView v2.4: Display all open TCP and UDP endpoints and the name of the process that owns each endpoint.
  • TDIMon v1.01: Monitor TCP and UDP activity at the Transport Driver Interface (TDI) layer.
  • Tokenmon v1.01: Display security-related activity, including logon, logoff, privilege usage, and impersonation.

Windows Tools

Table A.5. Windows Tools Information

  • Arp: Display the Address Resolution Protocol (ARP) cache, that is, the IP-to-MAC address mappings the computer currently holds.
  • Date: Display the current date setting.
  • Dir: Display a list of files and subdirectories.
  • Doskey: Display the command history of an open CMD.EXE shell (doskey /history).
  • Ipconfig: Display the TCP/IP configuration of the local computer.
  • Net: View or change network settings, shares, sessions, and connections.
  • Netstat: Display protocol statistics and current connection information.
  • Time: Display the current time setting.
  • Find: Search one or more files for a string.
  • Schtasks: Display scheduled tasks.
  • Systeminfo: Provide general information about the computer.
  • Vol: Display the disk volume label and serial number, if they exist.
  • Hostname: Display the host name portion of the full computer name.
  • Openfiles: Query, display, or disconnect open files, including files opened by network users.
  • FCIV: File Checksum Integrity Verifier. Compute an MD5 or SHA-1 cryptographic hash of the content of a file.
  • Notepad: Use to examine metadata associated with a file.
  • Reg: View, modify, export, save, or delete registry keys, values, and hives.
  • Netcap: Gather network trace information from the command line.
  • Sc: Communicate with the Service Controller and services (sc query is useful for dumping all services and their states).
  • Assoc: View or modify file name extension associations.
  • Ftype: View or modify the file types used in file name extension associations.
  • Gpresult: Display the resultant set of policy from the command line.
  • Tasklist: List running processes and the modules they have loaded.
  • MBSA: Microsoft Baseline Security Analyzer. Determine security update status and common security misconfigurations.
  • Rsop.msc: Show the resultant set of policy (MMC snap-in).
  • Rasdiag: Collect diagnostic information about remote access services and place that information in a file.
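A collection script that puts the tools in Tables A.4 and A.5 to use in the order a live-response examiner would run them, most volatile first, as an added example that is not part of the Microsoft guide. It assumes the Sysinternals executables are in $ToolDir on the examiner’s media (a path without spaces), that $EvidenceRoot is on examiner-owned media and never on the target’s own disk, and that PowerShell 4.0 or later is available for Get-FileHash; the E:\ paths and the case identifier are placeholders.

```powershell
# Added example (not from the Microsoft guide): collect volatile state from a live
# Windows host with the tools in Tables A.4 and A.5, most volatile first, writing each
# tool's output to the examiner's media and recording MD5/SHA1 hashes of those outputs.
# Assumptions: tools in $ToolDir (no spaces in the path), output on examiner media,
# PowerShell 4.0+ for Get-FileHash. All paths and the case ID are placeholders.
param(
    [string]$ToolDir      = 'E:\Toolkit',    # placeholder path on the examiner's media
    [string]$EvidenceRoot = 'E:\Evidence',   # placeholder path on the examiner's media
    [string]$CaseId       = 'CASE-0000'      # placeholder case identifier
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $EvidenceRoot "$($CaseId)-$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$log = Join-Path $outDir '00-collection-log.txt'
"Case $CaseId, host $($env:COMPUTERNAME), examiner $($env:USERNAME), started $(Get-Date -Format o)" |
    Out-File -FilePath $log -Encoding ASCII

# Ordered by volatility: clock and network state, logon sessions, processes with their
# DLLs and handles, then services, auto-starts, scheduled tasks, system info, event logs.
# -accepteula suppresses the Sysinternals licence dialog so no step waits for a click.
# Windows built-ins (netstat, arp, tasklist, ...) run from the target's own System32 and
# could have been tampered with; prefer known-good copies in $ToolDir where you have them.
$steps = @(
    @{ Name = '01-date-time';     Cmd = 'date /t & time /t' },
    @{ Name = '02-netstat';       Cmd = 'netstat -ano' },
    @{ Name = '03-tcpvcon';       Cmd = "$ToolDir\tcpvcon.exe -accepteula -a -n" },
    @{ Name = '04-arp';           Cmd = 'arp -a' },
    @{ Name = '05-ipconfig';      Cmd = 'ipconfig /all' },
    @{ Name = '06-logonsessions'; Cmd = "$ToolDir\logonsessions.exe -accepteula -p" },
    @{ Name = '07-psloggedon';    Cmd = "$ToolDir\psloggedon.exe -accepteula" },
    @{ Name = '08-pslist';        Cmd = "$ToolDir\pslist.exe -accepteula -t" },
    @{ Name = '09-tasklist';      Cmd = 'tasklist /v & tasklist /svc' },
    @{ Name = '10-listdlls';      Cmd = "$ToolDir\listdlls.exe -accepteula" },
    @{ Name = '11-handle';        Cmd = "$ToolDir\handle.exe -accepteula -a" },
    @{ Name = '12-psfile';        Cmd = "$ToolDir\psfile.exe -accepteula" },
    @{ Name = '13-net';           Cmd = 'net session & net use & net share' },
    @{ Name = '14-psservice';     Cmd = "$ToolDir\psservice.exe -accepteula" },
    @{ Name = '15-autorunsc';     Cmd = "$ToolDir\autorunsc.exe -accepteula -a" },   # v8.x syntax; newer builds expect "-a *"
    @{ Name = '16-pendmoves';     Cmd = "$ToolDir\pendmoves.exe -accepteula" },
    @{ Name = '17-schtasks';      Cmd = 'schtasks /query /v /fo list' },
    @{ Name = '18-psinfo';        Cmd = "$ToolDir\psinfo.exe -accepteula -h -s" },
    @{ Name = '19-systeminfo';    Cmd = 'systeminfo' },
    @{ Name = '20-eventlog-sec';  Cmd = "$ToolDir\psloglist.exe -accepteula -s security" },
    @{ Name = '21-eventlog-sys';  Cmd = "$ToolDir\psloglist.exe -accepteula -s system" }
)

foreach ($step in $steps) {
    $file = Join-Path $outDir ($step.Name + '.txt')
    # cmd.exe /c runs the line exactly as it would be typed; 2>&1 keeps tool errors in the record.
    & cmd.exe /c "$($step.Cmd) 2>&1" | Out-File -FilePath $file -Encoding UTF8
    $md5  = (Get-FileHash -Path $file -Algorithm MD5).Hash
    $sha1 = (Get-FileHash -Path $file -Algorithm SHA1).Hash
    "$(Get-Date -Format o)`t$($step.Name).txt`tMD5=$md5`tSHA1=$sha1`tcmd: $($step.Cmd)" |
        Out-File -FilePath $log -Append -Encoding ASCII
}

"Finished $(Get-Date -Format o)" | Out-File -FilePath $log -Append -Encoding ASCII
# Hash the log itself last and copy the value into the chain of custody worksheet (Table A.1).
Get-FileHash -Path $log -Algorithm SHA1 | Format-List Path, Hash
```

Every tool you run on a live system creates a process, a prefetch entry, and possibly event log records, so the log records the exact command lines and times; that record is what lets you explain those artifacts later. The same hashes can be produced with the toolkit’s FCIV (fciv -add <output directory> -r -both -xml manifest.xml) if the examiner’s shell predates Get-FileHash.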

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
