Published: January 11, 2007
This appendix provides information about various resources that you can use to conduct a computer investigation.
Preparing Your Organization for a Computer Investigation
To prepare your organization for an internal computer investigation, you should assemble a readily available computer investigation toolkit that includes software and devices you can use to acquire evidence. Such a toolkit might contain a laptop computer with appropriate software tools, different operating systems and patches, application media, backup devices, blank media, basic networking equipment, and cables. Preparing this toolkit can be an ongoing task as you find the need for various tools and resources, depending upon the investigations you need to conduct.
Use the following guidelines when building and using a computer investigation toolkit:
- Decide which tools you plan to use before you start the investigation. In addition to the Microsoft® Windows® Sysinternals and other Windows tools discussed in this document, the toolkit will typically include dedicated computer forensics software, such as Encase by Guidance Software, The Forensic Toolkit (FTK) by AccessData, or ProDiscover by Technology Pathways.
- Ensure that you archive and preserve the tools. You might need a backup copy of the computer investigation tools and software that you use in the investigation to prove how you collected and analyzed data.
- List each operating system that you will likely examine, and ensure you have the necessary tools for examining each of them. For example, you can use Windows Sysinternals tools (described later in this appendix) such as PsInfo, PsLogList, and ProcessExplorer to examine computers that run Windows XP and Windows Server® 2003.
- Include a tool to collect and analyze metadata.
- Include a tool for creating bit-to-bit and logical copies.
- Include tools to collect and examine volatile data, such as the system state. Some examples from Windows Sysinternals include ListDLLs, LogonSessions, PendMoves, Autoruns, and ProcessExplorer. Windows tools include Systeminfo, Ipconfig, Netstat, and Arp.
- Include a tool to generate checksums and digital signatures on files and other data, such as the File Checksum Integrity Validator (FCIV) tool. This tool is available through Microsoft Knowledge Base article 841290, Availability and description of the File Checksum Integrity Verifier utility.
- If you need to collect physical evidence, include a digital camera in the toolkit.
In addition, ensure that your toolkit meets the following criteria:
- Data acquisition tools are shown to be accurate. Proving accuracy is generally easier if you use well-known computer forensics software.
- The tools do not modify the access time of files.
- The examiner's storage device is forensically sterile, which means the disk drive does not contain any data, before it is used. You can determine whether a storage device is forensically sterile by running a checksum on the device. If the checksum returns all zeros, it does not contain any data.
- The examiner's hardware and tools are used only for the computer investigation process and not other tasks.
Worksheets and Samples
The following table provides a list of worksheets and samples you can use during your computer investigation. Some of these resources are available as separate Word documents, and are included in the Microsoft Download Center file from which you extracted this guide. Others are available through a link to the Web site of the National Institute of Justice.
Table A.1. Worksheets and Samples
.gif) Note Much of the information in this section is from the Reporting Computer, Internet-Related, or Intellectual Property Crime page in the Computer Crime & Intellectual Property Section of the United States Department of Justice Web site.
You should first consult with your legal advisors to determine whether it is necessary to report specific computer-related crimes to appropriate authorities at the local, state, federal, or international level, depending on the scope of the crime. Most likely, your local or state authorities would be the first ones to contact. If it is a computer-related federal crime, then you might need to report the crime to local offices of federal law enforcement. As noted earlier, this guidance is only intended for use in the United States.
United States law enforcement agencies that investigate Internet-related crime include the following:
These agencies have offices throughout the United States, and contact information is available in local telephone directories or through Internet searches. Generally, federal crimes can be reported by telephoning the local office of an appropriate law enforcement agency and requesting the Duty Complaint Agent. If the organization has joined the Electronic Crimes Task Force (ECTF), InfraGard, or the International High Technology Crime Investigation Association (HTCIA), then the appropriate contact person may already be known. Contacting someone who is known and knows your organization simplifies the reporting process.
Many agencies have trained agents who specialize in computer hacker cases.
Local Law Enforcement Agencies
In some situations, the best choice is to contact a local law enforcement agency. Such agencies or high technology crimes task forces might have trained personnel who can investigate an incident. Agencies that have trained personnel include the REACT Task Force, which serves the San Francisco Bay area, the CATCH Team, which serves the San Diego region, and other police agencies.
Information in the following table can help you determine which federal agency to contact for certain types of crime.
Table A.2. Law Enforcement Agencies for Different Types of Crime
Training
Have at least some incident response team members attend formal computer investigation training. Without relevant training, it is unlikely that the team will be effective in the investigation. In fact, unskilled examiners could negatively affect the investigation by accidentally destroying volatile evidence.
For a list of nonprofit agencies, organizations, Federal law enforcement agencies, and academic institutions that provide computer forensic training, see "Appendix G. Training Resources List" in Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice, an agency of the U.S. Department of Justice.
Every investigation will likely be different. The tools you use should be appropriate for obtaining the information you seek, but it is always a good idea to gather more evidence than you might need.
This section provides information about the Windows Sysinternals tools and other Windows tools that can help you conduct an internal computer investigation. Tool types are represented by icons in the first column of the following table:
Table A.3. Tool Types
.gif)
|
This icon represents a command-line tool. |
.gif)
|
This icon represents a tool with a GUI interface that requires installation and alters the target drive. |
The following tables provide information about numerous tools that you can use in computer investigations.
Table A.4. Windows Sysinternals Tools Information
|
AccessChk v2.0 |
Display access to files, registry keys, or Windows services by the user or group you specify. |
|
AccessEnum v1.3 |
Display who has access to which directories, files, and registry keys on a computer. Use it to find places where permissions aren't properly applied. |
|
Autoruns v8.53 |
Display programs that are configured to start up automatically when a computer boots and a user logs in (also displays the full list of registry and file locations where applications can configure auto-start settings). |
|
Autorunsc v8.53 |
The command-line version of the Autoruns program (described in the previous entry). |
|
Diskmon |
Capture all hard disk activity. Acts like a software disk activity light in your system tray. |
|
DiskView |
Graphical disk sector utility; disk viewer. |
|
Du v1.3 |
Display disk usage by directory. |
|
Filemon v7.03 |
Display all file system activity in real-time. |
|
Handle v3.2 |
Display open files and the process that opened those files. |
|
ListDLLs v2.25 |
Display all the DLLs that are currently loaded, including where they are loaded and their version numbers (prints the full path names of loaded modules). |
|
LogonSessions v1.1 |
List active logon sessions |
|
PendMoves v1.1 |
Display file rename and delete commands that will be executed the next time the computer is started. |
|
Portmon v3.02 |
Display serial and parallel port activity (will also show a portion of the data being sent and received). |
|
Process Explorer v10.2 |
Display files, registry keys, and other objects that processes have open, which DLLs they have loaded, owners of processes, etc. |
|
PsExec v1.72 |
Execute processes remotely. |
|
PsFile v1.01 |
Display open files. |
|
PsInfo v1.71 |
Display information about a computer. |
|
PsList v1.27 |
Display information about processes and threads. |
|
PsLoggedOn v1.32 |
Display users logged on to a computer. |
|
PsLogList v2.63 |
Dump event log records. |
|
PsService v2.2 |
View and control services. |
|
Regmon v7.03 |
Display all registry activity in real time. |
|
RootkitRevealer |
Scan for rootkit–based malware. |
|
ShareEnum v1.6 |
Scan file shares on a network and view their security settings to eliminate improperly applied settings. |
|
Streams v1.53 |
Reveal NTFS alternate data streams. |
|
Strings v2.3 |
Search for ANSI and UNICODE strings in binary images. |
|
TCPVcon v2.34 |
Display active sockets. |
|
TCPView v2.4 |
Display all open TCP and UDP endpoints and the name of the process that owns each endpoint. |
|
TDIMon v1.01 |
Display TCP/IP information. |
|
Tokenmon v1.01 |
Display security-related activity, including logon, logoff, privilege usage, and impersonation. |
Table A.5. Windows Tools Information
|
Arp |
Display Address Resolution Protocol (ARP) tables. |
|
Date |
Display current date setting. |
|
Dir |
Display a list of files and subdirectories. |
|
Doskey |
Display command history for an open CMD.EXE shell. |
|
Ipconfig |
Display local computer configuration. |
|
Net |
Update, fix, or view the network or network settings. |
|
Netstat |
Display protocol statistics and current connection information. |
|
Time |
Display current time setting. |
|
Find |
Search file(s) to find a string. |
|
Schtasks |
Display scheduled tasks. |
|
Systeminfo |
Provide general information about the computer. |
|
Vol |
Display the disk volume label and serial number, if they exist. |
|
Hostname |
Display the host name portion of the full computer name of the computer. |
|
Openfiles |
Query, display, or disconnect open files or files opened by network users. |
|
FCIV |
File Checksum Integrity Verifier. Use to compute a MD5 or SHA1 cryptographic hash of the content of a file. |
|
Notepad |
Use to examine metadata associated with a file. |
|
Reg |
Use to view, modify, export, save or delete, registry keys, values, and hives. |
|
Netcap |
Gather network trace information from the command line. |
|
Sc |
Use to communicate with the Service Controller and services. (Sc query is useful for dumping all services and their states.) |
|
Assoc |
View or modify file name extension associations. |
|
Ftype |
View or modify file types used in file name extension associations. |
|
Gpresult |
Determine resulting set of policies. |
|
Tasklist |
List running processes and loaded modules. |
|
MBSA |
Determine security patch status and other known vulnerabilities. |
|
Rsop.msc |
Show resulting set of policies. |
|
Rasdiag |
Collect diagnostic information about remote services and place that information in a file. |
|
|
.jpg)