Computer Forensics - 2

This document provides an overview of a capstone information security project on Windows live response for computer forensics. The project involves collecting forensically sound evidence from a live system using tools like Helix, netcat and cryptcat without removing the system. It summarizes the initial steps of taking screenshots, recording timestamps, and acquiring volatile data like physical memory and open network connections in order of volatility.

Uploaded by

Jeevi Jeevi
CAPSTONE INFORMATION SECURITY PROJECT

GROUP 16
HARINDER SINGH CHOHAN
PRIYADHARSHAN TAMIL ARASU
RAGHAV MAHAJAN
COMPUTER FORENSICS
WINDOWS LIVE RESPONSE
Project proposal:

ABSTRACT

Windows live response is a technique for collecting and analyzing forensically sound evidence from a system that is still running. Sometimes the victim cannot afford to remove the system, or the only evidence of the incident may currently be in memory. Either way, a standard forensic duplication is impossible. This chapter will address a technique for collecting and analyzing forensically sound evidence from what is known as the Live Incident Response Process.

What we do?

Initially, the security analyst photographs the computer screen, records the current system time and notes it against an accurate time source.

Begin data acquisition in order of volatility (OOV):

• Physical memory, open files, open network connections, swap space
• Encrypted file systems where you do not have the key to unlock them
• Temporary file systems

Record the current system time a second time, then compute a message digest of the gathered evidence using the tools Helix, netcat and cryptcat.


INTRODUCTION:

Computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues. It is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

USES OF COMPUTER FORENSICS:

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.

Computers may constitute a ‘scene of a crime’, for example with hacking or denial of service attacks, or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking.

It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘metadata’ associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:

* Intellectual Property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Forgeries
* Bankruptcy investigations
* Inappropriate email and internet use in the work place
* Regulatory compliance

GUIDELINES

For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of a computer forensic investigation admissibility should be at the forefront of the examiner’s mind.

A widely used and respected set of guidelines which can guide the investigator in this area is the Association of Chief Police Officers Good Practice Guide for Digital Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics.

The four main principles from this guide (with references to law enforcement removed) are as follows:

1. No action should change data held on a computer or storage media which may be subsequently relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

FORENSIC PROCESS

Computer forensic investigations usually follow the standard digital forensic process or phases: acquisition, examination, analysis and reporting. Investigations are performed on static data (i.e. acquired images) rather than "live" systems. This is a change from early forensic practices where a lack of specialist tools led to investigators commonly working on live data.


TECHNIQUES

A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular. See, e.g., "Defending Child Pornography Cases".

CROSS-DRIVE ANALYSIS

A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

LIVE ANALYSIS

The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

DELETED FILES

A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

STOCHASTIC FORENSICS

A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data theft.

STEGANOGRAPHY

One of the techniques used to hide data is via steganography, the process of hiding data inside of a picture or digital image. An example would be to hide pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.
VOLATILE DATA

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, WinDD, WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.

However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features such as NTFS and ReiserFS keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.

DIGITAL INVESTIGATION:

It covers a broad array of subjects related to crime and security throughout the computerized world. The primary pillar of this publication is digital evidence, with the core qualities of provenance, integrity, and authenticity. This widely referenced publication promotes innovations and advances in utilizing digital evidence for legal purposes, including criminal justice, incident response, cyber-risk management, civil and regulatory matters, and privacy protection. Relevant research areas include forensic science, computer science, data science, artificial intelligence, and smart technology. This journal is used by investigative agencies and forensic laboratories, computer security teams, practitioners, researchers, developers, and lawyers from industry, law enforcement, government, academia, and the military to share their knowledge and experiences, including current challenges and lessons learned in the following areas:

RESEARCH AND DEVELOPMENT:

Novel research and development in forensic science, computer science, data science, and artificial intelligence applied to digital evidence and multimedia. New methods to deal with challenges in digital investigations, including applied research into analyzing digital evidence and multimedia, exploiting specific technologies, and into preparing for and responding to computer security incidents.

CYBER-RISK MANAGEMENT:

Improved ways of using digital evidence to address security breaches involving information systems, and to perform cyber threat intelligence. The techniques and findings of digital investigations are essential in drawing post-incident conclusions, which are vital feedback components of the security policy development process.

PRACTITIONER REPORTS:

Investigative case studies and reports describing how practitioners are dealing with emerging opportunities and challenges in cybercrime and computer security, including improved methods for conducting effective digital investigations, performing forensic analysis, responding to IT security incidents, and handling and utilizing digital evidence.

SCIENTIFIC PRACTICES:

Novel approaches to strengthening the scientific foundation and rigor of digital investigations, and to increasing the reliability of and confidence in processes, analysis methods, results, and conclusions involving digital evidence.

EFFECTIVE PRACTICES:

Studies that assess new practices in digital investigations and propose effective approaches to handling and processing digital evidence.

SURVEY PAPERS:

Discussion of current methods and future needs relevant to digital investigations, including analyzing digital evidence and multimedia from computers, smart technology, mobile phones, memory, malware, network traffic, as well as systems that support enterprises, telecommunications, and satellites. In addition, advanced approaches to analyzing digital evidence and multimedia, including novel applications of artificial intelligence and data analytics.

TOOL REVIEWS:

Evaluation and comparison of specialized software and hardware used to preserve, survey, examine, analyze or present digital evidence and multimedia, deepening our understanding of specific tools and highlighting any needed enhancements.

FUTURE CHALLENGES:

Analysis of new technologies, vulnerabilities, and exploits which may create opportunities for criminality and/or computer security incidents, but which require further work in order to determine how their use can be investigated and the evidential opportunities they may create.

REGISTERED REPORTS:

Studies that assess methods critically and evaluate the reliability, statistical power, and reproducibility of results. Such reports can include tests and experiments with negative results, not just positive.

LEGAL ANALYSIS AND UPDATES:

Carefully considered commentary by legal experts on recent cases involving digital evidence, forensic applications and computer security risk management, relevant legal developments, privacy issues, and legislative limitations.


Table of contents

CHAPTER NO. TITLE
ABSTRACT
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS
1. INTRODUCTION
1.1 COMPUTER FORENSICS
1.2 WINDOWS LIVE RESPONSE
1.3 PROJECT PROPOSAL
1.4 ABSTRACT
1.5 USES OF COMPUTER FORENSICS
1.6 GUIDELINES
2. FORENSICS PROCESS
2.1 TECHNIQUES
2.2 CROSS DRIVE ANALYSIS
2.3 LIVE ANALYSIS
2.4 DELETED FILES
2.5 STOCHASTIC FORENSICS
2.6 STEGANOGRAPHY
2.7 VOLATILE DATA
3. DIGITAL INVESTIGATION
4. WINDOWS LIVE RESPONSE
4.1 ANALYZING VOLATILE DATA
5. RESEARCH AND DEVELOPMENT
6. CYBER-RISK MANAGEMENT
7. PRACTITIONER REPORTS
PRACTICES
7.1 SCIENTIFIC PRACTICES
7.2 EFFECTIVE PRACTICES
7.3 SURVEY PAPERS
7.4 TOOLS REVIEWS
7.5 FUTURE CHALLENGES
7.6 REGISTERED REPORTS
7.7 LEGAL ANALYSIS AND UPDATES
8. NETCAT IN OS WINDOWS
LISTENING THE PORT
CONNECTING OF IP ADDRESS
TCP/UDP PORT LISTENING
MD5CHECKSUM
FPORT TOOLS
NETBIOS NAME TABLES
USER LOG FILES
INTERNAL ROUTING TABLE
RUNNING SERVICES
SCHEDULED JOBS
REGISTRY DATA
SUSPICIOUS FILES
WINDOWS LIVE RESPONSE:

INTRODUCTION:

• An attack has taken place!
• You, the investigator, have just arrived on the scene. It is expected that the attacker uses encrypted disk volumes.
• In any case, the machine contains memory-resident information that will be lost after a power cycle.

There are many situations in which a forensic duplication cannot be retrieved or acquired:

• Proper backups should be taken regularly.
• Swapping in the backup system is costly and time-consuming.
• The data currently in memory is the only evidence available.
• It is hard to afford the disruption to service.
• The victim may not intend to litigate, only to gather information.

A live response collects all the relevant data that will be used to confirm whether an incident occurred.

VOLATILE AND NON-VOLATILE DATA:

The data retrieved during the live response consists of two main subsets:

• Volatile and non-volatile data

A live response process collects information such as:

➢ Volatile data
• Current network connections
• Running processes
• Open files
➢ Non-volatile data
• System event logs, exported in an easily readable format instead of the default raw binary format.
o The live response data is collected by running a series of commands.
o Under normal circumstances, the output would be sent to the console.
o The data must be saved for further analysis, so it must be transmitted to your forensic workstation to avoid overwriting evidence on the device.

The live response data is collected by running a series of commands; each command produces data that under normal circumstances would be sent to the console.

Netcat and Cryptcat:

• Cryptcat is a variant of Netcat, the “swiss army knife” of networking.
• It offers secrecy and authentication by encrypting all data sent across the TCP channel.
• It uses the same command-line switches as Netcat.
• The password used by the encryption algorithm is chosen with the -k command-line flag.
• The same password must be used on both sides of the connection for this process to work.
Lab Architecture: WINDOWS LIVE RESPONSE

(Diagram of the data collected during Windows live response. Netcat on Windows: listening on the port; connecting to the IP address; TCP/UDP port listening; MD5 checksum. Items collected: current network connections; NetBIOS name tables; users' log files; internal routing table; running processes; running services; scheduled jobs; process memory dumps; full system memory dumps; date stamps; registry data; suspicious files.)
LOCAL LAB BUILT: PERFORMING THE FORENSICS ON WINDOWS 7 IN VMWARE:

➢ Forensic analysis with Windows 7 and Kali Linux.
➢ Netcat server (the “swiss army knife”) on our forensic workstation:
➢ nc -v -l -p 2222 > command.txt
➢ command | nc forensic_workstation_ip_address 2222

• Among Ncat’s vast number of features there is the ability to chain Ncats together, redirect both TCP and UDP ports to other sites, SSL support, and proxy connections via SOCKS4 or HTTP (CONNECT method) proxies (with optional proxy authentication as well). Some general principles apply to most applications and thus give you the capability of instantly adding networking support to software that would normally never support it.
• Ncat is integrated with Nmap and is available in the standard Nmap download packages (including source code and Linux, Windows, and Mac binaries) available from the Nmap download page. You can also find it in our SVN source code repository.

✓ Netcat is installed on Windows 7:
✓ dir | nc 192.168.179.143 2222

The system date and time

• Current network connections
• Open TCP or UDP ports
• Which executables are opening TCP or UDP ports
• Cached NetBIOS name table
• Users currently logged on
• In the netcat command, "-v" tells Netcat to be verbose, meaning that it will print out more details about what is going on. The "-l" tells Netcat to listen for connections. The "-p" tells Netcat which port to listen for connections on (it is best to use a port above 1024, in order to avoid conflicting with "well-known" ports that may already be in use by your system). The ">" tells the shell to redirect any of the information that Netcat receives to the specified file (we usually give it the name of the command that we are about to run on the victim machine).
➢ In this screenshot we are displaying the directory listing with the cat dir.txt command, as can be seen in the screenshot itself.
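The workstation side of this procedure (receive each command's output into a file named after the command, bracket the collection with two timestamps, and compute message digests of everything gathered, as described in the "What we do?" section and in the netcat listener description above) can be written down as a small script. The following is an added example and is not code from this report or from the Helix, netcat or cryptcat projects; the captures it writes are constructed sample bytes standing in for what the listener would have received, the case identifier is a placeholder, and it computes both MD5 (the digest the report uses) and SHA-256 so a later verification can detect any change to the evidence files:

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: bytes standing in for the output the netcat listener on
# the forensic workstation would have written to <command>.txt. They are made
# up for this example, not real captures from a victim machine.
SAMPLE_CAPTURES = {
    "date_time":  b"The current date is: Tue 01/04/2022\r\n"
                  b"The current time is: 21:15:03.44\r\n",
    "netstat_an": b"  TCP    0.0.0.0:60906          0.0.0.0:0              LISTENING\r\n",
    "abc":        b"abc",   # input with a well-known digest, so the result is checkable
}


def digest_file(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(captures, evidence_dir, case_id="CASE-ID-PLACEHOLDER"):
    """Write each capture to <evidence_dir>/<command>.txt, hash it, and return a
    manifest whose two timestamps bracket the collection (the "record the
    system time twice" step). The manifest is also saved as manifest.json."""
    started = datetime.now(timezone.utc).isoformat()
    entries = []
    for name, data in captures.items():
        path = os.path.join(evidence_dir, f"{name}.txt")
        with open(path, "wb") as fh:
            fh.write(data)
        md5, sha256 = digest_file(path)
        entries.append({"command": name, "file": path, "bytes": len(data),
                        "md5": md5, "sha256": sha256})
    finished = datetime.now(timezone.utc).isoformat()
    manifest = {"case_id": case_id, "collection_started_utc": started,
                "collection_finished_utc": finished, "items": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest):
    """Re-hash every file named in the manifest and return the command names
    whose digests no longer match; an empty list means the evidence is intact."""
    altered = []
    for item in manifest["items"]:
        md5, sha256 = digest_file(item["file"])
        if md5 != item["md5"] or sha256 != item["sha256"]:
            altered.append(item["command"])
    return altered


def demo():
    """Collect into a temporary directory, confirm the manifest verifies, then
    append a byte to one file to show that verification reports the change."""
    evidence_dir = tempfile.mkdtemp(prefix="live_response_")
    manifest = build_manifest(SAMPLE_CAPTURES, evidence_dir)
    assert verify_manifest(manifest) == []
    with open(os.path.join(evidence_dir, "abc.txt"), "ab") as fh:
        fh.write(b"\n")  # simulated accidental modification of an evidence file
    return manifest, verify_manifest(manifest)


if __name__ == "__main__":
    m, altered = demo()
    print(json.dumps(m, indent=2))
    print("altered after tamper:", altered)
```

In a real collection the captures would come from the listener's output files rather than an in-memory dictionary, and the manifest would be hashed and signed itself; the point of the structure is that every item carries its digest and the collection window, which is what an independent examiner needs to repeat the verification (ACPO principle 3).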
It is entirely possible that we could be executing our live response process while the attacker is connected to the server. It could also be possible that the attacker is running a brute force mechanism against other machines on the Internet from this server. Scenarios similar to the ones we mentioned earlier would be detected if we examined the current network connections.

We view a machine’s network connections by issuing the netstat command. Specifically, we need to specify the -an flags with netstat to retrieve all of the network connections and see the raw IP addresses instead of the Fully Qualified Domain Names (FQDN):

• Netstat is a common command-line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections. The parameters used, -a and -n, list all open connections and listening ports and show the addresses numerically.

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows.

1) Start Registry Editor.
2) Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3) On the Edit menu, click Modify, and then click Decimal.
4) Type the new port number, and then click OK.
5) Quit Registry Editor.
6) Restart the computer.


➢ Here we have the output files, as text files dir.txt and ipconfig.txt.

Ultimately, we would like to know what processes the attacker executed on JBRWWW because they could contain backdoors or further the attacker's efforts into the victim's network. We can list the process table with the pslist tool from the PsTools suite distributed from http://www.sysinternals.com. Executing pslist without flags gives us the following information:

➢ In this screenshot itself we are performing the same netstat command to check the open connections.

It seems as if the attacker has not only iroffer on the system but a netcat session as well.
We cannot tell what the attacker is doing with the netcat session with only these two
lines. It could be an outbound connection, or it could be in listening mode, allowing
inbound connections free access to a command shell. When we reexamine the netstat
output shown earlier, we see that port 60,906 is actively listening. Therefore, we could
conclude through netcat and FPort that the attacker's backdoor on 60,906 is currently
listening for connections and is actively connected to a rogue IP address.

We neglected to mention the UDP ports in the previous section, for good reason. UDP is typically used less than TCP because it is a stateless protocol, so UDP ports may be unfamiliar to you. One way of determining open UDP ports is to check http://www.portsdb.org along with the analysis of a similarly configured Windows 2000 server with IIS and basic Unix services installed. Of course, that is the hard way of doing it. If you compare the executable files that open UDP ports with the legitimately opened TCP ports on JBRWWW, you will see that they are opened by similar system binaries. Of course, to truly make sure they are system binaries, we must compare the MD5 checksum of these files with a known, trusted source such as Microsoft or by comparing them to copies found on an uncompromised server.
➢ Displaying with the open connections.

When we examine the system event logs later in this chapter, we will see that Windows
(up until version 2003) stored connection specifics by NetBIOS name rather than IP
address. As an investigator, this does us no good. An attacker can easily change his
NetBIOS name to "HACKER," do damage to your system, and then change it back to the
original value. Your logs would have the word "HACKER" as the connecting machine.

Because we want to map a NetBIOS name to an IP address to throttle the nefarious individual, we can issue the nbtstat command during our live response to dump the victim system’s NetBIOS name cache. Please take note that this command will only show us the NetBIOS name table cache, not a complete history of connections. Therefore, values in this table represent connections to and from machines a relatively short time ago. When we run the following command (the -c switch instructs nbtstat to dump the cache):
➢ Continue with open connections in upcoming snapshot

➢ Showing up the open tcp and all connections.


• In this screenshot we are using the fport command; the description of fport follows.

• fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

➢ By using netstat -rn we display the routing table with the network addresses shown as numbers.
➢ netstat -b causes -i to report the total number of bytes of traffic.
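The correlation the text performs by hand (read the listening ports out of netstat -an, find the owning PID, process and path in fport, and decide which listeners are system binaries and which deserve a closer look, as with the netcat listener on port 60,906 above) can be automated once both outputs have been saved to files on the forensic workstation. The following is an added example, not code from this report or from the netstat or fport tools; the two sample outputs are constructed in the layout of those tools (addresses are RFC 5737 documentation ranges, PIDs and paths are made up), and the trusted-directory list and the rule that a path outside it is "worth review" are this example's assumptions, not a rule the report states:

```python
import re

# Constructed sample in the layout of `netstat -an` on Windows. Addresses are
# documentation ranges (RFC 5737), not real hosts.
NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:60906          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:60906       198.51.100.77:4321     ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.25:1031        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample in the layout of fport's port-to-process table.
FPORT = r"""
Pid   Process            Port  Proto Path
8     System         ->  445   TCP
8     System         ->  137   UDP
1084  inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1752  nc             ->  60906 TCP   C:\Temp\nc.exe
"""

# Assumption of this example: executables under these directories are treated
# as system binaries (their MD5s would still be checked against a trusted copy).
TRUSTED_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_netstat(text):
    """Return ({(proto, port): local_ip} for listeners, [((proto, port), peer)]
    for established connections). UDP sockets have no state; each is a listener."""
    listening, established = {}, []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local_ip, local_port, foreign, state = m.groups()
        key = (proto, int(local_port))
        if proto == "UDP" or state == "LISTENING":
            listening[key] = local_ip
        elif state == "ESTABLISHED":
            established.append((key, foreign))
    return listening, established


def parse_fport(text):
    """Return {(proto, port): {"pid", "process", "path"}} from fport output."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            owners[(proto, int(port))] = {"pid": int(pid), "process": name, "path": path}
    return owners


def is_trusted(owner):
    """System (kernel) entries carry no path in fport; anything else must live
    under a trusted system directory."""
    path = owner["path"].lower()
    if not path:
        return owner["process"] == "System"
    return path.startswith(TRUSTED_DIRS)


def review_ports(netstat_text, fport_text):
    """Join the two outputs and return the listeners an examiner should look at,
    each with its owning process and any established peers on that port."""
    listening, established = parse_netstat(netstat_text)
    owners = parse_fport(fport_text)
    findings = []
    for key in sorted(listening):
        owner = owners.get(key)
        if owner is not None and is_trusted(owner):
            continue
        findings.append({
            "proto": key[0], "port": key[1],
            "pid": owner["pid"] if owner else None,
            "process": owner["process"] if owner else None,
            "path": owner["path"] if owner else None,
            "reason": ("no owning process reported by fport" if owner is None
                       else "executable outside trusted system directories"),
            "peers": [peer for k, peer in established if k == key],
        })
    return findings


if __name__ == "__main__":
    for f in review_ports(NETSTAT_AN, FPORT):
        print(f)
```

On the constructed input the only finding is TCP 60906, owned by nc.exe from C:\Temp with an established peer, which is exactly the conclusion the text draws from reading the two listings side by side; ports 80, 445 and UDP 137 are skipped because fport attributes them to inetinfo.exe under system32 or to the System process.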
• PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if it is a trial version, the expiration date.

PSLIST:

• The default information listed includes the time the process has executed, the amount of time the process has executed in kernel and user modes, and the amount of physical memory that the OS has assigned the process.

PSLIST -m:

PSLIST -t:

• It seems that the attacker ran PSEXECSVC, which is the result of a PsExec command channel
initiated to JBRWWW. PsExec is a tool distributed from http://www.sysinternals.com that enables a valid
user to connect from one Microsoft Windows machine to another and execute a command over a
NetBIOS connection. (That could explain the connections to port 445 that we discovered in an earlier
section.) Attackers use this tool to typically run cmd.exe. Knowing that the attacker is running PsExec tells
us a lot about this intrusion. First, PsExec will only open a channel if you supply proper administrator-level
credentials. Therefore, the attacker has an administrator-level password. Second, the attacker knows one
of JBR’s passwords, and that password may work on other machines throughout JBR’s enterprise. Third,
the attacker must be running a Microsoft Windows system on his attacking machine to execute PsExec.

We also see that the attacker is running the ftp command. One of the first things attackers usually do
when they gain access to a system is to transfer their tools to the victim machine. Perhaps this process is
part of the standard hacker methodology. We also see nc, which we will find out is netcat, and iroffer, a
program we discussed previously.

The last three lines were part of our live response process, and we expected to see them. This process list will be used again when we acquire memory dumps of the rogue processes we discovered in this section.
PSLIST -4:

• The default information listed includes memory thread details.

To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started and exited. As of 2.1 it also shows the Session ID and if the process is a Wow64 process (it uses a 32-bit address space on a 64-bit kernel).

This plugin does not detect hidden or unlinked processes (but psscan can do that).

If you see processes with 0 threads, 0 handles, and/or a non-empty exit time, the process may not actually still be active. For more information, see The Missing Active in PsActiveProcessHead. Below, you'll notice regsvr32.exe has terminated even though it's still in the "active" list.

Also note the two processes System and smss.exe will not have a Session ID, because System starts before sessions are established and smss.exe is the session manager itself.
Tasklist

• Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.

1. pstree

To view the process listing in tree form, use the pstree command. This enumerates processes using the same technique as pslist, so it will also not show hidden or unlinked processes. Child processes are indicated using indentation and periods.

2. psscan

To enumerate processes using pool tag scanning (_POOL_HEADER), use the psscan command. This can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit. The downside is that rootkits can still hide by overwriting the pool tag values (though not commonly seen in the wild).

If a process has previously terminated, the Time exited field will show the exit time. If you want to investigate a hidden process (such as displaying its DLLs), then you'll need the physical offset of the _EPROCESS object, which is shown in the far left column. Almost all process-related plugins take a --OFFSET parameter so that you can work with hidden processes.
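The two checks described for pslist and psscan (a row still on the active list with 0 threads, 0 handles or an exit time is probably dead, and a process that the pool scan finds but the linked-list walk does not is either terminated or has been unlinked) can be applied mechanically to the saved output of both plugins. The following is an added example and is not code from this report or from the Volatility project; the two tables are constructed in the layout of Volatility 2's pslist and psscan output, with made-up offsets, PIDs and timestamps, and processes are matched between the tables by (PID, name) because pslist prints virtual and psscan physical offsets:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of Volatility 2's pslist output (the walk of
# PsActiveProcessHead). regsvr32.exe is still linked but has exited.
PSLIST_TEXT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-08-11 13:06:42 UTC+0000
0x8222a2b8 csrss.exe               584    368      9      326      0      0 2010-08-11 13:06:43 UTC+0000
0x820df020 explorer.exe           1464   1424     17      415      0      0 2010-08-11 13:06:55 UTC+0000
0x8211b6b8 regsvr32.exe           1820   1464      0        0      0      0 2010-08-11 13:12:01 UTC+0000 2010-08-11 13:12:02 UTC+0000
"""

# Constructed sample in the layout of psscan (pool-tag scan): the same
# processes at physical offsets, plus two _EPROCESS blocks the list walk missed.
PSSCAN_TEXT = """\
Offset(P)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x01bc89c8 System                    4      0     53      240 ------      0
0x01af1020 smss.exe                368      4      3       19 ------      0 2010-08-11 13:06:42 UTC+0000
0x01a2a2b8 csrss.exe               584    368      9      326      0      0 2010-08-11 13:06:43 UTC+0000
0x018df020 explorer.exe           1464   1424     17      415      0      0 2010-08-11 13:06:55 UTC+0000
0x0191b6b8 regsvr32.exe           1820   1464      0        0      0      0 2010-08-11 13:12:01 UTC+0000 2010-08-11 13:12:02 UTC+0000
0x01e4b020 nc.exe                 1752   1464      2       31      0      0 2010-08-11 13:10:17 UTC+0000
0x01f2c8a0 ftp.exe                1640   1464      0        0      0      0 2010-08-11 13:09:40 UTC+0000 2010-08-11 13:09:58 UTC+0000
"""

TIMESTAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)"
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)"
    r"(?:\s+" + TIMESTAMP + r")?"      # Start (absent for System)
    r"(?:\s+" + TIMESTAMP + r")?\s*$"  # Exit (present only once terminated)
)


@dataclass(frozen=True)
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    start: Optional[str]
    exit: Optional[str]


def parse_process_table(text):
    """Parse pslist- or psscan-style rows; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            off, name, pid, ppid, thds, hnds, _sess, _wow64, start, exit_ = m.groups()
            procs.append(Proc(off, name, int(pid), int(ppid), int(thds), int(hnds), start, exit_))
    return procs


def stale_in_active_list(pslist):
    """Rows still linked in PsActiveProcessHead that look dead: 0 threads,
    0 handles, or a non-empty exit time."""
    return [p for p in pslist if p.threads == 0 or p.handles == 0 or p.exit is not None]


def reconcile(pslist, psscan):
    """Compare the list walk with the pool scan. A psscan-only process with an
    exit time is a terminated process whose _EPROCESS has not been reused; one
    without an exit time is not on the active list and needs to be explained
    (a rootkit unlinking it is one possibility, so it gets the --OFFSET
    treatment described above)."""
    seen = {(p.pid, p.name) for p in pslist}
    result = {"hidden": [], "terminated_unlinked": [],
              "terminated_linked": stale_in_active_list(pslist)}
    for p in psscan:
        if (p.pid, p.name) in seen:
            continue
        if p.exit is None:
            result["hidden"].append(p)
        else:
            result["terminated_unlinked"].append(p)
    return result


if __name__ == "__main__":
    report = reconcile(parse_process_table(PSLIST_TEXT), parse_process_table(PSSCAN_TEXT))
    for category, procs in report.items():
        print(category, [(p.name, p.pid, p.offset) for p in procs])
```

The physical offset carried in each psscan Proc is what the text says the other process plugins need via --OFFSET, so the "hidden" list is directly usable as the worklist for the next step of the examination.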
• Here we are showing the logon history. It is used to add a new table which stores information about individual user logins, including a timestamp, IP address, user agent information, and whether or not the login was via a reset password link.

• As the investigator noted, the affected machine contains the batch files that are affected in the driver file; I had installed netcat on Windows.
• nc -l -v -p 2222 > dir.txt
• We displayed the directory and are going to verify the suspicious folder. It can be an executable file, and it will be a batch file. The affected file will run a virus or trojan file.
• An executable virus is a non-resident computer virus that stores itself in an executable file and infects other files each time the file is run. The majority of all computer viruses are spread when a file is executed or opened.

Now we have the application memory of the suspect processes, but we also want to capture all of the system memory, which may have remnants of other intruder processes or previous sessions. We can obtain it using a program you are probably already familiar with—dd.

George M. Garner, Jr. has modified dd, along with several other useful utilities, specifically for forensic investigation. Enhancements include built-in md5sum, compression, and logging abilities, to name a few. By incorporating these frequently used options that are normally associated with separate commands, he significantly reduces I/O, thus increasing acquisition speed. For more information, and to download his tools, go to his Forensic Acquisition Utilities page at http://users.erols.com/gmgarner/forensics. Some of Garner’s utilities are based on the UnxUtils distribution, which provides many useful GNU utilities. The UnxUtils are available at http://unxutils.sourceforge.net.

By using the /dev/kmem file on Unix systems, we can obtain a logical view of physical memory from a live Unix operating system. Unfortunately, Windows NT operating systems do not provide such a file object, but Garner’s version of dd creates a /Device/PhysicalMemory section object. A section object, also called a file-mapping object, represents a block of memory that two or more processes can share, and it can be mapped to a page file or other on-disk file. By mapping the /Device/PhysicalMemory section object to virtual address space, Garner’s version of dd enables us to generate a dump representing system memory.

This memory image, named JBRWWW_full_memory_dump.dd, is on the evidence DVD for your review. Although we didn't do so in this case, you can also use this version of dd to obtain an image of the entire physical hard drive from the live system without requiring a shutdown, reboot, or disruption of service. To accomplish this, we would have used the following command line:

D:\>dd.exe if=\\.\physicaldrive0 of=z:\JBRWWW_physicaldrive0.dd bs=4096

During a review, the strings command revealed several pieces of information relevant to the intrusion response.

The following are some of the commands the attacker executed during the intrusion. It would appear that the intruder pinged himself at 192.168.179.138, initiated an ipconfig /all command, initiated an FTP session, and executed iroffer.exe.