Difference between pages "Determining OS version from an evidence image" and "Zombies and Botnets: Setup-Investigate-Shutdown"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(HP/UX)
 
 
Line 1: Line 1:
One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.
+
'''Zombies and Botnets:  Setup-Investigate-Shutdown''' [http://www.wetstonetech.com/cgi-bin/shop.cgi?view,25]
  
==Windows==
 
  
===Windows 95/98/ME===
+
== ==
  
Establish the boot volume, verify that it is a FAT file system, and locate the hidden text file \MSDOS.SYS. Locate the [Options]WinVer parameter:
+
WetStone has created this one-day advanced module to their Hacking Bootcamp focusing exclusively on Zombies and Botnets. Students will have unique access to our “hands-on” interactive learning environment. Students will work  together to establish a complex Botnet environment and practice investigative methods/techniques to collect criminal information. Each student will learn how to shutdown and isolate Botnet operators and individual Zombies in order to limit or preempt the damage they can cause.
  
{| class="wikitable"
 
|-
 
! WinVer
 
! OS
 
|-
 
| 4.00.0950
 
| Windows 95
 
|-
 
| 4.00.1111
 
| Windows 95 OSR2
 
|-
 
| 4.03.1212
 
| Windows 95 OSR2.1
 
|-
 
| 4.03.1214
 
| Windows 95 OSR2.5
 
|-
 
| 4.10.1998
 
| Windows 98
 
|-
 
| 4.10.2222
 
| Windows 98 SE
 
|-
 
| 4.90.3000
 
| Windows ME
 
|}
 
  
Alternatively, establish WinDir ([Paths]WinDir in \MSDOS.SYS), locate the %WINDIR%\SYSTEM.DAT registry file. Next, look up the registry key Software\Microsoft\Windows\CurrentVersion\, and values Version and VersionNumber. (Backup copies of SYSTEM.DAT may be found in .CAB files in %WINDIR%\SYSBCKUP.)
 
  
===Windows NT===
+
'''Sinister Cyber Weapons'''
  
===Windows 2000/2003/XP/Vista===
+
One of the most sinister cyber weapons to arrive on the scene in recent years are Zombies and their associated Botnets. 
Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).
+
 +
Today's cyber investigators must possess in depth working knowledge of their internals. To accomplish this you must know how to setup, investigate, and shutdown these weapons.
  
During a forensic examination, information regarding the version of Windows can be found in a number of places.  For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt". This is not definitive, however, because this directory name is easily modified during installation.
+
Botnets are continuing to be a global issue. These types of malicious software are penetrating our personal, corporate and government systems. Statistics are showing that up to one quarter of all computers that are connected to the  internet have become a part of a Botnet.
  
Determining the version of Windows from the Software Registry Hive file - navigate to the ''Microsoft\Windows NT\CurrentVersion'' key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.
 
  
Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file.  You can view this information with a hex editor, or extract it using a variety of means.  There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script [http://sourceforge.net/project/showfiles.php?group_id=164158&package_id=203967 kern.pl] illustrates a platform independent means of examining the PE header and ultimately locating the file version information.
+
'''Skills Learned'''
  
In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of ''Product ID''). Some of these values:
+
Upon completion of the course, students will have gained advanced knowledge in the fundamentals of Zombies and Botnets
  
{| class="wikitable" border="1"
+
▫ Offensive planning of Zombies and Botnets
|-
+
▫ Investigative considerations when faced with these weapons
!Value (MPC)!!Version
+
▫ Learn the art of isolation and termination of  Botnets.
|-
+
|55034 || Windows XP Professional English
+
|-
+
|55683 || Windows XP Professional Russian
+
|-
+
|55681 || Windows XP Home Edition Russian
+
|}
+
  
==Unix/Linux==
 
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.
 
  
===Linux===
+
Our trainers take you inside the minds of today’s criminals and students completeing the class will be able to execute a full investigation in the respective discipline. Participants proficiency in the above skills will be tested with certification exams.
A number of Linux distributions create a file in ''/etc'' to identify the release or version installed.
+
  
<pre>
 
/etc/issue
 
/etc/issue.net
 
</pre>
 
  
{| class="wikitable" border="1"
 
|-
 
!Distro!!Tag
 
|-
 
|Red Hat || /etc/redhat-release
 
|-
 
|Debian  || /etc/debian-version
 
|}
 
  
=== (Open) Solaris ===
+
----
  
===Free/Net/OpenBSD===
+
'''Contact Information:'''
A first indicator of the presence of a BSDs operating system is the partition table on a MBR-partitioned disk:
+
  
{| class="wikitable" border="1"
+
1-877-WETSTONE ext 2
|-
+
!OS!!Partition type
+
|-
+
|FreeBSD || FreeBSD (0xA5)
+
|-
+
|OpenBSD || OpenBSD (0xA6)
+
|-
+
|NetBSD || NetBSD (0xA9)
+
|-
+
|}
+
  
You can get the release and version of BSDs operating system inside the kernel images, even with only a disk image.
+
www.wetstonetech.com [https://www.wetstonetech.com/index.html]
 
+
{| class="wikitable" border="1"
+
|-
+
!OS!!Kernel path
+
|-
+
|FreeBSD || /boot/kernel/kernel
+
|-
+
|OpenBSD || /bsd
+
|-
+
|NetBSD || /netbsd
+
|-
+
|}
+
 
+
You can use <tt>strings</tt> and <tt>grep</tt> tools to find this information with <tt>strings kernel_path | grep os_name</tt>. (e.g.: <tt>strings /bsd | grep OpenBSD</tt>)
+
 
+
===AIX===
+
 
+
===HP/UX===
+
 
+
===Other===
+
* BSDI
+
 
+
==Other==
+
* Plan9
+
* QNX RTOS
+
* OS2
+
* MacOS-X/IOS
+
 
+
[[Category:Howtos]]
+

Revision as of 14:29, 6 October 2009

Zombies and Botnets: Setup-Investigate-Shutdown [1]


WetStone has created this one-day advanced module to their Hacking Bootcamp focusing exclusively on Zombies and Botnets. Students will have unique access to our “hands-on” interactive learning environment. Students will work together to establish a complex Botnet environment and practice investigative methods/techniques to collect criminal information. Each student will learn how to shutdown and isolate Botnet operators and individual Zombies in order to limit or preempt the damage they can cause.


Sinister Cyber Weapons

One of the most sinister cyber weapons to arrive on the scene in recent years are Zombies and their associated Botnets.

Today's cyber investigators must possess in depth working knowledge of their internals. To accomplish this you must know how to setup, investigate, and shutdown these weapons.

Botnets are continuing to be a global issue. These types of malicious software are penetrating our personal, corporate and government systems. Statistics are showing that up to one quarter of all computers that are connected to the internet have become a part of a Botnet.


Skills Learned

Upon completion of the course, students will have gained advanced knowledge in the fundamentals of Zombies and Botnets

▫ Offensive planning of Zombies and Botnets
▫ Investigative considerations when faced with these weapons
▫ Learn the art of isolation and termination of  Botnets.


Our trainers take you inside the minds of today’s criminals and students completeing the class will be able to execute a full investigation in the respective discipline. Participants proficiency in the above skills will be tested with certification exams.




Contact Information:

1-877-WETSTONE ext 2

www.wetstonetech.com [2]