X-Ways Capture - Live Forensics Tool


X-Ways Capture 1.2 was released on 10 March; here is a look at its latest features.

Step 1: Program start and operating system detection.

a) X-Ways Capture first detects the exact version of the Windows operating system the current system is running; the Linux module detects the exact Linux version.

b) It is run from the command line (the output path can be defined).

c) X-Ways Capture asks the user for the path where the image files, logs and other acquired data will be saved. The path must be absolute.

d) The current system date and time are recorded. Optionally, the user can be asked to enter the current date and time, so that it can be compared against the system clock.

Step 2: Memory acquisition

a) Physical memory is acquired as a raw (dd-style) image.
Because Windows denies access to certain memory regions, some warnings will appear; this is normal.

b) Under Windows, the virtual memory of every process is saved to its own file, named after the process name or process ID.
c) The list of running processes is written to the log.

d) The list of drivers is written to the log.

Step 3: ATA disk check
a) Detects ATA disks and their security settings (ATA password protection).

b) Detects active HPAs (Host Protected Areas).

c) Detects the state of drives and partitions
This step analyses the disks and partitions and writes the result to the log: disk model, serial number, size, bus type, and whether the disk is a dynamic disk.

Step 4: Detecting encryption software running on the current system

Under Windows, the following methods are used to detect running encryption programs.
a) Process name check
The process list is compared against a database of known encryption program process names to decide whether a known encryption product is present. For example, the PGP Desktop 9.02 service process is named PGPserv.exe.
b) The driver list is searched to decide whether an encryption product is present.
c) Process memory check: in this step X-Ways Capture can tell whether one of the running programs contains a particular encryption product, even if the program's .exe file has been renamed. Some .exe files carry an internal name and copyright information that cannot be changed by renaming the file; for example PGPsdkService is the internal name of PGPserv.exe.
d) Reading specific sectors: particular sectors of each disk are read in two different ways, and the results are compared. If a full-disk encryption driver is decrypting the disk transparently, the two reads differ, which reveals that the disk has been encrypted by software on the system, for example SecureDoc or CompuSec.
e) EFS detection. All files on NTFS partitions are checked for EFS-encrypted data. The speed depends on the number of files on the NTFS partitions; this step is usually time-consuming. It is normally only run when the logical backup step is skipped, because the logical backup always copies and reports EFS-encrypted files anyway.
f) Every mounted volume is checked for the BitLocker signature.

Step 5: Creating a physical disk image
Depending on the results of the earlier analysis, or on the parameters set in the configuration file, Capture decides whether to create a physical disk image. At this stage the image is acquired sector by sector, not by copying files.
a) If disk encryption was detected, or the disk's ATA password is currently in the unlocked state, the disk is imaged.
b) If ATA password protection was detected but X-Ways Capture cannot determine with certainty whether it is enabled, the disk is imaged.
c) If the physical imaging step is set in the configuration file, the disk is imaged.

In some cases the disk is encrypted by software but is currently in a decrypted (unlocked) state; the data acquired at that moment is in decrypted form and can be read normally. The image file can be a raw dd image or an .e01 file. During acquisition the hash value is written into the .e01 evidence file; with dd the hash is stored in a separate file. Because data may be written to the disk during or after the acquisition
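The following is an added example and is not X-Ways code: it reproduces, in Python, the detection logic of step 4 (process names, driver names and internal-name strings in process memory, all taken from a capture.ini-style configuration) together with the BitLocker boot-sector check and the imaging decision of step 5. The ini excerpt reuses the section names and entries printed later on this page; the process list, driver list, memory dumps and boot sectors are constructed test data; the "-FVE-FS-" OEM string and the three-state ATA password model are assumptions of this example.

```python
# Constructed excerpt in the capture.ini layout (section names and entries as on this page).
SAMPLE_INI = """
[SearchProcessMemoryForEncryption]
#Internal name of PGPserv.exe (PGP Desktop 9):
PGPsdkService
#Internal name of Bcresident.exe (BestCrypt v7)
BCResident

[SearchProcessListForEncryption]
#PGP Desktop 9:
PGPserv.exe
PGPtray.exe
#TrueCrypt, usually just the driver, sometimes just the process
TrueCrypt.exe

[SearchDriverListForEncryption]
truecrypt
"""


def parse_capture_ini(text):
    """Parse the [section] / one-entry-per-line / '#'-comment layout of capture.ini."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_process_list(processes, known_names):
    """Step 4a: running process names compared with the known list (case-insensitive)."""
    wanted = {n.lower() for n in known_names}
    return [p for p in processes if p.lower() in wanted]


def check_driver_list(drivers, patterns):
    """Step 4b: case-insensitive substring match of driver names against the patterns."""
    pats = [p.lower() for p in patterns]
    return [d for d in drivers if any(p in d.lower() for p in pats)]


def check_process_memory(dumps, strings):
    """Step 4c: search each process memory dump (process name -> bytes) for the
    vendor's internal names; renaming the .exe does not remove these strings."""
    hits = []
    for proc, mem in dumps.items():
        for s in strings:
            if s.encode("ascii") in mem:
                hits.append((s, proc))
    return hits


BITLOCKER_OEM_ID = b"-FVE-FS-"  # assumed OEM name at offset 3 of a BitLocker volume boot sector


def is_bitlocker_volume(boot_sector):
    """Step 4f: a BitLocker volume carries '-FVE-FS-' where NTFS carries 'NTFS    '."""
    return len(boot_sector) >= 11 and boot_sector[3:11] == BITLOCKER_OEM_ID


def should_image_physically(encryption_found, ata_password_state, forced_in_ini):
    """Step 5 decision. ata_password_state is 'none', 'unlocked' (protected but
    currently open) or 'unknown' (protection seen, state undeterminable)."""
    if forced_in_ini or encryption_found:
        return True
    return ata_password_state in ("unlocked", "unknown")


def run_detection():
    cfg = parse_capture_ini(SAMPLE_INI)
    # Constructed inputs modelled on the test log shown later on this page.
    processes = ["System", "smss.exe", "svchost.exe", "PGPtray.exe", "PGPserv.exe", "firefox.exe"]
    drivers = ["Ntfs", "PGPdisk", "pgpfs", "Tcpip"]
    dumps = {"PGPserv.exe": b"MZ\x00\x00PGPsdkService\x00", "svchost.exe": b"MZ\x00\x00rpcss\x00"}
    ntfs_boot = b"\xeb\x52\x90NTFS    " + b"\x00" * 501   # 512-byte constructed sectors
    fve_boot = b"\xeb\x58\x90-FVE-FS-" + b"\x00" * 501
    procs = check_process_list(processes, cfg["SearchProcessListForEncryption"])
    drvs = check_driver_list(drivers, cfg["SearchDriverListForEncryption"])
    mem = check_process_memory(dumps, cfg["SearchProcessMemoryForEncryption"])
    found = bool(procs or drvs or mem)
    return {"processes": procs, "drivers": drvs, "memory": mem,
            "ntfs_is_bitlocker": is_bitlocker_volume(ntfs_boot),
            "fve_is_bitlocker": is_bitlocker_volume(fve_boot),
            "image_physically": should_image_physically(found, "none", False)}


if __name__ == "__main__":
    for key, value in run_detection().items():
        print(f"{key}: {value}")
```

Note what the driver check does not catch: with the default ini the only driver pattern is "truecrypt", so the loaded PGPdisk and PGPwded drivers are not reported, which is exactly why the log on this page says "No drivers for encryption found" while PGP is running. Extend [SearchDriverListForEncryption] for the products you expect to meet.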

Reposted from 計算機取證技術 (Computer Forensics Technology)

Belkasoft Forensic IM Analyzer - IM Forensics Analysis Tool



Mr. Yuri Gubanov, CEO of the Russian company Belkasoft, wrote to me recommending their Forensic IM Analyzer tool. I tried it and found the software very simple to use: it can detect the various instant messaging clients on a computer and read their chat logs directly, with very good results. The software currently supports ICQ (97a through ICQ6), Microsoft MSN/Live Messenger, Skype, Yahoo! Messenger, MySpace IM, &RQ, Miranda, SIM, QIP, Google Hello, Trillian, QQ and AIM, so it covers a lot of ground. It can automatically search the hard disk for saved history and open it without needing a password. Combined with tools such as Smart Mount, a disk image can be mounted directly and the data inside the image analysed.



Judging from these tools, computer forensics experts around the world really are working hard. I previously knew nothing about Russian progress in electronic evidence and computer forensics; now it seems they do have some accumulated expertise. Besides password cracking, which is a known strength of theirs, their forensic technology is no less capable.

A trial version can be downloaded from: http://belkasoft.com/bfia/en/download.asp

To learn how to use the software, watch the video walkthrough: http://belkasoft.com/bfia/en/How_To_Use_Product.asp

The story in the video goes roughly like this:

Hello everyone! I am a computer forensic investigator with the Neverland police department. I am investigating a very complicated case. Here is the story: the largest candy factory was robbed, and we found a suspect named Sweetieslover. But there is no clear evidence proving he took part in the robbery; all we know is his name. Examining the documents and e-mail on his computer, he appears to be completely innocent. My last hope is to analyse his chat logs, and other forensic experts recommended the Forensic IM Analyzer chat-log analysis tool developed by Belkasoft.

Now let me show how I work with this software. In the left-hand window there are three items: installed IM clients, discovered IM clients, and search results. 'Installed IM clients' does not seem useful for my case, because what I need to analyse is an evidence hard disk; the acquired disk was mounted through EnCase and is connected to my computer as a network drive.

First, I need to determine which chat client the suspect used. Looking through the Program Files directory, I find that it contains Yahoo! Messenger. Good, let's see what history it has. Hmm... just looking at directories and files does not turn up anything useful. Never mind, I have a professional tool for handling IM history.

I go back to IM Analyzer, find 'Yahoo Messenger' under 'Discovered IM clients', right-click it and choose 'Open history of this IM client'. Then I browse to the Program Files folder.

Good, the history has been added; now I just use 'Read history' to view the records directly. Ha, quite a lot of records! There is a lot to look at. Can I narrow down what I need to view? Of course: contacts without any chat history can be hidden. Right-click and choose 'Hide contacts without history'. Looking again, there are still many records. While the chat history is exporting, I might as well get a cup of coffee!

Two hours of reading later
Damn, still no important leads. All I learned from his wife's chats is that she is not entirely devoted to her husband, but that is a different matter and has nothing to do with this case.

Is there something my manual analysis has missed? Let me have Belkasoft Forensic IM Analyzer search the history for me! From the menu I use the 'Search for IM history' option.

This tool offers several options: it can search hard disks, removable devices, optical discs and network drives. Since I am searching a network drive, I need the 'Search network drives' option. I want to see whether there are other chat clients; history in any format could be useful. Depending on the size of the disk, the search may take a few seconds or twenty to thirty minutes.

Look, the software did find something I had not noticed: QQ chat history. The QQ chat client is very popular in China, and some Neverlanders use it too.

The cunning suspect saved his QQ chat history in a different location, but the analysis tool found it automatically. QQ history is always encrypted, and this is where IM Analyzer is really useful.

Now let's search this new history for anything related to sweets. Looking through it, some contacts have even more chat records than in Yahoo.

First, search for the word "cookies", using 'Search history' from the menu. This person seems to like cookies; there are many results. Next, search for 'sweets'; still many results. For example, she always says "Hi, sweetie". But these results are no help to my investigation. What other words are close to "sweets"? The software lets me use a 'keyword list'. I have a word list containing synonyms for many words. Searching with it, I find that the word 'candies' was used in the chat history. But there are still too many results. Should I try 'steal candies'? That is what the suspect might say or do. But searching for that phrase returns nothing. Right, the two words may not be adjacent: what if there are other characters between 'steal' and 'candies'? Maybe four, five or six words in between?

I can use the software's 'Search by regular expression' feature: enter steal, then allow several digits, symbols or spaces, and finally candies.

Excellent, one record found. The sender is Mr. Sweetieslover, the recipient is Mr. Evil. That's him.

Good, the analysis is finished, and I should hand these findings over to colleagues in other departments. They are not computer experts, but they are experts in evidence and text analysis. I only need to export these records to HTML format and burn them to a disc. I only want to export the conversations with Mr. Evil, so I click 'Selected contacts', choose the target folder and export. The exported data includes the chat partner and the time of the chat.

My work is done. Without this software I really don't know how I could have completed the investigation of this case. Thank you, Belkasoft.

Reposted from 計算機取證技術 (Computer Forensics Technology)
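The searches in the video (plain keyword, keyword list, two terms within a few words of each other, export of one contact's conversations) are easy to reproduce over any chat history that has already been parsed into records. The block below is an added example written for this page; it is not Belkasoft code and does not read any real IM database. The chat records, the synonym list and the contact names are constructed to mirror the story above.

```python
import re
from html import escape

# Constructed chat records: (client, sender, receiver, timestamp, text). Not real data.
RECORDS = [
    ("Yahoo", "Wife", "Sweetieslover", "2009-03-01 19:02", "Hi, sweetie, dinner at eight?"),
    ("Yahoo", "Sweetieslover", "Wife", "2009-03-01 19:05", "Sure. Bring cookies, lots of cookies."),
    ("QQ", "Sweetieslover", "Mr. Evil", "2009-03-03 23:41", "We could steal some of those tasty candies tonight"),
    ("QQ", "Mr. Evil", "Sweetieslover", "2009-03-03 23:42", "The factory gate is open until midnight."),
    ("QQ", "Sweetieslover", "Mr. Evil", "2009-03-04 00:10", "candies are safe, nobody saw us"),
]

# Constructed keyword list: one entry of a synonym dictionary.
SYNONYMS = {"sweets": ["sweets", "candies", "candy", "sweetie", "cookies"]}


def _word(w):
    return re.compile(r"\b" + re.escape(w) + r"\b", re.IGNORECASE)


def search_keyword(records, word):
    """Whole-word, case-insensitive keyword search ('Search history')."""
    pat = _word(word)
    return [r for r in records if pat.search(r[4])]


def search_keyword_list(records, words):
    """Keyword-list search: a record matches if any synonym occurs in it."""
    pats = [_word(w) for w in words]
    return [r for r in records if any(p.search(r[4]) for p in pats)]


def proximity_pattern(first, second, max_gap):
    """`first` followed by `second` with at most max_gap whole words in between:
    the 'steal ... candies' regular-expression search, made precise."""
    return re.compile(
        r"\b" + re.escape(first) + r"\b(?:\W+\w+){0," + str(max_gap) + r"}\W+"
        + re.escape(second) + r"\b",
        re.IGNORECASE,
    )


def search_proximity(records, first, second, max_gap=6):
    pat = proximity_pattern(first, second, max_gap)
    return [r for r in records if pat.search(r[4])]


def export_html(records, contact):
    """Export only the conversations with one contact as an HTML table that keeps
    time, sender and receiver, which is what non-technical colleagues need."""
    rows = [r for r in records if contact in (r[1], r[2])]
    body = "".join(
        f"<tr><td>{escape(r[3])}</td><td>{escape(r[1])}</td>"
        f"<td>{escape(r[2])}</td><td>{escape(r[4])}</td></tr>"
        for r in rows
    )
    return ("<table><tr><th>Time</th><th>From</th><th>To</th><th>Message</th></tr>"
            + body + "</table>")


if __name__ == "__main__":
    print("exact 'steal candies':", search_proximity(RECORDS, "steal", "candies", 0))
    print("within 6 words:", search_proximity(RECORDS, "steal", "candies", 6))
    print(export_html(RECORDS, "Mr. Evil"))
```

The gap is bounded on purpose: an unbounded `steal.*candies` would also match a "steal" in one sentence and a "candies" several sentences later in the same message, which produces exactly the noise the video's first searches suffered from.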


X-Ways Capture: Hands-on Test

I got hold of the latest version of X-Ways Capture and tested it. Here are the results.



Test 1:

A normal Windows environment, without PGP Desktop installed, acquired using Capture's default ini configuration.

Test 2:

The same Windows environment, with PGP Desktop 9.9 installed and EFS encryption enabled, acquired using Capture's default ini configuration.



Steps and screenshots:



Original files and directories included in X-Ways Capture:



The Windows directory contains the following four files. Capture.ini is the configuration file, which can be edited and customised.



1. Start X-Ways Capture
Enter the output path; in this example the F:\capture directory was chosen. Throughout the run, Capture operates automatically according to the custom configuration file. In this test capture.exe was run from the desktop on drive C:. In real use the program should not be copied onto the suspect's disk, so it should be run from removable media.










Downloaded and installed PGP Desktop 9.9.



Created a 500 MB virtual disk, stored on drive E:, with drive letter G:.

On the newly created logical disk G: I created a .txt file and copied a .pdf file.
During the acquisition, the system detected that PGP was present, started logically acquiring the files on drive G:, and physically acquired an image.




After the acquisition finished, looking in the Capture2 directory for drive G: showed that X-Ways Capture had copied the files from the disk logically and also created a disk image.





Because Capture was run from drive C:, the EFS-encrypted files on C: were not found.







Capture run log (copied here so everyone can see the complete process):



X-Ways Capture 1.2 Copyright X-Ways Software Technology AG 2005-2008



Capture was started on 23/03/2009 at 10:44:13 from C:\Documents and Settings\Administrator\桌面\xwcapture\Windows.

Host OS is Windows 5.1.2600 (NT).

Using configuration file capture.ini.



This version is licensed to Sprite Guo.

Result: Capture runs on the computer named B.



Hint: Starting program module: AppendIni (the settings from the ini configuration file follow.)

[user]

name=Sprite Guo

date=16

key=



[steps]

AppendIni

#GetUserDate

#GetUserTime

#Ask "Please enter a comment"

#Ask Please enter a comment

#Ask Please enter three characters: ???

DumpPhysicalMemory

DumpProcessMemory

DumpProcessList

DumpDriverList

ATACheck

HPACheck

ListMountedVolumes

EncryptionCheckProcessList

+CheckDriverListForEncryption

+EncryptionCheckProcessMemory

+EncryptionCheckDiskSectors

#EncryptionCheckAllFiles is redundant if LogicalBackup is not excluded

#EncryptionCheckAllFiles -network

+CheckForBitLockerVolumes

LogicalImaging

PhysicalImaging

LogicalBackup -network



[settings]

language=English

#language=German

PromptForOutputPath

#UserShouldAcknowledge

DateFormat=dd/mm/yyyy

#DateFormat=dd.mm.yyyy

LogInfoMsgs

LogHints

LogWarnings

LogErrors

LogResults

PrintInfoMsgs

PrintHints

PrintWarnings

PrintErrors

PrintResults

ImageSegmentSize=2000

#PhysicalImageFormat=raw

#PhysicalImageFormat=e01-compressed

PhysicalImageFormat=e01-uncompressed

PhysicalImageCalcHash=md5

#PhysicalImageCalcHash=sha-1

#PhysicalImageCalcHash=sha-256

#PhysicalImageCalcHash=none



[ExcludeDevicesFromPhysicalImaging]

#Examples:

#Maxtor 6Y080L0

#WDC WD2000JB-00GVA0



[ExcludeFromLogicalBackup]

#Examples:

E:\

F:\



[SearchProcessMemoryForEncryption]

#Examples:

#Internal name of PGPserv.exe (PGP Desktop 9):

PGPsdkService

#Internal name of Bcresident.exe (BestCrypt v7)

BCResident

#Steganos Security Suite 2006

PortableSafe@Steganos



[SearchProcessListForEncryption] (the encryption products currently detected)

#Examples:

#PGP Desktop 9:

PGPserv.exe

PGPtray.exe

#BestCrypt v7:

Bcresident.exe

#DriveCrypt:

DriveCrypt.exe

#Steganos Security Suite 2006

sss2006.exe

#TrueCrypt, usually just the driver, sometimes just the process

TrueCrypt.exe

#SafeGuard Easy

sgectl.exe



[SearchDriverListForEncryption]

truecrypt



Above is the ini configuration; below is the acquisition log.



Hint: Starting program module: DumpPhysicalMemory (acquire physical memory)

Hint: Main memory is 253 MB (266326016 bytes)

Warning: Could not read 1.49 MB of physical memory (0x1332000-0x14b0fff).

Result: Main memory imaging completed with one unreadable range.



Hint: Starting program module: DumpProcessMemory (acquire process memory)

Info: Dumping memory of process System (812 KB)

Info: Dumping memory of process smss.exe (968 KB)

Info: Dumping memory of process csrss.exe (52.1 MB)

Info: Dumping memory of process winlogon.exe (44.0 MB)

Info: Dumping memory of process services.exe (12.1 MB)

Info: Dumping memory of process lsass.exe (32.4 MB)

Info: Dumping memory of process svchost.exe (35.1 MB)

Info: Dumping memory of process svchost.exe (33.9 MB)

Info: Dumping memory of process svchost.exe (42.1 MB)

Info: Dumping memory of process KVSrvXP.exe (100 MB)

Info: Dumping memory of process svchost.exe (23.8 MB)

Info: Dumping memory of process svchost.exe (36.0 MB)

Info: Dumping memory of process Explorer.EXE (141 MB)

Info: Dumping memory of process spoolsv.exe (34.4 MB)

Info: Dumping memory of process hkcmd.exe (23.3 MB)

Info: Dumping memory of process KVMonXP.kxp (78.0 MB)

Info: Dumping memory of process hqtray.exe (41.0 MB)

Info: Dumping memory of process peer.exe (32.0 MB)

Info: Dumping memory of process ctfmon.exe (23.6 MB)

Info: Dumping memory of process Thunder5.exe (117 MB)

Info: Dumping memory of process PGPtray.exe (61.5 MB)

Info: Dumping memory of process SnagIt32.exe (187 MB)

Info: Dumping memory of process ImationFlashDetect.exe (24.5 MB)

Info: Dumping memory of process PGPserv.exe (29.4 MB)

Info: Dumping memory of process SeaPort.exe (37.1 MB)

Info: Dumping memory of process vmount2.exe (32.5 MB)

Info: Dumping memory of process TSCHelp.exe (21.7 MB)

Info: Dumping memory of process vmnat.exe (8.78 MB)

Info: Dumping memory of process vmnetdhcp.exe (8.52 MB)

Info: Dumping memory of process vmware-authd.exe (51.2 MB)

Info: Dumping memory of process alg.exe (29.9 MB)

Info: Dumping memory of process svchost.exe (29.3 MB)

Info: Dumping memory of process PGPfsd.exe (35.0 MB)

Info: Dumping memory of process conime.exe (23.9 MB)



Hint: Starting program module: DumpProcessList (acquire process list)

Info: Process list:

Info: System

Info: smss.exe

Info: csrss.exe

Info: winlogon.exe

Info: services.exe

Info: lsass.exe

Info: svchost.exe

Info: svchost.exe

Info: svchost.exe

Info: KVSrvXP.exe

Info: svchost.exe

Info: svchost.exe

Info: Explorer.EXE

Info: spoolsv.exe

Info: hkcmd.exe

Info: KVMonXP.kxp

Info: hqtray.exe

Info: peer.exe

Info: ctfmon.exe

Info: Thunder5.exe

Info: PGPtray.exe

Info: SnagIt32.exe

Info: ImationFlashDetect.exe

Info: PGPserv.exe

Info: SeaPort.exe

Info: vmount2.exe

Info: TSCHelp.exe

Info: vmnat.exe

Info: vmnetdhcp.exe

Info: vmware-authd.exe

Info: alg.exe

Info: svchost.exe

Info: PGPfsd.exe

Info: conime.exe

Info: firefox.exe



Hint: Starting program module: DumpDriverList (acquire driver list)

Result: Abiosdsk: Device driver, stopped

Result: abp480n5: Device driver, stopped

Result: ACPI (Microsoft ACPI Driver): Device driver, stopped

Result: ACPIEC: Device driver, stopped

Result: adpu160m: Device driver, stopped

Result: aeaudio: Device driver, stopped

Result: aec (Microsoft Kernel Acoustic Echo Canceller): Device driver, stopped

Result: AFD: Device driver, stopped

Result: Aha154x: Device driver, stopped

Result: aic78u2: Device driver, stopped

Result: aic78xx: Device driver, stopped

Result: akshasp (Aladdin HASP Key): Device driver, stopped

Result: aksusb (Aladdin USB Key): Device driver, stopped

Result: Alerter: Service sharing a process with other services, stopped

Result: ALG (Application Layer Gateway Service): Service running in its own process, stopped

Result: AliIde: Device driver, stopped

Result: amsint: Device driver, stopped

Result: AppMgmt (Application Management): Service sharing a process with other services, stopped

Result: asc: Device driver, stopped

Result: asc3350p: Device driver, stopped

Result: asc3550: Device driver, stopped

Result: aspnet_state (ASP.NET State Service): Service running in its own process, stopped

Result: AsyncMac (RAS Asynchronous Media Driver): Device driver, stopped

Result: atapi (Standard IDE/ESDI Hard Disk Controller): Device driver, stopped

Result: Atdisk: Device driver, stopped

Result: Atmarpc (ATM ARP Client Protocol): Device driver, stopped

Result: AudioSrv (Windows Audio): Service sharing a process with other services, stopped

Result: audstub (Audio Stub Driver): Device driver, stopped

Result: BdGuard: File system driver, stopped

Result: Beep: Device driver, stopped

Result: BITS (Background Intelligent Transfer Service): Service sharing a process with other services, stopped

Result: Browser (Computer Browser): Service sharing a process with other services, stopped

Result: BsDeamon: Device driver, stopped

Result: cbidf2k: Device driver, stopped

Result: cd20xrnt: Device driver, stopped

Result: Cdaudio: Device driver, stopped

Result: Cdfs: File system driver, stopped

Result: Cdrom (CD-ROM Driver): Device driver, stopped

Result: cercsr6: Device driver, stopped

Result: Changer: Device driver, stopped

Result: CiSvc (Indexing Service): , stopped

Result: ClipSrv (ClipBook): Service running in its own process, stopped

Result: clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86): Service running in its own process, stopped

Result: CmdIde: Device driver, stopped

Result: COMSysApp (COM+ System Application): Service running in its own process, stopped

Result: Cpqarray: Device driver, stopped

Result: CryptSvc (Cryptographic Services): Service sharing a process with other services, stopped

Result: dac960nt: Device driver, stopped

Result: DcomLaunch (DCOM Server Process Launcher): Service sharing a process with other services, stopped

Result: Dhcp (DHCP Client): Service sharing a process with other services, stopped

Result: Disk (Disk Driver): Device driver, stopped

Result: dmadmin (Logical Disk Manager Administrative Service): Service sharing a process with other services, stopped

Result: dmboot: Device driver, stopped

Result: dmio (Logical Disk Manager Driver): Device driver, stopped

Result: dmload: Device driver, stopped

Result: dmserver (Logical Disk Manager): Service sharing a process with other services, stopped

Result: DMusic (Microsoft Kernel DLS Syntheiszer): Device driver, stopped

Result: Dnscache (DNS Client): Service sharing a process with other services, stopped

Result: Dot3svc (Wired AutoConfig): Service sharing a process with other services, stopped

Result: dpti2o: Device driver, stopped

Result: drmkaud (Microsoft Kernel DRM Audio Descrambler): Device driver, stopped

Result: E1000 (Intel(R) PRO/1000 Adapter Driver): Device driver, stopped

Result: EapHost (Extensible Authentication Protocol Service): Service sharing a process with other services, stopped

Result: ERSvc (Error Reporting Service): Service sharing a process with other services, stopped

Result: Eventlog (Event Log): Service sharing a process with other services, stopped

Result: EventSystem (COM+ Event System): Service sharing a process with other services, stopped

Result: Fastfat: File system driver, stopped

Result: FastUserSwitchingCompatibility (Fast User Switching Compatibility): Service sharing a process with other services, stopped

Result: Fdc (Floppy Disk Controller Driver): Device driver, stopped

Result: Fips: Device driver, stopped

Result: Flpydisk (Floppy Disk Driver): Device driver, stopped

Result: FltMgr: File system driver, stopped

Result: FsVga: Device driver, stopped

Result: Ftdisk (Volume Manager Driver): Device driver, stopped

Result: GetDataMip: Device driver, stopped

Result: Gpc (Generic Packet Classifier): Device driver, stopped

Result: Hardlock: Device driver, stopped

Result: Haspnt: Device driver, stopped

Result: hcmon (VMware hcmon): Device driver, stopped

Result: HdFw_slot: Device driver, stopped

Result: HDPT (HDPT Miniport): Device driver, stopped

Result: helpsvc (Help and Support): Service sharing a process with other services, stopped

Result: HidServ (Human Interface Device Access): Service sharing a process with other services, stopped

Result: HidUsb (Microsoft HID Class Driver): Device driver, stopped

Result: hkmsvc (Health Key and Certificate Management Service): Service sharing a process with other services, stopped

Result: hpn: Device driver, stopped

Result: HTTP: Device driver, stopped

Result: HTTPFilter (HTTP SSL): Service sharing a process with other services, stopped

Result: i2omgmt: Device driver, stopped

Result: i2omp: Device driver, stopped

Result: i8042prt (i8042 Keyboard and PS/2 Mouse Port Driver): Device driver, stopped

Result: ialm: Device driver, stopped

Result: Imapi (CD-Burning Filter Driver): Device driver, stopped

Result: ImapiService (IMAPI CD-Burning COM Service): Service running in its own process, stopped

Result: ini910u: Device driver, stopped

Result: IntelIde: Device driver, stopped

Result: intelppm (Intel Processor Driver): Device driver, stopped

Result: ioperm (ioperm support for Cygwin driver): Device driver, stopped

Result: Ip6Fw (IPv6 Windows Firewall Driver): Device driver, stopped

Result: IpFilterDriver (IP Traffic Filter Driver): Device driver, stopped

Result: IpInIp (IP in IP Tunnel Driver): Device driver, stopped

Result: IpNat (IP Network Address Translator): Device driver, stopped

Result: IPSec (IPSEC driver): Device driver, stopped

Result: IRENUM (IR Enumerator Service): Device driver, stopped

Result: isapnp (PnP ISA/EISA Bus Driver): Device driver, stopped

Result: JmArpHook: Device driver, stopped

Result: JmFwDDos: Device driver, stopped

Result: Kbdclass (Keyboard Class Driver): Device driver, stopped

Result: kmixer (Microsoft Kernel Wave Audio Mixer): Device driver, stopped

Result: KRegEx: Device driver, stopped

Result: KSecDD: Device driver, stopped

Result: KSysCall (Jiangmin Antivirus Software - SysCall Services): Device driver, stopped

Result: KSysMon (Jiangmin Antivirus Software - System Monitor): Device driver, stopped

Result: KSysTrace (Jiangmin Antivirus Software - File Tracer): Device driver, stopped

Result: KVFileGuard (KVFileGuard From Jiangmin): File system driver, stopped

Result: KVREDIR: Device driver, stopped

Result: lanmanserver (Server): Service sharing a process with other services, stopped

Result: lanmanworkstation (Workstation): Service sharing a process with other services, stopped

Result: lbrtfdc: Device driver, stopped

Result: LmHosts (TCP/IP NetBIOS Helper): Service sharing a process with other services, stopped

Result: Messenger: Service sharing a process with other services, stopped

Result: mnmdd: Device driver, stopped

Result: mnmsrvc (NetMeeting Remote Desktop Sharing): , stopped

Result: Modem: Device driver, stopped

Result: Mouclass (Mouse Class Driver): Device driver, stopped

Result: mouhid (Mouse HID Driver): Device driver, stopped

Result: MountMgr (Mount Point Manager): Device driver, stopped

Result: mraid35x: Device driver, stopped

Result: MRxDAV (WebDav Client Redirector): File system driver, stopped

Result: MRxSmb: File system driver, stopped

Result: MSDTC (Distributed Transaction Coordinator): Service running in its own process, stopped

Result: Msfs: File system driver, stopped

Result: MSIServer (Windows Installer): Service sharing a process with other services, stopped

Result: MSKSSRV (Microsoft Streaming Service Proxy): Device driver, stopped

Result: MSPCLOCK (Microsoft Streaming Clock Proxy): Device driver, stopped

Result: MSPQM (Microsoft Streaming Quality Manager Proxy): Device driver, stopped

Result: mssmbios (Microsoft System Management BIOS Driver): Device driver, stopped

Result: Mup: File system driver, stopped

Result: napagent (Network Access Protection Agent): Service sharing a process with other services, stopped

Result: NDIS (NDIS System Driver): Device driver, stopped

Result: NdisTapi (Remote Access NDIS TAPI Driver): Device driver, stopped

Result: Ndisuio (NDIS Usermode I/O Protocol): Device driver, stopped

Result: NdisWan (Remote Access NDIS WAN Driver): Device driver, stopped

Result: NDProxy (NDIS Proxy): Device driver, stopped

Result: NetBIOS (NetBIOS Interface): File system driver, stopped

Result: NetBT (NetBios over Tcpip): Device driver, stopped

Result: NetDDE (Network DDE): Service sharing a process with other services, stopped

Result: NetDDEdsdm (Network DDE DSDM): Service sharing a process with other services, stopped

Result: Netlogon (Net Logon): Service sharing a process with other services, stopped

Result: Netman (Network Connections): , stopped

Result: Nla (Network Location Awareness (NLA)): Service sharing a process with other services, stopped

Result: Npfs: File system driver, stopped

Result: Ntfs: File system driver, stopped

Result: NtLmSsp (NT LM Security Support Provider): Service sharing a process with other services, stopped

Result: NtmsSvc (Removable Storage): Service sharing a process with other services, stopped

Result: Null: Device driver, stopped

Result: NwlnkFlt (IPX Traffic Filter Driver): Device driver, stopped

Result: NwlnkFwd (IPX Traffic Forwarder Driver): Device driver, stopped

Result: OMCI: Device driver, stopped

Result: Parport (Parallel port driver): Device driver, stopped

Result: PartMgr (Partition Manager): Device driver, stopped

Result: ParVdm: Device driver, stopped

Result: PCI (PCI Bus Driver): Device driver, stopped

Result: PCIDump: Device driver, stopped

Result: PCIIde: Device driver, stopped

Result: Pcmcia: Device driver, stopped

Result: PDCOMP: Device driver, stopped

Result: PDFRAME: Device driver, stopped

Result: PDRELI: Device driver, stopped

Result: PDRFRAME: Device driver, stopped

Result: perc2: Device driver, stopped

Result: perc2hib: Device driver, stopped

Result: PGPdisk: Device driver, stopped

Result: pgpfs (PGP File Sharing): File system driver, stopped

Result: PGPsdkDriver: Device driver, stopped

Result: PGPserv: , stopped

Result: PGPwded (PGPwded Storage Filter Service): Device driver, stopped

Result: PlugPlay (Plug and Play): Service sharing a process with other services, stopped

Result: PolicyAgent (IPSEC Services): Service sharing a process with other services, stopped

Result: PptpMiniport (WAN Miniport (PPTP)): Device driver, stopped

Result: ProtectedStorage (Protected Storage): , stopped

Result: PSched (QoS Packet Scheduler): Device driver, stopped

Result: Ptilink (Direct Parallel Link Driver): Device driver, stopped

Result: ql1080: Device driver, stopped

Result: Ql10wnt: Device driver, stopped

Result: ql12160: Device driver, stopped

Result: ql1240: Device driver, stopped

Result: ql1280: Device driver, stopped

Result: RasAcd (Remote Access Auto Connection Driver): Device driver, stopped

Result: RasAuto (Remote Access Auto Connection Manager): Service sharing a process with other services, stopped

Result: Rasl2tp (WAN Miniport (L2TP)): Device driver, stopped

Result: RasMan (Remote Access Connection Manager): Service sharing a process with other services, stopped

Result: RasPppoe (Remote Access PPPOE Driver): Device driver, stopped

Result: Raspti (Direct Parallel): Device driver, stopped

Result: Rdbss: File system driver, stopped

Result: RDPCDD: Device driver, stopped

Result: rdpdr (Terminal Server Device Redirector Driver): Device driver, stopped

Result: RDPWD: Device driver, stopped

Result: RDSessMgr (Remote Desktop Help Session Manager): Service running in its own process, stopped

Result: redbook (Digital CD Audio Playback Filter Driver): Device driver, stopped

Result: RemoteAccess (Routing and Remote Access): Service sharing a process with other services, stopped

Result: RemoteRegistry (Remote Registry): Service sharing a process with other services, stopped

Result: RpcLocator (Remote Procedure Call (RPC) Locator): Service running in its own process, stopped

Result: RpcSs (Remote Procedure Call (RPC)): Service sharing a process with other services, stopped

Result: RSVP (QoS RSVP): Service running in its own process, stopped

Result: SamSs (Security Accounts Manager): Service sharing a process with other services, stopped

Result: SCardSvr (Smart Card): Service sharing a process with other services, stopped

Result: Schedule (Task Scheduler): Service sharing a process with other services, stopped

Result: SeaPort: Service running in its own process, stopped

Result: Secdrv: Device driver, stopped

Result: seclogon (Secondary Logon): , stopped

Result: SENS (System Event Notification): Service sharing a process with other services, stopped

Result: serenum (Serenum Filter Driver): Device driver, stopped

Result: Serial (Serial port driver): Device driver, stopped

Result: Sfloppy: Device driver, stopped

Result: SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)): Service sharing a process with other services, stopped

Result: ShellHWDetection (Shell Hardware Detection): Service sharing a process with other services, stopped

Result: Simbad: Device driver, stopped

Result: SmartMountImDisk (Smart Mount ImDisk Driver): Device driver, stopped

Result: SmartMountImDSvc (Smart Mount ImDisk Helper Service): Service running in its own process, stopped

Result: smwdm: Device driver, stopped

Result: Sparrow: Device driver, stopped

Result: splitter (Microsoft Kernel Audio Splitter): Device driver, stopped

Result: Spooler (Print Spooler): , stopped

Result: sr (System Restore Filter Driver): File system driver, stopped

Result: srservice (System Restore Service): Service sharing a process with other services, stopped

Result: Srv: File system driver, stopped

Result: SSDPSRV (SSDP Discovery Service): Service sharing a process with other services, stopped

Result: stisvc (Windows Image Acquisition (WIA)): Service sharing a process with other services, stopped

Result: swenum (Software Bus Driver): Device driver, stopped

Result: swmidi (Microsoft Kernel GS Wavetable Synthesizer): Device driver, stopped

Result: SwPrv (MS Software Shadow Copy Provider): Service running in its own process, stopped

Result: symc810: Device driver, stopped

Result: symc8xx: Device driver, stopped

Result: sym_hi: Device driver, stopped

Result: sym_u3: Device driver, stopped

Result: sysaudio (Microsoft Kernel System Audio Device): Device driver, stopped

Result: SysGuard (Jiangmin AntiVirus Software - System Guard): Device driver, stopped

Result: SysmonLog (Performance Logs and Alerts): Service running in its own process, stopped

Result: TapiSrv (Telephony): Service sharing a process with other services, stopped

Result: Tcpip (TCP/IP Protocol Driver): Device driver, stopped

Result: TDPIPE: Device driver, stopped

Result: TDTCP: Device driver, stopped

Result: TermDD (Terminal Device Driver): Device driver, stopped

Result: TermService (Terminal Services): Service sharing a process with other services, stopped

Result: Themes: Service sharing a process with other services, stopped

Result: TlntSvr (Telnet): Service running in its own process, stopped

Result: TosIde: Device driver, stopped

Result: TrkWks (Distributed Link Tracking Client): Service sharing a process with other services, stopped

Result: Udfs: File system driver, stopped

Result: ufad-ws60 (VMware Agent Service): Service running in its own process, stopped

Result: ultra: Device driver, stopped

Result: Update (Microcode Update Driver): Device driver, stopped

Result: upnphost (Universal Plug and Play Device Host): Service sharing a process with other services, stopped

Result: UPS (Uninterruptible Power Supply): Service running in its own process, stopped

Result: usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver): Device driver, stopped

Result: usbhub (USB2 Enabled Hub): Device driver, stopped

Result: usbkey (USB Dongle): Device driver, stopped

Result: USBSTOR (USB Mass Storage Driver): Device driver, stopped

Result: usbuhci (Microsoft USB Universal Host Controller Miniport Driver): Device driver, stopped

Result: VgaSave (VGA Display Controller.): Device driver, stopped

Result: ViaIde: Device driver, stopped

Result: VMAuthdService (VMware Authorization Service): Service running in its own process, stopped

Result: vmci (VMware vmci): Device driver, stopped

Result: vmkbd (VMware kbd): Device driver, stopped

Result: VMnetAdapter (VMware Virtual Ethernet Adapter Driver): Device driver, stopped

Result: VMnetBridge (VMware Bridge Protocol): Device driver, stopped

Result: VMnetDHCP (VMware DHCP Service): Service running in its own process, stopped

Result: VMnetuserif (VMware Network Application Interface): Device driver, stopped

Result: vmount2 (VMware Virtual Mount Manager Extended): Service running in its own process, stopped

Result: VMparport (VMware VMparport): Device driver, stopped

Result: VMware NAT Service: Service running in its own process, stopped

Result: vmx86 (VMware vmx86): Device driver, stopped

Result: VolSnap: Device driver, stopped

Result: VSS (Volume Shadow Copy): Service running in its own process, stopped

Result: vstor2 (Vstor2 Virtual Storage Driver): Device driver, stopped

Result: vstor2-ws60 (Vstor2 WS60 Virtual Storage Driver): Device driver, stopped

Result: W32Time (Windows Time): Service sharing a process with other services, stopped

Result: Wanarp (Remote Access IP ARP Driver): Device driver, stopped

Result: WDICA: Device driver, stopped

Result: wdmaud (Microsoft WINMM WDM Audio Compatibility Driver): Device driver, stopped

Result: WebClient: Service sharing a process with other services, stopped

Result: winmgmt (Windows Management Instrumentation): Service sharing a process with other services, stopped

Result: WmdmPmSN (Portable Media Serial Number Service): Service sharing a process with other services, stopped

Result: Wmi (Windows Management Instrumentation Driver Extensions): Service sharing a process with other services, stopped

Result: WmiApSrv (WMI Performance Adapter): Service running in its own process, stopped

Result: WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment): Device driver, stopped

Result: wscsvc (Security Center): Service sharing a process with other services, stopped

Result: wuauserv (Automatic Updates): Service sharing a process with other services, stopped

Result: WZCSVC (Wireless Zero Configuration): Service sharing a process with other services, stopped

Result: xmlprov (Network Provisioning Service): Service sharing a process with other services, stopped

Result: {1DFCE140-4FDA-4F95-ADC8-A3ED252DCF93} (KVSrvXP-{1DFCE140-4FDA-4F95-ADC8-A3ED252DCF93}): , stopped

Result: {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver): Device driver, stopped

Result: {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver): Device driver, stopped

Result: Driver list created successfully.



Hint: Starting program module: ATACheck (check ATA disk security settings)

Result: ATA security settings for Disk 0 (ST3802110A, 5LR6NYYZ)

Result: ATA security is disabled.

Result: Frozen: Yes



Hint: Starting program module: HPACheck (check for an HPA)

Result: No HPA was found on this computer.



Hint: Starting program module: ListMountedVolumes (list all mounted volumes)

Result: List of mounted volumes:

Result: C: resides on disk 0, start sector: 63, file system: NTFS.

Result: E: resides on disk 0, start sector: 20482938, file system: NTFS.

Result: F: resides on disk 0, start sector: 61448625, file system: NTFS.

Result: G: uses file system: FAT32

Result: List of known disks:

Result: Disk 0 is a ST3802110A, serial no.: (unknown), capacity: 74.5 GB, bus: ATA.



Hint: Starting program module: EncryptionCheckProcessList (encryption process check)

Result: Found the following suspicious processes: PGPtray.exe, PGPserv.exe



Hint: Forcing CheckDriverListForEncryption (encryption driver check)

Result: No drivers for encryption found.



Hint: Forcing EncryptionCheckProcessMemory (search process memory for encryption keywords)

Result: Found search string "PGPsdkService" in process PGPserv.exe. (PGP found)

Result: One suspicious string was found once in one process.



Hint: Forcing EncryptionCheckDiskSectors (check disk sectors for encryption)

Result: No encrypted disks were found.



Hint: Forcing CheckForBitLockerVolumes (check for BitLocker)


Result: Found no volume that is encrypted with BitLocker.



Hint: Starting program module: LogicalImaging (logical imaging of volumes)


Result: Cannot determine disk containing volume G:, imaging it...

Hint: Writing image segment 1 to F:\CAPTURE3\2009-03-23, 10-44-02-Logical Imaging\DriveG.e01. (writing the image file)

Result: Final hash value of the image (format MD5): 448c7f1fb21c6ec6de0d312854b792dc (MD5 hash computed)

Result: Writing hash of image to the Encase file.

Result: Image created successfully.

Result: No encrypted volumes found in this step.



Hint: Starting program module: PhysicalImaging (physical imaging)

Hint: Disk 0 is excluded from imaging, because it contains the output drive. (The evidence files were saved to drive F:, which is a partition on disk 0 of this same machine, so the whole suspect disk could not be imaged.)



Hint: Starting program module: LogicalBackup (logical copy of files; EFS-encrypted files are reported here)

Hint: Copying files logically will alter NTFS last FILE record modification timestamps. (searching for and copying EFS files)

Hint: Starting logical copying of all accessible files.

Hint: Excluding Capture start drive C:. (The C: drive is not included in the EFS file search and copy.)

Hint: Copying files from D: ...

Hint: Excluding drive E: because it is listed in the exclusion list.

Hint: F: is excluded from copying, because it contains the output path.

Hint: Copying files from G: ...

Result: Found 0 EFS-encrypted files total. 2 files were copied successfully.

Hint: Program execution completed cleanly.

Hint: Program completed on 23/03/2009, 11:00:00.
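The Hint:/Result: stream above can be reduced to a findings summary mechanically. The following parser is an added example, not code from X-Ways Capture or from the original post; its sample lines are constructed from the values shown in this log, and the message patterns it matches are only those seen here.

```python
import re

# Constructed sample in the format of the X-Ways Capture log shown on this page
# (one "Hint:" or "Result:" message per line); the values are copied from that log.
SAMPLE_LOG = r"""
Hint: Starting program module: ListMountedVolumes
Result: C: resides on disk 0, start sector: 63, file system: NTFS.
Result: G: uses file system: FAT32
Hint: Starting program module: EncryptionCheckProcessList
Result: Found the following suspicious processes: PGPtray.exe, PGPserv.exe
Hint: Forcing EncryptionCheckProcessMemory
Result: Found search string "PGPsdkService" in process PGPserv.exe.
Hint: Starting program module: LogicalImaging
Result: Final hash value of the image (format MD5): 448c7f1fb21c6ec6de0d312854b792dc
Result: Found 0 EFS-encrypted files total. 2 files were copied successfully.
"""

MODULE_RE = re.compile(r"^Hint: (?:Starting program module: |Forcing )(\w+)")
VOLUME_RE = re.compile(r"^Result: (\w:) resides on disk (\d+), start sector: (\d+), file system: (\w+)\.")
NODISK_RE = re.compile(r"^Result: (\w:) uses file system: (\w+)")
PROCESSES_RE = re.compile(r"^Result: Found the following suspicious processes: (.+)$")
MEMORY_RE = re.compile(r'^Result: Found search string "([^"]+)" in process (\S+)\.')
HASH_RE = re.compile(r"^Result: Final hash value of the image \(format (\w+)\): ([0-9a-fA-F]+)$")
EFS_RE = re.compile(r"^Result: Found (\d+) EFS-encrypted files total\.")


def parse_capture_log(text):
    """Reduce the Hint:/Result: stream to the findings an examiner reads first."""
    report = {"modules": [], "volumes": {}, "suspicious_processes": [],
              "memory_hits": [], "image_hashes": [], "efs_files": None}
    for line in text.splitlines():
        line = line.strip()
        if m := MODULE_RE.match(line):
            report["modules"].append(m.group(1))
        elif m := VOLUME_RE.match(line):  # volume mapped to a physical disk
            report["volumes"][m.group(1)] = {"disk": int(m.group(2)), "start_sector": int(m.group(3)), "fs": m.group(4)}
        elif m := NODISK_RE.match(line):  # e.g. the G: volume the tool could not map to a disk
            report["volumes"][m.group(1)] = {"disk": None, "start_sector": None, "fs": m.group(2)}
        elif m := PROCESSES_RE.match(line):
            report["suspicious_processes"] += [p.strip() for p in m.group(1).split(",")]
        elif m := MEMORY_RE.match(line):  # (search string, process) pairs from the memory scan
            report["memory_hits"].append((m.group(1), m.group(2)))
        elif m := HASH_RE.match(line):  # keep for later verification of the E01/DD image
            report["image_hashes"].append((m.group(1).upper(), m.group(2).lower()))
        elif m := EFS_RE.match(line):
            report["efs_files"] = int(m.group(1))
    return report


def encryption_indicated(report):
    """True if a detection module flagged encryption software on the live system."""
    return bool(report["suspicious_processes"] or report["memory_hits"])
```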




Article reposted from 計算機取證技術 (Computer Forensics Technology)

MacForensicsLab releases MacLockPick 2.1




New plug-ins added, full Linux support

NEWARK, CA, March 25, 2009 -- MacForensicsLab announced a new version of its multi-platform live forensics tool. In addition to acquiring data from Windows and Mac OS X systems on a suspect's computer, MacLockPick 2.1 adds the ability to acquire data from Linux systems. From now on, users no longer need to worry about which operating system the suspect computer runs. Version 2.1 also adds several new plug-ins that make acquiring key information more capable and simpler than before.

Today, acquiring and "interpreting" a suspect's electronic data, and doing so in time, is more pressing than ever. In cybercrime and computer crime work, live acquisition on the suspect's computer is often required, and the success of that work is measured in minutes rather than days. The question investigators constantly face is how to keep the data visible and valid while preserving the integrity of the crime scene.

The new version of MacLockPick can acquire the specific information in the Windows registry that is useful to an investigation. Although you can find important information by browsing the Windows operating system's data structures as a whole, MacLockPick shortens acquisition time and ensures the acquisition result. The information it can acquire includes: recently executed programs, Internet Explorer URL history, wireless network SSIDs, USB history, complete iPhone sync records, VNC server history, and more.

With MacLockPick II's Linux acquisition capability, investigators can now use MacLockPick II's newest function to acquire suspect information from Linux systems. For criminal suspects there is no longer any such thing as a "safe" operating system. MacLockPick II is currently the only live forensics tool that can be used across platforms.

MacLockPick II uses a plug-in architecture, giving investigators the greatest convenience and extensibility. MacLockPick II lets investigators add third-party tools to enhance MacLockPick's forensic capabilities.



I. What data can be acquired from a suspect computer

MacLockPick II is designed for computer forensics, eDiscovery and IT information management personnel, and efficiently acquires detailed information such as the operating system, user activity and history. Through its plug-in architecture, MacLockPick can be configured according to the information each user needs. This information can include: specific file types, chat logs, phone sync records, browser history, passwords, accounts and system data.

1. Plug-ins and plug-in types

Through plug-ins, MacLockPick lets investigators conveniently control the steps and information required for live acquisition. These plug-ins fall into 5 categories.

2. Built-in plug-ins

The following is only a partial list of MacLockPick II's plug-ins; the product's current capabilities go far beyond the functions described below.

a) Law enforcement only

The following two plug-ins are sold only to law enforcement.

NTLM and LAN Manager password acquisition - This plug-in acquires the LM and NTLM password hashes of the local user accounts in the SAM. After the hashes have been acquired with MacLockPick II, they can be taken back to the forensic lab and attacked by brute-force, dictionary or rainbow-table methods. Combined with a high-performance GPU computing system, passwords can be recovered quickly.

Apple Keychain acquisition - Similar to the Windows registry, a Mac's accounts and passwords are stored in the keychain; by acquiring the password information in the keychain, login passwords can then be attacked by dictionary methods.

b) For IT security administrators/eDiscovery and law enforcement

The following plug-ins are included in the standard MacLockPick II package.



Apple iPhone acquisition - Acquires the data of an iPhone or other device saved through Apple Mobile Sync on Windows and Mac OS X systems. The information obtainable includes (among more):
  • Incoming and outgoing call records with date and time
  • Received and sent text messages, including phone number, name, message content, date and time
  • IMEI (International Mobile Equipment Identity)
  • TMSI (Temporary Mobile Subscriber Identity)
  • IMSI (International Mobile Subscriber Identity)
  • Speed dial - the names and numbers set for speed dialing
  • Safari State Documents - pages open in the Safari browser
  • Safari History - pages visited in the Safari browser
  • Safari Bookmarks - all bookmarked addresses
  • Notes written in the Notes application
  • Address book and contacts, including each contact's call records
  • Mail account settings
  • Others....

Clipboard - Suspects often inadvertently leave important information in the clipboard. Text or images stored in the clipboard can be acquired. All text found is saved in the log report. All images are automatically converted to JPEG and saved in the log directory.
Firefox - Creates an analysis record of the suspect's use of Firefox 2 or 3. Includes the following (and more not listed here):
  • Bookmarked sites
  • History - sites visited
  • Cookies
  • Download records - downloaded URLs and file names
  • Form autofill - automatically recorded names, addresses and other information

Internet Explorer - Creates an IE analysis record
  • Bookmarked sites
  • History - sites visited
  • Cookies
  • Download records - downloaded URLs and file names

Network - Analyzes the suspect computer's local network information, including ARP tables, interfaces and netstat activity.

Processes - Lists all processes on the current computer. Helps identify and discover malware or the use of special tools.


Apple Safari - Creates a record of the Safari browser
  • Bookmarked sites
  • History - sites visited
  • Cookies
  • Download records - downloaded URLs and file names

Screenshot - Captures and saves the current screen of the suspect computer


Skype - Creates a record of Skype usage
  • VoIP call records, including names and phone numbers
  • Chat logs, including the participants' names, chat content, date and time
  • SMS messages, including name, phone number and message content
  • File transfer records
  • Contact list, including address information imported from other systems
  • Others....

System information - hardware information of the suspect computer
  • User name
  • Computer name
  • Operating system
  • System serial number
  • Processor
  • RAM
  • Model
  • UUID
  • Time zone
  • Country code
  • Others

USB flash drive history

Windows Registry - This module will extract all settings from the registry on Microsoft Windows systems.




II. Contents of the MacLockPick II kit:

1. Hardware

The MacLockPick II comes with a 2 GB flash drive that serves both as the license dongle and as storage for the programs, logs and reports, as well as for the data acquired from the suspect computer.
  • 2 GB
  • 31.3 mm x 12.4 mm x 3.4 mm
  • Shock-resistant and waterproof
  • USB 2.0, 30 MB/s
  • Compatible with Mac OS X, Windows and Linux

Formatted as FAT32, the only partition format supported by all of these operating systems.

2. Software

MacLockPick II contains 5 programs, 2 files and 3 specific directories. Each program comes in two versions, one for Microsoft Windows and one for Mac OS X (supporting both PowerPC and Intel Macs).



Summary:

Having looked at the features of MacLockPick II, I really think it is very powerful. Compared with the first generation, it is far better. In particular, it brings one tool to three platforms, and it focuses on system passwords, the registry, web history, and the iPhone. Once I get the trial version I will demonstrate it for everyone. The author, Marko, is very capable; this is a tool set that saves forensic examiners a lot of work.

Article reposted from 計算機取證技術 (Computer Forensics Technology)