Quick Start to computer forensics

Under the premise of ensuring the above basic principles, computer forensics is generally carried out in the following steps:
1. Avoid any changes, damages, and data damages to the target computer system during forensic check.
Or virus infection. You need to unplug the network cable and shut down the machine in time.
2. Use data recovery software (such as finaldata) to completely recover and back up the system
All data. (Note: the installation and recovery of data recovery software must be stored on the mobile hard disk
And never use the hard disk of the target computer)
Download: http://ids.ids.net.cn/tool/byshell.rar
At the same time, an original system that is not analyzed is retained for later use of evidence.
3. Search for all trojan files in the target system (specifically, search for attack programs or
As a stepping stone, you can use anti-virus software, but only set it to search, not clear), and
Normally stored files, deleted files, but still exist on the disk (that is, they are not overwritten by new files)
Files, hidden files, password-protected files, and encrypted files.
4. display the hidden files, temporary files, and swap files used by the operating system or application to the maximum extent.
.
5. view the contents of protected or encrypted files.
6. Check whether the IE history record contains the relevant webpage address records.
7. Use the Registry organizing tool to organize the registry and check whether there are Trojans and webpages in the registry.
Key value.
8. Check whether the system is a proxy server, such as SOCKS5.
Basic Principles of Computer Forensics:
1. Do not write or delete any files on the target computer;
2. If the target computer is connected to the network, the network needs to be interrupted in time;
3. collect evidence as soon as possible to ensure that it is not damaged;
4. Ensure data continuity as much as possible.
Www.cert.org.cn 2
9. view the corresponding log files, including system log files, application log files, DNS log files,
Security log files, firewall logs, HIDs logs, and NIDs logs.
10. check account Security: After the server is infiltrated, it usually appears in the user account of the system.
You can view related information in system logs.
The following table describes the event ID and description:
Event ID description
528 the user successfully logged on to the computer.
529 someone attempted to log on with an unknown user name or a known user name,
The password is incorrect.
530 the user account attempts to log on at an unallowed time.
531 someone uses a Disabled Account for logon attempts.
Example: Windows Operating System
DNS Log File: % SystemRoot %/system32/config
Security log file: % SystemRoot %/system32/config/secevent. EVT
System log file: % SystemRoot %/system32/config/sysevent. EVT
Application Log File: % SystemRoot %/system32/config/appevent. EVT
Default location of Internet information service ftp logs: % sys temroot %/sys tem32/logfiles/msftpsvc1/
Default location of Internet Information Service WWW logs: % sys temroot %/sys tem32/logfiles/w3svc1/
Default location of schedroot service logs: % sys temroot %/schedlgu.txt
The keys of the above logs in the registry:
Location of application logs, security logs, system logs, and DNS server log files in the registry:
HKEY_LOCAL_MACHINE/sys tem/CurrentControlSet/services/EventLog
Some administrators may find these logs again. There are many sub-tables under Eventlog, which can be found in
The directory where the preceding logs are located.
Location of schedluler service logs in the registry:
HKEY_LOCAL_MACHINE/software/Microsoft/schedulingagent
Www.cert.org.cn 3
532 someone uses an expired account to log on.
533 the user is not allowed to log on to this computer.
534 this user attempts to use unsupported login types (such as network login, interactive login, batch login, Server
Service logon or remote interactive logon.
535 the password of the specified account has expired.
536 the "network logon" service is not active.
537 logon attempts failed for other reasons.
538 a user is canceled.
539 The account is locked when someone attempts to log on. This event indicates that a password attack was initiated but not
Therefore, the account is locked.
540 network logon successful. This event indicates that the remote user is successfully connected to the local resource on the server from the network.
And generates a token for the network user.
682 a user reconnects to a disconnected "Terminal Service" session. This event indicates that someone is connected
To the previous "Terminal Service" session.
683 a user disconnects the "Terminal Service" session without logging out. This event is performed by a user through
Generated when the network is connected to a "Terminal Service" session. It appears on the terminal server.
Besides viewing Event Logs, You should also check the information of all accounts, including their groups. Yes
Some hackers often add their own accounts after intrusion, or modify the permissions of remote users.
To facilitate further intrusion.
11. Monitor opened ports
Attacks are often initiated by performing port scans to identify any known service running on the target computer.
. You should ensure that you carefully monitor which ports are opened on the server.
Scan the ports to determine which ports can be accessed.
If the opened ports cannot be identified, they should be investigated to determine
Whether the corresponding service is required. If you do not need this service, you should disable or delete the service
Prevent computers from listening on this port. You can also use this command to check the related connections.
Xu's malicious connection is here.
Www.cert.org.cn 4
Note: In all the above operations, screenshots must be taken when key issues are identified and
Output results are retained.
Netstat.exe is a command line utility that displays all opened ports of TCP and UDP.
The netstat command uses the following syntax:
Netstat [-A] [-E] [-N] [-S] [-P proto] [-R] [interval]
Where:
-A. All connection and listening ports are displayed.
-E. Display Ethernet statistics. It can be used in combination with the-s option.
-N. The address and port number are displayed in numbers.
-P Proto. display the connection of the Protocol specified by proto; proto can be TCP or UDP. If
To display the statistics of each protocol, proto can be TCP, UDP, or IP.
-R. The route table is displayed.
-S. displays statistics for each protocol. By default, statistics on TCP, UDP, and IP are displayed,
You can use the-P option to specify a subset of the default values.
Interval. Re-display the selected statistics. The statistics are paused at intervals of seconds between each display. Press Ctrl + c
The key combination stops displaying statistics again. If this parameter is omitted, netstat prints the current configuration only once.
Information.
When the TCP and UDP ports opened on the local computer are listed, the port number is based on
The items in the/% WINDIR %/system32/Drivers/etc/folder are converted to names. If
If you want to see only the port, you can use the-n switch.