Windows forensics: Recovering from an attack

By Nazar Tymoshyk

To avoid a wordy, roundabout introduction, let me get straight to the point: if you are encountering the term forensics, there is already a problem. To protect you and your company from hasty decisions and nasty outcomes, here are some things to keep in mind when it comes to recovering from an attack with Windows forensics. If there is a strong suspicion, grounded in solid proof, that a Windows system has been compromised (be it anomalous traffic, an intrusion detection alert, or simply complaints from the system's users), try following this rather classic what-to-do-next approach.

Isolation

When your kid catches chicken pox and you don't want others to be covered with contagious red dots, you block them off from the outside world until they are fully healed. Treat Windows as your kid: disconnect the affected system from the open network. Even though every company's business goal is to have its Windows systems up and running right away, give the system some time and treatment to recover properly. Otherwise you risk even more damaging after-effects.

Proper Backup

If your Windows system was hacked but you are not sure when exactly (a week, a month or a year ago), look at the latest backups and get all of the compromised parts back on track. Just cleaning the system and putting it back online is not enough, though: it might contain backdoors or viruses that were not detected (hackers are smart enough to count on your negligence and leave something in disguise). Have your IT team, along with security experts if you have access to them, monitor the system's connections inside the company with heightened attention for at least 2-3 months.

Password Change

Never try to hide a security breach from your users. Sooner or later the truth will come to light, and if that light shines from the client's side, you may harm your reputation. Inform Windows users about the affected system and advise them to change all relevant passwords.

Core Repair Process

Once the Windows system is turned off, your next major goal is to preserve its integrity. Here are the best practices for analysing the security breach and seeing what can be done:

  • Clone the hard disk
  • Launch the system in a virtual environment (Disk2vhd is a great utility for carrying this out on Microsoft Hyper-V virtual machines while the original machine remains intact)
  • Having created a clone and changed all the passwords, temporarily block access to the Windows system for all employees and/or external users
  • Apply Security Information and Event Management (SIEM) to establish relationships between event logs (NetFlows, QFlows, VFlows)
  • A common practice is to create a Windows memory dump. Usually, the malicious component that gives an attacker access to the system resides in the system's memory, so double-check that no concealed processes are executing there. Dumping the registry is also important for determining which programs start with the system

Our major goal is to analyse all the Windows system files and memory in the virtual environment for malware detection (here McAfee, Dr.Web, and Kaspersky may come in handy).

Complex Diagnostics

Know your enemy: once the malicious component that provides unauthorized access has been discovered, read up on it. Check all network connections and analyse the integrity of the event logs. Since it is harder to alter a log than to delete it, gaps in the logs make it easy to spot where an attacker was trying to cover up their activity.

It comes as no surprise that an attacker uses one system to get into the wider network, trying to infect more and more systems and opening backdoors. That is why it is important to check all the systems even if only one was compromised. From a business viewpoint, being down for a couple of days may be a problem, but that is the price you pay for guaranteeing further security. Follow these steps to detect any malicious actions that may damage a Windows system:

  1. Collect all events, overlay them and correlate them with one another.
  2. See if your data was affected by checking when it was modified and comparing it with the latest backup. If it was modified, make sure the modified data has not been published online or gone into production.
  3. Check the last backup for any security holes and open gates. Bring it in line with the latest updates and patches.
  4. Change IP addresses and set up firewalls or content distribution networks to prevent an attacker from reconnecting to the Windows system.
  5. Cryptography is your best friend when it comes to user passwords: make them as hard to crack as possible.
  6. Who connected to what, when, how and why: monitor all connections for any suspicious activity.
  7. Go through the most recently created accounts: an attacker could dump admin passwords or create a disguised account of their own in the system and in Active Directory. For example, Mimikatz is a widely used tool for extracting plaintext Windows passwords.
  8. Analyse the Task Scheduler and look for anything suspicious.
  9. Don't panic and don't give in to blackmailers' demands: if a person is capable of compromising your Windows system, they will keep intimidating you without a trace of remorse.
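As an added example (not part of the original article), the following PowerShell script runs the checks from items 7 and 8 above, the event-log integrity check from the previous section, and the registry autostart dump from the core repair process, on the cloned system from an elevated prompt. The `-Since` lookback parameter is an assumption of this script; the event IDs 1102, 104 and 4720 are the standard Windows ones.

```powershell
# Added triage script, not from the original article: run it in the cloned VM
# from an elevated prompt. -Since is an assumed parameter (how far back to look).
param([datetime]$Since = (Get-Date).AddDays(-30))
function Get-EventField($Event, [string]$Name) {
    # Read a named EventData field from the event XML, independent of field order.
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
function Get-LogClearing {
    # Clearing a log is easier than editing it, so look for the clearing itself:
    # 1102 = Security audit log cleared, 104 = another event log cleared.
    foreach ($f in @{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 }) {
        $f.StartTime = $Since
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}
function Get-NewAccounts {
    # 4720 = user account created; it records the original name even if later renamed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = (Get-EventField $_ 'TargetUserName')
            CreatedBy  = (Get-EventField $_ 'SubjectUserName') } }
}
function Get-RecentTasks {
    # Scheduled tasks registered inside the window, with the command each one runs.
    Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt $Since } |
        ForEach-Object { [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            Author  = $_.Author
            Command = (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ') } }
}
function Get-AutostartEntries {
    # Run/RunOnce registry keys: programs that start with the system or at logon.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object { $_.Name -notin $meta } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
# Report: one section per check from the article's diagnostics list.
"== Event logs cleared since $Since ==";         Get-LogClearing      | Format-Table -AutoSize
"== Accounts created since $Since ==";           Get-NewAccounts      | Format-Table -AutoSize
"== Scheduled tasks registered since $Since =="; Get-RecentTasks      | Format-Table -AutoSize
"== Autostart entries (Run/RunOnce keys) ==";    Get-AutostartEntries | Format-Table -AutoSize
```

Compare the autostart and task output against the same queries on a known-good backup image: entries present only on the compromised clone are the ones to investigate first.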

Retrospective

After the business continuity plan and disaster recovery have been carried out, lessons learnt come into play! In a perfect world, every company would have a dedicated Security Committee, or even a separate Security Team, responsible for creating and executing an Incident Response Plan, i.e. a clear-cut procedure of communication in the case of a security incident. In the real world, however, we often need to face the attack ourselves. This is where the ability to perform Windows forensics becomes an incredibly important skill.

Resources

There are plenty of great Windows forensic guides and training sessions. Prepare and prevent!

Windows Security & Forensics - Microsoft Virtual Academy

Security in the Enterprise - Microsoft Virtual Academy

Security in a cloud enabled world - Microsoft Virtual Academy


By Nazar Tymoshyk, Security Consultant Lead at SoftServe. Nazar has a Ph.D. in Information Security and more than 15 years of experience in security consulting, enterprise IT consulting and forensics.