[TUTORIAL] Windows Forensics: Incident Response - Am I Hacked??

[TUTORIAL] Windows Forensics: Incident Response - Am I Hacked??

Last week, I received a message from a friend asking whether is it he got hacked as he found out his laptop is behaving strangely obviously and slow. Other symptoms of being hacked might be but not limited to, such as the programs close on itself, cursor moves on itself, CD-ROM open and close on itself, etc. If you have noticed, the keyword here is "itself" which the windows operation is performing on its own without your consent.

Normally these will be blackhat hackers, if you don't know what does blackhat hacker means. It simply means the hacker which is bad guy. Yeah! You heard it right, hackers do have bad and good, even a grey one! These hackers hack for reasons, they zombified your pc and do as they said. Some might use as a botnet to DDOS their target, some might use as a better anonymity by attacking (stealing information etc) other victims through your pc, some might use as a server to distribute materials, some might use to threaten you for ransom by locking up your pc.... the reasons behind these are wayyyy too much and it up to your imaginations and ideas.

Alright! Let's cut it short and dive in to start our forensics straightaway. I prefer to use the old school way where perform the forensics using windows utilities as I believe start from the basic is always the best way to learn. Of course there are some new school GUI utilities released by microsoft, which I will share later. Today, I will just use the Netstat, a old school DOS program in windows.

netstat /?

Here show a snapshot for the netstat utility in windows xp. The netstat in windows xp might lack of few features that is present in latest windows version. But it will not affect our forensics operation today. ;) As we will only use the -a -n -o in today. The -a trigger shows all the connections included TCP and UDP connections. The -a trigger shows all the connection including TCP and UDP. The -n trigger displays all the address and ports in numerical form, which will be ease up our task later in identifying. The -o displays the process ID which we will use to kill the connection later.

netstat -ano

Protocol: This column displays whether the connections is using TCP or UDP type of connections.
Local Address: This column displays the hostname or IP address of local connections, followed by the port number.
Foreign Address: This column displays the hostname or IP address of the remote connections, followed by the port number.
State: This column shows the state of the program's connection. These states are:

ESTABLISHED - An active connection between local and remote address.
LISTENING - A connection waiting for remote address to connect.
CLOSE_WAIT - A connection closed by the remote host.
TIME_WAIT - A connection closed by the local host.

PID: This column shows the process ID for the connections.

The things you need to alert is the "LISTENING" and "ESTABLISHED" state, where your pc might be infected by trojans which will connect your pc back to the attacker. In my XP box, the current netstat shows a very simple and short lists, where only port 135, 445, 1030, and 139. The best way to identify the port whether is malicious or not is by using Google.

Or else, the next thing you can do it by identify the process by looking up the PID using tasklist utility. Let's say we want to identify the program that is running on port 1030 with the respective PID 1892.

e.g.: tasklist /FI "PID eq 1892"

We can see it's a programming named alg.exe running on our pc. Assume that we do not know what is alg.exe. Simply google it up! Or try with this link http://www.fileresearchcenter.com/

And we found out it is the "Application Layer Gateway Service". But, what if I found a malicious port with running processes. OK! I will demo by running Poison Ivy in my XP box.

Here we see a strange port running on port 3460 and port 1044, where both of them belongs to PID 1912. So let's find out what is process 1912.

Obviously! It is our Poison Ivy! XD

So, let's just kill it!

And, the process has been killed and terminated. It is still best to scan your pc with virus scanner as the trojan might auto start up during the next boot. All the procedures above are only best to prove you're infected and you're able to kill the trojan process for the moment. And it is best to identify those trojans which are still actively developed and unable to detected by AV.

Alternatively, you might try on TCPView, Process Monitor and Process Explorer with the GUI options.