In this short lab demonstration, I'm going to show you two analytical tools, one of which is going to be used to show us our open files, and the other one is going to be used to show us our open sessions. Now, by doing this we're going to be able to go into the Windows command line and use these two tools to see what files are being accessed at any given time by our system. This is very helpful when conducting an incident response and trying to determine if malware is opening or touching different files. The second thing we're going to do is look at the open network sessions, which will show us if any of the connections are being made from our machine out to the internet or out to the rest of the network. So, let's jump into the lab environment and take a look at these commands.

So, the first command we're going to use is known as openfiles. To use this, we have to first enable the file tracking on it. And so we're going to do openfiles /local, for the local machine, on. This is going to tell it to turn this on. Now that it's on, we have to reboot this machine so that it will enable it to track all of the open files. I'm going to reboot the machine and be right back.

Okay, my computer has been rebooted, and so now we can see what open files we have. So, let's type in openfiles, and then, since this is going to be a lot of information, I'm actually going to do a pipe and then more, which will give me one screen at a time. It takes a couple of seconds for it to take an inventory of the system, and then it's going to report this out to the screen. And so, here you can start seeing all of the files that are currently open. Notice we have the ID on the left, we have the process name that's using it, and then the open file. So, if I'm looking at something and I'm worried that it may be a piece of malware, I can actually see what files that malware is touching, the open files, and the process that's calling it. And so, if I see something in the middle here that's malware.exe, for example, although most hackers aren't going to call it that, then I can see what it's touching on the right. And so, this helps us as we go investigate any kind of things that are happening on this system. And this is why it's one of our monitoring tools. This can also be output to a file if you want, or you can just display it to the screen as I've done here. And as you hit spacebar, you'll be able to see all of the different files that are currently open by each of the different processes. Now I'm going to go ahead and hit Control-C to get back to my command prompt.

The next thing I want to show you is how to look at open network sessions. And to do this we're going to use the netstat command. And so we do that by typing netstat -ano, which is going to show me all of my network connections. And again, this is going to be a lot of information, so I'm going to use the more at the end as well. So here we go. On the left, you'll see the protocol in use, TCP or UDP; you'll see the local address, 0.0.0.0 is being used; and you can see the ports that are open on this machine, 135 and 445, because this machine has file sharing enabled. So it's sitting there on those first two lines and the state is listening. They're listening for somebody who wants to share the files with this computer. Then you can see some of these other options here. The high-number 49,000 ports are because there are connections out to the outside world, some kind of a website. And then we have that callback that's being done, so we open a high-number port, set it to listening, and then when we make that callout, we went from our computer, some high-number port, out to that website address over port 443. So, this has a secure tunnel established. And then you can see this as you go through all of the different things that are going on.

Now, I would be interested to know what these particular IP addresses are that we are seeing, this 52.173.28.179, or 52.97.72.2. If we start looking these up, we can figure out if we have malware on our machine or if these are legitimate processes. For example, these might be the machine calling out to Microsoft to say, is there a new update available? Do you have a new antivirus definition? Or things like that, because again, I don't have any website currently open right now. If I did, I would see that pop up in this display as well. And again, if you hit spacebar, you can go through all of your different screens and see everything that is currently available, both in IPv4 and IPv6, as you see on the bottom. That's the way this works when you use netstat -ano. It's going to show you all your current connections, what's established, what's listening, and what's making callouts.

I hope you found this demonstration useful, as you learned a little bit about openfiles and how you can monitor your local files in use, and netstat to see what your network connections are currently doing.