Tool Overview
- How NTLast works:
  - Reads the NT Audit log and analyzes the data into a much easier to read format
- What does it help identify quickly?
  - It quickly displays who logged on and when
  - How long they were logged on
  - Logon Failures - no way to plainly see this in
  - MAIN CLUE: Where did they come from?

Setting Up the Audit - Errors
- Very common error
- The following slides explain the mistake of setting auditing for only one file when you think auditing has been set for several files - the NT GUI is a bit misleading here.
- Unless you go back and check, you can't be sure your files are being audited.
- Notice on the first slide that ACEs are added for the first group, but the second slide shows the following groups have no ACEs assigned.
- Result = No Effect

Setup Error #1
(screenshot slide)

Setup Error #2
(screenshot slide)

Running NTLast
Important Notes
- Auditing must have already been turned on and events have been recorded.
- It doesn't do any good to run NTLast against an empty log.
- NT has security auditing turned off by default, so this must be specifically done beforehand.

Combining Switches
    ntlast /f /i                   = Gets the last 10 failed interactive logon attempts
    ntlast -f -r -n 25             = Gets the last 25 failed remote logon attempts
    ntlast /i /not Administrator   = Gets the last 10 interactive logons by other accounts besides "Administrator"
    ntlast -m \\machinename -f -r  = Gets the last 10 failed remote attempts against machine name

Watching for Logon Failures
- Failures are indicated by a single value of 528 in the NT Event Log. This is not easy to spot, nor count.
- At first glance, determining which account failed the logon is not obvious either.
- See the following slide for how to use the -F switch with NTLast to view all the failed logon attempts against your box quickly.
- TIP - I keep ntlast in my path and I place a shortcut to it from Explorer so I can get to it quickly - see the appendix for details on setting this up.
- TIP - I also keep a shortcut placed on my desktop to the Event Viewer, and have the security log as the default log to look at. See the appendix for details of how to do this.

Routine Password Guessing
    NTLast -f -r -n 100 >> results.txt

    susans     \\LIONESS  BDC2  Sun Jun 20 09:04:13pm 1999
    susans     \\LIONESS  BDC2  Sun Jun 20 09:04:13pm 1999
    susans     \\LIONESS  BDC2  Sun Jun 20 09:04:14pm 1999
    mrogers    \\LIONESS  BDC2  Sun Jun 20 09:04:14pm 1999
    mrogers    \\LIONESS  BDC2  Sun Jun 20 09:04:15pm 1999
    mrogers    \\LIONESS  BDC2  Sun Jun 20 09:04:15pm 1999
    erindfeld  \\LIONESS  BDC2  Sun Jun 20 09:04:16pm 1999
    erindfeld  \\LIONESS  BDC2  Sun Jun 20 09:04:16pm 1999

- Notice as well how closely the times are synchronized - this indicates automated guessing.
- Probably attempting 3 common guesses so as not to trigger a lockout.
- **Note - Using the -f switch for failure lookups
- **Note - Redirecting ntlast output to a file to save results

Remote Usage Results
    NTLast -r >> results.txt

    erindfeld  \\RIND     BDC2  Mon Jun 21 10:10:00am 1999
    erindfeld  \\RIND     BDC2  Sun Jun 20 04:41:15pm 1999
    erindfeld  \\SUSANS   BDC2  Sat Jun 19 12:47:14am 1999  <--Oddball
    mrogers    \\MROGERS  BDC2  Tue Jun 15 12:38:32pm 1999
    susans     \\SUSANS   BDC2  Wed Jun 09 04:47:52pm 1999
    mrogers    \\MROGERS  BDC2  Wed Jun 09 06:40:52pm 1999
    erindfeld  \\RIND     BDC2  Wed Jun 09 09:31:21am 1999

- Notice the oddball here: erindfeld logging on from someone else's box late at night.
- **Note - Redirecting ntlast output to a file to save results

Evidence of a Sniffed Password
    NTLast -r -n 200 >> results.txt

    brianm    \\LION     ACCT  Wed Apr 21 02:07:30am 1999  <--ALERT
    brianm    \\LION     ACCT  Sat Apr 17 12:57:22am 1999  <--ALERT
    gallager  DOCSERV    ACCT  Thu Apr 08 05:45:14pm 1999  <--Normal local
    gallager  DOCSERV    ACCT  Wed Apr 07 05:18:03pm 1999  <--Normal local
    thomasl   DOCSERV    ACCT  Tue Apr 06 05:58:34pm 1999  <--Normal local
    brianm    \\BRIANM   ACCT  Mon Apr 02 02:09:29pm 1999  <--Normal remote
    thomasl   \\THOMASL  ACCT  Mon Apr 02 11:01:19am 1999  <--Normal remote

- Notice the time lag between brianm logging on from his machine and logging on from the unknown remote box.
- Indicates the time needed to crack the sniffed password.
- Notice no failures - fairly significant - strong evidence of a sniffed password.

Remote User Activity
    NTLast -r -u brianm -n 3 >> results.txt

    brianm  \\LION  BDC2  Mon Jun 07 09:10:00pm 1999
    brianm  \\LION  BDC2  Sun Jun 06 03:41:15am 1999
    brianm  \\LION  BDC2  Sat Jun 05 04:47:14am 1999

- Tells us the last 3 times this guy logged on remotely.
- Now drill down on one of these times.

Verbose Mode - Time Frame Usage
    NTLast -v -r -u brianm >> results.txt

35 minute remote logon from brianm:

    Record Number: 704
    ComputerName: ACCT
    EventID: 528 - Successful Logon
    Logon: Wed Apr 21 02:07:30am 1999
    Logoff: Wed Apr 21 02:42:30am 1999
    Details -
    ClientName: brianm
    ClientID: (0x0,0x20F9E8A)
    ClientMachine: \\LION
    ClientDomain: ACCT
    LogonType: Remote

- This gives us a 35 minute window during the first crack to look for file activity.
- **Note - Saving verbose mode output to a file

Regarding Searching
Two things to try
- You will want to look at the very first access times to see the first possible activity.
- Next look at recent activity.
- Be prepared, you may find nothing.
- TIP - Try to run as few apps as possible while performing an exam.
  Command line tools leave a smaller footprint - less chance of altering evidence.

Matching File Access
Searching for files
- Rule out normal system files - I use HandleEx.exe from SysInternals for learning about system files.
- At a command prompt, use
    dir /t:c   to find file creation times
    dir /t:w   to find last file write times
    dir /t:a   to find last file access times
- Tip - run "dir /t:a > search.txt" and load that file into an editor with a search feature.

Searching
With luck,
- you will find a file created during that first suspected logon
- you will find that same file accessed during the last logon
WARNING
- **Note - Don't use Explorer to check file access times. This destroys the real file access time by setting it to the current time you look at it. That isn't what you want and will kill your clues.

File Search Results
With luck, a file shows creation for that time:

    dir /t:c c:\winnt\system32 >> results.txt

    06/13/96  06:38p     152,848 winmsd.exe
    06/13/96  06:38p      13,046 winnt.hlp
    04/21/99  02:38a      32,768 winoldapp.exe   <--VERY SUSPECT
    06/13/96  06:38p       2,880 winsock.dll
    04/30/97  11:00p      92,944 WINSPOOL.DRV
    04/30/97  11:00p      15,120 WINSRPC.DLL
    04/30/97  11:00p     166,672 WINSRV.DLL
    06/03/96  06:38p      19,728 winstrm.dll

- **There is no legit file called winoldapp.exe - but it does not look out of place
- **There IS a legit file called winoldap.mod - very similar
- **Compare - winoldapp.exe = 32k, winoldap.mod = 2k

File Examination Using GNU Strings
    ./strings winoldapp.exe >> results.txt

    NetUseDel
    NetShareEnum
    NetUseAdd
    NetUserEnum
    GetSidSubAuthority
    LookupAccountNameA

- **Strings reveals very suspicious API calls
- **Looks like a backdoor
- *Note - a hacker can hide his machine from browsers - see App. D
  - The hacker's machine is now basically invisible, so it's likely you won't notice it.
  - Then connect calls are made to this hidden machine from this dll.

Real Life Results Problematic
- You may find that the main file you are interested in was modified AFTER the suspected user time frame.
- Or the access time fits, but the modified time is wrong.
- This is probably not enough evidence and means you will have to keep digging.
- Or things are just totally overwritten.

Remote WinWord Launch
Partial list of file accesses during a user time frame:

    06/22/99  12:17a   3,772,176 MSO97.DLL
    06/22/99  12:17a   5,324,560 WINWORD.EXE
    06/22/99  12:17a   1,158,416 WWINTL32.DLL

- Missing from the list is msidl.dll - MS GUI Hook
- This means a DCOM launch
- WinWord is operating in the background w/ no visible interface - can only view this from Task Manager

Trouble Finding DCOM Permissions
- Look, WinWord is not listed in DCOMCNFG
- It is listed in OleView; very few admins know about OleView
- Or under the Classes key
- User Manager perms/users are not altered, so looking there is not helpful

OleView.exe #1
(screenshot slide)

OleView.exe #2
(screenshot slide)

OleView Permissions
- Look, runs under perms of the current GUI user
- Use "nbtstat -a" to probe when Admin is logged on
- Launch WinWord with full Admin privs = Guest backdoor w/ Admin privs
- WinWord has a large install base
- Don't install Word on a secure file server

App_Dll Key
    HKLM/Software/microsoft/windows nt/currentversion/windows/appinit_dlls
- Loads the dll listed here into every GUI process
- Empty by default
- Never seen this used by a legit app
- **The kicker is that this value is saved in kernel mode, and requested by user32 whenever a GUI is launched. This means that the value can be erased while running to help hide it, but its effect stays in place.
- IMPORTANT - this is *NOT* in MS sec guidelines, nor in any NT sec book guidelines I have seen.

Hooks
- Hooks allow the loading of dlls into 'every' GUI process.
- This means a keyboard/clipboard interceptor.
- Example - pgp puts pgp60hk.dll into every process space.
  You can see this with handleex.exe.

Gina Replacement Key
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Be aware that a new value here allows a dll to intercept your logons.

Summing It All Up
We have
- introduced you to the practical operation of NTLast for auditing Windows NT
- shown you how to interpret audit results for revealing an intrusion
- shown evidence of an intrusion
- shown files accessed within a user timeframe
- given some tips to assist you

Resources and Reference
- Afind.exe for finding file access times without changing them
- Audited.exe for generating a list of all files being audited on a system
  - Quick way to check your work
- Both tools are freeware and can be downloaded from http://www.ntobjectives.com
- HandleEx.exe from SysInternals, again freeware, at http://www.sysinternals.com
- Strings from Cygnus Bash - freeware unix tools for NT *VERY USEFUL* http://www.cygwin.com

Addendum - Facts, Tip details
- TIP Access times can be faked
- TIP Place an Event Viewer shortcut on the desktop - set Event Viewer to default to the security log.
- TIP Don't use Explorer to look up access times, it corrupts them

TIP - NTLast as a Performance Tool
You can use NTLast as a network performance tool. Since you can list all remote access across your net, 50 users logging onto Steve's box means two things: either you found the hidden MP3 site at your company, or data exists on that host that needs to be backed up and/or have redundancy provided.

Appendix A
Placing NTLast in your path
- Copy ntlast to the system dir or modify your environment variable.
- Right click on the file name, select copy, move to the winnt\system32 directory, select paste and paste it in there,
- or go to the start button on your task bar, select settings, then control panel. Once the control panel is up, select the system icon. Now select the environment tab, and in the system variables section, select path; this causes your path string to appear in the edit box just below.
  Add the name of the directory where NTLast is there and hit apply. NTLast is now in your path.

Appendix B
Creating a prompt shortcut from Explorer
- Edit the HK_CLASSES_ROOT/directory/shell key
- Add a key called "prompt"
- Under this key, add another key "Command"
- Now under this key, set the default value to say: cmd /K "%1"
- "%1" must be surrounded in quotes
- Now when you right-click from Explorer you have the option of opening a prompt set to the directory you are currently in.

Appendix C - Installing NTLast
- Download a copy of NTLast from http://www.ntobjectives.com/ntlast15.exe
- Install it with the self-installing exe (pretty painless)
- To get started quickly, have the install program place ntlast in your c:\winnt\system32 directory. This forces it into your path and makes using it really easy.
- Or use the manual method in App. A
- Ensure that auditing exists on your NT box

Appendix D - Hiding from Browsing
- Using the registry editor, set the key
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
- Set the value Hidden from 0 to 1. You should then reboot.
- You can also type: net config server /hidden:yes
- You can still connect to the computer, but it is not displayed on the browser.
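The checks the "Routine Password Guessing" and "Remote Usage Results" slides do by eye, written as a script over saved NTLast output. This is an added example, not part of the original deck or of NTLast; the column layout is assumed from the slide listings, and the function names, thresholds and the one constructed log line are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Column layout (user, source, domain, timestamp) is assumed from the slide listings.
ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<dom>\S+)\s+\w{3}\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2}[ap]m\s+\d{4})"
)

# Failed remote logons from the "Routine Password Guessing" slide. The first
# line is constructed: a lone mistyped password, as a benign contrast.
FAILED = r"""
mrogers    \\MROGERS  BDC2  Sun Jun 20 08:15:02am 1999
susans     \\LIONESS  BDC2  Sun Jun 20 09:04:13pm 1999
susans     \\LIONESS  BDC2  Sun Jun 20 09:04:13pm 1999
susans     \\LIONESS  BDC2  Sun Jun 20 09:04:14pm 1999
mrogers    \\LIONESS  BDC2  Sun Jun 20 09:04:14pm 1999
mrogers    \\LIONESS  BDC2  Sun Jun 20 09:04:15pm 1999
mrogers    \\LIONESS  BDC2  Sun Jun 20 09:04:15pm 1999
erindfeld  \\LIONESS  BDC2  Sun Jun 20 09:04:16pm 1999
erindfeld  \\LIONESS  BDC2  Sun Jun 20 09:04:16pm 1999
"""

# Successful remote logons from the "Remote Usage Results" slide.
REMOTE = r"""
erindfeld  \\RIND     BDC2  Mon Jun 21 10:10:00am 1999
erindfeld  \\RIND     BDC2  Sun Jun 20 04:41:15pm 1999
erindfeld  \\SUSANS   BDC2  Sat Jun 19 12:47:14am 1999
mrogers    \\MROGERS  BDC2  Tue Jun 15 12:38:32pm 1999
susans     \\SUSANS   BDC2  Wed Jun 09 04:47:52pm 1999
mrogers    \\MROGERS  BDC2  Wed Jun 09 06:40:52pm 1999
erindfeld  \\RIND     BDC2  Wed Jun 09 09:31:21am 1999
"""


def parse(listing):
    """Return (user, source, timestamp) tuples; lines that do not fit are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            stamp = " ".join(m["ts"].split())
            ts = datetime.strptime(stamp, "%b %d %I:%M:%S%p %Y")
            rows.append((m["user"].lower(), m["src"].lstrip("\\").upper(), ts))
    return rows


def guessing_sweeps(failures, max_gap=timedelta(seconds=5), min_accounts=3):
    """Group each source's failures into bursts (neighbours <= max_gap apart)
    and report bursts that touch at least min_accounts different accounts."""
    by_source = defaultdict(list)
    for user, src, ts in failures:
        by_source[src].append((ts, user))
    findings = []
    for src, events in by_source.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:          # None flushes the last burst
            if ev is not None and ev[0] - burst[-1][0] <= max_gap:
                burst.append(ev)
                continue
            per_account = Counter(user for _, user in burst)
            if len(per_account) >= min_accounts:
                findings.append({
                    "source": src,
                    "accounts": sorted(per_account),
                    "attempts": len(burst),
                    "max_per_account": max(per_account.values()),
                    "span": burst[-1][0] - burst[0][0],
                })
            burst = [ev]
    return findings


def oddball_logons(successes, min_baseline=2):
    """Flag a logon from a source an account used only once, when that account
    has a usual source with at least min_baseline logons."""
    seen = defaultdict(Counter)
    for user, src, _ in successes:
        seen[user][src] += 1
    findings = []
    for user, src, ts in successes:
        usual, count = seen[user].most_common(1)[0]
        if src != usual and count >= min_baseline and seen[user][src] == 1:
            off_hours = ts.hour < 6 or ts.hour >= 22   # cut-off hours are an assumption
            findings.append((user, src, usual, ts, off_hours))
    return findings


if __name__ == "__main__":
    for hit in guessing_sweeps(parse(FAILED)):
        print("sweep:", hit)
    for hit in oddball_logons(parse(REMOTE)):
        print("oddball:", hit)
```

A low `max_per_account` across several accounts in one burst is the lockout-avoidance pattern the slide describes.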
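The correlation done across the "Verbose Mode - Time Frame Usage" and "File Search Results" slides, as an added example that is not part of the original deck: it takes the logon window from a verbose record and lists files from `dir /t:c` output created inside it, noting when the name is a near miss of a known file. The line layout of the verbose record, the function names, the similarity cutoff and the known-good baseline list are assumptions.

```python
import re
from datetime import datetime
from difflib import get_close_matches

# Verbose record from the "Verbose Mode" slide (one field per line is assumed).
VERBOSE = r"""
Record Number: 704
ComputerName: ACCT
EventID: 528 - Successful Logon
Logon: Wed Apr 21 02:07:30am 1999
Logoff: Wed Apr 21 02:42:30am 1999
ClientName: brianm
ClientMachine: \\LION
LogonType: Remote
"""

# dir /t:c listing from the "File Search Results" slide.
DIR_LISTING = r"""
06/13/96  06:38p     152,848 winmsd.exe
06/13/96  06:38p      13,046 winnt.hlp
04/21/99  02:38a      32,768 winoldapp.exe
06/13/96  06:38p       2,880 winsock.dll
04/30/97  11:00p      92,944 WINSPOOL.DRV
04/30/97  11:00p      15,120 WINSRPC.DLL
04/30/97  11:00p     166,672 WINSRV.DLL
06/03/96  06:38p      19,728 winstrm.dll
"""

# Hypothetical known-good baseline: the other files in the listing plus
# winoldap.mod, which the slide names as the legitimate file.
BASELINE = {"winmsd.exe", "winnt.hlp", "winoldap.mod", "winsock.dll",
            "winspool.drv", "winsrpc.dll", "winsrv.dll", "winstrm.dll"}

DIR_ROW = re.compile(r"^(\d{2}/\d{2}/\d{2})\s+(\d{2}:\d{2})([ap])\s+([\d,]+)\s+(\S.*)$")


def logon_window(record):
    """Return (logon, logoff) datetimes from one verbose-mode record."""
    stamps = {}
    pattern = r"^[ \t]*(Logon|Logoff):[ \t]+\w{3}[ \t]+(.+?)[ \t]*$"
    for key, value in re.findall(pattern, record, re.M):
        stamps[key] = datetime.strptime(value, "%b %d %I:%M:%S%p %Y")
    return stamps["Logon"], stamps["Logoff"]


def parse_dir(listing):
    """Return (timestamp, size, name) per file row; <DIR> rows do not match."""
    rows = []
    for line in listing.splitlines():
        m = DIR_ROW.match(line.strip())
        if m:
            date, clock, half, size, name = m.groups()
            ts = datetime.strptime(f"{date} {clock}{half}m", "%m/%d/%y %I:%M%p")
            rows.append((ts, int(size.replace(",", "")), name.strip()))
    return rows


def created_in_window(rows, start, end, baseline):
    """Files stamped inside the logon window. dir shows minutes only, so the
    window start is truncated to the minute before comparing."""
    start = start.replace(second=0, microsecond=0)
    stems = {name.rsplit(".", 1)[0]: name for name in sorted(baseline)}
    hits = []
    for ts, size, name in rows:
        if not (start <= ts <= end):
            continue
        known = name.lower() in baseline
        near = get_close_matches(name.lower().rsplit(".", 1)[0], list(stems),
                                 n=1, cutoff=0.85)
        hits.append({
            "name": name,
            "created": ts,
            "size": size,
            "in_baseline": known,
            # A near-identical base name that is not itself known is a lookalike.
            "lookalike_of": stems[near[0]] if near and not known else None,
        })
    return hits


if __name__ == "__main__":
    start, end = logon_window(VERBOSE)
    for hit in created_in_window(parse_dir(DIR_LISTING), start, end, BASELINE):
        print(hit)
```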

Additional slide callouts:
- How do we find out who was on the system and when?
- **NTLast does not work if there are no existing log entries

Intrusion Auditing Under Windows NT
By JD Glaser
jdglaser@ntobjectives.com
Copyright, 1999 NT OBJECTives, Inc.
Presentation file title: Intrusion Auditing with NTLast

- The Need For Auditing
- The Tools
- Interpreting the Data
- Tips

Slide Titles
- Intrusion Auditing Under Windows NT
- The Need For Auditing
- Insider Foul Play Scenario
- The Tools
- Why do I need an Audit Tool?
- What is NTLast
- Tool Overview
- Setting Up the Audit - Errors
- Setup Error #1
- Setup Error #2
- Running NTLast
- Combining Switches
- Watching for Logon Failures
- Routine Password Guessing
- Remote Usage Results
- Evidence of a Sniffed Password
- Remote User Activity
- Verbose Mode - Time Frame Usage
- Regarding Searching
- Matching File Access
- Searching
- File Search Results
- File Examination Using GNU Strings
- Real Life Results Problematic
- Remote WinWord Launch
- Trouble Finding DCOM Permissions
- OleView.exe #1
- OleView.exe #2
- OleView Permissions
- App_Dll Key
- Hooks
- Gina Replacement Key
- Summing It All Up
- Resources and Reference
- Addendum - Facts, Tip details
- TIP - NTLast as a Performance Tool
- Appendix A
- Appendix B
- Appendix C - Installing NTLast
- Appendix D - Hiding from Browsing