Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Lecture Notes (28 - Nov)
Document related concepts
Transcript
Forensic Computer Analysis
ISMT350
Overview
Why do we care?
Forensic Science Overview
Process and Tools
Evidence on Networks
Advanced Analysis
Errors & Uncertainty
Why do we Care?
Determine what happened
Determine extent of damage
Inform other universities of problems
Prevention & preparation for future
Mitigate risk & liability
If necessary, apprehend & prosecute
=
Forensic Science Overview
Improper Evidence Handling
Why we need to avoid…
Open to unfair dismissal claims
Vulnerable to false accusations
Privacy violation leads to counter suit
Information leakage leads to larger problem
Unresolved incidents create problems
Researcher accused of hacking
Larger problem goes unrecognized
Develop poor evidence handling skills
Forensic Science Overview
Science applied to the discovery of truth
Locard’s exchange principle
whenever two objects come in contact with each other,
they transfer material from one to the other. The Locard
exchange produces the trace evidence of interest from
fingerprints to mud
Authorization
Locate / identify evidence
Collection, documentation & preservation
everything that you will need in two years
Crime reconstruction (forensic analysis)
when, where, how, what, who, why
reproducible & free from bias/distortion
Report / present
Continuity of Offense (COO)
Seek sources, conduits, and targets
Connect the dots
Corroborating evidence
Multiple independent sources
Kiosk
NT DC
Router
Proxy
Hotmail
NetFlow
Access logs
Authentication logs
Victim’s mail
server/PC
Pornography: Transmission
Pivotal Case Study
The theory behind child pornography laws in the U S traditionally has
been that such material is illegal not because of the content of the
material itself, but because of the harm the production and distribution
of such material causes children who are used to create the child
pornography.
U S versus Hilton, invalidated part of the Child Pornography Prevention
Act of 1996, 18 USC Section 2252A.
Hilton claimed to have been collecting child pornography for research
purposes:
Met with an FBI agent and U S Customs officials on a number of occasions
since 1995 to discuss curbing child pornography on the Internet.
Quoted in articles warning parents of the dangers of allowing their children to
surf the 'Net unsupervised.
Police uncovered evidence that “made us question his motivation."
A case of police prosecuting people trying to help cure the Child
Pornography problem?
Pornography: Transmission
How to investigate a “US v. Hilton”
Modem logs
Dial-up server logs
Confirms connection and account used
MAC times and Registry (LastWrite)
Shows PC was connected to Internet
File modification, creation, and access times
FTP logs
On PC: file name, time, remote directory
On server: file name, size, time, account, IP
Relational Reconstruction
Improve understanding of events
Locate additional sources of evidence
Example: Accounting server break-in
Log File Correlation
Sort each source independently, then combine
Correlate MAC times and LastWrite times of Registry
keys with Eventlogs, PC modem & ISP logs
05-15-2000 16:32:53.93 - Initializing modem.
05-15-2000 16:32:53.93 - Send: AT
05-15-2000 16:32:53.93 - Recv: AT
05-15-2000 16:32:54.05 - Recv: OK
05-15-2000 16:32:54.05 - Interpreted response: Ok
05-15-2000 16:32:54.05 - Send: AT&FE0V1&C1&D2 S0=0 W1
05-15-2000 16:32:54.07 - Recv: AT&FE0V1&C1&D2 S0=0 W1
05-15-2000 16:32:54.19 - Recv: OK
05-15-2000 16:32:54.19 - Interpreted response: Ok
05-15-2000 16:32:54.20 - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3
05-15-2000 16:32:54.22 - Recv: OK
05-15-2000 16:32:54.22 - Interpreted response: Ok
05-15-2000 16:32:54.26 - Dialing.
05-15-2000 16:32:54.26 - Send: ATDT##########
Time Pattern Analysis
Mon
Tues
Wed
Thurs
Fri
Sat
Sun
8am
9am
10am
x
11am
x
12pm
1pm
2pm
3pm
4pm
5pm
x
6pm
7pm
x = event
x
x
x
x
Histograms
Histogram of events over time
High number of events at key times
Histogram of time periods may show unusual
gaps
MAC times
System log entries
EnCase Timeline (patterns)
Search Methodology
Identify the crime scene
Area 1: Local Nodes
Area 2: Wireless devices
Mobile equipment
802.11b
Area 3: Wireless networks
PDA’s
Laptops
Core systems (BSC, MSC, SMS)
Area 4: Remote networks
Routers, switches, cables
Remote nodes
Authorization Example
Floppy found in desk drawer
Collected by IT staff
No authorization
Process not documented
Not clear who found disk
Disk not labeled
Not clear if search was legal
Not clear which disk among several disks
Hot potato – drop it!
High risk of counter suit
Chain of Custody
Who collected & handled the evidence
Fewer people handling the evidence
=> Fewer people testify
Standard forms & procedures
=> Consistency
Collection & Preservation
Acquire evidence
Documentation
EABD versus removing hard drive
save evidence on sterilized media
calculate MD5 checksum of evidence
digitally sign evidence (MD5, time & person)
acquisition & verification process
who, where, how, when, and sometimes why
Lock original in safe
alternately use a custodian
Message Digests
128-bit “fingerprint”
Two messages with same digest
16 hexadecimal values
Computationally infeasible
Search disk for file with same MD5
md5sum netstat.exe
=> 447282012156d360a862b30c7dd2cf3d
What to Collect?
The original disk
An exact copy of the original disk
Log files from the disk (e.g. UNIX wtmp)
Interpreted logs (output of last)
Relevant portions of interpreted logs
Information lost in summarization
Output of last username
May miss some relevant entries
Written notes describing command output
The approach depends on the circumstances
Remote Collection
Document collection process (log to file)
May alert the suspect
Stepping in evidence
Forgotten evidence
Planning and procedures
Jurisdiction
Same as at console
May be only means - foreign countries
May cause an international incident
Evidence only available remotely (SNMP)
To shutdown or not to shutdown
Network state
Processes in memory (MB/GB)
Kernel memory
Swap space
Lose cached data not yet written to disk
Lose data protected by EFS/PGP disk
Corrupt existing data
Limitations of Live Exam?
Hasty
Stepping in evidence
alternate data streams
Can’t see deleted data
automation minimizes changes
not 100% (overwrite user.dmp)
Might miss something
prone to error
automation helps avoid errors
anyone have a floppy diskette?
Can’t trust operating system
Challenge Concealment
Deleted binary
Log deletion or wiping
wzap clears wtmp entries
Altering file attributes
Hidden files/Alternate Data Streams
Copy in /proc/pid/file
icat /dev/hda inode > recovered
hfind.exe (Foundstone)
Device files in Recycle Bin
Rootkits/Loadable Kernel Modules (Knark)
Encryption
The Coroner’s Toolkit
grave-robber output
coroner.log
proc with MD5 of output
command_out with MD5 of output
body - mactime database
removed_but_running
conf_vault
trust
MD5_all
MD5_all.md5
Case Example
W2K Domain Controller Hacked
Unusual port
Messy examination
Cleanup fails!
Initial Assessment
Routine Network Vulnerability Scan
Physical Assessment
Located in locked closet
Initial Examination
BO2K on port 1177 of W2K DC
All security patches applied
NT Security Event logging enabled
fport: c:\winnt\system32\wlogin.exe
System cannot be shutdown
Central to operation of network
Network Assessment
Accessible from the Internet
No dial-up access
Many services enabled
file sharing
Internet Information Server
FTP (anonymous FTP disabled)
IIS fully patched
Assess and Preserve
Toolkit of known good executables
Check for keystroke grabber / sniffer
No fakegina or klogger
Yes sniffer (system32\packet.sys)
MAC times to locate other files
Save output to external/remote disk
Note md5 values of output
Installed IRC bot in C:\WINNT\Java
No obvious access of sensitive information
Could have obtained passwords via lsass
Could have access to other machines
Logs
No unusual logons in Security Event Logs
IIS logs from before security patch installation
Shows compromise via Web server
AntiVirus messages in Application Event Logs
1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL,
Virus
Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by:
Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus
Found!Virus name: BO2K.Trojan Variant in File:
C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed :
Quarantine failed :
1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL,
Scan
Complete: Viruses:2 Infected:2 Scanned:62093 Files/Folders/Drives
Omitted:89
Leads
IP addresses from Web server logs
IRC bot files
eggdrop bot files contained information about
servers, nicknames, channels, and channel
passwords that could be used to gather additional
information
Remediation
Change passwords and examine other hosts
HKLM\System\CurrentControlSent\Services
Machine fails to reboot
Extended downtime
MAC times incomplete
C:\WINNT\System32\wlogin.exe
C:\subdir
Wlogin is zeroed out
Accidental by examiner
Intentional by Norton/intruder?
No binary to analyze
Lessons Learned
Intrusion prior to patching
Lastwrite time of wlogin Registry key
Do not assume that system was secure
Missed opportunity
Attempt to recover piecemeal
Don’t make matters worse than intruder
Make a plan and make a backup plan
Forensic Analysis Overview
Locate, recover, and interpret evidence
Low level analysis vs interpreted data
Timeline – when
Relational reconstruction – where
Functional reconstruction – how
Synthesis – what, why
crime reconstruction
risk assessment
motive and intent
Data may not be trustworthy
seek corroborating data on network
Analysis Process
Access evidentiary images & backups
File inventory with hash values, etc.
Recover deleted data (files, folders, etc.)
Recover slack and unallocated space
Exclude known/unnecessary files
Remove duplicates
Process/decrypt/decompress files
swap and hibernation files
Index text data
File Systems
General creation process
Allocation table and folder entries created
Time stamps set
Track written
Slack space
Perhaps artefacts generated
MS Word file menu Registry entries
Windows: FAT12, FAT16, FAT32, NTFS
Unix: UFS, ext2, ext3
Macintosh: HFS Plus
FAT
NTFS
MFT records overwritten quickly
Index entries are overwritten quickly
Reference handbook
How quickly are blocks reused
Timestamp in MFT Record in table only
modified when name is changed
Sourceforge for more information
http://sourceforge.net/projects/linux-ntfs/
Unix
MacOS (HFS Plus)
Catalog file
Time formats
Balance tree
File threads
GMT v local
No access time
http://developer.apple.com/technotes/tn/tn1150.html
Linux – A Forensic Platform
# dd if=/dev/fd0 | md5sum
2880+0 records in
2880+0 records out
5f4ed28dce5232fb36c22435df5ac867 # dd if=/dev/fd0 of=floppy.image bs=512
# md5sum floppy.image
5f4ed28dce5232fb36c22435df5ac867 floppy.image
# mount -t vfat -o ro,noexec,loop floppy.image /mnt
# find /mnt -type f -exec sha1sum {} \;
86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml
0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
# grep -aibf searchlist floppy.image
75441:you and your entire business ransom.
75500:I want you to deposit $50,000 in the account
75767:Don't try anything, and dont contact the cops.
The Coroner’s Toolkit
ils -A /dev/hda1 (free inodes)
ils –o /dev/hda1 (removed open files)
icat /dev/hda1 inode
pcat pid
mactime -R -d / 12/13/2001-12/14/2001
mactime -d /export/home 10/30/2001
grave-robber -d . -E /
Perl is a requirement
Log File Correlation
Use the time range from wtmp logs
# last
user pts/3
66-65-113-65.nyc Sat Oct 20 19:45 - 01:08 (05:23)
# mactime -b body -l "Sat Oct 20 19:45 - 01:08 (05:23)"
Oct 21 01 01:32:30 75428 .a. -r-xr-xr-x root bin
/usr/bin/ftp
Computer Forensics Software
AccessData Forensic Toolkit® (FTK™)
The most popular of email forensic software tools
View over 270 different file formats with Stellent's Outside In Viewer Technology.
Generate audit logs and case reports.
Compatible with the Password Recovery ToolkitTM and Distributed Network Attack®.
Full text indexing powered by dtSearch® yields instant text search results.
Advance searches for JPEG images and Internet text.
Locate binary patterns using Live Search.
Automatically recover deleted files and partitions.
Target key files quickly by creating custom file filters.
Supported File & Acquisition Formats
File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.
Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD.
Email & Zip File Analysis
Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email.
View, search, print, and export email messages and attachments.
Recover deleted and partially deleted email.
Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.
Known File Filter™ (KFF™)
Identify and flag standard operating system and program files.
Identify and flag known child pornography and other potential evidence files
Includes hash datasets from NIST and Hashkeeper
Registry Viewer™
Access and decrypt protected storage data
View independent registry files
Report generation
Integrates with AccessData's forensic Tools
Email Forensics
How FTK is used …
Email is one of the most common ways people
communicate
Studies have shown that more email is generated
every day than phone conversations and paper
documents combined
Forensic Analysis of email clients and servers has
been in the spotlight of civil and criminal cases
worldwide and no examination of Document
Discovery is complete without requesting, searching
and organizing email
Email Forensics
Identification and Extraction
The first step in an email examination is to identify the sources of email
and how the email servers and clients are used in an organization
More than just a way of sending messages email clients and servers
have expanded into full databases, document repositories, contact
managers, time mangers, colanders and many other applications
E.g., Microsoft Exchange customized to be used as a complete Customer
Relationship Manager (CRM)
Lotus Notes and Domino Server are used beyond an email system
Many users store their personal calendars, contacts and even synchronize
their email clients with their Personal Digital Assistants (PDA)
Organizations use database enabled email and messaging servers to
manage cases, track clients and share data
Computer forensics should start their collection of evidence with email
Email Forensics
Deleted Email
Many user believe that once they delete email from their client
that the mail is unrecoverable
Nothing could be farther from the truth, many times emails can
forensically extracted even after deletion
Many users also do not grasp the concept that email has a
sender AND a recipient or multiple recipients
Emails may reside on servers unbeknown to the user, or on
backup tapes that were created during the normal course of
business
Of course they may also be extracted from the hard disk of the
client or the server.
Forensic programs are able to recover deleted email, calendars
and more from users email clients and email servers.
Email Forensics
Web Mail or Web Based Email
It is completely possible to forensically recover email that was created
or received by web based email systems and from free web based
email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail
These types of mail systems use a browser to interface with the email
server, the browser inherently caches information to the disk drive in the
system used to retrieve or generate the email thereby effectively saving
a copy to the disk
Forensic examiners can extract the HTML based Email from disk drive
of the system used to create or retrieve the email messages
Many Web Based or Web mail services, including Yahoo and Hotmail
have shared calendaring services, personal calendars and contact
managers as email.
Anytime these services are accessed they may be cached to the disk
as well.
Email Forensics
Correlating Email Messages
New evidence is essentially created by
Correlating emails by date, subject, recipient or
sender
These yield a map of inferences, events and entities
And open up opportunities for more complex pattern
analysis
Forensic software is especially important in
providing these correlations
EnCase Forensic (Guidance Software)
EnCase Forensic is the most popular software for computer forensic
investigation
A single tool, capable of conducting large-scale and complex
investigations from beginning to end:
Acquires data in a forensically sound manner using software with an
unparalleled record in courts worldwide.
Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X,
Solaris and more — using a single tool.
Automates complex and routine tasks with prebuilt EnScript® modules, such
as Initialized Case and Event Log analysis.
Find information despite efforts to hide, cloak or delete.
Easily manage large volumes of computer evidence, viewing all relevant
files, including "deleted" files, file slack and unallocated space.
Transfer evidence files directly to law enforcement or legal representatives
as necessary.
Review options allow non-investigators, such as attorneys, to review
evidence with ease.
Reporting options enable quick report preparation.
EnCase Functions
The EnCase Forensic GUI.
EnCase Forensic
"Conditions" permit users to create complex,
multifaceted filters, using EnScript®
programming language.
EnCase Forensic
The block size and error granularity settings
interface
EnCase Forensic
Logical Evidence Files
"Single Files" allows an
examiner to drag and drop
particular files of interest
into EnCase for analysis
"Logical Evidence Files" can
be created and locked from
"Single Files," as well as
from specific files of interest
from an EnCase preview of
subject media.
TASK Case Screen
TASK Host Screen
TASK Host Manager Screen
TASK Analysis Screen
FTK E-mail Extraction
SMART Main Screen
SMART Case View
PDA Seizure
Password Recovery Toolkit
PRTK: Combinations & permutations
Import FTK keyword list
Missed obvious combinations
DNA
40-bit Encryption
Windows 2000 EFS (export)
MS Word / Excel
Evidence on Networks
Associating Online Activity with Logs
Server logs
E-mail server logs
Web server logs
Internet activity -> data
Internet activity
Logs
Active
PPP Dial-up
TACACS/RADIUS Terminal Server
Router/Firewall
Syslog/Netflow
show conns
Host logon
wtmp/NT
Eventlog
utmp/nbtstat -c
Web server
access/error
netstat -an
E-mail server
messages/syslog
spool
FTP server
xferlog
netstat -an
IRC
server/bot logs
netstat -an
Wireless
device logs
device query
Case Example
Harassment Complaint
Complaint
Unauthorized e-mail access
Suspect pool
Process accounting
Bash history
Harassment (janesmith)
Make sure logs are consistent
mailserver# grep 'Login user=janesmith' syslog*
syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID
234311 mail.info] Login user=janesmith
host=johnsmith.nasa.gov [192.168.135.156]
What to look for next?
Harassment (continued)
wtmp logs indicate that her e-mail account was
accessed from server4.nasa.gov on Dec 9 at
13:14
emailserver# last janesmith
janesmith pts/114 server4.nasa.gov Sun Dec 9 13:14 - 13:19 (00:05)
MAC times show that the .pinerc file was
created on Dec 9 suggesting that this was the
first time Pine was used to access e-mail in
this account.
Harassment (continued)
wtmp logs on server4.nasa.gov show that seven
people were logged in on Dec 9 at 13:14
Note: clock on server4.nasa.gov was 4 minutes fast
server4% last
walterp pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)
johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)
stephens pts/13 lincoln.nasa.com Sun Dec 9 13:01 - 16:16 (03:15)
hansmol pts/3 homepc.isp.com Fri Dec 7 14:14 - 10:53 (6+20:38)
ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)
Harassment (continued)
RADIUS logs show suspect disconnected
prior to offense
192.168.1.219,NASA\ianjones,12/07/2002,08:43:07,IAS,NTSE
RVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1
192.168.1.45 10/08/2001 19:38:34
22348,40,1,44,E0D03B6B,66,64.252.248.134,45,1,41,0,61,
5,4108,192.168.1.219,4116,0,4128,NASA
VPN,4136,4,4142,0
192.168.1.219,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSE
RVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1
192.168.1.45 10/08/2001 19:38:34
22348,40,2,42,36793575,43,6837793,44,E0D03B6B,46,356
19,47,417258,48,59388,49,1,66,64.252.248.134,45,1,41,0,6
1,5,4108,192.168.1.219,4116,0,4128,NASA
VPN,4136,4,4142,0
Harassment (continued)
However, server4.nasa.gov kept process
accounting logs and an examination of these
logs show only one SSH connection at the time
in question. This indicates that another account
(johnsmith) was used to connect to the
complainants e-mail account.
server4% lastcomm | grep ssh
ssh
S timsteel
??
ssh
S johnsmith ??
ssh
S richevans ??
0.11 secs Sun Dec 9 10:24
0.02 secs Sun Dec 9 13:10
0.03 secs Sun Dec 9 12:10
Harassment (continued)
Confirmed using bash history
server4# grep janesmith /home/johnsmith/.bash_history
ssh -l janesmith mailserver.ispX.com
Network Traffic
Historical data
Performance monitoring
NetFlow & Argus
IDS (may include full packet capture)
Traffic capture
Temporal considerations
Preservation
Reconstruction and analysis
Tools
Dsniff, NetWitness, Sandstorm, Nixsun, SilentRunner
Many for Unix (e.g., ngrep, review)
Performance Monitoring
Shows patterns on a device
Spikes in traffic
Loss of connectivity to a segment
Multi Router Traffic Grapher (MRTG)
www.mrtg.org
Netflow and Snort Overview
NetFlow
flows represent unidirectional collection of similar packets
NetFlow logs contain basic flow information (src, dst, times,
size)
Snort
based on libpcap
detects known attacks
highly configurable
Using Snort and NetFlow
Host logs may be overwritten
Intrusion Detection System shows partial picture
[**] FTP-site-exec [**]
02/23-04:51:38.012306 192.168.164.88:2721 -> 192.168.168.2:21
TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC
TCP Options (3) => NOP NOP TS: 98258650 1405239787
NetFlow logs show more complete picture
Start
DstP
End
P Fl Pkts
Sif SrcIPaddress
Octets
0223.04:51:38.841 0223.04:51:48.685 2
192.168.168.2 21 6 2 3
144
SrcP DIf DstIPaddress
192.168.164.88 2721 13
Netflow Losses
Sequence numbers show gaps
% flow-header < ft-v05.2002-04-15.183000-0400
# mode:
normal
# capture hostname: flow
# exporter IP address: 130.132.1.100
# capture start:
Mon Apr 15 18:30:00 2002
# capture end:
Mon Apr 15 18:45:00 2002
# capture period:
900 seconds
# compress:
on
# byte order:
big
# stream version:
3
# export version:
5
# lost flows:
179520
# corrupt packets:
0
# sequencer resets: 1
# capture flows:
206760
Traffic Monitoring/Capture
tcpdump (68 bytes default capture)
Ethereal
Authorization
Wiretap
ECPA
Live Capture
Protecting systems
Stored communications & records
Maintenance and protect users
USA Patriot Act
libpcap losses
High speed links overload sniffers
Protocol type 11 (honeynet)
Applies to all libpcap based sniffers
snort, tcpdump, NetWitness
# tcpdump -X host 192.168.12.5
tcpdump: listening on xl0
.....[data displayed on screen]…
^C
29451 packets received by filter
4227 packets dropped by kernel
Switches
Isolates traffic
CatOS Switched Port Analyzer (SPAN)
Spanning/Mirroring ports
Sniffing is more difficult
Only copies valid Ethernet packets
Not all error information duplicated
Low priority of span may increase losses
http://www.cisco.com/warp/public/473/41.html
Hardware taps
Copy signals without removing layers
May split Tx and Rx (reassembly required)
NIC Losses
Applies to all NICs (firewalls, switches, etc.)
% netstat -nid
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 19877416
0
0
128
7327647
0
0
0
BRU
% /sbin/ifconfig
eth0
Link encap:Ethernet HWaddr 00:B0:D0:F3:CB:B5
inet addr:128.36.232.10 Bcast:128.36.232.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
collisions:442837 txqueuelen:100
Interrupt:23 Base address:0xec80
Case Example
Intellectual Property Theft (rootkit)
Intellectual Property
IDS logs show intrusion
[**] FTP-site-exec [**]
09/14-12:27: 208.181.151.231 -> 130.132.x.y
09/14-12:28: 24.11.120.215 -> 130.132.x.y
09/14-12:33: 64.28.102.2 -> 130.132.x.y
Concern: system contains sensitive
data
IP Theft (assess damage)
Initial examination of compromised host showed no
signs of compromise
no wtmp entries from site exec exploit
no syslog entries
no odd processes using ps or files using ls
System clock was 5 hours fast (Δt = 5hrs)
Oddities on system suggested compromise
difference between ps & lsof; /tmp/.tmp/
IP Theft (analysis)
Used EnCase to analyze evidence
Recovered deleted syslogs (noting Δt)
Sep 14 17:07:22 host ftpd[617]: FTP session closed
Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM
231.efinityonline.com
[208.181.151.231], •
1À1Û1É°FÍ
1À1ÛC‰ÙA°?Í
ëk^1À1É
^^AˆF^D
f¹ÿ^A°'Í€
1À•
^^A°=Í
1À1Û
^^H‰C^B1ÉþÉ1À
^^H°^LÍ
þÉuó1ÀˆF^I
^^H
°=Í€
þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰ó•
N^H•
V^L°^KÍ€
1À1Û°^AÍ€
è•
ÿÿÿ0bin0sh1..11
Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1
Linux in EnCase
IP Theft (reconstruction)
Confirmed source of initial intrusion
Determined that target was high risk
Determined motive and intent
not aware of sensitive information on host
used host for DoS, scanning, and IRC
Determined that a sniffer had been used
Located other compromised systems
notified system owners on outside networks
Advanced Analysis
Timestamp Oddities
Moved file in Windows
Corrupt timestamps
Last write time before creation time
Windows folder and .lnk
MacOS
Some logs are in order of the end of the event
Process accounting
CISCO NetFlow
Artefacts of File Transfer
File transferred to external media
MS Word Metadata
Program’s file menu (registry key LastWrite)
Shortcut (.lnk) files
MS Word, Powerpoint, Excel, etc.
WinZip, WinAmp
Explorer (e.g., RecentDocs, RunMRU)
Internet Explorer (history, cache, TypedURLs)
Recent\Desktop (time ordered CAM)
Recycler
May be in unallocated space/swap/hibernation
Recent Lnk to External Disk
Network Artefacts
Downloaded files
Interactive connections
Unix directory listing on Windows PC
Web, e-mail, Usenet, IRC, etc.
IIS Transactions
Telnet Lastmachine (registry)
Secure CRT .ini
Secure Shell
pagefile.sys
Mapped network drives
NetHood (profile, MFT, registry, unallocated)
Internet Accounts
HKEY_USERS
Key Name:
SID\Software\Microsoft\Internet Account
Manager\Accounts\00000004
Class Name:
<NO CLASS>
Last Write Time: 7/5/2002 - 4:33 AM
Downloaded Files
Tape Archive (.tar)
Mapped Network Drive
Explorer (\\name\drive)
StreamMRU, RunMRU, RecentDocs
Scattered
User.dmp, swap, unallocated space
Grep expression: \\\\[A-Z]+\\[A-Z]+
Unix Mounted Drives
df, mount, samba
/etc/fstab:
/dev/hda1
/
ext2 defaults
11
/dev/hda7
/tmp
ext2 defaults
12
/dev/hda5
/usr
ext2 defaults
12
/dev/hda6
/var
ext2 defaults
12
/dev/hda8
swap
swap defaults
00
/dev/fd0
/mnt/floppy ext2 user,noauto
00
/dev/hdc
/mnt/cdrom iso9660 user,noauto,ro
00
none
/dev/pts
devpts gid=5,mode=620 0 0
none
/proc
proc defaults
00
remote-server:/home/accts
/home/accts
nfs
bg,hard,intr,rsize=8192,wsize=8192
remote-server:/var/spool/mail /var/spool/mail nfs
bg,hard,intr,noac,rsize=8192,wsize=8192
Remote Logs and Printing
*.*
/etc/syslog.conf
@remote-server
/etc/printcap:
lp0|lp:\
:sd=/var/spool/lpd/lp0:\
:mx#0:\
:sh:\
:rm=remote-server:\
:rp=lp0:\
:if=/var/spool/lpd/lp0/filter:
Network Artefacts (Telnet)
Telnet registry
File Transfer Protocol
On PC: file name, time, remote
directory
On server: file name, size, time,
account, IP
xferlog: Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/user/image.jpg a _ o r user
WS_FTP: 98.11.12 19:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg
Linux ncftp (.ncftp/trace; .ncftp/history)
SESSION STARTED at: Sun Oct 21 01:05:44 2001
Program Version: NcFTP 3.0.0/220 February 19 1999, 05:20 PM
<cut for brevity>
01:05:44 Connecting to 129.132.7.170...
01:05:52 > get openssl-0.9.6.tar.gz
SESSION ENDED at: Sun Oct 21 01:06:50 2001
Network Artefacts (Unix ls)
Grep search
[d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\][rwx\-][rwx\-] (space)
More Unix/Mac Artefacts
SSH
authorized_keys (incoming)
known_hosts (outgoing)
.xauth/refcount/xfs/hostname
Unix xterm buffers show sessions
Transactions of various servers
Windows remnants on Unix
Directory files e.g., C:\winnt\system32\*.exe
Case Example
Intellectual Property Theft (Insider)
Initial Complaint
Employee stole information prior to leaving
Unknown documents from workstation
clients.mdb
Client contact database
Stored on W2K workstation
projectX
Terminated on Sept 16, 2002
Secret project details
Stored on Unix file server
What do you look for?
W2K Workstation
Security (card swipe) records
Suspect entered building at 08:45am
Logon/Logoff record
C:\>ntlast /ad 16/9/2002 /v
Record Number: 18298
ComputerName: WKSTN11
EventID: 528 - Successful Logon
Logon: Tue Sep 16 08:50:58am 2002
Logoff: Tue Sep 16 09:10:00am 2002
Details ClientName: user11
ClientID:
(0x0,0xDCF9)
ClientMachine: WKSTN11
ClientDomain: CORPX
LogonType:
Interactive
How to collect this information as evidence?
W2K Workstation
Transfer of clients.mdb
HKEY_USERS
Created at 08:59:14
Last modified at 08:58:49
Suspect’s e-mail outbox
\Windows\CurrentVersion\Explorer\RecentDocs
Suspect’s environment temp\clients.xls
Accessed 09/16/2002 08:58:30 EST
Shows clients.xls sent to Hotmail
What information would you seek on network?
W2K Workstation
Other file accessed at same time
Registry OpenSaveMRU entry
Recent .lnk written and accessed
private.doc
Recent A: .lnk written and accessed
What would you expect to find on associated
floppy diskette?
Unix File Server
SSH Client Access
Accessed:
\user11\Application Data\Microsoft\Internet
Explorer\Quick Launch\Shortcut to SshClient.lnk
Files in \user11\Application Data\SSH\
\user11\Application Data\SSH\ HostKeys\key_22_srv1
How to collect evidence?
% last user11
user11 pts/77 wkstn11.corpx.com Sep 16 09:05 - 09:06 (00:01)
% ls –altu
-rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX
ProjectX file found in c:\temp on wkstn11
What timestamps changed in transfer?
W2K Workstation
Deleted projectX file found in c:\temp
Explorer\RecentDocs\NetHood
Created: 09:05am
Accessed: 09:07am
Modified: 09/12/2002 10:07:07am
\\competitorpc\upload
LastWrite 09/13/2002 11:04AM
Explain time discrepancy
Errors & Uncertainty
Nothing can be known if nothing has happened; and yet, while
still awaiting the discovery of the criminal, while yet only on the
way to the locality of the crime, one comes unconsciously to
formulate a theory doubtless not quite void of foundation but
having only a superficial connection with the reality; you heave
already heard a similar story, perhaps you have formerly seen an
analogous case…
Gross, H., Criminal Investigation: (Sweet & Maxwell, Ltd. 1924)
Errors and Uncertainty
Offender/victim covering behavior
Preconceived theories
Accepting others’ assumptions
Technological limitations
Mistakes and misinterpretation
Evidence dynamics
Handbook - Chapter 1
Uncertainty and loss
Casey, E: “Error, Uncertainty and Loss in Digital Evidence”,
International Journal of Digital Evidence, Volume 1, Issue 2, 2002
(www.ijde.org)
Evidence Eliminator
Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM
OS Detected: Win95 [Win95 4.0.1111.1024]
Eliminating Folder: C:\WINDOWS\applog\
No folder found: C:\WINDOWS\applog\
Eliminating IE Typed URL History...
Data Found: String data: [url1-C:\My Documents\]
Eliminating IE Typed AutoComplete data...
Eliminating IE Download Folder record...
Eliminating IE Error Logs...
Eliminating File: C:\WINDOWS\IE4 Error Log.txt
No file found: C:\WINDOWS\IE4 Error Log.txt
Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\
Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\
including root folder...
Lily Pad Examples
SubSeven with IRC
File sharing
Denial of service
Unix intrusion
Bypass firewall
Attack from within
Remote Storage
Compromised host
Shell/Web account
Online services
www.freedrive.com
www.filesanywhere.com
Mounted network shares
Sniffers that log to remote shares
Home directory on remote server
Intruder Concealment
Deleted binary
Log deletion or wiping
wzap clears wtmp entries
Altering file attributes
Hidden files/Alternate Data Streams
Copy in /proc/pid/file
icat /dev/hda inode > recovered
hfind.exe
Device files in Recycle Bin
Rootkits/Loadable Kernel Modules (Knark)
Encryption
Altering File Attributes
Attrib
Alter MAC times
touch in Unix
ls -altc
Microsoft SetFileTime() API
Hide from search tools
dir /t[:a]
afind.exe (FoundStone)
Alternate Data Streams
c:\temp> lads
LADS - Freeware version 3.01
(C) Copyright 1998-2002 Frank Heyne Software (http://www.heysoft.de)
Scanning directory C:\temp\
size
---------17
17
17
ADS in file
--------------------------------C:\temp\myfile.txt:hidden
C:\temp\myfile.txt:onetwothree
C:\temp\myfile.txt:test
51 bytes found in 3 alternate data streams
Maresware: copy_ads
C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads
Program started Wed Sep 25 13:58:09 2002 GMT, 09:58 EST (-5*)
FILES: DIRECTORY
C:\hidden\makeads:hidden2.txt 32 09/25/2002 09:43w EST
C:\hidden\makeads:hidden2.txt
==> d:\evidence\ads\makeads\makeads[hidden2.txt]
C:\hidden\makeads\regularfile.txt 25 09/25/2002 09:19:19w EST
C:\research\makeads\regularfile.txt
==> d:\evidence\ads\makeads\regularfile.txt
C:\research\makeads\regularfile.txt:hidden1.txt 17 09/25/2002 09:19:19w EST
C:\research\makeads\regularfile.txt:hidden1.txt
==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]
Processed 16 directories, 118 files, totaling 7,703,785 bytes:
Found 1 directories with 1 alternate data streams.
Found 1 files with 1 alternate data streams.
Total 2 data streams byte count = 49 bytes
Rootkits
Creates backdoors
Replace system components to hide:
files
processes
promiscuous mode
network connections
Often includes tools
Sniffers
Log wiping utilities
Patches
