Forensic Computer Analysis (ISMT350)

Presentation Transcript


Overview


  • Why do we care?

  • Forensic Science Overview

  • Process and Tools

  • Evidence on Networks

  • Advanced Analysis

  • Errors & Uncertainty

Why do we Care?

  • Determine what happened

  • Determine extent of damage

  • Inform other universities of problems

  • Prevention & preparation for future

  • Mitigate risk & liability

  • If necessary, apprehend & prosecute


Forensic Science Overview

Improper Evidence Handling: Why we need to avoid it

  • Open to unfair dismissal claims

  • Vulnerable to false accusations

    • Researcher accused of hacking

  • Privacy violation leads to counter suit

  • Information leakage leads to larger problem

  • Unresolved incidents create problems

    • Larger problem goes unrecognized

  • Develop poor evidence handling skills

Forensic Science Overview

  • Science applied to the discovery of truth

  • Locard’s exchange principle

    • Whenever two objects come into contact, each transfers material to the other. This exchange produces the trace evidence of interest, from fingerprints to mud.

  • Authorization

  • Locate / identify evidence

  • Collection, documentation & preservation

    • everything that you will need in two years

  • Crime reconstruction (forensic analysis)

    • when, where, how, what, who, why

    • reproducible & free from bias/distortion

  • Report / present

    Continuity of Offense (COO)

    • Seek sources, conduits, and targets

      • Connect the dots

    • Corroborating evidence

      • Multiple independent sources

    (Diagram of evidence sources connected to one another: victim's mail, NT DC, access logs, authentication logs)

    Pornography: Transmission (Pivotal Case Study)

    • The theory behind child pornography laws in the U.S. traditionally has been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes the children who are used to create it.

    • U.S. v. Hilton invalidated part of the Child Pornography Prevention Act of 1996, 18 USC Section 2252A.

    • Hilton claimed to have been collecting child pornography for research purposes:

      • Met with an FBI agent and U.S. Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet.

      • Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised.

      • Police uncovered evidence that “made us question his motivation."

      • A case of police prosecuting people trying to help cure the Child Pornography problem?

    Pornography: Transmission

    How to investigate a “US v. Hilton”

    • Modem logs

      • Shows PC was connected to Internet

    • Dial-up server logs

      • Confirms connection and account used

    • MAC times and Registry (LastWrite)

      • File modification, creation, and access times

    • FTP logs

      • On PC: file name, time, remote directory

      • On server: file name, size, time, account, IP

    Relational Reconstruction

    • Improve understanding of events

    • Locate additional sources of evidence

    • Example: Accounting server break-in

    Log File Correlation

    • Sort each source independently, then combine

      • Correlate MAC times and LastWrite times of Registry keys with Event Logs, PC modem logs and ISP logs

        05-15-2000 16:32:53.93 - Initializing modem.

        05-15-2000 16:32:53.93 - Send: AT

        05-15-2000 16:32:53.93 - Recv: AT

        05-15-2000 16:32:54.05 - Recv: OK

        05-15-2000 16:32:54.05 - Interpreted response: Ok

        05-15-2000 16:32:54.05 - Send: AT&FE0V1&C1&D2 S0=0 W1

        05-15-2000 16:32:54.07 - Recv: AT&FE0V1&C1&D2 S0=0 W1

        05-15-2000 16:32:54.19 - Recv: OK

        05-15-2000 16:32:54.19 - Interpreted response: Ok

        05-15-2000 16:32:54.20 - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3

        05-15-2000 16:32:54.22 - Recv: OK

        05-15-2000 16:32:54.22 - Interpreted response: Ok

        05-15-2000 16:32:54.26 - Dialing.

        05-15-2000 16:32:54.26 - Send: ATDT##########
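Worked example of the sort-then-combine step above, added here and not part of the original slides: each source (a PC modem log in the slide's format, a simplified mactime body and a simplified ISP accounting log, all constructed) is parsed and sorted on its own, then merged into one timeline. Hostnames, the account name and the paths are placeholders.

```python
"""Unified timeline from independently sorted log sources.

Added example, not from the slides. Every log line below is constructed for
illustration; the modem-log format follows the slide, the other two formats
are simplified stand-ins for a mactime body and an ISP accounting log.
"""
import re
from datetime import datetime

MODEM_LOG = """\
05-15-2000 16:32:53.93 - Initializing modem.
05-15-2000 16:32:54.26 - Dialing.
05-15-2000 16:33:12.40 - Connection established at 33600 bps.
"""

# Simplified mactime-style entries (constructed): date, MAC flags
# (m=modified, a=accessed, c=changed), mode, owner, group, path.
MACTIME_BODY = """\
May 15 2000 16:36:41 m.c -rw-r--r-- user user C:/Temp/download.zip
May 15 2000 16:35:02 .a. -rwxr-xr-x user user C:/Program Files/ftp.exe
"""

# Simplified ISP dial-up accounting log (constructed).
ISP_LOG = """\
2000-05-15 16:33:10 CONNECT account=jdoe
2000-05-15 16:41:55 DISCONNECT account=jdoe
"""


def parse_modem(text):
    """(timestamp, source, detail) for each modem-log line."""
    events = []
    for line in text.splitlines():
        m = re.match(r"(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\.\d+ - (.*)", line)
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
            events.append((ts, "modem", m.group(2)))
    return events


def parse_mactime(text):
    """(timestamp, source, 'flags path') for each mactime entry."""
    events = []
    for line in text.splitlines():
        m = re.match(r"(\w{3} \d\d \d{4} \d\d:\d\d:\d\d) (\S+) \S+ \S+ \S+ (.*)", line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            events.append((ts, "mactime", f"{m.group(2)} {m.group(3)}"))
    return events


def parse_isp(text):
    """(timestamp, source, detail) for each ISP accounting line."""
    events = []
    for line in text.splitlines():
        m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)", line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, "isp", m.group(2)))
    return events


def build_timeline(sources):
    """Sort each source on its own, then merge into one ordered timeline.

    Sorting per source first makes out-of-order entries inside one log
    visible before they are mixed with the other sources.
    """
    merged = []
    for events in sources.values():
        merged.extend(sorted(events, key=lambda e: e[0]))
    return sorted(merged, key=lambda e: e[0])


def window(timeline, start, end):
    """Events whose timestamp falls within [start, end] (inclusive)."""
    return [e for e in timeline if start <= e[0] <= end]


def demo_timeline():
    return build_timeline({
        "modem": parse_modem(MODEM_LOG),
        "mactime": parse_mactime(MACTIME_BODY),
        "isp": parse_isp(ISP_LOG),
    })


if __name__ == "__main__":
    for ts, src, detail in demo_timeline():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {src:8s}  {detail}")
```

The merged output shows the modem dialing, the ISP seeing the connection, and the FTP client and downloaded file being touched afterwards, which is the relational picture the slide asks for; a disagreement between the modem and ISP clocks would show up here as inverted order.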

    Time Pattern Analysis

    (Figure: individual events, marked x, plotted along a time axis)

    Histograms

    • Histogram of events over time

      • High number of events at key times

    • Histogram of time periods may show unusual gaps

      • MAC times

      • System log entries
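An added example (not from the slides) of the two histogram uses above: it buckets event times into a per-hour histogram, reports the busiest hour, and lists any gap between consecutive events longer than a threshold. The event times are constructed.

```python
"""Per-hour event histogram and unusual-gap detection.

Added example, not from the slides. The event times are constructed and
could equally be MAC times or system-log timestamps from a timeline.
"""
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed
    "2001-12-13 09:05:00", "2001-12-13 09:10:00", "2001-12-13 09:15:00",
    "2001-12-13 10:02:00",
    "2001-12-13 23:40:00", "2001-12-13 23:41:00", "2001-12-13 23:42:00",
    "2001-12-13 23:45:00", "2001-12-13 23:47:00",
    "2001-12-14 08:30:00",
]


def parse_times(strings):
    return sorted(datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in strings)


def hour_histogram(times):
    """Count events per clock hour; the key is the start of the hour."""
    return Counter(t.replace(minute=0, second=0, microsecond=0) for t in times)


def busiest_hours(hist, n=3):
    return hist.most_common(n)


def find_gaps(times, min_gap):
    """Consecutive events separated by at least min_gap, as (last, next, gap).

    Gaps in an otherwise steady stream of system-log entries can mean the
    machine was down, the clock was changed, or entries were removed.
    """
    gaps = []
    for earlier, later in zip(times, times[1:]):
        if later - earlier >= min_gap:
            gaps.append((earlier, later, later - earlier))
    return gaps


def render(hist):
    """Text bar chart, one line per hour that had events."""
    return "\n".join(f"{hour:%Y-%m-%d %H:00}  {'#' * hist[hour]} ({hist[hour]})"
                     for hour in sorted(hist))


def analyze(strings, min_gap_hours=6):
    times = parse_times(strings)
    hist = hour_histogram(times)
    return {"histogram": hist,
            "peak": busiest_hours(hist, 1)[0],
            "gaps": find_gaps(times, timedelta(hours=min_gap_hours))}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(render(result["histogram"]))
    print("peak hour:", result["peak"])
    for earlier, later, gap in result["gaps"]:
        print(f"gap of {gap} between {earlier} and {later}")
```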

    EnCase Timeline (patterns)

    Search Methodology

    Identify the crime scene

    • Area 1: Local Nodes

      • PDAs

      • Laptops

    • Area 2: Wireless devices

      • Mobile equipment

      • 802.11b

    • Area 3: Wireless networks

      • Core systems (BSC, MSC, SMS)

    • Area 4: Remote networks

      • Routers, switches, cables

      • Remote nodes

    Authorization Example

    • Floppy found in desk drawer

    • Collected by IT staff

      • No authorization

        • Not clear if search was legal

      • Process not documented

        • Not clear who found disk

      • Disk not labeled

        • Not clear which disk among several disks

    • Hot potato – drop it!

      • High risk of counter suit

    Chain of Custody

    • Who collected & handled the evidence

    • Fewer people handling the evidence

      => Fewer people testify

    • Standard forms & procedures

      => Consistency

    Collection & Preservation

    • Acquire evidence

      • EABD versus removing hard drive

      • save evidence on sterilized media

      • calculate MD5 checksum of evidence

      • digitally sign evidence (MD5, time & person)

    • Documentation

      • acquisition & verification process

      • who, where, how, when, and sometimes why

    • Lock original in safe

      • alternately use a custodian

    Message Digests

    • 128-bit “fingerprint”

      • 16 byte values, written as 32 hexadecimal digits

    • Two messages with same digest

      • Computationally infeasible

    • Search disk for file with same MD5

    • md5sum netstat.exe

      => 447282012156d360a862b30c7dd2cf3d

    What to Collect?

    • The original disk

    • An exact copy of the original disk

    • Log files from the disk (e.g. UNIX wtmp)

    • Interpreted logs (output of last)

      • Information lost in summarization

    • Relevant portions of interpreted logs

      • Output of last username

      • May miss some relevant entries

    • Written notes describing command output

      The approach depends on the circumstances

    Remote Collection

    • Document collection process (log to file)

    • May alert the suspect

    • Stepping in evidence

      • Same as at console

    • Forgotten evidence

      • Planning and procedures

    • Jurisdiction

      • May be only means - foreign countries

      • May cause an international incident

    • Evidence only available remotely (SNMP)

    To shutdown or not to shutdown

    • Network state

    • Processes in memory (MB/GB)

    • Kernel memory

    • Swap space

    • Lose cached data not yet written to disk

    • Lose data protected by EFS/PGP disk

    • Corrupt existing data

    Limitations of Live Exam?

    • Hasty

      • prone to error

      • automation helps avoid errors

    • Stepping in evidence

      • automation minimizes changes

      • not 100% (overwrite user.dmp)

    • Might miss something

      • alternate data streams

    • Can’t see deleted data

      • anyone have a floppy diskette?

    • Can’t trust operating system

    Challenge Concealment

    • Deleted binary

      • Copy in /proc/pid/file

      • icat /dev/hda inode > recovered

    • Log deletion or wiping

      • wzap clears wtmp entries

    • Altering file attributes

    • Hidden files/Alternate Data Streams

      • hfind.exe (Foundstone)

      • Device files in Recycle Bin

    • Rootkits/Loadable Kernel Modules (Knark)

    • Encryption

    The Coroner’s Toolkit

    • grave-robber output

      • coroner.log

      • proc with MD5 of output

      • command_out with MD5 of output

      • body - mactime database

      • removed_but_running

      • conf_vault

      • trust

      • MD5_all

      • MD5_all.md5

    Case Example

    W2K Domain Controller Hacked

    Unusual port

    Messy examination

    Cleanup fails!

    Initial Assessment

    • Routine Network Vulnerability Scan

      • BO2K on port 1177 of W2K DC

    • Physical Assessment

      • Located in locked closet

    • Initial Examination

      • All security patches applied

      • NT Security Event logging enabled

      • fport: c:\winnt\system32\wlogin.exe

    • System cannot be shutdown

      • Central to operation of network

    Network Assessment

    • Accessible from the Internet

    • No dial-up access

    • Many services enabled

      • file sharing

      • Internet Information Server

      • FTP (anonymous FTP disabled)

    • IIS fully patched

    Assess and Preserve

    • Toolkit of known good executables

      • Save output to external/remote disk

      • Note md5 values of output

    • Check for keystroke grabber / sniffer

      • No fakegina or klogger

      • Yes sniffer (system32\packet.sys)

    • MAC times to locate other files

      • Installed IRC bot in C:\WINNT\Java

      • No obvious access of sensitive information

    • Could have obtained passwords via lsass

    • Could have access to other machines


    • No unusual logons in Security Event Logs

    • IIS logs from before security patch installation

      • Shows compromise via Web server

    • AntiVirus messages in Application Event Logs

      1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed :

      1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned:62093 Files/Folders/Drives Omitted:89

    Leads

    • IP addresses from Web server logs

    • IRC bot files

      • eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information

    Remediation

    • Change passwords and examine other hosts

    • HKLM\System\CurrentControlSet\Services

      • C:\WINNT\System32\wlogin.exe

    • Machine fails to reboot

      • Extended downtime

    • MAC times incomplete

      • C:\subdir

    • Wlogin is zeroed out

      • Accidental by examiner

      • Intentional by Norton/intruder?

      • No binary to analyze

    Lessons Learned

    • Intrusion prior to patching

      • Do not assume that system was secure

    • LastWrite time of the wlogin Registry key

      • Missed opportunity

    • Attempt to recover piecemeal

      • Don’t make matters worse than intruder

      • Make a plan and make a backup plan

    Forensic Analysis Overview

    • Locate, recover, and interpret evidence

    • Low level analysis vs interpreted data

    • Timeline – when

    • Relational reconstruction – where

    • Functional reconstruction – how

    • Synthesis – what, why

      • crime reconstruction

      • risk assessment

      • motive and intent

    • Data may not be trustworthy

      • seek corroborating data on network

    Analysis Process

    • Access evidentiary images & backups

    • File inventory with hash values, etc.

    • Recover deleted data (files, folders, etc.)

    • Recover slack and unallocated space

    • Exclude known/unnecessary files

    • Remove duplicates

    • Process/decrypt/decompress files

      • swap and hibernation files

    • Index text data

    File Systems

    • General creation process

      • Allocation table and folder entries created

      • Time stamps set

      • Track written

      • Slack space

      • Perhaps artefacts generated

        • MS Word file menu Registry entries

    • Windows: FAT12, FAT16, FAT32, NTFS

    • Unix: UFS, ext2, ext3

    • Macintosh: HFS Plus

    NTFS

    • MFT records overwritten quickly

    • Index entries are overwritten quickly

      • Reference handbook

      • How quickly are blocks reused

    • The timestamps stored with the name in the MFT record are only modified when the name is changed

    • Sourceforge for more information


    MacOS (HFS Plus)

    • Catalog file

      • Balanced tree (B-tree)

      • File threads

    • Time formats

      • GMT vs. local

    • No access time

    Linux – A Forensic Platform

    # dd if=/dev/fd0 | md5sum

    2880+0 records in

    2880+0 records out

    5f4ed28dce5232fb36c22435df5ac867 -

    # dd if=/dev/fd0 of=floppy.image bs=512

    # md5sum floppy.image

    5f4ed28dce5232fb36c22435df5ac867 floppy.image

    # mount -t vfat -o ro,noexec,loop floppy.image /mnt

    # find /mnt -type f -exec sha1sum {} \;

    86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls

    81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml

    0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc

    # grep -aibf searchlist floppy.image

    75441:you and your entire business ransom.

    75500:I want you to deposit $50,000 in the account

    75767:Don't try anything, and dont contact the cops.
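The same dd/md5sum/sha1sum/grep workflow as an added Python example that is not from the slides (it also covers the points made earlier under Message Digests): hash an image, verify that a copy matches, hash the files extracted from it, and emulate grep -aibf to report the byte offset of each matching line. The image bytes stand in for floppy.image and the keyword list for the searchlist file; both are constructed.

```python
"""Image hashing, copy verification and keyword search by byte offset.

Added example, not from the slides. IMAGE is a constructed byte string
standing in for floppy.image; SEARCHLIST stands in for the searchlist file.
"""
import hashlib

# Constructed "disk image": binary filler around two lines of text. The
# newline after each filler run makes the text lines start at known offsets.
IMAGE = (b"\x00" * 63 + b"\n"
         + b"I want you to deposit $50,000 in the account\n"
         + b"\xff" * 31 + b"\n"
         + b"Don't try anything, and dont contact the cops.\n"
         + b"\x00" * 16)

SEARCHLIST = ["ransom", "deposit", "cops"]  # constructed, one pattern per line


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def verify_copy(original, copy):
    """True when the copy hashes identically to the original: the check that
    `dd if=/dev/fd0 | md5sum` against `md5sum floppy.image` performs."""
    return md5_hex(original) == md5_hex(copy)


def hash_files(files):
    """SHA-1 per extracted file, like `find /mnt -type f -exec sha1sum {} \\;`."""
    return {name: sha1_hex(content) for name, content in files.items()}


def grep_aib(image, patterns):
    """Emulate `grep -aibf`: treat binary as text (-a), ignore case (-i),
    report the byte offset of each matching line (-b), any pattern (-f).
    Returns (offset, line) with the line decoded as latin-1."""
    hits = []
    offset = 0
    lowered = [p.lower().encode("latin-1") for p in patterns]
    for line in image.split(b"\n"):
        low = line.lower()
        if any(p in low for p in lowered):
            hits.append((offset, line.decode("latin-1")))
        offset += len(line) + 1  # +1 for the newline consumed by split
    return hits


if __name__ == "__main__":
    print(md5_hex(IMAGE), "-")
    print("copy verified:", verify_copy(IMAGE, bytes(IMAGE)))
    for name, digest in hash_files({"Marks.xls": b"constructed", "Law.doc": b""}).items():
        print(digest, "/mnt/" + name)
    for offset, line in grep_aib(IMAGE, SEARCHLIST):
        print(f"{offset}:{line}")
```

Searching the raw image rather than the mounted file system is what lets the text in the second line be found even though it sits in filler bytes, the equivalent of slack or unallocated space on the floppy.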

    The Coroner’s Toolkit

    • ils -A /dev/hda1 (free inodes)

    • ils -o /dev/hda1 (removed open files)

    • icat /dev/hda1 inode

    • pcat pid

    • mactime -R -d / 12/13/2001-12/14/2001

    • mactime -d /export/home 10/30/2001

    • grave-robber -d . -E /

    • Perl is a requirement

    Log File Correlation

    • Use the time range from wtmp logs

      # last

      user pts/3 Sat Oct 20 19:45 - 01:08 (05:23)

      # mactime -b body -l "Sat Oct 20 19:45 - 01:08 (05:23)"

      Oct 21 01 01:32:30 75428 .a. -r-xr-xr-x root bin /usr/bin/ftp

    Computer Forensics Software

    AccessData Forensic Toolkit® (FTK™)

    • The most popular email forensic software tool

    • View over 270 different file formats with Stellent's Outside In Viewer Technology.

    • Generate audit logs and case reports.

    • Compatible with the Password Recovery Toolkit™ and Distributed Network Attack®.

    • Full text indexing powered by dtSearch® yields instant text search results.

    • Advance searches for JPEG images and Internet text.

    • Locate binary patterns using Live Search.

    • Automatically recover deleted files and partitions.

    • Target key files quickly by creating custom file filters.

    • Supported File & Acquisition Formats

    • File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.

    • Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD.

    • Email & Zip File Analysis

    • Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email.

    • View, search, print, and export email messages and attachments.

    • Recover deleted and partially deleted email.

    • Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.

    • Known File Filter™ (KFF™)

    • Identify and flag standard operating system and program files.

    • Identify and flag known child pornography and other potential evidence files

    • Includes hash datasets from NIST and Hashkeeper

    • Registry Viewer™

    • Access and decrypt protected storage data

    • View independent registry files

    • Report generation

    • Integrates with AccessData's forensic Tools

    Email Forensics: How FTK is used

    • Email is one of the most common ways people communicate

    • Studies have shown that more email is generated every day than phone conversations and paper documents combined

    • Forensic Analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide and no examination of Document Discovery is complete without requesting, searching and organizing email

    Email Forensics: Identification and Extraction

    • The first step in an email examination is to identify the sources of email and how the email servers and clients are used in an organization

    • More than just a way of sending messages, email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars and many other applications

      • E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM)

      • Lotus Notes and Domino Server are used beyond an email system

      • Many users store their personal calendars and contacts and even synchronize their email clients with their Personal Digital Assistants (PDAs)

      • Organizations use database-enabled email and messaging servers to manage cases, track clients and share data

    • Computer forensic examiners should start their collection of evidence with email

    Email Forensics: Deleted Email

    • Many users believe that once they delete email from their client, the mail is unrecoverable

    • Nothing could be farther from the truth; many times emails can be forensically extracted even after deletion

    • Many users also do not grasp the concept that email has a sender AND a recipient or multiple recipients

    • Emails may reside on servers unbeknownst to the user, or on backup tapes that were created during the normal course of business

    • Of course they may also be extracted from the hard disk of the client or the server.

    • Forensic programs are able to recover deleted email, calendars and more from users' email clients and email servers.

    Email Forensics: Web Mail or Web Based Email

    • It is completely possible to forensically recover email that was created or received by web based email systems and from free web based email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail

    • These types of mail systems use a browser to interface with the email server; the browser inherently caches information to the disk drive of the system used to retrieve or generate the email, thereby effectively saving a copy to the disk

    • Forensic examiners can extract the HTML based email from the disk drive of the system used to create or retrieve the email messages

    • Many Web Based or Web mail services, including Yahoo and Hotmail, have shared calendaring services, personal calendars and contact managers as well as email.

    • Any time these services are accessed they may be cached to the disk as well.

    Email Forensics: Correlating Email Messages

    • New evidence is essentially created by correlating emails by date, subject, recipient or sender

    • These correlations yield a map of inferences, events and entities

    • They also open up opportunities for more complex pattern analysis

    • Forensic software is especially important in providing these correlations

    EnCase Forensic (Guidance Software)

    • EnCase Forensic is the most popular software for computer forensic investigation

    • A single tool, capable of conducting large-scale and complex investigations from beginning to end:

      • Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide.

      • Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.

      • Automates complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.

      • Find information despite efforts to hide, cloak or delete.

      • Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.

      • Transfer evidence files directly to law enforcement or legal representatives as necessary.

      • Review options allow non-investigators, such as attorneys, to review evidence with ease.

      • Reporting options enable quick report preparation.

    EnCase Functions

    The EnCase Forensic GUI

    EnCase Forensic

    • "Conditions" permit users to create complex, multifaceted filters, using EnScript® programming language.

    EnCase Forensic

    • The block size and error granularity settings interface

    EnCase Forensic: Logical Evidence Files

    • "Single Files" allows an examiner to drag and drop particular files of interest into EnCase for analysis

    • "Logical Evidence Files" can be created and locked from "Single Files," as well as from specific files of interest from an EnCase preview of subject media.

    TASK Case Screen

    TASK Host Screen

    TASK Host Manager Screen

    TASK Analysis Screen

    FTK E-mail Extraction

    SMART Main Screen

    SMART Case View

    PDA Seizure

    Password Recovery Toolkit

    • PRTK: Combinations & permutations

      • Import FTK keyword list

      • Missed obvious combinations


    • 40-bit Encryption

      • Windows 2000 EFS (export)

      • MS Word / Excel

    Evidence on Networks

    Associating Online Activity with Logs

    • Server logs

    • E-mail server logs

    • Web server logs

    Internet activity -> data

    Case Example

    Harassment Complaint

    • Unauthorized e-mail access

    • Suspect pool

    • Process accounting

    • Bash history

    Harassment (janesmith)

    • Make sure logs are consistent

      mailserver# grep 'Login user=janesmith' syslog*

      syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID 234311] Login user=janesmith []

    • What to look for next?

    Harassment (continued)

    • wtmp logs indicate that her e-mail account was accessed from on Dec 9 at 13:14

      emailserver# last janesmith

      janesmith pts/114 Sun Dec 9 13:14 - 13:19 (00:05)

    • MAC times show that the .pinerc file was created on Dec 9 suggesting that this was the first time Pine was used to access e-mail in this account.

    Harassment (continued)

    • wtmp logs on show that seven people were logged in on Dec 9 at 13:14

      Note: clock on was 4 minutes fast

      server4% last

      walterp pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)

      johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)

      stephens pts/13 Sun Dec 9 13:01 - 16:16 (03:15)

      hansmol pts/3 Fri Dec 7 14:14 - 10:53 (6+20:38)

      ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)

    Harassment (continued)

    • RADIUS logs show suspect disconnected prior to offense

      NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8,,25,311 1 10/08/2001 19:38:34 22348,40,1,44,E0D03B6B,66,,45,1,41,0,61,5,4108,,4116,0,4128,NASA VPN,4136,4,4142,0

      NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8,,25,311 1 10/08/2001 19:38:34 22348,40,2,42,36793575,43,6837793,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66,,45,1,41,0,61,5,4108,,4116,0,4128,NASA VPN,4136,4,4142,0

    Harassment (continued)

    • However, kept process accounting logs, and an examination of these logs shows only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainant's e-mail account.

      server4% lastcomm | grep ssh

      ssh S timsteel ?? 0.11 secs Sun Dec 9 10:24

      ssh S johnsmith ?? 0.02 secs Sun Dec 9 13:10

      ssh S richevans ?? 0.03 secs Sun Dec 9 12:10

    Harassment (continued)

    • Confirmed using bash history

      server4# grep janesmith /home/johnsmith/.bash_history

      ssh -l janesmith
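Added example (not part of the slides) of the correlation just walked through: parse `last` and `lastcomm` output, subtract the 4-minute clock skew of the shell server, and intersect the users logged in at the mail server's login time with those who ran ssh shortly before it. The text is modelled on the slides with placeholder hosts and users; the year 2001 is assumed because neither tool prints one.

```python
"""Correlate a mail-server login time with wtmp and process-accounting data
from a second host whose clock runs fast.

Added example, not from the slides. LAST_OUTPUT and LASTCOMM_OUTPUT are
constructed to resemble the slides (hosts and users are placeholders).
"""
import re
from datetime import datetime, timedelta

YEAR = 2001  # assumption: last/lastcomm output carries no year

LAST_OUTPUT = """\
walterp   pts/14   roosevelt.nasa.g Sun Dec  9 13:10 - 13:17  (00:07)
johnsmith pts/2    pc01.admin.nasa. Sun Dec  9 13:09 - 13:29  (00:10)
stephens  pts/13                    Sun Dec  9 13:01 - 16:16  (03:15)
hansmol   pts/3                     Fri Dec  7 14:14 - 10:53 (6+20:38)
ianjones  pts/7    nasavpn-22.nasa. Fri Dec  7 08:39 - 01:23 (5+16:44)
"""

LASTCOMM_OUTPUT = """\
ssh   S  timsteel   ??  0.11 secs Sun Dec  9 10:24
ssh   S  johnsmith  ??  0.02 secs Sun Dec  9 13:10
ssh   S  richevans  ??  0.03 secs Sun Dec  9 12:10
"""

# user tty [host] start - end (duration); host is optional in `last` output
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\w{3} \w{3}\s+\d+ \d\d:\d\d) - \S+\s+"
    r"\((?:(\d+)\+)?(\d+):(\d+)\)$")
# command flags user tty secs date
LASTCOMM_RE = re.compile(
    r"^(\S+)\s+(\S*)\s+(\S+)\s+(\S+)\s+([\d.]+) secs\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d)$")


def _stamp(text):
    """'Sun Dec  9 13:10' -> datetime in the assumed year."""
    return datetime.strptime(f"{YEAR} {' '.join(text.split())}", "%Y %a %b %d %H:%M")


def parse_last(text):
    """Sessions as (user, host, start, end). The end is derived from the
    duration so sessions spanning midnight or several days are handled."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m:
            continue
        user, _tty, host, start, days, hours, mins = m.groups()
        begin = _stamp(start)
        length = timedelta(days=int(days or 0), hours=int(hours), minutes=int(mins))
        sessions.append((user, host or "", begin, begin + length))
    return sessions


def parse_lastcomm(text):
    """Process-accounting records as (command, user, time)."""
    records = []
    for line in text.splitlines():
        m = LASTCOMM_RE.match(line.strip())
        if m:
            cmd, _flags, user, _tty, _secs, when = m.groups()
            records.append((cmd, user, _stamp(when)))
    return records


def logged_in_at(sessions, moment, skew):
    """Users whose session covers `moment` after removing the host's clock
    skew (positive skew = host clock fast)."""
    return sorted({u for u, _h, b, e in sessions if b - skew <= moment <= e - skew})


def commands_near(records, command, moment, skew, before, after=timedelta(0)):
    """Users who ran `command` in [moment-before, moment+after], corrected time."""
    return sorted({u for c, u, t in records
                   if c == command and moment - before <= t - skew <= moment + after})


def suspects(last_text, lastcomm_text, moment, skew, before=timedelta(minutes=10)):
    active = logged_in_at(parse_last(last_text), moment, skew)
    ssh_users = commands_near(parse_lastcomm(lastcomm_text), "ssh", moment, skew, before)
    return [u for u in ssh_users if u in active]


def demo(skew_minutes=4):
    """Run the slide's scenario: mail-server login at 13:14 (reference clock)."""
    target = datetime(YEAR, 12, 9, 13, 14)
    skew = timedelta(minutes=skew_minutes)
    return {"active": logged_in_at(parse_last(LAST_OUTPUT), target, skew),
            "suspects": suspects(LAST_OUTPUT, LASTCOMM_OUTPUT, target, skew)}


if __name__ == "__main__":
    print(demo())
```

Note what the skew does: with the shell server 4 minutes fast, walterp's 13:10 to 13:17 session ends at 13:13 in mail-server time and drops out of the candidate set, which is why the slide insists on checking clock offsets before comparing logs from different hosts.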

    Network Traffic

    • Historical data

      • Performance monitoring

      • NetFlow & Argus

      • IDS (may include full packet capture)

    • Traffic capture

      • Temporal considerations

      • Preservation

      • Reconstruction and analysis

      • Tools

        • Dsniff, NetWitness, Sandstorm, NIKSUN, SilentRunner

        • Many for Unix (e.g., ngrep, review)

    Performance Monitoring

    • Shows patterns on a device

      • Spikes in traffic

      • Loss of connectivity to a segment

    • Multi Router Traffic Grapher (MRTG)


    Netflow and Snort Overview

    • NetFlow

      • a flow is a unidirectional collection of packets that share the same key fields

      • NetFlow logs contain basic flow information (src, dst, times, size)

    • Snort

      • based on libpcap

      • detects known attacks

      • highly configurable

    Using Snort and NetFlow

    • Host logs may be overwritten

    • Intrusion Detection System shows partial picture

      [**] FTP-site-exec [**]

      02/23-04:51:38.012306 ->

      TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF

      ***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC

      TCP Options (3) => NOP NOP TS: 98258650 1405239787

    • NetFlow logs show more complete picture

      Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets

      0223.04:51:38.841 0223.04:51:48.685 2 2721 13 21 6 2 3 144

    Netflow Losses

    • Sequence numbers show gaps

      % flow-header < ft-v05.2002-04-15.183000-0400

      # mode: normal

      # capture hostname: flow

      # exporter IP address:

      # capture start: Mon Apr 15 18:30:00 2002

      # capture end: Mon Apr 15 18:45:00 2002

      # capture period: 900 seconds

      # compress: on

      # byte order: big

      # stream version: 3

      # export version: 5

      # lost flows: 179520

      # corrupt packets: 0

      # sequencer resets: 1

      # capture flows: 206760

    Traffic Monitoring/Capture

    • tcpdump (68 bytes default capture)

    • Ethereal

    Authorization

    • Wiretap

      • Live Capture

      • Protecting systems

    • ECPA

      • Stored communications & records

      • Maintenance and protect users

    • USA Patriot Act

    libpcap losses

    • High speed links overload sniffers

    • Protocol type 11 (honeynet)

    • Applies to all libpcap based sniffers

      • snort, tcpdump, NetWitness

        # tcpdump -X host

        tcpdump: listening on xl0

        .....[data displayed on screen]…


        29451 packets received by filter

        4227 packets dropped by kernel

    Switches

    • Isolates traffic

      • Sniffing is more difficult

    • CatOS Switched Port Analyzer (SPAN)

    • Spanning/Mirroring ports

      • Only copies valid Ethernet packets

      • Not all error information duplicated

      • Low priority of span may increase losses


    • Hardware taps

      • Copy signals without removing layers

      • May split Tx and Rx (reassembly required)

    NIC Losses

    • Applies to all NICs (firewalls, switches, etc.)

      % netstat -nid

      Kernel Interface table

      Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
      eth0 1500 0 19877416 0 0 128 7327647 0 0 0 BRU

      % /sbin/ifconfig

      eth0 Link encap:Ethernet HWaddr 00:B0:D0:F3:CB:B5

      inet addr: Bcast:



      RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0

      TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1

      collisions:442837 txqueuelen:100

      Interrupt:23 Base address:0xec80
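Added example, not from the slides, covering the three loss indicators discussed above (flow-tools lost flows, tcpdump kernel drops and NIC overruns): it parses each tool's output and expresses the losses as fractions so that a capture's completeness can be stated in a report. The text blocks are constructed from the counters on the slides; the exporter address, interface address and MTU lines are left out.

```python
"""Capture-loss accounting for flow-tools, tcpdump and ifconfig output.

Added example, not from the slides. The three text blocks are constructed
from the counters shown on the slides.
"""
import re

FLOW_HEADER = """\
# mode: normal
# capture hostname: flow
# capture start: Mon Apr 15 18:30:00 2002
# capture end: Mon Apr 15 18:45:00 2002
# capture period: 900 seconds
# lost flows: 179520
# corrupt packets: 0
# sequencer resets: 1
# capture flows: 206760
"""

TCPDUMP_SUMMARY = """\
29451 packets received by filter
4227 packets dropped by kernel
"""

IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:F3:CB:B5
          RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
          TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
          collisions:442837 txqueuelen:100
"""


def parse_flow_header(text):
    """'# key: value' lines into a dict; values may contain colons."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"#\s*([^:]+):\s*(.*)", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def flow_loss(text):
    """Lost flows as a fraction of all flows the exporter sent."""
    f = parse_flow_header(text)
    lost, captured = int(f["lost flows"]), int(f["capture flows"])
    return {"lost": lost, "captured": captured,
            "fraction_lost": lost / (lost + captured),
            "sequencer_resets": int(f.get("sequencer resets", 0))}


def tcpdump_loss(text):
    """Kernel drops relative to packets seen by the filter. This is a rough
    indicator: whether 'received' already counts the dropped packets
    depends on the platform's pcap implementation."""
    received = int(re.search(r"(\d+) packets received by filter", text).group(1))
    dropped = int(re.search(r"(\d+) packets dropped by kernel", text).group(1))
    return {"received": received, "dropped": dropped,
            "fraction_dropped": dropped / received}


def nic_counters(text):
    """RX/TX counters from ifconfig; overruns are frames the NIC could not
    hand to the kernel in time, so they never reached any sniffer."""
    counters = {}
    for direction in ("RX", "TX"):
        m = re.search(direction + r" packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+)", text)
        counters[direction] = dict(zip(("packets", "errors", "dropped", "overruns"),
                                       map(int, m.groups())))
    return counters


def assess(threshold=0.01):
    """(stage, fraction lost, within threshold) for each capture stage."""
    fl = flow_loss(FLOW_HEADER)
    td = tcpdump_loss(TCPDUMP_SUMMARY)
    rx = nic_counters(IFCONFIG)["RX"]
    rx_frac = (rx["dropped"] + rx["overruns"]) / rx["packets"]
    rows = [("netflow", fl["fraction_lost"]),
            ("tcpdump", td["fraction_dropped"]),
            ("nic-rx", rx_frac)]
    return [(name, frac, frac <= threshold) for name, frac in rows]


if __name__ == "__main__":
    for name, frac, ok in assess():
        print(f"{name:8s} lost {frac:6.2%}  {'ok' if ok else 'INCOMPLETE'}")
```

The point of expressing all three as fractions is that the weakest stage bounds what the capture can prove: with nearly half the flows lost on the slide's collector, absence of a flow is not evidence that a connection never happened.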

    Case Example

    Intellectual Property Theft (rootkit)

    Intellectual Property

    • IDS logs show intrusion

      [**] FTP-site-exec [**]

      09/14-12:27: -> 130.132.x.y

      09/14-12:28: -> 130.132.x.y

      09/14-12:33: -> 130.132.x.y

    • Concern: system contains sensitive data

    IP Theft (assess damage)

    • Initial examination of compromised host showed no signs of compromise

      • no wtmp entries from site exec exploit

      • no syslog entries

      • no odd processes using ps or files using ls

    • System clock was 5 hours fast (Δt = 5hrs)

    • Oddities on system suggested compromise

      • difference between ps & lsof; /tmp/.tmp/

    IP Theft (analysis)

    • Used EnCase to analyze evidence

    • Recovered deleted syslogs (noting Δt)

      Sep 14 17:07:22 host ftpd[617]: FTP session closed

      Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM [], 1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11

      Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1
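
Applying Δt consistently is where timelines go wrong, so here is an added Python example (not from the case or the course) that maps the recovered syslog entries from the host's fast clock onto real time and pairs them with the IDS alerts, and that flags a syslog line stamped earlier than the line before it, which syslogd's append-only behaviour makes worth explaining. The log lines are constructed to mirror the slide: the binary login name is replaced by a placeholder, the source address is a documentation address, and the year (syslog omits it) and the IDS seconds are assumptions.

```python
import re
from datetime import datetime, timedelta

# The compromised host's clock ran 5 hours fast: true time = logged time - DELTA_T
DELTA_T = timedelta(hours=5)
# syslog lines carry no year; this value is a constructed assumption for the example
LOG_YEAR = 2000

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Snort-style alert stamp "MM/DD-HH:MM:SS.usec"; the slide's copies have the seconds cut off
IDS_RE = re.compile(r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d)(?::(?P<ss>\d\d))?")


def parse_syslog(line, year=LOG_YEAR):
    """(timestamp as written by the host, host, message), or None for other lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}", "%b %d %Y %H:%M:%S")
    return ts, m["host"], m["msg"]


def parse_ids(line, year=LOG_YEAR):
    """Timestamp of an IDS alert, taken from the sensor's (trusted) clock."""
    m = IDS_RE.match(line)
    if not m:
        return None
    return datetime(year, int(m["mon"]), int(m["day"]), int(m["hh"]), int(m["mm"]), int(m["ss"] or 0))


def corrected(ts, delta=DELTA_T):
    """Map a timestamp from the skewed host clock onto real time."""
    return ts - delta


def sequence_anomalies(syslog_lines):
    """syslogd appends in arrival order, so a line stamped earlier than its predecessor points
    at a clock change, an edited log or an injected record. Returns (line_no, ts, previous_ts)."""
    found, prev = [], None
    for n, line in enumerate(syslog_lines, 1):
        p = parse_syslog(line)
        if p is None:
            continue
        if prev is not None and p[0] < prev:
            found.append((n, p[0], prev))
        prev = p[0]
    return found


def correlate(syslog_lines, ids_lines, window=timedelta(minutes=2)):
    """Pair each corrected syslog entry with the nearest IDS alert inside `window`."""
    alerts = [t for t in map(parse_ids, ids_lines) if t is not None]
    pairs = []
    for line in syslog_lines:
        p = parse_syslog(line)
        if p is None:
            continue
        real = corrected(p[0])
        near = [a for a in alerts if abs(a - real) <= window]
        if near:
            pairs.append((real, p[2], min(near, key=lambda a: abs(a - real))))
    return pairs


# Constructed lines modelled on the slide (host-clock timestamps, one of them out of order)
SYSLOG = [
    "Sep 14 17:07:22 host ftpd[617]: FTP session closed",
    "Sep 14 17:28:31 host ftpd[622]: ANONYMOUS FTP LOGIN FROM [192.0.2.10], <binary login name>",
    "Sep 15 00:21:54 host ftpd[622]: FTP session closed",
    "Sep 14 17:33:10 host inetd[448]: pid 622: exit status 1",
]
# Constructed IDS alerts on the sensor's clock, matching the times on the earlier slide
IDS = [
    "09/14-12:27:05.114233 192.0.2.10:3120 -> 130.132.x.y:21",
    "09/14-12:28:40.220011 192.0.2.10:3121 -> 130.132.x.y:21",
    "09/14-12:33:02.901002 192.0.2.10:3122 -> 130.132.x.y:21",
]

if __name__ == "__main__":
    for real, msg, alert in correlate(SYSLOG, IDS):
        print(f"{real}  ~ IDS {alert}  {msg}")
    for n, ts, prev in sequence_anomalies(SYSLOG):
        print(f"line {n}: stamped {ts} but follows an entry stamped {prev}")
```

Record the sign of Δt in the case notes before converting anything: a clock that is fast means subtracting, and mixing the two directions across several sources silently reorders the timeline.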

    Linux in EnCase

    IP Theft (reconstruction)

    • Confirmed source of initial intrusion

    • Determined that target was high risk

    • Determined motive and intent

      • not aware of sensitive information on host

      • used host for DoS, scanning, and IRC

    • Determined that a sniffer had been used

    • Located other compromised systems

      • notified system owners on outside networks

    Advanced Analysis

    Timestamp Oddities

    • Moved file in Windows

      • Last write time before creation time

    • Corrupt timestamps

      • Windows folder and .lnk

      • MacOS

    • Some logs are in order of the end of the event

      • Process accounting

      • CISCO NetFlow

    Artefacts of File Transfer

    File transferred to external media

    • MS Word Metadata

    • Program’s file menu (registry key LastWrite)

      • MS Word, Powerpoint, Excel, etc.

      • WinZip, WinAmp

      • Explorer (e.g., RecentDocs, RunMRU)

      • Internet Explorer (history, cache, TypedURLs)

    • Shortcut (.lnk) files

      • Recent\Desktop (time ordered CAM)

    • Recycler

    • May be in unallocated space/swap/hibernation

    Recent Lnk to External Disk

    Network Artefacts

    • Downloaded files

    • Interactive connections

      • Telnet Lastmachine (registry)

      • Secure CRT .ini

      • Secure Shell

    • Unix directory listing on Windows PC

    • Web, e-mail, Usenet, IRC, etc.

    • IIS Transactions

      • pagefile.sys

    • Mapped network drives

      • NetHood (profile, MFT, registry, unallocated)

    Internet Accounts


      Key Name: SID\Software\Microsoft\Internet Account Manager\Accounts\00000004

      Class Name: <NO CLASS>

      Last Write Time: 7/5/2002 - 4:33 AM

    Downloaded Files

    • Tape Archive (.tar)

    Mapped Network Drive

    • Explorer (\\name\drive)

      • StreamMRU, RunMRU, RecentDocs

    • Scattered

      • User.dmp, swap, unallocated space

      • Grep expression: \\\\[A-Z]+\\[A-Z]+

    Unix Mounted Drives

    • df, mount, samba

    • /etc/fstab:

      /dev/hda1 / ext2 defaults 1 1

      /dev/hda7 /tmp ext2 defaults 1 2

      /dev/hda5 /usr ext2 defaults 1 2

      /dev/hda6 /var ext2 defaults 1 2

      /dev/hda8 swap swap defaults 0 0

      /dev/fd0 /mnt/floppy ext2 user,noauto 0 0

      /dev/hdc /mnt/cdrom iso9660 user,noauto,ro 0 0

      none /dev/pts devpts gid=5,mode=620 0 0

      none /proc proc defaults 0 0

      remote-server:/home/accts /home/accts nfs bg,hard,intr,rsize=8192,wsize=8192

      remote-server:/var/spool/mail /var/spool/mail nfs bg,hard,intr,noac,rsize=8192,wsize=8192

    Remote Logs and Printing

    • /etc/syslog.conf

      *.* @remote-server

    • /etc/printcap:

    Network Artefacts (Telnet)

    • Telnet registry

    File Transfer Protocol

    • On PC: file name, time, remote directory

    • On server: file name, size, time, account, IP

    • Linux ncftp (.ncftp/trace; .ncftp/history)

    xferlog: Nov 12 19:53:23 1998 15 780800 /home/user/image.jpg a _ o r user

    WS_FTP: 98.11.12 19:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg

    SESSION STARTED at: Sun Oct 21 01:05:44 2001

    Program Version: NcFTP 3.0.0/220 February 19 1999, 05:20 PM

    <cut for brevity>

    01:05:44 Connecting to

    01:05:52 > get openssl-0.9.6.tar.gz

    SESSION ENDED at: Sun Oct 21 01:06:50 2001
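
The value of these records comes from putting the server's and the PC's view of one transfer side by side, so here is an added Python example (not from the course) that parses wu-ftpd `xferlog` and WS_FTP log lines into one shape and pairs them by remote path and direction, reporting the clock skew between the two machines. The sample lines are constructed in the formats shown on the slide: the server address is a documentation address, `FTP Server` stands in for the host name as on the slide, and the pivot used for WS_FTP's two-digit year is an assumption.

```python
import re
from datetime import datetime

# wu-ftpd xferlog: [weekday] date transfer-secs remote-host size path type action direction mode user ...
# The slide's line lacks the weekday and has the host redacted, so both are optional here.
XFERLOG_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} )?(?P<when>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) "
    r"(?:(?P<host>[^\s/]+) )?(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<action>\S) "
    r"(?P<direction>[oid]) (?P<mode>[arg]) (?P<user>\S+)"
)
# WS_FTP log: yy.mm.dd hh:mm mode local-path arrow remote-host remote-dir remote-file
WSFTP_RE = re.compile(
    r"^(?P<yy>\d\d)\.(?P<mm>\d\d)\.(?P<dd>\d\d) (?P<hhmm>\d\d:\d\d) (?P<mode>[AB]) "
    r"(?P<local>.+?) (?P<arrow><--|-->) (?P<rest>.+)$"
)


def parse_xferlog(line):
    """Server-side record: who moved which file, which way, when (server clock, to the second)."""
    m = XFERLOG_RE.match(line)
    if not m:
        return None
    return {"when": datetime.strptime(m["when"], "%b %d %H:%M:%S %Y"), "host": m["host"],
            "size": int(m["size"]), "path": m["path"], "direction": m["direction"],
            "user": m["user"]}


def parse_wsftp(line):
    """Client-side record: local file, remote path and direction (PC clock, to the minute)."""
    m = WSFTP_RE.match(line)
    if not m:
        return None
    parts = m["rest"].rsplit(" ", 2)       # host may contain spaces, dir and file do not
    if len(parts) != 3:
        return None
    host, rdir, rfile = parts
    yy = int(m["yy"])
    year = 1900 + yy if yy >= 70 else 2000 + yy   # assumed pivot for the two-digit year
    when = datetime.strptime(f"{year}-{m['mm']}-{m['dd']} {m['hhmm']}", "%Y-%m-%d %H:%M")
    # '<--' is a download, which the server logs as outgoing ('o'); '-->' is an upload ('i')
    return {"when": when, "local": m["local"], "host": host,
            "remote_path": rdir.rstrip("/") + "/" + rfile,
            "direction": "o" if m["arrow"] == "<--" else "i"}


def correlate(xferlog_lines, wsftp_lines, tolerance_s=300):
    """Pair server and client records for the same file and direction whose clocks agree
    within tolerance_s seconds; skew_s is server time minus PC time."""
    servers = [r for r in map(parse_xferlog, xferlog_lines) if r]
    clients = [r for r in map(parse_wsftp, wsftp_lines) if r]
    pairs = []
    for s in servers:
        for c in clients:
            if s["path"] == c["remote_path"] and s["direction"] == c["direction"]:
                skew = int((s["when"] - c["when"]).total_seconds())
                if abs(skew) <= tolerance_s:
                    pairs.append({"user": s["user"], "remote_path": s["path"],
                                  "local": c["local"], "size": s["size"], "skew_s": skew})
    return pairs


# Constructed records: one download and one upload seen by both sides, one download seen
# only by the PC (no matching server record)
XFERLOG = [
    "Thu Nov 12 19:53:23 1998 15 203.0.113.7 780800 /home/user/image.jpg a _ o r user ftp 0 * c",
    "Thu Nov 12 20:10:01 1998 2 203.0.113.7 5120 /home/user/notes.txt a _ i r user ftp 0 * c",
]
WSFTP = [
    r"98.11.12 19:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg",
    r"98.11.12 20:09 B C:\docs\notes.txt --> FTP Server /home/user notes.txt",
    r"98.11.13 08:00 A C:\download\other.zip <-- FTP Server /pub other.zip",
]

if __name__ == "__main__":
    for p in correlate(XFERLOG, WSFTP):
        print(f"{p['user']} {p['remote_path']} <-> {p['local']} ({p['size']} bytes, skew {p['skew_s']}s)")
```

The PC entry with no server counterpart is as interesting as the matches: it means either a different server, a server whose logs you do not yet have, or a log that was trimmed. The skew values should be roughly constant across matches; a pair whose skew differs from the rest by hours deserves the Δt treatment from the earlier case.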

    Network Artefacts (Unix ls)

    Grep search

    • [d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-] (space)
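
Both grep expressions on these slides (the UNC-path pattern from the Mapped Network Drive slide and the directory-listing pattern above) are meant to be run over raw data rather than files, so here is an added Python example (not from the course) that carves both from a byte buffer. It goes beyond the slides in two ways that are stated as assumptions: the patterns are generalised (digits, `$` and `.` in share names, case-insensitive matching, setuid and sticky bits in the permission string), and the buffer is also scanned as UTF-16LE at both byte alignments, because the registry, the MFT and `.lnk` files store names that way and an 8-bit grep misses them. The sample buffer is constructed.

```python
import re

# The slides' grep patterns, generalised (added assumptions): share names may contain digits,
# '$' and '.', matching is case-insensitive, and listing lines may carry setuid/sticky bits
# (s, S, t, T) and file types other than '-' and 'd'.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+(?:\\[A-Za-z0-9_$.-]+)*")
LS_RE = re.compile(
    r"[-dlcbps][-rwxsStT]{9} +\d+ +[A-Za-z0-9_.-]+ +[A-Za-z0-9_.-]+ +\d+ +"
    r"[A-Z][a-z]{2} +\d{1,2} +(?:\d\d:\d\d|\d{4}) +[^\r\n\x00]+"
)
PATTERNS = (("unc", UNC_RE), ("ls", LS_RE))


def _scan(text, to_offset):
    """Yield (byte_offset, kind, text) for every pattern hit in an already-decoded view."""
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            yield to_offset(m.start()), kind, m.group(0)


def carve(data):
    """Search raw bytes (unallocated space, a memory dump, pagefile.sys) for the patterns.
    The data is scanned as 8-bit text and as UTF-16LE at both byte alignments; offsets are
    byte offsets into `data` so hits can be viewed in place with a hex editor."""
    hits = set(_scan(data.decode("latin-1"), lambda i: i))
    for align in (0, 1):
        view = data[align:]
        view = view[: len(view) - len(view) % 2]
        text = view.decode("utf-16-le", errors="replace")
        hits.update(_scan(text, lambda i, a=align: a + 2 * i))
    return sorted(hits)


# Constructed sample "image": slack bytes, an ASCII UNC path, a UTF-16LE UNC path,
# two Unix listing lines and some near-misses that must not match
SAMPLE = (
    b"\x00\x17\x9a\xc1 random slack bytes "
    + b"\\\\COMPETITORPC\\upload\\projectX "
    + b"\x00\xff\xfe" + "\\\\srv1\\share$".encode("utf-16-le")
    + b"\x00\x00more slack "
    + b"-rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX\n"
    + b"drwx------   2 user11 users   4096 Jan  3  2002 .ssh\n"
    + b"junk \\\\ not a path \\\\x"
)

if __name__ == "__main__":
    for offset, kind, text in carve(SAMPLE):
        print(f"{offset:8d} {kind:4s} {text}")
```

Run over a whole image, feed the file in overlapping chunks so a string straddling a chunk boundary is not lost, and treat UTF-16 offsets as approximate once the text contains characters outside the Basic Multilingual Plane, since a surrogate pair decodes to one character.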

    More Unix/Mac Artefacts

    • SSH

      • authorized_keys (incoming)

      • known_hosts (outgoing)

    • .xauth/refcount/xfs/hostname

    • Unix xterm buffers show sessions

    • Transactions of various servers

    • Windows remnants on Unix

      • Directory files e.g., C:\winnt\system32\*.exe

    Case Example

    Intellectual Property Theft (Insider)

    Initial Complaint

    • Employee stole information prior to leaving

      • Terminated on Sept 16, 2002

    • Unknown documents from workstation

    • clients.mdb

      • Client contact database

      • Stored on W2K workstation

    • projectX

      • Secret project details

      • Stored on Unix file server

    • What do you look for?

    W2K Workstation

    • Security (card swipe) records

      • Suspect entered building at 08:45am

    • Logon/Logoff record

      C:\>ntlast /ad 16/9/2002 /v

      Record Number: 18298

      ComputerName: WKSTN11

      EventID: 528 - Successful Logon

      Logon: Tue Sep 16 08:50:58am 2002

      Logoff: Tue Sep 16 09:10:00am 2002

      Details -

      ClientName: user11

      ClientID: (0x0,0xDCF9)

      ClientMachine: WKSTN11

      ClientDomain: CORPX

      LogonType: Interactive

    • How to collect this information as evidence?

    W2K Workstation

    • Transfer of clients.mdb

      • Accessed 09/16/2002 08:58:30 EST


      • \Windows\CurrentVersion\Explorer\RecentDocs

    • Suspect’s environment temp\clients.xls

      • Created at 08:59:14

      • Last modified at 08:58:49

    • Suspect’s e-mail outbox

      • Shows clients.xls sent to Hotmail

    • What information would you seek on network?

    W2K Workstation

    • Other file accessed at same time

      • private.doc

    • Registry OpenSaveMRU entry

    • Recent .lnk written and accessed

      • Recent A: .lnk written and accessed

    • What would you expect to find on associated floppy diskette?

    Unix File Server

    • SSH Client Access

      • Accessed:

        • \user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk

        • Files in \user11\Application Data\SSH\

        • \user11\Application Data\SSH\ HostKeys\key_22_srv1

    • How to collect evidence?

      % last user11

      user11 pts/77 Sep 16 09:05 - 09:06 (00:01)

      % ls -altu

      -rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX

    • ProjectX file found in c:\temp on wkstn11

      • What timestamps changed in transfer?

    W2K Workstation

    • Deleted projectX file found in c:\temp

      • Created: 09:05am

      • Accessed: 09:07am

      • Modified: 09/12/2002 10:07:07am

    • Explorer\RecentDocs\NetHood

      • \\competitorpc\upload

      • LastWrite 09/13/2002 11:04AM

    • Explain time discrepancy
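
The rules from the Timestamp Oddities slide are easy to state and easy to misapply, so here is an added Python example (not from the course) that encodes two of them: a last-write time earlier than the creation time marks a file copied or moved onto the volume, and logs written at the end of an event (process accounting, NetFlow) have to be re-sorted by start time before they go on a timeline. It runs the first rule over the projectX timestamps from this slide; the flow records and the plausibility floor used to flag corrupt values are constructed assumptions.

```python
from datetime import datetime, timedelta

PLAUSIBLE_FLOOR = datetime(1980, 1, 1)  # assumed lower bound; earlier values are treated as corrupt


def explain_timestamps(created, modified, accessed, examined=None):
    """Findings for one file's created/modified/accessed tuple. A last-write time earlier
    than the creation time is the signature of a copy or move: the creation time is when the
    file arrived on this volume, the modified time travelled with the content."""
    findings = []
    if modified < created:
        findings.append(
            "modified precedes created: the file was copied or moved onto this volume at the "
            "created time and its content dates from the modified time")
    for name, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts < PLAUSIBLE_FLOOR or (examined is not None and ts > examined):
            findings.append(f"{name} time {ts:%Y-%m-%d %H:%M:%S} is outside the plausible range: "
                            "treat as corrupt")
    return findings


def order_by_start(records):
    """Logs written when an event ENDS carry the end time plus a duration; sorting by the
    logged time places long-running events too late. Returns record ids in true start order."""
    return [r["id"] for r in sorted(records, key=lambda r: (r["end"] - r["duration"], r["id"]))]


# Values from the slide: the deleted projectX copy in c:\temp on the workstation
PROJECTX = dict(created=datetime(2002, 9, 16, 9, 5), modified=datetime(2002, 9, 12, 10, 7, 7),
                accessed=datetime(2002, 9, 16, 9, 7))

# Constructed flow records, as a collector logs them (end time + duration)
FLOWS = [
    {"id": "A", "end": datetime(2002, 9, 16, 10, 5), "duration": timedelta(minutes=10)},
    {"id": "B", "end": datetime(2002, 9, 16, 10, 1), "duration": timedelta(seconds=30)},
    {"id": "C", "end": datetime(2002, 9, 16, 10, 3), "duration": timedelta(minutes=15)},
]


def projectx_findings():
    """The first rule applied to the projectX timestamps; the examination date is assumed."""
    return explain_timestamps(**PROJECTX, examined=datetime(2002, 9, 25))


if __name__ == "__main__":
    for f in projectx_findings():
        print("projectX:", f)
    print("logged order:", [r["id"] for r in sorted(FLOWS, key=lambda r: r["end"])])
    print("start order: ", order_by_start(FLOWS))
```

For projectX the rule gives the answer the slide asks for: the 09/12 modified time is the content's age on the server, the 09:05 creation time is the moment of the copy to the workstation, and that moment sits inside the 09:05 to 09:06 SSH session on the file server. The flow example shows the second rule: the logged order B, C, A becomes C, A, B once each record is placed at its start.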

    Errors & Uncertainty

    Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case…

    Gross, H., Criminal Investigation: (Sweet & Maxwell, Ltd. 1924)

    Errors and Uncertainty

    • Offender/victim covering behavior

    • Preconceived theories

    • Accepting others’ assumptions

    • Technological limitations

    • Mistakes and misinterpretation

    • Evidence dynamics

      • Handbook - Chapter 1

    • Uncertainty and loss

      • Casey, E: “Error, Uncertainty and Loss in Digital Evidence”, International Journal of Digital Evidence, Volume 1, Issue 2, 2002 (

    Evidence Eliminator

    Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM

    OS Detected: Win95 [Win95 4.0.1111.1024]

    Eliminating Folder: C:\WINDOWS\applog\

    No folder found: C:\WINDOWS\applog\

    Eliminating IE Typed URL History...

    Data Found: String data: [url1-C:\My Documents\]

    Eliminating IE Typed AutoComplete data...

    Eliminating IE Download Folder record...

    Eliminating IE Error Logs...

    Eliminating File: C:\WINDOWS\IE4 Error Log.txt

    No file found: C:\WINDOWS\IE4 Error Log.txt

    Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\

    Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\ including root folder...

    Lily Pad Examples

    • SubSeven with IRC

      • File sharing

      • Denial of service

    • Unix intrusion

      • Bypass firewall

      • Attack from within

    Remote Storage

    • Compromised host

    • Shell/Web account

    • Online services



    • Mounted network shares

      • Sniffers that log to remote shares

      • Home directory on remote server

    Intruder Concealment

    • Deleted binary

      • Copy in /proc/pid/file

      • icat /dev/hda inode > recovered

    • Log deletion or wiping

      • wzap clears wtmp entries

    • Altering file attributes

    • Hidden files/Alternate Data Streams

      • hfind.exe

      • Device files in Recycle Bin

    • Rootkits/Loadable Kernel Modules (Knark)

    • Encryption
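
The first two concealment techniques on this slide, and the process hiding the rootkit slide describes, are checked from a live Linux system with a few lines, so here is an added Python example (not from the course) that does the ps-versus-/proc comparison the earlier case relied on, spots running processes whose binary has been unlinked, and copies such a binary back out through `/proc/<pid>/exe` with a hash for the evidence record. The process snapshot and ps output are constructed; `/tmp/.tmp/sniff` is a made-up name echoing the case.

```python
import hashlib
import os
import re
import shutil


def deleted_executables(exe_links):
    """exe_links maps pid -> target of readlink('/proc/<pid>/exe'). The kernel appends
    ' (deleted)' when the binary was unlinked after the process started, the classic sign of a
    removed tool that is still running. Returns the offending pids."""
    return sorted(pid for pid, target in exe_links.items() if target.endswith(" (deleted)"))


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from `ps`: what a trojaned ps binary produces.
    An LKM rootkit such as Knark filters /proc itself, which this comparison cannot see;
    that case needs the examination done from a trusted boot."""
    return sorted(set(proc_pids) - set(ps_pids))


def parse_ps_pids(ps_output):
    """PIDs from `ps -e` style output (first numeric column, header skipped)."""
    return [int(m.group(1)) for m in
            (re.match(r"\s*(\d+)\s", line) for line in ps_output.splitlines()[1:]) if m]


def scan_live_proc(proc="/proc"):
    """exe link targets for every numeric entry in /proc (Linux only)."""
    links = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(os.path.join(proc, name, "exe"))
        except OSError:
            continue  # kernel threads, or processes we are not permitted to inspect
    return links


def recover_binary(pid, dest, proc="/proc"):
    """Copy a running process's image out through /proc/<pid>/exe, which still opens the
    unlinked file, and return its SHA-256 for the evidence record."""
    shutil.copyfile(os.path.join(proc, str(pid), "exe"), dest)
    with open(dest, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


# Constructed snapshot modelled on the case: a sniffer started from /tmp/.tmp/ and then
# unlinked, and a ps that no longer lists it
EXE_LINKS = {1: "/sbin/init", 448: "/usr/sbin/inetd", 617: "/usr/sbin/in.ftpd",
             1337: "/tmp/.tmp/sniff (deleted)"}
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
  448 ?        00:00:00 inetd
  617 ?        00:00:00 in.ftpd
"""

if __name__ == "__main__":
    print("deleted binaries:", deleted_executables(EXE_LINKS))
    print("hidden from ps:  ", hidden_pids(EXE_LINKS, parse_ps_pids(PS_OUTPUT)))
    if os.path.isdir("/proc"):
        live = scan_live_proc()
        print("live system:", len(live), "inspectable processes,",
              len(deleted_executables(live)), "with a deleted binary")
```

Run the live scan from a statically linked Python on trusted media, the same precaution the process-and-tools section applies to ps and ls, and copy the recovered binary to external storage before the process exits, since the unlinked inode is freed with it.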

    Altering File Attributes

    • Attrib

    • Alter MAC times

    • touch in Unix

      • ls -altc

    • Microsoft SetFileTime() API

    • Hide from search tools

      • dir /t[:a]

      • afind.exe (FoundStone)
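
The reason the slide pairs `touch` with `ls -altc` is that `touch -t` and `utime()` rewrite only the access and modification times: the kernel stamps the inode change time (ctime) with the real moment of that call and provides no interface to set it. The following added Python example (not from the course) turns that into a triage check that lists files whose ctime trails their mtime by more than a chosen gap, and builds its own constructed sample in a temporary directory, one untouched file and one whose mtime was set back a year.

```python
import os
import tempfile
import time


def backdated_files(paths, min_gap=60):
    """Return (path, ctime - mtime in seconds) for files whose inode change time is later than
    their modification time by more than min_gap seconds. A large positive gap means the
    modification time was set after the fact (or the file was copied with its times preserved)."""
    flagged = []
    for path in paths:
        st = os.lstat(path)
        gap = st.st_ctime - st.st_mtime
        if gap > min_gap:
            flagged.append((path, gap))
    return flagged


def make_sample(dirpath=None):
    """Constructed sample: one untouched file and one whose mtime was set back a year."""
    dirpath = dirpath or tempfile.mkdtemp(prefix="mactimes-")
    normal, old = (os.path.join(dirpath, n) for n in ("normal.txt", "old.txt"))
    for p in (normal, old):
        with open(p, "w") as f:
            f.write("sample\n")
    past = time.time() - 365 * 86400
    os.utime(old, (past, past))   # sets atime and mtime; ctime records the real moment
    return normal, old


if __name__ == "__main__":
    normal, old = make_sample()
    for path, gap in backdated_files([normal, old]):
        print(f"{path}: mtime set {gap / 86400:.0f} days before the inode was last changed")
```

The check is Unix-only: Python reports the creation time in `st_ctime` on Windows, where `SetFileTime()` can set all three visible timestamps and NTFS keeps the comparable evidence in the MFT entry-modified time that the API does not expose. A large gap is also normal for files restored with `cp -p` or `tar -p` and for package installs, so it ranks files for a closer look rather than proving tampering.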

    Alternate Data Streams

    • c:\temp> lads

      LADS - Freeware version 3.01

      (C) Copyright 1998-2002 Frank Heyne Software (

      Scanning directory C:\temp\

      size ADS in file

      ---------- ---------------------------------

      17 C:\temp\myfile.txt:hidden

      17 C:\temp\myfile.txt:onetwothree

      17 C:\temp\myfile.txt:test

      51 bytes found in 3 alternate data streams

    Maresware: copy_ads

    C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads

    Program started Wed Sep 25 13:58:09 2002 GMT, 09:58 EST (-5*)


    C:\hidden\makeads:hidden2.txt 32 09/25/2002 09:43w EST


    ==> d:\evidence\ads\makeads\makeads[hidden2.txt]

    C:\hidden\makeads\regularfile.txt 25 09/25/2002 09:19:19w EST


    ==> d:\evidence\ads\makeads\regularfile.txt

    C:\research\makeads\regularfile.txt:hidden1.txt 17 09/25/2002 09:19:19w EST


    ==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]

    Processed 16 directories, 118 files, totaling 7,703,785 bytes:

    Found 1 directories with 1 alternate data streams.

    Found 1 files with 1 alternate data streams.

    Total 2 data streams byte count = 49 bytes

    Rootkits

    • Creates backdoors

    • Replace system components to hide:

      • files

      • processes

      • promiscuous mode

      • network connections

    • Often includes tools

      • Sniffers

      • Log wiping utilities

      • Patches

  • Login