Forensic Computer Analysis
ISMT350

Presentation Transcript

Overview

  • Why do we care?

  • Forensic Science Overview

  • Process and Tools

  • Evidence on Networks

  • Advanced Analysis

  • Errors & Uncertainty


Why do we Care?

  • Determine what happened

  • Determine extent of damage

  • Inform other universities of problems

  • Prevention & preparation for future

  • Mitigate risk & liability

  • If necessary, apprehend & prosecute


Improper Evidence Handling: why we need to avoid it

  • Open to unfair dismissal claims

  • Vulnerable to false accusations

    • Researcher accused of hacking

  • Privacy violation leads to counter suit

  • Information leakage leads to larger problem

  • Unresolved incidents create problems

    • Larger problem goes unrecognized

  • Develop poor evidence handling skills


Forensic Science Overview

  • Science applied to the discovery of truth

  • Locard’s exchange principle

    • Whenever two objects come into contact with each other, they transfer material from one to the other. This exchange produces the trace evidence of interest, from fingerprints to mud.

  • Authorization

  • Locate / identify evidence

  • Collection, documentation & preservation

    • everything that you will need in two years

  • Crime reconstruction (forensic analysis)

    • when, where, how, what, who, why

    • reproducible & free from bias/distortion

  • Report / present


    Continuity of Offense (COO)

    • Seek sources, conduits, and targets

      • Connect the dots

    • Corroborating evidence

      • Multiple independent sources

    Diagram (labels recovered from the figure): Victim's mail server/PC, Kiosk, Router, Proxy, Hotmail, NetFlow, NT DC, Access logs, Authentication logs


    Pornography: Transmission (Pivotal Case Study)

    • The theory behind child pornography laws in the U.S. traditionally has been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes the children who are used to create it.

    • United States v. Hilton invalidated part of the Child Pornography Prevention Act of 1996, 18 USC Section 2252A.

    • Hilton claimed to have been collecting child pornography for research purposes:

      • Met with an FBI agent and U.S. Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet.

      • Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised.

      • Police uncovered evidence that “made us question his motivation."

      • A case of police prosecuting people trying to help cure the Child Pornography problem?


    Pornography: Transmission

    How to investigate a “US v. Hilton”

    • Modem logs

      • Shows PC was connected to Internet

    • Dial-up server logs

      • Confirms connection and account used

    • MAC times and Registry (LastWrite)

      • File modification, creation, and access times

    • FTP logs

      • On PC: file name, time, remote directory

      • On server: file name, size, time, account, IP


    Relational Reconstruction

    • Improve understanding of events

    • Locate additional sources of evidence

    • Example: Accounting server break-in


    Log File Correlation

    • Sort each source independently, then combine

      • Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs

        05-15-2000 16:32:53.93 - Initializing modem.
        05-15-2000 16:32:53.93 - Send: AT
        05-15-2000 16:32:53.93 - Recv: AT
        05-15-2000 16:32:54.05 - Recv: OK
        05-15-2000 16:32:54.05 - Interpreted response: Ok
        05-15-2000 16:32:54.05 - Send: AT&FE0V1&C1&D2 S0=0 W1
        05-15-2000 16:32:54.07 - Recv: AT&FE0V1&C1&D2 S0=0 W1
        05-15-2000 16:32:54.19 - Recv: OK
        05-15-2000 16:32:54.19 - Interpreted response: Ok
        05-15-2000 16:32:54.20 - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3
        05-15-2000 16:32:54.22 - Recv: OK
        05-15-2000 16:32:54.22 - Interpreted response: Ok
        05-15-2000 16:32:54.26 - Dialing.
        05-15-2000 16:32:54.26 - Send: ATDT##########



    Histograms

    • Histogram of events over time

      • High number of events at key times

    • Histogram of time periods may show unusual gaps

      • MAC times

      • System log entries
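
The two slides above (Log File Correlation and Histograms) describe sorting each log source on its own, merging them into one timeline, and then counting events per time period to spot key moments and suspicious gaps. The following is an added example, not code from the slides: it parses constructed lines in the three formats the slides mention (a Windows modem log, mactime body output, and Registry LastWrite times exported as "date time key"), merges them, and reports a per-hour histogram and any gap of an hour or more. All log lines and paths are constructed.

```python
# Added example (not from the slides): merge several log sources into one timeline,
# then histogram events per hour and flag unusual gaps. All log lines are constructed
# in the formats the slides show (modem log, mactime body output, Registry LastWrite).
from collections import Counter
from datetime import datetime, timedelta

MODEM_LOG = """05-15-2000 16:32:53.93 - Initializing modem.
05-15-2000 16:32:54.26 - Dialing.
05-15-2000 16:33:12.40 - Connection established."""

# mactime-style lines: date time size mac-flags perms uid gid path (constructed)
MACTIME = """May 15 00 16:35:02 75428 .a. -r-xr-xr-x root bin /usr/bin/ftp
May 15 00 16:35:40 2048 m.c -rw-r--r-- user user /home/user/upload.zip
May 15 00 21:10:05 512 ..c -rw------- user user /home/user/.bash_history"""

# Registry key LastWrite times exported as "date time key" (constructed)
REGISTRY = r"""2000-05-15 16:34:10 HKCU\Software\Microsoft\Office\9.0\Word\Data
2000-05-15 16:35:41 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"""


def parse_modem(text):
    """Modem log: 'MM-DD-YYYY HH:MM:SS.ff - message'."""
    events = []
    for line in text.splitlines():
        stamp, msg = line.split(" - ", 1)
        events.append((datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f"), "modem", msg))
    return events


def parse_mactime(text):
    """mactime body output; the path is the 10th field and may contain spaces."""
    events = []
    for line in text.splitlines():
        f = line.split(None, 9)
        stamp = datetime.strptime(" ".join(f[:4]), "%b %d %y %H:%M:%S")
        events.append((stamp, "mactime", f"{f[5]} {f[9]}"))
    return events


def parse_registry(text):
    """Registry LastWrite export: 'YYYY-MM-DD HH:MM:SS key'."""
    events = []
    for line in text.splitlines():
        day, clock, key = line.split(" ", 2)
        events.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), "registry", key))
    return events


def build_timeline():
    """Parse each source independently, then merge on timestamp (tuples sort by time first)."""
    sources = (parse_modem(MODEM_LOG), parse_mactime(MACTIME), parse_registry(REGISTRY))
    return sorted(ev for src in sources for ev in src)


def histogram_by_hour(events):
    """Events per clock hour; a spike marks a key time worth examining closely."""
    return Counter(ts.strftime("%Y-%m-%d %H:00") for ts, _, _ in events)


def find_gaps(events, min_gap=timedelta(hours=1)):
    """Consecutive events separated by at least min_gap: a silent period that may mean
    a log was wiped, a system was off, or simply that nothing happened."""
    return [(a, b) for (a, _, _), (b, _, _) in zip(events, events[1:]) if b - a >= min_gap]


if __name__ == "__main__":
    timeline = build_timeline()
    for ts, source, detail in timeline:
        print(f"{ts}  {source:8}  {detail}")
    print(histogram_by_hour(timeline))
    print(find_gaps(timeline))
```

The merge is a plain sort on (timestamp, source, detail); in practice each source is normalized to one time zone before merging, and a known clock skew on one host is subtracted at parse time, otherwise the histogram and the gaps are artifacts of the clocks rather than of the events.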



    Search Methodology

    Identify the crime scene

    • Area 1: Local Nodes

      • PDA’s

      • Laptops

    • Area 2: Wireless devices

      • Mobile equipment

      • 802.11b

    • Area 3: Wireless networks

      • Core systems (BSC, MSC, SMS)

    • Area 4: Remote networks

      • Routers, switches, cables

      • Remote nodes


    Authorization Example

    • Floppy found in desk drawer

    • Collected by IT staff

      • No authorization

        • Not clear if search was legal

      • Process not documented

        • Not clear who found disk

      • Disk not labeled

        • Not clear which disk among several disks

    • Hot potato – drop it!

      • High risk of counter suit


    Chain of Custody

    • Who collected & handled the evidence

    • Fewer people handling the evidence

      => Fewer people testify

    • Standard forms & procedures

      => Consistency


    Collection & Preservation

    • Acquire evidence

      • EABD versus removing hard drive

      • save evidence on sterilized media

      • calculate MD5 checksum of evidence

      • digitally sign evidence (MD5, time & person)

    • Documentation

      • acquisition & verification process

      • who, where, how, when, and sometimes why

    • Lock original in safe

      • alternately use a custodian


    Message Digests

    • 128-bit “fingerprint”

      • 16 bytes, written as 32 hexadecimal digits

    • Two messages with same digest

      • Computationally infeasible

    • Search disk for file with same MD5

    • md5sum netstat.exe

      => 447282012156d360a862b30c7dd2cf3d
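
The Collection & Preservation and Message Digests slides describe hashing the acquired evidence, recording the digest together with the time and the person who took it, and later searching a disk for a file with a known digest. The following is an added example, not the slides' own procedure: it hashes an image in chunks (so a large image is never read into memory at once), writes a custody record, verifies the image against it, and looks up files by MD5. The "image" and the file set are constructed stand-ins. MD5 is kept because the slides use it, but SHA-256 is recorded alongside it, since MD5 collisions have been practical since 2004 and the "computationally infeasible" claim no longer holds for that algorithm.

```python
# Added example (not the slides' own procedure): chunked hashing of an acquired image,
# a custody record (digest, time, person), verification, and search-by-digest.
# IMAGE and the file set in the usage at the bottom are constructed stand-ins.
import hashlib
import io
from datetime import datetime, timezone

IMAGE = b"\x00" * 4096 + b"constructed FAT12 image stand-in" + b"\xff" * 1024


def digest_stream(fileobj, algo="md5", chunk=1 << 20):
    """Hash a file object in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def digest_bytes(data, algo="md5"):
    return digest_stream(io.BytesIO(data), algo)


def custody_record(data, examiner, when=None):
    """The 'digitally sign evidence (MD5, time & person)' step as a record that ties the
    digests to who took them and when. A production record would additionally be
    signed (e.g. with a GnuPG key); SHA-256 is recorded because MD5 is collision-prone."""
    when = when or datetime.now(timezone.utc)
    return {"md5": digest_bytes(data), "sha256": digest_bytes(data, "sha256"),
            "time": when.isoformat(), "examiner": examiner}


def verify(data, record):
    """Re-hash and compare; a single changed byte breaks the match."""
    return (digest_bytes(data) == record["md5"]
            and digest_bytes(data, "sha256") == record["sha256"])


def find_by_digest(files, wanted_md5):
    """'Search disk for file with same MD5': files is an iterable of (path, bytes)."""
    return [path for path, content in files if digest_bytes(content) == wanted_md5]


if __name__ == "__main__":
    rec = custody_record(IMAGE, "examiner-1")
    print(rec)
    print("verifies:", verify(IMAGE, rec))
    # constructed file set: which file carries the digest we are hunting for?
    sample = [("C:/WINNT/system32/netstat.exe", b"constructed good copy"),
              ("C:/temp/n.exe", b"constructed suspect copy")]
    print(find_by_digest(sample, digest_bytes(b"constructed suspect copy")))
```

The record is deliberately made before anything else is done with the image, and verification is repeated every time the image is opened for analysis; a failed verification is itself an event for the case notes.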


    What to Collect?

    • The original disk

    • An exact copy of the original disk

    • Log files from the disk (e.g. UNIX wtmp)

    • Interpreted logs (output of last)

      • Information lost in summarization

    • Relevant portions of interpreted logs

      • Output of last username

      • May miss some relevant entries

    • Written notes describing command output

      The approach depends on the circumstances


    Remote Collection

    • Document collection process (log to file)

    • May alert the suspect

    • Stepping in evidence

      • Same as at console

    • Forgotten evidence

      • Planning and procedures

    • Jurisdiction

      • May be only means - foreign countries

      • May cause an international incident

    • Evidence only available remotely (SNMP)


    To shut down or not to shut down

    • Network state

    • Processes in memory (MB/GB)

    • Kernel memory

    • Swap space

    • Lose cached data not yet written to disk

    • Lose data protected by EFS/PGP disk

    • Corrupt existing data


    Limitations of Live Exam?

    • Hasty

      • prone to error

      • automation helps avoid errors

    • Stepping in evidence

      • automation minimizes changes

      • not 100% (overwrite user.dmp)

    • Might miss something

      • alternate data streams

    • Can’t see deleted data

      • anyone have a floppy diskette?

    • Can’t trust operating system


    Challenge Concealment

    • Deleted binary

      • Copy in /proc/pid/file

      • icat /dev/hda inode > recovered

    • Log deletion or wiping

      • wzap clears wtmp entries

    • Altering file attributes

    • Hidden files/Alternate Data Streams

      • hfind.exe (Foundstone)

      • Device files in Recycle Bin

    • Rootkits/Loadable Kernel Modules (Knark)

    • Encryption


    The Coroner’s Toolkit

    • grave-robber output

      • coroner.log

      • proc with MD5 of output

      • command_out with MD5 of output

      • body - mactime database

      • removed_but_running

      • conf_vault

      • trust

      • MD5_all

      • MD5_all.md5


    Case Example
    W2K Domain Controller Hacked
    Unusual port
    Messy examination
    Cleanup fails!


    Initial Assessment

    • Routine Network Vulnerability Scan

      • BO2K on port 1177 of W2K DC

    • Physical Assessment

      • Located in locked closet

    • Initial Examination

      • All security patches applied

      • NT Security Event logging enabled

      • fport: c:\winnt\system32\wlogin.exe

    • System cannot be shutdown

      • Central to operation of network


    Network Assessment

    • Accessible from the Internet

    • No dial-up access

    • Many services enabled

      • file sharing

      • Internet Information Server

      • FTP (anonymous FTP disabled)

    • IIS fully patched


    Assess and Preserve

    • Toolkit of known good executables

      • Save output to external/remote disk

      • Note md5 values of output

    • Check for keystroke grabber / sniffer

      • No fakegina or klogger

      • Yes sniffer (system32\packet.sys)

    • MAC times to locate other files

      • Installed IRC bot in C:\WINNT\Java

      • No obvious access of sensitive information

    • Could have obtained passwords via lsass

    • Could have access to other machines


    Logs

    • No unusual logons in Security Event Logs

    • IIS logs from before security patch installation

      • Shows compromise via Web server

    • AntiVirus messages in Application Event Logs

      1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed :
      1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned:62093 Files/Folders/Drives Omitted:89


    Leads

    • IP addresses from Web server logs

    • IRC bot files

      • eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information


    Remediation

    • Change passwords and examine other hosts

    • HKLM\System\CurrentControlSet\Services

      • C:\WINNT\System32\wlogin.exe

    • Machine fails to reboot

      • Extended downtime

    • MAC times incomplete

      • C:\subdir

    • Wlogin is zeroed out

      • Accidental by examiner

      • Intentional by Norton/intruder?

      • No binary to analyze


    Lessons Learned

    • Intrusion prior to patching

      • Do not assume that system was secure

    • Lastwrite time of wlogin Registry key

      • Missed opportunity

    • Attempt to recover piecemeal

      • Don’t make matters worse than intruder

      • Make a plan and make a backup plan


    Forensic Analysis Overview

    • Locate, recover, and interpret evidence

    • Low level analysis vs interpreted data

    • Timeline – when

    • Relational reconstruction – where

    • Functional reconstruction – how

    • Synthesis – what, why

      • crime reconstruction

      • risk assessment

      • motive and intent

    • Data may not be trustworthy

      • seek corroborating data on network


    Analysis Process

    • Access evidentiary images & backups

    • File inventory with hash values, etc.

    • Recover deleted data (files, folders, etc.)

    • Recover slack and unallocated space

    • Exclude known/unnecessary files

    • Remove duplicates

    • Process/decrypt/decompress files

      • swap and hibernation files

    • Index text data


    File Systems

    • General creation process

      • Allocation table and folder entries created

      • Time stamps set

      • Track written

      • Slack space

      • Perhaps artefacts generated

        • MS Word file menu Registry entries

    • Windows: FAT12, FAT16, FAT32, NTFS

    • Unix: UFS, ext2, ext3

    • Macintosh: HFS Plus



    NTFS

    • MFT records overwritten quickly

    • Index entries are overwritten quickly

      • Reference handbook

      • How quickly are blocks reused

    • Timestamp in MFT Record in table only modified when name is changed

    • Sourceforge for more information

      • http://sourceforge.net/projects/linux-ntfs/



    MacOS (HFS Plus)

    • Catalog file

      • Balanced tree (B-tree)

      • File threads

    • Time formats

      • GMT vs. local

    • No access time

    http://developer.apple.com/technotes/tn/tn1150.html


    Linux – A Forensic Platform

    # dd if=/dev/fd0 | md5sum
    2880+0 records in
    2880+0 records out
    5f4ed28dce5232fb36c22435df5ac867 -
    # dd if=/dev/fd0 of=floppy.image bs=512
    # md5sum floppy.image
    5f4ed28dce5232fb36c22435df5ac867 floppy.image
    # mount -t vfat -o ro,noexec,loop floppy.image /mnt
    # find /mnt -type f -exec sha1sum {} \;
    86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
    81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml
    0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
    # grep -aibf searchlist floppy.image
    75441:you and your entire business ransom.
    75500:I want you to deposit $50,000 in the account
    75767:Don't try anything, and dont contact the cops.


    The Coroner’s Toolkit

    • ils -A /dev/hda1 (free inodes)

    • ils -o /dev/hda1 (removed open files)

    • icat /dev/hda1 inode

    • pcat pid

    • mactime -R -d / 12/13/2001-12/14/2001

    • mactime -d /export/home 10/30/2001

    • grave-robber -d . -E /

    • Perl is a requirement


    Log File Correlation

    • Use the time range from wtmp logs

      # last
      user pts/3 66-65-113-65.nyc Sat Oct 20 19:45 - 01:08 (05:23)
      # mactime -b body -l "Sat Oct 20 19:45 - 01:08 (05:23)"
      Oct 21 01 01:32:30 75428 .a. -r-xr-xr-x root bin /usr/bin/ftp



    AccessData Forensic Toolkit® (FTK™)

    • The most popular of email forensic software tools

    • View over 270 different file formats with Stellent's Outside In Viewer Technology.

    • Generate audit logs and case reports.

    • Compatible with the Password Recovery ToolkitTM and Distributed Network Attack®.

    • Full text indexing powered by dtSearch® yields instant text search results.

    • Advance searches for JPEG images and Internet text.

    • Locate binary patterns using Live Search.

    • Automatically recover deleted files and partitions.

    • Target key files quickly by creating custom file filters.

    • Supported File & Acquisition Formats

    • File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.

    • Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD.

    • Email & Zip File Analysis

    • Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email.

    • View, search, print, and export email messages and attachments.

    • Recover deleted and partially deleted email.

    • Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.

    • Known File Filter™ (KFF™)

    • Identify and flag standard operating system and program files.

    • Identify and flag known child pornography and other potential evidence files

    • Includes hash datasets from NIST and Hashkeeper

    • Registry Viewer™

    • Access and decrypt protected storage data

    • View independent registry files

    • Report generation

    • Integrates with AccessData's forensic Tools


    Email Forensics: How FTK is used

    • Email is one of the most common ways people communicate

    • Studies have shown that more email is generated every day than phone conversations and paper documents combined

    • Forensic Analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide and no examination of Document Discovery is complete without requesting, searching and organizing email


    Email Forensics Identification and Extraction

    • The first step in an email examination is to identify the sources of email and how the email servers and clients are used in an organization

    • More than just a way of sending messages, email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars and many other applications

      • E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM)

      • Lotus Notes and Domino Server are used beyond an email system

      • Many users store their personal calendars, contacts and even synchronize their  email clients with their Personal Digital Assistants (PDA)

      • Organizations use database enabled email and messaging servers to manage cases, track clients and share data

    • Computer forensic examiners should start their collection of evidence with email


    Email Forensics: Deleted Email

    • Many users believe that once they delete email from their client, the mail is unrecoverable

    • Nothing could be farther from the truth: many times emails can be forensically extracted even after deletion

    • Many users also do not grasp the concept that email has a sender AND a recipient, or multiple recipients

    • Emails may reside on servers unbeknownst to the user, or on backup tapes that were created during the normal course of business

    • Of course they may also be extracted from the hard disk of the client or the server.

    • Forensic programs are able to recover deleted email, calendars and more from users' email clients and email servers.


    Email Forensics: Web Mail or Web-Based Email

    • It is entirely possible to forensically recover email that was created or received through web-based email systems and free web-based email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail

    • These mail systems use a browser to interface with the email server; the browser inherently caches information to the disk drive of the system used to retrieve or generate the email, effectively saving a copy to disk

    • Forensic examiners can extract the HTML-based email from the disk drive of the system used to create or retrieve the email messages

    • Many web-based or web mail services, including Yahoo and Hotmail, offer shared calendaring services, personal calendars and contact managers as well as email.

    • Any time these services are accessed they may be cached to the disk as well.


    Email Forensics: Correlating Email Messages

    • New evidence is essentially created by correlating emails by date, subject, recipient or sender

    • These yield a map of inferences, events and entities

    • And open up opportunities for more complex pattern analysis

    • Forensic software is especially important in providing these correlations
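
The slide above says that correlating messages by date, subject, recipient and sender yields a map of inferences, events and entities. The following is an added example, not FTK's or the slides' code: it parses a small constructed set of RFC 822 messages with Python's standard email module, normalizes subjects ("Re:", "Fwd:" prefixes stripped), and derives three correlations: threads in date order, a sender-to-recipient edge count, and the set of entities a given subject reached by following forwards. All addresses, dates and message bodies are constructed.

```python
# Added example (not FTK's or the slides' code): correlate a constructed set of RFC 822
# messages by date, subject, sender and recipient to build an entity/inference map.
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed mailbox: a three-message thread (one forward) plus an unrelated message.
MESSAGES = [
    """From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Subject: Q3 numbers
Date: Mon, 07 Oct 2002 09:12:00 -0400
Message-ID: <1@example.org>

Draft attached.
""",
    """From: bob@example.org
To: alice@example.org
Subject: Re: Q3 numbers
Date: Mon, 07 Oct 2002 10:40:00 -0400
Message-ID: <2@example.org>
In-Reply-To: <1@example.org>

Looks fine. Send it.
""",
    """From: carol@example.org
To: dave@example.org
Subject: Fwd: Q3 numbers
Date: Tue, 08 Oct 2002 18:02:00 -0400
Message-ID: <3@example.org>

FYI, see below.
""",
    """From: dave@example.org
To: alice@example.org
Subject: lunch?
Date: Wed, 09 Oct 2002 11:00:00 -0400
Message-ID: <4@example.org>

Noon?
""",
]

SUBJECT_PREFIX = re.compile(r"^(?:\s*(?:re|fwd?|fw)\s*:)+\s*", re.I)


def parse_message(raw):
    """Pull the correlation keys out of one message: sender, recipients, subject, date."""
    msg = message_from_string(raw)
    sender = getaddresses([msg["From"]])[0][1].lower()
    rcpts = sorted({addr.lower() for _, addr in
                    getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))})
    return {"id": msg["Message-ID"], "from": sender, "to": rcpts,
            "subject": SUBJECT_PREFIX.sub("", msg["Subject"]).strip().lower(),
            "date": parsedate_to_datetime(msg["Date"])}


def parse_all():
    return sorted((parse_message(m) for m in MESSAGES), key=lambda m: m["date"])


def threads(parsed):
    """Message-IDs grouped by normalized subject, in date order."""
    out = {}
    for m in parsed:
        out.setdefault(m["subject"], []).append(m["id"])
    return out


def who_wrote_to_whom(parsed):
    """(sender, recipient) -> message count: the edges of the entity map."""
    edges = {}
    for m in parsed:
        for r in m["to"]:
            edges[(m["from"], r)] = edges.get((m["from"], r), 0) + 1
    return edges


def reached_by(parsed, subject, origin):
    """Everyone a subject reached, following sender->recipient edges from origin;
    forwarded copies count because the 'Fwd:' prefix is normalized away."""
    related = [m for m in parsed if m["subject"] == subject]
    seen, todo = {origin}, [origin]
    while todo:
        who = todo.pop()
        for m in related:
            if m["from"] == who:
                for r in m["to"]:
                    if r not in seen:
                        seen.add(r)
                        todo.append(r)
    return sorted(seen)


if __name__ == "__main__":
    parsed = parse_all()
    print(threads(parsed))
    print(who_wrote_to_whom(parsed))
    print(reached_by(parsed, "q3 numbers", "alice@example.org"))
```

Subject-based threading is a heuristic; where In-Reply-To and References headers survive they are the stronger link, and a message whose subject was edited will fall out of its thread here.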


    EnCase Forensic (Guidance Software)

    • EnCase Forensic is the most popular software for computer forensic investigation

    • A single tool, capable of conducting large-scale and complex investigations from beginning to end:

      • Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide.

      • Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.

      • Automates complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.

      • Find information despite efforts to hide, cloak or delete.

      • Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.

      • Transfer evidence files directly to law enforcement or legal representatives as necessary.

      • Review options allow non-investigators, such as attorneys, to review evidence with ease.

      • Reporting options enable quick report preparation.




    EnCase Forensic

    • "Conditions" permit users to create complex, multifaceted filters, using EnScript® programming language.


    EnCase Forensic

    • The block size and error granularity settings interface


    EnCase Forensic: Logical Evidence Files

    "Single Files" allows an examiner to drag and drop particular files of interest into EnCase for analysis.

    "Logical Evidence Files" can be created and locked from "Single Files," as well as from specific files of interest from an EnCase preview of subject media.


    TASK Case Screen


    TASK Host Screen


    TASK Host Manager Screen


    TASK Analysis Screen


    FTK E-mail Extraction


    SMART Main Screen


    SMART Case View


    PDA Seizure


    Password Recovery Toolkit

    • PRTK: Combinations & permutations

      • Import FTK keyword list

      • Missed obvious combinations


    DNA (Distributed Network Attack)

    • 40-bit Encryption

      • Windows 2000 EFS (export)

      • MS Word / Excel


    Evidence on Networks
    Associating Online Activity with Logs
    Server logs
    E-mail server logs
    Web server logs


    Internet activity -> data


    Case Example
    Harassment Complaint
    Complaint
    Unauthorized e-mail access
    Suspect pool
    Process accounting
    Bash history


    Harassment (janesmith)

    • Make sure logs are consistent

      mailserver# grep 'Login user=janesmith' syslog*
      syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID 234311 mail.info] Login user=janesmith host=johnsmith.nasa.gov [192.168.135.156]

    • What to look for next?


    Harassment (continued)

    • wtmp logs indicate that her e-mail account was accessed from server4.nasa.gov on Dec 9 at 13:14

      emailserver# last janesmith
      janesmith pts/114 server4.nasa.gov Sun Dec 9 13:14 - 13:19 (00:05)

    • MAC times show that the .pinerc file was created on Dec 9 suggesting that this was the first time Pine was used to access e-mail in this account.


    Harassment (continued)

    • wtmp logs on server4.nasa.gov show that seven people were logged in on Dec 9 at 13:14

      Note: clock on server4.nasa.gov was 4 minutes fast
      server4% last
      walterp pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)
      johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)
      stephens pts/13 lincoln.nasa.com Sun Dec 9 13:01 - 16:16 (03:15)
      hansmol pts/3 homepc.isp.com Fri Dec 7 14:14 - 10:53 (6+20:38)
      ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)


    Harassment (continued)

    • RADIUS logs show suspect disconnected prior to offense

      192.168.1.219,NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,1,44,E0D03B6B,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,4116,0,4128,NASA VPN,4136,4,4142,0
      192.168.1.219,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,2,42,36793575,43,6837793,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,4116,0,4128,NASA VPN,4136,4,4142,0


    Harassment (continued)

    • However, server4.nasa.gov kept process accounting logs, and an examination of these logs shows only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainant's e-mail account.

      server4% lastcomm | grep ssh
      ssh S timsteel ?? 0.11 secs Sun Dec 9 10:24
      ssh S johnsmith ?? 0.02 secs Sun Dec 9 13:10
      ssh S richevans ?? 0.03 secs Sun Dec 9 12:10


    Harassment (continued)

    • Confirmed using bash history

      server4# grep janesmith /home/johnsmith/.bash_history
      ssh -l janesmith mailserver.ispX.com
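
The harassment case above turns on two things: the mail server's wtmp entry fixes the offense time, and server4's clock ran 4 minutes fast, so its `last` and `lastcomm` output has to be read in its own, skewed, time before asking who was logged in. The following is an added example, not the slides' code: it parses the `last` and `lastcomm` lines shown on the slides (anonymized output, reproduced as given), applies the skew, lists the sessions that covered the offense instant, and pulls the ssh process-accounting records started shortly before it. Two assumptions are labelled in the code: the year (neither command prints it; 2001 matches the weekdays shown) and the 15-minute lookback window for `lastcomm`.

```python
# Added example (not from the slides): apply a known clock skew, find which `last`
# sessions on server4 overlapped the offense time recorded on the mail server, and pull
# the `lastcomm` ssh records in that window. Assumptions: the year (2001) and the
# 15-minute lookback window; both are parameters below.
import re
from datetime import datetime, timedelta

YEAR = 2001                               # assumption: last/lastcomm do not print it
SKEW = timedelta(minutes=4)               # server4's clock ran 4 minutes fast
OFFENSE = datetime(YEAR, 12, 9, 13, 14)   # login to janesmith's mailbox, mail server clock

LAST_OUTPUT = """walterp pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)
johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)
stephens pts/13 lincoln.nasa.com Sun Dec 9 13:01 - 16:16 (03:15)
hansmol pts/3 homepc.isp.com Fri Dec 7 14:14 - 10:53 (6+20:38)
ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)"""

LASTCOMM_OUTPUT = """ssh S timsteel ?? 0.11 secs Sun Dec 9 10:24
ssh S johnsmith ?? 0.02 secs Sun Dec 9 13:10
ssh S richevans ?? 0.03 secs Sun Dec 9 12:10"""

DURATION = re.compile(r"\((?:(\d+)\+)?(\d+):(\d+)\)")   # (hh:mm) or (days+hh:mm)


def parse_last(text):
    """{user: (login, logout)} on the host's own clock. `last` prints only the logout
    time of day; the day count comes from the duration field, and a logout clock time
    earlier than the login clock time means the session crossed one more midnight."""
    sessions = {}
    for line in text.splitlines():
        f = line.split()
        user, mon, day, start, end_clock, dur = f[0], f[4], f[5], f[6], f[8], f[9]
        login = datetime.strptime(f"{YEAR} {mon} {day} {start}", "%Y %b %d %H:%M")
        days = int(DURATION.match(dur).group(1) or 0)
        eh, em = (int(x) for x in end_clock.split(":"))
        logout = (login + timedelta(days=days)).replace(hour=eh, minute=em)
        if logout < login + timedelta(days=days):
            logout += timedelta(days=1)
        sessions[user] = (login, logout)
    return sessions


def logged_in_at(sessions, when_remote, skew=SKEW):
    """Users whose session covers the instant `when_remote` (read from a trusted clock).
    The local host's clock is `skew` fast, so that instant reads `skew` later in its logs."""
    local = when_remote + skew
    return sorted(u for u, (login, logout) in sessions.items() if login <= local < logout)


def parse_lastcomm(text):
    """[(command, user, start)] from lastcomm output."""
    records = []
    for line in text.splitlines():
        f = line.split()   # cmd flags user tty cpu 'secs' dow mon day hh:mm
        start = datetime.strptime(f"{YEAR} {f[7]} {f[8]} {f[9]}", "%Y %b %d %H:%M")
        records.append((f[0], f[2], start))
    return records


def ssh_before(records, when_remote, window=timedelta(minutes=15), skew=SKEW):
    """ssh processes started within `window` before the offense, in the host's clock."""
    local = when_remote + skew
    return [(u, t) for cmd, u, t in records if cmd == "ssh" and local - window <= t <= local]


if __name__ == "__main__":
    sessions = parse_last(LAST_OUTPUT)
    print("logged in (skew applied):", logged_in_at(sessions, OFFENSE))
    print("logged in (skew ignored): ", logged_in_at(sessions, OFFENSE, skew=timedelta(0)))
    print("ssh starts before offense:", ssh_before(parse_lastcomm(LASTCOMM_OUTPUT), OFFENSE))
```

Run with the skew applied, walterp's 13:10-13:17 session drops out of the suspect pool; run with the skew ignored it stays in, which is exactly the kind of error the "clock was 4 minutes fast" note exists to prevent.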


    Network Traffic

    • Historical data

      • Performance monitoring

      • NetFlow & Argus

      • IDS (may include full packet capture)

    • Traffic capture

      • Temporal considerations

      • Preservation

      • Reconstruction and analysis

      • Tools

        • Dsniff, NetWitness, Sandstorm, NIKSUN, SilentRunner

        • Many for Unix (e.g., ngrep, review)


    Performance Monitoring

    • Shows patterns on a device

      • Spikes in traffic

      • Loss of connectivity to a segment

    • Multi Router Traffic Grapher (MRTG)

      • www.mrtg.org


    NetFlow and Snort Overview

    • NetFlow

      • flows represent unidirectional collection of similar packets

      • NetFlow logs contain basic flow information (src, dst, times, size)

    • Snort

      • based on libpcap

      • detects known attacks

      • highly configurable


    Using Snort and NetFlow

    • Host logs may be overwritten

    • Intrusion Detection System shows partial picture

      [**] FTP-site-exec [**]
      02/23-04:51:38.012306 192.168.164.88:2721 -> 192.168.168.2:21
      TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
      ***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC
      TCP Options (3) => NOP NOP TS: 98258650 1405239787

    • NetFlow logs show more complete picture

      Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
      0223.04:51:38.841 0223.04:51:48.685 2 192.168.164.88 2721 13 192.168.168.2 21 6 2 3 144
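
The slide shows one Snort alert and the NetFlow record for the same connection, and makes the point that the flow gives a fuller picture (start, end, packet and byte counts) than the single alerting packet. The following is an added example, not the slides' code: it parses the alert header and the flow listing, matches them on the 5-tuple with a small time tolerance for the clock difference between sensor and exporter, and lists the other flows the alerting source had with the target. The first flow line is the slide's; the second and third flow lines are constructed, and the year is an assumption, since neither record prints it.

```python
# Added example (not from the slides): match a Snort alert to its NetFlow record on the
# 5-tuple and list related flows. Flow lines 2 and 3 are constructed; YEAR is assumed.
import re
from datetime import datetime, timedelta

YEAR = 2002                                   # assumption: not printed by either record
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}  # Snort name -> IP protocol number

SNORT_ALERT = """[**] FTP-site-exec [**]
02/23-04:51:38.012306 192.168.164.88:2721 -> 192.168.168.2:21
TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF"""

FLOW_LOG = """Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0223.04:51:38.841 0223.04:51:48.685 2 192.168.164.88 2721 13 192.168.168.2 21 6 2 3 144
0223.04:51:40.100 0223.04:52:01.300 2 192.168.164.88 2730 13 192.168.168.2 20 6 2 20 14802
0223.04:50:12.000 0223.04:50:12.500 2 192.168.164.90 1044 13 192.168.168.2 21 6 2 4 210"""

ALERT_HDR = re.compile(r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)")


def parse_snort(text):
    """Name, time and 5-tuple from the three header lines of a Snort alert."""
    name_line, addr_line, proto_line = text.splitlines()[:3]
    name = re.match(r"\[\*\*\] (.+?) \[\*\*\]", name_line).group(1)
    mo, d, clock, src, sp, dst, dp = ALERT_HDR.match(addr_line).groups()
    return {"name": name,
            "time": datetime.strptime(f"{YEAR}-{mo}-{d} {clock}", "%Y-%m-%d %H:%M:%S.%f"),
            "src": src, "sport": int(sp), "dst": dst, "dport": int(dp),
            "proto": PROTO_NUM[proto_line.split()[0].lower()]}


def flow_time(s):
    """MMDD.HH:MM:SS.mmm as printed in the slide's NetFlow listing."""
    return datetime.strptime(f"{YEAR}{s}", "%Y%m%d.%H:%M:%S.%f")


def parse_flows(text):
    """One dict per flow row, keyed by the column names in the header line."""
    header, *rows = text.splitlines()
    cols = header.split()
    flows = []
    for row in rows:
        r = dict(zip(cols, row.split()))
        flows.append({"start": flow_time(r["Start"]), "end": flow_time(r["End"]),
                      "src": r["SrcIPaddress"], "sport": int(r["SrcP"]),
                      "dst": r["DstIPaddress"], "dport": int(r["DstP"]),
                      "proto": int(r["P"]), "pkts": int(r["Pkts"]), "octets": int(r["Octets"])})
    return flows


def five_tuple(x):
    return (x["src"], x["sport"], x["dst"], x["dport"], x["proto"])


def matching_flow(alert, flows, tolerance=timedelta(seconds=2)):
    """The flow with the alert's 5-tuple whose lifetime contains the alert time; the
    tolerance absorbs the clock difference between the sensor and the NetFlow exporter."""
    for f in flows:
        if five_tuple(f) == five_tuple(alert) \
                and f["start"] - tolerance <= alert["time"] <= f["end"] + tolerance:
            return f
    return None


def related_flows(alert, flows, window=timedelta(minutes=5)):
    """All flows between the alerting source and the target near the alert: the fuller
    picture (follow-on connections, volumes, durations) the single IDS packet lacks."""
    return sorted((f for f in flows if f["src"] == alert["src"] and f["dst"] == alert["dst"]
                   and abs(f["start"] - alert["time"]) <= window), key=lambda f: f["start"])


if __name__ == "__main__":
    alert, flows = parse_snort(SNORT_ALERT), parse_flows(FLOW_LOG)
    print(matching_flow(alert, flows))
    for f in related_flows(alert, flows):
        print(f["start"], f["end"], f["sport"], "->", f["dport"], f["pkts"], "pkts", f["octets"], "bytes")
```

A flow record is unidirectional, so the reply direction (target back to source) is a separate record; when both directions are exported, match on the reversed tuple as well to recover the full conversation.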


    NetFlow Losses

    • Sequence numbers show gaps

      % flow-header < ft-v05.2002-04-15.183000-0400
      # mode: normal
      # capture hostname: flow
      # exporter IP address: 130.132.1.100
      # capture start: Mon Apr 15 18:30:00 2002
      # capture end: Mon Apr 15 18:45:00 2002
      # capture period: 900 seconds
      # compress: on
      # byte order: big
      # stream version: 3
      # export version: 5
      # lost flows: 179520
      # corrupt packets: 0
      # sequencer resets: 1
      # capture flows: 206760


    Traffic Monitoring/Capture

    • tcpdump (68 bytes default capture)

    • Ethereal


    Authorization

    • Wiretap

      • Live Capture

      • Protecting systems

    • ECPA

      • Stored communications & records

      • Maintenance and protecting users

    • USA Patriot Act


    libpcap losses

    • High speed links overload sniffers

    • Protocol type 11 (honeynet)

    • Applies to all libpcap based sniffers

      • snort, tcpdump, NetWitness

        # tcpdump -X host 192.168.12.5
        tcpdump: listening on xl0
        .....[data displayed on screen]…
        ^C
        29451 packets received by filter
        4227 packets dropped by kernel


    Switches

    • Isolates traffic

      • Sniffing is more difficult

    • CatOS Switched Port Analyzer (SPAN)

    • Spanning/Mirroring ports

      • Only copies valid Ethernet packets

      • Not all error information duplicated

      • Low priority of span may increase losses

      • http://www.cisco.com/warp/public/473/41.html

    • Hardware taps

      • Copy signals without removing layers

      • May split Tx and Rx (reassembly required)


    NIC Losses

    • Applies to all NICs (firewalls, switches, etc.)

      % netstat -nid

      Kernel Interface table

      Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg

      eth0 1500 0 19877416 0 0 128 7327647 0 0 0 BRU

      % /sbin/ifconfig

      eth0 Link encap:Ethernet HWaddr 00:B0:D0:F3:CB:B5

      inet addr:128.36.232.10 Bcast:128.36.232.255

      Mask:255.255.255.0

      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

      RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0

      TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1

      collisions:442837 txqueuelen:100

      Interrupt:23 Base address:0xec80
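The three loss indicators on the Netflow Losses, libpcap Losses and NIC Losses slides can be read mechanically. The following is an added example, not part of the presentation: it parses the slides' own figures (embedded here as constructed strings) and turns them into the caveats an examiner should attach to network evidence.

```python
import re

# Constructed sample outputs; the figures are the ones shown on the slides.
FLOW_HEADER = """# mode: normal
# capture hostname: flow
# lost flows: 179520
# corrupt packets: 0
# sequencer resets: 1
# capture flows: 206760
"""
TCPDUMP_SUMMARY = """29451 packets received by filter
4227 packets dropped by kernel
"""
NETSTAT_NID = """Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 19877416 0 0 128 7327647 0 0 0 BRU
"""

def flow_tools_loss(header):
    """(lost, captured, lost/(lost+captured)) from a flow-tools header dump."""
    fields = dict(re.findall(r"^# ([^:]+): (.*)$", header, re.M))
    lost, captured = int(fields["lost flows"]), int(fields["capture flows"])
    return lost, captured, lost / (lost + captured)

def tcpdump_loss(summary):
    """(received, dropped) from tcpdump's exit summary; what 'received' counts is OS-specific."""
    received = int(re.search(r"(\d+) packets received by filter", summary).group(1))
    dropped = int(re.search(r"(\d+) packets dropped by kernel", summary).group(1))
    return received, dropped

def nic_counters(netstat_out):
    """Per-interface error, drop and overrun counters from `netstat -nid`."""
    lines = [l for l in netstat_out.splitlines() if l.strip()]
    header = lines[1].split()                      # column names
    counters = {}
    for row in lines[2:]:
        rec = dict(zip(header, row.split()))
        counters[rec["Iface"]] = {k: int(rec[k]) for k in header
                                  if k.endswith(("-ERR", "-DRP", "-OVR"))}
    return counters

def completeness_caveats(header, summary, netstat_out):
    """Plain-language caveats an examiner should attach to network evidence."""
    caveats = []
    lost, captured, frac = flow_tools_loss(header)
    if lost:
        caveats.append(f"NetFlow: {lost} of {lost + captured} flows lost ({frac:.1%}); "
                       "absence of a flow is not evidence of absence")
    received, dropped = tcpdump_loss(summary)
    if dropped:
        caveats.append(f"pcap: kernel dropped {dropped} packets ({received} reached the "
                       "filter); reassembled streams may have gaps")
    for iface, c in nic_counters(netstat_out).items():
        bad = {k: v for k, v in c.items() if v}
        if bad:
            caveats.append(f"{iface}: non-zero {bad}; frames discarded before any sniffer saw them")
    return caveats
```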


    Case Example

    Intellectual Property Theft (rootkit)


    Intellectual Property

    • IDS logs show intrusion

      [**] FTP-site-exec [**]

      09/14-12:27: 208.181.151.231 -> 130.132.x.y

      09/14-12:28: 24.11.120.215 -> 130.132.x.y

      09/14-12:33: 64.28.102.2 -> 130.132.x.y

    • Concern: system contains sensitive data


    IP Theft (assess damage)

    • Initial examination of compromised host showed no signs of compromise

      • no wtmp entries from site exec exploit

      • no syslog entries

      • no odd processes using ps or files using ls

    • System clock was 5 hours fast (Δt = 5hrs)

    • Oddities on system suggested compromise

      • difference between ps & lsof; /tmp/.tmp/


    IP Theft (analysis)

    • Used EnCase to analyze evidence

    • Recovered deleted syslogs (noting Δt)

      Sep 14 17:07:22 host ftpd[617]: FTP session closed

      Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM 231.efinityonline.com [208.181.151.231], 1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11

      Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1
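An added example (not from the presentation) of the Δt correction this slide relies on: the IDS alerts and recovered syslog lines from these slides are parsed, the host's clock error (5 hours fast, from the assess-damage slide) is subtracted from the syslog source only, and both sources are merged into one timeline. The year 2002 is an assumption, since neither log format records it, and the shellcode bytes in the FTP LOGIN line are omitted from the constructed input.

```python
from datetime import datetime, timedelta
import re

# Constructed inputs modelled on the IDS alerts and recovered syslog lines shown on
# the slides (the shellcode bytes in the FTP LOGIN line are omitted here).
IDS_LINES = """09/14-12:27: 208.181.151.231 -> 130.132.x.y
09/14-12:28: 24.11.120.215 -> 130.132.x.y
09/14-12:33: 64.28.102.2 -> 130.132.x.y"""
SYSLOG_LINES = """Sep 14 17:07:22 host ftpd[617]: FTP session closed
Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM 231.efinityonline.com [208.181.151.231], <shellcode omitted>
Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1"""
YEAR = 2002  # assumed: neither log format records the year

IDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d): (.*)$")
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (.*)$")

def parse_ids(text, year=YEAR):
    """Snort-style alerts -> (timestamp, source, message); minute resolution only."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            mo, d, h, mi, rest = m.groups()
            events.append((datetime(year, int(mo), int(d), int(h), int(mi)), "ids", rest))
    return events

def parse_syslog(text, year=YEAR):
    """Classic syslog lines -> (timestamp, source, message)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            mon, d, hms, rest = m.groups()
            ts = datetime.strptime(f"{mon} {d} {year} {hms}", "%b %d %Y %H:%M:%S")
            events.append((ts, "syslog", rest))
    return events

def normalize(events, offsets):
    """Subtract each source's measured clock error (a positive offset means the
    clock was running fast) and sort, so the sources read as one timeline."""
    zero = timedelta(0)
    return sorted((ts - offsets.get(src, zero), src, msg) for ts, src, msg in events)

def build_timeline(host_clock_fast=timedelta(hours=5)):
    """Merged timeline with the compromised host's 5 h clock error removed."""
    events = parse_ids(IDS_LINES) + parse_syslog(SYSLOG_LINES)
    merged = normalize(events, {"syslog": host_clock_fast})
    return [(ts.strftime("%Y-%m-%d %H:%M:%S"), src, msg) for ts, src, msg in merged]

if __name__ == "__main__":
    for ts, src, msg in build_timeline():
        print(ts, src.ljust(6), msg)
```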


    Linux in EnCase


    IP Theft (reconstruction)

    • Confirmed source of initial intrusion

    • Determined that target was high risk

    • Determined motive and intent

      • not aware of sensitive information on host

      • used host for DoS, scanning, and IRC

    • Determined that a sniffer had been used

    • Located other compromised systems

      • notified system owners on outside networks


    Advanced Analysis


    Timestamp Oddities

    • Moved file in Windows

      • Last write time before creation time

    • Corrupt timestamps

      • Windows folder and .lnk

      • MacOS

    • Some logs are in order of the end of the event

      • Process accounting

      • CISCO NetFlow


    Artefacts of File Transfer

    File transferred to external media

    • MS Word Metadata

    • Program’s file menu (registry key LastWrite)

      • MS Word, Powerpoint, Excel, etc.

      • WinZip, WinAmp

      • Explorer (e.g., RecentDocs, RunMRU)

      • Internet Explorer (history, cache, TypedURLs)

    • Shortcut (.lnk) files

      • Recent\Desktop (time ordered CAM)

    • Recycler

    • May be in unallocated space/swap/hibernation


    Recent Lnk to External Disk


    Network Artefacts

    • Downloaded files

    • Interactive connections

      • Telnet Lastmachine (registry)

      • Secure CRT .ini

      • Secure Shell

    • Unix directory listing on Windows PC

    • Web, e-mail, Usenet, IRC, etc.

    • IIS Transactions

      • pagefile.sys

    • Mapped network drives

      • NetHood (profile, MFT, registry, unallocated)


    Internet Accounts

    • HKEY_USERS

      Key Name: SID\Software\Microsoft\Internet Account Manager\Accounts\00000004

      Class Name: <NO CLASS>

      Last Write Time: 7/5/2002 - 4:33 AM


    Downloaded Files

    • Tape Archive (.tar)


    Mapped Network Drive

    • Explorer (\\name\drive)

      • StreamMRU, RunMRU, RecentDocs

    • Scattered

      • User.dmp, swap, unallocated space

      • Grep expression: \\\\[A-Z]+\\[A-Z]+


    Unix Mounted Drives

    • df, mount, samba

    • /etc/fstab:

      /dev/hda1 / ext2 defaults 1 1

      /dev/hda7 /tmp ext2 defaults 1 2

      /dev/hda5 /usr ext2 defaults 1 2

      /dev/hda6 /var ext2 defaults 1 2

      /dev/hda8 swap swap defaults 0 0

      /dev/fd0 /mnt/floppy ext2 user,noauto 0 0

      /dev/hdc /mnt/cdrom iso9660 user,noauto,ro 0 0

      none /dev/pts devpts gid=5,mode=620 0 0

      none /proc proc defaults 0 0

      remote-server:/home/accts /home/accts nfs bg,hard,intr,rsize=8192,wsize=8192

      remote-server:/var/spool/mail /var/spool/mail nfs bg,hard,intr,noac,rsize=8192,wsize=8192


    Remote Logs and Printing

    • /etc/syslog.conf

      *.* @remote-server

    • /etc/printcap:

      lp0|lp:\

      :sd=/var/spool/lpd/lp0:\

      :mx#0:\

      :sh:\

      :rm=remote-server:\

      :rp=lp0:\

      :if=/var/spool/lpd/lp0/filter:
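An added example (not from the presentation) that reads the three files shown on the Unix Mounted Drives and Remote Logs and Printing slides and lists the remote hosts that hold evidence the local disk cannot: NFS servers, the syslog collector and the print server. The inputs are the slides' own entries, embedded as constructed strings; the NETWORK_FS set is an assumption.

```python
# Constructed inputs copied from the slides' /etc/fstab, /etc/syslog.conf and /etc/printcap.
FSTAB = """/dev/hda1 / ext2 defaults 1 1
/dev/fd0 /mnt/floppy ext2 user,noauto 0 0
/dev/hdc /mnt/cdrom iso9660 user,noauto,ro 0 0
remote-server:/home/accts /home/accts nfs bg,hard,intr,rsize=8192,wsize=8192
remote-server:/var/spool/mail /var/spool/mail nfs bg,hard,intr,noac,rsize=8192,wsize=8192
"""
SYSLOG_CONF = "*.* @remote-server\n"
PRINTCAP = """lp0|lp:\\
:sd=/var/spool/lpd/lp0:\\
:mx#0:\\
:sh:\\
:rm=remote-server:\\
:rp=lp0:\\
:if=/var/spool/lpd/lp0/filter:
"""
NETWORK_FS = {"nfs", "nfs4", "cifs", "smbfs"}   # assumed list of network filesystem types

def fstab_entries(text):
    """(device, mountpoint, fstype) for every non-comment fstab line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2]

def fstab_remote(text):
    """Network mounts as (host, export, mountpoint); files there never touched the local disk."""
    return [(dev.partition(":")[0], dev.partition(":")[2], mnt)
            for dev, mnt, fstype in fstab_entries(text) if fstype in NETWORK_FS]

def syslog_remote(text):
    """(selector, host) for every syslog.conf line that forwards to '@host'."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].startswith("@"):
            out.append((parts[0], parts[1].lstrip("@")))
    return out

def printcap_remote(text):
    """(printer, remote host, remote queue) for printcap entries that set rm=."""
    out = []
    for entry in text.replace("\\\n", "").splitlines():   # join backslash continuations
        caps = [c.strip() for c in entry.split(":")]
        fields = dict(c.split("=", 1) for c in caps if "=" in c)
        if "rm" in fields:
            out.append((caps[0].split("|")[0], fields["rm"], fields.get("rp")))
    return out

def collection_targets(fstab=FSTAB, syslog_conf=SYSLOG_CONF, printcap=PRINTCAP):
    """Every remote host the three files point at: each holds evidence the local disk lacks."""
    hosts = {h for h, _, _ in fstab_remote(fstab)}
    hosts |= {h for _, h in syslog_remote(syslog_conf)}
    hosts |= {h for _, h, _ in printcap_remote(printcap)}
    return sorted(hosts)
```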


    Network Artefacts (Telnet)

    • Telnet registry


    File Transfer Protocol

    • On PC: file name, time, remote directory

    • On server: file name, size, time, account, IP

    • Linux ncftp (.ncftp/trace; .ncftp/history)

    xferlog: Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/user/image.jpg a _ o r user

    WS_FTP: 98.11.12 19:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg

    SESSION STARTED at: Sun Oct 21 01:05:44 2001

    Program Version: NcFTP 3.0.0/220 February 19 1999, 05:20 PM

    <cut for brevity>

    01:05:44 Connecting to 129.132.7.170...

    01:05:52 > get openssl-0.9.6.tar.gz

    SESSION ENDED at: Sun Oct 21 01:06:50 2001


    Network Artefacts (Unix ls)

    Grep search

    • [d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-] (space)
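An added example (not from the presentation) that runs the two grep expressions from the Mapped Network Drive and Unix ls slides over a raw byte buffer, the way one would over unallocated space or pagefile.sys. The patterns are widened slightly to accept digits, dots and lowercase, and the UNC search is also done in UTF-16LE, the encoding Windows uses for most registry and memory strings; the sample buffer is constructed.

```python
import re

# Patterns from the slides, widened a little: the slides' UNC grep is \\\\[A-Z]+\\[A-Z]+
# and the ls grep is [d\-][rwx\-]{9} followed by a space; here digits, dots, '$' shares,
# symlinks and setuid/sticky bits are also accepted.
UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+")
# Windows keeps most registry, pagefile and MFT strings as UTF-16LE, so an ASCII-only
# grep misses them; this is the same pattern with a NUL after every character.
UNC_UTF16 = re.compile(rb"\\\x00\\\x00(?:[A-Za-z0-9_.-]\x00)+\\\x00(?:[A-Za-z0-9_$.-]\x00)+")
LS_ASCII = re.compile(rb"[-dl][rwxsStT-]{9} ")

def carve(buf, context=80):
    """Return (kind, encoding, offset, text) hits found in a raw byte buffer."""
    hits = []
    for m in UNC_ASCII.finditer(buf):
        hits.append(("unc", "ascii", m.start(), m.group().decode("ascii")))
    for m in UNC_UTF16.finditer(buf):
        hits.append(("unc", "utf-16le", m.start(), m.group().decode("utf-16-le")))
    for m in LS_ASCII.finditer(buf):
        # keep the rest of the listing line (owner, size, date, name) up to a newline
        end = buf.find(b"\n", m.start())
        end = m.start() + context if end == -1 else min(end, m.start() + context)
        hits.append(("ls", "ascii", m.start(), buf[m.start():end].decode("ascii", "replace")))
    return sorted(hits, key=lambda h: h[2])

# Constructed stand-in for a chunk of unallocated space or pagefile.sys: binary noise with
# an ASCII UNC path, a UTF-16LE UNC path and two lines of a Unix directory listing inside.
SAMPLE = (
    b"\x00\x17\x9a junk \xff\xfe"
    + b"\\\\competitorpc\\upload" + b"\x00\x00"
    + "\\\\srv1\\share".encode("utf-16-le") + b"\x00\x00\xde\xad"
    + b"-rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX\n"
    + b"drwxr-xr-x 2 user11 staff 512 Sep 16 09:05 .ssh\n"
    + b"xx rwxr-xr-x not a listing\n"
)

if __name__ == "__main__":
    for kind, enc, off, text in carve(SAMPLE):
        print(f"{off:6d} {kind:3s} {enc:8s} {text}")
```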


    More Unix/Mac Artefacts

    • SSH

      • authorized_keys (incoming)

      • known_hosts (outgoing)

    • .xauth/refcount/xfs/hostname

    • Unix xterm buffers show sessions

    • Transactions of various servers

    • Windows remnants on Unix

      • Directory files e.g., C:\winnt\system32\*.exe


    Case Example

    Intellectual Property Theft (Insider)


    Initial Complaint

    • Employee stole information prior to leaving

      • Terminated on Sept 16, 2002

    • Unknown documents from workstation

    • clients.mdb

      • Client contact database

      • Stored on W2K workstation

    • projectX

      • Secret project details

      • Stored on Unix file server

    • What do you look for?


    W2K Workstation

    • Security (card swipe) records

      • Suspect entered building at 08:45am

    • Logon/Logoff record

      C:\>ntlast /ad 16/9/2002 /v

      Record Number: 18298

      ComputerName: WKSTN11

      EventID: 528 - Successful Logon

      Logon: Tue Sep 16 08:50:58am 2002

      Logoff: Tue Sep 16 09:10:00am 2002

      Details -

      ClientName: user11

      ClientID: (0x0,0xDCF9)

      ClientMachine: WKSTN11

      ClientDomain: CORPX

      LogonType: Interactive

    • How to collect this information as evidence?


    W2K Workstation

    • Transfer of clients.mdb

      • Accessed 09/16/2002 08:58:30 EST

    • HKEY_USERS

      • \Windows\CurrentVersion\Explorer\RecentDocs

    • Suspect’s environment temp\clients.xls

      • Created at 08:59:14

      • Last modified at 08:58:49

    • Suspect’s e-mail outbox

      • Shows clients.xls sent to Hotmail

    • What information would you seek on network?


    W2K Workstation

    • Other file accessed at same time

      • private.doc

    • Registry OpenSaveMRU entry

    • Recent .lnk written and accessed

      • Recent A: .lnk written and accessed

    • What would you expect to find on associated floppy diskette?


    Unix File Server

    • SSH Client Access

      • Accessed:

        • \user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk

        • Files in \user11\Application Data\SSH\

        • \user11\Application Data\SSH\ HostKeys\key_22_srv1

    • How to collect evidence?

      % last user11

      user11 pts/77 wkstn11.corpx.com Sep 16 09:05 - 09:06 (00:01)

      % ls -altu

      -rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX

    • ProjectX file found in c:\temp on wkstn11

      • What timestamps changed in transfer?


    W2K Workstation

    • Deleted projectX file found in c:\temp

      • Created: 09:05am

      • Accessed: 09:07am

      • Modified: 09/12/2002 10:07:07am

    • Explorer\RecentDocs\NetHood

      • \\competitorpc\upload

      • LastWrite 09/13/2002 11:04AM

    • Explain time discrepancy


    Errors & Uncertainty

    Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case…

    Gross, H., Criminal Investigation: (Sweet & Maxwell, Ltd. 1924)


    Errors and Uncertainty

    • Offender/victim covering behavior

    • Preconceived theories

    • Accepting others’ assumptions

    • Technological limitations

    • Mistakes and misinterpretation

    • Evidence dynamics

      • Handbook - Chapter 1

    • Uncertainty and loss

      • Casey, E: “Error, Uncertainty and Loss in Digital Evidence”, International Journal of Digital Evidence, Volume 1, Issue 2, 2002 (www.ijde.org)


    Evidence Eliminator

    Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM

    OS Detected: Win95 [Win95 4.0.1111.1024]

    Eliminating Folder: C:\WINDOWS\applog\

    No folder found: C:\WINDOWS\applog\

    Eliminating IE Typed URL History...

    Data Found: String data: [url1-C:\My Documents\]

    Eliminating IE Typed AutoComplete data...

    Eliminating IE Download Folder record...

    Eliminating IE Error Logs...

    Eliminating File: C:\WINDOWS\IE4 Error Log.txt

    No file found: C:\WINDOWS\IE4 Error Log.txt

    Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\

    Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\ including root folder...


    Lily Pad Examples

    • SubSeven with IRC

      • File sharing

      • Denial of service

    • Unix intrusion

      • Bypass firewall

      • Attack from within


    Remote Storage

    • Compromised host

    • Shell/Web account

    • Online services

      • www.freedrive.com

      • www.filesanywhere.com

    • Mounted network shares

      • Sniffers that log to remote shares

      • Home directory on remote server


    Intruder Concealment

    • Deleted binary

      • Copy in /proc/pid/file

      • icat /dev/hda inode > recovered

    • Log deletion or wiping

      • wzap clears wtmp entries

    • Altering file attributes

    • Hidden files/Alternate Data Streams

      • hfind.exe

      • Device files in Recycle Bin

    • Rootkits/Loadable Kernel Modules (Knark)

    • Encryption


    Altering File Attributes

    • Attrib

    • Alter MAC times

    • touch in Unix

      • ls -altc

    • Microsoft SetFileTime() API

    • Hide from search tools

      • dir /t[:a]

      • afind.exe (FoundStone)


    Alternate Data Streams

    • c:\temp> lads

      LADS - Freeware version 3.01

      (C) Copyright 1998-2002 Frank Heyne Software (http://www.heysoft.de)

      Scanning directory C:\temp\

      size ADS in file

      ---------- ---------------------------------

      17 C:\temp\myfile.txt:hidden

      17 C:\temp\myfile.txt:onetwothree

      17 C:\temp\myfile.txt:test

      51 bytes found in 3 alternate data streams


    Maresware: copy_ads

    C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads

    Program started Wed Sep 25 13:58:09 2002 GMT, 09:58 EST (-5*)

    FILES: DIRECTORY

    C:\hidden\makeads:hidden2.txt 32 09/25/2002 09:43w EST

    C:\hidden\makeads:hidden2.txt

    ==> d:\evidence\ads\makeads\makeads[hidden2.txt]

    C:\hidden\makeads\regularfile.txt 25 09/25/2002 09:19:19w EST

    C:\research\makeads\regularfile.txt

    ==> d:\evidence\ads\makeads\regularfile.txt

    C:\research\makeads\regularfile.txt:hidden1.txt 17 09/25/2002 09:19:19w EST

    C:\research\makeads\regularfile.txt:hidden1.txt

    ==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]

    Processed 16 directories, 118 files, totaling 7,703,785 bytes:

    Found 1 directories with 1 alternate data streams.

    Found 1 files with 1 alternate data streams.

    Total 2 data streams byte count = 49 bytes


    Rootkits

    • Creates backdoors

    • Replace system components to hide:

      • files

      • processes

      • promiscuous mode

      • network connections

    • Often includes tools

      • Sniffers

      • Log wiping utilities

      • Patches
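An added example (not from the presentation) of the ps-versus-/proc comparison behind the "difference between ps & lsof" observation on the IP Theft slide and the hidden-process bullet here, together with recovery of the "deleted binary" case from the Intruder Concealment slide (the slide's /proc/pid/file is the BSD name; Linux exposes the same link as /proc/PID/exe). It catches rootkits that replace ps or its libraries; a kernel module such as Knark that filters /proc itself will defeat it, so a clean result on a live host is not conclusive.

```python
import os
import subprocess

def proc_pids():
    """PIDs visible by reading /proc directly, without going through ps."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def parse_ps_pids(ps_output):
    """PIDs from `ps -eo pid=` output (pure function so it can be tested offline)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    return parse_ps_pids(out.stdout)

def hidden_pids(before, ps, after):
    """PIDs present in /proc both before and after the ps run but absent from ps.
    Sampling /proc twice filters out processes that merely started or exited
    while ps was running; what remains is hidden from ps (or its libraries)."""
    return sorted((before & after) - ps)

def deleted_executables(pids):
    """PIDs whose executable has been unlinked: /proc/PID/exe then ends in ' (deleted)'.
    The running image is still readable through that link and can be copied out."""
    found = {}
    for pid in pids:
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:            # kernel thread, already exited, or not ours to inspect
            continue
        if target.endswith(" (deleted)"):
            found[pid] = target
    return found

def audit():
    """Live check on a Linux host: hidden PIDs plus processes running deleted binaries."""
    before = proc_pids()
    ps = ps_pids()
    after = proc_pids()
    return {"hidden": hidden_pids(before, ps, after), "deleted": deleted_executables(after)}

if __name__ == "__main__":
    print(audit())
```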

