Whodunit? - PowerPoint PPT Presentation

Presentation Transcript

  1. Whodunit? Beginning the cyber investigation

  2. Addresses • MAC address • Network card (NIC, network interface card) • Identifies a physical device: the card itself • This is how a frame is delivered on a local network • Network (IP) address • Logical address • Associated with a MAC address on the local segment (via ARP) • Identifies a LOGICAL device

  3. MAC address • 48 bits, written as six octets (six pairs of hexadecimal digits) • 00-3E-42-A6-51-0E • “burned in” by the manufacturer • In reality it can be overridden in software on most hardware, so on its own it is not a reliable identifier of the machine

  4. IP address • “Dotted decimal” or “dotted quad” • 32 bits (4 octets) • Each octet has a value from 0 thru 255 • 192.168.0.1 • Each IP address has a • Prefix • Identifies a network • Suffix • Identifies a host (device) on that network

  5. IP addresses • IP “prefixes” (public network numbers) must be unique on a global basis • Suffixes only need to be unique within their own network

  6. IP delivery • The IP address is used to deliver a message • The sender compares the destination with its own address using the subnet mask to decide: • Local network • A lookup (ARP) is performed for the MAC address matching the destination IP • Remote network • Packet is sent to the ‘gateway’ / router • Each router decides the next hop toward the destination network (determined by the prefix) • Arrival at remote network • The last router performs the lookup for the MAC address matching the destination IP

  7. IP addresses (classful) • The prefix identifies a class A, B or C range, determined by the first octet • A (first octet 0–127) uses the last 3 octets to identify a host • B (128–191) uses the last 2 octets • C (192–223) uses the last octet • If the host part is all binary 0s • Means the entire network • 192.168.1.0 (means the entire 192.168.1 network) • If the host part is all binary 1s (255 in the last octet of a class C) • Broadcast address for that network • 192.168.1.255 sends to everyone on the 192.168.1 net

  8. CIDR Classless Inter-Domain Routing

  9. Rationale • Every class “C” network needed its own entry in backbone routing tables • Too many unique entries • Affects the performance of the router • Develop a different “network identifier” • Allocate an arbitrary number of bits to identify the network, written as a prefix length after the address • A class C uses 24 bits for the network and the remaining 8 bits for the host on the network, i.e. a /24

  10. Routing • The network mask is what determines the network identifier in the IP address • Routing can be done using contiguous blocks of class C addresses represented by a single entry in the routing table • Improves scalability of the routing system

  11. Supernet • Arbitrary sized network • Create a network from a contiguous block of “C” addresses • Criteria • Consecutive address ranges • 192.168.6.0 • 192.168.7.0 • Third octet of the first address range must be divisible by 2 • 192.168.6.0 • New network 192.168.6.0/23 has 512 addresses (510 usable hosts once the network and broadcast addresses are excluded) • New netmask is 255.255.254.0 • 9 bits available for the host address

  12. Supernet • Combination of more than two class C networks • Done in powers of 2 • Third octet must be divisible by the number of networks you’re combining • 192.168.16.0 • 192.168.17.0 • …… • 192.168.23.0 • 8 networks combined • Netmask 255.255.248.0 • 21 bits identify the network, leaving 11 bits for the host (2048 addresses) • 192.168.19.45/21 • IP address; the first 21 bits identify the network, 192.168.16.0
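The arithmetic behind slides 6, 7, 11 and 12, as an added example that is not part of the original presentation: network and broadcast addresses from a prefix length, the classful prefix a first octet implies, and the alignment rule for aggregating consecutive /24s into a supernet. The addresses are the slides' own; the function names are this example's, and the hand-rolled bit arithmetic is cross-checked against Python's standard `ipaddress` module.

```python
"""Classful and CIDR arithmetic for IPv4 addresses (added example)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Parse dotted-quad notation into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix_len: int) -> int:
    """/n -> 32-bit mask with the top n bits set (/24 -> 255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def prefix_from_mask(mask: str) -> int:
    """255.255.248.0 -> 21. Rejects masks whose one-bits are not contiguous."""
    value = ip_to_int(mask)
    ones = bin(value).count("1")
    if value != mask_from_prefix(ones):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def classful_prefix_len(address: str) -> int:
    """Prefix length the old class A/B/C rules assign, from the first octet."""
    first = ip_to_int(address) >> 24
    if first < 128:
        return 8       # class A: last three octets are the host
    if first < 192:
        return 16      # class B: last two octets
    if first < 224:
        return 24      # class C: last octet
    raise ValueError("class D/E addresses have no network/host split")


def network_and_broadcast(address: str, prefix_len: int) -> tuple[str, str]:
    """Host bits all zero = the network itself; all ones = its broadcast."""
    mask = mask_from_prefix(prefix_len)
    network = ip_to_int(address) & mask
    broadcast = network | (~mask & ALL_ONES)
    return int_to_ip(network), int_to_ip(broadcast)


def usable_hosts(prefix_len: int) -> int:
    """Addresses in the block minus the network and broadcast addresses."""
    return 2 ** (32 - prefix_len) - 2


def supernet(first_network: str, count: int) -> str:
    """Aggregate `count` consecutive /24s starting at first_network into one block.

    count must be a power of two and the block must be aligned: the third octet
    of the first network must be divisible by count, so that every member shares
    all bits above the new prefix length.
    """
    if count < 1 or count & (count - 1):
        raise ValueError("can only combine a power-of-two number of networks")
    base = ip_to_int(first_network)
    if base & 0xFF:
        raise ValueError(f"{first_network} is not on a /24 boundary")
    prefix_len = 24 - (count.bit_length() - 1)   # 2 -> /23, 8 -> /21
    host_bits = ~mask_from_prefix(prefix_len) & ALL_ONES
    if base & host_bits:
        raise ValueError(
            f"{first_network} is misaligned: third octet must be divisible by {count}"
        )
    return f"{first_network}/{prefix_len}"


if __name__ == "__main__":
    for addr in ("192.168.1.77", "10.3.4.5", "172.16.9.9"):
        n = classful_prefix_len(addr)
        print(addr, f"classful /{n}", network_and_broadcast(addr, n))
    print(supernet("192.168.6.0", 2), "usable hosts:", usable_hosts(23))
    print(supernet("192.168.16.0", 8), "mask:", int_to_ip(mask_from_prefix(21)))
    # The standard library agrees with the hand-rolled arithmetic:
    print(ipaddress.ip_network("192.168.19.45/21", strict=False))
```

`supernet("192.168.7.0", 2)` is rejected: 7 is odd, so 192.168.7.0 and 192.168.8.0 differ in bit 23 and cannot share a /23 prefix, which is the slide's "divisible by 2" rule stated in bits.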

  13. Ports • TCP and UDP • Ports identify the ‘process’ (service) a segment is for • Numbered 0 to 65535 (0 is reserved; 1–1023 are the “well known ports”) • Associated with services by convention only: any process can listen on any port, so the port number is a hint, not proof of what is running • 80 HTTP • 20,21 FTP • 443 HTTPS • 110 POP3 • 23 TELNET • 25 SMTP

  14. Private Network

  15. Cable Modem

  16. Private Network thru Cable Modem

  17. Tools • Connection properties • arp • ping • ipconfig • pathping • nslookup • Enable/Disable/Repair

  18. TCP/IP properties • Control Panel • Network connections • Locate the connection (typically Local Area Network) • Right click • Find the ‘properties’ tab • Client for Microsoft networks • File/printer sharing • Internet Protocol (TCP/IP)

  19. Properties of TCP/IP • DHCP • Look for my IP address using a DHCP server, which assigns it to me • Should also retrieve the settings for • Gateway (way out of the network) • DNS (lookup service from host name to IP) • Network (subnet) mask • Alternative • Specify the IP yourself • Make sure it’s not already assigned • Specify your own netmask, DNS, gateway

  20. Properties of TCP/IP • Need to talk between local devices • No need for a gateway in general • Unless you’re looking up host names, no need for DNS • Network mask must be consistent with the IP address pattern on that network segment • A mask that is too narrow will cause packets for local hosts to be sent to the router (gateway) • The host thinks the address is not local • A mask that is too wide makes the host believe a foreign address is on its local network • The packet is never handed to the router; the host ARPs for a MAC address that never answers
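The local-versus-remote decision from slides 6 and 20, as an added example that is not part of the original presentation: given a host's address and netmask, it reports whether a packet is delivered directly (the host ARPs for the destination) or handed to the gateway, and compares the decision under a misconfigured mask with the decision under the segment's true mask. The addresses are constructed for illustration; the function names are this example's. It uses Python's standard `ipaddress` module.

```python
"""Where does a packet go? The netmask-driven forwarding decision (added example)."""
import ipaddress


def next_hop(local_ip: str, netmask: str, destination: str, gateway: str) -> tuple[str, str]:
    """Return ("direct", destination) if the host will ARP for the destination
    itself, or ("gateway", gateway) if it hands the packet to the router.
    A gateway that is not on the local segment can never be ARPed for, so that
    misconfiguration is reported as ("unreachable", gateway)."""
    segment = ipaddress.ip_interface(f"{local_ip}/{netmask}").network
    if ipaddress.ip_address(destination) in segment:
        return "direct", destination
    if ipaddress.ip_address(gateway) not in segment:
        return "unreachable", gateway
    return "gateway", gateway


def diagnose_mask(local_ip: str, configured_mask: str, true_mask: str,
                  destination: str, gateway: str) -> str:
    """Compare the decision under the mask actually configured with the decision
    under the segment's true mask and name the failure mode, if any."""
    actual = next_hop(local_ip, configured_mask, destination, gateway)
    expected = next_hop(local_ip, true_mask, destination, gateway)
    if actual == expected:
        return "ok"
    if actual[0] == "direct":
        return (f"mask too wide: {destination} treated as local, host ARPs for it "
                "and never sends the packet to the router")
    if expected[0] == "direct":
        return (f"mask too narrow: local host {destination} treated as remote, "
                f"packet is sent to {gateway} instead of delivered directly")
    return f"gateway {gateway} is not on the local segment under the configured mask"


if __name__ == "__main__":
    host, gw, true_mask = "192.168.1.10", "192.168.1.1", "255.255.255.0"
    # Constructed cases: the correct mask, one too wide (/16), one too narrow (/25).
    for mask in ("255.255.255.0", "255.255.0.0", "255.255.255.128"):
        for dst in ("192.168.1.200", "192.168.2.5"):
            print(mask, dst, next_hop(host, mask, dst, gw),
                  diagnose_mask(host, mask, true_mask, dst, gw))
```

When a host with the too-wide mask "cannot reach" 192.168.2.5, the symptom on the wire is an unanswered ARP request for 192.168.2.5 on the local segment and no traffic to the router at all, which is the quickest way to tell this misconfiguration apart from a routing problem.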

  21. Toolbox Applying your knowledge

  22. Tools • ipconfig / ifconfig • ping • pathping • tracert / traceroute • arp • netstat • nslookup • dig • whois • host

  23. So many tools… • So little time… • Live response (system still running) or autopsy (post-mortem of an image) • Volatile information first • Every command you run disturbs the system, so plan the order before you touch it • Durable / non-volatile information last

  24. Windows Volatile Information Going, Going……

  25. Volatile • Information residing in memory • Temporary nature • Gone on shutdown • Time sensitive • Gone before shutdown • What do you go for first??? • Minimize the footprint you leave as you collect the data

  26. Order of Volatility (as in RFC 3227) • Registers and cache • Routing table, ARP cache, process table, kernel statistics, memory, connections • Temp file systems • Hard disk / non-volatile storage systems • Remote / offsite logging and monitoring data • Physical configuration and network topology • Archival media

  27. Types of Volatile Information • System time • Users on system • Processes running • Connections • Status of the network • Clipboard • Command history • Services and drivers

  28. Common Errors • No documentation of the baseline system • Failing to document your collection process • Shutting down or rebooting the machine • Closing open terminals or shells (their command history goes with them) • Relying on the suspect machine’s own binaries, which may have been replaced

  29. Methodology • Preparation • Document the Incident • Policy Verification • Volatile Data Collection Strategy • Volatile Collection Setup • Volatile Collection Process

  30. Preparation • Toolkit • Guidelines • Policies

  31. Documentation • Profile • How detected • Scenario • Time of occurrence • Who/what reported • Hardware and software involved • Contacts for involved personnel • How critical is the suspicious system • Collection Logbook • Who is collecting • History of tools used and executed commands • Generated output and reports • Timestamp of executed commands • Expected system changes as you execute commands • Forensics toolkit logbook • Usage, output and effects

  32. Policy Verification • Examine policies for violations of rights by your actions • User signed policies • Consent • Establish your legal boundaries

  33. Volatile Data Collection Strategy • Types of data to collect • Tools to do the job • Where is output saved? • Administrative vs. user access • Media access (USB, floppy, CD) • Machine connected to network

  34. Volatile Collection Setup • Trusted command shell (binaries run from your own media, not the suspect system’s) • Establish transmission and storage method • Ensure integrity of forensic toolkit output • Hash every output file: the slide uses MD5; record SHA-256 as well, since MD5 is no longer collision resistant

  35. Volatile Collection Process • Collect uptime, time, date, command history • Generate time/date to establish audit trail • Begin command history to document your collection • Collect all volatile information system and network information • End collection with date/time and command history
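The collection process of slides 26 and 31 to 35 as a script, an added example that is not part of the original presentation: it runs a constructed command list in order of volatility and keeps the logbook the slides ask for (who, what command, start and finish timestamps, exit code, hash of each output). The command list names the Windows tools the slides mention and assumes the Sysinternals utilities are on the PATH of a trusted toolkit; the `runner` argument, the function names and the `collector` label are this example's own, and a fake runner lets the logbook logic be exercised on any platform without touching a live host.

```python
"""Volatile-data collection with an audit trail, in order of volatility (added example)."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Most volatile first. Each step is a label and an argv. Constructed for this
# example from the tools on the slides; adjust to the toolkit actually carried.
COLLECTION_PLAN = [
    ("system time",       ["cmd", "/c", "date /t & time /t"]),
    ("logged-on users",   ["psloggedon"]),
    ("process tree",      ["pslist", "-t"]),
    ("connections/ports", ["netstat", "-ano"]),
    ("routing table",     ["route", "print"]),
    ("arp cache",         ["arp", "-a"]),
    ("interface config",  ["ipconfig", "/all"]),
    ("running services",  ["tasklist", "/svc"]),
]


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def run_with_subprocess(argv: list[str]) -> tuple[int, bytes]:
    """Default runner: execute on the live host. A missing tool or a hang is a
    recorded failure, not an abort, so the rest of the order is still collected."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        return proc.returncode, proc.stdout + proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return -1, f"collection failed: {exc}".encode()


def digests(data: bytes) -> dict[str, str]:
    """MD5 as on the slides, plus SHA-256, which is what to rely on today."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def collect(plan, runner, collector: str) -> list[dict]:
    """Run each step in order and return logbook entries recording who ran
    what, when it started and finished, the exit code and the hashes of the
    captured output, so the collection can be reproduced and verified."""
    entries = []
    for step, argv in plan:
        started = utc_now()
        rc, output = runner(argv)
        entries.append({
            "step": step,
            "collector": collector,
            "command": " ".join(argv),
            "started": started,
            "finished": utc_now(),
            "exit_code": rc,
            "size": len(output),
            **digests(output),
            "output": output,
        })
    return entries


def verify(entry: dict) -> bool:
    """Re-hash the stored output and compare with the digest in the logbook."""
    return digests(entry["output"])["sha256"] == entry["sha256"]


def logbook_json(entries: list[dict]) -> str:
    """Serialisable logbook: raw output is stored separately, the log keeps hashes."""
    return json.dumps([{k: v for k, v in e.items() if k != "output"} for e in entries],
                      indent=2)


if __name__ == "__main__":
    log = collect(COLLECTION_PLAN, run_with_subprocess, collector="analyst")
    print(logbook_json(log))
```

Each step gets its own start and finish timestamp because the slides' audit trail is only useful if a reviewer can later line up the collection against the host's own timeline; a single timestamp for the whole run cannot show which command caused which change.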

  36. System Time

  37. Systeminfo.exe • XP and 2003

  38. Uptime • Uptime from www.dwam.net/docs/aintx • Psinfo from Sysinternals

  39. Users • Psloggedon (Sysinternals) • Netusers.exe (somarsoft) • Two switches • /l local logged on • /h history • Net session • Users • Name / IP of client • Client type

  40. Processes • Identify • Executable • Command line used • How long was it running? • Security context • Modules or dll it’s accessing • Memory used

  41. Pslist • Sysinternals

  42. Task Manager

  43. Pslist -t

  44. ListDLLs • Sysinternals

  45. handle • Sysinternals

  46. Tasklist

  47. PS • Aintx

  48. Cmdline • DiamondCS • www.diamondcs.com.au

  49. Process Memory • Current state of processes • Passwords • Server addresses • Remote connections

  50. pmdump • www.NTSecurity.nu