Forensic Computer Analysis
ISMT350

Overview
  • Why do we care?
  • Forensic Science Overview
  • Process and Tools
  • Evidence on Networks
  • Advanced Analysis
  • Errors & Uncertainty
Why do we Care?
  • Determine what happened
  • Determine extent of damage
  • Inform other universities of problems
  • Prevention & preparation for future
  • Mitigate risk & liability
  • If necessary, apprehend & prosecute


Improper Evidence Handling: Why we need to avoid it
  • Open to unfair dismissal claims
  • Vulnerable to false accusations
    • Researcher accused of hacking
  • Privacy violation leads to counter suit
  • Information leakage leads to larger problem
  • Unresolved incidents create problems
    • Larger problem goes unrecognized
  • Develop poor evidence handling skills
Forensic Science Overview
  • Science applied to the discovery of truth
  • Locard’s exchange principle
      • Whenever two objects come into contact, each transfers material to the other; this exchange produces the trace evidence of interest, from fingerprints to mud. On a computer the same principle holds: an intruder's actions leave traces in logs, file system metadata and memory, and so do the examiner's.
  • Authorization
  • Locate / identify evidence
  • Collection, documentation & preservation
    • everything that you will need in two years, when the matter reaches court
  • Crime reconstruction (forensic analysis)
    • when, where, how, what, who, why
    • reproducible & free from bias/distortion
  • Report / present
Continuity of Offense (COO)
  • Seek sources, conduits, and targets
    • Connect the dots
  • Corroborating evidence
    • Multiple independent sources

[Diagram: sources, conduits and targets connected through the victim’s mail, access logs and authentication logs]
Pornography: Transmission (Pivotal Case Study)
  • The theory behind child pornography laws in the U.S. has traditionally been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes to the children used to create it.
  • U.S. v. Hilton invalidated part of the Child Pornography Prevention Act of 1996, 18 U.S.C. § 2252A.
  • Hilton claimed to have been collecting child pornography for research purposes:
    • Met with an FBI agent and U.S. Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet.
    • Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised.
    • Police uncovered evidence that “made us question his motivation."
    • A case of police prosecuting people trying to help cure the Child Pornography problem?
Pornography: Transmission

How to investigate a “US v. Hilton”

  • Modem logs
    • Shows PC was connected to Internet
  • Dial-up server logs
    • Confirms connection and account used
  • MAC times and Registry (LastWrite)
    • File modification, creation, and access times
  • FTP logs
    • On PC: file name, time, remote directory
    • On server: file name, size, time, account, IP
Relational Reconstruction
  • Improve understanding of events
  • Locate additional sources of evidence
  • Example: Accounting server break-in
Log File Correlation
  • Sort each source independently, then combine
    • Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs

05-15-2000 16:32:53.93 - Initializing modem.

05-15-2000 16:32:53.93 - Send: AT

05-15-2000 16:32:53.93 - Recv: AT

05-15-2000 16:32:54.05 - Recv: OK

05-15-2000 16:32:54.05 - Interpreted response: Ok

05-15-2000 16:32:54.05 - Send: AT&FE0V1&C1&D2 S0=0 W1

05-15-2000 16:32:54.07 - Recv: AT&FE0V1&C1&D2 S0=0 W1

05-15-2000 16:32:54.19 - Recv: OK

05-15-2000 16:32:54.19 - Interpreted response: Ok

05-15-2000 16:32:54.20 - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3

05-15-2000 16:32:54.22 - Recv: OK

05-15-2000 16:32:54.22 - Interpreted response: Ok

05-15-2000 16:32:54.26 - Dialing.

05-15-2000 16:32:54.26 - Send: ATDT##########

  • Histogram of events over time
    • High number of events at key times
  • Histogram of time periods may show unusual gaps
    • MAC times
    • System log entries
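Added example (not from the slides): the correlation described above in working form. Three constructed log fragments in the formats the slide names (a Windows modem log, an Event Viewer CSV export, and ISP RADIUS accounting stamped in UTC) are parsed, the PC's clock is corrected by an assumed skew of 7 minutes fast, the events are merged into one timeline, and a per-bucket histogram and a quiet-gap check are produced. The sample records, the skew value and the source names are constructed for the example.

```python
"""Unified timeline from several log sources with per-clock skew correction,
then a histogram and quiet-gap check over the merged events."""
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "when source text")

# Constructed sample records in the formats the slide names (not the page's own data).
MODEM_LOG = """05-15-2000 16:32:53.93 - Initializing modem.
05-15-2000 16:32:54.26 - Dialing.
05-15-2000 16:33:21.40 - Connection established at 48000 bps."""

# Windows Event Viewer CSV export: date,time,type,category,event id,source,user,computer,description
EVENT_LOG = """05/15/2000,4:33:02 PM,8,2,528,Security,user1,PC01,Successful Logon
05/15/2000,4:41:15 PM,8,2,538,Security,user1,PC01,User Logoff"""

# ISP RADIUS accounting, stamped in UTC by the NAS; used here as the reference clock
ISP_LOG = """2000-05-15T16:26:33Z START user1 nas01
2000-05-15T16:34:20Z STOP user1 nas01"""

# Skew to ADD to each clock to bring it onto the reference clock. The PC clock is
# assumed (for this example) to have been 7 minutes fast when checked against the ISP.
SKEW = {"pc-modem": timedelta(minutes=-7), "pc-eventlog": timedelta(minutes=-7)}


def parse_modem(text):
    for line in text.splitlines():
        stamp, _, msg = line.partition(" - ")
        yield Event(datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f"), "pc-modem", msg)


def parse_eventlog(text):
    for line in text.splitlines():
        f = line.split(",")
        when = datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %I:%M:%S %p")
        yield Event(when, "pc-eventlog", f"{f[4]} {f[8]}")


def parse_isp(text):
    for line in text.splitlines():
        stamp, msg = line.split(" ", 1)
        yield Event(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), "isp-radius", msg)


def build_timeline(sources, skew):
    """Apply each source's clock correction, then merge and sort on the corrected time."""
    events = []
    for src in sources:
        events.extend(ev._replace(when=ev.when + skew.get(ev.source, timedelta(0))) for ev in src)
    events.sort(key=lambda e: (e.when, e.source))
    return events


def histogram(events, bucket_minutes=5):
    """Event count per time bucket: spikes mark the key moments to examine first."""
    counts = Counter()
    for ev in events:
        b = ev.when.replace(second=0, microsecond=0)
        b -= timedelta(minutes=b.minute % bucket_minutes)
        counts[b] += 1
    return dict(sorted(counts.items()))


def gaps(events, threshold=timedelta(minutes=5)):
    """Quiet periods longer than threshold between consecutive events (wiped logs, clock jumps, downtime)."""
    return [(a.when, b.when) for a, b in zip(events, events[1:]) if b.when - a.when > threshold]


if __name__ == "__main__":
    timeline = build_timeline([parse_modem(MODEM_LOG), parse_eventlog(EVENT_LOG), parse_isp(ISP_LOG)], SKEW)
    for ev in timeline:
        print(f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.source:<12} {ev.text}")
    for bucket, n in histogram(timeline).items():
        print(f"{bucket:%H:%M} {'#' * n}")
    print("gaps:", gaps(timeline))
```

With the skew applied the modem's "Dialing" lands before the ISP's START record and the interactive logon between them, which is the consistency check the slide asks for; a source whose corrected events land in an impossible order has a wrong skew or a manipulated log.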
Search Methodology

Identify the crime scene

  • Area 1: Local Nodes
    • PDAs
    • Laptops
  • Area 2: Wireless devices
    • Mobile equipment
    • 802.11b
  • Area 3: Wireless networks
    • Core systems (BSC, MSC, SMS)
  • Area 4: Remote networks
    • Routers, switches, cables
    • Remote nodes
Authorization Example
  • Floppy found in desk drawer
  • Collected by IT staff
    • No authorization
      • Not clear if search was legal
    • Process not documented
      • Not clear who found disk
    • Disk not labeled
      • Not clear which disk among several disks
  • Hot potato – drop it!
    • High risk of counter suit
Chain of Custody
  • Who collected & handled the evidence
  • Fewer people handling the evidence

=> Fewer people testify

  • Standard forms & procedures

=> Consistency

Collection & Preservation
  • Acquire evidence
    • EABD versus removing hard drive
    • save evidence on sterilized media
    • calculate a cryptographic digest of the evidence (MD5 historically; record SHA-256 as well, since MD5 collisions are now practical)
    • digitally sign evidence (digest, time & person)
  • Documentation
    • acquisition & verification process
    • who, where, how, when, and sometimes why
  • Lock original in safe
    • alternately use a custodian
Message Digests
  • 128-bit “fingerprint”
    • 32 hexadecimal digits (16 bytes)
  • Two messages with same digest
    • Computationally infeasible when this was written; MD5 collisions have since been demonstrated in practice, so pair MD5 with a SHA-2 digest. Finding a second file that matches a given MD5 (a preimage) remains impractical, which is what verifying an image against its recorded hash relies on.
  • Search disk for file with same MD5
  • md5sum netstat.exe

=> 447282012156d360a862b30c7dd2cf3d

What to Collect?
  • The original disk
  • An exact copy of the original disk
  • Log files from the disk (e.g. UNIX wtmp)
  • Interpreted logs (output of last)
    • Information lost in summarization
  • Relevant portions of interpreted logs
    • Output of last username
    • May miss some relevant entries
  • Written notes describing command output

The approach depends on the circumstances

Remote Collection
  • Document collection process (log to file)
  • May alert the suspect
  • Stepping in evidence
    • Same as at console
  • Forgotten evidence
    • Planning and procedures
  • Jurisdiction
    • May be only means - foreign countries
    • May cause an international incident
  • Evidence only available remotely (SNMP)
To shutdown or not to shutdown
  • Network state
  • Processes in memory (MB/GB)
  • Kernel memory
  • Swap space
  • Lose cached data not yet written to disk
  • Lose data protected by EFS/PGP disk
  • Corrupt existing data
Limitations of Live Exam?
  • Hasty
    • prone to error
    • automation helps avoid errors
  • Stepping in evidence
    • automation minimizes changes
    • not 100% (overwrite user.dmp)
  • Might miss something
    • alternate data streams
  • Can’t see deleted data
    • anyone have a floppy diskette?
  • Can’t trust operating system
Challenge Concealment
  • Deleted binary
    • Copy in /proc/<pid>/file (BSD procfs) or /proc/<pid>/exe (Linux)
    • icat /dev/hda inode > recovered
  • Log deletion or wiping
    • wzap clears wtmp entries
  • Altering file attributes
  • Hidden files/Alternate Data Streams
    • hfind.exe (Foundstone)
    • Device files in Recycle Bin
  • Rootkits/Loadable Kernel Modules (Knark)
  • Encryption
The Coroner’s Toolkit
  • grave-robber output
    • coroner.log
    • proc with MD5 of output
    • command_out with MD5 of output
    • body - mactime database
    • removed_but_running
    • conf_vault
    • trust
    • MD5_all
    • MD5_all.md5
Case Example: W2K Domain Controller Hacked
  • Unusual port
  • Messy examination
  • Cleanup fails!

Initial Assessment
  • Routine Network Vulnerability Scan
    • BO2K on port 1177 of W2K DC
  • Physical Assessment
    • Located in locked closet
  • Initial Examination
    • All security patches applied
    • NT Security Event logging enabled
    • fport: c:\winnt\system32\wlogin.exe
  • System cannot be shutdown
    • Central to operation of network
Network Assessment
  • Accessible from the Internet
  • No dial-up access
  • Many services enabled
    • file sharing
    • Internet Information Server
    • FTP (anonymous FTP disabled)
  • IIS fully patched
Assess and Preserve
  • Toolkit of known good executables
    • Save output to external/remote disk
    • Note md5 values of output
  • Check for keystroke grabber / sniffer
    • No fakegina or klogger
    • Yes sniffer (system32\packet.sys)
  • MAC times to locate other files
    • Installed IRC bot in C:\WINNT\Java
    • No obvious access of sensitive information
  • Could have obtained passwords via lsass
  • Could have access to other machines
  • No unusual logons in Security Event Logs
  • IIS logs from before security patch installation
    • Shows compromise via Web server
  • AntiVirus messages in Application Event Logs

1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed :

1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned:62093 Files/Folders/Drives Omitted:89

  • IP addresses from Web server logs
  • IRC bot files
    • eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information
  • Change passwords and examine other hosts
  • HKLM\System\CurrentControlSet\Services
    • C:\WINNT\System32\wlogin.exe
  • Machine fails to reboot
    • Extended downtime
  • MAC times incomplete
    • C:\subdir
  • Wlogin is zeroed out
    • Accidental by examiner
    • Intentional by Norton/intruder?
    • No binary to analyze
Lessons Learned
  • Intrusion prior to patching
    • Do not assume that system was secure
  • LastWrite time of the wlogin service Registry key would have dated the installation
    • Missed opportunity
  • Attempt to recover piecemeal
    • Don’t make matters worse than intruder
    • Make a plan and make a backup plan
Forensic Analysis Overview
  • Locate, recover, and interpret evidence
  • Low level analysis vs interpreted data
  • Timeline – when
  • Relational reconstruction – where
  • Functional reconstruction – how
  • Synthesis – what, why
    • crime reconstruction
    • risk assessment
    • motive and intent
  • Data may not be trustworthy
    • seek corroborating data on network
Analysis Process
  • Access evidentiary images & backups
  • File inventory with hash values, etc.
  • Recover deleted data (files, folders, etc.)
  • Recover slack and unallocated space
  • Exclude known/unnecessary files
  • Remove duplicates
  • Process/decrypt/decompress files
    • swap and hibernation files
  • Index text data
File Systems
  • General creation process
    • Allocation table and folder entries created
    • Time stamps set
    • Track written
    • Slack space
    • Perhaps artefacts generated
      • MS Word file menu Registry entries
  • Windows: FAT12, FAT16, FAT32, NTFS
  • Unix: UFS, ext2, ext3
  • Macintosh: HFS Plus
  • NTFS: MFT records of deleted files are reused quickly
  • Directory index entries are also overwritten quickly
    • Reference handbook
    • How quickly are blocks reused?
  • The $FILE_NAME attribute in an MFT record carries its own copy of the timestamps, normally updated only when the file is created, renamed or moved, so it can preserve the original times after the $STANDARD_INFORMATION times have been altered
  • Sourceforge for more information
MacOS (HFS Plus)
  • Catalog file
    • B-tree
    • File threads
  • Time formats
    • GMT vs. local
  • No access time

Linux – A Forensic Platform

# dd if=/dev/fd0 | md5sum

2880+0 records in

2880+0 records out

5f4ed28dce5232fb36c22435df5ac867 -

# dd if=/dev/fd0 of=floppy.image bs=512

# md5sum floppy.image

5f4ed28dce5232fb36c22435df5ac867 floppy.image

# mount -t vfat -o ro,noexec,loop floppy.image /mnt

# find /mnt -type f -exec sha1sum {} \;

86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls

81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml

0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc

# grep -aibf searchlist floppy.image

75441:you and your entire business ransom.

75500:I want you to deposit $50,000 in the account

75767:Don't try anything, and dont contact the cops.
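Added example (not from the slides), covering the Collection & Preservation and Message Digests slides as well as the dd/md5sum session above: an acquisition routine that copies a device bit for bit, hashes the source stream while reading, re-hashes the written image and refuses a mismatch, records a manifest (image, size, time, examiner, digests) and seals it with an HMAC as a stand-in for the examiner's digital signature. The "device" is a constructed 1.44 MB file standing in for /dev/fd0, the examiner name and signing key are hypothetical, and SHA-256 is recorded beside MD5 because MD5 collisions are practical today.

```python
"""Acquire a bit-for-bit image, hash it while reading, verify the copy, and
seal a who/what/when manifest; re-verify the image before every later use."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20            # 1 MiB reads: disk images never fit in memory
ALGOS = ("md5", "sha256")  # MD5 for continuity with older records; SHA-256 because MD5 collisions are practical


def digest_chunks(chunks, algos=ALGOS):
    """One pass over the data, all requested digests at once."""
    hs = {a: hashlib.new(a) for a in algos}
    for block in chunks:
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def read_chunks(path):
    with open(path, "rb") as f:
        yield from iter(lambda: f.read(CHUNK), b"")


def hash_file(path, algos=ALGOS):
    return digest_chunks(read_chunks(path), algos)


def acquire(source, image):
    """What `dd if=source of=image` plus `md5sum` does, in one pass: copy every byte,
    hash the source stream as it is read, then re-hash the written image and insist
    the two agree before the image is accepted as evidence."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hs.values():
                h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_digests = {a: h.hexdigest() for a, h in hs.items()}
    image_digests = hash_file(image)
    if source_digests != image_digests:
        raise IOError("image does not match the source stream; re-acquire")
    return image_digests


def manifest(image, digests, examiner, notes=""):
    """The chain-of-custody record: what was imaged, by whom, when, and its digests."""
    return {"image": os.path.basename(image), "size": os.path.getsize(image),
            "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "examiner": examiner, "digests": digests, "notes": notes}


def seal(record, key):
    """HMAC over the canonical manifest, standing in for the examiner's digital signature."""
    return hmac.new(key, json.dumps(record, sort_keys=True).encode(), "sha256").hexdigest()


def seal_ok(record, key, tag):
    return hmac.compare_digest(seal(record, key), tag)


def verify(image, record):
    """Re-hash the image and compare with the manifest (before analysis, and again before court)."""
    return hash_file(image, tuple(record["digests"])) == record["digests"]


def run_demo():
    """Acquire a constructed 'floppy', verify, then alter one byte and verify again."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "fd0.bin")              # stands in for /dev/fd0
    with open(device, "wb") as f:                       # constructed 1.44 MB image: 2880 sectors of 512 bytes
        f.write(bytes(range(256)) * 5760)
    image = os.path.join(work, "floppy.image")
    rec = manifest(image, acquire(device, image), examiner="J. Examiner")   # hypothetical examiner
    key = b"examiner-signing-key"                       # hypothetical; sign with the examiner's real key in practice
    tag = seal(rec, key)
    before = verify(image, rec)
    with open(image, "r+b") as f:                       # simulate one byte changed in the working copy
        f.seek(100)
        f.write(b"\x00")
    return {"digests": rec["digests"], "size": rec["size"], "seal_ok": seal_ok(rec, key, tag),
            "seal_ok_wrong_key": seal_ok(rec, b"other", tag), "verify_before": before,
            "verify_after": verify(image, rec)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The source is hashed as it is read rather than in a second pass, for the same reason the slide pipes dd into md5sum: a second read of a failing disk may not return the same bytes, and the image must be shown to match what was read, not what the disk happens to return later.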

The Coroner’s Toolkit
  • ils -A /dev/hda1 (free inodes)
  • ils -o /dev/hda1 (removed open files)
  • icat /dev/hda1 inode
  • pcat pid
  • mactime -R -d / 12/13/2001-12/14/2001
  • mactime -d /export/home 10/30/2001
  • grave-robber -d . -E /
  • Perl is a requirement
Log File Correlation
  • Use the time range from wtmp logs

# last

user pts/3 Sat Oct 20 19:45 - 01:08 (05:23)

# mactime -b body -l "Sat Oct 20 19:45 - 01:08 (05:23)"

Oct 21 01 01:32:30 75428 .a. -r-xr-xr-x root bin /usr/bin/ftp

AccessData Forensic Toolkit® (FTK™)
  • The most popular of email forensic software tools
  • View over 270 different file formats with Stellent's Outside In Viewer Technology.
  • Generate audit logs and case reports.
  • Compatible with the Password Recovery Toolkit™ and Distributed Network Attack®.
  • Full text indexing powered by dtSearch® yields instant text search results.
  • Advanced searches for JPEG images and Internet text.
  • Locate binary patterns using Live Search.
  • Automatically recover deleted files and partitions.
  • Target key files quickly by creating custom file filters.
  • Supported File & Acquisition Formats
    • File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.
    • Image formats include: EnCase, SMART, Snapback, Safeback (up to but not including v.3), and Linux dd.
  • Email & Zip File Analysis
    • Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email.
    • View, search, print, and export email messages and attachments.
    • Recover deleted and partially deleted email.
    • Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.
  • Known File Filter™ (KFF™)
    • Identify and flag standard operating system and program files.
    • Identify and flag known child pornography and other potential evidence files.
    • Includes hash datasets from NIST and HashKeeper.
  • Registry Viewer™
    • Access and decrypt protected storage data.
    • View independent registry files.
    • Report generation.
    • Integrates with AccessData's forensic tools.
Email Forensics: How FTK is used
  • Email is one of the most common ways people communicate
  • Studies have shown that more email is generated every day than phone conversations and paper documents combined
  • Forensic Analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide and no examination of Document Discovery is complete without requesting, searching and organizing email
Email Forensics: Identification and Extraction
  • The first step in an email examination is to identify the sources of email and how the email servers and clients are used in an organization
  • More than just a way of sending messages, email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars and many other applications
    • E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM)
    • Lotus Notes and Domino Server are used beyond an email system
    • Many users store their personal calendars, contacts and even synchronize their  email clients with their Personal Digital Assistants (PDA)
    • Organizations use database enabled email and messaging servers to manage cases, track clients and share data
  • Computer forensic examiners should start their collection of evidence with email
Email Forensics: Deleted Email
  • Many users believe that once they delete email from their client the mail is unrecoverable
  • Nothing could be farther from the truth; many times emails can be forensically extracted even after deletion
  • Many users also do not grasp the concept that email has a sender AND a recipient or multiple recipients
  • Emails may reside on servers unbeknownst to the user, or on backup tapes that were created during the normal course of business
  • Of course they may also be extracted from the hard disk of the client or the server. 
  • Forensic programs are able to recover deleted email, calendars and more from users email clients and email servers.
Email Forensics: Web Mail or Web Based Email
  • It is completely possible to forensically recover email that was created or received by web based email systems and from free web based email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail
  • These types of mail systems use a browser to interface with the email server, the browser inherently caches information to the disk drive in the system used to retrieve or generate the email thereby effectively saving a copy to the disk
  • Forensic examiners can extract the HTML based Email from disk drive of the system used to create or retrieve the email messages 
  • Many Web Based or Web mail services, including Yahoo and Hotmail, have shared calendaring services, personal calendars and contact managers as well as email.
  • Anytime these services are accessed they may be cached to the disk as well. 
Email Forensics: Correlating Email Messages
  • New evidence is essentially created by correlating emails by date, subject, recipient or sender
  • These yield a map of inferences, events and entities
  • And open up opportunities for more complex pattern analysis
  • Forensic software is especially important in providing these correlations
EnCase Forensic (Guidance Software)
  • EnCase Forensic is the most popular software for computer forensic investigation
  • A single tool, capable of conducting large-scale and complex investigations from beginning to end:
    • Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide.
    • Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.
    • Automates complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.
    • Find information despite efforts to hide, cloak or delete.
    • Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.
    • Transfer evidence files directly to law enforcement or legal representatives as necessary.
    • Review options allow non-investigators, such as attorneys, to review evidence with ease.
    • Reporting options enable quick report preparation.
EnCase Forensic
  • "Conditions" permit users to create complex, multifaceted filters, using the EnScript® programming language.
  • The block size and error granularity settings interface
EnCase Forensic: Logical Evidence Files
  • "Single Files" allows an examiner to drag and drop particular files of interest into EnCase for analysis.
  • "Logical Evidence Files" can be created and locked from "Single Files," as well as from specific files of interest from an EnCase preview of subject media.
Password Recovery Toolkit
  • PRTK: Combinations & permutations
    • Import FTK keyword list
    • Missed obvious combinations
  • 40-bit Encryption
    • Windows 2000 EFS (export)
    • MS Word / Excel
Evidence on Networks
  • Associating online activity with logs
    • Server logs
    • E-mail server logs
    • Web server logs

Case Example: Harassment Complaint
  • Unauthorized e-mail access
  • Suspect pool
  • Process accounting
  • Bash history
Harassment (janesmith)
  • Make sure logs are consistent

mailserver# grep 'Login user=janesmith' syslog*

syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID 234311] Login user=janesmith []

  • What to look for next?
Harassment (continued)
  • wtmp logs indicate that her e-mail account was accessed from on Dec 9 at 13:14

emailserver# last janesmith

janesmith pts/114 Sun Dec 9 13:14 - 13:19 (00:05)

  • MAC times show that the .pinerc file was created on Dec 9 suggesting that this was the first time Pine was used to access e-mail in this account.
Harassment (continued)
  • wtmp logs on show that seven people were logged in on Dec 9 at 13:14

Note: clock on was 4 minutes fast

server4% last

walterp pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)

johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)

stephens pts/13 Sun Dec 9 13:01 - 16:16 (03:15)

hansmol pts/3 Fri Dec 7 14:14 - 10:53 (6+20:38)

ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)

Harassment (continued)
  • RADIUS (IAS) logs show the suspect disconnected prior to the offense: attribute 40 is Acct-Status-Type, so "40,1" is the Start record at 08:43:07 and "40,2" the Stop record at 09:27:12 on Dec 7

NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8,,25,311 1 10/08/2001 19:38:34 22348,40,1,44,E0D03B6B,66,,45,1,41,0,61,5,4108,,4116,0,4128,NASA VPN,4136,4,4142,0

NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8,,25,311 1 10/08/2001 19:38:34 22348,40,2,42,36793575,43,6837793,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66,,45,1,41,0,61,5,4108,,4116,0,4128,NASA VPN,4136,4,4142,0

Harassment (continued)
  • However, process accounting logs were kept, and an examination of these logs shows only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainant's e-mail account.

server4% lastcomm | grep ssh

ssh S timsteel ?? 0.11 secs Sun Dec 9 10:24

ssh S johnsmith ?? 0.02 secs Sun Dec 9 13:10

ssh S richevans ?? 0.03 secs Sun Dec 9 12:10

Harassment (continued)
  • Confirmed using bash history

server4# grep janesmith /home/johnsmith/.bash_history

ssh -l janesmith
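Added example (not from the slides): the suspect-pool narrowing of the harassment case as code. It parses constructed last, lastcomm and simplified RADIUS accounting output modelled on the case, moves the mail server's login time onto the shell server's clock (assumed 4 minutes fast, as in the slide), keeps only users whose wtmp session covered that instant, drops users whose last RADIUS record before the incident was a Stop (their wtmp entry is stale), and intersects with users who ran ssh in the preceding 15 minutes. The year, the hostnames, the 15-minute window and the reduced RADIUS format are assumptions of the example.

```python
"""Narrow a suspect pool by intersecting independent sources: who was logged in
(wtmp via last), who still had a network path (RADIUS accounting), and who ran
ssh at the time (process accounting via lastcomm), with clock skew corrected."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

YEAR = 2002   # last/lastcomm output carries no year; the examiner supplies it

# Constructed sample output modelled on the case (not the page's own data).
LAST = """\
walterp   pts/14 roosevelt.nasa.g Sun Dec  9 13:10 - 13:17  (00:07)
johnsmith pts/2  pc01.admin.nasa. Sun Dec  9 13:09 - 13:29  (00:20)
stephens  pts/13                  Sun Dec  9 13:01 - 16:16  (03:15)
hansmol   pts/3                   Fri Dec  7 14:14 - 10:53  (6+20:38)
ianjones  pts/7  nasavpn-22.nasa. Fri Dec  7 08:39 - 01:23  (5+16:44)
"""
LASTCOMM = """\
ssh   S  johnsmith  ??  0.02 secs Sun Dec  9 13:10
ssh   S  richevans  ??  0.03 secs Sun Dec  9 12:10
ssh   S  timsteel   ??  0.11 secs Sun Dec  9 10:24
"""
# RADIUS accounting reduced to user,date,time,Acct-Status-Type (real IAS logs are attribute/value lists)
RADIUS = """\
ianjones,12/07/2002,08:43:07,Start
ianjones,12/07/2002,09:27:12,Stop
"""
SERVER_SKEW = timedelta(minutes=4)   # assumed: the shell server's clock runs 4 minutes fast vs. the mail server

Session = namedtuple("Session", "user tty host start end")
Proc = namedtuple("Proc", "cmd user tty start")
Acct = namedtuple("Acct", "user when status")

# user tty [host] "Sun Dec  9 13:10" - <end or status> (<days>+hh:mm)
LAST_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\w{3} \w{3}\s+\d+ \d\d:\d\d) - .+?\((?:(\d+)\+)?(\d\d):(\d\d)\)$")


def at(iso):
    return datetime.fromisoformat(iso)


def parse_when(fields):
    """'Sun Dec  9 13:10' -> datetime; the weekday is dropped and the year supplied."""
    return datetime.strptime(f"{YEAR} " + " ".join(fields.split()[1:]), "%Y %b %d %H:%M")


def parse_last(text):
    out = []
    for line in text.splitlines():
        user, tty, host, start, days, hh, mm = LAST_RE.match(line).groups()
        begin = parse_when(start)
        # the "(d+hh:mm)" duration, not the end-of-day clock time, gives an unambiguous end
        out.append(Session(user, tty, host, begin,
                           begin + timedelta(days=int(days or 0), hours=int(hh), minutes=int(mm))))
    return out


def parse_lastcomm(text):
    out = []
    for line in text.splitlines():
        tok = line.split()
        i = tok.index("secs")          # the flags column may be empty, so anchor on "secs"
        out.append(Proc(tok[0], tok[i - 3], tok[i - 2], parse_when(" ".join(tok[i + 1:]))))
    return out


def parse_radius(text):
    out = []
    for line in text.splitlines():
        user, d, t, status = line.split(",")
        out.append(Acct(user, datetime.strptime(d + " " + t, "%m/%d/%Y %H:%M:%S"), status))
    return out


def active_users(sessions, t):
    return {s.user for s in sessions if s.start <= t < s.end}


def disconnected_before(records, t):
    """Users whose most recent accounting record before t is a Stop: their wtmp entry is stale."""
    latest = {}
    for r in sorted(records, key=lambda r: r.when):
        if r.when < t:
            latest[r.user] = r.status
    return {u for u, s in latest.items() if s == "Stop"}


def narrow_suspects(incident_mail_time, window=timedelta(minutes=15)):
    t_shell = incident_mail_time + SERVER_SKEW     # the same instant as read on the shell server's clock
    logged_in = active_users(parse_last(LAST), t_shell)
    gone = disconnected_before(parse_radius(RADIUS), incident_mail_time)
    # lastcomm shows the start time; records are written (and therefore listed) in order of process exit
    ran_ssh = {p.user for p in parse_lastcomm(LASTCOMM)
               if p.cmd == "ssh" and t_shell - window <= p.start <= t_shell}
    return (logged_in - gone) & ran_ssh


if __name__ == "__main__":
    print(narrow_suspects(at("2002-12-09T13:14")))   # the ipop3d login time on the mail server
```

The remaining name is then confirmed against that user's shell history, as the slide does with grep, rather than treated as proof on its own: process accounting records only that ssh ran, not where it connected.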

Network Traffic
  • Historical data
    • Performance monitoring
    • NetFlow & Argus
    • IDS (may include full packet capture)
  • Traffic capture
    • Temporal considerations
    • Preservation
    • Reconstruction and analysis
    • Tools
      • Dsniff, NetWitness, Sandstorm, Niksun, SilentRunner
      • Many for Unix (e.g., ngrep, review)
Performance Monitoring
  • Shows patterns on a device
    • Spikes in traffic
    • Loss of connectivity to a segment
  • Multi Router Traffic Grapher (MRTG)
Netflow and Snort Overview
  • NetFlow
    • a flow is a unidirectional sequence of packets sharing the same key (source/destination address, ports, protocol, interface)
    • NetFlow logs contain basic flow information (src, dst, times, size)
  • Snort
    • based on libpcap
    • detects known attacks
    • highly configurable
Using Snort and NetFlow
  • Host logs may be overwritten
  • Intrusion Detection System shows partial picture

[**] FTP-site-exec [**]

02/23-04:51:38.012306 ->

TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF

***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC

TCP Options (3) => NOP NOP TS: 98258650 1405239787

  • NetFlow logs show more complete picture

Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets

0223.04:51:38.841 0223.04:51:48.685 2 2721 13 21 6 2 3 144

Netflow Losses
  • Sequence numbers show gaps

% flow-header < ft-v05.2002-04-15.183000-0400

# mode: normal

# capture hostname: flow

# exporter IP address:

# capture start: Mon Apr 15 18:30:00 2002

# capture end: Mon Apr 15 18:45:00 2002

# capture period: 900 seconds

# compress: on

# byte order: big

# stream version: 3

# export version: 5

# lost flows: 179520

# corrupt packets: 0

# sequencer resets: 1

# capture flows: 206760
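Added example (not from the slides) showing where the "lost flows" and "sequencer resets" counts above come from. It packs and parses NetFlow v5 export headers (the 24-byte layout of the v5 export format) and accounts for gaps in the flow_sequence counter per exporter engine; the export stream is constructed. In the capture above 179,520 flows were lost against 206,760 captured, so roughly 46% of what the exporter sent never reached the collector: the absence of a flow from such a log is weak evidence.

```python
"""NetFlow v5 export accounting: parse the 24-byte export header, then use the
flow_sequence counter to count flows the collector never received, the way the
"lost flows" and "sequencer resets" lines of flow-header output are derived."""
import struct

# version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48
MAX_RECORDS = 30            # a v5 export carries at most 30 flow records


def build_export(count, flow_sequence, unix_secs=1018910400, engine=(0, 0)):
    """Constructed export packet: a real header over zero-filled records (their content is irrelevant here)."""
    hdr = V5_HEADER.pack(5, count, 0, unix_secs, 0, flow_sequence, engine[0], engine[1], 0)
    return hdr + b"\0" * (V5_RECORD_LEN * count)


def parse_header(pkt):
    if len(pkt) < V5_HEADER.size:
        raise ValueError("short packet")
    ver, count, _uptime, secs, _nsecs, seq, etype, eid, _sampling = V5_HEADER.unpack_from(pkt)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version {ver})")
    if not 1 <= count <= MAX_RECORDS or len(pkt) != V5_HEADER.size + V5_RECORD_LEN * count:
        raise ValueError("record count does not match packet length")   # truncated or corrupt export
    return {"count": count, "seq": seq, "engine": (etype, eid), "unix_secs": secs}


def account(packets):
    """Per exporter engine: flow_sequence is the number of flows exported before this packet,
    so the next packet should start at seq + count. A jump forward is lost flows (UDP drops,
    collector overload); a jump backward is a sequencer reset (exporter reboot, or a replayed
    or spoofed export, since NetFlow is unauthenticated UDP)."""
    stats = {"captured": 0, "lost": 0, "resets": 0, "corrupt": 0}
    expected = {}
    for pkt in packets:
        try:
            h = parse_header(pkt)
        except ValueError:
            stats["corrupt"] += 1
            continue
        key = h["engine"]
        stats["captured"] += h["count"]
        if key in expected:
            if h["seq"] > expected[key]:
                stats["lost"] += h["seq"] - expected[key]
            elif h["seq"] < expected[key]:
                stats["resets"] += 1
        expected[key] = h["seq"] + h["count"]
    return stats


def sample_stream():
    """Constructed export sequence: two full packets, a gap of 60 flows, a reset, a truncated packet."""
    return [build_export(30, 1000), build_export(30, 1030), build_export(5, 1120),
            build_export(10, 1125), build_export(3, 0), build_export(4, 3),
            build_export(30, 1000)[:100]]


if __name__ == "__main__":
    s = account(sample_stream())
    total = s["captured"] + s["lost"]
    print(s, f"lost {100 * s['lost'] / total:.1f}% of exported flows")
```

Losses are tracked per engine because a router with several engines, or several routers exporting to one collector, each keep their own counter; mixing them would report phantom gaps and resets.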

Traffic Monitoring/Capture
  • tcpdump (68-byte default snaplen in older versions; use -s 0 to capture whole packets)
  • Ethereal
  • Wiretap
    • Live Capture
    • Protecting systems
  • ECPA
    • Stored communications & records
    • Maintenance and protect users
  • USA Patriot Act
libpcap losses
  • High speed links overload sniffers
  • Protocol type 11 (honeynet)
  • Applies to all libpcap based sniffers
    • snort, tcpdump, NetWitness

# tcpdump -X host

tcpdump: listening on xl0

.....[data displayed on screen]…


29451 packets received by filter

4227 packets dropped by kernel

  • Switched networks isolate traffic
    • Sniffing is more difficult
  • CatOS Switched Port Analyzer (SPAN)
  • Spanning/Mirroring ports
    • Only copies valid Ethernet packets
    • Not all error information duplicated
    • Low priority of span may increase losses
  • Hardware taps
    • Copy signals without removing layers
    • May split Tx and Rx (reassembly required)
NIC Losses
  • Applies to all NICs (firewalls, switches, etc.)
  • RX-OVR / overruns count frames the NIC dropped before the kernel, and hence any sniffer, saw them (128 on eth0 below, while errors and dropped both read 0)

% netstat -nid

Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 19877416      0      0    128  7327647      0      0      0 BRU

% /sbin/ifconfig

eth0 Link encap:Ethernet HWaddr 00:B0:D0:F3:CB:B5

inet addr: Bcast:



RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0

TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1

collisions:442837 txqueuelen:100

Interrupt:23 Base address:0xec80

Case Example: Intellectual Property Theft (rootkit)

Intellectual Property
  • IDS logs show intrusion

[**] FTP-site-exec [**]

09/14-12:27: -> 130.132.x.y

09/14-12:28: -> 130.132.x.y

09/14-12:33: -> 130.132.x.y

  • Concern: system contains sensitive data
IP Theft (assess damage)
  • Initial examination of compromised host showed no signs of compromise
    • no wtmp entries from site exec exploit
    • no syslog entries
    • no odd processes using ps or files using ls
  • System clock was 5 hours fast (Δt = 5hrs)
  • Oddities on system suggested compromise
    • difference between ps & lsof; /tmp/.tmp/
IP Theft (analysis)
  • Used EnCase to analyze evidence
  • Recovered deleted syslogs (noting Δt)

Sep 14 17:07:22 host ftpd[617]: FTP session closed

Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM [], 1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11

Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1

IP Theft (reconstruction)
  • Confirmed source of initial intrusion
  • Determined that target was high risk
  • Determined motive and intent
    • not aware of sensitive information on host
    • used host for DoS, scanning, and IRC
  • Determined that a sniffer had been used
  • Located other compromised systems
    • notified system owners on outside networks
Timestamp Oddities
  • Moved file in Windows
    • Last write time before creation time
  • Corrupt timestamps
    • Windows folder and .lnk
    • MacOS
  • Some logs are in order of the end of the event
    • Process accounting
    • CISCO NetFlow
Artefacts of File Transfer

File transferred to external media

  • MS Word Metadata
  • Program’s file menu (registry key LastWrite)
    • MS Word, Powerpoint, Excel, etc.
    • WinZip, WinAmp
    • Explorer (e.g., RecentDocs, RunMRU)
    • Internet Explorer (history, cache, TypedURLs)
  • Shortcut (.lnk) files
    • Recent\Desktop (time ordered CAM)
  • Recycler
  • May be in unallocated space/swap/hibernation
Network Artefacts
  • Downloaded files
  • Interactive connections
    • Telnet Lastmachine (registry)
    • Secure CRT .ini
    • Secure Shell
  • Unix directory listing on Windows PC
  • Web, e-mail, Usenet, IRC, etc.
  • IIS Transactions
    • pagefile.sys
  • Mapped network drives
    • NetHood (profile, MFT, registry, unallocated)
Internet Accounts

Key Name: SID\Software\Microsoft\Internet Account Manager\Accounts\00000004

Class Name: <NO CLASS>

Last Write Time: 7/5/2002 - 4:33 AM

Downloaded Files
  • Tape Archive (.tar)
Mapped Network Drive
  • Explorer (\\name\drive)
    • StreamMRU, RunMRU, RecentDocs
  • Scattered
    • User.dmp, swap, unallocated space
    • Grep expression: \\\\[A-Z]+\\[A-Z]+
Unix Mounted Drives
  • df, mount, samba
  • /etc/fstab:

/dev/hda1 / ext2 defaults 1 1

/dev/hda7 /tmp ext2 defaults 1 2

/dev/hda5 /usr ext2 defaults 1 2

/dev/hda6 /var ext2 defaults 1 2

/dev/hda8 swap swap defaults 0 0

/dev/fd0 /mnt/floppy ext2 user,noauto 0 0

/dev/hdc /mnt/cdrom iso9660 user,noauto,ro 0 0

none /dev/pts devpts gid=5,mode=620 0 0

none /proc proc defaults 0 0

remote-server:/home/accts /home/accts nfs bg,hard,intr,rsize=8192,wsize=8192

remote-server:/var/spool/mail /var/spool/mail nfs bg,hard,intr,noac,rsize=8192,wsize=8192

Remote Logs and Printing
  • /etc/syslog.conf

*.* @remote-server

  • /etc/printcap:








File Transfer Protocol
  • On PC: file name, time, remote directory
  • On server: file name, size, time, account, IP
  • Linux ncftp (.ncftp/trace; .ncftp/history)

xferlog: Nov 12 19:53:23 1998 15 780800 /home/user/image.jpg a _ o r user

WS_FTP: 98.11.12 19:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg

SESSION STARTED at: Sun Oct 21 01:05:44 2001

Program Version: NcFTP 3.0.0/220 February 19 1999, 05:20 PM

<cut for brevity>

01:05:44 Connecting to

01:05:52 > get openssl-0.9.6.tar.gz

SESSION ENDED at: Sun Oct 21 01:06:50 2001

Network Artefacts (Unix ls)

Grep search

  • [d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-] (space)
More Unix/Mac Artefacts
  • SSH
    • authorized_keys (incoming)
    • known_hosts (outgoing)
  • .xauth/refcount/xfs/hostname
  • Unix xterm buffers show sessions
  • Transactions of various servers
  • Windows remnants on Unix
    • Directory files e.g., C:\winnt\system32\*.exe
Case Example: Intellectual Property Theft (Insider)

Initial Complaint
  • Employee stole information prior to leaving
    • Terminated on Sept 16, 2002
  • Unknown documents from workstation
  • clients.mdb
    • Client contact database
    • Stored on W2K workstation
  • projectX
    • Secret project details
    • Stored on Unix file server
  • What do you look for?
W2K Workstation
  • Security (card swipe) records
    • Suspect entered building at 08:45am
  • Logon/Logoff record
C:\>ntlast /ad 16/9/2002 /v
Record Number: 18298
ComputerName: WKSTN11
EventID: 528 - Successful Logon
Logon: Tue Sep 16 08:50:58am 2002
Logoff: Tue Sep 16 09:10:00am 2002
Details -
ClientName: user11
ClientID: (0x0,0xDCF9)
ClientMachine: WKSTN11
ClientDomain: CORPX
LogonType: Interactive

  • How to collect this information as evidence?
W2K Workstation
  • Transfer of clients.mdb
    • Accessed 09/16/2002 08:58:30 EST
    • \Windows\CurrentVersion\Explorer\RecentDocs
  • Suspect’s environment temp\clients.xls
    • Created at 08:59:14
    • Last modified at 08:58:49
  • Suspect’s e-mail outbox
    • Shows clients.xls sent to Hotmail
  • What information would you seek on network?
W2K Workstation
  • Other file accessed at same time
    • private.doc
  • Registry OpenSaveMRU entry
  • Recent .lnk written and accessed
    • Recent A: .lnk written and accessed
  • What would you expect to find on associated floppy diskette?
Unix File Server
  • SSH Client Access
    • Accessed:
      • \user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk
      • Files in \user11\Application Data\SSH\
      • \user11\Application Data\SSH\HostKeys\key_22_srv1
  • How to collect evidence?
% last user11
user11 pts/77 Sep 16 09:05 - 09:06 (00:01)
% ls -altu
-rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX

  • ProjectX file found in c:\temp on wkstn11
    • What timestamps changed in transfer?
W2K Workstation
  • Deleted projectX file found in c:\temp
    • Created: 09:05am
    • Accessed: 09:07am
    • Modified: 09/12/2002 10:07:07am
  • Explorer\RecentDocs\NetHood
    • \\competitorpc\upload
    • LastWrite 09/13/2002 11:04AM
  • Explain time discrepancy
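The case slides above scatter timestamps across badge records, the event log, the registry, NTFS and the file server's wtmp, and end by asking what the projectX timestamps mean. The Python below is an added example, not part of the deck: it puts the slides' events into one timeline and encodes the standard reading of a modified time that predates the created time (a copy keeps the source file's modification time, while creation time is when the copy landed on this volume). The event list is transcribed from the slides; descriptions and source labels are mine.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Events transcribed from the case slides; each carries the artefact it came from
EVENTS = [
    ("2002-09-16 08:45:00", "badge",    "suspect entered building (card swipe)"),
    ("2002-09-16 08:50:58", "eventlog", "528 successful interactive logon user11 on WKSTN11"),
    ("2002-09-16 08:58:30", "registry", "RecentDocs: clients.mdb accessed"),
    ("2002-09-16 08:58:49", "ntfs",     "temp\\clients.xls last modified"),
    ("2002-09-16 08:59:14", "ntfs",     "temp\\clients.xls created"),
    ("2002-09-16 09:05:00", "wtmp",     "user11 login on pts/77 at file server"),
    ("2002-09-16 09:05:00", "unix-fs",  "projectX atime on file server (ls -altu)"),
    ("2002-09-16 09:05:00", "ntfs",     "c:\\temp\\projectX created on WKSTN11"),
    ("2002-09-16 09:06:00", "wtmp",     "user11 logout from file server"),
    ("2002-09-16 09:07:00", "ntfs",     "c:\\temp\\projectX accessed on WKSTN11"),
    ("2002-09-16 09:10:00", "eventlog", "logoff user11 on WKSTN11"),
]


def timeline(events):
    """Merge events from different sources into one chronology."""
    return sorted((datetime.strptime(t, FMT), src, desc) for t, src, desc in events)


def copy_indicators(name, created, modified, accessed):
    """Interpret a created/modified/accessed triple and return a list of observations.

    modified < created: the file was not written in place on this volume; it was copied in,
    and `modified` is the source file's last modification time (a lead to the original).
    accessed < created: impossible for a file written here; suggests clock or timestamp tampering.
    """
    c, m, a = (datetime.strptime(x, FMT) for x in (created, modified, accessed))
    notes = []
    if m < c:
        notes.append("%s: modified %s predates created %s: copied from elsewhere, "
                     "source last changed %s" % (name, m, c, m))
    if a < c:
        notes.append("%s: accessed %s before created %s: clock or timestamp manipulation?"
                     % (name, a, c))
    return notes


if __name__ == "__main__":
    for when, src, desc in timeline(EVENTS):
        print("%s  %-9s %s" % (when, src, desc))
    for note in copy_indicators("projectX", "2002-09-16 09:05:00",
                                "2002-09-12 10:07:07", "2002-09-16 09:07:00"):
        print(note)
```

Read against the timeline, the server-side wtmp session (09:05 to 09:06) and the projectX creation time on the workstation (09:05) bracket the transfer, and the 09/12 modification time on the copy is the server file's own mtime carried across by the copy. The same reading applies to clients.xls, whose modified time (08:58:49) is earlier than its created time (08:59:14).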
Errors & Uncertainty
Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case…
Gross, H., Criminal Investigation (Sweet & Maxwell, Ltd. 1924)

Errors and Uncertainty
  • Offender/victim covering behavior
  • Preconceived theories
  • Accepting others’ assumptions
  • Technological limitations
  • Mistakes and misinterpretation
  • Evidence dynamics
    • Handbook - Chapter 1
  • Uncertainty and loss
    • Casey, E: “Error, Uncertainty and Loss in Digital Evidence”, International Journal of Digital Evidence, Volume 1, Issue 2, 2002
Evidence Eliminator
Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM
OS Detected: Win95 [Win95 4.0.1111.1024]
Eliminating Folder: C:\WINDOWS\applog\
No folder found: C:\WINDOWS\applog\
Eliminating IE Typed URL History...
Data Found: String data: [url1-C:\My Documents\]
Eliminating IE Typed AutoComplete data...
Eliminating IE Download Folder record...
Eliminating IE Error Logs...
Eliminating File: C:\WINDOWS\IE4 Error Log.txt
No file found: C:\WINDOWS\IE4 Error Log.txt
Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\
Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\ including root folder...

Lily Pad Examples
  • SubSeven with IRC
    • File sharing
    • Denial of service
  • Unix intrusion
    • Bypass firewall
    • Attack from within
Remote Storage
  • Compromised host
  • Shell/Web account
  • Online services
  • Mounted network shares
    • Sniffers that log to remote shares
    • Home directory on remote server
Intruder Concealment
  • Deleted binary
    • Copy in /proc/pid/file
    • icat /dev/hda inode > recovered
  • Log deletion or wiping
    • wzap clears wtmp entries
  • Altering file attributes
  • Hidden files/Alternate Data Streams
    • hfind.exe
    • Device files in Recycle Bin
  • Rootkits/Loadable Kernel Modules (Knark)
  • Encryption
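The first concealment item above, a deleted binary that is still running, can be recovered from the process's executable link because the kernel keeps the unlinked inode alive while it is mapped. The Python below is an added example, not from the deck; it uses Linux's `/proc/<pid>/exe` (the slide's `/proc/pid/file` is the BSD name) and demonstrates the recovery in a constructed scenario: a copy of `sleep` is planted, started, deleted and recovered, and the hashes are compared. It must run on Linux with /proc mounted.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recover_deleted_binary(pid, out_path):
    """Copy the executable image of a running process out of /proc/<pid>/exe.

    Works after the file was unlinked from disk: readlink then shows ' (deleted)' but opening
    the link still reaches the inode. Returns the link target for the examiner's notes.
    """
    exe_link = "/proc/%d/exe" % pid
    target = os.readlink(exe_link)
    with open(exe_link, "rb") as src, open(out_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return target


def demo():
    """Constructed scenario: plant a copy of 'sleep', run it, delete it, recover it.

    Returns (hashes_match, link_marked_deleted).
    """
    workdir = tempfile.mkdtemp()
    planted = os.path.join(workdir, "suspicious")
    shutil.copy2(shutil.which("sleep"), planted)
    original_hash = sha256_of(planted)
    proc = subprocess.Popen([planted, "30"])
    try:
        os.unlink(planted)          # the on-disk file is gone; the process keeps running
        time.sleep(0.2)
        recovered = os.path.join(workdir, "recovered")
        link_target = recover_deleted_binary(proc.pid, recovered)
        return original_hash == sha256_of(recovered), link_target.endswith("(deleted)")
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    match, deleted = demo()
    print("recovered image matches original:", match)
    print("exe link reported deleted:", deleted)
```

Hash the recovered file immediately and record the `/proc/<pid>/exe` link target alongside it; once the process exits the inode is freed and the only remaining route is the `icat` recovery from the raw device that the slide lists next.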
Altering File Attributes
  • Attrib
  • Alter MAC times
  • touch in Unix
    • ls -altc
  • Microsoft SetFileTime() API
  • Hide from search tools
    • dir /t[:a]
    • afind.exe (FoundStone)
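The slide pairs `touch` with `ls -altc` for a reason: `touch` (and the `utime` call behind it) rewrites atime and mtime, but it cannot set ctime, the inode change time, which the kernel updates to the current clock on any attribute change. The Python below is an added example, not from the deck: it backdates a constructed file the way an intruder's `touch -d` would, then shows that ctime still reveals the change. It runs on Linux or another Unix.

```python
import os
import tempfile
import time


def backdate_with_utime(path, seconds_ago):
    """Set atime and mtime into the past, as 'touch -d' does; returns the time set."""
    past = time.time() - seconds_ago
    os.utime(path, (past, past))
    return past


def timestamp_report(path):
    """The three Unix timestamps, for the examiner's record."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def ctime_contradicts(path, tolerance=5):
    """True when ctime is newer than mtime by more than `tolerance` seconds.

    A file written normally has ctime and mtime set together. A backdated file keeps the
    fresh ctime, which is what 'ls -altc' sorts on; the gap is the tell.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance


def demo():
    """Constructed: create a file, backdate it by a year, check before and after."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed evidence file\n")
    os.close(fd)
    try:
        before = ctime_contradicts(path)
        backdate_with_utime(path, 365 * 24 * 3600)
        after = ctime_contradicts(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("ctime contradicts mtime before backdating:", before)
    print("ctime contradicts mtime after backdating:", after)
```

The check is a Unix one: on Windows, the slide's `SetFileTime()` can rewrite creation, access and write times alike, so the equivalent comparison there is made against timestamps the API does not expose rather than against ctime.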
Alternate Data Streams
  • c:\temp> lads
LADS - Freeware version 3.01
(C) Copyright 1998-2002 Frank Heyne Software
Scanning directory C:\temp\
size ADS in file
---------- ---------------------------------
17 C:\temp\myfile.txt:hidden
17 C:\temp\myfile.txt:onetwothree
17 C:\temp\myfile.txt:test
51 bytes found in 3 alternate data streams

Maresware: copy_ads
C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads
Program started Wed Sep 25 13:58:09 2002 GMT, 09:58 EST (-5*)
C:\hidden\makeads:hidden2.txt 32 09/25/2002 09:43w EST
==> d:\evidence\ads\makeads\makeads[hidden2.txt]
C:\hidden\makeads\regularfile.txt 25 09/25/2002 09:19:19w EST
==> d:\evidence\ads\makeads\regularfile.txt
C:\research\makeads\regularfile.txt:hidden1.txt 17 09/25/2002 09:19:19w EST
==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]
Processed 16 directories, 118 files, totaling 7,703,785 bytes:
Found 1 directories with 1 alternate data streams.
Found 1 files with 1 alternate data streams.
Total 2 data streams byte count = 49 bytes

  • Creates backdoors
  • Replace system components to hide:
    • files
    • processes
    • promiscuous mode
    • network connections
  • Often includes tools
    • Sniffers
    • Log wiping utilities
    • Patches