
Forensic Analysis

Forensic Analysis. Torres, Ricardo. It’s A Matter Of Time. Security is a deterrence not a guarantee.


Presentation Transcript


  1. Forensic Analysis Torres, Ricardo

  2. It’s A Matter Of Time
     • Security is a deterrence not a guarantee.
     • “Computer forensics defined: Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.” Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials (2002)

  3. Outside Consideration
     • The Law: Internet Crime Complaint Center (IC3)
       “The Internet Fraud Complaint Center (IFCC) was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to serve as a means to receive Internet related criminal complaints, research, develop and refer the criminal complaints to law enforcement agencies for any investigation they deem to be appropriate. The IFCC was intended, and continues to emphasize serving the broader law enforcement community, to include federal, as well as state and local agencies, which are combating Internet crime and in many cases participating in Cyber Crime Task Forces.” http://www.ic3.gov/

  4. Log & Document
     • Incident profile: method of detection, who or what detected it (and contact information), date/time information, hardware & software involved.
     • Document each procedure performed.
     • Document each tool used (origin, description, footprint).

  5. Volatile Data First
     • What it is: resides in system memory and is lost if the machine is rebooted. Includes lists of running processes, open connections, and users logged in.
     • Don’t trust the compromised system.
     • Statically- vs. dynamically-linked utilities (a statically-linked toolkit does not load the suspect system’s shared libraries).
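Slides 4 and 5 together describe a procedure: document every tool and step, and capture volatile data before anything else, using utilities you trust rather than the compromised system's own. The following shell script is an added example of that procedure and is not part of the presentation. It assumes a toolkit directory (`TOOLKIT`, default `/mnt/ir-tools/bin`) holding statically-linked copies of date, uptime, ps, lsof, netstat, w, last, lastb and sha256sum, and an evidence directory (`OUT`) on removable or remote storage; both paths are assumptions, not from the slides.

```shell
#!/bin/sh
# Added example (not from the slides): collect volatile data first, most
# volatile first, using only utilities from a trusted toolkit, and record
# every tool used (with its hash) and every step performed.
# Assumptions, not in the original: TOOLKIT holds statically-linked copies of
# date, uptime, ps, lsof, netstat, w, last, lastb and sha256sum; OUT is on
# removable or remote storage, never on the suspect system's own disk.

TOOLKIT="${TOOLKIT:-/mnt/ir-tools/bin}"                      # assumed toolkit mount point
OUT="${OUT:-/mnt/evidence/case-$(date -u +%Y%m%dT%H%M%SZ)}"   # assumed evidence directory

# hash_file FILE: print the SHA-256 of FILE with whichever hash tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then set -- "$(sha256sum "$1")"
    elif command -v shasum >/dev/null 2>&1; then set -- "$(shasum -a 256 "$1")"
    else set -- "$(openssl dgst -sha256 -r "$1")"; fi
    printf '%s\n' "${1%% *}"       # every format above begins with the digest
}

# record_tool TOOL: log the path and hash of a tool before it touches the
# system, so the report shows exactly which binary produced each artefact.
record_tool() {
    printf '%s  %s\n' "$(hash_file "$1")" "$1" >> "$OUT/tools.sha256"
}

# run_step NAME TOOL [ARGS...]: run one collection command, save its output to
# OUT/NAME.txt and log start/end time, command line and exit status.
run_step() {
    name=$1; shift
    record_tool "$1"
    printf '%s START %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$*" >> "$OUT/steps.log"
    "$@" > "$OUT/$name.txt" 2> "$OUT/$name.err"
    status=$?
    printf '%s END   %s: exit=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$status" >> "$OUT/steps.log"
    return "$status"
}

# collect_volatile: the order matters; what is lost at reboot comes first.
collect_volatile() {
    mkdir -p "$OUT" || return 1
    PATH="$TOOLKIT"; export PATH     # don't let the suspect host's binaries run
    run_step 00-date      "$TOOLKIT/date" -u
    run_step 01-uptime    "$TOOLKIT/uptime"
    run_step 02-processes "$TOOLKIT/ps" auxww
    run_step 03-sockets   "$TOOLKIT/lsof" -n -i          # open sockets, no DNS lookups
    run_step 04-netstat   "$TOOLKIT/netstat" -anp
    run_step 05-users     "$TOOLKIT/w"
    run_step 06-openfiles "$TOOLKIT/lsof" -n
    run_step 07-unlinked  "$TOOLKIT/lsof" -n +L1         # open files already deleted
    run_step 08-logins    "$TOOLKIT/last" -f /var/log/wtmp
    run_step 09-failed    "$TOOLKIT/lastb" -f /var/log/btmp
    hash_file "$OUT/steps.log" > "$OUT/steps.log.sha256" # seal the step log
}

# Invoked as "sh collect.sh collect" on the suspect host; does nothing otherwise.
if [ "${1:-}" = "collect" ]; then collect_volatile; fi
```

Run from the toolkit media as `sh collect.sh collect`. Every artefact in `OUT` is paired with the hash of the binary that produced it (`tools.sha256`) and a timestamped `steps.log`, which is what slide 4 asks you to be able to show later; setting `PATH` to the toolkit means that even a tool which spawns helpers never picks up a binary from the suspect system.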

  6. lsof (LiSt Open Files)
     • Let’s list all the open socket files.
       [root@athena rtorres]# lsof -i
       (Looks mostly harmless, but look who we happened to catch online)
       sshd 30967 root 3u IPv6 12763368 TCP 128.198.61.10:ssh->en186-01.eas.uccs.edu:3234 (ESTABLISHED)
       sshd 30969 cs301 3u IPv6 12763368 TCP 128.198.61.10:ssh->en186-01.eas.uccs.edu:3234 (ESTABLISHED)

  7. lsof (LiSt Open Files)
     • Let’s see if we can figure out what he’s doing by looking at all open files (without doing DNS lookups).
       [root@athena rtorres]# lsof -n
       vim 2035 cs301 4u REG 253,0 16384 2548525 /home/cs301/public_html/java/jdbc/.CookieDB.java.swp
       Looks like he’s doing some database programming.

  8. last
     • Let’s look at logins in the month of October.
       [root@athena rtorres]# last -f /var/log/wtmp.1
       We are greeted with 55 entries. 1 is the pseudo-user reboot. After eliminating multiple entries we are left with 15 users (and root).

  9. lastb
     • Now, failed logins in October.
       [root@athena rtorres]# lastb -f /var/log/btmp.1
       20,000 lines take us from October 2nd to October 29th (in comparison, the unrotated log only covers the 2nd to the 8th of November). So, obviously there have been a lot of attempts to gain access.
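Slides 6 through 9 read the lsof -i and lastb listings by eye, which does not scale to the 20,000 lines mentioned above. The following shell functions are an added example, not part of the presentation, that do the same triage with awk: pull the remote peer out of every ESTABLISHED socket, count failed logins per source host, and flag sources over a threshold. Each function reads the raw tool output on stdin, so on a live system you would pipe `lsof -n -i` or `lastb -f /var/log/btmp.1` into them. The samples are constructed to mimic the slide output (documentation addresses, invented PIDs and hosts), not real captures.

```shell
#!/bin/sh
# Added example, not from the slides: triage helpers for the lsof -i and lastb
# listings that slides 6-9 read by hand. Each function reads raw tool output on
# stdin; on a live system use
#   lsof -n -i | established_peers      lastb -f /var/log/btmp.1 | failed_login_sources
# The samples below are constructed (documentation addresses), not real captures.

# established_peers: one line "user pid remote_host" per ESTABLISHED connection.
# The remote endpoint is the part after "->", with the trailing :port removed.
established_peers() {
    awk '/\(ESTABLISHED\)/ {
        for (i = 1; i <= NF; i++) if (index($i, "->")) {
            split($i, ep, "->"); remote = ep[2]; sub(/:[^:]*$/, "", remote)
            print $3, $2, remote
        }
    }'
}

# failed_login_sources: "count host", most attempts first. Console entries have
# an empty host column (so $3 is a weekday) and the trailing "btmp begins" line
# is not an entry; both are skipped.
failed_login_sources() {
    awk '$1 != "btmp" && NF >= 3 && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { n[$3]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# flag_sources THRESHOLD: keep only hosts with at least THRESHOLD failures.
flag_sources() {
    awk -v t="${1:-100}" '$1 >= t { print $2 }'
}

# Constructed sample of "lsof -n -i" output, shaped like slide 6.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1011 root 3u IPv4 22100 0t0 TCP *:ssh (LISTEN)
sshd 30967 root 3u IPv6 12763368 0t0 TCP 192.0.2.10:ssh->198.51.100.7:3234 (ESTABLISHED)
sshd 30969 cs301 3u IPv6 12763368 0t0 TCP 192.0.2.10:ssh->198.51.100.7:3234 (ESTABLISHED)
httpd 2210 apache 4u IPv4 33001 0t0 TCP *:http (LISTEN)
nc 4411 cs301 3u IPv4 45120 0t0 TCP 192.0.2.10:41022->203.0.113.9:4444 (ESTABLISHED)'

# Constructed sample of "lastb -f /var/log/btmp.1" output, shaped like slide 9.
SAMPLE_LASTB='root     ssh:notty    203.0.113.77     Thu Oct  2 01:02 - 01:02  (00:00)
admin    ssh:notty    203.0.113.77     Thu Oct  2 01:02 - 01:02  (00:00)
root     ssh:notty    203.0.113.77     Thu Oct  2 01:03 - 01:03  (00:00)
oracle   ssh:notty    203.0.113.77     Thu Oct  2 01:03 - 01:03  (00:00)
cs301    ssh:notty    198.51.100.7     Sat Oct  4 14:10 - 14:10  (00:00)
root     ssh:notty    203.0.113.77     Sat Oct  4 20:41 - 20:41  (00:00)
rtorres  tty1                          Sun Oct  5 09:00 - 09:00  (00:00)

btmp begins Thu Oct  2 01:02:11 2008'

# Demonstration on the constructed samples (guarded so sourcing the file is silent).
if [ "${1:-}" = "demo" ]; then
    echo '== established connections (user pid remote) =='
    printf '%s\n' "$SAMPLE_LSOF" | established_peers
    echo '== failed logins per source =='
    printf '%s\n' "$SAMPLE_LASTB" | failed_login_sources
    echo '== sources with 3 or more failures =='
    printf '%s\n' "$SAMPLE_LASTB" | failed_login_sources | flag_sources 3
fi
```

Run as `sh triage.sh demo` to see the sample results: the two sshd entries resolve to the same peer (the privileged parent and the user's child share one socket, as in slide 6), the third established connection is the one that deserves a closer look, and the failure count per host turns the "obviously a lot of attempts" of slide 9 into a ranked list you can act on.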

  10. Logs
     • Check all of the logs you have. A careless intruder may have covered his/her tracks in one place only to forget another.
     • The history command shows a list of the most recently used commands.
     • Cron logs show scheduled tasks.

  11. Some Other Things
     • The uptime command can be helpful.
     • The top command shows processor usage in real time.
     • ps -ux also allows viewing of current processes.
     • lsof +L1 lists files set for deletion (open files whose link count is zero, i.e. deleted while still in use).
     • chkconfig --list can help identify malware that starts at one of the five run levels.
     • netstat can be used to help identify suspect IP addresses.

  12. Where to?
     • Persistent data: needle in a haystack. Hopefully your analysis has given you a good place to start looking.
     • Disconnect the compromised system from the network? How critical is the system?
     • Boot from a ‘disk’.
     • Work off of an image rather than the original (mirror image or bit-wise copy).
