Forensic Computer Analysis
ISMT350

Overview
- Why do we care?
- Forensic Science Overview
- Process and Tools
- Evidence on Networks
- Advanced Analysis
- Errors & Uncertainty

Why do we Care?
- Determine what happened
- Determine extent of damage
- Inform other universities of problems
- Prevention & preparation for future
- Mitigate risk & liability
- If necessary, apprehend & prosecute

Forensic Science Overview

Improper Evidence Handling
Why we need to avoid...
- Open to unfair dismissal claims
- Vulnerable to false accusations
- Privacy violation leads to counter suit
- Information leakage leads to larger problem
- Unresolved incidents create problems
  - Researcher accused of hacking
  - Larger problem goes unrecognized
- Develop poor evidence handling skills

Forensic Science Overview
- Science applied to the discovery of truth
- Locard's exchange principle: whenever two objects come in contact with each other, they transfer material from one to the other.
  - The Locard exchange produces the trace evidence of interest, from fingerprints to mud
- Authorization
- Locate / identify evidence
- Collection, documentation & preservation
  - everything that you will need in two years
- Crime reconstruction (forensic analysis)
  - when, where, how, what, who, why
  - reproducible & free from bias/distortion
- Report / present

Continuity of Offense (COO)
- Seek sources, conduits, and targets
- Connect the dots
- Corroborating evidence
  - Multiple independent sources
- (Diagram: path Kiosk - NT DC - Router - Proxy - Hotmail - Victim's mail server/PC, corroborated by NetFlow, access logs and authentication logs)

Pornography: Transmission
Pivotal Case Study
- The theory behind child pornography laws in the US has traditionally been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes to the children who are used to create it.
- US v. Hilton invalidated part of the Child Pornography Prevention Act of 1996, 18 USC Section 2252A.
- Hilton claimed to have been collecting child pornography for research purposes:
  - Met with an FBI agent and US Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet.
  - Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised.
- Police uncovered evidence that "made us question his motivation."
- A case of police prosecuting people trying to help cure the child pornography problem?

Pornography: Transmission
How to investigate a "US v. Hilton"
- Modem logs
- Dial-up server logs
  - Confirms connection and account used
- MAC times and Registry (LastWrite)
  - Shows PC was connected to Internet
  - File modification, creation, and access times
- FTP logs
  - On PC: file name, time, remote directory
  - On server: file name, size, time, account, IP

Relational Reconstruction
- Improve understanding of events
- Locate additional sources of evidence
- Example: Accounting server break-in

Log File Correlation
- Sort each source independently, then combine
- Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs

    05-15-2000 16:32:53.93 - Initializing modem.
    05-15-2000 16:32:53.93 - Send: AT
    05-15-2000 16:32:53.93 - Recv: AT
    05-15-2000 16:32:54.05 - Recv: OK
    05-15-2000 16:32:54.05 - Interpreted response: Ok
    05-15-2000 16:32:54.05 - Send: AT&FE0V1&C1&D2 S0=0 W1
    05-15-2000 16:32:54.07 - Recv: AT&FE0V1&C1&D2 S0=0 W1
    05-15-2000 16:32:54.19 - Recv: OK
    05-15-2000 16:32:54.19 - Interpreted response: Ok
    05-15-2000 16:32:54.20 - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3
    05-15-2000 16:32:54.22 - Recv: OK
    05-15-2000 16:32:54.22 - Interpreted response: Ok
    05-15-2000 16:32:54.26 - Dialing.
    05-15-2000 16:32:54.26 - Send: ATDT##########

Time Pattern Analysis
- (Figure: grid of hours, 8am to 7pm, against days of the week, Mon to Sun, with an x marking each event; the event positions are not recoverable from the text)

Histograms
- Histogram of events over time
  - High number of events at key times
  - Histogram of time periods may show unusual gaps
- MAC times
- System log entries
- EnCase Timeline (patterns)

Search Methodology
- Identify the crime scene
  - Area 1: Local nodes
  - Area 2: Wireless devices (mobile equipment, PDAs, laptops)
  - Area 3: Wireless networks (802.11b; core systems: BSC, MSC, SMS)
  - Area 4: Remote networks (routers, switches, cables; remote nodes)

Authorization Example
- Floppy found in desk drawer
- Collected by IT staff
  - No authorization
  - Process not documented
  - Not clear who found disk
  - Disk not labeled
  - Not clear if search was legal
  - Not clear which disk among several disks
- Hot potato: drop it!
  - High risk of counter suit

Chain of Custody
- Who collected & handled the evidence
- Fewer people handling the evidence => fewer people testify
- Standard forms & procedures => consistency

Collection & Preservation
- Acquire evidence
  - EABD versus removing hard drive
  - save evidence on sterilized media
  - calculate MD5 checksum of evidence
  - digitally sign evidence (MD5, time & person)
- Documentation
  - acquisition & verification process
  - who, where, how, when, and sometimes why
- Lock original in safe
  - alternately use a custodian

Message Digests
- 128-bit "fingerprint"
  - 16 hexadecimal values
- Two messages with same digest
  - Computationally infeasible
- Search disk for file with same MD5

    md5sum netstat.exe => 447282012156d360a862b30c7dd2cf3d

What to Collect?
- The original disk
- An exact copy of the original disk
- Log files from the disk (e.g. UNIX wtmp)
- Interpreted logs (output of last)
- Relevant portions of interpreted logs
  - Information lost in summarization
  - Output of last username
  - May miss some relevant entries
- Written notes describing command output
- The approach depends on the circumstances

Remote Collection
- Document collection process (log to file)
- May alert the suspect
- Stepping in evidence
- Forgotten evidence
- Planning and procedures
- Jurisdiction
  - Same as at console
  - May be only means (foreign countries)
  - May cause an international incident
- Evidence only available remotely (SNMP)

To shutdown or not to shutdown
- Network state
- Processes in memory (MB/GB)
- Kernel memory
- Swap space
- Lose cached data not yet written to disk
- Lose data protected by EFS/PGP disk
- Corrupt existing data

Limitations of Live Exam?
- Hasty
- Stepping in evidence
  - alternate data streams
- Can't see deleted data
  - automation minimizes changes, but not 100% (overwrite user.dmp)
- Might miss something
- Prone to error
  - automation helps avoid errors
  - anyone have a floppy diskette?
- Can't trust operating system

Challenge: Concealment
- Deleted binary
  - Copy in /proc/pid/file
  - icat /dev/hda inode > recovered
- Log deletion or wiping
  - wzap clears wtmp entries
- Altering file attributes
- Hidden files/Alternate Data Streams
  - hfind.exe (Foundstone)
- Device files in Recycle Bin
- Rootkits/Loadable Kernel Modules (Knark)
- Encryption

The Coroner's Toolkit
- grave-robber output
  - coroner.log
  - proc, with MD5 of output
  - command_out, with MD5 of output
  - body (mactime database)
  - removed_but_running
  - conf_vault
  - trust
  - MD5_all
  - MD5_all.md5

Case Example: W2K Domain Controller Hacked
- Unusual port
- Messy examination
- Cleanup fails!
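The Collection & Preservation and Message Digests slides above describe acquiring an image, hashing the original and the copy, recording who/where/when/how, and searching the raw image for strings (the grep -aib step in the Linux platform slide later on). The script below is an added example of that procedure and is not the course's own tooling: an ordinary file stands in for /dev/fd0 so it runs anywhere, and the examiner name, location and device contents are constructed.

```python
"""Image a source, verify the copy by digest, record the acquisition and
search the raw image for keywords.  Added example (not from the slides):
a constructed file stands in for /dev/fd0, and the examiner and location
values are placeholders."""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

BLOCK = 512  # read in sector-sized blocks, as dd does


def hash_file(path, algo="md5"):
    """Digest of a file, read block by block so large images stream."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, examiner, location):
    """Block-copy source to image, hash both, and return the custody record
    (who, where, when, how) that goes into the case notes."""
    src = hashlib.md5()
    n = 0
    with open(source, "rb") as s, open(image, "wb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            src.update(chunk)
            d.write(chunk)
            n += len(chunk)
    os.chmod(image, 0o444)  # the image is never written again
    record = {
        "source": source, "image": image, "bytes": n,
        "md5_source": src.hexdigest(), "md5_image": hash_file(image),
        "examiner": examiner, "location": location,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": f"block copy, bs={BLOCK}",
    }
    record["verified"] = record["md5_source"] == record["md5_image"]
    return record


def verify_image(path, expected_md5):
    """Re-verify a stored image against the digest in the custody record."""
    return hash_file(path) == expected_md5


def search_image(path, needles):
    """Byte offset of each keyword in the raw image (what grep -aib reports)."""
    with open(path, "rb") as f:
        data = f.read()
    return {n: [m.start() for m in re.finditer(re.escape(n.encode()), data, re.IGNORECASE)]
            for n in needles}


def demo():
    """Build a constructed 'device', acquire it, then show a failed verify."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "fd0")  # constructed stand-in for /dev/fd0
    with open(device, "wb") as f:
        f.write(b"constructed filler " * 100)  # 1900 bytes of padding
        f.write(b"deposit $50,000 in the account")  # 30 bytes at offset 1900
        f.write(b"\x00" * 2000)
    image = os.path.join(work, "floppy.image")
    rec = acquire(device, image, examiner="J. Examiner (constructed)",
                  location="evidence lab, bench 2 (constructed)")
    with open(image + ".custody.json", "w") as f:
        json.dump(rec, f, indent=2)
    # A copy with a single byte changed must fail verification against the record.
    with open(image, "rb") as f:
        altered = bytearray(f.read())
    altered[100] ^= 0xFF
    tampered = os.path.join(work, "tampered.image")
    with open(tampered, "wb") as f:
        f.write(altered)
    rec["tampered_verifies"] = verify_image(tampered, rec["md5_image"])
    rec["hits"] = search_image(image, ["deposit $50,000"])
    return rec


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody record is written beside the image as JSON; a later re-run of verify_image against the recorded digest is the check an examiner performs before each analysis session, and the one-byte alteration shows why a digest mismatch is decisive.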
Initial Assessment
- Routine Network Vulnerability Scan
- Physical Assessment
  - Located in locked closet
- Initial Examination
  - BO2K on port 1177 of W2K DC
  - All security patches applied
  - NT Security Event logging enabled
  - fport: c:\winnt\system32\wlogin.exe
- System cannot be shutdown
  - Central to operation of network

Network Assessment
- Accessible from the Internet
- No dial-up access
- Many services enabled
  - file sharing
  - Internet Information Server
  - FTP (anonymous FTP disabled)
  - IIS fully patched

Assess and Preserve
- Toolkit of known good executables
- Check for keystroke grabber / sniffer
  - No fakegina or klogger
  - Yes sniffer (system32\packet.sys)
- MAC times to locate other files
- Save output to external/remote disk
  - Note md5 values of output
- Installed IRC bot in C:\WINNT\Java
- No obvious access of sensitive information
  - Could have obtained passwords via lsass
  - Could have access to other machines

Logs
- No unusual logons in Security Event Logs
- IIS logs from before security patch installation
  - Shows compromise via Web server
- AntiVirus messages in Application Event Logs

    1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed :
    1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned:62093 Files/Folders/Drives Omitted:89

Leads
- IP addresses from Web server logs
- IRC bot files
  - eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information

Remediation
- Change passwords and examine other hosts
- HKLM\System\CurrentControlSet\Services
- Machine fails to reboot
  - Extended downtime
- MAC times incomplete
  - C:\WINNT\System32\wlogin.exe
  - C:\subdir
- Wlogin is zeroed out
  - Accidental by examiner?
  - Intentional by Norton/intruder?
  - No binary to analyze

Lessons Learned
- Intrusion prior to patching
  - LastWrite time of wlogin Registry key
  - Do not assume that system was secure
- Missed opportunity
- Attempt to recover piecemeal
  - Don't make matters worse than the intruder did
  - Make a plan and make a backup plan

Forensic Analysis Overview
- Locate, recover, and interpret evidence
  - Low level analysis vs interpreted data
- Timeline: when
- Relational reconstruction: where
- Functional reconstruction: how
- Synthesis: what, why
  - crime reconstruction
  - risk assessment
  - motive and intent
- Data may not be trustworthy
  - seek corroborating data on network

Analysis Process
- Access evidentiary images & backups
- File inventory with hash values, etc.
- Recover deleted data (files, folders, etc.)
- Recover slack and unallocated space
- Exclude known/unnecessary files
- Remove duplicates
- Process/decrypt/decompress files
  - swap and hibernation files
- Index text data

File Systems
- General creation process
  - Allocation table and folder entries created
  - Time stamps set
  - Track written
  - Slack space
  - Perhaps artefacts generated
    - MS Word file menu
    - Registry entries
- Windows: FAT12, FAT16, FAT32, NTFS
- Unix: UFS, ext2, ext3
- Macintosh: HFS Plus

FAT
- Index entries are overwritten quickly
- Reference handbook
- How quickly are blocks reused?

NTFS
- MFT records overwritten quickly
- Timestamp in MFT
  - Record in table only modified when name is changed
- Sourceforge for more information: http://sourceforge.net/projects/linux-ntfs/

Unix

MacOS (HFS Plus)
- Catalog file
  - Balance tree
  - File threads
- Time formats
  - GMT v local
  - No access time
- http://developer.apple.com/technotes/tn/tn1150.html

Linux: A Forensic Platform

    # dd if=/dev/fd0 | md5sum
    2880+0 records in
    2880+0 records out
    5f4ed28dce5232fb36c22435df5ac867
    # dd if=/dev/fd0 of=floppy.image bs=512
    # md5sum floppy.image
    5f4ed28dce5232fb36c22435df5ac867 floppy.image
    # mount -t vfat -o ro,noexec,loop floppy.image /mnt
    # find /mnt -type f -exec sha1sum {} \;
    86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
    81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml
    0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
    # grep -aibf searchlist floppy.image
    75441:you and your entire business ransom.
    75500:I want you to deposit $50,000 in the account
    75767:Don't try anything, and dont contact the cops.

The Coroner's Toolkit
- ils -A /dev/hda1 (free inodes)
- ils -o /dev/hda1 (removed open files)
- icat /dev/hda1 inode
- pcat pid
- mactime -R -d / 12/13/2001-12/14/2001
- mactime -d /export/home 10/30/2001
- grave-robber -d . -E /
- Perl is a requirement

Log File Correlation
- Use the time range from wtmp logs

    # last user
    user pts/3 66-65-113-65.nyc Sat Oct 20 19:45 - 01:08 (05:23)
    # mactime -b body -l "Sat Oct 20 19:45 - 01:08 (05:23)"
    Oct 21 01 01:32:30 75428 .a. -r-xr-xr-x root bin /usr/bin/ftp

Computer Forensics Software

AccessData Forensic Toolkit® (FTK™)
- The most popular of email forensic software tools
- View over 270 different file formats with Stellent's Outside In Viewer Technology.
- Generate audit logs and case reports.
- Compatible with the Password Recovery Toolkit™ and Distributed Network Attack®.
- Full text indexing powered by dtSearch® yields instant text search results.
- Advanced searches for JPEG images and Internet text.
- Locate binary patterns using Live Search.
- Automatically recover deleted files and partitions.
- Target key files quickly by creating custom file filters.

Supported File & Acquisition Formats
- File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.
- Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD.

Email & Zip File Analysis
- Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email.
- View, search, print, and export email messages and attachments.
- Recover deleted and partially deleted email.
- Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.

Known File Filter™ (KFF™)
- Identify and flag standard operating system and program files.
- Identify and flag known child pornography and other potential evidence files
- Includes hash datasets from NIST and Hashkeeper

Registry Viewer™
- Access and decrypt protected storage data
- View independent registry files
- Report generation
- Integrates with AccessData's forensic tools

Email Forensics
How FTK is used ...
- Email is one of the most common ways people communicate
- Studies have shown that more email is generated every day than phone conversations and paper documents combined
- Forensic analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide, and no examination of document discovery is complete without requesting, searching and organizing email

Email Forensics
Identification and Extraction
- The first step in an email examination is to identify the sources of email and how the email servers and clients are used in an organization
- More than just a way of sending messages, email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars and many other applications
  - E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM)
  - Lotus Notes and Domino Server are used beyond an email system
- Many users store their personal calendars and contacts, and even synchronize their email clients with their Personal Digital Assistants (PDAs)
- Organizations use database enabled email and messaging servers to manage cases, track clients and share data
- Computer forensic examiners should start their collection of evidence with email

Email Forensics
Deleted Email
- Many users believe that once they delete email from their client, the mail is unrecoverable
- Nothing could be farther from the truth; many times emails can be forensically extracted even after deletion
- Many users also do not grasp the concept that email has a sender AND a recipient or multiple recipients
- Emails may reside on servers unbeknownst to the user, or on backup tapes that were created during the normal course of business
- Of course they may also be extracted from the hard disk of the client or the server.
- Forensic programs are able to recover deleted email, calendars and more from users' email clients and email servers.

Email Forensics
Web Mail or Web Based Email
- It is completely possible to forensically recover email that was created or received by web based email systems and by free web based email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail
- These types of mail systems use a browser to interface with the email server; the browser inherently caches information to the disk drive of the system used to retrieve or generate the email, thereby effectively saving a copy to the disk
- Forensic examiners can extract the HTML based email from the disk drive of the system used to create or retrieve the email messages
- Many web based or web mail services, including Yahoo and Hotmail, have shared calendaring services, personal calendars and contact managers as well as email. Any time these services are accessed they may be cached to the disk as well.

Email Forensics
Correlating Email Messages
- New evidence is essentially created by correlating emails by date, subject, recipient or sender
- These yield a map of inferences, events and entities
- And open up opportunities for more complex pattern analysis
- Forensic software is especially important in providing these correlations

EnCase Forensic (Guidance Software)
- EnCase Forensic is the most popular software for computer forensic investigation
- A single tool, capable of conducting large-scale and complex investigations from beginning to end:
  - Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide.
  - Investigate and analyze multiple platforms (Windows, Linux, AIX, OS X, Solaris and more) using a single tool.
  - Automates complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.
  - Find information despite efforts to hide, cloak or delete.
  - Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.
  - Transfer evidence files directly to law enforcement or legal representatives as necessary.
  - Review options allow non-investigators, such as attorneys, to review evidence with ease.
  - Reporting options enable quick report preparation.

EnCase Functions
- The EnCase Forensic GUI.
- EnCase Forensic "Conditions" permit users to create complex, multifaceted filters, using the EnScript® programming language.

EnCase Forensic
- The block size and error granularity settings interface

EnCase Forensic Logical Evidence Files
- "Single Files" allows an examiner to drag and drop particular files of interest into EnCase for analysis
- "Logical Evidence Files" can be created and locked from "Single Files," as well as from specific files of interest from an EnCase preview of subject media.

Screenshots (captions only): TASK Case Screen; TASK Host Screen; TASK Host Manager Screen; TASK Analysis Screen; FTK E-mail Extraction; SMART Main Screen; SMART Case View; PDA Seizure; Password Recovery Toolkit

PRTK: Combinations & permutations
- Import FTK keyword list
- Missed obvious combinations

DNA
- 40-bit encryption
- Windows 2000 EFS (export)
- MS Word / Excel

Evidence on Networks

Associating Online Activity with Logs
- Server logs
  - E-mail server logs
  - Web server logs
- Internet activity -> data

    Internet activity   Logs                 Active
    PPP Dial-up         TACACS/RADIUS        Terminal Server
    Router/Firewall     Syslog/Netflow       show conns
    Host logon          wtmp/NT Eventlog     utmp/nbtstat -c
    Web server          access/error         netstat -an
    E-mail server       messages/syslog      spool
    FTP server          xferlog              netstat -an
    IRC server/bot      logs                 netstat -an
    Wireless            device logs          device query

Case Example: Harassment Complaint
- Complaint
  - Unauthorized e-mail access
- Suspect pool
- Process accounting
- Bash history

Harassment (janesmith)
- Make sure logs are consistent

    mailserver# grep 'Login user=janesmith' syslog*
    syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID 234311 mail.info] Login user=janesmith host=johnsmith.nasa.gov [192.168.135.156]

- What to look for next?

Harassment (continued)
- wtmp logs indicate that her e-mail account was accessed from server4.nasa.gov on Dec 9 at 13:14

    emailserver# last janesmith
    janesmith pts/114 server4.nasa.gov Sun Dec 9 13:14 - 13:19 (00:05)

- MAC times show that the .pinerc file was created on Dec 9, suggesting that this was the first time Pine was used to access e-mail in this account.

Harassment (continued)
- wtmp logs on server4.nasa.gov show that seven people were logged in on Dec 9 at 13:14
- Note: clock on server4.nasa.gov was 4 minutes fast

    server4% last
    walterp   pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)
    johnsmith pts/2  pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)
    stephens  pts/13 lincoln.nasa.com Sun Dec 9 13:01 - 16:16 (03:15)
    hansmol   pts/3  homepc.isp.com   Fri Dec 7 14:14 - 10:53 (6+20:38)
    ianjones  pts/7  nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)

Harassment (continued)
- RADIUS logs show suspect disconnected prior to offense

    192.168.1.219,NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,1,44,E0D03B6B,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,4116,0,4128,NASA VPN,4136,4,4142,0
    192.168.1.219,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,2,42,36793575,43,6837793,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,4116,0,4128,NASA VPN,4136,4,4142,0

Harassment (continued)
- However, server4.nasa.gov kept process accounting logs, and an examination of these logs shows only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainant's e-mail account.

    server4% lastcomm | grep ssh
    ssh  S  timsteel   ??  0.11 secs Sun Dec 9 10:24
    ssh  S  johnsmith  ??  0.02 secs Sun Dec 9 13:10
    ssh  S  richevans  ??  0.03 secs Sun Dec 9 12:10

Harassment (continued)
- Confirmed using bash history

    server4# grep janesmith /home/johnsmith/.bash_history
    ssh -l janesmith mailserver.ispX.com

Network Traffic
- Historical data
  - Performance monitoring
  - NetFlow & Argus
  - IDS (may include full packet capture)
- Traffic capture
  - Temporal considerations
  - Preservation
  - Reconstruction and analysis
- Tools
  - Dsniff, NetWitness, Sandstorm, Niksun, SilentRunner
  - Many for Unix (e.g., ngrep, review)

Performance Monitoring
- Shows patterns on a device
  - Spikes in traffic
  - Loss of connectivity to a segment
- Multi Router Traffic Grapher (MRTG): www.mrtg.org

Netflow and Snort Overview
- NetFlow
  - flows represent a unidirectional collection of similar packets
  - NetFlow logs contain basic flow information (src, dst, times, size)
- Snort
  - based on libpcap
  - detects known attacks
  - highly configurable

Using Snort and NetFlow
- Host logs may be overwritten
- Intrusion Detection System shows partial picture

    [**] FTP-site-exec [**]
    02/23-04:51:38.012306 192.168.164.88:2721 -> 192.168.168.2:21
    TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
    ***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC
    TCP Options (3) => NOP NOP TS: 98258650 1405239787

- NetFlow logs show more complete picture

    Start             End               Sif SrcIPaddress   SrcP DIf DstIPaddress  DstP P Fl Pkts Octets
    0223.04:51:38.841 0223.04:51:48.685 2   192.168.164.88 2721 13  192.168.168.2 21   6 2  3    144

Netflow Losses
- Sequence numbers show gaps

    % flow-header < ft-v05.2002-04-15.183000-0400
    # mode: normal
    # capture hostname: flow
    # exporter IP address: 130.132.1.100
    # capture start: Mon Apr 15 18:30:00 2002
    # capture end: Mon Apr 15 18:45:00 2002
    # capture period: 900 seconds
    # compress: on
    # byte order: big
    # stream version: 3
    # export version: 5
    # lost flows: 179520
    # corrupt packets: 0
    # sequencer resets: 1
    # capture flows: 206760

Traffic Monitoring/Capture
- tcpdump (68 bytes default capture)
- Ethereal

Authorization
- Wiretap
  - ECPA
  - Live capture
  - Protecting systems
  - Stored communications & records
  - Maintenance and protect users
  - USA Patriot Act

libpcap losses
- High speed links overload sniffers
- Protocol type 11 (honeynet)
- Applies to all libpcap based sniffers
  - snort, tcpdump, NetWitness

    # tcpdump -X host 192.168.12.5
    tcpdump: listening on xl0
    .....[data displayed on screen]...
    ^C
    29451 packets received by filter
    4227 packets dropped by kernel

Switches
- Isolates traffic
- CatOS Switched Port Analyzer (SPAN)
  - Spanning/Mirroring ports
- Sniffing is more difficult
  - Only copies valid Ethernet packets
  - Not all error information duplicated
  - Low priority of span may increase losses
  - http://www.cisco.com/warp/public/473/41.html
- Hardware taps
  - Copy signals without removing layers
  - May split Tx and Rx (reassembly required)

NIC Losses
- Applies to all NICs (firewalls, switches, etc.)

    % netstat -nid
    Kernel Interface table
    Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0   1500   0 19877416      0      0    128 7327647      0      0      0 BRU
    % /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:B0:D0:F3:CB:B5
              inet addr:128.36.232.10  Bcast:128.36.232.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
              TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
              collisions:442837 txqueuelen:100
              Interrupt:23 Base address:0xec80

Case Example: Intellectual Property Theft (rootkit)

Intellectual Property
- IDS logs show intrusion

    [**] FTP-site-exec [**]
    09/14-12:27: 208.181.151.231 -> 130.132.x.y
    09/14-12:28: 24.11.120.215 -> 130.132.x.y
    09/14-12:33: 64.28.102.2 -> 130.132.x.y

- Concern: system contains sensitive data

IP Theft (assess damage)
- Initial examination of compromised host showed no signs of compromise
  - no wtmp entries from site exec exploit
  - no syslog entries
  - no odd processes using ps or files using ls
- System clock was 5 hours fast (Δt = 5hrs)
- Oddities on system suggested compromise
  - difference between ps & lsof; /tmp/.tmp/

IP Theft (analysis)
- Used EnCase to analyze evidence
- Recovered deleted syslogs (noting Δt)

    Sep 14 17:07:22 host ftpd[617]: FTP session closed
    Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM 231.efinityonline.com [208.181.151.231], [non-printable exploit payload bytes, shown on the slide as Latin-1 characters]0bin0sh1..11
    Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1

- Linux in EnCase

IP Theft (reconstruction)
- Confirmed source of initial intrusion
- Determined that target was high risk
- Determined motive and intent
  - not aware of sensitive information on host
  - used host for DoS, scanning, and IRC
- Determined that a sniffer had been used
- Located other compromised systems
  - notified system owners on outside networks

Advanced Analysis

Timestamp Oddities
- Moved file in Windows
- Corrupt timestamps
  - Last write time before creation time
- Windows folder and .lnk
- MacOS
- Some logs are in order of the end of the event
  - Process accounting
  - CISCO NetFlow

Artefacts of File Transfer
- File transferred to external media
- MS Word metadata
- Program's file menu (registry key LastWrite)
- Shortcut (.lnk) files
  - MS Word, Powerpoint, Excel, etc.
  - WinZip, WinAmp
- Explorer (e.g., RecentDocs, RunMRU)
- Internet Explorer (history, cache, TypedURLs)
- Recent\Desktop (time ordered CAM)
- Recycler
- May be in unallocated space/swap/hibernation

Recent Lnk to External Disk
- (screenshot)

Network Artefacts
- Downloaded files
- Interactive connections
  - Unix directory listing on Windows PC
- Web, e-mail, Usenet, IRC, etc.
- IIS transactions
- Telnet
  - Lastmachine (registry)
- Secure CRT .ini
- Secure Shell
  - pagefile.sys
- Mapped network drives
  - NetHood (profile, MFT, registry, unallocated)

Internet Accounts

    HKEY_USERS
    Key Name: SID\Software\Microsoft\Internet Account Manager\Accounts\00000004
    Class Name: <NO CLASS>
    Last Write Time: 7/5/2002 - 4:33 AM

Downloaded Files
- Tape Archive (.tar)

Mapped Network Drive
- Explorer (\\name\drive)
  - StreamMRU, RunMRU, RecentDocs
- Scattered
  - User.dmp, swap, unallocated space
  - Grep expression: \\\\[A-Z]+\\[A-Z]+

Unix Mounted Drives
- df, mount, samba
- /etc/fstab:

    /dev/hda1  /            ext2     defaults       1 1
    /dev/hda7  /tmp         ext2     defaults       1 2
    /dev/hda5  /usr         ext2     defaults       1 2
    /dev/hda6  /var         ext2     defaults       1 2
    /dev/hda8  swap         swap     defaults       0 0
    /dev/fd0   /mnt/floppy  ext2     user,noauto    0 0
    /dev/hdc   /mnt/cdrom   iso9660  user,noauto,ro 0 0
    none       /dev/pts     devpts   gid=5,mode=620 0 0
    none       /proc        proc     defaults       0 0
    remote-server:/home/accts      /home/accts      nfs  bg,hard,intr,rsize=8192,wsize=8192
    remote-server:/var/spool/mail  /var/spool/mail  nfs  bg,hard,intr,noac,rsize=8192,wsize=8192

Remote Logs and Printing
- /etc/syslog.conf:

    *.*    @remote-server

- /etc/printcap:

    lp0|lp:\
        :sd=/var/spool/lpd/lp0:\
        :mx#0:\
        :sh:\
        :rm=remote-server:\
        :rp=lp0:\
        :if=/var/spool/lpd/lp0/filter:

Network Artefacts (Telnet)
- Telnet registry (screenshot)

File Transfer Protocol
- On PC: file name, time, remote directory
- On server: file name, size, time, account, IP

    xferlog:
    Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/user/image.jpg a _ o r user
    WS_FTP:
    98.11.12 19:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg

- Linux ncftp (.ncftp/trace; .ncftp/history)

    SESSION STARTED at: Sun Oct 21 01:05:44 2001
    Program Version: NcFTP 3.0.0/220 February 19 1999, 05:20 PM
    <cut for brevity>
    01:05:44 Connecting to 129.132.7.170...
    01:05:52 > get openssl-0.9.6.tar.gz
    SESSION ENDED at: Sun Oct 21 01:06:50 2001

Network Artefacts (Unix ls)
- Grep search for a Unix permission string followed by a space:

    [d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-] (space)

More Unix/Mac Artefacts
- SSH
  - authorized_keys (incoming)
  - known_hosts (outgoing)
- .xauth/refcount/xfs/hostname
- Unix xterm buffers show sessions
- Transactions of various servers
- Windows remnants on Unix
  - Directory files, e.g., C:\winnt\system32\*.exe

Case Example: Intellectual Property Theft (Insider)

Initial Complaint
- Employee stole information prior to leaving
  - Unknown documents from workstation
- clients.mdb
  - Client contact database
  - Stored on W2K workstation
- projectX
  - Secret project details
  - Stored on Unix file server
- Terminated on Sept 16, 2002
- What do you look for?

W2K Workstation
- Security (card swipe) records
  - Suspect entered building at 08:45am
- Logon/Logoff record

    C:\>ntlast /ad 16/9/2002 /v
    Record Number: 18298
    ComputerName: WKSTN11
    EventID: 528 - Successful Logon
    Logon: Tue Sep 16 08:50:58am 2002
    Logoff: Tue Sep 16 09:10:00am 2002
    Details
    ClientName: user11
    ClientID: (0x0,0xDCF9)
    ClientMachine: WKSTN11
    ClientDomain: CORPX
    LogonType: Interactive

- How to collect this information as evidence?

W2K Workstation
- Transfer of clients.mdb
  - HKEY_USERS ...\Windows\CurrentVersion\Explorer\RecentDocs
    - Created at 08:59:14
    - Last modified at 08:58:49
  - Suspect's e-mail outbox: shows clients.xls sent to Hotmail
  - Suspect's environment: temp\clients.xls, accessed 09/16/2002 08:58:30 EST
- What information would you seek on the network?

W2K Workstation
- Other file accessed at same time
  - Registry OpenSaveMRU entry
  - Recent .lnk written and accessed: private.doc
  - Recent A: .lnk written and accessed
- What would you expect to find on the associated floppy diskette?

Unix File Server
- SSH client access
  - Accessed: \user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk
  - Files in \user11\Application Data\SSH\
    - \user11\Application Data\SSH\HostKeys\key_22_srv1
- How to collect evidence?
    % last user11
    user11 pts/77 wkstn11.corpx.com Sep 16 09:05 - 09:06 (00:01)
    % ls -altu
    -rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX

- ProjectX file found in c:\temp on wkstn11
- What timestamps changed in transfer?

W2K Workstation
- Deleted projectX file found in c:\temp
  - Created: 09:05am
  - Accessed: 09:07am
  - Modified: 09/12/2002 10:07:07am
- Explorer\RecentDocs\NetHood
  - \\competitorpc\upload
  - LastWrite 09/13/2002 11:04AM
- Explain the time discrepancy

Errors & Uncertainty

"Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case..."
Gross, H., Criminal Investigation (Sweet & Maxwell, Ltd., 1924)

Errors and Uncertainty
- Offender/victim covering behavior
- Preconceived theories
- Accepting others' assumptions
- Technological limitations
- Mistakes and misinterpretation
- Evidence dynamics
- Handbook, Chapter 1

Uncertainty and loss
- Casey, E.: "Error, Uncertainty and Loss in Digital Evidence", International Journal of Digital Evidence, Volume 1, Issue 2, 2002 (www.ijde.org)

Evidence Eliminator

    Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM
    OS Detected: Win95 [Win95 4.0.1111.1024]
    Eliminating Folder: C:\WINDOWS\applog\
    No folder found: C:\WINDOWS\applog\
    Eliminating IE Typed URL History...
    Data Found: String data: [url1-C:\My Documents\]
    Eliminating IE Typed AutoComplete data...
    Eliminating IE Download Folder record...
    Eliminating IE Error Logs...
    Eliminating File: C:\WINDOWS\IE4 Error Log.txt
    No file found: C:\WINDOWS\IE4 Error Log.txt
    Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\
    Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\ including root folder...
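The Log File Correlation slides say to sort each source independently and then combine them, and both case examples above turn on clock skew: server4.nasa.gov ran 4 minutes fast in the harassment case, and the rootkit case carried a Δt of 5 hours. The script below is an added example of that correlation and is not a tool from the course. Its sample records are constructed from the harassment case's `last` and `lastcomm` output, the year 2001 is assumed because neither command prints one, and the 10-minute look-back for ssh commands is a chosen parameter, not something the slides state.

```python
"""Correlate login and process-accounting records from hosts whose clocks
disagree.  Added example, not from the course: sample lines are constructed
from the harassment case (server4's clock was 4 minutes fast), the year
2001 is assumed, and the 10-minute look-back window is a chosen parameter."""
import re
from datetime import datetime, timedelta

YEAR = 2001  # assumption: Dec 9 fell on a Sunday in 2001, matching the output

# Constructed sample records (see lead-in).
EMAILSERVER_LAST = "janesmith pts/114 server4.nasa.gov Sun Dec 9 13:14 - 13:19 (00:05)"
SERVER4_LAST = [
    "walterp   pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)",
    "johnsmith pts/2  pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)",
    "stephens  pts/13 lincoln.nasa.com Sun Dec 9 13:01 - 16:16 (03:15)",
    "hansmol   pts/3  homepc.isp.com   Fri Dec 7 14:14 - 10:53 (6+20:38)",
    "ianjones  pts/7  nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)",
]
SERVER4_LASTCOMM = [
    "ssh S timsteel  ?? 0.11 secs Sun Dec 9 10:24",
    "ssh S johnsmith ?? 0.02 secs Sun Dec 9 13:10",
    "ssh S richevans ?? 0.03 secs Sun Dec 9 12:10",
]
SERVER4_SKEW = timedelta(minutes=4)  # server4 clock ran 4 minutes fast

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+"
    r"(?P<date>\w{3}\s+\d+)\s+(?P<start>\d\d:\d\d)\s+-\s+(?P<end>\d\d:\d\d)\s+"
    r"\((?:(?P<days>\d+)\+)?\d\d?:\d\d\)$")
LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)\s+\S\s+(?P<user>\S+)\s+\S+\s+[\d.]+ secs\s+\w{3}\s+"
    r"(?P<date>\w{3}\s+\d+)\s+(?P<start>\d\d:\d\d)$")


def _ts(date, hm):
    return datetime.strptime(f"{YEAR} {date} {hm}", "%Y %b %d %H:%M")


def parse_last(line, skew=timedelta(0)):
    """(user, host, start, end) of one `last` line, shifted back by skew."""
    m = LAST_RE.match(line)
    if not m:
        return None
    start = _ts(m["date"], m["start"])
    end = _ts(m["date"], m["end"])
    if end < start:  # logout time of day lies past midnight
        end += timedelta(days=1)
    end += timedelta(days=int(m["days"] or 0))  # the N+ prefix of multi-day sessions
    return m["user"], m["host"], start - skew, end - skew


def parse_lastcomm(line, skew=timedelta(0)):
    """(command, user, start) of one `lastcomm` line, shifted back by skew."""
    m = LASTCOMM_RE.match(line)
    if not m:
        return None
    return m["cmd"], m["user"], _ts(m["date"], m["start"]) - skew


def sessions_overlapping(lines, skew, win_start, win_end):
    """Users whose corrected login session overlaps [win_start, win_end]."""
    hits = []
    for line in lines:
        rec = parse_last(line, skew)
        if rec and rec[2] < win_end and rec[3] > win_start:
            hits.append(rec[0])
    return hits


def commands_near(lines, skew, cmd, win_start, win_end, lookback):
    """Users who started cmd between win_start - lookback and win_end."""
    hits = []
    for line in lines:
        rec = parse_lastcomm(line, skew)
        if rec and rec[0] == cmd and win_start - lookback <= rec[2] <= win_end:
            hits.append(rec[1])
    return hits


def build_timeline():
    """Sort each source on corrected time, then merge them into one list."""
    events = []
    u, h, s, e = parse_last(EMAILSERVER_LAST)
    events += [(s, "emailserver wtmp", f"{u} login from {h}"),
               (e, "emailserver wtmp", f"{u} logout")]
    for line in SERVER4_LAST:
        u, h, s, e = parse_last(line, SERVER4_SKEW)
        events += [(s, "server4 wtmp", f"{u} login from {h}"),
                   (e, "server4 wtmp", f"{u} logout")]
    for line in SERVER4_LASTCOMM:
        c, u, s = parse_lastcomm(line, SERVER4_SKEW)
        events.append((s, "server4 acct", f"{u} ran {c}"))
    return sorted(events)


def candidates():
    """Who on server4 could have made the 13:14-13:19 mail login?"""
    _, _, win_start, win_end = parse_last(EMAILSERVER_LAST)
    logged_in = sessions_overlapping(SERVER4_LAST, SERVER4_SKEW, win_start, win_end)
    ran_ssh = commands_near(SERVER4_LASTCOMM, SERVER4_SKEW, "ssh",
                            win_start, win_end, timedelta(minutes=10))
    return logged_in, ran_ssh


if __name__ == "__main__":
    for t, src, what in build_timeline():
        print(f"{t:%b %d %H:%M}  {src:17} {what}")
    print("logged in:", candidates()[0], "ran ssh:", candidates()[1])
```

Correcting the skew before comparing is what makes walterp drop out of the window: his 13:10-13:17 session on server4's clock is 13:06-13:13 in the mail server's time. The same subtraction is what the slides mean by "noting Δt" when reading the recovered syslogs in the rootkit case.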
Lily Pad Examples
- SubSeven with IRC
- File sharing
- Denial of service
- Unix intrusion
  - Bypass firewall
  - Attack from within

Remote Storage
- Compromised host
- Shell/Web account
- Online services
  - www.freedrive.com
  - www.filesanywhere.com
- Mounted network shares
  -Sniffers that log to remote shares
  - Home directory on remote server

Intruder Concealment
- Deleted binary
  - Copy in /proc/pid/file
  - icat /dev/hda inode > recovered
- Log deletion or wiping
  - wzap clears wtmp entries
- Altering file attributes
- Hidden files/Alternate Data Streams
  - hfind.exe
- Device files in Recycle Bin
- Rootkits/Loadable Kernel Modules (Knark)
- Encryption

Altering File Attributes
- Attrib
- Alter MAC times
  - touch in Unix
    - ls -altc
  - Microsoft SetFileTime() API
- Hide from search tools
  - dir /t[:a]
  - afind.exe (FoundStone)

Alternate Data Streams

    c:\temp> lads
    LADS - Freeware version 3.01
    (C) Copyright 1998-2002 Frank Heyne Software (http://www.heysoft.de)
    Scanning directory C:\temp\
         size  ADS in file
    ---------  ---------------------------------
           17  C:\temp\myfile.txt:hidden
           17  C:\temp\myfile.txt:onetwothree
           17  C:\temp\myfile.txt:test
    51 bytes found in 3 alternate data streams

Maresware: copy_ads

    C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads
    Program started Wed Sep 25 13:58:09 2002 GMT, 09:58 EST (-5*)
    FILES:
    DIRECTORY C:\hidden\makeads:hidden2.txt 32 09/25/2002 09:43w EST
    C:\hidden\makeads:hidden2.txt ==> d:\evidence\ads\makeads\makeads[hidden2.txt]
    C:\hidden\makeads\regularfile.txt 25 09/25/2002 09:19:19w EST
    C:\research\makeads\regularfile.txt ==> d:\evidence\ads\makeads\regularfile.txt
    C:\research\makeads\regularfile.txt:hidden1.txt 17 09/25/2002 09:19:19w EST
    C:\research\makeads\regularfile.txt:hidden1.txt ==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]
    Processed 16 directories, 118 files, totaling 7,703,785 bytes:
    Found 1 directories with 1 alternate data streams.
    Found 1 files with 1 alternate data streams.
    Total 2 data streams byte count = 49 bytes

Rootkits
- Creates backdoors
- Replace system components to hide:
  - files
  - processes
  - promiscuous mode
  - network connections
- Often includes tools
  - Sniffers
  - Log wiping utilities
  - Patches
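The Rootkits slide says intruders replace system components to hide files, processes and connections, and earlier slides give the counter: a toolkit of known-good executables, "search disk for file with same MD5", and "can't trust operating system". The script below is an added example of that check and not a tool from the course: it hashes every binary in a directory with its own code and compares the digests against a manifest recorded from a clean install. The directory tree, file contents and the backdoor name "wlogin" are constructed for the demonstration.

```python
"""Audit system binaries against a known-good digest manifest.

Added example (not the course's tool).  Run it from read-only media, or
against a mounted image, because a kernel-module rootkit can lie to any
userland read on the live system.  The file tree and contents in demo()
are constructed."""
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of one file, read in blocks so large binaries stream."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bindir):
    """Record the digest of every file under bindir (taken from a trusted install)."""
    manifest = {}
    for root, _dirs, files in os.walk(bindir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, bindir)] = md5_of(path)
    return manifest


def audit(bindir, manifest):
    """Compare the live tree with the manifest.

    Returns modified (digest differs), missing (in manifest, not on disk),
    unexpected (on disk, not in manifest) and clean (digest matches)."""
    live = build_manifest(bindir)
    return {
        "modified": sorted(n for n in manifest if n in live and live[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in live),
        "unexpected": sorted(n for n in live if n not in manifest),
        "clean": sorted(n for n in manifest if live.get(n) == manifest[n]),
    }


def demo():
    """Constructed scenario: baseline four binaries, then simulate a rootkit."""
    work = tempfile.mkdtemp()
    bindir = os.path.join(work, "bin")
    os.mkdir(bindir)
    for name in ("ls", "ps", "netstat", "login"):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(b"original contents of " + name.encode())
    manifest = build_manifest(bindir)  # recorded while the system is clean

    # Simulated rootkit install: trojaned ps and netstat, a dropped backdoor
    # (constructed name "wlogin"), and the real login binary removed.
    for name in ("ps", "netstat"):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(b"trojaned " + name.encode())
    with open(os.path.join(bindir, "wlogin"), "wb") as f:
        f.write(b"backdoor")
    os.remove(os.path.join(bindir, "login"))
    return audit(bindir, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10} {', '.join(names) or '-'}")
```

The manifest must be produced and stored off the examined host, and the hashing program itself must come from trusted media; a replaced md5sum or ls on the compromised system would otherwise report exactly what the intruder wants. Comparing against a mounted image rather than the running system also sidesteps a loadable-kernel-module rootkit that filters what userland processes can see.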