7.2 Forensics Toolkits
UTSA IS 3523 ID & Incident Response
Kaufman

What We Will Cover
• "Who said there were no free lunches anymore?"
• Types of tools
  ◦ Cygwin
  ◦ Data Integrity Tools
  ◦ Drive Tools
  ◦ Viewers
  ◦ Search Tools
  ◦ Forensics Programs

CYGWIN
• A Unix environment for Windows:
  ◦ A DLL (cygwin1.dll) that acts as a UNIX emulation layer providing substantial UNIX API functionality
  ◦ A collection of tools, ported from UNIX, which provide a UNIX/Linux look and feel
  ◦ The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE

CYGWIN
• Where to get it:
  ◦ www.redhat.com/download/cygwin.html
• What's included:
  ◦ date, time, uptime, uname -a
  ◦ hostname, whoami, env
  ◦ ps, netstat, arp

Data Integrity Tools
• Goal: maintain the chain of evidence and the integrity of the tools themselves
• Maresware's Disk_crc
  ◦ http://www.dmares.com
• MD5 Summer
  ◦ http://sourceforge.net/projects/md5summer

Network Tool
• NetCat/Cryptcat
  ◦ Creates a channel of communication between hosts
  ◦ Used during forensics to create a reliable TCP connection between the target system and the forensic workstation
  ◦ Cryptcat adds encryption
  ◦ http://netcat.sourceforge.net/
  ◦ http://cryptcat.sourceforge.net/

Netcat Commands
• Forensic workstation (192.168.1.1) command
  ◦ E:\>nc -l -p 2222 > yourfilename
  ◦ Translation: execute netcat in listen mode on port 2222 and redirect inbound traffic to "yourfilename"
• Sending output from the target system
  ◦ A:> pslist | nc 192.168.1.1 2222
  ◦ Translation: execute pslist and pipe its output to netcat, which transmits it to 192.168.1.1 port 2222

Netcat in Action
[Diagram: Hacked Machine (time, date, loggedon, fport, pslist, nbtstat -c) sending output to the Forensics Workstation]
1) Run trusted commands on the hacked machine
2) Send the output of the commands to the forensics workstation using netcat
3) Perform an off-line review
4) MD5SUM the output files

Netcat Command Sequence
[Diagram: Hacked Machine sending to Forensics Workstation 192.168.1.1]
Hacked Machine:
  A:>time | nc 192.168.1.1 2222
  A:>date | nc 192.168.1.1 2222
  * *
  A:>nbtstat -c | nc 192.168.1.1 2222
Forensics Workstation:
  C:>nc -l -p 2222 > forensics.txt
  C:>md5sum forensics.txt > ?????

Drive Tools
• Goal: allow collection of evidence from hard drives, floppies, and CDs
• Partition tools
  ◦ fdisk (for Linux; the DOS version is obsolete)
  ◦ Partinfo (free: ftp://ftp.powerquest.com/pub/utilities)
  ◦ PartitionMagic (includes Partinfo, but costs $)
• CD-R utilities
  ◦ CD-R Diagnostics (www.cdrom-prod.com/software.html)
• Unerase tools
  ◦ Windows: Norton Utilities Diskedit & Unerase
  ◦ Unix: e2recover (www.praeclarus.demon.co.uk)
  ◦ File Scavenger (www.quetek.com/)

Drive Tools (cont'd.)
• Drive imagers
  ◦ NTI's SafeBack (www.forensics-intl.com)
  ◦ SnapBack (www.cdp.com)
  ◦ Ghost (www.symantec.com)
  ◦ dd (the Unix command)
• Disk wipers
  ◦ DiskScrub from NTI

File Viewers
• Goal: allow the investigator to discover, view, and analyze files from all operating systems
• QuickViewPlus (www.jasc.com)
  ◦ Views over 200 file types
• Conversion Plus (www.dataviz.com)
  ◦ Views Mac files on Windows
• ThumbsPlus (www.cerious.com)
  ◦ Catalogs and displays all image files

Search Tools
• Goal: find keywords pertinent to the investigation
• Danny Mares StringSearch (www.maresware.com)
• Hidden streams
  ◦ SFind (www.foundstone.com)
  ◦ Streams (www.sysinternals.com/ntw2k/source/misc.html)

Forensics Programs
• Focus: collect and analyze data
• Forensic Toolkit (www.foundstone.com)
  ◦ Focus is on Windows NT systems
• The Coroner's Toolkit (TCT) (www.fish.com)
  ◦ Investigates a hacked Unix host
  ◦ grave-robber
  ◦ mac utility
  ◦ unrm utility
  ◦ lazarus tool

Forensics Programs (cont'd.)
• SANS Investigative Forensic Toolkit (SIFT)
  ◦ http://digital-forensics.sans.org/community/downloads

Forensics Programs (cont'd.)
• ForenSix by Dr. Fred Cohen
  ◦ www.all.net
  ◦ Runs on Linux, but can access many different file systems
• EnCase (www.encase.com)
  ◦ Claims to be the only fully integrated Windows-based forensics application

Foundstone Tools
• http://www.foundstone.com/resources/forensics.htm
  ◦ Pasco 1.0 – IE activity forensic tool
  ◦ Galleta 1.0 – examines the content of IE cookie files
  ◦ Rifiuti 1.0 – examines the INFO2 file in the Recycle Bin
  ◦ Vision 1.0 – reports open TCP/UDP ports and maps each to its owning process
  ◦ NTLast 3.0 – security log analyzer
  ◦ ShoWin 2.0 – shows information about windows
  ◦ BinText 3.0 – finds strings in a file
  ◦ Patchit 2.0 – binary file byte patching program

[Screenshot slides: Vision System Info; Vision Processes View; Vision Services View (two slides); File Watch]

Sysinternals Tools
• http://www.sysinternals.com/ntw2k/utilities.shtml
• Monitoring tools
  ◦ Diskmon 1.1 – monitors disk activity
  ◦ Filemon 1.1 – monitors file activity
  ◦ ListDLLs 2.23 – lists all currently loaded DLLs
  ◦ NTFSInfo – gives the size and location of the MFT
  ◦ Portmon 3.02 – monitors serial and parallel ports
  ◦ Process Explorer 6.03 – find out which files, registry keys, and other objects a process has open and which DLLs it has loaded
  ◦ PSTools 1.82
  ◦ Regmon 6.06 – monitors registry activity

Sysinternals Tools (cont'd.)
• Utilities
  ◦ AccessEnum 1.0 – used to find holes in file permissions
  ◦ NTRecover 1.0 – access dead NT disks over a serial connection
  ◦ NTFSDOS 3.02 – access NTFS drives read-only from DOS
  ◦ Remote Recover 2.0 – access dead NT disks over a network connection

[Screenshot slides: pstools; pslist; Process Explorer View 1; Process Explorer View 2; FILEMON; REGMON; TCP/IP Monitor: one single IE access to one web site]

Other Useful Tools
• Password crackers (see pg 145)
  ◦ L0phtCrack – www.atstake.com
  ◦ John the Ripper – www.openwall.com/john
  ◦ Chntpw – home.eunet.no/~pnordahl/ntpasswd
  ◦ Fast ZipCracker – www.netgate.com.uy/~fpapa
  ◦ AccessData – www.accessdata.com
    ◦ Provides entry to a wide range of application-encrypted files
  ◦ Elcom – www.elcomsoft.com

Other Useful Tools (cont'd.)
• Internet references
  ◦ Matching hardware types to MAC addresses: www.cavebear.com/CaveBear/Ethernet/vendor.html
  ◦ Proxy servers available to the public: www.proxys4all.com
  ◦ List of defaced web sites: www.attrition.org
  ◦ List of HTTP status codes: www.w3.org/Protocols/HTTP/HTRESP.html
  ◦ File formats and header specifications: www.wotsit.org

[Screenshot slide: McAfee Visual Trace, "Hostile Activity From China"]

Forensics Toolkit Summary
• Lots of free lunches are out there when it comes to forensic tools and utilities... do some research!

Next Steps
• Review the required reading for this module.
  ◦ Slide decks 7.1 and 7.2
  ◦ Incident Response and Computer Forensics (Mandia), pgs. 173-195
  ◦ Guide to Integrating Forensic Techniques into Incident Response (Kent et al., NIST, 2006) (attached to 7.1)
• Take Quiz 7.3.
• Keep working on Lab 03.
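The netcat collection sequence from the earlier slides (nc -l -p 2222 > forensics.txt on the workstation, then md5sum of the result), as a worked example added here rather than taken from the slide deck: a small Python listener for the forensic workstation that stores the inbound stream and hashes it as it arrives, so the recorded digest covers exactly the bytes received, and a verify step that re-hashes the stored file later in the chain of custody. The loopback port, temporary path and pslist-style sample output are constructed for the demonstration.

```python
# Added example (not from the slides): forensic-workstation listener replacing
# "nc -l -p 2222 > forensics.txt" and "md5sum forensics.txt"; hashes on receipt.
import hashlib, os, socket, tempfile, threading


class EvidenceReceiver:
    """Accepts one inbound connection and stores whatever the target sends."""

    def __init__(self, host="127.0.0.1", port=0):   # port 0: OS picks a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def receive_one(self, dest_path):
        """Stream one client's bytes to dest_path; return size and digests."""
        md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
        conn, _peer = self.sock.accept()
        with conn, open(dest_path, "wb") as out:
            while True:
                chunk = conn.recv(65536)
                if not chunk:          # sender closed the connection: end of evidence
                    break
                out.write(chunk)
                md5.update(chunk)
                sha256.update(chunk)
                size += len(chunk)
        self.sock.close()
        return {"file": dest_path, "bytes": size,
                "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_file(record):
    """Re-hash the stored file and compare with the digest taken on receipt."""
    with open(record["file"], "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == record["sha256"]


def collect_sample():
    """Loopback run: constructed pslist-style output plays the hacked machine."""
    sample = b"Name   Pid Pri Thd Hnd\nIdle     0   0   1   0\nSystem   8   8  31 217\n"
    dest = os.path.join(tempfile.mkdtemp(), "forensics.txt")
    rx, result = EvidenceReceiver(), {}
    t = threading.Thread(target=lambda: result.update(rx.receive_one(dest)))
    t.start()
    with socket.create_connection(("127.0.0.1", rx.port)) as c:  # the "| nc" side
        c.sendall(sample)
    t.join()
    result["sent_bytes"] = len(sample)                 # what the target emitted
    result["sent_md5"] = hashlib.md5(sample).hexdigest()
    result["verified"] = verify_file(result)
    return result
```

The record returned by collect_sample() is the kind of entry that belongs in the custody log: file name, byte count and digests taken at the moment of receipt, with verify_file() used on every later hand-off.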