Lesson 10 Incident Response Toolkits
“Who said there were no free lunches anymore?”

Overview
• Cygwin
• Data Integrity Tools
• Drive Tools
• Viewers
• Search Tools
• Forensics Programs
UTSA IS 6353 Security Incident Response

CYGWIN
• A Unix environment for Windows:
– A DLL (cygwin1.dll) which acts as a UNIX emulation layer providing substantial UNIX API functionality
– A collection of tools, ported from UNIX, which provide the UNIX/Linux look and feel
– The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE

CYGWIN
• Where to get it:
– www.redhat.com/download/cygwin.html
• What’s included:
– date, time, uptime
– hostname, whoami
– ps, netstat, arp
– uname -a, env

Data Integrity Tools
Goal: maintain the chain of evidence and the integrity of tools
• Maresware’s Disk_crc
– http://www.dmares.com
• New Technologies Incorporated – DiskSig and CRCMD5
– www.forensics_intl.com
• MD5 Summer
– http://sourceforge.net/projects/md5summer

Network Tool
• NetCat/Cryptcat
– Creates a channel of communication between hosts
– Used during forensics to create a reliable TCP connection between the target system and the forensic workstation
– Cryptcat provides for encryption
http://www.l0pht.com/~weld/netcat
http://farm9.com/content/Free_Tools/Cryptcat

Netcat Commands
• Forensic workstation (192.168.1.1) command
– E:\>nc -l -p 2222 > yourfilename
– Translation: execute netcat in listen mode on port 2222 and pipe inbound traffic to “yourfilename”
• Sending output from the target system
– A:> pslist | nc 192.168.1.1 2222
– Translation: execute pslist and pipe its output to netcat, which transmits it to 192.168.1.1 port 2222

Netcat in Action
[Diagram: Hacked Machine (time, date, loggedon, fport, pslist, nbtstat -c) sending to Forensics Workstation]
1) Run trusted commands on the Hacked Machine
2) Send the output of the commands to the forensics workstation using netcat
3) Perform off-line review
4) MD5SUM the output files

Netcat Command Sequence
[Diagram: Hacked Machine (time, date, loggedon, fport, pslist, nbtstat -c) sending to Forensics Workstation 192.168.1.1]
Hacked Machine:
A:>time | nc 192.168.1.1 2222
A:>date | nc 192.168.1.1 2222
* *
A:>nbtstat -c | nc 192.168.1.1 2222
Forensics Workstation:
C:>nc -l -p 2222 > forensics.txt
C:>md5sum forensics.txt > ?????

Drive Tools
Goal: allow collection of various hard disk/floppy/CD forensics
• Partition Tools
– fdisk (for Linux; the DOS version is obsolete)
– Partinfo (free: ftp://ftp.powerquest.com/pub/utilities)
– PartitionMagic (includes Partinfo but costs $)
• CD-R Utilities
– CD-R Diagnostics (www.cdrom-prod.com/software.html)
• Unerase Tools
– Windows: Norton Utilities Diskedit & Unerase
– Unix: e2recover (www.praeclarus.demon.co.uk)
– File Scavenger (www.quetek.com/)

Drive Tools (2)
• Drive Imagers
– NTI’s SafeBack (www.forensics-intl.com)
– SnapBack (www.cdp.com)
– Ghost (www.symantec.com)
– dd, the Unix command
• Disk Wipers
– DiskScrub from NTI

File Viewers
Goal: allow the investigator to discover, view, and analyze files from all operating systems
• QuickViewPlus (www.jasc.com)
– Views over 200 file types
• Conversion Plus (www.dataviz.com)
– Views Mac files on Windows
• ThumbsPlus (www.cerious.com)
– Catalogs and displays all image files

Search Tools
Goal: find keywords pertinent to the investigation
• NTI’s dtSearch (www.forensics-intl.com)
– Searches text files, including Outlook .pst files
• Danny Mares’ StringSearch (www.maresware.com)
• Hidden Streams
– SFind (www.foundstone.com)
– Streams (www.sysinternals.com/ntw2k/source/misc.html)

Forensics Programs
• Focus: collect and analyze data
• Forensic Toolkit
– www.foundstone.com
– Focus is on Windows NT systems
• The Coroner’s Toolkit (TCT)
– www.fish.com
– Investigates a hacked Unix host
• grave-robber
• mac utility
• unrm utility
• lazarus tool

Forensics Programs (2)
• New Technologies Inc (NTI)
– www.forensicsintl.com
– Command-line tools that run very fast
– CRCMD5
– DiskScrub
– DiskSig
– FileList – sorts files by last use
– GetFree – captures unallocated data
– GetSlack – captures file slack
– Net Threat Analyzer – Internet abuse analyzer
– PTable – analyze/document hard drive partitions
– TextSearch Plus

Forensics Programs (3)
• ForenSix by Dr. Fred Cohen
– www.all.net
– Runs on Linux but can access many different file systems
• EnCase (www.encase.com)
– Claims to be the only fully integrated Windows-based forensics application

Foundstone Tools
http://www.foundstone.com/resources/forensics.htm
• Pasco 1.0 – IE activity forensic tool
• Galleta 1.0 – Examine the content of cookie files from IE
• Rifiuti 1.0 – Examine the Info2 file in the Recycle Bin
• Vision 1.0 – Reports open TCP/UDP ports and maps them to the owning process
• NTLast 3.0 – Security Log Analyzer
• ShoWin 2.0 – Show information about Windows
• BinText 3.0 – Finds strings in a file
• Patchit 2.0 – Binary file byte patching program

[Screenshot slides: Vision System Info; Vision Processes View; Vision Services View (two slides); File Watch]

Sysinternals Tools
http://www.sysinternals.com/ntw2k/utilities.shtml
• Monitoring Tools
– Diskmon 1.1 – monitors disk activity
– Filemon 1.1 – monitors file activity
– ListDLLs 2.23 – lists all currently loaded DLLs
– NTFSInfo – gives the size and location of the MFT
– Portmon 3.02 – monitors serial and parallel ports
– Process Explorer 6.03 – find out which files, registry keys, and other objects a process has open, and which DLLs it has loaded
– PSTools 1.82
– Regmon 6.06 – monitors registry activity

Sysinternals Tools (2)
• Utilities
– AccessEnum 1.0 – used to find holes in file permissions
– NTRecover 1.0 – access dead NT disks over a serial connection
– NTFSDOS 3.02 – access NTFS drives read-only from DOS
– Remote Recover 2.0 – access dead NT disks over a network connection

[Screenshot slides: pstools; pslist (two slides); Process Explorer View 1; Process Explorer View 2; FILEMON; REGMON; TCP/IP Monitor – One Single IE Access to One Web Site]

Other Useful Tools
• Password Crackers (see pg 145)
– L0phtCrack – www.atstake.com
– John the Ripper – www.openwall.com/john
– Chntpw – home.eunet.no/~pnordahl/ntpasswd
– Fast ZipCracker – www.netgate.com.uy/~fpapa
– AccessData – www.accessdata.com
• Provides entry to a wide range of application-encrypted files
– Elcom – www.elcomsoft.com

Other Useful Tools (2)
• Internet References
– Matching hardware types to MAC addresses
• www.cavebear.com/CaveBear/Ethernet/vendor.html
– Proxy servers available to the public
• www.proxys4all.com
– List of defaced web sites
• www.attrition.org
– List of HTTP status codes
• www.w3.org/Protocols/HTTP/HTRESP.html
– File formats and header specifications
• www.wotsit.org

[Screenshot slide: McAfee Visual Trace – Hostile Activity From China]

Summary
Lots of free lunches out there when it comes to forensic tools and utilities… do some research!
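The “Netcat Commands”, “Netcat in Action” and “Netcat Command Sequence” slides describe one exchange: the forensic workstation listens (nc -l -p 2222 > forensics.txt), the hacked machine pipes each trusted command’s output into nc, and the workstation md5sums the collected file. The script below is an added example, not code from the lecture or from the netcat project; it reproduces that exchange on a single machine with Python sockets standing in for nc. The command output it sends is a constructed stand-in for the real tools’ stdout, the “=== name ===” header between sections is an assumed convention of this example, and it binds an ephemeral port instead of 2222 so it runs without conflicts.

```python
"""Netcat-style live-response collection followed by an md5sum of the result.
Added example: sockets play the role of nc on both the hacked machine and the
forensics workstation so the whole sequence runs offline on one host."""
import hashlib
import socket
import threading

# Constructed stand-in for the stdout of the trusted commands on the slide.
# On a real engagement each value is what the tool printed on the hacked host.
TRUSTED_COMMAND_OUTPUT = {
    "time": b"The current time is: 13:05:22.17\r\n",
    "date": b"The current date is: Tue 03/04/2003\r\n",
    "pslist": b"Name    Pid Pri Thd Hnd\r\nsmss    168  11   6  33\r\n",
    "nbtstat -c": b"Node IpAddress: [192.168.1.50] Scope Id: []\r\nNo names in cache\r\n",
}


def frame(name, output):
    """Header line written before each command's output (assumed convention)
    so the off-line reviewer can tell the sections of forensics.txt apart."""
    return b"=== " + name.encode() + b" ===\r\n" + output


def workstation_listener(srv, connections, out_path):
    """The 'nc -l -p 2222 > forensics.txt' side: accept one connection per
    command and append every byte received to the collection file.  Stock
    Unix netcat exits after its first connection closes, so an operator
    restarts it per command; accepting in a loop mirrors that re-listening."""
    with open(out_path, "wb") as f:
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:        # peer half-closed: end of this command
                        break
                    f.write(chunk)
    srv.close()


def send_command_output(host, port, name, output):
    """The 'pslist | nc 192.168.1.1 2222' side: push one command's output over
    a fresh TCP connection, then half-close so the listener sees EOF."""
    with socket.create_connection((host, port)) as s:
        s.sendall(frame(name, output))
        s.shutdown(socket.SHUT_WR)


def md5_file(path):
    """Step 4 on the 'Netcat in Action' slide: md5sum the collected file so any
    later copy can be shown to be unchanged."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_collection(commands, out_path, host="127.0.0.1"):
    """Run the whole sequence locally: start the listener on an ephemeral port,
    send each command's output in slide order, then hash the result.
    Returns (port_used, md5_hex)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))               # port 0: let the OS choose a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    t = threading.Thread(target=workstation_listener,
                         args=(srv, len(commands), out_path))
    t.start()
    for name, output in commands.items():
        send_command_output(host, port, name, output)
    t.join()
    return port, md5_file(out_path)


if __name__ == "__main__":
    import os
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "forensics.txt")
    port, digest = run_collection(TRUSTED_COMMAND_OUTPUT, path)
    print(f"listened on port {port}, wrote {path}")
    print(f"md5sum {path}: {digest}")
```

The hash is computed on the workstation immediately after the transfer, before anyone opens the file, which is the point of the slide’s fourth step: the recorded digest is what lets a later copy of forensics.txt be shown unchanged. Because plain netcat sends in the clear, the Cryptcat variant named on the “Network Tool” slide is the drop-in choice when the collection crosses a network the attacker may still be watching.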
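The “Data Integrity Tools” slide states the goal, maintain the chain of evidence and the integrity of the tools, and lists hashing utilities (CRCMD5, DiskSig, MD5 Summer) without showing how they are used. The script below is an added example, not code from the lecture or from any of those products: it builds an md5sum-style manifest of a trusted tool directory and later verifies that every tool still matches before it is run on a hacked host. The tool directory, file names and tampering in the demo are constructed; the two-column manifest format is the one md5sum writes and `md5sum -c` reads.

```python
"""Toolkit integrity manifest: hash a trusted tool set once, verify it before
every use, and report anything modified, missing or unexpected.  Added example
code; MD5 is used to match the slide-era tools, and hashlib.sha256 drops in
unchanged where a stronger digest is wanted."""
import hashlib
import os


def md5_file(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_relative(tool_dir):
    """Yield (absolute path, forward-slash relative name) for every file."""
    for root, _dirs, files in os.walk(tool_dir):
        for name in files:
            full = os.path.join(root, name)
            yield full, os.path.relpath(full, tool_dir).replace(os.sep, "/")


def write_manifest(tool_dir, manifest_path):
    """Hash every file under tool_dir and write 'hash  name' lines, sorted by
    name so two manifests of the same tree compare line for line."""
    entries = sorted((rel, md5_file(full)) for full, rel in _walk_relative(tool_dir))
    with open(manifest_path, "w", encoding="utf-8") as f:
        for rel, digest in entries:
            f.write(f"{digest}  {rel}\n")
    return dict(entries)


def read_manifest(manifest_path):
    """Parse the md5sum format; reject malformed lines instead of skipping them,
    since a silently dropped entry would make a tampered tool look 'ok'."""
    expected = {}
    with open(manifest_path, encoding="utf-8") as f:
        for lineno, line in enumerate(f, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            digest, sep, name = line.partition("  ")
            if not sep or len(digest) != 32 or not name:
                raise ValueError(f"{manifest_path}:{lineno}: malformed manifest line")
            expected[name] = digest.lower()
    return expected


def verify_toolkit(tool_dir, manifest_path):
    """Compare the tree with the manifest.  Returns {name: status} where status
    is 'ok', 'MODIFIED', 'MISSING' or, for files present but not listed,
    'UNEXPECTED'.  The manifest must live outside tool_dir."""
    expected = read_manifest(manifest_path)
    results = {}
    for name, digest in expected.items():
        full = os.path.join(tool_dir, *name.split("/"))
        if not os.path.isfile(full):
            results[name] = "MISSING"
        elif md5_file(full) != digest:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    for _full, rel in _walk_relative(tool_dir):
        results.setdefault(rel, "UNEXPECTED")
    return results


def toolkit_is_trusted(results):
    """A tool set is usable only when every entry verified 'ok'."""
    return bool(results) and all(status == "ok" for status in results.values())


def build_demo_toolkit(base):
    """Constructed stand-in for a trusted tool directory; real tools would be
    the statically linked binaries burned to the response CD."""
    tool_dir = os.path.join(base, "trusted_tools")
    os.makedirs(os.path.join(tool_dir, "bin"))
    for rel, body in (("bin/pslist.exe", b"PSLIST-BINARY-v1"),
                      ("bin/nc.exe", b"NETCAT-BINARY-v1"),
                      ("README.txt", b"Response CD, built from clean media\n")):
        with open(os.path.join(tool_dir, *rel.split("/")), "wb") as f:
            f.write(body)
    return tool_dir


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()
    tools = build_demo_toolkit(base)
    manifest = os.path.join(base, "tools.md5")
    write_manifest(tools, manifest)
    print("fresh:", verify_toolkit(tools, manifest))
    with open(os.path.join(tools, "bin", "nc.exe"), "ab") as f:
        f.write(b"-trojaned")                 # constructed tampering for the demo
    results = verify_toolkit(tools, manifest)
    print("after tampering:", results, "trusted:", toolkit_is_trusted(results))
```

Run the verification from the response media itself, against a manifest kept off the suspect host (printed, or on the workstation), and record the same kind of manifest for every output file collected so the evidence hashes are documented at the moment of capture rather than reconstructed later.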