Comparison Analysis - Drexel University
advertisement
DREXEL UNIVERSITY Info 710 Project Network Incident Investigation, Acquisition, and Response John Misczak, John Ehring & Chris Grabosky 9/2/2010 Table of Contents Introduction .................................................................................................................................................. 3 Network Forensics Discussion....................................................................................................................... 3 Types of Forensic Data .................................................................................................................................. 4 Statistical Data .......................................................................................................................................... 4 Alert Data .................................................................................................................................................. 4 Session Data .............................................................................................................................................. 4 Full Content Data ...................................................................................................................................... 4 Relevant Tools ............................................................................................................................................... 4 Packet Sniffing Tools ................................................................................................................................. 4 Packet Analyzers ....................................................................................................................................... 5 Text Search Utilities .................................................................................................................................. 5 Trace Tools ................................................................................................................................................ 5 Network Statistics Tools............................................................................................................................ 5 Intrusion Detection ................................................................................................................................... 5 Network Monitoring ................................................................................................................................. 6 Windows Network Evidence Acquisition ...................................................................................................... 6 First Trace.................................................................................................................................................. 6 Statistical Analysis ................................................................................................................................. 6 Alert Data Analysis ................................................................................................................................ 8 Session Data Analysis .......................................................................................................................... 11 Full Content Data Analysis .................................................................................................................. 13 Second Trace ........................................................................................................................................... 14 Statistical Analysis ............................................................................................................................... 14 Alert Data Analysis .............................................................................................................................. 16 Session Data Analysis .......................................................................................................................... 20 Full Content Data Analysis .................................................................................................................. 21 UNIX First Trace .......................................................................................................................................... 23 Physical Properties .................................................................................................................................. 23 Basic Content Analysis ............................................................................................................................ 25 Alerts ....................................................................................................................................................... 27 Sessions ................................................................................................................................................... 31 Full Content Analysis ............................................................................................................................... 34 Comparison Analysis ................................................................................................................................... 40 Conclusion ................................................................................................................................................... 41 Works Cited ................................................................................................................................................. 42 Introduction Before forensic experts begin any investigation, they must fully grasp and understand the basic core principles of digital forensics. Most importantly, digital forensics experts must understand the proper protocol which must be followed before any investigation can occur; failure to do so could result in perfectly good digital evidence being thrown out due to being inadmissible. Additionally, a forensic investigator must have a solid understanding of the types of data involved in a network acquisition investigation. Statistical, alert, session, and full content data can all provide various clues into the underpinnings of what actually happened during a network event. Once these types of data are understood, a digital forensics expert can begin their analysis using a variety of tools. These tools can change depending on the operating system in question, but they are generally based on the same principles and forensic techniques. Packet sniffing tools, packet analyzers, text search utilities, trace tools, network statistics tools, intrusion detection, and network monitoring can each provide specific data sets to a forensic expert. In our analysis of network incident investigation, acquisition, and response, we will demonstrate typical network acquisition processes using various types of data and specific tools common to forensic experts. We will conduct a network acquisition process on both the Windows and UNIX environments. Finally, we will compare these two environments to see what they share and how they differ from one another. Network Forensics Discussion Ben Laurie describes network forensics as “using evidence remaining after an attack on a computer to determine how the attack was carried out and what the attacker did” (Laurie, 2004, p. 51). However, this simplistic definition does not do the field justice. Network Forensics is a discipline within the greater context of digital forensics which focuses on the collection of data, intrusion detection, and evidence gathering via the monitoring of a network. It can be used to gather evidence after the fact, as Laurie suggested, but can also be used to find evidence of a future attack or an attack in progress, as well as when a potential attack is likely to take place. Furthermore, network forensics has the potential for usefulness beyond calculated attacks; digital forensic evidence can be used to support prosecution of other crimes, such as the distribution or retention of child pornography. As Laurie describes, network forensics involves much more than the collection of leftover data, as many cybercriminals are fully aware of their actions, and so seek to conceal their crimes. By utilizing a number of network forensic techniques, security professionals can help unmask these crimes and find real, useable evidence of wrong-doing and illegal activities which can be used in a court of law. Attackers are likely to distort or remove evidence of their crimes by “modifying logs, deleting core dumps, and installing software...which can’t be seen by using standard utilities” (Laurie, 2004, p. 51). It is the duty of a network forensics specialist to understand the potentialities behind these cover-ups and to look for the clues which can reveal that data has been tampered with or altered. Many network attacks fail. For example, buffer overflow attacks require the execution of code from a very specific location in order to be successful. This location depends highly on the operating system, its build, and compilers used. Often, attacks will not know the exact location of this directory and will be forced to try several variations before a successful attack is made. Forensics experts can use these failed attempts to help determine what took place and what data could have been modified (Laurie, 2004). Types of Forensic Data Statistical Data Statistical data is the summary information from a log dump that may provide a first direction into forensic analysis (such as which protocol or application had been used). This type of data can be created by using such applications as tcpdstat (for basic summary information) or Argus (for network flow summary information). Alert Data Alert data consists of a more in-depth analysis based on patterns from a log dump. It can help to identify possibly malicious activity. Intrusion detection applications, such as Snort, are capable of producing this type of data. Session Data Session data looks at session information from a higher level in the OSI model and identifies nodes that were communicating, including messages sent and received, as well as information about those messages. Session data can help to identify strange session information like an overflow of SYN packets or dropped connections, which can be a telltale sign of malicious or criminal activity. Full Content Data Full content looks into the full packet including control information anduser data (payload). This type of data can help to identify actual attack information. However, obtaining this information is a very time consuming process due to the large amounts of data involved. Therefore, previous analysis is necessary to identify which packets should be analyzed for their full content. Relevant Tools Packet Sniffing Tools Packet sniffing tools, such as tcpdump (for UNIX operating systems) and windump (for Windows operating systems) can be used by network forensics experts to “convert binary data in packets to human readable format”, intrusion detection, or logging traffic for later evidence collecting (Fuentes & Dulal, 2005, p. 169). These types of tools can be used to create dumps of communications through the TCP/IP and TCP/UDP stack to be analyzed for inconsistencies or evidence of an attack by understanding the exact correspondence between sender and receiver. Tcpdump, of which windump is a Windows- friendly port, was created in the early 1990s, is one of the most basic packet sniffing tools available; it is a fundamental part of more complicated tools, such as Ethereal (Fuentes & Dulal, 2005). Packet Analyzers Packet analyzers, such as Ethereal and the more up-to-date Wireshark (both available on UNIX and Windows platforms, as well as other operating systems), expand upon the work of packet sniffing tools such as tcpdump. Included in packet analyzers are the functionality of packet sniffers, in addition to a GUI (making the application more user-friendly), as well as filters which can display or capture particular types of records. Packet analyzers, while similar in function to packet sniffers, “make it easier to make sense of a stream of ongoing network communications” (Fuentes & Dulal, 2005, p. 173). By providing an interface which can more easily make sense of a considerable amount of data, the work of a network analyst is severely reduced. Text Search Utilities Text search utilities, such as ngrap and grep (which stands for “global regular expression print”), print every line in a specific data set which contain a specific sequence of characters, regardless of whether or not it is a word or part of another word (Goebelbecker, 1995). These text search utilities are extremely useful to forensics experts because theyallow large quantities of log data (or output from network dumps) to be quickly filtered for relevant information. Trace Tools Trace tools, such as tcptrace (developed by Shawn Ostermannfor the UNIX platform), helps to analyze TCP dump files and identify session information. Tcptrace can work with packet sniffers/analyzers, such as tcpdump, windump, Ethereal, and Wireshark, by using their data dumps as input. Once this input is analyzed, tcptrace can provide information such as elapsed time between sending and receiving packets, the specific segments of the packets which are sent and received, throughput, and total bytes (Ostermann, 2003). Network Statistics Tools Network statistics tools, such as tcpdstat (developed by Dave Dittrich for the UNIX operating system), “produce a per-protocol breakdown of traffic by bytes and packets, with average and maximum transfer rates” from input gleaned packet sniffers/analyzers, such as tcpdump or Wireshark (Dittrich). These types of tools allowforensics experts to obtain basic summary information of a network dump. Intrusion Detection Many intrusion detection tools which are “capable of performing real-time traffic analysis and packet logging on IP networks” are currently available(Roesch). Snort is the leading tool in this market, one of the reasons we have chosen it as our primary intrusion detection tool. Snort’s main usesinclude performing protocol analysis, content searching/matching, detection of attacks, stealth port scans, and OS fingerprinting attempts, among other types of attacks (Roesch). Specifically for our investigation, we will run Snort in batch mode against already collected data to find patterns in the logs consistent with malicious activity. Network Monitoring Though many network monitoring software suites are available, we have chosen Argus for its ability to transform Wireshark/Ethereal output (libpcap data) into session data, capable of being analyzed with other tools. Additionally, Argus can itself analyze packet files and “generate summary network flow data” ( QoSient, LLC, 2010). Argus can also be used to analyze network streams and produce audits for live networks. Windows Network Evidence Acquisition First Trace The file that our team starts with for the first trace is the first part of the capture file from JBR Bank’s incident, labeled s2a.lpc. While this file contains a wealth of network evidence data due to it being a packet capture of a JBR Bank system, it is rather difficult to assess the exact cause and severity of the incident by looking at it as whole. Instead, the preferred method is to work from the outside in, starting with the statistical data of the capture. Statistical Analysis In order to perform some statistical analysis on the capture file, the team elected to use its first tool, a program called tcpdstat (http://staff.washington.edu/dittrich/talks/core02/tools/tools.html). In order to get tcpdstat to properly compile on a Linux platform, however, the team had to download the packages build-essential and libpcapdev-0.8 first. Once these packages were installed from their respective repositories, tcpdstat compiled and was available for use. The team then used tcpdstat to analyze the capture file and output the results of the analysis into a text file for easier viewing. With the file created, its contents can be opened and viewed in any text editor. The team chose to relocate its output and results files to another machine not involved in the forensic analysis in order to prevent any volatile data from being overwritten. When viewing the results of running the capture file through tcpdstat, a few scenarios came to light that are possibly backed by evidence of the capture file’s statistics. First, the highest packet counts are fairly typical except for one entry. While IP, TCP, HTTP, and HTTPS are all frequently used protocols in regular web traffic, the high packet count for the “other” field indicates that a protocol unknown by tcpdstat is used frequently in the trace, or many different unknown protocols were used a few times each. The latter theory was found to carry more weight once the team noticed that numerous other protocols had just a few packets each. Thus, it is highly likely that someone was attempting to send small amounts of a large variety of traffic in order to see what got through; in other words, a port scan may have been performed on this JBR Bank system. However, there could be many possible reasons why this pattern of traffic occurred that do not include an attack or malicious individual; therefore, the team could not arrive at a conclusion at this point In the investigation, and moved onto the next type of analysis. Alert Data Analysis While tcpdstat was useful for statistical analysis, it has little to no value as a tool that examines and helps analyze network alert data. Thus, the team had to turn to its second tool, the open-source intrusion detection system called Snort. Snort is a useful tool due to its flexibility; it can either be activated as a live on the wire detection system, or it can be run after the fact on a collected batch of data. Since the team already had the capture file, the second option was chosen. Snort was run through the command line with a number of flags that configured it to run in the fashion that the team desired. The flag “-c /etc/snort/snort.conf” tells Snort where to look for its rules file that governs how the program will function and what it will look for. The “-r s2a.lpc” parameter gives snort the location of the file to consider; since snort was being run from the directory that included the file, the team did not have to include the full path. The “-b” flag tells snort to run in the aforementioned batch mode, while “-l /var/log/snort” informs the program what directory to place its log files in. The alert file generated by running snort contains a number of alerts based on data traffic patterns in the capture file. While a first look at the file may yield nothing more than a rather large column of text, one can quickly see that the various incidents are delimited by the series of characters “[**]” surrounding the title of the incident. Even in the first few alerts, the phrase “Attempted Information Leak” and “Web Application Attack” occur multiple times. For each of these attacks, the victim IP address that acts as the destination for attacks and source for leaks is 103.98.91.41, which the team had been informed, was the IP address of the JBR Bank system. Furthermore, the attacks appear to be occurring over TCP Port 80, which is frequently used on a web server such as the one employed by JBR Bank. Furthermore, near the end of the alert file, the requests on TCP port 80 stop and numerous amounts of other requests are made. These include using ICMP, SNMP, the SOCKS web proxy to gather additional information about the system, such as what services are running and therefore can be used to the attacker’s advantage. By first closely examining the key port of the web server and then fanning out to investigate other potential avenues of attack or exploitation, it is clear that the party who was interacting with the JBR Bank system has intentions other than simply accessing the bank’s web site. In order to find out exactly what those intentions may be, the team moved onto the next set of data for this trace. Session Data Analysis While tcpdstat and Snort have helped the team with statistical and alert data respectively, so far they fall short when it comes to examining session data. For that purpose, the team elected to use the tool Argus to once again examine the capture file for possible information that would help in the investigation. Once again, flags were used when running Argus from the command line; “-d” switches Argus to background mode, whereas “-r s2a.lpc” tells Argus the data for review is in the file s2a.lpc and “-w s2a.argus” instructs Argus on where to put its output. Subsequently, the team used Argus’ client, “ra”, to decipher the Argus data and place it into a text file that could be easily read. Numerous switches were employed yet again; “-a” turns on summary statistics for the data, whereas “-c” formats the output with bytes sent by a system first, followed by bytes received by the system next. The “-n” switch does not allow ra to replace Ips and port numbers with known host names and services, thereby allowing the team to more easily connect the dots with the other types of data collected in this investigation. “-r s2a.argus” tells ra to read the data from the s2a Argus file, whereas “grep –v drops” takes the status report that Argus would normally add to the text file and removes it. The output is formatted with a line wrap in order to present the screenshot at a readable size. The destination for each line of traffic is TCP port 80, and about 6 packets were sent and received in each case. More importantly, the FIN packet seen frequently means that each connection was closed after it was used for a brief period of time, meaning that a number of different vulnerabilities for the web server’s port 80 were attempted in order to see what worked and what failed. Later on in the output, a number of ports are contacted with one packet each, with the server replying with one packet to each connection as well. The large number of ports that this occurs to is either a rather significant coincidence, or strong evidence that someone performed a port scan on the JBR Bank system. Now that the team has become suspicious of these connections to multiple ports on the system, it would like to see the contents of the packets in question. This desire entails more significant analysis, however, in the form of complete content investigation. Full Content Data Analysis Since the team wanted to examine the entire content of individual packets, the popular packet capture and trace file tool Wireshark was enlisted. Wireshark allowed the team to search for packets based on the timestamp in question (18:55:18 on September 23, 2003) as well as the port numbers (1359, 305, 698, etc.) that were possibly scanned by a malicious individual. In numerous communications from the attacker’s system (IP address 95.16.3.79.47990) to the JBR Bank web server (IP address 103.98.91.41.698), a hexadecimal pattern of “5555 5555 5555” was found in the content field of the packet. This pattern was corroborated with network security information sources as being the signature of a reconnaissance tool called Nmap. At this point, the team feels fairly certain that a malicious individual has been gathering intelligence for an attack on JBR Bank’s web server; however, the team does not know what the attacker is after or exactly what method he/she will be using. Fortunately, another trace file was also given to the team in the hopes of containing additional information and answers. Second Trace Statistical Analysis With most of the information gleaned from the first capture file, the team turned to the second packet capture for its second trace investigation. Once again, the first type of data to be examined was that of statistical data, as it gave a broad overview of the trace and allowed the team to choose its next moves. Just like before, the trace file, this time called s2b.lpc, was run through tcpdstat in order to generate some summary statistics for review. The resulting output text file, s2b.tcpdstat.txt, is much shorter than last time but still contains enough relevant data to make a few insights and decisions on next action items. Once again, the protocol labeled “other” has a high amount of traffic; in fact, it represents nearly 84% of all application layer traffic. The team realized that a high amount of traffic unrecognized by tcpdstat could simply be newer protocols being used in the exchange of information; however, with strong evidence to support port scanning and vulnerability reconnaissance from the first capture file, the strong presence of unknown protocol traffic is more cause for concern. Alert Data Analysis Just as in the first trace, the second capture file was passed through the team’s intrusion detection program, Snort, to review any alerts that may be cause for concern. Several of the same switches were used, as well as the additional parameter of “>snort.stats” at the end of the command that places the statistics from Snort into a file for later review. Since all of the data needed for review is now in the snort.stats file, the team opened that file and began parsing through the information contained within. The team noticed that the number of TCP packets reported here matched that of the output from tcpdstat. Additionally, some of the packets categorized as “other” in tcpdstat are revealed to be ARP packets by Snort, a protocol not detected by tcpdstat. The team also notices that there were 176 alerts for this capture file, and decides to check out the s2b.alert file that was generated by Snort. The first several alerts are concerned with access to a printer through a potentially vulnerable web application. The links provided in the alert provide further information that can be used to bring background information to such an alert; for example, a buffer overflow in an Internet Printing module in the Windows 2000 operating system can possibly allow remote users to acquire root privileges. Gaining root would be one of the most desirable achievements an attacker could reach, so any incident related to giving root access is considered serious by the team. However, the attacker attempts three times to perform this trick through the printing extension, meaning that it may not have worked and the attacker was simply making sure it was the security of the system and not his own errors that caused the attempt to fail. Another alert seen clearly in this alert log is that of a denial of service, or DoS, attack. This type of attack could potentially bring down JBR Bank’s web server, causing them to lose public image as well as money due to the unavailability of tis banking services. With a few ideas about what types of attacks the intruder may have tried, the team decided to turn to session data to see what connections were made. Session Data Analysis Once again, the tool Argus was used on the second capture file in order to detect the traffic and connections going back and forth between the web server and other machines, including those belonging to the attacker. Just like before, the web server (destination for attacks, source for outgoing leaks or transmissions) has the IP address of 103.98.91.41. Also, the IP address of 95.208.123.64 is seen as the destination for an outgoing FTP connection; this was the same IP address seen attempting to exploit vulnerabilities in the Snort alert data. Furthermore, there are multiple connections through TCP port 60906, which is an unusually high port number that the team did not recognize at this point in the investigation. Lastly, the web server successfully establishes a connection with the attacking machine at 20:00:51 on October 1, 2003, as seen by the line indicating the connection on port 6667. With these notable items, port numbers, and timestamps in mind, the team turned to full packet examination once again in order to glean even more details about the attack. Full Content Data Analysis The team took a different approach than simply using Wireshark for this trace; rather, they decided to utilize a tool called tcpflow to narrow the packets down to just those that crossed TCP ports 21, 60906, 1465, and 6667, as they were the ports that became interesting due to previously found evidence. Tcpflow created eight files as a result of this command, which all follow a nomenclature of “sourceIPaddress.portnumber-destinationIPaddress.portnumber”. The file named 095.016.003.023.01408-103.098.091.041.60906 provides the first meaningful information for this part of the investigation, as it includes a series of commands. These commands didn’t tell the team much by themselves, so the team decided to open up the response message sent by JBR Bank’s web server, which was found by flipping the order of the addresses around. A number of files are found on the server, including several that should not be on a bank’s web server – notably nc.exe, which is a program called netcat that creates TCP connections that can be used as backdoors for attackers. Knowing that the intruder probably had an easy way in and out of the system now, the team turned its attention to subsequent messages sent between the web server and the attacker’s machine. The biggest interest surrounded the message 103.098.091.041.01465- 095.208.123.064.03753, which shows the web server providing the contents of a help file to the remote attacker and attempted transferring of an executable named “update.exe”. Due to information already obtained from JBR Bank, the team knows that a program named PsExec was in some way utilized in the attack. Armed with several types of data, including full content included in several of the packets sent to and from the victim system, the team decided to search for any mention of PsExec using a tool called Ngrep. The results from the ngrep search were placed in a file called s2b.ngrep.psexec.txt, which allowed the team to review the results at their leisure on a separate machine. The team noticed several mentions of PsExec in this results file; however, its repeated presence raised more questions than it answered. PsExec’s purpose is to establish a connection a system that an attacker is targeting, typically for the intruder’s own malicious purposes; however, it needs administrative rights to do so. The team already noticed the attacker attempt to gain root through the use of a printer extension vulnerability, but it appeared that the attempt(s) failed. Without any further log files or captures, the team could only hypothesize that the attacker eventually succeeded at compromising the aforementioned vulnerability, or found another similar one that worked. UNIX First Trace Physical Properties Just like the example Windows intrusion, there is another set of data collected from an intrusion of a UNIX system for BRJ, a software company. Although the platform is different, many of the mechanics and goals are the same as a Windows investigation. Since it was a remote intrusion, that is to say it was accessed via the network and not the keyboard plugged into the computer, network traffic could be captured into a Libpcap-formatted file with tcpdump. This tool will capture data from a given interface, in this case the UNIX system’s eth0, and record it to disk. However because there is both legitimate traffic in addition to the traffic from the intruder, this file can become massive quickly. Tcpslice was used to make the file smaller and slice it up to just the applicable pieces. This Libpcap file was delivered to the team for investigation in addition to output from Snort like a portscan log. The portscan file follows the pattern of “date source:port ->destination:port type” and can be seen here. The results of looking at this file shows that an attacker at the IP address of 94.90.84.93 issued a portscan to a wide array of ports on a BRJ Software server (102.60.21.3) on September 8 between 2:20:42 and 2:20:45 in the afternoon. This Snort log file with its 1552 lines (and thus a scan of 1552 ports on the system) simply says a scan occurred since it was recorded by the BRJ Software server. However it does not say what the BRJ Software server responded to the attacker (e.g. whether the port was open). Basic Content Analysis The physical appearance of a log file being large, like the Snort portscan file, is the first step of the investigation. By looking into that file and determining that a portscan occurred and the source IP address of the scan, the team is better prepared for the next step which is the basic content analysis. By looking at the Libpcap dump from the network interface, some basic statistics can be gathered by using the tool tcpdstat. This tool has done some basic information gathering that will further limit the scope of the digital forensic investigators. It shows the start and end time of the capture (roughly 75 minutes long) and the total capture size (14.73 MB captured of data from 56377 packets and with additional information stored, the total Libpcap file comes to 15.59 MB) and the most common protocols. Most data traveled over TCP/IP. At the application layer, the applications most used were FTP, telnet, and SSH. All of these may be used by the attacker as it allows file transfer as well as a shell to control the UNIX system. The advantage here is that FTP and telnet are not encrypted so any data that traversed the network for these application layer protocols was captured in the Libpcap dump and can be analyzed by deep packet inspection (full content analysis). If the attacker used SSH, the information would be encrypted and thus the full content analysis would yield nothing additional of worth. Alerts Because so much traffic used the FTP and telnet protocols, it still would not be very easy to jump right into full content analysis. Instead some additional investigation may yield a way to further narrow the search scope to identify the intruder and what he/she did. This further analysis can be done with Snort. Snort has many rules that are used to identify malicious, strange, or suspicious network traffic. By feeding the Libpcap file through Snort, it can generate files and use these predefined rules that may identify what the intruder was doing. By using the command snort -c /etc/snort/snort.conf -r s3.lpc -b -l ./SnortOut it generated two files in the SnortOut directory based on the rules prescribed in the Snort configuration file and the Libpcap (lpc) file. The one file that will be useful here is an alert file. Snort generated several alerts that should be of concern to the investigative team. The first alert mentions that the intruder attempted to gain access to a privileged user account (like root). Further entries later prove that it was the root user that was being accessed. To do this, the intruder was attempting to gain access to an exploit of a printing daemon (lprd). Snort rules are useful in that it may give a link to the security site SecurityFocus.com that will further explain what was going on. By properly exploiting this security vulnerability, it may be possible to gain access to this privileged account. The rule that generated it was the Snort attack-responses.rules file. The line with the yellow highlight shows that it was checking for raising an alert that the user was changed to root (often user ID 0 on UNIX systems). By gaining access to the root user, much more damage can be done to the system as well as allowing the intruder to have much more access to files. The investigators know that the intruder gained root access from the Snort log entry that said “id check returned root” which is created through the line highlighted in the attack-responses.rules file shown above. The entry shows that it was done in the time period where the intrusion happened from the same IP address of the likely intruder. Additionally, it was sent over telnet, an unencrypted channel. This is something that would not likely occur from BRJ employee as they should be using SSH. There are also many failed login attempts listed in the Snort log. While good because it means the person was locked out, it is still problematic as it does not show successful log in attempts. Because these login alerts eventually stop, it is likely that the intruder finally did gain access to the system. This is further proved through the userid check mentioned above which originates on the BRJ Software server on port 2323 (meaning the intruder was successfully able to access the server over port 2323). Sessions One possible solution that would fit the team’s findings thus far would be that the intruder was able to start a telnet server listening on port 2323 of the BRJ server through the lprd buffer overflow exploit. However additional investigation must occur to prove this. The additional information could be obtained through looking at the data logged from the telnet session. This is done with the tcptrace tool. The number of connections between 94.90.84.93 (a system not owned by BRJ and the same address the team has been tracking so far) and 102.60.21.3 (a BRJ system) is what is important here. These connections should not exist; their presence is indicative of a brute force attack on the lpr daemon. The complete/reset shown in the last column combined with the packets sent and received by the BRJ system (the two preceding columns) show that the brute force attack was failing for some time. If it succeeded, it would look like the first two connections (the legitimate connections between BRJ servers). There the packet count is well above the normal SYN/ACK/RST and instead a session occurs. Unfortunately for BRJ, eventually the attack does work. As seen below on the highlighted 1880 session, the intruder gains access to the system. Once he/she has access, the BRJ server begins sessions to talk to a remote system. The remote system is a new IP address of 94.178.4.82, and the port number of 21 points to it being an FTP server. The investigators now know that the intruder has compromised the BRJ system, is able to telnet in, gain root access, and FTP out of the system. This is further proven later by the traffic originating at the intruder’s IP and accessing the BRJ server successfully over port 514 (which means he/she can access the system and login with rlogin, rcp, or RSH). More connections exist later. One of those proves that the intruder can SSH to the BRJ server (problematic because, as mentioned previously, these sessions are encrypted so the investigators are unable to see exactly what was being done through network analysis). However what is strange is that the intruder, it seems, begins to use the BRJ server as a way to attack another server, 94.200.10.71. In the first three sessions listed above show that the intruder was able to send a finger request to the machine and then log into it via telnet. This is bad as it looks like it is coming from BRJ and not the attacker who first attacked BRJ. Then, using the BRJ server, the intruder begins to brute force his/her way into the 94.200.10.71 FTP server. Again, this eventually ends and at the session ID of 1696 it shows a successful session and a large file transfer. After this is the end of the file, but the file ends strangely as well. Traffic is going over port 2323 on the BRJ server, a port that should not be in use. More things are going on so further analysis is needed. Full Content Analysis The session analysis focused in on which sessions need more attention. This attention is given through full content analysis where the payload of each TCP/IP packet is examined in an attempt to reconstruct what communications were happening between the intruder and the BRJ server. This will allow BRJ to know what may have been taken, modified, removed, installed, or otherwise tampered on their UNIX system. Starting with sessions 2087 and 2089, the investigators can compare the data from these packets. A diff was done on the output of the tcpflow command that separated these sessions from the rest of the Libpcap capture file. The diff is shown below. The difference shows what made the 2089 session attack on the lpr daemon successful and what was unsuccessful in the 2087 session. With this information, the investigators know the latter was a success so the attention can now be focused on the 3879 session. The tcpflow command extracted two files. The first will be called the “input” file. This contains the commands that the intruder typed into the BRJ system. The other file will be called the “output” file as it contains what the BRJ UNIX server responded via telnet to the intruder’s commands. Screen shots of the two files are shown below. Here, the best technique would be to pull up both files side-by-side, then using experience with UNIX and Linux systems, the investigator would be able to match outputs with the appropriate input. So, for example, the intruder issued commands to figure out information about the system, the logged in user, and the network interface. Using the output file, the investigators get the exact same output that the intruder would have seen after issuing these commands. The basics of Linux or UNIX command line is required here to align the two files. However after doing so, the intruder’s malice seem to be that the intruder created a hidden directory /tmp/.kde, FTP to 94.178.4.82, and download the binary files that start with “knark” (a rootkit kernel module) to that directory. The intruder then adds a user “lpd” to the system with the same UID as root and enables RSH access for this (and all other users because the “++” was specified in the .rhosts file). After that, he/she does some basic poking about and kills the brute force program that he/she used to brute FTP into the 94.200.10.71 server, likely in an attempt to hide his/her tracks. The intruder later telnets in again, this time with an account he has the username and password for: richard. This access was likely gained through an easy to guess (or brute force) password. Once in, the intruder executes lpd that allows root access. After proving he is root by checking his/her active user ID and username, he begins to check commands like netstat and ps to see what is running on the system. Specifically, he or she is looking for a program datapipe. Using a rootkit, he/she is able to hide the datapipe process. The intruder repeats this process again later by logging in as the compromised account and running /usr/sbin/root lpd /bin/bash that dumps him into a root prompt (which kindly returns “Do you feel lucky today, hax0r”). Once in, he/she attempts to tar up /home and /var/mail and put it in the hidden directory /tmp/.kde he created earlier. Then, after failing to create an FTP connection to 94.20.1.9, he/she pings that server to see 90+% packet loss. The intruder eventually is able to connect to that server via FTP but the results are unknown from this trace. Again he/she logs in later but after seeing that the compromised account richard is logged in elsewhere, he/she disconnects, likely to avoid suspicion. That was the last time that there is record of the intruder logging in. However additional examination should occur on the FTP transfer he/she may have been able to begin. There is one file that says the IP address of that FTP server belongs to zeus.anonme.com. This file, created by using the tcpflow command on the Libpcap file to look specifically for port 21 traffic not going to 94.200.10.71, is the result of the first failed FTP connection to 94.20.1.9 mentioned above. The next file in the sequence shows that the intruder logged in successfully with the username shadowman, switched the transfer mode to binary, and tried to copy the files.tar.gz (the archive of the /var/mail and /home directories he/she created by logging in as richard earlier). So far, most of everything has been reconstructed. However there still is the business of when the intruder used SSH. Up until now, that SSH data could not be processed because it was encrypted. Although the SSH channel into the server was secure, if the intruder used a network resource that reached out of the BRJ machine that was not secure, the investigators can figure out what was being done. It looks like this is what happened: the intruder SSH’d into the BRJ system and, from there,FTP’d out of the server. Because FTP is not encrypted, that data was captured and can be dissected. Based on the server responses, it looks like the intruder logged in anonymously to a Windows NT FTP server. From there the intruder retrieved brutus.pl, net-telnet-3.03.tar.gx, allwords.txt, nat10.tar, john1.6.tar.gz, and datapipe.c. The first three of these were used to do a dictionary brute force attack on the FTP server (mentioned earlier). Because the Libpcap file captures everything, all of these files were recorded. Since the datapipe.c file is an uncompiled C file, it can be read simply by looking at the stream (unlike the tar files which are binary and would need to be reconstructed). This gives full insight into the whole process of what the intruder was doing. Comparison Analysis In performing both the Windows and UNIX evidence gathering activities, the team noticed a few similarities between the two processes, as well as a few major differences. While the two operating systems do not share much in common natively, they do both use the same network protocols to interact with other machines and the Internet. Thus, most, if not all, of the network evidence gathered in either investigation was relevant for both; which IP addresses belong to which machines and which ports correspond to which services did not change depending on which operating system was being investigated at the time. This correspondence allowed evidence found in one investigation to be of use in the other, preventing the team from having to reinvent the wheel. Additionally, the use of an unpatched vulnerability allowed the intruder to get his or her foot in the door in both cases. For the Windows machine, it was a buffer overflow in an Internet Printing extension; in the case of UNIX, it was a buffer overflow in the print spool protocol. Even though the intruder did not have access to an employee’s login credentials from the outset, he/she was still able to gain access and perform malicious actions through this weakness. Information available online allowed the team to recognize exactly which vulnerability was used after using Snort to examine the respective batch files; if such information was readily accessible, a patch or fix was most likely also obtainable that could have prevented or at least impaired these incidents. On the other hand, the two investigations yielded an expected number of dissimilarities. The Windows network evidence acquisition yielded typically general details; the team discovered that a port scan was used, which IP addresses were associated with the attack, and that a file was transferred to the victim machine in order to facilitate future access for the attacker. Most of the data examined in the Windows investigation stemmed from the capture files which were run through a number of tools, including Snort and Argus. Therefore, it was difficult to get a good idea of what exactly the attacker was doing, what he/she was looking for, and how much damage had been done at the point that the investigation took place. Conversely, the UNIX investigation provided a surprisingly large number of specifics that could be used by the team to draw conclusions about the incident. For starters, a record of every command the intruder used through his/her backdoor connection was discovered, allowing the team to follow in the attacker’s footsteps as the intrusion happen. Moreover, the specific exploit was identified, along with the affected port numbers and protocols. User credentials created and used by the attacker were also discovered, giving the team solid clues on where to look next on the machine to fully uncover the extent of the incident. This quantity of details helps the team more accurately assign responsibility for the intrusion and create a response plan that will cover up the vulnerabilities used and go about bringing the attacker to justice. Lastly, while the UNIX investigation could be performed using another UNIX machine, the Windows investigation required the use of a Linux machine with a number of pre-requisites established; namely, build-essential and libpcapdev-0.8. Such a requirement may prevent a less experienced user from performing the investigation, as a typical Windows user may not be familiar with Linux or its dependency and package management system to effectively work through such an examination. A UNIX user, alternatively, would be using the same platform that he/she was familiar with to perform the investigation, so the operating system learning curve is non-existent, thereby requiring that the user only learn how to use the right tools in the correct fashion. While this point is obsolete when an experienced forensics team that is well versed in all operating systems is involved, it does create a barrier to aspiring forensic professionals who may be trying to manually troubleshoot and inspect potentially malicious parts of their systems. Conclusion Knowledge of how computer systems interact was important to perform a forensic investigation. Knowing the mechanisms for access to both Windows and UNIX systems meant that the team would be ready for an investigation with the correct tools. These tools ranged from packet sniffers, to text editing and comparison tools, to network intrusion and detection systems. Each of these tools proved useful from a forensics perspective to analyze statistical data, or summary information, alert data, data that has been flagged as possibly malicious, session data, or higher level information that can reconstruct communication patterns, and full content data, or the raw data flowing over a network. These tools were applied on real world data for both Windows and UNIX systems. The attack on Windows systems was able to be located as a buffer overflow, eventually allowing access to the system. The UNIX system had a similar fate with a buffer overflow attack and the ability for the attacker to gain access to that system to attack others. In conclusion, these techniques are useful on virtually any system and may be used for a variety of reasons. This may include locating an attacker, determining if a virus has infected the network, looking for users doing unlawful or things against policy (like gaining access to files or copying files off secure systems), or a variety of other purposes. Depending on the level, the different types of forensic data can be collected and evaluated with these tools in a similar process. Although the intricacies of Windows and UNIX systems differ, the fact that both are networked operating systems means both are vulnerable for attack but can be examined in relatively similar ways. Works Cited QoSient, LLC. (2010, March 28). ARGUS -Auditing Network Activity - Getting Started. Retrieved August 5, 2010, from QoSient: http://www.qosient.com/argus/gettingstarted.shtml Dittrich, D. (n.d.). Tools written/modified by Dave Dittrich. Retrieved August 5, 2010, from University of Washington: http://staff.washington.edu/dittrich/talks/core02/tools/tools.html Fuentes, F., & Dulal, K. (2005). Ethereal vs. Tcpdump: a comparative study on packet sniffing tools for educational purpose. Journal of Computing Sciences in Colleges, 20 (4), 169-175. Goebelbecker, E. (1995). Using grep: Moving from DOS? Discover the power of this Linux utility. Linux Journal (18es). Laurie, B. (2004). Network Forensics. Queue, 2 (4), 50-56. Liskov, B., Curtis, D., Johnson, P., & Scheifer, R. (1987). Implementation of Argus. ACM Symposium on Operating Systems Principles , 111-122. Ostermann, S. (2003, November 4). tcptrace - Official Homepage. Retrieved August 5, 2010, from tcptrace: http://tcptrace.org/ Roesch, M. (n.d.). About Snort. Retrieved August 5, 2010, from Snort :: About Snort: http://www.snort.org/snort
