1. Forensic Computer Analysis
ISMT350

2. Overview Why do we care? Forensic Science Overview Process and Tools
Evidence on Networks
Advanced Analysis
Errors & Uncertainty

3. Why do we Care? Determine what happened Determine extent of damage
Inform other universities of problems
Prevention & preparation for future
Mitigate risk & liability
If necessary, apprehend & prosecute =

4. Forensic Science Overview

5. Improper Evidence Handling Why we need to avoid…
Open to unfair dismissal claims
Vulnerable to false accusations
Researcher accused of hacking
Privacy violation leads to counter suit
Information leakage leads to larger problem
Unresolved incidents create problems
Larger problem goes unrecognized
Develop poor evidence handling skills

6. Forensic Science Overview
Science applied to the discovery of truth
Locard’s exchange principle
whenever two objects come in contact with each other, they transfer material from one to the other. The Locard exchange produces the trace evidence of interest from fingerprints to mud
Authorization
Locate / identify evidence
Collection, documentation & preservation
everything that you will need in two years
Crime reconstruction (forensic analysis)
when, where, how, what, who, why
reproducible & free from bias/distortion
Report / present

7. Continuity of Offense (COO)
Seek sources, conduits, and targets
Connect the dots
Corroborating evidence
Multiple independent sources
Victim’s mail
server/PC
Kiosk
Router
Proxy
Hotmail
NT DC
NetFlow
Access logs
Authentication logs

8. Pornography: Transmission Pivotal Case Study
The theory behind child pornography laws in the U S traditionally has been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes children who are used to create the child pornography.
U S versus Hilton, invalidated part of the Child Pornography Prevention Act of 1996, 18 USC Section 2252A.
Hilton claimed to have been collecting child pornography for research purposes:
Met with an FBI agent and U S Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet.
Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised.
Police uncovered evidence that “made us question his motivation."
A case of police prosecuting people trying to help cure the Child Pornography problem?

9. Pornography: Transmission
How to investigate a “US v. Hilton”
Modem logs
Shows PC was connected to Internet
Dial-up server logs
Confirms connection and account used
MAC times and Registry (LastWrite)
File modification, creation, and access times
FTP logs
On PC: file name, time, remote directory
On server: file name, size, time, account, IP

10. Relational Reconstruction
Improve understanding of events
Locate additional sources of evidence
Example: Accounting server break-in

11. Log File Correlation Sort each source independently, then combine
Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs
:32: Initializing modem.
:32: Send: AT
:32: Recv: AT
:32: Recv: OK
:32: Interpreted response: Ok
:32: Send: AT&FE0V1&C1&D2 S0=0 W1
:32: Recv: AT&FE0V1&C1&D2 S0=0 W1
:32: Recv: OK
:32: Interpreted response: Ok
:32: Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3
:32: Recv: OK
:32: Interpreted response: Ok
:32: Dialing.
:32: Send: ATDT##########

12. Time Pattern Analysis x = event Mon Tues Wed Thurs Fri Sat Sun 8am 9am
12pm
1pm
2pm
3pm
4pm
5pm
6pm
7pm
x = event

13. Histograms Histogram of events over time
High number of events at key times
Histogram of time periods may show unusual gaps
MAC times
System log entries

14. EnCase Timeline (patterns)

15. Search Methodology Identify the crime scene Area 1: Local Nodes
PDA’s
Laptops
Area 2: Wireless devices
Mobile equipment
802.11b
Area 3: Wireless networks
Core systems (BSC, MSC, SMS)
Area 4: Remote networks
Routers, switches, cables
Remote nodes

16. Authorization Example
Floppy found in desk drawer
Collected by IT staff
No authorization
Not clear if search was legal
Process not documented
Not clear who found disk
Disk not labeled
Not clear which disk among several disks
Hot potato – drop it!
High risk of counter suit

17. Chain of Custody Who collected & handled the evidence
Fewer people handling the evidence
=> Fewer people testify
Standard forms & procedures
=> Consistency

18. Collection & Preservation
Acquire evidence
EABD versus removing hard drive
save evidence on sterilized media
calculate MD5 checksum of evidence
digitally sign evidence (MD5, time & person)
Documentation
acquisition & verification process
who, where, how, when, and sometimes why
Lock original in safe
alternately use a custodian

19. Message Digests 128-bit “fingerprint” Two messages with same digest
16 hexadecimal values
Two messages with same digest
Computationally infeasible
Search disk for file with same MD5
md5sum netstat.exe
=> d360a862b30c7dd2cf3d

20. What to Collect? The original disk An exact copy of the original disk
Log files from the disk (e.g. UNIX wtmp)
Interpreted logs (output of last)
Information lost in summarization
Relevant portions of interpreted logs
Output of last username
May miss some relevant entries
Written notes describing command output
The approach depends on the circumstances

21. Remote Collection Document collection process (log to file)
May alert the suspect
Stepping in evidence
Same as at console
Forgotten evidence
Planning and procedures
Jurisdiction
May be only means - foreign countries
May cause an international incident
Evidence only available remotely (SNMP)

22. To shutdown or not to shutdown
Network state
Processes in memory (MB/GB)
Kernel memory
Swap space
Lose cached data not yet written to disk
Lose data protected by EFS/PGP disk
Corrupt existing data

23. Limitations of Live Exam?
Hasty
prone to error
automation helps avoid errors
Stepping in evidence
automation minimizes changes
not 100% (overwrite user.dmp)
Might miss something
alternate data streams
Can’t see deleted data
anyone have a floppy diskette?
Can’t trust operating system

24. Challenge Concealment
Deleted binary
Copy in /proc/pid/file
icat /dev/hda inode > recovered
Log deletion or wiping
wzap clears wtmp entries
Altering file attributes
Hidden files/Alternate Data Streams
hfind.exe (Foundstone)
Device files in Recycle Bin
Rootkits/Loadable Kernel Modules (Knark)
Encryption

25. The Coroner’s Toolkit grave-robber output coroner.log
proc with MD5 of output
command_out with MD5 of output
body - mactime database
removed_but_running
conf_vault
trust
MD5_all
MD5_all.md5

26. Case Example W2K Domain Controller Hacked Unusual port
Messy examination
Cleanup fails!

27. Initial Assessment Routine Network Vulnerability Scan
BO2K on port 1177 of W2K DC
Physical Assessment
Located in locked closet
Initial Examination
All security patches applied
NT Security Event logging enabled
fport: c:\winnt\system32\wlogin.exe
System cannot be shutdown
Central to operation of network

28. Network Assessment Accessible from the Internet No dial-up access
Many services enabled
file sharing
Internet Information Server
FTP (anonymous FTP disabled)
IIS fully patched

29. Assess and Preserve Toolkit of known good executables
Save output to external/remote disk
Note md5 values of output
Check for keystroke grabber / sniffer
No fakegina or klogger
Yes sniffer (system32\packet.sys)
MAC times to locate other files
Installed IRC bot in C:\WINNT\Java
No obvious access of sensitive information
Could have obtained passwords via lsass
Could have access to other machines

30. Logs No unusual logons in Security Event Logs
IIS logs from before security patch installation
Shows compromise via Web server
AntiVirus messages in Application Event Logs
1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed :
1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned: Files/Folders/Drives Omitted:89

31. Leads IP addresses from Web server logs IRC bot files
eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information

32. Remediation Change passwords and examine other hosts
HKLM\System\CurrentControlSent\Services
C:\WINNT\System32\wlogin.exe
Machine fails to reboot
Extended downtime
MAC times incomplete
C:\subdir
Wlogin is zeroed out
Accidental by examiner
Intentional by Norton/intruder?
No binary to analyze

33. Lessons Learned Intrusion prior to patching
Do not assume that system was secure
Lastwrite time of wlogin Registry key
Missed opportunity
Attempt to recover piecemeal
Don’t make matters worse than intruder
Make a plan and make a backup plan

34. Forensic Analysis Overview
Locate, recover, and interpret evidence
Low level analysis vs interpreted data
Timeline – when
Relational reconstruction – where
Functional reconstruction – how
Synthesis – what, why
crime reconstruction
risk assessment
motive and intent
Data may not be trustworthy
seek corroborating data on network

35. Analysis Process Access evidentiary images & backups
File inventory with hash values, etc.
Recover deleted data (files, folders, etc.)
Recover slack and unallocated space
Exclude known/unnecessary files
Remove duplicates
Process/decrypt/decompress files
swap and hibernation files
Index text data

36. File Systems General creation process
Allocation table and folder entries created
Time stamps set
Track written
Slack space
Perhaps artefacts generated
MS Word file menu Registry entries
Windows: FAT12, FAT16, FAT32, NTFS
Unix: UFS, ext2, ext3
Macintosh: HFS Plus

37. FAT

38. NTFS MFT records overwritten quickly
Index entries are overwritten quickly
Reference handbook
How quickly are blocks reused
Timestamp in MFT Record in table only modified when name is changed
Sourceforge for more information

39. Unix

40. MacOS (HFS Plus) Catalog file Time formats No access time Balance tree
File threads
Time formats
GMT v local
No access time

41. Linux – A Forensic Platform
# dd if=/dev/fd0 | md5sum
records in
records out
5f4ed28dce5232fb36c22435df5ac867 -
# dd if=/dev/fd0 of=floppy.image bs=512
# md5sum floppy.image
5f4ed28dce5232fb36c22435df5ac867 floppy.image
# mount -t vfat -o ro,noexec,loop floppy.image /mnt
# find /mnt -type f -exec sha1sum {} \;
86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
81e62f9f73633e85b91e b0ed /mnt/Computer.xml
0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
# grep -aibf searchlist floppy.image
75441:you and your entire business ransom.
75500:I want you to deposit $50,000 in the account
75767:Don't try anything, and dont contact the cops.

42. The Coroner’s Toolkit ils -A /dev/hda1 (free inodes)
ils –o /dev/hda1 (removed open files)
icat /dev/hda1 inode
pcat pid
mactime -R -d / 12/13/ /14/2001
mactime -d /export/home 10/30/2001
grave-robber -d . -E /
Perl is a requirement

43. Log File Correlation Use the time range from wtmp logs # last
user pts/ nyc Sat Oct 20 19: :08 (05:23)
# mactime -b body -l "Sat Oct 20 19: :08 (05:23)"
Oct :32: a. -r-xr-xr-x root bin /usr/bin/ftp

44. Computer Forensics Software

45. AccessData Forensic Toolkit® (FTK™)
The most popular of forensic software tools
View over 270 different file formats with Stellent's Outside In Viewer Technology.
Generate audit logs and case reports.
Compatible with the Password Recovery ToolkitTM and Distributed Network Attack®.
Full text indexing powered by dtSearch® yields instant text search results.
Advance searches for JPEG images and Internet text.
Locate binary patterns using Live Search.
Automatically recover deleted files and partitions.
Target key files quickly by creating custom file filters.
Supported File & Acquisition Formats
File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.
Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD.
& Zip File Analysis
Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN .
View, search, print, and export messages and attachments.
Recover deleted and partially deleted .
Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.
Known File Filter™ (KFF™)
Identify and flag standard operating system and program files.
Identify and flag known child pornography and other potential evidence files
Includes hash datasets from NIST and Hashkeeper
Registry Viewer™
Access and decrypt protected storage data
View independent registry files
Report generation
Integrates with AccessData's forensic Tools

46. Email Forensics How FTK is used …
is one of the most common ways people communicate
Studies have shown that more is generated every day than phone conversations and paper documents combined
Forensic Analysis of clients and servers has been in the spotlight of civil and criminal cases worldwide and no examination of Document Discovery is complete without requesting, searching and organizing

47. Email Forensics Identification and Extraction
The first step in an examination is to identify the sources of and how the servers and clients are used in an organization
More than just a way of sending messages clients and servers have expanded into full databases, document repositories, contact managers, time mangers, colanders and many other applications
E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM)
Lotus Notes and Domino Server are used beyond an system
Many users store their personal calendars, contacts and even synchronize their  clients with their Personal Digital Assistants (PDA)
Organizations use database enabled and messaging servers to manage cases, track clients and share data
Computer forensics should start their collection of evidence with

48. Email Forensics Deleted Email
Many user believe that once they delete from their client that the mail is unrecoverable
Nothing could be farther from the truth, many times s can forensically extracted even after deletion
Many users also do not grasp the concept that has a sender AND a recipient or multiple recipients
s may reside on servers unbeknown to the user, or on backup tapes that were created during the normal course of business
Of course they may also be extracted from the hard disk of the client or the server. 
Forensic programs are able to recover deleted , calendars and more from users clients and servers.

49. Email Forensics Web Mail or Web Based Email
It is completely possible to forensically recover that was created or received by web based systems and from free web based services such as Hotmail, Gmail (Google Mail) and Yahoo Mail
These types of mail systems use a browser to interface with the server, the browser inherently caches information to the disk drive in the system used to retrieve or generate the thereby effectively saving a copy to the disk
Forensic examiners can extract the HTML based from disk drive of the system used to create or retrieve the messages 
Many Web Based or Web mail services, including Yahoo and Hotmail have shared calendaring services, personal calendars and contact managers as . 
Anytime these services are accessed they may be cached to the disk as well. 

50. Email Forensics Correlating Email Messages
 New evidence is essentially created by
 Correlating s by date, subject, recipient or sender
These yield a map of inferences, events and entities
And open up opportunities for more complex pattern analysis
Forensic software is especially important in providing these correlations

51. EnCase Forensic (Guidance Software)
EnCase Forensic is the most popular software for computer forensic investigation
A single tool, capable of conducting large-scale and complex investigations from beginning to end:
Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide.
Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.
Automates complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.
Find information despite efforts to hide, cloak or delete.
Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.
Transfer evidence files directly to law enforcement or legal representatives as necessary.
Review options allow non-investigators, such as attorneys, to review evidence with ease.
Reporting options enable quick report preparation.

52. EnCase Functions

53. The EnCase Forensic GUI.

54. EnCase Forensic
"Conditions" permit users to create complex, multifaceted filters, using EnScript® programming language.

55. EnCase Forensic
The block size and error granularity settings interface

56. EnCase Forensic Logical Evidence Files
"Single Files" allows an examiner to drag and drop particular files of interest into EnCase for analysis
"Logical Evidence Files" can be created and locked from "Single Files," as well as from specific files of interest from an EnCase preview of subject media.

57. TASK Case Screen

58. TASK Host Screen

59. TASK Host Manager Screen

60. TASK Analysis Screen

61. FTK Extraction

62. SMART Main Screen

63. SMART Case View

64. PDA Seizure

65. Password Recovery Toolkit
PRTK: Combinations & permutations
Import FTK keyword list
Missed obvious combinations

66. DNA
40-bit Encryption
Windows 2000 EFS (export)
MS Word / Excel

67. Evidence on Networks Associating Online Activity with Logs Server logs
server logs
Web server logs

68. Internet activity -> data
Logs
Active
PPP Dial-up
TACACS/RADIUS
Terminal Server
Router/Firewall
Syslog/Netflow
show conns
Host logon
wtmp/NT Eventlog
utmp/nbtstat -c
Web server
access/error
netstat -an
server
messages/syslog
spool
FTP server
xferlog
IRC
server/bot logs
Wireless
device logs
device query
Mobile phone
transactions
location/conversations

69. Case Example Harassment Complaint Complaint Unauthorized e-mail access
Suspect pool
Process accounting
Bash history

70. Harassment (janesmith)
Make sure logs are consistent
mailserver# grep 'Login user=janesmith' syslog*
syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID mail.info] Login user=janesmith host=johnsmith.nasa.gov [ ]
What to look for next?

71. Harassment (continued)
wtmp logs indicate that her account was accessed from server4.nasa.gov on Dec 9 at 13:14
server# last janesmith
janesmith pts/114 server4.nasa.gov Sun Dec 9 13: :19 (00:05)
MAC times show that the .pinerc file was created on Dec 9 suggesting that this was the first time Pine was used to access in this account.

72. Harassment (continued)
wtmp logs on server4.nasa.gov show that seven people were logged in on Dec 9 at 13:14
Note: clock on server4.nasa.gov was 4 minutes fast
server4% last
walterp pts/14 roosevelt.nasa.g Sun Dec 9 13: :17 (00:07)
johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13: :29 (00:10)
stephens pts/13 lincoln.nasa.com Sun Dec 9 13: :16 (03:15)
hansmol pts/3 homepc.isp.com Fri Dec 7 14: :53 (6+20:38)
ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08: :23 (5+16:44)

73. Harassment (continued)
RADIUS logs show suspect disconnected prior to offense
,NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8, ,25, /08/ :38: ,40,1,44,E0D03B6B,66, ,45,1,41,0,61,5,4108, ,4116,0,4128,NASA VPN,4136,4,4142,0
,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8, ,25, /08/ :38: ,40,2,42, ,43, ,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66, ,45,1,41,0,61,5,4108, ,4116,0,4128,NASA VPN,4136,4,4142,0

74. Harassment (continued)
However, server4.nasa.gov kept process accounting logs and an examination of these logs show only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainants account.
server4% lastcomm | grep ssh
ssh S timsteel ?? secs Sun Dec 9 10:24
ssh S johnsmith ?? secs Sun Dec 9 13:10
ssh S richevans ?? secs Sun Dec 9 12:10

75. Harassment (continued)
Confirmed using bash history
server4# grep janesmith /home/johnsmith/.bash_history
ssh -l janesmith mailserver.ispX.com

76. Network Traffic Historical data Traffic capture Performance monitoring
NetFlow & Argus
IDS (may include full packet capture)
Traffic capture
Temporal considerations
Preservation
Reconstruction and analysis
Tools
Dsniff, NetWitness, Sandstorm, Nixsun, SilentRunner
Many for Unix (e.g., ngrep, review)

77. Performance Monitoring
Shows patterns on a device
Spikes in traffic
Loss of connectivity to a segment
Multi Router Traffic Grapher (MRTG)

78. Netflow and Snort Overview
flows represent unidirectional collection of similar packets
NetFlow logs contain basic flow information (src, dst, times, size)
Snort
based on libpcap
detects known attacks
highly configurable

79. Using Snort and NetFlow
Host logs may be overwritten
Intrusion Detection System shows partial picture
[**] FTP-site-exec [**]
02/23-04:51: :2721 -> :21
TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC
TCP Options (3) => NOP NOP TS:
NetFlow logs show more complete picture
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
:51: :51:

80. Netflow Losses Sequence numbers show gaps
% flow-header < ft-v
# mode: normal
# capture hostname: flow
# exporter IP address:
# capture start: Mon Apr 15 18:30:
# capture end: Mon Apr 15 18:45:
# capture period: seconds
# compress: on
# byte order: big
# stream version:
# export version:
# lost flows:
# corrupt packets:
# sequencer resets: 1
# capture flows:

81. Traffic Monitoring/Capture
tcpdump (68 bytes default capture)
Ethereal

82. Authorization Wiretap ECPA USA Patriot Act Live Capture
Protecting systems
ECPA
Stored communications & records
Maintenance and protect users
USA Patriot Act

83. libpcap losses High speed links overload sniffers
Protocol type 11 (honeynet)
Applies to all libpcap based sniffers
snort, tcpdump, NetWitness
# tcpdump -X host
tcpdump: listening on xl0
.....[data displayed on screen]… ^C
29451 packets received by filter
4227 packets dropped by kernel

84. Switches Isolates traffic CatOS Switched Port Analyzer (SPAN)
Sniffing is more difficult
CatOS Switched Port Analyzer (SPAN)
Spanning/Mirroring ports
Only copies valid Ethernet packets
Not all error information duplicated
Low priority of span may increase losses
Hardware taps
Copy signals without removing layers
May split Tx and Rx (reassembly required)

85. NIC Losses Applies to all NICs (firewalls, switches, etc.)
% netstat -nid
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth BRU
% /sbin/ifconfig
eth Link encap:Ethernet HWaddr 00:B0:D0:F3:CB:B5
inet addr: Bcast:
Mask:
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets: errors:0 dropped:0 overruns:128 frame:0
TX packets: errors:0 dropped:0 overruns:0 carrier:1
collisions: txqueuelen:100
Interrupt:23 Base address:0xec80

86. Intellectual Property Theft (rootkit)
Case Example
Intellectual Property Theft (rootkit)

87. Intellectual Property
IDS logs show intrusion
[**] FTP-site-exec [**]
09/14-12:27: > x.y
09/14-12:28: > x.y
09/14-12:33: > x.y
Concern: system contains sensitive data

88. IP Theft (assess damage)
Initial examination of compromised host showed no signs of compromise
no wtmp entries from site exec exploit
no syslog entries
no odd processes using ps or files using ls
System clock was 5 hours fast (Δt = 5hrs)
Oddities on system suggested compromise
difference between ps & lsof; /tmp/.tmp/

89. IP Theft (analysis) Used EnCase to analyze evidence
Recovered deleted syslogs (noting Δt)
Sep 14 17:07:22 host ftpd[617]: FTP session closed
Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM 231.efinityonline.com [ ], 1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11
Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1

90. Linux in EnCase

91. IP Theft (reconstruction)
Confirmed source of initial intrusion
Determined that target was high risk
Determined motive and intent
not aware of sensitive information on host
used host for DoS, scanning, and IRC
Determined that a sniffer had been used
Located other compromised systems
notified system owners on outside networks

92. Advanced Analysis

93. Timestamp Oddities Moved file in Windows Corrupt timestamps
Last write time before creation time
Corrupt timestamps
Windows folder and .lnk
MacOS
Some logs are in order of the end of the event
Process accounting
CISCO NetFlow

94. Artefacts of File Transfer
File transferred to external media
MS Word Metadata
Program’s file menu (registry key LastWrite)
MS Word, Powerpoint, Excel, etc.
WinZip, WinAmp
Explorer (e.g., RecentDocs, RunMRU)
Internet Explorer (history, cache, TypedURLs)
Shortcut (.lnk) files
Recent\Desktop (time ordered CAM)
Recycler
May be in unallocated space/swap/hibernation

95. Recent Lnk to External Disk

96. Network Artefacts Downloaded files Interactive connections
Telnet Lastmachine (registry)
Secure CRT .ini
Secure Shell
Unix directory listing on Windows PC
Web, , Usenet, IRC, etc.
IIS Transactions
pagefile.sys
Mapped network drives
NetHood (profile, MFT, registry, unallocated)

97. Internet Accounts HKEY_USERS
Key Name: SID\Software\Microsoft\Internet Account Manager\Accounts\
Class Name: <NO CLASS>
Last Write Time: 7/5/ :33 AM

98. Downloaded Files
Tape Archive (.tar)

99. Mapped Network Drive Explorer (\\name\drive) Scattered
StreamMRU, RunMRU, RecentDocs
Scattered
User.dmp, swap, unallocated space
Grep expression: \\\\[A-Z]+\\[A-Z]+
HKEY_USER: SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\NetHood

100. Unix Mounted Drives df, mount, samba /etc/fstab:
/dev/hda / ext2 defaults
/dev/hda /tmp ext2 defaults
/dev/hda /usr ext2 defaults
/dev/hda /var ext2 defaults
/dev/hda swap swap defaults
/dev/fd /mnt/floppy ext2 user,noauto
/dev/hdc /mnt/cdrom iso9660 user,noauto,ro
none /dev/pts devpts gid=5,mode=
none /proc proc defaults
remote-server:/home/accts /home/accts nfs bg,hard,intr,rsize=8192,wsize=8192
remote-server:/var/spool/mail /var/spool/mail nfs bg,hard,intr,noac,rsize=8192,wsize=8192

101. Remote Logs and Printing
/etc/syslog.conf
*.* @remote-server
/etc/printcap:
lp0|lp:\
:sd=/var/spool/lpd/lp0:\
:mx#0:\
:sh:\
:rm=remote-server:\
:rp=lp0:\
:if=/var/spool/lpd/lp0/filter:

102. Network Artefacts (Telnet)
Telnet registry

103. File Transfer Protocol
On PC: file name, time, remote directory
On server: file name, size, time, account, IP
Linux ncftp (.ncftp/trace; .ncftp/history)
xferlog: Nov 12 19:53: /home/user/image.jpg a _ o r user
WS_FTP: :53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg
SESSION STARTED at: Sun Oct 21 01:05:
Program Version: NcFTP 3.0.0/220 February , 05:20 PM
<cut for brevity>
01:05:44 Connecting to
01:05:52 > get openssl tar.gz
SESSION ENDED at: Sun Oct 21 01:06:

104. Network Artefacts (Unix ls)
Grep search
[d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-] (space)

105. More Unix/Mac Artefacts
SSH
authorized_keys (incoming)
known_hosts (outgoing)
.xauth/refcount/xfs/hostname
Unix xterm buffers show sessions
Transactions of various servers
Windows remnants on Unix
Directory files e.g., C:\winnt\system32\*.exe

106. Intellectual Property Theft (Insider)
Case Example
Intellectual Property Theft (Insider)

107. Initial Complaint Employee stole information prior to leaving
Terminated on Sept 16, 2002
Unknown documents from workstation
clients.mdb
Client contact database
Stored on W2K workstation
projectX
Secret project details
Stored on Unix file server
What do you look for?

108. W2K Workstation Security (card swipe) records Logon/Logoff record
Suspect entered building at 08:45am
Logon/Logoff record
C:\>ntlast /ad 16/9/2002 /v
Record Number: 18298
ComputerName: WKSTN11
EventID: Successful Logon
Logon: Tue Sep 16 08:50:58am 2002
Logoff: Tue Sep 16 09:10:00am 2002
Details -
ClientName: user11
ClientID: (0x0,0xDCF9)
ClientMachine: WKSTN11
ClientDomain: CORPX
LogonType: Interactive
How to collect this information as evidence?

109. W2K Workstation Transfer of clients.mdb HKEY_USERS
Accessed 09/16/ :58:30 EST
HKEY_USERS
\Windows\CurrentVersion\Explorer\RecentDocs
Suspect’s environment temp\clients.xls
Created at 08:59:14
Last modified at 08:58:49
Suspect’s outbox
Shows clients.xls sent to Hotmail
What information would you seek on network?

110. W2K Workstation Other file accessed at same time
private.doc
Registry OpenSaveMRU entry
Recent .lnk written and accessed
Recent A: .lnk written and accessed
What would you expect to find on associated floppy diskette?

111. Unix File Server SSH Client Access How to collect evidence?
Accessed:
\user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk
Files in \user11\Application Data\SSH\
\user11\Application Data\SSH\ HostKeys\key_22_srv1
How to collect evidence?
% last user11
user11 pts/77 wkstn11.corpx.com Sep 16 09: :06 (00:01)
% ls –altu
-rwxr-xr-x 1 admin staff Sep 16 09:05 projectX
ProjectX file found in c:\temp on wkstn11
What timestamps changed in transfer?

112. W2K Workstation Deleted projectX file found in c:\temp
Created: 09:05am
Accessed: 09:07am
Modified: 09/12/ :07:07am
Explorer\RecentDocs\NetHood
\\competitorpc\upload
LastWrite 09/13/ :04AM
Explain time discrepancy

113. Errors & Uncertainty
Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you heave already heard a similar story, perhaps you have formerly seen an analogous case…
Gross, H., Criminal Investigation: (Sweet & Maxwell, Ltd. 1924)

114. Errors and Uncertainty
Offender/victim covering behavior
Preconceived theories
Accepting others’ assumptions
Technological limitations
Mistakes and misinterpretation
Evidence dynamics
Handbook - Chapter 1
Uncertainty and loss
Casey, E: “Error, Uncertainty and Loss in Digital Evidence”, International Journal of Digital Evidence, Volume 1, Issue 2, 2002 (

115. Evidence Eliminator
Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM
OS Detected: Win95 [Win ]
Eliminating Folder: C:\WINDOWS\applog\
No folder found: C:\WINDOWS\applog\
Eliminating IE Typed URL History...
Data Found: String data: [url1-C:\My Documents\]
Eliminating IE Typed AutoComplete data...
Eliminating IE Download Folder record...
Eliminating IE Error Logs...
Eliminating File: C:\WINDOWS\IE4 Error Log.txt
No file found: C:\WINDOWS\IE4 Error Log.txt
Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\
Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\ including root folder...

116. Lily Pad Examples SubSeven with IRC Unix intrusion File sharing
Denial of service
Unix intrusion
Bypass firewall
Attack from within

117. Remote Storage Compromised host Shell/Web account Online services
Mounted network shares
Sniffers that log to remote shares
Home directory on remote server

118. Intruder Concealment Deleted binary Log deletion or wiping
Copy in /proc/pid/file
icat /dev/hda inode > recovered
Log deletion or wiping
wzap clears wtmp entries
Altering file attributes
Hidden files/Alternate Data Streams
hfind.exe
Device files in Recycle Bin
Rootkits/Loadable Kernel Modules (Knark)
Encryption

119. Altering File Attributes
Alter MAC times
touch in Unix
ls -altc
Microsoft SetFileTime() API
Hide from search tools
dir /t[:a]
afind.exe (FoundStone)

120. Alternate Data Streams
c:\temp> lads
LADS - Freeware version 3.01
(C) Copyright Frank Heyne Software (
Scanning directory C:\temp\
size ADS in file
17 C:\temp\myfile.txt:hidden
17 C:\temp\myfile.txt:onetwothree
17 C:\temp\myfile.txt:test
51 bytes found in 3 alternate data streams

121. Maresware: copy_ads
C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads
Program started Wed Sep 25 13:58: GMT, 09:58 EST (-5*)
FILES: DIRECTORY
C:\hidden\makeads:hidden2.txt /25/ :43w EST
C:\hidden\makeads:hidden2.txt
==> d:\evidence\ads\makeads\makeads[hidden2.txt]
C:\hidden\makeads\regularfile.txt /25/ :19:19w EST
C:\research\makeads\regularfile.txt
==> d:\evidence\ads\makeads\regularfile.txt
C:\research\makeads\regularfile.txt:hidden1.txt /25/ :19:19w EST
C:\research\makeads\regularfile.txt:hidden1.txt
==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]
Processed 16 directories, 118 files, totaling 7,703,785 bytes:
Found 1 directories with 1 alternate data streams.
Found 1 files with 1 alternate data streams.
Total 2 data streams byte count = 49 bytes

122. Rootkits Creates backdoors Replace system components to hide:
files
processes
promiscuous mode
network connections
Often includes tools
Sniffers
Log wiping utilities
Patches