Forensic Computer Analysis


1 Forensic Computer Analysis
ISMT350

2 Overview
Why do we care?
Forensic Science Overview
Process and Tools
Evidence on Networks
Advanced Analysis
Errors & Uncertainty

3 Why do we Care?
Determine what happened
Determine extent of damage
Inform other universities of problems
Prevention & preparation for future
Mitigate risk & liability
If necessary, apprehend & prosecute

4 Forensic Science Overview

5 Improper Evidence Handling
Why we need to avoid…
Open to unfair dismissal claims
Vulnerable to false accusations
  Researcher accused of hacking
Privacy violation leads to counter suit
Information leakage leads to larger problem
Unresolved incidents create problems
  Larger problem goes unrecognized
Develop poor evidence handling skills

6 Forensic Science Overview
Science applied to the discovery of truth
Locard’s exchange principle: whenever two objects come in contact with each other, they transfer material from one to the other. The Locard exchange produces the trace evidence of interest, from fingerprints to mud.
Authorization
Locate / identify evidence
Collection, documentation & preservation
  everything that you will need in two years
Crime reconstruction (forensic analysis)
  when, where, how, what, who, why
  reproducible & free from bias/distortion
Report / present

7 Continuity of Offense (COO)
Seek sources, conduits, and targets
Connect the dots
Corroborating evidence
  Multiple independent sources
Diagram labels: Victim’s mail server/PC, Kiosk, Router, Proxy, Hotmail, NT DC, NetFlow, Access logs, Authentication logs

8 Pornography: Transmission Pivotal Case Study
The theory behind child pornography laws in the U.S. traditionally has been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes children who are used to create the child pornography.
U.S. v. Hilton invalidated part of the Child Pornography Prevention Act of 1996, 18 USC Section 2252A.
Hilton claimed to have been collecting child pornography for research purposes:
  Met with an FBI agent and U.S. Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet.
  Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised.
Police uncovered evidence that “made us question his motivation."
A case of police prosecuting people trying to help cure the child pornography problem?

9 Pornography: Transmission
How to investigate a “US v. Hilton”
Modem logs
  Shows PC was connected to Internet
Dial-up server logs
  Confirms connection and account used
MAC times and Registry (LastWrite)
  File modification, creation, and access times
FTP logs
  On PC: file name, time, remote directory
  On server: file name, size, time, account, IP

10 Relational Reconstruction
Improve understanding of events Locate additional sources of evidence Example: Accounting server break-in

11 Log File Correlation
Sort each source independently, then combine
Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs
:32: Initializing modem.
:32: Send: AT
:32: Recv: AT
:32: Recv: OK
:32: Interpreted response: Ok
:32: Send: AT&FE0V1&C1&D2 S0=0 W1
:32: Recv: AT&FE0V1&C1&D2 S0=0 W1
:32: Recv: OK
:32: Interpreted response: Ok
:32: Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3
:32: Recv: OK
:32: Interpreted response: Ok
:32: Dialing.
:32: Send: ATDT##########

12 Time Pattern Analysis
[Grid of weekday (Mon to Sun) against hour of day (8am to 7pm); x = event]

13 Histograms
Histogram of events over time
  High number of events at key times
Histogram of time periods may show unusual gaps
  MAC times
  System log entries
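The hour-of-week grid from the previous slide and the gap histogram from this one, as an added example that is not part of the course slides. The event list is constructed: one hourly cron entry from syslog for a week, with the entries for the night of Wed 5 Dec 2001 missing as a wiped log would leave them, plus a cluster of file MAC times early on Sunday morning. The source names in the sample lines are invented.

```python
"""Hour-of-week histogram and gap detection over a merged event list."""
from collections import Counter
from datetime import date, datetime, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def constructed_sample():
    """Build the constructed sample as 'YYYY-MM-DD HH:MM:SS  <source>' lines."""
    lines = []
    t = datetime(2001, 12, 3)                       # a Monday
    while t <= datetime(2001, 12, 9, 23):
        wiped = ((t.date() == date(2001, 12, 5) and t.hour >= 22)
                 or (t.date() == date(2001, 12, 6) and t.hour < 6))
        if not wiped:
            lines.append(f"{t:%Y-%m-%d %H:%M:%S}  syslog: cron run")
        t += timedelta(hours=1)
    for minute in (10, 15, 40):                     # Sunday 02:xx file activity
        lines.append(f"2001-12-09 02:{minute:02d}:00  mactime: /usr/bin/ftp")
    return lines


def parse_events(lines):
    """Return (timestamp, source) pairs; all sources share one clock here."""
    events = []
    for line in lines:
        stamp, _, source = line.partition("  ")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), source))
    return events


def hour_histogram(events):
    """Count events per (weekday, hour) slot, the grid shown on the slide."""
    return Counter((ts.weekday(), ts.hour) for ts, _ in events)


def find_gaps(events, min_gap=timedelta(hours=3)):
    """Consecutive events further apart than min_gap: candidate wiped periods."""
    stamps = sorted(ts for ts, _ in events)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a >= min_gap]


def render(hist):
    """Text grid: rows are weekdays, columns hours 0-23, '.' means no event."""
    rows = ["    " + "".join(f"{h:>3}" for h in range(24))]
    for d, name in enumerate(DAYS):
        cells = "".join(f"{hist.get((d, h), 0) or '.':>3}" for h in range(24))
        rows.append(f"{name:<4}{cells}")
    return "\n".join(rows)


EVENTS = parse_events(constructed_sample())

if __name__ == "__main__":
    hist = hour_histogram(EVENTS)
    print(render(hist))
    print("busiest slot (weekday, hour), count:", hist.most_common(1))
    for a, b in find_gaps(EVENTS):
        print(f"gap: nothing logged between {a} and {b}")
```

On real data the events come from several sources (MAC times, syslog, Event Logs) and must be put on one clock first; the gap finder then shows the hours in which a normally chatty source went silent, which is where log wiping leaves its mark.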

14 EnCase Timeline (patterns)

15 Search Methodology
Identify the crime scene
Area 1: Local Nodes
  PDAs, Laptops
Area 2: Wireless devices
  Mobile equipment, 802.11b
Area 3: Wireless networks
  Core systems (BSC, MSC, SMS)
Area 4: Remote networks
  Routers, switches, cables
  Remote nodes

16 Authorization Example
Floppy found in desk drawer
Collected by IT staff
  No authorization
  Not clear if search was legal
Process not documented
  Not clear who found disk
Disk not labeled
  Not clear which disk among several disks
Hot potato – drop it!
  High risk of counter suit

17 Chain of Custody
Who collected & handled the evidence
Fewer people handling the evidence => Fewer people testify
Standard forms & procedures => Consistency

18 Collection & Preservation
Acquire evidence
  EABD versus removing hard drive
  save evidence on sterilized media
  calculate MD5 checksum of evidence
  digitally sign evidence (MD5, time & person)
Documentation
  acquisition & verification process
  who, where, how, when, and sometimes why
Lock original in safe
  alternately use a custodian

19 Message Digests
128-bit “fingerprint”
  16 hexadecimal values
Two messages with same digest
  Computationally infeasible
Search disk for file with same MD5
md5sum netstat.exe => d360a862b30c7dd2cf3d
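The "calculate MD5, then sign with time and person" step from the collection slide and the digest check from this one, as an added example; it is not course or tool code. The image bytes are constructed in place of a dd output, the examiner name and the sealing key are placeholders, and the seal is an HMAC rather than a public-key signature. MD5 is recorded because the slides use it; SHA-256 is recorded alongside because MD5 collisions are now practical, so MD5 alone no longer makes the "two messages with same digest" claim.

```python
"""Chain-of-custody digest manifest for an acquired image."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Placeholder key an examiner would keep private; not a real credential.
EXAMINER_KEY = b"placeholder-examiner-key"


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests of the evidence buffer."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def make_manifest(data: bytes, source: str, examiner: str, method: str,
                  acquired: datetime) -> dict:
    """Record what was imaged, by whom, how, when, and the digests, then seal
    the record so the who/when fields cannot be edited unnoticed."""
    record = {"source": source, "examiner": examiner, "method": method,
              "acquired_utc": acquired.isoformat(), "size": len(data),
              **digests(data)}
    canonical = json.dumps(record, sort_keys=True).encode()
    record["seal"] = hmac.new(EXAMINER_KEY, canonical, "sha256").hexdigest()
    return record


def verify_seal(manifest: dict) -> bool:
    """True if the manifest's metadata is unchanged since sealing."""
    body = {k: v for k, v in manifest.items() if k != "seal"}
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(EXAMINER_KEY, canonical, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["seal"])


def verify_image(data: bytes, manifest: dict) -> list:
    """Names of the digests that no longer match; an empty list means intact."""
    now = digests(data)
    return [name for name in ("md5", "sha256") if now[name] != manifest[name]]


# Constructed stand-in for a floppy image (1050 bytes).
SAMPLE_IMAGE = b"FAT12 boot sector stand-in" + bytes(range(256)) * 4

MANIFEST = make_manifest(
    SAMPLE_IMAGE, "/dev/fd0, floppy from desk drawer", "J. Examiner (placeholder)",
    "dd if=/dev/fd0 of=floppy.image bs=512",
    datetime(2002, 9, 25, 13, 58, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2))
    print("image intact:", verify_image(SAMPLE_IMAGE, MANIFEST) == [])
    print("seal intact :", verify_seal(MANIFEST))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"
    print("tampered image mismatches:", verify_image(tampered, MANIFEST))
```

The manifest is what goes in the safe with the original; re-running verify_image on the working copy before each analysis session, and verify_seal on the manifest itself, is the "verification process" the documentation bullet asks for.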

20 What to Collect?
The original disk
An exact copy of the original disk
Log files from the disk (e.g. UNIX wtmp)
Interpreted logs (output of last)
  Information lost in summarization
Relevant portions of interpreted logs
  Output of last username
  May miss some relevant entries
Written notes describing command output
The approach depends on the circumstances

21 Remote Collection
Document collection process (log to file)
May alert the suspect
Stepping in evidence
  Same as at console
Forgotten evidence
  Planning and procedures
Jurisdiction
  May be only means - foreign countries
  May cause an international incident
Evidence only available remotely (SNMP)

22 To shutdown or not to shutdown
Network state
Processes in memory (MB/GB)
Kernel memory
Swap space
Lose cached data not yet written to disk
Lose data protected by EFS/PGP disk
Corrupt existing data

23 Limitations of Live Exam?
Hasty
  prone to error
  automation helps avoid errors
Stepping in evidence
  automation minimizes changes
  not 100% (overwrite user.dmp)
Might miss something
  alternate data streams
Can’t see deleted data
  anyone have a floppy diskette?
Can’t trust operating system

24 Challenge Concealment
Deleted binary
  Copy in /proc/pid/file
  icat /dev/hda inode > recovered
Log deletion or wiping
  wzap clears wtmp entries
Altering file attributes
Hidden files/Alternate Data Streams
  hfind.exe (Foundstone)
Device files in Recycle Bin
Rootkits/Loadable Kernel Modules (Knark)
Encryption

25 The Coroner’s Toolkit
grave-robber output
  coroner.log
  proc with MD5 of output
  command_out with MD5 of output
  body - mactime database
  removed_but_running
  conf_vault
  trust
  MD5_all
  MD5_all.md5

26 Case Example
W2K Domain Controller Hacked
Unusual port
Messy examination
Cleanup fails!

27 Initial Assessment
Routine Network Vulnerability Scan
  BO2K on port 1177 of W2K DC
Physical Assessment
  Located in locked closet
Initial Examination
  All security patches applied
  NT Security Event logging enabled
  fport: c:\winnt\system32\wlogin.exe
System cannot be shutdown
  Central to operation of network

28 Network Assessment
Accessible from the Internet
No dial-up access
Many services enabled
  file sharing
  Internet Information Server
  FTP (anonymous FTP disabled)
  IIS fully patched

29 Assess and Preserve
Toolkit of known good executables
Save output to external/remote disk
Note md5 values of output
Check for keystroke grabber / sniffer
  No fakegina or klogger
  Yes sniffer (system32\packet.sys)
MAC times to locate other files
  Installed IRC bot in C:\WINNT\Java
No obvious access of sensitive information
  Could have obtained passwords via lsass
  Could have access to other machines

30 Logs
No unusual logons in Security Event Logs
IIS logs from before security patch installation
  Shows compromise via Web server
AntiVirus messages in Application Event Logs
1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded :
Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed :
1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned: Files/Folders/Drives Omitted:89

31 Leads
IP addresses from Web server logs
IRC bot files
  eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information

32 Remediation
Change passwords and examine other hosts
HKLM\System\CurrentControlSet\Services
C:\WINNT\System32\wlogin.exe
Machine fails to reboot
  Extended downtime
MAC times incomplete
  C:\subdir
Wlogin is zeroed out
  Accidental by examiner
  Intentional by Norton/intruder?
  No binary to analyze

33 Lessons Learned
Intrusion prior to patching
  Do not assume that system was secure
  Lastwrite time of wlogin Registry key
Missed opportunity
  Attempt to recover piecemeal
  Don’t make matters worse than intruder
  Make a plan and make a backup plan

34 Forensic Analysis Overview
Locate, recover, and interpret evidence
Low level analysis vs interpreted data
Timeline – when
Relational reconstruction – where
Functional reconstruction – how
Synthesis – what, why
  crime reconstruction
  risk assessment
  motive and intent
Data may not be trustworthy
  seek corroborating data on network

35 Analysis Process
Access evidentiary images & backups
File inventory with hash values, etc.
Recover deleted data (files, folders, etc.)
Recover slack and unallocated space
Exclude known/unnecessary files
Remove duplicates
Process/decrypt/decompress files
  swap and hibernation files
Index text data

36 File Systems
General creation process
  Allocation table and folder entries created
  Time stamps set
  Track written
  Slack space
  Perhaps artefacts generated
    MS Word file menu
    Registry entries
Windows: FAT12, FAT16, FAT32, NTFS
Unix: UFS, ext2, ext3
Macintosh: HFS Plus

37 FAT

38 NTFS
MFT records overwritten quickly
Index entries are overwritten quickly
Reference handbook
  How quickly are blocks reused
Timestamp in MFT
  Record in table only modified when name is changed
Sourceforge for more information

39 Unix

40 MacOS (HFS Plus)
Catalog file
  Balance tree
  File threads
Time formats
  GMT v local
No access time

41 Linux – A Forensic Platform
# dd if=/dev/fd0 | md5sum
records in
records out
5f4ed28dce5232fb36c22435df5ac867 -
# dd if=/dev/fd0 of=floppy.image bs=512
# md5sum floppy.image
5f4ed28dce5232fb36c22435df5ac867 floppy.image
# mount -t vfat -o ro,noexec,loop floppy.image /mnt
# find /mnt -type f -exec sha1sum {} \;
86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
81e62f9f73633e85b91e b0ed /mnt/Computer.xml
0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
# grep -aibf searchlist floppy.image
75441:you and your entire business ransom.
75500:I want you to deposit $50,000 in the account
75767:Don't try anything, and dont contact the cops.

42 The Coroner’s Toolkit
ils -A /dev/hda1 (free inodes)
ils -o /dev/hda1 (removed open files)
icat /dev/hda1 inode
pcat pid
mactime -R -d / 12/13/ /14/2001
mactime -d /export/home 10/30/2001
grave-robber -d . -E /
Perl is a requirement

43 Log File Correlation
Use the time range from wtmp logs
# last
user pts/ nyc Sat Oct 20 19: :08 (05:23)
# mactime -b body -l "Sat Oct 20 19: :08 (05:23)"
Oct :32: a. -r-xr-xr-x root bin /usr/bin/ftp

44 Computer Forensics Software

45 AccessData Forensic Toolkit® (FTK™)
The most popular of forensic software tools
View over 270 different file formats with Stellent's Outside In Viewer Technology.
Generate audit logs and case reports.
Compatible with the Password Recovery Toolkit™ and Distributed Network Attack®.
Full text indexing powered by dtSearch® yields instant text search results.
Advance searches for JPEG images and Internet text.
Locate binary patterns using Live Search.
Automatically recover deleted files and partitions.
Target key files quickly by creating custom file filters.
Supported File & Acquisition Formats
  File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3.
  Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD.
Email & Zip File Analysis
  Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN.
  View, search, print, and export messages and attachments.
  Recover deleted and partially deleted email.
  Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files.
Known File Filter™ (KFF™)
  Identify and flag standard operating system and program files.
  Identify and flag known child pornography and other potential evidence files
  Includes hash datasets from NIST and Hashkeeper
Registry Viewer™
  Access and decrypt protected storage data
  View independent registry files
  Report generation
  Integrates with AccessData's forensic Tools

46 Email Forensics
How FTK is used …
Email is one of the most common ways people communicate
Studies have shown that more email is generated every day than phone conversations and paper documents combined
Forensic analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide, and no examination of Document Discovery is complete without requesting, searching and organizing email

47 Email Forensics
Identification and Extraction
The first step in an email examination is to identify the sources of email and how the servers and clients are used in an organization
More than just a way of sending messages, email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars and many other applications
  E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM)
  Lotus Notes and Domino Server are used beyond an email system
Many users store their personal calendars, contacts and even synchronize their email clients with their Personal Digital Assistants (PDA)
Organizations use database enabled email and messaging servers to manage cases, track clients and share data
Computer forensic examiners should start their collection of evidence with email

48 Email Forensics
Deleted Email
Many users believe that once they delete email from their client the mail is unrecoverable
Nothing could be farther from the truth: many times emails can be forensically extracted even after deletion
Many users also do not grasp the concept that email has a sender AND a recipient or multiple recipients
Emails may reside on servers unbeknownst to the user, or on backup tapes that were created during the normal course of business
Of course they may also be extracted from the hard disk of the client or the server
Forensic programs are able to recover deleted email, calendars and more from users’ clients and servers

49 Email Forensics
Web Mail or Web Based Email
It is completely possible to forensically recover email that was created or received by web based systems and from free web based services such as Hotmail, Gmail (Google Mail) and Yahoo Mail
These types of mail systems use a browser to interface with the server; the browser inherently caches information to the disk drive of the system used to retrieve or generate the email, thereby effectively saving a copy to the disk
Forensic examiners can extract the HTML based email from the disk drive of the system used to create or retrieve the messages
Many Web Based or Web mail services, including Yahoo and Hotmail, have shared calendaring services, personal calendars and contact managers as well as email. Anytime these services are accessed they may be cached to the disk as well

50 Email Forensics
Correlating Email Messages
New evidence is essentially created by correlating emails by date, subject, recipient or sender
These yield a map of inferences, events and entities
And open up opportunities for more complex pattern analysis
Forensic software is especially important in providing these correlations

51 EnCase Forensic (Guidance Software)
EnCase Forensic is the most popular software for computer forensic investigation
A single tool, capable of conducting large-scale and complex investigations from beginning to end:
  Acquires data in a forensically sound manner using software with an unparalleled record in courts worldwide.
  Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.
  Automates complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.
  Find information despite efforts to hide, cloak or delete.
  Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.
  Transfer evidence files directly to law enforcement or legal representatives as necessary.
  Review options allow non-investigators, such as attorneys, to review evidence with ease.
  Reporting options enable quick report preparation.

52 EnCase Functions

53 The EnCase Forensic GUI.

54 EnCase Forensic "Conditions" permit users to create complex, multifaceted filters, using EnScript® programming language.

55 EnCase Forensic The block size and error granularity settings interface

56 EnCase Forensic
Logical Evidence Files
"Single Files" allows an examiner to drag and drop particular files of interest into EnCase for analysis
"Logical Evidence Files" can be created and locked from "Single Files," as well as from specific files of interest from an EnCase preview of subject media.

57 TASK Case Screen

58 TASK Host Screen

59 TASK Host Manager Screen

60 TASK Analysis Screen

61 FTK Extraction

62 SMART Main Screen

63 SMART Case View

64 PDA Seizure

65 Password Recovery Toolkit
PRTK: Combinations & permutations
Import FTK keyword list
Missed obvious combinations

66 DNA
40-bit Encryption
Windows 2000 EFS (export)
MS Word / Excel

67 Evidence on Networks
Associating Online Activity with Logs
Server logs
  Email server logs
  Web server logs

68 Internet activity -> data
Source | Logs | Active
PPP Dial-up | TACACS/RADIUS | Terminal Server
Router/Firewall | Syslog/Netflow | show conns
Host logon | wtmp/NT Eventlog | utmp/nbtstat -c
Web server | access/error | netstat -an
Email server | messages/syslog | spool
FTP server | xferlog |
IRC server/bot | logs |
Wireless device | logs | device query
Mobile phone | transactions | location/conversations

69 Case Example
Harassment Complaint
Complaint: Unauthorized e-mail access
Suspect pool
Process accounting
Bash history

70 Harassment (janesmith)
Make sure logs are consistent
mailserver# grep 'Login user=janesmith' syslog*
syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID mail.info] Login user=janesmith host=johnsmith.nasa.gov [ ]
What to look for next?

71 Harassment (continued)
wtmp logs indicate that her account was accessed from server4.nasa.gov on Dec 9 at 13:14
server# last janesmith
janesmith pts/114 server4.nasa.gov Sun Dec 9 13: :19 (00:05)
MAC times show that the .pinerc file was created on Dec 9, suggesting that this was the first time Pine was used to access email in this account.

72 Harassment (continued)
wtmp logs on server4.nasa.gov show that seven people were logged in on Dec 9 at 13:14
Note: clock on server4.nasa.gov was 4 minutes fast
server4% last
walterp pts/14 roosevelt.nasa.g Sun Dec 9 13: :17 (00:07)
johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13: :29 (00:10)
stephens pts/13 lincoln.nasa.com Sun Dec 9 13: :16 (03:15)
hansmol pts/3 homepc.isp.com Fri Dec 7 14: :53 (6+20:38)
ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08: :23 (5+16:44)

73 Harassment (continued)
RADIUS logs show suspect disconnected prior to offense
,NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8, ,25, /08/ :38: ,40,1,44,E0D03B6B,66, ,45,1,41,0,61,5,4108, ,4116,0,4128,NASA VPN,4136,4,4142,0
,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8, ,25, /08/ :38: ,40,2,42, ,43, ,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66, ,45,1,41,0,61,5,4108, ,4116,0,4128,NASA VPN,4136,4,4142,0

74 Harassment (continued)
However, server4.nasa.gov kept process accounting logs, and an examination of these logs shows only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainant’s account.
server4% lastcomm | grep ssh
ssh S timsteel ?? secs Sun Dec 9 10:24
ssh S johnsmith ?? secs Sun Dec 9 13:10
ssh S richevans ?? secs Sun Dec 9 12:10

75 Harassment (continued)
Confirmed using bash history
server4# grep janesmith /home/johnsmith/.bash_history
ssh -l janesmith mailserver.ispX.com
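The correlation the harassment case walks through, from the mailserver login time to server4's wtmp and process accounting with the 4-minute clock skew taken into account, as an added example that is not part of the case slides. The `last` and `lastcomm` lines are constructed in the usual output layout of those tools (the slide's own copies lost their minute fields), using the slide's fictitious hosts and users; the session times, the skew direction (server4 ahead of true time) and the two-minute search window are assumptions for the example.

```python
"""Correlate wtmp (`last`) and process accounting (`lastcomm`) across hosts
with a known clock skew: true_time = server4_time - 4 min."""
import re
from datetime import datetime, timedelta

YEAR = 2001
LOGIN_AT = datetime(YEAR, 12, 9, 13, 14)     # mailserver: janesmith login from server4
SERVER4_SKEW = timedelta(minutes=4)          # server4's clock runs ahead of true time

# Constructed `last` output from server4 (its own clock).
SERVER4_LAST = """\
walterp    pts/14   roosevelt.nasa.g Sun Dec  9 13:10 - 13:17  (00:07)
johnsmith  pts/2    pc01.admin.nasa. Sun Dec  9 13:18 - 13:28  (00:10)
stephens   pts/13   lincoln.nasa.com Sun Dec  9 13:01 - 16:16  (03:15)
hansmol    pts/3    homepc.isp.com   Fri Dec  7 14:15 - 10:53  (6+20:38)
ianjones   pts/7    nasavpn-22.nasa. Fri Dec  7 08:39 - 01:23  (5+16:44)

wtmp begins Thu Nov  1 00:00:01 2001
"""

# Constructed `lastcomm` output from server4 (its own clock).
SERVER4_LASTCOMM = """\
ssh        S   timsteel   ??       0.05 secs Sun Dec  9 10:24
ssh        S   johnsmith  ??       0.11 secs Sun Dec  9 13:18
ssh        S   richevans  ??       0.04 secs Sun Dec  9 12:10
grep           johnsmith  pts/2    0.02 secs Sun Dec  9 13:20
"""

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s+(?P<host>\S+)\s+\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) "
    r"(?P<hh>\d\d):(?P<mm>\d\d)(?:.*\((?:(?P<days>\d+)\+)?(?P<dh>\d\d):(?P<dm>\d\d)\))?\s*$")
LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)(?:\s+[A-Z]+)?\s+(?P<user>\S+)\s+\S+\s+[\d.]+ secs\s+\w{3} "
    r"(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d)")


def _stamp(m):
    """Neither tool prints the year, so it is supplied from YEAR."""
    return datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['hh']}:{m['mm']}", "%Y %b %d %H:%M")


def parse_last(text):
    """Sessions as dicts; a line without a duration is a still-open session."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue                              # blank line or 'wtmp begins' footer
        start = _stamp(m)
        if m["dh"] is None:
            end = datetime.max
        else:
            end = start + timedelta(days=int(m["days"] or 0), hours=int(m["dh"]), minutes=int(m["dm"]))
        sessions.append({"user": m["user"], "host": m["host"], "start": start, "end": end})
    return sessions


def parse_lastcomm(text):
    return [{"cmd": m["cmd"], "user": m["user"], "time": _stamp(m)}
            for m in map(LASTCOMM_RE.match, text.splitlines()) if m]


def active_at(sessions, when, skew=timedelta(0)):
    """Users whose session covers `when` (true time) once the host's skew is removed."""
    return sorted({s["user"] for s in sessions
                   if s["start"] - skew <= when <= s["end"] - skew})


def who_ran(records, cmd, window, skew=timedelta(0)):
    """Users who ran `cmd` inside the (true-time) window."""
    lo, hi = window
    return sorted({r["user"] for r in records
                   if r["cmd"] == cmd and lo <= r["time"] - skew <= hi})


def investigate():
    sessions = parse_last(SERVER4_LAST)
    accounting = parse_lastcomm(SERVER4_LASTCOMM)
    window = (LOGIN_AT - timedelta(minutes=2), LOGIN_AT + timedelta(minutes=2))
    naive = active_at(sessions, LOGIN_AT)                    # skew ignored
    corrected = active_at(sessions, LOGIN_AT, SERVER4_SKEW)
    ssh_users = who_ran(accounting, "ssh", window, SERVER4_SKEW)
    return {"naive": naive, "corrected": corrected, "ssh_users": ssh_users,
            "suspects": sorted(set(corrected) & set(ssh_users))}


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key:>10}: {value}")
```

The `naive` and `corrected` lists differ in exactly the account that matters: without the skew correction the wtmp view points at the wrong session, which is the reason the slides insist on checking clock consistency before correlating logs. Process accounting then narrows the candidates to the one user who ran ssh in the window, and bash history (previous slide) confirms it.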

76 Network Traffic
Historical data
  NetFlow & Argus
  IDS (may include full packet capture)
Traffic capture
  Temporal considerations
  Preservation
  Reconstruction and analysis
Performance monitoring
Tools
  Dsniff, NetWitness, Sandstorm, Nixsun, SilentRunner
  Many for Unix (e.g., ngrep, review)

77 Performance Monitoring
Shows patterns on a device
  Spikes in traffic
  Loss of connectivity to a segment
Multi Router Traffic Grapher (MRTG)

78 Netflow and Snort Overview
flows represent unidirectional collection of similar packets
NetFlow logs contain basic flow information (src, dst, times, size)
Snort
  based on libpcap
  detects known attacks
  highly configurable

79 Using Snort and NetFlow
Host logs may be overwritten
Intrusion Detection System shows partial picture
[**] FTP-site-exec [**]
02/23-04:51: :2721 -> :21 TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC
TCP Options (3) => NOP NOP TS:
NetFlow logs show more complete picture
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
:51: :51:
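The pivot this slide describes, from one Snort alert to the NetFlow records that show what happened next, as an added example that is not from the slides. The alert and flow lines are constructed in the layouts of Snort's alert file and flow-tools' `flow-print`, with RFC 5737 documentation addresses, because the slide's own copies lost their addresses; the follow-on connections (a high port back to the attacker, an IRC port to a third host) are invented to illustrate the point. Neither format carries the year, so it is supplied as a constant.

```python
"""Pivot from a Snort alert to the NetFlow records around it."""
import re
from datetime import datetime, timedelta

YEAR = 2002

# Constructed Snort alert (three-line alert-file layout).
SNORT_ALERTS = """\
[**] FTP-site-exec [**]
02/23-04:51:12.100001 203.0.113.7:2721 -> 192.0.2.10:21
TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
"""

# Constructed flow-print style records; only the first is what the IDS saw.
NETFLOW = """\
Start             End               Sif SrcIPaddress  SrcP  DIf DstIPaddress  DstP  P  Fl Pkts Octets
0223.04:51:10.123 0223.04:51:40.500 0   203.0.113.7   2721  1   192.0.2.10    21    6  1b 41   3182
0223.04:51:41.010 0223.04:52:05.900 1   192.0.2.10    1034  0   203.0.113.7   31337 6  1b 120  15204
0223.04:53:12.000 0223.05:10:44.000 1   192.0.2.10    1035  0   198.51.100.9  6667  6  1b 88   7012
0223.03:10:00.000 0223.03:10:00.300 0   198.51.100.44 53    1   192.0.2.10    53    17 10 1    84
"""

ALERT_RE = re.compile(
    r"^(?P<mo>\d\d)/(?P<d>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.\d+ "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)")


def parse_alerts(text):
    """Pair each '[**] name [**]' line with the timestamp/endpoint line below it."""
    alerts, name = [], None
    for line in text.splitlines():
        if line.startswith("[**]"):
            name = line.strip("[]* ")
            continue
        m = ALERT_RE.match(line)
        if m:
            t = datetime(YEAR, int(m["mo"]), int(m["d"]), int(m["hh"]), int(m["mm"]), int(m["ss"]))
            alerts.append({"name": name, "time": t, "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def _flow_time(field):
    """'0223.04:51:10.123' -> datetime (milliseconds dropped)."""
    return datetime.strptime(f"{YEAR}{field[:4]} {field[5:13]}", "%Y%m%d %H:%M:%S")


def parse_flows(text):
    flows = []
    for line in text.splitlines()[1:]:               # skip the header row
        f = line.split()
        if len(f) < 12:
            continue
        flows.append({"start": _flow_time(f[0]), "end": _flow_time(f[1]),
                      "src": f[3], "sport": int(f[4]), "dst": f[6], "dport": int(f[7]),
                      "proto": int(f[8]), "pkts": int(f[10]), "octets": int(f[11])})
    return flows


def related_flows(alert, flows, after=timedelta(minutes=30), before=timedelta(minutes=1)):
    """Flows touching either alert endpoint that start shortly before, or within
    `after` of, the alert; `before` catches the flow that carried the attack."""
    lo, hi = alert["time"] - before, alert["time"] + after
    hosts = {alert["src"], alert["dst"]}
    return [f for f in flows if lo <= f["start"] <= hi and (f["src"] in hosts or f["dst"] in hosts)]


def unflagged(alert, flows):
    """Related flows other than the connection the IDS already alerted on:
    the follow-on activity the IDS alone does not show."""
    sig = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    return [f for f in flows if (f["src"], f["sport"], f["dst"], f["dport"]) != sig]


ALERTS = parse_alerts(SNORT_ALERTS)
FLOWS = parse_flows(NETFLOW)

if __name__ == "__main__":
    for a in ALERTS:
        rel = related_flows(a, FLOWS)
        print(f"{a['name']} at {a['time']}: {len(rel)} related flows")
        for f in unflagged(a, rel):
            print(f"  follow-on {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
                  f"proto {f['proto']} {f['octets']} bytes {f['start']}..{f['end']}")
```

The flows are unidirectional, as the previous slide notes, so a single TCP connection shows up as two records in a real export; the window and host filter above keep both halves, and the unrelated DNS flow from earlier in the morning drops out.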

80 Netflow Losses
Sequence numbers show gaps
% flow-header < ft-v
# mode: normal
# capture hostname: flow
# exporter IP address:
# capture start: Mon Apr 15 18:30:
# capture end: Mon Apr 15 18:45:
# capture period: seconds
# compress: on
# byte order: big
# stream version:
# export version:
# lost flows:
# corrupt packets:
# sequencer resets: 1
# capture flows:

81 Traffic Monitoring/Capture
tcpdump (68 bytes default capture)
Ethereal

82 Authorization
Wiretap
  ECPA
  USA Patriot Act
  Live Capture
Protecting systems
  ECPA
  Stored communications & records
  Maintenance and protect users
  USA Patriot Act

83 libpcap losses
High speed links overload sniffers
Protocol type 11 (honeynet)
Applies to all libpcap based sniffers
  snort, tcpdump, NetWitness
# tcpdump -X host
tcpdump: listening on xl0
.....[data displayed on screen]…
^C
29451 packets received by filter
4227 packets dropped by kernel

84 Switches
Isolates traffic
  Sniffing is more difficult
CatOS Switched Port Analyzer (SPAN)
  Spanning/Mirroring ports
  Only copies valid Ethernet packets
  Not all error information duplicated
  Low priority of span may increase losses
Hardware taps
  Copy signals without removing layers
  May split Tx and Rx (reassembly required)

85 NIC Losses
Applies to all NICs (firewalls, switches, etc.)
% netstat -nid
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth BRU
% /sbin/ifconfig
eth Link encap:Ethernet HWaddr 00:B0:D0:F3:CB:B5
inet addr: Bcast: Mask:
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets: errors:0 dropped:0 overruns:128 frame:0
TX packets: errors:0 dropped:0 overruns:0 carrier:1
collisions: txqueuelen:100
Interrupt:23 Base address:0xec80

86 Case Example
Intellectual Property Theft (rootkit)

87 Intellectual Property
IDS logs show intrusion
[**] FTP-site-exec [**]
09/14-12:27: > x.y
09/14-12:28: > x.y
09/14-12:33: > x.y
Concern: system contains sensitive data

88 IP Theft (assess damage)
Initial examination of compromised host showed no signs of compromise
  no wtmp entries from site exec exploit
  no syslog entries
  no odd processes using ps or files using ls
System clock was 5 hours fast (Δt = 5hrs)
Oddities on system suggested compromise
  difference between ps & lsof; /tmp/.tmp/

89 IP Theft (analysis)
Used EnCase to analyze evidence
Recovered deleted syslogs (noting Δt)
Sep 14 17:07:22 host ftpd[617]: FTP session closed
Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM 231.efinityonline.com [ ], 1À1Û1ɰF̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11
Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1

90 Linux in EnCase

91 IP Theft (reconstruction)
Confirmed source of initial intrusion
Determined that target was high risk
Determined motive and intent
  not aware of sensitive information on host
  used host for DoS, scanning, and IRC
Determined that a sniffer had been used
Located other compromised systems
  notified system owners on outside networks

92 Advanced Analysis

93 Timestamp Oddities
Moved file in Windows
  Last write time before creation time
Corrupt timestamps
  Windows folder and .lnk
  MacOS
Some logs are in order of the end of the event
  Process accounting
  CISCO NetFlow
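A small rule set that flags the oddities this slide lists in a file inventory, as an added example that is not from the slides. The inventory is constructed: its first record mirrors the deleted projectX file from the insider case later in the deck (created 09:05, accessed 09:07, last written four days earlier), which is the normal signature of a file copied in from elsewhere rather than edited in place; the other records, including the dates given for wlogin.exe, are invented to exercise the remaining rules.

```python
"""Flag timestamp oddities in a file inventory."""
from datetime import datetime

REFERENCE_NOW = datetime(2002, 9, 25, 14, 0)      # when the inventory was taken

# Constructed inventory (paths from the deck, dates invented for the example).
INVENTORY = [
    {"path": r"C:\temp\projectX", "created": datetime(2002, 9, 16, 9, 5),
     "modified": datetime(2002, 9, 12, 9, 7, 7), "accessed": datetime(2002, 9, 16, 9, 7)},
    {"path": r"C:\Docs\report.doc", "created": datetime(2002, 9, 1, 10, 0),
     "modified": datetime(2002, 9, 10, 11, 0), "accessed": datetime(2002, 9, 16, 9, 0)},
    {"path": r"C:\WINNT\system32\wlogin.exe", "created": datetime(2002, 1, 10, 3, 0),
     "modified": datetime(1999, 12, 7, 12, 0), "accessed": datetime(2002, 1, 9, 23, 0)},
    {"path": r"C:\temp\notes.txt", "created": datetime(2002, 9, 20, 8, 0),
     "modified": datetime(2003, 1, 1, 0, 0), "accessed": datetime(2002, 9, 20, 8, 0)},
]


def classify(rec, now=REFERENCE_NOW):
    """Return the oddity codes that apply to one inventory record."""
    c, m, a = rec["created"], rec["modified"], rec["accessed"]
    codes = []
    if m < c:
        # Windows keeps the source's last-write time on copy or move but sets a
        # fresh creation time, so this is expected for files brought in from
        # elsewhere and only suspicious for a file supposedly authored here.
        codes.append("write_before_create")
    if a < c:
        # Nothing can read a file before it exists: corrupt or altered stamps.
        codes.append("access_before_create")
    for name, t in (("created", c), ("modified", m), ("accessed", a)):
        if t > now:
            codes.append(f"future_{name}")        # clock skew or a backdating tool
    return codes


def audit(inventory, now=REFERENCE_NOW):
    """Map each path to its oddity codes (empty list = nothing unusual)."""
    return {rec["path"]: classify(rec, now) for rec in inventory}


if __name__ == "__main__":
    for path, codes in audit(INVENTORY).items():
        print(f"{path:<32} {', '.join(codes) or 'ok'}")
```

The codes are leads, not conclusions: "write_before_create" on a document in a user's temp folder is exactly what a transfer from another machine looks like, while the same code on a system binary, together with an access time before creation, is the kind of inconsistency the later concealment slides attribute to touch-style tampering.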

94 Artefacts of File Transfer
File transferred to external media
MS Word Metadata
Program’s file menu (registry key LastWrite)
  MS Word, Powerpoint, Excel, etc.
  WinZip, WinAmp
Explorer (e.g., RecentDocs, RunMRU)
Internet Explorer (history, cache, TypedURLs)
Shortcut (.lnk) files
  Recent\Desktop (time ordered CAM)
Recycler
May be in unallocated space/swap/hibernation

95 Recent Lnk to External Disk

96 Network Artefacts
Downloaded files
Interactive connections
  Telnet Lastmachine (registry)
  Secure CRT .ini
  Secure Shell
  Unix directory listing on Windows PC
Web, email, Usenet, IRC, etc.
IIS Transactions
  pagefile.sys
Mapped network drives
  NetHood (profile, MFT, registry, unallocated)

97 Internet Accounts
HKEY_USERS
Key Name: SID\Software\Microsoft\Internet Account Manager\Accounts\
Class Name: <NO CLASS>
Last Write Time: 7/5/ :33 AM

98 Downloaded Files Tape Archive (.tar)

99 Mapped Network Drive
Explorer (\\name\drive)
  StreamMRU, RunMRU, RecentDocs
Scattered
  User.dmp, swap, unallocated space
  Grep expression: \\\\[A-Z]+\\[A-Z]+
HKEY_USER: SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\NetHood

100 Unix Mounted Drives
df, mount, samba
/etc/fstab:
/dev/hda / ext2 defaults
/dev/hda /tmp ext2 defaults
/dev/hda /usr ext2 defaults
/dev/hda /var ext2 defaults
/dev/hda swap swap defaults
/dev/fd /mnt/floppy ext2 user,noauto
/dev/hdc /mnt/cdrom iso9660 user,noauto,ro
none /dev/pts devpts gid=5,mode=
none /proc proc defaults
remote-server:/home/accts /home/accts nfs bg,hard,intr,rsize=8192,wsize=8192
remote-server:/var/spool/mail /var/spool/mail nfs bg,hard,intr,noac,rsize=8192,wsize=8192

101 Remote Logs and Printing
/etc/syslog.conf:
*.* @remote-server
/etc/printcap:
lp0|lp:\
  :sd=/var/spool/lpd/lp0:\
  :mx#0:\
  :sh:\
  :rm=remote-server:\
  :rp=lp0:\
  :if=/var/spool/lpd/lp0/filter:

102 Network Artefacts (Telnet)
Telnet registry

103 File Transfer Protocol
On PC: file name, time, remote directory
On server: file name, size, time, account, IP
Linux ncftp (.ncftp/trace; .ncftp/history)
xferlog:
Nov 12 19:53: /home/user/image.jpg a _ o r user
WS_FTP:
:53 A C:\download\image.jpg <-- FTP Server /home/user image.jpg
SESSION STARTED at: Sun Oct 21 01:05:
Program Version: NcFTP 3.0.0/220 February , 05:20 PM
<cut for brevity>
01:05:44 Connecting to
01:05:52 > get openssl tar.gz
SESSION ENDED at: Sun Oct 21 01:06:

104 Network Artefacts (Unix ls)
Grep search: [d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-] (space)

105 More Unix/Mac Artefacts
SSH
  authorized_keys (incoming)
  known_hosts (outgoing)
.xauth/refcount/xfs/hostname
Unix xterm buffers show sessions
Transactions of various servers
Windows remnants on Unix
  Directory files e.g., C:\winnt\system32\*.exe
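The raw-byte searches of the last few slides (the UNC-path grep for mapped drives, the `ls -l` pattern for Unix listings on a Windows disk, and the `grep -aibf searchlist` keyword search from the Linux platform slide) in one pass, as an added example that is not from the slides. It generalises the slide's expressions slightly: the UNC pattern accepts the characters real host and share names contain, not only `[A-Z]`, and the ls pattern carries on past the mode string. The image is constructed here, the offsets reported are into that buffer, and the embedded strings reuse the deck's own fictitious examples.

```python
"""Search a raw image for network and file-system artefacts."""
import re

# The slide's UNC expression, widened from [A-Z]+ to the characters share and
# host names actually contain.
UNC_RE = re.compile(rb"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+")
# The slide's ls pattern, followed by the link count, owner, group, size,
# month, day, time and name fields of an `ls -l` line.
LS_RE = re.compile(rb"[d-][rwx-]{9} +\d+ +\S+ +\S+ +\d+ +[A-Z][a-z]{2} +\d+ +[\d:]+ +[^\r\n\x00]{1,80}")

KEYWORDS = [b"ransom", b"deposit", b"cops"]        # the 'searchlist' file

FILLER = bytes(range(256)) * 4                    # deterministic non-text filler
# Constructed image: text fragments surrounded by filler, as carved data would be.
SAMPLE_IMAGE = (FILLER
                + b"\\\\competitorpc\\upload\x00\x00" + FILLER
                + b"-rwxr-xr-x 1 admin staff 48211 Sep 16 09:05 projectX\n" + FILLER
                + b"you and your entire business ransom.\r\n"
                + b"I want you to deposit $50,000 in the account\r\n"
                + b"Don't try anything, and dont contact the cops.\r\n" + FILLER)


def carve(image, pattern):
    """(offset, match) for every occurrence of a compiled bytes pattern."""
    return [(m.start(), m.group()) for m in pattern.finditer(image)]


def printable_run(image, pos):
    """Expand from pos over printable ASCII, giving the 'line' grep -a would print."""
    lo = hi = pos
    while lo > 0 and 0x20 <= image[lo - 1] <= 0x7e:
        lo -= 1
    while hi < len(image) and 0x20 <= image[hi] <= 0x7e:
        hi += 1
    return image[lo:hi]


def keyword_hits(image, keywords):
    """Case-insensitive keyword search: (offset, surrounding text), sorted by offset."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), image, re.IGNORECASE):
            hits.append((m.start(), printable_run(image, m.start())))
    return sorted(hits)


if __name__ == "__main__":
    for off, s in carve(SAMPLE_IMAGE, UNC_RE):
        print(f"{off}: UNC path {s.decode()}")
    for off, s in carve(SAMPLE_IMAGE, LS_RE):
        print(f"{off}: directory listing {s.decode()}")
    for off, s in keyword_hits(SAMPLE_IMAGE, KEYWORDS):
        print(f"{off}: {s.decode()}")
```

Because the search runs over bytes rather than files it works the same on unallocated space, pagefile.sys or a hibernation file; the offsets are what an examiner records so the hit can be located again in the image and its neighbourhood examined in a hex viewer.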

106 Case Example
Intellectual Property Theft (Insider)

107 Initial Complaint
Employee stole information prior to leaving
  Terminated on Sept 16, 2002
Unknown documents from workstation
clients.mdb
  Client contact database
  Stored on W2K workstation
projectX
  Secret project details
  Stored on Unix file server
What do you look for?

108 W2K Workstation
Security (card swipe) records
  Suspect entered building at 08:45am
Logon/Logoff record
C:\>ntlast /ad 16/9/2002 /v
Record Number: 18298
ComputerName: WKSTN11
EventID: Successful Logon
Logon: Tue Sep 16 08:50:58am 2002
Logoff: Tue Sep 16 09:10:00am 2002
Details - ClientName: user11
ClientID: (0x0,0xDCF9)
ClientMachine: WKSTN11
ClientDomain: CORPX
LogonType: Interactive
How to collect this information as evidence?

109 W2K Workstation
Transfer of clients.mdb
HKEY_USERS \Windows\CurrentVersion\Explorer\RecentDocs
  Accessed 09/16/ :58:30 EST
Suspect’s environment
  temp\clients.xls
  Created at 08:59:14
  Last modified at 08:58:49
Suspect’s outbox
  Shows clients.xls sent to Hotmail
What information would you seek on network?

110 W2K Workstation
Other file accessed at same time
  private.doc
  Registry OpenSaveMRU entry
  Recent .lnk written and accessed
  Recent A: .lnk written and accessed
What would you expect to find on associated floppy diskette?

111 Unix File Server
SSH Client Access
  Accessed: \user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk
  Files in \user11\Application Data\SSH\
  \user11\Application Data\SSH\HostKeys\key_22_srv1
How to collect evidence?
% last user11
user11 pts/77 wkstn11.corpx.com Sep 16 09: :06 (00:01)
% ls -altu
-rwxr-xr-x 1 admin staff Sep 16 09:05 projectX
ProjectX file found in c:\temp on wkstn11
What timestamps changed in transfer?

112 W2K Workstation
Deleted projectX file found in c:\temp
  Created: 09:05am
  Accessed: 09:07am
  Modified: 09/12/ :07:07am
Explorer\RecentDocs\NetHood
  \\competitorpc\upload
  LastWrite 09/13/ :04AM
Explain time discrepancy

113 Errors & Uncertainty
Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case…
Gross, H., Criminal Investigation (Sweet & Maxwell, Ltd. 1924)

114 Errors and Uncertainty
Offender/victim covering behavior
Preconceived theories
Accepting others’ assumptions
Technological limitations
Mistakes and misinterpretation
Evidence dynamics
Handbook - Chapter 1
Uncertainty and loss
Casey, E: “Error, Uncertainty and Loss in Digital Evidence”, International Journal of Digital Evidence, Volume 1, Issue 2, 2002

115 Evidence Eliminator
Evidence Eliminator v5.053 started work: 3/4/01 9:26:04 PM
OS Detected: Win95 [Win ]
Eliminating Folder: C:\WINDOWS\applog\
No folder found: C:\WINDOWS\applog\
Eliminating IE Typed URL History...
Data Found: String data: [url1-C:\My Documents\]
Eliminating IE Typed AutoComplete data...
Eliminating IE Download Folder record...
Eliminating IE Error Logs...
Eliminating File: C:\WINDOWS\IE4 Error Log.txt
No file found: C:\WINDOWS\IE4 Error Log.txt
Eliminating Folder: C:\WINDOWS\Local Settings\Temporary Internet Files\
Eliminating folder tree: C:\WINDOWS\Local Settings\Temporary Internet Files\ including root folder...

116 Lily Pad Examples
SubSeven with IRC
Unix intrusion
File sharing
Denial of service
Bypass firewall
  Attack from within

117 Remote Storage
Compromised host
Shell/Web account
Online services
Mounted network shares
  Sniffers that log to remote shares
  Home directory on remote server

118 Intruder Concealment
Deleted binary
  Copy in /proc/pid/file
  icat /dev/hda inode > recovered
Log deletion or wiping
  wzap clears wtmp entries
Altering file attributes
Hidden files/Alternate Data Streams
  hfind.exe
Device files in Recycle Bin
Rootkits/Loadable Kernel Modules (Knark)
Encryption

119 Altering File Attributes
Alter MAC times
  touch in Unix
    ls -altc
  Microsoft SetFileTime() API
Hide from search tools
  dir /t[:a]
  afind.exe (FoundStone)

120 Alternate Data Streams
c:\temp> lads
LADS - Freeware version 3.01
(C) Copyright Frank Heyne Software (
Scanning directory C:\temp\
size ADS in file
17 C:\temp\myfile.txt:hidden
17 C:\temp\myfile.txt:onetwothree
17 C:\temp\myfile.txt:test
51 bytes found in 3 alternate data streams

121 Maresware: copy_ads
C:\>d:\marsware\copy_ads -p c:\ -d d:\evidence\ads
Program started Wed Sep 25 13:58: GMT, 09:58 EST (-5*)
FILES: DIRECTORY
C:\hidden\makeads:hidden2.txt /25/ :43w EST
C:\hidden\makeads:hidden2.txt ==> d:\evidence\ads\makeads\makeads[hidden2.txt]
C:\hidden\makeads\regularfile.txt /25/ :19:19w EST
C:\research\makeads\regularfile.txt ==> d:\evidence\ads\makeads\regularfile.txt
C:\research\makeads\regularfile.txt:hidden1.txt /25/ :19:19w EST
C:\research\makeads\regularfile.txt:hidden1.txt ==> d:\evidence\ads\makeads\regularfile.txt[hidden1.txt]
Processed 16 directories, 118 files, totaling 7,703,785 bytes:
Found 1 directories with 1 alternate data streams.
Found 1 files with 1 alternate data streams.
Total 2 data streams byte count = 49 bytes

122 Rootkits
Creates backdoors
Replace system components to hide:
  files
  processes
  promiscuous mode
  network connections
Often includes tools
  Sniffers
  Log wiping utilities
  Patches
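The "difference between ps & lsof" oddity from the rootkit case, and the "deleted binary, copy from /proc" item from the concealment slides, as an added example that is not from the slides. A trojaned `ps` drops the intruder's processes, but `lsof` (or a walk of /proc) still reports their open files; comparing the two views exposes what was hidden. Both outputs are constructed in the tools' column layouts; the sniffer process, its PID and the /tmp/.tmp/sn path are invented, and on Linux the running copy of a deleted executable is /proc/<pid>/exe.

```python
"""Compare two views of the process table to spot what a rootkit hides."""

# Constructed `ps` output as a replaced binary would show it: no sniffer.
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
  448 ?        00:00:00 inetd
  617 ?        00:00:00 ftpd
"""

# Constructed `lsof` output from a known-good binary on the same host.
LSOF_OUTPUT = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE  NODE NAME
init        1   root  cwd    DIR    3,1 4096     2 /
inetd     448   root    3u  IPv4    891          TCP *:ftp (LISTEN)
ftpd      617   root    0u  IPv4   1210          TCP host:ftp->203.0.113.7:2721 (ESTABLISHED)
sniffer   702   root  txt    REG    3,1 18222 8821 /tmp/.tmp/sn (deleted)
sniffer   702   root    3u  sock    0,0          can't identify protocol
"""


def pids_from_ps(text):
    """PIDs listed by ps (first column; the header fails the isdigit test)."""
    pids = set()
    for line in text.splitlines():
        first = line.split()[:1]
        if first and first[0].isdigit():
            pids.add(int(first[0]))
    return pids


def pids_from_lsof(text):
    """PIDs that own at least one open file according to lsof (second column)."""
    return {int(f[1]) for f in (line.split() for line in text.splitlines()[1:]) if len(f) > 1}


def hidden_processes(ps_text, lsof_text):
    """Processes holding files that ps does not report: candidates for a hidden process."""
    return sorted(pids_from_lsof(lsof_text) - pids_from_ps(ps_text))


def deleted_binaries(lsof_text):
    """pid -> path for running programs whose executable was unlinked from disk
    (the lsof 'txt' entry marked deleted); the code survives in /proc/<pid>/exe
    only while the process lives, so it is copied before anything is killed."""
    found = {}
    for line in lsof_text.splitlines()[1:]:
        f = line.split()
        if len(f) > 8 and f[3] == "txt" and f[-1] == "(deleted)":
            found[int(f[1])] = " ".join(f[8:-1])
    return found


if __name__ == "__main__":
    print("pids seen by lsof but not ps:", hidden_processes(PS_OUTPUT, LSOF_OUTPUT))
    for pid, path in deleted_binaries(LSOF_OUTPUT).items():
        print(f"pid {pid} runs deleted binary {path}; preserve /proc/{pid}/exe first")
```

Both listings have to come from binaries on known-good media (the "toolkit of known good executables" from the assess-and-preserve slide); if the rootkit has replaced `lsof` as well, or hides at the kernel level with a loadable module, the two views agree and the comparison proves nothing, which is why the slides fall back to offline analysis of the disk image.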

