Module 8 CS 996 - OSIRIS · 4/6/2005 Module 8 4 CFAA, continued (a)(5)(A) Cause transmission of...

Digital Forensics Module 8 CS 996

Digital Forensics

Module 8

CS 996

4/6/2005 Module 8 2

Outline of Module #8

Presentation on hping

Discussion of important forensic cases

Windows host forensics and Windows forensic tools

Network forensic tools and methods

CFAA (Computer Fraud and Abuse Act)

Title 18 US Code § 1030

1984: protected only Federal computer installations

1996: amended to include all Internet computers (relatively late!!)

Also have state laws against computer abuse

(a)(2)(C): access computer without authorization; obtain information from protected computer; interstate or foreign communication

CFAA, continued

(a)(5)(A): Cause transmission of program, information, code or command; intentionally cause damage without authorization to protected computer

Accessing protected computer without authorization; causing damage

(a)(5)(B): Loss during any 1-year period aggregating at least $5000 in value

CFAA Cases

Shurgard Storage Centers v. Safeguard Self Storage

Employees emailed trade secrets to new employer

Employees said they were “authorized”

Court determined they were no longer authorized

E.F. Cultural Travel v. Explorica

Student travel sites

Explorica scraped EF web site for fares

“Damage” = loss = lost business + goodwill

Federal Court System

Trial courts: at least one per state

New York has 4:

Southern district

Northern district

Eastern district

Western district

Appeals courts: 11 circuits

Federal Court of Appeals

AA v. FareChase (2003)

FareChase markets software to help browse travel web sites, including www.aa.com

FareChase aggregates fare information

AA sued to block access to its site

Texas Penal Code § 33.02: “a person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner”.

FareChase Proxy Architecture

Diagram: travel agent → FareChase server → Internet → www.aa.com, www.delta.com, www.united.com

Analysis of Damage to Site

Figure: web site response time (sec, 0 to 16) plotted against number of daily users (0 to 1,000,000)

McDanel v. United States

Convicted under CFAA June 25, 2002

Sent 30 messages/sec to Tornado clients regarding security exposure at Tornado

Referred them to his web site

He caused “damage” to Tornado mail servers:

Availability

Integrity

Appealed to 9th Circuit Court of Appeals

What do you think?

Investigating Windows Systems

Basic:

Application log files

Temp files

Recently used documents

Recycle bin

History + temporary Internet files

Registry

Hidden files

ADS

.chk files (fragments from Windows crashes)

Swap space

Swap Files in Windows

Win2000 & WinXP: Pagefile.sys in C:\

Win98: Win386.swp in C:\

Configure Virtual Memory (Win2000)

View win386.swp in Hex Editor

NTFS Swap Files

Use NTFSDOS to boot system (www.sysinternals.com)

Mounts NTFS drive read only

View file with hex editor

Windows Investigation (Before Looking for Deleted Files!)

Check application logs: C:\winnt\system32\config\appevent.evt

Recently used documents: C:\Documents and Settings\User\Recent

Contains shortcuts to recently used files

Programs from Start > Run menu: HKEY_CURRENT_USER\software\microsoft\windows\current version\explorer\RunMRU

More Windows Investigation

Windows Temp Files: C:\WINNT\Temp and C:\Documents and Settings\User\Local Settings\Temp

Find {Files, Computers, Text} Dialog Box: HKEY_CURRENT_USER\software\microsoft\Internet explorer\explorer bars\ID\

Files Names MRU

ComputerNamedMRU

ContainingTextMRU

C:\doc+settings\user\recent

Browser Files

AOL (v8; v9), MSN Explorer, FireFox, Netscape Navigator, Opera (6.x, 7.x), IE

C:\documents and settings\user\local settings\History

C:\documents and settings\user\local settings\Temporary Internet Files

C:\documents and settings\user\cookies

What Other Apps Are Being Run?

Yahoo Messenger

Logs: c:\program files\Yahoo!\messenger\profiles\user\archive

Message cache: c:\program files\yahoo!\messenger\cache

Investigate history for all apps

Investigating .chk Files

Don’t Forget

Recycle bin!

Windows search functions!

Windows Search Functions: Type

More Search: Date Range

dtsearch: Investigative Searching

www.dtsearch.com

Search desktop, network or www!

Free evaluation

Step #1: build document index of words

Index specific folders

Index entire hard drive!

Step #2: run searches

Search Options

Boolean

Stemming: grammatical forms

Phonic: sounds like

Fuzzy: misspellings

Synonyms

File filters: date, size, name, etc.

dtsearch: web

dtsearch: email messages

dtsearch: Outlook .pst Files

FORENSIC SOURCES OF INFORMATION

HARD DRIVE: REGISTRY & CONTENT

ROUTER SYSLOG FILES

SERVER LOG FILES

LIVE SNIFFER DATA COLLECTION

FIREWALL LOG FILES

IP INVESTIGATIONS: INTERNET ARCHIVES

ISP RECORDS

Network Sniffers

Wildpackets Etherpeek: network engineers

Eeye IRIS: user friendly

Ethereal: free!

Kismet (Linux): wireless and free!

CommView (www.tamosoft.com)

CommView for WiFi

Eeye IRIS Features

Easy to use

Reconstructs TCP sessions

Renders HTML content

Filters: usual IP, MAC, port, etc.

Word filters

Does packet logging (no content)

Pen register (out) / trap and trace (in)

IRIS: Creating Filters

IRIS: Packet Logging

Etherpeek

Teleport Pro

Investigating the Registry

Registrar Lite editor (free at www.resplendence.com)

Investigate old user names

Most recently used files

Recent searches for files

NTFS Alternate Data Streams

• Method of hiding executables or proprietary content

• Uses NTFS file system multiple attributes

• Syntax: {file name}:{stream name}

• Create: type textfile > visible.txt:hidden.txt

• View: more < visible.txt:hidden.txt

• Reference: www.heysoft.de

– LADS—List Alternate Data Streams

NTFS Alternate Data Streams

Method of hiding exec files or content

W2k.stream “proof of concept” virus

Uses NTFS Master File Table (MFT) structure

Diagram (MFT): each file record (File #1 … File #N) carries time and security attributes plus an ADS pointer (ADS Pointer #1, ADS Pointer #2, …)

Create ADS

Run LADS

View Hidden Files

ADS test

ADS Test

ADS Test

Additional ADS References

http://patriot.net/~carvdawg/docs/dark_side.html

http://seifried.org/security/advisories/kssa-003.html

http://www1.acm.org/hlb/col-edit/digital_village/apr-04/dv_4-04.html

Network Mapping (NetworkView)

SIM Tools: Why Event Logging?

Security Information Management

One critical part of security infrastructure:

Prevention

Detection

Response

Regulatory requirements:

Medical: HIPAA

Financial: GLB

HIPAA Logging Requirements

§ 164.308 Administrative Safeguards

(a)(1) Security Management Process: information system activity review (Required)

(a)(5) Security Awareness and Training: log-in monitoring (Addressable)

(a)(6) Security Incident Procedures: identify and respond to suspected or known security incidents; … document security incidents and their outcomes (Required)

§ 164.312 Technical Safeguards

(b) Audit controls to record and examine activity in systems that contain or use electronic PHI

Gramm Leach Bliley (GLB)

FFIEC Handbook (Federal Financial Institutions Examination Council)

“Control access to applications by logging access and security events”

“Secure access to the OS of all system components by logging and monitoring user or program access to sensitive resources and alerting on security events”

Log Files as Forensic Evidence

Federal Rules of Evidence: www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

Part of regularly conducted business activity

Authentication of records:

Was data altered?

Is software reliable?

Are computer records hearsay? US v. Blackburn (1993)

SECURITY INFORMATION MANAGEMENT

Diagram components: management station, aggregator, firewall/IDS, end users, host, hub, switch, router, archive storage; syslog data from the devices flows to the aggregator

Syslog Protocol

RFC 3164

Uses UDP port 514

Message format:

Priority field: 0-7

Header field: host name and time stamp

Message field: ASCII characters describing event

Diagram: device → relay → collector

Syslog Priority Levels

Severity | Type | Description
0 | Emergencies | System unusable
1 | Alerts | Immediate action
2 | Critical | Critical condition
3 | Errors | Error messages
4 | Warnings | Warning message
5 | Notifications | Normal
6 | Informational | Information
7 | Debugging | Debug message

Limitations of Syslog

UDP not reliable

No authentication or encryption

RFC 3195: reliable syslog

draft-ietf-syslog-sign-14.txt: signed syslog

Security Information Vendors

Vendor | Function
LogLogic, Addamark, Niksun, Sandstorm | Data Collection/Analysis
Network Intelligence, Forensics Explorers | Data Aggregation/Analysis
Intellitactics, NetForensics, ArcSight, GuardedNet, Open Services | Correlate Information
Secure Decisions | Visualize Information

Network Traffic Recorders

Record all traffic on network

Niksun NetDetector

Sandstorm NetIntercept

NetForensics Architecture

Diagram: agents on the router, IDS, host and firewall feed the NF engine (event aggregation and correlation), which stores into an Oracle database read by the reporting tool (real time analysis; forensic reports)

Event Correlation

Rules based: If…then…else

Statistical: monitor changes in event statistics

Behavioral: monitor trends in security events

Intellitactics Message Architecture

SYSLOG MESSAGE: DATE, TIME STAMP, SOURCE, DESTINATION, EVENT CODE (CISCO PIX 106001—DENY INBOUND TCP CONNECTION)

CREATE NORMALIZED TYPE FIELD BASED ON EVENT TYPE

ADD ZONE FIELDS BASED ON SOURCE LOCATION, TARGET LOCATION AND FIREWALL LOCATION

ADD PRIORITY FIELD: TYPE FIELD + ASSET CLASSIFICATION
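An added example (not Intellitactics' or the course's own code) of the three normalization steps above combined with the rules-based correlation from the Event Correlation slide: events are typed by Cisco message ID, zoned by address, prioritized by type plus asset classification, and repeated denies from one external source are collapsed into a single alert. The zone ranges, asset classes, type names and input events are constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Step 1: normalized type per Cisco PIX message id. The ids are the ones shown on
# these slides; the type names are assumed for this example.
NORMALIZED_TYPE = {
    "106001": "firewall_deny",
    "106006": "firewall_deny",
    "106010": "firewall_deny",
    "302013": "connection_built",
    "611103": "user_logout",
    "111009": "admin_command",
}

# Step 2: zone lookup. The address ranges are constructed for the example.
ZONES = {
    "inside": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}

# Step 3: priority = base priority of the type + asset classification of the target.
BASE_PRIORITY = {"firewall_deny": 2, "admin_command": 2, "connection_built": 1,
                 "user_logout": 1, "unknown": 1}
ASSET_CLASS = {"192.0.2.10": 3, "10.133.219.25": 2}  # constructed; 3 = most critical


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def normalize(raw: Dict) -> Dict:
    """Add type, zone and priority fields to one parsed syslog event."""
    etype = NORMALIZED_TYPE.get(raw["code"], "unknown")
    return {
        **raw,
        "type": etype,
        "source_zone": zone_of(raw["source"]),
        "target_zone": zone_of(raw["destination"]),
        "priority": BASE_PRIORITY[etype] + ASSET_CLASS.get(raw["destination"], 0),
    }


def correlate_denies(events: List[Dict], threshold: int = 3,
                     window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Rules-based correlation: if one external source accumulates `threshold`
    firewall_deny events inside `window`, emit a single alert for that source."""
    times_by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "firewall_deny" and ev["source_zone"] == "external":
            times_by_source[ev["source"]].append(ev["time"])
    alerts = []
    for src, times in times_by_source.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"source": src, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return alerts


# Constructed input: the fields a parser would pull from the PIX
# "Date | Time | IP/Hostname | Message Code | Message" layout.
T0 = datetime(2005, 4, 6, 14, 5, 0)
RAW_EVENTS = [
    {"time": T0, "code": "106001", "source": "203.0.113.5", "destination": "192.0.2.10"},
    {"time": T0 + timedelta(seconds=10), "code": "106006", "source": "203.0.113.5", "destination": "192.0.2.10"},
    {"time": T0 + timedelta(seconds=20), "code": "106001", "source": "203.0.113.5", "destination": "192.0.2.10"},
    {"time": T0 + timedelta(seconds=300), "code": "106001", "source": "203.0.113.5", "destination": "192.0.2.10"},
    {"time": T0 + timedelta(seconds=5), "code": "302013", "source": "10.1.2.3", "destination": "203.0.113.9"},
    {"time": T0 + timedelta(seconds=7), "code": "106001", "source": "198.51.100.7", "destination": "192.0.2.10"},
]


def run_pipeline(raw_events: List[Dict]) -> List[Dict]:
    return correlate_denies([normalize(e) for e in raw_events])
```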

LogLogic Log Appliance

Archiving of log file data

Uses intelligent data compression technique

Allows real time and historical threat analysis:

Cisco message ID

Message volume

Regular expression filter

LX-1000: up to 1000 messages/second; 90 GB storage: 90 days storage

Archive server: 2 TB and 2 years of data

LogLogic Log Appliance

Diagram: firewalls (Check Point, NetScreen, Cisco PIX) send syslog and proprietary messages to the log appliance (stripped-down Linux OS, MySQL database, WWW and SMTP interfaces), which feeds an archive server

Summarization of Log Files

Diagram: PC user → PIX firewall → WWW server; 20-50 TCP connections per web page produce syslog messages to the LogLogic LogAppliance, which takes 60-150 messages and summarizes to one database record

Applications of Log File Forensics

Help diagnose virus infections:

Analysis of time zero events

Monitor inside traffic for infected machines

Help analyze hacker events

Set log alerts to catch breaches in real time

Log File Formats

CheckPoint: proprietary binary format, not human readable

Time | Action | Firewall | Interface | Product | Source | Source Port | Dest. | Service | Protocol | Translation (NAT)

Cisco PIX: syslog format

Date | Time | IP/Hostname | Message Code | Message

NetScreen: syslog format

Date | Time | Module | Severity | Type | Message Text

Significance of Priority Levels

Severity | Type | Function
7 | Debug | Resolve firewall operational issues
6 | Informational | Key to performing audit and policy verification
5 | Notifications | Work done on the firewall
1-4 | Alert, Critical, Error, Warning | Packet anomalies, policy conflicts

Example PIX Syslog Messages

Severity | Cisco # | Description
2 | 106006 | Deny inbound UDP from A.B.C.D/Port to L.M.N.O/Port
1 | 103001 | No response from other firewall
0 | (none) | Not used

Example Syslog Messages, cont.

Severity | Cisco # | Description
5 | 611103 | User logged out
4 | 209004 | IP fragment malformed; total size exceeds 65,535 bytes
3 | 106010 | Deny inbound from outside: IP_addr to inside: IP_addr

Example Syslog Messages, cont.

Level | Cisco # | Description
7 | 111009 | User executed command string that does not alter configuration
6 | 199005 | Start PIX firewall

Severity 5 + 6 Messages

Contain critical information about traffic in/out of network

%PIX-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25: www.example.com

%PIX-6-302013: Built TCP connection number for interface_name: real_address/real_port to interface_name:real_address/real_port
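As an added example that is not part of the slides, a parser for the RFC 3164 framing and the Cisco PIX message code described on the Syslog Protocol, Syslog Priority Levels and Log File Formats slides: the PRI value (facility × 8 + severity) is split into its two parts, the %PIX-level-id tag is pulled out of the message field, and lines that fail either check are rejected. The sample lines are constructed; the severity names follow the priority table above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog severity codes as tabulated on the slides (0 = emergencies ... 7 = debugging).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# RFC 3164 framing: "<PRI>Mmm dd hh:mm:ss hostname message".
# PRI = facility * 8 + severity, so the severity is the low three bits.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Cisco PIX messages start "%PIX-<level>-<six-digit message id>: text", which is
# the "Message Code | Message" part of the PIX layout on the Log File Formats slide.
_PIX_RE = re.compile(r"^%PIX-(?P<level>\d)-(?P<code>\d{6}):\s*(?P<text>.*)$")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_name: str
    timestamp: str
    host: str
    message: str
    pix_code: Optional[str] = None   # Cisco message id, e.g. "106006"
    pix_level: Optional[int] = None  # level embedded in the %PIX tag


def parse_syslog(line: str) -> SyslogEvent:
    """Decode one RFC 3164 line; raise ValueError on malformed input."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities (0-23) x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    event = SyslogEvent(facility, severity, SEVERITY_NAMES[severity],
                        m.group("timestamp"), m.group("host"), m.group("msg"))
    p = _PIX_RE.match(event.message)
    if p is not None:
        event.pix_code = p.group("code")
        event.pix_level = int(p.group("level"))
    return event


def is_valid_syslog(line: str) -> bool:
    try:
        parse_syslog(line)
        return True
    except ValueError:
        return False


def pix_level_mismatch(event: SyslogEvent) -> bool:
    """True when the %PIX-<level> tag disagrees with the PRI severity; worth
    flagging before an analyst trusts the PRI of a relayed or rewritten line."""
    return event.pix_level is not None and event.pix_level != event.severity


def count_by_severity(lines: List[str]) -> Dict[str, int]:
    """Histogram of severity names, skipping unparseable lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        if is_valid_syslog(line):
            name = parse_syslog(line).severity_name
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample lines; facility 20 (local4) is the PIX default. Addresses are
# documentation ranges plus the user/URL pair shown on the slide above.
SAMPLE_LINES = [
    "<166>Apr  6 14:05:12 pix01 %PIX-6-302013: Built inbound TCP connection 4711 "
    "for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/80 (192.0.2.10/80)",
    "<162>Apr  6 14:05:13 pix01 %PIX-2-106006: Deny inbound UDP from 203.0.113.5/4444 "
    "to 192.0.2.10/53 on interface outside",
    "<165>Apr  6 14:05:14 pix01 %PIX-5-304001: 192.168.69.71 Accessed URL 10.133.219.25:www.example.com",
    "<13>Apr  6 14:05:15 host7 sshd[1234]: Accepted password for alice from 10.0.0.5 port 40022",
    "this line has no PRI and must be rejected",
]
```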

Real Time Reporting

LogApp Configure Email Alerts
