Digital Forensics
Module 8
CS 996
4/6/2005 Module 8 2
Outline of Module #8
Presentation on hping
Discussion of important forensic cases
Windows host forensics and Windows forensic tools
Network forensic tools and methods
CFAA (Computer Fraud and Abuse Act)
Title 18 US Code § 1030
1984: protected only Federal computer installations
1996: amended to include all Internet computers (relatively late!!)
Also have state laws against computer abuse
(a)(2)(C): access computer without authorization; obtain information from protected computer; interstate or foreign communication
CFAA, continued
(a)(5)(A): Cause transmission of program, information, code or command; intentionally cause damage without authorization to protected computer
Accessing protected computer without authorization; causing damage
(a)(5)(B): Loss during any 1-year period aggregating at least $5000 in value
CFAA Cases
Shurgard Storage Centers v. Safeguard Self Storage
Employees emailed trade secrets to new employer
Employees said they were “authorized”
Court determined they were no longer authorized
E.F. Cultural Travel v. Explorica
Student travel sites
Explorica scraped EF web site for fares
“Damage” = loss = lost business + goodwill
Federal Court System
Trial courts: at least one per state
New York has 4:
Southern district
Northern district
Eastern district
Western district
Appeals courts: 11 circuits
Federal Court of Appeals
AA v. FareChase (2003)
FareChase markets software to help browse travel web sites, including www.aa.com
FareChase aggregates fare information
AA sued to block access to its site
Texas Penal Code § 33.02: “a person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner”.
FareChase Proxy Architecture
[Diagram: travel agent -> FareChase server -> Internet -> www.aa.com, www.delta.com, www.united.com]
Analysis of Damage to Site
[Chart: web site response time (sec), 0 to 16, plotted against number of daily users, 0 to 1,000,000]
McDanel v. United States
Convicted under CFAA June 25, 2002
Sent 30 messages/sec to Tornado clients regarding security exposure at Tornado
Referred them to his web site
He caused “damage” to Tornado mail servers:
Availability
Integrity
Appealed to 9th Circuit Court of Appeals
What do you think?
Investigating Windows Systems
Basic:
Application log files
Temp files
Recently used documents
Recycle bin
History + temporary Internet files
Registry
Hidden files:
ADS
.chk files (fragments from Windows crashes)
Swap space
Swap Files in Windows
Win2000 & WinXP: Pagefile.sys in C:\
Win98: Win386.swp in C:\
Configure Virtual Memory (Win2000)
View win386.swp in Hex Editor
NTFS Swap Files
Use NTFSDOS to boot system (www.sysinternals.com)
Mounts NTFS drive read only
View file with hex editor
Windows Investigation (Before Looking for Deleted Files!)
Check application logs: C:\winnt\system32\config\appevent.evt
Recently used documents: C:\Documents and Settings\User\Recent
Contains shortcuts to recently used files
Programs from Start > Run menu: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
More Windows Investigation
Windows Temp files:
C:\WINNT\Temp
C:\Documents and Settings\User\Local Settings\Temp
Find {Files, Computers, Text} dialog box: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\ID\
FilesNamedMRU
ComputerNamedMRU
ContainingTextMRU
C:\doc+settings\user\recent
Browser Files
AOL (v8; v9)
MSN Explorer
Firefox
Netscape Navigator
Opera (6.x, 7.x)
IE:
C:\documents and settings\user\local settings\History
C:\documents and settings\user\local settings\Temporary Internet Files
C:\documents and settings\user\cookies
What Other Apps Are Being Run?
Yahoo Messenger
Logs: c:\program files\Yahoo!\messenger\profiles\user\archive
Message cache: c:\program files\yahoo!\messenger\cache
Investigate history for all apps
Investigating .chk Files
Don’t Forget
Recycle bin!
Windows search functions!
Windows Search Functions: Type
More Search: Date Range
dtsearch: Investigative Searching
www.dtsearch.com
Search desktop, network or www!
Free evaluation
Step #1: build document index of words
Index specific folders
Index entire hard drive!
Step #2: run searches
Search Options
Boolean
Stemming: grammatical forms
Phonic: sounds like
Fuzzy: misspellings
Synonyms
File filters: date, size, name, etc.
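The two-step index-then-search workflow and the Boolean, stemming and fuzzy options described on the last two slides, as an added example in Python. This is not dtSearch's code; the documents, the crude suffix-stripping stemmer and the query grammar (left-to-right AND/OR/NOT, no parentheses) are all assumptions made for illustration, and the "files" are constructed strings rather than an evidence drive.

```python
"""Added example (not dtSearch's code): index first, then run Boolean,
stemmed and fuzzy queries over the index."""
import re
import difflib
from collections import defaultdict

# Constructed sample "documents" standing in for files on an evidence drive.
DOCS = {
    "memo.txt": "Please send the fares spreadsheet to the new employer tonight",
    "notes.txt": "The fare scraper copied 400000 fares from the aa website",
    "chat.log": "he says the employers were authorised to transfer the data",
}

_WORD = re.compile(r"[a-z0-9]+")

def stem(word: str) -> str:
    """Crude suffix stripping so 'fares'/'fare' and 'employers'/'employer'
    land on the same index key (illustrative stand-in for real stemming)."""
    for suf in ("ing", "s"):
        if word.endswith(suf) and len(word) - len(suf) >= 3:
            return word[: -len(suf)]
    return word

def build_index(docs):
    """Step 1: map each stemmed word to the set of documents containing it."""
    index = defaultdict(set)
    for name, text in docs.items():
        for w in _WORD.findall(text.lower()):
            index[stem(w)].add(name)
    return index

def lookup(index, term, fuzzy=False, cutoff=0.8):
    """Exact (stemmed) lookup; with fuzzy=True, near-misspellings also hit."""
    term = stem(term.lower())
    if term in index:
        return set(index[term])
    if fuzzy:
        hits = set()
        # Similarity ratio over the indexed vocabulary, e.g. authorized ~ authorised.
        for cand in difflib.get_close_matches(term, index.keys(), n=5, cutoff=cutoff):
            hits |= index[cand]
        return hits
    return set()

def search(index, query, fuzzy=False):
    """Step 2: Boolean query 'a AND b', 'a OR b', 'a NOT b', evaluated left to right."""
    tokens = query.split()
    result = lookup(index, tokens[0], fuzzy)
    i = 1
    while i + 1 < len(tokens):
        op, term = tokens[i].upper(), tokens[i + 1]
        rhs = lookup(index, term, fuzzy)
        if op == "AND":
            result &= rhs
        elif op == "OR":
            result |= rhs
        elif op == "NOT":
            result -= rhs
        else:
            raise ValueError(f"unknown operator {op}")
        i += 2
    return result

if __name__ == "__main__":
    idx = build_index(DOCS)
    print(sorted(search(idx, "fare AND employer")))
    print(sorted(search(idx, "authorized", fuzzy=True)))
```

The point of building the index once is that every later query, including the fuzzy ones, runs against the vocabulary rather than re-reading the drive; the fuzzy lookup is what lets a query for "authorized" find the British spelling in chat.log.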
dtsearch: web
dtsearch: email messages
dtsearch: Outlook .pst Files
FORENSIC SOURCES OF INFORMATION
Hard drive: registry & content
Router syslog files
Server log files
Live sniffer data collection
Firewall log files
IP investigations
Internet archives
ISP records
Network Sniffers
Wildpackets Etherpeek: network engineers
Eeye IRIS: user friendly
Ethereal: free!
Kismet (Linux): wireless and free!
CommView (www.tamosoft.com)
CommView for WiFi
Eeye IRIS Features
Easy to use
Reconstructs TCP sessions
Renders HTML content
Filters:
Usual IP, MAC, port, etc.
Word filters
Does packet logging (no content)
Pen register (out) / trap and trace (in)
IRIS: Creating Filters
IRIS: Packet Logging
Etherpeek
Teleport Pro
Investigating the Registry
Registrar Lite editor (free at www.resplendence.com)
Investigate old user names
Most recently used files
Recent searches for files
NTFS Alternate Data Streams
• Method of hiding executables or proprietary content
• Uses NTFS file system multiple attributes
• Syntax: {file name}:{stream name}
• Create: type textfile > visible.txt:hidden.txt
• View: more < visible.txt:hidden.txt
• Reference: www.heysoft.de
– LADS—List Alternate Data Streams
NTFS Alternate Data Streams
Method of hiding exec files or content
W2k.stream “proof of concept” virus
Uses NTFS Master File Table (MFT) Structure
[Diagram: MFT records File #1 ... File #N, each holding time and security attributes plus an ADS pointer]
Create ADS
Run LADS
View Hidden Files
ADS test
ADS Test
ADS Test
Additional ADS References
http://patriot.net/~carvdawg/docs/dark_side.html
http://seifried.org/security/advisories/kssa-003.html
http://www1.acm.org/hlb/col-edit/digital_village/apr-04/dv_4-04.html
Network Mapping (NetworkView)
SIM Tools: Why Event Logging?
Security Information Management
One critical part of security infrastructure:
Prevention
Detection
Response
Regulatory requirements:
Medical: HIPAA
Financial: GLB
HIPAA Logging Requirements
§ 164.308 Administrative Safeguards
(a)(1) Security Management Process: information system activity review (Required)
(a)(5) Security Awareness and Training: log-in monitoring (Addressable)
(a)(6) Security Incident Procedures: identify and respond to suspected or known security incidents; … document security incidents and their outcomes (Required)
§ 164.312 Technical Safeguards
(b) Audit controls to record and examine activity in systems that contain or use electronic PHI
Gramm Leach Bliley (GLB)
FFIEC Handbook (Federal Financial Institutions Examination Council)
“Control access to applications by logging access and security events”
“Secure access to the OS of all system components by logging and monitoring user or program access to sensitive resources and alerting on security events”
Log Files as Forensic Evidence
Federal Rules of Evidence: www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm
Part of regularly conducted business activity
Authentication of records: was data altered?
Is software reliable?
Are computer records hearsay? US v. Blackburn (1993)
Security Information Management
[Diagram: end users and a host on a hub/switch behind a router, plus a firewall/IDS, all sending syslog data to an aggregator, which feeds a management station and archive storage]
Syslog Protocol
RFC 3164
Uses UDP port 514
Message format:
Priority field: 0-7
Header field: host name and time stamp
Message field: ASCII characters describing event
[Diagram: device -> relay -> collector]
Syslog Priority Levels
Severity | Type | Description
0 | Emergencies | System unusable
1 | Alerts | Immediate action
2 | Critical | Critical condition
3 | Errors | Error messages
4 | Warnings | Warning message
5 | Notifications | Normal
6 | Informational | Information
7 | Debugging | Debug message
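The syslog message format and the severity table above, as an added example in Python (not from the slides). One detail the slide compresses: on the wire an RFC 3164 datagram starts with a PRI field written as "<N>" where N = facility * 8 + severity, so the 0-7 value in the table is the low three bits of N. The decoder below recovers both parts, then the timestamp, host and message, and keeps malformed datagrams visible instead of silently dropping them, which matters when the log is evidence. The sample datagrams are constructed for the example (the first follows the format of the example in RFC 3164 itself); the hostnames are not real systems.

```python
"""Added example (not from the slides): decode RFC 3164 syslog datagrams."""
import re

# Severity names from RFC 3164 (0 = most severe), matching the table above.
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Facility codes from RFC 3164 section 4.1.1.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
            10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
            18: "local2", 19: "local3", 20: "local4", 21: "local5",
            22: "local6", 23: "local7"}

# PRI "<N>", then TIMESTAMP "Mmm dd hh:mm:ss" (day space-padded), HOSTNAME, MSG.
_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)

def decode_pri(pri: int):
    """Split PRI into (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return facility, severity

def parse_syslog(line: str) -> dict:
    m = _RE.match(line)
    if not m:
        # RFC 3164 lets a relay accept such a packet anyway; here we only flag it.
        return {"valid": False, "raw": line}
    pri = int(m.group("pri"))
    facility, severity = decode_pri(pri)
    return {
        "valid": True,
        "pri": pri,
        "facility": FACILITY.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }

# Constructed sample datagrams (not real captures).
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<166>Apr  6 09:15:01 pix-fw %PIX-6-302013: Built outbound TCP connection 4711",
    "<999>Apr  6 09:15:02 bogus this PRI is out of range",
    "plain text with no PRI at all",
]

def triage(lines):
    """Bucket datagrams by severity name; malformed ones go to 'invalid'."""
    out = {"invalid": []}
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError as e:
            rec = {"valid": False, "raw": line, "error": str(e)}
        if not rec["valid"]:
            out["invalid"].append(rec["raw"])
            continue
        out.setdefault(rec["severity_name"], []).append(rec)
    return out

if __name__ == "__main__":
    for name, recs in triage(SAMPLES).items():
        print(name, len(recs))
```

PRI 34 decodes to facility 4 (auth) and severity 2 (Critical); PRI 166 is local4 at severity 6. Because the next slide points out that UDP syslog has no authentication, a collector should treat a datagram that fails this parse as a datum in its own right (it may be noise, or it may be a sign of tampering), which is why `triage` keeps the raw line.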
Limitations of Syslog
UDP not reliable
No authentication or encryption
RFC 3195: reliable syslog
draft-ietf-syslog-sign-14.txt: signed syslog
Security Information Vendors
Vendor | Function
LogLogic, Addamark, Niksun, Sandstorm | Data collection/analysis
Network Intelligence, Forensics Explorers | Data aggregation/analysis
Intellitactics, NetForensics, ArcSight, GuardedNet, Open Services | Correlate information
Secure Decisions | Visualize information
Network Traffic Recorders
Record all traffic on network
Niksun NetDetector
Sandstorm NetIntercept
NetForensics Architecture
[Diagram: agents on routers, IDS, hosts and firewalls feed the NF engine (event aggregation and correlation), which stores to an Oracle database and drives a reporting tool for real-time analysis and forensic reports]
Event Correlation
Rules based: If…then…else
Statistical: monitor changes in event statistics
Behavioral: monitor trends in security events
Intellitactics Message Architecture
Syslog message: date, time stamp, source, destination, event code (e.g. Cisco PIX 106001, deny inbound TCP connection)
Create normalized type field based on event type
Add zone fields based on source location, target location and firewall location
Add priority field: type field + asset classification
Log Logic Log Appliance
Archiving of log file data
Uses intelligent data compression technique
Allows real time and historical threat analysis:
Cisco message ID
Message volume
Regular expression filter
LX-1000: up to 1000 messages/second
90 GB storage: 90 days storage
Archive server: 2 TB and 2 years of data
LogLogic Log Appliance
[Diagram: Check Point, NetScreen and Cisco PIX firewalls send syslog and proprietary messages to the log appliance (stripped-down Linux OS, MySQL database, WWW and SMTP interfaces), which forwards to an archive server]
Summarization of Log Files
[Diagram: PC user -> PIX firewall -> WWW server, with the firewall's syslog messages going to the LogLogic log appliance; 20-50 TCP connections per web page; the appliance takes 60-150 messages and summarizes them to one database record]
Applications of Log File Forensics
Help diagnose virus infections
Analysis of time zero events
Monitor inside traffic for infected machines
Help analyze hacker events
Set log alerts to catch breaches in real time
Log File Formats
CheckPoint: proprietary binary format, not human readable
Time | Action | Firewall | Interface | Product | Source | Source Port | Dest. | Service | Protocol | Translation (NAT)
Cisco PIX: syslog format
Date | Time | IP/Hostname | Message Code | Message
NetScreen: syslog format
Date | Time | Module | Severity | Type | Message Text
Significance of Priority Levels
Severity | Type | Function
7 | Debug | Resolve firewall operational issues
6 | Informational | Key to performing audit and policy verification
5 | Notifications | Work done on the firewall
1-4 | Alert, Critical, Error, Warning | Packet anomalies, policy conflicts
Example PIX Syslog Messages
Severity | Cisco # | Description
2 | 106006 | Deny inbound UDP from A.B.C.D/Port to L.M.N.O/Port
1 | 103001 | No response from other firewall
0 | | Not used
Example Syslog Messages, cont.
Severity | Cisco # | Description
5 | 611103 | User logged out
4 | 209004 | IP fragment malformed; total size exceeds 65,535 bytes
3 | 106010 | Deny inbound from outside: IP_addr to inside: IP_addr
Example Syslog Messages, cont.
Level | Cisco # | Description
7 | 111009 | User executed command string that does not alter configuration
6 | 199005 | Start PIX firewall
Severity 5 + 6 Messages
Contain critical information about traffic in/out of network
%PIX-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25: www.example.com
%PIX-6-302013: Built TCP connection number for interface_name: real_address/real_port to interface_name:real_address/real_port
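An added example in Python, not from the slides or from any vendor product, that ties together the last few slides: it parses PIX message bodies of the form `%PIX-<severity>-<message id>: <text>` (the example messages above), adds the normalized type, zone and priority fields described on the Intellitactics message architecture slide, applies one rule-based correlation of the kind listed on the Event Correlation slide, and collapses the repetitive severity-6 "Built TCP connection" records the way the summarization slide describes. The type names, the zone address ranges, the asset classification and the priority formula are assumptions for the example, not a vendor's taxonomy; the message bodies are constructed from the documented PIX formats, not a real capture.

```python
"""Added example (not from the slides or a vendor): parse Cisco PIX syslog
message bodies, normalize them, correlate with a rule, and summarize."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# %PIX-<severity>-<message id>: <text>
_PIX = re.compile(r"^%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Normalized event types keyed by message id (assumed names for the example).
TYPE_BY_ID = {
    "106001": "deny_inbound_tcp",
    "106006": "deny_inbound_udp",
    "106010": "deny_inbound",
    "302013": "tcp_connection_built",
    "304001": "url_accessed",
    "611103": "user_logout",
    "111009": "admin_command",
}

# Assumed zones and asset classes for the example network.
ZONES = {"inside": ip_network("10.0.0.0/8"), "dmz": ip_network("192.0.2.0/24")}
ASSET_CLASS = {"10.0.0.5": 3}  # a server rated 3 on a 1-3 scale; others default to 1

def zone_of(ip: str) -> str:
    a = ip_address(ip)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"

def parse_pix(body: str):
    """Return severity, id, text and the first two distinct IPs (src, dst), or None."""
    m = _PIX.match(body)
    if not m:
        return None
    ips = list(dict.fromkeys(_IP.findall(m.group("text"))))  # distinct, in order
    return {"severity": int(m.group("sev")), "id": m.group("id"), "text": m.group("text"),
            "src": ips[0] if ips else None, "dst": ips[1] if len(ips) > 1 else None}

def normalize(ev: dict) -> dict:
    """Add type, zone and priority fields in the spirit of the message architecture slide."""
    ev = dict(ev)
    ev["type"] = TYPE_BY_ID.get(ev["id"], "unknown")
    ev["src_zone"] = zone_of(ev["src"]) if ev["src"] else None
    ev["dst_zone"] = zone_of(ev["dst"]) if ev["dst"] else None
    # Lower syslog severity number means more urgent; weight by the target's asset class.
    asset = ASSET_CLASS.get(ev["dst"], 1)
    ev["priority"] = (8 - ev["severity"]) * asset
    return ev

def correlate(events, deny_threshold=3):
    """Rule: one source denied >= deny_threshold times raises one alert, not one per message."""
    denies = Counter(e["src"] for e in events if e["type"].startswith("deny") and e["src"])
    return [{"rule": "repeated_deny", "src": src, "count": n}
            for src, n in denies.items() if n >= deny_threshold]

def summarize_connections(events):
    """Collapse many 302013 'Built TCP connection' records to one count per (src, dst)."""
    out = Counter()
    for e in events:
        if e["type"] == "tcp_connection_built" and e["src"] and e["dst"]:
            out[(e["src"], e["dst"])] += 1
    return dict(out)

# Constructed sample message bodies (documentation-style formats, not a real capture).
SAMPLE = [
    "%PIX-2-106006: Deny inbound UDP from 203.0.113.9/5555 to 10.0.0.5/161 on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/4444 to 10.0.0.5/22 flags SYN on interface outside",
    "%PIX-3-106010: Deny inbound tcp src outside:203.0.113.9/4445 dst inside:10.0.0.5/23",
    "%PIX-6-302013: Built outbound TCP connection 1 for inside:10.0.0.20/1025 (10.0.0.20/1025) to outside:198.51.100.7/80 (198.51.100.7/80)",
    "%PIX-6-302013: Built outbound TCP connection 2 for inside:10.0.0.20/1026 (10.0.0.20/1026) to outside:198.51.100.7/80 (198.51.100.7/80)",
    "%PIX-5-611103: User logged out: Uname: admin",
    "not a pix message",
]

def run(lines):
    events = [normalize(e) for e in map(parse_pix, lines) if e]
    return {"events": events, "alerts": correlate(events),
            "connections": summarize_connections(events)}

if __name__ == "__main__":
    r = run(SAMPLE)
    print(len(r["events"]), "events;", r["alerts"], r["connections"])
```

Three different deny message ids from one source become a single alert because the rule keys on the normalized type rather than the raw Cisco number, and the two severity-6 connection records become one (src, dst) count, which is the kind of reduction that lets severity 5 and 6 traffic be kept without drowning the analyst.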
Real Time Reporting
LogApp Configure Email Alerts