Thursday, April 24, 2008

Real Digital Forensics

by Keith Jones, Richard Bejtlich, and Curtis Rose

1 - Windows Live Response

Never save data locally on the suspect's hard drive, as you may overwrite evidence

Always use the -b option with md5sum to hash in binary mode

The -k option of cryptcat sets the encryption password

Volatile Data

* system date and time
* current network connections
* open tcp and udp ports
* which executables are opening tcp and udp ports
* cached netbios name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps

To truly verify a system binary, you must compare its hash against one from a trusted source

A common attack changes a server's routing table to redirect traffic and bypass firewalls

FireDaemon turns any process into a service

userdump.exe will capture the memory space used by any running process. userdump output cannot be sent via netcat, so you must net use a remote share

dumpcheck.exe allows you to examine userdump output

Garner's dd allows a full memory dump by mapping the virtual address space to the \Device\PhysicalMemory object

Nonvolatile Data

* System version and patch level
* File system time and date stamps
* Registry data
* Auditing policy
* History of logins
* System event logs
* User accounts
* IIS logs
* Suspicious files

Regdmp (Reg /export) will copy the registry. This reveals programs executed at boot and entries created by the intruder's tools

NTLast provides a history of logins

IIS logs to c:\winnt\system32\logfiles\W3SVC by default

After a successful buffer overflow attempt there is usually no log entry, as the server typically crashes

2 - Unix Live Response

Much of the process is the same as for Windows Live Response; only the differences are noted

Volatile Data

* Loaded kernel modules
* Mounted file systems

Review loaded kernel modules via the lsmod command. If the module is hidden, there is no way to detect it in the live response process

Nonvolatile Data

* Syslog logs
* User history files

On Red Hat, rpm -qa will list installed software and patches

On Unix there is no creation time as in Windows, so the inode change time ("ctime") is all you have

Time can often be saved by comparing files to known-good or known-bad hash sets (see NSRL)

/var/run/utmp contains the users that are currently logged in (w command)

/var/log/wtmp contains the history of logins (last command)

zap2 is a common tool hackers use to clear these entries

datapipe is used to redirect ports on the local machine, which allows for firewall bypass

/etc/syslog.conf contains the settings for syslog logging

kill -31: this signal is undefined on Linux and is often used by kernel-level rootkits

Windows files cannot be deleted while still in use by a process in memory. Unix files, however, can be deleted and remain resident only in memory until reboot. Binary images of processes can be found in /proc/ , and the /proc//fd directory contains all the open files for that process

3 - Collecting Network-Based Evidence

4 types of Network Based Evidence

* Full content data
* Session data
* Alert data
* Statistical data

Scanmap3d provides graphing for Snort IDS

Hubs are half-duplex and create collisions, as opposed to a tap, which is expensive but full-duplex

SPAN ports will miss traffic on heavily loaded networks, and some can only monitor a single VLAN in a single direction

Flowgrep can search for a regex across TCP packet streams

FRHED is a free hex editor for Windows

Argus for session logging

4 - Analyzing NBE for a Windows Intrusion

tcpslice can be used to split up pcaps into smaller sessions

High counts of "other" protocol can indicate either heavy use of a single unknown protocol or a vast number of unrecognized protocols

Often, low counts of various protocols are characteristic of port scans

Batch mode in snort will run snort against a pcap

Nikto is a common tool for web scanning

No tool currently exists to read and reconstruct SMS sessions

5 - Analyzing NBE for a Unix Intrusion

227 Entering Passive Mode (192,168,1,1,192,1) - you must convert 192,1 into a real TCP port number

(192 * 256) + 1 = Port 49,153
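The port arithmetic above is easy to do by hand once, but in a capture full of FTP sessions you want it automated so every data channel can be matched back to the session data. The following is an added example written for these notes (not code from the book or the blog): it decodes the h1,h2,h3,h4,p1,p2 tuple from a PASV reply and, since the encoding is identical, from an active-mode PORT command, then walks a constructed control-channel sample to list the negotiated data-channel endpoints. The sample lines and hostnames are constructed, not from any real case.

```python
import re

# Matches the six comma-separated numbers in a PASV reply such as
# "227 Entering Passive Mode (192,168,1,1,192,1)" and, with the same
# encoding, in an active-mode "PORT h1,h2,h3,h4,p1,p2" command.
_HOST_PORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def decode_host_port(line):
    """Return (ip, port) from a PASV reply or PORT command line.

    Raises ValueError if the line carries no h1..h4,p1,p2 tuple or any
    field is out of range. The port is p1 * 256 + p2.
    """
    m = _HOST_PORT.search(line)
    if not m:
        raise ValueError("no host/port tuple in: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def data_channels(control_lines):
    """Walk captured FTP control-channel lines and list every data-channel
    endpoint that was negotiated, with who listens on it."""
    found = []
    for line in control_lines:
        text = line.strip()
        if text.startswith("227 "):
            ip, port = decode_host_port(text)
            found.append(("passive: server listens", ip, port))
        elif text.upper().startswith("PORT "):
            ip, port = decode_host_port(text)
            found.append(("active: client listens", ip, port))
    return found


# Constructed sample of a control-channel capture; not from a real case.
SAMPLE_CONTROL = [
    "220 ftp ready",
    "USER anonymous",
    "331 Password required",
    "PASS guest@",
    "230 Logged in",
    "PASV",
    "227 Entering Passive Mode (192,168,1,1,192,1)",
    "RETR backup.tgz",
    "PORT 10,0,0,5,4,210",
    "200 PORT command successful",
]

if __name__ == "__main__":
    for direction, ip, port in data_channels(SAMPLE_CONTROL):
        print("%-24s %s:%d" % (direction, ip, port))
```

With the sample above the PASV reply decodes to 192.168.1.1:49153 and the PORT command to 10.0.0.5:1234; those are the endpoints to look for in the session data when reconstructing what was transferred.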

6 - Before You Jump Right In ...

Forensic Air-Lite from Forensic Computers, Inc

Sample Toolkit: digital camera, multi-function screwdriver, flashlight, dremel, extra jumpers, extra screws, cable ties, internal pc power extension cords, extra IDE cables, scsi cables, scsi terminators, chain of custody forms, evidence labels, pens, evidence envelopes, evidence tape, anti-static bag, evidence hard drives, boot floppies/cdrom, blank cd/dvds/floppies, network hub/switch, network cable, forensic dongles, power strip, and OS install media.

Document the original hard drive: make, model, serial number, evidence tag number, geometry, capacity, and jumper settings

Document the original system: make, model, serial number, media evidence tags, expansion cards, peripheral connections, physical location

The agent notes worksheet should contain relevant info such as conference calls, shipment tracking numbers, relevant findings, etc

After duplication, you must label the evidence hard drive: case number, evidence tag number(s), contents, acquired by, and date

Chain of custody forms should contain: source individual, source location, destination individual, destination location, transfer date

When access to the evidence safe is required, it must be recorded in the Evidence Access Log: date, name, case number, time in, and time out

7 - Commercial-Based Forensic Duplications

You typically must jumper the drives as Master for everything to operate correctly

Firewire allows the hard drives to be hot swappable

Ensure you use the Windows eject/disconnect function to prevent data corruption

By default EnCase will duplicate and create a series of 640MB files

Be sure to use the Evidence tag number as the device unique identifier in EnCase

Generally, duplication will take longer with compression, but the evidence files will be smaller

It is not recommended to set a password on an evidence file

The hashing feature should always be enabled for duplication

8 - Noncommercial-Based Forensic Duplications

When booting your forensic workstation, make sure the BIOS is configured to boot from the OS hard drive and not the evidence hard drive.

conv=notrunc,noerror,sync - notrunc stops the output file being truncated in the event of an error, noerror tells dd to continue when a read error is encountered, and sync replaces bad blocks with zeros so offsets stay aligned

After dd is complete, immediately make the image file read-only and hash it

Images duplicated on Linux (ext3) will not be usable on FAT32 unless broken into 2G chunks using dd's count and skip options

dd_rescue will traverse hard drives forwards and backwards and use variable block sizes on bad hard drives

9 - Common Forensic Analysis Techniques

It is recommended to recover deleted files first

Associate a dd image with a block device using Enhanced_Loopback:

# losetup /dev/loop0 .dd

# fdisk -l /dev/loop0

Utilize NSRL to weed out known files

10 - Web Browsing Activity Reconstruction

SecurityFocus Browser Forensics, Part 1 and Part 2

IE has 3 types of evidence: browsing history, cookies, and Temporary Internet Files (cache)

Index.dat contains browsing history and links to cookies and cache

C:\Doc and Set\\Cookies - contains index.dat and all of the user's cookies

C:\Doc and Set\\L Set\History\ - contains cached sites by date

C:\Doc and Set\\Temporary Internet Files\ - contains all cached content

FTK's browser reconstruction is far superior to EnCase's

Cookies contain variable names and values, time of download, time of expiration, and status info

Galleta will parse cookies for you

In Index.dat at byte offset 0x50, a listing of cache directories is found

If an Index.dat file is large enough, it may contain more than one hash table

URL and LEAK records both mean the suspect viewed the site

Index.dat uses MS FILETIME, which is the number of 100-nanosecond intervals since 00:00 1 Jan 1601

Most other systems use Unix time, which is the number of seconds since 00:00 1 Jan 1970

Unixtime = 0.0000001 * Filetime + 11,644,473,600; run the result through the unix cmd local-time
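Because the two epochs differ by 11,644,473,600 seconds and FILETIME ticks every 100 ns, the conversion is: scale the FILETIME down by 10^7 to get seconds, then subtract the epoch gap (the gap is subtracted going from FILETIME to Unix and added going back). The code below is an added example for these notes, not from the book; it also decodes the 8-byte little-endian form in which index.dat and other on-disk structures store FILETIME, treats the all-zero value as "no timestamp", and renders UTC explicitly rather than relying on the workstation's local time. The sample record is constructed.

```python
import struct
from datetime import datetime, timezone

# Seconds between 1601-01-01 and 1970-01-01, the two epochs.
EPOCH_DIFF_SECONDS = 11644473600
# FILETIME counts 100-nanosecond intervals, so 10**7 per second.
INTERVALS_PER_SECOND = 10 ** 7


def filetime_to_unix(filetime):
    """Convert a FILETIME integer to Unix seconds (float, keeps sub-second)."""
    return filetime / INTERVALS_PER_SECOND - EPOCH_DIFF_SECONDS


def unix_to_filetime(unix_seconds):
    """Inverse conversion, useful for cross-checking a timestamp."""
    return int(round((unix_seconds + EPOCH_DIFF_SECONDS) * INTERVALS_PER_SECOND))


def filetime_bytes_to_unix(raw, offset=0):
    """Decode the 8-byte little-endian FILETIME stored in on-disk structures
    such as index.dat records, then convert it. Returns None for the
    all-zero value, which these files use to mean 'no timestamp'."""
    (ft,) = struct.unpack_from("<Q", raw, offset)
    if ft == 0:
        return None
    return filetime_to_unix(ft)


def filetime_to_iso(filetime):
    """Render as UTC ISO-8601. Converting to local time is a presentation
    choice the examiner should make explicitly (and note the zone used)."""
    ts = filetime_to_unix(filetime)
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


# Constructed sample record: the Unix epoch itself, encoded as FILETIME bytes.
SAMPLE_RECORD = struct.pack("<Q", EPOCH_DIFF_SECONDS * INTERVALS_PER_SECOND)

if __name__ == "__main__":
    print(filetime_bytes_to_unix(SAMPLE_RECORD))
    print(filetime_to_iso(EPOCH_DIFF_SECONDS * INTERVALS_PER_SECOND + INTERVALS_PER_SECOND))
```

The round trip (unix_to_filetime(filetime_to_unix(x)) == x) is a cheap sanity check worth keeping in any parser you write around this, since an off-by-one on the epoch constant or the scale factor silently shifts every timestamp in a report.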

11 - E-Mail Reconstruction

Paraben's Network Email Examiner

Munpack will decode MIME file attachments in email

12 - Microsoft Windows Registry Reconstruction

System registry hives are saved in C:\WINDOWS\system32\config as the files default, software, and system

User registry hives are found in ntuser.dat in the profile directory

Installed programs can be found in Microsoft\Windows\CurrentVersion\Uninstall or Microsoft\Windows\CurrentVersion\App Paths

A registry search for MRU will give you a list of Most Recently Used docs/apps

Software\Microsoft\Internet Explorer\TypedURLs is a good one

13 - FTA - Using Linux for Analyzing Files of Unknown Origin

Using the -g option with gcc will include debugging information

strip command will remove all symbols from the compiled binary

Using the -static option with gcc will embed the needed libraries in the binary making it self contained

The -S option with gcc will make an assembly language file

By default strings will not scan the entire file; you must use the -a option

The -tx option with strings adds the offset in hex

The nm -a command will show you all the symbols in a binary

The ldd command will list all the shared objects a dynamic binary depends on

It is a good idea to compare hashes of shared objects with known-good ones to detect tampering
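The same check comes up repeatedly in these notes: verify a system binary against a trusted hash, weed out known files with NSRL, and confirm shared objects have not been tampered with. Below is an added example (my own, not from the book) that hashes every file under a directory in binary mode, the way md5sum -b does, and buckets each one as known-good, known-bad or unknown against two hash sets. A hash in the bad set wins over the good set so a later-flagged tool is never silently weeded out. The sample files, hashes and names are constructed in a temporary directory; md5 is used because that is what the book's tooling speaks, but the algo parameter takes sha256 as well, and since md5 collisions are practical, a known-good match on md5 alone should not be the only basis for trusting a binary.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="md5"):
    """Hash a file read in binary mode (the equivalent of md5sum -b), in
    chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_tree(root, known_good, known_bad, algo="md5"):
    """Hash every file under root and bucket it against two hash sets.

    A hash present in known_bad wins over known_good. Files that match
    neither set are the ones that deserve a closer look.
    """
    buckets = {"known_good": [], "known_bad": [], "unknown": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = hash_file(path, algo)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if digest in known_bad:
                buckets["known_bad"].append((rel, digest))
            elif digest in known_good:
                buckets["known_good"].append((rel, digest))
            else:
                buckets["unknown"].append((rel, digest))
    return buckets


# Constructed sample contents standing in for a pristine binary, a
# trojaned copy of the same binary, and a file no hash set has seen.
GOOD_LS = b"#!/bin/sh\necho pristine ls\n"
TROJAN_LS = b"#!/bin/sh\necho trojaned ls\n"
UNKNOWN_FILE = b"some operator script\n"


def demo():
    """Build a throwaway tree, classify it, and return the buckets."""
    known_good = {hashlib.md5(GOOD_LS).hexdigest()}
    known_bad = {hashlib.md5(TROJAN_LS).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(TROJAN_LS)
        with open(os.path.join(root, "bin", "cat"), "wb") as f:
            f.write(GOOD_LS)  # stands in for a binary matching the good set
        with open(os.path.join(root, "tmp", "x.sh"), "wb") as f:
            f.write(UNKNOWN_FILE)
        return classify_tree(root, known_good, known_bad)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        for rel, digest in entries:
            print("%-10s %s  %s" % (bucket, digest, rel))
```

Pointed at a mounted read-only image with a real NSRL-derived set in known_good, the unknown bucket is the working list for the rest of the analysis.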

ELF format reference; /usr/include/elf.h also describes the ELF structures

readelf --file-header will list the header information

readelf --section-headers will list the section information

readelf --program-headers will list the locations of the ELF segments

readelf --symbols provides similar info to nm

readelf --debug-dump gets all the debugging information

readelf --hex-dump=
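To see what readelf --file-header is actually reading, here is an added example (not from the book) that parses the ELF file header by hand with struct, using the layout in elf.h. It reads the class and byte-order bytes of e_ident first, since they decide the width and endianness of everything that follows, handles ELF32 and ELF64 in either byte order, and flags a missing section header table, which is legal but leaves readelf --section-headers and nm with nothing to show and is worth noting on a suspect binary. The 64-byte sample header is constructed, not taken from a real file.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5

# Field names, in order, for the part of the header after the 16-byte e_ident.
_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
           "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
           "e_shnum", "e_shstrndx")

E_TYPE = {1: "REL (relocatable)", 2: "EXEC (executable)",
          3: "DYN (shared object)", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 62: "x86-64", 40: "ARM", 183: "AArch64"}  # subset


def parse_elf_header(data):
    """Parse an ELF file header from the first bytes of a file.

    Handles both ELF32 and ELF64 and both byte orders, which is why the
    class and data bytes of e_ident are read before the fixed-size fields.
    Raises ValueError on anything that is not an ELF header.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[EI_CLASS], data[EI_DATA]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown EI_DATA %d" % ei_data)
    if ei_class == 1:
        fmt, bits = endian + "HHIIIIIHHHHHH", 32   # 32-bit offsets/addresses
    elif ei_class == 2:
        fmt, bits = endian + "HHIQQQIHHHHHH", 64   # 64-bit offsets/addresses
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    size = struct.calcsize(fmt)
    if len(data) < 16 + size:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(_FIELDS, struct.unpack_from(fmt, data, 16)))
    hdr["class"] = bits
    hdr["endian"] = "little" if endian == "<" else "big"
    hdr["type_name"] = E_TYPE.get(hdr["e_type"], "unknown (%d)" % hdr["e_type"])
    hdr["machine_name"] = E_MACHINE.get(hdr["e_machine"],
                                        "unknown (%d)" % hdr["e_machine"])
    # No section header table is legal but unusual for a compiler-produced
    # binary; readelf --section-headers and nm will then have nothing to show.
    hdr["has_section_headers"] = hdr["e_shoff"] != 0 and hdr["e_shnum"] != 0
    return hdr


def build_sample_header():
    """Constructed 64-byte ELF64 little-endian header (not a real binary):
    EXEC, x86-64, entry 0x401000, one program header, no section headers."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHIQQQIHHHHHH",
                       2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ident + rest


if __name__ == "__main__":
    for k, v in parse_elf_header(build_sample_header()).items():
        print("%-20s %s" % (k, hex(v) if k.startswith("e_") else v))
```

Run it against the first 64 bytes of a real file (open(path, "rb").read(64)) and compare the output with readelf --file-header to see the two agree; the parser is also a handy starting point when a packed binary has a header that readelf refuses to interpret.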

objdump -l --source will disassemble the binary into assembly (a dead listing)

kill -l will list all the signals

strace executes a binary and intercepts all system calls and signals

ltrace intercepts all library calls

14 - FTA - A Hands-On Analysis of the Linux File aio

Without the -v option, hexdump replaces duplicate lines with an asterisk

System call numbers are found in /usr/include/asm/unistd.h

/proc is a pseudo-file system that is only populated with volatile data while the system is running

The maps file in /proc/ will show you the mapped memory of a process

cat /proc/version to confirm that the compiler and OS versions match

15 - FTA - Analyzing Files of Unknown Origin(Windows)

Visual C++ Toolkit 2005

BinText provides a gui for strings output

PE and COFF Specifications

The cygwin pe_map command is similar to objdump

link -dump -all displays all the PE format info along with a hex dump of the sections

IDA File -> Produce enables you to generate and export the disassembly listing

Strace for Windows

Unpacking tools: unpacking may sometimes result in execution of the code

ProcDump will allow you to edit the PE structure to fix any errors

16 - Building the Ultimate Response CD

Live response tools should not depend on files from the suspect system. Use Filemon to determine dependencies and copy them to your response tools directory. Different OS versions will need different response toolkits. Also, trusted tools should be prefixed with t_ to differentiate them.

17 - Making Your CD-ROM a Bootable Environment

18 - Forensic Duplication and Analysis of PDAs

For your workstation to recognize a Palm PDA you will need the drivers along with HotSync

For EnCase to communicate with a Palm, HotSync must be exited

Acquisition should be done with a fresh set of batteries or in a cradle to avoid data loss

The device should be in console mode (Shortcut-Dot-Dot-Two) and configured to stay on in the cradle

Paraben's PDA Seizure installs a file (CESeizure.dll) on the device in unallocated space

19 - Forensic Duplication of USB and Compact Flash Memory Devices

mount -r /dev/sda /mnt/usb mounts the device in read-only mode

20 - Forensic Analysis of USB and Compact Flash Memory Devices

USB drives usually only have one large FAT partition, sometimes with no partition table

Fatback simulates a command prompt for your image

21 - Tracing Email

Any time an email header field starts with X-, it is an optional field that any email server or client may add

Always read the headers from the bottom up to find the source
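Servers prepend their Received: line as a message passes through, so the bottom one is the first hop and the top one is your own server. The following added example (mine, not from the book) uses Python's email module to return the Received chain bottom-up, pull the bracketed IP from the earliest hop, and list the optional X- fields. The message is constructed with documentation-range addresses. One caveat the book's rule implies: only the Received lines added by servers you control are trustworthy; everything beneath them, X- fields included, could have been written by the sender, so the lowest hops are leads to corroborate with the relay's own logs, not proof.

```python
import re
from email import message_from_string

# Constructed message: the top Received line is the last hop (the examiner's
# own server), the bottom one is the first hop nearest the sender.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.10]) by mx.example.org with ESMTP id abc123; Mon, 21 Apr 2008 10:02:11 -0400
Received: from laptop.local (unknown [198.51.100.7]) by relay.example.net with SMTP id xyz789; Mon, 21 Apr 2008 10:01:58 -0400
X-Originating-IP: [198.51.100.7]
X-Mailer: Example Mailer 1.0
From: someone@example.net
To: someone-else@example.org
Subject: invoice
Message-ID: <1234@relay.example.net>

body text
"""


def received_chain(raw):
    """Return the Received: headers bottom-up, i.e. first hop first.

    Mail servers prepend Received: lines, so reading from the bottom follows
    the message forward from its origin. Whitespace is normalised because
    real headers are usually folded across several lines.
    """
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(hops)]


def first_hop_ip(raw):
    """Extract the bracketed IPv4 literal from the earliest Received: line.

    Returns None when there is no Received: line or no bracketed address;
    the value is what the next relay saw, which is more reliable than the
    sender-supplied X-Originating-IP but still only as good as that relay.
    """
    hops = received_chain(raw)
    if not hops:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[0])
    return m.group(1) if m else None


def extension_headers(raw):
    """Names of the optional X- fields, in the order they appear. Any server
    or client may add them and they carry no more authority than any other
    header."""
    msg = message_from_string(raw)
    return [name for name in msg.keys() if name.upper().startswith("X-")]


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE), 1):
        print("hop %d: %s" % (i, hop))
    print("first hop ip:", first_hop_ip(SAMPLE_MESSAGE))
    print("X- headers:", extension_headers(SAMPLE_MESSAGE))
```

Comparing the timestamp and id on each hop against the receiving server's own logs is the way to confirm a hop is genuine; a Received line with no matching log entry on the server it claims to have passed through was most likely added by the sender.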

Anonymous Remailers

22 - Domain Name Ownership