Real Digital Forensics
by Keith Jones, Richard Bejtlich, and Curtis Rose
1 - Windows Live Response
Never save data locally on the target system's hard drive, as there is a chance you may overwrite evidence
Always use the -b option with md5sum, to perform the hash in binary mode
The -k option with cryptcat allows you to set the encryption password
Volatile Data
* system date and time
* current network connections
* open tcp and udp ports
* which exe's are opening tcp and udp ports
* cached netbios name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps
To truly verify a system binary, you must compare its hash against a trusted source
A common attack involves changing a server's routing table to redirect traffic and bypass firewalls
Firedaemon turns any process into a service
userdump.exe will capture memory space used by any running process. userdump output cannot be sent via netcat, so you must net use a remote share
dumpcheck.exe allows you to examine userdump output. More debugging tools and symbols here
Garner's dd allows a full memory dump by mapping the \Device\PhysicalMemory object into its virtual address space
Nonvolatile Data
* System version and patch level
* File system time and date stamps
* Registry data
* Auditing policy
* History of logins
* System event logs
* User accounts
* IIS logs
* Suspicious files
Regdmp(Reg /export) will copy registry. Provides programs executed on bootup and entries created by the intruder's tools
NTLast provides a history of logins
IIS logs to c:\winnt\system32\logfiles\W3SVC by default. More info at http://www.iisfaq.com
After a successful buffer overflow (bo) attempt, there is typically no logging, as the server usually crashes
2 - Unix Live Response
Much of the process is the same as for Windows live response; the differences are noted here
Volatile Data
* Loaded kernel modules
* Mounted file systems
Review loaded kernel modules via the lsmod command. If the module is hidden, there is no way to detect it in the live response process
Nonvolatile Data
* Syslog logs
* User history files
On Red Hat, rpm -qa will list installed software and patches
On Unix there is no creation time as in Windows, so the inode's last-changed time ("ctime") is all you have
Time can often be saved by comparing files to known good or bad hashsets (see NSRL)
/var/run/utmp contains users that are currently logged in (w command)
/var/log/wtmp contains the history of logins (last command)
zap2 is a common tool for hackers to clear these entries
datapipe is used to redirect ports on the local machine, allows for firewall bypass
/etc/syslog.conf contains settings for syslog logging
kill -31: this signal is undefined on Linux and is often used by kernel-level rootkits
Windows files cannot be deleted while still in use by a process in memory. Unix files, however, can be deleted and remain resident only in memory until reboot. Binary images of processes can be found under /proc/ , and the /proc//fd directory contains all the open files for that process
3 - Collecting Network-Based Evidence
4 types of Network Based Evidence
* Full content data
* Session data
* Alert data
* Statistical data
Scanmap3d provides graphing for Snort IDS
Hubs are half-duplex and create collisions; a tap is expensive but full-duplex
Span ports will miss traffic on heavily loaded networks, and some can only monitor a single VLAN in a single direction
Flowgrep can search for regexes across TCP packet streams
FRHED is a free hex editor for Windows
Argus for session logging
4 - Analyzing NBE for a Windows Intrusion
TCPslice can be used to split up pcaps into smaller sessions
High counts of "other" protocol can indicate either heavy use of a single unknown protocol or a vast amount of unrecognized protocols
Often low counts of various protocols are characteristic of port scans
Batch mode in snort will run snort against a pcap
Nikto is a common tool for web scanning
No tool currently exists to read and reconstruct SMS sessions
5 - Analyzing NBE for a Unix Intrusion
227 Entering Passive Mode (192,168,1,1,192,1): you must convert 192,1 into a real TCP port number
(192 * 256) + 1 = Port 49,153
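The port conversion above, applied as a small parser over reconstructed FTP control traffic (an added example written for these notes, not from the book; the sample control lines are constructed, and only the first 227 reply is the one quoted above):

```python
import re

# Lenient match for a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply;
# some servers add text or a trailing period, so only the six numbers matter.
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced by an FTP 227 reply, or raise ValueError.

    The last two numbers are the high and low bytes of the data port, so
    (192,1) means 192 * 256 + 1 = 49153.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    # Each field is one byte; anything larger is a malformed or forged reply.
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of byte range: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def pasv_endpoints(control_lines):
    """Walk reconstructed FTP control-channel lines and return every data
    endpoint the server announced, so the matching data sessions can be
    pulled out of the capture. Lines that are not valid 227 replies are skipped."""
    endpoints = []
    for line in control_lines:
        if line.startswith("227"):
            try:
                endpoints.append(parse_pasv(line))
            except ValueError:
                continue
    return endpoints


# Constructed sample control-channel lines (the first 227 reply is the one
# quoted in the notes; the others are made up for the demo, the last one malformed).
SAMPLE_CONTROL = [
    "220 ftp server ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (192,168,1,1,192,1)",
    "RETR tools.tar.gz",
    "PASV",
    "227 Entering Passive Mode (192,168,1,1,200,17).",
    "227 Entering Passive Mode (192,168,1,1,300,1)",
]

if __name__ == "__main__":
    for ip, port in pasv_endpoints(SAMPLE_CONTROL):
        print("data channel: %s:%d" % (ip, port))
```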
6 - Before You Jump Right In ...
Forensic Air-Lite from Forensic Computers, Inc
Sample Toolkit: digital camera, multi-function screwdriver, flashlight, dremel, extra jumpers, extra screws, cable ties, internal pc power extension cords, extra IDE cables, scsi cables, scsi terminators, chain of custody forms, evidence labels, pens, evidence envelopes, evidence tape, anti-static bag, evidence hard drives, boot floppies/cdrom, blank cd/dvds/floppies, network hub/switch, network cable, forensic dongles, power strip, and OS install media.
Document the original hard drive: make, model, serial num, evidence tag num, geometry, capacity, and jumper settings
Document the original system: make, model, serial num, media evidence tags, expansion cards, peripheral connections, physical location
Agent notes worksheet should contain relevant info such as conference calls, shipment tracking numbers, relevant findings, etc
After duplication, you must label the evidence hard drive: Case num, Evidence tag num(s), contents, acquired by, and date
Chain of custody forms should contain: source individual, source location, destination individual, destination location, transfer date
When access is required to evidence safe, it must be recorded in the Evidence Access Log: date, name, case num, time in, and time out
7 - Commercial-Based Forensic Duplications
You typically must jumper the drives as Master for everything to operate correctly
Firewire allows the hard drives to be hot swappable
Ensure you use the Windows eject/disconnect function to prevent data corruption
By default EnCase will duplicate and create a series of 640MB files
Be sure to use the Evidence tag number as the device unique identifier in EnCase
Generally duplication will take longer with compression but the evidence files will be smaller
Not recommended to set a password for an evidence file
Hashing feature should always be enabled for duplication
8 - Noncommercial-Based Forensic Duplications
When booting to your forensic workstation, make sure the bios is configured to boot from OS hard drive and not the evidence hard drive.
conv=notrunc,noerror,sync - notrunc will stop truncation in the event of an error, noerror tells dd to continue when an error is encountered, and sync will replace bad blocks with zeros
After dd is complete, immediately make the file read-only and hash it
Images duplicated on Linux(ext3) will not be usable on FAT32 unless broken into 2G chunks using count & skip dd functions
DD rescue will traverse hard drives forwards and backwards and use variable blocks on bad hard drives
9 - Common Forensic Analysis Techniques
Recommended to first recover deleted files
Associate a dd image with a physical device with Enhanced_Loopback:
# losetup /dev/loop0 image.dd   (image.dd is a placeholder for the dd image file)
# fdisk -l /dev/loop0
Utilize NSRL to weed out known files
10 - Web Browsing Activity Reconstruction
Securityfocus Browser Forensics Part 1, Part 2
IE has 3 types of evidence: browsing history, cookies, and Temporary Internet Files (cache)
Index.dat contains browsing history and links to cookies and cache
C:\Doc and Set\\Cookies - contains index.dat and all user's cookies
C:\Doc and Set\\L Set\History\ - contains cached sites by date
C:\Doc and Set\\Temporary Internet Files\ - contains all cached content
FTK's browser reconstruction is far superior to Encase
Cookies contain variable names and values, time of download, time of expiration, and status info
Galleta will parse cookies for you
In Index.dat at byte offset 0x50, a listing of cache directories is found
If an Index.dat file is large enough, it may contain more than one hash table
URL and LEAK both mean the suspect viewed the site
Index.dat uses MS FILETIME, which is the number of 100-nanosecond intervals since 00:00 1 Jan 1601
Most use UNIXTIME which is number of seconds since 00:00 1 Jan 1970
Unixtime = .0000001 * Filetime + 11,644,473,600, run result through unix cmd local-time
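FILETIME handling as an added example (not the book's code): it reads a little-endian FILETIME from a constructed index.dat-style record and converts it to Unix time and UTC. Because 1601 precedes 1970, the 11,644,473,600-second epoch difference is subtracted; the sample record and its timestamp are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_SECONDS = 11644473600
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-nanosecond intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_unixtime(filetime):
    """Convert a FILETIME tick count to Unix seconds (float).

    1601 precedes 1970, so the epoch difference must be subtracted.
    Integer divmod keeps the whole seconds exact before the fractional part
    is added. A zero FILETIME means "not set" and is returned as None.
    """
    if filetime == 0:
        return None
    secs, ticks = divmod(filetime, TICKS_PER_SECOND)
    return secs - EPOCH_DIFF_SECONDS + ticks / TICKS_PER_SECOND


def filetime_to_datetime(filetime):
    """Convert a FILETIME to a timezone-aware UTC datetime without going
    through floating point, keeping microsecond precision."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def read_filetime(data, offset):
    """Read the little-endian 64-bit FILETIME stored at a byte offset of a record
    (the byte order used inside index.dat); raises if the record is truncated."""
    if offset < 0 or offset + 8 > len(data):
        raise ValueError("no 8-byte FILETIME at offset %d" % offset)
    (filetime,) = struct.unpack_from("<Q", data, offset)
    return filetime


# Constructed sample record (not from real evidence): 8 bytes of padding followed
# by the FILETIME for 2004-11-09 11:33:20 UTC, which is Unix time 1100000000.
SAMPLE_FILETIME = (1100000000 + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND
SAMPLE_RECORD = b"\x00" * 8 + struct.pack("<Q", SAMPLE_FILETIME)

if __name__ == "__main__":
    ft = read_filetime(SAMPLE_RECORD, 8)
    print("FILETIME  :", ft)
    print("Unix time :", filetime_to_unixtime(ft))
    # The stored value is UTC; convert to the analyst's local zone only at
    # display time, and record which zone was used in the notes.
    print("UTC       :", filetime_to_datetime(ft).isoformat())
    print("local     :", filetime_to_datetime(ft).astimezone().isoformat())
```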
11 - E-Mail Reconstruction
Paraben's Network Email Examiner
Munpack will decode MIME file attachments in email
12 - Microsoft Windows Registry Reconstruction
System registry files are saved to C:\WINDOWS\system32\config in default, software, and system
User registry files are found in ntuser.dat in the profile directory
Installed programs can be found in Microsoft\Windows\CurrentVersion\Uninstall or Microsoft\Windows\CurrentVersion\App Paths
A registry search for MRU will give you a list of Most Recently Used docs/apps
Software\Microsoft\Internet Explorer\TypedURLs is a good one
13 - FTA - Using Linux for Analyzing Files of Unknown Origin
Using the -g option with gcc will include debugging information
strip command will remove all symbols from the compiled binary
Using the -static option with gcc will embed the needed libraries in the binary making it self contained
The -S option with gcc will make an assembly language file
By default strings will not scan the entire file, you must use the -a option
The -tx option with strings will add the offset
nm -a command will show you all the symbols in a binary
ldd command will list all the shared objects in a dynamic binary
It is a good idea to compare hashes of shared objects with known good ones to detect any tampering
ELF format reference, also /usr/include/elf.h describes the ELF structure
readelf --file-header will list out the header information
readelf --section-headers will list out the section information
readelf --program-headers will list out locations of elf segments
readelf --symbols provides similar info to nm
readelf --debug-dump gets all the debugging information
readelf --hex-dump=
objdump -l --source will disassemble the binary into assembly (dead listing)
kill -l will list out all the signals
Strace executes a binary and intercepts all system calls and signals.
Ltrace intercepts all library calls
14 - FTA - A Hands-On Analysis of the Linux File aio
Without using the -v option in hexdump, duplicate lines are replaced with an asterisk
System call services are found in /usr/include/asm/unistd.h
Hexworkshop
/proc is a pseudo-file system that is only populated with volatile data while the system is running.
The maps file in /proc/ will show you mapped memory
cat /proc/version to confirm that the compiler and OS versions match
15 - FTA - Analyzing Files of Unknown Origin (Windows)
Visual C++ Toolkit 2005
BinText provides a gui for strings output
PE and COFF Specifications
The cygwin pe_map command is similar to objdump
link -dump -all displays all the PE format info along with a hex dump of the sections
IDA File -> Produce enables you to generate and export the disassembly listing
Strace for Windows
PEiD
Unpacking Tools; unpacking may sometimes result in execution of code
ProcDump will allow you to edit the PE structure to fix any errors
16 - Building the Ultimate Response CD
Live response tools should not be dependent on files from the suspect system. Utilize filemon to determine dependencies and copy them to your response tools directory. Different versions of OSes will need different response toolkits. Also, trusted tools should be prefixed with t_ to differentiate them.
17 - Making Your CD-ROM a Bootable Environment
18 - Forensic Duplication and Analysis of PDAs
For your workstation to recognize a PALM pda you will need the drivers along with HotSync
For Encase to communicate with a Palm, Hotsync must be exited
Acquisition should be done with a fresh set of batteries or in a cradle to avoid data loss
The device should be in console mode (Shortcut-Dot-Dot-Two) and configured to stay on in the cradle
Paraben's PDA Seizure installs a file(CESeizure.dll) on the device in unallocated space
19 - Forensic Duplication of USB and Compact Flash Memory Devices
mount -r /dev/sda /mnt/usb mounts the device in read-only mode
20 - Forensic Analysis of USB and Compact Flash Memory Devices
USB drives usually only have one large FAT partition, sometimes with no partition table
Fatback simulates cmd prompt for your image
21 - Tracing Email
Any email header field whose name starts with X- is an optional (extension) field that any email server may add
Always read headers from the bottom up, to find the source
Anonymous Remailers
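Reading Received headers bottom-up, as an added example (not the book's code): the sample message, its host names and addresses are constructed; the hop-consistency check is added here as the check an analyst would run before trusting the bottom-most hop, and the X- header listing follows the note above.

```python
import email
import re

# Constructed sample message (not from the book): each relay prepends its own
# Received header, so the top line is the last hop and the bottom one the first.
SAMPLE_MESSAGE = (
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP id ABC123; Tue, 09 Nov 2004 11:40:02 +0000\n"
    "Received: from mail.example.net (mail.example.net [198.51.100.5])\n"
    "\tby relay.example.net with ESMTP id DEF456; Tue, 09 Nov 2004 11:39:58 +0000\n"
    "Received: from userpc (dsl-203-0-113-42.isp.example [203.0.113.42])\n"
    "\tby mail.example.net with SMTP id GHI789; Tue, 09 Nov 2004 11:39:50 +0000\n"
    "X-Mailer: ExampleClient 1.0\n"
    "X-Originating-IP: [203.0.113.42]\n"
    "From: someone@example.net\n"
    "To: victim@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the 'from' host, the relay's own comment, the 'by' host and any
    bracketed IPv4 address out of one (possibly folded) Received header."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return {"from": None, "comment": None, "by": None, "ip": None, "raw": text}
    ip = IPV4_RE.search(m.group(2) or "")
    return {"from": m.group(1), "comment": m.group(2), "by": m.group(3),
            "ip": ip.group(1) if ip else None, "raw": text}


def received_chain(raw_message):
    """Return the hops in bottom-up order (index 0 is the hop nearest the source)."""
    msg = email.message_from_string(raw_message)
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def chain_gaps(chain):
    """Each hop's 'by' host should be the next hop's 'from' host. A break in
    that chain is where a forged or stripped Received header is likely; the
    hops below a break cannot be trusted to describe the real origin."""
    gaps = []
    for i in range(len(chain) - 1):
        if chain[i]["by"] != chain[i + 1]["from"]:
            gaps.append((i, chain[i]["by"], chain[i + 1]["from"]))
    return gaps


def optional_headers(raw_message):
    """Names of the X- extension headers, which any server may add."""
    msg = email.message_from_string(raw_message)
    return sorted(k for k in msg.keys() if k.upper().startswith("X-"))


if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(chain):
        print("hop %d: from %s (%s) by %s" % (i, hop["from"], hop["ip"], hop["by"]))
    print("gaps:", chain_gaps(chain))
    print("origin IP (if chain is intact):", chain[0]["ip"])
    print("optional headers:", optional_headers(SAMPLE_MESSAGE))
```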
22 - Domain Name Ownership