System Forensics, Investigation, and Response
Day 1
port 445 for Windows – file shares (CIFS/SMB), a little NetBIOS, directory services, RPC, lots of stuff.
0xEBFE is the x86 “jmp $”: a short jump back two bytes to itself, an infinite loop that produces a processor spike.
Computer Forensics Primer..5
AUP should have users waive any expectation of privacy on the system.
Does the person who gave you computer have authority to investigate machine?
Do you have the authority to investigate the machine? Forensics must be part of the job description (Forensic Investigator or Forensic Analyst).
Who approved you to start case.
Make sure you have approval. (cya)
# Following best practices (like chain of custody) for data integrity is used to show expertise in handling evidence. Law enforcement is legally bound to follow chain-of-custody rules. Evidence cannot be thrown out merely because it 'could' have been tampered with; actual evidence of tampering must be present before an evidence-tampering argument can be raised.
# live image
Forensic Investigation Methodology..19
System Description..21
Evidence Collection..22
Timeline..23
Media Analysis..24
Media Analysis Examples..25
String/Keyword Search..26
Data Recovery..27
Reporting..28
Verification Exercise..29
File System Essentials..30
physical
Drive itself
first 512 bytes (one sector) are the MBR
In the MBR are the partition table and the boot loader code (LILO, GRUB, the Windows loader, PartitionMagic's loader, etc.)
length of each partition is in the MBR
the MBR sector ends with the boot signature 55 AA (bytes 510-511)
DOS-based partition tables are used by x86 Intel systems regardless of OS
the 512-byte MBR holds at most 4 primary partition entries (16 bytes each, starting at byte 446)
each partition table entry gives the starting sector (LBA), the number of sectors, and a one-byte type code (e.g., 0x83 Linux/ext3, 0x82 Linux swap, 0x07 NTFS)
one of the 4 can designate an extended partition
At the beginning of the extended partition is a 512-byte sector holding another partition table (an extended boot record): one entry describes a logical partition and a second entry can link to the next extended boot record.
file system
uses 512 byte sectors
cluster, fragment or block (depending on OS) can be multiple sectors.
data
everything sits at the data layer
Similar to Card Catalog
Generic name for the metadata structure is the inode. On Windows: NTFS = master file table (MFT) entry; FAT = directory entry.
many blocks or clusters can be associated with a file,
Name
file type (dir, exe, link)
Pointer to start of file on device (Data)
Link Count
Size
Security Mechanisms
mac times
filename
How the three layers interact
Physical layer–Hard drive
File system Layer–includes partitioning information
Data Layer–Start of partition, addressable block or cluster. allocated/not allocated. multiple sectors.
metadata layer is card catalog. points to data layer
filename points to inode number.
Page 42 has Partition table entry contents
mount (to determine the device name)
dd if=/dev/hda bs=512 count=1 of=mbr.img
Common Types of Partitions..43
Partition Exercise..44
Data Storage..45
Data Layer Allocated or Unallocated?..46
Slack Space..47
Contiguous Disk Space..48
Metadata Layer..49
Metadata in File System..50
File System Metadata..51
Security..52
File System Security..53
File Name Layer..54
File System Forensic Intro..55
Linux FileSystem Basics (Ext2 and EXT3)..56
Linux Ext2/Ext3
File system layer (Superblock)
Block size
Total Number of Blocks
Number of Blocks per group
Number of reserved blocks (blocks reserved for the superuser)
total number of inodes
number of inodes per block group
table of contents at each block group Page 58
inode has 15 block pointers: 12 direct pointers address the first 12 blocks; the 13th points to an indirect block (a block full of block pointers), the 14th to a double-indirect block, and the 15th to a triple-indirect block.
Windows File System Basics..70
Windows File System Evolution..71
FAT Filesystem..72
Fat 12 and 16..73
Fat 32..74
FAT Format..75
FAT Boot Sector..76
FAT12/16 Partition Boot Sector..77
FAT12/16 Boot Sector..78
FAT32 Partition Boot Sector..79
FAT 32 Boot Sector..80
FAT Content Data..81
FAT Cluster Chains..82
FAT Root Directory (Metadata Layer)..83
FAT Directory Entry..84
FAT Directory Entry and the FAT Cluster Chains Relationship..85
FAT Timestamps..86
What data still exists upon file deletion?..87
FAT Review..88
NTFS New Technologies File System..89
NTFS Partition Boot Sector..90
NTFS Boot Sector..91
NT Volumes..92
NTFS - Clusters (Data Layer)..93
NTFS - MFT (Metadata Layer)..94
NTFS File (Metadata Layer)..95
Master File Table Entry..96
Master File Table Entry Layout..97
NTFS Timestamps..98
MFT Record Header..99
$STANDARD_INFO Entry..100
$STANDARD_INFORMATION Attributes..101
$FILE_NAME Entry..102
$FILE_NAME Attributes..103
$Data Entry..104
$Data Attributes..105
NTFS - File Creation..106
NTFS - File Deletion..107
NTFS - Directories (File Name Layer)..108
Windows NTFS Reserved Files..109
NTFS - Forensic Notes..110
What data still exists upon file deletion?..112
NTFS - Forensic Time Example..113
File System Summary..115
Day 2
Forensic Methodology Illustrated
Network Forensics..9
If there is suspicion of activity, install a wiretap. Since you are protecting your own network, there is legal precedent (the provider exception) for using one. There must be “probable cause.”
Law enforcement, however, must have a subpoena or court order.
Hackers will start out doing a whois lookup, which gives information about the primary network and mail exchange, leading on to Internet caches, newsgroups, and administrators asking questions that reveal OS type, firewalls, etc.
packet 1776 has the FTP data string. Filter on that.
tcp.port == 24 shows PuTTY traffic (PuTTY announces itself in the SSH version exchange).
Linux Compromise: Forensic Verification..13
Helix..22
Set up forensics workstation to receive data via netcat
cd /images/unixforensics
nc -l -p 31337 > vmware_memory_dump
Use the programs from the cd. Memdump output should be sent via netcat (nc).
mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./memdump | ./nc -vv 192.168.2.2 31337
Output can be sent via netcat (nc), just set up listener on forensics workstation.
./uptime
./uname -a
./date
./fdisk -l
./mount
./netstat -anp
./lsof -n
./ls -lit
on forensics workstation:
cd /images/unixforensics
nc -vv -l -p 31337 > vmware_bodyfile.mac
on hacked machine:
mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./mac-robber / | ./nc -vv 192.168.2.2 31337
on forensics workstation:
cd /images/unixforensics
mactime -b vmware_bodyfile.mac > timeline-vmware.txt
less timeline-vmware.txt
* MACtime Evidence..46
* Volatile Information..47
* Creating a Timeline..48
* Creating your First Timeline..51
* **mac-robber** Usage..52
* **mactime**..53
* Searching the file system [timeline]..57
commands hacker initially used
w
last
add user jack
changed password to jack -checks password sc
secure copy rootkit
netstat
top
ps
creates /usr/sbin/mkxfs
creates /dev/ida/.. /sl2
/dev/ida/.drag-on
commonly trojanized files
these files look odd because only the c-time is recent (the inode changed when the rootkit replaced them, while the m-time is old)
ifconfig
ps
netstat
top
files with just an a-time change have been read or executed.
logclear
linsniffer
.drag-on
..(space)
The m-times are old because tar preserves the modification time stored in the archive, so they reflect when the rootkit files were built, not when they arrived. The c-times show when the inodes were changed on this system, which is what happens when the archive is unpacked and the trojaned files are installed.
lsof and netstat
set up nc listener
./lsof -n | ./nc 192.168.2.2 31337
./netstat -nap | ./nc 192.168.2.2 31337
lsof lists every file each process has open, including deleted files that are still held open (shown as "(deleted)").
mkxfs is probably a trojanized ssh.
inode numbers are allocated roughly in sequence on a freshly installed system, so the binaries in a directory installed together have neighboring inode numbers.
./ls -lit /usr/bin | ./sort | ./less
directories to look at are /usr/bin, /usr/sbin, /sbin
To look at all files:
./ls -litR
files the rootkit replaced were written later and got newly allocated inodes, so they break the sequence; look for very high or very low inode numbers among the neighbors in the sorted listing.
Evidence Integrity..70
Cryptographic Hashes..71
md5sum..72
md5sum
./md5deep -r / | ./nc 192.168.2.2 31337 -w 3
* National Software Reference Library..76
Forensic Imaging..77
Gathering the Evidence..78
Bit Image Creation (Overview)..79
No Standard!..80
Imaging Conditions..81
Logical or Physical Backups..82
Normal Backup Software..83
dd..84
dd if=INFILE of=OUTFILE
bs= block size
count=N
skip=N
conv=noerror,sync
dcfldd if=INFILE of=OUTFILE
hashwindow=0 (one hash over the entire input; hashwindow=N also hashes every N bytes)
hashlog=drive.md5.txt
Host Protected Area
disk_stat /dev/hdb
removal (temporary, until the next power cycle)
disk_reset /dev/hdb
Before imaging nc these commands
mount
fdisk -l
On Forensics workstation:
cd /images/unixforensics
nc -l -p 31337 > vmware_dev_sda.img
md5sum vmware_dev_sda.img
On hacked machine:
mount /dev/cdrom /mnt/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
fdisk -l
mount
./dcfldd if=/dev/sda hashwindow=0 | ./nc 192.168.2.2 31337
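Added example (not from the course notes, and not dcfldd's own code): what dcfldd's hashwindow= option buys you, re-implemented in Python. hashwindow=0 is one hash over the whole input, which is all the imaging line above asks for; hashwindow=N also hashes every N-byte window, so that a later verification can say which window of the image no longer matches instead of only "the image changed". The image bytes are constructed in memory, and the hashlog text layout below is this example's own, not dcfldd's.

```python
# Added example (not course material): dcfldd-style windowed hashing and a
# verifier that reports which windows of an image no longer match.
import hashlib


def windowed_md5(data, window=0):
    """Return (total_md5, [(start, end, md5), ...]).
    window=0 behaves like hashwindow=0: only the total hash is produced."""
    total = hashlib.md5(data).hexdigest()
    windows = []
    if window > 0:
        for start in range(0, len(data), window):
            chunk = data[start:start + window]
            windows.append((start, start + len(chunk), hashlib.md5(chunk).hexdigest()))
    return total, windows


def format_hashlog(total, windows):
    """One line per window, then the total (this example's own layout)."""
    lines = [f"{start} - {end}: {h}" for start, end, h in windows]
    lines.append(f"Total (md5): {total}")
    return "\n".join(lines)


def parse_hashlog(text):
    total, windows = None, []
    for line in text.splitlines():
        if line.startswith("Total (md5): "):
            total = line.split(": ", 1)[1]
        elif line.strip():
            span, h = line.split(": ")
            start, end = (int(x) for x in span.split(" - "))
            windows.append((start, end, h))
    return total, windows


def verify(data, hashlog_text):
    """Recompute every hash; return (total_matches, [(start, end) of changed windows])."""
    total, windows = parse_hashlog(hashlog_text)
    changed = [(s, e) for s, e, h in windows if hashlib.md5(data[s:e]).hexdigest() != h]
    return hashlib.md5(data).hexdigest() == total, changed


if __name__ == "__main__":
    image = bytes(range(256)) * 64            # constructed 16 KiB "image"
    log = format_hashlog(*windowed_md5(image, 4096))
    print(log)
    tampered = bytearray(image)
    tampered[5000] ^= 0xFF                    # one byte flipped inside the second window
    print(verify(bytes(tampered), log))       # (False, [(4096, 8192)])
```

dcfldd also accepts hash=sha256; MD5 is used here only because it is what the notes use.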
How do I extract logical partitions from the physical image? mmls..92
mmls Output
Extracting Partitions..94
mmls Output from your Image..95
Extracting Partitions..96
mmls disk1.dd
if mmls cannot determine the type, try
mmls -t dos disk1.dd
dd if=disk1.dd bs=512 skip=62 count=1028097 of=part1.dd
(skip= is the partition's start sector and count= its length in sectors, both taken from the mmls output)
the first logical partition inside the extended partition is numbered 5 (e.g., sda5), however many primary partitions exist, and numbering continues from there.
do not normally extract extended partitions; they are just boundaries around the logical partitions.
the first 512 bytes contain the MBR. At byte 446 is the start of the partition table. Each entry is 16 bytes long; the last 8 bytes are the useful ones: the last four are the length of the partition in sectors and the four before that are the starting sector (LBA). For primary partitions that start is absolute; inside an extended boot record the logical partition's start is relative to that record and the link to the next record is relative to the start of the extended partition. On a classic DOS layout the first partition starts at sector 63 (the first track is reserved for the MBR), which is where the “add 63” rule of thumb comes from.
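Added example, not part of the course notes and not The Sleuth Kit's code: a Python walk of the partition table described above, doing what mmls -t dos does, including the extended-partition chain and the dd lines for carving each partition. The disk image is constructed in memory (one primary, then an extended partition holding two logicals), so it runs offline; read a real mbr.img or disk1.dd into bytes to use it on evidence.

```python
# Added example (not course material): parse a DOS partition table, follow
# the extended boot record (EBR) chain, and emit dd lines for each partition.
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
EXTENDED = {0x05, 0x0F, 0x85}            # DOS extended, W95 extended (LBA), Linux extended
TYPE_NAMES = {0x83: "Linux", 0x82: "Linux swap", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x05: "DOS Extended", 0x0F: "Extended (LBA)"}


def parse_table(sector):
    """Return the four (boot_flag, type, lba_start, sector_count) entries at byte 446."""
    if len(sector) < SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("no 55 AA boot signature at bytes 510-511")
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i:446 + 16 * (i + 1)]
        # byte 0 boot flag, 1-3 CHS start, 4 type, 5-7 CHS end, 8-11 LBA start, 12-15 length
        start, count = struct.unpack_from("<II", e, 8)
        entries.append((e[0], e[4], start, count))
    return entries


def partitions(img):
    """List (number, type, start_sector, sector_count). Primaries are 1-4; logicals
    are numbered from 5 no matter how many primaries exist. Inside an EBR the first
    entry's start is relative to that EBR and the second entry (link to the next
    EBR) is relative to the start of the extended partition."""
    found, ext_base = [], None
    for n, (boot, ptype, start, count) in enumerate(parse_table(img[:SECTOR]), 1):
        if ptype == 0:
            continue
        found.append((n, ptype, start, count))
        if ptype in EXTENDED:
            ext_base = start
    if ext_base is None:
        return found
    num, ebr, seen = 5, ext_base, set()
    while ebr not in seen:                      # a corrupt chain can loop; stop if it does
        seen.add(ebr)
        table = parse_table(img[ebr * SECTOR:(ebr + 1) * SECTOR])
        logical, link = table[0], table[1]
        if logical[1] != 0:
            found.append((num, logical[1], ebr + logical[2], logical[3]))
            num += 1
        if link[1] not in EXTENDED or link[3] == 0:
            break
        ebr = ext_base + link[2]
    return found


def dd_command(image, part):
    """The dd line that carves this partition out of the physical image."""
    n, ptype, start, count = part
    return f"dd if={image} bs={SECTOR} skip={start} count={count} of=part{n}.dd"


def _entry(ptype, start, count, boot=0):
    return bytes([boot, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)


def _table_sector(entries):
    s = bytearray(SECTOR)
    s[446:510] = b"".join(entries).ljust(64, b"\x00")
    s[510:512] = BOOT_SIG
    return bytes(s)


def build_sample_image():
    """Constructed 223-sector image: one primary, then an extended partition
    holding two logicals (swap, then Linux) chained through two EBRs."""
    img = bytearray(SECTOR * 223)
    img[0:SECTOR] = _table_sector([_entry(0x83, 63, 100, 0x80), _entry(0x05, 163, 60)])
    img[163 * SECTOR:164 * SECTOR] = _table_sector([_entry(0x82, 1, 20), _entry(0x05, 21, 39)])
    img[184 * SECTOR:185 * SECTOR] = _table_sector([_entry(0x83, 1, 38)])
    return bytes(img)


if __name__ == "__main__":
    for p in partitions(build_sample_image()):
        print(f"{p[0]:02d}: start {p[2]:>8} len {p[3]:>8} {TYPE_NAMES.get(p[1], hex(p[1]))}")
        if p[1] in EXTENDED:
            print("    (extended: boundary only, not extracted)")
        else:
            print("    " + dd_command("disk1.dd", p))
```

The skip= and count= values come straight from the entry, so there is nothing to add by hand: the 63-sector gap before the first partition simply shows up as its start sector.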
What do I do with the “image”?..97
mount..98
Bit Image Review..101
Disk Imaging: Hands-On..102
Mount Images for Analysis..103
mount root then mount the other partitions in there.
mount -t ext2 -o ro,loop,noexec vmware_dev_sda6.img /mnt/hack/unixforenseics_mount
mount -t ext2 -o ro,loop,noexec vmware_dev_sda1.img /mnt/hack/unixforenseics_mount/boot
Day 3
Grab - GUI Imaging Interface..104
file identifies a file by its content using the magic database (the same magic file across systems).
/usr/share/misc/magic (or /usr/share/file/magic; the location varies by distribution)
Usage:
file <filename>
/usr/share/backgrounds/images/earthfromspace.jpg
/usr/share/backgrounds/images/stonebird.jpg
Each has the same starting byte string.
Thought process number 1.
Look for header then look for footer. All in between is the image.
Side note:
Vulnerability in Microsoft's JPEG rendering: heap overflow via the comment (COM) segment. The 2-byte segment length includes the length field itself, so the parser always subtracted 2 to get the comment size; a length of 0 or 1 wraps around to a huge unsigned value and the copy overruns the heap buffer.
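Added example, not from the course notes: the header/footer carving idea above, done a little more carefully than "find FF D8, find FF D9". The marker segments between SOI and SOS are walked and each length field is checked before it is trusted, so a COM segment with a length of 0 or 1 (the underflow case from the side note) is reported as malformed instead of being copied. The buffer is constructed in memory with one valid JPEG and one bad one; the function names are this example's own.

```python
# Added example (not course material): carve JPEGs from a raw buffer and
# validate marker segment lengths on the way to the footer.
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xD8)}      # TEM and RST0-7 carry no length field


def walk_segments(buf, off):
    """From an FF D8 at off, yield (marker, seg_off, length) up to and including SOS.
    Raises ValueError on a length that is too small or runs past the buffer."""
    pos = off + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, 0
            pos += 2
            continue
        length = struct.unpack_from(">H", buf, pos + 2)[0]
        if length < 2:                           # length counts itself: length - 2 would wrap
            raise ValueError(f"marker FF{marker:02X} at {pos} has length {length} < 2")
        if pos + 2 + length > len(buf):
            raise ValueError(f"marker FF{marker:02X} at {pos} runs past the buffer")
        yield marker, pos, length
        pos += 2 + length
        if marker == SOS:
            return
    raise ValueError("no SOS before end of buffer")


def carve_jpegs(buf):
    """Return [(offset, length_or_None, status)] for every FF D8 FF header found."""
    out, start = [], 0
    while True:
        off = buf.find(b"\xff\xd8\xff", start)
        if off < 0:
            return out
        try:
            segs = list(walk_segments(buf, off))
            sos_off, sos_len = segs[-1][1], segs[-1][2]
            # In entropy-coded data FF is always followed by 00 or an RST marker,
            # so the first FF D9 after SOS is the real footer.
            end = buf.find(b"\xff\xd9", sos_off + 2 + sos_len)
            if end < 0:
                out.append((off, len(buf) - off, "no EOI footer (truncated)"))
                start = off + 2
            else:
                out.append((off, end + 2 - off, "ok"))
                start = end + 2
        except ValueError as e:
            out.append((off, None, f"malformed: {e}"))
            start = off + 2


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_buffer():
    """Constructed buffer: a minimal valid JPEG, then one whose COM length is 0."""
    good = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(COM, b"hello") + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
    bad = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"A" * 20 + b"\xff\xd9"
    return b"\x00" * 100 + good + b"\x00" * 50 + bad + b"\x00" * 30, len(good)


if __name__ == "__main__":
    buf, _ = build_sample_buffer()
    for off, length, status in carve_jpegs(buf):
        print(f"offset {off}: length {length}: {status}")
```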
strings displays runs of 4 or more printable ASCII characters
List the byte offset of each string in the image:
strings --radix=d <image>
byteoffset–>block number–>inodenumber–>metadata–>Filename
byteoffset/block size=block number
file size and name stored in metadata
datalayer comprised of data blocks
Identify the block the string sits in.
Find inode number with that block.
Then find filename.
File System Layer..133
fsstat dev_sda6.img | less
fsstat - FAT Image..135
fsstat - NTFS Image..138
fsstat Examples
Data Layer
dstat gives Allocated or Unallocated for a data unit
dstat dev_sda6.img 368055
dcat displays contents of a data unit
dcat dev_sda6.img 368055 |less
for hex display:
dcat -h dev_sda6.img 368055 |less
dls lists the contents of unallocated data units (by default)
-e shows all blocks (allocated and unallocated)
-l lists details instead of contents
-s shows slack space (no slack in Linux: the tail of a partial block is zero-filled)
extract all unallocated data:
dls dev_sda6.img > dev_sda6.dls
extract between 8000 and 9000:
dls -el dev_sda6.img 8000-9000
since the extracted blocks are no longer in the original sequence (the allocated blocks have been removed), use dcalc to map a block number in the dls output back to the original block number
dcalc dev_sda6.img -u 233429
gives:
368055
takes every single data block and runs file against it (block-by-block content classification).
foremost carves out files based on the file headers (and footers) in foremost.conf and sorts them by type.
mkdir /images/unixforensics/foremost_gzip (need to create a directory where the output will go)
foremost -o /images/unixforensics/foremost_gzip -c /usr/local/src/foremost.conf dev_sda6.dls
may need to remove the 13th data block: on ext2/ext3 it is the file's indirect block (a list of block pointers), not content. In the example, open the carved file in khexedit, go to offset blocksize(4096)*12 = 49152, and delete blocksize (4096) bytes.
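Added example, not from the course notes: why the 13th block has to go, computed rather than eyeballed in khexedit. ext2/ext3 keeps 12 direct block pointers in the inode; when a file is written contiguously the single-indirect block is allocated just before data block 12, the double-indirect block (and each of its child pointer blocks) just before the data they address, and so on. A file carved from unallocated space therefore carries those pointer blocks inline. This computes their positions for any block size and strips them. It assumes contiguous, in-order allocation (true for the gzip in the exercise, not guaranteed in general; when the inode still exists, istat shows the real block list) and the function names are this example's own.

```python
# Added example (not course material): locate and strip ext2/ext3 indirect
# pointer blocks from a file carved out of unallocated space.
DIRECT = 12          # direct block pointers in an ext2 inode


def indirect_blocks_before(d, ptrs):
    """Number of pointer blocks ext2 allocates immediately before data block d
    (ptrs = pointers per block = block_size // 4), assuming in-order allocation."""
    if d < DIRECT:
        return 0
    d -= DIRECT
    if d < ptrs:                                  # single-indirect region
        return 1 if d == 0 else 0                 # the indirect block itself
    d -= ptrs
    if d < ptrs * ptrs:                           # double-indirect region
        return (d == 0) + (d % ptrs == 0)         # DIND, plus a child IND every ptrs blocks
    d -= ptrs * ptrs                              # triple-indirect region
    return (d == 0) + (d % (ptrs * ptrs) == 0) + (d % ptrs == 0)


def indirect_positions(total_blocks, block_size):
    """0-based indexes, within the carved stream, of blocks that hold pointers."""
    ptrs = block_size // 4
    pos, d, out = 0, 0, []
    while pos < total_blocks:
        for _ in range(indirect_blocks_before(d, ptrs)):
            if pos < total_blocks:
                out.append(pos)
            pos += 1
        pos += 1                                  # the data block itself
        d += 1
    return out


def strip_indirect_blocks(stream, block_size):
    """Return the carved bytes with the pointer blocks removed."""
    n_blocks = -(-len(stream) // block_size)      # ceiling division
    skip = set(indirect_positions(n_blocks, block_size))
    return b"".join(stream[i * block_size:(i + 1) * block_size]
                    for i in range(n_blocks) if i not in skip)


if __name__ == "__main__":
    # The exercise: 4096-byte blocks, a gzip shorter than 12 + 1024 blocks.
    # Exactly one pointer block, at block 12 = byte offset 49152.
    print([p * 4096 for p in indirect_positions(30, 4096)])    # [49152]
    # A larger file (5000 blocks) also carries the double-indirect chain.
    print(indirect_positions(5000, 4096)[:4])                   # [12, 1037, 1038, 2063]
```

With 4096-byte blocks there are 1024 pointers per block, so anything under about 4 MB has just the one pointer block to cut; bigger carves get a pointer block every 1024 data blocks after that.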
in audit.txt, the gzip file is listed at byte offset 98304
98304/4096=24 (block number in unallocated dls file)
dcalc dev_sda6.img -u 24
8171 (block number)
give ifind the block and it will return an inode number that is/was associated with it.
ifind dev_sda6.img -d 8171
2880
displays metadata information about an inode
istat dev_sda6.img 2880
istat - FAT Image Example..169
istat - NTFS Image Example..170
Inode lister: ils..173
ils Audit: Hands-On..175
ils Post Mortem: Hands-On..176
list inode information
ils dev_sda6.img |grep 2880
copies files by inode number
icat -r dev_sda6.img <inode>
icat -r dev_sda6.img 2880 > /images/unixforensics/lk.tgz
Filename Layer..181
takes inode of directory and displays filenames in directory.
fls dev_sda6.img
fls -l dev_sda6.img
fls dev_sda6.img 174593
SleuthKit Exercises..190
Journal Layer..193
jls..196
jcat..198
like mac-robber, the following will create the timeline (body file) information
-m gives the mount point to prepend to each path in the output
-r says recurse directories
fls -m / -r dev_sda6.img > /images/unixforensics/dev_sda6.fls
or on live system
fls -m / -r /dev/sda6 | less
ils -m extracts the same data for deleted inodes, which no longer have filename information
ils -m dev_sda6.img > /images/unixforensics/dev_sda6.ils
integrate them with cat
cat dev_sda6.?ls > dev_sda6.mac
the question mark matches any single character
make the data human readable
mactime -b dev_sda6.mac > timeline_sda6.all
-d for comma-delimited output
File Content Type..211
sorter uses file to categorize everything on the system, including deleted files, and puts the results into directories by type.
Thumbnails Viewing..217
Hash Databases..218
hfind indexes and searches a hash database
hfind -i md5sum linux_hash.txt
hfind linux_hash.txt <md5 hash>
* sorter and hashes..220
hash all files
md5deep -r / > /mnt/LinuxFC3.txt
Use database to exclude known good files with sorter:
sorter -d sorter_dir -x LinuxFC3.txt hda1.dd
Autopsy Forensic Browser..221
Adding a Host..226
Adding an Image..228
Beginning the Analysis..232
Live Autopsy Analysis..263
Autopsy Step-By-Step..268
Review..270
Forensic Investigation Methodology..271
Day 4
Windows File System Forensics..1
Windows Compromise: Forensic Verification- network capture..5
# smb ports are 139,445
In the middle pane, filter on SMB Header, SMB Command: NT Create AndX (0xa2); this will show filenames.
This will include a bunch of junk.
Just save as RAW and edit in a hex editor, searching for the file header listed in the file data section of Wireshark (in this example 4d5a9000, the MZ header of a Windows executable), then copy out the number of bytes specified in the 'Write AndX Request' packet.
Windows Incident Response..18
use an existing share or add a share of the CD-ROM using system-config-samba so the binaries will be available; restart smb.
On stand-alone machines with XP SP2 the firewall will block port 445; as part of a domain it should be open.
Netcat for Windows..26
First Data Collected..27
Date, Time, Uptime
Use the code in d:\IR\Cygwin on the Helix CDRom
date
time
uptime
hostname
uname -a
id
whoami
d:\IR\sysinternals\psinfo.exe
psinfo
Determine system environment.
Install date can be a clue that someone has tampered with a system.
Determine system running processes
d:\IR\sysinternals\pslist.exe
pslist
gather open ports and sockets. Determine which apps are listening for network connections.
Shows current listening ports
d:\IR\Foundstone\fport.exe
fport
Windows Forensic Toolchest (WFT)..36
Benefits of WFT..37
Example WFT Reports..38
WFT ConfigurationFile..39
WFT Usage..40
WFT Macro Substitutions..41
How to Use WFT in Practice..42
WFT In Action..43
WFT Example..44
Helix WFT..47
WFT-Hands On..48
Remote WFT Using psexec..49
Password IR Tools..50
http://www.spectorsoft.com/ – commercial (non-hacker) monitoring software that does what a rootkit does: screenshots, e-mail capture, keylogger, all kinds of stuff for $100.
Automatically records everything they do on the Internet.
Objectives..56
dd.exe for Windows..57
for win2k, xp, 2003
d:\IR\FAU\dd.exe
dd.exe as a Backup Tool..58
Basic dd.exe Operation..59
dd.exe Physical Drives..60
\\.\PhysicalDrive1
If doing Physical drives, it is still better to use linux
\\.\C:
^Name^Windows^Linux^
| Physical | \\.\PhysicalDrive0 | /dev/hda /dev/sda |
| Logical | \\.\C: \\?\Volume{cc5deda7-d558-11d5-9226-806d6172696f} | /dev/hda1 /dev/sda1 |
D:\> dd.exe if=\\.\PhysicalDrive0 of=E:\drive0.img
D:\> dd.exe if=\\.\C: of=E:\images\Cdrive.img
Use logical imaging for RAIDs
D:\> dd.exe if=\\.\PhysicalMemory of=D:\images\mem.img conv=noerror
An EOF error is normal.
Looking at memory..67
memparser..68
memparser <image of memory>
Memory Artifacts..69
MD5 Integrity Checks..70
MD5 C Drive Example..72
D:\> dd.exe if=\\.\C: of=D:\CDrive.img --md5sum --verifymd5 --md5out=D:\CDrive.md5
of=\\server\share\output.img
image memory over network share:
D:\> dd.exe if=\\.\PhysicalMemory of=\\Linuxforensics\images\windowsforensics\mem.img --md5sum --verifymd5 --md5out=\\Linuxforensics\images\windowsforensics\mem.img.md5 conv=noerror
D:\> dd.exe if=\\.\C: of=\\Linuxforensics\images\windowsforensics\CDrive.img --md5sum --verifymd5 --md5out=\\Linuxforensics\images\windowsforensics\CDrive.img.md5
Step-by-Step Imaging..77
Obtain Physical Memory
Obtain Volume Information
Image Drives (Logical or Physical).
Image Removable Media
Windows Forensics Using Linux..84
mount -t ntfs -o loop,ro,umask=0222,uid=forensic,gid=users /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount
mount -t ntfs -o umask=0222,loop,uid=forensic,gid=users,show_sys_files=true /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount/
show_sys_files=true shows the NTFS metadata files ($MFT, $LogFile, etc.)
mount -t smbfs -o ro,noexec,username=administrator //Winforensics/C$ /mnt/windows_forensic_server
Share C on compromised machine
mount C through Linux SMBFS in READ-ONLY mode
Share out directory form linux using SAMBA
Any machine can now examine the compromised machine without changing any of the files
use dls on the linux machine on the image.
dls -f ntfs hacked_ntfs.img -s > ntfs.slack
lazarus, foremost, dirty word search
slack space is tough to get a case from.
Objectives..96
E-Mail Forensics..97
E-Mail Headers..98
Forged SMTP Transaction..100
Resultant E-mail Headers..101
Word Forensics..102
Looking at Metadata in Hex-Editor..104
Using Sysinternal's strings to Examine Word Documents..105
Internet History..106
to examine index.dat file on linux
pasco
* Recycle Bin..107
A subfolder named with the user's SID is created where the files are placed. Files in the recycle bin are not stored under their normal names. Time and date stamps remain. The INFO or INFO2 file keeps a map of the original filename and location.
rifiuti can examine an INFO2 file
rifiuti INFO2
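Added example, not from the course notes and not rifiuti's code: a minimal INFO2 reader that maps each recycled name (Dc1.txt style: D, drive letter, record index, original extension) back to the original path and deletion time. The record layout assumed here is the Windows 2000/XP one: a 20-byte header with the record size at offset 12, then 800-byte records of a 260-byte ANSI path, 4-byte record index, 4-byte drive number, 8-byte FILETIME of deletion, 4-byte size and a 520-byte UTF-16 path; a record whose ANSI path starts with a NUL byte has already been emptied from the bin. The INFO2 bytes are constructed in memory so it runs offline.

```python
# Added example (not course material): parse a Windows 2000/XP INFO2 file and
# rebuild original path, deletion time and recycled name for each record.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_info2(data):
    version = struct.unpack_from("<I", data, 0)[0]
    rec_size = struct.unpack_from("<I", data, 12)[0]
    if rec_size not in (280, 800):                    # 280 = Win95/98 INFO, 800 = 2000/XP INFO2
        raise ValueError(f"unexpected record size {rec_size} (version {version})")
    records = []
    for off in range(20, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        purged = rec[0] == 0                          # first byte zeroed once the file is gone
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni = ""
        if rec_size == 800:
            uni = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        original = uni or ansi
        basename = original.rsplit("\\", 1)[-1]
        ext = "." + basename.rsplit(".", 1)[1] if "." in basename else ""
        records.append({
            "recycled": f"D{chr(ord('a') + drive)}{index}{ext}",
            "original": original,
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "purged": purged,
        })
    return records


def build_sample_info2():
    """Constructed INFO2: two records, the second already emptied from the bin."""
    header = struct.pack("<IIIII", 5, 0, 0, 800, 0)

    def record(path, index, drive, when, size, purged=False):
        ansi = path.encode("cp1252").ljust(260, b"\x00")
        if purged:
            ansi = b"\x00" + ansi[1:]
        delta = when - FILETIME_EPOCH
        ft = (delta.days * 86400 + delta.seconds) * 10_000_000
        uni = path.encode("utf-16-le").ljust(520, b"\x00")
        return ansi + struct.pack("<IIQI", index, drive, ft, size) + uni

    return (header
            + record(r"C:\Documents and Settings\bob\secret.txt", 1, 2,
                     datetime(2004, 11, 21, 12, 0, tzinfo=timezone.utc), 4096)
            + record(r"D:\tools\lk.tgz", 2, 3,
                     datetime(2004, 11, 22, 8, 30, tzinfo=timezone.utc), 1_200_000, purged=True))


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        flag = " (emptied)" if r["purged"] else ""
        print(f"{r['deleted']:%Y-%m-%d %H:%M:%S} {r['recycled']:<10} {r['size']:>9} {r['original']}{flag}")
```

The deletion time is UTC; convert with the machine's time zone before comparing it against entries in a local-time timeline.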
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_USERS\S-1-5-21-1801674531-1563985344-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
a tool to read last time a key was written
keytime <full key path> (case sensitive)
Windows Challenge..123
Day 5
Computer Investigative Law for Forensic Analysts..1
Topics Overview
Who Can Investigate:
Internal General..3
Commonly done in house.
First Responders Often play key role.
May have to block attack, but consider options and include others who have a say.
Internal Incident Response Policy..4
Internal First Responders..5
Internal Initial Prognosis..6
Initial estimate
Is it an attack at all?
Look at Logging
Internal Ongoing Damage..7
May need to take steps to stop damage
If a surreptitious attack (e.g., intrusion), consult with others before taking steps that may alert the intruder to discovery.
Do not “Hack Back”
Internal Report to others..8
Reporting to appropriate people
Need-to-know policy if insider
consider reporting to other victims/vendors
Internal Report to others..9
Internal Investigative Notes..10
Outsource General..12
Investigations by third parties are not unusual;
Same general rules-of-thumb apply to outsourcers as internal investigators
In some jurisdictions, there may be a licensing requirement
Outsource Special Considerations..13
There are some special considerations
The scope of what the client has authorized the outsourcer to do should be clear
Participation by the client, and reporting to the client
Outsourcer's duties of fidelity and confidentiality to the client also should be clear
Indemnity issues; what if the outsourcer violates the rights of another; is the client liable?
Government Calling Law Enforcement..14
Once an incident looks like criminal activity, consider calling law enforcement
Situations that suggest illegal activity
Pros and cons
Timing (call before internal investigation, after, during?)
How to make the call
Government Criminal Conduct..15
What is criminal?
Network Crimes (Computer Fraud and Abuse Act)
Wiretapping and Snooping (Wiretap Act; Electronic Communications Privacy Act)
Software Piracy
Using Network to commit traditional crimes
Network Crimes: The Federal Computer Fraud and Abuse Act (Pt 1)..16
“Damage” is defined as any impairment to the integrity or availability of data, a program, a system or information causing..17
$5,000 loss in 1-year period (government may aggregate certain losses), or
Impairment of medical records, or
Physical injury to a person, or
Threat to public health or safety or
Damage affecting a government system used for justice, national defense or national security.
Any reasonable cost to a victim counts as “loss” toward the $5,000 threshold, including:..18
Law enforcement can aggregate losses among multiple computer and victims to reach threshold if losses resulted from a related course of conduct.
Intentional Conduct
knowingly transmitting a “program, information, code, or command”
resulting in “damage” (without authorization) to a “protected computer”
Applies to insiders (e.g., employees) or outsiders (e.g., hackers)
Applies even w/o “access” (e.g., virus, DoS)
Reckless Conduct..20
Intentionally accessing a protected computer without authorization and
Recklessly causing damage [even accidentally]
Applies only to outsiders (no authority to access).
Access to the victim computer required.
Conduct Neither Intentional Nor Reckless..21
Applies even if no intent to damage
Applies only to outsiders (no authority to access).
Access to the victim computer required.
| Crimes of Damage | Outsider (Hacker or Trespasser) | Insider Some Authority |
| Intentional Damage | Felony | Felony |
| Reckless Damage | Felony | No Crime |
| Other Damage | Misdemeanor | No Crime |
Network Crimes: The Federal Computer Fraud & Abuse Act (pt 2)..23
Network Crimes: The Federal Computer Fraud & Abuse Act (Pt 3)
Network Crimes: The Federal Computer Fraud & Abuse Act (Pt 3)
Network Crimes:..26
The Federal Wiretap Act [cat 5 cable]
The Electronic Communications Privacy Act [stored data, disk, memory, wiretap logs]
Child Porn..27
Intellectual Property
Cyberstalking, threats and harassment
Identity Theft
Fraud, Drug dealing, other, etc.
Government Common Cyber-Defenses..28 (Rob Lee Skipped to p.54)
Attribution is often the key
Trojan Horse/hacker
Virus/Worm
Other malware
Circumstances Can Add Light
Good Forensics can help confirm or debunk
Government International Aspects..30
Cases frequently involve several nation states
Multiple countries may be host to:
tools
Contraband
Evidence
Other Victims
Culprit
Goals..31
Procedures for domestic and international investigation
Faster mutual legal assistance
Trained and equipped personnel
Extradite or prosecute criminals
Mutual Legal Assistance requests ..32
Letters Rogatory
Slower
No obligation to assist
issued by courts
Assistance through US LE liaisons- FBI legal attaches, Secret Service Resident Agents..33
Informal law enforcement assistance
The G-8's 24/7 Point-of-contact network
Developed for use in cases involving electronic evidence
Have expanded outside the G-8
Supports preservation of evidence
Council of Europe..34,35
Cybercrime Convention
Recommendation 95(13)
G-8; High Tech Crime Subgroup of the Lyon Group..34,35
24/7 Point of Contact
Multilateral Conferences
Asia-Pacific Economic Cooperation
Organization for Economic Cooperation and Development
Organization of American States
Interpol
United Nations
Government Pros and Cons..36
Statistics suggest victim reporting is uncommon– 20%
Required Notification..45
Some states [California being the first] have adopted notification requirements
Typically apply where personal information is compromised.
Most require notification to customers, but not to law enforcement
Congress shown interest in same
Government Who to Call..46
Plan (and meet) in advance..47
-
U.S. Attorney's CHIPS programs
DHS National Infrastructure protection Center Hotline: 202-323-3205
-
On-Line Reporting..48
List of FBI & USSS Field Offices
Government What is Expected from Victim?..49
What law enforcement needs:
Access to staff who can explain in technical detail what happened and what evidence exists
Initial interviews will typically take from 2 to 4 hours
Access to evidence such as log files and hard drives
possibility of testimony (grand jury, court)
What law enforcement doesn't need:..50
Proactive Measures
Acquiring Data:
| | contents of communications | Headers, logs, and other information |
| Access to stored communications | ECPA | ECPA |
| Real-time interception | Wiretap Act | Pen/Trap statute |
* Network Devices..60
Stored data from networks is often more complicated than stand-alone
Statutory rules based on the type of data on the network
Electronic communications Privacy Act (ECPA)
Others
Network Devices and ECPA..61
ECPA governs access to and disclosure of stored files
provider/customer/government roles
Cannot necessarily share stored files with others
Three main categories are covered
Communications (e.g., e-mail, voicemail, other files)
Transactional Data (e.g., Logs reflecting with whom users communicated)
Subscriber/Session Information
-
What stored communications records can network operators voluntarily provide to law enforcement?..62
A private provider may disclose all without violating ECPA
Content
Transactional data
User information
A public provider looks to statutory exceptions before disclosing content or non-content to government..64
Public provider may voluntarily disclose the content of communications to government when:
Consent to do so exists (e.g., via a banner)
Rights and property will be protected.
Contents inadvertently obtained & pertain to commission of a crime.
The provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
Public provider may voluntarily disclose non-content records concerning a customer or subscriber:..65
When consent from the subscriber to do so exists (e.g., via a banner or user agreement)
To protect provider's rights and property
To the government “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”
To any person other than a governmental entity
Real-Time..67
Cannot intercept contents unless an exception applies; it's a wiretap
Three Key exceptions:
Monitoring; Provider Exception..68
Allows provider to conduct reasonable monitoring
Is a limited exception. Not a criminal investigator's privilege.
System administrator can track hackers within their networks in order to prevent further damage.
scope not unlimited, need to tailor monitoring to its purpose.
Monitoring; Consent Exception..70
Interception allowed when user consents “in fact”
Banner the Network
Your use of this network constitutes consent to monitoring and disclosure of the fruits of monitoring. You have no reasonable expectation of privacy on this network
obtain the written consent of authorized users.
Monitoring; Trespasser Exception..71
Computer trespasser exception
Allows law enforcement to intercept communications to or from “computer trespassers”
Even if trespasser is using system as a pass through to other down-stream victims
A “computer trespasser” cannot be a person known by the provider to have an existing contractual relationship with the provider for use of the system
Conditions:
The provider authorizes the interception,
The person intercepting is “under color of law”
The communication are relevant to an ongoing investigation and
No communications other than those sent to or received by the trespasser are intercepted.
Provider receives immunity
May combine this authority with other exceptions, such as consent.
Monitoring; Header Information..73
The Pen Registers and Trap and Trace Devices statute governs real-time monitoring of traffic data (e.g., most e-mail header information, source and destination IP address and port)
Does not include content of communication (e.g., e-mail subject line or content of a downloaded file.)
For non-content information like packet headers, rules are more flexible
Provider exception is broad.
Consent of user still allows acquisition
Lawful Access Legislation..75
“Lawful Access” legislation
Common Scope of requirements
Common Permanent Capability Requirements
Ability to isolate target subscriber
capture in real-time
Without tipping-off the target
Target list secure from outsiders and un-cleared insiders
CALEA and IP switching
HIPAA..77
HIPAA Creates Uniform Federal Privacy Standard for Protected Health Information (PHI)
Covers
HHS Implemented Security Rule to Protect Electronic PHI
Covered Entities required to implement safeguards
Penalties for violation potentially serious
If data is from a “covered entity”, make sure you're not in violation
SOX..79
Sarbanes-Oxley (US Public Company Account Reform and Investor Protection Act)
Aimed at preventing, detecting and responding to insider fraud
Serious sanctions for data destruction to impact government investigation
Corporate governance policies, including
GLB..80
Gramm-Leach-Bliley (Financial Services Modernization Act)
Aimed at Financial Institution
Focus is protecting personally Identifiable financial information
FERPA..81
Family Education Rights and Privacy Act
Aimed at Educational Institutions
Focus is protecting personally identifiable information about students
Other Data Worthy of Mention..82
Child Pornography
Credit Card Information
Social Security Numbers
Passwords
Warez
Attorney Materials
Outside Reconnaissance..83
Common Network Tools
Aggressive
Tools
Normal Logging (Business Records)
Investigative tools
Courts like audit trails
Whatever tool you use, keep notes
Post Collection: Data Preservation..85
Chain of Custody
Who handled the evidence
Goals
Burden on party offering the evidence
does not necessarily require all to testify
admissibility v. weight
Evidence handling form may be useful
Secure location..87
Storage Procedures
Records of process followed
Data Analysis Investigative Report..88
Report Writing Fundamentals..91
Presentation in Court
Appendix - Honeypots Some Legal Issues..100
Day 6
Binary Analysis..2
Binary Analysis Outline..3
Binary Footprinting..4
Analyzing Binaries..5
file Analysis..6
ldd Analysis..9
strings Analysis..11
Code Analysis tools..13
Unix Code Analysis..14
gdb - debugger
objdump - Information from Object files
readelf - ELF format object files
strace - system call tracer
ald - Assembly language debugger
Windows Code Analysis..15
Windows Binary Analysis..16
File Analysis - wrap-up..18
Obtaining a Rogue Process..19
/proc tology..20
Obtaining a process..22
Solaris /proc-tology..23
BSD /proc-tology
Process Wiretapping..25
Malware Dissection..36
x2 is the program
gdb x2
objdump -x x2
readelf -a x2
Encrypted ?..47
Determining Encryption type..50
Executing the Exploit..51
Binary Executed..52
Usage..53
Findings..54
System Calls..55
Target Analysis:..57
strace “read” capture..58
Network Analysis..60
Scan Phase..61
Obtaining Shell..62
Snort Signatures..63
Decrypting the Binary..65
Decrypting the file..66
Teso Burneye..67
Conclusion..68
The Forensic Challenge Hands-On Case Study..70
-
Case Study Background..73
The Attack..75
Snort Alerts..76
Network Packet..77
Your Mission…..78
The Images and mount points..79
Analysis Tools Available..80
Extracting the Images..81
Mounting the Images..82
Goals..84
Methodology..85
Forensic Investigation Methodology..86
MAC Timelines..87
File and Directory Analysis..89
Deleted File Analysis..90
Binary Analysis..91
Unallocated Disk Space..92
Ready??? Set??? Go!!!..93
The Analysis..95
Analysis Results..100
File Analysis..105
Unallocated Space Analysis..146
Swap Space Analysis..149
Find something on these
a long run of 0x90 bytes (x86 NOP) in a transmission is the NOP sled of a buffer overflow attack
winalysis
least privilege
Pen register, trap and trace
WinHex
substantial nexus