aoe:sans508


System Forensics, Investigation, and Response

Day 1

port 445 for Windows: file shares (CIFS, SMB), a little NetBIOS, directory services, RPC, lots of stuff.

0xEBFE jumps back two bytes (to itself) and loops forever, producing a processor spike.

Computer Forensics Primer..5

AUP should waive all rights of privacy.

  1. Does the person who gave you the computer have authority to investigate the machine?
  2. Do you have the authority to investigate the machine? Forensics must be part of the job description (Forensic Investigator or Forensic Analyst).
  3. Who approved you to start the case?
  4. Make sure you have approval. (CYA)
  • Evidence Integrity..8

# Following best practices (like chain of custody) for data integrity is used to show expertise in handling evidence. Law enforcement is legally bound to follow chain-of-custody rules. Evidence cannot be thrown out merely because it 'could' have been tampered with; evidence of actual tampering must be present to raise a tampering argument.


  • Dirty Words List..9
  • Image..10
  • Forensic Incident Response..11
  • Media Analysis..12
  • Forensic Principles..13
  • Two Situations Dead/Live..14
  • Volatile Evidence..15

# live image

  • Just the Facts Ma'am..16
  • IR Forensics..17
  • Forensic Methodology Summary..18

Forensic Investigation Methodology..19

  • System Description..21
  • Evidence Collection..22
  • Timeline..23
  • Media Analysis..24
  • Media Analysis Examples..25
  • String/Keyword Search..26
  • Data Recovery..27
  • Reporting..28
  • Verification Exercise..29

File System Essentials..30

  • Objectives..31
  • Bits and Bytes..32
  • Numbers..33
  • Little Endian/Big Endian..34
    1. most systems are little endian.
    2. ppc macs are big endian
  • File System 5-Layers..35

physical

Drive itself

first 512 bytes (one sector) are the MBR

In the MBR are the partition table and the boot loader (LILO, GRUB, Windows has one, Partition Magic has one)

length of each partition is in the MBR

the MBR sector ends in the 55aa signature

DOS-based partitions are used by x86 Intel systems regardless of OS

the 512-byte MBR can hold a maximum of 4 partition entries

each partition table entry gives the starting sector, number of sectors and type (ext3, ntfs, swap)

one of the 4 can designate an extended partition

At the beginning of the extended partition is a 512-byte sector holding another partition table (an extended partition table).

file system

uses 512 byte sectors

cluster, fragment or block (depending on OS) can be multiple sectors.

data

everything sits at the data layer

metadata

Similar to Card Catalog

Generic name for the metadata structure is inode. In Windows: NTFS = master file table entry; FAT = FAT directory entry.

many blocks or clusters can be associated with a file; the metadata entry holds:

  • Name
  • file type (dir, exe, link)
  • Pointer to start of file on device (Data)
  • Link Count
  • Size
  • Security Mechanisms
  • mac times

filename

  • points to inode number which points to location of data.

How the three layers interact

  • data layer contains
    • filename points to inode number
      • inode contains block or cluster pointers
  1. Physical layer–Hard drive
  2. File system Layer–includes partitioning information
  3. Data Layer–Start of partition, addressable block or cluster. allocated/not allocated. multiple sectors.
  4. metadata layer is card catalog. points to data layer
  5. filename points to inode number.

  • File System Layer..36
  • Data Layer..37
  • DOS-Based Partitions..38
  • Extended Partitions..39
  • Example Partition Figure..40
  • Master Boot Record..41
  • Partition Table Contents..42

Page 42 has Partition table entry contents

mount (to determine the device name)
dd if=/dev/hda bs=512 count=1 of=mbr.img
  • Common Types of Partitions..43
  • Partition Exercise..44
  • Data Storage..45
  • Data Layer Allocated or Unallocated?..46
  • Slack Space..47
  • Contiguous Disk Space..48
  • Metadata Layer..49
  • Metadata in File System..50
  • File System Metadata..51
  • Security..52
  • File System Security..53
  • File Name Layer..54
  • File System Forensic Intro..55

Linux FileSystem Basics (Ext2 and EXT3)..56

  • Superblock (File System Layer)..57
  • Ext2/3 SuperBlock..58

Linux Ext2/Ext3 File system layer (Superblock)

  1. Block size
  2. Total Number of Blocks
  3. Number of Blocks per group
  4. Number of reserved blocks (prior to first block group)
  5. total number of inodes
  6. number of inodes per block group

table of contents at each block group Page 58

  • Blocks (Data Layer)..59
  • Block Groups..60
  • File Access Permissions..61
  • Unix File Types..62
  • Timestamps..63
    1. modification - blocks that contain data have been modified
    2. access - data was read
    3. change - modification of metadata layer (inode itself). Deleting a file modifies inode link count to 0
    4. delete - always will match change time.
  • Inode (Metadata Layer)..64
    1. File owner identifier
    2. File type
    3. File access permissions
    4. mac times
    5. number of links
    6. table of contents
    7. file size

the inode has enough pointers for 12 directly addressed blocks. The 13th entry is an indirect block pointer (a block of block pointers); the 14th is a double indirect block pointer.

  • Data Pointers..65
  • Directories..66
  • What data still exists upon file deletion?..67
  • Linux Deleted Files..68
  • Forensic Notes..69

Windows File System Basics..70

  • Windows File System Evolution..71
  • FAT Filesystem..72
  • Fat 12 and 16..73
  • Fat 32..74
  • FAT Format..75
  • FAT Boot Sector..76
  • FAT12/16 Partition Boot Sector..77
  • FAT12/16 Boot Sector..78
  • FAT32 Partition Boot Sector..79
  • FAT 32 Boot Sector..80
  • FAT Content Data..81
  • FAT Cluster Chains..82
  • FAT Root Directory (Metadata Layer)..83
  • FAT Directory Entry..84
  • FAT Directory Entry and the FAT Cluster Chains Relationship..85
  • FAT Timestamps..86
  • What data still exists upon file deletion?..87
  • FAT Review..88
  • NTFS New Technologies File System..89
  • NTFS Partition Boot Sector..90
  • NTFS Boot Sector..91
  • NT Volumes..92
  • NTFS - Clusters (Data Layer)..93
  • NTFS - MFT (Metadata Layer)..94
  • NTFS File (Metadata Layer)..95
  • Master File Table Entry..96
  • Master File Table Entry Layout..97
  • NTFS Timestamps..98
  • MFT Record Header..99
  • $STANDARD_INFO Entry..100
  • $STANDARD_INFORMATION Attributes..101
  • $FILE_NAME Entry..102
  • $FILE_NAME Attributes..103
  • $Data Entry..104
  • $Data Attributes..105
  • NTFS - File Creation..106
  • NTFS - File Deletion..107
  • NTFS - Directories (File Name Layer)..108
  • Windows NTFS Reserved Files..109
  • NTFS - Forensic Notes..110
  • What data still exists upon file deletion?..112
  • NTFS - Forensic Time Example..113
  • File System Summary..115

Day 2

Forensic Methodology Illustrated

  • Forensic Investigation Methodology..4
  • Tool Theory..5
  • Toolkits Defined..7

Network Forensics..9

  • Network Investigations..10

If there is suspicion of activity, install a wiretap. Since you are protecting your own network, there is legal precedent for using a wiretap. There must be “probable cause.”

Law enforcement, however, must have a subpoena.

Hackers will start out doing a whois lookup, which gives information about the primary network, mail exchange (leading to the internet cache), newsgroups, and administrators asking questions (leading to OS type, firewalls, etc.).

packet 1776 has the ftp data string; filter on that.

tcp.port == 24 shows PuTTY

  • Pre-Conditions for Wiretap..11
  • Wiretap Benefits..12

Linux Compromise: Forensic Verification..13

  • Hacker Methodology..14
  • Network-Based Forensics..15
  • Wireshark Primer..16
  • Network Attack Hands-On..19

Helix..22

  • Incident Response/Forensic Verification..27
  • Evidence Gathering Tools..29
  • netcat..30
  • Linux Verification..32
  • Memdump..35
  • Investigative Recon..37

Set up forensics workstation to receive data via netcat

cd /images/unixforensics
nc -l -p 31337 > vmware_memory_dump

Use the programs from the cd. Memdump output should be sent via netcat (nc).

mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./memdump | ./nc -vv 192.168.2.1 31337  

Output can be sent via netcat (nc), just set up listener on forensics workstation.

./uptime
./uname -a
./date
./fdisk -l
./mount
./netstat -anp
./lsof -n
./ls -lit
  • Timelines..38
    • gather data

on forensics workstation:

cd /images/unixforensics
nc -vv -l -p 31337 > vmware_bodyfile.mac

on hacked machine:

mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./mac-robber / | ./nc -vv 192.168.2.2 31337  
  • make human readable: run mactime on the mac-robber file and redirect output to a file.

on forensics workstation:

cd /images/unixforensics
mactime -b vmware_bodyfile.mac > timeline-vmware.txt
less timeline-vmware.txt
  • MACtime Evidence..46
  • Volatile Information..47
  • Creating a Timeline..48
  • Creating your First Timeline..51
  • mac-robber Usage..52
  • mactime..53
  • Searching the file system [timeline]..57

commands hacker initially used

w
last
add user jack 
changed password to jack -checks password sc
secure copy rootkit
netstat 
top 
ps
creates /usr/sbin/mkxfs
creates /dev/ida/.. /sl2
/dev/ida/.drag-on

commonly trojanized files

these files look odd because only the c time is modified

ifconfig
ps
netstat
top

files with only an a-time change have been accessed or executed.

logclear
linsniffer
.drag-on
..(space)
  • Timeline Analysis Exercise..58

The modification times indicate that the inodes themselves were changed (likely indicating that the files were decompressed). The c time shows that the files themselves were modified, which typically happens during installation.

  • What can I use to look for rootkits? lsof and netstat..59

lsof and netstat

set up nc listener

./lsof -n | ./nc 192.168.2.2 31337
./netstat -nap | ./nc 192.168.2.2 31337

lsof is a process list of open files on the system listing even deleted files that are still in use.

mkxfs is probably a trojanized ssh

  • lsof..60
  • pcat (removed from Helix)..61
  • Finding Clues Using Inodes..63

inodes are sequential on a newly installed system.

./ls -lit /usr/bin | ./sort | ./less

directories to look at are /usr/bin, /usr/sbin, /sbin

To look at all files:

./ls -litR

if files are modified, they will also have sequential inode allocations. Look for very high or very low numbers.

  • Example Inode Listing in /usr/bin..65
  • Other Files..66
  • Log Files..67
  • Forensic Response Step-By-Step..68
  • Helix linux-ir.sh..69

Evidence Integrity..70

  • Cryptographic Hashes..71
  • md5sum..72

md5sum

  • md5deep..75
./md5deep -r / | ./nc 192.168.2.2 31337 -w 3
  • National Software Reference Library..76

Forensic Imaging..77

  • Gathering the Evidence..78
  • Bit Image Creation (Overview)..79
  • No Standard!..80
  • Imaging Conditions..81
  • Logical or Physical Backups..82
  • Normal Backup Software..83
  • dd..84

dd if=INFILE of=OUTFILE

    bs= block size
    count=N
    skip=N
    conv=noerror,sync
  • dcfldd..86

dcfldd if=INFILE of=OUTFILE

    hashwindow=0 (hash the entire image)
    hashlog=drive.md5.txt
  • Host Protected Area (HPA)..87
  • HPA Detection..88

Host Protected Area

disk_stat /dev/hdb
  • HPA Removal..89

removal (temporary)

disk_reset /dev/hdb
  • Starting Netcat for Imaging..90
  • Imaging the Compromised Machine..91

Before imaging nc these commands

mount
fdisk -l

On Forensics workstation:

cd /images/unixforensics
nc -l -p 31337 > vmware_dev_sda.img
md5sum vmware_dev_sda.img

On hacked machine:

mount /dev/cdrom /mnt/cdrom
cd /mnt/cdrom/Static_Binaries/linux_x86
fdisk -l
mount
./dcfldd if=/dev/sda hashwindow=0 | ./nc 192.168.2.2 31337
  • How do I extract logical partitions from the physical image? mmls..92
  • mmls Output
  • Extracting Partitions..94
  • mmls Output from your Image..95
  • Extracting Partitions..96

mmls disk1.dd

if mmls cannot determine the type, try:

mmls -t dos disk1.dd
dd if=disk1.dd bs=512 skip=62 count=1028097 of=part1.dd

the first logical partition inside the extended partition is numbered 5, and numbering continues from there.

do not normally extract extended partitions; they are just boundaries.

the first 512 bytes contain the MBR. At byte 446 is the start of the partition table. Each entry is 16 bytes long. The last 8 bytes are the useful ones: the last four are the length of the partition (in sectors) and the four before that are the offset (starting sector). Don't forget to add 63 for the partition boundary(?).
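As an added example (not part of the course notes), this Python script parses a constructed 512-byte MBR along the lines described above and in the file-system layer notes: it checks the 55aa signature, reads the four 16-byte entries at byte 446, pulls the starting sector and sector count from the last eight bytes of each, and prints the dd line that would extract each partition from a whole-disk image. The sample sector (first partition at LBA 63, the usual first-partition boundary), its LBA values and the output filenames are constructed.

```python
"""Parse a DOS/MBR partition table as the notes describe it.

Added example (not from the course material). The 512-byte sector is
constructed inline, with two primary entries and one extended entry.
Offsets follow the notes: table at byte 446, four 16-byte entries, LBA
start and sector count in the last eight bytes of each entry, 55AA at
the end of the sector.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"

# A few partition type codes (the type byte of each entry).
TYPES = {0x05: "extended", 0x0f: "extended (LBA)", 0x07: "ntfs/hpfs",
         0x82: "linux swap", 0x83: "linux"}


def build_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte entry. The CHS fields are zeroed: the notes rely
    on the LBA fields only, which are the last eight bytes."""
    flag = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def build_mbr(entries):
    """Constructed MBR: 446 bytes of (fake) boot code, the table, 55AA."""
    table = b"".join(entries) + b"\0" * ENTRY_SIZE * (4 - len(entries))
    return b"\xeb\xfe" + b"\x90" * (TABLE_OFFSET - 2) + table + SIGNATURE


def parse_mbr(sector):
    """Return one dict per non-empty entry. Raises ValueError when the
    sector is not 512 bytes or does not end in the 55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[-2:] != SIGNATURE:
        raise ValueError("missing 55AA signature: not a valid MBR")
    parts = []
    for n in range(4):
        off = TABLE_OFFSET + n * ENTRY_SIZE
        flag, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        parts.append({
            "slot": n + 1,
            "bootable": flag == 0x80,
            "type": TYPES.get(ptype, "0x%02x" % ptype),
            "extended": ptype in (0x05, 0x0f),
            "lba_start": lba_start,
            "sectors": sectors,
            # Byte offset into a physical image, as mmls would list it.
            "byte_offset": lba_start * SECTOR,
            # dd arguments to carve this slice out of the whole-disk image
            # (disk.dd / partN.dd are constructed names).
            "dd": "dd if=disk.dd bs=512 skip=%d count=%d of=part%d.dd"
                  % (lba_start, sectors, n + 1),
        })
    return parts


# Constructed sample: /boot at sector 63, root, then an extended container.
SAMPLE_MBR = build_mbr([
    build_entry(True, 0x83, 63, 208782),
    build_entry(False, 0x83, 208845, 1028097),
    build_entry(False, 0x05, 1236942, 2000000),
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p["slot"], p["type"], p["lba_start"], p["sectors"], p["dd"])
```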

  • What do I do with the “image”?..97
  • mount 98
  • Bit Image Review..101
  • Disk Imaging: Hands-On..102
  • Mount Images for Analysis..103

mount root then mount the other partitions in there.

mount -t ext2 -o ro,loop,noexec vmware_dev_sda6.img /mnt/hack/unixforenseics_mount
mount -t ext2 -o ro,loop,noexec vmware_dev_sda1.img /mnt/hack/unixforenseics_mount/boot

Day 3

Grab - GUI Imaging Interface..104

  • Adepto/Grab..105

Linux Media Analysis..108

  • Linux Media Analysis Using Open Source Toolkits..109

Critical Tool Overview..110

  • Critical Tools Overview - Hex Editors..111
  • KHexedit and WinHex..112
  • Critical Tools Overview - file..114

Identifies a file's type by matching it against a configuration file called the magic file (its location differs across systems).

/usr/share/directory/magic

Usage:

file <filename>


/usr/share/backgrounds/images/earthfromspace.jpg
/usr/share/backgrounds/images/stonebird.jpg

Each has the same starting byte string.

Thought process number 1.

Look for header then look for footer. All in between is the image.

Side note: vulnerability in Microsoft's JPEG rendering, a heap overflow in the comment string. The code always subtracted 2 from the length field to find the comment field, so a length value of less than 2 wrapped to a really large number for a signed integer.
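Added example, not from the course material: header-then-footer carving of JPEGs from a constructed blob of unallocated data ("thought process number 1" above), followed by a segment walk that rejects a comment segment whose length field is below 2 instead of subtracting 2 from it, the check the side note describes as missing. Both embedded JPEGs and the filler around them are constructed.

```python
"""Header/footer carving of JPEGs plus a guarded segment walk.

Added example, not course material; the blob and both JPEGs are constructed.
"""
import struct

SOI = b"\xff\xd8\xff"  # start of image: the common leading bytes of every JPEG
EOI = b"\xff\xd9"      # end of image footer


def carve_jpegs(blob):
    """Find a header, then the next footer, and take everything between.
    Returns (offset, data) pairs; a header with no footer after it is
    left alone."""
    found, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        end = blob.find(EOI, start + len(SOI))
        if end < 0:
            break
        found.append((start, blob[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found


def walk_segments(jpeg):
    """List (marker, payload_length) for the marker segments up to the scan
    data. Every length field includes its own two bytes, so a value below
    2 is malformed: it is rejected here rather than having 2 subtracted
    from it, which is the underflow the side note describes."""
    segs, pos = [], 2  # skip FFD8
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:           # footer reached
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if length < 2:
            raise ValueError("segment FF%02X at offset %d has length %d < 2"
                             % (marker, pos, length))
        segs.append((marker, length - 2))
        if marker == 0xDA:           # start of scan: entropy-coded data follows
            break
        pos += 2 + length
    return segs


def _segment(marker, payload):
    """Build a well-formed marker segment (constructed test data helper)."""
    return (b"\xff" + bytes([marker])
            + struct.pack(">H", len(payload) + 2) + payload)


_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD_JPEG = b"\xff\xd8" + _APP0 + _segment(0xFE, b"constructed sample") + EOI
# Same layout, but the COM (FFFE) length field is forged to 1.
BAD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x01" + b"constructed sample" + EOI
# Constructed "unallocated space": zero fill, a good image, filler, a bad one.
BLOB = b"\x00" * 4096 + GOOD_JPEG + b"\xab" * 1000 + BAD_JPEG + b"\x00" * 100

if __name__ == "__main__":
    for off, data in carve_jpegs(BLOB):
        try:
            print(off, len(data), walk_segments(data))
        except ValueError as err:
            print(off, len(data), "rejected:", err)
```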

  • Critical Tools Overview - strings..116

displays runs of 4 or more ASCII characters. To list the byte offset of each string on the image:

strings --radix=d

byteoffset–>block number–>inodenumber–>metadata–>Filename

byteoffset/block size=block number

file size and name stored in metadata

datalayer comprised of data blocks

  1. Identify the block the string sits in.
  2. Find inode number with that block.
  3. Then find filename.
  • Critical Tools Overview - srch_strings..118
  • Critical Tools Overview - grep..119
  • strings Example..122

Linux Media Analysis: The Sleuth Kit..123

  • The Sleuth Kit Programs..126

File System Layer..133

  • fsstat..134

fsstat dev_sda6.img | less

  • fsstat - FAT Image..135
  • fsstat - NTFS Image..138
  • fsstat Examples

Data Layer

  • dstat..142

dstat gives Allocated or Unallocated for a data unit

dstat dev_sda6.img 368055
  • dcat..143

dcat displays contents of a data unit

dcat dev_sda6.img 368055 |less

for hex display:

dcat -h dev_sda6.img 368055 |less
  • dls..145

lists contents of unallocated data (by default)

  1. -e show all blocks
  2. -l list details
  3. -s show slack space (no slack in Linux)

extract all unallocated data:

dls dev_sda6.img > dev_sda6.dls

extract between 8000 and 9000:

dls -el dev_sda6.img 8000-9000
  • Extracting Slack Space..148
  • dcalc..149

since the blocks in the dls output are no longer in their original sequence (the allocated blocks have been removed), use dcalc to cross back to the original block number

dcalc dev_sda6.img -u 233429

gives:

368055
  • lazarus..150

takes every single data block and runs file against it.

  • foremost..156

carves out files based on file headers and sorts them by type

mkdir /images/unixforensics/foremost_gzip (need to create a directory where the output will go)
foremost -o /images/unixforensics/foremost_gzip -c /usr/local/src/foremost.conf dev_sda6.dls

may need to remove the 13th data block (the indirect block). In the example, open in khexedit and go to position blocksize(4096)*12; delete blocksize(4096) bytes of data.

in audit.txt, the gzip file is listed at byte offset 98304

98304/4096=24 (block number in unallocated dls file)
dcalc dev_sda6.img -u 24
8171  (block number)
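Added example (not from the course material) modelling the chain from the strings notes above (byte offset to block number to inode to filename) with constructed data: byte offset divided by block size gives the block; for a hit inside a dls extract the dcalc -u rule applies (the Nth block of the extract is the Nth unallocated block of the image); then block to inode and inode to filename as ifind and ffind do. The block size, allocation bitmap, inode table and directory entries are constructed, and the deleted-file case comes back with no filename.

```python
"""Follow a strings hit back to a filename: byte offset -> block number
-> (for a dls extract) original block via the dcalc rule -> inode -> name.

Added example, not course material. The file system below is constructed
to stand in for fsstat, dcalc, ifind and ffind against a real image.
"""
BLOCK_SIZE = 4096

# Constructed allocation state for a tiny file system: True = allocated.
BITMAP = [True, True, False, True, False, False, True, False, True, True,
          False, True]
# Constructed inode table: inode -> blocks it points to. A deleted inode
# can still carry pointers to blocks that are now unallocated.
INODES = {12: [0, 1], 13: [3], 14: [2, 4, 5], 15: [6], 16: [10]}
# Constructed directory entries: filename -> inode. Deleted entries are
# gone, so a block can lead to an inode that no longer has a name.
DIRECTORY = {"/etc/passwd": 12, "/home/jack/lk.tgz": 13,
             "/usr/sbin/mkxfs": 15}


def offset_to_block(byte_offset, block_size=BLOCK_SIZE):
    """byteoffset / blocksize = block number (integer division)."""
    return byte_offset // block_size


def dcalc_unalloc(dls_block, bitmap):
    """What dcalc -u does: the Nth block of a dls extract is the Nth
    unallocated block of the original image, in image order."""
    unallocated = [i for i, allocated in enumerate(bitmap) if not allocated]
    if dls_block >= len(unallocated):
        raise IndexError("dls block %d lies beyond the extract" % dls_block)
    return unallocated[dls_block]


def ifind_block(block, inodes):
    """What ifind -d does: the inode whose pointers include this block,
    or None when no inode (live or deleted) still points at it."""
    for inode, blocks in inodes.items():
        if block in blocks:
            return inode
    return None


def ffind_inode(inode, directory):
    """What ffind does: a filename pointing at this inode, or None when
    the directory entry is gone (the file was deleted)."""
    for name, ino in directory.items():
        if ino == inode:
            return name
    return None


def trace_hit(byte_offset, from_dls, bitmap=BITMAP, inodes=INODES,
              directory=DIRECTORY):
    """Run the whole chain for one strings --radix=d hit."""
    block = offset_to_block(byte_offset)
    if from_dls:
        block = dcalc_unalloc(block, bitmap)
    inode = ifind_block(block, inodes)
    name = ffind_inode(inode, directory) if inode is not None else None
    return {"block": block, "inode": inode, "filename": name}


if __name__ == "__main__":
    print(trace_hit(8292, from_dls=True))    # hit inside a dls extract
    print(trace_hit(25000, from_dls=False))  # hit directly on the image
    print(trace_hit(12288, from_dls=True))   # block no inode points at
```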
  • Add the .gz File Type to foremost..160
  • Data Layer Review..163

Metadata Layer..164

  • ifind..165

give ifind the block and it will return an inode number that is/was associated with it.

ifind dev_sda6.img -d 8171
2880
  • istat..167

displays metadata information about an inode

istat dev_sda6.img 2880
  • istat - FAT Image Example..169
  • istat - NTFS Image Example..170
  • Inode lister: ils..173
  • ils Audit: Hands-On..175
  • ils Post Mortem: Hands-On..176

list inode information

ils dev_sda6.img |grep 2880
  • icat..177

copies files by inode number

icat -r dev_sda6.img
icat -r dev_sda6.img 2880 > /images/unixforensics/lk.tgz
  • Metadata Layer Review..180

Filename Layer..181

  • fls..182

takes inode of directory and displays filenames in directory.

fls dev_sda6.img
fls -l dev_sda6.img
fls dev_sda6.img 174593
  • ffind..187
  • Filename Layer Review..189

SleuthKit Exercises..190

  • Journal Layer..193
  • jls..196
  • jcat..198

Advanced Timelines Deleted Files and Unallocated Metadata..200

like mac-robber, the following will create the timeline information

  • Data File: fls -m [timeline information]..201
  1. -m gives the mount point to prepend to the output
  2. -r says recurse directories

fls -m / -r dev_sda6.img > /images/unixforensics/dev_sda6.fls

or on a live system:

fls -m / -r /dev/sda6 | less
  • Data File: ils -m [timeline information]..203

extracts data on deleted inodes, but without the missing filename information

ils -m dev_sda6.img > /images/unixforensics/dev_sda6.ils
  • Data File Conclusion..205

integrate them with cat

cat dev_sda6.?ls > dev_sda6.mac

the question mark matches any single character

  • mactime Examples mactime -b..206

make the data human readable

mactime -b dev_sda6.mac > timeline_sda6.all
-d for comma delimited
  • Timeline reading ..207
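Added example (not from the course material): a minimal mactime -b in Python that turns body-file lines from mac-robber, fls -m or ils -m into a timeline with m/a/c/b flags, plus a check for the Day 2 pattern where only the c time of a binary moved. It assumes the TSK 3.x body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds); the four body lines are constructed.

```python
"""Minimal mactime -b: body-file lines -> timeline -> c-time-only check.

Added example, not course material. Assumes the TSK 3.x body format
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds).
"""
from collections import defaultdict
import time

# Constructed body lines standing in for mac-robber / fls -m output.
# ps and netstat have a new ctime but an old mtime; .drag-on is a new file.
BODY = """\
0|/bin/ls|1201|-rwxr-xr-x|0|0|92312|1100000000|1000000000|1000000000|0
0|/bin/ps|1202|-rwxr-xr-x|0|0|68020|1100000000|1000000000|1100000300|0
0|/bin/netstat|1203|-rwxr-xr-x|0|0|104532|1100000000|1000000000|1100000300|0
0|/dev/ida/.drag-on|31337|-rw-r--r--|0|0|2048|1100000310|1100000310|1100000310|0
"""


def parse_body(text):
    """One dict per body line; blank and '#' comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("expected 11 pipe-separated fields: %r" % line)
        rows.append({"name": f[1], "inode": int(f[2]), "mode": f[3],
                     "size": int(f[6]), "a": int(f[7]), "m": int(f[8]),
                     "c": int(f[9]), "b": int(f[10])})
    return rows


def timeline(rows):
    """mactime-style events (epoch, flags, size, mode, inode, name) sorted by
    time then name. flags is 'macb' with '.' where that time differs;
    zero timestamps are dropped, as mactime does."""
    hits = defaultdict(lambda: defaultdict(set))  # epoch -> name -> letters
    by_name = {r["name"]: r for r in rows}
    for r in rows:
        for key in "macb":
            if r[key]:
                hits[r[key]][r["name"]].add(key)
    out = []
    for t in sorted(hits):
        for name in sorted(hits[t]):
            flags = "".join(k if k in hits[t][name] else "." for k in "macb")
            r = by_name[name]
            out.append((t, flags, r["size"], r["mode"], r["inode"], name))
    return out


def ctime_only_changes(rows, lo, hi):
    """Names whose ctime falls in [lo, hi] while mtime does not: the inode
    was rewritten without the data being modified through normal means,
    the pattern the Day 2 notes use to spot replaced binaries."""
    return [r["name"] for r in rows
            if lo <= r["c"] <= hi and not lo <= r["m"] <= hi]


def render(events):
    """Human-readable lines in the spirit of mactime's default output."""
    return ["%s %8d %s %s %6d %s" % (
        time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), size, flags,
        mode, inode, name) for t, flags, size, mode, inode, name in events]


if __name__ == "__main__":
    rows = parse_body(BODY)
    print("\n".join(render(timeline(rows))))
    print("c-time only:", ctime_only_changes(rows, 1100000000, 1100001000))
```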

File Content Type..211

  • file..212
  • sorter..213

uses file to categorize everything on the system, including deleted files, and puts them in directories by type.

  • Thumbnails Viewing..217
  • Hash Databases..218
    • hfind: Overview..219

Indexes and searches the database

hfind -i md5sum linux_hash.txt
hfind linux_hash.txt <md5 hash>
    • sorter and hashes..220

hash all files

md5deep -r / > /mnt/LinuxFC3.txt

Use database to exclude known good files with sorter:

sorter -d sorter_dir -x LinuxFC3.txt hda1.dd

Autopsy Forensic Browser..221

  • Adding a Host..226
  • Adding an Image..228
  • Beginning the Analysis..232
  • Live Autopsy Analysis..263
  • Autopsy Step-By-Step..268

Review..270

Forensic Investigation Methodology..271


Day 4

Windows File System Forensics..1

  • Windows Forensic Myths..2
  • Today's Agenda..3
  • Forensic Investigation Methodology..4

Windows Compromise: Forensic Verification- network capture..5

  • Background of Attack - Windows 2000 - SMB and HTTP based with multiple files transferred..6

# smb ports are 139,445

  • Ethereal - Hands-on..7
  • Scanning Users and Group..8
  • Initial System Access..9

In middle pane, filter on SMB Header, SMB Command: NT Create AndX (0xa2) will show filenames

  • Follow TCP Stream..10

This will include a bunch of junk.

  • Stripping the File..11

Just save as RAW and edit in a hex editor, searching for the file header listed in the file data section of Wireshark (in this example 4d5a9000), then copy out the number of bytes specified in the 'Write AndX Request' packet.

  • Stripping the Header..12
  • Stripping the footer..13
  • Network Capture..14
  • HTTP POST..15
  • Network Forensics - Hands-On..16
  • Network Capture Conclusion..17

Windows Incident Response..18

  • Objectives..19
    • Incident Response Enumeration
      1. system Enumeration
      2. Process Enumeration
      3. Network Connection and Open Ports
      4. File Enumeration
  • The First Command..20
  • Run-As Administrator..21
  • cmd.exe..22
  • Remote Command Shells..24

Use an existing share, or add a share of the CD-ROM using system-config-samba so the binaries will be available; then restart smb.

  • psexec Usage..25

On stand-alone machines with XP SP2, the firewall will block port 445. As part of a domain, it should be open.

  • Netcat for Windows..26
  • First Data Collected..27

Date, Time, Uptime

  • First Commands Example..28

Use the code in d:\IR\Cygwin on the Helix CDRom

date
time
uptime
hostname
uname -a
id
whoami
  • System Environment..29

d:\IR\sysinternals\psinfo.exe

psinfo
  • psinfo..30

Determine system environment.

Install date can be a clue that someone has tampered with a system.

  • pslist..31

Determine system running processes

d:\IR\sysinternals\pslist.exe

pslist
  • Gather Network Information..33

gather open ports and sockets. Determine which apps are listening for network connections.

  • fport..34

Shows current listening ports

d:\IR\Foundstone\fport.exe

fport
  • Windows Forensic Toolchest (WFT)..36
  • Benefits of WFT..37
  • Example WFT Reports..38
  • WFT ConfigurationFile..39
  • WFT Usage..40
  • WFT Macro Substitutions..41
  • How to Use WFT in Practice..42
  • WFT In Action..43
  • WFT Example..44
  • Helix WFT..47
  • WFT-Hands On..48
  • Remote WFT Using psexec..49
  • Password IR Tools..50

http://www.spectorsoft.com/ sells a rootkit-like monitoring product that is not hacker related: it grabs screenshots, logs e-mail and keystrokes, all kinds of stuff, for $100.

Automatically record everything they do on the internet.

  • Helix Image Search..53
  • Putting it all together..54

Windows Media Imaging..55

  • Objectives..56
  • dd.exe for Windows..57

for win2k, xp, 2003

d:\IR\FAU\dd.exe
  • dd.exe as a Backup Tool..58
  • Basic dd.exe Operation..59
  • dd.exe Physical Drives..60

\\.\PhysicalDrive1

If doing physical drives, it is still better to use Linux.

  • dd.exe Logical Drives..61

\\.\C:

  • dd.exe Translations..62

^Name^Windows^Linux^
|Physical|\\.\PhysicalDrive0|/dev/hda or /dev/sda|
|Logical|\\.\C: or \\?\Volume{cc5deda7-d558-11d5-9226-806d6172696f}|/dev/hda1 or /dev/sda1|
  • dd.exe Physical Drive Example..63

D:\> dd.exe if=\\.\PhysicalDrive0 of=E:\drive0.img

  • dd.exe Logical Drive Example..64

D:\> dd.exe if=\\.\C: of=E:\images\Cdrive.img

Use logical imaging for RAIDs.

  • Physical Memory..65

D:\> dd.exe if=\\.\PhysicalMemory of=D:\images\mem.img conv=noerror

An EOF error is normal.

  • Looking at memory..67
  • memparser..68

memparser <image of memory>

  • Memory Artifacts..69
  • MD5 Integrity Checks..70
  • MD5 C Drive Example..72

D:\> dd.exe if=\\.\C: of=D:\CDrive.img --md5sum --verifymd5 --md5out=D:\CDrive.md5

  • Network Shares..74

of=\\server\share\output.img writes the image to a network share. Imaging memory and the C: drive over a network share:

  D:\> dd.exe if=\\.\PhysicalMemory of=\\Linuxforensics\images\windowsforensics\mem.img --md5sum --verifymd5 --md5out=\\Linuxforensics\images\windowsforensics\mem.img.md5 conv=noerror
  D:\> dd.exe if=\\.\C: of=\\Linuxforensics\images\windowsforensics\CDRIVE.img --md5sum --verifymd5 --md5out=\\Linuxforensics\images\windowsforensics\CDrive.img.md5
  • Step-by-Step Imaging..77
    1. Obtain Physical Memory
    2. Obtain Volume Information
    3. Image Drives (Logical or Physical).
    4. Image Removable Media
  • Windows Imaging - Hands On..78
  • Helix Acquisition..80
  • Helix FTK Imager..81
  • Remote Imaging using psexec..82
  • Objectives..83

Windows Forensics Using Linux..84

  • Why Linux?..85
  • Mounting Images..86
  • Mounting NTFS Example..87

mount -t ntfs -o loop,ro,umask=0222,uid=forensic,gid=users /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount

  • Mounting NTFS Example System Files Shown..88

mount -t ntfs -o umask=0222,loop,uid=forensic,gid=users,show_sys_files=true /images/windowsforensics/hacked_ntfs.img /mnt/hack/windows_mount/

(shows the $-prefixed NTFS system files)

  • Mounting Remote Drives..89
  mount -t smbfs -o ro,noexec,username=administrator //Winforensics/C$ /mnt/windows_forensic_server
  • Virtual Hardware Write Blocker..90
  1. Share C on compromised machine
  2. mount C through Linux SMBFS in READ-ONLY mode
  3. Share out the directory from Linux using Samba
  4. Any machine can now examine the compromised machine without changing any of the files
  • Examples from Previous Slide..91
  • Anti-Virus Scanner..92
  • Extracting Unallocated and Slack Space..93

use dls on the linux machine on the image.

dls -f ntfs hacked_ntfs.img -s > ntfs.slack

lazarus, foremost, dirty word search

slack space is tough to get a case from.

  • Linux Windows Forensics..94

Windows Media Analysis..95

  • Objectives..96
  • E-Mail Forensics..97
  • E-Mail Headers..98
  • Forged SMTP Transaction..100
  • Resultant E-mail Headers..101
  • Word Forensics..102
  • Looking at Metadata in Hex-Editor..104
  • Using Sysinternal's strings to Examine Word Documents..105
  • Internet History..106

to examine index.dat file on linux

pasco 
  • Recycle Bin..107

A subfolder named with the user's SID is created, and the deleted files are placed there. Files in the Recycle Bin are not stored under their normal names, but their time and date stamps remain. The INFO or INFO2 file keeps a map of each file's original filename and location.

  • Linux “Recycle Bin” Examination..111

rifiuti can examine an INFO2 file

rifiuti INFO2
  • sid2user..112
  • What if INFO2 was Deleted..113
  • INFO2 Hexedit..114
  • System Registry..115
  • Registry..116
  • Search History..117

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU

  • Typed URLs..118

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

  • Last Commands Executed..119

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • Last Files Saved..120
  HKEY_USERS\S-1-5-21-1801674531-1563985344-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
  • Registry Key Last Write Time..121

a tool to read last time a key was written

keytime <full key path> (case sensitive)
  • Objectives..122

Windows Challenge..123

  • Challenge Hints..124
  • Forensic Investigation Methodology..125
  • Windows Programs..126

Day 5

Computer Investigative Law for Forensic Analysts..1

Topics Overview

Who Can Investigate:

  • Internal General..3
    • Commonly done in house.
    • First Responders Often play key role.
    • May have to block attack, but consider options and include others who have a say.
  • Internal Incident Response Policy..4
    • provide guidance when faced with attacks
  • Internal First Responders..5
    • First responder Panic can be a big problem
      • May result in lost evidence
      • May tip off the culprit
      • Response policy can help prevent missteps
  • Internal Initial Prognosis..6
    • Initial estimate
      • Is it an attack at all?
        • What systems were affected?
        • How were they affected?
      • Look at Logging
        • Sources affected/
        • servers to or from data was sent?
        • Other downstream or upstream victims?
  • Internal Ongoing Damage..7
    • May need to take steps to stop damage
    • If a surreptitious attack (e.g., intrusion), consult with others before taking steps that may alert the intruder to discovery.
    • Do not “Hack Back”
  • Internal Report to others..8
    • Reporting to appropriate people
      • look to POC list
      • Inside and outside company
      • Call law enforcement if suspected criminal activity involved
    • Need-to-know policy if insider
    • consider reporting to other victims/vendors
  • Internal Report to others..9
    • Use protected channels of communication
    • Watch for social engineering attempts
  • Internal Investigative Notes..10
    • Keep Great notes
    • Keep Notes (and logs) secure
    • Keep records that will quantify the damage
      • Investigate the nature of the incident and its source;
      • Identify vulnerability where accessed, altered or otherwise damaged;
      • Determine whether and to what extent data, programs, systems or information were accessed, altered or otherwise damaged;
      • Recreate deleted or modified data, programs and files;
      • Reload and reconfigure damaged software;
      • Patch the system to prevent similar attacks;
      • Re-secure the data, program, system and information and protect from further damage.
  • Outsource General..12
    • Investigations by third parties are not unusual;
    • Same general rules of thumb apply to outsourcers as to internal investigators
    • In some jurisdictions, there may be a licensing requirement
  • Outsource Special Considerations..13
    • There are some special considerations
    • The scope of what the client has authorized the outsourcer to do should be clear
      • What is permitted
      • What is forbidden
      • What to do if it is unclear
    • Participation by client, and reporting to client
    • Outsourcer's duties of fidelity and confidentiality to the client also should be clear
    • Indemnity issues; what if the outsourcer violates the rights of another; is the client liable?
  • Government Calling Law Enforcement..14
    • Once an incident looks like criminal activity, consider calling law enforcement
    • Situations that suggest illegal activity
    • Pros and cons
    • Timing (call before internal investigation, after, during?)
    • How to make the call
  • Government Criminal Conduct..15
    • What is criminal?
      • Network Crimes (Computer Fraud and Abuse Act)
      • Wiretapping and Snooping (Wiretap Act; Electronic Communications Privacy Act)
      • Software Piracy
      • Using Network to commit traditional crimes
    • Network Crimes: The Federal Computer Fraud and Abuse Act (Pt 1)..16
      • Criminalizes inflicting certain types of damage to a protected computer
      • A “Protected Computer” means a computer
        • used by the federal government or
        • used by a financial institution, or
        • one that affects interstate or foreign commerce or communication of the United States (can be outside the U.S.).
    • “Damage” is defined as any impairment to the integrity or availability of data, a program, a system or information, causing..17
      • $5,000 loss in 1-year period (government may aggregate certain losses), or
      • Impairment of medical records, or
      • Physical injury to a person, or
      • Threat to public health or safety or
      • Damage affecting a government system used for justice, national defense or national security.
    • Any reasonable cost to a victim counts as “loss” toward the $5,000 threshold, including:..18
      • costs of
        • responding to an offense,
        • conducting a damage assessment
        • restoring the data, program, system, or other information to its condition prior to the attack, and
      • Lost revenue, and
      • Any cost or consequential damage from service interruption
    • Law enforcement can aggregate losses among multiple computer and victims to reach threshold if losses resulted from a related course of conduct.
    • Intentional Conduct
      • knowingly transmitting a “program, information, code, or command”
      • resulting in “damage” (without authorization) to a “protected computer”
    • Applies to insiders (e.g., employees) or outsiders (e.g., hackers)
    • Applies even w/o “access” (e.g., virus, DoS)
    • Reckless Conduct..20
      • Intentionally accessing a protected computer without authorization and
      • Recklessly causing damage [even accidentally]
      • Applies only to outsiders (no authority to access).
    • Access to the victim computer required.
    • Conduct Neither Intentional Nor Reckless..21
      • accessing a protected computer without authorization and causing damage
    • Applies even if no intent to damage
    • Applies only to outsiders (no authority to access).
    • Access to the victim computer required.
^Crimes of Damage^Outsider (Hacker or Trespasser)^Insider (Some Authority)^
|Intentional Damage|Felony|Felony|
|Reckless Damage|Felony|No Crime|
|Other Damage|Misdemeanor|No Crime|
  • Network Crimes: The Federal Computer Fraud & Abuse Act (pt 2)..23
    • Criminalizes certain privacy intrusions, too
      • Prohibits intentionally accessing a computer without or in excess of authorization and
      • Thereby obtain information:
        • In a financial record or credit report
        • From a federal agency or
        • From a protected computer (if conduct involved an interstate communication)
  • Network Crimes: The Federal Computer Fraud & Abuse Act (Pt 3)
    • Criminalizes improper access to restricted government information too.
    • Criminalizes trespass on a government system.
  • Network Crimes: The Federal Computer Fraud & Abuse Act (Pt 3)
    • Other provisions prohibit:
      • Accessing a protected computer with intent to defraud and thereby furthering the fraud and obtaining something of value
      • Trafficking in information through which a computer can be accessed (e.g., passwords) without authorization
      • Threatening by interstate communication to damage a protected computer with the intent to extort money or anything of value.
    • Attempts are illegal, too.
  • Network Crimes:..26
    • The Federal Wiretap Act [cat 5 cable]
      • The wiretap act covers the illegal interception in real time of voice and electronic communications as they traverse networks
    • The Electronic Communications Privacy Act [stored data, disk, memory, wiretap logs]
      • The Electronic Communications Privacy Act covers the illegal access to certain stored voice and electronic communications
  • Child Porn..27
  • Intellectual Property
    • Criminal copyright
    • Criminal trademark
    • criminal trade secrets
    • Digital Millennium Copyright Act
  • Cyberstalking, threats and harassment
  • Identity Theft
  • Fraud, Drug dealing, other, etc.
  • Government Common Cyber-Defenses..28 (Rob Lee Skipped to p.54)
  • Attribution is often the key
    • Trojan Horse/hacker
    • Virus/Worm
    • Other malware
  • Circumstances Can Add Light
  • Good Forensics can help confirm or debunk
  • Government International Aspects..30
  • Cases frequently involve several nation states
  • Multiple countries may be host to:
    • tools
    • Contraband
    • Evidence
    • Other Victims
    • Culprit
  • Goals..31
    • “No safe havens”
    • Harmonious substantive laws against computer crime
  • Procedures for domestic and international investigation
  • Faster mutual legal assistance
  • Trained and equipped personnel
  • Extradite or prosecute criminals
  • Mutual Legal Assistance requests ..32
    • Through central authority
    • Relatively fast
    • Available at investigative stage
    • based on treaty
  • Letters Rogatory
    • Slower
    • No obligation to assist
    • issued by courts
  • Assistance through US LE liaisons- FBI legal attaches, Secret Service Resident Agents..33
  • Informal law enforcement assistance
  • The G-8's 24/7 Point-of-contact network
    • Developed for use in cases involving electronic evidence
    • Have expanded outside the G-8
    • Supports preservation of evidence
  • Council of Europe..34,35
    • Cybercrime Convention
    • Recommendation 95(13)
  • G-8; High Tech Crime Subgroup of the Lyon Group..34,35
    • 24/7 Point of Contact
    • Multilateral Conferences
  • Asia-Pacific Economic Cooperation
  • Organization for Economic Cooperation and Development
  • Organization of American States
  • Interpol
  • United Nations
  • Government Pros and Cons..36
  • Statistics suggest victim reporting is uncommon (around 20% of victims report)
  • Required Notification..45
  • Some states [California being the first] have adopted notification requirements
    • Typically apply where personal information is compromised.
    • Most require notification to customers, but not to law enforcement
  • Congress shown interest in same
  • Government Who to Call..46
  • Plan (and meet) in advance..47
  • Government What is Expected from Victim?..49
  • What law enforcement needs:
    • Access to staff who can explain in technical detail what happened and what evidence exists
    • Initial interviews will typically take from 2 to 4 hours
    • Access to evidence such as log files and hard drives
    • possibility of testimony (grand jury, court)
  • What law enforcement doesn't need:..50
    • To seize victim computers. You will not be shut down.
    • To disrupt business in order to conduct our investigation.
  • Proactive Measures
    • Designate a point of contact who is responsible for interacting with law enforcement
    • Stay alert to the possibility of being deemed an “agent of the government”

Acquiring Data:

  • The Goals..52
    • Find Relevant data
      • inculpatory - [finding blame]
      • exculpatory - [clearing guilt]
  • Finding the Relevant..53
    • General Rule: More is better
      • Imaging is gold standard
        • not always practical or necessary
      • look for backup media
      • place on clean, preferably unalterable media and keep chain of custody intact.
  • Authority Generally..54
    • Authority is often the key to legality
    • Well documented permissions helpful
      • Internal investigator: Incident response policy, job description, or other documentation
      • Outside contractor: Contracts and work orders
      • Law Enforcement: Often in the form of search warrant or other legal process
    • Be careful of restrictions on Authority
    • Proper Authority is Important
      • Sanctions can be serious
  • Acquiring Stored Data: Stand-Alone Devices..57
    • Before seizing, duplicating or analyzing a storage device, identify the source of your authority
      • Consent of or abandonment by owner
      • Contract with someone with authority
      • Terms of service with subscriber or user
      • Search Warrant (or other legal process)
  • Network Storage and Real-Time..58
    • Acquiring stored data from a network
      • Reviewing stored content or
      • logfiles on a network server
    • Acquiring data in real-time
      • “Eavesdropping” on traffic (sniffing)
      • content or traffic information
                                    Contents of communications   Headers, logs, and other information
  Access to stored communications   ECPA                         ECPA
  Real-time interception            Wiretap Act                  Pen/Trap statute

Network Devices..60

  • Stored data from networks is often more complicated than stand-alone
  • Statutory rules based on the type of data on the network
  • Electronic communications Privacy Act (ECPA)
  • Others
    • Health Insurance Portability & Accountability Act (HIPAA)
    • Sarbanes-Oxley (SOX)
  • Network Devices and ECPA..61
  • ECPA governs access to and disclosure of stored files
    • provider/customer/government roles
    • Cannot necessarily share stored files with others
    • Three main categories are covered
      • Communications (e.g., e-mail, voicemail, other files)
      • Transactional Data (e.g., Logs reflecting with whom users communicated)
      • Subscriber/Session Information
  • What stored communications records can network operators voluntarily provide to law enforcement?..62
    • Public or private provider?
      • ISP selling access is a public provider
      • A company that provides e-mail & voice mail service to employees is a private provider (VT)
  • A private provider may disclose all without violating ECPA
    • Content
    • Transactional data
    • User information
  • A public provider looks to statutory exceptions before disclosing content or non-content to government..64
  • Public provider may voluntarily disclose the content of communications to government when:
    • Consent to do so exists (e.g., via a banner)
    • Rights and property will be protected.
    • Contents inadvertently obtained & pertain to commission of a crime.
    • The provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
  • Public provider may voluntarily disclose non-content records concerning a customer or subscriber:..65
    • When consent from the subscriber to do so exists (e.g., via a banner or user agreement)
    • To protect provider's rights and property
    • To the government “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”
    • To any person other than a governmental entity
  • Real-Time..67
  • Cannot intercept contents unless an exception applies; it's a wiretap
  • Three Key exceptions:
    • Provider Exception
    • Consent of a Party
    • Computer trespasser Exception
  • Monitoring; Provider Exception..68
  • Allows provider to conduct reasonable monitoring
    • to protect provider's “rights or property” or
    • When done in normal course of employment while engaged in any activity which is a “necessary incident to the rendition of his service”
  • Is a limited exception. Not a criminal investigator's privilege.
  • System administrator can track hackers within their networks in order to prevent further damage.
  • scope not unlimited, need to tailor monitoring to its purpose.
  • Monitoring; Consent Exception..70
  • Interception allowed when user consents “in fact”
  • Banner the Network

Your use of this network constitutes consent to monitoring and disclosure of the fruits of monitoring. You have no reasonable expectation of privacy on this network

  • obtain the written consent of authorized users.
  • Monitoring; Trespasser Exception..71
  • Computer trespasser exception
  • Allows law enforcement to intercept communication to or from “computer trespassers”
  • Even if trespasser is using system as a pass through to other down-stream victims
  • A “computer trespasser” cannot be a person known by the provider to have an existing contractual relationship with the provider for use of the system
  • Conditions:
    • The provider authorizes the interception,
    • The person intercepting is “under color of law”
    • The communications are relevant to an ongoing investigation and
    • No communications other than those sent to or received by the trespasser are intercepted.
  • Provider receives immunity
  • May combine this authority with other exceptions, such as consent.
  • Monitoring; Header Information..73
  • The Pen Registers, Trap and Trace Devices Statute governs real-time monitoring of traffic data (e.g., most e-mail header information, source and destination IP address and port)
    • Pen Register: outgoing connection data
    • Trap and Trace: incoming connection data
  • Does not include content of communication (e.g., e-mail subject line or content of a downloaded file.)
  • For non-content information like packet headers, rules are more flexible
  • Provider exception is broad.
  • Consent of user still allows acquisition
  • Lawful Access Legislation..75
  • “Lawful Access” legislation
    • US (CALEA)
    • UK (RIPA)
    • Germany (Telecom Act among others)
  • Common Scope of requirements
    • Agencies given authority to compel production of data (stored and real-time)
    • Establishment by service provider of permanent intercept capability & capacity
  • Common Permanent Capability Requirements
    • Ability to isolate target subscriber
    • capture in real-time
      • Call content
      • Call associated data / call detail records
    • Without tipping-off the target
    • Target list secure from outsiders and un-cleared insiders
  • CALEA and IP switching
  • HIPAA..77
  • HIPAA Creates Uniform Federal Privacy Standard for Protected Health Information (PHI)
  • Covers
    • Health Plans
    • Health Care Clearinghouses, and
    • Certain Health Care Providers
  • HHS Implemented Security Rule to Protect Electronic PHI
  • Covered entities required to implement safeguards
  • Penalties for violation potentially serious
  • If the data comes from a “covered entity”, make sure you're not in violation
  • SOX..79
  • Sarbanes-Oxley (US Public Company Accounting Reform and Investor Protection Act)
  • Aimed at preventing, detecting and responding to insider fraud
  • Serious sanctions for data destruction to impact government investigation
  • Corporate governance policies, including
    • Incident response
    • Data retention and collection policies
    • internal audits
  • GLB..80
  • Gramm-Leach-Bliley (Financial Services Modernization Act)
  • Aimed at financial institutions
    • This includes a surprising number of organizations
    • Educational institutions are included
  • Focus is protecting personally Identifiable financial information
  • FERPA..81
  • Family Educational Rights and Privacy Act
  • Aimed at Educational Institutions
  • Focus is protecting personally identifiable information about students
  • Other Data Worthy of Mention..82
  • Child Pornography
  • Credit Card Information
  • Social Security Numbers
  • Passwords
  • Warez
  • Attorney Materials
  • Outside Reconnaissance..83
  • Common Network Tools
    • Whois
    • Traceroute
  • Aggressive
    • Hack Back
    • Fire Back
  • Tools
  • Normal Logging (Business Records)
  • Investigative tools
    • No single uniform standard
    • follow your procedures
    • If none exist, do the best you can
  • Courts like audit trails
  • Whatever tool you use, keep notes

Post Collection: Data Preservation..85

  • Chain of Custody
    • Who handled the evidence
    • Goals
      • The evidence is that which was collected
      • the evidence had not been altered
    • Burden on party offering the evidence
    • does not necessarily require all to testify
    • admissibility v. weight
    • Evidence handling form may be useful
    • Secure location..87
    • Storage Procedures
    • Records of process followed

Data Analysis Investigative Report..88

  • Investigator May need to prepare a report
  • Each Organization may have its own format
Report Writing Fundamentals..91
  • Fundamentals of report Writing
    • Clarity
    • accuracy
  • Style and tone
    • Professional
    • no slang
    • No prejudice or bias
    • no unsupported opinions
  • In drafting, consider..90
    • scientific method
    • Audience
    • Legal Utility
  • Fundamentals..91
    • Reflect use of scientific method
    • Sound Methods were employed
    • Results are repeatable and reliable
    • analysis was thorough
    • analysis was unbiased
    • Document your work in such a manner that it can be replicated
  • Audience..92
    • Corporate
      • Management
      • systems administrators
      • peers
    • Law enforcement
      • Prosecutor
      • judge
      • jurors
      • witnesses
    • know what your audience wants and expects to be covered
  • level of detail..93
    • Document your work so your steps are:
      • clear
      • repeatable by others
    • Your audience is probably not technical
      • Relevant tool output / screen shots in the body of a paper
      • the rest in an appendix
  • Legal Aspect..94
    • Report May be needed in court
      • Write in a clear and concise manner
      • Conclusions are supported by valid and previously stated facts
      • Don't say something you can't prove
    • You may need to testify about it

Presentation in Court

  • Basic Rules of Evidence..95
    • Relevance
      • Pertains to an issue in the trial
      • Burden on party seeking admission
    • Authentication
      • The evidence is what it purports to be
      • Testimony, circumstantial evidence
      • Frequently stipulated to
    • Evidence of Tampering..96
      • Easy to make claim of tampering
      • Often only inadmissible if there's an affirmative showing
    • Techniques to show no tampering
      • hash values
      • write blockers
      • chain of custody forms
      • testimony
    • Best Evidence Rule..97
      • “Original” is normally required
      • Accurate printout from computer deemed “original”
    • Summaries and Demonstrations
    • Lay Witness Testimony..98
      • Personal knowledge
      • No special skill required
      • Opinions generally not allowed
    • Expert Witness Testimony..99
      • Special Skill required
      • No personal knowledge required
      • Can state opinions
      • Daubert/Frye Tests
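The chain-of-custody goals under Post Collection (the evidence is that which was collected, and it has not been altered) and the “hash values” entry under Techniques to show no tampering come down to the same routine: hash each acquired image at collection time, record who hashed it and when, and re-hash before analysis and again before court. The Python below is an added example written for these notes; it is not SANS courseware or code from any tool the course covers. It hashes a file in chunks with MD5 and SHA-256 (two algorithms because many custody forms and older tools still record MD5), writes the result into a manifest with the examiner, case ID and UTC time an evidence handling form asks for, and re-verifies later. The image bytes, case ID and examiner name in demo() are constructed placeholders.

```python
"""Added example (not course code): hash manifest for acquired evidence."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, Iterable

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB image is never held in memory


def hash_file(path: str) -> Dict[str, object]:
    """MD5 and SHA-256 of a file in one pass, plus its size."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "size": os.path.getsize(path)}


def make_manifest(paths: Iterable[str], examiner: str, case_id: str) -> dict:
    """The fields an evidence handling form wants: who, what, when, and the hashes."""
    return {
        "case": case_id,
        "examiner": examiner,
        "hashed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "items": {os.path.basename(p): hash_file(p) for p in paths},
    }


def verify(manifest: dict, directory: str) -> Dict[str, str]:
    """Re-hash each item under `directory`; map name -> ok / MODIFIED / MISSING."""
    status = {}
    for name, recorded in manifest["items"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            status[name] = "MISSING"
        elif hash_file(path) == recorded:
            status[name] = "ok"
        else:
            status[name] = "MODIFIED"
    return status


def demo() -> dict:
    """Constructed walk-through: hash a small fake image, flip one byte, re-verify,
    then remove it. Case ID, examiner and image contents are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sda.dd")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"FAKE-MBR" + b"\x55\xaa")  # not a real disk image
        manifest = make_manifest([img], examiner="J. Doe", case_id="CASE-0001")
        before = verify(manifest, d)["sda.dd"]
        with open(img, "r+b") as f:  # simulate a write-blocker failure: one byte changes
            f.seek(100)
            f.write(b"\x01")
        after = verify(manifest, d)["sda.dd"]
        os.remove(img)
        missing = verify(manifest, d)["sda.dd"]
        return {"before": before, "after": after, "missing": missing, "manifest": manifest}


if __name__ == "__main__":
    r = demo()
    print(r["manifest"])
    print("before:", r["before"], "| after one-byte change:", r["after"], "| after removal:", r["missing"])
```

A single changed byte anywhere in the image flips the status from ok to MODIFIED, which is the whole point: the manifest, the hashing tool's version and the write-blocker used are what you put on the custody form and testify to, not a claim that nobody could have touched the drive.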

Day 6

Binary Analysis..2

  • Binary Analysis Outline..3
  • Binary Footprinting..4
  • Analyzing Binaries..5
  • file Analysis..6
  • ldd Analysis..9
  • strings Analysis..11
  • Code Analysis tools..13
  • Unix Code Analysis..14
    • gdb - debugger
    • objdump - Information from Object files
    • readelf - ELF format object files
    • strace - system call tracer
    • ald - Assembly language debugger
  • Windows Code Analysis..15
    • IDAPRO - disassembler
    • SoftICE - debugger
    • REGMON - sysinternals tool to monitor registry access
    • FILEMON - sysinternals tool to monitor file access
  • Windows Binary Analysis..16
  • File Analysis - wrap-up..18
  • Obtaining a Rogue Process..19
  • /proc-tology..20
  • Obtaining a process..22
  • Solaris /proc-tology..23
  • BSD /proc-tology

Process Wiretapping..25

  • strace..28
  • apptrace..33

Malware Dissection..36

  • Malware Analysis..37

x2 is the program

  • Vulnerable SSHD Servers..38
  • Examine Contents..39
  • First Command file..40
  • strings -a..41
  • gdb debugger..42

gdb x2

  • objdump..43

objdump -x x2

  • readelf..44

readelf -a x2
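The three commands above (strings -a, objdump -x, readelf -a), and the file/ldd/readelf entries in the Unix Code Analysis list, all read the same few structures of x2: the ELF header, the program headers and the printable byte runs. The Python below is an added example, not code from the course or from its x2 sample, that does that triage by hand so the fields are visible. It parses the ELF header and program headers (32- and 64-bit, either byte order, which goes beyond the single x86 case in the notes), extracts printable strings over the whole file the way strings -a does (plain strings only scans loaded data sections of an object file), and flags the signs an investigator looks for in a stripped, packed or statically linked binary: no section headers, no PT_INTERP/PT_DYNAMIC (so ldd lists nothing), and a LOAD segment that is both writable and executable. The ELF in build_sample() is constructed for the example and is not a real program.

```python
"""Added example (not course code): readelf/strings-style triage of an ELF file."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "i386", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
P_TYPE = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR"}
PF_X, PF_W = 0x1, 0x2


@dataclass
class ElfSummary:
    bits: int
    endian: str
    e_type: str
    machine: str
    entry: int
    phnum: int
    shnum: int
    # (type, file offset, vaddr, filesz, memsz, flags) per program header
    segments: List[Tuple[str, int, int, int, int, int]] = field(default_factory=list)
    interp: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_elf(data: bytes) -> ElfSummary:
    """Decode the ELF header and program headers and add triage notes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]      # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]      # EI_DATA: little or big endian
    ehdr_fmt = end + ("HHIQQQIHHHHHH" if bits == 64 else "HHIIIIIHHHHHH")  # after e_ident
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(ehdr_fmt, data, 16)
    s = ElfSummary(bits, "little" if end == "<" else "big",
                   E_TYPE.get(e_type, hex(e_type)), E_MACHINE.get(e_machine, hex(e_machine)),
                   e_entry, e_phnum, e_shnum)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if bits == 64:  # Elf64_Phdr: p_flags directly follows p_type
            p_type, p_flags, p_off, p_va, _pa, p_fsz, p_msz, _al = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:           # Elf32_Phdr: p_flags comes after p_memsz
            p_type, p_off, p_va, _pa, p_fsz, p_msz, p_flags, _al = struct.unpack_from(end + "IIIIIIII", data, off)
        s.segments.append((P_TYPE.get(p_type, hex(p_type)), p_off, p_va, p_fsz, p_msz, p_flags))
        if p_type == 3:  # PT_INTERP names the dynamic loader, the first thing ldd reports
            s.interp = data[p_off:p_off + p_fsz].split(b"\0", 1)[0].decode("ascii", "replace")
    # What a stripped, packed or statically linked binary looks like from here
    if s.shnum == 0:
        s.notes.append("no section headers: stripped or packed (readelf -S / objdump -h show nothing)")
    if s.interp is None and not any(t == "DYNAMIC" for t, *_ in s.segments):
        s.notes.append("no PT_INTERP/PT_DYNAMIC: statically linked (ldd lists no libraries)")
    for t, _o, va, _f, _m, fl in s.segments:
        if t == "LOAD" and fl & PF_X and fl & PF_W:
            s.notes.append(f"LOAD segment at {va:#x} is writable and executable (self-unpacking code?)")
    return s


def strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes over the whole file (like strings -a)."""
    out, run = [], bytearray()
    for b in data + b"\0":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def build_sample() -> bytes:
    """Constructed sample: x86-64 little-endian EXEC with one INTERP and one RWX LOAD
    segment and no section headers. Enough bytes to parse, not a runnable program."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    body = b"\x90" * 8 + b"Usage: %s <target> <port>\0" + b"GET / HTTP/1.0\r\n\0" + interp
    ehsize, phentsize, phnum = 64, 56, 2
    body_off = ehsize + phentsize * phnum
    interp_off = body_off + len(body) - len(interp)
    base = 0x400000
    ehdr = (ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base + body_off, ehsize, 0, 0,
                          ehsize, phentsize, phnum, 64, 0, 0))
    ph_interp = struct.pack("<IIQQQQQQ", 3, 4, interp_off, base + interp_off, base + interp_off,
                            len(interp), len(interp), 1)
    total = body_off + len(body)
    ph_load = struct.pack("<IIQQQQQQ", 1, 7, 0, base, base, total, total, 0x1000)
    return ehdr + ph_interp + ph_load + body


if __name__ == "__main__":
    blob = build_sample()
    summary = parse_elf(blob)
    print(f"ELF{summary.bits} {summary.endian}-endian {summary.e_type} {summary.machine} "
          f"entry={summary.entry:#x} phnum={summary.phnum} shnum={summary.shnum}")
    for seg in summary.segments:
        print("  segment", seg)
    print("  interp:", summary.interp)
    for n in summary.notes:
        print("  NOTE:", n)
    print("strings:", strings(blob))
```

Run it on a real file with parse_elf(open(path, "rb").read()) and compare against readelf -h / readelf -l; the usage string and interpreter path come out of strings() the same way strings -a would find them in x2, and the notes are the quick answer to the “Encrypted?” question that comes next: a real program with no section headers and an RWX segment is the shape a Burneye-style wrapper leaves behind.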

  • Encrypted ?..47
  • Determining Encryption type..50
  • Executing the Exploit..51
  • Binary Executed..52
  • Usage..53
  • Findings..54
  • System Calls..55
  • Target Analysis:..57
  • strace “read” capture..58
  • Network Analysis..60
  • Scan Phase..61
  • Obtaining Shell..62
  • Snort Signatures..63
  • Decrypting the Binary..65
  • Decrypting the file..66
  • Teso Burneye..67
  • Conclusion..68

The Forensic Challenge Hands-On Case Study..70

  • Case Study Background..73
  • The Attack..75
    • Snort Alerts..76
    • Network Packet..77
  • Your Mission…..78
  • The Images and mount points..79
  • Analysis Tools Available..80
  • Extracting the Images..81
  • Mounting the Images..82
  • Goals..84
  • Methodology..85
  • Forensic Investigation Methodology..86
  • MAC Timelines..87
  • File and Directory Analysis..89
  • Deleted File Analysis..90
  • Binary Analysis..91
  • Unallocated Disk Space..92
  • Ready??? Set??? Go!!!..93

The Analysis..95

Analysis Results..100

File Analysis..105

Unallocated Space Analysis..146

Swap Space Analysis..149

Find something on these

  • lots of 0x90s in a transmission is a buffer overflow attack (0x90 is the x86 NOP; a long run is the sled in front of shellcode)
  • winalysis
  • least privilege
  • Pen-trap (pen register, trap and trace)
  • WinHex
  • substantial nexus

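The “lots of 0x90s” item above and the Snort Signatures step in the malware walkthrough rest on the same heuristic: a long run of single-byte x86 NOPs in a payload is a sled leading into shellcode. The Python below is an added example, not a Snort rule from the course. It reports the longest 0x90 run in each payload and, separately, a longer run drawn from the “alternative NOP” bytes 0x41..0x43 (inc ecx/edx/ebx in 32-bit code) that sleds use to dodge a plain 0x90 content match. Both thresholds are assumptions: 14 bytes is in the range the old Snort x86 NOOP content match used, and 32 for the alternative set is arbitrary. The packets, addresses and banners are constructed samples.

```python
"""Added example (not a course Snort rule): NOP-sled detection over packet payloads."""
from typing import Dict, FrozenSet, List, Tuple

NOP = frozenset({0x90})  # x86 single-byte nop
# Single-byte instructions sleds substitute for 0x90 to slip past a plain
# "90 90 90 ..." content match: inc ecx / inc edx / inc ebx in 32-bit code.
# They are also the letters A, B, C, so this set needs a higher threshold.
ALT_NOP = frozenset({0x90, 0x41, 0x42, 0x43})

NOP_THRESHOLD = 14   # assumed; same order as the old Snort x86 NOOP content match
ALT_THRESHOLD = 32   # assumed; 'AAAA...' runs occur in benign traffic, so demand more


def longest_run(payload: bytes, allowed: FrozenSet[int] = NOP) -> Tuple[int, int]:
    """(offset, length) of the longest run of bytes all drawn from `allowed`."""
    best_off = best_len = run_off = run_len = 0
    for i, b in enumerate(payload):
        if b in allowed:
            if run_len == 0:
                run_off = i
            run_len += 1
            if run_len > best_len:
                best_off, best_len = run_off, run_len
        else:
            run_len = 0
    return best_off, best_len


def scan_packets(packets: List[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """At most one alert per payload: the strict 0x90 rule first, else the alt-NOP rule."""
    alerts = []
    for flow, payload in packets:
        off, ln = longest_run(payload, NOP)
        if ln >= NOP_THRESHOLD:
            alerts.append({"flow": flow, "rule": "x86 NOP sled", "offset": off, "length": ln})
            continue
        off, ln = longest_run(payload, ALT_NOP)
        if ln >= ALT_THRESHOLD:
            alerts.append({"flow": flow, "rule": "x86 alt-NOP sled", "offset": off, "length": ln})
    return alerts


# Constructed sample payloads (addresses, banners and bytes are made up).
SAMPLE_PACKETS = [
    ("10.0.0.5:3021 -> 10.0.0.9:80",
     b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5:3022 -> 10.0.0.9:22",  # sled, then a classic execve("/bin//sh") stub
     b"SSH-1.5-OpenSSH_2.2.0\r\n" + b"\x90" * 40
     + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"),
    ("10.0.0.5:3023 -> 10.0.0.9:21",  # binary transfer: short 0x90 padding, benign
     b"PADDING" + b"\x90" * 8 + b"MZ\x90\x00\x03"),
    ("10.0.0.5:3024 -> 10.0.0.9:80",  # overflow filler of 'A's: the alt rule fires
     b"POST /cgi-bin/x HTTP/1.0\r\n\r\n" + b"A" * 200 + b"\xeb\xfe"),
]

if __name__ == "__main__":
    for a in scan_packets(SAMPLE_PACKETS):
        print(f"{a['flow']}: {a['rule']} at offset {a['offset']}, {a['length']} bytes")
```

The caveat is in the third and fourth packets: 0x90 also shows up as padding in legitimate executables crossing the wire, and a run of 'A's is common in benign data, so an alert from either rule is a reason to pull the session (port, banner, what follows the run) rather than a finding on its own.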
another file recovery tool - Rapier

aoe/sans508.txt · Last modified: 1970/01/18 07:09 by 127.0.0.1