Digital Forensics. Outline. What is Digital Forensics? Outline cont. Jason Trent Laura Woodard

Transcription

1 Outline Digital Forensics Jason Trent Laura Woodard What is Digital Forensics Who uses it Why is it used Where is it used JBRWWW Example March 9, 2006 Outline cont. Info you can find/use from volatile data: The System Date and Time Current Network Connections Open TCP and UDP ports Which Executables are opening TCP or UDP Ports Cached NetBIOS name Table s Currently Logged On The internal routing table Running Processes Running Services Scheduled Jobs Open files Process Memory Dumps What is Digital Forensics? The use of specialized techniques for recovery, authentication, and analysis of electronic data. Used for reconstruction of computer usage, examination of residual data, and authentication of data by technical analysis or explanation of technical features of data and computer usage. 1

2 Who Uses It? Why is it Used? FBI Private companies It s services are used by many corporations. To view the amount of damage caused by an intruder. To find evidence of terrorism, child pornography, crimes of violence, theft or destruction of intellectual property, crimes, and fraud. Computer Crime The use of computers in crime falls into two general categories: They can be the instrument of an offence. Tool to commit theft, extortion, fraud, attacking other systems The can contain evidence pertaining to an offence. Communication with victims or accomplices, hiding evidence. Types of Evidence Trace evidence Carried from scene of crime or left behind Latent evidence You cannot see or otherwise sense latent evidence Special tools and procedures must be used to find it It is fragile and subject to contamination Electronic evidence falls in this category 2

3 Electronic Evidence Improper handling or examination may result in Alteration Damage Destruction Hence, rendering it useless in court or leading to erroneous conclusions. Certification of Evidence Proof that the evidence has not been contaminated Chain of evidence must be preserved Forensic Analysis Process Acquisition Obtain forensic copies of the target media Analysis Active file system, deleted files, slack space, unallocated space Reporting Archiving Where is it Used Used on location. Since dynamic memory information is very useful. Many places can t afford to shut down a server. Used in Labs. The info is used in court. 3

4 Do you always pull the plug when responding to an incident? NO! Victim can t afford to remove the system from the network. The data currently in memory may be the only evidence of the incident. JBRWWW Example Is a large, well-respected financial institution. Has a Web site to check account activity, pay bills electronically, and execute other financial tasks. Has machines it uses when investigating bugs in its online software and that are not protected by a firewall. On October 1st, 2003, an odd file is found on one of the customer desktop simulation systems. Notices an update.exe file located in C:\ on the Windows 2000 workstation (at IP address ) that was zero bytes long. This file was not placed on the machine during the normal business practice. 4

5 Who How Info from the volatile Data The System Date and Time Issue the time and date commands in the prompt. Possibly the why Current Network Connections Open TCP or UDP Ports Execute netstat an NetBios Port IRC NetBios FTP Port Nattyserver or ChilliASP Response machine An open rogue port usually denotes a backdoor running on the victim machine. Interested in ports above 1024 since they are short lived. 5

6 Which Executables are opening TCP or UDP Ports FPort, freely distributed at ww.foundstone.com To execute it all we need to do is execute FPort: Iroffer is a legitimate tool, it connects to IRC channels and offers remote control of JBRWWW. These two lines provide confirmation that there was an incident involving JBRWWW. We can also tell that they have a netcat session. Cached NetBIOS Name Table We see that Windows (up until version 2003) stored connection specifics by NetBIOS name rather than IP address. Issue nbstat command to dump the victim system s NetBIOS name cache since we want to map a NetBIOS name to an IP address. Note: this command will only show us the NetBIOS name table cache, not a complete history of connections. Cached NetBIOS Name Table cont. nbstat c we receive s Currently Logged On PsLoggedOn, distributed within the PsTools suite from When we execute it we get: There is one user logged in locally. The second login is also Administrator, but it is a remote login. For a user to be connected remotely, he or she must be connected to a NetBIOS port. For Windows 2000, it is TCP port 445 or 139. Therefore we now know the attacker s IP is

7 Internal Routing Table Altering the routing tables to redirect traffic in some manner. A benefit for the attacker of rerouting traffic is avoiding a security device, such as a firewall. Another reason an attacker may alter the route table is to redirect the flow of traffic to sniff (capture) the data flying by on the network connection. Internal Routing Table cont. We can examine the routing table by issuing the netstat command: Looks normal. Running Processes We would like to know what processes the attacker executed because they could contain backdoors or further the attacker s efforts into the victim s network. We can list the process table with the pslist tool from the PsTools suite distributed from Running Processes cont. Executing pslist gives us: 7

8 Running Services There was a process running with the name PSEXESVC. We can see a list of services with the PsService executable. Running Services cont. We can see that PSEXESVC service is running, we find information linking PSEXESVC to the PsExec tool. Note: that even if the PsExec tool were renamed, we would still see this service in the service listing. Services can hide programs in them. In addition, services can be forced to start up at reboot. Scheduled Jobs Allows an attacker to run commands when he is not even on the box. For an example, an attacker may want to schedule a job that will open a backdoor every night at 2AM. That way, your usual security port scans will not pick up the backdoor during work hours. By typing at, you can see the jobs that are scheduled. Open Files PsTools suite contains another tool we can use to retrieve open file information called Psfile. When we run it on JBRWWW, we see the following: 8

9 Open Files cont. Psfile reports a system pipe opened by PSEXESVC. We now see the word CAINE which is the name of the computer that connected to JBRWWW using PsExec. Process Memory Dumps To help us see what the attacker ran, we will capture the memory space of the suspect processes. The increasing sophistication of intrusion tools and techniques, the acquisition and processing of application and system memory may be of paramount importance. They may provide critical investigative evidentiary material of a volatile nature. Data that may be lost include: The command line used by the intruder to execute a process Remotely executed console commands and their output Clear text passwords Unencrypted data. Process Memory Dumps cont. Microsoft provides a utility called userdump.exe for the Windows NT family of operating systems that enables us to capture the memory space utilized by any executing process. This tool is a component of the Microsoft OEM Support tools package available at 000srv/Utility/3.0/NT45/EN-US/Oem3sr2.zip To execute userdump on a single suspect process, we simply supply it with a process ID that was gotten earlier using pslist (PID 1424) Process Memory Dumps cont. Then to examine the memory dump we run dumpchk.exe, a utility provided as a component of the Debugging Tools for Windows, which are available at uging/default.mspx. For brevity, won t show the output. 9

10 Process Memory Dumps cont. The output confirms the file name and location and provides a list of associated dynamic link library files along with timestamps and the command line utilized to initiate the netcat process. netcat was configured to detach from the console, listen on port 60,906, and execute a command shell whenever a connection occurred. Subsequent examination with dumpchk reveals that PID 1224 was initiated with a command line of iroffer myconfig, and PID 1,372 with ftp Process Memory Dumps cont. Because data stored by an application or process in memory may be in Unicode format, we need to use a Unicode-capable Windows version of the strings command. One is available at Running strings on the memory dump, you ll see the application environment, which provides, the computer name, the system path, the location on the file system of the executed application and the command line used. Process Memory Dumps cont. Nothing here is earth shattering, but, it does provide information that supports the analysis. Scenario Electric Power 4U Electric Power 4U is a mid-size electric power provider. They utilize a typical network-centric system to record billing information and provide that information to customers. 10

11 Vendor Vendor Ethernet LAN Vendor Home Attack Detected Dial-In Intranet Wireless Site LAN Modem Bank and Client/ Control Ethernet LAN Wireless Hub I/O Network Router Network Manufacturing 9:10 Automated analysis tools confirm suspicion that an attacker has invaded an EP4U at 9:00 9:30 All risks have successfully been mitigated, but how was the system compromised? I/O I/O I/O I/O I/O SOURCE: Erickson [1] Vendor Vendor Ethernet LAN Vendor Website Home Dial-In Intranet Wireless Wireless Hub Site LAN Modem Bank and Client/ Control Ethernet LAN Router Network Manufacturing Control network is only connected to the corporate network and requires passing through a firewall. No other entry points exist. I/O Network I/O I/O I/O I/O I/O SOURCE: Erickson [1] 11

12 Vendor Vendor Ethernet LAN Vendor Website Home Dial-In Modem Bank and Network Intranet Wireless Wireless Hub Client/ Router Site LAN Control Ethernet LAN Manufacturing I/O Network I/O I/O I/O I/O I/O SOURCE: Erickson [1] Network Vendor Vendor Ethernet LAN Vendor Website Home The firewall is configured to only allow the billing server communicate with the control network. This is done so that the billing server can gather billing data in near real time. Dial-In Intranet Wireless Wireless Hub Modem Bank and Client/ Router Network Investigation shows that the billing server was compromised at 7:30 Possible entry vectors Wireless LAN Modem Bank Site LAN Control Ethernet LAN I/O Network Manufacturing I/O I/O I/O I/O I/O SOURCE: Erickson [1] 12

13 Billing Vendor Vendor Ethernet LAN Vendor Website Home Investigation shows that the billing server had no communication with the wireless LAN or modem bank How did the attacker get through the firewall? Dial-In Intranet Wireless Wireless Hub Site LAN Modem Bank and Client/ Control Ethernet LAN Router Network Manufacturing I/O Network I/O I/O I/O I/O I/O SOURCE: Erickson [1] Vendor Vendor Ethernet LAN Vendor Website Home The only traffic allowed through the firewall is the web server. The web server is actually in the demilitarized zone (DMZ). The web server passes through the firewall to retrieve billing information and allow customers access to their account status and the ability to pay their bill. Dial-In Intranet Wireless Site LAN Modem Bank and Client/ Control Ethernet LAN Wireless Hub I/O Network Router Network Manufacturing I/O I/O I/O I/O I/O SOURCE: Erickson [1] 13

14 Web Vendor Vendor Ethernet LAN Vendor Website Home Analysis of the web server shows that it was compromised at 6:15. We have an IP address of the attacker, but will we be able to link it to them? Dial-In Intranet Wireless Wireless Hub Site LAN Modem Bank and Client/ Control Ethernet LAN Router Network Manufacturing I/O Network I/O I/O I/O I/O I/O SOURCE: Erickson [1] 6:15 Web Attacked Timeline 7:30 Billing Attacked 9:00 Attacked 9:30 Risk Mitigated 9:10 Compromise Confirmed Conclusion Unless absolutely necessary, don t pull the plug on a suspect or victim machine. There is a wealth of information that can be obtained from the volatile data that would be lost if you do. 14

15 If interested in Digital Forensics Cyberspeak cyberspeak.com Checkmake E-zine niiconsulting.com/ch eckmate/ Suggested Reading Computer Forensics and Privacy, Michael A. Caloyannides, Artech House, Handbook of Computer Crime Investigation: Forensic Tolls and Technology, ed. By Eoghan Casey, Academic Press, Suggested Reading Forensic Computer Analysis: An Introduction by Wietse Venema and Dan Farmer n.html Suggested Readings A Brief History of Computer Forensics, Mark Pollitt, Chairman, SWG-DE ryofcf.pdf 15

16 References 1. Programmable Logic Controllers: An Emphasis on Design and, Kelvin T. Erickson, Dogwood Valley Press,