COEN 252 Computer Forensics: Data Analysis Techniques for Hard Drives
TRANSCRIPT
Data Analysis Techniques
Create forensic duplicate. Protect original as best evidence.
Review image file (with tools).
Report. Testify.
Data Analysis Techniques: Sources of Evidence
Existing files
Deleted files
Logs
Special system files (registry, cron)
Email archives, printer spools
Administrative settings
Special types of files (lnk, prefetch)
Data Analysis Techniques: File Restoration Techniques (FAT, NTFS)
By hand with a hex editor
Specialty tools like Norton Undelete
Forensics software like EnCase, FTK
Mount the drive on a UNIX system and use UNIX tools (e.g. fatback for FAT)
Data Analysis Techniques: UNIX
With a hex editor, set the link count in the inode of the deleted file back to a non-zero value; the next fsck then finds an allocated inode that no directory references and links it into lost+found.
Or use debugfs to relink the inode to a directory entry directly (ext2).
Caveat: this recovers the contents only where the inode still carries its block pointers. ext2 leaves them in place; ext3/ext4 zero them on deletion.
Data Analysis Techniques: Deleted files are overwritten if
The drive is wiped (e.g. with the wipe utility that is part of the PGP suite)
New files are created on the partition
New software is installed on the partition
Running applications update the partition
The partition stores the %SystemRoot% directory and Windows modifies it for internal housekeeping
The partition contains the web browser cache
The volume contains the TEMP directory
The system is shut down or started up
Data Analysis Techniques: Free, Slack and Unallocated Space
Use a hex editor
Use a specialty tool that generates a file by appending all slack and free space
Use a forensics tool
Free: outside of any partition.
Slack: allocated but unused overhang in the last cluster of a file. (On NT-based Windows the remainder of the last sector is zero-filled when the file is written; the sectors after it, up to the end of the cluster, keep whatever was stored there before.)
Unallocated: not assigned to a current file.
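Added example, not part of the lecture: how the slack definitions above translate into byte offsets in a raw image. The image contents, the 4096-byte cluster and 512-byte sector sizes, and the placement of the file at cluster 0 are all constructed here; a real tool takes the last cluster of the file from the FAT chain or the NTFS run list instead of assuming a contiguous file.

```python
def slack_ranges(logical_size, cluster_size, sector_size=512):
    """Offsets, relative to the file's first byte, that bound the two kinds of slack
    behind a file that does not end on a cluster boundary:
      RAM slack  = [logical_size, next sector boundary)  zero-filled by NT-based Windows
      file slack = [next sector boundary, cluster end)   old contents of the disk survive
    Returns (eof, sector_end, cluster_end), or None if there is no slack at all."""
    if logical_size == 0 or logical_size % cluster_size == 0:
        return None
    sector_end = -(-logical_size // sector_size) * sector_size     # ceil to sector
    cluster_end = -(-logical_size // cluster_size) * cluster_size  # ceil to cluster
    return logical_size, sector_end, cluster_end


def extract_slack(image, first_cluster, logical_size, cluster_size,
                  sector_size=512, data_offset=0):
    """Return {"ram": bytes, "file": bytes} for a file stored contiguously from
    first_cluster. data_offset is the byte offset of cluster 0 inside the image
    (start of the data region on FAT, volume start on NTFS). Assumption: the file
    is unfragmented; otherwise use the last cluster of the FAT chain / run list."""
    ranges = slack_ranges(logical_size, cluster_size, sector_size)
    if ranges is None:
        return {"ram": b"", "file": b""}
    eof, sector_end, cluster_end = ranges
    base = data_offset + first_cluster * cluster_size
    return {"ram": bytes(image[base + eof:base + sector_end]),
            "file": bytes(image[base + sector_end:base + cluster_end])}


def demo():
    """Constructed 2-cluster image: cluster 0 once held an old document, then a
    1000-byte file was written over its start."""
    cluster, sector = 4096, 512
    image = bytearray(b"OLD SECRET DRAFT" * (2 * cluster // 16))  # residue of an earlier file
    image[0:1000] = b"A" * 1000                                     # new file's logical content
    image[1000:1024] = b"\x00" * 24                                 # OS zero-fills to sector end
    return extract_slack(bytes(image), first_cluster=0, logical_size=1000,
                         cluster_size=cluster, sector_size=sector)
```

The file slack returned by demo() still reads "OLD SECRET DRAFT": nothing in the new file's logical size covers those 3072 bytes, which is exactly why a string search over the whole cluster finds what a search over the file does not.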
Data Analysis Techniques: First Task: Generate a Database of All Files
Record for every file: full path, MAC dates and times, logical size of the file, MD5 hash (so that later alteration or deterioration of the evidence can be detected).
Use the MD5 hash to exclude well-known files (operating system and application files, matched against a reference hash set) from the investigation.
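Added example, not from the lecture: building that file database and applying the known-file exclusion. The directory tree, its contents and the one-entry "reference set" are constructed inside demo(); on a real case the set would be a published hash set and the walk would run over a read-only mount of the image, because reading files on a writable mount updates their access times.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def md5_of(path, chunk=1 << 20):
    """Stream the file so large evidence files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_file_database(root):
    """One record per regular file: full path, M/A/C times (UTC), logical size, MD5.
    lstat() is used so symlinks are recorded as themselves, not followed."""
    db = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            db.append({
                "path": full,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "atime": datetime.fromtimestamp(st.st_atime, timezone.utc),
                "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc),
                "size": st.st_size,
                "md5": md5_of(full),
            })
    return db


def exclude_known(db, known_hashes):
    """Drop files whose hash is in the reference set (OS and application files)."""
    return [rec for rec in db if rec["md5"] not in known_hashes]


def touched_between(db, start, end):
    """Timeline slice: files with any of M, A or C inside [start, end]."""
    return [rec for rec in db
            if any(start <= rec[key] <= end for key in ("mtime", "atime", "ctime"))]


def demo():
    """Constructed tree: one 'well-known' system file and one user file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    with open(os.path.join(root, "WINDOWS", "system32", "known.dll"), "wb") as f:
        f.write(b"known library bytes")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"my little excursions")
    known = {hashlib.md5(b"known library bytes").hexdigest()}  # stands in for a reference set
    db = build_file_database(root)
    unknown = exclude_known(db, known)
    return (sorted(os.path.basename(r["path"]) for r in db),
            sorted(os.path.basename(r["path"]) for r in unknown))
```

Hashing the whole tree once also gives you the integrity baseline: re-running md5_of over the working copy later and comparing against the stored hashes proves the evidence was not altered during the review.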
Data Analysis Techniques: Prepare the drive for string searches
Forensics tools do this automatically. Proprietary formats must be handled. Compressed files need to be uncompressed. Encrypted files need to be decrypted.
Data Analysis Techniques Perform string searches
On UNIX, use grep. Forensics tools preprocess forensic duplicates.
Data Analysis Techniques Perform String Searches
The “How” is easier than the “What”. Investigator and analyst need to work together:
“What are we looking for?” “What information do we need?”
Data Analysis Techniques
Example:
The hard drive of a robbery suspect contains numerous references to his “little excursions”.
To tie the suspect to the computer, establish usage by suspect alone by: Finding personal pictures (look for jpg). Restore old emails. Restore chat sessions.
http://www.signonsandiego.com/news/metro/santana/20010312-9999_1n12compute.html
Data Analysis Techniques: What to look for
Email: primary source of evidence. Email in transit is protected by the ECPA (Electronic Communications Privacy Act) and other statutes. Examining email after transmission, i.e. stored email, is treated similarly to a search of files.
Print spooler files: typically deleted right after printing, but usually not overwritten. Not used by modern printers.
Data Analysis Techniques: What to look for
Web cache evidence: all web browsers cache. Some delete the files after the session closes.
Ex.: United States v. Tucker: The government introduced Internet conversations taken from Tucker's computer which showed that while he was looking for pictures he stated that he was into "young action" and would "like to start trading (3)27" and introduced a listing of Internet conversations documenting Tucker's trading of such images.
United States Court of Appeals, Eleventh Circuit, No. 97-2767
Data Analysis Techniques: What to look for
Swap files / virtual memory files: can be very large. Use forensics tools like EnCase. Alternatively: hex editors, Norton Disk Commander (under Windows).
Windows Data Analysis
Perform keyword searches. Review logs. Review the registry. Review swap files. Review special application files: Internet cache, Recycle Bin, printer spool, email files.
Windows Data Analysis: Text Searches
Raw data level: BinText (Foundstone), Disk Investigator (K. Solway), SectorSpyXP (McCamy, Lexun Freeware)
Forensics tools: EnCase, FTK, Maresware
Windows Data Analysis: Logs
Windows NT, 2000, XP, 2003, 7 maintain log files: System log, Application log, Security log.
Drawbacks: the default security logging on NT, 2000 and XP is "no logging" (Vista and later audit some categories by default). Logon events on these older versions do not record IP addresses. Event records store only the insertion strings and refer to message DLLs on the originating machine, so a forensics workstation without those DLLs will not render the messages.
Internet Information Services (IIS) has its own set of logs. Uses the W3C extended log file format by default. IIS logging needs to be enabled. More important for incident response than for law enforcement. Records the HTTP status code of every request.
Many other applications log: internal firewalls, for example.
Create your own log from the timestamps of files around critical times. FileList (www.forensics-intl.com) will do this for you.
Windows Data Analysis: Reviewing Relevant Files: Recycle Bin
Folder Recycled in Win95/98. Folder Recycler in WinNT/2000/XP (with one subfolder per user SID). Folder $Recycle.Bin in Vista and later.
Date and time of deletion in the system file INFO in Win95 and INFO2 in Win98, Win2000 and WinXP. Vista and later keep a small $I<id> metadata file next to each renamed $R<id> data file instead.
Windows moves a deleted file into the recycle bin and later deletes it from there. Thus files can be retrieved from deleted recycle bin entries: the renamed data file and its INFO2 record are unlinked, not wiped.
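Added example, not from the lecture: a parser for the Win2000/XP INFO2 file, which is where the deletion date/time, the original path and the renamed name (D<drive><index>.<ext>) of each recycled file come from. The INFO2 bytes are constructed by build_info2() from a made-up record; the layout is the publicly documented one (the same as the rifiuti tool reads), so verify against a real INFO2 before relying on it. The FILETIME helpers are the same 64-bit, 100-nanosecond-since-1601 format the registry uses for LastWrite times.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_LEN = 20        # five uint32: version, unknown, unknown, record length, unknown
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: count of 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt.astimezone(timezone.utc) - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def recycled_name(drive, index, original_path):
    """Name the file gets inside the Recycler folder: D + drive letter + index + ext."""
    return "D%s%d%s" % ("abcdefghijklmnopqrstuvwxyz"[drive], index,
                        os.path.splitext(original_path)[1])


def parse_info2(data):
    """Parse a Win2000/XP INFO2 file. Record layout (800 bytes):
         0   260-byte ANSI original path; byte 0 is zeroed when the entry is emptied
         260 uint32 index       264 uint32 drive number (0 = A:, 2 = C:)
         268 FILETIME deletion time     276 uint32 size in bytes
         280 520-byte UTF-16LE original path"""
    if len(data) < INFO2_HEADER_LEN:
        raise ValueError("too short for an INFO2 header")
    version, _, _, record_len, _ = struct.unpack_from("<5I", data, 0)
    entries = []
    for off in range(INFO2_HEADER_LEN, len(data) - record_len + 1, record_len):
        rec = data[off:off + record_len]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        unicode_path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        path = unicode_path or ansi
        entries.append({
            "emptied": rec[0] == 0,          # emptied entries still keep the Unicode path
            "path": path,
            "index": index, "drive": drive, "size": size,
            "deleted": filetime_to_datetime(ft),
            "recycled_name": recycled_name(drive, index, path),
        })
    return {"version": version, "record_len": record_len, "entries": entries}


def build_info2(records):
    """Constructed INFO2 bytes for testing; records = (index, drive, when, size, path)."""
    out = bytearray(struct.pack("<5I", 5, 0, 0, 800, 0))
    for index, drive, when, size, path in records:
        rec = bytearray(800)
        rec[0:260] = path.encode("cp1252")[:259].ljust(260, b"\x00")
        struct.pack_into("<IIQI", rec, 260, index, drive, datetime_to_filetime(when), size)
        rec[280:800] = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
        out += rec
    return bytes(out)


def demo():
    when = datetime(2001, 3, 12, 14, 30, tzinfo=timezone.utc)
    data = build_info2([(3, 2, when, 12345,
                         r"C:\Documents and Settings\suspect\My Documents\notes.doc")])
    return parse_info2(data)["entries"][0]
```

Because the deletion time is stored as a UTC FILETIME, the parser returns UTC; convert with the machine's time zone from the registry before comparing it against user activity recorded in local time.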
Windows Data Analysis: Reviewing Relevant Files: $LogFile
$LogFile is an NTFS metadata file (MFT entry 2) that journals file system transactions. Deletion of a file leaves several entries in $LogFile. It is not unusual to find the names of files that are no longer on the disk; this shows that the file existed and was used by the system.
Windows Data Analysis: Reviewing Relevant Files: Shortcuts
Shortcuts (.lnk files) can contain relevant information: the target path, the volume it was on and the target's time stamps. Stored in the Desktop folder (and in the Recent folder).
A special agent of the Illinois Attorney General’s Office investigated a case involving child pornography. The agent located a shortcut file in the Windows/Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting child pornography to be displayed on the computer’s monitor when the shortcut was activated. Casey, p. 153
Windows Data Analysis: Reviewing Relevant Files: Prefetch Files
Give better performance. Used to collect information on what is necessary to run a program. Stored in Windows\Prefetch as <EXE>-<hash>.pf. Various tools parse prefetch files.
Forensic significance: shows that the program has been executed, gives the last time the application was run, gives the number of runs.
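Added example, not from the lecture: reading the three forensically interesting header fields (executable name, last run time, run count) out of a .pf file. The header offsets for format versions 17 (XP/2003) and 23 (Vista/7) are the publicly documented ones; the sample files are built by build_prefetch() with made-up values (NC.EXE, a made-up hash, seven runs), so only the header is present and the section tables that follow it in a real file are not.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Header offsets (last-run FILETIME, run count) by format version.
PREFETCH_LAYOUT = {
    17: (0x78, 0x90),   # Windows XP / Server 2003
    23: (0x80, 0x98),   # Windows Vista / 7
}


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt.astimezone(timezone.utc) - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def parse_prefetch(data):
    """Read the fields an examiner cares about from a .pf header:
       0x00 uint32 version   0x04 'SCCA'   0x0C uint32 file size
       0x10 60-byte UTF-16LE executable name   0x4C uint32 prefetch hash
       then, version dependent, the last-run FILETIME and the run counter."""
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("no SCCA signature (Windows 10 .pf files are MAM-compressed)")
    if version not in PREFETCH_LAYOUT:
        raise ValueError("prefetch version %d not handled here" % version)
    exe = data[0x10:0x4C].decode("utf-16-le", "replace").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 0x4C)
    last_off, count_off = PREFETCH_LAYOUT[version]
    last_run, = struct.unpack_from("<Q", data, last_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "exe": exe,
        "expected_filename": "%s-%08X.pf" % (exe, prefetch_hash),  # compare with the name on disk
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run) if last_run else None,
        "run_count": run_count,
    }


def build_prefetch(version, exe, prefetch_hash, last_run, run_count):
    """Constructed header-only sample; real files carry section tables after it."""
    last_off, count_off = PREFETCH_LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    name = exe.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<Q", buf, last_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


def demo():
    when = datetime(2001, 3, 12, 14, 30, tzinfo=timezone.utc)
    xp = build_prefetch(17, "NC.EXE", 0x0A1B2C3D, when, 7)
    win7 = build_prefetch(23, "NC.EXE", 0x0A1B2C3D, when, 7)
    return parse_prefetch(xp), parse_prefetch(win7)
```

A mismatch between expected_filename and the actual file name is itself a finding: the hash is computed from the executable's path, so a renamed or relocated .pf file stands out.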
Windows Data Analysis: Reviewing Relevant Files: Scheduled Tasks
Windows 2000, XP, 2003: .job files in Windows\Tasks. Windows 7: XML task definitions in Windows\System32\Tasks.
Scheduled task log SchedLgU.txt in Windows\Tasks.
Windows Data Analysis: Reviewing Relevant Files: Jump Lists
List of files recently opened, Windows 7 and later. Stored in AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (and CustomDestinations). The first 16 characters of the file name (the AppID hash) identify the application. Each entry uses the .lnk file format, embedded in an OLE compound file, so it carries time stamps. Various analyzers exist.
Windows Data Analysis: Reviewing Relevant Files: Thumbs.db (system file)
Contains thumbnail pictures for the folder. Not perfectly synchronized with the folder: thumbnails of deleted images might still be available.
Windows Data Analysis: Reviewing Relevant Files: Temporary Files
Files with extension .tmp, created by many applications.
Emails with large attachments: the attachments are probably stored as temp files (depends on the email system). Look for the file extension .tmp.
Windows Data Analysis: Reviewing Relevant Files: Browser Cache
Internet Explorer (as well as other browsers) uses a cache. index.dat contains the index of Internet Explorer's cached websites, history and cookies. Written in binary. Use Pasco from Foundstone.
Browser cache location:
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
or C:\Program Files\Netscape\Users\Username\Cache
Cookies can be partially deciphered. Use Galleta from Foundstone. Typically, concatenate all cookies, redirect Galleta's tab-delimited output into a file, open it in Excel and investigate the spreadsheet.
Dial-up Networking: rasautou -s lists the autodial addresses.
Windows Data Analysis: Registry
Database that stores settings and options for 32-bit MS Windows OS. Contains information and settings for hardware, software, users, preferences.
Win95, Win98: USER.DAT, SYSTEM.DAT in the Windows directory. WinME: USER.DAT, SYSTEM.DAT, CLASSES.DAT. WinNT, 2000, XP: hive files in %SystemRoot%\System32\Config (SAM, SECURITY, SOFTWARE, SYSTEM), plus NTUSER.DAT in each user profile.
Windows Data Analysis: Registry
Use RegEdit to access. Before experimentation, make a backup of the registry.
Hierarchical structure. The main branches (root keys) map onto hives. Hives contain keys. Keys can contain subkeys and values.
Six main branches (HKEY_DYN_DATA exists on Win95/98/ME only; NT-based systems show five):
HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.
HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID subkey located under the main branch.
HKEY_CURRENT_CONFIG - Links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
HKEY_DYN_DATA - Points to the part of HKEY_LOCAL_MACHINE used by the Plug-and-Play features of Windows 9x/ME; this section is dynamic and changes as devices are added and removed from the system.
Windows Data Analysis: Registry
Registry Editor can import and export registry settings to / from a text (.reg) file.
Copy the registry hive files from the forensic duplicate to your forensic workstation.
Load them into RegEdit with File > Load Hive (under HKEY_USERS or HKEY_LOCAL_MACHINE) rather than importing a .reg file: importing merges the suspect's settings into your workstation's own registry.
IF YOU MESS UP THE REGISTRY, YOU NEED TO REBUILD YOUR SYSTEM.
Windows Data Analysis: Registry
In a recent investigation by the Los Angeles County Sheriff's Computer Crime Unit, a detective investigated an employee suspected of misappropriating confidential computer information stored by his company. When the detective examined one of the workplace computers, he found remnants of a key-trapping program in the registry. During an interview, the suspect admitted to having installed, used, and deleted the key-trapping program for the purposes of obtaining user names and passwords of coworkers.
Windows Data Analysis: Registry
Use the registry to find installed software (such as L0phtCrack), including manually deleted software: uninstall and application keys usually survive a manual deletion of the program directory.
Use backups of the registry to trace the installation and uninstallation of software.
Find data on user accounts (the SAM hive).
Obtain the listing of applications that are set to run automatically (the Run and RunOnce keys, among others).
Obtain registry entries that have been modified lately: every registry key has a LastWrite time, a 64-bit FILETIME value counting 100-nanosecond intervals since January 1, 1601 (UTC).
Windows Data Analysis: MS Word Files
Word documents (binary .doc) contain a revision log: the names of the last authors and the paths the document was saved under.
Used by Richard M. Smith to investigate the February 2003 Iraq dossier released by PM Blair's office.
Turned out that the dossier was mainly a copy of a Middle East Review of International Affairs article.
.pdf, .html, ... files generated from .doc files do not have this revision history.
Windows Data Analysis: Unusual or Hidden Files
NTFS supports multiple data streams under one file entry ("alternate data streams"), a feature adopted from the Macintosh Hierarchical File System and its resource forks.
It allows us to hide a file: cp nc.exe logo.jpg:nc.exe (cp from the Resource Kit; type nc.exe > logo.jpg:nc.exe does the same from cmd.exe). Now nc.exe is hidden: the directory listing still shows only logo.jpg with its original size. Use SFind (Foundstone) to find streamed files (dir /r on Vista and later also lists streams).
Windows Data Analysis: Print Spooler Files
Print spooler files (EMF, Enhanced Metafile, under Windows). EMF files are deleted after printing.
"Gap-Toothed Bandit", Micheal Craig Dickman, used proceeds from bank robberies to support his struggling biotech start-up. Arrested after a heist in La Jolla, 1999. The San Diego RCFL found the demand notes as a deleted EMF file on his laptop.
Data Analysis Techniques: What to look for: Print Spooling
Print spooling uses temporary files that contain the data to be printed and data on the print job. Two methods, RAW and EMF.
Shadow file .SHD: info on the print job.
.SPL: contains the data to be printed (RAW); with EMF on Win9x the .SPL contains the file name, the method and a list of files with the print data (EMF****.TMP), while NT-based systems write the EMF records into the .SPL file itself.
Data Analysis Techniques: What to look for
Department of Consumer Affairs in Orange County, CA, arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer. When the examiners requested a second review from the California Department of Insurance, Fraud Division, the Computer Forensics Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive were the enhanced metafiles. The defendant was convicted at trial. Casey, p. 163
Windows Data Analysis: Rogue Processes
To find rogue processes on a duplicate image: restore the file system, set the restored volume read-only, then run antivirus software over it.
Windows Data Analysis: Find Hidden Doors
Schedule an event: remote /s "cmd.exe" mysystem (remote, from the NT Resource Kit, runs cmd.exe as a server reachable under the name mysystem). remote /c <hostname> mysystem then connects to it with a command prompt from outside the system. Attackers schedule this with the at or the soon utility, so review the scheduled tasks for it.
Windows Data Analysis: Review Last Searches
Use AFind (Foundstone) to list the last few files accessed, by access time. Look at the Find / Search dialog's history scroll box for the strings the user searched for.
UNIX Data Analysis
Review all pertinent logs. Perform keyword searches. Review relevant files. Identify unauthorized user accounts or groups. Identify rogue processes. Check for unauthorized access points. Analyze trust relationships. Check for kernel module rootkits.
UNIX Data Analysis: Logs
UNIX maintains a variety of logs. A hacker could change the logs, but you still need to look at them. Placed in directories depending on the UNIX flavor: /var/log, /usr/adm, /var/adm.
UNIX Data Analysis: Logs: syslog
Controlled by /etc/syslog.conf. Uses syslogd. Can be used to log remotely.
Look at syslog.conf. Each line has a selector (facility.priority) and an action:
Facility field: subsystem that produced the log (e.g. mail, auth, kern)
Priority field: debug, info, notice, warning, err, crit, alert, emerg (a selector matches its priority and everything more severe)
Action field: how the log is recorded, typically the name of a log file, or @hostname (or IP address) for a remote syslog server
UNIX Data Analysis: Logs: Remote Syslog Server
Attackers with root privileges can change the local logs. Use a remote syslog server for safety. An attacker can still add spurious entries to the remote syslog (classic syslog is UDP and unauthenticated), so harden the remote syslog server.
UNIX Data Analysis: Logs: TCP Wrappers
Host-based access control for TCP and UDP services. Any connection attempt is logged via syslog:
May 13 23:11:45 victim sshd[12528]: ROOT LOGIN REFUSED FROM www.scu.edu
May 13 23:19:03 victim in.tftpd[524]: connect from 10.10.10.10
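Added example, not from the lecture: parsing classic syslog lines into their fields and running a few review rules over them. The two slide lines above are the input, plus one constructed su record; the "trusted" network 192.168.1.0/24 is an assumption standing in for whatever the site's internal range is. The syslog timestamp carries neither a year nor a time zone, so both have to come from the image (file mtimes, the host's TZ setting).

```python
import ipaddress
import re

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"connect from (\S+)")

# Sample lines: the two from the slide plus one constructed su record.
SAMPLE_LINES = [
    "May 13 23:11:45 victim sshd[12528]: ROOT LOGIN REFUSED FROM www.scu.edu",
    "May 13 23:19:03 victim in.tftpd[524]: connect from 10.10.10.10",
    "May 13 23:20:11 victim su(pam_unix)[530]: session opened for user root by dvader(uid=512)",
]


def parse_syslog_line(line):
    """Split a classic syslog line into month, day, time, host, program, pid, message."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def is_trusted(source, trusted_nets):
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False   # tcpd logged a host name; untrusted until resolved from evidence
    return any(ip in net for net in trusted_nets)


def review_syslog(lines, trusted_nets):
    """Return (finding, program, detail) for the conditions worth a second look."""
    findings = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        msg, prog = rec["msg"], rec["prog"]
        if "REFUSED" in msg.upper():                     # wrapper / sshd refusals
            findings.append(("refused login/connection", prog, msg))
        m = CONNECT_RE.search(msg)
        if m and not is_trusted(m.group(1), trusted_nets):
            findings.append(("connection from untrusted host", prog, m.group(1)))
        if prog.startswith("su") and "opened for user root by" in msg and "by root" not in msg:
            findings.append(("su to root", prog, msg))
    return findings


def demo():
    trusted = [ipaddress.ip_network("192.168.1.0/24")]   # assumed internal network
    return review_syslog(SAMPLE_LINES, trusted)
```

Run the same rules over the local copy and the remote syslog server's copy of the log: lines present remotely but missing locally are the attacker's edits.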
UNIX Data Analysis: Host Logging
su command logs: part of syslog, stored in /var/log/messages (or /var/log/auth.log or /var/log/secure, depending on the distribution).
Currently logged in users: stored in utmp (current sessions) and wtmp (login history). Use w, who, finger, last to read them. Modified by many hacker tools.
Logon attempt logs: recorded on most UNIX machines, /var/log/messages on Linux.
cron: allows users to schedule programs for future execution. Often used for attacks. Logged, typically in /var/cron/log (Linux: /var/log/cron).
UNIX Data Analysis: User Activity Logging
Every command by every user can be logged. Shells store history files for each user.
Attacker gains root access to the system, deletes the .bash_history file and links the name to /dev/null. The shell can no longer log.
Look for the shell log:
[linuxbox] # ls -al
total 52
drwxr-x---   5 root root 4096 Dec 12 04:47 .
drwxr-x---   5 root root 4096 Dec  8 01:27 ..
-rw-------   1 root root  108 Dec 12 04:47 .Xauthority
-rw-r--r--   1 root root 1198 Aug 23 04:47 .Xdefaults
lrwxrwxrwx   1 root tty     9 Dec  8 14:12 .bash_history -> /dev/null
UNIX Data Analysis: String Searches
grep: string search within a file, string search within a binary file, recursive searches.
# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
# grep PROMISC /sbin/ifconfig
Binary file /sbin/ifconfig matches
# grep -r -i password /
UNIX Data Analysis: String Searches
find: use it to search for a file by name. E.g., find "..." (a typical hacker trick to hide a directory). Found one:
# find / -name '...' -print
/home/hacker/MDAc/temp/.../root/...
UNIX Data Analysis: Relevant Files
Finding relevant files after an incident is an art. Be careful about destroying evidence by running system commands that change file times. Mount the evidence drive read-only or, better, work on a duplicate.
Identify the time of the incident. Look for files accessed, created or modified around that time: use find with the -atime, -ctime, -mtime options (or -newer against a reference file).
UNIX Data Analysis: Relevant Files: SUID Programs
UNIX allows applications to set the user ID (SUID) and set the group ID (SGID). Such a program runs with the privileges of its owner, typically root. SUID programs are the source of many local privilege escalation attacks.
Sometimes unprivileged users need to accomplish tasks that require high privileges. For example, passwd needs to write the password file, /etc/passwd (and /etc/shadow), but users should not be given write access to those files.
User invokes passwd. passwd's effective UID is switched (by the SUID bit) to that of the file's owner, root. passwd now runs with root's UID and can update the password file.
You recognize these programs with ls -l: the file permissions show an s instead of an x in the owner or group execute position.
-rwsr-xr--  SUID program
-rwxr-sr--  SGID program
UNIX Data Analysis: Relevant Files: SUID Programs
SECURITY INCIDENT EXAMPLE
Superuser is logged on as root and leaves the terminal unattended. Someone creates a SUID shell. Anyone invoking /tmp/break-acct then gets root privileges:
# cp /bin/sh /tmp/break-acct
# chmod 4755 /tmp/break-acct
(Caveat: bash drops the effective UID back to the real UID unless started with -p, so this works as described only with shells that do not do that, or with the -p flag.)
UNIX Data Analysis: Relevant Files: SUID Programs: An Old Break-in
/usr/lib/preserve is used by the vi and ex editors to make an automatic backup of the file being edited when the user suddenly disconnects. preserve writes the file changes to a temp file in a special directory.
preserve uses /bin/mail to send the user a notification that the file has been saved. This temp file should not be accessible by the world; thus preserve needs root privileges.
preserve was installed SUID root. preserve ran /bin/mail as root. preserve executed the mail program with the system() library call, and system() uses sh to parse the string that it executes.
Problem: the shell variable IFS tells sh which characters separate words. Normally these are space, tab and newline. The attacker sets IFS to "/".
Attacker runs vi. Attacker crashes the session. preserve runs. sh splits the command string /bin/mail on "/" into the words "bin" and "mail". Thus it executes any program called bin found in the PATH, with the argument mail, as root.
UNIX Data Analysis: Relevant Files: SUID Programs
Find all SUID and SGID files with the following command. find starts in / and looks for regular files with permission bit 04000 (SUID) or 02000 (SGID) set. Know what to expect: compare the list against the package manager's or a clean system's list.
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
UNIX Data Analysis: Relevant Files: Hidden Files
Hide "bad" files by giving them innocuous names, by giving them a name similar to a reasonable name (" syslog" with a leading space vs. "syslog"), or by calling a directory "..." ("." is the current directory, ".." the parent directory, so "..." blends in).
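Added example, not from the lecture: one sweep over an evidence tree that covers the SUID/SGID search, the "..." and " syslog" naming tricks and the history file linked to /dev/null from the User Activity Logging slides. The tree is constructed in demo() with one instance of each trick (directory names, the break-acct file and the /dev/null link are made up to match the slides); on a real case point sweep() at the read-only mount and diff the setuid list against a known-good system.

```python
import os
import stat
import tempfile

HISTORY_FILES = {".bash_history", ".sh_history", ".history", ".zsh_history"}


def sweep(root):
    """Walk an evidence tree (mounted read-only) and report the hiding and privilege
    tricks above. lstat() is used so symlinks are examined rather than followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if set(name) == {"."}:                      # "..." etc.; "." and ".." are never listed
                findings.append(("dot-only name", full))
            if name != name.strip():                    # " syslog" vs "syslog"
                findings.append(("whitespace in name", full))
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid/setgid file", full))   # compare with a known-good list
            if (name in HISTORY_FILES and stat.S_ISLNK(st.st_mode)
                    and os.readlink(full) == "/dev/null"):
                findings.append(("history file linked to /dev/null", full))
    return findings


def demo():
    """Constructed tree with one instance of each trick."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, "home", "hacker", "...")
    os.makedirs(hidden)
    with open(os.path.join(hidden, " syslog"), "wb") as f:
        f.write(b"sniffer output\n")
    os.makedirs(os.path.join(root, "tmp"))
    suid = os.path.join(root, "tmp", "break-acct")
    with open(suid, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(suid, 0o4755)                              # the SUID shell from the slide
    os.makedirs(os.path.join(root, "root"))
    os.symlink("/dev/null", os.path.join(root, "root", ".bash_history"))
    with open(os.path.join(root, "home", "hacker", ".bash_history"), "wb") as f:
        f.write(b"ls\n")                                 # an ordinary history file: not reported
    return sorted((kind, os.path.relpath(path, root)) for kind, path in sweep(root))
```

Walking with os.walk reads directories only, so on a read-only mount the sweep leaves the access times of the files themselves untouched.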
UNIX Data Analysis: Relevant Files: Configuration Files
Primary target for a hacker who wants to keep access. /etc/hosts.allow and /etc/hosts.deny determine the TCP Wrappers access policy. /etc/inetd.conf controls the network services started by inetd.
Add an entry to inetd.conf: a simple backdoor that listens on port 55000, the same telnet server as the one for port 23. Port 55000 might not be monitored. (inetd looks the port up by service name, so the attacker also adds telnet2 55000/tcp to /etc/services.)
telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd
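Added example, not from the lecture: auditing inetd.conf against /etc/services for the kind of entry shown above. Both files are constructed excerpts: two legitimate services, the slide's telnet2 line, and the classic "shell bound to a socket" backdoor on the ingreslock port. The rules (root daemon on a port above 1023, a shell as the server program, a known daemon configured under an alias, a service name inetd cannot resolve) are heuristics that flag entries for review, not proof of compromise.

```python
import os

SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}
# canonical service name each daemon is normally configured under
DAEMON_SERVICE = {"in.telnetd": "telnet", "in.ftpd": "ftp", "in.rshd": "shell",
                  "in.rlogind": "login", "in.tftpd": "tftp", "in.fingerd": "finger"}

# Constructed /etc/services excerpt: the attacker added telnet2 so inetd can resolve the port.
SERVICES = """\
ftp         21/tcp
telnet      23/tcp
ingreslock  1524/tcp
telnet2     55000/tcp
"""

# Constructed /etc/inetd.conf: two legitimate lines, the slide's telnet2 backdoor,
# and a shell bound directly to a socket.
INETD_CONF = """\
ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet     stream tcp nowait root /usr/sbin/tcpd in.telnetd
telnet2    stream tcp nowait root /usr/sbin/tcpd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""


def parse_services(text):
    """{(service, proto): port}"""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        ports[(name, proto)] = int(port)
    return ports


def parse_inetd(text):
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            continue
        entries.append({"service": f[0], "socktype": f[1], "proto": f[2],
                        "wait": f[3], "user": f[4], "server": f[5], "args": f[6:]})
    return entries


def audit_inetd(inetd_text, services_text):
    """Return (service, finding) pairs for entries that look like backdoors."""
    ports = parse_services(services_text)
    findings = []
    for e in parse_inetd(inetd_text):
        # the program that really serves the connection: behind tcpd it is args[0]
        program = os.path.basename(e["server"])
        if program == "tcpd" and e["args"]:
            program = os.path.basename(e["args"][0])
        port = ports.get((e["service"], e["proto"]))
        if port is None:
            findings.append((e["service"], "no /etc/services entry; inetd cannot bind it"))
        elif port > 1023 and e["user"] == "root":
            findings.append((e["service"], "root daemon on unprivileged port %d" % port))
        if program in SHELLS:
            findings.append((e["service"], "shell bound directly to a socket"))
        canonical = DAEMON_SERVICE.get(program)
        if canonical and canonical != e["service"]:
            findings.append((e["service"], "%s served under alias of %s" % (program, canonical)))
    return findings


def demo():
    return audit_inetd(INETD_CONF, SERVICES)
```

Pair the audit with the mtimes of both files: a services file modified at the same minute as inetd.conf, long after installation, is the timeline entry the textual check cannot give you.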
UNIX Data Analysis: Relevant Files: cron
The cron facility is used to schedule future executions of programs. /var/spool/cron or /usr/spool/cron stores the per-user cron jobs (also check /etc/crontab and /etc/cron.d). /etc/rc.d contains the scripts that start programs when UNIX boots. Check all startup scripts for trojans.
UNIX Data Analysis: Phone Home
Outgoing traffic is usually not monitored. A compromised system uses cron to initiate a connection to an outside system. The outside system can then control the compromised system.
UNIX Data Analysis: Relevant Files: Startup
User home directories contain startup files: .login, .profile, .cshrc (and .bashrc, .bash_profile).
UNIX Data Analysis: Relevant Files: /tmp
Typically the only world-writable directory on a UNIX system (together with /var/tmp). Hangout for nefarious tools.
UNIX Data Analysis: User Accounts
Each user has an entry in /etc/passwd:
dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash
Fields: user name, password (x means shadowed, stored in /etc/shadow), user ID, group ID, comment field, home directory, default login shell.
/etc/group defines groups (group name, password, group ID, member user names):
root::0:root,tschwarz
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
If suspicious of compromise, investigate user accounts and group accounts.
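Added example, not from the lecture: parsing /etc/passwd and /etc/group from the image and applying the checks an examiner runs first. The passwd excerpt is constructed around the slide's dvader line, with the usual system accounts plus two planted ones (a second UID 0 account and one with an empty password field); the group excerpt is the one on the slide, in which tschwarz has no passwd entry.

```python
# Constructed /etc/passwd: the slide's dvader line plus system accounts and two planted ones.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
sys:x:4:3:sys:/dev:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash
toor:x:0:0::/:/bin/sh
guest::517:517::/tmp:/bin/sh
"""

# Constructed /etc/group as on the slide (tschwarz has no passwd entry here).
GROUP = """\
root::0:root,tschwarz
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
"""


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or line.startswith("#"):
            continue
        users.append({"name": f[0], "passwd": f[1], "uid": int(f[2]), "gid": int(f[3]),
                      "gecos": f[4], "home": f[5], "shell": f[6]})
    return users


def parse_group(text):
    groups = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 4 or line.startswith("#"):
            continue
        members = [m for m in f[3].split(",") if m]
        groups.append({"name": f[0], "passwd": f[1], "gid": int(f[2]), "members": members})
    return groups


def audit_accounts(passwd_text, group_text):
    """Return (finding, who) pairs: extra UID 0 accounts, empty password fields,
    duplicate UIDs, non-root members of the gid 0 group, members without accounts."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra uid 0 account", u["name"]))
        if u["passwd"] == "":                   # no password at all, not even a shadow marker
            findings.append(("empty password field", u["name"]))
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("duplicate uid %d" % uid, ",".join(names)))
    known = {u["name"] for u in users}
    for g in groups:
        for m in g["members"]:
            if g["gid"] == 0 and m != "root":
                findings.append(("non-root member of gid 0 group", m))
            if m not in known:
                findings.append(("group member without passwd entry", m))
    return findings


def demo():
    return audit_accounts(PASSWD, GROUP)
```

A name such as toor is easy to spot; an attacker who instead changes the UID of an existing account to 0 is caught only by the duplicate-UID rule, which is why the audit keys on numeric IDs rather than names.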
UNIX Data Analysis: Checking for Unauthorized Access Points
Investigate all network services for potential access points: X server, FTP, Telnet, DNS, Sendmail, finger, SNMP, IMAP, POP, HTTP, HTTPS.
UNIX Data Analysis: Analyzing Trust Relationships
If machine A trusts machine B, then anyone on machine B can access services on machine A. Don't set up trust relationships: they allow an attacker to escalate privileges to other machines. Check files such as /etc/hosts.equiv or .rhosts (a "+" entry trusts every host).
Network topology routes data through other computers. Sniffing (esp. for passwords) is even possible in a switched environment: arpredirect in dsniff (renamed arpspoof in later dsniff releases).
UNIX Data Analysis: Loadable Kernel Modules
LKMs can be dynamically loaded with root-level access. Used to let a hacker maintain access (kernel rootkits): Adore, Knark, itf.