COEN 152/252 Computer Forensics
Data Analysis Techniques for Hard Drives
Data Analysis Techniques
Create a forensic duplicate. Protect the original as best evidence; all analysis is done on the duplicate.
Review the image file (with tools).
Report. Testify (via declaration or in person).
Data Analysis Techniques
Collaboration is needed between forensic investigators and attorneys, paralegals and witnesses: the legal side defines what has to be shown, the analyst determines what the evidence can support.
Data Analysis Techniques
Sources of evidence:
Existing files
Deleted files
Logs
Special system files (registry, cron)
Email archives, printer spools
Administrative settings
Data Analysis Techniques
File restoration techniques (FAT, NTFS):
By hand with a hex editor
Specialty tools like Norton Undelete
Forensics software like EnCase, FTK
Mount the drive on a UNIX system and use UNIX tools (e.g. Fatback for FAT volumes)
Data Analysis Techniques: UNIX systems
With a hex editor, edit the link count of the deleted inode back to a nonzero value; e2fsck then finds an inode that is not referenced by any directory and links it into lost+found.
debugfs can relink an inode into a directory (such as lost+found) on ext2.
This works on ext2 because a deleted inode keeps its block pointers; ext3 zeroes them on deletion, so there the data must be carved from unallocated space instead.
Data Analysis Techniques
Deleted files are overwritten if:
The drive is wiped (e.g. with the wipe utility that is part of the PGP suite)
New files are created on the partition
New software is installed on the partition
Running applications update the partition
The partition holds the %systemroot% directory and Windows modifies it for internal housekeeping
The partition contains the web browser cache
The volume contains the TEMP directory, pagefile.sys or hiberfil.sys
The system is shut down or started up
Data Analysis Techniques
Free, slack and unallocated space:
Use a hex editor
Use a specialty tool that generates a file by appending all slack and free space
Use a forensics tool
Free: outside of any partition. Slack: allocated, but unused overhang between the logical end of a file and the end of its last cluster; it still holds whatever the cluster contained before. Unallocated: clusters inside a partition not assigned to any current file, which is where deleted files live until they are reused.
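As an added example (not from the slides), the following Python computes how much slack a file has and carves it from a raw volume image. The 512-byte cluster size, the cluster chain and the image contents are constructed in memory; on a real image the chain comes from the FAT or the NTFS data run.

```python
CLUSTER_SIZE = 512  # assumed cluster size of the constructed volume


def slack_bytes(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between a file's logical end and the end of its last cluster.
    A file that exactly fills its clusters (or is empty) has no slack."""
    if logical_size == 0:
        return 0
    remainder = logical_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def carve_slack(image: bytes, cluster_chain: list, logical_size: int,
                cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack region of a file whose data occupies the given
    clusters (cluster numbers in allocation order). Only the last cluster
    of a file can hold slack."""
    n = slack_bytes(logical_size, cluster_size)
    if n == 0:
        return b""
    end = (cluster_chain[-1] + 1) * cluster_size
    return image[end - n:end]


def build_image() -> tuple:
    """Constructed 8-cluster volume: an old (now deleted) 1024-byte file
    filled clusters 2-3; a new 600-byte file was later allocated the same
    two clusters, so the old file's tail survives in the new file's slack."""
    old = (b"OLD SECRET MEMO: wire transfer to account 12345 " * 40)[:2 * CLUSTER_SIZE]
    image = bytearray(8 * CLUSTER_SIZE)
    image[2 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = old
    new = b"N" * 600
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(new)] = new
    return bytes(image), [2, 3], len(new)


if __name__ == "__main__":
    img, chain, size = build_image()
    slack = carve_slack(img, chain, size)
    print(f"{slack_bytes(size)} bytes of slack:", slack[:48])
```

The carved region is exactly the part of the old file that the new 600-byte file did not overwrite, which is why slack is searched separately from allocated content.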
Data Analysis Techniques
First task: generate a database of all files, recording for each:
Full path
MAC dates and times (modified, accessed, created)
Logical size of the file
MD5 hash (to detect evidence deterioration: any later change to a file changes its hash)
Use the MD5 hashes to exclude well-known files (operating system and application binaries, e.g. from the NIST NSRL hash sets) from the investigation. MD5 collisions can be constructed, so modern practice records a second hash (SHA-1 or SHA-256) alongside it.
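An added example (not part of the slides) of building that database in Python and filtering it against a known-file hash set. The evidence tree, its file contents and the "known" hash set are constructed in a temporary directory; a real run would walk a read-only mounted duplicate and use a published hash set.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in one pass for every requested algorithm."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def inventory(root):
    """One row per regular file: relative path, MAC times (UTC), logical
    size and hashes. Timestamps are taken with lstat before the file is
    opened for hashing, because reading a file can update its atime."""
    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            row = {"path": os.path.relpath(path, root), "size": st.st_size,
                   "mtime": iso(st.st_mtime), "atime": iso(st.st_atime),
                   "ctime": iso(st.st_ctime)}
            row.update(hash_file(path))
            rows.append(row)
    return sorted(rows, key=lambda r: r["path"])


def exclude_known(rows, known_md5):
    """Drop files whose MD5 is in a known-good set (an NSRL-style list)."""
    return [r for r in rows if r["md5"] not in known_md5]


def make_sample_tree():
    """Constructed evidence tree (stand-in contents, not real binaries)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    files = {
        "WINNT/system32/notepad.exe": b"MZ stand-in for a known OS binary",
        "WINNT/system32/nc.exe": b"MZ stand-in for a tool the OS does not ship",
        "Documents/plan.txt": b"meet at the warehouse at 2am",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    known = {hashlib.md5(files["WINNT/system32/notepad.exe"]).hexdigest()}
    return root, known


if __name__ == "__main__":
    root, known = make_sample_tree()
    for row in exclude_known(inventory(root), known):
        print(row["path"], row["size"], row["mtime"], row["md5"])
```

Only the two files that are not in the known set survive the filter; everything the investigator looks at afterwards is drawn from that reduced list, and the stored hashes let the report show the files were unchanged since the inventory was taken.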
Data Analysis Techniques
Prepare the drive for string searches. Forensics tools do this automatically. Proprietary formats need to be dealt with: compressed files need to be uncompressed, encrypted files need to be decrypted, and Windows stores many strings as UTF-16 rather than ASCII, so a plain ASCII search misses them.
Perform string searches. On UNIX, use grep (on the raw image or on the read-only mounted duplicate). Forensics tools preprocess forensic duplicates (they index the image once so later searches are fast).
Perform string searches: the "how" is easier than the "what". Investigator and analyst need to work together: "What are we looking for?" "What information do we need?"
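An added example, not from the slides, of the kind of search a forensics tool performs on the raw duplicate: each keyword is looked up in both ASCII and UTF-16LE and reported with its byte offset and sector. The 4 KiB image and its contents are constructed so the example runs offline.

```python
import re

SECTOR = 512


def keyword_hits(image: bytes, keywords, context: int = 16):
    """Search a raw image for each keyword in both ASCII and UTF-16LE
    (the encoding Windows uses for registry data, NTFS names and many
    application strings). Returns hits sorted by byte offset."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                lo = max(0, m.start() - context)
                hits.append({
                    "keyword": kw,
                    "encoding": enc,
                    "offset": m.start(),
                    "sector": m.start() // SECTOR,
                    "context": image[lo:m.end() + context],
                })
    return sorted(hits, key=lambda h: h["offset"])


def build_image() -> bytes:
    """Constructed 4 KiB image: an ASCII fragment (as from a text file)
    and a UTF-16LE path (as from an MRU registry value), otherwise zeros."""
    image = bytearray(4096)
    ascii_part = b"meet at the warehouse at 2am"
    image[100:100 + len(ascii_part)] = ascii_part
    utf16_part = "C:\\Users\\bob\\Warehouse plan.doc".encode("utf-16-le")
    image[2000:2000 + len(utf16_part)] = utf16_part
    return bytes(image)


if __name__ == "__main__":
    for h in keyword_hits(build_image(), ["warehouse"]):
        print(f"sector {h['sector']} offset {h['offset']} {h['encoding']}: {h['context']!r}")
```

A grep for the ASCII keyword alone would find only the first hit; the second one, the path inside a registry value, is visible only to the UTF-16LE search.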
Data Analysis Techniques
Example: the hard drive of a robbery suspect contains numerous references to his "little excursions".
To tie the suspect to the computer, establish that the suspect alone used it by: finding personal pictures (look for jpg files), restoring old emails, restoring chat sessions.
http://www.signonsandiego.com/news/metro/santana/20010312-9999_1n12compute.html
Data Analysis Techniques: What to look for
Email is a primary source of evidence. Email in transit is protected by the ECPA (Electronic Communications Privacy Act) and other statutes. Examining email after transmission (stored on the seized machine) is treated similarly to a search of files.
Data Analysis Techniques: What to look for
Print spooler files. Typically deleted right after printing, but they might not have been overwritten yet.
Data Analysis Techniques: What to look for
Web cache evidence: all web browsers cache. Some delete the cache files after the session closes.
Ex.: United States v. Tucker: The government introduced Internet conversations taken from Tucker's computer which showed that while he was looking for pictures he stated that he was into "young action" and would "like to start trading (3)27" and introduced a listing of Internet conversations documenting Tucker's trading of such images.
United States Court of Appeals, Eleventh Circuit, No. 97-2767
Data Analysis Techniques: What to look for
Swap files / virtual memory files can be very large. Use forensics tools like EnCase. Alternatively: hex editors, Norton Disk Commander (under Windows).
Windows Data Analysis
Perform keyword searches. Review logs. Review the registry. Review swap files. Review special application files: Internet cache, Recycle Bin, printer spool, email files.
Windows Data Analysis: Text Searches
Raw data level: BinText (Foundstone), Disk Investigator (K. Soloway), SectorSpyXP (McCamy, Lexun Freeware)
Forensics tools: EnCase, FTK, Maresware
Windows Data AnalysisLogs
Windows NT, 2000, XP maintain log files
System Log Application Log Security Log
![Page 25: COEN 152/252 Computer Forensics](https://reader034.vdocuments.site/reader034/viewer/2022052317/56813437550346895d9b292c/html5/thumbnails/25.jpg)
Windows Data AnalysisLogs
Live System:
Use Event Viewer
![Page 26: COEN 152/252 Computer Forensics](https://reader034.vdocuments.site/reader034/viewer/2022052317/56813437550346895d9b292c/html5/thumbnails/26.jpg)
Windows Data AnalysisLogs Event Viewer Event Viewer
![Page 27: COEN 152/252 Computer Forensics](https://reader034.vdocuments.site/reader034/viewer/2022052317/56813437550346895d9b292c/html5/thumbnails/27.jpg)
Windows Data AnalysisLogs
Event Log Dump Use PsLogList (sysinternal) dumpel (Win2000 Resource Kit)
![Page 28: COEN 152/252 Computer Forensics](https://reader034.vdocuments.site/reader034/viewer/2022052317/56813437550346895d9b292c/html5/thumbnails/28.jpg)
Windows Data AnalysisLogs
From forensics duplicate secevent.evt appevent.evt sysevent.evt
![Page 29: COEN 152/252 Computer Forensics](https://reader034.vdocuments.site/reader034/viewer/2022052317/56813437550346895d9b292c/html5/thumbnails/29.jpg)
Windows Data AnalysisLogs
Drawbacks Default security logging is “no
logging”. Do not record IP addresses Application log uses localized
settings.(Forensics workstation will not interpret
these.)
Windows Data Analysis: Logs
Internet Information Services (IIS) has its own set of logs, using the W3C extended log file format by default (under %SystemRoot%\System32\LogFiles\ on IIS 5).
Logging needs to be enabled. More important for incident response than for law enforcement.
Get HTTP status codes, client IP addresses and the requested URIs from these logs.
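As an added example (not from the slides), a small parser for the W3C extended format that pulls out status codes and the clients that generate many errors. The log text is constructed; the hosts and requests in it are fictitious.

```python
from collections import Counter

# Constructed IIS 5 log in W3C extended format (no real hosts or users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-13 23:10:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-05-13 23:10:12 10.10.10.10 GET /default.htm - 200 Mozilla/4.0
2003-05-13 23:10:13 10.10.10.10 GET /admin/ - 404 Mozilla/4.0
2003-05-13 23:10:13 10.10.10.10 GET /backup/ - 404 Mozilla/4.0
2003-05-13 23:10:14 10.10.10.10 GET /cgi-bin/ - 404 Mozilla/4.0
2003-05-13 23:10:20 10.10.10.10 POST /upload.asp - 500 Mozilla/4.0
2003-05-13 23:11:02 192.168.1.5 GET /index.htm - 304 Mozilla/4.0
"""


def parse_w3c(text: str):
    """Parse W3C extended log text. '#Fields:' directives define the
    columns (they can change mid-file after a service restart); '-' is an
    empty field. Returns one dict per request line."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        rows.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return rows


def status_summary(rows):
    """Count HTTP status codes, the first thing to pull from these logs."""
    return Counter(r["sc-status"] for r in rows)


def noisy_clients(rows, min_errors: int = 3):
    """Clients with many 4xx/5xx responses: scanners and failed attacks."""
    errors = Counter(r["c-ip"] for r in rows if r["sc-status"][0] in "45")
    return {ip: n for ip, n in errors.items() if n >= min_errors}


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(dict(status_summary(rows)))
    print(noisy_clients(rows))
```

Times in IIS logs are recorded in UTC by default, which must be reconciled with the local timestamps of files when building a timeline.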
Windows Data Analysis: Logs
Many other applications log, e.g. host-based (personal) firewalls.
Create your own log (a timeline) from the timestamps of files around critical times. FileList (www.forensics-intl.com) will do this for you.
Windows Data Analysis: Reviewing Relevant Files
Recycle Bin: folder Recycled in Win95/98, folder Recycler in WinNT/2000/XP (with one subfolder per user SID).
Date and time of deletion are kept in the system file INFO in Win95 and INFO2 in Win98; the same information is available in Win2000 and WinXP (INFO2 in the user's Recycler subfolder).
Windows moves a deleted file into the Recycle Bin (renaming it to D<drive letter><index>.<ext>) and deletes it from there when the bin is emptied. Thus files can be retrieved from deleted Recycle Bin entries, and their INFO2 records keep the original path and the deletion time.
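An added example, not from the slides, that parses the Windows 2000/XP INFO2 layout (20-byte header, 800-byte records: 260-byte ASCII original path, record index, drive number, deletion time as a 64-bit FILETIME, physical size, UTF-16LE original path). The INFO2 contents are constructed in the same layout; the reading of a zeroed ASCII path as "restored or purged" is the convention used by rifiuti-style tools and is an assumption here.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20
RECORD_SIZE = 800  # Windows 2000/XP INFO2 record size


def filetime_to_datetime(ft: int) -> datetime:
    """64-bit count of 100 ns intervals since 1601-01-01 UTC -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_info2(data: bytes):
    """Return (version, records) for an INFO2 file."""
    version, = struct.unpack_from("<I", data, 0)
    record_size, = struct.unpack_from("<I", data, 12)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {record_size}")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive = struct.unpack_from("<II", rec, 260)
        ft, = struct.unpack_from("<Q", rec, 268)
        size, = struct.unpack_from("<I", rec, 276)
        unicode_path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        # Assumption (rifiuti convention): a zeroed ASCII path means the
        # entry was restored or purged from the bin but its slot remains.
        purged = ascii_path == "" and unicode_path != ""
        path = unicode_path or ascii_path
        name = path.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        drive_letter = chr(ord("a") + drive)   # 0 = A:, 2 = C:
        records.append({
            "index": index,
            "drive": drive_letter,
            "original_path": path,
            "recycled_name": f"D{drive_letter}{index}{ext}",
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "purged": purged,
        })
    return version, records


def build_info2() -> bytes:
    """Constructed INFO2 with one record, in the layout parsed above."""
    path = "C:\\Documents and Settings\\bob\\My Documents\\plan.doc"
    deleted = datetime(2003, 5, 13, 23, 11, 45, tzinfo=timezone.utc)
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<II", 3, 2)                    # index 3, drive C:
    rec += struct.pack("<Q", datetime_to_filetime(deleted))
    rec += struct.pack("<I", 24576)                    # physical size
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    return header + rec


if __name__ == "__main__":
    for r in parse_info2(build_info2())[1]:
        print(r["recycled_name"], r["deleted"].isoformat(), r["original_path"])
```

The same FILETIME conversion applies to every other 64-bit Windows timestamp an examiner meets, registry key LastWrite times included.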
Windows Data Analysis: Reviewing Relevant Files
$LogFile (an NTFS metadata file with its own MFT entry) contains the journal of all file system transactions.
Deletion of a file leaves several entries in $LogFile.
It is not unusual to find names of files that are no longer on the disk; this shows that the file was used by the system.
Windows Data Analysis: Reviewing Relevant Files
Shortcuts (.lnk files) can contain relevant information: the target path and the target's timestamps.
Stored in the Desktop folder, among others.
A special agent of the Illinois Attorney General's Office investigated a case involving child pornography. The agent located a shortcut file in the Windows/Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting child pornography to be displayed on the computer's monitor when the shortcut was activated. Casey, p. 153
Windows Data Analysis: Reviewing Relevant Files
Thumbs.db (system file) contains thumbnail pictures for the images in a folder. It is not perfectly synchronized with the folder, so thumbnails of deleted images might still be available.
Windows Data Analysis: Reviewing Relevant Files
Temporary files: files with the extension .tmp, created by many applications.
Emails with large attachments: the attachments are probably stored as temp files (depends on the email system).
Look for files with the extension .tmp.
Windows Data Analysis: Reviewing Relevant Files
Internet Explorer (as well as other browsers) uses a cache.
index.dat contains the Internet Explorer cache index (URLs, timestamps and the names of the cached files). It is written in binary; use Pasco from Foundstone to parse it.
Browser cache locations:
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
or C:\Program Files\Netscape\Users\Username\Cache
Windows Data Analysis: Reviewing Relevant Files
Cookies can be partially deciphered. Use Galleta from Foundstone.
Typically, concatenate all cookie files, redirect Galleta's output into an Excel file, and investigate the spreadsheet.
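An added example, not from the slides and not Galleta's code, that decodes the Internet Explorer text cookie layout Galleta reports: per cookie, the lines name, value, host/path, flags, expiry (low, high 32 bits), creation (low, high), then a "*" line, with the two halves forming a FILETIME. The cookie file is constructed and the site and values are fictitious; the layout is taken as an assumption.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """64-bit count of 100 ns intervals since 1601-01-01 UTC -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def split_filetime(dt: datetime):
    """FILETIME as the (low, high) 32-bit halves the cookie file stores."""
    ft = ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return ft & 0xFFFFFFFF, ft >> 32


def parse_ie_cookie_file(text: str, source: str = ""):
    """Parse one IE cookie text file (assumed layout, see above)."""
    cookies = []
    for block in text.split("*\n"):
        lines = block.strip("\n").split("\n")
        if len(lines) < 8:
            continue
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = lines[:8]
        expires = filetime_to_datetime((int(exp_hi) << 32) | int(exp_lo))
        created = filetime_to_datetime((int(cre_hi) << 32) | int(cre_lo))
        cookies.append({"file": source, "name": name, "value": value,
                        "site": site, "flags": int(flags),
                        "created": created, "expires": expires})
    return cookies


def to_tsv(cookies) -> str:
    """Tab-separated output, the form you would redirect into a spreadsheet."""
    head = "file\tsite\tname\tvalue\tcreated\texpires\tflags"
    rows = [f"{c['file']}\t{c['site']}\t{c['name']}\t{c['value']}\t"
            f"{c['created'].isoformat()}\t{c['expires'].isoformat()}\t{c['flags']}"
            for c in cookies]
    return "\n".join([head] + rows)


def build_cookie_file() -> str:
    """Constructed cookie file with two cookies for a fictitious site."""
    created = datetime(2003, 5, 13, 23, 10, 0, tzinfo=timezone.utc)
    expires = datetime(2004, 5, 13, 23, 10, 0, tzinfo=timezone.utc)
    c_lo, c_hi = split_filetime(created)
    e_lo, e_hi = split_filetime(expires)

    def record(name, value):
        return (f"{name}\n{value}\nwww.example.com/\n1536\n"
                f"{e_lo}\n{e_hi}\n{c_lo}\n{c_hi}\n*\n")
    return record("SESSID", "abc123") + record("lang", "en")


if __name__ == "__main__":
    print(to_tsv(parse_ie_cookie_file(build_cookie_file(), "bob@example[1].txt")))
```

The creation time is the forensic value here: it places the user at that site at a definite moment, independent of any browser history that may have been cleared.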
Windows Data Analysis: Reviewing Relevant Files
Dial-up networking: rasautou -s lists the autodial addresses.
Windows Data Analysis: Registry
A database that stores settings and options for the 32-bit Windows operating systems.
Contains information and settings for hardware, software, users and preferences.
Hive files: Win95/Win98: USER.DAT, SYSTEM.DAT in the Windows directory. WinME: USER.DAT, SYSTEM.DAT, CLASSES.DAT. WinNT/2000/XP: in %SystemRoot%\System32\Config (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT), plus NTUSER.DAT in each user's profile directory.
Use RegEdit to access it. Before experimentation, make a backup of the registry.
Hierarchical structure: the main branches (root keys) are backed by the hives. Hives contain keys; keys can contain subkeys and values.
Windows Data Analysis: Registry
Six main branches:
HKEY_CLASSES_ROOT - contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
HKEY_CURRENT_USER - links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
HKEY_LOCAL_MACHINE - contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.
HKEY_USERS - contains individual preferences for each user of the computer; each user is represented by a SID subkey located under the main branch.
HKEY_CURRENT_CONFIG - links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
HKEY_DYN_DATA - points to the part of HKEY_LOCAL_MACHINE used by the Plug-and-Play features of Windows; this section is dynamic and changes as devices are added to and removed from the system. (Win95/98/ME only; it does not exist on NT-based systems.)
Windows Data Analysis: Registry
Registry Editor can import and export registry settings to and from a text (.reg) file.
Copy the registry hive files from the forensic duplicate to your forensic workstation and load them into RegEdit (File > Load Hive, with HKEY_USERS or HKEY_LOCAL_MACHINE selected), which attaches them as a separate branch. Importing a .reg file instead merges its contents into the workstation's own registry.
IF YOU MESS UP THE REGISTRY, YOU NEED TO REBUILD YOUR SYSTEM.
Windows Data Analysis: Registry
In a recent investigation by the Los Angeles County Sheriff's Computer Crime Unit, a detective investigated an employee suspected of misappropriating confidential computer information stored by his company. When the detective examined one of the workplace computers, he found remnants of a key-trapping program in the registry. During an interview, the suspect admitted to having installed, used, and deleted the key-trapping program for the purposes of obtaining user names and passwords of coworkers.
Windows Data Analysis: Registry
Use the registry to:
Find installed software (such as L0phtCrack). http://www.l0phtcrack.com/learn.html
Find manually deleted software: uninstall entries and file type associations usually survive a manual deletion.
Use backups of the registry to trace the installation and uninstallation of software.
Find data on user accounts.
Windows Data Analysis: Registry
Use the registry to:
Obtain a listing of applications that are set to run automatically.
Obtain registry entries that have been modified lately: registry keys have a LastWrite time, a 64-bit value counting 100-nanosecond intervals since January 1, 1601 (UTC), the FILETIME format used throughout Windows. Only keys carry a LastWrite time; individual values do not, so a changed value is dated by its parent key.
Review user accounts.
Windows Data Analysis: MS Word files
Word documents contain a revision log (and other metadata such as author names). Used by Richard M. Smith to investigate a press release by PM Blair. It turned out that the press release was mainly a copy of a Middle East Review of International Affairs article.
.pdf, .html, ... files generated from .doc files do not carry this revision history.
Windows Data Analysis: .pdf files
.pdf files also contain metadata, accessible in Adobe Reader (Document Properties).
Windows Data Analysis: Unusual or Hidden Files
NTFS borrowed a feature from the Macintosh Hierarchical File System to store multiple data streams under one file entry: "alternate data streams" (ADS).
They allow hiding a file:
copy nc.exe logo.jpg:nc.exe
Now nc.exe is hidden: the size and contents of logo.jpg as shown by Explorer and dir are unchanged. Use SFind (Foundstone) to find streamed files; later Windows versions also list streams with dir /R and with Sysinternals Streams. Streams are lost when the file is copied to a FAT volume or sent by email, so a missing stream on the copy is not proof it never existed on the original.
http://www.securityfocus.com/infocus/1822 Excellent article on the use of ADS as a compromise tool.
Windows Data Analysis: Print Spooler Files
Print spooler files (EMF under Windows). EMF files are deleted after printing.
"Gap-Toothed Bandit" Michael Craig Dickman used proceeds from bank robberies to support his struggling biotech start-up. Arrested after a heist in La Jolla in 1999; the San Diego RCFL found the demand notes as a deleted EMF file on his laptop.
Data Analysis Techniques: What to look for
Print spooling uses temporary files that contain the data to be printed and data on the print job.
Two methods, RAW and EMF:
Shadow file .SHD: information on the print job settings.
.SPL (RAW): contains the data to be printed.
.SPL (EMF): contains the file name, the method, and the list of files with the print data, EMF****.TMP.
Ref: [MS-EMFSPOOL]: Enhanced Metafile Spool Format Specification; [MS-EMF]: Enhanced Metafile Format Specification
Data Analysis Techniques: What to look for
Department of Consumer Affairs in Orange County, CA, arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer. When the examiners requested a second review from the California Department of Insurance, Fraud Division, the Computer Forensics Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive were the enhanced metafiles. The defendant was convicted at trial. Casey, p. 163
Windows Data Analysis: Rogue Processes
To find rogue processes on a duplicate image:
Restore the file system from the image.
Disable writing to the restored volume.
Run antivirus software over it (with writing disabled the scanner cannot quarantine or alter what it finds).
Windows Data Analysis: Find Hidden Doors
Scheduled events as backdoors:
remote /s "cmd.exe" mysystem
remote is a command from the NT Resource Kit; /s starts the server side, which exposes cmd.exe on the named pipe "mysystem".
remote /c "cmd.exe" mysystem
/c is the client side; it allows connecting with a command prompt from outside the system.
An intruder can schedule this with the at or soon utility. at (with no arguments) lists any jobs that have been sc1heduled.
Windows Data Analysis: Review last searches
Use AFind (Foundstone) to look for the last few files accessed.
Look at the Find scroll box (the history of the search dialog); it is kept in a registry entry.
Windows Data Analysis: Review Most Recently Used
Windows registry MRU (most recently used) subkeys record recently opened documents, typed commands and save locations.
UNIX Data Analysis
Review all pertinent logs. Perform keyword searches. Review relevant files. Identify unauthorized user accounts or groups. Identify rogue processes. Check for unauthorized access points. Analyze trust relationships. Check for kernel module rootkits.
UNIX Data Analysis: Logs
UNIX maintains a variety of logs. An intruder with root could have changed them, but you still need to look at them. They are placed in directories that depend on the UNIX flavor: /var/log, /usr/adm, /var/adm.
syslog is controlled by /etc/syslog.conf and implemented by syslogd. It can be used to log remotely.
UNIX Data Analysis: Logs
Look at syslog.conf. Each line has three fields:
Facility: the subsystem that produced the message (e.g. mail, auth, kern, cron)
Priority: debug, info, notice, warning, err, crit, alert, emerg (a selector matches its priority and everything more severe)
Action: how the message is recorded, typically the name of a log file, or @hostname to forward it to a remote syslog server
UNIX Data Analysis: Logs
Log entries are plain ASCII text, usually world-readable and only writable by root.
Remote syslog server logs: attackers with root privileges can change the local logs, so use a remote syslog server for safety. An attacker can still add spurious entries to the remote syslog (classic syslog is unauthenticated UDP), so harden the remote syslog server and compare both copies.
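An added example (not from the slides) that reads a syslog.conf the way an examiner does: which facilities are forwarded off-host, and which are silently discarded. The configuration text is constructed in classic syslogd syntax; the host name in it is fictitious.

```python
# Constructed /etc/syslog.conf in classic (pre-rsyslog) syntax.
SAMPLE_CONF = """\
# Log anything of level info or higher, except mail and authpriv.
*.info;mail.none;authpriv.none        /var/log/messages
authpriv.*                            /var/log/secure
mail.*                                -/var/log/maillog
cron.*                                /var/log/cron
*.emerg                               *
kern.*                                /dev/null
*.*                                   @loghost.example.com
"""


def parse_syslog_conf(text: str):
    """Return one dict per rule: selectors as (facility, priority) pairs
    and the action classified as file / remote / users / pipe / discard."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selector_part, action = parts
        selectors = []
        for sel in selector_part.split(";"):
            facilities, priority = sel.rsplit(".", 1)
            for fac in facilities.split(","):      # kern,mail.crit style
                selectors.append((fac, priority))
        if action.startswith("@"):
            kind = "remote"
        elif action.startswith("|"):
            kind = "pipe"
        elif action.lstrip("-") == "/dev/null":
            kind = "discard"
        elif action.startswith(("/", "-/")):       # leading '-' = no fsync
            kind = "file"
        else:
            kind = "users"                         # '*' or a user list
        rules.append({"selectors": selectors, "action": action.lstrip("-"),
                      "kind": kind})
    return rules


def remote_targets(rules):
    """Hosts that receive a copy of the logs: where to look when the
    local files may have been edited by the intruder."""
    return {r["action"][1:] for r in rules if r["kind"] == "remote"}


def discarded_facilities(rules):
    """Facilities explicitly thrown away, a simple way to hide activity."""
    return {fac for r in rules if r["kind"] == "discard"
            for fac, _prio in r["selectors"]}


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    print("remote:", remote_targets(rules))
    print("discarded:", discarded_facilities(rules))
```

A kern.* rule pointing at /dev/null on a machine whose owner did not put it there is itself a finding, and the remote host named by the @ rule is where an untampered copy may still exist.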
UNIX Data Analysis: Logs
TCP Wrappers: host-based access control for TCP and UDP services started through inetd. Every connection attempt, accepted or refused, is logged via syslog:
May 13 23:11:45 victim sshd[12528]: ROOT LOGIN REFUSED FROM www.scu.edu
May 13 23:19:03 victim in.tftpd[524]: connect from 10.10.10.10
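An added example, not from the slides, that parses syslog lines of this shape and extracts the connection events: the two lines above plus constructed lines in the same format (the addresses and services are fictitious).

```python
import re
from collections import Counter

# The two lines from the slide plus constructed lines in the same format.
SAMPLE_LINES = [
    "May 13 23:11:45 victim sshd[12528]: ROOT LOGIN REFUSED FROM www.scu.edu",
    "May 13 23:19:03 victim in.tftpd[524]: connect from 10.10.10.10",
    "May 13 23:19:40 victim in.telnetd[530]: refused connect from 10.10.10.10",
    "May 13 23:19:41 victim in.ftpd[531]: refused connect from 10.10.10.10",
    "May 13 23:20:02 victim CROND[540]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Classic syslog lines carry no year and no time zone; both must be taken
# from context (file mtime, system clock) when building a timeline.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SOURCE_RE = re.compile(r"(?:connect from|refused from) (\S+)", re.IGNORECASE)


def parse_line(line: str):
    """Split one syslog line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def wrapper_events(lines):
    """Events written by TCP Wrappers (and sshd's own refusal messages):
    the remote host and whether the connection was refused."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = SOURCE_RE.search(rec["msg"])
        if not src:
            continue
        events.append({"time": f"{rec['month']} {rec['day']} {rec['time']}",
                       "service": rec["prog"], "source": src.group(1),
                       "refused": "refused" in rec["msg"].lower()})
    return events


def refusals_by_source(events):
    """How many refused connections each remote host accumulated."""
    return Counter(e["source"] for e in events if e["refused"])


if __name__ == "__main__":
    evs = wrapper_events(SAMPLE_LINES)
    for e in evs:
        print(e)
    print(refusals_by_source(evs))
```

The accepted tftp connection from a host that was refused on other services is the line worth following: a refusal shows only that the host tried, the accepted connection shows a service it could actually reach.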
UNIX Data Analysis: Logs
Other network logs: server-specific logs, e.g. for FTP, Apache, SSH, ...
UNIX Data Analysis: Host Logging
su command logs: part of syslog, stored in /var/log/messages (or /var/log/auth.log, /var/log/secure, depending on the distribution).
Currently logged in users: stored in utmp (current sessions) and wtmp (login history). Use w, who, finger, last to read them. Modified by many hacker tools (log cleaners), so cross-check against other sources.
Logon attempt logs: recorded on most UNIX machines, in /var/log/messages on Linux.
cron allows users to schedule programs for future execution. Often used in attacks (to re-establish a backdoor after a reboot). Logged, typically in /var/cron/log (BSD) or /var/log/cron (Linux).
UNIX Data Analysis: User Activity Logging
Every command by every user can be logged (process accounting). Shells store history files for each user.
UNIX Data Analysis: Logging
An attacker who gains root access to the system may delete the .bash_history file and link it to /dev/null; the shell can then no longer log commands.
Look for the shell log:
[linuxbox]# ls -al
total 52
drwxr-x---  5 root root 4096 Dec 12 04:47 .
drwxr-x---  5 root root 4096 Dec  8 01:27 ..
-rw-------  1 root root  108 Dec 12 04:47 .XAuthority
-rw-r--r--  1 root root 1198 Aug 23 04:47 .XDefaults
lrwxrwxrwx  1 root tty     9 Dec  8 14:12 .bash_history -> /dev/null
UNIX Data Analysis: String Searches
grep: string search within a file, string search within a binary file, recursive searches.
# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
# grep PROMISC /sbin/ifconfig
Binary file /sbin/ifconfig matches
# grep -r -i password /
find: use it to search for a file by name, e.g. find "..." (a typical hacker trick to hide a file: a directory named with three dots is easy to overlook in an ls listing next to . and ..).
Found one:
# find / -name "..." -print
/home/hacker/MDAc/temp/...
/root/...
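An added example, not from the slides, that automates the two checks above (the .bash_history symlink and the dot-named hiding places) over a mounted home directory tree. The tree, its users and the hidden directory are constructed in a temporary directory; the names are fictitious.

```python
import os
import tempfile

HISTORY_FILES = {".bash_history", ".sh_history", ".history", ".zsh_history"}


def suspicious_name(name: str) -> bool:
    """Names that hide from a casual ls: only dots and blanks ('...', '. ')
    or containing control characters (backspaces, newlines)."""
    return name.strip(". \t") == "" or any(ord(ch) < 32 for ch in name)


def triage(root: str):
    """Walk a (read-only mounted) tree and report shell history files that
    cannot record anything, plus hidden-looking names. Uses lstat only, so
    symlinks are examined rather than followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if suspicious_name(name):
                findings.append((rel, "name made of dots/blanks or control chars"))
            if name in HISTORY_FILES:
                if os.path.islink(path):
                    findings.append((rel, f"history is a symlink -> {os.readlink(path)}"))
                elif not os.path.isfile(path):
                    findings.append((rel, "history is not a regular file"))
                elif os.lstat(path).st_size == 0:
                    findings.append((rel, "history file is empty"))
    return sorted(findings)


def build_tree() -> str:
    """Constructed /home: alice is normal; hacker's history points at
    /dev/null and a '...' directory hides a tool."""
    root = tempfile.mkdtemp(prefix="home_")
    os.makedirs(os.path.join(root, "alice"))
    with open(os.path.join(root, "alice", ".bash_history"), "w") as fh:
        fh.write("ls\nvi report.txt\n")
    hidden = os.path.join(root, "hacker", "MDAc", "temp", "...")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "sniffer"), "w") as fh:
        fh.write("placeholder\n")
    os.symlink("/dev/null", os.path.join(root, "hacker", ".bash_history"))
    return root


if __name__ == "__main__":
    for rel, issue in triage(build_tree()):
        print(f"{rel}: {issue}")
```

Run against the duplicate rather than the live system, because os.walk on a live box would itself update directory access times.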
UNIX Data Analysis: Relevant Files
Finding relevant files after an incident is an art.
Be careful about destroying evidence by running system commands that change access times.
Mount the evidence drive read-only (and noatime) or, better, work on a duplicate.
Identify the time of the incident. Look for files accessed, created or modified around that time. Use find with the -atime, -ctime and -mtime options (in days; GNU find adds -amin, -cmin and -mmin for minutes). Note that ctime is the inode change time, not the creation time, and unlike atime and mtime it cannot be set with touch, so a file whose mtime was backdated still shows a recent ctime.
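An added example (not from the slides) that builds the MAC timeline and windows it around an incident time, the programmatic form of the find commands above and of the "log from timestamps around critical times" idea in the Windows section. The tree and its timestamps are constructed; the incident time is taken as thirty days before now.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def mac_timeline(root: str):
    """Every (timestamp, kind, relative path) triple for regular files
    under root, where kind is 'm' (content modified), 'a' (accessed) or
    'c' (inode changed: permissions, owner, link count or rename)."""
    events = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            events += [(st.st_mtime, "m", rel), (st.st_atime, "a", rel),
                       (st.st_ctime, "c", rel)]
    return sorted(events)


def around(events, incident: float, window: float):
    """Events within +/- window seconds of the incident (epoch seconds)."""
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, rel)
            for ts, kind, rel in events if abs(ts - incident) <= window]


def reference_incident() -> float:
    """Constructed incident time: thirty days before now."""
    return time.time() - 30 * 86400


def build_tree(incident: float) -> str:
    """Constructed tree: one file touched a minute after the incident, one
    ten days earlier, and one whose mtime was backdated by a year. All
    three keep a ctime of 'now', which utime cannot alter."""
    root = tempfile.mkdtemp(prefix="evidence_")
    spec = {"etc/passwd": incident + 60,
            "home/alice/notes.txt": incident - 10 * 86400,
            "usr/bin/ls": incident - 365 * 86400}
    for rel, ts in spec.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed content\n")
        os.utime(full, (ts, ts))   # sets atime and mtime, never ctime
    return root


if __name__ == "__main__":
    t0 = reference_incident()
    root = build_tree(t0)
    for row in around(mac_timeline(root), t0, 3600):
        print(row)
```

The window around the incident catches only etc/passwd, while a window around the present catches the ctime of all three files, including the backdated one: that mismatch between a plausible old mtime and a fresh ctime is what gives a timestomped file away.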

UNIX Data Analysis: Relevant Files: SUID Programs
UNIX allows applications to set the user-id (SUID) and set the group-id (SGID).
Such programs run with the privileges of their owner, typically root.
These programs are the source of most privilege escalation attacks.

UNIX Data Analysis: Relevant Files: SUID Programs
Sometimes unprivileged users need to accomplish tasks that require high privileges.
For example, passwd needs to access the password file in /etc/passwd.
But users should not be given access to /etc/passwd.

UNIX Data Analysis: Relevant Files: SUID Programs
User invokes passwd.
passwd changes its UID (with SUID).
passwd now runs with root UID.
passwd can now access the password file.

UNIX Data Analysis: Relevant Files: SUID Programs
You recognize these programs with ls -l.
The file permissions have an s instead of an x.
-rwsr-xr-- SUID program
-rwxr-sr-- SGID program

UNIX Data Analysis: Relevant Files: SUID Programs
SECURITY INCIDENT EXAMPLE
Superuser is logged on as root and leaves the terminal unattended.
Someone creates a SUID shell. Anyone invoking /tmp/break-acct gets root privileges.
# cp /bin/sh /tmp/break-acct
# chmod 4755 /tmp/break-acct

UNIX Data Analysis: Relevant Files: SUID Programs
Old Break-in
/usr/lib/preserve is used by the vi and ex editors to make an automatic backup of the file being edited when the user suddenly disconnects.
preserve writes the file changes to a temp file in a special directory.

UNIX Data Analysis: Relevant Files: SUID Programs
preserve uses /bin/mail to send the user a notification that the file has been saved.
This temp file should not be world-accessible.
Thus, preserve needs root privileges.

UNIX Data Analysis: Relevant Files: SUID Programs
preserve was installed as SUID root.
preserve ran /bin/mail as root.
preserve executed the mail program with the system function call.
system uses sh to parse the string that it executes.

UNIX Data Analysis: Relevant Files: SUID Programs
Problem: The shell variable IFS tells sh how to interpret white space.
Normally white space is space, tab, newline, etc.
The attacker sets white space to "/".

UNIX Data Analysis: Relevant Files: SUID Programs
Attacker runs vi. Attacker crashes the system. preserve runs.
system interprets /bin/mail as "bin mail".
Thus, it executes any program called bin with the argument mail, as root.

UNIX Data Analysis: Relevant Files: SUID Programs
Find all SUID and SGID programs with the following command:
find starts in /.
It looks for files with permission bits 002000 (SGID) or 004000 (SUID).
Know what to expect.
# find / \( -perm -004000 -o -perm -002000 \) -type f -print

UNIX Data Analysis: Relevant Files: Hidden Files
Ways to hide "bad" files:
By giving them innocuous names.
By giving them a name similar to a reasonable name: " syslog" vs. "syslog".
By calling a directory "..." ("." is the current directory, ".." the parent directory).
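The checks from the last few slides (files named "...", names that only differ from legitimate ones by whitespace, the SUID/SGID bits the find command reports, the time window around the incident, and a history file linked to /dev/null as in the ls -al listing earlier) can be run in one pass over a read-only mounted evidence tree. The script below is an added example written for these notes, not part of the course material; it uses os.lstat so nothing is opened and access times are not disturbed, and the evidence tree it walks is a small constructed one built in a temporary directory for demonstration.

```python
import os
import stat
import tempfile
import time

# Shell history files an intruder may redirect to /dev/null.
HISTORY_FILES = {".bash_history", ".sh_history", ".history", ".zsh_history"}


def perm_string_flags(perms):
    """Read an ls -l permission string such as '-rwsr-xr--'.

    Returns (suid, sgid). A lowercase 's' means the bit is set together with
    execute; an uppercase 'S' means it is set without execute, which is odd
    enough to deserve a look on its own.
    """
    if len(perms) != 10:
        raise ValueError("expected a 10-character ls -l permission string")
    return (perms[3] in "sS", perms[6] in "sS")


def triage_walk(root, incident_time=None, window_seconds=3600):
    """Walk an evidence tree and return sorted (tag, path) findings.

    Tags: suid / sgid (same bits as -perm -004000 / -002000), dotdotdot (a
    name that is literally '...'), odd-name (leading/trailing whitespace or
    control characters), history-devnull (history file symlinked to
    /dev/null), time-window (atime/ctime/mtime near incident_time).
    Symlinks are examined with lstat, never followed.
    """
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if name == "...":
                findings.add(("dotdotdot", path))
            if name != name.strip() or any(ord(c) < 32 for c in name):
                findings.add(("odd-name", path))
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) and name in HISTORY_FILES:
                if os.readlink(path) == "/dev/null":
                    findings.add(("history-devnull", path))
            if stat.S_ISREG(st.st_mode):
                if st.st_mode & stat.S_ISUID:
                    findings.add(("suid", path))
                if st.st_mode & stat.S_ISGID:
                    findings.add(("sgid", path))
            if incident_time is not None:
                for t in (st.st_atime, st.st_ctime, st.st_mtime):
                    if abs(t - incident_time) <= window_seconds:
                        findings.add(("time-window", path))
                        break
    return sorted(findings)


def build_sample_tree():
    """Construct a tiny fake evidence tree (not a real image) in a temp dir."""
    root = tempfile.mkdtemp(prefix="evidence-")
    os.makedirs(os.path.join(root, "home", "hacker", "temp", "..."))
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "root"))
    os.makedirs(os.path.join(root, "var", "log"))
    shell = os.path.join(root, "tmp", "break-acct")   # the SUID shell from the incident example
    with open(shell, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(shell, 0o4755)
    os.symlink("/dev/null", os.path.join(root, "root", ".bash_history"))
    for name in ("syslog", " syslog"):                # look-alike name with a leading space
        with open(os.path.join(root, "var", "log", name), "w") as f:
            f.write("constructed sample\n")
    return root


def triage_sample():
    """Run the walk over the constructed tree; return {(tag, relative path)}."""
    root = build_sample_tree()
    found = triage_walk(root, incident_time=time.time(), window_seconds=300)
    return {(tag, os.path.relpath(path, root)) for tag, path in found}


if __name__ == "__main__":
    for tag, rel in sorted(triage_sample()):
        print(f"{tag:16} {rel}")
```

On a real drive, point triage_walk at the mount point of the read-only image and at the incident time taken from the logs; the time-window tag is only as trustworthy as the timestamps, which is why the slides insist on not running commands against the original.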

UNIX Data Analysis: Relevant Files: Configuration Files
Primary target for a hacker who wants to keep access.
/etc/hosts.allow and /etc/hosts.deny determine the access policy.
/etc/inetd.conf controls network services.

UNIX Data Analysis: Relevant Files: Configuration Files
Add an entry to inetd.conf:
Simple backdoor that listens on port 55000.
Same telnet server as the one for port 23.
Port 55000 might not be monitored.
telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd

UNIX Data Analysis: Relevant Files: cron
The cron facility is used to schedule future executions of programs.
/var/spool/cron or /usr/spool/cron stores the cron jobs.
/etc/rc.d contains the programs that start when UNIX boots.
Check all startup scripts for trojans.

UNIX Data Analysis: Phone Home
Outgoing traffic is usually not monitored.
A compromised system uses cron to initiate a connection to an outside system.
The outside system can then control the compromised system.
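The inetd.conf backdoor and the cron "phone home" job above are both things a reviewer can flag mechanically. The following added example (written for these notes, not from the course) audits the two files: for inetd.conf it resolves each service name through an /etc/services table the way inetd does (note that the telnet2 line only works if telnet2 is mapped to 55000 in /etc/services, so that file is worth checking too), reports a server bound to a port other than its well-known one, and reports one server binary offered under several service names; for a crontab it reports jobs that invoke network clients or run from world-writable directories. The /etc/services excerpt, the inetd.conf lines and the crontab are constructed samples.

```python
import re

# Constructed /etc/services excerpt: service name -> port, as inetd resolves it.
SERVICES = {"ftp": 21, "telnet": 23, "smtp": 25, "finger": 79, "pop3": 110, "telnet2": 55000}
# Well-known port each server binary is expected to sit on.
EXPECTED_PORT = {"in.ftpd": 21, "in.telnetd": 23, "in.fingerd": 79, "ipop3d": 110}
# Client programs that have no business in a scheduled job on most servers.
NETWORK_TOOLS = {"nc", "netcat", "ncat", "telnet", "ssh", "rsh", "curl", "wget", "ftp", "tftp"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""

CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /var/tmp -mtime +7 -delete
*/10 * * * * /usr/bin/curl -s http://outside.example/beacon >/dev/null 2>&1
@reboot /tmp/.x/keep
"""


def parse_inetd_conf(text):
    """Split inetd.conf into dicts; comments, blank and short lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        entries.append({"service": fields[0], "socket": fields[1], "proto": fields[2],
                        "wait": fields[3], "user": fields[4], "server": fields[5],
                        "args": fields[6:]})
    return entries


def audit_inetd(text, services=SERVICES):
    """Return (service, reason) findings for an inetd.conf."""
    findings = []
    by_program = {}
    for e in parse_inetd_conf(text):
        # Behind the tcpd wrapper the real server is the first argument.
        program = e["args"][0] if e["server"].endswith("/tcpd") and e["args"] else e["server"]
        base = program.rsplit("/", 1)[-1]
        by_program.setdefault(base, []).append(e["service"])
        port = services.get(e["service"])
        expected = EXPECTED_PORT.get(base)
        if port is None:
            findings.append((e["service"], "service name not in /etc/services; inetd cannot bind it"))
        elif expected is not None and port != expected:
            findings.append((e["service"], f"{base} bound to port {port}, expected {expected}"))
    for base, names in by_program.items():
        if len(names) > 1:
            findings.append((",".join(names), f"{base} served under {len(names)} service names"))
    return findings


def audit_crontab(text):
    """Return (schedule, command, reason) findings for a crontab."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                      # environment assignment such as PATH=...
            continue
        if first.startswith("@"):             # @reboot, @hourly, ...
            schedule, command = first, line[len(first):].strip()
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        words = re.split(r"[\s;|&()]+", command)
        tools = sorted({w.rsplit("/", 1)[-1] for w in words} & NETWORK_TOOLS)
        if tools or "/dev/tcp/" in command:
            findings.append((schedule, command, "network tool: " + ",".join(tools or ["/dev/tcp"])))
        if any(d in command for d in WRITABLE_DIRS):
            findings.append((schedule, command, "runs from world-writable directory"))
    return findings


if __name__ == "__main__":
    for f in audit_inetd(INETD_CONF) + audit_crontab(CRONTAB):
        print(f)
```

The well-known-port table is deliberately small; on a real system compare every entry against the baseline inetd.conf and /etc/services of a known-good install of the same release rather than against a hand-made list.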

UNIX Data Analysis: Relevant Files: Startup
User home directories contain startup files:
.login .profile .cshrc

UNIX Data Analysis: Relevant Files: /tmp
Only world-writable file system on a typical UNIX system.
Hangout for nefarious tools.

UNIX Data Analysis: User Accounts
Each user has an entry in /etc/passwd:
dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash
Fields: user name, password (shadowed), user id, group id, comment field, home directory, default login shell.

UNIX Data Analysis: User Accounts
/etc/group defines groups:
root::0:root,tschwarz
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
The last field lists the user names that are members of the group.

UNIX Data Analysis: User Accounts
If suspicious of compromise, investigate user accounts and group accounts.

UNIX Data Analysis: Checking for Unauthorized Access Points
Investigate all network services for potential access points:
X-server, FTP, Telnet, DNS, Sendmail, finger, SNMP, IMAP, POP, HTTP, HTTPS

UNIX Data Analysis: Analyzing Trust Relationships
If machine A trusts machine B, then anyone on machine B can access services on machine A.
Don't set up trust relationships. They allow an attacker to escalate privileges to other machines.
Check files such as /etc/hosts.equiv or .rhosts.
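"Investigate user accounts and group accounts" and "check /etc/hosts.equiv or .rhosts" reduce to a few concrete questions: which accounts have uid 0, which share a uid, which have an empty password field, who besides root is in group root, and which trust files contain the "+" wildcard that trusts every host or every user. The script below is an added example written for these notes, not course code; the passwd, group and trust-file contents are constructed samples that reuse the dvader and group lines from the slides, with a second uid-0 account and a passwordless account added to show what the checks catch.

```python
# Constructed sample files (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash
toor:x:0:0:backup admin:/:/bin/sh
svc::513:513:service account:/var/svc:/bin/sh
"""
GROUP = """\
root::0:root,tschwarz
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
"""
TRUST_FILES = {
    "/etc/hosts.equiv": "+\n",
    "/home/dvader/.rhosts": "deathstar.example dvader\n+ +\n",
}


def parse_passwd(text):
    """Return a list of dicts, one per well-formed 7-field passwd line."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if not line.strip() or line.startswith("#") or len(f) != 7:
            continue
        users.append({"name": f[0], "passwd": f[1], "uid": int(f[2]), "gid": int(f[3]),
                      "gecos": f[4], "home": f[5], "shell": f[6]})
    return users


def parse_group(text):
    """Return {group name: {"gid": int, "members": [names]}}."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 4:
            continue
        groups[f[0]] = {"gid": int(f[2]), "members": [m for m in f[3].split(",") if m]}
    return groups


def audit_accounts(passwd_text, group_text):
    """Return (subject, reason) findings for passwd and group contents."""
    findings = []
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    by_uid = {}
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "uid 0 account other than root"))
        if u["passwd"] == "":
            findings.append((u["name"], "empty password field (no password required)"))
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(names), f"share uid {uid}"))
    for member in groups.get("root", {}).get("members", []):
        if member != "root":
            findings.append((member, "member of group root"))
    return findings


def audit_trust(files):
    """Return (path, reason) findings for hosts.equiv / .rhosts contents.

    Each line is 'host [user]'; a '+' in either position is a wildcard.
    """
    findings = []
    for path, text in files.items():
        for line in text.splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            host = fields[0]
            user = fields[1] if len(fields) > 1 else None
            if host == "+":
                findings.append((path, "any host trusted" + (" for any user" if user == "+" else "")))
            elif user == "+":
                findings.append((path, f"any user on {host} trusted"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PASSWD, GROUP) + audit_trust(TRUST_FILES):
        print(f)
```

On a live image, read /etc/passwd, /etc/group and /etc/hosts.equiv from the mounted evidence and walk every home directory listed in passwd for a .rhosts file; a trust file owned by someone other than the account itself is a further sign worth recording.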

UNIX Data Analysis: Analyzing Trust Relationships
Network topology routes data through other computers.
Sniffing (esp. for passwords) is even possible in a switched environment: arpredirect in dsniff.

UNIX Data Analysis: Loadable Kernel Modules
LKMs can be dynamically loaded with root-level access.
Used to let a hacker maintain access.
Examples: Adore, Knark, Itf.

UNIX Data Analysis: Loadable Kernel Modules
They trojan the system utilities that would be used to detect them.
Look for discrepancies between internal and external scans.
Detection tools are available.
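The "internal versus external scan" check is a comparison of two views of the same host: what the (possibly trojaned) utilities on the machine report as listening, and what a scanner on another machine sees. The example below is added for these notes and is not course code; it parses a constructed netstat-style listing and a constructed nmap-style port list (the hidden port 55000 echoes the inetd backdoor from earlier) and separates the ports that agree from the ones the host cannot see, which is the discrepancy a kernel-level rootkit produces.

```python
import re

# Constructed sample output, not captured from a real host.
INTERNAL_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
"""
EXTERNAL_NMAP = """\
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
55000/tcp open  unknown
"""


def parse_netstat_listeners(text):
    """Return {port: bound address} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)
            listeners[int(port)] = addr
    return listeners


def parse_nmap_open(text):
    """Return the set of TCP ports an external scan reports as open."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def compare_scans(internal_text, external_text):
    """Classify ports by whether the host view and the network view agree.

    hidden_from_host: reachable from outside but absent from the host's own
    listing, the signature of a hidden listener.
    loopback_only: bound to 127.x only, so correctly invisible from outside.
    not_reachable: bound to a routable address but not seen by the scanner
    (filtered by a firewall, or the scan was incomplete).
    """
    inside = parse_netstat_listeners(internal_text)
    outside = parse_nmap_open(external_text)
    inside_ports = set(inside)
    return {
        "hidden_from_host": sorted(outside - inside_ports),
        "loopback_only": sorted(p for p, a in inside.items()
                                if p not in outside and a.startswith("127.")),
        "not_reachable": sorted(p for p, a in inside.items()
                                if p not in outside and not a.startswith("127.")),
        "consistent": sorted(outside & inside_ports),
    }


if __name__ == "__main__":
    for k, v in compare_scans(INTERNAL_NETSTAT, EXTERNAL_NMAP).items():
        print(f"{k:17} {v}")
```

A port in hidden_from_host is not proof of a kernel module by itself (a trojaned netstat binary produces the same symptom), which is why the slides recommend running the internal listing from known-good, statically linked tools as well.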