
Lerman, Adam 1 Cook, Joseph Mallon, James INFO 710 Term-Project Draft 2 Due: 08/26/2009

Executive Summary / Statement of Project Goal Our goal for this project was to perform a Windows Live Incident Response to determine whether or not Mr. Liar, the V.P. of Finance of Company ABC, was involved in a corporate scandal, possibly embezzling money in addition to violating company policy. In doing so, we attempted to gather any relevant information from the system that would help to determine whether an incident actually took place, and, if so, to conclude whether or not Mr. Liar was involved. We carried out a number of commands using various tools on a Virtual Machine we created to serve as a mock system used by Mr. Liar, with the intent of acquiring the necessary data to be scrutinized and analyzed. Volatile data that we anticipated to be analyzed included the system date and time, current network connections, open TCP or UDP ports, the executables that were opening the ports, the cached NetBIOS name table, currently logged in users, the internal routing table, processes and services running, scheduled jobs, open files, and process memory dumps. Nonvolatile data included the system version and patch level, file system time and date stamps, registry data, auditing policy, login history, system event logs, user accounts, and files that looked suspicious. Upon completion of the examination, we have produced a formal report to document our procedures and what was found throughout the investigation in reference to the CFO, Mr. Begood’s, request.


Windows Live Response Acquisition

Table of Contents

1. Introduction / Reason for Examination ... 3
2. Documentation ... 3
3. Digital Forensics Process ... 4
   a. Preparation ... 4
   b. Collection ... 5
   c. Examination ... 5
   d. Analysis ... 5
   e. Report ... 5
4. Examination of Volatile Data ... 6
   a. The System Date and Time ... 6
   b. Current Network Connections ... 6
   c. Open TCP and UDP Ports ... 7
   d. Executables Opening Ports ... 7
   e. Cached NetBIOS Name Table ... 8
   f. Users Currently Logged On ... 9
   g. The Internal Routing Table ... 9
   h. Running Processes ... 10
   i. Running Services ... 10
   j. Scheduled Jobs ... 11
   k. Open Files ... 11
   l. Process Memory Dumps ... 11
   m. Full System Memory Dumps ... 12
5. Examination of Nonvolatile Data ... 12
   a. System Version and Patch Level ... 12
   b. File System Time and Date Stamps ... 12
   c. Registry Data ... 13
   d. The Auditing Policy ... 13
   e. A History of Logins ... 13
   f. System Event Logs ... 13
   g. User Accounts ... 14
   h. IIS Logs ... 14
   i. Suspicious Files ... 14
6. Analysis ... 15
7. Report of Examination / Conclusion ... 16
APPENDIX A: Documentation ... 17
APPENDIX B: Results ... 23
APPENDIX C: Formal Report Letter ... 37

1. Introduction / Reason for Examination

The Windows Live Incident Response is conducted as a result of a potential malicious or criminal event occurring on a computer running the Microsoft Windows operating system. Instead of confiscating the computer, removing it from operation and replacing it with another one, a live investigation can be performed. The intent is to gather any relevant information from the system that may help to determine whether an incident actually took place, and by whom. Data taken from the investigation can be volatile, meaning that it would be lost if the computer was powered off, or it may be nonvolatile. The latter refers to data that is recorded, such as system event logs. A live response also includes information such as current network connections, processes that are presently running, and files that are currently open.

The reason behind this particular Live Incident Response was to examine a computer used by the V.P. of Finance for Company ABC, who may be involved in a corporate scandal. For the last 3 quarters, there have been some financial irregularities noticed by the CFO, Mr. Johnny Begood, in which contractors stated that they had not been paid, while financial records showed they were. In addition, pornographic images had accidentally been stumbled upon on Mr. Liar’s computer by his administrative assistant, and it is our hope to determine whether or not Mr. Liar has been violating company policy by viewing and storing obscene pictures.

2. Documentation

When dealing with forensic evidence it is of utmost importance to routinely document ongoing practices. A number of forms were brought to the live acquisition investigation to be filled in and filed on permanent record. The following details the types of documents used and the information contained therein, copies of which can be found in Appendix A. Although we were not given full possession of the items described, it is necessary to retain this information to ensure the integrity of the investigation by documenting the access we obtained and the systems which may have been affected by this.

a) Evidence worksheets – when given a piece of evidence such as a hard drive, information about this item should be documented on a new evidence worksheet. For instance, information that should be recorded about a hard drive includes:
• Make
• Model
• Serial number
• Evidence tag number
• Shape and size
• Storage capacity
• Jumper settings

b) System worksheets – if evidence is contained within a computer system, information about the system itself should be recorded here:
• Make
• Model
• Serial number
• Media evidence tags
• Expansion cards
• Peripheral connections
• Physical location

c) Agent notes worksheet – this should be used throughout the investigation and should include any relevant information about the investigation. One column should list the date and time of the event and the corresponding column will include the event, such as a conference call, shipment tracking number, relevant finding, etc.

d) Chain of Custody Form – this is used to record possession of the evidence including:
• Case number
• Evidence tag number(s)
• Contents
• Acquired by
• Date
• Source individual
• Source location
• Destination individual
• Destination location
• Transfer date

3. Digital Forensics Process

The digital forensics process refers to the sequence of steps carried out to perform the investigation, which may include the preparation, collection, examination, analysis, and reporting phases. These will be discussed as follows:

3a. Preparation

Before beginning the live acquisition process it is first necessary to be well prepared. This includes gathering the necessary forms to be used during the examination as discussed above, in addition to the proper tools. Since this was to be a live acquisition, the tools we used were not as expansive as they would have been if we were confiscating the system and deconstructing it to obtain a hard drive duplication. Instead, we used a variety of software tools included on boot disks, as will be discussed in the following sections. It was necessary to ensure that these tools were valid and to choose them according to the case.

3b. Collection

The collection phase involves searching for evidence, recognizing useful and potential information and sources, collecting the evidence, and documenting the steps. This is related to the steps taken to secure the system and hard drive, in addition to filling out the necessary paperwork listed in Appendix A. During this and the examination process it was imperative that we pay careful attention to not altering any evidence, as this may have been easy to do and would have invalidated the results.

3c. Examination

This phase is necessary to assist in ensuring the visibility of evidence, in addition to clarifying its origin and significance. The intent is to uncover hidden and obscured information and its relevant documentation. This is where we ran our open source software tools and attempted to reveal the hidden, deleted, and corrupted files including dates, times, logs, etc. When searching for evidence, we mainly focused on the hard drive and the volatile and nonvolatile information stored within. We were interested in obtaining the running processes, currently connected network users, etc. that could only be viewed while the system was powered on, in addition to the stored information that would have been available in a traditional duplication. This phase is detailed in sections four and five of this report.

3d. Analysis

The purpose of this step is to scrutinize the products of the examination to determine their significance and probative value to the case. We manually reviewed the material to help come to conclusions as to whether or not a crime took place and, if so, if Larry Liar was to blame. The details of this step are listed in section six of this report and our formal report and conclusion are in section seven.

3e. Report

This is part of section seven and outlines the relevant information allowing us to come to our conclusion of the case and tell Mr. Begood the news for which he hired us.

4. Examination of Volatile Data

Volatile data is information that would be lost when turning off or unplugging a computer that is currently running. This may include processes stored in the computer’s RAM, a list of computers currently connected to the network, open files, etc. and would not be available with traditional forensic duplication methods. Therefore, it is necessary to run a live response to obtain this data before powering down the computer. This type of data helps to determine the “who,” “how,” and hopefully “why” of the incident. The following subheadings provide brief information on the common volatile data topics and the processes used to examine them, in addition to what was found.

4a. The System Date and Time

Determining the correct time and date is essential to establishing a proper timeline for the sequence of events, and is also needed to study log files. We included the date and time of our investigation here, as well as the dates and times at which files were created or accessed, throughout the following sections of the report.

Examination Phase: The first step, and a very important one, is to start the forensic investigation process by determining the current date and time. This is done by issuing the ‘date’ and ‘time’ commands in the command prompt, respectively. The results were as follows:

The current date is: Sat 08/01/2009
The current time is: 15:20:45.09

These instances refer to the date and time that the investigation process commenced.

4b. Current Network Connections

This will be needed to observe any patterns of suspicious activity. This information will be necessary to determine if the machine has been compromised and if so, what impact the network intrusion has on our investigation. Information included will be the various raw IP addresses currently connected to the network, which may be determined by using the netstat command.

Examination Phase: At the command prompt, the ‘netstat -an’ command was run to determine all of the raw IP addresses connected to the network, as opposed to the Fully Qualified Domain Names (FQDN). The purpose was to help to determine whether an intruder was connected to the server at the time of the live response, in addition to whether or not he might be running a program on the Internet from this server. The following is the response that was obtained:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.163.128:139    0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1035           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1033         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.163.128:123    *:*
  UDP    192.168.163.128:137    *:*
  UDP    192.168.163.128:138    *:*
  UDP    192.168.163.128:1900   *:*

There were no active network connections found and the results obtained refer to open ports, which are discussed next.

4c. Open TCP and UDP Ports

These will be analyzed to discover if any backdoor programs are running on the network. We will analyze the open ports for any that we cannot identify, determining whether they have been legitimately opened or potentially opened by an attacker, such as Mr. Liar.

Examination Phase: The first two ports, TCP 0.0.0.0:135 and TCP 0.0.0.0:445, are normal Windows ports that are generally started when IIS and simple TCP/IP services are installed on the machine. The ports 0.0.0.0:445 and 0.0.0.0:1025 are ephemeral ports. Ports that could not be identified may potentially be legitimately open ports or ports with a backdoor attached. Since we cannot determine the intent of these open ports with only the use of netstat, it is necessary to determine which executables opened them, which will be discussed next.

4d. Executables Opening Ports

We will need to run additional tools, such as FPort, to link the .exe files to the associated ports in order to identify the ones that are unknown. This will allow us to see if any rogue programs are running suspiciously on the network.

Examination Phase: In order to perform this analysis, a tool named ‘FPort’ was run. The following details the results:

FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
928                  ->  135   TCP
4     System         ->  139   TCP
4     System         ->  445   TCP
1304                 ->  1029  TCP
0     System         ->  123   UDP
0     System         ->  137   UDP
0     System         ->  138   UDP
928                  ->  445   UDP
4     System         ->  500   UDP
1304                 ->  1025  UDP
0     System         ->  1033  UDP
4     System         ->  1035  UDP
0     System         ->  1900  UDP
0     System         ->  4500  UDP

None of these ports seem suspicious or lead us to any programs.
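Sections 4b through 4d describe the manual step of tying every listening port from ‘netstat -an’ to the process FPort reports for it. The following Python script is an added example (not part of the original report or its toolset) that does that join over the report's own netstat and FPort output and flags what an examiner would still have to resolve: ports FPort could not attribute to a named image (PIDs 928 and 1304 in the report's output, which would be checked against the pslist results of section 4h) and ports netstat lists that FPort never reported. The parsing rules and status labels are the example's own.

```python
"""Join 'netstat -an' listening sockets to FPort's process-to-port map.
Added example for this report (not the report's own tooling); the sample
text below is transcribed from sections 4b and 4d of the report."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple
# Transcribed from the report's 'netstat -an' output (section 4b).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.163.128:139    0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1035           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1033         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.163.128:123    *:*
  UDP    192.168.163.128:137    *:*
  UDP    192.168.163.128:138    *:*
  UDP    192.168.163.128:1900   *:*
"""
# Transcribed from the report's FPort output (section 4d). PIDs 928 and
# 1304 are listed there without an image name, reproduced as-is here.
FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
928                  ->  135   TCP
4     System         ->  139   TCP
4     System         ->  445   TCP
1304                 ->  1029  TCP
0     System         ->  123   UDP
0     System         ->  137   UDP
0     System         ->  138   UDP
928                  ->  445   UDP
4     System         ->  500   UDP
1304                 ->  1025  UDP
0     System         ->  1033  UDP
4     System         ->  1035  UDP
0     System         ->  1900  UDP
0     System         ->  4500  UDP
"""

class Socket(NamedTuple):
    proto: str
    local_addr: str
    port: int
    state: str        # "" for UDP rows, which netstat prints without a state

class PortOwner(NamedTuple):
    pid: int
    process: str      # "" when FPort printed no image name for the PID
    port: int
    proto: str

# Banner and column-header lines match neither pattern, so they are skipped.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
_FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S*?)\s*->\s+(\d+)\s+(TCP|UDP)")

def _rows(regex, text: str) -> List[tuple]:
    return [m.groups() for m in map(regex.match, text.splitlines()) if m]

def parse_netstat(text: str) -> List[Socket]:
    return [Socket(proto, addr, int(port), state or "")
            for proto, addr, port, state in _rows(_NETSTAT_RE, text)]

def parse_fport(text: str) -> List[PortOwner]:
    return [PortOwner(int(pid), proc, int(port), proto)
            for pid, proc, port, proto in _rows(_FPORT_RE, text)]

def correlate(sockets: List[Socket], owners: List[PortOwner]) -> List[dict]:
    """Join both listings on (proto, port); status is "ok" when FPort names
    the image, "unattributed" when it gives only a PID (check it against the
    pslist output), "unmapped" when FPort never reported the port at all."""
    addrs: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for s in sockets:                 # one port may be bound on several addresses
        addrs[(s.proto, s.port)].append(s.local_addr)
    by_key: Dict[Tuple[str, int], List[PortOwner]] = defaultdict(list)
    for o in owners:
        by_key[(o.proto, o.port)].append(o)
    rows = []
    for (proto, port), local in sorted(addrs.items()):
        matches = by_key.get((proto, port), [])
        if not matches:
            rows.append({"proto": proto, "port": port, "addrs": local,
                         "pid": None, "process": "", "status": "unmapped"})
        for o in matches:
            rows.append({"proto": proto, "port": port, "addrs": local,
                         "pid": o.pid, "process": o.process,
                         "status": "ok" if o.process else "unattributed"})
    return rows

def needs_follow_up(rows: List[dict]) -> List[dict]:
    """Rows an examiner must still account for before closing sections 4c/4d."""
    return [r for r in rows if r["status"] != "ok"]
```

Run on the report's data, `needs_follow_up` returns the four rows owned by PIDs 928 and 1304 (TCP 135, TCP 1029, UDP 445, UDP 1025), which is the list to reconcile against pslist before the "none of these ports seem suspicious" conclusion can be supported.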

4e. Cached NetBIOS Name Table

In operating systems prior to and including Windows 2003, the NetBIOS Name Table will be needed to map actual IP addresses for better identification by issuing certain commands such as nbtstat.

Examination Phase: The purpose of running the ‘nbtstat -c’ command is to map the NetBIOS name to an IP address in case the attacker was using Windows 2003 or prior and changed the NetBIOS name. This, however, will only show the cache, or fairly recent connections, and not a complete history. When issuing this command we obtained the following:

Node IpAddress: [192.168.163.128] Scope Id: []

    No names in cache

From this, we can see that there are no recent NetBIOS names in the cache.


4f. Users Currently Logged On

Running certain tools, such as PsLoggedOn, will tell us if anyone else is logged in to the system locally or remotely by tracing the connection to the proper port. This will depict the users currently utilizing the system or accessing the resource shares.

Examination Phase: Running the ‘PsLoggedOn’ command we obtained the following:

loggedon v1.33 - See who's logged on
Copyright © 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     Error: could not retrieve logon time
     NT AUTHORITY\LOCAL SERVICE
     Error: could not retrieve logon time
     NT AUTHORITY\NETWORK SERVICE
     8/1/2009 3:03:57 PM      INFO-BDEA0E299D\Administrator
     Error: could not retrieve logon time
     NT AUTHORITY\SYSTEM

No one is logged on via resource shares.

The only user shown logged on is the administrator, which is us.

4g. The Internal Routing Table

Analyzing this will help to determine if the route tables are redirecting traffic, potentially allowing the attacker to avoid a security device or capture unauthorized data. This may show the network destination, netmask, gateway, interface, etc.

Examination Phase: In order to inspect the routing table, we issued the ‘netstat -rn’ command. The following are our results:

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 b0 7d d0 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway         Interface  Metric
          0.0.0.0          0.0.0.0    192.168.163.2  192.168.163.128      10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.163.0    255.255.255.0  192.168.163.128  192.168.163.128      10
  192.168.163.128  255.255.255.255        127.0.0.1        127.0.0.1      10
  192.168.163.255  255.255.255.255  192.168.163.128  192.168.163.128      10
        224.0.0.0        240.0.0.0  192.168.163.128  192.168.163.128      10
  255.255.255.255  255.255.255.255  192.168.163.128  192.168.163.128       1
Default Gateway:     192.168.163.2
===========================================================================
Persistent Routes:
  None

This looks like a normal routing table with nothing suspicious.

4h. Running Processes

We will need to return the process table to see what a potential intruder is doing on the network. We can separate the system processes and those which were recently initiated, which will isolate the offending processes and provide a time frame.

Examination Phase: We ran the pslist utility to determine if there are any unfamiliar processes outside of the normal Windows system processes. This will assist us in determining if any rogue programs are running on the system and if any of these processes have placed the obscene images or any other files that may be the cause of the problem. Depending on the processes running, this could determine if a rogue program was used to set Mr. Liar up unbeknownst to him. A screen capture of the results can be found in Appendix B.

4i. Running Services

Returning a list of services that are currently running on the computer may help to determine any unauthorized or unfamiliar services. We will attempt to isolate any non-Windows services, in addition to looking for ones without descriptions for further identification to determine if an attacker is potentially hiding any programs.


Examination Phase: The psservice utility returns quite a lengthy response from the system. Since we are not looking for any service in particular it will take some time to review the output. One nice feature of the psservice utility is the description it provides for Windows services. This can be helpful in determining unfamiliar services. A screen capture of the results can be found in Appendix B.

4j. Scheduled Jobs

We will take a look at the scheduled jobs to see if there is anything unusual, potentially allowing an attacker to run commands when he is not physically on the system.

Examination Phase: To determine if any jobs are set to run that the user has not set up, we ran the ‘at’ command. The result of the command was “There are no entries in the list.” For now, we are confident that anyone with the potential of having unauthorized administrator access has not set anything to run that wouldn’t normally be detected by intrusion prevention software. A screen capture of the results can be found in Appendix B.

4k. Open Files

By revealing the open files we can look for words that can be used for mapping purposes if we can obtain the intruder’s machine.

Examination Phase: We ran the psfile utility to determine if there are any files opened remotely. The command returned the following: “No files opened remotely on INFO-BDEA0E299D”. If there were open files we could use this as an opportunity to find out the machine name of the intruder. A screen capture of the results can be found in Appendix B.

4l. Process Memory Dumps

We will attempt to analyze the memory space used by any executing process and determine what may have been running. This assists in acquiring volatile data that would be lost if the machine were powered down.

Examination Phase: We downloaded the latest version of userdump from Microsoft’s website. This version can be run on a Windows XP PC, which is the operating system used by Larry Liar. In order to preserve the integrity of the system we would map a network share so that the information from our userdump commands won’t be stored on the local system. The process ID information from running the pslist utility will be needed to run userdump so we can capture the proper information on any rogue service. Since we didn’t find any questionable services when we ran the pslist utility, we won’t need to run userdump. A screen capture of the results can be found in Appendix B.

4m. Full System Memory Dumps

This will enable the forensic investigator to gather all of the system memory to determine if any remnants from an intruder can be detected.

Examination Phase: To determine overall system memory we downloaded a tool called DD for Windows. Upon running the tool, no remnants of an intruder were detected due to the Auditing Policy not being turned on. If the Auditing Policy had been turned on, however, we would have had incriminating evidence in determining whether an intruder compromised the system, because it would have gone from a known "active" status to "disabled", which would have been due to an intruder covering his tracks.

5. Examination of Nonvolatile Data

Nonvolatile data is data that is useful to have and that a live response provides in an easily readable format, a format which may not be available once the computer is shut down. This data would still exist in a forensic duplication, but would generally be saved only as raw binary information once the computer is turned off.

5a. System Version and Patch Level

By determining which system version and security patches have been installed on the machine we will be able to narrow our investigation to the areas of high probability. This is going to enable us to see what vulnerabilities may be present.

Examination Phase: In order to determine the system version and the patch level we ran ‘psinfo -h -s -d’. The output indicates the PC is running Windows XP Service Pack 2 and has one hotfix installed: Q147222. We can further investigate additional vulnerabilities by researching hotfix Q147222. A screen capture of the results can be found in Appendix B.

5b. File System Time and Date Stamp

This will provide the investigation with evidence of the dates and times at which specific files were created. We can then use this information against building access dates and times to determine who was present.

Examination Phase: A list of files found is attached in the report labeled “File System Time and Date Stamp” in Appendix B. The files that were found to be relevant were “Company ABC Record” and “My Records”. Both of these files were created on 7/9/2009 by Larry Liar.

5c. Registry Data

This will provide detailed access to determine if any programs are running at startup that may be suspicious. The investigator can then do further research to determine what the program launches.

Examination Phase: After running RegDmp to obtain a copy of the system’s registry files, there were no signs of any programs running at startup to indicate that this machine was compromised in any way. An alternate check was also performed using the msconfig tool. All services listed were loaded according to company policy and scheduled to run at startup as normal.

5d. The Auditing Policy

By running a command such as auditpol, we can determine Company ABC’s auditing policy and see whether they have security-related logs enabled. This will allow us to see whether or not logins and other security-related events can be found.

Examination Phase: After performing the auditpol command to view security-related events, there were no indications or events generated from logins or other security-related events. Due to this information, a suggestion will be made for the company to implement an auditing policy that will capture this information on all machines throughout the organization.

5e. A History of Logins

If the auditing policy is enabled, we can see the previous login history to determine whether or not Mr. Liar was using the system and when, in regard to particular events in the timeline.

Examination Phase: After performing the NTLast command there were no records found to see which users have logged on to this particular system. This is due to the auditing policy not being implemented and enforced throughout the organization, as in 5d.

5f. System Event Logs

These provide details about the security event log (logons/logoffs), the application event log (generated from installed applications), and the system event log (device failures, IP conflicts, etc.).

Examination Phase: PsLoglist was used with the -s -x security, -s -x application, and -s -x system switches. No results were returned for the security list due to the auditing policy not being turned on. There were results for the application and system event logs, however, but since the output of the results was extensive and nothing was of any importance, only a brief excerpt is contained in Appendix B of this report as a sample. No evidence shows non-standard use of the system.

5g. User Accounts

Examination Phase: After running pwdump [-x] info-bdea0e299d [-o case1] the following results were returned of all accounts that have been created on this machine:

Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::

Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::

LARRYLIAR$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::

IUSR_LARRYLIAR:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account, Internet Server Anonymous Access::

The results show no unusual activity.

5h. IIS Logs

This will help to determine if a user gained access to the system through the IIS Web server. It will provide the date of each log, which will then show every activity of the Web server for that day.

Examination Phase: After reviewing the IIS Web Server log there was no report of any unauthorized access to the web server that would indicate that the target machine was attacked or in any way compromised. The output that was reviewed included the time, c-ip, cs-method, cs-uri-stem, and sc-status. Since the output of the results was so extensive and especially since nothing was of any importance, we chose to only include a brief excerpt of the output, which can be found in Appendix B.

5i. Suspicious Files


These files will be similar to startup processes. The investigator can check any processes running through task manager.

Examination Phase: There were no suspicious files running at startup or located in task manager. There were several email message files that were found and a text file. These files are located in Appendix B. The email files are screen captures and are called Larry Liar Email files.doc. These files were found using FTK 1.8.1 performing a data carve on all .dbx files, which are known Outlook Express files.

6. Analysis

This section serves to provide a summary of what was found during the investigation. It includes parts four through five of the topics above and may include data recovered, deleted files, important information discovered, etc. The purpose is to lay out the products of the examination phase to help determine their significance to the case and allow us to present the formal report and conclusion in the next section.

The System Date and Time: The examination took place on Saturday 08/01/2009 at 15:20:45.09.

Current Network Connections: There were no active network connections at the time of examination.

Open TCP and UDP Ports: The open TCP ports were 0.0.0.0:135, 0.0.0.0:445, and 0.0.0.0:1025.

Executables Opening Ports: The System process was found running on ports 139, 445, 123, 137, 138, 500, 1033, 1035, 1900 and 4500.

Cached NetBIOS Name Table: At the time of examination no NetBIOS names were found in the cache.

Users Currently Logged On: There were no users logged in besides Administrator.

The Internal Routing Table: The Network Destination was 192.168.163.0, the Netmask 255.255.255.0, the Default Gateway 192.168.163.2, and the Interface 192.168.163.128.

Running Processes: The pslist command determined that the processes running the longest were system, csrss, IEXPLORE, and svchost. In addition, the idle time on the PC was almost 49 hours.

Running Services: The services running at the time of examination were Telephony, Terminal Services, and Distributed Link Tracking Client. The services that were in a stopped state were MS Software Shadow Copy Provider, Performance Logs and Alerts, Telnet, and TP AutoConnect Service.

Scheduled Jobs: There were no scheduled jobs at the time of examination.

Open Files: There were no open files at the time of examination.

Process Memory Dumps: Userdump was not run since we didn’t find any questionable services when we ran the pslist utility command.

Full System Memory Dumps: Nothing was found due to the Auditing Policy not being activated.

System Version and Patch Level: Windows XP Service Pack 2 with one hotfix installed: Q147222.

File System Time and Date Stamp: Two files created by Larry Liar and verified on 7/9/2009, “Company ABC Record” and “My Records”.

Registry Data: No signs of system compromise.

The Auditing Policy: No policy active on system to capture relevant data.

A History of Logons: No auditing policy active on system to capture relevant data.

System Event Logs: No auditing policy active on system to capture relevant data.

User Accounts: Consist of Administrator, Guest, and Larry Liar only.

IIS Logs: No unauthorized user access was detected.

Suspicious Files: No suspicious files found in startup or task manager. However, incriminating e-mails were found to be sent by Larry Liar.

7. Report of Examination / Conclusion

Upon completing the forensic investigation, a formal report was written and sent to Mr. Begood with respect to our findings; a copy can be found in Appendix C. The results of our examination demonstrate that there was no intrusion or unauthorized access to the Company ABC computer network, and that only the administrators, including Mr. Begood and Mr. Liar, had access. We also found incriminating evidence against Mr. Liar, including company and personal records in addition to personal e-mails. Additionally, we recommend that the company turn on the Auditing Policy on the system and make auditing a scheduled event: a recurring job that checks the auditing status and turns auditing back on if it has been disabled.
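The scheduled auditing check recommended above, as an added PowerShell example that is not part of the report: it reads the effective audit policy with auditpol, re-enables any required subcategory found disabled, and records the outcome in the Application log. It assumes the auditpol.exe syntax of Windows Vista and later (the Windows XP SP2 host in the report ships the older Resource Kit auditpol, whose syntax differs); the subcategory list, event source, script path and task name are assumptions.

```powershell
# Added example, not the report's own procedure. Assumes auditpol.exe as shipped with
# Windows Vista and later; the XP SP2 host in the report would need the Resource Kit tool.
# Run from an elevated session, or register it as the scheduled task shown at the bottom.
param(
    # Subcategories to keep enabled (assumed list; extend to match your audit baseline).
    [string[]]$Required = @('Logon', 'Logoff', 'Security State Change', 'Audit Policy Change',
                            'User Account Management', 'Process Creation'),
    [switch]$CheckOnly   # report without changing anything
)

function Get-AuditPolicyState {
    # 'auditpol /get /category:* /r' prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory.Trim()
            Setting     = $row.'Inclusion Setting'.Trim()   # No Auditing | Success | Failure | Success and Failure
        }
    }
}

function Repair-AuditPolicy {
    param([string[]]$Subcategories, [switch]$CheckOnly)
    $state    = Get-AuditPolicyState
    $repaired = @()
    foreach ($name in $Subcategories) {
        $entry = $state | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        if (-not $entry) { Write-Warning "Subcategory '$name' not present in auditpol output"; continue }
        if ($entry.Setting -eq 'Success and Failure') { continue }
        Write-Output ("{0}: currently '{1}', enabling success and failure auditing" -f $name, $entry.Setting)
        if (-not $CheckOnly) {
            auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$name'"; continue }
        }
        $repaired += $name
    }
    # Leave a trace of the check in the Application log so a later investigator can see when
    # auditing was restored. The source must be registered once, elevated:
    #   New-EventLog -LogName Application -Source 'AuditPolicyCheck'
    $message = if ($repaired.Count -gt 0) { "Audit policy repaired for: $($repaired -join ', ')" } else { 'Audit policy check passed; all required subcategories enabled' }
    Write-EventLog -LogName Application -Source 'AuditPolicyCheck' -EventId 1000 `
        -EntryType Information -Message $message -ErrorAction SilentlyContinue
    return $repaired
}

Repair-AuditPolicy -Subcategories $Required -CheckOnly:$CheckOnly

# One-time registration as a daily task running as SYSTEM (ScheduledTasks module, Windows 8 /
# Server 2012 and later); the script path and task name are assumptions:
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#              -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-AuditPolicy.ps1'
#   $trigger = New-ScheduledTaskTrigger -Daily -At 03:00
#   Register-ScheduledTask -TaskName 'AuditPolicyCheck' -Action $action -Trigger $trigger `
#       -User 'SYSTEM' -RunLevel Highest
```

The event written on each run doubles as the "history of logons" evidence the report could not obtain: if the policy is ever found disabled again, the gap between two check events bounds when it happened.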


APPENDIX A

Documentation The following pages are copies of important documentation related to the Live Forensic Acquisition. These were filled out at the time of investigation and have subsequently been copied for permanent record.


Cook, Lerman, Mallon, Inc. Date: 6/26/09

Chain of Custody Form

Case # 123456

Description of Item: HP xw8400 Workstation
Date Initially Acquired: 6/26/09
Time Initially Acquired: 8:00am est
Where Initially Acquired: Company ABC, 123 Somewhere Lane, City, PA 19122
How Initially Acquired (personally, shipped?): Live Acquisition
From Whom Initially Acquired: Mr. Begood
Storage Location: Mr. Larry Liar’s Office
Printed Name of Person Transferring Item: Mr. Begood
Signature and Date of Transferring Person: Mr. Begood’s signature (6/26/2009)
Printed Name of Person Receiving Item: Cook, Lerman, Mallon
Signature and Date of Person Receiving Item: Our signatures (6/26/2009)
Remarks: Perform Live Windows Acquisition of Mr. Larry Liar’s HP xw8400 Workstation, sn: 987654aaa

Transfer of Custody: Computer will stay in Mr. Larry Liar’s Office for the completion of the forensic examination.
________________________________________________________________________
Date and Time of Transfer: 6/26/09, 9:15am est
Reason for Transfer: For the Cook, Lerman, Mallon, Inc. group to perform a Live Windows Acquisition.
Location of Transfer: Mr. Larry Liar’s Office
Printed Name of Person Transferring Item: Cook, Lerman, Mallon
Signature and Date of Transferring Person: Our signatures (6/26/2009)
Printed Name of Person Receiving Item: Mr. Begood
Signature and Date of Person Receiving Item: Mr. Begood’s signature (6/26/2009)
Remarks: Returning HP xw8400 Workstation to Mr. Begood’s possession.


Cook, Lerman, Mallon, Inc. Date: 6/26/09

Evidence Worksheet

Case # 123456

Description of Item: Hard drive retaining evidence, contained within the computer workstation detailed on the system worksheet (to follow)
Make and Model: 160 GB 7200 rpm SATA 3.0-Gb/s NCQ
Serial number: 0979NK-13102-06D-D6DM
Evidence tag number: CompanyABCTag1 (this evidence has not received an official evidence tag but has been given a tag number for reference)
Shape and size:
Jumper settings:
Notes: Because this was a live acquisition and the computer casing did not have to be opened to access the hard drive, the above information is not complete. We were, however, given certain information by the CFO, Mr. Begood, who obtained the computer records kept on file in the office on our behalf.
Examiner (Print Name): Cook, Lerman, Mallon________
Examiner Signature: Our signatures__________________
Date: 6/26/2009


Cook, Lerman, Mallon, Inc. Date: 6/26/09

System Worksheet

Case # 123456

Description of Item: Computer containing forensic evidence acquired during our investigation
Make and Model: HP xw8400 Workstation (RB368UT)
Serial number: DBSH20B
Evidence tag number: CompanyABCTag2
Drive bays, Expansion cards, Ports, etc.:
  Bays: Internal: 5 - 3.5-in; External: 3 - 5.25-in
  Slots: 1 PCIe; 3 PCI-X; 1 PCI
  Ports: Standard: 2 USB 2.0, 1 IEEE 1394, 1 microphone in, 1 audio out; Internal: 1 USB 2.0; Rear: 5 USB 2.0, 1 IEEE 1394, 1 serial, 1 parallel, 2 PS/2, 1 RJ-45, 1 audio in, 1 audio out
  Network: Integrated Broadcom 5752 Gigabit PCIe NIC
Peripheral connections: PS/2 scroll mouse, PS/2 standard keyboard, HP L1955 LCD Flat Panel Monitor
Physical location: Mr. Larry Liar’s office, 2nd floor administration, Company ABC, 123 Somewhere Lane, City, PA 19122. Computer is situated on a desk 2.5 ft. high x 4 ft. wide x 2 ft. deep in a single office used solely by Mr. Larry Liar
Dimensions: 8.3 x 20.7 x 17.9 in
Notes:
Examiner (Print Name): Cook, Lerman, Mallon________
Examiner Signature: Our signatures__________________
Date: 6/26/2009


Cook, Lerman, Mallon, Inc.

Agent Notes Worksheet

Case # 123456

Date/Time               Event
6/23/2009 3:34pm est    Call from Mr. Begood at Company ABC – discussion of potential incident and agreement to conduct investigation on the company’s behalf
6/24/2009 10:22am est   Call to Mr. Begood to confirm date and time of meeting
6/25/2009 4:53pm est    Checked forensic toolkit to ensure everything is in order for meeting tomorrow at Company ABC
6/26/2009 7:38am est    Met with Mr. Begood, discussed the case and signed paperwork
6/26/2009 8:00am est    Performed the live acquisition response
6/26/2009 9:03am est    Finished the live acquisition process and returned the computer to Mr. Begood’s possession


APPENDIX B

Results

4h. Running Processes


4i. Running Services (This is a partial return of the many services):


4j. Scheduled Jobs

4k. Open Files

4l. Process Memory Dumps


5a. System Version and Patch Level

5b. File System Time and Date Stamp

Company ABC Record

Date        Contractor   Payment         Processed
10/6/2009   DOD          1,000,000.00    Yes
11/6/2009   NASA         2,000,000.00    Yes
12/6/2008   CIA          1,000,000.00    Yes
1/6/2009    NSA          2,000,000.00    Yes
2/6/2009    USAR         1,000,000.00    Yes
3/6/2009    USMC         2,000,000.00    Yes
4/6/2009    USNR         1,000,000.00    Yes
5/6/2009    CDC          2,000,000.00    Yes
6/6/2009    DOD          1,000,000.00    Yes

My Records

Date        Contractor   Payment         Processed
10/6/2009   DOD          1,000,000.00    Yes
11/6/2009   NASA         2,000,000.00    Yes
12/6/2008   CIA          1,000,000.00    Yes
1/6/2009    NSA          2,000,000.00    no
2/6/2009    USAR         1,000,000.00    no
3/6/2009    USMC         2,000,000.00    no
4/6/2009    USNR         1,000,000.00    no
5/6/2009    CDC          2,000,000.00    no
6/6/2009    DOD          1,000,000.00    no

5f. System Event Logs

Application Log Events

These results have been cleaned up for easier viewing. No information has been changed, but this is only a sample of an extensive output.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Larry Liar>cd c:\

C:\>psloglist -s -x application

PsLoglist v2.70 - local and remote event log viewer
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

Application log on \\INFO-BDEA0E299D:
083,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/28/2009 12:54:01 PM,101,None,wuauclt (1052) The database engine stopped.
082,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/28/2009 12:54:01 PM,103,None,wuaueng.dll (1052) SUS20ClientDataStore: The database engine stopped the instance (0).
081,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/28/2009 12:49:00 PM,102,None,wuaueng.dll (1052) SUS20ClientDataStore: The database engine started a new instance (0).
080,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/28/2009 12:49:00 PM,100,None,wuauclt (1052) The database engine 5.01.2600.2180 started.
079,Application,SecurityCenter,INFORMATION,INFO-BDEA0E299D,7/28/2009 12:48:16 PM,1800,None,The Windows Security Center Service has started.
078,Application,VMTools,INFORMATION,INFO-BDEA0E299D,7/28/2009 12:48:14 PM,105,None,The service was started.
077,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/24/2009 9:36:27 AM,102,None,wuaueng.dll (2112) SUS20ClientDataStore: The database engine started a new instance (0).
076,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/24/2009 9:36:27 AM,100,None,wuauclt (2112) The database engine 5.01.2600.2180 started.
075,Application,SecurityCenter,INFORMATION,INFO-BDEA0E299D,7/24/2009 9:35:43 AM,1800,None,The Windows Security Center Service has started.
074,Application,VMTools,INFORMATION,INFO-BDEA0E299D,7/24/2009 9:35:41 AM,105,None,The service was started.
073,Application,MsiInstaller,INFORMATION,INFO-BDEA0E299D,7/14/2009 1:00:16 PM,11707,Larry Liar\INFO-BDEA0E299D,Product: Windows Resource Kit Tools -- Installation operation completed successfully.
072,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/14/2009 12:55:14 PM,101,None,wuauclt (256) The database engine stopped.
071,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/14/2009 12:55:14 PM,103,None,wuaueng.dll (256) SUS20ClientDataStore: The database engine stopped the instance (0).
070,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/14/2009 12:50:13 PM,102,None,wuaueng.dll (256) SUS20ClientDataStore: The database engine started a new instance (0).
069,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/14/2009 12:50:13 PM,100,None,wuauclt (256) The database engine 5.01.2600.2180 started.
068,Application,SecurityCenter,INFORMATION,INFO-BDEA0E299D,7/14/2009 12:49:28 PM,1800,None,The Windows Security Center Service has started.
067,Application,VMTools,INFORMATION,INFO-BDEA0E299D,7/14/2009 12:49:28 PM,105,None,The service was started.
066,Application,Windows Product Activation,INFORMATION,INFO-BDEA0E299D,7/14/2009 11:08:09 AM,1006,None,You have successfully activated your Windows product. Thank you.
065,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/14/2009 11:06:14 AM,102,None,wuaueng.dll (2036) SUS20ClientDataStore: The database engine started a new instance (0).
064,Application,ESENT,INFORMATION,INFO-BDEA0E299D,7/14/2009 11:06:14 AM,100,None,wuauclt (2036) The database engine 5.01.2600.2180 started.

5i. Suspicious Files

Windows Task Manager


Larry Liar Email Files

Message0001 Subject: Payments to Contractors

From: "Larry Liar" <[email protected]>

Date: Fri, 10 Jul 2009 13:06:57 -0400

To: <[email protected]>

Message Body

Larry,
I will be waiting to hear back from you, hopefully with good news.
Mr. Begood

From: [email protected]
Sent: 7/1/09
Mr. Begood,
I am still waiting to hear back from the bank about the payments to the contractors. Our records show that the checks were placed to each of them. I am anticipating their call no later than EOB Friday 7/3/09.
Thanks,
Larry Liar

Main Message Header

From: "Larry Liar" <[email protected]>
To: <[email protected]>
Subject: Payments to Contractors
Date: Fri, 10 Jul 2009 13:06:57 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0021_01CA015F.4DF47DF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Sub Header

Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Sub Header

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Message0001 Subject: Money well spent

From: "Larry Liar" <[email protected]>

Date: Thu, 9 Jul 2009 13:14:25 -0400

To: <Bad guy [email protected]>

Message Body

I sent the money that was supposed to go to the first contractor. Should be there soon. Wired through WU acct 12345.
Larry Liar

Main Message Header


From: "Larry Liar" <[email protected]>
To: <Bad guy [email protected]>
Subject: Money well spent
Date: Thu, 9 Jul 2009 13:14:25 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0003_01CA0097.2E6F2CA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Sub Header

Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Sub Header

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Message0001 Subject: Money well spent

From: "Larry Liar" <[email protected]>

Date: Thu, 9 Jul 2009 13:20:41 -0400

To: <[email protected]>

Message Body

LL, got the info, will let you know when I receive it and deposit into our acct at Bank of Bahama, acct 987654. hey, check out the pictures of these ladies when you get time: www.pornographicwebsite.com

From: [email protected]
Sent: sometime recently
I sent the money that was supposed to go to the first contractor. Should be there soon. Wired through WU acct 12345.
Larry Liar

Main Message Header


From: "Larry Liar" <[email protected]>
To: <[email protected]>
Subject: Money well spent
Date: Thu, 9 Jul 2009 13:20:41 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0019_01CA0098.0EE925B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Sub Header

Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Sub Header

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Message0002 Subject: Payments to Contractors

From: "Larry Liar" <[email protected]>

Date: Fri, 10 Jul 2009 13:02:31 -0400

To: <[email protected]>

Message Body

Mr. Begood,
I am still waiting to hear back from the bank about the payments to the contractors. Our records show that the checks were placed to each of them. I am anticipating their call no later than EOB Friday 7/3/09.
Thanks,
Larry Liar


Main Message Header

From: "Larry Liar" <[email protected]>
To: <[email protected]>
Subject: Payments to Contractors
Date: Fri, 10 Jul 2009 13:02:31 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000B_01CA015E.AF315580"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Sub Header

Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Sub Header

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Message0003 Subject: Book Flight ASAP

From: "Larry Liar" <[email protected]>

Date: Fri, 10 Jul 2009 13:09:28 -0400

To: <bad guy [email protected]>

Message Body

BG, book me a flight ASAP. The 5 other checks have been sent but I think Mr. Begood has caught on. Get me out now!
Larry Liar


Main Message Header

From: "Larry Liar" <[email protected]>
To: <bad guy [email protected]>
Subject: Book Flight ASAP
Date: Fri, 10 Jul 2009 13:09:28 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0040_01CA015F.A8039B50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Sub Header

Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Sub Header

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

5h. Web Server Logs

This is only a sample of an extensive list of output. No information has been changed.

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-09-23 22:50:59
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:50:59 95.16.3.23 GET /iisstart.asp 200
22:50:59 95.16.3.23 GET /pagerror.gif 200
22:51:17 95.16.3.79 GET /iisstart.asp 200
22:51:17 95.16.3.79 GET /Nikto-1.30-Y7hUN21Duija.htm 404
22:51:17 95.16.3.79 GET /iisstart.asp 200
22:51:17 95.16.3.79 GET /cgi.cgi/ 404
22:51:17 95.16.3.79 GET /webcgi/ 404
22:51:17 95.16.3.79 GET /cgi-914/ 404
22:51:17 95.16.3.79 GET /cgi-915/ 404
22:51:17 95.16.3.79 GET /bin/ 404
22:51:17 95.16.3.79 GET /cgi/ 404
22:51:17 95.16.3.79 GET /mpcgi/ 404
22:51:17 95.16.3.79 GET /cgi-bin/ 404
22:51:17 95.16.3.79 GET /cgi-sys/ 404
22:51:17 95.16.3.79 GET /cgi-local/ 404
22:51:17 95.16.3.79 GET /htbin/ 404
22:51:17 95.16.3.79 GET /cgibin/ 404
22:51:17 95.16.3.79 GET /cgis/ 404
22:51:17 95.16.3.79 GET /scripts/ 403
22:51:17 95.16.3.79 GET /cgi-win/ 404
22:51:17 95.16.3.79 GET /fcgi-bin/ 404
22:51:17 95.16.3.79 GET /iisstart.asp 200
22:51:17 95.16.3.79 GET /junk.php 404
22:51:17 95.16.3.79 GET /iisstart.asp 200
22:51:17 95.16.3.79 GET /robots.txt 404
22:51:18 95.16.3.79 OPTIONS / 200
22:51:18 95.16.3.79 GET /~root 404
22:51:18 95.16.3.79 TRACE / 200
22:51:18 95.16.3.79 GET /iisstart.asp 200
22:51:18 95.16.3.79 GET /iisstart.asp 200
22:51:18 95.16.3.79 GET / <script>alert(\"Vulnerable\")</script>.jsp 404
22:51:18 95.16.3.79 GET /"<script>alert("xss")</script> 404
22:51:18 95.16.3.79 GET /etc/passwd 404
22:51:18 95.16.3.79 GET /windows/win.ini 404
22:51:18 95.16.3.79 GET /</a><script>alert("xss")</script> 404
22:51:18 95.16.3.79 GET /</title><script>alert("xss")</script> 404
22:51:18 95.16.3.79 GET /<script>alert("xss")</script>/index.html 404
22:51:18 95.16.3.79 GET /?.jsp 404
22:51:18 95.16.3.79 GET /?.jsp 404
22:51:18 95.16.3.79 GET /&lt;script&gt;alert('Vulnerable');&lt;/script&gt; 404
22:51:18 95.16.3.79 GET /.%2e/.%2e/.%2e/winnt/boot.ini 404
22:51:18 95.16.3.79 GET /..%2f..%2f..%2f..%2f..%2f../windows/repair/sam 404
22:51:18 95.16.3.79 GET /..%2f..%2f..%2f..%2f..%2f../winnt/repair/sam 404
22:51:18 95.16.3.79 GET /..%2f..%2f..%2f..%2f..%2f../winnt/repair/sam._ 404
22:51:18 95.16.3.79 GET /..%5c..%5c..%5c..%5c..%5c../windows/repair/sam 404
22:51:18 95.16.3.79 GET /..%5c..%5c..%5c..%5c..%5c../winnt/repair/sam 404
22:51:18 95.16.3.79 GET /..%5c..%5c..%5c..%5c..%5c../winnt/repair/sam._ 404
22:51:18 95.16.3.79 GET /windows/repair/sam 404
22:51:18 95.16.3.79 GET /winnt/repair/sam 404
22:51:18 95.16.3.79 GET /winnt/repair/sam._ 404
22:51:18 95.16.3.79 GET /................../etc/passwd 404
22:51:18 95.16.3.79 GET /.../.../.../.../.../.../.../.../.../boot.ini 404
22:51:18 95.16.3.79 GET /etc/passwd 404
22:51:18 95.16.3.79 GET /webserver.ini 404
22:51:18 95.16.3.79 GET /temp\temp.class 404
22:51:18 95.16.3.79 GET /iisstart.asp 200
22:51:18 95.16.3.79 GET /.access 404
22:51:18 95.16.3.79 GET /.addressbook 404
22:51:19 95.16.3.79 GET /.bashrc 404
22:51:19 95.16.3.79 GET /.bash_history 404
22:51:19 95.16.3.79 GET /.cobalt/admin/.htaccess 404
22:51:19 95.16.3.79 GET /.forward 404
22:51:19 95.16.3.79 GET /.history 404
22:51:19 95.16.3.79 GET /.htaccess 404
22:51:19 95.16.3.79 GET /.htpasswd 404
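A defender's triage of the web server log sample above, as an added PowerShell example that is not part of the report: it parses the W3C-format lines, tags requests that match the probe patterns visible in the sample (scanner banner, CGI enumeration, path traversal, sensitive-file and XSS probes, TRACE/OPTIONS), and reports per client IP how many probes were answered with a non-error status, which are the ones to review first. The embedded lines are a constructed subset of the sample, and the field order is assumed from its #Fields line.

```powershell
# Added example, not part of the report: triage of W3C-format IIS log lines like the sample above.
# Field order assumed from the sample's #Fields line: time c-ip cs-method cs-uri-stem sc-status.
# The lines below are a constructed subset of the report's sample.
$SampleLog = @'
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:50:59 95.16.3.23 GET /iisstart.asp 200
22:50:59 95.16.3.23 GET /pagerror.gif 200
22:51:17 95.16.3.79 GET /Nikto-1.30-Y7hUN21Duija.htm 404
22:51:17 95.16.3.79 GET /cgi-bin/ 404
22:51:17 95.16.3.79 GET /scripts/ 403
22:51:18 95.16.3.79 TRACE / 200
22:51:18 95.16.3.79 GET / <script>alert(\"Vulnerable\")</script>.jsp 404
22:51:18 95.16.3.79 GET /..%2f..%2f..%2f..%2f..%2f../winnt/repair/sam 404
22:51:18 95.16.3.79 GET /.%2e/.%2e/.%2e/winnt/boot.ini 404
22:51:18 95.16.3.79 GET /etc/passwd 404
22:51:19 95.16.3.79 GET /.htpasswd 404
'@

function ConvertFrom-IisW3cLog {
    # One object per request. cs-uri-stem may itself contain spaces (see the XSS probe above),
    # so everything between the method and the trailing status code is taken as the URI.
    # Directive lines (#...) and blank lines never match the pattern and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d{3})\s*$') {
            [pscustomobject]@{
                Time = $Matches[1]; ClientIp = $Matches[2]; Method = $Matches[3]
                Uri  = $Matches[4]; Status   = [int]$Matches[5]
            }
        }
    }
}

function Get-ProbeCategory {
    # Signatures taken from the probes visible in the report's log; first match wins,
    # so a traversal that targets /etc/passwd is reported as traversal.
    param([string]$Method, [string]$Uri)
    if ($Method -in @('TRACE', 'OPTIONS'))                                  { return 'method-probe' }
    if ($Uri -match 'Nikto-')                                                { return 'scanner-banner' }
    if ($Uri -match '<script|&lt;script|alert\(')                            { return 'xss-probe' }
    if ($Uri -match '\.\./|\.\.%2f|\.\.%5c|\.%2e/|\.{3,}/')                  { return 'path-traversal' }
    if ($Uri -match 'passwd|repair/sam|boot\.ini|win\.ini|\.ht(access|passwd)|\.bash') { return 'sensitive-file' }
    if ($Uri -match '^/([^/]*cgi[^/]*|bin|htbin|scripts)/$')                 { return 'cgi-enumeration' }
    return $null
}

function Get-ClientSummary {
    # Per client IP: request volume, how many requests matched a probe signature, which
    # categories, and how many probes were not rejected (status below 400). A probe that
    # the server answered successfully is the first thing to examine by hand.
    param([string[]]$Lines)
    ConvertFrom-IisW3cLog -Lines $Lines | Group-Object ClientIp | ForEach-Object {
        $probes = @($_.Group | Where-Object { Get-ProbeCategory -Method $_.Method -Uri $_.Uri })
        [pscustomobject]@{
            ClientIp         = $_.Name
            Requests         = $_.Count
            Probes           = $probes.Count
            Categories       = (@($probes | ForEach-Object { Get-ProbeCategory -Method $_.Method -Uri $_.Uri }) | Sort-Object -Unique) -join ','
            ProbesNotBlocked = @($probes | Where-Object { $_.Status -lt 400 }).Count
        }
    }
}

Get-ClientSummary -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed subset, 95.16.3.23 shows two ordinary requests and no probes, while 95.16.3.79 shows nine probes across six categories with one not blocked (the TRACE request answered 200), which matches the page's reading that the scan produced no unauthorized access but is worth recording in the report.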


APPENDIX C

Formal Report Letter

Cook, Lerman, Mallon, Inc.

Cook, Lerman, Mallon, Inc. 321 Righthere Way Borough, PA 19213

Mr. Begood
Company ABC
123 Somewhere Lane
City, PA 19122

To Mr. Begood:

Upon your request, we have performed a forensic investigation of Mr. Larry Liar’s computer using a live acquisition technique on the Microsoft Windows operating system. In order to do so, we used a number of reliable software tools which enabled us to view hidden and deleted files unnoticeable to the untrained eye. Our intent was to determine whether the system was compromised by an external intruder or whether Mr. Liar himself was involved in a corporate scandal with regard to your company. The information we obtained is reliable and accurate and will stand up in court should you decide to prosecute.

Upon our inspection, it was found that there was no intrusion or unauthorized access gained to your computer system. In addition, the only user to access files from the computer located in Mr. Liar’s office was Mr. Liar himself. We also discovered two files created by Mr. Liar entitled “Company ABC Record” and “My Records”; the company record shows the company’s financial payments as made, while his personal record shows they were not. This leads us to believe that he has been embezzling that money, and it is our recommendation to involve law enforcement officials for further investigation. Additionally, incriminating e-mails sent by Mr. Liar have been found indicating that he sent an accomplice the money that was stated to have been sent to the company’s contractors. To quote Mr. Liar, in one e-mail he states “BG, book me a flight ASAP. The 5 other checks have been sent but I think Mr. Begood has caught on. Get me out now!”

As an additional measure that will be beneficial for future investigative purposes, we discovered that the Auditing Policy of the network has not been enabled, and we suggest that your IT department enable it. This will provide you with valuable information should an intrusion or destructive event occur.

Please do not hesitate to contact us if you have any further questions or concerns. Thank you for allowing us to serve you.

Sincerely,
Cook, Lerman, Mallon, Inc.