Low Level Host Examinations
(Transcript of a PowerPoint presentation)
Non-Destructive Actions
Fdisk
Chkdsk
Dir
Redirection
Type
First Responder Concerns
Normal to have access in past 24 hours
Last person on system
Normal work hours
Need to work outside established hours
Work patterns
Time of incident
System backed up
Time with organization
Any different behavior
Any changes to network or problems
Access level to systems/applications
Any changes to work area
Non-US citizen
Access logs into building/garage
User ID and PW
Any reprimands
Contractor access
Who had access to area
Educational and computer expertise of individuals
What is work of organization
Who noticed? Who reported?
Anything touched
Who knows of incident
Copy of security policies and procedures
Why is this a problem
Purchasing record of system(s) and base configuration
Diagram of network architecture
Names and contact info for experts/supervisors
Describe evidence collection procedures
Backups to system
System re-imaged or new versions installed
New applications added to system
Any new rights issued for systems/applications
Any disgruntled employees
Locard's Exchange Principle
Anyone, or anything, entering a crime scene takes something of the crime scene with them. They also leave behind something of themselves when they depart.
Evidence on the Hard Drive
Hard disk drives
Files
Erased files
File slack
Hidden partitions
Encrypted files
Compressed data (zip)
Windows swap file
Windows temp files
Application temp files
Hidden files/folders
FBI Investigations
Check records, logs, and documentation
Interview personnel
Conduct surveillance
Prepare a search warrant
Search the suspect’s premises
Seize evidence
Analysis of the Evidence
Identify & document evidence of criminal violations
Intelligence gathering from other sources
Tie media to computers
Identify email & Internet browsing patterns tied to criminal activity
Identify associates
Identify time lines
Identify weaknesses in case
Audit issues regarding violations of corporate policy
Discover evidence for civil or criminal cases
Identify source of trade secret thefts & abuses
Misuse of Internet access
Locate trade secrets
Just "Look"
You can just look at a person's workspace. Passwords are too often out in plain view:
- Taped to the monitor
- Written on the desktop
- In the Rolodex file
- On a "Post-It" note
Workstation Policies
Perform a physical audit
Tag & inventory all physical computing resources
Policies address use of PDAs, storage devices, and laptops
Responsibility for stolen devices
How hardware/software is used at home
Technicians & passwords
Help desk reports
No downloads or software installs
Prohibit running executable files received as e-mail attachments
Bitstream back-up of the entire contents of the hard disk(s) when an employee leaves or is terminated
Preparing a Case
Comments to law enforcement are “on the record”
Know your loss
Have documentation of the case
Gather and deliver physical evidence
Use legal counsel that can explain the law
Describe the investigation
Have only one set of notes
Conduct the investigation in secret
Time is of the essence
Incident Response Implementation
Detection of incident
Initial response
Response strategy formulation
Investigation
Isolate and contain
Recovery
Report
Lessons learned
Why Use a Methodology?
A formal methodology allows an investigator to approach and investigate a computer crime rationally and expeditiously, without a loss of thoroughness. More importantly, it establishes a protocol by which electronic evidence (physical and logical) is gathered and handled, to reduce the potential for this evidence to be corrupted or tainted.
Timothy Wright
Low Hanging Fruit
Internet history files
Check cookies for subscription services passwords
Review of directories & files with simple DOS commands
Check processes
.BAK & .DAT files on PDAs
Paraben forensics tools for PDAs
Tools
Make sure virus free
NIST certified virus checker
Use same software versions for each investigation (do not change in middle)
CHKDSK identifies orphan clusters
SYSINFO documents system
FDISK documents # and size of partitions
Start up disk (bootable)
Use only licensed software
Copy drivers to start-up disk (Parallel, IDE, SCSI)
Config.sys for devices
Check peer-to-peer access for storage on another medium
GetTime grabs date and time
Disk-locking programs (floppylock, writeblock, diskblock)
Ribbon cable for hook up to HD
Are There Limits?
All of the computer hardware, software and media that a suspect might have access to at his job is probably owned by the employer. Seizures do not need to adhere to the Fourth Amendment.
Approaching a Scene
Permission to process PC
Pictures to document scene
Pull plug from in back not wall (picture first)
Remove all connections & label
Pulling plug does not change state of hard drive but a shut down will!
Preliminary Preparation
1. Accumulate the packaging and materials
2. Prepare the log for documentation of the search
3. Ensure IRT is aware of forms of evidence & proper handling materials
4. Evaluate the current legal ramifications of crime scene searches
5. Discuss the search with involved personnel before arrival at the scene
6. Identify a person-in-charge prior to arrival at the scene
7. Assess the personnel assignments normally required to process a crime scene successfully
Reviewing The Surroundings
Desktops
Monitors
Next to telephones
In wallets or purses
Electronic pocket organizers
In a suspect's pocket
Trash can
Inside of books and manuals
Taped underneath keyboards
Investigation of Computer Intrusion
• Victim theory of access
• Corroborating evidence of employee access
- New files created during timeline of theft
- Code entry (doors, gates, rooms)
- Telephone records (corroborate login)
- Placement at scene (eyewitness, camera)
• Obtain court order for trap and trace for home
Employee Suspects
• Check personnel file
• Signed for receipt of proprietary information
• Check building logs
• Cleaned out desk area
• Phone records for calls to competitors
• Calls from former employees requesting information
Procedures
Take photographs of:
- The computer screen
- The front, back and sides of the computer
- The cables attached to the computer
- Any peripherals attached to the computer
Log whether the computer is on or off
If on, note in the log what it appears to be doing
Log whether or not the computer is on a network
Examination in DOS
Create a DOS disk
Copy DOS files
Virus check
Place boot disk in A: drive
Boot to DOS
Insert copy disk
Backup
Verify
Duplicate from copy (place in separate area)
Run disksig and CRCMD5 on victim hard drive
Tools
GetTime
Documents the time and date settings of the victim computer
Reads date/time from CMOS
Syntax: GetTime <enter>
Creates a file; note the time on your watch/clock
Tools
Filelist, filecnvt, Excel
Filelist <enter> catalogs the contents of the disk
Filelist /m /d a:\DriveC C: <enter>
Dir /od a: <enter> creates 2 files (delete 2nd one)
Run filecnvt
Enter name of computer
Run Excel; column 3 has the filenames of deleted files
Tools
Getfree
Content of unallocated space
Getfree C: provides an estimate of the amount of free space
Getfree /f d:\FreeC c:
/f excludes non-printed characters
Tools
Getswap
Windows 98 or 95 copy win386.swp or 386spart.par
If NT/2000 you must do this from DOS (not a window)
Locate pagefile.sys (usually c:\winnt\system32\)
Copy file
To read instructions: getswap man | more
Getswap id to find out partitions recognized
Getswap d:\swapdata c: e: f: g:
Getswap /f d:\swapdata C:
Tools
Getslack
Getslack c: to determine how much exists
Getslack /f d:C_slack C:
Temp Files
.tmp extension
Start: Find
Copy
CRCMD5
Calculates a 32 bit checksum
Crcmd5 <options> file1 file2
/s current directory
/h headerless text
Crcmd5 /s d:
Crcmd5 d:swapdata.f01
Tools
Disksig computes checksum for an entire hard drive (boot sector is excluded)
Disksig d:
To include boot sector use /b
Compressed drives have the signature performed on the raw uncompressed hard drive
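The Disksig and CRCMD5 steps above (and the "Backup / Verify" step of the DOS examination) exist so that the working copy can be proven identical to the victim drive before any analysis touches it. The block below is an added example, not NTI's tools and not code from the slides: it computes a CRC32 and an MD5 over a drive image in fixed-size chunks, can leave out the 512-byte boot sector the way the slides describe Disksig doing by default, and compares an original against its duplicate. The sample image, the helper names and the chunk size are all constructed here.

```python
"""Checksum a drive image and verify a working copy against the original.

Added example, not NTI's Disksig/CRCMD5 and not code from the slides.
Reads in fixed-size chunks so a multi-gigabyte image never has to fit in
memory; skip_boot_sector=True leaves out sector 0, as the slides say
Disksig does unless /b is given.
"""
import hashlib
import io
import zlib

SECTOR = 512          # sector 0 of the image is the boot sector
CHUNK = 64 * 1024     # read size; any positive value works


def hash_stream(stream, skip_boot_sector=False, chunk=CHUNK):
    """Return (crc32_hex, md5_hex) for the bytes remaining in `stream`."""
    crc = 0
    md5 = hashlib.md5()
    if skip_boot_sector:
        stream.read(SECTOR)                     # discard sector 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        crc = zlib.crc32(block, crc)            # running CRC carried across chunks
        md5.update(block)
    return "%08x" % (crc & 0xFFFFFFFF), md5.hexdigest()


def hash_bytes(data, skip_boot_sector=False, chunk=CHUNK):
    return hash_stream(io.BytesIO(data), skip_boot_sector, chunk)


def hash_file(path, skip_boot_sector=False):
    """Same computation over an image file on disk (e.g. a bitstream copy)."""
    with open(path, "rb") as f:
        return hash_stream(f, skip_boot_sector)


def copy_matches(original, duplicate, skip_boot_sector=False):
    """True only when both the CRC32 and the MD5 of the two images agree."""
    return hash_bytes(original, skip_boot_sector) == hash_bytes(duplicate, skip_boot_sector)


# Constructed sample image: a 512-byte boot sector (jump bytes, zero padding,
# 0x55AA signature) followed by a tiny "volume" whose contents are b"abc".
BOOT_SECTOR = b"\xEB\x3C\x90" + b"\x00" * (SECTOR - 5) + b"\x55\xAA"
SAMPLE_IMAGE = BOOT_SECTOR + b"abc"
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"x"       # one byte changed in the copy

if __name__ == "__main__":
    print("whole image       :", hash_bytes(SAMPLE_IMAGE))
    print("without boot sector:", hash_bytes(SAMPLE_IMAGE, skip_boot_sector=True))
    print("copy verified     :", copy_matches(SAMPLE_IMAGE, bytes(SAMPLE_IMAGE)))
    print("tampered copy     :", copy_matches(SAMPLE_IMAGE, TAMPERED_IMAGE))
```

With the boot sector excluded the hashes are those of the bytes `abc` alone, which is why the two modes give different values for the same image; record which mode was used in the case notes, since a later verifier must use the same one.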
Tools
Doc
Documents the contents of files and directories and related information
Doc <enter>
Can be redirected to a file for printing
Will be in a file
Searching
Favorites
Bookmarks
Cookies
History file
Internet Options set
Properties for file dates, ownership
Recycle bin
Hidden system folder
Sequence of deletion, files deleted, dates, types of files
Folder in 95 & 98 Recycled or NT/2000 Recycler
Recycle Bin
When files are deleted:
Moved to recycle bin creates a new entry
Deletion of file folder from original location
Addition of information about the file to a hidden file INFO (800) or INFO2 (280)
First time use of recycle bin in NT/2000 a subfolder is created with the user's SID, which identifies which user created it
Date and time recorded in INFO, not bin
Other INFO:
Prior file location
Order in bin
New filename in bin (original drive letter, index #, original extension)
Empty bin and INFO is deleted
Use Quickview Plus to look at deleted file info
Identify information about other media
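The INFO/INFO2 file described above is what lets an examiner recover the original path, the deletion time and the order of deletions even though the files in the bin have been renamed. The parser below is an added example, not code from the slides and not Quickview Plus: it assumes the INFO2 layout documented by the open-source rifiuti tool (20-byte header whose fourth dword is the record size, then fixed-size records) and reads the record size from the header rather than hard-coding 280 or 800. The sample INFO2 bytes, the paths and the index numbers are constructed here.

```python
"""Parse a Windows Recycle Bin INFO2 file (NT/2000/XP era) offline.

Added example, not code from the slides. Assumed layout (as documented by
the rifiuti tool): a 20-byte header whose fourth dword is the record size,
followed by fixed-size records:
  0x000  260-byte ASCII original path, null-terminated
  0x104  dword   index used in the Dc<index>.<ext> name inside the bin
  0x108  dword   drive number (0 = A:, 2 = C:)
  0x10C  FILETIME deletion time (UTC)
  0x114  dword   physical size
  0x118  520-byte UTF-16LE original path (800-byte records only)
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def bin_name(drive, index, original_path):
    """Name the file carries inside the bin: 'D' + drive letter + index + original extension."""
    base = original_path.rsplit("\\", 1)[-1]
    ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
    return "D%s%d%s" % ("abcdefghijklmnopqrstuvwxyz"[drive], index, ext)


def parse_info2(data):
    if len(data) < HEADER_LEN:
        raise ValueError("INFO2 file too short for a header")
    version, _, _, record_size, _total = struct.unpack_from("<5I", data, 0)
    if record_size not in (280, 800):
        raise ValueError("unexpected INFO2 record size %d" % record_size)
    records = []
    for off in range(HEADER_LEN, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        path = rec[:260].split(b"\x00", 1)[0].decode("ascii", "replace")
        index, drive = struct.unpack_from("<II", rec, 0x104)
        ticks, size = struct.unpack_from("<QI", rec, 0x10C)
        if record_size == 800:
            # the ASCII copy is the one zeroed when an entry is removed; prefer UTF-16
            upath = rec[0x118:0x118 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
            path = upath or path
        records.append({"path": path, "index": index, "drive": drive, "size": size,
                        "deleted": filetime_to_datetime(ticks),
                        "bin_name": bin_name(drive, index, path)})
    return records


def deletion_timeline(data):
    """Records ordered by deletion time: the sequence of deletions the slides mention."""
    return sorted(parse_info2(data), key=lambda r: r["deleted"])


def build_info2(entries, record_size=800):
    """Constructed INFO2 for testing; entries are (path, index, drive, size, deleted_at)."""
    out = bytearray(struct.pack("<5I", 5, 0, 0, record_size, sum(e[3] for e in entries)))
    for path, index, drive, size, deleted_at in entries:
        rec = bytearray(record_size)
        rec[:len(path)] = path.encode("ascii")
        struct.pack_into("<IIQI", rec, 0x104, index, drive, datetime_to_filetime(deleted_at), size)
        if record_size == 800:
            u = path.encode("utf-16-le")
            rec[0x118:0x118 + len(u)] = u
        out += rec
    return bytes(out)


# Constructed sample: two deletions on C:, stored out of time order on purpose
SAMPLE_ENTRIES = [
    ("C:\\Documents and Settings\\jdoe\\budget.xls", 179, 2, 96,
     datetime(2003, 1, 24, 8, 54, 30, tzinfo=timezone.utc)),
    ("C:\\Documents and Settings\\jdoe\\notes.txt", 178, 2, 72,
     datetime(2003, 1, 24, 8, 54, 0, tzinfo=timezone.utc)),
]
SAMPLE_INFO2 = build_info2(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for r in deletion_timeline(SAMPLE_INFO2):
        print(r["deleted"].isoformat(), r["bin_name"], r["path"], r["size"])
```

The bin names it derives (Dc178.txt, Dc179.xls) are the same shape as the DC178.TXT entries in the C:\RECYCLED listing at the end of these slides; the deletion timestamps come from INFO2, not from the renamed files, which is the point the slides make about where the date and time are recorded.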
Shortcut
Examine:
Windows desktop
Windows\recent (up to 15 shortcuts)
Windows start menu
Windows send to
.lnk files refer to target files (applications, folders, data, objects)
Existence of shortcuts indicates knowledge of presence of a file
If times differ, can point to knowledge to create icon
Cached Files
IE caches websites
Cached files stored in Windows\Temporary Internet Files folder
INDEX.DAT has all cached files
Registry
Repository for hardware and software configuration information
Windows\system.dat or windows\user.dat
On NT/2000 the registry is comprised of hives located in %systemroot%\system32\config and Ntuser.dat files related to each user account
Regedit or regedt32 or NT Resource Kit has a utility regdmp
Printing
Shadow files created about print jobs .shd
Information on print job: owner, printer, name of file and method
Existence points to knowledge of printing activity
MAC Times
OS records dates and times of files accessed, created modified
Dates can be sorted to reveal a sequence of activities
MFT
Master File Table is a system file created during formatting of an NTFS volume
1 MFT record for every file on a volume, including an entry about itself and some metadata
MFT records store attributes about a file or folder
MFT records store all or some data in a file in the $data attribute
Contain flag with allocation status (0 if deleted/unallocated)
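To show what those MFT statements mean on disk, here is an added example (not code from the slides, and not any vendor tool) that decodes a single 1024-byte MFT record: it undoes the update-sequence fixups, reads the allocation flag, walks the attributes, and pulls the file name, the four timestamps of $STANDARD_INFORMATION (the MAC times the earlier slide sorts) and the $DATA stream, which for a small file is resident inside the record itself. Offsets follow the layout documented by the Linux-NTFS project; the record built by make_sample_record() is constructed for this example, so names, times and the record number are made up.

```python
"""Decode one NTFS MFT record offline: fixups, allocation flag, attributes.
Added example, not code from the slides. Offsets follow the MFT record and
attribute layout documented by the Linux-NTFS project; make_sample_record()
builds a constructed 1024-byte record so the parser runs without a disk image."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02                 # record flags at offset 0x16
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ticks):                                      # 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def apply_fixups(record):
    """Undo the update-sequence fixups; raise if a sector was torn (USN mismatch)."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):                        # one entry per 512-byte sector
        pos = (i + 1) * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[pos:pos + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)


def fixups_valid(record):
    try:
        return bool(apply_fixups(record))
    except ValueError:
        return False


def parse_mft_record(record):
    """Return record number, in-use flag, file name, MAC times and the $DATA stream."""
    rec = apply_fixups(record)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],   # field present on XP and later
            "in_use": bool(flags & FLAG_IN_USE),                         # 0 => deleted/unallocated
            "is_directory": bool(flags & FLAG_DIRECTORY),
            "name": None, "times": None, "data": None}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        nonresident, name_len, content = rec[off + 8], rec[off + 9], b""
        if not nonresident:                               # content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        if atype == ATTR_STD_INFO and not nonresident:    # created, modified, MFT modified, accessed
            c, m, mm, a = struct.unpack_from("<4Q", content, 0)
            info["times"] = {"created": filetime(c), "modified": filetime(m),
                             "mft_modified": filetime(mm), "accessed": filetime(a)}
        elif atype == ATTR_FILE_NAME and not nonresident:
            nlen, namespace = content[0x40], content[0x41]
            if info["name"] is None or namespace != 2:    # prefer the long name over the 8.3 one
                info["name"] = content[0x42:0x42 + 2 * nlen].decode("utf-16-le")
        elif atype == ATTR_DATA and name_len == 0:        # unnamed (main) data stream
            if nonresident:
                info["data"] = {"resident": False, "size": struct.unpack_from("<Q", rec, off + 0x30)[0]}
            else:
                info["data"] = {"resident": True, "size": len(content), "content": content}
        off += alen
    return info


def _resident_attr(atype, content):
    """Unnamed resident attribute: 24-byte header, content at 0x18, padded to 8 bytes."""
    body = content + b"\x00" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0, 0) + body


def _ticks(*ymdhm):
    return ((datetime(*ymdhm, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1)) * 10


def make_sample_record(in_use=True, name="notes.txt", content=b"hello, world", record_number=178):
    """Constructed record for a small resident file; every value here is made up."""
    t = [_ticks(2003, 1, 23, 12, 7)] + [_ticks(2003, 1, 24, 8, 54)] * 3
    std_info = struct.pack("<4Q", *t) + b"\x00" * 16
    file_name = struct.pack("<5QQQIIBB", 5, *t, len(content), len(content), 0, 0, len(name), 1)
    attrs = (_resident_attr(ATTR_STD_INFO, std_info)
             + _resident_attr(ATTR_FILE_NAME, file_name + name.encode("utf-16-le"))
             + _resident_attr(ATTR_DATA, content) + struct.pack("<II", ATTR_END, 0))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      FLAG_IN_USE if in_use else 0, 0x38 + len(attrs), 1024, 0, 4, 0, record_number)
    rec = bytearray(hdr + b"\x00" * 8 + attrs) + b"\x00" * (1024 - 0x38 - len(attrs))
    usn = b"\x07\x00"                                     # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i in range(2):                                    # save each sector's last word, stamp the USN
        pos = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    return bytes(rec)
```

A deleted file's record keeps its name, timestamps and resident data until the record is reused; only the in-use bit changes, which is why parsing records with that flag clear is how erased files are recovered. The fixup check matters too: if the two bytes at the end of a sector do not carry the update sequence number, the record was not written completely and its contents should not be trusted.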
Recycled
DC178 TXT 72 01-24-03 8:54a DC178.TXT
DC179 TXT 96 01-24-03 8:54a DC179.TXT
DC180 TXT 74 01-23-03 12:11p DC180.TXT
DC181 TXT 94 01-23-03 12:09p DC181.TXT
DC182 TXT 110 01-23-03 12:09p DC182.TXT
DC183 TXT 318 01-23-03 12:07p DC183.TXT
DC184 TXT 70 01-23-03 12:07p DC184.TXT
DC185 TXT 104 01-23-03 11:26a DC185.TXT
DC186 TXT 71 01-23-03 11:26a DC186.TXT
DC187 TXT 155 01-23-03 8:39a DC187.TXT
DC188 TXT 175 01-22-03 6:15p DC188.TXT
DC189 TXT 104 01-22-03 6:13p DC189.TXT
DC190 TXT 80 01-22-03 6:12p DC190.TXT
DC191 TXT 94 01-22-03 6:12p DC191.TXT
DC192 TXT 148 01-22-03 6:11p DC192.TXT
DC193 TXT 95 01-22-03 5:54p DC193.TXT
DC194 TXT 95 01-22-03 5:51p DC194.TXT
DC195 TXT 77 01-22-03 5:49p DC195.TXT
DC196 TXT 127 01-22-03 5:47p DC196.TXT
DC197 TXT 163 01-25-03 3:01p DC197.TXT
DC198 TXT 70 02-05-03 8:56a DC198.TXT
198 file(s) 2,723,699 bytes
2 dir(s) 15,511.09 MB free
C:\RECYCLED>