32309 Digital Forensics – DF Notes (incomplete?), 2014
Lecture 1 Types of Forensics
Industrial Actions - employment guidelines
Civil Actions - business operations; divorce
Criminal Actions - using a device to commit a crime; stealing the device
Malware Intrusion
Causes of Forensic Incidents
Threats and extortion
Accidents and negligence
Stalking and harassment
Commercial disputes
Disagreements, deceptions, and malpractice
Property rights infringement
Economic crime e.g. fraud, money laundering
Distributing porn
Content abuse
Privacy invasion and theft
Intrusions
Script Kiddies
Black Hat Hackers
Criminals
The Big Boys - governments; employers; military
Digital Forensics (3 forms)
Forensic Analysis - evidence is recovered to support or oppose a hypothesis before a criminal court
eDiscovery - related to civil litigation
Intrusion Detection - specialist investigation into nature and extent of an unauthorised network intrusion
Branches of DF
Computer - examining comp memory and disks
Network - examining network devices and packets
Database - examining database records
Mobile Device
Live Forensics - device is live and attack is current or very recent - capture live evidence before power down
Disk Forensics - device is powered down, or attack is over - want to examine permanent disk or USB storage for traces of the attack
Trusted Media: media of a known state and risk to the examination.
Evidence Triage: prioritization of data for collection and/or analysis
Evidence Preview: initial screening of data to determine relevance to a case
Regional Internet Registries
APNIC
LACNIC
ARIN
RIPE NCC
Order of Volatility
1. CPU registers, CPU cache
2. Routing table, process table, memory allocation
3. Temporary file systems, swap space
4. Disks
5. Remote logging (such as syslog)
6. Network topology, device hardware
7. Archived data
Forensic Methods
1. Obtain authority to search
2. Secure and isolate
- locate removable media
- secure mobile devices (Faraday bag)
- collection methods must not alter evidence
3. Record the scene - document and photograph; store on read-only media
4. Conduct a systematic search for evidence - order of volatility
5. Collect and package evidence
- maintain chain of custody > continuity of possession > handlers to testify → CoC form logs when, where and why evidence was transferred; minimises loss or contamination
- hash files for digital fingerprint
6. Analyse evidence in a forensic lab – work on copy > image file → raw or in forensic container
7. Prepare forensic report
8. Submit evidence as an expert witness - expert opinion to court
9. Methods challenged
AUTHENTICATION
Identify source of evidence - Human and digital device
- Oral evidence (suspect identifies his laptop)
- Circumstantial evidence
- Digital evidence (private encryption key - compelling)
REPEATABILITY
- Copy + Paste vs Cloning: cloning copies everything, including metadata
- Name and version of all tools used must be documented - a second investigator must be able to follow
Locard's EXCHANGE Principle:
- Contact between two items = an exchange
- Between suspect and victim
- Between investigator and crime scene
- PHYSICAL exchange e.g. fingerprint
- DIGITAL exchange e.g. email
- In a computer intrusion, attacker may leave evidence in disk space, log files and Win Registry
- Act of sending an email may leave traces on the sender's hard disk, complete with time stamps
INTEGRITY
- Confirm evidence has not been altered after collection = hash
- Evidence usually kept as disk files > hash files for digital fingerprints once collected
- Hash copy of evidence > should match original's hash → verify hash before analysis
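A worked illustration of the hashing and chain-of-custody steps above (added example, not from the lecture notes): it writes a constructed stand-in image, hashes it at collection, clones it, verifies the clone's hash before analysis, and shows the check failing once a single byte of the copy changes. The file names, handler name and SAMPLE_IMAGE bytes are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (sample bytes, not a real image);
# the hashing and verification steps are the same for a multi-GB image.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 64


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Digital fingerprint of an evidence file, hashed in chunks so large images never sit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def coc_entry(log, action, path, digest, handler, where, why):
    """Append one chain-of-custody record: who handled the file, when, where and why, with its hash."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "action": action,
                "file": os.path.basename(path), "sha256": digest,
                "handler": handler, "location": where, "reason": why})


def acquire_and_verify(workdir, log, handler="examiner A"):
    """Hash the original at collection, clone it, and hash the clone before any analysis."""
    original = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as f:
        f.write(SAMPLE_IMAGE)
    original_hash = hash_file(original)
    coc_entry(log, "collected", original, original_hash, handler, "scene", "seizure")
    # Analysis happens on the copy only; the original is never touched again.
    working = os.path.join(workdir, "evidence_copy.dd")
    shutil.copyfile(original, working)
    copy_hash = hash_file(working)
    coc_entry(log, "cloned", working, copy_hash, handler, "lab", "working copy for analysis")
    return original, working, original_hash


def verified(path, recorded_hash):
    """True only while the file's current hash equals the hash recorded at collection."""
    return hash_file(path) == recorded_hash


def demo():
    """Returns (copy intact?, copy intact after a one-byte change?, number of CoC entries)."""
    with tempfile.TemporaryDirectory() as workdir:
        log = []
        _, working, recorded = acquire_and_verify(workdir, log)
        intact = verified(working, recorded)
        # Simulate contamination of the working copy: one byte overwritten.
        with open(working, "r+b") as f:
            f.seek(3)
            f.write(b"\x00")
        return intact, verified(working, recorded), len(log)


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```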
Data Integrity
FORENSIC ACQUISITION - 3 Methods:
- RAM dump – copies content from system memory
- Logical copying of files – network systems to removable media
- Physical acquisition of entire system – access to volatile data
4 Types – Physical; Logical; Live; Targeted File
- Prove any alterations are minor
- Work on copy of disk → similar disk | image file → raw | forensic container
EVIDENCE CHARACTERISTICS
Traces:
- CLASS – apply to many cases e.g. copy of Word 2007 found on suspect's laptop
- INDIVIDUAL – apply to one case e.g. Photoshop's serial number embedded in every image produced
LEVELS OF CERTAINTY
C0 – Evidence contradicts known facts - Incorrect
C1 – Evidence is highly questionable - Highly uncertain
C2 – Only one source of evidence which is not protected against tampering - Somewhat uncertain
C3 – Some tamper protection, some inconsistencies - Possible
C4 – Evidence is tamperproof or there are multiple independent sources of evidence that agree - Probable
C5 – Tamperproof evidence from several independent sources that agree, some minor uncertainties (loss of data, timing uncertainties)
- Almost certain
C6 – Tamperproof evidence with a high statistical probability - Certain
Forensic Soundness requires technique that preserves evidence
Lecture 2 – Reconnaissance
Hackers attack Targets for their Value
Threat = attack develops
An attack violates security; exploits a vulnerability
A secure system minimises the risk of a successful attack
Zero-day attack = unexpected; unknown to vendor/public e.g. Heartbleed
Data Breaches
Stealing login credentials
Backdoors – local PC or C&C link
SQL Injection – database manipulation
Source of Breach - External - Internal - Business Partner
Principles of Security
Deny by default – not ideal
Defence in depth – Hierarchy
Complex = Insecure
Least privilege principle – need to know – accessibility
Security not obscurity – IIS vs Apache
Types of Attack
Operating System - Buffer overflows in faulty code
Man in the Middle - DNS, DHCP, VPN
Web Applications - SQL Injection - XSS (Cross Site Scripting)
Malware - Virus Writer Apps
HACKING PHASES
Reconnaissance - Monitoring and gathering general info about the client
Scanning - Looking for specific network info - ip addresses, ip ports, software versions
Gaining Access - Cracking passwords, hijacking sessions
Maintaining Access - Installing backdoors and root kits
Clearing tracks - Delete files and clean out log files
RECONNAISSANCE PHASE
AKA Footprinting - Forming an understanding of the target/client business - Physical presence - Internet presence
Usually passive information gathering - Internet searching → different sources
Can be active (with risk) - Social engineering
Network Information
- Domain Names – DNS registers
- Address blocks – used by a target company
- Active IP addresses – part of scanning, done later
- IP Access Paths – use of Autonomous System Numbers (ASNs), part of BGP routing protocol
Cyber Attacks
Cyber Crime
Hacktivism
Cyber Warfare
Cyber Espionage
Organisation Information
- Employee details
- Company websites
- ABN Register
- Address and phone numbers
- News articles / press releases
- Competitive intel
INTERCEPTING PROXY
PROXY = Man in the Middle
A form of Transparent proxy
Intercepts web traffic between client and server
Allows inspection of Web Sessions
Burp Suite – common example
An extension of inspection is to modify traffic → gain access to session
Search Techniques
Google hacking – advanced search operators to locate specific strings in text; deleted data in cache
- "#-Frontpage-" inurl:administrators.pwd
- "#-FrontPage-" inurl:(service | authors | administrators | users) ext:pwd
- inurl:"ViewerFrame?Mode=" – live cams
Netcraft Reports
Web crawler robots
Google Earth
People media – Facebook
Competitive Intel – check out a company; bankruptcies
DNS: table of name:IP-number pairs
Copies of often used names cached in local dns server
nslookup tool
- Allows talking to dns server like http for a web page name
- Built into windows and linux (dig)
i. select dns name server to query (or default)
ii. set dns record type desired (default is A)
iii. set web name
iv. send query
>nslookup - server; ip address
>set type=RP - primary name server; responsible mail addr
>set type=ns - default server
>set type=A - name; address
Find processes running Java: listdlls | grep java
Lecture 3 – Cookies
A web server tracks a web client by: IP address; HTTP referrer tag; cookie saved on the target
- AKA http cookie; web cookie; browser cookie
Web pages transferred over Internet via HTTP → Stateless
Cookies save state (viewer choices) on the client device as a file on disk
- Small, fast/lightweight → resist Denial of Service attack
- Save state for session key negotiation (wireless and VPN)
- Personalisation – server remembers last visit
- Data capture – server remembers requests
- Sales tracking using a shopping basket
- Authentication – no need for password for repeated login
Deleting cookies will disable many websites.
Viewing cookies: websites visited; actions taken/pages visited; date of first visit; date of last visit
Setting Cookies
Web client asks for a web page using http GET /index.html HTTP/1.1
Web server sets a cookie when it replies: HTTP/1.1 200 OK Set-Cookie: name=value
Cookie is returned each time page is accessed
Server keeps a log of cookies to track viewers viewer=ip address+referrer+cookie
Set-Cookie
Server has code to set the cookie
Browser asks for the server page
Server sets the cookie
Cookie file appears on client PC – date in cookie format
COOKIE TYPES
i. Session Cookie - No expiry date, deleted by browser when session ends
ii. Persistent Cookies (tracking cookies) - Expiry date in future
iii. Secure Cookie - Sent encrypted using https
iv. Third Party Cookies (for marketing) - Set from a different URI domain // InPrivate Filtering to stop
- web page tracking used by advertisers // provide contents → Pay Per Click (PPC) business model
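An added example (not from the notes) that parses Set-Cookie headers out of constructed HTTP responses and labels each cookie with the four types above: session vs persistent (Expires/Max-Age), secure (Secure flag) and third-party (the response came from a different site than the page being viewed). Host names and cookie values are made up, and site() is a simplification that ignores the public-suffix list.

```python
from email.utils import parsedate_to_datetime

# Constructed captures: (host that sent the response, raw HTTP response) for one page view
# of www.example.test, which also pulls an ad from ads.tracker.test. Sample values only.
CAPTURES = [
    ("www.example.test",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "Set-Cookie: sessid=abc123; Path=/; HttpOnly\r\n"
     "Set-Cookie: visitor=7f3e; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/\r\n"
     "Set-Cookie: auth=tok9; Max-Age=3600; Secure; Path=/\r\n"
     "\r\n<html>...</html>"),
    ("ads.tracker.test",
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: __utma=1.2.3; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.test\r\n"
     "\r\n"),
]


def set_cookie_headers(raw_response):
    """Values of every Set-Cookie header in a raw HTTP response (headers end at the blank line)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip() for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]


def parse_set_cookie(value):
    """Split 'name=value; Attr=val; Flag' into the cookie pair and a dict of lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.lower()] = attr_val
    return {"name": name, "value": val, "attrs": attrs}


def site(host):
    """Crude site key: last two labels of the host name (simplification, no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def classify(cookie, response_host, page_host):
    """Labels from the notes' four types: session vs persistent, secure, third-party."""
    attrs = cookie["attrs"]
    labels = ["persistent" if ("expires" in attrs or "max-age" in attrs) else "session"]
    if "secure" in attrs:
        labels.append("secure")
    if site(response_host) != site(page_host):
        labels.append("third-party")
    return labels


def expiry(cookie):
    """Expires attribute as a datetime (cookie date format); None when absent (session cookie)."""
    expires = cookie["attrs"].get("expires")
    return parsedate_to_datetime(expires) if expires else None


def classify_captures(captures, page_host):
    """Map cookie name -> labels for every Set-Cookie seen while viewing page_host."""
    result = {}
    for response_host, raw in captures:
        for value in set_cookie_headers(raw):
            cookie = parse_set_cookie(value)
            result[cookie["name"]] = classify(cookie, response_host, page_host)
    return result
```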
Browser Storage:
- IE Folder → C:\Users\...\AppData\Roaming\Microsoft\Windows\Cookies
  Win+R; 'Shell:Cookies'; 'Low' folder → UAC activated [Control Panel > Action Centre]
  Database: Index.dat → Pasco viewer; another Index.dat is used to index web browser history files
- Mozilla → C:\Users\...\AppData\Roaming\Mozilla
  Database: sqlite → SQLite Manager add-on
Urchin Tracking Modules
UTMA – Visitor Identifier: tracks dates and visits
UTMB – 30 Minute session identifier
UTMC – On exit identifier
UTMV – Custom variable cookie
UTMZ – Visitor segmentation: tracks the user
Temporary Internet Files
http allows web browsers to cache recently visited webpages.
When viewer revisits page, http checks date on cached page and decides to show cached copy or refresh page from server.
Caching cuts down web traffic and speeds webpage rendering.
Location chosen by webpage layout engine: IE: Trident; Firefox: Gecko; Chrome: Blink
Web History
InPrivate Browsing (IE) - protects against local and web attack; hides web history data
Recovery
- Volatile memory - system history & process history
- Disk - temporary files (incl. cached) & swap files
- Local DNS server cache
Lecture 4a – Network Based Evidence
The Network – All internet packets are available at the edge router.
The TCP Session
- Set up by three-way handshake using flags
- Uses sequence numbers to provide resend of lost or damaged packets
- Torn down by a three-way close
TCP Session Sequence
i. Setup Phase: various options negotiated between server and client
ii. Data Transfer Phase: often encrypted
iii. Session Teardown: either side may initiate process
B/C: indicate session expired
Network Activity Protocols
Device Start-up - dhcp
Device Connection - ssh | telnet
Background noise - switch STP, routing protocols (OSPF), windows AD
User Activity - access website, send/receive email, access work connection (VPN)
Intruder Activity - as above, back-door
Attack on a Digital Device can be performed in person or over the digital network. A Network Attack:
- Open trapdoor on target device
- Contact target device from a remote device
- Exchange network packets to install snooping software, then retrieve sensitive information such as passwords
Network Intrusion Detection:
- Special intrusion detection hardware – IDS/IPS
- Equip firewall with IDS features
- Have network-based IDS to examine all network packets
- Have host-based IDS to examine local network activity
- Record network activity in local log files
- Use local firewall/virus scanner
Locating Network Evidence:
Suspect’s device – file folders, cache, swap files
Local network – proxies, firewalls, IDS
ISP – proxies, firewalls
Remote website – logs
Access Website Sequence
Dns request
http handshake: browser details, server details
html handshake: style sheets, javascript
page display: images, gifs, pngs
SSL: SSL Certificate Exchange – requires authentication, trusted certs issued by Certificate Authority (CA)
Plug-ins: flash
Extras: cookies, hit counters, page tracking, ASP.Net
NBE – 4 broad methods
1. Full content data - examine every packet
2. Session data - examine TCP session data
3. Alert data - examine errors and exceptions
4. Statistical data - examine unusual events
NBE Tools
Best tools run on Linux / FreeBSD
TCPDump → full content capture
Winpcap → Windows version of libpcap
Packets analysed using Wireshark or Snort – online or from packet dump
TCPView → session data
Snort → provide alert data in addition to the IPS
Full Content Data
- Every bit of every packet
- On Ethernet or wireless
- Need a packet capture library (libpcap) on device network interface
- Wireshark
- Usually used only after an intrusion
- Extensive disk space used
- Excellent evidence: can detect attack on other systems; can expose advanced attacks
- Encrypted packets a problem
Session Data
- Derived from TCP sessions
- Available during initial intrusion
- Indicates time, date and parties involved
- Can see intrusion sequence
- Look for strange IP addresses
- Look for unusual ports in use, e.g. IRC
- High traffic could indicate file transfer
Alert Data
- When IDS/IPS sees a packet that matches a virus signature or an intrusion rule → alert.
- Tune IPS for best results and:
  - Avoid false positives: an event incorrectly identified by IDS as an intrusion when none has occurred
  - Avoid false negatives: an event IDS fails to identify as an intrusion when one has occurred
  - Watch a back door
Statistical Data
- Measure health and performance of a network
- Need a normal profile
- Can show variations: top ten websites, unusual web addresses and ports, which processes/services transfer most data
- Immune to encryption: encryption does not affect statistical data
Accessing the Wire (2 Methods)
i) Place pcap device on wire between edge router and firewall a. Use a hub; or b. Two interface cards as a bridge
ii) Use a Switch running SPAN Switch Port Analyser – built into cisco switches
WIRESHARK to baseline device NBE
Data Sources
- Packets can come live from a device – from a pcap on network adaptor
- Packets can come from a pcap file – Wireshark, tcpdump, dumpcap, text2pcap, other capture program
Accessing a Web Site: identify web site; start packet capture; access website – may involve website cache; stop capture; analyse results
- Conversations for IP addresses involved
- Statistics to identify protocols
- Reassembly of webpages visited
Evidence of Accessing a Web Site: browser/server HTTP handshake; CSS & JavaScript download; page download – text, gifs, jpegs || some may come from local cache; plug-ins started; cookies downloaded; external page tracking
Searching a pcap for URLs: use grep or Wireshark, or a Python script – search words that match a keyword dictionary.
Lecture 4b – CPU and Memory
CPU executes instructions to perform actions on data
- Instructions are kept in memory as program segments
- Data is also kept in memory as data segments
- Memory in RAM is volatile, unlike disk storage
Memory
- Physical Address Extension (PAE) allows access to more RAM
- Memory Management Unit (MMU) handles memory requests
- Translation Lookaside Buffer (TLB) may hold memory data
- Direct Memory Access (DMA) devices like graphic cards
Data Structures in Memory
- Arrays – usually fixed size
- Bit maps – sparse arrays (e.g. TCP ports in use)
- Records – name:value pairs
- Strings – often 00 terminated
- Linked lists
- Hash tables
- Hierarchical trees
Operating System Modes
- Kernel Mode – core OS: can access most of the RAM; includes many drivers; all kernel mode processes can see each other's RAM
- User Mode – user apps: RAM access is restricted; each user mode process runs in its own sandbox; a user mode process cannot access kernel mode RAM
Protocols in Wireshark
SSH – remote site log on
VPN – ISAKMP, ESP, AH
SSL – X.509 Certs / accessing a bank website
802.11 – using Wireless
SIP – using VOIP
Processes
- A running program launched from an exe
- Every task in a PC runs as a process
- Forensics examine processes to locate evidence
Process Startup
- Task Manager → how started, publisher, when written
- Tasklist (built into Windows)
- PsList (SysInternals)
Memory Process Footprint - each process has artifacts that identify it in RAM:
- Open file handles
- Recent DLLs used
- Memory mappings
- Network connections (sockets)
- Privileges
Task Manager | Linked List
- Keeps track of processes (tasks)
- Uses linked list of nodes
- Each node in the list has a value and a pointer to the next node → last node linked to a terminator
Listing Processes
- Task Manager displays list of processes: starts at PsActiveProcessHead → links to each _EPROCESS structure → active processes displayed
- Executive Process list has more processes: active, hidden, deleted
- Some tools can dump all these
- A virus can hide an evil process by manipulating the list
Windows DLLs
- Dynamic Link Library - piece of code that can be shared by one or more processes
- Stored on disk in Windows
- Difficult to spot malware-introduced DLL; can also alter existing DLL → can detect by examining DLL hash
- View running DLLs → Listdlls | Tasklist
Listdlls shows how a process was launched: listdlls cmd | grep -A2 pid
Viewing DLL version detail: listdlls -v > process_detail.txt
Viewing with Tasklist: tasklist /m /fi "imagename eq cmd.exe"
/m = list modules
/fi = filter by name or PID
Services
- Long running processes
- No user interface
- Many services start automatically at boot
- Similar to daemons in Linux
- Some used for networking → WebClient; Remote Procedure Calls (RPC)
- Can be run by Service Host processes: svchost.exe
- See running services: call service controller sc with query ex(tended) option: sc queryex > services.txt
- See processes running services: tasklist /svc
Windows Memory
- Memory accesses faster than disk accesses
- Process opens files → contents into memory → decodes encryption (SSL & VPN) in memory | passwords also in memory
- Memory data can be: incomplete, randomly organised, partly overwritten, repeated in different locations, changed by memory managers at any instant
- Dump memory = win32dd.exe → large and may interfere with memory managers
- Analyse with Volatility (Python add-on) for Windows, Linux, Mac OSX & Android ARM. Volatility can recover → process lists, network connections, passwords and web sessions.
- May also contain: parts of Win Registry, parts of disk file table, terminated processes, malware
Memory Addressing
i. Request to read virtual address
ii. Translate to physical memory address
iii. Translate to file offset, decompress (if necessary)
iv. Seek to and read from file offset
Searching Process Memory
Process Memory Dump = Task Manager; cmd tool → dp.exe or ProcDump
Strings to extract text in binary dump: strings iexplore.dmp > iexplore.txt
Search text file: grep passwd iexplore.txt
Look for cookies: grep Set-Cookie iexplore.txt
Virtual Memory = not enough RAM for CPU to access all its programs → unused RAM swapped to disk files
Memory on Disk → virtual memory page files (25% of RAM); hibernation files (75% of RAM); win8 swap files; crash files == C:\pagefile.sys; hiberfil.sys; swapfile.sys
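An added example, not part of the notes, that reproduces the strings + grep workflow above in Python over a constructed memory dump: extract printable runs, match them against a keyword dictionary (the same idea as the pcap URL search in Lecture 4a) and record the dump offset of each hit. DUMP and KEYWORDS are constructed sample values.

```python
import re

# Constructed process memory dump: binary noise interleaved with the kind of printable
# fragments a browser leaves in RAM. Sample values only, not taken from a real dump.
DUMP = (
    b"\x00\x10\xffMZ\x90\x00" + b"\x07" * 12
    + b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\x00\x00"
    + b"\xde\xad\xbe\xef" * 3
    + b"Set-Cookie: sessid=abc123; Path=/\x00"
    + b"ab\x00"                               # shorter than 4 chars: strings skips it
    + b"username=alice&passwd=hunter2\x00"    # constructed credential fragment
    + b"\x00" * 8 + b"https://www.example.test/login\x00"
)

# Keyword dictionary, as in the notes' grep searches (Set-Cookie, passwd) plus URL schemes.
KEYWORDS = ["Set-Cookie", "passwd", "http://", "https://"]

PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"   # run of printable ASCII; minimum length filled in below


def strings(data, min_len=4):
    """Like the strings tool: every run of at least min_len printable ASCII bytes, in dump order."""
    return [m.group().decode("ascii") for m in re.finditer(PRINTABLE_RUN % min_len, data)]


def grep(lines, keyword):
    """Like grep on the strings output: lines containing keyword (case-sensitive)."""
    return [line for line in lines if keyword in line]


def keyword_hits(data, keywords=KEYWORDS, min_len=4):
    """Search the extracted strings against a keyword dictionary, keeping the dump offset of each hit."""
    hits = []
    for m in re.finditer(PRINTABLE_RUN % min_len, data):
        text = m.group().decode("ascii")
        for kw in keywords:
            if kw in text:
                hits.append((m.start(), kw, text))
    return hits


def urls(data):
    """URLs embedded in the dump: scheme followed by non-space printable bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"https?://[\x21-\x7e]+", data)]
```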