32309 DF notes


Upload: mashiibo

Post on 17-Jul-2016





DESCRIPTION

DF Notes incomplete? 2014

TRANSCRIPT

32309 Digital Forensics

Lecture 1

Types of Forensics

Industrial Actions - employment guidelines

Civil Actions - business operations; divorce

Criminal Actions - using a device to commit a crime; stealing the device

Malware Intrusion

Causes of Forensic Incidents

Threats and extortion

Accidents and negligence

Stalking and harassment

Commercial disputes

Disagreements, deceptions, and malpractice

Property rights infringement

Economic crime e.g. fraud, money laundering

Distributing porn

Content abuse

Privacy invasion and theft

Intrusions

Script Kiddies

Black Hat Hackers

Criminals

The Big Boys - governments; employers; military

Digital Forensics (3 forms)

Forensic Analysis - evidence is recovered to support or oppose a hypothesis before a criminal court

eDiscovery - related to civil litigation

Intrusion Detection - specialist investigation into nature and extent of an unauthorised network intrusion

Branches of DF

Computer - examining comp memory and disks

Network - examining network devices and packets

Database - examining database records

Mobile Device

Live Forensics - device is live and attack is current or very recent; capture live evidence before power down

Disk Forensics - device is powered down, or attack is over - want to examine permanent disk or usb storage for traces of the attack

Trusted Media: media of a known state and risk to the examination.

Evidence Triage: prioritization of data for collection and/or analysis

Evidence Preview: initial screening of data to determine relevance to a case

Regional Internet Registries

APNIC

LACNIC

ARIN

RIPE NCC

Order of Volatility
1. CPU Registers, CPU Cache
2. Routing Table, Process table, Memory allocation
3. Temporary File Systems, Swap Space
4. Disks
5. Remote logging (such as syslog)
6. Network Topology, Device Hardware
7. Archived data

Forensic Methods

1. Obtain authority to search

2. Secure and isolate
- locate removable media
- secure mobile devices (Faraday bag)
- collection methods must not alter evidence

3. Record the scene - document and photograph; store on read-only media

4. Conduct a systematic search for evidence - order of volatility

5. Collect and package evidence
- maintain chain of custody > continuity of possession > handlers to testify → CoC form logs when, where, why evidence was transferred. Minimises loss or contamination.
- hash files for digital fingerprint

6. Analyse evidence in a forensic lab – work on copy > image file → raw or in forensic container

7. Prepare forensic report

8. Submit evidence as an expert witness - expert opinion to court

9. Methods challenged

AUTHENTICATION

Identify source of evidence - Human and digital device

- Oral evidence (suspect identifies his laptop)
- Circumstantial evidence
- Digital evidence (private encryption key - compelling)

REPEATABILITY

Copy + Paste vs Cloning: Cloning copies everything including metadata, etc.

Name and version of all tools used must be documented - second investigator able to follow

Locard's EXCHANGE Principle:

- Contact between two items = an exchange
- Between suspect and victim
- Between investigator and crime scene
- PHYSICAL exchange e.g. fingerprint
- DIGITAL exchange e.g. email
- In a computer intrusion, attacker may leave evidence in disk space, log files and Win Registry
- Act of sending an email may leave traces on the sender's hard disk, complete with time stamps

INTEGRITY

- Confirm evidence has not been altered after collection = hash
- Evidence usually kept as disk files > hash files for digital fingerprints once collected
- Hash copy of evidence > should match original's hash → verify the hash before analysis
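The hashing and chain-of-custody steps above (hash at collection, log each hand-over, re-verify the working copy's hash before analysis), as an added Python example that is not part of the lecture notes. The exhibit file, the examiner names and the log record layout are constructed for the illustration; the fingerprint itself is a standard-library SHA-256 computed in chunks so a large image never has to fit in memory.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image need not fit in RAM


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file: the 'digital fingerprint' taken at collection."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(original, copy, algorithm="sha256"):
    """True only when the working copy hashes exactly like the original."""
    return hash_file(original, algorithm) == hash_file(copy, algorithm)


class CustodyLog:
    """Append-only chain-of-custody record (constructed format): when, where, why
    and to whom an item moved, plus the item's hash at each hand-over."""

    def __init__(self, item_id, acquisition_hash):
        self.item_id = item_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def transfer(self, from_person, to_person, location, reason, current_hash):
        entry = {
            "item": self.item_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "from": from_person,
            "to": to_person,
            "where": location,
            "why": reason,
            "hash": current_hash,
            "matches_acquisition": current_hash == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def intact(self):
        """Continuity holds only if every hand-over re-verified the acquisition hash."""
        return all(e["matches_acquisition"] for e in self.entries)


def demo():
    """Build a constructed 'image', copy it, log two transfers and tamper with the
    copy between them. Returns (integrity_ok_before, integrity_ok_after)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "exhibit.img")
        copy = os.path.join(d, "exhibit_working_copy.img")
        with open(original, "wb") as f:
            f.write(b"constructed disk image contents " * 1000)
        with open(original, "rb") as src, open(copy, "wb") as dst:
            dst.write(src.read())

        log = CustodyLog("EXHIBIT-001", hash_file(original))
        log.transfer("Examiner A", "Examiner B", "Lab 2", "analysis", hash_file(copy))
        before = verify_copy(original, copy) and log.intact()

        with open(copy, "r+b") as f:  # a single changed byte breaks the fingerprint
            f.seek(10)
            f.write(b"X")
        log.transfer("Examiner B", "Evidence store", "Lab 2", "return", hash_file(copy))
        after = verify_copy(original, copy) or log.intact()
        return before, after


if __name__ == "__main__":
    print(demo())
```

The second transfer records a hash that no longer matches the acquisition hash, so both the direct comparison and the custody log flag the copy; that is the point of hashing at every hand-over rather than only once.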

Data Integrity

FORENSIC ACQUISITION - 3 Methods:

o RAM dump – copies content from system memory
o Logical copying of files – network systems to removable media
o Physical acquisition of entire system – access to volatile data

- 4 Types – Physical; Logical; Live; Targeted File
- Prove any alterations are minor
- Work on copy of disk → similar disk | image file → raw | forensic container

EVIDENCE CHARACTERISTICS

Traces =
- CLASS – apply to many cases e.g. copy of Word 2007 found on suspect's laptop
- INDIVIDUAL – apply to one case e.g. photoshop's serial number embedded in every image produced

LEVELS OF CERTAINTY

C0 – Evidence contradicts known facts - Incorrect

C1 – Evidence is highly questionable - Highly uncertain

C2 – Only one source of evidence which is not protected against tampering - Somewhat uncertain

C3 – Some tamper protection, some inconsistencies - Possible

C4 – Evidence is tamperproof or there are multiple independent sources of evidence that agree - Probable

C5 – Tamperproof evidence from several independent sources that agree, some minor uncertainties (loss of data, timing uncertainties) - Almost certain

C6 – Tamperproof evidence with a high statistical probability - Certain

Forensic Soundness requires technique that preserves evidence

Lecture 2 – Reconnaissance

Hackers attack Targets for their Value

Threat = attack develops

An attack violates security; exploits a vulnerability

A secure system minimises the risk of a successful attack

Zero-day attack = unexpected; unknown to vendor/public e.g. heartbleed

Data Breaches

Stealing login credentials

Backdoors – local PC or C&C link

SQL Injection – database manipulation

Source of Breach - External; Internal; Business Partner

Principles of Security

Deny by default – not ideal

Defence in depth – Hierarchy

Complex = Insecure

Least privilege principle – need to know – accessibility

Security not obscurity – IIS vs Apache

Types of Attack

Operating System - Buffer overflows in faulty code

Man in the Middle - DNS, DHCP, VPN

Web Applications - SQL Injection - XSS (Cross Site Scripting)

Malware - Virus Writer Apps

HACKING PHASES

Reconnaissance - Monitoring and gathering general info about the client

Scanning - Looking for specific network info - ip addresses, ip ports, software versions

Gaining Access - Cracking passwords, hijacking sessions

Maintaining Access - Installing backdoors and root kits

Clearing tracks - Delete files and cleanout log files

RECONNAISSANCE PHASE

AKA Footprinting - Forming an understanding of the target/client business - Physical presence - Internet presence

Usually passive information gathering - Internet searching → different sources

Can be active (with risk) - Social engineering

Network Information

o Domain Names - DNS registers
o Address blocks - used by a target company
o Active IP addresses - part of scanning, done later
o IP Access Paths - use of Autonomous System Numbers (ASNs), part of BGP routing protocol

Cyber Attacks

Cyber Crime

Hacktivism

Cyber Warfare

Cyber Espionage

Organisation Information
o Employee details
o Company websites
o ABN Register
o Address and phone numbers
o News Articles / Press releases
o Competitive Intel

INTERCEPTING PROXY

PROXY = Man in the Middle

A form of Transparent proxy

Intercepts web traffic between client and server

Allows inspection of Web Sessions

Burp Suite – common example

An extension of Inspection is to modify traffic → gain access to session

Search Techniques

Google hacking – advanced search operators to locate specific strings in text; deleted data in cache
o "#-Frontpage-" inurl:administrators.pwd
o "#-FrontPage-" inurl:(service | authors | administrators | users) ext:pwd
o inurl:"ViewerFrame?Mode=" – live cams

Netcraft Reports

Web crawler robots

Google Earth

People media – Facebook

Competitive Intel – check out a company; bankruptcies

DNS: table of name:ip-number pairs

Copies of often used names cached in local dns server

nslookup tool

- Allows talking to dns server like http for a web page name

- Built into windows and linux (dig)

i. select dns name server to query (or default)

ii. set dns record type desired (default is A)

iii. set web name

iv. send query

>nslookup - server; ip address

>set type=RP - primary name server; responsible mail addr

>set type=ns - default server

>set type=A - name; address
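The four nslookup steps above (choose a server, set the record type, set the name, send the query), as an added Python example that is not from the notes: it builds the same DNS query bytes nslookup sends for an A record and parses a response, entirely offline. The response bytes are constructed here in the form a real resolver returns, including the 0xC00C compression pointer back to the question name; the "choose a server" step would be a UDP socket to port 53 of that server, which this offline example does not open. `QTYPE` lists only the record types the notes mention.

```python
import struct

QTYPE = {"A": 1, "NS": 2, "RP": 17}  # record types named in the nslookup notes


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (label-length wire form)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Step ii-iv: one question, flags 0x0100 = recursion desired, like nslookup."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Return (name, next_offset); follows 0xC0xx compression pointers."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                next_off = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_off if jumped else offset)


def parse_response(msg):
    """Header, skip the echoed question(s), then decode each answer record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE["NS"]:
            value, _ = decode_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# constructed response to build_query("example.com"): same id, flags 0x8180
# (response, RD, RA), one question, one A answer with TTL 300 -> 192.0.2.10
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

Matching the transaction id of the reply against the id you sent is the first check a resolver makes; a reply with a different id is not an answer to your query and should be ignored.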

Find processes running java: listdlls | grep java

Lecture 3 – Cookies

A web server tracks a web client:
- By IP address
- HTTP referrer tag
- Cookie saved on the target

AKA http cookie; web cookie; browser cookie

Web pages transferred over Internet via HTTP → Stateless

Cookies save state (viewer choices) on the client device as a file on disk
- Small, fast/lightweight → resist Denial of Service Attack
- Save state for session key negotiation (Wireless and VPN)
- Personalisation – server remembers last visit
- Data Capture – server remembers requests
- Sales tracking using a shopping basket
- Authentication – no need for password for repeated login

Deleting cookies will disable many websites.

Viewing cookies:
- Websites visited
- Actions taken/pages visited
- Date of first visit
- Date of last visit

Setting Cookies

Web client asks for a web page using http: GET /index.html HTTP/1.1

Web server sets a cookie when it replies: HTTP/1.1 200 OK, Set-Cookie: name=value

Cookie is returned each time page is accessed

Server keeps a log of cookies to track viewers: viewer = ip address + referrer + cookie

Set-Cookie

Server has code to set the cookie

Browser asks for the server page

Server sets the cookie

Cookie file appears on client PC – date in cookie format

COOKIE TYPES

i. Session Cookie - No expiry date, deleted by browser when session ends

ii. Persistent Cookies (tracking cookies) - Expiry date in future

iii. Secure Cookie - Sent encrypted using https

iv. Third Party Cookies (for marketing) - Set from a different URI domain // InPrivate Filtering to stop
- web page tracking used by Advertisers // provide contents → Pay Per Click (PPC) Business Model
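The Set-Cookie exchange and the four cookie types above, as an added Python example that is not from the notes: it parses Set-Cookie headers from a constructed page load, tags each cookie as session or persistent, secure, and third-party (set by a different site than the page the user requested), and builds the Cookie header the browser returns on the next request. The page URL, the ad server and the cookie values are constructed; `site_of` uses a crude last-two-labels rule as a stated simplification, where real browsers use the public suffix list.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """'name=value; Expires=...; Secure' -> (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()  # flags like Secure get an empty value
    return name.strip(), value, attrs


def site_of(url):
    """Crude site key = last two host labels (assumption for the example; production
    code would use the public suffix list so that e.g. co.uk domains work)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def classify_cookie(set_cookie_value, set_by_url, page_url):
    """Tag a cookie with the types from the notes: session or persistent (expiry
    given), secure (https only), third-party (origin differs from the page's site)."""
    name, value, attrs = parse_set_cookie(set_cookie_value)
    types = ["persistent" if ("expires" in attrs or "max-age" in attrs) else "session"]
    if "secure" in attrs:
        types.append("secure")
    if site_of(set_by_url) != site_of(page_url):
        types.append("third-party")
    return {"name": name, "value": value, "types": types,
            "domain": attrs.get("domain") or urlsplit(set_by_url).hostname,
            "expires": attrs.get("expires") or attrs.get("max-age")}


def cookie_request_header(cookies):
    """What the browser sends back on its next request to that site."""
    return "Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in cookies)


# constructed page load: the page's own server sets a session cookie, an embedded
# ad server sets a persistent, https-only tracking cookie
PAGE = "https://www.example.com/index.html"
SAMPLE_EXCHANGE = [
    ("Set-Cookie: sid=abc123; Path=/", PAGE),
    ("Set-Cookie: track=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
     "https://ads.tracker.example/pixel.gif"),
]


def classify_all(exchange=SAMPLE_EXCHANGE, page_url=PAGE):
    return [classify_cookie(hdr.split(":", 1)[1].strip(), origin, page_url)
            for hdr, origin in exchange]


if __name__ == "__main__":
    for c in classify_all():
        print(c)
    print(cookie_request_header(classify_all()[:1]))
```

The third-party decision cannot be made from the Set-Cookie header alone; it needs the URL of the page the user actually asked for, which is why the classifier takes both origins.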

Browser Storage:
- IE folder → C:\Users\...\AppData\Roaming\Microsoft\Windows\Cookies
  Win+R; 'Shell:Cookies'
  'Low' folder → UAC activated [Control Panel > Action Centre]
  Database: Index.dat → Pasco viewer
  o Another Index.dat is used to index web browser history files
- Mozilla → C:\Users\...\AppData\Roaming\Mozilla
  Database: sqlite → sqlite manager add-on

Urchin Tracking Modules

UTMA – Visitor Identifier: tracks dates and visits

UTMB – 30 Minute session identifier

UTMC – On exit identifier

UTMV – Custom variable cookie

UTMZ – Visitor segmentation: tracks the user

Temporary Internet Files

http allows web browsers to cache recently visited webpages.

When viewer revisits page, http checks date on cached page and decides to show cached copy or refresh page from server.

Caching cuts down web traffic and speeds webpage rendering.

Location chosen by webpage layout engine: IE : Trident; Firefox : Gecko; Chrome : Blink

Web History

InPrivate Browsing (IE) - protects against local and web attack; hides web history data

Recovery
- Volatile memory: system history & process history
- Disk: temporary files (incl. cached) & swap files
- Local DNS server cache

Lecture 4a – Network Based Evidence

The Network – All internet packets are available at the edge router.

The TCP Session

- Setup by three way handshake using flags
- Uses sequence number to provide resend of lost or damaged packets
- Torn down by a three way close

TCP Session Sequence

i. Setup Phase: various options negotiated between server and client

ii. Data Transfer Phase: often encrypted

iii. Session Teardown: Either side may initiate process

B/C: indicate session expired

Network Activity Protocols

Device Start-up - dhcp

Device Connection - ssh | telnet

Background noise - switch STP, routing protocols (OSPF), windows AD

User Activity - access website, send/receive email, access work connection (VPN)

Intruder Activity - as above, back-door

Attack on a Digital Device can be performed in person or over the digital network. A Network Attack:

- Open trapdoor on target device
- Contact target device from a remote device
- Exchange network packets to install snooping software, then retrieve sensitive information such as passwords

Network Intrusion Detection:

- Special Intrusion detection hardware – IDS/IPS
- Equip firewall with IDS features
- Have Network based IDS to examine all network packets
- Have Host based IDS to examine local network activity
- Record network activity in local log files
- Use local Firewall/Virus Scanner

Locating Network Evidence:

Suspect’s device – file folders, cache, swap files

Local network – proxies, firewalls, IDS

ISP – proxies, firewalls

Remote website – logs

Access Website Sequence

Dns request

http handshake: browser details, server details

html handshake: style sheets, javascript

page display: images, gifs, pngs

SSL: SSL Certificate Exchange – requires authentication, trusted certs issued by Certificate Authority (CA)

Plug-ins: flash

Extras: cookies, hit counters, page tracking, ASP.Net

NBE – 4 broad methods

1. Full Content data - examine every packet
2. Session data - examine TCP session data
3. Alert data - examine errors and exceptions
4. Statistical data - examine unusual events

NBE Tools

Best tools run on Linux FreeBSD

TCPDump → full content capture

Winpcap → Windows version of libpcap

Packets analysed using Wireshark or Snort – online or from packet dump

TCPView → session data

Snort → provide alert data in addition to the IPS

Full Content Data
o Every bit of every packet
o On Ethernet or wireless
o Need a packet capture library (libpcap) on device network interface
o Wireshark
o Usually used only after an intrusion
o Extensive disk space used
o Excellent evidence - can detect attack on other systems; can expose advanced attacks
o Encrypted packets a problem

Session Data

o Derived from TCP sessions
o Available during initial intrusion
o Indicates time, date and parties involved
o Can see intrusion sequence
o Look for strange IP addresses
o Look for unusual ports in use, e.g. IRC
o High traffic could indicate file transfer
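Session data as described above (time, date and parties, the handshake and teardown sequence, and the checks for unusual ports and high traffic), as an added Python example that is not from the notes. It collapses per-packet header summaries into per-session records and then applies the two checks. The capture is constructed: one ordinary web fetch and one long session to the IRC port with a large transfer back to the client; the baseline of "usual" server ports and the byte threshold are assumptions that a real deployment would set from its own normal profile.

```python
# assumptions for the example: a per-site baseline of expected server ports and
# the byte count above which a session is worth a second look
USUAL_PORTS = {22, 25, 53, 80, 443, 993}
HIGH_VOLUME_BYTES = 1_000_000


def pkt(t, src, sport, dst, dport, flags, length):
    """One packet summary: flags as letters S/A/F/R/P, length = payload bytes."""
    return {"time": t, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "len": length}


def session_key(p):
    """Direction-independent 4-tuple so both halves of a session land together."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a < b else (b, a)


def reconstruct_sessions(packets):
    """Collapse packets into per-session records: parties, times, phases, bytes."""
    sessions = {}
    for p in sorted(packets, key=lambda x: x["time"]):
        key = session_key(p)
        s = sessions.setdefault(key, {
            "client": key[0], "server": key[1],   # corrected once a SYN is seen
            "start": p["time"], "end": p["time"], "phases": [],
            "to_server": 0, "to_client": 0})
        s["end"] = p["time"]
        f = p["flags"]
        if "S" in f and "A" not in f:            # handshake step 1: SYN names the client
            s["client"] = (p["src"], p["sport"])
            s["server"] = (p["dst"], p["dport"])
            s["phases"].append("setup")
        elif "A" in f and "S" not in f and p["len"] == 0 and s["phases"] == ["setup"]:
            s["phases"].append("established")     # step 3 (the SYN/ACK in between is step 2)
        if p["len"]:
            if (p["dst"], p["dport"]) == s["server"]:
                s["to_server"] += p["len"]
            else:
                s["to_client"] += p["len"]
            if "data" not in s["phases"]:
                s["phases"].append("data")
        if "F" in f and "teardown" not in s["phases"]:
            s["phases"].append("teardown")
        if "R" in f and "reset" not in s["phases"]:
            s["phases"].append("reset")
    return sessions


def review_sessions(sessions):
    """The two checks the notes list for session data: strange ports, large transfers."""
    findings = []
    for s in sessions.values():
        if s["server"][1] not in USUAL_PORTS:
            findings.append(("unusual port", s["client"], s["server"]))
        if s["to_server"] + s["to_client"] >= HIGH_VOLUME_BYTES:
            findings.append(("high volume", s["client"], s["server"]))
    return findings


# constructed capture: a normal web fetch, then a session to an IRC port that
# pulls 2 MB back to the client
SAMPLE_CAPTURE = [
    pkt(0.000, "10.0.0.5", 51000, "192.0.2.80", 80, "S", 0),
    pkt(0.010, "192.0.2.80", 80, "10.0.0.5", 51000, "SA", 0),
    pkt(0.011, "10.0.0.5", 51000, "192.0.2.80", 80, "A", 0),
    pkt(0.012, "10.0.0.5", 51000, "192.0.2.80", 80, "PA", 120),
    pkt(0.050, "192.0.2.80", 80, "10.0.0.5", 51000, "PA", 4200),
    pkt(0.060, "10.0.0.5", 51000, "192.0.2.80", 80, "FA", 0),
    pkt(0.070, "192.0.2.80", 80, "10.0.0.5", 51000, "FA", 0),
    pkt(5.000, "10.0.0.5", 51001, "198.51.100.7", 6667, "S", 0),
    pkt(5.010, "198.51.100.7", 6667, "10.0.0.5", 51001, "SA", 0),
    pkt(5.011, "10.0.0.5", 51001, "198.51.100.7", 6667, "A", 0),
    pkt(5.012, "10.0.0.5", 51001, "198.51.100.7", 6667, "PA", 60),
    pkt(9.000, "198.51.100.7", 6667, "10.0.0.5", 51001, "PA", 2_000_000),
]

if __name__ == "__main__":
    sessions = reconstruct_sessions(SAMPLE_CAPTURE)
    for key, s in sessions.items():
        print(s["client"], "->", s["server"], s["phases"], s["to_server"], s["to_client"])
    print(review_sessions(sessions))
```

Session records of this shape are what you get from a flow tool rather than from full content capture, which is why they remain useful when the payload is encrypted: the ports, parties, timing and byte counts are visible even when the data is not.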

Alert Data
o When IDS/IPS sees a packet that matches a virus signature or an intrusion rule → alert
o Tune IPS for best results and:
- Avoid false positives - an event incorrectly identified by IDS as intrusion when none has occurred
- Avoid false negatives - an event IDS fails to identify as intrusion when one has occurred
- Watch a back door

Statistical Data
o Measure health and performance of a network
o Need a normal profile
o Can show variations - top ten websites, unusual web addresses and ports, which processes/services transfer most data
o Immune to encryption - encryption hides packet content but does not affect statistical data

Accessing the Wire (2 Methods)

i) Place pcap device on wire between edge router and firewall a. Use a hub; or b. Two interface cards as a bridge

ii) Use a Switch running SPAN Switch Port Analyser – built into cisco switches

WIRESHARK to baseline device NBE

Data Sources
- Packets can come live from a device – from a pcap on network adaptor
- Packets can come from a pcap file – wireshark, tcpdump, dumpcap, text2pcap, other capture prog.

Accessing a Web Site
1. Identify web site
2. Start packet capture
3. Access website – may involve website cache
4. Stop capture
5. Analyse results
- Conversations for ip addresses involved
- Statistics to identify protocols
- Reassembly of webpages visited

Evidence of Accessing a Web Site
- Browser/server http handshake
- CSS & JavaScript download
- Page download – text, gifs, jpegs || some may come from local cache
- Plug-ins started
- Cookies downloaded
- External Page Tracking

Searching a pcap for URLs: use grep or wireshark, or a python script – search for words that match a keyword dictionary.

Lecture 4b – CPU and Memory

CPU executes instructions to perform actions on data
o Instructions are kept in memory as program segments
o Data is also kept in memory as data segments
o Memory in RAM is volatile unlike disk storage

Memory
o Physical Address Extension (PAE) allows access to more RAM
o Memory Management Unit (MMU) handles memory requests
o Translation Lookaside Buffer (TLB) may hold memory data
o Direct Memory Access (DMA) devices like graphic cards

Data Structures in Memory
- Arrays – usually fixed size
- Bit Maps – sparse arrays (e.g. tcp ports in use)
- Records – name:value pairs
- Strings – often 00 terminated
- Linked lists
- Hash tables
- Hierarchical trees

Operating System Modes
o Kernel Mode – core OS
- Can access most of the RAM
- Includes many drivers
- All kernel mode processes can see each other's RAM
o User Mode – user apps
- RAM access is restricted
- Each user mode process runs in own sandbox
- User mode process cannot access kernel mode RAM

Protocols in Wireshark

SSH – remote site log on

VPN – ISAKMP, ESP, AH

SSL – X.509 Certs / accessing a bank website

802.11 – using Wireless

SIP – using VOIP

Processes
o Is a running program launched from an exe
o Every task in a PC runs as a process
o Forensics examine processes to locate evidence

Process Startup

- Task Manager → how start, publisher, when written - Task List (built in Windows) - PsList (SysInternals)

Memory Process Footprint - each process has artifacts that identify it in RAM:

- Open file handles - Recent dlls used - Memory mappings - Network connections (sockets) - Privileges

Task Manager | Linked List

o Keeps track of processes (tasks)
o Uses linked list of nodes
o Each node in the list has a value and a pointer to next node → last node linked to a terminator

Listing Processes
o Task Manager displays list of processes - starts at PsActiveProcessHead → links to each _EPROCESS structure → active processes displayed
o Executive Process list has more processes - Active, Hidden, Deleted
o Some tools can dump all these
o A virus can hide an evil process by manipulating the list
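The process list walk and the "some tools can dump all these" point above, as an added Python example that is not from the notes. It models the active process list as a circular doubly linked list headed by a sentinel standing in for PsActiveProcessHead, simulates the list manipulation the notes warn about by pointing a node's neighbours past it, and then shows the detection: compare what a list walk reports with what a scan of every process-shaped object still in memory finds (the cross-view check memory tools perform). The `Eprocess` class is a toy with only the fields the example needs, not the real Windows structure.

```python
class Eprocess:
    """Toy stand-in for a Windows _EPROCESS node (assumption: only pid, name and
    the two ActiveProcessLinks pointers; the real structure has many more fields)."""

    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = None


def build_process_list(entries):
    """Circular doubly linked list headed by a sentinel (the PsActiveProcessHead
    role). Also returns `pool`, every node ever allocated, standing in for the
    memory a pool scanner can still read whether or not a node is linked."""
    head = Eprocess(None, "PsActiveProcessHead")
    head.flink = head.blink = head
    pool = []
    for pid, name in entries:
        node = Eprocess(pid, name)
        last = head.blink
        last.flink = node
        node.blink = last
        node.flink = head
        head.blink = node
        pool.append(node)
    return head, pool


def walk_active_list(head):
    """What Task Manager effectively shows: follow flink from the head until it wraps."""
    out, node = [], head.flink
    while node is not head:
        out.append((node.pid, node.name))
        node = node.flink
    return out


def simulate_unlink(node):
    """The manipulation the notes describe: neighbours point past the node, the
    node's own memory is untouched, so a list walk no longer visits it."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink


def scan_pool(pool):
    """Pool-scan view: every _EPROCESS-shaped object still in memory, linked or not."""
    return [(n.pid, n.name) for n in pool]


def hidden_processes(head, pool):
    """Cross-view detection: anything the scan finds that the list walk misses."""
    listed = set(walk_active_list(head))
    return [p for p in scan_pool(pool) if p not in listed]


if __name__ == "__main__":
    # constructed process table
    head, pool = build_process_list([(4, "System"), (500, "svchost.exe"), (1337, "hidden.exe")])
    simulate_unlink(pool[2])
    print("list walk :", walk_active_list(head))
    print("pool scan :", scan_pool(pool))
    print("hidden    :", hidden_processes(head, pool))
```

The cross-view comparison is the general detection idea: any single data structure can be edited by code running in the kernel, so tools reconcile several independent views (the linked list, pool allocations, handle tables, thread lists) and treat disagreement as the signal.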

Windows DLLs

o Dynamic Link Library - piece of code that can be shared by one or more processes
o Stored on disk in windows
o Difficult to spot malware introduced dll - can also alter existing dll → can detect by examining dll hash
o View running dlls → Listdlls | Tasklist

Listdlls shows how a process was launched: >listdlls cmd | grep -A2 pid

Viewing dll version detail: >listdlls -v > process_detail.txt

Viewing with Tasklist: tasklist /m /fi "imagename eq cmd.exe"

/m = list modules

/fi = filters by name or PID

Services
o Long running processes
o No user interface
o Many services start automatically at boot
o Similar to daemons in linux
o Some used for networking → webclient; Remote Procedure Calls (rpc)
o Can be run by Service Host Processes: svchost.exe
o See running services, call service controller sc with query ex(tended) option: sc queryex > services.txt
o See processes running services: tasklist /svc

Windows Memory

o Memory accesses faster than disk accesses
o Process opens files → contents into memory → decodes encryption (ssl & vpn) in mem | passwords also in memory
o Memory data can be: incomplete, randomly organised, partly overwritten, repeated in different locations, changed by memory managers at any instant
o Dump Memory = win32dd.exe → large and may interfere with Memory Managers
o Analyse with Volatility (Python add-on) for Windows, Linux, Mac OSX, & Android ARM - Volatility can recover → process lists, network connections, passwords and web sessions
o May also contain: parts of Win Registry, parts of Disk File Table, terminated processes, malware

Memory Addressing

i. Request to read virtual address
ii. Translate to physical memory address
iii. Translate to file offset, decompress (if necessary)
iv. Seek to and read from file offset

Searching Process Memory

Process Memory Dump = Task Manager; cmd tool → dp.exe or ProcDump

Strings to extract text in binary dump: strings iexplore.dmp > iexplore.txt

Search text file: grep passwd iexplore.txt

Look for cookies: grep Set-Cookie iexplore.txt

Virtual Memory = not enough RAM for CPU to access all its programs in → unused RAM swapped to disk files

Memory on Disk → virtual memory page files (25% of RAM); hibernation files (75% of RAM); win8 swap files; crash files == C:\pagefile.sys ; hiberfil.sys ; swapfile.sys
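The strings-then-grep step above, as an added Python example that is not from the notes: it implements what strings(1) does (runs of printable ASCII of at least four characters) and, because Windows process memory holds most text as UTF-16LE, also recovers those runs, then filters the result for the keywords the notes grep for. The memory dump is a constructed byte string standing in for a process dump, and the keyword list is an assumption for the example.

```python
import re


def extract_strings(blob, min_len=4):
    """Like strings(1): runs of printable ASCII, plus UTF-16LE runs, which Windows
    process memory is full of. Returns (offset, encoding, text) sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(blob)]
    return sorted(found)


def grep_strings(strings, keywords):
    """Case-insensitive keyword filter: the 'grep passwd' / 'grep Set-Cookie' step."""
    wanted = [k.lower() for k in keywords]
    return [s for s in strings if any(k in s[2].lower() for k in wanted)]


# constructed stand-in for a process memory dump: a header, an HTTP response
# fragment, a UTF-16LE string, a request line, and non-printable noise
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Set-Cookie: sid=abc123; Path=/\r\n"
    + b"\x01\x02\x03" * 3
    + "Password=".encode("utf-16-le") + b"\xff\xfe"
    + b"GET /login HTTP/1.1\r\n"
    + bytes(range(32))
)

# assumption for the example: the terms an examiner would search a dump for
KEYWORDS = ["passwd", "password", "set-cookie"]


def search_dump(dump=SAMPLE_DUMP, keywords=KEYWORDS):
    return grep_strings(extract_strings(dump), keywords)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:6d} {enc:5s} {text}")
    print(search_dump())
```

Plain strings(1) without its wide-character option would report only the ASCII runs here, which is why the UTF-16 pass matters for Windows dumps; the offsets let you go back to the raw dump and look at what surrounds a hit.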