790 likes | 1.1k Views
Forensics Book 4: Investigating Network Intrusions and Cybercrime. Chapter 1: Network Forensics and Investigating Logs. Objectives. Look for evidence Perform an end-to-end forensic investigation Use log files as evidence Evaluate log file accuracy and authenticity
E N D
Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 1: Network Forensics and Investigating Logs
Objectives • Look for evidence • Perform an end-to-end forensic investigation • Use log files as evidence • Evaluate log file accuracy and authenticity • Understand the importance of audit logs
Objectives (continued) • Understand syslog • Understand Linux process accounting • Configure Windows logging • Understand NTP
Case Example • In August 2005, a Moroccan named Farid Essebar and a Turk named Atilla Ekici were arrested in their respective home countries on the charges of creating and distributing the Zotob, Rbot, and Mytob worms • The Mytob worm affected a wide range of Windows systems, including Windows NT, 2000, XP, and Server 2003 • The Zotob worm affected the systems of corporate giants, such as the New York Times Company, CNN, ABC News, Caterpillar Inc., and General Electric Co • Within 12 days of the release of the worm, the culprits were arrested
Introduction to Network Forensics and Investigating Logs • This module: • Focuses on network forensics and investigating logs • Starts by defining network forensics and describing the tasks associated with a forensic investigation • Covers log files and their use as evidence • Concludes with a discussion about time synchronization
Network Forensics • Network forensics • The capturing, recording, and analysis of network events in order to discover the source of security attacks • Capturing network traffic over a network is simple in theory, but relatively complex in practice • Because recording network traffic involves a lot of resources, it is often not possible to record all of the data flowing through the network
Analyzing Network Data • The most critical and most time-consuming task • There are not enough automated analysis tools that an investigator can use for forensic purposes • There is no foolproof method for discriminating bogus traffic generated by an attacker from genuine traffic • Network forensics can reveal the following: • How an intruder entered the network • The path of intrusion • The intrusion techniques an attacker used • Traces and evidence
The Intrusion Process • Network intruders can enter a system using the following methods: • Enumeration • Vulnerabilities • Viruses • Trojans • E-mail infection • Router attacks • Password cracking
Looking for Evidence • An investigator can find evidence from: • The attack computer and intermediate computers • Firewalls • Internetworking devices • The victim computer
End-to End Forensic Investigation • Involves following basic procedures from beginning to end • Some of the elements of an end-to-end forensic trace: • The end-to-end concept • Locating evidence • Pitfalls of network evidence collection • Event analysis
Log Files as Evidence • Log files • Primary recorders of a user’s activity on a system and of network activities • Provide clues to investigate • Basic problem with logs: they can be altered easily • An investigator must be able to prove in court that logging software is correct • Computer records are not normally admissible as evidence • Must meet certain criteria to be admitted at all
Legality of Using Logs • Legal issues involved with creating and using logs: • Logs must be created reasonably contemporaneously with the event under investigation • Log files cannot be tampered with • Someone with knowledge of the event must record the information • Logs must be kept as a regular business practice • Random compilations of data are not admissible • Logs instituted after an incident has commenced do not qualify under the business records exception • If an organization starts keeping regular logs now, it will be able to use the logs as evidence later
Legality of Using Logs (continued) • Legal issues: (continued) • A custodian or other qualified witness must testify to the accuracy and integrity of the logs • A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used • Including the logging software • A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence • If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspected
Legality of Using Logs (continued) • Legal issues: (continued) • In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization • An organization’s own logging and monitoring software must be made available to the court • So that the defense has an opportunity to examine the credibility of the records • The original copies of any log files are preferred • A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors come equipped with USB or SCSI interfaces
Examining Intrusion and Security Events • Monitoring for intrusion and security breach events is necessary to track down attackers • Examining intrusion and security events includes both passive and active tasks • Post-attack detection or passive intrusion detection • Detection of an intrusion that occurs after an attack has taken place • Inspection of log files is the only medium that can be used to evaluate and rebuild the attack techniques • Usually involve a manual review of event logs and application logs
Examining Intrusion and Security Events (continued) • Active intrusion detection • Detects attack attempts as soon as the attack takes place • Administrator or investigator follows the footsteps of the attacker and looks for known attack patterns or commands • Intrusion detection • Process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data • There are various types of intrusions
Using Multiple Logs as Evidence • Recording the same information in two different devices makes the evidence stronger • Logs from several devices collectively support each other • Firewall logs, IDS logs, and TCPDump output can contain evidence of an Internet user connecting to a specific server at a given time
Maintaining Credible IIS Log Files • Questions before presenting IIS logs in court: • What would happen if the credibility of the IIS logs was challenged in court? • What if the defense claims the logs are not reliable enough to be admissible as evidence? • Investigator must secure the evidence and ensure that it is accurate, authentic, and accessible • In order to prove that the log files are valid: • Investigator needs to present them as acceptable and dependable by providing convincing arguments, which makes them valid evidence
Maintaining Credible IIS Log Files (continued) • Log file accuracy • The accuracy of IIS log files determines their credibility • Accuracy here means that the log files presented before the court of law represent the actual outcome of the activities related to the IIS server being investigated • Logging everything • In order to ensure that a log file is accurate, a network administrator must log everything • IIS logs must record information about Web users
Maintaining Credible IIS Log Files (continued) • Extended logging in IIS server • Limited logging is set globally by default • So any new Web sites created have the same limited logging • An administrator can change the configuration of an IIS server to use extending logging
Keeping Time • With the Windows Time service, a network administrator can synchronize IIS servers by connecting them to an external time source • Using a domain makes the time service synchronous to the domain controller
Maintaining Credible IIS Log Files (continued) • UTC Time • IIS records logs using UTC time, which helps in synchronizing servers in multiple zones • Windows offsets the value of the system clock with the system time zone to calculate UTC time • A network administrator can verify a server’s time zone setting by looking at the first entries in the log file
Maintaining Credible IIS Log Files (continued) • Avoiding missing logs • When an IIS server is offline or powered off, log files are not created • When a log file is missing, it is difficult to know if the server was actually offline or powered off, or if the log file was deleted • To combat this problem, an administrator can schedule a few hits to the server using a scheduling tool
Maintaining Credible IIS Log Files (continued) • Log file authenticity • IIS log files are simple text files that are easy to alter • The date and time stamps on these files are also easy to modify • They cannot be considered authentic in their default state • Logs should be moved to a master server and then moved offline to secondary storage media such as a tape or CD-ROM
Maintaining Credible IIS Log Files (continued) • Working with copies • Investigator should create copies before performing any post-processing or log file analysis • When using log files as evidence in court, an investigator is required to present the original files in their original form • Access control • In order to prove the credibility of logs, an investigator or network administrator needs to ensure that any access to those files is audited • The investigator or administrator can use NTFS permissions to secure and audit the log files
Maintaining Credible IIS Log Files (continued) • Chain of custody • The chain of custody must be maintained for log files • When an investigator or network administrator moves log files from a server, and after that to an offline device, he or she should keep track of where the log file went and what other devices it passed through • IIS centralized binary logging • Process in which many Web sites write binary and unformatted log data to a single log file • A parsing tool is required to view and analyze the data • Decreases the amount of system resources that are consumed during logging
Maintaining Credible IIS Log Files (continued) • ODBC logging • Records a set of data fields in an ODBC-compliant database like Microsoft Access or Microsoft SQL Server • When ODBC logging is enabled, IIS disables the HTTP.sys kernel-mode cache • Tool: IISLogger • Provides additional functionality on top of standard IIS logging • Produces additional log data and sends it using syslog • IISLogger is an ISAPI filter that is packaged as a DLL embedded in the IIS environment
Maintaining Credible IIS Log Files (continued) Figure 1-1 IISLogger provides additional IIS logging functionality.
Importance of Audit Logs • Reasons audit logs are important: • Accountability • Reconstruction • Intrusion detection • Problem detection
Syslog • Syslog • A combined audit mechanism used by the Linux operating system • Permits both local and remote log collection • Allows system administrators to collect and distribute audit data with a single point of management • Controlled on a per machine basis with the file /etc/syslog.conf • The format of configuration lines is: • facility.level <Tab><Tab> action
Syslog (continued) • Primary advantage of syslog • All reported messages are collected in a message file • Logging priorities can be enabled by configuring /var/log/syslog • Remote logging • Centralized log collection makes simpler both day-to-day maintenance and incident response • Causes the logs from multiple machines to be collected in one place • Advantages include more effective auditing, secure log storage, easier log backups, and an increased chance for analysis across multiple platforms
Syslog (continued) • Log replication may also be used to audit logs • Log replication copies the audit data to multiple remote-logging hosts • Preparing the server for remote logging • Central logging server should be set aside to perform only logging tasks • Server should be kept in a secure location behind the firewall • Make sure that no unnecessary services are running on the server • Delete any unnecessary user accounts
Syslog (continued) • Configuring remote logging • Run syslogd with the -r option on the server that is to act as the central logging server • Allows the server to receive messages from remote hosts via UDP • Three files that must be changed: • /etc/rc.d/init.d/syslog • /etc/sysconfig/syslog • /etc/services • A reference should appear in the var/log/messages file indicating that the remote syslog server is running • The syslog server can be added to the /etc/syslogd.conf file in the client
Tool: Syslog-ng • A flexible and scalable audit-processing tool • Offers a centralized and securely stored log for all the devices on a network • Features of Syslog-ng: • Guarantees the availability of logs • Compatible with a wide variety of platforms • Used in heavily firewalled environments • Offers proven robustness • Allows a user to manage audit trails flexibly • Has customizable data mining and analysis capabilities • Allows a user to filter based on message content
Tool: Syslog-ng (continued) Figure 1-2 An administrator can use Syslog-ng to manage logs for all devices on a network.
Tool: Syslog-ng (continued) • Tool: Socklog • Small and secure replacement for syslogd • Runs on Linux (glibc 2.1.0 or higher, or dietlibc), OpenBSD, FreeBSD, Solaris, and NetBSD • Tool: Kiwi Syslog Daemon • Freeware syslog daemon for Windows • Receives logs and displays and forwards syslog messages from routers, switches, UNIX hosts, and any other syslog-enabled device
Tool: Syslog-ng (continued) Figure 1-3 Kiwi Syslog Daemon offers administrators a wealth of customizable options.
Tool: Microsoft Log Parser • A powerful, versatile, robust command-line tool • Offers a SQL interface to various log file formats • Fast enough for log file analysis of many Web sites • Features of Microsoft Log Parser: • Enables a user to run SQL-like queries against log files of any format • Produces the desired information either on the screen, in a file, or in a SQL database • Allows multiple files to be piped in or out as source or target tables • Generates HTML reports and MS Office objects • Supports conversion between SQL and CSV formats
Tool: Microsoft Log Parser (continued) Figure 1-4 Microsoft Log Parser allows a user to analyze log files using SQL-like queries.
Tool: Microsoft Log Parser (continued) • Microsoft Log Parser Architecture • Log Parser provides a global query access to text-based data such as IIS log files, XML files, text files, and CSV files, and key data sources like the Windows Event Log, the registry, the file system, user plug-ins, and Active Directory • Operating systems for Microsoft Log Parser: • Windows 2000 • Windows Server 2003 • Windows XP Professional
Tool: Firewall Analyzer • Web-based firewall monitoring and log analysis tool • Collects, analyzes, and reports information on enterprise-wide firewalls, proxy servers, and RADIUS servers • Features of Firewall Analyzer include: • Bandwidth usage tracking • Intrusion detection • Traffic auditing • Anomaly detection through network behavioral analysis • Web site user access monitoring
Tool: Firewall Analyzer (continued) Figure 1-5 This is the main screen of Firewall Analyzer.
Tool: Adaptive Security Analyzer (ASA) Pro • Security and threat intelligence application • Continuously monitors dynamic, high-volume, heterogeneous security-related data • Recognizes and quantifies the extent of event abnormality • Advises security personnel of the factors that contributed most to the event’s classification • Features of ASA Pro include: • Accelerates threat response • Has improved preemptive capabilities • Expands resource capacity • Maximizes return on security and other IT assets
Tool: Adaptive Security Analyzer (ASA) Pro (continued) Figure 1-6 ASA Pro provides extensive details about security events.
Tool: GFI EventsManager • Collects data from all devices that use Windows event logs, W3C, and syslog • Applies rules and filtering to identify key data • Provides administrators with real-time alerting when critical events arise • Suggests remedial action
Tool: GFI EventsManager (continued) • Features of GFI EventsManager: • Network-wide analysis of event logs • Explanations of cryptic Windows events • Centralized event logging • High-performance scanning engine • Real-time alerts • Advanced event filtering features • Report viewing for key security information happening on the network
Tool: GFI EventsManager (continued) • How does GFI EventsManager work? • GFI EventsManager divides the events management process in two stages: • Event collection • Event processing
Tool: GFI EventsManager (continued) Figure 1-7 GFI EventsManager manages events in two stages.
Tool: Activeworx Security Center • Security information and event management product • Monitors security-related events for a variety of devices from one central console • Allows for the discovery of threats, the correlation of relevant security information, and the analysis of vulnerabilities and attacks • Provides intelligence for security personnel to act upon
Tool: Activeworx Security Center (continued) Figure 1-8 GFI EventsManager manages events in two stages.