410 likes | 507 Views
Low Level Host Examinations. Non-Destructive Actions. Fdisk Chkdsk Dir Redirection Type. Normal to have access in past 24 hours Last person on system Normal work hours Need to work outside established hours Work patterns Time of incident System backed up Time with organization
E N D
Non-Destructive Actions • Fdisk • Chkdsk • Dir • Redirection • Type
Normal to have access in past 24 hours Last person on system Normal work hours Need to work outside established hours Work patterns Time of incident System backed up Time with organization Any different behavior Any changes to network or problems Access level to systems/applications Any changes to work area Non-US citizen Access logs into building/garage User ID and PW Any reprimands Contractor access Who had access to area Educational and computer expertise of individuals What is work of organization Who noticed? Who reported? Anything touched Who knows of incident Copy of security policies and procedures Why is this a problem Purchasing record of system(s) and base configuration Diagram of network architecture Names and contact info for experts/supervisors Describe evidence collection procedures Backups to system System re-imaged or new versions installed New applications added to system Any new rights issued for systems/applications Any disgruntled employees First responder Concerns
Lockard’s Exchange Principle Anyone, or anything, entering a crime scene takes something of the crime scene with them. They also leave behind something of themselves when they depart.
Evidence on the Hard Drive • Hard disk drives • Files • Erased files • File slack • Hidden partitions • Encrypted files • Compressed data (zip) • Windows swap file • Windows temp files • Application temp files • Encrypted files • Hidden files/folders
FBI Investigations • Check records, logs, and documentation • Interview personnel • Conduct surveillance • Prepare a search warrant • Search the suspect’s premises • Seize evidence
Analysis of the Evidence • Identify & document evidence of criminal violations • Intelligence gathering from other sources • Tie media to computers • Identify email & Internet browsing patterns tied to criminal activity • Identify associates • Identify time lines • Identify weaknesses in case • Audit issues regarding violations of corporate policy • Discover evidence for civil or criminal cases • Identify source of trade secret thefts & abuses • Misuse of Internet access • Locate trade secrets
Just "Look" • You can just look at a person's • workspace--Passwords are too • often out in plain view: • - Taped to the monitor • - Written on the desktop • - In the Rolodex file • - On a "Post-It" note
Workstation Policies • Perform a physical audit • Tag & inventory all physical computing resources • Policies address use of PDAs, storage devices, and laptops • Responsibility for stolen devices • How hardware/software is used at home • Technicians & passwords • Help desk reports • No downloads or software installs • Prohibit running executable files received as e-mail attachments • Bitstream back-up entire contents of hard disk(s) when employee leaves/terminated
Preparing a Case • Comments to law enforcement are “on the record” • Know your loss • Have documentation of the case • Gather and deliver physical evidence • Use legal counsel that can explain the law • Describe the investigation • Have only one set of notes • Conduct the investigation in secret • Time is of the essence
Incident Response Implementation Detection of incidentInitial responseResponse strategy formulationInvestigationIsolate and containRecoveryReportLessons learned
Why Use a Methodology? A formal methodology allows an investigator to approach and investigate a computer crime rationally and expeditiously, without a loss of thoroughness. More importantly, it establishes a protocol by which electronic evidence (physical and logical) is gathered and handled, to reduce the potential for this evidence to be corrupted or tainted. Timothy Wright
Low Hanging Fruit • Internet history files • Check cookies for subscription services passwords • Review of directories & files with simple DOS commands • Check processes • .BAK & .DAT files on PDAs • Paraben forensics tools for PDAs
Tools • Make sure virus free • NIST certified virus checker • Use same software versions for each investigation (do not change in middle) • CHKDSK identifies orphan clusters • SYSINFO documents system • FDISK documents # and size of partition • Start up disk (bootable) • Use only licensed software • Copy drivers to start-up disk (Parallel, IDE, SCSI) • Config.sys for devices • Check peer-to-peer access for storage on another medium • GetTime grabs date and time • Disklocking programs (floppylock, writeblock,diskblock) • Ribbon cable for hook up to HD
Are There Limits? All of the computer hardware, software and media that a suspect might have access to at his job, is probably owned by the employer. Seizures do not need to adhere to Fourth Amendment
Approaching a Scene • Permission to process PC • Pictures to document scene • Pull plug from in back not wall (picture first) • Remove all connections & label • Pulling plug does not change state of hard drive but a shut down will!
Preliminary Preparation • Accumulate the packaging and materials • Prepare the log for documentation of the search • Ensure IRT is aware of forms of evidence & proper handling materials • Evaluate the current legal ramifications of crime scene searches • Discuss the search with involved personnel before arrival at the scene • Identify a person-in-charge prior to arrival at the scene • Assess the personnel assignments normally required to process a crime scene successfully
Reviewing The Surroundings • Desktops • Monitors • Next to telephones • In wallets or purses • Electronic pocket organizers • In a suspect's pocket • Trash can • Inside of books and manuals • Taped underneath keyboards
Investigation of Computer Intrusion • Victim theory of access • Corroborating evidence of employee access • New files created during timeline of theft • Code entry (doors, gates, rooms) • Telephone records (corroborate login) • Placement at scene (eyewitness, camera) • Obtain court order for trap and trace for home
Employee Suspects • Check personnel file • Signed for receipt of proprietary information • Check building logs • Cleaned out desk area • Phone records for calls to competitors • Calls from former employees requesting information
Procedures • Take photographs of: • The computer screen • The front, back and sides of the computer • The cables attached to the computer • Any peripherals attached to the computer • Log whether the computer is on or off • If on, note in the log what it appears to be doing • Log whether or not the computer is on a network
Examination in DOS • Create a DOS disk • Copy DOS files • Virus check • Place boot disk in A: drive • Boot to DOS • Insert copy disk • Backup • Verify • Duplicate from copy (place in separate area) • Run disksig and CRCMD5 on victim hard drive
Tools • GetTime • Documents the time and date settings of the victim computer • Reads date/time from CMOS • Syntax: GetTime <enter> • Creates a file note time on your watch/clock
Tools • Filelist, filecnvt, Excel • Filelist <enter> Catalogs contents of the disk • Filelist /m /d a:\DriveC C: <enter> • Dir /od a: <enter> creates 2 files (delete 2nd one) • Run filecnvt • Enter name of computer • Run Excel • Column 3 has the filenames of deleted files
Tools • Getfree • Content of unallocated space • Getfree C: provide estimate for amount of freespace • Getfree /f d:\FreeC c: • /f excludes non-printed characters
Tools • Getswap • Windows 98 or 95 copy win386.swp or 386spart.par • If NT/2000 you must do this from DOS (not a window) • Locate pagefile.sys (usually c:\winnt\system32\) • Copy file • To read instructions: getswap man | more • Getswap id to find out partitions recognized • Getswap d:\swapdata c: e: f: g: • Getswap /f d:\swapdata C:
Tools • Getslack • Getslack c: to determine how much exists • Getslack /f d:C_slack C:
Temp Files • .tmp extension • Start: Find • Copy
CRCMD5 • Calculates a 32 bit checksum • Crcmd5 <options> file1 file2 • /s current directory /h headerless text • Crcmd5 /s d: • Crcmd5 d:swapdata.f01
Tools • Disksig computes checksum for an entire hard drive (boot sector is excluded) • Disksig d: • To include boot sector use /b • Compressed drives have the signature performed on the raw uncompressed hard drive
Tools • Doc • Documents the contents of files and directories and related information • Doc <enter> • Can be redirected to a file for printing • Will be in a file
Searching • Favorites • Bookmarks • Cookies • History file • Internet Options set • Properties for file dates, ownership • Recycle bin • Hidden system folder • Sequence of deletion, files deleted, dates, types of files • Folder in 95 & 98 Recycled or NT/2000 Recycler
Recycle Bin • When files deleted: • Moved to recycle bin creates a new entry • Deletion of file folder from original location • Addition of information about the file to a hidden file INFO (800) or INFO2 (280) • First time use of recycle bin in NT/2000 a subfolder is created with user’s SID—Identifies which user created • Date and time recorded in INFO not bin • Other INFO • Prior file location • Order in bin • New filename in bin (original drive letter, index #, original extension • Empty bin and INFO is deleted • Use Quickview Plus to look at deleted file info • Identify information about other media
Shortcut • Examine • Windows desktop • Windows\recent—up to 15 shortcuts • Windows start menu • Windows send to • .lnk files • Refers to target files (applications, folders, data, objects) • Existence of shortcuts indicates knowledge of presence of a file • If times differ can point to knowledge to create Icon
Cached Files • IE caches websites • Cached files stored in Windows\Temporary Internet Files folder • INDEX.DAT has all cached files
Registry • Repository for hardware and software configuration information • Windows\system.dat or windows\user.dat • On NT/2000 the registry is comprised of hives located in %systemroot%\system32\config and Ntuser.dat files related to each user account • Regedit or regedt32 or NT Resource Kit has a utility regdmp
Printing • Shadow files created about print jobs .shd • Information on print job: owner, printer, name of file and method • Existence points to knowledge of printing activity
MAC Times • OS records dates and times of files accessed, created modified • Dates can be sorted to reveal a sequence of activities
MFT • Master File Table is a system file created during formating of NTFS volume • 1 MFT record for every file on a volume including an entry about itself and some metadata • MFT records store attributes about a file or folder • MFT records store all or some data in a file in the $data attribute • Contain flag with allocation status (0 if deletion/unallocated)
Recycled DC178 TXT 72 01-24-03 8:54a DC178.TXT DC179 TXT 96 01-24-03 8:54a DC179.TXT DC180 TXT 74 01-23-03 12:11p DC180.TXT DC181 TXT 94 01-23-03 12:09p DC181.TXT DC182 TXT 110 01-23-03 12:09p DC182.TXT DC183 TXT 318 01-23-03 12:07p DC183.TXT DC184 TXT 70 01-23-03 12:07p DC184.TXT DC185 TXT 104 01-23-03 11:26a DC185.TXT DC186 TXT 71 01-23-03 11:26a DC186.TXT DC187 TXT 155 01-23-03 8:39a DC187.TXT DC188 TXT 175 01-22-03 6:15p DC188.TXT DC189 TXT 104 01-22-03 6:13p DC189.TXT DC190 TXT 80 01-22-03 6:12p DC190.TXT DC191 TXT 94 01-22-03 6:12p DC191.TXT DC192 TXT 148 01-22-03 6:11p DC192.TXT DC193 TXT 95 01-22-03 5:54p DC193.TXT DC194 TXT 95 01-22-03 5:51p DC194.TXT DC195 TXT 77 01-22-03 5:49p DC195.TXT DC196 TXT 127 01-22-03 5:47p DC196.TXT DC197 TXT 163 01-25-03 3:01p DC197.TXT DC198 TXT 70 02-05-03 8:56a DC198.TXT 198 file(s) 2,723,699 bytes 2 dir(s) 15,511.09 MB free C:\RECYCLED>