![! They are permitted by the 2nd principle of the ACPO
guidelines
! Principle 2 of the Association of Chief Police Officers� Good
Practice Guide for Computer-Based Electronic Evidence states,
�In circumstances where it is necessary to access original data
held on a computer or storage media, that person must be
competent to do so and be able to give evidence explaining the
relevance and the implications of their actions� (ACPO, 2007).
Encryption example 1
! At Senate hearings in September 1997, Jeffery
Herig, special agent with the Florida Department of
Law Enforcement, testified that they were unable to
access protected files within a personal finance
program in an embezzlement case at Florida State
University. He said the files could possibly hold
useful information concerning the location of the
embezzled funds.
Encryption example 2
• [It is] also reported that they had encountered
unbreakable encryption in a US customs case
involving an illegal, world-wide advanced fee
scheme. At least 300 victims were allegedly bilked
out of over $60 million. Herig said they had
encountered three different encryption systems.
Although they were able to defeat the first two, they
were unsuccessful with the third. The vendor told](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-7-320.jpg)
![overcome the problem of lack of user mode access to
the
! .PhysicalMemory object. These allow imaging of the
memory of a Windows Vista machine using a kernel mode
driver to access the .PhysicalMemory object (Schuster,
2008b).
Live memory acquisition
• Tools that use .PhysicalMemory (kernel mode):
– WinEn: This is included with EnCase versions 6.11 onward.
It is also included on the latest version (2.0) of the Helix
Live CD (e-fense, 2008).
– mdd (Stotts, 2008): The Memory DD tool from ManTech is
open source and available on SourceForge (ManTech,
2008).
– win32dd (Suiche, 2008b): This tool is also open source but
uses more kernel mode functions, including writing the
output file, rather than mdd, in which �the [kernel] driver is
only used to get DevicePhysicalMemory handle (Suiche,
2008a).
Live memory acquisition
• Firewire (IEEE 1394): Firewire devices use Direct
Memory Access (DMA)
– Can access the memory of a system without using the CPU
(Carvey,](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-12-320.jpg)
![forensic tools with computational
linguistics, by parsing metadata of tools online
and leveraging machine learning.
10/26/16 Anti-forensics: Furthering digital forensic
science through a new extended, granular
taxonomy 18
Acknowledgments
Sidharth S. Nandury and Mohammad M. Hassan
Douglas White (NIST)
10/26/16 Anti-forensics: Furthering digital forensic
science through a new extended, granular
taxonomy 19
Questions?
Thank you!
[email protected]
Data sets for this research are available at
www.unhcfreg.com
under Data & Tools.
10/26/16 Anti-forensics: Furthering digital forensic
science through a new extended, granular
taxonomy 20](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-110-320.jpg)
![@
symbol
• [email protected]
Ian
Peter:
h2p://www.nethistory.info/History%20of%20the%20Internet/e
mail.html
4
History
of
e-‐mail
• 1974
–
extensive
use
by
military
because
ARPANET
encouraged
it
• Lary
Roberts
invented](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-116-320.jpg)
![1:
Read
from
the
bo2om
up.
• Ex.
E-‐mail
sent
from
[email protected]
to
[email protected]
Delivered-‐To:
[email protected]
Received:
by
10.36.81.3
with
SMTP
id
e3cs239nzb;
Tue,
29
Mar
2005](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-155-320.jpg)
![15:11:47
-‐0800
(PST)
Return-‐Path:
Received:
from
mail.emailprovider.com
(mail.emailprovider.com
[111.111.11.111])
by
mx.gmail.com
with
SMTP
id
h19si826631rnb.
2005.03.29.15.11.46;
Tue,
29
Mar
2005
15:11:47
-‐0800
(PST)
Message-‐ID:
<[email protected]>
Received:
from
[11.11.111.111]](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-156-320.jpg)
![Message-‐ID:
<[email protected]>
Received:
from
[11.11.111.111]
by
mail.emailprovider.com
via
HTTP;
Tue,
29
Mar
2005
15:11:45
PST
h2p://mail.google.com/support/bin/answer.py?
hl=en&answer=29436
39
Understanding
e-‐mail
headers](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-160-320.jpg)
![3.
When
the
message
transfers
from
Mr.
Jones'
email
provider
to
Mr.
Smith's
Gmail
address:
Delivered-‐To:
[email protected]
Received:
by
10.36.81.3
with
SMTP
id
e3cs239nzb;Tue,
29
Mar
2005](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-161-320.jpg)
![15:11:47
-‐0800
(PST)
Return-‐Path:
[email protected]
Received:
from
mail.emailprovider.com
(mail.emailprovider.com
[111.111.11.111])
by
mx.gmail.com
with
SMTP
id
h19si826631rnb;
Tue,
29
Mar
2005
15:11:47
-‐0800
(PST)
h2p://mail.google.com/support/bin/answer.py?
hl=en&answer=29436
40](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-162-320.jpg)
![e-‐mail
headers
Bottom-‐Up
• Sec<on
2:
Received:
from
[11.11.111.111]
by
mail.emailprovider.com
via
HTTP;
Tue,
29
Mar
2005
15:11:45
PST
Mr.
Jones
used
an
email
composi#on
program
to
write](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-165-320.jpg)
![Message-‐ID:
[email protected]
A
unique
number
assigned
by
mail.emailprovider.com
to
iden#fy
the
message.
h2p://mail.google.com/support/bin/answer.py?
hl=en&answer=29436
Does
this
mean
anything?
….
43
Understanding](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-167-320.jpg)
![e-‐mail
headers
Bottom-‐Up
• Sec<on
4:
Received:
from
mail.emailprovider.com
(mail.emailprovider.com
[111.111.11.111])
by
mx.gmail.com
with
SMTP
id
h19si826631rnb.
2005.03.29.15.11.46;
Tue,
29
Mar
2005
15:11:47
-‐0800
(PST)
The
message](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-168-320.jpg)
![Understanding
e-‐mail
headers
Bottom-‐Up
• Sec<on
7
Delivered-‐To:
[email protected]
The
email
address
the
message
will
be
delivered
to.
h2p://mail.google.com/support/bin/answer.py?
hl=en&answer=29436
47
Message](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-172-320.jpg)
![from
macsmtp.zu.ac.ae
(macsmtp.zu.ac.ae
[195.229.146.130])
by
mx.google.com
with
ESMTP
id
10si6828873yxe.4.2010.02.07.04.54.35;
Sun,
07
Feb
2010
04:54:36
-‐0800
(PST)
55
195.229.146.130
56](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-182-320.jpg)
![Received: from 1061exfe03.adpc.purdue.edu
([128.210.63.225]) by exchange.purdue.edu with Microsoft
SMTPSVC(6.0.3790.1830);
Fri, 27 Oct 2006 17:21:22 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Received: from mailhub179.itcs.purdue.edu ([128.210.5.179])
by 1061exfe03.adpc.purdue.edu with Microsoft
SMTPSVC(6.0.3790.211); Fri, 27 Oct 2006 17:21:51 -0400
Received: from mailhub245.itcs.purdue.edu
(mailhub245.itcs.purdue.edu [128.210.5.245]) by
mailhub179.itcs.purdue.edu
(8.13.7/8.13.7/spamscan) with ESMTP id k9RLLMJP026592 for
<[email protected]>; Fri, 27 Oct 2006 17:21:22 -0400
Received: from mout.perfora.net (mout.perfora.net
[217.160.230.41]) by mailhub245.itcs.purdue.edu
(8.13.7/8.13.7/external-
smtp) with ESMTP id k9RLLLMP010217 for
<[email protected]>; Fri, 27 Oct 2006 17:21:22 -0400
Received: from [82.165.253.19] (helo=localhost) by
mrelay.perfora.net (node=mrelayus0) with ESMTP (Nemesis),
id
0MKoyl-1GdZ8i2pbl-0004Ug; Fri, 27 Oct 2006 17:21:21 -0400
Return-Path: <[email protected]>
x-originalarrivaltime: 27 Oct 2006 21:21:51.0517 (UTC)
FILETIME=[EB42A4D0:01C6FA0D]
X-PMX-Version: 5.1.2.240295](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-185-320.jpg)
![X-PerlMx-Virus-Scanned: Yes
X-PerlMx-Spam: Gauge=IIIIIII, Probability=7%,
Report='NO_REAL_NAME 0, __CT 0, __CTE 0,
__CTYPE_CHARSET_QUOTED 0,
__CT_TEXT_PLAIN 0, __HAS_MSGID 0,
__MIME_TEXT_ONLY 0, __MIME_VERSION 0,
__SANE_MSGID 0'
Content-class: urn:content-classes:message
Subject: Hidden
Date: Fri, 27 Oct 2006 17:21:20 -0400
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Hidden
Thread-Index: Acb6DdoeGLplmXeaTbWoQU1Ff7PNbQ==
From: <[email protected]>
To: "Rogers, Marcus K" <[email protected]>
Rogers
(2006)
62
Anonymizers
&
Encrypted
eMail
• Hushmail.com
very
popular](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-186-320.jpg)
![HTTP
Anson & Bunting (2007)
44
Sample
FTP
log
#Sobware:
Microsob
Internet
Informa8on
Services
5.0
#Version:
1.0
#Date:
2008-‐03-‐15
02:43:10
#Fields:
8me
c-‐ipcs-‐method
cs-‐uri-‐stem
sc-‐status
02:43:10
192.168.1.32[11]USER](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-261-320.jpg)
![Administrator
331
02:43:10
192.168.1.10
[11]PASS
-‐230
02:44:11
192.168.1.10
[11]MKD
malaf
257
02:44:12
192.168.1.10
[11]MKD
bob
257
02:44:14
192.168.1.10
[11]MKD
Party
257
02:43:17
192.168.1.10
[11]created
index.htm
226
45
FTP](https://image.slidesharecdn.com/lecture09-memoryforensics-221026125605-4bfca63e/85/Lecture-09-Memory-Forensics-pdfL-E-C-T-U-R-E-9-B-Y-docx-262-320.jpg)
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
- 1. Lecture 09 - Memory Forensics.pdf L E C T U R E 9 B Y : D R . I B R A H I M B A G G I L I Memory Forensic Analysis P A R T 1 RAM overview Volatility overview http://www.bsatroop780.org/skills/images/ComputerMemory.gif Understanding RAM • Two main types of RAM – Static • Not refreshed • Is still volatile – Dynamic • Modern computers • Made up of a collection of cells
- 2. • Each cell contains a transistor and a capacitor • Capacitors charge and discharge (1 and zeros) • Periodically refreshed RAM logical organization • Programs run on computers • Programs are made up of processes – Processes are a set of resources used when executing an instance of a program – Processes do not generally access the physical memory directly – Each process has a �virtual memory space� • Allows operating system to stay in control of allocating memory – Virtual memory space is made up of • Pages (default size 4K) • References (used to map virtual address to physical address) • May also have a reference to data on the disk (Page file) – used to free up RAM memory RAM logical organization ! Each process is represented by an EPROCESS Block:
- 3. Normal memory • Each process is represented by an _EPROCESS block. • Contained within each _EPROCESS block is both a pointer to the next process (fLink – Forward Link) and a pointer to the previous process (bLink – Back Link). • When OS is operating, the _EPROCESS blocks and their pointers come together to resemble a chain, which is known as a doubly-linked list. • Chain is stored in kernel memory and is updated every time a process is launched or terminated. • Windows API walks this list from head to tail when enumerating processes via Task Manager, for example. Not so normal • Hides processes from windows API • Known as Direct Kernel Object Manipulation (DKOM) • Involves manipulating the list of _EPROCESS blocks to �unlink� a given process from the list • By changing the forward link of process 1 to point to the third process, and changing the �bLink� of process 3 to point to process 1, the attacker�s process is no longer part of the list of _EPROCESS blocks. • Since the Windows API uses this list to enumerate processes, the
- 4. malicious process will be hidden from the user but still able to operate normally. P A R T 2 Introduction to Memory forensics Before & Now ! Traditionally ! We have always been told to �pull the plug� on a live system ! This is done so that the reliability of the digital evidence is not questioned ! Now ! People are considering live memory forensics " Data relevant to the investigation may lie in memory " Whole Disk Encryption…. Challenges in traditional method • High volume of data (Aldestein, 2006) – Increases the time in an investigation – Increases storage capacity needed for forensic images
- 5. – Number of machines that could be included in the investigation (Sommer, 2004) • Ubiquity of digital evidence – Many types of digital devices (Mp3, gaming consoles etc.) • Evidence in memory only – Messaging applications (Carvey, 2004) – Malaware in memory (Burdach, 2004) – Privacy mode of browsers (Google, 2008; Zeigler, 2008) • Size of RAM is increasing (Sutherland et al. , 2008) – Potential for more digital evidence • Encryption! Live investigations VS. dead investigations • According to Carrier (2005 p.5), �A dead analysis occurs when you are running trusted applications in a trusted operating system to find evidence� and a live analysis is defined as �when you use the operating system or other resources of the system being investigated to find evidence.� – That is a little contradictory. What if a live CD was used on the suspect machine to perform �dead� analysis? Live investigation VS. dead investigations
- 6. • Mandia et al. (2003 p.27) simply states that �a live response is conducted when a computer system is still powered on and running.� This would suggest that a bootable Linux CD is indeed a live investigation. • Carrier 2nd definition: using the operating system of the system being investigated to acquire, analyze or present digital evidence will be used to describe a live investigation. When is RAM analysis useful? ! Cases where large volumes of data is involved (many computers) ! Mission critical systems ! Relevant digital evidence is stored in memory only ! When machine under investigation is using encryption (finding the decryption key) ! Click here for video Live investigations ! Involve examining a digital system while it is running and using the OS ! Acquire ! Analyze ! Present
- 7. ! They are permitted by the 2nd principle of the ACPO guidelines ! Principle 2 of the Association of Chief Police Officers� Good Practice Guide for Computer-Based Electronic Evidence states, �In circumstances where it is necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions� (ACPO, 2007). Encryption example 1 ! At Senate hearings in September 1997, Jeffery Herig, special agent with the Florida Department of Law Enforcement, testified that they were unable to access protected files within a personal finance program in an embezzlement case at Florida State University. He said the files could possibly hold useful information concerning the location of the embezzled funds. Encryption example 2 • [It is] also reported that they had encountered unbreakable encryption in a US customs case involving an illegal, world-wide advanced fee scheme. At least 300 victims were allegedly bilked out of over $60 million. Herig said they had encountered three different encryption systems. Although they were able to defeat the first two, they were unsuccessful with the third. The vendor told
- 8. them that there were no back doors. Encryption example 3 • An employee of a company copied proprietary software to a floppy disk, took the disk home, and then stored the file on his computer encrypted under PGP. Evidently, his intention was to use the software to offer competing services, which were valued at tens of millions of dollars annually (the software itself cost over $1 million to develop). At the time we heard about the case, the authorities had not determined the passphrase needed to decrypt the files. Information contained in logs had led them to suspect the file was the pilfered software. Example 4..etc ! At one university, the investigation of a professor thought to be trafficking in child pornography was aborted because the campus police could not decrypt his files. ! Many more child pornography cases… Decryption options? • Ask for the key during the interview with the suspect • Locate unencrypted copies of the encrypted data (deleted
- 9. stuff?) • Locate copy of the key on the disk, or surrounding areas – Build a dictionary -- use the dictionary • Intelligent passoword attacks – Uses words from suspect�s personal details • Brute force attack • Vulnerabilities in the implementation of the encryption system • Surveillance (keyloggers etc.) – Hardware and software Live investigation methodology ! Wait (2008) methodology ! Establish a trusted command prompt ! Establish a method for transmitting and storing the collected information ! Running various tools and creating hashes of the output Live investigation tools • cmd.exe'A'trusted'copy'of'the'command'prompt.'This'will'chan ge'for'different'versions'of' Windows.)Built'in.' • PsLoggedOn'A'u?lity'that'shows'all'users'connected'locally'and 'remotely.'www.foundstone.com'
- 10. • Rasusers'A'command'that'shows'which'users'have'remoteaccess 'privileges'on'the'target'system.' NT'Resource'Kit'(NTRK)' • Netstat'A'system'tool'that'enumerates'all'listening'ports'and'all' current'connec?ons'to'those'ports.' Built'in' • Fport'A'u?lity'that'enumerates'all'processes'that'opened'any'TC P/IP'ports'on'a'Windows)NT/2000) system.)www.foundstone.com' • PsList'A'u?lity'that'enumerates'all'running'processes'on'the'tar get'system.'www.foundstone.com' • ListDLLs'A'u?lity'that'lists'all'running'processes,'their'comman d'line'arguments,'and'the' dynamically'linked'libraries'(DLLs)'on'which'each'process'depen ds.'www.foundstone.com' • Nbtstat'A'u?lity'that'lists'the'recent'NetBIOS'connec?ons'for'ap proximately'the'last'10'minutes.' Built'in' • Arp'A'system'tool'that'shows'the'MAC'addresses'of'systems'tha t'the'target'system'has'been' communica?ng'with,'within'the'last'minute.'Built'in' • Kill'A'command'that'terminates'a'process.'NTRKMd5sum'A'u?l ity'that'creates'MD5'hashes'for'a' given'file.'www.cygwin.com' • rmtshare'A'command'that'displays'the'shares'accessible'on'a're mote'machine.'NTRK' P A R T 3 Memory acquisition Live disk acquisition
- 11. ! FTK Imager (now also RAM) ! dd ! Helix Live CD Live memory acquisition • .PhysicalMemory (user mode): Similar to dev memory in Linux, this object – provides access to the physical memory of Windows XP (Vidstrom, 2006a). – Can be accessed and copied using user-mode programs such as a modified version of dd (Carvey, 2007b). – Has the advantage that no software needs to be installed on the system under investigation (Schuster, 2005). – Practical problem: requires administrator privileges on the live suspect machine (Schuster, 2005). User mode access to the . PhysicalMemory object is also not possible unavailable under Windows Server 2003 SP1 onwards, including Windows Vista (Schuster, 2005) Live memory acquisition ! .PhysicalMemory (kernel mode): Recently a number of options have become available that
- 12. overcome the problem of lack of user mode access to the ! .PhysicalMemory object. These allow imaging of the memory of a Windows Vista machine using a kernel mode driver to access the .PhysicalMemory object (Schuster, 2008b). Live memory acquisition • Tools that use .PhysicalMemory (kernel mode): – WinEn: This is included with EnCase versions 6.11 onward. It is also included on the latest version (2.0) of the Helix Live CD (e-fense, 2008). – mdd (Stotts, 2008): The Memory DD tool from ManTech is open source and available on SourceForge (ManTech, 2008). – win32dd (Suiche, 2008b): This tool is also open source but uses more kernel mode functions, including writing the output file, rather than mdd, in which �the [kernel] driver is only used to get DevicePhysicalMemory handle (Suiche, 2008a). Live memory acquisition • Firewire (IEEE 1394): Firewire devices use Direct Memory Access (DMA) – Can access the memory of a system without using the CPU (Carvey,
- 13. 2007b). – Bolieau (undated) describes a way to use this property to obtain an image of a machine�s physical memory. – Images memory, even if a machine is locked. – More difficult to configure and use than the .PhysicalMemory tools – Target system must have a working Firewire port. – Documented problems in Vidstrom (2006b), e.g. dumping the Upper Memory Area (UMA) – Can cause a fatal error and blue screen if non existent memory addresses are accessed (Schuster, 2008a). Live memory acquisition ! Process Memory Acquisition Tools: ! Dump the memory used by a specific process. Examples of such tools include pmdump (Vidstrom, 2002) and userdump (Microsoft, 2007c). Live memory acquisition • Cooling + Reboot (Video)
- 14. – Halderman et al (2008) and explains that even though data in RAM does decay when the power is removed, �retention times can be increased by cooling� (Halderman et al., 2008). – By cooling RAM chips to -50ºC using an inverted can of compressed air and using a warm or cold reboot, the bit deterioration may be reduced sufficiently so that by rebooting the system to a custom operating system with a minimal memory footprint (network based or on USB) the contents of RAM can still be imaged, albeit with some bit errors. – This has the advantage of providing a trusted operating system in which to perform imaging. • At time of writing the tool from Halderman et al (2008) (ram2usb) was not available but an alternative that uses the same principles is available from McGrew (2008). There are also additional problems to the bit errors: it is possible that the machine has been configured not to boot to network or USB, preventing an operating system from being loaded that can perform the memory imaging. It is also possible that the machine may perform a destructive memory test when restarting. Live memory acquisition
- 15. • Crash Dumps: A system can be configured in advance through the Windows Registry or Start-up and Recovery settings to create a full dump of its memory to disk on a key press (on PS2 keyboards) (Microsoft, 2007e). • This has the significant advantage that the entire system is halted when the contents of RAM are being written (Carvey, 2007b), this means that this is a true �image� of memory rather than a �smear�, since the data is not constantly changing as it is being copied. • It is necessary to reboot the system for the Registry change to take effect (Microsoft, 2007e) • Difficult to use in real cases when system is not configures • There is also a further limitation described in Huebner et al. (2007) that �the key sequence used to generate the crash dump is insecure and could be intercepted by an application program�. Live memory acquisition ! Hibernation File: When a Windows system is put into hibernate mode, the system�s state is stored in hiberfil.sys file. ! Using the Sandman Framework the hibernation file can be converted to
- 16. a flat, dd style image (Suiche and Ruff, 2008). ! Advantage: system is completely stopped. " Image is coherent and does not suffer the same �smearing� as other techniques. ! Examined offline, it is not possible for malware to hide from an analysis. ! If the system�s power is disconnected and the hibernation file later imaged, the hibernation file may be significantly out of date ! Intentionally putting the system to sleep will overwrite data in the current hibernation file on the disk. ! Ruff and Suiche (2007) also states that there is �no guarantee that 100% of physical memory has been saved�. ! Hibernation file is not available when certain types of encryption product are in use. Live memory acquisition • Hardware Devices: Carrier and Grand (2004) describes a PCI card that can be fitted to a PC which can dump memory to an external storage device. • Since this approach is hardware based it does not rely on potentially untrusted code.
- 17. • The hardware needs to be installed before an incident occurs (Carvey, 2007b) and as a result this is unlikely to be an option. P A R T 4 Memory analysis techniques Memory analysis techniques • String searches: – Early analyses of memory dumps consisted of simply extracting text strings (Carvey, 2007b p.88). – This is achieved using tools such as strings (Russinovich, 2007), grep (on Linux) or bintext (Foundstone, 2000) and enables searches for passwords, IP and e-mail addresses and other text strings. – The difficulty with evidence obtained in this way is that it is difficult to attribute to a specific process (Carvey, 2007b p.89). Memory analysis techniques • Process Enumeration: – If one EPROCESS block can be found in memory, the Forward Link (FLINK) and Backwards Link (BLINK) pointers can be
- 18. used to enumerate all processes in the memory dump. – Relies on locating an EPROCESS block. – There are a number of methods described for achieving this. • First dump system process (ID4) using a perl script • Then locate the other processes Memory analysis techniques • Process Carving: – Schuster (2006) provides an alternative to the process enumeration approach that is similar to file carving in disk images. – Scans through a memory image testing for valid process and thread structures using a 20 rule criteria. – Implemented in PTFinder.pl. There is also another implementation of this approach in Carvey (2007b p.104), lsproc.pl, which is limited to identifying processes rather than threads. Memory analysis techniques • VAD Tree Based Process Recovery: – Recovery of memory that belongs to a specific process. – VAD tree provides access to areas of memory assigned to a process. – Root of the VAD tree is stored in the process�s EPROCESS
- 19. block at offset 0x11C. – From this pointer the VAD tree can be traversed and the areas of memory assigned to the process can be extracted (Dolan- Gavitt, 2007). – VAD tree offset has changed in Server 2003, and Vista. P A R T 5 Memory analysis toolkits Create your own? ! Understand how memory is stored ! Program your own way of parsing processes out etc. ! Use string searches Responder ! Commercial product, one of the first ones released to analyze memory dumps ! Allows investigators to view both physical and virtual memory dumps
- 20. Volatility framework ! Leading open source toolkit, implemented in python, works on Windows XP SP2 and SP3 dumps (Outdated) ' connec?ons:'Print'list'of'open'connec?ons.' connsca:'Scan'for'connec?on'objects.' date?me:'Get'date/?me'informa?on'for'image.' dlllist:'Print'list'of'loaded'DLLs'for'each'process.' dmp2raw:'Convert'a'crash'dump'to'a'raw'dump.' dmpchk:'Dump'crash'dump'informa?on.' diles:'Print'list'of'open'files'for'each'process.' hibinfo:'Convert'hiberna?on'file'to'linear'raw'image.' ident:'Iden?fy'image'proper?es.' memdmp:'Dump'the'addressable'memory'for'a'process.' memmap:'Print'the'memory'map.' modscan:'Scan'for'modules.' modules:'Print'list'of'loaded'modules.' regobjkeys:'Print'list'of'open'Registry'keys'for'each' process.' ' ' '' procdump:'Dump'a'process'to'an'executable' sample.' pslist:'Print'list'of'running'processes.' psscan:'Scan'for'EPROCESS'objects.' raw2dmp:'Convert'raw'dump'to'a'crash'' dump.' sockets:'Print'list'of'open'sockets.' sockscan:'Scan'for'socket'objects.' thrdscan:'Scan'for'ETHREAD'objects.' vaddump:'Dump'the'VAD'sec?ons'to'files.' vadinfo:'Dump'the'VAD'info.' vadwalk:Walk'the'VAD'tree.'
- 21. Strings:'Match'physical'offsets'to'virtual' addresses.' ' Vola%lity)command)Informa%on)Obtained) P A R T 6 Challenges in live digital investigations Challenge 1: Trusting the results • Mohay et al. (2003) states that �any system being examined live should be considered to be hostile until proven otherwise.� • Carrier (2006) goes as far as saying that �the only difference between live and dead analysis is the reliability of results.� • Extensive use of DLLs in windows • Operating system has to be modified in some way to provide false info – Rootkit/Malware installed on a system, either intentionally or unintentionally – Logic bombs
- 22. Challenge 2: Intrusiveness of techniques ! Contaminating the digital evidence (volatile nature) ! Can�t use write blockers ! Modifying as little as possible (Carvey, 2004) ! Minimally invasive techniques ! No way to avoid making changes ! Amount of change will vary depending on hardware and software used Challenge 3: Verification of results ! Results should be verifiable and repeatable (Pollitt, 1995) ! Evidence gathered represents a live system that cannot be reproduced at a later date ! Image can only be verified against itself, and not the �original� media ! Could prevent it from being admissable Challenge 4: Ensuring a complete set of evidence ! Selective file copying, rather than the complete image ! Some data not captured may have proved
- 23. innocence… ! First responders are used to: Identifying and preserving digital evidence ! Now they have to identify relevant digital evidence The end. Lecture 6 - AntiForensics.pdf Anti-‐Forensics Modified by Dr. Ibrahim Baggili Originally created by Marcus Rogers – Purdue University 1
- 24. Some refreshers • What is Cyber/Digital Forensics? • What are some of the issues with Digital Forensics? • What are the three As? • What is a file system? • What is CHS?
- 25. 2 Lecture Outline • What is anJ-‐forensics? • Taxonomy of AnJ-‐forensics • Countering AnJ-‐forensics • Looking ahead • Summary 3 AnJ-‐forensics • APempts to negaJvely effect the
- 27. • The volaJlity of DE and the reliance on tools makes cyber forensics very vulnerable to AF • Issue for all the Digital Forensics CommuniJes • LE, Private Sector, Military/Intelligence 4
- 31. • Mixed results on idenJfying stego 6 Common Data Hiding Techniques • Rename files/directories • Delete files/directories • Copy files/directories • Print files • Format a disk 7
- 32. Renaming Files • Rename files and/or file extensions • Example: • Rename extorJon_lePer.doc to fuzzy_bunny.jpg • People looking for incriminaJng evidence probably won’t check a picture file called fuzzy_bunny.jpg 8
- 39. • Low level formafng is a different story! 11 APributes • In Windows, set the “hidden” aPribute on a file or directory. • Can sJll view files if the “Show
- 41. file or directory starJng with a “.” • Example: mv important.doc .important.doc • Can sJll be viewed by lisJng all files “ls –a” • Other methods??? • ., …, .,
- 43. filesystem • Example: • mkdir /temp • Create files/directories in /temp • Mount a filesystem at /temp • The files are not visible, and cannot be read/written • The files are accessible again after the filesystem has been unmounted • This might be detectable, but not always. • Example: / is 10 GB, space used is 2 GB, but only 4 GB are free. This could indicate the presence of files hidden under a filesystem 14 Swap space • Swap Space (also
- 55. will search a NTFS filesystem for ADSs • LADS is available from hPp://www.heysoc.de/en/ socware/lads.php?lang=EN 21 ADS • CreaJng an ADS – echo text in default stream > myfile.txt – echo extra text in ADS > myfile.txt:hidden.txt 22
- 56. ADS • C:temp>echo some text > myfile.txt • C:temp>dir myfile.txt • Volume in drive C has no label. • Volume Serial Number is 40AB-8351 • Directory of C:temp • 2003-03-04 03:11p 12 myfile.txt • 1 File(s) 12 bytes • 0 Dir(s) 3,227,021,312 bytes free • C:temp>type bigfile.tgz > myfile.txt:hidden • C:temp>dir myfile.txt • Volume in drive C has no label. • Volume Serial Number is 40AB-8351 • Directory of C:temp • 2003-03-04 03:12p 12 myfile.txt • 1 File(s) 12 bytes • 0 Dir(s) 3,183,009,792 bytes free • C:temp> 23 ADS
- 57. • C:temp>lads • LADS - Freeware version 3.10 • (C) Copyright 1998-2002 Frank Heyne Software (http:// www.heysoft.de) • This program lists files with alternate data streams (ADS) • Use LADS on your own risk! • Scanning directory C:temp • size ADS in file • ---------- --------------------------------- • 44010926 C:tempmyfile.txt:hidden • 44010926 bytes in 1 ADS listed • C:temp> 24 ADS • Running a hidden command in ADS (try this on a NTFS
- 58. file system): – C:>echo some text > c:tempfile.txt – C:>type c:winntsystem32calc.exe > c:temp file.txt:hidden.exe – C:>type c:tempfile.txt – C:>start /b c:tempfile.txt:hidden.exe • This will start the Windows calculator program from a 12 byte file! 25 Summary • There are
- 60. Win2K/XP recycle bin • “Recycled” Folder for FAT: • INFO2 • Place holder(s) • Desktop.ini 27 Win 2K/XP recycle bin • “Recycler” Folder for NTFS
- 61. • SID named subdirectory contains: (For each user there is a security ID (SID)) • Place holder(s) • INFO2 • Desktop.ini • NTFS Recycle Bin 28
- 62. Placeholders • D<original drive lePer><#>.<original extension> • DC1.TXT • DC2.JPG • DC3.BMP • Entry for each deleted item: – Hidden from view in GUI environment – Date & Jme unchanged from original file
- 63. • If a subdirectory is deleted only one placeholder is made 29 INFO 2 File • 800 Byte Entry is made for each Recycled object – Recycled date – Original path
- 64. and filename – Place holder drive lePer and # 30 INFO 2 file Counter Drive Letter Recycled Date and Time (GMT) Offset 260 – 275 of an INFO2 entry 31 INFO 2 File • Recycled date
- 65. and Jme issue – The date and Jme are stored in GMT in hexadecimal format – Recycle Bin tools (IEHistory, Datalicer) will convert the Jme for you! – Something wrong here?
- 66. Hint! HKEY_LOCAL_MACHINESYSTEMControlSet001ControlTi meZoneInformation 32 Desktop.ini • Created when Recycle Bin is created • Only modified if recycle bin is EMPTIED – All Date / Time informaJon updated when bin is empJed
- 67. 33 Recovering from recycle bin • Copy placeholders to separate drive • Copy INFO2 file; use uJlity to parse out date / Jme data – Datalicer – IE History
- 68. 34 Steganography • Hiding informaJon in plain site • Centuries old – Spartans – Greeks • Extremely hard to detect • AcJve research for NaJonal Security reasons
- 69. – StaJsJcal Analysis • DetecJon Algorithms 35 Steganography • Types of Encoding • Least Significant Bit (LSB) • Encode the message in the least significant bit of every
- 72. – Unused areas in a file (end of a song) • SubsJtuJon – Least significant bits • GeneraJon – Creates an new file 37 Steganalysis • DetecJon methods??
- 73. – Remnants of stego socware on system (registry) – Comparison files • (MD5), Visually – size diff?? – LocaJng stego socware on system – StaJsJcal analysis • average bytes • skew, kurtosis
- 76. • Work from the obvious to the less obvious • Go for the low hanging fruit first • When are you done??? 44 References • NW3C Basic Data Recovery & Analysis
- 80. readable memory 46 Trail obfuscaJon • Trail obfuscaJon – Where is the source located – Who is the source • Log cleaners • Spoofing • MisinformaJon
- 83. • Focus area for the computer underground because of its relaJve ease 48 Tools and processes • Evidence PreservaJon & CollecJon • Some novel aPacks discussed but few so far
- 84. have been documented in the “wild” • Bad blocks • Odd disk sectors • Altering the HPA or DCO at the drive level (Host Protected Area, Device ConfiguraJon Overlay) • This CF process
- 85. is very tool centric • EnCase, FTK, DD, or other integrated device • APacks seek to prevent the creaJon of bitstream images or prevent integrity checking • Image appears to be +4 Terabytes
- 86. • Hashes never match • For the most part it is obvious that something is amiss 49 ExaminaJon and Analysis • Can be a much more subtle aPack • Relies on vulnerabiliJes
- 88. EnCase, iLook, WinHex, TCT, Sleuthkit, etc. • Compression bombs • Nested directories • Altering the MFT and inodes • File signature altering, hash fooling • The more automated the tool the more suscepJble it
- 89. is to aPack! 50 AnJ-‐forensics: The soluJon? • AnJ-‐AnJ-‐ Forensics • Understand what the tools are doing or supposed to do • Error logging on tools • Don’t automate
- 90. everything by default • Funded research on AF • Most research is to date is grass roots and ad hoc • Focus research on the Windows world as opposed to *NIX • Majority of
- 92. 51 The future • AnJ-‐forensics is here to stay – We are now in an arms race of sorts – Data wiping tools (free space etc.) will get bePer – APacks
- 93. will get more subtle – Unfortunately tools will get more automated, more levels of abstracJon • Data mining, Expert systems, Evidence aggregaJon tools, AI • Data mining and evidence aggregaJon are needed due to
- 94. the increasing storage capaciJes and thus increase in volume of data 52 Summary • Most anJ-‐forensics techniques are not new • Most are obvious • Increased aPenJon by the
- 95. underground • More research is needed • More informaJon sharing within the community is needed • BePer training for pracJJoners • Vendors need to listen to the community bePer • This issue is here to stay!
- 97. Retrieved Sept 5th, 2005, from www.metasploit.com/projects/ anJforensics/BH2005-‐ • Catch_Me_If_You_Can.ppt • Geiger, M. (2005, August 18th). Evalua&ng commercial counter-‐ foreniscs tools. Paper presented at the DFRWS, New Orleans. • Grugq. (2005). The art of
- 99. O'Reilly. • Peron, C., & Legary, M. (n.d.). Digital anJ-‐forensics: Emerging trends in data transformaJon techniques. Retrieved Sept 1, 2005, from • www.seccuris.com/documents/papers/Seccuris- ‐AnJforensics.pdf 54 Lecture 6.2 - Anti Forensics New Taxonomy.pdf Kevin Conlan MS, Ibrahim Baggili PhD, Frank Breitinger PhD Graduate Researcher & UNHcFREG Member
- 100. Presenting @ DFRWS USA 2016, Seattle Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy Cyber Forensics Research & Education Group 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 1 Anti-forensics: Tools and techniques used to invalidate the digital forensic process. So…would using this tool, Tracks Eraser Pro, be an example of anti-forensics? 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 2 How about this encryption tool? 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 3
- 101. And this popular disk cleaner/registry wiper? 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 4 And this VPN? 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 5 Agenda • Problem statement • Contribution • Related work • Methodology • Results & discussion • Limitations • Conclusions & future work 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 6 Problem statement
- 102. Not enough research on anti-forensics. Baggili et al. (2012): Out of 500 digital forensic research papers, only 2% pertained to anti-forensics. Anti-forensic tools and techniques can be used to: • Remove • Alter • Disrupt Or otherwise interfere with evidence of criminal activities on digital systems. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 7 Contribution I. A categorical data set of 308 anti- forensic tools. II. An extended version of the Rogers (2006) anti-forensic taxonomy (Figure 1). III. The calculated hash values of 2780 unique installation-related files of the anti-forensic tools, and an analysis of their presence in the newest 2016 NSRL1. 1http://www.nrsrl.nist.gov/(last accessed 2016-02- 10).10/26/16 Anti-forensics: Furthering digital
- 103. forensic science through a new extended, granular taxonomy 8 • Data hiding • Encryption • Steganography • Other forms of data hiding • Artifact Wiping • Disk cleaning utilities • File wiping • Disk degaussing / destruction techniques • Trail obfuscation • Attacks against computer forensic tools and processes Figure 1: Related Work Harris (2006): thereare no general or contemporary frameworks with which to analyze anti-forensics. Harris (2006) notes that while therea few general groupings of anti- forensic methods, thereare no identifiable groupings of anti-forensic software. 10/26/16 Anti-forensics: Furthering digital forensic
- 104. science through a new extended, granular taxonomy 9 Methodology Our methodology included the following overarching steps: I. Data set creation II. Data set organization III. Data set analysis IV. Hashing V. Data set comparison with NSRL VI. Extended taxonomy creation 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 10 Methodology 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 11 Figure 2: Extended Taxonomy of anti- forensics Results and discussion Comparing anti-forensic tools hashes to the NSRL
- 105. Python script was written to acquire 2780 unique MD5 and SHA1 hash values of the anti-forensic tool installation related files,and was compared against the newest 2016 Reference Data Set (RDS). Only 423 hashes were found. The unmatched hashes would be example Presence of anti- forensic tools/files/installation files under the category of Possible indicators of anti-digital forensics. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 12 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 13 Figure 3: Number of tools found per anti- forensic category 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 14 0 20 40 60 80 100 120 140 160 180
- 106. Windows Phone Windows Unix Symbian SUSE Solaris POSIX OSV OpenSolaris OpenIndiana OpenBSD NetBSD Multi-platform/unspecified Maemo Mac Linux iOS Illuminos distributions HP-UX FreeBSD DragonFly BSD Blackberry Android Figure 4: Instances of operating systems/platforms
- 107. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 15 0 5 10 15 20 25 30 35 USA Ukraine UK Thailand Switzerland Sweden Spain Singapore Russia Poland New Zealand Moldova Japan Italy Israel India Germany France Finland Denmark Croatia China
- 108. Canada Brazil Austria Australia Figure 5: Tools by identifiable country of origin Limitations A considerable limitation was the number of software tools that may be considered “anti-forensic” in nature is vast and continuously growing. It is difficult to determine the entire scope of the anti- forensics domain. However, this is not as much a “limitation” as it is an opportunity for future research endeavors. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 16 Conclusions and future work The goals of this work was the following:
- 109. A categorical data set that would be useful to the digital forensic community through the collection and organization of 308 anti-forensic tools. An extended classification of the original anti- forensics taxonomy, to more fully encapsulate the domain of anti- forensics. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 17 Conclusions and future work Future work: Expanding the scope of the categorical data set to include more tools, of which thereare many. “Internet-of-things”: anti-forensic tools will follow this digital migration. Expand taxonomy to include the forms of digital devices that anti-forensics could exist on. A similar methodology applied to otherfields of the information assurance domain (e.g., hacking/penetration tools). Ways of automating the classification of anti-
- 110. forensic tools with computational linguistics, by parsing metadata of tools online and leveraging machine learning. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 18 Acknowledgments Sidharth S. Nandury and Mohammad M. Hassan Douglas White (NIST) 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 19 Questions? Thank you! [email protected] Data sets for this research are available at www.unhcfreg.com under Data & Tools. 10/26/16 Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy 20
- 111. Lecture 7 - E-mail Forensics.pdf E-‐mail Forensics By: Dr. Baggili Source: h2p://www.cim.mcgill.ca/~jer/email.html 1 Some other project ideas: • Vola<le memory fingerprints of chat clients • Comparison of soBware/hardware
- 112. imaging solu<ons • Android forensics • Blackberry chat forensics • Network ar<facts – predic<ng the opera<ng system based on network traffic • Detec<ng e-‐mail servers used based on e-‐mail header informa<on • Wri<ng soBware
- 114. E-‐mail Forensics • E-‐mail history • E-‐mail evidence • E-‐mail tracing 3 History of e-‐mail • Older than ARPANET • It was like leaving a note on someone’s desk
- 115. – when a person logged on, they would find the e-‐mail (mul<ple people using the same computer) • MIT – MailBox (1965) • SNDMSG • Ray Tomilson (inventor of e-‐mail 1972) • Chose
- 116. @ symbol • [email protected] Ian Peter: h2p://www.nethistory.info/History%20of%20the%20Internet/e mail.html 4 History of e-‐mail • 1974 – extensive use by military because ARPANET encouraged it • Lary Roberts invented
- 117. e-‐mail folders for his boss • 1975 – John vital invented a way to organize e-‐mail • 1976 – e-‐mail took off (and 75% of all ARPANET traffic was e-‐ mail) • Offline readers
- 118. • SMTP & POP • Euodora – Steve Dorner – 1988 • Web e-‐mail Ian Peter: h2p://www.nethistory.info/History%20of%20the%20Internet/e mail.html 5 E-‐mail usage, a partial look • In April, 2008
- 119. USA Today ar<cle cites ComScore Media Metrix figures for February, 2008: • MicrosoB webmail proper<es: 256.2 million users • Yahoo: 254.6 million users • Google: 91.6 million users • AOL webmail proper<es: 48.9 million users
- 128. 12 1 Week (Now) 13 Evidence can we get from e-‐mails? • Dates/Times • Sender/Receiver • E-‐mail servers • Culpatory evidence • Example case
- 129. • Purchased items, communica<on etc. • Words used • Mood • Personality traits • Authorship a2ribu<on • IP addresses 14 E-‐mail Forensics • Step 1 – Get the e-‐mail header!
- 130. • Get the most accurate <meline possible • Be sure the original e-‐mail is not deleted • Different e-‐mail clients/web clients have different ways of repor<ng the headers. Learn those ways and familiarize yourself
- 132. • It is like a flight <cket: • Who booked it (who sent the email) • Departure informa<on (when the email was sent) • Route (from where it was sent and how did it arrive to
- 140. Viewing e-‐mail headers • MicrosoB Outlook Express 5 & 6 • Right-‐click on the message and select ProperBes. • Select the Details tab. • You should see a sec<on <tled Internet Headers for
- 142. 29 Viewing e-‐mail headers • Pegasus Mail Clients • Double-‐click on the message to open it in a separate window. • Hit the backspace key or type Ctrl-‐h on your keyboard to
- 144. e-‐mail headers • Mozilla Thunderbird • Double-‐click the e-‐mail you want to view the headers on. • Click on the View drop-‐down menu and select Headers and then select All. • This will show
- 146. the Mail drop-‐down menu and select Preferences. • Click on the Viewing icon. • Click on the arrow on the Show header detail and select All. • You will now see the full headers
- 149. forwarding to someone. h2ps://hdc.tamu.edu/reference/documenta<on/index.php?sec<on _id=589 33 Viewing e-‐mail headers • Hotmail • Once you are logged in, click on OpBons • Click on Mail. • Click on Mail Display
- 150. SeSngs. • Change the Message Headers sec<on to Advanced. • Click OK. • Now when you read an e-‐mail, it should show you the full message headers. h2ps://hdc.tamu.edu/reference/documenta<on/index.php?sec<on _id=589 34
- 151. Viewing e-‐mail headers • Yahoo! Mail • Once you are logged in, click on Mail OpBons. • Click on General Preferences. • Under the Messages sec<on, select Show all headers on incoming messages
- 153. • While viewing a message, click on the More opBons arrow in the upper-‐right of your message pane. • Click on Show original. • This will display the headers for that message in a
- 155. 1: Read from the bo2om up. • Ex. E-‐mail sent from [email protected] to [email protected] Delivered-‐To: [email protected] Received: by 10.36.81.3 with SMTP id e3cs239nzb; Tue, 29 Mar 2005
- 173. IDs demystiUied • 2008 Research by Satheesaan Pasupatheeswaran shows interes<ng results. • Sendmail Message IDs Pasupatheeswaran (2008) 48 Message IDs demystiUied • $t • $t macro
- 179. message IDs • No standard algorithm (RFC2822) says every message should have a unique ID but does not say how. • Open source vs closed source e-‐mail • Iden<fying source MTA (Mail Transfer Agent)
- 180. • Versions • Sendmail has the message ID changed thrice! • Host <me • MTA must be synched with a reliable <me reference • Spoofed message Ids • Headers without message-‐ids • Interna<onal
- 184. Visual trace back 60 Challenges to think about • Remailers Rogers (2006) 61 Challenges to think about Remailer Headers x-mimeole: Produced By Microsoft Exchange V6.5
- 185. Received: from 1061exfe03.adpc.purdue.edu ([128.210.63.225]) by exchange.purdue.edu with Microsoft SMTPSVC(6.0.3790.1830); Fri, 27 Oct 2006 17:21:22 -0400 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Received: from mailhub179.itcs.purdue.edu ([128.210.5.179]) by 1061exfe03.adpc.purdue.edu with Microsoft SMTPSVC(6.0.3790.211); Fri, 27 Oct 2006 17:21:51 -0400 Received: from mailhub245.itcs.purdue.edu (mailhub245.itcs.purdue.edu [128.210.5.245]) by mailhub179.itcs.purdue.edu (8.13.7/8.13.7/spamscan) with ESMTP id k9RLLMJP026592 for <[email protected]>; Fri, 27 Oct 2006 17:21:22 -0400 Received: from mout.perfora.net (mout.perfora.net [217.160.230.41]) by mailhub245.itcs.purdue.edu (8.13.7/8.13.7/external- smtp) with ESMTP id k9RLLLMP010217 for <[email protected]>; Fri, 27 Oct 2006 17:21:22 -0400 Received: from [82.165.253.19] (helo=localhost) by mrelay.perfora.net (node=mrelayus0) with ESMTP (Nemesis), id 0MKoyl-1GdZ8i2pbl-0004Ug; Fri, 27 Oct 2006 17:21:21 -0400 Return-Path: <[email protected]> x-originalarrivaltime: 27 Oct 2006 21:21:51.0517 (UTC) FILETIME=[EB42A4D0:01C6FA0D] X-PMX-Version: 5.1.2.240295
- 186. X-PerlMx-Virus-Scanned: Yes X-PerlMx-Spam: Gauge=IIIIIII, Probability=7%, Report='NO_REAL_NAME 0, __CT 0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0' Content-class: urn:content-classes:message Subject: Hidden Date: Fri, 27 Oct 2006 17:21:20 -0400 Message-ID: <[email protected]> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Hidden Thread-Index: Acb6DdoeGLplmXeaTbWoQU1Ff7PNbQ== From: <[email protected]> To: "Rogers, Marcus K" <[email protected]> Rogers (2006) 62 Anonymizers & Encrypted eMail • Hushmail.com very popular
- 187. • Easy encryp<on • Free account set up • Not really anonymous • Source IP address crea<ng the account is logged! • But ….. Rogers (2006) 63 SpooUing • The
- 188. header can have spoofed informa<on • The SMTP protocol does not require any authen<ca<on • Spoofed default return address • Trace back is a way of determining if the header has been spoofed
- 190. Rogers (2006) 65 In summary • Email is an important source of forensic informa<on • The full header informa<on is required • Source can be spoofed • Time zones and
- 191. offsets are important • Trace back is cri<cal! Rogers (2006) 66 References • Lecture notes: Marcus Rogers (2006) • SpamCop h2p://www.spamcop.net/fom-‐serve/cache/19.html • h2p://mail.google.com/support/bin/answer.py?hl=en&answer=29 436 • h2p://igneous.scis.ecu.edu.au/proceedings/2008/forensics/ Satheesaan%20Email%20Message%20ID.pdf
- 192. • h2ps://hdc.tamu.edu/reference/documenta<on/index.php? sec<on_id=589 • Ian Peter: h2p://www.nethistory.info/History%20of%20the%20Internet/ email.html • h2p://www.emailaddressmanager.com/<ps/header.html • h2p://www.email-‐marke<ng-‐reports.com/metrics/email- ‐sta<s<cs.htm 67 Network Forensics - Lecture 08.pdf Network Forensics By: Dr. Baggili ©
- 195. • Detect intruder aDacks using automated tools and monitoring network logs manually • Track, locate, and iden8fy the intruder and deny further access to the network • Collect evidence for
- 196. civil or criminal li8ga8on against the intruders Bhadran VK (2009) 3 Where does it fit in? • Is there a problem with defining the field? • Is it part
- 200. • Defini8ons keep changing • No common body of knowledge on the subject • No accepted and published ontological model for network forensics (Great research project idea!!) 6 Network Forensics
- 201. VS Computer Forensics • You thought computer forensic data was vola8le! • What about network data? • Computer forensics deals mostly with “dead” systems • Network forensics deal with live systems! • Network forensics
- 203. • Logs may or may not be admissible • Perpetrator may or may not be prosecutable • It is important to know about: • Local laws on computer-‐related crimes • Legal processes and how to build
- 204. a criminal case Bhadran VK (2009) 8 Network traffic • Network forensics can reveal who communicated with whom, when, how, and how oben. • It can uncover the
- 208. in the network traffic. Bhadran VK (2009) 9 Network forensic procedures • We need to follow a methodology! • Iden8fica8on • Report incident (Virus, DOS aDack) • Preserva8on
- 209. • Preserve eviden8ary data like logs, policies, databases) • Acquisi8on • Image data storage devices, Vola8le memory forensics (ports, processes, etc),Open ports and connec8ons, Log files • Analysis • Storage devices • Network
- 210. devices/logs • Suspect iden8fica8on • Presenta8on • Timelines, documenta8on (tools used, suspect interview reports) 10 Today • Due to 8me constraints: • We will dedicate most of our 8me
- 212. administrator what would you do? • Examine the logs! • What if they don’t exist? • Then you are not a good system administrator right? 12 What is
- 216. The Internet
- 219. they are logged with the proper dates and 8mes 16 What types of logs are there? • FTP server logs • Intrusion Detec8on System (IDS) logs • Intrusion Protec8on System (IPS)
- 220. logs • E-‐mail server logs • Router logs • Firewall logs • DHCP logs • HTTP logs • Event logs (windows) • Virus/Malware scanner logs 17 Where are logs stored?
- 221. • Can be stored on the device or other devices • Can be centralized using log servers • In memory? Corporate Network
- 222. The Internet
- 224. Log Server 18 Pros and Cons of log servers • Pros • Easy management • Aids in crea8ng a workflow for managing corporate networks • Cons
- 226. stored in log files • The kind of data stored in log files could vary • For example • Connec8ons made • Connec8on aDempts • Authen8ca8on aDempts • Shutdowns/restarts • Intrusion detec8on • Sobware installed
- 227. • Configura8on changes • Updates 20 Log file types • Is there really one standard type of logs? • Is this a challenge? (you bet!) • This is a cri8cal
- 230. • Applica8on logs • The applica8on log contains events logged by applica8ons or programs. • System logs • The system log contains events logged by system components. RCCF (2010)
- 232. share access, prin8ng, other • Applica8on Log: Nearly everything else RCCF (2010) 23 Important event logs • Local logon a)empt failures • Event IDs 529, 530, 531, 532, 533, 534,
- 233. and 537 • Account Misuse • Events IDs 530, 531, 532, and 533 • Account Lockouts • Event IDs 539 • Domain logon a)empt failures • Event IDs 675 and 677 • Crea8on
- 234. of a user account. • Event IDs 624 and 626 • User account password changed • Event IDs 627 and 628 RCCF (2010) 24 Important event
- 237. account was enabled, used, and then disabled again. RCCF (2010) 25 Important event logs • Modifica8on of Security Groups. • Global group membership modifica8ons • Event IDs 632
- 238. and 633 • Domain local group membership modifica8ons • Event IDs 636 and 637 • Modifica8on of Security Log • Event IDs 612 and 517: to determine which user modified the audit policy
- 240. • Policy Change • Event ID 608: User right assigned • Event ID 609: User right removed RCCF (2010) 27 Terminal services Terminal Services a)acks Terminal Services
- 243. IDS does • Generates an Alert if something is wrong • May capture some network traffic for post-‐analysis aber the alert • When an IDS is included in an inves8ga8on • Find out as
- 244. much informa8on from the system admin • Alerts may be sent to IT personnel • They may be located in more than one place • Get help/Interview IT personnel explaining the logs Anson & Bunting (2007)
- 247. and/or unacceptable connec8on parameters • Connec8on aDempts which do not meet the allowed rules are dropped • Firewall logs show which connec8ons were accepted/rejected Anson & Bunting (2007) 31
- 248. Windows Firewall log #Version: 1.5 #Software: Microsoft Windows Firewall #Time Format: Local #Fields: date time action protocol src-ipdst-ipsrc-port dst-port size tcpflagstcpsyntcpacktcpwinicmptypeicmpcodeinfo path 2009-10-23 14:12:49 DROP UDP 192.168.55.100 192.168.55.255 138 138 243 -------RECEIVE 2009-10-23 14:12:50 DROP UDP 192.168.55.100 192.168.55.255 138 138 229 -------RECEIVE 2009-10-23 14:12:51 DROP UDP 192.168.55.102 192.168.55.255 137 137 78 -------RECEIVE 32 HTTP logs • Web servers typically have connec8vity logging features • Every
- 250. the number of users, requests, links from other sites etc. • Most are in ASCII • Most are in W3C extended log format (hDp://www.w3.org/TR/ WD-‐logfile.html) • HTTP logs contain a wealth of inves8ga8ve
- 251. informa8on Anson & Bunting (2007) 33 IIS log file #Sobware: Microsob Internet Informa8on Services 5.0 #Version: 1.0 #Date: 2007-‐04-‐16 00:13:01 #Fields: date 8me c-‐ipcs-‐username s-‐ips-‐port cs-‐ method
- 252. cs-‐uri-‐stem cs-‐uri-‐query sc-‐status cs(User-‐Agent) 2010-‐03-‐17 00:12:01 201.29.243.158 -‐72.149.164.82 80 GET /Abe.jpg -‐200 Mozilla/ 4.0+(compa8ble;+MSIE+6.0;+Windows+NT +5.1;+SV1) 34 Field descrip8ons FIELDNAME DESCRIPTION date Date on which the activity occurred time Time at which the activity occurred, expressed in UTC (GMT) c-ip IP address of client making the request cs-username Username of authenticated user who accessed the server.
- 253. Anonymous users are annotated by a hyphen s-sitename Internet service name & instance number that was serving the request s-computername Name of the server on which the log file entry was generated s-ip IP address of the server on which the log file was generated s-port Server port number that is configured for the service cs-method Requested action, most often GET method cs-uri-stem Target of the action (default.htm, index.htm, etc) cs-uri-query Query, if any, the client was requesting Anson & Bunting (2007) 35 Field descrip8ons cont. FIELDNAME DESCRIPTION sc-status HTTP status code sc-win32-status Windows status code sc-bytes Number of bytes that the server sent to client cs-bytes Number of bytes that the server received from the client time-taken Length of time the requested action took, expressed in milliseconds cs-version Protocol version (HTTP or FTP) that the client used cs-host Host header name, if any cs(User-Agent) Browser type used by client
- 254. cs(Cookie) Content of cookie (sent or received), if any cs(Referrer) Site last visited by user. This site provided a link to this current server. sc-substatus Substatus error code Anson & Bunting (2007) 36 HTTP status codes • Part of the protocol is the status code • The code indicates whether the requests were made successfully or
- 255. not • It is important to understand these status codes because they are typically in the log files • Explana8on of status codes: hDp://www.addedbytes.com/ar8cles/hDp-‐status-‐codes- ‐explained/ Anson & Bunting (2007) 37
- 256. HTTP Logs-‐ General status codes STATUS CODE DESCRIPTION 1xx Informational 2xx Successes 3xx Redirection 4xx Client Errors 5xx Server Errors Anson & Bunting (2007) 38 HTTP logs -‐ Successes STATUSCODE DESCRIPTION 2xx Successes 200 OK 201 Created 202 Accepted 203 Non-authoritative information 204 No content 205 Reset content 206 Partial content 207 Multi-status -used with XML responses
- 257. when a number of actions could have been requested. Details of individual statuses are found in the message body Anson & Bunting (2007) 39 HTTP logs -‐ Redirec8on STATUSCODE DESCRIPTION 3xx Redirection 300 Multiple choices 301 Moved permanently 302 Moved temporarily (HTTP/1.0) or Found (HTTP/1.1) 303 See other (HTTP/1.1) 304 Not modified 305 Use Proxy 306 No longer in use (formerly used for switch proxy) Anson & Bunting (2007) 40 HTTP
- 258. logs – Client errors STATUSCODE DESCRIPTION 4xx Client Errors 400 Bad request 401 Unauthorized (its use is similar to 403, but 401 is specifically used when authentication is possible and has failed or was not provided by client) 402 Payment required (not really used) 403 Forbidden 404 Not found 405 Method not allowed 406 Not acceptable 407 Proxy authentication required 408 Request timeout Anson & Bunting (2007) 41 HTTP Logs -‐ Conflicts STATUSCODE DESCRIPTION 409 Conflict 410 Gone 411 Length required
- 259. 412 Precondition failed 413 Requested entity is too large 414 Requested URI is too long 415 Unsupported media type 416 Requested range is not satisfiable 417 Expectation failed 449 Retry with Anson & Bunting (2007) 42 HTTP Logs – Server errors STATUSCODE DESCRIPTION 5xx Server Errors 500 Internal server error 501 Not implemented 502 Bad gateway 503 Service unavailable 504 Gateway timeout 505 HTTP version is not supported 509 Bandwidth limit exceeded Anson & Bunting (2007) 43
- 260. FTP logs • FTP servers typically create logs • They are usually in ASCII format • They are usually in the W3C extended log format ( hDp://www.w3.org/TR/WD-‐logfile.html) • Have status codes similar to
- 261. HTTP Anson & Bunting (2007) 44 Sample FTP log #Sobware: Microsob Internet Informa8on Services 5.0 #Version: 1.0 #Date: 2008-‐03-‐15 02:43:10 #Fields: 8me c-‐ipcs-‐method cs-‐uri-‐stem sc-‐status 02:43:10 192.168.1.32[11]USER
- 264. Transient Nega8ve Comple8on Replies 5xx Permanent Nega8ve Comple8on Replies Anson & Bunting (2007) 46 FTP
- 271. PATHNAME created Anson & Bunting (2007) 48 FTP logs – Posi8ve intermediate replies STATUSCODE DESCRIPTION 3xx Positive Intermediate Replies 331 Username okay, need password 332 Need account for login 350 Requested file action pending further information Anson & Bunting (2007) 49
- 272. FTP logs – Transient nega8ve comple8on STATUSCODE DESCRIPTION 4xx Transient Negative Completion Replies 421 Service not available—closing control connection 425 Can’t open data connection 426 Connection closed—transfer aborted 450 Requested file action not taken—File unavailable 451 Requested action aborted—local error in processing 452 Requested action not taken - insufficient storage space in system Anson & Bunting (2007) 50 DHCP logs
- 273. • DHCP used to assign variable IPS to clients • DHCP logs are important because one can • Inves8gate what computer was assigned to an IP address • To learn more about DHCP logs, you
- 274. can visit: hDp://technet.microsob.com/en-‐us/library/cc776384(WS. 10).aspx 51 Log handling and management • Always back up logs • Search logs for suspicious behavior • E.g., Logins from outside the domain Failed login
- 275. aDempts • Log everything you need, but not what you do not need • Rotate log files at intervals appropriate for your analysis and archiving requirements • Write logs to a convenient, dis8nct,
- 276. ample and secure loca8on RCCF (2010) 52 Summary • Logs can be proprietary • ASCII is popular, but binary also exists • W3C extended format is popular • It is important
- 277. to talk to system administrators to understand how they are logging, and if they are logging • Logs can be tedious.. • Date and Time synchroniza8on are cri8cal in log files • Centralizing logs
- 280. cri6cal informa6on (Natajan, Allam, Moore, 2009) • Analysis of remnants of visited websites on a disk. • Depends on the browsers being used • IE (Index.dat) • Mozilla (History.dat) • Popular
- 281. free tools • Mandiant web historian • Index.dat analyzer 54 Packet capture & reconstruc8on (PC&R) • Defini8on • Packet sniffer: A sniffer is sobware that collects traffic flowing
- 282. into and out of a computer aDached to a network • Popular tools • Ethereal/Wireshark 55 PC&R – Challenges • Data Capture: • (a) Where should the data be
- 288. can be done in two major ways • Sobware captures (Wireshark, TCPDump) • Hardware capture devices • Whether the capture is hardware/sobware based, the loca8on of the capturing technology is of cri8cal importance
- 290. by capturing only required protocols • Packet filtering 59 PC&R challenges • Some issues that might impact authen8city/integrity of network forensics • TCP relaying/proxying • Onion rou8ng • Anonymous
- 291. remailing • Web anonymizers • IP spoofing • Email spoofing • Compromised third party machines • Session hijacking • DNS cache poisoning • Other man-‐in-‐the-‐middle aDacks (Nikkel, 2005) 60 The
- 292. portable network evidence collector • A PNEC was created by Bruce Nikkel in 2006 • Device created carefully not to inject traffic into the captures • Runs Open BSD 3.8 • Now – many other
- 293. capture devices on the market 61 Network Capture Device – Inves8gator Mode Investigator mode involves an investigator capturing activity during an investigation or evidence collection of remote network services. These services may include remote ftp or web sites, peer-to-peer networks, NS/Whois data collection, etc. The PNFEC is inserted between the investigator's own workstation and the network, collecting all traffic generated by the investigator. Nikkel (2006) 62 Network
- 294. Capture Device – Server Mode Server mode involves capturing activity during an attack, intrusion, or abuse directed against a single server or other network node. The PNFEC is inserted between the server being misused and the network. All traffic coming to/from the server can be collected. Nikkel (2006) 63 Network Capture Device – User Mode User mode involves capturing network activity generated by a single end user or end user machine. The PNFEC is inserted between the end user/machine and the network, and collects evidence of abuse, criminal activity or policy violation originating from the user/machine. In such
- 295. cases, the PNFEC can be discreetly deployed in a wiring closet at the Ethernet hub/switch or patch panel. Nikkel (2006) 64 Captured packets 65 Pcap file 66 Packets reconstructed 67 Packets reconstructed
- 296. 68 Packet reconstruc8on tools • SilentRunner • By Access Data • Live analysis • Live capture (graphical) • Reconstruc8on • EXPENSIVE • NetWitness • Free for the most part • Capture
- 297. • Reconstruc8on • NetIntercept – Download trial version – Reconstruc8on – Capture with Wireshark – Import Pcap file • Networkminer – Free! • NeSA • Network Session Analyzer 69
- 298. E-‐mail forensics • I think we discussed this enough, don’t you think? 70 Network imaging • We discussed this in the prerequisite class • Network dd • Another
- 300. • We’ll talk about this next lecture. • New and exci8ng. • Some regard it as part of network forensics 72 Localiza8on and tracking • Paper to read by Al-‐Kuwari Wolthusen1,
- 303. 2005. • Nikkel, B. J. (2006). A portable network forensic evidence collector. Digital Inves8ga8on, 3(3), 127-‐135. • hDp://www.netwitness.com/ • hDp://www.accessdata.com/ • RAFT, Marc Scanlon and Mohand-‐Taher Kechadi, Interna8onal Conference on Digital
- 305. and Cyber Crime, 2009, Albany, NY • Nikkel, B.J. (2005), "Generalizing Sources of Live Network Evidence," Digital Inves6ga6on, 2(3): 193-‐200 • RCCF Presenta6on 2010, India • Mastering Windows Network Forensics and Inves8ga8on, Steve