Lesson 10 Incident Response Toolkits “Who said there were no free lunches anymore?”

UTSA IS 6353 Security Incident Response Overview Cygwin Data Integrity Tools Drive Tools Viewers Search Tools Forensics Programs UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response CYGWIN A Unix environment for Windows: A DLL (cygwin1.dll) which acts as a UNIX emulation layer providing substantial UNIX API functionality A collection of tools, ported from UNIX, which provide UNIX/Linux look and feel The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response CYGWIN Where to get it: http://www.cygwin.com/ What’s included: date time uptime uname –a hostname whoami env ps netstat arp UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Data Integrity Tools Goal: maintain the chain of evidence and integrity of tools Maresware’s Disk_crc http://www.dmares.com MD5 Summer http://sourceforge.net/projects/md5summer UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Network Tool NetCat/Cryptcat Creates a channel of communication between hosts Used during forensics to create a reliable, TCP connection between the target system and the forensic workstation Cryptcat provides for encryption UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Netcat Commands Forensic workstation (192.168.1.1) command E:\>nc –l –p 2222 > yourfilename Translation: execute netcat in listen mode on port 2222 and pipe inbound traffic to “yourfilename” Sending output from target system A:> pslist | nc 192.168.1.1 2222 Translation: execute pslist and pipe output to netcat and netcat will transmit to 192.168.1.1 port 2222 UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Netcat in Action Hacked Machine Forensics Workstation time date loggedon fport pslist Nbtstat - c Run trusted commands on Hacked Machine Send output of commands to forensics workstation using netcat Perform off-line review MD5SUM output files UTSA IS 6353 Security Incident Response

Netcat Command Sequence Forensics Workstation 192.168.1.1 Hacked Machine time date loggedon fport pslist Nbtstat - c A:>time | nc 192.168.1.1 2222 A:>date | nc 192.168.1.1 2222 * A:>Nbtstat – c | nc 192.168.1.1 2222 C:>nc – l – p 2222 > forensics.txt C:>md5sum forensics.txt > ????? UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Drive Tools Goal: allow collection of various hard/floppy/CD forensics Partition Tools fdisk (for Linux, DOS version obsolete) Partinfo (free) PartitionMagic(includes Partinfo but cost $) CD-R Utilities CD-R Diagnostics (http://infinadyne.com/forensicsoftware.html) Unerase Tools Windows: Norton Utilities Diskedit & unerase Unix: e2recover FilesScavenger UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Drive Tools(2) Drive Imagers NTI’s SafeBack SnapBack Ghost--Symantec Dd—the Unix command Disk Wipers DiskScrub from NTI UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response File Viewers Goal: allow investigator to discover, view, and analyze files on all operating systems QuickViewPlus Views over 200 file types Conversion Plus Views Mac files on Windows ThumbsPlus – Catalogs and displays all image files UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Search Tools Goal: find keywords pertinent to investigation NTI’s dtSearch Searches text files including Outlook .pst files Danny Mares StringSearch Hidden Streams SFind (www.foundstone.com) Streams (www.sysinternals.com/ntw2k/source/misc.html) UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Forensics Programs Focus: collect and analyze data SANS Investigative Forensics Tool Kit (SIFT) http://digital-forensics.sans.org/community/downloads/ Forensic Toolkit – www.foundstone.com Focus is on Windows NT systems The Coroners Toolkit (TCT) Investigates a hacked Unix host graverobber mac utility unrm utility lazarus tool UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Forensics Programs(2) ForenSix by Dr. Fred Cohen www.all.net Runs on Linux but can access many different file systems EnCase (www.encase.com) Claims to be the only fully integrated Windows-based forensics application UTSA IS 6353 Security Incident Response

Foundstone Tools http://www.foundstone.com/resources/forensics.htm Pasco 1.0 – IE activity forensic tool Galleta 1.0 – Examine content of cookie files from IE Rifiuti 1.0 – Examine Info2 file in the Recycle Bin Vision 1.0 – Reports open TCP/UDP ports and maps to owning process NTLast 3.0 – Security Log Analyzer ShoWin 2.0 – Show information about Windows BinText 3.0 - Finds strings in a file Patchit 2.0 – Binary file byte patching program UTSA IS 6353 Security Incident Response

Vision System Info

Vision Processes View

Vision Services View

Vision Services View

File Watch

Sysinternals Tools http://www.sysinternals.com/ntw2k/utilities.shtml Monitoring Tools Diskmon 1.1 – monitors disk activity Filemon 1.1 – monitors file activity ListDLLs 2.23 – List all currently loaded DLLs NTFSInfo—Gives size and location of MFT Portmon 3.02—monitors serial and parallel ports Process Explorer 6.03 – find our what files, registry keys, and other objects process which DLLs PSTools 1.82 Regmon 6.06 – monitors registry activity UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Sysinternals Tools(2) Utilities AccessEnum 1.0 – used to find holes in file permissions NTRecover 1.0 – access dead NT disks over a serial connection NTFSDOS 3.02 – Access NTFS drives read-only from DOS Remote Recover 2.0-- access dead NT disks over a network connection UTSA IS 6353 Security Incident Response

pstools

pslist

pslist

Process Explorer-View 1

Process Explorer-View 2

FILEMON

REGMON

TCP/IP Monitor One Sinlge IE Access to One Web Site

UTSA IS 6353 Security Incident Response Other Useful Tools Password Crackers (see pg 145) L0phtCrack – www.atstake.com John the Ripper – www.openwall.com/john Chntpw – home.eunet.no/~pnordahl/ntpasswd Fast ZipCracker – www.netgate.com.uy/~fpapa AccessData – www.accessdata.com Provides entry to a wide range of application encrypted files Elcom – www.elcomsoft.com UTSA IS 6353 Security Incident Response

UTSA IS 6353 Security Incident Response Other Useful Tools(2) Internet References Matching Hardware Types to MAC addresses www.cavebear.com/CaveBear/Ethernet/vendor.html Proxy Servers available to the Public www.proxys4all.com List of Defaced Web sites www.attrition.org List of HTTP status codes www.w3.org/Protocols/HTTP/HTRESP.html File Formats and Header Specifications www.wotsit.org UTSA IS 6353 Security Incident Response

McAfee Visual Trace Hostile Activity From China

UTSA IS 6353 Security Incident Response Summary Lots of free lunches out there when it comes to forensic tools and utilities…do some research! UTSA IS 6353 Security Incident Response