Cosc 4765 Windows Forensics Techniques
A case study
First, this lecture should not be confused with computer forensics for criminal prosecution.
–That involves chain of custody and showing that the system's data is “unchanged” so it can be used as evidence in a trial.
We'll look at identification and detection techniques and tools
–using a Windows environment for a fake company.
Fake company
We'll use a web hosting company as the basis for the study.
–It has a large number of Windows servers.
–Each has 2 NICs: one has an inside private IP (X.X), one has an outside public IP.
–All inside traffic is via ssh, while outside traffic is via http (and https), using Apache (not IIS).
–And there is a firewall preventing outside-to-inside access: boxes can only be accessed from the Internet via the outside IP address.
Our Network Toolbox
Networking tools for detecting potential incidents:
–WireShark, Windump (tcpdump for Windows): we can capture and graphically inspect network traffic.
–EtherApe: builds a “talkers map” for a network segment, which lets us characterize normal traffic.
–tcpreplay: we can replay captured traffic and control the speed.
–Snort: free IDS, used with a GUI front end like BASE so the traffic is easy to view.
–MRTG, or something like it, can show you a traffic graph of your network.
–Fscan, nmapwin (nmap for Windows): port scanners to determine open ports.
Potential incidents
First, there is a general assumption:
–YOU ALREADY KNOW WHAT NORMAL TRAFFIC IS FOR “FAKE COMPANY”.
–Why is this important?
–What would we expect to be normal traffic for this company?
Potential incidents (2)
So first we think there is “abnormal traffic” on the network.
–Maybe from Snort or other network monitoring software. Could just be “gee, the response time is slow today”.
–We run Wireshark and see the following: traffic from an outside IP to an inside IP.
–That's a problem!
–Time to check that computer.
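The “know what normal is” assumption can be written down as a small policy check. The script below is an added example, not part of the lecture: it classifies each flow in a captured summary by the company's two address ranges and reports anything that breaks the stated rules (inside traffic is ssh only, outside traffic is http/https only, nothing crosses from outside to inside). The inside prefix 10.0.0.0/8, the outside prefix 203.0.113.0/24 and the sample capture lines are all assumptions, since the slides only say “X.X”.

```python
"""Check captured flows against Fake Company's stated traffic policy.

Added example, not from the lecture. Assumptions: the inside network is
10.0.0.0/8 (the slides only say "X.X"), the servers' outside addresses are in
203.0.113.0/24 (TEST-NET-3), inside traffic is SSH only and outside traffic is
HTTP/HTTPS only. The capture below is constructed, one flow per line:
src dst proto dport.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")       # assumption
OUTSIDE_NET = ipaddress.ip_network("203.0.113.0/24")  # assumption
INSIDE_PORTS = {22}          # all inside traffic is via ssh
OUTSIDE_PORTS = {80, 443}    # all outside traffic is via http/https

# Constructed sample: a Wireshark-style summary reduced to the four fields we need.
SAMPLE_CAPTURE = """\
10.0.1.5 10.0.1.9 tcp 22
198.51.100.77 203.0.113.10 tcp 80
198.51.100.77 203.0.113.10 tcp 443
198.51.100.77 10.0.1.9 tcp 3215
10.0.1.5 10.0.1.9 tcp 445
203.0.113.10 203.0.113.11 tcp 21
"""


def classify(addr):
    """Which side of the firewall an address belongs to: inside, outside or internet."""
    ip = ipaddress.ip_address(addr)
    if ip in INSIDE_NET:
        return "inside"
    if ip in OUTSIDE_NET:
        return "outside"
    return "internet"


def check_flow(src, dst, dport):
    """Return a policy finding for one flow, or None if the flow looks normal."""
    s, d = classify(src), classify(dst)
    if d == "inside" and s != "inside":
        return "outside-to-inside traffic: the firewall should be blocking this"
    if s == "inside" and d == "inside" and dport not in INSIDE_PORTS:
        return f"inside traffic on port {dport}: only ssh is expected"
    if d == "outside" and dport not in OUTSIDE_PORTS:
        return f"public-facing service on port {dport}: only http/https is expected"
    return None


def audit_capture(text):
    """Run check_flow over every line of a capture summary; returns (line, finding) pairs."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, _proto, dport = line.split()
        finding = check_flow(src, dst, int(dport))
        if finding:
            findings.append((line, finding))
    return findings


if __name__ == "__main__":
    for line, finding in audit_capture(SAMPLE_CAPTURE):
        print(f"{line:40} {finding}")
```

Run against the constructed capture it reports three flows: the outside-to-inside connection the slide describes, SMB (445) between inside hosts where only ssh is expected, and an FTP listener reachable on an outside address. The same three rules are what the firewall and IDS rules in the clean-up slides are meant to enforce.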
Our Windows ToolBox
A CD-ROM containing copies of the programs we are using.
–A CD-ROM is best, since it cannot be compromised by an infected system.
–From a Windows system: at.exe, cmd.exe, dir (a cmd.exe built-in), ipconfig.exe, nbtstat.exe, net.exe, netstat.exe, nslookup.exe, route.exe, tracert.exe, hostname.exe
Our Windows ToolBox (2)
From Foundstone.com and other places:
–fport.exe: reports all open TCP and UDP ports and maps them to the owning application.
–Could use netstat -an, but fport maps each port to the owning application, so it's better.
–pslist.exe: lists processes on the command line.
–psservice.exe: associates services with process IDs.
–psfile.exe: similar to lsof, lists the files opened by applications.
–psloggedon.exe: associates users with running processes.
–listdlls.exe: lists which DLL files are being used by running processes.
What to look for?
–unusual processes: pslist, psinfo, psfile
–unusual listening ports: netstat, fport, psservice
–unusual open files: psfile, listdlls, fport
–logged in users: psloggedon, nbtstat
–process owners: psloggedon
–examine route tables: netstat, route
–temp files, suspicious folders: dir, type, explorer
Using the tools
e:\hostname (assume e: is the CD-ROM)
  winbox.private.com
e:\net session
  Computer   User name       Client Type   Opens   Idle time
  \\TGT1     ADMINISTRATOR                 0       00:00:27
  \\TGT2     ADMINISTRATOR                 0       00:00:15
  \\TGT3     ADMINISTRATOR                 0       00:00:23
  \\TGT4     ADMINISTRATOR                 0       00:00:05
This is very bad! There are 4 file shares connected to this machine.
Using the tools (2)
E:\Fport.exe
  Fport v2.0 - TCP/IP Process to Port Mapper
  Copyright 200 by Foundstone, Inc
  Pid   Process      Port  Proto  Path
  420   svchost  ->  135   TCP    C:\WINNT\system32\svchost.exe
  8     System   ->  445   TCP
  888   MSTask   ->  1025  TCP    C:\WINNT\system32\MSTask.exe
  8     System   ->  1027  TCP
  8     System   ->  445   UDP
  430   svchost  ->  80    TCP    C:\Program Files\Apache\httpd.exe
  1625  servu    ->  3215  TCP    C:\Client_Data\Inetpub\_vti-bin\ \servu.exe
We are running Apache web servers, but there is something running out of what looks like an IIS directory!
Hidden directory: note the directory in the servu path whose name is a single space.
Using the tools (3)
e:\dir /s /a c:\Client_Data\Inetpub\_vti-bin\" "\ /p
–recursively listing the hidden directory
Inside it we find:
  net use F: \\tgt1\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
  net use G: \\tgt2\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
  net use H: \\tgt3\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
  net use I: \\tgt4\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
So now there are at least 4 more systems involved, with administrator privileges.
Looking at those, we find it's an FTP server, with configs and a batch file to launch the server.
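The three “Using the tools” steps are the kind of thing worth scripting once you have a known-good baseline, so the two parsers below are an added example rather than anything from the lecture. They read the net session and fport output shown on the slides (transcribed here as sample input), list which remote computers hold sessions, and flag any listener whose binary sits outside an allow-list of install roots or whose path contains a directory named only with whitespace, which is the trick that hid servu.exe on the slide. The allow-list (C:\WINNT\system32 and C:\Program Files\Apache) is an assumption about Fake Company's standard build.

```python
"""Triage helpers for the 'Using the tools' steps: parse net session and fport
output and flag what the lecture calls out.

Added example, not part of the lecture. The sample output is transcribed from
the slides; ALLOWED_ROOTS is an assumption about where Fake Company's
legitimate listeners are installed (a real checker would take it from a
known-good baseline image).
"""
import re
from dataclasses import dataclass, field

# Assumption: the only directories legitimate listeners should run from.
ALLOWED_ROOTS = (r"C:\WINNT\system32", r"C:\Program Files\Apache")

# Transcribed from the lecture's 'net session' slide.
NET_SESSION_SAMPLE = r"""
Computer   User name       Client Type   Opens   Idle time
\\TGT1     ADMINISTRATOR                 0       00:00:27
\\TGT2     ADMINISTRATOR                 0       00:00:15
\\TGT3     ADMINISTRATOR                 0       00:00:23
\\TGT4     ADMINISTRATOR                 0       00:00:05
"""

# Transcribed from the lecture's fport slide.
FPORT_SAMPLE = r"""
Fport v2.0 - TCP/IP Process to Port Mapper
Copyright 200 by Foundstone, Inc
Pid   Process      Port  Proto  Path
420   svchost  ->  135   TCP    C:\WINNT\system32\svchost.exe
8     System   ->  445   TCP
888   MSTask   ->  1025  TCP    C:\WINNT\system32\MSTask.exe
8     System   ->  1027  TCP
8     System   ->  445   UDP
430   svchost  ->  80    TCP    C:\Program Files\Apache\httpd.exe
1625  servu    ->  3215  TCP    C:\Client_Data\Inetpub\_vti-bin\ \servu.exe
"""

NET_SESSION_ROW = re.compile(r"^\\\\(\S+)\s+(\S+)")
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str
    reasons: list = field(default_factory=list)


def parse_net_session(text):
    """Return (computer, user) pairs for every session row; header lines are skipped."""
    rows = (NET_SESSION_ROW.match(line) for line in text.splitlines())
    return [m.groups() for m in rows if m]


def parse_fport(text):
    """Yield one Listener per fport data row; the banner and header do not match."""
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            yield Listener(int(pid), proc, int(port), proto, path)


def hidden_components(path):
    """Directory names that are empty or whitespace-only, like the ' ' folder in
    the servu path; a casual 'dir' listing makes these easy to overlook."""
    parts = path.split("\\")[1:-1]   # drop the drive letter and the file name
    return [p for p in parts if p.strip() == ""]


def audit_fport(text, allowed_roots=ALLOWED_ROOTS):
    """Return the listeners that deserve a closer look, each with its reasons."""
    findings = []
    for lst in parse_fport(text):
        if not lst.path:             # kernel-owned (System) entries carry no path
            continue
        if not any(lst.path.lower().startswith(r.lower()) for r in allowed_roots):
            lst.reasons.append("binary outside the allowed install roots")
        if hidden_components(lst.path):
            lst.reasons.append("whitespace-named (hidden) directory in path")
        if lst.reasons:
            findings.append(lst)
    return findings


if __name__ == "__main__":
    for computer, user in parse_net_session(NET_SESSION_SAMPLE):
        print(f"session from \\\\{computer} as {user}")
    for lst in audit_fport(FPORT_SAMPLE):
        print(f"pid {lst.pid} {lst.process} port {lst.port}/{lst.proto}: {'; '.join(lst.reasons)}")
```

On the slide's data this lists the four ADMINISTRATOR sessions and singles out pid 1625 (servu on 3215/TCP) for both reasons, while svchost, MSTask and the Apache httpd pass because they live under the allowed roots. The allow-list is the important part: without a baseline of what the standard build installs, the path check degenerates into guesswork.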
A note
This hasn't identified the entry point. We don't know how they broke in:
–could be bad administrator passwords
–could be an unpatched Windows system
–virus/worm
–or simply a targeted attack against Fake Company that succeeded.
Clean Up
That's the hard part.
–If we decide not to reinstall the machine:
–Must check the registry, new local accounts, and services; for example, how does the system mount those directories?
–We'll need to stop that!
–Scan for and remove any viruses/worms/trojan horses/back doors.
Once an attacker gets in, they will work very hard to stay there.
Clean Up (2)
Besides cleaning up the systems, fix the firewall.
–If we are allowing clients to connect to specific ports, then we should enforce that on the firewall.
–Open Internet ports 80 (http), 443 (https), maybe port 25.
–Close outbound ports as well. Harder, because of browsing, patch management, and other issues, but it can normally be done by trial and error.
–Add VLANs if possible to block more traffic.
Clean Up (3)
Add an IDS system.
–Make sure it has rules that “enforce” policies.
–It will then tell us when traffic is going to the wrong ports,
–or when there are outside-to-inside IP connections.
Attackers may still succeed, but we will know about it quicker.
Lastly
The idea here is to quickly find and repair the problem.
–Have your toolbox ready, KNOW how to use the programs, and always know what “normal” is.
We can never be 100% secure, and it's not if we get hacked, it's WHEN we get hacked.
Q & A