Forensic Analysis Torres, Ricardo

It’s A Matter Of Time Security is a deterrence not a guarantee. “Computer forensics defined: Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.” Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials (2002)

Outside Consideration The Law Internet Crime Complaint Center (IC3) “The Internet Fraud Complaint Center (IFCC) was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to serve as a means to receive Internet related criminal complaints, research, develop and refer the criminal complaints to law enforcement agencies for any investigation they deem to be appropriate. The IFCC was intended, and continues to emphasize serving the broader law enforcement community, to include federal, as well as state and local agencies, which are combating Internet crime and in many cases participating in Cyber Crime Task Forces.”

Log & Document Incident profile: method of detection, who or what detected it (and contact information), date/time information, hardware & software involved Document each procedure performed. Document each tool used (origin, description, footprint).

Volatile Data First What it is: Resides in system memory. Is lost if the machine is rebooted. Includes: lists of running processes, open connections, and users logged in Don’t trust the compromised system. Statically- Vs Dynamicly-Linked Utilities

lsof (LiSt Open Files) Let’s list all the open socket files. rtorres]# lsof –i (Looks mostly harmless, but look who we happened to catch online) sshd root 3u IPv TCP :ssh->en eas.uccs.edu:3234 (ESTABLISHED) sshd cs301 3u IPv TCP :ssh->en eas.uccs.edu:3234 (ESTABLISHED)

lsof (LiSt Open Files) Let’s see if we can figure out what he’s doing by looking at all open files (without doing a DNS record). rtorres]# lsof –n vim 2035 cs301 4u REG 253, /home/cs301/public_html/java/jdbc/.CookieDB.java.swp Looks like he’s doing some database programming.

last Let’s look at logins in the month of October. rtorres]# last -f /var/log/wtmp.1 rtorres]# last -f /var/log/wtmp.1 We are greeted with 55 entries. 1 is the pseudo-user reboot. After eliminating multiple entries we are left with 15 users (and root).

lastb Now, failed logins in October. rtorres]# lastb –f /var/log/btmp.1 rtorres]# lastb –f /var/log/btmp.1 20,000 lines takes us from October 2 nd to October 29 th (in comparison, it’s only good for the 2 nd to the 8 th of November). So, obviously there’s been a lot of attempts to gain access.

Logs Check all of the logs you have. A careless intruder may have covered his/her tracks in one place only to forget another. The History command shows a list of most recently used commands. Cron logs show scheduled tasks.

Some Other Things The uptime command can be helpful. The top command shows processor usage in real-time. ps –ux also allows viewing of current processes. lsof +L1 lists files set for deletion. chkconfig --list can help identify malware that starts at one of the five run levels. Netstat can be used to help identify suspect IP addresses.

Where to? Persistent data Needle in a haystack: Hopefully your analysis has given you a good place to start looking. Disconnect the compromised system from the network? How critical is the system? Boot from a ‘disk’. Work off of an image rather than the original (mirror image or bit-wise copy).