Expunge REMOVING WINDOWS LOGIN TRACES CHAPTER. Exploit Techniques THE HACK DISSECTED

Transcription

1 CHAPTER Expunge 5 Expunging is the process of destroying information to cover the tracks of the attacker. These steps allow a computer user to remove traces of their activity from a computer so that someone else cannot determine what was done. Every modern computer system features a logging ability that tracks when certain activities take place. These logs could encompass all of the activities taken by users on the system, and they could also log activity from the attacker. This chapter will cover a few of the basic methods to erase information and help obscure an attacker s presence on a computer system. REMOVING WINDOWS LOGIN TRACES THE HACK DISSECTED Pavel took Stepan s laptop from Vlad and blanked the three Windows event log files. Next, he changed the last logged in user registry key so that it would appear that Stepan s account was the last one used. (p. 8) Early in our story, Pavel and Vlad hack into Stepan s computer to gather details on their employer and the job that he has for them. Pavel used a Linux bootable operating system on a Universal Serial Bus (USB) drive to change the password of the Administrator account and gain control of the system. However, when he was done siphoning off the information from the laptop, he went the extra step of cleaning up after himself and removing traces that he was on the computer at that time. Exploit Techniques There are many ways in which an attacker can remove the traces of his or her actions after the attacker s work is done on a hacked system. All modern operating systems have account auditing and logging enabled in some form to log information on when users log in and log off of the system, which can help place a physical person at the 269

2 270 CHAPTER 5 Expunge keyboard during an investigation. In other cases, the computer may log all of the activities that a person performed while he or she had logged in. There may be additional locations in which data is stored, but only if the attacker knows where to look for it. Event Logs Microsoft Windows stores all notable events into a collection of log files called the event logs. These logs store information about events that occur on a regular basis from within the Windows operating system and from the applications that run on it. When viewed through the integrated Windows Event Viewer application, event logs are commonly the first area that a system administrator monitors when something goes amiss. Assuming that Stepan would return to work with the laptop in tow, Pavel expunged the records of his work on the system by completely removing the three event logs on it. Although Windows stores events into a collection of event logs, each log stores a particular type of data. There are three main log files that have been in use since the event logs first appeared in Windows NT: Application, Security, and System. 1 We ll explore the details of these individual logs in the Best Practices section under Event Logs, but suffice it to say at this point that these three logs store many types of information that a hacker would want erased. In the Windows NT and XP environments, these logs are stored in the %SystemRoot%\System32\Config directory or, for most computers, C:\Windows\ System32\Config. Here, they are named as AppEvent.evt, SecEvent.evt, and SysEvent.evt. Although most computer systems have the operating system installed onto the C: volume, there are a rare few that choose another volume; the %SystemRoot% is automatically replaced by the actual drive letter to make it work on all systems. In a Windows Vista or Windows 7 environment, these logs are stored in %SystemRoot\System32\winevt\Logs, normally seen as C:\Windows\System32\ winevt\logs. They have a different naming convention of Application.evtx, Security.evtx, and System.evtx. Typically, these files are locked by an Event Logger service running on the system, preventing a user from simply deleting the file outright. However, in a hurry, their contents can always be cleared from within the Event Viewer application itself. This is done by highlighting the log that you wish to be cleared and selecting from the pull-down menu the Action Clear Log item, as shown in Figure 5.1. This will immediately remove all entries from the specified log, but it will leave a trace event that shows that the log was cleared at the current date and time. Last Logged-In User Key Immediately after cleaning out the event logs, the story notes that Pavel cleared the last logged in user registry key. This is an actual value in the Windows registry that stores which account last logged into the computer. This information is stored in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon\DefaultUserName

3 Removing Windows Login Traces 271 FIGURE 5.1 Clearing a Windows Event Log FIGURE 5.2 Windows Last Logged-In User Key This registry key, shown in Figure 5.2, will record the last user name that was manually logged into the system. 2 As Pavel logged into Stepan s laptop as Administrator, that name would show up in this registry entry. To clear his trails, as Stepan would not have been able to log in as Administrator, Pavel changed this entry from Administrator to Stepan s account name. Best Practices When an attacker reviews the logs shown here, he or she finds the information stored directly in Windows by the operating system itself. As this data is needed for system purposes, it may not be possible to either block its usage or modify it. For

4 272 CHAPTER 5 Expunge example, any user who has the administrative rights to the system can open the Registry Editor and change the DefaultUserName field shown earlier. There is nothing to prevent this as long as the attacker has administrative rights to the machine. Your defenses will have to be set well ahead of this point to prevent a hacker from obtaining administrative rights in the first place. Event Logs Unlike protecting against a registry edit, there are steps that you can take to maintain the event logs in your Windows systems, even when they have been deleted or modified. But, first, let s look at what data is contained within these files. The Application log stores events created by applications running on the system. This file normally logs errors and warnings given by applications, such as when they crash or exhibit noticeable errors. An example of this is shown in Figure 5.3, where an entry is shown for a Mozilla Firefox crash. The event records the exact time and date when the application crashed, as well as basic debugging information. This information shows that Firefox crashed because of a faulting module named FOXITR~1.OCX. FIGURE 5.3 Windows Application Event Log

5 Removing Windows Login Traces 273 Tracking down that file leads to the FoxitReaderOCX.ocx plug-in for Firefox, part of Foxit Reader, a free PDF viewer from This event coincided with the Web browser opening a corrupted PDF document and subsequently crashing. The Security log is used by Windows to track security events such as account logins and logoffs, as shown in Figure 5.4. It also notes when accounts attempt to read, modify, or delete protected audit files. On a properly configured system, this log reports any activity that would trigger a security audit for suspicious behavior. The System log deals with system-level errors and warnings, such as those produced by device drivers and system services. This log will detail hardware issues, as well as when services are started and stopped. Additionally, it will display any error messages that appear at the service level, such as the DNS errors shown in Figure 5.5. While the Application, Security, and System logs are the primary source of data for system events, Microsoft has included additional new logs with each recent FIGURE 5.4 Windows Security Event Log

6 274 CHAPTER 5 Expunge FIGURE 5.5 Windows System Event Log release of Windows. Windows Vista and Windows 7 feature dozens of various event logs that cover many aspects of the operating system. For example, recent versions of Windows include one event file named Microsoft-Windows-Application- Experience%4Program-Inventory.evtx. This log, shown in Figure 5.6, will log every time an application is installed onto the computer through official setup scripts. Each entry will include the name of the application installed and its version number. This is a log entry that should be scanned regularly to audit the applications being installed by your users. In earlier versions of Microsoft Windows, the event logs were vulnerable to deletion easily from the command line. By simply stopping the Windows services associated with the event logs, a hacker could then manually delete or rename the entries. However, additional file controls within Windows Vista and Windows 7 have made it difficult for hackers to simply remove or edit the files. In the case that a hacker has cleared event logs, one of the best ways to mitigate the issue is to simply have backups of the event logs already created. The backup process can be completed using the integrated command line tool wevtutil.exe. To create a regular backup using the wevtutil utility, you can create a new scheduled task in the Windows Task Scheduler. Create a new task inside Task Scheduler

7 Removing Windows Login Traces 275 FIGURE 5.6 Windows Application Inventory Log and set the trigger to occur on a daily schedule and to repeat every 5 min indefinitely. For an action, start a batch file similar to the off for /f "tokens=2-4 delims=/" %%a in ('date /t') do (set mydate=%%c-%%a-%%b) for /f "tokens=1-2 delims=/:" %%a in ("%TIME%") do (set mytime=%%a%%b) :Above code takes the current date and time and strips out the illegal :filename characters, from questions/ wevtutil epl Security C:\Users\_Hidden\SecurityBackup- %mydate%_%mytime%.evtx This batch file, which is saved with a.bat extension and placed anywhere on your system, sets a foundation for creating your own customized script. Currently, the script retrieves the current date and time and strips out the illegal colon and slash

8 276 CHAPTER 5 Expunge characters, allowing these values to be placed into the filename. The wevtutil utility is then run to export the Security log into the file C:\Users\_Hidden\SecurityBackup- %mydate%_%mytime%.evtx, although the folder location can be changed to meet your needs. Ensure that the task is configured to run at the highest elevated privileges, to allow the script to access the Security log. After being enabled, the task will then start creating backups of your Security log in 5-min intervals. Naturally, this will eventually fill your hard drive, so you will need to modify the script to place limits or run clean-up routines. However, this is a basic example to show that it can be done. SUMMARY OF REMOVING WINDOWS LOGIN TRACES Performing an exploit is only the first step in attacking a network system. Once an attacker has gained a foothold and stolen the resources needed from a system, the attacker will attempt to clean up his or her traces to throw off any investigative efforts. We saw this through multiple examples throughout our story, and it is a tactic used widely by attackers. It is relatively easy to remove basic traces of a normal login through the Windows Registry Editor, as we discussed in this section. Although removing the basic system logs can prove more difficult, they are targeted by attackers because of the copious details they store on system-wide operations. System administrators can perform basic mitigation to help prevent many of these attacks through proper security and backups of their system logs. With a proper backup strategy, an administrator can still retrieve details of an attack even if the logs are wiped clean. FOR MORE INFORMATION For this chapter, we ve covered the basics on log scrubbing to remove traces of an attack. There are a variety of dedicated tools for this task and additional ways to protect against them. For more information, we refer you to the following Web sites: WinZapper tool: ClearLogs tool: How to Delete Corrupt Event Viewer Log Files: CorruptEventViewerLogFiles.html Back Up Your Event Logs with a Windows PowerShell Script: microsoft.com/en-us/magazine/ heyscriptingguy.aspx

9 Browser Cleanup 277 BROWSER CLEANUP THE HACK DISSECTED The sound of a car door out front announced Vlad s return. Pavel surfed to the Black Hat conference site and then cleared his browser cache before Vlad walked in. (p. 115) In our story, Pavel is just beginning to worry about his working relationship with Vlad. He fears that his life may be in danger and starts creating a contingency plan for escaping the area. At that moment, Vlad returns to their hideout and Pavel quickly cleans up his traces. He switches to the Black Hat Web site, a site that Vlad would expect him to be on, and clears his browser cache. By clearing his browser cache, Pavel removes all traces of his Web surfing history. He hides the airlines and car rental Web sites that he was browsing just minutes before. If Vlad did attempt to view Pavel s history, he would see a blank slate. Exploit Techniques Clearing the history of a Web browser has become a common technique in the daily browsing of many people. It allows for privacy while surfing the Web by removing a user s activity log so that others can t see it at a later point. 3 Additionally, by clearing away the large amount of cached data on your hard drive, clearing the history can improve Web browser performance. The typical Web browser records many aspects of our daily Web-browsing activities. Every individual Web page that you view is stored, as well as copies of every page, image, and movie that you viewed. Additionally, all typed user names and passwords and every file downloaded is also stored. Modern Web browsers give you the ability to clear out this information, as shown by the Delete Browsing History window for Internet Explorer 8 in Figure 5.7. Although these options are normally buried within the multiple pull-down menus of their respective browsers, all modern browsers feature a universal keyboard shortcut to quickly bring up the history deletion function: Ctrl + Shift + Del. Upon pressing these three keys simultaneously, the browser s history deletion window will appear. While each browser has a slightly different style to their functions, they all operate the same way. Internet Explorer 8 s feature is shown in Figure 5.7 while Mozilla Firefox and Google Chrome s are shown, in respective order, in Figure 5.8. Private Browsing Although modern browsers allow for users to clean up their browsing history before signing off, they also offer a feature to prevent the system from logging this information in the first place. Known as private browsing, though with differing names between Web browsers, the feature blocks cookies and Web browsing history from being stored to the local system. It will also not store the information you type into online forms nor cache any of the data to the hard drive.

10 278 CHAPTER 5 Expunge FIGURE 5.7 Internet Explorer 8 Delete Browsing History Window FIGURE 5.8 Mozilla Firefox and Google Chrome s Respective History Delete Windows In Internet Explorer, this feature is known as InPrivate Browsing. Although InPrivate Browsing will not store search entries or Web sites, it does cache data to the hard drive. This cached data is deleted when you close the browser, but it can be recovered through basic forensics. InPrivate Browsing is enabled by selecting Safety InPrivate Browsing from the pull-down menu. Details on Internet Explorer s InPrivate Browsing can be found at Windows7/What-is-InPrivate-Browsing.

11 Summary of Browser Cleanup 279 Mozilla Firefox also offers a Private Browsing feature with many of the same abilities. Its Private Browsing also blocks cookies and browser history from being stored to the local system. It is enabled from the pull-down menu under Tools Start Private Browsing. Greater detail on Firefox s Private Browsing is found at support.mozilla.com/en-us/kb/private+browsing. Google s Chrome browser has the same feature set as the other major Web browsers in a feature they call Incognito Mode. Their implementation of private browsing is slightly different from Internet Explorer and Firefox. Upon selecting Tools (wrench icon) New Incognito Window from the pull-down menu, a new browser window will open in private mode. Google Chrome then allows you to have a simultaneous Incognito window and a normal browsing window. Additionally, while in Incognito mode, Chrome disables all of your browser extensions and add-ons. This prevents your private information from being leaked through third-party applications. Best Practices As these options are controlled by the browser itself, it is difficult to control their use as an administrator. The one exception is Internet Explorer 7 and later versions, for which there is a group policy that allows you to disable the ability to delete browsing history. This setting can be found in the Group Policy editor under Administrative Templates Windows Components Internet Explorer Delete Browser History. Under this final folder is a setting to Turn off Delete Browsing History functionality, along with various other deletion controls. 4 For serious infractions that absolutely require determining the browser history, it may be possible to forensically recover the deleted browser cache files after they ve been erased. This would assist in helping to see what content the user downloaded, and some sites, but may be limited. For instance, in Mozilla Firefox, all history details are now stored in miniature databases that are scrubbed clean after a user has deleted his or her browsing history. SUMMARY OF BROWSER CLEANUP As many attacks are beginning to use the Web browser as an attack vector, criminals have more of a need to clean their tracks on the browser itself. Additionally, even basic research and reconnaissance activities exist within the Web browser cache that can incriminate an attacker or a researcher in the middle of their tasks. The information stored within the browser cache can pinpoint the Web pages that a user browsed, as well as the content that he or she had viewed and downloaded. Not only can this store private data but also potentially embarrassing information for the user. For basic privacy reasons, all of the major Web browsers now support the ability to scrub browser history files and statistics, although this is also taken advantage of by attackers. Although users can easily clear their personal browsing history, an attacker can also scrub the history on their own computers in the event that their equipment is

12 280 CHAPTER 5 Expunge seized by law enforcement. For businesses, your employees are also able to clear their browsing history to remove evidence of activity on unauthorized Web sites. There is little that can be done by a company to protect against this action, though. Forcing users to use a modern version of Internet Explorer, blocking any alternative browser, and disabling the ability to remove the browsing history can maintain the cache on a system that the company controls. Beyond this, the risk is always present. FOR MORE INFORMATION We ve covered much of the ability to scrub a user s history and activities from a Web browser in this chapter, as well as how to enter private browsing mode. There are a few topics that we were not able to cover here, especially in the realm of best practices. The following Web sites cover some of the various aspects of recovering data from a Web browser, as well as some of the ways in which data can still be leaked out even while private browsing is enabled. Web Browser Forensics Part 1: Web Browser Forensics Part 2: Why Private Browsing Isn t : why-private-browsing-isnt/ ENDNOTES 1. How to view and manage event logs in Event Viewer in Windows XP, Microsoft Support, ; 2007 [accessed ]. 2. DefaultUserName, ; 2010 [accessed ]. 3. Rick B. Erase Internet Explorer 8 s Browsing History, The Washington Post, ; 2010 [accessed ]. 4. Prevent users from deleting IE browsing history, Online Tech Tips, iebrowsing-history/; 2009 [accessed ].