April 18th, 2005
Objectives

Evidence acquisition
- Recovery and examination of suspect digital evidence (think Warrick Brown on CSI)
- Hardware: servers, workstations, laptops, PDAs, mobiles, cameras, pagers
- Software: databases, e-mail, Internet cookies, bookmarks, deleted files, unallocated space

Considerations
- Integrity: must be able to prove data has not been changed to be admissible in court
- Chain of custody
- Legal and social responsibilities: Privacy Act (2001), user agreements
Things that can get in the way
- Encryption: partitions, files, e-mail, instant-messaging communication
- Anonymity: overlay networks, such as Tor
- Volatility: memory-resident contents are lost when the machine is rebooted
- Unsupported filesystems: many tools have yet to support ReiserFS
Live analysis: Scenario

An attack has taken place. You, the investigator, have just arrived on the scene.
- It is expected that the attacker uses encrypted disk volumes
- In any case, the machine contains memory-resident information that will be lost after a power cycle

Reasoning:
- Integrity: changes to the suspect host MAY contaminate evidence and WILL not be admissible
- Volatility: critical data will be lost (or inaccessible)
- May not be able to afford disruption to service
- May not litigate, but gather information for defence
Forensics 101: Secure the scene
1. Photograph the computer screen
2. Record the current system time and note this against an accurate time source
3. Begin data acquisition in order of volatility (OOV):
   1. Physical memory, open files, open network connections, swap space
   2. Encrypted file systems where you do not have the key to unlock
   3. Temporary file systems (/tmp, /proc)
4. Record the current system time (why twice?)
5. Message digests of gathered evidence

Now let's look at doing this with Helix!
Helix: Open-Source Forensic Toolkit

Knoppix-based bootable CD-ROM

Features:
- NX server for fast remote session management
- Can be loaded entirely into RAM (resources permitting) for improved seek times
- UnionFS (or Klik) for customisations
- Live dumps of Linux/Windows suspected hosts

Tools:
- Sleuthkit, Autopsy
- PyFLAG, macrobber
- md5deep, Ethereal and MUCH more

URL: http://www.e-fense.com/helix
Set up the scene for data acquisition

Suspect host (Linux or Windows):
1. Load Helix CD-ROM into drive
2. Ensure that your tools do NOT modify the disk!
3. Use IP addresses instead of hostnames (why?)
4. Use trusted CD-ROM binaries only
5. Send acquired data over an encrypted network

Investigator:
1. Boot machine with Helix, loading it into RAM-Disk for faster seek times
2. Start electronic (Unix script) and paper-based documentation
Live analysis (1)

Initialise Client:
    export safe="/mnt/cdrom"
    export nc="/mnt/cdrom/nc -w 3 192.168.1.253 65534"
    $safe/bash          # trusted shell
    export PATH=$safe   # clear path

Initialise Server (for each command):
    nc -l -p 65534 >> forensics.data.txt

Files and Network Connections
1. $safe/lsof -ndr | $nc          # open files
2. $safe/netstat -nap | $nc       # network connections
3. $safe/netstat -nr | $nc        # routes
4. $safe/ils -o /dev/hdan | $nc   # deleted & open files
Live analysis (2)

Processes
1. $safe/ps -leaf | $nc       # solaris: suspect processes
2. $safe/ps -auxl | $nc       # linux: suspect processes
3. $safe/pcat <PID> | $nc     # save PID memory space

Users
1. $safe/who -ihl | $nc       # active users
2. $safe/tar cf - /proc | $nc # system info
Live analysis (3)

Swap space (already have /proc/kcore)
1. $safe/dd if=/dev/swapdev bs=2k | $nc   # swap space

Encrypted volumes
1. $safe/dd if=/dev/hdan bs=2k | $nc      # exact copy

Temporary partition
1. $safe/dd if=/dev/tmpdev bs=2k | $nc    # temp partition

File access times
1. $safe/ls -alru / | $nc   # access times (-u)
2. $safe/ls -alrc / | $nc   # inode change times (-c); ls has no creation time
3. $safe/ls -alr / | $nc    # modification times (default -l column)
4. Why not message digest checksums too?
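The steps from "Secure the scene" through the three live-analysis slides form one procedure: record the time, run each trusted tool in order of volatility, pipe its output to the netcat listener, record the time again, and digest what was gathered. The script below is an added example that is not Helix's linux-ir.sh and not code from the slides. It assumes the slides' layout: trusted static binaries under /mnt/cdrom ($SAFE), a listener on 192.168.1.253:65534, and the slides' placeholder device names (/dev/swapdev, /dev/tmpdev); SINK, OOV_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not linux-ir.sh or any script from the slides): a small
# order-of-volatility collector with the bookkeeping the slides ask for.
# Assumptions: SAFE holds the trusted static binaries (the Helix CD), SINK is
# the command every step is piped into (by default a netcat client to the
# listener on 192.168.1.253:65534 as on the slides), and the device names in
# collect_all are the slides' placeholders, not real devices.

SAFE="${SAFE:-/mnt/cdrom}"
SERVER="${SERVER:-192.168.1.253}"
PORT="${PORT:-65534}"
SINK="${SINK:-$SAFE/nc -w 3 $SERVER $PORT}"
LOG="${LOG:-/dev/stderr}"      # paper trail; keep it off the suspect disk

# stamp MESSAGE: log a UTC timestamp with a message. date comes from the
# trusted directory like every other tool. The slides take the time before
# and after acquisition so the window in which the host was touched is bounded.
stamp() {
    printf '%s %s\n' "$("$SAFE/date" -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# acquire NAME TOOL ARGS...: run one trusted tool and stream its output to the
# sink. Only $SAFE is consulted, never the host's PATH, so a trojaned host
# binary of the same name cannot be run; a missing trusted tool is logged,
# the step is skipped and the function returns 1.
acquire() {
    name="$1"; tool="$SAFE/$2"; shift 2
    if [ ! -x "$tool" ]; then
        stamp "SKIP $name: trusted tool not found: $tool"
        return 1
    fi
    stamp "BEGIN $name: $tool $*"
    "$tool" "$@" 2>>"$LOG" | eval "$SINK"
    stamp "END $name"
}

# digest FILE MANIFEST (server side): append an md5 line for a received
# evidence file so any later change to it can be detected. The digest is
# computed on the server, never on the suspect host.
digest() {
    md5sum "$1" >> "$2"
}

# receive FILE MANIFEST (server side): one listener per step, as on the
# slides (nc -l -p 65534 >> forensics.data.txt), followed by the digest.
receive() {
    nc -l -p "$PORT" >> "$1"
    digest "$1" "$2"
}

# collect_all (suspect host): the slides' steps in order of volatility.
collect_all() {
    stamp "START acquisition"
    acquire open-files   lsof    -ndr
    acquire connections  netstat -nap
    acquire routes       netstat -nr
    acquire processes    ps      -auxl
    acquire users        who     -ihl
    acquire proc         tar     cf - /proc
    acquire swap         dd      if=/dev/swapdev bs=2k   # placeholder device
    acquire tmp          dd      if=/dev/tmpdev bs=2k    # placeholder device
    acquire atimes       ls      -alru /
    acquire ctimes       ls      -alrc /
    acquire mtimes       ls      -alr /
    stamp "FINISH acquisition"
}

# Run the whole sequence only when asked, so the file can also be sourced.
if [ "${OOV_RUN:-0}" = 1 ]; then
    collect_all
fi
```

On the suspect host, run it after the slides' initialisation (trusted shell, PATH cleared to $safe) with `OOV_RUN=1 SAFE=/mnt/cdrom sh oov.sh`, starting `receive forensics.data.txt manifest.md5` on the server before each step. To apply the Improvements slide's encrypted channel, point SINK at the des pipeline instead of plain netcat, e.g. `SINK="$SAFE/des -e -c -k pword | $SAFE/nc -w 3 $SERVER $PORT"` (assuming des is among the trusted binaries), and decrypt on the server before appending to the evidence file.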
Automated

Helix provides a script (linux-ir.sh) that:
- pretty much runs the above commands
- has its tools output to STDOUT, allowing an easy pipe to the netcat server
- is customisable to specific requirements by script editing

Usage:
1. Insert Helix into the CD-ROM of the live system
2. /bin/mount /mnt/cdrom
3. /mnt/cdrom/static-binaries/linux-ir.sh | $nc

A few of Helix's statically built binaries are seg-faulting, so a video demonstration of this will have to wait for another day...
Improvements

Rename trusted commands: e.g. rename /mnt/cdrom/pcat to /mnt/cdrom/t-pcat
- prevents running a suspected host binary that may be trojaned
- preserves MAC times on suspected host files

Use Cryptcat in place of Netcat, or pipe through des:
    des -e -c -k pword | nc                               # suspect host
    nc -l -p 65534 | des -d -c -k pword | dd of=out.txt   # server

GPG gives stronger symmetric key ciphers at a cost of speed and space
Other issues
- Requires the suspected host to have a working NIC
- Server must start an NC receiver for each client NC send request
- Large volumes are slow to copy bit-for-bit over an encrypted network
- More time spent on the suspected host increases the risk of modification to physical storage!
- Attackers using LKM rootkits
- Privacy: depends on the user's expectation of privacy
- Privacy: to comply with some legal jurisdictions or personal liberties within multi-user systems:
    $safe/w <UID>         instead of  $safe/w
    $safe/ps -aux <UID>   instead of  $safe/ps -aux
Secure the evidence
1. Document and label evidence
2. Transport the evidence
3. Shut down the computers
   - Unix (if root): sync; sync; halt
   - Unix (else): pull out the power cable
   - Windows: pull out the power cable
4. Begin data analysis of volatile data (already acquired)
5. Begin data acquisition and analysis of non-volatile data (physical disk etc.)
Chain of Custody
Dead Analysis

Now it is time for in-depth after-the-fact analysis within a laboratory. Don't forget to document the chain of custody for potential evidence!
Helix setup

Server-side:
1. Boot up Helix, load contents into RAM (faster seek times)
2. Change passwords for root, helix (default password is blank!)
3. Start FreeNX-server: nxsetup-knoppix
4. Optionally load additional software with UnionFS or:
       wget klik.atekon.de/client/install -O - | sh

Client-side:
- Start NX-client (Unix, Mac, Windows clients available)
- Set desktop session type to /usr/bin/startxfce4 to preserve server resources
- Begin dead analysis via your remote desktop
Acquisition: What is wrong here?

Image cloning:
1. Master boot record
       dd if=/dev/hdn of=partition.hdn.mbr count=1 bs=512
2. Partition table
       sfdisk -d /dev/hdn > partition.hdn.pt
3. Partition x of disk n
       partimage -d -b -z1 -o -V700 save /dev/hdnx vol.hdnx.gz

Restoration:
1. dd if=partition.hdn.mbr of=/dev/hdn
2. sfdisk /dev/hdn < partition.hdn.pt
3. partimage -e restore /dev/hdnx vol.hdnx.gz.000
Dead analysis

Some popular tools
- Autopsy: graphical front-end to Sleuthkit
- Sleuthkit: an update to The Coroner's Toolkit (TCT)
- PyFLAG: log file analysis for forensics investigations
- plenty more...

Techniques
- Recover deleted files from unallocated space, slack space, ...
- Search for hidden data (steganalysis)
- plenty more...
Conclusion

Briefly discussed:
- what Helix is, and how it can be used
- how to perform a live analysis while maintaining integrity of data

KEY POINT: Ensure forensics tools DO NOT write to the suspected host hard disk

Further information
- Know Your Enemy (2nd Ed). The Honeynet Project, 2004
- Incident Response and Computer Forensics. McGraw-Hill, 2003. (Chapter 6)

Questions?