FORENSIC
PROCESS AND TRICKS
Tiger Shark from Antionline has kindly given his permission for
his tutorial to be hosted at The Taz.
You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=267378
Enjoy
Ahhh, vacations are wonderful things... I can read books I don't have
time for under the Jamaican sun with a Pina Colada in hand....
What follows are the notes I made while reading the book "Hacking
Exposed - Computer Forensics" ISBN: 0-07-225675-3. It's a very involved
book with a heavy emphasis on the legalities of what you do during an
investigation as well as the legally acceptable process and some neat
tricks to help you find evidence. I thought it would be useful to some
here.
Disclaimer: These are my notes on the book. They may be verbatim from
the book in places because there is no opportunity to word the
information better.
There are three types of investigation:
Internal
Civil
Criminal: avoid if possible
Always assume criminal, otherwise the evidence may be worthless.
Be utterly unbiased - full disclosure.
No assumptions can be made.
The investigator is fiscally or criminally liable if the evidence is
bad and the case turns civil or criminal. Call in professionals if the
situation changes.
The elements of good process are:-
Cross-validation of findings: Use multiple tools to backup your findings
Proper evidence handling:
Chain of evidence - hash the evidence (MD5, SHA1) and record who accessed
it, when, why and what they did. The book provides a form for this in
Appendix A.
Completeness of investigation:
Search in a complete manner - follow counsel’s direction on what to
search for. Use a process that finds every piece of evidence.
Management of archives:
Just because a judge rules on a case doesn't mean it's closed. Records
must be kept for years. A case can be lost years later because the data
is now unavailable or potentially tainted.
Technical competency:
Know the details of the tools you use and the details of the processes
they carry out. Know their weaknesses and their strengths.
TRAP: Even with a thorough understanding of the OS, processes,
technology etc. you will have to defend yourself and your knowledge at
every turn as the defense asks obscure questions in order to make you
look incompetent.
Explicit definition and justification of the process:
Follow a clear process that you can explain to a judge. It must be
repeatable. Never put yourself in a position where your process or the
accuracy of the evidence you gathered can be questioned.
Legal compliance:
In the arena of the investigation comply fully with the corporate
policy and the laws of the jurisdiction the investigation takes place
in. Consult counsel and administration - you support them, not the
other way around.
Flexibility:
Things change, especially technology. Keep up with changes and
modernize your tools and process.
Process Definition:
Assessment:-
1. Determine scope and quantity of data: work with the people
requesting the investigation to discover the scope and amount of data
required
2. Identify data locations: Where is the data - Do you have the tools
and knowledge to properly extract and preserve the data?
3. Protect and Preserve the data. This should be done as soon as
possible. Alteration of data through normal business processes can be
acceptable up to this point but not once the process begins.
4. Establish a chain of custody: Must begin immediately - if you wait
then the investigation may prove to be flawed.
5. Preview the data: the data must not be changed. This allows for
preparation for the acquisition phase. Only use forensically approved
tools.
Acquisition:-
1. Identify the source media: this may not be as easy as it sounds if
the media is very old.
2. Identify the destination media: try to make it identical or as close
to the original as possible.
TRAP: if you have to alter the media type be careful to document the
reasoning for your decision and to show that the new media did not
alter data nor add anything new to the image. This is a common area
where the opposing expert will try to bring your case down.
3. Select acquisition parameters: Make sure the tools you use are
appropriate
4. Make the image: Metadata is required at this point to be able to
validate this phase in the authentication phase.
Authentication:-
The purpose is to ensure that the image is exact. If the hashes don't
match you are wasting your time. MD5, SHA1 or SHA-2 are acceptable.
Analysis:-
BE COMPLETE. Look at everything - in every corner - be creative - where
might data be hidden?
Articulation:-
Often the hardest part - keep it simple!!!
Archival:-
How much should you keep - for how long - and how likely is an appeal.
Software:-
"a forensic tool produces useful, reproducible and verifiable results"
How do you verify software tools:-
Visit the Scientific Working Group on Digital Evidence, (SWGDE), at
http://ncfs.org/swgde/documents.html
Tool categories:-
Acquisition
Data Discovery
Internet History
Image Viewers
E-mail Viewers
Password cracking
Mobile device
Large storage analysis
Case Management:-
This is essential to any investigation - if you haven't properly
documented everything, stored everything or, having done so, you can't
find it then everything you did was wasted.
Acquisition from a single system:-
You may photograph everything as you find it and again after you have
acted on it. This is not usually necessary, but if the photographs are
to be admissible in court they must conform to certain rules laid down
in law.
1. Pull the power cord. DO NOT rely on power switches - they may place
the system in standby mode. Note this action in Chain of Custody Log,
(CoCL).
2. Remove ALL drives from the system even if they are not currently
cabled or powered. CoCL.
3. Note in the CoCL the manufacturer, model, serial number and a
description of all drives removed.
4. Check the system for removable media and remove any found. CoCL.
Only search surroundings IF you have the authority. Check with
counsel/administration if you are unsure - get the authority in writing
if you can.
5. Boot the system and note the BIOS settings in the CoCL -
specifically note the system date and time in the BIOS. All files
recovered should then have their date and time adjusted accordingly to
determine when they were created, modified or accessed.
6. Remove any media that could not be removed with the power off and
enter them in the CoCL. Remember CDs can often be removed with a paper
clip in the small hole in the front of the drive.
7. Wipe the image drive: This is done to show that all data copied to
it came from the source drive. The DOD has guidelines at
http://www.dss.mil/isec/chapter8.htm . There is an
unlicensed/acquisition mode of EnCase that can be used for Windows,
though it may not be free (it doesn't appear to be). If you use Linux
you can use the following command:-
dd if=/dev/random of=/dev/<image drive>
8. Imaging the drive.
However you do this, start by making a cryptographic hash of the source
drive and writing it to a safe location.
FAT16/32:- You require an altered boot disk in DOS to prevent
alteration of the source media. There are boot disks available for
download at http://www.guidancesoftware.com/support/downloads.shtm
under the drivers section.
NTFS:- You require a hardware write blocker for Windows/EnCase because
Windows will try to write system information to the drive when it
detects it. Fastbloc is a well known and acceptable write blocker.
Using Linux you can issue the following command after booting and
identifying the devices since Linux will not even try to determine the
file system of attached devices - no write blocker is required.
dd if=/dev/<suspect drive> of=/dev/<some dir>/<imagename>
In all cases this is the point at which you make your second
cryptographic hash. Be careful to write them to a safe location.
Compare the hashes to ensure they match. In Linux the command is:-
md5sum /dev/<some dir>/<imagename>
9. Secure the evidence: Anti static bags, proper labeling and a secure
location are all imperative here. Note everything in the CoCL.
TRAP: Sometimes imaging a drive could provide opposing counsel more
information than your counsel would wish - make sure he understands
what you will give him and let him decide - sometimes only the relevant
files may be needed.
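The hash-then-image-then-hash workflow of steps 7 to 9, together with the chain of evidence record from the process section, as an added Python example. This is not code from the notes or from the book: ordinary files in a temporary directory stand in for /dev/<suspect drive> and the wiped image drive so that it runs offline, the block size, the log line format and the sample drive contents are my own constructions, and the tamper option exists only to show the re-verification failing.

```python
"""Imaging with before/after hashes and a chain-of-custody log (added example)."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # assumed block size, the equivalent of dd's bs= (my choice)


def hash_file(path, block=BLOCK):
    """Return (md5, sha1) hex digests, read block by block so a large image
    never has to fit in memory. Two algorithms cross-validate each other."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fp:
        while chunk := fp.read(block):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def wipe(path, size, block=BLOCK):
    """Step 7: overwrite the destination with zeros, so anything found on it
    afterwards can only have come from the source."""
    with open(path, "wb") as fp:
        for start in range(0, size, block):
            fp.write(b"\0" * min(block, size - start))
        fp.flush()
        os.fsync(fp.fileno())


def image(src_path, dst_path, block=BLOCK):
    """Step 8: copy the source block by block (what dd if=... of=... does).
    Returns the number of bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "r+b") as dst:
        while chunk := src.read(block):
            dst.write(chunk)
            copied += len(chunk)
        dst.truncate(copied)
        dst.flush()
        os.fsync(dst.fileno())
    return copied


def log_entry(log, who, action, detail):
    """Append one chain-of-custody line: who, when (UTC), what, and the result."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    log.append(f"{stamp}\t{who}\t{action}\t{detail}")


def acquire(src_path, dst_path, examiner, log):
    """Hash the source, wipe the destination, image, hash the image, compare.
    Returns (md5, sha1, verified); the log gets one line per action."""
    src_md5, src_sha1 = hash_file(src_path)
    log_entry(log, examiner, "hash-source", f"md5={src_md5} sha1={src_sha1}")
    wipe(dst_path, os.path.getsize(src_path))
    log_entry(log, examiner, "wipe-destination", dst_path)
    copied = image(src_path, dst_path)
    log_entry(log, examiner, "image", f"{copied} bytes -> {dst_path}")
    img_md5, img_sha1 = hash_file(dst_path)
    verified = (img_md5, img_sha1) == (src_md5, src_sha1)
    log_entry(log, examiner, "verify", "MATCH" if verified else "MISMATCH")
    return src_md5, src_sha1, verified


def verify(image_path, md5, sha1):
    """Re-check an image against the hashes recorded at acquisition time."""
    return hash_file(image_path) == (md5, sha1)


def demo(tamper=False):
    """Acquire a constructed 'drive' (a few KB of sample bytes, not evidence).
    With tamper=True one byte of the image is altered afterwards, which the
    re-verification must catch. Returns (verified, log)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect.raw")  # stands in for /dev/<suspect drive>
    dst = os.path.join(workdir, "suspect.dd")   # stands in for the image on the wiped drive
    with open(src, "wb") as fp:
        fp.write(b"MZ" + bytes(range(256)) * 40 + b"SECRET.DOC\0")
    log = []
    md5, sha1, ok = acquire(src, dst, "examiner-1", log)
    if tamper:
        with open(dst, "r+b") as fp:
            fp.seek(100)
            fp.write(b"X")
        ok = verify(dst, md5, sha1)
        log_entry(log, "examiner-1", "re-verify", "MATCH" if ok else "MISMATCH")
    shutil.rmtree(workdir)
    return ok, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running the script prints the four log lines of a clean acquisition. The hashes are taken from the source before the image is made and from the image afterwards, and both digests are written to the log rather than kept next to the image, which is the "safe location" the notes ask for.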
Remote investigation and collection:-
The privacy policy of the organization is critical here - make sure
that the user(s) have had access to a well written AUP otherwise the
court may uphold an invasion of privacy defense.
Remote investigation involves the actual investigation such as keyword
searches and file hashing across the network and would usually precede
the remote collection of evidence.
It is absolutely acceptable to retrieve an image before investigation
but it is more time consuming and you may find no evidence after the
image has been retrieved.
EnCase Enterprise and ProDiscover are tools that can be used for remote
investigation and acquisition in a court acceptable fashion.
Frankly, since the only acceptable tools for this seem to be high cost
commercial tools and there are so many pitfalls this type of operation
should be left to professionals.
Notes on USB devices:-
Check HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR to find out what kinds
of device have been connected to the system.
Some USB thumb drives have a secure area and will not automatically
show you all the data. Check with the manufacturer to find out if the
device is a secure device and the security mechanism.
Windows System Analysis:
File systems:-
MSDOS              FAT12   max size 8 MB
Win 3.1/95         FAT16   max size 4 GB
Win 98             FAT32   max size 32 GB
NT 3.5/4.0/2K/XP   NTFS    max size 256 TB
Floppy disks use FAT12 under normal circumstances.
Win95 introduced VFAT which allowed files to be named outside the old
8.3 format.
FAT:-
The Master Boot Record, (MBR), points to the partitions, each of which
has a partition table that tells the OS the file system. If the
partition table is deleted the partition remains intact.
The FAT table describes the clusters and whether they are free or
occupied. If occupied it describes which other clusters they are linked
to. It contains no file information such as file name, size or the
created/modified/accessed (MAC) times.
Directory entries are stored in the same way as file entries but are
noted as a special case. Directories are linked from a parent directory
so the structure is not defined in the FAT but it becomes apparent as
you traverse the links.
The root directory is defined when the drive is formatted, (the file
system creation), and space is set aside for it. By accessing the root
directory you can access files and directories linked to it.
Directories hold the first cluster of the files or directories linked to
them, and these can be recovered by following the subsequent links.
Directories are written just like files and are similarly recoverable.
This is useful since you can recover a directory entry and see what
files and directories were in it along with their MAC times.
The FAT always has a backup FAT, so if the original is damaged the
system can be investigated from the backup.
NTFS:
NTFS uses a Master File Table, (MFT), to store information about the
partition such as filename, attributes and MAC times to name just a few.
Information about available clusters is held in a special inode called
$BITMAP where there is an entry for every cluster on the disk and its
value indicates whether it is free or busy.
There is a backup of the MFT that can be used if the original is
damaged. In the case of a drive that has been quick formatted the
backup MFT should still be in place.
Recovering deleted files:
In FAT partitions the first character of the filename is changed to E5h
or "_". Simply replacing this with any valid character will make the
file available again.
In NTFS the IN-USE flag is changed to indicate the deletion.
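The FAT directory entry layout and the E5h deletion marker described above, as an added Python example that is not from the notes or the book. It parses 32-byte 8.3 entries from a directory cluster, reports the first cluster, size and MAC stamps of each entry (deleted ones included), and rewrites the marker the way the notes describe. The directory cluster is constructed with struct, not read from a real disk; the names, clusters and dates in it are my own sample values. One caveat the code states in a comment: putting a character back only restores the entry, and the data follows only if the cluster chain has not been reused.

```python
"""FAT 8.3 directory entries: list, flag deleted, undelete (added example)."""
import struct
from datetime import datetime

ENTRY = 32            # size of one 8.3 directory entry
DELETED = 0xE5        # first byte of a deleted entry (the notes' E5h)
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F       # VFAT long-name entries share the directory; skipped here
# name, ext, attr, NT flags, create tenths, ctime, cdate, adate,
# first cluster high (FAT32 only), wtime, wdate, first cluster low, size
FORMAT = "<8s3sBBBHHHHHHHI"


def fat_datetime(date, time):
    """Decode FAT packed date (years since 1980) and time (2 s resolution)."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, sec)


def parse_entry(raw):
    """Decode one entry; None for long-name entries. A deleted entry has lost
    its first character, shown here as '?'."""
    if raw[11] == ATTR_LFN:
        return None
    (name, ext, attr, _nt, _tenth, ctime, cdate, adate, hi,
     wtime, wdate, lo, size) = struct.unpack(FORMAT, raw)
    deleted = raw[0] == DELETED
    base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
    ext = ext.decode("ascii", "replace").rstrip()
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY), "size": size,
            "first_cluster": (hi << 16) | lo,
            "created": fat_datetime(cdate, ctime),
            "modified": fat_datetime(wdate, wtime),
            "accessed": fat_datetime(adate, 0).date()}


def parse_directory(cluster):
    """List every entry up to the end-of-directory marker (first byte 0x00),
    deleted ones included, with the byte offset of each entry."""
    entries = []
    for off in range(0, len(cluster) - ENTRY + 1, ENTRY):
        raw = cluster[off:off + ENTRY]
        if raw[0] == 0x00:
            break
        entry = parse_entry(raw)
        if entry:
            entry["offset"] = off
            entries.append(entry)
    return entries


def undelete(cluster, offset, first_char=b"_"):
    """Put a valid character back over the E5h marker. The file's data comes
    back only if its cluster chain has not been reused since the deletion,
    which this function cannot know; check first_cluster against the FAT."""
    cluster = bytearray(cluster)
    if cluster[offset] != DELETED:
        raise ValueError(f"entry at {offset} is not marked deleted")
    cluster[offset] = first_char[0]
    return bytes(cluster)


def make_entry(name, ext, attr, first_cluster, size, when, deleted=False):
    """Pack a constructed entry with all MAC stamps set to `when` (sample data)."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    raw = struct.pack(FORMAT, name.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, 0, 0, time, date, date, first_cluster >> 16,
                      time, date, first_cluster & 0xFFFF, size)
    return bytes([DELETED]) + raw[1:] if deleted else raw


# Constructed directory cluster: a subdirectory, a live file and a deleted file.
STAMP = datetime(2006, 3, 4, 9, 30, 0)
SAMPLE_DIR = b"".join([
    make_entry("DOCS", "", ATTR_DIRECTORY, 5, 0, STAMP),
    make_entry("REPORT", "DOC", 0x20, 7, 24576, STAMP),
    make_entry("SECRET", "XLS", 0x20, 9, 4096, STAMP, deleted=True),
]) + b"\0" * ENTRY


if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        flag = "DELETED " if e["deleted"] else ""
        print(f"{flag}{e['name']:12} cluster={e['first_cluster']} "
              f"size={e['size']} modified={e['modified']}")
```

The deleted entry keeps its extension, size, first cluster and all three MAC stamps, which is exactly why a recovered directory entry is worth having even when the file data itself is gone.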
Windows Artifacts:
These are key points in an investigation and often point to evidence
you require to complete the investigation.
Recycle Bin: when emptied the data usually ends up in unallocated
space. The recoverable data may include the filename or where it was
stored on the disk. Information about files placed in the recycle bin
is held in INFO records which remain after the deletion, (> Win95).
These records include full path, filename and time of deletion. EnCase
and SMART can recover them for you but a disk level hex editor set to
search for:
05 00 00 00 00 00 00 00 00 00 00 00 20 03
will find the header of each remaining INFO file - one for each
deletion.
The Pagefile: The data held here is unstructured and difficult to
extract. With practice you can discover the keywords that will help you
find email, chat sessions, web pages etc.
Print Spools: documents that were printed from removable media can
often be found in the print spool. Depending on the version of Windows
the location will vary but a good start will be:
%system%\system32\spool\printers
Win9X: You will find .SPL files and a matching .SHD file. The .SPL file
is an image of the print job - usually in .EMF format - and can be viewed
in any application that supports it. The .SHD file includes the printer
used, the filename and the path to the temporary file containing the image.
Win2K: Search for files at the disk level with the following headers:-
\x01\x00\x00\x00\x18\x17\x00 or
\x01\x00\x00\x00\xC4\x36\x00
WinXP: Search for headers:-
\x01\x00\x00\x00\x5C\x01\x00
NOTE: On NTFS filesystems there may be no evidence because NTFS can
generate temporary files on the fly that are never committed to disk.
.LNK files: Every time a document is opened in Win95 and later a .LNK
file is created. It contains the filename, path, (including network
paths), MAC times and the MAC times for the .LNK file itself. They can
be found in unallocated space by searching for:-
4C 00 00 00
This may turn up many false positives, so searches for the specific
filename in either ASCII or Unicode are more efficient.
For more information on .LNK file formats see:-
http://www.i2s-lab/papers/the_windo...file_format.pdf
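The disk-level signature searches from the Recycle Bin, print spool and .LNK sections above, as one added Python example that is not from the notes or the book. It scans a raw image chunk by chunk for every header the notes list, keeps an overlap so a header split across two chunks is still found, and decodes the INFO record that follows an INFO2 header (original path, drive, size and deletion time). Two things are my additions: the "unallocated space" buffer is constructed, not carved from a real disk, and for .LNK files the scan requires the ShellLink CLSID that follows the 4C 00 00 00 header in every real link file, which removes most of the false positives the notes warn about.

```python
"""Header signature scan over raw disk data, with INFO2 decoding (added example)."""
import io
import re
import struct
from datetime import datetime, timedelta

# Signatures exactly as listed in the notes, plus (my addition) the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} that follows 4C 00 00 00.
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
SIGNATURES = {
    "INFO2 header": bytes.fromhex("0500000000000000000000002003"),
    "spool Win2K (a)": bytes.fromhex("01000000181700"),
    "spool Win2K (b)": bytes.fromhex("01000000C43600"),
    "spool WinXP": bytes.fromhex("010000005C0100"),
    "LNK header": bytes.fromhex("4C000000") + LNK_CLSID,
}
LABEL_OF = {sig: label for label, sig in SIGNATURES.items()}
PATTERN = re.compile(b"|".join(re.escape(s) for s in SIGNATURES.values()))
INFO2_HEADER = 20     # bytes before the first INFO2 record
INFO2_RECORD = 800    # 0x320, the record size carried in the header
EPOCH_1601 = datetime(1601, 1, 1)


def scan(buf, base=0):
    """Return [(absolute offset, label)] for every signature hit in buf."""
    return [(base + m.start(), LABEL_OF[m.group()]) for m in PATTERN.finditer(buf)]


def scan_stream(fp, chunk=1 << 20):
    """Scan a raw image chunk by chunk, carrying an overlap of (longest
    signature - 1) bytes so a header straddling a chunk boundary is still
    seen, without reporting any header twice."""
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    hits, base, tail = [], 0, b""
    while data := fp.read(chunk):
        buf = tail + data
        for off, label in scan(buf, base - len(tail)):
            if off + len(SIGNATURES[label]) > base:   # not fully inside the old window
                hits.append((off, label))
        base += len(data)
        tail = buf[-overlap:]
    return hits


def scan_chunked(data, chunk=1 << 20):
    """Run in-memory bytes through the chunked scanner."""
    return scan_stream(io.BytesIO(data), chunk)


def filetime(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_info2_record(buf, offset):
    """Decode the 800-byte INFO2 record at offset: ASCII original path (260),
    record index (4), drive number (4), deletion FILETIME (8), size (4),
    then the same path in UTF-16LE (520)."""
    rec = buf[offset:offset + INFO2_RECORD]
    ascii_path = rec[:260].split(b"\0", 1)[0].decode("latin-1")
    index, drive, ticks, size = struct.unpack_from("<IIQI", rec, 260)
    unicode_path = rec[280:].decode("utf-16-le", "replace").split("\0", 1)[0]
    return {"index": index, "drive": chr(ord("A") + drive), "size": size,
            "deleted": filetime(ticks), "path": unicode_path or ascii_path}


def make_info2(path, drive, when, size):
    """Build a constructed INFO2 file (header plus one record) for the demo."""
    header = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD, INFO2_HEADER + INFO2_RECORD)
    delta = when - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    rec = path.encode("latin-1").ljust(260, b"\0")
    rec += struct.pack("<IIQI", 1, drive, ticks, size)
    rec += path.encode("utf-16-le").ljust(520, b"\0")
    return header + rec


# Constructed 'unallocated space': an XP spool header, an INFO2 file, a real
# .LNK header, and a bare 4C 00 00 00 that must not be reported.
SAMPLE = (b"\0" * 37 + SIGNATURES["spool WinXP"] + b"\x01" * 10 + b"\xff" * 20
          + make_info2(r"C:\Documents and Settings\jdoe\Desktop\memo.doc", 2,
                       datetime(2006, 3, 4, 9, 30, 0), 4096)
          + b"\0" * 9 + SIGNATURES["LNK header"] + b"\0" * 15
          + bytes.fromhex("4C000000") + b"junk")


if __name__ == "__main__":
    for off, label in scan_chunked(SAMPLE, chunk=64):
        print(f"{off:#010x}  {label}")
        if label == "INFO2 header":
            print("   ", parse_info2_record(SAMPLE, off + INFO2_HEADER))
```

On a real image the same scan_stream call is given the opened raw image instead of a BytesIO, and the chunk size is only a memory trade-off: the overlap logic makes the result identical whatever chunk size is used. The seven-byte spool signatures are short enough that they will still hit random data now and then, so every reported offset should be followed by a look at the bytes around it.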
Determining the version of Windows:
Since there are many version specific objects in Windows it is
important to know the version you are dealing with. This is done by
locating the registry.
Win98: windows\system.dat
WinNT: winnt\system32\config\system
WinXP: windows\system32\config\system
Determining when the system was last shut down:
On Win2K\XP checking the last time the hive key $$$PROTO.HIV was
written tells you the last shutdown time of the computer.
Determining when the user first logged on:
Check the creation date of the users directory.
Win9X: \windows\profiles
Win2K\XP: \documents and settings\<user login>
Office Document Metadata:
Much information can be gleaned from here including participants in its
creation and editing. If you can recover the entire document you can
load it into the appropriate Office application to view the properties.
If only fragments are available you can load them into the OLE\COM
Object Viewer located at:-
http://www.microsoft.com.asp
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.