Transcript Slide 1

Whodunit? Beginning the cyber investigation

Addresses
- MAC address
  - Belongs to the network card (NIC, network interface card)
  - Identifies a physical device: the card!
  - This is how a packet is delivered on a local network
- Network (IP) address
  - Logical address, associated with a MAC address
  - Identifies a LOGICAL device

MAC address
- Six groups of two hexadecimal digits, e.g. 00-3E-42-A6-51-0E
- "Burned in" by the manufacturer
- In reality, it can be changed in many cases

IP address
- "Dotted decimal" or "dotted quad"
- 32 bits (4 octets); each octet has a value from 0 through 255, e.g. 192.168.0.1
- Each IP address has a
  - Prefix: identifies a network
  - Suffix: identifies a host (device) on that network

IP addresses
- IP "prefixes" must be unique on a global basis
- The suffixes must be unique at the local level

IP delivery
- The IP address is used to deliver a message
- A comparison using the subnet mask determines whether the destination is on the:
  - Local network: a lookup is performed for the MAC address matching the destination IP
  - Remote network: the packet is sent to the 'gateway' / router
    - The router decides the next hop to send the packet toward the destination network (determined by the prefix)
    - Arrival at the remote network: a lookup is performed for the MAC address matching the destination IP

IP addresses
- The prefix part identifies a class A, B or C range
  - Class A uses the last 3 octets to identify a host
  - Class B uses the last 2 octets
  - Class C uses the last octet
- If the octet identifying the host is "0", it means the entire network
  - 192.168.1.0 (means the entire 192.168.1 network)
- If the suffix octet is 255 (all binary 1's), it is the broadcast address for that network
  - 192.168.1.255: sending to all on the 192.168.1 net

CIDR: Classless Inter-Domain Routing
- Rationale
  - Class "C" addresses need entries in network routing tables
  - Too many unique entries affects the performance of the router
  - Develop a different "network identifier": allocate a number of bits to identify the network
  - Class C uses 24 bits for the network and the remaining 8 bits for the host on the network
- Routing
  - A network mask is needed to determine the network identifier in the IP address
  - Routing can be done using contiguous blocks of class C addresses represented by a single entry in the routing table
  - Improves the scalability of the routing system

Supernet
- An arbitrarily sized network: create a network from a contiguous block of "C" addresses
- Criteria
  - Consecutive address ranges
  - The third octet of the first address range must be divisible by 2
- Example: 192.168.6.0 and 192.168.7.0 combine into 192.168.6.0
  - The new network can have up to 512 unique hosts
  - The new netmask is 255.255.254.0
  - 9 bits are available for the host address

Supernet
- Combination of more than two class C networks, done in powers of 2
- The third octet must be divisible by the number of networks you're combining
- Example: 192.168.16.0, 192.168.17.0, ……, 192.168.24.0
  - 8 networks combined
  - Netmask 255.255.248.0
  - 21 bits identify the network
  - 192.168.19.45/21: an IP address whose first 21 bits identify the network
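An added worked example (not part of the slides) that serves both Supernet slides: it applies the divisibility criterion, derives the netmask, prefix length and host bits for a contiguous block of class C networks, and reports which /24 blocks the resulting supernet actually covers. The function names are assumptions; only the standard library is used.

```python
import ipaddress


def supernet(first: str, count: int) -> dict:
    """Summarise `count` consecutive /24 (class C) networks starting at `first`
    as one CIDR block. Raises ValueError when the slide's criteria are not met."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    net = ipaddress.IPv4Network(first)
    if net.prefixlen != 24:
        raise ValueError("start from a /24 (class C) network")
    third_octet = int(str(net.network_address).split(".")[2])
    if third_octet % count:
        raise ValueError(f"third octet {third_octet} is not divisible by {count}")
    host_bits = 8 + count.bit_length() - 1      # 8 host bits per /24 plus log2(count)
    prefix = 32 - host_bits                     # bits that identify the network
    agg = ipaddress.IPv4Network((net.network_address, prefix))
    last = ipaddress.IPv4Network((int(net.network_address) + 256 * (count - 1), 24))
    return {
        "cidr": str(agg),
        "netmask": str(agg.netmask),
        "network_bits": prefix,
        "host_bits": host_bits,
        "addresses": agg.num_addresses,        # includes network and broadcast
        "first_class_c": str(net),
        "last_class_c": str(last),
    }


def prefix_of(address_cidr: str) -> str:
    """Network identified by the first n bits of an address written a.b.c.d/n."""
    return str(ipaddress.IPv4Interface(address_cidr).network)


if __name__ == "__main__":
    print(supernet("192.168.6.0/24", 2))       # the two-network case from the slide
    print(supernet("192.168.16.0/24", 8))      # the eight-network case
    print(prefix_of("192.168.19.45/21"))
```

For the eight-network case the result shows the last /24 the /21 covers, which is how to check a hand-listed range against the netmask.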
Ports
- TCP and UDP ports identify 'processes' running
- Numbered 1 to 65535
- "Well known ports" are associated with services:
  Port    Service
  80      HTTP
  20, 21  FTP
  443     HTTPS
  110     POP3
  23      TELNET
  25      SMTP

Private Network
[Diagram: hosts 192.168.0.45, 192.168.0.5 and 192.168.0.20 and a SERVER connected to a SWITCH; a Cable Modem (167.209.88.53) attached over COAX Cable]

Private Network thru Cable Modem
[Diagram: hosts 192.168.0.45, 192.168.0.20 and 192.168.0.5 behind a Router with addresses 192.168.0.1 / 167.209.88.53; the router connects to the Cable Modem over COAX Cable]

Tools
- Connection properties
- arp
- ping
- ipconfig
- pathping
- nslookup
- Enable/Disable/Repair

TCP/IP properties
- Control Panel > Network connections
- Locate the connection (typically Local Area Network)
- Right click and find the 'Properties' tab
  - Client for Microsoft networks
  - File/printer sharing
  - Internet Protocol (TCP/IP)

Properties of TCP/IP
- DHCP: look for my IP address using a DHCP server, which assigns it to me
  - Should also retrieve the settings for
    - Gateway (the way out of the network)
    - DNS (lookup service for URL to IP)
    - Network (subnet) mask
- Alternative: specify the IP yourself
  - Make sure it's not already assigned
  - Specify your own netmask, DNS and gateway

Properties of TCP/IP
- Need to talk between local devices
  - No need for a gateway in general
  - Unless you're looking up URLs, no need for DNS
- The network mask should be consistent with the IP address pattern on that network segment
  - A 'mismatch' will cause the packet to be sent to the router (gateway): the host thinks the address is not local
  - A 'mismatch' may make the host believe that a foreign address is on your local network: the packet will not be routed
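An added example (not from the slides) covering the IP delivery slide and the mask-mismatch slide above: the local/remote decision is the prefix comparison under the subnet mask, and the same comparison run with a wrong mask reproduces the two failure modes. Function names and the sample addresses are constructed for illustration; only the standard library is used.

```python
import ipaddress


def same_network(src: str, mask: str, dst: str) -> bool:
    """True when src and dst share the prefix selected by the subnet mask."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    m = int(ipaddress.IPv4Address(mask))
    return (s & m) == (d & m)


def next_hop(src: str, mask: str, dst: str, gateway: str) -> str:
    """Where the sending host hands the packet: the destination itself
    (local delivery, after looking up its MAC) or the gateway/router."""
    return dst if same_network(src, mask, dst) else gateway


def mismatch_effect(src: str, configured_mask: str, correct_mask: str, dst: str) -> str:
    """Effect of a misconfigured mask for one destination:
      'ok'             both masks reach the same decision
      'sent_to_router' a local address is treated as remote
      'not_routed'     a foreign address is treated as local, so no gateway is used
    """
    really_local = same_network(src, correct_mask, dst)
    host_thinks_local = same_network(src, configured_mask, dst)
    if really_local == host_thinks_local:
        return "ok"
    return "sent_to_router" if really_local else "not_routed"


if __name__ == "__main__":
    host, gw = "192.168.0.45", "192.168.0.1"     # addresses from the diagram slide
    print(next_hop(host, "255.255.255.0", "192.168.0.5", gw))      # local: .5
    print(next_hop(host, "255.255.255.0", "167.209.88.53", gw))    # remote: gateway
    print(mismatch_effect(host, "255.255.255.128", "255.255.255.0", "192.168.0.200"))
    print(mismatch_effect(host, "255.255.0.0", "255.255.255.0", "192.168.5.7"))
```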
Toolbox: Applying your knowledge

Tools
- ipconfig / ifconfig
- ping
- pathping
- tracert / traceroute
- arp
- netstat
- nslookup
- dig
- whois
- host
So many tools… So little time…

Live incident or autopsy
- Volatile information first
- Disturbing the system
- Durable / non-volatile information

Windows Volatile Information: Going, Going……
- Volatile: information residing in memory
  - Temporary nature: gone on shutdown
  - Time sensitive: gone before shutdown
- What do you go for first???
- Minimize the footprint you leave as you collect the data

Order of Volatility
1. Registers and cache
2. Routing table, arp tables, process table, kernel statistics, connections
3. Temp file systems
4. Hard disk / non-volatile storage systems
5. Remote / offsite logging and monitoring data
6. Physical configuration and network topology
7. Archival media

Types of Volatile Information
- System time
- Users on system
- Processes running
- Connections
- Status of the network
- Clipboard
- Command history
- Services and drivers

Common Errors
- No documentation on the baseline system
- Failing to document your collection process
- Shutdown or reboot of the machine
  - Closing down the terminal or shell should also not be done
- Reliance on the suspect machine

Methodology
1. Preparation
2. Document the Incident
3. Policy Verification
4. Volatile Data Collection Strategy
5. Volatile Collection Setup
6. Volatile Collection Process

Preparation
- Toolkit
- Guidelines
- Policies
- Documentation
- Profile

Collection Logbook
- How detected
- Scenario
- Time of occurrence
- Who/what reported
- Hardware and software involved
- Contacts for involved personnel
- How critical is the suspicious system
- Who is collecting
- History of tools used and executed commands
- Generated output and reports
- Timestamp of executed commands
- Expected system changes as you execute commands
- Forensics toolkit logbook: usage, output and effects

Policy Verification
- Examine policies for violations of rights by your actions
- User-signed policies
- Consent
- Establish your legal boundaries

Volatile Data Collection Strategy
- Types of data to collect
- Tools to do the job
- Where is the output saved?
- Administrative vs. user access
- Media access (USB, floppy, CD)
- Is the machine connected to the network?

Volatile Collection Setup
- Trusted command shell
- Establish the transmission and storage method
- Ensure the integrity of forensic toolkit output: MD5 hash

Volatile Collection Process
- Collect uptime, time, date and command history
- Generate time/date to establish an audit trail
- Begin command history to document your collection
- Collect all volatile system and network information
- End the collection with date/time and command history
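An added example (not from the slides) of the Setup and Process steps above as a small collection logbook: every tool run is recorded with its UTC timestamp and command line, its output is saved to a file, and the saved output is MD5-hashed so it can be checked later. The class and function names are assumptions, the tool switches in `demo` are assumptions, and the runner is injectable so the log can be exercised without executing any tool.

```python
import hashlib
import subprocess
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]

def run_tool(argv: List[str]) -> str:
    """Default runner: execute the tool and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

class CollectionLog:
    """Command history for one collection: one entry per tool run."""
    def __init__(self, outdir: Path, run: Runner = run_tool):
        self.outdir = Path(outdir)
        self.outdir.mkdir(parents=True, exist_ok=True)
        self.run = run
        self.entries: List[Dict[str, str]] = []

    def collect(self, step: str, argv: List[str]) -> Dict[str, str]:
        """Run one tool, save its output, log time, command line and MD5."""
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        output = self.run(argv).encode()
        path = self.outdir / f"{len(self.entries):02d}_{step}.txt"
        path.write_bytes(output)
        entry = {"step": step, "time_utc": stamp, "command": " ".join(argv),
                 "output_file": path.name,
                 "md5": hashlib.md5(output).hexdigest()}  # MD5, as the slide says
        self.entries.append(entry)
        return entry

    def verify(self, entry: Dict[str, str]) -> bool:
        """Re-hash the saved output file and compare with the logged MD5."""
        data = (self.outdir / entry["output_file"]).read_bytes()
        return hashlib.md5(data).hexdigest() == entry["md5"]

def demo(run: Runner = run_tool) -> CollectionLog:
    """Slide order: date/time first, volatile data, date/time last. The argv
    values name tools from the slides (switches are assumptions); a stand-in
    runner exercises the logbook offline."""
    log = CollectionLog(Path(tempfile.mkdtemp(prefix="collect_")), run)
    steps = [("start_time", ["date", "/t"]), ("uptime", ["psinfo"]),
             ("users", ["psloggedon"]), ("processes", ["pslist"]),
             ("connections", ["netstat", "-an"]), ("end_time", ["date", "/t"])]
    for step, argv in steps:
        log.collect(step, argv)
    return log
```

In practice the output directory would be removable media or a network share rather than the suspect machine's disk, per the strategy slide.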
System Time
- Systeminfo.exe (XP and 2003)
- Uptime
  - Uptime from www.dwam.net/docs/aintx
  - Psinfo from Sysinternals

Users
- Psloggedon (Sysinternals)
- Netusers.exe (Somarsoft), two switches:
  - /l  local logged on
  - /h  history
- Net session: users, name / IP of client, client type

Processes
- Identify
  - Executable
  - Command line used
  - How long was it running?
  - Security context
  - Modules or DLLs it's accessing
  - Memory used
- Pslist (Sysinternals); Pslist -t
- Task Manager
- ListDLLs (Sysinternals)
- handle (Sysinternals)
- Tasklist
- PS (Aintx)
- Cmdline (DiamondCS, www.diamondcs.com.au)

Process Memory
- Current state of processes: passwords, server addresses, remote connections
- pmdump (www.NTSecurity.nu)
  - The list option lists the PIDs
  - Then… dump the PID: pmdump ### <filename>
  - Use another tool to view the contents ("strings" from Sysinternals)

Network Info
- Ipconfig
- Promiscdetect (www.netsecurity.nu): works on the local host, not remote
- Netstat: lists connections
- Nbtstat: NetBIOS connections
- Fport (Foundstone): maps ports to the processes using them; requires Administrator!
- OpenPorts (www.DiamondCS.com.au): ports mapped to process; Administrator access not required; with netstat option; with fport option
- OpenFiles
- Protected storage: used for storing information such as private keys for using SSL and S/MIME

Following the Leads
Ohio State University