CS 447/557 Computer Forensics


CSCD 496
Computer Forensics
Lecture 19
Network Forensics
Winter 2010
Network Forensics Overview
• Introduction to Network Forensics
• Techniques for Network Forensics
• Sources of Data
– Location of potential data
• Challenges of Network Forensics
• Host Log Files
– Example
Your Thoughts
• Do you think Networks and outlying
computers/servers can be an important
source of digital evidence?
• What are some sources of digital evidence
from network sources?
Introduction
• Yes. Networks do contain digital evidence that
can establish
– Crime committed or
– Provide evidence useful to an investigation
• Evidence on a network is not as well-defined as on a single host
• Network data is more dynamic and volatile
– Difficult to take a snapshot of a network at a
given instant in time
Introduction
• Often can’t shut down a network to obtain
evidence
– Need to stay up and running for business
purposes
• Suspect may leave evidence in many
places
– Think about the yellow tape of crime scene
– Much harder to isolate a crime scene when it
includes a network!!
Investigative Authorization
• Before conducting an on-line investigation, law
enforcement and investigators need to
obtain permission
• Difficulty of obtaining authorization to search
e-mail, network communications, and other
data depends on
– Situation, type of data and country
– Monitoring network traffic is considered
highly invasive of privacy
– Search of recent or un-read e-mail is
considered more invasive than old e-mail
Investigative Authorization
• If data exist in two or more places in US
– Need to obtain additional warrants for
each location
• Using passwords obtained during an
investigation to access remote sources of
digital evidence
– Requires additional authorization
Authorization Problems
• Examples
– In 2002, legal action was brought against an
investigator for gaining remote access to suspect
computer and collecting evidence over Internet
– In 2000, FBI lured two Russian computer intruders to
the United States for a fictitious job interview and
used Winwhatwhere to capture passwords to
suspects' systems in Russia.
• Investigators used passwords to collect
incriminating evidence remotely from suspects'
computers
• Russian government initiated criminal proceedings
against one FBI agent for unauthorized access to
computers in Russia
Network Data Request
• When drawing up an affidavit for a warrant, it is
important to mention all desired evidence
• Especially if network records are wanted
– Otherwise may miss important evidence
– Also recommended to include explicit
examples of records to be seized
• And form of seizure, digital and paper
Network Data Request
• Example of request – John Doe
All records associated with the Subscriber and Account,
including:
• Screen names and/or account names, phone numbers,
addresses, credit card numbers used to establish the
account,
• Connection records, to include logon dates and times,
• IP addresses assigned for each session, origination
information for each call, phone number used for access to
the system,
• Newsgroups logs, e-mail logs ... credit and billing information
for any and all accounts held in the name of John Doe
• and the addresses 192.168.12.14 and 192.168.12.16 and
[email protected]
• for the period of (date and time conform to the period of
suspect criminal activity)
Network Data Request
• Comments
– Prior request is an example of the dispersed nature of
network forensics data
– Did not specify e-mail contents, just e-mail logs
• Harder to obtain warrants for e-mail contents
– Some organizations, eBay is one
• Do not need court order to provide name and
address
• User agreement permits disclosure to law
enforcement
Documentation, Collection and
Preservation of Data
• Advice for Network Forensics data
collection
– Follow standard operating procedure
• Same principles as for single host!!
– Retain log of actions taken during collection
process
• Print screens of important actions
– Document which server contains evidence
• May be multiple servers involved
– Calculate MD5/SHA1 values for all evidence
prior to transfer and after transfer
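One way to carry out the last step of the procedure above (hash every item before transfer, re-hash after, and keep the result as part of the collection log), as an added example that is not part of the lecture; the examiner id, host name and sample files are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests, streaming so large images need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def build_manifest(paths, collector, source_host):
    """Pre-transfer baseline: who hashed which file, on which server, and when."""
    entries = []
    for p in paths:
        md5, sha1 = hash_file(p)
        entries.append({"file": os.path.basename(p), "md5": md5, "sha1": sha1})
    return {"collector": collector, "source_host": source_host,
            "collected_utc": datetime.now(timezone.utc).isoformat(), "entries": entries}

def verify_manifest(manifest, received_dir):
    """Post-transfer check: re-hash each received file against the baseline."""
    results = []
    for e in manifest["entries"]:
        path = os.path.join(received_dir, e["file"])
        if not os.path.exists(path):
            status = "MISSING"
        else:
            status = "OK" if hash_file(path) == (e["md5"], e["sha1"]) else "MISMATCH"
        results.append((e["file"], status))
    return results

def demo():
    """Constructed sample: two evidence files copied off a host, one altered in transit."""
    src = tempfile.mkdtemp()
    samples = {"syslog.0": b"Mar  1 05:26:01 host CRON[12]: session opened\n" * 50,
               "wtmp": bytes(range(256)) * 8}
    for name, data in samples.items():
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(data)
    manifest = build_manifest([os.path.join(src, n) for n in samples], "examiner-01", "srv-1")
    dst = shutil.copytree(src, src + "_received")  # the "transfer"
    with open(os.path.join(dst, "wtmp"), "r+b") as fh:  # simulate one byte corrupted in transit
        fh.seek(10)
        fh.write(b"\x00")
    return verify_manifest(manifest, dst)
```

Keep the manifest with the collection log: a later MISMATCH or MISSING result is what tells you the copy in hand is not the evidence that was collected.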
Documentation, Collection and
Preservation of Data
• Example Procedure:
– Several cases, investigators gained remote
access to host that computer intruder was
using to launch attacks
– They e-mailed themselves evidence they had
gathered
• Why shouldn’t they have done that?
Documentation, Collection and
Preservation of Data
• Problem with e-mail of data to themselves
– Complicates chain of custody
– More difficult to confirm integrity of evidence
• E-mail can be forged
– What if the e-mail were not delivered?
– E-mail is stored on intermediary servers
– Sometimes many servers traversed
Investigative Reconstruction
• Fundamentals of Investigative
Reconstruction
– Don’t change when networks are involved
– Just gets harder!!!!
– Criminal can be several places on a network at
any given time
• Example: Network Intruder
– Sharing information with accomplices on IRC
– Same time, breaking into multiple computers
elsewhere
Investigative Reconstruction
• Suspect can use Internet to conceal actual
location
• How can they do this?
Difficulties with Network Identity
• How to Hide on the Internet
– Anonymous network
• Uses encryption and moves data between computers
• http://freenetproject.org/
– Proxies
• http://www.all-nettools.com/toolbox/privacy.htm
• http://www.inetprivacy.com/
• http://anon.inf.tu-dresden.de/index_en.html
– Encryption - e-mail
• http://www.hushmail.com
• http://www.zixcorp.com/
Importance of Log Files
• Log files contain messages about system, including
kernel, services, and applications running on it
• Log files can be very useful when looking for
unauthorized login attempts to the system
• Linux/Unix Example
– Some log files are controlled by daemon syslogd
– List of log messages maintained by syslogd
– Found in the /etc/syslog.conf configuration file
Location of Log Files
• Most log files are located in the /var/log directory
• Some applications such as httpd and samba have a
directory within /var/log for their log files
• Notice multiple files in log file directory with same name
but numbers after them
• Created when the log files are rotated
– Log files rotated so their file sizes don’t become too large
– Cron task that automatically rotates log files according to
the /etc/logrotate.conf configuration file and the
configuration files in the /etc/logrotate.d directory
– By default, it is configured to rotate every week and keep
four weeks worth of previous log files
Example of Logs Kept
-rw-r----- 1 syslog adm 859075 2010-03-01 05:26 messages.0
-rw-r----- 1 syslog adm 158966 2010-02-22 06:20 messages.1.gz
-rw-r----- 1 syslog adm 135613 2010-02-15 10:49 messages.2.gz
-rw-r----- 1 syslog adm 142595 2010-02-08 07:11 messages.3.gz
-rw-r----- 1 syslog adm 212676 2009-10-07 05:44 messages.4.gz
-rw-r----- 1 syslog adm 139323 2009-04-24 11:25 messages.5.gz
...
-rw-r----- 1 syslog adm  89361 2010-03-01 11:32 syslog
-rw-r----- 1 syslog adm 159357 2010-03-01 05:26 syslog.0
-rw-r----- 1 syslog adm  14253 2010-02-28 08:32 syslog.1.gz
-rw-r----- 1 syslog adm  15926 2010-02-27 09:52 syslog.2.gz
-rw-r----- 1 syslog adm  28826 2010-02-26 09:11 syslog.3.gz
-rw-r----- 1 syslog adm  73396 2010-02-25 10:12 syslog.4.gz
-rw-r----- 1 syslog adm  46112 2010-02-24 06:42 syslog.5.gz
-rw-r----- 1 syslog adm  97564 2010-02-23 09:48 syslog.6.gz
What to Check
• /var/log/messages and /var/log/syslog:
– Messages and syslog files contain all system-level and system process logging
– Include services such as NIS, sendmail, and rpc
– /var/log/messages also contains failed login and su
attempts to other accounts on your system
• /var/log/sulog:
– The su log is a log of all successful attempts by
somebody using the su function to log in as a
different user
What to Check
• /var/log/wtmp or utmp:
– wtmp/utmp are parsed with the command last
– /var/adm/wtmp shows you when, where, and how
long a user was logged onto your system
• /var/adm/acct or pacct:
– The process accounting logs (started by the acct
command) are logs you parse with the command
spar
– These logs show you the commands users ran and
how long the processes ran for.
What to Check
• What do you look for in the logs
• Unusual activity
– Date-time anomalies – people who should not be
logged in on that date or at that time (1:00 am on
Sat.)
– A lot of activity from users who normally don’t
generate that much activity
– Unusual tasks – messing with network connections or
security features of system
– Failed su commands – normal user trying to become
root
• Missing Logs – log files are deleted or empty
• Tampered Logs – harder to detect, there are tools that
allow others to mess up your log files so you are less
alarmed to their presence
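An added example (not from the lecture) that puts the two preceding slides together: it walks a rotated log set in the order logrotate produces it (messages.N.gz oldest, then messages.0, then the live file, as in the listing above) and flags the first two anomalies from the list, failed su attempts and logins at odd hours. The log lines, directory and year are constructed; syslog lines carry no year, so the caller supplies one.

```python
import glob
import gzip
import os
import re
import tempfile
from datetime import datetime

# BSD syslog prefix: "Mar  1 01:12:03 host prog[pid]: message" (the line carries no year)
SYSLOG_RE = re.compile(r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

def rotated_files(log_dir, base):
    """Oldest first: base.N.gz with the largest N, ..., base.1.gz, base.0, then the live file."""
    def order(path):
        suffix = os.path.basename(path)[len(base):].strip(".").replace(".gz", "")
        return -int(suffix) if suffix.isdigit() else 1
    return sorted(glob.glob(os.path.join(log_dir, base + "*")), key=order)

def flag_events(log_dir, base, year):
    """Walk every rotation oldest-first (plain or gzip) and flag the anomalies listed
    above: failed su attempts, and logins before 06:00 or at the weekend."""
    findings = []
    for path in rotated_files(log_dir, base):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            for line in fh:
                m = SYSLOG_RE.match(line.rstrip("\n"))
                if not m:
                    continue
                ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
                if m["prog"] == "su" and m["msg"].startswith("FAILED SU"):
                    findings.append(("failed su", os.path.basename(path), line.strip()))
                elif m["msg"].startswith("Accepted") and (ts.hour < 6 or ts.weekday() >= 5):
                    findings.append(("off-hours login", os.path.basename(path), line.strip()))
    return findings

def demo():
    """Constructed rotation: messages.1.gz (older) and messages (live); year 2010 assumed."""
    log_dir = tempfile.mkdtemp()
    older = ("Feb 26 09:30:00 host sshd[1190]: Accepted password for alice from 10.0.0.5 port 5100 ssh2\n"
             "Feb 27 03:02:11 host sshd[1180]: Accepted password for bob from 192.0.2.7 port 40211 ssh2\n")
    live = ("Mar  1 01:12:03 host su[1921]: FAILED SU (to root) bob on /dev/pts/2\n"
            "Mar  1 09:15:44 host sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2\n")
    with gzip.open(os.path.join(log_dir, "messages.1.gz"), "wt") as fh:
        fh.write(older)
    with open(os.path.join(log_dir, "messages"), "w") as fh:
        fh.write(live)
    return flag_events(log_dir, "messages", 2010)
```

The missing-logs and tampered-logs cases cannot be found this way; a rotation gap (a missing messages.N) or a hash mismatch against a remote copy of the log is the signal for those.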
Investigative Reconstruction
• Might need to analyze all available log files
– Logs from routers,
– Firewalls,
– Intrusion Detection Systems, or other sources
• Might reveal a pattern of compromise
– Example: Intrusion Captured in Log Files
• FTP Server was compromised
• Computer intrusion first detected by Tripwire
• What does Tripwire do?
– It calculates and stores hashes of system files
and notes when a file changes
Example Investigative Reconstruction
• Example continued
– Tripwire was first alert
– Several system components were replaced
through a rootkit (/bin/login, /usr/bin/du,
/usr/bin/top, /usr/bin/find, /usr/bin/killall)
– Following entry in /var/log/secure showed a
connection to the FTP server:
Apr 24 22:50:34 ftpserver in.ftpd[2103]: connect from 62.30.247.138
Investigative Reconstruction
• Example continued
• Another entry in /var/log/wtmp
ftp ftp pc-62-3-247-138-do.blueyonder.co.uk [62.30.247.138] Tue Apr 24 22:50-22:50 (00:00)
• Unauthorized connection partially supported by an
entry in /var/log/messages
– Only difference is the time stamp
Apr 25 02:50:40 ftpserver in.ftpd[2103]: ANONYMOUS FTP LOGIN FROM pc-62.30.247.138-do.blueyonder.co.uk [62.30.247.138], [email protected]
Investigative Reconstruction
• Example continued
Investigators checked intrusion detection system
logs for a corresponding entry but didn’t find one.
They did find an entry for a different time and source:
[**] FTP-site-exec [**]
04/25-02:48:44 04/25-02:49:37 63 62.122.10.221 -> 192.168.2.6 S:4158 D:21
Why might host logs differ from network logs?
Investigative Reconstruction
Next, searched NetFlow logs (Cisco router logs) for
all connections to and from the compromised
computer
Found the original connection from blueyonder.co.uk
at 22:50:34 was part of a broader scan of FTP
servers which was not logged by the intrusion
detection system
NetFlow logs also showed the actual intrusion occurred
at 02:47:12 from 62-122-10-221.flat.galactica.it
and that the intruder downloaded a patch from
RPMfind and fixed the vulnerability.
Investigative Reconstruction
IDS logs and NetFlow logs provided more
reliable evidence than the tampered logs of
the compromised host
So, instead of the intrusion coming from the
United Kingdom, the intrusion actually
originated in Italy!
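The cross-log correlation from this case as an added example (not from the lecture): it parses the /var/log/secure and /var/log/messages entries quoted above and the IDS alert in the format the slide shows, uses the shared in.ftpd pid to measure the clock offset between the two host files, and produces one corrected timeline in which the Italian source precedes the UK login. The year is assumed because none of the lines carries one; the messages line is truncated after the client address.

```python
import re
from datetime import datetime, timedelta

YEAR = 2001  # these syslog and IDS lines carry no year; value assumed for the sample
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+?\[(\d+)\]: (.*)$")
IDS_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\] (\S+) \S+ \d+ (\S+) -> \S+ S:\d+ D:\d+$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_syslog(source, line):
    """Host log line -> event; the pid lets one event be matched across host files."""
    stamp, pid, msg = SYSLOG_RE.match(line).groups()
    ip = IP_RE.search(msg)
    return {"source": source, "ts": datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
            "pid": pid, "ip": ip[0] if ip else None, "msg": msg}

def parse_ids(source, line):
    """IDS alert line in the format shown on the slide -> event keyed by source IP."""
    sig, start, src_ip = IDS_RE.match(line).groups()
    return {"source": source, "ts": datetime.strptime(f"{YEAR} {start}", "%Y %m/%d-%H:%M:%S"),
            "pid": None, "ip": src_ip, "msg": sig}

def clock_offset(events, a, b):
    """The same pid logged at different times in files a and b means one clock or
    time zone is off; return the whole-hour shift that aligns a onto b."""
    ta = {e["pid"]: e["ts"] for e in events if e["source"] == a and e["pid"]}
    tb = {e["pid"]: e["ts"] for e in events if e["source"] == b and e["pid"]}
    deltas = [(tb[p] - ta[p]).total_seconds() for p in ta if p in tb]
    return timedelta(hours=round(sum(deltas) / len(deltas) / 3600)) if deltas else timedelta(0)

def timeline(events, offsets):
    """Apply each source's offset and sort: one clock-corrected sequence of events."""
    return sorted((e["ts"] + offsets.get(e["source"], timedelta(0)), e["source"], e["ip"], e["msg"])
                  for e in events)

def demo():
    """Entries from the lecture's FTP-server case; returns (offset found, corrected timeline)."""
    events = [
        parse_syslog("secure", "Apr 24 22:50:34 ftpserver in.ftpd[2103]: connect from 62.30.247.138"),
        parse_syslog("messages", "Apr 25 02:50:40 ftpserver in.ftpd[2103]: ANONYMOUS FTP LOGIN FROM "
                                 "pc-62.30.247.138-do.blueyonder.co.uk [62.30.247.138]"),
        parse_ids("ids", "[**] FTP-site-exec [**] 04/25-02:48:44 04/25-02:49:37 63 "
                         "62.122.10.221 -> 192.168.2.6 S:4158 D:21"),
    ]
    offsets = {"secure": clock_offset(events, "secure", "messages")}  # secure is 4 h behind messages
    return offsets["secure"], timeline(events, offsets)
```

Once the four-hour shift is applied, the blueyonder.co.uk login sits two minutes after the FTP-site-exec alert from 62.122.10.221, which matches the NetFlow finding that the intrusion came from Italy.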
Behavioral Analysis
• When looking at digital evidence on a
network
– Keep in mind looking at effects of human
activities
• Trying to figure out associated behavior and
intent
– Log files can be great sources of behavioral
evidence
• Record a lot of activities
• Can often determine what a person did and was
trying to achieve
Behavioral Analysis
• Log file analysis can often reveal patterns
– Can indicate whether it was the same intruder
• Example
– On-line sexual predator
– Have extensive communication with victims
• Trying to gain their trust
• A lot of evidence will have accumulated
Behavioral Analysis
• Activities can reveal intruder knowledge and skill
level
– Focused attack
• Only attack certain machines – ones with
sensitive database of financial data
• Reveals intruder knew network and which
machines to target
– Time patterns
• Track how long intruder took to commit the
compromise
– Might even suggest insider vs. outsider
involvement
Conclusion
• More challenging to piece together evidence trail
when it covers multiple machines in distant
locations
• Need to pay attention to authorization in
collecting network data or could be liable for
violating intruder’s rights
• Need to know how networks function, and where
evidence occurs in a networked environment
• Also need to understand network tools that can
assist with collection and preservation of
distributed evidence
Resources
Digital Evidence and Computer Crime
by Eoghan Casey
Elsevier Academic Press, 2004
End
• Next time
– Lab
– Guest speaker on Wed., Dale Lindekugel,
Criminal Justice