Whodunit? - PowerPoint PPT Presentation

About This Presentation
Title:

Whodunit?

Description:

Whodunit? Beginning the cyber investigation – PowerPoint PPT presentation

Slides: 67
Provided by: CM281

Transcript and Presenter's Notes

Title: Whodunit?


1
Whodunit?
  • Beginning the cyber investigation

2
Addresses
  • MAC address
  • Belongs to the network interface card (NIC)
  • Identifies a physical device: the card itself
  • This is how a packet is delivered on the local
    network
  • Network (IP) address
  • Logical address
  • Associated with a MAC address (the ARP table holds
    the mapping)
  • Identifies a LOGICAL device

3
MAC address
  • 48 bits, written as six pairs of hexadecimal digits
    (six octets)
  • 00-3E-42-A6-51-0E
  • First three octets (00-3E-42) identify the
    manufacturer
  • Burned in by the manufacturer
  • In reality it can be changed in many cases (driver
    setting or spoofing tool), so treat it as a lead,
    not as proof of identity
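
Added example (not part of the original slides): decoding a MAC address the way an investigator reads one, and applying the same checks to an `arp -a` listing, since the ARP table is the first place a changed MAC shows up. The two flag bits in the first octet are standard IEEE 802 semantics; the `arp -a` text is a constructed sample in the Windows layout, not output captured from a real host.

```python
import re
from collections import defaultdict


def parse_mac(mac):
    """Accept 00-3E-42-A6-51-0E, 00:3e:42:a6:51:0e or 003E42A6510E; return the six raw octets."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_info(mac):
    """Split a MAC into its fields and decode the two flag bits of the first octet."""
    octets = parse_mac(mac)
    first = octets[0]
    return {
        "canonical": "-".join(f"{b:02X}" for b in octets),
        "oui": "-".join(f"{b:02X}" for b in octets[:3]),           # manufacturer prefix
        "nic_specific": "-".join(f"{b:02X}" for b in octets[3:]),  # per-card part
        "multicast": bool(first & 0x01),             # I/G bit: group address, not one card
        "locally_administered": bool(first & 0x02),  # U/L bit: set when the address was overridden
        "broadcast": octets == b"\xff" * 6,
    }


# One data line of Windows `arp -a`: <IP> <MAC with dashes> <dynamic|static>
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(dynamic|static)\s*$"
)


def review_arp_table(arp_output):
    """Parse `arp -a` text and return (ip, mac, reason) tuples for entries worth a second look."""
    ips_per_mac = defaultdict(list)
    findings = []
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface headers and column titles
        ip, mac, _kind = m.groups()
        info = mac_info(mac)
        if info["broadcast"] or info["multicast"]:
            continue  # expected group entries, not hosts
        ips_per_mac[info["canonical"]].append(ip)
        if info["locally_administered"]:
            findings.append((ip, info["canonical"],
                             "locally administered MAC: not the burned-in address"))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append((", ".join(ips), mac,
                             "one MAC answers for several IPs: router, NAT box or ARP spoofing"))
    return findings


# Constructed sample in the layout of `arp -a` on Windows XP (not captured from a real host).
SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-3e-42-a6-51-0e     dynamic
  192.168.0.20          02-aa-bb-cc-dd-ee     dynamic
  192.168.0.30          00-3e-42-a6-51-0e     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    print(mac_info("00-3E-42-A6-51-0E"))
    for finding in review_arp_table(SAMPLE_ARP):
        print(finding)
```

A set U/L bit does not prove tampering (virtual adapters and some VPN drivers use locally administered addresses), and one MAC behind several IPs is normal for the default gateway; both are reasons to go look, which is what a first pass should produce.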

4
IP address
  • Dotted decimal or dotted quad
  • 32 bits (4 octets)
  • Each octet has a value from 0 through 255
  • 192.168.0.1
  • Each IP address has a
  • Prefix
  • Identifies a network
  • Suffix
  • Identifies a host (device) on that network

5
IP addresses
  • Public IP prefixes must be unique on a global basis
  • Private prefixes (for example 192.168.x.x) are reused
    behind many cable modems and NAT boxes, so a private
    address alone does not identify a site
  • The suffixes must be unique within that network

6
IP delivery
  • The IP address is used to deliver a message
  • Comparing the destination with the subnet mask
    determines whether it is on the
  • Local network
  • An ARP lookup is performed for the MAC address
    matching the destination IP and the packet goes
    straight to it
  • Remote network
  • Packet is sent to the gateway / router (ARP lookup
    for the router's MAC)
  • Each router decides the next hop toward the
    destination network (determined by the prefix)
  • Arrival at the remote network
  • The last router performs the ARP lookup for the MAC
    address matching the destination IP

7
IP addresses
  • Under classful addressing the first octet places a
    prefix in class A, B or C
  • A uses the last 3 octets to identify a host
  • B uses the last 2 octets
  • C uses the last octet
  • If the host portion is all 0s
  • Means the entire network
  • 192.168.1.0 (means the entire 192.168.1 network)
  • If the host portion is all 1s (255 in the last
    octet of a class C)
  • Broadcast address for that network
  • 192.168.1.255 sends to all on the 192.168.1 net

8
CIDR
  • Classless Inter-Domain Routing

9
Rationale
  • Every class C network needs its own entry in
    backbone routing tables
  • Too many unique entries
  • Hurts router performance and table size
  • So develop a different network identifier
  • Allocate an arbitrary number of bits to identify
    the network
  • Class C uses 24 bits for the network and the
    remaining 8 bits for the host on the network

10
Routing
  • The network mask determines which bits of the IP
    address form the network identifier
  • Routing can then use contiguous blocks of class C
    addresses represented by a single entry in the
    routing table
  • Improves scalability of the routing system

11
Supernet
  • A network of arbitrary size
  • Create a network from a contiguous block of class C
    addresses
  • Criteria
  • Consecutive address ranges
  • 192.168.6.0
  • 192.168.7.0
  • Third octet of the first address range must be
    divisible by 2
  • 192.168.6.0
  • New network has 512 addresses (510 usable hosts:
    the all-0s and all-1s host values are the network
    and broadcast addresses)
  • New netmask is 255.255.254.0 (/23)
  • 9 bits available for the host address

12
Supernet
  • Combination of two or more class C networks
  • Done in powers of 2
  • Third octet of the first network must be divisible
    by the number of networks you're combining
  • 192.168.16.0
  • 192.168.17.0
  • 192.168.18.0 up to 192.168.23.0
  • 8 networks combined
  • Netmask 255.255.248.0
  • 21 bits for the network, 11 bits for the host
    (2048 addresses)
  • 192.168.19.45/21
  • IP address whose first 21 bits identify the network
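
Added example (not part of the original slides): the supernet arithmetic of slides 7, 11 and 12 worked with Python's standard `ipaddress` module. It folds a list of class C networks into one prefix, reports the mask and the network/host bit split, and checks the alignment criterion the slides state (a power-of-two count of consecutive blocks whose first third octet is divisible by that count); a misaligned pair shows why the criterion matters. `address_role` classifies an address inside a prefix, including the case where an old class C broadcast address is just a host under the wider mask. The sample prefixes are the ones on the slides plus one constructed misaligned pair.

```python
import ipaddress


def aggregate(networks):
    """Fold a list of networks (e.g. class C /24s) into one routing entry.

    Returns the smallest prefix that covers all of them, its mask, the bit split,
    and whether that prefix is exactly their union. If the blocks are misaligned,
    the covering prefix also includes addresses you do not own, so it cannot be
    advertised as a single route; collapse_addresses then needs more than one entry.
    """
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    exact = list(ipaddress.collapse_addresses(nets))  # minimal prefixes equal to the union
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # give up one network bit at a time
    return {
        "supernet": str(cover),
        "netmask": str(cover.netmask),
        "network_bits": cover.prefixlen,
        "host_bits": cover.max_prefixlen - cover.prefixlen,
        "addresses": cover.num_addresses,
        "usable_hosts": cover.num_addresses - 2,  # all-0s and all-1s host parts are reserved
        "exact": len(exact) == 1 and exact[0] == cover,
        "routing_entries_before": len(nets),
        "routing_entries_after": len(exact),
    }


def address_role(address, prefixlen):
    """Classify an address within its prefix: the network itself, its broadcast, or a host."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    ip = ipaddress.ip_address(address)
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    print(aggregate(["192.168.6.0/24", "192.168.7.0/24"]))
    print(aggregate([f"192.168.{i}.0/24" for i in range(16, 24)]))
    print(aggregate(["192.168.7.0/24", "192.168.8.0/24"]))  # consecutive but misaligned
    print(address_role("192.168.17.255", 21))  # a plain host under /21, not a broadcast
```

The last call is the practical point for log analysis: once a site uses 192.168.16.0/21, an address such as 192.168.17.255 is an ordinary host, so filtering on "last octet 255 means broadcast" silently drops real traffic.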

13
Ports
  • TCP and UDP
  • Ports identify the process (service) on a host that
    a segment is for
  • Numbered 0 to 65535
  • Well-known ports (0 to 1023)
  • Associated with services
  • 80 HTTP
  • 20,21 FTP
  • 443 HTTPS
  • 110 POP3
  • 23 TELNET
  • 25 SMTP

14
Private Network
15
Cable Modem
16
Private Network thru Cable Modem
17
Tools
  • Connection properties
  • arp
  • ping
  • ipconfig
  • pathping
  • nslookup
  • Enable/Disable/Repair

18
TCP/IP properties
  • Control Panel
  • Network connections
  • Locate the connection (typically Local Area
    Connection)
  • Right click
  • Find the properties tab
  • Client for Microsoft networks
  • File/printer sharing
  • Internet Protocol (TCP/IP)

19
Properties of TCP/IP
  • DHCP
  • Look for my IP address using a DHCP server, which
    assigns it to me
  • Should also retrieve the settings for
  • Gateway (way out of the network)
  • DNS (lookup service from host name to IP)
  • Network (subnet) mask
  • Alternative
  • Specify the IP yourself
  • Make sure it's not already assigned
  • Specify your own netmask, DNS, gateway

20
Properties of TCP/IP
  • If you only need to talk between local devices
  • No need for a gateway in general
  • Unless you're looking up names (URLs), no need for
    DNS
  • The network mask must match the one in use on that
    network segment
  • A mask that is too narrow sends packets for local
    hosts to the router (gateway)
  • The host thinks the address is not local
  • A mask that is too wide makes the host believe a
    foreign address is on its local network
  • It ARPs for it locally and the packet is never
    routed
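
Added example (not part of the original slides): the delivery decision of slide 6 and the two mask-mismatch failure modes of slide 20, as code. `next_hop` is the decision a host makes from its own IP, mask and default gateway; `mask_mismatch_effects` runs that decision under a wrong mask and under the segment's real mask and names the difference. The 192.168.1.0/24 segment, its router at .1 and the peer addresses are constructed for the illustration.

```python
import ipaddress


def next_hop(host_ip, netmask, dst_ip, gateway):
    """What a host does with a packet for dst_ip, given its own IP, mask and default gateway.

    Returns ("direct", dst_ip) when the mask says the destination is on the local
    segment (the host ARPs for the destination's MAC), ("gateway", gateway) when it
    is not (the host ARPs for the router's MAC instead), or ("unreachable", gateway)
    when the configured gateway is itself outside the local subnet.
    """
    local = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dst_ip) in local:
        return ("direct", dst_ip)
    if ipaddress.ip_address(gateway) not in local:
        return ("unreachable", gateway)
    return ("gateway", gateway)


def mask_mismatch_effects(host_ip, configured_mask, segment_mask, peers, gateway):
    """Compare the host's decision under its (possibly wrong) mask with the correct one."""
    effects = {}
    for peer in peers:
        believed = next_hop(host_ip, configured_mask, peer, gateway)
        correct = next_hop(host_ip, segment_mask, peer, gateway)
        if believed == correct:
            effects[peer] = "ok"
        elif believed[0] == "direct":
            effects[peer] = "mask too wide: remote peer is ARPed for on the LAN and never routed"
        elif believed[0] == "unreachable":
            effects[peer] = "mask too narrow: even the gateway looks remote, nothing leaves the host"
        else:
            effects[peer] = "mask too narrow: local peer is handed to the router"
    return effects


if __name__ == "__main__":
    # Constructed scenario: a 192.168.1.0/24 segment with the router at .1
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.200", "192.168.1.1"))
    print(mask_mismatch_effects("192.168.1.10", "255.255.255.128", "255.255.255.0",
                                ["192.168.1.200", "192.168.1.20", "10.0.0.5"], "192.168.1.1"))
    print(mask_mismatch_effects("192.168.1.10", "255.255.0.0", "255.255.255.0",
                                ["192.168.2.50"], "192.168.1.1"))
```

During an investigation the "too narrow" case is the one that leaves traces: traffic between two hosts on the same switch suddenly passes through the router, so it shows up in the router's ARP cache and logs where it normally would not.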

21
Toolbox
  • Applying your knowledge

22
Tools
  • ipconfig / ifconfig
  • ping
  • pathping
  • tracert / traceroute
  • arp
  • netstat
  • nslookup
  • dig
  • whois
  • host

23
So many tools
  • So little time
  • Live response or autopsy (post-mortem)
  • Volatile information first
  • Every tool you run disturbs the system
  • Then durable / non-volatile information

24
Windows Volatile Information
  • Going, Going

25
Volatile
  • Information residing in memory
  • Temporary nature
  • Gone on shutdown
  • Time sensitive
  • Gone before shutdown
  • What do you go for first?
  • Minimize the footprint you leave as you collect
    the data

26
Order of Volatility
  • Most volatile first (the order recommended in
    RFC 3227)
  • Registers and cache
  • Routing table, arp tables, process table, kernel
    statistics, connections
  • Temp file systems
  • Hard disk / non-volatile storage systems
  • Remote / offsite logging and monitoring data
  • Physical configuration and network topology
  • Archival media

27
Types of Volatile Information
  • System time
  • Users on system
  • Processes running
  • Connections
  • Status of the network
  • Clipboard
  • Command history
  • Services and drivers

28
Common Errors
  • No documentation of the baseline system
  • Failing to document your collection process
  • Shutting down or rebooting the machine
  • Closing terminals or shells that are open (their
    history and state are evidence)
  • Relying on the suspect machine's own tools (they
    may have been replaced by the intruder)

29
Methodology
  • Preparation
  • Document the Incident
  • Policy Verification
  • Volatile Data Collection Strategy
  • Volatile Collection Setup
  • Volatile Collection Process

30
Preparation
  • Toolkit
  • Guidelines
  • Policies

31
Documentation
  • Profile
  • How detected
  • Scenario
  • Time of occurrence
  • Who/what reported
  • Hardware and software involved
  • Contacts for involved personnel
  • How critical is the suspicious system
  • Collection Logbook
  • Who is collecting
  • History of tools used and executed commands
  • Generated output and reports
  • Timestamp of executed commands
  • Expected system changes as you execute commands
  • Forensics toolkit logbook
  • Usage, output and effects

32
Policy Verification
  • Examine policies for violations of rights by your
    actions
  • User signed policies
  • Consent
  • Establish your legal boundaries

33
Volatile Data Collection Strategy
  • Types of data to collect
  • Tools to do the job
  • Where is output saved?
  • Administrative vs. user access
  • Media access (USB, floppy, CD)
  • Machine connected to network

34
Volatile Collection Setup
  • Trusted command shell (from your toolkit media, not
    the suspect's own cmd.exe)
  • Establish the transmission and storage method
    (network transfer or removable media, never the
    suspect's own disk)
  • Ensure integrity of forensic toolkit output
  • MD5 hash (record a SHA-256 alongside it; MD5
    collisions are practical today)

35
Volatile Collection Process
  • Collect uptime, time, date, command history
  • Generate time/date to establish audit trail
  • Begin command history to document your collection
  • Collect all volatile information system and
    network information
  • End collection with date/time and command history
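
Added example (not part of the original slides): a small collection harness that does what slides 31, 34 and 35 ask for in one run. It opens the logbook with a timestamp, runs each toolkit command in the order given (most volatile first), stores the raw output on the collection media, records the command line, exit status, size and hashes of every artifact, and closes the logbook with another timestamp; `verify` re-hashes the stored files later. The Windows command list is an assumption in the spirit of the slides (tool binaries copied to trusted media); `demo_collect` runs one harmless command so the harness can be exercised on any machine. MD5 is kept because the slides use it, with SHA-256 recorded beside it.

```python
import datetime
import hashlib
import json
import os
import subprocess
import sys
import tempfile


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def digest(data):
    """MD5 (what the slides use) plus SHA-256, since MD5 collisions are practical today."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def record_artifact(name, data, outdir):
    """Store one tool's raw output and return its logbook entry: when, how big, which hashes."""
    path = os.path.join(outdir, f"{name}.txt")
    with open(path, "wb") as f:
        f.write(data)
    md5, sha256 = digest(data)
    return {"name": name, "file": path, "collected_utc": utc_now(),
            "bytes": len(data), "md5": md5, "sha256": sha256}


def collect(commands, outdir, toolkit_dir=None):
    """Run (label, argv) pairs in order, most volatile first, and write a logbook.

    If toolkit_dir is given, each executable is taken from there (the trusted CD/USB),
    never from the suspect machine's PATH. outdir should be collection media, not the
    suspect's disk. A failing tool is logged and collection continues.
    """
    logbook = [{"event": "start", "utc": utc_now(), "outdir": outdir,
                "collector": os.environ.get("USERNAME") or os.environ.get("USER", "?")}]
    for label, argv in commands:
        exe = os.path.join(toolkit_dir, argv[0]) if toolkit_dir else argv[0]
        started = utc_now()
        try:
            proc = subprocess.run([exe] + argv[1:], capture_output=True, timeout=120)
            output, status = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as err:
            output, status = str(err).encode(), None
        entry = record_artifact(label, output, outdir)
        entry.update({"command": [exe] + argv[1:], "started_utc": started, "exit_status": status})
        logbook.append(entry)
    logbook.append({"event": "end", "utc": utc_now()})
    with open(os.path.join(outdir, "logbook.json"), "w") as f:
        json.dump(logbook, f, indent=2)
    return logbook


def verify(logbook):
    """Re-hash every stored artifact and confirm it still matches the logbook."""
    for entry in logbook:
        if "file" in entry:
            with open(entry["file"], "rb") as f:
                if digest(f.read()) != (entry["md5"], entry["sha256"]):
                    return False
    return True


# Assumed Windows XP/2003 order, most volatile first; tool names taken from the slides,
# to be copied onto the toolkit media together with a trusted cmd.exe.
WINDOWS_COMMANDS = [
    ("date_time", ["cmd.exe", "/c", "date /t & time /t"]),
    ("systeminfo", ["systeminfo.exe"]),
    ("psloggedon", ["psloggedon.exe"]),
    ("pslist", ["pslist.exe", "-t"]),
    ("netstat", ["netstat.exe", "-ano"]),
    ("nbtstat", ["nbtstat.exe", "-S"]),
    ("arp", ["arp.exe", "-a"]),
    ("ipconfig", ["ipconfig.exe", "/all"]),
]


def demo_collect(outdir=None):
    """Portable self-check: one harmless command so the harness runs on any OS."""
    outdir = outdir or tempfile.mkdtemp(prefix="ir-")
    cmds = [("python_version", [sys.executable, "-c", "import platform; print(platform.platform())"])]
    return collect(cmds, outdir)


if __name__ == "__main__":
    lb = demo_collect()
    print(json.dumps(lb, indent=2))
    print("verified:", verify(lb))
```

On the real case the call is `collect(WINDOWS_COMMANDS, r"E:\case01", toolkit_dir=r"E:\tools")` or similar, with both paths on your own media; every file the harness writes, including the logbook, is then hashed again before the media leaves the room.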

36
System Time
37
Systeminfo.exe
  • XP and 2003

38
Uptime
  • Uptime from www.dwam.net/docs/aintx
  • Psinfo from Sysinternals

39
Users
  • Psloggedon (Sysinternals)
  • Netusers.exe (somarsoft)
  • Two switches
  • /l local logged on
  • /h history
  • Net session
  • Users
  • Name / IP of client
  • Client type

40
Processes
  • Identify
  • Executable
  • Command line used
  • How long was it running?
  • Security context
  • Modules or DLLs it's accessing
  • Memory used

41
Pslist
  • Sysinternals

42
Task Manager
43
Pslist -t
44
ListDLLs
  • Sysinternals

45
handle
  • Sysinternals

46
Tasklist
47
PS
  • Aintx

48
Cmdline
  • DiamondCS
  • www.diamondcs.com.au

49
Process Memory
  • Current state of processes
  • Passwords
  • Server addresses
  • Remote connections

50
pmdump
  • www.NTSecurity.nu

51
pmdump
  • Options
  • -list
  • Lists the PIDs
  • Then dump the PID
  • pmdump <PID> <filename>
  • Use another tool then to view the contents
  • (strings from Sysinternals)
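
Added example (not part of the original slides): a strings-style pass over a process dump of the kind pmdump writes, with the two things a first pass on Windows memory needs that a naive ASCII scan misses: UTF-16LE text (every character followed by a 0x00 byte, which is how most Windows APIs hold strings) and a triage filter for what slide 49 says to look for (passwords, server names and addresses, connections). The dump bytes are a constructed stand-in, not a real process image, and the triage patterns are the author's assumptions about what is worth reading first.

```python
import re


def extract_strings(data, min_len=6):
    """Pull printable runs out of a memory dump, like Sysinternals strings.

    Returns (offset, encoding, text) tuples sorted by offset, for both plain
    ASCII runs and UTF-16LE runs (ASCII character, 0x00, repeated).
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_run.finditer(data)]
    return sorted(found)


# What slide 49 says to look for in process memory: credentials, server addresses, connections.
INTERESTING = re.compile(
    r"pass(?:word|wd)?\s*[=:]"                 # Password=..., passwd: ...
    r"|\bpwd\s*[=:]"
    r"|\b\d{1,3}(?:\.\d{1,3}){3}\b"            # dotted-quad IP address
    r"|\b[a-z0-9.-]+\.(?:com|net|org|edu)\b"   # host names
    r"|https?://",
    re.IGNORECASE,
)


def triage(data, min_len=6):
    """Only the strings a first pass should read."""
    return [hit for hit in extract_strings(data, min_len) if INTERESTING.search(hit[2])]


# Constructed stand-in for a pmdump output file (not a real process image).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Password=hunter2\x00"
    + b"\x01\x02\x03"
    + "smtp.example.com".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 5
    + b"USER alice\r\n"
    + b"conn 10.20.30.40:25\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in triage(SAMPLE_DUMP):
        print(f"{offset:08x} {encoding:8} {text}")
```

Keep the offsets: they let you go back to the raw dump with a hex viewer and read what sits around a hit, which is usually where the matching user name or host lives.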

52
Network Info
  • Ipconfig

53
Promiscdetect
  • www.ntsecurity.nu
  • Works on the local host only
  • Cannot check a remote machine

54
Netstat
  • Lists connections

55
Nbtstat
  • NetBIOS over TCP/IP name cache and sessions

56
Fport
  • Foundstone
  • Maps ports to processes using them

Requires Administrator!
57
OpenPorts
  • Ports mapped to process
  • www.DiamondCS.com.au
  • Administrator access not required
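
Added example (not part of the original slides): the port-to-process mapping that fport and OpenPorts produce, built from the two commands an investigator can run from the trusted shell on XP/2003, `netstat -ano` (which prints the owning PID) and `tasklist` (which names the PID). Both samples are constructed in the real output layouts, not captured from a host; the "unexpected listener" rule (a bound socket on a non-loopback address above the well-known range) is the author's starting heuristic, not a rule from the slides.

```python
import re

# One connection line of Windows `netstat -ano`; UDP rows have no State column.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# One process line of `tasklist`; image names may contain spaces.
TASKLIST_LINE = re.compile(r"^(.*?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); also handles '[::]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_tasklist(text):
    images = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1).strip()
    return images


def map_ports(netstat_text, tasklist_text):
    """Join netstat's PID column to tasklist's image names: what fport/OpenPorts show."""
    images = parse_tasklist(tasklist_text)
    rows = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner and column headers
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote": remote, "state": state, "pid": int(pid),
                     "image": images.get(int(pid), "<no such PID in tasklist>")})
    return rows


def ports_by_process(rows):
    """fport-style view: per PID, the image and every (proto, port, state) it owns."""
    out = {}
    for r in rows:
        entry = out.setdefault(r["pid"], {"image": r["image"], "ports": []})
        entry["ports"].append((r["proto"], r["local_port"], r["state"]))
    return out


def unexpected_listeners(rows):
    """Bound sockets on a non-loopback address above the well-known range: start here."""
    hits = []
    for r in rows:
        bound = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if (bound and r["local_port"] is not None and r["local_port"] >= 1024
                and not r["local_host"].startswith("127.")):
            hits.append((r["proto"], r["local_port"], r["pid"], r["image"]))
    return hits


# Constructed samples in the layout of `netstat -ano` and `tasklist` on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1788
  TCP    192.168.0.10:1042      203.0.113.9:6667       ESTABLISHED     1788
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1136
"""

SAMPLE_TASKLIST = """\

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  892 Console                 0      4,512 K
svchost.exe                 1136 Console                 0      3,980 K
svchost.exe                 1788 Console                 0      2,204 K
"""

if __name__ == "__main__":
    rows = map_ports(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid, info in sorted(ports_by_process(rows).items()):
        print(pid, info["image"], info["ports"])
    print("look first at:", unexpected_listeners(rows))
```

The image name alone clears nothing: svchost.exe hosts many services, so a listener on 31337 owned by an svchost.exe is exactly the case where the next step is pslist -t, listdlls and handle on that PID to see which module actually opened the socket.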

58
With netstat option
59
With fport option
60
OpenFiles
61
Protected storage
  • Windows store for sensitive information, e.g.
  • Private keys
  • For using SSL and S/MIME

62
Following the Leads
64
Ohio State University