TISC Insight, Volume 2, Issue 7

Welcome to Volume 2, Issue 7 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

The editorial calendar at this time includes:

• Bill Hancock (Todayís column)
• Eric Schultze/George Kurtz
• Bob Moskowitz
• Chris Klaus
• Diana Kelley/Ian Poynter
• Mike Rothman
• Jeff Cole

For previous Insights issues, click here.

TISC is about sharing clue. So is the newsletter. We promise to provide some- thing useful each issue. If we don't, flame me.

On to today's feature column. Dr. Bill Hancock discusses some of the tools he uses to perform forensics in cyberspace.Ý Dr. Billís had more experience assisting companies and governments in assessing hacking incidents than anyone I know. Iím sure youíll find some tools you may never have considered useful in evaluating a security incident.

Enjoy, and be safe,

Dave

1 fo...ren...sic
Pronunciation: f&-'ren(t)-sik, -'ren-zik
Function: adjective
Etymology: Latin forensis public, forensic, from forum forum
Date: 1659
1 : belonging to, used in, or suitable to courts of judicature or to public discussion and debate
2 : ARGUMENTATIVE, RHETORICAL
3 : relating to or dealing with the application of scientific knowledge to legal problems (forensic medicine) (forensic science) (forensic pathologist) (forensic experts)
- fo...ren...si...cal...ly /-si-k(&-)lE, -zi-/ adverb

From: http://www.m-w.com/cgi-bin/dictionary (Merriam-Webster Dictionary)

The term ìforensicsî is often used to explain a great many things in the security field these days. The problem with the word forensics, like many other words, is that it is grossly misused. The more common usage of the word forensics now revolves of around the investigation of the contents of systems, network components and other technical items that may have been compromised by a hacker or cracker.

Rather than try to correct the proper use of the term forensics, I will yield to the more common use these days. For the purposes of this column today, the term forensics will basically be used to describe the extraction of pertinent information from technical devices by using tools and techniques for the purposes of prosecuting a perpetrator who has broken into the device or system. In todayís column, I will provide some information on basic, inexpensive tools that are very useful in providing basic forensic data from potential systems or entities that have gotten whacked in some fashion.

Depending upon the asset that has been attacked, the tools and techniques necessary to extract information from the asset very dramatically. On an operating system, for instance, the most common forensic tools are centered around extraction of data from files, correlation of time stamps on files with log activities on the system, correlation of external events and to system logs and files, and possibly network logs that are kept on external resources. On network devices, such as routers, there is no local disk drive to store information. Therefore, information directly on the router itself or possibly stored in a log on a remote system contain the bulk of information about the router's activities. Database products keep logs and other access information in yet other and more difficult to access locations, but do not store information the same way an operating system or network device would. There are obviously many more areas of cyber investigating when a cybercrime is suspected or known, but the idea is that forensic investigation tools vary somewhat significantly depending upon what is being searched for a potential breach.

The basic goal of forensics in cyberspace is to identify what happened, potentially identify who do it, collect information that is technically accurate that describes a situation that was found, collate and correlate information from various sources into a picture of "what happened," maintained a chain of evidence, provide a scientific and analytical base of what happened to be able to stop it from happening again and provide proper evidence for law enforcement to prosecute the perpetrator if necessary.

Before any evidence is collected it is important to understand what the government requires as part of the evidentiary chain and what is prosecutable and what is not. The best review of the federal rules of evidence is that the web site: http://www.law.cornell.edu/rules/fre/overview.html. Also of import are the federal rules for searching and seizing computers (http://www.cybercrime.gov/searching.html). What becomes very obvious, very quickly, are the restrictions imposed by the regulations on what a law enforcer can and cannot ìlookî at within the boundaries of warrants or subpoenas issued for a search. No such restrictions are imposed upon the ìownerî of the entity and this gives the forensics investigator a great deal of latitude over how far ranging a search for information may encompass. In my experience in investigating attacks, I find that I am often able to find much more information than any initially issued warrant or subpoena information production requirement. Most of the law enforcers I have dealt with know this as well and usually recommend that the victim do some preliminary analysis on ìownedî systems and entities before any warrants are issued for evidence purposes, if it is appropriate, so that additional information that could be gleaned from the analysis can be used in the investigation. Anymore, I usually do a pretty thorough job of looking through everything before I get law enforcement involved so that I can give them a clear picture of what I think happened and what information is there that is useful in a prosecution and, ultimately, a criminal trial. This method of forensic data gathering prior to warrant issuance has worked very well for me for many years.

The most immediate questions in cyber forensics is ìwhat got whacked, when and, if possible, who did it?

Data collection is always first to start working towards the answers. The best situation is where there is network monitoring software watching for intrusions to figure out which system got hit and, hopefully, some information as to what source entity did it. Common places in most network environments where to start looking for information on potential breaches include firewall logs, router activity logs, network ingress and egress logs on systems on the network, and, in some cases, LAN switch logging if it is available.

In networks where it has been thought out in advance there may be intrusion detection systems that are operational and available on the network. On most intrusion detection systems, there are logging facilities available that can provide a great deal of information about different things that came and went on the network. In some cases, the intrusion detection system can even forward this information to a database where it can be analyzed by using SQL queries. Some intrusion detection systems even have the ability to send SNMP trap data to network monitoring and management stations when intrusion attempt occur on the network. Therefore it is important to understand all the potential locations where trap data and other types of collected event data may be available throughout the network.

Most of these components exist in products that may be deployed throughout the network. The depressing part about this is that many times they are disabled or turned off. It is very difficult to provide forensics data when there is no data being collected.

Real-time protocol forensics are achieved by using devices or software such as protocol analyzers. Most people the right talk to are under the mistaken belief that protocol analyzes are expensive. I tend to prefer high quality software-based protocol analyzers that I can load my laptop and take with me everywhere I go (e.g. EtherPeek from A.G. Group ñ less than $1K). It has been my experience over the last seven years or so, that what little information a software based analyzer might lose (which usually is none) is not necessary in the larger scheme of apprehending a hacker or cracker. In most situations, a hacker or cracker will be active for a continuous period of time and losing one or two packets here and there has no significance on the overall forensic efforts.

Remember that analysis of a security situation is not the same as network analysis for performance or for other problems such as a protocol failure. In network analysis, the capture of all packets in a session might be required to understand any handshaking problems or other issues involving the understanding of how each and every packet operates between two entities. In security analysis of network traffic, most of the time understanding the relationship between two entities and the basic information such as addressing comprises the bulk of what is required to understand a dyadic relationship between an attacker and a victim node.

Other highly useful and inexpensive tools (less than $1K) include an SNMP data collection system (e.g. SNMP-PC), which is totally inappropriate for larger network management and totally appropriate for watching specific security connections between different systems on the network

SNMP and RMON data, which are available from dedicated probes, hubs, specialize network hardware and traditional devices such as routers, can be used to record, capture and release security events back to a central collection point. Through the use of SNMP trap data generated by various entities throughout the network, forwarded to a security centric data collection station and then analyzed by a trained security analyst, a great deal of information may be learned about the comings and goings of the network.

The next very useful component is a proactive effort on the system that got whacked called ìblueprintingî the OS. "Blueprinting" an operating system involves the use of special software that applies cryptographic checksums against all files and directories structures of an operating system on a disk structure. The location of the files and the cryptographic value for a particular file is then stored away on an external database for later use.

Periodically (e.g. as part of a nightly archive run), the blueprinting tool would check the existing running system's checksum values against those stored away in the external database. If the values match, there is no problem with the existing running operating system. If, however, the values seen after the run of the nightly maintenance operations are different than those stored away in the database, then it is known that the operating system has been whacked in some manner. With proper blueprinting, it is possible to note to a very high degree of granularity which component of an operating system may have been attacked. At Exodus Communications, we could not find a tool that met all requirements of a proper blueprinting tool, so we've created one called ftimes. The purpose of the ftimes application is to provide a pro-active way to blueprint an operating system when it is clean to be able to compare it to one when it is not acting correctly.

While not the most scientifically creative solution, keeping track of when files were created, modified and deleted is often very useful even if you do not have all the special tools that are normally required for a cyber forensic analysis. This can be done with a variety of techniques including a simple batch file or PERL script or by professional utilities and packages available on the market.

One of the more tedious aspects of forensics on computer systems, especially in these days were high-density storage is available at very low prices, is wading through the sheer mass of files that are located on most systems, looking for both specific files or entities which contain information which can be used to help prosecute an attacker. To do this, the ability to index the contents of the files and then search of contents of files for specific keywords or specific patterns is essential.

A couple of years ago, what was then Digital Equipment Corp. (now absorbed into Compaq) had a small but interesting group of engineers and California and Boston working on Internet search engine technology. Out of this came the AltaVista search engine, one of the first Internet searching engines. Some time later, the engineers developed a smaller version of the search engine that could be run on a personal computer and called it AltaVista Personal Search. The engine, which was downloadable for free, allowed the user to install it on a Windows system and then it index the entire contents of a hard drive including the contents of the files. Using the web browser on the system, the user could search the files for contents, specific Boolean combinations of information and expanded keyword search. Since then, the product has evolved into something called AltaVista Discovery, which is a free download and available in a roundabout way from http://www.slaughterhouse.com/pick_040199.html.

What is powerful and useful in file analysis forensics about the AltaVista Discovery product is its ability to use of the search engine locally and on network attached disk drives. By setting up the search engineís indexing parameters and letting it run long enough to get the index built (which can take some time with 100GB drives and a lot of files, naturally enough), it is easy enough to use the search engine from your browser and provide it Boolean queries and keyword searches. I also add on the FileView product to my system as it understands over 200 file formats without requiring the associated application(s). This means that if I get an interesting hit from the Discovery search engine, I can usually read the file without having to install all the applications that may have been used to create the files. This is especially useful when analyzing disks that have been taken out of a target system and placed on my analysis machines where most of the target diskís applications are not installed. I can also save the files I open onto other disks for later analysis if desired.

At CompSec in London last year, I was asked what tools I carry around for quick forensics when I am on the road or working with an incident. Since I have carried a ìrealî laptop continuously since 1981, I have some experience (my first one was a Grid Compass with bubble memory and a Tandy 100 as well). On reflection, I noticed that I am asked this question a lot so itís probably not a bad idea to share the list (which is extensive):

1. Base Hardware System: Sony VAIO PCXG9 with office docking station, 18GB drive, 128Mb RAM, CD-ROM/CD-R/CD-RW (allows burning CDís from the laptop), DVD, extra battery, external floppy disk, 10/100mbps Ethernet PCCARD with UTP and internal RJ45 connectors (no dongles), built in 56kbps MODEM, Iomega 250MGB USB ZIP drive, Adaptec SCSI card (get at least a 2630 so that it will work with NT), microphone/headset combination, TUMI computer carrying case (five years old, beat to death and still looks new), international electrical plug adapter (found at Gatwick airport ñ all self contained, about five pounds Sterling), Europe and Asia phone adapters (found in Frankfurt airport at the electronics kiosk near customs exit in terminal 2 for about DM30), longer RJ11 cord to reach across hotel rooms, alligator clips for connecting to unwilling phone systems, Victorinox pocket knife with dual-blades and mini-scissors, Multi-tool that contains pliers and 27 other tools in a very small folding configuration so that I can open walljacks, etc., small 3-connector 3-prong electrical extension cord, serial port ìYî connector for in-line serial connection scanning and analysis capabilities, necessary cables and gender changers, etc.
2. Base Software for the Laptop System:
   • OS: Windows-98SE with patches and Windows-2000 Professional (dual-booted)
   • Microsoft Office 2000 Premium (all products) for reports and business tools. I live in Word and PowerPoint it seems. sigh.
   • Microsoft Visual Designer, Visual C++ and Visual Basic. Sometimes, you have to write some code on the fly to get the results you are after when examining information in the pursuit of the cybercriminal. Visual Basic is especially useful when combining the efforts of Excel functionality for spreadsheet data analysis. I have a subscription on MSDN so that I get all the system tools every year as well as the latest versions. Since I get the distribution on DVD, I only need to carry around 3-4 DVDís for everything (used to be almost 50 CDís).
   • Microsoft Internet Explorer V5.x
   • Microsoft Plus! disk compression with DriveSpace and other niceties
   • Netscape Communicator (useful for most sites)
   • Eudora Pro V4.x (THE e-mail program; allows multiple profiles which is important for me ñ I have at least six e-mail drops for different ISPs I use when traveling the Web looking for hacker items; I never use my corporate account for such activities). It also comes with PGP V6.0.2 (essential for customer communications and on-laptop file encryption/decryption), Versign, McAfee e-mail virus detection, graphics management, etc.
   • ClarisWorks Office (for file translations, Mac compatibility, and graphics creation/management facilities for web pages and HTML). Also has a nice TELNET and regular VT200 terminal emulation capability for serial or networked connections (IP, LAT and others)
   • WinZip, Stuffit and ZipIt for compression, decompression, etc.
   • Hijaak and DataViz utilities for file conversions for almost any format, any OS source
   • Adobe Photoshop for image manipulation and Adobe Acrobat reader for PDF files found on Internet and other documention
   • Norton Utilities, First Aid and Nuts & Bolts for system management and maintenance as well as file repair of customer files and undeleting needed files from target systems
   • NetScanTools by Northwest Performance Software. Extremely useful when doing penetration analysis of a network or ISP. Has a lot of very useful poking and prodding components to find network paths to systems and applications.
   • EtherPeek for Windows by AG Group. This is a protocol analyzer for LANs that has a very nice graphical interface and lots of very useful packet analysis features. It also has the ability to save and import analysis files from Sniffers, etc. for combination analysis of network traffic. I have been using this package for years and while I use almost all the others from time to time, I get more done in less time with this one than any other on the market. Itís pretty easy also to set up recognition filters for different types of traffic profiles like denial of service attacks, password packets, etc. It also has a lot of cool plug-ins for security scanning and monitoring.
   • NetTools by AG Group. A freeware suite that is somewhat similar to NetScanTools, but a better Trace facility and DNS lookup facility. Between the two, you can find out almost anything about a networkís set-up.
   • SNMP-PC by Castle Rock. Extremely useful SMNP management tool that really helps network analysis and WAN router penetration analysis.
   • PC-MacLAN, adds AppleTalk capabilities to Windows-98. W98 comes with IPX, IP and NetBEUI. Sometimes network analysis is required on Mac networks or where NT and other OSís are set-up with AppleTalk. This makes things a lot easier. Also, it has a feature where if the remote server has a GUEST account, a small radio box appears in the bottom with this allowing a very fast analysis of set-up of security (GUEST accounts are always bad juju when considering security penetration attempts).
   • Serial Analysis data acquisition tools from National Instruments and SerialPort Analyzer Corp to analyze serial connections such as MODEM connections, ISDN, T1, etc., and provide stream analysis. They also make a very nice oscilloscope card and add-ons for remote computer-based analysis.
   • Various file cracking programs written over the years to bypass security methods and provide basic decryption of simple algorithms
   • Visio 2000 Professional/Technical ñ for network map drawings and diagrams
   • NetDraw from Network World ñ great little collection of network vendor hardware graphics and iconic representations for reports and presentations
   • ViaVoice by IBM. An extremely valuable continuous speech recognition tool that has dramatically cut down the amount of time it takes to generate reports and answer e-mail (I get between 150 and 400 messages a day, so anything to help answer is beneficial). It is a true continuous speech tool and as long as enunciation is clear, you can speak quite rapidly with this tool and get very, very good voice recognition.
   • Easy Translator, this is a very good little tool for translating English, French, German and Spanish text and HTML back/forth between the various languages. Since I do a lot of international work and donít always have the time to translate something quickly, Easy Translator simplifies the task. I am quite proficient in several languages, but when the computer can do the bulk of the translation for me, my time-to-complete a task in a non-English language improves.
   • Custom programs. Over the years I have written C, C++ and Access DBMS programs to help keep track of forensics items, chronological timeframe analysis, cell phone record autocorrelation and call cluster analysis and many others that are too weird to describe, but extraordinarily useful when needed.

Other tools that I carry around in my briefcase and find useful:

• Olympus D-400Z 1.3 megapixel digital, very small, zoom vewfinder camera. In the security and network analysis business, a picture is still worth a thousand words of explanation when writing reports and when providing group presentations. Use of the camera allows me to take pictures of ugly physical security situations (like hinges with the pins on the outside of a secured room and guard desks 10 feet from open vaults with no guards) and poor network closet/cabinet set-ups that are later downloaded to the PC and placed on CD-ROM. I find that previously when I would complain about bad security items and practices that could be photo-documented (and I didnít at the time), I got lip service or complaints back for lack of documentation or understanding by the customer. Since I started using photography some years ago for documentation, I rarely get challenged on such things. It also helps to insert a picture or two of well-done security or network situations so that there is a ìhere is badî and ìhere is goodî set of pictures for comparison. It also has an extremely good effect if the bad and good are in different locations in the same company ñ basically it means someone knows how to do it right and the rest is wrong, for which there is no excuse. For physical attacks or peripheral social engineering, camera information is great for documenting social engineering opportunities such as help-desk infiltration, potential ìdumpster divingî opportunities and ugly security situations such as critical security document in plain view and non-shredded information seen external to the company perimeter. It is important that the camera be small enough to carry in a pocket and hidden easily while in a building, that it have an integral flash and a zoom lens capability. The D-400Z is additionally useful in that shots can be programmed to have the date/time on the image
• Palm Pilot Vx ñ a very handy personal information manager (PIM) tool. It has a docking station for the serial port on the laptop, address book, to do list, etc. It also has e-mail capabilities and many other features. I find it very useful for taking notes using the Graffiti language on it and then transferring the notes to the laptop for later reference. I also carry a lot of checklists for security and network analysis work so that I donít forget things or leave out steps in analysis. An additional package of business tools also provides advanced calculator capabilities, spreadsheet viewing facilities and other useful utilities to collect data while moving around at a customer facility. I have a REX as well (it IS a PCCARD and plugs right into the card cage on the laptop) for secure items I want to keep very close. I used to carry around a Newton but I killed it when I dropped my briefcase once and replaced it with the Palm Pilot Pro.
• Directional compass ñ As strange as this sounds, sometimes finding North from West in an office building basement or in a control system blockhouse is not trivial. Having a compass helps. In my case, I have a Casio wristwatch, which has a compass, chronometer, pressure analysis and other goodies which has come in handy more than once in figuring out where I am at a site. I have an acquaintance who has a PCCARD implementation of a GPS locator. Itís a little extreme for my purposes, but, hey, whatever works for you.
• Latex gloves in plastic, sealable bags. Occasionally, I get involved with serious criminal problems where fingerprints are important, hence the need for a pair of Latex gloves from time to time. Also, sometimes there are floppies and other items that have been covered in strange fluids that will need to be cleaned for analysis ñ thatís when the bags come in handy as well. Keeping the gloves in bags accomplishes the need to keep the gloves clean and handy as well as having the bags nearby in case of need.
• CDís I have burned with specific documentation on them in a small CD carrying case (I carry 8 different ones right now). Since I have a lot of customer reports and other documentation items useful for report writing and much too large to keep on the laptop all the time, I have burned them on CDís and carry the CDís with me when on the road. In this manner I can keep some of the more esoteric security and network tools with me at all times as well as other documents I use from time to time but do not need on the hard drive at all times. I also carry my Windows-98SE CD-ROM distribution kit with me in case the system decides to freak out on me when I am on the road. Between the W98SE CD and the other CDís, I can completely restore my system when on the road ñ even from a total disk meltdown. Since I am on the road continually and, in many cases, in far away lands, I have to be able to be self-sufficient computationally.
• Small cache of screwdrivers, pens, permanent markers, blank floppies, penlight, etc., for close-up work and for marking/identification of items. Some of this is simply common sense, but for those looking for a checklist itís best to be complete.

Thatís the bulk of it. I have some specific security tools and facilities that I have gotten off of Internet and also items I have written over the years, but the above comprises the major components used for traveling security and network consulting efforts. All-in-all, itís about $10K in parts and pieces, but it is money well spent to get the results needed.

There are a lot of forensics-specific tools from companies like NTI and Exodus (we write items for ourselves to solve forensics issues we cannot find tools to assist us in solving problems). Those are for discussion at another time. For now, commonly available tools for network management, system searching and other easily accessible products, used in a slightly different way, can be very useful in forensics analysis ìon the fly.î