Whodunit? Beginning the cyber investigation

Posted on 22-Dec-2015

Transcript of the slide deck "Whodunit? Beginning the cyber investigation"

Addresses

- MAC address: the network card (NIC, network interface card). Identifies a physical device, the card itself. This is how a packet is delivered on a local network.
- Network (IP) address: a logical address, associated with a MAC address. Identifies a LOGICAL device.

MAC address

- Six pairs of hexadecimal digits (48 bits), for example 00-3E-42-A6-51-0E
- "Burned in" by the manufacturer; in reality, it can be changed in many cases

IP address

- "Dotted decimal" or "dotted quad": 32 bits (4 octets); each octet has a value from 0 through 255, for example 192.168.0.1
- Each IP address has a
  - Prefix: identifies a network
  - Suffix: identifies a host (device) on that network

IP addresses

- IP "prefixes" must be unique on a global basis
- The suffixes must be unique on the local level

IP delivery

- The IP address is used to deliver a message. A comparison using the subnet mask determines whether the destination is on the:
  - Local network: a lookup is performed for the MAC address matching the destination IP
  - Remote network: the packet is sent to the 'gateway' / router
    - The router decides the next hop to send the packet toward the destination network (determined by the prefix)
    - On arrival at the remote network, a lookup is performed for the MAC address matching the destination IP
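The delivery decision above, written out as an added example (this code is not part of the slide deck): the sender compares the destination with its own subnet mask, then either looks up the destination's MAC directly or hands the frame to the gateway. The interface address, mask, gateway and ARP table are constructed sample values; the MAC addresses are made up.

```python
# Added example (not from the slide deck): deciding whether a destination is
# local or remote by comparing it with the sender's subnet mask, then resolving
# the MAC of the next hop from a constructed ARP table.
import ipaddress

# Constructed sample data: this host's interface and what its ARP cache holds.
LOCAL_IP = "192.168.1.10"
LOCAL_MASK = "255.255.255.0"
GATEWAY_IP = "192.168.1.1"
ARP_TABLE = {
    "192.168.1.1": "00-3E-42-A6-51-0E",   # the router (constructed MAC)
    "192.168.1.25": "00-1B-44-11-3A-B7",  # another local host (constructed MAC)
}


def same_network(ip_a, ip_b, mask):
    """True when both addresses share the prefix selected by the mask."""
    net = ipaddress.IPv4Network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.IPv4Address(ip_b) in net


def next_hop(dest_ip, local_ip=LOCAL_IP, mask=LOCAL_MASK,
             gateway=GATEWAY_IP, arp=ARP_TABLE):
    """Return (scope, ip_to_resolve, mac) for a packet addressed to dest_ip.

    scope is 'local' (the frame goes straight to the host) or 'remote'
    (the frame goes to the gateway, which picks the next hop by prefix).
    """
    if same_network(local_ip, dest_ip, mask):
        scope, target = "local", dest_ip
    else:
        scope, target = "remote", gateway
    # ARP lookup: the MAC matching the IP we have to reach on this segment.
    # None means an ARP request would have to be sent first.
    mac = arp.get(target)
    return scope, target, mac


if __name__ == "__main__":
    for dest in ("192.168.1.25", "203.0.113.7", "192.168.1.99"):
        print(dest, "->", next_hop(dest))
```

A destination on the local segment that is missing from the ARP cache comes back with `mac=None`; that is the point at which the sender would broadcast an ARP request, which is also why ARP cache contents are listed among the volatile data later in the deck.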

IP addresses

- The prefix part identifies a class A, B or C range
  - A uses the last 3 octets to identify a host
  - B uses the last 2 octets
  - C uses the last octet
- If the octet identifying the host is "0", it means the entire network: 192.168.1.0 (means the entire 192.168.1 network)
- If the suffix octet is 255 (all binary 1's), it is the broadcast address for that network: 192.168.1.255 sends to all on the 192.168.1 net

CIDR: Classless Inter-Domain Routing

Rationale

- Class "C" addresses need entries in network routing tables
  - Too many unique entries affects the performance of the router
- Develop a different "network identifier": allocate a number of bits to identify the network
  - Class C uses 24 bits for the network and the remaining 8 bits for the host on the network

Routing

- A network mask is needed to determine the network identifier in the IP address
- Routing can be done using contiguous blocks of class C addresses represented by a single entry in the routing table
- Improves the scalability of the routing system

Supernet

- Arbitrarily sized network: create a network from a contiguous block of "C" addresses
- Criteria
  - Consecutive address ranges: 192.168.6.0, 192.168.7.0
  - The third octet of the first address range must be divisible by 2
- 192.168.6.0: the new network can have up to 512 unique hosts
  - New netmask is 255.255.254.0
  - 9 bits available for the host address

Supernet

- Combination of more than two class C networks
  - Done in powers of 2
  - The third octet must be divisible by the number of networks you're combining
  - 192.168.16.0, 192.168.17.0 …… 192.168.24.0
- 8 networks combined: netmask 255.255.248.0
- 21 bits used for the network: 192.168.19.45/21
  - In this IP address, the first 21 bits identify the network
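The two supernet slides, carried through in code as an added example (not code from the deck): the function checks both criteria, a power-of-two count and a third octet divisible by that count, then derives the prefix length, netmask and address counts. It also shows which aggregate a host address such as 192.168.19.45/21 falls in. Eight blocks starting at 192.168.16.0 aggregate to 192.168.16.0/21, which spans the third octets 16 through 23. The block reports the slide's 512 figure as the total address count and separately the 510 usable hosts that remain after the network and broadcast addresses.

```python
# Added example (not from the slide deck): forming a supernet from a run of
# consecutive class C (/24) blocks using the criteria on the slides.
import ipaddress
import math


def supernet(first_network: str, count: int) -> ipaddress.IPv4Network:
    """Aggregate `count` consecutive /24 blocks starting at first_network."""
    first = ipaddress.IPv4Network(first_network)
    if first.prefixlen != 24:
        raise ValueError("start from a /24 (class C sized) block")
    # Criterion 1: the number of blocks combined must be a power of two.
    if count < 1 or count & (count - 1):
        raise ValueError(f"{count} is not a power of two")
    # Criterion 2: the third octet of the first block must be divisible by
    # count; otherwise the run is not aligned and cannot be a single prefix.
    third_octet = int(str(first.network_address).split(".")[2])
    if third_octet % count:
        raise ValueError(f"third octet {third_octet} is not divisible by {count}")
    borrowed = int(math.log2(count))  # bits moved from network part to host part
    return ipaddress.IPv4Network(f"{first.network_address}/{24 - borrowed}")


def describe(net: ipaddress.IPv4Network) -> dict:
    """Netmask, host bits and address counts for an aggregate."""
    return {
        "cidr": str(net),
        "netmask": str(net.netmask),
        "host_bits": 32 - net.prefixlen,
        "addresses": net.num_addresses,          # the slide's "unique hosts"
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
    }


def network_of(host_cidr: str) -> str:
    """The aggregate a host address such as 192.168.19.45/21 belongs to."""
    return str(ipaddress.IPv4Interface(host_cidr).network)


if __name__ == "__main__":
    print(describe(supernet("192.168.6.0/24", 2)))
    print(describe(supernet("192.168.16.0/24", 8)))
    print(network_of("192.168.19.45/21"))
```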

Ports

- TCP and UDP ports identify the 'processes' running; numbered 1 to 65535
- "Well known ports" are associated with services:
  - 80 HTTP
  - 20, 21 FTP
  - 443 HTTPS
  - 110 POP3
  - 23 TELNET
  - 25 SMTP

[Diagram: Private Network. Hosts 192.168.0.5, 192.168.0.20 and 192.168.0.45 connected to a switch.]

[Diagram: Cable Modem. A server at 167.209.88.53 connected to a switch, then the cable modem, then the COAX cable.]

[Diagram: Private Network thru Cable Modem. Hosts 192.168.0.5, 192.168.0.20 and 192.168.0.45 connected to a router with addresses 192.168.0.1 / 167.209.88.53, then the cable modem and the COAX cable.]

Tools

- Connection properties
- arp
- ping
- ipconfig
- pathping
- nslookup
- Enable / Disable / Repair

TCP/IP properties

- Control Panel, then Network connections
- Locate the connection (typically Local Area Network)
- Right click
- Find the 'properties' tab
  - Client for Microsoft networks
  - File/printer sharing
  - Internet Protocol (TCP/IP)

Properties of TCP/IP

- DHCP: look for my IP address using a DHCP server, which assigns it to me
  - Should also retrieve the settings for
    - Gateway (the way out of the network)
    - DNS (lookup service for URL to IP)
    - Network (subnet) mask
- Alternative: specify the IP yourself
  - Make sure it's not already assigned
  - Specify your own netmask, DNS and gateway

Properties of TCP/IP

- Need to talk between local devices
  - No need for a gateway in general
  - Unless you're looking up URLs, no need for DNS
- The network mask should be consistent with the IP address pattern on that network segment
  - A 'mismatch' will cause the packet to be sent to the router (gateway): the host thinks the address is not local
  - A 'mismatch' may make the host believe that a foreign address is on your local network: the packet will not be routed
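The two mismatch symptoms above, as an added example that is not part of the deck: the checker compares the mask a host was configured with against the mask actually in use on its segment and reports, for each destination, which of the two failure modes would occur. All addresses and masks are constructed sample values.

```python
# Added example (not from the slide deck): detecting a subnet-mask mismatch
# and naming the symptom it produces for a given destination.
import ipaddress


def classify(local_ip, configured_mask, segment_mask, dest_ip):
    """Compare the host's view (configured_mask) with reality (segment_mask)."""
    host_view = ipaddress.IPv4Network(f"{local_ip}/{configured_mask}", strict=False)
    reality = ipaddress.IPv4Network(f"{local_ip}/{segment_mask}", strict=False)
    dest = ipaddress.IPv4Address(dest_ip)
    thinks_local = dest in host_view
    is_local = dest in reality
    if thinks_local == is_local:
        return "ok"
    if is_local and not thinks_local:
        # Mask too narrow: a neighbour is handed to the gateway instead of
        # being resolved directly on the segment.
        return "sent to gateway although local"
    # Mask too wide: a foreign address is treated as a neighbour; the host
    # tries to resolve it locally and the packet is never routed.
    return "treated as local, will not be routed"


def audit_mask(local_ip, configured_mask, segment_mask, destinations):
    """Run the check over several destinations; only problems are returned."""
    problems = {}
    for dest in destinations:
        verdict = classify(local_ip, configured_mask, segment_mask, dest)
        if verdict != "ok":
            problems[dest] = verdict
    return problems


if __name__ == "__main__":
    # Constructed segment: 192.168.1.0/24, host configured with the wrong mask.
    print(audit_mask("192.168.1.10", "255.255.0.0", "255.255.255.0",
                     ["192.168.1.20", "192.168.50.7", "203.0.113.5"]))
    print(audit_mask("192.168.1.10", "255.255.255.128", "255.255.255.0",
                     ["192.168.1.20", "192.168.1.200"]))
```

Addresses in the 203.0.113.0/24 range are used here as stand-ins for "somewhere on the Internet"; they are outside both masks, so they are handled correctly either way and do not show up as problems.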

Toolbox: Applying your knowledge

Tools

- ipconfig / ifconfig
- ping
- pathping
- tracert / traceroute
- arp
- netstat
- nslookup
- dig
- whois
- host

So many tools…

- So little time…
- Live incident or autopsy
  - Volatile information first: disturbing the system
  - Durable / non-volatile information

Windows Volatile Information: Going, Going……

Volatile

- Information residing in memory
  - Temporary nature: gone on shutdown
  - Time sensitive: gone before shutdown
- What do you go for first???
- Minimize the footprint you leave as you collect the data

Order of Volatility

1. Registers and cache
2. Routing table, ARP tables, process table, kernel statistics, connections
3. Temp file systems
4. Hard disk / non-volatile storage systems
5. Remote / offsite logging and monitoring data
6. Physical configuration and network topology
7. Archival media

Types of Volatile Information

- System time
- Users on the system
- Processes running
- Connections
- Status of the network
- Clipboard
- Command history
- Services and drivers

Common Errors

- No documentation on the baseline system
- Failing to document your collection process
- Shutdown or reboot of the machine
  - Closing down the terminal or shell should also not be done
- Reliance on the suspect machine

Methodology

1. Preparation
2. Document the Incident
3. Policy Verification
4. Volatile Data Collection Strategy
5. Volatile Collection Setup
6. Volatile Collection Process

Preparation

- Toolkit
- Guidelines
- Policies

Documentation

- Profile
  - How detected
  - Scenario
  - Time of occurrence
  - Who/what reported
  - Hardware and software involved
  - Contacts for involved personnel
  - How critical is the suspicious system
- Collection logbook
  - Who is collecting
  - History of tools used and executed commands
  - Generated output and reports
  - Timestamp of executed commands
  - Expected system changes as you execute commands
- Forensics toolkit logbook
  - Usage, output and effects

Policy Verification

- Examine policies for violations of rights by your actions
- User-signed policies
- Consent
- Establish your legal boundaries

Volatile Data Collection Strategy

- Types of data to collect
- Tools to do the job
- Where is output saved?
- Administrative vs. user access
- Media access (USB, floppy, CD)
- Machine connected to network

Volatile Collection Setup

- Trusted command shell
- Establish the transmission and storage method
- Ensure the integrity of forensic toolkit output: MD5 hash

Volatile Collection Process

- Collect uptime, time, date, command history
  - Generate time/date to establish an audit trail
  - Begin command history to document your collection
- Collect all volatile information: system and network information
- End collection with date/time and command history
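The setup and process steps above (trusted shell, integrity hash of toolkit output, start and end timestamps, a logbook of every command run), pulled together as an added example that is not part of the deck. Steps are run most-volatile-first following the Order of Volatility slide; each record carries a timestamp, the collector's name, the command and an MD5 digest of the output as the slide prescribes, plus a SHA-256 digest. The command runner is injectable so the logbook logic can be exercised offline with constructed output; the default runner executes the command on the live system. The step list is a constructed sample built from tool names the deck mentions (systeminfo, netstat, pslist, psloggedon); assume they are on the trusted toolkit media and on the path.

```python
# Added example (not from the slide deck): a minimal volatile-data collection
# logbook with ordering, timestamps and integrity digests.
import hashlib
import subprocess
from datetime import datetime, timezone

# Constructed step list: (volatility rank, label, command). Lower rank = more
# volatile, so it is collected earlier. Tool names are taken from the deck.
STEPS = [
    (4, "users", ["psloggedon"]),
    (2, "connections", ["netstat", "-ano"]),
    (1, "system_time", ["systeminfo"]),
    (3, "processes", ["pslist", "-t"]),
]


def digests(data: bytes) -> dict:
    """MD5 (as on the slide) and SHA-256 of a tool's captured output."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def live_runner(cmd):
    """Default runner: execute on the suspect host from the trusted shell."""
    try:
        return subprocess.run(cmd, capture_output=True, check=False).stdout
    except OSError as exc:  # tool missing from the toolkit path, etc.
        return f"<not run: {exc}>".encode()


def collect(steps=STEPS, runner=live_runner, collector="examiner"):
    """Run steps most-volatile-first; return the logbook with start/end marks."""
    started = datetime.now(timezone.utc).isoformat()
    records = []
    for _rank, label, cmd in sorted(steps, key=lambda s: s[0]):
        stamp = datetime.now(timezone.utc).isoformat()   # before execution
        output = runner(cmd)
        records.append({"label": label, "command": " ".join(cmd),
                        "timestamp": stamp, "collector": collector,
                        "output": output, **digests(output)})
    ended = datetime.now(timezone.utc).isoformat()
    return {"started": started, "ended": ended, "records": records}


def verify(logbook) -> bool:
    """Recompute digests over the stored output; False if anything changed."""
    return all(digests(r["output"]) == {"md5": r["md5"], "sha256": r["sha256"]}
               for r in logbook["records"])


if __name__ == "__main__":
    book = collect()
    print("started", book["started"])
    for r in book["records"]:
        print(r["timestamp"], r["command"], r["md5"])
    print("ended", book["ended"], "integrity ok:", verify(book))
```

Writing the logbook and the raw output to the collection media rather than to the suspect disk keeps the footprint small, which is the "disturbing the system" concern from the earlier slide; the digests let you show later that the stored output is what the tool produced at that timestamp.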

System Time

- Systeminfo.exe (XP and 2003)

Uptime

- Uptime from www.dwam.net/docs/aintx
- Psinfo from Sysinternals

Users

- Psloggedon (Sysinternals)
- Netusers.exe (Somarsoft), two switches:
  - /l local logged on
  - /h history
- Net session: users, name / IP of client, client type

Processes

- Identify
  - Executable
  - Command line used
  - How long was it running?
  - Security context
  - Modules or DLLs it's accessing
  - Memory used

Process tools

- Pslist (Sysinternals)
- Task Manager
- Pslist -t
- ListDLLs (Sysinternals)
- handle (Sysinternals)
- Tasklist
- PS (Aintx)
- Cmdline (DiamondCS, www.diamondcs.com.au)

Process Memory

- Current state of processes: passwords, server addresses, remote connections

pmdump (www.NTSecurity.nu)

- Option "list": lists the PIDs
- Then… dump the PID: pmdump ### <filename>
- Use another tool then to view the contents ("strings" from Sysinternals)

Network Info

- Ipconfig
- Promiscdetect (www.netsecurity.nu): works on the local host, not remote

Netstat: lists connections

Nbtstat: NetBIOS connections

Fport (Foundstone): maps ports to the processes using them. Requires Administrator!

OpenPorts (www.DiamondCS.com.au): ports mapped to process; Administrator access not required
- With netstat option
- With fport option

OpenFiles
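What Fport and OpenPorts report, a port-to-process map, can also be assembled from the text output of two built-in commands the deck lists, netstat and tasklist. The added example below (not code from the deck or from either tool's vendor) parses `netstat -ano` and `tasklist` output, joins them on PID, and flags listening ports that are absent from a documented baseline, which is the "no documentation on the baseline system" error from the Common Errors slide turned into a check. The netstat and tasklist lines and the baseline are constructed sample data, not a capture from any real system.

```python
# Added example (not from the slide deck): port-to-process mapping built from
# constructed `netstat -ano` and `tasklist` output, with a baseline check.

# Constructed sample output in the format `netstat -ano` prints on Windows.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:1062       167.209.88.53:80       ESTABLISHED     1540
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2212
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample output in the format `tasklist` prints.
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
svchost.exe                    880 Console                    0      4,120 K
iexplore.exe                  1540 Console                    0     18,004 K
unknown.exe                   2212 Console                    0      1,208 K
"""

# Constructed baseline of listeners expected on this host: {(proto, port)}.
BASELINE = {("TCP", 135), ("TCP", 139), ("UDP", 137)}


def parse_tasklist(text):
    """PID -> image name. Skips the header and separator rows; assumes image
    names without spaces, as in the sample."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def parse_netstat(text):
    """(proto, local_port, foreign, state, pid) rows from `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        port = int(local.rsplit(":", 1)[1])
        rows.append((proto, port, foreign, state, pid))
    return rows


def port_process_map(netstat_text, tasklist_text):
    """Join the two outputs on PID, the way Fport / OpenPorts present it."""
    procs = parse_tasklist(tasklist_text)
    return [{"proto": p, "port": port, "foreign": f, "state": s, "pid": pid,
             "process": procs.get(pid, "<unknown pid>")}
            for p, port, f, s, pid in parse_netstat(netstat_text)]


def unexpected_listeners(mapping, baseline):
    """Listening sockets (TCP LISTENING, or any UDP) not in the baseline."""
    return [m for m in mapping
            if (m["state"] == "LISTENING" or m["proto"] == "UDP")
            and (m["proto"], m["port"]) not in baseline]


if __name__ == "__main__":
    mapping = port_process_map(NETSTAT_ANO, TASKLIST)
    for m in mapping:
        print(f'{m["proto"]:3} {m["port"]:5} {m["state"]:11} pid={m["pid"]:5} {m["process"]}')
    for m in unexpected_listeners(mapping, BASELINE):
        print("not in baseline:", m["proto"], m["port"], m["process"])
```

Both commands are run from the trusted shell and their raw output is kept (and hashed) alongside the derived table, so the mapping can be reproduced later from the recorded evidence rather than from the suspect machine.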

Protected storage

- Used for storing information: private keys for using SSL and S/MIME

Following the Leads

Ohio State University