Search My Blog

Sunday, September 12, 2010

Computer Forensic Analysis - The Series

This posting is not completed yet. Think of it as a preview.

Recently, a friend of mine sent me a job posting for a computer forensics analysis position.  Now, I don’t currently, nor have I ever done this type of work professionally. However,  I have done this type of work “academically” or at home for personal “enrichment”. So, I do have the experience and knowledge to perform these types of activities. The job posting “sparked” an idea in my head, that maybe I should post a blog entry about system analysis and investigation into an attack. I can’t really post it all in one blog entry, so this might be a series or something. (Time permitting in my personal life.)  Today, I figured I would cover the top level kind of stuff.

Now, before I start, I will say that normally I would have used the Backtrack LiveBoot CD or the OWASP toolkit to perform this analysis. This posting isn’t going to use those.....why? Well, the job posting asked for experience with Helix. I’ve never used Helix…. So what better reason to learn about it. Also, I think I’m going to focus on Windows based analysis.


I started my day (for this blog entry) trying to find a copy of Helix. Turns out, in 2008, the publisher of that distribution made it “commercial only” and wants ~$240 for Helix Pro. That’s pretty reasonable, but I’m not going to buy it just to blog about it. So, I did more searching and found the last free distribution ISO Helix2008R1 (https://kinqpinz.info/library/h/#00f87509 ). Ok, the site looks “shady”…so I did do some virus scanning and validation on the ISO.  I should note that my AV system went crazy with this distribution. It claims there are viruses in a number of the components of this ISO.  I have found clean copies of the components that were infected, so I’m pretty sure the virus identifications are correct vice being “false positives”. Secondly, my AV software doesn’t like that a lot of the tools are “Security Assessment Tools” and blocks them….. So, I had to move to a VM just to build a “clean” and updated distribution of the Helix suite. I’m going to refer to my “custom build” as HelixCustom. I've updated a bunch of the SysInternals tools, fixed the "Virus Infected" libraries, and added a few things to the distribution.

Now, since I’m doing this windows-based approach, my VM is a Windows 7 x64 image. It was out of date so I spent like 2 hours installing updates.  With that out of the way, I took a clean snapshot of it and turned off the virus protection……. (oh no!!!!!). Yes, I had to turn of the virus protection to build the “clean” distribution of HelixCustom. I’ll scan my custom ISO after I’m complete on a different system to verify its integrity.

Responding to an Incident

There are defined steps one must take when responding to a “potential” attack. If you are responding in a legal capacity, there are extra steps you must take to protect the evidence chain and make the data admissible in court. I’m not in law enforcement….. I do have a number of friends that are, but I don’t really want to add to the complexity of this blog posting. We are going to focus on just how to solve/investigate your incident.

NOTE: If you are Corporate IT guy and are looking to do some collection before informing Law Enforcement of a known breach…. DON’T! You will corrupt the scene. Call them now and let them respond. You may overwrite data that they can use.

RFC 3227 - Guidelines for Evidence Collection and Archiving defines the “best practices” for general digital evidence collection. Collection is based on the volatility of the data so memory is generally regarded as the first thing to collect. 

Capture Memory
(Preference: WinDD)
First step in responding to an incident would be to dump the physical memory. Computers these days have GB of memory. It is very important to preserve what is currently resident in the memory,  before proceeding. It is possible that as you respond to the situation, that memory will be overwritten or lost, so best to dump the memory as your 1st step.

In Windows, you can use WinDD from (MoonSols Windows Memory Toolkit - http://www.moonsols.com/), if you have a Helix distro use DD.exe or mdd (Mantech Memory Dump),  HBGary FastDump Pro, Nigilant32,  or other means. I will note that WinDD was probably the easiest, especially on Win64 based platforms since they require signed drivers.

Obtain Relevant System Details
Using the Helix3 distro, launch cmdenv1.bat. This will set-up your directory path to use the Helix trusted executables.

 Capture Date and Time
 Standard ways to get that would be date /t  and time /t

11:52:10.59 D:\IR> date /t
Sun 09/12/2010

11:52:13.55 D:\IR> time /t
11:52 AM
 Derive Hostname
 Using the hostname command
11:52:16.78 D:\IR> hostname
CraigLaptop-PC

Derive your current identity
Using the whoami command
11:53:03.93 D:\> whoami
Craig
Derive OS Version
Using the ver command
11:55:10.12 D:\> ver
Microsoft Windows [Version 6.1.7600]
Determine IP Interfaces and their active modes
To get the interface IP addresses in use run iplist
DiamondCS IP Enumerator v1.0 (www.diamondcs.com.au)
#         ADDRESS       BROADCAST       NETMASK
403574956 172.16.14.24  255.255.255.255 255.255.255.0
28682432  192.168.181.1 255.255.255.255 255.255.255.0
25798848  192.168.137.1 255.255.255.255 255.255.255.0
20490432  192.168.56.1  255.255.255.255 255.255.255.0
16777343  127.0.0.1     0.0.0.0         255.0.0.0
5 interfaces found.

12:36:25.73 D:\>

To determine their active modes use promiscdetect

PromiscDetect 1.0 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu) - http://ntsecurity.nu/toolbox/promiscdetect/

Adapter name:

 - PCI-E Gigabit Ethernet Controller

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:

 - VirtualBox Host-Only Ethernet Adapter

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:

 - RemoteControl USB LAN LINK

Warning: Cannot open the adapter

Adapter name:

 - Intel(R) WiFi Adapter

Active filter for the adapter:

 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

12:37:05.69 D:\>
 Obtain System Uptime
 I like to use uptime and psinfo. Psinfo provides a better level of granularity and a bit more info.
12:58:27.29 D:\> uptime
Unknown HZ value! (-1868102526) Assume 100.
 12:58:38 up  4:23,0 users,load average: 0.00, 0.00, 0.00

12:58:38.19 D:\> psinfo -h -d

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\CRAIGLAPTOP-PC:
Uptime:                    0 days 4 hours 23 minutes 38 seconds
Kernel version:            Windows 7 Professional, Multiprocessor Free
Product type:              Professional
Product version:           6.1
Service pack:              0
Kernel build number:       7600
Registered organization:   Microsoft
Registered owner:          Microsoft
IE version:                8.0000
System root:               C:\Windows
Processors:                2
Processor speed:           2.2 GHz
Processor type:            Intel(R) Core(TM)2 Duo CPU     P8400  @
Physical memory:           2940 MB
Video driver:              Mobile Intel(R) 4 Series Express Chipset Family
Volume Type  Format Label Size       Free        Free
C: Fixed     NTFS         290.07 GB  191.63 GB  66.1%
D: CD-ROM    CDFS   HC    701.76 MB              0.0%
E: Removable                                     0.0%

Installed     HotFix
n/a           Internet Explorer - 0

12:58:45.82 D:\IR>
You can also use DumpWin (http://www.niiconsulting.com/innovation/tools.html#sysinfo ) for this; however, DumpWin has a lot of other features and can be better used at other steps.

Determine Active Logged On Sessions
You can do this a bunch of ways. I’m going to use netusers and psloggedon.

13:38:40.59 D:\> netusers /l /h /v

--------------------------------------------------------
History of users logged on locally at CRAIGLAPTOP-PC:    Last Logon:
--------------------------------------------------------
CraigLaptop-PC\Craig                                     2010/09/12 11:10
--------------------------------------------------------
The command completed successfully.

13:38:53.81 D:\> psloggedon
PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     9/12/2010 8:36:22 AM       CraigLaptop-PC\Craig

Users logged on via resource shares:
     9/12/2010 1:39:21 PM       (null)\Craig

13:39:24.95 D:\>
Also, running logonsessions –p will provide active data about current sessions and processes these session are running. The output of this is a bit long, so I’m not going to show it.

NOT COMPLETE YET
I know..... I still have to complete this posting. as of Sept-30-2010... I haven't found the time to sit down and finish this one up. I really do plan on doing it. Maybe this weekend :-).... It's really interesting stuff.....just the personal/family time stuff takes up my "nerd posting time"....

Saturday, September 4, 2010

You are not as anonymous as you think....

From the Panopticlick Project:
Traditionally, people assume they can prevent a website from identifying them by disabling cookies on their web browser. Unfortunately, this is not the whole story.
When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies are already using technology to try to identify individual computers. But how effective would this kind of online tracking be?
 Turns out your not really that unique and tracking data you can't really prevent can identify your PC down to 1 in 286,777.... that's like 18.1 bits of entropy....geez

Check out the white paper.

Virtualization to mitigate virus attacks..... or "Mitigate work for Me"

All my friends know that I work on/with computers on a daily basis. They know I have a very solid background in the area, so when their PC is messed up... I get the call. Somehow, the viruses they get are generally all related to web browsing and clicking on pop-ups and other junk from "unscrupulous" sites. Lately, this has become an even bigger problem with the newer Flash based attacks. Also, many of them continue to use Internet Explorer as their primary browser. (Side note: My wife refused to upgrade from IE6 until she was forced with the Windows 7 upgrade. That was a nightmare. She would constantly state: Why is my machine so messed up???...blah..blah...blah.... I learned from her internet usage that LiveJournal is full of viruses, along with pointless other stuff.....).

Since I know I can't change people's browsing behavior and I don't want to be a jerk and not help them out with a fix, I have come up with my new "Fix" approach.
Virtualization

VirtualBox (http://www.virtualbox.org/) is a free and fairly simple, yet powerful, virtualization package. Since it is relatively easy to use (even for a novice computer user), I have created a image (Fedora 13) with virus protection, Firefox plug-ins, Flash player...etc.. all preconfigured. Now, from this point forward, I can install VirtualBox on my friends/family members' PCs..... provide them the image......and showing them how to revert the image back to the "baseline" snapshot. As long as they use the VM to do all web browsing and such, they shouldn't have any issues. If the VM gets "infected", they can solve the problem themselves with 2 clicks.....

Now, I will say, my wife says this is the most convoluted idea ever. My brother-in-law told me "Launching this VM is too many clicks..." Geez, it takes 3 clicks to launch the VM.... and the isolation it provides is great. I guess from my standpoint it's great...from theirs it's "meh.." as they just have me fix their broken PC, so no sweat of their backs....

Silent Ringtone to "Blacklist" nuisance callers

Lately, my wife has been getting calls from two different numbers asking for the same person. My wife repeatedly explains to them they have the wrong number, but to no avail they continue to call. They call everyday....guess the person owes them money or something. So, I looked into how to Blacklist a number on the iPhone. Apparently, you have to download an app...... :-(. This should be a built -in feature... I mean really.....

Anyway, the apps are mostly like $1.99...so no big deal. The most feature filled app seems to be "Blacklist" by CallerDB. It will blacklist numbers of your choosing, as well as, a host of known telemarketing numbers.

If you don't want to actually buy an app ($1.99 is a small price to pay), you could just download or make a silent ringtone, save off nuisance numbers in your contacts list, then assign them this silent ringtone. CallerDB has a SilentRingtone.m4r file available (but really they want you to buy the app then use it) or you can make your own ringtone for nuisance callers.

Friday, September 3, 2010

Force Firefox to reload the page and ignore cache copies of the page

This isn't really a full blog posting. Just a thought. I am frequently using other machines or installing systems. Internet Explorer will allow you, through the GUI,  the ability to "Check for new versions of stored pages" off the General Tab. However, Firefox doesn't seem to offer this function through a GUI. To get to it you have to do the following:

In the address bar if Firefox type:
about:config
It will load a config page. In the filter at the top of the page filter for:
browser.cache.check_doc_frequency
Change the value to: 1

Possible settings are:
3 - only check if it seems outdated (Default Setting)
2 - always use cached version
1 - always check for newer version
0 - check for newer version once per session