Whodunit? Beginning the cyber investigation

Page 1: Whodunit? Beginning the cyber investigation

Page 2: Addresses

- MAC address
  - Network card (NIC, network interface card)
  - Identifies a physical device: the card itself
  - This is how a packet is delivered on a local network
- Network (IP) address
  - Logical address
  - Associated with a MAC address
  - Identifies a LOGICAL device

Page 3: MAC address

- Six two-digit hexadecimal groups, e.g. 00-3E-42-A6-51-0E
- "Burned in" by the manufacturer
- In reality, it can be changed in many cases

Page 4: IP address

- "Dotted decimal" or "dotted quad"
- 32 bits (4 octets); each octet has a value from 0 through 255, e.g. 192.168.0.1
- Each IP address has a
  - Prefix: identifies a network
  - Suffix: identifies a host (device) on that network

Page 5: IP addresses

- IP "prefixes" must be unique on a global basis
- The suffixes must be unique at the local level

Page 6: IP delivery

- The IP address is used to deliver a message
- A comparison using the subnet mask determines whether the destination is on the:
  - Local network: a lookup is performed for the MAC address matching the destination IP
  - Remote network: the packet is sent to the 'gateway' / router
    - The router decides the next hop to send the packet toward the destination network (determined by the prefix)
    - On arrival at the remote network, a lookup is performed for the MAC address matching the destination IP

Page 7: IP addresses

- The prefix part identifies a class A, B or C range
  - A uses the last 3 octets to identify a host
  - B uses the last 2 octets
  - C uses the last octet
- If the octet identifying the host is "0", it means the entire network
  - 192.168.1.0 (means the entire 192.168.1 network)
- If the suffix octet is 255 (all binary 1's), it is the broadcast address for that network
  - 192.168.1.255 sends to all hosts on the 192.168.1 net

Page 8: CIDR (Classless Inter-Domain Routing)

Page 9: Rationale

- Class "C" addresses need entries in network routing tables
  - Too many unique entries affects the performance of the router
- Develop a different "network identifier": allocate a number of bits to identify the network
  - Class C uses 24 bits for the network and the remaining 8 bits for the host on the network

Page 10: Routing

- A network mask is needed to determine the network identifier in the IP address
- Routing can be done using contiguous blocks of class C addresses represented by a single entry in the routing table
- Improves the scalability of the routing system

Page 11: Supernet

- Arbitrary-sized network: create a network from a contiguous block of "C" addresses
- Criteria
  - Consecutive address ranges: 192.168.6.0 and 192.168.7.0
  - The third octet of the first address range must be divisible by 2
- 192.168.6.0: the new network can have up to 512 unique hosts
  - New netmask is 255.255.254.0
  - 9 bits available for the host address

Page 12: Supernet

- Combination of more than two class C networks
  - Done in powers of 2
  - The third octet must be divisible by the number of networks you're combining
  - 192.168.16.0 192.168.17.0 …… 192.168.24.0
- 8 networks combined: netmask 255.255.248.0
- 21 bits used for the network: 192.168.19.45/21
  - In the IP address, the first 21 bits identify the network
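As an added worked example (not code from the slides), the subnet-mask comparison of page 6, the network/broadcast rule of page 7 and the supernet arithmetic of pages 11 and 12 carried out in Python. The function names are my own; `supernet` also reports which class C block is the last one in the combination, which the slide leaves to an ellipsis (8 consecutive /24s starting at 192.168.16.0 run through 192.168.23.0).

```python
# Added example: IPv4 prefix/suffix arithmetic behind the slides' examples.
# Function names are the example author's choices, not tools named on the slides.
from ipaddress import IPv4Address, IPv4Network


def to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(IPv4Address(addr))


def to_str(value: int) -> str:
    return str(IPv4Address(value))


def prefix_len(mask: str) -> int:
    """Count the leading 1 bits of a netmask such as 255.255.248.0 (-> 21)."""
    return bin(to_int(mask)).count("1")


def network_and_broadcast(addr: str, mask: str):
    """Host bits cleared = the whole network (x.y.z.0 for a /24);
    host bits all set = broadcast to every host on it (x.y.z.255)."""
    m = to_int(mask)
    net = to_int(addr) & m
    bcast = net | (~m & 0xFFFFFFFF)
    return to_str(net), to_str(bcast)


def is_local(src: str, dst: str, mask: str) -> bool:
    """The subnet-mask comparison a host performs before sending:
    same prefix -> look up the destination MAC locally; otherwise -> gateway."""
    m = to_int(mask)
    return (to_int(src) & m) == (to_int(dst) & m)


def supernet(first_net: str, count: int) -> dict:
    """Combine `count` consecutive class C (/24) networks starting at
    first_net into one routing-table entry, enforcing the slides' criteria:
    count is a power of two and the third octet is divisible by count."""
    if count < 2 or count & (count - 1):
        raise ValueError("count must be a power of 2")
    third = int(first_net.split(".")[2])
    if third % count:
        raise ValueError(f"third octet {third} is not divisible by {count}")
    host_bits = 8 + count.bit_length() - 1      # 8 host bits per /24 plus the borrowed ones
    plen = 32 - host_bits
    mask = to_str((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    net = IPv4Network(f"{first_net}/{plen}")    # raises if first_net is not aligned
    last = to_str(to_int(first_net) + (count - 1) * 256)
    return {
        "cidr": str(net),
        "netmask": mask,
        "last_class_c": last,
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,             # includes network and broadcast
        "usable_hosts": 2 ** host_bits - 2,
    }


if __name__ == "__main__":
    print(network_and_broadcast("192.168.1.77", "255.255.255.0"))
    print(is_local("192.168.0.5", "192.168.0.45", "255.255.255.0"))
    print(is_local("192.168.0.5", "167.209.88.53", "255.255.255.0"))
    print(supernet("192.168.6.0", 2))
    print(supernet("192.168.16.0", 8))
```

The mask mismatch described on page 20 is the same comparison with the wrong mask: a mask that is too short makes `is_local` return True for a foreign address, so the packet is never handed to the gateway.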

Page 13: Ports

- TCP and UDP ports identify the 'processes' running
- Numbered 1 to 65535
- "Well known ports" are associated with services:
  - 80 HTTP
  - 20, 21 FTP
  - 443 HTTPS
  - 110 POP3
  - 23 TELNET
  - 25 SMTP

Page 14: Private Network

[Diagram: three hosts (192.168.0.5, 192.168.0.20, 192.168.0.45) connected to a Switch]

Page 15: Cable Modem

[Diagram: SERVER (167.209.88.53), SWITCH, Cable Modem, COAX Cable]

Page 16: Private Network thru Cable Modem

[Diagram: hosts 192.168.0.5, 192.168.0.20 and 192.168.0.45 behind a Router (192.168.0.1 inside / 167.209.88.53 outside), then Cable Modem, then COAX Cable]

Page 17: Tools

- Connection properties
- arp
- ping
- ipconfig
- pathping
- nslookup
- Enable / Disable / Repair

Page 18: TCP/IP properties

- Control Panel > Network Connections
- Locate the connection (typically Local Area Network)
- Right click
- Find the 'Properties' tab
  - Client for Microsoft Networks
  - File/printer sharing
  - Internet Protocol (TCP/IP)

Page 19: Properties of TCP/IP

- DHCP: look for my IP address using a DHCP server, which assigns it to me
  - Should also retrieve the settings for
    - Gateway (way out of the network)
    - DNS (lookup service for URL to IP)
    - Network (subnet) mask
- Alternative: specify the IP yourself
  - Make sure it's not already assigned
  - Specify your own netmask, DNS and gateway

Page 20: Properties of TCP/IP

- If you only need to talk between local devices, there is no need for a gateway in general
- Unless you're looking up URLs, there is no need for DNS
- The network mask should be consistent with the IP address pattern on that network segment
  - A 'mismatch' will cause the packet to be sent to the router (gateway), which thinks the address is not local
  - A 'mismatch' may make the host believe that a foreign address is on your local network, so the packet will not be routed

Page 21: Toolbox: Applying your knowledge

Page 22: Tools

- ipconfig / ifconfig
- ping
- pathping
- tracert / traceroute
- arp
- netstat
- nslookup
- dig
- whois
- host

Page 23: So many tools…

- So little time…
- Live incident or autopsy
- Volatile information first
  - Disturbing the system
- Durable / non-volatile information

Page 24: Windows Volatile Information: Going, Going……

Page 25: Volatile

- Information residing in memory
- Temporary nature
  - Gone on shutdown
- Time sensitive
  - Gone before shutdown
- What do you go for first???
- Minimize the footprint you leave as you collect the data

Page 26: Order of Volatility

1. Registers and cache
2. Routing table, ARP tables, process table, kernel statistics, connections
3. Temp file systems
4. Hard disk / non-volatile storage systems
5. Remote / offsite logging and monitoring data
6. Physical configuration and network topology
7. Archival media

Page 27: Types of Volatile Information

- System time
- Users on the system
- Processes running
- Connections
- Status of the network
- Clipboard
- Command history
- Services and drivers

Page 28: Common Errors

- No documentation on the baseline system
- Failing to document your collection process
- Shutdown or reboot of the machine
  - Closing down the terminal or shell should also not be done
- Reliance on the suspect machine

Page 29: Methodology

1. Preparation
2. Document the Incident
3. Policy Verification
4. Volatile Data Collection Strategy
5. Volatile Collection Setup
6. Volatile Collection Process

Page 30: Preparation

- Toolkit
- Guidelines
- Policies

Page 31: Documentation

- Profile
  - How detected
  - Scenario
  - Time of occurrence
  - Who/what reported
  - Hardware and software involved
  - Contacts for involved personnel
  - How critical is the suspicious system
- Collection logbook
  - Who is collecting
  - History of tools used and executed commands
  - Generated output and reports
  - Timestamp of executed commands
  - Expected system changes as you execute commands
- Forensics toolkit logbook
  - Usage, output and effects

Page 32: Policy Verification

- Examine policies for violations of rights by your actions
- User-signed policies
- Consent
- Establish your legal boundaries

Page 33: Volatile Data Collection Strategy

- Types of data to collect
- Tools to do the job
- Where is the output saved?
- Administrative vs. user access
- Media access (USB, floppy, CD)
- Is the machine connected to the network?

Page 34: Volatile Collection Setup

- Trusted command shell
- Establish the transmission and storage method
- Ensure the integrity of forensic toolkit output: MD5 hash

Page 35: Volatile Collection Process

- Collect uptime, time, date and command history
  - Generate the time/date to establish an audit trail
  - Begin the command history to document your collection
- Collect all volatile information: system and network information
- End the collection with date/time and command history
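As an added example (not code from the slides, and not a tool they name), the collection process above as a small Python runner: it stamps the start time, runs each tool in the order given, records the command, its timestamps and an MD5 of every output in a logbook, and stamps the end time. The function names are my own; the two stand-in commands are constructed and only print fixed text so the script runs anywhere.

```python
# Added example: a minimal volatile-data collection run following the slides'
# process (start time, tools in order of volatility, hash of each output,
# end time, logbook). Function names are the example author's own; in a real
# collection the commands would be the slides' tools (systeminfo, psloggedon,
# pslist, netstat -an, ...) launched from a trusted shell on response media.
import hashlib
import subprocess
import sys
from datetime import datetime, timezone


def digest(data: bytes) -> str:
    """MD5 as the slides specify; SHA-256 is also recorded as the stronger hash."""
    return hashlib.md5(data).hexdigest()


def now() -> str:
    # Fixed-width UTC timestamps so logbook entries sort and compare as text.
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def run_tool(label: str, argv: list) -> dict:
    """Run one collection command, capturing output, timing and hashes."""
    started = now()
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    output = proc.stdout
    return {
        "label": label,
        "command": " ".join(argv),
        "started": started,
        "finished": now(),
        "returncode": proc.returncode,
        "output": output,
        "md5": digest(output.encode()),
        "sha256": hashlib.sha256(output.encode()).hexdigest(),
    }


def collect(commands: list) -> dict:
    """commands: list of (label, argv), most volatile first (page 26)."""
    run = {"collection_start": now(), "entries": [], "collection_end": None}
    for label, argv in commands:
        run["entries"].append(run_tool(label, argv))
    run["collection_end"] = now()
    return run


def logbook(run: dict) -> str:
    """Plain-text audit trail: what ran, when, exit code and output hash."""
    lines = [f"collection start: {run['collection_start']}"]
    for e in run["entries"]:
        lines.append(f"{e['started']}  {e['label']}: {e['command']}  "
                     f"rc={e['returncode']}  md5={e['md5']}  "
                     f"bytes={len(e['output'].encode())}")
    lines.append(f"collection end:   {run['collection_end']}")
    return "\n".join(lines)


# Constructed, platform-neutral stand-ins for the real tools: each just prints
# a fixed string where the real command would print system state.
SAMPLE_COMMANDS = [
    ("system time", [sys.executable, "-c", "print('constructed time output')"]),
    ("connections", [sys.executable, "-c", "print('constructed netstat output')"]),
]


if __name__ == "__main__":
    print(logbook(collect(SAMPLE_COMMANDS)))
```

Run it from the trusted shell with the logbook and outputs written off the suspect machine, as pages 28 and 34 require; the slides' Windows tools drop in as entries such as `("processes", ["pslist"])`.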

Page 36: System Time

Page 37: Systeminfo.exe (XP and 2003)

Page 38: Uptime

- Uptime from www.dwam.net/docs/aintx
- Psinfo from Sysinternals

Page 39: Users

- Psloggedon (Sysinternals)
- Netusers.exe (Somarsoft): two switches
  - /l local logged on
  - /h history
- Net session
  - Users
  - Name / IP of client
  - Client type

Page 40: Processes

- Identify
  - Executable
  - Command line used
  - How long was it running?
  - Security context
  - Modules or DLLs it's accessing
  - Memory used

Page 41: Pslist (Sysinternals)

Page 42: Task Manager

Page 43: Pslist -t

Page 44: ListDLLs (Sysinternals)

Page 45: handle (Sysinternals)

Page 46: Tasklist

Page 47: PS (Aintx)

Page 48: Cmdline (DiamondCS, www.diamondcs.com.au)

Page 49: Process Memory

- Current state of processes
- Passwords
- Server addresses
- Remote connections

Page 50: pmdump (www.NTSecurity.nu)

Page 51: pmdump

- Option: List
  - Lists the PIDs
- Then… dump the PID: pmdump ### <filename>
- Use another tool then to view the contents ("strings" from Sysinternals)

Page 52: Network Info: Ipconfig

Page 53: Promiscdetect

- www.netsecurity.nu
- Works on the local host, not remote

Page 54: Netstat: lists connections

Page 55: Nbtstat: NetBIOS connections

Page 56: Fport

- Foundstone
- Maps ports to the processes using them
- Requires Administrator!

Page 57: OpenPorts

- Ports mapped to process
- www.DiamondCS.com.au
- Administrator access not required

Page 58: With netstat option

Page 59: With fport option

Page 60: OpenFiles

Page 61: Protected storage

- Used for storing information
- Private keys for using SSL and S/MIME

Page 62: Following the Leads

Page 64: Ohio State University