
Post on 17-Dec-2015


Cosc 4765

Windows Forensics Techniques

A case study

• First, this lecture should not be confused with Computer Forensics for criminal prosecution.
– That involves chain of custody and ensuring that the system has “unchanged” data for evidence in a trial.

• We’ll look at identification and detection techniques and tools, using a Windows environment for a fake company.

Fake company

• We’ll use a web hosting company as the basis for the study.
– It has a large number of Windows servers.
– Each has 2 NICs:
• 1 has an inside private IP (10.10.X.X)
• 1 has an outside public IP
– All inside traffic is via ssh, while outside traffic is via http (and https), using Apache (not IIS).
– And there is a firewall preventing outside-to-inside access. Boxes can only be accessed from the Internet via the outside IP address.

Our Network Toolbox

• Networking tools to detect potential incidents:
– WireShark, Windump (tcpdump for Windows)
• We can capture and graphically inspect network traffic.
– EtherApe
• It builds a “talkers map” for a network segment.
• Allows us to characterize normal traffic.
– tcpreplay
• We can replay captured traffic and control the speed.
– Snort
• Free IDS, using a GUI frontend like BASE for easier viewing of the traffic.
– MRTG
• Or something like it; it can show you a traffic graph of your network.
– Fscan, nmapwin (nmap for Windows)
• Port scanners to determine open ports.

Potential incidents

• First, there is a general assumption

– YOU ALREADY KNOW WHAT NORMAL TRAFFIC IS FOR “FAKE COMPANY”.

– Why is this important?

– What would we expect to be normal traffic for this company?

Potential incidents (2)

• So first we think there is “abnormal traffic” on the network.
– Maybe from Snort or other network monitoring software.
• Could just be “gee, the response time is slow today”.
– We run Wireshark and get the following:
• Traffic from an outside IP to an inside IP
– That’s a problem!
– Time to check that computer.

Our Windows ToolBox

• A CD-ROM containing copies of the programs we are using.
– A CD-ROM is best, since it cannot be compromised by an infected system.
– From a Windows system:
• at.exe, cmd.exe, dir.exe, ipconfig.exe, nbtstat.exe, net.exe, netstat.exe, nslookup.exe, route.exe, tracert.exe, hostname.exe

Our Windows ToolBox (2)

• From Foundstone.com and other places:
– fport.exe
• Reports all open TCP/IP and UDP ports and maps them to the owning application.
– Could use netstat –an, but fport maps each port to the owning application, so it’s better.
– pslist.exe
• Lists processes on the cmd line.
– psservice.exe
• Associates services with process IDs.
– psfile.exe
• Similar to lsof; lists open files by application.
– psloggedon.exe
• Associates users with running processes.
– listdlls.exe
• Lists which DLL files are being used by running processes.

What to look for?

• Unusual processes – pslist, psinfo, psfile
• Unusual listening ports – netstat, fport, psservice
• Unusual open files – psfile, listdlls, fport
• Logged in users – psloggedon, nbtstat
• Process owners – psloggedon
• Examine route tables – netstat, route
• Temp files, suspicious folders – dir, type, explorer

Using the tools

• e:\hostname (assume e: is the cdrom)
– winbox.private.com

• e:\net session

Computer   User name       Client Type   Opens   Idle time
----------------------------------------------------------------
\\TGT1     ADMINISTRATOR                 0       00:00:27
\\TGT2     ADMINISTRATOR                 0       00:00:15
\\TGT3     ADMINISTRATOR                 0       00:00:23
\\TGT4     ADMINISTRATOR                 0       00:00:05

This is very bad! There are 4 file shares connected to this machine.

Using the tools (2)

• E:\Fport.exe

Fport v2.0 - TCP/IP Process to Port Mapper
Copyright 200 by Foundstone, Inc
http://www.foundstone.com

Pid   Process            Port  Proto Path
420   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
888   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
8     System         ->  1027  TCP
8     System         ->  445   UDP
430   svchost        ->  80    TCP   C:\Program Files\Apache\httpd.exe
1625  servu          ->  3215  TCP   C:\Client_Data\Inetpub\_vti-bin\ \servu.exe

We’re running Apache web servers, but there is something running out of what looks like an IIS directory! And it is a hidden directory (the path component between _vti-bin and servu.exe is a single space).
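The triage above is done by eye; the following is an added example (not part of the lecture) that automates the same two checks over fport’s text output: which listeners run from outside the locations a web server box should use, and which TCP ports fall outside the public-port policy from the clean-up slides. The sample listing is re-typed from the slide, and TRUSTED_PREFIXES / EXPECTED_INTERNET_PORTS are a hypothetical baseline for “fake company”.

```python
import re
from typing import NamedTuple

# Constructed sample: the fport v2.0 listing from the lecture, re-typed as fport prints it.
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
420   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
888   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
8     System         ->  1027  TCP
8     System         ->  445   UDP
430   svchost        ->  80    TCP   C:\Program Files\Apache\httpd.exe
1625  servu          ->  3215  TCP   C:\Client_Data\Inetpub\_vti-bin\ \servu.exe
"""

# Hypothetical baseline for "fake company": where a listener may legitimately run from,
# and the only TCP ports the firewall should expose on the public interface.
TRUSTED_PREFIXES = ("c:\\winnt\\system32\\", "c:\\program files\\apache\\")
EXPECTED_INTERNET_PORTS = {80, 443}

# pid, process, "->", port, proto, then an optional path that may itself contain spaces
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# path is empty when fport could not map the port to a binary (the System pid 8 rows)
Listener = NamedTuple("Listener", [("pid", int), ("process", str), ("port", int),
                                   ("proto", str), ("path", str)])

def parse_fport(text):
    """Turn fport's text table into Listener records; banner and header lines do not match ROW."""
    return [Listener(int(m[1]), m[2], int(m[3]), m[4], m[5])
            for m in map(ROW.match, text.splitlines()) if m]

def path_findings(listeners):
    """Flag listeners whose binary is outside the baseline or sits under a whitespace-named folder."""
    findings = []
    for l in listeners:
        # A folder whose name is only spaces (the "_vti-bin\ \" trick) hides from a casual dir listing.
        if l.path and any(part != part.strip() for part in l.path.split("\\")):
            findings.append((l.pid, l.port, "whitespace-named directory in path"))
        if l.path and not l.path.lower().startswith(TRUSTED_PREFIXES):
            findings.append((l.pid, l.port, "binary outside trusted locations"))
    return findings

def unexpected_tcp_ports(listeners):
    """TCP listeners not covered by the public-port policy: confirm the firewall blocks each one."""
    return {l.port for l in listeners if l.proto == "TCP" and l.port not in EXPECTED_INTERNET_PORTS}

if __name__ == "__main__":
    rows = parse_fport(FPORT_OUTPUT)
    for finding in path_findings(rows):
        print("SUSPICIOUS pid=%d port=%d: %s" % finding)
    print("TCP ports to verify against the firewall:", sorted(unexpected_tcp_ports(rows)))
```

On the slide’s listing only the servu process is reported, for both reasons; the Windows RPC/SMB ports are listed separately because they are normal on the box but must still be blocked at the firewall.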

Using the tools (3)

• e:\dir /s /a c:\Client_Data\Inetpub\_vti-bin\" "\ /p
– Recursively listing the hidden directory (its name is a single space, hence the quoted " ").

In it we find a batch file containing:

net use F \\tgt1\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use G \\tgt2\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use H \\tgt3\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass
net use I \\tgt4\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass

• So now there are at least 4 more systems involved, with administrator privileges.
• Looking at those, we find that it’s an FTP server, with configs and a batch file to launch the server.

A note

• This hasn’t identified the entry point.
• We don’t know how they broke in:
– could be bad administrator passwords
– could be an unpatched Windows system
– virus/worm
– or simply a targeted attack against fake company that succeeded.

Clean Up

• That’s the hard part.
– If we decide not to reinstall the machine:
– Must check the registry, new local accounts, services
• such as, how does the system mount those directories?
– We’ll need to stop that!
– Scan and remove any viruses/worms/trojan horses/back doors.
• Once an attacker gets in, they will work very hard to stay there.

Clean Up (2)

• Besides cleaning up the systems:
• Fix the firewall
– If we are allowing clients to connect to specific ports, then we should enforce that on the firewall.
– Open Internet ports:
• 80 (http), 443 (https), maybe port 25 for e-mail
– Close outbound ports as well.
• Harder, because of browsing, patch management, and other issues, but it can normally be done by trial and error.
– Add a VLAN if possible to block more traffic.

Clean Up (3)

• Add an IDS system
– Make sure it has rules that “enforce” policies.
– It will then tell us when traffic is going to the wrong ports.
– Outside-to-inside IP connections
• Attackers may still succeed, but we will know about it quicker.

Lastly

• The idea here is to quickly find and repair the problem.
– Have your toolbox ready, KNOW how to use the programs, and always know what “normal” is.
• We can never be 100% secure, and it’s not IF we get hacked, it's WHEN we get hacked.

Q&A

References

• http://www.securityfocus.com/infocus/1653/

• http://www.securityfocus.com/infocus/1672/

• http://www.foundstone.com/
