Open Source Forensics
 

    Presentation Transcript

    • Advanced Digital Forensics with Open Source Tools
      Richard Austin, MS, CISSP, Southern Polytechnic State University
      "Why are there so many tools left at the end of the money?"
    • Bio (slide images: "IT Elder Flatulence", "My First Computer")
      Richard is a 30+ year veteran of the IT industry in positions ranging from software developer to security architect. Before beginning a career as an independent cybersecurity consultant and educator, he was focused on technology and processes for successfully protecting the 14PB storage area network infrastructure within the global IT organization of a Fortune 25 company. MS degree with a concentration in information security from Kennesaw State University, a DHS/NSA recognized National Center of Academic Excellence in Information Assurance Education. Active member of SNIA's Security Technical Working Group. Active member of the Cloud Security Alliance's Trusted Cloud Initiative. Senior Member of both the IEEE and ACM and also a member of the IEEE Computer Society, CTIN, ISC(2) and the Atlanta Chapter of InfraGard. Book review columnist for IEEE Cipher, the newsletter of the IEEE Computer Society Technical Committee on Security and Privacy. A published author frequently writing and presenting on storage networking security, ethics and digital forensics.
    • Forensics is Changing
      Digital forensics was once solely concerned with just collecting and analyzing disk images from a cold, dead system, but much useful information leaves few durable traces on disk.
    • Two New Areas
        - Live memory collection and analysis
        - Registry analysis
      Though commercial tools are available, Open Source tools provide much of the same functionality.
    • Collecting Live Memory
    • Why Live Memory?
      The bad people are very interested in forensic technology and follow quite closely what we do
        - Contrary to popular opinion, this stuff ain't secret
        - They know that we image disks so they do things that don't leave disk traces
        - Memory-only malware
      A lot of information may not leave clearly discernible disk traces
        - Open network connections
        - Active encryption – data may only be in plaintext while the system is running
    • How do you do it?
      Just like any other forensic task
        - You collect the data
        - You extract information from it
      So what's all the hub bub, bub?
        - IAxx architectures don't have a "DUMP" button
        - Rely on software to dump main memory (the infamous BSOD and crashdump)
        - Reading memory dumps is the province of O/S level debuggers
        - Great tools, but you have to be a Windows/*UX internals guru to understand and use them
    • Remember!
      When working with a compromised system, remember you're working with Satan's computer
        - You have no clue what the attacker may have done to it
    • Issues
      User mode access to the \\.\PhysicalMemory object was removed in Vista/2003 and later
        - This was a serious security issue – it's gone; not coming back; get over it!
        - Many older live memory acquisition tools no longer work
      For Vista/2003 and later, a utility must load a kernel mode driver to get access to physical memory
        - Some vendors call this an "agent"
    • Issues
      Running a program to collect memory contents does change the state of memory (and maybe disk)
        - Can't be helped
        - If physical memory is full, something may be swapped out when you run the program
        - Documented, repeatable process is key
      You are only collecting physical memory
        - Swapped out pages will not be in the image
    • Data Triage
        - Consider the order of volatility
        - Relevance of the type of information to the case under investigation
    • Lots of Options
      Memoryze from Mandiant: http://www.mandiant.com/software/memoryze.htm
      The usual forensic vendors have their tools
      I'll be demoing winxxdd (community edition) from http://www.moonsols.com/products/
        - This free version does have limitations such as not running from a removable device or via a script.
    • Win32dd
    • Hash the Image
    • Points to Remember
      You must be able to run a program as ADMINISTRATOR on the system
        - For remote access: psexec, Remote Desktop, etc.
        - This does change the state of the system
        - Students are surprised to see win32dd in the list of running processes
    • Analyzing the Memory Image
      OK, I got it, but what do I do with it?
    • Volatility
      https://www.volatilesystems.com/default/volatility
      Open Source, written in Python
        - Python is a well-known scripting language
        - Download Python from www.activestate.com
      The 1.3 version only supports XP SP2 and SP3
        - Version 1.4 is in RC and supports Vista and Windows 7 as well as incorporating many improvements
        - http://code.google.com/p/volatility/
        - Already installed on REMnux
    • Update
      Volatility 2.0 is now released!!!
        - Includes a standalone Windows installer
    • Using Volatility
      Very simple command-line interface:
        python volatility command -f image_file
        - 1.4 adds --profile=profile to identify the O/S
      Notable commands:
        - ident – descriptive information about the dump file
        - datetime – date/time information for the dump file (included in ident)
        - pslist – list of processes
        - files – list of files open for each process
        - connections – open network connections
        - sockets – open sockets
    • ident
      In 1.4, this command becomes imageinfo
    • pslist
    • Scan vs List
      Some commands have two versions – list and scan
      The difference is that list follows the normal way of doing things
        - e.g., listing processes by following the EPROCESS list
      scan scans through memory looking for data structures (e.g., _EPROCESS)
        - psscan will find terminated and de-linked processes (one stealth technique used by rootkits)
        - The scan version is much slower because it is scanning memory contents rather than walking a linked list
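The list-versus-scan difference on the slide above, shown as an added example that is not part of the slides and not Volatility's own code. The record layout, the "memory image" and the process names are constructed for the demo (it is not the real Windows _EPROCESS): pslist walks the doubly linked list from the head, psscan carves every record whose pool tag matches, and the difference between the two is the detection. One record is de-linked the way the slide describes so that the list walk misses it while the scan still finds it.

```python
import struct

# Constructed toy record layout for this example (NOT the real Windows _EPROCESS):
#   offset  0: 4-byte pool tag  b"Proc"
#   offset  4: 4-byte process id
#   offset  8: 4-byte flink (offset of the next record in the active-process list)
#   offset 12: 4-byte blink (offset of the previous record)
#   offset 16: 16-byte NUL-padded image name
TAG = b"Proc"
REC_SIZE = 32


def build_image(names, size=4096):
    """Constructed 'memory image': one record per name, chained into a circular doubly linked list."""
    mem = bytearray(size)
    offsets = [0x100 + i * 0x80 for i in range(len(names))]   # records scattered through memory
    n = len(names)
    for i, (off, name) in enumerate(zip(offsets, names)):
        flink, blink = offsets[(i + 1) % n], offsets[(i - 1) % n]
        rec = TAG + struct.pack("<III", 100 + 4 * i, flink, blink) + name.encode().ljust(16, b"\0")
        mem[off:off + REC_SIZE] = rec
    return mem, offsets


def read_rec(mem, off):
    pid, flink, blink = struct.unpack_from("<III", mem, off + 4)
    name = bytes(mem[off + 16:off + 32]).rstrip(b"\0").decode()
    return {"offset": off, "pid": pid, "flink": flink, "blink": blink, "name": name}


def delink(mem, off):
    """Simulate what the slide calls a de-linked process: the neighbours are re-pointed
    around the record, but the record's bytes stay in memory."""
    rec = read_rec(mem, off)
    struct.pack_into("<I", mem, rec["blink"] + 8, rec["flink"])   # prev.flink = next
    struct.pack_into("<I", mem, rec["flink"] + 12, rec["blink"])  # next.blink = prev


def pslist(mem, head):
    """List version: walk flink pointers from the head until the list wraps around."""
    seen, out, off = set(), [], head
    while off not in seen:
        seen.add(off)
        rec = read_rec(mem, off)
        out.append(rec)
        off = rec["flink"]
    return out


def psscan(mem):
    """Scan version: carve every record carrying the tag, ignoring the links entirely.
    Slower (touches all of memory) but independent of list integrity."""
    out, pos = [], mem.find(TAG)
    while pos != -1:
        out.append(read_rec(mem, pos))
        pos = mem.find(TAG, pos + 1)
    return out


def hidden_processes(mem, head):
    """Detection: anything psscan carves that pslist never reached."""
    listed = {r["offset"] for r in pslist(mem, head)}
    return [r for r in psscan(mem) if r["offset"] not in listed]


def demo():
    mem, offs = build_image(["System", "smss.exe", "ftp.exe", "explorer.exe"])
    delink(mem, offs[2])                       # the ftp.exe record is dropped from the list
    return ([r["name"] for r in pslist(mem, offs[0])],
            [r["name"] for r in psscan(mem)],
            [r["name"] for r in hidden_processes(mem, offs[0])])


if __name__ == "__main__":
    listed, scanned, hidden = demo()
    print("pslist :", listed)
    print("psscan :", scanned)
    print("hidden :", hidden)
```

The same comparison is what makes a scan hit for a terminated process legitimate: a record whose memory has not yet been reused still carries its tag, so psscan reports it, while pslist cannot because nothing links to it any more. Scan results therefore need the timestamps and links inspected before being treated as live processes.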
    • psscan
      Terminated FTP processes
    • files
    • connections
      FTP
    • Connections vs Connscan2
    • sockets
    • netscan
      For Vista and later, these are consolidated into netscan
      Sample output taken from the Volatility 1.4 wiki: http://code.google.com/p/volatility/wiki/CommandReference#netscan
    • Protocol Numbers
    • And the Registry
      Locating the Registry -- hivelist
    • Listing Keys
    • Examining Values
    • Services – Where malware hides
    • What does it all mean?
      Working with memory contents does require a bit of knowledge about what it all means
      These are two good reference books on how Windows really works and what you're looking at in a memory dump
    • BUT What About Vista, …?
      Volatility is nice but it only works on XP. So if you need to look at memory on Vista, Server 2003, etc., you're back to using strings …. Of course not:
        - 1.4 is in RC and is installed in the REMnux CD (and virtual appliance)
        - And other tools are a little more arcane but they work
        - The Windows Debugging Tools can be used to analyze a Windd dump IFF it's made in crashdump format (-d option)
        - http://www.msuiche.net/con/BlackHat_Webcast_New_Frontiers_in_Forensics.pdf
    • Active Processes
    • Don't get too comfortable …
      Particularly Part III on Anti-Forensics
      "In war the will is directed at an animate object that reacts." Carl von Clausewitz, On War
    • Registry Extraction and Analysis
    • Windows Registry
      The Windows registry has been found to contain a treasure trove of information useful to the forensic analyst
        - The good news is that disk imaging includes the registry
      New tools are simplifying the process of extracting this information in a useful format
    • Nomenclature
      (slide diagram labels: Key, Subkey, Value, Data Type)
    • Registry File Locations
        System      %WINDIR%\system32\config\System
        SAM         %WINDIR%\system32\config\Sam
        Security    %WINDIR%\system32\config\Security
        Software    %WINDIR%\system32\config\Software
        NTUSER.DAT  Documents and Settings\User
      Simply extract these files from the image
        - Security on NTUSER.DAT may prevent copying, so use the type command to make a copy: type NTUSER.DAT > somewhere_else
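The extraction step as an added example, not taken from the slides, RegRipper or any of the tools named: it walks the hive locations in the table above, copies each hive out of a mounted image, verifies the copy by SHA-256 (the same chunked hashing that the earlier "Hash the Image" step applies to the memory dump) and writes a manifest, reporting any hive that is not where the table says it should be. Assumptions: %WINDIR% is WINDOWS, the image root is passed in as a directory, and the "twarner" profile and placeholder hive contents are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Hive paths from the slide, relative to the root of the mounted image.  %WINDIR% is
# assumed to be "WINDOWS" here; NTUSER.DAT is found per profile under Documents and Settings.
SYSTEM_HIVES = {
    "System":   os.path.join("WINDOWS", "system32", "config", "System"),
    "SAM":      os.path.join("WINDOWS", "system32", "config", "Sam"),
    "Security": os.path.join("WINDOWS", "system32", "config", "Security"),
    "Software": os.path.join("WINDOWS", "system32", "config", "Software"),
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image or hive never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_user_hives(image_root):
    """One NTUSER.DAT per profile directory (the slide's 'Documents and Settings\\User')."""
    profiles = os.path.join(image_root, "Documents and Settings")
    found = {}
    if os.path.isdir(profiles):
        for user in sorted(os.listdir(profiles)):
            hive = os.path.join(profiles, user, "NTUSER.DAT")
            if os.path.isfile(hive):
                found["NTUSER.DAT_" + user] = hive
    return found


def extract_hives(image_root, out_dir):
    """Copy every hive out of the mounted image, verify the copy by hash, and write a manifest.
    Hives missing from the expected location are reported, not skipped silently."""
    os.makedirs(out_dir, exist_ok=True)
    targets = {name: os.path.join(image_root, rel) for name, rel in SYSTEM_HIVES.items()}
    targets.update(find_user_hives(image_root))
    manifest = {"copied": {}, "missing": []}
    for name, src in targets.items():
        if not os.path.isfile(src):
            manifest["missing"].append(name)
            continue
        dst = os.path.join(out_dir, name)
        shutil.copyfile(src, dst)
        digest = sha256_file(src)
        if sha256_file(dst) != digest:          # the working copy must be byte-identical
            raise RuntimeError("hash mismatch after copying " + name)
        manifest["copied"][name] = {"source": src, "size": os.path.getsize(src), "sha256": digest}
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def build_sample_image(root):
    """Constructed stand-in for a mounted image; the SAM hive is deliberately left out."""
    for name, rel in SYSTEM_HIVES.items():
        if name == "SAM":
            continue
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"regf placeholder for " + name.encode())   # not a real hive
    ntuser = os.path.join(root, "Documents and Settings", "twarner", "NTUSER.DAT")
    os.makedirs(os.path.dirname(ntuser), exist_ok=True)
    with open(ntuser, "wb") as f:
        f.write(b"regf placeholder for twarner")


def demo():
    """Build the sample image in a temporary directory, extract from it, and return the manifest."""
    work = tempfile.mkdtemp()
    try:
        image = os.path.join(work, "image")
        build_sample_image(image)
        return extract_hives(image, os.path.join(work, "hives"))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a hive the operating system has locked, shutil.copyfile raises PermissionError; that is the situation the slide's type-redirect trick is for, and the hash recorded in the manifest is what lets you show later that the working copy still matches what was in the image.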
    • Note
      I'm going to be showing some representative samples of the information available and the things they imply about events in the real world. If you get lost in the key-value wilderness, don't despair – it's all in the book.
        - What book? Be patient.
    • Mounting images
      You need to extract the registry files out of the disk image
        - P2Explorer is a very useful tool provided free by Paraben: http://www.paraben.com/p2-explorer.html
        - It allows you to mount disk images on a Windows system (free edition only works on 32-bit versions)
        - OSFMount from PassMark Software is another option
        - Works on both 32 and 64 bit Windows
    • Mounting An Image
    • Mounting An Image
    • Accessing Registry Files
    • Advantages of Mounted Image
      Mounting the image basically gives you read-only access to the contents of the image as a drive letter
        - Windows Explorer, anti-malware, etc., can be used
        - No need to export everything in advance
    • Other Options
      FTK Imager is a free download from AccessData (developers of The Forensic Toolkit)
      It can be used to open a disk image and export the registry files
    • Exporting Registry Files
      Imager can open most of the common image formats (dd, EnCase, etc.)
    • Exporting Registry Files
      Once the image is opened, students see a familiar directory tree and just have to navigate to the registry file locations. Files are exported by right-clicking the file and selecting "Export" from the menu.
    • Analyzing the Registry
    • Resource
        - This is an excellent book that covers many of the registry analysis tasks in detail
        - RegRipper is the tool used for analyzing the registry after it is collected
        - http://www.regripper.net/RegRipper/ and also available on the tools CD that accompanies the book
        - You can read my book review at http://www.ieee-security.org/Cipher/BookReviews (shameless self-promotion)
    • The Case: Price Software
      Tom Warner is suspected of industrial espionage
        - He was upset about being passed over for a VP position
        - He is alleged to have set up a quid pro quo deal with a competitor
        - He may have colluded with Leslie Stowle in other actions
      The forensic analyst has been given an image of Tom's Windows workstation
      Let's see what kinds of information can be found
    • Plugins
      RegRipper comes with a wide variety of plugins for examining registry information
        - Plugins are basically Perl scripts
    • Running Plugins: winver
      You have the option to run the Perl scripts directly if you have Perl (and the right libraries) installed, or you can use rip.exe:
        rip -r registryfile -p plugin
    • USB Devices
      Identifying use of a thumb drive
    • Command Line
        C:\DATA\RegRipper>rip -r ..\PSC\Registry\ntuser.dat -p mp2
        Launching mp2 v.20080324
        MountPoints2
        Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
        LastWrite Time Mon Jan 3 21:59:36 2005 (UTC)

        Drives:
          A  Wed Sep 29 21:00:05 2004 (UTC)
          D  Wed Sep 29 21:00:05 2004 (UTC)
          C  Wed Sep 29 21:00:05 2004 (UTC)
          E  Fri Oct 29 17:46:24 2004 (UTC)

        Volumes:
          {3622c883-1069-11d9-b601-806d6172696f}  Wed Sep 29 21:02:41 2004 (UTC)
          {707f5caa-29d2-11d9-99eb-000c291e65ae}  Fri Oct 29 18:09:55 2004 (UTC)
          {3622c880-1069-11d9-b601-806d6172696f}  Wed Sep 29 21:02:41 2004 (UTC)
          {3622c881-1069-11d9-b601-806d6172696f}  Wed Sep 29 21:03:24 2004 (UTC)

        Remote Drives:
          ##2kadvserver#Users#twarner  Wed Sep 29 21:03:22 2004 (UTC)
          ##psc-ws-03#c$  Fri Oct 1 05:58:52 2004 (UTC)
          ##2kadvserver#Management  Fri Oct 1 05:54:14 2004 (UTC)
          ##2kadvserver#Software  Fri Oct 1 05:54:50 2004 (UTC)
          ##2kadvserver#Software Development  Fri Oct 1 05:54:37 2004 (UTC)
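Turning the mp2 report above into something you can sort and filter, as an added example that is neither part of the slides nor RegRipper's own code. The embedded text is the slide's output with the line breaks the transcript lost restored; the parser pulls each drive letter, volume GUID and remote share out with its UTC LastWrite time, merges them into one timeline, and answers the "thumb drive" question from the previous slide by listing what was mounted in a given window. Output formats of other RegRipper versions may differ from this sample, which is an assumption of the parser.

```python
import re
from datetime import datetime

# The mp2 output from the slide with line breaks restored (sample data, not captured here).
SAMPLE_MP2 = """\
Launching mp2 v.20080324
MountPoints2
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
LastWrite Time Mon Jan 3 21:59:36 2005 (UTC)

Drives:
  A  Wed Sep 29 21:00:05 2004 (UTC)
  D  Wed Sep 29 21:00:05 2004 (UTC)
  C  Wed Sep 29 21:00:05 2004 (UTC)
  E  Fri Oct 29 17:46:24 2004 (UTC)

Volumes:
  {3622c883-1069-11d9-b601-806d6172696f}  Wed Sep 29 21:02:41 2004 (UTC)
  {707f5caa-29d2-11d9-99eb-000c291e65ae}  Fri Oct 29 18:09:55 2004 (UTC)
  {3622c880-1069-11d9-b601-806d6172696f}  Wed Sep 29 21:02:41 2004 (UTC)
  {3622c881-1069-11d9-b601-806d6172696f}  Wed Sep 29 21:03:24 2004 (UTC)

Remote Drives:
  ##2kadvserver#Users#twarner  Wed Sep 29 21:03:22 2004 (UTC)
  ##psc-ws-03#c$  Fri Oct 1 05:58:52 2004 (UTC)
  ##2kadvserver#Management  Fri Oct 1 05:54:14 2004 (UTC)
  ##2kadvserver#Software  Fri Oct 1 05:54:50 2004 (UTC)
  ##2kadvserver#Software Development  Fri Oct 1 05:54:37 2004 (UTC)
"""

SECTIONS = ("Drives", "Volumes", "Remote Drives")
WEEKDAYS = "Mon|Tue|Wed|Thu|Fri|Sat|Sun"
# "<name>  <Weekday> <Mon> <day> <hh:mm:ss> <year> (UTC)"; the name may contain spaces.
ENTRY = re.compile(r"^\s*(?P<name>.+?)\s+(?P<ts>(?:" + WEEKDAYS +
                   r") [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(UTC\)\s*$")


def parse_ts(text):
    """'Fri Oct 1 05:58:52 2004 (UTC)' -> naive datetime, understood as UTC."""
    return datetime.strptime(text.replace("(UTC)", "").strip(), "%a %b %d %H:%M:%S %Y")


def parse_mp2(text):
    """Parse rip mp2 output into {'lastwrite': datetime, section: [(name, datetime), ...]}."""
    result = {"lastwrite": None}
    result.update({s: [] for s in SECTIONS})
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("LastWrite Time "):
            result["lastwrite"] = parse_ts(stripped[len("LastWrite Time "):])
            continue
        if stripped.endswith(":") and stripped[:-1] in SECTIONS:
            section = stripped[:-1]          # entering Drives / Volumes / Remote Drives
            continue
        m = ENTRY.match(line)
        if section and m:
            result[section].append((m.group("name"), parse_ts(m.group("ts"))))
    return result


def timeline(parsed):
    """Every mount-point entry, merged and ordered by key LastWrite time: (when, section, name)."""
    events = [(ts, sec, name) for sec in SECTIONS for name, ts in parsed[sec]]
    return sorted(events, key=lambda e: e[0])


def entries_since(parsed, since):
    """Entries last written on or after `since` (datetime or ISO string), e.g. the incident window."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    return [e for e in timeline(parsed) if e[0] >= since]


if __name__ == "__main__":
    report = parse_mp2(SAMPLE_MP2)
    for when, section, name in timeline(report):
        print(when.isoformat(), section.ljust(13), name)
```

In the sample, drive E and volume {707f5caa-...} are the only entries written on 29 October 2004, which is the kind of pairing (a new drive letter and a new volume GUID in the same hour) that the "Identifying use of a thumb drive" slide is pointing at; the GUID then has to be matched against the USB device keys in the SYSTEM hive before it can be attributed to a particular device.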
    • Running Plugins: recentdocs
    • The GUI
        - A GUI (rr.exe) is available
        - It provides access to plugin files that collect commonly used plugins into a single file and run them as a group
    • Plugin Files
      Some sets of plugins are so commonly used together that they are listed in a plugin file:
        rip -r registryfile -f pluginfile
        - The plugin file is just a list of plugins to be run
    • Network Config
      Excerpt from the SYSTEM plugin report. Pretend you didn't notice "Guidance Software".
    • The Software Hive
      The disk image had large blocks of binary 0's – wonder how that happened?
    • Sources of Images
      Garfinkel's Forensic Corpora
    • Scenarios
      Simson Garfinkel of the NPS is working under an NSF grant to produce scenarios and associated forensic images for use in teaching digital forensics
      Two scenarios are currently available at http://domex.nps.edu/corp/scenarios
    • M57: 2009-M57 "Patents" scenario
      This scenario involves a small company called M57 which was engaged in prior art searches for patents. The fictional company is contacted by the local police in November 2009 after a person purchases a computer from Craigslist and discovers "kitty porn" on the computer. The police trace the computer back to the M57 company.
      Includes an instructor's packet!!!
    • Nitroba: Nitroba University Harassment Scenario
      This scenario involves a harassment case at the fictional Nitroba University.
    • Summary
      Digital forensic practice must evolve to keep pace
        - Live memory analysis for volatile information lost when a system is shutdown or restarted
      The Windows registry is a rich mine of information
    • Questions?
      EMAIL raustin2@spsu.edu if you'd like a PDF of the slides