Investigating Internet Security

Incidents

A Brief Introduction to
Cyber Forensic Analysis

t e r
Pe s o n
h e n . c om
te p f gro up
S n@ i m
he
Copyright © 1998-1999 Sanda International Corp.
Agenda

❏ Intrusion approaches
❏ Investigative tool kit
❏ Investigative approaches
❏ End-to-end tracing
❏ Evidence collection and preservation
❏ Forensic use of RMON2-based tools
for documenting the path of an attack

Copyright © 1998-1999 Sanda International Corp.

What is Cyber Crime?
❏ Crimes directed against a
computer
❏ Crimes where the computer
contains evidence
❏ Crimes where the computer is
used to commit the crime

Copyright © 1998-1999 Sanda International Corp.

The Nature of Computer Related
Crime in Today’s Organizations
100

80

60
% Reporting
40

20

0
Disgr. Hackers US For. For. Gov.
Empl. Compet. Corp.

45
40
35
30
25
Source: 1998 CSI/FBI Study %
20
15
10
5
0
DoS

Theft of

Fraud
Outside
Unauth.

Sabotage
Access

Pen.

Info

Copyright © 1998-1999 Sanda International Corp.

There Are Only 4 Kinds of Attacks
❏ Denial of service
❏ Social engineering
❏ Technical
❏ Sniffing

Copyright © 1998-1999 Sanda International Corp.

Intrusion Approaches
❏ Target selection, research and background info
● Internet searches
● Whois, nslookup
❏ Preliminary probing - avoid logging - get passwords
● POP probe
● Sniffing
● DNS zone transfer
● SMTP probe
● Other simple probes
❏ Search for back doors
❏ Technical attack or social engineering

Copyright © 1998-1999 Sanda International Corp.

Cleaning Up After an Attack
❏ Delete tools and work files
❏ Modify logs (Unix example)
● Syslog
● messages files (especially the mail log)
● su log
● lastlog (including wtmp and utmp)
● daemon logs
● transfer logs

Copyright © 1998-1999 Sanda International Corp.

 INVESTIGATIVE AXIOM:

Treat every incident as if it will

end up in a criminal
prosecution.

Copyright © 1998-1999 Sanda International Corp.

Your Investigative Tool Kit
❏ Policies
❏ Criminal profiling
❏ Tracing tools
❏ Log analysis
❏ Crime scene (victim computer) analysis
❏ E-mail header analysis
❏ News group header analysis

Copyright © 1998-1999 Sanda International Corp.

The Role of Policies
❏ They define the actions you can take
❏ They must be clear and simple to
understand
❏ The employee must acknowledge that
he or she read them, understands them
and will comply with them
❏ They can’t violate law

Copyright © 1998-1999 Sanda International Corp.

Electronic Communications
Privacy Act - Your Enabling Law
❏ Owner may intercept communications between an
intruder and that owner's computer system
❏ Owner providing others with the ability to use that
computer to communicate with other computer
systems may:
● make routine backups and perform other routine monitoring
● intercept with prior consent of the user
● intercept portions of communications necessary to determine origin and
destination
● intercept where necessary to protect owners rights or property
● disclose to law-enforcement any communications inadvertently
discovered which reveal criminal activity

Copyright © 1998-1999 Sanda International Corp.

Criminal Profiling

❏ Criminal profiling is the process of using

available information about a crime and crime
scene to compose a psychological portrait of the
unknown perpetrator of the crime
❏ Classical profiling goals - to provide:
● a social and psychological assessment of the offender
● a psychological evaluation of relevant possessions found with
suspected offenders
● strategies that should be used when interviewing offenders

Copyright © 1998-1999 Sanda International Corp.

Crime Scene Analysis
❏ Branch of profiling using
standard investigative
techniques to analyze crime
scenes
❏ Investigators are usually most
comfortable with this approach
❏ Very useful in computer incidents

Copyright © 1998-1999 Sanda International Corp.

Developing a Profile of an Intruder
❏ Crime scene analysis
● how was access obtained? What skills
were required?
● how did the intruder behave on the
system? Damage? Clean-up? Theft?
❏ Investigative psychology
● motivation
● personality type

Copyright © 1998-1999 Sanda International Corp.

Goals of an Investigation
❏ To ensure that all applicable logs and evidence are preserved
❏ To understand how the intruder is entering the system
❏ To obtain the information you need to justify a trap and trace of the phone
line the intruder is using or to obtain a subpoena to obtain information from
an ISP
❏ To discover why the intruder has chosen the computer
❏ To gather as much evidence of the intrusion as possible
❏ To obtain information that may narrow your list of suspects
❏ To document the damage caused by the intruder
❏ Gather enough information to decide if law enforcement should be involved.

Copyright © 1998-1999 Sanda International Corp.

Immediate Objective: PRESERVE
THE EVIDENCE !!!
❏ Begin a traceback to identify
possible log locations
❏ Contact system administrators on
intermediate sites to request log
preservation
❏ Contain damage
❏ Collect local logs
❏ Image disks on victim computers

Copyright © 1998-1999 Sanda International Corp.

Building an Incident Hypothesis
❏ Start with witness accounts
❏ Consider how the intruder could
have gained access
● eliminate the obvious
● use logs and other physical evidence
✦ consider the skill level or inside knowledge

required
❏ Create mirrors of affected computers

Copyright © 1998-1999 Sanda International Corp.

Building an Incident Hypothesis
❏ Develop a profile of the intruder
❏ Consider the path into the victim
computer
❏ Recreate the incident in the lab
● use real mirrors whenever possible
❏ Consider alternative explanations
● test alternatives

Copyright © 1998-1999 Sanda International Corp.

Incident Reconstruction
❏ Physical
● use mirrors of the actual involved systems
● useful for single computers
❏ Logical
● use similar systems
● useful for networks where you have access to the
entire network
❏ Theoretical
● hypothesize intermediate computers
● necessary when you can’t access all involved
computers

Copyright © 1998-1999 Sanda International Corp.

Back Tracing
❏ Elements of a back trace
● end points
● intermediate systems
● e-mail and packet headers
● logs
❏ Objective: to get to a dial-in POP
❏ The only messages that can’t be back
traced are those using a true anonymizer
and those where no logs are present

Copyright © 1998-1999 Sanda International Corp.

Enabling Relationships

TELCO LOGS ISP’s LOGS

I n t r u d e r 's
L a p to p DIAL
IS P

INTERNET

In te rn e t
OUR LOGS R o u te r PENETRATE
HOST

V IC T IM
ATTACK VICTIM In te r m e d ia te
H ost

Copyright © 1998-1999 Sanda International Corp.

Obtaining Subpoenas
❏ Notify involved organization that you are
going to subpoena and request that they
preserve evidence - find out who to deliver
the subpoena to
❏ File John/Jane Doe lawsuit with an
emergency order to subpoena appropriate
records
❏ Subpoena the logs you need
● Get everything you can on the first pass
● May need depositions

Copyright © 1998-1999 Sanda International Corp.

Requirements for Logs to be used
as Evidence
❏ Must not be modifiable
● Spool off to protected loghost
● Optical media
● Backups
❏ Must be complete
● All superuser access
● Login and logout
● Attempts to use any controlled services
● Attempts to access critical resources
● E-mail details
❏ Appropriate retention

Copyright © 1998-1999 Sanda International Corp.

Tracing E-Mail Headers
(3) Received: from mailhost.example.com
([XXX.XXX.178.66])
by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX
3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id
SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
(4) From: fake user name@iname.com
Message-Id: <199809122225.SAA29949@web03.iname.net>
Content-Type: text/plain
Mime-Version: 1.0
To: victim@smtp.example.com
Content-Transfer-Encoding: 7bit
Subject: This is a forged e-mail message

Copyright © 1998-1999 Sanda International Corp.

Performing the Trace

Contact iname’s
Security Officer Connect account name,
time, & message ID to
source IP address

Locate ISP & contact

Get logs from
Security Officer
source IP

Who was connected

at the time of the
E-Mail?
Copyright © 1998-1999 Sanda International Corp.
Evidence Collection &
Preservation
❏ Forensic evidence
● Safeback - creates physical images and mirrors
of affected computers
❏ Forensic analysis
● NTI tools
❏ NEVER work directly on the evidence
● Never contribute to the evidence
❏ Ensure chain of custody

Copyright © 1998-1999 Sanda International Corp.

RMON2 Tracing Tools
❏ Requires RMON2 devices
❏ Use ODS Networks Secure Switch
Investigator
❏ Looks for evidence of alien
conversations served from within
the victim’s perimeter
❏ By moving “outwards” a step at a
time, determine source of attack

Copyright © 1998-1999 Sanda International Corp.

MCI DoSTracker
❏ Attempts to trace source forged packets, starting
at a victim location, and tracing backwards to the
possible source
❏ Attack must be in progress
❏ Process - login to starting edge router
● Deploy access control list in debug mode for victim IP
● Clear victim subnet cache
● Look for forged packets by comparing to route table
● Spawn separate process to log into next hop router and continue

Copyright © 1998-1999 Sanda International Corp.

CMDS - Abuse at the Host
❏ Manager-Agent architecture
❏ Responds to violations of policies
❏ Analyzes usage patterns
● Identifies rogue users
● Identifies masqueraders
❏ Available from ODS Networks

Copyright © 1998-1999 Sanda International Corp.

Summary
❏ Ensure appropriate policies
❏ Preserve the crime scene (victim
computer)
❏ Act immediately to identify and preserve
logs on intermediate systems
❏ Conduct your investigation
❏ Obtain subpoenas or contact law
enforcement

Copyright © 1998-1999 Sanda International Corp.