Cyber Crime I

1
Cyber Crime I

• Host and Server Investigation

Adj. Prof. Peter Stephenson, CISSP, CISM,
FICAF Director Information Assurance CeRNS The
Center for Regional and National
Security peter.stephenson_at_emich.edu
2
Introduction to Platform Analysis

• The operating system is the underlying platform
  that allows programs to execute, users to
  interact and communications to take place on a
  computer
• Many types
• Unix and unix-like
• Windows
• Apple
• Mainframes
• Mid-range such as AS400
• Non-standard such as PDAs

3
What We Need to Consider in Platform Analysis

• Logs
• Configuration files
• Access control lists
• Services enabled
• Rogue code (such as rootkits)
• If you suspect a rootkit, restore your image and
  test using a tool such as chkrootkit
• Beware of trojaned versions of the tool
• Users
• Access rights and privileges

4
Over 40 Different Rootkits/Worms

• lrk3, lrk4, lrk5, lrk6 (and some variants)
• Solaris rootkit
• FreeBSD rootkit
• t0rn (including some variants and t0rn v8)
• Ambient's Rootkit for Linux (ARK)
• Ramen Worm
• rh67-shaper
• RSHA
• Romanian rootkit
• RK17
• Lion Worm
• Adore Worm
• LPD Worm
• kenny-rk
• Adore LKM
• ShitC Worm
• Omega Worm
• Wormkit Worm
• Maniac-RK

• Ducoci rootkit
• x.c Worm
• RST.b trojan
• duarawkz
• knark LKM
• Monkit
• Hidrootkit
• Bobkit
• Pizdakit
• t0rn (v8.0 variant)
• Showtee
• Optickit
• T.R.K
• MithRa's Rootkit
• George
• SucKIT
• Scalper (FreeBSD/Apache chunked encoding worm)
• Slapper (Linux/Apache mod_ssl Worm)
• OpenBSD rk v1

See http//www.chkrootkit.org/ for much more
useful information on rootkits
5
Routers

• Routers are devices that transfer packets based
  upon IP addresses
• Source and destination addresses
• Source and destination ports
• Used to connect organizations to the Internet
• Used to connect organizations to each other
• May be used for packet filtering

6
Router Data Flow
Router
7
Error Logging in Cisco Routers

• The Cisco IOS logging facility allows you to save
  error messages locally or to a remote host.
• When these error messages exceed the capacity of
  the local buffer dedicated to storing them, the
  oldest messages are removed.
• First question to ask Is logging turned on?

8
Router Forensics

• Live system data is the most valuable.
• Immediate shutdown destroys all of this data.
• Persistent (flash) data will likely be unchanged
  and useless
• Never reboot or shut down the router
• Access the router through the console (You need a
  comm program such as HyperTerminal)
• Log in as the administrative user (let the
  sysadmin log in for you)
• Record your entire console session (on your PC
  set capture text)
• Run show commands
• Record the actual time and the routers time
• Access the log host as you would for any log
  analysis

Much of this section is courtesy of the
Southeast Cybercrime Center at Kennesaw State
University as seen at BlackHat Briefings 2002
9
Router Forensics Cisco Commands

• show clock detail
• show version
• show running-config
• show startup-config
• show reload
• show ip route
• show ip arp
• show users
• show logging

• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group
• show clock detail

10
Firewalls

• A firewall is just a specially configured
  computer, usually some flavor of Unix
• Several special characteristics
• Dual-homed (often more than dual-homed)
• Router-like access lists
• High security configuration
• Three types
• Packet filter
• Stateful inspection
• Application gateway or proxy

11
Firewall Data Flow
Firewall
12
Firewall Forensics

• If the firewall has been compromised
• Process forensically as any other computer
• If you dont know, assume that it has
• Most firewalls allow a local connection
• Only use if the firewall is known not to have
  been compromised
• If the firewall uses a log host, process the log
  host for logs as you would any other computer
• Assume that the log host has been compromised

13
Firewall Forensics

• From the local connection collect the logs
• DO NOT PROCESS ON THE FIREWALL!!
• If the logs are in non-text format, run them
  externally against the appropriate translation
  tool
• Telnetting or FTPing to most firewalls leaves a
  log entry if you must, be sure to make a note
  of the time and what you did (allowing these
  connections is a security violation avoid it
  wherever possible some organizations still do
  it, though)
• Review
• Logs
• Firewall logs, firewall platform logs, access
  logs, all logs of whatever kind
• Configuration files both for the firewall and the
  platform
• Rule sets
• Preserve on CD or DVD if possible generally too
  big to print

14
Special Log Types

• Intrusion Detection Systems
• Routers
• Firewalls

15
Intrusion Detection Log Example
16
Windows XP Event Viewer
17
Windows XP Application Log
18
Windows XP Security Event Log
19
Log Analysis and Correlation

• Correlating data from multiple sources
• Normalizing
• Same events may have different names depending
  upon the source
• Translating IDS codes
• Cisco NetRanger 4052
• ISS RealSecure Chargen_Denial_of_Service
• Use to build a chain of evidence

20
Log Analysis and Correlation (2)

• Correlating data from multiple sources
• Deconfliction
• Same event shows up multiple times with same
  names
• Certain types of denial of service attacks
• Some penetration attacks
• Use care not to remove individual steps in an
  attack scenario
• Same event repeated so rapidly that the logging
  device reports a large number of the same event
  in a very short (sometimes sub-second) period of
  time
• Multiple rapid events that make an attack
  scenario such as a port scan
• Deconflicted events are used with normalized data
  to create an event timeline

21
Log Analysis and Correlation (3)

• Correlating data from multiple sources
• Eliminating false positives
• Some benign (from the security perspective)
  events may appear to be attacks
• NT port 139 attacks as an example
• Recall the Internet bank case study
• Packet floods
• The MSN attack
• Normal occurrences
• SNMP activity
• May stretch across multiple data sources

22
Log Analysis and Correlation (4)

• Correlating data from multiple sources
• Creating chain of evidence and event timelines
• Using deconflicted and normalized events on
  multiple data sources, chart the chain of events
  into an event timeline
• Carefully note the timebase of various data
  sources and correct to a common timebase
• Note events and attack scenarios correlate
  connected events into scenarios
• Document every assumption with evidence and, if
  possible, corroboration using both forensic and
  traditional investigation

23
Log Analysis and Correlation (5)

• Forensic handling of deleted or modified logs
• Useful only in certain types of systems
• Recovering deleted logs
• System must support recovery of ambient data
• Recovering altered logs
• Logging source must delete old log and create a
  new one when the log is altered
• System must support recovery of ambient data

24
Log Analysis and Correlation (6)

• Syslogs, messages logs, other Unix host logs

Messages Log Mar 9 175435 nile ftpd1556
lost connection to 231-216.205.122.dellhost.com
216.205.122.231Mar 9 175435 nile
ftpd1556 FTP session closedMar 9 175435
nile inetd502 pid 1556 exit status 255Mar 9
222022 nile pumpd557 renewed lease for
interface eth0Mar 10 040201 nile
anacron1748 Updated timestamp for job
cron.daily' to 2002-03-10Mar 10 040259 nile
PAM_pwdb2399 (su) session opened for user news
by (uid0)Mar 10 040300 nile PAM_pwdb2399
(su) session closed for user newsMar 10 042201
nile anacron2455 Updated timestamp for job
cron.weekly' to 2002-03-10Mar 10 085022 nile
pumpd557 renewed lease for interface eth0Mar
10 161206 nile ftpd8929 ANONYMOUS FTP LOGIN
FROM 200.68.32.185 200.68.32.185, lamer_at_Mar 10
111225 nile inetd502 pid 8929 exit status
141Mar 10 111308 nile ftpd8965 FTP LOGIN
FROM pcp01103425pcs.aubrnh01.mi.comcast.net
68.62.72.193, pstephen
25
Log Analysis and Correlation (7)

• Syslogs, messages logs, other Unix host logs

Security/Auth Log Mar 9 130749 nile
in.telnetd1315 connect from 68.62.72.193Mar
9 130924 nile in.rlogind1321 connect from
68.62.72.193Mar 9 130927 nile in.ftpd1326
connect from 68.62.72.193Mar 9 130928 nile
in.rshd1329 connect from 68.62.72.193Mar 9
130928 nile in.telnetd1333 connect from
68.62.72.193Mar 9 130931 nile
in.fingerd1334 connect from 68.62.72.193Mar
9 131213 nile in.fingerd1352 connect from
68.62.72.193Mar 9 131213 nile
in.rlogind1357 connect from 68.62.72.193Mar
9 131214 nile in.rshd1360 connect from
68.62.72.193Mar 9 131216 nile
in.telnetd1365 connect from 68.62.72.193Mar
9 131218 nile in.ftpd1368 connect from
68.62.72.193Mar 9 131523 nile in.ftpd1382
connect from 68.62.72.193Mar 9 131524 nile
in.telnetd1384 connect from 68.62.72.193Mar
9 131527 nile in.rshd1396 connect from
68.62.72.193Mar 9 131528 nile
in.rlogind1398 connect from 68.62.72.193Mar
9 131529 nile in.fingerd1400 connect from
68.62.72.193Mar 9 132643 nile login ROOT
LOGIN ON tty1Mar 9 133715 nile in.ftpd1447
connect from 68.62.72.193Mar 9 133744 nile
in.fingerd1448 connect from 68.62.72.193Mar
9 171719 nile in.telnetd1521 connect from
12.87.62.43Mar 9 171726 nile login LOGIN ON
0 BY pstephen FROM 43.detroit-16-17rs.mi.dial-acce
ss.att.netMar 9 175013 nile in.ftpd1556
connect from 216.205.122.231Mar 10 111202 nile
in.ftpd8929 connect from 200.68.32.185Mar 10
111307 nile in.ftpd8965 connect from
68.62.72.193
26
Log Analysis and Correlation (8)

• TCPDump logs

113027.181108 eth0 lt pcp01103425pcs.aubrnh01.mi.
comcast.net.17697 gt nile.ftp . 11(0) ack 1 win
4288 (DF)113027.190617 eth0 gt arp who-has
ubr01-a-rtr.aubrnh01.mi.comcast.net tell nile
(008654505b)113027.198369 eth0 lt arp
reply ubr01-a-rtr.aubrnh01.mi.comcast.net is-at
055fe91054 (008654505b)113027.207662
eth0 lt ns02.pntiac01.mi.comcast.net.domain gt
nile.1025 20012 1/2/2 PTR pcp01103425pcs.aubrnh0
1.mi.comcast.net. (174) (DF)113027.218149 eth0
lt ns02.pntiac01.mi.comcast.net.domain gt
nile.1025 20013 1/2/2 A pcp01103425pcs.aubrnh01.
mi.comcast.net (151) (DF)113027.230334 eth0 lt
ns02.pntiac01.mi.comcast.net.domain gt nile.1025
20014 1/2/2 PTR pcp01103425pcs.aubrnh01.mi.comcas
t.net. (174) (DF)113027.231013 eth0 gt nile.ftp
gt pcp01103425pcs.aubrnh01.mi.comcast.net.17697 P
180(79) ack 1 win 32120 (DF) tos 0x10
113027.253084 eth0 lt pcp01103425pcs.aubrnh01.mi
.comcast.net.17697 gt nile.ftp P 116(15) ack 80
win 4209 (DF)113027.253122 eth0 gt nile.ftp gt
pcp01103425pcs.aubrnh01.mi.comcast.net.17697 .
8080(0) ack 16 win 32120 (DF) tos 0x10
27
Log Analysis and Correlation (9)

• Intrusion Detection Log (RealSecure)

28
Log Analysis and Correlation (10)

• Intrusion Detection Log (SNORT Summary)

Apr 16 024537 lisa snort7483
IDS13/portmap-request-mountd 200.190.13.1811372
-gt 172.16.1.107111 Apr 16 071706 lisa
snort7483 IDS128/web-cgi-phf
200.190.8.22055220 -gt 172.16.1.10780 Apr 16
145420 lisa snort7483 IDS171/Ping zeros
24.201.15.148 -gt 172.16.1.101 Apr 16 145420
lisa snort7483 IDS171/Ping zeros
24.201.15.148 -gt 172.16.1.105 Apr 16 145420
lisa snort7483 IDS171/Ping zeros
24.201.15.148 -gt 172.16.1.107 Apr 17 060232
lisa snort8255 IDS198/SYN FIN Scan
195.116.152.1040 -gt 172.16.1.101111 Apr 17
060232 lisa snort8255 IDS198/SYN FIN Scan
195.116.152.1040 -gt 172.16.1.107111 Apr 17
094528 lisa snort8255 IDS198/SYN FIN Scan
195.116.152.1040 -gt 172.16.1.105111 Apr 19
080019 lisa snort3515 IDS/DNS-version-query
212.25.75.1961723 -gt 172.16.1.10153 Apr 20
012600 lisa snort3515 IDS212/dns-zone-transfe
r 24.234.45.604075 -gt 172.16.1.10753 Apr 20
034938 lisa snort3515 IDS/DNS-version-query
216.123.23.54349 -gt 172.16.1.10153 Apr 20
034939 lisa snort3515 IDS/DNS-version-query
216.123.23.54350 -gt 172.16.1.10753 Apr 20
214855 lisa snort12353 IDS246/large-icmp
129.142.224.3 -gt 172.16.1.107 Apr 20 214855
lisa snort12353 IDS246/large-icmp
129.142.224.3 -gt 172.16.1.107 Apr 20 224813
lisa snort12632 IDS159/Ping Microsoft Windows
216.228.4.204 -gt 172.16.1.101 Apr 20 224813
lisa snort12632 IDS159/Ping Microsoft Windows
216.228.4.204 -gt 172.16.1.101 Apr 20 230033
lisa snort12657 IDS171/Ping zeros
216.228.4.133 -gt 172.16.1.101 Apr 21 110127
lisa snort12777 IDS/DNS-version-query
207.236.55.764039 -gt 172.16.1.10153 Apr 21
110128 lisa snort12777 IDS/DNS-version-query
207.236.55.764044 -gt 172.16.1.10753 Apr 22
083629 lisa snort743 IDS/DNS-version-query
212.244.222.1001368 -gt 172.16.1.10153 Apr 22
083629 lisa snort743 IDS/DNS-version-query
212.244.222.1001328 -gt 172.16.1.10753
Courtesy of The Honeynet Project
29
Log Analysis and Correlation (11)
WEB-MISC 403 Forbidden 07/29-235917.75
2579 00C575672C -gt 0AA0B7E956
type0x800 len0x246 209.235.0.17880 -gt
63.222.202.81550 TCP TTL43 TOS0x0 ID22555
IpLen20 DgmLen568 DF AP Seq 0x85B19798
Ack 0x4E439F5C Win 0x7D78 TcpLen 20 48 54 54
50 2F 31 2E 31 20 34 30 33 20 46 6F 72 HTTP/1.1
403 For 62 69 64 64 65 6E 0D 0A 44 61 74 65 3A 20
4D 6F bidden..Date Mo 6E 2C 20 33 30 20 4A 75
6C 20 32 30 30 31 20 30 n, 30 Jul 2001 0 33 3A
35 38 3A 35 38 20 47 4D 54 0D 0A 53 65 72
35858 GMT..Ser 76 65 72 3A 20 41 70 61 63 68 65
2F 31 2E 33 2E ver Apache/1.3. 31 39 20 28 55
6E 69 78 29 20 6D 6F 64 5F 73 73 19 (Unix)
mod_ss 6C 2F 32 2E 38 2E 33 20 4F 70 65 6E 53 53
4C 2F l/2.8.3 OpenSSL/ 30 2E 39 2E 36 61 20 6D
6F 64 5F 70 65 72 6C 2F 0.9.6a mod_perl/ 31 2E
32 35 20 6D 6F 64 5F 67 7A 69 70 2F 31 2E 1.25
mod_gzip/1. 33 2E 31 39 2E 31 61 20 50 48 50 2F
34 2E 30 2E 3.19.1a PHP/4.0. 36 0D 0A 43 6F 6E
6E 65 63 74 69 6F 6E 3A 20 63 6..Connection
c 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79
lose..Content-Ty 70 65 3A 20 74 65 78 74 2F 68
74 6D 6C 3B 20 63 pe text/html c 68 61 72 73
65 74 3D 69 73 6F 2D 38 38 35 39 2D
harsetiso-8859- 31 0D 0A 0D 0A 3C 21 44 4F 43 54
59 50 45 20 48 1....lt!DOCTYPE H 54 4D 4C 20 50
55 42 4C 49 43 20 22 2D 2F 2F 49 TML PUBLIC
"-//I 45 54 46 2F 2F 44 54 44 20 48 54 4D 4C 20
32 2E ETF//DTD HTML 2. 30 2F 2F 45 4E 22 3E 0A
3C 48 54 4D 4C 3E 3C 48 0//EN"gt.ltHTMLgtltH 45 41
44 3E 0A 3C 54 49 54 4C 45 3E 34 30 33 20
EADgt.ltTITLEgt403 46 6F 72 62 69 64 64 65 6E 3C 2F
54 49 54 4C 45 Forbiddenlt/TITLE 3E 0A 3C 2F 48
45 41 44 3E 3C 42 4F 44 59 3E 0A
gt.lt/HEADgtltBODYgt. 3C 48 31 3E 46 6F 72 62 69 64 64
65 6E 3C 2F 48 ltH1gtForbiddenlt/H 31 3E 0A 59 6F
75 20 64 6F 6E 27 74 20 68 61 76 1gt.You don't
hav 65 20 70 65 72 6D 69 73 73 69 6F 6E 20 74 6F
20 e permission to 61 63 63 65 73 73 20 2F 63
67 69 2D 62 69 6E 2F access /cgi-bin/ 61 64 63
79 63 6C 65 2F 61 64 63 79 63 6C 65 2E
adcycle/adcycle. 63 67 69 0A 6F 6E 20 74 68 69 73
20 73 65 72 76 cgi.on this serv 65 72 2E 3C 50
3E 0A 3C 48 52 3E 0A 3C 41 44 44
er.ltPgt.ltHRgt.ltADD 52 45 53 53 3E 41 70 61 63 68 65
2F 31 2E 33 2E RESSgtApache/1.3. 31 39 20 53 65
72 76 65 72 20 61 74 20 74 68 65 19 Server at
the 62 61 62 79 63 6F 72 6E 65 72 2E 63 6F 6D 20
50 babycorner.com P 6F 72 74 20 38 30 3C 2F 41
44 44 52 45 53 53 3E ort 80lt/ADDRESSgt 0A 3C 2F
42 4F 44 59 3E 3C 2F 48 54 4D 4C 3E 0A
.lt/BODYgtlt/HTMLgt.

• Intrusion Detection Log (SNORT Raw Log)

30
That's it for this week.

• FOR NEXT WEEK
• On-line discussion forum
• Team Project Meetings Nest Week
• http//people.emich.edu/pstephen