
UNCOVER HIDDEN EVIDENCE WORKSHOP @IHACK2013

INCIDENT HANDLING & RESPONSE 101


(13-14 APR 2013)

QUICK INTRO
MUHAMMAD MUSLIM BIN MANSOR - Forensic Analyst / Certified Instructor - +60136336310 / muslim.mansor@ieee.org
MOHD FADZIL BIN MD ARAP - IT Subject Matter Expert / Mozilla Community - fadz8L@gmail.com
WAN SYAZWAN BIN WAN MOKHTAR - System Analyst / Coder - syazwan.mokhtar@gmail.com

INCIDENT HANDLING
Mission 1: Incident Response
- Incident Handling Procedures
- Dealing with Incident Scenarios
Mission 2: Forensic Imaging
- Anatomy of HDD & File System
- Recover Deleted Data

MISSION 1
INTRODUCTION TO INCIDENT RESPONSE

WHAT IS AN INCIDENT?
Computer Security Incident: a real or suspected adverse event in relation to the security state of computers or a network, for example:
- Port scanning, computer & network intrusions, web defacement
- Account lockdown, Denial of Service (DoS), virus/worm outbreak, password leakage, stolen identity
- Hardware failure (servers/backup), telecommunication/network failure
- Power loss (blackout), force of nature (flood, tsunami, fire)

It is a violation or imminent threat of violation of computer security policies, acceptable use policies & standard security practice.

INCIDENT CLASSIFICATIONS
High Level
- Poses an immediate threat to various systems; leads to criminal charges, regulatory fines or a bad name
- Should be handled immediately after the incident
- Examples: active computer/network intrusions; Denial of Service attack; incidents which lead to violation of any laws

Medium Level
- More serious incidents compared to low level
- Should be handled within the same day of the incident
- Examples: inactive internal/external unauthorized access to a system; theft of personal data relevant to a computer; localized virus/worm outbreak

Low Level
- Least severe kind of incidents
- Should be handled within one day after the incident occurs
- Examples: loss of personal password; unsuccessful scans & probes; presence of computer virus/worms

SIX-STEP INCIDENT HANDLING

SYMPTOMS OF INCIDENTS
Typical indications of computer incidents:
- Antivirus detects infected files
- Programs take longer to load than normal
- System files become inaccessible
- The computer's hard drive & memory constantly run out of free space
- Files with strange, unrecognizable names
- Systems become unstable & often crash

Specific indications of network incidents:
- Unusual open ports
- Increase in abnormal network activity (after office hours / weekends)

INSIGHT OF INCIDENT RESPONSE
Dead machines: if the machine is OFF, leave it OFF
- Usually we will take the hard disk & acquire it at the lab
- Dealing with dead machines is easier

Live machines: need to deal with both volatile and non-volatile data
- Approach from the most volatile to the least volatile
- Common method: photograph the screen view, acquire the volatile contents (using a First Responder Disk) and shut down / pull the plug

FIRST RESPONDER PROCEDURE
Volatile data: lost if the power is yanked, so important to preserve
- The system date and time
- Current network connections
- Open TCP and UDP ports
- Which executables are opening TCP or UDP ports
- Cached NetBIOS name table
- Users currently logged on
- Internal routing table
- Running processes
- Running services
- Scheduled jobs
- Open files
- Memory dumps

Non-volatile data: traditional method of analysis
- System version and patch level
- File system time & date stamps
- Registry data
- Auditing policy
- Login history
- User accounts
- IIS logs
- Suspicious files

DEALING WITH VOLATILE DATA
System Date & Time
- time and date commands in the command prompt

Current Network Connections
- Command: netstat -ano
- If any suspicious ports are found, look them up at www.portsdb.org (any port above 1024 is customizable)
- FPORT (www.foundstone.com) is used to check executables and their corresponding ports

Cached NetBIOS Name Table
- The system logs names instead of IPs (except for Windows 2003), hence use nbtstat -c to extract the NetBIOS names accurately

DEALING WITH VOLATILE DATA
Users Currently Logged On
- Be stealthy while performing an investigation on a live machine
- Use psloggedon from the PsTools suite by www.sysinternals.com

Internal Routing Table
- One of the most famous hacking methods is redirecting data by altering the routing table
- Command: netstat -rn lets the investigator record the current routing table for further analysis later

Running Processes & Services
- pslist & psservice tools in the PsTools suite by www.sysinternals.com

Open Files
- psfile tool in the PsTools suite by www.sysinternals.com

DEALING WITH NONVOLATILE DATA
System Version & Patch Level
- psinfo from the PsTools suite by www.sysinternals.com
- Command: psinfo -h -s -d

File System Time & Date
- UnxUtils has a utility called find which provides more information than dir (from www.unxutils.sourceforge.net); also available from Cygwin
- It reports file permissions, last access date, last access time, modify date, modify time, created date, created time, user ownership, group ownership, file size and full path of every file:
  find c:\ -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
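The semicolon-separated records produced by the find command above are only useful once they are turned into a timeline. The following is an added example (not from the workshop materials): it parses constructed output in that exact field order and returns the files modified inside an incident window, oldest first. The MM/DD/YY date and HH:MM:SS time formats are an assumed locale.

```python
from datetime import datetime

# Constructed sample of what the find -printf command above emits
# (assumed locale: MM/DD/YY dates, HH:MM:SS times). Not real case data.
FIND_OUTPUT = """\
644;04/13/13;09:02:11;04/13/13;09:02:11;04/13/13;09:02:11;1000;513;2048;c:\\inetpub\\wwwroot\\index.htm
644;04/13/13;10:41:07;04/13/13;10:40:59;04/13/13;10:40:59;1000;513;73216;c:\\windows\\temp\\update.tmp
755;04/12/13;17:30:00;04/01/13;08:00:00;03/28/13;12:00:00;1000;513;1048576;c:\\windows\\system32\\svchost.exe
"""

def parse_stamp(date_text, time_text):
    """Combine a %x-style date and %T-style time; fractional seconds are dropped."""
    return datetime.strptime(date_text + " " + time_text.split(".")[0],
                             "%m/%d/%y %H:%M:%S")

def parse_find_line(line):
    """Split one %m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p record into a dict.
    Split at most 10 times so a path containing ';' survives intact."""
    parts = line.rstrip("\n").split(";", 10)
    if len(parts) != 11:
        raise ValueError("unexpected field count: %r" % line)
    return {
        "mode": parts[0],
        "atime": parse_stamp(parts[1], parts[2]),
        "mtime": parse_stamp(parts[3], parts[4]),
        "ctime": parse_stamp(parts[5], parts[6]),
        "uid": int(parts[7]), "gid": int(parts[8]),
        "size": int(parts[9]), "path": parts[10],
    }

def timeline(text, since, until):
    """Records whose modification time falls inside [since, until] (both given
    as 'MM/DD/YY HH:MM:SS'), oldest first, so the analyst sees what changed."""
    lo, hi = (parse_stamp(*s.split(" ", 1)) for s in (since, until))
    recs = [parse_find_line(l) for l in text.splitlines() if l.strip()]
    return sorted((r for r in recs if lo <= r["mtime"] <= hi),
                  key=lambda r: r["mtime"])

if __name__ == "__main__":
    for r in timeline(FIND_OUTPUT, "04/13/13 00:00:00", "04/13/13 23:59:59"):
        print(r["mtime"].isoformat(), r["size"], r["path"])
```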

DEALING WITH NONVOLATILE DATA
Auditing Policy
- auditpol tool from Microsoft

Login History
- NTLast tool from www.foundstone.com

System Event Logs
- 3 types: Security, Application, System
- Command: psloglist -s -x security

User Accounts
- Check whether the attacker has created an additional account to hide
- Use the pwdump utility or net user

PRACTICAL TIME
Prepare for our first hands-on. GENTLEMEN, START YOUR ENGINES!
Next steps:
- Perform the First Responder Procedure using FRED (better to load it onto a flash drive)
- Let's analyze the result
Ready-cooked case: Case study I - FRP from a simulated bank incident

AUTOMATED ANALYSIS
Utilize various free resources to perform quick analysis of malware
Online Scanners
- VirusTotal - http://www.virustotal.com
- Comodo - http://camas.comodo.com/
- Jotti - http://virusscan.jotti.org/

Sandboxing
- GFI ThreatTrack (formerly CWSandbox) - http://www.threattrack.com/
- Norman Sandbox - http://www.norman.com/security_center/security_tools/

MANUAL ANALYSIS - STATIC
Static analysis - studying a program without actually executing it.
- Advantage: can reveal how a program would behave under unusual conditions, because we can examine parts of a program that normally do not execute.
- Disadvantage: tedious process, and it is impossible to fully predict the behavior.

Some of the analysis process:
- Packer detection via PEiD
- String search
- Code analysis by reversing - use OllyDbg, IDA Pro

MANUAL ANALYSIS - DYNAMIC
Dynamic analysis - studying a program as it executes.
- Advantage: it can be fast and accurate.
- Disadvantage: what you see is what you get.

Some of the analysis process:
- Process monitoring
- Registry monitoring
- File monitoring
- Network sniffing using Wireshark

MISSION 2
FORENSIC IMAGING

ANATOMY OF HARD DISK

IMPORTANT COMPONENTS
Track
- Usually numbered starting from 0 (at the outside) and increasing towards the center (typically 1024 tracks)
- Each track can hold many thousands of bytes of data

Sector
- Smallest physical storage unit on the disk
- Normally 512 bytes in size
- Factory track-positioning data determines the labeling of disk sectors

Cluster
- Smallest allocation unit of the hard disk (determined during formatting)
- Minimum size can be one sector (1 sector/cluster)
- A typical NTFS disk allocates 8 sectors/cluster (4096 bytes per cluster)

ISSUES WITH CLUSTER SIZE
Cluster size can be altered for optimum disk storage. A larger cluster size (greater than one sector):
- Minimizes the fragmentation problem
- Increases the probability of unused space in the cluster
- Reduces the disk storage area available to save information
- Reduces the unused area on the disk

Introducing slack space
- Slack space is the free space in a cluster after data has been written to that cluster.
- DOS and Windows use fixed-size clusters for the file system.
- If the size of the stored data is less than the cluster size, the unused area remains reserved for the file, resulting in slack space.

FILE SYSTEM
Disk File Systems
- ext2, ext3 (popular Linux file systems)
- FAT12 (floppy disk)
- FAT16, FAT32 (older Windows file systems)
- NTFS (newer Windows file system)
- HFS, HFS+ (typical Mac OS file systems)
- ISO9660 (Rock Ridge & Joliet are extensions of this file system; CD-ROM & DVD-ROM discs)
- ZFS (used on Solaris 10)

Network File Systems
- AFS (Andrew File System)
- AppleShare
- NFS
- SMB (sometimes also called the Samba filesystem)

Special Purpose File Systems
- acme (Plan 9 - text windows)
- cfs (caching)
- ftpfs (FTP access)
- wikifs (wiki wiki)
- davfs2 (WebDAV)

WINDOWS OS - FAT
File Allocation Table (FAT) was designed in 1976.
- It stores all the files and resides at the beginning of the volume.
- It creates 2 copies of the file allocation table to protect the volume from damage.
- Content of FAT typically:

WINDOWS OS - NTFS
New Technology File System (NTFS) was designed to replace FAT.
- Has several improvements over FAT, such as improved support for metadata and the use of advanced data structures to improve performance, reliability and disk space utilization.
- Other extensions: security access control lists, file system journaling.

LINUX OS
- The 2 most famous file systems for Linux are ext2 and ext3.
- Extended 3 (ext3) is an enhanced version of ext2 with a journaling file system.
- Both use the inode, a basic building block (one for each file & directory); the inodes for each file system block are placed together in an inode table.

DELETED DATA IN WINDOWS OS
- When a file is deleted, the OS marks the file's name in the MFT with a special character that indicates the file has been deleted (0xE5).
- The corresponding clusters in the FAT are marked as unused.
- The computer always looks at the clusters occupied by that file as being empty & therefore available to store any new file.
- The deleted file can be recovered if the space has not been allocated to any other file.
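The 0xE5 marker and the "recoverable only if the clusters were not reused" rule above can be seen directly in FAT's 32-byte directory entries. The following is an added example (not part of the workshop slides): it builds a few constructed FAT16-style directory entries, parses them, and flags which deleted entries still point at unallocated clusters; the set of allocated clusters stands in for the FAT itself and is a constructed assumption.

```python
import struct

ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F        # long-file-name entries carry no cluster/size of their own
DELETED_MARK = 0xE5    # first byte of the 8.3 name once the entry is deleted

def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Constructed 32-byte FAT16-style directory entry for the demo; on a real
    case these bytes come from the disk image (e.g. opened in FTK Imager).
    Layout: name[8] ext[3] attr[1] 14 bytes of timestamps/reserved,
    first cluster (u16 LE at offset 26), file size (u32 LE at offset 28)."""
    raw_name = name.ljust(8)[:8].encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    return struct.pack("<8s3sB14xHI", raw_name,
                       ext.ljust(3)[:3].encode("ascii"), attr, first_cluster, size)

def parse_entries(blob):
    """Walk a directory region 32 bytes at a time. Deleted entries keep their
    extension, attributes, first cluster and size, which is exactly what an
    undelete tool relies on when the clusters have not been reused."""
    out = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        e = blob[off:off + 32]
        if e[0] == 0x00:          # never-used entry: end of the directory
            break
        name, ext, attr, first_cluster, size = struct.unpack("<8s3sB14xHI", e)
        if attr == ATTR_LFN:
            continue
        deleted = e[0] == DELETED_MARK
        base = (b"?" + name[1:] if deleted else name).decode("ascii").rstrip()
        ext_text = ext.decode("ascii").rstrip()
        out.append({"name": base + ("." + ext_text if ext_text else ""),
                    "deleted": deleted, "directory": bool(attr & ATTR_DIRECTORY),
                    "first_cluster": first_cluster, "size": size})
    return out

def recoverable(entries, allocated_clusters):
    """Deleted entries whose first cluster is still free in the FAT: the case
    the slide describes as recoverable."""
    return [e["name"] for e in entries
            if e["deleted"] and e["first_cluster"] not in allocated_clusters]

# Constructed directory region: one live file, one deleted file whose cluster is
# still free, and one deleted file whose cluster has since been reused.
DIRECTORY = b"".join([
    make_entry("REPORT", "DOC", 0x20, 5, 12345),
    make_entry("PHOTO", "JPG", 0x20, 9, 40960, deleted=True),
    make_entry("NOTES", "TXT", 0x20, 17, 800, deleted=True),
]) + bytes(32)
ALLOCATED = {5, 17}   # constructed FAT state after the deletions
```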

PRACTICAL TIME
Exercise 1: Let's look at the process of disk imaging. Why do we need imaging?
Exercise 2: Load the disk image in FTK Imager / FTK. Is it possible to analyze the deleted data? How about a deleted partition / formatted disk?
Exercise 3: We will try the automated recovery tools Restoration, Zero Assumption Recovery and Recuva. Are they 100% efficient?
Exercise 4: Let's try to carve files based on file signature.

FTK IMAGER
- Free edition (with basic features of Forensic Toolkit - FTK from AccessData)
- Allows GUI-based disk imaging & manual file analysis

FILE HEADER (MAGIC NUMBER)
- Reference list: http://www.garykessler.net/library/file_sigs.html
- Example: JPEG with header FF D8 FF E0 and trailer FF D9
- Viewable using Hex Workshop, FTK Imager, etc.
- Important for file carving, raw editing & file type determination
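Exercise 4 and the JPEG signature above come together in a signature-based carver. The following is an added example (not from the workshop materials) that scans a raw byte buffer for the FF D8 FF E0 header and the next FF D9 trailer and returns each carved object with its offset; the disk image is constructed in the script, and the max_size bound for a header with no trailer is an assumption of this example.

```python
JPEG_HEADER = bytes.fromhex("FFD8FFE0")   # header from the slide (JFIF variant)
JPEG_TRAILER = bytes.fromhex("FFD9")      # trailer from the slide (EOI marker)

def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Scan a raw buffer for header/trailer pairs and return (offset, data)
    tuples. Each carve runs header-to-first-trailer, so an embedded thumbnail
    with its own FF D9 truncates the carve; that is the known limit of the
    signature-only approach on the slide. max_size (assumed here) keeps a
    header with a missing trailer from swallowing the rest of the image."""
    carved = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = image.find(JPEG_TRAILER, start + len(JPEG_HEADER))
        if end < 0 or end - start > max_size:
            # header without a usable trailer: skip it and keep scanning
            pos = start + 1
            continue
        carved.append((start, image[start:end + len(JPEG_TRAILER)]))
        pos = end + len(JPEG_TRAILER)
    return carved

# Constructed "disk image": filler, one JPEG-like blob (113 bytes), more filler,
# a second blob (46 bytes), and a dangling header with no trailer. Not real
# JPEG content, only the signatures are genuine.
FAKE_IMAGE = (
    b"\x00" * 512
    + JPEG_HEADER + b"\x00\x10JFIF\x00" + b"A" * 100 + JPEG_TRAILER
    + b"\xff" * 300
    + JPEG_HEADER + b"B" * 40 + JPEG_TRAILER
    + b"\x00" * 64
    + JPEG_HEADER + b"C" * 20
)

if __name__ == "__main__":
    for off, blob in carve_jpegs(FAKE_IMAGE):
        print("JPEG at offset %d, %d bytes" % (off, len(blob)))
```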

THANK YOU!
