Finding the Hidden

If a hacker managed to compromise a server, it can be used for several things like spreading viruses, sending spam, attacking other hosts or steeling and destroying sensitive information stored on the server.

Restoring a previous copy of the system will not guarantee that the incident do not happens again. That’s why it is now important to learn how to conduct a forensics and determine what really happened.

Forensic investigation will help in solve situation after a breach to help ensure the situation does not occur again, because updating software packages and antivirus definition will not prevent a hacker from using the same method to break into the system one more time.

And it’s very important to determine when the attack occurred, because at some moment it is possible to restore a non-clean copy which could contain a backdoor, but it will look a normal copy.

Collected evidence will also play a big role in identifying where has been the vulnerability (can be a system/ human error or insider breach).

Technology has a good face and at the same time it also has a bad face, as some modern malwares do not leave traces on your hard disk.

As an example, the SQL slammer worm works only on the RAM level and can be detected only on the network activity (port 1434). Encryption is also widely used as a protecting measure (Bitlocker, EFS…) and no key to have access to this information

Forensic tools can help in handling these situations by analyzing and collecting information on the compromised host, this includes:

– Tools for cloning the system and save a copy of partitions
– Tools to create checksums and digital signatures files
– Tools for network activity analyzing and system configuration.
– Tools for analyzing system (processes, libraries…)

Depending on the situation, today we have on the market very few commercial Forensics tools such as ProDiscover from technology pathways, EnCase Forensics and Forensic Toolkit.

Some tools provide a limited versions like ProDiscover Basic Edition Freeware, which is available for download but do not includes network capabilities. On the other hand we can find a special linux distribution where all required tools integrated and configured such as DEFT Linux, FCCU GNU / Linux Forensic Boot CD, Helix3 and others.

Now let’s start browsing some forensics tools.

The first one is TCT (The Coroner’s Toolkit), which allows for both Dead and Live Analysis. The project was replaced by The Sleuth Kit. TSK allows performing analysis on Linux, Mac OS X, Cygwin, FreeBSD, OpenBSD and Solaris for data stored on NTFS, FAT, Ext2, Ext3, UFS1 and UFS2. It includes 24 utilities under following groups:

– File system Layer (f*)- to work with the file system,
– Meta Data Layer (i *) – describes a file or directory
– Data Unit Layer (blk *) – the actual content of blocks, clusters, fragments;
– File System Journal (j *) – log file system;
– Volume System (mm *) – analysis of sections, disk utilities (disk_ *).

For recovering or searching deleted files on partition, we can use fls and icat, to see a list of deleted files using a utility fls:
# Fls-rd / dev/***
-r – makes the program go on all directories; while -d : show only the deleted files.
To find a particular file you can use grep as follows:
# Fls-rd / dev/sda1 | grep-v
‘(Realloc)’ | grep file.doc

For the encrypted volume we can use hfind which looks up hash values in a database using a binary search algorithm. This allows one to easily create a hash database and identify if a file is known or not.

It works with the NIST National Software Reference Library (NSRL) and the output of ’md5sum’.NSRL projects is supported by reputable organization like the National Institute of U.S. Department of Justice (NIJ), National Institute of Standards and Technology (NIST).

For example to create an MD5 index file for NIST NSRL:

# hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
To lookup a value in the NSRL:
# hfind /usr/local/hash/nsrl/NSRLFile.txt 76b1f4de1522c20b67acc132937cf82e
76b1f4de1522c20b67acc132937cf82e Hash Not Found

Steulth Kit contain a large number of utilities, which makes it difficult to manage, but for this there is a on the official website a visualization tool – Autopsy Forensic Browser, it is an HTML-based graphical interface for the command line tools in The Sleuth Kit. This makes it much easier and faster to investigate a system.

Sysinternals is also very important for conducting forensics operation. To have the whole package you should get the Sysinternals Suite. The sysinternal can helps you to get comprehensive information on everything loaded at the system level such as logs and processes. The tool displays all the registry keys, drivers, DLL, codecs…

PsInfo, PsLogList and ProcessExplorer can get complete information on the system and running processes. List of DLL with their versions, as well as where they were launched, look through ListDLLs. Handle Utility shows a list of open files with an indication of what processes they opened.

Learn about different LogonSessions, PendMoves, PSFile, PsLoggedOn, TCPVcon, TCPView, as well as the standard – ipconfig, netstat, arp, openfiles, systeminfo.

Tool are distributed under the Freeware license and it is possible to maintain the state of memory with ManTech Memory DD which supports Microsoft® products (Windows® 2000, Windows Server 2003, Windows XP®, Windows Vista®, and Windows Server 2008) which gives user non free functionality in EnCase.

These are quick list of free tools to help us in conducting a forensics analyses.

make sure you subscribe to my RSS feed!