Lesson 10

Report
Lesson 10
Incident Response
Toolkits
“Who said there were no free
lunches anymore?”
Overview
• Cygwin
• Data Integrity Tools
• Drive Tools
• Viewers
• Search Tools
• Forensics Programs
UTSA IS 6353 Security Incident Response
CYGWIN
• A Unix environment for Windows:
– A DLL (cygwin1.dll) which acts as a UNIX
emulation layer providing substantial UNIX
API functionality
– A collection of tools, ported from UNIX, which
provide UNIX/Linux look and feel
– The Cygwin DLL works with all versions of
Windows since Windows 95, with the
exception of Windows CE
UTSA IS 6353 Security Incident Response
CYGWIN
• Where to get it:
– www.redhat.com/download/cygwin.html
• What’s included:
– date time uptime
– hostname
whoami
– ps
netstat
arp
UTSA IS 6353 Security Incident Response
uname –a
env
Data Integrity Tools
Goal: maintain the chain of evidence and
integrity of tools
• Maresware’s Disk_crc
– http://www.dmares.com
• New Technologies Incorporated
– DiskSig and CRCMD5
– www.forensics_intl.com
• MD5 Summer
– http://sourceforge.net/projects/md5summer
UTSA IS 6353 Security Incident Response
Network Tool
• NetCat/Cryptcat
– Creates a channel of communication between hosts
– Used during forensics to create a reliable, TCP
connection between the target system and the forensic
workstation
– Cryptcat provides for encryption
http://www.l0pht.com/~weld/netcat
http://farm9.com/content/Free_Tools/Cryptcat
UTSA IS 6353 Security Incident Response
Netcat Commands
• Forensic workstation (192.168.1.1) command
– E:\>nc –l –p 2222 > yourfilename
– Translation: execute netcat in listen mode on port
2222 and pipe inbound traffic to “yourfilename”
• Sending output from target system
– A:> pslist | nc 192.168.1.1 2222
– Translation: execute pslist and pipe output to netcat
and netcat will transmit to 192.168.1.1 port 2222
UTSA IS 6353 Security Incident Response
Netcat in Action
Hacked Machine
time
Forensics Workstation
date
loggedon
fport
pslist
Nbtstat - c
1)
2)
3)
4)
Run trusted commands on Hacked Machine
Send output of commands to forensics workstation using netcat
Perform off-line review
MD5SUM output files
UTSA IS 6353 Security Incident Response
Netcat Command Sequence
Hacked Machine
time
Forensics Workstation
192.168.1.1
date
loggedon
fport
pslist
Nbtstat - c
A:>time | nc 192.168.1.1 2222
A:>date | nc 192.168.1.1 2222
*
*
A:>Nbtstat – c | nc 192.168.1.1 2222
UTSA IS 6353 Security Incident Response
C:>nc – l – p 2222 > forensics.txt
C:>md5sum forensics.txt > ?????
Drive Tools
Goal: allow collection of various hard/floppy/CD
forensics
• Partition Tools
– fdisk (for Linux, DOS version obsolete)
– Partinfo (free ftp://ftp.powerquest.com/pub/utilities)
– PartitionMagic(includes Partinfo but cost $)
• CD-R Utilities
– CD-R Diagnostics (www.cdrom-prod.com/software.html)
• Unerase Tools
– Windows: Norton Utilities Diskedit & unerase
– Unix: e2recover (www.praeclarus.demon.co.uk)
– FilesScavenger (www.quetek.com/)
UTSA IS 6353 Security Incident Response
Drive Tools(2)
• Drive Imagers
–
–
–
–
NTI’s SafeBack (www.forensics-intl.com)
SnapBack (www.cdp.com)
Ghost (www.symantec.com)
Dd—the Unix command
• Disk Wipers
– DiskScrub from NTI
UTSA IS 6353 Security Incident Response
File Viewers
Goal: allow investigator to discover, view,
and analyze files on all operating systems
• QuickViewPlus – (www.jasc.com)
– Views over 200 file types
• Conversion Plus (www.dataviz.com)
– Views Mac files on Windows
• ThumbsPlus – (www.cerious.com)
– Catalogs and displays all image files
UTSA IS 6353 Security Incident Response
Search Tools
Goal: find keywords pertinent to investigation
• NTI;s dtSearch (www.forensics-intl.com)
– Searches text files including Outlook .pst files
• Danny Mares StringSearch
(www.maresware.com)
• Hidden Streams
– SFind (www.foundstone.com)
– Streams (www.sysinternals.com/ntw2k/source/misc.html)
UTSA IS 6353 Security Incident Response
Forensics Programs
• Focus: collect and analyze data
• Forensic Toolkit – www.foundstone.com
– Focus is on Windows NT systems
• The Coroners Toolkit (TCT) – www.fish.com
– Investigates a hacked Unix host
•
•
•
•
graverobber
mac utility
unrm utility
lazarus tool
UTSA IS 6353 Security Incident Response
Forensics Programs(2)
• New Technologies Inc (NTI) – www.forensicsintl.com
–
–
–
–
–
–
–
–
Command-line tools that run very fast
CRCMD5
DiskScrub
DiskSig
FileList—sorts files by last use
GetFree—captures unallocated data
GetSlack—Captures file slack
Net Threat Analyzer—Internet Abuse Analyzer
PTable –analyze/document hard drive partitions
TextSearch Plus
UTSA IS 6353 Security Incident Response
Forensics Programs(3)
• ForenSix by Dr. Fred Cohen
– www.all.net
– Runs on Linux but can access many different file
systems
• EnCase (www.encase.com)
– Claims to be the only fully integrated Windowsbased forensics application
UTSA IS 6353 Security Incident Response
Foundstone Tools
http://www.foundstone.com/resources/forensics.htm
•
•
•
•
•
•
•
•
Pasco 1.0 – IE activity forensic tool
Galleta 1.0 – Examine content of cookie files from IE
Rifiuti 1.0 – Examine Info2 file in the Recycle Bin
Vision 1.0 – Reports open TCP/UDP ports and maps to
owning process
NTLast 3.0 – Security Log Analyzer
ShoWin 2.0 – Show information about Windows
BinText 3.0 - Finds strings in a file
Patchit 2.0 – Binary file byte patching program
UTSA IS 6353 Security Incident Response
Vision System Info
Vision Processes View
Vision Services View
Vision Services View
File Watch
Sysinternals Tools
http://www.sysinternals.com/ntw2k/utilities.shtml
• Monitoring Tools
–
–
–
–
–
–
Diskmon 1.1 – monitors disk activity
Filemon 1.1 – monitors file activity
ListDLLs 2.23 – List all currently loaded DLLs
NTFSInfo—Gives size and location of MFT
Portmon 3.02—monitors serial and parallel ports
Process Explorer 6.03 – find our what files, registry
keys, and other objects process which DLLs
– PSTools 1.82
– Regmon 6.06 – monitors registry activity
UTSA IS 6353 Security Incident Response
Sysinternals Tools(2)
• Utilities
– AccessEnum 1.0 – used to find holes in file
permissions
– NTRecover 1.0 – access dead NT disks over a
serial connection
– NTFSDOS 3.02 – Access NTFS drives readonly from DOS
– Remote Recover 2.0-- access dead NT disks
over a network connection
UTSA IS 6353 Security Incident Response
pstools
pslist
pslist
Process Explorer-View 1
Process Explorer-View 2
FILEMON
REGMON
TCP/IP Monitor
One Sinlge IE Access to One Web Site
Other Useful Tools
• Password Crackers (see pg 145)
–
–
–
–
–
L0phtCrack – www.atstake.com
John the Ripper – www.openwall.com/john
Chntpw – home.eunet.no/~pnordahl/ntpasswd
Fast ZipCracker – www.netgate.com.uy/~fpapa
AccessData – www.accessdata.com
• Provides entry to a wide range of application encrypted
files
– Elcom – www.elcomsoft.com
UTSA IS 6353 Security Incident Response
Other Useful Tools(2)
• Internet References
– Matching Hardware Types to MAC addresses
• www.cavebear.com/CaveBear/Ethernet/vendor.html
– Proxy Servers available to the Public
• www.proxys4all.com
– List of Defaced Web sites
• www.attrition.org
– List of HTTP status codes
• www.w3.org/Protocols/HTTP/HTRESP.html
– File Formats and Header Specifications
• www.wotsit.org
UTSA IS 6353 Security Incident Response
McAfee Visual Trace
Hostile Activity From China
Summary
Lots of free lunches out
there when it comes to
forensic tools and
utilities…do some
research!
UTSA IS 6353 Security Incident Response

similar documents