

EXAMPLE FORENSICS SOP/PROCEDURE CONT...

Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.

You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=255811

Enjoy

Initial Procedures

These procedures should be carried out prior to any investigative procedures since they make no contact with the suspect machine(s) whatsoever and rely upon totally passive methods or information that already exists.

1. The suspect machine(s) is to be left “as-is” unless, in the opinion of the MIS, the damage/risk associated with such action is unacceptable. The machine therefore should remain switched on, connected to the network and no attempts are to be made to glean information from the computer locally. In short - Leave it alone until the IT Response Team leader arrives.
2. A log is to be started to document every action taken with regard to each machine and its components. This is especially important should the Agency consider legal action against the perpetrator(s).
3. The COMPANY X Computer Incident Response Team should be notified immediately. Team Members are detailed here.
4. The existing log files are to be secured. They are located on the workstation named XXXXXXXX in COMPANY X’s MIS’ office in the folder E:\Syslog\logs. The file is named with that day’s date with a .txt extension, (eg. 2003-09-10.txt). Depending upon the time of day this file can be large, (> 50Mb), so it should be copied to a remote computer. Once the copy is complete remove the network cable from the machine that the copy went to. Do not stop the logging process or disconnect the XXXXXXXX computer from the network. It needs to continue to do its job. XXXXXXXX’s login is XXXXXXXXX with a password XXXXXXXX where X is the key combination <ALT> and the keypad numbers XXX.
5. In the subfolder of XXXXXXXX’s E:\Syslog\logs folder called Old logs you will find copies of previous days’ logs. On COMPANY X’s MIS’ workstation in a folder called c:\log analysis\old you will find similar copies of these files. Compare the file sizes of each file on both machines. If they are all the same, cut all the files in that folder to CD (XXXXXXX has a CD writer), label it appropriately and secure it. If the files differ in size then compare the files of the first two copies of the logs to the final copy of the logs on COMPANYXBU in folder h:\Information system\xxxxxxx\Security Archives\firewall logs. If COMPANYXBU’s files and COMPANY X’s MIS’ files are the same size cut either to CD. If all three are different cut all three to CD for future review. Label and secure all CDs cut.
6. At the appropriate gateway to the network Ethereal is to be started with a filter applied of “host xxx.xxx.xxx.xxx”, (without quotes), where xxx.xxx.xxx.xxx is the address of the internal machine to determine if the machine is communicating with the internet. Gateway monitors are available via computers rm258, (COMPANY X MIS’s PC), and xxxxBU, (Backup Domain Controller in xxxxxxxx). If Ethereal indicates traffic to and from this machine Ethereal is to be left running until such time as deemed fit by the IT response team leader. The data collected is to be kept as forensic evidence.
7. If traffic is detected it may be useful to place a second instance of Ethereal running on the local subnet of the target machine to determine if it is communicating with other assets inside the WAN. If it is then this data is also to be kept as forensic evidence. It may not be possible to use Ethereal on the local subnet due to the use of switches. It will be the decision of the IT response team leader whether to quickly rewire the affected machine(s) through a hub so that Ethereal can be used.
8. Secure the computer’s last AIDA32 inventory file if present. This will be found on the X: drive under AidaReports. The filename will be the computer’s name with a .csv extension. This details the exact hardware and much of the computer’s state the last time an audit could successfully be carried out and may even contain the user name the perpetrator logged on as.

Non-Invasive Remote Data Gathering Procedures

These procedures are those that are carried out from a remote workstation on the network that use tools that are active and either request information from the suspect machine(s) or glean information from its responses to probes and scans, (or lack of responses). If possible run these tools from a workstation that can see the target machine and whose traffic can all be seen by one of the Ethereal sniffers so that the packets themselves are logged for future reference. Note that the tests could be run from the appropriate Ethereal sniffer set up in the first phase though there is a small risk of packet loss. Better to use a laptop or other machine connected to the same hub as the Ethereal sniffer. Further information on the tools, their use and the command lines to execute can be found in the section “Remote Tools, their purposes, output and use”.

1. NMapWin: This tool is used first in the stealth mode to glean as much information as possible about the computer without making a complete connection. If the computer has been set up with a “kill process” if unauthorized attempts to connect to it take place this should not set the process off. Note: All tools after this point elevate the risk of triggering a “kill process”.
2. FScan: This will run a full connect scan to every port and grab any information it can from open ports. From here on, run the tools, log the output, check the output for items of interest and decide if this process should continue or whether the situation requires an alternative plan of action. Any alternative plan of action may only be authorized by the IT Response Team leader.
3. Cerberus Internet Scanner
4. Currentstate.vbs
5. PSInfo
6. PSList
7. PSLoggedON
8. PSLogList

Non-Invasive Local Information Gathering Procedures

From this point onwards it is imperative to remember that you can trust nothing on the computer(s) being investigated. Your attitude must be that every existing piece of code on the target machine has been subverted. You can’t even trust the command prompt that you will use for many of the following tools. There is a trusted copy of many common applications on the CD, USE THEM.
Use floppy disks to save the data to. If no floppies, or too few, are available and a network connection is still operable, create a share on a remote computer that you have only write access to and redirect the output there. Preferably use floppies, but if using recycled floppies is required, format them on a separate, trusted computer, send the output to them and immediately copy the files to another trusted, (preferably not connected to the network), computer.
Run each tool twice. The first time redirect the output to file and examine it on a different computer. The second time run it without redirection so the output comes to the screen. Run a quick comparison between the output to file and the output to screen to ensure they are consistent. If the output is consistent no further action is necessary. If the output is different then run the same tool three further times redirecting the output to file and number each file appropriately, (for example Netstatarm123-1.txt).
You may also notice that some of these tools may duplicate information that others provide. That is deliberate. Please do not skip steps simply because you think you have the information already. You don’t.
Finally, many of these tools are not capable of changing the state of the target computer. Others most certainly are. The goal at this stage is to glean as much information as possible about the current state and configuration of the target machine. Run the tools exactly as requested unless authorized by the IT Response Team leader. If you are uncertain whether the tool will change the system or not consult with the team leader prior to executing the tool.
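The action log of step 2, the three-way log comparison of step 5 and the run-twice consistency check above all come down to proving that what was collected is what was preserved. The Python helpers below are an added example, not part of the original tutorial: they hash each artefact and record it in the log on the trusted analysis workstation (never on the suspect host), and the copy comparison goes slightly beyond the text by keeping every distinct version of a log rather than only the agreeing pair.

```python
# Evidence-handling helpers (added example, not the tutorial's own tooling):
# hash each artefact, record it in the step-2 action log, decide which log
# copies to burn (step 5) and check the file-vs-screen runs of the local phase.
import hashlib
import json
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an artefact held in memory."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks; the syslog file can exceed 50 MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_entry(operator: str, action: str, name: str, data: bytes) -> dict:
    """One action-log record: who, when (UTC), what, plus size and hash."""
    return {"time": datetime.now(timezone.utc).isoformat(), "operator": operator,
            "action": action, "artefact": name, "size": len(data),
            "sha256": sha256_bytes(data)}

def append_log(log_path: str, entry: dict) -> None:
    """Append as JSON Lines so earlier records are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")

def copies_to_preserve(copies: dict) -> list:
    """Step 5 over {location: bytes}: one location per distinct content.
    One result: all copies agree, burn any one. Several: burn each of them.
    Hashes are compared because equal size does not prove equal content."""
    first_seen = {}
    for location, data in copies.items():
        first_seen.setdefault(sha256_bytes(data), location)
    return sorted(first_seen.values())

def outputs_consistent(file_output: str, screen_output: str) -> bool:
    """Local phase: the redirected and on-screen runs of a tool must match,
    ignoring trailing whitespace and blank lines."""
    def norm(text: str) -> list:
        return [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return norm(file_output) == norm(screen_output)
```

The location names and sample bytes used when calling these functions are constructed; substitute the real hosts and the collected files.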

Start by spawning a command prompt by selecting Start-Run and manually typing in “%path%\cmd.exe” where %path% is the location of the trusted tools. Then run the following command lines where %path% is the path to the location of the trusted tools and %path2% is the path to the output resource, (floppy, write only remote share).
NOTE: A “*” indicates a tool that has the functionality to alter the configuration of the target. Make sure the command lines are correct prior to running the tool.

1. %path%\ipconfig /all > %path2%\ipconfigrm123.txt
2. %path%\ipxroute.exe > %path2%\ipxrouterm123.txt (This will determine if IPX has been enabled.)
3. (*) %path%\arp -a > %path2%\arprm123.txt
4. %path%\hostname > %path2%\hostnamerm123.txt
5. %path%\mem /c > %path2%\memrm123.txt
6. (*) %path%\net accounts > %path2%\netaccountsrm123.txt
7. (*) %path%\net localgroup > %path2%\netlocalgrouprm123.txt
8. (*) %path%\net share > %path2%\netsharerm123.txt
9. %path%\net statistics server > %path2%\netstatsserverrm123.txt
10. %path%\net statistics workstation > %path2%\netstatsworkrm123.txt
11. (*) %path%\net time \\rm123 > %path2%\nettimerm123.txt (Substitute the target computer name for \\rm123 in the command line)
12. (*) %path%\net use > %path2%\netuserm123.txt
13. (*) %path%\net user > %path2%\netuserrm123.txt
14. %path%\net view > %path2%\netviewrm123.txt
15. (*) %path%\route print > %path2%\routeprintrm123.txt
16. %path%\fport > %path2%\fportrm123.txt
17. %path%\listdlls > %path2%\listdllsrm123.txt
18. %path%\promiscdetect > %path2%\promiscrm123.txt
19. (*) %path%\psservice > %path2%\psservicerm123.txt
20. %path%\psgetsid > %path2%\psgetsidrm123.txt
21. dir /s > %path2%\dirXrm123.txt (do for each volume, X = volume letter including mapped drives; dir, date, time and vol are built into the trusted cmd.exe, so they take no %path% prefix)
22. (*) date > %path2%\daterm123.txt
23. (*) time > %path2%\timerm123.txt
24. vol > %path2%\volXrm123.txt (do for each volume, X = volume letter including mapped drives)
25. %path%\tree > %path2%\treeXrm123.txt (do for each volume, X = volume letter including mapped drives)


Original Tutorial Submitted by nokia for TheTAZZone-TAZForum

Originally posted on March 4th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.