EXAMPLE
FORENSICS SOP/PROCEDURE CONT...
Tiger Shark from Antionline has kindly given his permission for his
tutorial to be hosted at The Taz.
You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=255811
Enjoy
That completes the command line tools whose output has to be
redirected to text files on trusted media. The following tools are more
interactive and monitor either highly detailed activity in real time or
more detailed configuration. Their output files can become rather large
quite quickly if the activity on the machine is high, so a floppy disk
may fill up fast. If at all possible save these files to a remote,
write-only share, then cut them to CD.
1. %path%\Autoruns: This shows all the programs that are called to
start during system start up. It documents the programs and the path to
them.
2. %path%\filemon: This program shows file activity in real time. Its
output file can get quite large if a lot of things are running. Run it
for 5 minutes or so and save the output to the write-only remote folder,
then cut it to CD.
3. %path%\ntpmon: This monitors the processes and what they are doing
(opening threads, closing them etc.). If nothing is really going on
then this may remain pretty much empty. It’s a judgment call as to when
to close it. If you are getting a lot of consistent activity from
certain processes that looks “abnormal” then saving the data and
closing it quite quickly may be fine, and it might fit on a floppy.
Remember though, it’s better to have more data than less. If you aren’t
comfortable with the output or the amount, seek assistance.
4. %path%\procexp: This is a process explorer. It shows what processes
are running and what sub-processes they have spawned. Clicking on an
individual process or its sub-processes will show all the handles or
DLLs the item uses. In the view menu select “Show DLLs”. Create a
subfolder on the remote, write-only drive called Procexprm123 and then
select each process and on the file menu select “save as”. It will put
the appropriate file name there for you; just make sure you redirect it
to the new folder on the write-only share. Yes, this could be a long
process, but it shows all the files being used, their versions etc. and
may be helpful later on.
5. %path%\regmon: This is a registry monitor. It monitors all access to
the registry by all systems. It fills up quite quickly so again this
may be a judgment call as to when to save the data, with the rider again
that too much is better than too little.
6. %path%\tdimon: This is a network interface monitor that details TCP
and UDP activity at a very low level. Like the other tools above it can
generate a lot of logs on a busy system. Save the data away to the
write-only share when you feel you have enough.
This completes the formalized data gathering process from the
machine(s) itself. At this point the IT Response Team Leader will make
an initial review of the data and decide if other or more data of
certain types is required. When no other data is required the computer
is to literally have the power cord pulled from the back of the machine
at the power supply inlet. The computer is not to be shut down, logged
off or closed down in any other way. When computers are closed down
cleanly they rewrite two entire hives of the registry and make numerous
other “housekeeping” changes that are saved to the drive prior to the
actual shutdown. Additionally, shutdown routines could be in place to
sanitize the machine in the event of a clean but unexpected (by the
perpetrator) shutdown. Thus we “kill” the machine without giving it a
chance to alter information stored on the drive.
The final acts of this phase are to stop all the Ethereal sniffing, save
the data and cut it to CD-ROM, save all the data from any write-only
shares that were used to CD-ROM, and remove, label, log and secure the
drive(s) those shares reside on.
Drive Imaging
Once the power has been removed the hard drive(s) are to be removed
from the system and labeled to indicate what they are; the act is to be
logged and all the relevant details are to be noted. Two disk images
are then to be made of each disk and labeled appropriately. The act is
to be logged with the appropriate details. The original drive(s) and
one copy are to be secured, and when, where and who secured them is to
be logged. The second image can then be placed on a machine as a slave.
It must not be booted from, as this will change the image itself. Should
the image be changed in such a way as to compromise the investigation,
this fact is to be logged and a new image is to be created from the
stored image (avoid using the original disk(s) ever again - that’s why
we made two images in the first place). Each time a disk is moved,
handed from person to person, secured or brought out of secure storage
the logs are to be updated to reflect who, when, where and why the
change in situation took place.
From here on it is impossible to lay down any investigative procedures
since they will rely entirely upon the evidence gathered in the
preceding phases. When checking the evidence you should use the “FINAL
CD’s” rather than the media the evidence was originally stored on to
ensure that no changes to the evidence are inadvertently made. The
original evidence media is to be logged and secured in the same fashion
as the hard drive from the investigated machine.
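The logging and image-handling rules above, worked as an added example (not part of the tutorial): an append-only who/when/where/why ledger, and a hash comparison that detects when the working image no longer matches the secured image, which is the case the text says must be logged and re-imaged. Assumed, and not in the original: images are plain files, the ledger is one JSON line per event, and SHA-256 is the integrity check.

```python
# Added example (not from the tutorial): an append-only chain-of-custody ledger
# plus a check that the working disk image still matches the secured copy.
# Assumed: images are plain files, the ledger is one JSON line per event, and
# SHA-256 stands in for whatever integrity check the lab uses.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash in chunks so a full disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_custody(ledger, item, who, where, why, when=None):
    """Append one who/when/where/why event; earlier lines are never rewritten."""
    entry = {"item": item, "who": who, "where": where, "why": why,
             "when": (when or datetime.now(timezone.utc)).isoformat()}
    with open(ledger, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_working_image(stored, working, ledger, who):
    """True if the working copy is byte-identical to the secured image.
    A mismatch means the working copy was altered (e.g. the disk was booted);
    the procedure then requires logging it and re-imaging from the stored copy.
    Both outcomes are logged so the ledger records every check that was made."""
    ok = sha256_of(stored) == sha256_of(working)
    log_custody(ledger, Path(working).name, who, "lab",
                "working image verified against stored image" if ok
                else "working image altered; re-image from stored image")
    return ok

def demo():
    """Constructed images: verify the working copy, alter it, verify again."""
    d = Path(tempfile.mkdtemp())
    stored, working, ledger = d / "rm123_image1.dd", d / "rm123_image2.dd", d / "custody.log"
    stored.write_bytes(b"constructed image bytes\n" * 64)
    working.write_bytes(stored.read_bytes())
    log_custody(ledger, stored.name, "analyst", "safe", "secured after imaging")
    first = verify_working_image(stored, working, ledger, "analyst")
    working.write_bytes(stored.read_bytes()[:-8] + b"altered!")  # simulate a boot write
    second = verify_working_image(stored, working, ledger, "analyst")
    events = ledger.read_text(encoding="utf-8").splitlines()
    return first, second, len(events)
```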
Remote Tools, their purposes, output and use.
COMPANY X’s MIS has access to all these tools. They are either on his
person, on his workstation or laptop, or on a CD-ROM labeled “Forensic
Toolkit” in his office. COMPANY X’s MIS is familiar with the use of
these tools. If you are instructed to use a tool that you are
unfamiliar with you are to ask for assistance prior to its use.
Similarly, if you are tasked with reading the output and are unfamiliar
with what you are seeing, request assistance. Decisions are made
throughout the process as to how to proceed that depend upon the
information gained from the different systems used. If the output is
misinterpreted or misrepresented an incorrect decision could be made
that could render the investigation useless.
Remote, Non-Intrusive Tools
NOTE: Some of these tools require that WinPCap be installed. This is a
Windows packet capture driver that, at the time of writing, is at
version 3.2.1 and is available by searching Google for “WinPCap”.
NOTE 2: Some of these remote detection tools may create alerts in the
WAN’s Intrusion Detection Systems.
NOTE 3: Tools with a “*” after their name can successfully be run
against machines where administrative rights are not available. In some
cases the information will be complete, in other cases it will show
only information that is available without administrative rights, and
in other circumstances all you may get is “Access Denied”. Log it
anyway; it’s important to know what can and can’t be done, and it may
show that steps have been taken by the perpetrator to protect the
computer from use by people other than himself.
1. Ethereal*: Ethereal is a packet sniffer that is used to sniff all
traffic on a network segment. It only functions effectively from a hub
or a switch that can be configured to have a “bridging” port so that
all traffic can be seen on the local segment. The COMPANY X WAN has two
machines set aside with this capability (rm258 and FortBU) to cover
the two gateways to the network. Packets can be captured from all
machines, or a filter can be set to only capture traffic of certain
types. These filters are based on the TCPDump syntax and can be found
at <http://home.insight.rr.com/procana/> in the document named
Designing Capture Filters for Ethereal. There is a hard copy in the
black binder labeled “Security Texts” in the MIS’ office. Under normal
circumstances Ethereal captures packets in the background and simply
shows a graph of the packets captured. In a forensic investigation it
is useful to select the button to “Update the window in real time” to
see the nature of the traffic involved as it occurs. When saving the
data, save it in the default TCPDump format, which allows the data to be
reloaded into many other analysis tools and even to rerun the entire
session if necessary.
2. NMapWin*: NMapWin is the WIN32 port of the venerable NMap by Fyodor.
It is the most powerful scanner/OS detection system currently
available. For forensic purposes the following settings are advised.
Select a SYN Stealth Scan from the Scan tab, “Don’t ping” from the
discover tab, “OS Detection” and “Very Verbose” from the Options tab
and select Output file and name it as a:\NMaprm123p.txt. Put the IP
Address of the target in the Host line and begin the scan.
3. FScan*: FScan is a command line port scanner that has some
interesting features. From its home directory type “fscan -?” for a
list of all its parameters. A recommended command line would be fscan
-bp 1-65535 -u 1-65535 -o a:\fscanrm123p.txt -s rm123. This would scan
all TCP and UDP ports from 1 through to 65535 and grab the available
banners of any open ports, show any RSTs returned from the target (a
lack of which may imply there is a “firewall” in place), and write all
the results to a file called fscanrm123p.txt on the floppy disk.
4. Cerberus Internet Scanner*: This tool looks at services commonly
available and extracts as much information as is available with or
without administrative rights. With administrative rights a lot can be
determined about the general “look” of the target, and some useful
information comes with only guest rights. The report is written to the
home folder’s “Reports” folder and is named using the IP address of the
target with an HTML extension. The report file should be moved to an
evidence floppy.
5. Currentstate.vbs: This is a script the MIS wrote himself to
automatically extract information remotely and in a non-intrusive
manner from a computer you have administrative rights over. Run it from
its home directory using the command line “cscript currentstate.vbs”
and you will be prompted for the IP address of the target machine, the
full name of the output file, your full name, the administrator’s login
name and the administrator’s password. This pulls a lot of relevant
information regarding the current state of a remote machine, right down
to which processes belong to which threads, and could be very useful in
a forensic investigation.
6. PSInfo: PSInfo gives some additional information regarding the
makeup of a machine that the others above may not. Rights are required
on the target machine. Recommended command line is “psinfo \\rm123p >
a:\PSInform123p.txt”. Note that the results have to be redirected (with
“>”) to the output file.
7. PSList: PSlist dumps the running processes, their PIDs, kernel
time, user time, idle time etc. Recommended command line is “pslist
\\rm123p > a:\SPListrm123p.txt”. It requires rights on the target
machine.
8. PSLoggedon*: PSloggedOn can reveal information about locally and
remotely logged on users without administrative privileges on the
target machine. Recommended command line is “psloggedon \\rm123p >
a:\psloggedonrm123p.txt”.
9. PSLogList: PSlogList can retrieve the entire existing event logs of
a remote computer with administrative rights (it may also be able to
with limited rights). Recommended command line is “psloglist \\rm123p
> a:\psloglist.txt”.
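The “run the tool, redirect its output to a file named after the tool and host on trusted media, and log what was done” pattern used throughout the earlier command line tools and the PSTools entries above, as an added example (not the tutorial’s or the MIS’ own tooling). Assumed, and not in the original: the evidence folder sits on the write-only share, output files are opened so an existing file is never overwritten, and in the demo a python one-liner stands in for psinfo/psloggedon so the example runs without the target machine.

```python
# Added example (not the tutorial's own tooling): run each remote tool against
# the target, capture its output as <tool><host>.txt on the evidence folder and
# write a manifest with the exact command, UTC times, exit status, size and
# SHA-256. Assumed: evidence_dir is on the write-only share; outputs are opened
# in 'x' mode so an existing evidence file is never overwritten.
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def collect(evidence_dir, host, tools):
    """tools: list of (name, argv); returns the manifest entries written."""
    evidence_dir = Path(evidence_dir)
    manifest = []
    for name, argv in tools:
        out_path = evidence_dir / f"{name}{host}.txt"   # psinfo + rm123p -> psinform123p.txt
        started = datetime.now(timezone.utc).isoformat()
        proc = subprocess.run(argv, capture_output=True, timeout=600)
        data = proc.stdout + proc.stderr   # '>' alone loses stderr; keep "Access Denied" too
        with open(out_path, "xb") as f:    # 'x': fail rather than clobber existing evidence
            f.write(data)
        manifest.append({"tool": name, "host": host, "command": " ".join(argv),
                         "started": started,
                         "finished": datetime.now(timezone.utc).isoformat(),
                         "exit_code": proc.returncode, "bytes": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "file": out_path.name})
    with open(evidence_dir / f"manifest{host}.json", "x", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def demo():
    """Stand-in run: on the real workstation argv would be e.g. ["psinfo", r"\\rm123p"];
    here python -c prints constructed output so the example runs anywhere."""
    d = tempfile.mkdtemp()
    fake = lambda text: [sys.executable, "-c", f"print({text!r})"]
    return collect(d, "rm123p", [("psinfo", fake("constructed psinfo output")),
                                 ("psloggedon", fake("Access Denied"))])
```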
=======================
End text
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.

