Thursday, April 12, 2007

Establishing Time-0

One of the things I find most interesting is that by studying criminology and criminalistics we can learn a lot about our field, since digital forensic science and computer investigations were founded in real-world investigation. I'm constantly amazed at the parallels that can be drawn and the direct connections that can be made to investigative techniques. Other forensic sciences can have a great impact on digital forensic science.

In real-world investigations, there are several major methods of estimating Time of Death for a victim. Coroners and Crime Scene Investigators refer to lividity (livor mortis), rigor mortis, and algor mortis (body temperature), along with other factors like insects, weather, and other evidence, to estimate the time of death. Today, I was reading a paper I found on establishing TOD on Pathguy's site. The paper was from the University of Dundee, written by Derrick J. Pounder.

The paper is a good read for those interested (it's the first resource link on the pathguy site above) and contains a lot of relevant but abstract information.

Some good quotes from the paper:
"Repeated experience teaches the investigator to be wary of relying on any single observation for estimating the time of death (or "duration of the post mortem interval"), and he wisely avoids making dogmatic statements based on an isolated observation." (Ref. 12, p. 151)

"Considering the variables which influence the rate of body heat loss, the best one can say about the reliability of algor mortis as a post mortem clock is that it permits a rough approximation of time of death. Errors in over-estimating and under-estimating the post mortem interval based on body cooling are common, even in the face of considerable experience by those making the estimate. Body temperature as an indicator of the post mortem interval should be correlated with all other phenomenon and observations utilised in establishing the time of death." (Ref. 12, p. 164)

Pounder states that there are three major sources of evidence when establishing TOD for a body.

1) Corporal evidence, i.e. that present in the body.

2) Environmental and associated evidence, i.e. that present in the vicinity of the body.

3) Anamnestic evidence, i.e. that based on the deceased's ordinary habits, movements, and day-to-day activities.

And he states that there are two methods for estimating time of death:

1) The rate method - Analysis of rigor, algor, livor mortis and the degree of putrefaction of the body.

2) The concurrence method - Comparing the occurrence of events which took place at known times with the time of occurrence of the event under investigation, i.e. death.

I hope you can see where I'm headed with this. Time for a correlation of sciences. When it comes to digital investigations, I call TOD Time-0, or T-0 for short, and it refers to the Time of Compromise.

First off, I think it's time we throw out any of the "centric" types of forensics, that is, Host-Centric Forensics and Network-Centric Forensics. As the first quote states, "...avoid dogmatic statements based on isolated observations". The only way to reliably establish T-0, or any accurate conclusion, is with a combination of sources.

Let's begin our correlation with sources of evidence. Remember, the purpose here is to establish a preliminary T-0; however, the ideas and principles stated should be able to carry an investigator all the way through an investigation.

1) Corporal - that within the body. When investigating a compromised system we know there is a mountain of evidence to be searched through. However, since we're establishing T-0, not looking for specific signs that say, for example, sensitive data was accessed (that comes later), we can reduce the amount of evidence we are searching.

This data can be classified as evidence belonging to the system. Follow the Order of Volatility (OOV): collect the most volatile data first, because it is the first to be lost.
The OOV suggests that we need to look at routing tables, ARP caches, network connections, process listings, memory and a host of other things.
By parsing out specific subsets of this data we can move to the second source of evidence and use the information to inform our decision making. Remember that each source of evidence can exist independently, but each source is best used when correlated, and they should inform and corroborate each other.

To use Corporal evidence to inform our decisions for searching Environmental evidence, we should look at the volatile data for IP addresses, MAC addresses, mapped network shares (NFS exports, Windows shares, etc.), hostname or NetBIOS information, and registry key last-write times and their contents. Essentially, we are looking for established relationships between systems.

Using Corporal evidence on its own to establish T-0 typically involves the registry, MAC times, process run times, event logs, application logs, prefetch files and continued volatile data analysis.

This is all yet another reason for conducting a digital walkthrough.

2) Environmental and associated - that surrounding the body. This correlates directly to network-based evidence and evidence found on other systems. To use environmental evidence to maximum efficiency we need to collect logs from any device related to the victim. That would be Domain Controllers, LDAP servers, mail servers, DHCP servers, DNS servers, firewalls, routers, IDS/IPS, anomaly detection systems and so on.

With Environmental evidence we're looking for data that corroborates what we're finding on the system in question. Again, this evidence stands well enough on its own and can in many cases be a better source of evidence than Corporal evidence. One good example is FTP. Since FTP transactions are cleartext, we can capture the entire session on the wire, whereas by looking at Corporal evidence, all we generally see is that ftp was executed at a specific time and the end result of the session. How about SAM dumps? When the Windows SAM is dumped we can typically see it on the network (I say typically because encryption is being used more frequently, but its rate is not that high), and we can conclusively prove that it was offloaded, whereas with Corporal evidence we might see that the SAM was accessed and, if we're lucky, we find the dumping program.

3) Anamnestic - behavioral. I'd use this as a method of establishing a sense of normalcy for the system. I've said before that in order to identify abnormal system behavior, we need to establish normal system behavior first. This is commonly called baselining, but a baseline alone is not enough: we should establish what normal behavior is and identify when abnormal behavior began. Pay close attention to helpdesk tickets, interview responses from staff, and otherwise benign indicators. Recall, if you will, that the story that made Cliff Stoll famous started with a simple accounting anomaly.

Unfortunately, in many cases we do not have all, or any, of the information we need to accurately establish Time-0, so we can only estimate a time. At this point we can look at the methods of estimation outlined by Pounder and determine whether either of them applies. It would seem that the Concurrence method is the best fit for digital forensics. By correlating events that transpired on the system, on systems related to the victim, or on the network, we can establish a reasonable estimate of Time-0.

Why is Time-0 so important? Well, in my methodology, Time-0 is important because it lets us establish what I call a Window of Risk. The Window of Risk is the temporal measurement between Time-0 and Time-C (Time of Containment): Time-C - Time-0 = WoR. Having a Window of Risk allows us to focus the investigation.
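As an added illustration of the Concurrence method and the Window of Risk calculation above (my example, not code from the original post), the script below merges constructed host ("corporal") and network ("environmental") events onto one UTC timeline, keeps only events corroborated by the other evidence class within a tolerance window, and takes the earliest corroborated event as the preliminary T-0. The host time zone (UTC-5), the 60-second tolerance and every event are assumptions made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the victim host logs in local time (UTC-5); network devices log in UTC.
LOCAL_TZ = timezone(timedelta(hours=-5))
TOLERANCE = timedelta(seconds=60)

# Constructed sample events: (source, timestamp, tz, description).
# "host:" sources are corporal evidence, "net:" sources are environmental evidence.
EVENTS = [
    ("host:mactime",  "2007-04-09 18:00:00", "local", "patch installer written (benign)"),
    ("net:firewall",  "2007-04-09 23:30:00", "utc",   "single blocked probe from external host"),
    ("host:eventlog", "2007-04-10 02:13:55", "local", "new service installed"),
    ("net:firewall",  "2007-04-10 07:13:50", "utc",   "inbound 445/tcp accepted from external host"),
    ("net:ids",       "2007-04-10 07:14:02", "utc",   "SMB exploit signature fired"),
    ("host:prefetch", "2007-04-10 02:14:07", "local", "unknown binary first executed"),
]
CONTAINMENT_UTC = datetime(2007, 4, 12, 9, 0, 0, tzinfo=timezone.utc)  # Time-C (assumed)

def parse(ts, tz):
    """Normalize a log timestamp to an aware UTC datetime."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.replace(tzinfo=LOCAL_TZ if tz == "local" else timezone.utc).astimezone(timezone.utc)

def timeline(events):
    """Merge all sources into one UTC-ordered timeline."""
    return sorted(((src, parse(ts, tz), desc) for src, ts, tz, desc in events), key=lambda e: e[1])

def corroborated(events, tolerance=TOLERANCE):
    """Concurrence method: keep events backed by the *other* evidence class within tolerance."""
    out = []
    for src, t, desc in events:
        cls = src.split(":")[0]
        peers = [o[0] for o in events if o[0].split(":")[0] != cls and abs(o[1] - t) <= tolerance]
        if peers:
            out.append((src, t, desc, peers))
    return out

def isolated(events, tolerance=TOLERANCE):
    """Observations with no corroboration; reported, but never used to fix T-0 on their own."""
    backed = {(e[0], e[1]) for e in corroborated(events, tolerance)}
    return [e for e in events if (e[0], e[1]) not in backed]

def estimate_time0(events):
    """Preliminary T-0: the earliest corroborated event on the merged timeline."""
    c = corroborated(timeline(events))
    return c[0][1] if c else None

def window_of_risk(events, containment_utc):
    """WoR = Time-C - Time-0 (None when no corroborated T-0 exists)."""
    t0 = estimate_time0(events)
    return containment_utc - t0 if t0 else None

if __name__ == "__main__":
    print("T-0 estimate:", estimate_time0(EVENTS))
    print("Window of Risk:", window_of_risk(EVENTS, CONTAINMENT_UTC))
    for e in isolated(timeline(EVENTS)):
        print("uncorroborated:", e[0], e[1], e[2])
```

The benign patch and the lone blocked probe both predate the estimate but are reported as isolated observations rather than pulling T-0 earlier, which is exactly the caution the first quote asks for.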

Have I gone mad or does this make sense?


Keydet89 said...

I think it does make sense, but I also think that it's not that easy.

Part of the response process that many responders seem to like to use is a form of profiling...taking a look at the type of system involved, but not paying a great deal of attention to what's actually occurred on the system. I've seen many responders profile an intruder based on what they (the responder) would do, or by what *could possibly have been done*, without any real evidence to back any of it up.

How does this apply? Well, what information are you looking at on a system? File MAC times, Event Log generated and written times, timestamps on Registry keys, in syslog entries, in packets, etc. Rather than going with what evidence they have, many responders will fill in gaps with speculation.

I do think that this sort of time estimation is useful, if only for the investigator/responder themselves. However, it's far too subjective for the field as it currently stands.


hogfly said...

Do you think the method is inherently subjective, or that people would use it subjectively? Sounds like it may be the latter, but if it's the former, can you explain?

Keydet89 said...

I don't think that the method itself is inherently subjective...however, after spending time watching and listening as others perform IR, I think that a lot of it becomes subjective. This is often due to gaps in training and knowledge that are filled in with assumption and speculation.

I've seen cases before where there was no evidence whatsoever that the system time was modified, but the analyst kept working from an aspect of "what could have happened" rather than what actually did.