Tuesday, December 30, 2008

Footprints in the snow

A computer intrusion takes approximately 60 seconds (usually far less) from initial entry to setting up a back door with administrative access. If not detected within the golden hour, it tends to be about a month or more before someone notices they've been breached. Imagine you've been called to a crime scene involving a theft. The footprints above are representative of the footprints left by the suspect.

By the time we arrive on scene a lot has happened that affects our ability to accurately investigate the scene. Forces and Factors are at play. Time....it is the constant factor..the one force multiplier that can confound an investigation, above all else. You see, time is not a force in and of itself. It is a constant (as far as those of us who are not full time philosophers are concerned) that never changes. Consider the footprints in the photo above. All things being equal, if the weather did not vary from today's weather, and the temperature did not change; the snow would not melt, there would be no rain, no wind or other elements that would otherwise alter the footprints in the snow. However, as we are aware (again for those of us who are not full time philosophers), though time is a constant, the weather and other elements are not constant; they vary. It could be 60 degrees tomorrow, it could rain, or it could snow. Someone could ski over the footprints, someone could shovel it away...you get the idea.

Regarding digital investigations, time is what allows systems (Antivirus scans, scheduled defragmentation for instance) to impact artifacts left by an intruder, it is what allows the attacker more of an opportunity to find your PII data and cover their tracks. It is what allows the user to modify their files and the system. It is what allows untrained technicians the ability to delete files left by the attacker.

In short, Time is what permits other forces to have an effect on the persistence of data. We must be careful in this thinking so let me restate that it permits other forces to have an effect. It does not guarantee that a change will occur that will impact our ability to investigate the intrusion. So how do we use time in an investigation?

First we must accurately identify the time of intrusion. Once the intrusion is contained, we have what is called temporal proximity or the duration of time between two separate points in time. Our evaluation of artifacts takes place within this time frame. This is fairly well known, however I have seen this evaluation of artifacts squandered by those who suggest that the only evaluation that needs to take place is that of time itself. In practice what I have seen are those that simply evaluate MAC times. The evaluation is simple - any file containing PII data with an Access time that postdates the time of compromise is considered to be notifiable. This is a safe play and I congratulate those that feel morally and socially responsible enough to notify so easily, however it is a knee jerk reaction and indicates laziness. Look at this photo here, of the same location taken a day after the initial footprints were made.

What has happened to the footprints in the snow?

Time moving forward allowed the nights snow to cover the footprints. Are the footprints still present, or has the overnight period completely confounded the investigation? Would you be prone to suggesting that simply because there is fresh snow, the footprint is destroyed? Take a closer look. You can still see the feint outlines of footprints. Applying even the slightest amount of investigative elbow grease what do we see?

Hmmm..an impression of a foot, or footprint is easily visible. Now, we can easily expose the obscured tracks within a certain amount of time, though after enough time passes, the footprints will be indistinguishable from the surrounding area. As time passes the ability to identify accurately explain the source of the original footprints will become more difficult. It is because of this that speed is of the essence. We must close the gap between time of compromise and time of containment.

As seen below I have exposed the tracks but what else do you see?

That's right, you see additional footprints. How were they made, who made them and when? Were they made by another person, the intruder, me, or some other unknown force? Each footprint must now be analyzed individually. Had we casted the footprints after documenting the scene, and taken the casts for immediate analysis, our investigation would be more complete and accurate. Now we will have a slightly more difficult time but it can still be done. However we must be able to explain the changes that occurred in the time that elapsed since the original footprints were made.

You may be starting to see how time can confound the investigation of the original footprints. As time continues forward, the first responder and investigator must be even more careful to preserve the original. This is the reason documentation and a sound approach, especially when dealing with volatile data is critical.

And if time continues, then what? Will time allow more environmental forces to influence the ability to accurately investigate?

We can still see the rough outline of a footprint here, even though the snow is in the process of melting. Time has once again allowed another force to alter the original. Eventually, our ability to see the footprint disappears. After more time passed the footprint looks like this.

Wait. We can no longer accurately establish the location of the footprint. Now, in this case I simulated about 4 months of time, and it is around this point that our ability to accurately investigate an actively used system in an intrusion becomes nearly nil.

Okay..enough meatspace.

Remember I said that time is what permits other forces to have an effect on the data. This applies greatly to MAC times. An Antivirus scan could take place after the time of compromise that updates MAC times, a user could have accessed those files containing PII data; Simply put any force capable of modifying timestamps post compromise could have updated the timestamp. Given this, MAC times for this reason do not provide us with anything other than a point in time, a measurement if you will.

Secondly, time needs to be evaluated as a point or points when change occurs. Our role is to explain the cause of the change. When discussing digital forensics, systems should be evaluated as a world of events running in a steady mechanism of before and after, of cause and effect. When an intrusion has finally been contained and the analysis is underway we must evaluate the changes that took place during that window. Was a key file accessed? Who accessed it? Can we explain the access? Did the intruder gain administrative access? Did they have access to files containing PII data? Did they have access to other systems? Did they use that access? Did they install a backdoor? Did they enumerate your other systems? Did they attempt to cover their tracks? Is malware present? What are its capabilities? These are just some of the evaluations that must take place during the investigation.

Finally when a change occurs at a specific time, there will be several plausible explanations for the change. This is where we must apply a scientific method of testing the most plausible explanation for the change. We can reduce the noise.

For example:
A file had an access time updated during the time an attacker was operating on a computer.

Q: Under what conditions is an access time updated?

A: An access time is updated when a file is opened for reading, specifically a file's attributes.

Q: Does a file access time being updated indicate execution?

A: NO. It simply indicates that the file's attributes were accessed.

Example: the 'touch' command would update an access time, as would an A/V scan and many other utilities.

Conclusion: There are many plausible explanations for a file's access times being modified.

Our job: Determine what is most plausible and present your conclusions with supporting documentation.

Assuming a Windows XP system:
In the case of executable being executed under normal circumstances, what artifacts could we expect to find?
1) A prefetch file would be created
2) Depending upon method of execution we could expect to find artifacts in the registry.
3) Memory analysis would show that it had been executed
4) Other sources yet to be discovered or mentioned.

Variables: (Factors and Forces).
1) Intruder privileges - with full administrative privileges, the attacker effectively has their hand on the clock's dial, and do what they please.
2) System operation - Antivirus scans, backups, other scheduled tasks that have the potential to alter an access time.
3) User activity - a user logged in to the system at the time could have done something to update the access time.
4) Intruder activity - The attacker used ftp.exe or had a tool capable of modifying timestamps on the system.
5) Unknown possibility - something that hasn't been thought of or discovered that has the possibility to modify access times.

So, let's start processing this:

What we know:
- An antivirus scan was being run when the file access time was updated.
- The sysadmin confirmed this.
- There are no artifacts present in the registry suggesting execution.

Given the data presented, what do you believe? More important, what would someone else, a lay person (read: decision maker) in particular, be likely to believe?
That an access time had been updated by:
A) a normal system operation (A/V scan)
B) The attacker had executed the file and exfiltrated data.

Are these the only possibilities? No they are not. However, absent any data to refute that A is the most likely answer, what would someone be likely to believe?

For B to be the more likely answer in this case what must be present?
1) Network or other logs during the time of compromise suggesting ftp connections.
2) Artifacts suggesting execution of ftp.exe

Let me summarize:

1) Speed is of the essence. The gap in temporal proximity must be closed. Others have said this (notably AAron Walters and Harlan Carvey)
2) Time is a force multiplier that allows other forces to impact artifacts.
3) Intrusions must be analyzed in terms of changes that take place between t1 and t2.
4) Strict MAC time analysis is lazy and inaccurate, and should be a last resort investigative method.
5) Changes of probative value should be examined in depth and plausible explanations should be presented along with an opinion and documentation.

Monday, December 29, 2008

A quick analysis helper

I commonly analyze systems that run Symantec Antivirus Corporate Edition. A common question we have to answer is regarding the last date a scan was run and the date of the definition files. I did some quick research and came up with the following. May it also help others in the same situation.

The registry keeps track of symantec definition dates in:

Defwatch_10 is the value and the data contains the path and date of definitions and revision.


Defdate is: 20080902, rev 16.

Log files are located in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Antivirus Corporation Edition\7.5\Logs

The key to the logfile is here

Files are timedate stamped as follows: mmddyyyy.Log

Pulling out relevant information can be accomplished in many ways.

One simple way is by doing the following:

[root (Logs)]# awk -F, '{print $5" "$6" "$7" "$8" "$35}' 09102008.Log

This returns the following information:

Computer Name, User logged in, Name of the malware identified, File location of the malware, IP Address of the system

A scan starting looks like this:

260A1C0B2618,3,2,9,D98B90D03,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1227890305,,0,,,,,0,,,,,,,,,,,{C446AF0D-2434-4C32-99F7-

The key to interpretation are fields 1-3. In this case it's 3,2,9 which indicates a realtime scan started. A realtime scan is obviously different than a manual scan in that a realtime scan is initiated by the system and a manual scan is initiated by the user. A manual scan looks like this:

260B1D142927,3,2,1,D98B90D03,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1230601302,,0,,,,,0,,,,,,,,,,,{C446AF0D-2434-4C32-99F7-B41DC042A2DC},,(IP)-,,WORKGROUP,00:0C:29:E6:8C:72,,,,,,,,,,,,,,,,,0,,,,D98B90D03

The key again are fields 1-3 which in this case are 3,2,1. This is a clear indicator that a manual scan was started by Administrator. When someone says "I didn't run an antivirus scan", you now have a quick way to determine whether or not they are telling the truth.

The witness, the perpetrator and the victim Part I

When we investigate a system compromise we are often left with only one portion of the cause->effect equation. It's up to us to take what we are presented with, and reconstruct a crime scene in order to determine what happened and often times determine whether or not PII data was acquired.

Using your imagination, try picturing the following scenario:
You arrive at a crime scene at a jewelry store and are lead to a body laying on the floor in a pool of blood. There is a broken lamp on a table, a large dent in the painted wall at about the 5'6" mark near the victim, a hole farther down on the wall at about the two foot height mark. There's blood spatter on the wall, floor and ceiling. Bloody footprints surround the victim and lead away from the victim out the back door of the store. The jewelry cases are smashed and there's blood on some of the glass. The victim is wearing a blue sweater and grey pants, is female, weighs 120lbs and is 5'6" tall.

So what you have is an apparent homicide with many traditional sources of evidence in play. How would you begin to investigate this scenario?

Now imagine the following. You are lead to the scene of a computer intrusion at a local bank. You arrive at the office of a credit card manager and see the following:

A black dell optiplex 755 sits under a desk and a 19" monitor resides on the tabletop. An external hard drive is plugged in to the computer and resides on the tabletop, and you note a USB key plugged in to the USB hub on the monitor. A small HP MFC unit is plugged in and rests on a small table next to the desk. Some papers litter the desk along with a tabletop calendar, a rolodex and a phone and a blackberry. The computer is on, and has Microsoft Outlook 2003 open on the desktop along with excel, Internet Explorer and one of the banks internal applications for credit card management.

This is pretty typical. So, how do you begin your investigation? What's the major difference in the two scenarios ?

In scenario 1, you have appear to have no one to interview. You must examine the deceased, review tapes, interview acquaintances and so on.

In scenario 2, you have a person to interview. The credit card manager was obviously using the computer and someone decided to call you for one reason or another. You must be able to determine if they are the witness to the intrusion, the perpetrator or the victim. Or if they are all three!

Suppose in scenario 2 you conduct your interview before you touch the computer (which I always recommend). What questions do you ask? Questioning a person can be seen as a bit of an arcane art form. The goal is to get the interviewee to be forthcoming with responses. Many people get embarrassed easily and get defensive, especially if they know they did something they probably shouldn't have. We want them to be calm and accepting of us and our questions. So, set some ground rules with your own team first. A few helpful rules of interviewing could be:

1) Never accuse.
2) Keep your cool. Emotions play a larger role in system compromises than people believe.
3) Be aware of your body language. You must always be aware that your face, posture and hand play, are a huge role in gaining the trust of the interviewee.
4) Ask leading questions.
5) Listen. You can't learn anything if you're talking.
6) Be nice.
7) Get them talking and keep them talking until you have enough information to proceed appropriately.

With the information I provided in scenario 2, you have no way of knowing what has happened yet, however, I am willing to bet you have already made some assumptions and perhaps even made some hypotheses. This is a natural occurrence in the brain and it's not a bad thing, unless you fail to view every angle because you develop tunnel vision.

Assuming the credit card manager told you the following how would you proceed?

  • They arrived at 7:45am
  • They opened Outlook to check email, and read some mail
  • They opened an excel attachment containing this month's stats
  • They plugged in their blackberry to sync it
  • They plugged in their usb key to copy files they were working on at home
  • They opened IE and visited yahoo.com and started researching colleges for their teenage daughter who is looking at schools.

Books to buy

I'm ordering the following books this holiday season. What's on your list?

  • Windows Forensic Analysis Second Edition by Harlan Carvey
This book was awesome the first time around and now there's even more of it.
  • SQL Server Forensic Analysis by Kevvie Fowler
If you haven't heard of Kevvie or read his paper you're missing something special.
Kevvie's book is probably my most anticipated book for this year other than WFA.

  • Oracle Forensics using Quisix by David Litchfield
An oracle forensics book by litchfield..need I say more?

Thursday, December 4, 2008

What your antivirus isn't telling you part II

If my last post on this subject wasn't clear. Here's an illustration:

12/2/08 - The Hallmark/Coke/Mcdonalds postcard/promotions/coupon malware was being sent via email.

12/2/08 - Malware was submitted at 3:30pm

12/2/08 - At 6:15pm the malware was classified as downloader by Symantec.

The definition of downloader?

Downloader connects to the Internet and downloads other Trojan horses or components.

What does that malware actually do?

It spreads in multiple ways:
Reads your address books and emails the malware
Copies itself to USB media

It also:
is a keylogger
opens a backdoor
Phones home over port 80
Injects itself in to explorer.exe


For 24 hours this was detected as "downloader" yet it is clearly more than that. In fact it was given it's own name of W32.ackantta@mm.

24 hours is enough time to do a good amount of damage depending on where this thing is installed.

Monday, December 1, 2008

Let the class action suit begin

It's about time. BNY mellon is now facing a class action lawsuit for "losing" a box of unencrypted backup tapes containing PII data for millions of people. The breachblog has information on this rediculous incident. I sincerely hope that BNY mellon gets nailed on this one. Their actions - negligent, fraudulent, reckless, wrongful, and unlawful is something I just don't get. I'm sure there are a whole host of "reasons" (re: excuses) for this.

The 62 page class action complaint can be found here.

If you received a notice from BNY mellon, check your credit reports and contact the law office listed at the breachblog link above.