Tuesday, December 30, 2008

Footprints in the snow

A computer intrusion takes approximately 60 seconds (usually far less) from initial entry to setting up a back door with administrative access. If not detected within the golden hour, it tends to be about a month or more before someone notices they've been breached. Imagine you've been called to a crime scene involving a theft. The footprints above are representative of the footprints left by the suspect.

By the time we arrive on scene a lot has happened that affects our ability to accurately investigate the scene. Forces and Factors are at play. Time....it is the constant factor..the one force multiplier that can confound an investigation, above all else. You see, time is not a force in and of itself. It is a constant (as far as those of us who are not full time philosophers are concerned) that never changes. Consider the footprints in the photo above. All things being equal, if the weather did not vary from today's weather, and the temperature did not change; the snow would not melt, there would be no rain, no wind or other elements that would otherwise alter the footprints in the snow. However, as we are aware (again for those of us who are not full time philosophers), though time is a constant, the weather and other elements are not constant; they vary. It could be 60 degrees tomorrow, it could rain, or it could snow. Someone could ski over the footprints, someone could shovel it away...you get the idea.

Regarding digital investigations, time is what allows systems (Antivirus scans, scheduled defragmentation for instance) to impact artifacts left by an intruder, it is what allows the attacker more of an opportunity to find your PII data and cover their tracks. It is what allows the user to modify their files and the system. It is what allows untrained technicians the ability to delete files left by the attacker.

In short, Time is what permits other forces to have an effect on the persistence of data. We must be careful in this thinking so let me restate that it permits other forces to have an effect. It does not guarantee that a change will occur that will impact our ability to investigate the intrusion. So how do we use time in an investigation?

First we must accurately identify the time of intrusion. Once the intrusion is contained, we have what is called temporal proximity or the duration of time between two separate points in time. Our evaluation of artifacts takes place within this time frame. This is fairly well known, however I have seen this evaluation of artifacts squandered by those who suggest that the only evaluation that needs to take place is that of time itself. In practice what I have seen are those that simply evaluate MAC times. The evaluation is simple - any file containing PII data with an Access time that postdates the time of compromise is considered to be notifiable. This is a safe play and I congratulate those that feel morally and socially responsible enough to notify so easily, however it is a knee jerk reaction and indicates laziness. Look at this photo here, of the same location taken a day after the initial footprints were made.

What has happened to the footprints in the snow?

Time moving forward allowed the nights snow to cover the footprints. Are the footprints still present, or has the overnight period completely confounded the investigation? Would you be prone to suggesting that simply because there is fresh snow, the footprint is destroyed? Take a closer look. You can still see the feint outlines of footprints. Applying even the slightest amount of investigative elbow grease what do we see?

Hmmm..an impression of a foot, or footprint is easily visible. Now, we can easily expose the obscured tracks within a certain amount of time, though after enough time passes, the footprints will be indistinguishable from the surrounding area. As time passes the ability to identify accurately explain the source of the original footprints will become more difficult. It is because of this that speed is of the essence. We must close the gap between time of compromise and time of containment.

As seen below I have exposed the tracks but what else do you see?

That's right, you see additional footprints. How were they made, who made them and when? Were they made by another person, the intruder, me, or some other unknown force? Each footprint must now be analyzed individually. Had we casted the footprints after documenting the scene, and taken the casts for immediate analysis, our investigation would be more complete and accurate. Now we will have a slightly more difficult time but it can still be done. However we must be able to explain the changes that occurred in the time that elapsed since the original footprints were made.

You may be starting to see how time can confound the investigation of the original footprints. As time continues forward, the first responder and investigator must be even more careful to preserve the original. This is the reason documentation and a sound approach, especially when dealing with volatile data is critical.

And if time continues, then what? Will time allow more environmental forces to influence the ability to accurately investigate?

We can still see the rough outline of a footprint here, even though the snow is in the process of melting. Time has once again allowed another force to alter the original. Eventually, our ability to see the footprint disappears. After more time passed the footprint looks like this.

Wait. We can no longer accurately establish the location of the footprint. Now, in this case I simulated about 4 months of time, and it is around this point that our ability to accurately investigate an actively used system in an intrusion becomes nearly nil.

Okay..enough meatspace.

Remember I said that time is what permits other forces to have an effect on the data. This applies greatly to MAC times. An Antivirus scan could take place after the time of compromise that updates MAC times, a user could have accessed those files containing PII data; Simply put any force capable of modifying timestamps post compromise could have updated the timestamp. Given this, MAC times for this reason do not provide us with anything other than a point in time, a measurement if you will.

Secondly, time needs to be evaluated as a point or points when change occurs. Our role is to explain the cause of the change. When discussing digital forensics, systems should be evaluated as a world of events running in a steady mechanism of before and after, of cause and effect. When an intrusion has finally been contained and the analysis is underway we must evaluate the changes that took place during that window. Was a key file accessed? Who accessed it? Can we explain the access? Did the intruder gain administrative access? Did they have access to files containing PII data? Did they have access to other systems? Did they use that access? Did they install a backdoor? Did they enumerate your other systems? Did they attempt to cover their tracks? Is malware present? What are its capabilities? These are just some of the evaluations that must take place during the investigation.

Finally when a change occurs at a specific time, there will be several plausible explanations for the change. This is where we must apply a scientific method of testing the most plausible explanation for the change. We can reduce the noise.

For example:
A file had an access time updated during the time an attacker was operating on a computer.

Q: Under what conditions is an access time updated?

A: An access time is updated when a file is opened for reading, specifically a file's attributes.

Q: Does a file access time being updated indicate execution?

A: NO. It simply indicates that the file's attributes were accessed.

Example: the 'touch' command would update an access time, as would an A/V scan and many other utilities.

Conclusion: There are many plausible explanations for a file's access times being modified.

Our job: Determine what is most plausible and present your conclusions with supporting documentation.

Assuming a Windows XP system:
In the case of executable being executed under normal circumstances, what artifacts could we expect to find?
1) A prefetch file would be created
2) Depending upon method of execution we could expect to find artifacts in the registry.
3) Memory analysis would show that it had been executed
4) Other sources yet to be discovered or mentioned.

Variables: (Factors and Forces).
1) Intruder privileges - with full administrative privileges, the attacker effectively has their hand on the clock's dial, and do what they please.
2) System operation - Antivirus scans, backups, other scheduled tasks that have the potential to alter an access time.
3) User activity - a user logged in to the system at the time could have done something to update the access time.
4) Intruder activity - The attacker used ftp.exe or had a tool capable of modifying timestamps on the system.
5) Unknown possibility - something that hasn't been thought of or discovered that has the possibility to modify access times.

So, let's start processing this:

What we know:
- An antivirus scan was being run when the file access time was updated.
- The sysadmin confirmed this.
- There are no artifacts present in the registry suggesting execution.

Given the data presented, what do you believe? More important, what would someone else, a lay person (read: decision maker) in particular, be likely to believe?
That an access time had been updated by:
A) a normal system operation (A/V scan)
B) The attacker had executed the file and exfiltrated data.

Are these the only possibilities? No they are not. However, absent any data to refute that A is the most likely answer, what would someone be likely to believe?

For B to be the more likely answer in this case what must be present?
1) Network or other logs during the time of compromise suggesting ftp connections.
2) Artifacts suggesting execution of ftp.exe

Let me summarize:

1) Speed is of the essence. The gap in temporal proximity must be closed. Others have said this (notably AAron Walters and Harlan Carvey)
2) Time is a force multiplier that allows other forces to impact artifacts.
3) Intrusions must be analyzed in terms of changes that take place between t1 and t2.
4) Strict MAC time analysis is lazy and inaccurate, and should be a last resort investigative method.
5) Changes of probative value should be examined in depth and plausible explanations should be presented along with an opinion and documentation.