A common question put to the Honeynet team is how one knows what actions a hacker has performed on the honeynet. Aside from recording all the network activity, the honeynet project relies on forensic analysis of the systems that have been attacked.
Any activity on a computer system leaves some sort of trace on the system, e.g. entries in the system logs, modified executables, new user accounts, data left in temporary files and even deleted files that can be recovered. Even a skilled hacker cannot avoid leaving some evidence behind, even if they have “cleaned up” after themselves. These traces can be uncovered by a trained computer forensics investigator equipped with the right tools.
Computer forensics is the application of investigation and analysis techniques in a computer environment to determine what activities a computer system has been used for. If the event being investigated could lead to a legal case then it is vital that all potential evidence is preserved intact and can be shown to be free of interference or tampering, i.e. the forensics investigator should ensure that the evidence has not been modified by the investigation itself. Fortunately, in the case of honeynets there is no onerous requirement to preserve evidence, as our intention is to monitor rather than prosecute the hacker.
Computer forensics has advanced considerably in the last ten years, and computer forensics software now features advanced analysis functions, providing the ability to accurately find, store, search, analyse and manage large volumes of computer data. This month we will look at some of the more commonly used tools and explain why they are used.
Forensics Tools Used for Data Analysis
IDS, or Intrusion Detection System: for a honeynet an IDS is the primary analysis tool. An IDS is designed to analyse data on a network and compare it with known attack patterns, called signatures. All data in and out of the honeynet goes through our IDS and is automatically compared against the known attack signatures.
Network Protocol Analysers are tools that allow an analyst to look into data as it is sent across the network. Capabilities that are commonly useful in forensics investigations are the ability to replay individual network conversations and to summarise specific sets of interesting data.
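The two capabilities just described, grouping packets into conversations and matching the reassembled payload against signatures, in an added Python example that is not code from the Honeynet project or from this article. The packets, the two signatures and all addresses are constructed for illustration, and the reassembly is a toy with no handling of sequence gaps or overlaps. It also shows why analysers reassemble before matching: a pattern split across two segments that arrive out of order is found in the reassembled stream but missed by a packet-at-a-time check.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Content signatures: (name, server port, byte pattern). Constructed to show
# the form of a signature; not taken from any real ruleset.
SIGNATURES = [
    ("web-cmd-exe-request", 80, b"/cmd.exe"),
    ("ftp-site-exec", 21, b"SITE EXEC"),
]

# Constructed capture: one HTTP request whose suspicious path straddles two
# segments that arrive out of order, plus a harmless anonymous FTP login.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40001, "10.0.0.10", 80, 1017, b".exe HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", 40001, "10.0.0.10", 80, 1001, b"GET /scripts/cmd"),
    Packet("10.0.0.10", 80, "10.0.0.5", 40001, 9000, b"HTTP/1.0 404 Not Found\r\n"),
    Packet("10.0.0.7", 40002, "10.0.0.10", 21, 1, b"USER anonymous\r\n"),
    Packet("10.0.0.10", 21, "10.0.0.7", 40002, 1, b"331 Please specify the password\r\n"),
]

Direction = Tuple[str, int, str, int]


def conversation_key(p: Packet) -> tuple:
    """Direction-independent key so both halves of a TCP session group together."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def reassemble(packets: List[Packet]) -> Dict[tuple, Dict[Direction, bytes]]:
    """Group packets by conversation, then per direction join the payloads in
    sequence order. Gaps and overlaps are not handled in this toy."""
    grouped = defaultdict(lambda: defaultdict(list))
    for p in packets:
        grouped[conversation_key(p)][(p.src, p.sport, p.dst, p.dport)].append(p)
    streams = {}
    for conv, directions in grouped.items():
        streams[conv] = {
            direction: b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
            for direction, segs in directions.items()
        }
    return streams


def summarise(packets: List[Packet]) -> Dict[str, int]:
    """Payload bytes carried in each direction: the kind of per-conversation
    summary a protocol analyser presents."""
    totals = defaultdict(int)
    for p in packets:
        totals[f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"] += len(p.payload)
    return dict(totals)


def match_signatures(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[str, str, str]]:
    """Run each signature over the reassembled stream heading to its server port.
    Returns sorted (signature, client, server) alerts."""
    alerts = set()
    for directions in reassemble(packets).values():
        for (src, sport, dst, dport), stream in directions.items():
            for name, port, pattern in signatures:
                if dport == port and pattern in stream:
                    alerts.add((name, f"{src}:{sport}", f"{dst}:{dport}"))
    return sorted(alerts)


def match_per_packet(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[str, str, str]]:
    """The same signatures applied one packet at a time. Any pattern split across
    a segment boundary is missed, which is why reassembly comes first."""
    alerts = set()
    for p in packets:
        for name, port, pattern in signatures:
            if p.dport == port and pattern in p.payload:
                alerts.add((name, f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"))
    return sorted(alerts)


if __name__ == "__main__":
    print("reassembled:", match_signatures(SAMPLE_PACKETS))
    print("per packet: ", match_per_packet(SAMPLE_PACKETS))
    print("summary:    ", summarise(SAMPLE_PACKETS))
```

On the constructed capture the reassembled matcher raises one alert for the web request and the per-packet matcher raises none, because "/cmd.exe" is split between the two segments.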
dd is a command line utility found on Unix systems. It is used for making duplicates of files or disks in the UNIX environment. Unlike most copying utilities, dd makes an exact byte-by-byte copy of its input to its output, which makes it useful for taking physical images of evidence disks. With some imaginative thinking dd can be turned to a number of other tasks. Modified versions of dd intended specifically for use as a forensic utility are available, and there is even a secure disk eraser on a floppy that is just a stripped-down version of Linux that boots and then uses dd to overwrite a disk with all zeros.
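The imaging behaviour described above, as an added Python example that is not from the article or from any dd implementation: a block-by-block copy in the manner of dd if=... of=... bs=512 conv=noerror,sync, where an unreadable block is replaced with zeros so that every later byte keeps its original offset, followed by a hash comparison of source and image. The FlakyDevice class and the sample sector data are constructed stand-ins for a disk with one failing sector.

```python
import hashlib
import io
from typing import List, Tuple

BLOCK_SIZE = 512   # one sector, as in dd's default bs=512

# Constructed "disk" contents: 4 sectors of recognisable byte patterns.
SAMPLE_DATA = bytes(range(256)) * 8


class FlakyDevice:
    """Constructed stand-in for a block device. Reading block `bad_block`
    raises OSError, the way a failing sector does."""

    def __init__(self, data: bytes, bad_block: int = -1):
        self.data = data
        self.bad_block = bad_block

    def read_block(self, index: int) -> bytes:
        start = index * BLOCK_SIZE
        if start >= len(self.data):
            return b""                      # end of device
        if index == self.bad_block:
            raise OSError(f"I/O error reading block {index}")
        return self.data[start:start + BLOCK_SIZE]


def image_device(dev: FlakyDevice, out, noerror_sync: bool = True) -> List[int]:
    """Copy dev to out block by block. With noerror_sync (dd's conv=noerror,sync)
    an unreadable block is written as zeros and a short final block is padded,
    so every readable byte lands at its original offset in the image.
    Returns the indices of the blocks that could not be read."""
    bad_blocks = []
    index = 0
    while True:
        try:
            block = dev.read_block(index)
        except OSError:
            if not noerror_sync:
                raise                       # plain dd stops at the first error
            bad_blocks.append(index)
            block = b"\x00" * BLOCK_SIZE
        if not block:
            break
        if noerror_sync and len(block) < BLOCK_SIZE:
            block = block.ljust(BLOCK_SIZE, b"\x00")
        out.write(block)
        index += 1
    return bad_blocks


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_to_bytes(data: bytes, bad_block: int = -1) -> Tuple[bytes, List[int], bool]:
    """Image a constructed in-memory device. Returns (image, bad block list,
    whether the image hash equals the source hash). A hash mismatch together
    with a non-empty bad block list tells the examiner exactly where the copy
    is not faithful, instead of leaving a silently shifted image."""
    out = io.BytesIO()
    bad = image_device(FlakyDevice(data, bad_block), out)
    image = out.getvalue()
    return image, bad, sha256_hex(image) == sha256_hex(data)


if __name__ == "__main__":
    clean_image, bad, ok = image_to_bytes(SAMPLE_DATA)
    print("clean device: bad blocks", bad, "hashes match", ok)
    damaged_image, bad, ok = image_to_bytes(SAMPLE_DATA, bad_block=2)
    print("damaged device: bad blocks", bad, "hashes match", ok,
          "image size", len(damaged_image))
```

Recording the hash of the original alongside the image is what lets an examiner later show that the copy being analysed is the one that was taken; the zero-fill keeps the rest of the image usable when a sector cannot be read.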
The Coroner’s Toolkit is a collection of free tools designed to be used in the forensic analysis of a UNIX machine. Whereas the tools mentioned so far can be used in a wide variety of investigations, The Coroner’s Toolkit is specifically designed to be of use in the investigation of a computer break-in. The tools included help to reconstruct the activities of an intruder by, amongst other things, examining the recorded times of file accesses and recovering deleted files.
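The reconstruction from recorded file times mentioned above, as an added Python example modelled on the idea behind the toolkit's mactime (this is not the toolkit's own code): every file's modification, access and inode-change time is merged into one timeline sorted oldest first, so that a file dropped after the last legitimate change stands out. The sample tree, its paths and its timestamps are constructed; ctime cannot be set from user space, so those rows show the moment the sample tree was built.

```python
import os
import tempfile
from typing import List, Tuple

# Constructed sample tree: two "system" files with old timestamps and one file
# dropped later under a hidden directory. Epoch seconds are fixed so the
# timeline is reproducible.
SAMPLE_FILES = {
    "bin/ls": 1_000_000_000,                 # September 2001
    "etc/passwd": 1_000_000_100,
    "tmp/.hidden/tool.tgz": 1_020_000_000,   # spring 2002, the suspect file
}


def build_sample_tree() -> str:
    """Create the constructed tree in a temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="mactime-demo-")
    for rel, ts in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample content for " + rel.encode())
        os.utime(path, (ts, ts))   # set atime and mtime; ctime becomes "now"
    return root


def mac_timeline(root: str) -> List[Tuple[int, str, str]]:
    """Walk root and return (timestamp, flags, relative path) rows sorted oldest
    first. Flags: m = modified, a = accessed, c = inode changed (on Windows
    st_ctime is the creation time instead). Times that coincide for one file
    are merged into a single row, as mactime does."""
    rows = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)        # lstat does not touch the file's atime
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for ts, flag in ((st.st_mtime, "m"), (st.st_atime, "a"), (st.st_ctime, "c")):
                rows.setdefault((round(ts), rel), set()).add(flag)
    return sorted((ts, "".join(f for f in "mac" if f in flags), rel)
                  for (ts, rel), flags in rows.items())


if __name__ == "__main__":
    for ts, flags, rel in mac_timeline(build_sample_tree()):
        print(f"{ts:>12} {flags:<3} {rel}")
```

Reading the output bottom-up from the last known-good change is the usual way to spot the intruder's files; note that a later read of any file (even by the investigator) rewrites its atime, which is one reason live examination changes the evidence.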
There are a number of other utilities available to the computer forensic investigator which are used during a “live response” to an incident, a situation in which an investigator has decided to examine a computer while it is still running. Such situations are common for the Honeynet team. In the “real world”, however, examining a live system will almost certainly modify the system and lead to issues around preservation of evidence. Hence it would be best not to use tools of this nature in an incident that could lead to a court case.
Netstat is a built-in Windows tool that lists details of connections between one computer and another. In cases where there is a suspicion of unauthorised access to data, netstat can be an invaluable tool in gathering evidence which might otherwise be lost were the system to be shut down or powered off. Fport allows an investigator to identify which software applications on a computer system are communicating with, or listening for connections from, other computers. This can be of great use when an investigator suspects that a rogue program requiring network access may be running on a computer. Fport runs on Windows NT4, 2000 and XP.
The ps program on Unix and the PsList program on NT-type systems list all processes (i.e. running programs) on a system. This is useful to forensic investigators who need to track down an unauthorised program. Unauthorised programs (programs which should not be running on a system) can be harmless but may also be malicious in nature. Computers which have been infected by a virus or a Trojan Horse (a malicious program masquerading as something useful) will often exhibit unauthorised program activity.
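The live-response checks described for netstat, Fport and ps/PsList, as an added Python example that is not part of the article: parse a listing of connections with owning PIDs (the constructed sample follows the column layout of netstat -ano on Windows) and a process list (constructed, loosely in the shape of PsList output), join them on PID, and flag listeners that are absent from a baseline as well as connections to remote ports the investigator is watching. The baseline, the watched port and every address and PID are assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample in the column layout of `netstat -ano` on Windows
# (the -o column adds the owning PID). Not captured from a real system.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:1044      203.0.113.9:6667       ESTABLISHED     1532
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed process listing, loosely in the shape of PsList output:
# first column is the image name, second the PID.
PSLIST_SAMPLE = """
Name                Pid Pri Thd  Hnd
System                4   8  51  263
svchost             884   8  17  181
iexplore           1532   8   5  120
"""

# What the investigator expects to be listening on this build: (process, port).
BASELINE_LISTENERS: Set[Tuple[str, int]] = {("System", 445), ("svchost", 135)}
# Remote ports whose use from a workstation merits a closer look (6667 = IRC).
WATCHED_REMOTE_PORTS: Set[int] = {6667}


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat -ano style lines into dicts. UDP rows have no State column,
    so their PID sits one field to the left."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({
            "proto": proto, "local_host": lhost, "local_port": int(lport),
            "foreign_host": fhost,
            "foreign_port": int(fport) if fport.isdigit() else None,   # "*:*" for UDP
            "state": state, "pid": pid,
        })
    return rows


def parse_pslist(text: str) -> Dict[int, str]:
    """Map PID to image name; the header row is skipped because its second
    field is not numeric."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].isdigit():
            procs[int(fields[1])] = fields[0]
    return procs


def triage(netstat_text: str = NETSTAT_SAMPLE, pslist_text: str = PSLIST_SAMPLE,
           baseline: Set[Tuple[str, int]] = BASELINE_LISTENERS,
           watched: Set[int] = WATCHED_REMOTE_PORTS) -> List[Tuple[int, str, str]]:
    """Join sockets to processes on PID and return sorted (pid, name, reason)
    findings: listeners not in the baseline, and connections to watched ports."""
    procs = parse_pslist(pslist_text)
    findings = set()
    for row in parse_netstat(netstat_text):
        name = procs.get(row["pid"], "<unknown pid>")
        listening = row["state"] == "LISTENING" or row["proto"] == "UDP"
        if listening and (name, row["local_port"]) not in baseline:
            findings.add((row["pid"], name,
                          f"unexpected {row['proto']} listener on port {row['local_port']}"))
        if row["foreign_port"] in watched:
            findings.add((row["pid"], name,
                          f"connection to watched port {row['foreign_host']}:{row['foreign_port']}"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, name, reason in triage():
        print(f"PID {pid:<6} {name:<12} {reason}")
```

Both captures should be taken before anything else is done to the live system, since each command run afterwards adds processes and sockets of its own to the picture.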
EnCase, from Guidance Software, is a commercial software package which enables an investigator to image and examine data from hard disks, removable media (such as floppy disks and CDs) and even Palm PDAs (Personal Digital Assistants). The vast majority of law enforcement groups throughout the world use EnCase, and it has a considerable weight of precedent in its favour when choosing tools for a criminal investigation. It is accepted that this tool does not modify the data being examined. This makes it the de facto standard tool in criminal computer investigations.
The Irish Honeynet, set up by Espion, Deloitte and Data Electronics and operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.
For more information please send an email to firstname.lastname@example.org or email@example.com
Headquartered in Dun Laoghaire, Espion Ltd. is the leading supplier of best-of-breed new security technology products and services, including:
Security Products: leading-edge security products distributed through a network of resellers and partners.
Security Training: provided to clients to gain knowledge of how hackers work and how best to secure existing systems.
Irish Honeynet Project: a research project which monitors and reports on the number of hacking incidents against a number of computers presented anonymously to the internet. This project is an attempt to learn the tools, tactics and motives of the blackhat community and share the lessons learnt, as well as to qualify the hype and provide an Irish perspective with local knowledge while participating in a global initiative.
Security Services & Consultancy: including Security Overview & Assessment, Consultancy, Implementation Services, Security Audit & Penetration Services, Forensic Analysis & Forensic Investigation, Incident Response Planning & Training, and Computer Incident Response Team (CIRT).
For more information, please contact:
Jim Lehane Espion 087 234 9286
Jillian Godsil PRG 055 294 55
Tel: 00 353 55 29455
Fax: 00 353 55 29456