1 / 36

Lesson 10 Incident Response Toolkits “Who said there were no free lunches anymore?”

Lesson 10 Incident Response Toolkits “Who said there were no free lunches anymore?”. Overview. Cygwin Data Integrity Tools Drive Tools Viewers Search Tools Forensics Programs. CYGWIN. A Unix environment for Windows:

afya
Download Presentation

Lesson 10 Incident Response Toolkits “Who said there were no free lunches anymore?”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lesson 10Incident Response Toolkits“Who said there were no free lunches anymore?”

  2. Overview • Cygwin • Data Integrity Tools • Drive Tools • Viewers • Search Tools • Forensics Programs UTSA IS 6353 Security Incident Response

  3. CYGWIN • A Unix environment for Windows: • A DLL (cygwin1.dll) which acts as a UNIX emulation layer providing substantial UNIX API functionality • A collection of tools, ported from UNIX, which provide UNIX/Linux look and feel • The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE UTSA IS 6353 Security Incident Response

  4. CYGWIN • Where to get it: • www.redhat.com/download/cygwin.html • What’s included: • date time uptime uname –a • hostname whoami env • ps netstat arp UTSA IS 6353 Security Incident Response

  5. Data Integrity Tools Goal: maintain the chain of evidence and integrity of tools • Maresware’s Disk_crc • http://www.dmares.com • New Technologies Incorporated • DiskSig and CRCMD5 • www.forensics_intl.com • MD5 Summer • http://sourceforge.net/projects/md5summer UTSA IS 6353 Security Incident Response

  6. Network Tool • NetCat/Cryptcat • Creates a channel of communication between hosts • Used during forensics to create a reliable, TCP connection between the target system and the forensic workstation • Cryptcat provides for encryption http://www.l0pht.com/~weld/netcat http://farm9.com/content/Free_Tools/Cryptcat UTSA IS 6353 Security Incident Response

  7. Netcat Commands • Forensic workstation (192.168.1.1) command • E:\>nc –l –p 2222 > yourfilename • Translation: execute netcat in listen mode on port 2222 and pipe inbound traffic to “yourfilename” • Sending output from target system • A:> pslist | nc 192.168.1.1 2222 • Translation: execute pslist and pipe output to netcat and netcat will transmit to 192.168.1.1 port 2222 UTSA IS 6353 Security Incident Response

  8. Netcat in Action Forensics Workstation Hacked Machine time date loggedon fport pslist Nbtstat - c • Run trusted commands on Hacked Machine • Send output of commands to forensics workstation using netcat • Perform off-line review • MD5SUM output files UTSA IS 6353 Security Incident Response

  9. Netcat Command Sequence Forensics Workstation 192.168.1.1 Hacked Machine time date loggedon fport pslist Nbtstat - c A:>time | nc 192.168.1.1 2222 A:>date | nc 192.168.1.1 2222 * * A:>Nbtstat – c | nc 192.168.1.1 2222 C:>nc – l – p 2222 > forensics.txt C:>md5sum forensics.txt > ????? UTSA IS 6353 Security Incident Response

  10. Drive Tools Goal: allow collection of various hard/floppy/CD forensics • Partition Tools • fdisk (for Linux, DOS version obsolete) • Partinfo (free ftp://ftp.powerquest.com/pub/utilities) • PartitionMagic(includes Partinfo but cost $) • CD-R Utilities • CD-R Diagnostics (www.cdrom-prod.com/software.html) • Unerase Tools • Windows: Norton Utilities Diskedit & unerase • Unix: e2recover (www.praeclarus.demon.co.uk) • FilesScavenger (www.quetek.com/) UTSA IS 6353 Security Incident Response

  11. Drive Tools(2) • Drive Imagers • NTI’s SafeBack (www.forensics-intl.com) • SnapBack (www.cdp.com) • Ghost (www.symantec.com) • Dd—the Unix command • Disk Wipers • DiskScrub from NTI UTSA IS 6353 Security Incident Response

  12. File Viewers Goal: allow investigator to discover, view, and analyze files on all operating systems • QuickViewPlus – (www.jasc.com) • Views over 200 file types • Conversion Plus (www.dataviz.com) • Views Mac files on Windows • ThumbsPlus – (www.cerious.com) • Catalogs and displays all image files UTSA IS 6353 Security Incident Response

  13. Search Tools Goal: find keywords pertinent to investigation • NTI;s dtSearch (www.forensics-intl.com) • Searches text files including Outlook .pst files • Danny Mares StringSearch (www.maresware.com) • Hidden Streams • SFind (www.foundstone.com) • Streams (www.sysinternals.com/ntw2k/source/misc.html) UTSA IS 6353 Security Incident Response

  14. Forensics Programs • Focus: collect and analyze data • Forensic Toolkit – www.foundstone.com • Focus is on Windows NT systems • The Coroners Toolkit (TCT) – www.fish.com • Investigates a hacked Unix host • graverobber • mac utility • unrm utility • lazarus tool UTSA IS 6353 Security Incident Response

  15. Forensics Programs(2) • New Technologies Inc (NTI) – www.forensics-intl.com • Command-line tools that run very fast • CRCMD5 DiskScrub DiskSig • FileList—sorts files by last use • GetFree—captures unallocated data • GetSlack—Captures file slack • Net Threat Analyzer—Internet Abuse Analyzer • PTable –analyze/document hard drive partitions • TextSearch Plus UTSA IS 6353 Security Incident Response

  16. Forensics Programs(3) • ForenSix by Dr. Fred Cohen • www.all.net • Runs on Linux but can access many different file systems • EnCase (www.encase.com) • Claims to be the only fully integrated Windows-based forensics application UTSA IS 6353 Security Incident Response

  17. Foundstone Toolshttp://www.foundstone.com/resources/forensics.htm • Pasco 1.0 – IE activity forensic tool • Galleta 1.0 – Examine content of cookie files from IE • Rifiuti 1.0 – Examine Info2 file in the Recycle Bin • Vision 1.0 – Reports open TCP/UDP ports and maps to owning process • NTLast 3.0 – Security Log Analyzer • ShoWin 2.0 – Show information about Windows • BinText 3.0 - Finds strings in a file • Patchit 2.0 – Binary file byte patching program UTSA IS 6353 Security Incident Response

  18. Vision System Info

  19. Vision Processes View

  20. Vision Services View

  21. Vision Services View

  22. File Watch

  23. Sysinternals Toolshttp://www.sysinternals.com/ntw2k/utilities.shtml • Monitoring Tools • Diskmon 1.1 – monitors disk activity • Filemon 1.1 – monitors file activity • ListDLLs 2.23 – List all currently loaded DLLs • NTFSInfo—Gives size and location of MFT • Portmon 3.02—monitors serial and parallel ports • Process Explorer 6.03 – find our what files, registry keys, and other objects process which DLLs • PSTools 1.82 • Regmon 6.06 – monitors registry activity UTSA IS 6353 Security Incident Response

  24. Sysinternals Tools(2) • Utilities • AccessEnum 1.0 – used to find holes in file permissions • NTRecover 1.0 – access dead NT disks over a serial connection • NTFSDOS 3.02 – Access NTFS drives read-only from DOS • Remote Recover 2.0-- access dead NT disks over a network connection UTSA IS 6353 Security Incident Response

  25. pstools

  26. pslist

  27. pslist

  28. Process Explorer-View 1

  29. Process Explorer-View 2

  30. FILEMON

  31. REGMON

  32. TCP/IP Monitor One Sinlge IE Access to One Web Site

  33. Other Useful Tools • Password Crackers (see pg 145) • L0phtCrack – www.atstake.com • John the Ripper – www.openwall.com/john • Chntpw – home.eunet.no/~pnordahl/ntpasswd • Fast ZipCracker – www.netgate.com.uy/~fpapa • AccessData – www.accessdata.com • Provides entry to a wide range of application encrypted files • Elcom – www.elcomsoft.com UTSA IS 6353 Security Incident Response

  34. Other Useful Tools(2) • Internet References • Matching Hardware Types to MAC addresses • www.cavebear.com/CaveBear/Ethernet/vendor.html • Proxy Servers available to the Public • www.proxys4all.com • List of Defaced Web sites • www.attrition.org • List of HTTP status codes • www.w3.org/Protocols/HTTP/HTRESP.html • File Formats and Header Specifications • www.wotsit.org UTSA IS 6353 Security Incident Response

  35. McAfee Visual Trace Hostile Activity From China

  36. Summary Lots of free lunches out there when it comes to forensic tools and utilities…do some research! UTSA IS 6353 Security Incident Response

More Related