360 likes | 541 Views
Lesson 10 Incident Response Toolkits “Who said there were no free lunches anymore?”. Overview. Cygwin Data Integrity Tools Drive Tools Viewers Search Tools Forensics Programs. CYGWIN. A Unix environment for Windows:
E N D
Lesson 10Incident Response Toolkits“Who said there were no free lunches anymore?”
Overview • Cygwin • Data Integrity Tools • Drive Tools • Viewers • Search Tools • Forensics Programs UTSA IS 6353 Security Incident Response
CYGWIN • A Unix environment for Windows: • A DLL (cygwin1.dll) which acts as a UNIX emulation layer providing substantial UNIX API functionality • A collection of tools, ported from UNIX, which provide UNIX/Linux look and feel • The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE UTSA IS 6353 Security Incident Response
CYGWIN • Where to get it: • www.redhat.com/download/cygwin.html • What’s included: • date time uptime uname –a • hostname whoami env • ps netstat arp UTSA IS 6353 Security Incident Response
Data Integrity Tools Goal: maintain the chain of evidence and integrity of tools • Maresware’s Disk_crc • http://www.dmares.com • New Technologies Incorporated • DiskSig and CRCMD5 • www.forensics_intl.com • MD5 Summer • http://sourceforge.net/projects/md5summer UTSA IS 6353 Security Incident Response
Network Tool • NetCat/Cryptcat • Creates a channel of communication between hosts • Used during forensics to create a reliable, TCP connection between the target system and the forensic workstation • Cryptcat provides for encryption http://www.l0pht.com/~weld/netcat http://farm9.com/content/Free_Tools/Cryptcat UTSA IS 6353 Security Incident Response
Netcat Commands • Forensic workstation (192.168.1.1) command • E:\>nc –l –p 2222 > yourfilename • Translation: execute netcat in listen mode on port 2222 and pipe inbound traffic to “yourfilename” • Sending output from target system • A:> pslist | nc 192.168.1.1 2222 • Translation: execute pslist and pipe output to netcat and netcat will transmit to 192.168.1.1 port 2222 UTSA IS 6353 Security Incident Response
Netcat in Action Forensics Workstation Hacked Machine time date loggedon fport pslist Nbtstat - c • Run trusted commands on Hacked Machine • Send output of commands to forensics workstation using netcat • Perform off-line review • MD5SUM output files UTSA IS 6353 Security Incident Response
Netcat Command Sequence Forensics Workstation 192.168.1.1 Hacked Machine time date loggedon fport pslist Nbtstat - c A:>time | nc 192.168.1.1 2222 A:>date | nc 192.168.1.1 2222 * * A:>Nbtstat – c | nc 192.168.1.1 2222 C:>nc – l – p 2222 > forensics.txt C:>md5sum forensics.txt > ????? UTSA IS 6353 Security Incident Response
Drive Tools Goal: allow collection of various hard/floppy/CD forensics • Partition Tools • fdisk (for Linux, DOS version obsolete) • Partinfo (free ftp://ftp.powerquest.com/pub/utilities) • PartitionMagic(includes Partinfo but cost $) • CD-R Utilities • CD-R Diagnostics (www.cdrom-prod.com/software.html) • Unerase Tools • Windows: Norton Utilities Diskedit & unerase • Unix: e2recover (www.praeclarus.demon.co.uk) • FilesScavenger (www.quetek.com/) UTSA IS 6353 Security Incident Response
Drive Tools(2) • Drive Imagers • NTI’s SafeBack (www.forensics-intl.com) • SnapBack (www.cdp.com) • Ghost (www.symantec.com) • Dd—the Unix command • Disk Wipers • DiskScrub from NTI UTSA IS 6353 Security Incident Response
File Viewers Goal: allow investigator to discover, view, and analyze files on all operating systems • QuickViewPlus – (www.jasc.com) • Views over 200 file types • Conversion Plus (www.dataviz.com) • Views Mac files on Windows • ThumbsPlus – (www.cerious.com) • Catalogs and displays all image files UTSA IS 6353 Security Incident Response
Search Tools Goal: find keywords pertinent to investigation • NTI;s dtSearch (www.forensics-intl.com) • Searches text files including Outlook .pst files • Danny Mares StringSearch (www.maresware.com) • Hidden Streams • SFind (www.foundstone.com) • Streams (www.sysinternals.com/ntw2k/source/misc.html) UTSA IS 6353 Security Incident Response
Forensics Programs • Focus: collect and analyze data • Forensic Toolkit – www.foundstone.com • Focus is on Windows NT systems • The Coroners Toolkit (TCT) – www.fish.com • Investigates a hacked Unix host • graverobber • mac utility • unrm utility • lazarus tool UTSA IS 6353 Security Incident Response
Forensics Programs(2) • New Technologies Inc (NTI) – www.forensics-intl.com • Command-line tools that run very fast • CRCMD5 DiskScrub DiskSig • FileList—sorts files by last use • GetFree—captures unallocated data • GetSlack—Captures file slack • Net Threat Analyzer—Internet Abuse Analyzer • PTable –analyze/document hard drive partitions • TextSearch Plus UTSA IS 6353 Security Incident Response
Forensics Programs(3) • ForenSix by Dr. Fred Cohen • www.all.net • Runs on Linux but can access many different file systems • EnCase (www.encase.com) • Claims to be the only fully integrated Windows-based forensics application UTSA IS 6353 Security Incident Response
Foundstone Toolshttp://www.foundstone.com/resources/forensics.htm • Pasco 1.0 – IE activity forensic tool • Galleta 1.0 – Examine content of cookie files from IE • Rifiuti 1.0 – Examine Info2 file in the Recycle Bin • Vision 1.0 – Reports open TCP/UDP ports and maps to owning process • NTLast 3.0 – Security Log Analyzer • ShoWin 2.0 – Show information about Windows • BinText 3.0 - Finds strings in a file • Patchit 2.0 – Binary file byte patching program UTSA IS 6353 Security Incident Response
Sysinternals Toolshttp://www.sysinternals.com/ntw2k/utilities.shtml • Monitoring Tools • Diskmon 1.1 – monitors disk activity • Filemon 1.1 – monitors file activity • ListDLLs 2.23 – List all currently loaded DLLs • NTFSInfo—Gives size and location of MFT • Portmon 3.02—monitors serial and parallel ports • Process Explorer 6.03 – find our what files, registry keys, and other objects process which DLLs • PSTools 1.82 • Regmon 6.06 – monitors registry activity UTSA IS 6353 Security Incident Response
Sysinternals Tools(2) • Utilities • AccessEnum 1.0 – used to find holes in file permissions • NTRecover 1.0 – access dead NT disks over a serial connection • NTFSDOS 3.02 – Access NTFS drives read-only from DOS • Remote Recover 2.0-- access dead NT disks over a network connection UTSA IS 6353 Security Incident Response
TCP/IP Monitor One Sinlge IE Access to One Web Site
Other Useful Tools • Password Crackers (see pg 145) • L0phtCrack – www.atstake.com • John the Ripper – www.openwall.com/john • Chntpw – home.eunet.no/~pnordahl/ntpasswd • Fast ZipCracker – www.netgate.com.uy/~fpapa • AccessData – www.accessdata.com • Provides entry to a wide range of application encrypted files • Elcom – www.elcomsoft.com UTSA IS 6353 Security Incident Response
Other Useful Tools(2) • Internet References • Matching Hardware Types to MAC addresses • www.cavebear.com/CaveBear/Ethernet/vendor.html • Proxy Servers available to the Public • www.proxys4all.com • List of Defaced Web sites • www.attrition.org • List of HTTP status codes • www.w3.org/Protocols/HTTP/HTRESP.html • File Formats and Header Specifications • www.wotsit.org UTSA IS 6353 Security Incident Response
McAfee Visual Trace Hostile Activity From China
Summary Lots of free lunches out there when it comes to forensic tools and utilities…do some research! UTSA IS 6353 Security Incident Response