What type of records are considered data that the system maintains such as system log files and proxy server logs?

Collecting the Volatile Data from a Router

Dale Liu, in Cisco Router and Switch Forensics, 2009

Analyzing What Happened

In collecting volatile evidence from a Cisco router, you are attempting to analyze network activity to discover the source of security policy violations or a data or system breach. The forensic analysis of a Cisco router is straightforward in theory, but complicated in practice due to the volatility of the evidence. Much of the data that you collect will not be of use to the analysis, but without it, you cannot demonstrate a systematic process.

Routers are not a goal in themselves, but act as platforms for other attacks. Routers are used to drill into networks, bypassing firewalls and intrusion detection systems (IDSs), and to attack other organizations or systems.

Your goal is to be able to use the evidence you have collected to analyze behavior and pinpoint any anomalous or harmful behavior. This can aid in reconstructing what occurred. This process adds evidence as to which activities occurred and how these have led to a breach or other incident.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494182000090

Collecting the Non-Volatile Data from a Router

Dale Liu, in Cisco Router and Switch Forensics, 2009

Log Files

Router log files are valuable non-volatile evidence, and in an incident investigation you should handle them like any other evidence:

Make a copy of the original log files. Sign and date the copy.

Create an MD5 hash of the log file to later prove it was not modified.

Never work with the original; work only with the copy.
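The copy-and-hash procedure above, as an added example that is not part of the chapter: it copies the original log (preserving timestamps), records MD5 as the chapter prescribes alongside SHA-256 as a stronger companion, writes a dated custody record naming the examiner, and re-verifies the copy so that any later modification is detected. The log content, directory layout and examiner name are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample router log content (not from the original page).
SAMPLE_LOG = (
    b"Mar  5 10:15:01 rtr1 11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    b"[Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]\n"
    b"Mar  5 10:18:02 rtr1 18: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    b"198.51.100.23(40213) -> 10.0.0.1(23), 1 packet\n"
)


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks. MD5 follows the chapter; SHA-256 is the stronger companion."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def expected_hashes(data=SAMPLE_LOG, algorithms=("md5", "sha256")):
    """Reference hashes of the in-memory sample, used to cross-check file hashing."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def preserve_log(original, evidence_dir, examiner):
    """Copy the original, hash original and copy, and write a dated custody record.

    The record carries the examiner's name and a UTC timestamp; the physical or
    digital signature on the copy is a separate step outside this script.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    working_copy = os.path.join(evidence_dir, os.path.basename(original) + ".copy")
    shutil.copy2(original, working_copy)  # copy2 preserves the file's timestamps
    original_hashes = hash_file(original)
    copy_hashes = hash_file(working_copy)
    if original_hashes != copy_hashes:
        raise RuntimeError("working copy does not match the original; stop and re-copy")
    record = {
        "original": os.path.abspath(original),
        "working_copy": os.path.abspath(working_copy),
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": copy_hashes,
    }
    with open(working_copy + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_copy(record):
    """Re-hash the working copy and compare against the recorded hashes."""
    return hash_file(record["working_copy"]) == record["hashes"]


def demo():
    """Run the procedure on the constructed sample, then show that tampering is detected."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "router.log")
    with open(original, "wb") as fh:
        fh.write(SAMPLE_LOG)
    record = preserve_log(original, os.path.join(tmp, "evidence"), "examiner-placeholder")
    copy_verified = verify_copy(record)
    # Simulate a modified working copy: verification must now fail.
    with open(record["working_copy"], "ab") as fh:
        fh.write(b"tampered\n")
    verified_after_tamper = verify_copy(record)
    shutil.rmtree(tmp, ignore_errors=True)
    return {
        "record": record,
        "copy_verified": copy_verified,
        "verified_after_tamper": verified_after_tamper,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```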

Of particular interest in router log files are failed authentication attempts, which may indicate a brute-force attack on the router's administrative passwords, and denied connections, especially those from outside the network, as they may indicate unauthorized attempts to access network resources.

Are You Owned?

Is the Router Configured to Defend against a Brute-Force Attack?

Starting with IOS Version 12.3(4)T, Cisco built in facilities to help mitigate brute-force attacks on the router's administrative passwords:

Create delays between successive login attempts

Disallow login if there are too many failed login attempts

Create messages in the system log or send SNMP traps that alert/record additional information about failed and disallowed logins
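The log review described above (failed logins, denied connections from outside, and the login-block messages), as an added detection example that is not part of the chapter. The syslog lines are constructed in the style of IOS login and ACL-logging messages; the internal address ranges and the failure threshold are assumptions to adjust for a real network.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the style of IOS login-block and ACL-logging
# messages (not taken from the original page). Hosts, users and addresses are made up.
SAMPLE_SYSLOG = """\
Mar  5 10:15:01 rtr1 11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:01 UTC Tue Mar 5 2024
Mar  5 10:15:03 rtr1 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:03 UTC Tue Mar 5 2024
Mar  5 10:15:05 rtr1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:05 UTC Tue Mar 5 2024
Mar  5 10:15:07 rtr1 14: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 53 secs, [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:15:07 UTC Tue Mar 5 2024
Mar  5 10:15:30 rtr1 15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jsmith] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:15:30 UTC Tue Mar 5 2024
Mar  5 10:15:41 rtr1 16: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 10.0.0.5] [localport: 22] at 10:15:41 UTC Tue Mar 5 2024
Mar  5 10:17:20 rtr1 17: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 10:17:20 UTC Tue Mar 5 2024
Mar  5 10:18:02 rtr1 18: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(40213) -> 10.0.0.1(23), 1 packet
Mar  5 10:18:05 rtr1 19: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(51002) -> 10.0.0.1(23), 1 packet
Mar  5 10:18:09 rtr1 20: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.23 -> 10.0.0.1 (8/0), 1 packet
Mar  5 10:19:00 rtr1 21: %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (10.0.0.5)
"""

# Assumption: RFC 1918 space is "inside"; everything else is treated as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Login-block events; user/source fields are optional because QUIET_MODE_OFF has none.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS|QUIET_MODE_ON|QUIET_MODE_OFF):"
    r"(?:.*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\])?"
)
# ACL log entries; ports are optional (ICMP entries carry type/code instead).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
)


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for login-block or ACL-denied lines, None for anything else."""
    m = LOGIN_RE.search(line)
    if m:
        return {"kind": "login", "event": m["event"], "user": m["user"], "src": m["src"]}
    m = ACL_RE.search(line)
    if m:
        return {"kind": "acl_denied", "acl": m["acl"], "proto": m["proto"],
                "src": m["src"], "dst": m["dst"], "dport": m["dport"]}
    return None


def analyze(syslog_text, fail_threshold=3):
    """Summarize the indicators the chapter tells you to look for in router logs."""
    failed = defaultdict(int)
    successes = []
    external_denied = []
    quiet_mode = False
    for line in syslog_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "login":
            if ev["event"] == "LOGIN_FAILED":
                failed[ev["src"]] += 1
            elif ev["event"] == "LOGIN_SUCCESS":
                successes.append((ev["user"], ev["src"]))
            elif ev["event"] == "QUIET_MODE_ON":
                quiet_mode = True  # the router's own brute-force defence engaged
        elif ev["kind"] == "acl_denied" and is_external(ev["src"]):
            external_denied.append((ev["src"], ev["dst"], ev["dport"]))
    brute = sorted(src for src, n in failed.items() if n >= fail_threshold)
    return {
        "failed_by_source": dict(failed),
        "brute_force_sources": brute,
        # A success from a source that was guessing is the finding that matters most.
        "suspicious_successes": [s for s in successes if s[1] in brute],
        "external_denied": external_denied,
        "quiet_mode_triggered": quiet_mode,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```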

Other areas of concern really depend on the type of incident. Here is a starting point to go by (this is by no means a complete list):

DDoS attack

There are many types of DDoS attacks. Your first clue is higher than normal traffic on any given protocol. In today's world of botnets a DDoS typically uses legitimate-looking traffic, but enormous amounts of it, sent from an army of bots within the botnet. Today, gigabytes of legitimate-looking traffic can be sourced from a botnet and easily take down any intended victim.

Are You Owned?

Malicious Attacks Often Use Packets with IP Options Set. Do You Drop Them?

Packets with IP Options set are common in attacks, and relatively few applications use IP Options; hence, there is little risk in dropping packets that have IP Options set. Further, if the router was configured to drop packets with IP Options set, using the show ip traffic command can provide a quick heads-up that you may be under attack by looking at the number of packets dropped because the packet's IP Options flag was set.

To configure the router to drop all packets with IP Options set:

Router(config)# ip options drop

PI breach

Increased protocol usage indicating large file transfers outside the network

Regular data transfers to an unknown outside host

Unusual increased usage of a protocol. Malicious hackers know you are looking at protocols such as Simple Mail Transfer Protocol (SMTP) with your Data Leakage Protection (DLP) mechanisms for outbound PI, and often encapsulate their stolen data in obscure protocols (even in DNS lookups).

Sniffing

Traffic forwarded to an unfamiliar network segment.

Unexpected GRE tunnels

A great source of information on identifying incidents using router log files is available at www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html

Other valuable references include:

www.ciscosystems.com/en/US/products/products_applied_mitigation_bulletin09186a0080a01521.html

www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

www.cwu.edu/~networks/intrusion_detection1.html

www.ahtcc.gov.au/faq/incident_response_guidelines.html

http://staff.science.uva.nl/~demch/worksinprogress/sec-inchtools.html

URL: https://www.sciencedirect.com/science/article/pii/B9781597494182000089

Incident Response

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

8.6.11.20 Pagers

8.6.11.20.1 Description

A pager is a handheld, portable electronic device that can contain volatile evidence (telephone numbers, voice mail, e-mail messages). Early pagers only produced a sound, but more modern ones can send and receive messages and e-mail. Cell phones, smart phones, and PDAs can all be used as paging devices.

8.6.11.20.2 Primary Use

The primary use of a pager is to send and receive electronic messages, which can be numeric (phone numbers, etc.) and alphanumeric (text, often including e-mail).

8.6.11.20.3 Potential Evidence Obtainable

text messages;

e-mail messages;

voice messages;

phone numbers.

8.6.11.20.4 Possible Issues with the Evidence

as pagers are battery powered, volatile memory may be lost when the battery power is lost.

8.6.11.20.5 Process of Seizing the Evidence

where a pager is seized, all associated manuals and charging equipment should be seized;

pack in original packaging, if possible. If not possible, ensure that the phone is protected from accidental damage during transit;

update seizure records.

URL: https://www.sciencedirect.com/science/article/pii/B978159749742800008X

Collecting evidence

John Sammons, in The Basics of Digital Forensics (Second Edition), 2015

Order of volatility

It’s a good idea to prioritize the evidence to be collected. Generally, we want to start with the most volatile evidence first. In computer parlance, this is known as the order of volatility. This descending list works from the most volatile (RAM) to the least volatile (archived data). The order of volatility is:

1. CPU, cache, and register content

2. Routing table, ARP cache, process table, kernel statistics

3. Memory

4. Temporary file system/swap space

5. Data on hard disk

6. Remotely logged data

7. Data contained on archival media

(Henry, 2009)

URL: https://www.sciencedirect.com/science/article/pii/B9780128016350000048

Antiforensics

Brett Shavers, John Bair, in Hiding Behind the Keyboard, 2016

Planning Against Antiforensics

Investigating high-tech criminals assumes that antiforensic methods are employed on any devices used. Before the common use of whole disk encryption, computer systems were shut down by pulling the plug from the back of the machine and creating a forensic image of the internal hard drive. Using this method today on an adversary would most likely be the best antiforensics method because shutting down the computer will lock the data with whole disk encryption, courtesy of the investigator pulling the plug.

Practically speaking, whole disk encryption is secure enough to prevent forensic analysis without having the decryption key. Additionally, live memory contains volatile evidence, such as passwords, chats, and more pertinent information needed for an investigation which should be captured before the computer is shut down. For these reasons alone, the best counter is to protect the machine when it is on and unprotected, especially when an entire investigation hinges upon a single device.

Hey, Look Over There!

Sometimes, low tech beats high tech

The undercover operation to seize the laptop of Silk Road’s Ross Ulbricht (United States of America v. Ross William Ulbricht, 2014) involved staging a distraction at a public library behind Ulbricht to divert his attention away from his unencrypted laptop. As soon as Ulbricht turned away from his laptop to look at the distraction, a plainclothes agent grabbed his laptop, preventing Ulbricht from turning it off or locking it. A simple grab of the laptop beat whole disk encryption (Greenberg, 2015).

To counter some methods of antiforensics, low-tech means may be the best or only way to defeat high-tech protections such as data wiping and encryption. A good interviewer can sway a suspect to cooperate, confess or admit to crimes, and give up passwords. The better method is gaining access to evidence without relying on the suspect’s cooperation, such as in Ulbricht’s case where his cooperation was not guaranteed and unknowable. The difference between seizing an unencrypted device and an encrypted device is the difference between having all the evidence and no evidence.

Seizing a computer device is not like seizing any other type of evidence item. An encrypted computer is virtually useless as evidence if the data cannot be accessed. Such as in the Silk Road case, where Ulbricht’s laptop was seized when unencrypted, operations to serve warrants must consider the same type of distractions and methods to seize devices when in use or unencrypted. This is certainly easier to do in public than in a private residence. A suspect at the keyboard may have to be physically pulled away from a computer if the computer cannot be pulled from the suspect. An example would be at a desktop computer at a library, hotel lobby, or workplace. Even then, effort must be taken to ensure the computer is currently unencrypted and unlocked by either looking at the monitor or perhaps monitoring the suspect’s activity in a chat forum or other online activity that can be seen online from another location.

URL: https://www.sciencedirect.com/science/article/pii/B9780128033401000070

The Computer Investigation Process

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Evidence Assessment

The final step in evidence assessment specifically deals with the evidence itself. You should identify the stability of the evidence, and collect the most volatile evidence first before moving to nonvolatile evidence. In doing so, you should prioritize the collection and acquisition of evidence so that the evidence that is most likely to contain what you're searching for is examined first. For example, if a border guard discovered that someone had child pornography as the wallpaper on a laptop, you would obviously want to acquire evidence from the laptop and examine it first, before moving on to any CDs, DVDs, and other media that may also have been collected. Throughout this process, you should document any actions taken, and determine the best methods of relating that information. This may include taking notes, making diagrams, photographing items, or utilizing features available through forensic software.

When evidence needs to be transported, you should evaluate the condition and vulnerability of the items. Certain devices such as PDAs, cell phones, and laptops could simply be packaged in an evidence bag, whereas circuit boards and individual hard disks should first be stored in antistatic bags. In some cases, an investigator may also need to provide continuous electric power to battery-operated devices such as laptops that are low in power so that any volatile evidence isn't lost before it is delivered to you. Once the evidence has been acquired, you should then place the evidence in a secure location that is free of electromagnetic interference.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000054

The Foundations of Digital Forensics

Larry E. Daniel, Lars E. Daniel, in Digital Forensics for Legal Professionals, 2012

4.3.1 Volatile data and live forensics

Some evidence is only present while a computer or server is in operation and is lost if the computer is shut down. Evidence that is only present while the computer is running is called volatile evidence and must be collected using live forensic methods. This includes evidence that is in the system’s RAM (Random Access Memory), such as a program that only is present in the computer’s memory. These programs are considered TSRs or Terminate and Stay Resident programs. Many types of malware such as Trojan horse programs, viruses, and worms are designed to be only memory-resident programs, present in the computer’s memory when it is operating, and they disappear when the computer is turned off, in many cases leaving no traces. There are also many types of other volatile evidence that are only available while the computer is running, including certain temporary files, log files, cached files, and passwords. RAM is cleared when the computer is turned off and any data that is present is lost. This can be a critical step if there is suspicion that any kind of data encryption is enabled that prevents the hard drive or portions of the hard drive from being viewed. In many cases the only way to recover the password needed to remove the encryption on a hard drive is to collect the “live memory” before the computer is turned off. Also, if the computer is running, the encrypted portion of the data storage would be accessible, but only until the computer is turned off, making it essential that the hard drive is copied while the computer is still turned on. There are tools available to make copies of RAM and hard drives on running computers and line-of-business servers that cannot be shut down, and still ensure that those copies are forensically sound.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496438000043

Digital Forensics

J. Sammons, in Introduction to Information Security, 2014

Conducting and Documenting a Live Collection

When interacting with a live machine, it's best to always choose the least-invasive approach possible. This will require thinking before clicking. Haste is not helpful in this situation. Collect the most volatile information first, by the order of volatility.

Properly conducting a live collection requires focus and attention to detail. Once started, one must work uninterrupted until the process is complete. To do otherwise only invites mistakes. Before getting underway, gather all required tools such as report forms, pens, and memory capture tools. Detailed documentation is essential for a complete record of each and every interaction with the system. These details can be used to determine what changes, if any, were made to the system during the process. Every interaction with the system (and its response) should be noted.

The Association of Chief Police Officers (ACPO) [7] offers the following advice regarding the capture of live data:

By profiling the forensic footprint of trusted volatile data forensic tools, an investigator will be in a position to understand the impact of using such tools and will therefore consider this during the investigation and when presenting evidence. A risk assessment must be undertaken at the point of seizure, as per normal guidelines, to assess whether it is safe and proportional to capture live data which could significantly influence an investigation.

Considering a potential Trojan defense, investigators should consider collecting volatile evidence. Very often, this volatile data can be used to help an investigator support or refute the presence of an active backdoor.

The recommended approach towards seizing a machine whilst preserving network and other volatile data is to use a sound and predetermined methodology for data collection. It may be worthwhile considering the selected manual closure of various applications, although this is discouraged unless specific expert knowledge is held about the evidential consequences of doing so.

For example, closing Microsoft Internet Explorer will flush data to the hard drive, thus benefiting the investigation and avoiding data loss. However, doing this with certain other software, such as KaZaA, could result in the loss of data.

It is important to realize that the behaviors of specific applications are subject to change at any given time. Just because a specific version of a web browser, for example, will flush data to the drive when closed, does not mean the next version will do the same.

More Advanced Forensic Tools

There are a wide variety of forensic tools available today that can increase the efficiency of the entire forensic process. These tools can come in the form of hardware and software. There are open-source and commercial tools available on the market. There are advantages and disadvantages to both. Cost is one factor. The cost of commercial forensic hardware and software can be quite high. In addition to the purchase price, most tools require an annual license fee for maintenance and support. Open-source tools are attractive from a cost perspective, but the support will likely be less than that provided with commercial tools.

There are general forensic tools that provide a wide range of functionality and there are tools that perform a more specific function. More targeted tools can provide better functionality. General tools can be compared to Swiss Army knives, as they have multiple functions. Two of the most widely used general exam and analysis tools are Guidance Software's EnCase and AccessData's Forensic Toolkit (FTK). The SANS Investigative Forensic Toolkit (SIFT) is a widely used open-source tool.

With the wide array of potential evidentiary sources, specialized collection tools are often needed. Cell phones are an excellent example. Specialized commercial hardware is available that greatly enables and enhances the forensic analysis of cellular phones. Cellebrite manufactures one of the most widely used commercial tools for the forensic analysis of cell phones.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499699000134

Collecting and Preserving Digital Evidence

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Collecting Digital Evidence

A network administrator or another member of the IT staff will often be the first person to become aware of a cybercrime in a corporate setting, and the IT incident response team (if the company has one) will take the initial steps to stop the crime in progress and “freeze” the crime scene before law enforcement personnel take over. Even after the police are called in, the process of collecting digital evidence usually involves several people, who we previously discussed in detail in Chapter 5:

First responders, who are officers or official security personnel who arrive first at the crime scene. These people are responsible for identifying the crime scene, protecting it, and preserving evidence.

Investigators, or an investigative team, who are responsible for establishing a chain of command, conducting a search of the crime scene, and maintaining the integrity of the evidence.

Crime scene technicians and specialists, who are called out to process the evidence, and who are responsible for preserving volatile evidence (which we'll discuss later in this chapter), duplicating disks, and preparing evidence for transport (including shutting down systems, and packaging, tagging, and logging evidence).

It is important that one person be designated in charge of the scene and be given the authority to make final decisions as to how the scene will be secured, how the search will be conducted, and how the evidence will be handled. This is usually the role of the senior investigator. It is equally important that each member of this team understand his or her role and adhere to it. The ability of the team to work together is essential to the successful collection of evidence.

Evidence Collection

Collection is a practice consisting of the identification, processing, and documentation of evidence. When collecting evidence, a crime scene technician will start by identifying what evidence is present and where it is located. For example, if someone broke into the server room and changed permissions on the server, the room and server would be where you would find evidence. When establishing this, the crime scene technician will then ensure that the crime scene has been secured, and that others have been prevented from entering the area and accessing the evidence. If the area wasn't secured, suspects could enter the area and alter or contaminate evidence. For example, if fingerprints were being taken to determine who broke into the server room, merely touching the door and other items would distort any findings. Maybe the perpetrator left the fingerprints while in the process of breaking in, or maybe someone else left them when the crime scene was not secure.

Once the evidence that is present has been identified, the next step is to identify how the evidence can be recovered. Evidence on computers may be obtained in a variety of ways, from viewing log files to recovering the data with special forensic software. If data recovery is needed, the computer's operating system should be identified, along with the media used to store the evidence. Once you've determined this, it is then possible to decide on the techniques and tools needed to recover the data.

In addition to photographing the screen of a computer to record any volatile data that's displayed, you should also photograph how the equipment is set up. When you've transported the equipment and are ready to begin examining it, you will need to set it up exactly as it was at the crime scene. After the case is completed, setup may also be required if the equipment is returned to the owner. To ensure that the equipment is set up properly, you should photograph the front and back of the machine upon seizing it. Photographs or diagrams should be made showing how cables and wires were attached.

Backup media should also be collected, as analyzing any backup tapes may show that an incident began earlier than expected. In some cases, you may find that data that was backed up days or even weeks before shows that an intruder entered a system, or a virus infected data on hard disks. If this were undetected, it is possible that you could unknowingly restore a virus to the system as part of the recovery process, and create a repeat of the initial incident.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000157

Network Investigations

Eoghan Casey, ... Terrance Maguire, in Handbook of Digital Forensics and Investigation, 2010

Introduction

Tracking down computer criminals generally requires digital investigators to follow the cybertrail between the crime scene and the offender's computer. The cybertrail can cross multiple networks and geographical boundaries, and can be comprised of many different kinds of digital evidence including proxy and firewall logs, intrusion detection systems, and captured network traffic. Dialup server logs at the suspect's Internet Service Provider (ISP) may show that a specific IP address was assigned to the suspect's user account at the time. The ISP may also have Automatic Number Identification (ANI) logs—effectively Caller-ID—connecting the suspect's home telephone number to the dialup activity. Routers on the ISP network that connect the suspect's computer to the Internet may have associated NetFlow logs containing additional information about the network activities under investigation. Each of these logs would represent steps on the trail.

Ideally, each step in the cybertrail can be reconstructed from one or more records from this evidence, enabling digital investigators to connect the dots between the crime scene and the offender's computer and establish the continuity of offense. If there is more than one type of evidence for a particular step, so much the better for correlation and corroboration purposes. Your reconstruction of events is like a scientific hypothesis. The more evidence you collect that is consistent with the hypothesis, the stronger the case for that hypothesis becomes.

Networks present investigators with a number of challenges. When networks are involved in a crime, evidence is often distributed across many computers, making collection of all hardware, or even the entire contents of a network, infeasible. Also, evidence is often present on a network for only a split second—the windows of opportunity for collecting such volatile evidence are very small. Additionally, encryption software is becoming more commonplace, allowing criminals to scramble incriminating evidence using very secure encoding schemes. Furthermore, unlike crime in the physical world, a criminal can be in several places on a network at any given time. A solid comprehension of computer networks and the application of forensic science principles to this technology is a prerequisite for anyone who is responsible for identifying, securing, and interpreting evidence on a network. To that end, this chapter provides an overview of network protocols, references to more in-depth materials, and discusses how forensic science is applied to networks. Furthermore, to help investigators interpret and utilize this information in a network-related investigation, this chapter focuses on the most common kinds of digital evidence found on networks, and provides information that can be generalized to other situations. This chapter assumes a basic understanding of network topology and associated technologies, as covered in Casey (2004).

From the Case Files: Following the Cybertrail

It is not uncommon for intruders to maintain a trophy list of the systems they have compromised. In some cases, intruders inadvertently record their unauthorized actions with their own network capture programs. For instance, in one large-scale network intrusion the intruder placed a rootkit on over 40 servers, which included a sniffer that recorded network traffic.

Forensic examination of the compromised servers found sniffer logs created by the intruder's rootkit, showing the intruder gaining unauthorized access via a backdoor. These sniffer logs showed the IP address from which the intruder was connecting, enabling us to track the attacker back to the UUnet ISP. We promptly contacted the ISP and instructed them to preserve logs associated with the intrusion in anticipation of a search warrant for these records. In addition, we started collecting network traffic originating from the network block used by the intruder to gather evidence of ongoing intrusion activities.

Further investigation revealed that the intruder was using a stolen UUnet dialup account. Fortunately, the ISP maintained ANI records and was able to provide the phone number used to dial into the Internet. The FBI determined which house was assigned the phone number, obtained a search warrant, and seized the intruder's computers.

A forensic examination of the intruder's computer revealed substantial linkage with the victim systems. Information about stolen dialup accounts and victim systems were neatly organized in folders and files on the intruder's computer:

Sniffer logs from the compromised systems containing captured usernames and passwords were found on one of the intruder's hard drives. These sniffer files were accompanied by a file created by the intruder that listed the servers and associated usernames and passwords to which he had gained administrative access on various networks around the world. In addition, a tar file on the intruder's hard drive containing the rootkit found on the compromised systems had metadata in the header of the tar files that showed it was created on one of the compromised systems. A keyword search of unallocated space found partial home directory listings from compromised servers, further demonstrating that the intruder's computer was used to gain unauthorized access to those systems. Furthermore, chat logs recovered from the computers showed the intruder exchanging information about compromised servers with his cohorts on Internet Relay Chat (IRC).

Records provided by UUnet, as a result of an FBI subpoena, indicated several dates and times, as well as ranges of times, that the stolen dialup account was used by the intruder to connect to the Internet from the intruder's home when gaining unauthorized access to victim systems. These time ranges correlated with unauthorized activities on the victim systems as well as with IRC chat logs recovered from the intruder's computer.

Although this chapter concentrates on servers, network devices, and network traffic, keep in mind that personal computers often have traces of network activities that can be preserved and examined using the techniques for examining hosts covered in previous chapters. Locard's Exchange Principle states that, when an offender comes in contact with a location or another person, an exchange of evidence occurs (Saferstein, 1998). As a result of this exchange, offenders leave something of themselves behind and take something of that person or place away with them. Locard was talking about the physical world, but his maxim holds for the human-engineered world of information technology as well. Sometimes the evidence transfer is intentionally designed into a system (as with logs). Sometimes, the transfer is an incidental (and perhaps temporary) by-product of the system design. To understand more clearly the application of this principle to forensic investigation of computer networks, suppose an individual uses his home computer to gain unauthorized access to a remote server via a network. Some transfer of digital data occurs. Something as simple as a listing of a directory on the server may remain on the intruder's hard drive for some time, providing a connection between the suspect and the crime scene. Examples of evidence transfer exist for almost every service provided over the Internet.

To provide practical examples of how logs are interpreted and used in digital investigations, data associated with the intrusion investigation scenario introduced in Chapter 4 are examined in further detail.

URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000094

What structure is used for the file system for a SIM card?

The SIM card file system is organized in a hierarchical tree structure and resides in the EEPROM, storing data such as names and phone number entries, text messages, and network service settings.

What registry file contains Installed Programs settings?

HKLM (HKEY_LOCAL_MACHINE) contains computer-specific information about the hardware installed, software settings, and other information.

When seizing computer evidence in criminal investigations follow the standards for seizing digital data?

Computer Forensics.

When confidential business data are included with criminal evidence, what are they referred to as?

Exposed data.