Dr. I Doctor

Dr. I Doctor's Informational Juggernaut

November 2005

November 14, 2005 8:26 AM

New CERT Guide: First Responders Guide - Advanced Topics

Network intrusion detection is usually under the purview of network administrators. But once an intrusion has been discovered, who is responsible for assessing the damage? In many organizations, that task also falls to the network admin staff. Most network technologists have a good working knowledge of computer systems, so this is not unreasonable. However, few of us write code for a living, so constructing a toolkit for intrusion assessment is not something at which we're likely to excel.

With the Computer Emergency Response Team (CERT) First Responders Guide to Computer Forensics: Advanced Topics, you don't have to be a code wizard. This 169-page tutorial gives you hands-on instruction for analyzing compromised systems using existing tools, and shows you how to safely install additional utilities for deeper analysis.

The document is organized into five chapters, which it calls "modules", covering log file analysis, process characterization, disk image management, process capture, and spoofed e-mail decoding. Each of these chapters represents one step in the system dissection process that is forensic analysis. The authors don't tell you the basics of forensic analysis -- how to isolate, take offline, and safely access an infected system. But that knowledge is widely available. These writers focus on the meat and potatoes of system investigation, which any IT professional needs to know to be a competent network protector.

The first chapter immediately launches into the use of two open source utilities, Swatch and Microsoft Log Parser, as forensic analysis tools. Swatch, or Simple Watcher, analyzes Unix system logs for significant events. While often used for real-time analysis and notification, in its forensic role it serves to conduct a post-mortem autopsy of stored logs. Swatch's primary value is sifting through logs for interesting events that can lead you more directly to the original point of entry by an intruder. Microsoft Log Parser is a similar tool tailored to processing Windows logs, including event logs, IIS and Apache Web server logs, XML-formatted logs, and Windows NetMon capture files. Log Parser can also perform some analysis on registry entries and Active Directory objects.
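As an added illustration of the kind of log sifting the chapter describes (this is example code, not Swatch itself or anything from the CERT guide), the script below applies Swatch-style watch patterns to constructed sshd log lines and reports each successful login that followed a burst of failures from the same source, which is the likely point of entry. Log lines, hostnames and addresses are all made up.

```python
import re
from collections import defaultdict

# Constructed sample of Unix auth log lines (not from the guide): a password-guessing
# burst from one host that ends in a successful login, plus unrelated normal traffic.
SAMPLE_LOG = """\
Nov 13 23:58:10 srv1 sshd[4410]: Accepted publickey for alice from 192.0.2.44 port 50122 ssh2
Nov 14 01:02:03 srv1 sshd[4501]: Failed password for invalid user admin from 203.0.113.5 port 40011 ssh2
Nov 14 01:02:05 srv1 sshd[4502]: Failed password for invalid user test from 203.0.113.5 port 40012 ssh2
Nov 14 01:02:07 srv1 sshd[4503]: Failed password for root from 203.0.113.5 port 40013 ssh2
Nov 14 01:02:09 srv1 sshd[4504]: Failed password for root from 203.0.113.5 port 40014 ssh2
Nov 14 01:02:30 srv1 sshd[4505]: Accepted password for root from 203.0.113.5 port 40015 ssh2
Nov 14 01:05:00 srv1 sshd[4510]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Nov 14 01:05:04 srv1 sshd[4511]: Accepted password for bob from 198.51.100.9 port 51001 ssh2
"""

# Swatch-style watch patterns: a label and the regex that selects the line.
# Each captures (timestamp, user, source address).
PATTERNS = {
    "failed": re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
                         r"(?:invalid user )?(\S+) from (\S+)"),
    "accepted": re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \w+ for "
                           r"(\S+) from (\S+)"),
}

def find_entry_points(log_text, threshold=3):
    """Report successful logins from a source that had >= threshold failures first."""
    failures = defaultdict(list)   # source address -> [(timestamp, user), ...]
    hits = []
    for line in log_text.splitlines():
        m = PATTERNS["failed"].match(line)
        if m:
            ts, user, src = m.groups()
            failures[src].append((ts, user))
            continue
        m = PATTERNS["accepted"].match(line)
        if m:
            ts, user, src = m.groups()
            if len(failures[src]) >= threshold:
                hits.append({"src": src, "user": user, "when": ts,
                             "first_attempt": failures[src][0][0],
                             "failures": len(failures[src])})
    return hits

if __name__ == "__main__":
    for hit in find_entry_points(SAMPLE_LOG):
        print(hit)
```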

The first chapter focuses on post-mortem analysis, but that's not necessarily the starting point for a first responder tracing a network intrusion. Sometimes you're just reacting to a suspected penetration, and need to learn if a particular system has been hit. If a compromised system is still running when the intrusion is detected, the best practice is to isolate that system and then inspect it while it's in operation to learn what hacker processes are active.

The guide's second chapter shows you how to characterize the processes on a system to determine if evil programming is afoot. If it is, you can then proceed to isolate the system and begin vivisection. The authors show how to use intrinsic OS utilities such as grep to search out the alterations in running processes, and then employ the forensic workbench combo First Responder Utility (FRU) and Forensic Server Project (FSP). These tools, written by security researcher Harlan Carvey, are a client/server pair that extract data from compromised systems and archive it safely off-platform.

Chapter three explains the use of the Unix dd (disk-to-disk) utility to slice up hard drive data for transfer en masse to another medium, for later reconstruction in its original byte-for-byte condition. This is an important evidence preservation step, since you'll eventually want to reformat the compromised system's hard drive and put the system back into production. The dd-archived data let you continue analysis in a safe Petri-dish environment.

In Chapter four you learn how to capture potential evidence from a live computer by recording the state of malicious processes. An interesting real-world example of the value of these techniques was the recent uncovering of the Sony Digital Rights Management "root kit" by Mark Russinovich. Here you learn how to use the netcat (nc) utility for Windows and Unix process analysis: finding the owning processes of network sockets, locating their executables on disk, and capturing the data being moved by those processes.

The final chapter is a mini-tutorial on parsing spoofed e-mail headers. This knowledge is important because e-mail is one of the primary vectors for virus and worm infection, and perpetrators almost always try to obscure the path back to them by spoofing message headers. However, careful analysis of headers will always lead you to the machine originating the message, which lets you ultimately cut off one path of future infection. Of course, if you own the offending mail server, you then have to repeat the whole forensic process on that machine.
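To show the header-walking technique the final chapter teaches, here is an added example (not code from the CERT guide) that parses the Received chain of a constructed message from the newest header downward and stops where a relay's "by" host no longer matches the host the previous relay said it received from; everything below that break was prepended by the sender. The hostnames, addresses and the forged bottom hop are all constructed.

```python
import re
from email import message_from_string

# Constructed sample message (not from the guide). The bottom Received line was
# forged by the sender; the three above it were added by real relays on the way in.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 14 Nov 2005 08:20:01 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 14 Nov 2005 08:19:55 -0500
Received: from trusted-bank.example (host-22.example.com [203.0.113.22])
\tby relay.example.net with SMTP; Mon, 14 Nov 2005 08:19:40 -0500
Received: from mail.trusted-bank.example (mail.trusted-bank.example [10.9.8.7])
\tby localhost with SMTP; Mon, 14 Nov 2005 08:00:00 -0500
From: security@trusted-bank.example
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return Received hops newest-first as dicts: helo, rdns, ip, by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))   # unfold the header first
        if not m:
            continue
        helo, comment, by = m.group(1), m.group(2) or "", m.group(3).rstrip(";")
        ip = IP_RE.search(comment)
        rdns = comment.split()[0] if comment and not comment.startswith("[") else ""
        hops.append({"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else None, "by": by})
    return hops

def trace_origin(raw):
    """Walk outward from our own server; the chain is trusted only while each
    hop's 'by' host is the host the hop above it says it received from."""
    hops = parse_hops(raw)
    trusted = 1                      # the newest hop was written by our own server
    for cur, nxt in zip(hops, hops[1:]):
        if nxt["by"] not in (cur["helo"], cur["rdns"]):
            break                    # nxt and everything below it came from the sender
        trusted += 1
    last = hops[trusted - 1]         # the last hop we can believe: the real origin
    return {"origin_ip": last["ip"], "origin_rdns": last["rdns"],
            "claimed_helo": last["helo"],
            "helo_mismatch": bool(last["rdns"]) and last["helo"] != last["rdns"],
            "forged_hops": len(hops) - trusted}
```

The origin reported here is the address logged by the last relay you trust, so the result is only as good as your knowledge of which relays are yours.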

Despite the word "advanced" in the document title, this report provides minimum-level knowledge that every network administrator should possess. But the information isn't strictly for newbies. Even if you think you understand these procedures, you'll likely find some hidden nuggets of wisdom new to you.

http://www.cert.org/archive/pdf/05hb003.pdf

Posted by mbeckman on November 14, 2005 at 8:26 AM
