
Copyright 2005 Carnegie Mellon University

Forensic Collection and Analysis of Volatile Data

This lab is an introduction to collecting volatile data from both a compromised Linux host and a compromised Windows host. In the event that a host in your organization is compromised you may need to perform forensic analysis. When collecting forensic evidence it is important to begin with the volatile information. This is information that is stored in memory (RAM), such as open ports and connections as well as running processes. This is information that cannot be gathered once the machine has been rebooted. Remember to always start with the volatile information first!

The main exercise in this lab details specific means by which to collect forensic evidence. Before starting any forensic collection it is important to have a trusted toolkit from which to work. This should contain trusted versions of commands so that you can be assured that the evidence you collect is valid and uncompromised. Your toolkit can vary depending on the evidence you want to collect and the operating system a host is running, but it should contain basic tools such as a trusted command shell and trusted copies of the commands you will run from it. There are a multitude of available tools for you to choose from.

You will be using the netstat command to collect information about open network connections and listening ports on the compromised hosts. This is not the ideal method for collecting forensic information, since you want to collect information beyond just the network status. This means that you will need to execute a series of commands in order to collect the entire body of evidence. In collecting evidence it is important to leave the smallest footprint of your activity, so having to type in multiple commands is not the best method.

At the end of each section there is an “Optional Challenge.” The goal in the challenge exercise is to become familiar with the idea of using a .bat file and a bash script to collect evidence. A .bat file or bash script is simply a string of commands in a single script. This helps minimize the footprint left behind during the collection phase by allowing you to execute one script instead of having to execute multiple commands from the command line.

Volatile Data Collection Page 1 of 10 Copyright 2005 Carnegie Mellon University

Your lab environment consists of three virtual computer systems.

1. A Windows 2003 Server launchpad system that will allow you to remotely access the machines below. This system’s hostname is: VTE-Launchpad and its IP address is 10.0.254.254.

2. A Linux machine that will serve as a compromised host from which you will gather forensic data. The system’s hostname is: Linux Compromised and its IP is 10.0.4.51.

3. A Windows 2003 machine that will serve as the compromised Windows host. This system’s hostname is: Win Compromised and its IP address is 10.0.4.50.

1 Establishing a forensic collection system

You will configure the “VTE-Launchpad” to function as a Listener (Evidence Collector) for a capture of volatile data from a live Windows system. Two collections will be made: (1) a simple collection of data using one trusted command, and (2) a comprehensive collection using a trusted .bat file of trusted tools.

1. From the VTE-Launchpad, open a trusted command shell by selecting Start > Run and browsing to the trusted forensic CD (i.e. the D: drive) that has been pre-loaded. Open the trusted command shell located at “\Tools\Windows\Forensics\t_cmd.exe”.


2. In the trusted command shell window, type the command ‘t_ipconfig’ to identify the IP address of the Windows VTE-Launchpad. This will be needed later during the collection phase.

3. Next, establish a Netcat listener on the “VTE-Launchpad”. This platform will serve as the collection system for the upcoming collection of volatile data. From the command line in the trusted shell type:

t_nc.exe -L -p 443 > C:\Collectiondata.txt

Figure 1

This syntax will activate a Netcat listener on port 443 and direct all received data to the file “Collectiondata.txt” on the root of C:\. Notice that the command shell window indicates that it is running from the trusted source, i.e. the forensics CD.

2 Collecting Volatile Data from a Windows System

The target system for this exercise will be the “Win Compromised” host. This machine contains information that you will need to collect and analyze to determine if the host has been compromised and to what extent. You will be collecting the data from the compromised host and using Netcat to send the forensic data to your Windows VTE-Launchpad system.

1. From the VTE-Launchpad Desktop, select the Remote Desktop Connection icon and connect to the “Win Compromised” machine at 10.0.4.50. Press the ‘Options>>’ button and select the ‘Display’ tab. Under ‘Remote desktop size’ drag the bar to the left until it reaches ‘800 by 600 pixels’. Press Connect. Login with: User: jsmith Password: tartans

2. From the “Win Compromised” console, select Start > Run and browse to the trusted forensic CD that has been pre-loaded. Open the trusted command shell located at “\Tools\Windows\Forensics\t_cmd.exe”.

Figure 2

3. From the trusted command shell, type:

t_netstat.exe -an | t_nc.exe 10.0.254.254 443

This syntax will execute the trusted ‘t_netstat.exe’ from the CD and send the output from the command to the “Windows VTE-Launchpad”, which will write the data to the “C:\WinCollectiondata.txt” file.

It will take approximately one minute for the netstat command to execute and the data to be transferred to the VTE­Launchpad.

4. You will need to wait approximately one minute for the command to be executed and the data to be transferred to the VTE-Launchpad. Now close the open Netcat connections on both the “Win Compromised” and “VTE-Launchpad” hosts. To do this, from the open trusted command shells press “Ctrl C”. This will close the Netcat connections.

5. The last step is to verify that the volatile data from the remote collection has been sent to the Windows VTE-Launchpad.

6. From the “VTE-Launchpad” open and examine the “C:\WinCollectiondata.txt” file. To locate and open this file select Start > My Computer > Local Disk C:. Right-click the ‘WinCollectiondata.txt’ file and select Open With > WordPad to view the contents. WHAT DO YOU SEE?
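The listener on the VTE-Launchpad and the netstat-into-Netcat pipe on the compromised host form one simple exchange, and the lab's only way to know the transfer finished is to wait and then look at the file. The Python program below is an added example, not part of the original lab or its toolkit, that reproduces that exchange over the loopback interface: one function plays the listener (the role of t_nc.exe -L -p 443 > C:\Collectiondata.txt), one plays the sender (the role of t_netstat.exe -an | t_nc.exe 10.0.254.254 443), and the collector fingerprints what it received with SHA-256 so the analyst can later prove the file was not altered. The sample netstat text is constructed for the example, and the port is chosen by the OS rather than being 443.

```python
import hashlib
import os
import socket
import tempfile
import threading

# Constructed sample of what a trusted netstat might print on the compromised
# host.  These lines are made up for the example; they are not lab data.
SAMPLE_NETSTAT = b"""\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    10.0.4.50:1043         10.0.254.254:443       ESTABLISHED
"""


def sha256_hex(data):
    """Hex SHA-256 of a byte string, used to fingerprint the collected file."""
    return hashlib.sha256(data).hexdigest()


def start_collector(out_path, host="127.0.0.1", port=0):
    """Listener side (the role of 't_nc.exe -L -p 443 > C:\\Collectiondata.txt').

    Binds a TCP socket (port 0 lets the OS pick a free port), accepts one
    connection on a background thread and streams every byte received into
    out_path.  Returns (bound_port, thread, result); result is filled with the
    byte count and SHA-256 once the sender signals end-of-stream.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    result = {}

    def serve():
        conn, _peer = srv.accept()
        digest = hashlib.sha256()
        size = 0
        with conn, open(out_path, "wb") as fh:
            while True:
                chunk = conn.recv(4096)
                if not chunk:        # EOF: the sender shut down its write side
                    break
                fh.write(chunk)
                digest.update(chunk)
                size += len(chunk)
        srv.close()
        result["size"] = size
        result["sha256"] = digest.hexdigest()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def send_to_collector(host, port, data):
    """Sender side (the role of 't_netstat.exe -an | t_nc.exe <host> 443').

    Netcat reports no status; the only signal the collector gets that the
    transfer is complete is end-of-stream, which shutdown(SHUT_WR) produces.
    """
    with socket.create_connection((host, port)) as sock:
        sock.sendall(data)
        sock.shutdown(socket.SHUT_WR)


def collect(data, out_path=None):
    """Run one complete exchange over loopback and return the collection record."""
    if out_path is None:
        fd, out_path = tempfile.mkstemp(prefix="Collectiondata-", suffix=".txt")
        os.close(fd)
    port, thread, result = start_collector(out_path)
    send_to_collector("127.0.0.1", port, data)
    thread.join(timeout=10)
    result["path"] = out_path
    # The verification step of the lab, done by hash instead of by eye.
    with open(out_path, "rb") as fh:
        result["matches_source"] = sha256_hex(fh.read()) == sha256_hex(data)
    return result


if __name__ == "__main__":
    record = collect(SAMPLE_NETSTAT)
    print(record["path"], record["size"], record["sha256"], record["matches_source"])
```

Recording the hash on the collection system at the moment of capture is the practitioner's check that the lab leaves implicit: the file on the VTE-Launchpad is the evidence, and a hash taken then is what later ties an analysis report back to it.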


Figure 3


Optional Challenge:

1. Contained on the forensics CD in the \Tools\Windows\Forensics\ folder is a .bat file titled “Windows_Response.bat”. This file executes several trusted commands from the CD which collect volatile data. Using the directions above, attempt to utilize this .bat file to conduct a comprehensive collection of volatile data from the “Win Compromised” host and report any interesting findings. WHAT DO YOU SEE?

Some of the processes that you should be able to see are:

Host_sensor.exe The ‘host_sensor.exe’ acts as a host alive checking sensor for the Linux_Compromised machine. Once the Linux_Compromised machine is alive it then connects to an open port. (Port 4444)

Host_sensor.exe The ‘host_sensor.exe’ process acts as a host alive checking sensor for the Linux_Compromised machine. Once the Linux_Compromised machine is alive it then connects to an open port. (Port 23)

Rogueprocess.bat will be executed upon startup, which in turn executes the ‘svchost1.exe’ binary, passing command line parameters.

ccApp4.exe is a masked WinDump.exe (Network Sniffer).

spoolsSV.exe is a (Key logger) that will automatically start and capture keystrokes upon startup.

tini.exe is a running (Backdoor) that will listen on port 7777 for any connections. If a connection is established to port 7777 a command shell will be spawned.

svchost1.exe is a masked (Netcat Listener) that listens on port 80 for any connections. If a connection is established to port 80 a command shell will be spawned.

dxxccxymju.exe is a running (Backdoor Trojan i.e. Subseven) that listens on the default port of 27374. Note the filename on this rogue process is randomly picked each time the machine is restarted.

2. Again, remember to close the Netcat connection when the transfer is complete. Keep in mind that Netcat does not report its status.


3 Collecting Volatile Data from a Linux System

3.1 Remotely Accessing the Linux Host via Secure Shell

The target system for this exercise will be the “Linux Compromised” machine. You will be collecting forensic evidence from this machine and storing it on the “VTE-Launchpad.”

You will need to re-establish the VTE-Launchpad listener for incoming connections. Using the instructions from section 1 (Establishing a forensic collection system), save the collected data in a file called C:\LinuxCollectiondata.txt or C:\LinuxCollectiondata.csv.

1. To connect to the compromised Linux host locate and double-click the ‘Putty.exe’ icon on the desktop of the VTE-Launchpad. PuTTY is a very popular (and free) SSH client.

2. Type ‘10.0.4.51’ in the Host Name (or IP address) box within the PuTTY application and then click ‘Open’. Accept the server’s host key when prompted.

3. Login with the following credentials:

Username: root Password: tartans

3.2 Collecting data using a trusted Netstat command

1. From the command line on the “Linux Compromised” host it will be necessary to mount the CDROM containing the trusted forensics toolkit. The CD has been pre-loaded. To do this, type:

# mount /dev/cdrom /mnt/cdrom

2. Now that the CDROM is mounted, you will need to load a trusted bash shell from which to continue working. First, the current working directory needs to be changed to the newly mounted forensics toolkit CD. To do this, type:

Figure 4

# cd /mnt/cdrom/Tools/Linux/Forensics/

3. At this point load the trusted .bash shell from the CD. To do this, type:

# ./t_bash


4. Next, verify that the t_bash shell has been loaded and is the current location from which the collection is occurring. To do this, type:

# ./t_ps

Note the output from the t_ps command should indicate that the t_bash is running inside of bash. The PID #’s should be different in your screen.

5. Now that you are running commands from a trusted bash shell it is time to begin the collection of volatile data. From the trusted command shell, type:

# ./t_netstat -an | ./t_netcat 10.0.254.254 443

This syntax will execute ‘t_netstat’ from the trusted CD and send the output from the command to the “VTE-Launchpad”, which will write the data to the “C:\LinuxCollectiondata.txt” file.

6. You will need to wait approximately one minute for the command to be executed and the data transferred to the VTE-Launchpad. Now close the open Netcat connections on both the “Linux Compromised” and “VTE-Launchpad” hosts. To do this, from the open trusted command shells press “Ctrl C”. This will close the Netcat connections. You can now close the SSH connection to the compromised Linux host.

Figure 5

It may take Netcat several seconds, possibly a minute or two, to transfer the data to the remote collection system (VTE-Launchpad).

4 Verification of data collection

The last step is to verify that the volatile data from the remote collection has been sent to the Windows VTE-Launchpad.

1. On the “VTE-Launchpad” open and examine the “C:\LinuxCollectionData.txt” file. To locate and open this file select Start > My Computer > Local Disk C:. Right-click the ‘LinuxCollectiondata.txt’ file, select Open With > WordPad to view the contents. WHAT DO YOU SEE?

In the LinuxCollectiondata.txt data file you will see the output of the netstat command that you ran. This is a list of the open connections to and from the compromised Linux machine as well as any listening ports that are open on the host. This can be useful to determine if there are any illegitimate ports open or connections being made by an attacker, malicious application or process.

Figure 6


Optional Challenge:

1. Contained on the forensics CD in the “\Tools\Linux\Forensics\” folder is a bash script titled “Linuxcollectionscript”. This file executes several trusted commands from the CD which collect volatile data. Using the directions above, attempt to utilize this bash script to conduct a comprehensive collection of volatile data from the “Linux Compromised” host and report any interesting findings. WHAT DO YOU SEE?

You should be able to see several running processes that do not belong. Spend some time looking through the collected data.

Some of the processes that you should be able to see are:

/etc/log./jam1 script connects to an open telnet server on Windows_Compromised machine.

/etc/log.df/klogd.a is a masked (Netcat Listener) that listens on port 4444 for any connections. If a connection is established to port 4444 a root bash shell will be spawned.

/etc/log.df/termcap is a masked tcpdump (Network Sniffer).

/etc/log.df/Servers/bindshell is a (Backdoor Trojan i.e. bindshell Backdoor) that listens on port 55555.

/etc/log.df/nccon script executes a masked netcat called ‘netstat’ and connects to an open telnet port on Windows_Compromised machine.

/etc/log.df/ncconb script executes a masked netcat called ‘netstat’ and connects to an open port 80 on the Windows_Compromised machine.

/etc/log.df/lklu process is an active Linux based keylogger.

2. Again, remember to close the Netcat connection when the transfer is complete. Keep in mind that Netcat does not report its status. You will have to watch the file size on the “VTE-Launchpad” to determine when the data transfer is complete.
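Both optional challenges (Windows_Response.bat in section 2 and Linuxcollectionscript here) turn the one-command collection into a scripted run of several trusted tools. The Python below is an added example, not the lab's scripts, showing the properties such a collection script should have: every tool is resolved to an absolute path inside the toolkit directory and a bare name is required so nothing can escape it, PATH is restricted to the toolkit so no command silently falls back to a system binary, each command's output is bundled under a header recording the exact command line, start time and exit status, and the whole bundle is hashed once. So that it runs anywhere, the Python interpreter stands in for the trusted tools and prints constructed output; the t_netstat/t_ps plan in the comment is an assumption about how the real toolkit would be invoked.

```python
import datetime
import hashlib
import os
import subprocess
import sys

# A plan is a list of (label, bare tool name, arguments).  Against the lab's
# CD it would look like the following (assumed invocation, most volatile first):
#   [("network connections", "t_netstat", ["-an"]),
#    ("process list", "t_ps", [])]


def sha256_hex(data):
    """Hex SHA-256 of the bundled output, recorded with the collection."""
    return hashlib.sha256(data).hexdigest()


def build_argv(toolkit_dir, tool, args):
    """Resolve a bare tool name to an absolute path inside the toolkit.

    A name carrying a path component is refused so the command can never be
    redirected to a binary outside the trusted directory.
    """
    if os.path.basename(tool) != tool:
        raise ValueError(f"tool name must be bare, not a path: {tool!r}")
    path = os.path.join(os.path.abspath(toolkit_dir), tool)
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return [path] + list(args)


def run_collection(toolkit_dir, plan, timeout=60):
    """Run each planned command from the toolkit and bundle the results.

    Each section carries the exact argv, a UTC timestamp and the exit status,
    followed by stdout and (if any) stderr, so the bundle is self-describing.
    """
    env = {"PATH": os.path.abspath(toolkit_dir)}
    if "SYSTEMROOT" in os.environ:          # Windows processes need this one
        env["SYSTEMROOT"] = os.environ["SYSTEMROOT"]
    parts = []
    for label, tool, args in plan:
        argv = build_argv(toolkit_dir, tool, args)
        started = datetime.datetime.now(datetime.timezone.utc).isoformat()
        proc = subprocess.run(argv, capture_output=True, timeout=timeout, env=env)
        header = f"===== {label}: {' '.join(argv)} @ {started} rc={proc.returncode}\n"
        parts.append(header.encode())
        parts.append(proc.stdout)
        if proc.stderr:
            parts.append(b"--- stderr ---\n" + proc.stderr)
    blob = b"".join(parts)
    return {"data": blob, "sha256": sha256_hex(blob), "commands": len(plan)}


def demo_plan():
    """Stand-in toolkit: the running Python interpreter plays the trusted tool
    and prints constructed output, so the example runs without the lab's CD."""
    toolkit_dir = os.path.dirname(sys.executable)
    tool = os.path.basename(sys.executable)
    return toolkit_dir, [
        ("network connections", tool,
         ["-c", "print('TCP 0.0.0.0:7777 0.0.0.0:0 LISTENING')"]),
        ("process list", tool, ["-c", "print('1234 tini.exe')"]),
    ]


if __name__ == "__main__":
    toolkit, plan = demo_plan()
    record = run_collection(toolkit, plan)
    print(record["data"].decode(errors="replace"))
    print("sha256:", record["sha256"])
```

Feeding the returned bundle to the collector from section 2 instead of printing it gives the same one-connection, one-file result the lab's scripts aim for, with the hash as the check that the file on the VTE-Launchpad is the one the script produced.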
