Forensic Collection and Analysis of Volatile Data

Copyright 2005 Carnegie Mellon University

This lab is an introduction to collecting volatile data from both a compromised Linux host and a compromised Windows host. In the event that a host in your organization is compromised you may need to perform forensic analysis. When collecting forensic evidence it is important to begin with the most volatile information. This is information that is stored in memory (RAM), such as open ports and connections as well as running processes. It cannot be gathered once the machine has been rebooted. Remember to always start with the volatile information first!

The main exercise in this lab details specific means by which to collect forensic evidence. Before starting any forensic collection it is important to have a trusted toolkit from which to work. This should contain trusted versions of commands so that you can be assured that the evidence you collect is valid and uncompromised. Your toolkit can vary depending on the evidence you want to collect and the operating system a host is running, but it should contain basic tools such as netstat, ipconfig, a command shell and others. There are a multitude of available tools for you to choose from.

You will be using the netstat command to collect information about open network connections and listening ports on the compromised hosts. This is not the ideal method for collecting forensic information, since you want to collect more information than just the network status. This means that you will need to execute a series of commands in order to collect the entire body of evidence. In collecting evidence it is important to leave the smallest footprint of your activity, so having to type in multiple commands is not the best method. At the end of each section there is an "Optional Challenge." The goal in the challenge exercise is to become familiar with the idea of using a .bat file and a bash script to collect evidence. A .bat file or bash script is simply a string of commands in a single script. This helps minimize the footprint left behind during the collection phase by allowing you to execute one script instead of having to execute multiple commands from the command line.

Your lab environment consists of three virtual computer systems.

1. A Windows 2003 Server launchpad system that will allow you to remotely access the machines below. This system's hostname is VTE-Launchpad and its IP address is 10.0.254.254.
2. A Linux machine that will serve as a compromised host from which you will gather forensic data. This system's hostname is Linux Compromised and its IP address is 10.0.4.51.
3. A Windows 2003 machine that will serve as the compromised Windows host. This system's hostname is Win Compromised and its IP address is 10.0.4.50.

1 Establishing a forensic collection system

You will configure the VTE-Launchpad to function as a Netcat listener (evidence collector) for a capture of volatile data from a live Windows system. Two collections will be made: (1) a simple collection of data using one trusted command, and (2) a comprehensive collection using a trusted .bat file of trusted tools.

1. From the VTE-Launchpad, open a trusted command shell by selecting Start > Run and browsing to the trusted forensic CD (i.e. the D: drive) that has been pre-loaded. Open the trusted command shell located at "\Tools\Windows\Forensics\t_cmd.exe".
2. In the trusted command shell window, type the command 't_ipconfig' to identify the IP address of the Windows VTE-Launchpad. This will be needed later during the collection phase.
3. It is time to establish a Netcat listener on the VTE-Launchpad. This platform will serve as the collection system for the upcoming collection of volatile data. From the command line in the trusted shell type:

       t_nc.exe -L -p 443 > C:\Collectiondata.txt

   Figure 1

   This syntax will activate a Netcat listener on port 443 and direct all received data to the file "Collectiondata.txt" located on the root of C:\. Notice that the path at the top of the command shell window indicates that it is running from the trusted source, i.e. the forensics CD.

2 Collecting Volatile Data from a Windows System

The target system for this exercise will be the "Win Compromised" host. This machine contains information that you will need to collect and analyze to determine if the host has been compromised and to what extent. You will be collecting the data from the compromised host and using Netcat to send the forensic data to your Windows VTE-Launchpad system.

1. From the VTE-Launchpad desktop, select the Remote Desktop Connection icon and connect to the "Win Compromised" machine at 10.0.4.50. Press the 'Options>>' button and select the 'Display' tab. Under 'Remote desktop size' drag the bar to the left until it reaches '800 by 600 pixels'. Press Connect. Login with:

       User: jsmith
       Password: tartans

2. From the "Win Compromised" console, select Start > Run and browse to the trusted forensic CD that has been pre-loaded. Open the trusted command shell located at "\Tools\Windows\Forensics\t_cmd.exe".

   Figure 2

3. From the trusted command shell, type:

       t_netstat.exe -an | t_nc.exe 10.0.254.254 443

   This syntax will execute the trusted 't_netstat.exe' from the CD and send the output of the command to the Windows VTE-Launchpad, which will write the data to the "C:\WinCollectiondata.txt" file. It will take approximately one minute for the netstat command to execute and the data to be transferred to the VTE-Launchpad.
4. You will need to wait approximately one minute for the command to be executed and the data to be transferred to the VTE-Launchpad. Now close the open Netcat connections on both the "Win Compromised" and "VTE-Launchpad" hosts. To do this, from the open trusted command shells press Ctrl+C. This will close the Netcat connections.
5. The last step is to verify that the volatile data from the remote collection has been sent to the Windows VTE-Launchpad.
6. From the VTE-Launchpad open and examine the "C:\WinCollectiondata.txt" file. To locate and open this file select Start > My Computer > Local Disk C:. Right-click the 'WinCollectiondata.txt' file and select Open With > WordPad to view the contents.

WHAT DO YOU SEE?

Figure 3

Optional Challenge:

1. Contained on the forensics CD in the Tools\Windows\Forensics\ folder is a .bat file titled "Windows_Response.bat". This file executes several trusted commands from the CD which collect volatile data. Using the directions above, attempt to utilize this .bat file to conduct a comprehensive collection of volatile data from the "Win Compromised" host and report any interesting findings.

   WHAT DO YOU SEE? Some of the processes that you should be able to see are:

   - Host_sensor.exe: the 'host_sensor.exe' process acts as a host-alive checking sensor for the Linux_Compromised machine. Once the Linux_Compromised machine is alive it then connects to an open port (port 4444).
   - Host_sensor.exe: the 'host_sensor.exe' process acts as a host-alive checking sensor for the Linux_Compromised machine. Once the Linux_Compromised machine is alive it then connects to an open port (port 23).
   - Rogueprocess.bat will be executed upon startup, which in turn executes the 'svchost1.exe' binary, passing command line parameters.
   - ccApp4.exe is a masked WinDump.exe (network sniffer).
   - spoolsSV.exe is a key logger that will automatically start and capture keystrokes upon startup.
   - tini.exe is a running backdoor that will listen on port 7777 for any connections. If a connection is established to port 7777 a command shell will be spawned.
   - svchost1.exe is a masked Netcat listener that listens on port 80 for any connections. If a connection is established to port 80 a command shell will be spawned.
   - dxxccxymju.exe is a running backdoor Trojan (i.e. SubSeven) that listens on the default port of 27374. Note that the filename of this rogue process is randomly picked each time the machine is restarted.
2. Again, remember to close the Netcat connection when the transfer is complete. Keep in mind that Netcat does not report its status.

3 Collecting Volatile Data from a Linux System

3.1 Remotely Accessing the Linux Host via Secure Shell

The target system for this exercise will be the "Linux Compromised" machine. You will be collecting forensic evidence from this machine and storing it on the VTE-Launchpad. You will need to re-establish the VTE-Launchpad to listen for incoming connections. Using the instructions from section 1 (Establishing a forensic collection system), you will want to save the collected data in a file called C:\LinuxCollectiondata.txt or C:\LinuxCollectiondata.csv.

1. To connect to the compromised Linux host, locate and double-click the 'Putty.exe' icon on the desktop of the VTE-Launchpad. Putty is a very popular (and free) SSH client.
2. Type '10.0.4.51' in the Host name (IP address) box within the Putty application and then click 'Open'. Select Yes to accept the server key.
3. Login with the following credentials:

       Username: root
       Password: tartans

3.2 Collecting data using a trusted Netstat command

1.
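The Optional Challenge in section 2 asks you to replace a string of hand-typed commands with one script, and the Windows section asks what you see in the collected netstat output. The POSIX shell script below is added here as an example of both ideas in the bash flavour that the challenge refers to for the Linux section; it is not part of the CMU lab and not the contents of the forensics CD. collect_volatile runs a list of tools out of a trusted toolkit directory (assumed path; the tool names are passed as arguments) and labels each section of output, and listening_ports / unexpected_ports read the netstat section back and report listeners that are not in a baseline. The toolkit it builds under mktemp, with a fake netstat that prints constructed Windows-style lines mirroring the port 80, 7777 and 27374 listeners named above, is a stand-in for the real CD so the script runs offline; the date and uname calls are also assumptions and in a real collection would come from the toolkit as well.

```shell
#!/bin/sh
# Added example (not from the CMU lab): a single-script volatile data collector in the
# spirit of Windows_Response.bat, plus a triage helper for the collected netstat section.
# The toolkit directory, tool names and sample netstat lines are assumptions/constructed.

# Run each trusted tool from TOOLKIT in order, labelling every result with a header so the
# collected stream can be read back section by section. Output goes to stdout so it can be
# piped into the trusted nc instead of being written to the compromised host's disk.
# Usage: collect_volatile /path/to/toolkit "netstat -an" "ps aux" ...
collect_volatile() {
    toolkit=$1
    shift
    # date/uname are taken from PATH here for brevity; a real run uses the toolkit's copies.
    printf '### collection started %s on %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo unknown-time)" \
        "$(uname -n 2>/dev/null || echo unknown-host)"
    for spec in "$@"; do
        tool=${spec%% *}          # first word: the tool name
        args=${spec#"$tool"}      # remainder: its arguments (may be empty)
        printf '\n=== %s ===\n' "$spec"
        if [ -x "$toolkit/$tool" ]; then
            # Run the copy on the trusted media, never the one on the suspect host's PATH.
            "$toolkit/$tool" $args 2>&1
        else
            printf 'MISSING: %s is not in the trusted toolkit, skipped\n' "$tool"
        fi
    done
    printf '\n### collection finished %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo unknown-time)"
}

# List the ports in LISTEN state from the netstat section of a collected file.
# Handles the Windows layout ("TCP 0.0.0.0:7777 0.0.0.0:0 LISTENING", local address in
# field 2) and the Linux layout ("tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN", local address in
# field 4); the port is whatever follows the last ':' so [::]:135 and :::22 work too.
listening_ports() {
    awk '
        /^=== / { insection = ($0 ~ /netstat/); next }
        insection && ($NF == "LISTENING" || $NF == "LISTEN") {
            laddr = ($1 == "TCP" || $1 == "UDP") ? $2 : $4
            n = split(laddr, parts, ":")
            print parts[n]
        }
    ' "$1" | sort -n | uniq
}

# Print every listening port that is not in the whitespace-separated BASELINE of ports
# the host is known to legitimately serve; this is the list the analyst looks at first.
unexpected_ports() {
    file=$1
    baseline=$2
    for port in $(listening_ports "$file"); do
        case " $baseline " in
            *" $port "*) ;;            # expected, ignore
            *) echo "$port" ;;
        esac
    done
}

# --- constructed stand-in for the forensics CD so the script runs offline ---
DEMO_TOOLKIT=$(mktemp -d)
cat > "$DEMO_TOOLKIT/netstat" <<'EOF'
#!/bin/sh
# fake trusted netstat: constructed Windows-style output mirroring the lab's rogue listeners
printf '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING\n'
printf '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n'
printf '  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING\n'
printf '  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING\n'
printf '  TCP    10.0.4.50:3389         10.0.254.254:1055      ESTABLISHED\n'
EOF
chmod +x "$DEMO_TOOLKIT/netstat"

DEMO_OUT=$(mktemp)
# "tasklist /v" is deliberately absent from the fake toolkit to exercise the MISSING path.
collect_volatile "$DEMO_TOOLKIT" "netstat -an" "tasklist /v" > "$DEMO_OUT"

echo "Listening ports found: $(listening_ports "$DEMO_OUT" | tr '\n' ' ')"
echo "Not in baseline (135 445 3389): $(unexpected_ports "$DEMO_OUT" "135 445 3389" | tr '\n' ' ')"
```

Against the constructed output the triage step reports 80, 7777 and 27374, the same three listeners the lab attributes to svchost1.exe, tini.exe and the SubSeven process, while the Remote Desktop session and RPC endpoint mapper drop out because they are in the baseline. In a live collection the tool list would be the toolkit's own netstat, ps, lsof and similar, and the script's stdout would be piped into the trusted nc toward the launchpad exactly as in step 3 of section 2, keeping the footprint on the suspect host to one command.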
