Week 1 Assignment:

profilestevesallysteve
20180604222732ch_1_reading1.docx

Network Forensics and Investigating Logs

After completing this chapter, you should be able to:

● Look for evidence ● Perform an end-to-end forensic investigation ● Use log files as evidence ● Evaluate log file accuracy and authenticity ● Understand the importance of audit logs ● Understand syslog ● Understand Linux process accounting ● Configure Windows logging ● Understand NTP

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

1

2 Chapter 1

What If?

In August 2005, a Moroccan named Farid Essebar and a Turk named Atilla Ekici were arrested in their respective home countries on the charges of creating and distributing the Zotob, Rbot, and Mytob worms. It is believed that Essebar wrote the worm code, and Ekici offered him financial support.

The Mytob worm affected a wide range of Windows systems, including Windows NT, 2000, XP, and Server 2003. The Zotob worm affected the systems of corporate giants, such as the New York Times Company, CNN, ABC News, Caterpillar Inc., and General Electric Co.

Within 12 days of the release of the worms, the culprits were arrested. This was possible because of extensive cooperation between Microsoft, the FBI, and the Turkish and Moroccan authorities. It is noteworthy that the investigations crossed international boundaries. It is still unclear whether any other individual or organization was involved in this crime. The United States did not seek extradition of the culprits, as the cyber law differs from country to country. The culprits have been prosecuted in their respective home countries.

● How were the creators of the Mytob worm traced? ● Could Time stamps and log files have been used to geographically locate the culprits?

If so, how?

Introduction to Network Forensics and Investigating Logs

This chapter focuses on network forensics and investigating logs. It starts by defining network forensics and describing the tasks associated with a forensic investigation. The chapter then covers log files and their use as evidence. The chapter concludes with a discussion about time synchronization.

Network Forensics

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks. Capturing network traffic over a network is simple in theory, but relatively complex in practice. This is because of the large amount of data that flows through a network and the complex nature of Internet protocols. Because recording net- work traffic involves a lot of resources, it is often not possible to record all of the data flowing through the network. An investigator needs to back up these recorded data to free up record- ing media and to preserve the data for future analysis.

Analyzing Network Data

The analysis of recorded data is the most critical and most time-consuming task. Although there are many automated analysis tools that an investigator can use for forensic purposes, they are not sufficient, as there is no foolproof method for discriminating bogus traffic generated by an attacker from genuine traffic. Human judgment is also critical because with automated traffic analysis tools, there is always a chance of a false positive.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

Network Forensics and Investigating Logs 3

An investigator needs to perform network forensics to determine the type of an attack over a network and to trace out the culprit. The investigator needs to follow proper inves- tigative procedures so that the evidences recovered during investigation can be produced in a court of law.

Network forensics can reveal the following information:

● How an intruder entered the network ● The path of intrusion ● The intrusion techniques an attacker used ● Traces and evidence

Network forensics investigators cannot do the following: ● Solve the case alone ● Link a suspect to an attack

The Intrusion Process

Network intruders can enter a system using the following methods:

● Enumeration: Enumeration is the process of gathering information about a network that may help an intruder attack the network. Enumeration is generally carried out over the Internet. The following information is collected during enumeration:

ﰀ ﰀ ﰀ ﰀ

Topology of the network List of live hosts Network architecture and types of traffic (for example, TCP, UDP, and IPX) Potential vulnerabilities in host systems

● Vulnerabilities: An attacker identifies potential weaknesses in a system, network, and elements of the network and then tries to take advantage of those vulnerabilities. The intruder can find known vulnerabilities using various scanners.

● Viruses: Viruses are a major cause of shutdown of network components. A virus is a software program written to change the behavior of a computer or other device on a network, without the permission or knowledge of the user.

● Trojans: Trojan horses are programs that contain or install malicious programs on targeted systems. These programs serve as back doors and are often used to steal information from systems.

● E-mail infection: The use of e-mail to attack a network is increasing. An attacker can use e-mail spamming and other means to flood a network and cause a denial- of-service attack.

● Router attacks: Routers are the main gateways into a network, through which all traffic passes. A router attack can bring down a whole network.

● Password cracking: Password cracking is a last resort for any kind of attack.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

1

4 Chapter 1 Looking for Evidence

An investigator can find evidence from the following:

● From the attack computer and intermediate computers: This evidence is in the form of logs, files, ambient data, and tools.

● From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.

● From internetworking devices: Evidence exists in logs and buffers as available.

● From the victim computer: An investigator can find evidence in logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions.

End-to-End Forensic Investigation

An end-to-end forensic investigation involves following basic procedures from beginning to end. The following are some of the elements of an end-to-end forensic trace:

● The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.

● Locating evidence: Once an investigator knows what devices were used during the attack, he or she can search for evidence on those devices. The investigator can then analyze that evidence to learn more about the attack and the attacker.

● Pitfalls of network evidence collection: Evidence can be lost in a few seconds during log analysis because logs change rapidly. Sometimes, permission is required to obtain evidence from certain sources, such as ISPs. This process can take time, which increases the chances of evidence loss. Other pitfalls include the following:

ﰀ An investigator or network administrator may mistake normal computer or network activity for attack activity.

ﰀ There may be gaps in the chain of evidence.

ﰀ Logs may be ambiguous, incomplete, or missing.

ﰀ Since the Internet spans the globe, other nations may be involved in the investigation. This can create legal and political issues for the investigation.

● Event analysis: After an investigator examines all of the information, he or she correlates all of the events and all of the data from the various sources to get the whole picture.

Log Files as Evidence

Log files are the primary recorders of a user’s activity on a system and of network activities.

An investigator can both recover any services altered and discover the source of illicit activities

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

Network Forensics and Investigating Logs 5 using logs. Logs provide clues to investigate. The basic problem with logs is that they can be

altered easily. An attacker can easily insert false entries into log files.

An investigator must be able to prove in court that logging software is correct. Computer records are not normally admissible as evidence; they must meet certain criteria to be admitted at all. The prosecution must present appropriate testimony to show that logs are accurate, reliable, and fully intact. A witness must authenticate computer records pre- sented as evidence.

Legality of Using Logs

The following are some of the legal issues involved with creating and using logs that organi- zations and investigators must keep in mind:

● Logs must be created reasonably contemporaneously with the event under investigation.

● Log files cannot be tampered with.

● Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator.

● Logs must be kept as a regular business practice.

● Random compilations of data are not admissible.

● Logs instituted after an incident has commenced do not qualify under the business records exception; they do not reflect the customary practice of an organization.

● If an organization starts keeping regular logs now, it will be able to use the logs as evidence later.

● A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the pro- grammer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced.

● A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software.

● A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence.

● If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.

● In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization.

● An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

1

6 Chapter 1 ● The original copies of any log files are preferred.

● A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped computers that have USB or SCSI interfaces.

Examining Intrusion and Security Events

As discussed earlier, the inspection of log files can reveal an intrusion or attack on a sys- tem. Therefore, monitoring for intrusion and security breach events is necessary to track down attackers. Examining intrusion and security events includes both passive and active tasks. A detection of an intrusion that occurs after an attack has taken place is called a post-attack detection or passive intrusion detection. In these cases, the inspection of log files is the only medium that can be used to evaluate and rebuild the attack techniques. Passive intrusion detection techniques usually involve a manual review of event logs and application logs. An investigator can inspect and analyze event log data to detect attack patterns.

On the other hand, there are many attack attempts that can be detected as soon as the attack takes place. This type of detection is known as active intrusion detection. Using this method, an administrator or investigator follows the footsteps of the attacker and looks for known attack patterns or commands, and blocks the execution of those commands.

Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data. There are various types of intrusions, including unauthorized access to files and systems, worms, Trojans, computer viruses, buffer overflow attacks, application redirection, and identity and data spoofing. Intrusion attacks can also appear in the form of denial of service, and DNS, e-mail, content, or data corrup- tion. Intrusions can result in a change of user and file security rights, installation of Trojan files, and improper data access. Administrators use many different intrusion detection techni- ques, including evaluation of system logs and settings, and deploying firewalls, antivirus soft- ware, and specialized intrusion detection systems. Administrators should investigate any unauthorized or malicious entry into a network or host.

Using Multiple Logs as Evidence

Recording the same information in two different devices makes the evidence stronger. Logs from several devices collectively support each other. Firewall logs, IDS logs, and TCPDump output can contain evidence of an Internet user connecting to a specific server at a given time.

Maintaining Credible IIS Log Files

Many network administrators have faced serious Web server attacks that have become legal issues. Web attacks are generally traced using IIS logs. Investigators must ask themselves certain questions before presenting IIS logs in court, including:

● What would happen if the credibility of the IIS logs was challenged in court? ● What if the defense claims the logs are not reliable enough to be admissible as

evidence?

An investigator must secure the evidence and ensure that it is accurate, authentic, and

accessible. In order to prove that the log files are valid, the investigator needs to present

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

Network Forensics and Investigating Logs 7 them as acceptable and dependable by providing convincing arguments, which makes them

valid evidence.

Log File Accuracy The accuracy of IIS log files determines their credibility. Accuracy here means that the log files presented before the court of law represent the actual outcome of the activities related to the IIS server being investigated. Any modification to the logs causes the validity of the entire log file being presented to be suspect.

Logging Everything In order to ensure that a log file is accurate, a network adminis- trator must log everything. Certain fields in IIS log files might seem to be less significant, but every field can make a major contribution as evidence. Therefore, network administra- tors should configure their IIS server logs to record every field available.

IIS logs must record information about Web users so that the logs provide clues about whether an attack came from a logged-in user or from another system.

Consider a defendant who claims a hacker had attacked his system and installed a back- door proxy server on his computer. The attacker then used the back-door proxy to attack other systems. In such a case, how does an investigator prove that the traffic came from a specific user’s Web browser or that it was a proxied attack from someone else?

Extended Logging in IIS Server Limited logging is set globally by default, so any new Web sites created have the same limited logging. An administrator can change the con- figuration of an IIS server to use extended logging.

The following steps explain how to enable extended logging for an IIS Web/FTP server and change the location of log files:

1. Run the Internet Services Manager. 2. Select the properties on the Web/FTP server. 3. Select the Web site or FTP site tab. 4. Check the Enable Logging check box. 5. Select W3C Extended Log File Format from the drop-down list. 6. Go to Properties. 7. Click the Extended Properties tab, and set the following properties accordingly:

● Client IP address ● User name ● Method ● URI stem

● HTTP status ● Win32 status ● User agent ● Server IP address ● Server port

8. Select Daily for New Log Time Period below the general Properties tab. Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

1

8

Chapter 1

9. Select Use local time for file naming and overturn. 10. Change the log file directory to the location of logs. 11. Ensure that the NTFS security settings have the following settings:

● Administrators - Full Control ● System - Full Control

Keeping Time

With the Windows time service, a network administrator can synchronize IIS servers by connecting them to an external time source.

Using a domain makes the time service synchronous to the domain controller. A net- work administrator can synchronize a stand-alone server to an external time source by setting certain registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\

REG_SZ Value: NTP

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\

REG_SZ

Value:

Key:

Setting:

Type

Type:

Key:

Setting:

NtpServer

Type:

ntp.xsecurity.com

UTC Time IIS records logs using UTC time, which helps in synchronizing servers in multi- ple zones.

Windows offsets the value of the system clock with the system time zone to calculate UTC time. To check whether the UTC time is correct, a network administrator must ensure that the local time zone setting is accurate. The network administrator must verify that during the process IIS is set to roll over logs using local time.

A network administrator can verify a server’s time zone setting by looking at the first entries in the log file. If the server is set at UTC ﰁ06:00, then the first log entries should appear around 18:00 (00:00 ﰁ 06:00 1⁄4 18:00). Because UTC does not follow daylight savings, the administrator must also consider the date. For example, UTC ﰁ6:00 will actually be ﰁ5:00 half the year.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

Network Forensics and Investigating Logs 9

Avoiding Missing Logs When an IIS server is offline or powered off, log files are not created. When a log file is missing, it is difficult to know if the server was actually offline or powered off, or if the log file was deleted.

To combat this problem, an administrator can schedule a few hits to the server using a scheduling tool. The administrator can keep a log of the outcomes of these hits to determine when the server was active. If the record of hits shows that the server was online and active at the time that log file data is missing, the administrator knows that the missing log file might have been deleted.

Log File Authenticity An investigator can prove that log files are authentic if he or she can prove that the files have not been altered since they were originally recorded.

IIS log files are simple text files that are easy to alter. The date and time stamps on these files are also easy to modify. Hence, they cannot be considered authentic in their default state. If a server has been compromised, the investigator should move the logs off the server. The logs should be moved to a master server and then moved offline to secondary storage media such as a tape or CD-ROM.

Working with Copies As with all forensic investigation, an investigator should never work with the original files when analyzing log files. The investigator should create copies before performing any postprocessing or log file analysis. If the original files are not altered, the investigator can more easily prove that they are authentic and are in their original form. When using log files as evidence in court, an investigator is required to present the original files in their original form.

Access Control In order to prove the credibility of logs, an investigator or network admin- istrator needs to ensure that any access to those files is audited. The investigator or administra- tor can use NTFS permissions to secure and audit the log files. IIS needs to be able to write to log files when the logs are open, but no one else should have access to write to these files. Once a log file is closed, no one should have access to modify the contents of the file.

Chain of Custody As with all forensic evidence, the chain of custody must be main- tained for log files. As long as the chain of custody is maintained, an investigator can prove that the log file has not been altered or modified since its capture. When an investigator or network administrator moves log files from a server, and after that to an offline device, he or she should keep track of where the log file went and what other devices it passed through. This can be done with either technical or nontechnical methods, such as MD5 authentication.

IIS Centralized Binary Logging Centralized binary logging is a process in which many Web sites write binary and unformatted log data to a single log file. An administrator needs to use a parsing tool to view and analyze the data. The files have the extension .ibl, which stands for Internet binary log. It is a server property, so all Web sites on that server write log data to the central log file.

It decreases the amount of system resources that are consumed during logging, therefore increasing performance and scalability.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

1

10 Chapter 1

The following are the fields that are included in the centralized binary log file format: ● Date

● Time ● Client IP address ● User name ● Site ID ● Server name ● Server IP address ● Server port ● Method ● URI stem ● URI query ● Protocol status ● Windows status ● Bytes sent ● Bytes received ● Time taken ● Protocol version ● Protocol substatus

ODBC Logging ODBC logging records a set of data fields in an ODBC-compliant database like Microsoft Access or Microsoft SQL Server. The administrator sets up and specifies the database to receive the data and log files.

When ODBC logging is enabled, IIS disables the HTTP.sys kernel-mode cache. An adminis- trator must be aware that implementing ODBC logging degrades server performance.

Some of the information that is logged includes the IP address of the user, user name, date, time, HTTP status code, bytes received, bytes sent, action carried out, and target file.

Tool: IISLogger IISLogger provides additional functionality on top of standard IIS log- ging. It produces additional log data and sends it using syslog. It even logs data concerning aborted Web requests that were not completely processed by IIS.

IISLogger is an ISAPI filter that is packaged as a DLL embedded in the IIS environment. It starts automatically with IIS. When IIS triggers an ISAPI filter notification, IISLogger pre- pares header information and logs this information to syslog in a certain format. This occurs each time, for every notification IISLogger is configured to handle.

The following are some of the features of IISLogger: ● It generates additional log information beyond what is provided by IIS.

● It recognizes hacker attacks. Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

Network Forensics and Investigating Logs 11

● It forwards IIS log data to syslog. ● It provides a GUI for configuration purposes.

Importance of Audit Logs

The following are some of the reasons audit logs are important:

● Accountability: Log data identifies the accounts that are associated with certain events. This data highlights where training and disciplinary actions are needed.

● Reconstruction: Investigators review log data in order of time to determine what happened before and during an event.

● Intrusion detection: Investigators review log data to identify unauthorized or unusual events. These events include failed login attempts, login attempts outside the designated schedules, locked accounts, port sweeps, network activity levels, memory utilization, and key file or data access.

● Problem detection: Investigators and network administrators use log data to identify security events and problems that need to be addressed.

Syslog

Syslog is a combined audit mechanism used by the Linux operating system. It permits both local and remote log collection. Syslog allows system administrators to collect and distrib- ute audit data with a single point of management. Syslog is controlled on a per-machine basis with the file /etc/syslog.conf. This configuration file consists of multiple lines like the following:

mail.info /var/log/maillog

The format of configuration lines is:

facility.level action

The Tab key is used to define white space between the selector on the left side of the line and the action on the right side.

The facility is the operating system component or application that generates a log message, and the level is the severity of the message that has been generated. The action gives the defi- nition of what is done with the message that matches the facility and level. The system administrator can customize messages based on which part of the system is generating data and the severity of the data using the facility and level combination.

The primary advantage of syslog is that all reported messages are collected in a message file. To log all messages to a file, the administrator must replace the selector and action fields with the wildcard (*).

Logging priorities can be enabled by configuring /var/log/syslog. All authorized messages can be logged with priorities such as emerg (highest), alert, crit, err, warning, notice, info, or debug (lowest). Events such as bad login attempts and the user’s last login date are also recorded. If an attacker logs into a Linux server as root using the secure shell service and a guessed password, the attacker’s login information is saved in the syslog file.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

1

 (EC-Council 1-11)

EC-Council. Computer Forensics: Investigating Network Intrusions and Cybercrime (CHFI),  2nd Edition. Cengage Learning, 20160506. VitalBook file.