Previous Section  < Day Day Up >  Next Section

Forensic Analysis Tools

One issue computer investigators face is that normal file utilities can irrevocably change files, effectively "polluting" the crime scene as well as deleting evidence you need. For example, viewing files with a regular editor changes things like the timestamp. Imagine someone tromping through a real crime scene in dirty boots and moving objects all over the house. This is the same as rummaging through your system without the proper tools. Not only will you have eliminated your chance of being able to take any criminal or civil action, but you may also erase the attacker's digital trail. Hackers often use tools that hide processes and files from normal system utilities, so you need special tools that operate outside of the normal operating system to look beyond what the operating system thinks it sees.

The following sections review tools for both Linux and Windows. First we will look at a few of the investigation tools on operating systems, then at full-featured toolkits for deeper analysis. Keep in mind that using operating system-based tools may return false or bogus data if your OS has truly been compromised.

Fport: A Process Identification Tool for Windows

Fport

Author/primary contact:

Foundstone, Inc.

Web site: www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

Platforms:

Windows NT, 2000, XP

License:

Freeware

Version reviewed:

2.0



This little system add-on can be useful when investigating a machine for suspicious activity. Often a memory-resident virus or Trojan horse will show up as a process running under a strange name or on an unusual port. Fport looks for open TCP or UDP network ports and prints them out along with the associated process id (PID), process name, and path. It is similar to the native Windows netstat command except that it provides a little more information and allows you to format it different ways for analysis. This can help you track down suspicious programs that are opening up network ports on your machine. This behavior is the hallmark of a Trojan horse.

Of course, every process you don't recognize isn't necessarily an evil program, but you should understand what weird-looking services are doing. The most obvious ones will have nonstandard paths (other than the Windows system directories and such). Also, strange or hacker-like names are a dead giveaway.

The program is designed and offered by Foundstone Corporation, a security software and consulting company. They offer several other free security tools and their Web site is worth a look. While Fport is not purely open source (only the binaries are distributed), it is freeware and there are few limitations on its use for commercial purposes.

Installing Fport

Download the zip file from the Foundstone Web site and unzip it into its own directory. There will be two files, the Fport executable and a short README file.

Using Fport

Fport can help you figure out if a machine has been tampered with and where the intruder is coming from. You need to run Fport on a system that is live, that is, up and running; you can't run Fport on static data.

Running Fport is about as simple as it comes. From the directory the executable is in, type fport. It prints a listing of all the ports open at that moment and their associated applications (see Listing 11.1).

Listing 11.1. Fport Display

Port v2.0 - TCP/IP Process to Port Mapper

Copyright 2000 by Foundstone, Inc.

http://www.foundstone.com



Pid   Process          Port  Proto Path

940   svchost      ->  135   TCP   C:\WINDOWS\system32\svchost.exe



4     System       ->  139   TCP



4     System       ->  445   TCP

1348  WCESCOMM     ->  990   TCP   C:\Program Files\Microsoft

                                     ActiveSync\WCESCOMM.EXE

4072  WCESMgr      ->  999   TCP   C:\Program Files\Microsoft

                                     ActiveSync\WCESMgr.exe



1032  svchost      ->  1025  TCP   C:\WINDOWS\System32\svchost.exe



1032  svchost      ->  1031  TCP   C:\WINDOWS\System32\svchost.exe



1032  svchost      ->  1034  TCP   C:\WINDOWS\System32\svchost.exe



4     System       ->  1042  TCP



4072  WCESMgr      ->  2406  TCP   C:\Program Files\Microsoft

                                     ActiveSync\WCESMgr.exe



2384  websearch    ->  3008  TCP   C:\Program Files\websearch\

                                     websearch.exe



1144               ->  54321 TCP   C:\Temp\cmd.exe



4072  WCESMgr      ->  5678  TCP   C:\Program Files\Microsoft

                                     ActiveSync\WCESMgr.exe



2384  websearch    ->  8755  TCP   C:\Program Files\websearch\

                                     websearch.exe



136   javaw        ->  8765  TCP   C:\WINDOWS\System32\javaw.exe



1348  WCESCOMM     ->  123   UDP   C:\Program Files\Microsoft

                                     ActiveSync\WCESCOMM.EXE



2384  websearch    ->  123   UDP   C:\Program Files\websearch\

                                     websearch.exe



940   svchost      ->  135   UDP   C:\WINDOWS\system32\svchost.exe



1144               ->  137   UDP



1032  svchost      ->  1026  UDP   C:\WINDOWS\System32\svchost.exe


By looking at this listing, you can see what appear to be normal services and programs running, until about half way down where you can see that cmd.exe is running from the temp directory. This is the command prompt binary and it has no business being in a temp directory. Also, the fact that the service has no name should arouse suspicion. Finally, the incoming port number doesn't match any known services. In fact, if you look it up in a database of known Trojan horses on the Internet (www.simovits.com/trojans/trojans.html) , it matches the port number of a documented Trojan horse. There is strong evidence that this system has been exploited. At this point, you have to decide if it is worth taking the system down to do further forensic analysis of the system.

Table 11.1 lists a few options you can run with Fport to sort the output. You can also use the h option to display short help descriptions.

Table 11.1. Fport Sorting Options

Options

Descriptions

-a

Sorts the output by application name.

-ap

Sorts the output by application path.

-i

Sorts the output by Process ID (PID).

-p

Sorts the output by port.


If you have a lot of processes, you can use these switches to look at all the high port numbers running, which is typically where malware runs. You can also sort by application path or name to find nonstandard applications running.

lsof: A Port and Process Identification Tool for UNIX


This tool is similar to the Fport tool for Windows just discussed. The lsof tool (LiSt Open Files) associates open files with processes and users. It is like the netstat command, but in addition it reports the network port the service is using. This is important when trying to track down an active program on the network. Often the only way to find these elusive bugs is to watch for what network ports they open up.

The lsof tool is being preinstalled on some UNIX and Linux distributions and is available in RPM form on the installation disks of others such as Mandrake and RedHat Linux. To see if you have it preinstalled, type lsof and see if you get any response.

Installing lsof

  1. graphics/cd_icon_icon.gif graphics/cd_icon_icon.gif Download the tar file from the book's CD-ROM or the official Web site.

    If the IP address you are downloading from doesn't have a reverse DNS record, the main FTP site will not allow you to connect to it. Try one of the alternate mirror sites listed.

  2. Unzip the tar file.

  3. You will see some text files and another tar file, something like lsof_4.68_src. This file has the sources in it. Untar this file and enter that directory.

  4. Before you start the compilation process, you need to know the abbreviation code for your UNIX dialect. Since the lsof program is designed to be portable to just about any version of UNIX, you must tell it what flavor of UNIX you are running so the configure routine can set it up for your system.

    To find out the codes for the different versions of UNIX, type

    
    
    
    

    
    ./configure h
    
    

    For example, the code for Linux is linux (easy enough, right?).

  5. When you are ready, type the following command:

    
    
    
    

    
    ./Configure unix_dialect_code
    
    

    where you replace unix_dialect_code with the code for your specific system, for example, linux. This configures the program for compilation.

  6. When the configuration is finished, type:

    
    
    
    

    
    make
    
    

  7. This finishes the build process.

You are now ready to start using lsof.

Using lsof

The lsof program has many uses, and has extensive man pages and several README files for the different applications. However, this section concentrates only on a few specific commands that are useful for forensic research.

If you want to see all of the open files on your system at any given moment and the processes associated with them, type:






lsof -n


The -n option tells lsof not to attempt to do a DNS record on any IP addresses connecting to your machine. This speeds up the process considerably. The output will look something like Listing 11.2

Listing 11.2. lsof n output

COMMAND  PID   USER   FD   TYPE   DEVICE     SIZE      NODE

xfs      903    xfs   0r    DIR      3,1     4096         2

atd      918 daemon  rtd    DIR      3,1     4096         2

atd      918 daemon  txt    REG      3,6    14384    273243

/usr/sbin/atd

sshd     962   root  cwd    DIR      3,1     4096         2

sshd     962   root  rtd    DIR      3,1     4096         2

sshd     962   root  txt    REG      3,6   331032    274118

/usr/sbin/sshd

dhcpcd   971   root  cwd    DIR      3,1     4096         2

dhcpcd   971   root  rtd    DIR      3,1     4096         2

dhcpcd   971   root  txt    REG      3,1    31576     78314

/sbin/dhcpcd

xinetd  1007   root  cwd    DIR      3,1     4096         2

5u  IPv4       1723          TCP 127.0.0.1:1024 (LISTEN)

xinetd  1007   root    8u  unix 0xc37a8540             1716

rwhod   1028   root  cwd    DIR      3,1     4096     61671

/var/spool/rwho

rwhod   1028   root  rtd    DIR      3,1     4096     61671

/var/spool/rwho

rwhod   1028   tim   cwd    DIR      3,1     4096     61671

/var/spool/rwho

crond   1112   root  cwd    DIR      3,1     4096        14

/var/spool

crond   1112   root    1w  FIFO      0,5             1826

  1112   root    2w  FIFO        0,5         1827      pipe

nessusd 1166   root  cwd    DIR      3,1     4096         2

nessusd 1166   root  rtd    DIR      3,1     4096         2

nessusd 1166   root  txt    REG      3,6  1424003    323952

init       1   root  cwd    DIR      3,1     4096         2

init       1   root  rtd    DIR      3,1     4096         2

init       1   root  txt    REG      3,1    31384     75197


The connections in this listing look normal. The connection via the rwho service might give you pause. You would want to make sure that a valid user on your system is using this command legitimately. If this account belonged to a nontechnical secretary type, you might want to investigate this further.

You can also use lsof to look for a specific file. If you want to see if anyone was accessing your password file, you could use the following command:






lsof path/filename


Replace path/filename with the specific path and filename you are interested in, in this case, /etc/passwd. You have to give lsof the whole path for it to find the file.

Another way to use lsof is to have it list all the open socket files. This shows if there is a server listening that you don't know about. The format of this command is:






lsof i


This produces output similar to Listing 11.3. You can see all the programs you are running, including sshd and nessusd, which are the daemons for Nessus and SSH. You can even see the individual connections to these services. It looks like someone is using the Nessus server at the moment. Checking the IP address, you can see that it is an internal user. In fact, it is your own machine! So there is nothing to worry about this time.

Listing 11.3. lsof i Output

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME

portmap  733  rpc    3u  IPv4   1417       UDP *:sunrpc

portmap  733  rpc    4u  IPv4   1426       TCP *:sunrpc (LISTEN)

sshd     962 root    3u  IPv4   1703       TCP *:ssh (LISTEN)

xinetd  1007 root    5u  IPv4   1728       TCP

localhost.localdomain:1024 (LISTEN)

rwhod   1028 root    3u  IPv4   1747       UDP *:who

nessusd 1166 root    4u  IPv4   1971       TCP *:1241 (LISTEN)

nessusd 1564 root    5u  IPv4   1972       TCP 192.168.1.101:1241->192.168.1.2:1994 

graphics/ccc.gif(ESTABLISHED)


You can specify a particular IP address or host to look for by putting an @ (at sign) and the address after the -i switch. For example:






lsof -i@192.168.1.0/24


shows any connections coming from within your network, assuming your internal network is 192.168.1.0/24.

    Previous Section  < Day Day Up >  Next Section