|
Real Digital Forensics
Review by Jim DuWaldt, a member of the North Orange
County Computer Club, California
www.noccc.org editor(at)noccc.org
Obtained from APCUG with the author's permission for
publication by APCUG member groups.
About the authors: Keith L. Jones leads the computer
forensics and electronic evidence discovery practices at Red Cliff Consulting.
Richard Bejtlich is the founder of TaoSecurity, a network security monitoring
consultancy. Curtis W. Rose provides support to criminal investigations and
civil litigation as an executive vice president at Red Cliff Consulting.
This book (with included DVD) intends to teach
Computer Forensics for both Windows and Linux systems, that is, gathering
evidence from infected machines and the network they operate in so that the
intended victim can effectively react to a successful penetration.
Or, to quote the book: "...give new forensic
investigators more than words to learn new skills." "We use the same
tools attackers use... the same methods rouge employees make... [collect] the
same media we typically collect...this book takes a practical, hands-on
approach to solving problems...[with] techniques you can employ
immediately."
The clear implication is that the book is aimed at
the inexperienced practitioner. As
usual, TCP/IP knowledge is a good idea. There is one staring oddity: to use one
of the tools you need to alter your kernel! From pg 208: "Please download
and install the NASA-enhanced kernel..." This takes more than just a
beginner's skill!
The context for the procedures is provided by five
scenarios which are a mix of internal and external threats as seen from the
point of view of admins or law enforcement. As the techniques are presented, it
is explained how they might be applied to these scenarios, as opposed to
stepping through the scenarios and describing the methods.
Richard Bejtlich's books usually focus on evidence
gathered by network monitoring. Instead, Part I ("Live Incidence
Response") begins with host-focused procedures for both Windows and Linux
(one chapter for each). Live Response
techniques invoke a series of programs on the suspect machine in order to
gather "volatile data," that is, system state that will not survive a
reboot or shutdown.
This explanation is
entirely suitable for creating your own Live Response software and procedures.
Networks return to the center of attention in Part II
("Network-Based Forensics"). There is a brief but well-done review of
the types of data (Full Context, Session, Statistical, and Alert Data) that
should be collected and the software to collect them (Tcpdump, Snort, and many
others) as well as the five steps of intrusion (recon, exploitation,
reinforcement, consolidation, and "pillage"). A Cop/Drug Ring analogy
is employed to describe these four data types which, given the popularity of
CSI, might be good for rank beginners but will be less useful to anyone with
more experienced. This section also has separate chapters on analysis of the
information for Windows and *NIX machines.
Part III ("Acquiring a Forensic
Duplication") presents open and closed tools for the forensic cloning of a
suspect disk, regardless of the operating system. Its chapter on legal
paperwork is very efficient but it would be great if the authors had photos or
illustrations of what they use, if only as an example. The material on disk duplication, on the other
hand, had lots of excellent photos and screen shots for both the commercial
(EnCase and FTK) and open source products (DD, DD_resume, DCFLDD and NED).
Part IV (Forensic Analysis Techniques) shows you what
to do with your new disk image. Methods for disk analysis begin with looking
for and recovering deleted files, what to do when that is not possible,
discerning strings of interest from NBE (Network-Based Evidence) and Live
Response findings (like the name of an executable) and searching the disk for
them.
This is followed by techniques for reconstructing
emails (even Outlook and Outlook Express proprietary formats can be analyzed by
open source tools), pages visited while web browsing including reconstructing
emails sent with web clients, and the examination of the Windows Registry (good
for finding recently-accessed documents or evidence of programs subsequently
deleted).
(Currently only commercial applications are available
for analyzing the Registry which is odd, considering that scripting languages,
like Python for example, have Registry access libraries.)
Multiple chapters focus on examining unknown files to
determine their use, with an emphasis on Microsoft-formatted documents and on
the examination of unknown Windows and *NIX executables. This includes static
analysis with tools like strings.exe and hexWorkshop and disassemblers like IDA
to discover system calls or modify a binary file in order to, for example,
bypass password security. Missing are instructions on using a product like
VMware to set up a virtual machine environment for protecting the rest of the
system from the foreign executable; they only mention that you *should* use
something like VMware when in fact it is vitally important to do so or you
could wind up with yet another infected computer!
Part V ("Creating a Complete Forensic
Toolkit") succinctly describes creating CDs for a Live Response toolkit.
(But, why not do this in the first part of the book?) It also describes the use
of a Knoppix disk which allows you to examine a suspect system without having
to boot it from its (possibly) contaminated disk or be concerned about your
'clean' OS being cleverly contaminated by a suspect hard drive.
Part VI ("Mobile Device Forensics")
describes gleaning and examining data from PDAs like Palms and iPaqs (with
additional information about how they manage memory and how to access internal
debugging consoles), USB and CF drives. Forensic examination of USB/CF devices using a
loopback is well illustrated and an example of recovering a deleted file is
shown. The chapters also illustrate that, while some PDAs have good forensic
tools available (like later Palms and iPaqs), the earlier ones do not: sifting
through evidence on a Palm III, for example, is limited to hex and string
searches.
Part VII ("Online-Based Forensics")
presents methods for determining where an email originated from via header
examination, and how determined users could cover their tracks. Finally, they
leverage searching for DNS records into a lesson on manipulating the entire
VeriSign TLD (Top Level Domain) file in a large (100GB+) Postgres database,
allowing them to find all DNS names owned by, in their example, the company
Foundstone.
My only complaints about the book are the sudden
request to change the kernel and a failure to put front and center the
necessity of using a virtual machine environment before executing potentially
hazardous code.
Otherwise it was a typical Bejtlich security book (no
offense to the other authors), containing the basis for immediately creating
Standard Operating Procedures, in particular for Live Response, proper forensic
documentation, and creating forensic-compliant duplicate drives. It definitely
has a place on my security bookshelf, alongside The Tao of Network Security and
Extrusion Detection.
The book is published by Addison-Wesley
(http://www.awprofessional.com/bookstore/product.asp?isbn=0321240693&rl=1),
ISBN 0-321-24069-3, and lists for $55. User group members can get a 30%
discount if their group belongs to the UG program.; it sells for $34.64 at
Amazon.com (new).
This article has been provided to
APCUG by the author solely for publication by APCUG member groups. All other
uses require the permission of the author (see e-mail address above).
|
BGRCC By Harold Buechly