
Copyright 2005 Carnegie Mellon University

Forensic Collection and Analysis of Volatile Data
This lab is an introduction to collecting volatile data from both a compromised Linux and Windows host. In the event that a host in your organization is compromised you may need to perform forensic analysis. When collecting forensic evidence it is important to begin with the most volatile information. This is information that is stored in memory (RAM), like open ports and connections as well as running processes. This is information that cannot be gathered once the machine has been rebooted. Remember to always start with the volatile information first!

The main exercise in this lab details specific means by which to collect forensic evidence. Before starting any forensic collection it is important to have a trusted toolkit from which to work. This should contain trusted versions of commands so that you can be assured that the evidence you collect is valid and uncompromised. Your toolkit can vary depending on the evidence you want to collect and the operating system a host is running, but it should contain basic tools such as netstat, ipconfig, a command shell and others. There are a multitude of available tools for you to choose from.

You will be using the netstat command to collect information about open network connections and listening ports on the compromised hosts. This is not the ideal method for collecting forensic information, since you want to collect more information than just the network status. This means that you will need to execute a series of commands in order to collect the entire body of evidence. In collecting evidence it is important to leave the smallest footprint of your activity, so having to type in multiple commands is not the best method.

At the end of each section there is an Optional Challenge. The goal in the challenge exercise is to become familiar with the idea of using a .bat and a bash file to collect evidence. A .bat file or bash script is simply a string of commands in a single script. This helps minimize the footprint left behind during the collection phase by allowing you to execute one script instead of having to execute multiple commands from the command line.

Volatile Data Collection

Page 1 of 10


Your lab environment consists of three virtual computer systems.

1. A Windows 2003 Server launchpad system that will allow you to remotely access the machines below. This system's hostname is: VTELaunchpad and its IP address is 10.0.254.254.
2. A Linux machine that will serve as a compromised host from which you will gather forensic data. The system's hostname is: LinuxCompromised and its IP is 10.0.4.51.
3. A Windows 2003 machine that will serve as the compromised Windows host. This system's hostname is: Win Compromised and its IP address is 10.0.4.50.

1 Establishing a forensic collection system

You will configure the VTELaunchpad to function as a Netcat Listener (Evidence Collector) for a capture of volatile data from a live Windows system. Two collections will be made: (1) a simple collection of data using one trusted command, and (2) a comprehensive collection using a trusted .bat file of trusted tools.

1. From the VTELaunchpad, open a trusted command shell by selecting Start > Run and browsing to the trusted forensic CD (i.e. D: drive) that has been preloaded. Open the trusted command shell located at \Tools\Windows\Forensics\t_cmd.exe.


2. In the trusted command shell window, type the command t_ipconfig to identify the IP Address of the Windows VTELaunchpad. This will be needed later during the collection phase.
3. It is time to establish a Netcat listener on the VTELaunchpad. This platform will serve as the collection system for the upcoming collection of volatile data. From the command line in the trusted shell type:

t_nc.exe -L -p 443 > C:\Collectiondata.txt

Figure 1

This syntax will activate a Netcat listener on port 443 and direct all received data to the file Collectiondata.txt located on the root of C:\. Notice that the path at the top of the command shell window indicates that it is running from the trusted source, i.e. the forensics CD.

2 Collecting Volatile Data from a Windows System

The target system for this exercise will be the Win Compromised host. This machine contains information that you will need to collect and analyze to determine if the host has been compromised and to what extent. You will be collecting the data from the compromised host and using Netcat to send the forensic data to your Windows VTELaunchpad system.

1. From the VTELaunchpad Desktop, select the Remote Desktop Connection icon and connect to the Win Compromised machine at 10.0.4.50. Press the Options >> button and select the Display tab. Under Remote desktop size drag the bar to the left until it reaches 800 by 600 pixels. Press Connect. Login with: User: jsmith Password: tartans
2. From the WIN Compromised console, select Start > Run and browse to the trusted forensic CD that has been preloaded. Open the trusted command shell located at \Tools\Windows\Forensics\t_cmd.exe.


Figure 2


3. From the trusted command shell, type:

t_netstat.exe -an | t_nc.exe 10.0.254.254 443

This syntax will execute the t_netstat.exe (trusted) from the CD and send the output from the command to the Windows VTELaunchpad, which will write the data in the C:\WinCollectiondata.txt file. It will take approximately one minute for the netstat command to execute and the data to be transferred to the VTELaunchpad.
4. You will need to wait approximately one minute for the command to be executed and data to be transferred to the VTELaunchpad. Now close the open Netcat connections on both the Win Compromised and VTELaunchpad hosts. To do this, from the open trusted command shells press Ctrl-C. This will close the Netcat connections.
5. The last step is to verify that the volatile data from the remote collection has been sent to the Windows VTELaunchpad.
6. From the VTELaunchpad open and examine the C:\WinCollectiondata.txt file. To locate and open this file select Start > My Computer > Local Disk C:. Right-click the WinCollectiondata.txt file and select Open With > WordPad to view the contents. WHAT DO YOU SEE?


Figure 3


Optional Challenge:
1. Contained on the forensics CD in the Tools\Windows\Forensics\ folder is a .bat file titled Windows_Response.bat. This file executes several trusted commands from the CD which collect volatile data. Using the directions above, attempt to utilize this .bat file to conduct a comprehensive collection of volatile data from the Win Compromised and report any interesting findings. WHAT DO YOU SEE? Some of the processes that you should be able to see are:

Host_sensor.exe: The host_sensor.exe process acts as a host-alive checking sensor for the Linux_Compromised machine. Once the Linux_Compromised machine is alive it then connects to an open port (Port 4444).
Host_sensor.exe: The host_sensor.exe process acts as a host-alive checking sensor for the Linux_Compromised machine. Once the Linux_Compromised machine is alive it then connects to an open port (Port 23).
Rogueprocess.bat will be executed upon startup, which in turn executes the svchost1.exe binary, passing command line parameters.
ccApp4.exe is a masked WinDump.exe (Network Sniffer).
spoolsSV.exe is a (Keylogger) that will automatically start and capture keystrokes upon startup.
tini.exe is a running (Backdoor) that will listen on port 7777 for any connections. If a connection is established to port 7777 a command shell will be spawned.
svchost1.exe is a masked (Netcat Listener) that listens on port 80 for any connections. If a connection is established to port 80 a command shell will be spawned.
dxxccxymju.exe is a running (Backdoor Trojan, i.e. Subseven) that listens on the default port of 27374. Note the file name of this rogue process is randomly picked each time the machine is restarted.

2. Again, remember to close the Netcat connection when the transfer is complete. Keep in mind that Netcat does not report its status.


3 Collecting Volatile Data from a Linux System

3.1 Remotely Accessing the Linux Host via Secure Shell

The target system for this exercise will be the Linux Compromised machine. You will be collecting forensic evidence from this machine and storing it on the VTELaunchpad. You will need to reestablish the VTELaunchpad to listen for incoming connections. Using the instructions from section 1 (Establishing a forensic collection system) you will want to save the collected data in a file called C:\LinuxCollectiondata.txt or C:\LinuxCollectiondata.cvs.

1. To connect to the compromised Linux host locate and double-click the Putty.exe icon on the desktop of the VTELaunchpad. Putty is a very popular (and free) SSH client.
2. Type 10.0.4.51 in the Host name (IP Address) box within the Putty application and then click Open. Select Yes to accept the server key.
3. Login with the following credentials: Username: root Password: tartans

3.2 Collecting data using a trusted Netstat command

1. From the command line on the Linux Compromised host it will be necessary to mount the CDROM containing a trusted forensics toolkit. The CD has been preloaded. To do this, type:

# mount /dev/cdrom /mnt/cdrom

2. Now that the CDROM is mounted, you will need to load a trusted bash shell from which to continue working. First, the current working directory needs to be changed to the newly mounted forensics toolkit CD. To do this, type:
Figure 4

# cd /mnt/cdrom/Tools/Linux/Forensics/

3. At this point load the trusted bash shell from the CD. To do this, type:

# ./t_bash


4. Next, verify that the t_bash shell has been loaded and is the current location from which the collection is occurring. To do this, type:

# ./t_ps

Note the output from the t_ps command should indicate that t_bash is running inside of bash. The PID #s should be different on your screen.
5. Now that you are running commands from a trusted bash shell it is time to begin the collection of volatile data. From the trusted command shell, type:

# ./t_netstat -an | ./t_netcat 10.0.254.254 443

This syntax will execute t_netstat from the trusted CD and send the output from the command to the VTELaunchpad, which will write the data in the C:\LinuxCollectiondata.txt file.
6. You will need to wait approximately one minute for the command to be executed and data transferred to the VTELaunchpad. Now close the open Netcat connections on both the Linux Compromised and VTELaunchpad. To do this, from the open trusted command shells press Ctrl-C. This will close the Netcat connections. You can now close the SSH connection to the compromised Linux host.

Figure 5

It may take Netcat several seconds, possibly a minute or two, to transfer the data to the remote collection system (VTELaunchpad).

4 Verification of data collection

The last step is to verify that the volatile data from the remote collection has been sent to the Windows VTELaunchpad.

1. On VTELaunchpad open and examine the C:\LinuxCollectionData.txt file. To locate and open this file select Start > My Computer > Local Disk C. Right-click the LinuxCollectiondata.txt file, select Open with > WordPad to view the contents. WHAT DO YOU SEE?

In the LinuxCollectiondata.txt data file you will see the output of the netstat command that you ran. This is a list of the open connections to and from the compromised Linux machine as well as any listening ports that are open on the host. This can be useful to determine if there are any illegitimate ports open or connections being made by an attacker, malicious application or process.

Figure 6


Optional Challenge:
1. Contained on the forensics CD in the \Tools\Linux\Forensics\ folder is a bash script titled Linuxcollectionscript. This file executes several trusted commands from the CD which collect volatile data. Using the directions above, attempt to utilize this bash script to conduct a comprehensive collection of volatile data from the Linux Compromised host and report any interesting findings. WHAT DO YOU SEE? You should be able to find several running processes that do not belong. Spend some time looking through the collected data. Some of the processes that you should be able to see are:

/etc/log.df/jam1 script connects to an open telnet server on the Windows_Compromised machine.
/etc/log.df/klogd.a is a masked (Netcat Listener) that listens on port 4444 for any connections. If a connection is established to port 4444 a root bash shell will be spawned.
/etc/log.df/termcap is a masked tcpdump (Network Sniffer).
/etc/log.df/Servers/bindshell is a (Backdoor Trojan, i.e. bindshell Backdoor) that listens on port 55555.
/etc/log.df/nccon script executes a masked netcat called netstat and connects to an open telnet port on the Windows_Compromised machine.
/etc/log.df/ncconb script executes a masked netcat called netstat and connects to an open port 80 on the Windows_Compromised machine.
/etc/log.df/lklu process is an active Linux-based keylogger.

2. Again, remember to close the Netcat connection when the transfer is complete. Keep in mind that Netcat does not report its status. You will have to watch the file size on the VTELaunchpad to determine when the data transfer is complete.
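The following is an added example, not the lab's own Linuxcollectionscript: a bash collection script of the kind this Optional Challenge describes (one invocation running several trusted tools and streaming the result to the VTELaunchpad listener), plus the listening-port check that section 4 asks you to do by eye over the netstat output. It assumes the trusted tools live under /mnt/cdrom/Tools/Linux/Forensics with the lab's t_ naming (t_date and t_lsof are assumed names; t_netstat, t_ps and t_netcat are from the lab), and the netstat sample is constructed.

```shell
# Added example, not the lab's own script. TOOLDIR follows the mount point used
# in section 3.2; t_date and t_lsof are assumed names in the t_ convention.
TOOLDIR=${TOOLDIR:-/mnt/cdrom/Tools/Linux/Forensics}
COLLECTOR=${COLLECTOR:-10.0.254.254}   # VTELaunchpad Netcat listener
PORT=${PORT:-443}

# Emit one labelled section: header with UTC timestamp, command output
# (stderr included), then a trailer so each tool's output is delimited.
section() {
    printf '===== %s (%s) =====\n' "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    shift
    "$@" 2>&1
    printf '===== end =====\n'
}

# The whole collection in one pass, most volatile first, every command taken
# from the trusted toolkit rather than the suspect host's PATH.
collect_volatile() {
    section "date"        "$TOOLDIR/t_date" -u
    section "netstat -an" "$TOOLDIR/t_netstat" -an
    section "ps auxww"    "$TOOLDIR/t_ps" auxww
    section "lsof -n"     "$TOOLDIR/t_lsof" -n
}

# Parse netstat -an output on stdin and print "proto port" for each TCP
# listener; handles both 0.0.0.0:PORT and :::PORT local-address forms.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print $1, a[n] }' | sort -u
}

# Print only the listeners whose port is not in the space-separated allow-list
# given as $1; anything printed deserves a look in the ps section.
unexpected_ports() {
    listening_ports | awk -v allow=" $1 " 'index(allow, " " $2 " ") == 0'
}

# Constructed sample of netstat -an output: sshd on 22 plus listeners on the
# ports the lab's rogue klogd.a (4444) and bindshell (55555) use.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 :::55555                :::*                    LISTEN
tcp        0      0 10.0.4.51:22            10.0.254.254:3391       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Stream the collection to the listener only when explicitly requested,
# e.g. VOLATILE_RUN=1 ./collect.sh; sourcing the file just defines functions.
if [ "${VOLATILE_RUN:-0}" = "1" ]; then
    collect_volatile | "$TOOLDIR/t_netcat" "$COLLECTOR" "$PORT"
fi
```

Back on the VTELaunchpad, the saved collection can be fed to unexpected_ports with the host's known-good ports as the allow-list; with "22 111" the constructed sample yields the 4444 and 55555 listeners.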

