RE: Simple Windows incident response methodology

["Security Guy" <securityguy () dslextreme com>]

I'm stepping into the middle of this, so I may have missed this info earlier
in the thread.  What is the "forensics cd?"  Is there an example somewhere
that I can use in setting up one of my own.

- SG 

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet () sequoianet com] 
Sent: Tuesday, June 08, 2004 5:48 AM
To: incidents () securityfocus com
Subject: Simple Windows incident response methodology

Metaphorical discussion aside, maybe it would be more productive to start
with a basic incident response methodology and kick it around a little bit.
I have one that I have used - it is for Windows only, and its pretty basic,
but maybe it's a starting point.  I'll also say that it only lists the basic
data collection steps, and nothing about how to actually anaylze the data -
I assume that a trained IR engineer will be doing the work.

At risk of some putz flaming or otherwise criticizing me, I'll go ahead and
post it.  At least if everyone who said "help me! help me!" on the list
submitted the data collected below, it would be easier for people to
respond.  

Disclaimer: Use at your own risk, no warranty expressed or implied, IANAL (I
Am Not A Laywer), this is not the best methodology in the world, and is only
a starting point, etc. etc. etc.  There are better tools out there, and this
doesn't really take into account crafty rootkits, but in my experience, most
so called "hacks" aren't much more than pubstros and IRC/FTP servers.

Also, note that this assumes you have already made a bootable forensic CD
with all the software, as well as "known safe" command interpreters, etc.

Mark Lachniet

--------8<-------------

Phase I - Preparation (Update forensics toolkit)

1) Download updated virus signatures for F-prot at
http://www.datafellows.com/download-purchase/updates_manual.shtml#dos

2) Download updated versions of Anti-trojan at
http://www.anti-trojan.net/en/download.aspx

3) Burn a CD-R version of the Forensics CD and label it with date it was
created

4) Obtain as much information as possible ahead of time from the victim
including:

a. Detailed information about the event (email threads, logs, screen
captures, etc.) b. Target system information (IP Address, operating system,
patch level,
hardware)
c. Target system utilization (is it a running server?  Can it be taken down?
Who uses the system, and how can they be contacted?) d. Target network
configuration (network maps, IP plans) e. Target network logging sources
(operating system, routers, firewalls, IDS, etc.) f. Detailed contact
information (phone numbers, cell/pager numbers, email addresses, etc.) g.
Obtain administrator passwords, others as needed to access the target
systems h. If possible, perform a vulnerability assessment on the host ahead
of time i. Do research, as needed, to prepare for the analysis j. Obtain at
least ten (10) blank, formatted, unused floppy disks k. Obtain at least one
pad of paper, pens, etc.

5) Read RFC 3277 "Guidelines for Evidence Collection and Archiving" 

6) Discuss the situation and goals of the analysis with the target's
administrative staff

a. Advise the client that you cannot provide legal advice of any kind, and
that they may wish to involve their legal counsel if they feel it is
appropriate b. What is the server used for?
c. What is the criticality of the data on the server?
d. What is the criticality of data not on the server, but in the environment
(other servers with critical data that could also be hacked) e. When was the
problem discovered?  Who discovered it?
f. What has been done since that time?
g. What type of system backups exist?  What program were they created with?
Have they been tested?  How far back do the backups go?
h. What is the ideal outcome of this process?  Prosecution?  Concerns with
internal employees?  Stopping further attacks?
i. Discuss issues of data preservation (i.e., there are two ways to approach
the analysis - with a foot print or without.  With a foot print has a chance
of altering critical evidence, but is less expensive and can be used on
production servers.  Without foot print means imaging the disk and working
with a forensic disk analysis tool which is outside of the scope of this
service) j. If legal recourse is strongly desired, discuss with the client
the need for an additional set of eyes (and intials) during the process.  If
desired, the client will need to sit with the forensic analyst at all times,
and "sign off" on each task that was performed, as it was performed.  
k. Discuss how the incident will be treated with other employees - is the
analysis a "secret" or is it openly known?
l. Record the highlights of all information discussed with the customer in
steps a-j, and re-state them to the client to confirm that you are in
agreement

Phase II  - Data Collection (Manual Analysis on running server)

1) Perform an external vulnerability assessment a. Full port scan, identify
all running services b. Perform google searches on the DNS name and IP
address c. Also check black-list and open proxy lists for IP address

2) Prepare for analysis of volatile information (Floppy Disk analysis)

a. Insert the CD-ROM in the CD-ROM drive b. Label a floppy disk with the
customer name, date, computer name, IP address, your name, and the title
"Disc#1".  Repeat this labeling format for subsequent discs (#2, #3, etc.)
c. Insert the floppy disk in the floppy drive (if possible, otherwise run
these steps to a shared directory on your laptop) d. Using paper and pen,
start your activity log.  Title the first page with the same information as
the floppy disc (customer name, date, computer name, IP address, your name).
Also create the following
columns:

Date/Time               Description                             Initials

Use this format to record the work that you perform.  If the customer has

3) Perform the analysis of volatile information (Floppy Disk analysis)

a. Run the appropriate command interpreter on the CD-ROM.  For Windows 2000
and 4.0 servers, this will be in 'X:\cmd2k' and on Windows 98 will be
'X:\cmd98\command.com'

b. Capture the date and time of the system i. date /t > a:\datetime.txt ii.
time /t >> a:\datetime.txt

c. Record the date and time of the computer, as well as the "real" date and
time (a reliable clock, etc) in your written notes.  Note the time delta
between system time and "real" time.  Also note the time zone where the
analysis is taking place.

d. Capture information about running processes using pslist:
i. d:\pstools\pslist -t > a:\pslistt.txt ii. d:\pstools\pslist -x >
a:\pslistx.txt

e. Capture information about logged on users using psloggedon:
i. d:\pstools\psloggedon > a:\psloggedon.txt

f. Capture netstat information using netstatp:
i. d:\netstatp\release\netstatp -a -n > a:\netstatp.txt

g. Capture listening ports to program mappings with fportng i.
d:\fportng\fport > a:\fport.txt

h. Capture open file handles, first in brief, then in full (compressed) i.
d:\handle\handle > a:\handle.txt ii. d:\handle\handle -a | d:\unix\gzip >
a:\handle-all.gz

i. Capture file system MAC times:
i. Insert a new, blank floppy disk
ii. d:\perl\perl.exe \sfile\sfile.pl -d c:\ | \unix\gzip > a:\sfile.gz

j. Capture AT (command scheduler) information i. at > a:\at.txt

k. Capture NBTstat information:
i. nbtstat -c > a:\nbtstat.txt

l. Capture 'net' information:
i. echo Net Accounts: > a:\net.txt
ii. net accounts >> a:\net.txt
iii. echo Net File:  >> a:\net.txt
iv. net file >> a:\net.txt
v. echo Net Session:  >> a:\net.txt
vi. net session >> a:\net.txt
vii. echo Net Share: >> a:\net.txt
viii. net share >> a:\net.txt
ix. echo Net Start:  >> a:\net.txt
x. net start >> a:\net.txt
xi. echo Net Use:  >> a:\net.txt
xii. net use >> a:\net.txt
xiii. echo Net User:  >> a:\net.txt
xiv. net user >> a:\net.txt
xv. echo Net View: >> a:\net.txt
xvi. net view >> a:\net.txt

m. Create MD5 hashes of operating system files:
i. C:
ii. Cd\
iii. Echo **** C:\ **** > a:\md5.txt
iv. D:\ircr\md5sum *.*  >> a:\md5.txt
v. Echo **** C:\WINNT **** >> a:\md5.txt vi. Cd\winnt\ vii. D:\ircr\md5sum
*.*  >> a:\md5.txt viii. Echo **** C:\WINNT\SYSTEM **** >> a:\md5.txt ix.
Cd\winnt\system x. D:\ircr\md5sum *.*  >> a:\md5.txt xi. Echo ****
C:\WINNT\SYSTEM32 **** >> a:\md5.txt xii. Cd\winnt\system32 xiii.
D:\ircr\md5sum *.*  >> a:\md5.txt
       
       
4) Back up large files (Network)

a. Create a data directory on your hard drive i. mkdir c:\data

b. Map a network drive FROM the laptop TO the target server's C:
i. net use o: \\<<ipaddress>>\c$ /user:administrator *

c. Copy IIS logs to your laptop:
i. xcopy o:\winnt\system32\LogFiles\*.* c:\data /s/e/v

d. Copy Windows Event logs to your laptop*:
i. xcopy o:\winnt\system32\config\*.evt c:\data /s/e/v

e. Copy any suspicious materials to your laptop.  Items to consider may
include the contents of FTP directories, HTML files, log files, suspicious
application software, etc.

5) Scan the target for viruses and Trojans (if possible, boot to boot CD to
do this)

a. Run F-Prot from the CD-ROM drive:
i. d:\f-prot\f-prot /hard > a:\fprot.txt

b. Install and run Anti-Trojan on the investigator's laptop i. Ensure that
the "Remove found Trojans" check box is UN-checked ii. Run a "filescan" scan
of the mapped O: drive

6) Identify and analyze other sources of information, including e-mail,
firewalls, routers, switches, etc. to locate additional information about
the event

7) Run 'dumpreg' to dump the Windows Registry to disk (optional - to find
installed software by date of registry entry)

8) Run 'filemon' to monitor ongoing file accesses (optional - if you believe
the system is actively being used by hackers, or want to track suspicious
system activity)

9) Run 'regmon' to monitor ongoing registry accesses (optional - if you
believe the system is actively being used by hackers, or want to track
suspicious system activity)

10) Run 'tdimon' to monitor ongoing TCP/IP activity (optional - if you want
to track TCP/IP activity by process)

Phase III  - Data Analysis 

1) Analyze collected data (TBD)
2) Additional follow-up as needed

Phase IV  - Author and Deliver Report

1) Using provided template, author an incident response report
2) Present the report to the client
3) Discuss findings, limitations, next steps