Security Incidents mailing list archives
RE: Simple Windows incident response methodology
From: "Security Guy" <securityguy () dslextreme com>
Date: Tue, 8 Jun 2004 14:46:54 -0700
I'm stepping into the middle of this, so I may have missed this info earlier in the thread. What is the "forensics cd?" Is there an example somewhere that I can use in setting up one of my own. - SG -----Original Message----- From: Lachniet, Mark [mailto:mlachniet () sequoianet com] Sent: Tuesday, June 08, 2004 5:48 AM To: incidents () securityfocus com Subject: Simple Windows incident response methodology Metaphorical discussion aside, maybe it would be more productive to start with a basic incident response methodology and kick it around a little bit. I have one that I have used - it is for Windows only, and its pretty basic, but maybe it's a starting point. I'll also say that it only lists the basic data collection steps, and nothing about how to actually anaylze the data - I assume that a trained IR engineer will be doing the work. At risk of some putz flaming or otherwise criticizing me, I'll go ahead and post it. At least if everyone who said "help me! help me!" on the list submitted the data collected below, it would be easier for people to respond. Disclaimer: Use at your own risk, no warranty expressed or implied, IANAL (I Am Not A Laywer), this is not the best methodology in the world, and is only a starting point, etc. etc. etc. There are better tools out there, and this doesn't really take into account crafty rootkits, but in my experience, most so called "hacks" aren't much more than pubstros and IRC/FTP servers. Also, note that this assumes you have already made a bootable forensic CD with all the software, as well as "known safe" command interpreters, etc. Mark Lachniet --------8<------------- Phase I - Preparation (Update forensics toolkit) 1) Download updated virus signatures for F-prot at http://www.datafellows.com/download-purchase/updates_manual.shtml#dos 2) Download updated versions of Anti-trojan at http://www.anti-trojan.net/en/download.aspx 3) Burn a CD-R version of the Forensics CD and label it with date it was created 4) Obtain as much information as possible ahead of time from the victim including: a. Detailed information about the event (email threads, logs, screen captures, etc.) b. Target system information (IP Address, operating system, patch level, hardware) c. Target system utilization (is it a running server? Can it be taken down? Who uses the system, and how can they be contacted?) d. Target network configuration (network maps, IP plans) e. Target network logging sources (operating system, routers, firewalls, IDS, etc.) f. Detailed contact information (phone numbers, cell/pager numbers, email addresses, etc.) g. Obtain administrator passwords, others as needed to access the target systems h. If possible, perform a vulnerability assessment on the host ahead of time i. Do research, as needed, to prepare for the analysis j. Obtain at least ten (10) blank, formatted, unused floppy disks k. Obtain at least one pad of paper, pens, etc. 5) Read RFC 3277 "Guidelines for Evidence Collection and Archiving" 6) Discuss the situation and goals of the analysis with the target's administrative staff a. Advise the client that you cannot provide legal advice of any kind, and that they may wish to involve their legal counsel if they feel it is appropriate b. What is the server used for? c. What is the criticality of the data on the server? d. What is the criticality of data not on the server, but in the environment (other servers with critical data that could also be hacked) e. When was the problem discovered? Who discovered it? f. What has been done since that time? g. What type of system backups exist? What program were they created with? Have they been tested? How far back do the backups go? h. What is the ideal outcome of this process? Prosecution? Concerns with internal employees? Stopping further attacks? i. Discuss issues of data preservation (i.e., there are two ways to approach the analysis - with a foot print or without. With a foot print has a chance of altering critical evidence, but is less expensive and can be used on production servers. Without foot print means imaging the disk and working with a forensic disk analysis tool which is outside of the scope of this service) j. If legal recourse is strongly desired, discuss with the client the need for an additional set of eyes (and intials) during the process. If desired, the client will need to sit with the forensic analyst at all times, and "sign off" on each task that was performed, as it was performed. k. Discuss how the incident will be treated with other employees - is the analysis a "secret" or is it openly known? l. Record the highlights of all information discussed with the customer in steps a-j, and re-state them to the client to confirm that you are in agreement Phase II - Data Collection (Manual Analysis on running server) 1) Perform an external vulnerability assessment a. Full port scan, identify all running services b. Perform google searches on the DNS name and IP address c. Also check black-list and open proxy lists for IP address 2) Prepare for analysis of volatile information (Floppy Disk analysis) a. Insert the CD-ROM in the CD-ROM drive b. Label a floppy disk with the customer name, date, computer name, IP address, your name, and the title "Disc#1". Repeat this labeling format for subsequent discs (#2, #3, etc.) c. Insert the floppy disk in the floppy drive (if possible, otherwise run these steps to a shared directory on your laptop) d. Using paper and pen, start your activity log. Title the first page with the same information as the floppy disc (customer name, date, computer name, IP address, your name). Also create the following columns: Date/Time Description Initials Use this format to record the work that you perform. If the customer has 3) Perform the analysis of volatile information (Floppy Disk analysis) a. Run the appropriate command interpreter on the CD-ROM. For Windows 2000 and 4.0 servers, this will be in 'X:\cmd2k' and on Windows 98 will be 'X:\cmd98\command.com' b. Capture the date and time of the system i. date /t > a:\datetime.txt ii. time /t >> a:\datetime.txt c. Record the date and time of the computer, as well as the "real" date and time (a reliable clock, etc) in your written notes. Note the time delta between system time and "real" time. Also note the time zone where the analysis is taking place. d. Capture information about running processes using pslist: i. d:\pstools\pslist -t > a:\pslistt.txt ii. d:\pstools\pslist -x > a:\pslistx.txt e. Capture information about logged on users using psloggedon: i. d:\pstools\psloggedon > a:\psloggedon.txt f. Capture netstat information using netstatp: i. d:\netstatp\release\netstatp -a -n > a:\netstatp.txt g. Capture listening ports to program mappings with fportng i. d:\fportng\fport > a:\fport.txt h. Capture open file handles, first in brief, then in full (compressed) i. d:\handle\handle > a:\handle.txt ii. d:\handle\handle -a | d:\unix\gzip > a:\handle-all.gz i. Capture file system MAC times: i. Insert a new, blank floppy disk ii. d:\perl\perl.exe \sfile\sfile.pl -d c:\ | \unix\gzip > a:\sfile.gz j. Capture AT (command scheduler) information i. at > a:\at.txt k. Capture NBTstat information: i. nbtstat -c > a:\nbtstat.txt l. Capture 'net' information: i. echo Net Accounts: > a:\net.txt ii. net accounts >> a:\net.txt iii. echo Net File: >> a:\net.txt iv. net file >> a:\net.txt v. echo Net Session: >> a:\net.txt vi. net session >> a:\net.txt vii. echo Net Share: >> a:\net.txt viii. net share >> a:\net.txt ix. echo Net Start: >> a:\net.txt x. net start >> a:\net.txt xi. echo Net Use: >> a:\net.txt xii. net use >> a:\net.txt xiii. echo Net User: >> a:\net.txt xiv. net user >> a:\net.txt xv. echo Net View: >> a:\net.txt xvi. net view >> a:\net.txt m. Create MD5 hashes of operating system files: i. C: ii. Cd\ iii. Echo **** C:\ **** > a:\md5.txt iv. D:\ircr\md5sum *.* >> a:\md5.txt v. Echo **** C:\WINNT **** >> a:\md5.txt vi. Cd\winnt\ vii. D:\ircr\md5sum *.* >> a:\md5.txt viii. Echo **** C:\WINNT\SYSTEM **** >> a:\md5.txt ix. Cd\winnt\system x. D:\ircr\md5sum *.* >> a:\md5.txt xi. Echo **** C:\WINNT\SYSTEM32 **** >> a:\md5.txt xii. Cd\winnt\system32 xiii. D:\ircr\md5sum *.* >> a:\md5.txt 4) Back up large files (Network) a. Create a data directory on your hard drive i. mkdir c:\data b. Map a network drive FROM the laptop TO the target server's C: i. net use o: \\<<ipaddress>>\c$ /user:administrator * c. Copy IIS logs to your laptop: i. xcopy o:\winnt\system32\LogFiles\*.* c:\data /s/e/v d. Copy Windows Event logs to your laptop*: i. xcopy o:\winnt\system32\config\*.evt c:\data /s/e/v e. Copy any suspicious materials to your laptop. Items to consider may include the contents of FTP directories, HTML files, log files, suspicious application software, etc. 5) Scan the target for viruses and Trojans (if possible, boot to boot CD to do this) a. Run F-Prot from the CD-ROM drive: i. d:\f-prot\f-prot /hard > a:\fprot.txt b. Install and run Anti-Trojan on the investigator's laptop i. Ensure that the "Remove found Trojans" check box is UN-checked ii. Run a "filescan" scan of the mapped O: drive 6) Identify and analyze other sources of information, including e-mail, firewalls, routers, switches, etc. to locate additional information about the event 7) Run 'dumpreg' to dump the Windows Registry to disk (optional - to find installed software by date of registry entry) 8) Run 'filemon' to monitor ongoing file accesses (optional - if you believe the system is actively being used by hackers, or want to track suspicious system activity) 9) Run 'regmon' to monitor ongoing registry accesses (optional - if you believe the system is actively being used by hackers, or want to track suspicious system activity) 10) Run 'tdimon' to monitor ongoing TCP/IP activity (optional - if you want to track TCP/IP activity by process) Phase III - Data Analysis 1) Analyze collected data (TBD) 2) Additional follow-up as needed Phase IV - Author and Deliver Report 1) Using provided template, author an incident response report 2) Present the report to the client 3) Discuss findings, limitations, next steps
Current thread:
- Simple Windows incident response methodology Lachniet, Mark (Jun 08)
- RE: Simple Windows incident response methodology Security Guy (Jun 09)
- RE: [ok] Simple Windows incident response methodology Curt Purdy (Jun 09)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- Re: Spammers bypassing Cisco ACL's?? Mark Coleman (Jun 10)
- RE: [ok] Simple Windows incident response methodology Harlan Carvey (Jun 14)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- <Possible follow-ups>
- Re: Simple Windows incident response methodology H Carvey (Jun 08)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 09)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- Re: Simple Windows incident response methodology Steve Barnet (Jun 11)
- Re: Simple Windows incident response methodology Harlan Carvey (Jun 11)
- RE: Simple Windows incident response methodology Mike Lyman (Jun 14)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)