This writing consists of my experience in studying computer forensics. The book that I've been using as a guide is "Real Digital Forensics: Computer Security and Incident Response" by Keith J. Jones, Richard Bejtlich and Curtis W. Rose. The publisher of this book is Addison-Wesley.
The first chapter is about conducting forensics on a Windows-based machine that is still running while the forensic activity is conducted (live response). The Unix version of the same activity is also discussed in the book, and my experience with that will be put here as well.
Setting Up Connection
Alright, since we are conducting forensics on a live machine, all the collected data must go to another machine. We don't want to contaminate the evidence on the victim by writing our own output to its disk as a side effect of our activity. So, the first thing to do is to set up a connection from the "victim" machine to our "collector" machine. I used the all-powerful netcat to do this.
“collector” : nc -l -k 9999 >> collect.dmp
This means that we open port 9999 on the collector's machine, which LISTENs (-l) for a connection and keeps listening (-k) for further connections until the process is terminated (ctrl-c) on the collector's machine. Any data/text sent to this port is appended to the file collect.dmp.
“victim” : <command> | nc <collector’s IP> 9999
This means any output produced by executing a command (<command>) on the victim's machine is piped (treated as input) to the nc command. That output is then sent to the collector's machine (<collector's IP>), specifically to the open port (9999).
Knowing The Time
Knowing the time at which the forensic activity is conducted on the victim's machine is very crucial. In Linux, we can use the 'date' command. Since we want this in our file collect.dmp, the complete command is:
date | nc <collector’s IP> 9999
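The collector/victim pattern above can be wrapped in a small helper so that every command's output reaches the collector with a header (host, UTC time, command line) and a SHA-256 trailer that lets you later prove the record was not altered. This is an added example of mine, not code from the book or the original post; the collector address 192.0.2.10 is a placeholder and the helper assumes a POSIX sh with sha256sum and nc available on the victim.

```shell
#!/bin/sh
# Added example: labelled, hashed live-response records sent to the collector.
# Assumed placeholder collector address/port; override via the environment.
COLLECTOR_IP="${COLLECTOR_IP:-192.0.2.10}"
COLLECTOR_PORT="${COLLECTOR_PORT:-9999}"

# Build one record for the command given as arguments:
#   header line  -> host, UTC timestamp, command line
#   body         -> the command's stdout and stderr
#   trailer line -> exit status and SHA-256 of the body
collect_record() {
    status=0
    out=$("$@" 2>&1) || status=$?
    hash=$(printf '%s\n' "$out" | sha256sum | cut -d' ' -f1)
    printf '=== %s | %s | %s ===\n' \
        "${HOSTNAME:-$(uname -n)}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
    printf '%s\n' "$out"
    printf '=== exit %s sha256 %s ===\n' "$status" "$hash"
}

# Return only the hash of a command's output, so the collector-side copy
# of collect.dmp can be checked against a locally kept list of hashes.
collect_hash() {
    collect_record "$@" | sed -n 's/^=== exit [0-9]* sha256 \([0-9a-f]*\) ===$/\1/p'
}

# Stream the record to the collector started with: nc -l -k 9999 >> collect.dmp
collect() {
    collect_record "$@" | nc "$COLLECTOR_IP" "$COLLECTOR_PORT"
}

# Typical use on the victim (not run here):
#   collect date
#   collect netstat -an
```

If your nc does not exit once the command's output is exhausted, give it the option that shuts the socket down after EOF on input (-N on OpenBSD nc, -q 1 on Debian's netcat).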
Identify Active Network Connection
We would like to know whether the security breach was conducted remotely or locally. This activity may reveal some suspicious network connections. The command to execute is: netstat -an. Try to identify which ports are open by design, and which aren't. Unfortunately, the website http://www.portsdb.org no longer exists as a port identifier to help with this activity. However, I think we can just use a Google search.
Which Application is Responsible
Ports are opened by applications. Hence, it is important to know which applications are actively holding the ports open. The command 'netstat -nab' may provide the required information. Note that this command must be executed with administrator privileges. A (free) third-party application that can be used to get the same information is 'fport' from foundstone.com. However, when I tried this software under Windows 7, it didn't give me the expected result.
Who is connected (machine)
Shared Windows resources are usually accessible to authorised users and can be identified by their NetBIOS name. Conversely, the users who access these resources can also be identified by their NetBIOS name. The command 'nbtstat -c' reveals the connected computers (from the name cache). However, note that a NetBIOS name can be easily changed, so it may not be reliable by itself.
Caught in The Act
If we're lucky, we may spot the intruder in the act. Inspect the currently logged-in users by using the tool 'PsLoggedOn', which is included in the Sysinternals Suite from http://www.sysinternals.com. Now, judging by the number of occurrences of the word Sysinternals in the book, I am certain that this collection of tools is worth having.
Where Did All My Traffic Go ?
Let's check whether our traffic has been redirected by the intruder. The command 'netstat -rn' or 'route print' can be used to reveal routing information. Make sure that the routes are the expected ones, and take note of any anomaly.
What is Running Now ?
Well, I guess it is no secret that we need to identify the current processes. The tool 'pslist' from the Sysinternals Suite fits the purpose. Watch the process name, user time, kernel time, and elapsed time. Suspicious activity can be spotted by comparing a process's elapsed time with that of the trusted processes: trusted processes tend to show similar elapsed times since they all started during the boot process, so a process with a much shorter elapsed time deserves a closer look.