15.5 ClassIndividual Characteristics and Evaluation of Source

15.5 Class/Individual Characteristics and Evaluation of Source

As networks evolve, they contain an ever increasing number of different types of data, making it difficult for any one person to be familiar with all of them. Fortunately, as with other forms of digital evidence, class characteristics can be used to differentiate Web page from e-mail messages and Web server logs from e-mail server logs. Additionally, class characteristics can reveal which program was used to create a given piece of digital evidence and whether it was created on Windows, Mac OS, or UNIX. Furthermore, digital evidence on networks can contain characteristics, such as IP and MAC addresses, which are effectively individual characteristics in some situations. Together, these class and individual characteristics can be used to evaluate the source of digital evidence on a network.

Header lines in e-mail messages demonstrate how class characteristics, individual characteristics, and evaluation of source are useful when dealing with network related data. The following header indicates that the message was sent from a Mandrake (mdk) Linux machine with an Intel 586 processor running X11 and an e-mail client based on Mozilla version 4.75. If the computer that was assigned IP address 192.168.187.18 can be located, these class characteristics can be used to substantiate the connection to the computer.

    Return-Path; <harasser@threat.net>    Received: from attack.threat.net (attack.threat.net [192.168.187.18])        by lsh110.siteprotect.com (8.9.3/8.9.3) with SMTP id MAA21755        for <eco@corpus-delicti.com>; Wed, 29 Jan 2003 12:38:30 -0600    To: eco@corpus-delicti.com    Date: Wed, 29 Jan 2003 13:32:19 -0500    Message-ID: <1043865139.9860@attack.threat.net>    X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.17-21 mdk i586)    From: harasser@threat.net    Subject: Your Worst Nightmare! 

Even when this information is fabricated as detailed in Chapter 18, these characteristics can be used to search the Internet or a suspect's computer for messages with the same characteristics. Furthermore, when one employee targets another employee in their organization, computer systems on the organization's network may contain related digital evidence.

Entries in a Web server access log provide another illustrative example of class characteristics and evaluation of source in network related data. The following log entry indicates that the "project21.html" page was accessed from IP address 172.16.1.19 using a Web browser that is based on Mozilla version 4.75, configured to use English (en), running on a Windows 2000 computer.

2003-01-23 12:52:40 172.16.1.19 - 192.168.1.3 80 GET /documents/ project21.html - 200 Mozilla/4.75+[en]+(Windows+NT+5.0;+U)

Notably, class characteristics such as the Web browser and machine type can be falsified in the Web server request. The following log entries from the same Web server show an intrusion attempt via a well-known vulnerability in Microsoft Internet Information Server (IIS). The variations in Web browser version and computer type (e.g. DigiExt, Compaq) relating to a single source IP address (137.56.97.25) indicate that this information is being fabricated. Although these class characteristics conceal properties of the attacking system, they may reveal which program was used to launch the attack. Comparing these class characteristics with those in various exploit programs may result in a match. The match may be with a certain version of the Nimda worm or, if an individual launched the attack, this information could be used to search the offender's computer to find the tool he/she used.

    2003-01-23 12:59:02 137.56.97.25 - 192.168.1.3 80 HEAD    /winnt/system32/cmd.exe /c+dir+c:/ 403    Mozilla/4.0+(+compatible;+[fr];+Windows+NT5.0;+athome020+)    2003-01-23 12:59:02 137.56.97.25 - 192.168.1.3 80 HEAD /cgi-    bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:/  403    Mozilla/4.7+(+compatible;+MSIE+5.0;+AOL+5.0;+DigiExt+)    2003-01-23 12:59:02 137.56.97.25 - 192.168.1.3 80 HEAD    /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:/  500    Mozilla/4.0+(+compatible;+[fr];+Windows+NT5.0;+DigiExt+)    2003-01-23 12:59:02 137.56.97.25 - 192.168.1.3 80 HEAD    /msadc/.. /€/ /€/ /€/‾../winnt/system32/cmd.exe /c/+dir+c:/  404    Mozilla/4.7+(+compatible;+MSIE+5.0;+Windows+NT5.0;+Compaq+) 

The impressions that buffer overflows leave on a system provide another illustrative example of class characteristics and evaluation of source in network related data. A buffer overflow is a common approach to breaking into computer systems. When a program fails to limit the length of an input value, it may be possible to give the program a larger than expected input value that causes it to write the extraneous information into the computer's memory. By carefully constructing the unexpectedly large input value, this weakness in the program can be exploited to cause the computer to execute commands and give an intruder access to the system. For instance, the following fragment of a log file recovered from a compromised host indicates that the attack was launched from IP address 192.168.1.231 and exploited a vulnerability in the FTP server.

Although intruders can use fake source IP addresses in packets when they do not require a response from the target system, the source IP address in this instance (192.168.1.231) could not be forged because this exploit uses TCP to return a command prompt to the intruder. Searching for this IP address in intrusion detection system logs and other network logs detailed in Chapter 17 may reveal other intrusion attempts. Examining other targeted systems for deleted log fragments similar to the one above may help identify other compromised systems. Additionally, if the intruder's personal computer can be obtained and a program for exploiting FTP servers is found, it can be compared to determine if it is consistent with the above log entry.

In addition to helping evaluate the source of an event, log files can contain class characteristics that are useful for determining which tools were used - similar to toolmark analysis in the physical world. When digital evidence examiners have difficulty determining what tool was used, they may find exemplars for comparison on the Internet, particularly on information security mailing lists. On mailing lists like Bugtraq,^[6] information security professionals submit samples of log files associated with certain tools to help others detect attacks.

Useful class characteristics can also be found in TCP/IP network traffic. In fact, signature-based intrusion detection systems rely on characteristics of network traffic to classify attacks. For instance, Snort^[7] detects successful attacks against IIS Web servers by looking for packets from port 80 containing the term "Volume Serial Number," indicating a successful directory listing via the vulnerable Web server. The resulting intrusion detection system alert shown here contains the date, time, IP addresses, and other information about the packet discussed in Chapter 17.

    [**] [1:1292:1] ATTACK RESPONSES http dir listing [**]    01/23-12:59:02.865832 192.168.1.3:80 -> 137.56.97.25:25587    TCP TTL:127 TOS:0x0 ID:8817 IpLen:20 DgmLen:243 DF    ***AP*** Seq: 0x5E3A36C3 Ack: 0x58C4137F Win: 0x4313 TcpLen: 32    TCP Options (3) => NOP NOP TS: 16339694 242252 

Similarly, Snort detects network traffic that may be associated with the DeepThroat Trojan horse program by looking for packets from port 2140 containing the sentence "Ahhhh My Mouth Is Open." Signature-based intrusion detection systems are flexible enough to be useful in a wide variety of investigations, not just computer intrusions.

CASE EXAMPLE

Someone in the organization was apparently using a shared computer to view pornographic Web sites. The default page displayed by the Web browser on the shared machine was set to a pornographic site that another employee was directed to and found offensive. The offended employee filed a sexual harassment complaint with Human Resources and an investigation was opened. Although an examination of the machine confirmed that it was used to view pornographic Web sites regularly, it was not clear who was responsible. In an effort to catch the person responsible in the act of viewing pornography from that machine, the organization's main intrusion detection system was reconfigured to alert the investigator when specific sites were accessed from that machine. That afternoon, the intrusion detection system sent several alert messages to the investigator and he was able to walk over to the responsible individual and resolve the problem with the assistance of Human Resources and the individual's supervisor.

In addition to detecting specific words in a packet, intrusion detection systems can be configured to look for other kinds of class characteristics, including items in the TCP/IP header and sequences of bytes in the payload. For instance, Snort uses the following internal rule to detect possible buffer overflow attempts targeting UNIX printer daemons, examining all packets to port 515 for a pattern of bytes that is associated with a known exploitation of this vulnerability shown in bold.

    alert tcp $EXTERNAL NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng    overflow"; flow:to_server,established; content: "|43 07 89 5B 08 8D 4B 08 89 43    0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|";    reference:cve,CVE-2000-0917; reference:bugtraq,1712; classtype:    attempted-admin; sid:301; rev:4;) 

Notably, this intrusion detection system alert only indicates an intrusion attempt via the LPRng printer daemon - the target system may have a newer version of the software that is not vulnerable to this attack. In fact, any of these intrusion detection system alerts may be a false alarm (a.k.a. false positive), triggered by an innocent packet that coincidentally contains the class characteristics that Snort is looking for. Therefore, further investigation is required to confirm that an attack actually occurred and that the attack was successful at gaining unauthorized access to the target host.

The popular port scanner called nmap also uses class characteristics in TCP/IP packets returned by a host to determine its operating system (Fyodor 1998).

    C:\> nmap -sS -PT -PI -O -T 3 192.168.0.2    Starting nmap V. 3.00 ( www.insecure.org/nmap )    Interesting ports on HOST101 (192.168.0.2):    (The 1600 ports scanned but not shown below are in state: closed)    Port       State     Service    139/tcp    open      netbios-ssn    Remote operating system guess: Windows Millennium Edition (Me), Win 2000,    or WinXP    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds 

The class characteristics of network traffic for different TCP/IP stacks that are usually associated with particular operating systems (a.k.a. OS fingerprints) are contained in the nmap-os-fingerprints file that is installed with the nmap software. If the meaning or significance of a class characteristic is not clear, it may be necessary to experiment.

Investigators can also use class characteristics to better understand unusual packets that were specifically created to cause computers to crash. Determining how these packets differ from regular ones can help investigators to understand what is happening. The characteristics of these packets can also be used to determine which tool was used. If the same type of uniquely fabricated packet is used to crash several Web servers in an organization - the likelihood is that the same individual is responsible for all of the incidents. Knowing that a single individual is targeting certain Web servers may provide some insight into the motivation of the offender that would not have been possible without the linkage.

^[6]http://www.securityforcus.com

^[7]http://www.snort.org