Book Two- Chapter Five-Forensics II Flashcards
Describe the structure of the event log header
Whenever an event, such as a user logging on or off, occurs, the OS logs the event. An event can be any occurrence that the OS or a program wants to keep track of or alert the user about. Some events are recorded by default; others are recorded based on the audit configuration maintained in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
Systems that are configured as domain controllers also have File Replication and Directory Service event logs, and systems configured as domain name servers (DNS) also have DNS event logs. study page 129
Event Log File Format:
The Windows event log is stored in a binary format with distinct, recognizable features that can assist an investigator in recognizing and interpreting event log files, or simply event records on a system, either in files or located in unallocated space. Each event log consists of a header section and a series of event records. The event log is maintained as a circular buffer, so as new event records are added to the file, older event records are cycled out of the file.
Event Log Header:
Contained in the first 48 bytes of a valid event log file. The event log header consists of 12 distinct DWORD values.
The magic number, which appears as “eLfL” in ASCII, is unique to the Windows event log (for Windows 2000, XP, and 2003) and is associated with event records. Microsoft refers to this value as the ELF_LOG_SIGNATURE.
Event Record Structure
The basic header for an event record is 56 bytes, slightly larger than the event log header. Although the record size provided in the event record is larger than 56 bytes, the first 56 bytes of the event record constitute an event record header. The event log magic number appears in the second DWORD value of the event record, just as it does for the header.
Having the event record structure definition also makes it possible to reassemble partial event records found in unallocated space. Using the magic number as a guide, an analyst can search through unallocated space. Even if the entire event record is not available, the first 56 bytes provide a road map for reconstructing portions of an event record.
Windows Event Logs:
Windows Vista and newer versions use an Extensible Markup Language (XML) format for storing events, and it supports central collection of event records. XML is a general-purpose specification for markup languages that allows the user to define specific elements to aid in sharing structured data among different types of computers with different OSs and applications. Windows has a wide range of categories under which different events can be logged. Tools have been developed for parsing through Vista event logs, and incident responders and forensic analysts use those tools.
On a live Windows 10 system, the WEVTUTIL command retrieves info about the Windows event log that is not readily apparent via the Event Viewer.
WEVTUTIL EL
An investigator can use the command below to list configuration info about a specific event log, including the file name and path to the file:
WEVTUTIL GL
Information displayed by this command is also available in the following registry key on a Windows 10 system:
HKEY_LOCAL_MACHINE\System\ControlSet00x\Services\EventLog\log name
Which fields are included in the IIS logs for a Web site but not for an FTP site?
IIS Logs:
Microsoft’s Internet Information Server (IIS) is a popular Web server platform. One of the best ways to uncover attempts to compromise an IIS Web server, or to view the details of a successful exploit, is to examine the logs generated by the Web server. The IIS Web server logs are most often maintained in the:
%WinDir%\System32\LogFiles directory
Each virtual server, including the server itself, has its own subdirectory for log files. The location of the logs is configurable by the administrator and can be modified to point to any location, even a shared drive. By default, the log files are in ASCII format, meaning they are easily viewed and searchable.
IIS Web server logs saved in ASCII format have a simple format, so it is a fairly simple task to use a scripting language to open the file, read each log entry in, one line at a time, and perform processing. IIS logs will generally have column headers located at the top of the file, or that information might be somewhere else in the file if the Web server was restarted. Using the column headers as a key, an investigator can parse each entry for relevant information, such as the request verb (GET, HEAD, or POST), the page requested, and the status or response code that was returned.
Parsing IIS Logs
Managing and configuring IIS through the IIS Management Console is possible only on a system that has IIS installed and running. At the RUN window (Start->RUN), an investigator can type in either:
IIS.MSC or INETMGR to see the IIS console.
Alternatively, the IIS console can be accessed through choosing START->CONTROL PANEL->ADMINISTRATIVE TOOLS->INTERNET SERVICES MANAGER
There is a tab for the logging feature in the IIS Management Console. By default, logging is enabled and is configured to use the W3C Extended Log File Format setting. The logs can optionally be written in Microsoft IIS Log File Format or in a database format (ODBC Logging) and therefore managed in a database. In the General Properties tab, there is an option to set the time period for each log file. The default is one file per day.
The logs are stored in the format
EXYYMMDD.LOG
The W3C Extended Log File Format setting will always create a log file that begins with a header that describes the version of IIS that created it, along with the date and time the log started, in Greenwich Mean Time (GMT), and the fields included in the log. Each field name is prefixed with letters that have the following meanings:
- c = client actions
- s = server actions
- cs = client-to-server actions
- sc = server-to-client actions
Parsing IIS FTP Logs: An FTP (File Transfer Protocol) server sends and receives files using FTP. FTP servers keep detailed logs. FTP logs record the same fields that IIS Web logs do, except for the following:
- CS-URI-QUERY
- CS-HOST
- CS(USER-AGENT)
- CS(COOKIE)
- CS(REFERRER)
- SC-SUBSTATUS
FTP server logging properties are available under the PROPERTIES button at the bottom of the default FTP Site properties dialog. FTP logs are stored in the following location:
%WinDir%\System\LogFiles\MSFTPSVC\EXYYMMDD.LOG
What does an event ID 612 mean in regards to audit policy?
Evaluating Accounting Management Events:
The account management category of events is used to record changes to accounts and group memberships. This includes: creation, deletion, and disabling of accounts; modifying which accounts belong to which groups; and account lockouts and reactivations. Various event IDs are associated with changes to accounts. An account can be a domain account or a local account, and can represent a user, computer, or service. Domain account events are recorded on domain controllers, and events related to local accounts are recorded on the local computer that holds the account. When an account is created, event ID 624 is recorded. This event shows the name of the newly created acct, along with the name of the account that was used to create it. Another event ID, 642, gives information about changes to an account.
The description for an account creation or deletion event includes the following info:
- The first line of the description summarizes the type of action
- The acct that performed the action is listed in the Caller User Name field
- The acct added or removed is shown in the Member ID field
- The group affected is listed as the Target Account Name
Interpreting File and Other Object-Access Events:
The object-access audit category allows administrators to configure the event logs to record access to various objects on the system. Once auditing is configured, access attempts are recorded in the event logs using 3 different event IDs: 560, 567, and 562.
When a process needs access to some object, it first opens a handle to that object. A handle is simply a shorthand way of referring to an object, much like the handles used by CB radio operators. In the case of Windows objects, handles are simply numeric identifiers assigned to objects and used by a process to refer to those objects. If a user requests access to a file, some process will open a handle to that file. The file will receive a handle ID, and the process will refer to that file by its handle ID.
Examining Audit-Policy Change Events:
When a system is compromised, attackers will frequently attempt to disable auditing. Modifications to the audit policy are recorded as event 612 entries. In the audit policy, the + symbols indicate which events are being audited, and the - symbols show which events are not being audited. An investigator can deduce what changes were made by looking at event ID 612 entries and comparing the old policy to the new policy.
The audit policy of the domain controller takes precedence over changes made to the local audit policy on an individual computer; because of this, attackers may not be able to completely disable auditing. If an attacker disables auditing on a computer that is a member of a domain, the domain’s Group Policy audit setting may override that change during the next policy update.
Describe the Kerberos authentication method
Exploring Windows Authentication Mechanisms:
When a user logs on to a local computer, the local security subsystem asks the user for a username and password, and the user can enter that info directly into the local computer via the keyboard. When a user is accessing a remote system from across a network connection, the user must have some other mechanism to provide the username and password to the remote computer. The challenge in doing so is to find a way to send that data across the network while minimizing the chance that an attacker who is monitoring the network communication (via a sniffer) would be able to learn the username/password combination. Windows systems use one of 3 main types of authentication mechanisms to access remote computers: LM authentication, NTLM authentication, and Kerberos.
Kerberos
The Kerberos authentication mechanism is a secure option available to Windows computers. The MS implementation of Kerberos uses the NTLM hash as a starting point for identifying that a user knows the correct password, but the Kerberos process is much more robust than LM, NTLM, or NTLMv2.
Kerberos relies on a system of security, or access, tickets that are issued by computers designated as ticket-granting authorities. When a user wishes to access a particular remote resource, the user’s computer must obtain an appropriate access ticket from the ticket-granting authority (in Windows, this is typically a domain controller). Before the ticket-granting authority will issue the ticket, a Kerberos authentication must take place in which the requesting client provides appropriate proof that it knows the correct username/password combination. Once the authentication exchange is complete, an access ticket for the requested resource is issued. This ticket contains info about the computer that made the request, the account that is authorized access, the specific resource that may be accessed, any limitations on the access that should be granted to that resource, and the time duration during which the ticket is valid. Once the ticket is obtained, it can be presented to the desired remote resource, and access will be granted accordingly.
In Kerberos, verification of the user’s identity takes place between the domain controller and the client. The file server abdicates any responsibility and makes its authentication decision based solely on the service ticket. Kerberos uses a series of time stamps and cryptographic keys to verify the authenticity of security tickets, resulting in a secure system. The Kerberos system is far more robust and more complex than the LM and NTLM systems.
While Kerberos authentication exchanges are subject to attack, these attacks are much less likely to be successful in a reasonable period of time than attacks against LM or even NTLM authentication.
Describe the functions of the Cain and Abel tools:
When authentication is carried out between two Windows systems, an authentication takes place whenever a process on one system attempts to access a resource on another system. Ex: when a user attempts to map a network drive to another system, or to access files on another system. In the same way, if a program attempts to make such an access without an overt request from a user (such as an automated backup routine attempting to place backups of files onto a remote file server), then the program’s process must authenticate to the remote system. This involves providing both an account name and its associated password through one of the authentication mechanisms described in the previous section. When a process needs to access a remote system, it will attempt to authenticate to the remote system by providing the credentials for the account whose security context it is using. No overt action (such as manually typing in a username or password) is needed.
When the user selects a share existing on another system, his/her computer will automatically attempt to authenticate to the remote system by using the current user’s account name and password information to perform an LM, NTLM, or Kerberos authentication. This happens immediately and without a prompt to the user.
Sniffing:
Although this feature ensures quick and easy access to remote resources, it does have the potential to provide sensitive information to attackers. If a user can be tricked into performing an action that causes his/her computer to attempt to access a remote resource, then the client computer will automatically attempt to authenticate to that remote system. If an attacker controls that remote system, or if the attacker is able to monitor communication between the victim system and the remote system, then the attacker can potentially sniff the authentication attempt and use it to crack the user’s password. Armed with the username and password, the attacker can then return to the victim’s computer at a later date and successfully log on to it using the victim’s account. Since a currently logged-on user does not need to manually enter the username and password for subsequent remote authentication attempts, the victim may be totally unaware of the attack.
Cain and Abel:
One tool that is useful for an attacker in the scenario described previously is Cain, along with its companion product, Abel. Cain has many different capabilities; among them is a network sniffer that is designed to look for passwords exchanged during various types of authentication exchanges. Cain also has a built-in password cracker that is capable of cracking many different types of passwords and can use rainbow tables to facilitate rapid precomputed hash attacks. Cain’s sniffer is even able to use ARP cache-poisoning techniques to defeat the segregation of traffic normally found within a switched network, to set up a man-in-the-middle attack and allow sniffing of traffic that the compromised host would not normally receive.
Abel acts as a remote sensor for Cain. By installing Abel on a compromised computer, an attacker can use that computer to sniff traffic, sending the results back to a different computer for cracking. This allows the attacker to remotely control the Abel sensor while analyzing the sniffed data from his/her own workstation.
Investigators must thoroughly analyze compromised machines for evidence of what type of malicious software (malware) may have been installed on them and analyze logs to determine what actions may have been taken by that computer to further compromise the security of the network.
What is password cracking?
Refers to the process of taking a password hash and attempting to determine the associated password that generated that password hash. The attacker simply guesses what the password may have been. He/she then runs that guess through whatever password-hashing algorithm is used by the target system. The attacker compares the password hash generated by hashing the guess to the password hash that he/she is trying to crack. If the two match, then the guess was correct. If the two do not match, then the guess was incorrect. The more guesses the attacker makes, the greater his/her odds of correctly guessing the password. The process therefore consists of multiple iterations of the following:
- Guess a possible password
- Generate a password hash of the guess using the same hashing algorithm used by the target system
- Compare the hash of the guess to the hash of the target account password
- If the two match, the guess was the original password. If the two do not match, start over.
Attackers will utilize a dictionary of possible passwords to facilitate the password-cracking process. The attacker will hash each entry in the dictionary, comparing the resulting hash of each entry to the hash of the password the attacker is trying to crack.
What types of event logs do domain controllers have that other systems do not?
The audit policy of the domain controller takes precedence over changes made to the local audit policy on an individual computer; because of this, attackers may not be able to completely disable auditing. If an attacker disables auditing on a computer that is a member of a domain, the domain’s Group Policy audit setting may override that change during the next policy update.
What is the function of Word Extractor, and why would an attacker use this tool?
Cracking Offline Passwords:
Tool: Word Extractor
A hacking tool that extracts human-readable words from binary computer files. A hacker could use this tool to try to find hidden text or passwords in a file.
The following are some of the features of Word Extractor:
- Replaces nonhuman words with spaces or dots for better visibility
- Supports drag and drop and text wrapping
- Saves results as text or RTF files