Investigation / Reporting

Investigation strategy

• Take good notes of everything you do
• Power off the system (we have chosen not to worry about disc corruption or losing system memory in this case)
• Take possession of disc and document who handles it and when (maintain chain of custody & integrity - VERY IMPORTANT)
• Install drive in analysis system
• Determine partitioning
• Generate MD5 checksums of partition contents
• Get dd bit image copies of each partition (compress only if absolutely necessary)
• Generate MD5 checksum of tapes and compare with original
• Copy partition to analysis disc (make sure partition is >= size of original)
• Mount partition read-only before doing any analysis (alter nothing)
• Run bin/grave-robber -m on partition
• Run bin/mactime from date prior to suspected intrusion
• Run bin/unrm to recover unused/deleted file blocks
• Run strings on deleted file space to try to recover system logs (use host name pattern matching)
• Or use bin/lazarus for more thorough file recovery (beyond the scope of this class)
• Identify files placed on the system and trace them to login sessions
• Identify probable method of intrusion, when, and from where
• Analyze all files you identify that were placed on the system by the intruder(s) to determine if you have:
  • IRC bots
  • Sniffers
  • Remote scanning/exploit software
  • Denial of service tools
  • Trojan horses (rootkits)
  • Logs of vulnerable/compromised hosts
  • Porn, warez, hacking tools
• Follow login sessions backwards, trying to get system owner(s) to perform similar forensic steps (reference material on how to do it to make it easy for them)
• IRC bot logs
  • Identify owner
  • Identify channels, channel members
  • Identify "bots" (likely stolen accounts)
• Sniffer logs (gold mine)
  • Find intruder login sessions
  • Identify intruder's file caches, intermediary systems (and passwords!)
  • Correlate times from logins to systems with known logs and clock settings/skews
  • Sniffer == wiretap (federal felony)

Reporting Strategy

• Note your (default) timezone and offset from GMT
• Note and/or convert ALL times from other timezones when building a timeline or correlating events
• State all known facts
• State all unknowns (may answer later)
• State all assumptions/conclusions, and what evidence supports them
• Note every contact by name, organization, email address, and phone number(s)
• Try to associate times with all major events (including email/phone contacts)
• Save all email associated with the investigation
• Assemble an "evidence" file in rough cronological order and keep it as your central knowledge base
• Produce a summary for use in explaining the incident to others (keep updating as things change)
• Assemble a timeline of central events
• If suspects can be identified, carefully trace and document their identity/origin
• When to report to law enforcement, and which ones
• What to hand over to law enforcement, and when

Putting it all together

[End] | [Prev]