Forensics Blog


Recent posts

27 mar 2014

Microsoft Fundamental Computer Investigation Guide for Windows

Templates and the official Microsoft investigation guide for Windows, for forensic reports


Best Practices and Tools for Computer Investigations
Microsoft customers are facing a rising tide of illegal or improper activity on their computers and networks. Unfortunately, most IT professionals in these organizations don't have the expertise to respond successfully to this growing problem. They're unsure about when to turn the case over to law enforcement if evidence indicates a crime has taken place. In cases in which company policy appears to have been violated, many organizations don't have the right methods or tools at hand to uncover key evidence while protecting their organization should the case end up in civil court.

The Fundamental Computer Investigation Guide for Windows provides IT professionals with information about the best practices and tools they need to investigate suspicious use of their organizations' computers and networks. The guide helps customers determine when to turn an investigation over to law enforcement. It provides guidance on how to collect, preserve, analyze, and report on key data they uncover in their investigations, using methods that will stand up in a court of law.

Developed by Microsoft security experts, partners, and customers, the guide presents a reliable four-step investigative process based on best practices and proven tools used by the computer investigation community.

Key Customer Questions Answered by the Guide
  • Should I contact law enforcement? If so, which agency?
  • How do I look for evidence on a hard disk image that has hundreds of thousands of files?
  • How can I collect data remotely without tipping my hand?
  • What investigative methods and tools should I use to protect my organization, if I expect this case to end up in court?

Link: http://www.microsoft.com/en-us/download/details.aspx?id=23378

21 mar 2014

Solid State Drives Destroy Forensic & Data Recovery Jobs

DEFCON 16

18 mar 2014

Cisco Router Forensics

The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves issuing the "show" commands and collecting data such as logs and network activity data. Some of this information is detailed below.
Show Commands
Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. The main commands that you need to become familiar with are:

  • show clock detail
  • show version
  • show running-config
  • show startup-config
  • show reload
  • show ip route
  • show ip arp
  • show users
  • show logging
  • show ip interface
  • show interfaces
  • show tcp brief all
  • show ip sockets
  • show ip nat translations verbose
  • show ip cache flow
  • show ip cef
  • show snmp user
  • show snmp group
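A small acquisition helper that follows this list, written as an added example for this post (it is not code from the SANS article or from Cisco): it takes a caller-supplied transport callable (the `run` parameter is hypothetical; in the field it would wrap an SSH or console session), refuses anything that is not a `show` command so the collection stays read-only, runs the commands from most to least volatile, and records a UTC timestamp and a SHA-256 digest for every output so the capture can be verified later. The device output embedded below is constructed so the block runs offline.

```python
import hashlib
import datetime as dt
from typing import Callable, Dict, List

# Read-only IOS commands, ordered roughly from most to least volatile
# (clock and live state first, stored configuration and version last).
# Assumption: this order is an editorial choice; adjust it for the platform.
COLLECTION_ORDER: List[str] = [
    "show clock detail",
    "show users",
    "show ip arp",
    "show tcp brief all",
    "show ip sockets",
    "show ip nat translations verbose",
    "show ip cache flow",
    "show ip route",
    "show interfaces",
    "show logging",
    "show running-config",
    "show startup-config",
    "show version",
]


def is_read_only(command: str) -> bool:
    """Accept only 'show' commands so a typo cannot alter the device during acquisition."""
    return command.strip().lower().startswith("show ")


def collect(run: Callable[[str], str], commands: List[str] = COLLECTION_ORDER) -> List[Dict[str, str]]:
    """Run each command through `run` (hypothetical transport supplied by the caller)
    and return one manifest entry per command: start/end time in UTC, SHA-256 of the
    raw output and its length in bytes."""
    manifest: List[Dict[str, str]] = []
    for cmd in commands:
        if not is_read_only(cmd):
            raise ValueError(f"refusing non-show command: {cmd!r}")
        started = dt.datetime.now(dt.timezone.utc).isoformat()
        output = run(cmd)
        finished = dt.datetime.now(dt.timezone.utc).isoformat()
        raw = output.encode("utf-8")
        manifest.append({
            "command": cmd,
            "started_utc": started,
            "finished_utc": finished,
            "sha256": hashlib.sha256(raw).hexdigest(),
            "bytes": str(len(raw)),
        })
    return manifest


def render_manifest(manifest: List[Dict[str, str]]) -> str:
    """Tab-separated manifest suitable for attaching to the evidence record."""
    lines = ["command\tsha256\tbytes\tstarted_utc"]
    for e in manifest:
        lines.append(f"{e['command']}\t{e['sha256']}\t{e['bytes']}\t{e['started_utc']}")
    return "\n".join(lines)


# Constructed stand-in for a device session: canned output so the block runs offline.
FAKE_OUTPUT: Dict[str, str] = {
    "show clock detail": "*10:41:02.117 UTC Tue Mar 18 2014\nTime source is NTP\n",
    "show users": (
        "    Line       User       Host(s)              Idle       Location\n"
        "*  0 con 0                idle                 00:00:00\n"
    ),
}


def fake_run(command: str) -> str:
    """Constructed transport: returns canned output, or an IOS-style error line."""
    return FAKE_OUTPUT.get(command, f"% Unrecognized command: {command}\n")


if __name__ == "__main__":
    print(render_manifest(collect(fake_run, ["show clock detail", "show users"])))
```

Record the manifest alongside the raw outputs; because every digest is computed from the bytes as received, a later reviewer can re-hash the stored files and confirm nothing was altered after collection.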
Show audit
The Router Security Audit Logs feature allows for the creation of audit trails. If these are configured, they may be used to track changes that have been made to a router that is running Cisco IOS software.
The "show audit" command displays the contents of an audit file. The syntax of the command is:
show audit [filestat]
The "filestat" option displays the rollover counter for the circular buffer and the number of messages received. The rollover counter, which indicates the number of times the circular buffer has been overwritten, is reset when the audit file size is changed (via the "audit filesize" command). This command runs from privileged EXEC mode. This command also creates a hash of the information from the "show version" command.
Show Clock Detail
Timeline entanglement is important to forensic investigations. This command displays the time of day and the status of the SNTP server (if one is configured) that is used by the router.

Figure 1: Router times are often not configured correctly.
Show Version
The "show version" command is a powerful tool. It can display:

  • the version of the IOS on the router
  • the version of the ROM bootstrap
  • the version of the boot loader
  • how the router was last powered on (i.e. warm reboot or a system panic)
  • the time and date when the system was last started
  • the "uptime" (i.e. how long the router has been running from the last power-on)
  • the image file that the device last started

  • how much RAM the device has and other hardware information such as:
    • the processor board ID can be used to determine the version of the router's motherboard
    • the number and type of each interface on the router
    • the number of terminal lines on the router and if asynchronous serial lines are used
    • the amount of nonvolatile RAM (NVRAM) used to hold the saved version of the configuration file or startup-config
    • The size and type of Flash memory on the router
  • The configuration register on the device
  • The hostname of the device
Show Access Lists
This command displays the content of all access lists (or one specified access list) on the router.
show access-lists [access-list-name] [applied]
The access-list-name keyword is used to display a specified access list and the show access-lists applied command is used to show the ACLs that are currently being applied to an interface and the configured behavior per interface.
Show Users
This command lists which users are logged into a Cisco router.
Show Routing Table
This command will display the routing table used by the router. This will aid in determining if an attacker has:

  • Injected routing information (e.g. RIP poisoning attacks)
  • Deleted routes (i.e. to remove the path to a logging server)
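To make that comparison concrete, here is an added example (not part of the original post) that parses the prefix/length route lines of `show ip route` and diffs them against a baseline capture, reporting injected routes, deleted routes and next-hop changes. The two route tables are constructed samples, and the regular expression assumes the `prefix/length` output of recent IOS releases rather than the older classful-style layout.

```python
import re
from typing import Dict, List, Tuple

# Per-route lines of 'show ip route' in prefix/length form, e.g.
#   "R    10.20.0.0/16 [120/1] via 192.168.1.2, 00:00:12, GigabitEthernet0/1"
#   "C    192.168.1.0/24 is directly connected, GigabitEthernet0/0"
# The legend, blank lines and "Gateway of last resort" do not match.
# Assumption: classful output ("10.0.0.0/24 is subnetted, ...") is not handled.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]{1,2}(?:\s+[A-Za-z0-9]{1,3})?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3}))?"
)

RouteTable = Dict[str, Tuple[str, str]]  # prefix -> (route code, next hop)


def parse_routes(text: str) -> RouteTable:
    """Map each prefix to (code, next hop); connected/local routes get 'connected'."""
    routes: RouteTable = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        nexthop = m.group("nexthop") or "connected"
        routes[m.group("prefix")] = (m.group("code").strip(), nexthop)
    return routes


def diff_routes(baseline: RouteTable, current: RouteTable) -> Dict[str, list]:
    """Prefixes that appeared, disappeared, or now point at a different next hop."""
    injected = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed: List[Tuple[str, str, str]] = sorted(
        (p, baseline[p][1], current[p][1])
        for p in set(baseline) & set(current)
        if baseline[p][1] != current[p][1]
    )
    return {"injected": injected, "deleted": deleted, "changed": changed}


# Constructed baseline capture, taken while the router was known-good.
BASELINE_ROUTES = """Codes: C - connected, S - static, R - RIP, L - local
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
L    192.168.1.10/32 is directly connected, GigabitEthernet0/0
C    10.10.0.0/24 is directly connected, GigabitEthernet0/1
L    10.10.0.1/32 is directly connected, GigabitEthernet0/1
S    10.50.0.0/24 [1/0] via 10.10.0.2
"""

# Constructed capture from the incident: default route moved, the static
# route towards the 10.50.0.0/24 logging network is gone, and a RIP route appeared.
CURRENT_ROUTES = """Codes: C - connected, S - static, R - RIP, L - local
Gateway of last resort is 192.168.1.254 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 192.168.1.254
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
L    192.168.1.10/32 is directly connected, GigabitEthernet0/0
C    10.10.0.0/24 is directly connected, GigabitEthernet0/1
L    10.10.0.1/32 is directly connected, GigabitEthernet0/1
R    172.16.0.0/16 [120/1] via 10.10.0.99, 00:00:07, GigabitEthernet0/1
"""

if __name__ == "__main__":
    result = diff_routes(parse_routes(BASELINE_ROUTES), parse_routes(CURRENT_ROUTES))
    for kind, items in result.items():
        print(kind, items)
```

A baseline is only as good as its provenance: capture it from the same device with the same `show ip route` form, and store it with a hash so the comparison itself is defensible.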
Show Banners
This will display any banners that are configured on the router.
Show ARP & Show IP ARP
This command displays ARP statistics associated with the router interfaces. It can be set to display a specified interface, a specified host, a specified IP address, or a specified MAC hardware address. This command will aid in determining hardware address information (the MAC Address) of locally connected hosts and if MAC spoofing has occurred.
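An added example (not from the original article) of the check described above: it parses constructed `show ip arp` output, flags a hardware address that answers for more than one learned IP on the same interface (the router's own interface addresses, shown with age `-`, are excluded because secondary addresses legitimately share a MAC), and reports IPs whose MAC differs from a baseline capture. Entries marked `Incomplete` carry no hardware address and are skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One entry per data line of 'show ip arp', e.g.
#   "Internet  192.168.1.1             5   0011.2233.4455  ARPA   GigabitEthernet0/0"
# Age "-" marks the router's own interface addresses; "Incomplete" entries do not match.
ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(?P<iface>\S+)"
)

Entry = Dict[str, str]


def parse_arp(text: str) -> List[Entry]:
    """Return ip/age/mac/iface dicts for every complete ARP entry."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append({
                "ip": m.group("ip"),
                "age": m.group("age"),
                "mac": m.group("mac").lower(),
                "iface": m.group("iface"),
            })
    return entries


def shared_macs(entries: List[Entry]) -> Dict[Tuple[str, str], List[str]]:
    """(interface, MAC) pairs that answer for more than one learned IP address."""
    by_mac: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in entries:
        if e["age"] == "-":  # router's own address; secondaries legitimately share a MAC
            continue
        by_mac[(e["iface"], e["mac"])].append(e["ip"])
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}


def mac_changes(baseline: List[Entry], current: List[Entry]) -> List[Tuple[str, str, str]]:
    """IPs present in both captures whose hardware address changed: (ip, old, new)."""
    old = {e["ip"]: e["mac"] for e in baseline}
    return sorted(
        (e["ip"], old[e["ip"]], e["mac"])
        for e in current
        if e["ip"] in old and old[e["ip"]] != e["mac"]
    )


# Constructed baseline: .50 is the logging server with its own hardware address.
BASELINE_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             5   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.168.1.10            -   0026.0b12.3456  ARPA   GigabitEthernet0/0
Internet  192.168.1.20           12   0800.2711.aabb  ARPA   GigabitEthernet0/0
Internet  192.168.1.50            3   aaaa.bbbb.cccc  ARPA   GigabitEthernet0/0
Internet  10.10.0.1               -   0026.0b12.3457  ARPA   GigabitEthernet0/1
Internet  10.10.0.2               1   5c5e.ab01.0203  ARPA   GigabitEthernet0/1
"""

# Constructed incident capture: the logging server's IP now resolves to the
# MAC already used by .20, and one unresolved entry is present.
CURRENT_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             7   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.168.1.10            -   0026.0b12.3456  ARPA   GigabitEthernet0/0
Internet  192.168.1.20           14   0800.2711.aabb  ARPA   GigabitEthernet0/0
Internet  192.168.1.50            0   0800.2711.aabb  ARPA   GigabitEthernet0/0
Internet  192.168.1.77            0   Incomplete      ARPA
Internet  10.10.0.1               -   0026.0b12.3457  ARPA   GigabitEthernet0/1
Internet  10.10.0.2               3   5c5e.ab01.0203  ARPA   GigabitEthernet0/1
"""

if __name__ == "__main__":
    base, cur = parse_arp(BASELINE_ARP), parse_arp(CURRENT_ARP)
    print("shared:", shared_macs(cur))
    print("changed:", mac_changes(base, cur))
```

A shared MAC is not proof by itself (virtual-IP failover and some load balancers produce the same picture), so treat the output as a lead to corroborate against switch MAC tables and the host itself.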
Show TCP
The commands show ip sockets, show udp and show tcp are used to display traffic passing through the router, display statistics about the protocols and to see which ports the router is listening on.
Show tech-support
As of Cisco IOS Software Release 11.2, the command "show tech-support" has allowed for the collection of multiple sources of information concerning the router in a single command. This one command will output the same as running all of the following commands:
  • show version
  • show running-config
  • show stacks
  • show interface
  • show controller
  • show process cpu
  • show process memory
  • show buffers
By limiting the number of commands run, we can limit the changes to the system.
Show Stacks
The "show stacks" EXEC command is used to monitor the stack usage of processes and interrupt routines. Its output is one of the most indispensable sources of information to collect when the router crashes. It is also one of the most detailed commands for the analysis of the router's memory and is useful in analyzing router compromises.
Advanced Data Collection
The most effective way to capture and analyze the router involves the creation of a core dump. A core dump will contain the complete memory image of the router at the time it was created.
Cisco has included an IOS command to test or trigger a core dump:
#write core
Use this command in privileged exec mode (enable mode). This command will cause a crash, and the content of the memory will be dumped accordingly. When a core dump is generated, the entire setup and config can be reviewed forensically.
A core dump can be saved to:

  • An FTP server
    • ip ftp username username
    • ip ftp password password
    • exception protocol ftp
    • exception dump a.b.c.d
  • A TFTP server (exception dump a.b.c.d)
  • An RCP server
    • exception protocol rcp
    • exception dump a.b.c.d
  • A Flash disk (exception flash <procmem|iomem|all> <device_name[:partition_number]> <erase | no_erase>)
The best option will depend on the individual device and situation.
Core Analysis
The analysis of a Cisco router core dump is not a simple task. It has been made easier with the introduction of a free service from CIR (http://cir.recurity.com/cir/). In the event that loading a file to the Internet is not an option, there is a commercial product as well.
Figure 2: CIR Online allows network engineers and digital forensics experts to analyze Cisco IOS memory dumps.
Cisco IOS is essentially one single ELF binary that runs as a large, statically linked UNIX-style program loaded by ROMMON. Written in C, the IOS dump can be reverse engineered in order to analyze the system. A Cisco IOS core dump contains a complete image of the router's:

  • main memory,
  • IO memory, and
  • the PCI memory (if used).
Core dumps are useful as they contain the complete image of the Cisco device at an instant. They can even be used to extract network traffic from IO memory into a PCAP file for analysis.


Source: http://digital-forensics.sans.org/blog/2008/11/24/cisco-router-forensics/

17 mar 2014

Forensic Analysis of Routers and Switches