
Log examination is probably the single most productive part of your investigation if the logs are kept properly. It is also very tedious, especially when the logs are from multiple machines and are thousands of lines long. We earlier talked a bit about logs; now here are some tools that can help you.

First, I never look at logs on paper. It’s too easy to miss something. Also, I use tools that require the logs in “soft” form, usually ASCII. There are many tools that can help, from simple word processors or spreadsheets, to log parsing languages, like ASAX. Generally, I opt for speed in my first pass. For that I use the NTI text search tool. It can help me reduce 100,000 lines of ASCII logs to smaller files that contain only the lines with the keywords I’m searching for.

For example, I might be looking for instances of a user ID (who knows, there might be a password nearby, too). So, I’ll run the NTI tool against the log file and search for the ID, piping all hits into a separate file. For each hit the tool writes a single line consisting of the characters that surround the target. What I’ll see in the new file is my target word, ID, or phrase in the center of the line, with the characters that precede and follow it on either side. That gives me a bit of context. If something really looks interesting, I can use a standard word processor to search the original log for the whole phrase or set of characters on that line. Because such phrases are unique (or close to it), I’ll have very few hits to analyze.

I can do the same thing with dates and times, machine IDs, and other keywords and keyword phrases, such as “su failed for”. This approach is the fastest way I know of to make a quick, one-time (or two- or three-time) pass through a huge log, most of which I have no interest in. There are some drawbacks, though. First, the log must be ASCII. Some logs, like those that make up the lastlog, are in special formats.

Second, it is still tedious to perform this on multiple logs when we are tracking an event through several computers. The bottom line is that log analysis is a time-consuming task, even with the right tools.
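The first-pass reduction described above, written out as an added Python example rather than the NTI text search tool: it scans several hosts' logs for a list of keywords, emits one snippet per hit with the surrounding characters for context, tallies hits per host and keyword, and offers the exact-phrase second pass for following up an interesting snippet. The log lines are constructed for the example.

```python
"""First-pass reduction of large ASCII logs: keep only lines that hit a
keyword, as a one-line snippet with surrounding context, across several hosts.

Added example, not the NTI text search tool the text describes.  The log
lines below are constructed, syslog-style, for two hosts.
"""
import re
from collections import Counter

# Constructed sample logs, one entry per host; not real data.
SAMPLE_LOGS = {
    "hostA/messages": (
        "Mar  3 08:12:01 hostA login[412]: LOGIN ON tty1 BY jsmith\n"
        "Mar  3 08:14:22 hostA sshd[519]: Accepted password for jsmith from 10.1.2.3\n"
        "Mar  3 08:20:05 hostA cron[600]: (root) CMD (run-parts /etc/cron.hourly)\n"
        "Mar  3 09:01:17 hostA su[702]: su failed for root by jsmith on /dev/pts/0\n"
        "Mar  3 09:01:30 hostA su[703]: su succeeded for root by jsmith on /dev/pts/0\n"
    ),
    "hostB/messages": (
        "Mar  3 09:05:44 hostB sshd[881]: Accepted password for jsmith from 10.1.2.7\n"
        "Mar  3 09:06:10 hostB su[890]: su failed for root by jsmith on /dev/pts/1\n"
        "Mar  3 09:30:00 hostB cron[900]: (root) CMD (run-parts /etc/cron.hourly)\n"
    ),
}

def reduce_logs(logs, keywords, context=40):
    """Scan every log for every keyword (case-insensitive) and return a list of
    hits: (source, line_no, keyword, snippet).  The snippet is the matched text
    centred in a window of `context` characters on each side of it, which is
    usually enough to decide whether the hit deserves a second look."""
    patterns = [(kw, re.compile(re.escape(kw), re.IGNORECASE)) for kw in keywords]
    hits = []
    for source, text in logs.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kw, pat in patterns:
                for m in pat.finditer(line):
                    start = max(0, m.start() - context)
                    end = min(len(line), m.end() + context)
                    hits.append((source, line_no, kw, line[start:end]))
    return hits

def tally(hits):
    """Hits per (source, keyword): a quick view of which hosts carry the event."""
    return Counter((source, kw) for source, _, kw, _ in hits)

def second_pass(logs, phrase):
    """Exact-phrase search returning whole lines, for following up on one
    interesting snippet from the first pass."""
    return [
        (source, line_no, line)
        for source, text in logs.items()
        for line_no, line in enumerate(text.splitlines(), start=1)
        if phrase in line
    ]

if __name__ == "__main__":
    hits = reduce_logs(SAMPLE_LOGS, ["jsmith", "su failed for"])
    for source, line_no, kw, snippet in hits:
        print(f"{source}:{line_no} [{kw}] {snippet}")
    print(tally(hits))
    for source, line_no, line in second_pass(SAMPLE_LOGS, "su failed for root by jsmith"):
        print(f"{source}:{line_no} {line}")
```

Because each hit carries its source file and line number, the same reduced list serves for following one event across machines; sort it by timestamp before reading if the hosts' clocks are trustworthy.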

Other tools you might add to your kit are ASAX (a freeware, log parsing language for Unix that works well, but requires a masochist to use); ACL (Audit Control Language — a commercial product that works very well); and chklstlog (check last log), a freeware utility that checks the logs that make up the lastlog for inconsistencies in a Unix environment. This is important since utilities exist (such as MARRY) that allow intruders to remove traces of their presence from the logs that produce output from the last command.

The bottom line in log analysis: get rid of the junk before you start your analysis. Then, all you’ll be working with are “possibles.” Don’t forget to look for data that shows no incident occurred in this early stage of your investigation. You could save yourself a lot of grief and work later on.

Investigating Non-Crime Abuses of Corporate Policy

In today’s corporate environment there are “crimes that are not crimes.” These include abuse of Internet access, use of company e-mail for nonbusiness purposes or for personal use, and acts that are, potentially, violations of law. Most companies do not wish to involve law enforcement, unless it is absolutely necessary. They prefer to investigate these internal incidents and take appropriate action. There are some potential difficulties associated with this approach.

First, if your corporate policies don’t allow you to collect the evidence needed to pursue an incident properly, your hands will be tied. Violating an employee’s right of privacy, when there is an expectation of privacy, is a very bad thing. At the least, it will get any disciplinary action you take nullified. At the worst, it will subject you and your organization to a lawsuit that your employee will probably win.

Second, investigating these types of abuse and fraud is touchy from a technical standpoint. When you get into a civil court or before an arbitration panel with your evidence, you need to be sure that it is pristine, has been properly collected with proper chains of custody maintained, and that you can establish to the finder of the fact that you did everything correctly. Just because you are in a civil proceeding doesn’t mean that your evidence won’t be scrutinized as minutely as it would be in a criminal action.

Some of the most common Internet abuses experienced by today’s corporations involve pornography and, potentially, child pornography. Child pornography is a federal offense. Companies whose employees visit “kiddy porn” sites on the Internet must act to terminate the practice or be seen to be in complicity with the employee. Companies are expected to make a best faith effort to ensure that such abuse is detected, investigated, and appropriate action is taken.

The problems here are the same, however, as those we’ve just discussed. If there is no policy allowing search and seizure of the employee’s company PC, there really are few ways to pursue a policy of acceptable Internet use. While it’s true that companies can monitor access to the Internet and log the sites visited, or limit access to certain known sites, it is easy for the employee to deny guilt based upon the fact that tracking stops at the PC. Placing the employee at the PC, connected to a porn site, can be very tricky.

One solution is to force a second login to the Internet gateway. However, compromised passwords are not uncommon. A dedicated Internet abuser may have the skills to use a sniffer, readily available on the Internet, to capture passwords. Or, he or she (usually he) may be able to social engineer passwords out of colleagues. The best solution to the investigative issues is to have both a policy and the technical skills to establish guilt or innocence. So, for the technical portion of our discussion, let’s assume that you have your policies in place and can investigate with full freedom.

To establish that a computer has been used to visit inappropriate sites, you’ll need SafeBack, a disk/drive such as a Jaz drive to hold the image, a PC on which to reconstruct the image, copies of the NTI GETSLACK, GETFREE, IPFilter (with DM), FILTER_I, and the text search tool. Begin by impounding the PC, as we discussed in an earlier chapter. Booting from a DOS bootable floppy, run SafeBack and collect your image. Take the image to your test PC and restore it. You now have a mirror of the suspected abuser’s PC.

Using your DOS floppy, boot the mirror machine and make sure that the mirror can see the Jaz (or similar) drive. You’ll need a new disk in the Jaz drive because you are going to collect evidence from the mirror. Experience has shown me that the evidence from a serious pornography abuser is likely to be substantial, so you’ll need plenty of space to put it. I suggest that you work on a clean Jaz disk and make no subdirectories. Place copies of all tools you will use on the disk. That includes the NTI tools mentioned above, plus the NTI tool for cataloging the contents of a disk and the NTI CRCMD5 MD5 hashing tool. If you are encrypting, put your encryption program there also.

The purpose of collecting copies of all tools you will use onto a single disk is that you will always be able to demonstrate exactly what you did to analyze the evidence. All release levels will be correct, you’ll have everything you need in one place, and you’ll avoid the embarrassment of not being able to reproduce your activities because you didn’t have the same tools or releases you originally used.

Now, use GETSLACK and GETFREE to make copies of the slack and unallocated space on the mirror. Save the files onto your test disk (the Jaz disk). Use the disk cataloging tool to make a complete catalog, with MD5 values, of every file on the mirror. MD5 hash the resulting file itself (you’ll now have a hashed directory file containing a listing of every file on the mirror with its hash). Encrypt the listing and the file with the hash number into a single file, and put it aside in case you need to prove chain of custody.

Next perform hashes on the files resulting from GETSLACK and GETFREE and encrypt the resulting hash file. Use the dir command to see if there is a Windows swap file on the mirror. If there is, copy it off onto your Jaz disk, hash it, encrypt the hash file, and get ready to perform your analysis.
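The catalog-and-hash steps above, as an added Python example (not the NTI cataloging or CRCMD5 tools): it walks the restored image, records a per-file MD5, hashes the catalog file itself, and later re-verifies both so any change to the mirror after imaging shows up. It assumes the restored image is mounted as an ordinary directory tree; the mirror contents are constructed inline, and the encryption step is left to whatever tool you keep on the evidence disk.

```python
"""Catalog every file on a restored image with its MD5, then hash the
catalog itself so the listing can be shown unchanged later.

Added example, not NTI's cataloging or CRCMD5 tool; the "mirror" tree and
its contents are constructed inline.
"""
import hashlib
import os
import tempfile

def md5_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def md5_file(path, chunk=1 << 20) -> str:
    """Hash a file in chunks so a large swap file need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def catalog(root):
    """Return a sorted list of (relative_path, size, md5) for every regular
    file under root.  Symlinks and special files are skipped, and the walk is
    sorted so two runs over the same tree give byte-identical listings."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rows.append((os.path.relpath(full, root), os.path.getsize(full), md5_file(full)))
    return rows

def write_catalog(rows, out_path) -> str:
    """Write the catalog as fixed-format text and return the MD5 of that
    file; that value is what you put aside (encrypted, per the text)."""
    with open(out_path, "w", newline="\n") as f:
        for rel, size, digest in rows:
            f.write(f"{digest}  {size:>10}  {rel}\n")
    return md5_file(out_path)

def verify_catalog(catalog_path, expected_catalog_md5, root):
    """Re-check the catalog's own hash, then every listed file.  Returns a
    list of discrepancies; an empty list means the mirror matches the record."""
    if md5_file(catalog_path) != expected_catalog_md5:
        return ["catalog file hash mismatch"]
    problems = []
    with open(catalog_path) as f:
        for line in f:
            digest, _size, rel = line.rstrip("\n").split(maxsplit=2)
            full = os.path.join(root, rel)
            if not os.path.isfile(full):
                problems.append(f"missing: {rel}")
            elif md5_file(full) != digest:
                problems.append(f"changed: {rel}")
    return problems

def demo():
    """Build a tiny constructed mirror, catalog it, then show that altering
    one file after imaging is caught on re-verification."""
    with tempfile.TemporaryDirectory() as work:
        mirror = os.path.join(work, "mirror")
        os.makedirs(os.path.join(mirror, "WINDOWS"))
        with open(os.path.join(mirror, "AUTOEXEC.BAT"), "wb") as f:
            f.write(b"@ECHO OFF\r\n")
        with open(os.path.join(mirror, "WINDOWS", "WIN386.SWP"), "wb") as f:  # stand-in swap file
            f.write(b"\x00" * 4096 + b"http://example.test/pic.jpg" + b"\x00" * 64)
        rows = catalog(mirror)
        cat_path = os.path.join(work, "CATALOG.TXT")
        cat_md5 = write_catalog(rows, cat_path)
        clean = verify_catalog(cat_path, cat_md5, mirror)
        with open(os.path.join(mirror, "AUTOEXEC.BAT"), "ab") as f:
            f.write(b"REM altered after imaging\r\n")
        tampered = verify_catalog(cat_path, cat_md5, mirror)
        return rows, cat_md5, clean, tampered

if __name__ == "__main__":
    rows, cat_md5, clean, tampered = demo()
    for row in rows:
        print(*row)
    print("catalog md5:", cat_md5, "clean:", clean, "after tampering:", tampered)
```

MD5 is what the tools of the period produced; if you build this today, record a SHA-256 alongside it, since MD5 collisions are now practical and opposing counsel may raise the point.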

We are going to use IPFilter from NTI to analyze the mirror and the files we have collected. IPFilter, used with a freeware program called DM, will tell us every e-mail or URL address appearing on the hard drive, whether in the active area, slack, unallocated, or swap space. Using DM, we can also see the frequency with which the addresses were visited. These two programs will do the same for all graphics file names as well. IPFilter was developed by NTI for law enforcement in support of investigating child pornography. It is an awesome utility!

Start by running IPFilter against the mirror and saving the resulting database on your Jaz disk. You probably won’t get much, but you can always try. If you get some addresses, use DM to analyze their frequency. DM is very straightforward to use, as is IPFilter — we’ll leave the mechanics of operation to the manuals, help, and readme files. After you have run the utility, be sure to hash the resulting file, encrypt, and save the hash. Run IPFilter and DM on each of the remaining files (the ones you got from GETSLACK, GETFREE, and the Windows swap file, if there is one). This should prove much more productive.

At this point, you will need to examine the output of DM to decide if your suspect actually did what you thought he or she did. If you find no evidence of repeated abuse (the frequency is important because it limits the argument that the site was visited in error), you don’t have the right person. If, on the other hand, you harvested multiple addresses and visits to inappropriate addresses, as well as evidence of inappropriate graphics files on the computer, you probably have caught your suspect red-handed. But, there may be one more test you should perform.

Many suspects will complain that they were “framed” by someone else using their IP address. This is a plausible defense in some cases. On systems that use Windows95 or some TCP/IP third-party programs, changing the IP address of the PC is very easy. There are some limits, of course. There can’t be two instances of the same IP address active on a subnet at the same time in Windows95. So, if the real user is online, the masquerader can’t use that address. Also, systems that assign addresses dynamically are nearly impossible to spoof. However, they’re also very hard to perform traces on.

The way to get around this defense (or to use it to establish true innocence) is to locate evidence on the suspect’s PC that points to the suspect and nobody else. Some of the things you can look for are IDs, passwords, and credit card numbers that are unique to the suspect. That requires a text search of the mirror, including its slack, unallocated, and swap spaces. You can use the NTI text search tool and FILTER_I for this task. Try to associate these unique identifiers with the inappropriate addresses you harvested earlier. Package everything up on the single Jaz disk, make a backup copy of all of your hash files (a single floppy should be fine for that), and put the evidence into safe keeping until you need it.
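Both the IPFilter/DM harvesting with frequency counts described earlier and the follow-up search for identifiers unique to the suspect, combined into one added Python example (it is not IPFilter, DM or FILTER_I). It carves URLs, e-mail addresses and graphics file names out of raw bytes such as a GETFREE, GETSLACK or swap dump, counts each, then reports which of the suspect's identifiers (a user ID, a Luhn-valid card number) lie within a byte window of each URL on a watch-listed host, so a lone hit that no identifier sits near is visibly weaker than one that does. The raw buffer, the host badsite.example, the user ID jsmith and the card number are all constructed for the example.

```python
"""Harvest every URL, e-mail address and graphics file name from raw disk
data (slack, unallocated space, a swap file), count how often each appears,
then look for identifiers unique to the suspect near the addresses that matter.

Added example; it is not NTI's IPFilter, DM or FILTER_I.  The raw buffer,
the watch-listed host, the user ID and the card number are all constructed.
"""
import re
from collections import Counter

URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9.\-]+(?:/[\x21-\x7e]*)?")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
GRAPHIC_RE = re.compile(rb"[A-Za-z0-9_\-]{1,64}\.(?:jpe?g|gif|bmp|png)\b", re.IGNORECASE)
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators

def build_sample_raw() -> bytes:
    """Constructed stand-in for a GETFREE/GETSLACK/swap dump; not real disk data.
    The card number is the usual 4111... test number, which passes Luhn."""
    return b"".join([
        b"\x00" * 300,
        b"GET /gallery/index.html HTTP/1.0\r\nHost: badsite.example\r\n",
        b"http://badsite.example/gallery/pic001.jpg",
        b"\x00" * 120,
        b"user=jsmith&card=4111 1111 1111 1111&exp=0399",
        b"\x00" * 2000,
        b"http://badsite.example/gallery/pic002.jpg",
        b"\xff" * 50,
        b"http://badsite.example/gallery/pic001.jpg",
        b"\x00" * 3000,
        b"http://news.example/today.html",
        b"\x00" * 40,
        b"mailto:jsmith@corp.example",
        b"\x00" * 100,
        b"card=1234 5678 9012 3456",          # fails Luhn, so it is not reported
    ])

def harvest(raw: bytes):
    """Return Counters (urls, emails, graphics) over everything found in raw,
    active or not; the counts are the frequency argument the text relies on."""
    urls = Counter(m.group() for m in URL_RE.finditer(raw))
    emails = Counter(m.group() for m in EMAIL_RE.finditer(raw))
    graphics = Counter(m.group().lower() for m in GRAPHIC_RE.finditer(raw))
    return urls, emails, graphics

def host_of(url: bytes) -> bytes:
    return url.split(b"://", 1)[1].split(b"/", 1)[0].lower()

def luhn_ok(digits: str) -> bool:
    """Luhn check, so random digit runs are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(raw: bytes, user_ids):
    """Sorted (offset, kind, value) for the suspect's user IDs and for any
    Luhn-valid card number, wherever they sit in the raw data."""
    found = [(m.start(), "userid", uid)
             for uid in user_ids for m in re.finditer(re.escape(uid), raw)]
    for m in CARD_RE.finditer(raw):
        digits = re.sub(rb"[ -]", b"", m.group())
        if luhn_ok(digits.decode()):
            found.append((m.start(), "card", digits))
    return sorted(found)

def correlate(raw: bytes, watch_hosts, user_ids, window=512):
    """For every URL on a watch-listed host, list the suspect's identifiers
    lying within `window` bytes of it.  An empty list means that hit stands
    alone: it shows the site was reached from this disk, not who was typing."""
    ids = find_identifiers(raw, user_ids)
    watch = {h.lower() for h in watch_hosts}
    out = []
    for m in URL_RE.finditer(raw):
        if host_of(m.group()) in watch:
            near = [(kind, val) for off, kind, val in ids if abs(off - m.start()) <= window]
            out.append({"offset": m.start(), "url": m.group(), "near": near})
    return out

if __name__ == "__main__":
    raw = build_sample_raw()
    urls, emails, graphics = harvest(raw)
    for counter in (urls, emails, graphics):
        for item, n in counter.most_common():
            print(n, item.decode())
    for hit in correlate(raw, [b"badsite.example"], [b"jsmith"]):
        print(hit["offset"], hit["url"].decode(), hit["near"])
```

Byte proximity in unallocated space is only a heuristic: clusters from different files can be adjacent, so treat a nearby identifier as a lead to be confirmed against the active file system and the catalog, not as proof on its own.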