ITEC 6322 Secure Enterprise Computing
Incident Response and Computer Forensics
By Rob Hiltbrand – April 15, 2006
Part Two - Project
Prepare a brief written abstract that describes your planned demonstration. Be prepared to explain your demonstration goals to the class.
Possibility 1: Knowledge Area – Developing a methodology. Exercise – Students will have a final exercise that requires substantiation of an investigative methodology. This is the one that I’d most like to do because it involves elements of the other two possibilities. Specifically, I’ll demonstrate the methodology that I’ve come up with for checking host integrity as part of my project work for TEPM 6391 & TEPM 6395.
Possibility 2: Knowledge Area – Ability to review cookies, running processes, recycle bin, MS Office for revisions, backups, and auto-complete. Exercise – Student will identify places where evidence can be correlated to prove a violation or crime.
Possibility 3: Knowledge Area – Identifying and documenting evidence from logs. Exercise – Students will use a variety of intrusion detection products and examine log output for evidence of violations or crimes.
Part Three - Questions
Answer each of the following questions from the readings. The group of questions should take about one page to answer. Bring a hard copy of your answers to class and be prepared to post them to your web site.
1. What is a rootkit?
ANSWER: Rootkits are collections of commonly trojaned system processes and scripts that automate many of the actions attackers take when they compromise a system. They typically operate in stealth mode, thus the operator doesn’t know the system has been compromised.
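The defining trait in the answer above is that a rootkit swaps trusted system commands for trojaned copies. The standard counter is a hash baseline taken from a known-good state and re-checked later. The following script is an added example written for this page, not part of the assignment or of Helix; it runs against a constructed directory of fake binaries (an assumption, never a real `/bin`) and reports modified, missing and newly added files.

```shell
#!/bin/sh
# Added example (not part of the assignment): a baseline-and-compare integrity
# check for system binaries. Rootkits replace commands such as ps, ls or netstat
# with trojaned copies; a hash manifest taken from a known-good state exposes that.
# Everything here runs against a constructed directory, never against a real /bin.

# Record one "sha256  ./path" line per file under $1 into the manifest $2.
# The manifest must live outside $1 so it does not show up as an "added" file.
build_baseline() {
    dir="$1"; manifest="$2"
    (cd "$dir" && find . -type f | sort | xargs sha256sum) > "$manifest"
}

# Compare $1 against manifest $2. Reports modified, missing and added files.
# Returns 0 only when the tree is identical to the baseline.
check_baseline() {
    dir="$1"; manifest="$2"; rc=0
    # Modified or missing files: sha256sum -c prints a FAILED line for each.
    (cd "$dir" && sha256sum -c --quiet "$manifest") || rc=1
    # Added files: a newly dropped binary is not in the old manifest, so the hash
    # check alone would never notice it. Diff the two sorted path lists instead.
    (cd "$dir" && find . -type f | sort) > "$manifest.now"
    sed 's/^[0-9a-f]*  //' "$manifest" > "$manifest.then"
    added=$(comm -13 "$manifest.then" "$manifest.now")
    if [ -n "$added" ]; then
        printf 'ADDED: %s\n' "$added"
        rc=1
    fi
    rm -f "$manifest.now" "$manifest.then"
    return $rc
}

# Constructed stand-in for a system: a few fake binaries in a temp directory.
make_fake_system() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'original ps\n'      > "$root/bin/ps"
    printf 'original ls\n'      > "$root/bin/ls"
    printf 'original netstat\n' > "$root/bin/netstat"
    printf '%s' "$root"
}

# Scenario 1: an untouched system passes the check (returns 0).
demo_clean() {
    root=$(make_fake_system); manifest=$(mktemp)
    build_baseline "$root" "$manifest"
    if check_baseline "$root" "$manifest"; then rc=0; else rc=1; fi
    rm -rf "$root" "$manifest"
    return $rc
}

# Scenario 2: ps replaced and a hidden file dropped, as a rootkit install would
# do; the check must fail (returns 1) and name both files.
demo_tampered() {
    root=$(make_fake_system); manifest=$(mktemp)
    build_baseline "$root" "$manifest"
    printf 'trojaned ps that hides processes\n' > "$root/bin/ps"
    printf 'dropped file\n' > "$root/bin/.extra"
    if check_baseline "$root" "$manifest"; then rc=0; else rc=1; fi
    rm -rf "$root" "$manifest"
    return $rc
}

demo_clean    && echo "clean system: baseline matches"
demo_tampered || echo "tampered system: check reports differences (expected)"
```

One caveat worth keeping in mind: a kernel-level rootkit can hide files and lie to `find` and `sha256sum` on the live host, which is precisely why this kind of comparison is run from trusted media such as the Helix LiveCD, or against a read-only mounted forensic image, rather than from the suspect system's own shell.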
2. In Helix, what does the Protected Storage Viewer (IR Tools, page 3) reveal?
ANSWER: Protected Storage Viewer is a small utility that reveals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer. The passwords are revealed by reading the information from the Protected Storage.
3. What other way can you access this information?
ANSWER: The Helix LiveCD offers tools with capabilities similar to those of the Protected Storage Viewer, such as Network Password Viewer (login passwords for remote computers on the LAN) and Asterisk Logger (reveals passwords hidden behind asterisks).
4. Briefly discuss the pros & cons of doing corporate forensic work from a GUI rather than a CLI.
ANSWER: Utilizing computer forensic tools that feature a Graphical User Interface (GUI) enables less technically proficient investigators to use sophisticated tools. A prime example is EnCase, the most widely used computer forensic investigation technology in the law enforcement community. A drawback to such a tool is that the GUI itself might alter the target workstation and thus compromise the integrity of the investigation. On the other side of the debate are many open source computer forensic tools that can only be used from a Command Line Interface (CLI). These tools require a high level of technical prowess but also yield significant results, and there isn’t the stigma of a GUI that might compromise the host computer and thus poison the investigation. It is a delicate balance.
5. In computer forensics, for what is the dd command used?
ANSWER: The dd command is used to create a forensic duplicate of a host. A forensic duplicate is a file that contains every bit of information from the source, in a raw bitstream format. An example would be a 5 GB hard drive resulting in a 5 GB forensic duplicate. The dd utility has obvious benefits when performing an investigation that requires an exact duplicate of a suspected host system.
6. What is NetCat? And for what would you use it?
ANSWER: NetCat makes and accepts Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections. It writes and reads data over those connections until they are closed. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications and services on the application layer (Layer 7 of the OSI model).
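The dd answer (question 5) describes the duplicate but not the step that makes it usable as evidence: proving the image is bit-identical to its source. The script below is an added example written for this page, not part of the assignment or of Helix; it images a constructed file of random bytes (an assumption standing in for a suspect drive) with `dd`, records SHA-256 hashes of source and image, and shows that any later change to the image is caught.

```shell
#!/bin/sh
# Added example (not part of the assignment): a forensic duplicate made with dd,
# then verified by hashing source and image. The "suspect drive" is a constructed
# file of random bytes, so nothing here touches real hardware.

# Constructed evidence: 1 MiB of random data standing in for a block device.
make_evidence() {
    dev=$(mktemp)
    dd if=/dev/urandom of="$dev" bs=4096 count=256 2>/dev/null
    printf '%s' "$dev"
}

# Bit-for-bit copy. conv=noerror keeps dd running past unreadable sectors instead
# of aborting, and conv=sync pads each short read with zeros so every byte of the
# image stays at the same offset as on the source. Pick a bs that divides the
# source size (512 always does for a real block device) so that padding never
# changes the image length.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record both hashes next to the image and compare them; an exact duplicate
# hashes identically to its source. Returns 0 on match, 1 otherwise.
verify_image() {
    src="$1"; img="$2"
    s=$(sha256_of "$src"); i=$(sha256_of "$img")
    printf 'source %s\nimage  %s\n' "$s" "$i" > "$img.sha256"
    [ "$s" = "$i" ]
}

# Whole workflow: image the constructed device, verify, clean up. Returns 0.
run_acquisition() {
    src=$(make_evidence); img=$(mktemp)
    acquire_image "$src" "$img"
    if verify_image "$src" "$img"; then rc=0; else rc=1; fi
    rm -f "$src" "$img" "$img.sha256"
    return $rc
}

# Same workflow, but the image is altered after acquisition; verification must
# fail (returns 1). This is why the hash is recorded at acquisition time and
# re-checked before any analysis is done on the copy.
run_tampered_acquisition() {
    src=$(make_evidence); img=$(mktemp)
    acquire_image "$src" "$img"
    printf 'x' >> "$img"
    if verify_image "$src" "$img"; then rc=0; else rc=1; fi
    rm -f "$src" "$img" "$img.sha256"
    return $rc
}

run_acquisition          && echo "image verified: hashes match"
run_tampered_acquisition || echo "altered image detected: hashes differ (expected)"
```

In the Helix workflow the `dd` output is often not written to a local file at all but piped over the network to a collector running a NetCat listener (question 6), which is exactly the raw TCP stream NetCat is described as providing; that hand-off is not exercised here, but the hash comparison on both ends is the same.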