File000139



Transcript of File000139

1. Module XXVI: Network Forensics and Investigating Logs

2. EC-Council Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

News: Accused SF Network Hacker Facing Felony Charges
Source: http://www.foxreno.com/

3. Module Objective

This module will familiarize you with:
• Network Forensics
• Network Attacks
• Where to Look for Evidence
• Investigating Logs
• Handling Logs as Evidence
• Log Injection Attacks

4. Module Flow

Figure: Network Forensics, Investigating Logs, Where to Look for Evidence, Handling Logs as Evidence, Network Attacks, Log Injection Attacks

5. Network Forensics

Network forensics can be defined as the sniffing, recording, acquisition and analysis of network traffic and event logs in order to investigate a network security incident.

Network forensics can reveal:
• The source of security incidents and network attacks
• The path of the attack
• The intrusion techniques used by attackers

6. The Intrusion Process

Figure: The intrusion process. The attacker's laptop on the Internet reaches the corporate network through a chain of ISP routers and intermediate "owned" computers; inside the corporate network sit firewalls, routers, hubs, servers, a mainframe, workstations, laptops and printers.

7. Network Vulnerabilities

• Internal network vulnerabilities: these occur due to the overextension of bandwidth and bottlenecks
• External network vulnerabilities: these occur due to threats such as DoS/DDoS attacks and network data interception
8. Network Attacks

• IP Spoofing
• Router attacks
• Eavesdropping
• Denial-of-Service
• Man-in-the-Middle Attack
• Sniffer Attack
• Data Modification Attacks
• Enumeration
• Virus
• Trojan
• E-mail Infection
• Password Cracking
• Malware attacks

9. Where to Look for Evidence

Log files from the following devices and applications can be used as evidence for network security incidents:
• Firewalls
• Routers and switches
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Servers, desktops, and mainframes
• Business applications
• Databases
• Anti-virus
• VPNs

10. Investigating Logs

11. Postmortem and Real-Time Analysis

Forensic examination of logs is divided into two categories:
• Postmortem: postmortem analysis of logs is done to investigate something that has already happened
• Real-Time Analysis: real-time analysis is done for an ongoing process

In practice, IDS is the real-time analysis, whereas the forensic examination is postmortem.

12. Handling Logs as Evidence

• Use Multiple Logs as Evidence: it is hard to refute one log entry if two separate devices record the same information; firewall logs, IDS logs, and TCPDump can help to prove that an IP address hit a specific server at a specific time
• Avoid Missing Logs: when no log files exist, there is no way of knowing if the server got no hits (say it was offline for a day) or if the log file was actually deleted
13. Log File Authenticity

Log files can be said to be authentic if it can be proven that they have not been modified since they were originally recorded.

Move the Logs: if a server has been compromised, you must consider that the log files could also have been compromised. Move the logs to a master server and then move them offline to a tape or CD.

14. Use Signatures, Encryption, and Checksums

• To ensure that the log file is not modified, encrypt the log using a public-key encryption scheme
• A file signature makes the log file more secure
• Use the Fsum tool or MD5 to generate the hash code
• Store the signatures and hashes with the log
• Store a secure copy in a separate location

15. Work with Copies

• Do not use original log files for analysis; always work on copies
• Ensure that the original logs are never touched, to maintain the authenticity of the original log files
• If you use log files as court evidence, you must present the original files in their original form

16. Ensure Systems Integrity

• Always stay up to date on service packs and hotfixes; this assures that the system files are valid
• Audit all changes to binary files in the WINNT directory
• If an intruder modifies the system files that record the log files, then the log files are no longer valid as evidence

17. Access Control

• Once a log file is created, it is important to prevent the file from being accessed and to audit any authorized and unauthorized access
• If you properly secure and audit a log file using NTFS permissions, you will have documented evidence to establish its credibility
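The following is an added example and not part of the EC-Council deck; it shows, for slides 14 and 18, how a hash, a keyed signature and a chain-of-custody record are produced over a collected log and how a later copy is checked against them. The log lines, the signing key and the location names are constructed for the example; the deck names MD5 and the Fsum tool, the default here is SHA-256 because MD5 collisions are practical.

```python
import hashlib
import hmac

# Constructed sample log (not from the deck): two firewall-style lines.
SAMPLE_LOG = (
    b"21-05-2010 10:01:02 | 192.0.2.10 | GET /index.html | 200\n"
    b"21-05-2010 10:01:05 | 192.0.2.11 | GET /login | 302\n"
)

# Hypothetical signing key. It belongs on the master log server or with the
# investigator, never on the host whose logs are being protected.
SIGNING_KEY = b"example-key-kept-off-the-logging-host"


def digest_log(data: bytes, algorithm: str = "sha256") -> str:
    """Hex hash of the log bytes (the 'hash code' of slide 14).

    The slide names MD5; SHA-256 is the default here because MD5 collisions are
    practical, so two different files can share an MD5 sum. algorithm="md5" still
    works for matching a checksum that was recorded with an older tool."""
    return hashlib.new(algorithm, data).hexdigest()


def sign_log(data: bytes, key: bytes) -> str:
    """Keyed signature (HMAC-SHA256) over the log. A bare hash can be recomputed by
    whoever edits the file; the HMAC cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_log(data: bytes, expected_digest: str, expected_sig: str, key: bytes) -> dict:
    """Check a working copy against the digest and signature stored with the original."""
    return {
        "digest_ok": hmac.compare_digest(digest_log(data), expected_digest),
        "signature_ok": hmac.compare_digest(sign_log(data, key), expected_sig),
    }


def record_transfer(custody: list, location: str, data: bytes) -> list:
    """Chain-of-custody entry (slide 18): where the file went and its digest on arrival.
    Two consecutive entries with different digests bracket the point where it changed."""
    custody.append({"location": location, "sha256": digest_log(data)})
    return custody


def demo() -> dict:
    stored_digest = digest_log(SAMPLE_LOG)
    stored_sig = sign_log(SAMPLE_LOG, SIGNING_KEY)
    # A copy altered after collection: one status code changed.
    tampered = SAMPLE_LOG.replace(b"| 302", b"| 200")
    custody = []
    record_transfer(custody, "web server", SAMPLE_LOG)
    record_transfer(custody, "master log server", SAMPLE_LOG)
    record_transfer(custody, "offline tape copy", tampered)
    return {
        "original": verify_log(SAMPLE_LOG, stored_digest, stored_sig, SIGNING_KEY),
        "tampered": verify_log(tampered, stored_digest, stored_sig, SIGNING_KEY),
        "custody_consistent": len({c["sha256"] for c in custody}) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The digest alone only proves that a copy matches what was recorded; the HMAC additionally ties that record to whoever held the key, which is why slide 14 pairs checksums with signatures. Storing the custody list beside the log, with a digest taken at each hand-over, turns slide 18's "keep track of where the file goes" into something that can be checked rather than asserted.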
18. Chain of Custody

• As you move log files from the server and later to an offline device, you should keep track of where the file goes
• This can be done through either technical or non-technical methods, such as MD5 authentication

19. Condensing Log Files

• Log files can be sorted using syslog, but the output of syslog is a large log file
• It is difficult for the forensic team to look for the important log entry
• Log entries need to be filtered as per the requirement
• Tools that can be used: Swatch, Logcheck

20. Log Injection Attacks

21. New Line Injection Attack

• In this attack, the attacker injects plaintext into the log files
• The attacker tries to divert the attention of the investigator towards another person
• The logging application relates the user to the action performed

The log file before the attack: (figure)

22. New Line Injection Attack (contd)

The attacker alters the logged input by inserting [LINEBREAK] and changing the user name Tester01 to, say, Manager01.

The log file after the attack: Figure: New lines inserted by attackers

23. New Line Injection Attack Countermeasure

Remove all new line characters, such as the carriage return (0x0D) and line feed (0x0A) characters.

The resulting log file: Figure: Removing new lines
24. Separator Injection Attack

• In this attack, the attacker injects a single pipe character or multiple pipe characters into the log files
• Some systems keep log files with several data columns; each entry is a single line of text with the data fields separated by a pipe character

The sample log file: (figure)

25. Separator Injection Attack (contd)

• When the attacker injects single or multiple pipe characters, the previous values are replaced and shifted from one column to the next
• Consider the example where the value field is replaced with: 9.99 | WRITE
• The values are shifted from one column to the next as shown: Figure: Replaced value field

26. Separator Injection Attack (contd)

• Shifting log columns causes inconsistency in the log file
• The attack damages the log file's integrity
• It shows that the attack was performed on a pipe character
• Though the shifting of values is uncovered, it is difficult to find the culprit

27. Defending Separator Injection Attack

• Sanitize the inputs by morphing incoming data to a different representation
• URL encoding and slash (\) encoding techniques can be used to sanitize the inputs
• In the URL encoding technique, the pipe character is encoded to a percent sign followed by the hexadecimal representation of its ASCII value

The log file after implementing URL encoding: Figure: URL encoding
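The following is an added example, not code from the EC-Council deck, that puts the countermeasures of slides 23 and 27 into one log writer: new line characters are removed from every field and the pipe separator is percent-encoded, so the same writer defeats both the new line injection of slides 21-23 and the separator injection of slides 24-27. The column layout, the naive writer and both attacker inputs are constructed for the example; the separator payload is the 9.99 | WRITE value from slide 25.

```python
import urllib.parse

SEPARATOR = " | "   # column separator of the constructed pipe-delimited log format


def sanitize_field(value: str) -> str:
    """Neutralise both injection primitives in one attacker-influenced field.

    Carriage return (0x0D) and line feed (0x0A) are removed, as slide 23 prescribes,
    so a field can never start a new log line. The pipe is percent-encoded (%7C) so it
    can never act as a column separator; '%' itself is encoded first, otherwise a
    literal '%7C' typed by the attacker would decode to a pipe later."""
    value = value.replace("\r", "").replace("\n", "")
    return value.replace("%", "%25").replace("|", "%7C")


def decode_field(value: str) -> str:
    """Recover the original field text for display (the reverse of the encoding above)."""
    return urllib.parse.unquote(value)


def write_entry(timestamp: str, user: str, action: str, value: str) -> str:
    """Hardened writer: every column passes through sanitize_field before joining."""
    return SEPARATOR.join(sanitize_field(f) for f in (timestamp, user, action, value))


def write_entry_naive(timestamp: str, user: str, action: str, value: str) -> str:
    """The vulnerable writer the slides describe: raw input joined straight into the line."""
    return SEPARATOR.join((timestamp, user, action, value))


def parse_entry(line: str) -> list:
    """Split one physical line into columns and decode each field."""
    return [decode_field(f) for f in line.split(SEPARATOR)]


# Constructed attacker inputs: the slide-25 payload, and a newline payload in the spirit
# of slide 22 that tries to make a forged second line blame Manager01.
SEPARATOR_PAYLOAD = "9.99 | WRITE"
NEWLINE_PAYLOAD = "Tester01\n21-05-2010 10:03 | Manager01 | DELETE | all files"


def demo() -> dict:
    naive_sep = write_entry_naive("21-05-2010 10:02", "Tester01", "READ", SEPARATOR_PAYLOAD)
    safe_sep = write_entry("21-05-2010 10:02", "Tester01", "READ", SEPARATOR_PAYLOAD)
    naive_nl = write_entry_naive("21-05-2010 10:02", NEWLINE_PAYLOAD, "LOGON", "ok")
    safe_nl = write_entry("21-05-2010 10:02", NEWLINE_PAYLOAD, "LOGON", "ok")
    return {
        "naive_columns": len(naive_sep.split(SEPARATOR)),   # 5: the value spilled into a new column
        "safe_columns": len(safe_sep.split(SEPARATOR)),     # 4
        "round_trip": parse_entry(safe_sep)[3],             # '9.99 | WRITE', decoded for display
        "naive_lines": naive_nl.count("\n") + 1,            # 2: a forged line appeared
        "safe_lines": safe_nl.count("\n") + 1,              # 1
    }


if __name__ == "__main__":
    print(demo())
```

Removing the new line characters is what slide 23 asks for; encoding them as %0D and %0A instead would keep evidence that an injection was attempted, which an investigator may prefer. Either way the decoded form must only ever be shown one field at a time, never re-joined with the separator, or the column shift of slide 25 comes back at display time.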
28. Timestamp Injection Attack

• This attack uses a combination of the New Line and Separator injection attacks
• The log records the action that was taken, by whom it was initiated, and when it occurred

Consider a stock trading system that stores all trade information in a log file: Figure: Log of all trade information

29. Timestamp Injection Attack (contd)

The new line input injection may look like:

AccountY[LINEBREAK]
21-05-2010 : 1002 : Trader1 has retracted sell order

The log output is as follows: Figure: New line input injection

30. Timestamp Injection Attack (contd)

• The attacker must know the date and time of the logging component
• The entries cannot be injected in chronological order
• The time stamp should lie between the surrounding time stamps
• It is easy to find the region of uncertainty if a limited number of lines are injected
• These scenarios create doubts in the legal case

31. Defending Timestamp Injection Attack

• Use sequence numbering; it is similar to time stamping and helps in overcoming the predictable entry creation problems
• The following figure illustrates that line 3 is out of sequence: Figure: Example with sequence numbering

32. Word Wrap Abuse Attack

• In a word wrap abuse attack, unusual log entries are created by using white space padding
• The line may wrap and cause an attack similar to the new line injection attack

33. Word Wrap Abuse Attack (contd)

Instead of the new line removal technique, the attacker may use the following input:

Tester01.
__________________Failed to delete all files for Manager01.________Failed to move all files for Manager01.__________Failed to remove user Manager01 for Manager01.___Failed to logon for Tester01

The log file looks like: Figure: Word wrap abuse attack

34. Defending Word Wrap Abuse Attack

• The solution for this type of attack is entry splitting
• The log entry is split into multiple lines after a specific length
• Insert a marker to indicate that splitting has occurred
• This technique provides generalized protection against the forms of injection that depend on long inputs being undetectable

35. Defending Word Wrap Abuse Attack (contd)

• The log file entry after splitting looks like: (figure)
• Here [CR] indicates that the logging software has inserted a carriage return
• The disadvantage of this method is that the integrity of entries may be compromised

36. HTML Injection Attack

• In this attack, the attacker injects HTML tags into a log
• This will control the display of the subsequent entries
• Consider an HTML log file which is potentially not secure
• Under normal conditions the browser displays a list of all the invalid session identifiers along with a timestamp

37. HTML Injection Attack (contd)

The HTML log file looks like: Figure: HTML injection attack
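The following is an added example, not code from the EC-Council deck, covering the two structural defences of slides 31 and 34-35 together: a writer that gives every entry a sequence number and splits over-long entries with a [CR] marker, and a checker that reassembles the split lines and reports entries that are out of sequence, which is how the "line 3 is out of sequence" finding of slide 31 would be produced. The entry format (sequence : timestamp : message), the 64-character limit and the two injected lines are constructed for the example; the injected text is the retracted-sell-order line of slide 29.

```python
import re

MAX_LEN = 64       # constructed line-length limit for entry splitting
MARKER = "[CR]"    # the slide's marker: the logger, not the user, inserted this break
ENTRY_RE = re.compile(r"^(\d+) : (\d{2}-\d{2}-\d{4} \d{4}) : (.*)$")


class SequencedLogger:
    """Writer that prefixes each entry with a monotonically increasing sequence number
    (slide 31) and splits entries longer than MAX_LEN, ending each partial line with
    [CR] (slides 34-35) so a reader can tell a logger-made break from an injected one."""

    def __init__(self):
        self.seq = 0
        self.lines = []

    def log(self, timestamp: str, message: str) -> list:
        self.seq += 1
        body = f"{self.seq} : {timestamp} : {message}"
        pieces = []
        while len(body) > MAX_LEN:
            pieces.append(body[:MAX_LEN] + MARKER)
            body = body[MAX_LEN:]
        pieces.append(body)
        self.lines.extend(pieces)
        return pieces


def reassemble(lines: list) -> list:
    """Undo entry splitting: a physical line ending in [CR] continues on the next one."""
    entries, buf = [], ""
    for line in lines:
        if line.endswith(MARKER):
            buf += line[: -len(MARKER)]
        else:
            entries.append(buf + line)
            buf = ""
    return entries


def check_sequence(entries: list) -> list:
    """Flag entries that do not parse or whose sequence number is not the expected next one.

    An injected line (slide 29) either carries no sequence number, repeats one the
    logger already used, or guesses ahead. After a mismatch the expected value is kept,
    so a foreign line does not resynchronise the checker."""
    problems, expected = [], 1
    for idx, entry in enumerate(entries, start=1):
        m = ENTRY_RE.match(entry)
        if not m:
            problems.append((idx, "unparseable entry"))
            continue
        seq = int(m.group(1))
        if seq != expected:
            problems.append((idx, f"sequence {seq}, expected {expected}"))
        else:
            expected += 1
    return problems


# Constructed injected lines in the spirit of slide 29: the first arrived through a
# newline in a user field and has no sequence number; the second forges the next number.
INJECTED_NO_SEQ = "21-05-2010 1002 : Trader1 has retracted sell order"
INJECTED_FORGED = "3 : 21-05-2010 1002 : Trader1 has retracted sell order"


def demo() -> dict:
    logger = SequencedLogger()
    logger.log("21-05-2010 1000", "Trader1 placed sell order for AccountX")
    logger.log("21-05-2010 1001", "Trader1 placed buy order for AccountY")
    logger.log("21-05-2010 1003", "Trader2 " + "updated limit for AccountZ " * 3)  # long: gets split
    lines = logger.lines[:2] + [INJECTED_NO_SEQ, INJECTED_FORGED] + logger.lines[2:]
    entries = reassemble(lines)
    return {"physical_lines": len(lines), "entries": len(entries), "problems": check_sequence(entries)}


if __name__ == "__main__":
    print(demo())
```

The forged line that guesses the right number is not flagged itself; the genuine entry that follows it is, because the number now repeats. That is the honest limit of sequence numbering on its own: it narrows the region of uncertainty that slide 30 talks about rather than naming the injected line, which is why it is paired with the input sanitisation of the earlier slides. The [CR] marker is what keeps the long, padded input of slide 33 from being mistaken for several entries, at the cost slide 35 notes: the split lines must be reassembled before the entry is trusted.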
38. HTML Injection Attack (contd)

• Line 7 in the example shows the potentially malicious Session ID, which is under the attacker's control
• The attacker can disable logging, in order to perform other attacks, by changing the Session ID to A345EFF345987435 together with injected HTML tags: a new table starts, closing the current row of the table, with the background color used as the font color
• Due to this, the session IDs will be logged in a white font color, which makes it difficult to identify them against the background color

39. HTML Injection Attack (contd)

The log file is changed to: Figure: Changed log file

40. Defending HTML Injection Attack

• Token removal is the solution for this kind of attack
• Identify the inputs given by the attacker and remove the tokens so that they are not interpreted upon display
• Remove the < and > characters wherever you find that a malicious input is given

The secured log file is written as: Figure: Token removal

41. Terminal Injection Attack

• It is an attack on the log viewing interface
• In this attack, terminal emulation is used to interpret character sequences as special action directives to the terminal
• Terminal injection can be used on an FTP client log file on a Linux system
• As an example, a bash shell command is used as a backdoor by an attacker to display all the users' passwords
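The following is an added example, not code from the EC-Council deck, for the HTML log of slides 36-40: the table of invalid session identifiers is rendered three ways, once as the vulnerable writer does, once with the token removal of slide 40 and once with HTML escaping as an alternative, and the number of tags the browser would interpret is counted each time. The session list, the timestamps and the injected tag in the third session ID are constructed; the ID A345EFF345987435 is the one slide 38 names.

```python
import html
import re

# Constructed log of invalid session identifiers, in the shape slide 36 describes.
# The third session ID is attacker-controlled (cf. slide 38, line 7) and carries a
# hypothetical injected tag that would turn the text after it white.
INVALID_SESSIONS = [
    ("21-05-2010 10:00:01", "A345EFF345987433"),
    ("21-05-2010 10:00:09", "A345EFF345987434"),
    ("21-05-2010 10:00:15", 'A345EFF345987435<font color="white">'),
]

TAG_RE = re.compile(r"<[^>]+>")


def remove_tokens(value: str) -> str:
    """Token removal as on slide 40: drop '<' and '>' so the browser can never see a tag."""
    return value.replace("<", "").replace(">", "")


def escape_tokens(value: str) -> str:
    """Alternative: encode the tokens instead of dropping them. The browser shows the
    attacker's text literally, so the investigator still sees what was attempted."""
    return html.escape(value)


def render(rows, sanitizer=lambda s: s) -> str:
    """Render the log as the HTML table a browser would display. With the default
    identity sanitizer this is the vulnerable writer; pass remove_tokens or
    escape_tokens for the hardened versions."""
    cells = "".join(
        f"<tr><td>{sanitizer(ts)}</td><td>{sanitizer(sid)}</td></tr>" for ts, sid in rows
    )
    return f"<table>{cells}</table>"


def count_tags(document: str) -> int:
    """Number of tags the browser will interpret; only the writer's own should be present."""
    return len(TAG_RE.findall(document))


def expected_tag_count(rows) -> int:
    """Tags the legitimate table structure needs: <table>, </table> and six per row."""
    return 2 + 6 * len(rows)


def demo() -> dict:
    return {
        "unsafe": count_tags(render(INVALID_SESSIONS)),
        "removed": count_tags(render(INVALID_SESSIONS, remove_tokens)),
        "escaped": count_tags(render(INVALID_SESSIONS, escape_tokens)),
        "expected": expected_tag_count(INVALID_SESSIONS),
    }


if __name__ == "__main__":
    print(demo())
```

Comparing the rendered tag count with the count the table structure needs is a cheap check an investigator can run over an HTML log before opening it in a browser: any surplus tag came from logged data. Removal, as the slide prescribes, destroys the attacker's markup; escaping keeps it readable as text, which is usually the better choice when the log is evidence.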
42. Terminal Injection Attack (contd)

• Finally, the FTP client leaves the log file with the passwords in it
• If the attacker knows that the administrator of the system inspects the log file via a cat command that displays its output in a terminal window, he can abuse its use of ANSI terminal sequences to clear the screen and make the log file appear empty

The log file as viewed by the attacker: (figure)

43. Defending Terminal Injection Attack

• These attacks can be defended against using a raw viewer such as a hex editor
• Using a hex editor, the file contents can be viewed without any interpretation
• It provides a hexadecimal output, which is difficult to read, as shown: Figure: Hex output of a terminal injection attack

44. Other Kinds of Log File Attacks

The other forms of attack to be aware of before developing a logging system are:
• Buffer Overflows: buffer overflows in log files may corrupt the records and damage the log file integrity
• Format Strings: these are mostly popular in Unix-based logging systems and dangerous in unproven components
• SQL Injection: this is the threat to user data stored in a relational database
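The following is an added example, not code from the EC-Council deck, for the terminal injection of slides 41-43: a constructed FTP-style log containing an ANSI clear-screen sequence is examined with a scanner that lists every control sequence a terminal would obey, a hex dump of the kind a hex editor shows (slide 43), and a printable rendering that can be safely displayed in a terminal. The log lines, addresses and user name are constructed; the ESC [2J and ESC [H sequences are the standard ANSI clear-screen and cursor-home codes the slide refers to.

```python
import re

ESC = "\x1b"
# Constructed FTP-client style log as an attacker might leave it (slide 42): a genuine
# entry, then an ANSI clear-screen and cursor-home sequence, then an innocuous entry.
# When this file is simply cat'ed, the terminal obeys the sequence and the first line vanishes.
TERMINAL_LOG = (
    "21-05-2010 1000 : ftp : login from 192.0.2.10 as alice\n"
    + ESC + "[2J" + ESC + "[H"
    + "21-05-2010 1001 : ftp : session closed\n"
)

# CSI sequences (ESC [ params intermediates final) or any other control byte except tab and newline.
CONTROL_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def find_control_sequences(text: str) -> list:
    """(offset, sequence) for everything a terminal would interpret rather than print."""
    return [(m.start(), m.group()) for m in CONTROL_RE.finditer(text)]


def hexdump(data: bytes, width: int = 16) -> list:
    """Raw view in the style of a hex editor (slide 43): every byte is shown, none is obeyed."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{ascii_part}|")
    return lines


def visible_form(text: str) -> str:
    """Terminal-safe rendering, the same idea as `cat -v`: control characters become
    printable '\\xNN' escapes, so the viewer sees the sequence instead of executing it."""
    return "".join(
        ch if ch in "\n\t" or 32 <= ord(ch) < 127 else f"\\x{ord(ch):02x}" for ch in text
    )


def demo() -> dict:
    return {
        "sequences": find_control_sequences(TERMINAL_LOG),
        "hexdump": hexdump(TERMINAL_LOG.encode()),
        "visible": visible_form(TERMINAL_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The scanner gives the investigator the byte offsets to look at, and the hex dump confirms them without any terminal in the loop, which is the point of slide 43. For day-to-day review, the printable rendering (or `cat -v`, or `less`, which shows control characters rather than obeying them) avoids the blank screen of slide 42 without needing a hex editor.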
45. Other Kinds of Log File Attacks (contd)

• Directory Traversal: attackers may use special characters to navigate to unauthorized directories or drives in order to overwrite important files
• XML Attacks: XML stores different types of information including log data; external and internal entity references and excessive recursion in XML may change the functionality of log writing and reading
• Denial of Service: this attack causes an overflow of entries; individual logs and storage can be filled to capacity, and the log file infrastructure is appended with noise, which makes it difficult to identify real entries

46. Summary

• Log files can be sorted using syslog, but the output of syslog is a large log file
• Log entries need to be filtered
• Postmortem analysis of logs is done to investigate something which has already happened
• By combining logs from several devices, you strengthen the value of each
• Investigate the logs for the different log injection attacks
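The following is an added example, not code from the EC-Council deck, for two of the "other kinds" of log file attacks on slides 44 and 45: a log store backed by a relational database is shown with the statement built from the log text beside the parameterised form (SQL injection), and a log file name supplied by a caller is resolved and refused if it leaves the log directory (directory traversal). The log directory, the table layout and both attacker strings are constructed for the example; the database is an in-memory SQLite one so the block runs anywhere.

```python
import sqlite3
from pathlib import Path

LOG_ROOT = Path("/var/log/app")   # hypothetical directory that log files must stay inside

# Constructed attacker-supplied strings, labelled as such.
TRAVERSAL_NAME = "../../../etc/passwd"
SQL_PAYLOAD = "Failed login'); DROP TABLE log; --"


def safe_log_path(root: Path, name: str) -> Path:
    """Resolve a caller-supplied log file name under root (slide 45, directory traversal)
    and refuse any result that is not strictly inside it. resolve() collapses '..' and
    symlinks, so the comparison is made on the real location, not on the typed string."""
    root_resolved = root.resolve()
    candidate = (root / name).resolve()
    if root_resolved not in candidate.parents:
        raise ValueError(f"log name escapes {root}: {name!r}")
    return candidate


def open_log_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, ts TEXT, user TEXT, message TEXT)")
    return conn


def store_entry_unsafe(conn, ts: str, user: str, message: str) -> None:
    """The vulnerable form (slide 44, SQL injection): log text spliced into the statement."""
    conn.executescript(
        f"INSERT INTO log (ts, user, message) VALUES ('{ts}', '{user}', '{message}');"
    )


def store_entry(conn, ts: str, user: str, message: str) -> int:
    """Hardened form: the same insert with bound parameters; the payload is stored as data."""
    cur = conn.execute("INSERT INTO log (ts, user, message) VALUES (?, ?, ?)", (ts, user, message))
    conn.commit()
    return cur.lastrowid


def table_exists(conn) -> bool:
    row = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='log'").fetchone()
    return row is not None


def fetch_messages(conn) -> list:
    return [r[0] for r in conn.execute("SELECT message FROM log ORDER BY id")]


def demo() -> dict:
    unsafe_conn = open_log_db()
    store_entry_unsafe(unsafe_conn, "21-05-2010 1000", "Tester01", SQL_PAYLOAD)
    safe_conn = open_log_db()
    store_entry(safe_conn, "21-05-2010 1000", "Tester01", SQL_PAYLOAD)
    try:
        safe_log_path(LOG_ROOT, TRAVERSAL_NAME)
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True
    return {
        "table_after_unsafe": table_exists(unsafe_conn),
        "table_after_safe": table_exists(safe_conn),
        "stored_literally": fetch_messages(safe_conn) == [SQL_PAYLOAD],
        "traversal_blocked": traversal_blocked,
        "normal_name": safe_log_path(LOG_ROOT, "ftp.log").name,
    }


if __name__ == "__main__":
    print(demo())
```

With the spliced statement the log table is gone after one entry, which is the integrity loss slide 44 warns about; with bound parameters the same text is simply the message of row 1 and remains available as evidence of the attempt. The path check follows the same principle as the injection defences earlier in the module: decide on the interpreted form (the resolved path, the bound value), never on the raw string.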