Next Week’s Registration: https://networkdefense.clickmeeting.com/cuckoos-egg-2
This week, we reviewed chapters 1-3.
We met Cliff Stoll, an astronomer turned computer wizard at Lawrence Berkeley Lab in California. One of Cliff’s first tasks is to figure out an accounting error that amounts to $0.75 of CPU time. He investigates and finds the error is tied to a mysterious user account named Hunter. He can’t find the source of the account, so he deletes it.
Locard’s Exchange Principle
We use this opportunity to discuss Locard’s Exchange Principle. Edmund Locard is considered by many to be the father of modern forensic science. His principle states, “The perpetrator of a crime will bring something into the crime scene and leave with something from it.” This is the basis for all forensic investigations. Locard has a particularly nice quote on the subject:
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”
In class, we discussed the principle as the basis for computer forensic investigations as well. We did a couple of activities to exercise our minds and think about what is taken and what is left behind: one related to a physical theft, the other to the 2017 Equifax breach.
More Reading:
- http://www.forensichandbook.com/locards-exchange-principle/
- https://www.forensicmag.com/article/2011/12/digital-forensics-cyber-exchange-principle
- https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
Dig Deeper Exercises:
- Level 1: Pick a crime in your local newspaper and break down what could have been left behind.
- Level 2: Pick an attack type from this list: https://attack.mitre.org/wiki/Main_Page. Consider your own network, or make up a fictional one. Research the attack and determine what might be left behind and how you might gain visibility into it.
Cliff gets a weird e-mail from a system called DOCKMASTER. The system owner claims that someone from LBL tried to break into his computer. Eventually, Cliff figures out this system belongs to a Naval Shipyard. He correlates timestamps provided by DOCKMASTER and finds the user Sventek was active at this time. He also discovers two logging systems reporting different timestamps for the activity. While odd at first, this turns out to be related to time drift between two system clocks.
Timestamps
The investigation work Cliff is conducting is contingent on logs that contain timestamps, which he uses to perform time-based correlation. It’s easy to think of timestamps as a trivial thing, but they are far from it. Most investigations require examination of multiple data sources to build a clear picture of what events have transpired. To properly query data and sequence events, we need accurate timestamps.
There are multiple challenges between an investigator and reliable, consistent timestamps. We discussed syncing timestamps, time sources, network time protocol (NTP), W32Time, and how Windows domain members sync time. We also discussed the challenges associated with time zones and daylight saving time, with plenty of confusing examples (Seriously, Samoa?).
I showed multiple examples of timestamps, and also showed a log collection pipeline and Logstash configuration files used to adjust timing and define timestamps. Finally, I listed a few best practices for dealing with timestamps that include: syncing all systems to the same source, utilizing UTC time in your investigation tools, and using ISO 8601 compliant timestamps.
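As an added illustration of the correlation problems described above (this is example code, not from the post, the book, or the Logstash configuration shown in class): a small Python script that takes constructed log lines from three hypothetical sources, qualifies each with its source’s time zone, removes a measured clock offset (the kind of drift Cliff ran into between his two loggers), and sequences everything in UTC as ISO 8601. All host names, lines, zones, and offsets are made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines from three hypothetical sources, each with its own
# timestamp convention. None of these are records from the book or the post.
SAMPLE_LOGS = [
    # syslog style: no year, no zone; recorded in the source host's local time
    ("lblhost", "Nov 12 02:15:07 lblhost login: sventek on tty03"),
    # ISO 8601 with an explicit UTC offset
    ("dockmaster", "1986-11-12T05:17:40-05:00 login attempt from LBL rejected"),
    # ISO 8601 already in UTC (Z suffix)
    ("accounting", "1986-11-12T10:16:02Z CPU charge sventek 0.75"),
]

# Per-source facts an investigator must establish before correlating: the zone a
# naive timestamp was written in, and the measured clock offset of that host
# relative to a trusted reference (host reading minus reference; negative = slow).
SOURCES = {
    "lblhost":    {"tz": timezone(timedelta(hours=-8)), "offset": timedelta(minutes=-2)},
    "dockmaster": {"tz": timezone(timedelta(hours=-5)), "offset": timedelta(0)},
    "accounting": {"tz": timezone.utc,                  "offset": timedelta(0)},
}
SYSLOG_YEAR = 1986  # syslog lines carry no year; assumed from the period investigated

def parse_timestamp(source, line):
    """Return (utc_datetime, message) for one line: zone-qualified, offset-corrected, in UTC."""
    meta = SOURCES[source]
    if line[:3].isalpha():  # "Mon DD HH:MM:SS msg" (syslog)
        stamp, message = line[:15], line[16:]
        naive = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        aware = naive.replace(tzinfo=meta["tz"])
    else:  # ISO 8601 with offset or Z
        stamp, message = line.split(" ", 1)
        aware = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    true_time = aware - meta["offset"]  # undo the host's clock error
    return true_time.astimezone(timezone.utc), message

def build_timeline(records, correct_offsets=True):
    """Sequence events across sources; render each as an ISO 8601 UTC line."""
    events = []
    for source, line in records:
        ts, msg = parse_timestamp(source, line)
        if not correct_offsets:
            ts += SOURCES[source]["offset"]  # show the raw, uncorrected ordering
        events.append((ts, source, msg))
    events.sort()
    return [f"{ts.isoformat().replace('+00:00', 'Z')} [{src}] {msg}" for ts, src, msg in events]

if __name__ == "__main__":
    print("\n".join(build_timeline(SAMPLE_LOGS, correct_offsets=False)))
    print("\n".join(build_timeline(SAMPLE_LOGS)))
```

Running it twice, once without and once with the offset correction, shows the lblhost login moving from first to second in the sequence: a two-minute clock error is enough to reorder events that sit seconds apart across sources.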
More Reading:
- Syncing a Domain Controller to an External Time Source: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
- NTP in Real Life: https://pthree.org/2013/11/05/real-life-ntp/
- How the Windows Time Service Works: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/windows-time-service/how-the-windows-time-service-works
- ISO 8601: https://en.wikipedia.org/wiki/ISO_8601
- A hilarious overview of issues with timezones: https://www.youtube.com/watch?v=-5wpm-gesOY
- NTP packet data: https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=NTP_sync.pcap
- Installing an NTP server on Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-16-04
Dig Deeper Exercises:
- Level 1: Determine where your system is syncing time from and change it to another source.
- Level 2: Set up your own NTP server and configure your system to sync from it.
- Level 3: Capture network traffic while syncing with your own NTP server. Examine each field, and try to determine the function of each one.
Cliff eventually learns that the Sventek user is not on campus and is unlikely to be using his account. Considering the anomalies encountered with the Hunter and Sventek accounts and the report from DOCKMASTER, Cliff begins to suspect someone has broken into his network. He takes matters into his own hands and builds a monitoring system. He writes a program to log keystrokes on his systems and places it between the system and the external modems. He connects physical printers to these systems to print out commands as people enter them while dialed in remotely. He sleeps in his office all weekend to monitor these connections and awakens one night to find something very interesting…
Next Week
November 16th 7:30PM ET
Read Chapters 4-8
Register/Attend Here: https://networkdefense.clickmeeting.com/cuckoos-egg-2