Understand Network Information for Forensic Investigation
Sometimes when intruders gain remote access to a system, they try to find the other systems that are connected to the network and visible from the compromised system. To achieve this, intruders create and execute batch files on the system, or launch net view commands via SQL injection (using a browser to send commands to the system through the web and database servers).
When users establish connections with other systems using NetBIOS networking, the systems maintain a cache of the names of the other systems they have resolved. By viewing the contents of the cached name table, the investigator may be able to identify other affected systems.
An investigator should collect several kinds of network information to find evidence of the suspected incident.
The network information useful for the investigation includes:
- Data content, such as header information and text
- Session information relevant to the investigation
- IDS/IPS log data
- Other network information, such as records of secure file transfers
Network data captured at various points on the network includes information about:
- IDS/IPS or firewall logs
- Network protocols
- Server or application logs
- Tracing network packets
- Port scan results
- Live data capture
The NetBIOS name table cache maintains a list of the remote systems this system has recently resolved using NetBIOS networking, typically the systems it has connected to. It contains each remote system's NetBIOS name and IP address. You can use the Windows built-in command-line utility Nbtstat to view the NetBIOS name table cache. Entries in the cache have a limited lifetime (shown as Life [sec] in the output), so collect it early.
Nbtstat
Source: http://technet.microsoft.com
Nbtstat helps to troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.
The syntax of the Nbtstat command is:
nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]
Nbtstat with the -c switch shows the NetBIOS name table cache.
- nbtstat -c: Shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings.
- nbtstat -n: Displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector.
- nbtstat -r: Displays the count of NetBIOS names resolved by broadcast and by querying a WINS server.
- nbtstat -S: Lists the current NetBIOS sessions and their status, identifying remote computers by IP address (-s lists the same sessions but converts the addresses to names).
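The following added example (not code from the original page) parses saved nbtstat -c output into a structured list and collapses it to the unique remote hosts an investigator would triage next. The sample output, host names and addresses are constructed for the example; the suffix-to-service table covers only the well-known NetBIOS suffixes.

```python
"""Parse `nbtstat -c` output and summarise the remote hosts it reveals."""
import re

# Constructed sample of `nbtstat -c` output (not captured from a real host).
NBTSTAT_C_OUTPUT = """\

Ethernet:
Node IpAddress: [192.168.1.10] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    FILESRV01      <20>  UNIQUE      192.168.1.20        420
    FILESRV01      <00>  UNIQUE      192.168.1.20        420
    HRWS-07        <20>  UNIQUE      192.168.1.57        120
    WORKGROUP      <1E>  GROUP       192.168.1.255       300
"""

# Well-known NetBIOS name suffixes (the 16th byte of the name) and the
# service each one registers; anything else is reported as "unknown".
SUFFIX_SERVICE = {
    "00": "Workstation service",
    "03": "Messenger service",
    "20": "File Server service",
    "1B": "Domain Master Browser",
    "1C": "Domain Controllers",
    "1D": "Master Browser",
    "1E": "Browser Service Elections",
}

# One cache entry: NAME <XX> UNIQUE|GROUP  a.b.c.d  life
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$"
)


def parse_nbtstat_cache(text):
    """Return one dict per cache entry, in the order nbtstat printed them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, node address line, rulers
        name, suffix, kind, ip, life = m.groups()
        suffix = suffix.upper()
        entries.append({
            "name": name,
            "suffix": suffix,
            "service": SUFFIX_SERVICE.get(suffix, "unknown"),
            "type": kind,
            "ip": ip,
            "life_sec": int(life),
        })
    return entries


def remote_hosts(entries):
    """Collapse the cache to unique remote IPs with the names seen for each.

    GROUP entries (workgroup/domain broadcast names) are skipped because they
    do not identify a single host the compromised system talked to.
    """
    hosts = {}
    for e in entries:
        if e["type"] != "UNIQUE":
            continue
        hosts.setdefault(e["ip"], set()).add(e["name"])
    return {ip: sorted(names) for ip, names in sorted(hosts.items())}


if __name__ == "__main__":
    cache = parse_nbtstat_cache(NBTSTAT_C_OUTPUT)
    for e in cache:
        print(f'{e["name"]:<16}<{e["suffix"]}> {e["type"]:<7}'
              f'{e["ip"]:<16}{e["life_sec"]:>4}s  {e["service"]}')
    print("Hosts to triage next:", remote_hosts(cache))
```

Run it against the output of nbtstat -c redirected to a file on the live system; the <20> entries (File Server service) are the ones most likely to show where an intruder browsed or copied files.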
Network Connections
The investigator should collect information about network connections to and from the affected system immediately after an incident is reported. Connections are volatile: if this is not done promptly, the information is lost as connections close.
Investigators should thoroughly observe the system and determine whether the attacker has logged out or is still accessing it. It is also important to find out whether the attacker has installed a worm or IRC bot that is exfiltrating data from the system, scanning for other systems to infect, updating itself, or logging in to a command-and-control server. This information can provide important clues and add context to the other information the investigator has already collected.
Netstat
The Netstat tool helps in collecting information about the network connections active on a Windows system. This CLI tool provides a simple view of TCP and UDP connections, their state, and network traffic statistics. Netstat.exe comes as a built-in tool with the Windows operating system. The most common way to run Netstat is with the -ano switches. These switches tell the program to display all TCP and UDP connections and listening ports in numeric form, together with the identifier of the process (PID) that owns each one.
Using Netstat with the -r switch displays the routing table and shows whether any persistent routes are configured on the system. This can provide useful information to an investigator, or simply to an administrator troubleshooting a system.
Syntax: netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
Parameters:
- -a: Displays all active TCP connections as well as the TCP and UDP ports on which the computer is listening.
- -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
- -n: Displays active TCP connections, but with addresses and port numbers expressed numerically, without attempting to resolve names.
- -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application from the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
- -p Protocol: Shows connections for the protocol specified. Protocol can be TCP, UDP, ICMP, IP, ICMPv6, IPv6, TCPv6, or UDPv6. Using this parameter with -s displays per-protocol statistics.
- -s: Displays statistics by protocol. By default, this shows statistics for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol is installed, the tool also displays statistics for TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6. The -p parameter can be used to specify a subset of protocols.
- -r: Displays the contents of the IP routing table. This is equivalent to the route print command.
- Interval: Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, Netstat prints the selected information once.
Process Information
The investigator should gather information about all the processes running on the system. The Task Manager can be used to view information about each process, but it does not display all of the information an investigator needs.
The full process information an investigator should try to retrieve includes:
- The full path to the executable image (.exe file)
- The command line used to launch the process, if any
- The amount of time that the process has been running
- The security/user context that the process is running in
- The modules the process has loaded
- The memory contents of the process
Therefore, investigators should learn to use other tools and commands to collect complete process information.
Tools and commands used to collect detailed process information include:
- Tasklist
- Pslist
- Listdlls
- Handle
Tasklist
Tasklist.exe is a native utility included in Windows XP Professional and later versions as a replacement for tlist.exe. The differences between the two tools are very small, mostly the name and the implementation of the switches. Tasklist.exe provides options for output formatting, with a choice between table, CSV, and list formats. The investigator can use the /svc switch to list the service information for each process.
The Tasklist tool displays the list of applications and services, along with the Process ID (PID), for all tasks running on either the local computer or a remotely connected computer.
Syntax: tasklist[.exe] [/s Computer] [/u Domain\User [/p Password]] [/fo {TABLE | LIST | CSV}] [/nh] [/fi FilterName [/fi FilterName2 [...]]] [/m [ModuleName] | /svc | /v]
- /s Computer: Specifies the name or IP address of a remote computer (do not use backslashes).
- /u Domain\User: Runs the command with the account permissions of the user specified by User or Domain\User.
- /p Password: Specifies the password of the user account that is specified in the /u parameter.
- /fi FilterName: Specifies the types of process(es) to include in or exclude from the query.
- /m [ModuleName]: Shows module (DLL) information for each process.
- /svc: Lists all the service information for each process without truncation.
- /v: Specifies that verbose task information be displayed in the output. Should not be used with the /svc or /m parameter.
- /?: Displays help at the command prompt.
The /v (or verbose) switch provides the most information about the listed processes, including the image name (but not the full path), PID, name and number of the session for the process, the status of the process, the user name of the context in which the process runs, and the title of the window, if the process has a GUI.
Pslist
Pslist.exe displays basic information about the processes already running on a system, including the amount of time each process has been running (in both kernel and user modes).
Parameters:
- -d: Shows thread detail
- -m: Shows memory detail
- -x: Shows processes, memory information and threads
- -t: Shows the process tree
- -s [n]: Runs in task-manager mode, for the optional number of seconds specified
- -r n: Task-manager mode refresh rate in seconds (default is 1)
- \\computer: Shows information for the specified remote Windows system
- -u username and -p password: Supply the user name and password used to log in to the remote system
- -e: Exact match of the process name
- Pid: Instead of listing all running processes, narrows the PsList output to the specified PID
ListDLLs
ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all the processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can also scan processes for unsigned DLLs.
Syntax: listdlls [-r] [-v | -u] [processname|pid]
        listdlls [-r] [-v] [-d dllname]
Parameters:
- processname: Dumps the DLLs loaded by the named process (a partial name is accepted)
- pid: Dumps the DLLs loaded by the process with the specified process ID
- -d dllname: Shows only processes that have loaded the specified DLL
- -r: Flags DLLs that were relocated because they could not be loaded at their preferred base address
- -u: Lists only unsigned DLLs
- -v: Shows DLL version information
Rootkits and other malware use a technique called DLL injection to load their code into the memory space of a running process. Comparing the DLLs a process has loaded against what is expected for that program, and flagging unsigned ones with -u, is one way to spot this.
Handle
Handle is a utility that displays information about the open handles of any process in the system. You can use it to see which programs have a particular file open, or to see the object types and names of all the handles held by a program. Object types include files, ports, registry keys, synchronization primitives, threads, and processes. This information is useful for determining the resources a process accessed while it was running.
If run without command-line parameters, Handle lists the open file handles of every process in the system; its parameters narrow the search to particular handles or processes.
Syntax: handle [[-a] [-u] | [-c <handle> [-l] [-y]] [-s]] [-p <processname>|<pid>] [name]
- -a: Dumps information about all types of handles, not just those that refer to files.
- -c: Closes the specified handle (interpreted as a hexadecimal number); the process must be specified by PID. Closing handles changes the state of a live system, so avoid it during evidence collection.
- -l: Dumps the sizes of page-file-backed sections.
- -y: Does not prompt for close-handle confirmation.
- -s: Prints a count of each type of handle open.
- -u: Shows the owning user name when searching for handles.
- -p: Instead of examining all the handles in the system, narrows Handle's scan to those processes whose name begins with the given string, or to the given PID.
- name: Searches for handles to objects whose name contains the given string.
Process-to-Port Mapping
When a network connection is open on a system, some process must be using it; every network connection and open port is associated with a process. Several tools are available that the investigator can use to retrieve this process-to-port mapping.
Use the following Netstat command to retrieve the process-to-port mapping.
Netstat command
Netstat.exe offers the -o switch (typically run as netstat -ano), which displays the process ID of the process responsible for each network connection or listening port. Once this information is collected, it needs to be correlated with the output of a tool such as tlist.exe or Tasklist.exe to determine the name of the process using that particular connection.
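The correlation step described above, as an added example that is not part of the original page: it parses saved netstat -ano and tasklist /fo csv output, joins the two on PID, and then flags established connections whose peer lies outside the internal address ranges, the kind of entry that points at an IRC bot or command-and-control channel. Both outputs, the process name updsvc.exe, and the address ranges in INTERNAL_NETS are constructed assumptions for the example.

```python
"""Correlate `netstat -ano` with `tasklist /fo csv` to map ports to process names."""
import csv
import io
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_ANO_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.45:6667      ESTABLISHED     4120
  TCP    192.168.1.10:49800     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output for the same (imaginary) host.
TASKLIST_CSV_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"svchost.exe","896","Services","0","9,876 K"
"updsvc.exe","4120","Console","1","12,340 K"
"""

# Proto  Local  Foreign  [State]  PID   (UDP rows have no State column)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Address ranges treated as "inside" for triage purposes (an assumption made
# for this example; adjust to the environment under investigation).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_netstat(text):
    """Return one dict per connection/listener row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = local.rsplit(":", 1)    # rsplit keeps IPv6 "[::]:135" intact
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"]
            for r in csv.DictReader(io.StringIO(text))}


def map_ports_to_processes(netstat_text, tasklist_text):
    """Join the two outputs on PID; a PID missing from tasklist (process already exited) is marked."""
    names = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        r["image"] = names.get(r["pid"], "<not in tasklist>")
    return rows


def is_external(host):
    """True for an address outside INTERNAL_NETS; wildcards ('*', 0.0.0.0) are False."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    if ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def outbound_to_external(rows):
    """Established connections whose peer lies outside the internal ranges."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and is_external(r["foreign_host"])]


if __name__ == "__main__":
    mapped = map_ports_to_processes(NETSTAT_ANO_OUTPUT, TASKLIST_CSV_OUTPUT)
    for r in mapped:
        print(f'{r["proto"]:<4} {r["local_host"]}:{r["local_port"]:<6} -> '
              f'{r["foreign_host"]}:{r["foreign_port"]:<6} {r["state"]:<12} '
              f'pid={r["pid"]:<5} {r["image"]}')
    for r in outbound_to_external(mapped):
        print(f'REVIEW: pid {r["pid"]} ({r["image"]}) connected to '
              f'{r["foreign_host"]}:{r["foreign_port"]}')
```

Capture both outputs in the same minute, since a PID that appears in netstat but not in tasklist usually means the process exited between the two commands, which is itself worth noting in the timeline.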
Process Memory
Process Explorer
Process Explorer shows which handles and DLLs each process has opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode Process Explorer is in. In handle mode, you see the handles opened by the process selected in the top window; in DLL mode, you see the DLLs and memory-mapped files that the process has loaded.
PMDump
PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. This is highly useful in forensic investigations.
ProcDump
ProcDump is a command-line utility whose primary purpose is to monitor applications for CPU spikes and generate crash dumps during a spike, so that an administrator or developer can determine the cause. ProcDump also includes hung-window monitoring, unhandled-exception monitoring, and generating dumps based on the values of system performance counters.
Process Dumper (PD)
Process Dumper forensically dumps the memory of a running process. It is a command-line tool that dumps the whole process address space, uses meta-information to describe the different mappings and their states, and saves the process environment.
Network Status
Investigators should extract information about the status of the network interface cards (NICs) that connect a system to the available networks. Many laptops and desktops now come with built-in wireless NICs, so the type of connection a device is using, and the IP address it is using, are not obvious from the outside. Gather the status of the NICs before acquiring the system (powering it down or imaging it) in order to interpret the investigation results correctly.
Ipconfig command
Ipconfig.exe is a command-line utility that the investigator can use to find information about the NICs and the current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. Ipconfig also accepts various Dynamic Host Configuration Protocol (DHCP) commands, allowing a system to renew or release its TCP/IP network configuration.
Investigators should use the ipconfig /all command to view all the current TCP/IP configuration values, including the IP address, subnet mask, default gateway, and Windows Internet Naming Service (WINS) and DNS configuration. The output of this command also includes the state of each NIC and of DHCP. This information helps investigators match the system to the IP addresses that appear in network traffic logs.
Network Status (Cont’d)
Attackers install sniffers on compromised systems in order to capture network traffic such as login credentials, or to map the services running on other systems connected to the network. A NIC can capture traffic that is not addressed to it only when it is in promiscuous mode.
An administrator or investigator cannot directly tell whether a NIC is in promiscuous mode, because the system has no button or icon that indicates the NIC mode. Nor is there a tray icon or Control Panel setting that indicates whether someone is sniffing network traffic.
Therefore, investigators need special tools to detect such programs running on a system. Tools such as PromiscDetect and Promqry can help in analyzing the NIC status of the system.
PromiscDetect
PromiscDetect checks if the network adapter(s) is running in promiscuous mode, which may be a sign that there is a sniffer running on the computer.
Promqry
Promqry can determine whether a Windows system has network interfaces in promiscuous mode. If it does, this may indicate the presence of a network sniffer running on the system. It has command-line and GUI versions; users can run either version and dump its output to a text file. It cannot detect standalone sniffers or sniffers running on non-Windows operating systems.
Print Spool File
The print spooler is the software component that manages all print jobs on a Windows system. It stores the data that the user wants to print temporarily, until the printer completes the job, and lets users manage print jobs during processing, including incomplete ones.
Print spool files are the temporary files the spooler stores on the system before completing a print task, or before starting a print job at a scheduled time. Windows stores the file in the print spooler directory before printing: the local print provider (Localspl.dll) writes the contents to a spool file (.spl) and creates a separate graphics file (.emf) for each page. Localspl.dll also maintains detailed data on each print job, such as the user name and file name, in a shadow file (.shd).
By default, Windows stores the .SPL and .SHD files in the C:\Windows\System32\spool\PRINTERS folder. Depending on the printer configuration, print jobs can also be spooled in Windows virtual memory. The system deletes the .spl, .shd, and .emf files after the job completes, unless the printer has been configured to keep printed documents.
These files can give investigators useful information if the system or network had a printer connected during the incident, even if it was disconnected afterwards. A file named xxxxx.shd is a shadow file and xxxxx.spl a spool file, where xxxxx is the print job number. The .shd file contains details of the printed file, such as the name of the printed file, its location, the name of the printer used, and a timestamp.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com