Segue into Cyber Operations

This lesson marks our departure from the "Models and Tools" portion of the course, to the final module: "Cyber Operations".

Digital Forensics and the War on Terror

When terrorists or insurgents are captured, or when a hideout is discovered, one of the first orders of business is to search for computers, memory sticks, cell phones, or other kinds of digital devices, and to carry out forensics analysis on them in hopes of finding information about things like attack plans, or identities of other terrorists.

For example, when Osama bin Laden's compound was raided, a wealth of digital data was captured: five computers, dozens of hard drives and more than 100 other storage devices.
CBS News article, May 2011
CNN Article, May 2012

What is Computer Forensics?

The term "forensics" refers to an application of scientific knowledge to a problem. When we use the term Computer Forensics we specifically mean the application of the scientific method in reconstructing a sequence of events involving computers and information. In other words, can we figure out after the fact what happened in an information system.

One scenario in which we might want to reconstruct a sequence of digital events is that we know one of our servers has been hacked, and we'd like to know how it was done. Another scenario, is that we don't know whether we've been hacked into, and we'd like look around — if only to check that everything's OK. However, the sexiest scenario for digital forensics is more CSI style: you recover a computer and you want to know what kind of shennanigans was done with it. For example, you might be looking for criminal evidence. We'll focus on that kind of scenario.

Locard's Exchange Principle

In traditional, CSI-style forensics, one of the guiding concepts is Locard's Exchange Principle, which essentially says that in the commission of a crime, the perpetrator leaves something at the crime scene, and takes away with him something from the crime scene. These "somethings" are evidence. More colorfully:

Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him, his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value. — Paul L. Kirk. 1953.

This principle holds in the digital world as well (although the concept of "crime scene" and "location" in general is not really defined) and, in fact, it holds whether you are perpretrating a crime or not. We have seen several examples of this already, and it's worth thinking about them.

Visiting a website: Suppose you visit amazon.com and login there. What evidence of this "visit" do you leave at the amazon.com webserver? An entry in the webserver log, of course! What evidence do you take with you? First of all a cookie from the amazon.com server. Second of all, your browser caches a copy of the webpages you visit — i.e. it stores a copy on your machine of each webpage. [This is so that when you look at a page a second time, you can just use the cached copy, provided the page hasn't changed, and not have to wait for the page to be resent from the server.] Third of all, your browser keeps a history of all the pages you've visited — which it uses to offer you a list of completions of the URL you're currently typing.
Message board injection attack: Recall the injection attacks that you guys used to bring down the class message board. You posted some "message" that included bad JavaScript which, ultimately, crashed the message board. What do you leave at the scene? Well the webserver log lists the URL you requested which, because of the message board using the GET method, includes the message you sent ... i.e. shows the JavaScript you injected. Also, the HTML source of the message board itself shows the JavaScript you injected. What did you take with you? Well you might have noticed that your browser "remembers" values you've entered into form elements in the past, which can often save you some typing. That means that your browser has stored, somewhere on your machine, your injected Javascript along with the fact that it was entered into the "message" element of the message board.
Man-in-the-middle demo: Recall the demo in which your instructor carried out a man-in-the-middle attack on two classmates who wanted to communicate with one another. What evidence did your instructor leave of this nefarious deed? The public key(s) that he posted to the message board. What eveidence did you instructor take away? The private key(s) that matches the public key(s) used in the attack are on their computer. The decrypted messages of the communicating midshipmen is another thing.

A few more examples of "things you leave" on remote hosts

In addition to visiting websites, one of the ways we've seen that we "go somewhere" in the cyber world is by using SSH to get a terminal on a remote host. It's interesting to see what you leave behind when you do this:

Login attempts: Every attempt you make to login to a system, succussful or not, is logged!
On rona, for example, there is a file /var/log/auth.log that the sysadmin (System Adminiatrstor) has access to, that contains a log entry for every successful and unsuccessful attempt to login. Here's an example of a few entries:
```
Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=131.122.6.104  user=m159999
Nov  1 08:38:05 rona sshd[3962]: Accepted password for stahl from 131.122.6.104 port 49961 ssh2
Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:session): session opened for user m159999 by (uid=0)
```
This tells us that at 8:38am on 1 November, someone at host 131.122.6.104 tried to login as user m159999, gave the wrong password, then tried to login again and was successful. Think about how this could be used to track someone who was doing or trying to do bad things!
Commands executed: Every command you execute is logged!
On rona, for example, the sysadmin has a tool called lastcomm that lists every command executed by any user. Here's an example of a few lines output by the command:
```
md5sum                 m159999  ??         0.00 secs Thu Nov  3 07:36
bash              F    m159999  ??         0.00 secs Thu Nov  3 07:36
ssh                    m159999  ??         0.00 secs Thu Nov  3 07:36
bash              F    m159999  ??         0.00 secs Thu Nov  3 07:36
```
What do we learn from this? We learn that at 7:36am on 3 November user m159999 computed an MD5 hash and then ssh'd to some host. Think about how that might be used as evidence.
In fact, there's a command called history that will bring up the last N commands you've given, along with arguments like filenames, etc. If you login to your rona account and give the history command, you'll see all the commands probably that you've ever given on rona!

A few more examples of things that stay with you on your machine

The forensics lab will explore in-depth the kind of information that stays behind — perhaps unexpectedly — on your Windows computer. So we mention only a few examples here:

Browser cache: We discussed this above.
Recently accessed files: If you launch regedit and look under
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
```
shows you files that you opened recently, sorted by file type (extension). If you right-clock and choose "Modify", you'll see the file names.
Networks you've been on:
```
KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures
```
and then look under both Managed and Unmanaged you'll see among other things the MAC addresses of the Gateway Routers for networks you've been on.
"Meta-data" in documents: Programs like Microsoft Word store "meta data" in the documents they create. For example, If you right-click on the icon for a Word file, choose "Properties" and look under the "Details" tab, you often find information like the name of the author of the document, an e-mail address, the username of the author and so forth. Thus, documents that get published to the world may leak information that could be put to evil purposes.