Segue into Cyber Operations
This lesson marks our departure from the "Models and Tools"
portion of the course, to the final module: "Cyber Operations".
Digital Forensics and the War on Terror
When terrorists or insurgents are captured, or when a hideout is
discovered, one of the first orders of business is to search for
computers, memory sticks, cell phones, or other kinds of digital
devices, and to carry out forensics analysis on them in hopes of
finding information about things like attack plans, or
identities of other terrorists.
For example, when Osama bin Laden's compound was raided, a
digital data was captured: five computers, dozens of hard
drives and more than 100 other storage devices.
News article, May 2011
CNN Article, May 2012
What is Computer Forensics?
The term "forensics" refers to an application of scientific knowledge
to a problem. When we use the term Computer Forensics we
specifically mean the application of the scientific method in
reconstructing a sequence of events involving computers and
information. In other words, can we figure out after the fact
what happened in an information system.
One scenario in which we might want to reconstruct a sequence
of digital events is that we know one of our servers has been
hacked, and we'd like to know how it was done. Another
scenario, is that we don't know whether we've been hacked into, and
we'd like look around — if only to check that
everything's OK. However, the sexiest scenario for digital
forensics is more CSI style: you recover a computer and you
want to know what kind of shennanigans was done with it. For
example, you might be looking for criminal evidence. We'll
focus on that kind of scenario.
Locard's Exchange Principle
In traditional, CSI-style forensics, one of the guiding concepts
is Locard's Exchange Principle, which essentially says
that in the commission of a crime, the
perpetrator leaves something at the crime scene, and
takes away with him something from the crime scene.
These "somethings" are evidence. More colorfully:
Wherever he steps, wherever he touches, whatever he leaves, even
without consciousness, will serve as a silent witness against him, his
fingerprints or his footprints, but his hair, the fibers from his
clothes, the glass he breaks, the tool mark he leaves, the paint he
scratches, the blood or semen he deposits or collects. All of these
and more, bear mute witness against him. This is evidence that does
not forget. It is not confused by the excitement of the moment. It is
not absent because human witnesses are. It is factual
evidence. Physical evidence cannot be wrong, it cannot perjure itself,
it cannot be wholly absent. Only human failure to find it, study and
understand it, can diminish its value. — Paul L. Kirk. 1953.
This principle holds in the digital world as well (although the
concept of "crime scene" and "location" in general is not really
in fact, it holds whether you are perpretrating a crime or not.
We have seen several examples of this already, and it's worth
thinking about them.
Visiting a website:
Suppose you visit amazon.com and login there.
What evidence of this "visit" do you leave at the amazon.com
webserver? An entry in the webserver log, of course!
What evidence do you take with you? First of all a cookie
from the amazon.com server. Second of all, your browser
caches a copy of the webpages you visit —
i.e. it stores a copy on your machine of each webpage.
[This is so that when you look at a page a second time, you
can just use the cached copy, provided the page hasn't
changed, and not have to wait for the page to be resent from
the server.] Third of all, your browser keeps
a history of all the pages you've visited —
which it uses to offer you a list of completions of the URL
you're currently typing.
Message board injection attack:
Recall the injection attacks that you guys
used to bring down the class message board.
which, ultimately, crashed the message board.
What do you leave at the scene? Well the webserver log
lists the URL you requested which, because of the message board using the
GET method, includes the message you sent ... i.e. shows the
What did you take with you?
Well you might have noticed that your browser "remembers"
values you've entered into form elements in the past, which
can often save you some typing. That means that your
browser has stored, somewhere on your machine, your injected
"message" element of the message board.
Recall the demo in which your instructor carried out a
man-in-the-middle attack on two classmates who wanted to
communicate with one another. What evidence did your
instructor leave of this nefarious deed? The public key(s)
that he posted to the message board. What eveidence did
you instructor take away? The private key(s) that matches the
public key(s) used in the attack are on their computer. The
decrypted messages of the communicating midshipmen is another thing.
A few more examples of "things you leave" on remote hosts
In addition to visiting websites, one of the ways we've seen
that we "go somewhere" in the cyber world is by using SSH to get
a terminal on a remote host. It's interesting to see what you
leave behind when you do this:
- Login attempts:
Every attempt you make to login to a system, succussful or
not, is logged!
On rona, for example, there is a file
that the sysadmin (System Adminiatrstor) has access to, that
contains a log entry for every successful and unsuccessful
attempt to login. Here's an example of a few entries:
Nov 1 08:38:05 rona sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=18.104.22.168 user=m159999
Nov 1 08:38:05 rona sshd: Accepted password for stahl from 22.214.171.124 port 49961 ssh2
Nov 1 08:38:05 rona sshd: pam_unix(sshd:session): session opened for user m159999 by (uid=0)
This tells us that at 8:38am on 1 November, someone at host
126.96.36.199 tried to login as user m159999, gave the wrong
password, then tried to login again and was successful.
Think about how this could be used to track someone who was
doing or trying to do bad things!
Every command you execute is logged!
On rona, for example, the sysadmin has a tool called
lastcomm that lists every command executed by
any user. Here's an example of a few lines output by the
md5sum m159999 ?? 0.00 secs Thu Nov 3 07:36
bash F m159999 ?? 0.00 secs Thu Nov 3 07:36
ssh m159999 ?? 0.00 secs Thu Nov 3 07:36
bash F m159999 ?? 0.00 secs Thu Nov 3 07:36
What do we learn from this? We learn that
at 7:36am on 3 November user m159999 computed an MD5 hash
and then ssh'd to some host. Think about how that might be
used as evidence.
In fact, there's a command called
that will bring up the last N commands you've given, along
with arguments like filenames, etc. If you login to your
rona account and give the
you'll see all the commands probably that you've ever
given on rona!
A few more examples of things that stay with you on your machine
The forensics lab will explore in-depth the kind of information
that stays behind — perhaps unexpectedly — on your
So we mention only a few examples here:
- Browser cache: We discussed this above.
Recently accessed files:
If you launch
regedit and look under
shows you files that you opened recently, sorted by file
type (extension). If you right-clock and choose "Modify",
you'll see the file names.
Networks you've been on:
and then look under both
Unmanaged you'll see
among other things the MAC addresses of the Gateway Routers
for networks you've been on.
"Meta-data" in documents:
Programs like Microsoft Word store "meta data" in the
documents they create. For example, If you right-click on
the icon for a Word file, choose "Properties" and look under
the "Details" tab, you often find information like the name
of the author of the document, an e-mail address, the
username of the author and so
forth. Thus, documents that get published to the world may
leak information that could be put to evil purposes.