Segue into Cyber Operations

This lesson marks our departure from the "Models and Tools" portion of the course, to the final module: "Cyber Operations".

Digital Forensics and the War on Terror

When terrorists or insurgents are captured, or when a hideout is discovered, one of the first orders of business is to search for computers, memory sticks, cell phones, or other kinds of digital devices, and to carry out forensics analysis on them in hopes of finding information about things like attack plans, or identities of other terrorists.

For example, when Osama bin Laden's compound was raided, a wealth of digital data was captured: five computers, dozens of hard drives and more than 100 other storage devices.
CBS News article, May 2011
CNN Article, May 2012

What is Computer Forensics?

The term "forensics" refers to an application of scientific knowledge to a problem. When we use the term Computer Forensics we specifically mean the application of the scientific method in reconstructing a sequence of events involving computers and information. In other words, can we figure out after the fact what happened in an information system.

One scenario in which we might want to reconstruct a sequence of digital events is that we know one of our servers has been hacked, and we'd like to know how it was done. Another scenario is that we don't know whether we've been hacked into, and we'd like to look around — if only to check that everything's OK. However, the sexiest scenario for digital forensics is more CSI style: you recover a computer and you want to know what kind of shenanigans were done with it. For example, you might be looking for criminal evidence. We'll focus on that kind of scenario.

Locard's Exchange Principle

In traditional, CSI-style forensics, one of the guiding concepts is Locard's Exchange Principle, which essentially says that in the commission of a crime, the perpetrator leaves something at the crime scene, and takes away with him something from the crime scene. These "somethings" are evidence. More colorfully:
Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him, his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value. — Paul L. Kirk. 1953.
This principle holds in the digital world as well (although the concept of "crime scene", and of "location" in general, is not really defined) and, in fact, it holds whether you are perpetrating a crime or not. We have seen several examples of this already, and it's worth thinking about them.

A few more examples of "things you leave" on remote hosts

In addition to visiting websites, one of the ways we've seen that we "go somewhere" in the cyber world is by using SSH to get a terminal on a remote host. It's interesting to see what you leave behind when you do this:
  1. Login attempts: Every attempt you make to log in to a system, successful or not, is logged!
    On rona, for example, there is a file /var/log/auth.log that the sysadmin (System Administrator) has access to, that contains a log entry for every successful and unsuccessful attempt to log in. Here's an example of a few entries:
    Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=m159999
    Nov  1 08:38:05 rona sshd[3962]: Accepted password for stahl from port 49961 ssh2
    Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:session): session opened for user m159999 by (uid=0)
    This tells us that at 8:38am on 1 November, someone at host tried to log in as user m159999, gave the wrong password, then tried to log in again and was successful. Think about how this could be used to track someone who was doing or trying to do bad things!
  2. Commands executed: Every command you execute is logged!
    On rona, for example, the sysadmin has a tool called lastcomm that lists every command executed by any user. Here's an example of a few lines output by the command:
    md5sum                 m159999  ??         0.00 secs Thu Nov  3 07:36
    bash              F    m159999  ??         0.00 secs Thu Nov  3 07:36
    ssh                    m159999  ??         0.00 secs Thu Nov  3 07:36
    bash              F    m159999  ??         0.00 secs Thu Nov  3 07:36
    What do we learn from this? We learn that at 7:36am on 3 November user m159999 computed an MD5 hash and then ssh'd to some host. Think about how that might be used as evidence.

    In fact, there's a command called history that will bring up the last N commands you've given, along with arguments like filenames, etc. If you log in to your rona account and give the history command, you'll probably see every command you've ever given on rona!
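As an added example (not part of the lesson's own material), here is a small Python reconstruction of the login sequence from sshd auth.log entries like the ones above: it replays the failure and acceptance events per user and remote host, so that "failed, then got in" and "failed and never got in" stand out. The sample lines are constructed, and the remote addresses 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for the elided rhost values.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lecture's auth.log excerpt; the remote
# hosts are documentation addresses standing in for the elided rhost values.
SAMPLE_AUTH_LOG = """\
Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=m159999
Nov  1 08:38:05 rona sshd[3962]: Accepted password for m159999 from 192.0.2.10 port 49961 ssh2
Nov  1 08:38:05 rona sshd[3962]: pam_unix(sshd:session): session opened for user m159999 by (uid=0)
Nov  1 09:02:17 rona sshd[4102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Nov  1 09:02:21 rona sshd[4102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
"""

# Common syslog prefix: timestamp, host, daemon[pid]
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
FAILURE = re.compile(PREFIX + r"pam_unix\(sshd:auth\): authentication failure;.*"
                     r"rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)")
ACCEPTED = re.compile(PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
                      r"from (?P<rhost>\S+) port (?P<port>\d+)")

def parse_auth_log(text):
    """Turn sshd auth.log lines into a list of event dicts, in file order.
    Lines that are neither a failure nor an acceptance (e.g. session opened) are skipped."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("failure", FAILURE), ("accepted", ACCEPTED)):
            m = pattern.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["pid"] = int(ev["pid"])
                events.append(ev)
                break
    return events

def reconstruct(events):
    """Replay the events per (user, rhost). Returns two dicts:
    got_in:   number of failures that preceded a later successful login from that host
    never_in: failure counts with no later success (guessing that did not work)"""
    pending = defaultdict(int)
    got_in = {}
    for ev in events:
        key = (ev["user"], ev["rhost"])
        if ev["kind"] == "failure":
            pending[key] += 1
        elif ev["kind"] == "accepted" and pending.get(key):
            got_in[key] = pending.pop(key)
    return got_in, dict(pending)
```

Run it over a real /var/log/auth.log (read with the sysadmin's permission) by passing the file's contents to parse_auth_log.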

A few more examples of things that stay with you on your machine

The forensics lab will explore in-depth the kind of information that stays behind — perhaps unexpectedly — on your Windows computer. So we mention only a few examples here:
  1. Browser cache: We discussed this above.
  2. Recently accessed files: If you launch regedit and look under
    shows you files that you opened recently, sorted by file type (extension). If you right-click and choose "Modify", you'll see the file names.
  3. Networks you've been on: If you launch regedit and look under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures
    and then look under both Managed and Unmanaged, you'll see, among other things, the MAC addresses of the gateway routers for networks you've been on.
  4. "Meta-data" in documents: Programs like Microsoft Word store "meta data" in the documents they create. For example, if you right-click on the icon for a Word file, choose "Properties" and look under the "Details" tab, you often find information like the name of the author of the document, an e-mail address, the username of the author and so forth. Thus, documents that get published to the world may leak information that could be put to evil purposes.