Eye Witness Report in Software

Encode PDF417 in Software Eye Witness Report

Several years ago, I was part of a team investigating an incident in a windowless, underground, overseas, secure government facility Someone had planted trojan code via the cron facility (the facility used to schedule the future execution of programs) on a mission-critical Unix server The trojan shut down the server during a critical time period The Unix server was one of many servers that logged all syslog messages to a remote syslog server Based on already discovered evidence, we thought we had identified the perpetrator However, we could not match the suspect s logon times to other evidence After long hours of review, we realized that the system our suspect logged on to had an incorrect system time! How did we find out Syslog entries are chronological because each new entry is simply appended to the log file Our suspect s logon time said 8:15, but because it was sandwiched between dozens of other entries around 6:14 and 6:16, we knew that the system time was inaccurate on our suspect s server We were then able to place the suspect in the room, on the system, during the time the trojan was planted

13:

In addition to all of the applications that take advantage of the system logging capability, another extremely valuable program that uses syslog is TCP Wrappers TCP Wrappers is a host-based access control for TCP and UDP services Any connection attempts to wrapped services are logged via syslog Here is an excerpt from the /var/log/messages file on a Red Hat Linux system:

Notice that the log entry provides a lot of valuable information: the time and date of the attempted logon, the hostname (victim), the service (sshd), the account (root), and the IP address of the system that attempted to log on Here is another example that shows how a successful connection to a service is recorded:

This entry shows that the host 10101010 connected to victim s TFTP server on April 26 The correlation of connections and file-access times can be one of the investigator s most powerful techniques We ll discuss how to find files within the relevant timeframe in the Reviewing Relevant Files section later in this chapter

In addition to syslog, Unix systems can maintain other network activity logs These logs are primarily service-specific, such as the log files for web servers When in doubt, consult the service (application) documentation for specific information An example of network activity log is the xferlog file from the Washington University FTP daemon Any file transfers are recorded with useful information:

This log entry provides the following information: M I I I I I I I I The time and date that the transfer occurred The number of seconds that the transfer took (1) The remote host (10111) The number of bytes transferred The name of the transferred file The type of file transfer (b for binary) A special action flag (_ indicates no special action) The direction of transfer (o represents outgoing; i is incoming) The access mode (r is for real, as opposed to anonymous or guest)

The username (chris) The service name (ftp) The authentication method (0 for none) The user ID (* indicates none available) The status of the transfer (c for complete)

As you can see, the xferlog file can be very useful when investigating incident response This is also true of other service-specific logs

Unix provides a variety of log files that track host operations Some of the more useful logs record su command execution, logged-on users, logon attempts, and cron job (scheduled program) execution

The su command allows a user to switch to another user ID during a session Attackers sometimes use this command to attempt to gain root access to a system Unix records every attempt to execute the su command on the system The log shows the time and date of the su attempt, whether the attempt was successful, the terminal device from which the user attempted to execute su, and the user ID before and after the su attempt On some flavors of Unix, a separate su log file is stored in one of the log directories; on other flavors, su attempts are recorded in the messages or syslog file Below is an excerpt from /var/log/messages on a Red Hat Linux box

Mar 22 13:12:17 falcon PAM_pwdb[959]: authentication failure; crose(uid=500) -> root for su service Mar 22 13:12:22 falcon PAM_pwdb[961]: authentication failure; crose(uid=500) -> root for su service Mar 22 13:12:29 falcon PAM_pwdb[962]: authentication failure; crose(uid=500) -> root for su service