
Thread: Evidence collection from compromised hosts

  1. #1
    Senior Member | Join Date: Oct 2002 | Posts: 1,130

    Evidence collection from compromised hosts

    I got into a debate with a professor of mine today and we can't seem to agree on a solution...

    We were discussing the cataloging of evidence from compromised hosts, and we came to the subject of sending that data to a remote computer with netcat. I brought up the point that by sending the data across a network from an untrusted machine, you are employing a possibly compromised OSI stack and therefore the integrity of your evidence and its accountability in court as well.

    His argument to this was that if the OSI stack had been compromised on a machine, it would not work at all. I do not agree. I would think that if a host was compromised, it would certainly be possible to modify the stack subtly enough to alter simple text data being sent across such as that acquired during an initial investigation.

    Has there ever been a successful compromise, or even a proof of concept, proving that it would be possible to replace the OSI stack on a compromised host with one that could alter data being sent out?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  2. #2
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Well, you can add LSPs (Layered Service Providers) to a networking stack. If placed on the top of the stack, it will intercept all traffic and filter it for whatever you specify and pass the rest down the stack. This is how most VPN clients operate although they tend to call these things "SHIMS" (see www.v-one.com for info on how this works). Also, some older spyware operated this way. New.net is one that comes to mind.

    So in fact, you *can* modify a network stack and it will work fine. Tell your teacher to head back to the CHUBB institute for a refresher or if you prefer, I can learn him.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member | Join Date: Mar 2003 | Posts: 245
    A modified "OSI" stack does not mean it won't work, any more than removing the windows from a car will keep it from starting. What is meant by modified is a key point in this discussion.

    In the real world, compromised hosts are not left on the network in _any_ way. People who know what they are doing take the host off the network, and make a full snapshot (backup) of the system _as_is_ to tape or another disk for evidence's sake. Whether they restore the system from a known good backup, or leave it in its current state depends on what the site policy is and who they have to report to.

    Agree with thehorse13, your prof should consider some re-education options.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  4. #4
    Senior Member | Join Date: Jun 2003 | Posts: 134
    When you investigate a host you are trying to capture the host just the way it is. That is why when you are transferring the data it has to be bit for bit. Also the integrity of the data can be checked with hashing like MD5 and SHA1, so if you are transferring data and it is tampered with you will know. Remember you are trying to prove that the data has not been tampered with. If your steps and methods are documented and all of the bits add up you can prove the integrity of your data is correct. You just need to have everything documented and a good chain of custody.
    Sysmin Sys73m47ic
    -The Hacker Pimps
    -Development Team {FuxorWRT}
    http://www.AntiOnline.com/sig.php?imageid=563
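    The two points raised in the thread, that data leaving a suspect host over its own stack cannot be trusted (post #1) and that hashing plus a documented chain of custody lets you prove whether it arrived intact (post #4), can be tied together in a small script. The following is an added example, not code posted by anyone in the thread: it hashes an artefact with MD5, SHA-1 and SHA-256 before it leaves the host, writes a minimal custody record, and recomputes the digests on the receiving side. The sample netstat-style lines and the one-byte-changed copy are constructed for the demonstration; the function names, the `analyst-1` collector label and the record layout are assumptions, not any tool's format. The digests must travel out-of-band (written down, or sent over a second channel), because a digest carried inside the same untrusted transfer proves nothing.

```python
"""Integrity check for evidence transferred off a suspect host (added example).

Assumptions (not from the thread): the collector hashes each artefact on the
suspect host before it leaves, records the digests out-of-band, and recomputes
them on a trusted receiving machine. Any mismatch means the bytes that arrived
are not the bytes that were read, whatever the cause.
"""
import hashlib
import json
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")   # MD5/SHA1 as named in the thread, plus SHA-256
CHUNK = 64 * 1024                        # stream in blocks so large images need not fit in memory


def digest_bytes(data: bytes) -> dict:
    """Hash a byte string with every algorithm in ALGORITHMS, feeding it in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for off in range(0, len(data), CHUNK):
        block = data[off:off + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str) -> dict:
    """Same as digest_bytes, but reads a file (e.g. a disk image) block by block."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_record(label: str, digests: dict, collector: str, note: str = "") -> dict:
    """A minimal chain-of-custody entry: what, who, when, and the digests (assumed layout)."""
    return {
        "item": label,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "digests": digests,
    }


def verify_received(expected: dict, received: bytes) -> tuple:
    """Recompute digests on the receiving side; return (ok, list of algorithms that disagree)."""
    actual = digest_bytes(received)
    bad = [name for name in expected if expected[name] != actual.get(name)]
    return (not bad, bad)


# Constructed sample: a few netstat-style lines as captured on the suspect host.
SAMPLE_EVIDENCE = (
    b"Proto  Local Address       Foreign Address     State\n"
    b"tcp    0.0.0.0:22          0.0.0.0:*           LISTEN\n"
    b"tcp    192.0.2.10:22       198.51.100.7:51022  ESTABLISHED\n"
)

# Constructed copy of the same length with one field changed, standing in for a
# transfer that did not deliver the original bytes.
SAMPLE_TAMPERED = SAMPLE_EVIDENCE.replace(b"ESTABLISHED", b"CLOSE_WAIT ")


def demo() -> dict:
    """Run the collect -> record -> transfer -> verify cycle on the constructed sample."""
    digests = digest_bytes(SAMPLE_EVIDENCE)
    record = custody_record("netstat-an.txt", digests, "analyst-1",
                            f"{len(SAMPLE_EVIDENCE)} bytes")
    ok_clean, _ = verify_received(record["digests"], SAMPLE_EVIDENCE)
    ok_tampered, bad = verify_received(record["digests"], SAMPLE_TAMPERED)
    return {"record": record, "clean_ok": ok_clean,
            "tampered_ok": ok_tampered, "mismatched": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Running the script prints the custody record and shows the intact copy verifying while the altered copy fails on every digest. Replacing `digest_bytes` with `digest_file` covers the "bit for bit" disk image case from post #4, since the file is streamed rather than loaded whole.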

  5. #5
    Senior Member | Join Date: Oct 2002 | Posts: 1,130
    I would have to agree with this as well. I don't really think that relying on the network connection of a compromised host would be a good idea. As for unplugging it, I was talking about the initial look into a computer to decide whether or not it has been compromised. Only after that can a decision be made as to whether or not to pull it. But it seems to me you wouldn't need to be sending netstat results and such over a network to find out. In some ways there is a need to preserve the information originally obtained from the first look, because by the time you take a second look it could all change. Personally, though, I would save all that stuff to a floppy.

    But it did get me thinking as to how such a thing could be done. I have no doubt that it could, despite the teachings of my elders. TheHorse, you speak of placing another layer essentially on top of the application layer? Wouldn't this allow the receiving port to see the data before it gets modified? It would seem to me that this would have to be done at either the presentation or session layers, before connections are established.

    This is really going to bug me until I find some proof of concept.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  6. #6
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Quote: "TheHorse, you speak of placing another layer essentially on top of the application layer?"

    No, LOL, even I cannot add an 8th layer to the fabric of computing (OSI model).

    I have attached a little tool from an MS development kit. What it does is allow you to view the network stack, and you can see all of the LSPs in the order that data flows through them. Unzip the contents anywhere you like and run the exe file. Whatever you see on top gets first crack at whatever gets passed through. I think you are a little confused. I am talking solely about altering the "normal" networking stack (OSI network layer - 3) by placing LSPs (Google it) in there to do my bidding.

    Now, someone mentioned Netstat. I can alter the Netstat.exe file (or any other local tool) in such a way that you'd never know that I have a port open, etc. I don't even trust backups because it is *very* difficult to prove when a compromise has occurred. I haven't even talked about root kits and file streaming, two methods which are next to impossible to detect. Bottom line, when you're 0wned, get out the install disks.

    Now, back to the pile of leftover turkey....
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
