5
Expunge
Expunging is the process of destroying information to cover the tracks of the attacker. These steps allow a computer user to remove traces of their activity from a computer so that someone else cannot determine what was done. Every modern computer system features a logging ability that tracks when certain activities take place. These logs could encompass all of the activities taken by users on the system, and they could also log activity from the attacker. This chapter will cover a few of the basic methods to erase information and help obscure an attacker’s presence on a computer system.
REMOVING WINDOWS LOGIN TRACES
THE HACK DISSECTED
Pavel took Stepan’s laptop from Vlad and blanked the three Windows event log files. Next, he changed the “last logged in user” registry key so that it would appear that Stepan’s account was the last one used. (p. 8)
Early in our story, Pavel and Vlad hack into Stepan’s computer to gather details on their employer and the job that he has for them. Pavel used a Linux bootable operating system on a Universal Serial Bus (USB) drive to change the password of the Administrator account and gain control of the system. However, when he was done siphoning off the information from the laptop, he went the extra step of cleaning up after himself and removing traces that he was on the computer at that time.
Exploit Techniques
There are many ways in which an attacker can remove the traces of his or her actions after the attacker’s work is done on a hacked system. All modern operating systems have account auditing and logging enabled in some form to log information on when users log in and log off of the system, which can help place a physical person at the keyboard during an investigation. In other cases, the computer may log all of the activities that a person performed while he or she had logged in. There may be additional locations in which data is stored, but only if the attacker knows where to look for it.
Event Logs
Microsoft Windows stores all notable events into a collection of log files called the event logs. These logs store information about events that occur on a regular basis from within the Windows operating system and from the applications that run on it. When viewed through the integrated Windows Event Viewer application, event logs are commonly the first area that a system administrator monitors when something goes amiss. Assuming that Stepan would return to work with the laptop in tow, Pavel expunged the records of his work on the system by completely removing the three event logs on it.
Although Windows stores events into a collection of event logs, each log stores a particular type of data. There are three main log files that have been in use since the event logs first appeared in Windows NT: Application, Security, and System.[1]
We’ll explore the details of these individual logs in the “Best Practices” section under “Event Logs”, but suffice it to say at this point that these three logs store many types of information that a hacker would want erased.
In the Windows NT and XP environments, these logs are stored in the %SystemRoot%\System32\Config directory or, for most computers, C:\Windows\System32\Config. Here, they are named AppEvent.evt, SecEvent.evt, and SysEvent.evt. Although most computer systems have the operating system installed onto the C: volume, a rare few use another volume; %SystemRoot% is automatically expanded to the actual drive letter so that the path works on all systems.
In a Windows Vista or Windows 7 environment, these logs are stored in %SystemRoot%\System32\winevt\Logs, normally seen as C:\Windows\System32\winevt\Logs. They have a different naming convention of Application.evtx, Security.evtx, and System.evtx.
Typically, these files are locked by an Event Logger service running on the system, preventing a user from simply deleting the file outright. However, in a hurry, their contents can always be cleared from within the Event Viewer application itself. This is done by highlighting the log that you wish to be cleared and selecting from the pull-down menu the Action | Clear Log… item, as shown in Figure 5.1. This will immediately remove all entries from the specified log, but it will leave a trace event that shows that the log was cleared at the current date and time.
Last Logged-In User Key
Immediately after cleaning out the event logs, the story notes that Pavel cleared the “last logged in user” registry key. This is an actual value in the Windows registry that stores which account last logged into the computer. This information is stored in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
This registry key, shown in Figure 5.2, will record the last user name that was manually logged into the system.[2] As Pavel logged into Stepan’s laptop as Administrator, that name would show up in this registry entry. To clear his trails, as Stepan would not have been able to log in as Administrator, Pavel changed this entry from “Administrator” to Stepan’s account name.
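The two cover-up actions described above each leave something an administrator can check for: clearing a log writes a "log was cleared" event, and a rewritten DefaultUserName no longer agrees with the Security log's own record of who last logged on interactively. The following PowerShell script is an added example, not code from the book; it assumes PowerShell 3 or later on Windows Vista/7 or newer, run from an elevated prompt so that the Security log is readable. The event IDs it uses are the standard Windows ones: 1102 is written to the Security log when that log is cleared, 104 is written to the System log when the System or Application log is cleared, and 4624 is a successful logon (logon type 2 is interactive at the keyboard, type 11 is a cached interactive logon such as a laptop signing in while away from its domain).

```powershell
# Added example (not from the book): report cleared event logs and a
# DefaultUserName that disagrees with the Security log's last interactive logon.
# Assumes PowerShell 3+, Windows Vista/7 or later, running elevated.
param([int]$Days = 30)

function Get-LogClearedEvents {
    param([datetime]$StartTime)
    $results = @()
    # 1102 (Security log cleared) lives in the Security log; 104 (System or
    # Application log cleared, source Microsoft-Windows-Eventlog) lives in System.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $StartTime },
        @{ LogName = 'System';   Id = 104;  StartTime = $StartTime }
    )
    foreach ($f in $filters) {
        # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
        $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $results += [pscustomobject]@{
                Time    = $e.TimeCreated
                Log     = $e.LogName
                Id      = $e.Id
                Message = ($e.Message -split "`n")[0]
            }
        }
    }
    return $results
}

function Get-LastInteractiveLogon {
    # Get-WinEvent returns newest first, so the first matching 4624 is the latest logon.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents 5000 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 2 = Interactive, 11 = CachedInteractive: both mean a person at the keyboard.
        if ($data['LogonType'] -eq '2' -or $data['LogonType'] -eq '11') {
            return [pscustomobject]@{ Time = $e.TimeCreated; User = $data['TargetUserName'] }
        }
    }
    return $null
}

$since = (Get-Date).AddDays(-$Days)

$cleared = Get-LogClearedEvents -StartTime $since
if ($cleared) {
    Write-Warning "Event log clearing recorded in the last $Days days:"
    $cleared | Format-Table -AutoSize
} else {
    Write-Output "No log-cleared events since $since."
}

# The value the story's attacker rewrote, read from the same key the text cites.
$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaultUser = (Get-ItemProperty -Path $winlogon -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName

$last = Get-LastInteractiveLogon
if ($last -and $defaultUser -and ($last.User -ne $defaultUser)) {
    Write-Warning ("DefaultUserName is '{0}' but the last interactive logon in the Security log was '{1}' at {2}." -f $defaultUser, $last.User, $last.Time)
} elseif ($null -eq $last) {
    Write-Warning "No interactive 4624 logon found in the Security log; if the log was cleared this is expected."
} else {
    Write-Output "DefaultUserName '$defaultUser' matches the last interactive logon."
}
```

Both checks only work if the log entries survive: if the Security log was cleared, the 4624 comparison has nothing to compare against, which is exactly why the 1102 event and the off-box backups discussed under "Best Practices" matter.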
Best Practices
When an attacker reviews the logs shown here, he or she finds the information stored directly in Windows by the operating system itself. As this data is needed for system purposes, it may not be possible to either block its usage or modify it. For example, any user who has the administrative rights to the system can open the Registry Editor and change the DefaultUserName field shown earlier. There is nothing to prevent this as long as the attacker has administrative rights to the machine. Your defenses will have to be set well ahead of this point to prevent a hacker from obtaining administrative rights in the first place.
FIGURE 5.1 Clearing a Windows Event Log
FIGURE 5.2
Event Logs
Unlike protecting against a registry edit, there are steps that you can take to maintain the event logs in your Windows systems, even when they have been deleted or modified. But, first, let’s look at what data is contained within these files.
The Application log stores events created by applications running on the system. This file normally logs errors and warnings given by applications, such as when they crash or exhibit noticeable errors. An example of this is shown in Figure 5.3, where an entry is shown for a Mozilla Firefox crash. The event records the exact time and date when the application crashed, as well as basic debugging information. This information shows that Firefox crashed because of a faulting module named FOXITR~1.OCX.
FIGURE 5.3
FIGURE 5.4 Windows Security Event Log
Tracking down that file leads to the FoxitReaderOCX.ocx plug-in for Firefox, part of Foxit Reader, a free PDF viewer from www.FoxitSoftware.com. This event coincided with the Web browser opening a corrupted PDF document and subsequently crashing.
The Security log is used by Windows to track security events such as account logins and logoffs, as shown in Figure 5.4. It also notes when accounts attempt to read, modify, or delete protected audit files. On a properly configured system, this log reports any activity that would trigger a security audit for suspicious behavior.
The System log deals with system-level errors and warnings, such as those produced by device drivers and system services. This log will detail hardware issues, as well as when services are started and stopped. Additionally, it will display any error messages that appear at the service level, such as the DNS errors shown in Figure 5.5.
While the Application, Security, and System logs are the primary source of data for system events, Microsoft has included additional new logs with each recent release of Windows. Windows Vista and Windows 7 feature dozens of various event logs that cover many aspects of the operating system. For example, recent versions of Windows include one event file named Microsoft-Windows-Application-Experience%4Program-Inventory.evtx. This log, shown in Figure 5.6, will log every time an application is installed onto the computer through official setup scripts. Each entry will include the name of the application installed and its version number. This is a log entry that should be scanned regularly to audit the applications being installed by your users.
FIGURE 5.5 Windows System Event Log
In earlier versions of Microsoft Windows, the event logs could easily be deleted from the command line. By simply stopping the Windows services associated with the event logs, a hacker could then manually delete or rename the files. However, additional file controls within Windows Vista and Windows 7 have made it difficult for hackers to simply remove or edit the files. In the case that a hacker has cleared event logs, one of the best ways to mitigate the issue is to simply have backups of the event logs already created. The backup process can be completed using the integrated command line tool “wevtutil.exe.”
To create a regular backup using the wevtutil utility, you can create a new scheduled task in the Windows Task Scheduler. Create a new task inside Task Scheduler and set the trigger to occur on a daily schedule and to repeat every 5 min indefinitely. For an action, start a batch file similar to the following:
@echo off
:: Take the current date and time and strip out the characters that are illegal
:: in file names (slash and colon), from http://stackoverflow.com/questions/203090
:: The delimiter list for the date must contain both "/" and a space so that the
:: weekday name printed by "date /t" is split off.
for /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
for /f "tokens=1-2 delims=/:" %%a in ("%TIME%") do (set mytime=%%a%%b)
:: %TIME% pads single-digit hours with a space; replace it with a zero so the
:: resulting file name contains no space.
set mytime=%mytime: =0%
:: wevtutil does not create the destination folder, so make sure it exists.
if not exist C:\Users\_Hidden md C:\Users\_Hidden
wevtutil epl Security C:\Users\_Hidden\SecurityBackup-%mydate%_%mytime%.evtx
This batch file, which is saved with a .bat extension and placed anywhere on your system, sets a foundation for creating your own customized script. Currently, the script retrieves the current date and time and strips out the illegal colon and slash characters, allowing these values to be placed into the filename. The wevtutil utility is then run to export the Security log into the file C:\Users\_Hidden\SecurityBackup-%mydate%_%mytime%.evtx, although the folder location can be changed to meet your needs.
FIGURE 5.6
Ensure that the task is configured to run at the highest elevated privileges, to allow the script to access the Security log. After being enabled, the task will then start creating backups of your Security log in 5-min intervals. Naturally, this will eventually fill your hard drive, so you will need to modify the script to place limits or run clean-up routines. However, this is a basic example to show that it can be done.
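The batch script above stops short of the clean-up routine it says you will need. The following PowerShell script is an added example, not the book's own script, that performs the same wevtutil export with a timestamp that needs no character stripping and then prunes the backup folder to a fixed number of copies. It assumes PowerShell 3 or later, an elevated context (the Security log requires it), wevtutil.exe on the PATH (it ships with Windows Vista and later), and a destination folder of your choosing; C:\EventLogBackups and C:\Scripts\Backup-EventLog.ps1 are placeholder paths.

```powershell
# Added example (not the book's script): export an event log with wevtutil on a
# timestamped name and keep only the newest $Keep copies.
# Assumes PowerShell 3+, elevated, wevtutil.exe on the PATH; paths are placeholders.
param(
    [string]$LogName     = 'Security',
    [string]$Destination = 'C:\EventLogBackups',
    [int]$Keep           = 288   # 24 hours' worth of 5-minute exports
)

if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

# yyyy-MM-dd_HHmmss contains no slash or colon, which is the problem the batch
# script's date/time parsing works around.
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmmss'
$target = Join-Path $Destination ("{0}Backup-{1}.evtx" -f $LogName, $stamp)

# "epl" = export log; the result is a normal .evtx that Event Viewer can open.
& wevtutil.exe epl $LogName $target
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil epl $LogName failed with exit code $LASTEXITCODE"
}

# Rotation: delete every backup of this log beyond the newest $Keep.
Get-ChildItem -LiteralPath $Destination -Filter ("{0}Backup-*.evtx" -f $LogName) |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Force

# Register it once from an elevated prompt to run every 5 minutes as SYSTEM with
# highest privileges (the equivalent of the Task Scheduler settings in the text):
#   schtasks /Create /SC MINUTE /MO 5 /RU SYSTEM /RL HIGHEST /TN "EventLogBackup" ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-EventLog.ps1"
```

A backup folder on the same disk is only as safe as the rest of the machine: an attacker with administrative rights who can clear the log can also delete the copies. Pointing $Destination at a share the local Administrator cannot delete from, or copying the exports off the host, is what turns this into a record that survives the clean-up the chapter describes.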
SUMMARY OF REMOVING WINDOWS LOGIN TRACES
Performing an exploit is only the first step in attacking a network system. Once an attacker has gained a foothold and stolen the resources needed from a system, the attacker will attempt to clean up his or her traces to throw off any investigative efforts. We saw this through multiple examples throughout our story, and it is a tactic used widely by attackers. It is relatively easy to remove basic traces of a normal login through the Windows Registry Editor, as we discussed in this section. Although removing the basic system logs can prove more difficult, they are targeted by attackers because of the copious details they store on system-wide operations.
System administrators can perform basic mitigation to help prevent many of these attacks through proper security and backups of their system logs. With a proper backup strategy, an administrator can still retrieve details of an attack even if the logs are wiped clean.
FOR MORE INFORMATION
For this chapter, we’ve covered the basics on log scrubbing to remove traces of an attack. There are a variety of dedicated tools for this task and additional ways to protect against them. For more information, we refer you to the following Web sites:
■ WinZapper tool: http://ntsecurity.nu/toolbox/winzapper/
■ ClearLogs tool: http://ntsecurity.nu/toolbox/clearlogs/
■ How to Delete Corrupt Event Viewer Log Files: www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/EventLogs/HowtoDelete-CorruptEventViewerLogFiles.html
■ Back Up Your Event Logs with a Windows PowerShell Script: http://technet.
BROWSER CLEANUP
THE HACK DISSECTED
The sound of a car door out front announced Vlad’s return. Pavel surfed to the Black Hat conference site and then cleared his browser cache before Vlad walked in. (p. 115)
In our story, Pavel is just beginning to worry about his working relationship with Vlad. He fears that his life may be in danger and starts creating a contingency plan for escaping the area. At that moment, Vlad returns to their hideout and Pavel quickly cleans up his traces. He switches to the Black Hat Web site, a site that Vlad would expect him to be on, and clears his browser cache.
By clearing his browser cache, Pavel removes all traces of his Web surfing history. He hides the airlines and car rental Web sites that he was browsing just minutes before. If Vlad did attempt to view Pavel’s history, he would see a blank slate.
Exploit Techniques
Clearing the history of a Web browser has become a common technique in the daily browsing of many people. It allows for privacy while surfing the Web by removing a user’s activity log so that others can’t see it at a later point.[3] Additionally, by clearing away the large amount of cached data on your hard drive, clearing the history can improve Web browser performance.
The typical Web browser records many aspects of our daily Web-browsing activities. Every individual Web page that you view is stored, as well as copies of every page, image, and movie that you viewed. Additionally, all typed user names and passwords and every file downloaded is also stored. Modern Web browsers give you the ability to clear out this information, as shown by the Delete Browsing History window for Internet Explorer 8 in Figure 5.7.
Although these options are normally buried within the multiple pull-down menus of their respective browsers, all modern browsers feature a universal keyboard shortcut to quickly bring up the history deletion function: Ctrl + Shift + Del. Upon pressing these three keys simultaneously, the browser’s history deletion window will appear. While each browser has a slightly different style to their functions, they all operate the same way. Internet Explorer 8’s feature is shown in Figure 5.7 while Mozilla Firefox and Google Chrome’s are shown, in respective order, in Figure 5.8.
Private Browsing
Although modern browsers allow for users to clean up their browsing history before signing off, they also offer a feature to prevent the system from logging this information in the first place. Known as private browsing, though with differing names between Web browsers, the feature blocks cookies and Web browsing history from being stored to the local system. It will also not store the information you type into online forms nor cache any of the data to the hard drive.
FIGURE 5.7 Internet Explorer 8 Delete Browsing History Window
FIGURE 5.8 Mozilla Firefox and Google Chrome’s Respective History Delete Windows
In Internet Explorer, this feature is known as InPrivate Browsing. Although InPrivate Browsing will not store search entries or Web sites, it does cache data to the hard drive. This cached data is deleted when you close the browser, but it can be recovered through basic forensics. InPrivate Browsing is enabled by selecting Safety | InPrivate Browsing from the pull-down menu. Details on Internet Explorer’s InPrivate Browsing can be found at http://windows.microsoft.com/en-us/Windows7/What-is-InPrivate-Browsing.
Mozilla Firefox also offers a Private Browsing feature with many of the same abilities. Its Private Browsing also blocks cookies and browser history from being stored to the local system. It is enabled from the pull-down menu under Tools | Start Private Browsing. Greater detail on Firefox’s Private Browsing is found at http://support.mozilla.com/en-US/kb/Private+Browsing.
Google’s Chrome browser has the same feature set as the other major Web browsers in a feature they call Incognito Mode. Their implementation of private browsing is slightly different from Internet Explorer and Firefox. Upon selecting Tools (wrench icon) | New Incognito Window from the pull-down menu, a new browser window will open in private mode. Google Chrome then allows you to have a simultaneous Incognito window and a normal browsing window. Additionally, while in Incognito mode, Chrome disables all of your browser extensions and add-ons. This prevents your private information from being leaked through third-party applications.
Best Practices
As these options are controlled by the browser itself, it is difficult to control their use as an administrator. The one exception is Internet Explorer 7 and later versions, for which there is a group policy that allows you to disable the ability to delete browsing history. This setting can be found in the Group Policy editor under Administrative Templates | Windows Components | Internet Explorer | Delete Browser History. Under this final folder is a setting to Turn off “Delete Browsing History” functionality, along with various other deletion controls.[4]
For serious infractions that absolutely require determining the browser history, it may be possible to forensically recover the deleted browser cache files after they’ve been erased. This can help show what content the user downloaded and some of the sites visited, but it has limits. For instance, in Mozilla Firefox, all history details are now stored in miniature databases that are scrubbed clean after a user has deleted his or her browsing history.
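Before reaching for forensic recovery, an administrator can at least establish whether the on-disk history and cache of the three browsers discussed here are present, how large they are, and whether they were rewritten in the last hour, which is the footprint a "Delete Browsing History" operation leaves: a history database written moments ago beside a cache folder that is suddenly empty. The following PowerShell script is an added example, not code from the book or from any browser vendor. It assumes PowerShell 3 or later and the Windows Vista/7 profile layout for Internet Explorer 8, Firefox, and Chrome as described in this section. The Internet Explorer policy it checks is the "Turn off Delete Browsing History functionality" setting named above; the registry value name DisableDeleteBrowsingHistory under HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel is the one this example's author recalls from the IE administrative template and should be verified against inetres.admx on your own systems before you rely on it.

```powershell
# Added example (not from the book): inventory browser history/cache artifacts and
# flag ones rewritten recently, then report the IE "Delete Browsing History" policy.
# Assumes PowerShell 3+ and Windows Vista/7 profile paths for IE8, Firefox, Chrome.
param([int]$RecentMinutes = 60)

# Artifact locations for the user running the script. Firefox profile names are
# random, so those entries carry a wildcard that Get-Item expands.
$artifacts = @(
    @{ Browser = 'Internet Explorer'; Kind = 'history'; Path = "$env:LOCALAPPDATA\Microsoft\Windows\History\History.IE5\index.dat" },
    @{ Browser = 'Internet Explorer'; Kind = 'cache';   Path = "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Content.IE5" },
    @{ Browser = 'Firefox';           Kind = 'history'; Path = "$env:APPDATA\Mozilla\Firefox\Profiles\*\places.sqlite" },
    @{ Browser = 'Firefox';           Kind = 'cache';   Path = "$env:LOCALAPPDATA\Mozilla\Firefox\Profiles\*\Cache" },
    @{ Browser = 'Chrome';            Kind = 'history'; Path = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" },
    @{ Browser = 'Chrome';            Kind = 'cache';   Path = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache" }
)

function Get-ArtifactState {
    param([hashtable]$Artifact, [int]$RecentMinutes)
    # -Force is needed because index.dat and Temporary Internet Files are hidden/system.
    $items = @(Get-Item -Path $Artifact.Path -Force -ErrorAction SilentlyContinue)
    if ($items.Count -eq 0) {
        return [pscustomobject]@{
            Browser = $Artifact.Browser; Kind = $Artifact.Kind; Path = $Artifact.Path
            Present = $false; SizeKB = 0; LastWrite = $null; RecentlyChanged = $false
        }
    }
    foreach ($item in $items) {
        if ($item.PSIsContainer) {
            # Total size of everything under a cache folder; 0 when it has been emptied.
            $sum = (Get-ChildItem -LiteralPath $item.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
                    Measure-Object Length -Sum).Sum
        } else {
            $sum = $item.Length
        }
        [pscustomobject]@{
            Browser         = $Artifact.Browser
            Kind            = $Artifact.Kind
            Path            = $item.FullName
            Present         = $true
            SizeKB          = [math]::Round(([double]$sum) / 1KB, 1)
            LastWrite       = $item.LastWriteTime
            RecentlyChanged = ($item.LastWriteTime -gt (Get-Date).AddMinutes(-$RecentMinutes))
        }
    }
}

function Get-IEDeleteHistoryPolicy {
    # Value name assumed from the IE administrative template; verify in inetres.admx.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'
    $v = (Get-ItemProperty -Path $key -Name DisableDeleteBrowsingHistory -ErrorAction SilentlyContinue).DisableDeleteBrowsingHistory
    if ($v -eq 1) { return 'IE "Delete Browsing History" is turned off by policy.' }
    return 'IE "Delete Browsing History" is NOT restricted by policy.'
}

$report = foreach ($a in $artifacts) { Get-ArtifactState -Artifact $a -RecentMinutes $RecentMinutes }
$report | Format-Table Browser, Kind, Present, SizeKB, LastWrite, RecentlyChanged -AutoSize

# A history file rewritten in the last hour next to an empty cache folder with the
# same timestamp is what a history deletion looks like on disk.
$suspicious = $report | Where-Object { $_.Present -and $_.RecentlyChanged -and $_.Kind -eq 'cache' -and $_.SizeKB -eq 0 }
if ($suspicious) { Write-Warning "Cache folders emptied within the last $RecentMinutes minutes:"; $suspicious | Format-Table Browser, Path, LastWrite -AutoSize }

Write-Output (Get-IEDeleteHistoryPolicy)
```

The script reports; a person still has to interpret it. Chrome keeps its History file locked while the browser runs, so only its metadata is read here, and a Firefox profile that was simply never used will also show as absent. What the script does reliably is tell you whether the artifacts that forensic recovery would start from still exist at all, and whether the one administrative control this section names is actually applied.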
SUMMARY OF BROWSER CLEANUP
As many attacks are beginning to use the Web browser as an attack vector, criminals have more of a need to clean their tracks on the browser itself. Additionally, even basic research and reconnaissance activities exist within the Web browser cache that can incriminate an attacker or a researcher in the middle of their tasks. The information stored within the browser cache can pinpoint the Web pages that a user browsed, as well as the content that he or she had viewed and downloaded. Not only can this store private data but also potentially embarrassing information for the user. For basic privacy reasons, all of the major Web browsers now support the ability to scrub browser history files and statistics, although this is also taken advantage of by attackers. Although users can easily clear their personal browsing history, an attacker can also scrub the history on their own computers in the event that their equipment is seized by law enforcement. For businesses, your employees are also able to clear their browsing history to remove evidence of activity on unauthorized Web sites. There is little that can be done by a company to protect against this action, though. Forcing users to use a modern version of Internet Explorer, blocking any alternative browser, and disabling the ability to remove the browsing history can maintain the cache on a system that the company controls. Beyond this, the risk is always present.
FOR MORE INFORMATION
We’ve covered much of the ability to scrub a user’s history and activities from a Web browser in this chapter, as well as how to enter private browsing mode. There are a few topics that we were not able to cover here, especially in the realm of best practices. The following Web sites cover some of the various aspects of recovering data from a Web browser, as well as some of the ways in which data can still be leaked out even while private browsing is enabled.
■ Web Browser Forensics – Part 1: www.symantec.com/connect/articles/web-browser-forensics-part-1
■ Web Browser Forensics – Part 2: www.symantec.com/connect/articles/web-browser-forensics-part-2
■ Why Private Browsing Isn’t…: http://ouseful.wordpress.com/2009/07/15/why-private-browsing-isnt/
ENDNOTES
1. How to view and manage event logs in Event Viewer in Windows XP, Microsoft Support, http://support.microsoft.com/kb/308427; 2007 [accessed 18-03-10].
2. DefaultUserName, http://technet.microsoft.com/en-us/library/cc939710.aspx; 2010 [accessed 18-03-10].
3. Rick B. Erase Internet Explorer 8’s Browsing History, The Washington Post, www.washingtonpost.com/wp-dyn/content/article/2010/03/03/AR2010030302628.html; 2010 [accessed 18-03-10].
4. Prevent users from deleting IE browsing history, Online Tech Tips, www.online-tech-tips.com/internet-explorer-tips/prevent-users-from-deleting-ie-browsing-history/; 2009 [accessed 18-03-10].