What are you missing? AIX

Happy February Readers,
I didn't want to miss last week's posting, but I also didn't have the time to make a quality post before leaving on a trip, so I hope quality over quantity will gain favor with you.

I'm taking a break in the What was wiped series to give myself some more time to gather what I need, and instead I am continuing the What are you missing series in this post.
Doing forensics on specialized servers, which I will define as anything non-Wintel whose file system has no parser supported by forensic tools, is an interesting challenge. You have to:

1. Research where the system log files exist.
2. Determine what format the logs are in.
3. Capture the metadata of the file system.
4. Determine if the file system can be parsed by anything but the running OS.
5. Determine if it's feasible to image the server via dd.
6. Determine if there is any hardware-specific evidence that exists.
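Step 3 is the one that most often has no tool support on such a system. The following is an added example (my code, not anything from the post) of one way to do it from the running OS: walk the file system with lstat() and write the Sleuth Kit body format, which mactime and other timeline tools read regardless of which file system produced it, so the metadata can be analysed off the box even when nothing can parse the disk image. The sample tree built by demo_capture() is constructed for the example; nothing here comes from an actual AIX system.

```python
"""Live capture of file-system metadata into a Sleuth Kit body file (added example)."""
import os
import stat
import sys
import tempfile


def body_line(path, st):
    """One body-format record: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    MD5 stays 0 (no file content is read) and crtime stays 0 (lstat does not report it)."""
    return "|".join([
        "0", path, str(st.st_ino), stat.filemode(st.st_mode),
        str(st.st_uid), str(st.st_gid), str(st.st_size),
        str(int(st.st_atime)), str(int(st.st_mtime)), str(int(st.st_ctime)), "0",
    ])


def _same_device(path, dev):
    """True when path lives on the file system identified by dev; False if it cannot be stat'd."""
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def capture_metadata(root, one_fs=True):
    """Walk root with lstat (symlinks are recorded, never followed) and return body lines.
    With one_fs the walk records mount points but does not descend into them, so NFS
    mounts and /proc-style pseudo file systems do not pollute the timeline."""
    root_dev = os.lstat(root).st_dev
    lines = [body_line(root, os.lstat(root))]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                lines.append(body_line(full, os.lstat(full)))
            except OSError as exc:  # e.g. an entry removed mid-walk: note it and continue
                print("skip %s: %s" % (full, exc), file=sys.stderr)
        if one_fs:
            # Pruning dirnames in place steers os.walk away from other file systems.
            dirnames[:] = [d for d in dirnames if _same_device(os.path.join(dirpath, d), root_dev)]
    return lines


def demo_capture():
    """Constructed sample tree (not evidence from the post): a file, a sub-directory
    and a symlink inside it. Returns the body lines for inspection."""
    root = tempfile.mkdtemp(prefix="bodydemo_")
    with open(os.path.join(root, "syslog"), "w") as fh:
        fh.write("constructed log line\n")  # 21 bytes
    os.mkdir(os.path.join(root, "adm"))
    os.symlink("syslog", os.path.join(root, "adm", "syslog.lnk"))
    return capture_metadata(root)


if __name__ == "__main__":
    # On the live host: python body.py / > host.body ; then mactime -b host.body off-box.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in capture_metadata(target):
        print(line)
```

Because only lstat() is called, the walk updates no access times on the evidence tree and reads no content; hashing can be done later from the image if imaging (step 5) turns out to be feasible.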

A good example of this would be an older AIX system as detailed below

Blackberry Server Log Analysis by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,

        To the end user the blackberry server is simply where their blackberries get their email from. But there are multiple methods of communication a blackberry is capable of that the server relays, logs, and that an informed investigator can recover:

  1. Email
  2. SMS
  3. Blackberry Messenger
  4. PIN Messaging
  5. Phone Call Log

The blackberry server will create the following type of logs in total:

  • ALRT - BES Alert
  • BBIM - BlackBerry Instant Messenger (4.1)
  • BBUA - BlackBerry User Administration Service (BRK)
  • CBCK - Backup Connector
  • CEXC - Exchange PIM Connector
  • CMNG - Management Connector
  • CTRL - BlackBerry Controller
  • DISP - BlackBerry Dispatcher
  • MAGT - BlackBerry Mailbox Agent (aka BlackBerry Messaging Agent)
  • MDAT - Mobile Data Services
  • MDSS - MDS Services (4.1)
  • MDSS-DISCOVERY - MDS Services (4.1)
  • POLC - Policy Service
  • ROUT - Router
  • SYNC - BlackBerry SyncServer
  • PhoneCallLog (4.1)
  • PINLog (4.1)
  • SMSLog (4.1)

(Thanks Wikipedia http://en.wikipedia.org/wiki/BlackBerry_Enterprise_Server)

  1. Email – The blackberry server logs store when a device connects to the server to pull email and when it delivers mail and other messages. When you are dealing with a time-sensitive question of whether a message was received, sent or deleted from a blackberry, these logs may be your best source of evidence if enough time has passed for the message to be deleted from the blackberry device itself before imaging. Regarding imaging blackberry devices, I personally use Paraben's Device Seizure (found here http://www.paraben-forensics.com/catalog/product_info.php?products_id=405) to do the device acquisition.

     The MAGT log, with a name like "<Blackberry server name>_MAGT_01_20090108_0001.txt", is a listing of every action taking place regarding the delivery of messages/calendar items/etc. to every blackberry communicating with the server. You will find them in multiple segments per day. This is the place to look if the timing of the delivery/deletion/forwarding of a message from a blackberry is at issue.

  2. SMS – When configured to do so, the blackberry server will log the following fields into a csv file:

     "Name.ID","Email Address","Type of Message","To","From","Callback Phone Number","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"

     The file name is of the form "SMSLog_20070927.csv", with one log being created per day.

     The file is written out in UTF-16, so be aware of that if you intend to parse it.

  3. Blackberry Messenger – This is a blackberry IM program that, according to my current research, will not be logged on the server without creating an account to relay all the messages to. Without prior configuration the only way to recover these messages is from the device itself.

  4. PIN Messaging – This is the PIN messaging log. PIN messages are those messages sent between blackberries directly through the blackberry server, addressed to the PIN assigned to the blackberry by the server. By default the blackberry server will log the following fields into a csv:

     "Name.ID","PIN","Email Address","Type of Message","To","Cc","Bcc","From","Subject","Body","Send/Received Date","Server Log Date","Overall Message Status","Command","UID"

     The file name is of the form "PINLog_20070927.csv", with one log being created per day.

     The file is written out in UTF-16, so be aware of that if you intend to parse it. I'm writing a parser now to dump them all into a mysql database that I will post when I correct a weird multiline message that I've found. Special bonus: it's a perl script that correctly handles UTF-16.

  5. Phone Call Log – This is a log of all of the calls being made from the blackberry devices; note this only applies to calls made on blackberries connected to this blackberry server. This includes missed calls, outgoing calls and incoming calls that I've seen to date. By default the blackberry server will log the following fields into a csv:

     "Name.ID","Type of Call","Name","Phone Number","Start Date","Server Log Date","Elapsed Time","Memo","Command","UID"

     The file name is of the form "PhoneCallLog_20070927.csv", with one log being created per day.

     The file is written out in UTF-16, so be aware of that if you intend to parse it.

All of the CSV files will load into Excel directly if you import them; otherwise, if there is a large number of dates in question, I would recommend parsing them into some kind of database so you can pull records by the user's name or PIN.
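Since the post recommends loading these csv logs into a database, the following added example (my code, not the author's perl parser, which is not on the page) does that in Python with SQLite: it reads the UTF-16 files using the field names listed above for each log type, keeps a quoted Body that spans several lines intact, and answers the "pull records by PIN" question with a query. The file names, PINs, addresses and message text written by demo() are constructed sample data, and the one-table-per-log-type layout is my own choice.

```python
"""Load BlackBerry Enterprise Server PIN/SMS/PhoneCall csv logs into SQLite (added example)."""
import csv
import glob
import os
import sqlite3
import tempfile

# Header fields as listed in the post for each log type; the type comes from the
# file-name prefix (PINLog_YYYYMMDD.csv, SMSLog_YYYYMMDD.csv, PhoneCallLog_YYYYMMDD.csv).
FIELDS = {
    "PINLog": ["Name.ID", "PIN", "Email Address", "Type of Message", "To", "Cc", "Bcc",
               "From", "Subject", "Body", "Send/Received Date", "Server Log Date",
               "Overall Message Status", "Command", "UID"],
    "SMSLog": ["Name.ID", "Email Address", "Type of Message", "To", "From",
               "Callback Phone Number", "Body", "Send/Received Date", "Server Log Date",
               "Overall Message Status", "Command", "UID"],
    "PhoneCallLog": ["Name.ID", "Type of Call", "Name", "Phone Number", "Start Date",
                     "Server Log Date", "Elapsed Time", "Memo", "Command", "UID"],
}


def log_type_of(path):
    """'PINLog_20070927.csv' -> 'PINLog'."""
    return os.path.basename(path).split("_")[0]


def read_bes_csv(path):
    """Yield one dict per record. The file is UTF-16 (the BOM selects byte order);
    opening with newline='' lets the csv module keep a quoted Body that contains
    line breaks as one field instead of splitting the record."""
    names = FIELDS[log_type_of(path)]
    with open(path, "r", encoding="utf-16", newline="") as fh:
        for row in csv.reader(fh):
            if not row or row == names:  # skip blank lines and the header row
                continue
            yield dict(zip(names, row))


def load_directory(log_dir, db_path=":memory:"):
    """Import every *Log_*.csv in log_dir into one table per log type, tagging each
    row with the file it came from so a record can be traced back to its day."""
    con = sqlite3.connect(db_path)
    for log_type, names in FIELDS.items():
        cols = ", ".join('"%s" TEXT' % n for n in names)
        con.execute('CREATE TABLE IF NOT EXISTS "%s" (source TEXT, %s)' % (log_type, cols))
    for path in sorted(glob.glob(os.path.join(log_dir, "*Log_*.csv"))):
        log_type = log_type_of(path)
        names = FIELDS[log_type]
        placeholders = ", ".join("?" * (len(names) + 1))
        con.executemany('INSERT INTO "%s" VALUES (%s)' % (log_type, placeholders),
                        ([os.path.basename(path)] + [r.get(n, "") for n in names]
                         for r in read_bes_csv(path)))
    con.commit()
    return con


def demo():
    """Constructed sample: one PINLog with a Body spanning two lines, loaded and
    queried by PIN. Returns the (Name.ID, Body) rows for that PIN."""
    d = tempfile.mkdtemp(prefix="besdemo_")
    header = '"' + '","'.join(FIELDS["PINLog"]) + '"\r\n'
    sample = header + (
        '"jdoe","2100ABCD","jdoe@example.com","PIN","2100EF01","","","2100ABCD","hi",'
        '"line one\r\nline two","2007-09-27 10:01:02","2007-09-27 10:01:05","Sent","Send","1"\r\n'
        '"asmith","2100EF01","asmith@example.com","PIN","2100ABCD","","","2100EF01","re: hi",'
        '"ok","2007-09-27 10:02:02","2007-09-27 10:02:05","Received","Receive","2"\r\n'
    )
    with open(os.path.join(d, "PINLog_20070927.csv"), "w", encoding="utf-16", newline="") as fh:
        fh.write(sample)
    con = load_directory(d)
    return con.execute('SELECT "Name.ID", "Body" FROM "PINLog" WHERE "PIN" = ?',
                       ("2100ABCD",)).fetchall()


if __name__ == "__main__":
    for name_id, body in demo():
        print(name_id, repr(body))
```

Point load_directory() at the copied log directory and a file path instead of ":memory:" to keep the database; every table carries the same column names as the csv headers, so queries read naturally against the field list above.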

Depending on the current configuration of the blackberry server after the date in question, or on the changes you make to a server now in preparation (if you are internal), a large amount of responsive data that the user may not believe exists will be available to you. Don't expect your blackberry admin to be aware of this data existing, but make sure to ask for a copy of the log directory regardless.


Using OWA logs to make your Civil Case by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Readers,

I will not be talking about OWA every time.

In our prior time together we discussed parsing OWA logs to determine who has been accessing someone else's account. For criminal prosecution (unauthorized access) or internal investigations this might be enough, but for investigations involving the civil court system you need to show that the information accessed, and the time it was accessed, corresponds to some claim such as tortious interference.

The same OWA logs we looked at last time will allow you to do this, with some caveats. When you see a single entry to access an item such as:

" /exchange/USA/Attach/read.asp?obj=000000007C6A5AC4439BD948B2EDEC2B4701083907007DC649E6901ED711982E0002B3A2389C000000C0411400007DC649E6901ED711982E0002B3A2389C0000013340B20000&att=ATT-0-C9D9D5C63632DD439C1AF3C6A4B4AF8A-TOD9D1%7E1.PPT"

This is a request to open up an email attachment; the obj shown here in the query is a unique identifier for the item within the exchange database. This means that if you replay that url while, and this is important, logged in as that user, you will be able to bring up the exact same message that was viewed at that time (if it was not deleted).


If you attempt to access this object while logged in as any other user it will deny you, even if you log in as the administrator. If you want to make sure the messages exist (meaning not deleted), restore the exchange server from a backup tape covering the time period in which the message was viewed and replay the url against the restored server.

These are the asp pages that can be called by an OWA user, according to about two years' worth of logs from one case I worked:

/exchange/USA/LogonFrm.asp
/exchange/USA/root.asp
/exchange/USA/Navbar/nbInbox.asp
/exchange/USA/inbox/main_fr.asp
/exchange/USA/inbox/peerfldr.asp
/exchange/USA/inbox/title.asp
/exchange/USA/inbox/messages.asp
/exchange/USA/inbox/commands.asp
/exchange/USA/forms/IPM/NOTE/frmRoot.asp
/exchange/USA/forms/IPM/NOTE/read.asp
/exchange/USA/logoff.asp
/exchange/USA/Attach/read.asp
/exchange/USA/logon.asp
/exchange/USA/forms/IPM/NOTE/commands.asp
/exchange/USA/forms/IPM/NOTE/cmpTitle.asp
/exchange/USA/forms/IPM/NOTE/cmpMsg.asp
/exchange/USA/errinbox.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/frmRoot.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/read.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/commands.asp
/exchange/USA/options/set.asp
/exchange/USA/calendar/main_fr.asp
/exchange/USA/calendar/title.asp
/exchange/USA/calendar/events.asp
/exchange/USA/calendar/appts.asp
/exchange/USA/calendar/pick.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/frmRoot.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/commands.asp
/exchange/USA/contacts/main_fr.asp
/exchange/USA/contacts/title.asp
/exchange/USA/contacts/peerfldr.asp
/exchange/USA/contacts/messages.asp
/exchange/USA/contacts/commands.asp
/exchange/USA/finduser/root.asp
/exchange/USA/finduser/fumid.asp
/exchange/USA/finduser/fumsgdef.asp
/exchange/USA/finduser/fumsg.asp
/exchange/USA/finduser/details.asp
/exchange/USA/forms/REPORT/DR/frmRoot.asp
/exchange/USA/tshoot.asp

Of these we care about the following:

This is a user logging in - /exchange/USA/LogonFrm.asp
This is a user requesting to read a specific message - /exchange/USA/forms/IPM/NOTE/read.asp
This is a user opening an attachment - /exchange/USA/Attach/read.asp
This is a user composing a new message - /exchange/USA/forms/IPM/NOTE/cmpMsg.asp
This is a user reading a meeting request - /exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp

If you parse out just these commands, identified by the logged-in user, you can see what specific emails, meetings and attachments a webmail user viewed, created or sent using OWA, and the time at which they did so. Using these times and matching the ip address to the suspect, you can then connect the information accessed, to the time it was accessed, to the benefit they received by having that information at that time.

As an example, in the case Exel Transportation Services Inc v. Total Transportation Services LLC et al (3:06-cv-00593) I used this to uncover a large industrial espionage case. First I used the program in the prior post to find which accounts were being used to access other email accounts in the system.


Then I looked up the IP addresses and found out one of them was actually registered directly on ARIN to one of the ex-executives of Exel. We then broke out just the accesses made by those accounts (I mean, really, why else would the blackberry server administrative account or the voicemail server be logging into a website... something we had to explain to counsel) into a database divided up by type of item accessed (email, attachment, calendar).


The next part was more difficult, we had to replicate their exchange network, AD controller, etc.. to restore their exchange server backups and replay those months to find out what our suspects were viewing. This included almost every decision maker within exel and according to the filings I read about $120 million dollars in lost business as they were able to read the contracts sent to customers during a bidding process and always beat them. 


We fed the urls into a GUI automation tool that would interact with the web browser and save the emails and attachments into MHT (full website archive) files for the lawyers review. I couldn't within the time frame get a pure perl program to work the way I needed it to.


For more information read this news article:

http://www.bizjournals.com/memphis/stories/2006/08/21/daily30.html


 

The case was settled out of court with a public apology written by TTS. The final stone in my understanding that led to settlement was when we matched the TTS OWA logs to the Exel OWA logs and showed the suspects logged into the TTS server with their real user name, with the same ip and at the same date/time, as they were logged into the Exel OWA server with their administrative accounts.

I hope this was useful, I can post parsers I wrote if you think it would help you in the future.

Outlook Web Access Log Analysis by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,

In this post, I'd like to discuss log analysis on Outlook Web Access servers. I've successfully used OWA log analysis in the past to quickly determine who has been reading mailboxes other than their own. Two pieces of information that exist by default in the logs of a standard OWA installation allow this.

The first is that OWA uses NTLM authentication for web mail users who log in, and the domain and username authenticated are stored in the logs in the cs-username field in the format "domain\username"; remember this field will only be populated if the user successfully authenticated, otherwise it will be filled with "-". The second is that the mailbox accessed is stored in the cs-uri-query field in the logs and will look something like "isnewwindow=0&mailbox=username". By comparing the authenticated NTLM username to the username of the mailbox requested we can write some pretty easy code to determine who has been accessing, or attempting to access, the mailboxes of other users.

First things first, we need the OWA logs themselves. They should be located in the "%systemroot%\system32\logfiles" directory, usually in W3SVC1 if it's the first default web created. Once we have them we need to either copy or export the log files in that directory from the image. Our first bit of code reads the contents of the directory:


my $dirtoget = ".";   # the compiled version searches the directory it is run from
opendir(IMD, $dirtoget) || die("Cannot open directory");
@thefiles = readdir(IMD);
closedir(IMD);
open(OUTFILE, ">report.csv") || die("Cannot create report.csv");

foreach $file (@thefiles)
{
    next unless -f "$dirtoget/$file";   # skip ".", ".." and sub-directories
    print "my file: $file\n";
    open(FILE, "$dirtoget/$file") || die("Cannot open $file");
}
Next we need to do something with these files. We want to parse each line looking for people accessing mailboxes:

while (<FILE>)
{
    # One IIS W3C log line: date time c-ip cs-username s-sitename s-computername s-ip s-port
    # cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes
    # time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
    if ($_ =~ m/^([0-9\-]+ [0-9:]+) ([0-9.]+) ([^ ]+) [^ ]+ [^ ]+ [0-9.]+ [0-9]+ (GET|POST) ([^ ]+) isnewwindow=0&mailbox=([^ ]+) ([1-3][0-9][0-9]) [0-9] [0-9]+ [0-9]+ [0-9]+ HTTP.+ [^ ]+ ([^ ]+) ([^ ]+) (.+)$/i)
    {
        my ($access, $ip, $username, $method, $url, $query, $status, $useragent, $cookie, $referer) =
            ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
    }
}

Next we want to see if the username they authenticated with matches the username of the mailbox they requested. If it does, move on and print a . to the screen so we can see some activity. If it does not, print a ! to the screen and write the resulting access to a separate file.

# inside the if block above, once the fields have been captured
if ($username !~ m/$query/i)
{
    print OUTFILE "$access, $ip, $username, $query, $status\n";
    print "!";
}
else
{
    print ".";
}

We can also store a unique list of these users in a hash so we can get a list of offenders to review. Additionally, in larger cases you could store all of this in a database table so you can begin to run queries by time period and users affected, and start breaking out what messages, attachments, tasks and calendar items have been accessed.

I have posted the raw perl code and the windows compiled executable for this. For the windows executable I made it just search the same directory the executable is in, so just copy it into the directory with the logs and run it. Load up the report.csv file and find out who your suspects are.
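As an added example (my code, not the perl from either OWA post), the following Python does both jobs discussed on this page: the mailbox-mismatch check from this post and the sorting of LogonFrm.asp, read.asp, Attach/read.asp, cmpMsg.asp and mrread.asp requests per user from the civil-case post. It reads the column layout from the log's #Fields directive rather than a fixed regex, compares the account name to the mailbox parameter exactly instead of as a regex (the perl's $username !~ m/$query/i treats the mailbox as a pattern, so a user "john" opening mailbox "jo" would print a "." rather than a "!"), and pulls out the obj identifier for later replay as that user. SAMPLE_LOG is a constructed IIS log, not from any case; the five page paths are the ones listed on this page.

```python
"""OWA log analysis over IIS W3C logs: cross-mailbox access and items viewed per user (added example)."""
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (not taken from any case).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 08:15:02 10.1.1.50 CORP\\jdoe GET /exchange/USA/LogonFrm.asp - 200
2006-03-01 08:15:10 10.1.1.50 CORP\\jdoe GET /exchange/USA/inbox/main_fr.asp isnewwindow=0&mailbox=jdoe 200
2006-03-01 08:16:40 10.1.1.50 CORP\\jdoe GET /exchange/USA/inbox/main_fr.asp isnewwindow=0&mailbox=asmith 200
2006-03-01 08:17:01 10.1.1.50 CORP\\jdoe GET /exchange/USA/forms/IPM/NOTE/read.asp obj=00000000AABBCCDD 200
2006-03-01 08:17:30 10.1.1.50 CORP\\jdoe GET /exchange/USA/Attach/read.asp obj=00000000AABBCCDD&att=ATT-0-CONSTRUCTED 200
2006-03-01 08:20:00 10.1.1.51 - GET /exchange/USA/LogonFrm.asp - 401
2006-03-01 08:20:05 10.1.1.51 CORP\\asmith GET /exchange/USA/inbox/main_fr.asp isnewwindow=0&mailbox=asmith 200
"""

# The pages the civil-case post singles out, keyed by what the request means.
PAGES_OF_INTEREST = {
    "/exchange/USA/LogonFrm.asp": "logon",
    "/exchange/USA/forms/IPM/NOTE/read.asp": "read_message",
    "/exchange/USA/Attach/read.asp": "open_attachment",
    "/exchange/USA/forms/IPM/NOTE/cmpMsg.asp": "compose_message",
    "/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp": "read_meeting_request",
}


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive.
    Taking the layout from the directive survives a changed IIS logging
    configuration, which a regex with fixed column positions does not."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def account_name(cs_username):
    """'CORP\\jdoe' -> 'jdoe'; '-' (request not authenticated) -> None."""
    if cs_username in ("", "-"):
        return None
    return cs_username.split("\\")[-1]


def query_params(record):
    """cs-uri-query as a dict of single values ('-' means no query string)."""
    q = record.get("cs-uri-query", "-")
    if q == "-":
        return {}
    return {k: v[0] for k, v in parse_qs(q, keep_blank_values=True).items()}


def cross_mailbox_accesses(records):
    """Requests where the NTLM-authenticated user asked for someone else's mailbox.
    Exact, case-insensitive comparison, so a longer account name never hides a
    shorter mailbox name the way a substring or regex match would."""
    hits = []
    for r in records:
        user = account_name(r.get("cs-username", "-"))
        mailbox = query_params(r).get("mailbox")
        if user and mailbox and user.lower() != mailbox.lower():
            hits.append(dict(r, account=user, mailbox=mailbox))
    return hits


def classify_items(records):
    """Authenticated requests for the pages of interest, with the obj id that
    identifies the Exchange item so it can be replayed later as that user."""
    items = []
    for r in records:
        kind = PAGES_OF_INTEREST.get(r.get("cs-uri-stem", ""))
        user = account_name(r.get("cs-username", "-"))
        if kind is None or user is None:
            continue
        items.append({"when": "%s %s" % (r["date"], r["time"]), "account": user,
                      "ip": r.get("c-ip"), "kind": kind,
                      "obj": query_params(r).get("obj"), "status": r.get("sc-status")})
    return items


def analyze(lines):
    """Run both checks over an iterable of log lines (a file object works too)."""
    records = list(parse_w3c(lines))
    return {"records": records,
            "cross_mailbox": cross_mailbox_accesses(records),
            "items": classify_items(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for h in result["cross_mailbox"]:
        print("! %s %s %s opened mailbox %s from %s" % (h["date"], h["time"], h["account"], h["mailbox"], h["c-ip"]))
    for i in result["items"]:
        print("%s %s %s %s obj=%s" % (i["when"], i["account"], i["kind"], i["ip"], i["obj"]))
```

Feed analyze() the concatenated ex*.log files from W3SVC1 and write the two result lists to csv or a database; the "items" rows keyed by account, time and ip are exactly what the civil-case post says you need to tie an access to a benefit, and the obj values are what you replay against a restored server while logged in as that account.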