This second of two parts on practical forensics illustrates a means for detecting a type of "technical" activity as mentioned in the CERT study: “Organizations failed to detect or ignored policy rules such as forbidden downloads”. In the previous blog, I referred to this as red flag #5. For illustrative purposes, we are going to check for a user searching for and downloading password cracking tools or illegal software key generator utilities. If detected, there's a high probability that the user will actually use such a tool.
One of the things I love about advanced network analysis and forensics tools is the ability to easily apply custom filters and triggers to find stuff inside packets. Triggers are a special case of filters that allow us to “trigger” the start of a packet capture and/or send an alert when the filter matches while we are capturing in real time.
In this case, we are going to take advantage of a special capability of the analyzer to search for an arbitrary word or pattern anywhere in a packet. This “sliding pattern match” does not require any prior knowledge of where the pattern might be. To optimize performance a bit, we are going to start at offset 54 inside the packet (the 14-byte Ethernet header plus a 20-byte IP header and a 20-byte TCP header without options), which tells the analyzer to start at the beginning of the TCP payload for any upper layer protocol. No sense in wasting CPU cycles looking for application data in the data link, IP, and TCP headers.
The screenshot you see here (from WildPackets OmniPeek) shows such a filter, using a combination of AND along with OR conditions. We start out by looking for the words ‘password’ or ‘key’. If ‘password’ is found, it must also match (AND) one of the words or patterns ‘crack’ OR ‘krack’ OR ‘recover’. Thus phrases like password crack, password krack, password recover, password recovery (or the reverse order) will be found. Likewise for ‘key serial’ <number>, ‘key generator’, ‘keygen’, and so on. I’ve also told the analyzer to ignore case.
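The same Boolean filter, written out in Python as an added example (it is not code from the original post or from WildPackets, and the regular expressions, the frame builder and the sample payloads are my own assumptions about what the OmniPeek filter does). It builds a few constructed Ethernet/IPv4/TCP frames, applies the case-insensitive sliding match from offset 54 as the post describes, and also computes the real payload offset from the IP IHL and TCP data-offset fields so you can see where the fixed 54 lands when TCP options are present.

```python
"""Re-implementation of the post's 'password/keygen' packet filter (added example)."""
import re
import struct
from typing import Optional

# Filter terms from the post, compiled case-insensitively and applied anywhere
# in the searched bytes (a "sliding" match with no fixed position).
PASSWORD = re.compile(rb"password", re.IGNORECASE)
CRACK = re.compile(rb"crack|krack|recover", re.IGNORECASE)
KEY = re.compile(rb"key", re.IGNORECASE)
KEYGEN = re.compile(rb"serial|generator|keygen", re.IGNORECASE)

FIXED_OFFSET = 54  # 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP, no options (as in the post)


def matches_filter(data: bytes) -> bool:
    """(password AND (crack OR krack OR recover)) OR (key AND (serial OR generator OR keygen))."""
    if PASSWORD.search(data) and CRACK.search(data):
        return True
    return bool(KEY.search(data) and KEYGEN.search(data))


def payload_offset(frame: bytes) -> int:
    """Real start of the TCP payload, read from the IPv4 IHL and TCP data-offset
    fields, so IP/TCP options are accounted for (the fixed 54 assumes none)."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 6:
        raise ValueError("not a TCP segment")
    tcp_start = 14 + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4  # TCP header length in bytes
    return tcp_start + data_offset


def scan_frame(frame: bytes, offset: Optional[int] = None) -> bool:
    """Apply the filter from `offset` (default: the computed payload start)."""
    start = payload_offset(frame) if offset is None else offset
    return matches_filter(frame[start:])


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed test frame (not captured traffic): Ethernet II + IPv4 + TCP.
    Checksums are left at zero; they do not affect pattern matching."""
    assert len(tcp_options) % 4 == 0
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(tcp_options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    data_off = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 0, data_off << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload


# Constructed sample payloads: a search-engine query, a keygen site's page, and
# an unrelated intranet request that must not fire.
SEARCH_QUERY = b"GET /search?q=Password+Cracker+download HTTP/1.1\r\nHost: example.test\r\n\r\n"
KEYGEN_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<title>Free KeyGen and serial keys</title>"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
# Two NOPs plus a 10-byte TCP timestamp option (12 bytes), as a real stack would send.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"


def demo() -> dict:
    """Run the filter over the constructed frames and report what fired and where."""
    plain = build_frame(SEARCH_QUERY)
    with_opts = build_frame(SEARCH_QUERY, TS_OPTION)
    return {
        "search_hit": scan_frame(plain, FIXED_OFFSET),
        "keygen_hit": scan_frame(build_frame(KEYGEN_PAGE), FIXED_OFFSET),
        "benign_hit": scan_frame(build_frame(BENIGN), FIXED_OFFSET),
        "offset_plain": payload_offset(plain),
        "offset_with_options": payload_offset(with_opts),
        # Starting at 54 lands inside the TCP options here, but the sliding
        # match still reaches the payload, so nothing is missed.
        "search_hit_with_options_fixed": scan_frame(with_opts, FIXED_OFFSET),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noting from running it: the fixed offset 54 is a lower bound for Ethernet/IPv4/TCP, so longer headers only mean the match starts a few bytes early, and the filter only sees cleartext. On a TLS-encrypted session the words are not present in the TCP payload, so the same logic would have to be applied where the traffic is in the clear (a web proxy, or the endpoint itself).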
Test it by searching on-line with your favorite search engine (which will trigger a hit right there) or going to any website containing such tools. The filter and/or trigger will hit immediately – even if the tool is named something else, purveyors of such tools love to fill up their underlying web site code with keywords to gain search engine positioning.
This is the tip of the iceberg when it comes to real-time or forensic data mining. Such tools can be invaluable in helping you effectively combat potential sabotage and espionage in your network. For more ideas, check out the forensics filters available for download at the WildPackets Developer Network (registration is free, but a login is required).