U.S. Secret Service Network Intrusion Responder Program (NITRO) Course

National Computer Forensics Institute

Instructor’s Manual

  • 155 pages
  • For Official Use Only
  • Law Enforcement Sensitive
  • May 2, 2008
Download 1.95 MB
Student Coursebook Vol.1

  • 233 pages
  • For Official Use Only
  • Law Enforcement Sensitive
  • January 2009
Download 2.43 MB
Student Coursebook Vol.2

  • 435 pages
  • For Official Use Only
  • Law Enforcement Sensitive
  • January 2009
Download 10.53 MB
NITRO Course Slides

  • 1378 pages
  • January 2009
Download 8.13 MB
Classroom network configuration

  • 2 pages
Download 131.1 KB
Zip file containing all five documents Download 20 MB

Course Introduction

Classification: Information contained in this instruction is UNCLASSIFIED. However, certain methodologies are Law Enforcement Sensitive.

Introduction

NITRO is a three-week course consisting of 14 days of lessons, incremental practical exams and a final practical exam.

Objective of this Course

NITRO is designed to introduce the officer to basic network intrusion investigation techniques.

Learning Outcomes

After completing this course the trained officer should be able to successfully conduct a network intrusion investigation.

Course Protocols

Information contained in each section of this student book is presented in sequential order so that knowledge gained from later lessons is built on a foundation of what was learned earlier. Other course protocols include the following:

  • Practical exercises – Instructors will provide directives and handouts for practical exercises completed in the lab.
  • Appendices – Include course related materials provided by the instructors.

Practical Exercises

Practical exercises in NITRO are hands-on. Each exercise is instructor-directed. In the exercises, students will:

  • Perform network wiring and connecting activities
  • Conduct manual log analysis
  • Use automated log analysis tools
  • Perform “Live” network gathering and analysis activities

In addition, every morning the students will have an opportunity to ask questions and/or review materials discussed on the previous day. This keeps the instruction fresh and helps students build practical connections to the training.

Network Intrusion Responder Program (NITRO)

NITRO Book I
Windows Operating System
Introduction to Networks
Network Connectivity and Protocols
IP Addresses and Subnets
Common Network Crimes
Phases of an Intrusion

NITRO Book II
Report Writing
Legal Issues
Fundamentals of Log Analysis
Log Sources
Log Analysis
LiveWire Investigations
Appendices

Table of Contents – Book I

Module 1 – Windows Operating System ………………………………. 1-1
Lesson 1 – Windows Operating System Basics ……………………………………………. 1-3
File Systems ……………………………………………………………………………………… 1-4
Operating System Installation ……………………………………………………………… 1-8
Operating System Updates ………………………………………………………………… 1-11
Module 2 – Introduction to Networks …………………………………… 2-1
Lesson 1 – Networks Basics ………………………………………………………………………. 2-3
Introduction to Networks ……………………………………………………………………. 2-4
Network Types ………………………………………………………………………………….. 2-6
Network Categories …………………………………………………………………………… 2-9
Lesson 2 – Network Technologies ……………………………………………………………. 2-11
Introducing Network Technologies ……………………………………………………. 2-12
Lesson 3 – Network Topologies ……………………………………………………………….. 2-15
Topologies Defined ………………………………………………………………………….. 2-16
Lesson 4 – Network Architecture ……………………………………………………………… 2-25
Introduction to Network Architecture …………………………………………………. 2-26
Ethernet ………………………………………………………………………………………….. 2-27
Token Ring……………………………………………………………………………………… 2-29
Fiber Distributed Data Interface (FDDI) …………………………………………….. 2-30
Asynchronous Transfer Mode (ATM) ………………………………………………… 2-31
Broadband ………………………………………………………………………………………. 2-32
Lesson 5 – The OSI Model………………………………………………………………………. 2-35
OSI Model Overview ……………………………………………………………………….. 2-36
OSI Model Layers ……………………………………………………………………………. 2-39
Module 3 – Network Connectivity and Protocols …………………… 3-1
Lesson 1 – Network Connectivity ………………………………………………………………. 3-3
Network Connectivity ………………………………………………………………………… 3-4
Network Transmission Media ……………………………………………………………… 3-5
Network Devices ……………………………………………………………………………… 3-10
Wireless Media ……………………………………………………………………………….. 3-18
Lesson 2 – Network Configuration Models ……………………………………………….. 3-23
Introduction to Network Models ………………………………………………………… 3-24
Lesson 3 – Network Protocols………………………………………………………………….. 3-27
Protocols ………………………………………………………………………………………… 3-28
TCP/IP……………………………………………………………………………………………. 3-29
Other Protocols ……………………………………………………………………………….. 3-31
Lesson 4 – Wireless Networks …………………………………………………………………. 3-35
About Wireless Networks …………………………………………………………………. 3-36
Types of Wireless Networks ……………………………………………………………… 3-37
Hardware Components……………………………………………………………………… 3-38
Security Concerns ……………………………………………………………………………. 3-40
Vulnerabilities …………………………………………………………………………………. 3-45
Module 7 – IP Addresses and Subnets ………………………………….. 4-1
Lesson 1 – IP Addresses ……………………………………………………………………………. 4-3
IP Address Basics ……………………………………………………………………………… 4-4
IP Address Classes …………………………………………………………………………….. 4-6
More about IP Addresses ……………………………………………………………………. 4-9
Lesson 2 – Ports …………………………………………………………………………………….. 4-13
Overview of Ports ……………………………………………………………………………. 4-14
How Ports are Used …………………………………………………………………………. 4-16
Configuring TCP/IP …………………………………………………………………………. 4-19
Lesson 3 – Subnets …………………………………………………………………………………. 4-21
Subnet Overview ……………………………………………………………………………… 4-22
Subnet Masks ………………………………………………………………………………….. 4-24
Virtual LAN ……………………………………………………………………………………. 4-25
Lesson 4 – Network Security …………………………………………………………………… 4-27
Data Encryption ………………………………………………………………………………. 4-28
Anti-Virus Software …………………………………………………………………………. 4-29
Firewalls …………………………………………………………………………………………. 4-30
IDS ………………………………………………………………………………………………… 4-37
Logs……………………………………………………………………………………………….. 4-39
Network Security Summary ………………………………………………………………. 4-41
Module 5 – Common Network Crimes …………………………………. 5-1
Lesson 1 – E-mail Scams ………………………………………………………………………….. 5-3
Overview of E-mail Scams …………………………………………………………………. 5-4
Attack Methodologies ………………………………………………………………………… 5-5
Investigative Response……………………………………………………………………….. 5-7
Lesson 2 – Online Fraud …………………………………………………………………………… 5-9
Online Fraud Overview…………………………………………………………………….. 5-10
Attack Methodologies ………………………………………………………………………. 5-11
Investigative Responses ……………………………………………………………………. 5-13
Lesson 3 – Identity Theft…………………………………………………………………………. 5-15
Identity Theft ………………………………………………………………………………….. 5-16
Investigative Responses……………………………………………………………………… 5-18
Lesson 4 – Social Threats ………………………………………………………………………… 5-19
Social Threats………………………………………………………………………………….. 5-20
Attack Methodologies ………………………………………………………………………. 5-21
Investigative Responses ……………………………………………………………………. 5-22
Lesson 5 – Internal Threats ……………………………………………………………………… 5-23
Internal Threats Overview ………………………………………………………………… 5-24
Investigative Responses ……………………………………………………………………. 5-26
Lesson 6 – Malicious Code ……………………………………………………………………… 5-27
Malicious Code Attacks ……………………………………………………………………. 5-28
Investigative Responses ……………………………………………………………………. 5-29
Lesson 7 – Denial of Service Attacks ……………………………………………………….. 5-31
Denial of Service……………………………………………………………………………… 5-32
Investigative Responses ……………………………………………………………………. 5-33
Lesson 8 – Extortion……………………………………………………………………………….. 5-35
Extortion on the Internet …………………………………………………………………… 5-36
Investigative Responses ……………………………………………………………………. 5-38
Lesson 9 – Network Attacks ……………………………………………………………………. 5-39
Network vs. System Level Attacks …………………………………………………….. 5-40
Investigative Responses ……………………………………………………………………. 5-41
Lesson 10 – Terrorism …………………………………………………………………………….. 5-43
Extortion on the Internet …………………………………………………………………… 5-44
Investigative Responses ……………………………………………………………………. 5-45
Module 6 – Phases of an Intrusion ……………………………………….. 6-1
Lesson 1 – Defining an Intrusion ……………………………………………………………….. 6-3
Definition of an Intrusion……………………………………………………………………. 6-4
Goals of an Intrusion ………………………………………………………………………….. 6-5
Attacker Profiles ……………………………………………………………………………….. 6-6
Phases of an Intrusion ………………………………………………………………………… 6-9
Lesson 2 – Reconnaissance ……………………………………………………………………… 6-11
Goals ……………………………………………………………………………………………… 6-12
Strategies ………………………………………………………………………………………… 6-13
Techniques – General Web Browsing and Searching……………………………. 6-14
Techniques – Public Records and Archives Search ………………………………. 6-15
Techniques – Target Web Site Examination ……………………………………….. 6-18
Techniques – Identifying Physical Attack Vectors ……………………………….. 6-20
Techniques – Live Host Identification ………………………………………………… 6-22
Techniques – Identifying Available Protocols/Ports …………………………………………….. 6-23
Techniques – Type and Version Identification …………………………………….. 6-25
Techniques – Vulnerability Scans ……………………………………………………… 6-26
Lesson 3 – Network Attacks ……………………………………………………………………. 6-29
Goals ……………………………………………………………………………………………… 6-30
Strategic Categories …………………………………………………………………………. 6-31
Strategies – Authentication Attacks ……………………………………………………. 6-32
Techniques – Factor Guessing/Cracking …………………………………………….. 6-33
Techniques – Credential Recovery/Reset ……………………………………………… 6-37
Techniques – Credential Injection ……………………………………………………… 6-39
Techniques – Credential Theft …………………………………………………………… 6-40
Strategies – Unexpected Input …………………………………………………………… 6-41
Techniques – Excessive Input ……………………………………………………………. 6-42
Techniques – Excessive Input / Buffer Overflows ……………………………….. 6-43
Techniques – Unexpected Input Content / XSS Attacks ……………………….. 6-44
Lesson 4 – Entrenchment ………………………………………………………………………… 6-45
Goals ……………………………………………………………………………………………… 6-46
Strategies ………………………………………………………………………………………… 6-47
Techniques – Log Cleaning ………………………………………………………………. 6-48
Techniques – Automatic Execution ……………………………………………………. 6-50
Techniques – Hooking ……………………………………………………………………… 6-52
Techniques – File Type Manipulation ………………………………………………… 6-54
Techniques – Naming Conventions and Placement………………………………. 6-55
Techniques – Remote Connectivity ……………………………………………………. 6-58
Techniques – File System Date/Time Stamp Manipulation …………………… 6-62
Privilege Escalation …………………………………………………………………………. 6-63
Lesson 5 – Infiltration and Extraction ……………………………………………………….. 6-67
Sniffers …………………………………………………………………………………………… 6-68
Trust Relationships ………………………………………………………………………….. 6-69
Data Extraction ……………………………………………………………………………….. 6-70

Table of Contents – Book II

Module 7 – Report Writing …………………………………………………. 7-1
Lesson 1 – Defining an Intrusion ……………………………………………………………….. 7-3
The Forensic Report …………………………………………………………………………… 7-4
Examiner Notes …………………………………………………………………………………. 7-5
Forensic Reporting …………………………………………………………………………….. 7-6
Title Page …………………………………………………………………………………………. 7-8
Items Analyzed ……………………………………………………………………………….. 7-10
Relevant Software ……………………………………………………………………………. 7-11
Glossary …………………………………………………………………………………………. 7-12
Details of Findings …………………………………………………………………………… 7-13
Items Provided ………………………………………………………………………………… 7-16
Creating a Hyperlink in Microsoft Word …………………………………………….. 7-17
Lesson 2 – Cyber Crime Interviews ………………………………………………………….. 7-19
Cyber Crime Interviews ……………………………………………………………………. 7-20
Interview Process …………………………………………………………………………….. 7-22
Module 8 – Legal Issues ……………………………………………………… 8-1
Lesson 1 – Search Warrants ………………………………………………………………………. 8-3
Search Warrants ………………………………………………………………………………… 8-4
Search Warrant Exceptions ……………………………………………………………….. 8-10
Consent Searches …………………………………………………………………………….. 8-11
Search Incident to Arrest or Apprehension ………………………………………….. 8-14
Other Search Warrant Exceptions ………………………………………………………. 8-16
Lesson 2 – Internet Service Providers ……………………………………………………….. 8-19
Legal Framework …………………………………………………………………………….. 8-20
Express Consent ………………………………………………………………………………. 8-24
Written Consent ………………………………………………………………………………. 8-26
Preservation Letters …………………………………………………………………………. 8-29
Subpoena ………………………………………………………………………………………… 8-30
Search Warrant………………………………………………………………………………… 8-31
Available Data ………………………………………………………………………………… 8-32
Module 9 – Fundamentals of Log Analysis……………………..9-1
Lesson 1 – Understanding Network Traffic …………………………………………………. 9-3
Overview of Network Traffic ……………………………………………………………… 9-4
Investigation Techniques ……………………………………………………………………. 9-5
Lesson 2 – The Scientific Method and Intrusion Analysis …………………………….. 9-9
Overview of the Scientific Method …………………………………………………….. 9-10
Digital Forensic Analysis and the Scientific Method ……………………………. 9-12
Lesson 3 – Observing Intrusion-related Activity and Generating a Hypothesis . 9-15
Common Observations……………………………………………………………………… 9-16
Hypothesis Formation ………………………………………………………………………. 9-19
Incident Classification ……………………………………………………………………… 9-21
Lesson 4 – Predicting the Nature and Location of Intrusion Artifacts ……………. 9-25
Predicting the Nature and Location of Intrusion Artifacts……………………… 9-26
Relating Observed Events to Network Services and Traffic Types ………… 9-27
Mapping Observed Activity to Traffic Flow ……………………………………….. 9-29
Using Traffic Flow and Service Type to Predict Artifact Location …………. 9-33
Lesson 5 – Using Log Analysis to Evaluate an Intrusion Hypothesis ……………. 9-37
Hypothesis Evaluation ……………………………………………………………………… 9-38
Acquiring Target Log Files ……………………………………………………………….. 9-39
Reviewing Target Log Formats …………………………………………………………. 9-40
Establishing Search/Extraction Criteria ………………………………………………. 9-41
Searching Target Logs and Extracting Relevant Data …………………………… 9-42
Recording and Correlating Findings …………………………………………………… 9-43
Keeping Track of New Leads ……………………………………………………………. 9-45
Module 10 – Log Sources …………………………………………………. 10-1
Lesson 1 – Windows Log Sources ……………………………………………………………. 10-3
Windows Logs ………………………………………………………………………………… 10-4
Windows Services Logs ……………………………………………………………………. 10-6
Lesson 2 – Linux Log Sources …………………………………………………………………. 10-9
Linux Logs ……………………………………………………………………………………. 10-10
Lesson 3 – Solaris Log Sources ……………………………………………………………… 10-13
Solaris Logs ………………………………………………………………………………….. 10-14
Lesson 4 – Log Searching ……………………………………………………………………… 10-15
Log Searching ……………………………………………………………………………….. 10-16
Regular Expressions……………………………………………………………………….. 10-17
Regular Expressions: Literal Characters ……………………………………………. 10-18
Lesson 5 – IDS Logs …………………………………………………………………………….. 10-19
IDS Logs ………………………………………………………………………………………. 10-20
Module 11 – Log Analysis ………………………………………………… 11-1
Lesson 1 – Binary Traffic Analysis …………………………………………………………… 11-3
Introduction to Wireshark …………………………………………………………………. 11-4
Converting Binary Logs to Text Format ……………………………………………… 11-5
Filtering and Searching in Wireshark …………………………………………………. 11-6
Filtering Data during Capture with Wireshark …………………………………….. 11-7
Filtering Displayed Data in Wireshark ……………………………………………….. 11-8
Colorizing Data Using Filters in Wireshark ………………………………………. 11-14
Searching in Wireshark …………………………………………………………………… 11-16
Generating Statistics with Wireshark………………………………………………… 11-17
Exporting Data from Wireshark……………………………………………………….. 11-22
Lesson 2 – Manual Log Analysis ……………………………………………………………. 11-23
Filtering and Searching Text Logs ……………………………………………………. 11-24
Deciding What to Search For …………………………………………………………… 11-25
Example Log …………………………………………………………………………………. 11-26
Lesson 3 – Automated Log Analysis Tools ……………………………………………… 11-29
What is Sawmill? …………………………………………………………………………… 11-30
Installing Sawmill ………………………………………………………………………….. 14-31
Network Log Analysis Using Sawmill ……………………………………………… 14-38
Module 15 – LiveWire Investigations …………………………………. 12-1
Lesson 1 – Data Collection ……………………………………………………………………… 12-3
Locating Physical Devices ………………………………………………………………… 12-4
Attaching Storage Equipment ……………………………………………………………. 12-6
Lesson 2 – Introduction to LiveWire ………………………………………………………… 12-9
Live Digital Investigations ………………………………………………………………. 12-10
LiveWire Installation ……………………………………………………………………… 12-13
LiveDiscover Installation ………………………………………………………………… 12-14
Updating LiveWire ………………………………………………………………………… 12-16
Updating LiveDiscover …………………………………………………………………… 12-17
LiveWire Initial Setup…………………………………………………………………….. 12-19
Lesson 3 – LiveDiscover ……………………………………………………………………….. 12-31
LiveDiscover Network Scanning ……………………………………………………… 12-32
Lesson 4 – Volatile Data Analysis …………………………………………………………… 12-39
LiveWire Initial Inquiry ………………………………………………………………….. 12-40
System State ………………………………………………………………………………….. 12-49
Current User Activity ……………………………………………………………………… 12-55
Active Network State ……………………………………………………………………… 12-68
Lesson 5 – Evidence Collection ……………………………………………………………… 12-73
File System Status ………………………………………………………………………….. 12-74
Physical vs. Logical ……………………………………………………………………….. 12-78
Collection and Preservation …………………………………………………………….. 12-84
Hashing ………………………………………………………………………………………… 12-88
Lesson 6 – Malicious Code Analysis ………………………………………………………. 12-93
Malicious Program Search ………………………………………………………………. 12-94
Lesson 7 – Alternate Data Collection Tools …………………………………………….. 12-99
Windows Forensic Toolkit …………………………………………………………….. 12-100
Helix …………………………………………………………………………………………… 12-103
Appendices ………………………………………………………………………. A-1
Appendix A – Intrusion Report Template …………………………………………………… A-1
Appendix B – Volatile Data Collection ……………………………………………………….B-1
Appendix C – Understanding Computer Hardware ……………………………………….C-1
Appendix D – Data Storage Components …………………………………………………… D-1
Appendix E – Input/Output Components …………………………………………………….. E-1
