Thursday, January 27, 2005

Locard's Exchange Principle in the Digital World

Ever been watching CSI and hear Grissom say something about "Locard's" or Nick say "possible transfer"? Like most people, you've probably just shrugged it off and not given it a second thought.

What is "Locard's"? From the Virginia Institute of Forensic Science and Medicine:

"Locard's Exchange Principle - Whenever two human beings come into contact, something from one is exchanged to the other, ie dust, skin cells, hair etc. "

Many of us are probably familiar with practical applications of this...give your wife or girlfriend a hug, and you may have a couple of her hairs on your jacket. But what does this mean to us in the digital world? Well, in essence, whenever two computers come "into contact" and interact, they exchange something from each other. This may appear in log files, and be visible in the output of commands.

There're a couple of really good ways to demonstrate this. First, take two Windows computers. Go to one, and then map a share from the other. If the audit policy is set properly on the second computer, you should see a login entry in the Security Event Log. If you type 'net session' on the second computer, you will see information (ie, the IP address of the first computer, etc.). If you type 'net use' on the first computer, information about the second computer will appear in the output of the command.

Another interesting way to demonstrate this is to open a netcat listener on computer A, then go to computer B, and use netcat to connect to the listener on computer A. If you set up the netcat listener on computer A using the necessary switches to open a command prompt upon connection (ie, '-e cmd.exe'), you can type commands like 'dir' and get a directory listing from computer A. Now, use pmdump.exe to dump the memory used by the netcat processes on each machine. Then use strings.exe to parse through the memory dumps, and see what you find. On the memory dump from computer A, you should see the IP address of computer B. Pretty neat, eh?

This is something to keep in mind when performing incident response and forensics investigations. On Windows systems in particular, there are many places where little bits and traces of 'contact' with other systems and devices are maintained. There are log files that few people know about, and there are Registry keys that hold information that can be of use. For example, on NT 4.0 (geez, remember NT??) the telnet client had a GUI. Everytime you connected to a system using the client, the name or IP address of the target system, and the port you were connecting to, was logged in a Registry key. The Registry key 'LastWrite' (similar to the last modification time on files...in fact, the LastWrite time is maintained in a FILETIME structure) time corresponded to the last system that the user tried to connect to.

This is just an example, and there are a lot of other keys that pertain to different activity. A lot of these different activities can be demystified with a little experimentation on your part, using a variety of monitoring tools.

Have you uncovered some interesting activity? How did you do this? Want to share your story? Better yet, want to get your research published?

1 comment:

Anonymous said...

Depending on how people log into search engines or respond to spam, it is possible to track use of porn sites by searching web site counters for either their coded email address or their IP address. This is especially useful for catching pedophiles viewing kiddie porn sites. A lot of those "users" do not realize that they have left their tracks on web site counters (if nowhere else). This is not nearly as sophisticated a comment as the entry on which I am commenting. I also realize that privacy issues are involved. I jsut think that some criminals have more privacy than they deserve.