Computer Crime Investigator's Toolkit: Part III

Tips on how to read Perl scripts; a networking fundamentals primer for the beginning investigator; and ways to trace email to its source.

By Enterprise Networking Planet Staff | Posted Feb 15, 2001


Perl Scripting

Perl is a programming language adept at processing lists and strings. If you want to search log files and output the information, Perl is a very useful tool. Some computer writers have characterized the language as the duct tape of computing. The New Hacker's Dictionary describes it as the "Swiss-Army Chainsaw." Its compactness, flexibility, and relative ease of use make it attractive to hackers of all persuasions.

While one doesn't have to be a master programmer to be a computer crime sleuth, being able to read code helps generate insight. If you find a Perl script useful for checking the aging of passwords, for example, understanding how the program works goes a long way toward implementing the tool properly. And, you learn during the process how to develop your own tools. Some investigators may prefer C or C++ as a starting point. That preference has some merit, since quite a few computer security tools are written in those languages. But the most important skill is to learn one language well and then build on that knowledge. More common ground exists between languages than you might realize.

The commonalities include:

  1. Comments. These lines of code document what is happening in the program. The compiler does not act on these lines, but they may be the most important lines of code. They serve as a record of why and how the program works. Perl tells the compiler that a line is a comment by beginning it with the pound sign, "#." (# This is an example of a comment line in Perl.) Learning to read comments tells a computer sleuth what's going on in a program.

  2. Conditionals. Acting as decision points in the program, they usually take the form of the IF, THEN, ELSE statement. In Perl the statement takes the form of:

    if ($a == 21) { print "Happy Birthday Scully!\n" }
    else { print "Mulder's been abducted!\n" }

  Notice the THEN is implied through using the braces (known as the "block"). The "==" simply means "equal to." The "\n" tells the compiler to start a new line after the string expression.

  3. Variables. "$a" is a variable. It is a place to store a value in memory. Perl identifies variables by beginning them with "$." $Rons_Paycheck_Amount is a variable in Perl. Perl declares or assigns variables by a simple statement, $Rons_Paycheck_Amount = 1000.00. You'll note the difference between the assignment operator "=" and the numeric comparison operator "==".

  4. Loops. When the need arises for the computer to do something repetitive, loops do the trick. A loop consists of a counter value, which tells a loop where to start counting from; a conditional statement, which tells the loop what conditions to terminate under; and an increment, which tells the loop at what rate to count down or up. A possible Perl loop would be:

    $Counter = 19;
    # This statement assigns the counter variable a starting value of 19.
    # Note most Perl statements end with the semicolon ";" unless terminated
    # by a block.
    while ($Counter > 0) {
        print "Still processing";
        $Counter -= 1;
    }
    # The "while" statement gives the terminating condition: the loop stops
    # when $Counter reaches zero.
    # The phrase "-= 1" is the declining increment, reducing the $Counter
    # variable by one each cycle of the loop.
    print "\n Counter reduced to zero.\n";
    # When the loop terminates, the last "print" statement executes.

Other commonalities include functions, which are subroutines, arrays and other data structures, and variations on conditionals and loops. But this very basic introduction gives you some starting points to commence reading Perl code. If you want to see some Perl security scripts for Unix/Linux, go to http://www.softpanorama.org/Security/perl_sec_scripts.shtml.
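To see the four building blocks above working together on the kind of job the article recommends Perl for (searching log files and reporting what you find), here is an added example that is not code from the original article. It counts failed password attempts per source address in a handful of constructed auth-log lines; the hostnames, user names, addresses and the alert threshold of 3 are all invented for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the article: comments, variables,
# conditionals and loops used together to count failed logins per
# source address in a few constructed log lines.
use strict;
use warnings;

# Constructed sample lines in the style of a Unix auth log. The hosts,
# users and addresses are invented for this example.
my @log_lines = (
    "Dec  1 05:04:58 host1 sshd[812]: Failed password for root from 10.0.0.5 port 4021 ssh2",
    "Dec  1 05:05:01 host1 sshd[813]: Failed password for admin from 10.0.0.5 port 4022 ssh2",
    "Dec  1 05:05:09 host1 sshd[814]: Accepted password for alice from 192.168.1.20 port 5100 ssh2",
    "Dec  1 05:05:30 host1 sshd[815]: Failed password for root from 10.0.0.5 port 4023 ssh2",
    "Dec  1 05:06:12 host1 sshd[816]: Failed password for guest from 172.16.4.9 port 6001 ssh2",
);

# count_failures: takes a list of log lines and returns a hash reference
# mapping each source IP to its number of failed password attempts.
sub count_failures {
    my @lines = @_;
    my %failures;                       # hash (associative array) keyed by IP

    # Loop: examine every line once.
    foreach my $line (@lines) {
        # Conditional: only failed-password lines matter here. The pattern
        # captures the IPv4 address that follows "from " into $1.
        if ($line =~ /Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)/) {
            my $ip = $1;                # $ip is a scalar variable
            $failures{$ip} += 1;        # "+= 1" increments the counter
        }
    }
    return \%failures;
}

my $threshold = 3;    # assumed alert level for this example
my $failures  = count_failures(@log_lines);

# Loop over the addresses we counted, highest count first.
foreach my $ip (sort { $failures->{$b} <=> $failures->{$a} } keys %$failures) {
    my $count = $failures->{$ip};
    if ($count >= $threshold) {
        print "$ip: $count failed logins -- at or above threshold $threshold\n";
    } else {
        print "$ip: $count failed login(s)\n";
    }
}
```

Run it with `perl count_failures.pl`; to point it at a real log, replace the constructed array with lines read from a file handle. The work is kept in a subroutine so the counting can be reused or tested separately from the printing, which is the habit that turns a one-off script into a tool.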



Networking Basics

Perhaps, with the exception of cryptography, no other area of computer security is as arcane as networking. Myriad acronyms dominate networking discussions. Problems often emerge at several levels of abstraction. Security holes are often subtle, missing the attention of even experienced analysts. Yet, every computer crime professional must have some grasp of networking, even though networking may not be the main focus of their work. Any computer crime may spill over into a network.

A good test of one's network security knowledge is to read Stephen Northcutt's article, "Intelligence Gathering Techniques" at http://www.microsoft.com/technet/security/intel.asp. He covers topics such as host mapping, ICMP echo requests, UDP echo requests, Broadcast ICMP, detection of scans, netmask-based broadcasts, port scans, scanning for a particular port, complex scripts, random port scans, FTP bounce, NetBios traces, stealth attacks, SYN/ACK, and inverse mapping.

If the article is a real head spin for you, it is time to do some networking study, which is nothing to be ashamed of. Many a network engineer and architect has reams of books to refer to on their desks; they are in them all the time just to do their daily jobs. Realizing what you don't know is a healthy approach in this business. (If you want to see some Network security tools such as TAMU, COPS, and SATAN, ftp to wuarchive.wustl.edu and look at /packages/security.)

Possible attacks include:

  • Web Spoofing. An attacker's server becomes the de facto ISP to the user's browser. A user thinks he or she is reaching, say www.microsoft.com, when actually the user is receiving content from the hacker. An insidious attack when you consider the user may be supplying confidential data to the spoofed site.

  • Denial of Service. A common attack facing most public or commercial Websites. The trick lies in the attacker overloading the site's routers or servers with bogus packets, usually SYNs.

  • Sniffers. An attacker builds intelligence against your site by monitoring your traffic and picking off passwords and user data.

  • DNS Spoofing. The hacker compromises the DNS server and changes the IP address database, redirecting user URL calls to sites of the hacker's choice.

  • Mobile Code Attacks. Using Java applets or ActiveX controls, the attacker plants Trojan horses onto your local machine. This malicious code can be embedded in HTML pages, making it especially vicious. And, external Web pages aren't the only concern. Any computer crime investigator looking at HTML pages on a local machine should examine any links using the source code viewer first. Links can contain booby traps that can plant viruses or Trojan horses on the investigator's disks or that can delete files on the machine's hard drive. Always assume any local machine contains booby traps.

  • IP Spoofing. An attacker fakes the IP address of a machine the server recognizes or trusts in order to gain entry. An interesting book describing IP attacks and the general process of investigating network and Internet attacks is Takedown by Tsutomu Shimomura with John Markoff, Hyperion, 1996.



Tracing Email

When you want to know from which machine an email originated, specialized search engines on the Web can help. The one available for the Americas is http://www.arin.net/whois/. Most people who send and receive email never see the detailed header information for a piece of electronic mail. Yet, many email services like MS Outlook allow you to see the full header when you select it under viewer options. The key phrase to pay attention to is "Received: from."

A sample email header (with alterations for security reasons) is below:

    Received: from hotmail.com (f54.pav1.hotmail.com [64.4.31.54]) by exchange.anyplace.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
                id XBMVVB8A; Fri, 1 Dec 2000 05:04:58 -0600
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
                Fri, 1 Dec 2000 03:06:19 -0800
    Received: from x.x.x.x by pv1fd.pav1.hotmail.msn.com with http:
                Fri, 01 Dec 2000 11:06:19 GMT
    X-Originating-IP: [x.x.x.x]
    From: "Anyone" <XXXXXX@hotmail.com>
    To: ronmen9938@britannica.com
    Subject: Test
    Date: Fri, 01 Dec 2000 05:06:19 -0600
    Mime-Version: 1.0
    Content-Type: text/plain; format=flowed
    Message-ID: <F546hm8Ua8d9Ee4zadT0000a828@hotmail.com>
    X-OriginalArrivalTime: 01 Dec 2000 11:06:19.0949 (UTC) FILETIME=[BBB795D0:01C05B86]
The first "Received: from" phrase indicates that the last server to transmit the email was f54.pav1.hotmail.com with IP address 64.4.31.54. That server received the email from the fictionalized MS Exchange server at "anyplace.com" using Simple Mail Transfer Protocol (SMTP).

What a search on ARIN produced for IP address 64.4.31.54:


    MS Hotmail (NETBLK-HOTMAIL)
    1290 Oakmead Pkwy Ste 218
    Sunnyvale, CA 94086
    US

    Netname: HOTMAIL
    Netblock: 64.4.0.0 - 64.4.63.255

    Coordinator:
    Myers, Michael (MM520-ARIN)  icon@HOTMAIL.COM
    408-222-7330

    Domain System inverse mapping provided by:

    NS1.HOTMAIL.COM   207.82.250.83
    NS3.HOTMAIL.COM   209.185.130.68

    Record last updated on 11-Feb-2000.
    Database last updated on 30-Nov-2000 19:05:05 EDT.

The next "Received: from" tells you what server at Hotmail.com received the email from anyplace.com. The next two lines tell you the IP address of the machine that sent the email to, or generated the email at, Hotmail.com before it was transmitted to ronmen9938@britannica.com. In this case that machine's address has been fictionalized to x.x.x.x. But the real IP address could be run on ARIN for identification. The same goes for the domain name. The "From" line gives the sender's email address at Hotmail.com.
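Because each mail server prepends its own "Received:" line, the chain reads from the bottom up: the lowest line is the first hop and the topmost line is the last server before delivery. The added example below, which is not code from the original article, walks the sample header in that order and pulls out the sending and receiving host of every hop plus the X-Originating-IP value to run through ARIN. The header text is a constructed copy of the article's sample, with x.x.x.x kept as the fictionalized address; the subroutine name parse_received is the example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the article: list the relays in a mail
# header in the order the message actually travelled, by reading the
# "Received:" lines from the bottom up.
use strict;
use warnings;

# parse_received: takes the raw header text and returns a list of hashes
# ({from, by}), ordered from the originating hop to the final server.
sub parse_received {
    my ($header) = @_;

    # Unfold continuation lines: a line that starts with whitespace
    # continues the previous field (RFC 822 header folding).
    $header =~ s/\r?\n[ \t]+/ /g;

    my @received;
    foreach my $line (split /\n/, $header) {
        next unless $line =~ /^Received:\s*(.*)$/i;
        my $body = $1;
        my ($from, $by) = ('?', '?');
        # Servers phrase this line differently, so match the two parts
        # separately and loosely: "from <sender> ... by <receiver> ...".
        $from = $1 if $body =~ /^from\s+(.+?)\s+by\s/i;
        $by   = $1 if $body =~ /\bby\s+(\S+)/i;
        push @received, { from => $from, by => $by };
    }

    # Each server prepends its own Received: line, so the topmost line is
    # the most recent hop; reverse the list to get origin-to-destination.
    return reverse @received;
}

# Constructed header modelled on the article's sample; x.x.x.x is the
# fictionalized originating address, kept exactly as the article shows it.
my $header = <<'END_HEADER';
Received: from hotmail.com (f54.pav1.hotmail.com [64.4.31.54]) by exchange.anyplace.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
    id XBMVVB8A; Fri, 1 Dec 2000 05:04:58 -0600
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 1 Dec 2000 03:06:19 -0800
Received: from x.x.x.x by pv1fd.pav1.hotmail.msn.com with http;
    Fri, 01 Dec 2000 11:06:19 GMT
X-Originating-IP: [x.x.x.x]
From: "Anyone" <XXXXXX@hotmail.com>
To: ronmen9938@britannica.com
Subject: Test
END_HEADER

my $hop = 0;
foreach my $r (parse_received($header)) {
    $hop++;
    printf "hop %d: from %s --> received by %s\n", $hop, $r->{from}, $r->{by};
}

# X-Originating-IP is the address Hotmail recorded for the sender's
# browser session; it is the value to look up in the ARIN whois service.
if ($header =~ /^X-Originating-IP:\s*\[?([^\]\s]+)\]?/mi) {
    print "originating address to run through whois: $1\n";
}
```

On the sample header this prints three hops, from x.x.x.x at pv1fd.pav1.hotmail.msn.com through hotmail.com to exchange.anyplace.com. One caveat an investigator should keep in mind when reading the output: only the topmost "Received:" line was written by a server you control; every line beneath it was written by someone else's system and could have been inserted by the sender, so corroborate each hop (with whois, with the receiving server's own logs) rather than taking the chain at face value.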

Tracing emails will continue to play an ever-increasing role in computer crime investigation. To see how it played a role in a recent Texas homicide case, read "Murder via the Internet" at http://securityportal.com/topnews/murdervia20000721.html.



Resources

Print Sources:

Casey, Eoghan, Digital Evidence and Computer Crime, Academic Press, 2000.

Hayden, Matt, Networking in 24 Hours, Sams, 1998.

Hoffman, Paul E., Perl 5 for Dummies, IDG Books, 1997.

Mendell, Ronald L., "Is the Internet Just a Web of Misinformation?", Security Management, June 1999.

Raymond, Eric S., The New Hacker's Dictionary, 3rd Edition, MIT Press, 1996.

Sharrar, Kristopher A. and Granado, Jose, "Confessions of a Hard Drive," Security Management, March 1997.

Shimomura, Tsutomu with John Markoff, Takedown, Hyperion, 1996.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Tiwana, Amrit, Web Security, Digital Press, 1999.

URLs:

Perl
http://www.perl.org
http://www.perl.com/perl/

Security scripts
http://www.softpanorama.org/Security/perl_sec_scripts.shtml

Intrusion Detection
Intrusion Detection Pages
http://www.cerias.purdue.edu/coast/intrusion-detection/welcome.html

Attacks
Attacks on IP Networks
http://www.docs.uu.se/~carle/datakomm/Notes/Networkin/51_AttacksOnIP.html

Network Intelligence
http://www.microsoft.com/technet/security/intel.asp

Whois Service
Internic and IP Address Searches:
http://rs.internic.net/cgi-bin/whois

Links to several registries
http://networksolutions.com/cgi-bin/whois/whois

American Registry for Internet Numbers (ARIN)
http://www.arin.net/whois

Email
Tracing Email
http://www.usus.org/elements/tracing.htm

