FTimes is a system baselining and evidence collection tool. The
primary purpose of FTimes is to gather and/or develop topographical
information and attributes about specified directories and files in
a manner conducive to intrusion and forensic analysis.
FTimes is a lightweight tool in the sense that it doesn't need
to be "installed" on a given system to work on that system, it
is small enough to fit on a single floppy, and it provides only
a command line interface.
Preserving records of all activity that occurs during a snapshot
is important for intrusion analysis and evidence admissibility.
For this reason, FTimes was designed to log four types of
information: configuration settings, progress indicators, metrics,
and errors. Output produced by FTimes is delimited text, and
therefore, is easily assimilated by a wide variety of existing
tools.
FTimes basically implements two general capabilities: file
topography and string search. File topography is the process of
mapping key attributes of directories and files on a given file
system. String search is the process of digging through directories
and files on a given file system while looking for a specific
sequence of bytes. Respectively, these capabilities are referred
to as map mode and dig mode.
FTimes supports two operating environments: workbench and
client-server. In the workbench environment, the operator uses
FTimes to do things such as examine evidence (e.g., a disk image
or files from a compromised system), analyze snapshots for change,
search for files that have specific attributes, verify file
integrity, and so on. In the client-server environment, the
focus shifts from what the operator can do locally to how the
operator can efficiently monitor, manage, and aggregate snapshot
data for many hosts. In the client-server environment, the
primary goal is to move collected data from the host to a
centralized system, known as an Integrity Server, in a secure
and authenticated fashion. An Integrity Server is a hardened
system that has been configured to handle FTimes GET, PING, and
PUT HTTP/S requests.
The FTimes distribution contains a script called nph-ftimes.cgi
that may be used in conjunction with a Web server to implement
a public Integrity Server interface. Deeper topics such as the
construction and internal mechanics of an Integrity Server are
not addressed here.
Highlights and Advantages
FTimes is easy to use and fast! The rest is pure gravy...
FTimes has been written in C and ported to many popular OSes such
as AIX, BSDi, FreeBSD, HP-UX, Linux, Solaris, and Windows 98/ME/NT/2K/XP.
FTimes does not require additional runtime support such
as a script interpreter (e.g., Perl) or a Virtual Machine (e.g.,
JVM).
FTimes does not need to be installed on the client's machine. In
many cases it can be run from a floppy or CDROM. Because of this,
FTimes can be configured such that it is minimally invasive
to the target system. This is important when trying to collect
evidence of an attack on a live system.
FTimes has thorough logging. This helps to increase its
credibility and admissibility as evidence because the log information
can be used to determine the known or potential error rate of the
tool under various conditions. FTimes logs four types of
information: configuration settings, progress indicators, metrics,
and errors.
FTimes detects and encodes non-printable characters (white space,
carriage returns, and so on) in filenames. This ensures that your
view of the output is not artificially altered by the data you are
looking at. The URL encoding scheme used also helps you to quickly
focus in on anomalous filenames. Other popular forensic and/or
analysis tools don't do this, and because of that, the on-screen
output they produce can potentially be manipulated through the use
of clever filenames. FTimes has had this feature for many years.
FTimes detects and processes Alternate Data Streams (ADS)
when running on Windows NT/2K/XP systems. This is quite useful in
cases where the perpetrator has used Alternate Data Streams to hide
tools and information. As of version 3.8.0, FTimes can also process
ADS from Linux when an NTFS partition is mounted as the ntfs-3g type.
FTimes produces delimited ASCII output that is configurable on a
per-attribute basis, and is therefore conducive to analysis. This
output can be assimilated using standard database technology as well
as a wide array of existing tools.
This makes it more flexible than proprietary database schemes
that are essentially opaque to the practitioner. Ultimately,
this format yields better analysis results because the practitioner
is able to manipulate data freely, and peers may independently
verify analysis results. Again, this helps to strengthen its
credibility and admissibility as evidence.
FTimes can be deployed as an enterprise solution with all
information being transmitted to and preserved on a hardened
Integrity Server. This allows for centralized management of data,
and avoids the problem of leaving data exposed on a client's
system. Data stored on a client's system is vulnerable to malicious
modification or destruction.
FTimes natively supports client-initiated HTTP/HTTPS
uploads/downloads. This eliminates the need for boundary devices
such as firewalls to have special inbound connection rules.
Furthermore, there's a good chance that existing boundary devices
already support the required outbound communications path because it
is the same as that needed to browse the Web.
FTimes provides an efficient string search capability
(a.k.a. dig mode). This is particularly useful in investigations
when the practitioner has a profile of key words or byte strings
that are likely to exist somewhere on the target system.
FTimes optionally supports device file digging (block/character).
FTimes optionally produces directory hashes. This is a
significant analysis advantage in situations where content rarely
changes. The advantage is that one hash effectively represents
the content of all directories and files contained in a given
tree.
FTimes optionally produces symlink hashes.
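The two items above describe directory hashes and symlink hashes in terms of their analysis value but not their construction. The following added example (not FTimes' own code; the page does not give its algorithm) shows one way a single digest can stand for a whole tree: each directory's digest covers, in sorted name order, every entry's name, kind, and digest, so a change anywhere below a directory alters the digest of that directory and of every ancestor, while sibling subtrees keep their hashes. The tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Directory and symlink hashing: one digest for a whole tree.

Added illustration, not FTimes' own algorithm.  A directory's digest is
computed over its entries in sorted name order; each entry contributes
its name, its kind (f/d/l) and its own digest (file content, recursive
directory digest, or the symlink target string).
"""
import hashlib
import os
import tempfile


def file_hash(path: str) -> str:
    """MD5 of file content, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dir_hash(path: str) -> str:
    """Digest of a directory tree.  Sorting the entry names makes the
    result independent of readdir order and of the platform."""
    h = hashlib.md5()
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.islink(full):            # test for links before dirs
            target = os.readlink(full).encode()
            kind, digest = "l", hashlib.md5(target).hexdigest()
        elif os.path.isdir(full):
            kind, digest = "d", dir_hash(full)
        else:
            kind, digest = "f", file_hash(full)
        h.update(f"{kind}|{entry}|{digest}\n".encode())
    return h.hexdigest()


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a constructed tree, hash it, trojan one library deep inside,
    hash again, then restore the original content."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"\x7fELF original ls")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "usr/lib/libc.so", b"\x7fELF libc")
        os.symlink("libc.so", os.path.join(root, "usr/lib/libc.so.6"))
        r = {"before": dir_hash(root),
             "usr_before": dir_hash(os.path.join(root, "usr")),
             "etc_before": dir_hash(os.path.join(root, "etc"))}
        _write(root, "usr/lib/libc.so", b"\x7fELF trojaned libc")
        r["after"] = dir_hash(root)
        r["usr_after"] = dir_hash(os.path.join(root, "usr"))
        r["etc_after"] = dir_hash(os.path.join(root, "etc"))
        _write(root, "usr/lib/libc.so", b"\x7fELF libc")
        r["restored"] = dir_hash(root)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:11s} {value}")
```

The practical point is the one the text makes: when a tree rarely changes, a single stored digest of it is enough to prove that nothing beneath it moved, and when the digest does change, re-hashing the subdirectories narrows the search without touching every file's stored hash.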
FTimes optionally performs file typing via XMagic. When
there are hundreds or thousands of unknown hashes, it is difficult
to determine which files may have changed as a result of a malicious
act. In these situations, type information can be used to
categorize files and prioritize the order in which they are
examined.
FTimes has an extremely fast, tunable compare capability.
This enables the practitioner to quickly analyze snapshots and
determine change.
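The three properties discussed above, delimited text output, URL-encoded filenames, and a compare step that reports what changed between snapshots, fit together in a short analysis script. The following added example is not code from the FTimes project: it assumes a layout that mirrors the page's description (a header line naming the fields, one pipe-delimited record per file, a double-quoted name with structural and non-printable bytes written as %XX), and the two snapshots it works on are constructed rather than captured. The real field set depends on the FieldMask in use, so treat the columns as illustrative.

```python
"""Parse, decode and compare FTimes-style map snapshots.

Added example, not code from the FTimes project.  The layout is an
assumption based on the page's description; the field set depends on
the FieldMask, and both snapshots below are constructed.
"""
from urllib.parse import unquote_to_bytes

# Constructed baseline snapshot of a clean system.
BASELINE = """\
name|mode|uid|gid|mtime|size|md5
"/bin/ls"|100755|0|0|2009-01-10 12:00:00|104508|9a4c1e3bbd3d9ff6c1e2d6a4b1d8e3a0
"/etc/passwd"|100644|0|0|2009-01-10 12:00:00|1823|1b7c5d0e2a9f4e6c8b3d1a0f5e7c9b2d
"/usr/sbin/oldtool"|100755|0|0|2009-01-10 12:00:00|2048|ffeeddccbbaa99887766554433221100
"""

# Constructed later snapshot: /etc/passwd modified, oldtool gone, and two
# new files whose names carry a trailing space and an embedded newline.
CURRENT = """\
name|mode|uid|gid|mtime|size|md5
"/bin/ls"|100755|0|0|2009-01-10 12:00:00|104508|9a4c1e3bbd3d9ff6c1e2d6a4b1d8e3a0
"/etc/passwd"|100644|0|0|2009-02-01 03:14:15|1871|0f0e0d0c0b0a09080706050403020100
"/tmp/%20"|100755|0|0|2009-02-01 03:14:15|6000|aabbccddeeff00112233445566778899
"/tmp/evil%0Aclean"|100755|0|0|2009-02-01 03:14:15|6000|aabbccddeeff00112233445566778899
"""


def encode_name(name: bytes) -> str:
    """Printable ASCII stays; control bytes, space, high bytes and the
    structural characters | " % become %XX (approximates FTimes' scheme)."""
    return "".join(chr(b) if 0x20 < b < 0x7F and b not in b'|"%'
                   else f"%{b:02X}" for b in name)


def decode_name(field: str) -> bytes:
    """Strip the quotes and undo %XX, returning raw bytes: staying in bytes
    preserves the attacker's exact filename instead of a charset guess."""
    if len(field) < 2 or field[0] != '"' or field[-1] != '"':
        raise ValueError(f"name field is not quoted: {field!r}")
    return unquote_to_bytes(field[1:-1])


def is_anomalous_name(name: bytes) -> bool:
    """Names built to fool a terminal or log viewer: any control byte, or a
    path component with leading or trailing spaces."""
    if any(b < 0x20 or b == 0x7F for b in name):
        return True
    return any(part != part.strip(b" ") for part in name.split(b"/"))


def parse_snapshot(text: str) -> dict[bytes, dict[str, str]]:
    """Return {raw name: {field: value}}.  Splitting on '|' first is safe
    because a '|' inside a name is always encoded."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    if header[0] != "name":
        raise ValueError("expected a header line starting with 'name'")
    records: dict[bytes, dict[str, str]] = {}
    for ln in lines[1:]:
        values = ln.split("|")
        if len(values) != len(header):
            raise ValueError(f"field count mismatch: {ln!r}")
        rec = dict(zip(header, values))
        records[decode_name(rec.pop("name"))] = rec
    return records


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Classify each path as unchanged, changed, missing or new; a changed
    path carries the sorted list of fields that differ."""
    result = {"changed": {}, "missing": [], "new": [], "unchanged": []}
    for name in sorted(baseline):
        old, new = baseline[name], current.get(name)
        if new is None:
            result["missing"].append(name)
            continue
        diff = sorted(f for f in old if old[f] != new.get(f))
        if diff:
            result["changed"][name] = diff
        else:
            result["unchanged"].append(name)
    result["new"] = sorted(n for n in current if n not in baseline)
    return result


def analyze(baseline_text: str, current_text: str) -> tuple[dict, list]:
    """Compare two snapshots; return the change set plus the new or changed
    paths whose names look anomalous, which deserve the first look."""
    changes = compare_snapshots(parse_snapshot(baseline_text),
                                parse_snapshot(current_text))
    suspects = [n for n in changes["new"] + sorted(changes["changed"])
                if is_anomalous_name(n)]
    return changes, suspects


if __name__ == "__main__":
    changes, suspects = analyze(BASELINE, CURRENT)
    print(changes["changed"], [encode_name(n) for n in suspects])
```

Two design choices matter here. Names are kept as bytes all the way through, so the comparison key is exactly what was on disk rather than a charset-decoded approximation of it; and anything shown to a human goes back through encode_name, so a newline or trailing space in a filename shows up as %0A or %20 instead of silently reshaping the report, which is the point the text makes about clever filenames.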
FTimes has a growing test harness with literally thousands of
tests to help ensure reliability, consistency, and accuracy. This
also helps to increase its credibility and admissibility as
evidence.
Drawbacks and Issues
FTimes does not collect all possible attributes on every
supported platform.
FTimes can't be completely trusted on a compromised host even
when statically compiled -- think kernel patch. The best you
can hope for is to detect a breach before such a patch is effected.
This could potentially be done by running host integrity checks
on a frequent basis. By the way, if you suspect a kernel patch,
your only true recourse is to take the system down and inspect
it from another vantage point.
To support batch processing, FTimes stores authentication
credentials on the client system. Therefore, one must take
measures to prevent and/or detect spoofing and replays. This
becomes an issue as soon as the client is compromised.
FTimes can't protect client-server exchanges when used without
encryption and mutual authentication.
FTimes in Action
The various ways in which FTimes has been put to use are described
on a separate page.