H3E 2009R1 User Manual - sdp
Contents
1. Contents (only the entries legible in the scanned table of contents are kept; page numbers are the manual's own)
Console Administration Tool (CAT) Overview ... 33
CAT Graphical User Interface (GUI) ... 33
4 User Interface ... 37
Host / Agent ... 39
Agent menu options ... 46
Mission Assurance Criticality (MAC) Level ... 51
Auditing / Incident Response ... 52
Device Monitoring ... 59
Keyboard Capture ... 60
Electronic Discovery Search ... 61
6 User Interface III ... 63
Copyright 2009 e-fense, Inc. No part of this document may be copied or reproduced without the written permission of e-fense, Inc.
2. You will initially see the H3E splash screen, which shows the current version (H3 Enterprise Console Administration Tool, Version 2009 Release 1) together with the login fields: Address (192.168.78.1 in the screenshot), Username (Admin) and Password, and the Cancel and Login buttons.
Figure 2.11: H3E Splash & Login

Quick Tip: Default Username/Password. In order to access the CAT for the first time you will need to log in with the username Admin and the password Admin. These are case sensitive.

4. Once you have successfully logged in, select Help from the menu bar, then choose Enter License Key from the drop-down menu (the Help menu lists Contents, Users Manual, Check for Updates and Enter License Key).
Figure 2.12: Enter License Key

5. The license key window will appear. Paste or type in the username and license key that arrived in your H3E CD-ROM packet (a key can be emailed to you upon request), then choose Register.
Figure 2.13: Enter License Key from Help Menu

Once a valid username and license key have been entered, a dialog box will appear thanking you for registering
3. The viewer can open any file for analysis but works very well for memory analysis. You can search for keywords, and they will be highlighted if found. Highlighted text can be copied out of the viewer if needed.

To see a list of all the disk and RAM images made, click on the hard drive icon in the tool panel; the list window will appear, showing all the images for the selected agent. Each audit date can contain images. Clicking on the audit will display the actual files, and two options exist: copy the files out for additional analysis, or open the file in the built-in forensics viewer.
Figure 6.19: Image list window (Forensic Analysis; selected agent Windows XP SP3; File Systems, RAM, Disk Images; a RAM image ram.dd dated 2009-01-08 19:34:37 and a Disk Image dated 2009-01-07 23:26:41; Show on Disk button)

Electronic Discovery
H3E allows for very simple yet efficient electronic discovery. You can search all the agents for specific files using keywords between specific dates. The files can be de-duplicated both on the agent level and on the enterprise level. Only the de-duplicated files will be sent to the H3E
4. e-fense: Carpe Datum
H3E 2009R1 User Manual
Copyright © 2008-2009. The content of this document is wholly owned by e-fense, Inc. and should not be copied, either in part or in its entirety, without license or expressed written permission of the copyright holder.

Trademarks: H3E, Helix3 Enterprise and Helix3 are registered trademarks of e-fense, Inc. All other brand and product names are trademarks or registered trademarks of their respective holders.

Version: This manual covers version 2009R1 of the H3E software for Mac OS X, Linux and Windows.

Conventions in this Manual: A number of conventions have been used during the writing of this manual.
Reference to H3E Features: You will find elements of the application referred to in Capital letters and 'Single Quoted'. Text from buttons is in bold.
Quick Tips: Also included are what are referred to as Quick Tips, in black-bordered boxes with grey header boxes and emboldened titles.
Chapters & Titles: A section page breaks each chapter, and core headings are again in red bold, whilst sub-headings are always in purple bold, with further subtitles in bold.
Menu Shortcut References: In this manual we refer to shortcuts in the following forma
5. Agent configurations, which establish critical communication settings, can be determined or adjusted on the main CAT screen.

4 User Interface: Understanding the H3E UI

Interface Design
All activity on the H3E system begins on the main CAT screen. Essentially, a user visits the Host pane to initiate requests and the Content pane to view the results returned from those requests. The CAT is broken down into 4 areas:
• The Toolbar (Area 1)
• The Host/Agent Pane (Area 2)
• The Content Pane (Area 3)
• The Status Bar (Area 4)
Figure 4.1: Four (caption cut off; the screenshot shows the main CAT screen with the server and agent list, OS Version, CPU Utilization, RAM Utilization, Disk FreeSpace, Uptime, Server Version 8.1.0.2089, Records in Database 47, Users in Database, Last Backup, Agent Total and Active Agents)
6. Key considerations for use with any management system include:
• Will you be using one or multiple software packages?
• Security configurations for all Agents must be identical.
• Agent configuration differs depending on the network and the number of Servers.
• When multiple software packages are used, so that varied configurations are possible, a method for associating Agents with Servers must be established.

Installing the Server/CAT on Mac OS X
The CAT is the main interface a user has to the H3E system. In order to take full advantage of the CAT you will need a system as outlined in the system requirements in section 2.3. It is highly recommended that these CAT system(s) be secure. You may run as many CAT systems as you would like, as they are not limited by the license.

The server and the CAT are installed by launching the Mac OS X package files. In order to install them, simply double-click on the SERVER.PKG file or the CAT.PKG file and you will be presented with the following dialogs.
1. The initial installer screen will be the same for the CAT as well as the H3E server. You will see the introduction page letting you know that you are about to install H3E (Install H3E: "Welcome to the H3E Installer"; Introduction: "You will be guided through the steps necessary to in
7. (Audit History list residue: audits System Log and Screen Capture, dated 2008-11-20 04:26:40 and 2008-11-20 04:26:06)
Figure 6.10: Audit History list

The audits are automatically displayed by the GMT date and time when the audit was run. However, you can change this display behavior by holding down the SHIFT key and double-clicking on the audit date. You will then be able to rename the audit to something more meaningful. The original date/time will still be associated with the audit and can be seen in the status bar when you hover the mouse over the audit. The audits can be expanded by simply clicking on the disclosure triangle. Then click on the audit type that you want to view in the results window(s).

The Results Window is the final area of the content pane. This part of the window is where all the resultant data is displayed when you click on any area from the audit tree view. The complete content pane has a lot of information on it but is very easy to navigate once you understand the options.

(Audit Results residue: selected agent Windows XP SP2; Refresh Display; Fast Audit and Normal Audit; audit items Setupapi log, Internet History, Environment variables, Network Configurations, ARP table, Routing Table, Network Connections, Clipboard, Volume Information, Network SMB Data, Processes, Installed Drivers, Services, Regis
8. (Audit data elements table, continued; columns: type, description)
file: Grabs the Recent Folders/Files Listing
file: Grabs the Setupapi Log File from the System
file: Grabs all of the Internet History for Each User
file: Grabs the Office Recent Folder
registry: Dump Startup Run Registry
registry: Dump Startup RunOnce Registry
registry: Dump Startup RunOnceEx Registry
registry: Dump Startup RunServices Registry
registry: Dump Startup RunServiceOnce Registry
registry: Dump Startup Current User Run Registry
registry: Dump Startup Current User RunOnce Registry
registry: Dump Startup Current User RunOnceEx Registry
registry: Dump Startup Current User RunServices Registry
registry: Dump SharedDLLs Registry
registry: Dump KnownDLLs Registry
registry: Dump Startup Scripts
registry: Dump Startup Explorer Run
registry: Dump Typed URLs
registry: Dump Run MRU
registry: Dump Last Save
registry: Dump Memory Settings
registry: Dump Hotfix Information
registry: Dump Mounted Devices
registry: Dump USB Key
registry: Dump USB Storage Key

Contextual Menu Options
If you are unsure which type of audit best suits your needs, select Custom Capture. This will open a new window that displays each of the data elements contained in the above table. Here you can select which elements you would like to include in your audit. To add items, left-click on
9. (Status bar residue: Uptime 1 Days 15 Hours 52 Minutes; Server Version 8.1.0.2128; Database Status Online; Records in Database 4,137; Users in Database 1; Last Backup Never; Authorized Agents 10; Agent Total 4; Active Agents 4)
Figure 3.4: CAT Graphical User Interface

The Agents
The H3E Agents are called into action whenever a system user suspects malicious activity on the network or must respond to an incident that already has occurred. The CAT establishes an encrypted link with the Agent and commands that the Agent return such information as Internet use history, user keystrokes or screen captures from the target.

Agents remain invisible to the user by masquerading as routine processes on the workstation; no icons appear in the system tray or tool areas. Agents can respond only to commands from a designated CAT, via encrypted TCP/UDP communication, and do not interfere with the operation of anti-virus engines or other detection applications. The amount of network traffic generated by Agents is minimal and highly configurable by the user. A user may set the system to return data by the minute, by the hour, upon system start-up or only upon demand. Data is returned by the Agents in XML-formatted text files averaging about 3 KB in size, with screen captures requiring about 47 KB
11. Agent
A Host is a computer that is turned on and available for use on the network, while an Agent is a component of the H3E system that resides on the associated Host and gathers information about that Host when directed to do so.

The Content pane appears on the right side of the main CAT screen and contains the DashBoard, Chat window, Case window, Incident Response, Forensics Results, Reporting window and E-Discovery window. This CAT screen is the starting point for requesting and reviewing information from Agents on the network.
(Main screen residue: H3 Enterprise Console Administration Tool with tabs Dashboard, Chat Log, Incident Response, Forensics, E-Discovery and Reports; List Cases / Add Case; an Agents tree with Workstations (Server 172.17.2.19, Windows XP SP3, Windows XP SP2, Windows Vista) and Servers (Windows 2003 Server); OS Version Windows 2003 5.2.3790 Service Pack; Last 30 Events including "Admin Imaging Ram Windows XP SP3", "Admin Custom audit Windows XP SP3", "Admin Screen Capture audit Windows XP SP3", "Unknown Agent restricted because of license Windows XP SP2" and "Unknown Agent restricted because of license Windows Vista"; CPU Utilization 1; RAM Utilization Total 2097152 K, Available 2097152 K, Usage 7; Disk FreeSpace 8.02 GB; Uptime
12. (EULA text continued) ...E-FENSE Incorporated for the H3 Enterprise Software software product identified above, which includes online or electronic (...)
"I accept the terms in the License Agreement" / "I do not accept the terms in the License Agreement"
Figure 2.3: Server Install End User License Agreement

3. Click Install to proceed. (H3E SERVER Setup, Ready to Install: "The Setup Wizard is ready to begin the Typical installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.")
Figure 2.4: Server Installation

4. Click Finish to complete the installation. (H3E SERVER Setup, Completing the H3E SERVER Setup Wizard: "Click the Finish button to exit the Setup Wizard.")
Figure 2.5: Server Installation Complete

Quick Tip: Server Installation Location on Windows. The server has been installed into the following directory: C:\Program Files\H3Enterprise. The server will start automatically after install and whenever the computer reboots. At this point the
13. ...a file what a DNA marker is to a person: it matches only the file to which it belongs. The hash changes as the file itself changes. A hash search thus allows you to determine who has access to files that are proprietary in nature.

If you know the 32-character MD5 hash you are seeking, enter it, one entry per line, in the Hash Expressions box by clicking on the button. If you do not, simply drag and drop the file(s) to be searched from your Desktop into the Hash Expressions box. The speed of a hash search is dependent on several host variables, such as CPU speed, current processor workload, memory and the size of the device being searched. Tests have shown that H3E can find a single hash on a 40 GB hard drive in about 30 minutes. Results can be found in the E-Discovery Results window in the Content Pane of the CAT, described in section 6 of this manual.

6 User Interface III: H3E Content Pane

Content Pane
Now that you have requested information and your Agents have retrieved and returned it to the CAT, it's time to take a look at what they found. That's where the Content pane, located on the right side of the main CAT scr
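The hash search described above, written out as an added example (this is not e-fense's code): a Python tool that reads a Hash Expressions list (one 32-character MD5 per line), walks a directory of the logical file system, groups every file carrying matching content under its hash (the "N copies" de-duplication the E-Discovery results show), and logs for each file why it was or was not responsive. The directory, file names and contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def parse_hash_expressions(text):
    """Parse the 'Hash Expressions' box contents: one MD5 per line.

    Returns (wanted, rejected): well-formed 32-hex digests (lowercased), and the
    lines that are not valid MD5 values, so a typo is reported rather than
    silently matching nothing.
    """
    wanted, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if len(line) == 32 and set(line) <= HEX_DIGITS:
            wanted.add(line)
        else:
            rejected.append(raw.strip())
    return wanted, rejected


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files (disk images) need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_search(root, wanted):
    """Walk the logical file system below root.

    Returns (hits, log): hits maps each matched MD5 to the list of paths with
    that content (copies grouped together); log records, for every file seen,
    why it was or was not responsive, including files that could not be read.
    """
    hits, log = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                digest = md5_of_file(path)
            except OSError as exc:
                log.append(f"SKIP {path}: unreadable ({exc})")
                continue
            if digest in wanted:
                hits.setdefault(digest, []).append(str(path))
                log.append(f"HIT  {path}: md5 {digest} is in the hash list")
            else:
                log.append(f"MISS {path}: md5 {digest} is not in the hash list")
    return hits, log


def demo():
    """Constructed sample: three files, two of which are copies of the same content."""
    proprietary = b"confidential design notes\n"  # constructed 'proprietary' file
    target_md5 = hashlib.md5(proprietary).hexdigest()
    expressions = f"{target_md5}\nnot-a-hash\n"  # one good entry, one typo
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "notes.txt").write_bytes(proprietary)
        (root / "sub" / "notes (copy).txt").write_bytes(proprietary)
        (root / "readme.txt").write_bytes(b"nothing to see\n")
        wanted, rejected = parse_hash_expressions(expressions)
        hits, log = hash_search(root, wanted)
    copies = {digest: len(paths) for digest, paths in hits.items()}
    return target_md5, copies, rejected, log


if __name__ == "__main__":
    target, copies, rejected, log = demo()
    print("rejected expressions:", rejected)
    print("copies per matched hash:", copies)
    print("\n".join(log))
```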
14. ...be created. (Add Network dialog: Name "new network"; Network Folder; IP Address 0.0.0.0; Subnet Mask 255.255.255.255; Cancel / Add)
Figure 4.6: Add network folder window

The gear button allows for quick action items such as renaming an agent or clearing the activity viewer. By clicking on the gear button, a menu will appear which will allow you to either rename a selected agent, configure a selected agent or clear the activity viewer (Rename Agent, Configure, Clear Activity).
Figure 4.7: Status Bar Menu

The arrow button will either show or hide the activity window within the host pane. When the activity window is visible, any activity that is conducted will be visible in this window. You can also pause certain actions and restart them at will.

When an activity is finished, you will be notified that that activity is completed, and you can click on the magnifying glass icon, which is called the revealer, and be taken to the results of that audit. You can stop running audits by clicking on the stop icon. If you click on the stop icon on a finished audit, you will clear it from the list. (Activity window residue: File System 192.168.78.129; RAM Image 192.168.78.129; figure caption cut off)
15. Preferences: File Library Location. Any files that are downloaded (RAM and Disk Images, File Systems, etc.) are stored here: HDD/Users/dfahey/Library/Application Support. Time Display: Use GMT date/time (default), shown as 2009-01-25 01:11:08.
Figure 7.2: CAT Preferences (General)

H3E Server Configuration
The server settings can be accessed by clicking on the Server, then Settings, menu option on the CAT toolbar.
Figure 7.3: Server Settings Menu

The first screen to appear is the Network Settings. Here you can accept the default communication settings or select your own for the following:
Console TCP Listen Port (default 9010)
Console UDP Listen Port (default 64000)
Console FTP Listen Port (default 9090)
Console Admin Port (default 59345)
Agent Idle Time (default 300 seconds)
Direct Transfer Port (default 9090)
(Server Settings dialog residue: tabs Network Settings, User Admin, Backups, Updates; the Network Settings fields above, each shown at its default value)
16. A download link, along with version information, is accessible on the product page of the site. Simply click the respective link and the file will automatically begin to download to the workstation's desktop or specified download location. H3E versions are distributed in a ZIP archive format and can be decompressed with a simple double-click of the file. This will place the decompressed application file in the same location as the original ZIP archive, in this case the desktop. Having decompressed the application, H3E will now be ready for installation.

2.3 System Requirements
Figure 2.1: System Requirements Table (columns: Minimum Requirements, Recommended Requirements; rows: Server, CAT, Agent; the scan preserves one column in full and only the beginning of the other)
Server:
• Microsoft Windows 2003 Server or later
• Mac OS X 10.4 or later
• Linux Kernel 2.6.15 or later
• Dual-Core Intel Xeon E5205, 6 MB Cache, 1.86 GHz, 1066 MHz FSB
• 1 GB 667 MHz RAM
• 500 GB disk space, SAS or SATA
• Intel PRO/1000PT 1GbE Dual Port NIC
CAT:
• Microsoft Windows XP or later
• Mac OS X 10.4 or later
• Linux Kernel 2.6.15 or later
• 2.2 GHz Intel Core 2 Duo processor
• 1 GB 667 MHz RAM
• 20 MB free disk space (extra space required for image transfers)
Agent:
• Microsoft Windows 2000 or later
• 400 MHz Celeron or equivalent
• 256 MB RAM
• 10 MB free disk space
Server (other column, cut off):
• Microsoft Windows 2003 Server or later
• Mac OS X 10.4 or later
• Li
17. • reduced UI (/qr): the UI does not show any wizard dialogs
• basic UI (/qb): passive; only a progress bar will be shown
• no UI (/qn): quiet; no UI will be shown
If you choose to manually install the agent on each machine, then a very simple dialog box will appear while the install takes place ("H3E Agent: Please wait while Windows configures H3E Agent", with a Cancel button).
Figure 2.15: Initial Agent Install

Quick Tip: Agent Installation Location on Windows. The agent has been installed into the following directory: C:\Program Files\H3Enterprise. The agent is called h3e sma and runs as a Windows service. The service is displayed as Service Monitor Agent.

Software Management Installation
A software distribution tool allows a user to install Agents from a single source on the network. The tool, when run, pushes the Agents to workstations throughout the system. Examples of software distribution tools include SMS for Windows, Tivoli, HP OpenView or Hercules. Each type of software management carries its own instructions, but most should be compatible with H3E. Agents operate as routine system processes and do not degrade system performance once installed. Please refer to the user's guides for your particular software management system for further guidance.
18. ...servers. Complete logging will be saved, which shows why a particular file was responsive and why another was not. The search is conducted on the logical file system and does not search slack or free space. However, deleted files that have not been overwritten will be searched. The search date and time will appear in the left-hand results column as a date/time stamp. Simply click on an agent and then on an item in the results column. The returned results will be listed in the right-hand listbox. Simply clicking on an item will reveal more information on that item in the lower window.
(E-Discovery results residue: selected agent Windows XP SP2; Show Search Results, Show Search Criteria, Report; a search dated 2009-01-20 15:40:40 listing files such as update.inf, ieapfltr.dll, h3e.png, inetcpl.cpl (3 copies), H3E (4 copies) and h3e.cfg; detail fields Date Created 2008-10-30 20:45:04, Date Modified 2008-10-30 20:45:04, Last Accessed 2009-01-16 18:48:49, File Size 0 (0.00 bytes), Agent Windows XP SP2)
19. ...the checkboxes next to the desired items. To remove items, left-click on the checkboxes that already are marked. The Custom Capture screen also allows you to select Network, Registry, File or Logs as your Audit Type. This narrows your audit to data elements that fit the selected category. For example, if you selected Registry, all the data elements that fit the registry category, and only those data elements, will be included in the audit. The custom capture window displays all the elements in a hierarchical fashion. They are also color-coded for simple reference: blue elements are fast capture elements, green are normal capture and red are actual files.
(Custom Scan dialog residue, grouped by category:
Files: Grabs the Setupapi log file from the system; Grabs all of the Internet History for each user; Obtain System Chat Logs (Skype, Yahoo, MSN); Grab the SAM file; Obtain NTUSER.DAT files
Network: Determine System Hostname; List Network Configurations; List ARP table; List Routing Table; List Current Network Connections
Memory: Extract Windows Clipboard (Text Input Only)
System: List Installed Applications; Show Volume Info; Collect Server Uptime; Get environment variables; Show Network SMB Data
Processes; Cancel / Run buttons)
Figure 5.9: Auditing, Retrieve Live Data Options
20. ...the console to the servers on the TCP ports that have been configured. How many Agents do you want to access, and what is the scope of the audits you wish to conduct?

Installing the Server on Windows
Depending on your installation media (CD or Web download), you will need to install the H3E server first. This can be accomplished by locating the SERVER.MSI file from the installation source. Double-click the SERVER.MSI file on Windows to run the installation. The Install wizard will guide you through the following series of screens.
1. The Initial screen. Click Next to continue the installation. (H3E SERVER Setup: "Welcome to the H3E SERVER Setup Wizard. The Setup Wizard will install H3E SERVER on your computer. Click Next to continue or Cancel to exit the Setup Wizard.")
Figure 2.2: Initial Server Install
2. You must accept the End User License Agreement to continue installation. Click "I accept the terms in the License Agreement", then Next, to do so. (H3E SERVER Setup, End User License Agreement: "Please read the following license agreement carefully. H3 Enterprise END USER LICENSE AGREEMENT FOR H3 ENTERPRISE. IMPORTANT, READ CAREFULLY: This E-FENSE, INC. End User License Agreement (EULA) is a legal agreement between you (either an individual or a single entity) and
21. 1 Introduction: About H3E (Helix3 Enterprise)

What is H3E?
Helix3 Enterprise was developed as a strong, rapid defense against the forces at work to transfer and destroy data, technology and organizational survivability by attacking our increasingly global computer networks. Unlike layered defense systems that have proven to be effective only against external threats, H3E focuses on addressing the problems of compromised systems caused by malicious insiders or the unsafe network practices of employees. Using digital surveillance, the H3E system can reveal insider activities such as permission elevation, data exfiltration or the creation of covert data tunnels, and makes remote incident response possible within a matter of minutes.

The Helix3 Enterprise system consists of three main components: the Server, the Console Administration Tool (CAT) and the Agents. In simple terms, the Server acts as the system's headquarters and warehouse facility, the CAT as the command center and the Agents as the skilled employees. You may also choose to utilize an optional Supervisor Server to consolidate views from multiple H3E servers in an enterprise network. Most interactions between the CAT and Agents on the system are conducted through the Server. On command from the CAT, the Server dispatches a designated number of Agents to monitor, collect and analyze activities on the network and to alert H3
22. ...to see the agent you want to acquire and the ability to change the acquisition port. (File System View dialog: Host Windows XP SP2, 172.17.2.65; Transfer Port 9090; Cancel / Start)
Figure 5.12: File System Viewer Acquisition Window

Like the RAM and Disk imaging, the progress of the acquisition will be displayed in the activity monitor within the host pane. Initially the progress will show the number of filesystem entries it has copied, and when all the entries have been determined, the activity view will display the full progress of items copied to items left. When the filesystem copy has finished, the activity window will display a reveal icon (magnifying glass) which, when clicked, will display the filesystem in the content pane.

Device Monitoring
The next feature on the Agent drop menu is device monitoring. This allows the user to capture and review selected activities of an individual. The two available methods of active device monitoring are the screen capture and the keyboard capture (or key logger). To access the device monitoring option, highlight the Agent whose information you wish to retrieve using a left-click, then right-click to bring up the Agent menu. From that menu select Device Monitoring.
23. ...up the system's database. You may enter a time and select any or all days of the week by marking the appropriate checkboxes. (Server Settings, Backups tab: Enable Backups; Time of Day 2:30; Days of Week Monday through Sunday, each with a checkbox; Cancel / Save)
Figure 7.7: Database Configuration

System Updates
The system can be set to check for updates on a weekly basis, or you can force a check by clicking on the Check Now button. If any updates are available, they will be listed in the listbox. The application that has an update, along with the version and date of release, will be listed. (Server Settings, Updates tab: Check Weekly; Check Now; columns Install, Application, Version, Date, listing Admin Tool 1.0 1/29/09, h3e agent 1.0 1/29/09 and h3e server 1.0 1/29/09; Install Updates; Cancel / Save)
Figure 7.8: System Updates

In order to update an element of the H3E system, simply check the box next to the Application name and click on the Install Updates button. The updates will be downloaded to the H3E server and will be installed in this order:
1. Server will automatically ins
24. (Process detail residue: svchost.exe, version 5.2.3790.3959, with its loaded modules under WINDOWS\System32 (ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, Secur32.dll, NTMARTA.DLL, msvcrt.dll, USER32.dll, GDI32.dll, WLDAP32.dll, SAMLIB.dll, ole32.dll, xpsp2res.dll, wzcsvc.dll, rtutils.dll, WMI.dll, DHCPCSVC.DLL, DNSAPI.dll, WS2_32.dll, WS2HELP.dll, iphlpapi.dll) and a Size column for each)

Quick Tip: Result Information. Note: All recovered results reflect system information at the time the audit was run, not at the time the results are being reviewed, except as indicated otherwise. Information relates to the target computer, not a specific user on that computer, except as indicated otherwise.

Forensics
Forensics analysis is important when you need to understand the who, what, where and when. The ability to view Windows filesystems is built into H3E, so you can view the native fil
25. 5. Click Finish to complete the installation.
Figure 2.10 CAT Installation Complete (CAT Setup: Completing the CAT Setup Wizard; click the Finish button to exit the Setup Wizard)
At this point both the Server and the CAT will operate only in demo mode: Agent connections are accepted only from the same system as the Server (the local host) and time out after two hours. To make the system fully operational you must next register the Server.
Quick Tip: CAT Installation Location on Windows
The CAT has been installed into the following directory: C:\Program Files\H3Enterprise
Registering the Server
Once you have registered your Server it will accept Agents from throughout the network and will no longer time out after two hours. To register the Server you must:
1. Install the Server as directed in section 2.4.
2. Install the CAT as directed in section 2.4.
3. Start up the CAT by double-clicking the CAT icon and log in using Admin (case sensitive) as the default username and the default password. Change from the defaults to your own account name and password as soon as possible to eliminate the risk of unauthorized use (see 4.1
26. E users to suspicious findings. Information is both reported back to the CAT and stored within the Server. All network communication is encrypted using the 256-bit Advanced Encryption Standard (AES), which specifies the cryptographic algorithm for use in protecting electronic data and has been approved by the Federal Information Processing Standards (FIPS). Encryption converts data to an unintelligible form called cipher text, which is converted back to its original plaintext form during decryption. Information stored within the H3E CAT database is also protected using 256-bit AES, as are database passwords. The encryption key is randomized between connections and is never the same twice. Data retrieval takes place via custom Application Program Interface (API) calls, which means no native operating system commands are executed. Such commands are sometimes subverted by malicious logic that hides the tampering so that their output appears valid. H3E uses its own code to audit operating systems and devices and so provides highly reliable results.
(Figure: H3E Server and CAT architecture diagram)
Introduction
Page intentionally left blank
27. Figure 2.7 CAT Install End User License Agreement (CAT Setup dialog showing the H3 Enterprise EULA: "IMPORTANT, READ CAREFULLY. This e-fense Inc. End User License Agreement (EULA) is a legal agreement between you, either an individual or a single entity, and e-fense Incorporated for the H3 Enterprise software product identified above ..."; radio buttons "I accept the terms in the License Agreement" and "I do not accept the terms in the License Agreement")
3. Select your desired shortcut locations by clicking on the appropriate boxes. The system allows up to four shortcuts. When you have made all your selections, click Next.
Figure 2.8 CAT Shortcut Configuration (CAT Setup, Configure Shortcuts: create shortcuts for CAT in the Desktop, Start Menu Programs folder, Quick Launch toolbar and Startup folder)
4. Click Install to proceed.
Figure 2.9 CAT Installation (CAT Setup, Ready to Install: the Setup Wizard is ready to begin the Typical installation; click Install to begin, Back to review or change any installation settings, or Cancel to exit the wizard)
28. LING 202 482 3332 OR REQUESTING DIRECTLY ON THE BIS INTERNET WEB SITE. ASSISTANCE IN FILLING OUT THE FORM OR ANY ASPECT OF EXPORTING IS PROVIDED BY THE EXPORT COUNSELING DIVISION IN WASHINGTON D.C. AT 202 482 4811 OR THE WESTERN REGIONAL OFFICE IN NEWPORT BEACH, CALIFORNIA AT 714 660 0144.
LICENSE EXCEPTIONS: BE AWARE THAT THE LICENSING REQUIREMENTS FOR SOME DESTINATIONS MAY BE OVERCOME BY ANY LICENSE EXCEPTION FOR WHICH YOUR ITEMS QUALIFY. SEE PART 740 OF THE EAR FOR INFORMATION ON LICENSE EXCEPTIONS. THE LICENSE AVAILABLE COLUMN ON THIS FORM INCLUDES ONLY THOSE LICENSE EXCEPTIONS OF THE SET GB, CIV, APP, CSR WHICH ARE APPLICABLE TO YOUR ITEMS. OTHER LICENSE EXCEPTIONS MAY APPLY DEPENDING UPON THE CIRCUMSTANCES OF YOUR INTENDED TRANSACTION.
EXPORT CONTROL CLASSIFICATION NUMBERING SYSTEM (ECCN): THE ECCN NUMBERING SYSTEM IS FOUND IN THE COMMERCE CONTROL LIST (CCL), PART 774 OF THE EAR. THE CCL IS A COMPREHENSIVE LIST THAT IDENTIFIES ALL ITEMS CONTROLLED AND LICENSED BY COMMERCE. WITHIN THE CCL, ENTRIES ARE IDENTIFIED BY AN ECCN. EACH ENTRY SPECIFIES THE LICENSE REQUIREMENTS FOR THE ITEM AND THE REASON(S) FOR CONTROL. PLEASE CONSULT PARTS 738 AND 774 OF THE EAR FOR SPECIFIC INFORMATION ON ECCNS.
SHIPPERS EXPORT DECLARATION (SED): WHEN AN EXPORT IS MADE IT IS NECESSARY FOR THE EXPORTER TO SHOW ON THE SHIPPERS EXPORT DECLARATION FORM 7525-V, IN BLOCK 27, EITHER THE LICENSE NUMBER, THE APPLICABLE LICENSE EXCE
29. PTION SYMBOL OR THE SYMBOL NLR. FORM 7525-V IS AVAILABLE FROM THE SUPERINTENDENT OF DOCUMENTS, U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON D.C. 20402, AND FROM EXPORT ADMINISTRATION DISTRICT OFFICES (U.S. DEPT. OF COMMERCE). FOR INFORMATION CONCERNING THIS CLASSIFICATION CONTACT AARON AMUNDSON / CATHERINE PRATT, PHONE 202 42192 75299, DIVISION DIRECTOR BISCSTCIE
30. R COUNTRY GROUPS. ITEM 1: COMPUTER NETWORK SECURITY SOFTWARE, 59DOUZC L ENC 0, HELIX ENTERPRISE (H3E).
COMMENTS FROM LICENSING OFFICER(S): ITEM 1: THIS ENCRYPTION ITEM IS AUTHORIZED FOR LICENSE EXCEPTION ENC UNDER SECTIONS 740.17(A) AND (B)(3) OF THE EXPORT ADMINISTRATION REGULATIONS. ITEM 2: THIS ENCRYPTION ITEM IS AUTHORIZED FOR LICENSE EXCEPTION ENC UNDER SECTIONS 740.17(A) AND (B)(3) OF THE EXPORT ADMINISTRATION REGULATIONS.
ITEMS OTHERWISE ELIGIBLE FOR EXPORT OR REEXPORT UNDER A LICENSE EXCEPTION OR NLR (NO LICENSE REQUIRED) AND USED IN THE DESIGN, DEVELOPMENT, PRODUCTION OR USE OF NUCLEAR, CHEMICAL OR BIOLOGICAL WEAPONS OR MISSILES REQUIRE A LICENSE FOR EXPORT OR REEXPORT AS PROVIDED IN PART 744 OF THE EXPORT ADMINISTRATION REGULATIONS (EAR).
DESTINATIONS REQUIRING A LICENSE: SEE THE COMMERCE COUNTRY CHART (SUPPLEMENT NO. 1 TO PART 738 OF THE EAR) TO DETERMINE WHICH COUNTRIES REQUIRE A LICENSE. USE THE COUNTRY CHART COLUMN INFORMATION GIVEN ON THIS FORM IN CONJUNCTION WITH THE COUNTRY CHART TO DETERMINE THE LICENSING REQUIREMENTS FOR YOUR PARTICULAR ITEMS. FOR ITEMS CLASSIFIED EAR99 SEE PART 746 OF THE EAR TO DETERMINE THE LICENSING REQUIREMENTS. APPLICATIONS FOR EXPORT MUST BE SUBMITTED ON FORM BIS-748P, MULTIPURPOSE APPLICATION. THESE FORMS MAY BE OBTAINED BY CAL
31. Server will operate only in demo mode and will accept only a single connection from an Agent on the local system. To make the Server fully functional you must next install the CAT.
Installing the CAT on Windows
The CAT is the main interface a user has to the H3E system. In order to take full advantage of the CAT you will need a system as outlined in the system requirements in section 2.3. It is highly recommended that these CAT systems be secured. You may run as many CAT systems as you would like, as they are not limited by the license. Like the Server, the CAT is installed by launching the MSI file. Select the computer you would like to host the CAT and run the CAT MSI file. The Install wizard will guide you through the following screens.
1. The initial screen. Click Next to start the installation.
Figure 2.6 Initial CAT Install (CAT Setup: Welcome to the CAT Setup Wizard; the Setup Wizard will install CAT on your computer; click Next to continue or Cancel to exit the Setup Wizard)
2. You must accept the End User License Agreement to continue installation. Click "I accept the terms in the License Agreement", then Next, to do so.
(CAT Setup, End User License Agreement: "Please read the following license agreement carefully. H3 Enterprise END US
32. Figure 6.20 E-Discovery Window (result rows for agent Windows XP SP2 with columns Agent, File Hash, File Path and Match Reason; for example File Hash d41d8cd98f00b204e9800998ecf8427e, File Path DOCUME~1\root\APPLIC~1, Match Reason "keyword H3E" or "filename H3E")
However, you will want to see what the search options were that returned these particular results. You can view that information by clicking on the Show Search Criteria option in the command bar. All of the search criteria for the highlighted search will be displayed in the search criteria window.
Figure 6.21 E-Discovery Search Criteria Window (selected agent Windows XP SP2; Show Search Results, Show Search Criteria and Report buttons; Date Isolation: Modified between 10/15/08 and 1/1/09; Search file name: Yes; Search file data: Yes; De-Duplicate: Yes; Hash All Files: No; Agents: Windows XP SP2; Keywords: H3E; Hashes: none)
Reporting
The final window in the Content pane allows you to create report
33. ag and drop content from the Content Pane onto the tag window and a new tag will be created for you.
Figure 6.27 Case editor tag window (Case Editor, Tags tab: two tags created 11/4/08 2:07 PM by Admin; New Tag, Print and Cancel buttons)
7 System Preferences
Setting user and server preferences for H3E
System Preferences
The local CAT Preferences are accessed through the Preferences menu option. Specific options can be assigned for the local CAT. To access the Preferences menu:
Figure 7.1 Preferences Menu (Mac OS X CAT menu: Preferences, Services, Hide CAT, Hide Others, Show All, Quit CAT)
On Mac OS X, click on the CAT menu item in the Apple toolbar and select Preferences. On Windows and Linux, select Edit in the top left corner of the toolbar screen, then select Preferences.
Admin Tool Preferences
Here you can select where downloaded file items will be saved by default. You can also choose the Greenwich Mean Time display options. By default all times in H3E are displayed and stored in GMT. However, you can change the display only to show the local time.
34. areas of the CAT Graphical User Interface.
Tool Bar
The tool bar is the means to navigate the different windows within the CAT. There are 8 options on the menu bar by default. They are, in order: Dashboard, Chat Log, Incident Response, Forensics, E-Discovery, Reports, List Cases, Add Case.
Figure 4.2 CAT Menu Bar
Clicking on one of the options in the toolbar will take you to that particular option within the content pane (area 3 on Figure X). Each option will be discussed in detail later in this manual.
Host (Agent) Pane
The Host pane offers a hierarchical list of all agents in existence on the network. The system users can group agents or Internet Protocol (IP) addresses into an order that reflects the organizational structures of their particular networks. A user can move any IP address to another location in the list simply by grabbing and dragging it. Agents initially appear in the host pane as their numerical IP address; however, the IP address can be changed to something more meaningful by holding down the SHIFT key and double-clicking the left mouse button. The name field will change to an edit field whereby the new name can be entere
35. ately Important; Level 3: Least Important. Users must determine which components fit which categories for their particular systems. Generally speaking, however, Level 1 encompasses those features on which your entire enterprise depends for productivity; without them your entire system grinds to a halt. Examples might include a database or an e-mail server. Level 2 might include such features as a backup server, while Level 3 might be assigned to printers or individual workstations.
Network Access
Click the Network Access button to bring up this box, where you can select the appropriate access level for the user.
Figure 7.6 Network Access (User Network Access dialog listing the group XP Systems 192.168.78.0; Cancel and Set buttons)
Private Information Access
Finally, mark the appropriate checkboxes in the Private Information Access section to determine whether the user can access ScreenShots, Disk Imaging, RAM Imaging or KeyLogger. These features are described in greater detail in chapter 5.
Database Backup
Click the Enable Backups checkbox to enable database backups. You have the option to set the time and day(s) you wish to back
36. DashBoard 64
User Communicator 65
Incident Response Audit Results 67
Forensics 72
Electronic Discovery 77
Reporting 78
Adding / Managing Cases 83
7 System Preferences 85
System Preferences 86
Admin Tool Preferences 86
General H3E Server Configuration 87
(entry illegible) 88
Mission Assurance Categories 89
Network Access 90
Private Information Access 90
Database Backup 91
System Updates 91
8 Additional Information 93
(entry illegible) 94
Legal Notification 94
Export (entry illegible) 95
37. ct Retrieve Live Data. Three options will appear: Fast Capture, Normal Capture or Custom Capture. Both fast and normal captures begin immediately once either is selected. A Fast Capture takes about 5 seconds to complete and a Normal Capture takes about one minute.
Figure 5.8 Auditing: Retrieve Live Data Options (Agent Windows XP SP3 menu: Mission Assurance Level; Retrieve Live Data with submenu Fast Capture, Normal Capture, Custom Capture; Image RAM; Image Disk(s); FileSystem View; Device Monitoring; Search)
The following table shows the information retrieved by either a Normal or a Fast Capture. The table has the columns Data Element, Category, Normal Capture and Fast Capture; the data elements recoverable from the source are:
Determine System Hostname
List Network Configurations
List ARP Table
List Current Network Connections
List All Processes (process)
List All Services (services)
Extract Windows Clipboard (Text Input Only)
List Installed Drivers
List Installed Applications
Show Volume Info
Get Environment Variables
Collect Server Uptime
Show User Current Identity
Generate Desktop Screen Capture
Obtain Application Event Log (log file)
Obtain Security Event Log (log file)
Obtain System Event Log (log file)
38. Screen Capture
To conduct a screen capture, which allows you to see what appears on any individual's screen at any given time, simply click on that option and the process begins immediately. Results will appear in the audit history list in the Content Pane of the CAT, described in detail in chapter 6 of this manual. Screen captures can also be taken during normal scans from the Retrieve Live Data menu. The screenshot will be captured in seconds, but that screenshot is only a snapshot in time from when it was made. Every screenshot made for a particular agent will be stored and can be viewed as thumbnails within the content pane.
Keyboard Capture
To conduct a keyboard capture, click on that option after selecting Device Monitoring from the System drop menu. This will open another drop menu. You must select Start KeyLogger to begin the process of capturing keystrokes.
Figure 5.13 Device Monitoring: Keyboard Capture (Agent Windows XP SP3 menu: Mission Assurance Level, Retrieve Live Data, Image RAM, Image Disk(s), FileSystem View, Device Monitoring with submenu Screen Capture and KeyBoard > Start KeyLogger, Search)
You may return to this menu and select Stop KeyLogger for keystrokes to be returned to the CAT for viewing in the Audit Results tab o
39. Figure 6.25 Sample of a Report (Network Statistics Information, continued; each entry lists PID, Source Address, Remote Address, Socket State and Executable)

PID | Process | Source Address | Remote Address | Socket State | Executable
984 | svchost.exe | (entry begins on the previous page) | | Listen | C:\WINDOWS\system32\svchost.exe
4 | System | 0.0.0.0:445 | 0.0.0.0:28874 | Listen | System
1712 | WinVNC4.exe | 0.0.0.0:5800 | 0.0.0.0:51267 | Listen | C:\Program Files\RealVNC\VNC4\WinVNC4.exe
1712 | WinVNC4.exe | 0.0.0.0:5900 | 0.0.0.0:53248 | Listen | C:\Program Files\RealVNC\VNC4\WinVNC4.exe
1772 | h3e-sma.exe | 0.0.0.0:9009 | 0.0.0.0:30825 | Listen | C:\Program Files\H3Enterprise\h3e-sma.exe
324 | alg.exe | 127.0.0.1:1026 | 0.0.0.0:32853 | Listen | C:\WINDOWS\System32\alg.exe
4 | System | 172.17.2.68:139 | 0.0.0.0:38990 | Listen | System
1784 | msmsgs.exe | 172.17.2.68:2174 | 207.46.109.96:1863 | Established | C:\Program Files\Messenger\msmsgs.exe
1772 | h3e-sma.exe | 172.17.2.68:2997 | 172.17.2.19:9010 | Established | C:\Program Files\H3Enterprise\h3e-sma.exe
1772 | h3e-sma.exe | 172.17.2.68:2998 | 172.17.2.19:9010 | Established | C:\Program Files\H3Enterprise\h3e-sma.exe

(A UDP Protocol section follows in the same format.)
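The report above is what an analyst reviews after a Normal Capture; the added example below (not code from the manual or from e-fense) parses entries written in the report's labelled field layout and flags two things worth a second look: listeners bound to every interface that are not on an assumed baseline, and established connections whose remote end is outside private address space. The sample entries are constructed from the values in Figure 6.25, and the baseline set is an assumption.

```python
"""Triage the 'Network Statistics Information' section of an H3E audit report.

Added example, not part of the H3E manual or e-fense code. Entries follow the
labelled layout of Figure 6.25 (PID / Source Address / Remote Address /
Socket State / Executable). The sample text and the allow-list are constructed
for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the labelled format of the manual's Figure 6.25.
SAMPLE_REPORT = """\
TCP Protocol
PID 984 svchost.exe
Source Address 0.0.0.0:135
Remote Address 0.0.0.0:28834
Socket State Listen
Executable C:\\WINDOWS\\system32\\svchost.exe
PID 1712 WinVNC4.exe
Source Address 0.0.0.0:5900
Remote Address 0.0.0.0:53248
Socket State Listen
Executable C:\\Program Files\\RealVNC\\VNC4\\WinVNC4.exe
PID 1772 h3e-sma.exe
Source Address 0.0.0.0:9009
Remote Address 0.0.0.0:30825
Socket State Listen
Executable C:\\Program Files\\H3Enterprise\\h3e-sma.exe
PID 1784 msmsgs.exe
Source Address 172.17.2.68:2174
Remote Address 207.46.109.96:1863
Socket State Established
Executable C:\\Program Files\\Messenger\\msmsgs.exe
PID 1772 h3e-sma.exe
Source Address 172.17.2.68:2997
Remote Address 172.17.2.19:9010
Socket State Established
Executable C:\\Program Files\\H3Enterprise\\h3e-sma.exe
"""

# Assumed baseline of wildcard listeners the analyst expects on a managed
# workstation: RPC/SMB plus the agent listener on 9009 seen in the sample.
EXPECTED_WILDCARD_LISTENERS = {135, 139, 445, 9009}

LABELS = ("PID", "Source Address", "Remote Address", "Socket State", "Executable")
_ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


@dataclass
class Socket:
    pid: int
    name: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    executable: str


def _split_addr(text):
    m = _ADDR.match(text.strip())
    if not m:
        raise ValueError(f"bad address: {text!r}")
    return m.group(1), int(m.group(2))


def parse_report(text):
    """Turn the five labelled lines of each entry into a Socket record."""
    sockets, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        for label in LABELS:
            if line.startswith(label + " "):
                fields[label] = line[len(label) + 1:]
                break
        if len(fields) == len(LABELS):  # entry complete once all labels seen
            pid, _, name = fields["PID"].partition(" ")
            lip, lport = _split_addr(fields["Source Address"])
            rip, rport = _split_addr(fields["Remote Address"])
            sockets.append(Socket(int(pid), name, lip, lport, rip, rport,
                                  fields["Socket State"], fields["Executable"]))
            fields = {}
    return sockets


def triage(sockets, expected=EXPECTED_WILDCARD_LISTENERS):
    """Return (unexpected wildcard listeners, connections to non-private hosts)."""
    unexpected = [s for s in sockets if s.state == "Listen"
                  and s.local_ip == "0.0.0.0" and s.local_port not in expected]
    external = [s for s in sockets if s.state == "Established"
                and not ipaddress.ip_address(s.remote_ip).is_private]
    return unexpected, external
```

On the sample, the VNC listener on 5900 and the Messenger session to 207.46.109.96:1863 are the two entries returned; the agent-to-Server connection on 9010 stays quiet because 172.17.2.19 is a private address.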
40. d
Figure 4.3 Host Pane (AGENTS > 172.17.2.0: Windows 2003 Server, Windows Vista, Windows XP SP2, Windows XP SP3, VMware XP SP2)
The Host pane is the starting point for conducting audits, imaging RAM or disks, monitoring devices or conducting searches on your network. Before initiating any of these activities you may want to set some preferences and configurations using the Preferences menu.
Content Pane
The Content pane, located on the right side of the main CAT screen, is where all the recovered data is displayed for analysis. The Content pane has many areas, which are all accessible from the tool bar. In fact, six of the eight items on the toolbar directly affect the view of the content pane. In order to view the different areas of content, simply left-click the mouse on one of the icon buttons in the toolbar and that area will become available in the content pane. The default view of the content pane is the dashboard. The dashboard, like the dashboard of a car, provides a quick overview of activity on the Server to which the CAT is connected. Consider this the home screen.
(Dashboard figure: Server 172.17.2.19 ...)
41. Figure 4.8 CAT Activity Window
Page intentionally left blank
5 User Interface II
H3E Contextual Menu Options
System Menu
The System menu launches such key features of H3E as conducting audits, imaging RAM or disks, monitoring devices or conducting searches.
Figure 5.1 Agent Menu (Agent Windows XP SP3: Mission Assurance Level, Retrieve Live Data, Image RAM, Image Disk(s), FileSystem View, Device Monitoring, Search)
To access the System menu, select an Agent from the Host pane with a left click or a mark in the check box beside the entry. Then right-click on the selected Agent and the contextual menu will appear.
Agent menu options
The first option on the contextual menu is Agent. This option has a submenu that contains many options. The options in this submenu allow you to start or stop an Agent or wake an Agent. When you stop an Agent using the Stop Agent menu item, the Agent will suspend itself and the Agent icon in the Agent pane will t
42. 3 System Architecture
H3E Basics
Copyright 2008 e-fense Inc. No part of this document may be copied or reproduced without the written permission of e-fense Inc.
Server Overview
All data exchanged between the CATs and the Agents passes through the Server, except during the transfer of large image files such as a RAM image, when the CAT and Agents communicate directly. The Server also acts as the central repository for all data collected by the system's Agents. The Server authenticates and routes commands from the CAT to the Agents on a network, then simultaneously forwards data responses back to the CAT and stores them in the internal SQL database.
Server Database
Once the Server has been installed successfully, the system automatically knows the H3E database is running. No separate installation or configuration is necessary, even after a system crash or power failure. Unlike SQL database engines that require programs to interact with the Server in requesting and receiving information, H3E allows programs to read and write directly from the database files on disk.
Server Settings
The Server is a running service, listed in the process list as H3E Server. The Server is linked by TCP connection to the CAT and to the Agents. Default settings have the Server listening for CAT communications on TCP port 59345 and for Agent communications on TCP port 9010. All ports are user configurable.
43. ed
Manual Installation
Manual installation requires that the user run the AGENT MSI file on each computer or workstation. The following components are necessary for successful manual installation of Agents:
- Physical access to the target system
- Login ability (admin permissions) on the target system to carry out the actual installation
- A target system that meets the system requirements (see section 2.1)
- Ports not already in use on the target system and thus available for Agents
- A local firewall that, if enabled, does not block the Agents from operating. The Microsoft Windows firewall will block certain packets required by H3E, so it is best to configure the firewall to allow H3E.
Manual installation requires that the user proceed through installation steps similar to those outlined for the Server and the CAT. When deploying MSI installation packages through GPO or SMS, or simply to your clients, you may want to make them silent. The AGENT MSI file has been created to facilitate a silent install. You can also choose to push the MSI file out using Microsoft's psexec command line utility and then run the msiexec command.
Quick Tip: MSIEXEC Command line options
Parameters which affect the user interface for msiexec: full UI, /qf (default parameter used by the package) e
44. 2 Getting Started
Basics of Helix3 Enterprise
2.1 Key Features
Among the unique features of the H3E system are the abilities to:
- Acquire live data from across the network
- Image a system's RAM for forensic analysis
- Image a system's physical drives for forensic analysis
- Make screen captures
- Log keystrokes for any user on the network
- Search Internet use history
- Search for files based on hash values
- Search the enterprise based on time/date stamps and keywords
- Define mission-critical systems
- Preview and copy files from systems
- E-Discovery searching for litigation hold matters
H3E also requires minimal training and provides incident responders with a secure, virtually undetectable system that allows for rapid data collection, analysis and reaction.
2.2 How To Obtain the Latest Version
From the CD: The CD contains versions for Windows, Mac and Linux. Choose your appropriate platform and install the Server, CAT and Agent. Windows installation files are in the form of MSI files, Mac files are packages and Linux files are deb packages.
Downloading From the Web Site: One can also install the latest version of H3E by visiting the official web site at http://h3e.e-fense.com
45. een comes into play. The Content pane has many areas accessible from the menu bar.
DashBoard
The dashboard, like the dashboard of a car, provides a quick overview of activity on the Server to which the CAT is connected. Information on the dashboard is organized into four main sections.
Figure 6.1 The DashBoard (Server 172.17.2.19: OS Version Windows 2003 5.2.3790 Service Pack, CPU Utilization, RAM Utilization with Total 2097152 K, Disk FreeSpace 8.03 GB, Uptime; Server Version 8.1.0.2019, Database Status online, Records in Database 46,825, Users in Database 1, Last Backup n/a; Authorized Agents 20, Agent Total 4, Active Agents 4; Last 30 Events such as "Admin Searching Files 172.17.2.67", "Admin Downloading mft file 172.17.2.65", "Admin Grabbing Filesystem Snapshot 172.17.2.65", "Admin Custom audit 172.17.2.67" and "Unknown Agent restricted because of license 172.17.2.66")
The four sections are simply: 1. Server Status, 2. Database Status, 3. Agent Information, 4. Last 30 eve
46. em Hostname, List Network Configurations, List ARP table, List Routing Table, List Current Network Connections, Extract Windows Clipboard (Text Input Only), List Installed Applications, Show Volume Info, Collect Server Uptime, Get environment variables, Show Network SMB Data, List All Processes, List Installed Drivers, List All Services, Dump Startup Run registry, Dump Startup RunOnce registry, Dump Startup RunOnceEx registry, Dump Startup RunServices registry, Dump Startup RunServiceOnce registry, Dump Startup Current User Run registry, Dump Startup Current User RunOnce registry, Dump Startup Current User RunOnceEx registry, Dump Startup Current User RunServices registry, Dump SharedDLLs registry, Dump KnownDLLs registry, Dump Startup Scripts, Dump Startup Explorer Run, Dump TypedURLs, Dump RunMRU, Dump LastSave, Dump Memory Settings, Dump Hotfix information.
The following is an example of an Analyst Audit Activity Report in PDF format.
(Report page: 4 Network Statistics Information, with Agent, Date and audit fields. TCP Protocol: PID 984 svchost.exe, Source Address 0.0.0.0:135, Remote Address 0.0.0.0:28834, Socket State and Executable; further entries follow with the same fields PID, Source Address, Remote Address, Socket State, Exe
47. esystem tree without harming or altering the files or their metadata. In order to get the filesystem view you need to select the Filesystem View option in the system menu, as outlined in chapter 5.
Figure 6.12 Forensics Window (Forensic Analysis, selected agent Windows XP SP3; File Systems, RAM and Disk Images tabs; filesystem tree on the left with Documents and Settings, All Users, Default User, LocalService, NetworkService and root (Application Data, Cookies, Desktop, FU_Rootkit, Favorites, Local Settings, My Documents, NetHood, PrintHood, Recent, SendTo, Start Menu); file list on the right with columns Name, Date Created, Date Modified and Date Accessed, showing entries such as $Extend, Config.Msi, i386, ListPrivileges.txt, fu.exe and msdirectx.sys)
When you view the filesystem you will see the filesystem tree view on the left and the content on the right.
Every filesystem image will be displayed in a drop-down menu for the highlighted agent. Simply choose the date/time for which you want to view and the results will be displayed.
(Figure: AGENTS > Workstations; Forensic Analysis for agent Wind
48. f the Content Pane on the CAT, described in detail in chapter 6 of this manual. You can also click on the stop sign icon in the activity viewer window in the host pane.
Electronic Discovery Search
The final option on the Agent drop menu is Search. To access the search option, highlight the Agent whose information you wish to retrieve using a left click, then right-click to bring up the Agent menu. From that menu select Search.
Figure 5.14 E-Discovery Search (Search dialog: Agents to Search 192.168.78.128; Isolate by Date with Date Type Created, Start Date 8/6/08 and Stop Date 11/12/08; Keywords "John Doe" with File Name, File Data and RegEx checkboxes; Additional Options De-Duplicate Files and Hash All Files; Hash Search with an Import button and a hash value / file name list showing manifest.zip; Import, Cancel and Search buttons)
There are three search methods:
1. Date & Time stamps for start and end dates
2. Keywords in filenames, file content and regular expressions
3. Hash values
The option to de-duplicate all the search results and hash all files also exists. Using a Hash Search allows you to search every machine on your network for files matching a unique digital signature (hash). The digital signature is to
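The three search methods and the de-duplication option above can be modelled locally; the added example below (not code from the manual or from e-fense) applies date isolation, filename/content keywords, a regular expression and a hash list to a constructed directory tree and reports Match Reasons in the style of Figure 6.20. It also labels a hit on d41d8cd98f00b204e9800998ecf8427e, the hash shown in that figure, which is the MD5 of zero bytes and therefore matches every empty file rather than any particular document. The sample files, dates and criteria are constructed here.

```python
"""Local model of the H3E E-Discovery search options.

Added example: not code from the manual or from e-fense. It applies the three
search methods the manual lists (date isolation, keywords in file names and
file data plus regular expressions, hash values) and the De-Duplicate option
to a directory tree. The sample tree below is constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# MD5 of zero bytes, the hash visible in Figure 6.20. A hit on it only means
# "an empty file exists", so it is labelled instead of treated as evidence.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _utc(day):
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def search(root, *, start=None, stop=None, keywords=(), regex=None,
           search_name=True, search_data=True, hashes=frozenset(), dedupe=True):
    """Return [(file name, md5, [match reasons])] for files matching any criterion.

    start/stop bound the modification time ("Isolate by Date"); keywords are
    looked for in file names and/or content; regex is applied to content; hashes
    is a set of MD5 hex digests. With dedupe=True only the first file with a
    given hash is reported ("De-Duplicate Files").
    """
    pattern = re.compile(regex) if regex else None
    seen, hits = set(), []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if (start and mtime < start) or (stop and mtime > stop):
                continue
            digest = md5_of(path)
            reasons = []
            if digest in hashes:
                reasons.append("hash empty-file (MD5 of zero bytes, not evidence)"
                               if digest == EMPTY_MD5 else "hash " + digest)
            if search_name:
                reasons += ["filename " + k for k in keywords if k.lower() in name.lower()]
            if search_data or pattern:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", "ignore")
                if search_data:
                    reasons += ["keyword " + k for k in keywords if k.lower() in text.lower()]
                if pattern and pattern.search(text):
                    reasons.append("regex " + pattern.pattern)
            if not reasons or (dedupe and digest in seen):
                continue
            seen.add(digest)
            hits.append((name, digest, reasons))
    return hits


def build_sample_tree():
    """Write a constructed evidence tree to a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="h3e_edisc_")
    files = {  # name: (content, modification date); all values constructed
        "memo.txt": (b"Notes from John Doe on the H3E rollout\n", "2008-09-01"),
        "copy_of_memo.txt": (b"Notes from John Doe on the H3E rollout\n", "2008-10-20"),
        "H3E_install.log": (b"msiexec returned 0\n", "2008-11-01"),
        "empty.tmp": (b"", "2008-10-05"),
        "old_report.txt": (b"John Doe quarterly report\n", "2007-01-15"),
        "ids.txt": (b"employee record 123-45-6789\n", "2008-10-10"),
    }
    for name, (data, day) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        ts = _utc(day).timestamp()
        os.utime(path, (ts, ts))
    return root


def run_sample_search(dedupe=True):
    """Apply criteria modelled on Figure 5.14 to the constructed tree."""
    return search(build_sample_tree(), start=_utc("2008-08-06"), stop=_utc("2008-11-12"),
                  keywords=("John Doe", "H3E"), regex=r"\b\d{3}-\d{2}-\d{4}\b",
                  hashes={EMPTY_MD5}, dedupe=dedupe)
```

With de-duplication on, the two identical memos yield a single hit and the 2007 report falls outside the date window; turning de-duplication off returns both memos, which is the behaviour the De-Duplicate checkbox controls.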
Understanding Content, page 83

Adding/Managing Cases

The H3E system lets you set up cases to manage workflow. New cases are created from the main menu bar on the CAT. Click the Add new case button and the case editor window appears. The case editor window has two tabs, Details and Tags. The Details tab contains the case information: the case number, the date the case was opened, its status and priority, and any comments. The opened, closed and last-update dates are set automatically by the system; fill in the case number, status and priority. The investigator name is set to the login name of the H3E user. Fill in any comments for the case as well.

Figure 6.26 Case editor window (Details tab: Case Number 3; Opened Tuesday, November 4, 2008 2:06:46 PM; Closed and Last Update blank; Status Open; Priority High; Investigator Admin; Comments; buttons New Tag, Print, Cancel, Save)

Understanding Content, page 84

Once you have filled in the case details, click the New Tag button to create a case tag. A tag is similar to a bookmark, but tags work differently from bookmarks. Simply dr
...formation for offline users to view later. The page also shows the currently logged-in user's last login time to the H3E system and the last event that user conducted. The user ID and name are supplied for reference.

Figure 6.3 User Communication (command bar with Add New Note and Delete Note; Users Online listing Admin; User Notes containing the note "check server systems" from Admin; Live Messages with a "Type message here" box)

Understanding Content, page 67

Figure 6.4 New note (Subject: Live System Audit Testing; buttons Cancel and Save)

To leave a note, click the Add New Note button in the command bar; a window opens in which you enter the note. To delete a note, highlight it and click the Delete Note button. To chat with other users, type your message in the box labelled "type msg here" and it is sent across the H3E system to all logged-in users. Chat traffic is encrypted with AES using a 256-bit key. When a user sends a message to other users logged into the CAT, the status bar shows a chat icon indicating that a message has arrived. Click on the icon to go to the message.

(Status bar notification: A new chat message has arrived)
...full screenshot within the Content pane. When you first click Show Screencapture Thumbnails, a dialog box tells you the thumbnails are being loaded. If any thumbnail is entirely black, no user was logged into the system when that screenshot was taken.

Understanding Content, page 69

Figure 6.9 Display of all thumbnails for a particular agent (Audit Results, selected agent Windows XP SP3; command bar with Refresh Display, Filter Display, Show Screencapture Thumbnails and Keyword Filter; thumbnails dated 2009-01-09 02:17:44, 2009-01-07 23:23:34 and 2009-01-07 21:14:42)

The Audit History tree view lists every audit that has ever been run on the selected Agent. Only audits that returned results are shown, in chronological order. The list is controlled by the filter options in the command bar.

Understanding Content, page 70

Audit History tree view, Live Audit items: Setupapi log, Internet History, Environment variables, Network Configurations, ARP table, Routing Table, Network Connections, Clipboard, Volume Information, Network SMB Data, Processes, Installed Drivers, Services, Registry, Application Log, Security Log
Getting Started, page 23

Figure 2.14 Register License Key ("Thank you for registering")

6. Registration is complete. You may now begin installing Agents.

Quick Tip: License Limitations. Up to 250 Agents can be installed on a single Server using a single license key. If you wish to use more than one Server to host your Agents, or if your network is large enough that you wish to install more than 250 Agents, you must request a second license key via e-mail and repeat the registration process with that key as well.

Installing Agents

Agents must be installed before an incident for the H3E system to function as intended, most importantly because doing so significantly reduces the risk of losing crucial information from RAM or the hard drive during incident response. Installing Agents before they are needed ensures the system is ready to harvest critical, time-sensitive information without contaminating potential evidence. Agents can be installed on any or all workstations simultaneously via an existing software distribution tool, or installed manually on any or all workstations one at a time.
System Architecture, page 33

Console Administration Tool (CAT) Overview

The CAT initiates all connections involved in a network-based audit. Communicating through the H3E Server, the CAT manages any Agent groups approved by the Server administrator, whether they are located on the internal network or elsewhere. This lets the user view operations on network workstations hosting Agents, and also ensures analysts can access only those Agents within their areas of responsibility. The request sent from the CAT to an Agent via the Server is small, but the audit results returned vary in size with the scope of the request and the amount of data available on the target system; a typical audit returns around 500 KB. The CAT is a stand-alone application and does not interfere with the administration, distribution or installation of software patch management solutions.

CAT Graphical User Interface (GUI)

The CAT appears as two panes on screen: the Host (or Agent) pane and the Content pane. Both use a simple point-and-click process for configuration and operation. The Host pane appears on the left side of the main CAT screen and contains a list of all network nodes (agents). Agents are listed by Internet Protocol (IP) address by default. These IP addresses represent both a Host and an
Figure 6.5 New Chat notification message

Incident Response Audit Results

The Incident Response toolbar item lets you view the outcome of the requests sent to your Agents. Once you have selected this option, the Content pane is divided into four major sections.

The audit banner carries the name of the system. You can see the IP address of the selected system in the status bar by hovering the mouse over the agent name in the Agent pane.

Understanding Content, page 68

Figure 6.6 The audit banner (Audit Results, selected agent: Windows XP SP2)

The command bar lets you refresh the audit list, set a view filter and view all the thumbnail screenshots taken from the selected agent.

Figure 6.7 The command bar (Refresh Display, Filter Display, Show Screencapture Thumbnails)

The filter restricts the audit history list to a window of no filter, 1 day, 5 days, 10 days or 30 days. Click Set to apply the filter. The default is no filter, which displays all audits.

Figure 6.8 Filter Window (options ALL/No Filter, 1 Day, 5 Days, 10 Days, 30 Days; buttons Cancel and Set)

The screen icon displays thumbnail pictures of all the screenshots ever taken from the selected agent. Double-click a thumbnail to open the
Contextual Menu Options, page 48

The options listed in the middle of the Agent Configuration screen are similar to those available through the Preferences menu but include some additional key communication settings. Here you can set the following:

Console Address (CA): DNS name or IP address
Console TCP Port
Console FTP Port
Agent TCP Port (not set through the Options menu)
Beacon Interval
Agent Idle Time (on the Options menu)

The port settings govern asynchronous communication between the CAT and Agents, while the CAT FTP Port is dedicated to file transfer. You may load the values currently set on the Agent by clicking the Load From Agent button.

Agents are configured to beacon the CAT when the workstation starts. The beacon updates the DashBoard display to reflect active status on the network. Users can change the configuration to direct Agents to beacon on demand or at any desired interval. The beacon restarts automatically in the event of a system crash.

The Auto Discover checkbox lets Agents discover the H3E Server automatically. The first server that is auto-discovered is used by the Agent unless otherwise directed. Because the Agent trusts whichever server answers first, use Auto Discover only on a network segment you control; on any other network, set the Console Address explicitly so that an Agent cannot be directed to a rogue server.

If you would like to view all of the audits ever conducted on an Agent, select the Retrieve Agent Audit Log item; a new window appears showing every audit along with its details.
User Interface II, page 55

A contextual menu is available by right-clicking in the window. A drop-down menu appears that lets you select specific elements. In addition, you can select or deselect elements using the checkboxes next to their names; selecting a parent element selects all of its children as well. Completed audits can be found in the Incident Response window of the CAT, described in detail in chapter 6 of this manual.

Imaging

The next two options on the Agent drop menu relate to imaging, which can be done of either RAM or disks. All imaging is done between the Agent and the CAT over a pseudo peer-to-peer connection on port 9090. Establishing a peer-to-peer connection between the host Agent and the CAT diverts the large stream of image traffic away from the H3E Server and leaves critical Server resources available for other audits.

To begin imaging, highlight the Agent(s) whose information you wish to image. If a single Agent is involved, left-click to select it. If the image involves multiple Agents, mark the appropriate checkboxes.

Quick Tip: Multiple Agent Imaging. While you can forensically image multiple agents at a time, it is not recommended, as you can very quickly exceed your network bandwidth. It is highly recommended to image one system at a time, and at a time when the systems are not in use.
User Interface II, page 49

Figure 5.4 Agent Audit Log Window. Agent: test1, 00:D0:B7:7F:7D:65, 172.17.2.68. Audits listed (start, completion, status): 2009-01-07 21:14:42 to 2009-01-07 21:14:47, Complete; 2009-01-07 23:23:34 to 2009-01-07 23:24:34; 2009-01-07 23:26:41 to 2009-01-07 23:28:31; 2009-01-08 19:34:37. Tasks for the highlighted audit: Grabs the Setupapi log file from the system; Grabs all of the Internet History for each user; Obtain System Chat Logs (Skype, Yahoo, MSN etc.); Grab the SAM file; Obtain NTUSER.DAT files; Determine System Hostname; List Network Configurations; List ARP table; List Routing Table; List Current Network Connections.

You can export the highlighted audit log by clicking the Export button. The exported file is a plain .txt file of the selected audit.

The host options (Delete, Ping, Traceroute) relate to the physical location, that is the computer workstation where the Agent resides, and to its functioning. Here the user can delete an Agent from the Host pane or remove a computer workstation that is no longer available on the network.

Contextual Menu Options, page 50

Figure 5.5 Traceroute Window (Target 172.17.2.68, Max TTL 32, Timeout 1000 ms, DNS; Hop 1, Address 172.17.2.68, Status Echo reply)

Other options o
(Hex view of ListPrivileges.txt in the forensics viewer, continued: Address, Data and text columns from offset 0001321C to 00013388. The text column lists Windows privilege names one per line, including SeSyncAgentPrivilege, SeUndockPrivilege, SeRemoteShutdownPrivilege, SeChangeNotifyPrivilege, SeSystemEnvironmentPrivilege, SeAuditPrivilege, SeDebugPrivilege, SeShutdownPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeCreatePermanentPrivilege, SeCreatePagefilePrivilege, SeIncreaseBasePriorityPrivilege, SeProfileSingleProcessPrivilege and SeSystemtimePrivilege. Status bar: Connected to Windows XP SP3)
...local system by coloring the file list.

Figure 6.17 Downloaded files

Name                Date Created         Date Modified        Date Accessed        Actual Size        Disk Size
i386                2009-01-07 22:41:06  2009-01-07 22:41:06  2009-01-07 23:16:13  0.0 bytes (0)      0.0 bytes (0)
ListPrivileges.txt  2003-02-03 06:30:54  2003-02-03 06:30:54  2009-01-07 23:16:00  636.0 bytes (636)  636.0 bytes (636)
fu.exe              2004-06-30 23:11:34  2004-06-30 23:11:34  2009-01-07 23:22:37  96.0 k (98304)     96.0 k (98304)
msdirectx.sys       2004-08-27 06:59:50  2004-08-27 06:59:50  2009-01-07 23:22:37  6.5 k (6656)       6.5 k (6656)

Understanding Content, page 75

Once a file has been downloaded you can show where it is located by clicking the Show on Disk menu item, or you can choose to view the file, which brings up the forensics viewer. You can also view a file by streaming its contents to the CAT without downloading it: simply double-click the file.

(Forensics viewer with Properties, Contents, Text and Strings tabs showing a hex view: Address, Data and text columns from offset 00012FFA onward; the text column at these offsets is not readable)
...also change the throttling speed of the transfer by changing the Max Speed value from 300 to 600.

User Interface II, page 57

Quick Tip: RAM and Disk Image file storage location. H3E stores RAM and disk images in standard default locations. Mac OS X: /Library/Application Support/H3E. Windows: under C:\Documents and Settings, in the profile's Application Data\H3E folder. Linux: under /home, in an H3E folder.

Tests have shown that H3E can acquire 1 GB of RAM in as little as three minutes.

Disk Imaging

Once Image Disk(s) has been selected, the Disk Image window appears. As with a RAM image, a disk image name and location are defined for you automatically. The Disk Image window lists all of the disks that can be imaged, physical as well as logical. Check the disk you would like to image and choose the options you want for that image. There are five options that can be set for disk imaging.

Choose a Segment Size that is compatible with the file size limit of the filesystem you are writing to; the image is split into as many files of that size as are needed to capture the entire disk.

For Sector Size Flow, enter the number of disk sectors to acquire per read request. A larger value makes acquisition faster, but when a request that spans a bad sector fails, more of the data in that request is at risk of being lost.
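To make the Segment Size and Sector Size Flow settings concrete, here is an added Python example written for this edition of the manual; it is not H3E code and does not reproduce the Agent's imaging protocol, transfer throttling or stream encryption. It reads a constructed stand-in for a block device in requests of a chosen number of sectors, writes the image as a series of files no larger than the segment size, hashes each segment and the whole stream for later verification, and shows the trade-off described above: when a multi-sector request fails because it spans a bad sector, the script falls back to reading that request one sector at a time, so that only the unreadable sector is zero-filled and logged rather than the whole request being lost.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR = 512  # bytes per sector for the constructed device


class FaultyDevice:
    """Constructed stand-in for a block device: a byte image plus a set of
    sector numbers whose reads fail, as a failing drive returns I/O errors."""

    def __init__(self, image, bad_sectors=()):
        self.image = image
        self.bad = set(bad_sectors)
        self.size = len(image)

    def read(self, offset, length):
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.image[offset:offset + length]


def read_with_fallback(dev, offset, length, bad_log):
    """Read `length` bytes at `offset`. If the request fails, retry one sector
    at a time so only the unreadable sectors are zero-filled (and logged)."""
    try:
        return dev.read(offset, length)
    except OSError:
        pieces = []
        for pos in range(offset, offset + length, SECTOR):
            n = min(SECTOR, offset + length - pos)
            try:
                pieces.append(dev.read(pos, n))
            except OSError:
                bad_log.append(pos // SECTOR)
                pieces.append(b"\x00" * n)
        return b"".join(pieces)


def acquire(dev, out_dir, segment_size, flow_sectors):
    """Image `dev` into files of at most `segment_size` bytes (use a multiple of
    SECTOR), reading `flow_sectors` sectors per request. Returns (segment paths,
    per-segment SHA-256 digests, whole-image SHA-256, list of bad sectors)."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    chunk = flow_sectors * SECTOR
    whole = hashlib.sha256()
    segments, seg_hashes, bad = [], [], []
    offset, seg_no = 0, 0
    while offset < dev.size:
        seg_path = out_dir / f"image.{seg_no:03d}"
        seg_hash = hashlib.sha256()
        written = 0
        with open(seg_path, "wb") as out:
            while written < segment_size and offset < dev.size:
                n = min(chunk, segment_size - written, dev.size - offset)
                data = read_with_fallback(dev, offset, n, bad)
                out.write(data)
                seg_hash.update(data)
                whole.update(data)
                offset += n
                written += n
        segments.append(str(seg_path))
        seg_hashes.append(seg_hash.hexdigest())
        seg_no += 1
    return segments, seg_hashes, whole.hexdigest(), bad


def run_example():
    """Constructed input: a 64-sector image in which sector 17 is unreadable."""
    image = bytes(range(256)) * 128  # 32768 bytes = 64 sectors
    dev = FaultyDevice(image, bad_sectors={17})
    out_dir = tempfile.mkdtemp(prefix="h3e_disk_image_")
    segments, _seg_hashes, digest, bad = acquire(
        dev, out_dir, segment_size=8192, flow_sectors=8)
    # Reassemble the segments; the only difference from the source must be sector 17
    recovered = b"".join(Path(p).read_bytes() for p in segments)
    expected = image[:17 * SECTOR] + b"\x00" * SECTOR + image[18 * SECTOR:]
    return {
        "segments": len(segments),
        "bad_sectors": bad,
        "faithful": recovered == expected,
        "digest_matches": hashlib.sha256(recovered).hexdigest() == digest,
    }


if __name__ == "__main__":
    print(run_example())
```

With the example's settings (8-sector requests, 8 KB segments) the 64-sector device becomes four segment files, and only sector 17 is recorded as bad; with a larger Sector Size Flow the same failed request would have cost nothing more, because the fallback narrows the loss to the sector that actually failed, which is the behaviour you want from any imager used on a suspect drive.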
Figure 4.4 Content pane displaying the dashboard. Last 30 Events (User, Audit, Agent): Admin, Imaging RAM, Windows XP SP3; Admin, Custom audit, Windows XP SP3; Admin, Screen Capture audit, Windows XP SP3; Unknown, Agent restricted because of license, Windows XP SP2; Unknown, Agent restricted because of license, Windows Vista. Server: version 8.1.0.2128; OS Windows 2003 5.2.3790 Service Pack; CPU Utilization 1%; RAM Total 2097152 K, Available 2097152 K, Usage 7%; Disk Free Space 8.02 GB; Uptime 1 Days 18 Hours 0 Minutes. Database: Status Online; Records in Database 4137; Users in Database 1; Last Backup blank. Agents: Authorized Agents 10; Agent Total 4; Active Agents 4.

Status Bar

The status bar contains status information as well as notification and system buttons. Three buttons on the status bar let you carry out certain activities.

Figure 4.5 CAT Status Bar (notification: A new chat message has arrived)

Putting the System into Action, page 42

The first button lets you create a new network folder on the Host pane. When you click it, the Add Network window appears. This window lets network folders (named folders) be created on the Host pane, or even parent networks to
...n this menu allow the user to ping an Agent when there appears to be a network communications problem, or to conduct a traceroute to an Agent.

Figure 5.6 Ping Window (Target 172.17.2.68, Timeout 1000 ms, Interval 10 ms, Count 20; 20 echo replies from 172.17.2.68 with round-trip times between 5.39 ms and 6.38 ms; Average 5.51 ms, Max 6.38 ms, Min 5.39 ms; Status Idle)

User Interface II, page 51

Mission Assurance Criticality (MAC) Level

Each Agent listed on the Host pane can appear with a flag to the right of its name. This flag represents the Mission Assurance Criticality, or Information Assurance Methodology (MAC/IAM), level described in chapter 7 under Mission Assurance Categories. You may assign a MAC/IAM level using this
...ncel, Save)

Figure 7.4 General Configuration

User Configuration

Click the Users Admin tab to bring up the User Configuration screen. Here you will see a list of current users, that is, those allowed access to the Server. Below that list, click New User to add a user or Delete to remove a user's login privileges. The right side of the screen contains User Information. To create settings for a user, first enter the user name and password at the top. Below that, mark the Has Administrator Access checkbox if you want that user to have administrator access.

System Preferences, page 89

Figure 7.5 User Configuration (tabs: Server Settings, Network Settings, User Admin, Backups, Updates. Current Users: Admin, Drew. User Information: Username, Password with Show Password, Has Administrator Access. Mission Assurance Categories: Level 0, Level 1, Level 2, Level 3. Permission checkboxes: Network Access, Private Information Access, ScreenShots, RAM Imaging, Disk Imaging, KeyLogger, Search. Buttons: New User, Delete, Cancel, Save)

Mission Assurance Categories

Next, select the appropriate Mission Assurance Category for the Hosts (the computers or devices) to which the user has access. The available MAC levels are: Level 0, not defined or set (guest); Level 1, Critically Important; Level 2, Moder
...nstall the package.

Figure 2.19 Mac OS X CAT Installation, Admin Password entry (Installer requires that you type your password: Name, Password; Change Install Location)

5. Installation progress.

Figure 2.20 Mac OS X CAT Installation Process (steps: Introduction, License, Destination Select, Installation Type, Installation, Preparing the Disk; buttons Go Back, Continue)

Getting Started, page 30

6. Installation success.

Figure 2.21 Mac OS X CAT Installation success (Install Succeeded: The software was successfully installed; Summary; Close)

Agents for the H3E system do not currently exist for the Mac OS X or Linux platforms, so there are no installation files for them.

Quick Tip: Standard File Locations, Mac OS X. H3E installs all of its files in standard default locations:
• The application is stored in Applications/H3E
• User preferences are stored in Library/Preferences
• Files are stored in Library/Application Support
...nts. The Server and Database Status sections contain information about the network, database and operating system, including the version of each, the number of records and users in the database and the last database backup, and the CPU and RAM utilization, free disk space and uptime of the OS. The total number of agents and the number of active agents are also shown. In addition, the last thirty commands sent to any Agents on the network are displayed and updated in real time.

If the H3E system has not been registered, the dashboard on the CAT notifies you by displaying a label at the bottom of the screen.

Figure 6.2 Unlicensed Banner ("Server is not licensed. Click to enter license key")

Click the red tag to enter an H3E license; the tag disappears once the registration is valid.

User Communication

The Users section identifies the user by name and ID, displays the last login and last event, shows any other users who are also online, and provides space for notes and for live messages. The list of users online represents the individuals logged into the same server and thus available to respond to requests.

Understanding Content, page 66

Communication between CAT users through the Live Messages window is an encrypted live chat. The User Notes window lets users leave in
• ...nux Kernel 2.6.15 or later
• Quad-Core Intel Xeon X5460, 2x6 MB cache, 3.16 GHz, 1333 MHz FSB
• 8 GB 667 MHz RAM
• RAID 5 SAS or SATA, 750 GB
• Intel PRO/1000PT 1GbE dual-port NIC

• Microsoft Windows XP or later
• Mac OS X 10.4 or later
• Linux Kernel 2.6.15 or later
• 2.4 GHz Intel Core 2 Duo processor
• 2 GB 667 MHz RAM
• 20 MB free disk space (extra space required for image transfers)

• Microsoft Windows XP or later
• 400 MHz Celeron or equivalent
• 256 MB RAM
• 40 MB free disk space

Getting Started, page 14

Providing the system with more resources and faster equipment, such as a faster processor and hard drive, can of course improve the performance of H3E where data reading, calculation and verification take place. For network purposes it is best to ensure that the workstation has the fastest possible network interface.

2.4 Installation

Selecting a System for Installation

Key questions to consider when selecting a system on which to install H3E include:
• Is the system secure?
• Are you using a protected section of the network with an appropriate number of security features enabled?
• Does the system you are using have sufficient network connectivity?
• With your existing firewall configuration between console and servers, can you establish a TCP connection from
...option on the Agent menu. To do so, right-click the Agent in the list, select Mission Assurance Level from the drop menu, then select the appropriate level for that host.

Figure 5.7 Mission Assurance Level (Agent menu for Windows XP SP3: Mission Assurance Level with None, Level 1, Level 2, Level 3; Retrieve Live Data; Image RAM; Image Disk(s); FileSystem View; Device Monitoring; Search)

The flags that appear beside the IP addresses in the Host pane represent the corresponding levels: Level 1 red, Level 2 yellow, Level 3 green. The levels are defined in chapter 7 of this manual. By default, agents are not assigned a MAC/IAM level and display no flag next to their name or IP address in the Host pane.

Contextual Menu Options, page 52

Auditing / Incident Response

The primary feature of H3E is auditing of any activity on a network. To begin an audit, select an Agent or Agents from the Host pane. If the audit is to include a single Agent, highlight that Agent with a left-click. If the audit is to include multiple Agents, select each by checking the box next to its identifying information. Once you have finished selecting Agents for inclusion in an audit, right-click to call up the System drop menu and from that menu sele
Contextual Menu Options, page 58

Figure 5.11 Disk Imaging Window. The disk list has columns Disk, IP, Type, Media, Volume Name and Size, grouped by agent: Windows XP SP3 (172.17.2.68) with PhysicalDrive0 and volume C:; Windows XP SP2 (172.17.2.65) with PhysicalDrive0 and PhysicalDrive1; Windows Vista (172.17.2.66); and Windows 2003 Server (172.17.2.67) with PhysicalDrive0. The entries are fixed hard disks and fixed media, plus one 1.30 MB removable media entry, with sizes of 12.20 GB, 18.50 GB, 37.20 GB, 38.20 GB, 74.40 GB and 74.50 GB. Options: Segment Size 2048, Sector Size Flow 32768, Transfer Port 9090, Max Speed (Kb) 300, Encrypt Stream (checked); buttons Cancel and Start.

File System Imaging

H3E allows forensic copying of the filesystem from any agent, giving a snapshot of what is on the system at the time of imaging. Once the file system, whether MFT (Master File Table) or FAT (File Allocation Table), has been copied, it can be viewed within the Content pane in the CAT. The filesystem is imaged by clicking the Filesystem View menu option. The file system view window is presented, allowing you
Figure 6.13 FileSystem View drop-down, highlighted by a red box (selected agent Windows XP SP3; Agents pane: Workstations with Windows XP SP3, Windows XP SP2 and Windows Vista, Servers with Windows 2003 Server; tabs File Systems, RAM, Disk Images)

Quick Tip: Supported Filesystems. Currently only Windows NTFS and FAT filesystems are supported; the other major filesystems (EXT2, EXT3, HFS) will be supported in a future update.

As you browse the filesystem tree on the left side of the screen, the contents appear on the right. Click a file or folder in the tree view and the folder and its contents are displayed in a list box on the right. For each file listed you can see the date it was created, modified and last accessed, as well as the size of the file and the space it occupies on the disk.

Figure 6.14 File view with partial metadata

Name                Date Created         Date Modified        Date Accessed        Actual Size        Disk Size
i386                2009-01-07 22:41:06  2009-01-07 22:41:06  2009-01-07 23:16:13  0.0 bytes (0)      0.0 bytes (0)
ListPrivileges.txt  2003-02-03 06:30:54  2003-02-03 06:30:54  2009-01-07 23:16:00  636.0 bytes (636)  636.0 bytes (636)
fu.exe              2004-06-30 23:11:34  2004-06-30 23:11:34  2009-01-07 23:22:37  96.0 k (98304)     96.0 k (98304)
msdirectx.sys       2004-08-27 06:59:50  2004-08-27 06:59:50  2009-01-07 23:22:37  6.5 k (6656)       6.5 k (6656)
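The created, modified and accessed times in the file list are the raw material for a file-activity timeline. The Python below is an added example written for this edition of the manual, not part of H3E; it takes the listing from Figure 6.14, transcribed by hand as constructed input, flattens the three timestamps of each file into one chronological event list, flags the two orderings that should never occur for a file created in place (modified before created, or accessed before created), and groups files whose last-access times fall within a short window, which is how the fu.exe and msdirectx.sys pair from the FU_Rootkit folder in Figure 6.12 shows up as a single burst of activity. The grouping window (60 seconds) is an assumption chosen for the example.

```python
from datetime import datetime

# Listing from the Forensics window (Figure 6.14), transcribed as constructed input:
# name | created | modified | accessed | actual size (bytes) | size on disk (bytes)
LISTING = """\
i386|2009-01-07 22:41:06|2009-01-07 22:41:06|2009-01-07 23:16:13|0|0
ListPrivileges.txt|2003-02-03 06:30:54|2003-02-03 06:30:54|2009-01-07 23:16:00|636|636
fu.exe|2004-06-30 23:11:34|2004-06-30 23:11:34|2009-01-07 23:22:37|98304|98304
msdirectx.sys|2004-08-27 06:59:50|2004-08-27 06:59:50|2009-01-07 23:22:37|6656|6656
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_listing(text):
    """Turn the pipe-separated listing into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, created, modified, accessed, actual, on_disk = line.split("|")
        records.append({
            "name": name,
            "created": datetime.strptime(created, FMT),
            "modified": datetime.strptime(modified, FMT),
            "accessed": datetime.strptime(accessed, FMT),
            "actual": int(actual),
            "on_disk": int(on_disk),
        })
    return records


def timeline(records):
    """Flatten the three timestamps of every file into one sorted
    list of (time, event, name) tuples."""
    events = []
    for r in records:
        for field in ("created", "modified", "accessed"):
            events.append((r[field], field, r["name"]))
    return sorted(events)


def anomalies(records):
    """Flag timestamp orderings that warrant a second look:
    - created after modified: the content predates the file's creation on this
      volume, typical of a file copied in from elsewhere or time-stomped;
    - accessed before created: impossible for a file created in place."""
    out = []
    for r in records:
        if r["created"] > r["modified"]:
            out.append((r["name"], "created after modified"))
        if r["accessed"] < r["created"]:
            out.append((r["name"], "accessed before created"))
    return out


def accessed_within(records, seconds):
    """Group files whose last-access times lie within `seconds` of the previous
    file's, so that a burst of related activity appears as one group."""
    if not records:
        return []
    by_time = sorted(records, key=lambda r: r["accessed"])
    groups, current = [], [by_time[0]]
    for prev, cur in zip(by_time, by_time[1:]):
        if (cur["accessed"] - prev["accessed"]).total_seconds() <= seconds:
            current.append(cur)
        else:
            groups.append([r["name"] for r in current])
            current = [cur]
    groups.append([r["name"] for r in current])
    return groups


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for when, event, name in timeline(recs):
        print(when, event, name)
    print("anomalies:", anomalies(recs))
    print("access bursts:", accessed_within(recs, 60))  # 60 s window is an assumption
```

Run against the figure's data, the listing produces no anomalies (every file's created and modified times agree, and all were accessed later), and the access-time grouping separates the ListPrivileges.txt and i386 accesses at 23:16 from the fu.exe and msdirectx.sys accesses at 23:22:37, the latter being the rootkit's user-mode loader and its driver touched together.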
...rt has finished, a dialog box asks whether you would like to view the PDF report. Click View in the dialog box to open the file.

Figure 6.23 View created report option ("Do you want to view the report now? The report has been successfully created and saved. Viewing the report will open the PDF file in an external viewing application." Buttons: No, View)

The second page of Report Generation is the ad hoc reports, which let you view the history of all audits as well as the login history for the H3E system.

Understanding Content, page 81

Figure 6.24 View ad hoc reports (Report Generation for 172.17.2.65; tabs Audit Reports and Adhoc Reports; Audit History and Login History. The Audit History table has columns User, Start Date, Completion, IP and Tasks; the six rows shown are all by user Admin, with start dates 2008-11-26 03:45:01, 2008-11-26 04:25:43 and four of 2008-11-29 07:15:01, completion times ranging from 2008-11-25 21:27:07 to 2008-11-29 08:07:44, and agent IPs 172.17.2.65, 172.17.2.66, 172.17.2.67 and 172.17.2.68. The Tasks column for the selected row lists: Grabs the Setupapi log file from the system; Grabs all of the Internet History for each user; Obtain System Chat Logs (Skype, Yahoo, MSN etc.); Grab the SAM file; Obtain NTUSER.DAT files; Determine Syst
...s in PDF format. The first report page is based on the agent that is selected in the Host pane.

Understanding Content, page 79

When you click on an agent, the Audit Date drop-down list is populated with the data for the selected agent. When an audit is chosen from the Audit Date drop-down, the counts for the individual audit tasks are displayed, which lets you see what data is associated with that particular audit. You can select any report task to include in the report. Once you have checked the options you want, click the Create Report button to generate the PDF.

Figure 6.22 Report Window (Report Generation for Windows XP SP2; tabs Audit Reports and Adhoc Reports; Audit History with an Audit Date drop-down; report tasks with item counts: Network 49, Processes 27, Arp Tables 2, Event Logs 128019, Netstat Info 38, Application 42673, Route Tables 7, System 42673, Interface Info 2, Security 42673, Screen Capture 1, Operating Sys Info 19, Clipboard 1, Volume Info 9, Installed Apps 140, Web History 992, Installed Drivers 105, Registry 21, Services 7; Create Report button)

Understanding Content, page 80

When the repo
...stall this software. Continue

Figure 2.16 Mac OS X CAT Installation

Getting Started, page 28

2. Read and accept the EULA and click Continue.

Figure 2.17 Mac OS X CAT Installation, EULA Agreement (steps: Introduction, License, Destination Select, Installation Type, Installation, Summary. The license text shown states that it is strictly prohibited to distribute, publish or sublicense, give or disclose to any other party this software or the documents, in hard copy, digital form or any other form existing or not yet existing, except as specifically permitted; that use of the software is governed by the terms of the EULA, which applies to all users and is accepted when you install or use the Software; and, under 1. LIMITED LICENSE, that you are granted a limited, non-exclusive license to install the)

3. Select Install to proceed. This installs to the default location, Applications.

Figure 2.18 Mac OS X CAT Installation location (Change Install Location)

Getting Started, page 29

4. You have to enter the user password to i
stered trademarks or copyrights of their respective companies and are used only for identification or explanation and to the owners' benefit, without intent to infringe. Any use and duplication of this material is subject to the terms of the license agreement between you and e-fense, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means: electronic, mechanical, photocopying, recording, scanning, or otherwise. Product Manuals and Documentation are specific to the software versions for which they are written. Specifications and information contained in this manual are furnished for informational use only and are subject to change at any time without notice.

Export Exemption

COMMODITY CLASSIFICATION
UNITED STATES DEPARTMENT OF COMMERCE, BUREAU OF INDUSTRY AND SECURITY, WASHINGTON D.C. 20230
CASE NUMBER 2727203
E-FENSE INC, ATTN: ROWLAND KIRKS, 120 NORTH SAINT ASAPH STREET, ALEXANDRIA VA 22314
APRIL 01 2008
CCATS G061201
THE FOLLOWING INFORMATION IS IN RESPONSE TO YOUR INQUIRY OF JANUARY 30 2008 REQUESTING LICENSE INFORMATION FOR
IVL REQUIRED LVS COMMODITY ECCN LVS FOR DOLLA
t button name] [button name] [button name], with as many bracketed button names as is required.

Table of Contents

1 Introduction ... 7
  [heading illegible in source] ... 8
2 Getting Started ... 11
  [heading illegible in source] ... 12
  2.2 How To Obtain the Latest Version ... 12
  [heading illegible in source] ... 12
  Downloading From the Web Site ... 12
  2.3 System Requirements ... 13
  2.4 Installation ... 14
  Selecting a System for Installation ... 14
  Installing the Server on Windows ... 14
  Installing the CAT on Windows ... 17
  Registering the Server ... 21
  [heading illegible in source] ... 23
  Manual Installation ... 24
  Software Management Installation ... 25
  Installing the Server CAT on Mac OS X ... 26
3 System Architecture ... 31
  Server Overview ... 32
  laud Bu
t may be copied or reproduced without the written permission of e-fense, Inc.

Once Agents have been selected, right-click to bring up the Agent drop menu. From that menu select either Image RAM or Image Disk(s).

RAM Imaging

Once Image RAM has been selected, the RAM Image window will appear. The RAM image will automatically be saved for you in a special folder on the computer running the CAT. Choose a Segment Size that is compatible with the maximum file size your file system allows; images will be split into as many files of that size as are necessary to capture the entire RAM. A segment size of 0 will not split the image.

In the Buffer Size field, enter the amount of memory you would like to capture at once. The higher the amount, the faster the acquisition, but the greater the risk of overwriting evidence in the memory you are acquiring. That is because only a limited amount of space is available for temporary storage of the data that has been acquired.

[Figure 5-10: RAM Imaging Window. Memory Image Collection dialog listing the selected agents with their RAM size (Windows XP SP3 255.4 MB, Windows XP SP2 1023.4 MB, Windows Vista 1022.9 MB, Windows 2003 Server 1023.4 MB), with the fields Segment Size (MB), Buffer Size (Kb) 64, Transfer Port 9090, Max Speed (Kb) 300, an Encrypt Stream checkbox, and Cancel and Start buttons.]

You have the ability to change the transfer port from the default of 9090. You can a
t the written permission of e-fense, Inc.

At any time you can copy a file from the listbox to the local CAT system by right-clicking on the file and choosing Download File from the menu.

[Figure 6-15: Downloading a file from the File System view. The listbox shows the context menu with Download File on the selected entry, with the following columns and rows:

Name               | Date Created        | Date Modified       | Date Accessed       | Actual Size        | Disk Size
i386               | 2009-01-07 22:41:06 | 2009-01-07 22:41:06 | 2009-01-07 23:16:13 | 0.0 bytes (0)      | 0.0 bytes (0)
ListPrivileges.txt | 2003-02-03 06:30:54 | 2003-02-03 06:30:54 | 2009-01-07 23:16:00 | 636.0 bytes (636)  | 636.0 bytes (636)
fu.exe             | 2004-06-30 23:11:34 | 2004-06-30 23:11:34 | 2009-01-07 23:22:37 | 96.0 k (98304)     | 96.0 k (98304)
msdi               | 2004-08-27 06:59:50 | 2004-08-27 06:59:50 | 2009-01-07 23:22:37 | 6.5 k (6656)       | 6.5 k (6656)
]

By selecting the Download File option you will be presented with the download window. This window will show you the file you are downloading as well as its size. You have the same options as when you make a forensic image of RAM or disk. You also have a choice to encrypt the transfer. Click on the Start button to begin the copying process.

[Figure 6-16: Downloading a file window. Host: Windows XP SP3; File: fu.exe (96.0 k); Buffer Size (Kb) 64; Transfer Port 9090; Max Speed (Kb); Encrypt Stream checkbox; Cancel and Start buttons.]

When the file has finished copying, the listbox will indicate the file has been copied to the
tall updates first after download.
2. Updates on agents will be installed when they first beacon in after a download.
3. CAT updates will happen upon login after a download.

If the Check Weekly checkbox is checked and an update is discovered, the dashboard on the CAT will display the following banner: "Software updates are available for download".

[Figure 7-9: System Updates Banner.]

8 Additional Information (Everything Else)

System Help

Customer Support

Please first refer to the instructions included in this user's manual if you encounter problems using H3E. If you are unable to find the solution you need, please contact Customer Support at http://fogbugz.e-fense.com with a detailed explanation of the issue or request. Please also contact us about features you would like to see in a future Helix3 Enterprise release. We are committed to continually improving our product to ensure it meets your needs in the future as well as the present.

Legal Notification

H3E, Helix3 Enterprise and Helix3 are registered trademarks or trademarks owned by e-fense, Inc. in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be regi
try, Application Log, Security Log, System Log, Screen Capture.

[Figure 6-11: Audit Results. The results pane has a Filter Display field and a Show Screencapture Thumbnails option, and a process table with Process, Path, Base and Version columns. Processes listed: services.exe, lsass.exe, svchost.exe (several instances), spoolsv.exe and msdtc.exe, all with paths under WINDOWS\system32; the Base column shows load addresses such as 0x1000000, 0x7C800000, 0x77E40000, 0x77F50000, 0x77C50000 and 0x76F50000, and the Version column shows values of the form 5.2.3790.3959 and 5.2.3790.4062.]
urn red, signifying it has stopped. You can restart the agent using the Start Agent menu item. The Wake Agent item forces the agent to beacon in immediately.

[Figure 5-2: Agent Start, Stop and Configuration User Interface. Context menu on the agent "Windows XP SP3" with the items Mission Assurance Level, Retrieve Live Data, Image RAM, Image Disk(s), FileSystem View, Device Monitoring, Search, Start Agent, Stop Agent, Wake Agent, Configure, Retrieve Agent Audit Log, Delete, Ping and Traceroute.]

To configure an agent, first select an Agent and right-click to bring up the System menu. Then select Configure from the drop menu to bring up the Agent Configuration window.

[Figure 5-3: Agent Configuration Window. Agent Machines list on the left showing 192.168.78.128; Settings on the right: Server Address 192.168.78.1 (with an Auto Discover checkbox), Server Port 9010, Server FTP Port 9090, Agent Port 9009, Beacon Interval 300; buttons Load From Agent and Restore Defaults.]

Once Agents have been installed successfully, the IP addresses should appear automatically in the box on the left side of the Agent Configuration window. The add and delete buttons below the agent list box allow you to add or delete Agents from this list.