Monday, September 8, 2008

Parse IIS FTP logs

I recently had an investigation involving the IIS FTP service. An unauthorized person had obtained access to a specific user account, was then able to log in via the FTP server, and downloaded several confidential files.

When reviewing the FTP logs, which recorded numerous legitimate logins every day, I found an immediate need to isolate the logins of the specific compromised user account. I could easily do this with a keyword search, but much of the FTP log information was commingled with legitimate FTP traffic, making it hard to follow. I decided to write an EnScript that parsed the FTP logs and broke each FTP session out into its own log file.

The IIS FTP log is similar to the IIS web log, except not nearly as verbose. There are several defined fields that look like this:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-10-29 17:04:39
#Fields: time c-ip cs-method cs-uri-stem sc-status
17:04:39 [1]USER anonymous 331
17:04:39 [1]PASS guest@unknown 230
17:04:46 [1]QUIT - 257
17:04:49 [2]USER anonymous 331
17:04:49 [2]PASS guest@unknown 230
17:10:51 [2]QUIT - 257
17:10:54 [3]USER anonymous 331
17:10:54 [3]PASS guest@unknown 230
17:11:33 [3]closed - 426

There are a couple of important pieces of information contained in each line:
1. Timestamp
2. Source IP address
3. Session number
4. FTP command
5. FTP result code

Using the session number (the number in the brackets), the EnScript parses through the file, pulls out all the log entries associated with each specific session, and writes them to a new file. For my specific purpose, it made things much easier. The EnScript writes out each session and names the new file with the session number, combined with the original filename the entries came from and, if it can be determined, the user account the FTP session concerns.
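The same splitting logic as an added Python example (not the EnScript from this post): it groups entries by the bracketed session number, takes the account name from the USER command, and names each output file by session number, original log name and account. The sample log is constructed from the entries above; the regex also accepts an optional client IP column, since the #Fields header names a c-ip field that the sample lines omit, and the source filename ex051029.log is a placeholder.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample in the post's format (no c-ip column present).
SAMPLE_LOG = """#Fields: time c-ip cs-method cs-uri-stem sc-status
17:04:39 [1]USER anonymous 331
17:04:39 [1]PASS guest@unknown 230
17:04:46 [1]QUIT - 257
17:04:49 [2]USER anonymous 331
17:04:49 [2]PASS guest@unknown 230
17:10:51 [2]QUIT - 257
17:10:54 [3]USER anonymous 331
17:11:33 [3]closed - 426
"""

ENTRY_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?"      # c-ip, optional
    r"\[(?P<session>\d+)\](?P<method>\S+)\s+"       # [n]COMMAND
    r"(?P<arg>\S+)\s+(?P<status>\d{3})\s*$"         # argument, result code
)

def split_sessions(text):
    """Group entries by session number; remember the first USER argument per session."""
    sessions = defaultdict(lambda: {"user": None, "lines": []})
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:            # skips #directive lines and anything unparseable
            continue
        sess = sessions[int(m["session"])]
        sess["lines"].append(line)
        if m["method"].upper() == "USER" and sess["user"] is None:
            sess["user"] = m["arg"]
    return dict(sessions)

def session_filename(session, source_name, user):
    """Session number + original log name + account, per the naming convention above."""
    safe_user = re.sub(r"[^\w.@-]", "_", user) if user else "unknown"
    return f"{session:04d}_{Path(source_name).stem}_{safe_user}.log"

def write_sessions(text, source_name, out_dir):
    out = Path(out_dir)                      # one file per session lands here
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for num, data in sorted(split_sessions(text).items()):
        name = session_filename(num, source_name, data["user"])
        (out / name).write_text("\n".join(data["lines"]) + "\n")
        names.append(name)
    return names
```

Sorting the output directory by name then groups files per session, and file size gives the same quick indication of activity volume that the post describes.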

Using the IIS FTP log quoted above, and then selecting the log file and running the EnScript, the following files are created in the default export folder for the case:

The contents of each file are the FTP activity for that specific session:

17:04:49 [2]USER anonymous 331
17:04:49 [2]PASS guest@unknown 230
17:10:51 [2]QUIT - 257

By sorting the files and looking at the naming convention of each one, I could quickly find the FTP activity for the compromised user account, and the size of each log immediately pointed out the sessions with large amounts of activity.

Hopefully, someone else has a use for it as well.

Download Here


Anonymous Friday, 12 September, 2008  

Thanks Lance! I am sure I am not the only one who greatly appreciates your EnCase scripts!

Best Regards,

mitch impey


Computer Forensics, Malware Analysis & Digital Investigations
