[VOIPSEC] VOIP and Forensics
Mark Teicher
mht3 at earthlink.net
Fri Mar 18 13:17:41 CST 2005
Some people have contacted me off the list regarding their degrees of education and number of years of experience in network security. The point I was attempting to imply was that vendors are just starting to offer installation and maintenance courses, and administration courses regarding their specific product, but none have offered a VOIP Forensics type training course, and in some instances there is this "mystical box" that may lead to some form of "integrity" or "trust" issues, or possibly provide the ability to accurately "record time". But back to my point of VOIP Forensics and the start of a possible checklist.
Steps to start off a VOIP Forensics examination
Physical Security examination
Is the system or facility physically secure?
Is the system or facility that contains the brains of the system only accessible by authorized individuals?
Has the badge system been bypassed?
Has anyone checked the badge system logs and found a list of people whose access should be examined for possible violations?
Service Modem Validation -
Some VOIP vendors ship a remote access support system with their VOIP hardware (usually a modem of sorts, with or without some auth token/pre-programmed security key).
Is the modem off hook? If so, you may want to check the line for any fraudulent activity.
Is the service modem behind some type of PBX firewall, only allowing authorized parties to communicate with it?
Has the modem been configured to respond to PC Anywhere or other remote modem utilities?
Services Disabled?
Some VOIP vendors ship their equipment with underlying operating systems that may or may not be hardened (as in Windows or Linux), but it is something to check out.
Are services enabled when they shouldn't be? One can never be too careful: an enabled service on an outward-facing or non-security-protected VOIP gateway could be vulnerable to a host of operating system exploits. Here are some common ones to check for having been trojanized.
NFS Server (if enabled, check permissions and whether it should be; in most cases it should not be. If it has been enabled, start sniffing around the system for other services that should have been disabled and have now been re-enabled.)
Anonymous FTP Server
DNS Server
Web Server - some VOIP gateways have an underlying web server that provides a user interface for administration; some are freeware web servers, others commercially available. Validate whether the underlying web server has been trojaned, rootkitted or modified in some way other than as initially configured.
Mail Server
TFTP server - may be configured for IP phones to download their configuration, changes, etc. Validate that the tftp service only allows authorized IP phones, etc. to utilize the protocol, and check whether the service is being used for other than its intended use.
Telnet
root access - is root access enabled? It should have been disabled in favour of other methods of authenticating privileged access.
Validate the use of cron: has anything new been added?
NIS/NIS+ - should it be enabled? Is it now?
Verification of Backups
Have backups ever been made?
Are they useable?
When was the last backup made? Validate the last time changes were made and compare it to the backups.
Permissions
Validate umask permissions - are they set correctly? Have they been modified?
Banner Messages
Have banner messages been set other than default?
If set, have they been modified?
Probably enough to get started.
More information about the Voipsec mailing list
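The "services enabled when they shouldn't be" and "has anything new been added to cron" items from the checklist above, as an added example that is not part of the original post or of any vendor's tooling. The script compares what a Unix-based VOIP gateway is observed doing against a baseline recorded when it was commissioned, for three areas: listening sockets, inetd-launched services and root's crontab. Everything it reads is a constructed snapshot embedded in the script (the netstat output, the inetd.conf fragment, the crontab lines, and the paths /opt/gw/bin/rotate_cdr and /tmp/.x/update are all made up for the example); the baseline values are likewise assumed, not taken from any product.

```shell
#!/bin/sh
# Added example: baseline comparison for a Unix-based VOIP gateway.
# All "observed" inputs below are constructed snapshots in the format the
# real commands print; on a live box they would come from `netstat -an`,
# /etc/inetd.conf and `crontab -l` (root). The baseline is assumed to have
# been captured at install time and kept off the box.
LC_ALL=C
export LC_ALL

# --- Assumed baseline, recorded when the gateway was commissioned ---
BASELINE_LISTENERS='tcp 22
tcp 443
udp 69
udp 5060'
BASELINE_INETD='tftp'
BASELINE_CRON='0 3 * * * /opt/gw/bin/rotate_cdr'

# --- Constructed "observed" snapshots (not real captures) ---
OBS_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:5060           10.0.0.77:41022         ESTABLISHED
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:5060            0.0.0.0:*'
OBS_INETD='# /etc/inetd.conf (constructed)
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd -s /tftpboot'
OBS_CRON='# m h dom mon dow command
0 3 * * * /opt/gw/bin/rotate_cdr
*/5 * * * * /tmp/.x/update >/dev/null 2>&1'

# not_in_baseline OBSERVED BASELINE: print each observed line (comments and
# blank lines dropped, duplicates collapsed) that does not appear verbatim
# in the baseline. Output is sorted so two runs can be diffed.
not_in_baseline() {
    printf '%s\n' "$1" | sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' | sort -u |
    awk -v base="$2" '
        BEGIN { n = split(base, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok) { print }'
}

# listeners NETSTAT_TEXT: reduce netstat -an output to "proto port" lines for
# listening sockets only; an ESTABLISHED connection is not a service.
listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $NF == "LISTEN" { sub(/.*:/, "", $4); print "tcp " $4 }
        $1 == "udp"                    { sub(/.*:/, "", $4); print "udp " $4 }'
}

# inetd_services INETD_CONF_TEXT: service names (first field) of the entries
# that are actually enabled, i.e. not commented out.
inetd_services() {
    printf '%s\n' "$1" | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' | awk '{ print $1 }'
}

unexpected_listeners() { not_in_baseline "$(listeners "$OBS_NETSTAT")" "$BASELINE_LISTENERS"; }
unexpected_inetd()     { not_in_baseline "$(inetd_services "$OBS_INETD")" "$BASELINE_INETD"; }
unexpected_cron()      { not_in_baseline "$OBS_CRON" "$BASELINE_CRON"; }

# report: one line per deviation, prefixed with the checklist area, then a
# total. Anything listed here is the starting point for the deeper checks in
# the post (trojaned binaries, rootkits, re-enabled services).
report() {
    total=0
    for area in listeners inetd cron; do
        out=$(unexpected_$area)
        [ -n "$out" ] || continue
        printf '%s\n' "$out" | sed "s/^/$area: /"
        total=$((total + $(printf '%s\n' "$out" | wc -l)))
    done
    echo "total deviations: $total"
}

report
```

With the constructed snapshots the report flags telnet (tcp/23) and the NFS/portmapper ports (tcp/2049, udp/111) as listeners that are not in the baseline, telnet as an enabled inetd service, and the every-five-minutes cron entry pointing into /tmp. To run it against a real gateway, replace the three OBS_ variables with the live command output and keep the BASELINE_ values on read-only media off the box, since a compromised system can just as easily have had its "baseline" edited.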