July 12 2001
Computer Forensics: A Critical Process in Your Incident Response Plan
Version 2.0
Gregory S. Miles, Ph.D.
Agenda
Incident Response Overview
Computer Forensics Defined
Contemporary Issues in Computer Forensics
Forensic Process
Forensic Tools
Forensic Problems
The Future of Computer Forensics
Incident Response
Why is it Critical?
Resolve the problem
Find out what happened
How it happened
Who did it
Elements of Incident Response
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
Preparation
Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel.
Preparation limits the potential for damage by ensuring response actions are known and coordinated.
Identification
The process of determining whether or not an incident has occurred and the nature of the incident. Identification may occur through the use of automated network intrusion detection equipment or by a user or system administrator (SA).
Identification is a difficult process. Noticing the symptoms of an incident is often difficult, and there are many false positives. However, noticing an anomaly should drive the observer to investigate further.
Possible Incident Classifications
Unauthorized Privileged (root) Access: Access gained to a system and the use of root privileges without authorization.
Unauthorized Limited (user) Access: Access gained to a system and the use of user privileges without authorization.
Unauthorized Unsuccessful Attempted Access: Repeated attempts to gain access as root or user on the same host, service, or system with a certain number of connections from the same source.
Possible Incident Classifications (cont.)
Unauthorized Probe: Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.
Poor Security Practices: Bad passwords, direct privileged logins, etc., which are collected from network monitoring systems.
Denial of Service (DoS) Attacks: Any action that preempts or degrades performance of a system or network, affecting the mission, business, or function of an organization.
Possible Incident Classifications (cont.)
Malicious Logic: Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious script, or logic bomb. Usually hidden, and some may replicate. Effects can range from simple monitoring of traffic to a complicated automated backdoor with full system rights.
Possible Incident Classifications (cont.)
Hardware/Software Failure: Non-malicious failure of HW or SW assets.
Infrastructure Failure: Non-malicious failure of supporting infrastructure, to include power failure, natural disasters, forced evacuation, and service providers' failure to deliver services.
Unauthorized Utilization of Services: This can include game play, relaying mail without approval, creating dial-up access, using organizational equipment for personal gain, and personal servers on the network.
Containment
Containment - Example
Incidents involving the use of malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.
It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.
Internet Worm of 1988: attacked 6,000 computers in the U.S. in one day.
LoveBug Virus: affected over 10 million computers, with damage estimated between $2.5B and $10B US.
Kournikova worm: effects still being analyzed.
Eradication
Recovery
The process of restoring a system to its normal operating status.
Unsuccessful incidents: assure that system operation and data were not affected.
Complex and/or successful incidents: may require complete restoration from known clean system backups. It is essential to assure the backups' integrity and to verify that the restore operation was successful.
Follow-Up
Critical
Helps to improve incident handling procedures
Address efforts to prosecute perpetrators
Activities Include:
Computer Forensics
What is Computer Forensics?
Computer forensics can be defined simply as a process of applying scientific and analytical techniques to computer operating systems and file structures in determining the potential for legal evidence.
Private Business
Government
Private Individuals
Disk Forensics
Network Forensics
E-mail Forensics
Internet (Web) Forensics
Source Code Forensics
Disk Forensics
Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.
Includes the recovery of hidden and deleted data.
Includes file identification, which is the process used to identify who created a particular file or message.
Melissa Virus
Network Forensics
Network forensics is the process of examining network traffic. It includes:
After-the-fact analysis of transaction logs
Real-time analysis via network monitoring
Sniffers
Real-time tracing
E-mail Forensics
E-mail forensics is the study of the source and content of electronic mail as evidence.
It includes the process of identifying the actual sender and recipient of a message, the date and time it was sent, and where it was sent from.
E-mail has turned out to be the Achilles' heel for many individuals and organizations.
Many times, issues of sexual harassment, racial and religious prejudice, or unauthorized activity are tied to e-mail.
Internet Forensics
Technological Progress
The Population is More Computer Literate
The World is Networked, Yet Users Can Retain a Sense of Anonymity
The Use of Encryption is Becoming Common
Network Bandwidth is Increasing while Cost is Decreasing
Disks are Less Expensive and have Higher Capacities
More Data Available On-Line
Technological Progress
Computers are Tools and Targets
Instrumentality
Data Repository
Many Criminals Are Using Computers in the Normal Course of Business
A crime in which technology plays an important, and often a necessary, part.
The computer is:
the target of an attack
the tool used in an attack
used to store data related to criminal activity
Unauthorized Access
Denial of Service
Extortion
Theft
Sabotage
Espionage
Computer Fraud
Embezzlement
Copyright Violation
Forgery and Counterfeiting
Internet Fraud / Imposter Sites
SEC Fraud and Stock Manipulation
Child Pornography
Stalking & Harassment
Credit Card Fraud & Skimming
Contemporary Issues in Computer Forensics
Criminal Justice System is not Prepared to Handle High-Tech Crime
Shortage of Trained Investigators & Analysts
Lack of Forensic Standards
Contemporary Issues in Computer Forensics
Evidence Collection and Examination Must not Violate the following:
4th Amendment
Privacy Protection Act
Electronic Communications Privacy Act
Forensics Process
Preparation
Protection
Imaging
Examination
Documentation
Preparation
Confirm the authority to conduct analysis/search of the media.
Verify the purpose of the analysis and the clearly defined desired results.
Ensure that sterile media is available and utilized for imaging (i.e., free of viruses and nonessential files, and verified before use).
Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.
Legal Overview
Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602, 614 (1989).
Protection
Protect the integrity of the evidence. Maintain control until final disposition.
Prior to booting the target computer, DISCONNECT the HDD and verify the CMOS settings.
When booting a machine for analysis, utilize HD lock software.
Imaging
Utilize disk imaging software to make an exact image of the target media. Verify the image.
When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.
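As an added example (not part of the original presentation), the following Python script performs a raw, bit-for-bit acquisition of a source device or file while hashing it in the same pass, then independently re-hashes both source and image so the copy is verified before any analysis begins. The sample media is a constructed temporary file and the file names are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks, comparable to dd bs=1M


def acquire_image(source_path, image_path):
    """Copy the source byte for byte; return the SHA-256 of everything read."""
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)  # hash the media as it is read, in one pass
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())    # the image must really be on disk
    return digest.hexdigest()


def hash_file(path):
    """Independent re-read of a file, used to verify the written image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source_path, image_path, acquisition_hash):
    """True only if source, image and the acquisition-time hash all agree."""
    return hash_file(source_path) == hash_file(image_path) == acquisition_hash


def demo():
    """Constructed sample media: 3 MiB + 17 random bytes in a temporary file."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "target-media.bin")  # assumed names
    image = os.path.join(workdir, "target-media.img")
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))  # deliberately not CHUNK-aligned
    acq_hash = acquire_image(source, image)
    clean_ok = verify_image(source, image, acq_hash)
    with open(image, "r+b") as fh:            # flip one bit in the image copy
        fh.seek(5)
        byte = fh.read(1)[0]
        fh.seek(5)
        fh.write(bytes([byte ^ 0x01]))
    tampered_ok = verify_image(source, image, acq_hash)
    return clean_ok, tampered_ok
```

Calling demo() returns (True, False): the untouched image verifies, and a single flipped bit is enough to fail verification, which is why the hash taken at acquisition time is recorded with the evidence.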
Examination
The Operating System
Services
Applications/processes
Hardware
LOGFILES! (System, Security, and Application)
File System
Examination (Cont.)
Deleted/Hidden Files/NTFS Streams
Software
Encryption Software
Published Shares/Permissions
Password Files
SIDs
Network Architecture/Trusted Relationships
Off-Site Storage
X-Drives
FTP Links
FTP Logs
Shares on internal networks
Documentation
Document EVERYTHING
Reason for Examination
The Scene
Utilize Screen Capture/Copy
Suspected files
All apps for Analysis/apps on Examined system
Forensic Tools
Media Options
Removable Media (REM-KIT)
Disk Imaging Hardware
Image MASSter 500 & 1000
Media Options
Your forensic system should have plenty of room for expansion and external media. This is usually best supported by SCSI systems.
Media Options
Internal Hard Disk
Tape Media
QIC Tape Drive
Travan Tape Drive
DAT
Optical Media
CD-ROM
CD-Writer
DVD
Removable Media
Hard Drives
ZIP Drives
Jazz Drives
PCMCIA Flash Disks
Forensic Software
Clean Operating System(s)
Disk Image Backup Software
Search & Recovery Utilities
File Viewing Utilities
Cracking Software
Archive & Compression Utilities
Validate Software
Determine Functionality
Verify operation
Identify limitations
Identify bugs
Court Presentation
Testify from own experience
Search Utilities
Forensic Software
EnCase
The Coroner's Toolkit
Norton Utilities
Forensic Analysis
Steganography
The Art of Hiding Communications
While Encryption Conceals the Data, Steganography Denies the Data Exists
Files Can Be Hidden within an Image
Disguising Data as Innocent Text
S-Tools
Hides Data inside Images, Audio Files and Slack Space
Ghosting
White letters on a white background, or black letters on a black background.
Cluster Analysis
Cluster Analysis Criteria
Content, Location and Condition
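Added example, not from the original deck, for the cluster analysis criteria above and the "recovery of hidden and deleted data" point under Disk Forensics: a simplified model of file slack showing how bytes of a deleted file survive between the end of a newly written file and the end of its last cluster. The 512-byte cluster size, contiguous allocation and the sample volume are constructed assumptions; real file systems add an allocation map on top of this.

```python
import math
import re

CLUSTER = 512  # constructed volume uses 512-byte clusters to keep the sample small


def clusters_for(size):
    """Whole clusters allocated to a file of `size` bytes (the last one is usually partial)."""
    return max(1, math.ceil(size / CLUSTER))


def slack_region(first_cluster, size):
    """Location criterion: byte range [start, end) of file slack, from the end of
    the file's data to the end of its last cluster. Assumes contiguous allocation."""
    start = first_cluster * CLUSTER + size
    end = (first_cluster + clusters_for(size)) * CLUSTER
    return start, end


def carve_slack(volume, first_cluster, size):
    """Return the slack bytes of the file that starts at `first_cluster`."""
    start, end = slack_region(first_cluster, size)
    return bytes(volume[start:end])


def printable_runs(data, min_len=8):
    """Content criterion: printable ASCII runs long enough to be worth a look."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def build_sample_volume():
    """Constructed 4-cluster volume. An old 1001-byte record occupied clusters 1-2
    and was deleted; a new 700-byte file was then written starting at cluster 1,
    overwriting only the first 700 of those bytes."""
    volume = bytearray(4 * CLUSTER)
    old = b"".join(b"old-rec-%04d;" % i for i in range(77))   # 77 * 13 = 1001 bytes
    volume[CLUSTER:CLUSTER + len(old)] = old
    new = (b"new-file-contents " * 50)[:700]
    volume[CLUSTER:CLUSTER + len(new)] = new                  # overwrite from cluster 1
    return volume, old, new


if __name__ == "__main__":
    vol, old, new = build_sample_volume()
    slack = carve_slack(vol, first_cluster=1, size=700)
    print(len(slack), printable_runs(slack)[0][:30])
```

The 324 bytes of slack after the 700-byte file still hold the tail of the deleted record, which a file-level copy of the volume would never show; this is also why wiping tools that only overwrite file contents (the Analysis Problems list below) change what a cluster-level examination finds.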
Analysis Problems
Searching Access Controlled Systems
Virus Infection
Formatted Disk
Corrupted Disk
DiskWipe or Degaussed Media
Defragmented Disk
Cluster Boundaries
Evidence Eliminator
Evidence Protection
Transparent Static Shielding Bags
Provides shielding from electrostatic discharge by safely enveloping static-sensitive devices in a humidity-independent Faraday cage. The nickel shielding layer creates a Faraday-type shield. Meets MIL-B-81705 and DoD-STD-1686A.
Network Forensics
Analyze Packet Traces
Establish a Sequence of Events
Goal is to Identify the Intruder
Tools
Network Sniffer
System Logs
NTSC Adapter
Network Forensics
IP Spoofing
Hijacking
Password Attacks
Social Engineering
Cracking Passwords
Sniffers
Distributed-Coordinated Attacks
Identity Concealed by Connection Laundering
Connection Laundering
E-mail Forensics
E-mail Usage in 2000: 108 Million E-mail Subscribers; 25.2 Billion Messages Daily
E-mail is an asynchronous communications mechanism that allows venting.
People have a tendency to include more in an e-mail message than they would say in person or over the phone.
E-mail Spoofing
Requires Only:
Mail Relay Server
Knowledge of Mail Commands
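For the e-mail forensics and e-mail spoofing slides, an added example that is not the author's code: it walks the Received: header chain of a constructed message to find where the message actually entered the mail system, and compares that origin with the domain claimed in From:, which a relay-based spoofer fills in freely. The message, host names and addresses are constructed samples.

```python
import email
import email.utils
import re

SAMPLE = """\
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
\tby inbox.corp.example with ESMTP id abc123; Tue, 10 Jul 2001 09:15:02 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mail.corp.example with SMTP; Tue, 10 Jul 2001 09:14:50 -0400
Received: from ceo-laptop (dialup-45.isp.example [203.0.113.45])
\tby relay.isp.example with SMTP; Tue, 10 Jul 2001 09:14:31 -0400
From: "The CEO" <ceo@corp.example>
Subject: Meeting moved to 3pm

Please note the new time.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Hops in delivery order (oldest first). Only the Received: lines added by
    relays you trust are reliable; a sender can pre-forge the lines below them."""
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # bottom line = first hop
        text = " ".join(str(header).split())             # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue
        info = m.group("info") or ""
        ip = IP_RE.search(info)
        hops.append({"helo": m.group("helo"),                      # name the client announced
                     "rdns": info.split("[")[0].strip() or None,   # name the relay resolved
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops

def sender_domain(raw):
    """Domain claimed in From: (a field the sender controls completely)."""
    _, addr = email.utils.parseaddr(email.message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()

def origin_consistent_with_sender(raw):
    """Heuristic check: does the first hop's name belong to the From: domain?"""
    hops = received_chain(raw)
    domain = sender_domain(raw)
    names = [n for n in (hops[0]["helo"], hops[0]["rdns"]) if n] if hops else []
    return any(n == domain or n.endswith("." + domain) for n in names)
```

For the sample, the first hop is a dial-up host at 203.0.113.45 under isp.example while From: claims corp.example, so the check returns False; the relay's own log entry for that timestamp and IP is what ties the message to a source.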
Conclusions
Questions?