2007 09 14 Rich Nolan ISA CMU CyLab Breach Notification Presentation


  • 7/31/2019 2007 09 14 Rich Nolan ISA CMU CyLab Breach Notification Presentation

    1/19

    2006 Carnegie Mellon University

    Security Breach Notification Program
    September 14, 2007

    Rich Nolan

    2/19

    Role of a First Responder

    Essentially the first person notified and reacting to the security incident

    Responsibilities:
      Determine the severity of the incident
      Collect as much information about the incident as possible
      Document all findings
      Share this collected information to determine the root cause

    3/19

    First Responder Toolkit

    Understand program dependencies
    Select tools
    Test and verify tools
    Understand the benefits to using this methodology

    4/19

    Methodology for Creating a First Responder Toolkit

    Create the forensic tool testbed
    Document the testbed
    Document and set up forensic tools
    Test the tools

    5/19

    NIST Methodology

    NIST: National Institute of Standards and Technology, Information Technology Laboratory, Computer Forensic Tool Testing Program

    The Computer Forensics Tools Verification project provides a measure of assurance that the tools used in the investigations of computer-related crimes produce valid results. It also supports other projects in the National Institute of Justice's overall computer forensics research program, such as the National Software Reference Library (NSRL).

    http://www.cftt.nist.gov/

    6/19

    What is Volatile Data?

    Definition: Any data stored in system memory that will be lost when the machine loses power or is shut down

    Location: Registers, cache, and RAM (this module focuses on RAM)

    7/19

    Order of Volatility

    Registers and cache
    Routing table, ARP cache, process table, kernel statistics, connections
    Temporary file systems
    Hard disk or other nonvolatile storage devices
    Remote or off-site logging and monitoring data
    Physical configuration and network topology
    Archival media such as backup tapes, disk, and so on

    8/19

    Why is Volatile Data Important?

    Gain initial insight
      Current state of the system
      What activities are currently/were being executed
      Validity of the alert that flagged the suspicious computer

    Root of the problem
      Determine a logical timeline of the incident
      Identify the time, date, and user responsible for the security incident

    Determine next step
      Decide whether a full collection of the persistent data on the suspicious computer is necessary

    One chance to collect
      After the system is rebooted or shut down, it's too late!

    9/19

    Common First Responder Mistakes

    Not having access to baseline documentation about the suspicious computer
    Assuming that some parts of the suspicious machine may be reliable and usable
    Shutting down or rebooting the suspicious computer

    10/19

    Types of Volatile Information

    Volatile System Information: A collection of information about the current configuration and running state of the suspicious computer

    Volatile Network Information: A collection of information about the network state of the suspicious computer

    11/19

    Volatile System Information

    System profile
    Current system date and time
    Command history
    Current system uptime
    Running processes
    Open files, start up files, clipboard data
    Logged on users
    DLLs or shared libraries

    12/19

    Volatile Data Collection Methodology

    13/19

    Step 1: Incident Response Preparation

    Forensic tool test bed
    First responder toolkit
    Creation of collection policies

    14/19

    Step 2: Incident Documentation

    Incident profile
    Forensic collection logbook
    First responder toolkit documentation

    15/19

    Step 3: Policy Verification

    Determine your authority to collect
    Determine your manner to collect

    16/19

    Step 4: Volatile Data Collection Strategy

    Types of volatile information to collect
    Tools and techniques that facilitate this collection
    Location for saved forensic tool output
    Administrative vs. user access
    Type of media access (floppy, CD-ROM, USB)
    Machine connected to the network

    17/19

    Step 5: Volatile Data Collection Setup

    Establish a trusted command shell
    Establish the transmission and storage method
    Ensure the integrity of forensic tool output

    18/19

    Step 6: Volatile Data Collection Process

    Collect uptime, date, time, and command history for the security incident.
    As you execute each forensic tool or command, generate the date and time to establish an audit trail.
    Begin a command history that will document all forensic collection activities.
    Collect all types of volatile system and network information.
    End the forensic collection with date, time, and command history.
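    As an added example (not code from the slides, CMU or CERT), the following POSIX shell script applies Steps 5 and 6 to the items on the Order of Volatility and Volatile System Information slides: each tool is taken from an assumed trusted toolkit directory, every run is bracketed with UTC timestamps in a logbook, and each output file is hashed so its integrity can be checked after collection. The toolkit path, the evidence directory and the particular tools invoked are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): a collection wrapper for Steps 5 and 6: trusted tools,
# a timestamped audit trail, and hashed output, walking volatile items in order of volatility.
TOOLKIT="${TOOLKIT:-/media/responder/bin}"  # assumed mount point of the responder's trusted toolkit
EVIDENCE="${EVIDENCE:-$(mktemp -d)}"         # assumed: output saved to responder-controlled media
LOGBOOK="$EVIDENCE/logbook.txt"              # forensic collection logbook (Step 2)

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }       # in practice 'date' would also come from $TOOLKIT

# Prefer the toolkit copy of a tool; a host copy is used but flagged (slide 9: host binaries may lie).
trusted() {
    if [ -x "$TOOLKIT/$1" ]; then echo "$TOOLKIT/$1"; else command -v "$1"; fi
}

# collect LABEL TOOL [ARGS...]: bracket one tool run with timestamps, save and hash its output.
collect() {
    label="$1"; tool="$2"; shift 2
    out="$EVIDENCE/$label.txt"
    if ! bin=$(trusted "$tool"); then
        printf '%s MISSING %s (not in toolkit or on host)\n' "$(now)" "$tool" >>"$LOGBOOK"
        return 0
    fi
    case "$bin" in "$TOOLKIT"/*) src=toolkit ;; *) src=HOST ;; esac
    printf '%s START %s [%s] %s %s\n' "$(now)" "$label" "$src" "$bin" "$*" >>"$LOGBOOK"
    "$bin" "$@" >"$out" 2>&1 || true          # a failing tool is still evidence; keep going
    printf '%s END %s sha256=%s\n' "$(now)" "$label" "$(sha256sum "$out" | cut -d' ' -f1)" >>"$LOGBOOK"
}

# Step 6: open with date/time/uptime, collect system then network state, close with date/time.
run_collection() {
    mkdir -p "$EVIDENCE"
    printf '%s BEGIN collection on %s by %s\n' "$(now)" "$(uname -n)" "$(id -un)" >>"$LOGBOOK"
    collect datetime     date -u
    collect uptime       uptime
    collect processes    ps -eo pid,ppid,user,lstart,args
    collect users        who -a
    collect connections  netstat -anp
    collect arpcache     arp -an
    collect datetime_end date -u
    printf '%s FINISH collection\n' "$(now)" >>"$LOGBOOK"
    echo "$LOGBOOK"
}

# Re-hash every saved output against the logbook; returns 0 only if nothing changed since collection.
verify_integrity() {
    grep ' END ' "$LOGBOOK" | while read -r _ts _end label hash; do
        [ "sha256=$(sha256sum "$EVIDENCE/$label.txt" | cut -d' ' -f1)" = "$hash" ] || exit 1
    done
}
```

    Tools absent from both the toolkit and the host are recorded as MISSING rather than silently skipped, so the logbook shows exactly what was and was not collected.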

    19/19

    Summary

    Collected volatile data can lead the first responder to the root cause of the security incident.
    Volatile data can be easily changed and lost.
    Document all findings and actions performed during the volatile data collection process.

    Use a first responder toolkit to collect volatile data.