Embed Size (px)
Citation preview
Version 2.0
BlackHat BriefingsBlackHat Briefings
July 12 2001July 12 2001
Computer Forensics: A Critical Process in Your Incident Response Plan
Version 2.0
Gregory S. Miles, Ph.D.Gregory S. Miles, Ph.D.
• Director – JAWZ Cyber Crime Unit• COO – Security Horizon Inc.• Information Technology – 14 Years• Information Security – 10 Years• e-mail: [email protected]
[email protected]• Web: www.jawzinc.com
www.securityhorizon.com
Version 2.0
AgendaAgenda
• Incident Response Overview• Computer Forensics Defined• Contemporary Issues in Computer
Forensics• Forensic Process• Forensic Tools• Forensic Problems• The Future of Computer Forensics
4Version 2.0
Incident ResponseIncident Response
Version 2.0
Incident Response – Incident Response – Why is it Critical?Why is it Critical?
• Resolve the problem– Find out what happened– How it happened– Who did it
• Create a record of the incident for later use• Create a record to observe trends• Create a record to improve
processes• Avoid confusion
Version 2.0
Elements of Incident ResponseElements of Incident Response
•Preparation
• Identification
•Containment
•Eradication
•Recovery
• Follow-up
Version 2.0
PreparationPreparation
Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel. Preparation limits the potential for damage by ensuring response actions are known and coordinated.
Version 2.0
IdentificationIdentification
The process of determining whether or not an incident has occurred and the nature of an incident. Identification may occur through the use of automated network intrusion equipment or by a user or SA.
Identification is a difficult process. Noticing the symptoms of an incident is often difficult. There are many false positives. However, noticing an anomaly should drive the observer to investigate further.
Version 2.0
Who can identify an Who can identify an IncidentIncident
• Users – My system is slow, my mail is missing, my files have changed
• System support personnel – servers locked up, files missing, accounts add/deleted, weird stuff happening , anomalies in the logs
• Intrusion Detection Systems and Firewalls – Automatically ID violations to policies
10Version 2.0
Possible Incident ClassificationsPossible Incident Classifications
• Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization.
• Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization.
• Unauthorized Unsuccessful Attempted Access – Repeated attempt to gain access as root or user on the same host, service, or system with a certain number of connections from the same source.
11Version 2.0
Possible Incident Possible Incident Classifications (cont.)Classifications (cont.)
• Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.
• Poor Security Practices – Bad passwords, direct privileged logins, etc, which are collected from network monitor systems.
• Denial of Service (DOS) Attacks – Any action that preempts or degrades performance of a system or network affecting the mission, business, or function of an organization.
12Version 2.0
• Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious scripting, or a logic bomb. Usually hidden and some may replicate. Effects can range from simple monitoring of traffic to complicated automated backdoor with full system rights.
Possible Incident Classifications (cont.)
13Version 2.0
Possible Incident Possible Incident Classifications (cont.)Classifications (cont.)
• Hardware/Software Failure – Non-malicious failure of HW or SW assets.
• Infrastructure Failure – Non-malicious failure of supporting infrastructure to include power failure, natural disasters, forced evacuation, and service providers failure to deliver services.
• Unauthorized Utilization of Services – This can include game play, relaying mail without approval, creating dial-up access, use organizational equipment for personal gain, and personal servers on the network.
14Version 2.0
ContainmentContainment
The process of limiting the scope and magnitude of an incident.
As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain the incident.
15Version 2.0
Containment - ExampleContainment - Example
• Incidents involving using malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.
• It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.– Internet Worm of 1988 attacked 6,000 computers
in the U.S. in one day.– LoveBug Virus affected over 10Million computers
with damage estimated between $2.5B-$10B US– Kournikova worm affects still being analyzed
16Version 2.0
EradicationEradication
• The process of removing the cause of the incident. – For a virus – anti-virus software is best– For a network may involve block/filter IP
address at the router/firewall– Ideally, but difficult, best eradicated by
bringing the perpetrators into legal custody and convicting them in a court of law.
17Version 2.0
RecoveryRecovery
• The process of restoring a system to its normal operating status– Unsuccessful incidents – assure
system operation and data not affected– Complex and/or successful incidents –
May require complete restoration from known clean system backups. Essential to assure the backups integrity and to verify restore operation was successful
18Version 2.0
Follow-UpFollow-Up
• Critical• Helps to improve incident handling
procedures• Address efforts to prosecute
perpetrators• Activities Include:
– Analyze the Incident and the Response– Analyze the Cost of the Incident– Prepare a Report– Revise Policies and Procedures
19Version 2.0
Computer ForensicsComputer Forensics
20Version 2.0
What is Computer Forensics?What is Computer Forensics?
Computer Forensics can be defined simply, as a process of applying scientific and analytical techniques to computer Operating Systems and File Structures in determining the potential for Legal Evidence.
21Version 2.0
Why is Evidence important?Why is Evidence important?
• In the legal world, Evidence is EVERYTHING.
•Evidence is used to establish facts.
• The Forensic Examiner is not biased.
22Version 2.0
Who needs Computer Who needs Computer Forensics?Forensics?
• The Victim!
• Law Enforcement
• Insurance Carriers
•Ultimately the Legal System
23Version 2.0
Who are the Victims?Who are the Victims?
•Private Business•Government•Private Individuals
24Version 2.0
25Version 2.0
26Version 2.0
27Version 2.0
• ID the perpetrator.• ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.•Conduct a damage assessment of the victimized network.•Preserve the Evidence for Judicial action.
Reasons for a Forensic AnalysisReasons for a Forensic Analysis
Version 2.0
• Disk Forensics
• Network Forensics
• E-mail Forensics
• Internet (Web) Forensics
• Source Code Forensics
Types of Computer Forensics
29Version 2.0
Disk ForensicsDisk Forensics
•Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.– Includes the recovery of hidden
and deleted data.– Includes file identification,
which is the process used to identify who created a particular file or message.• Melissa Virus
30Version 2.0
Network ForensicsNetwork Forensics
•Network forensics is the process of examining network traffic. It includes:– After the fact analysis of
transaction logs– Real-time analysis via network
monitoring• Sniffers• Real-time tracing
31Version 2.0
E-mail ForensicsE-mail Forensics
• E-mail forensics is the study of source and content of electronic mail as evidence.– It includes the process of identifying
the actual sender and recipient of a message, the date and time it was sent, and where it was sent from.
– E-mail has turned out to be the Achilles Heal for many individuals and organizations.
– Many time issues of sexual harassment, racial and religious prejudice, or unauthorized activity are tied to e-mail.
32Version 2.0
Internet ForensicsInternet Forensics
• Internet or Web forensics is the process of piecing together where and when a user has been on the Internet. – For example, it is used to determine
whether the download of pornography was accidental or not.
33Version 2.0
Source Code ForensicsSource Code Forensics
•Source code forensics is used to determine software ownership or software liability issues. – It is not merely a review of the actual
source code. – It is an examination of the entire
development process, including development procedures, review of developer time sheets, documentation review and the review of source code revision practices.
34Version 2.0
Technological ProgressTechnological Progress
• The Population is More Computer Literate
• The World is Networked, Yet Users Can Retain a Sense of Anonymity
• The Use of Encryption is Becoming Common
• Network Bandwidth is Increasing while Cost is Decreasing
• Disks are Less Expensive and have Higher Capacities– More Data Available On-Line
35Version 2.0
Technological ProgressTechnological Progress
Albert Einstein said “Technological progress is like an axe in the hands of a pathological criminal.”
36Version 2.0
Technological ProgressTechnological Progress
• Computers are Tools and Targets– Instrumentality– Data Repository
• Many Criminals Are Using Computers in the Normal Course of Business
• Computer Crime Today– Crime Without Punishment– Media Sensationalism– Public Apathy– Easy to Commit
37Version 2.0
What is Cyber Crime?What is Cyber Crime?
• A crime in which technology plays an important, and often a necessary, part.– The computer is:
• the target of an attack
• the tool used in an attack
• used to store data related to criminal activity
38Version 2.0
Types of Cyber CrimeTypes of Cyber Crime
• Unauthorized Access• Denial of Service• Extortion• Theft• Sabotage• Espionage• Computer Fraud• Embezzlement• Copyright Violation
• Forgery and Counterfeiting
• Internet Fraud – “Imposter Sites”
• SEC Fraud and Stock Manipulation
• Child Pornography• Stalking & Harassment• Credit Card Fraud &
Skimming
39Version 2.0
Contemporary Issues in Contemporary Issues in Computer ForensicsComputer Forensics
• Criminal Justice System is not Prepared to Handle High-Tech Crime– Shortage of Trained Investigators &
Analysts– Lack of Forensic Standards
• Too Much Data!– Large Disk Drives and Disk Arrays– High Speed Network Connections
• Issues Relating to Time
40Version 2.0
Contemporary Issues in Contemporary Issues in Computer ForensicsComputer Forensics
•Evidence Collection and Examination Must not Violate the following:– 4th Amendment– Privacy Protection Act– Electronic Communications
Privacy Act
41Version 2.0
Forensics ProcessForensics Process
•Preparation
•Protection
• Imaging
•Examination
•Documentation
42Version 2.0
PreparationPreparation
• Confirm the authority to conduct analysis/search of media.
• Verify the purpose of the analysis and the clearly defined desired results.
• Ensure that sterile media is available and utilized for imaging. (ie..Free of virus, Non-essential files, and verified before use.)
• Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.
43Version 2.0
Legal OverviewLegal Overview
Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602, 614 (1989).
•Consult with your Legal Counsel
44Version 2.0
ProtectionProtection
•Protect the integrity of the evidence. Maintain control until final disposition.•Prior to Booting target computer, DISCONNECT HDD and verify CMOS.•When Booting a machine for Analysis, utilize HD Lock software.
45Version 2.0
ImagingImaging
•Utilize disk “imaging” software to make an exact image of the target media. Verify the image.
•When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.
46Version 2.0
ExaminationExamination
• The Operating System
•Services
•Applications/processes
•Hardware
• LOGFILES!
•System, Security, and Application
• File System
47Version 2.0
Examination (Cont)Examination (Cont)
•Deleted/Hidden Files/NTFS Streams•Software•Encryption Software•Published Shares/Permissions•Password Files•SIDS•Network Architecture/Trusted Relationships
48Version 2.0
Off-Site StorageOff-Site Storage
• “X-Drives”
• FTP Links
• FTP Logs
•Shares on internal networks
49Version 2.0
DocumentationDocumentation
•Document EVERYTHING
•Reason for Examination
• “The Scene”
•Utilize Screen Capture/Copy Suspected files
•All apps for Analysis/apps on Examined system.
Version 2.0
Forensic ToolsForensic Tools
• Forensic Tool Kit
• Forensic Computer System
• Forensic Software
51Version 2.0
Forensic Tool KitForensic Tool Kit
52Version 2.0
Forensic System HardwareForensic System Hardware
• Main Systems– Pentium-based Computer– Multiple O/S
• UNIX, Windows, MAC
• Media Options• Removable Media (REM-KIT)• Disk Imaging Hardware– Image MASSter 500 & 1000
• Static-Dissipative Grounding Kit w/Wrist Strap
• UPS
53Version 2.0
Media OptionsMedia Options
• Your Forensic System should have plenty of room for expansion and external media.• This is usually best supported by
SCSI Systems.
54Version 2.0
Media OptionsMedia Options
• Internal Hard Disk• Tape Media– QIC Tape Drive– Travan Tape Drive– DAT
• Optical Media– CD-ROM– CD-Writer– DVD
55Version 2.0
Removable MediaRemovable Media
• Hard Drives• ZIP Drives• Jazz Drives• PCMCIA Flash
Disks
56Version 2.0
Disk Imaging HardwareDisk Imaging Hardware
• Supports IDE & SCSI• Sector by Sector Copy
– DOS, Windows 3.1, – Windows 95, NT, SCO, – UNIX, OS/2 & Mac O/S
• Full Read/Write Verification & Reporting
• Logging Capability• No Writing to Master Disk
57Version 2.0
Forensic SoftwareForensic Software
•Clean Operating System(s)•Disk Image Backup Software•Search & Recovery Utilities• File Viewing Utilities•Cracking Software•Archive & Compression Utilities
58Version 2.0
Validate SoftwareValidate Software
•Determine Functionality – Verify operation– Identify limitations– Identify bugs
•Court Presentation– Testify from own experience
59Version 2.0
Disk Imaging SoftwareDisk Imaging Software
• Bit Level Copy of the Disk, not File Level
• Not Operating System Dependent• Must have Logging or Error Reporting• Must Copy Deleted Files and
Slackspace• Tools
– EnCase– SafeBack– SnapBack
60Version 2.0
Search UtilitiesSearch Utilities
• Forensic Software– EnCase– The Coroners Tool Kit
• File System Utilities – DOS, Windows, NT, UNIX
•Norton Utilities
61Version 2.0
File Viewing UtilitiesFile Viewing Utilities
•Quick View Plus
•Drag & View
• Thumbs Plus
Version 2.0
Forensic AnalysisForensic Analysis
• Computer Forensics– Lock the Disk– Create an Image of the Disk(s)– File System Authentication– List Disk Directories and File
Systems– Locate Hidden or Obscured Data– Cluster Analysis
63Version 2.0
File System AuthenticationFile System Authentication
• Integrity of data related to any seizure is essential
• Message Digest - One-way Hash Algorithm– CRC32 (32 bits)–MD5 (128 bits)– SHA (160 bits)
• Create MD for system directories and files
64Version 2.0
File System AuthenticationFile System Authentication
65Version 2.0
List Directories and FilesList Directories and Files
• Create Hierarchical Directory Listing (Tree)
• Identify Suspect Files• Inventory All Files on the Disk• Search Communications Programs• Registry Files• Last Files Accessed• Document Association
66Version 2.0
Identify Suspect FilesIdentify Suspect Files
• File Name Search based on Case Characteristics
•Key Word Search based on Case Characteristics
•Modified File Extensions that Do Not Match the File Type
•Hidden or Deleted Files
67Version 2.0
Hidden & Obscure DataHidden & Obscure Data
•Hidden File Attributes•Hidden Directories• Temporary Directories•Deleted Files•Slack Space•Unallocated Space•Swap Space•Steganography
68Version 2.0
SteganographySteganography
• The Art of Hiding Communications• While Encryption Conceals the
Data, Steganography Denies the Data Exists • Files Can Be Hidden within an
Image• Disguising Data as Innocent Text
69Version 2.0
S-ToolsS-Tools
• Hides Data inside Images, Audio Files and Slack Space
70Version 2.0
GhostingGhosting
• White letters on a white background, or black letters on a black background
71Version 2.0
GhostingGhosting
• White letters on a white background, or black letters on a black background.
72Version 2.0
Cluster AnalysisCluster Analysis
• Cluster Analysis Criteria– Content, Location and Condition
• Identifies System Usage & History– Initial Load of the System– Defragmentation
• “Repacks” data files w/o Changing Date/Times
– System Wipes and Reloads• All Slack Space and Unallocated Blocks
set to Zero• All Date/Times close to the same
73Version 2.0
Analysis ProblemsAnalysis Problems
• Searching Access Controlled Systems
• Virus Infection• Formatted Disk• Corrupted Disk• DiskWipe or Degaussed Media• Defragmented Disk• Cluster Boundaries• Evidence Eliminator
74Version 2.0
Evidence ProtectionEvidence Protection
• Transparent Static Shielding Bags – Provides shielding from
electrostatic discharge by safely enveloping static sensitive devices in a humidity-independent Faraday cage. The nickel shielding layer creates a Faraday type shield. Meets MIL-B-81705 and DoD-STD-1686A
• Foam-Filled Disk Transport Box• EMF Warning Labels
75Version 2.0
Evidence ProtectionEvidence Protection
76Version 2.0
Network ForensicsNetwork Forensics
• Analyze Packet Traces– Establish a Sequence of Events– Goal is Identify the Intruder
• Tools– Network Sniffer– System Logs– NTSC Adapter
77Version 2.0
• IP Spoofing• Hijacking• Password Attacks– Social Engineering– Cracking Passwords– Sniffers
• Distributed-Coordinated Attacks• Identity Concealed by Connection
Laundering
Network ForensicsNetwork Forensics
Version 2.0
Connection LaunderingConnection Laundering
79Version 2.0
E-mail ForensicsE-mail Forensics
• E-mail Usage in 2000– 108 Million E-mail Subscribers– 25.2 Billion Message Daily
• E-mail is a asynchronous communications mechanisms that allows venting.
• People have a tendency to include more in an e-mail message than they would say in person of over the phone.
• E-mail Spoofing
80Version 2.0
E-mail SpoofingE-mail Spoofing
• Requires Only:– Mail Relay Server– Knowledge of Mail Commands
• telnet <relay server>• helo• mail from: [email protected]• rcpt to: [email protected]• Data <message>
81Version 2.0
The Future ForensicsThe Future Forensics
• Crimes and Methods to Hide Crimes are becoming more Sophisticated, thus Investigators and Analyst must become more Technical– Specialist are Needed– More Training is needed in both the
Public and Private Sectors
• Encryption will Continue to be an Issue, but Only Time will Tell
82Version 2.0
The Future ForensicsThe Future Forensics
• Forensic Tools– Must Become Automated– Forensic Search Engines Must
include Fuzzy Logic and Intelligence to handle Cluster Boundaries
– UNIX Tools Must be Developed– Better Network Analysis Tools need
to be Developed– Tools to Analyze Distributed
Applications such as Java, COM, and DCOM will need to be Developed.
83Version 2.0
ConclusionsConclusions
• Computer forensics is an integral function within incident response• Processes are the most important
aspects of computer forensics• The future of cyber crime will lead to
an increased need for computer forensic capabilities
84Version 2.0
Questions ?Questions ?
