Transcript Chapter 13: Advanced Security and Beyond

Chapter 13: Advanced
Security
and Beyond
Security+ Guide to Network
Security Fundamentals
Second Edition
Objectives
Define computer forensics
 Respond to a computer forensics
incident
 Harden security through new solutions
 List information security jobs and skills

Understanding Computer
Forensics
Computer forensics can attempt to
retrieve information— even if it has been
altered or erased —that can be used in
the pursuit of the criminal
 The interest in computer forensics is
heightened:




High amount of digital evidence
Increased scrutiny by legal profession
Higher level of computer skills by criminals
Forensics Opportunities
and Challenges
Computer forensics creates opportunities
to uncover evidence impossible to find
using a manual process
 One reason that computer forensics
specialists have this opportunity is due
to the persistence of evidence



Electronic documents are more difficult to
dispose of than paper documents
Deleting a data file does NOT actually delete
the file from the computer’s hard drive, it
changes the status of that storage location
to unused
Responding to a Computer
Forensics Incident

Generally involves four basic steps
similar to those of standard forensics:




Secure the crime scene
Collect the evidence
Establish a chain of custody
Examine and preserve the evidence
http://en.wikipedia.org/wiki/Computer_forensics
Securing the Crime Scene
Physical surroundings of the computer
should be clearly documented
 Photographs of the area should be taken
before anything is touched
 Cables connected to the computer
should be labeled to document the
computer’s hardware components and
how they are connected
 Team takes custody of the entire
computer along with the keyboard and
any peripherals

Preserving the Data
Computer forensics team first captures
any volatile data that would be lost
when computer is turned off and moves
data to a secure location
 Includes any data not recorded in a file
on the hard drive or an image backup:






Contents of RAM
Current network connections
Logon sessions
Network configurations
Open files
http://www.porcupine.org/forensics/forensic-discovery/
http://ntsecurity.nu/onmymind/2006/2006-06-01.html
Preserving the Data (continued)
After retrieving volatile data, the team
focuses on the hard drive
 Mirror image backup (or bit-stream
backup) is an evidence-grade backup
because its accuracy meets evidence
standards (exact duplicate or original)


Mirror image backups are considered a
primary key to uncovering evidence;
they create exact replicas of the
computer contents at the crime scene
http://www.forensics-intl.com/def2.html
Mirror Image Backups

Mirror image backups must meet the following
criteria:





Mirror image software should only be used by trained
professionals
Those using the mirror image software must have
evidence handling experience
The mirror imaging tools must be able to find any
bad sectors on the original drive that may cause
problems for the imaging software
Forensic imaging done in a controlled manner
Imaging personnel should be a disinterested thirdparty
http://www.syschat.com/how-create-mirror-image-your-hard-438.html
Establishing the Chain of
Custody
As soon as the team begins its work,
they must start and maintain a strict
chain of custody
 Chain of custody documents that
evidence was under strict control at all
times and no unauthorized person was
given the opportunity to corrupt the
evidence




A chain of custody includes documenting all
of the serial numbers of the systems and
devices involved
Who handled the systems and for how long
How systems were shipped and stored
Examining Data for Evidence
After a computer forensics expert creates
a mirror image of system, original
system should be secured and the mirror
image examined to reveal evidence
 All exposed application data should be
examined for clues (documents,
spreadsheets, email, digital photographs,
cookies, cache…)
 Microsoft Windows operating systems
use Windows page file as a “scratch pad”
to write data when sufficient RAM is not
available

http://www.porcupine.org/forensics/forensic-discovery/chapter8.html
Windows Page File

Windows page files can range from 1
megabyte to over a gigabyte in size
and can be temporary or permanent


By default, XP creates a page file which is
1.5 times the amount of installed RAM
pagefile.sys
These files can contain remnants of
work done in past
 Special programs are needed to
search through the page file quickly

http://www.theeldergeek.com/paging_file.htm
Examining Data for Evidence


Slack is another source of hidden
data
Windows computers use two types of
slack
RAM slack
2. File slack
http://www.forensics-intl.com/def7.html
http://www.forensics-intl.com/def6.html
1.
RAM Slack

Windows stores files on a hard drive or other
media type in 512-byte sectors


When a file saved is not long enough to fill up
the last sector, Windows pads the remaining
sector space (for that cluster) with data that is
currently stored in RAM


Multiple sectors make up a cluster
This padding creates “RAM slack” and pertains only
to the last sector of a file
If additional sectors are needed to round out
the block size for the last cluster assigned to
the file (if there is not enough data in RAM), a
different type of slack is created…
File Slack
File slack (drive slack): padded data that
Windows uses comes from data stored
on the hard drive
 Such data could contain remnants of
previously deleted files

Examining Data for Evidence
Summary of Examining Data for
Evidence
Exploring Information Security Jobs
and Skills




Need for information security workers will
continue to grow for the foreseeable future
Information security personnel are in short
supply; those in the field are being rewarded
well
Security budgets have been spared the drastic
cost-cutting that has plagued IT since 2001
Companies recognize the high costs
associated with weak security and have
decided that prevention outweighs cleanup
Exploring Information Security Jobs
and Skills
Most industry experts agree security
certifications continue to be important
 Preparing for the Security+
certification will help you solidify your
knowledge and skills in cryptography,
firewalls, and other important security
defenses

TCP/IP Protocol Suite

One of the most important skills is a
strong knowledge of the foundation
upon which network communications
rests, namely Transmission Control
Protocol/Internet Protocol (TCP/IP)

Understanding TCP/IP concepts helps
effectively troubleshoot computer
network problems and diagnose
possible anomalous behavior on a
network
Packets
No matter how clever the attacker is,
they still must send their attack to
your computer with a packet
 To recognize the abnormal, you must
first understand what is normal

Firewalls

Firewalls are essential tools on all
networks and often provide a first
layer of defense

Network security personnel should
have a strong background of how
firewalls work, how to create access
control lists (ACLs) to mirror the
organization’s security policy, and how
to tweak ACLs to balance security with
employee access
Routers

Routers form the heart of a TCP/IP
network

Configuring routers for both packet
transfer and packet filtering can
become very involved

As network connections become more
complex (VPN, IPv6), understanding
how to implement and configure
routers becomes more important
Intrusion-Detection Systems (IDS)

Security professionals should know how
to administer and maintain an IDS

Capabilities of these systems has
increased dramatically since first
introduced, making them mandatory for
today’s networks

One problem is that IDS can produce an
enormous amount of data that requires
checking

In addition, IDS/IPS systems can produce a
number of false positives.
Other Skills

A programming background is another
helpful tool for security workers

Security workers should also be familiar
with penetration testing

Once known as “ethical hacking,” probes
vulnerabilities in systems, networks, and
applications
Computer Forensic Skills

Computer forensic specialists require an
additional level of training and skills:




Basic forensic examinations
Advanced forensic examinations
Incident responder skills
Managing computer investigations
http://www.infosecinstitute.com/courses/computer_forensics_training.html?cf
Summary
Forensic science is application of
science to questions of interest to the
legal profession
 Several unique opportunities give
computer forensics the ability to
uncover evidence that would be
extremely difficult to find using a
manual process
 Computer forensics also has a unique
set of challenges that are not found in
standard evidence gathering, including
volume of electronic evidence, how it
is scattered in numerous locations,
and its dynamic content

Summary (continued)
Searching for digital evidence includes
looking at “obvious” files and e-mail
messages
 Need for information security workers
will continue to grow, especially in
computer forensics
 Skills needed in these areas include
knowledge of TCP/IP, packets,
firewalls, routers, IDS, and penetration
testing
