Transcript Network Forensics

Network Forensics
An example of a computer crime – VIRTUAL crime that needs computer
forensic expertise.
Your company has recently hired a new salesman. Six months after his hire, he leaves your
company and forms a competing interest, sending letters to all of your clients. You may think this
a bit odd and contact an attorney to consider filing a suit. What has occurred is a virtual theft -the salesman stole a copy of your client database. Note that this is a VIRTUAL theft -- since you
were not deprived of any property (he didn't delete it, just copied it) you will likely not be able to
prosecute him criminally.
What is Computer Forensics?
• Computer forensics involves the preservation, identification,
extraction, documentation, and interpretation of computer media for
evidentiary and/or root cause analysis.
• Arose as a result of the growing problem of computer crimes.
• Computer crimes fall into two categories:
– Computer is a tool used in a crime – because of the role of computers
and networks in modern communications, it is inevitable that computers
are used in crimes.
• Investigation into these crimes often involves searching computers
suspected to be involved.
– Computer itself is a victim of a crime – this commonly referred to as
incident response.
• It refers to the examination of systems that have been remotely attacked.
• Forensics experts follow clear, well-defined mythologies and
procedures
• Computer forensics started a few years
ago- when it was simple to collect
evidence from a computer.
• While basic forensic methodologies
remain the same, technology itself is
rapidly changing – a challenge to forensic
specialists.
• Basic forensic methodology consists of:
– Acquire the evidence without altering or
damaging the original
– Authenticate that your recovered evidence is
the same as the originally seized data
– Analyze the data without modifying it.
Acquire the Evidence
• Keep in mind that every case is different
• Do not disconnect the computers – evidence may be
only in RAM – So collect information from a live system.
• Consider the following issues:
– Handling the evidence- if you do not take care of the evidence,
the rest of the investigation will be compromised.
– Chain of custody – the goal of maintaining a good chain of
custody to ensure evidence integrity, prevent tempering with
evidence. The chain should be answers to:
•
•
•
•
•
Who collected it
How and where
Who took possession of it
how was it stored and protected in storage
Who took it out of storage and why?
– Collection
• You want the evidence to be so pure that it supports your
case.
– Identification
• Methodically identify every single item that comes out of the
suspect’s/victim’s location and labeled.
– Transportation
• Evidence is not supposed to be moved so when you move it
be extremely careful.
– Storage
• Keep the evidence in a cool, dry, and appropriate place for
electronic evidence.
– Documenting the investigation
• Most difficult for computer professionals because technical
people are not good at writing down details of the
procedures.
• Authenticating evidence
– It is difficult because
• Crime scenes change
• Evidence is routinely damaged by environmental
conditions
• Computer devices slowly deteriorate
– Keep proof of integrity and timestamp the
evidence through encryption of files of data
• Two algorithms (MD5 and SHA) are in common
use today
• Analysis
– Make two backups
– Use any well known analysis tools.
Tracking the Offender
•
•
•
Keep in mind that cyber sleuths often have to track their offenders across a
digital matrix
Also that digital forensic techniques and tools are largely undeveloped- so
you have little to run on.
Tracing IP addresses
– For http addresses in dotted quad ( base 256) use a ping to covert it to digit
decimal (base 10)
– For MAC address use the ARP tables ( be aware that MAC addresses can be
changed by software) and NIC can be changed/removed/replaced.
– Beware of DNS – may resolve and query with IP addresses.
– After getting some information, try to traceroute
•
•
•
•
Learn to read an email trail.
NetBIOS – a Windows protocol that used to run exclusively on LANS (
instead of TCP/IP) now running on top of TCP/IP to cover WANs, has a
nbstat function that can display protocol statistics for all TCP/IP connctions.
Other tracing tools include: Neotrace and Netscan Pro. These can do a
trace route
Use IDS logs
Storage Media
• Hard Drives
– Make an image copy and then restore the
image to a freshly wiped hard drive for
analysis
– Remount the copy and start to analyze it.
– Before opening it get information on its
configuration
– Use tools to generate a report of lists of the
disk’s contents ( PartitionMagic)
– View operating system logs.
Encryption and Forensics
• Many times the evidence may be
encrypted. Find a way to decrypt it while
preserving the its integrity.
• In addition to encryption codes and
compression of data may make the
forensic work difficult.
• Find a way to overcome data compression
and use of code.
Data Hiding
• There are several techniques that
intruders may hide data.
– Obfuscating data through encryption and
compression.
– Hiding through codes, steganoraphy, name
embedding, obscurity and nonames on files
– Blinding investigators through changing
behavior of system commands and modifying
operating systems.
• Use commonly known tools to overcome
Hostile Code
• Any unauthorized code on your computer. It is
becoming increasing significant.
• Hostile code fall into two categories:
– Manual – like network tools that allow unauthorized
access (NetBus, BackOrifice, IRC), fix utilities that
seamlessly replace legitimate binary code with a
hostile version, log manipulators, vulnerability
scanners, DDoS,
– Autonomous – viruses(Melissa, time bombs), DDoS,
and IRC bots.
Forensic Electronic Toolkit
• Computer and network forensics involves and requires:
–
–
–
–
Identification
Extraction
Preservation
Documentation
• A lot of tools are needed for a thorough work
• The “forensically sound “ method is never to conduct any
examination on the original media.
• Before you use any forensic software, make sure you know how to
use it, and also that it works.
• Tools:
– Hard Drive - use partitioning and viewing ( Partinfo and PartitionMagic)
– File Viewers – to thumb through stacks of data and images looking for
incriminating or relevant evidence (Qiuckview Plus, Conversion Plus,
DataViz, ThumnsPlus)
More tools (cont.)
• Unerase – if the files are no longer in the recycle bin or
you are dealing with old systems without recycle bins.
• CD-R/W – examine them as carefully as possible. Use
CD-R Diagnostics
• Text – because text data can be huge, use fast scans
tools like dtSearch.
• Other kits:
– Forensic toolkit – command-line utilities used to reconstruct
access activities in NT File systems
– Coroner toolkit - to investigate a hacked Unix host.
– ForensiX – an all-purpose set of data collection and analysis
tools that run primarily on Linux.
– New Technologies Incorporated (NTI)
– EnCase
– Hardware- Forensic-computers.com
Forensics based on OS Brands
• Investigating
– Windows computers – pay attention to the
Registry. It contains a wealth of information
– Unix – take a look at the password files, the
shell, the filesystem,
Internet Data Incident Response
Guidelines
•
•
•
•
•
•
•
•
•
Restore service safely
Estimate extent and cost of incident
Identify source of attack and their motivation
Deter future crime
Recover loss
Protect public image
Conduct due diligence
Assume corporate responsibility
Increase understanding of security landscape.
Roles and Responsibilities
• To facilitate teamwork the organization’s roles
must be assigned as fallows:
– Corporate security and incident team
– Security investigator
– Emergency response core team
– Application owner
– Application developer
– System owner/administrator
– Network administrator
– Firewall administrator
– Security consultants