Transcript Lesson 20

Cyber Crime, Computer Forensics,
and Incident Response
Lesson 20
Computer Crime
• The corporate world is beginning to
understand that computers are just another
medium for crime.
• According to the 1999 CSI/FBI survey
• average bank robbery yields $2,500
• average computer crime nets $500,000
• Security breaches are the cause of an estimated
$1.6 trillion in damage worldwide.
“Old” Predictions for the future?
• There will be an increasing use of the Internet to commit
•
•
•
•
•
everyday crimes.
New forms of cybercrime will continue to occur.
Identity theft and fraud will increase.
Cyberextortion will become a mainstay.
Manipulation of corporate data to meet various ends will
become more sophisticated.
Acts of Hactivism will rise.
– Dave Morrow, April 2001 SC Magazine, “Computer Forensics”
Computer Forensics
• Computer Forensics Principles.
•P1: Preserve the evidence in an unchanged state.
•P2: Thoroughly and completely document the
Investigative Process.
Recommendation: Handle the corporate investigation as if
Law enforcement will be called in and the attackers will be
prosecuted.
Computer Forensics Definitions
 Evidence Media: The original media to be investigated whether subject
or victim.
 Target Media: A forensic duplicate of the evidence media. The forensic
evidence transferred to the target media.
 Restored Image: A copy of the forensic image restored to its bootable
form.
 Native Operating System: The OS utilized when the evidence media or
forensic duplicate is booted for analysis.
 Live Analysis: A analysis conducted on the original evidence media.
 Offline Analysis: Analysis conducted on the Forensic Image.
 Trace Evidence: Fragments of information from thefree space, etc.
Best Evidence Rule
• "...if data are stored on a computer or similar
device, any printout or other output readable by
sight, shown to reflect the data accurately, is an
'Original.'"
• Common Mistakes include:
• Altering time and date stamps.
• Killing rogue processes.
• Patching the system before the investigation.
• Not recording commands executed on the system.
• Using untrusted commands and binaries.
• Writing over potential evidence by:
• Installing software on the evidence media
• Running programs that store their output on the
evidence media.
Evidence Chain of Custody
• The prosecution is responsible for proving that whatever is
presented in court is what was originally collected. An Evidence
Chain of Custody must be maintained.
• Create an Evidence Tag at the time of evidence collection.
• A designated Evidence Custodian with a Laptop to generate
the Evidence Tags.
• Date and Time
• Case Number
• Evidence Tag number
• Evidence Description
• Individual receiving the evidence and Date
• Each time the evidence moves from one person to another or
from one media to another it must be recorded.
Forensic Image
•Initial Response: Power the system down or work it live?
• Volatile Data. If the system is powered down then volatile data
will be lost.
• Memory
• State of of Network connections
• State of running Processes.
• Useful Windows NT/2000 commands/utilities
• date, time, loggedon, netstat, fport, pslist, nbtstat, and doskey.
•http://www.sysinternals.com
• Useful Unix commands
• w, netstat -amp, lsof, ps, netstat, script.
•Recommendation: If you need to work a live system then create
a command script and stick to it.
BIOS Review
• Review the Target Basic Input/Output System (BIOS)
before beginning a duplication to determine:
• Basic geometry of the hard drive on the target System.
• Document the hard drive setting to include maximum
capacity, cylinders, heads, and sectors.
• For proper recovery by the original OS the partitions should
be aligned on the cylinder boundaries.
• Determine the Boot Sequence on the target System.
• Floppy drives.
• CD-Rom
• Hard Drive.
• PCMCIA Card.
Forensic Duplication
• Three Forensic Duplication Approaches.
•1. Remove the storage media and connect it to a
Forensics Workstation.
• Document the system details to include serial number,
jumper settings, visible damage, etc.
• Remove media from he target system and connect it to the
Forensics workstation.
• Image the media using Safeback, the Unix dd utility or
EnCase.
Forensics Workstations http://www.computer-forensics.com
Safeback
http://www.forensics-intl.com/safeback.html
EnCase
http://guidancesoftware.com
DiskPro
http://www.e-mart.com/www/cnr.html
Forensic Duplication Cont.
• Three Forensic Duplication Approaches Cont.
• 2. Attach a hard drive to the Target Computer.
• Make sure the target computer works as expected.
• 3. Image the storage media by transmitting the disk
image over a closed network to the forensics
Workstation.
• Establish a point-to-point interface from
evidence system to forensics workstation using an
Ethernet Switch of Ethernet cross-connect cable.
• Perform MD5 computation on both the original
and target system.
Forensic Analysis
• Physical Analysis. Performed on the forensic Image.
• Perform a String Search
•String Search
http://www.maresware.com/maresware/forensic1.htm
• Perform a Search and Extract.
• Looks for file types.
•File Formats http://www.wotsit.org/
• Extract File slack and/Free Space.
• Free Space: Hard Drive space not allocated to a file and
deleted file fragments.
• Slack Space: Space left when a minimum block size is
not filled by a write operation.
•NTI Tool Suite
http://www.forensics-intl.com/
Forensic Analysis Cont.
• Logical Analysis.
• A partition by partition analysis of each file.
• A typical process includes:
• Mount each partition in Read-Only mode under Linux.
• Export the partition via SAMBA to the Forensics System.
• Examine each file with the appropriate file viewer.
• Typical Lists created:
• Web Sites
• E-mail addresses
• Specific Key words, etc
Common Forensics Mistakes
 Failure to Maintain thorough complete documentation.
 Failure to control access to digital information.
 Underestimate the scope of the incident.,
 Failure to report the incident in a timely manner.
 Failure to provide accurate information.
 No incident response plan.
Network Forensics
Definitions
• Sniffer: Hardware or software that passively intercepts packets as
they traverse the network. Other name include Protocol Analyzer and
Network Monitor.
• Silent Sniffers will not respond to any received packets.
• Illegal Sniffers violate 18 USC 2511 dealing with wiretaps.
• Promiscuous Mode. A sniffer operates in a mode that intercepts all
packets flowing across the network.
• A normal NIC only intercepts packets packets addressed to its IP
address and Broadcasts address.
• Transactional (Noncontent) information consists only of header
information. For example, IP, TCP or UDP headers.
• Same as a LE Trap and Trace or Pen Register.
• Content Information consists of not only the headers but also part or
all of the encapsulated data.
Network Forensics Data
• Network data can come from:
• Routers, Firewalls, Servers, IDS, DHCP Servers, etc.
• These logs may have different formats, be difficult to find,
difficult to correlate and have a broken chain of custody.
• Chain of Custody
• Strictly controlled network monitoring can maintain a
proper chain of custody.
• Electronic evidence requires tighter control than most
other types of evidence because it can be easily altered.
• A broken chain can affect admissibility.
Chain of Custody
• Network data Chain of Custody should include:
• Date and time Recorded.
• Make, model, serial number and description of recording
device.
• Names of individual recording or the name of
individuals recovering the logs.
• Description of the logs.
• Name, Signature and date of individual receiving the
data.
• Evidence Tag for this item.
• Hash value (MD5) of each log file.
Monitoring The Network
• What are the Network Monitoring goals?
• Monitor traffic to and from a Host?
• Monitor traffic to and from a Network?
• Monitor a specific person?
• Verify an Intrusion Attempt?
• Monitor attack signatures?
• Monitor a specific protocol?
• Monitor a specific port?
•Check with corporate legal counsel prior to starting
the monitor.
Note: Make sure the corporate policy supports the type of
monitoring to be performed!
Monitoring The Network Cont.
• Possible Network Monitors.
• tcpdump, Ethereal and Snort.
• Snoop, iptrace, Snifer Pro, Etherpeek, LANalyzer
• NetMon, Network Tracing and Logging and Cisco IDS.
• Network Monitor Location.
• Host Monitoring - On the same Hub or switch. The
switch should have Switch Port Analysis (SPAN).
• Network Monitoring - At the network perimeter.
• A Physically secure location.
Note: Run a Sniffer detection tool prior to connecting yours.
Some Notes
• Run a Sniffer detection tool prior to connecting yours.
• Someone may already be listening to the network.
• Capture the network traffic as close to the source host as
possible.
• Hackers use bounce sites to attack hosts.
• Have the capability of viewing the captured data as a
continuous stream.
• This provides an overview of what the hacker is attempting to do.
• Reconstruct documents, etc
• Have the capability of viewing the packets at the lowest
level.
• High-level analyzers will sometimes strip off data that is not
important for fault analysis but could be important for investigative
purposes.
• Options and fields to identify the OS.
• Typing speed of user.
• Printer variables, X display variables , etc.
Common Forensics Mistakes
• Failure to Monitor.
• ICMP Traffic
• SMTP, POP and IMAP Traffic.
• UseNet Traffic
• Files saved to external media.
• Web Traffic
• Senior Executives Traffic.
• Internal IP Traffic.
• Failure to Detect:
• ICMP Covert Channels.
• UDP Covert Channels.
• HTTP Covert Channels.
Common Forensics Mistakes Cont.
• Failure to PlayBack.
• Encrypted traffic.
• Graphics
• Modeling and Simulation traffic.
• Failure to Trace:
• Denial-of-Service.
• Distributed Denial of Services.
• Spoofed EMail.
• Failure to Detect.
•Steganography.
• Erasing Logs
• File Encryption.
• Binary Trojans
Monitoring Tools
Dsniff
http://www.monkey.org/~dugsong/dsniff
tcpdump
http://www.tcpdump.org/
WinDump
http://netgroup-serv.polito.it/windump/
ethereal
http://www.ethereal.com/
Snort
http://www.snort.org/
Some Basics To Remember
• Freeze and image the hard drive before anything else is done,
remembering that freezing a system is best done when its workings are
not critical to business needs.
• Get the intruders out of the network or close the holes so they cannot
breach the system through the same vulnerability in the future. This
can be achieved by collecting and correlating information from system,
web, and other log files.
• Determine how bad the breach really is and decide what information
should be divulged to the public. This is where legal counsel from an
experienced and knowledgeable person can help.
– Chris Wysopal, director of research and development for @Stake
Volatile Data
• “When an incident is reported, certain steps need to
be taken on a live system before you perform
forensic duplication of that system.”
• “The initial response is an effort to obtain as much
volatile data as possible before you power down the
evidence system for forensic duplication.”
• Volatile (and possibly useful) data can be found in:
•
•
•
•
Registers, cache contents
Memory contents
State of network connections
State of running processes
Important Note!
• “A computer changes states through user
interaction, process execution, data transfers, and
power cycles; therefore, data in memory and
storage is going to change. It is vitally important
to understand the changes that will occur when
you perform a command or operation. As you
respond at the console, make sure that you
document every step in detail.”
• “Before you review a ‘live’ system, create a stepby-step plan and stick to it like a script.”
Live Response Sample Steps
From Incident Response by Mandia & Prosise
Step
Establish a new shell
Record the system date and time
Determine who is logged on
Record open sockets
List processes that open sockets
List currently running processes
List systems that recently connected
Record steps taken
Windows NT/2000 UNIX
cmd.exe
bash
date, time
w
loggedon
w
netstat
netstat -anp
fport
lsof
pslist
ps
nbstat
netstat
doskey
script, vi, history
Extracting File Slack and Free Space
• “File system residue exists, to some extent, in all file
systems. The types of residue fall into two
categories”:
• Free space – unallocated space
• May be space never before allocated to a file, or
• Space that was created when a file was deleted
• Slack space – “occurs when data is written to a storage
medium in chunks that fail to fill the minimum block size
defined by the operating system.”
• If you want this info, you need a tool that is aware of
the particular file system structure.
Common Incidents
• Denial-of-Service attack
• e.g. TFN
• Unauthorized use
• e.g. Use of systems to surf porn sites
• Vandalism
• e.g. defaced web site
• Theft of information
• e.g. stolen credit card info from customer DB
• Computer intrusion
• e.g. remote administrative access
A thought -“Remember, the first to discover a problem is likely to be your
company’s lowest paid system administrator on the night shift.
If this person cannot get guidance -- preferably prior guidance,
he or she might decide to call the police or worse, the media.
The plan should include who to call, who not to call, what to
do with the machines, priorities -- (for example,) is keeping
the data center up a higher priority than preserving evidence?
You decide as much as possible what the trade-offs are, based
on you understanding of your vulnerabilities or consultation
with experts in the field.”
-- Computer Forensics, April 2001 SC Magazine
Incident Definitions
• An Incident is any event that disrupts normal
operating procedure and precipitates some
level of crisis.
• A Computer Intrusion.
• Denial of Service Attack.
• Theft of information.
• Computer Misuse.
• A power failure.
• Investigator(s) gather facts, analyze and resolve
the incident.
Goals of Incident Response
• Confirms or dispels whether an incident occurred
• Promotes the accumulation of accurate information
• Establishes controls for proper retrieval and handling of
•
•
•
•
evidence
Protects privacy rights established by law and policy
Minimizes disruption to business and network operations
Allows for legal or civil recriminations against perpetrators
Provides accurate reports and useful recommendations
Incident Response
• In developing an incident response roadmap, companies
should plan:
• How to secure or preserve evidence, whether making an image copy or
•
•
•
•
•
locking up the original until computer forensic specialists arrive.
How or where to search for evidence, be it on the local drive, back-up
system, home computers or laptops.
A list of topics to consider when preparing a thorough report.
A list of outside agencies and resources to consult or report to given a
particular situation.
A recommended list of software to be used internally for investigations.
A recommended list of experts with whom to consult.
• “Computer Forensics”, April 2001 SC Magazine
• Consider creating a Computer Incident Response Team
(CIRT)
Computer Incident Response Team
• Mission
• Provide a rapid response capability to address
(suspected) intrusions/security incidents.
• Composition
• Core – Manager, IT staff, legal counsel, support
personnel.
• Support – specific area experts
• Forensic Best practices
• Tools
• Organizations
• FIRST, CERT, CIAC, SANS, ISSA, NIPC…
Incident Response Team Mission
• Respond to all security incidents with a formal
investigative process based upon the Incident
Response Plan and Corporate policies.
• Conduct a bias free investigation.
• Determine if a true incident did occur.
• Assess the damage and scope of the incident.
• Control and contain the incident.
• Document the incident and maintain a chain of custody.
• Protect Privacy Rights by law and corporate policy.
• Liaison to law Enforcement and Legal Authorities.
• Provide Expert Testimony.
• Provide recommendation to senior level management.
Incident Response Team
• Team Composition depends upon:
• Number and type of hosts involved.
• Number and type of networks involved.
• Number and type of Operating Systems involved.
• Attack sophistication.
• Incident Publicity.
• Internal Politics.
• Corporate Liability.
Computer Incident Response Team (CIRT)
Team Manager.
- Single Point of Contact
- Leader/decision maker
- Clear authority to act/decide.
- Assess potential impact/loss
- Upper management support
- Spokesman
- Documents team actions.
Computer Specialist
- System Administrator
- Systems Operator/Programmer
- Technically Tracks intruder
- Monitors on-going system activity.
- Reconstructs crime.
- Documents technical aspects of
crime.
Network Specialist Advisor
- Advises computer specialist
- Network protocol specialist
- As Required
Computer Crime Investigator
- CI Investigator w/jurisdiction.
- Collects/documents evidence.
- Advises on investigative aspects.
- This may be a team of investigators.
Company Attorney
- Legal advice
- Case preparation
- Adjunct to Team
Public Affairs
- Advise senior management on PR
- Press Spokesperson
- Adjunct to Team
Security Auditor
- Assists Computer specialist.
- Audit trails/logs
- Assess Economic impact
- Adjunct to Team
9 Steps to Incident Response
•
•
•
•
•
•
•
•
•
Emergency Action Card
Preparation
Identification
Investigation and Containment
Eradication
Recovery
Follow-up
Incident Record Keeping
Incident Specific Procedures
Steps to take when an incident happens
•
•
•
•
•
•
•
•
•
•
Remain Calm !!!
Document everything
Notify appropriate personnel and get help
Enforce “need to know” policy
If compromise has occurred, use “out of band”
communication channels
First priority should be to contain problem
Make backup copies of systems for possible
prosecution purposes
Identify problem/vulnerability, patch
Get back to business
Prosecute/follow-up
Incident Preparation
•Has a lot to do with just securing your system
•Risk Management.
• Host preparation.
• Network Preparation.
• Network Policies and Procedures.
• A Response toolkit.
• The Incident Response Team.
Detection of Incident Process
Firewall Logs
IDS Logs
DETECT
Suspicious user
System Admin
Begin IR
Checklist
Activate
CIRT
Incident Detection
• Intruder discovery
• Strange activities
•
•
•
•
•
•
•
•
•
System crashes
Unusual hard disk activity.
Unexplained Reboots.
Account discrepancies
Sluggish response
Strange login hours.
Failed logins with bad passwords.
Unusual activity with the su command.
A message from a remote System Administrator
Incident Detection Cont.
• System monitoring:
•
•
•
•
Another superuser logs in.
A user on vacation who is logged in.
Deleted or corrupted log files.
A user who is not a programmer but is running
compilers.
• Network connections from unknown machines.
• Unauthorized changes to system programs.
• New account entries in /etc/passwd file.
• Analysis tools such as Tripwire.
• The System Administrator should investigate any
strange activity.
• Various UNIX commands can be employed to
explore who is doing what on the system.
Incident Detection Cont.
• Stopping the Intruder.
• Power Down?
• Interrupts users.
• Deletes evidence
• Damage the file systems.
• Ask him to leave?
• He may damage the system to prevent being caught.
• Kill his/her processes?
•
•
•
•
Use the ps command to list all his/her processes.
Change all compromised account passwords.
Use the kill command to terminate the processes.
Check for backdoors/sniffers/undesired programs.
•
Interrupts other users.
• Break the connection?
Incident Reporting
• Incident Response Team Leader is
notified.
• Notifies the organization Computer Incident
Response Team.
• Briefs senior level management
• Coordinates the response activities
• Notifies all Points of contact.
•
•
•
•
•
•
Local System Administrators/Network Managers.
Remote System Administrators/Network Managers.
Internet Service Provider managers/technicians.
Law Enforcement Computer Crime specialists.
Public Affairs specialist.
Legal Affairs officer.
Incident Reporting Cont.
• Incident notification Guidelines.
•Use explicit language that is clear, concise
and fully qualified.
• No smoke screens.
• No generalities
• Use factual language..
• No false information
• No incomplete information.
• Use matter a fact language.
• No emotion
• No inflammatory language
Initial Response
• Freeze the Incident Scene.
• Verbally contain the scene with instructions
such as:
• “Take your hands off the keyboard and step away
from the computer.”
• “Physically disconnect the computer from the
network.”
• “What is your name, office and telephone number.”
• “What is the hardware and operating system?”
• “I’m going to fax you a set of instruction. What is
your Fax number?”
Incident Response Checklist
Version 1.0
Date:
Time:
Name:
Telephone Number:
Nature of Incident:
Time of Incident:
How was the incident detected:
Current Impact of Incident;
Future Impact of incident:
Description of the incident:
Hardware/OS/Software involved:
IP and network addresses of compromised systems:
Network Type:
Modem:
Criticality of Information:
Physical location:
System Administrator Name and Number:
Current status of machine:
Description of Hacker Actions
Ongoing activity:
Source Address:
Malicious program involved:
Denial of Service
Vandalism:
Indication of insider or outsider:
Incident Response Checklist Cont.
Version 1.0
Client Actions
Network disconnected:
Remote access available:
Local Access available:
Audit logs available and examined:
Any changes to firewall:
Any changes to ACL:
Who has been notified:
Other actins taken:
Available Tools
Third party host auditing:
Network monitoring:
Network Auditing:
Additional Contacts
Users:
System Administrators:
Network Administrators:
Special Information
Who should not know about this incident:
Response Team Member Signature/Date:__________________________________
Incident Response Team Fax
Version 1.0
Date:_____________
Time:____________
Name:_______________________
Thank you for notifying the incident response team and agreeing to
help. Please do not touch the affected computer(s) unless told to do so by a
member of the Incident Response team. Please remain within sight of the
computer until a member of the Incident Response Team arrives and assure
that no one touches the computer.
Please help us by detailing as much information about the incident as
possible. Please complete the following items. If additional space is required
use a separate sheet of paper.
Witnesses:
1.
2.
3.
What indicators lead you to notice and/or report the incident. Be as
specific as possible.
Incident Indicators:
The next section is important so be as accurate as possible. From the time
you noticed the incident to the time you took your hands from the computer,
list every command you typed and any file you accessed.
Commands typed and Files accessed:
Initial Response Cont.
• Physically contain the scene.Two personnel, if
possible, should immediately respond to the
scene.
• Incident Scene Survey (1st Member)
• Use a portable tape recorder to:
• 1. Record the scene
• 2. Everyone present.
• Order everyone to leave the scene who is not directly
involved in the incident.
• 3. Interview the individual who reported the incident.
• 4. Record, intermittently, the actions of the second
individual.
• 5. Assist the 2nd Member.
Initial Response Cont
• Contain the System (2nd Member).
• Ask the System Administrator to assist.
• Back up the system.
• Do this with forensic type tool that does bit-by-bit backup
such as SafeBack at http://www.forensics-intl.com.
• Alternatively, remove the drive and seal it in a plastic bag
with your notes and the notes of the individual who
reported the incident.
• Attempt to identify the changed files through:
• Tripwire http://www.tripwire.org/ or alternatively
• Expert Witness at http://www.asrdata.com.
•Instructor Note: The details are under the Computer
Forensics Lecture.
Response Toolkit
• High-end processor
• Large capacity drives
• Fast DVD/CD-RW drive
• Extra power cables, SCSI cables, parallel-to-SCSI
adapters, Cat 5 cables and hubs, CD/DVD’s, labels,
Toolkit
• Software
• 2 or 3 native operating systems on the machine
• Windows, Linux
• Safeback, EnCase, and other forensics tools used to
recreate exact images of computer media
• All of the drivers for all of the HW on your system
• Quickview Plus, some other SW that allows you to
view nearly all types of files
SafeBack
EnCase
Quick View Plus
System Restoration
• System Administrator recovers the system.
• Don't trust anything that is on-line.
• Don't believe anything your system tells you.
•
•
•
•
•
•
Reformat disks
Restore operating system.
Reload software.
Assign new passwords.
Scan the /etc/passwd for newly created files
Check for changes to files that may affect security
(trapdoors, logic bombs, etc.).
System Restoration
• Check critical files for the appropriate file
protection and permissions.
• Scan the system for newly created SUID and
SGID files.
• Delete and recreate all .rhosts files.
• Check for changes to the /etc/hosts.equiv
file.
• Check for changes in user startup files.
• Check for a modified .forward file.
• Check for hidden or unowned files and
directories.
• Run audit tools such a COPS and Tripwire.
System Restoration
• The recovery should be planned to
have minimal impact on the users.
• Keep the users informed.
• Engage in rumor control.
Incident Evaluation
• Conduct an after action meeting.
• Prepare an after action report to document the
incident, the response to the incident and the
recovery from the incident.
• Lessons Learned?
• Policy to general!
• Responsibilities not sufficiently defined!
• Inadequate monitoring tools!
• Systems not backed up!
• Hard disk needs smaller partitions!
• Set smaller limits on disk usage!
• System not scanned with tools such as SATAN and
ISS!
Computer Crime Investigation
• Notify law Enforcement.
• Brief/coordinate with upper management.
• The Law Enforcement Computer Crime
Team assumes control.
• Computer crime investigation is complex,
time consuming, and resource intensive.
• Allow time/resources for
• Investigation.
• Prosecution.
Network Surveillance
• Why perform network surveillance?
• To confirm or dispel suspicions concerning a possible
•
•
•
•
•
security incident
To accumulate additional evidence
To verify the scope of a compromise
To identify additional parties involved
To determine a timeline of events occurring on the
network
To ensure compliance with mandated activity
“Honey Pots”
• If you’re trying to gather evidence for prosecution or to
determine the origin of the attacker, consider using a
“honey pot”
• a file or directory designed to attract an intruder
• can be used to help warn of an intrusion
• no legitimate access to the file or directory so if anybody does
attempt to access them then its either an intruder or an insider
attempting to exceed their authority
• Often contains large files or a large number of files to
keep the intruder on for as long as possible..
Predictions
• The security industry in general, and the computer forensics
and incident response arenas specifically, will have to begin
dealing with new technologies, such as wireless. The wireless
world will bring new challenges to computer forensic
investigations.
• More legislation and standards related to computer forensics,
comparable to other forms of criminal investigation, will come
into force.
• Information security insurance will become more widely
available.
– Dave Morrow, April 2001 SC Magazine, “Computer
Forensics”
Summary
• Two major things to remember:
• Preserve the chain of evidence! Don’t do
anything that will modify disks or log files.
Document everything you do.
• If a criminal investigation is started, you may
lose access to equipment or disks. Best thing to
have in this case are -- BACKUPS!