Transcript here

CSE 4482: Computer Security Management:
Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
4/13/2015
1
Performing RAID Data Acquisitions
• Size is the biggest concern
– Many RAID systems now have terabytes
of data
• What is RAID and what is it used for?
• Redundant array of independent
(formerly “inexpensive”) disks (RAID)
– Computer configuration involving two or
more disks
– Originally developed as a dataredundancy measure
2
Raid Techniques
RAID: Mirroring
4
RAID : Bit-level Striping
5
RAID versions
• RAID 0
– Provides rapid access and increased storage
– Lack of redundancy
• RAID 1
– Designed for data recovery
– More expensive than RAID 0
• RAID 2
–
–
–
–
Similar to RAID 1
Data is written to a disk on a bit level
Has better data integrity checking than RAID 0
Slower than RAID 0
6
RAID: Block level striping
7
RAID versions II
• RAID 3
– Uses data striping and dedicated parity
• RAID 4
– Data is written in blocks
• RAID 5
– Similar to RAIDs 0 and 3
– Places parity recovery data on each disk
• RAID 6
– Redundant parity on each disk
• RAID 10, or mirrored striping
– Also known as RAID 1+0
– Combination of RAID 1 and RAID 0
8
Acquiring RAID Disks
• Concerns
–
–
–
–
How much data storage is needed?
What type of RAID is used?
Do you have the right acquisition tool?
Can the tool read a forensically copied RAID
image?
– Can the tool read split data saves of each
RAID disk?
• Older hardware-firmware RAID systems
can be a challenge when you’re making an
image
9
Acquiring RAID Disks
(continued)
• Vendors offering RAID acquisition functions
–
–
–
–
–
Technologies Pathways ProDiscover
Guidance Software EnCase
X-Ways Forensics
Runtime Software
R-Tools Technologies
• Occasionally, a RAID system is too large for a
static acquisition
– Retrieve only the data relevant to the investigation with
the sparse or logical acquisition method
10
Using Remote Network
Acquisition Tools
• You can remotely connect to a suspect computer
via a network connection and copy data from it
• Remote acquisition tools vary in configurations and
capabilities
• Drawbacks
– LAN’s data transfer speeds and routing table conflicts
could cause problems
– Gaining the permissions needed to access more secure
subnets
– Heavy traffic could cause delays and errors
11
Remote Acquisition with ProDiscover
• With ProDiscover Investigator you can:
– Preview a suspect’s drive remotely while it’s in use
– Perform a live acquisition
– Encrypt the connection
– Copy the suspect computer’s RAM
– Use the optional stealth mode
• ProDiscover Incident Response additional functions
– Capture volatile system state information
– Analyze current running processes
– Locate unseen files and processes
– Remotely view and listen to IP ports
– Run hash comparisons
– Create a hash inventory of all files remotely
12
Remote Acquisition with
ProDiscover (continued)
• PDServer remote agent
– ProDiscover utility for remote access
– Needs to be loaded on the suspect
• PDServer installation modes
– Trusted CD
– Preinstallation
– Pushing out and running remotely
• PDServer can run in a stealth mode
– Can change process name to appear as OS
function
13
Remote Acquisition with
ProDiscover (continued)
• Remote connection security features
–
–
–
–
–
Password Protection
Encryption
Secure Communication Protocol
Write Protected Trusted Binaries
Digital Signatures
14
Remote Acquisition with EnCase
Enterprise
• Remote acquisition features
– Remote data acquisition of a computer’s media
and RAM data
– Integration with intrusion detection system (IDS)
tools
– Options to create an image of data from one or
more systems
– Preview of systems
– A wide range of file system formats
– RAID support for both hardware and software
15
Remote Acquisition with R-Tools
R-Studio
• R-Tools suite of software is designed for
data recovery
• Remote connection uses Triple Data
Encryption Standard (3DES) encryption
• Creates raw format acquisitions
• Supports various file systems
16
Remote Acquisition with
Runtime Software
• Utilities
– DiskExplorer for FAT
– DiskExplorer for NTFS
– HDHOST
• Features for acquisition
– Create a raw format image file
– Segment the raw format or compressed image
– Access network computers’ drives
17
Using Other ForensicsAcquisition Tools
• Tools
–
–
–
–
–
–
–
SnapBack DatArrest
SafeBack
DIBS USA RAID
ILook Investigator IXimager
Vogon International SDi32
ASRData SMART
Australian Department of Defence PyFlag
18
SnapBack DatArrest
• Columbia Data Products
• Old MS-DOS tool
• Can make an image on three ways
– Disk to SCSI drive
– Disk to network drive
– Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry
19
NTI SafeBack
• Reliable MS-DOS tool
• Small enough to fit on a forensic boot
floppy
• Performs an SHA-256 calculation per
sector copied
• Creates a log file
• Functions
–
–
–
–
Disk-to-image copy (image can be on tape)
Disk-to-disk copy (adjusts target geometry)
Copies a partition to an image file
Compresses image files
20
More tools
• DIBS USA RAID (Rapid Action Imaging
Device)
– Makes forensically sound disk copies
– Portable computer system designed to make
disk-to-disk images
– Copied disk can then be attached to a writeblocker device
• ILook Investigator IXimager
– Runs from a bootable floppy or CD
– Designed to work only with ILook Investigator
– Can acquire single drives and RAID drives
21
More tools II
Vogon International SDi32
• Creates a raw format image of a drive
• Write-blocker is needed when using this tool
• Password Cracker POD
– Device that removes the password on a drive’s firmware
card
ASRData SMART
• Linux forensics analysis tool that can make image
files of a suspect drive
• Capabilities
–
–
–
–
Robust data reading of bad sectors on drives
Mounting suspect drives in write-protected mode
Mounting target drives in read/write mode
Optional compression schemes
22
Next: Network Forensics
• Guide to Computer Forensics and
Investigations, Third Edition, Chapter
11
23
Objectives
• Describe the importance of network
forensics
• Explain standard procedures for
performing a live acquisition
• Explain standard procedures for
network forensics
• Describe the use of network tools
24
Network Forensics Overview
• Network forensics
– Systematic tracking of incoming and
outgoing traffic
– To ascertain how an attack was carried out
or how an event occurred on a network
• Intruders leave trail behind
• Determine the cause of the abnormal
traffic
– Internal bug
– Attackers
25
Securing a Network
• Layered network defense strategy
– Sets up layers of protection to hide the
most valuable data at the innermost part of
the network
• Defense in depth (DiD)
– Similar approach developed by the NSA
– Modes of protection
• People
• Technology
• Operations
26
Securing a Network (continued)
• Testing networks is as important as
testing servers
• You need to be up to date on
– the latest methods intruders use to infiltrate
networks, and
– methods internal employees use to
sabotage networks
27
Performing Live Acquisitions
• Live acquisitions are especially useful when
you’re dealing with active network intrusions or
attacks
• Live acquisitions done before taking a system
offline are also becoming a necessity
– Because attacks might leave footprints only in
running processes or RAM
• Live acquisitions don’t follow typical forensics
procedures
• Order of volatility (OOV)
– How long a piece of information lasts on a system
28
Performing Live Acquisitions
(continued)
• Steps
– Create or download a bootable forensic CD
– Make sure you keep a log of all your actions
– A network drive is ideal as a place to send
the information you collect
– Copy the physical memory (RAM)
– The next step varies, depending on the
incident you’re investigating
– Be sure to get a forensic hash value of all
files you recover during the live acquisition
29
Performing a Live Acquisition in
Windows
• Several bootable forensic CDs are available
– Such as Helix and DEFT
• Helix operates in two modes:
– Windows Live (GUI or command line) and
bootable Linux
• The Windows Live GUI version includes a
runtime prompt for accessing the command
line
• GUI tools are easy to use, but resource
intensive
30
Performing a Live Acquisition in
Windows (continued)
31
Performing a Live Acquisition in
Windows (continued)
32
Developing Standard Procedures
for Network Forensics
• Long, tedious process
• Standard procedure
– Always use a standard installation image
for systems on a network
– Close any way in after an attack
– Attempt to retrieve all volatile data
– Acquire all compromised drives
– Compare files on the forensic image to the
original installation image
33
Developing Standard Procedures
for Network Forensics II
• Computer forensics
– Work from the image to find what has
changed
• Network forensics
– Restore drives to understand attack
• Work on an isolated system
– Prevents malware from affecting other
systems
34
Reviewing Network Logs
• Record ingoing and outgoing traffic
– Network servers
– Routers
– Firewalls
• Tcpdump tool for examining network traffic
– Can generate top 10 lists
– Can identify patterns
• Attacks might include other companies
– Do not reveal information discovered about other
companies
35
Using Network Tools
• Sysinternals
– A collection of free tools for examining
Windows products
• Examples of the Sysinternals tools:
– RegMon shows Registry data in real time
– Process Explorer shows what is loaded
– Handle shows open files and processes
using them
– Filemon shows file system activity
36
Using Network Tools (continued)
37
Using Network Tools (continued)
• Tools from PsTools suite created by
Sysinternals
–
–
–
–
–
–
–
–
–
PsExec runs processes remotely
PsGetSid displays security identifier (SID)
PsKill kills process by name or ID
PsList lists details about a process
PsLoggedOn shows who’s logged locally
PsPasswd changes account passwords
PsService controls and views services
PsShutdown shuts down and restarts PCs
PsSuspend suspends processes
38
Using UNIX/Linux Tools
• Knoppix Security Tools Distribution
(STD)
– Bootable Linux CD intended for computer
and network forensics
• Knoppix-STD tools
– Dcfldd, the U.S. DoD dd version
– memfetch forces a memory dump
– photorec grabs files from a digital camera
– snort, an intrusion detection system
– oinkmaster helps manage your snort rules
39
Using UNIX/Linux Tools
(continued)
• Knoppix-STD tools (continued)
– john
– chntpw resets passwords on a Windows
PC
– tcpdump and ethereal are packet sniffers
• With the Knoppix STD tools on a
portable CD
– You can examine almost any network
system
40
Using UNIX/Linux Tools
(continued)
41
Using UNIX/Linux Tools
(continued)
• The Auditor
– Robust security tool whose logo is a Trojan
warrior
– Based on Knoppix and contains more than
300 tools for network scanning, brute-force
attacks, Bluetooth and wireless networks,
and more
– Includes forensics tools, such as Autopsy
and Sleuth
– Easy to use and frequently updated
42
Using Packet Sniffers
• Packet sniffers
– Devices or software that monitor network
traffic
– Most work at layer 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Some packets can be identified by
examining the flags in their TCP
headers
43
Using Packet Sniffers
(continued)
44
Using Packet Sniffers
(continued)
• Tools
–
–
–
–
–
–
–
–
–
–
–
Tcpdump
Tethereal
Snort
Tcpslice
Tcpreplay
Tcpdstat
Ngrep
Etherape
Netdude
Argus
Ethereal
45
Using Packet Sniffers
(continued)
46
Examining the Honeynet Project
• Attempt to thwart Internet and network
hackers
– Provides information about attacks methods
• Objectives are awareness, information, and
tools
• Distributed denial-of-service (DDoS)
attacks
– A recent major threat
– Hundreds or even thousands of machines
(zombies) can be used
47
Examining the Honeynet Project
(continued)
48
Examining the Honeynet Project
(continued)
• Zero day attacks
– Another major threat
– Attackers look for holes in networks and OSs and
exploit these weaknesses before patches are
available
• Honeypot
– Normal looking computer that lures attackers to it
• Honeywalls
– Monitor what’s happening to honeypots on your
network and record what attackers are doing
49
Examining the Honeynet Project
(continued)
• Its legality has been questioned
– Cannot be used in court
– Can be used to learn about attacks
• Manuka Project
– Used the Honeynet Project’s principles
• To create a usable database for students to
examine compromised honeypots
• Honeynet Challenges
– You can try to ascertain what an attacker
did and then post your results online
50
Examining the Honeynet Project
(continued)
51
Summary
• Network forensics tracks down internal
and external network intrusions
• Networks must be hardened by applying
layered defense strategies to the
network architecture
• Live acquisitions are necessary to
retrieve volatile items
• Standard procedures need to be
established for how to proceed after a
network security event has occurred
52
Summary (continued)
• By tracking network logs, you can become
familiar with the normal traffic pattern on your
network
• Network tools can monitor traffic on your
network, but they can also be used by intruders
• Bootable Linux CDs, such as Knoppix STD and
Helix, can be used to examine Linux and
Windows systems
• The Honeynet Project is designed to help
people learn the latest intrusion techniques that
attackers are using
53