Network Forensics


An example of a computer crime – a VIRTUAL crime that needs computer forensic expertise.

Your company has recently hired a new salesman. Six months after his hire, he leaves your company, forms a competing business, and sends letters to all of your clients. You think this a bit odd and contact an attorney to consider filing a suit. What has occurred is a virtual theft: the salesman took a copy of your client database. Note that this is a VIRTUAL theft – since you were not deprived of any property (he copied the database rather than deleting it), it may not fit traditional theft statutes, and you will likely have difficulty prosecuting him criminally. Proving even the civil case depends on evidence recovered from computers, which is where forensics comes in.

What is Computer Forensics?

• Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.

• It arose as a result of the growing problem of computer crime.

• Computer crimes fall into two categories:

– The computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes. Investigation of these crimes often involves searching computers suspected to be involved.

– The computer itself is the victim of a crime – this is commonly referred to as incident response. It refers to the examination of systems that have been remotely attacked.

• Forensic experts follow clear, well-defined methodologies and procedures.

• Computer forensics started only a few years ago, when it was still simple to collect evidence from a computer.

• While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.

• Basic forensic methodology consists of three steps:

– Acquire the evidence without altering or damaging the original.

– Authenticate that your recovered evidence is the same as the originally seized data.

– Analyze the data without modifying it.

Acquire the Evidence

• Keep in mind that every case is different.

• Do not disconnect the computers – some evidence may exist only in RAM – so collect volatile information from the live system first. Remember that every tool you run on a live system changes its state, so record exactly what you ran and when.

• Consider the following issues:

– Handling the evidence – if you do not take care of the evidence, the rest of the investigation will be compromised.

– Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain of custody record should answer: • Who collected it • How and where • Who took possession of it • How it was stored and protected in storage • Who took it out of storage and why

– Collection • You want the evidence collected so cleanly that its integrity cannot be questioned and it supports your case.

– Identification • Methodically identify and label every single item that comes out of the suspect's/victim's location.

– Transportation • Evidence is not supposed to be moved, so when you must move it, be extremely careful.

– Storage • Keep the evidence in a cool, dry place appropriate for electronic evidence.

– Documenting the investigation • This is the most difficult part for computer professionals, because technical people are not good at writing down the details of their procedures.

• Authenticating evidence – it is difficult because: • Crime scenes change • Evidence is routinely damaged by environmental conditions • Computer devices slowly deteriorate

– Keep proof of integrity by computing a cryptographic hash of each file or disk image at the time of seizure and recording it together with a timestamp. This is hashing, not encryption: the hash is a fingerprint of the data that changes if even a single bit changes, so re-hashing a copy later proves it is identical to what was seized. Two algorithm families (MD5 and SHA) are in common use today; MD5 is now known to be collision-prone, so record a SHA-2 digest (SHA-256, for example) alongside or instead of it.

• Analysis – Make two backups (one to work on, one kept untouched) – Use well-known analysis tools.
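The acquire/authenticate/analyze cycle above, worked through in code. This is an added example, not material from the original slides: it images a constructed "disk" file, hashes the bytes as they are read, writes a chain-of-custody record, and then shows that a working copy with one flipped bit fails verification. The file names, the examiner name, and the evidence bytes are all made up for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory whole
ALGORITHMS = ("sha256", "md5")  # rely on SHA-256; MD5 kept only for tools that still expect it


def acquire_image(source: str, dest: str, algorithms=ALGORITHMS) -> dict:
    """Copy `source` to `dest` byte for byte, hashing the bytes as they are read.
    The digests therefore describe exactly what was read from the original and
    can be recorded before any analysis begins."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    os.chmod(dest, 0o444)  # the working copy stays read-only
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms=ALGORITHMS) -> dict:
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, expected: dict) -> bool:
    """Re-hash a copy and compare every recorded digest; any mismatch fails."""
    return hash_file(path, tuple(expected)) == expected


def custody_entry(item: str, action: str, person: str, digests: dict) -> dict:
    """One chain-of-custody record: who did what to which item, when, and the
    digests that prove the item was unchanged at that moment."""
    return {
        "item": item, "action": action, "by": person,
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "digests": dict(digests),
    }


def demo() -> dict:
    """Run the acquire/authenticate/analyze cycle on a constructed 'disk'."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "suspect_disk.raw")
        image = os.path.join(work, "suspect_disk.img")
        # Constructed evidence: a blank boot sector plus some recognisable content.
        with open(original, "wb") as f:
            f.write(b"\x00" * 512 + b"client list: ACME, Globex, Initech\n" + bytes(range(256)) * 8)

        digests = acquire_image(original, image)
        log = [custody_entry("suspect_disk", "acquired", "examiner A", digests)]

        # Authenticate: the working copy must hash to exactly what was seized.
        verified = verify_image(image, digests)
        log.append(custody_entry("suspect_disk.img", "verified", "examiner A", digests))

        # A copy with a single bit flipped fails verification outright.
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[600] ^= 0x01
        tampered = os.path.join(work, "tampered.img")
        with open(tampered, "wb") as f:
            f.write(data)
        tampered_ok = verify_image(tampered, digests)

        return {"digests": digests, "verified": verified,
                "tampered_verified": tampered_ok, "custody_log": log}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real case the source would be a block device opened read-only (ideally behind a hardware write blocker) rather than a file, and the custody log would be signed or printed and countersigned; the hashing and verification logic is the same.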


Tracking the Offender

• Keep in mind that cyber sleuths often have to track their offenders across a digital matrix of hosts and networks. Also, digital forensic techniques and tools are still largely undeveloped, so you have little to go on.

• Tracing IP addresses

– For a web address (hostname), use ping to resolve it to its dotted-quad IP address. Note that the same 32-bit address can also be written as a single decimal (base-10) number, a form used to obscure URLs, so be prepared to convert between the two.

– For MAC addresses, use the ARP tables (be aware that MAC addresses can be changed by software, and the NIC itself can be changed, removed, or replaced).

– Beware of DNS – a name may resolve to a different address than it did at the time of the incident, so work with and record IP addresses, not just names.

– After getting some information, try traceroute.

• Learn to read an email trail (the Received: headers, read from the bottom up).

• NetBIOS – a Windows protocol that used to run exclusively on LANs (not over TCP/IP) and now runs on top of TCP/IP so that it reaches across WANs.

• nbtstat – displays NetBIOS over TCP/IP statistics and name tables; netstat displays protocol statistics for all TCP/IP connections.

• Other tracing tools include NeoTrace and NetScan Pro. These can do a traceroute.

• Use IDS logs.
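An added example (not from the original slides) covering the two tracing tasks above: converting between the dotted-quad and single-number forms of an IP address, and reading an email trail by walking the Received: headers from the origin outward. It goes slightly beyond the text by also accepting hex and octal spellings of an address, which appear in obfuscated URLs. The email, hostnames, and addresses are constructed (documentation ranges), and the regular expression assumes the common "from HELO (rdns [ip]) by server ...; date" layout of a Received: header.

```python
import ipaddress
import re
from email import message_from_string


def _octet(token: str) -> int:
    # Each dotted-quad field may itself be written in hex (0xC0), octal (0300) or decimal.
    t = token.lower()
    if t.startswith("0x"):
        value = int(t[2:], 16)
    elif len(t) > 1 and t.startswith("0"):
        value = int(t, 8)
    else:
        value = int(t, 10)
    if not 0 <= value <= 255:
        raise ValueError("octet out of range: %r" % token)
    return value


def normalize_ip(text: str) -> str:
    """Canonical dotted quad for an IPv4 address written as a dotted quad, as a
    single 32-bit decimal or hex number, or with hex/octal fields."""
    t = text.strip().lower()
    if "." not in t:
        value = int(t[2:], 16) if t.startswith("0x") else int(t, 10)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("not a 32-bit address: %r" % text)
        return str(ipaddress.IPv4Address(value))
    fields = t.split(".")
    if len(fields) != 4:
        raise ValueError("expected four fields: %r" % text)
    return ".".join(str(_octet(f)) for f in fields)


def ip_to_decimal(dotted: str) -> int:
    """The single-number (base 10) form of a dotted-quad address."""
    return int(ipaddress.IPv4Address(dotted))


# One Received: header describes one hop: "from <helo> (<rdns> [<ip>]) by <server> ...; <date>"
_HOP = re.compile(r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9a-fx.]+)\].*?\bby\s+(?P<by>[^\s;]+)", re.I)


def trace_email_path(raw_message: str) -> list:
    """Return the hops in the order the message actually travelled (origin first)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        unfolded = " ".join(header.split())  # join continuation lines
        m = _HOP.search(unfolded)
        if not m:
            continue
        hops.append({
            "from": m["helo"],
            "ip": normalize_ip(m["ip"]),
            "by": m["by"],
            "date": unfolded.rsplit(";", 1)[1].strip() if ";" in unfolded else "",
        })
    hops.reverse()  # each relay prepends its header, so the top one is the newest
    return hops


# Constructed sample message (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_EMAIL = (
    "Received: from mail.example.net (mail.example.net [203.0.113.10])\n"
    "\tby mx.victim.example (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <ceo@victim.example>; Mon, 02 Mar 2020 10:05:01 +0000\n"
    "Received: from relay.example.net ([198.51.100.7])\n"
    "\tby mail.example.net with SMTP; Mon, 02 Mar 2020 10:04:58 +0000\n"
    "Received: from [192.0.2.44] (unknown [192.0.2.44])\n"
    "\tby relay.example.net; Mon, 02 Mar 2020 10:04:55 +0000\n"
    "From: \"Bob\" <bob@example.net>\n"
    "Subject: our new venture\n"
    "\n"
    "Dear client, ...\n"
)


if __name__ == "__main__":
    for hop in trace_email_path(SAMPLE_EMAIL):
        print("%-16s -> %-20s %s" % (hop["ip"], hop["by"], hop["date"]))
    print(normalize_ip("3221225985"), ip_to_decimal("192.0.2.1"))
```

Only the headers added by servers you trust (your own mail exchanger and those upstream of it that you can corroborate) are reliable; anything below the first hop the sender controlled may have been forged, so the origin address at the bottom of the path is a lead, not proof.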

Storage Media

• Hard Drives – Make a bit-for-bit image copy, then restore the image to a freshly wiped hard drive for analysis – Remount the copy (read-only) and start to analyze it. Never work on the original.

– Before opening it, record information on its configuration (make, model, serial number, geometry) – Use tools to generate a report of the disk's contents and partition layout (PartitionMagic) – View operating system logs.
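One part of the "report of the disk's contents" is the partition table in the first sector of the image. The following is an added example, not code from the slides or from PartitionMagic: it decodes the four primary MBR entries and lists the sector ranges no partition claims, which is where data can sit outside any filesystem. The boot sector it parses is constructed for the demonstration; on a real case you would feed it the first 512 bytes of the image file.

```python
import struct

# Partition type bytes a first-pass report should at least recognise.
PARTITION_TYPES = {
    0x05: "extended", 0x07: "HPFS/NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446


def parse_mbr(sector: bytes) -> list:
    """Decode the four primary partition entries from a 512-byte boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature; disk may be GPT-only, wiped, or damaged")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FORMAT, raw)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "start": lba, "end": lba + count - 1, "sectors": count,
        })
    return parts


def unallocated_ranges(parts: list, total_sectors: int) -> list:
    """Sector ranges no primary partition claims (sector 0 is the MBR itself).
    These gaps are where an intruder can park data outside any filesystem."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed boot sector: a bootable NTFS partition, a Linux partition,
    and deliberate gaps around them. Not taken from any real disk."""
    def entry(status, ptype, lba, count):
        return struct.pack(ENTRY_FORMAT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector = bytearray(512)
    sector[446:462] = entry(0x80, 0x07, 2048, 204800)
    sector[462:478] = entry(0x00, 0x83, 210944, 40960)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def report(sector: bytes, total_sectors: int) -> str:
    parts = parse_mbr(sector)
    lines = ["slot boot type  name              start      end        sectors"]
    for p in parts:
        lines.append("%4d %-4s 0x%02x  %-16s %10d %10d %10d" % (
            p["slot"], "yes" if p["bootable"] else "no", p["type"], p["type_name"],
            p["start"], p["end"], p["sectors"]))
    for lo, hi in unallocated_ranges(parts, total_sectors):
        lines.append("unallocated: sectors %d-%d (%d sectors)" % (lo, hi, hi - lo + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_mbr(), 262144))
```

Extended partitions (types 0x05/0x0F) point at a chain of further boot records this example does not follow, and a 0xEE entry means the real layout is in a GPT header; both are reasons to run a full partition tool as well, but the gaps this report shows are the ones worth carving first.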

Encryption and Forensics

• Many times the evidence will be encrypted. Find a way to decrypt it while preserving its integrity (work on a copy, and record how any key or passphrase was obtained).

• In addition to encryption, coded data and compression may make the forensic work difficult.

• Find a way to overcome compression and the use of codes.

Data Hiding

• There are several techniques by which intruders may hide data:

– Obfuscating data through encryption and compression.

– Hiding data through codes, steganography, name embedding, obscurity, and unnamed or misleadingly named files – Blinding investigators by changing the behavior of system commands and modifying the operating system.

• Use commonly known tools to overcome these, and run them from trusted, known-good binaries rather than the ones on the suspect system.
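Steganography, as listed above, is easiest to understand from a minimal implementation. This is an added example, not from the original slides: it hides a payload in the least significant bit of each sample of a raw 8-bit buffer (a stand-in for a grayscale image), shows how an examiner recovers it by reading the same bit plane back, and shows the property an examiner relies on when a clean copy of the cover is available, namely that no sample differs by more than one. The cover buffer and the length-prefixed layout are assumptions of this example; real tools use their own headers.

```python
def make_cover(n: int = 4096) -> bytes:
    # Constructed stand-in for an 8-bit grayscale image: a smooth gradient with
    # a little texture, so the low bits are not all zero to begin with.
    return bytes(((i * 7) // 16 + (i % 5)) % 256 for i in range(n))


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length followed by the payload, one bit per
    sample, into the least significant bit of each cover sample."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for pos, bit in enumerate(_bits(message)):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(buf: bytes, offset: int, count: int) -> bytes:
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (buf[offset + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(stego: bytes):
    """Recover a payload written by embed_lsb. Returns None when the length
    prefix read from the bit plane cannot fit the buffer, which is what an
    untouched cover normally produces."""
    if len(stego) < 32:
        return None
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if length == 0 or 32 + length * 8 > len(stego):
        return None
    return _read_lsb_bytes(stego, 32, length)


def lsb_changes(cover: bytes, stego: bytes) -> int:
    """Count samples whose LSB differs between a clean cover and a suspect copy.
    Any difference larger than one bit means this is not a pure LSB embedding."""
    if len(cover) != len(stego):
        raise ValueError("buffers differ in length")
    changed = 0
    for a, b in zip(cover, stego):
        if a ^ b > 1:
            raise ValueError("difference is not confined to the LSB")
        changed += a ^ b
    return changed


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, b"client_db.csv")
    print(extract_lsb(stego), lsb_changes(cover, stego), "samples changed")
```

Without a clean copy of the cover the examiner has only the suspect file, and the practical approach is to dump the LSB plane of every image on the system and look for structure (a plausible length prefix, printable text, a file signature) where a natural image should show near-random bits.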

Hostile Code

• Hostile code is any unauthorized code on your computer. It is becoming increasingly significant. • Hostile code falls into two categories: – Manual – tools an intruder operates directly, such as network tools that allow unauthorized access (NetBus, Back Orifice, IRC), "fix" utilities that seamlessly replace legitimate binaries with a hostile version, log manipulators, vulnerability scanners, and DDoS agents. – Autonomous – code that acts on its own, such as viruses (Melissa), time bombs, DDoS agents, and IRC bots.

Forensic Electronic Toolkit

• Computer and network forensics involves and requires: – Identification – Extraction – Preservation – Documentation • A lot of tools are needed for thorough work. • The "forensically sound" method is never to conduct any examination on the original media.

• Before you use any forensic software, make sure you know how to use it and that it works (validate it on data whose contents you already know).

• Tools: – Hard drive – partitioning and viewing (PartInfo and PartitionMagic) – File viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (Quick View Plus, Conversion Plus, DataViz, ThumbsPlus)

More tools (cont.)

• Unerase – if the files are no longer in the recycle bin, or you are dealing with old systems without recycle bins. • CD-R/W – examine them as carefully as possible; use CD-R Diagnostics. • Text – because text data can be huge, use fast scanning tools like dtSearch.

• Other kits: – Forensic Toolkit – command-line utilities used to reconstruct access activity on NT file systems – The Coroner's Toolkit – to investigate a hacked Unix host.

– ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.

– New Technologies Incorporated (NTI) – EnCase – Hardware – Forensic-computers.com

Forensics based on OS Brands

• Investigating – Windows computers – pay attention to the Registry; it contains a wealth of information. – Unix – look at the password files, the shell (and its history files), and the filesystem.
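What "look at the password files" means in practice on a Unix host: an added example, not from the original slides, that parses /etc/passwd and /etc/shadow and flags the account anomalies an intruder typically leaves behind (a second UID 0 account, an empty password, a hash stored in the world-readable passwd file, a service account given an interactive shell). The sample files are constructed; the UID_MIN of 1000 and the set of no-login shells are assumptions that should be checked against /etc/login.defs on the real system.

```python
from collections import defaultdict

UID_MIN = 1000  # assumption: Debian-style boundary between system and regular accounts
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false", ""}


def parse_passwd(text: str) -> list:
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users.append({"user": f[0], "pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                      "gecos": f[4], "home": f[5], "shell": f[6]})
    return users


def parse_shadow(text: str) -> dict:
    """Map user name -> password hash field (empty string means no password)."""
    hashes = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            hashes[f[0]] = f[1]
    return hashes


def audit_accounts(passwd_text: str, shadow_text: str) -> list:
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []

    def flag(user, check, detail):
        findings.append({"user": user, "check": check, "detail": detail})

    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["user"])

    for u in users:
        name = u["user"]
        if u["uid"] == 0 and name != "root":
            flag(name, "uid0", "extra superuser account")
        if len(by_uid[u["uid"]]) > 1:
            others = sorted(set(by_uid[u["uid"]]) - {name})
            flag(name, "duplicate-uid", "uid %d shared with %s" % (u["uid"], others))
        if u["pw"] not in ("x", "*", "!"):
            flag(name, "hash-in-passwd", "password hash in world-readable /etc/passwd")
        if 0 < u["uid"] < UID_MIN and u["shell"] not in NOLOGIN_SHELLS:
            flag(name, "service-shell", "system account with interactive shell %s" % u["shell"])
        h = shadow.get(name)
        if h is None:
            flag(name, "no-shadow-entry", "present in passwd but missing from shadow")
        elif h == "":
            flag(name, "empty-password", "logs in without a password")
    return findings


# Constructed sample files: a planted 'toor' superuser, a legacy hash in passwd,
# and a web service account that has been given a login shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:AbCd1234efgh:1001:1001::/home/guest:/bin/sh
toor:x:0:0::/tmp:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$6$saltsalt$notarealhash:19000:0:99999:7:::
toor::19000:0:99999:7:::
"""


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-10s %-16s %s" % (f["user"], f["check"], f["detail"]))
```

Run it against copies of the files taken from the image, not against the live suspect host, and compare the results with the same files from a known-good build of the same system so that legitimate local conventions are not mistaken for tampering.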

Internet Data Incident Response Guidelines

• Restore service safely

• Estimate the extent and cost of the incident

• Identify the source of the attack and their motivation

• Deter future crime

• Recover losses

• Protect the public image

• Conduct due diligence

• Assume corporate responsibility

• Increase understanding of the security landscape

Roles and Responsibilities

• To facilitate teamwork, the organization's roles must be assigned as follows: – Corporate security and incident team – Security investigator – Emergency response core team – Application owner – Application developer – System owner/administrator – Network administrator – Firewall administrator – Security consultants