Network Forensics (transcript)
An example of a computer crime – VIRTUAL crime that needs computer forensic expertise.
Your company has recently hired a new salesman. Six months after his hire, he leaves your company and forms a competing interest, sending letters to all of your clients. You may think this a bit odd and contact an attorney to consider filing a suit. What has occurred is a virtual theft - the salesman stole a copy of your client database. Note that this is a VIRTUAL theft -- since you were not deprived of any property (he didn't delete it, just copied it) you will likely not be able to prosecute him criminally.
What is Computer Forensics?
• Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
• Arose as a result of the growing problem of computer crimes.
• Computer crimes fall into two categories:
– Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes.
• Investigation into these crimes often involves searching computers suspected to be involved.
– Computer itself is a victim of a crime – this is commonly referred to as incident response.
• It refers to the examination of systems that have been remotely attacked.
• Forensics experts follow clear, well-defined methodologies and procedures.
• Computer forensics started a few years ago, when it was simple to collect evidence from a computer.
• While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.
• Basic forensic methodology consists of:
– Acquire the evidence without altering or damaging the original.
– Authenticate that your recovered evidence is the same as the originally seized data.
– Analyze the data without modifying it.
Acquire the Evidence
• Keep in mind that every case is different.
• Do not disconnect the computers – evidence may exist only in RAM – so collect information from the live system.
• Consider the following issues:
– Handling the evidence – if you do not take care of the evidence, the rest of the investigation will be compromised.
– Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain should answer:
• Who collected it?
• How and where?
• Who took possession of it?
• How was it stored and protected in storage?
• Who took it out of storage and why?
– Collection – you want the evidence to be so pure that it supports your case.
– Identification – methodically identify and label every single item that comes out of the suspect’s/victim’s location.
– Transportation – evidence is not supposed to be moved, so when you move it be extremely careful.
– Storage – keep the evidence in a cool, dry place appropriate for electronic evidence.
– Documenting the investigation – most difficult for computer professionals, because technical people are not good at writing down the details of the procedures.
• Authenticating evidence – it is difficult because:
• Crime scenes change
• Evidence is routinely damaged by environmental conditions
• Computer devices slowly deteriorate
– Keep proof of integrity and timestamp the evidence by hashing the files of data. Two hash algorithms (MD5 and SHA) are in common use today.
• Analysis
– Make two backups
– Use any well-known analysis tools
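The acquire/authenticate steps above (hash the seized data, record who handled it and when, and later prove a working copy is identical) can be scripted. The following is an added example, not code from the transcript or from any tool it names; the file names, the log record layout and the "investigator A" handler are assumptions, and the evidence bytes are constructed.

```python
"""Added example: hash seized evidence, log chain-of-custody entries, and
verify that a working copy still matches.  Sample data is constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest}.  The file is read in chunks so a
    multi-gigabyte disk image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_custody(log, path, action, handler, digests):
    """Append one chain-of-custody entry: who, what, when, and the digests
    that fix the item's content at that moment (record layout is assumed)."""
    log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "item": os.path.basename(path),
        "action": action,
        "handler": handler,
        "digests": digests,
    })


def verify_copy(original_digests, copy_path):
    """True only if every digest recorded at seizure matches the copy."""
    copy_digests = hash_file(copy_path, tuple(original_digests))
    return all(copy_digests[alg] == d for alg, d in original_digests.items())


def demo():
    """Acquire -> authenticate on constructed data.  Returns
    (untouched_copy_ok, altered_copy_ok, custody_log)."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "clients.db")
        with open(original, "wb") as fh:
            fh.write(b"id,name\n1,ACME Corp\n2,Globex\n")  # constructed evidence

        seized = hash_file(original)
        record_custody(log, original, "seized", "investigator A", seized)

        # Analysis happens on a working copy, never on the original.
        good_copy = os.path.join(tmp, "clients.db.copy")
        with open(original, "rb") as src, open(good_copy, "wb") as dst:
            dst.write(src.read())
        record_custody(log, good_copy, "imaged", "investigator A",
                       hash_file(good_copy))

        # A copy altered after seizure (one byte changed) must fail the check.
        bad_copy = os.path.join(tmp, "clients.db.altered")
        with open(bad_copy, "wb") as fh:
            fh.write(b"id,name\n1,ACME Corp\n2,Globey\n")

        return verify_copy(seized, good_copy), verify_copy(seized, bad_copy), log


if __name__ == "__main__":
    ok, tampered, custody_log = demo()
    print("working copy authentic:", ok)        # True
    print("altered copy authentic:", tampered)  # False
    print(json.dumps(custody_log, indent=2))
```

Recording more than one digest (the transcript names MD5 and SHA) means a later challenge to one algorithm does not invalidate the custody record; the verification fails closed if any recorded digest disagrees.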
Tracking the Offender
• Keep in mind that cyber sleuths often have to track their offenders across a digital matrix. Also, digital forensic techniques and tools are largely undeveloped, so you have little to run on.
• Tracing IP addresses
– For HTTP addresses in dotted quad (base 256), use a ping to convert them to decimal (base 10).
– For MAC addresses use the ARP tables (be aware that MAC addresses can be changed by software, and the NIC can be changed/removed/replaced).
– Beware of DNS – it may resolve and query with IP addresses.
– After getting some information, try a traceroute.
• Learn to read an email trail.
• NetBIOS – a Windows protocol that used to run exclusively on LANs (instead of TCP/IP) and now runs on top of TCP/IP to cover WANs; its nbtstat utility can display protocol statistics for all TCP/IP connections.
• Other tracing tools include NeoTrace and NetScan Pro. These can do a trace route.
• Use IDS logs.
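Two of the tracing tasks above, reading an email trail and converting between the dotted-quad and decimal forms of an address, are shown below in an added example that is not part of the transcript. The message is constructed (hosts and addresses are documentation placeholders), and the `trusted_hosts` set is an assumption standing in for the mail servers the investigator controls.

```python
"""Added example: reconstruct the hop path from Received: headers and convert
IPv4 addresses between dotted-quad and base-10 forms.  The message below is
constructed; every host name and address in it is a placeholder."""
import ipaddress
import re
from email import message_from_string

# Constructed message with three hops.  Each relay prepends its own
# Received: header, so the topmost header is the most recent hop.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.victim.example (Postfix) with ESMTP id ABC123
\tfor <sales@victim.example>; Tue, 01 Jan 2019 10:00:05 +0000
Received: from mail.example.org (mail.example.org [203.0.113.45])
\tby relay.example.net with ESMTP id DEF456; Tue, 01 Jan 2019 10:00:02 +0000
Received: from [192.0.2.33] (unknown [192.0.2.33])
\tby mail.example.org with ESMTPA id GHI789; Tue, 01 Jan 2019 09:59:58 +0000
From: someone@example.org
To: sales@victim.example
Subject: Hello

body
"""

# "from <claimed name> (... [ip]) by <receiving host>"; re.S lets the
# pattern span the folded continuation lines.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>[\d.]+)\].*?\bby\s+(?P<by>\S+)", re.S)


def received_hops(raw_message):
    """Return hops in chronological order (origin first)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        m = HOP_RE.search(header)
        if m:
            hops.append({"from": m.group("from"), "ip": m.group("ip"),
                         "by": m.group("by")})
    hops.reverse()  # headers are prepended, so the last parsed is the origin
    return hops


def last_trusted_hop(hops, trusted_hosts):
    """Walk back from final delivery through relays you control.  The hop
    handed to the first of your relays by an outside host is the furthest
    point you can vouch for; anything earlier could have been forged by
    the sender.  Returns that hop, or None if no hop was received by you."""
    last = None
    for hop in reversed(hops):
        if hop["by"] in trusted_hosts:
            last = hop
        else:
            break
    return last


def ip_to_decimal(dotted):
    """'192.0.2.33' -> 3221226017 (base-256 digits to a base-10 integer)."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_ip(number):
    """3221226017 -> '192.0.2.33'."""
    return str(ipaddress.IPv4Address(number))


if __name__ == "__main__":
    path = received_hops(SAMPLE_MESSAGE)
    for i, hop in enumerate(path):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    trusted = last_trusted_hop(path, {"mx.victim.example"})
    print("last verifiable hop:", trusted["ip"])
    print(ip_to_decimal("192.0.2.33"), decimal_to_ip(3221226017))
```

The trust walk is the important part of reading a trail: only the headers added by servers you operate are evidence; the rest are claims made by whoever handed the message over.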
Storage Media
• Hard Drives
– Make an image copy and then restore the image to a freshly wiped hard drive for analysis.
– Remount the copy and start to analyze it.
– Before opening it, get information on its configuration.
– Use tools to generate a report listing the disk’s contents (PartitionMagic).
– View operating system logs.
Encryption and Forensics
• Many times the evidence may be encrypted. Find a way to decrypt it while preserving its integrity.
• In addition to encryption, codes and compression of data may make the forensic work difficult.
• Find a way to overcome data compression and the use of codes.
Data Hiding
• There are several techniques by which intruders may hide data:
– Obfuscating data through encryption and compression.
– Hiding through codes, steganography, name embedding, obscurity and no names on files.
– Blinding investigators by changing the behavior of system commands and modifying operating systems.
• Use commonly known tools to overcome these.
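The "name embedding, obscurity and no names on files" tricks above are cheap to catch because a file's leading bytes do not change with its name. The following added example (not code from the transcript) walks a directory and flags files whose content type, judged from a small constructed table of magic bytes, disagrees with the extension, files with no extension, and hidden dot-files. The sample files are constructed in a temporary directory.

```python
"""Added example: flag files whose content disagrees with their name.
The signature table is a small constructed subset, not a complete list."""
import os
import tempfile

# Leading bytes of a few common formats (constructed table, not exhaustive).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
    b"MZ": "exe",
}
# Extensions that legitimately share a container format with another type.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip",
               "dll": "exe"}


def detect_type(head):
    """Identify a format from its first bytes, or None if unknown."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None


def suspicious_files(root):
    """Return sorted (relative path, [reasons]) for files worth a closer look."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = detect_type(fh.read(16))
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            ext = EXT_ALIASES.get(ext, ext)
            reasons = []
            if name.startswith("."):
                reasons.append("hidden dot-file")
            if not ext:
                reasons.append("no extension")
            if kind and ext and kind != ext:
                reasons.append(f"content is {kind} but extension says {ext}")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Build constructed sample files and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,    # honest JPEG
            "notes.txt": b"PK\x03\x04" + b"\x00" * 8,         # archive named as text
            "report.pdf": b"%PDF-1.4\n",                       # honest PDF
            ".cache": b"MZ\x90\x00" + b"\x00" * 8,             # executable as dot-file
            "data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,        # image with no name
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return suspicious_files(tmp)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(rel_path, "->", "; ".join(reasons))
```

Honest files (`photo.jpg`, `report.pdf`) produce no finding; the three disguised ones do. A real scan would use a fuller signature library, but the check itself, compare bytes to name, is the same.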
Hostile Code
• Any unauthorized code on your computer. It is becoming increasingly significant.
• Hostile code falls into two categories:
– Manual – like network tools that allow unauthorized access (NetBus, BackOrifice, IRC), fix utilities that seamlessly replace legitimate binary code with a hostile version, log manipulators, vulnerability scanners, DDoS.
– Autonomous – viruses (Melissa, time bombs), DDoS, and IRC bots.
Forensic Electronic Toolkit
• Computer and network forensics involves and requires:
– Identification
– Extraction
– Preservation
– Documentation
• A lot of tools are needed for thorough work.
• The “forensically sound” method is never to conduct any examination on the original media.
• Before you use any forensic software, make sure you know how to use it, and also that it works.
• Tools:
– Hard drive – use partitioning and viewing tools (PartInfo and PartitionMagic).
– File viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (QuickView Plus, Conversion Plus, DataViz, ThumbsPlus).
More tools (cont.)
• Unerase – if the files are no longer in the recycle bin, or you are dealing with old systems without recycle bins.
• CD-R/W – examine them as carefully as possible. Use CD-R Diagnostics.
• Text – because text data can be huge, use fast scanning tools like dtSearch.
• Other kits:
– Forensic Toolkit – command-line utilities used to reconstruct access activities in NT file systems.
– The Coroner's Toolkit – to investigate a hacked Unix host.
– ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.
– New Technologies Incorporated (NTI)
– EnCase
– Hardware – Forensic-computers.com
Forensics based on OS Brands
• Investigating
– Windows computers – pay attention to the Registry. It contains a wealth of information.
– Unix – take a look at the password files, the shell, and the filesystem.
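For the Unix half of the point above, here is an added example (not from the transcript) of the checks an investigator runs over a password file: accounts other than root with UID 0, empty password fields, and low-UID service accounts that have an interactive shell. The passwd content is constructed, and the UID boundary and shell list are assumptions that vary by distribution.

```python
"""Added example: audit an /etc/passwd-style file for common tampering
indicators.  SAMPLE_PASSWD is constructed, not taken from any real host."""
import io

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor::0:0:maintenance:/:/bin/sh
"""

# Assumptions: shells an attacker would log in with, and the conventional
# boundary below which accounts are system/service accounts.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh",
                      "/usr/bin/bash", "/usr/bin/zsh"}
SYSTEM_UID_MAX = 999


def parse_passwd(text):
    """Parse the seven colon-separated fields; malformed lines are kept as
    findings rather than dropped, since a broken line is itself of interest."""
    entries = []
    for lineno, line in enumerate(io.StringIO(text), 1):
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": line, "error": f"malformed line {lineno}"})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append({"name": name, "password": pw, "uid": int(uid),
                            "gid": int(gid), "gecos": gecos, "home": home,
                            "shell": shell})
        except ValueError:
            entries.append({"name": name, "error": f"non-numeric id on line {lineno}"})
    return entries


def audit_passwd(text):
    """Return (account, reason) pairs for every suspicious entry."""
    findings = []
    for e in parse_passwd(text):
        if "error" in e:
            findings.append((e["name"], e["error"]))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 account other than root"))
        if e["password"] == "":
            findings.append((e["name"], "empty password field (no password required)"))
        if (e["uid"] <= SYSTEM_UID_MAX and e["name"] != "root"
                and e["shell"] in INTERACTIVE_SHELLS):
            findings.append((e["name"],
                             f"system account with interactive shell {e['shell']}"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

On the constructed sample the `toor` line trips all three checks and `backup` trips the shell check. On a real host the same pass is repeated over `/etc/shadow` (password hashes and ageing fields) and `/etc/group`, and the files' modification times are compared against the incident timeline.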
Internet Data Incident Response Guidelines
• Restore service safely
• Estimate extent and cost of incident
• Identify source of attack and their motivation
• Deter future crime
• Recover loss
• Protect public image
• Conduct due diligence
• Assume corporate responsibility
• Increase understanding of security landscape
Roles and Responsibilities
• To facilitate teamwork, the organization’s roles must be assigned as follows:
– Corporate security and incident team
– Security investigator
– Emergency response core team
– Application owner
– Application developer
– System owner/administrator
– Network administrator
– Firewall administrator
– Security consultants