Chapter 14: Computer and Network Forensics Guide to Computer Network Security Computer Forensics Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of.
Download
Report
Transcript Chapter 14: Computer and Network Forensics Guide to Computer Network Security Computer Forensics Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of.
Chapter 14: Computer and
Network Forensics
Guide to Computer Network Security
Computer Forensics
Computer forensics involves the preservation, identification,
extraction, documentation, and interpretation of computer
media for evidentiary and/or root cause analysis.
Arose as a result of the growing problem of computer
crimes.
Computer crimes fall into two categories:
– Computer is a tool used in a crime – because of the role of
computers and networks in modern communications, it is
inevitable that computers are used in crimes.
Investigation into these crimes often involves searching computers
suspected to be involved.
– Computer itself is a victim of a crime – this commonly referred
to as incident response.
It refers to the examination of systems that have been remotely
attacked.
Forensics experts follow clear, well-defined mythologies and
procedures
Kizza - Guide to Computer Network
Security
2
History Of Computer Forensics
– Computer forensics started a few years
ago- when it was simple to collect
evidence from a computer.
– While basic forensic methodologies
remain the same, technology itself is
rapidly changing – a challenge to
forensic specialists.
Kizza - Guide to Computer Network
Security
3
Basic forensic methodology consists
of:
– Acquire the evidence without altering or
damaging the original
Look for evidence
Recover evidence
Handle evidence with care
Preserve evidence
– Authenticate that your recovered
evidence is the same as the originally
seized data
– Analyze the data without modifying it.
Kizza - Guide to Computer Network
Security
4
Acquire the Evidence
Keep in mind that every case is different
Do not disconnect the computers – evidence may be only in RAM
– So collect information from a live system.
Consider the following issues:
– Handling the evidence- if you do not take care of the evidence,
the rest of the investigation will be compromised.
– Chain of custody – the goal of maintaining a good chain of
custody to ensure evidence integrity, prevent tempering with
evidence. The chain should be answers to:
Who collected it
How and where
Who took possession of it
how was it stored and protected in storage
Who took it out of storage and why?
Kizza - Guide to Computer Network
Security
5
Storage Media
Hard Drives
– Make an image copy and then restore
the image to a freshly wiped hard drive
for analysis
– Remount the copy and start to analyze
it.
– Before opening it get information on its
configuration
– Use tools to generate a report of lists of
the disk’s contents ( PartitionMagic)
– View operating system logs.
Kizza - Guide to Computer Network
Security
6
Handle Evidence With Care
– Collection
You want the evidence to be so pure that it supports your
case.
– Identification
Methodically identify every single item that comes out of
the suspect’s/victim’s location and labeled.
– Transportation
Evidence is not supposed to be moved so when you move it
be extremely careful.
– Storage
Keep the evidence in a cool, dry, and appropriate place for
electronic evidence.
– Documenting the investigation
Most difficult for computer professionals because technical
people are not good at writing down details of the
procedures.
Kizza - Guide to Computer Network
Security
7
Authenticating evidence
Authenticating evidence is difficult
because:
– Crime scenes change
– Evidence is routinely damaged by
environmental conditions
– Computer devices slowly deteriorate
Keep proof of integrity and timestamp the
evidence through encryption of files of
data
– Two algorithms (MD5 and SHA-1) are in
common use today
Kizza - Guide to Computer Network
Security
8
Analysis
Use any well known analysis tools.
Make two backups
Kizza - Guide to Computer Network
Security
9
Data Hiding
There are several techniques that
intruders may hide data.
– Obfuscating data through encryption
and compression.
– Hiding through codes, steganoraphy,
deleted files, slack space, and bad
sectors.
– Blinding investigators through changing
behavior of system commands and
modifying operating systems.
Use commonly known tools to
overcome
Kizza - Guide to Computer Network
Security
10
Network Forensics
Unlike computer forensics that retrieves information from the
computer’s disks, network forensics, in addition retrieves
information on which network ports were used to access the
network.
There are several differences that separate the two including the
following:
– Unlike computer forensics where the investigator and the person
being investigated, in many cases the criminal, are on two different
levels with the investigator supposedly on a higher level of knowledge
of the system, the network investigator and the adversary are at the
same skills level.
– In many cases, the investigator and the adversary use the same tools:
one to cause the incident, the other to investigate the incident. In fact
many of the network security tools on the market today, including
NetScanTools Pro, Tracroute, and Port Probe used to gain information
on the network configurations, can be used by both the investigator
and the criminal.
– While computer forensics, deals with the extraction, preservation,
identification, documentation, and analysis, and it still follows welldefined procedures springing from law enforcement for acquiring,
providing chain-of-custody, authenticating, and interpretation,
network forensics on the other hand has nothing to investigate unless
steps were in place ( like packet filters, firewalls, and intrusion
detection systems) prior to the incident.
Kizza - Guide to Computer Network
Security
11
Network Forensics Intrusion
Analysis
Network intrusions can be difficult to detect let
alone analyze. A port scan can take place without
a quick detection, and more seriously a stealthy
attack to a crucial system resource may be
hidden by a simple innocent port scan.
So the purpose of intrusion analysis is to seek
answers to the following questions:
– Who gained entry?
– Where did they go?
– How did they do it?
Kizza - Guide to Computer Network
Security
12
Damage Analysis
It is difficult to effectively assess
damage caused by system attacks.
It provides a trove of badly needed
information showing how widespread
the damage was, who was affected
and to what extent.
Kizza - Guide to Computer Network
Security
13
To achieve a detailed report of an intrusion
detection, the investigator must carry out
a post mortem of the system by analyzing
and examining the following:
– System registry, memory, and caches. To
achieve this, the investogator can use dd for
Linux and Unx sytems.
– Network state to access computer networks
accesses and connections. Here Netstat can be
used.
– Current running processes to access the
number of active processes. Use ps for both
Unix and Linux.
– Data acquisition of all unencrypted data. This
can be done using MD5 and SHA-1 on all files
and directories. Then store this data in a
secure place.
Kizza - Guide to Computer Network
Security
14
Forensic Electronic Toolkit
Computer and network forensics involves and requires:
–
–
–
–
Identification
Extraction
Preservation
Documentation
A lot of tools are needed for a thorough work
The “forensically sound “ method is never to conduct any
examination on the original media.
Before you use any forensic software, make sure you know
how to use it, and also that it works.
Tools:
– Hard Drive - use partitioning and viewing ( Partinfo and
PartitionMagic)
– File Viewers – to thumb through stacks of data and images
looking for incriminating or relevant evidence (Qiuckview Plus,
Conversion Plus, DataViz, ThumnsPlus)
Kizza - Guide to Computer Network
Security
15
More tools (cont.)
Unerase – if the files are no longer in the recycle bin or you are
dealing with old systems without recycle bins.
CD-R/W – examine them as carefully as possible. Use CD-R
Diagnostics
Text – because text data can be huge, use fast scans tools like
dtSearch.
Other kits:
– Forensic toolkit – command-line utilities used to reconstruct
access activities in NT File systems
– Coroner toolkit - to investigate a hacked Unix host.
– ForensiX – an all-purpose set of data collection and analysis
tools that run primarily on Linux.
– New Technologies Incorporated (NTI)
– EnCase
– Hardware- Forensic-computers.com
Kizza - Guide to Computer Network
Security
16