Topics in Privacy, Security, Internal Audit and Forensics

The Forensics Process
Focus on Internal and Civil Lawsuit Investigations

Types of Investigations: Internal
- Fastest and most covert investigation
- Company owns the resources that are the target
- No need for subpoenas and discovery orders
- Examiner can conduct expediently with full access to relevant data
- Suspect is typically an active employee
- Secrecy is a must
- Technical process is similar to a civil examiner's, and the case may ultimately go to civil court
- Popularity: 8, Simplicity: 6, Impact: 6, Risk Rating: 7

Types of Investigations: Civil
- Similar to internal investigation
- An opposing firm owns the resources that are the target
- There is need for subpoenas and discovery orders (expensive, problematic)
- Examiner may not have full access to relevant data
- The investigation lives or dies based on what happens in court
- Involves dispute between two companies
- Secrecy is mainly from media
- Technical process is similar to an internal investigation
- Popularity: 10, Simplicity: 8, Impact: 7, Risk Rating: 8

Types of Investigations: Criminal
- High stakes, risky investigation
- Suspect's livelihood is on the line
- Accuracy is paramount
- Any problems are likely to show up in the media (e.g., the 6 o'clock news)
- Case may go on for months or years, with much rework of evidence
- Technical process is difficult
- Investigators must be good and credible
- If you don't have the proper credentials, don't try this
- Popularity: 8, Simplicity: 10, Impact: 10, Risk Rating: 10

Role of the Investigator: What Is Involved in Computer Forensics
- Collecting evidence: whatever is needed for the chain of inference
- Cross-validation of findings
- Proper evidence handling
- Completeness of investigation
- Management of archives
- Technical competency (especially with computer / network technology)
- Explicit definition and justification for the process (inference line)
- Legal compliance and knowledge
- Flexibility

Steps in Processing Evidence
- Assessment
- Acquisition
- Authentication
- Analysis
- Articulation
- Archival

Inference Network Analysis
- Legal cases are proved through inferences
- These inferences, built in chains, must lead logically from point A to point B
- The strength (or weakness) of these inferences determines the strength of the legal case
- Evidence -> Inference -> Proof

Chain of Inferences
- Processing of evidence is directed towards building, step by step, the inferential chain between the Perpetrator and the Asset
- This may also involve identifying a perpetrator, and identifying specifically the breach of security involving the asset
- (Diagram: Alleged or Candidate Perpetrator -> Line of Inference Connecting Perpetrator to Asset, supported by Evidence -> Asset)

Some Key Concepts in Controls (and why, as auditors, we look where we do)

Control Process
- Internal controls are processes and subsystems that assure that processing and output of an accounting system is running 'within specification'
- Internal controls appear at three points in a transaction processing cycle:
  - Preventive controls anticipate problems and prevent them from occurring
  - Detective controls identify problems that have occurred
  - Corrective controls are subsystems of the correction process that assure that errors detected are corrected properly, because if an error is made once, it is likely to be made twice, and even more times
Identifying Whether Asset Users Are or Are Not Authorized
- Detection of authorization is perhaps the most common and fundamental of all control processes
- As preventive controls, they prevent a potential accessor from any access unless they are properly identified by the system
- As detective controls, they assure an audit trail of all activity by an identified user
- As corrective controls, they identify who to go after in an investigation

Passwords for Authorization
- Passwords have traditionally been the most commonly used tool for identifying a user to a computer system (though they may soon be overtaken by biometric tools)
- Through hashing and public key systems, they allow signatures and fingerprints to be left on information assets by the password holder
- Through encryption systems, they allow the password holder to read and use information assets
- Through access systems, they allow the password holder free access to the information assets

Evidence of Access: Why Passwords Are Important
- One of the main pieces of evidence supporting any inferential link is the record of accesses (with a password) to an asset, since access authorization is controlled through who has a password
- Password control is the first place we tend to look for evidence, and is also the first thing that is controlled in authorization and logging systems
- ... Let's look at passwords and encryption more closely

Hash Function
- A hash function provides a way of creating a small digital "fingerprint" from any kind of data
- The function chops and mixes (i.e., substitutes or transposes) the data to create the fingerprint
- The fingerprint (formally "hash value") is commonly represented in hexadecimal notation
- A good hash function is one that yields few hash collisions in expected input domains
- In hash tables and data processing, collisions inhibit the distinguishing of data, making records more costly to find
- (Figure: input data -> hash function -> what you get)

Hash Function (cryptographic)
- A cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable
- A cryptographic hash function is considered insecure if either of the following is computationally feasible:
  - finding a (previously unseen) message that matches a given digest
  - finding "collisions", wherein two different messages have the same message digest
- An attacker who can do either of these things might, for example, use them to substitute an unauthorized message for an authorized one
- Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor would one want an attacker to be able to learn anything useful about a message given only its digest besides the digest itself

Common Commercial Hash Algorithms
(Note: The SHA hash functions are a series of functions developed by the NSA: SHA, also known as SHA-0, SHA-1, and four flavors of a function known as SHA-2.)

Algorithm              | Output size         | Internal state size | Block size | Length size | Word size | Collision
-----------------------|---------------------|---------------------|------------|-------------|-----------|-----------
HAVAL                  | 256/224/192/160/128 | 256                 | 1024       | 64          | 32        | Yes
MD2                    | 128                 | 384                 | 128        | No          | 8         | Almost
MD4                    | 128                 | 128                 | 512        | 64          | 32        | Yes
MD5                    | 128                 | 128                 | 512        | 64          | 32        | Yes
PANAMA                 | 256                 | 8736                | 256        | No          | 32        | With flaws
RIPEMD                 | 128                 | 128                 | 512        | 64          | 32        | Yes
RIPEMD-128/256         | 128/256             | 128/256             | 512        | 64          | 32        | No
RIPEMD-160/320         | 160/320             | 160/320             | 512        | 64          | 32        | No
SHA-0                  | 160                 | 160                 | 512        | 64          | 32        | Yes
SHA-1                  | 160                 | 160                 | 512        | 64          | 32        | With flaws
SHA-256/224            | 256/224             | 256                 | 512        | 64          | 32        | No
SHA-512/384            | 512/384             | 512                 | 1024       | 128         | 64        | No
Tiger(2)-192/160/128   | 192/160/128         | 192                 | 512        | 64          | 64        | No
VEST-4/8 (hash mode)   | 160/256             | 176/304             | 8          | 80          | 1         | No
VEST-16/32 (hash mode) | 320/512             | 424/680             | 8          | 88          | 1         | No
WHIRLPOOL              | 512                 | 512                 | 512        | 256         | 8         | No
(All sizes in bits.)

Password Attacks
- Passwords are the main identifier for establishing authorization for a task or access to an information asset
- Password attacks are the main way of breaching computer security to commit a crime

Cracking
- Recovering secret passwords from data that has been stored in or transmitted by a computer system
- A common approach is to repeatedly try guesses for the password
- The purpose of password cracking might be:
  - To help a user recover a forgotten password (though installing an entirely new password is less of a security risk, it involves system administration privileges)
  - To gain unauthorized access to a system, or
  - As a preventive measure by system administrators to check for easily crackable passwords

Cracks: Principal Attack Methods (Weak Encryption)
- If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords
- Decryption need not be a quick operation, and can be conducted while not connected to the target system
- Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack
- The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well-chosen passwords)

Cracks: Principal Attack Methods (Guessing)
- Many users choose weak passwords, usually one related to themselves in some way
- Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs
- Examples of insecure choices include:
  - blank (none)
  - the word "password", "passcode", "admin" and their derivatives
  - the user's name or login name
  - the name of their significant other or another relative
  - their birthplace or date of birth
  - a pet's name
  - automobile license plate number
  - a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
  - a row of letters from a standard keyboard layout (e.g., on the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)

Guessing
- Some users even neglect to change the default password that came with their account on the computer system, and some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier
- A famous example is the use of FieldService as a user name with Guest as the password
- If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password, and such service accounts often have higher access privileges than a normal user account
- The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information

Cracks: Principal Attack Methods (Dictionary Attack)
- Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
  - words in various languages
  - names of people
  - places
  - commonly used passwords

Dictionary Attack
- The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password
- This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second
- Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems
Cracks: Principal Attack Methods (Brute Force Attack)
- A last resort is to try every possible password, known as a brute force attack
- In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords
- This method is unlikely to be practical unless the password is relatively small
- But with expanding computing power, and the possibility of massively parallel systems with cheap desktops, 'small' is not that small any more

Precomputation
- Precomputation involves hashing each word in the dictionary or any search space of candidate passwords and storing the <plaintext, ciphertext> pairs in a way that enables lookup on the ciphertext field
- This way, when a new encrypted password is obtained, password recovery is instantaneous
- There exist advanced precomputation methods that are even more effective: by applying a time-memory tradeoff, a middle ground can be reached in which a search space of size N is turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3))
- The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes

Salting (a remedy)
- The benefits of precomputation and memoization can be nullified by randomizing the hashing process; this is known as salting
- When the user sets a password, a short string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification
- Since the salt is different for each user, the attacker can no longer use a single encrypted version of each candidate password
- If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted password record for that user

Programs for Password Cracking: John the Ripper
- John the Ripper is password cracking software
- Initially developed for the UNIX operating system, it currently runs on fifteen different platforms
- It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker
- The encrypted password formats which it can be run against include various DES formats, MD4, MD5, Kerberos AFS, and Windows LM hash
- Additional modules have extended its ability to include passwords stored in LDAP, MySQL and others
- John is designed to discover weak passwords from the encrypted information in system files
- It operates by taking text strings (usually from a file containing words found in a dictionary), encrypting them in the same format as the password being examined, and comparing the output to the encrypted string
- It also offers a brute force mode

Programs for Password Cracking: L0phtCrack
- L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by L0pht Heavy Industries (later produced by @stake and now by Symantec, which acquired @stake in 2004)
- It is used to test password strength and to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks
- It is one of the crackers' tools of choice

Ways of Obtaining Passwords Illicitly (Without Cracking)
- Social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, identity management system attacks, and compromising host security

Social Engineering
- The most common and effective way of illicitly obtaining passwords
- A collection of techniques used to manipulate people into performing actions or divulging confidential information
- While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access, and in most (but not all) cases the attacker never comes face-to-face with the victim
- Computer criminal and security consultant Kevin Mitnick points out that it's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in; he claims it to be the single most effective method in his arsenal

Social Engineering: Pretexting
- The act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action
- It is usually done over the telephone
- It's more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g., for impersonation: birthday, Social Security Number, last bill amount) to establish legitimacy in the mind of the target

Social Engineering: Phishing
- Phishing applies to email appearing to come from a legitimate business (e.g., a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not done
- The letter usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN
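As an added illustration of the Precomputation and Salting slides above (this code is not from the deck), the Python below builds a lookup table over a tiny constructed word list, shows that it recovers an unsalted hash with a single lookup and no hashing, and shows that a per-user random salt stored beside the hash, as the Salting slide describes, makes the table useless and forces the work to be redone per user. It uses SHA-256 from hashlib rather than the MD5 the slide mentions; the word list, record format and function names are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a cracker's "dictionary" (a real one has millions of entries).
WORDLIST = ["password", "qwerty", "letmein", "admin", "admin1", "sunshine"]


def unsalted_hash(password: str) -> str:
    """The weak scheme precomputation targets: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precomputation: hash every candidate once, indexed on the hash so lookup is O(1)."""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instantaneous recovery: one table lookup, no hashing at all."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Salting: the salt is suffixed to the password before hashing, as the slide describes."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def set_password(password: str) -> Tuple[bytes, str]:
    """Create the stored record for a user: (salt, hash). The salt is random per user."""
    salt = os.urandom(16)  # 128-bit salt; long enough that two users will not share one
    return salt, salted_hash(password, salt)


def verify(password: str, record: Tuple[bytes, str]) -> bool:
    """Verification reuses the stored salt; compare_digest avoids a timing side channel."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)


def salted_dictionary_search(record: Tuple[bytes, str],
                             words: Iterable[str]) -> Tuple[Optional[str], int]:
    """With a salt the table is useless: each guess must be re-hashed with this user's
    salt, and only after this user's record is in hand. Returns (match, hash ops spent)."""
    salt, stored = record
    ops = 0
    for w in words:
        ops += 1
        if hmac.compare_digest(salted_hash(w, salt), stored):
            return w, ops
    return None, ops
```

Two users who choose the same password get different stored hashes, which is exactly why one precomputed table cannot serve both.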
Social Engineering: Trojan Horse / Gimmes
- Gimmes take advantage of curiosity or greed to deliver malware
- Also known as a Trojan Horse, gimmes can arrive as an email attachment promising anything from a cool or sexy screen saver, an important anti-virus or system upgrade, or even the latest dirt on an employee
- The recipient is expected to give in to the need to see the program and open the attachment
- In addition, many users will blindly click on any attachments they receive that seem even mildly legitimate

Social Engineering: Quid pro Quo
- Something for something
- An attacker calls random numbers at a company claiming to be calling back from technical support
- Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them
- The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access and/or launch malware

Keystroke Logging (Keylogging)
- A diagnostic hardware device (see right) used in software development that captures the user's keystrokes
- It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks
- Such systems are also highly useful for law enforcement and espionage, for instance providing a means to obtain passwords or encryption keys and thus bypassing other security measures
- Keyloggers are widely available on the internet and can be used by anyone for the same purposes
Wiretapping
- Monitoring of telephone and Internet conversations by a third party, often by covert means
- The telephone tap or wire tap received its name (telephone tapping; wire tapping) because historically the monitoring connection was applied to the wires of the telephone line of the person who was being monitored and drew off or tapped a small amount of the electrical signal carrying the conversation
- Illegal in most countries without a court order

Login Spoofing
- Technique used to obtain a user's password
- The user is presented with an ordinary-looking login prompt for username and password, which is actually a malicious program under the control of the attacker
- When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security

Dumpster Diving
- Also called dumpstering, binning, trashing, garbing, or garbage gleaning; in the UK, binning or skipping
- Rummaging through commercial or residential trash to find useful free items that have been discarded
- The term originates from the fanciful image of someone leaping into large rubbish bins
- Files, letters, memos, photographs, IDs, passwords, credit cards and more can be found in dumpsters
- This is a result of the fact that many people never consider that sensitive items they throw in the trash may be recovered
- Such information, when recovered, is sometimes usable for fraudulent purposes like "identity theft"

Shoulder Surfing
- A direct observation technique for acquiring sensitive data, such as looking over someone's shoulder to get information
- Shoulder surfing is particularly effective in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter their PIN at an automated teller machine, use a calling card at a public pay phone, or enter passwords at a cybercafe, public and university libraries, or airport kiosks
- Shoulder surfing can also be done at a distance with the aid of binoculars or other vision-enhancing devices
- Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry
- To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand

Timing Attack
- A side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms
- The attack exploits the fact that every operation in a computer takes time to execute; information can leak from a system through measurement of the time it takes to respond to certain queries
- How much such information can help an attacker depends on many variables: cryptosystem design, the CPU running the system, the algorithms used, assorted implementation details, timing attack countermeasures, the accuracy of the timing measurements, etc.
- Timing attacks are generally overlooked in the design phase of security algorithms because they are so dependent on the implementation

Acoustic Cryptanalysis
- A side channel attack which exploits sounds, audible or not, produced during a computation or input-output operation
- In 2004, Dmitri Asonov and Rakesh Agrawal of the IBM Almaden Research Center announced that computer keyboards and keypads used on telephones and automated teller machines (ATMs) are vulnerable to attacks based on differentiating the sound produced by different keys
- Their attack employed a neural network to recognize the key being pressed; by analyzing recorded sounds, they were able to recover the text of data being entered
- These techniques allow an attacker using covert listening devices to obtain passwords, passphrases, personal identification numbers (PINs) and other security information

Identity Management System Attacks
- Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call
- Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a password notification e-mail or, less often, by providing a biometric sample
- Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided
- Social engineering attacks can occur where an intruder calls the help desk, pretends to be the intended victim user, claims that he has forgotten his password, and asks for a new password
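As an added illustration of the Timing Attack slide above (this code is not from the deck), the Python below contrasts a password or token comparison that stops at the first mismatching byte with a constant-time comparison that always examines every byte. Because wall-clock timing is noisy in a short demo, each function also returns the number of bytes it examined as a deterministic stand-in for elapsed time; the secret, the guesses and the function names are constructed for the example.

```python
import hmac
from typing import Callable, List, Tuple


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, as many hand-written checks do it.
    Returns (equal, bytes_examined); the count stands in for elapsed time and
    grows with the length of the prefix the guess gets right."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined  # leaks the position of the first mismatch
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Examines every byte whatever the input, so the count (and the time) does
    not depend on where the first mismatch is. Length is treated as public here,
    as it is when comparing fixed-length digests or tokens."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b  # accumulate differences without branching on them
    return diff == 0, examined


def leak_profile(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                 secret: bytes, guesses: List[bytes]) -> List[int]:
    """What a timing observer would see: the work done for each guess."""
    return [compare(secret, g)[1] for g in guesses]


def library_check(secret: bytes, guess: bytes) -> bool:
    """What to use in practice: the standard library's constant-time comparison."""
    return hmac.compare_digest(secret, guess)


# Constructed secret and guesses that get progressively more of the prefix right.
SECRET = b"s3cr3tkey"
GUESSES = [b"x3cr3tkey", b"s3xr3tkey", b"s3cr3tkex", b"s3cr3tkey"]
```

Against the naive check the work profile rises with each correctly guessed prefix byte, which is the signal a timing attacker reads; against the constant-time check it is flat.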