Basics of IT Security

advertisement
BlackHat Briefings
July 12 2001
Computer Forensics: A
Critical Process in Your
Incident Response Plan
Version 2.0
Gregory S. Miles,
Ph.D.
•
•
•
•
•
Director – JAWZ Cyber Crime Unit
COO – Security Horizon Inc.
Information Technology – 14 Years
Information Security – 10 Years
e-mail: gmiles@jawzinc.com
gmiles@securityhorizon.com
• Web:
www.jawzinc.com
www.securityhorizon.com
Version 2.0
Agenda
• Incident Response Overview
• Computer Forensics Defined
• Contemporary Issues in Computer
Forensics
• Forensic Process
• Forensic Tools
• Forensic Problems
• The Future of Computer Forensics
Version 2.0
Incident Response
Version 2.0
4
Incident Response –
Why is it Critical?
• Resolve the problem
– Find out what happened
– How it happened
– Who did it
• Create a record of the incident for
later use
• Create a record to observe trends
• Create a record to improve
processes
• Avoid confusion
Version 2.0
Elements of Incident
Response
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-up
Version 2.0
Preparation
Without adequate preparation, it is
extremely likely that response efforts
to an incident will be disorganized
and that there will be considerable
confusion among personnel.
Preparation limits the potential for
damage by ensuring response
actions are known and coordinated.
Version 2.0
Identification
The process of determining whether or
not an incident has occurred and the
nature of an incident. Identification
may occur through the use of
automated network intrusion
equipment or by a user or SA.
Version 2.0
Identification is a difficult process.
Noticing the symptoms of an
incident is often difficult. There are
many false positives. However,
noticing an anomaly should drive the
observer to investigate further.
Who can identify an
Incident
• Users – My system is slow, my
mail is missing, my files have
changed
• System support personnel –
servers locked up, files missing,
accounts add/deleted, weird stuff
happening , anomalies in the logs
• Intrusion Detection Systems and
Firewalls – Automatically ID
violations to policies
Version 2.0
Possible Incident
Classifications
• Unauthorized Privileged (root) Access –
Access gained to a system and the use of
root privileges without authorization.
• Unauthorized Limited (user) Access –
Access gained to a system and the use of
user privileges without authorization.
• Unauthorized Unsuccessful Attempted
Access – Repeated attempt to gain access
as root or user on the same host, service, or
system with a certain number of
connections from the same source.
Version 2.0
10
Possible Incident
Classifications (cont.)
• Unauthorized Probe – Any attempt to
gather information about a system or user
on-line by scanning a site and accessing
ports through operating system
vulnerabilities.
• Poor Security Practices – Bad passwords,
direct privileged logins, etc, which are
collected from network monitor systems.
• Denial of Service (DOS) Attacks – Any
action that preempts or degrades
performance of a system or network
affecting the mission, business, or
function of an organization.
Version 2.0
11
Possible Incident
Classifications (cont.)
• Malicious Logic – Self-replicating
software that is viral in nature; is
disseminated by attaching to or
mimicking authorized computer
system files; or acts as a trojan
horse, worm, malicious scripting, or a
logic bomb. Usually hidden and
some may replicate. Effects can
range from simple monitoring of
traffic to complicated automated
backdoor with full system rights.
Version 2.0
12
Possible Incident
Classifications (cont.)
• Hardware/Software Failure – Nonmalicious failure of HW or SW assets.
• Infrastructure Failure – Non-malicious
failure of supporting infrastructure to
include power failure, natural
disasters, forced evacuation, and
service providers failure to deliver
services.
• Unauthorized Utilization of Services –
This can include game play, relaying
mail without approval, creating dial-up
access, use organizational equipment
for personal gain, and personal
servers on the network.
Version 2.0
13
Containment
The process of limiting the scope and
magnitude of an incident.
As soon as it is recognized that an
incident has occurred or is occurring,
steps should immediately be taken to
contain the incident.
Version 2.0
14
Containment - Example
• Incidents involving using malicious
code are common, and since
malicious code incidents can spread
rapidly, massive destruction and
compromise of information is
possible.
• It is not uncommon to find every
workstation connected to a LAN
infected when there is a virus
outbreak.
Version 2.0
– Internet Worm of 1988 attacked 6,000
computers in the U.S. in one day.
– LoveBug Virus affected over 10Million
computers with damage estimated
between $2.5B-$10B US
– Kournikova worm affects still being
analyzed
15
Eradication
• The process of removing the cause of
the incident.
– For a virus – anti-virus software is best
– For a network may involve block/filter IP
address at the router/firewall
– Ideally, but difficult, best eradicated by
bringing the perpetrators into legal
custody and convicting them in a court of
law.
Version 2.0
16
Recovery
• The process of restoring a system
to its normal operating status
– Unsuccessful incidents – assure
system operation and data not
affected
– Complex and/or successful incidents –
May require complete restoration from
known clean system backups.
Essential to assure the backups
integrity and to verify restore
operation was successful
Version 2.0
17
Follow-Up
• Critical
• Helps to improve incident handling
procedures
• Address efforts to prosecute
perpetrators
• Activities Include:
–
–
–
–
Version 2.0
Analyze the Incident and the Response
Analyze the Cost of the Incident
Prepare a Report
Revise Policies and Procedures
18
Computer Forensics
Version 2.0
19
What is Computer
Forensics?
Computer Forensics can be
defined simply, as a process of
applying scientific and analytical
techniques to computer Operating
Systems and File Structures in
determining the potential for
Legal Evidence.
Version 2.0
20
Why is Evidence important?
• In the legal world, Evidence is
EVERYTHING.
• Evidence is used to establish
facts.
• The Forensic Examiner is not
biased.
Version 2.0
21
Who needs Computer
Forensics?
• The Victim!
• Law Enforcement
• Insurance Carriers
• Ultimately the Legal System
Version 2.0
22
Who are the Victims?
•Private Business
•Government
•Private Individuals
Version 2.0
23
Version 2.0
24
Version 2.0
25
Version 2.0
26
Reasons for a Forensic
Analysis
• ID the perpetrator.
• ID the method/vulnerability of the
network that allowed the
perpetrator to gain access into the
system.
• Conduct a damage assessment of
the victimized network.
• Preserve the Evidence for Judicial
action.
Version 2.0
27
Types of Computer Forensics
•
•
•
•
•
Version 2.0
Disk Forensics
Network Forensics
E-mail Forensics
Internet (Web) Forensics
Source Code Forensics
Disk Forensics
• Disk forensics is the process
of acquiring and analyzing the
data stored on some form of
physical storage media.
– Includes the recovery of hidden
and deleted data.
– Includes file identification,
which is the process used to
identify who created a particular
file or message.
• Melissa Virus
Version 2.0
29
Network Forensics
• Network forensics is the
process of examining network
traffic. It includes:
– After the fact analysis of
transaction logs
– Real-time analysis via network
monitoring
• Sniffers
• Real-time tracing
Version 2.0
30
E-mail Forensics
• E-mail forensics is the study of
source and content of electronic
mail as evidence.
– It includes the process of identifying
the actual sender and recipient of a
message, the date and time it was
sent, and where it was sent from.
– E-mail has turned out to be the
Achilles Heal for many individuals
and organizations.
– Many time issues of sexual
harassment, racial and religious
prejudice, or unauthorized activity are
tied to e-mail.
Version 2.0
31
Internet Forensics
• Internet or Web forensics is the
process of piecing together
where and when a user has been
on the Internet.
– For example, it is used to determine
whether the download of
pornography was accidental or not.
Version 2.0
32
Source Code Forensics
• Source code forensics is used
to determine software
ownership or software liability
issues.
– It is not merely a review of the actual
source code.
– It is an examination of the entire
development process, including
development procedures, review of
developer time sheets, documentation
review and the review of source code
revision practices.
Version 2.0
33
Technological Progress
• The Population is More Computer
Literate
• The World is Networked, Yet Users
Can Retain a Sense of Anonymity
• The Use of Encryption is
Becoming Common
• Network Bandwidth is Increasing
while Cost is Decreasing
• Disks are Less Expensive and
have Higher Capacities
– More Data Available On-Line
Version 2.0
34
Technological Progress
Albert Einstein said
“Technological
progress is like an axe
in the hands of a
pathological criminal.”
Version 2.0
35
Technological Progress
• Computers are Tools and Targets
– Instrumentality
– Data Repository
• Many Criminals Are Using Computers in
the Normal Course of Business
• Computer Crime Today
–
–
–
–
Version 2.0
Crime Without Punishment
Media Sensationalism
Public Apathy
Easy to Commit
36
What is Cyber Crime?
• A crime in which
technology plays an
important, and often a
necessary, part.
– The computer is:
• the target of an attack
• the tool used in an attack
• used to store data related
to criminal activity
Version 2.0
37
Types of Cyber Crime
•
•
•
•
•
•
•
•
•
Version 2.0
Unauthorized Access
Denial of Service
Extortion
Theft
Sabotage
Espionage
Computer Fraud
Embezzlement
Copyright Violation
• Forgery and
Counterfeiting
• Internet Fraud – “Imposter
Sites”
• SEC Fraud and Stock
Manipulation
• Child Pornography
• Stalking & Harassment
• Credit Card Fraud &
Skimming
38
Contemporary Issues in
Computer Forensics
• Criminal Justice System is not
Prepared to Handle High-Tech
Crime
– Shortage of Trained Investigators &
Analysts
– Lack of Forensic Standards
• Too Much Data!
– Large Disk Drives and Disk Arrays
– High Speed Network Connections
• Issues Relating to Time
Version 2.0
39
Contemporary Issues in
Computer Forensics
• Evidence Collection and
Examination Must not Violate
the following:
– 4th Amendment
– Privacy Protection Act
– Electronic Communications
Privacy Act
Version 2.0
40
Forensics Process
• Preparation
• Protection
• Imaging
• Examination
• Documentation
Version 2.0
41
Preparation
• Confirm the authority to conduct
analysis/search of media.
• Verify the purpose of the analysis and
the clearly defined desired results.
• Ensure that sterile media is available and
utilized for imaging. (ie..Free of virus,
Non-essential files, and verified before
use.)
• Ensure that all software tools utilized for
the analysis are tested and widely
accepted for use in the forensics
community.
Version 2.0
42
Legal Overview
Employer Searches in Private-Sector
Workplaces
Warrantless workplace searches by private
employers rarely violate the Fourth
Amendment. So long as the employer is not
acting as an instrument or agent of the
Government at the time of the search, the search
is a private search and the Fourth Amendment
does not apply. See Skinner v. Railway Labor
Executives’ Ass’n, 489 U.S. 602, 614 (1989).
Version 2.0
•Consult with your Legal Counsel
43
Protection
• Protect the integrity of the
evidence. Maintain control until
final disposition.
• Prior to Booting target computer,
DISCONNECT HDD and verify
CMOS.
• When Booting a machine for
Analysis, utilize HD Lock
software.
Version 2.0
44
Imaging
• Utilize disk “imaging” software to
make an exact image of the target
media. Verify the image.
• When conducting an analysis of
target media, utilize the restored
image of the target media; never
utilize the actual target media.
Version 2.0
45
Examination
• The Operating System
• Services
• Applications/processes
• Hardware
• LOGFILES!
• System, Security, and Application
• File System
Version 2.0
46
Examination (Cont)
• Deleted/Hidden Files/NTFS
Streams
• Software
• Encryption Software
• Published Shares/Permissions
• Password Files
• SIDS
• Network Architecture/Trusted
Relationships
Version 2.0
47
Off-Site Storage
• “X-Drives”
• FTP Links
• FTP Logs
• Shares on internal networks
Version 2.0
48
Documentation
• Document EVERYTHING
• Reason for Examination
• “The Scene”
• Utilize Screen Capture/Copy
Suspected files
• All apps for Analysis/apps on
Examined system.
Version 2.0
49
Forensic Tools
• Forensic Tool Kit
• Forensic Computer System
• Forensic Software
Version 2.0
Forensic Tool Kit
Version 2.0
51
Forensic System Hardware
• Main Systems
– Pentium-based Computer
– Multiple O/S
• UNIX, Windows, MAC
• Media Options
• Removable Media (REM-KIT)
• Disk Imaging Hardware
– Image MASSter 500 & 1000
• Static-Dissipative Grounding Kit
w/Wrist Strap
• UPS
Version 2.0
52
Media Options
• Your Forensic System should have
plenty of room for expansion and
external media.
• This is usually best supported by
SCSI Systems.
Version 2.0
53
Media Options
• Internal Hard Disk
• Tape Media
– QIC Tape Drive
– Travan Tape Drive
– DAT
• Optical Media
– CD-ROM
– CD-Writer
– DVD
Version 2.0
54
Removable Media
• Hard Drives
• ZIP Drives
• Jazz Drives
• PCMCIA Flash
Disks
Version 2.0
55
Disk Imaging Hardware
• Supports IDE & SCSI
• Sector by Sector Copy
– DOS, Windows 3.1,
– Windows 95, NT, SCO,
– UNIX, OS/2 & Mac O/S
• Full Read/Write Verification
& Reporting
• Logging Capability
• No Writing to Master Disk
Version 2.0
56
Forensic Software
• Clean Operating System(s)
• Disk Image Backup
Software
• Search & Recovery Utilities
• File Viewing Utilities
• Cracking Software
• Archive & Compression
Utilities
Version 2.0
57
Validate Software
• Determine Functionality
– Verify operation
– Identify limitations
– Identify bugs
• Court Presentation
– Testify from own experience
Version 2.0
58
Disk Imaging Software
• Bit Level Copy of the Disk, not File
Level
• Not Operating System Dependent
• Must have Logging or Error
Reporting
• Must Copy Deleted Files and
Slackspace
• Tools
– EnCase
– SafeBack
– SnapBack
Version 2.0
59
Search Utilities
• Forensic Software
– EnCase
– The Coroners Tool Kit
• File System Utilities
– DOS, Windows, NT, UNIX
• Norton Utilities
Version 2.0
60
File Viewing Utilities
• Quick View Plus
• Drag & View
• Thumbs Plus
Version 2.0
61
Forensic Analysis
• Computer Forensics
–
–
–
–
Lock the Disk
Create an Image of the Disk(s)
File System Authentication
List Disk Directories and File
Systems
– Locate Hidden or Obscured Data
– Cluster Analysis
Version 2.0
File System Authentication
• Integrity of data related to any
seizure is essential
• Message Digest - One-way
Hash Algorithm
– CRC32 (32 bits)
– MD5 (128 bits)
– SHA (160 bits)
• Create MD for system
directories and files
Version 2.0
63
File System Authentication
Version 2.0
64
List Directories and Files
• Create Hierarchical Directory
Listing (Tree)
• Identify Suspect Files
• Inventory All Files on the Disk
• Search Communications
Programs
• Registry Files
• Last Files Accessed
• Document Association
Version 2.0
65
Identify Suspect Files
• File Name Search based on
Case Characteristics
• Key Word Search based on
Case Characteristics
• Modified File Extensions
that Do Not Match the File
Type
• Hidden or Deleted Files
Version 2.0
66
Hidden & Obscure Data
• Hidden File Attributes
• Hidden Directories
• Temporary Directories
• Deleted Files
• Slack Space
• Unallocated Space
• Swap Space
• Steganography
Version 2.0
67
Steganography
• The Art of Hiding Communications
• While Encryption Conceals the
Data, Steganography Denies the
Data Exists
• Files Can Be Hidden within an
Image
• Disguising Data as Innocent Text
Version 2.0
68
S-Tools
• Hides Data inside Images,
Audio Files and Slack Space
Version 2.0
69
Ghosting
• White letters on a white
background, or black letters on a
black background
Version 2.0
70
Ghosting
• White letters on a white
background, or black letters on a
black background.
Version 2.0
71
Cluster Analysis
• Cluster Analysis Criteria
– Content, Location and Condition
• Identifies System Usage & History
– Initial Load of the System
– Defragmentation
• “Repacks” data files w/o Changing
Date/Times
– System Wipes and Reloads
• All Slack Space and Unallocated Blocks
set to Zero
• All Date/Times close to the same
Version 2.0
72
Analysis Problems
• Searching Access Controlled
Systems
• Virus Infection
• Formatted Disk
• Corrupted Disk
• DiskWipe or Degaussed Media
• Defragmented Disk
• Cluster Boundaries
• Evidence Eliminator
Version 2.0
73
Evidence Protection
• Transparent Static Shielding
Bags
– Provides shielding from
electrostatic discharge by safely
enveloping static sensitive
devices in a humidity-independent
Faraday cage. The nickel
shielding layer creates a Faraday
type shield. Meets MIL-B-81705
and DoD-STD-1686A
• Foam-Filled Disk Transport Box
• EMF Warning Labels
Version 2.0
74
Evidence Protection
Version 2.0
75
Network Forensics
• Analyze Packet Traces
– Establish a Sequence of Events
– Goal is Identify the Intruder
• Tools
– Network Sniffer
– System Logs
– NTSC Adapter
Version 2.0
76
Network Forensics
• IP Spoofing
• Hijacking
• Password Attacks
– Social Engineering
– Cracking Passwords
– Sniffers
• Distributed-Coordinated Attacks
• Identity Concealed by Connection
Laundering
Version 2.0
77
Connection Laundering
Version 2.0
E-mail Forensics
• E-mail Usage in 2000
– 108 Million E-mail Subscribers
– 25.2 Billion Message Daily
• E-mail is a asynchronous
communications mechanisms that
allows venting.
• People have a tendency to include
more in an e-mail message than
they would say in person of over
the phone.
• E-mail Spoofing
Version 2.0
79
E-mail Spoofing
• Requires Only:
– Mail Relay Server
– Knowledge of Mail Commands
•
•
•
•
•
Version 2.0
telnet <relay server>
helo
mail from: gwbush@whitehouse.com
rcpt to: twelch@sendsecure.com
Data <message>
80
The Future Forensics
• Crimes and Methods to Hide
Crimes are becoming more
Sophisticated, thus Investigators
and Analyst must become more
Technical
– Specialist are Needed
– More Training is needed in both the
Public and Private Sectors
• Encryption will Continue to be an
Issue, but Only Time will Tell
Version 2.0
81
The Future Forensics
• Forensic Tools
– Must Become Automated
– Forensic Search Engines Must
include Fuzzy Logic and Intelligence
to handle Cluster Boundaries
– UNIX Tools Must be Developed
– Better Network Analysis Tools need
to be Developed
– Tools to Analyze Distributed
Applications such as Java, COM, and
DCOM will need to be Developed.
Version 2.0
82
Conclusions
• Computer forensics is an integral
function within incident response
• Processes are the most important
aspects of computer forensics
• The future of cyber crime will lead to
an increased need for computer
forensic capabilities
Version 2.0
83
Questions ?
Version 2.0
84
Download