Uploaded by djzctkgadilpbukvsa

10. Forensics and Audit

Audit Frameworks
■ Compliance Frameworks
SANS Top 20
Inventory of Devices
Inventory of Software
Secure Configurations-workstations
Vulnerability Assessment and Remediation
Malware Defenses
SANS Top 20
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment/Training
10. Secure Configurations for Network Devices
SANS Top 20
11. Limitation and Control of Network Ports
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Logs
15. Controlled Access Based on the Need to Know
SANS Top 20
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
What is COBIT?
■ A set of best practices for Information Technology
■ Developed by (ISACA)
■ Framework helping IT professionals and enterprise leaders
fulfill their IT Governance responsibilities while delivering
value to the business.
■ COBIT 5 is an end-to-end business view of the governance of
enterprise IT that reflects the central role of IT in creating
value for enterprises.
What’s In COBIT
Framework - Organize IT governance objectives and good practices by IT
domains and processes, and links them to business requirements
Process Descriptions - A reference process model and common language
for everyone in an organization. The processes map to responsibility
areas of plan, build, run and monitor.
Control Objectives - Provide a complete set of high-level requirements to
be considered by management for effective control of each IT process.
Management Guidelines - Help assign responsibility, agree on objectives,
measure performance, and illustrate interrelationship with other
Maturity Models - Assess maturity and capability per process and helps
to address gaps.
■ Maintain high-quality information to support business decisions
■ Achieve strategic goals and realize business benefits through the
effective and innovative use of IT
■ Achieve operational excellence through reliable, efficient application of
■ Maintain IT-related risk at an acceptable level
■ Optimize the cost of IT services and technology
■ Support compliance with relevant laws, regulations, contractual
agreements and policies
US Cert Overview:
What is Forensics
■ The discipline that combines elements of law and computer
science to collect and analyze data from computer systems,
networks, wireless communications, and storage devices in a
way that is admissible as evidence in a court of law
■ Defense in Depth
■ New Discipline, there is little consistency…. (2008)
■ Persistent Data – stored
■ Volatile Data – lost when computer is turned off
US Cert Overview:
Legal Aspects
You must have authorization
– Management
– Policy monitor and collect
■ New Rulings on admissibility
■ Avoid Lawsuit
■ Regulatory Audit
US Cert Overview:
Legal Aspects
■ 4th Amendment-unreasonable search and seizure
■ 5th Amendment-protection against self
■ Wire Tap Act
■ Pen Registers and Trap and Trace Devices statute
■ Stored wired and Electronic Communications Act
■ US Federal Rules of Evidence –hearsay,
authentication, reliability and best evidence
NIST 800-86:
Executive Summary
■ Forensics – Application of science to the law
■ Digital Forensics – Application of science to the
identification, collection, examination and analysis
of data while preserving the integrity of the
■ Development of Policies and Procedures
NIST 800-86:
Policies, Procedures and
1. Organizations should ensure that their policies contain clear
statements addressing all major forensic considerations
2. Organizations should create and maintain procedures and
guidelines for performing forensic tasks
3. Organizations should ensure that their policies and procedures
support the use of forensic tools.
4. Organizations should ensure that their IT professionals are
prepared to participate in forensic activities
NIST 800-86:
The Need for Forensics
“ ….most often thought of in the context of criminal
investigations…also useful for many other types of
1. Operational Troubleshooting
2. Log Monitoring
3. Data Acquisition
4. Regulatory Compliance
NIST 800-86:
Digital Forensic Staffing
1. Investigators
2. IT Professionals
3. Incident Handlers
Internal vs External
1. Cost
2. Response Time
3. Data Sensitivity
NIST 800-86:
Digital Forensic Techniques
Supporting Forensics in the Information Systems Life Cycle
Perform Regular Backups
Enable Auditing on workstations, servers and network devices
Forward Audit records to secure centralized log servers
Configure mission critical applications to perform auditing
Maintain standard configurations of OS’s and file hashes
Use file integrity checking software on particularly important
Maintain baselines of network and system configurations
SANS Critical Controls:
Critical Control 14
Maintenance, Monitoring an Analysis of Audit Logs
“Sometimes logging records are the only evidence of a successful attack”
“Many organizations only keep audit records for compliance purposes”
Quick Wins
2 synchronized time sources
Validate Audit logs / Adequate Storage
Log Retention Policy
Verbose Logging
By-weekly reports
NIST 800-86:
Digital Forensic Process
Collection: identifying, labeling, recording, and acquiring data from the possible
sources of relevant data, while following procedures that preserve the integrity of
the data.
Examination: forensically processing collected data using a combination of
automated and manual methods, and assessing and extracting data of particular
interest, while preserving the integrity of the data
Analysis: analyzing the results of the examination, using legally justifiable
methods and techniques, to derive useful information that addresses the
questions that were the impetus for performing the collection and examination.
Reporting: reporting the results of the analysis, which may include describing the
actions used, explaining how tools and procedures were selected, determining
what other actions need to be performed (e.g., forensic examination of additional
data sources, securing identified vulnerabilities, improving existing security
controls), and providing recommendations for improvement to policies,
procedures, tools, and other aspects of the forensic process
NIST 800-86:
Digital Forensic Process
NIST 800-86:
Data Collection
■ Primary Sources
■ Information may also be recorded by other organizations
■ Sometimes it is not feasible to collect data from a primary
NIST 800-86:
Data Collection
Four major categories of data source
1. Files
2. OS
3. Network Traffic
4. Applications
NIST 800-86:
Data Collection: Acquiring the
1. Develop a plan
Multiple potential data sources
Likely Value
Amount of Effort required
2. Acquire the data
Forensic Tools
3. Verify the integrity of the data
Using tools to compute the message digest/hash
NIST 800-86:
Incident Response
■ Response should consider in advance the impact that various
containment strategies may have on the organization to
operate effectively
■ Criminal – Collected hardware may be unavailable for an
extended period of time
■ Incident – Secure the perimeter around a computer
NIST 800-86:
Data Collection: Examination
■ Involves assessing and extracting the relevant pieces of
information from the collected data
An acquired hard drive may contain thousands of data files
– (and interesting deleted files)
Yesterday’s firewall log might hold millions of records
– Only 5 or 10 may be of value
NIST 800-86:
Data Collection: Analysis
■ The foundation of forensics is using a methodical approach to
reach appropriate conclusions based on the available data or
determine that no conclusion can yet be drawn.
■ Should include identifying people, places, items, and events
and determining how these elements are related
■ Tools can facilitate this process by automatically gathering
and correlating the data
NIST 800-86:
Data Collection: Reporting
Many factors affect reporting
Alternate Explanations
– Maybe multiple plausible explanations
– Methodical approach
Audience Considerations
– Law enforcement – Detailed collection information
– System Admins – Logs
– Management – High level overview, Business outcomes
Actionable Information
– List of contacts
– Prevent future events
NIST 800-86:
Using Data from Data Files
■ Analysts should have a reasonably comprehensive
understanding before beginning
■ Media (HD/USB/CD/DVD.. SD Card/Tape
■ File systems – Partitioning, directory structure, file allocation
■ Copying files from media (Logical Backup/Bit Stream Imaging)
■ Data File Integrity – Write blockers
■ File Attributes (Modification Time/Access Time/Creation
■ Locating and Extracting
■ Analyzing
NIST 800-86:
Using Data from Operating Systems
■ An OS is a program that runs on a computer and provides a
software platform on which other programs run
■ Volatile vs Non–Volatile
■ Config Files, Users and Groups , Password files, Scheduled
■ Logs! (System Event/Audit/Application /Events/Command
■ Applications
■ Swap Files/Dump Files /Hibernation Files
■ Memory – Volatile
■ Network information – Volatile?
■ Prioritization?
NIST 800-86:
Using Data from Network Traffic
■ Network Traffic refers to computer network communications
that are carried between hosts
4 Layer TCP/IP Stack
Sources firewall/routers Packet sniffers, protocol analyzers
 Packet sniffers are designed to monitor network traffic
and capture packets
 Protocol analyzers can re-assemble streams from
IDS Intrusion detection systems
 analyze network traffic to identify suspicious activity
Remote Access
Security information event management (SIEM)
NIST 800-86:
Using Data from Applications
■ From a forensic perspective, applications bring together files,
OSs, and network
Application and supporting files
Type of Application (Web/Email/File share/Office)
Concealment Tools
– Encryption
– Steganographic tools
– Clean up tools
■ Collection