CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.
4/13/2015

Performing RAID Data Acquisitions
• Size is the biggest concern
  – Many RAID systems now have terabytes of data
• What is RAID and what is it used for?
• Redundant array of independent (formerly "inexpensive") disks (RAID)
  – Computer configuration involving two or more disks
  – Originally developed as a data-redundancy measure

RAID Techniques

RAID: Mirroring
[figure slide]

RAID: Bit-level Striping
[figure slide]

RAID versions
• RAID 0
  – Provides rapid access and increased storage
  – Lacks redundancy
• RAID 1
  – Designed for data recovery
  – More expensive than RAID 0
• RAID 2
  – Similar to RAID 1
  – Data is written to a disk on a bit level
  – Has better data integrity checking than RAID 0
  – Slower than RAID 0

RAID: Block-level Striping
[figure slide]

RAID versions II
• RAID 3
  – Uses data striping and dedicated parity
• RAID 4
  – Data is written in blocks
• RAID 5
  – Similar to RAIDs 0 and 3
  – Places parity recovery data on each disk
• RAID 6
  – Redundant parity on each disk
• RAID 10, or mirrored striping
  – Also known as RAID 1+0
  – Combination of RAID 1 and RAID 0

Acquiring RAID Disks
• Concerns
  – How much data storage is needed?
  – What type of RAID is used?
  – Do you have the right acquisition tool?
  – Can the tool read a forensically copied RAID image?
  – Can the tool read split data saves of each RAID disk?
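The striping and parity slides above describe the layout an acquisition tool has to understand before a RAID image is readable: when each member disk is imaged separately, the examiner must re-interleave the stripes, skip the parity units, and, if one member was unreadable, rebuild it from the others. The following is an added example written for these notes (it is not code from the textbook or from any of the tools named on the slides); it models block-level striping with rotating parity, the RAID 5 arrangement, on constructed in-memory "disks", rebuilds one missing member by XOR, reassembles the logical volume, and checks the result with a SHA-256 hash. Block size, the parity rotation rule and the sample volume are all assumptions chosen to keep the layout easy to inspect.

```python
"""Toy model of block-level striping with rotating parity (the RAID 5 layout
from the slides). Added example for this lecture; not code from the textbook
or from any acquisition tool named on the slides. All "disk" contents are
constructed in-memory byte strings."""
from __future__ import annotations

import hashlib

BLOCK = 4  # bytes per stripe unit; tiny so the layout is easy to inspect


def xor_blocks(blocks: list[bytes]) -> bytes:
    """XOR equal-length blocks together: this is the parity computation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def split_to_raid5(data: bytes, ndisks: int) -> list[list[bytes]]:
    """Stripe `data` over `ndisks` members; parity for stripe s sits on
    disk (ndisks-1-s) % ndisks. Returns disks[d][s] = unit on disk d, stripe s."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three members")
    ndata = ndisks - 1
    stripe_bytes = BLOCK * ndata
    data += b"\x00" * (-len(data) % stripe_bytes)  # zero-pad the last stripe
    nstripes = len(data) // stripe_bytes
    disks: list[list[bytes]] = [[b""] * nstripes for _ in range(ndisks)]
    for s in range(nstripes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        units = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(ndata)]
        parity_disk = (ndisks - 1 - s) % ndisks
        data_disks = [d for d in range(ndisks) if d != parity_disk]
        for d, unit in zip(data_disks, units):
            disks[d][s] = unit
        disks[parity_disk][s] = xor_blocks(units)
    return disks


def rebuild_missing(disks: list[list[bytes] | None]) -> list[list[bytes]]:
    """Recompute one unreadable member (given as None) stripe by stripe as the
    XOR of the other members. Two missing members cannot be recovered in RAID 5."""
    missing = [d for d, disk in enumerate(disks) if disk is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one missing member")
    present = [disk for disk in disks if disk is not None]
    out: list[list[bytes]] = []
    for disk in disks:
        if disk is None:
            disk = [xor_blocks([p[s] for p in present]) for s in range(len(present[0]))]
        out.append(disk)
    return out


def reassemble_volume(disks: list[list[bytes]]) -> bytes:
    """Concatenate data units in stripe order, skipping the parity unit of each
    stripe, to recover the logical volume an examiner actually analyses."""
    ndisks, nstripes = len(disks), len(disks[0])
    out = bytearray()
    for s in range(nstripes):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Stripe a constructed volume over four members, lose one member while
    imaging, rebuild it, and confirm the reassembled volume hashes identically."""
    volume = b"CSE4482 RAID acquisition demo: reassemble, then hash the volume."
    disks = split_to_raid5(volume, ndisks=4)
    original_hash = sha256_hex(reassemble_volume(disks))
    degraded: list[list[bytes] | None] = list(disks)
    degraded[1] = None  # member 1 could not be imaged
    recovered = reassemble_volume(rebuild_missing(degraded))
    return {
        "members": len(disks),
        "stripes": len(disks[0]),
        "match": sha256_hex(recovered) == original_hash,
        "recovered_prefix": recovered[:7],
    }


if __name__ == "__main__":
    print(demo())
```

The hash comparison at the end is the point a practitioner cares about: a RAID image is only as good as the reassembled logical volume, so the hash that goes into the case notes should be taken over that volume, not over the individual member images alone.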
Acquiring RAID Disks (continued)
• Older hardware-firmware RAID systems can be a challenge when you're making an image
• Vendors offering RAID acquisition functions
  – Technologies Pathways ProDiscover
  – Guidance Software EnCase
  – X-Ways Forensics
  – Runtime Software
  – R-Tools Technologies
• Occasionally, a RAID system is too large for a static acquisition
  – Retrieve only the data relevant to the investigation with the sparse or logical acquisition method

Using Remote Network Acquisition Tools
• You can remotely connect to a suspect computer via a network connection and copy data from it
• Remote acquisition tools vary in configurations and capabilities
• Drawbacks
  – LAN data transfer speeds and routing table conflicts could cause problems
  – Gaining the permissions needed to access more secure subnets
  – Heavy traffic could cause delays and errors

Remote Acquisition with ProDiscover
• With ProDiscover Investigator you can:
  – Preview a suspect's drive remotely while it's in use
  – Perform a live acquisition
  – Encrypt the connection
  – Copy the suspect computer's RAM
  – Use the optional stealth mode
• ProDiscover Incident Response additional functions
  – Capture volatile system state information
  – Analyze current running processes
  – Locate unseen files and processes
  – Remotely view and listen to IP ports
  – Run hash comparisons
  – Create a hash inventory of all files remotely

Remote Acquisition with ProDiscover (continued)
• PDServer remote agent
  – ProDiscover utility for remote access
  – Needs to be loaded on the suspect computer
• PDServer installation modes
  – Trusted CD
  – Preinstallation
  – Pushing out and running remotely
• PDServer can run in a stealth mode
  – Can change its process name to appear as an OS function

Remote Acquisition with ProDiscover (continued)
• Remote connection security features
  – Password Protection
  – Encryption
  – Secure Communication Protocol
  – Write Protected Trusted Binaries
  – Digital Signatures

Remote Acquisition with EnCase Enterprise
• Remote acquisition features
  – Remote data acquisition of a computer's media and RAM data
  – Integration with intrusion detection system (IDS) tools
  – Options to create an image of data from one or more systems
  – Preview of systems
  – A wide range of file system formats
  – RAID support for both hardware and software

Remote Acquisition with R-Tools R-Studio
• R-Tools suite of software is designed for data recovery
• Remote connection uses Triple Data Encryption Standard (3DES) encryption
• Creates raw format acquisitions
• Supports various file systems

Remote Acquisition with Runtime Software
• Utilities
  – DiskExplorer for FAT
  – DiskExplorer for NTFS
  – HDHOST
• Features for acquisition
  – Create a raw format image file
  – Segment the raw format or compressed image
  – Access network computers' drives

Using Other Forensics Acquisition Tools
• Tools
  – SnapBack DatArrest
  – SafeBack
  – DIBS USA RAID
  – ILook Investigator IXimager
  – Vogon International SDi32
  – ASRData SMART
  – Australian Department of Defence PyFlag

SnapBack DatArrest
• Columbia Data Products
• Old MS-DOS tool
• Can make an image in three ways
  – Disk to SCSI drive
  – Disk to network drive
  – Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry

NTI SafeBack
• Reliable MS-DOS tool
• Small enough to fit on a forensic boot floppy
• Performs an SHA-256 calculation per sector copied
• Creates a log file
• Functions
  – Disk-to-image copy (image can be on tape)
  – Disk-to-disk copy (adjusts target geometry)
  – Copies a partition to an image file
  – Compresses image files

More tools
• DIBS USA RAID (Rapid Action Imaging Device)
  – Makes forensically sound disk copies
  – Portable computer system designed to make disk-to-disk images
  – Copied disk can then be attached to a write-blocker device
• ILook Investigator IXimager
  – Runs from a bootable floppy or CD
  – Designed to work only with ILook Investigator
  – Can acquire single drives and RAID drives

More tools II
Vogon International SDi32
• Creates a raw format image of a drive
• Write-blocker is needed when using this tool
• Password Cracker POD
  – Device that removes the password on a drive's firmware card
ASRData SMART
• Linux forensics analysis tool that can make image files of a suspect drive
• Capabilities
  – Robust data reading of bad sectors on drives
  – Mounting suspect drives in write-protected mode
  – Mounting target drives in read/write mode
  – Optional compression schemes

Next: Network Forensics
• Guide to Computer Forensics and Investigations, Third Edition, Chapter 11

Objectives
• Describe the importance of network forensics
• Explain standard procedures for performing a live acquisition
• Explain standard procedures for network forensics
• Describe the use of network tools

Network Forensics Overview
• Network forensics
  – Systematic tracking of incoming and outgoing traffic
  – To ascertain how an attack was carried out or how an event occurred on a network
• Intruders leave a trail behind
• Determine the cause of the abnormal traffic
  – Internal bug
  – Attackers

Securing a Network
• Layered network defense strategy
  – Sets up layers of protection to hide the most valuable data at the innermost part of the network
• Defense in depth (DiD)
  – Similar approach developed by the NSA
  – Modes of protection
    • People
    • Technology
    • Operations

Securing a Network (continued)
• Testing networks is as important as testing servers
• You need to be up to date on
  – the latest methods intruders use to infiltrate networks, and
  – methods internal employees use to sabotage networks

Performing Live Acquisitions
• Live acquisitions are especially useful when you're dealing with active network intrusions or attacks
• Live acquisitions done before taking a system offline are also becoming a necessity
  – Because attacks might leave footprints only in running processes or RAM
• Live acquisitions don't follow typical forensics procedures
• Order of volatility (OOV)
  – How long a piece of information lasts on a system
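The order-of-volatility slide above and the live-acquisition steps that follow (keep a log of every action, copy RAM first, hash everything you recover) come together in a small collection driver. The block below is an added example written for these notes, not code from the textbook or from Helix, ProDiscover or any other tool the slides name. It collects a set of constructed artifacts in OOV order (most volatile first), writes each copy to an evidence directory, records a UTC timestamp, size and SHA-256 for each in a JSON log, and then re-verifies the stored copies against that log so that a copy altered after collection is detected. The artifact names, their contents and the volatility ranking are assumptions made for the demo.

```python
"""Added example (not from the textbook or from the tools named on the slides):
a minimal live-acquisition driver. It collects constructed volatile artifacts
in order of volatility (OOV), writes each to an evidence directory, and keeps
a JSON log with timestamp, size and SHA-256 so every recovered file has a
forensic hash that can be re-verified later. The collectors return constructed
sample bytes; a real run would invoke memory, network and process tools."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Most volatile first: the integer is the assumed OOV rank (lower = collect sooner).
# Names and contents are constructed for the demo.
ARTIFACTS = [
    (1, "ram_image", lambda: b"CONSTRUCTED RAM CONTENTS\x00" * 8),
    (2, "network_connections",
     lambda: b"tcp 10.0.0.5:49152 -> 203.0.113.7:443 ESTABLISHED\n"),
    (3, "process_list", lambda: b"pid=4242 name=svchost.exe ppid=600\n"),
    (4, "disk_image", lambda: b"CONSTRUCTED DISK SECTORS" * 16),
    (5, "system_logs", lambda: b"2015-04-13T19:00:00Z logon user=alice\n"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_bytes(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def collect(outdir: str) -> list[dict]:
    """Collect every artifact in OOV order, hash it immediately, and write
    the log to <outdir>/acquisition_log.json. Returns the log entries."""
    log: list[dict] = []
    for rank, name, collector in sorted(ARTIFACTS, key=lambda a: a[0]):
        data = collector()
        path = os.path.join(outdir, f"{name}.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        log.append({
            "rank": rank,
            "artifact": name,
            "path": path,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    with open(os.path.join(outdir, "acquisition_log.json"), "w") as fh:
        json.dump(log, fh, indent=2)
    return log


def verify(outdir: str) -> dict[str, bool]:
    """Recompute the hash of each stored copy and compare it with the log.
    A False value means the copy no longer matches what was collected."""
    with open(os.path.join(outdir, "acquisition_log.json")) as fh:
        log = json.load(fh)
    return {e["artifact"]: sha256_hex(read_bytes(e["path"])) == e["sha256"]
            for e in log}


def demo() -> tuple[list[str], dict[str, bool], dict[str, bool]]:
    """Run a collection, verify it, then alter one copy and verify again."""
    outdir = tempfile.mkdtemp(prefix="live_acq_")
    order = [e["artifact"] for e in collect(outdir)]
    clean = verify(outdir)
    # Simulate a copy being modified after collection; verify() must flag it.
    with open(os.path.join(outdir, "process_list.bin"), "ab") as fh:
        fh.write(b"pid=1337 name=added_after_the_fact.exe\n")
    tampered = verify(outdir)
    return order, clean, tampered


if __name__ == "__main__":
    print(demo())
```

Hashing at the moment of collection, rather than later from the network share, is what makes the log usable as evidence of integrity: the log shows the order in which volatile data was taken and gives a value that anyone can recompute over the stored copy.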
Performing Live Acquisitions (continued)
• Steps
  – Create or download a bootable forensic CD
  – Make sure you keep a log of all your actions
  – A network drive is ideal as a place to send the information you collect
  – Copy the physical memory (RAM)
  – The next step varies, depending on the incident you're investigating
  – Be sure to get a forensic hash value of all files you recover during the live acquisition

Performing a Live Acquisition in Windows
• Several bootable forensic CDs are available
  – Such as Helix and DEFT
• Helix operates in two modes:
  – Windows Live (GUI or command line) and bootable Linux
• The Windows Live GUI version includes a runtime prompt for accessing the command line
• GUI tools are easy to use, but resource intensive

Performing a Live Acquisition in Windows (continued)
[figure slide]

Performing a Live Acquisition in Windows (continued)
[figure slide]

Developing Standard Procedures for Network Forensics
• Long, tedious process
• Standard procedure
  – Always use a standard installation image for systems on a network
  – Close any way in after an attack
  – Attempt to retrieve all volatile data
  – Acquire all compromised drives
  – Compare files on the forensic image to the original installation image

Developing Standard Procedures for Network Forensics II
• Computer forensics
  – Work from the image to find what has changed
• Network forensics
  – Restore drives to understand the attack
• Work on an isolated system
  – Prevents malware from affecting other systems

Reviewing Network Logs
• Record ingoing and outgoing traffic
  – Network servers
  – Routers
  – Firewalls
• Tcpdump tool for examining network traffic
  – Can generate top 10 lists
  – Can identify patterns
• Attacks might include other companies
  – Do not reveal information discovered about other companies

Using Network Tools
• Sysinternals
  – A collection of free tools for examining Windows products
• Examples of the Sysinternals tools:
  – RegMon shows Registry data in real time
  – Process Explorer shows what is loaded
  – Handle shows open files and the processes using them
  – Filemon shows file system activity

Using Network Tools (continued)
[figure slide]

Using Network Tools (continued)
• Tools from the PsTools suite created by Sysinternals
  – PsExec runs processes remotely
  – PsGetSid displays the security identifier (SID)
  – PsKill kills a process by name or ID
  – PsList lists details about a process
  – PsLoggedOn shows who's logged on locally
  – PsPasswd changes account passwords
  – PsService controls and views services
  – PsShutdown shuts down and restarts PCs
  – PsSuspend suspends processes

Using UNIX/Linux Tools
• Knoppix Security Tools Distribution (STD)
  – Bootable Linux CD intended for computer and network forensics
• Knoppix-STD tools
  – Dcfldd, the U.S. DoD dd version
  – memfetch forces a memory dump
  – photorec grabs files from a digital camera
  – snort, an intrusion detection system
  – oinkmaster helps manage your snort rules

Using UNIX/Linux Tools (continued)
• Knoppix-STD tools (continued)
  – john
  – chntpw resets passwords on a Windows PC
  – tcpdump and ethereal are packet sniffers
• With the Knoppix STD tools on a portable CD
  – You can examine almost any network system

Using UNIX/Linux Tools (continued)
[figure slide]

Using UNIX/Linux Tools (continued)
• The Auditor
  – Robust security tool whose logo is a Trojan warrior
  – Based on Knoppix and contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more
  – Includes forensics tools, such as Autopsy and Sleuth
  – Easy to use and frequently updated

Using Packet Sniffers
• Packet sniffers
  – Devices or software that monitor network traffic
  – Most work at layer 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Some packets can be identified by examining the flags in their TCP headers

Using Packet Sniffers (continued)
[figure slide]

Using Packet Sniffers (continued)
• Tools
  – Tcpdump
  – Tethereal
  – Snort
  – Tcpslice
  – Tcpreplay
  – Tcpdstat
  – Ngrep
  – Etherape
  – Netdude
  – Argus
  – Ethereal

Using Packet Sniffers (continued)
[figure slide]

Examining the Honeynet Project
• Attempt to thwart Internet and network hackers
  – Provides information about attack methods
• Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
  – A recent major threat
  – Hundreds or even thousands of machines (zombies) can be used

Examining the Honeynet Project (continued)
[figure slide]

Examining the Honeynet Project (continued)
• Zero-day attacks
  – Another major threat
  – Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
• Honeypot
  – Normal-looking computer that lures attackers to it
• Honeywalls
  – Monitor what's happening to honeypots on your network and record what attackers are doing

Examining the Honeynet Project (continued)
• Its legality has been questioned
  – Cannot be used in court
  – Can be used to learn about attacks
• Manuka Project
  – Used the Honeynet Project's principles
    • To create a usable database for students to examine compromised honeypots
• Honeynet Challenges
  – You can try to ascertain what an attacker did and then post your results online

Examining the Honeynet Project (continued)
[figure slide]

Summary
• Network forensics tracks down internal and external network intrusions
• Networks must be hardened by applying layered defense strategies to the network architecture
• Live acquisitions are necessary to retrieve volatile items
• Standard procedures need to be established for how to proceed after a network security event has occurred

Summary (continued)
• By tracking network logs, you can become familiar with the normal traffic pattern on your network
• Network tools can monitor traffic on your network, but they can also be used by intruders
• Bootable Linux CDs, such as Knoppix STD and Helix, can be used to examine Linux and Windows systems
• The Honeynet Project is designed to help people learn the latest intrusion techniques that attackers are using
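The "Reviewing Network Logs" slides say tcpdump output can be turned into top 10 lists and used to spot patterns, and the "Using Packet Sniffers" slides add that some packets can be identified from the flags in their TCP headers. The block below is an added example for these notes, not code from the textbook or from tcpdump itself: it parses tcpdump's default text line format, builds top-N lists of sources and destination ports, and looks for one pattern a reviewer would notice, a single source sending bare SYNs (flags `S`, no ACK) to many distinct destination ports while a normal client completes a handshake on one port. The log lines, the addresses (documentation ranges) and the five-port threshold are constructed assumptions for the demo.

```python
"""Added example, not from the textbook or the slides: reviewing tcpdump-style
text output as the "Reviewing Network Logs" and "Using Packet Sniffers" slides
describe. Builds top-N lists and inspects TCP flags for one pattern: a source
sending bare SYNs to many distinct ports. SAMPLE_LOG is constructed in
tcpdump's default line format; the addresses are documentation ranges."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample lines (not a real capture). One source probes eight
# ports with SYN-only packets; one client completes a normal TLS handshake.
SAMPLE_LOG = """\
19:02:11.000001 IP 203.0.113.7.40001 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
19:02:11.000120 IP 203.0.113.7.40002 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
19:02:11.000230 IP 203.0.113.7.40003 > 10.0.0.5.25: Flags [S], seq 1, win 1024, length 0
19:02:11.000340 IP 203.0.113.7.40004 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0
19:02:11.000450 IP 203.0.113.7.40005 > 10.0.0.5.443: Flags [S], seq 1, win 1024, length 0
19:02:11.000560 IP 203.0.113.7.40006 > 10.0.0.5.445: Flags [S], seq 1, win 1024, length 0
19:02:11.000670 IP 203.0.113.7.40007 > 10.0.0.5.3389: Flags [S], seq 1, win 1024, length 0
19:02:11.000780 IP 203.0.113.7.40008 > 10.0.0.5.8080: Flags [S], seq 1, win 1024, length 0
19:02:12.100000 IP 198.51.100.2.51000 > 10.0.0.5.443: Flags [S], seq 100, win 64240, length 0
19:02:12.100500 IP 10.0.0.5.443 > 198.51.100.2.51000: Flags [S.], seq 900, ack 101, win 65535, length 0
19:02:12.101000 IP 198.51.100.2.51000 > 10.0.0.5.443: Flags [.], ack 901, win 64240, length 0
19:02:12.102000 IP 198.51.100.2.51000 > 10.0.0.5.443: Flags [P.], seq 101:518, ack 901, win 64240, length 417
19:02:12.150000 IP 198.51.100.2.51000 > 10.0.0.5.443: Flags [F.], seq 518, ack 1400, win 64240, length 0
19:02:13.000000 IP 198.51.100.9.52000 > 10.0.0.5.80: Flags [P.], seq 1:200, ack 1, win 64240, length 199
"""

# tcpdump default format: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text: str) -> list[dict]:
    """Parse tcpdump lines into dicts; lines that do not match are skipped."""
    rows: list[dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["sport"] = int(row["sport"])
            row["dport"] = int(row["dport"])
            rows.append(row)
    return rows


def top_n(rows: list[dict], field: str, n: int = 10) -> list[tuple[str, int]]:
    """Top-N list for any parsed field (e.g. 'src', 'dst', 'dport')."""
    return Counter(str(r[field]) for r in rows).most_common(n)


def syn_only_ports(rows: list[dict]) -> dict[str, set[int]]:
    """Map source IP -> set of destination ports it sent a bare SYN to.
    A bare SYN has flags exactly 'S'; 'S.' is the SYN/ACK reply."""
    spread: dict[str, set[int]] = defaultdict(set)
    for r in rows:
        if r["flags"] == "S":
            spread[r["src"]].add(r["dport"])
    return dict(spread)


def scan_like_sources(rows: list[dict], min_ports: int = 5) -> list[str]:
    """Sources whose bare-SYN destination-port spread reaches min_ports;
    a normal client touches one or two ports, so this separates the two."""
    return sorted(src for src, ports in syn_only_ports(rows).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("top sources:", top_n(rows, "src", 3))
    print("top dst ports:", top_n(rows, "dport", 3))
    print("flag mix:", top_n(rows, "flags"))
    print("scan-like sources:", scan_like_sources(rows))
```

Two things the slides mention show up directly in the output: the top-N list gives you the baseline picture of who talks to whom, and the flag check is what distinguishes the source that never completes a handshake from the client that does. On a real capture the same functions run over `tcpdump -n -r capture.pcap` text output, with the threshold tuned to the network's normal traffic.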