Forensic Duplicate

CIT 380: Securing Computer Systems
Forensics
CIT 380: Securing Computer Systems
Slide #1
Computer Forensics
1. Forensic Toolkit
2. Live Data Collection
3. Forensic Duplication
4. Network Data Collection
5. Evidence Handling
6. Disk Data Analysis
7. UNIX Forensics
8. Network Data Analysis
Forensic Toolkit
A forensic investigation requires a trusted set of tools to
collect and analyze data.
Hardware/Media:
– CD-ROM containing tools.
– USB drive or floppy for saving collected data.
– Laptop for network data collection and/or saving larger
quantities of data.
– Secure data analysis workstation
• Hard drive space for analyzing drive images.
• Drive bays and controllers for analyzing multiple
types of hard disks.
Forensic Toolkit Software
bash: known good copy of shell (cmd.exe for Win)
dd: create bit level images of disks
find and ls: examine directory listings
ifconfig: network configuration (ipconfig for Win)
lsmod: list loaded kernel modules (modinfo for Sun)
lsof: list open files (and network connections)
md5sum: generate/validate file checksums
netcat or cryptcat: save collected data via network
netstat: collect status of network connections
ps: collect process data (pslist for Win)
script: records terminal session
strace: system call tracer (truss for Sun)
strings: list text strings in binaries
vim: edit and/or view binary/text files
Forensic Toolkit Software
Live CD toolkits
– FIRE: Forensic & Incident Response Environment
– Helix Forensics CD: Contains Sleuthkit.
Specialized Forensics Tools
– Sleuthkit (http://www.sleuthkit.org/)
• Includes Autopsy Forensic Browser.
– The Coroner’s Toolkit
• http://www.porcupine.org/forensics/tct.html
– Encase
• Commercial MS Windows toolkit.
Live Data Collection
• In-memory system state is volatile and must be
collected before system is shutdown.
• These types of data will be lost on shutdown:
– Running processes.
– Open network connections.
– Deleted binaries whose programs are still executing.
– Deleted files in use by a running program.
• Caveat: Even using tools from CD-ROM will
modify system state, both memory (perhaps
including swap) and disk files.
Saving Live Data
Floppy drive
– small but ubiquitous.
USB drive
– larger but not on older systems.
Network storage
– Use netcat listener on remote host.
• nc -l -p 2222 >output
– Pipe to netcat on machine you're investigating:
• /mnt/cdrom/bin/date | /mnt/cdrom/bin/nc -w 3 destIP 2222
– Use cryptcat or pipe through DES for security.
Live Data Procedure
1. Mount forensic toolkit media
• mount -n /mnt/cdrom
2. Start trusted shell
• /mnt/cdrom/bin/bash
• export PATH=/mnt/cdrom/bin
3. Record current date
• date
4. ARP and route cache tables
• arp -an
• route -Cn
Live Data Procedure
5. Logged-in users
• w
6. File-modification times
• atime: ls -alRu /
• ctime: ls -alRc /
• mtime: ls -alR /
7. Open network connections/sniffers
• ifconfig -a
• netstat -anp
8. Physical memory image
• dd if=/proc/kcore | nc remoteIP port
Live Data Procedure
9. Kernel modules and symbols
• cat /proc/modules
• cat /proc/ksyms
• For detecting hidden kernel modules:
• insmod -f /mnt/cdrom/hunter.o
• cat /proc/showmodules
10. Process list
• ps aux
• Memory image of suspicious processes:
• pcat PID or
• kill -STOP PID && gcore -o PID.img PID
Live Data Procedure
11. Record system logs
1. utmp: current user access/accounting data
2. wtmp: historical user access/accounting data
3. lastlog: last access/login data
4. syslog files:
• /etc/syslog.conf
• /var/adm/messages or /var/log/messages
5. Application logs
• Shell history files
• Apache access_log
• FTP xferlog
Live Data Procedure
12. Save configuration files
Authentication: /etc/passwd, /etc/shadow
Scope of access: /etc/group
Local machines: /etc/hosts
Trust relationships: /etc/hosts.equiv, ~/.rhosts
TCP wrapper rules: /etc/hosts.allow, /etc/hosts.deny
Syslog configuration: /etc/syslog.conf
inetd/xinetd: /etc/inetd.conf, /etc/xinetd.conf, /etc/xinetd.d
Startup files: /etc/inittab, /etc/rc*
Scheduled events: /var/spool/cron/*
Live Data Procedure
13. Find deleted files
lsof: list open files
Look for files named only by disk partition.
Investigate /proc entries for processes
# ls -al /proc/1403
dr-xr-xr-x   3 root root 0 Apr 22 04:09 .
dr-xr-xr-x  78 root root 0 Apr 17 13:33 ..
dr-xr-xr-x   2 root root 0 Apr 26 19:25 attr
-r--------   1 root root 0 Apr 26 19:25 auxv
-r--r--r--   1 root root 0 Apr 26 19:24 cmdline
lrwxrwxrwx   1 root root 0 Apr 26 19:25 cwd -> /
-r--------   1 root root 0 Apr 26 19:25 environ
lrwxrwxrwx   1 root root 0 Apr 26 19:25 exe -> /sbin/syslogd
dr-x------   2 root root 0 Apr 26 19:25 fd
-r--------   1 root root 0 Apr 26 19:25 maps
-rw-------   1 root root 0 Apr 26 19:25 mem
-r--r--r--   1 root root 0 Apr 26 19:25 mounts
lrwxrwxrwx   1 root root 0 Apr 26 19:25 root -> /
-r--r--r--   1 root root 0 Apr 26 19:24 stat
-r--r--r--   1 root root 0 Apr 26 19:25 statm
-r--r--r--   1 root root 0 Apr 26 19:24 status
dr-xr-xr-x   3 root root 0 Apr 26 19:25 task
-r--r--r--   1 root root 0 Apr 26 19:25 wchan
Live Data Procedure
13. Find deleted files (continued)
exe link points to binary image file for process
Can access binary via link even if file deleted
cmdline file contains command line args
cat cmdline
fd directory lists all open files by file descriptor
> ls -al fd
total 7
dr-x------  2 root root  0 Apr 26 19:25 .
dr-xr-xr-x  3 root root  0 Apr 22 04:09 ..
lrwx------  1 root root 64 Apr 26 19:25 0 -> socket:[2715]
l-wx------  1 root root 64 Apr 26 19:25 2 -> /var/log/messages
l-wx------  1 root root 64 Apr 26 19:25 3 -> /var/log/secure
l-wx------  1 root root 64 Apr 26 19:25 4 -> /var/log/maillog
l-wx------  1 root root 64 Apr 26 19:25 5 -> /var/log/cron
l-wx------  1 root root 64 Apr 26 19:25 6 -> /var/log/spooler
l-wx------  1 root root 64 Apr 26 19:25 7 -> /var/log/boot.log
Live Data Procedure
14. Record completion date.
15. Record your actions.
history will list all of your commands
script command will record all keystrokes and output of commands
script /mnt/floppy/log.txt
16. Record secure checksums on files
md5sum * >md5sums.txt
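The /proc technique of step 13, as an added example that is not from the slides: a small script that lists a process's unlinked-but-open files from its fd links, copies one out through the link, and records the copy's checksum as step 16 asks. It assumes Linux procfs and GNU coreutils; the file, process and paths in the demonstration are constructed.

```shell
#!/bin/bash
# Added example (not from the slides): find files a process still holds open
# after they were unlinked (step 13) and copy them out through the /proc fd
# link, recording the copy's checksum for md5sums.txt (step 16).
# Assumes Linux procfs and GNU coreutils; reading another user's
# /proc/PID/fd requires root.

# deleted_open_files PID -> one "FD PATH" line per unlinked file still open
deleted_open_files() {
    local pid=$1 link target
    for link in /proc/"$pid"/fd/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        case "$target" in
            *" (deleted)") printf '%s %s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# recover_deleted_fd PID FD DEST -> copies the file's current content to DEST
# (the data stays on disk while the descriptor is open) and prints its MD5
recover_deleted_fd() {
    local pid=$1 fd=$2 dest=$3
    cat "/proc/$pid/fd/$fd" > "$dest" || return 1
    md5sum "$dest" | cut -d' ' -f1
}

# Demonstration on a constructed file: open it, delete it, recover it.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'constructed log line\n' > "$dir/app.log"
    exec 3< "$dir/app.log"        # this shell now holds the file open
    rm "$dir/app.log"             # directory entry gone, data still live
    deleted_open_files $$         # prints the fd number and original path
    recover_deleted_fd $$ 3 "$dir/app.log.recovered"
    exec 3<&-
    cat "$dir/app.log.recovered"
}
demo
```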
Forensic Duplication
Forensic Duplicate: File that contains every bit of
information from source.
Qualified Forensic Duplicate: A file or set of files
that contains every bit of information in source,
but which may be stored in altered format.
– checksums
– compression
Restored Image: The result of restoring a qualified
forensic duplicate to another medium.
– Problems: Different drive geometries, partition tables.
Forensic Duplication
• Compare and record data checksum
– md5sum /dev/hda == md5sum hda.img
• Duplicating a drive to local media
– dd if=/dev/hda of=/mnt/disk/hda.img conv=noerror,sync,notrunc bs=16384
• Duplicating a drive across the network
– dd if=/dev/hda conv=noerror,sync | des -e -c -k password | nc -w 3 targetIP 2222
– nc -l -p 2222 | des -d -c -k password | dd of=hda.img
Forensic Duplication
Duplicating a drive to multiple files
#!/bin/bash
# Write /dev/hda as a series of 20 MB chunk files hda.1.img, hda.2.img, ...
blocksz=20480k
count=1
# count=1 limits each dd call to one chunk; dd exits 0 at end of input but
# then writes an empty file, so the size test ends the loop.
while dd if=/dev/hda of=/mnt/disk/hda.$count.img bs=$blocksz \
         skip=$((count-1)) count=1 conv=noerror,notrunc 2>/dev/null &&
      [ -s /mnt/disk/hda.$count.img ]
do
    echo "Block $count output."
    count=$((count+1))
done
rm -f /mnt/disk/hda.$count.img   # discard the empty file from the read past EOF
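A general form of the chunking loop, as an added example that is not from the slides: it writes one chunk per dd call, stops at end of input, restores the chunks into a single image and checks that the restored image's checksum matches the source. It assumes GNU dd and md5sum; the source may be a block device or, as in the constructed run below, a regular file.

```shell
#!/bin/bash
# Added example (not from the slides): split a source into fixed-size chunk
# files, restore them into one image, and verify the duplicate by checksum.
# Assumes GNU dd and md5sum; SRC may be a block device or a regular file.

# split_image SRC DESTDIR CHUNK_BYTES -> prints the number of chunks written
split_image() {
    local src=$1 dest=$2 bs=$3 n=1
    mkdir -p "$dest"
    # count=1 limits each dd call to one chunk; dd returns 0 at end of input
    # but then writes an empty file, so the size test ends the loop.
    while dd if="$src" of="$dest/chunk.$n" bs="$bs" skip=$((n-1)) count=1 \
             conv=noerror,notrunc 2>/dev/null && [ -s "$dest/chunk.$n" ]
    do
        n=$((n+1))
    done
    rm -f "$dest/chunk.$n"        # the empty file from the read past EOF
    echo $((n-1))
}

# restore_image DESTDIR OUT -> concatenates chunk.1, chunk.2, ... into OUT
restore_image() {
    local dest=$1 out=$2 n=1
    : > "$out"
    while [ -f "$dest/chunk.$n" ]; do
        cat "$dest/chunk.$n" >> "$out"
        n=$((n+1))
    done
}

# verify_duplicate A B -> returns 0 when the MD5 checksums match, 1 otherwise
verify_duplicate() {
    local a b
    a=$(md5sum "$1" | cut -d' ' -f1)
    b=$(md5sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}
```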
Evidence Handling
Original Evidence: original copy of evidence
provided for client/victim.
Best Evidence: duplication of evidence most
closely linked to original evidence.
Authentication of Evidence: testimony of
evidence collector in court that evidence is
what the proponent claims.
Evidence Handling
Chain of Custody
– Evidence must be stored in tamperproof
manner, where it cannot be accessed by
unauthorized people.
– Requirements:
• Know location of evidence at all times.
• Maintain custody of keys/passwords for access.
• Document all receipts and transfers of evidence.
• Provide testimony to defend evidence handling.
• Secure checksums of all files to validate that best evidence matches original evidence.
Evidence Handling Procedures
1. Record information about original system.
– Include photographs of system and media.
2. Create evidence tag for evidence stored.
3. Label all media with evidence label.
– Case number and evidence tag number.
– Timestamp and description of contents.
4. Store best evidence copy in evidence safe.
5. Evidence custodian records entry in log.
6. All examinations performed on forensic copy of best evidence.
7. Evidence custodian responsible for backups and audits of contents of evidence safe.
Evidence Tags
• Description of place and/or persons from whom
evidence was received.
• Description of item and data contained.
• Timestamp of when evidence received.
• Full name and signature of individual receiving
evidence.
• Case and tag number related to evidence.
• Record of all people who have possessed the
evidence, including names, timestamps, and
reasons why evidence was transferred.
Disk Data Analysis
Use Linux analysis system
– Support for wide range of filesystems: FAT12,
FAT16, FAT32, NTFS, HFS+, FFS, UFS
Mount read-only partition image via loopback
device:
– mount -r -t ntfs -o loop hda1.img /mnt/evi
Examine mounted image with standard UNIX tools.
Disk Data Analysis
Mount read-only full disk image via loopback:
– Install NASA enhanced loopback patches.
– losetup /dev/loopa hda.img
– fdisk -l /dev/loopa
Disk /dev/loopa: 255 heads, 63 sectors, 592 cylinders
Units = sectors of 1 * 512 = 512 bytes
   Device Boot    Start      End   Blocks  Id System
/dev/loopa1   *       63  7438094  3719016   7 HPFS/NTFS
/dev/loopa2      7438095  9510479 1036192+   5 Extended
/dev/loopa5      7438158  7695134  128488+  82 Lin swap
– mount -r -t ntfs /dev/loopa1 /mnt/evi
Recovering Deleted Files
Linux Tools
– fatback
• FAT/VFAT filesystem undelete by name.
– foremost
• Recovers files based on header/footer tags.
– Sleuthkit TASK
• FAT/BSD/Linux/UFS filesystems.
• Autopsy GUI forensic browser.
Recovering Unused Space
Types of Unused Space
– Unallocated space
• Disk blocks not currently allocated to any files.
– Slack space
• Unused tail of the last disk block allocated to a file, which may still hold older data.
– Free space
• Portion of disk unused by any current partition.
File Lists
Create list of all files
– Full path
– All timestamps (atime, ctime, mtime on UNIX)
– Logical file size
– Cryptographic checksum of file
Tool: CATALOG -p /mnt/loopa1
Compare checksums against known good checksums of OS distribution to find altered files.
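The checksum comparison described above, as an added example that is not from the slides: build a checksum manifest of a mounted image and compare it with a known-good manifest, reporting altered, new and missing files. It assumes GNU find, sort and md5sum; the image directory in the test is constructed.

```shell
#!/bin/bash
# Added example (not from the slides): build a checksum manifest of a mounted
# image and compare it with a known-good manifest, reporting altered, new and
# missing files. Assumes GNU find, sort and md5sum; paths are stored relative
# to the image root so a manifest from a clean install compares against
# /mnt/evi directly.

# make_manifest IMAGE_ROOT -> "md5  ./path" lines, one per regular file
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 md5sum )
}

# compare_manifest KNOWN_GOOD_FILE IMAGE_ROOT -> ALTERED/NEW/MISSING lines
# md5sum output is "<32 hex>  <path>", so the path starts at column 35;
# slicing by column keeps paths that contain spaces intact.
compare_manifest() {
    make_manifest "$2" | awk -v known="$1" '
        BEGIN {
            while ((getline line < known) > 0)
                k[substr(line, 35)] = substr(line, 1, 32)
        }
        {
            p = substr($0, 35); h = substr($0, 1, 32)
            if (!(p in k))        print "NEW " p
            else if (k[p] != h)   print "ALTERED " p
            delete k[p]
        }
        END { for (p in k) print "MISSING " p }' | sort
}
```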
Identify suspicious files
New SUID/SGID files
find /mnt/evi \( -perm -04000 -o -perm -02000 \) -print
Files with no owner
find /mnt/evi -nouser -o -nogroup
Core files may reveal attacker programs
find /mnt/evi -name core -print
String Searches
Preparations
– Recover deleted files.
– Recursively uncompress/decrypt files as needed.
Using GNU grep
grep -a -i -# -f search /dev/hda >results
-a: search binary files
-i: case insensitive
-#: number of lines of context before/after each match (e.g. -3)
-f: search file contains list of regular expressions, one per line
UNIX Forensics
1. Review log files
2. Keyword searches of disk image
3. Review configuration files
4. Identify unauthorized users/groups
5. Identify suspicious files
6. Identify suspicious processes
7. Check for backdoors
8. Analyze trust relationships
9. Check for kernel rootkits
Network Data Collection
Goals
1. Monitor specific host/network.
2. Monitor specific protocol.
3. Monitor specific person's actions.
4. Check for known attack signatures.
Process
1. Deploy sniffing hardware on appropriate network.
2. Deploy software to collect packet or session data.
3. Use data analysis software.
Deploying a Sniffer
Hub
– Hubs flood packets to all interfaces.
– Insert a hub between source and destination.
– Disadvantages: half-duplex, collisions.
SPAN Port
– Switched Port ANalyzer, aka mirror port.
– Supported by most enterprise class managed switches.
– Configure switch to mirror traffic to one port.
– Switch may drop SPAN packets when load is heavy.
TAP
– Insert between source and destination of traffic.
– 4-ports: input, output, outbound mirror, inbound mirror
Hardware Issues
Fast networks require high resources to monitor.
– High quality network card (PCIe card for gigabit)
– RAID striped disk for heavily used 100+Mbps network.
– Modern dual-core CPU.
Silent Sniffers
– Use SPAN port or TAP to avoid sending traffic.
– Configure interface without IP address to monitor while
not being scannable.
• Turn off ARP responses (ifconfig -arp eth0 up)
• Unbind NetBIOS and IPX protocols on MSWindows.
– Construct a read-only ethernet tap cable by cutting transmit wires on cable for maximum stealth.
Full Content Data
Full content data
– Captures complete packets.
– Most flexible form of network data.
– Largest type of network data.
– Can limit by IP address, protocol, etc. to reduce size.
Data file formats
– Free software uses libpcap format files.
– Sun snoop
– Many other commercial formats.
– editcap can read and write most formats.
– Free tools: tcpdump, snort, tshark, wireshark
tcpdump
• Older tool, comes with libpcap.
• Increase performance using -n to avoid DNS resolution.
• Defaults to collecting first 68 bytes.
– Collect headers for traffic analysis
• tcpdump -n -w log.pcap
– Collect full-content using -s snaplen argument:
• tcpdump -n -s 1514 -w log.pcap
• Use Berkeley Packet Filter (BPF) to limit data
– By IP address: host 10.10.10.1
– By source or destination IP address: src or dst
– By port: src port 1337, dst port 80
– By protocol: icmp, udp, tcp
– Combined: udp and dst port 53
Analysis with tcpdump
> tcpdump -n -v -r red1.1.cap -c 1 icmp
reading from file red1.1.cap, link-type EN10MB (Ethernet)
18:04:06.277539 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.1.5 > 192.168.1.2: ICMP echo request, id 44551, seq 256, length 64
> tcpdump -n -X -r red1.1.cap -c 1 tcp
reading from file red1.1.cap, link-type EN10MB (Ethernet)
17:59:22.900778 IP 192.168.1.5.32779 > 192.168.1.2.80: S 890177987:890177987(0) win 5840 <mss 1460,sackOK,timestamp 486086 0,nop,wscale 0>
0x0000: 4500 003c 6305 4000 4006 545f c0a8 0105  E..<c.@.@.T_....
0x0010: c0a8 0102 800b 0050 350f 09c3 0000 0000  .......P5.......
0x0020: a002 16d0 83e4 0000 0204 05b4 0402 080a  ................
0x0030: 0007 6ac6 0000 0000 0103 0300            ..j.........
Wireshark
• Based on libpcap like tcpdump.
• Convenient graphical interface.
– Slows down data collection, may lose packets.
– Useful for analysis.
– View filters for colorizing packet display.
– "Follow TCP Stream"
• Select one packet from a TCP session.
• Display and/or save single TCP session.
• Reconstruct files transferred via TCP file transfer protocols.
• Formerly known as Ethereal.
tshark
• Text only version of Wireshark.
– Uses libpcap and BPF like tcpdump.
• Collecting full content data
– tshark -n -s 1514 -w log.pcap
• Log rotation
– tshark -n -s 1514 -b filesize:50000 -w log.pcap
• Analysis with tshark
> tshark -n -r red1.1.cap|head -1
1 0.000000 00:c0:95:e0:0e:ac -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.37? Tell 192.168.1.1
Analysis with tshark
> tshark -n -V -r red1.1.cap
Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Aug 2, 2002 17:58:53.320480000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 60 bytes
Capture Length: 60 bytes
Protocols in frame: eth:arp
Ethernet II, Src: 00:c0:95:e0:0e:ac (00:c0:95:e0:0e:ac), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
.... ...1 .... .... .... .... = Multicast: This is a MULTICAST frame
.... ..1. .... .... .... .... = Locally Administrated Address: This is NOT a factory default address
Source: 00:c0:95:e0:0e:ac (00:c0:95:e0:0e:ac)
Address: 00:c0:95:e0:0e:ac (00:c0:95:e0:0e:ac)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
.... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
Type: ARP (0x0806)
Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:c0:95:e0:0e:ac (00:c0:95:e0:0e:ac)
Sender IP address: 192.168.1.1 (192.168.1.1)
Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
Target IP address: 192.168.1.37 (192.168.1.37)
ngrep
> ngrep -I ../ctf.pcap -q -i '^get.*cgi-bin.*%3b'
> match: ^get.*cgi-bin.*%3b
T 10.254.0.101:44355 -> 10.251.0.31:80 [AP]
GET /cgibin/chmod?file=/root/flag%3becho%20%22Team5%22%3
e/root/flag HTTP/1.1..Host: 10.251.0.31..User-Agent:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8)
Gecko/20061201 Firefox/2.0.0.8 (Ubuntufeisty)..Accept:text/xml,application/xml,application/xhtml
+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
..Accept-Language: en-us,en;q=0.5..Accept-Encoding:
gzip,deflate..Accept-Charset: ISO-8859-1,utf8;q=0.7,*;q=0.7..Keep-Alive: 300..Co
Session Data
Session: summary of packet exchange between two systems.
– TCP connections.
– UDP and ICMP request-response protocols.
– One-to-many connections like port sweeps.
Session data includes
– Source IP address and port
– Destination IP address and port
– Timestamp
– Data size
– Other items (protocol type, TCP flags, etc.)
Collecting session data
– Use a session oriented collector like NetFlow or Argus.
– Convert packet captures into session data.
argus
> argus -r ctf.pcap -w ctf.argus
> rahosts -n -r ctf.argus >hosts
0.0.0.0
2.0.0.171
10.11.241.133
10.251.0.1
10.251.0.20
10.251.0.21
10.251.0.29
> ra -n -r ctf.argus -s saddr sport daddr dport proto >flow-summary
> head flow-summary
10.251.0.35.22      10.254.0.100.48928  tcp
10.254.0.100.48926  10.251.0.35.22      tcp
10.251.0.21.902     10.253.0.101.52231  tcp
10.251.0.21.902     10.253.0.101.52229  tcp
10.251.0.35.22      10.254.0.101.40438  tcp
> ra -n -r ctf.argus -L0 src 10.251.0.21
10.251.0.21.902     10.253.0.101.52231  tcp
10.251.0.21.902     10.253.0.101.52229  tcp
tcpflow
> tcpflow -r ctf.pcap -c dst port 23 >telnet
010.254.000.101.59505-010.251.000.031.00023:
010.254.000.101.59505-010.251.000.031.00023:
010.254.000.101.59505-010.251.000.031.00023:
010.254.000.101.59505-010.251.000.031.00023:
..... ..#..'
..............!
...
BBBBBBBBBC
010.254.000.101.59505-010.251.000.031.00023: BBBBBBBBBC
010.251.000.020.60760-010.251.000.035.00023:
010.251.000.020.60760-010.251.000.035.00023:
010.251.000.020.60760-010.251.000.035.00023:
010.251.000.020.60760-010.251.000.035.00023:
010.251.000.020.60760-010.251.000.035.00023:
010.251.000.020.60760-010.251.000.035.00023:
010.251.000.020.60760-010.251.000.035.00023:
...
.. ..#..'
...
...........!
...
...
qcixctfw
010.251.000.020.60760-010.251.000.035.00023: eggs
010.251.000.020.60760-010.251.000.035.00023: /sbin/iptables -L
/bin/cat /etc/hosts.allow
/bin/cat /etc/hosts.deny
exit
snort
> snort -r ctf-practice.pcap -c /etc/snort/snort.conf -l . -b
> less alert
[**] [1:1122:5] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/16-15:27:36.368040 10.254.0.101:59614 -> 10.251.0.31:80
TCP TTL:61 TOS:0x0 ID:44688 IpLen:20 DgmLen:149 DF
***AP*** Seq: 0xBC71ADEB Ack: 0x646F2D9F Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1966949 388673
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/16-15:52:00.466694 10.251.0.35 -> 10.253.0.104
ICMP TTL:47 TOS:0x0 ID:3264 IpLen:20 DgmLen:28
Type:8 Code:0 ID:29436 Seq:19126 ECHO
[Xref => http://www.whitehats.com/info/IDS162]
[**] [122:1:0] (portscan) TCP Portscan [**]
11/16-15:52:13.568939 10.251.0.35 -> 10.253.0.104
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:160 DF
Key Points
• Don't trust the system being investigated.
• Document all of your actions.
• Collect as much data as possible without modifying system state.
• Cryptographically sign all digital data so copies can be verified to match originals.
• Forensic duplication and restoration process.
• Network capture and analysis tools.
– Hardware for network captures.
– Full content data: tcpdump, ngrep
– Session data: argus, tcpflow