Chapter 14: Computer and Network Forensics
Guide to Computer Network Security

Computer Forensics
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. It arose as a result of the growing problem of computer crimes.
Computer crimes fall into two categories:
– The computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes. Investigation into these crimes often involves searching computers suspected to be involved.
– The computer itself is the victim of a crime – this is commonly referred to as incident response. It refers to the examination of systems that have been remotely attacked.
Forensics experts follow clear, well-defined methodologies and procedures.
Kizza - Guide to Computer Network Security 2

History of Computer Forensics
– Computer forensics started a few years ago, when it was simple to collect evidence from a computer.
– While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.

Basic forensic methodology consists of:
– Acquire the evidence without altering or damaging the original:
  Look for evidence
  Recover evidence
  Handle evidence with care
  Preserve evidence
– Authenticate that your recovered evidence is the same as the originally seized data.
– Analyze the data without modifying it.

Acquire the Evidence
Keep in mind that every case is different.
Do not disconnect the computers – evidence may exist only in RAM – so collect information from the live system.
Consider the following issues:
– Handling the evidence – if you do not take care of the evidence, the rest of the investigation will be compromised.
– Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with the evidence. The chain should answer:
  Who collected it?
  How and where?
  Who took possession of it?
  How was it stored and protected in storage?
  Who took it out of storage and why?

Storage Media
Hard Drives
– Make an image copy and then restore the image to a freshly wiped hard drive for analysis.
– Remount the copy and start to analyze it.
– Before opening it, get information on its configuration.
– Use tools to generate a report listing the disk's contents (PartitionMagic).
– View operating system logs.

Handle Evidence With Care
– Collection: you want the evidence to be so pure that it supports your case.
– Identification: methodically identify and label every single item that comes out of the suspect's/victim's location.
– Transportation: evidence is not supposed to be moved, so when you do move it, be extremely careful.
– Storage: keep the evidence in a cool, dry, and appropriate place for electronic evidence.
– Documenting the investigation: the most difficult step for computer professionals, because technical people are not good at writing down the details of the procedures.

Authenticating Evidence
Authenticating evidence is difficult because:
– Crime scenes change
– Evidence is routinely damaged by environmental conditions
– Computer devices slowly deteriorate
Keep proof of integrity and timestamp the evidence by computing cryptographic hashes of the data files.
– Two algorithms (MD5 and SHA-1) are in common use today.

Analysis
Use any well-known analysis tools.
Make two backups.

Data Hiding
There are several techniques by which intruders may hide data:
– Obfuscating data through encryption and compression.
– Hiding through codes, steganography, deleted files, slack space, and bad sectors.
– Blinding investigators by changing the behavior of system commands and modifying operating systems.
Use commonly known tools to overcome these techniques.

Network Forensics
Unlike computer forensics, which retrieves information from the computer's disks, network forensics additionally retrieves information on which network ports were used to access the network. Several differences separate the two, including the following:
– Unlike computer forensics, where the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly having the higher level of knowledge of the system, the network investigator and the adversary are at the same skill level.
– In many cases the investigator and the adversary use the same tools: one to cause the incident, the other to investigate it. In fact, many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, which are used to gain information on network configurations, can be used by both the investigator and the criminal.
– While computer forensics deals with extraction, preservation, identification, documentation, and analysis, and still follows well-defined procedures springing from law enforcement for acquiring evidence, providing chain of custody, authenticating, and interpreting it, network forensics has nothing to investigate unless measures (like packet filters, firewalls, and intrusion detection systems) were in place prior to the incident.

Network Forensics: Intrusion Analysis
Network intrusions can be difficult to detect, let alone analyze. A port scan can take place without being quickly detected, and, more seriously, a stealthy attack on a crucial system resource may be hidden behind a simple, innocent-looking port scan.
So the purpose of intrusion analysis is to seek answers to the following questions:
– Who gained entry?
– Where did they go?
– How did they do it?

Damage Analysis
It is difficult to effectively assess the damage caused by system attacks. Damage analysis provides a trove of badly needed information showing how widespread the damage was, who was affected, and to what extent.

To produce a detailed report of an intrusion, the investigator must carry out a post mortem of the system by analyzing and examining the following:
– System registry, memory, and caches. To achieve this, the investigator can use dd on Linux and Unix systems.
– Network state, to assess network accesses and connections. Here netstat can be used.
– Currently running processes, to assess the number of active processes. Use ps on both Unix and Linux.
– Data acquisition of all unencrypted data. This can be done by computing MD5 and SHA-1 hashes of all files and directories. Then store this data in a secure place.

Forensic Electronic Toolkit
Computer and network forensics involves and requires:
– Identification
– Extraction
– Preservation
– Documentation
A lot of tools are needed for thorough work.
The "forensically sound" method is never to conduct any examination on the original media.
Before you use any forensic software, make sure you know how to use it, and also that it works.
Tools:
– Hard Drive – use partitioning and viewing tools (PartInfo and PartitionMagic).
– File Viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (QuickView Plus, Conversion Plus, DataViz, ThumbsPlus).

More tools (cont.)
– Unerase – if the files are no longer in the recycle bin, or you are dealing with old systems without recycle bins.
– CD-R/W – examine them as carefully as possible.
  Use CD-R Diagnostics.
– Text – because text data can be huge, use fast scanning tools like dtSearch.
Other kits:
– Forensic Toolkit – command-line utilities used to reconstruct access activities in NT file systems.
– The Coroner's Toolkit – to investigate a hacked Unix host.
– ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.
– New Technologies Incorporated (NTI)
– EnCase
– Hardware – Forensic-computers.com
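The "Authenticating evidence" slide and the "Data acquisition" step of the post mortem both rely on MD5 and SHA-1 digests of every file. The following added example (not from the book) shows the mechanics: build a timestamped manifest of both digests over an acquired tree, then verify a working copy against it so that a same-size edit or a missing file is flagged. The sample tree is constructed inside a temporary directory; the function names are this example's own.

```python
import hashlib
import os
import tempfile
import time

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image need not fit in RAM

def hash_file(path):
    """Return (md5, sha1) hex digests of one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def build_manifest(root):
    """Record both digests of every regular file under root, keyed by relative
    path so the manifest stays valid when the image is restored elsewhere."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = hash_file(full)
    return {"acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "files": files}

def verify_copy(manifest, root):
    """Compare a working copy against the manifest; a file is 'modified' if
    either digest differs, so a same-size edit is still caught."""
    now, exp = build_manifest(root)["files"], manifest["files"]
    return {"modified": sorted(p for p in exp if p in now and now[p] != exp[p]),
            "missing": sorted(p for p in exp if p not in now),
            "added": sorted(p for p in now if p not in exp)}

def demo():
    """Constructed sample tree: verify a faithful copy, then a tampered one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        sample = {"etc/passwd": "root:x:0:0:root:/root:/bin/sh\n", "notes.txt": "sample\n"}
        for rel, text in sample.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        manifest = build_manifest(root)
        clean = verify_copy(manifest, root)          # faithful copy: no findings
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("sampl3\n")                      # same length, one byte changed
        os.remove(os.path.join(root, "etc/passwd"))  # one file gone
        tampered = verify_copy(manifest, root)
    return clean, tampered
```

In practice the manifest is written to separate, write-protected storage at acquisition time, since a manifest kept beside the evidence can be altered together with it.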
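The "Data Hiding" slide lists slack space as a hiding place. This added example (not from the book) makes that concrete on a constructed disk image with 512-byte clusters: file slack is the unused tail of a file's last allocated cluster, which ordinary file tools never show, so an examiner checks whether that region is all zeros. The image layout, directory format, and function names are this example's own simplification, not a real file system.

```python
CLUSTER = 512  # constructed image uses 512-byte clusters (FAT-style allocation unit)

def build_image(entries, cluster=CLUSTER):
    """Lay files out cluster by cluster and return (image_bytes, directory).
    entries: list of (name, content, slack_payload); slack_payload is what an
    intruder left in the unused tail of the file's last cluster (b'' = clean)."""
    image, directory, next_cluster = bytearray(), [], 0
    for name, content, payload in entries:
        n_clusters = max(1, -(-len(content) // cluster))   # ceiling division
        block = bytearray(n_clusters * cluster)              # allocation unit, zeroed
        block[:len(content)] = content
        assert len(content) + len(payload) <= len(block), "payload must fit in slack"
        block[len(content):len(content) + len(payload)] = payload
        image += block
        directory.append({"name": name, "start": next_cluster, "size": len(content)})
        next_cluster += n_clusters
    return bytes(image), directory

def file_slack(image, entry, cluster=CLUSTER):
    """Return the bytes between the logical end of a file and the end of its
    last allocated cluster: the region normal file tools never show."""
    start = entry["start"] * cluster
    end_of_data = start + entry["size"]
    n_clusters = max(1, -(-entry["size"] // cluster))
    end_of_alloc = start + n_clusters * cluster
    return image[end_of_data:end_of_alloc]

def scan_slack(image, directory, cluster=CLUSTER):
    """Report every file whose slack is not all zeros (freshly allocated slack is
    zero; anything else is a remnant of an earlier file or deliberately hidden)."""
    findings = {}
    for entry in directory:
        slack = file_slack(image, entry, cluster)
        if any(slack):
            findings[entry["name"]] = slack.rstrip(b"\x00")
    return findings

def demo():
    """Constructed sample: three files, one with a note parked in its slack."""
    entries = [
        ("readme.txt", b"A" * 300, b"hidden note"),   # 212 bytes of slack, used
        ("full.bin", b"B" * 1024, b""),                # exactly 2 clusters, no slack
        ("log.txt", b"C" * 700, b""),                  # 324 bytes of slack, clean
    ]
    image, directory = build_image(entries)
    return scan_slack(image, directory)
```

A real examination reads the cluster size and directory entries from the file system itself; the check that matters is the same, comparing each file's logical size against its allocated size and inspecting the difference.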