91.580.203 Computer & Network Forensics
Xinwen Fu

Chapter 1: Computer Forensics and Investigations as a Profession

Outline
- Understand computer forensics
- Prepare for computer investigations
- Understand enforcement agency investigations
- Understand corporate investigations
- Maintain professional conduct

91.580.203 INFA721/CIS418-BIS@DSU Dr. Xinwen Fu

Understanding Computer Forensics
- Computer forensics involves obtaining and analyzing digital information from individual computers for use as evidence in civil, criminal, or administrative cases
- Network forensics yields information about how a perpetrator or hackers gained access to a network
- The Fourth Amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure
- What happened in O.J. Simpson's case?

Understanding Computer Forensics (continued)
- When preparing to search for evidence in a criminal case, include the suspect's computers and their components in the search warrant
- Computer forensics is a very complicated process; legal, political, business, and technical factors shape every investigation
- Prison Break (politics)

CSIRT: Computer Security Incident Response Team
- Manages investigations and conducts forensic analysis of systems
- Draws on resources from those involved in:
  - vulnerability assessment
  - risk management
  - network intrusion detection
  - incident response
- Resolves or terminates all case investigations

Components of CSIRT (diagram)
- Vulnerability assessment and risk management
- Computer investigations and network intrusion detection
- Incident response

Vulnerability Assessment and Risk Management
- Test and verify the integrity of standalone workstations and network servers
- Examine the physical security of systems and the security of operating systems (OSs) and applications
- Test for known vulnerabilities of OSs
- Launch attacks on the network, workstations, and servers to assess vulnerabilities

Computer Investigations
- Involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court
- The evidence can be inculpatory or exculpatory (Duke lacrosse team rape charge)
- The objective is different from that of data recovery or disaster recovery
- Investigating computers includes:
  - securely collecting and searching computer data
  - examining suspect data to determine details such as origin and content
  - presenting computer-based information to courts
  - applying laws to computer practice

Network Intrusion Detection and Incident Response Functions
- Detect intruder attacks using automated tools and by monitoring network firewall logs manually
- Track, locate, and identify the intruder
- Deny further access to the network
- Collect evidence for civil or criminal litigation against the intruders

Course Outline (CSIRT incident response process diagram)
- Pre-incident preparation
- Incident occurs: point-in-time or ongoing
- Detection of incidents
- Initial response
- Formulate response strategy
- Investigate the incident: data collection, data analysis
- Reporting
- Resolution and recovery; implement security measures

A Brief History of Computer Forensics
- Mainframe era
  - Well-known crimes: the one-half cent ($12.234) case
- PC era
  - By the early 1990s, specialized tools for computer forensics were available
  - ASR Data created the tool Expert Witness for the Macintosh: recovers deleted files and file fragments
  - EnCase, by one member of ASR Data
  - FTK (AccessData's Forensic Toolkit)
  - iLook (reading disk images)

Computer Investigations and Forensics
- Public investigations
  - Target criminal cases
  - Conducted by government agencies
  - Follow the law of search and seizure/enforcement (www.usdoj.gov/criminal/cybercrime)
- Private or corporate investigations
  - Target civil cases
  - Conducted by private companies/lawyers
  - Follow private or corporate policies

Understanding Enforcement Agency Investigations
- Understand local city, county, state, and federal laws on computer-related crimes
- Until 1993, laws defining computer crimes did not exist
- States have added specific language to their criminal codes to define crimes that involve computers
- "Computers and networks are only tools that can be used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house"
- Possible computer crimes: data theft, child molestation images, drug transaction information on a hard disk

Legal Process for Computer Crimes
A criminal case follows three stages (diagram: Complaint, then Investigation, then Prosecution):
- Complaint: someone files a complaint
- Investigation: a specialist investigates the complaint
- Prosecution: the prosecutor collects evidence and builds a case

Levels of Law Enforcement Expertise for Police (CTIN)
- Level 1 (street police officer): acquiring and seizing digital evidence
- Level 2 (detective): managing high-tech investigations
  - Teaching the investigator what to ask for
  - Understanding computer terminology
  - What can and cannot be retrieved from digital evidence
- Level 3 (computer forensics expert): specialist training in retrieving digital evidence

Typical Affidavit of Search Warrant for Seizing Evidence (figure)

Understanding Corporate Investigations
- Business must continue with minimal interruption from your investigation
- The investigation is secondary to stopping the violation and minimizing the damage or loss to the business
- Can Microsoft shut down their servers for forensics purposes?

Establishing Company Policies
- Company policies are built in order to avoid litigation
- Without defined policies, a business risks exposing itself to litigation by current or former employees
- Policies provide rules for using company computers and networks

Displaying Policy Warning Banners
- Avoid litigation by displaying a warning banner on computer screens
- A banner:
  - Informs users that the organization can inspect computer systems and network traffic at will
  - Voids the right of privacy
  - Establishes authority to conduct an investigation

Displaying Warning Banners (continued) (figure)

Displaying Warning Banners (continued)
- Types of warning banners:
  - For internal employee access (intranet Web page access)
  - For external visitor access (Internet Web page access)

Displaying Warning Banners (continued)
- Examples of warning banners:
  - Access to this system and network is restricted
  - Use of this system and network is for official business only
  - Systems and networks are subject to monitoring at any time by the owner
  - Using this system implies consent to monitoring by the owner
  - Unauthorized or illegal users of this system or network will be subject to discipline or prosecution

Banner Example in Reality
- Recall: why do we need policies and warning banners?
- Courts have ruled that company-owned equipment does not contain any "personal information"
- Without them, your authority to inspect might conflict with the user's expectation of privacy, and a court might have to determine the issue of authority to inspect

Mercury.cs.uml.edu Banner (figure)

Texas A&M CS Department Banner (figure)

SSHD Banner
- By default the sshd server has this feature turned off
- Log in as the root user; then create your login banner file:
  1. Edit /etc/ssh/sshd-banner
  2. Edit /etc/ssh/sshd_config and add: Banner /etc/ssh/sshd-banner
  3. Save the file and restart the sshd server: /etc/init.d/sshd restart
- Reference: http://www.cyberciti.biz/tips/how-to-force-sshd-server-to-display-login-banner-before-login-change-the-ssh-server-sshd-login-banner.html

Linux Console Login Banner
- File /etc/issue, default contents:
  1. Fedora Core release 3 (Heidelberg)
  2. Kernel \r on an \m
- \r: OS release, such as "Kernel 2.6.17"
- \m: machine, such as "i686"

Windows XP Logon Warning Message
1. Click Start / Control Panel
2. Double-click Administrative Tools / Local Security Policy / Security Options
3. Set "Interactive logon: Message text for users attempting to log on"
4. Set "Interactive logon: Message title for users attempting to log on"
5. Log off and log on to test
- References:
  - http://www.ciac.org/ciac/bulletins/j-043.shtml
  - http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Miscellaneous/LogonBanner-DisplayingWarningMessage.html

Designating an Authorized Requester
- Not everyone should be an investigator
- Establish a line of authority
- Specify an authorized requester who has the power to conduct investigations
- Groups who can request investigations:
  - Corporate Security Investigations
  - Corporate Ethics Office
  - Corporate Equal Employment Opportunity Office
  - Internal Auditing
  - The general counsel or legal department

Conducting Security Investigations
- Public investigations search for evidence to support criminal allegations
- Private investigations search for evidence to support allegations of abuse of a company's assets and criminal complaints
- Abuse or misuse of corporate assets:
  - E-mail abuse / malicious e-mail
  - Excessive private Internet abuse
  - Employee company startup
  - Porn site

Employee Abuse of Computer Privilege (figure)
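Worked example, added here and not part of the slides or of any tool they cite: a POSIX shell script that carries out the sshd banner and /etc/issue steps from the banner slides above, using the banner sentences from the "Examples of warning banners" slide as the text. The file paths /etc/ssh/sshd-banner, /etc/ssh/sshd_config and /etc/issue are the ones on the slides; the script name banner.sh, the --install flag and the function names are assumptions made for this example. The functions take the file paths as arguments so they can be tried against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the slides): install a login warning banner for sshd
# and for the console (/etc/issue). File paths are passed as arguments so the
# functions can be exercised against a scratch directory without root.
set -eu

# Banner text built from the example lines on the "Examples of warning
# banners" slide.
banner_text() {
    cat <<'EOF'
*** WARNING ***
Access to this system and network is restricted.
Use of this system and network is for official business only.
Systems and networks are subject to monitoring at any time by the owner.
Using this system implies consent to monitoring by the owner.
Unauthorized or illegal users of this system or network will be subject to
discipline or prosecution.
EOF
}

# write_banner_file FILE: create the file sshd shows before authentication.
write_banner_file() {
    banner_text > "$1"
    chmod 0644 "$1"
}

# set_sshd_banner SSHD_CONFIG BANNER_FILE: make "Banner BANNER_FILE" the only
# Banner directive. sshd honours the first occurrence of a keyword, so a stale
# "Banner none" left above a newly appended line would silently win; every
# existing Banner line (active or commented out) is removed first, which also
# makes the function safe to run repeatedly.
set_sshd_banner() {
    config=$1
    banner=$2
    tmp="$config.tmp.$$"
    [ -f "$config" ] || : > "$config"
    grep -v -i -E '^[[:space:]]*#?[[:space:]]*Banner([[:space:]]|$)' "$config" > "$tmp" || true
    printf 'Banner %s\n' "$banner" >> "$tmp"
    mv "$tmp" "$config"
}

# effective_sshd_banner SSHD_CONFIG: print the value sshd will use (the first
# active Banner line), or "none" when no directive is present.
effective_sshd_banner() {
    awk 'tolower($1)=="banner" {print $2; found=1; exit}
         END {if (!found) print "none"}' "$1"
}

# write_issue ISSUE_FILE: console banner printed by getty before the login
# prompt. \r and \m are expanded at display time to the kernel release and the
# machine type, as described on the /etc/issue slide.
write_issue() {
    {
        banner_text
        printf 'Kernel \\r on an \\m\n'
    } > "$1"
}

# issue_has_consent_line ISSUE_FILE: succeed if the consent-to-monitoring
# sentence, the one that matters for the authority-to-inspect argument on the
# "Banner Example in Reality" slide, is present.
issue_has_consent_line() {
    grep -q 'implies consent to monitoring' "$1"
}

# Real installation (needs root): sh banner.sh --install
if [ "${1:-}" = "--install" ]; then
    write_banner_file /etc/ssh/sshd-banner
    set_sshd_banner /etc/ssh/sshd_config /etc/ssh/sshd-banner
    write_issue /etc/issue
    echo "sshd will use banner: $(effective_sshd_banner /etc/ssh/sshd_config)"
    echo "now run: sshd -t && /etc/init.d/sshd restart"
fi
```

After writing the real files, validate the configuration with sshd -t before restarting the daemon as the slide does; sshd -T (run as root) prints the effective configuration, including the banner line, which is a quicker check than opening a new SSH session. The banner is displayed before authentication, so it reaches unauthenticated visitors as well as employees, which is the external-visitor case the "types of warning banners" slide distinguishes.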
Distinguishing Personal and Company Property
- PDAs and personal notebook computers
  - An employee hooks up his PDA device to his company computer
  - The company gives a PDA to an employee as a bonus
- What is your opinion of company policies on those items?

Maintaining Professional Conduct
- Professional conduct determines credibility
  - Ethics
  - Morals
  - Standards of behavior
- Conduct yourself with integrity
- Maintain objectivity and confidentiality
- Enrich technical knowledge

Maintaining Objectivity
- Sustain unbiased opinions of your cases
- Avoid making conclusions about the findings until all reasonable leads have been exhausted and you have considered all the available facts
- Ignore external biases to maintain the integrity of the fact-finding in all investigations

Keep the Case Confidential
- Until you are designated as a witness or required to release a report at the direction of the attorney or court

Enrich Technical Knowledge
- Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
- Learn about the latest investigation techniques that can be applied to the case
- Record fact-finding methods in a journal
  - Include dates and important details that serve as memory triggers
  - Develop a routine of regularly reviewing the journal to keep past achievements fresh

Enrich Technical Knowledge (continued)
- Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
- Monitor the latest book releases and read as much as possible about computer investigations and forensics
- Computer Technology Investigators Northwest (CTIN)
- High Technology Crime Investigation Association (HTCIA)
- LISTSERV or Majordomo mailing lists
- Certificate: EC-Council CHFI (Computer Hacking Forensic Investigator)