1 / 53

CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics. Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 3-5 pm (CSEB 3043), or by appointment. Textbooks:

cjamerson
Télécharger la présentation

CSE 4482: Computer Security Management: Assessment and Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSE 4482: Computer Security Management: Assessment and Forensics Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 3-5 pm (CSEB 3043), or by appointment. Textbooks: 1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition 2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.

  2. Performing RAID Data Acquisitions Size is the biggest concern Many RAID systems now have terabytes of data What is RAID and what is it used for? Redundant array of independent (formerly “inexpensive”) disks (RAID) Computer configuration involving two or more disks Originally developed as a data-redundancy measure 2

  3. Raid Techniques

  4. RAID: Mirroring 4

  5. RAID : Bit-level Striping 5

  6. RAID versions RAID 0 Provides rapid access and increased storage Lack of redundancy RAID 1 Designed for data recovery More expensive than RAID 0 RAID 2 Similar to RAID 1 Data is written to a disk on a bit level Has better data integrity checking than RAID 0 Slower than RAID 0 6

  7. RAID: Block level striping 7

  8. RAID versions II RAID 3 Uses data striping and dedicated parity RAID 4 Data is written in blocks RAID 5 Similar to RAIDs 0 and 3 Places parity recovery data on each disk RAID 6 Redundant parity on each disk RAID 10, or mirrored striping Also known as RAID 1+0 Combination of RAID 1 and RAID 0 8

  9. Acquiring RAID Disks Concerns How much data storage is needed? What type of RAID is used? Do you have the right acquisition tool? Can the tool read a forensically copied RAID image? Can the tool read split data saves of each RAID disk? Older hardware-firmware RAID systems can be a challenge when you’re making an image 9

  10. Acquiring RAID Disks (continued) Vendors offering RAID acquisition functions Technologies Pathways ProDiscover Guidance Software EnCase X-Ways Forensics Runtime Software R-Tools Technologies Occasionally, a RAID system is too large for a static acquisition Retrieve only the data relevant to the investigation with the sparse or logical acquisition method 10

  11. Using Remote Network Acquisition Tools You can remotely connect to a suspect computer via a network connection and copy data from it Remote acquisition tools vary in configurations and capabilities Drawbacks LAN’s data transfer speeds and routing table conflicts could cause problems Gaining the permissions needed to access more secure subnets Heavy traffic could cause delays and errors 11

  12. Remote Acquisition with ProDiscover With ProDiscover Investigator you can: Preview a suspect’s drive remotely while it’s in use Perform a live acquisition Encrypt the connection Copy the suspect computer’s RAM Use the optional stealth mode ProDiscover Incident Response additional functions Capture volatile system state information Analyze current running processes Locate unseen files and processes Remotely view and listen to IP ports Run hash comparisons Create a hash inventory of all files remotely 12

  13. Remote Acquisition with ProDiscover (continued) PDServer remote agent ProDiscover utility for remote access Needs to be loaded on the suspect PDServer installation modes Trusted CD Preinstallation Pushing out and running remotely PDServer can run in a stealth mode Can change process name to appear as OS function 13

  14. Remote Acquisition with ProDiscover (continued) Remote connection security features Password Protection Encryption Secure Communication Protocol Write Protected Trusted Binaries Digital Signatures 14

  15. Remote Acquisition with EnCase Enterprise Remote acquisition features Remote data acquisition of a computer’s media and RAM data Integration with intrusion detection system (IDS) tools Options to create an image of data from one or more systems Preview of systems A wide range of file system formats RAID support for both hardware and software 15

  16. Remote Acquisition with R-Tools R-Studio R-Tools suite of software is designed for data recovery Remote connection uses Triple Data Encryption Standard (3DES) encryption Creates raw format acquisitions Supports various file systems 16

  17. Remote Acquisition with Runtime Software Utilities DiskExplorer for FAT DiskExplorer for NTFS HDHOST Features for acquisition Create a raw format image file Segment the raw format or compressed image Access network computers’ drives 17

  18. Using Other Forensics-Acquisition Tools Tools SnapBack DatArrest SafeBack DIBS USA RAID ILook Investigator IXimager Vogon International SDi32 ASRData SMART Australian Department of Defence PyFlag 18

  19. SnapBack DatArrest Columbia Data Products Old MS-DOS tool Can make an image on three ways Disk to SCSI drive Disk to network drive Disk to disk Fits on a forensic boot floppy SnapCopy adjusts disk geometry 19

  20. NTI SafeBack Reliable MS-DOS tool Small enough to fit on a forensic boot floppy Performs an SHA-256 calculation per sector copied Creates a log file Functions Disk-to-image copy (image can be on tape) Disk-to-disk copy (adjusts target geometry) Copies a partition to an image file Compresses image files 20

  21. More tools DIBS USA RAID (Rapid Action Imaging Device) Makes forensically sound disk copies Portable computer system designed to make disk-to-disk images Copied disk can then be attached to a write-blocker device ILook Investigator IXimager Runs from a bootable floppy or CD Designed to work only with ILook Investigator Can acquire single drives and RAID drives 21

  22. More tools II Vogon International SDi32 Creates a raw format image of a drive Write-blocker is needed when using this tool Password Cracker POD Device that removes the password on a drive’s firmware card ASRData SMART Linux forensics analysis tool that can make image files of a suspect drive Capabilities Robust data reading of bad sectors on drives Mounting suspect drives in write-protected mode Mounting target drives in read/write mode Optional compression schemes 22

  23. Next: Network Forensics Guide to Computer Forensics and Investigations, Third Edition, Chapter 11 23

  24. Objectives Describe the importance of network forensics Explain standard procedures for performing a live acquisition Explain standard procedures for network forensics Describe the use of network tools 24

  25. Network Forensics Overview Network forensics Systematic tracking of incoming and outgoing traffic To ascertain how an attack was carried out or how an event occurred on a network Intruders leave trail behind Determine the cause of the abnormal traffic Internal bug Attackers 25

  26. Securing a Network Layered network defense strategy Sets up layers of protection to hide the most valuable data at the innermost part of the network Defense in depth (DiD) Similar approach developed by the NSA Modes of protection People Technology Operations 26

  27. Securing a Network (continued) Testing networks is as important as testing servers You need to be up to date on the latest methods intruders use to infiltrate networks, and methods internal employees use to sabotage networks 27

  28. Performing Live Acquisitions Live acquisitions are especially useful when you’re dealing with active network intrusions or attacks Live acquisitions done before taking a system offline are also becoming a necessity Because attacks might leave footprints only in running processes or RAM Live acquisitions don’t follow typical forensics procedures Order of volatility (OOV) How long a piece of information lasts on a system 28

  29. Performing Live Acquisitions (continued) Steps Create or download a bootable forensic CD Make sure you keep a log of all your actions A network drive is ideal as a place to send the information you collect Copy the physical memory (RAM) The next step varies, depending on the incident you’re investigating Be sure to get a forensic hash value of all files you recover during the live acquisition 29

  30. Performing a Live Acquisition in Windows Several bootable forensic CDs are available Such as Helix and DEFT Helix operates in two modes: Windows Live (GUI or command line) and bootable Linux The Windows Live GUI version includes a runtime prompt for accessing the command line GUI tools are easy to use, but resource intensive 30

  31. Performing a Live Acquisition in Windows (continued) 31

  32. Performing a Live Acquisition in Windows (continued) 32

  33. Developing Standard Procedures for Network Forensics Long, tedious process Standard procedure Always use a standard installation image for systems on a network Close any way in after an attack Attempt to retrieve all volatile data Acquire all compromised drives Compare files on the forensic image to the original installation image 33

  34. Developing Standard Procedures for Network Forensics II Computer forensics Work from the image to find what has changed Network forensics Restore drives to understand attack Work on an isolated system Prevents malware from affecting other systems 34

  35. Reviewing Network Logs Record ingoing and outgoing traffic Network servers Routers Firewalls Tcpdump tool for examining network traffic Can generate top 10 lists Can identify patterns Attacks might include other companies Do not reveal information discovered about other companies 35

  36. Using Network Tools Sysinternals A collection of free tools for examining Windows products Examples of the Sysinternals tools: RegMon shows Registry data in real time Process Explorer shows what is loaded Handle shows open files and processes using them Filemon shows file system activity 36

  37. Using Network Tools (continued) 37

  38. Using Network Tools (continued) Tools from PsTools suite created by Sysinternals PsExec runs processes remotely PsGetSid displays security identifier (SID) PsKill kills process by name or ID PsList lists details about a process PsLoggedOn shows who’s logged locally PsPasswd changes account passwords PsService controls and views services PsShutdown shuts down and restarts PCs PsSuspend suspends processes 38

  39. Using UNIX/Linux Tools Knoppix Security Tools Distribution (STD) Bootable Linux CD intended for computer and network forensics Knoppix-STD tools Dcfldd, the U.S. DoD dd version memfetch forces a memory dump photorec grabs files from a digital camera snort, an intrusion detection system oinkmaster helps manage your snort rules 39

  40. Using UNIX/Linux Tools (continued) Knoppix-STD tools (continued) john chntpw resets passwords on a Windows PC tcpdump and ethereal are packet sniffers With the Knoppix STD tools on a portable CD You can examine almost any network system 40

  41. Using UNIX/Linux Tools (continued) 41

  42. Using UNIX/Linux Tools (continued) The Auditor Robust security tool whose logo is a Trojan warrior Based on Knoppix and contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more Includes forensics tools, such as Autopsy and Sleuth Easy to use and frequently updated 42

  43. Using Packet Sniffers Packet sniffers Devices or software that monitor network traffic Most work at layer 2 or 3 of the OSI model Most tools follow the PCAP format Some packets can be identified by examining the flags in their TCP headers 43

  44. Using Packet Sniffers (continued) 44

  45. Using Packet Sniffers (continued) Tools Tcpdump Tethereal Snort Tcpslice Tcpreplay Tcpdstat Ngrep Etherape Netdude Argus Ethereal 45

  46. Using Packet Sniffers (continued) 46

  47. Examining the Honeynet Project Attempt to thwart Internet and network hackers Provides information about attacks methods Objectives are awareness, information, and tools Distributed denial-of-service (DDoS) attacks A recent major threat Hundreds or even thousands of machines (zombies) can be used 47

  48. Examining the Honeynet Project (continued) 48

  49. Examining the Honeynet Project (continued) Zero day attacks Another major threat Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available Honeypot Normal looking computer that lures attackers to it Honeywalls Monitor what’s happening to honeypots on your network and record what attackers are doing 49

  50. Examining the Honeynet Project (continued) Its legality has been questioned Cannot be used in court Can be used to learn about attacks Manuka Project Used the Honeynet Project’s principles To create a usable database for students to examine compromised honeypots Honeynet Challenges You can try to ascertain what an attacker did and then post your results online 50

More Related