Network Forensics

An example of a computer crime, a VIRTUAL crime, that needs computer forensic expertise. Your company has recently hired a new salesman. Six months after his hire, he leaves your company and forms a competing business, sending letters to all of your clients. You may think this a bit odd and contact an attorney to consider filing a suit. What has occurred is a virtual theft: the salesman stole a copy of your client database. Note that this is a VIRTUAL theft. Since you were not deprived of any property (he didn't delete it, just copied it), you will likely not be able to prosecute him criminally, so the evidence you can preserve and authenticate will have to carry a civil case instead.
What is Computer Forensics?
• Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root-cause analysis.
• It arose as a result of the growing problem of computer crimes.
• Computer crimes fall into two categories:
• The computer is a tool used in a crime. Because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes. Investigation of these crimes often involves searching computers suspected to be involved.
• The computer itself is the victim of a crime. This is commonly referred to as incident response: the examination of systems that have been remotely attacked.
• Forensics experts follow clear, well-defined methodologies and procedures, because evidence handled informally can be challenged and excluded later.
Computer forensics started only a few years ago, when it was simple to collect evidence from a computer.
• While basic forensic methodologies remain the same, technology itself is rapidly changing, which is a constant challenge to forensic specialists.
• Basic forensic methodology consists of three steps:
• Acquire the evidence without altering or damaging the original.
• Authenticate that your recovered evidence is the same as the originally seized data.
• Analyze the data without modifying it.
Acquire the Evidence
• Keep in mind that every case is different.
• Do not simply disconnect the computers: some evidence (running processes, open network connections, keys of mounted encrypted volumes) may exist only in RAM, so collect volatile information from the live system first. Every action on a live system changes it, so record each command, its time and its output as you go.
• Consider the following issues:
• Handling the evidence: if you do not take care of the evidence, the rest of the investigation will be compromised.
• Chain of custody: the goal of maintaining a good chain of custody is to ensure evidence integrity and to prevent, or at least detect, tampering with the evidence. The chain-of-custody record should answer:
• Who collected it?
• How and where?
• Who took possession of it?
• How was it stored and protected in storage?
• Who took it out of storage and why?
Collection
• You want the evidence to be untainted, so that it supports your case instead of giving the other side grounds to have it excluded.
• Identification
• Methodically identify and label every single item that comes out of the suspect's or victim's location.
• Transportation
• Evidence is not supposed to be moved, so when you must move it, be extremely careful.
• Storage
• Keep the evidence in a cool, dry place appropriate for electronic evidence (away from magnetic fields and static), with access controlled and logged.
• Documenting the investigation
• This is the most difficult part for computer professionals, because technical people are often not good at writing down the details of the procedures they followed; yet those notes are what make the work reproducible and defensible.
Authenticating Evidence
• It is difficult because:
• Crime scenes change.
• Evidence is routinely damaged by environmental conditions.
• Computer devices slowly deteriorate.
• Keep proof of integrity by computing a cryptographic hash of the data at the time of seizure and recording it, with a timestamp, in the case notes. A hash (not encryption) is what later lets you show that a copy is bit-for-bit identical to the original.
• Two algorithm families (MD5 and SHA) are in common use today. MD5 collisions are now practical, so record a SHA-2 digest (for example SHA-256) as well; recording both also helps when an older tool reports only MD5.
• Analysis
• Make at least two working copies; analyze a copy, never the original.
• Use well-known, tested analysis tools.
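The authenticate step above and the chain-of-custody questions from the Acquire the Evidence slide, as an added Python example that is not part of the original slides: it hashes an acquired image in chunks (MD5 and SHA-256 together, as the slide recommends), verifies a working copy against the digests recorded at seizure, and keeps a custody log in which every entry carries the hash of the previous one, so a later edit of the record is detectable. The file names, examiner names, locations and the random "image" contents are constructed for the demonstration.

```python
"""Added example (not from the original slides): authenticate an acquired
image by hashing, verify working copies, and keep a tamper-evident
chain-of-custody record."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # 1 MiB: hash multi-GB images without loading them into RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, reading the file once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(recorded, copy_path):
    """True only if every digest recorded at seizure matches the copy."""
    return hash_file(copy_path, tuple(recorded)) == recorded


class CustodyLog:
    """Chain-of-custody record answering who / how and where / when, plus
    the evidence digests.  Each entry stores the SHA-256 of the previous
    entry, so editing or deleting an earlier entry breaks the chain and
    verify() reports it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        canonical = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, who, action, where, evidence_hashes, when=None):
        prev = self._digest(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "who": who,
            "action": action,           # how it was collected or handed over
            "where": where,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence": dict(evidence_hashes),
            "prev": prev,
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        expected = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != expected:
                return False
            expected = self._digest(entry)
        return True


def demo():
    """Constructed scenario: a seized image, a faithful working copy and a
    copy with a single flipped bit.  Returns the results of the checks."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "suspect.img")
        good_copy = os.path.join(workdir, "work1.img")
        bad_copy = os.path.join(workdir, "work2.img")
        data = os.urandom(3 * CHUNK_SIZE + 17)   # constructed, spans >1 chunk
        for path in (original, good_copy):
            with open(path, "wb") as fh:
                fh.write(data)
        with open(bad_copy, "wb") as fh:
            fh.write(data[:-1] + bytes([data[-1] ^ 0x01]))

        recorded = hash_file(original)            # digests taken at seizure
        log = CustodyLog()
        log.record("examiner A", "imaged drive through write blocker",
                   "suspect's office", recorded)
        log.record("examiner B", "received drive, placed in evidence locker 3",
                   "forensics lab", recorded)
        return {
            "good_copy_ok": verify_copy(recorded, good_copy),
            "bad_copy_ok": verify_copy(recorded, bad_copy),
            "log_ok": log.verify(),
        }


if __name__ == "__main__":
    print(demo())
```

The custody log only proves that the record itself was not quietly rewritten; the who/where/when it contains are still as good as the discipline of the people filling it in, which is why the slide stresses documentation.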
Tracking the Offender
• Keep in mind that cyber sleuths often have to track their offenders across a digital matrix of hosts, providers and jurisdictions.
• Digital forensic techniques and tools are still relatively immature, so you have little to run on.
• Tracing IP addresses
• An IP address may be disguised in a URL as a single decimal number instead of a dotted quad (the dotted quad is just that number written in base 256). The ping command accepts the decimal form and echoes the dotted quad, which converts it for you.
• For MAC addresses use the ARP tables, but be aware that MAC addresses can be changed by software, and a NIC can be changed, removed or replaced.
• Beware of DNS: a reverse lookup (IP to name) is answered by whoever controls the reverse zone and can be misleading, so confirm it with a forward lookup of the name and query by IP address as well.
• After getting some information, try a traceroute.
• Learn to read an email trail: each relay prepends its own Received header, so read them from the bottom up to follow the message's path, and trust only the hops stamped by servers you control, since the sender can forge the earlier ones.
• NetBIOS, a Windows protocol that used to run exclusively on LANs (instead of TCP/IP), now runs on top of TCP/IP to cover WANs; the nbtstat utility can display protocol statistics and the current NetBIOS-over-TCP/IP connections.
• Other tracing tools include NeoTrace and NetScan Pro. These can do a traceroute with extra lookups along the way.
• Use IDS logs.
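Reading an email trail and the decimal-IP trick from the slide above, as an added Python example that is not part of the original slides: it walks the Received headers of a constructed message from the bottom up, pulls out the relay and the connecting IP of each hop, marks which hops were stamped by our own mail servers, and converts between the decimal and dotted-quad forms of an address. The message, the host names and the domain "yourcompany.example" are all constructed for the demonstration.

```python
"""Added example (not from the original slides): read an e-mail trail by
walking the Received headers from the bottom up, and convert the decimal
form of an IPv4 address that the slide mentions."""
import ipaddress
import re
from email import message_from_string, policy

# Constructed message.  The two upper hops were stamped by an outside relay
# and by our own MX; the bottom hop is whatever the sender's software wrote.
SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [198.51.100.7])
\tby mx.yourcompany.example (Postfix) with ESMTP id 4ABC123;
\tMon, 3 Mar 2003 10:00:05 +0000
Received: from [203.0.113.5] (helo=desktop) by mail.relay.example
\twith esmtp id 1ABCDE; Mon, 3 Mar 2003 09:59:40 +0000
Received: from trusted.bank.example (trusted.bank.example [10.0.0.1])
\tby desktop with SMTP; Mon, 3 Mar 2003 09:59:00 +0000
From: sales@competitor.example
To: client@yourcompany.example
Subject: We have moved

body text
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<src>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I | re.S)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """Pull the claimed source, its IP (if the relay logged one) and the
    receiving host out of one unfolded Received header value."""
    m = HOP_RE.search(value)
    if not m:
        return {"src": None, "ip": None, "by": None}
    ip = IPV4_RE.search(m.group("src"))
    return {
        "src": m.group("src").split()[0],
        "ip": ip.group(0) if ip else None,
        "by": m.group("by"),
    }


def trace_path(raw, our_domain):
    """Hops in delivery order (origin first).  A hop is trusted only if it
    was stamped by a server under our_domain; everything below the first
    trusted hop could have been written by the sender."""
    msg = message_from_string(raw, policy=policy.default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    hops.reverse()                     # headers are prepended, so bottom = origin
    suffix = "." + our_domain.lower()
    for hop in hops:
        by = (hop["by"] or "").lower()
        hop["trusted"] = by == our_domain.lower() or by.endswith(suffix)
    return hops


def decimal_to_dotted(n):
    """http://3221225985/ is 192.0.2.1 written as one base-256 number."""
    return str(ipaddress.IPv4Address(n))


def dotted_to_decimal(dotted):
    return int(ipaddress.IPv4Address(dotted))


if __name__ == "__main__":
    for hop in trace_path(SAMPLE, "yourcompany.example"):
        flag = "trusted" if hop["trusted"] else "claimed"
        print(f"{flag:8} {hop['src']} ({hop['ip']}) -> {hop['by']}")
    print(decimal_to_dotted(3221225985))
```

In the sample the bottom hop claims to come from a bank, but only the hop stamped by mx.yourcompany.example can be relied on, and that hop tells you where to send your next request for logs: the operator of 198.51.100.7.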
Storage Media
• Hard Drives
• Make an image copy (through a write blocker, so the source is never written to), hash both the source and the image, and then restore the image to a freshly wiped hard drive for analysis.
• Mount the copy read-only and start to analyze it.
• Before opening it, get information on its configuration (partition table, filesystem types, unallocated space).
• Use tools to generate a report listing the disk's contents (e.g. PartitionMagic).
• View the operating system logs.
Encryption and Forensics
• Many times the evidence may be encrypted. Find a way to decrypt it while preserving its integrity: work on a copy, and look for keys or passphrases in RAM captures, configuration files and other seized media before trying to break the encryption itself.
• In addition to encryption, encoding and compression of data may make the forensic work difficult.
• Find a way to identify and reverse the compression and encoding, so that the decoded content can be searched.
Data Hiding
• There are several techniques intruders may use to hide data:
• Obfuscating data through encryption and compression.
• Hiding through encoding, steganography, embedding data in file names, obscurity, and unnamed or misnamed files (for example an archive renamed with a .txt extension).
• Blinding investigators by changing the behavior of system commands and modifying the operating system (rootkits), so that the tools on the compromised host lie about what is present.
• Use well-known tools to overcome these techniques: file signature analysis instead of trusting extensions, known-good binaries run from your own media, and steganography detectors.
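Misnamed and unnamed files from the slide above, as an added Python example that is not part of the original slides: it identifies a file by its leading signature bytes and compares that with what the extension claims, so a ZIP renamed to .txt, an executable posing as a PDF, or a file with no extension at all is flagged. The signature table is a short constructed subset (the file utility's libmagic database is far larger), and the sample files are constructed byte strings.

```python
"""Added example (not from the original slides): identify files by their
leading signature bytes instead of trusting the name, to catch renamed,
extension-less and otherwise disguised files."""
import os

# Leading bytes of common formats.  The `file` utility carries a much
# larger table (libmagic); this short one is for the demonstration.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",      # also docx/xlsx/jar, which are ZIP containers
    b"%PDF-": "pdf",
    b"MZ": "exe",              # DOS/Windows executables and DLLs
    b"\x7fELF": "elf",
    b"\x1f\x8b": "gzip",
}

# What each extension claims to be, using the same type names.
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
    "pdf": "pdf", "exe": "exe", "dll": "exe", "gz": "gzip",
    "txt": "text",             # no signature: plain text never "matches"
}


def identify(data):
    """Type name for the longest matching signature, or None."""
    best = None
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, kind)
    return best[1] if best else None


def triage(name, data):
    """Compare the claimed type (from the extension) with the detected one."""
    detected = identify(data)
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    claimed = EXTENSION_TYPES.get(ext)
    if detected is None:
        verdict = "unknown signature"     # worth a closer look, not yet a finding
    elif not ext:
        verdict = "no extension"
    elif claimed is None:
        verdict = "unfamiliar extension"
    elif claimed == detected:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"name": name, "claimed": claimed, "detected": detected, "verdict": verdict}


# Constructed samples: only the first bytes matter for the check.
SAMPLES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"PK\x03\x04\x14\x00"),         # a ZIP archive renamed .txt
    ("clients", b"%PDF-1.4\n"),                   # a PDF with no extension
    ("report.pdf", b"MZ\x90\x00\x03"),            # executable disguised as a PDF
    ("cache.dat", b"\x00\x00\x00\x00"),           # nothing recognisable
]


def triage_all(samples=SAMPLES):
    return [triage(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['name']:14} claimed={result['claimed']} "
              f"detected={result['detected']} -> {result['verdict']}")
```

Run this over a directory listing from the image, not the live host, since a rootkit on the live host may hide or misreport exactly the files you are looking for.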
Hostile Code
• Any unauthorized code on your computer. It is becoming increasingly significant.
• Hostile code falls into two categories:
• Manual, operated by an attacker: network tools that allow unauthorized access (NetBus, Back Orifice, IRC-based backdoors), rootkit utilities that silently replace legitimate binaries with hostile versions, log manipulators, vulnerability scanners, and DDoS attack tools.
• Autonomous, running without an operator: viruses and worms (Melissa), time bombs, DDoS agents, and IRC bots.
Forensic Electronic Toolkit
• Computer and network forensics involves and requires:
• Identification
• Extraction
• Preservation
• Documentation
• A lot of tools are needed for thorough work.
• The "forensically sound" method is never to conduct any examination on the original media.
• Before you use any forensic software, make sure you know how to use it, and also that it works (test it on known data, and note the version you used).
• Tools:
• Hard Drive: partitioning and viewing tools (PartInfo and PartitionMagic).
• File Viewers: to thumb through stacks of data and images looking for incriminating or relevant evidence (Quick View Plus, Conversions Plus, DataViz, ThumbsPlus).
More Tools (cont.)
• Unerase: if the files are no longer in the recycle bin, or you are dealing with old systems without recycle bins.
• CD-R/W: examine them as carefully as possible; use CD-R Diagnostics.
• Text: because text data can be huge, use fast indexed search tools like dtSearch.
• Other kits:
• Forensic Toolkit: command-line utilities used to reconstruct access activity on NT file systems.
• The Coroner's Toolkit: to investigate a hacked Unix host.
• ForensiX: an all-purpose set of data collection and analysis tools that run primarily on Linux.
• New Technologies Incorporated (NTI)
• EnCase
• Hardware: Forensic-computers.com
Forensics Based on OS Brands
• Investigating
• Windows computers: pay attention to the Registry. It contains a wealth of information (installed software, recently used files, network shares, autostart entries).
• Unix: take a look at the password files, the shell (history and startup files), and the filesystem.
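The Unix password file from the slide above, as an added Python example that is not part of the original slides: it runs a first pass over a constructed /etc/passwd and flags the entries an investigator looks at first, namely extra UID 0 accounts, accounts with an empty password field, system accounts that have been given an interactive shell, shared UIDs and malformed lines. The sample file, the planted "toor" and "mysql" entries, and the Debian-style cutoff for system UIDs are constructed or assumed for the demonstration.

```python
"""Added example (not from the original slides): a first pass over a Unix
password file taken from the image, flagging entries worth a closer look."""
import collections

# Constructed /etc/passwd with planted problems (toor, mysql, alice/bob).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
mysql::112:118:MySQL Server:/nonexistent:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/zsh
broken line without fields
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh",
                      "/bin/csh", "/bin/tcsh", "/bin/dash"}
SYSTEM_UID_MAX = 999   # assumption: Debian-style layout; adjust for the host examined


def audit_passwd(text):
    """Return a list of (who, reason) findings for the given passwd text."""
    findings = []
    uid_owners = collections.defaultdict(list)
    names = collections.Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        names[name] += 1
        try:
            uid = int(uid)
        except ValueError:
            findings.append((name, "non-numeric uid"))
            continue
        uid_owners[uid].append(name)
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if pw == "":                      # "x" means look in /etc/shadow; "" means no password
            findings.append((name, "empty password field: no password needed"))
        if uid <= SYSTEM_UID_MAX and name != "root" and shell in INTERACTIVE_SHELLS:
            findings.append((name, "system account with interactive shell"))
    for uid, owners in uid_owners.items():
        if len(owners) > 1 and uid != 0:  # uid 0 duplicates are reported above
            findings.append((",".join(owners), f"shared uid {uid}"))
    for name, count in names.items():
        if count > 1:
            findings.append((name, "duplicate username"))
    return findings


if __name__ == "__main__":
    for who, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{who:12} {reason}")
```

Pair this with the same pass over /etc/shadow from the image (hash fields that are empty or have changed since the last known-good backup), and with the shell history files of every account that is flagged.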
Internet Data Incident Response Guidelines
• Restore service safely.
• Estimate the extent and cost of the incident.
• Identify the source of the attack and the attacker's motivation.
• Deter future crime.
• Recover losses.
• Protect the public image.
• Conduct due diligence.
• Assume corporate responsibility.
• Increase understanding of the security landscape.
Roles and Responsibilities
• To facilitate teamwork, the organization's roles must be assigned as follows:
• Corporate security and incident team
• Security investigator
• Emergency response core team
• Application owner
• Application developer
• System owner/administrator
• Network administrator
• Firewall administrator
• Security consultants