940 likes | 1.28k Vues
CSE 4482: Computer Security Management: Assessment and Forensics. Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 3-5 pm (CSEB 3043), or by appointment. Textbooks:
E N D
CSE 4482: Computer Security Management: Assessment and Forensics Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 3-5 pm (CSEB 3043), or by appointment. Textbooks: 1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition 2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.
GFCI Ch 1: Computer Forensics Objectives Define computer forensics Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations Explain the importance of maintaining professional conduct 2
What is Computer Forensics? Definition: Involves obtaining and analyzing digital information, often as evidence in civil, criminal, or administrative cases Computer forensics: Investigates data that can be retrieved from a computer’s hard disk or other storage media Task of recovering data that users have hidden or deleted and using it as evidence Evidence can be inculpatory (“incriminating”) or exculpatory 3
Computer Forensics Versus Other Related Disciplines Network forensics Yields information about how a perpetrator or an attacker gained access to a network Data recovery Recovering information that was deleted by mistake, or lost during a power surge or server crash Typically you know what you’re looking for 4
Computer Forensics Versus Other Related Disciplines (continued) Disaster recovery Uses computer forensics techniques to retrieve information their clients have lost Investigators often work as a team to make computers and networks secure in an organization 5
Digital Evidence • Locard’s principle: “every contact leaves a trace” • any information, stored or transmitted in digital form, that a party to a court case may use at a trial To be accepted in court, digital evidence must meet certain criteria … • Admissibility • Authenticity
Case study • In this case, American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence. Among other problems, the court said that Amex failed to provide adequate information about its computer policy & system control procedures, control of access to relevant databases & programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records. • The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ...“ • http://www.proofspace.com/technology/discovery.php
Lessons • Document your access control and backup procedures and policies and test effectiveness of your controls. • Have the changes to your databases and content/record management system routinely recorded and logged. • Protect your electronic record from post-archival tampering with modern data integrity and trusted time-stamping technologies. • Document the audit procedures you use to provide assurance of the continuing authenticity of the records. • http://www.proofspace.com/technology/discovery.php
Computer Forensics: A Brief History By the 1970s, electronic crimes were increasing, especially in the financial sector Most law enforcement officers didn’t know enough about computers to ask the right questions Or to preserve evidence for trial • 1980s • PCs gained popularity and different OSs emerged • Disk Operating System (DOS) was available • Forensics tools were simple, and most were generated by government agencies 10
A Brief History (1980s) Mid-1980s Xtree Gold appeared on the market Recognized file types and retrieved lost or deleted files Norton DiskEdit soon followed And became the best tool for finding deleted file • 1987 Apple Mac SE - A Macintosh with an external EasyDrive hard disk with 60 MB of storage 11
A Brief History (1990s) Tools for computer forensics were available International Association of Computer Investigative Specialists (IACIS) Training on software for forensics investigations IRS created search-warrant programs ExpertWitness for the Macintosh First commercial GUI software for computer forensics Created by ASR Data ExpertWitness for the Macintosh Recovers deleted files and fragments of deleted files Large hard disks posed problems for investigators Other software iLook AccessData Forensic Toolkit (FTK) 12
Understanding Case Law Technology is evolving at a very rapid pace Existing laws and statutes cannot keep up Case law used when statutes or regulations don’t exist Case law allows legal counsel to use previous cases similar to the current one Because the laws don’t yet exist Each case is evaluated on its own merit and issues Computer Crime & Intellectual Property document at US DoJ:http://www.cybercrime.gov/ssmanual/index.html 13
Case study • “… an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes.” • case law does not involve creating new criminal offenses
Developing Computer Forensics Resources know more than one computing platform Such as DOS, Windows 9x, Linux, Macintosh, and current Windows platforms Join many computer user groups - Computer Technology Investigators Network (CTIN) Meets monthly to discuss problems that law enforcement and corporations face High Technology Crime Investigation Association (HTCIA) Exchanges information about techniques related to computer investigations and security 15
Developing Computer Forensics Resources (continued) User groups can be helpful Build a network of computer forensics experts and other professionals And keep in touch through e-mail Outside experts can provide detailed information you need to retrieve digital evidence 16
Case Study A user group helped convict a child molester in Pierce County, Washington, in 1996. The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The investigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard commands and other information needed to gain access to the system. On the suspect’s computer, the investigator found a diary detailing the suspect’s actions over the past 15 years, including the molestation of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.
Investigating Computers Typically includes • collecting computer data securely, • examining suspect data to determine details such as origin and content, • presenting compute-based information to courts, and • applying laws to computer practice. Two distinct categories • Public investigations • Private or corporate investigations
Public investigations Involve government agencies responsible for criminal investigations and prosecution Organizations must observe legal guidelines Law of search and seizure: Protects rights of all people, incl. suspects 19
Private Investigations Private or corporate investigations Deal with private companies, non-law-enforcement government agencies, and lawyers Aren’t governed directly by criminal law or Fourth Amendment issues Governed by internal policies that define expected employee behavior and conduct in the workplace Private corporate investigations also involve litigation disputes Investigations are usually conducted in civil cases 20
Understanding Law Enforcements Agency Investigations In a criminal case, a suspect is tried for a criminal offense Such as burglary, murder, or molestation Computers and networks are only tools that can be used to commit crimes Many states have added specific language to criminal codes to define crimes involving computers Following the legal process Legal processes depend on local custom, legislative standards, and rules of evidence 21
Understanding LEA Investigations (continued) Criminal case follows three stages: The complaint, the investigation, and the prosecution 22
Understanding LEA Investigations (continued) A criminal case begins when someone finds evidence of an illegal act Complainant makes an allegation, an accusation or supposition of fact A police officer interviews the complainant and writes a report about the crime Police blotter provides a record of clues to crimes that have been committed previously Investigators delegate, collect, and process the information related to the complaint 23
Understanding LEA Investigations (continued) After a case is built, the information is turned over to the prosecutor Affidavit Sworn statement of support of facts about or evidence of a crime Submitted to a judge to request a search warrant Have the affidavit notarized under sworn oath Judge must approve and sign a search warrant, it can be used to collect evidence 24
Understanding Corporate Investigations Private or corporate investigations Involve private companies and lawyers who address company policy violations and litigation disputes Corporate computer crimes can involve: E-mail harassment Falsification of data Gender and age discrimination Embezzlement Sabotage Industrial espionage 26
Preventive measures Establishing company policies One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow Published company policies provide a line of authority For a business to conduct internal investigations Well-defined policies Give computer investigators and forensic examiners the authority to conduct an investigation Displaying Warning Banners Another way to avoid litigation Usually appears when a computer starts or connects to the company intranet, network, or virtual private network 27
Preventive measures (continued) Warning banner Informs end users that the organization reserves the right to inspect computer systems and network traffic at will Establishes the right to conduct an investigation As a corporate computer investigator Make sure company displays well-defined warning banner 28
More on Corporate Investigations Designating an authorized requester Authorized requester has the power to conduct investigations Policy should be defined by executive management Groups that should have direct authority to request computer investigations Corporate Security Investigations Corporate Ethics Office Corporate Equal Employment Opportunity Office Internal Auditing The general counsel or Legal Department 29
Ch 2: Understanding Computer Investigations Objectives: • Explain how to prepare a computer investigation • Apply a systematic approach to an investigation • Describe procedures for corporate high-tech investigations • Explain requirements for data recovery workstations and software • Describe how to conduct an investigation • Explain how to complete and critique a case
Preparing a Computer Investigation Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy Collect evidence that can be offered in court or at a corporate inquiry Investigate the suspect’s computer Preserve the evidence on a different computer Follow an accepted procedure to prepare a case Chain of custody: Route the evidence takes from the time you find it until the case is closed or goes to court 31
Case study: CD Universe Prosecution Failure • “An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January 2000. Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December 1999. Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established. • Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”
An Overview of a Computer Crime Computers can contain information that helps law enforcement determine: Chain of events leading to a crime Evidence that can lead to a conviction Law enforcement officers should follow proper procedure when acquiring the evidence Digital evidence can be easily altered by an overeager investigator Information on hard disks might be password protected Guidelines: Ch 1, 2 inhttp://www.cybercrime.gov/ssmanual/index.html 33
An Overview of a Company Policy Violation Employees misusing resources can cost companies millions of dollars Misuse includes: Surfing the Internet Sending personal e-mails Using company computers for personal tasks Example: Two employees have gone missing… 35
Taking a Systematic Approach Steps for problem solving Make an initial assessment about the type of case you are investigating Determine a preliminary design or approach Create a detailed checklist Determine the resources you need Obtain and copy an evidence disk drive Identify the risks Mitigate or minimize the risks Test the design 36
Taking a Systematic Approach II Steps for problem solving (continued) Analyze and recover the digital evidence Investigate the data you recover Complete the case report Critique the case 37
Assessing the Case Systematically outline the case details Situation Nature of the case Specifics of the case Type of evidence Operating system Known disk format Location of evidence Based on case details, you can determine the case requirements Type of evidence Computer forensics tools Special operating systems 38
Planning an Investigation A basic investigation plan should include: Acquire the evidence Complete an evidence form and establish a chain of custody Transport the evidence to a computer forensics lab Secure evidence in an approved secure container Prepare a forensics workstation Obtain the evidence from the secure container Make a forensic copy of the evidence Return the evidence to the secure container Process the copied evidence with computer forensics tools 39
Securing Your Evidence Use evidence bags to secure and catalog the evidence Use computer safe products Antistatic bags Antistatic pads Use well padded containers Use evidence tape to seal all openings Floppy disk or CD drives Power supply electrical cord Write your initials on tape to prove that evidence has not been tampered with Consider computer specific temperature and humidity ranges 40
Procedures for Corporate High-Tech Investigations Develop formal procedures and informal checklists, to cover all issues important to high-tech investigations Majority of investigative work for termination cases involves employee abuse of corporate assets 41
Internet abuse investigations To conduct an investigation you need: Organization’s Internet proxy server logs Suspect computer’s IP address Suspect computer’s disk drive Your preferred computer forensics analysis tool Recommended steps Use standard forensic analysis techniques and procedures Use appropriate tools to extract all Web page URL information Contact the network firewall administrator and request a proxy server log Compare the data recovered from forensic analysis to the proxy server log Continue analyzing the computer’s disk drive data 42
E-mail abuse investigations To conduct an investigation you need: An electronic copy of the offending e-mail that contains message header data If available, e-mail server log records For e-mail systems that store users’ messages on a central server, access to the server Access to the computer for performing forensic analysis Your preferred computer forensics analysis tool Recommended steps Use the standard forensic analysis techniques Obtain an electronic copy of the suspect’s and victim’s e-mail folder or data For Web-based e-mail investigations, use tools such as FTK’s Internet Keyword Search option to extract all related e-mail address information Examine header data of all messages of interest 43
Attorney-Client Privilege Investigations Under attorney-client privilege (ACP) rules for an attorney You must keep all findings confidential The extra secrecy introduces additional problems 44
Media Leak Investigations In the corporate environment, controlling sensitive data can be difficult Consider the following for media leak investigations Examine e-mail Examine Internet message boards Examine proxy server logs Examine known suspects’ workstations Examine all company telephone records Steps to take for media leaks Interview management privately To get a list of employees who have direct knowledge of the sensitive data Identify media source that published the information Review company phone records Obtain a list of keywords related to the media leak Perform keyword searches on proxy and e-mail servers 45
Media Leak Investigations II Steps to take for media leaks (continued) Discreetly conduct forensic disk acquisitions and analysis From the forensic disk examinations, analyze all e-mail correspondence And trace any sensitive messages to other people Expand the discreet forensic disk acquisition and analysis Consolidate and review your findings periodically Routinely report findings to management 46
Industrial Espionage Investigations All suspected industrial espionage cases should be treated as criminal investigations Staff needed Computing investigator who is responsible for disk forensic examinations Technology specialist who is knowledgeable of the suspected compromised technical data Network specialist who can perform log analysis and set up network sniffers Threat assessment specialist (typically an attorney) Many guidelines in the text. 47
Understanding Data Recovery Workstations and Software Investigations are conducted on a computer forensics lab (or data-recovery lab) Computer forensics and data-recovery are related but different Computer forensics workstation Specially configured personal computer Loaded with additional bays and forensics software To avoid altering the evidence use: Forensics boot floppy disk Write-blockers devices 48
Setting Up your Computer for Computer Forensics Basic requirements A workstation running Windows XP or Vista A write-blocker device Computer forensics acquisition tool Computer forensics analysis tool Target drive to receive the source or suspect disk data Spare PATA or SATA ports USB ports Additional useful items Network interface card (NIC) Extra USB ports FireWire 400/800 ports SCSI card Disk editor tool Text editor tool Graphics viewer program Other specialized viewing tools 49
Bit-Stream Copies Bit-stream copy Bit-by-bit copy of the original storage medium Exact copy of the original disk Different from a simple backup copy Backup software only copy known files Backup software cannot copy deleted files, e-mail messages or recover file fragments Bit-stream image File containing the bit-stream copy of all data on a disk or partition Also known as forensic copy Copy image file to a target disk that matches the original disk’s manufacturer, size and model 50