240 likes | 328 Vues
Computer Forensics in Practice. Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005. Communication and Information System Control and Operation Centre Information Security Centre. InfoSec Centre Chief mjr. Ing. Albert VAJÁNYI Division Chief
E N D
Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005
Communication and Information System Control and Operation CentreInformation Security Centre InfoSec Centre Chief mjr. Ing. Albert VAJÁNYI Division Chief 1Lt. Ing. Boris ZEMEK (c) May 2005
What is computer forensics anyway? The application of computer investigations and analysis techniques in the interests of determining potential legal evidence. Computer specialists can draw on an array of methods for discovering deleted, encrypted or damaged file information. (Rorrins, 1997)
You don’t know what happened on your network. A network forensic analysis tool can effectively answer the difficult question “What happened?” in the aftermath of a security incident. That tool provides a passive network monitoring solution that visualizes the network activity. A network forensics analysis tool can visualize and analyze data from firewalls, IDS, IPS, syslogs, audit systems and more.
Key Features of Forensic Tools • Data collection and visualization • Monitor and analyze data from all seven layers of the Open Systems Interconnection (OSI) stack • Relational, Tree ontology for knowledge base • TCP dump recording: records traffic being monitored in an unprocessed, binary state • Pattern and content analysis • Powerful visualizations expose anomalous activities, providing visibility into network communications before, during and after a suspicious event • Functions irrespective of language using n-gram analysis
Key Features of Forensic Tools • Forensic analysis and investigation - Graphical arrangements include source, destination, time, type and duration of communication and content - Rebuild crime pattern - Playback events - Generate reports and visual representations of the suspicious activity - Report on key security and network parameters
Forensics Technology Services – FTS • Digital Evidence Recovery It is a technique of finding and extraction evidence. A lot of times the legislative designates how to confidence a digital evidence. • Cyber Forensics Some specialists score incidents to the network. Cyber Forensics shows who made an attack.
Forensics Technology Services – FTS • Forensic Data Analysis It is an interpretation of vast multiple data by using visualization techniques. • Document Management Services Making documents accessible helps sharing essential knowledge. In your investigations you can draw upon modern document management tools that allow you to archive, search, find, organising and reproduce documents.
Requirements for Forensics Tools COLLECTING ANALYZING 2D or 3D VISUALIZATION Real-Time Post Event Data Visualization Knowledge Base Meta Data and Content Analysis Context Analyzer Traffic Analysis Database
Types of Collecting Data All logs are collecting to the Central logs base!!! Types: - IDS/IPS logs - Firewall logs - Sys logs - SQUID logs - Audit system logs - and more
Server Farm Server Farm Server Farm Server Farm Security operation centre Network operation centre Network monitoring Security Alarms Service Alarms Central logs base Security Information Management System Any Public Network Intranet
Security Information Management What is Security Information Management (SIM)? SIM provides a simple mechanism that allows security teams to collect and analyze vast amounts of security alert data. More specifically, SIM solutions collect, analyze and correlate – in real-time – all security device information across an entire enterprise. Correlated results are then displayed on a centralized real-time console that is part of an intuitive graphical user interface.
Security Information Management SIM can be divided into four different phases: • Normalization • Aggregation • Correlation • Visualization SIM utilizes normalization, aggregation, and correlation to siftthrough mountains of security activity data on a real-time basis –correlating events, flagging and rating the potential seriousness ofall attacks, compromises, and vulnerabilities. The power of SIM technology allows a relatively small security staff to dramaticallyreduce the time between attack and response. .
Security Information Management Normalization is the process ofgathering individual security device data and putting it into a context that iseasier to understand,mapping differentmessages about the same security eventsto a common alarm ID. Keeping in mindthat there are no standards in the securitydevice industry, normalization alone is atremendous asset to security teams. Aggregation eliminates redundant orduplicate event data from the securityevent data stream, refining and optimizingthe amount of information that ispresented to security analysts.
Security Information Management Correlation uses software technologyto analyze aggregated data, in real-time, to determine if specific patterns exist.These patterns of similar security events often correspond to specific securityattacks – whether denial of service,anti virus, or some other form of attack. Visualization, the final step in SIM, isthe graphical representation of correlatedinformation in a single, real-time console. Effective visualization lets security operatorsquickly identify and respond to securitythreats as they occur, before they createproblems within the enterprise.
Changed to 100 NF types 9 categories of NF alarms Original logs from systems - around 20 000 types Sep 27 16:22:43 dmzserver su(pam_unix)[10983]: session opened for user nf by root(uid=0) Access / Authentication / Authorization Forbidden Database Access Application Exploit Configuration / System Status Privilege Escalation Evasion Policy Violations Security Policy Change Reconnaissance Sep 27 16:36:12 [192.168.177.1] Sep 27 2004 16:36:12: %PIX-6-605005: Login permitted from 192.168.177.2/44743 to inside:192.168.177.1/ssh for user "pix_ADMIN“ Attempts Authentication succeed Unknown / Suspicious Virus / Trojan Systems alarms remapping
Server Farm Server Farm Server Farm Server Farm Security operation centre Network operation centre Place Forensics Tool in Network Security Alarms Service Alarms Security Information Management System Central logs base Any Public Network Forensics Tool Intranet
Network Forensics Analyzer Examples of Visualization
Visualization of Firewall Data • Quickly visualize and understand relationships in firewall data across time • Source_IP ——— # of occurrences ——— Dest_IP
Source_IP versus Firewall Action • Source_IP ——— # of occurrences——— Firewall Action • Green = Accept Red = Reject Blue = Drop
Event Correlation Blocked Firewall Traffic VPN Traffic Events Overlay Intrusion Detection System Alerts
Thank You ! E – mail:infosec@mil.sk