
Lecture Security+ Certification: Chapter 11 - Athena Center


DOCUMENT INFORMATION

Basic information

Format
Pages: 90
Size: 1.51 MB


Contents

Chapter 11 - Incident response. The main contents of this chapter include all of the following: Incident response overview, computer forensics defined, contemporary issues in computer forensics, forensic process, forensic tools, forensic problems, the future of computer forensics.

Page 1

Chapter 11

Incident Response

Page 2

Incident Response Overview

Page 3

Incident Response – Why is it Critical?

• Find out what happened
• How it happened
• Who did it
• Create a record of the incident for later use

Page 4

Elements of Incident Response

Page 6

Identification

The process of determining whether or not an incident has occurred and the nature of an incident. Identification may occur through the use of automated network intrusion equipment or by a user or SA.

Identification is a difficult process. Noticing the symptoms of an incident is often difficult. There are many false positives. However, noticing an anomaly should drive the observer to investigate further.

Page 7

Who can identify an Incident

• my files have changed
• files missing, accounts added/deleted, weird stuff happening, anomalies in the logs
• Automatically ID violations to policies

Page 8

Possible Incident Classifications

• Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization.
• Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization.
• Unauthorized Unsuccessful Attempted Access – Repeated attempts to gain access as root or user on the same host, service, or system with a certain number of connections from the same source.

Page 9

Possible Incident Classifications (cont.)

• Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.
• Poor Security Practices – Bad passwords, direct privileged logins, etc., which are collected from network monitor systems.
• Denial of Service (DoS) Attacks – Any action that preempts or degrades performance of a system or network, affecting the mission, business, or function of an organization.
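The identification slide says anomalies in the logs are one way an incident is noticed, and the classification slides define "Unauthorized Unsuccessful Attempted Access" by a certain number of connections from the same source. The following added example (not from the Athena slides) shows the two ideas joined: it parses a constructed sshd-style auth log, counts failures per (user, source, host), and emits a record in the form the "create a record of the incident for later use" slide asks for. The log format, the threshold of 5 attempts, the class names and the (user, source) allow-list are assumptions made for this example.

```python
# Added example (not from the Athena slides): parse a constructed
# sshd-style auth log and map what it shows onto three of the incident
# classes the slides list. The log format, the 5-attempt threshold and
# the "authorized" allow-list are assumptions made for this example.
import re
from collections import Counter

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 10 03:14:01 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:03 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jan 10 03:14:05 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 10 03:14:07 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jan 10 03:14:09 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 03:14:11 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51127 ssh2
Jan 10 03:20:00 host1 sshd[2300]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 03:21:00 host1 sshd[2301]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Jan 10 03:22:00 host1 sshd[2302]: Failed password for bob from 198.51.100.9 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)

FAILED_THRESHOLD = 5  # assumed "certain number of connections from the same source"


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def make_record(classification, event, first_seen):
    """The record kept for later use: what happened, where, who, and when."""
    return {
        "class": classification,
        "host": event["host"],
        "source": event["src"],
        "user": event["user"],
        "first_seen": first_seen,
        "last_seen": event["ts"],
    }


def classify(events, authorized=frozenset(), threshold=FAILED_THRESHOLD):
    """Map parsed events onto incident classes.

    `authorized` holds (user, source) pairs that are expected to log in;
    any other accepted login is treated as unauthorized access."""
    failed = Counter()
    first_seen = {}
    incidents = []
    for e in events:
        key = (e["user"], e["src"], e["host"])
        first_seen.setdefault(key, e["ts"])
        if e["result"] == "Failed":
            failed[key] += 1
            if failed[key] == threshold:  # raise once, when the threshold is reached
                incidents.append(make_record(
                    "Unauthorized Unsuccessful Attempted Access", e, first_seen[key]))
        elif (e["user"], e["src"]) not in authorized:
            cls = ("Unauthorized Privileged (root) Access" if e["user"] == "root"
                   else "Unauthorized Limited (user) Access")
            incidents.append(make_record(cls, e, e["ts"]))
    return incidents


if __name__ == "__main__":
    for rec in classify(parse_log(SAMPLE_LOG), authorized={("alice", "198.51.100.4")}):
        print(rec)
```

On the sample log this yields two records: the burst of root failures from 203.0.113.7 (raised at the fifth attempt, with the first and last timestamps kept for the report) and the later accepted root login from the same source. The single failure for `bob` produces nothing, which is the point the slide makes about false positives: one anomaly is a reason for an observer to look further, not an incident on its own, so the allow-list and the threshold are where an analyst's judgement enters.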

Page 10

Possible Incident Classifications (cont.)

• Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious scripting, or a logic bomb. Usually hidden, and some may replicate. Effects can range from simple monitoring of traffic to a complicated automated backdoor with full system rights.

Page 11

Possible Incident Classifications

Page 12

Containment

The process of limiting the scope and magnitude of an incident. As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain the incident.

Page 13

Containment - Example

• Incidents involving malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.
• It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.
  • Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day.
  • LoveBug Virus affected over 10 million computers with damage estimated between $2.5B-$10B US.
  • Kournikova worm effects still being analyzed.

Page 14

Eradication

• For a virus – anti-virus software is best.
• For a network, may involve blocking/filtering the IP address at the router/firewall.
• Ideally, but difficult, best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law.

Page 16

• Critical
• Activities Include:
  • Analyze the Incident and the Response
  • Analyze the Cost of the Incident
  • Prepare a Report
  • Revise Policies and Procedures

Page 17

What is Computer Forensics?

Computer Forensics can be defined simply as a process of applying scientific and analytical techniques to computer Operating Systems and File Structures in determining the potential for Legal Evidence.

Page 18

Why is Evidence important?

• In the legal world, Evidence is EVERYTHING.
• Evidence is used to establish facts.
• The Forensic Examiner is not biased.

Page 19

Who needs Computer Forensics?

Page 20

Who are the Victims?

Page 21

Page 24

Reasons for a Forensic Analysis

• ID the perpetrator.
• ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.

victimized network.

• Preserve the Evidence for Judicial action.

Page 25

Types of Computer Forensics

• Disk Forensics
• E-mail Forensics
• Internet (Web) Forensics

Page 26

Disk Forensics

• Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.

deleted data

  • Includes file identification, which is the process used to identify who created a particular file or message
    – Melissa Virus

Page 27

Network Forensics

• Network forensics is the process of examining network traffic. It includes:
  • After the fact analysis of transaction logs
    – Sniffers
    – Real-time tracing

Page 28

E-mail Forensics

content of electronic mail as evidence

  • It includes the process of identifying the actual sender and recipient of a message, the date and time it was sent, and where it was sent from.
  • E-mail has turned out to be the Achilles' heel for many individuals and organizations.
  • Many times, issues of sexual harassment, racial and religious prejudice, or unauthorized activity are tied to e-mail.
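The slide describes e-mail forensics as identifying the actual sender, the time a message was sent and where it was sent from. The added example below (not from the Athena slides) shows where that information lives: each relay prepends its own Received: header, so walking the headers from the bottom up reconstructs the path back to the earliest host the receiving side can vouch for, and the displayed From: can be compared with the envelope sender in Return-Path. The message, hostnames and addresses are all constructed for this example (documentation ranges, not real systems).

```python
# Added example, not from the Athena slides: reconstruct the path a
# message took from its Received: headers and compare the displayed From
# with the envelope sender. The message is constructed; the hostnames
# and addresses are documentation values, not real systems.
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example.com (mx.corp.example.com [198.51.100.10])
\tby inbox.corp.example.com with ESMTP id 7A1B2; Mon, 10 Jan 2022 09:15:04 +0000
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.25])
\tby mx.corp.example.com with ESMTP id 9C3D4; Mon, 10 Jan 2022 09:15:02 +0000
Received: from laptop-17 (unknown [192.0.2.77])
\tby mail-relay.example.net with ESMTPA id 5E6F7; Mon, 10 Jan 2022 09:14:58 +0000
From: "CEO" <ceo@corp.example.com>
To: finance@corp.example.com
Date: Mon, 10 Jan 2022 09:14:50 +0000
Message-ID: <abc123@laptop-17>
Subject: Urgent wire transfer

Please process the transfer today.
"""

# "from <host> (<comment>) ... by <host> ... ; <date>" -- the RFC 5321 trace shape
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$",
    re.S,
)
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def load_message(raw_bytes):
    return email.message_from_bytes(raw_bytes)


def parse_received(value):
    """One Received: header -> {from, ip, by, when}; None if it does not parse."""
    value = " ".join(value.split())  # unfold the header and collapse whitespace
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    return {
        "from": m.group("from"),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "when": parsedate_to_datetime(m.group("date").strip()),
    }


def trace_path(msg):
    """Hops oldest first: each relay prepends its header, so reverse the order.
    The first hop is the earliest point the receiving side can vouch for."""
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def sender_consistency(msg):
    """Compare the From: people see with the envelope sender bounces go to."""
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "domains_match": header_from.rsplit("@", 1)[-1] == envelope_from.rsplit("@", 1)[-1],
    }


if __name__ == "__main__":
    msg = load_message(RAW_MESSAGE)
    for hop in trace_path(msg):
        print(f"{hop['when'].isoformat()}  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print(sender_consistency(msg))
```

For the constructed message the path resolves to `laptop-17` at 192.0.2.77 handing off to an outside relay at 09:14:58, two seconds before the organisation's own MX saw it, while the From: claims an internal address and the envelope sender belongs to the relay's domain. Two caveats a practitioner keeps in mind: only the headers added by servers you control are trustworthy (an earlier hop can write anything into the headers below it), and the Date: header is set by the sender's client, so the receiving timestamps are the ones to rely on.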

Page 29

Internet Forensics

• Internet or Web forensics is the process of piecing together where and when a user has been on the Internet.
  • For example, it is used to determine whether the download of pornography was accidental or not.

Page 30

Source Code Forensics

• Source code forensics is used to determine software ownership or software liability issues.
  • It is not merely a review of the actual source code.
  • It is an examination of the entire development process, including development procedures, review of developer time sheets, documentation review and the review of source code revision practices.

Page 31

Technological Progress

Sense of Anonymity

Page 32

Technological Progress

Albert Einstein said “Technological progress is like an axe in the hands of a pathological criminal.”

Page 33

• Crime Without Punishment
• Media Sensationalism
• Public Apathy
• Easy to Commit

Page 34

What is Cyber Crime?

• A crime in which technology plays an important, and often a necessary, part.
  • The computer is:
    – the target of an attack
    – the tool used in an attack
    – used to store data related to criminal activity

Page 35

Types of Cyber Crime

• Forgery and Counterfeiting
• Internet Fraud – “Imposter Sites”
• SEC Fraud and Stock Manipulation
• Child Pornography
• Stalking & Harassment
• Credit Card Fraud & Skimming

Page 36

Contemporary Issues in Computer Forensics

Handle High-Tech Crime

• Shortage of Trained Investigators & Analysts
• Lack of Forensic Standards
• Large Disk Drives and Disk Arrays
• High Speed Network Connections

Page 37

Contemporary Issues in Computer Forensics

Must not Violate the following:

Page 39

• Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.

Page 40

• Protect the integrity of the evidence. Maintain control until final disposition.
• Prior to booting the target computer, DISCONNECT HDD and verify CMOS.

Page 41

• Utilize disk “imaging” software to make an exact image of the target media. Verify the image.
• When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.

Page 45

• “The Scene”
• Utilize Screen Capture/Copy Suspected files
• All apps for Analysis/apps on Examined system.

Page 46

Forensic Tools

• Forensic Tool Kit
• Forensic Software

Page 47

Forensic Tool Kit

Page 48

Forensic System Hardware

• Image MASSter 500 & 1000

Strap

• UPS

Page 49

Media Options

room for expansion and external media

Systems

Page 50

Media Options

• Internal Hard Disk
• Tape Media
  • QIC Tape Drive
  • Travan Tape Drive

Page 52

Disk Imaging Hardware

• Supports IDE & SCSI
• Sector by Sector Copy
  • DOS, Windows 3.1,
  • Windows 95, NT, SCO,
  • UNIX, OS/2 & Mac OS
• Full Read/Write Verification & Reporting
• Logging Capability
• No Writing to Master Disk

Page 53

Forensic Software

• Search & Recovery Utilities
• File Viewing Utilities
• Cracking Software
• Archive & Compression Utilities

Page 55

Disk Imaging Software

• Bit Level Copy of the Disk, not File Level
  • EnCase
  • SafeBack
  • SnapBack

Page 56

Search Utilities

• Forensic Software
• File System Utilities
• Norton Utilities

Page 57

File Viewing Utilities

• Quick View Plus
• Drag & View

Page 58

Forensic Analysis

• Lock the Disk
• Create an Image of the Disk(s)
• File System Authentication
• List Disk Directories and File Systems
• Locate Hidden or Obscured Data
• Cluster Analysis
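Three slides make the same point from different angles: make an exact image and verify it (page 41), image at the bit level rather than the file level (page 55), and lock the disk, image it and authenticate the file system before looking for hidden data (the steps above). The added example below (not from the Athena slides) builds a tiny disk in memory so all three can be seen at once: a sector-by-sector read from a device that is never written to, SHA-256 hashes of source and image compared and kept as the verification record, and a comparison showing that the bit-level image still holds slack space and a deleted file's sector while a logical copy of the allocated files does not. The 512-byte sector, the one-sector allocation table and every file's contents are constructed for this example; no real file system format is parsed.

```python
# Added example, not from the Athena slides: a toy "disk" is built in
# memory so the reader can see (a) sector-by-sector acquisition from a
# read-only device, (b) hash verification of the image, and (c) why a
# bit-level image keeps slack space and deleted data that a file-level
# copy drops. The sector size, the one-sector allocation table and all
# file contents are constructed for this example.
import hashlib
import io

SECTOR = 512  # assumed sector size


def make_sample_disk():
    """Build a constructed 8-sector disk with a toy allocation table in sector 0."""
    sectors = [bytearray(SECTOR) for _ in range(8)]
    # toy table: name=sector list@logical length; sectors 4-7 are unallocated
    sectors[0][:] = b"ALLOC:report.txt=1,2@539;notes.txt=3@5".ljust(SECTOR, b"\0")
    sectors[1][:] = b"Quarterly report, page one.".ljust(SECTOR, b"\0")
    sectors[2][:] = b"Quarterly report, page two.".ljust(SECTOR, b"\0")
    sectors[3][:] = b"notes".ljust(SECTOR, b"\0")        # 5 bytes used, rest is slack
    sectors[3][200:] = b"OLD SLACK DATA from an earlier file".ljust(SECTOR - 200, b"\0")
    sectors[5][:] = b"DELETED SECRET: wire transfer memo".ljust(SECTOR, b"\0")  # deleted file
    return bytes(b"".join(sectors))


def parse_alloc(disk):
    """Read the toy allocation table: {name: (sector list, logical length)}."""
    table = disk[:SECTOR].rstrip(b"\0").decode().split(":", 1)[1]
    alloc = {}
    for entry in table.split(";"):
        name, rest = entry.split("=")
        secs, length = rest.split("@")
        alloc[name] = ([int(s) for s in secs.split(",")], int(length))
    return alloc


def file_level_copy(disk):
    """What a logical (file-level) copy preserves: allocated files, logical length only."""
    out = {}
    for name, (secs, length) in parse_alloc(disk).items():
        raw = b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in secs)
        out[name] = raw[:length]
    return out


def sector_image(device, sector=SECTOR):
    """Sector-by-sector read of a device-like object; nothing is ever written to it."""
    chunks = []
    while True:
        chunk = device.read(sector)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_and_verify(disk_bytes):
    """Image the media, then hash both sides and keep the result as the record."""
    device = io.BytesIO(disk_bytes)          # stands in for a write-blocked drive
    source_hash = sha256_hex(disk_bytes)
    image = sector_image(device)
    image_hash = sha256_hex(image)
    log = {"source_sha256": source_hash, "image_sha256": image_hash,
           "verified": source_hash == image_hash}
    return image, log


def verify_image(expected_sha256, image):
    """Re-check an image later, e.g. before analysing a restored copy of it."""
    return sha256_hex(image) == expected_sha256


if __name__ == "__main__":
    disk = make_sample_disk()
    image, log = acquire_and_verify(disk)
    logical = file_level_copy(disk)
    print(log)
    print("bit-level image contains deleted data:", b"DELETED SECRET" in image)
    print("file-level copy contains deleted data:",
          any(b"DELETED SECRET" in v for v in logical.values()))
```

The recorded hashes are what later ties an analysis back to the seized media: any single changed byte in a restored copy makes `verify_image` fail, which is the check to run before every examination of the working image. The split between `sector_image` and `file_level_copy` is the slide's "bit level, not file level" in miniature: the unallocated sector and the tail of the short file's sector only survive in the sector-by-sector image.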

Page 59

File System Authentication

• Integrity of data related to any seizure is

Page 60

File System Authentication

Page 61

List Directories and Files

Page 62

Identify Suspect Files

Page 63

Hidden & Obscure Data

 Hidden File Attributes

Page 64

Steganography Denies the Data Exists

Page 65

Slack Space

Page 67

Evidence Protection

• Provides shielding from electrostatic discharge by safely enveloping static-sensitive devices in a humidity-independent Faraday cage. The nickel shielding layer creates a Faraday-type shield. Meets MIL-B-81705 and DoD-STD-1686A.

Published: 30/01/2020, 12:19
