
Incident Response and E-Mail Investigations



Presentation Transcript


    1. Incident Response and E-Mail Investigations
       Instructor: LT Dan Finnegan, Spring 2011

    2. Discussion Overview
       - Incident Response Procedures: Kruse, Appendix B; Casey, Chapter 19
       - E-Mail Investigations: various sources from the Recommended Texts

    3. Part One: Incident Response Procedures

    4. Incident Response Procedures
       Goals of Incident Response:
       - Restore service safely
       - Estimate extent and cost of incident
       - Identify source of attack and their motivation
       - Deter future crime
       - Recover from the loss/damage
       - Protect public image
       - Conduct due diligence
       - Assume corporate responsibility
       - Increase understanding of security landscape

    5. Incident Response Procedures (1)
       Organizations and individuals involved:
       - Corporate Security Incident Response Team
       - Security Investigator
       - Emergency Response Core Team
       - Application Owner
       - Application Developer/Administrator
       - System Owner/Administrator
       - Network Administrator
       - Firewall Administrator
       - Security Consultant

    6. Incident Response Procedures (2)
       - Data Center Application Profile: predefined response priority; system criticality determined by the level of damage an incident would cause
       - Severity of Computer Security Incidents: see Table A-2 for example IR priorities for an Internet Service Provider; includes priorities for both events and the types of servers involved

    7. Incident Response Procedures (3)
       Incident Response Process:
       - Discovery and reporting
       - Incident confirmation
       - Investigation
       - Recovery
       - Lessons learned and recommendations
       All of which are equally important.

    8. Incident Response Procedures (4)
       - Incident Discovery and Reporting: who notices the problem? User, Application Owner, System Owner, etc.
       - Incident Confirmation: User Incident Handling; Application Incident Handling; System Incident Handling

    9. Incident Response Procedures (5)
       - Investigation: the process differs depending on the type of incident (e.g. DoS attack, malware, unauthorized access or modification, network probing)
       - Recovery: contact authorities, if necessary; recover the affected systems, if necessary
       - Lessons Learned and Recommendations: identify process weaknesses and areas for improvement

    10. Part Two: E-Mail Investigations

    11. E-Mail Investigations
        - Two environments: Internet vs. LAN
        - Client/Server Architecture
        - Protected accounts
        - Similar to other types of investigations
        Investigative Goals:
        - Determine who is behind the crime
        - Collect the evidence
        - Present your findings
        - Build a case

    12. Identifying E-mail Crimes and Violations
        - Becoming commonplace
        - Depend on the city, state, or country
        - Spam/UCE (Unsolicited Commercial Email)
        - Always consult with an attorney
        Examples of crimes involving e-mails:
        - Narcotics trafficking
        - Extortion
        - Sexual harassment
        - Unsolicited Commercial Email

    13. Examining E-mail Messages
        - Access victim's computer and retrieve evidence
        - Use victim's e-mail client
        - Find and copy evidence in the e-mail
        - Access protected or encrypted material
        - Print e-mails
        - Guide victim on the phone: open and copy the e-mail, including headers
        - Sometimes you will need to deal with deleted e-mails

    14. Viewing E-mail Headers
        Learn how to find e-mail headers in:
        - GUI clients
        - Command-line clients
        - Web-based clients
        Headers contain useful information, such as:
        - Unique identifying numbers
        - IP address of the sending server
        - Sending time

    15. Viewing E-mail Headers (continued)
        - MS-Outlook: open the Message Options dialog box; copy the headers; paste them into any text editor
        - MS-Outlook Express: open the message properties dialog box; select Message Source; copy and paste the headers into any text editor

    16. Viewing E-mail Headers (continued)
        - Eudora: click the BLAH BLAH BLAH button; copy and paste the e-mail header
        - AOL: open the e-mail Details dialog window; copy and paste the headers

    17. Viewing E-mail Headers (continued)
        - Hotmail: click Options, Preferences in the menu; click Advanced Headers; copy and paste the headers
        - Yahoo: click Mail Options; click General Preferences and Show All headers on incoming messages
        - Gmail: Show Original under the arrow next to the Reply button

    18. Examining E-mail Headers
        Gather supporting evidence and track the suspect:
        - The return path
        - Recipient's e-mail address
        - Type of sending e-mail service
        - IP address of the sending server
        - Name of the e-mail server
        - Unique message number
        - Date and time the e-mail was sent
        - File attachment information

    19. Additional E-mail Files
        - E-mail messages are saved on the client side or left at the server
        - Microsoft Outlook: .pst and .ost files
        - Personal address book
        - UNIX e-mail groups: members read the same messages
        - Web-based mail files and folders: history, cookies, cache, and temp files

    20. Tracing an E-mail Message
        - Contact those responsible for the sending server
        - Finding a domain name's point of contact: www.arin.net, www.internic.com, www.freeality.com
        - Find the suspect's contact information
        - Verify your findings against network logs

    21. Using Network Logs
        Confirm the e-mail route:
        - Router logs: record all incoming and outgoing traffic; have rules in place to allow or disallow traffic
        - Firewall logs: filter e-mail traffic; verify whether the e-mail passed through
        You can use any text editor or specialized tools.

    22. Understanding E-mail Servers
        - Computer running a server OS and an e-mail package
        - E-mail storage formats: database; flat file
        - Types of logs: default or manual; continuous and circular

    23. Understanding E-mail Servers (continued)
        Log information:
        - E-mail content
        - Sending IP address
        - Receiving and reading date and time
        - System-specific information
        Contact the suspect's network as soon as possible.
        Servers can recover deleted e-mails, similar to the deletion of files on a hard drive.

    24. E-mail Forensics Tools
        Popular tools include:
        - AccessData's FTK
        - EnCase
        - Paraben
        - FINALeMAIL
        - Sawmill-GroupWise
        - DBXtract
        - MailBag Assistant

    25. Who, When, and Where?
        We are going to figure out:
        - Who sent the email
        - When it was sent
        - Where it was sent from

    26. How e-Mail works
        An email is composed and sent using a mail client, like Yahoo mail, Eudora, or Outlook. The client sends the message to a Mail Transfer Agent (MTA), which is a server running the Simple Mail Transfer Protocol (SMTP). The MTA locates the advertised mail server for the recipient and passes the message along.

    27. Email (cont)
        Every MTA the message passes through adds a timestamp to the message. These timestamps are a critical piece of the investigation!
        Example:
            Received: from smtp109.sbc.mail.re2.yahoo.com (68.142.229.96) by mir1.mail.vip.sc5.yahoo.com with SMTP, 26 Oct 2005 07:56:20 -0000
        In the final steps of the process, the recipient accesses their mail server using a protocol such as POP3 or IMAP and downloads the message to their email client.
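Slide 18 lists what to pull out of the headers (sending IP, server name, date and time) and slide 27 explains why the Received lines carry it: each MTA prepends one, so reading them bottom-up reconstructs the route. The following is an added example of that reconstruction, not code from the slides or from any tool they mention. It uses only the Python standard library. RAW_MESSAGE is a constructed message built around the Received line quoted on slide 27; the outer hop to mx.example.net, the addresses 203.0.113.10 and 192.0.2.44, and the 07:56:12 / 07:56:41 times are made-up values, and the regex accepts both the standard ";" and the "," that the slide's example uses before the date.

```python
"""Reconstruct the hop-by-hop route of a message from its Received headers.

Added example, not from the original slides. RAW_MESSAGE is a constructed
sample around the slide's Received line; the other hosts/IPs/times are made up.
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_MESSAGE = """\
Received: from mir1.mail.vip.sc5.yahoo.com (203.0.113.10) by mx.example.net with ESMTP; 26 Oct 2005 07:56:41 -0000
Received: from smtp109.sbc.mail.re2.yahoo.com (68.142.229.96) by mir1.mail.vip.sc5.yahoo.com with SMTP, 26 Oct 2005 07:56:20 -0000
Received: from [192.0.2.44] by smtp109.sbc.mail.re2.yahoo.com with SMTP; 26 Oct 2005 07:56:12 -0000
Message-ID: <20051026075612.constructed@example.com>
From: sender@example.com
To: victim@example.net
Subject: constructed sample

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"                                    # name the sender announced
    r"(?:\s*\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?)?"     # IP the receiver actually saw
    r".*?\bby\s+(?P<by>\S+)"                                   # receiving MTA
    r".*?[;,]\s*(?P<date>[^;,]+)$",                            # timestamp after ';' (or ',' as on the slide)
    re.DOTALL,
)


def parse_received_chain(raw):
    """Return hops in chronological order (first hop first), one dict per Received line."""
    msg = message_from_string(raw)
    hops = []
    # Each MTA prepends its Received line, so the LAST one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            hops.append({"raw": value, "parse_error": True})
            continue
        frm, ip = m.group("from"), m.group("ip")
        if ip is None:  # "from [192.0.2.44]" style: the announced name is itself an IP literal
            bare = re.fullmatch(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", frm)
            if bare:
                ip = bare.group(1)
        dt = parsedate_to_datetime(m.group("date").strip())
        if dt.tzinfo is None:  # "-0000" yields a naive datetime; treat it as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hops.append({"from": frm, "ip": ip, "by": m.group("by"), "time": dt, "raw": value})
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops (None where a hop could not be parsed)."""
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if "time" in prev and "time" in cur:
            delays.append((cur["time"] - prev["time"]).total_seconds())
        else:
            delays.append(None)
    return delays


def flag_anomalies(hops):
    """Indices of hops that failed to parse or whose time runs backwards from the previous hop."""
    flagged = [i for i, h in enumerate(hops) if h.get("parse_error")]
    for i, d in enumerate(hop_delays(hops), start=1):
        if d is not None and d < 0:
            flagged.append(i)
    return sorted(set(flagged))


def origin_ip(hops):
    """IP of the earliest hop that recorded one: the client that handed the message to the first MTA.

    Only Received lines written by servers you trust are reliable; anything
    below them could have been placed in the message by the sender.
    """
    for h in hops:
        if h.get("ip"):
            return h["ip"]
    return None


if __name__ == "__main__":
    hops = parse_received_chain(RAW_MESSAGE)
    for h, d in zip(hops, [None] + hop_delays(hops)):
        print(f"{h['time'].isoformat()}  {h['from']} ({h['ip']}) -> {h['by']}  +{d}s")
    print("origin IP:", origin_ip(hops), "anomalies:", flag_anomalies(hops))
```

Read the output from the top down: the first line is the hop closest to the sender and the last is your own server. Only the Received lines added by MTAs you control (or whose logs you can obtain, as slide 21 describes) are trustworthy evidence; a negative delay or a hop that does not parse is a cue to corroborate that line against server logs before building a timeline on it.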
