1. Incident Response and E-Mail Investigations
Instructor: LT Dan Finnegan
Spring 2011
2. Discussion Overview
Incident Response Procedures:
Kruse – Appendix B
Casey – Chapter 19
E-Mail Investigations:
Various sources from the Recommended Texts
3. Part One: Incident Response Procedures
4. Incident Response Procedures
Goals of Incident Response:
Restore service safely
Estimate extent and cost of incident
Identify source of attack and their motivation
Deter future crime
Recover from the loss/damage
Protect public image
Conduct due diligence
Assume corporate responsibility
Increase understanding of security landscape
5. Incident Response Procedures (1)
Organizations and individuals involved:
Corporate Security Incident Response Team
Security Investigator
Emergency Response Core Team
Application Owner
Application Developer/Administrator
System Owner/Administrator
Network Administrator
Firewall Administrator
Security Consultant
6. Incident Response Procedures (2)
Data Center Application Profile
Predefined response priority
System criticality determined by level of damage caused by an incident
Severity of Computer Security Incidents
See Table A-2 for example IR priorities for an Internet Service Provider
Includes priorities for both events and types of servers involved
7. Incident Response Procedures (3)
Incident Response Process:
Discovery and reporting
Incident confirmation
Investigation
Recovery
Lessons learned and recommendations
All of which are equally important
8. Incident Response Procedures (4)
Incident Discovery and Reporting
Who notices the problem?
User, Application Owner, System Owner, etc.
Incident Confirmation
User Incident Handling
Application Incident Handling
System Incident Handling
9. Incident Response Procedures (5)
Investigation
Process differs depending on the type of incident (e.g., DoS attack, malware, unauthorized access or modification, network probing)
Recovery
Contact authorities, if necessary
Recover the affected systems, if necessary
Lessons Learned and Recommendations
Identify process weaknesses and areas for improvement
10. Part Two: E-Mail Investigations
11. E-Mail Investigations
Two environments: Internet vs. LAN
Client/Server Architecture
Protected accounts
Similar to other types of investigations
Investigative Goals:
Determine who is behind the crime
Collect the evidence
Present your findings
Build a case
12. Identifying E-mail Crimes and Violations
Becoming commonplace
Depend on the city, state, or country
Spam/UCE (Unsolicited Commercial Email)
Always consult with an attorney
Examples of crimes involving e-mails:
Narcotics trafficking
Extortion
Sexual harassment
13. Examining E-mail Messages
Access victim’s computer and retrieve evidence
Use victim’s e-mail client
Find and copy evidence in the e-mail
Access protected or encrypted material
Print e-mails
Guide victim on the phone
Open and copy e-mail including headers
Sometimes you will need to deal with deleted e-mails
14. Viewing E-mail Headers
Learn how to find e-mail headers in:
GUI clients
Command-line clients
Web-based clients
Headers contain useful information, such as:
Unique identifying numbers
IP address of the sending server
Sending time
15. Viewing E-mail Headers (continued)
MS-Outlook
Open the Message Options dialog box
Copy headers
Paste them to any text editor
MS-Outlook Express
Open the message properties dialog box
Select Message Source
Copy and paste the headers to any text editor
16. Viewing E-mail Headers (continued)
Eudora
Click the BLAH BLAH BLAH button
Copy and paste the e-mail header
AOL
Open e-mail Details dialog window
Copy and paste headers
17. Viewing E-mail Headers (continued)
Hotmail
Click Options, Preferences in menu
Click Advanced Headers
Copy and paste headers
Yahoo
Click Mail Options
Click General Preferences and Show All headers on incoming messages
Gmail
Show Original under arrow next to Reply button
18. Examining E-mail Headers
Gather supporting evidence and track suspect
The return path
Recipient’s e-mail address
Type of sending e-mail service
IP address of sending server
Name of the e-mail server
Unique message number
Date and time e-mail was sent
File attachment information
19. Additional E-mail Files
E-mail messages are saved on the client side or left at the server
Microsoft Outlook .pst and .ost files
Personal address book
UNIX e-mail groups
Members read same messages
Web-based mail files and folders
History, Cookies, Cache, and Temp files
20. Tracing an E-mail Message
Contact those responsible for the sending server
Finding a domain name’s point of contact:
www.arin.net
www.internic.com
www.freeality.com
Find suspect’s contact information
Verify your findings against network logs
21. Using Network Logs
Confirm e-mail route
Router logs
Record all incoming and outgoing traffic
Have rules in place to allow or disallow traffic
Firewall logs
Filter e-mail traffic
Verify whether the e-mail passed through
You can use any text editor or specialized tools
22. Understanding E-mail Servers
Computer running server OS and e-mail package
E-mail storage formats:
Database
Flat file
Types of logs:
Default or manual
Continuous and circular
23. Understanding E-mail Servers (continued)
Log information
E-mail content
Sending IP address
Receiving and reading date and time
System-specific information
Contact suspect’s network as soon as possible
Servers can recover deleted e-mails
Similar to deletion of files on a hard drive
24. E-mail Forensics Tools
Popular tools include:
AccessData’s FTK
EnCase
Paraben
FINALeMAIL
Sawmill-GroupWise
DBXtract
MailBag Assistant
25. Who, When, and Where?
We are going to figure out:
Who sent the email
When it was sent
Where it was sent from
26. How e-Mail Works
An email is composed and sent using a mail client, like Yahoo mail, Eudora, or Outlook.
The client sends the message to a Mail Transfer Agent (MTA), which is a server running the Simple Mail Transfer Protocol (SMTP).
The MTA locates the advertised mail server for the recipient and passes the message along.
27. Email (cont)
Every MTA the message passes through adds a timestamp to the message.
These timestamps are a critical piece of the investigation!
Example:
Received: from smtp109.sbc.mail.re2.yahoo.com (68.142.229.96) by mir1.mail.vip.sc5.yahoo.com with SMTP, 26 Oct 2005 07:56:20 -0000
In the final steps of the process, the recipient accesses their mail server using a protocol such as POP3 or IMAP and downloads the message to their email client.
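A worked example of pulling the slide-18 items (return path, recipient, message number, date, sending host and IP, first mail server) and the slide-27 per-hop timestamps out of a raw message, added here as an illustration and not part of the instructor's slides; the message, hostnames and addresses are constructed and the Python standard library does the header parsing.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the slides). MTAs prepend Received
# headers, so the top one is the newest hop and the bottom one the oldest.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id AB123; Wed, 26 Oct 2005 08:01:10 +0000
Received: from webmail.example.com (198.51.100.7)
\tby mx1.example.net with SMTP; Wed, 26 Oct 2005 07:56:20 +0000
Return-Path: <sender@example.com>
Message-ID: <20051026075600.1234@example.com>
To: victim@example.org
Date: Wed, 26 Oct 2005 07:55:58 +0000

"""

RECEIVED_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    # Unfold continuation lines; the timestamp follows the last ';'.
    head, _, date_part = " ".join(value.split()).rpartition(";")
    m = RECEIVED_RE.search(head)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("info") or "")
    ts = parsedate_to_datetime(date_part.strip())
    if ts.tzinfo is None:  # a '-0000' zone yields a naive datetime
        ts = ts.replace(tzinfo=timezone.utc)
    return {"from_host": m.group("frm"), "ip": ip.group(1) if ip else None,
            "by_host": m.group("by"), "timestamp": ts}

def trace_route(msg):
    # Bottom Received header is the hop nearest the sender, so reverse to oldest-first.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h][::-1]
    for prev, cur in zip(hops, hops[1:]):
        # A negative delay means a clock went backwards or a header was forged.
        cur["delay_s"] = int((cur["timestamp"] - prev["timestamp"]).total_seconds())
    return hops

def summarize(raw):
    # The fields slide 18 says to gather, taken from the parsed message.
    msg = message_from_string(raw)
    hops = trace_route(msg)
    origin = hops[0] if hops else {}
    return {"return_path": msg.get("Return-Path"), "recipient": msg.get("To"),
            "message_id": msg.get("Message-ID"), "date_header": msg.get("Date"),
            "origin_host": origin.get("from_host"), "origin_ip": origin.get("ip"),
            "first_mta": origin.get("by_host"), "hops": hops}
```

Only the Received line added by an MTA you trust (your own, or one whose logs you can obtain as in slide 21) is reliable; anything below it was supplied by the sender and must be verified against those logs.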