CS 491 -Digital Forensics Fall 2013



  1. CS 491 - Digital Forensics, Fall 2013: History of Computer Forensics

  2. Timeline • 1970s • First crime cases involving computers, mainly financial fraud • 1980s • Financial investigators and courts realize that in some cases all the records and evidence existed only on computers. • Norton Utilities “Un-erase” tool created

  3. Timeline • Association of Certified Fraud Examiners began to seek training in what became computer forensics • SEARCH - High Tech Crimes training created • Regular classes began to be taught to Federal agents in California and at FLETC in Georgia • HTCIA formed in Southern California

  4. Timeline • 1984 • FBI Magnetic Media Program created; it later became the FBI Computer Analysis and Response Team (CART) • 1987 • AccessData, a cyber forensic company, formed

  5. Timeline • 1988 • Creation of IACIS, the International Association of Computer Investigative Specialists • First Seized Computer Evidence Recovery Specialists (SCERS) classes held • 1993 • First International Conference on Computer Evidence held

  6. Timeline • 1995 • International Organization on Computer Evidence (IOCE) formed • 1997 • The G8 countries in Moscow declared that “Law enforcement personnel must be trained and equipped to address high-tech crimes”.

  7. Timeline • 1998 • In March G8 appointed IOCE to create international principles, guidelines and procedures relating to digital evidence • 1998 • INTERPOL Forensic Science Symposium • 1999 • FBI CART case load exceeds 2000 cases, examining 17 terabytes of data

  8. Timeline • 2000 • First FBI Regional Computer Forensic Laboratory established • 2003 • FBI CART case load exceeds 6500 cases, examining 782 terabytes of data

  9. Timeline • 2012 • Code name: Sentinel • Case management system • $450 million • 6 years of development • Oracle Exadata appliances

  10. Summary To better understand the history of computer forensics, one must know the phases of CF: • Ad-hoc phase, characterized by a lack of structure, a lack of clear goals, and a lack of adequate tools, processes and procedures. Furthermore, there were major legal questions about how to proceed with digital evidence.

  11. Summary • Structured phase: a comprehensive approach to computer forensics, with accepted procedures, purpose-built tools and, most importantly, criminal legislation enabling the wide use of digital evidence. • Enterprise phase: the phase we are in nowadays. Its three areas are real-time collection of evidence, development of field collection tools, and forensics becoming a service within companies.

  12. Passwords

  13. Authentication vs. Authorization • Authentication • Proving you are who you say you are • Tools: passwords, biometrics • Authorization • Given who you say you are, do you have privilege to do a particular action / affect a particular object? • Tools: access control lists, privileges

  14. Password Security/Policy Issues • Length • Required Characters (Letters; Letters plus Digits; Letters plus Digits plus Special Chars; etc.) • Prohibited Constructs (e.g., Dictionary Words) • User Changeability (Require/Prevent User From Changing) • How often? • How password is remembered (memory, written, on system, etc.)

  15. Classic Techniques – Possible but Impractical • Try all possible passwords • Difficult, as most systems disconnect after small number of attempts, lock out after more • Break the encryption scheme • Difficult with current one-way encryption methods

  16. Classic Techniques – What’s Used
• Find password file and compare encrypted possible passwords
• Linux - /etc/passwd, world-readable, but passwords encrypted
• E.g., zatoichi:3#aVu5O1:2510:10::/home/zatoichi:/bin/bash
  fields: username : encrypted passwd (salt) : userid : grpid : comments : home dir : default shell

  17. Shadow passwd file
• A world-readable file of encrypted passwords is not secure.
• Solution: shadow password files with only root access
• E.g., line from unshadowed /etc/passwd: zatoichi:3#aVu5O1:2510:10::/home/zatoichi:/bin/sh
• line from shadowed /etc/passwd: zatoichi:x:2510:10::/home/zatoichi:/bin/sh
• Therefore one must go to the shadow passwd file to resolve passwds

  18. Shadow passwds • Used for security of passwds on computer systems. • Passwds are traditionally stored in the /etc/passwd file. • Passwd file is accessible to everyone. • Cannot make passwd file root-access only because data in the file is used for user/userid mappings, environment variable access, etc. • Solution: create another, shadow passwd file that holds the passwd hashes and leave the other (readable) data in the original passwd file. • See Shadow Suite.

  19. Shadow Passwd Files • One-way hash function (OWH): • OWH function: easy to compute in one direction but almost impossible to calculate in the reverse direction. • OWH is used in Linux/UNIX with unshadowed passwds.

  20. Shadowed /etc/passwd File
root:*:0:0:root:/root:/bin/tcsh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:INN (NNTP Server) Admin ID, 525-2525:/usr/local/lib/inn:/bin/ksh
uucp:*:10:14:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
operator:*:0:0:operator:/root:/bin/tcsh
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/tcsh
nobody:*:65535:100:nobody:/dev/null:
nomad:*:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:*:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:*:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:*:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh
Some of the more interesting things about this password file are:
- User "operator" has a user ID of zero, so this user is equivalent to root.
- 8 accounts have interactive shells, so you have 8 targets for direct shell access.
- Multiple services, such as news, web, etc.
- User "nomad" apparently has an older account called "thegnome" which may not be currently in use, making it a prime target for attack.
- User "webadmin" looks to be an account that is shared among multiple people.
- The phone prefix is 525 (fire up the wardialer and look for a modem).
- Suspicious "dorkus" account. There may be an account for Fred on another box (check for .rhosts, etc).

  21. Hashes and Salts
• “*” token in place of the one-way encrypted password.
• Real password is located in a different file, typically called the shadow file.
• Different tokens are used in different shadow password implementations.
• On many Unix systems, the password file is still located in /etc but called shadow
• Some systems even place the shadow in a different directory.
• Examples of the location of the shadow, and the token:
  System             Shadow                                                 Token
  AIX                /etc/security/passwd                                   *
  BSD                /etc/master.passwd                                     *
  HP-UX              /.secure/etc/passwd                                    *
  IRIX               /etc/shadow                                            x
  Linux              /etc/shadow                                            *
  SCO                /tcb/auth/files/[first letter of username]/[username]  *
  Solaris            /etc/shadow                                            *
  System V < 4.2     /etc/shadow                                            x
  System V >= 4.2    /etc/security/* database                               x
• zatoichi:x:2510:10::/home/zatoichi:/bin/sh
• zatoichi:*:2510:10::/home/zatoichi:/bin/sh

  22. Hashes and Salts • Alice’s username = alice; passwd = residentevil • Password hash (residentevil, easily reversed) = • 382e336446c8f65d2748c683d3f72a37 • Salt = (username + email addr + uid) • Hash with salt (passwd + salt, not as easily reversed): • a7d5c234335b9762416808e2ace8064e • Defense against rainbow tables
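Added example (not from the slides) showing why the salt on this slide defeats a precomputed table: with no salt, every user who picks the same password gets the same digest, so one precomputed table reverses all of them at once; with a per-user salt the digests differ and the table misses. The candidate list, the salt string and the use of MD5 are assumptions chosen to match the slide's digest length, not the course's own code.

```python
import hashlib
import os

# Constructed candidate list standing in for a precomputed lookup table
# (a "rainbow table" in the slide's terms). Not real data.
CANDIDATES = ["password", "residentevil", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Hash the password alone: identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Hash the password together with a per-user salt, as the slide describes."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reused against every unsalted digest."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, digest):
    """Reverse a digest by dictionary lookup: no hashing at all at this point."""
    return table.get(digest)


def demo():
    table = build_lookup_table(CANDIDATES)

    # Two different users who happened to choose the same password.
    alice_unsalted = unsalted_hash("residentevil")
    bob_unsalted = unsalted_hash("residentevil")

    # Per-user salts: the slide builds them from username+email+uid (assumed
    # values below); a random salt, shown for bob, is the stronger choice.
    alice_salt = "alice" + "alice@example.com" + "2510"
    bob_salt = os.urandom(8).hex()
    alice_salted = salted_hash("residentevil", alice_salt)
    bob_salted = salted_hash("residentevil", bob_salt)

    return {
        "same_unsalted_digest": alice_unsalted == bob_unsalted,
        "unsalted_reversed": lookup(table, alice_unsalted),
        "same_salted_digest": alice_salted == bob_salted,
        "salted_reversed": lookup(table, alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

MD5 appears here only because the slide's digests are MD5-sized; a salt stops table reuse, but it does not slow down guessing, which is why password storage today uses deliberately slow constructions such as bcrypt, scrypt or Argon2 on top of a random salt.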

  23. Shadow Files
• tanjs:$1$fnfffc$hRHwueyhhdjBjufffVeX:14563:0:99999:7:::
•  (a)  (b)                              (c)   (d) (e)  (f)(g)(h)
• (a) username
• (b) encrypted password, prefixed with the hashing algorithm id and the salt:
  - 1 = MD5
  - 2 = Blowfish
  - 5 = SHA-256
  - 6 = SHA-512 or crypt (DES) depending on distros
• (c) last password change: days since Jan 1, 1970 that the password was last changed
• (d) min number of days required between password changes
• (e) max number of days the password is valid
• (f) number of days before the password is to expire that the user is warned that the password must be changed
• (g) number of days after the password expires that the account is disabled
• (h) number of days since Jan 1, 1970 that the account is disabled, i.e., an absolute date specifying when the login may no longer be used
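Added example (not from the slides) that parses the passwd and shadow layouts of slides 16-23, splits the `$id$salt$hash` password field into its parts, and then runs the kind of audit a security officer would do on the listing of slide 20 (duplicate UID 0, interactive shells, hashes left in the world-readable file, empty password fields, weak hash id). The sample lines are constructed for the example; the names, UIDs and hashes are illustrative and the `NON_LOGIN_SHELLS` set is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample /etc/passwd lines modelled on the slide's listing
# (names, UIDs and shells are illustrative, not from a real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/tcsh
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:0:0:operator:/root:/bin/tcsh
nobody:x:65535:100:nobody:/dev/null:/sbin/nologin
nomad:x:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
"""

# Constructed sample /etc/shadow lines in the layout the slide describes.
SHADOW_SAMPLE = """\
root:$6$saltsalt$notarealhash:14563:0:99999:7:::
nomad:$1$fnfffc$hRHwueyhhdjBjufffVeX:14563:0:99999:7:::
operator::14563:0:99999:7:::
nobody:*:14563:0:99999:7:::
"""

ALGORITHMS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed set


@dataclass
class PasswdEntry:
    name: str
    passwd: str      # "x" means the hash lives in the shadow file
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    raw: str                      # password field exactly as stored
    algorithm: Optional[str]      # decoded from the $id$ prefix, None if not a hash
    salt: Optional[str]
    hash: Optional[str]
    last_change: Optional[int]    # (c) days since 1970-01-01
    min_days: Optional[int]       # (d)
    max_days: Optional[int]       # (e)
    warn_days: Optional[int]      # (f)
    inactive_days: Optional[int]  # (g)
    expire_day: Optional[int]     # (h)


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.split(":")
    pw = f[1]
    algorithm = salt = hashval = None
    if pw.startswith("$"):
        # "$id$salt$hash" splits into ['', id, salt, hash]
        _, ident, salt, hashval = pw.split("$", 3)
        algorithm = ALGORITHMS.get(ident, "unknown id " + ident)
    aging = [_int_or_none(x) for x in f[2:8]]  # fields (c) through (h)
    return ShadowEntry(f[0], pw, algorithm, salt, hashval, *aging)


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(line) for line in text.splitlines()]


def audit(passwd_entries, shadow_entries) -> List[str]:
    """Flag the conditions slide 20 calls 'interesting', from the defender's side."""
    findings = []
    uid0 = [e.name for e in passwd_entries if e.uid == 0]
    if len(uid0) > 1:
        findings.append("multiple UID-0 accounts: " + ", ".join(uid0))
    shells = [e.name for e in passwd_entries if e.shell not in NON_LOGIN_SHELLS]
    findings.append("%d accounts with interactive shells: %s" % (len(shells), ", ".join(shells)))
    for e in passwd_entries:
        if e.passwd not in ("x", "*"):
            findings.append("password hash kept in world-readable passwd for " + e.name)
    for s in shadow_entries:
        if s.raw == "":
            findings.append("empty password field (no password required) for " + s.name)
        elif s.algorithm == "MD5":
            findings.append("weak MD5-based hash for " + s.name)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(PASSWD_SAMPLE), parse_shadow(SHADOW_SAMPLE)):
        print("-", finding)
```

On a live system the same functions would be fed the contents of /etc/passwd and /etc/shadow (the latter readable only by root, which is the whole point of slides 17-18).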

  24. Possible Password Sources • Regular dictionary • Special cracker dictionary • Common phrases, names, bands, slang, etc. • Combinations of relevant numbers and constructs from above sources • Knowledge about user

  25. Comparison re: Length/Content • 6 chars, Letters (52 upper and lower) • 52^6 ≈ 19.7 billion possibilities • Easier to crack • 8 chars, Letters plus Digits plus Special (approximately 82 characters) • 82^8 ≈ 2 quadrillion possibilities • 100,000 times harder to crack
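Added example (not from the slides) that turns the policy items of slide 14 and the keyspace arithmetic of slide 25 into a checker: it reports which policy rules a candidate password breaks (length, required character classes, dictionary-based constructs), and computes the 52^6 and 82^8 keyspaces and their ratio. The dictionary, the default policy values and the character-class sizes taken from Python's `string` module are assumptions of the example.

```python
import string

# Constructed word list standing in for the "regular dictionary" of slide 24.
DICTIONARY = {"password", "welcome", "dragon", "residentevil"}

# Character classes; their sizes feed the keyspace estimate of slide 25.
CLASSES = {
    "lowercase letter": set(string.ascii_lowercase),
    "uppercase letter": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special character": set(string.punctuation),
}


def classes_used(password: str):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def crack_ratio(len_a, size_a, len_b, size_b) -> float:
    """How many times larger keyspace B is than keyspace A (slide 25's '100,000 times')."""
    return keyspace(len_b, size_b) / keyspace(len_a, size_a)


def check_policy(password, min_length=8,
                 required=("lowercase letter", "uppercase letter", "digit"),
                 dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    used = classes_used(password)
    for cls in required:
        if cls not in used:
            problems.append("no " + cls)
    # Prohibited construct: a dictionary word, also when padded with digits/punctuation.
    core = password.lower().strip(string.digits + string.punctuation)
    if password.lower() in dictionary or core in dictionary:
        problems.append("based on a dictionary word")
    return problems


def effective_keyspace(password: str) -> int:
    """Keyspace a brute-force search faces given only the classes the password uses."""
    size = sum(len(CLASSES[name]) for name in classes_used(password))
    return keyspace(len(password), size)


if __name__ == "__main__":
    print("52^6 =", keyspace(6, 52))
    print("82^8 =", keyspace(8, 82))
    print("ratio =", round(crack_ratio(6, 52, 8, 82)))
    for candidate in ["dragon1!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_policy(candidate) or "ok")
```

The keyspace figures are upper bounds on a blind search; the dictionary check matters because real guessing starts from the sources on slide 24, not from random strings.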

  26. Enforcing Password Policies - Linux • System utilities • passwd • npasswd (replacement for passwd) • File: /etc/login.defs • 3rd party tools

  27. Enforcing Password Policies - Windows • Windows System – Group Policy Editor • Start/Run: gpedit.msc • Computer Configuration • Windows Settings • Security Settings • Account Policies • Password Policy • Items to control: keep password history, min and max age, min and max length, complexity requirement, encryption

  28. Password Encryption Techniques and Tools - Linux • crypt – the traditional routine for encrypting (hashing) passwords under Unix/Linux • Based on DES • PAM – Pluggable Authentication Modules • Supports dynamic configuration of authentication for multiple applications

  29. Password Encryption Techniques and Tools - Windows • Passwords stored in protected part of registry (SAM file) • rdisk command – can back up SAM • Can analyze this backup file • Other tools can directly access SAM file • E.g., SAMInside

  30. Issues • Weakest Link Theory • One weak password on system jeopardizes other users, system • Security officer should check all passwords periodically to make sure there aren’t potential problems

  31. Password Cracking Tools • Several • aircrack • John the Ripper • L0phtCrack • Cain and Abel • THC Hydra • Medusa • fgdump

  32. Cryptography

  33. Basic Terminology • Plaintext (decrypted) • Ciphertext (encrypted) • Cryptography – keeping messages secure • Cryptanalysis – breaking encrypted messages • Cryptology – Cryptography + Cryptanalysis • Cryptographic algorithm (a.k.a. cipher) – an algorithm for encryption

  34. Goals of Secure Communication Channel • Alice and Bob want to communicate securely • Goals • No information/content leakage • Only messages from Alice and Bob get delivered • Messages are delivered in order, or not at all

  35. Goals (2) • What if Eve has access to the channel? • Eve may be able to inspect, modify or drop any message • Goals stand as before • No information/content leakage • Only messages from Alice and Bob get delivered • Messages are delivered in order or not at all

  36. Cryptographic Algorithms • Symmetric • Same key used for encryption, decryption • A.k.a. private key • Examples: • Substitution Ciphers • Caesar cipher (ROT3) • ROT13 (used in Usenet) • Transposition Ciphers • same text, but reordered • Rotor machines • changing substitution • Enigma machine • XOR • Problem: need to securely transmit the key
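Added example (not from the slides) implementing the three symmetric families this slide names: a rotation substitution cipher (Caesar = shift 3, ROT13 = shift 13), a columnar transposition (same text, reordered), and a repeating-key XOR. Each pair shows the defining property of symmetric cryptography, the same key encrypts and decrypts, and the last function shows what goes wrong when a symmetric key is reused, which is why the key-distribution problem on the slide matters. Cipher parameters and sample texts are the example's own choices.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def rot(text: str, shift: int) -> str:
    """Substitution cipher: rotate each letter by `shift`; non-letters pass through."""
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot_decrypt(text: str, shift: int) -> str:
    """Decryption is the same operation with the negated key."""
    return rot(text, -shift)


def transpose_encrypt(text: str, cols: int) -> str:
    """Columnar transposition: write row-wise into `cols` columns, read column-wise.
    The key is the column count; padding with X keeps the grid rectangular."""
    padded = text + "X" * (-len(text) % cols)
    rows = [padded[i:i + cols] for i in range(0, len(padded), cols)]
    return "".join(row[c] for c in range(cols) for row in rows)


def transpose_decrypt(cipher: str, cols: int) -> str:
    rows_n = len(cipher) // cols
    columns = [cipher[i:i + rows_n] for i in range(0, len(cipher), rows_n)]
    return "".join(columns[c][r] for r in range(rows_n) for c in range(cols))


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; because x ^ k ^ k == x, one function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bool:
    """Two equal-length messages under one key: XOR of the ciphertexts equals XOR of the
    plaintexts, so the key has cancelled out. True here means the leak is confirmed."""
    if len(p1) != len(p2):
        raise ValueError("demonstration expects equal-length messages")
    c1, c2 = xor(p1, key), xor(p2, key)
    return xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    print(rot("HAL", 1), rot_decrypt(rot("HAL", 1), 1))
    print(rot("Hello", 13), rot(rot("Hello", 13), 13))          # ROT13 is its own inverse
    ct = transpose_encrypt("ATTACKATDAWN", 4)
    print(ct, transpose_decrypt(ct, 4))
    print(xor(xor(b"attack at dawn", b"k3y"), b"k3y"))
    print(key_reuse_leak(b"attack at dawn", b"retreat at six", b"k3y"))
```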

  37. Cryptographic Algorithms (2) • Public-Key Systems • No symmetric key • Two keys • Public key (encryption) • Private key (decryption) • Private key cannot be calculated (easily) from public key

  38. Babington Plot Mary I of Scotland (Mary, Queen of Scots) wanted to assassinate Queen Elizabeth I of England, and so began exchanging letters and messages with her co-conspirators, including Anthony Babington.

  39. Babington Plot

  40. Babington Plot

  41. DES • Data Encryption Standard (DES) • Used since 1976 • Combination of bit permutation, expansion, substitution

  42. S-Boxes • SW function: swaps the left 4 bits with the right 4 bits • From SW, do fK and F again with K2

  43. S-Boxes
• p0,0 p0,3 = (00) = 0 (represents row)
• p0,1 p0,2 = (10) = 2 (represents column), i.e., left input = 0010
• S0,2 = 11 (why 11?)
• Because S0 is pre-determined as:
          0  1  2  3
     0    1  0  3  2
     1    3  2  1  0
     2    0  2  1  3
     3    3  1  3  1
• S0 produces 2 bits, Si,k ≤ 3, i.e., 0010 → 11
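Added example (not from the slides) of the S-box lookup the slide walks through: the outer two input bits select the row, the inner two select the column, and the 2-bit table entry is the output. The table is S0 as printed on the slide (its last row is reproduced as shown there); the slide's row 0 / column 2 entry gives 3 = binary 11. A second function checks the property that makes S-boxes worth having, that the mapping is not linear, which is what stops a cipher from collapsing into a system of XOR equations.

```python
# S0 as printed on the slide: rows indexed by the outer two input bits,
# columns by the inner two bits. Last row reproduced as the slide shows it.
S0 = [
    [1, 0, 3, 2],
    [3, 2, 1, 0],
    [0, 2, 1, 3],
    [3, 1, 3, 1],
]


def sbox_lookup(box, bits: str) -> str:
    """Map a 4-bit string through a 4x4 S-box to a 2-bit string.
    Row = first and last bit, column = middle two bits (the DES convention)."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError("need a 4-character bit string")
    row = int(bits[0] + bits[3], 2)
    col = int(bits[1] + bits[2], 2)
    return format(box[row][col], "02b")


def sbox_table(box):
    """Full input -> output map of the box, for inspection."""
    return {format(i, "04b"): sbox_lookup(box, format(i, "04b")) for i in range(16)}


def is_linear(box) -> bool:
    """True only if S(x xor y) == S(x) xor S(y) for every pair of inputs.
    A usable S-box must return False; that non-linearity is its whole purpose."""
    value = {i: int(sbox_lookup(box, format(i, "04b")), 2) for i in range(16)}
    for x in range(16):
        for y in range(16):
            if value[x ^ y] != value[x] ^ value[y]:
                return False
    return True


if __name__ == "__main__":
    print("row 0, column 2 ->", sbox_lookup(S0, "0100"))   # the slide's S0,2 = 11
    print("S0 linear?", is_linear(S0))
    for inp, out in sbox_table(S0).items():
        print(inp, "->", out)
```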

  44. Problems with DES • Key length • 56 bit key => 2^56 possible keys • Brute force key attack on 56 bit keys • Machine built in 1998, cracked in 56 hours • Possible back doors • Unknown at this point

  45. Improving DES • Triple DES • Process • E_k1[ D_k2[ E_k1[P] ] ] • Encrypt once with key-1 • Decrypt with key-2 • Encrypt again with key-1 • Benefits • Search space now 2^112 keys • Brute force attack currently impossible

  46. Next Generation Private Key Encryption • DES is no longer secure for small keys • Time will lessen its use with large keys • Late 1990s – NIST had contest to choose new algorithm • Many → 15 → 5 → 1 • Rijndael algorithm chosen as winner • Renamed (Advanced Encryption Standard, AES), standard as of 2001

  47. AES • Similarities to DES • Multiple cycles (“rounds”) • Substitution, shifting, bit manipulations • Differences • 128 bit key to start • Can use 256 bit key • Number of rounds not fixed to algorithm • Can be increased for additional security

  48. Public Key Cryptography • Diffie/Hellman • 1976 – described public key cryptography • RSA (Rivest, Shamir, Adleman) • 1978 – introduced implementation algorithm • based on difficulty of factoring products of large (100-200 digit) prime numbers • Idea: public and private key are related, but not in a way that’s easily discovered
