
Digital Evidence Incident Response and Computer Forensics


Presentation Transcript


  1. Preparing for Incident Response
  Digital Evidence, Incident Response and Computer Forensics
  “Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.” – Gene Spafford

  2. What do you see?

  3. Preparing for Incident Response
  • Establish Security Policies
  • Enumerate Assets to be Protected
  • Identify Risks Faced by Assets
  • Establish Security Procedures
    • Host and Network Security
  • Establish Incident Response Policies and Objectives
  • Create a CSIRT and Toolkit

  4. Establish Security Policies
  • InfoSec Policies Are:
    • High-level, Strategic goals of InfoSec
    • Not operational (“How to”)
  • Read Scott Barman’s Writing Information Security Policies
  • Keep them Short and Tight
  • Bad Policies can be a GOOJF (Get Out Of Jail Free) Card*

  5. Establish Security Practices
  • Standards, Guidelines and Procedures
  • Enumerate the “How To”
  • Delegate to Department Level if Possible
  • Audit for Compliance with InfoSec Policies
  • Update Regularly

  6. Train Employees
  • To comply with Policies
  • To spot and report incidents
  • Strategies
    • Teamwork Model
    • Carrot Model
    • Stick Model

  7. Enumerate Assets
  • Can we afford to protect everything?
  • What is really important?
    • People – Leadership, Critical Workers
    • Processes – Money, Information Transfers
    • Technology – Systems, Networks
  • Items of Potentially Intangible Worth
    • Corporate Reputation
    • Intellectual Property
    • Non-Public Personally Identifiable Information
  • OCTAVE Methodology

  8. Risk Management
  • Risk = Threat x Vulnerability
  • What Are the Vulnerabilities?
  • Establish Mitigating Controls
  • What threats are faced by:
    • Corporate Reputation
    • Intellectual Property
    • Non-Public Personally Identifiable Information
  • Monitoring, Intelligence and Analysis

  9. Security Procedures - Hosts
  • Record Cryptographic Checksums
    • National Software Reference Library
    • MD5, SHA-1, Tripwire, md5deep
  • Enable Host Logging or Auditing
  • Establish Secure Backup Procedures
  • Educate Users on Host Security
  • Establish a SEAT Program

  10. Cryptographic checksums
  • A one-way hash function that reduces input data of any length to a compact signature value which is, in practice, unique to that input
  • Useful for verifying integrity and authenticity of digital evidence or file system information
  • “Collisions” (two different inputs producing the same digest) are possible

  11. Common Hash Functions
  • Message Digest 5
    • MD5 = 128 Bit Hash
  • Secure Hash Algorithm
    • SHA1 = 160 Bit Hash
    • SHA256 = 256 Bit Hash

  12. Labs
  • md5sum Hash Function Lab
  • SHA256 Lab
  • md5deep (Jesse Kornblum, AFOSI)
    • Multiple Hash Functions: MD5, SHA1, SHA256, Tiger, Whirlpool
    • Allows for recursive hashing of directory trees
    • Man page
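The checksum practice from slides 9, 10 and 12 (baseline a host's files with several hash functions, recursively, then re-hash later and report what changed) as an added Python example; this is not code from the slides or from md5deep, and the sample directory tree it builds is constructed for the demonstration:

```python
import hashlib
import tempfile
from pathlib import Path

# Hash several algorithms in one pass, as md5deep does with multiple digests.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so large
    evidence files never have to fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def hash_tree(root, algorithms=ALGORITHMS):
    """Recursively hash every regular file under root (like md5deep -r).
    Keys are POSIX-style paths relative to root so manifests are portable."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p, algorithms) for p in files}

def compare_manifests(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(f for f in common if baseline[f] != current[f])
    return {"added": added, "removed": removed, "modified": modified}

def build_sample_tree():
    """Constructed sample tree standing in for a freshly built host."""
    root = Path(tempfile.mkdtemp(prefix="ir-baseline-"))
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"abc")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
    return root

def demo():
    root = build_sample_tree()
    baseline = hash_tree(root)          # taken while the host is known good
    (root / "bin" / "ls").write_bytes(b"abd")    # simulated change to a binary
    (root / "etc" / "shadow").write_bytes(b"")   # simulated new file
    return compare_manifests(baseline, hash_tree(root))

if __name__ == "__main__":
    print(demo())
```

Storing the baseline manifest off-host (or on write-once media) is what makes the later comparison trustworthy; a manifest kept on the compromised host can be altered along with the files.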

  13. Windows Logging
  • Obfuscated Binary Format (grr)
  • Requires Event to Syslog Translators

  14. Linux/Unix Logging
  • Unix / Linux Log to Syslog
  • Edit /etc/syslog.conf or /etc/syslog.d files
  • Enable Cisco Syslog Logging
    • Most Devices Support Syslog
  • Syslog Is Not Forensically Sound
  • UDP – Port 514
  • Write Only Logging Configuration

  15. Securing Syslog Infrastructure
  • Inter-Site Logging Over VPN
  • Multi-homed Host
    • NIC1 – Write Only Configuration
    • NIC2 – Management
  • Hardened System
    • No Other Services on the Host
  • Syslog-NG
  • Secure Syslog

  16. Netflow & Log Infrastructure
  • A network flow is a unidirectional sequence of packets all sharing the same source and destination IP address, source and destination port, and IP protocol
  • Protocol supported by most Cisco gear
  • Ntop tracks these flows in a round-robin database application
  • For what could this be used?
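The flow definition above, as an added Python example that is not part of the slides: packets are grouped into unidirectional flows by the 5-tuple, then the flow table is summarised two ways an incident responder would actually use it (bytes sent per host, and how many distinct destination ports each source/destination pair touched). The packet records are constructed for the example; they are not real captures.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet records: (timestamp, src_ip, dst_ip, src_port, dst_port, proto, bytes)
SAMPLE_PACKETS = [
    (1.0, "10.0.0.5", "192.168.1.10", 51000, 80, "tcp", 60),
    (1.1, "192.168.1.10", "10.0.0.5", 80, 51000, "tcp", 60),
    (1.2, "10.0.0.5", "192.168.1.10", 51000, 80, "tcp", 500),
    (2.0, "192.168.1.10", "10.0.0.5", 80, 51000, "tcp", 1400),
    (3.0, "10.0.0.9", "192.168.1.10", 40000, 22, "tcp", 60),
    (3.1, "10.0.0.9", "192.168.1.10", 40001, 23, "tcp", 60),
    (3.2, "10.0.0.9", "192.168.1.10", 40002, 25, "tcp", 60),
    (3.3, "10.0.0.9", "192.168.1.10", 40003, 443, "tcp", 60),
    (4.0, "10.0.0.5", "8.8.8.8", 53001, 53, "udp", 70),
]

@dataclass
class Flow:
    key: tuple            # (src_ip, dst_ip, src_port, dst_port, proto)
    packets: int = 0
    octets: int = 0
    first: float = 0.0    # timestamp of first packet seen
    last: float = 0.0     # timestamp of last packet seen

def build_flows(packets):
    """Group packets into unidirectional flows keyed by the 5-tuple.
    Each direction of a TCP conversation becomes its own flow."""
    flows = {}
    for ts, src, dst, sport, dport, proto, size in packets:
        key = (src, dst, sport, dport, proto)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(key, first=ts, last=ts)
        flow.packets += 1
        flow.octets += size
        flow.first = min(flow.first, ts)
        flow.last = max(flow.last, ts)
    return flows

def bytes_per_host(flows):
    """Bytes sent by each source address: a simple 'top talkers' view."""
    totals = defaultdict(int)
    for f in flows.values():
        totals[f.key[0]] += f.octets
    return dict(totals)

def distinct_ports_per_pair(flows):
    """Distinct TCP destination ports each (src, dst) pair touched; many
    tiny, short-lived flows to many ports is the classic port-scan shape."""
    ports = defaultdict(set)
    for (src, dst, _sport, dport, proto) in flows:
        if proto == "tcp":
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items()}
```

Real NetFlow exports carry exactly these per-flow counters (packets, octets, first/last seen) rather than packet payloads, which is why flow data is cheap to retain for months and still answers "who talked to whom, when, and how much" during an investigation.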

  17. Creating the IRT

  18. Establishing Incident Response Policies
  • Establish a Protocol
  • Establish Reporting Procedures
    • Helpdesk, Managers, etc.
  • Establish Initial Response Procedures
  • Escalation and Handoff

  19. Goals of Incident Response
  • Avoid negative publicity
  • Protect shareholder value
  • Defend against legal challenges
  • Defend against further attacks
  • Arrest and prosecute offenders

  20. Possible Reactions
  • Call Law Enforcement
  • Call in Private Investigators* (GA Law)
  • Ignore the Incident
  • Implement Mitigating Controls
  • Surveillance and Counter-Intelligence
  • Identify and Disable the Attackers*

  21. Guiding Principles of Incident Management – Part I
  • Business Effect of the Event
    • Downtime, Exposure, Publicity
  • Legal Issues and Constraints
    • Policy vs. Law – Internal vs. External Handling
    • National, Regional, State and Local Laws
  • Trap and Trace
    • Requires Consent of One of the Parties or a Court Order
    • Potential ECPA Violations

  22. Guiding Principles of Incident Management – Part II
  • Political Considerations
    • Internal & External
  • Technical Capabilities of the Team
  • Funding / Available Resources
  • Does the organizational will exist to see the event through to a legal conclusion?

  23. Coordinating the Response
  • Internet Service Providers
    • Establish SLEs
    • Establish Contact with NOC
    • Abuse Contacts With Foreign ISPs
      • Good luck!
  • Pre-Establish Contact with LE if Possible
  • Consider a Public Relations IRT Member

  24. Incident Response Hardware
  • Laptops* – Extra Hard Disks
  • Lots of Storage (Portable RAID Array)
  • Hardware Drive Copiers
  • Write Blocking Hardware
  • Diverse Array of IDE, SCSI Adapters
  • Cameras – Digital vs. Analog
  • Voice Recorders for Notes
  • Video Camera w/ Removable Microphone

  25. Software
  • Disk Analysis
    • FBI Uses Access Data FTK (*Academic)
    • EnCase is Popular and $3000
    • Sleuthkit and Autopsy are widely accepted
    • Helix – Bootable CD-Based Forensic Toolkit
  • Network Analysis
    • Snort/tcpdump, NetIntercept, NetWitness
  • Understanding the operation of tools is very important. However, being too tool-focused can cost one objectivity.

  26. Helix – Forensic Toolkit
  • Helix – An Open Source Toolkit
  • Developed by Drew Fahey
    • Former AFOSI / FBI Investigator
  • Includes
    • The Coroner’s Toolkit
    • Sleuthkit / Autopsy
    • Command-line Carving Tools
    • Live Response Tools
    • Trusted Binaries for Windows, Linux and Solaris

  27. End
