1. Chapter 13: Computer and Network Forensics Computer Network Security
2. Kizza - Computer Network Security
Computer Forensics
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Arose as a result of the growing problem of computer crimes.
Computer crimes fall into two categories:
Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes.
Investigation into these crimes often involves searching computers suspected to be involved.
Computer itself is a victim of a crime – this is commonly referred to as incident response.
It refers to the examination of systems that have been remotely attacked.
Forensics experts follow clear, well-defined methodologies and procedures.
3. History of Computer Forensics
Computer forensics started a few years ago, when it was simple to collect evidence from a computer.
While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.
4. Basic forensic methodology consists of:
Acquire the evidence without altering or damaging the original
Look for evidence
Recover evidence
Handle evidence with care
Preserve evidence
Authenticate that your recovered evidence is the same as the originally seized data
Analyze the data without modifying it.
5. Acquire the Evidence
Keep in mind that every case is different.
Do not disconnect the computers – evidence may exist only in RAM, so collect information from the live system.
Consider the following issues:
Handling the evidence – if you do not take care of the evidence, the rest of the investigation will be compromised.
Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain should answer:
Who collected it?
How and where?
Who took possession of it?
How was it stored and protected in storage?
Who took it out of storage and why?
6. Storage Media
Hard Drives
Make an image copy and then restore the image to a freshly wiped hard drive for analysis
Remount the copy and start to analyze it.
Before opening it get information on its configuration
Use tools to generate a report listing the disk’s contents (PartitionMagic).
View operating system logs.
7. Handle Evidence With Care
Collection
You want the evidence to be so pure that it supports your case.
Identification
Methodically identify and label every single item that comes out of the suspect’s/victim’s location.
Transportation
Evidence is not supposed to be moved so when you move it be extremely careful.
Storage
Keep the evidence in a cool, dry, and appropriate place for electronic evidence.
Documenting the investigation
Most difficult for computer professionals because technical people are not good at writing down details of the procedures.
8. Authenticating Evidence
Authenticating evidence is difficult because:
Crime scenes change
Evidence is routinely damaged by environmental conditions
Computer devices slowly deteriorate
Keep proof of integrity and timestamp the evidence by cryptographically hashing the data files.
Two algorithms (MD5 and SHA-1) are in common use today.
9. Analysis
Use any well-known analysis tools.
Make two backups.
10. Data Hiding
There are several techniques by which intruders may hide data:
Obfuscating data through encryption and compression.
Hiding through codes, steganography, deleted files, slack space, and bad sectors.
Blinding investigators through changing behavior of system commands and modifying operating systems.
Use commonly known tools to overcome these techniques.
11. Network Forensics
Unlike computer forensics, which retrieves information from the computer’s disks, network forensics in addition retrieves information on which network ports were used to access the network.
There are several differences that separate the two including the following:
In computer forensics the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly having a higher level of knowledge of the system; in network forensics the investigator and the adversary are at the same skill level.
In many cases, the investigator and the adversary use the same tools: one to cause the incident, the other to investigate it. In fact, many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, which are used to gain information on network configurations, can be used by both the investigator and the criminal.
Computer forensics deals with extraction, preservation, identification, documentation, and analysis, and follows well-defined procedures springing from law enforcement for acquiring evidence, providing chain of custody, authenticating, and interpretation. Network forensics, on the other hand, has nothing to investigate unless measures were in place (like packet filters, firewalls, and intrusion detection systems) prior to the incident.
12. Network Forensics: Intrusion Analysis
Network intrusions can be difficult to detect, let alone analyze. A port scan can take place without quick detection, and more seriously, a stealthy attack on a crucial system resource may be hidden behind a seemingly innocent port scan.
So the purpose of intrusion analysis is to seek answers to the following questions:
Who gained entry?
Where did they go?
How did they do it?
13. Damage Analysis
It is difficult to effectively assess damage caused by system attacks.
It provides a trove of badly needed information showing how widespread the damage was, who was affected and to what extent.
14. To produce a detailed report of a detected intrusion, the investigator must carry out a post-mortem of the system by analyzing and examining the following:
System registry, memory, and caches. To achieve this, the investigator can use dd on Linux and Unix systems.
Network state, to assess network accesses and connections. Here netstat can be used.
Currently running processes, to assess the number of active processes. Use ps on both Unix and Linux.
Data acquisition of all unencrypted data. Hash all files and directories with MD5 and SHA-1, then store this data in a secure place.
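The hashing step above, and the earlier point about authenticating that recovered evidence matches the seized data, are illustrated by this added example (not code from the slides or their author): it builds a hash manifest of an acquired file tree and later re-verifies it, reporting any file that was altered, removed, or added. The slides name MD5 and SHA-1; SHA-256 is included here as an assumption of current practice, since collisions for MD5 and SHA-1 are practical. The evidence tree is constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# The slides name MD5 and SHA-1; SHA-256 is added because collisions for
# MD5 and SHA-1 are practical, so a manifest should carry a modern hash too.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so disk images fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Hash every regular file under root, keyed by path relative to root."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p) for p in files}


def verify_manifest(root, manifest):
    """Re-hash the tree and report what changed, vanished, or appeared since acquisition."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed sample evidence tree: acquire a manifest, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("constructed: login for user alice\n")
        (root / "notes.txt").write_text("constructed case notes\n")
        manifest = build_manifest(root)          # taken at acquisition time
        clean = verify_manifest(root, manifest)  # nothing has changed yet
        (root / "logs" / "auth.log").write_text("constructed: altered after seizure\n")
        (root / "notes.txt").unlink()
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written out, signed or timestamped, and kept with the chain-of-custody record so that later analysis can be shown to have worked on unmodified copies.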
15. Forensic Electronic Toolkit
Computer and network forensics involves and requires:
Identification
Extraction
Preservation
Documentation
Many tools are needed for thorough work.
The “forensically sound” method is never to conduct any examination on the original media.
Before you use any forensic software, make sure you know how to use it, and also that it works.
Tools:
Hard Drive – use partitioning and viewing tools (Partinfo and PartitionMagic).
File Viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (Quickview Plus, Conversion Plus, DataViz, ThumbsPlus).
16. More Tools (cont.)
Unerase – if the files are no longer in the recycle bin or you are dealing with old systems without recycle bins.
CD-R/W – examine them as carefully as possible. Use CD-R Diagnostics.
Text – because text data can be huge, use fast scanning tools like dtSearch.
Other kits:
Forensic Toolkit – command-line utilities used to reconstruct access activities on NT file systems.
Coroner’s Toolkit – to investigate a hacked Unix host.
ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.
New Technologies Incorporated (NTI)
EnCase
Hardware – Forensic-computers.com