Investigate the complexities of digital security breaches, from sophisticated intruders to rootkits, and the role of forensic specialists in uncovering the perpetrators. Learn about the tools, hindrances, and multidisciplinary teams involved in these investigations.
Investigating Sophisticated Security Breaches
Digital forensics has proven tough in the age of sophisticated intruders
Security Breaches: What's going on?
• Data is being compromised
• Information is being placed in inappropriate places (e.g. a swastika on a Jewish site)
• Code manipulation (e.g. altering code used for security without the developer's knowledge)
• Personal identities
Security Breaches: Who is doing it?
• Programmers
• Hackers
• Governments (China, Russia)
• Terrorists
Security Breaches: What is happening?
• Workplace theft
• Phishing scams
• Email scams
• Utilization of rootkits (coming up)
• Network intrusions
Security Breaches: Who investigates?
• Company security personnel
• Forensic scientists (digital and traditional)
• Governments
• Police departments
• Digital forensics specialization companies
Network Intrusions
• Among the most challenging kinds of computer crime to investigate
• Dynamic nature of networks
• Time lost is evidence lost
• Investigate without interrupting the organization
• Find what was stolen (taken)
• Find out who did it
Network Intrusions: Hindrances to investigation
• Smarter and younger generation of hackers
• Sophisticated programs
• Dynamic nature of networks
• Large amounts of data to go through
• Time zone differences
• Foreign location of systems/persons
• Encoded communications between hosts
Investigation Tools
• The company's security personnel (if they weren't fired!)
• Command, Control, Communications, and Concealment systems (Analyst's Notebook)
• Sniffers (packet, node, etc.)
• Custom programs
Analyst's Notebook (image credit: Jessica Reust)
Rootkits
• A rootkit is a set of software tools used to legitimately (and not legitimately) conceal running processes.
• They modify parts of the operating system (including UNIX, Linux, Solaris, and Windows).
• The term rootkit comes from its origins in UNIX: the kit lets an intruder maintain 'root', the most privileged level of the UNIX operating system, typically by replacing system tools such as ps, netstat, w, and passwd.
Rootkits
• Used to hide files
• Rootkits are a technology
• Threats that utilize rootkits generally try to maintain control of one system (zombie host)
• Used for:
• DoS attacks
• Email attacks
• Spam attacks
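The slide notes that a rootkit hides processes by replacing tools such as ps. A defender's classic counter is cross-view detection: compare what the (possibly trojaned) tool reports against a lower-level view and flag the gap. The example below is added here and is not part of the original slides; the sample /proc listing and ps output are constructed, and PID 4242 is the constructed "hidden" process.

```python
"""Cross-view detection of processes hidden from a trojaned ps.

A user-land rootkit that replaces ps can drop a PID from the tool's output,
but it usually cannot remove the matching /proc/<pid> directory. Comparing
the two views exposes the hidden PID. (Added example, not from the slides.)
"""
import os
import re
import subprocess


def pids_from_ps_output(text: str) -> set:
    """Parse the PID column from `ps -eo pid,comm` output, skipping the header."""
    pids = set()
    for line in text.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\b", line)
        if match:
            pids.add(int(match.group(1)))
    return pids


def pids_from_proc_listing(entries) -> set:
    """Keep only the numeric directory names of a /proc listing."""
    return {int(name) for name in entries if name.isdigit()}


def cross_view_hidden(proc_view: set, tool_view: set) -> set:
    """PIDs present in the low-level view but missing from the tool's view."""
    return proc_view - tool_view


def live_check() -> set:
    """Run the comparison on this host (Linux only; empty set elsewhere)."""
    if not os.path.isdir("/proc"):
        return set()
    proc_view = pids_from_proc_listing(os.listdir("/proc"))
    result = subprocess.run(["ps", "-eo", "pid,comm"], capture_output=True,
                            text=True, check=False)
    tool_view = pids_from_ps_output(result.stdout)
    # A process may exit between the two snapshots; only report PIDs that
    # still exist, so a race does not become a false alarm.
    return {p for p in cross_view_hidden(proc_view, tool_view)
            if os.path.exists(f"/proc/{p}")}


# Constructed sample: /proc contains PID 4242, the trojaned ps does not show it.
SAMPLE_PROC = ["1", "2", "1337", "4242", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "  PID COMMAND\n    1 init\n    2 kthreadd\n 1337 sshd\n"

if __name__ == "__main__":
    hidden = cross_view_hidden(pids_from_proc_listing(SAMPLE_PROC),
                               pids_from_ps_output(SAMPLE_PS))
    print("hidden PIDs in sample:", sorted(hidden))
```

The same comparison works for other trojaned tools (netstat against /proc/net/tcp, ls against a raw directory read); a kernel-level rootkit that filters /proc itself defeats it, which is why the later slides stress capturing memory as well.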
The Investigative Team
• Multidisciplinary teams are needed to catch sophisticated intruders
• Range from 3 to 8 personnel
• All have their own expertise
• May include outside help (local police, forensics labs, etc.)
• May also include a liaison to other law enforcement agencies
• Keep track of incoming information (not easy)
The Need for Speed
• Success is very dependent on the system logs and backups the organization has in place.
• Capture logs by freezing them
• Capture data backups by utilizing the organization's personnel
• Image ("ghost") hard drives and memory spaces
• Capture network traffic
• Disable rootkits if still active to reveal any of the above needed data
Organization Issues
• Organizations are rarely prepared for a digital forensic investigation
• Investigators seldom have knowledge of the victim network
• The preservation effort is heavily dependent on information gathered from the victim's IT staff
• All of this data must be collected in a forensically sound manner
Challenges Faced
• Gathering memory dumps
• Capturing virtual memory
• Looking for comparable hints
• Discovering the method of operation (MO) of the intruder
• Searching network-level logs
• Hacking back
Conclusion
• Ill-prepared networks allow controlled systems to attack the better-prepared networks
• The more sophisticated the networks become, the more sophisticated the intruders become
• Programmers, wake up
Informative Sites
• Kernel control software: Hxdef.czweb.org
• Development of anti-forensic tools: www.metasploit.com/projects/antiforensics
• Investigating company: Global Digital Forensics, www.evestigate.com
• Digital Forensic Research Workshop: www.dfrws.org