
Forensics Book 4: Investigating Network Intrusions and Cybercrime

Forensics Book 4: Investigating Network Intrusions and Cybercrime. Chapter 1: Network Forensics and Investigating Logs. Objectives: look for evidence; perform an end-to-end forensic investigation; use log files as evidence; evaluate log file accuracy and authenticity.


Presentation Transcript


  1. Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 1: Network Forensics and Investigating Logs

  2. Objectives • Look for evidence • Perform an end-to-end forensic investigation • Use log files as evidence • Evaluate log file accuracy and authenticity • Understand the importance of audit logs

  3. Objectives (continued) • Understand syslog • Understand Linux process accounting • Configure Windows logging • Understand NTP

  4. Case Example • In August 2005, a Moroccan named Farid Essebar and a Turk named Atilla Ekici were arrested in their respective home countries on the charges of creating and distributing the Zotob, Rbot, and Mytob worms • The Mytob worm affected a wide range of Windows systems, including Windows NT, 2000, XP, and Server 2003 • The Zotob worm affected the systems of corporate giants, such as the New York Times Company, CNN, ABC News, Caterpillar Inc., and General Electric Co • Within 12 days of the release of the worm, the culprits were arrested

  5. Introduction to Network Forensics and Investigating Logs • This module: • Focuses on network forensics and investigating logs • Starts by defining network forensics and describing the tasks associated with a forensic investigation • Covers log files and their use as evidence • Concludes with a discussion about time synchronization

  6. Network Forensics • Network forensics • The capturing, recording, and analysis of network events in order to discover the source of security attacks • Capturing network traffic over a network is simple in theory, but relatively complex in practice • Because recording network traffic involves a lot of resources, it is often not possible to record all of the data flowing through the network

  7. Analyzing Network Data • The most critical and most time-consuming task • There are not enough automated analysis tools that an investigator can use for forensic purposes • There is no foolproof method for discriminating bogus traffic generated by an attacker from genuine traffic • Network forensics can reveal the following: • How an intruder entered the network • The path of intrusion • The intrusion techniques an attacker used • Traces and evidence

  8. The Intrusion Process • Network intruders can enter a system using the following methods: • Enumeration • Vulnerabilities • Viruses • Trojans • E-mail infection • Router attacks • Password cracking

  9. Looking for Evidence • An investigator can find evidence from: • The attack computer and intermediate computers • Firewalls • Internetworking devices • The victim computer

  10. End-to-End Forensic Investigation • Involves following basic procedures from beginning to end • Some of the elements of an end-to-end forensic trace: • The end-to-end concept • Locating evidence • Pitfalls of network evidence collection • Event analysis

  11. Log Files as Evidence • Log files • Primary recorders of a user’s activity on a system and of network activities • Provide clues to investigate • Basic problem with logs: they can be altered easily • An investigator must be able to prove in court that the logging software records events correctly • Computer records are not automatically admissible as evidence • They must meet certain criteria (typically those of the business records exception to the hearsay rule) to be admitted at all

  12. Legality of Using Logs • Legal issues involved with creating and using logs: • Logs must be created reasonably contemporaneously with the event under investigation • Log files cannot be tampered with • Someone with knowledge of the event must record the information • Logs must be kept as a regular business practice • Random compilations of data are not admissible • Logs instituted after an incident has commenced do not qualify under the business records exception • If an organization starts keeping regular logs now, it will be able to use the logs as evidence later

  13. Legality of Using Logs (continued) • Legal issues: (continued) • A custodian or other qualified witness must testify to the accuracy and integrity of the logs • A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used • Including the logging software • A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence • If an investigator claims that a machine has been penetrated, log entries written after that point are inherently suspect, since the intruder may have altered them

  14. Legality of Using Logs (continued) • Legal issues: (continued) • In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization • An organization’s own logging and monitoring software must be made available to the court • So that the defense has an opportunity to examine the credibility of the records • The original copies of any log files are preferred • A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors come equipped with USB or SCSI interfaces

  15. Examining Intrusion and Security Events • Monitoring for intrusion and security breach events is necessary to track down attackers • Examining intrusion and security events includes both passive and active tasks • Post-attack detection or passive intrusion detection • Detection of an intrusion after the attack has taken place • Log files are often the only source from which the attack techniques can be evaluated and reconstructed • Usually involves a manual review of event logs and application logs

  16. Examining Intrusion and Security Events (continued) • Active intrusion detection • Detects attack attempts as soon as the attack takes place • Administrator or investigator follows the footsteps of the attacker and looks for known attack patterns or commands • Intrusion detection • Process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data • There are various types of intrusions

  17. Using Multiple Logs as Evidence • Recording the same event on two different devices makes the evidence stronger • Logs from several devices collectively corroborate each other; an attacker who alters one device’s log rarely controls all of them • Firewall logs, IDS logs, and tcpdump output can each contain evidence of an Internet user connecting to a specific server at a given time • The records can only be compared after their timestamps are reconciled to a common time base (UTC), since each device may log in its own time zone
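
An added example of the cross-device correlation described on this slide, written for this page rather than taken from the book: it parses constructed firewall, IDS and tcpdump lines (in simplified versions of the iptables, Snort "fast alert" and `tcpdump -tttt` formats), converts every timestamp to UTC, and reports which devices saw each connection within a short window. The local time zone (UTC-5), the year and the addresses are assumptions made for the sample data.

```python
"""Correlate firewall, IDS and tcpdump records that describe one connection.

Added example, not from the original slides. The three log formats are
simplified, constructed samples. Every timestamp is normalised to UTC before
comparison because each device may log in its own time zone.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Assumptions for the constructed data: the firewall and IDS log in local
# time (UTC-5) and carry no year; tcpdump was run with TZ=UTC.
LOCAL_TZ = timezone(timedelta(hours=-5))
YEAR = 2012

FIREWALL_LOG = """\
Mar 12 09:02:17 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=80
Mar 12 09:03:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
"""
IDS_LOG = """\
03/12-09:02:18.104233  [**] [1:1000001:2] WEB-ATTACKS /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.7:51514 -> 192.0.2.10:80
"""
TCPDUMP_LOG = """\
2012-03-12 14:02:17.998812 IP 203.0.113.7.51514 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
2012-03-12 14:02:18.104001 IP 203.0.113.7.51514 > 192.0.2.10.80: Flags [P.], seq 1:220, ack 1, win 65535, length 219
2012-03-12 14:03:40.120000 IP 198.51.100.9.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
"""

Record = namedtuple("Record", "source ts src sport dst dport detail")

FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")
IDS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*\{TCP\} (\S+):(\d+) -> (\S+):(\d+)")
TCPDUMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")


def _local_to_utc(stamp, fmt):
    """Parse a year-less local timestamp and convert it to an aware UTC datetime."""
    return datetime.strptime(f"{YEAR} {stamp}", fmt).replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)


def parse_firewall(text):
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            out.append(Record("firewall", _local_to_utc(m.group(1), "%Y %b %d %H:%M:%S"),
                              m.group(3), int(m.group(5)), m.group(4), int(m.group(6)), m.group(2)))
    return out


def parse_ids(text):
    out = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            out.append(Record("ids", _local_to_utc(m.group(1), "%Y %m/%d-%H:%M:%S"),
                              m.group(3), int(m.group(4)), m.group(5), int(m.group(6)), m.group(2)))
    return out


def parse_tcpdump(text):
    out = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:  # tcpdump ran under TZ=UTC, so the stamp is already UTC
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            out.append(Record("tcpdump", ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5)), m.group(6)))
    return out


def correlate(records, window_seconds=60):
    """Group records by (src, sport, dst, dport) and list the devices that saw
    the connection within `window_seconds` of its earliest sighting."""
    by_key = {}
    for r in sorted(records, key=lambda r: r.ts):
        by_key.setdefault((r.src, r.sport, r.dst, r.dport), []).append(r)
    result = {}
    for key, recs in by_key.items():
        first = recs[0].ts
        result[key] = sorted({r.source for r in recs if r.ts - first <= timedelta(seconds=window_seconds)})
    return result


def corroborated(records, min_sources=2, window_seconds=60):
    """Only the connections seen by at least `min_sources` independent devices."""
    return {k: v for k, v in correlate(records, window_seconds).items() if len(v) >= min_sources}


def all_records():
    return parse_firewall(FIREWALL_LOG) + parse_ids(IDS_LOG) + parse_tcpdump(TCPDUMP_LOG)


if __name__ == "__main__":
    for key, sources in corroborated(all_records()).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} seen by {', '.join(sources)}")
```

Run stand-alone it prints which devices saw each connection. The HTTP request is corroborated by all three devices; the SSH attempt is only seen by the firewall and the packet capture (the IDS had no signature for it), which is exactly the kind of partial agreement an investigator has to explain rather than ignore. Note that the correlation key is the 5-tuple, so it will not link records if a NAT device rewrites the source address between the capture points.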

  18. Maintaining Credible IIS Log Files • Questions before presenting IIS logs in court: • What would happen if the credibility of the IIS logs was challenged in court? • What if the defense claims the logs are not reliable enough to be admissible as evidence? • Investigator must secure the evidence and ensure that it is accurate, authentic, and accessible • In order to prove that the log files are valid: • The investigator must be able to show, with supporting evidence, how the logs were generated, collected, and preserved; that showing is what makes them dependable evidence

  19. Maintaining Credible IIS Log Files (continued) • Log file accuracy • The accuracy of IIS log files determines their credibility • Accuracy here means that the log files presented before the court of law represent the actual outcome of the activities related to the IIS server being investigated • Logging everything • In order to ensure that a log file is complete, a network administrator must enable every available log field • IIS logs must record who made each request and what it did: client IP address, user name, method, URI stem and query, status code, and so on

  20. Maintaining Credible IIS Log Files (continued) • Extended logging on an IIS server • Limited logging is set globally by default • So any new Web site created inherits the same limited set of fields • An administrator can change the configuration of an IIS server to use W3C Extended logging with all fields selected

  21. Keeping Time • With the Windows Time service (W32Time), a network administrator can synchronize IIS servers with an external time source using NTP • Within a domain, member servers synchronize with their domain controller, and the domain hierarchy in turn should be synchronized with an external source; log timestamps are only as trustworthy as that chain of synchronization

  22. Maintaining Credible IIS Log Files (continued) • UTC Time • IIS records W3C Extended logs in UTC by default, which helps in correlating servers in multiple time zones • Windows applies the system time zone offset to the system clock to calculate UTC, so a wrong time zone setting shifts every timestamp even when the clock itself is correct • When log files roll over at local midnight, the first entries in a new day’s file carry UTC timestamps equal to the server’s offset from UTC (a file that opens at 05:00:01 came from a server set to UTC-5), so a network administrator can verify a server’s time zone setting by looking at the first entries in the log file

  23. Maintaining Credible IIS Log Files (continued) • Avoiding missing logs • When an IIS server is offline or powered off, no log file is created for that period • A missing log file alone cannot tell the investigator whether the server was actually offline or powered off, or whether the log file was deleted • To combat this problem, an administrator can schedule a recurring request to the server (a heartbeat) using a scheduling tool; a gap in the heartbeat entries with no matching shutdown event then points to deletion rather than downtime
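
An added example, not from the book, that applies the three points above (extended logging fields, UTC timestamps, and scheduled heartbeat requests) to a constructed IIS W3C Extended log: it parses the `#Fields` directive into named columns, estimates the server's UTC offset from the first entry on the assumption that files roll over at local midnight, and reports gaps in hourly heartbeat entries from an assumed monitor host. The log text, the monitor address 192.0.2.20 and the path /heartbeat.txt are all assumptions for the example.

```python
"""Parse an IIS W3C Extended log, estimate the server's UTC offset and look
for missing heartbeat entries.

Added example, not from the original slides. The log text is constructed.
Assumptions: W3C Extended fields are logged in UTC (the IIS default), the
server rolls log files over at local midnight, and a scheduled job on a
monitor host (192.0.2.20) requests /heartbeat.txt once an hour so that a
server that was merely idle can be told apart from a deleted log.
"""
from datetime import datetime, timezone

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-03-12 05:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-03-12 05:00:01 192.0.2.10 GET /heartbeat.txt - 80 - 192.0.2.20 Heartbeat/1.0 200 0 0
2012-03-12 05:14:33 192.0.2.10 GET /index.htm - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2012-03-12 06:00:02 192.0.2.10 GET /heartbeat.txt - 80 - 192.0.2.20 Heartbeat/1.0 200 0 0
2012-03-12 07:00:01 192.0.2.10 GET /heartbeat.txt - 80 - 192.0.2.20 Heartbeat/1.0 200 0 0
2012-03-12 07:21:09 192.0.2.10 GET /admin/login.asp user=admin 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
2012-03-12 10:00:00 192.0.2.10 GET /heartbeat.txt - 80 - 192.0.2.20 Heartbeat/1.0 200 0 0
2012-03-12 11:00:03 192.0.2.10 GET /heartbeat.txt - 80 - 192.0.2.20 Heartbeat/1.0 200 0 0
"""


def parse_w3c(text):
    """Return (directives, entries). Column names come from the #Fields
    directive; '-' means the field was empty; 'ts' is an aware UTC datetime."""
    fields, directives, entries = None, {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            directives[name.strip()] = value.strip()
            if name.strip() == "Fields":          # IIS may emit a new header mid-file
                fields = value.split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")                  # IIS replaces spaces inside fields with '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        row = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}",
                                      "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append(row)
    return directives, entries


def infer_utc_offset_hours(entries):
    """Assuming the file was opened at local midnight, the UTC time of the first
    entry (rounded to the nearest quarter hour) reveals the server's offset."""
    first = entries[0]["ts"]
    secs = first.hour * 3600 + first.minute * 60 + first.second
    secs = round(secs / 900) * 900
    return (-secs if secs <= 12 * 3600 else 86400 - secs) / 3600


def heartbeat_gaps(entries, path, monitor_ip, interval=3600, tolerance=120):
    """Return (previous_ts, next_ts, missed_count) for every stretch where the
    scheduled request from `monitor_ip` failed to appear on time."""
    times = [e["ts"] for e in entries if e["cs-uri-stem"] == path and e["c-ip"] == monitor_ip]
    gaps = []
    for prev, cur in zip(times, times[1:]):
        delta = (cur - prev).total_seconds()
        if delta > interval + tolerance:
            gaps.append((prev, cur, round(delta / interval) - 1))
    return gaps


if __name__ == "__main__":
    directives, entries = parse_w3c(SAMPLE_LOG)
    print(directives["Software"], "- first entry", entries[0]["ts"])
    print("estimated server offset from UTC (hours):", infer_utc_offset_hours(entries))
    for prev, cur, missed in heartbeat_gaps(entries, "/heartbeat.txt", "192.0.2.20"):
        print(f"no heartbeat between {prev:%H:%M:%S} and {cur:%H:%M:%S} UTC ({missed} missed)")
```

The sample shows two missed heartbeats between 07:00 and 10:00 UTC. Whether that is downtime or a tampered file is decided by comparing the gap with the server's own shutdown and startup events; the heartbeat simply makes the gap visible. The offset estimate only holds if the server really rolls over at local midnight; if it rolls over at UTC midnight the first entry will be near 00:00 and the function returns 0, which says nothing about the time zone.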

  24. Maintaining Credible IIS Log Files (continued) • Log file authenticity • IIS log files are plain text files that are easy to alter • The file system date and time stamps on these files are also easy to modify • They cannot be considered authentic in their default state • Logs should be moved to a master server and then moved offline to secondary storage media such as tape or CD-ROM; recording a cryptographic hash of each file at collection time allows every later copy to be checked against the original

  25. Maintaining Credible IIS Log Files (continued) • Working with copies • Investigator should create working copies before performing any post-processing or log file analysis • When using log files as evidence in court, an investigator is required to present the original files in their original form • Access control • In order to prove the credibility of logs, an investigator or network administrator needs to ensure that any access to those files is audited • NTFS permissions and object access auditing can be used to restrict and record access to the log files

  26. Maintaining Credible IIS Log Files (continued) • Chain of custody • The chain of custody must be maintained for log files • When an investigator or network administrator moves log files from a server, and after that to an offline device, he or she should record where the log file went, who handled it, and what other devices it passed through • IIS centralized binary logging • Process in which many Web sites write binary and unformatted log data to a single log file • A parsing tool (such as Microsoft Log Parser) is required to view and analyze the data • Decreases the amount of system resources that are consumed during logging
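
An added example, not from the book, of the integrity and chain-of-custody practice described on the last three slides: it hashes each collected file, records every hand-off, and later reports each file as ok, modified or missing. The host name, file name and custodian are hypothetical, and the files are written to a temporary directory so the example runs anywhere.

```python
"""Hash manifest and custody record for collected log files.

Added example, not from the original slides. Names are hypothetical. The
manifest is only useful if it is stored where the suspect cannot reach it
(offline media, or a signed copy kept by the investigator).
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def record_transfer(manifest, who, action):
    """Append a custody entry every time the files change hands or media."""
    manifest["custody"].append({"when": _now(), "who": who, "action": action})
    return manifest


def build_manifest(paths, source_host, collected_by):
    """Record name, size and hash of every file, plus the first custody entry."""
    manifest = {
        "source_host": source_host,
        "files": {os.path.basename(p): {"size": os.path.getsize(p), "sha256": sha256_file(p)}
                  for p in paths},
        "custody": [],
    }
    return record_transfer(manifest, collected_by, f"collected from {source_host}")


def verify_manifest(manifest, directory):
    """Compare the files now in `directory` with the manifest: ok / modified / missing."""
    status = {}
    for name, meta in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            status[name] = "missing"
        elif os.path.getsize(path) != meta["size"] or sha256_file(path) != meta["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    return status


def demo():
    """Collect one log, verify it, then show what tampering and deletion look like."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "ex120312.log")        # hypothetical IIS log file
        with open(log, "w") as fh:
            fh.write("#Software: Microsoft Internet Information Services 6.0\n")
            fh.write("2012-03-12 05:00:01 192.0.2.10 GET /index.htm 200\n")
        manifest = build_manifest([log], "web01", "J. Investigator")
        record_transfer(manifest, "J. Investigator", "copied to evidence DVD-R #17")
        before = verify_manifest(manifest, tmp)
        with open(log, "a") as fh:                    # any change, even an appended line, breaks the hash
            fh.write("2012-03-12 05:01:00 192.0.2.10 GET /admin/ 200\n")
        after_edit = verify_manifest(manifest, tmp)
        os.remove(log)
        after_delete = verify_manifest(manifest, tmp)
        return before, after_edit, after_delete, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    before, after_edit, after_delete, text = demo()
    print(before, after_edit, after_delete, sep="\n")
    print(text)
```

The custody list answers the "where did it go and what did it pass through" question from the slide; the hashes answer "is this still the file that was collected". Neither replaces the original: the working copies are what get analysed, and the manifest is what lets the analyst show the copies match the original that is produced in court.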

  27. Maintaining Credible IIS Log Files (continued) • ODBC logging • Records a set of data fields in an ODBC-compliant database like Microsoft Access or Microsoft SQL Server • When ODBC logging is enabled, IIS disables the HTTP.sys kernel-mode cache • Tool: IISLogger • Provides additional functionality on top of standard IIS logging • Produces additional log data and sends it using syslog • IISLogger is an ISAPI filter that is packaged as a DLL embedded in the IIS environment

  28. Maintaining Credible IIS Log Files (continued) Figure 1-1 IISLogger provides additional IIS logging functionality.

  29. Importance of Audit Logs • Reasons audit logs are important: • Accountability • Reconstruction • Intrusion detection • Problem detection

  30. Syslog • Syslog • The standard message-logging facility on Linux and other Unix-like systems (the original BSD protocol is described in RFC 3164, the newer one in RFC 5424) • Permits both local and remote log collection • Allows system administrators to collect and distribute audit data with a single point of management • Controlled on a per-machine basis with the file /etc/syslog.conf • The format of configuration lines is: • facility.level <Tab><Tab> action

  31. Syslog (continued) • Primary advantage of syslog • All reported messages are collected in a message file • Logging priorities are selected by configuring /etc/syslog.conf; the resulting message files are written under /var/log (for example /var/log/messages) • Remote logging • Centralized log collection makes both day-to-day maintenance and incident response simpler • Causes the logs from multiple machines to be collected in one place, where an intruder on a single host cannot erase them • Advantages include more effective auditing, secure log storage, easier log backups, and an increased chance for analysis across multiple platforms

  32. Syslog (continued) • Log replication may also be used to audit logs • Log replication copies the audit data to multiple remote-logging hosts • Preparing the server for remote logging • Central logging server should be set aside to perform only logging tasks • Server should be kept in a secure location behind the firewall • Make sure that no unnecessary services are running on the server • Delete any unnecessary user accounts

  33. Syslog (continued) • Configuring remote logging • Run syslogd with the -r option on the server that is to act as the central logging server • Allows the server to receive messages from remote hosts via UDP port 514 • Three files that may need to be changed: • /etc/rc.d/init.d/syslog • /etc/sysconfig/syslog (SYSLOGD_OPTIONS) • /etc/services • An entry should appear in /var/log/messages indicating that the remote syslog server is running • On each client, the syslog server is added to /etc/syslog.conf as an action of the form @loghost • Caveat: UDP syslog is neither authenticated nor encrypted, so any host on the network can forge entries or the messages can be lost silently; restrict which hosts the server accepts from, and use rsyslog or syslog-ng when a TCP or TLS transport is needed
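
An added example, not from the book, of how syslog classifies and routes messages: it decodes the `<PRI>` field of constructed BSD-format messages (the first is the sample message from RFC 3164) into facility and severity, then applies a constructed syslog.conf fragment using the classic selector rules, including an `@loghost` forwarding action like the one added on each client above. The host names and the configuration lines are assumptions.

```python
"""Decode syslog priorities and route messages the way /etc/syslog.conf does.

Added example, not from the original slides. Messages and configuration are
constructed. Classic BSD selector semantics: `facility.level` matches that
level and everything more severe, `=level` matches exactly, `none` excludes
a facility, `*` is a wildcard, `;` separates selectors on one line and `,`
separates facilities. Within a line the last selector that speaks for a
facility wins. Actions beginning with `@` forward to that host (UDP/514);
a leading `-` on a file means "do not sync after every write".
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG   (RFC 3164 layout)
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

MESSAGES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Oct 11 22:15:00 mymachine sshd[1234]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2",
    "<22>Oct 11 22:16:10 mymachine postfix/smtp[77]: connect to mx.example.net[192.0.2.25]:25",
    "<165>Oct 11 22:17:30 mymachine app[9]: order 4711 accepted",
]

CONFIG = """\
# constructed syslog.conf fragment (real syslogd versions may insist on tabs)
auth,authpriv.*                  /var/log/auth.log
*.info;mail.none;authpriv.none   /var/log/messages
mail.*                           -/var/log/maillog
*.=crit                          /dev/console
*.warning                        @loghost.example.net
"""


def decode(raw):
    """Split PRI into facility and severity: PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError(f"not a BSD syslog message: {raw!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def parse_config(text):
    """Return [([(facilities, level), ...], action), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_part, action = line.split(None, 1)
        selectors = []
        for sel in selector_part.split(";"):
            facs, _, level = sel.rpartition(".")
            selectors.append((facs.split(","), level))
        rules.append((selectors, action.strip()))
    return rules


def selector_matches(facs, level, facility, severity):
    """True/False if this selector speaks for `facility`, None if it is silent."""
    if "*" not in facs and facility not in facs:
        return None
    if level == "none":
        return False
    if level == "*":
        return True
    if level.startswith("="):
        return severity == level[1:]
    return SEVERITIES.index(severity) <= SEVERITIES.index(level)   # this level or more severe


def route(decoded, rules):
    """List the actions a message is delivered to, in configuration order."""
    actions = []
    for selectors, action in rules:
        verdict = None
        for facs, level in selectors:
            v = selector_matches(facs, level, decoded["facility"], decoded["severity"])
            if v is not None:
                verdict = v                # later selectors override earlier ones
        if verdict:
            actions.append(action)
    return actions


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for raw in MESSAGES:
        d = decode(raw)
        print(f"{d['facility']}.{d['severity']:8} -> {route(d, rules)}")
```

The authpriv message is deliberately kept out of /var/log/messages by the `authpriv.none` selector, and only the `su` failure is severe enough to reach the console and the remote host. Because the PRI value is chosen by the sending process, nothing here authenticates the sender: a compromised host can emit messages under any facility or severity, so the central server corroborates a suspicious host's logs but cannot vouch for them on its own.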

  34. Tool: Syslog-ng • A flexible and scalable audit-processing tool • Offers a centralized and securely stored log for all the devices on a network • Features of Syslog-ng: • Guarantees the availability of logs • Compatible with a wide variety of platforms • Used in heavily firewalled environments • Offers proven robustness • Allows a user to manage audit trails flexibly • Has customizable data mining and analysis capabilities • Allows a user to filter based on message content

  35. Tool: Syslog-ng (continued) Figure 1-2 An administrator can use Syslog-ng to manage logs for all devices on a network.

  36. Tool: Syslog-ng (continued) • Tool: Socklog • Small and secure replacement for syslogd • Runs on Linux (glibc 2.1.0 or higher, or dietlibc), OpenBSD, FreeBSD, Solaris, and NetBSD • Tool: Kiwi Syslog Daemon • Freeware syslog daemon for Windows • Receives logs and displays and forwards syslog messages from routers, switches, UNIX hosts, and any other syslog-enabled device

  37. Tool: Syslog-ng (continued) Figure 1-3 Kiwi Syslog Daemon offers administrators a wealth of customizable options.

  38. Tool: Microsoft Log Parser • A powerful, versatile, robust command-line tool • Offers a SQL interface to various log file formats • Fast enough for log file analysis of many Web sites • Features of Microsoft Log Parser: • Enables a user to run SQL-like queries against log files in many formats (including IIS W3C, centralized binary, and NCSA logs) • Produces the desired information either on the screen, in a file, or in a SQL database • Allows multiple files to be piped in or out as source or target tables • Generates HTML reports and MS Office objects • Supports conversion between its input formats and outputs such as CSV or SQL tables

  39. Tool: Microsoft Log Parser (continued) Figure 1-4 Microsoft Log Parser allows a user to analyze log files using SQL-like queries.

  40. Tool: Microsoft Log Parser (continued) • Microsoft Log Parser Architecture • Log Parser provides a global query access to text-based data such as IIS log files, XML files, text files, and CSV files, and key data sources like the Windows Event Log, the registry, the file system, user plug-ins, and Active Directory • Operating systems for Microsoft Log Parser: • Windows 2000 • Windows Server 2003 • Windows XP Professional

  41. Tool: Firewall Analyzer • Web-based firewall monitoring and log analysis tool • Collects, analyzes, and reports information on enterprise-wide firewalls, proxy servers, and RADIUS servers • Features of Firewall Analyzer include: • Bandwidth usage tracking • Intrusion detection • Traffic auditing • Anomaly detection through network behavioral analysis • Web site user access monitoring

  42. Tool: Firewall Analyzer (continued) Figure 1-5 This is the main screen of Firewall Analyzer.

  43. Tool: Adaptive Security Analyzer (ASA) Pro • Security and threat intelligence application • Continuously monitors dynamic, high-volume, heterogeneous security-related data • Recognizes and quantifies the extent of event abnormality • Advises security personnel of the factors that contributed most to the event’s classification • Features of ASA Pro include: • Accelerates threat response • Has improved preemptive capabilities • Expands resource capacity • Maximizes return on security and other IT assets

  44. Tool: Adaptive Security Analyzer (ASA) Pro (continued) Figure 1-6 ASA Pro provides extensive details about security events.

  45. Tool: GFI EventsManager • Collects data from all devices that use Windows event logs, W3C, and syslog • Applies rules and filtering to identify key data • Provides administrators with real-time alerting when critical events arise • Suggests remedial action

  46. Tool: GFI EventsManager (continued) • Features of GFI EventsManager: • Network-wide analysis of event logs • Explanations of cryptic Windows events • Centralized event logging • High-performance scanning engine • Real-time alerts • Advanced event filtering features • Report viewing for key security information happening on the network

  47. Tool: GFI EventsManager (continued) • How does GFI EventsManager work? • GFI EventsManager divides the events management process in two stages: • Event collection • Event processing

  48. Tool: GFI EventsManager (continued) Figure 1-7 GFI EventsManager manages events in two stages.

  49. Tool: Activeworx Security Center • Security information and event management product • Monitors security-related events for a variety of devices from one central console • Allows for the discovery of threats, the correlation of relevant security information, and the analysis of vulnerabilities and attacks • Provides intelligence for security personnel to act upon

  50. Tool: Activeworx Security Center (continued) Figure 1-8 Activeworx Security Center monitors security-related events from one central console.
