91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 1: Computer Forensics and Investigations as a Profession
Outline
• Understand computer forensics
• Prepare for computer investigations
• Understand enforcement agency investigations
• Understand corporate investigations
• Maintain professional conduct
Dr. Xinwen Fu
Understanding Computer Forensics
• Computer forensics involves obtaining and analyzing digital information from individual computers for use as evidence in civil, criminal, or administrative cases
• Network forensics yields information about how a perpetrator or hackers gained access to a network
• The Fourth Amendment to the U.S. Constitution protects everyone's rights to be secure in their person, residence, and property from search and seizure
• What happened in O.J. Simpson's case?
Understanding Computer Forensics (continued)
• When preparing to search for evidence in a criminal case, include the suspect's computers and their components in the search warrant
• Computer forensics is a very complicated process; legal, political, business and technical factors will shape every investigation
• Prison Break - politics
CSIRT: Computer Security Incident Response Team
• Manage investigations and conduct forensic analysis of systems
• Draw on resources from those involved in:
  • vulnerability assessment
  • risk management
  • network intrusion detection
  • incident response
• Resolve or terminate all case investigations
Computer Components of CSIRT
• Vulnerability assessment and risk management
• Computer investigations & network intrusion detection
• Incident response
Vulnerability Assessment and Risk Management
• Test and verify the integrity of standalone workstations and network servers
• Examine physical security of systems and the security of operating systems (OSs) and applications
• Test for known vulnerabilities of OSs
• Launch attacks on the network, workstations, and servers to assess vulnerabilities
Computer Investigations
• Involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court
• The evidence can be inculpatory or exculpatory – Duke lacrosse team rape charge
• Objective is different from that of data recovery or disaster recovery
• Investigating computers includes:
  • Securely collecting/searching computer data
  • Examining suspect data to determine details such as origin and content
  • Presenting computer-based information to courts
  • Applying laws to computer practice
Network Intrusion Detection and Incident Response Functions
• Detect intruder attacks using automated tools and by monitoring network firewall logs manually
• Track, locate, and identify the intruder
• Deny further access to the network
• Collect evidence for civil or criminal litigation against the intruders
Course Outline
• CSIRT: Computer Security Incident Response Team
• Incident response process (figure): pre-incident preparation → detection of incidents (incident occurs: point-in-time or ongoing) → initial response → formulate response strategy → investigate the incident (data collection, data analysis) → reporting → resolution (recovery, implement security measures)
A Brief History of Computer Forensics
• Mainframe era
  • Well-known crimes: one-half cent, $12.234
• PC era
  • By the early 1990s, specialized tools for computer forensics were available
  • ASR Data created the tool Expert Witness for the Macintosh
    • Recover deleted files and file fragments
  • EnCase, by one member of ASR Data
  • FTK (AccessData's Forensic Toolkit)
  • iLook (reading disk images)
Computer Investigations and Forensics
• Public investigations
  • Target criminal cases
  • Conducted by government agencies
  • Follow the law of search and seizure/enforcement
  • www.usdoj.gov/criminal/cybercrime
• Private or corporate investigations
  • Target civil cases
  • Conducted by private companies/lawyers
  • Follow private or corporate policies
Understanding Enforcement Agency Investigations
• Understand local city, county, state, and federal laws on computer-related crimes
• Until 1993, laws defining computer crimes did not exist
• States have added specific language to their criminal codes to define crimes that involve computers
• "Computers and networks are only tools that can be used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house"
• Possible computer crimes: data theft, child molestation images, drug transaction information on a hard disk
Legal Process for Computer Crimes
• A criminal case follows three stages:
  • Complaint
    • Someone files a complaint
  • Investigation
    • A specialist investigates the complaint
  • Prosecution
    • Prosecutor collects evidence and builds a case
Levels of Law Enforcement Expertise for Police (CTIN)
• Level 1 (street police officer)
  • Acquiring and seizing digital evidence
• Level 2 (detective)
  • Managing high-tech investigations
  • Teaching the investigator what to ask for
  • Understanding computer terminology
  • What can and cannot be retrieved from digital evidence
• Level 3 (computer forensics expert)
  • Specialist training in retrieving digital evidence
Typical Affidavit of Search Warrant for Seizing Evidence (figure)
Understanding Corporate Investigations
• Business must continue with minimal interruption from your investigation
• Investigation is secondary to stopping the violation and minimizing the damage or loss to the business
• Can Microsoft shut down their servers for forensic purposes?
Establishing Company Policies
• Company policies are built in order to avoid litigation
• Without defined policies, a business risks exposing itself to litigation by current or former employees
• Policies provide:
  • Rules for using company computers and networks
Displaying Policy Warning Banners
• Avoid litigation by displaying a warning banner on computer screens
• A banner:
  • Informs users that the organization can inspect computer systems and network traffic at will
  • Voids the right of privacy
  • Establishes authority to conduct an investigation
Displaying Warning Banners (continued) (figure)
Displaying Warning Banners (continued)
• Types of warning banners:
  • For internal employee access (intranet Web page access)
  • For external visitor access (Internet Web page access)
Displaying Warning Banners (continued)
• Examples of warning banners:
  • Access to this system and network is restricted
  • Use of this system and network is for official business only
  • Systems and networks are subject to monitoring at any time by the owner
  • Using this system implies consent to monitoring by the owner
  • Unauthorized or illegal users of this system or network will be subject to discipline or prosecution
Banner Example in Reality
• Recall: why do we need policies and warning banners?
• Courts have ruled that company-owned equipment does not contain any "personal information"
• Without them, your authority to inspect might conflict with the user's expectation of privacy, and a court might have to determine the issue of authority to inspect
Mercury.cs.uml.edu Banner (figure)
Texas A&M CS Department Banner (figure)
SSHD Banner
• By default the sshd server has this feature turned off
• Log in as the root user; then create your login banner file
• Edit /etc/ssh/sshd-banner
• Edit /etc/ssh/sshd_config and add: Banner /etc/ssh/sshd-banner
• Save the file and restart the sshd server: /etc/init.d/sshd restart
http://www.cyberciti.biz/tips/how-to-force-sshd-server-to-display-login-banner-before-login-change-the-ssh-server-sshd-login-banner.html
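The steps above, carried out as a script (an added example, not from the slides or the linked page). It writes the banner file using the example banner wording from the earlier slide, puts exactly one active Banner directive into sshd_config, and checks the result. The file paths are parameters so it can be exercised against a scratch directory; the default locations from the slide (/etc/ssh/sshd-banner, /etc/ssh/sshd_config) are only an assumption about the host. Removing any pre-existing Banner line, including the commented "#Banner none" shipped in default configs, is what makes re-running it safe.

```shell
#!/bin/sh
# Added example: configure an sshd pre-login banner idempotently.
# Usage: set_ssh_banner <banner_file> <sshd_config>
# Typical call on a host (assumed paths from the slide):
#   set_ssh_banner /etc/ssh/sshd-banner /etc/ssh/sshd_config
set -u

# Write the banner text; wording taken from the slide's example banners.
write_banner_file() {
    banner_file=$1
    cat > "$banner_file" <<'EOF'
Access to this system and network is restricted.
Use of this system and network is for official business only.
Systems and networks are subject to monitoring at any time by the owner.
Using this system implies consent to monitoring by the owner.
Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.
EOF
}

# Ensure exactly one active "Banner <path>" line in the config.
# Any existing Banner line, active or commented out ("#Banner none"),
# is dropped first so repeated runs do not accumulate duplicates.
set_banner_directive() {
    config=$1
    banner_file=$2
    tmp="$config.tmp.$$"
    # grep -v exits 1 when every line was removed; that is not an error here.
    grep -v -E '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$config" > "$tmp" || true
    printf 'Banner %s\n' "$banner_file" >> "$tmp"
    mv "$tmp" "$config"
}

# Post-change check: return 0 only if exactly one active Banner line
# points at the expected file, 1 otherwise.
check_banner_directive() {
    config=$1
    banner_file=$2
    # grep -c prints 0 (and exits 1) when nothing matches; keep the 0.
    count=$(grep -c -E "^[[:space:]]*Banner[[:space:]]+$banner_file[[:space:]]*$" "$config" || true)
    [ "$count" -eq 1 ]
}

set_ssh_banner() {
    banner_file=$1
    config=$2
    write_banner_file "$banner_file"
    set_banner_directive "$config" "$banner_file"
    check_banner_directive "$config" "$banner_file"
}
```

On a real host, run `sshd -t` after the change to validate the configuration before restarting the service, so a typo in the directive cannot lock out new sessions.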
Linux Console Login Banner
• File /etc/issue, default information:
  • Fedora Core release 3 (Heidelberg)
  • Kernel \r on an \m
• \r – OS release such as "Kernel 2.6.17"
• \m – Machine such as "i686"
Windows XP Logon Warning Message
• Click Start / Control Panel
• Double-click Administrative Tools / Local Security Policies / Security Options
• Set Interactive Logon: Message text for users attempting to log on
• Set Interactive Logon: Message title for users attempting to log on
• Log off and log on to test
http://www.ciac.org/ciac/bulletins/j-043.shtml
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Miscellaneous/LogonBanner-DisplayingWarningMessage.html
Designating an Authorized Requester
• Not everyone should be an investigator
• Establish a line of authority
• Specify an authorized requester who has the power to conduct investigations
• Groups who can request investigations:
  • Corporate Security Investigations
  • Corporate Ethics Office
  • Corporate Equal Employment Opportunity Office
  • Internal Auditing
  • The general counsel or legal department
Conducting Security Investigations
• Public investigations search for evidence to support criminal allegations
• Private investigations search for evidence to support allegations of abuse of a company's assets and criminal complaints
• Abuse or misuse of corporate assets:
  • E-mail abuse / malicious e-mail
  • Excessive private Internet abuse
  • Employee company startup
  • Porn site
Employee Abuse of Computer Privilege (figure)
Distinguishing Personal and Company Property
• PDAs and personal notebook computers
  • Employee hooks up his PDA device to his company computer
  • Company gives PDA to employee as bonus
• What is your opinion of company policies on those items?
Maintaining Professional Conduct
• Professional conduct determines credibility
  • Ethics
  • Morals
  • Standards of behavior
• Conduct with integrity
• Maintain objectivity and confidentiality
• Enrich technical knowledge
Maintaining Objectivity
• Sustain unbiased opinions of your cases
• Avoid making conclusions about the findings until:
  • all reasonable leads have been exhausted
  • you have considered all the available facts
• Ignore external biases to maintain the integrity of the fact-finding in all investigations
Keep the Case Confidential
• Until you are designated as a witness or required to release a report at the direction of the attorney or court
Enrich Technical Knowledge
• Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
• Learn about the latest investigation techniques that can be applied to the case
• Record fact-finding methods in a journal
  • Include dates and important details that serve as memory triggers
  • Develop a routine of regularly reviewing the journal to keep past achievements fresh
Enrich Technical Knowledge (continued)
• Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
• Monitor the latest book releases and read as much as possible about computer investigations and forensics
• Computer Technology Investigators Northwest (CTIN)
• High Technology Crime Investigation Association (HTCIA)
• LISTSERV or Majordomo: mailing lists
• Certificate: EC-Council CHFI (Computer Hacking Forensic Investigator)