Lesson 9
Initial Response
Initial Assessment
Computer Forensics
Roesch on the Threat
• “The propagation of automated tools for auto-hacking with the fact that less and less sophisticated attackers getting their hands on these tools is really going to cause big problems.”
• Martin Roesch, CEO, Sourcefire; SNORT Lead Developer
Off-scene Response
• Freeze the Incident Scene
• Verbally contain the scene with instructions such as:
  • “Take your hands off the keyboard and step away from the computer.”
  • “Physically disconnect the computer from the network.”
  • “What is your name, office and telephone number?”
  • “What is the hardware and operating system?”
  • “I’m going to fax you a set of instructions. What is your fax number?”
Incident Response Checklist (Version 1.0)
• Date:
• Time:
• Name:
• Telephone Number:
• Nature of Incident:
• Time of Incident:
• How was the incident detected:
• Current Impact of Incident:
• Future Impact of Incident:
• Description of the Incident:
• Hardware/OS/Software involved:
• IP and network addresses of compromised systems:
• Network Type:
• Modem:
• Criticality of Information:
• Physical Location:
• System Administrator Name and Number:
• Current status of machine:
• Description of Hacker Actions
  • Ongoing activity:
  • Source Address:
  • Malicious program involved:
  • Denial of Service:
  • Vandalism:
  • Indication of insider or outsider:
Incident Response Checklist Continued (Version 1.0)
• Client Actions
  • Network disconnected:
  • Remote access available:
  • Local access available:
  • Audit logs available and examined:
  • Any changes to firewall:
  • Any changes to ACL:
  • Who has been notified:
  • Other actions taken:
• Available Tools
  • Third party host auditing:
  • Network monitoring:
  • Network auditing:
• Additional Contacts
  • Users:
  • System Administrators:
  • Network Administrators:
• Special Information
  • Who should not know about this incident:
• Response Team Member Signature/Date: __________________________________
Incident Response Team Fax (Version 1.0)
• Date: _____________   Time: ____________   Name: _______________________
• Thank you for notifying the incident response team and agreeing to help. Please do not touch the affected computer(s) unless told to do so by a member of the Incident Response Team. Please remain within sight of the computer until a member of the Incident Response Team arrives and ensure that no one touches the computer.
• Please help us by detailing as much information about the incident as possible. Please complete the following items. If additional space is required, use a separate sheet of paper.
• Witnesses:
  1.
  2.
  3.
• What indicators led you to notice and/or report the incident? Be as specific as possible.
• Incident Indicators:
• The next section is important, so be as accurate as possible. From the time you noticed the incident to the time you took your hands from the computer, list every command you typed and any file you accessed.
• Commands typed and Files accessed:
• Response Team Member Signature: ______________________________________
On-scene Response
• Physically contain the scene
• Two personnel, if possible, should immediately respond to the scene
• Incident Scene Survey (1st Member)
  • Use a portable tape recorder to:
    1. Record the scene
    2. Record everyone present; order everyone to leave the scene who is not directly involved in the incident
    3. Interview the individual who reported the incident
    4. Record, intermittently, the actions of the 2nd Member
    5. Assist the 2nd Member
On-Scene Response Continued
• Contain the System (2nd Member)
  • Ask the System Administrator to assist.
  • Back up the system.
    • Do this with a forensic-type tool that does a bit-by-bit backup, such as SafeBack at http://www.forensics-intl.com
    • Alternatively, remove the drive and seal it in a plastic bag with your notes and the notes of the individual who reported the incident
  • Attempt to identify the changed files through:
    • Tripwire http://www.tripwire.org/ or, alternatively,
    • Expert Witness at http://www.asrdata.com
Incident Investigation & Assessment
Knowing Architecture and Policies
• Review Network Topology
  • External connectivity
    • Internet
    • Extranet
    • Dial-up
    • Remote Sites
  • Network Devices: Routers, Firewall, IDS
  • Broadcast domains
• Review the Corporate Policies with regard to
  • Acceptable use policies
  • Network Monitoring
  • Computer Forensics
Conducting Personnel Interviews
• System administrator selected questions include:
  • Unusual Activity?
  • Administrative Access to Systems?
  • Remote Access to Systems?
  • Logging Capabilities?
  • Current Security Precautions?
• Managers selected questions include:
  • On-going Security tests?
  • Disgruntled employees?
  • Recently fired employees?
  • History of current employees?
  • Sensitive data or applications on the systems?
• End users selected questions include:
  • Anomalous Behavior or Suspicious activity?
Initial Assessment
• Assess the potential security incident
  • What are the incident symptoms?
  • Is it a security incident?
  • A system problem?
    • Power outage
    • Faulty software
    • Communication problems
  • Procedural problem
  • Training problem
Initial Evaluation
• Evaluate the severity & scope of the incident
  • What specifically happened?
  • What was the entry point?
  • What local computers/networks were affected?
  • What remote computers/networks were affected?
  • What information was affected?
  • What was its value to the organization?
  • What further can possibly occur?
  • Who else knows about the incident?
  • What are the estimated time/resources required to handle the incident?
Incident Indications
• A new account
• Passwords were changed on existing accounts
• The protection changed on selected files/devices
• New SUID and SGID programs have been found
• System programs have been added/modified
• An alias has been installed in the E-Mail system to run a program
• New features have been added to your news or UUCP system
• Password sniffer was found (steals passwords for use with Crack)
• File dates have been modified
• Login files have been modified
• The system has an unexplained crash
• Accounting discrepancies
• Denial of Service
• Unexplained poor system performance
• Suspicious probes/browsing
Incident Indications continued
• Undocumented changes or upgrades to programs
• Unexplained user account charges or changes
• Security access compromise (passwords, etc.)
• Unauthorized use of computer facilities
• Unexplained network/computer crashes
• Unexplained corrupted files or services
• Theft/missing computer/storage equipment
• Unexplained performance/response problems
• Unexplained high utilization of equipment, storage or network resources
• Unexplained loss of critical/sensitive data
• Unexplained user account lockouts
• Unexplained network traps/alarms
• Unexplained firewall/IDS alerts/alarms
Initial Steps
• All systems/networks are suspect until the actual extent of the incident is known
• Verify integrity of all site computers
• Verify integrity of all site networks
• Verify integrity of all files/directories (checksums)
• Compare system files with backups or initial distributions
• Compare software applications with the baseline
• Analyze the documentation, files and security logs
Be careful not to contaminate the crime scene
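The file-integrity comparison behind "verify integrity of all files/directories (checksums)" above, and behind the Tripwire step in the On-Scene Response slide, is what a Tripwire-style tool does: record a baseline of permission bits, owner, size and content hash for every file, then compare the live tree against it. The example below is added here and is not code from the slides or from Tripwire; the directory layout and file contents in `demo()` are constructed, and flagging new setuid/setgid bits separately is a design choice of this example (it directly matches the "New SUID and SGID programs have been found" indicator listed later in the lesson).

```python
"""Tripwire-style integrity baseline: record, store, compare (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes worth comparing: permission bits, owner, size, content hash."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root) -> dict:
    """Walk a tree and record every file, keyed by path relative to root."""
    root = Path(root)
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def save_baseline(baseline: dict, path) -> str:
    """Write the baseline as JSON and return its SHA-256, so the baseline itself
    can be noted in the case file (keep the copy on read-only media)."""
    blob = json.dumps(baseline, sort_keys=True, indent=1).encode()
    Path(path).write_bytes(blob)
    return hashlib.sha256(blob).hexdigest()


def compare_records(baseline: dict, current: dict) -> dict:
    """Pure comparison of two baselines; new setuid/setgid bits are flagged separately."""
    out = {"added": [], "removed": [], "changed": [], "new_setuid": []}
    suid = stat.S_ISUID | stat.S_ISGID
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            out["added"].append(rel)
            if new["mode"] & suid:
                out["new_setuid"].append(rel)
        elif new is None:
            out["removed"].append(rel)
        else:
            diffs = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if diffs:
                out["changed"].append((rel, diffs))
            if (new["mode"] & suid) and not (old["mode"] & suid):
                out["new_setuid"].append(rel)
    return out


def compare_to_baseline(root, baseline: dict) -> dict:
    """Compare the live tree under root with a previously saved baseline."""
    return compare_records(baseline, build_baseline(root))


def demo() -> dict:
    """Constructed tree: baseline it, then simulate the kinds of changes the
    Incident Indications slides list (modified system program, new UID-0
    account, deleted file, unexpected new file)."""
    root = Path(tempfile.mkdtemp(prefix="baseline_demo_"))
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "motd").write_bytes(b"welcome\n")
    baseline = build_baseline(root)

    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n/tmp/.x\nexec /usr/bin/ls \"$@\"\n")
    (root / "etc" / "passwd").write_bytes(
        b"root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
    (root / "etc" / "motd").unlink()
    (root / "bin" / "sh2").write_bytes(b"unexpected new file")
    return compare_to_baseline(root, baseline)
```

The comparison is a pure function of two dictionaries so that a baseline captured from a backup or an install medium (the "compare system files with backups or initial distributions" step) can be compared against one captured from the forensic image without touching either again.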
Pathways
“All data leaves a trail. The search for data leaves a trail. The erasure of data leaves a trail. The absence of data, under the right circumstances, can leave the clearest trail of all.”
• “This Alien Shore”, C. S. Friedman (C) 1998
Basic Principles: Computer Forensics
Investigate as if LE will be called in and the attackers will be prosecuted.
• Principle 1: Preserve the evidence in an unchanged state
• Principle 2: Document the investigative process… thoroughly and completely
Forensics Terminology
• Evidence Media: Original media that needs to be investigated
• Target Media: The media that the evidence media is duplicated onto
• Restored Image: Copy of the forensic image restored to bootable form
• Native Operating System: OS utilized when the evidence media or forensic duplicate is booted for analysis
• Live Analysis: An analysis conducted on the original evidence media
• Off-line Analysis: Analysis conducted on the forensic image
• Trace Evidence: Fragments of information from the free space, etc.
Best Evidence Rule
• Common mistakes include:
  • Altering time and date stamps
  • Killing rogue processes
  • Patching the system before the investigation
  • Not recording commands executed on the system
  • Using un-trusted commands and binaries
  • Writing over potential evidence:
    • Installing software on the evidence media
    • Running programs that store output on the evidence media
• FRE 1001(3): "...if data are stored on a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'Original.'"
Evidence Chain of Custody
• The prosecution is responsible for proving that what is presented in court is what was originally collected. An Evidence Chain of Custody must be maintained.
• Create an Evidence Tag at the time of collection
• A designated Evidence Custodian with a laptop to generate the Evidence Tags
  • Date and Time
  • Case Number
  • Evidence Tag number
  • Evidence Description
  • Individual receiving the evidence, and Date
• Each time the evidence moves from one person to another, or from one media to another, it must be recorded
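One way to implement the evidence tag and the custody record the slide describes, as an added example that is not part of the slides: each tag carries the fields listed above (date/time, case number, tag number, description, receiver), and every hand-off appends an entry. Chaining each entry to the SHA-256 of the previous one is an assumption of this example, not something the slide requires; it means a later edit or deletion in the log is detectable when the chain is re-verified. The case number and names are constructed.

```python
"""Evidence tags and a hash-chained chain-of-custody log (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyLog:
    """Append-only log. Each entry commits to the previous entry's hash, so an
    edited or removed entry breaks the chain when verify() is run."""

    GENESIS = "0" * 64

    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries = []
        self._next_tag = 1

    @staticmethod
    def _hash(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, record: dict) -> dict:
        record["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        record["entry_hash"] = self._hash(record)
        self.entries.append(record)
        return record

    def collect(self, description, media_sha256, collected_by, when=None) -> str:
        """Create the evidence tag at the moment of collection; returns the tag number."""
        tag = f"{self.case_number}-E{self._next_tag:03d}"
        self._next_tag += 1
        self._append({"event": "collect", "tag": tag, "time": when or _now(),
                      "description": description, "media_sha256": media_sha256,
                      "custodian": collected_by})
        return tag

    def transfer(self, tag, from_person, to_person, reason="", when=None) -> None:
        """Every move, person to person or media to media, gets its own entry."""
        if tag not in {e["tag"] for e in self.entries}:
            raise KeyError(f"unknown evidence tag {tag}")
        self._append({"event": "transfer", "tag": tag, "time": when or _now(),
                      "from": from_person, "to": to_person, "reason": reason})

    def current_custodian(self, tag) -> str:
        last = [e for e in self.entries if e["tag"] == tag][-1]
        return last["to"] if last["event"] == "transfer" else last["custodian"]

    def verify(self) -> bool:
        """Recompute every entry hash and every back-link."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def dump(self) -> str:
        """JSON for the case file; print it and have the custodian sign the printout."""
        return json.dumps(self.entries, indent=2)
```

Recording the hash of the duplicated media in the collect entry ties the custody record to the forensic image, so a later verification of the image can be matched against the tag rather than against a separate note.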
Forensic Image
• Initial Response: power the system down or work it online?
• Volatile Data: if powered down, then volatile data is lost
  • Memory
  • State of network connections
  • State of running processes
• Useful Windows NT/2000 commands/utilities
  • date, time, loggedon, netstat, fport, pslist, nbtstat, and doskey
  • http://www.sysinternals.com
• Useful Unix commands
  • w, netstat -amp, lsof, ps, netstat, script
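When volatile data is collected from a live system, the commands above are run in order (most volatile first) and their output is saved to the responder's own media, together with a record of exactly what was run and when, which also avoids the "not recording commands executed" mistake from the Best Evidence Rule slide. The collector below is an added example, not a script from the lesson; the command list and its flags are an assumption (the slide names the tools, not their arguments), and `demo()` uses a constructed command pair so it runs anywhere. The `trusted_bin` option lets the argv[0] of each command be resolved to a known-good copy rather than the binary on the suspect host.

```python
"""Ordered volatile-data collection that logs every command run (added example)."""
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Unix tools from the slide, most volatile first. The flags are an assumption;
# adjust them to the responder's own toolkit.
UNIX_VOLATILE = [["date"], ["w"], ["netstat", "-an"], ["lsof", "-n"], ["ps", "-ef"]]


def hash_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_and_record(commands, outdir, trusted_bin=None, timeout=60) -> list:
    """Run each command in order; write its stdout to a file under outdir
    (the responder's media, never the evidence disk), hash it, and append
    what was run to command_log.json. A missing or hanging tool is logged
    rather than aborting the collection."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    log = []
    for seq, argv in enumerate(commands, 1):
        argv = list(argv)
        if trusted_bin:  # use known-good binaries, not the host's copies
            argv[0] = str(Path(trusted_bin) / argv[0])
        started = datetime.now(timezone.utc).isoformat(timespec="seconds")
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            stdout, stderr, rc = b"", str(exc).encode(), None
        out_name = f"{seq:02d}_{Path(argv[0]).name}.txt"
        (outdir / out_name).write_bytes(stdout)
        log.append({
            "seq": seq,
            "argv": argv,
            "started_utc": started,
            "returncode": rc,
            "output_file": out_name,
            "output_sha256": hashlib.sha256(stdout).hexdigest(),
            "stderr": stderr.decode(errors="replace")[:200],
        })
    (outdir / "command_log.json").write_text(json.dumps(log, indent=2))
    return log


def demo() -> dict:
    """Constructed run: one command that exists everywhere, one that does not."""
    outdir = tempfile.mkdtemp(prefix="volatile_")
    log = run_and_record([["echo", "constructed output"], ["no_such_tool_xyz"]], outdir)
    return {"outdir": outdir, "log": log}
```

On a real collection the call is `run_and_record(UNIX_VOLATILE, "/mnt/responder/ws-17", trusted_bin="/mnt/responder/bin")`, with the output directory and the trusted-binary directory both on the response team's own media.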
BIOS Review
Throughout the forensics process do not forget the basics… assume nothing.
• Review the Basic Input/Output System (BIOS) before beginning a duplication to determine:
  • Basic geometry of the hard drive on the target system
    • Document the hard drive settings, including maximum capacity, cylinders, heads, and sectors
    • For proper recovery by the original OS, the partitions should be aligned on cylinder boundaries
  • The boot sequence on the target system
    • Floppy drives, CD-ROM, Network, Hard Drive, PCMCIA Card
Forensic Duplication
• Three Forensic Duplication Approaches
• 1. Remove the storage media and connect it to a Forensics Workstation
  • Document the system details, including serial number, jumper settings, visible damage, etc.
  • Remove the media from the target system and connect it to the forensics workstation
  • Image the media using Safeback, the Unix dd utility or EnCase
    • Forensics Workstations http://www.computer-forensics.com
    • Safeback http://www.forensics-intl.com/safeback.html
    • EnCase http://guidancesoftware.com
    • DiskPro http://www.e-mart.com/www/cnr.html
Forensic Duplication Continued
Don’t forget to document the process you used.
• 2. Attach a hard drive to the Target Computer
  • Make sure the target computer works as expected
• 3. Image the storage media by transmitting the disk image over a closed network to the forensics workstation
  • Establish a point-to-point interface from the evidence system to the forensics workstation using an Ethernet switch or an Ethernet cross-connect cable
  • Perform an MD5 computation on both the original and the target system
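The duplication-and-verification step common to all three approaches is: copy the evidence media in fixed-size blocks (what `dd` does), hash the evidence as it is read, then independently re-read the target and compare size and hashes. The example below is added here and is not the lesson's or any tool's code; it works on an image file rather than a raw device, and `demo()` uses a constructed 3 MiB "evidence" file. MD5 is computed as the slide says, and SHA-256 alongside it, because MD5 collisions are practical today and a second hash costs nothing extra.

```python
"""Bit-for-bit duplication with independent hashing of both sides (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha256")  # MD5 as on the slide, plus SHA-256


def hash_file(path, block_size=1 << 20) -> dict:
    """Hash a file with every algorithm in ALGOS in a single pass."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def verify(evidence_hashes: dict, evidence_size: int, target) -> dict:
    """Independent check of the target copy: size and every hash must match."""
    target_hashes = hash_file(target)
    target_size = Path(target).stat().st_size
    return {
        "evidence": evidence_hashes,
        "target": target_hashes,
        "evidence_size": evidence_size,
        "target_size": target_size,
        "match": evidence_size == target_size and evidence_hashes == target_hashes,
    }


def duplicate(evidence, target, block_size=1 << 20) -> dict:
    """Copy evidence to target in fixed blocks, hashing the evidence as it is
    read (so it is read exactly once), then re-read the target and compare.
    On a raw device, open the evidence read-only and never write to it."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    copied = 0
    with open(evidence, "rb") as src, open(target, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # on the target media before it is hashed
    return verify({a: h.hexdigest() for a, h in hashes.items()}, copied, target)


def demo() -> dict:
    """Constructed evidence file (odd size, so the last block is partial);
    one correct copy and one copy that lost its final byte."""
    work = Path(tempfile.mkdtemp(prefix="dup_demo_"))
    evidence = work / "evidence.img"
    evidence.write_bytes(os.urandom(3 * 1024 * 1024 + 17))
    good = duplicate(evidence, work / "good.img", block_size=64 * 1024)
    truncated = work / "truncated.img"
    truncated.write_bytes(evidence.read_bytes()[:-1])
    bad = verify(good["evidence"], good["evidence_size"], truncated)
    return {"good": good, "truncated": bad}
```

The returned record (both hash sets, both sizes, the match flag) is what goes into the duplication notes the slide asks for; the truncated case shows that a size mismatch alone is enough to reject a copy, before any hash is compared.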
The Computer Forensic Process
• Forensic duplication? Yes:
  • Use Safeback: create a DOS-controlled boot floppy; make Safeback image files (.SFB); restore the Safeback image files to a separate hard drive for analysis.
  • Use dd: create a Linux-controlled boot floppy; make a dd duplication file. If the drive is a Windows OS, you will likely have to restore the drive to separate media.
  • Use EnCase: create a DOS-controlled boot floppy; make EnCase evidence files (.E00); use the EnCase operating environment to analyze the drive content.
  • Use other forensic software: ??
Forensic Analysis
• Physical Analysis: performed on the forensic image only!
  • Perform a String Search
    • String Search http://www.maresware.com/maresware/forensic1.htm
  • Perform a Search and Extract
    • Looks for file types
    • File Formats http://www.wotsit.org/
  • Extract File Slack and/or Free Space
    • Free Space: Hard drive space not allocated to a file, and deleted file fragments.
    • Slack Space: Space left when a minimum block size is not filled by a write operation.
    • NTI Tool Suite http://www.forensics-intl.com/
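The three physical-analysis operations above (string search, search-and-extract by file type, and looking into slack and free space) all work on the raw bytes of the image without consulting the file system, which is why they recover deleted material. The example below is added here and is not code from the lesson or from the tools it links; the header/footer signatures are the usual magic bytes for those formats but the footer choices are this example's assumption, and `demo_image()` builds a small constructed "image" with an allocated text block, a deleted PNG stub in free space, and a note left in slack.

```python
"""Physical-layer search over a raw image: printable strings, keyword and
artifact search, and header/footer file carving (added example)."""
import re

# (header, footer) pairs. Footers are this example's assumption about how
# each format ends; real carvers also parse lengths where the format has them.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF8", b"\x00;"),
}
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def find_strings(data: bytes, min_len: int = 6) -> list:
    """Every run of printable ASCII at least min_len long, with its byte offset."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode()) for m in re.finditer(pattern, data)]


def keyword_hits(data: bytes, keywords) -> dict:
    """Case-insensitive offsets of each keyword from the case's keyword list."""
    return {k: [m.start() for m in re.finditer(re.escape(k.encode()), data, re.IGNORECASE)]
            for k in keywords}


def extract_artifacts(data: bytes) -> dict:
    """The 'typical lists' of the logical-analysis slide, pulled from raw bytes."""
    return {"emails": sorted({m.group().decode() for m in EMAIL_RE.finditer(data)}),
            "urls": sorted({m.group().decode() for m in URL_RE.finditer(data)})}


def carve(data: bytes, max_size: int = 64 << 20) -> list:
    """Header-to-footer carving: for each header, take the nearest footer after
    it (within max_size). A header with no footer is skipped as a fragment."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        start = data.find(head)
        while start != -1:
            end = data.find(foot, start + len(head), start + max_size)
            if end == -1:
                start = data.find(head, start + 1)
                continue
            end += len(foot)
            found.append({"type": kind, "start": start, "end": end, "data": data[start:end]})
            start = data.find(head, end)
    return sorted(found, key=lambda f: f["start"])


def demo_image() -> bytes:
    """Constructed raw image, 512-byte sectors: one allocated text sector, two
    sectors of free space holding a deleted PNG stub, one sector of slack."""
    sector = 512
    allocated = b"To: alice@example.com\r\nSubject: Q3 forecast\r\n".ljust(sector, b"\x00")
    # A minimal PNG-shaped stub (signature, IHDR chunk header, dummy body, IEND);
    # it is constructed for the example and is not a valid image.
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x01" * 13
           + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
    free = (b"\xff" * 100 + png).ljust(2 * sector, b"\x00")
    slack = b"old note: see http://intranet.example/plan ".ljust(sector, b"\x00")
    return allocated + free + slack
```

On a real image, read it in windows and overlap the windows by the longest signature length so a header or footer spanning two reads is not missed; `carve()` here assumes the whole image fits in memory.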
Forensic Analysis Continued
• Logical Analysis
  • Partition-by-partition analysis of each file
  • Typical process includes:
    • Mount each partition in read-only mode under Linux
    • Export the partition via SAMBA to the forensics system
    • Examine each file with the appropriate file viewer
  • Typical lists created:
    • Web sites
    • E-mail addresses
    • Specific key words, etc.
  • Quick View Plus http://www.jasc.com/product.asp?pf_id=006
  • HandyVue http://shop.store.yahoo.com/repc/handyvue.html
Common Forensics Mistakes
Plan, control, document, report.
• Failure to maintain thorough, complete documentation
• Failure to control access to digital information
• Underestimating the scope of the incident
• Failure to report the incident in a timely manner
• Failure to provide accurate information
• No incident response plan
Closing Thought
• “If an organization is going to make the effort to secure its systems it must make every effort to respond to security breaches…the only failure to good security planning is to fail to plan a response action for a breach in that security.”
• Rob Kaufman
Summary
• Prepare for incidents
• Perform initial assessment
• Evaluate crime scene
• Conduct forensics--D3