Post on 19-Dec-2015
91.580.203 Computer & Network Forensics
Chapter 1: Computer Forensics and Investigations as a Profession
Xinwen Fu
INFA721/CIS418-BIS@DSUDr. Xinwen Fu 2
Outline
  Understand computer forensics
  Prepare for computer investigations
  Understand enforcement agency investigations
  Understand corporate investigations
  Maintain professional conduct
91.580.203
Understanding Computer Forensics
  Computer forensics involves obtaining and analyzing digital information from individual computers for use as evidence in civil, criminal, or administrative cases
  Network forensics yields information about how a perpetrator or hacker gained access to a network
  The Fourth Amendment to the U.S. Constitution protects everyone's right to be secure in their person, residence, and property from search and seizure
    What happened in O.J. Simpson's case?
Understanding Computer Forensics (continued)
  When preparing to search for evidence in a criminal case, include the suspect's computers and their components in the search warrant
  Computer forensics is a very complicated process; legal, political, business, and technical factors will shape every investigation
    Prison Break - politics
CSIRT: Computer Security Incident Response Team
  Manage investigations and conduct forensic analysis of systems
  Draw on resources from those involved in vulnerability assessment, risk management, network intrusion detection, and incident response
  Resolve or terminate all case investigations
Components of CSIRT
  Vulnerability assessment and risk management
  Computer investigations & network intrusion detection
  Incident response
Vulnerability Assessment and Risk Management
  Test and verify the integrity of standalone workstations and network servers
  Examine physical security of systems and the security of operating systems (OSs) and applications
  Test for known vulnerabilities of OSs
  Launch attacks on the network, workstations, and servers to assess vulnerabilities
Computer Investigations
  Involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court
  The evidence can be inculpatory or exculpatory
    Duke lacrosse team rape charge
  Objective is different from that of data recovery or disaster recovery
  Investigating computers includes:
    Securely collecting/searching computer data
    Examining suspect data to determine details such as origin and content
    Presenting computer-based information to courts
    Applying laws to computer practice
Network Intrusion Detection and Incident Response Functions
  Detect intruder attacks using automated tools and by manually monitoring network firewall logs
  Track, locate, and identify the intruder
  Deny further access to the network
  Collect evidence for civil or criminal litigation against the intruders
Course Outline
  Pre-incident preparation
  Incident occurs: point-in-time or ongoing
  Detection of incidents
  Initial response
  Formulate response strategy
  Investigate the incident:
    Data collection
    Data analysis
    Reporting
  Resolution / recovery: implement security measures
  CSIRT: Computer Security Incident Response Team
A Brief History of Computer Forensics
  Mainframe era
    Well-known crimes: one-half cent, $12.234
  PC era
    By the early 1990s, specialized tools for computer forensics were available
    ASR Data created the tool Expert Witness for the Macintosh
      Recover deleted files and file fragments
    EnCase by one member of ASR Data
    FTK (AccessData's Forensic Toolkit)
    iLook (reading disk images)
Computer Investigations and Forensics
  Public investigations
    Target criminal cases
    Conducted by government agencies
    Follow the law of search and seizure/enforcement
    www.usdoj.gov/criminal/cybercrime
  Private or corporate investigations
    Target civil cases
    Conducted by private companies/lawyers
    Follow private or corporate policies
Understanding Enforcement Agency Investigations
  Understand local city, county, state, and federal laws on computer-related crimes
  Until 1993, laws defining computer crimes did not exist
  States have added specific language to their criminal codes to define crimes that involve computers
  "Computers and networks are only tools that can be used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house"
  Possible computer crimes: data theft, child molestation images, drug transaction information on a hard disk
Legal Process for Computer Crimes
  A criminal case follows three stages:
    Complaint: someone files a complaint
    Investigation: a specialist investigates the complaint
    Prosecution: the prosecutor collects evidence and builds a case
  (Figure: Complaint -> Investigation -> Prosecution)
Levels of Law Enforcement Expertise for Police (CTIN)
  Level 1 (street police officer)
    Acquiring and seizing digital evidence
  Level 2 (detective)
    Managing high-tech investigations
    Teaching the investigator what to ask for
    Understanding computer terminology
    What can and cannot be retrieved from digital evidence
  Level 3 (computer forensics expert)
    Specialist training in retrieving digital evidence
Typical Affidavit of Search Warrant for Seizing Evidence
Understanding Corporate Investigations
  Business must continue with minimal interruption from your investigation
  Investigation is secondary to stopping the violation and minimizing the damage or loss to the business
  Can Microsoft shut down their servers for forensics purposes?
Establishing Company Policies
  Company policies are built in order to avoid litigation
  Without defined policies, a business risks exposing itself to litigation by current or former employees
  Policies provide:
    Rules for using company computers and networks
Displaying Policy Warning Banners
  Avoid litigation by displaying a warning banner on computer screens
  A banner:
    Informs users that the organization can inspect computer systems and network traffic at will
    Voids the right of privacy
    Establishes authority to conduct an investigation
Displaying Warning Banners (continued)
Displaying Warning Banners (continued)
  Types of warning banners:
    For internal employee access (intranet Web page access)
    For external visitor access (Internet Web page access)
Displaying Warning Banners (continued)
  Examples of warning banners:
    Access to this system and network is restricted
    Use of this system and network is for official business only
    Systems and networks are subject to monitoring at any time by the owner
    Using this system implies consent to monitoring by the owner
    Unauthorized or illegal users of this system or network will be subject to discipline or prosecution
Banner Example in Reality
  Recall: why do we need policies and warning banners?
    Courts have ruled that company-owned equipment does not contain any "personal information"
    Without them, your authority to inspect might conflict with the user's expectation of privacy, and a court might have to determine the issue of authority to inspect
Mercury.cs.uml.edu Banner
Texas A&M CS Department Banner
SSHD Banner
  By default the sshd server turns this feature off
  Log in as the root user, then create your login banner file
    Edit /etc/ssh/sshd-banner
  Edit /etc/ssh/sshd_config and add
    Banner /etc/ssh/sshd-banner
  Save the file and restart the sshd server
    /etc/init.d/sshd restart
  http://www.cyberciti.biz/tips/how-to-force-sshd-server-to-display-login-banner-before-login-change-the-ssh-server-sshd-login-banner.html
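Added example (not from the slides or the linked tutorial): a POSIX shell script that performs the sshd banner setup described above, but idempotently (repeated runs leave exactly one Banner directive and also replace the commented "#Banner none" default) and with a syntax check of sshd_config before the restart. It assumes the standard OpenSSH paths /etc/ssh/sshd_config and /etc/ssh/sshd-banner, and that the installed sshd supports the -t test flag.

```shell
#!/bin/sh
# Added example, not course material: install an SSH pre-login warning
# banner idempotently and validate the config before restarting sshd.
set -eu

# Banner text assembled from the slide's example warning-banner bullets.
BANNER_TEXT='WARNING: Access to this system and network is restricted.
Use of this system and network is for official business only.
Systems and networks are subject to monitoring at any time by the owner.
Using this system implies consent to monitoring by the owner.
Unauthorized or illegal users will be subject to discipline or prosecution.'

# write_banner FILE: write the banner text to FILE.
write_banner() {
    printf '%s\n' "$BANNER_TEXT" > "$1"
}

# set_banner_directive CONFIG BANNER_PATH: point sshd_config at the banner.
# Every existing Banner line, commented or not, is dropped first so that
# running the script twice does not leave duplicate directives.
set_banner_directive() {
    config="$1"; banner="$2"
    grep -v -i '^[[:space:]]*#\{0,1\}[[:space:]]*Banner[[:space:]]' "$config" \
        > "$config.tmp" || true
    printf 'Banner %s\n' "$banner" >> "$config.tmp"
    mv "$config.tmp" "$config"
}

# banner_directive CONFIG: print the effective Banner path, or "none"
# when no uncommented Banner line exists (the OpenSSH default).
banner_directive() {
    awk 'tolower($1)=="banner" {v=$2} END {print (v=="" ? "none" : v)}' "$1"
}

# install_ssh_banner [CONFIG] [BANNER_PATH]: the real install. Paths
# default to the standard OpenSSH locations (assumed).
install_ssh_banner() {
    config="${1:-/etc/ssh/sshd_config}"; banner="${2:-/etc/ssh/sshd-banner}"
    write_banner "$banner"
    set_banner_directive "$config" "$banner"
    # sshd -t parses the config; abort before the restart if it is broken
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$config"; fi
    # restart through whichever service manager exists (the slide uses
    # the SysV init script)
    if command -v systemctl >/dev/null 2>&1; then systemctl restart sshd
    elif [ -x /etc/init.d/sshd ]; then /etc/init.d/sshd restart; fi
}
```

Run install_ssh_banner as root with no arguments for a live install, or pass copies of the two files to rehearse the change without touching the real sshd.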
Linux Console Login Banner
  File /etc/issue, default information:
    Fedora Core release 3 (Heidelberg)
    Kernel \r on an \m
  \r – OS release such as "Kernel 2.6.17"
  \m – Machine such as "i686"
Windows XP Logon Warning Message
  1. Click Start / Control Panel
  2. Double-click Administrative Tools / Local Security Policy / Security Options
  3. Set "Interactive logon: Message text for users attempting to log on"
  4. Set "Interactive logon: Message title for users attempting to log on"
  5. Log off and log on to test
  http://www.ciac.org/ciac/bulletins/j-043.shtml
  http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Miscellaneous/LogonBanner-DisplayingWarningMessage.html
Designating an Authorized Requester
  Not everyone should be an investigator
  Establish a line of authority
  Specify an authorized requester who has the power to conduct investigations
  Groups who can request investigations:
    Corporate Security Investigations
    Corporate Ethics Office
    Corporate Equal Employment Opportunity Office
    Internal Auditing
    The general counsel or legal department
Conducting Security Investigations
  Public investigations search for evidence to support criminal allegations
  Private investigations search for evidence to support allegations of abuse of a company's assets and criminal complaints
    Abuse or misuse of corporate assets
    E-mail abuse / malicious e-mail
    Excessive private Internet abuse
    Employee company startup
    Porn site
Employee Abuse of Computer Privilege
Distinguishing Personal and Company Property
  PDAs and personal notebook computers
    Employee hooks up his PDA device to his company computer
    Company gives PDA to employee as a bonus
  What is your opinion of company policies on those items?
Maintaining Professional Conduct
  Professional conduct determines credibility
    Ethics
    Morals
    Standards of behavior
  Conduct with integrity
  Maintain objectivity and confidentiality
  Enrich technical knowledge
Maintaining Objectivity
  Sustain unbiased opinions of your cases
  Avoid making conclusions about the findings until all reasonable leads have been exhausted and you have considered all the available facts
  Ignore external biases to maintain the integrity of the fact-finding in all investigations
Keep the Case Confidential
  Until you are designated as a witness or required to release a report at the direction of the attorney or court
Enrich Technical Knowledge
  Stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
  Learn about the latest investigation techniques that can be applied to the case
  Record fact-finding methods in a journal
    Include dates and important details that serve as memory triggers
    Develop a routine of regularly reviewing the journal to keep past achievements fresh
Enrich Technical Knowledge (continued)
  Attend workshops, conferences, and vendor-specific courses conducted by software manufacturers
  Monitor the latest book releases and read as much as possible about computer investigations and forensics
  Computer Technology Investigators Northwest (CTIN)
  High Technology Crime Investigation Association (HTCIA)
  LISTSERV or Majordomo: mailing lists
  Certificate: EC-Council CHFI (Computer Hacking Forensic Investigator)