Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005


Page 1

Computer Forensics in Practice

Armed Forces of the Slovak Republic

mjr. Ing. Albert VAJÁNYI

1Lt. Ing. Boris ZEMEK

(c) May 2005

Page 2

Communication and Information System Control and Operation Centre

Information Security Centre

InfoSec Centre Chief: mjr. Ing. Albert VAJÁNYI

Division Chief: 1Lt. Ing. Boris ZEMEK

(c) May 2005

Page 3

What is computer forensics anyway?

The application of computer investigations and analysis techniques in the interests of determining potential legal evidence.

Computer specialists can draw on an array of methods for discovering deleted, encrypted or damaged file information.

(Robbins, 1997)

Page 4

You don’t know what happened on your network.

A network forensic analysis tool can effectively answer the difficult question “What happened?” in the aftermath of a security incident. That tool provides a passive network monitoring solution that visualizes the network activity.

A network forensics analysis tool can visualize and analyze data from firewalls, IDS, IPS, syslogs, audit systems and more.

Page 5

Key Features of Forensic Tools

• Data collection and visualization

– Monitor and analyze data from all seven layers of the Open Systems Interconnection (OSI) stack

– Relational, Tree ontology for knowledge base

– TCP dump recording: records traffic being monitored in an unprocessed, binary state

• Pattern and content analysis

– Powerful visualizations expose anomalous activities, providing visibility into network communications before, during and after a suspicious event

– Functions irrespective of language using n-gram analysis

Page 6

Key Features of Forensic Tools

• Forensic analysis and investigation

- Graphical arrangements include source, destination, time, type and duration of communication and content

- Rebuild crime pattern

- Playback events

- Generate reports and visual representations of the suspicious activity

- Report on key security and network parameters

Page 7

Forensics Technology Services – FTS

• Digital Evidence Recovery

It is a technique of finding and extracting evidence. Often the legislation prescribes how digital evidence is to be validated.

• Cyber Forensics

Some specialists investigate incidents on the network. Cyber forensics shows who carried out an attack.

Page 8

Forensics Technology Services – FTS

• Forensic Data Analysis

It is the interpretation of large and varied data sets using visualization techniques.

• Document Management Services

Making documents accessible helps in sharing essential knowledge. In your investigations you can draw upon modern document management tools that allow you to archive, search, find, organise and reproduce documents.

Page 9

Requirements for Forensics Tools

[Diagram: three stages, COLLECTING -> ANALYZING -> 2D or 3D VISUALIZATION, with the components Traffic Analysis, KnowledgeBase, Data Visualization, Database, Meta Data and Content Analysis, Real-Time, Post Event and Context Analyzer]

Page 10

Types of Collecting Data

Types:

- IDS/IPS logs

- Firewall logs

- Syslogs

- SQUID logs

- Audit system logs

- and more

All logs are collected into the Central logs base!

Page 11

Network monitoring

[Diagram with the labels: Network operation centre, Security operation centre, Intranet, Any Public Network, Central logs base, Server Farm (four instances), Service Alarms, Security Alarms, Security Information Management System]

Page 12

What is Security Information Management (SIM)?

SIM provides a simple mechanism that allows security teams to collect and analyze vast amounts of security alert data.

More specifically, SIM solutions collect, analyze and correlate – in real-time – all security device information across an entire enterprise.

Correlated results are then displayed on a centralized real-time console that is part of an intuitive graphical user interface.

Security Information Management

Page 13

Security Information Management

SIM can be divided into four different phases:

1) Normalization

2) Aggregation

3) Correlation

4) Visualization

SIM utilizes normalization, aggregation, and correlation to sift through mountains of security activity data on a real-time basis – correlating events, flagging and rating the potential seriousness of all attacks, compromises, and vulnerabilities. The power of SIM technology allows a relatively small security staff to dramatically reduce the time between attack and response.

Page 14

Security Information Management

Normalization is the process of gathering individual security device data and putting it into a context that is easier to understand, mapping different messages about the same security events to a common alarm ID. Keeping in mind that there are no standards in the security device industry, normalization alone is a tremendous asset to security teams.

Aggregation eliminates redundant or duplicate event data from the security event data stream, refining and optimizing the amount of information that is presented to security analysts.

Page 15

Security Information Management

Correlation uses software technology to analyze aggregated data, in real-time, to determine if specific patterns exist. These patterns of similar security events often correspond to specific security attacks – whether denial of service, anti-virus, or some other form of attack.

Visualization, the final step in SIM, is the graphical representation of correlated information in a single, real-time console.

Effective visualization lets security operators quickly identify and respond to security threats as they occur, before they create problems within the enterprise.

Page 16

Systems alarms remapping

Original logs from systems - around 20 000 types:

Sep 27 16:22:43 dmzserver su(pam_unix)[10983]: session opened for user nf by root(uid=0)

Sep 27 16:36:12 [192.168.177.1] Sep 27 2004 16:36:12: %PIX-6-605005: Login permitted from 192.168.177.2/44743 to inside:192.168.177.1/ssh for user "pix_ADMIN"

Changed to 100 NF types, for example:

- Forbidden Database Access

- Privilege Escalation

- Security Policy Change

- Authentication succeed

9 categories of NF alarms:

- Access / Authentication / Authorization

- Application Exploit

- Configuration / System Status

- Evasion

- Policy Violations

- Reconnaissance Attempts

- Unknown / Suspicious

- Virus / Trojan
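As an added example, not code from the slides or from the product they describe, the following Python runs the two raw log lines shown on this slide through the normalization, aggregation and correlation phases described on Pages 13 to 15. The alarm type and category names are taken from the slide; the regexes, the record field names and the 900-second correlation window are my own assumptions.

```python
import re
from collections import Counter

# Constructed input modelled on the slide's two raw formats (syslog su/pam_unix, Cisco PIX).
SU = "Sep 27 16:22:43 dmzserver su(pam_unix)[10983]: session opened for user nf by root(uid=0)"
PIX = ('Sep 27 16:36:12 [192.168.177.1] Sep 27 2004 16:36:12: %PIX-6-605005: Login permitted '
       'from 192.168.177.2/44743 to inside:192.168.177.1/ssh for user "pix_ADMIN"')
RAW_LOGS = [SU, SU, PIX, PIX]  # repeats are deliberate, to exercise aggregation

# Normalization rules (alarm type, category, pattern): names are from the slide, regexes are mine.
RULES = [
    ("Privilege Escalation", "Access / Authentication / Authorization",
     re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) su\(pam_unix\)\[\d+\]: "
                r"session opened for user (?P<target>\S+) by (?P<actor>\w+)\(uid=\d+\)$")),
    ("Authentication succeed", "Access / Authentication / Authorization",
     re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \[(?P<host>[\d.]+)\] .*%PIX-6-605005: Login "
                r'permitted from (?P<actor>[\d.]+)/\d+ to \S+ for user "(?P<target>[^"]+)"$')),
]

def normalize(line):
    """Map one raw line to a common event record, or None when no rule matches."""
    for alarm, category, pat in RULES:
        m = pat.match(line)
        if m:
            return {"ts": m["ts"], "host": m["host"], "actor": m["actor"],
                    "target": m["target"], "alarm": alarm, "category": category}
    return None

def aggregate(events):
    """Collapse identical events into one record carrying a count."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [dict(key, count=n) for key, n in counts.items()]

def _secs(ts):
    h, m, s = ts.split()[-1].split(":")  # seconds since midnight; same-day timestamps assumed
    return int(h) * 3600 + int(m) * 60 + int(s)

def correlate(records, window=900):
    """Flag two different alarm types of one category seen within `window` seconds."""
    patterns = []
    recs = sorted(records, key=lambda r: _secs(r["ts"]))
    for i, a in enumerate(recs):
        for b in recs[i + 1:]:
            if _secs(b["ts"]) - _secs(a["ts"]) > window:
                break
            if a["category"] == b["category"] and a["alarm"] != b["alarm"]:
                sev = "high" if "Privilege Escalation" in (a["alarm"], b["alarm"]) else "medium"
                patterns.append({"category": a["category"], "severity": sev,
                                 "alarms": [a["alarm"], b["alarm"]]})
    return patterns
```

Running `correlate(aggregate([normalize(l) for l in RAW_LOGS]))` collapses the four raw lines to two records and flags one high-severity pattern, since the su session and the PIX admin login fall 809 seconds apart in the same category.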

Page 17

Place Forensics Tool in Network

[Diagram with the labels: Network operation centre, Security operation centre, Intranet, Any Public Network, Central logs base, Server Farm (four instances), Service Alarms, Security Alarms, Security Information Management System, Forensics Tool]

Page 18

Network Forensics Analyzer

Examples of Visualization

Page 19

Visualization of Firewall Data

• Quickly visualize and understand relationships in firewall data across time

• Source_IP ——— # of occurrences ——— Dest_IP

Page 20

Source_IP versus Firewall Action

• Source_IP ——— # of occurrences ——— Firewall Action

• Green = Accept, Red = Reject, Blue = Drop

Page 21

Event Correlation

[Diagram with the labels: VPN Traffic Events, Overlay Intrusion Detection System Alerts, Blocked Firewall Traffic]

Page 22

Exercises of anomaly

Page 23

Exercises of anomaly

Page 24

E – mail: [email protected]