First Responders Course - Session 4 - Forensic Readiness [2004]
DESCRIPTION
The fourth session from a two-day course I ran for potential first responders in a large financial services client.
TRANSCRIPT
First Responders Course: 4 Forensic Readiness
Phil Huggins, February 2004
Forensic Readiness
The goals of Forensic Readiness are to decrease the time and cost of Forensic Analysis (and Scope Assessment) while increasing the effectiveness.
The main idea in Forensic Readiness is to build an infrastructure that supports the needs (data) of an investigation
The main areas include:
Logging and monitoring
Build Management & Inventory
User Policies
Reporting forms
Forensic Readiness Theory
Data is critical to Forensic Analysis
If the needed data is not being recorded, then it cannot be used in the investigation.
Forensic Readiness assesses what network and system information should be recorded every day and what should be recorded during an incident
Forms
Goal: To create data entry forms that will contain the information that needs to be gathered during an incident
Every action performed during an incident should be documented
Forms help to ensure that the proper data is recorded
Examples:
Chain of Custody: Records who has control of the data at a given time
System Acquisition Form: When the response team takes a system from its owner, this records the system description and owner signature
Hard Disk Form: Records the history of each drive used during the incident, including serial numbers and what systems it was installed in
Investigator Log: Allows the responder to document their actions
Form templates are included in your course handbook and will be included on the course CD-ROM.
Chain of Custody Example
System Acquisition Form Example
Hard Disk Form Example
Investigator Log Example
Logging
Log data can be crucial to the investigation
There are two major issues with logging and forensics:
1. Many incidents involve someone having unauthorized privileged user access, and most logs can be modified or deleted by such a user.
2. Not all systems are logging the information that is useful to an investigation.
Centralized Log Servers
All servers send a copy of their log data to a dedicated log server
Server can be on the normal network or a dedicated network
Server is secured to only allow log data (syslog) and SSH access and is considered a critical asset when patching systems
Syslog Example:
UNIX servers are configured to redirect syslog output to the log server
Windows servers use 3rd party tools to send event logs to the server
Centralized Log Server Benefits
All logs can be analyzed on a periodic basis to detect anomalies
Makes it more difficult for an attacker to modify the logs
It is important to correlate events from multiple sources, so we can compare the locally stored logs with the remotely stored logs
This server will be the target of many attacks, which may alert one to other attacks if it is watched closely
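The comparison the slide calls for (local copy against the central server's copy) is easy to automate once both sides are in the same line format. The script below is an added example for this course material, not the author's code: it parses RFC 3164 style syslog lines (the <PRI> field is facility * 8 + severity), then lists every record the central server holds that no longer appears in the host's own log. The two log extracts are constructed sample data, with the local copy missing the two lines that show an administrator becoming root.

```python
"""Compare a host's local syslog with the copy held on a central log server.

Added example for the course notes above (not the author's code). The log
lines are constructed in RFC 3164 style so the script runs offline.
"""
import re
from collections import Counter

# Constructed sample: what the central log server received from host "web01".
REMOTE_LOG = """\
<86>Feb  3 09:14:02 web01 sshd[2211]: Accepted password for admin from 10.1.2.30 port 51022 ssh2
<86>Feb  3 09:14:05 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
<84>Feb  3 09:14:40 web01 sshd[2290]: Failed password for root from 192.0.2.77 port 40211 ssh2
<86>Feb  3 09:15:12 web01 su: (to root) admin on pts/0
<78>Feb  3 09:16:00 web01 cron[2301]: (root) CMD (/usr/local/bin/rotate-logs)
"""

# Constructed sample: the same period from the host's own auth log, after
# someone with root access removed the two lines recording the switch to root.
LOCAL_LOG = """\
<86>Feb  3 09:14:02 web01 sshd[2211]: Accepted password for admin from 10.1.2.30 port 51022 ssh2
<84>Feb  3 09:14:40 web01 sshd[2290]: Failed password for root from 192.0.2.77 port 40211 ssh2
<78>Feb  3 09:16:00 web01 cron[2301]: (root) CMD (/usr/local/bin/rotate-logs)
"""

# RFC 3164 line: <PRI>TIMESTAMP HOSTNAME MSG, where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 9: "cron", 10: "authpriv"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def parse_log(text):
    """Parse every line of a log extract, dropping lines that are not syslog records."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def _key(rec):
    return (rec["timestamp"], rec["host"], rec["msg"])


def missing_locally(remote_text, local_text):
    """Return the remote records that have no matching line in the local copy.

    Matching is on the full (timestamp, host, msg) tuple, so an entry whose text
    was altered on the host also shows up as missing. A Counter rather than a set
    keeps legitimately repeated lines from masking a deleted duplicate.
    """
    local_counts = Counter(_key(r) for r in parse_log(local_text))
    gaps = []
    for rec in parse_log(remote_text):
        k = _key(rec)
        if local_counts[k] > 0:
            local_counts[k] -= 1
        else:
            gaps.append(rec)
    return gaps


if __name__ == "__main__":
    for rec in missing_locally(REMOTE_LOG, LOCAL_LOG):
        print(f"{rec['timestamp']} {rec['host']} [{rec['facility']}.{rec['severity']}] {rec['msg']}")
```

Run against a real case, the two inputs would be the host's log file and the matching file on the log server for the same period; anything the function reports is a line that existed when the host sent it and does not exist now, which is exactly the question an investigator asks of a compromised machine.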
Windows to syslog
Windows stores logs in event files
3rd party programs run on a scheduler and send new event entries to the syslog server:
Event Reporter (www.eventreporter.com)
NT Syslog (www.ntsyslog.sourceforge.net)
evlogsys.pl (perl script)
Back Log (NT-Only)
There is a slight window of opportunity with this model for the attacker to delete the logs before the collection tool runs
Logging Readiness Steps
Goal: To ensure that the proper data is logged and that it is stored in a form that can be used during forensics
Send logs to central server to secure them during an attack
Ensure log files have strict permissions so only a privileged user can write to them.
If possible, only allow the log to be appended to and deny all read access
Identify what OS events should be logged:
User Logins
System Reboots
As much as possible, based on space requirements
Process logging can require large amounts of storage
Logging Readiness Steps
Identify which application events should be logged:
As much as possible, based on space requirements
Log all network devices:
Firewalls
VPNs
Routers
Dialups
Servers
Use Network Time Protocol (NTP) to make log processing across multiple machines easier
Log by IP, do not resolve hostname
Logging Readiness Steps
Log Integrity
Generate MD5 sums of log files when they are saved and rolled over
Use a secure (crypto-based) logging system:
Core SDI
syslog-ng
IETF Secure Syslog
Network Monitoring
Goal: To record needed network traffic to provide new evidence and correlate activity. This is from the investigation perspective, not detection.
An IDS system can be used to record all events, but not generate alerts
A general sniffer can record all raw data:
tcpdump
Ethereal
Protocol analyzers can process the raw output of tcpdump:
NetWitness
Ethereal
Network Monitoring
Available storage will be the only limitation on how much data can be kept
Specialized hardware or a SAN could be worthwhile
If monitoring is not always on, a dedicated system should exist that can start monitoring when an incident occurs
Host Monitoring
Goal: To record host activity, not already being logged, which will assist in a forensic investigation.
This level of recording is needed for only the most sensitive systems
Keystroke recorders can be either:
software: Run as services and can hide data in an encrypted file or will email them to a remote location
hardware: Device that the keyboard plugs into and saves the keystrokes in hardware (does not record the window title)
Change Management
Goal: To document a system's state
A common task in forensics is to identify which binaries were replaced with a trojan version
Change management identifies which patch level the systems should be at
MD5 checksums can be calculated for each machine and stored off-line (similar to Tripwire)
Configurations are recorded to identify which services are supposed to be running and which are backdoors
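Both the Log Integrity step (fingerprint a log when it is rolled over) and this Change Management slide (record checksums of each machine's binaries and keep them off-line) come down to the same routine: build a manifest of MD5 sums, store it somewhere the system cannot touch, and diff it against the live tree later. The script below is an added example written for these notes, not the author's code and not Tripwire; it writes the manifest in the text format that the md5sum utility also reads, and the small directory tree it checks is constructed in a temporary directory so it runs stand-alone.

```python
"""Baseline-and-verify MD5 manifest for a directory tree.

Added example for the course notes (not the author's code or a real product).
The same routine fingerprints rolled-over logs and records the checksums of a
system's binaries; a sample tree is constructed in a temp directory for the demo.
"""
import hashlib
import os
import tempfile


def md5_file(path, chunk=65536):
    """MD5 of a file, read in chunks so large logs or binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its MD5 sum."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = md5_file(full)
    return manifest


def write_manifest(manifest, path):
    """Write in md5sum's text format (hash, two spaces, path) so 'md5sum -c' can read it too."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Read a manifest written by write_manifest (or by md5sum) back into a dict."""
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify(baseline, current):
    """Compare two manifests; return (changed, missing, added) lists of relative paths."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return changed, missing, added


def demo():
    """Constructed scenario: baseline a tree, then alter it the way an intruder might.

    One binary is replaced, one rolled-over log is deleted and one new binary
    appears; the baseline lives in a separate directory, standing in for the
    off-line copy the slide recommends.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        sample = {"bin/ls": b"ELF-ls-v1", "bin/ps": b"ELF-ps-v1",
                  "log/auth.log.1": b"Feb  3 09:14 auth entries"}
        for rel, data in sample.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline_path = os.path.join(store, "baseline.md5")
        write_manifest(build_manifest(root), baseline_path)

        # Changes made after the baseline was taken (all constructed).
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"ELF-ps-replaced")
        os.remove(os.path.join(root, "log/auth.log.1"))
        with open(os.path.join(root, "bin/.sshd2"), "wb") as f:
            f.write(b"ELF-unknown")

        return verify(read_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    changed, missing, added = demo()
    print("changed:", changed)   # bin/ps
    print("missing:", missing)   # log/auth.log.1
    print("added:  ", added)     # bin/.sshd2
```

The point of keeping the manifest off the machine is the same one the logging slides made: a privileged intruder can rewrite anything stored locally, including the checksums, so the comparison is only as trustworthy as the copy you kept elsewhere. MD5 is what the course specifies; the routine works unchanged with any hashlib algorithm if the organisation standardises on a stronger one.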
Inventory
Goal: To document ownership of hardware and addresses
This is most useful with internal investigations
Allows one to identify the system with a given MAC address (from DHCP logs)
Allows one to identify who has a given hostname (which is found in system logs)
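Putting the two lookups together, the investigator's question is usually "which machine, and whose, held this IP address at the time of the log entry?". The script below is an added example for this slide, not the author's code: it rebuilds lease intervals from DHCP server log lines (the format assumed is the one ISC dhcpd writes to syslog), then joins the MAC address to a hardware inventory that records asset tag, hostname and owner. Both the log extract and the inventory are constructed sample data, and because syslog timestamps carry no year, the year is supplied from the case timeline (2004 here).

```python
"""Resolve an IP address at a point in time to a MAC address and its inventory owner.

Added example for the Inventory slide (not the author's code). DHCP lines follow
the ISC dhcpd syslog format; the log and the inventory table are constructed.
"""
import re
from datetime import datetime

# Constructed: syslog lines from a DHCP server on the day of the incident.
DHCP_LOG = """\
Feb  3 08:55:10 dhcp01 dhcpd: DHCPACK on 10.1.2.30 to 00:0d:60:1a:2b:3c (lt-finance-07) via eth0
Feb  3 11:40:02 dhcp01 dhcpd: DHCPRELEASE of 10.1.2.30 from 00:0d:60:1a:2b:3c (lt-finance-07) via eth0
Feb  3 11:41:15 dhcp01 dhcpd: DHCPACK on 10.1.2.30 to 00:11:25:aa:bb:cc (ws-trading-12) via eth0
Feb  3 12:02:44 dhcp01 dhcpd: DHCPACK on 10.1.2.31 to 00:0d:60:1a:2b:3c (lt-finance-07) via eth0
"""

# Constructed: the hardware inventory / ownership register, keyed by MAC address.
INVENTORY = {
    "00:0d:60:1a:2b:3c": {"asset": "LT-00417", "hostname": "lt-finance-07", "owner": "A. Example (Finance)"},
    "00:11:25:aa:bb:cc": {"asset": "WS-01192", "hostname": "ws-trading-12", "owner": "B. Sample (Trading)"},
}

TS = r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)"
ACK_RE = re.compile(TS + r" \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})")
REL_RE = re.compile(TS + r" \S+ dhcpd: DHCPRELEASE of (?P<ip>[\d.]+) from (?P<mac>[0-9a-f:]{17})")


def parse_ts(ts, year):
    """Syslog timestamps have no year; the investigator supplies it from the case timeline."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def build_timeline(log_text, year):
    """Return (start, end_or_None, ip, mac) lease intervals from ACK and RELEASE lines.

    Renewals re-ACK the same (ip, mac) pair, so the first ACK fixes the start.
    Leases never released stay open (end is None); real logs would also need
    expiry handling, which this sample leaves out.
    """
    open_leases = {}   # (ip, mac) -> start
    intervals = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            open_leases.setdefault((m["ip"], m["mac"]), parse_ts(m["ts"], year))
            continue
        m = REL_RE.match(line)
        if m:
            start = open_leases.pop((m["ip"], m["mac"]), None)
            if start is not None:
                intervals.append((start, parse_ts(m["ts"], year), m["ip"], m["mac"]))
    for (ip, mac), start in open_leases.items():
        intervals.append((start, None, ip, mac))
    return intervals


def who_had(ip, when, log_text, inventory, year=2004):
    """Map ip at syslog-style time 'when' to its MAC and inventory record; None if no lease covers it."""
    at = parse_ts(when, year)
    unknown = {"asset": "unknown", "hostname": "?", "owner": "not in inventory"}
    for start, end, lease_ip, mac in build_timeline(log_text, year):
        if lease_ip == ip and start <= at and (end is None or at < end):
            return {"mac": mac, **inventory.get(mac, unknown)}
    return None


if __name__ == "__main__":
    # The time comes from the server log entry being investigated (constructed).
    print(who_had("10.1.2.30", "Feb  3 09:14:02", DHCP_LOG, INVENTORY))
    print(who_had("10.1.2.30", "Feb  3 12:00:00", DHCP_LOG, INVENTORY))
```

The example shows why the slide pairs inventory with DHCP logs: the same address is held by two different machines within a few hours, so a system log entry naming only the IP is not enough, and a gap between release and the next lease (11:40 to 11:41 here) correctly resolves to nobody rather than to the nearest guess. It also shows why the earlier step of synchronising clocks with NTP matters, since the lookup compares timestamps written by two different servers.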
Privacy Policies
Goal: To set users' expectation of privacy appropriately
An investigation may need access to a user's mailbox or other “private” data
Identifying how much privacy users have should be discussed before an incident occurs
The Data Protection Act requires that users be notified of and accept any monitoring, and that monitoring be a normal administration task. Suddenly increasing monitoring is not acceptable under the DPA.
Forensics Lab
Goal: To build the infrastructure needed for an in-house forensics lab (if one does not outsource it)
The forensics lab has unique requirements from other technology labs because of its legal requirements
Location:
Little traffic
Secured by key badge or other auditable mechanism
Camera surveillance
Separate computer network
A safe for long-term data storage (with sign-out sheets)
Forensics Lab Equipment
Contents will vary depending on supported platforms
At least one system of each supported platform
Linux can mount most file system images, and tools exist for more advanced analysis (The Sleuth Kit)
Windows does not have many tools native to it, but specialized tools exist for analysis of Windows systems (EnCase etc.)
Binary analysis capabilities
Malicious code monitoring capabilities
Summary
Many proactive steps can be performed to effectively handle incidents
Readiness forces an organization to consider how to handle an incident before it occurs
The amount of documentation required will depend on the organization