proactive n reactive forensics - rediris · qwhat is digital forensics? – incident response –...
TRANSCRIPT
11
Proactive & Reactive Proactive & Reactive ForensicsForensics
Jess García
Forensics, Forensics, Antiforensics Antiforensics & Automation& AutomationSecurity Instructor – The SANS InstituteConsultant – Jessland Enterprise Security Services
http://www.jessland.net
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 2
AgendaAgenda
IR & ForensicsIR & ForensicsAntiforensicsAntiforensicsForensics ReadinessForensics ReadinessAutomated ForensicsAutomated Forensics
22
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 3
Digital ForensicsDigital Forensics
What is Digital Forensics?What is Digital Forensics?– Incident response– Computer Forensic Investigations– Forensic preparedness– Secure Data Recovery
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 4
Incident ResponseIncident Response
PreparationPreparationIdentificationIdentificationContainmentContainmentEradicationEradicationRecoveryRecoveryFollowFollow--upup
The 6The 6--Step IR ProcessStep IR Process
33
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 5
The Forensics The Forensics ProcessProcess
Seizure
Preliminary Analysis
Investigation
Analysis
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 6
EvidenceEvidence
Evidence Types:Evidence Types:– Human Testimony– Physical Evidence– Network Evidence– Host Evidence
MemoryNetwork ConnectionsProcessesOpen PortsDisksFilesystemsExternal Devices
44
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 7
Real Life ProblemsReal Life Problems
Lack of trainingLack of trainingPoor EvidencePoor EvidenceTime consuming processTime consuming processLack of logging & tracking capabilitiesLack of logging & tracking capabilitiesLack of containment capabilitiesLack of containment capabilitiesLack of appropriate Forensics environmentLack of appropriate Forensics environment
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 8
AntiforensicsAntiforensics
PerspectivesPerspectives– Unintentional
Quality of evidence deteriorates quicklyThe Human Factor
– The User– The Investigator
– Malicious
Antiforensics Antiforensics is the “art” of reducing theis the “art” of reducing theQuantity and Quality of Forensics DataQuantity and Quality of Forensics Data
55
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 9
AntiforensicsAntiforensics
Forensics’ Analysts IssuesForensics’ Analysts Issues– Short on time– Short on Technical Skills– Slave to their Tools
Tools IssuesTools Issues– Filesystem’s Restrictions and Bugs– Vulnerabilities
Data IssuesData Issues– Encryption– Propietary Formats
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 10
AntiforensicsAntiforensics
StrategiesStrategies– Data Destruction or Manipulation
Data itselfMeta-data
– Data HidingInserting Data where it does not belong
– Data ContraceptionIn memory ExecutionSmall Footprint tools
66
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 11
Forensics ReadinessForensics Readiness
Forensics Readiness is the “art” of Forensics Readiness is the “art” of Maximizing an Environment’s Ability to Collect Maximizing an Environment’s Ability to Collect
Credible Digital EvidenceCredible Digital Evidence
No system or network is secure enoughNo system or network is secure enough
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 12
Forensics ReadinessForensics ReadinessPreparing IR Capabilities
Building your IR CapabilitiesBuilding your IR Capabilities– The Lab
Isolated NetworkIsolated SystemsForensics Servers Disk ServersShort and Long Term Secure Storage
– The Jump BagBlank MediaDisk DuplicatorsNetworking Gear… !!! …
– The ToolsForensics Software Processes
77
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 13
Forensics ReadinessForensics ReadinessPreparing the IR Team
The IR TeamThe IR Team– Processes
Crime Scene ProceduresChain of CustodyLegalities
– Forensics Tools TrainingCommercial ToolsFree ToolsOperating Systems & ApplicationsHardware and Physical Devices
– Real-Life Cases TrainingHoneynetsHoneynet Project’s SoftmReto Forense RedIRIS / UNAM
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 14
VA / Forensics/
FW Manager
Workstations
Servers
External Services
ID Network
IDSManagement & Analysis
Log Server/ SEM
Honeynet
Forensics ReadinessForensics ReadinessPreparing Systems & Networks Traffic Capturing Devices
Rotation time >= Response time
88
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 15
Preparing Systems & Networks:Preparing Systems & Networks:– Use Turn on & Maximize logging capabilities– Enable Remote Logging– Enable Kernel & Filesystem Accounting– Good Practices for Filesystems Separation– Host-based Firewalls– NIDS & HIDS– Profiling– Periodical Auditing– Forensics-friendly Filesystems– Analysis of the Impact of Forensics Tools
Forensics ReadinessForensics ReadinessPreparing Systems & Networks
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 16
Forensics ReadinessForensics ReadinessPreparing for Containment
The NetworkThe Network– Good Practices for Network Design– Choke Points
The SystemsThe Systems– Host-based Firewalls
The PeopleThe People– Restricted Investigative Team
99
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 17
The Forensics ProcessThe Forensics Process(Revisited)(Revisited)
Seizure
Preliminary Analysis
Investigation
Analysis
VERY Time consumingVERY Time consuming
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 18
Forensics ResponseForensics Response
What Type of IR/Forensics do you want/need?What Type of IR/Forensics do you want/need?What type of incidents do you expect?
TraditionalSlowManualMore accurate (if done properly)More Forensically SoundOlder evidence
ReactiveFasterManual / AutomatedRisk of False Positives / NegativesLess Forensically Sound (?)Fresher evidence
1010
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 19
Automated ResponseAutomated Response
1. Identify Attack1. Identify Attack
2. Trigger Automated Incident Response2. Trigger Automated Incident Response
3. Verify Incident3. Verify Incident
4. Trigger Automated Forensics Collection4. Trigger Automated Forensics Collection
5. Pre5. Pre--analyze dataanalyze data
6. Trigger alert6. Trigger alert
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 20
Automated ForensicsAutomated Forensics
What is automated forensics?What is automated forensics?– Automate the most typical steps of the Forensics
Analysis
Perspectives:Perspectives:– Automated Forensics Tools– Automated Forensics Process– Live Forensics:
IDS / IPS ToolProcedural Tool
– Dead Forensics
1111
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 21
Automated ForensicsAutomated Forensics
Objectives:Objectives:– Help identify actual intrusions– Collect more evidence– Collect better evidence– Reduce Analysis Time– Forensically Sound– Help stop attack– Helps with difficult to handle scenarios:
EncryptionStrange hardware (e.g. RAID arrays)
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 22
Automated ForensicsAutomated Forensics
The Process:The Process:– Automated IR Analysis
MemoryNetwork ConnectionsProcessesOpen PortsDisksFilesystemsExternal Devices
– Automated Disk & Filesystem Seizure– Automated Memory Seizure– Automated Integrity/Rootkit Checks
1212
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 23
Automated ForensicsAutomated Forensics
The Process:The Process:– Automated Profiling and Auditing– Automated Traffic Analysis– Automated Filesystem Analysis
MactimesDeleted Files IdentificationData RecoveryArtifacts Recovery
– Automated Memory AnalysisProcesses RecoveryArtifacts Recovery
– Automated Artifacts Analysis
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 24
Risks & Limitations of Risks & Limitations of Automated ForensicsAutomated Forensics
BenefitsBenefits– Fast
Possibility of Early DetectionIf nothing else, better than no response
– Earlier Evidence– Optimizes Analysis Time– Allows for more In-Depth Analysis
Requirements:Requirements:– Preserve Evidence
Avoid using local binaries and libraries: push statically compiled binariesIn memory execution (ftrans, userland exec)
1313
Proactive & Reactive Forensics – © Copyright 2005, Jess García – http:// www.jessland.net – 25
Risks & Limitations of Risks & Limitations of Automated ForensicsAutomated Forensics
Risks & LimitationsRisks & Limitations– False Sense of Security– Assimetry:
Positive Results -> Probable break-inNegative results do not mean unsuccessful break-in
– False Positives & False Negatives– May not stand in Court