EMERGING TECHNOLOGIES COMMITTEE JUNE 17, 2002 Frank DeCandido, CPA, Vice President Prudential Financial
Presentation Transcript


  1. COMPUTER FORENSICS
     EMERGING TECHNOLOGIES COMMITTEE, JUNE 17, 2002
     Frank DeCandido, CPA, Vice President, Prudential Financial
     Thomas Doughty, First Vice President, Manager – Information Security, Prudential Financial
     Emerging Technologies Committee - 6/17/02

  2. Table of Contents
     • Evolution of Fraud (pages 3-5)
     • 2002 FBI/Computer Security Institute Annual Survey (pages 6-8)
     • Incident Response (pages 9-42)
     • Congressional Statutes (pages 43-45)
     • What’s Next (page 46)
     • Computer Crime Organizations (page 47)
     • Other Websites (page 48)
     • Website of the Month for June 2002 (page 49)
     • Presenters (page 50)
     • Bibliography (pages 51-52)

  3. Evolution of Fraud
     • CPE classes used to concentrate on corporate fraud:
       • Check kiting
       • Check fraud
       • Credit card fraud
     • Advice: do not write checks with a felt pen

  4. Evolution of Fraud
     • Over the years computer fraud became more prevalent:
       • Hackers
       • Viruses
       • Firewalls

  5. Evolution of Fraud
     • The evolution of the Internet has opened up the flood gates in the way of access to personal and business information.

  6. 2002 FBI/Computer Security Institute Annual Survey [7]
     • Computer Security Institute (CSI), http://www.gocsi.com/, is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional.
     • Started the survey in 1995
     • On April 7, 2002 issued the results of its Seventh Annual “Computer Crime and Security Survey”
     • Heaviest concentration in High Tech (19%) and Financial Services (19%)

  7. 2002 FBI/Computer Security Institute Annual Survey [7]
     • Results:
       • 90% of respondents detected computer security breaches within the last 12 months;
       • 80% acknowledged financial losses due to computer breaches;
       • 44% were willing to and/or able to quantify their losses ($445 million);
       • Most serious financial losses occurred through the theft of proprietary information and financial fraud;
       • For the 5th year in a row, more respondents cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack;
       • 34% reported the intrusions to law enforcement (1996: 16%);
       • 44% reported systems penetration from the outside;
       • 44% reported denial of service attacks;
       • 78% reported employee abuse of Internet access privileges (downloading);
       • 85% detected computer viruses

  8. 2002 FBI/Computer Security Institute Annual Survey [7]
     If your organization has experienced computer intrusion(s) within the last twelve months, which of the following actions did you take?
     • 77% Patched holes
     • 40% Did not report
     • 34% Reported to law enforcement
     • 19% Reported to legal counsel

  9. Incident Response
     • Methodologies [1]:
       • Definition of Computer Forensics
       • **Pre-Incident Preparation
       • Detection
       • Initial Response
       • **Strategies (Tom Doughty to discuss)
       • **Forensic Process
       • Investigation
       • Security Measure Implementation
       • Network Monitoring
       • Recovery
       • Reporting
       • Follow-up

  10. Computer Forensics
     • fo·ren·sics [6] n. (used with a sing. verb)
       • The art or study of formal debate; argumentation.
       • The use of science and technology to investigate and establish facts in criminal or civil courts of law.
     _____________________________________________________________________
     Computer forensic service deals with the preservation, identification, extraction and documentation of computer-related evidence on computer storage media. [5]
     The process of unearthing data of probative value from computer and information systems. [1]
     Computer forensics is the collection, preservation, analysis and court presentation of computer-related evidence. [12]

  11. Incident Response
     • Pre-Incident Preparation [1]: why is it important? Common themes
     • Preparation for a computer-related incident will:
       • help create an infrastructure that provides quick resolutions after an incident occurs (computer data is easily altered or erased);
       • help in the preservation of the evidence;
       • provide the thorough, complete documentation needed to verify the integrity of files;
       • help provide the technical and procedural measures that need to be in place so that some of the basic but vital questions can be answered quickly, to expedite the collection of evidence;
       • preserve chain of custody;
       • prevent poor performance.
     • University studies have found that more than 90% of all information is now created in digital form (University of Berkeley: 93%)

  12. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Establish a Computer Incident Response Team:
       • Point of contact?
         • During business hours, after business hours, holidays and weekends
         • 24/7 availability
       • Establish the team’s mission
       • Members of the team:
         • Systems
         • Human Resources
         • Corporate Security
         • Legal (internal)
         • Accounting (financial fraud)
         • Outside consultants (incident by incident)
         • Law enforcement (incident by incident)
         • Senior management (incident by incident)

  13. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Preparation steps to take to verify the integrity of files:
       • Response tool kit:
         • Hardware (see page 14)
         • Software (Safeback, EnCase, or other forensic software packages) (see page 15)
         • Network monitoring platform
       • Create a “known-good” copy of the system on a regular basis. This allows comparison of the known-good files with the corrupted files.
       • Cryptographic checksums/fingerprints:
         • Created by applying an algorithm to a file;
         • Unique to that file;
         • Create checksums for critical files BEFORE an incident occurs and compare them to the file after the incident occurs;
         • Most commonly used is the MD5 algorithm (SAVE OFFLINE)
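The checksum step on this slide, worked through as an added example (this is not code from the presentation or from any of the tools it names). It fingerprints a set of critical files before an incident, stores the baseline as JSON standing in for the offline copy the slide asks for, and after the incident classifies every file as unchanged, modified, missing or new. The slide names MD5; the example records a SHA-256 digest alongside it, on the assumption that a second, collision-resistant digest is wanted for files that may later be produced in court. The file names and contents in `demo()` are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# MD5 because the slide names it; SHA-256 alongside it (assumption: a second,
# collision-resistant digest is wanted for files that may end up in court).
ALGORITHMS = ("md5", "sha256")


def fingerprint(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, streaming it in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(paths):
    """Fingerprint every critical file; the result is what gets saved offline."""
    return {str(Path(p)): fingerprint(p) for p in paths}


def compare_to_baseline(baseline, current):
    """Classify each file as unchanged, modified, missing or new.
    Any digest mismatch counts as modified, so a collision in one
    algorithm alone is not enough to hide a change."""
    report = {"unchanged": [], "modified": [], "missing": [], "new": []}
    for path, digests in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digests:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo():
    """Constructed scenario: baseline two files, keep the baseline as JSON
    (the offline copy), then alter one file and delete the other."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = Path(tmp) / "passwd"
        hosts = Path(tmp) / "hosts"
        passwd.write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        hosts.write_bytes(b"127.0.0.1 localhost\n")
        saved = json.dumps(build_baseline([passwd, hosts]))

        # Incident: an extra UID-0 account appears in passwd and hosts is removed.
        passwd.write_bytes(b"root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        hosts.unlink()

        current = build_baseline([passwd])
        report = compare_to_baseline(json.loads(saved), current)
        # Report file names only, so the result does not depend on the temp path.
        return {k: [Path(p).name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: if the JSON sits on the same host, an intruder who can alter the files can alter the baseline too, which is why the slide says to save it offline.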

  14. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Hardware needed:

  15. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Software needed:

  16. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Preparation steps to take to verify the integrity of files:
       • Increase or enable secure audit logging: configuring log files can make them more complete and less likely to be corrupted.
         • UNIX: controlling logging, remote logging and process accounting
         • WINDOWS: security auditing, auditing file and directory actions, remote logging
       • Topology/architecture maps
         • The arrangement in which the nodes of a LAN are connected to each other
       • Enhance host and network logging, and make sure that backups are performed on a regular basis.

  17. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • What are the threats to your organization?
       • Types of damage: loss of business? Reputation?
       • Concerned about loss of intellectual property?
       • Destruction of databases?
       • Who poses a threat?
       • Do you fear an outside intrusion?

  18. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Preparation steps to take to verify the integrity of files:
       • Others (security):
         • Firewalls/intrusion detection
           • Ford Levy, CPA from Maxwell, Shmerler & Company will be presenting a session on Firewalls on Tuesday, July 9, 2002 @ 9am.
         • Perform a trap and trace (check legal requirements)
         • Monitoring at the user level
           • Violation logs
           • Improperly configured devices
           • Exception processes
         • Monitor Internet activity
         • Monitor employee modems

  19. Incident Response
     • Pre-Incident Preparation [1] (con’t):
     • Preparation steps to take to verify the integrity of files:
       • Others (security):
         • Scanning the network;
         • Back up critical data;
         • Access control lists on routers;
         • Encrypt network traffic;
         • Build up your hosts’ defenses: use the latest release and make sure that all patches, hot fixes and updates are installed;
         • Educate users
           • No external software

  20. Incident Response
     • Detection [1]:
       • Alerts about suspicious activities should be made through firewall/intrusion detection systems (IDS)
       • Alerts should be immediate;
       • BlackICE at the individual level

  21. Incident Response
     • Initial Response [1]:
       • Use a notification checklist to list all pertinent details:
         • Point of contact
         • Assemble the response team
         • Which hardware/software?
         • What time/place?
         • Nature?
         • Record all pertinent facts (platform, ports/IP address, etc.)
       • Immediate actions to be taken from the standpoint of who is monitoring:
         • Network mapping confirming an incident has occurred or is occurring;
         • Evaluation of the incident (use of cryptographic checksums/fingerprints);
         • Type of incident and business impact is determined.

  22. Incident Response
     • Strategies [1]:
       • Denial of service: reconfigure routers;
       • Virus outbreak: isolate the machine as soon as possible;
       • If a workstation in a development population is affected, segregate the network (turn off choke points);
       • Awareness/communication/documentation of policies;
     • Factors:
       • Critical systems affected?
       • Sensitivity of the compromised information?
       • Who are the perpetrators and what is their skill level?
       • Is the incident known to the public?
       • Dollar loss involved?
       • Tolerance of user and system downtime?

  23. Incident Response
     • Strategies [1] (con’t):
       • Host-based intrusion detection:
         • Response focused / overhead and maintenance intensive
       • Perimeter-based intrusion detection:
         • Easier to administer
       • Review risk assessment policies.

  24. Incident Response
     • Forensics Process [1]:
       • Also known as Digital Evidence Analysis or Computer Media Analysis;
       • Common themes:
         • Preservation of evidence is key;
         • Thorough documentation;
         • Look at the judicial process;

  25. Incident Response
     • Forensics Process [1] (con’t):
     • Maintain chain of custody of evidence
       • Create evidence tags:
         • Time and date of the action
         • Number assigned to the case
         • Evidence tag #
         • Was consent required?
         • Who did the evidence belong to?
         • Description of the evidence
         • Who received the evidence, and signature
       • Track any transfers of evidence
         • E.g. hard drives to CD-ROM
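An added example of the evidence tag and transfer tracking this slide describes; it is not code from the presentation. Each tag carries the fields listed on the slide, and every custody action (the initial collection and each later transfer, such as the hard drive being imaged to CD-ROM) is appended as an entry. As an addition beyond the slide, each entry includes the hash of the previous one, so a tag whose custody record has been edited or shortened no longer verifies. Names, timestamps and the case number in `demo()` are constructed; signatures are represented by the receiver's name.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field

GENESIS = "0" * 64  # link value for the first custody entry


@dataclass
class CustodyEntry:
    action: str        # "collected" or "transferred"
    at: str            # time and date of the action (ISO-8601, constructed)
    from_person: str   # previous holder (the owner, for the initial collection)
    to_person: str     # who received the evidence (stands in for the signature)
    note: str          # e.g. "imaged to CD-ROM"
    prev_hash: str     # hash of the previous entry; links the chain
    entry_hash: str = ""


def _hash_entry(tag_number, entry):
    """SHA-256 over every field except entry_hash, bound to the tag number so an
    entry cannot be moved from one tag's record to another's."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    payload["tag_number"] = tag_number
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class EvidenceTag:
    case_number: str
    tag_number: str
    description: str
    owner: str
    consent_required: bool
    custody: list = field(default_factory=list)

    def _append(self, action, at, from_person, to_person, note):
        prev = self.custody[-1].entry_hash if self.custody else GENESIS
        entry = CustodyEntry(action, at, from_person, to_person, note, prev)
        entry.entry_hash = _hash_entry(self.tag_number, entry)
        self.custody.append(entry)
        return entry

    def collect(self, by, at, note=""):
        return self._append("collected", at, self.owner, by, note)

    def transfer(self, from_person, to_person, at, note=""):
        return self._append("transferred", at, from_person, to_person, note)

    def verify_chain(self):
        """Recompute every link and hash; an edited, removed or reordered entry
        breaks the chain and the method returns False."""
        prev = GENESIS
        for entry in self.custody:
            if entry.prev_hash != prev or _hash_entry(self.tag_number, entry) != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True


def demo():
    """Constructed record: one drive collected, handed to the lab, then imaged to CD-ROM."""
    tag = EvidenceTag(
        case_number="CASE-2002-017",            # constructed
        tag_number="E-001",
        description="80 GB IDE hard drive, workstation in office 4B",
        owner="J. Employee",
        consent_required=False,
    )
    tag.collect(by="F. DeCandido", at="2002-06-10T09:15:00Z", note="removed from workstation")
    tag.transfer("F. DeCandido", "Forensics Lab", "2002-06-10T11:40:00Z", "sealed in evidence bag")
    tag.transfer("Forensics Lab", "Evidence Locker", "2002-06-11T16:05:00Z", "imaged to CD-ROM, originals returned")
    return tag


def tamper_detected():
    """Show that changing one historical entry is caught by verify_chain()."""
    tag = demo()
    tag.custody[1].to_person = "Someone Else"
    return not tag.verify_chain()
```

The hash chain only proves that the record has not been altered since each entry was written; it does not replace the signatures and sealed bags the slide relies on, it just makes the written record harder to rewrite quietly.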

  26. Incident Response
     • Forensics Process [1] (con’t):
     • Maintain chain of custody of evidence
       • Document information about the item(s), e.g. duplication of mail servers:
         • Occupants of the office;
         • Names of employees who have access to the office;
         • Location of computer systems in the room;
         • State of systems (powered on or not);
         • People present in the room at the time of the forensic duplication;
         • Serial numbers, models and makes of the hard drives;
         • Peripherals attached to the systems.

  27. Incident Response
     • Forensics Process [1] (con’t):
     • Maintain chain of custody of evidence
     • Initial response:
       • Steps before forensic duplication [3]:
         • If the computer is OFF, DO NOT TURN IT ON;
         • If the computer is ON:
           (1) DO NOT POWER DOWN; items will be lost such as memory contents, state of network connections, state of running processes, contents of the storage media and contents of removable and backup media [1];
           (2) Photograph the screen and disconnect all power sources; unplug from the back of the computer;
           (3) Interrupting power from the back of the computer will defeat an uninterruptible power supply;

  28. Incident Response
     • Forensics Process [1] (con’t):
     • Maintain chain of custody of evidence
     • Initial response:
       • Steps before forensic duplication (con’t):
         • For laptops, locate and remove the battery pack if the laptop does not shut down when the power cord is removed;
         • Place evidence tape over each drive slot;
         • Photograph/diagram and label the back of the computer components with existing connections;
         • Label all connector/cable ends to allow reassembly as needed;
         • If transporting is required, package components and transport/store them as fragile cargo;
         • Keep away from magnets, radio transmitters and other potentially damaging elements;

  29. Incident Response
     • Forensics Process [1] (con’t):
     • Maintain chain of custody of evidence
     • Initial response:
       • Steps before forensic duplication (con’t):
         • Collect all peripheral devices, cables, keyboards and monitors;
         • Collect all instructional manuals, documentation and notes (user notes may contain passwords);
         • On networked or business computers, secure the scene. Do not let anyone touch except network-trained personnel;
         • Pulling the plug could severely damage the system, disrupt legitimate business and create officer and department liability

  30. Incident Response
     • Forensics Process [1] (con’t):
     • Performing forensic duplication [1]:
       • Perform all analysis on a copy restored from the duplicate image;
       • When is forensic duplication necessary?
         • Likely to be judicial action
         • High profile incident
         • Significant dollar loss
         • Will you need to undelete data or search free or slack space to unearth evidence?
       • If you said yes to any of these questions, then you would need to perform a forensic backup

  31. Incident Response
     • Forensics Process [1] (con’t):
     • Performing forensic duplication [1]:
       • Approaches:
         • Remove the drive from the suspect computer and attach it to a forensics workstation;
           • Traditional;
           • Safeback, UNIX dd command, EnCase;
         • Attach a hard drive to the suspect computer;
           • Just as common as the first;
           • Same methodology as the first;
           • Forensics experts typically carry a forensics workstation, which minimizes hardware and software problems;
         • Send the disk image over a closed network to the forensics workstation as it is created.
           • Usually done when a UNIX system is used as the imaging platform.

  32. Incident Response
     • Forensics Process [1] (con’t):
     • Performing forensic duplication [1]:
       • Requirements for forensic duplication tools:
         • Must image every byte of data on the storage medium, from the beginning of the drive to the maintenance track;
         • Handle read errors in a robust manner;
         • Must not make changes to the original evidence;
         • Must be able to be held up to scientific testing and analysis;
         • Results must be repeatable and verifiable by a third party;
         • File created using a checksum or hashing algorithm;
           • This functionality may be performed concurrently with the creation of the file or at the end of the imaging process
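The requirements on this slide, turned into a small imaging routine as an added example (not code from the presentation, and not how Safeback, EnCase or dd are implemented). It reads the source sector by sector from first to last, hashes the image concurrently with writing it, never writes to the source, records each unreadable sector instead of aborting or silently skipping it (writing zeros in its place so the image keeps its geometry), and ends with an independent re-hash of the finished image, the check a third party would repeat. The drive, its contents, the 512-byte sector size and the bad sector are all constructed for the example.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size of the evidence medium


class SimulatedDrive:
    """Constructed stand-in for the suspect drive: raw bytes plus a set of
    sector numbers that raise an I/O error when read, like a failing disk."""

    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)
        self.writes = 0  # must stay 0: an imaging tool never writes to evidence

    def size(self):
        return len(self._data)

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def image_drive(drive, out):
    """Copy every sector from the first to the last into `out`, hashing the
    image concurrently. An unreadable sector is replaced with zeros and logged,
    so the gap is documented rather than hidden, and the image stays aligned."""
    sectors = -(-drive.size() // SECTOR)  # ceiling division: include a partial last sector
    digest = hashlib.sha256()
    read_errors = []
    for n in range(sectors):
        try:
            block = drive.read_sector(n)
        except OSError as exc:
            read_errors.append((n, str(exc)))
            block = b"\x00" * SECTOR
        out.write(block)
        digest.update(block)
    return {"sectors": sectors, "sha256": digest.hexdigest(), "read_errors": read_errors}


def verify_image(image_bytes, expected_sha256):
    """Re-hash the finished image independently of image_drive(): the step a
    third party repeats to confirm the copy matches the recorded digest."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def demo():
    """Constructed run: a 4-sector drive whose sector 2 cannot be read."""
    original = bytes(range(256)) * 8  # 2048 bytes = exactly 4 sectors
    drive = SimulatedDrive(original, bad_sectors={2})
    out = io.BytesIO()
    record = image_drive(drive, out)
    image = out.getvalue()
    return {
        "record": record,
        "image_size": len(image),
        "verified": verify_image(image, record["sha256"]),
        "source_untouched": drive.writes == 0,
        "zeroed_gap": image[2 * SECTOR:3 * SECTOR] == b"\x00" * SECTOR,
        "rest_intact": image[:2 * SECTOR] == original[:2 * SECTOR]
        and image[3 * SECTOR:] == original[3 * SECTOR:],
    }


if __name__ == "__main__":
    result = demo()
    print(result["record"]["sha256"], result["record"]["read_errors"])
```

The read-error list belongs in the case notes next to the digest: the hash proves the image is the bytes the tool wrote, and the list states exactly which of those bytes are substitutes rather than evidence.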

  33. Incident Response
     • Forensics Process [1] (con’t):
     • Performing forensic analysis [1]:
       • Divided into two layers:
         • Physical analysis
           • String searches
           • Search and extract
           • Extracting file slack and free space
         • Logical analysis
       • Understanding where evidence resides:
         • The physical layer
         • Data classification layer
         • Blocking format layer
         • Storage space allocation layer
         • Information classification and application storage layers

  34. Incident Response
     • Investigation:
       • Conducted on a forensic duplication of a relevant system;
       • Information collecting stage:
         • What was harmed?
         • How was it damaged?
         • Who was to blame? Establishing the identity behind the people on a network is increasingly difficult;
         • How to fix the compromise.
       • The proper collection and analysis of computer evidence through accepted computer science protocol is a critical component of any internal investigation or audit where the results have the potential to be presented in legal proceedings [12]

  35. Incident Response
     • Investigation:
       • Windows NT/2000 [1]
         • Review all pertinent logs;
         • Perform keyword searches;
         • Review relevant files;
         • Identify unauthorized user accounts or groups;
         • Identify rogue processes;
         • Look for unusual or hidden files;
         • Check for unauthorized access points;
         • Examine jobs run by the scheduler service;
         • Analyze trust relationships;
         • Review security identifiers.

  36. Incident Response
     • Investigation:
       • UNIX [1]
         • Review all pertinent logs;
         • Perform keyword searches;
         • Review relevant files;
         • Identify unauthorized user accounts or groups;
         • Identify rogue processes;
         • Check for unauthorized access points;
         • Analyze trust relationships.

  37. Incident Response
     • Security Measure Implementation [1]:
       • If you are accumulating evidence for potential civil, criminal, or administrative action, obtain that evidence BEFORE you implement any security measures.
       • Isolation and containment:
         • Prevent attackers from continuing their activities;
         • Could be as simple as disconnecting the compromised computer from the network;
         • The problem here is that you may still have to monitor the attacker’s activities to gather evidence for criminal prosecution;
         • Electronically isolate the computer; removing other computers from the same broadcast domain will limit the exposure of other systems;
         • Network filtering (“fishbowling”) will allow you to continue monitoring malicious activity while limiting further activity;

  38. Incident Response
     • Network Monitoring [1]:
       • Should start during the initial response and continue until the recovery is complete;
       • It allows you to track the attacker, gaining crucial evidence;
       • It provides assurance that there are no recurrences of similar incidents during recovery.
       • Comprehensive monitoring should be used on the subnet hosting the target computer (a laptop configured with a sniffer that flags packet attributes as well as recording content is most appropriate);
       • Less comprehensive monitoring should be considered at the network boundaries;
       • Decide what to monitor:
         • Log all traffic to and from the victim machine
         • Traffic originating at the victim system

  39. Incident Response
     • Recovery [1]:
       • Hot backup on critical platforms;
       • Restoration of relevant systems to a secure, operational state;
       • Take into consideration both the level of compromise and the type and location of the system compromised;
       • If the compromised system is part of a large trust environment, an attacker is likely to have cracked passwords for accounts that are valid across the domain. In that case every system that shares that account must be investigated and recovered;
       • Choosing a recovery strategy:
         • Rebuilding from “known-good” media is essential;

  40. Incident Response
     • Recovery [1]:
       • Choosing a recovery strategy (con’t):
         • Securing (“hardening”) the system involves:
           • Turning off unused services;
           • Applying operating system and application patches;
           • Enabling strong passwords;
           • Continuing competent administration;
         • Backups can be used during recovery, but only if you are sure that the incident occurred after the backup was made;
       • Security countermeasures:
         • Host-based controls, packet filters, firewalls, IDS, user education, and policy and procedures.

  41. Incident Response
     • Reporting [1]:
       • Goals: Document, Document, Document
       • Reporting should be performed at every stage of incident response;
       • Tedious, methodical process;
       • Failure to do so will lead to faulty conclusions and inadequate response;
       • Reports may be subject to the eyes of a judge, jury and attorneys;
       • Reporting activities include supporting criminal or civil prosecutions, producing final reports and suggesting process development.

  42. Incident Response
     • Follow-up [1]:
       • Analyze the process conducted;
       • Record lessons learned;
       • Fix any problems;
       • Steps after an employee leaves:
         • An employee’s hard drive is imaged to CD-ROM disks upon resignation, termination or internal transfer, should an examination need to take place at a later date
       • Recheck policies
       • Training (www.sans.org)

  43. Congressional Statutes
     • Computer Fraud and Abuse Act (CFAA) [4]
       • CFAA was first passed in 1984
       • At its inception, the Act was directed at the protection of classified information that was maintained on federal government computers, as well as the protection of financial records and credit information on government and financial institution computers.
       • Broadened in 1986 when certain amendments extended protection to the “federal interest computer”.
       • Amended in 1996, with the phrase “protected computer” replacing the previous concept of “federal interest computer”. Protection now covered all computers involved in interstate and foreign commerce, whether or not any federal government proprietary interest is implicated.

  44. Congressional Statutes
     • Computer Fraud and Abuse Act (CFAA) [4]
       • Effects of the Shurgard Storage Centers vs. Safeguard Self Storage case:
         • The judge agreed: “Unless otherwise agreed, the authority of any agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”
         • The court found that “the authority of the plaintiff’s former employees ended when they allegedly became agents of the defendant.”
         • The employee could be subject to federal criminal sanction.
         • Employers can now defend themselves in proprietary rights agreements.
         • As a result, the disloyal employee was in effect treated as a hacker, from and after the time he started acting as an agent for Safeguard.

  45. Congressional Statutes
     • State computer crime laws can be found at:
       • http://nsi.org/Library/Compsec/computerlaw/statelaws.html
     • Another general site for state laws:
       • www.lawsource.com
     • “Incident Response”, by Kevin Mandia and Chris Prosise

  46. What’s Next
     • Smart cards
     • VPNs (Virtual Private Networks)
     • Biometrics
     • Business-to-customer digital certificates

  47. Computer Crime Organizations [1]
     • Forum of Incident Response and Security Teams (FIRST): www.first.org
     • Incident Response – Investigating Computer Crime: www.incidentresponsebook.com
     • Carnegie Mellon’s CERT Coordination Center: www.cert.org
     • Security Focus: www.securityfocus.com
     • National Infrastructure Protection Center: www.nipc.gov
     • Federal Computer Incident Response Center (FEDCIRC): www.fedcirc.gov
     • Department of Defense Computer Emergency Response Team (DOD-CERT): www.cert.mil

  48. Other Web Sites
     • Cisco Computer Security (www.ciscoisecurity.com.sg)
     • SearchSecurity.com (www.searchsecurity.com)
     • Defaced Web Sites (www.attrition.org/mirror/attrition)
     • The Information Systems Audit and Control Association Foundation (www.isaca.org)
     • Association of Federal Fraud Examiners (www.cfenet.com)
     • Safeback (New Technologies) (www.forensics-intl.com)
     • EnCase (www.guidancesoftware.com)
     • Center for Computer Forensics (www.computer-forensics.net)
     • Computer Forensics Inc. (www.forensics.com)
     • SANS Institute (www.sans.org)
     • Computer Security Institute (www.gocsi.com)
     • Infragard (www.infragard.net)
     • Cyber Crime (www.cybercrime.gov)

  49. Web Site of the Month for June 2002

  50. Presenters
     • Frank J. DeCandido, CPA, Vice President, Prudential Financial
       Email: frank_decandido@prusec.com, Phone: 212-214-2037
     • Thomas Doughty, First Vice President, Prudential Financial
       Email: thomas_doughty@prusec.com, Phone: 212-778-4610
