
INCIDENT RESPONSE

INCIDENT RESPONSE. BCIS 4630 Fundamentals of IT Security. Dr. Andy Wu. Be Prepared. Administrative measures: disaster recovery plan, business continuity plan. Operational measures: alternate sites. Technical measures: backups, incident response, handling potential evidence.


Presentation Transcript


  1. INCIDENT RESPONSE BCIS 4630 Fundamentals of IT Security Dr. Andy Wu

  2. Be Prepared • Administrative measures • Disaster recovery plan • Business continuity plan • Operational measures • Alternate sites • Technical measures • Backups • Incident response • Handling potential evidence • Types of evidence • Rules governing digital evidence

  3. Disaster Recovery & Biz Continuity • In addition to the threats that we’ve discussed previously, natural and human disasters can halt organizational operations for some length of time. • Fire, hurricane, earthquake, gas leak, riot, terrorism, etc. • The causes are not aimed at any specific system or organization. • The organization’s preparedness and plans to mitigate the disaster’s effects determine how long operations are disrupted. • “Availability” is the utmost concern in disaster recovery and business continuity planning.

  4. Disaster Recovery Plan (DRP) • A good DRP includes the processes and procedures needed to restore an organization and ensure continued operation. • They should be documented. • They should be reviewed and exercised on a periodic basis. • The DRP needs to be approved by management. • It is essential that they buy into the plan.

  5. Business Continuity Plan (BCP) • Aims to prevent interruptions to normal business activity and to minimize the effects of a disruptive event on an organization. • A BCP emphasizes the critical systems needed to operate. • Compared with BCP, a DRP has protection of human life as a major focus. • A DRP is carried out when everything is still in emergency mode. A BCP takes a broader approach and has a longer time frame. • DRP: Oh, my goodness! The sky is falling! • BCP: OK, the sky fell. Now, how do we stay in business until someone can put the sky back where it belongs?

  6. Alternate Sites • If an organization has suffered physical damage to a facility, having off-site storage of data is only part of the solution. • Data needs to be processed somewhere. • Backup computing facilities similar to those used in normal operations must be found. • Hot, warm, and cold sites

  7. Backups • Backup is a critical element in disaster recovery plans and business continuity plans, as well as in incident response. • Backup provides valid, uncorrupted data in the event of corruption or loss of the original file or media. • A good backup plan will consider more than just the data. It will include: • Application programs needed to process the data. • The operating system and utilities that the hardware platform requires to run the applications. • Personnel required for restoring the data. • Most files are not changed every day. To save time and resources, it is best to devise a backup plan that does not repeatedly back up unchanged data.

  8. Archive Bit • Set (checked) after a file is created or modified. • Cleared (unchecked) after a file is backed up.

  9. Full Backup • All data files, application files and system files are copied regardless of the archive bit status. • The archive bit is then cleared once the file/folder has been backed up. • Slowest to back up, but fastest to restore. • Restoration is simple: all the files are copied back onto the system.

  10. Full Backup & Restoration

  11. Differential Backup • Only the files and software that have changed since the last full backup should be stored. • The archive bit is not cleared, so the next differential backup still will contain the same data in this differential backup plus any additional files that change between this and the next backup. • Takes longer to back up than an incremental backup. • Faster to restore than an incremental backup.

  12. Restoring from Differential Backup • Restoration requires two steps: • The last full backup is loaded. • The differential backup can be applied to update the files that have been changed since the full backup was conducted. • The time to accomplish the periodic differential backup is less than a full backup. • If the period of time between differential backups is long, or if files change frequently, the differential backup is like a full backup.

  13. Differential Backup & Restoration

  14. Incremental Backup • Backs up only the files and software that have changed since the last backup, which is either: • The last full backup (if this is the first incremental backup in the current backup cycle). • The most recent incremental backup since the last full backup (if at least one incremental backup has been done in the current backup cycle). • The archive bit is cleared so that the file/folder will not be included in the next incremental backup. • Fastest to back up, slowest to restore.

  15. Restoring from Incremental Backup • To restore a system using this type of backup method requires more work. • Go back to the last full backup and reload the system with this data. • Then update the system with every incremental backup. • The advantage of this type of backup is that it requires less storage and time to accomplish. • The restoration process is more involved.

  16. Incremental Backup & Restoration
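The three backup strategies from slides 8 through 16 differ only in which files they copy and whether they clear the archive bit afterwards. The following added example (not from the course; the file set and the three-day change schedule are constructed here) simulates a small volume with an archive bit per file, runs the same schedule under a differential and an incremental scheme, and restores from each, so the size and restore-step trade-off described in the slides can be observed directly.

```python
"""Simulation of full, differential and incremental backups driven by the
archive bit.  Added example: the in-memory volume, file names and change
schedule are constructed for illustration and are not from the course."""


class Volume:
    """A tiny in-memory file system: name -> (content, archive_bit)."""

    def __init__(self):
        self.files = {}

    def write(self, name, content):
        # Creating or modifying a file sets the archive bit (slide 8).
        self.files[name] = (content, True)


def full_backup(vol):
    """Copy every file regardless of the archive bit, then clear the bit."""
    snapshot = {name: content for name, (content, _) in vol.files.items()}
    for name, (content, _) in vol.files.items():
        vol.files[name] = (content, False)
    return snapshot


def differential_backup(vol):
    """Copy files whose archive bit is set; leave the bit set, so the next
    differential still includes everything changed since the last full."""
    return {name: content for name, (content, bit) in vol.files.items() if bit}


def incremental_backup(vol):
    """Copy files whose archive bit is set and clear it, so the next
    incremental captures only changes made after this one."""
    snapshot = {name: content for name, (content, bit) in vol.files.items() if bit}
    for name, content in snapshot.items():
        vol.files[name] = (content, False)
    return snapshot


def restore(full, later_sets):
    """Restore = last full backup plus later sets applied in order.
    Differential scheme: pass only the last differential set.
    Incremental scheme: pass every incremental set since the full, oldest first."""
    state = dict(full)
    for backup_set in later_sets:
        state.update(backup_set)
    return state


def run_schedule(strategy):
    """Run a constructed three-day change schedule under 'differential' or
    'incremental' and return (size of each partial backup, restored files)."""
    vol = Volume()
    vol.write("a.txt", "a1")
    vol.write("b.txt", "b1")
    vol.write("c.txt", "c1")
    full = full_backup(vol)

    partials = []
    # Day 1: a.txt changes.  Day 2: b.txt changes.  Day 3: a.txt changes again.
    for name, content in [("a.txt", "a2"), ("b.txt", "b2"), ("a.txt", "a3")]:
        vol.write(name, content)
        if strategy == "differential":
            partials.append(differential_backup(vol))
        else:
            partials.append(incremental_backup(vol))

    sizes = [len(p) for p in partials]
    if strategy == "differential":
        restored = restore(full, [partials[-1]])   # full + last differential
    else:
        restored = restore(full, partials)         # full + every incremental
    return sizes, restored


if __name__ == "__main__":
    for s in ("differential", "incremental"):
        print(s, run_schedule(s))
```

Under the differential scheme the per-day backup sizes grow (1, 2, 2 files) because the bit is never cleared, but restore needs only two sets; under the incremental scheme each day copies just one file, but restore must replay every set in order. Both end in the same state.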

  17. Backup Retention • Multiple backups should be maintained. • Thus, it is easier to return to a point before some intrusion, security, or operational event occurred. • The most recent copy may be stored locally, as it is the most likely to be needed. • It should be stored in a fire-resistant, heat-resistant, and waterproof safe. • Other copies should be stored off-site. • Even if the current set is corrupted, the off-site sets can still be used for restoration.

  18. Incident Response • Make plans about actions to take before attacks actually occur. • Ensures that the right person is assigned to a particular task. • Allows quick response and recovery. • Prevents the incidents from reoccurring. • Forecast possible future attacks. • Prioritize the possible attacks. • Define what attacks will be serious enough to warrant calling in the incident response team. • Define what will warrant collection of legal evidence.

  19. PDCERF Model • It was created at the Invitational Workshop on Incident Response at the Software Engineering Institute (SEI) in July 1989 by the workshop participants, including the renowned security expert Eugene Schultz.

  20. PDCERF Model • Preparation • Detection • Containment • Eradication • Recovery • Follow-up

  21. Better Safe Than Sorry • Treat every incident as a criminal act. • Always assume that the evidence you collect will be used in a court case. • Otherwise, you probably won’t be able to seek remuneration from the attacker. • It’s a lot easier to loosen up the evidence collection standards, once you decide that there is no need to involve law enforcement, than it is to fix a sloppy collection effort after the fact. • Preservation of evidence must be conducted at the earliest stage of an investigation.

  22. Documentary Evidence • Written documentation. • Log files, database files, incident-specific files and reports, etc. • All documentary evidence must be authenticated. • Can be difficult to use when trying to convince non-technical jurors.

  23. Testimonial Evidence • Verbal or written testimony of a witness (in court, during deposition). • Example: system administrator testifying how logs were kept on the server involved. • A witness can help to reduce investigative work by providing/revealing clues.

  24. Demonstrative Evidence • It’s often necessary to use visual aids or other illustrations to help explain some of the more technical details of the evidence. • Does not stand on its own but exists to augment other evidence. • Often the necessary component to successful use of other evidence.

  25. Two Sides of the Coin • Computer evidence shares some characteristics with regular evidence but also differs from it. • Activities on computers leave a lot of traces – passwords, log entries, timestamps (MAC dates), etc. are written to various locations on the hard drive. • Computer records can be easily modified or erased. • This gives the defense attorney the basis to claim that the evidence may have been tampered with after it was collected.

  26. Admissibility of Evidence • Relevant • Evidence must prove or disprove facts in a case. • Admissible • Evidence must conform to all regulations and statutes governing the collection of evidence. • Illegally collected evidence and contaminated evidence are not admissible.

  27. Best Evidence Rule • A rule for all types of evidence, not just computer crime evidence. • The original should be introduced, not a copy. • The purpose is to prevent tampering with evidence. • Expect to be asked about the actions you took to extract evidence. • This rule, however, may not apply readily to computer crimes. • The moment a hard drive is connected to the system and the OS loads, the drive is modified. • What is analyzed and presented in court is a copy of the drive.

  28. Representational Accuracy • You don’t have to present all the originals. • If data are stored in a computer or similar device, any authenticated printout or other output readable by sight, shown to reflect the data accurately, is treated as original (Federal Rule of Evidence 1001(3)). • This is important for computer forensics because digital evidence is often transferred to different media.

  29. Chain of Custody • Tracks evidence from its original source to what is offered as evidence in court. • Shows that the evidence is authentic. • The evidence must be accounted for at all times. • The passage of evidence from one party to the next is fully documented. • The passage of evidence from one location to the next is fully documented.

  30. Leave No Trace • The principle is that you should be able to prove that you never modified the evidence in any way in your effort to contain damages, investigate the incident, collect evidence, and perform forensic analyses on the evidence. • Never perform analyses on the computer involved in the incident. • Make at least two copies of the hard drive.
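Slides 29 and 30 ask for two things a log can provide: a record of every hand-off, and proof that the evidence was never modified. The added example below (not from the course; the evidence identifier, names, timestamps and image bytes are constructed) keeps a custody log in which every entry records the SHA-256 of the image the receiver verified and the hash of the previous entry, so that an altered copy is refused at transfer time and a removed or edited log entry is detected on verification. A helper also checks that the two working copies recommended on slide 30 match the acquisition hash.

```python
"""Chain-of-custody log with integrity checks at every hand-off.
Added example, not course material: evidence id, people, times and the
image bytes used in the demo are constructed."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record.  Each entry stores who received the
    evidence, when, the image hash they verified, and the hash of the
    previous entry, so the entries form a tamper-evident chain."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id, acquired_by, image: bytes, when):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(image)   # hash taken at acquisition
        self.entries = []
        self._append("acquired", acquired_by, self.acquisition_hash, when)

    def _append(self, action, person, image_hash, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "person": person,
            "image_sha256": image_hash,
            "time": when,
            "prev_entry_hash": prev,
        }
        # sort_keys gives a canonical serialization, so the hash is reproducible
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, to_person, image: bytes, when):
        """Record a hand-off.  The receiver re-hashes the copy they were given;
        a mismatch with the acquisition hash means the copy was altered and the
        transfer is refused rather than logged."""
        observed = sha256_hex(image)
        if observed != self.acquisition_hash:
            raise ValueError("image hash mismatch: evidence copy was altered")
        self._append("transferred", to_person, observed, when)

    def verify(self) -> bool:
        """Recompute every entry hash and link; True only if the log is intact."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def copies_match(acquisition_hash: str, copies) -> bool:
    """Slide 30: at least two copies are made; all must hash to the original."""
    return all(sha256_hex(c) == acquisition_hash for c in copies)


if __name__ == "__main__":
    image = b"constructed drive image bytes"          # stands in for a disk image
    log = CustodyLog("EV-0001", "A. Examiner", image, "2024-01-01T10:00:00Z")
    log.transfer("B. Analyst", image, "2024-01-02T09:00:00Z")
    print("log intact:", log.verify())
    print("copies ok:", copies_match(log.acquisition_hash, [image, bytes(image)]))
```

The log stores hashes, not the image, so it can be printed and signed separately; in practice the same acquisition hash is also written on the evidence bag and in the examiner's notes, and any copy that fails `copies_match` is discarded rather than analysed.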

  31. Write Blockers • Prevent data spoliation (the compromise of data integrity by intentionally or inadvertently altering the state of data from its original form). • A big concern in the court. • Example of hardware write blocker:

  32. Hardware Write Blockers • In certain circumstances it is possible to achieve read-only prevention at software (OS) level. • However, it is easier to visually and conceptually demonstrate the function of a hardware write blocker than to explain the esoteric aspects of OSes.

  33. Hardware Blockers • Often portable. • Works with IDE, SATA, SCSI on the suspect hard drive. • May need adapters. • USB and FireWire are commonly used for connecting to the examination machine. • Example (WiebeTech) • http://www.cru-inc.com/products/wiebetech/forensic_ultradock_v4

  34. Forensic Hardware • Forensic duplicator • https://www.guidancesoftware.com/products/Pages/tableau/products/duplicators.aspx • Field kit • http://www.cru-inc.com/products/wiebetech/?family_name=Forensic%20Field%20Kits

  35. Media Sterilization • Spoliation challenges also extend to the duplicate evidence copy. • A common argument concerns preexisting data artifacts on the hard drives used to produce duplicates. • Those hard drives therefore must be “sterilized” prior to duplication. • The sterile state should be validated after the sterilization procedure.

  36. Data Destruction • If a software destruction tool is used, make sure to validate the result. • Hardware devices are available to bulk-overwrite hard drives. • Adopt commonly defined “industry standard” practices for data destruction. • DoD 5220.22-M • Navy Security Operations P-5239-26 MFM/RLL • HMG InfoSec Standard No. 5 (UK)
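Slides 35 and 36 both end on the same requirement: a wipe is not evidence of a sterile drive until the media has been read back and checked. The added example below (not course material; it works on an ordinary file standing in for a block device, and the leftover artifact it plants is constructed) streams the media in fixed-size chunks, reports the first offset that is not the fill byte, and shows an overwrite followed by the read-back validation that the slides call for. It verifies a single-pass zero fill; the multi-pass standards listed on slide 36 would run the same validation after their final pass.

```python
"""Validate that media is sterile before it is used for a duplicate, and
overwrite-then-verify.  Added example: `path` is a regular file standing in
for a block device and the planted artifact is constructed."""
import os
import tempfile

CHUNK = 1024 * 1024   # read/write granularity in bytes


def is_sterile(path, fill=b"\x00"):
    """Read the whole medium in chunks and confirm every byte equals `fill`.
    Returns (True, None) when sterile, else (False, offset_of_first_bad_byte)."""
    pattern = fill * CHUNK
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, None
            if chunk != pattern[: len(chunk)]:
                for i, b in enumerate(chunk):
                    if b != fill[0]:
                        return False, offset + i
            offset += len(chunk)


def overwrite(path, size, fill=b"\x00"):
    """Overwrite the first `size` bytes with `fill` and force them to media.
    Writing is not proof of sterility; the caller must re-read with
    is_sterile() afterwards, which is the validation step the slides require."""
    pattern = fill * CHUNK
    with open(path, "r+b") as f:
        f.seek(0)
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(pattern[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def demo():
    """Simulate a reused target drive with a leftover artifact (constructed),
    wipe it, and validate.  Returns the before/after results of is_sterile()."""
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(b"\x00" * 3000 + b"OLD CASE ARTIFACT" + b"\x00" * 2000)
        path = tf.name
    try:
        before = is_sterile(path)             # expected: (False, 3000)
        overwrite(path, os.path.getsize(path))
        after = is_sterile(path)              # expected: (True, None)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real device the `path` would be the raw block device and the read-back should come from a fresh open after the wipe so that cached pages are not mistaken for media contents; recording the returned offset of the first non-zero byte is what makes a failed validation actionable.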

  37. FAT Basics • Reserved area • Volume sector 0 is the boot sector. Sector 6 is backup copy of boot sector. • Sector 1 is File System Information (FSINFO). Sector 7 is its backup.

  38. Example of Boot Sector

  39. FAT Basics • File Allocation Table • By default, there are two FATs. • FAT1 begins immediately after the last sector of the reserved area. • FAT2 is backup and immediately follows FAT1. • After the FAT is Cluster 1, which is used to store the value for the “dirty” status of the file system.

  40. Example of FAT

  41. Cluster Chain • The FAT contains a map for the clusters. • Each entry for a file first starts by marking its first cluster. • What is stored in that “cell” is the position of the next cluster that belongs to the same file. • This repeats for the rest of the clusters until the last cluster, which is then marked with an EOF (end of file). • Each entry in the FAT therefore is a “cluster chain” of a file. • By following the chain, the OS is able to locate all the parts that make up the file.

  42. File Deletion • When the file is “deleted”, Windows only changes the first character in the file name (to 0xE5) and zeroes out the cluster chain. • In the FAT, every cluster in the chain is marked “0”. • In the data area, the actual data is untouched, until new files are written over it. • The new file’s file slack, therefore, can contain the remnants of deleted files. • Data recovery tools, therefore, often can reconstruct at least part of a deleted file by rebuilding the cluster chain.

  43. Cluster Chain of Deleted File

  44. Directory Entries of Deleted File

  45. Beginning of Deleted File

  46. End of Deleted File

  47. Fixing File Name Entries in Directory

  48. Reconstructed Cluster Chain

  49. After Manual and Automatic Recovery • The dir command shows files recovered manually or by using automatic tools. • It’s a recommended practice to substitute the 0xE5 symbol with an underscore, instead of trying to guess the original character (e.g., in this case, it was obvious that the file name probably was Fred.doc). _red.doc was recovered manually. The other files were recovered with Unerase.

  50. Automatic Recovery • Many tools perform a process similar to the previous manual recovery to recover deleted files.
