Lecture 2

Lecture 2. CSCE 590 Summer 2003. Forensics. Forensic science is the science exercised on behalf of the law in the just resolution of conflict Crime reconstruction is the process of gaining a more complete understanding of a crime using available evidence


Presentation Transcript


  1. Lecture 2 CSCE 590 Summer 2003

  2. Forensics
  • Forensic science is the science exercised on behalf of the law in the just resolution of conflict
  • Crime reconstruction is the process of gaining a more complete understanding of a crime using available evidence
  • Forensics is only a subset of the incident response process

  3. Incident Response
  • Prepare for incidents
  • Detect incidents
  • Investigate
  • Formulate response strategy
  • Respond
  • Follow up

  4. Prepare for Incidents
  • Compile incident response/forensic toolkits
  • Write, publish, and practice incident response procedures
  • Increase logging on machines and network
  • Backups
  • Cryptographic checksums
  • Patching, hardening, NTP
  • Banners
  • Network measures – IDS, access control/firewalls, document topologies, encryption, authentication
  • User education

  5. Preparation: Policies and procedures
  • Risk analysis
  • Determine response stance:
    • Ignore incident – reinstall and go
    • Surveillance and counterintelligence data collection
    • Full investigation and prosecution
  • Issues for response stance:
    • Business issues (publicity? expensive investigation?)
    • Legal issues (employee privacy?)
    • Political issues (CEO surfin’ porn)
    • Technical capabilities

  6. Preparation: Policies and procedures
  • Policies that allow you to fully investigate instead of relying on default law:
    • Trap and trace on your network
    • Full content monitoring of traffic
    • Search and review of employee machines
    • Coordinating with upstream sites
  • Consent of user – AUPs
    • Employee vs. intruder consent
    • Stored communications vs. intercepted communications
  • The textbook was published in 2001! Beware!

  7. Detect Incidents
  • Intrusion detection systems
  • Unusual activity
  • Users notice suspicious activity
  • Someone reports it (defacements or complaints)
  • Other logs – system logs, firewall logs, anti-virus
  • Periodic audits

  8. Investigate
  • Who, what, where, when, how, maybe why
  • Initial incident response:
    • Focuses on verification of an incident
    • Gathers evidence for later analysis
    • Issues: recovery and downtime
    • Triage to prevent further incidents
    • Mostly non-law-enforcement personnel involved at this point

  9. Response
  • Formulate response strategy – many factors may be taken into consideration, combined with the response stance and management approval
  • Respond – investigate, recover, report findings
  • Follow up – analyze the process, implement new security measures or processes, lessons learned

  10. Investigation Analogy
  • Knife and a bleeding, moaning body in a room, found by a staff member
  • Who do you call first, EMT or police?
  • How do they work together to preserve evidence and yet save the life?
  • If the EMT disturbs the evidence, is it still admissible?
  • Are EMTs trained in how to preserve evidence?
  • Real EMTs can see a dead body; computer EMTs can’t necessarily see it
  • Sysadmins are trained to keep their systems running, not to preserve a crime scene

  11. Types of Clues
  • Relational: how an object relates to other objects and how they interact with each other. Relational reconstruction can include the geographic locations of computers and people and any communication between them.

  12. Types of Clues
  • Functional: the way something works or how it was used. How a particular system or application works and how it was configured at the time of the crime. Examining an exact replica to figure out how a rootkit or an exploit works.

  13. Types of Clues
  • Temporal: the times related to evidence and events. A timeline of events can identify patterns and gaps or lead to other sources of evidence. Various system clocks and time zones must be taken into account.
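The temporal clue above is where most reconstructions go wrong in practice: each source stamps time differently, and a sensor whose clock was never synced (slide 4 lists NTP for a reason) silently reorders events. The following is an added example, not part of the lecture, that merges three constructed log sources into one UTC timeline and flags gaps. The log lines, the US Eastern (UTC-4) zone for the web server and IDS sensor, the year for the syslog lines, and the 5-minute sensor skew are all assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions for this example (not stated in the lecture): the web server and the IDS
# sensor sit in US Eastern Daylight Time (UTC-4), the syslog lines carry no year, and the
# sensor clock was measured to be 5 minutes slow at seizure time.
EDT = timezone(timedelta(hours=-4), "EDT")
LOG_YEAR = 2003
IDS_CLOCK_SKEW = timedelta(minutes=5)      # add to sensor time to get true time

# Constructed sample log lines, not real data.
WEB_LOG = [        # Apache combined format: zone offset is embedded in each record
    '10.0.0.5 - - [09/Jun/2003:02:14:07 -0400] "GET /cgi-bin/vuln.cgi HTTP/1.0" 200 1832',
    '10.0.0.5 - - [09/Jun/2003:02:14:31 -0400] "GET /cgi-bin/vuln.cgi?cmd=id HTTP/1.0" 200 77',
]
FIREWALL_LOG = [   # firewall logs in UTC, ISO 8601
    "2003-06-09T06:13:55Z ACCEPT tcp 10.0.0.5:3391 -> 192.168.1.20:80",
    "2003-06-09T06:20:12Z ACCEPT tcp 192.168.1.20:1041 -> 10.0.0.5:6667",
]
IDS_LOG = [        # BSD syslog format: no year, no zone, and the sensor clock is slow
    "Jun  9 02:09:05 sensor snort[412]: [1:1234:1] WEB-CGI exploit attempt 10.0.0.5 -> 192.168.1.20",
]

def parse_web(line):
    stamp = re.search(r"\[(.+?)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)

def parse_firewall(line):
    stamp = line.split(maxsplit=1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_ids(line):
    # syslog gives "Mon DD HH:MM:SS": supply the year and zone, then correct the skew
    local = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR, tzinfo=EDT)
    return (local + IDS_CLOCK_SKEW).astimezone(timezone.utc)

SOURCES = [("firewall", FIREWALL_LOG, parse_firewall),
           ("ids", IDS_LOG, parse_ids),
           ("web", WEB_LOG, parse_web)]

def build_timeline():
    """Return (utc_time, source, raw_line) tuples sorted into one UTC timeline."""
    events = [(parser(line), name, line) for name, lines, parser in SOURCES for line in lines]
    return sorted(events)

def find_gaps(events, threshold_s):
    """Consecutive events more than threshold_s seconds apart: places to look for more evidence."""
    gaps = []
    for prev, nxt in zip(events, events[1:]):
        delta = int((nxt[0] - prev[0]).total_seconds())
        if delta > threshold_s:
            gaps.append((prev[0], nxt[0], delta))
    return gaps

if __name__ == "__main__":
    timeline = build_timeline()
    for when, source, line in timeline:
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {source:8s} {line}")
    for start, end, secs in find_gaps(timeline, 120):
        print(f"gap of {secs}s between {start:%H:%M:%S}Z and {end:%H:%M:%S}Z")
```

Without the skew correction the IDS alert would sort before the firewall's ACCEPT of the connection it alerted on, which is the kind of impossible ordering that tells you a clock is wrong. Record the measured offset of every seized clock against a trusted reference at seizure time; you cannot recover it later.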

  14. Relationships of Source to Evidence
  • Production: the source produced the evidence
    • Email headers
    • MAC addresses
  • Segment: the source is split into parts and the parts of the whole are scattered. The key is linking fragments to the source
    • File fragment on a floppy
    • A few network packets
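Email headers are the slide's first example of production evidence, and they also carry the relational and temporal clues from slides 11 and 13: each relay that handled the message wrote a Received: header naming who handed it over, who accepted it, and when. As an added example (not from the lecture), the code below walks a constructed message's Received: chain from origin to destination, recovers host, IP and UTC time per hop, and identifies the first hop written by a relay you control. The message, hostnames and addresses are made up; the relay chain is assumed.

```python
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed message, not from the lecture. Hosts and addresses are documentation or
# private ranges; the three-relay chain is assumed for the illustration.
RAW_MESSAGE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
        by mx.victim.example (Postfix) with ESMTP id 3A1B2C
        for <admin@victim.example>; Mon, 9 Jun 2003 02:31:40 -0400
Received: from dialup-7.isp.example (dialup-7.isp.example [198.51.100.7])
        by mail.example.edu (8.12.9/8.12.9) with SMTP id h596VYqb000123
        for <admin@victim.example>; Mon, 9 Jun 2003 06:31:35 +0000
Received: from fakehost.example (unverified [10.1.2.3])
        by dialup-7.isp.example with SMTP; Mon, 9 Jun 2003 01:30:00 -0500
From: "Friendly Admin" <support@example.edu>
To: admin@victim.example
Subject: password reset required
Message-ID: <20030609.0001@fakehost.example>

Please run the attached patch.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\([^)]*\[([\d.]+)\][^)]*\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def parse_received(value):
    """One Received: header -> who handed the message to whom, and when (UTC)."""
    flat = " ".join(value.split())                       # unfold the header
    from_m, by_m = FROM_RE.search(flat), BY_RE.search(flat)
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    return {"from_host": from_m.group(1) if from_m else None,
            "from_ip": from_m.group(2) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "time_utc": when.astimezone(timezone.utc)}

def trace(raw):
    """Hops in transit order (origin first); each relay adds its header on top,
    so the header order in the message is reversed to get the path."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    hops[0]["delay_s"] = None
    for prev, cur in zip(hops, hops[1:]):
        cur["delay_s"] = int((cur["time_utc"] - prev["time_utc"]).total_seconds())
    return hops

def first_trusted_hop(hops, trusted_relays):
    """Everything below the header written by your own relay was written by someone
    else's server (or typed by the sender). Return the earliest hop you can vouch for."""
    for hop in hops:
        if hop["by"] in trusted_relays:
            return hop
    return None

if __name__ == "__main__":
    path = trace(RAW_MESSAGE)
    for hop in path:
        print(f"{hop['time_utc']:%H:%M:%S}Z  {hop['from_host']} [{hop['from_ip']}] -> {hop['by']}"
              f"  (+{hop['delay_s']}s)" if hop["delay_s"] is not None else
              f"{hop['time_utc']:%H:%M:%S}Z  {hop['from_host']} [{hop['from_ip']}] -> {hop['by']}")
    print("first hop we can vouch for:", first_trusted_hop(path, {"mx.victim.example"}))
```

The origin hop here claims a private address (10.1.2.3) behind an "unverified" name; nothing stops a sender from inserting such a header themselves. The only line an investigator can rely on is the one added by a relay whose logs they can subpoena or read, which is why the function stops at the first trusted relay rather than at the bottom of the chain. Negative or wildly inconsistent delays between hops are the temporal clue that a header was forged or a relay clock is wrong.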

  15. Relationships of Source to Evidence
  • Alteration: the source is an agent or process that alters or modifies the evidence
    • A crowbar on a door leaves a characteristic impression
    • An exploit leaves impressions on the altered system. But an exploit can be copied and distributed to many offenders, and they all leave the same impression
  • Location: the source is a point in space. Not so easy to find geographically in the digital realm

  16. Compare and Contrast
  • Comparison and significant difference: try to determine whether pieces of evidence came from the same source by their similarities or significant differences
  • Decide if differences are significant:
    • Total agreement between evidence and exemplar can't be practically expected
    • Want truly significant differences
    • Differences due to natural variation should be explained, otherwise the value of the match is diminished

  17. Four Computer Forensic Principles
  • Minimize data loss
  • Record everything, change nothing
  • Analyze on copies
  • Report findings

  18. Evidence Dynamics
  • Any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time the evidence is transferred and the time the case is adjudicated
  • Forensic examiners rarely get to examine digital evidence in its ‘original state’ and should expect anomalies

  19. Computer Related Evidence Dynamics: Examples
  • Offender covering behavior: perpetrator deletes logs and exploit files
  • Victim actions: victim deleting emails in distress or embarrassment
  • Secondary transfer: someone uses the computer after the crime and innocently alters or destroys evidence
  • Witnesses: a sysadmin could delete suspicious accounts to keep the intruder from using them
  • Nature/Weather: magnetic fields, static electricity

  20. Computer Related Evidence Dynamics: Examples
  • Decomposition: tape decaying over time
  • Forensic examiners: may, by accident or necessity, relocate, obscure, or obliterate evidence (scraping a blood sample from a floppy, resulting in damage and data loss)
  • Emergency response technicians: goal is to prevent further damage. Can add artifact evidence, obliterate patterns, relocate evidence, or cause transfers
    • Fire damage and the resulting water damage
    • Securing the system from further misuse or attacks

  21. Difficulties Obtaining Evidence
  • Distributed nature of networks and jurisdiction; complex procedures for digital evidence exchange – only practical for serious crimes
  • Anonymity and deniability are easy with computers and networks
  • Easily deleted or changed – time is of the essence to preserve it – big log files, network traffic, volatile memory
  • Requires a wide range of technical expertise

  22. Difficulties Obtaining Evidence
  • Huge volumes of data – terabytes?
  • Decryption without keys
  • Steganography
  • Example: Rubberhose project (Marutukku)
    • Combines encryption and data hiding in a filesystem that makes data recovery and reconstruction very difficult
    • http://www.rubberhose.org/ – The Idiot Savants' Guide to Rubberhose

  23. Preserve the Crime Scene
  • Do not write to original media
  • Do not kill any processes
  • Do not accidentally touch time stamps
  • Do not use untrusted tools
  • Do not change the system before evidence seizure (power off, patch, update)
  • Could unplug the network cable if necessary
  • Interview the people at the crime scene
    • Especially the sysadmin or the person who found it

  24. Volatile Data Collection
  • Minimize data loss, record everything, change nothing. Uh-oh! That’s impossible!
  • Doing nothing also changes the system!
  • Do not pull the power cord: you risk corrupting non-volatile data and losing volatile evidence:
    • Registers and cache contents
    • Contents of memory
    • Information about running processes
    • Network connections
    • Mounted file systems
    • Current users
    • Swap, page, and temporary files
  • A computer had explosives rigged to its power switch

  25. Collect the Most Volatile Evidence First
  • Memory
  • Swap space or page file
  • Network status and connections
  • Processes running
  • Storage media
  • Removable media
    • Make sure all files are synced to the media, no processes are using it, etc.
  • Port scan?
    • Some backdoors and covert channeling tools log attempts and the IP address – a system change
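Slides 23 to 25 together describe a procedure: use trusted tools, collect in order of volatility, and record every action because each one changes the system. The script below is an added example, not from the lecture, of a collector that runs each step in that order, writes the output and a log of what was run (command, start and end time in UTC, exit status, hash of the output) to a directory that is meant to be on external media. It assumes a Linux host; the command list is illustrative, the `trusted_tools` directory is a hypothetical mount of statically linked binaries, and capturing RAM contents themselves needs a dedicated imager, which this script does not replace.

```python
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Order of volatility from the slide, as shell commands. Assumptions: a Linux host, a
# trusted toolkit directory of static binaries (hypothetical), and out_dir on external
# media so nothing is written to the suspect host's own disks. /proc/meminfo records the
# state of memory, not its contents; imaging RAM needs a dedicated tool.
VOLATILE_FIRST = [
    ("memory",    "cat /proc/meminfo"),
    ("swap",      "cat /proc/swaps"),
    ("network",   "netstat -anp 2>/dev/null || ss -anp"),
    ("processes", "ps auxwww"),
    ("users",     "w"),
    ("mounts",    "mount"),
    ("clock",     "date -u"),   # always record the host clock against a trusted reference
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def collect(steps, out_dir, trusted_tools=None):
    """Run each step in order; save its output plus a record of what ran, when, and its hash.
    The record is the 'record everything' half of the principle; the hashes let a later
    reader prove the saved output is what the command produced at collection time."""
    out = Path(out_dir)
    # Use the toolkit's own shell and PATH when available; inheriting the host's is
    # only acceptable for testing, since a rootkit may have replaced /bin/sh or ps.
    shell = f"{trusted_tools}/sh" if trusted_tools else "/bin/sh"
    env = {"PATH": trusted_tools} if trusted_tools else None
    record = []
    for name, cmd in steps:
        started = datetime.now(timezone.utc)
        proc = subprocess.run([shell, "-c", cmd], capture_output=True, env=env)
        finished = datetime.now(timezone.utc)
        (out / f"{name}.txt").write_bytes(proc.stdout)
        record.append({
            "step": name,
            "command": cmd,
            "started_utc": started.isoformat(),
            "finished_utc": finished.isoformat(),
            "exit_status": proc.returncode,           # non-zero: tool missing or failed, still logged
            "stdout_sha256": sha256_hex(proc.stdout),
            "stderr": proc.stderr.decode(errors="replace").strip()[:200],
        })
    (out / "collection_log.json").write_text(json.dumps(record, indent=2))
    return record

def run_demo(steps=VOLATILE_FIRST):
    """Collect into a throwaway directory (in real use, point collect() at external media)."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect(steps, tmp)

if __name__ == "__main__":
    for entry in run_demo():
        print(f"{entry['step']:10s} exit={entry['exit_status']} sha256={entry['stdout_sha256'][:16]}...")
```

Note that the collector itself is part of the evidence dynamics from slide 20: running it creates processes, allocates memory and touches atime on the binaries it executes. The log is what lets you explain those artifacts later instead of having them attributed to the intruder.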

  26. Record Keeping
  • May have to duplicate the setup in the lab
  • Cameras
  • Explain how you took down the computer
  • May be called upon to testify – 2 years later
    • Notes can be used as a refresher
    • Can be admitted as evidence if you can’t remember what you did
    • Show your methods were scientific and unbiased
    • Video or audio could show your mistakes in methodology or collection methods, or a bias

  27. Chain of Custody
  • Establishes continuity of possession and proof of the integrity of handling of the collected evidence
  • Helps maintain strict access to it
  • Each piece of evidence should have a chain of custody log associated with it:
    • Tag hard drives separately from the system
    • Use cryptographic hashes of electronic files, especially if they are being transferred across an electronic medium. The slide names MD5; MD5 collisions became practical in 2004, so record SHA-256 alongside MD5 for anything tagged today

  28. Chain of Custody
  • Evidence tag:
    • Date and time it was seized
    • Case number and item (tag) number of the evidence, and any hash values
    • Consent required? If yes – signature of owner
    • Location and who it was obtained from (owner)
    • Make, model, and serial number
    • Name of person who collected the evidence
    • Description of evidence
    • Full name and signature of person receiving evidence

  29. The Chain
  • Log of people who handle the evidence during the investigation
  • Record a transaction:
    • Each time it changes possession
    • Each time it moves from one media type to another
  • What to record:
    • Who it was received from and the location it was in
    • Date of receipt
    • Reason evidence transferred custody
    • Who received it and where it was received or located
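Slides 17 and 27 to 29 describe the same object from three sides: an evidence tag with fixed fields, a log entry for every change of possession or medium, and a hash that ties each entry to the bytes. The following is an added example, not from the lecture, that streams MD5 and SHA-256 over an image file, fills the tag fields from slide 28, and refuses to record a transfer when the hash of the item being handed over no longer matches the tag. The "disk image" bytes, case number, names and serial number are constructed for the illustration.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed bytes standing in for a seized disk image; not real evidence.
SAMPLE_IMAGE = b"FAT12\x00\x00" + bytes(range(256)) * 16 + b"deleted-mail-fragment..."

def hash_file(path, chunk_size=1 << 20):
    """MD5 and SHA-256 of a file, streamed so multi-GB images do not need to fit in RAM.
    MD5 is kept to match records made when the slide was written; SHA-256 is the one to
    rely on, since MD5 collisions have been practical since 2004."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

@dataclass
class EvidenceTag:                    # the fields listed on the evidence-tag slide
    case_number: str
    item_number: str
    description: str
    make_model_serial: str
    seized_at_utc: str
    location: str
    obtained_from: str
    collected_by: str
    hashes: dict
    consent_signature: Optional[str] = None   # only when consent was required

@dataclass
class CustodyLog:
    tag: EvidenceTag
    entries: list = field(default_factory=list)

    def transfer(self, received_from, received_by, reason, location, current_path):
        """Record a change of possession or of medium, verifying integrity first.
        A mismatch is recorded by refusing: the log never silently absorbs altered evidence."""
        current = hash_file(current_path)
        if current["sha256"] != self.tag.hashes["sha256"]:
            raise ValueError(f"item {self.tag.item_number}: SHA-256 mismatch, altered or wrong copy")
        entry = {"received_from": received_from, "received_by": received_by,
                 "reason": reason, "location": location,
                 "date_utc": datetime.now(timezone.utc).isoformat(),
                 "sha256": current["sha256"]}
        self.entries.append(entry)
        return entry

def run_demo():
    """Seize and tag an image, transfer it to the locker, copy it to lab media (its own entry),
    then show the log catching a working copy that was modified before being returned."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "item-001.dd"
        original.write_bytes(SAMPLE_IMAGE)
        tag = EvidenceTag(case_number="2003-0609", item_number="001",            # constructed
                          description="40 GB IDE drive from web server, imaged with dd",
                          make_model_serial="Example Corp / EX-40 / SN 0000-1111",
                          seized_at_utc=datetime.now(timezone.utc).isoformat(),
                          location="server room, rack 3", obtained_from="site sysadmin (owner)",
                          collected_by="A. Examiner", hashes=hash_file(original))
        log = CustodyLog(tag)
        log.transfer("A. Examiner", "B. Custodian", "to evidence locker", "locker 12", original)
        lab_copy = Path(tmp) / "item-001-labcopy.dd"
        lab_copy.write_bytes(original.read_bytes())       # media-to-media move: its own entry
        log.transfer("B. Custodian", "C. Analyst", "analysis on working copy", "lab bench 2", lab_copy)
        lab_copy.write_bytes(SAMPLE_IMAGE[:-3] + b"!!!")   # simulate an accidental modification
        try:
            log.transfer("C. Analyst", "B. Custodian", "return to locker", "locker 12", lab_copy)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return log, tamper_detected

if __name__ == "__main__":
    log, detected = run_demo()
    print(f"item {log.tag.item_number} sha256={log.tag.hashes['sha256'][:16]}... "
          f"entries={len(log.entries)} tamper_detected={detected}")
```

Analysis on the working copy (principle 3, analyze on copies) is exactly the step that modified it here; the original in the locker still matches its tag, so the case is not lost, but the log now shows which copy diverged and when.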

  30. Reading for Lectures 2-5:
  • Mandia/Prosise: Chapters 2-5, 9
  • Casey: Chapter 2 (in Reading Room)
  • Homework 1: Due Monday, June 9, 2003
