Computer Forensics

Instructor: 劉立民

Department of Applied Mathematics, Chung Yuan Christian University (中原大學)

Sharon Guthrie Case
  • Sharon Guthrie, 54, drowned in the bathtub of her Wolsey, South Dakota home on May 14. An autopsy revealed the contents of 10-20 capsules of Temazepam in her body, a sleeping pill that had been prescribed for her husband.
  • Rev. Guthrie pleaded innocent. "A minister killing his wife in the bathtub? Impossible!" asserted the defense.
  • Judd Robbins, a computer forensics expert, found evidence that Guthrie had searched the Internet for painless and surefire killing methods.
  • Rev. Guthrie was sentenced to life imprisonment.
The 蠻牛 "Thousand-Faced Man" (千面人) Case
  • In May 2005 (ROC year 94), bottles of the energy drinks 蠻牛 and 保力達B were poisoned with cyanide.
  • An innocent member of the public died after drinking one.
  • Police found leads in surveillance video and arrested a suspect.
  • On the suspect's computer they found the text and image "毒蠻牛" (poisoned 蠻牛) as well as unsent threatening letters.
Computer Crime
  • Computer misuse has two categories:
    • The computer is used to commit a crime
      • Child pornography
      • Threatening letters
      • Fraud
      • Theft of intellectual property
Computer Crime (con’t)
  • Computer misuse has two categories:
    • The computer itself is the target of a crime.
      • AKA incident response
      • Started in the mid-80s, when attacks were carried out over phone lines through modems.
      • Internet
      • More sophisticated attacks
What is Computer Forensics
  • Computer forensics includes
    • Preservation,
    • Identification,
    • Extraction,
    • Documentation,
    • Interpretation of computer data.
What is Computer Forensics
  • This evidence can be useful in many investigations:
    • Civil litigation such as divorce, harassment, and discrimination cases
    • Corporations investigating embezzlement, fraud, or intellectual property theft
    • Individuals seeking evidence in age discrimination, wrongful termination, or sexual harassment claims
    • Insurance company investigations where evidence is required relating to insurance fraud, wrongful death, workers’ compensation, and other cases.
Types of Incidents

Categories of incident defined by Federal Computer Incident Response Center (FedCIRC)

  • Malicious code attacks
  • Unauthorized access
  • Unauthorized utilization of services
  • Disruption of service
  • Misuse
  • Espionage
  • Hoaxes
Malicious code attacks
  • Malicious code:
    • Viruses
    • Trojan horse programs
    • Worms
    • Scripts used by crackers/hackers
  • Difficult to detect
  • Self replicating property
Unauthorized access
  • Improperly logging into a user’s account
  • Unauthorized access to files and directories
  • Planting an unauthorized sniffer program or device
Unauthorized utilization of services
  • Perpetrating an attack without accessing someone’s account
  • Using NFS to mount the file system of a remote server machine
  • Interdomain access mechanisms in Windows NT files and directories
Disruption of service
  • Disrupt services in a variety of ways:
    • Erasing critical programs
    • Mail spamming
    • Altering system functionality by installing Trojan horse programs.
Misuse, Espionage, Hoaxes
  • Misuse: someone uses a computing system for other than official purposes
    • A legitimate user uses a government computer to store personal tax records.
  • Espionage is stealing information to subvert the interests of a corporation
  • Hoaxes occur when false information about incidents or vulnerabilities is spread
Catching the criminal
  • US FBI delineates the following aspects of computer forensic science:
    • Data objects
    • Digital evidence
    • Physical items
    • Original digital evidence
    • Duplicate digital evidence
Catching the criminal (con’t)
  • Data objects
    • Objects or information of potential probative value that are associated with physical items.
  • Digital evidence
    • Information of probative value that is stored or transmitted in digital form.
  • Physical items
    • Items on which data objects or information may be stored and/or through which data objects are transferred.
Catching the criminal (con’t)
  • Original digital evidence
    • Physical items and the data objects associated with such items at the time of acquisition or seizure
  • Duplicate digital evidence
    • An accurate digital reproduction of all data objects contained on an original physical item.
Detecting intrusion
  • The common approach to detecting intrusions is as follows:
    • Observe your systems for unexpected behavior or anything suspicious.
    • Investigate anything you consider to be unusual.
    • Initiate your intrusion response procedures when you find something that isn’t explained by authorized activity.
    • Look for unusual or unauthorized user accounts or groups.
    • Look for unusual or unauthorized user accounts or groups.
Monitoring your Windows system
  • Look for unusual or unauthorized user accounts or groups.
    • The Guest account should be disabled
  • Check all groups for invalid user membership
  • Check log files for connections from unusual locations or for any unusual activity.
Monitoring your Windows system
  • Search for invalid user rights.
    • The Guest account should be disabled
  • Check all groups for invalid user membership
  • Check log files for connections from unusual locations or for any unusual activity.
  • Check to see if unauthorized applications are running.
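The log checks on these slides (connections from unusual locations, use of an account that should be disabled, activity at odd hours, repeated failed logons) can be automated. The script below is an added example, not part of the original deck; it runs over a few constructed sshd-style syslog lines, and the trusted address range, the set of accounts that must stay disabled and the working-hours window are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample: syslog-style sshd authentication lines from one host
# (not real log data).
SAMPLE_LOG = """\
May 14 01:02:11 ws01 sshd[2101]: Accepted password for alice from 10.0.0.15 port 51022 ssh2
May 14 01:05:43 ws01 sshd[2130]: Failed password for root from 203.0.113.9 port 40011 ssh2
May 14 01:05:45 ws01 sshd[2130]: Failed password for root from 203.0.113.9 port 40012 ssh2
May 14 01:05:47 ws01 sshd[2130]: Failed password for root from 203.0.113.9 port 40013 ssh2
May 14 01:05:49 ws01 sshd[2131]: Failed password for invalid user admin from 203.0.113.9 port 40014 ssh2
May 14 03:17:02 ws01 sshd[2188]: Accepted password for guest from 198.51.100.77 port 53210 ssh2
May 14 09:00:05 ws01 sshd[2400]: Accepted publickey for bob from 10.0.0.22 port 50110 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+(?P<hour>\d\d):\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<ip>[\d.]+)"
)

# Assumptions for this example: the site's trusted internal range, the
# accounts that policy says must stay disabled, and normal working hours.
TRUSTED_PREFIXES = ("10.0.0.",)
DISABLED_ACCOUNTS = {"guest"}
WORK_HOURS = range(7, 20)          # 07:00 to 19:59
FAILURE_THRESHOLD = 3


def parse(log_text):
    """Return one dict per recognised authentication line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def review(log_text):
    """Apply the slide's checks and return (check, user_or_count, ip) tuples."""
    findings = []
    failures = Counter()
    for ev in parse(log_text):
        external = not ev["ip"].startswith(TRUSTED_PREFIXES)
        if ev["result"] == "Accepted":
            if external:
                findings.append(("external_logon", ev["user"], ev["ip"]))
            if ev["user"] in DISABLED_ACCOUNTS:
                findings.append(("disabled_account_used", ev["user"], ev["ip"]))
            if int(ev["hour"]) not in WORK_HOURS:
                findings.append(("off_hours_logon", ev["user"], ev["ip"]))
        else:
            failures[ev["ip"]] += 1
    # a burst of failures from one address looks like password guessing
    for ip, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("password_guessing", str(n), ip))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

On the sample the successful external logon by the disabled guest account at 03:17 triggers three checks at once, which is exactly the kind of event the slide says should start the intrusion response procedure.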
Monitoring your Windows system
  • Look for invalid services
  • Monitor the system startup folder
  • Inspect network configurations for unauthorized entries
  • Check your system program files for alterations
  • Check for unusual ports listening for connections from other hosts by using netstat.
Incident Response Team
  • All organizations need an incident response team to develop a complete incident response capability
  • The team should have written procedures for incident response
    • What conditions warrant calling on local and/or federal law enforcement authorities.
The incident reporting process
  • Low-level incidents are least severe and should be resolved within one working day. Low-level incidents include
    • Loss of passwords
    • Suspected unauthorized sharing of accounts
    • Misuse of computer hardware
    • Unintentional computer actions
    • Unsuccessful scans or probes
The incident reporting process
  • Mid-level incidents are more serious and should be handled within 2-4 hours. Mid-level incidents include
    • Property destruction related to a computer incident
    • Illegal download of copyrighted music/unauthorized software
    • Violation of special access
    • Unauthorized use of a system for processing or storing personal data
    • An act resulting from unfriendly employee termination
    • Illegal building access
    • Personal theft
The incident reporting process
  • High-level incidents are the most serious and should be handled immediately. They include
    • Property destruction related to a computer incident
    • Child pornography
    • Pornography
    • Personal theft (higher value than a mid-level incident)
    • Suspected computer break-in
    • Denial of service (DoS) attacks
    • Illegal software download
    • Malicious code
    • Any violation of the law
Internal reporting procedure
  • Every organization needs to develop one that requires the following:
    • Preservation of evidence
    • Assessment
    • Containment and recovery actions
    • Damage determination
    • Report documentation
    • Lessons learned
    • Identification of corrective actions required by the organization’s security programs
Forensic Toolkit
  • Authenticity and Integrity
  • A tool to report any open TCP/UDP port and map them to the owning process or application
  • A tool to capture and analyze logs to identify and track who has gained access to a computer system
  • A utility to make a bit-stream back-up of a hard drive
  • A tool to examine files on a disk drive for unauthorized activity
  • A program used to document the CMOS system Time and Date on a computer seized as evidence
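The "duplicate digital evidence" definition earlier (an accurate reproduction of all data objects on the original item) and the toolkit items "Authenticity and Integrity" and "a utility to make a bit-stream back-up" come together in one procedure: copy every block, never open the original for writing, log I/O errors, and hash both sides so the copy can be shown to match. The following is an added example, not a tool from the deck; it images a constructed sample file in place of a real drive, and the examiner name is a placeholder.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def image_device(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy the source block by block into image_path.

    The source is opened read-only (on a real drive a hardware write blocker
    enforces this). Read errors are logged with their offset and the bad
    block is written as zeros so later offsets in the image stay aligned.
    Returns (bytes_copied, sha256_of_data_read, io_errors)."""
    digest = hashlib.sha256()
    copied, offset, errors = 0, 0, []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError as exc:
                errors.append((offset, str(exc)))
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            copied += len(chunk)
            offset += len(chunk)
    return copied, digest.hexdigest(), errors


def sha256_file(path, block_size=BLOCK_SIZE):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source_path, image_path, examiner):
    """Image the source, then re-hash both sides independently so the record
    shows the image is an exact reproduction of the original."""
    copied, digest, errors = image_device(source_path, image_path)
    source_hash = sha256_file(source_path)
    image_hash = sha256_file(image_path)
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "bytes": copied,
        "sha256_read": digest,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "io_errors": errors,
        "verified": digest == source_hash == image_hash and not errors,
    }


def demo():
    """Constructed sample 'disk': a zeroed first block, a short note that
    would sit in unallocated space, then more zeros."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample_disk.raw")
        img = os.path.join(tmp, "sample_disk.dd")
        with open(src, "wb") as f:
            f.write(b"\x00" * 4096 + b"deleted note: meeting at 9" + b"\x00" * 8000)
        record = acquire(src, img, "examiner-placeholder")
        # The image is an independent copy: altering one byte of it must
        # break the match with the recorded source hash.
        with open(img, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        record["tampered_image_matches"] = sha256_file(img) == record["sha256_source"]
        return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three hashes in the record serve different purposes: the hash computed while reading proves what the tool saw, the source hash taken afterwards proves the original was not altered by the acquisition, and the image hash is what every later analysis step is checked against.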
Forensic Toolkit (con’t)
  • A password-cracking utility
  • A text-search utility that can scan Windows systems and locate targeted keywords and/or strings of text in computer-related investigations and computer security reviews
  • A forensic binary data search tool that is used to identify targeted graphics file content and/or foreign language words and phrases stored in the form of computer data
  • A tool to discover hidden files, such as NTFS Alternate Data Streams
  • A data collection tool to capture file slack and unallocated (erased file) data
The Role of NIPC
  • NIPC (National Infrastructure Protection Center) was established in 1998 and is located in the headquarters of the FBI.
  • The NIPC’s functions:
    • The NIPC is the national focal point for gathering information on threats to critical infrastructure,
    • Coordinating the federal government’s response to an incident, mitigating attacks, and investigating threats.
    • The NIPC provides law enforcement and intelligence information and reports to relevant federal, state, and local agencies.
Taiwan
  • The Executive Yuan established the National Information and Communication Security Taskforce (國家資通安全會報)
    • Divided into seven working groups: general affairs, technical services, standards and specifications, audit services, cyber crime, information collection, and crisis reporting
  • The Taskforce has a National Information and Communication Security Response Center (國家資通安全應變中心)
    • with six sub-groups under it: administrative agencies, the national defense system, public enterprises, academic institutions, and private organizations
  • Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC)
  • Establishment of the Government Certification Authority (GCA), February 1998
Canada
  • In February 2001, established the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP)
  • OCIPEP is headed by the Minister of National Defence and protects Canada's critical infrastructure against the risk of failure or attack
  • Within OCIPEP, an Infrastructure Protection Coordination Centre was established
  • The Canadian government defines six categories of national critical infrastructure: energy facilities (e.g. electricity, natural gas and oil transmission systems), communications (e.g. telecommunications and broadcasting), services (e.g. finance, food, health care), transportation (e.g. land, water, air and rail), safety (e.g. nuclear safety, search and rescue, emergency services), and government (e.g. key facilities, information networks and assets).
United Kingdom
  • In December 1999, established the National Infrastructure Security Co-ordination Centre (NISCC)
  • Responsible for developing programmes to protect the national critical infrastructure from electronic attack.
  • Focus: the IT systems of telecommunications, finance, water and sewerage, energy, transport, health services, central government and emergency services
  • Under NISCC are
    • the Unified Incident Reporting & Alert Scheme (UNIRAS), which serves as the UK government's computer emergency response team
    • the Electronic Attack Response Group (EARG)
Related laws
  • Disclosure law - “Title 18, Part I, Chapter 121, Sec. 2702 of the Federal Criminal Code”
  • Computer crimes will be considered breaking federal laws when they involve:
    • The theft or compromise of national defense, foreign relations, atomic energy, or other restricted information
    • A computer owned by a U.S. government department or agency
    • A bank or most other types of financial institutions
    • Interstate or foreign communications
    • People or computers in other states or countries
Related laws (con’t)
  • The “Computer Fraud and Abuse Act” was signed by President Reagan in 1986
  • Computer Abuse Amendments Act of 1994
  • The USA Patriot Act of 2001
Related laws (Taiwan)
  • Copyright Act
  • Criminal Code Articles 220, 315, 318, 359, 360, among others
    • Criminal Code Article 220: Writing, symbols, drawings or photographs on paper or objects that, by custom or special agreement, suffice to evidence their intended meaning are deemed documents for the purposes of the offences in this chapter and elsewhere. The same applies to sounds, images or symbols displayed through machine or computer processing of audio recordings, video recordings or electromagnetic records that suffice to evidence their intended meaning.
    • Criminal Code Article 359: A person who, without reason, obtains, deletes or alters the electromagnetic records of another's computer or related equipment, thereby causing damage to the public or to another, shall be punished by imprisonment for not more than five years, detention, or a fine of not more than NT$200,000, or both.
Forensic Preparation
  • Network Operating Systems
  • Auditing and Logging
  • Logs can help organizations by
    • Alerting system administrators to any suspicious activity
    • Determining the extent of any damage caused by an intruder’s activity
    • Helping to quickly recover systems
    • Providing information or serving as evidence required for legal proceedings
Centralized logging
  • The location of the log data is centralized
  • The integrity of log data remains protected
  • This approach is easier to back up, secure, and analyze.
Logging Tools
  • Kiwi Syslog Daemon by Kiwi Enterprise
    • Freeware for the Windows platform
    • www.kiwisyslog.com
  • GFI LANguard Security Event Log Monitor by GFI Software
    • Is able to analyze Windows NT/2000 event logs in real time.
    • www.fgi.com
Time Synchronization
  • Automating the synchronization of system clocks saves substantial time during an incident response.
  • On IP-based networks, the Network Time Protocol (NTP) is the one most commonly used.
  • Tools on Windows:
    • Automachron by Guy Coding
    • NIST Internet Time Service (ITS)
    • World Time by PawPrint.net
Memory dump on Windows
  • The contents of the system memory should be printed or copied while it still resides in memory.
  • Windows 2000 and XP (not NT) include a handy feature to generate a memory dump file. However, it must first be configured to do so.
Memory dump on UNIX
  • The sysdump command
  • Crash utility
Imaging hard drives
  • Hard-drive imaging provides a mirror image, or snapshot, of the data contained on the hard drive.
  • The imaging process can be performed offline (with the OS shut down).
  • NIST’s disk-imaging spec. includes the following guidelines:
    • The tool shall not alter the original disk
    • The tool shall be able to access both IDE and SCSI disks.
    • The tool shall log input/output (I/O) errors.
    • The tool’s documentation shall be correct.
    • …
Business continuity and contingency planning
  • The NIST IT contingency planning guide
    • Develop the contingency-planning policy statement
    • Conduct the business impact analysis (BIA)
    • Identify preventive controls
    • Develop recovery strategies
    • Develop an IT contingency plan
    • Plan testing, training, and exercises
    • Plan maintenance
Develop the contingency-planning policy statement
  • The contingency plan must be based on a clearly defined policy.
  • The contingency planning policy statement should define the agency’s overall contingency objectives and establish the organizational framework and responsibilities.
  • Senior management (the CIO, Chief Information Officer) must support the contingency program.
  • The contingency program should comply with federal guidance contained in NIST SP 800-34
Key policy elements
  • Roles and responsibilities
  • Scope, as applied to the type(s) of platform(s) and organization functions subject to contingency planning
  • Resource requirements
  • Training requirements
  • Exercise and testing schedules
  • Plan maintenance schedule
  • Frequency of backup and storage of backup media
Conduct the Business Impact Analysis (BIA)
  • The BIA is the key step in the contingency-planning process.
  • It enables the coordinator to fully characterize the system requirements, processes, and interdependencies.
  • The purpose of the BIA is to correlate specific system components with the critical services that they provide.
  • The BIA characterizes the consequences of a disruption to the system components.
Identify preventive controls
  • Preventive methods are preferable to actions that may be necessary to recover the system after a disruption.
  • Preventive controls should be documented in the contingency plan.
  • Some common measures are listed here:
    • Appropriately sized uninterruptible power supplies (UPS) to provide short-term backup power to all system components (including environmental and safety controls)
Identify preventive controls
  • Gasoline- or diesel-powered generators to provide long-term backup power
  • Air-conditioning systems with adequate excess capacity to permit failure of certain components such as compressors
  • Fire suppression systems
  • Fire and smoke detectors
  • Water sensors in the computer room ceiling and floor.
  • Plastic tarps that may be unrolled over IT equipment to protect it from water damage
Identify preventive controls
  • Heat-resistant and waterproof containers for backup media and vital nonelectronic records
  • Emergency master system shutdown switch
  • Offsite storage of backup media, nonelectronic records, and system documentation
  • Technical security controls, such as cryptographic key management and least-privilege access controls
  • Frequent, scheduled backups
Develop recovery strategies
  • Recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption.
  • Strategies should address disruption impacts and allowable outage times identified in the BIA.
  • Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger, organization-level contingency plans.
  • The strategy should include a combination of methods that complement one another to provide capability over the full spectrum of incidents.
Develop an IT contingency plan
  • The plan contains detailed roles, responsibilities, teams, and procedures associated with restoring an IT system.
  • The plan should document technical capabilities designed to support contingency operations.
  • The plan should comprise five main components: Supporting Information, Notification/Activation, Recovery, Reconstitution, and Plan Appendices.
Plan testing, training, and exercises
  • Testing enables plan deficiencies to be identified and addressed.
  • The following areas should be addressed in a contingency test:
    • System recovery on an alternate platform from backup media
    • Coordination among recovery teams
    • Internal and external connectivity
    • Restoration of normal operations
    • Notification procedures
Plan maintenance
  • The contingency plan should be reviewed and updated regularly, as part of the organization’s change management process.
  • The plan should be reviewed for accuracy and completeness at least annually or whenever significant changes occur to any element of the plan.
  • Certain elements, such as contact lists, will require more frequent reviews.
The Windows Registry
  • The registry is used to store
    • Operating system configuration
    • Application configuration information
    • Hardware configuration information
    • User security information
    • Current user information
Registry structure
  • The Registry has a hierarchical structure similar to a directory structure.
  • Each main branch is called a hive.
  • Located within those hives are keys.
  • Each key may contain other keys called subkeys along with their value. It is the values that contain the actual information that is stored within the Registry.
Windows Registry
  • HKEY_CLASSES_ROOT contains
    • File-association types
    • Object Linking and Embedding (OLE) information
    • Shortcut data
  • HKEY_CURRENT_USER points to the section of HKEY_USERS appropriate for the user currently logged into the PC.
Windows Registry
  • HKEY_LOCAL_MACHINE
    • contains info about computer hardware, software, and other preferences for the local PC.
    • is used for all users who log onto this computer.
  • HKEY_USERS contains individual preferences for each user of the computer.
    • Each user is represented by a security identifier (SID) subkey.
Windows Registry
  • HKEY_CURRENT_CONFIG links to HKEY_LOCAL_MACHINE\Config for machine specific information.
  • HKEY_DYN_DATA contains info. that must be kept in RAM.
Types of values
  • String or REG_SZ
  • Binary or REG_BINARY
  • DWORD or REG_DWORD
  • Multistring value or REG_MULTI_SZ
  • Expandable string value or REG_EXPAND_SZ
The Windows Recycle Bin
  • The purpose of the Recycle Bin was to provide users with the ability to reclaim deleted files.
  • Before users “empty” the Recycle Bin, the deleted files remain on disk.
  • Even after the Recycle Bin is emptied, the actual information remains in its original place on the hard drive (until the OS overwrites it).
Recovery Utilities
  • PC Inspector File Recovery
Recovery Utilities
  • EasyRecovery Professional www.ontrack.com
UNIX/Linux ext2 File System
  • In ext2, the complete inode for a deleted file is preserved,
  • Only the name is removed from the directory and the time of the deletion in the inode is marked.
  • Using e2undel
Analyzing Abnormal System Processes
  • Monitors should look for the following signs:
    • Unusual resource utilization or process behavior
    • Missing processes
    • Added processes
    • Processes that have unusual user identification associated with them
Causes of abnormal system processes
  • Programs that log a user’s keystrokes or monitor and steal passwords.
  • Malicious code (virus, Internet worms, and Trojan horse applications)
  • Spyware (software that transmits information back to a third party without notifying the user)
Windows Event Viewer
  • Log files allow you to check for:
    • Unusual login entries
    • Failures of services
    • Abnormal processes
OS and Network Logs
  • When reviewing OS or network logs, look for the following:
    • Processes consuming excessive resources
    • Processes starting or running at unexpected times
    • Unusual processes not the result of normal authorized activities
    • Previously inactive user accounts that suddenly begin to spawn processes and consume computer or network resources
OS and Network Logs
  • Processes that prematurely terminate
  • Unexpected or previously disabled processes, which may indicate that a hacker or intruder has installed his own version of a process or service
  • A workstation or terminal that starts exhibiting abnormal input/output behavior
  • Multiple processes with similar names (Explorer.exe vs. explorer.exe)
  • An unusually large number of running processes
Default processes in Windows NT, 2000, and XP
  • Csrss.exe: is the Client/Server Run-time Subsystem.
  • Explorer.exe: is the GUI for the taskbar and desktop environment.
  • Lsass.exe: handles security administration on the local computer.
  • Mstask.exe: is the task scheduler service.
  • Services.exe: is the Windows Services Control Manager, which is responsible for starting and stopping system services.
  • Smss.exe: is the Session Manager Subsystem, which is responsible for starting the user session.
Default processes in Windows NT, 2000, and XP
  • Spoolsv.exe: is the Windows spooler service and is responsible for the management of spooled print and fax jobs.
  • Svchost.exe: is a generic process, which acts as a host for other processes running from DLLs.
  • System: permits system kernel-mode threads to run as the System process.
  • System Idle Process: is a single thread running on each processor. Its sole task is accounting for processor time when the system isn’t processing other threads.
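The signs listed under "Analyzing Abnormal System Processes" and "OS and Network Logs" (added processes, processes with an unusual user, look-alike names) can be checked against the default process list above. The script below is an added example, not from the deck: it audits a constructed process snapshot against a baseline built from the slides' list. The expected accounts, expected directories and the set of single-instance processes are assumptions for the example, and the look-alike test uses plain edit distance, which is one choice among several.

```python
# Baseline built from the default processes listed on the slides (NT/2000/XP).
# Expected account and directory are assumptions for this example: core
# services run as SYSTEM from %SystemRoot%\system32, Explorer as the
# logged-on user from %SystemRoot%.
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = SYSTEM_ROOT + r"\system32"
SERVICE_ACCOUNTS = {"SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE"}

BASELINE = {
    # name: (allowed accounts or None for any user, expected directory or None)
    "csrss.exe":           ({"SYSTEM"}, SYSTEM32),
    "explorer.exe":        (None, SYSTEM_ROOT),
    "lsass.exe":           ({"SYSTEM"}, SYSTEM32),
    "mstask.exe":          ({"SYSTEM"}, SYSTEM32),
    "services.exe":        ({"SYSTEM"}, SYSTEM32),
    "smss.exe":            ({"SYSTEM"}, SYSTEM32),
    "spoolsv.exe":         ({"SYSTEM"}, SYSTEM32),
    "svchost.exe":         (SERVICE_ACCOUNTS, SYSTEM32),
    "system":              ({"SYSTEM"}, None),
    "system idle process": ({"SYSTEM"}, None),
}
# Processes of which a healthy system runs exactly one instance (assumption).
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe", "spoolsv.exe",
              "system", "system idle process"}

# Constructed process snapshot, as Task Manager or PsList would show it.
SNAPSHOT = [
    {"pid": 4,    "name": "System",       "user": "SYSTEM",          "path": ""},
    {"pid": 392,  "name": "smss.exe",     "user": "SYSTEM",          "path": SYSTEM32 + r"\smss.exe"},
    {"pid": 440,  "name": "csrss.exe",    "user": "SYSTEM",          "path": SYSTEM32 + r"\csrss.exe"},
    {"pid": 512,  "name": "services.exe", "user": "SYSTEM",          "path": SYSTEM32 + r"\services.exe"},
    {"pid": 524,  "name": "lsass.exe",    "user": "SYSTEM",          "path": SYSTEM32 + r"\lsass.exe"},
    {"pid": 700,  "name": "svchost.exe",  "user": "SYSTEM",          "path": SYSTEM32 + r"\svchost.exe"},
    {"pid": 760,  "name": "svchost.exe",  "user": "NETWORK SERVICE", "path": SYSTEM32 + r"\svchost.exe"},
    {"pid": 1044, "name": "Explorer.EXE", "user": "alice",           "path": SYSTEM_ROOT + r"\Explorer.EXE"},
    {"pid": 1900, "name": "scvhost.exe",  "user": "alice",           "path": SYSTEM32 + r"\scvhost.exe"},
    {"pid": 1960, "name": "lsass.exe",    "user": "alice",           "path": r"C:\Documents and Settings\alice\lsass.exe"},
    {"pid": 2044, "name": "notepad.exe",  "user": "alice",           "path": SYSTEM32 + r"\notepad.exe"},
]


def levenshtein(a, b):
    """Edit distance, used to catch look-alike names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(snapshot):
    """Return (pid, check, detail) for every process that departs from the baseline."""
    findings, seen = [], {}
    for proc in snapshot:
        name = proc["name"].lower()        # Windows file names are case-insensitive
        pid = proc["pid"]
        if name not in BASELINE:
            close = [b for b in BASELINE if levenshtein(name, b) <= 2]
            if close:
                findings.append((pid, "lookalike_name", f"{proc['name']} resembles {close[0]}"))
            else:
                findings.append((pid, "not_in_baseline", proc["name"]))
            continue
        accounts, directory = BASELINE[name]
        if accounts is not None and proc["user"].upper() not in accounts:
            findings.append((pid, "unexpected_account", f"{proc['name']} as {proc['user']}"))
        if directory is not None and proc["path"]:
            actual_dir = proc["path"].rsplit("\\", 1)[0]
            if actual_dir.lower() != directory.lower():
                findings.append((pid, "unexpected_path", proc["path"]))
        if name in SINGLETONS:
            if name in seen:
                findings.append((pid, "duplicate_singleton",
                                 f"{proc['name']} already running as pid {seen[name]}"))
            else:
                seen[name] = pid
    return findings


if __name__ == "__main__":
    for pid, check, detail in audit(SNAPSHOT):
        print(pid, check, detail)
```

Note that Explorer.EXE in mixed case produces no finding: Windows file names are case-insensitive, so the deck's "Explorer.exe vs. explorer.exe" sign is really about two processes with the same name where only one is expected, which the singleton check covers for lsass.exe here.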
Gathering Process Information
  • UNIX/Linux

ps -ef

  • Windows

PsTools

www.sysinternals.com

Unusual or Hidden Files
  • Start ->
  • Control Panel ->
  • View menu ->
  • Options
Viewing Hidden Files under Unix/Linux
  • The find command is able to display files with unusual names such as ".. " (dot-dot-space) or ..^G (dot-dot-control-G)

find / -xdev -name ".. " -print

find / -xdev -name ".*" -print

  • Keep track of SUID programs

find / -xdev -type f -perm -4000 -print | mail root
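The three find commands above can be combined into one walk of the file system that applies the same tests: names that mimic the parent-directory entry or contain control characters, and regular files with the set-UID bit. The script below is an added example, not part of the deck; it builds a constructed directory tree in a temporary location (including a ".. " directory, a "..^G" file and a set-UID file) and scans it the way `find -xdev` would, staying on one file system.

```python
import os
import stat
import tempfile


def is_unusual_name(name):
    """Flag names that hide in listings or mimic '.' and '..'."""
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return True                       # control characters, e.g. ..^G
    if name != name.strip():
        return True                       # leading/trailing blanks, e.g. ".. "
    return name.startswith("..")          # "...", "..x": look like the parent entry


def is_suid(mode):
    """True for a regular file with the set-user-ID bit (find -type f -perm -4000)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def scan(root, one_filesystem=True):
    """Walk root like `find -xdev` and return (unusual_names, suid_files)."""
    root_dev = os.lstat(root).st_dev
    unusual, suid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        if one_filesystem:   # do not descend into other mounted file systems
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if is_unusual_name(name):
                unusual.append(path)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid(st.st_mode):
                suid.append(path)
    return unusual, suid


def demo():
    """Constructed tree: a '.. ' directory, a '..^G' file, an ordinary file,
    an ordinary dotfile and a set-UID copy of a program. Returns the base
    names found by each test."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, ".. "))
        for name in ("..\x07", "notes.txt", ".profile", "sh_copy"):
            open(os.path.join(tmp, name), "w").close()
        os.chmod(os.path.join(tmp, "sh_copy"), 0o4755)
        unusual, suid = scan(tmp)
        return (sorted(os.path.basename(p) for p in unusual),
                [os.path.basename(p) for p in suid])


if __name__ == "__main__":
    unusual, suid = demo()
    print("unusual names:", [repr(n) for n in unusual])
    print("set-UID files:", suid)
```

Ordinary dotfiles such as .profile are deliberately not reported by `is_unusual_name`; the deck's second find command lists every dotfile, which is a broader sweep to read through by hand rather than an alert condition.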

Rootkits and Backdoors
  • “It takes a thief to catch a thief.”
  • Windows rootkits are usually detected by any reputable antivirus s/w.
  • A rootkit is one of the most widely used hacker tools and it contains
    • a suite of hacker utilities (log clean-up scripts and network packet sniffers) and
    • specialized replacements of core Unix/Linux utilities such as netstat, ifconfig, ps, and ls.
Rootkits and Backdoors
  • Rootkit is used to accomplish the following functions:
    • Prevent logging of activity
    • Establish backdoors for reentry
    • Hide or remove evidence of initial entry
    • Hide specific contents of files
    • Hide files and directories
    • Gather intelligence (ex: usernames and passwords)
Detecting Rootkits on Unix/Linux
  • Manual inspection
    • The strings command. It can produce readable data such as the names of files where intruder passwords are kept.
  • Rootkit detection programs
    • Chkrootkit

www.chkrootkit.org

    • Pedestal Software

www.pedestalsoftware.com

Functions of a Backdoor
  • Main functions of a backdoor
    • Getting back into the system with the least amount of visibility.
    • Getting back into a machine even if the administrator tries to secure it
    • Permitting the hacker to regain entry into the system in the least amount of time.
Detecting Backdoors
  • Most reputable antivirus products are able to detect backdoor Trojans
  • Freeware tools are available
    • Fport.exe
    • Superscan
    • Nmap
    • Listdlls.exe
Removing Rootkits and Trojans
  • The steps for removing a Trojan:
    • Identify the Trojan horse file on your system hard disk.
    • Find out how it is being initiated (ex: via Registry, Startup Folder, and so on) and take action(s) necessary to prevent it from being restarted after a reboot.
    • Reboot your machine and delete the Trojan horse.
Removing Rootkits and Trojans
  • The steps involved in recovering from a rootkit are:
    • Isolate the affected machine. (Disconnect it from the network and/or Internet.)
    • Determine the severity of the compromise. (Are other networked computers also infected?)
    • Begin the cleanup by reinstalling the OS and applications from a trusted backup.
Detecting and Defending Against Network Sniffers
  • Nearly every rootkit includes utilities for sniffing network traffic.
  • Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the software, but also all other data traffic on the physically connected local network.
  • The ifconfig command allows the privileged administrator to determine whether any interfaces are in promiscuous mode.
Removing Rootkits and Trojans
  • Unix/Linux
    • Use ifconfig -a and look for the string PROMISC
  • Windows
    • PromiscDetect

www.ntsecurity.nu/toolbox/promiscdetect/
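The PROMISC check above is the textual form of a flag the kernel keeps per interface. The script below is an added example, not from the deck: it parses constructed `ifconfig -a` output in both of the common output formats, and it also reads the interface flag word directly from sysfs (`/sys/class/net/<iface>/flags` on Linux, an assumption about the platform), which matters because the rootkit slides note that ifconfig itself is one of the utilities a rootkit replaces.

```python
import os

IFF_PROMISC = 0x100   # bit value from <linux/if.h>

# Constructed samples of `ifconfig -a` output in the two common formats.
SAMPLE_NET_TOOLS = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
SAMPLE_NEW_STYLE = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""


def promisc_interfaces(ifconfig_output):
    """Interfaces whose block of `ifconfig -a` output carries the PROMISC flag."""
    state, current = {}, None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():            # a new interface block
            current = line.split()[0].rstrip(":")
            state.setdefault(current, False)
        if current is not None and "PROMISC" in line:
            state[current] = True
    return [name for name, promisc in state.items() if promisc]


def promisc_from_flags(flags_text):
    """Decode the kernel's flag word (e.g. /sys/class/net/eth0/flags = '0x1143')."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(sysfs="/sys/class/net"):
    """Ask the kernel directly instead of trusting a possibly replaced ifconfig."""
    found = []
    try:
        names = sorted(os.listdir(sysfs))
    except OSError:
        return found                     # not Linux, or sysfs not mounted
    for name in names:
        try:
            with open(os.path.join(sysfs, name, "flags")) as f:
                if promisc_from_flags(f.read()):
                    found.append(name)
        except OSError:
            continue
    return found


if __name__ == "__main__":
    print("net-tools sample:", promisc_interfaces(SAMPLE_NET_TOOLS))
    print("new-style sample:", promisc_interfaces(SAMPLE_NEW_STYLE))
    print("this host (sysfs):", promisc_from_sysfs())
```

The decimal `flags=4419` in the new-style sample is 0x1143, so the same bit test applies to both the number printed by ifconfig and the value read from sysfs; if the two sources disagree on a live host, the binary producing the cleaner answer is the one to suspect.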

Performing Keyword Searches
  • Purposes of keyword searches
    • To locate occurrences of words or strings of text in data stored in files or slack and unallocated file space.
    • Internal audits to identify violations of corporate policy
    • To find evidence in corporate, civil, and criminal investigations, which involve computer related evidence.
    • To find embedded text in formatted word-processing documents or fragments of such documents.
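A keyword search over slack and unallocated space, and over a swap file such as pagefile.sys discussed later, works on raw bytes rather than files, so it has to cope with the encodings in which text was written. The script below is an added example, not one of the products named on the deck: it scans a constructed four-sector image for keywords stored as ASCII and as UTF-16LE (the form in which Windows keeps much of its text), and reports the byte offset and sector of each hit with a little context.

```python
import re

SECTOR = 512


def keyword_patterns(keywords):
    """Compile each keyword as ASCII and as UTF-16LE, case-insensitive for
    ASCII letters, so one pass finds text written by either kind of program."""
    patterns = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            patterns.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return patterns


def search_image(data, keywords, context=12):
    """Scan raw bytes (disk image, swap file, slack dump) and return hits with
    byte offset, sector number, encoding and surrounding context."""
    hits = []
    for kw, enc, pat in keyword_patterns(keywords):
        for m in pat.finditer(data):
            hits.append({
                "keyword": kw,
                "encoding": enc,
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "context": bytes(data[max(0, m.start() - context):m.end() + context]),
            })
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed 4-sector image: a live text file in sector 0, a fragment of
    a deleted file left in sector 1 (unallocated space), an empty sector 2,
    and a fragment of a Windows document in UTF-16LE in sector 3."""
    image = bytearray(4 * SECTOR)
    live = b"Quarterly report: nothing to see here.\r\n"
    slack = b"CONFIDENTIAL: merger draft v2\x00"
    doc = "Invoice #4471 confidential".encode("utf-16-le")
    image[0:len(live)] = live
    image[SECTOR:SECTOR + len(slack)] = slack
    image[3 * SECTOR:3 * SECTOR + len(doc)] = doc
    return bytes(image)


def demo():
    return search_image(build_sample_image(), ["confidential", "invoice"])


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['offset']:6d} sector {hit['sector']} {hit['encoding']:9s} "
              f"{hit['keyword']:13s} {hit['context']!r}")
```

Nothing in the live file matches, the deleted fragment matches in ASCII regardless of case, and the UTF-16LE document yields two hits that a plain text search would miss because of the interleaved zero bytes.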
Industrial Strength Keyword-Searching Programs
  • AccessData Forensic Toolkit ($995)
  • Encase Forensic Pro Suite by Guidance Software, Inc. ($895)
  • Maresware Suite by Mares and Company, LLC ($375)
Freeware Keyword Search Tools
  • BinText by Foundstone, Inc. www.foundstone.com
  • Disk Investigator by Kevin Soloway www.theabsolute/sware/
  • SectorSpyXP by Nick McCamy home.carolina.rr.com/lexunfreeware
Examining the Windows Swap File
  • The Windows swap file is space on a hard disk reserved for the OS to do paging.
  • The swap file is important when conducting a forensics investigation since a large volume of data can exist within the swap file.
  • Windows swap files can be dynamic or permanent.
Locating and Viewing the Windows Swap File
  • Enable viewing the hidden files
  • Search the swap file (ex: pagefile.sys)
  • Tools for viewing swap files
    • Norton Commander
    • Norton DiskEdit
    • EnCase www.guidancesoftware.com
    • Filter_1 www.forensics-intl.com
Tutorial on PC Inspector File Recovery
  • Download

http://www.pcinspector.de

  • Install
  • Delete files
  • Recover deleted files
Tutorial on PsTools
  • Download

http://www.sysinternals.com

  • Install
  • Delete files
  • Recover deleted files
References
  • Incident Response: Computer Forensics Toolkit, by Douglas Schweitzer
  • Hacking Exposed Web Applications, by Joel Scambray and Mike Shema
  • Computer Forensics, by
  • "Protect the nation's critical infrastructure first, then pursue the economy with peace of mind" (「護好國家關鍵基礎建設,才能安心去拼經濟」), by 陳友武, Advisor, Science and Economics Group, National Policy Foundation (國政基金會)
  • "The Present and Future of Computer Forensic Science" (電腦鑑識科學的現在與未來), Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC)