
Computer Forensics


Presentation Transcript


  1. Computer Forensics, instructor 劉立民, Department of Applied Mathematics, Chung Yuan Christian University (中原大學 應用數學系)

  2. Introduction

  3. Sharon Guthrie Case • Sharon Guthrie, 54, drowned in the bathtub of her Wolsey, South Dakota home on May 14. An autopsy revealed the contents of 10-20 capsules of Temazepam in her body, a sleeping pill that had been prescribed for her husband. • Rev. Guthrie pleaded innocent. "A minister killing his wife in the bathtub? Impossible!" asserted the defense. • Judd Robbins, a computer forensics expert, found evidence that Guthrie had searched the Internet for painless and surefire killing methods. • Rev. Guthrie was sentenced to life imprisonment.

  4. The "Whisbih" poisoner case (蠻牛千面人) • In May 2005 (ROC year 94), bottles of "Whisbih" (蠻牛) and "Paolyta B" (保力達B) were poisoned with cyanide • One innocent member of the public died after unknowingly drinking one • Police found a lead in surveillance video and arrested a suspect • On the suspect's computer they found the words and graphic "毒蠻牛" (poisoned Whisbih) together with the extortion letters prepared for mailing

  5. Computer Crime • Computer misuse has two categories: • The computer is used to commit a crime • Child pornography • Threatening letters • Fraud • Theft of intellectual property

  6. Computer Crime (con’t) • Computer misuse has two categories: • The computer itself is the target of a crime • AKA incident response • Starting in the mid-80s, attacks were carried out over phone lines through modems • Internet • More sophisticated attacks

  7. What is Computer Forensics • Computer forensics includes • Preservation, • Identification, • Extraction, • Documentation, • Interpretation of computer data.

  8. What is Computer Forensics • This evidence can be useful in many investigations: • Civil litigation such as divorce, harassment, and discrimination cases • Corporations investigating embezzlement, fraud, or intellectual property theft • Individuals seeking evidence in age discrimination, wrongful termination, or sexual harassment claims • Insurance company investigations where evidence is required relating to insurance fraud, wrongful death, workers’ compensation, and other cases.

  9. Types of Incidents • Categories of incident defined by the Federal Computer Incident Response Center (FedCIRC): • Malicious code attacks • Unauthorized access • Unauthorized utilization of services • Disruption of service • Misuse • Espionage • Hoaxes

  10. Malicious code attacks • Malicious code: • Viruses • Trojan horse programs • Worms • Scripts used by crackers/hackers • Difficult to detect • Self-replicating property

  11. Unauthorized access • Improperly logging into a user’s account • Unauthorized access to files and directories • Planting an unauthorized sniffer program or device

  12. Unauthorized utilization of services • Perpetrating an attack without accessing someone’s account • Using NFS to mount the file system of a remote server machine • Interdomain access mechanisms for Windows NT files and directories

  13. Disruption of service • Disrupt services in a variety of ways: • Erasing critical programs • Mail spamming • Altering system functionality by installing Trojan horse programs.

  14. Misuse, Espionage, Hoaxes • Misuse: someone uses a computing system for other than official purposes • e.g., a legitimate user uses a government computer to store personal tax records • Espionage is stealing information to subvert the interests of a corporation • Hoaxes occur when false information about incidents or vulnerabilities is spread

  15. Catching the criminal • US FBI delineates the following aspects of computer forensic science: • Data objects • Digital evidence • Physical items • Original digital evidence • Duplicate digital evidence

  16. Catching the criminal (con’t) • Data objects • Objects or information of potential probative value that are associated with physical items. • Digital evidence • Information of probative value that is stored or transmitted in digital form. • Physical items • Items on which data objects or information may be stored and/or through which data objects are transferred.

  17. Catching the criminal (con’t) • Original digital evidence • Physical items and the data objects associated with such items at the time of acquisition or seizure • Duplicate digital evidence • An accurate digital reproduction of all data objects contained on an original physical item.

  18. FedCIRC incident activity summary for 2000

  19. Detecting intrusion • The common approach to detecting intrusions is as follows: • Observe your systems for unexpected behavior or anything suspicious • Investigate anything you consider to be unusual • Initiate your intrusion response procedures when you find something that isn’t explained by authorized activity • Look for unusual or unauthorized user accounts or groups

  20. Monitoring your Windows system • Look for unusual or unauthorized user accounts or groups • The Guest account should be disabled • Check all groups for invalid user membership • Check log files for connections from unusual locations or for any unusual activity

  21. Computer management utility

  22. Monitoring your Windows system • Search for invalid user rights • The Guest account should be disabled • Check all groups for invalid user membership • Check log files for connections from unusual locations or for any unusual activity • Check to see if unauthorized applications are running

  23. Edit Registry

  24. Monitoring your Windows system • Look for invalid services • Monitor the system startup folder • Inspect network configurations for unauthorized entries • Check your system program files for alterations • Check for unusual listening ports and for connections from other hosts by using netstat
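The netstat check in the slide above (and the toolkit item later on about mapping open ports to their owning process) can be scripted against saved command output. The block below is an added example, not part of the lecture: it parses constructed `netstat -ano` and `tasklist /fo csv /nh` output, maps each listener to its process image, and reports listeners absent from a known-good baseline (the baseline and sample lines are assumptions made up for this example).

```python
# Constructed sample of `netstat -ano` output on a Windows host (not a real capture)
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2288
  TCP    192.0.2.10:49201       198.51.100.7:443       ESTABLISHED     3120
  UDP    0.0.0.0:161            *:*                                    1544
"""

# Constructed sample of `tasklist /fo csv /nh` output, used to map PIDs to image names
TASKLIST_SAMPLE = """\
"svchost.exe","912","Services","0","9,128 K"
"System","4","Services","0","20 K"
"updater.exe","2288","Console","1","3,412 K"
"msedge.exe","3120","Console","1","210,000 K"
"snmp.exe","1544","Services","0","5,004 K"
"""

# Baseline of listeners this host is expected to have (assumed known-good snapshot)
BASELINE = {("TCP", 135, "svchost.exe"), ("TCP", 445, "System"), ("UDP", 161, "snmp.exe")}

def parse_tasklist(text):
    """Return {pid: image_name} from tasklist CSV rows."""
    pids = {}
    for line in text.splitlines():
        cols = [c.strip('"') for c in line.split('","')]
        if len(cols) >= 2 and cols[1].isdigit():
            pids[int(cols[1])] = cols[0]
    return pids

def listeners(netstat_text, pid_map):
    """Return (proto, port, image) for every LISTENING TCP socket and every bound UDP socket."""
    out = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue  # established/closing connections are reviewed separately
        port = int(local.rsplit(":", 1)[1])
        out.append((proto, port, pid_map.get(pid, f"pid:{pid}")))
    return out

def unexpected_listeners(netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE, baseline=BASELINE):
    """Listeners present on the host but absent from the baseline: candidates for investigation."""
    return sorted(set(listeners(netstat_text, parse_tasklist(tasklist_text))) - baseline)
```

Running `unexpected_listeners()` on the samples flags only the TCP 5555 listener owned by updater.exe; a listener that belongs to an unknown PID is reported as `pid:N` so a process that exited between the two commands is not silently dropped.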

  25. Common program startup locations

  26. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  27. SuperScan 3.0 by Foundstone

  28. Incident Response Team • All organizations need an incident response team to develop a complete incident response capability • The team should have written procedures for incident response • These should state what conditions warrant calling on local and/or federal law enforcement authorities

  29. The incident reporting process • Low-level incidents are least severe and should be resolved within one working day. Low-level incidents include • Loss of passwords • Suspected unauthorized sharing of accounts • Misuse of computer hardware • Unintentional computer actions • Unsuccessful scans or probes

  30. The incident reporting process • Mid-level incidents are more serious and should be handled within 2-4 hours. Mid-level incidents include • Property destruction related to a computer incident • Illegal download of copyrighted music/unauthorized software • Violation of special access • Unauthorized use of a system for processing or storing personal data • An act resulting from unfriendly employee termination • Illegal building access • Personal theft

  31. The incident reporting process • High-level incidents are the most serious and should be handled immediately. They include • Property destruction related to a computer incident • Child pornography • Pornography • Personal theft (higher value than a mid-level incident) • Suspected computer break-in • Denial of service (DoS) attacks • Illegal software download • Malicious code • Any violation of the law

  32. Internal reporting procedure • Every organization needs to develop one that requires the following: • Preservation of evidence • Assessment • Containment and recovery actions • Damage determination • Report documentation • Lessons learned • Identification of corrective actions required by the organization’s security programs

  33. Forensic Toolkit • Authenticity and Integrity • A tool to report any open TCP/UDP port and map them to the owning process or application • A tool to capture and analyze logs to identify and track who has gained access to a computer system • A utility to make a bit-stream back-up of a hard drive • A tool to examine files on a disk drive for unauthorized activity • A program used to document the CMOS system Time and Date on a computer seized as evidence

  34. Forensic Toolkit (con’t) • A password-cracking utility • A text-search utility that can scan Windows systems and locate targeted keywords and/or strings of text in computer-related investigations and computer security reviews • A forensic binary data search tool that is used to identify targeted graphics file content and/or foreign language words and phrases stored in the form of computer data • A tool to discover hidden files, such as NTFS Alternate Data Streams • A data collection tool to capture file slack and unallocated (erased file) data
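Slide 17 defines duplicate digital evidence as an accurate reproduction of all data objects on the original, and the toolkit above lists authenticity and integrity first. The block below is an added example, not code from the lecture or any named tool: it makes a bit-stream copy of a constructed "drive", records a chunked SHA-256 and size in a chain-of-custody entry, and shows that a single flipped bit in the copy fails verification (the record fields and sample bytes are assumptions for this example).

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class EvidenceRecord:
    """Chain-of-custody entry written at acquisition time (field set chosen for this example)."""
    label: str
    size: int
    sha256: str
    acquired_at: str

def sha256_stream(data: bytes, chunk: int = 4096) -> str:
    """Hash in fixed-size chunks, the way a tool would for a drive image too large for memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def acquire(label: str, source: bytes):
    """Produce a bit-stream duplicate of the whole source and record its hash and size."""
    image = bytes(source)  # byte-for-byte copy: live data, slack and unallocated space alike
    rec = EvidenceRecord(label, len(image), sha256_stream(image),
                         datetime.now(timezone.utc).isoformat())
    return image, rec

def verify(image: bytes, rec: EvidenceRecord) -> bool:
    """The duplicate is usable only while it still hashes to the value recorded at acquisition."""
    return len(image) == rec.size and sha256_stream(image) == rec.sha256

# Constructed "drive" contents: a live file, a deleted file left in unallocated space, and slack.
ORIGINAL = b"LIVE: report.doc\x00" + b"DELETED: memo.txt draft text" + b"\x00" * 30

def demo() -> dict:
    """Acquire, verify, then flip one bit in the copy and verify again."""
    image, rec = acquire("disk0", ORIGINAL)
    ok_before = verify(image, rec)
    tampered = bytearray(image)
    tampered[5] ^= 0x01  # one-bit change anywhere in the image
    ok_after = verify(bytes(tampered), rec)
    return {"hash": rec.sha256, "ok_before": ok_before, "ok_after": ok_after}

if __name__ == "__main__":
    print(demo())
```

The hash and size are what an examiner re-computes before every analysis session; the original itself is never mounted or written to.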

  35. Law Enforcement Considerations

  36. The Role of NIPC • The NIPC (National Infrastructure Protection Center) was established in 1998 and is located at FBI headquarters • The NIPC’s functions: • The NIPC is the national focal point for gathering information on threats to critical infrastructure, coordinating the federal government’s response to an incident, mitigating attacks, and investigating threats • The NIPC provides law enforcement and intelligence information and reports to relevant federal, state, and local agencies

  37. Taiwan • The Executive Yuan established the "National Information and Communication Security Taskforce" (國家資通安全會報) • It is divided into seven working groups: general affairs, technical services, standards and regulations, audit services, cybercrime, information collection, and crisis reporting • The Taskforce has a "National Information and Communication Security Response Center" (國家資通安全應變中心) • It oversees six divisions covering government agencies, the national defense system, state-run enterprises, academic institutions, and private organizations • Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) • The Government Certification Authority (GCA) was established in February 1998

  38. Canada • In February 2001, the Office of Critical Infrastructure Protection & Emergency Preparedness (OCIPEP) was established • OCIPEP is headed by the Minister of National Defence and protects Canada’s critical infrastructure against the risk of failure or disruption • An "Infrastructure Protection Coordination Centre" was set up within OCIPEP • The Canadian government defines six categories of national critical infrastructure: energy facilities (such as electricity, natural gas and oil transmission systems), communications (such as telecommunications and broadcasting systems), services (such as finance, food and health care), transportation (land, water, air and rail), safety (such as nuclear safety, search and rescue, and emergency relief), and government (such as key facilities, information networks and assets).

  39. United Kingdom • In December 1999, the National Infrastructure Security Co-ordination Centre (NISCC) was established • It is responsible for developing programmes to protect the national critical infrastructure from electronic attack • The focus is on the IT systems of telecommunications, finance, water and sewage systems, energy, transport, health services, central government and emergency services • Under NISCC are • The Unified Incident Reporting & Alert Scheme (UNIRAS), serving as the UK government’s computer emergency response team • The Electronic Attack Response Group (EARG)

  40. Related laws • Disclosure law - “Title 18, Part I, Chapter 121, Sec. 2702 of the Federal Criminal Code” • Computer crimes will be considered breaking federal laws when they involve: • The theft or compromise of national defense, foreign relations, atomic energy, or other restricted information • A computer owned by a U.S. government department or agency • A bank or most other types of financial institutions • Interstate or foreign communications • People or computers in other states or countries

  41. Related laws (con’t) • The “Computer Fraud and Abuse Act” was signed by President Reagan in 1986 • Computer Abuse Amendments Act of 1994 • The USA Patriot Act of 2001

  42. Related laws (Taiwan) • Copyright Act • Criminal Code Articles 220, 315, 318, 359 and 360, among others • Criminal Code Article 220: Writing, symbols, drawings or photographs on paper or on an object that, by custom or special agreement, suffice to prove the intent they express are deemed documents for the purposes of the offenses in this chapter and elsewhere. The same applies to sound recordings, video recordings or electromagnetic records whose sounds, images or symbols, as displayed through processing by a machine or computer, suffice to prove the intent they express. • Criminal Code Article 359: A person who without authorization obtains, deletes or alters the electromagnetic records of another person’s computer or related equipment, thereby causing damage to the public or to another, shall be sentenced to imprisonment for not more than five years or short-term detention, or a fine of not more than 200,000 yuan, or both.

  43. Forensic Preparation

  44. Forensic Preparation • Network Operating Systems • Auditing and Logging • Logs can help organizations by • Alerting system administrators to any suspicious activity • Determining the extent of any damage caused by an intruder’s activity • Helping to quickly recover systems • Providing information or serving as evidence required for legal proceedings

  45. Enable auditing and logging on Windows

  46. Log files on Windows

  47. Centralized logging • The location of the log data is centralized • The integrity of log data remains protected • This approach is easier to back up, secure, and analyze.

  48. Logging Tools • Kiwi Syslog Daemon by Kiwi Enterprises • Freeware for the Windows platform • www.kiwisyslog.com • GFI LANguard Security Event Log Monitor by GFI Software • Analyzes Windows NT/2000 event logs in real time • www.gfi.com

  49. Time Synchronization • Automating the synchronization of system clocks saves substantial time during an incident response • On IP-based networks, the Network Time Protocol (NTP) is the most commonly used • Tools on Windows: • Automachron by Guy Coding • NIST Internet Time Service (ITS) • World Time by PawPrint.net
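Slides 47 and 49 both come down to the same analyst task: events collected centrally from several hosts are only orderable when each host's clock offset is known. The block below is an added example, not part of the lecture: it takes constructed log lines from two hosts, applies per-host offsets assumed to have been measured against an NTP reference, and contrasts the corrected timeline with the one an analyst gets by trusting the raw timestamps.

```python
from datetime import datetime, timedelta, timezone

# Constructed log lines as received by a central collector (host, host's own timestamp, message).
# The file server's clock is three minutes slow; the firewall's clock is correct.
RAW_EVENTS = [
    ("fileserver", "2005-05-14 10:00:10", "Logon failure for user guest from 192.0.2.55"),
    ("fileserver", "2005-05-14 10:00:42", "Logon success for user guest from 192.0.2.55"),
    ("firewall",   "2005-05-14 10:03:05", "Accepted 192.0.2.55 -> fileserver:445"),
    ("firewall",   "2005-05-14 10:04:30", "Accepted 192.0.2.55 -> fileserver:445"),
]

# Assumed offsets measured during acquisition: offset = host_clock - reference_clock,
# so a slow clock has a negative offset and reference time = host_clock - offset.
CLOCK_OFFSETS = {"fileserver": timedelta(minutes=-3), "firewall": timedelta(0)}

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def build_timeline(events=RAW_EVENTS, offsets=CLOCK_OFFSETS):
    """Normalise every timestamp to reference time, then order events across all hosts."""
    rows = []
    for host, ts, msg in events:
        local = parse_ts(ts)
        rows.append((local - offsets[host], host, msg))
    rows.sort(key=lambda r: r[0])
    return [(ref.strftime("%H:%M:%S"), host, msg) for ref, host, msg in rows]

def naive_timeline(events=RAW_EVENTS):
    """What the analyst sees when every host clock is assumed to be correct."""
    return build_timeline(events, {host: timedelta(0) for host, _, _ in events})

if __name__ == "__main__":
    for row in naive_timeline():
        print("raw      ", *row)
    for row in build_timeline():
        print("corrected", *row)
```

With raw timestamps the logons appear to precede the firewall accepting the connection; once the offset is applied the firewall entry comes first and the sequence makes sense.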

  50. Memory dump on Windows • The contents of the system memory should be printed or copied while it still resides in memory. • Windows 2000 and XP (not NT) include a handy feature to generate a memory dump file. However, it must first be configured to do so.
