Computer Crime • The corporate world is beginning to understand that computers are just another medium for crime. • According to the 1999 CSI/FBI survey • average bank robbery yields $2,500 • average computer crime nets $500,000 • Security breaches are the cause of an estimated $1.6 trillion in damage worldwide.
Predictions for the future • There will be an increasing use of the Internet to commit everyday crimes. • New forms of cybercrime will continue to occur. • Identity theft and fraud will increase. • Cyberextortion will become a mainstay. • Manipulation of corporate data to meet various ends will become more sophisticated. • Acts of Hactivism will rise. • Dave Morrow, April 2001 SC Magazine, “Computer Forensics”
Computer Forensics • Computer Forensics Principles. • P1: Preserve the evidence in an unchanged state. • P2: Thoroughly and completely document the Investigative Process. Recommendation: Handle the corporate investigation as if Law enforcement will be called in and the attackers will be prosecuted.
Computer Forensics Definitions • Evidence Media: The original media to be investigated whether subject or victim. • Target Media: A forensic duplicate of the evidence media. The forensic evidence transferred to the target media. • Restored Image: A copy of the forensic image restored to its bootable form. • Native Operating System: The OS utilized when the evidence media or forensic duplicate is booted for analysis. • Live Analysis: A analysis conducted on the original evidence media. • Offline Analysis: Analysis conducted on the Forensic Image. • Trace Evidence: Fragments of information from thefree space, etc.
Best Evidence Rule • "...if data are stored on a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'Original.'" • Common Mistakes include: • Altering time and date stamps. • Killing rogue processes. • Patching the system before the investigation. • Not recording commands executed on the system. • Using untrusted commands and binaries. • Writing over potential evidence by: • Installing software on the evidence media • Running programs that store their output on the evidence media.
Evidence Chain of Custody • The prosecution is responsible for proving that whatever is presented in court is what was originally collected. An Evidence Chain of Custody must be maintained. • Create an Evidence Tag at the time of evidence collection. • A designated Evidence Custodian with a Laptop to generate the Evidence Tags. • Date and Time • Case Number • Evidence Tag number • Evidence Description • Individual receiving the evidence and Date • Each time the evidence moves from one person to another or from one media to another it must be recorded.
Forensic Image • Initial Response: Power the system down or work it live? • Volatile Data. If the system is powered down then volatile data will be lost. • Memory • State of of Network connections • State of running Processes. • Useful Windows NT/2000 commands/utilities • date, time, loggedon, netstat, fport, pslist, nbtstat, and doskey. • http://www.sysinternals.com • Useful Unix commands • w, netstat -amp, lsof, ps, netstat, script. • Recommendation: If you need to work a live system then create a command script and stick to it.
BIOS Review • Review the Target Basic Input/Output System (BIOS) before beginning a duplication to determine: • Basic geometry of the hard drive on the target System. • Document the hard drive setting to include maximum capacity, cylinders, heads, and sectors. • For proper recovery by the original OS the partitions should be aligned on the cylinder boundaries. • Determine the Boot Sequence on the target System. • Floppy drives. • CD-Rom • Hard Drive. • PCMCIA Card.
Forensic Duplication • Three Forensic Duplication Approaches. • 1. Remove the storage media and connect it to a Forensics Workstation. • Document the system details to include serial number, jumper settings, visible damage, etc. • Remove media from he target system and connect it to the Forensics workstation. • Image the media using Safeback, the Unix dd utility or EnCase. Forensics Workstations http://www.computer-forensics.com Safeback http://www.forensics-intl.com/safeback.html EnCase http://guidancesoftware.com DiskPro http://www.e-mart.com/www/cnr.html
Forensic Duplication Cont. • Three Forensic Duplication Approaches Cont. • 2. Attach a hard drive to the Target Computer. • Make sure the target computer works as expected. • 3. Image the storage media by transmitting the disk image over a closed network to the forensics Workstation. • Establish a point-to-point interface from evidence system to forensics workstation using an Ethernet Switch of Ethernet cross-connect cable. • Perform MD5 computation on both the original and target system.
Forensic Analysis • Physical Analysis. Performed on the forensic Image. • Perform a String Search • String Search http://www.maresware.com/maresware/forensic1.htm • Perform a Search and Extract. • Looks for file types. • File Formats http://www.wotsit.org/ • Extract File slack and/Free Space. • Free Space: Hard Drive space not allocated to a file and deleted file fragments. • Slack Space: Space left when a minimum block size is not filled by a write operation. • NTI Tool Suite http://www.forensics-intl.com/
Forensic Analysis Cont. • Logical Analysis. • A partition by partition analysis of each file. • A typical process includes: • Mount each partition in Read-Only mode under Linux. • Export the partition via SAMBA to the Forensics System. • Examine each file with the appropriate file viewer. • Typical Lists created: • Web Sites • E-mail addresses • Specific Key words, etc
Common Forensics Mistakes • Failure to Maintain thorough complete documentation. • Failure to control access to digital information. • Underestimate the scope of the incident., • Failure to report the incident in a timely manner. • Failure to provide accurate information. • No incident response plan.
Definitions • Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other name include Protocol Analyzer and Network Monitor. • Silent Sniffers will not respond to any received packets. • Illegal Sniffers violate 18 USC 2511 dealing with wiretaps. • Promiscuous Mode. A sniffer operates in a mode that intercepts all packets flowing across the network. • A normal NIC only intercepts packets packets addressed to its IP address and Broadcasts address. • Transactional (Noncontent) information consists only of header information. For example, IP, TCP or UDP headers. • Same as a LE Trap and Trace or Pen Register. • Content Information consists of not only the headers but also part or all of the encapsulated data.
Network Forensics Data • Network data can come from: • Routers, Firewalls, Servers, IDS, DHCP Servers, etc. • These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody. • Chain of Custody • Strictly controlled network monitoring can maintain a proper chain of custody. • Electronic evidence requires tighter control than most other types of evidence because it can be easily altered. • A broken chain can affect admissibility.
Chain of Custody • Network data Chain of Custody should include: • Date and time Recorded. • Make, model, serial number and description of recording device. • Names of individual recording or the name of individuals recovering the logs. • Description of the logs. • Name, Signature and date of individual receiving the data. • Evidence Tag for this item. • Hash value (MD5) of each log file.
Monitoring The Network • What are the Network Monitoring goals? • Monitor traffic to and from a Host? • Monitor traffic to and from a Network? • Monitor a specific person? • Verify an Intrusion Attempt? • Monitor attack signatures? • Monitor a specific protocol? • Monitor a specific port? • Check with corporate legal counsel prior to starting the monitor. Note: Make sure the corporate policy supports the type of monitoring to be performed!
Monitoring The Network Cont. • Possible Network Monitors. • tcpdump, Ethereal and Snort. • Snoop, iptrace, Snifer Pro, Etherpeek, LANalyzer • NetMon, Network Tracing and Logging and Cisco IDS. • Network Monitor Location. • Host Monitoring - On the same Hub or switch. The switch should have Switch Port Analysis (SPAN). • Network Monitoring - At the network perimeter. • A Physically secure location. Note: Run a Sniffer detection tool prior to connecting yours.
Some Notes • Run a Sniffer detection tool prior to connecting yours. • Someone may already be listening to the network. • Capture the network traffic as close to the source host as possible. • Hackers use bounce sites to attack hosts. • Have the capability of viewing the captured data as a continuous stream. • This provides an overview of what the hacker is attempting to do. • Reconstruct documents, etc • Have the capability of viewing the packets at the lowest level. • High-level analyzers will sometimes strip off data that is not important for fault analysis but could be important for investigative purposes. • Options and fields to identify the OS. • Typing speed of user. • Printer variables, X display variables , etc.
Common Forensics Mistakes • Failure to Monitor. • ICMP Traffic • SMTP, POP and IMAP Traffic. • UseNet Traffic • Files saved to external media. • Web Traffic • Senior Executives Traffic. • Internal IP Traffic. • Failure to Detect: • ICMP Covert Channels. • UDP Covert Channels. • HTTP Covert Channels.
Common Forensics Mistakes Cont. • Failure to PlayBack. • Encrypted traffic. • Graphics • Modeling and Simulation traffic. • Failure to Trace: • Denial-of-Service. • Distributed Denial of Services. • Spoofed EMail. • Failure to Detect. • Steganography. • Erasing Logs • File Encryption. • Binary Trojans
Monitoring Tools Dsniff http://www.monkey.org/~dugsong/dsniff tcpdump http://www.tcpdump.org/ WinDump http://netgroup-serv.polito.it/windump/ ethereal http://www.ethereal.com/ Snort http://www.snort.org/
Some Basics To Remember • Freeze and image the hard drive before anything else is done, remembering that freezing a system is best done when its workings are not critical to business needs. • Get the intruders out of the network or close the holes so they cannot breach the system through the same vulnerability in the future. This can be achieved by collecting and correlating information from system, web, and other log files. • Determine how bad the breach really is and decide what information should be divulged to the public. This is where legal counsel from an experienced and knowledgeable person can help. • Chris Wysopal, director of research and development for @Stake
Volatile Data • “When an incident is reported, certain steps need to be taken on a live system before you perform forensic duplication of that system.” • “The initial response is an effort to obtain as much volatile data as possible before you power down the evidence system for forensic duplication.” • Volatile (and possibly useful) data can be found in: • Registers, cache contents • Memory contents • State of network connections • State of running processes
Important Note! • “A computer changes states through user interaction, process execution, data transfers, and power cycles; therefore, data in memory and storage is going to change. It is vitally important to understand the changes that will occur when you perform a command or operation. As you respond at the console, make sure that you document every step in detail.” • “Before you review a ‘live’ system, create a step-by-step plan and stick to it like a script.”
Extracting File Slack and Free Space • “File system residue exists, to some extent, in all file systems. The types of residue fall into two categories”: • Free space – unallocated space • May be space never before allocated to a file, or • Space that was created when a file was deleted • Slack space – “occurs when data is written to a storage medium in chunks that fail to fill the minimum block size defined by the operating system.” • If you want this info, you need a tool that is aware of the particular file system structure.
Common Incidents • Denial-of-Service attack • e.g. TFN • Unauthorized use • e.g. Use of systems to surf porn sites • Vandalism • e.g. defaced web site • Theft of information • e.g. stolen credit card info from customer DB • Computer intrusion • e.g. remote administrative access
A thought -- “Remember, the first to discover a problem is likely to be your company’s lowest paid system administrator on the night shift. If this person cannot get guidance -- preferably prior guidance, he or she might decide to call the police or worse, the media. The plan should include who to call, who not to call, what to do with the machines, priorities -- (for example,) is keeping the data center up a higher priority than preserving evidence? You decide as much as possible what the trade-offs are, based on you understanding of your vulnerabilities or consultation with experts in the field.” -- Computer Forensics, April 2001 SC Magazine
An Incident is any event that disrupts normal operating procedure and precipitates some level of crisis. • A Computer Intrusion. • Denial of Service Attack. • Theft of information. • Computer Misuse. • A power failure. • Investigator(s) gather facts, analyze and resolve the incident. Incident Definitions
Goals of Incident Response • Confirms or dispels whether an incident occurred • Promotes the accumulation of accurate information • Establishes controls for proper retrieval and handling of evidence • Protects privacy rights established by law and policy • Minimizes disruption to business and network operations • Allows for legal or civil recriminations against perpetrators • Provides accurate reports and useful recommendations
Incident Response • In developing an incident response roadmap, companies should plan: • How to secure or preserve evidence, whether making an image copy or locking up the original until computer forensic specialists arrive. • How or where to search for evidence, be it on the local drive, back-up system, home computers or laptops. • A list of topics to consider when preparing a thorough report. • A list of outside agencies and resources to consult or report to given a particular situation. • A recommended list of software to be used internally for investigations. • A recommended list of experts with whom to consult. • “Computer Forensics”, April 2001 SC Magazine • Consider creating a Computer Incident Response Team (CIRT)
Computer Incident Response Team • Mission • Provide a rapid response capability to address (suspected) intrusions/security incidents. • Composition • Core – Manager, IT staff, legal counsel, support personnel. • Support – specific area experts • Forensic Best practices • Tools • Organizations • FIRST, CERT, CIAC, SANS, ISSA, NIPC…
Respond to all security incidents with a formal investigative process based upon the Incident Response Plan and Corporate policies. • Conduct a bias free investigation. • Determine if a true incident did occur. • Assess the damage and scope of the incident. • Control and contain the incident. • Document the incident and maintain a chain of custody. • Protect Privacy Rights by law and corporate policy. • Liaison to law Enforcement and Legal Authorities. • Provide Expert Testimony. • Provide recommendation to senior level management. Incident Response Team Mission
Team Composition depends upon: • Number and type of hosts involved. • Number and type of networks involved. • Number and type of Operating Systems involved. • Attack sophistication. • Incident Publicity. • Internal Politics. • Corporate Liability. Incident Response Team
Team Manager. - Single Point of Contact - Leader/decision maker - Clear authority to act/decide. - Assess potential impact/loss - Upper management support - Spokesman - Documents team actions. Computer Specialist - System Administrator - Systems Operator/Programmer - Technically Tracks intruder - Monitors on-going system activity. - Reconstructs crime. - Documents technical aspects of crime. Network Specialist Advisor - Advises computer specialist - Network protocol specialist - As Required Computer Crime Investigator - CI Investigator w/jurisdiction. - Collects/documents evidence. - Advises on investigative aspects. - This may be a team of investigators. Company Attorney - Legal advice - Case preparation - Adjunct to Team Public Affairs - Advise senior management on PR - Press Spokesperson - Adjunct to Team Security Auditor - Assists Computer specialist. - Audit trails/logs - Assess Economic impact - Adjunct to Team Computer Incident Response Team (CIRT)
9 Steps to Incident Response • Emergency Action Card • Preparation • Identification • Investigation and Containment • Eradication • Recovery • Follow-up • Incident Record Keeping • Incident Specific Procedures
Steps to take when an incident happens • Remain Calm !!! • Document everything • Notify appropriate personnel and get help • Enforce “need to know” policy • If compromise has occurred, use “out of band” communication channels • First priority should be to contain problem • Make backup copies of systems for possible prosecution purposes • Identify problem/vulnerability, patch • Get back to business • Prosecute/follow-up
Has a lot to do with just securing your system • Risk Management. • Host preparation. • Network Preparation. • Network Policies and Procedures. • A Response toolkit. • The Incident Response Team. Incident Preparation
Detection of Incident Process Firewall Logs DETECT IDS Logs Activate CIRT Begin IR Checklist Suspicious user System Admin
Incident Detection • Intruder discovery • Strange activities • System crashes • Unusual hard disk activity. • Unexplained Reboots. • Account discrepancies • Sluggish response • Strange login hours. • Failed logins with bad passwords. • Unusual activity with the su command. • A message from a remote System Administrator
Incident Detection Cont. • System monitoring: • Another superuser logs in. • A user on vacation who is logged in. • Deleted or corrupted log files. • A user who is not a programmer but is running compilers. • Network connections from unknown machines. • Unauthorized changes to system programs. • New account entries in /etc/passwd file. • Analysis tools such as Tripwire. • The System Administrator should investigate any strange activity. • Various UNIX commands can be employed to explore who is doing what on the system.
Incident Detection Cont. • Stopping the Intruder. • Power Down? • Interrupts users. • Deletes evidence • Damage the file systems. • Ask him to leave? • He may damage the system to prevent being caught. • Kill his/her processes? • Use the ps command to list all his/her processes. • Change all compromised account passwords. • Use the kill command to terminate the processes. • Check for backdoors/sniffers/undesired programs. • Break the connection? • Interrupts other users.
Incident Reporting • Incident Response Team Leader is notified. • Notifies the organization Computer Incident Response Team. • Briefs senior level management • Coordinates the response activities • Notifies all Points of contact. • Local System Administrators/Network Managers. • Remote System Administrators/Network Managers. • Internet Service Provider managers/technicians. • Law Enforcement Computer Crime specialists. • Public Affairs specialist. • Legal Affairs officer.
Incident Reporting Cont. • Incident notification Guidelines. • Use explicit language that is clear, concise and fully qualified. • No smoke screens. • No generalities • Use factual language.. • No false information • No incomplete information. • Use matter a fact language. • No emotion • No inflammatory language
Initial Response • Freeze the Incident Scene. • Verbally contain the scene with instructions such as: • “Take your hands off the keyboard and step away from the computer.” • “Physically disconnect the computer from the network.” • “What is your name, office and telephone number.” • “What is the hardware and operating system?” • “I’m going to fax you a set of instruction. What is your Fax number?”
Incident Response Checklist • Version 1.0 • Date: • Time: • Name: • Telephone Number: • Nature of Incident: • Time of Incident: • How was the incident detected: • Current Impact of Incident; • Future Impact of incident: • Description of the incident: • Hardware/OS/Software involved: • IP and network addresses of compromised systems: • Network Type: • Modem: • Criticality of Information: • Physical location: • System Administrator Name and Number: • Current status of machine: • Description of Hacker Actions • Ongoing activity: • Source Address: • Malicious program involved: • Denial of Service • Vandalism: • Indication of insider or outsider:
Incident Response Checklist Cont. • Version 1.0 • Client Actions • Network disconnected: • Remote access available: • Local Access available: • Audit logs available and examined: • Any changes to firewall: • Any changes to ACL: • Who has been notified: • Other actins taken: • Available Tools • Third party host auditing: • Network monitoring: • Network Auditing: • Additional Contacts • Users: • System Administrators: • Network Administrators: • Special Information • Who should not know about this incident: Response Team Member Signature/Date:__________________________________