Published by Jazmin Berman
Modified over 2 years ago
Copyright © Sanda International Corp.
Investigating Internet Security Incidents
A Brief Introduction to Cyber Forensic Analysis
Peter Stephenson
Agenda
- Intrusion approaches
- Investigative tool kit
- Investigative approaches
- End-to-end tracing
- Evidence collection and preservation
- Forensic use of RMON2-based tools for documenting the path of an attack

What is Cyber Crime?
- Crimes directed against a computer
- Crimes where the computer contains evidence
- Crimes where the computer is used to commit the crime

The Nature of Computer-Related Crime in Today's Organizations
[Chart not reproduced] Source: 1998 CSI/FBI Study

There Are Only 4 Kinds of Attacks
- Denial of service
- Social engineering
- Technical
- Sniffing

Intrusion Approaches
- Target selection, research and background info
  - Internet searches
  - Whois, nslookup
- Preliminary probing: avoid logging, get passwords
  - POP probe
  - Sniffing
  - DNS zone transfer
  - SMTP probe
  - Other simple probes
- Search for back doors
- Technical attack or social engineering

Cleaning Up After an Attack
- Delete tools and work files
- Modify logs (Unix example)
  - syslog
  - messages files (especially the mail log)
  - su log
  - lastlog (including wtmp and utmp)
  - daemon logs
  - transfer logs

INVESTIGATIVE AXIOM: Treat every incident as if it will end up in a criminal prosecution.

Your Investigative Tool Kit
- Policies
- Criminal profiling
- Tracing tools
- Log analysis
- Crime scene (victim computer) analysis
- E-mail header analysis
- News group header analysis

The Role of Policies
- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she has read them, understands them and will comply with them
- They can't violate law

Electronic Communications Privacy Act - Your Enabling Law
- Owner may intercept communications between an intruder and that owner's computer system
- Owner providing others with the ability to use that computer to communicate with other computer systems may:
  - make routine backups and perform other routine monitoring
  - intercept with prior consent of the user
  - intercept portions of communications necessary to determine origin and destination
  - intercept where necessary to protect the owner's rights or property
  - disclose to law enforcement any communications inadvertently discovered which reveal criminal activity

Criminal Profiling
- Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
- Classical profiling goals - to provide:
  - a social and psychological assessment of the offender
  - a psychological evaluation of relevant possessions found with suspected offenders
  - strategies that should be used when interviewing offenders

Crime Scene Analysis
- Branch of profiling using standard investigative techniques to analyze crime scenes
- Investigators are usually most comfortable with this approach
- Very useful in computer incidents

Developing a Profile of an Intruder
- Crime scene analysis
  - How was access obtained? What skills were required?
  - How did the intruder behave on the system? Damage? Clean-up? Theft?
- Investigative psychology
  - motivation
  - personality type

Goals of an Investigation
- To ensure that all applicable logs and evidence are preserved
- To understand how the intruder is entering the system
- To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena for information from an ISP
- To discover why the intruder has chosen the computer
- To gather as much evidence of the intrusion as possible
- To obtain information that may narrow your list of suspects
- To document the damage caused by the intruder
- To gather enough information to decide if law enforcement should be involved

Immediate Objective: PRESERVE THE EVIDENCE !!!
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage
- Collect local logs
- Image disks on victim computers

Building an Incident Hypothesis
- Start with witness accounts
- Consider how the intruder could have gained access
  - eliminate the obvious
  - use logs and other physical evidence
    - consider the skill level or inside knowledge required
- Create mirrors of affected computers

Building an Incident Hypothesis (continued)
- Develop a profile of the intruder
- Consider the path into the victim computer
- Recreate the incident in the lab
  - use real mirrors whenever possible
- Consider alternative explanations
  - test alternatives

Incident Reconstruction
- Physical
  - use mirrors of the actual involved systems
  - useful for single computers
- Logical
  - use similar systems
  - useful for networks where you have access to the entire network
- Theoretical
  - hypothesize intermediate computers
  - necessary when you can't access all involved computers

Back Tracing
- Elements of a back trace
  - end points
  - intermediate systems
  - e-mail and packet headers
  - logs
- Objective: to get to a dial-in POP
- The only messages that can't be back traced are those using a true anonymizer and those where no logs are present

Enabling Relationships [diagram]
- Stages of the attack: DIAL, INTERNET, PENETRATE HOST, ATTACK VICTIM
- Evidence sources: OUR LOGS, ISP's LOGS, TELCO LOGS

Obtaining Subpoenas
- Notify the involved organization that you are going to subpoena and request that they preserve evidence; find out whom to deliver the subpoena to
- File a John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
- Subpoena the logs you need
  - Get everything you can on the first pass
  - May need depositions

Requirements for Logs to be Used as Evidence
- Must not be modifiable
  - Spool off to a protected loghost
  - Optical media
  - Backups
- Must be complete
  - All superuser access
  - Login and logout
  - Attempts to use any controlled services
  - Attempts to access critical resources
  - E-mail details
- Appropriate retention
Tracing E-mail Headers
(3) Received: from mailhost.example.com ([XXX.XXX ]) by smtp.exampl.com; Sat, 12 Sep :25:
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep :31:
(1) Received: (from by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep :25: (EDT)
Date: Sat, 12 Sep :25: (EDT)
(4) From: fake user
Message-Id:
Content-Type: text/plain
Mime-Version: 1.0
To:
Content-Transfer-Encoding: 7bit
Subject: This is a forged message
Performing the Trace
1. Contact iname's Security Officer
2. Connect account name, time and message ID to the source IP address
3. Get logs from the source IP
4. Who was connected at the time of the e-mail?
5. Locate the ISP and contact its Security Officer
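As an added example of the header walk the two slides above describe (not code from the presentation), the script below reads the Received: stanzas of a constructed message modelled on the forged-message slide, lists the relays in transit order with the address each relay logged for the previous hop, and flags the points where the chain breaks, which is where the trustworthy part of the trail ends. The hostnames, addresses and timestamps in the sample are constructed.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the forged-message slide (not the slide's own headers).
RAW_MESSAGE = """\
Received: from mailhost.example.com (mailhost.example.com [192.0.2.10])
\tby smtp.example.com (8.8.8/8.8.0) id AA00001; Sat, 12 Sep 1998 18:31:10 -0400
Received: from web03.iname.net (web03.iname.net [198.51.100.7])
\tby mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 18:31:02 -0400
Received: from pop-dialup-44.example.org ([203.0.113.44])
\tby web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:40 -0400
Message-Id: <199809122225.SAA29949@web03.iname.net>
From: fake user <nobody@example.net>
To: victim@example.com
Subject: This is a forged message
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw):
    """Relays in transit order, earliest first: each relay prepends its own
    Received: line, so the bottom line is hop (1) and the top line is the last."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if not m:
            continue  # non-standard stanza: skip it
        ip = IP_RE.search(hdr[: m.start("by")])  # address the relay logged, if any
        hops.append({
            "from": m["from"],
            "ip": ip.group(1) if ip else None,
            "by": m["by"],
            "time": parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip()),
        })
    return hops

def check_chain(hops):
    """Breaks in the chain: a hop whose 'from' is not the previous hop's 'by', or a
    timestamp that runs backwards. Lines below a break may have been forged by the sender."""
    issues = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["from"].lower() != prev["by"].lower():
            issues.append(("host", prev["by"], cur["from"]))
        if cur["time"] < prev["time"]:
            issues.append(("time", prev["by"], cur["by"]))
    return issues
```

Only the stanzas written by relays you can vouch for are evidence; the earliest trustworthy hop's logged address, message ID and timestamp are what you take to that relay's security officer.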
Evidence Collection & Preservation
- Forensic evidence
  - Safeback: creates physical images and mirrors of affected computers
- Forensic analysis
  - NTI tools
- NEVER work directly on the evidence
  - Never contribute to the evidence
- Ensure chain of custody

RMON2 Tracing Tools
- Requires RMON2 devices
- Use ODS Networks Secure Switch Investigator
- Looks for evidence of alien conversations served from within the victim's perimeter
- By moving "outwards" a step at a time, determine the source of the attack
MCI DoSTracker
- Attempts to trace source-forged packets, starting at a victim location and tracing backwards to the possible source
- Attack must be in progress
- Process: log in to the starting edge router
  - Deploy access control list in debug mode for victim IP
  - Clear victim subnet cache
  - Look for forged packets by comparing to route table
  - Spawn separate process to log into next hop router and continue
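An added illustration of the "compare to route table" step (this is not MCI's tool or its code): a reverse-path check over a constructed routing table and a constructed packet capture that flags packets for the victim whose source address would not be routed back out the interface they arrived on, then reports which interfaces the forged traffic is really entering on, which is where the trace continues.

```python
import ipaddress
from collections import Counter

# Constructed routing table for the edge router: prefix -> interface used to reach it.
ROUTES = {
    "0.0.0.0/0": "serial0",       # default route towards the upstream provider
    "192.0.2.0/24": "eth1",       # customer subnet; the victim lives here
    "198.51.100.0/24": "eth2",    # second customer subnet
    "203.0.113.0/24": "serial0",  # a remote network reached via the upstream
}
TABLE = [(ipaddress.ip_network(p), i) for p, i in ROUTES.items()]
VICTIM = ipaddress.ip_address("192.0.2.10")

# Constructed capture of packets seen at the router: (source, destination, ingress interface)
PACKETS = [
    ("198.51.100.5", "192.0.2.10", "eth2"),     # source really is behind eth2
    ("198.51.100.9", "192.0.2.10", "serial0"),  # claims a customer subnet but came from upstream
    ("203.0.113.7", "192.0.2.10", "serial0"),   # ordinary Internet source, consistent
    ("192.0.2.200", "192.0.2.10", "serial0"),   # victim's own subnet as source, arriving from outside
    ("10.9.8.7", "198.51.100.1", "serial0"),    # not aimed at the victim: ignored
]

def route_for(addr):
    """Longest-prefix match: the interface this router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

def spoofed_towards_victim(packets):
    """Packets for the victim whose source address would be routed back out a
    different interface than the one they arrived on (a reverse-path mismatch)."""
    suspicious = []
    for src, dst, ingress in packets:
        if ipaddress.ip_address(dst) != VICTIM:
            continue
        expected = route_for(src)
        if expected != ingress:
            suspicious.append((src, ingress, expected))
    return suspicious

def next_hop_interfaces(suspicious):
    """Interfaces the forged traffic is really entering on: the trace continues
    at the router on the far side of each one (DoSTracker's 'next hop')."""
    return Counter(ingress for _, ingress, _ in suspicious)
```

A strict reverse-path check misfires under asymmetric routing, so treat a mismatch as a lead to confirm at the next-hop router rather than as proof that the source is forged.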
CMDS - Abuse at the Host
- Manager-agent architecture
- Responds to violations of policies
- Analyzes usage patterns
  - Identifies rogue users
  - Identifies masqueraders
- Available from ODS Networks

Summary
- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement