
Investigating Internet Security Incidents: A Brief Introduction to Cyber Forensic Analysis
Peter Stephenson
Copyright © 1998-1999 Sanda International Corp.


Slide 1: Investigating Internet Security Incidents: A Brief Introduction to Cyber Forensic Analysis (title slide, Peter Stephenson)

Slide 2: Agenda
- Intrusion approaches
- Investigative tool kit
- Investigative approaches
- End-to-end tracing
- Evidence collection and preservation
- Forensic use of RMON2-based tools for documenting the path of an attack

Slide 3: What is Cyber Crime?
- Crimes directed against a computer
- Crimes where the computer contains evidence
- Crimes where the computer is used to commit the crime

Slide 4: The Nature of Computer-Related Crime in Today's Organizations (chart; source: 1998 CSI/FBI Study)

Slide 5: There Are Only 4 Kinds of Attacks
- Denial of service
- Social engineering
- Technical
- Sniffing

Slide 6: Intrusion Approaches
- Target selection, research and background information
  - Internet searches
  - Whois, nslookup
- Preliminary probing (avoid logging, get passwords)
  - POP probe
  - Sniffing
  - DNS zone transfer
  - SMTP probe
  - Other simple probes
- Search for back doors
- Technical attack or social engineering

Slide 7: Cleaning Up After an Attack
- Delete tools and work files
- Modify logs (Unix example)
  - syslog
  - messages files (especially the mail log)
  - su log
  - lastlog (including wtmp and utmp)
  - daemon logs
  - transfer logs

Slide 8: INVESTIGATIVE AXIOM: Treat every incident as if it will end up in a criminal prosecution.

Slide 9: Your Investigative Tool Kit
- Policies
- Criminal profiling
- Tracing tools
- Log analysis
- Crime scene (victim computer) analysis
- E-mail header analysis
- News group header analysis

Slide 10: The Role of Policies
- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she has read them, understands them and will comply with them
- They can't violate the law

Slide 11: Electronic Communications Privacy Act - Your Enabling Law
- The owner may intercept communications between an intruder and that owner's computer system
- An owner providing others with the ability to use that computer to communicate with other computer systems may:
  - make routine backups and perform other routine monitoring
  - intercept with prior consent of the user
  - intercept portions of communications necessary to determine origin and destination
  - intercept where necessary to protect the owner's rights or property
  - disclose to law enforcement any communications inadvertently discovered which reveal criminal activity

Slide 12: Criminal Profiling
- Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
- Classical profiling goals - to provide:
  - a social and psychological assessment of the offender
  - a psychological evaluation of relevant possessions found with suspected offenders
  - strategies that should be used when interviewing offenders

Slide 13: Crime Scene Analysis
- Branch of profiling using standard investigative techniques to analyze crime scenes
- Investigators are usually most comfortable with this approach
- Very useful in computer incidents

Slide 14: Developing a Profile of an Intruder
- Crime scene analysis
  - How was access obtained? What skills were required?
  - How did the intruder behave on the system? Damage? Clean-up? Theft?
- Investigative psychology
  - Motivation
  - Personality type

Slide 15: Goals of an Investigation
- To ensure that all applicable logs and evidence are preserved
- To understand how the intruder is entering the system
- To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena for information from an ISP
- To discover why the intruder has chosen the computer
- To gather as much evidence of the intrusion as possible
- To obtain information that may narrow your list of suspects
- To document the damage caused by the intruder
- To gather enough information to decide whether law enforcement should be involved

Slide 16: Immediate Objective: PRESERVE THE EVIDENCE!!!
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage
- Collect local logs
- Image disks on victim computers

Slide 17: Building an Incident Hypothesis
- Start with witness accounts
- Consider how the intruder could have gained access
  - Eliminate the obvious
  - Use logs and other physical evidence
    - Consider the skill level or inside knowledge required
- Create mirrors of affected computers

Slide 18: Building an Incident Hypothesis (continued)
- Develop a profile of the intruder
- Consider the path into the victim computer
- Recreate the incident in the lab
  - Use real mirrors whenever possible
- Consider alternative explanations
  - Test alternatives

Slide 19: Incident Reconstruction
- Physical
  - Use mirrors of the actual involved systems
  - Useful for single computers
- Logical
  - Use similar systems
  - Useful for networks where you have access to the entire network
- Theoretical
  - Hypothesize intermediate computers
  - Necessary when you can't access all involved computers

Slide 20: Back Tracing
- Elements of a back trace
  - End points
  - Intermediate systems
  - E-mail and packet headers
  - Logs
- Objective: to get to a dial-in POP
- The only messages that can't be back traced are those using a true anonymizer and those where no logs are present

Slide 21: Enabling Relationships (diagram; only its labels survive in the transcript: attack path DIAL, INTERNET, PENETRATE HOST, ATTACK VICTIM; log sources OUR LOGS, ISP's LOGS, TELCO LOGS)

Slide 22: Obtaining Subpoenas
- Notify the involved organization that you are going to subpoena and request that they preserve evidence; find out who to deliver the subpoena to
- File a John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
- Subpoena the logs you need
  - Get everything you can on the first pass
  - May need depositions

Slide 23: Requirements for Logs to be Used as Evidence
- Must not be modifiable
  - Spool off to a protected loghost
  - Optical media
  - Backups
- Must be complete
  - All superuser access
  - Login and logout
  - Attempts to use any controlled services
  - Attempts to access critical resources
  - details
- Appropriate retention

Slide 24: Tracing Headers (annotated header listing; host names, addresses and clock times are missing from the transcript)

(3) Received: from ([XXX.XXX ]) by ; Sat, 12 Sep :25:
(2) Received: from by (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep :31:
(1) Received: (from by (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep :25: (EDT)
Date: Sat, 12 Sep :25: (EDT)
(4) From: fake user
Message-Id:
Content-Type: text/plain
Mime-Version: 1.0
To:
Content-Transfer-Encoding: 7bit
Subject: This is a forged message

Slide 25: Performing the Trace (flow)
- Contact iname's Security Officer
- Connect account name, time and message ID to the source IP address
- Get logs from the source IP
- Who was connected at the time of the e-mail?
- Locate the ISP and contact its Security Officer
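The first step of the trace in slides 24 and 25 is reading the Received: headers bottom-up. The following Python, added here as an illustration and not part of the original presentation, recovers the relay chain in delivery order, extracts the queue ids and timestamps that are later matched against each relay's logs, and flags a hop that does not chain to the previous relay or a relay clock that runs behind the previous one. The message, host names, addresses and ids are constructed.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the annotated listing in the slide; every host name,
# address, queue id and time here is made up (the slide's own values are not reproduced).
SAMPLE_MESSAGE = """\
Received: from relay.isp.example ([192.0.2.10]) by mx.victim.example; Sat, 12 Sep 1998 18:25:41 -0400
Received: from shell.isp.example by relay.isp.example (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 18:31:02 -0400
Received: (from user@localhost) by shell.isp.example (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:15 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:15 -0400 (EDT)
From: fake user <someone@iname.example>
Message-Id: <199809122225.SAA29949@shell.isp.example>
Subject: This is a forged message
"""

def parse_received(value):
    """Pull the 'from' host, bracketed IP, 'by' host, queue id and timestamp out of one Received: header."""
    value = " ".join(value.split())  # unfold continuation lines
    frm = re.search(r"from\s+([^\s()]+)", value, re.I)
    by = re.search(r"\bby\s+([^\s(;]+)", value, re.I)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    qid = re.search(r"\bid\s+([A-Za-z0-9]+)", value, re.I)
    ts = None
    if ";" in value:  # the date follows the last ';' (RFC 822 Received syntax)
        try:
            ts = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {"from": frm.group(1) if frm else None, "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None, "id": qid.group(1) if qid else None, "time": ts}

def trace_hops(raw_message):
    """Relay chain in delivery order (origin first): each relay prepends its own Received:, so the bottom one is closest to the sender."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]

def check_chain(hops):
    """Flag a hop whose 'from' host is not the previous relay's 'by' host, and a relay clock that runs behind the previous one."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append(f"hop claims from {cur['from']} but previous relay was {prev['by']}")
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            findings.append(f"clock skew: {cur['by']} stamped earlier than {prev['by']}")
    return findings
```

Because relay clocks disagree (the sample reproduces the kind of skew visible in the slide's own :31 and :25 stamps), the queue id and Message-Id, not the timestamps, are what connect a header to a line in the relay's log.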

Slide 26: Evidence Collection & Preservation
- Forensic evidence
  - Safeback: creates physical images and mirrors of affected computers
- Forensic analysis
  - NTI tools
- NEVER work directly on the evidence
  - Never contribute to the evidence
- Ensure chain of custody

Slide 27: RMON2 Tracing Tools
- Requires RMON2 devices
- Use ODS Networks Secure Switch Investigator
- Looks for evidence of alien conversations served from within the victim's perimeter
- By moving "outwards" a step at a time, determine the source of the attack

Slide 28: MCI DoSTracker
- Attempts to trace source-forged packets, starting at a victim location and tracing backwards to the possible source
- Attack must be in progress
- Process: log in to the starting edge router
  - Deploy an access control list in debug mode for the victim IP
  - Clear the victim subnet cache
  - Look for forged packets by comparing to the route table
  - Spawn a separate process to log into the next-hop router and continue
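The "compare to the route table" step above, as an added Python illustration that is not MCI's tool or code: for each packet the debug-mode access list logs on the current router, a reverse-path check asks whether this router would reach the packet's claimed source through the interface the packet actually arrived on. Mismatches are spoofed-source candidates, and their ingress interfaces say which neighbour to log into next. The route table, interface names and packets are constructed.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router (prefix -> outbound interface);
# all prefixes and interface names are made up for this example.
ROUTE_TABLE = {
    "10.0.0.0/8": "eth0",        # customer side
    "192.0.2.0/24": "eth0",      # the victim's subnet
    "198.51.100.0/24": "eth1",   # upstream peer
    "0.0.0.0/0": "eth1",         # default route towards the rest of the Internet
}

def best_route(ip, table):
    """Longest-prefix match: the interface this router would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forged_source_packets(packets, table):
    """Reverse-path check: keep packets whose claimed source would be reached through a
    different interface than the one they arrived on; they cannot have come from where
    they claim, so they are spoofed-source candidates."""
    suspects = []
    for pkt in packets:
        expected = best_route(pkt["src"], table)
        if expected != pkt["ingress"]:
            suspects.append(dict(pkt, expected_ingress=expected))
    return suspects

def next_hop_interfaces(suspects):
    """Interfaces the suspect packets came in on: the neighbours to continue the trace from."""
    return {pkt["ingress"] for pkt in suspects}

# Constructed sample of what the debug-mode access list for the victim IP might log.
SAMPLE_PACKETS = [
    {"src": "10.1.2.3", "dst": "192.0.2.80", "ingress": "eth0"},     # legitimate customer
    {"src": "203.0.113.9", "dst": "192.0.2.80", "ingress": "eth1"},  # legitimate Internet host
    {"src": "10.9.9.9", "dst": "192.0.2.80", "ingress": "eth1"},     # claims an internal source, came from upstream
    {"src": "192.0.2.5", "dst": "192.0.2.80", "ingress": "eth1"},    # claims the victim's own subnet, came from upstream
]

if __name__ == "__main__":
    hits = forged_source_packets(SAMPLE_PACKETS, ROUTE_TABLE)
    for hit in hits:
        print("forged source", hit["src"], "arrived on", hit["ingress"], "expected", hit["expected_ingress"])
    print("continue trace on", next_hop_interfaces(hits))
```

Asymmetric routing makes legitimate packets fail a strict reverse-path check, so hits are leads to follow hop by hop, not proof of forgery.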

Slide 29: CMDS - Abuse at the Host
- Manager-agent architecture
- Responds to violations of policies
- Analyzes usage patterns
  - Identifies rogue users
  - Identifies masqueraders
- Available from ODS Networks

Slide 30: Summary
- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement
