Tan COMPUTER FORENSICS.


Presentation transcript:

1 Tan (tan@atstake.com) COMPUTER FORENSICS

2 FORENSICS IS A FOUR STEP PROCESS
• Acquisition
• Identification
• Evaluation
• Presentation
Source: RCMP Technical Security Branch, "Computer Forensics: An Approach to Evidence in Cyberspace" (RCMP GRC Publications), by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96). http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm

3 GROUND ZERO – WHAT YOU CAN DO
• Do not start looking through files.
• Establish an evidence custodian; start a journal with the date and time and keep detailed notes.
• Designate equipment as "off-limits" to normal activity (if possible), especially backups (with dump or other backup utilities), locally or remotely scheduled housekeeping, and configuration changes.
• Collate mail, DNS and other network service logs to support host data.
• Capture exhaustive external TCP and UDP port scans of the host (unless tcp-wrapped).
• Contact the security department or CERT, management, police or FBI, affected sites*.
• Packaging/labeling and shipping.
• Short-term storage.

4 Incident Response – What the Pros Do
• Identify, designate or become the evidence custodian.
• Review any journal of what has been done to the system already and how the intrusion was detected.
• Start or maintain the existing journal.
• Install a sniffer.
• Backdoors.
• If possible without rebooting, make two byte-by-byte copies of the physical disk.
• Capture network info.
• Capture process listings and open files.
• Capture configuration information to disk and notes.
• Receipt and signing of data.

5 Data Collection with dd, TCT & cryptcat

Sending side (the compromised host, recorded with script):

    Script started on Fri Sep 29 16:39:41 2000
    # grave-robber -v -F -i -l -M -m -O -P -S -s -t -V /
    # tar -c $TCT_HOME/data/`hostname` | cryptcat -k f0renzikz juarez 33
    ^C punt!
    # df -k
    Filesystem            kbytes    used   avail capacity  Mounted on
    /proc                      0       0       0     0%    /proc
    /dev/dsk/c0t0d0s0     240302   37942  178330    18%    /
    /dev/dsk/c0t0d0s6    2209114  324049 1840883    15%    /usr
    fd                         0       0       0     0%    /dev/fd
    /dev/dsk/c0t0d0s1     480620    2983  429575     1%    /var
    /dev/dsk/c0t0d0s7     961257      94  903488     1%    /export/home
    swap                  196312     832  195480     1%    /tmp
    # ./dd if=/dev/dsk/c0t0d0s0 bs=1024 | cryptcat -k f0renzikz juarez 37737
    farm9crypt_init: f0renzikz
    256095+0 records in
    256095+0 records out
    ^C punt!
    # exit
    script done on Fri Sep 29 16:57:51 2000

Receiving side (the evidence host juarez):

    Script started on Fri Sep 29 16:35:37 2000
    juarez% cryptcat -k f0renzikz -l -p 33 > jezabelle_gr.tar
    ^C punt!
    Bus error (core dumped)
    juarez% df -k .
    Filesystem            kbytes    used   avail capacity  Mounted on
    /dev/dsk/c0t8d0s7    9344221 5836607 3414172    64%    /export/home
    juarez% cryptcat -k f0renzikz -l -p 37737 > jezabelle.c0t0d0s0
    ^C punt!
    Bus error (core dumped)
    juarez% exit
    script done on Fri Sep 29 16:54:53 2000

Two things to keep in mind when reading this: ./dd runs a copy of dd carried in the responder's own toolkit rather than the host's binary, and c0t0d0s0 is the mounted root filesystem (see df), so the image is of a live, changing filesystem, not a frozen one. Hash the image on both ends and record both hashes in the journal before relying on it; the listener being killed with ^C is exactly the kind of step that a hash comparison catches if it truncated the file.
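As an added example (not code from the deck, TCT or cryptcat), the following Python imitates the dd-over-a-pipe step above with the checks a practitioner wants around it: it copies a "device" block by block with bs=1024, hashes exactly the bytes written, drops a sha256sum-style sidecar next to the image, appends a journal entry, and verifies the copy on the receiving side. The device is a constructed in-memory file, the transport is a local write instead of cryptcat, and acquire_image(), verify_image(), FlakyReader, sample_disk() and the journal format are this example's own names. It also shows the one thing a bare dd (as in the deck) does not do: continue past an unreadable block the way conv=noerror,sync would, recording which block was zero-filled.

```python
# Added example (not from the deck): dd-style imaging with a streaming hash,
# a .sha256 sidecar and a journal entry, plus receiver-side verification.
# The "device" is a constructed in-memory file and the transport is a local
# write instead of cryptcat; acquire_image(), verify_image(), FlakyReader
# and the journal format are this example's own names.
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024  # same block size as the deck's dd bs=1024


class FlakyReader:
    """Constructed stand-in for a raw disk device.  Reading block
    `bad_block` raises OSError (like a bad sector), but the position still
    advances so the copy can continue past it."""

    def __init__(self, data, bad_block=None):
        self._buf = io.BytesIO(data)
        self._bad = bad_block
        self._next = 0

    def read(self, size):
        idx, self._next = self._next, self._next + 1
        chunk = self._buf.read(size)
        if idx == self._bad:
            raise OSError(5, "Input/output error")
        return chunk


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(src, dst_path, bs=BLOCK, journal=None):
    """Copy src to dst_path block by block, hashing exactly the bytes
    written.  An unreadable block is zero-filled and recorded instead of
    aborting the copy (dd's conv=noerror,sync); a bare dd, as in the deck,
    stops at the first read error and leaves a short image."""
    h = hashlib.sha256()
    bad = []
    n = 0
    with open(dst_path, "wb") as out:
        while True:
            try:
                chunk = src.read(bs)
            except OSError:
                bad.append(n)
                chunk = b"\x00" * bs
            if not chunk:
                break
            out.write(chunk)
            h.update(chunk)
            n += 1
    digest = h.hexdigest()
    # Sidecar in sha256sum's "<hex>  <file>" format so the receiver can
    # check it with the stock tool as well.
    with open(dst_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(dst_path)}\n")
    if journal is not None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        journal.append(f"{stamp} imaged -> {dst_path} blocks={n} "
                       f"bad_blocks={bad} sha256={digest}")
    return {"sha256": digest, "blocks": n, "bad_blocks": bad}


def verify_image(path, bs=BLOCK):
    """Receiver side: recompute the hash and compare it with the sidecar.
    Any truncation or later modification of the image makes this False."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            h.update(chunk)
    with open(path + ".sha256") as f:
        expected = f.read().split()[0]
    return h.hexdigest() == expected


def sample_disk():
    """Constructed 8-block 'disk' contents (not real evidence)."""
    return bytes(range(256)) * (8 * BLOCK // 256)


def demo(bad_block=3):
    """Image the constructed disk (with block `bad_block` unreadable),
    verify the copy, and return what was produced."""
    data = sample_disk()
    workdir = tempfile.mkdtemp(prefix="evidence-")
    image = os.path.join(workdir, "jezabelle.c0t0d0s0")
    journal = []
    info = acquire_image(FlakyReader(data, bad_block), image, journal=journal)
    return {"info": info, "verified": verify_image(image),
            "journal": journal, "image": image}


if __name__ == "__main__":
    result = demo()
    print(result["info"])
    print("verified:", result["verified"])
    print("\n".join(result["journal"]))
```

The hash is computed over the stream as it is written, not over the source afterwards, so it describes the image you actually have; on a live filesystem a second read of the source would not match anyway. Zero-filling a bad block keeps offsets in the image aligned with the device, which is what later block-level tools such as lazarus need.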

6 Acquisition – Takin' it Off-Line
• SLR: take pictures.
• Considerations before pulling the plug.
• Unplug the system from the network.
• If possible, freeze the system such that the current memory, swap files and even CPU registers are saved or documented.
• Unplug the system (power).
• Packaging/labeling.
• Shipping.

7 FBI List of Computer Forensic Laboratory Services
• Content (what type of data)
• Comparison (against known data)
• Transaction (sequence)
• Extraction (of data)
• Deleted Data Files (recovery)
• Format Conversion
• Keyword Searching
• Password (decryption)
• Limited Source Code (analysis or compare)
• Storage Media (many types)

8 Summarization of acquisition (1)

9 Summarization of acquisition (2)

10 Summarization of acquisition (3)

11 Summarization of acquisition (4)

12 Extraction with Lazarus

    Script started on Sat Sep 30 16:23:03 2000
    [root@plaything forensics]# ../tct-1.03/bin/lazarus -B -h -H ../www -D ../blocks -w ../www -t ./valencia.hda1
    [root@plaything www]# cd ../www
    [root@plaything www]# netscape ./valencia.hda1.html
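To make concrete what a lazarus run like the one above produces, here is an added example (not the deck's code and not TCT's): a small lazarus-style pass over a raw image that splits it into blocks, guesses each block's content type from its bytes, emits a one-character-per-block map, and writes the blocks of interest out as individual files the way lazarus fills its blocks directory. The type letters, the heuristics, the constructed eight-block image and the function names (classify_block, block_map, blocks_of_type, extract_blocks, build_image, demo_extract) are this example's own; lazarus's real codes and heuristics differ.

```python
# Added example (not from the deck and not TCT code): a lazarus-style pass
# over a raw image that classifies each block and writes out the ones you
# care about.  Type codes, heuristics and the image are this example's own.
import gzip
import os
import re
import tempfile

BLOCK = 1024

# Magic numbers checked at the start of a block (own code letters).
MAGIC = [
    (b"\x7fELF", "e"),       # ELF binary
    (b"\x1f\x8b", "z"),      # gzip stream
    (b"\xff\xd8\xff", "j"),  # JPEG
    (b"%PDF", "p"),          # PDF
]
# One passwd-style record at the start of a line: name:pw:uid:gid:
PASSWD = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)


def classify_block(blk):
    """Return a one-letter content guess for a single block."""
    body = blk.rstrip(b"\x00")          # ignore zero slack at the end
    if not body:
        return "."                      # all zeros: unused
    for magic, code in MAGIC:
        if body.startswith(magic):
            return code
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(body) < 0.9:
        return "b"                      # binary with no known magic
    text = body.decode("ascii", "replace").lower()
    if "<html" in text or "<a href" in text:
        return "h"                      # HTML
    if PASSWD.search(text):
        return "w"                      # password-file fragment
    if "#include" in text or "int main(" in text:
        return "c"                      # C source
    return "t"                          # other text


def block_map(image, bs=BLOCK):
    """Classify every block; the result reads like lazarus's block map."""
    return "".join(classify_block(image[i:i + bs])
                   for i in range(0, len(image), bs))


def blocks_of_type(image, code, bs=BLOCK):
    """Block numbers whose classification is `code`."""
    return [i for i, c in enumerate(block_map(image, bs)) if c == code]


def extract_blocks(image, outdir, keep=None, bs=BLOCK):
    """Write each non-empty block (or only those whose code is in `keep`)
    to outdir as blk<N>.<code> and return the paths written."""
    paths = []
    for i, code in enumerate(block_map(image, bs)):
        if code == "." or (keep is not None and code not in keep):
            continue
        path = os.path.join(outdir, f"blk{i}.{code}")
        with open(path, "wb") as f:
            f.write(image[i * bs:(i + 1) * bs])
        paths.append(path)
    return paths


def _pad(b):
    return b.ljust(BLOCK, b"\x00")[:BLOCK]


def build_image():
    """Constructed 8-block image: text, zeros, ELF, HTML, gzip, passwd,
    JPEG, then raw binary (not a real disk image)."""
    return b"".join(_pad(b) for b in [
        b"Script started on Sat Sep 30 16:23:03 2000\n[root@plaything forensics]# ls\n",
        b"",
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00",
        b"<html><body><a href=\"http://www.fish.com/forensics/\">TCT</a></body></html>\n",
        gzip.compress(b"tar archive goes here", mtime=0),
        b"root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/bin/false\n",
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
        bytes(range(256)) * 4,
    ])


def demo_extract(keep="wh"):
    """Classify the constructed image and write out the selected blocks."""
    img = build_image()
    out = tempfile.mkdtemp(prefix="blocks-")
    return extract_blocks(img, out, keep=keep)


if __name__ == "__main__":
    print(block_map(build_image()))    # t.ehzwjb
    for p in demo_extract():
        print(p)
```

Trailing zero slack is stripped before the printable-byte ratio is taken; otherwise a block holding a short text file would be misread as binary. Classification is by content only, since by the time you are looking at unallocated blocks there is no filesystem metadata left to trust.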

13 Summarization of extraction (1)

14 Summarization of extraction (2)

15 Summarization of extraction (3)

16 Correlating Log Files
• Where to look
• What do log entries mean?
• How to narrow your search
• How reliable is the data?
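The four questions above come down to one mechanical step before any interpretation: put entries from different hosts on one clock. As an added example (not code from the deck), the Python below merges syslog lines from two hosts into a single UTC timeline after applying each host's time zone and measured clock skew, narrows to a window around one event, and lists the raw IP addresses involved without resolving them, which is the point of slide 18's "DO NOT RESOLVE" and "clocks synchronized to GPS on GMT" items. The log lines, host names (jezabelle, juarez, mystery), zones, skews and addresses are all constructed; HOST_CLOCKS stands in for clock checks the responder would have written in the journal.

```python
# Added example (not from the deck): merge syslog lines from two hosts into
# one UTC timeline after correcting each host's clock, then narrow to a
# window around an event and list the raw IPs involved.  Log lines, host
# names, time zones, skews and addresses are all constructed.
import re
from datetime import datetime, timedelta, timezone

SYSLOG = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                    r"(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# What the journal recorded about each host's clock (constructed): its
# local zone, and how far ahead (+) or behind (-) a GPS/NTP reference it
# was found to be.  Classic syslog lines carry neither year nor zone.
HOST_CLOCKS = {
    "jezabelle": {"tz": timezone(timedelta(hours=-4)),
                  "skew": timedelta(minutes=7, seconds=12)},
    "juarez":    {"tz": timezone(timedelta(hours=-7)),
                  "skew": timedelta(seconds=-3)},
}

# Constructed sample lines: the compromised host (jezabelle) and a sniffer
# host (juarez) that saw the same SSH connection, plus a host whose clock
# was never checked.
SAMPLE_LOGS = [
    "Sep 29 14:58:10 jezabelle in.ftpd[2214]: connect from 10.3.4.5",
    "Sep 29 15:02:40 jezabelle sshd[2231]: Accepted password for root from 10.3.4.5 port 40112",
    "Sep 29 15:03:05 jezabelle su: 'su root' succeeded for bob on /dev/pts/3",
    "Sep 29 11:55:13 juarez snort[400]: TCP 10.3.4.5:40112 -> 192.168.1.20:22",
    "Sep 29 15:00:00 mystery cron[77]: no clock data for this host",
]


def parse_line(line, year):
    """Parse one syslog line and return it with a corrected UTC timestamp.
    Raises KeyError when the host's clock is undocumented: without a
    measured skew the timestamp cannot be trusted against other hosts."""
    m = SYSLOG.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    host = m.group("host")
    clock = HOST_CLOCKS[host]
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    local = datetime(year, MONTHS[m.group("mon")], int(m.group("day")),
                     hh, mm, ss, tzinfo=clock["tz"])
    true_utc = local.astimezone(timezone.utc) - clock["skew"]
    return {"utc": true_utc, "host": host, "msg": m.group("msg"), "raw": line}


def timeline(lines, year=2000):
    """Return (events sorted by corrected UTC time, lines skipped because
    their host's clock is undocumented or the line did not parse)."""
    events, skipped = [], []
    for line in lines:
        try:
            events.append(parse_line(line, year))
        except (KeyError, ValueError):
            skipped.append(line)
    events.sort(key=lambda e: e["utc"])
    return events, skipped


def window(events, center, seconds):
    """Narrow the search: events within +/- seconds of `center` (UTC)."""
    span = timedelta(seconds=seconds)
    return [e for e in events if abs(e["utc"] - center) <= span]


def ips_seen(events):
    """Raw IP addresses in the messages, deliberately not resolved: the
    PTR record belongs to whoever controls that address space and can
    change, so the number is the evidence, not the name."""
    return {ip for e in events for ip in IPV4.findall(e["msg"])}


if __name__ == "__main__":
    events, skipped = timeline(SAMPLE_LOGS)
    for e in events:
        print(e["utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), e["host"], e["msg"])
    print("skipped:", skipped)
    print("ips:", sorted(ips_seen(events)))
```

Read on their raw clocks, juarez's sniffer entry (11:55:13) and jezabelle's login (15:02:40) look hours apart; corrected, the sniffer saw the connection at 18:55:16 UTC and the host accepted the password twelve seconds later, which is the ordering you need before you can say what the entries mean. Lines from a host with no recorded clock check are set aside rather than silently placed, which is the honest answer to "how reliable is the data?".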

17 Shipping and Storage
• UPS/FedEx requirements
• Laboratory requirements
• Latent materials
• Tamper-evident packaging
• Restricted access and low traffic, camera-monitored storage
• Sign in/out for chain of custody

18 Thinking Strategic
• Preparing with procedures and checklists
• Having an evidence locker
• OS accounting turned on
• Log IP numbers - DO NOT RESOLVE!
• Clocks synchronized to GPS on GMT
• Evidence server
• Use of encrypted file systems
• Tools and materials

19 Pocket Security Toolkit

20 ADDITIONAL RESOURCES
• RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
• Lance Spitzner's Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
• Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
• The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
• Cryptcat. http://www.farm9.com/Free_Tools/Cryptcat
• Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
• FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
• Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
• Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
• ONCTek List of possible Trojan/Backdoor Activity. http://www.onctek.com/trojanports.html
• Sixteen Tips for Testifying in Court from the "PI Mall". http://www.pimall.com/nais/n.testify.html

21 Thank you … … very much.

