Tan COMPUTER FORENSICS
FORENSICS IS A FOUR STEP PROCESS
- Acquisition
- Identification
- Evaluation
- Presentation
RCMP Technical Security Branch - "Computer Forensics: An Approach to Evidence in Cyberspace" (RCMP GRC Publications) by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

GROUND ZERO – WHAT YOU CAN DO
- Do not start looking through files
- Establish an evidence custodian; start a journal with the date and time, keep detailed notes
- Designate equipment as “off-limits” to normal activity (if possible), especially back-ups (with dump or other backup utilities), locally or remotely scheduled house-keeping, and configuration changes
- Collate mail, DNS and other network service logs to support host data capture
- Exhaustive external TCP and UDP port scans of the host (unless tcp-wrapped)
- Contact security department or CERT, management, police or FBI, affected sites*
- Packaging/labeling and shipping
- Short-term storage

Incident Response – What the Pros Do
- Identify, designate or become the evidence custodian
- Review any journal of what has been done to the system already and how the intrusion was detected
- Start or maintain existing journal
- Install a sniffer
- Backdoors
- If possible without rebooting, make two byte by byte copies of the physical disk
- Capture network info
- Capture process listings and open files
- Capture configuration information to disk and notes
- Receipt and signing of data

Data Collection with dd, TCT & cryptcat

Sending side:
Script started on Fri Sep 29 16:39:
# grave-robber -v -F -i -l -M -m -O -P -S -s -t -V /
# tar -c $TCT_HOME/data/`hostname` | cryptcat -k f0renzikz juarez 33
^C punt!
# df -k
Filesystem kbytes used avail capacity Mounted on
/proc % /proc
/dev/dsk/c0t0d0s % /
/dev/dsk/c0t0d0s % /usr
fd % /dev/fd
/dev/dsk/c0t0d0s % /var
/dev/dsk/c0t0d0s % /export/home
swap % /tmp
# ./dd if=/dev/dsk/c0t0d0s0 bs=1024 | cryptcat -k f0renzikz juarez
farm9crypt_init: f0renzikz
records in
records out
^C punt!
# exit
script done on Fri Sep 29 16:57:

Receiving side:
Script started on Fri Sep 29 16:35:
juarez% cryptcat -k f0renzikz -l -p 33 > jezabelle_gr.tar
^C punt!
Bus error (core dumped)
juarez% df -k .
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t8d0s % /export/home
juarez% cryptcat -k f0renzikz -l -p > jezabelle.c0t0d0s0
^C punt!
Bus error (core dumped)
juarez% exit
script done on Fri Sep 29 16:54:

Acquisition – Takin’ it Off-Line
- SLR – take pictures
- Considerations before pulling the plug
- Unplug the system from the network
- If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
- Unplug the system (power)
- Packaging/labeling
- Shipping

FBI List of Computer Forensic Laboratory Services
- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)
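The dd step from the collection transcript, carried through on a single host as an added example (not from the original slides): a byte-for-byte copy of a device, with dd's record counts and the SHA-256 of source and image written to the custodian's journal in GMT so the copy can be verified after shipping. Function names are hypothetical, and the "disk" is a constructed file standing in for a device such as /dev/dsk/c0t0d0s0.

```shell
#!/bin/sh
# Added example: acquisition with dd plus an integrity record for the journal.
# Names are hypothetical; make_test_disk builds a constructed stand-in device.
set -u

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append a GMT-timestamped line to the evidence journal (clocks on GMT).
journal_note() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$2" >>"$1"
}

# acquire_image SRC DEST JOURNAL
# Copy SRC to DEST block by block; dd's "records in/records out" lines
# go into the journal, followed by the hashes of source and image.
acquire_image() {
    src=$1; dest=$2; journal=$3
    journal_note "$journal" "dd if=$src of=$dest bs=1024 started"
    dd if="$src" of="$dest" bs=1024 2>>"$journal" || return 1
    journal_note "$journal" "source sha256 $(sha256_of "$src")"
    journal_note "$journal" "image  sha256 $(sha256_of "$dest")"
}

# verify_image SRC DEST: succeed only if the two hashes match,
# which is the receiving side's check before signing for the data.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Constructed stand-in for a physical disk: 8 KiB of random bytes.
make_test_disk() {
    head -c 8192 /dev/urandom >"$1"
}
```

Run acquire_image twice with two destinations to produce the two byte-by-byte copies the slides call for; each gets its own journal entries.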
Summarization of acquisition (1)
Summarization of acquisition (2)
Summarization of acquisition (3)
Summarization of acquisition (4)
Extraction with Lazarus
Script started on Sat Sep 30 16:23:
forensics]# ../tct-1.03/bin/lazarus -B -h -H ../www -D ../blocks -w ../www -t ./valencia.hda1
www]# cd ../www
www]# netscape ./valencia.hda1.html
Summarization of extraction (1)
Summarization of extraction (2)
Summarization of extraction (3)
Correlating Log Files
- Where to look
- What do log entries mean?
- How to narrow your search
- How reliable is the data?

Shipping and Storage
- UPS/FEDEX Requirements
- Laboratory Requirements
- Latent Materials
- Tamper Evident Packaging
- Restricted Access and Low Traffic, Camera Monitored Storage
- Sign In/Out for Chain of Custody

Thinking Strategic
- Preparing with procedures and checklists
- Having an evidence locker
- OS Accounting turned on
- Log IP Numbers - DO NOT RESOLVE!
- Clocks synchronized to GPS on GMT
- Evidence Server
- Use of encrypted file systems
- Tools and materials
Pocket Security Toolkit
ADDITIONAL RESOURCES
- RCMP Article on the Forensic Process: http://grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner’s Page: Forensic Analysis, Building Honeypots
- Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts
- The Forensic Toolkit (NT)
- Cryptcat
- Long Play Video Recorders
- FBI Handbook of Forensic Services
- Solaris Fingerprint Database for cryptographic comparison of system binaries
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion
- ONCTek List of possible Trojan/Backdoor Activity
- Sixteen Tips for Testifying in Court from the “PI Mall”

Thank you … very much.