Computer Forensics 101 & Incident Response

Transcription

1 The Leader in Computer Forensics and Incident Response Solutions Computer Forensics 101 & Incident Response Wednesday, October 1, 2003 Richard Cummings Manager of Security Engineering Jake Lowry Enterprise Business manager

2 A few statistics 65% of attacks succeed Source: Defense Information Systems Agency CSI/FBI 2003 Computer Crime and Security Survey Source: Computer Security Institute Largest dollar loss reported: $70,195,900: Theft of IP Likely Source of Attacks: 2002 Hacker: 82% Disgruntled Employee: 75% 2003 Hacker: 82% Disgruntled Employee: 77% 93% of all information produced is digital Source: UC Berkeley Study

3 Threats to the Enterprise Internal: Hacking tools and discovery tools Mishandling and theft of IP Unauthorized applications Theft of customer information Unauthorized communications Harassment Counterfeiting/ fraud Possession of Inappropriate material Rogue servers and services Computer file deletion/destruction Wrongful Termination External: Unauthorized users/ intruders Vandalism DoS attacks IP piracy

4 Sources of Liabilities Liability To Customers/ Compromise of Information Liability to Regulators -Mandated Incident Response Process -Internal Controls Due Diligence Liability to Shareholders -Loss of IP, Internal Fraud -Uncontained Security Incident Downstream Liability Destruction of Evidence

5 Mandated Incident Response Plans FTC Safeguards Rule Requires covered entities to maintain information security program that includes Detecting, Preventing and Responding to Attacks, Intrusions, or Other Systems Failures. (16 CFR Part 314.4(b)(3)) Office of Comptroller of the Currency (OCC) Requires subject banking institutions to implement: Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies. (12 CFR Part 30, Appendix B, III(C)(g)). Health Insurance Security Standards (HIPAA Requirements) Requires subject health care institutions to: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. (45 CFR Part (a)(6))

6 The Legislation California, SB 1386/ Civil Code Mandates full disclosure to California residents of any compromised customer data Law is triggered upon an computer Security Incident Identifying and documenting what happened determines compliance Delayed disclosure allowed for referral to law enforcement or reasonable internal investigation Sarbanes-Oxley Act of 2002 Severe liability for destruction of electronic records up to $25 million fines, 20-year prison terms Important due diligence mechanism for internal controls NASD Rule of Conduct 3110 Brokers/Dealers must retain all s/communications with customers ISO Outlines comprehensive incident response and internal investigation procedures Detailed provisions on computer evidence preservation and handling

7 Legal Issues when Dealing with an Incident Does the incident (case) create potential liability to customers, employees, shareholders, regulators, downstream sources? What level of practice/diligence is required to avoid liability? What evidence should be preserved? Are there reporting obligations?

8 What is Computer Forensics? Acquisition Authentication Analysis Documentation Court Presentation of Computer Evidence

9 Why is computer forensics important? Computer data is fragile, complex, but must be preserved and authenticated. Courts, & State / Federal regulatory mandates for best practices in handling electronic evidence Gates Rubber Co. v. Bando Chemical Indus., Ltd 167 F.R.D. 90 (D.C. Col., 1996) ISO 17799: section

10 Why use Forensic Tools? Your data iceberg The data found by common tools (such as Explorer) The additional data found by EnCase Enterprise (Deleted, renamed, hidden, difficult to locate.)

11 Goal Data of seen Forensic using Investigations Forensic tools The nature of data storage on computer disks often allows recovery of data from: Unallocated space File slack Hidden files Temporary files Formatted disks History files

12 Goal of Forensic Investigations Conduct structured investigation Preserve and secure electronic data using methods that withstood judicial scrutiny Obtain all data potentially relevant to a matter Minimize cost and business disruption Obtain relevant information Document Integrate into litigation function

13 Uses of Forensic Software Protect Intellectual property Protect customer data Identify misuse Document employee actions Verify customer/employee privacy Discover unauthorized applications

14 What is Incident Response Ability to Identify and respond to: Compromise of integrity Denial of service Misuse (unauthorized use) Damage Intrusions List taken from [Schultz Jr. et al. 1990]:

15 Goals of Incident Response Confirm whether an incident occurred Provide accurate, relevant, and timely information Implement controls to secure the crime scene Protect individual rights established by policy and law Minimize downtime and effect to business and network services Enable legal and law enforcement to prosecute malicious entities Provide recommendations to Sr. Management Understand, correct and protect from future compromise

16 Business Requirements of IR Business continues un-interrupted Evidence preserved quickly Reach well-informed decisions sooner Reach geographically dispersed systems Investigate on a need-to-know basis Follow a repeatable forensic methodology

17 Technical Requirements of IR Bypass security layers to access the physical drive/devices, volumes Perform forensic level discovery of running system without modifying target Ability to locate, preview, and acquire all relevant data on the drive, regardless of whether it is deleted, fragmented, damaged, or encrypted To identify data by file type & content with powerful key word and hash set searches To Simultaneous investigate multiple running systems

18 Technical Requirements of IR To visually identify data change over time View TCP/IP endpoints Name/number, Protocol (TCP/UDP) address (local and remote) and state View Active Processes (PID and thread count) Open Files Live Windows Registry ( logged on users) Process to port information Acquire/Investigate RAM Trust tool providing information

19 Comprehensive Security Model

20 Real world IR Examples Computer Intrusion System compromised (configuration, vulnerability) Web Defacement Virus or worm outbreak Identification of unauthorized applications Encryption and stegonagraphy tools Hacker discovery tools Denial-of-service attack Theft of intellectual property Unauthorized use of systems by employees or external entities Gambling or Pornography sites Launching ground for attacks Internal & External policy compliance Pending government legislation (GLBA, HIPPA, CA SB 1386, S-O) Corporate usage policy enforcement and containment Employees spreading rumors

21 Challenges of Incident Response Systems are taken off-line impacting services If remote, IR team travels to location IR investigations which span different time zones hard to construct accurate timeline prone to human error Use of disjointed tools time consuming large margin of error Various system and media types NTFS, Ext 2/3, Reiser, FAT, HFS Compound File types Extremely Large Hard Disks External Media Encrypted File Systems RAID Systems (redundant array of inexpensive disks)

22 Challenges of Incident Response Volatile Information lost if system shutdown Dealing with Foreign languages Hard to determine scope of compromise Restoration of systems and services Resource intensive (people, process, and technology) Chain of custody and evidence handling Containment of potential compromise Controlling release of information about compromise

23 How is Forensics handled today? 1. Secure the target computer 2. Conduct an external inspection (note attached devices) 3. Open the computer and conduct an interior inspection. 4. Disconnect the hard disk drive(s) power cable(s), and data cable(s). 5. Insert the trusted boot diskette and turn on the computer. 6. Run the CMOS setup routine 7. Make sure that the computer is set to boot from the floppy drive. 8. Exit, save changes and record any changes that were made.

24 How is Forensics Handled today? 9. Allow the boot sequence to continue to confirm that the floppy drive is operable and that the boot will occur from the floppy drive. 10. Turn the power off 11. Reconnect the hard disk drive power cable(s) and data cable(s). 12. Turn on the computer and allow the computer to boot from the Encase boot CD/diskette. 13. At the (A:\) prompt, type EN to run EnCase for DOS. EnCase will load and present a list of the drives and logical volumes that are attached to the computer 14. Investigate or Acquire

25 How is Forensics Handled today? Local analysis = 1 analyst : 1 target computer Forensic Examiner Target Node Forensic Examiner Target Node Target Node Forensic Examiner

26 How is Incident Response handled today? System is taken offline (removed from net) If remote, CERT team travels to location Delayed Response = Damage Proliferation Do nothing Analysis of system using disjointed tools Modify critical artifacts Unable to find hidden information Time consuming Hard to repeat process Not comprehensive Large margin of error System is restored To previous backup of files or applications Or system is determined clean No resolution Forensic analysis is an afterthought

27 Typical Incident Response Process IDS alert Intruder detected Server hacked Data is altered Remote Sites Internet Business Unit(s) A A Perimeter What files are open? What was changed or left behind? How and why did this happen? What was accessed? Where did it originate? What processes are running?

28 Where do I begin to Look? File System Artifacts File Permissions Time stamps Deleted files Hidden Log files Operating System Logs (event logs) Application Logs (ERP, web, ftp, peer-to-peer,mail, database, etc) Back Door Accounts (new administrator accts, escalated privileges) Deviations from Trusted Baseline MD5 Hashes File Signature analysis Keywords in (Slack space, Logical file space, compound docs, Unicode)

29 Where do I begin to Look? (cont) Volatile data Dynamic Registry RAM Network session Running processes Open files Upstream ISP s, Business Suppliers Router logs and configurations Switches (logs and configs) Firewalls (logs and configs) Network and Host Based Intrusion Detection (logs and configs) Security Event Managers (logs and configs) Sniffers (trace files, packet captures)

30 Tools of the Forensic IR Investigator MD5 Hash Creation and Analysis Keyword searches (physically and logically) Unicode search capability File signature analysis Deleted file recovery Timeline Viewer Granular Filtering and Compound Querying Reporting capabilities

31 Tools of the Forensic IR Investigator Automated scripts to harvest common key information Preview without Acquiring data Forensic acquisition capabilities View data in HEX and Text File attribute analysis (MACD) Internal and External File viewers Logged on users (registry info) Open Files TCP/IP endpoints (port info) Process List Network connections Process to Port

32 Network Enabled Forensics Local analysis = 1 analyst : 1 target computer Target Node EnCase Enterprise Examiner Network-enabled analysis = N analysts : N target computers Target Nodes EnCase Enterprise Examiner

33 Network Enable Forensic IR Process 1. Immediately connect 2. Analyze and Document volatile data Remote Sites Business Unit(s) 3. Review, analyze and acquire any data; deleted or hidden at rest 4. Identify what was modified Internet A A 5. Look for malware or backdoors Perimeter 6. Search, Hash, 7. Document EnCase Enterprise 8. Acquire if necessary Anywhere anytime investigations for the Enterprise

34 IRFAD (Incident Response, Forensic Analysis, & Discovery) Customer information Employee Disputes Target Nodes Corporate Secrets 10 Q Litigation EnCase Enterprise Examiner Rogue applications Criminal Activity

35 Benefits of Network Enabled Forensic IR Capabilities Business continues un-interrupted Quickly Identify suspect artifacts if present Determine scope of breach Evidence preserved quickly Reach well-informed decisions sooner Reach geographically dispersed systems Conduct Investigations on need-to-know basis Follow a repeatable forensic methodology

36 Bottom Line from Best practices to Law Confirm, document and contain internal incidents and breaches Protect customer data and privacy Discover unauthorized access and report breaches Enable the enterprise to defend or prosecute its interests in court Adhere to Policy and legislation

37 Resources Incident Response, Electronic Discovery, and Computer Forensics The Federal Computer Incident Response Center (FedCIRC The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness Incident Handling Links & Documents (75 links) SEI: Handbook for Computer Security Incident Response Teams CERT/CC: Computer Security Incident Response CERT/CC: Responding to Intrusions AuCERT: Forming an Incident Response Team SANS: S.C.O.R.E

38 Resources SANS Reading Room: Incident Handling SANS Forum: Incident Handling and Hacker Exploits Forum NIST SP 800-3: Establishing a Computer Security Incident Response Capability CIAC: Incident Reporting Procedures FIRST: Forum of Incident Response and Security Teams IETF: RFC The Site Security Handbook (Chapter 5) IETF: RFC Expectations for Computer Security Incident Response CIO: CyberThreat Response and Reporting Guidelines ISS: Computer Security Incident Response Planning Incident Response: Managing Security at Microsoft ons/msit/security/msirsec.asp

39 Hands on Lab Discuss Scenario Install Encase v 4.15 Basic EnCase navigation of user interface We will walk through most of the analysis capabilities of EnCase followed by student exercises The class will conclude with a practical exam! You can take everything (software and manuals) with you! Gratis!

40 Questions? Richard Cummings Manager of Security Engineering Guidance Software