INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

Transcription

1 " - * INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION CHRIS PROSISE KEVIN MANDIA McGraw-Hill /Osborne New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

2 CONTENTS Foreword Acknowledgments Introduction xxi xxiii xxv.... v i.- ".-.'!* ^^nm^fjssgt..,-./ - ;. T 1 Real-World Incidents 3 Factors Affecting Response 4 International Crime 5 Welcome to Invita 5 The PathStar Conspiracy 6 Traditional Hacks 7 So What? 9 T 2 Introduction to the Incident Response Process 11 What Is a Computer Security Incident? 12 What Are the Goals of Incident Response? 13 Who Is Involved in the Incident Response Process? 13 Incident Response Methodology 14 xi

3 vil Jill Incident Response ft Computer Forensic* Pre-Incident Preparation 16 Detection of Incidents 17 Initial Response 18 Formulate a Response Strategy 20 Investigate the Incident 24 Reporting 30 Resolution 31 So What? 32 Questions 32 T 3 Preparing for Incident Response 33 Overview of Pre-incident Preparation 34 Identifying Risk 35 Preparing Individual Hosts 36 Recording Cryptographic Checksums of Critical Files Increasing or Enabling Secure Audit Logging 39 Building Up Your Host's Defenses 46 Backing Up Critical Data 47 Educating Your Users about Host-Based Security 48 Preparing a Network 49 Installing Firewalls and Intrusion Detection Systems Using Access Control Lists on Your Routers 50 Creating a Network Topology Conducive to Monitoring.. 50 Encrypting Network Traffic 52 Requiring Authentication 52 Establishing Appropriate Policies and Procedures 53 Determining Your Response Stance 54 Understanding How Policies Can Aid Investigative Steps. 56 Developing Acceptable Use Policies 63 Designing AUPs 64 Developing Incident Response Procedures 66 Creating a Response Toolkit 66 The Response Hardware 67 The Response Software 68 The Networking Monitoring Platform 68 Documentation 69 Establishing an Incident Response Team 69 Deciding on the Team's Mission 69 Training the Team 70 So What? 73 Questions 73

4 Contents T 4 After Detection of an Incident 75 Overview of the Initial Response Phase 76 Obtaining Preliminary Information 77 Documenting Steps to Take 77 Establishing an Incident Notification Procedure 77 Recording the Details after Initial Detection 78 Initial Response Checklists 78 Case Notes 80 Incident Declaration 80 Assembling the CSIRT 81 Determining Escalation Procedures 82 Implementing Notification Procedures 83 Scoping an Incident and Assembling the : Appropriate Resources 84 Performing Traditional Investigative Steps 86 Conducting Interviews 87 Getting Contact Information 88 : Interviewing System Administrators 88 \ Interviewing Managers 89 i Interviewing End Users 90 ' Formulating a Response Strategy 90 Response Strategy Considerations 90 < Policy Verification 91 ; So What? 92 Questions 92 T 5 Live Data Collection from Windows Systems 95 Creating a Response Toolkit 96 Gathering the Tools 97 Preparing the Toolkit 98 Storing Information Obtained during the Initial Response 100 Transferring Data with netcat 100 Encrypting Data with cryptcat 102 Obtaining Volatile Data 103 Organizing and Documenting Your Investigation 103 Collecting Volatile Data 104 Scripting Your Initial Response 114 Performing an In-Depth Live Response 115 Collecting the Most Volatile Data 115

5 Incident Response ft Computer Forenslcs Creating an In-Depth Response Toolkit 115 Collecting Live Response Data 116 Is Forensic Duplication Necessary? 123 So What? 123 Questions 124 T 6 Live Data Collection from Unix Systems 125 Creating a Response Toolkit 126 Storing Information Obtained During the Initial Response Obtaining Volatile Data Prior to Forensic Duplication 128 Collecting the Data 128 Scripting Your Initial Response 137 Performing an In-Depth, Live Response 138 Detecting Loadable Kernel Module Rootkits 138 Obtaining the System Logs During Live Response 140 Obtaining Important Configuration Files 141 Discovering Illicit Sniffers on Unix Systems 141 Reviewing the /Proc File System 144 Dumping System RAM 147 So What? 148 Questions Forensic Duplication 151 Forensic Duplicates As Admissible Evidence 152 What Is a Forensic Duplicate? 153 What Is a Qualified Forensic Duplicate? 153 What Is a Restored Image? 153 What Is a Mirror Image? 154 Forensic Duplication Tool Requirements 155 Creating a Forensic Duplicate of a Hard Drive 157 Duplicating with dd and dcfldd 157 Duplicating with the Open Data Duplicator (ODD) 159 Creating a Qualified Forensic Duplicate of a Hard Drive 163 Creating a Boot Disk 163 Creating a Qualified Forensic Duplicate with SafeBack Creating a Qualified Forensic Duplicate with EnCase So What? 172 Questions 172 T 8 Collecting Network-based Evidence 173 What Is Network-based Evidence? 174 What Are the Goals of Network Monitoring? 174

6 Contents xv Types of Network Monitoring 175 Event Monitoring 175 Trap-and-Trace Monitoring 175 Full-Content Monitoring 176 Setting Up a Network Monitoring System 177 Determining Your Goals 177 Choosing Appropriate Hardware 178 Choosing Appropriate Software 180 Deploying the Network Monitor 184 Evaluating Your Network Monitor 185 Performing a Trap-and-Trace 186 Initiating a Trap-and-Trace with tcpdump 187 Performing a Trap-and-Trace with WinDump 188 Creating a Trap-and-Trace Output File 190 Using tcpdump for Full-Content Monitoring 190 Filtering Full-Content Data 191 Maintaining Your Full-Content Data Files 192 Collecting Network-based Log Files 193 So What? 194 Questions 194 T 9 Evidence Handling 197 What Is Evidence? 198 The Best Evidence Rule 198 Original Evidence 199 The Challenges of Evidence Handling 199 Authentication of Evidence 200 Chain of Custody 200 Evidence Validation 201 Overview of Evidence-Handling Procedures 202 Evidence System Description 203 Digital Photos 203 Evidence Tags 205 Evidence Labels 207 Evidence Storage 207 The Evidence Log 210 Working Copies 211 Evidence Backups 211 Evidence Disposition 212 Evidence Custodian Audits 212 So What? 213 Questions 213

7 Incident Response ft Computer Forensics T 10 Computer System Storage Fundamentals 217 Hard Drives and Interfaces 218 The Swiftly Moving ATA Standard 218 SCSI (Not Just a Bad-Sounding Word) 223 Preparation of Hard Drive Media 227 Wiping Storage Media 227 Partitioning and Formatting Storage Drives 228 Introduction to File Systems and Storage Layers 231 The Physical Layer 232 The Data Classification Layer 233 The Allocation Units Layer 234 The Storage Space Management Layer 234 The Information Classification and Application-level Storage Layers 236 So What? 236 Questions 237 T 11 Data Analysis Techniques 239 Preparation for Forensic Analysis 240 Restoring a Forensic Duplicate 241 Restoring a Forensic Duplication of a Hard Disk 241 Restoring a Qualified Forensic Duplication of a Hard Disk. 244 Preparing a Forensic Duplication for Analysis In Linux 248 Examining the Forensic Duplicate File 249 Associating the Forensic Duplicate File with the Linux Loopback Device 250 Reviewing Image Files with Forensic Suites 253 Reviewing Forensic Duplicates in EnCase 253 Reviewing Forensic Duplicates in the Forensic Toolkit Converting a Qualified Forensic Duplicate to a Forensic Duplicate 257 Recovering Deleted Files on Windows Systems 260 Using Windows-Based Tools To Recover Files on FAT File Systems 260 Using Linux Tools To Recover Files on FAT File Systems Running Autopsy as a GUI for File Recovery 264 Using Foremost to Recover Lost Files 268 Recovering Deleted Files on Unix Systems 271 Recovering Unallocated Space, Free Space, and Slack Space Generating File Lists 278

8 Contents Listing File Metadata 278 Identifying Known System Files 282 Preparing a Drive for String Searches 282 Performing String Searches 284 So What? 288 Questions 289 T 12 Investigating Windows Systems 291 Where Evidence Resides on Windows Systems 292 Conducting a Windows Investigation 293 Reviewing All Pertinent Logs 294 Performing Keyword Searches 302 Reviewing Relevant Files 303 Identifying Unauthorized User Accounts or Groups 320 Identifying Rogue Processes 320 Looking for Unusual or Hidden Files 321 Checking for Unauthorized Access Points 323 Examining Jobs Run by the Scheduler Service 326 Analyzing Trust Relationships 327 Reviewing Security Identifiers (SIDs) 328 File Auditing and Theft of Information 328 Handling the Departing Employee 331 Reviewing Searches and Files Used 332 Conducting String Searches on Hard Drives 332 So What? 333 Questions 333 T 13 Investigating Unix Systems 335 An Overview of the Steps in a Unix Investigation 336 Reviewing Pertinent Logs 337 Network Logging 337 Host Logging 340 User Activity Logging 341 Performing Keyword Searches 342 String Searches with grep 343 File Searches with find 344 Reviewing Relevant Files 344 Incident Time and Time/Date Stamps 345. Special Files 347 Identifying Unauthorized User Accounts or Groups 350 User Account Investigation 350 Group Account Investigation 351

9 will *" " incident Response ft Computer Forenslcs Identifying Rogue Processes 351 Checking for Unauthorized Access Points 352 Analyzing Trust Relationships 352 Detecting Trojan Loadable Kernel Modules 353 LKMs on Live Systems 354 LKM Elements 354 LKM Detection Utilities 355 So What? 358 Questions Analyzing Network Traffic 359 Finding Network-Based Evidence 360 Tools for Network Traffic Analysis 360 Reviewing Network Traffic Collected with tcpdump Generating Session Data with tcptrace 362 Parsing a Capture File 362 Interpreting the tcptrace Output 363 Using Snort to Extract Event Data 364 Checking for SYN Packets 365 Interpreting the Snort Output 369 Reassembling Sessions Using tcpflow 369 Focusing on FTP Sessions 369 Interpreting the tcpflow Output 370 Reviewing SSH Sessions 374 Reassembling Sessions Using Ethereal 376 Refining tcpdump Filters 378 So What? 379 Questions Investigating Hacker Tools 385 What Are the Goals of Tool Analysis? 386 How Files Are Compiled 386 Statically Linked Programs 387 Dynamically Linked Programs 387 Programs Compiled with Debug Options 387 Stripped Programs 389 Programs Packed with UPX 389 Compilation Techniques and File Analysis 392 Static Analysis of a Hacker Tool 394 Determining the Type of File 394 Reviewing the ASCII and Unicode Strings 395 Performing Online Research 397 Performing Source Code Review 398

10 Contents x * x Dynamic Analysis of a Hacker Tool 399 Creating the Sandbox Environment 399 Dynamic Analysis on a Unix System 401 Dynamic Analysis on a Windows System 409 So What? 413 Questions 413 T 16 Investigating Routers 415 Obtaining Volatile Data Prior to Powering Down 416 Establishing a Router Connection 417 Recording System Time 417 Determining Who Is Logged On 417 Determining the Router's Uptime 418 Determining Listening Sockets 419 Saving the Router Configuration 420 Reviewing the Routing Table 421 Checking Interface Configurations 422 Viewing the ARP Cache 423 Finding the Proof 423 Handling Direct-Compromise Incidents 423 Handling Routing Table Manipulation Incidents 425 Handling Theft of Information Incidents 426 Handling Denial-of-Service (DoS) Attacks 426 Using Routers as Response Tools 428 Understanding Access Control Lists (ACLs) 428 Monitoring with Routers 430 Responding to DDoS Attacks 431 So What? 433 Questions 433 T 17 Writing Computer Forensic Reports 435 What Is a Computer Forensics Report? 436 What Is an Expert Report? 436 Report Goals 437 Report Writing Guidelines 439 Document Investigative Steps Immediately and Clearly Know the Goals of Your Analysis 440 Organize Your Report 441 Follow a Template 441 Use Consistent Identifiers 441 Use Attachments and Appendixes 442 Have Co-workers Read Your Reports 442 Use MD5 Hashes 443 Include Metadata 443

11 XX Incident Response ft Computer Forenslcs A Template for Computer Forensic Reports 444 Executive Summary 445 Objectives 445 Computer Evidence Analyzed 446 Relevant Findings 447 Supporting Details 448 Investigative Leads 451 Additional Report Subsections 451 So What? 452 Questions 453 T A Answers to Questions * 457 Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter B Incident Response Forms 481 T Index 491