ISACA-Mumbai Chapter
CYBER FORENSICS
RAKESH M GOYAL (rakesh@sysman.in)
DIRECTOR, CENTRE FOR RESEARCH AND PREVENTION OF COMPUTER CRIMES (CRPCC), INDIA
& MANAGING DIRECTOR, SYSMAN COMPUTERS (P) LTD., INDIA
URL: www.sysman.in
28 August 2010
COMPUTER (CYBER / DIGITAL) FORENSICS
AGENDA
- What is Forensics
- What is Cyber Forensics
- Who uses
- Types and details
- Skills needed
WHAT IS FORENSICS - FORENSIC SCIENCE Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.
WHAT IS FORENSICS - The use of science and technology to investigate and establish facts in criminal or civil courts of law. (Sherlock Holmes / Perry Mason / Vyomkesh Bakshi / Agatha Christie / Insp. Ghote / Feluda / Karam Chand / ACP Pradyuman)
WHAT IS FORENSICS
Physical Sciences Forensics
- Fingerprint analysis
- Forensic accounting
- Ballistics
- Body identification
- DNA profiling
- Forensic arts
- Forensic toxicology
- Forensic footwear evidence
- Questioned document examination
- Fire investigation
- Vehicular accident reconstruction
WHAT IS FORENSICS
Cyber forensics (Digital or Computer forensics)
- Data forensics
- Application forensics
- Network and peripherals
- e-mail / social-networking forensics
- Social Engineering forensics
- Mobile device forensics
Other related disciplines
- Forensic engineering
- Forensic linguistics
- Forensic materials engineering
- Forensic polymer engineering
WHAT IS FORENSICS
Physiological sciences
- Forensic pathology
- Forensic dentistry
- Forensic anthropology
- Forensic entomology
- Forensic archaeology
Social sciences
- Forensic psychology
- Forensic psychiatry
WHAT IS COMPUTER FORENSICS
Computer forensics involves the
1. identification,
2. preservation,
3. extraction,
4. documentation,
5. interpretation and
6. presentation
of computer data in such a way that it can be legally admissible.
WHAT IS COMPUTER FORENSICS
Computer Forensics - commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence.
- Proper Acquisition and Preservation of Computer Evidence
- Authentication of Collected Data for Court Presentation
- Recovery of All Available Data, Including Deleted Files
The lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and meta-data derived from digital devices which may contain information that is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil and criminal investigations. - Larry Leibrock, PhD
COMPUTER FORENSICS IS NOT
- PRO-ACTIVE (SECURITY), BUT REACTIVE TO AN EVENT OR REQUEST
- ABOUT FINDING THE BAD GUY, BUT ABOUT FINDING THE EVIDENCE OF VALUE
- FUN: IT NEEDS PROPER EXPERTISE
- QUICK: TERABYTE DRIVES ARE AVAILABLE (DATA UNIVERSE - 161 EXABYTE IN 2006 TO 988 EXABYTE IN 2010)
CRIMINALS EXPLOIT WEAK LINKS
Weak Links may be
- User
- Technology / Application
- Implementation
- Policies / Procedures
JOB OF FORENSICS EXAMINER IS TO FIND WHAT, HOW, WHEN, AND WHERE
CONTROLS IN I.T.
- Over 600 controls to handle in an IT environment
- Forensics should be geared to cater to these 600 risks
WHAT IS DONE
- GOING BACK IN TIME AND SPACE
- VISUALISE ALL HAPPENINGS
- BUILD THE CHAIN OF CUSTODY (CoC)
- DOCUMENT ALL OBSERVATIONS, HYPOTHESES, METHODOLOGY, STEPS, PROCESS, ANALYSIS, REASONING, OPTIONS, CONCLUSIONS OR FINDINGS
OBJECTIVE
- FIND FACTS AND PRESENT FOR JUSTICE
- PROSECUTION: LEGALLY ADMISSIBLE; DEFENSE MUST NOT DEMOLISH THE CASE
- DEFENSE: FIND HOLES, WRONG REPRESENTATION, SHABBY / TAMPER-PRONE INVESTIGATION / CONCLUSIONS -> BENEFIT OF DOUBT
WHO USES COMPUTER FORENSICS
MANY TYPES OF CIVIL AND CRIMINAL PROCEEDINGS NEED THE USE OF COMPUTER FORENSICS EXAMINERS:
- CRIMINAL JUSTICE AGENCIES / SYSTEM
- REVENUE / ENFORCEMENT / REGULATORY DEPARTMENTS
- CORPORATE CHIEFS / CEO
- CRIMINAL / CORPORATE COUNSELS
- BANKS / INSURANCE COMPANIES
- AUDITORS
- INDIVIDUAL
- CRACKER / HACKERS
CRIMINAL PROSECUTION - USE COMPUTER EVIDENCE IN A VARIETY OF CRIMES WHERE INCRIMINATING DOCUMENTS CAN BE FOUND: HOMICIDES, FINANCIAL FRAUD, DRUG AND EMBEZZLEMENT, HARASSMENT, RECORDKEEPING, AND CHILD PORNOGRAPHY.
CIVIL LITIGATIONS - CAN READILY MAKE USE OF PERSONAL AND BUSINESS RECORDS FOUND ON COMPUTER SYSTEMS THAT BEAR ON: FRAUD, DIVORCE, DISCRIMINATION, AND HARASSMENT CASES.
INSURANCE COMPANIES - MAY BE ABLE TO MITIGATE COSTS BY USING DISCOVERED COMPUTER EVIDENCE OF POSSIBLE FRAUD IN ACCIDENT, ARSON, AND WORKMAN'S COMPENSATION CASES.
CORPORATIONS - OFTEN HIRE COMPUTER FORENSICS EXAMINERS TO ASCERTAIN EVIDENCE RELATING TO FRAUDS, EMBEZZLEMENT, BLACKMAIL, SEXUAL HARASSMENT, THEFT OR MISAPPROPRIATION OF TRADE SECRETS AND OTHER INTERNAL / CONFIDENTIAL INFORMATION, HARASSMENT BY (EX-)EMPLOYEES.
REVENUE / ENFORCEMENT / REGULATOR - FREQUENTLY REQUIRE ASSISTANCE IN POST-SEIZURE HANDLING OF THE COMPUTER ASSETS.
COUNSELS / INDIVIDUALS - SOMETIMES HIRE COMPUTER FORENSICS EXAMINERS TO SUPPORT THE DEFENCE FOR CLAIMS OF WRONGFUL TERMINATION, BLACKMAIL, SEXUAL HARASSMENT OR LEGAL ACTION.
TYPE OF COMPUTER FORENSICS
- DATA / INFORMATION
- NETWORK AND PERIPHERALS
- E-MAIL / WEBPAGES / SOCIAL NETWORKS
- SOFTWARE / APPLICATION / MALICIOUS CODE
- IMAGE / STEGANOGRAPHY (DIGITAL IMAGE / SOUND / VIDEO / WATERMARK / ENCRYPTION)
- COMPUTER RESOURCES
- DATA COMMUNICATION
COMPUTER FORENSICS - DATA / INFORMATION
PINPOINT THE RELEVANT DATA FROM A LARGE VOLUME OF DATA:
- MULTIPLE LOCATIONS
- MULTIPLE SERVERS
- MULTIPLE DESKTOPS / NODES
- MULTIPLE BACKUP MEDIA / ARCHIVED DATA
- MULTIPLE OS / RDBMS / FILE-TYPES
COMPUTER FORENSICS - DATA / INFORMATION
SEARCHING FOR THE NEEDLE IN THE HAYSTACK
COMPUTER FORENSICS - DATA / INFORMATION
- ORIGINAL MEDIA NOT TO BE ALTERED
- TO BE MADE EXACT MIRROR IMAGE (MIN. 2)
- BIT-BY-BIT OR SECTOR-BY-SECTOR COPY OF ORIGINAL MEDIA
- ALL BITS COPIED, NOT MOST OF THE BITS
- NOT BY NORMAL FILE / DIRECTORY / DISK COPY
- MEMORY DUMP
COMPUTER FORENSICS - DATA / INFORMATION
COPY METHODS - AFTER MEMORY DUMP
- REMOVE AND MIRROR ON FORENSICS COMPUTER
- CONNECT IDENTICAL MEDIA AND MIRROR
- CONNECT THROUGH NETWORK AND MIRROR
THE TOOL MUST BE ABLE TO
- COPY EVERY BIT IN SAME ORDER
- NO CHANGE IN ORIGINAL
- VERIFIABLE AND RESPECTABLE CHECKSUM AND ALGORITHM PROTECTION
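The sector-by-sector copy and checksum requirement above, shown as an added example that is not part of the slides: a small Python imager working over constructed in-memory media (the 8-sector layout, the file contents and the 512-byte sector size are all assumptions). It hashes the source while reading, re-hashes the written image so acquisition and verification hashes can be compared, and shows why a normal file copy misses the remnant of a deleted file sitting in an unallocated sector. On real media the same loop would read from a write-blocked device.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for the constructed media


def image_media(src, dst, algo="sha256", sector_size=SECTOR):
    """Copy src to dst sector by sector, hashing the source as it is read and the
    written image afterwards. Returns (source_hash, image_hash, sectors_copied)."""
    h_src = hashlib.new(algo)
    sectors = 0
    for chunk in iter(lambda: src.read(sector_size), b""):
        h_src.update(chunk)
        dst.write(chunk)          # every byte, in the same order, no interpretation
        sectors += 1
    dst.flush()
    dst.seek(0)
    h_img = hashlib.new(algo)
    for chunk in iter(lambda: dst.read(sector_size), b""):
        h_img.update(chunk)
    return h_src.hexdigest(), h_img.hexdigest(), sectors


def verify_image(image: bytes, recorded_hash: str, algo="sha256") -> bool:
    """Re-hash an image (e.g. before each analysis session) against the acquisition hash."""
    return hashlib.new(algo, image).hexdigest() == recorded_hash


# Constructed 8-sector "media": one active file plus the remnant of a deleted file
# that is no longer referenced by any directory entry.
ACTIVE_FILE = b"ledger.txt: invoice 1001 paid 13-Sep"
DELETED_REMNANT = b"DELETED: wire transfer draft, do not keep"


def build_constructed_media() -> bytes:
    sectors = [b"\x00" * SECTOR for _ in range(8)]
    sectors[0] = b"BOOT".ljust(SECTOR, b"\x00")
    sectors[1] = ACTIVE_FILE.ljust(SECTOR, b"\x00")       # allocated to ledger.txt
    sectors[4] = DELETED_REMNANT.ljust(SECTOR, b"\x00")   # unallocated, old data still present
    return b"".join(sectors)


def logical_copy(media: bytes) -> bytes:
    """What a normal file / directory copy captures: only the active file's bytes."""
    return media[SECTOR:SECTOR + len(ACTIVE_FILE)]


def acquire(media: bytes):
    """Image the constructed media and return (image, source_hash, image_hash, sectors)."""
    src, dst = io.BytesIO(media), io.BytesIO()
    h_src, h_img, n = image_media(src, dst)
    return dst.getvalue(), h_src, h_img, n


if __name__ == "__main__":
    media = build_constructed_media()
    image, h_src, h_img, n = acquire(media)
    print(f"{n} sectors imaged, hashes match: {h_src == h_img}")
    print("remnant in image:", DELETED_REMNANT in image,
          "| remnant in file copy:", DELETED_REMNANT in logical_copy(media))
```

The acquisition hash is recorded with the evidence; any later mismatch from `verify_image` means the image can no longer be relied upon, which is the point of the "verifiable checksum" requirement.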
COMPUTER FORENSICS - DATA RECOVERY
- NORMAL FILES / E-MAILS
- HIDDEN FILES
- DELETED / PURGED / WIPED / ERASED FILES
- FILES HIDDEN IN ADDITIONAL TRACKS
- ATTRIBUTES AS SYSTEM / TEMP / SPOOL / RENAMED / INSTALLATION FILES / EXTENSION-CHANGED
- ENCRYPTED / STEGANOGRAPHED
- FAT ENTRY
DATA FORENSICS PROCESS STAGES
1) ONSITE / OFF-SITE NON-DESTRUCTIVE DATA COLLECTION, IMAGING ETC.
2) RECOVERY OF ACTIVE FILES, HIDDEN FILES, DELETED FILES (to the extent possible), PASSWORD PROTECTED FILES, STEGANALYSIS etc.
3) ANALYSIS
4) DOCUMENTATION
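Stage 2 recovery of deleted and extension-changed files, as an added example not taken from the slides: signature-based carving in Python over constructed raw media. The three header/footer signature pairs are standard magic bytes but deliberately simplified (real carvers also use length fields and handle fragmentation); the media layout, the minimal PDF and GIF bodies, and the filenames are constructed for the demonstration.

```python
# Magic-byte signatures (header, footer). Simplified for illustration.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF8", b"\x00;"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def sniff_type(blob: bytes):
    """Identify a file by content, not by name."""
    for kind, (header, _) in SIGNATURES.items():
        if blob.startswith(header):
            return kind
    return None


def extension_mismatch(name: str, blob: bytes) -> bool:
    """True when a recognised file type hides behind a different extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_type(blob)
    return kind is not None and ext != kind


def carve(media: bytes, max_size: int = 1 << 20):
    """Scan raw media, including unallocated space, for header..footer spans and
    return them in offset order. No directory or FAT entry is consulted."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = media.find(header)
        while start != -1:
            end = media.find(footer, start + len(header), start + max_size)
            if end == -1:                       # header without footer: skip it
                start = media.find(header, start + 1)
                continue
            end += len(footer)
            found.append({"offset": start, "type": kind, "size": end - start,
                          "data": media[start:end]})
            start = media.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


# Constructed media: both files were "deleted" (no directory entry) but the bytes remain.
DELETED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
               b"trailer << /Root 1 0 R >>\n%%EOF")
DELETED_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00,\x00\x00\x00\x00"
               b"\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def build_constructed_media() -> bytes:
    return b"\x00" * 1024 + DELETED_PDF + b"\x00" * 512 + DELETED_GIF + b"\x00" * 256


if __name__ == "__main__":
    for hit in carve(build_constructed_media()):
        print(f"offset {hit['offset']:6d}  {hit['type']}  {hit['size']} bytes")
    print("holiday.txt is really a", sniff_type(DELETED_PDF),
          "- mismatch:", extension_mismatch("holiday.txt", DELETED_PDF))
```

Each carved span is written out as a separate recovered object with its offset recorded, so the finding can be reproduced by a third party from the same image.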
COMPUTER FORENSICS - DATA ANALYSIS
COMPUTER FORENSICS - NETWORK
Holes In Network
1. Inadequate Router Access Control
2. Unsecured / Unmonitored Remote Access
3. Information Leakage Via Zone Transfer & Services (SMTP, Telnet)
4. Running Unnecessary Services (FTP, DNS, SMTP)
5. Weak or Reused Passwords
6. User Accts with Excessive Privileges
7. Mis-configured Internet Servers
8. Mis-configured Firewall or Router
9. Un-patched, Outdated Software with Default Configurations
10. Excessive File & Directory Access Controls
(Diagram zones: Internet Border Router, Internal Router, Workstation, Internal LAN, Internet/DMZ/Servers, Mobile/home user, Remote Access Servers)
NETWORK FORENSICS - COMPUTER NETWORKS
- Firewall logs
- NIDS logs
- HTTP, FTP, etc. logs
COMPUTER FORENSICS - EMAIL
- THREATS / OBSCENE / DEFAMATORY
- SPAM / FRAUDS (419 / ADVANCE FEE) / PHISHING
- LOADED WITH MALWARE
- PASSWORD HIJACKING / MAIL FORWARD
WEBPAGES
- DEFACEMENT / DOS (or DDOS) ATTACK
- MALICIOUS CONTENT
- MALWARE DISTRIBUTOR
- PERSONAL INFO GRABBER
Tracing E-Mail Headers
(3) Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.exampl.com; Sat, 13 Sep 2007 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 13 Sep 2007 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 13 Sep 2007 18:25:13 -0400 (EDT)
Date: Sat, 13 Sep 2007 18:25:13 -0400 (EDT)
(4) From: fake user name@iname.com
Message-Id: <199809122225.SAA29949@web03.iname.net>
Content-Type: text/plain
Mime-Version: 1.0
To: victim@smtp.example.com
Content-Transfer-Encoding: 7bit
Subject: This is a forged e-mail message
COMPUTER FORENSICS - EMAIL TRACING ISSUES
- SENDER ADDRESS SPOOFED
- ORIGINATES FROM BOTNET / ZOMBIES
- NEEDS ISPs' ACTIVE HELP (IT ACT-2000 EMPOWERS POLICE FOR THAT)
- ACCOUNTS HACKED / HIJACKED
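Reading the Received: chain from the header slide bottom-up, as an added example that is not part of the slides: a Python routine that parses each hop with the standard library, orders them chronologically, and cross-checks what an examiner checks by hand: that each relay's "by" host is the next hop's "from" host, that timestamps do not run backwards, and that the From: domain agrees with the originating host. The sample headers are a constructed copy of the slide's listing with the (1)-(4) hop numbers removed; the `XXX.XXX.178.66` address is the slide's own masked value, and the regular expressions are this example's assumptions about header layout.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the header listing in the slide.
SAMPLE_HEADERS = (
    "Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.exampl.com; "
    "Sat, 13 Sep 2007 15:25:54 -0700\n"
    "Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; "
    "Sat, 13 Sep 2007 15:31:55 -0700\n"
    "Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; "
    "Sat, 13 Sep 2007 18:25:13 -0400 (EDT)\n"
    "Date: Sat, 13 Sep 2007 18:25:13 -0400 (EDT)\n"
    "From: fake user name@iname.com\n"
    "Message-Id: <199809122225.SAA29949@web03.iname.net>\n"
    "To: victim@smtp.example.com\n"
    "Subject: This is a forged e-mail message\n"
    "\n"
)

FROM_RE = re.compile(r"\bfrom\s+([^\s()\[\];]+)")
BY_RE = re.compile(r"\bby\s+([^\s()\[\];]+)")
IP_RE = re.compile(r"\[([^\]]+)\]")
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def parse_received(value: str) -> dict:
    """Pull claimed sending host, receiving host, bracketed IP and timestamp from one Received: line."""
    value = " ".join(value.split())
    head, _, stamp = value.rpartition(";")      # the timestamp follows the last ';'
    m_from, m_by, m_ip = FROM_RE.search(head), BY_RE.search(head), IP_RE.search(head)
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def trace_hops(raw: str):
    """Return (message, hops) in chronological order: the last Received: header was added first."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return msg, hops


def check_trace(raw: str):
    """Cross-check the hop chain. Each finding must be explained before the trace is trusted."""
    msg, hops = trace_hops(raw)
    findings = []
    for i in range(len(hops) - 1):
        a, b = hops[i], hops[i + 1]
        if a["by"] != b["from"]:
            findings.append(f"chain break between hop {i+1} and {i+2}: {a['by']} vs {b['from']}")
        if a["time"] and b["time"] and b["time"] < a["time"]:
            delta = (a["time"] - b["time"]).total_seconds()
            findings.append(f"time goes backwards between hop {i+1} and {i+2} by {delta:.0f}s "
                            "(clock skew or inserted header)")
    m = DOMAIN_RE.search(msg.get("From", ""))
    from_domain = m.group(1) if m else None
    origin = hops[0]["by"] if hops else None       # first relay that touched the message
    if from_domain and origin and not origin.endswith(from_domain):
        findings.append(f"From domain {from_domain} does not match originating host {origin}")
    return hops, findings


if __name__ == "__main__":
    hops, findings = check_trace(SAMPLE_HEADERS)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['from']} -> {h['by']}  ip={h['ip']}  at {h['time']}")
    for f in findings:
        print("FINDING:", f)
```

Only the first hop's receiving host is under the examiner's direct scrutiny; everything claimed in "from" clauses further down the chain is written by the relays themselves, which is why the ISP's own logs are needed to confirm a trace.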
COMPUTER FORENSICS - SOFTWARE
APPLICATION SOFTWARE
- BUGS
- SYSTEM PROGRAM
- CODING SECURITY
- MALICIOUS CODE (TROJAN / TRAP DOOR / BOMB)
- PATCH MANAGEMENT
- ZERO DAY VULNERABILITIES
- PROCESSING LOGS
COMPUTER FORENSICS - SOFTWARE
- EXTRA / ONE TIME PROGRAMS
- VERSION
- O/S LOGS
- DATABASE LOGS
- ACCESS MANAGEMENT AND LOGS
- TROJANS / KEYLOGGERS / MONITORS / VIRUS / WORMS / BACK-DOORS
- REVERSE ENGG. / WHO IS THE AUTHOR?
COMPUTER FORENSICS - IMAGE / STEGANOGRAPHY DIGITAL IMAGE / SOUND / VIDEO / WATERMARK / ENCRYPTION
COMPUTER FORENSICS - RECOVERY TOOL
COMPUTER FORENSICS - COMPUTER RESOURCES
THEFT OF DIGITAL RESOURCES
- USING AS BOTNET / ZOMBIE
- REMOTE CONTROLLING
- MISUSAGE / UNAUTHORIZED STORAGE
- THEFT / DELETION / ALTERATION OF CONFIDENTIAL DATA
- OVERLOADING / DENIAL OF SERVICE
- ESTONIAIZATION
COMPUTER FORENSICS - COMMUNICATION
- TAPPING / LISTENING / SNIFFING
- MAN-IN-THE-MIDDLE ATTACK
- DECRYPTION
- HACKING / CRACKING
- FIREWALL / IDS CRACKING
Sources of Data
THE LAST LINE OF DEFENSE: LEGAL ACTION
- IF EVIDENCE IS NOT HANDLED PROPERLY, IT BECOMES INADMISSIBLE IN A COURT OF LAW
- IF THERE IS NO EVIDENCE OF A CRIME, THERE IS NO CRIME IN THE EYES OF LAW
CONDUCTING AN INVESTIGATION - 7 STEP SYSTEM
1. SPEED - HANDLED QUICKLY TO AVOID EVIDENCE DAMAGE
2. STEALTH - INVESTIGATE QUIETLY
3. SYSTEM SECURITY - NO FURTHER DAMAGE
4. SECURE EVIDENCE - CHAIN OF CUSTODY
5. SUSPICIOUS / SUSPECT EMPLOYEES - MOST THEFTS ARE DONE BY EMPLOYEES
6. SHOW and TELL - REPORTING: HOW TO MAKE THE REPORT UNDERSTANDABLE
7. SEARCH WARRANTS
POINTS TO CONSIDER REGARDING DIGITAL EVIDENCE
- NO EVIDENCE IS DAMAGED, DESTROYED, OR OTHERWISE COMPROMISED BY THE PROCEDURES USED TO INVESTIGATE THE COMPUTER
- EVIDENCE IS PROPERLY HANDLED
- A CONTINUING CHAIN OF CUSTODY IS ESTABLISHED AND MAINTAINED
- ALL PROCEDURES AND FINDINGS ARE THOROUGHLY DOCUMENTED
STEPS TAKEN BY COMPUTER FORENSIC EXPERT
- PROTECT THE SUBJECT SYSTEM DURING EXAMINATION FROM ALTERATION, DAMAGE, DATA CORRUPTION OR VIRUS INTRODUCTION
- DISCOVER & RECOVER ALL FILES
- ACCESS THE CONTENTS OF PROTECTED OR ENCRYPTED FILES
- ANALYZE ALL RELEVANT DATA
- PRINT OUT AN OVERALL ANALYSIS
- PROVIDE TESTIMONY IN COURT OF LAW
CARDINAL RULES OF COMPUTER FORENSICS
- NEVER MISHANDLE EVIDENCE
- NEVER WORK ON ORIGINAL EVIDENCE
- USE PROPER SOFTWARE UTILITIES
- NEVER TRUST THE SUBJECT OPERATING SYSTEM
- DOCUMENT EVERYTHING
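The "continuing chain of custody" and "document everything" requirements on the two preceding slides, as an added example that is not part of the slides: a Python chain-of-custody log in which every entry commits to the hash of the entry before it, so that a later edit, deletion or reordering of any record is detectable by anyone holding the log. The exhibit id, the handler names, the actions and the placeholder image hash are constructed; the hash-chaining design is this example's, not a procedure described in the slides.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of every field except the stored entry_hash itself; key order is fixed."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return _digest(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only chain-of-custody record. Each entry carries the hash of the previous
    entry, so editing, removing or reordering any record breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, action, handler, evidence_hash, when=None) -> str:
        entry = {
            "seq": len(self.entries) + 1,
            "evidence_id": evidence_id,
            "action": action,                 # seized / imaged / transferred / analysed ...
            "handler": handler,
            "evidence_hash": evidence_hash,   # hash of the exhibit or its image at this step
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != expected_seq
                    or entry["prev_hash"] != prev
                    or _entry_hash(entry) != entry["entry_hash"]):
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None

    def evidence_hashes(self, evidence_id):
        """Distinct exhibit hashes recorded for one item; more than one means it changed in custody."""
        return {e["evidence_hash"] for e in self.entries if e["evidence_id"] == evidence_id}


def demo_log(image_hash: str = "sha256-of-image-placeholder") -> CustodyLog:
    """Constructed example: one exhibit moves seizure -> imaging -> analysis."""
    log = CustodyLog()
    log.record("EXH-01", "seized from desk, bagged and sealed", "Examiner A", image_hash)
    log.record("EXH-01", "imaged bit-by-bit, hash verified", "Examiner A", image_hash)
    log.record("EXH-01", "handed to analyst, seal intact", "Examiner B", image_hash)
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", log.verify())
    log.entries[1]["handler"] = "Someone else"   # a later edit to the record
    print("after edit:", log.verify())
```

The log itself should be stored somewhere the examiner cannot silently rewrite (printed and signed, or written to a second medium), since the chain only proves consistency of what is presented, not who presented it.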
UK LEGAL GUIDELINES
In order to comply with the need to maintain the integrity of digital evidence, examiners follow guidelines issued by the Association of Chief Police Officers (ACPO). The guidelines consist of four principles:
1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
UK LEGAL GUIDELINES (contd.)
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
SOME TOOLS
- EnCase
- FTK
- PTK Forensics
- The Sleuth Kit
- The Coroner's Toolkit
- COFEE
- Selective file dumper
(many free / commercial)
Typical tasks: manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.
SOME TOOLS BY CDAC
CyberCheck Suite - Disk Forensics Tools
- TrueBack V3.1 on Linux - Disk Imaging Tool
- TrueBack V1.0 on Windows - Disk Imaging Tool
- CyberCheck V3.2 on Windows - Data Recovery and Analysis Tool
NetForce Suite - Network Forensics Tools
- CyberInvestigator V1.0 on Windows - Forensic Log Analyzer
- NeSA V1.0 on Linux - Network Session Analyzer
- EmailTracer V3.0 on Windows - Tool for tracing sender of email
SOME TOOLS BY CDAC
DeviceAnalyst Suite - Device Forensics Tools
- PDA Imager & Analyzer - Tool for imaging and analyzing PDA contents
- SIM Card Imager & Analyzer - Tool for imaging and analyzing GSM SIM Cards
- CDR Analyzer - Tool for analyzing Call Data Records
Cyber Forensics Hardware Tools
- TrueImager - High speed H/W based Disk Imaging Tool
- TrueLock - H/W based drive lock for write protecting IDE/SATA disks
FORENSIC EXAMINER MUST UNDERSTAND / HAVE
- BUSINESS PROCESS
- TECHNOLOGY
- LAW AND LEGAL PROCESS (LOCAL / INTL)
- HUMAN BEHAVIOUR
- LATEST DEVELOPMENTS IN IT AND CRIME SCENARIO
- COMMON SENSE / SIXTH SENSE
- HUMAN RELATIONS SKILLS
- REPORTING / DOCUMENTATION SKILLS
FORENSIC CERTIFICATES
- CFE (CERTIFIED FRAUD EXAMINER)
- GCFA (GIAC CERTIFIED FORENSICS ANALYST)
- CCCI (CERTIFIED COMPUTER CRIMES INVESTIGATOR)
- CCE (CERTIFIED COMPUTER EXAMINER)
- CCFE (CERTIFIED COMPUTER FORENSICS EXAMINER)
For network etc., CCNA / CCNP etc. helps
For application, programming / database skill helps
Want to get updated on IS Security issues?
Subscribe to the CRPCC newsletter at the google-group Control-Computer-Crimes (newsletter 3 times a week, 100000 subscribers)
Read the books:
- Information Technology Act 2000
- Digital Signatures
- Case Studies in Information Security
- Sankat Mochan Yojana (download from www.sysman.in)
- Securing Wi-Fi Networks (download from www.sysman.in)
Rakesh Goyal (Managing Director, Sysman Computers P Ltd. & Director, Center for Research and Prevention of Computer Crimes)
- AMIE (Gold Medallist), MBA (IIMB, Gold Medallist), Chartered Engineer, Certified Management Consultant, Certified Information System Auditor (4th rank in world), Certified Computer Crime Investigator, Certified Fraud Examiner
- 37 yrs Industry / Consulting experience
- 28 yrs in IT Software Development
- 19 yrs in IT / Computer Security since 1991
Rakesh Goyal
- Pioneer in IT Security in India
- Author of the books Computer Crimes (1993), Digital Signatures (2004), I T Act-2000 (2005), Sanket Mochan Yojana (2005), Wi-Fi Security (2006)
- 50 articles and research papers
- 2100+ Assignments in Computer Crimes Forensics, Investigation & Prevention since 1991
- Member of the committee that created the IT Act in India and later defined PKI standards
- Member of various Government and RBI committees
- Black belt in Karate
About SYSMAN
- Incorporated in 1985: 25 year old Firm
- Part Equity held by the IDBI (Premier Financial Institution of Govt. of India)
- One of the only 7 Empanelled Auditors under Information Technology Act, 2000 (2001-2007)
- Empanelled Auditors with CERT-In, GoI
- Published books: COMPUTER CRIMES, CASES ON INFORMATION SYSTEMS SECURITY, Digital Signatures, I T Act-2000, Wi-Fi Security and Bank Computerisation
- First Mumbai-based ISO17799 Associate Consultant of British Standards Institution, UK for Implementation of ISMS 7799
About SYSMAN
- Registered with World Bank, Asian Dev. Bank, African Dev. Bank, Reserve Bank of India, EXIM Bank, several Large Banks etc.
- Over 1,900 Human Years of experience
- Oldest Indian IS Security Firm
- Completed 2100+ IS Audit & IS Security Projects since 1991
- Client Sectors: Banks, Multi National Corporations, Indian Corporates, Law Enforcement & Revenue Departments
Thank You For Your Attention.
Contact: Rakesh Goyal
SYSMAN COMPUTERS (P) LTD., Mumbai, India
Tel: +91-99672-47000 / 9967248000
e-mail: sysman@sysman.in and rakesh@sysman.in
URL: www.sysman.in