Incident Response and Computer Forensics
James L. Antonakos, WhiteHat Forensics

Incident Response Topics
- Why does an organization need a CSIRT?
- Who's on the team?
- Initial Steps
- Detailed Project Plan
- Incident Response Flowchart
- Digital Forensics
- An Actual Incident
- Table Top Exercises

Computer Forensics Topics
- What is Computer Forensics?
- Why do we need Computer Forensics?
- Live Analysis Versus Static Analysis
- Capturing a Drive Image
- The Organization of Hard Disks
- The Organization of File Systems
- The FAT File System
- The NTFS File System
- The EXT3 File System
- Where's the Data?
- Forensic Tools
Why does an organization need a CSIRT?
An organization needs a CSIRT if it uses computers, whatever the size of the organization.
- No matter how well trained, an employee is still vulnerable.
- Non-existent security policies and processes also contribute to vulnerabilities.
- No matter how well protected, a computer is still vulnerable.

Who's on the team?
The CSIRT members come from all areas of the organization:
- Information Technology
- Help Desk
- Human Resources
- Public Relations
- Legal
- Fiscal
- Facilities
- External Consultant

Initial Steps
Starting up the CSIRT involves the following steps:
1. Obtain approval from upper management to create the CSIRT.
2. Invite the initial members to meet.
3. Explain the purpose of the CSIRT and the core services it provides.
4. Describe the role of each member of the team.
5. Assign a CSIRT leader / main point of contact.
6. Develop a detailed project plan for implementation.
7. Execute the project plan and become operational.
8. Evaluate CSIRT effectiveness.
Detailed Project Plan
The detailed project plan involves the following steps:
1. Establish the team communication method.
2. Decide on hours of operation.
3. Determine incident reporting and tracking procedures.
4. Devise the incident response flowchart.
5. Perform table top exercises.
6. Establish how an incident is escalated.
7. Develop CSIRT policies.
8. Determine QA metrics.
9. Partner with another CSIRT.
10. Roll out the CSIRT to the organization.

Incident Response Flowchart
(Flowchart diagram; not reproduced in the text.)
What is Computer Forensics?
- Computer Forensics is a process used to locate digital information that may be used to help prove guilt or innocence.
- Computer Forensics procedures must be properly followed to avoid contamination (altering) of the evidence (information).
- It is very important to maintain the Chain of Custody.
Digital Forensics
Digital Forensics is performed to record the state of a system at the time of an incident, assist law enforcement, and help determine how an incident occurred and what happened. When digital forensics is required, there are several procedures to follow. Throughout the activity, proper documentation should be maintained, such as recording the time and date the evidence was handled, who handled it, and the reason it was handled.

First, determine whether live or static forensics is required on a system:
- Live Forensics: performed on a running system.
- Static Forensics: performed on an evidence image.

Live Forensics
This is performed on a running system. There is digital evidence present on a running system that is not present on a system that has been powered off. This evidence includes:
- Time / date
- Logged-on user
- Remote users
- Windows clipboard data
- What is on the Desktop
- Running processes and services
- The contents of RAM
- Mapped network drives
- Network traffic and open connections
In addition to this evidence, everything covered under static forensics can also be examined.

Static Forensics
This is performed on an image of a hard disk collected using appropriate law enforcement techniques (chain of custody maintained, a write blocker used during image capture, and hashing used to verify the integrity of the forensic image). This evidence includes examining:
- Existing files: user-created files, such as Office documents and photos
- Internet history
- IM logs
- System Event logs
- Hidden files and folders
- Encrypted files
- The Registry
- PAGEFILE.SYS and HIBERFIL.SYS
- Deleted files
- File slack space
- Unallocated disk space
An Actual Incident
Names were changed to protect the innocent.

Prior to the CSIRT being established, a company experienced a security incident involving ransomware. A remote staff member was reading email and clicked on a link that opened a ZIP file containing a PDF document. When she opened the PDF, her system became quite unresponsive. Even though her system was connected to the organization via a VPN, she became concerned and called the Help Desk. The Help Desk had her disconnect her system from the VPN.

The system was still slow and unresponsive while the Help Desk asked routine questions. Then a ransom message appeared, informing the staff member that her files had been encrypted and stating the amount of money to be paid via Bitcoin in order to obtain the decryption key.
At no time during this process did the endpoint protection software indicate the presence of malware. The Help Desk instructed the staff member to mail her system back to the organization, as they would provide a new system. When the Help Desk team member got off the phone, he informed the head network engineer of the situation. Since remote employees connecting over VPN have one or more organizational drives mapped to the remote system, the network engineer thought it likely that files on the organization's file servers had been encrypted as well.

The network engineer looked up the affected staff member in Active Directory to determine her role and the file and folder permissions in effect for her. Because her permissions were properly limited to only the files she needed to access to perform her work, the number of encrypted files found on the organization's systems was very small. These files were restored from backup. As a result of this incident, additional security awareness training was conducted for all employees, with emphasis on safe use of email and web browsing.

Table Top Exercises
Table top exercises consist of mock scenarios that are used to test the effectiveness of the incident response flowchart. Here is a short list of scenarios:
1. Web page defacement
2. Malware / Ransomware infection
3. Social Engineering activity
4. Unknown Remote Desktop activity
5. Distributed Denial of Service attack underway
6. New Security Advisory
7. Unauthorized Access / Compromised Accounts
8. Employee engaging in inappropriate activity
9. Information Asset theft / Data breach discovered
10. Rogue wireless access point discovered
11. Intentional damage to equipment
Here are some sample questions that may help direct the discussion of the scenario:
- Who decides how many incident response team members would participate in handling this incident?
- Besides the incident response team, what groups within the organization would be involved in handling this incident?
- To which external parties would the incident be reported? When would each report occur? How would each report be made?
- What other communications with external parties may occur? Report to another CSIRT?
- What tools and resources are necessary to handle this incident?
- What aspects of the response would be different if the incident occurs at a different day and time (on hours versus off hours)?
- What aspects of the response would be different if the incident occurs at a different location (onsite versus offsite)?

Hands-on Activity
1. Break into small groups.
2. Choose a table top scenario.
3. Discuss whether it is an event or an incident.
4. If it is an incident, go through the incident response flowchart and gauge the effectiveness of the flowchart in handling all aspects of the incident.
5. Share your findings with the other groups.

Why do we need Computer Forensics?
- To support law enforcement.
- Many types of documents are now stored electronically.
- To learn about the techniques used by cybercriminals.
- Computers may be the instrument used in a crime or the victim of a crime.
Live Analysis Versus Static Analysis
Live Analysis: forensics performed on a running system.
- There are more things to look at during a live analysis than during a static analysis.
- Do you pull the plug or perform an orderly shutdown?
Static Analysis: forensics performed on a copy of the data from a system.
- This type of analysis is done most often.

Live Analysis: things to record
- System time and date.
- Users logged on to the system.
- Open network connections.
- Network drives mapped to the system.
- Processes that are running.
- What is on the Desktop and Clipboard.

Static Analysis: things to look for
- Registry entries.
- Hidden files and folders, encrypted files.
- Images, emails, IM logs, other files.
- Misnamed files.
- Deleted files.
- Data in unallocated space and slack space.
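The "things to record" list above is easiest to apply reliably if the items are collected in a fixed order, most volatile first, and the collection itself is documented. The following added example (not code from the slides or from the author) does that: it runs one command per item, records when each ran and the SHA-256 of its output, and keeps going when a tool is missing or hangs. The Linux command lines in LINUX_COMMANDS are assumptions for a typical host; DEMO_COMMANDS are constructed stand-ins so the collector can be exercised offline.

```python
# Added example (not from the slides): collect the volatile items listed above in
# one pass, most volatile first, and record who collected what, when, and the
# hash of each output so the collection itself can be documented and verified.
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone

# Assumed Linux command lines for the items on the "things to record" list;
# adjust for the host being examined (Windows would use different tools).
LINUX_COMMANDS = [
    ("system_time", ["date", "-u"]),
    ("logged_on_users", ["who"]),
    ("open_network_connections", ["ss", "-tunap"]),
    ("mapped_network_drives", ["mount"]),
    ("running_processes", ["ps", "-eo", "pid,ppid,user,etime,args"]),
]

# Constructed stand-ins that run wherever Python runs, so the collector can be
# exercised offline; the last one deliberately names a tool that does not exist.
DEMO_COMMANDS = [
    ("system_time", [sys.executable, "-c", "print('2024-01-01T00:00:00Z')"]),
    ("logged_on_users", [sys.executable, "-c", "print('alice    tty1')"]),
    ("open_network_connections", ["no-such-live-response-tool"]),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def run_collector(commands, examiner, case_id, timeout=30):
    """Run each command in the given order and return a manifest describing
    exactly what was captured. A missing tool or a hung command is recorded as
    an error for that item and collection continues with the next one."""
    manifest = {"case_id": case_id, "examiner": examiner,
                "started_at": utc_now(), "items": []}
    for name, argv in commands:
        item = {"name": name, "command": argv, "collected_at": utc_now()}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            item["exit_code"] = proc.returncode
            item["output"] = proc.stdout.decode("utf-8", "replace")
            item["sha256"] = sha256_hex(proc.stdout)
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            item["error"] = type(exc).__name__
        manifest["items"].append(item)
    manifest["finished_at"] = utc_now()
    return manifest


def collected_names(manifest):
    """Names of items that produced output (a quick completeness check)."""
    return [i["name"] for i in manifest["items"] if "sha256" in i]


if __name__ == "__main__":
    result = run_collector(DEMO_COMMANDS, examiner="examiner-name", case_id="CASE-0001")
    print(json.dumps(result, indent=2))
```

The manifest is what goes into the case notes: each item carries its own timestamp and hash, so a later reviewer can tell which tool ran, in what order, and whether the saved output still matches what was captured. On a real host the collector would be run from trusted tools on removable media, with LINUX_COMMANDS in place of DEMO_COMMANDS.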
Capturing a Drive Image
- A write blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
- The entire drive is imaged, including unallocated space, to a clean drive.
- The image must be verified to guarantee integrity. This is done using a hash function.

- One bit is a 0 or a 1.
- One byte is 8 bits.
- One KB (Kilobyte) is 1024 bytes.
- One MB (Megabyte) is 1024 KB.
- One GB (Gigabyte) is 1024 MB.
- A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
- One TB (Terabyte) is 1024 GB.

- A drive may be imaged via a USB or FireWire connection, or over the network.
- The size of the drive being imaged affects the time required to perform the capture.
- The speed of the connection also affects the time required to image the drive.
- A 500 GB drive may require 8 hours or several days to acquire.
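Verifying the image with a hash, and documenting every time the evidence is handled (time and date, who, and why, as the Digital Forensics section requires), can be done together. The following added example is not code from the slides or from the author: it hashes an image in chunks so a drive far larger than RAM can be verified, compares the result with the hash recorded at acquisition, and appends one chain-of-custody record per handling event. The evidence identifier, handler name and the tiny "image" file are constructed for the demonstration.

```python
# Added example (not from the slides): verify a drive image against the hash
# recorded at acquisition, and write a chain-of-custody log entry for each time
# the image is handled. Paths and names are constructed for the demonstration.
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash a multi-hundred-GB image 1 MiB at a time


def hash_bytes(data, algorithm="sha256"):
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hash an image file in chunks so images far larger than RAM can be verified."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="sha256"):
    """True only if the image still hashes to the value recorded at acquisition."""
    actual = hash_file(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.lower())


def custody_entry(evidence_id, handler, reason, path, expected_hex=None, algorithm="sha256"):
    """One chain-of-custody record: who handled the evidence, when, why, and the
    hash computed at that moment (plus the verification result when the
    acquisition hash is known)."""
    digest = hash_file(path, algorithm)
    entry = {
        "evidence_id": evidence_id,
        "handled_at": datetime.now(timezone.utc).isoformat(),
        "handled_by": handler,
        "reason": reason,
        "size_bytes": os.path.getsize(path),
        "algorithm": algorithm,
        "hash": digest,
    }
    if expected_hex is not None:
        entry["verified"] = hmac.compare_digest(digest, expected_hex.lower())
    return entry


def append_custody_log(log_path, entry):
    """Append one JSON line per handling event; earlier lines are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")


def make_constructed_image():
    """Write a tiny constructed 'drive image' (two 512-byte sectors) to a temp file."""
    data = b"\x00" * 510 + b"\x55\xaa" + b"EVIDENCE" * 64
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path, data


if __name__ == "__main__":
    path, data = make_constructed_image()
    acquisition_hash = hash_file(path)            # recorded when the image was captured
    print("verifies:", verify_image(path, acquisition_hash))
    with open(path, "r+b") as f:                  # simulate one flipped byte
        f.seek(600)
        f.write(b"\xff")
    print("verifies after tampering:", verify_image(path, acquisition_hash))
    os.remove(path)
```

The same hash_file call is what you would run immediately after acquisition (to record the hash) and again before every examination (to prove the image is unchanged); a single flipped byte anywhere in the image changes the digest. The custody log is append-only JSON lines so that the handling history can be read and re-verified later without special tooling.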
Image is Verified via a Hash
(Slide image; not reproduced in the text.)

What is a File System?
- Establishes a logical organization for file storage over a wide range of physical storage devices.
- Makes it easy for users (and programs) to create, alter, copy, and delete files.
- Provides long-term, high-speed access to files.
- Enables file sharing over a network.

File System vs Operating System
- A file system is not an operating system.
- A file system needs an operating system in order to be useful.
- An operating system supports one or more file systems:
  Windows: FAT, NTFS
  Linux: EXT, FAT
  Mac OS X: HFS, FAT
The Organization of Hard Disks
- A hard disk contains one or more platters.
- Each platter has two sides (surfaces).
- Each surface contains circular tracks divided into sectors.
- Each track may contain 64 sectors.
- Each sector contains 512 bytes of data.
- A 500 GB hard drive contains over 1 billion sectors.

Typical Hard Drive
(Photo; not reproduced in the text.)
The Organization of Hard Disks
- The hard disk spins at a fast rate (5400 rpm or 7200 rpm).
- A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.
- Data is transferred between the disk and main memory on the motherboard.

The Organization of File Systems
- A file system is a logical way of organizing the sectors on a disk.
- Different operating systems support different file systems:
  Windows: FAT and NTFS
  Linux: EXT3
  Mac OS X: HFS+
- FAT is the most widely supported file system.
The Organization of File Systems
Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:
- Boot sector
- FAT sectors
- Directory sectors
- Data sectors

Operation of FAT
(Diagram; not reproduced in the text.)

Challenges of FAT
- After a lot of use (files created, edited, and deleted), the FAT becomes very fragmented.
- It is not easy to search through the FAT on a hard disk, as it is very large.
- We need software to interpret the FAT for us.
- File slack may contain valuable data.
Where is the File Slack?
(Diagram; not reproduced in the text.)

What Happens when a File is Deleted?
- The file's entries in the FAT are set to free.
- The file's entry in the Directory has its first byte (letter) changed to an unprintable code (E5); all other file properties stay the same.
- The data content of the file remains stored on disk until overwritten.

A Sample Directory
(Slide image; not reproduced in the text.)
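The two points above about FAT, that the directory sectors hold one 32-byte entry per file and that deleting a file only overwrites the first byte of its entry with E5, are what make recovery possible. The following added example (not code from the slides or from the author) parses a constructed directory sector using the standard FAT short-name entry layout, flags the deleted entry, shows that its starting cluster and size survive intact, and computes each file's slack for an assumed 4096-byte cluster. File names, sizes and cluster numbers are constructed for the demonstration.

```python
# Added example (not from the slides): parse 32-byte FAT short-name directory
# entries from a constructed directory sector, flag entries whose first byte is
# the E5 deletion marker, and compute each file's slack. The names, sizes and
# cluster numbers are constructed; the entry layout is the standard FAT one.
import math
import struct

ENTRY = struct.Struct("<11sBBBHHHHHHHI")  # name, attr, NT reserved, create 1/10 s,
                                         # create time, create date, access date,
                                         # first cluster (high), write time,
                                         # write date, first cluster (low), size
DELETED = 0xE5           # first byte of a deleted entry
END_OF_DIRECTORY = 0x00  # first byte 0x00: no entries follow
ATTR_LONG_NAME = 0x0F    # long-file-name pieces share the same 32-byte slots


def make_entry(name83, size, first_cluster, deleted=False, attr=0x20):
    """Build one short-name entry; name83 is the padded 8+3 name, e.g. 'REPORT  DOC'."""
    raw = name83.encode("ascii")
    assert len(raw) == 11
    if deleted:
        raw = bytes([DELETED]) + raw[1:]   # only the first byte is overwritten
    return ENTRY.pack(raw, attr, 0, 0, 0, 0, 0, first_cluster >> 16,
                      0, 0, first_cluster & 0xFFFF, size)


def sample_directory():
    """Constructed directory sector: two live files, one deleted file, end marker."""
    return (make_entry("REPORT  DOC", 10_000, 5)
            + make_entry("SECRET  XLS", 45_000, 40, deleted=True)
            + make_entry("LOG     TXT", 4_096, 9)
            + bytes(32))


def file_slack(size, bytes_per_cluster):
    """Bytes between the end of the file and the end of its last cluster."""
    allocated = math.ceil(size / bytes_per_cluster) * bytes_per_cluster
    return allocated - size


def parse_directory(data, bytes_per_cluster):
    """Walk the entries in a directory sector and describe each file found."""
    entries = []
    for offset in range(0, len(data) - 31, 32):
        raw = data[offset:offset + 32]
        if raw[0] == END_OF_DIRECTORY:
            break
        name, attr, _, _, _, _, _, hi, _, _, lo, size = ENTRY.unpack(raw)
        if attr == ATTR_LONG_NAME:
            continue                              # long-name pieces are not files
        deleted = name[0] == DELETED
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]                 # first letter is gone; rest survives
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,     # still intact after deletion
            "size": size,                         # still intact after deletion
            "slack_bytes": file_slack(size, bytes_per_cluster),
        })
    return entries


if __name__ == "__main__":
    for e in parse_directory(sample_directory(), bytes_per_cluster=4096):
        print(e)
```

Because the deleted entry still carries its first cluster and size, a recovery tool knows where the data started and how many bytes to read; only the first character of the name and the FAT chain itself must be reconstructed. The slack figures show where the "file slack may contain valuable data" point comes from: REPORT.DOC leaves 2,288 bytes of its last cluster untouched, and whatever was in those bytes before is still there.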
The NTFS File System
- NTFS maintains a Master File Table that stores information (called metadata) about every file on the volume.
- Bear in mind that everything in NTFS is a file, including the list of bad clusters, the allocation bitmap that shows which clusters are allocated, and the transaction log that records all transactions on the volume.
- The structure of NTFS is more complicated than that of FAT, requiring around 10 MB for an empty file system, making NTFS unsuitable for floppy disks.
(Additional NTFS diagram slides; not reproduced in the text.)
Where's the Data?
- Registry.
- Files and folders.
- Deleted files.
- Unallocated space.
- Slack space.
- System files: INDEX.DAT, PAGEFILE.SYS, HIBERFIL.SYS
The EXT File System
- EXT2 was developed in 1993 for Linux.
- EXT3 was added to Linux in 2001. Its main new feature was journaling, which has three modes: journal, ordered, and writeback.
- EXT4 was added to Linux in 2008. Larger file systems are supported.

- Recovering a deleted file in EXT2 is very easy, as all information still resides in the inode for the file.
- Recovering a deleted file in EXT3 is much more difficult, as the block pointer fields in the inode (and in the indirect blocks) are zeroed out.
- All is not lost, however, as files may potentially be recovered by examining information contained in the journal.
(Source: www.sans.org)
Forensic Tools
- Hex editor: display, search, and modify hexadecimal data.
- Forensic analysis software: FTK (Forensic Toolkit), EnCase, Autopsy, X-Ways
- Network traffic sniffer/analyzer
- Imaging software
- Hashing software
- Log file analyzer
- Steganography software

FTK (Forensic ToolKit)
(Screenshot; not reproduced in the text.)
Skills Needed by a Forensic Examiner
- Knowledge of operating systems.
- Knowledge of file systems.
- Must understand networking and TCP/IP.
- Must possess the necessary software for imaging and analyzing images.
- Must possess additional software such as a hex editor, log file analyzer, etc.
- Lots of patience!!!

Thank you!
James L. Antonakos
james@whitehatforensics.com
(607) 765 2686