INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION




Chris Prosise, Kevin Mandia
McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

CONTENTS

Foreword xxi
Acknowledgments xxiii
Introduction xxv

Chapter 1 Real-World Incidents 3
  Factors Affecting Response 4
  International Crime 5
  Welcome to Invita 5
  The PathStar Conspiracy 6
  Traditional Hacks 7
  So What? 9

Chapter 2 Introduction to the Incident Response Process 11
  What Is a Computer Security Incident? 12
  What Are the Goals of Incident Response? 13
  Who Is Involved in the Incident Response Process? 13
  Incident Response Methodology 14
  Pre-Incident Preparation 16
  Detection of Incidents 17
  Initial Response 18
  Formulate a Response Strategy 20
  Investigate the Incident 24
  Reporting 30
  Resolution 31
  So What? 32
  Questions 32

Chapter 3 Preparing for Incident Response 33
  Overview of Pre-incident Preparation 34
  Identifying Risk 35
  Preparing Individual Hosts 36
  Recording Cryptographic Checksums of Critical Files 36
  Increasing or Enabling Secure Audit Logging 39
  Building Up Your Host's Defenses 46
  Backing Up Critical Data 47
  Educating Your Users about Host-Based Security 48
  Preparing a Network 49
  Installing Firewalls and Intrusion Detection Systems 50
  Using Access Control Lists on Your Routers 50
  Creating a Network Topology Conducive to Monitoring 50
  Encrypting Network Traffic 52
  Requiring Authentication 52
  Establishing Appropriate Policies and Procedures 53
  Determining Your Response Stance 54
  Understanding How Policies Can Aid Investigative Steps 56
  Developing Acceptable Use Policies 63
  Designing AUPs 64
  Developing Incident Response Procedures 66
  Creating a Response Toolkit 66
  The Response Hardware 67
  The Response Software 68
  The Network Monitoring Platform 68
  Documentation 69
  Establishing an Incident Response Team 69
  Deciding on the Team's Mission 69
  Training the Team 70
  So What? 73
  Questions 73

Chapter 4 After Detection of an Incident 75
  Overview of the Initial Response Phase 76
  Obtaining Preliminary Information 77
  Documenting Steps to Take 77
  Establishing an Incident Notification Procedure 77
  Recording the Details after Initial Detection 78
  Initial Response Checklists 78
  Case Notes 80
  Incident Declaration 80
  Assembling the CSIRT 81
  Determining Escalation Procedures 82
  Implementing Notification Procedures 83
  Scoping an Incident and Assembling the Appropriate Resources 84
  Performing Traditional Investigative Steps 86
  Conducting Interviews 87
  Getting Contact Information 88
  Interviewing System Administrators 88
  Interviewing Managers 89
  Interviewing End Users 90
  Formulating a Response Strategy 90
  Response Strategy Considerations 90
  Policy Verification 91
  So What? 92
  Questions 92

Chapter 5 Live Data Collection from Windows Systems 95
  Creating a Response Toolkit 96
  Gathering the Tools 97
  Preparing the Toolkit 98
  Storing Information Obtained during the Initial Response 100
  Transferring Data with netcat 100
  Encrypting Data with cryptcat 102
  Obtaining Volatile Data 103
  Organizing and Documenting Your Investigation 103
  Collecting Volatile Data 104
  Scripting Your Initial Response 114
  Performing an In-Depth Live Response 115
  Collecting the Most Volatile Data 115
  Creating an In-Depth Response Toolkit 115
  Collecting Live Response Data 116
  Is Forensic Duplication Necessary? 123
  So What? 123
  Questions 124

Chapter 6 Live Data Collection from Unix Systems 125
  Creating a Response Toolkit 126
  Storing Information Obtained During the Initial Response 127
  Obtaining Volatile Data Prior to Forensic Duplication 128
  Collecting the Data 128
  Scripting Your Initial Response 137
  Performing an In-Depth, Live Response 138
  Detecting Loadable Kernel Module Rootkits 138
  Obtaining the System Logs During Live Response 140
  Obtaining Important Configuration Files 141
  Discovering Illicit Sniffers on Unix Systems 141
  Reviewing the /Proc File System 144
  Dumping System RAM 147
  So What? 148
  Questions 149

Chapter 7 Forensic Duplication 151
  Forensic Duplicates As Admissible Evidence 152
  What Is a Forensic Duplicate? 153
  What Is a Qualified Forensic Duplicate? 153
  What Is a Restored Image? 153
  What Is a Mirror Image? 154
  Forensic Duplication Tool Requirements 155
  Creating a Forensic Duplicate of a Hard Drive 157
  Duplicating with dd and dcfldd 157
  Duplicating with the Open Data Duplicator (ODD) 159
  Creating a Qualified Forensic Duplicate of a Hard Drive 163
  Creating a Boot Disk 163
  Creating a Qualified Forensic Duplicate with SafeBack 164
  Creating a Qualified Forensic Duplicate with EnCase 168
  So What? 172
  Questions 172

Chapter 8 Collecting Network-based Evidence 173
  What Is Network-based Evidence? 174
  What Are the Goals of Network Monitoring? 174
  Types of Network Monitoring 175
  Event Monitoring 175
  Trap-and-Trace Monitoring 175
  Full-Content Monitoring 176
  Setting Up a Network Monitoring System 177
  Determining Your Goals 177
  Choosing Appropriate Hardware 178
  Choosing Appropriate Software 180
  Deploying the Network Monitor 184
  Evaluating Your Network Monitor 185
  Performing a Trap-and-Trace 186
  Initiating a Trap-and-Trace with tcpdump 187
  Performing a Trap-and-Trace with WinDump 188
  Creating a Trap-and-Trace Output File 190
  Using tcpdump for Full-Content Monitoring 190
  Filtering Full-Content Data 191
  Maintaining Your Full-Content Data Files 192
  Collecting Network-based Log Files 193
  So What? 194
  Questions 194

Chapter 9 Evidence Handling 197
  What Is Evidence? 198
  The Best Evidence Rule 198
  Original Evidence 199
  The Challenges of Evidence Handling 199
  Authentication of Evidence 200
  Chain of Custody 200
  Evidence Validation 201
  Overview of Evidence-Handling Procedures 202
  Evidence System Description 203
  Digital Photos 203
  Evidence Tags 205
  Evidence Labels 207
  Evidence Storage 207
  The Evidence Log 210
  Working Copies 211
  Evidence Backups 211
  Evidence Disposition 212
  Evidence Custodian Audits 212
  So What? 213
  Questions 213

Chapter 10 Computer System Storage Fundamentals 217
  Hard Drives and Interfaces 218
  The Swiftly Moving ATA Standard 218
  SCSI (Not Just a Bad-Sounding Word) 223
  Preparation of Hard Drive Media 227
  Wiping Storage Media 227
  Partitioning and Formatting Storage Drives 228
  Introduction to File Systems and Storage Layers 231
  The Physical Layer 232
  The Data Classification Layer 233
  The Allocation Units Layer 234
  The Storage Space Management Layer 234
  The Information Classification and Application-level Storage Layers 236
  So What? 236
  Questions 237

Chapter 11 Data Analysis Techniques 239
  Preparation for Forensic Analysis 240
  Restoring a Forensic Duplicate 241
  Restoring a Forensic Duplication of a Hard Disk 241
  Restoring a Qualified Forensic Duplication of a Hard Disk 244
  Preparing a Forensic Duplication for Analysis in Linux 248
  Examining the Forensic Duplicate File 249
  Associating the Forensic Duplicate File with the Linux Loopback Device 250
  Reviewing Image Files with Forensic Suites 253
  Reviewing Forensic Duplicates in EnCase 253
  Reviewing Forensic Duplicates in the Forensic Toolkit 255
  Converting a Qualified Forensic Duplicate to a Forensic Duplicate 257
  Recovering Deleted Files on Windows Systems 260
  Using Windows-Based Tools to Recover Files on FAT File Systems 260
  Using Linux Tools to Recover Files on FAT File Systems 260
  Running Autopsy as a GUI for File Recovery 264
  Using Foremost to Recover Lost Files 268
  Recovering Deleted Files on Unix Systems 271
  Recovering Unallocated Space, Free Space, and Slack Space 275
  Generating File Lists 278
  Listing File Metadata 278
  Identifying Known System Files 282
  Preparing a Drive for String Searches 282
  Performing String Searches 284
  So What? 288
  Questions 289

Chapter 12 Investigating Windows Systems 291
  Where Evidence Resides on Windows Systems 292
  Conducting a Windows Investigation 293
  Reviewing All Pertinent Logs 294
  Performing Keyword Searches 302
  Reviewing Relevant Files 303
  Identifying Unauthorized User Accounts or Groups 320
  Identifying Rogue Processes 320
  Looking for Unusual or Hidden Files 321
  Checking for Unauthorized Access Points 323
  Examining Jobs Run by the Scheduler Service 326
  Analyzing Trust Relationships 327
  Reviewing Security Identifiers (SIDs) 328
  File Auditing and Theft of Information 328
  Handling the Departing Employee 331
  Reviewing Searches and Files Used 332
  Conducting String Searches on Hard Drives 332
  So What? 333
  Questions 333

Chapter 13 Investigating Unix Systems 335
  An Overview of the Steps in a Unix Investigation 336
  Reviewing Pertinent Logs 337
  Network Logging 337
  Host Logging 340
  User Activity Logging 341
  Performing Keyword Searches 342
  String Searches with grep 343
  File Searches with find 344
  Reviewing Relevant Files 344
  Incident Time and Time/Date Stamps 345
  Special Files 347
  Identifying Unauthorized User Accounts or Groups 350
  User Account Investigation 350
  Group Account Investigation 351
  Identifying Rogue Processes 351
  Checking for Unauthorized Access Points 352
  Analyzing Trust Relationships 352
  Detecting Trojan Loadable Kernel Modules 353
  LKMs on Live Systems 354
  LKM Elements 354
  LKM Detection Utilities 355
  So What? 358
  Questions 358

Chapter 14 Analyzing Network Traffic 359
  Finding Network-Based Evidence 360
  Tools for Network Traffic Analysis 360
  Reviewing Network Traffic Collected with tcpdump 361
  Generating Session Data with tcptrace 362
  Parsing a Capture File 362
  Interpreting the tcptrace Output 363
  Using Snort to Extract Event Data 364
  Checking for SYN Packets 365
  Interpreting the Snort Output 369
  Reassembling Sessions Using tcpflow 369
  Focusing on FTP Sessions 369
  Interpreting the tcpflow Output 370
  Reviewing SSH Sessions 374
  Reassembling Sessions Using Ethereal 376
  Refining tcpdump Filters 378
  So What? 379
  Questions 380

Chapter 15 Investigating Hacker Tools 385
  What Are the Goals of Tool Analysis? 386
  How Files Are Compiled 386
  Statically Linked Programs 387
  Dynamically Linked Programs 387
  Programs Compiled with Debug Options 387
  Stripped Programs 389
  Programs Packed with UPX 389
  Compilation Techniques and File Analysis 392
  Static Analysis of a Hacker Tool 394
  Determining the Type of File 394
  Reviewing the ASCII and Unicode Strings 395
  Performing Online Research 397
  Performing Source Code Review 398
  Dynamic Analysis of a Hacker Tool 399
  Creating the Sandbox Environment 399
  Dynamic Analysis on a Unix System 401
  Dynamic Analysis on a Windows System 409
  So What? 413
  Questions 413

Chapter 16 Investigating Routers 415
  Obtaining Volatile Data Prior to Powering Down 416
  Establishing a Router Connection 417
  Recording System Time 417
  Determining Who Is Logged On 417
  Determining the Router's Uptime 418
  Determining Listening Sockets 419
  Saving the Router Configuration 420
  Reviewing the Routing Table 421
  Checking Interface Configurations 422
  Viewing the ARP Cache 423
  Finding the Proof 423
  Handling Direct-Compromise Incidents 423
  Handling Routing Table Manipulation Incidents 425
  Handling Theft of Information Incidents 426
  Handling Denial-of-Service (DoS) Attacks 426
  Using Routers as Response Tools 428
  Understanding Access Control Lists (ACLs) 428
  Monitoring with Routers 430
  Responding to DDoS Attacks 431
  So What? 433
  Questions 433

Chapter 17 Writing Computer Forensic Reports 435
  What Is a Computer Forensics Report? 436
  What Is an Expert Report? 436
  Report Goals 437
  Report Writing Guidelines 439
  Document Investigative Steps Immediately and Clearly 439
  Know the Goals of Your Analysis 440
  Organize Your Report 441
  Follow a Template 441
  Use Consistent Identifiers 441
  Use Attachments and Appendixes 442
  Have Co-workers Read Your Reports 442
  Use MD5 Hashes 443
  Include Metadata 443
  A Template for Computer Forensic Reports 444
  Executive Summary 445
  Objectives 445
  Computer Evidence Analyzed 446
  Relevant Findings 447
  Supporting Details 448
  Investigative Leads 451
  Additional Report Subsections 451
  So What? 452
  Questions 453

Appendix A Answers to Questions 457
  Chapter 2 458
  Chapter 3 460
  Chapter 4 461
  Chapter 5 462
  Chapter 6 463
  Chapter 7 463
  Chapter 8 465
  Chapter 9 468
  Chapter 10 470
  Chapter 11 473
  Chapter 12 474
  Chapter 13 474
  Chapter 14 475
  Chapter 15 477
  Chapter 16 477
  Chapter 17 478

Appendix B Incident Response Forms 481

Index 491