Constructing a Stable and Verifiable Computer Forensic System



Similar documents
Patch and Vulnerability Management Program

Hardware + Software Solutions for The Best in Client Management & Security. Malcolm Hay Intel Technology Manager

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Planning and Administering Windows Server 2008 Servers

Instant Recovery for VMware

User Guide for VMware Adapter for SAP LVM VERSION 1.2

Information and Communication Technology. Patch Management Policy

Patch Management Policy

That Point of Sale is a PoS

DEDICATED MANAGED SERVER PROGRAM

Managing and Maintaining Windows Server 2008 Servers (6430) Course length: 5 days

Goals. Understanding security testing

virtualization.info Review Center SWsoft Virtuozzo (for Windows) //

Top Ten Private Cloud Risks. Potential downtime and data loss causes

Management (CSM) Capability

Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

Planning and Administering Windows Server 2008 Servers

Serving 4 million page requests an hour with Magento Enterprise

Adobe Systems Incorporated

Comprehensive Device Management Platform comprising of Management Suites specialized in addressing different problem domains, extensively

Streamlining Patch Testing and Deployment

INFORMATION SYSTEMS ANALYST III

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

HP-UX Event Monitoring Service (EMS) Hardware Monitors Release Notes

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

ManageEngine Desktop Central Training

SERVICE SCHEDULE DEDICATED SERVER SERVICES

Vess A2000 Series HA Surveillance with Milestone XProtect VMS Version 1.0

NOS for Network Support (903)

z/os VULNERABILITY SCANNING AND MANAGEMENT Key Resources, Inc. (312) KRI

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING

Proactively Managing Servers with Dell KACE and Open Manage Essentials

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Intel Entry Storage System SS4000-E

SapphireIMS 4.0 Asset Management Feature Specification

Provisioning Technology for Automation

HPSA Agent Characterization

FortiAnalyzer VM (VMware) Install Guide

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

INFORMATION TECHNOLOGY CONTROLS

Building Highly Available OpenZFS Storage Appliances Grenville Whelan

ICANWK401A Install and manage a server

What the student will need:

Restricted Document. Pulsant Technical Specification

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Alliance Key Manager A Solution Brief for Technical Implementers

SOFTWARE-IMPLEMENTED SAFETY LOGIC Angela E. Summers, Ph.D., P.E., President, SIS-TECH Solutions, LP

Diploma in Computer Science

Symantec NetBackup Appliances

Red Hat Enterprise Linux as a

Planning and Administering Windows Server 2008 Servers

Office of Information Technology Hosted Services Service Level Agreement FY2009

SIMPLIFYING THE PATCH MANAGEMENT PROCESS

Advanced Server Virtualization: Vmware and Microsoft Platforms in the Virtual Data Center

Summary of CIP Version 5 Standards

Information Technology Solutions. Managed IT Services

Emerson Smart Wireless Plant Network Solution - After Project Support

Making Data Security The Foundation Of Your Virtualization Infrastructure

Managed Hosting is a managed service provided by MN.IT. It is structured to help customers meet:

Technical Brief Distributed Trusted Computing

ITP01 - Patch Management Policy

WHITE PAPER. Permabit Albireo Data Optimization Software. Benefits of Albireo for Virtual Servers. January Permabit Technology Corporation

Ensuring Robust Data Integrity

PARALLELS SERVER 4 BARE METAL README

FireMon Security Manager Fact Sheet

Change & configuration management

Adapt Support Managed Service Programs

Developing Computer Forensics Solutions for Terabyte Investigations

Splunk for VMware Virtualization. Marco Bizzantino Vmug - 05/10/2011

Spyders Managed Security Services

Hardware and Asset Management Program

Building Storage Service in a Private Cloud

Impact of Digital Forensics Training on Computer Incident Response Techniques

Computer Security: Principles and Practice

The Operating System Lock Down Solution for Linux

Inside Track Research Note. In association with. Enterprise Storage Architectures. Is it only about scale up or scale out?

XID ERRORS. vr352 May XID Errors

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

How To Protect Your Data From Being Damaged On Vsphere Vdp Vdpa Vdpo Vdprod (Vmware) Vsphera Vdpower Vdpl (Vmos) Vdper (Vmom

Red Hat Enterprise linux 5 Continuous Availability

Testing Automation for Distributed Applications By Isabel Drost-Fromm, Software Engineer, Elastic

An Integrated End-to-End Data Integrity Solution to Protect Against Silent Data Corruption

Technical Proposal on ATA Secure Erase Gordon Hughes+ and Tom Coughlin* +CMRR, University of California San Diego *Coughlin Associates

IT & Asset Management Quick-Start Consulting Services for Clients

Technology Solutions for NERC CIP Compliance June 25, 2015

Overview of I/O Performance and RAID in an RDBMS Environment. By: Edward Whalen Performance Tuning Corporation

System Management. Leif Nixon. a security perspective 1/37

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK

License Administration Guide. FlexNet Publisher 2014 R1 ( )

Transcription:

Constructing a Stable and Verifiable Computer Forensic System Daniel Ayers Elementary Solutions Ltd Auckland, New Zealand Open Source Digital Forensics Conference 2011

Introduction This talk is about validation of computer forensic software Difficulties validating and using computer forensic tools on general purpose operating systems What can we do with open source software, including TSK & Linux, to help?

Definitions Tool Computer forensic software executing within a general purpose operating system Positive Validation Ability to extrapolate from successful test(s) that tool is correct. Negative Validation Ability to demonstrate through unsuccessful test(s) that tool is incorrect.

An Experiment Hypothesis Change in OS environment can cause a correct tool to give incorrect results Tested EnCase v6.18 & Linux (Debian Lenny) Results Modification of OS TZ database broke date/time calculations (EnCase & Linux, EnCase broken anyway) Modification of OS codepage/nls definitions broke keyword searching (EnCase, Linux inconclusive)

Tool in a General Purpose OS TOOL Correct tool provided by vendor Libraries Config Operating System Firmware Relies upon proper operation of operating system, firmware and hardware Hardware

Conclusions from Experiment Generic positive validation of a tool ( Tool X v1.4 works correctly ) is not possible A successful validation test means tool works on that particular computer or one with the same characteristics (equivalence) Faults can originate from OS patches (e.g. US DST patch for Windows) Misconfiguration Security compromise (anti-forensics) Changes in date and/or time

Computer Forensic System Computer Forensic System Tool plus all hardware and software capable of influencing the behaviour of the tool. How can you ascertain the scope of a system? Includes specific hardware & software Examine source code (for open source tools) strace/ptrace/process Monitor (closed source)?

But License Restrictions! The terms of the software license for most closed source tools prohibit reverse engineering and similar activities It may not be legal to examine the tool in sufficient detail to identify what OS services, libraries and configuration data it relies on A dead end for closed source?

Constructing a Stable and Verifiable System using Linux, TSK, etc A forensic appliance Based upon general purpose OS & open source software Automatic updates disabled Configuration control software (e.g. Puppet) Integrity verification software (e.g. Tripwire) Verification of hardware & firmware using diagnostics & burnin software Access evidence data via Lustre, NFS, CIFS or web services. Clusters comprised of many appliances

Appliance Life Cycle Version 1 BUILD TEST OPERATE Freeze Configuration Verify Integrity Version 2 BUILD TEST

Hardware Qualification Need to establish reliable operation of hardware and firmware Vendor diagnostic software Burn-in software Memtest86+ IPMI/Hardware monitoring for early detection of problems Verify disk operation prefer hardware RAID

Build Phase Select stable software (ad-hoc updates not possible) Minimal software install Automated configuration management (e.g. Puppet ensure => version ) Freeze Configuration Disable automated updates (lock file, null sources.lst) Install & configure tripwire

Test Phase Conduct sufficient testing to support positive validation of all components of system Tests should compare output of software on system with known correct results Keep detailed records of tests and results (may be required as evidence)

Operational Phase Monitor integrity of system (e.g. via tripwire and IPMI/BMC/iLO/etc) Occasional repetition of test suite (e.g. when the appliance is not required) Maintain logs of which data is processed by what appliance Beware of security vulnerabilities the only way to apply patches is to restart the build, test, operate cycle!

Optimisation Want maximum operate for minimum build + test Key is to prove an appliance is equivalent to one that was positively validated Identical hardware qualify each unit, but build & test only once then mass deploy?

Conclusion Generic validation of a tool is not possible as behaviour depends on OS correctness & configuration Validation tests must take into account all software & hardware factors that may influence outcome Necessary to obtain maximum operation time for minimum build+test Construction of forensic appliances using open source software is a convenient way to achieve this goal

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information