An overview of IT Security Forensics

Similar documents
Computer Forensics. Liu Qian, Fredrik Höglin, Patricia Alonso Diaz. Uppsala University

Security and privacy in public WLAN networks

Digital Forensics & e-discovery Services

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Digital Forensics & e-discovery Services

Basics of Internet Security

Information Technology Audit & Forensic Techniques. CMA Amit Kumar

System Security Policy Management: Advanced Audit Tasks

USM IT Security Council Guide for Security Event Logging. Version 1.1

Scene of the Cybercrime Second Edition. Michael Cross

Robotics Core School 1

Firewall, Mail and File server solution

SECURING INFORMATION SYSTEMS

Information Technologies and Fraud

Log Management for the University of California: Issues and Recommendations

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

SMTP Information gathering

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Ovation Security Center Data Sheet

Getting Physical with the Digital Investigation Process

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Digital Forensics. General Terms Cyber Crime, forensics models, Investigation, Analysis, digital devices.

Critical Controls for Cyber Security.

SonicWALL PCI 1.1 Implementation Guide

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Incident Response and Forensics

Ovation Security Center Data Sheet

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

Computer Forensics as an Integral Component of the Information Security Enterprise

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

Sage HRMS 2012 Sage Employee Self Service. Technical Installation Guide for Windows Server 2003 and Windows Server 2008

information security and its Describe what drives the need for information security.

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Cloud Computing Architecture and Forensic Investigation Challenges

Level 3 Public Use. Information Technology. Log/Event Management Guidelines

Incident Response. Six Best Practices for Managing Cyber Breaches.

INTRUSION DETECTION SYSTEMS and Network Security

74% 96 Action Items. Compliance

Firewalls Overview and Best Practices. White Paper

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון טל' פקס בשיתוף עם מכללת הנגב ע"ש ספיר

Information Technology Cyber Security Policy

FALSE ALARM? Incident Management Case Study. Carlos Villalba

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

ELECTRONIC INFORMATION SECURITY A.R.

Network Security Policy

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Introduction of Intrusion Detection Systems

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Global Partner Management Notice

NETWORK SECURITY (W/LAB) Course Syllabus

Guideline on Auditing and Log Management

Open Source Security Tool Overview

Information Technology Security Procedures

FIREWALLS & CBAC. philip.heimer@hh.se

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

Management CSCU9B2 CSCU9B2 1

Teleran PCI Customer Case Study

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Design and Implementation of a Live-analysis Digital Forensic System

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Chapter 9 Monitoring System Performance

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Common Cyber Threats. Common cyber threats include:

NCIS Overview. Prevent Terrorism Protect Secrets Reduce Crime

Network Service, Systems and Data Communications Monitoring Policy

User Guide for the VersaMail Application

Case Study: Hiring a licensed Security Provider

Application Note 02 Advanced SMTP setup

Network- vs. Host-based Intrusion Detection

Quest InTrust. Version 8.0. What's New. Active Directory Exchange Windows

EC-Council Ethical Hacking and Countermeasures

Computer Hacking Forensic Investigator v8

The Role of Digital Forensics within a Corporate Organization

THE NATIONAL JUDICIAL COLLEGE

INSTANT MESSAGING SECURITY

INFORMATION SECURITY TRAINING CATALOG (2015)

BlackRidge Technology Transport Access Control: Overview

My FreeScan Vulnerabilities Report

SANS Institute First Five Quick Wins

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

Small Business Server Part 2

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

LOCKING DOWN LOG FILES: ENHANCING NETWORK SECURITY BY PROTECTING LOG FILES

The Comprehensive Guide to PCI Security Standards Compliance

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

SOFTNIX LOGGER Centralized Logs Management

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

CorreLog Alignment to PCI Security Standards Compliance

How To Manage Security On A Networked Computer System

Transcription:

An overview of IT Security Forensics Manu Malek, Ph.D. Stevens Institute of Technology mmalek@ieee.org www.cs.stevens.edu/~mmalek April 2008 IEEE Calif. 1

Outline Growing Threats/Attacks Need for Security Forensics Basic Methodology Forensic Tools A Sample Tool IEEE Calif. 2

Growing Threats/Attacks Cyber attacks are on the rise An increase of over 30 times during the past 5 years An increase of 10 times during the past 3 years Cyberterrorism: The potential exists for attackers to break into computer networks controlling sensitive processes. Reported Incidents and Vulnerabilities in in United the States US Incidents/Vulnerabilities 90000 80000 70000 60000 50000 40000 30000 20000 10000 0 1985 1990 1995 2000 2005 Year Incidents Vuln ties Adopted from www.cert.org IEEE Calif. 3

Trends Affecting Safe Internet Usage Faster discovery of vulnerabilities Automation and rising speed of attack tools Scanning for vulnerable systems Coordinated attack tools Increasing sophistication of attack tools Dynamic behavior Anti-forensics Increasing permeability of firewalls IEEE Calif. 4

What is Security Forensics? Forensic: Belonging to, or used in, public debate or court of law Security Forensics: Application of science and engineering to dealing with evidence stored on computers and network devices Attacker s computer Security Forensics Victim s computer It is the process of Identifying, Identification Collecting and preserving, Analyzing, and Collection/Preservation Reporting and presenting digital evidence in a manner that is legally acceptable. Analysis Reporting/Presentation IEEE Calif. 5

Need for Security Forensics Forensic methods are used to Determine root cause of events Support litigation Examples: Today s corporate environment requires preparation for possibilities of future litigation, e.g., for Wrongful termination claims Intellectual property claims Antitrust cases Law enforcement agencies use computer forensics in civil and criminal suits IEEE Calif. 6

Locard s Principle and Continuity of Offense Locard s Exchange Principle: When any two objects come into contact, there is transference of material from one object to another. Continuity of offense: Attribute the crime to its perpetrator by providing compelling links between the suspect offender, victim, and crime scene. Crime scene Evidence Victim Suspect IEEE Calif. 7

IT Requirements for Forensics The following capabilities are needed to support Computer Forensics: Being able to collect relevant information from systems Being able to positively identify users who log on to systems Being able to handle challenges to data ownership or audit trails found on a system Examples of activities to meet these requirements: Logging user actions Logging system and network events Maintaining time servers and standard time settings Giving each new employee a computer with a forensically clean disk and a standard set of applications Duplicating all the data on an employee s computer before he/she is informed of job termination IEEE Calif. 8

Forensic Data Collection in Client Computers Most operating systems provide significant logging capabilities. Windows systems (2000/NT/XP) store log files in the directory %systemroot%\system32\config\ In UNIX, information about running processes is usually stored in var/log/syslog Device logs; for example, one can find out if A USB device has been used A CD burner has been used A file has been printed Protecting logs Attackers could delete or modify logs Logs should be protected Demo: Windows event log and viewing IEEE Calif. 9

Hidden Evidence Evidentiary data is not often readily observable. Evidence could be in Deleted files Encrypted files Files hidden in other files Files in parts of the hard drive that are not readily exposed: File slack ATA Protected Area A Disk Platter tracks sectors A sector The last cluster of a file File slack Demo: File Scavenger IEEE Calif. 10

Network-based Evidence Network monitoring can be performed to collect evidence: Event monitoring: collecting network events, such as IDS alerts, network health monitoring alerts Trap-and-trace monitoring: transaction data such as protocol flags Full-content monitoring: collecting raw packets Network-based evidence can be found at endpoints and intermediate systems, such as Authentication servers Router logs Firewall logs Event logs from IDSs Caller ID systems Demo: Ethereal IEEE Calif. 11

Forensic Tools Many forensic tools and applications exist, e.g., for Hard disk duplication Text and file searching Internet history analysis Analysis of email files Analysis of data stores Network forensics Some popular tools: EnCase for drive forensics E-Trust for industrial espionage cases Forensic Toolkit (FTK) ProDiscover Hardware and software-based key loggers can collect key strokes for specified periods of time. IEEE Calif. 12

Example - Email Forensics Email is one of the important security forensic areas. Tracking email may become necessary to try to identify, e.g., The sender of a threatening message The sender of malicious software Unauthorized disclosure of corporate information Spammers Simplified email architecture o/g mail server i/c mail server PC SMTP (Port 25) Mbox1 Mbox2 MTA1 MTA2 Mbox1 Mbox2 POP (Port 110) IMAP (Port 143) PC MTA: Mail Transfer Agent IEEE Calif. 13

SMTP Extended Header To investigate a case involving email, the SMTP Extended Header must be analyzed. SMTP Extended Header includes information like shown below: Return-path: <mmalek@ieee.org> Received: from box.stevens.edu (box.stevens.edu [155.246.154.13]) by nexus.stevens.edu (iplanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2007)) with ESMTP id <0ILM00LKAW6TJT@nexus.stevens.edu> for mmalek@stevens.edu; Mon, 22 Aug 2007 13:20:53-0400 (EDT) Received: from mta1.srv.hcvlny.cv.net (mta1.srv.hcvlny.cv.net [167.206.4.196]) by box.stevens.edu (8.12.11/8.12.11) with ESMTP id j7mhkqda009401 for <mmalek@stevens.edu>; Mon, 22 Aug 2007 13:20:52-0400 (envelope-from mmalek@ieee.org) Received: from mypc (ool-44c4a45b.dyn.optonline.net [68.196.164.91]) by mta1.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-2.06 (built May 11 2007)) with SMTP id <0ILM00JVNW6RUH6O@mta1.srv.hcvlny.cv.net> for mmalek@stevens.edu; Mon, 22 Aug 2007 13:20:52-0400 (EDT) Date: Mon, 22 Aug 2007 13:22:44-0400 From: Manu Malek <mmalek@ieee.org> Subject: Test email To: Manu Malek <mmalek@stevens.edu> Message-id: <055701c5a73e$1ba84270$5ba4c444@yourd137mzmhow> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Mailer: Microsoft Outlook Express Content-type: text/plain; reply-type=original; charset=iso-8859-1; IEEE Calif. 14

Finding the Perpetrator When the sender s IP address is found, the user with that assigned IP address must be determined. For an email initiated within an enterprise, check the authentication and DHCP server logs. In the case of an external user, review the ISP AAA server logs. If the user used a dial-up connection to the ISP, the RADIUS session log includes the IP address assigned to a specific login during a session. The ISP can then use caller ID to find the telephone number used to originate the session, and determine which login name was using that IP address. Once the user has been identified, the user s workstation needs to be seized and analyzed. IEEE Calif. 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information