Cyber Crime, Computer Forensics, and Incident Response Lesson 28



Computer Crime

• The corporate world is beginning to understand that computers are just another medium for crime.

• According to the 1999 CSI/FBI survey:

• average bank robbery yields $2,500

• average computer crime nets $500,000

• Security breaches are the cause of an estimated $1.6 trillion in damage worldwide.

Predictions for the future

• There will be an increasing use of the Internet to commit everyday crimes.

• New forms of cybercrime will continue to occur.

• Identity theft and fraud will increase.

• Cyberextortion will become a mainstay.

• Manipulation of corporate data to meet various ends will become more sophisticated.

• Acts of Hacktivism will rise.

– Dave Morrow, April 2001 SC Magazine, “Computer Forensics”

Computer Forensics

Recommendation: Handle the corporate investigation as if Law enforcement will be called in and the attackers will be prosecuted.

• Computer Forensics Principles:

• P1: Preserve the evidence in an unchanged state.

• P2: Thoroughly and completely document the investigative process.

Computer Forensics Definitions

Evidence Media: The original media to be investigated whether subject or victim.

Target Media: A forensic duplicate of the evidence media. The forensic image is transferred to the target media.

Restored Image: A copy of the forensic image restored to its bootable form.

Native Operating System: The OS utilized when the evidence media or forensic duplicate is booted for analysis.

Live Analysis: An analysis conducted on the original evidence media.

Offline Analysis: Analysis conducted on the Forensic Image.

Trace Evidence: Fragments of information from the free space, etc.

Best Evidence Rule

• "...if data are stored on a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'Original.'"

• Common Mistakes include:

• Altering time and date stamps.

• Killing rogue processes.

• Patching the system before the investigation.

• Not recording commands executed on the system.

• Using untrusted commands and binaries.

• Writing over potential evidence by:

• Installing software on the evidence media.

• Running programs that store their output on the evidence media.

Evidence Chain of Custody

• The prosecution is responsible for proving that whatever is presented in court is what was originally collected. An Evidence Chain of Custody must be maintained.

• Create an Evidence Tag at the time of evidence collection.

• A designated Evidence Custodian with a Laptop to generate the Evidence Tags.

• Date and Time

• Case Number

• Evidence Tag number

• Evidence Description

• Individual receiving the evidence and Date

• Each time the evidence moves from one person to another or from one media to another it must be recorded.

Forensic Image

• Initial Response: Power the system down or work it live?

• Volatile Data. If the system is powered down then volatile data will be lost.

• Memory

• State of Network connections

• State of running Processes.

• Useful Windows NT/2000 commands/utilities:

• date, time, loggedon, netstat, fport, pslist, nbtstat, and doskey.

• http://www.sysinternals.com

• Useful Unix commands:

• w, netstat -amp, lsof, ps, netstat, script.

• Recommendation: If you need to work a live system then create a command script and stick to it.

BIOS Review

• Review the Target Basic Input/Output System (BIOS) before beginning a duplication to determine:

• Basic geometry of the hard drive on the target System.

• Document the hard drive setting to include maximum capacity, cylinders, heads, and sectors.

• For proper recovery by the original OS the partitions should be aligned on the cylinder boundaries.

• Determine the Boot Sequence on the target System:

• Floppy drives

• CD-ROM

• Hard Drive

• PCMCIA Card

Forensic Duplication

• Three Forensic Duplication Approaches.

• 1. Remove the storage media and connect it to a Forensics Workstation.

• Document the system details to include serial number, jumper settings, visible damage, etc.

• Remove media from the target system and connect it to the Forensics workstation.

• Image the media using Safeback, the Unix dd utility or EnCase.

Forensics Workstations http://www.computer-forensics.com

Safeback http://www.forensics-intl.com/safeback.html

EnCase http://guidancesoftware.com

DiskPro http://www.e-mart.com/www/cnr.html

Forensic Duplication Cont.

• Three Forensic Duplication Approaches Cont.

• 2. Attach a hard drive to the Target Computer.

• Make sure the target computer works as expected.

• 3. Image the storage media by transmitting the disk image over a closed network to the forensics Workstation.

• Establish a point-to-point interface from the evidence system to the forensics workstation using an Ethernet switch or an Ethernet cross-connect cable.

• Perform MD5 computation on both the original and target system.
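As an added example (not part of the lecture), the dd route from approach 1 with the MD5 check from approach 3 written as a POSIX shell routine: copy the media bit for bit, hash both source and image, and only then write the evidence-tag record for the chain of custody. The case number, tag number, custodian name and the 8 KiB "evidence" file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the lecture: dd imaging with hash verification and an
# evidence-tag record. The "evidence media" here is a constructed 8 KiB file; on
# a real case EVIDENCE would be the device node behind a write blocker, and the
# image and custody log would live on the forensics workstation, never on the
# evidence media.

# hash_of FILE: print the MD5 digest (the lecture's hash; sha256sum takes the
# same arguments and is the usual companion today).
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SOURCE IMAGE: 0 when both exist and hash identically, else 1.
verify_image() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# image_and_tag SOURCE IMAGE CASE TAG DESCRIPTION RECEIVER LOG
# Copies SOURCE to IMAGE, verifies it, then appends one evidence-tag record
# (the fields from the chain-of-custody slides) to LOG. Returns 1, and writes
# no tag, if the copy fails or the hashes differ.
image_and_tag() {
    src=$1 img=$2 case_no=$3 tag_no=$4 desc=$5 recv=$6 log=$7
    # conv=noerror keeps reading past unreadable blocks; conv=sync zero-fills
    # them so every later offset in the image still lines up with the original.
    # Caveat: sync also pads a final partial block, so source size must be a
    # multiple of bs for the hashes to agree (true for whole disks/partitions).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    if ! verify_image "$src" "$img"; then
        echo "hash mismatch: $src vs $img" >&2
        return 1
    fi
    printf '%s\tcase=%s\ttag=%s\tdesc=%s\tmd5=%s\treceived_by=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$case_no" "$tag_no" "$desc" \
        "$(hash_of "$img")" "$recv" >>"$log"
}

# Constructed sample run. The work directory is left in place for inspection.
WORK=$(mktemp -d)
EVIDENCE=$WORK/evidence.bin      # stand-in for the suspect drive
IMAGE=$WORK/evidence.dd
CUSTODY_LOG=$WORK/custody.log
dd if=/dev/urandom of="$EVIDENCE" bs=1024 count=8 2>/dev/null   # 8 KiB = 16 sectors

image_and_tag "$EVIDENCE" "$IMAGE" "CASE-0001" "TAG-001" \
    "constructed sample drive" "J. Doe (evidence custodian)" "$CUSTODY_LOG" \
    && cat "$CUSTODY_LOG"
```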

Forensic Analysis

• Physical Analysis. Performed on the forensic image.

• Perform a String Search.

• String Search http://www.maresware.com/maresware/forensic1.htm

• Perform a Search and Extract. Looks for file types.

• File Formats http://www.wotsit.org/

• Extract file slack and/or free space.

• Free Space: Hard drive space not allocated to a file, and deleted file fragments.

• Slack Space: Space left when a minimum block size is not filled by a write operation.

• NTI Tool Suite http://www.forensics-intl.com/

Forensic Analysis Cont.

• Logical Analysis. A partition by partition analysis of each file.

• A typical process includes:

• Mount each partition in Read-Only mode under Linux.

• Export the partition via SAMBA to the Forensics System.

• Examine each file with the appropriate file viewer.

• Typical Lists created:

• Web Sites

• E-mail addresses

• Specific key words, etc.

Common Forensics Mistakes

Failure to Maintain thorough complete documentation.

Failure to control access to digital information.

Underestimating the scope of the incident.

Failure to report the incident in a timely manner.

Failure to provide accurate information.

No incident response plan.

Network Forensics

Definitions

• Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other names include Protocol Analyzer and Network Monitor.

• Silent Sniffers will not respond to any received packets.

• Illegal Sniffers violate 18 USC 2511 dealing with wiretaps.

• Promiscuous Mode. A sniffer operates in a mode that intercepts all packets flowing across the network.

• A normal NIC only intercepts packets addressed to its IP address and broadcast addresses.

• Transactional (Noncontent) information consists only of header information. For example, IP, TCP or UDP headers.

• Same as a LE Trap and Trace or Pen Register.

• Content Information consists of not only the headers but also part or all of the encapsulated data.

Network Forensics Data

• Network data can come from:

• Routers, Firewalls, Servers, IDS, DHCP Servers, etc.

• These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody.

• Chain of Custody

• Strictly controlled network monitoring can maintain a proper chain of custody.

• Electronic evidence requires tighter control than most other types of evidence because it can be easily altered.

• A broken chain can affect admissibility.

Chain of Custody

• Network data Chain of Custody should include:

• Date and time recorded.

• Make, model, serial number and description of recording device.

• Names of individuals recording, or the names of individuals recovering the logs.

• Description of the logs.

• Name, signature and date of individual receiving the data.

• Evidence Tag for this item.

• Hash value (MD5) of each log file.

Monitoring The Network

• What are the Network Monitoring goals?

• Monitor traffic to and from a Host?

• Monitor traffic to and from a Network?

• Monitor a specific person?

• Verify an Intrusion Attempt?

• Monitor attack signatures?

• Monitor a specific protocol?

• Monitor a specific port?

• Check with corporate legal counsel prior to starting the monitor.

Note: Make sure the corporate policy supports the type of monitoring to be performed!

Monitoring The Network Cont.

• Possible Network Monitors:

• tcpdump, Ethereal and Snort.

• Snoop, iptrace, Sniffer Pro, Etherpeek, LANalyzer.

• NetMon, Network Tracing and Logging and Cisco IDS.

• Network Monitor Location:

• Host Monitoring - On the same hub or switch. The switch should have Switch Port Analysis (SPAN).

• Network Monitoring - At the network perimeter.

• A physically secure location.

Some Notes

• Run a Sniffer detection tool prior to connecting yours.

• Someone may already be listening to the network.

• Capture the network traffic as close to the source host as possible.

• Hackers use bounce sites to attack hosts.

• Have the capability of viewing the captured data as a continuous stream.

• This provides an overview of what the hacker is attempting to do.

• Reconstruct documents, etc.

• Have the capability of viewing the packets at the lowest level.

• High-level analyzers will sometimes strip off data that is not important for fault analysis but could be important for investigative purposes:

• Options and fields to identify the OS.

• Typing speed of user.

• Printer variables, X display variables, etc.

Common Forensics Mistakes

• Failure to Monitor:

• ICMP Traffic

• SMTP, POP and IMAP Traffic

• UseNet Traffic

• Files saved to external media

• Web Traffic

• Senior Executives' Traffic

• Internal IP Traffic

• Failure to Detect:

• ICMP Covert Channels

• UDP Covert Channels

• HTTP Covert Channels

Common Forensics Mistakes Cont.

• Failure to Play Back:

• Encrypted traffic

• Graphics

• Modeling and Simulation traffic

• Failure to Trace:

• Denial-of-Service

• Distributed Denial of Service

• Spoofed Email

• Failure to Detect:

• Steganography

• Erasing Logs

• File Encryption

• Binary Trojans

Monitoring Tools

Dsniff http://www.monkey.org/~dugsong/dsniff

tcpdump http://www.tcpdump.org/

WinDump http://netgroup-serv.polito.it/windump/

ethereal http://www.ethereal.com/

Snort http://www.snort.org/

Some Basics To Remember

• Freeze and image the hard drive before anything else is done, remembering that freezing a system is best done when its workings are not critical to business needs.

• Get the intruders out of the network or close the holes so they cannot breach the system through the same vulnerability in the future. This can be achieved by collecting and correlating information from system, web, and other log files.

• Determine how bad the breach really is and decide what information should be divulged to the public. This is where legal counsel from an experienced and knowledgeable person can help.

– Chris Wysopal, director of research and development for @Stake

Volatile Data

• “When an incident is reported, certain steps need to be taken on a live system before you perform forensic duplication of that system.”

• “The initial response is an effort to obtain as much volatile data as possible before you power down the evidence system for forensic duplication.”

• Volatile (and possibly useful) data can be found in:

• Registers, cache contents

• Memory contents

• State of network connections

• State of running processes

Important Note!

• “A computer changes states through user interaction, process execution, data transfers, and power cycles; therefore, data in memory and storage is going to change. It is vitally important to understand the changes that will occur when you perform a command or operation. As you respond at the console, make sure that you document every step in detail.”

• “Before you review a ‘live’ system, create a step-by-step plan and stick to it like a script.”

Live Response Sample Steps
From Incident Response by Mandia & Prosise

Step                                   Windows NT/2000   UNIX
Establish a new shell                  cmd.exe           bash
Record the system date and time        date, time        w
Determine who is logged on             loggedon          w
Record open sockets                    netstat           netstat -anp
List processes that open sockets       fport             lsof
List currently running processes       pslist            ps
List systems that recently connected   nbtstat           netstat
Record steps taken                     doskey            script, vi, history
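The live-response recommendation above (create a command script and stick to it) carried out for the UNIX column of the table, as an added example that is neither the lecture's nor Mandia & Prosise's code. It assumes TRUSTED_BIN is a directory of known-good binaries (a mounted response CD on a real case; /usr/bin:/bin here so it runs on an ordinary host) and that the output directory sits on the responder's own media, not on the evidence disk.

```shell
#!/bin/sh
# Added example, not from the lecture: a scripted UNIX live response that runs
# the table's steps in a fixed order from trusted binaries and records each
# command with its timestamp, exit status and the MD5 of its output, so the
# response is documented (Principle P2) and repeatable.
# Assumptions: TRUSTED_BIN holds known-good tools; the output directory is on
# the responder's media. Both are constructed defaults for this example.

TRUSTED_BIN=${TRUSTED_BIN:-/usr/bin:/bin}

# run_step NUMBER "COMMAND ARGS" OUT_DIR: run one step, save its output to
# OUT_DIR/NN-tool.txt and append one record to OUT_DIR/commands.log. A tool
# missing on this host is logged as unavailable rather than silently skipped.
run_step() {
    step_no=$1 cmdline=$2 outdir=$3
    tool=${cmdline%% *}
    outfile=$outdir/$(printf '%02d-%s.txt' "$step_no" "$tool")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$tool" >/dev/null 2>&1; then
        # Word-splitting $cmdline is intended: the step list is fixed text.
        if $cmdline >"$outfile" 2>&1; then status=0; else status=$?; fi
    else
        echo "NOT AVAILABLE: $tool" >"$outfile"
        status=127
    fi
    printf '%s\t%s\texit=%s\tmd5=%s\n' "$stamp" "$cmdline" "$status" \
        "$(md5sum "$outfile" | cut -d' ' -f1)" >>"$outdir/commands.log"
}

# run_live_response OUT_DIR: create OUT_DIR, write a header, then run the UNIX
# column of the table in order. commands.log is the record that the table's
# "script, vi, history" step asks for.
run_live_response() {
    outdir=$1
    mkdir -p "$outdir"
    PATH=$TRUSTED_BIN; export PATH      # only trusted binaries from here on
    {
        echo "live response started $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(uname -n)"
        echo "responder: ${RESPONDER:-unknown}  PATH=$PATH"
    } >"$outdir/commands.log"
    n=0
    # 'lsof -i' narrows the table's lsof to network files (processes with sockets).
    for step in 'date' 'w' 'netstat -anp' 'lsof -i' 'ps'; do
        n=$((n + 1))
        run_step "$n" "$step" "$outdir"
    done
}

# steps_recorded OUT_DIR: number of step records in commands.log.
steps_recorded() {
    grep -c 'exit=' "$1/commands.log"
}

# Constructed sample run into a temporary directory (left in place for review).
OUT=$(mktemp -d)/live-response
run_live_response "$OUT"
echo "$(steps_recorded "$OUT") steps recorded in $OUT/commands.log"
cat "$OUT/commands.log"
```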

Extracting File Slack and Free Space

• “File system residue exists, to some extent, in all file systems. The types of residue fall into two categories”:

• Free space – unallocated space

• May be space never before allocated to a file, or

• Space that was created when a file was deleted

• Slack space – “occurs when data is written to a storage medium in chunks that fail to fill the minimum block size defined by the operating system.”

• If you want this info, you need a tool that is aware of the particular file system structure.

Common Incidents

• Denial-of-Service attack, e.g. TFN

• Unauthorized use, e.g. use of systems to surf porn sites

• Vandalism, e.g. defaced web site

• Theft of information, e.g. stolen credit card info from customer DB

• Computer intrusion, e.g. remote administrative access

A thought -- “Remember, the first to discover a problem is likely to be your company’s lowest paid system administrator on the night shift. If this person cannot get guidance -- preferably prior guidance, he or she might decide to call the police or worse, the media. The plan should include who to call, who not to call, what to do with the machines, priorities -- (for example,) is keeping the data center up a higher priority than preserving evidence? You decide as much as possible what the trade-offs are, based on your understanding of your vulnerabilities or consultation with experts in the field.”

-- Computer Forensics, April 2001 SC Magazine

Incident Definitions

• An Incident is any event that disrupts normal operating procedure and precipitates some level of crisis.

• A Computer Intrusion.

• Denial of Service Attack.

• Theft of information.

• Computer Misuse.

• A power failure.

• Investigator(s) gather facts, analyze and resolve the incident.

Goals of Incident Response

• Confirms or dispels whether an incident occurred

• Promotes the accumulation of accurate information

• Establishes controls for proper retrieval and handling of evidence

• Protects privacy rights established by law and policy

• Minimizes disruption to business and network operations

• Allows for legal or civil recriminations against perpetrators

• Provides accurate reports and useful recommendations

Incident Response

• In developing an incident response roadmap, companies should plan:

• How to secure or preserve evidence, whether making an image copy or locking up the original until computer forensic specialists arrive.

• How or where to search for evidence, be it on the local drive, back-up system, home computers or laptops.

• A list of topics to consider when preparing a thorough report.

• A list of outside agencies and resources to consult or report to given a particular situation.

• A recommended list of software to be used internally for investigations.

• A recommended list of experts with whom to consult.

• “Computer Forensics”, April 2001 SC Magazine

• Consider creating a Computer Incident Response Team (CIRT)

Computer Incident Response Team

• Mission: Provide a rapid response capability to address (suspected) intrusions/security incidents.

• Composition:

• Core – Manager, IT staff, legal counsel, support personnel.

• Support – specific area experts.

• Forensic Best Practices

• Tools

• Organizations: FIRST, CERT, CIAC, SANS, ISSA, NIPC…

Incident Response Team Mission

• Respond to all security incidents with a formal investigative process based upon the Incident Response Plan and Corporate policies.

• Conduct a bias-free investigation.

• Determine if a true incident did occur.

• Assess the damage and scope of the incident.

• Control and contain the incident.

• Document the incident and maintain a chain of custody.

• Protect Privacy Rights by law and corporate policy.

• Liaison to Law Enforcement and Legal Authorities.

• Provide Expert Testimony.

• Provide recommendations to senior level management.

Incident Response Team

• Team Composition depends upon:

• Number and type of hosts involved.

• Number and type of networks involved.

• Number and type of Operating Systems involved.

• Attack sophistication.

• Incident Publicity.

• Internal Politics.

• Corporate Liability.

Computer Incident Response Team (CIRT)

Team Manager
- Single Point of Contact
- Leader/decision maker
- Clear authority to act/decide
- Assess potential impact/loss
- Upper management support
- Spokesman
- Documents team actions

Computer Specialist
- System Administrator
- Systems Operator/Programmer
- Technically tracks intruder
- Monitors on-going system activity
- Reconstructs crime
- Documents technical aspects of crime

Network Specialist Advisor
- Advises computer specialist
- Network protocol specialist
- As required

Computer Crime Investigator
- CI Investigator with jurisdiction
- Collects/documents evidence
- Advises on investigative aspects
- This may be a team of investigators

Company Attorney
- Legal advice
- Case preparation
- Adjunct to Team

Public Affairs
- Advise senior management on PR
- Press Spokesperson
- Adjunct to Team

Security Auditor
- Assists Computer specialist
- Audit trails/logs
- Assess economic impact
- Adjunct to Team

9 Steps to Incident Response

• Emergency Action Card

• Preparation

• Identification

• Investigation and Containment

• Eradication

• Recovery

• Follow-up

• Incident Record Keeping

• Incident Specific Procedures

Steps to take when an incident happens

• Remain Calm !!!

• Document everything

• Notify appropriate personnel and get help

• Enforce “need to know” policy

• If compromise has occurred, use “out of band” communication channels

• First priority should be to contain problem

• Make backup copies of systems for possible prosecution purposes

• Identify problem/vulnerability, patch

• Get back to business

• Prosecute/follow-up

Incident Preparation

• Has a lot to do with just securing your system.

• Risk Management.

• Host preparation.

• Network Preparation.

• Network Policies and Procedures.

• A Response toolkit.

• The Incident Response Team.

Detection of Incident Process

(Flow diagram) Inputs: Firewall Logs, IDS Logs, Suspicious user, System Admin → DETECT → Begin IR Checklist → Activate CIRT

• Intruder discovery

• Strange activities:

• System crashes

• Unusual hard disk activity.

• Unexplained Reboots.

• Account discrepancies

• Sluggish response

• Strange login hours.

• Failed logins with bad passwords.

• Unusual activity with the su command.

• A message from a remote System Administrator

Incident Detection

• System monitoring:

• Another superuser logs in.

• A user on vacation who is logged in.

• Deleted or corrupted log files.

• A user who is not a programmer but is running compilers.

• Network connections from unknown machines.

• Unauthorized changes to system programs.

• New account entries in /etc/passwd file.

• Analysis tools such as Tripwire.

• The System Administrator should investigate any strange activity.

• Various UNIX commands can be employed to explore who is doing what on the system.
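Three of the indicators listed on these two slides (failed logins with bad passwords, strange login hours, unusual activity with su) turned into awk detection logic, as an added example that is not from the lecture. It runs over a constructed syslog-style auth log; the host name, user names and addresses (documentation ranges 203.0.113.0/24 and 192.0.2.0/24) are made up.

```shell
#!/bin/sh
# Added example, not from the lecture: detection logic for failed-password
# bursts, off-hours logins and su-to-root activity over a constructed auth log.
# Line format is the OpenSSH/syslog one; the entries themselves are invented.

AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
Mar 14 02:11:03 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 50111 ssh2
Mar 14 02:11:05 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 50111 ssh2
Mar 14 02:11:08 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar 14 02:11:11 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 50113 ssh2
Mar 14 03:02:40 host1 sshd[2290]: Accepted password for bob from 203.0.113.7 port 50120 ssh2
Mar 14 03:03:02 host1 su: (to root) bob on pts/1
Mar 14 09:15:22 host1 sshd[2410]: Accepted publickey for alice from 192.0.2.5 port 40100 ssh2
Mar 14 09:20:00 host1 su: (to root) alice on pts/2
Mar 14 10:00:00 host1 sshd[2500]: Failed password for alice from 192.0.2.5 port 40111 ssh2
EOF

# failed_password_bursts LOG THRESHOLD: print "count ip" for every source
# address with at least THRESHOLD failed passwords (password guessing).
# The address is taken as the word after "from", so "invalid user" lines,
# which shift the field positions, are counted correctly too.
failed_password_bursts() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1"
}

# off_hours_logins LOG START END: accepted logins whose hour is outside
# [START, END) on a 24-hour clock; 7 19 means a 07:00-19:00 working day.
# Prints "Mon DD HH:MM:SS user".
off_hours_logins() {
    awk -v start="$2" -v end="$3" '
        /sshd\[[0-9]+\]: Accepted / {
            hour = substr($3, 1, 2) + 0
            if (hour < start || hour >= end) print $1, $2, $3, $9
        }' "$1"
}

# su_to_root LOG: every su to root with who did it and when, to be compared
# with the short list of people expected to hold root on this host.
su_to_root() {
    awk '/ su: \(to root\) / { print $1, $2, $3, $8 }' "$1"
}

echo "== failed-password bursts (>= 3) =="; failed_password_bursts "$AUTH_LOG" 3
echo "== logins outside 07:00-19:00 =="; off_hours_logins "$AUTH_LOG" 7 19
echo "== su to root =="; su_to_root "$AUTH_LOG"
```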

Incident Detection Cont.

• Stopping the Intruder.

• Power Down?

• Interrupts users.

• Deletes evidence.

• Damages the file systems.

• Ask him to leave?

• He may damage the system to prevent being caught.

• Kill his/her processes?

• Use the ps command to list all his/her processes.

• Change all compromised account passwords.

• Use the kill command to terminate the processes.

• Check for backdoors/sniffers/undesired programs.

• Break the connection?

• Interrupts other users.

Incident Detection Cont.

• Incident Response Team Leader is notified.

• Notifies the organization Computer Incident Response Team.

• Briefs senior level management.

• Coordinates the response activities.

• Notifies all Points of Contact:

• Local System Administrators/Network Managers.

• Remote System Administrators/Network Managers.

• Internet Service Provider managers/technicians.

• Law Enforcement Computer Crime specialists.

• Public Affairs specialist.

• Legal Affairs officer.

Incident Reporting

• Incident notification Guidelines:

• Use explicit language that is clear, concise and fully qualified.

• No smoke screens.

• No generalities.

• Use factual language.

• No false information.

• No incomplete information.

• Use matter-of-fact language.

• No emotion.

• No inflammatory language.

Incident Reporting Cont.

• Freeze the Incident Scene.

• Verbally contain the scene with instructions such as:

• “Take your hands off the keyboard and step away from the computer.”

• “Physically disconnect the computer from the network.”

• “What is your name, office and telephone number?”

• “What is the hardware and operating system?”

• “I’m going to fax you a set of instructions. What is your Fax number?”

Initial Response

Incident Response Checklist, Version 1.0

Date:
Time:
Name:
Telephone Number:
Nature of Incident:
Time of Incident:
How was the incident detected:
Current Impact of Incident:
Future Impact of Incident:

Description of the incident:
Hardware/OS/Software involved:
IP and network addresses of compromised systems:
Network Type:
Modem:
Criticality of Information:
Physical location:
System Administrator Name and Number:
Current status of machine:

Description of Hacker Actions
Ongoing activity:
Source Address:
Malicious program involved:
Denial of Service:
Vandalism:
Indication of insider or outsider:

Incident Response Checklist Cont., Version 1.0

Client Actions
Network disconnected:
Remote access available:
Local access available:
Audit logs available and examined:
Any changes to firewall:
Any changes to ACL:
Who has been notified:
Other actions taken:

Available Tools
Third party host auditing:
Network monitoring:
Network auditing:

Additional Contacts
Users:
System Administrators:
Network Administrators:

Special Information
Who should not know about this incident:

Response Team Member Signature/Date: __________________________________

Incident Response Team Fax Version 1.0

Date:_____________ Time:____________ Name:_______________________

Thank you for notifying the incident response team and agreeing to help. Please do not touch the affected computer(s) unless told to do so by a member of the Incident Response team. Please remain within sight of the computer until a member of the Incident Response Team arrives and assure that no one touches the computer.

Please help us by detailing as much information about the incident as possible. Please complete the following items. If additional space is required use a separate sheet of paper.

Witnesses: 1. 2. 3.

What indicators led you to notice and/or report the incident? Be as specific as possible.

Incident Indicators:

The next section is important so be as accurate as possible. From the time you noticed the incident to the time you took your hands from the computer, list every command you typed and any file you accessed.

Commands typed and Files accessed:

Response Team Member Signature: ______________________________________

• Physically contain the scene. Two personnel, if possible, should immediately respond to the scene.

• Incident Scene Survey (1st Member)

• Use a portable tape recorder to:

• 1. Record the scene.

• 2. Record everyone present.

• Order everyone to leave the scene who is not directly involved in the incident.

• 3. Interview the individual who reported the incident.

• 4. Record, intermittently, the actions of the second individual.

• 5. Assist the 2nd Member.

Initial Response Cont.

• Contain the System (2nd Member).

• Ask the System Administrator to assist.

• Back up the system.

• Do this with a forensic-type tool that does bit-by-bit backup such as SafeBack at http://www.forensics-intl.com.

• Alternatively, remove the drive and seal it in a plastic bag with your notes and the notes of the individual who reported the incident.

• Attempt to identify the changed files through:

• Tripwire http://www.tripwire.org/ or alternatively

• Expert Witness at http://www.asrdata.com.

• Instructor Note: The details are under the Computer Forensics Lecture.

Initial Response Cont

Response Toolkit

• High-end processor

• Large capacity drives

• Fast CD-RW drive

• Tape drive

• Extra power cables, SCSI cables, parallel-to-SCSI adapters, Cat 5 cables and hubs, CD’s, labels for CD’s, Toolkit

• Software

• 2 or 3 native operating systems on the machine: Windows 98, NT, 2K, Linux

• Safeback, EnCase, Diskpro, and other forensics tools used to recreate exact images of computer media

• All of the drivers for all of the HW on your system

• Quickview Plus, HandyVue, or some other SW that allows you to view nearly all types of files

(Screenshots: SafeBack, EnCase ($2K), Quick View Plus)

• System Administrator recovers the system.

• Don't trust anything that is on-line.

• Don't believe anything your system tells you.

• Reformat disks.

• Restore operating system.

• Reload software.

• Assign new passwords.

• Scan /etc/passwd for newly created entries.

• Check for changes to files that may affect security (trapdoors, logic bombs, etc.).

System Restoration

• Check critical files for the appropriate file protection and permissions.

• Scan the system for newly created SUID and SGID files.

• Delete and recreate all .rhosts files.

• Check for changes to the /etc/hosts.equiv file.

• Check for changes in user startup files.

• Check for a modified .forward file.

• Check for hidden or unowned files and directories.

• Run audit tools such as COPS and Tripwire.
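Four of the restoration checks above (SUID/SGID files, .rhosts files, hidden and unowned files and directories) plus a Tripwire-style hash baseline, written as shell functions; an added example, not from the lecture. It runs against a constructed directory tree with a planted SUID copy of ps, a "..." directory and a .rhosts file; on a real host ROOT would be / (or the mounted forensic image) and the baseline would be kept on read-only media taken before the incident.

```shell
#!/bin/sh
# Added example, not from the lecture: post-incident checks over a directory
# tree, plus a baseline of file hashes to compare against later. The tree and
# its "suspicious" entries below are constructed for this example.

# find_suid_sgid ROOT: files with the set-uid or set-gid bit.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# find_rhosts ROOT: every .rhosts file (all to be deleted and recreated).
find_rhosts() {
    find "$1" -type f -name .rhosts | sort
}

# find_hidden ROOT: dot-named files and directories; names such as "..." or
# ". " are a common place to tuck away intruder tool kits.
find_hidden() {
    find "$1" -name '.*' ! -path "$1" | sort
}

# find_unowned ROOT: files whose owner or group is no longer in the password
# or group file, often left behind when an intruder's account is removed.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) | sort
}

# make_baseline ROOT FILE: record the MD5 of every regular file under ROOT.
make_baseline() {
    (cd "$1" && find . -type f -exec md5sum {} + | sort -k2) >"$2"
}

# check_baseline ROOT FILE: 0 if every baselined file still hashes the same.
check_baseline() {
    (cd "$1" && md5sum -c "$2" >/dev/null 2>&1)
}

# Constructed tree standing in for a host's filesystem.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/bin" "$ROOT/home/bob" "$ROOT/tmp/..."     # "..." hides a directory
printf 'binary\n'   >"$ROOT/usr/bin/passwd"; chmod 4755 "$ROOT/usr/bin/passwd"   # legitimate SUID
printf 'backdoor\n' >"$ROOT/tmp/.../ps";     chmod 4755 "$ROOT/tmp/.../ps"       # planted SUID
printf '+ +\n'      >"$ROOT/home/bob/.rhosts"
printf 'PATH=.\n'   >"$ROOT/home/bob/.profile"
BASELINE=$(mktemp)
make_baseline "$ROOT" "$BASELINE"

echo "== SUID/SGID ==";   find_suid_sgid "$ROOT"
echo "== .rhosts ==";     find_rhosts "$ROOT"
echo "== hidden ==";      find_hidden "$ROOT"
echo "== unowned ==";     find_unowned "$ROOT"
check_baseline "$ROOT" "$BASELINE" && echo "baseline: all files unchanged"
```

Compare the SUID list against the distribution's own list rather than eyeballing it; a second SUID binary in a temporary directory, as planted here, is the kind of entry that should never pass.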

System Restoration

• The recovery should be planned to have minimal impact on the users.

• Keep the users informed.• Engage in rumor control.

System Restoration

• Conduct an after action meeting.• Prepare an after action report to document the incident, the response to the incident and the recovery from the incident.

• Lessons Learned?

• Policy too general!

• Responsibilities not sufficiently defined!

• Inadequate monitoring tools!

• Systems not backed up!

• Hard disk needs smaller partitions!

• Set smaller limits on disk usage!

• System not scanned with tools such as SATAN and ISS!

Incident Evaluation

Computer Crime Investigation

• Notify Law Enforcement.

• Brief/coordinate with upper management.

• The Law Enforcement Computer Crime Team assumes control.

• Computer crime investigation is complex, time consuming, and resource intensive.

• Allow time/resources for:

• Investigation.

• Prosecution.

Network Surveillance

• Why perform network surveillance?

• To confirm or dispel suspicions concerning a possible security incident

• To accumulate additional evidence

• To verify the scope of a compromise

• To identify additional parties involved

• To determine a timeline of events occurring on the network

• To ensure compliance with mandated activity

“Honey Pots”

• If you’re trying to gather evidence for prosecution or to determine the origin of the attacker, consider using a “honey pot”:

• a file or directory designed to attract an intruder

• can be used to help warn of an intrusion

• no legitimate access to the file or directory, so if anybody does attempt to access them then it’s either an intruder or an insider attempting to exceed their authority

• Often contains large files or a large number of files to keep the intruder on for as long as possible.

Predictions

• The security industry in general, and the computer forensics and incident response arenas specifically, will have to begin dealing with new technologies, such as wireless. The wireless world will bring new challenges to computer forensic investigations.

• More legislation and standards related to computer forensics, comparable to other forms of criminal investigation, will come into force.

• Information security insurance will become more widely available.

– Dave Morrow, April 2001 SC Magazine, “Computer Forensics”

Summary

• Two major things to remember:

• Preserve the chain of evidence! Don’t do anything that will modify disks or log files. Document everything you do.

• If a criminal investigation is started, you may lose access to equipment or disks. Best thing to have in this case are -- BACKUPS!