Inet Investigation Short4


8/14/2019 Inet Investigation Short4

Slide 1/30

Copyright 1998-1999 Sanda International Corp.

Investigating Internet Security Incidents
A Brief Introduction to Cyber Forensic Analysis

Peter Stephenson
Stephen@imfgroup.com

Slide 2/30

Agenda

- Intrusion approaches
- Investigative tool kit
- Investigative approaches
- End-to-end tracing
- Evidence collection and preservation
- Forensic use of RMON2-based tools for documenting the path of an attack

Slide 3/30

What is Cyber Crime?

- Crimes directed against a computer
- Crimes where the computer contains evidence
- Crimes where the computer is used to commit the crime

Slide 4/30

The Nature of Computer Related Crime in Today's Organizations

[Chart: two bar charts from the slide; the bar values did not survive extraction.
 Left panel, "% reporting" (0-100) by likely source of attack: disgruntled employees, US hackers, competitors, foreign corporations, foreign governments.
 Right panel, "%" (0-45) by type of incident: unauthorized access, DoS, outside penetration, theft of information, fraud, sabotage.]

Source: 1998 CSI/FBI Study

Slide 5/30

There Are Only 4 Kinds of Attacks

- Denial of service
- Social engineering
- Technical
- Sniffing

Slide 6/30

Intrusion Approaches

- Target selection, research and background info
  - Internet searches
  - Whois, nslookup
- Preliminary probing - avoid logging - get passwords
  - POP probe
  - Sniffing
  - DNS zone transfer
  - SMTP probe
  - Other simple probes
- Search for back doors
- Technical attack or social engineering

Slide 7/30

Cleaning Up After an Attack

- Delete tools and work files
- Modify logs (Unix example)
  - Syslog
  - messages files (especially the mail log)
  - su log
  - lastlog (including wtmp and utmp)
  - daemon logs
  - transfer logs

Slide 8/30

INVESTIGATIVE AXIOM:

Treat every incident as if it will end up in a criminal prosecution.

Slide 9/30

Your Investigative Tool Kit

- Policies
- Criminal profiling
- Tracing tools
- Log analysis
- Crime scene (victim computer) analysis
- E-mail header analysis
- News group header analysis

Slide 10/30

The Role of Policies

- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she read them, understands them and will comply with them
- They can't violate law

Slide 11/30

Electronic Communications Privacy Act - Your Enabling Law

- Owner may intercept communications between an intruder and that owner's computer system
- Owner providing others with the ability to use that computer to communicate with other computer systems may:
  - make routine backups and perform other routine monitoring
  - intercept with prior consent of the user
  - intercept portions of communications necessary to determine origin and destination
  - intercept where necessary to protect owner's rights or property
  - disclose to law enforcement any communications inadvertently discovered which reveal criminal activity

Slide 12/30

Criminal Profiling

- Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
- Classical profiling goals - to provide:
  - a social and psychological assessment of the offender
  - a psychological evaluation of relevant possessions found with suspected offenders
  - strategies that should be used when interviewing offenders

Slide 13/30

Crime Scene Analysis

- Branch of profiling using standard investigative techniques to analyze crime scenes
- Investigators are usually most comfortable with this approach
- Very useful in computer incidents

Slide 14/30

Developing a Profile of an Intruder

- Crime scene analysis
  - how was access obtained? What skills were required?
  - how did the intruder behave on the system? Damage? Clean-up? Theft?
- Investigative psychology
  - motivation
  - personality type

Slide 15/30

Goals of an Investigation

- To ensure that all applicable logs and evidence are preserved
- To understand how the intruder is entering the system
- To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena for information from an ISP
- To discover why the intruder has chosen the computer
- To gather as much evidence of the intrusion as possible
- To obtain information that may narrow your list of suspects
- To document the damage caused by the intruder
- To gather enough information to decide whether law enforcement should be involved

Slide 16/30

Immediate Objective: PRESERVE THE EVIDENCE!!!

- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage
- Collect local logs
- Image disks on victim computers

Slide 17/30

Building an Incident Hypothesis

- Start with witness accounts
- Consider how the intruder could have gained access
  - eliminate the obvious
  - use logs and other physical evidence
    - consider the skill level or inside knowledge required
- Create mirrors of affected computers

Slide 18/30

Building an Incident Hypothesis (continued)

- Develop a profile of the intruder
- Consider the path into the victim computer
- Recreate the incident in the lab
  - use real mirrors whenever possible
- Consider alternative explanations
  - test alternatives

Slide 19/30

Incident Reconstruction

- Physical
  - use mirrors of the actual involved systems
  - useful for single computers
- Logical
  - use similar systems
  - useful for networks where you have access to the entire network
- Theoretical
  - hypothesize intermediate computers
  - necessary when you can't access all involved computers

Slide 20/30

Back Tracing

- Elements of a back trace
  - end points
  - intermediate systems
  - e-mail and packet headers
  - logs
- Objective: to get to a dial-in POP
- The only messages that can't be back-traced are those using a true anonymizer and those where no logs are present

Slide 21/30

Enabling Relationships

[Diagram: the path of the attack and the logs that document each step]

  Intruder's laptop --(DIAL)--> ISP --(INTERNET)--> Router --(PENETRATE HOST)--> Intermediate host --(ATTACK VICTIM)--> VICTIM

  Evidence sources along the path: TELCO LOGS (the dial-in), ISP's LOGS, OUR LOGS

Slide 22/30

Obtaining Subpoenas

- Notify the involved organization that you are going to subpoena and request that they preserve evidence - find out who to deliver the subpoena to
- File a John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
- Subpoena the logs you need
  - Get everything you can on the first pass
  - May need depositions

Slide 23/30

Requirements for Logs to be used as Evidence

- Must not be modifiable
  - Spool off to protected loghost
  - Optical media
  - Backups
- Must be complete
  - All superuser access
  - Login and logout
  - Attempts to use any controlled services
  - Attempts to access critical resources
  - E-mail details
- Appropriate retention
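The "must not be modifiable" requirement is the one the slide-7 clean-up list is aimed at: an intruder with root can rewrite syslog, wtmp and the su log in place. An added example (not from the slides) of the two pieces that requirement calls for, hash-chained records plus a copy of the chain head spooled to a protected loghost. Record fields, hostnames and the 192.0.2.17 address are constructed; SHA-256 is the author's choice of digest, not the slide's:

```python
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first record


def record_digest(prev_digest, record):
    """Digest over the previous digest and the canonical JSON of this record,
    so every entry commits to everything before it."""
    payload = prev_digest + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []  # list of (record, digest)

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = record_digest(prev, record)
        self.entries.append((record, digest))
        return digest

    def head(self):
        """The value to spool off-box (protected loghost, optical media) after each write."""
        return self.entries[-1][1] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Recompute the chain. Returns the index of the first entry whose stored digest
    no longer fits (edited, deleted or re-ordered), len(entries) if the chain is
    self-consistent but its head differs from the one held off-box, or None if intact."""
    prev = GENESIS
    for i, (record, digest) in enumerate(entries):
        if record_digest(prev, record) != digest:
            return i
        prev = digest
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def demo():
    """Constructed scenario: three local records, then two kinds of tampering."""
    log = ChainedLog()
    for rec in [
        {"ts": "1998-09-12T22:25:13Z", "host": "victim", "event": "su", "user": "wwwrun", "to": "root"},
        {"ts": "1998-09-12T22:26:40Z", "host": "victim", "event": "login", "user": "root", "from": "192.0.2.17"},
        {"ts": "1998-09-12T22:40:02Z", "host": "victim", "event": "logout", "user": "root"},
    ]:
        log.append(rec)
    loghost_head = log.head()  # what the protected loghost received

    # Tampering 1: the login's source address is edited, digests left alone.
    edited = [(dict(r), d) for r, d in log.entries]
    edited[1][0]["from"] = "127.0.0.1"
    crude = verify(edited, loghost_head)

    # Tampering 2: same edit, but the whole chain is recomputed afterwards.
    # Locally it looks perfect; only the off-box head reveals the rewrite.
    rebuilt = ChainedLog()
    for r, _ in edited:
        rebuilt.append(r)
    return {
        "intact": verify(log.entries, loghost_head),
        "edit_only": crude,
        "rewrite_local_check": verify(rebuilt.entries),
        "rewrite_vs_loghost": verify(rebuilt.entries, loghost_head),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second scenario is why the slide lists an off-box copy rather than just a hash: a chain that lives only on the victim can be rewritten end to end by anyone with root there, and it is the head (or the records themselves) held on the loghost that makes the rewrite visible.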

Slide 24/30

Tracing E-Mail Headers

The numbers mark the order in which the Received: lines were added by each relay; (4) is the forged From: line.

(3) Received: from mailhost.example.com ([XXX.XXX.178.66])
        by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03)
        id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0)
        id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
    Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
(4) From: fake user [email protected]
    Message-Id:
    Content-Type: text/plain
    Mime-Version: 1.0
    To: [email protected]
    Content-Transfer-Encoding: 7bit
    Subject: This is a forged e-mail message

Slide 25/30

Performing the Trace

[Flow chart: the steps of the trace, reconstructed from the slide's boxes]

  1. Contact iname's Security Officer
  2. Connect account name, time & message ID to source IP address
  3. Locate ISP & contact Security Officer
  4. Get logs from source IP
  5. Who was connected at the time of the e-mail?
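An added example (not part of the original slides) of the first half of this trace done mechanically on the slide-24 headers: reorder the Received: lines into delivery order, pull out the hand-off host, bracketed address, queue id and timestamp of each hop, and cross-check adjacent hops the way an analyst would before picking up the phone. The header block below is re-assembled from slide 24; the values the slide obscured ([XXX.XXX.178.66], the addresses) are kept as shown there, not filled in:

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample input: the forged message from slide 24, re-assembled into a
# raw header block. Obscured values are left exactly as the slide shows them.
SAMPLE_HEADERS = """\
Received: from mailhost.example.com ([XXX.XXX.178.66])
 by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
Received: from web03.iname.net by mailhost.example.com (AIX
 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0)
 id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
From: fake user [email protected]
To: [email protected]
Subject: This is a forged e-mail message

"""


def parse_received(value):
    """Pull the hop fields out of one Received: header value."""
    v = " ".join(value.split())  # undo header folding
    m_from = re.search(r"\(?from\s+([^\s()]+)", v)      # "from host" or "(from user@host)"
    m_addr = re.search(r"\[([^\]]+)\]", v)              # bracketed peer address, if logged
    m_by = re.search(r"\bby\s+([^\s;()]+)", v)          # the relay that wrote this line
    m_id = re.search(r"\bid\s+([^\s;()]+)", v)          # that relay's queue id (what its logs are keyed by)
    stamp = v.rsplit(";", 1)[-1].strip() if ";" in v else None
    return {
        "from": m_from.group(1) if m_from else None,
        "addr": m_addr.group(1) if m_addr else None,
        "by": m_by.group(1) if m_by else None,
        "id": m_id.group(1) if m_id else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_hops(raw_headers):
    """Hops in delivery order, origin first. Each relay prepends its Received:
    line, so the last one in the text is the earliest."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def find_anomalies(hops):
    """The relay that stamped hop n ('by') should be the host hop n+1 says it
    received 'from', and time in UTC should not run backwards between hops.
    A failure means a forged or inserted header, or a relay with a bad clock;
    either way that hop's operator is the one to ask."""
    notes = []
    for n in range(1, len(hops)):
        prev, cur = hops[n - 1], hops[n]
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            notes.append(f"hop {n + 1}: says from {cur['from']} but hop {n} was stamped by {prev['by']}")
        if prev["time"] and cur["time"]:
            delta = (cur["time"] - prev["time"]).total_seconds()
            if delta < 0:
                notes.append(f"hop {n + 1}: timestamp runs {int(-delta)} s backwards relative to hop {n}")
    return notes


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_HEADERS)
    for n, h in enumerate(hops, 1):
        print(f"({n}) {h['from']} {h['addr'] or ''} -> {h['by']}  id={h['id']}  at {h['time']}")
    print("anomalies:", find_anomalies(hops) or "none")
```

On the slide's message the origin hop is stamped by web03.iname.net with the local-injection marker (from root@localhost) and queue id SAA29949; that host, id and time are exactly what step 2 above hands to iname's security officer, since only their logs connect them to an account and a source IP. The check also notices that hop (3) is stamped about six minutes earlier than hop (2) once both are converted to UTC, which is worth settling with the two relay operators before the timestamps are used to ask an ISP who was connected.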

Slide 26/30

Evidence Collection & Preservation

- Forensic evidence
  - Safeback - creates physical images and mirrors of affected computers
- Forensic analysis
  - NTI tools
- NEVER work directly on the evidence
  - Never contribute to the evidence
- Ensure chain of custody
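An added example (not the slides' own code, and not a model of Safeback or the NTI tools) of the discipline on this slide in working form: acquire an image while hashing the source bytes as they are read, re-hash the written image, record who did it and when, and then hand analysts a working copy so the image itself is never touched. The scratch "device" file, case id and examiner name are constructed:

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the source in 1 MiB blocks


def sha256_file(path):
    """Hash a file without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, case_id):
    """Read the source once, write a bit-for-bit image, hash the bytes as they are
    read, re-hash the written file, and return the custody record for both.
    Opening the source read-only is the software half of 'never work directly on
    the evidence'; a hardware write-blocker is the other half."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    record = {
        "case_id": case_id,
        "source": source,
        "image": image_path,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_sha256": h_src.hexdigest(),
        "image_sha256": sha256_file(image_path),
        "custody": [],
    }
    record["image_verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def make_working_copy(record, copy_path, examiner):
    """Analysis is done on a copy of the image, never on the image. The hand-off
    is appended to the custody trail."""
    shutil.copyfile(record["image"], copy_path)
    record["custody"].append({
        "event": "working copy created",
        "path": copy_path,
        "by": examiner,
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "copy_sha256": sha256_file(copy_path),
    })
    return copy_path


def image_intact(record):
    """Re-verify the master image before it is relied on; it must still hash the same."""
    return sha256_file(record["image"]) == record["image_sha256"]


def demo():
    """Constructed walk-through on a scratch file standing in for the victim's disk."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "sda")
    with open(device, "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/sh\n" * 4096 + b"<intruder work files>" * 10)
    rec = acquire_image(device, os.path.join(work, "case.img"), "examiner-1", "CASE-ID-PLACEHOLDER")
    copy = make_working_copy(rec, os.path.join(work, "case-work.img"), "examiner-1")
    # The analyst's tools alter the working copy (here: append one byte), never the image.
    with open(copy, "ab") as f:
        f.write(b"\x00")
    result = {
        "image_verified": rec["image_verified"],
        "image_still_intact": image_intact(rec),
        "copy_still_matches": sha256_file(copy) == rec["image_sha256"],
        "custody_events": len(rec["custody"]),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The source hash and image hash are recorded separately on purpose: matching them proves the image is what was read, and re-hashing the image later proves nobody has worked on it since.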

Slide 27/30

RMON2 Tracing Tools

- Requires RMON2 devices
- Use ODS Networks Secure Switch Investigator
- Looks for evidence of alien conversations served from within the victim's perimeter
- By moving outwards a step at a time, determine the source of the attack

Slide 28/30

MCI DoSTracker

- Attempts to trace source-forged packets, starting at a victim location and tracing backwards to the possible source
- Attack must be in progress
- Process - log in to the starting edge router
  - Deploy access control list in debug mode for victim IP
  - Clear victim subnet cache
  - Look for forged packets by comparing to route table
  - Spawn separate process to log in to next hop router and continue
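The "compare to the route table" step is a reverse-path check: a packet whose claimed source the router would reach through a different interface than the one the packet arrived on did not come from where it says. An added example (not MCI's tool, and not the slides' own code) of that step and of the decision it feeds, namely which neighbour to log into next. The route table, interface names, neighbour names and captured packets are constructed, using documentation address ranges:

```python
import ipaddress
from collections import Counter

# Constructed sample route table of the edge router we start at:
# (prefix, outgoing interface, neighbour reached through it; None if directly attached)
ROUTES = [
    ("0.0.0.0/0",       "Serial0",   "upstream-A"),   # default route
    ("198.51.100.0/24", "Ethernet0", None),           # victim's subnet, attached
    ("203.0.113.0/24",  "Serial1",   "peer-B"),
    ("192.0.2.0/24",    "Serial2",   "customer-C"),
]

# Constructed sample of what the ACL on the victim's address captured
VICTIM = "198.51.100.10"
PACKETS = [
    {"src": "203.0.113.5",    "dst": VICTIM, "in_iface": "Serial1"},  # agrees with the route table
    {"src": "192.0.2.1",      "dst": VICTIM, "in_iface": "Serial2"},  # agrees
    {"src": "198.51.100.250", "dst": VICTIM, "in_iface": "Serial0"},  # claims the victim's own LAN
    {"src": "203.0.113.9",    "dst": VICTIM, "in_iface": "Serial0"},  # peer-B's space, arrived from upstream
    {"src": "192.0.2.77",     "dst": VICTIM, "in_iface": "Serial0"},  # customer-C's space, arrived from upstream
]


def build_table(routes):
    return [(ipaddress.ip_network(p), iface, nbr) for p, iface, nbr in routes]


def lookup(table, addr):
    """Longest-prefix match: (network, interface, neighbour) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface, nbr in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nbr)
    return best


def forged_packets(table, packets):
    """Reverse-path check. If the router's route back to the claimed source leaves
    by a different interface than the packet came in on, the source is forged
    (or routing is asymmetric here, which the analyst must rule out)."""
    flagged = []
    for pkt in packets:
        route = lookup(table, pkt["src"])
        expected = route[1] if route else None
        if expected != pkt["in_iface"]:
            flagged.append({**pkt, "expected_iface": expected})
    return flagged


def next_hop_routers(table, flagged):
    """The interfaces the forged traffic really arrived on name the neighbour(s)
    to log into next: {interface: (neighbour, packet count)}."""
    ingress = Counter(p["in_iface"] for p in flagged)
    result = {}
    for iface, count in ingress.items():
        nbr = next((n for _, i, n in table if i == iface and n), None)
        result[iface] = (nbr, count)
    return result


if __name__ == "__main__":
    table = build_table(ROUTES)
    bad = forged_packets(table, PACKETS)
    for p in bad:
        print(f"forged: src {p['src']} came in on {p['in_iface']}, route back is via {p['expected_iface']}")
    print("continue the trace on:", next_hop_routers(table, bad))
```

Two caveats that also explain why the slide's process repeats hop by hop rather than stopping here: a source that only matches the default route can never be flagged by the router it enters on, and asymmetric routing between two networks makes honest packets fail the check, so each router's verdict only narrows the search to its neighbour.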

Slide 29/30

CMDS - Abuse at the Host

- Manager-Agent architecture
- Responds to violations of policies
- Analyzes usage patterns
  - Identifies rogue users
  - Identifies masqueraders
- Available from ODS Networks

Slide 30/30

Summary

- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement