Lesson 13 Initial Response Initial Assessment Computer Forensics


UTSA IS 3523 Incident Detection/Response

Roesch on the Threat

• “The propagation of automated tools for auto-hacking with the fact that less and less sophisticated attackers getting their hands on these tools is really going to cause big problems.”

  Martin Roesch, CEO, Sourcefire, SNORT lead developer


Initial Response


Off-scene Response

• Freeze the Incident Scene
• Verbally contain the scene with instructions such as:
  • “Take your hands off the keyboard and step away from the computer.”
  • “Physically disconnect the computer from the network.”
  • “What is your name, office and telephone number?”
  • “What is the hardware and operating system?”
  • “I’m going to fax you a set of instructions. What is your fax number?”

Incident Response Checklist, Version 1.0

Date:  Time:  Name:  Telephone Number:

Nature of Incident:
Time of Incident:
How was the incident detected:
Current Impact of Incident:
Future Impact of Incident:
Description of the Incident:

Hardware/OS/Software involved:
IP and network addresses of compromised systems:
Network Type:
Modem:
Criticality of Information:
Physical location:
System Administrator Name and Number:
Current status of machine:

Description of Hacker Actions
Ongoing activity:
Source Address:
Malicious program involved:
Denial of Service:
Vandalism:
Indication of insider or outsider:

Incident Response Checklist Continued, Version 1.0

Client Actions
Network disconnected:
Remote access available:
Local access available:
Audit logs available and examined:
Any changes to firewall:
Any changes to ACL:
Who has been notified:
Other actions taken:

Available Tools
Third party host auditing:
Network monitoring:
Network auditing:

Additional Contacts
Users:
System Administrators:
Network Administrators:

Special Information
Who should not know about this incident:

Response Team Member Signature/Date: __________________________________

Incident Response Team Fax, Version 1.0

Date: _____________  Time: ____________  Name: _______________________

Thank you for notifying the incident response team and agreeing to help. Please do not touch the affected computer(s) unless told to do so by a member of the Incident Response Team. Please remain within sight of the computer until a member of the Incident Response Team arrives, and ensure that no one touches the computer.

Please help us by detailing as much information about the incident as possible. Please complete the following items. If additional space is required, use a separate sheet of paper.

Witnesses:
1.
2.
3.

What indicators led you to notice and/or report the incident? Be as specific as possible.
Incident Indicators:

The next section is important, so be as accurate as possible. From the time you noticed the incident to the time you took your hands from the computer, list every command you typed and any file you accessed.

Commands typed and Files accessed:

Response Team Member Signature: ______________________________________


On-scene Response

• Physically contain the scene
  • Two personnel, if possible, should immediately respond to the scene
  • Order everyone to leave the scene who is not directly involved in the incident
• Incident Scene Survey (1st Member)
  • Use a portable tape recorder to:
    1. Record the scene
    2. Record everyone present
    3. Interview the individual who reported the incident
    4. Record, intermittently, the actions of the 2nd Member
    5. Assist the 2nd Member

On-Scene Response Continued

• Contain the System (2nd Member)
  • Ask the System Administrator to assist.
  • Back up the system.
    • Do this with a forensic-type tool that does a bit-by-bit backup, such as SafeBack at http://www.forensics-intl.com
    • Alternatively, remove the drive and seal it in a plastic bag with your notes and the notes of the individual who reported the incident
  • Attempt to identify the changed files through:
    • Tripwire http://www.tripwire.org/ or alternatively
    • Expert Witness at http://www.asrdata.com

Incident Investigation & Assessment

Knowing Architecture and Policies

• Review Network Topology
  • External connectivity
    • Internet
    • Extranet
    • Dial-up
    • Remote Sites
  • Network Devices: Routers, Firewall, IDS
  • Broadcast domains
• Review the Corporate Policies with regard to
  • Acceptable use policies
  • Network Monitoring
  • Computer Forensics

Conducting Personnel Interviews

• System administrator selected questions include:
  • Unusual Activity?
  • Administrative Access to System?
  • Remote Access to Systems?
  • Logging Capabilities?
  • Current Security Precautions?
• Managers selected questions include:
  • On-going Security tests?
  • Disgruntled employees?
  • Recently fired employee?
  • History of current employees?
  • Sensitive data or applications on the systems?
• End users selected questions include:
  • Anomalous Behavior or Suspicious activity?

Initial Assessment

• Assess the potential security Incident
  • What are the incident symptoms?
  • Is it a security incident?
  • A system problem?
    • Power outage
    • Faulty software
    • Communication problems
    • Procedural problem
    • Training problem

Initial Evaluation

• Evaluate the severity & scope of the incident
  • What specifically happened?
  • What was the entry point?
  • What local computers/networks were affected?
  • What remote computers/networks were affected?
  • What information was affected?
  • What was its value to the organization?
  • What further can possibly occur?
  • Who else knows about the incident?
  • What are the estimated time/resources required to handle the incident?

Incident Indications

• A new account
• Passwords were changed on existing accounts
• The protection changed on selected files/devices
• New SUID and SGID programs have been found
• System programs have been added/modified
• An alias has been installed in the E-Mail system to run a program
• New features have been added to your news or UUCP system
• Password sniffer was found (used to steal passwords for cracking with Crack)
• File dates have been modified
• Login files have been modified
• The system has an unexplained crash
• Accounting discrepancies
• Denial of Service
• Unexplained poor system performance
• Suspicious probes/browsing

Incident Indications continued

• Undocumented changes or upgrades to programs
• Unexplained user account charges or changes
• Security access compromise (passwords, etc.)
• Unauthorized use of computer facilities
• Unexplained network/computer crashes
• Unexplained corrupted files or services
• Theft/missing computer/storage equipment
• Unexplained performance/response problems
• Unexplained high utilization of equipment, storage or network resources
• Unexplained loss of critical/sensitive data
• Unexplained user account lockouts
• Unexplained network traps/alarms
• Unexplained firewall/IDS alerts/alarms

Initial Steps

• All systems/networks are suspect until the actual extent of the incident is known
• Verify integrity of all site computers
• Verify integrity of all site networks
• Verify integrity of all files/directories (checksums)
• Compare system files with backups or initial distributions
• Compare software applications with the baseline
• Analyze the documentation, files and security logs

Be careful not to contaminate the crime scene
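The checksum-based integrity verification in the Initial Steps above (and the Tripwire step in the on-scene response) can be demonstrated with a small baseline-and-compare script. This is an added example, not code from the lecture or from Tripwire: it hashes every regular file under a directory, stores size, permission bits and SHA-256, and on a later run reports files that were added, removed or modified, plus any file carrying the SUID/SGID bit. The directory contents in `demo()` are constructed to reproduce three of the listed incident indications (a modified system program, a new SUID program, a removed file).

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to (size, mode, sha256).
    Symlinks are skipped rather than followed, so a link cannot mask a change."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (st.st_size, st.st_mode, sha256_file(full))
    return manifest


def compare_manifests(baseline, current):
    """Sorted lists of added, removed and modified paths. A change in size,
    permission bits or content all count as 'modified'."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def suid_sgid_files(manifest):
    """Paths whose mode carries the SUID or SGID bit ('new SUID and SGID programs')."""
    return sorted(p for p, (_size, mode, _digest) in manifest.items()
                  if mode & (stat.S_ISUID | stat.S_ISGID))


def demo():
    """Constructed scenario in a temp directory: take a baseline, then change a
    system program, add a SUID program and remove a file, and diff the manifests."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"constructed stand-in for the ls binary")
    with open(os.path.join(root, "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")
    baseline = build_manifest(root)

    # Changes made after the baseline was taken (constructed)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"constructed stand-in for a replaced ls binary")
    newtool = os.path.join(root, "bin", "newtool")
    with open(newtool, "wb") as f:
        f.write(b"constructed stand-in for an unknown program")
    os.chmod(newtool, 0o4755)            # SUID bit set on the new program
    os.remove(os.path.join(root, "passwd"))
    current = build_manifest(root)

    added, removed, modified = compare_manifests(baseline, current)
    return {"added": added, "removed": removed, "modified": modified,
            "suid_sgid": suid_sgid_files(current)}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

The baseline manifest must be stored off the suspect system (and ideally signed or hashed itself), otherwise an intruder who can modify system programs can also rewrite the baseline to match.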

Computer Forensics


Pathways

All data leaves a trail.

The search for data leaves a trail.

The erasure of data leaves a trail.

The absence of data, under the right circumstances, can leave the clearest trail of all.


“This Alien Shore”, C. S. Friedman (C) 1998


Computer Forensics: Basic Principles

Investigate as if LE will be called in and the attackers will be prosecuted

• Principle 1
  - Preserve the evidence in an unchanged state

• Principle 2
  - Document the investigative process…thoroughly and completely

Forensics Terminology

• Evidence Media: Original media that needs to be investigated

• Target Media: the media that the evidence media is duplicated onto

• Restored Image: Copy of the forensic image restored to bootable form

• Native Operating System: OS utilized when the evidence media or forensic duplicate is booted for analysis

• Live Analysis: An analysis conducted on the original evidence media

• Off-line Analysis: Analysis conducted on the forensic image

• Trace Evidence: Fragments of information from the free space, etc.


Best Evidence Rule

• Common Mistakes include:
  • Altering time and date stamps
  • Killing rogue processes
  • Patching the system before the investigation
  • Not recording commands executed on the system
  • Using untrusted commands and binaries
  • Writing over potential evidence:
    • Installing software on the evidence media
    • Running programs that store output on the evidence media

• FRE 1001(3): "...if data are stored on a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'Original.'"

Evidence Chain of Custody

• The prosecution is responsible for proving that what is presented in court is what was originally collected. An Evidence Chain of Custody must be maintained.

• Create an Evidence Tag at the time of collection

• A designated Evidence Custodian with a laptop generates the Evidence Tags, recording:
  • Date and Time
  • Case Number
  • Evidence Tag number
  • Evidence Description
  • Individual receiving the evidence, and Date

• Each move of the evidence, from one person to another or from one medium to another, must be recorded
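The evidence tag and the rule that every hand-over or re-imaging is recorded can be captured in a small custody log. This is an added example rather than a tool from the lecture: an `EvidenceTag` holds the fields listed above, and every custody event (collection, person-to-person transfer, duplication onto other media) is appended as a record whose hash covers the previous record's hash, so a later edit to any entry, or a reordering, is detected by `verify()`. Case number, tag number, names, timestamps and the MD5 value in `demo()` are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # hash "before" the first record


def _link_hash(record, prev_hash):
    """Digest of this record's canonical JSON concatenated with the previous hash."""
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EvidenceTag:
    """One tag per item of evidence; custody events are appended and hash-linked."""

    def __init__(self, case_number, tag_number, description, collected_by, when=None):
        self.case_number = case_number
        self.tag_number = tag_number
        self.description = description
        self.events = []
        self._append({"action": "collected", "by": collected_by,
                      "medium": "original evidence media"}, when)

    def _append(self, fields, when=None):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.events[-1]["hash"] if self.events else GENESIS
        record = {"case": self.case_number, "tag": self.tag_number,
                  "seq": len(self.events), "time": ts, **fields}
        self.events.append({"record": record, "hash": _link_hash(record, prev)})

    def transfer(self, from_person, to_person, when=None):
        """Record a hand-over from one person to another."""
        self._append({"action": "transfer", "from": from_person, "to": to_person}, when)

    def duplicate(self, by, new_medium, digest, when=None):
        """Record a move from one medium to another, with the verification digest."""
        self._append({"action": "duplicated", "by": by, "medium": new_medium,
                      "md5": digest}, when)

    def verify(self):
        """True only if every record is unmodified and still in its original order."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev["record"]["seq"] != i or ev["hash"] != _link_hash(ev["record"], prev):
                return False
            prev = ev["hash"]
        return True

    def to_json(self):
        return json.dumps({"case": self.case_number, "tag": self.tag_number,
                           "description": self.description,
                           "events": self.events}, indent=2)


def demo():
    """Constructed case: collect a drive, hand it to the custodian, image it,
    then show that silently rewriting a past entry breaks verification."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)   # constructed timestamps
    tag = EvidenceTag("CASE-0001", "TAG-0001", "80 GB IDE drive, S/N placeholder",
                      collected_by="A. Responder", when=t0)
    tag.transfer("A. Responder", "B. Custodian", when=t0.replace(hour=11))
    tag.duplicate("B. Custodian", "forensic image on target media",
                  digest="md5-placeholder", when=t0.replace(hour=13))
    intact = tag.verify()
    tag.events[1]["record"]["to"] = "C. Someone"   # tampering after the fact
    return intact, tag.verify(), len(tag.events)


if __name__ == "__main__":
    print(demo())
```

The hash link only proves the log was not edited after the fact; the custodian still signs each printed tag, and the log file itself is kept with the evidence, not on the evidence media.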


Forensic Image

• Initial Response: power the system down or work it online?

• Volatile Data: if the system is powered down, volatile data is lost
  • Memory
  • State of network connections
  • State of running processes

• Useful Windows NT/2000 commands/utilities
  • date, time, loggedon, netstat, fport, pslist, nbtstat, and doskey
  • http://www.sysinternals.com

• Useful Unix commands
  • w, netstat -amp, lsof, ps, netstat, script
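When the decision is to work the system online, the volatile data listed above has to be captured in a way that also satisfies the "record every command" and "use trusted binaries" rules from the Best Evidence slide. The wrapper below is an added example, not part of the lecture: it runs each command from the slide's Unix list (the arguments such as `-an` and `aux` are this example's choices, not the slide's), records which binary on disk was actually executed, the start and finish time, the exit code and a SHA-256 of the output, and writes everything to a report that should live on separate media. The `trusted_dir` parameter restricts the binary search to your own toolkit directory.

```python
import hashlib
import shutil
import subprocess
from datetime import datetime, timezone

# Commands from the slide's Unix list; arguments are this example's choices
# and vary by platform, so adjust them for the system in front of you.
UNIX_COMMANDS = [["date"], ["w"], ["netstat", "-an"], ["lsof", "-n"], ["ps", "aux"]]


def run_and_record(cmd, trusted_dir=None, timeout=30):
    """Run one command and return what belongs in the notes: the binary used,
    when it ran, its exit code, the raw output and the output's hash.
    trusted_dir, if given, is the only place the binary is looked for."""
    exe = shutil.which(cmd[0], path=trusted_dir)
    if exe is None:
        return {"cmd": " ".join(cmd), "skipped": True, "reason": "binary not found"}
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run([exe] + cmd[1:], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"cmd": " ".join(cmd), "skipped": True, "reason": "timeout"}
    return {"cmd": " ".join(cmd), "exe": exe, "started": started,
            "finished": datetime.now(timezone.utc).isoformat(),
            "rc": proc.returncode, "output": proc.stdout, "skipped": False,
            "sha256": hashlib.sha256(proc.stdout).hexdigest()}


def collect(commands=UNIX_COMMANDS, trusted_dir=None):
    """Run the whole list in order; most volatile first is the usual ordering."""
    return [run_and_record(c, trusted_dir) for c in commands]


def write_report(records, path):
    """Write the outputs to a file on separate media (never the evidence drive),
    with a header per command so the notes and raw output stay together."""
    with open(path, "wb") as out:
        for r in records:
            out.write(("=== %s ===\n" % r["cmd"]).encode())
            if r["skipped"]:
                out.write(("skipped: %s\n\n" % r["reason"]).encode())
                continue
            out.write(("exe=%s started=%s finished=%s rc=%d sha256=%s\n" % (
                r["exe"], r["started"], r["finished"], r["rc"], r["sha256"])).encode())
            out.write(r["output"] + b"\n")
    return path


if __name__ == "__main__":
    # Placeholder output path: point this at your own removable media.
    write_report(collect(), "volatile-data-report.txt")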


BIOS Review

• Review the Basic Input/Output System (BIOS) before beginning a duplication to determine:
  • Basic geometry of the hard drive on the target system
    • Document the hard drive settings, including maximum capacity, cylinders, heads, and sectors
    • For proper recovery by the original OS, the partitions should be aligned on the cylinder boundaries
  • The boot sequence on the target system
    - Floppy drives
    - Network
    - PCMCIA Card
    - CD-ROM
    - Hard Drive

Throughout the forensics process do not forget the basics…assume nothing.


Forensic Duplication

• Three Forensic Duplication Approaches

1. Remove the storage media and connect it to a forensics workstation
   • Document the system details, including serial number, jumper settings, visible damage, etc.
   • Remove the media from the target system and connect it to the forensics workstation
   • Image the media using Safeback, the Unix dd utility or EnCase

Forensics Workstations: http://www.computer-forensics.com
Safeback: http://www.forensics-intl.com/safeback.html
EnCase: http://guidancesoftware.com
DiskPro: http://www.e-mart.com/www/cnr.html


Forensic Duplication Continued

2. Attach a hard drive to the target computer
   • Make sure the target computer works as expected

3. Image the storage media by transmitting the disk image over a closed network to the forensics workstation
   • Establish a point-to-point link from the evidence system to the forensics workstation using an Ethernet switch or an Ethernet crossover cable
   • Perform an MD5 computation on both the original and the target system

Don’t forget to document the process you used
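The dd-style duplication and the MD5 check "on both the original and the target system" can be shown end to end on a constructed file standing in for a drive. This is an added example and not the lecture's or any vendor's tool: `duplicate()` copies the source to the target in fixed-size blocks the way `dd if=... of=... bs=...` does and hashes the bytes as they stream through, then `image_and_verify()` hashes the original and the target independently and accepts the image only if all three digests agree. `demo()` builds a small "drive" (a boot-sector signature, random sectors and a partial trailing sector), images it, then flips one byte in the image to show the verification failing.

```python
import hashlib
import os
import tempfile

SECTOR = 512


def md5_of(path, bs=SECTOR * 128):
    """MD5 of a file read in fixed blocks, the same idea as md5sum over a device."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bs), b""):
            h.update(block)
    return h.hexdigest()


def duplicate(src, dst, bs=SECTOR * 128):
    """Copy src to dst block by block, like `dd if=src of=dst bs=...`.
    Returns (bytes copied, MD5 of the bytes as they streamed through)."""
    h = hashlib.md5()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(bs), b""):
            fout.write(block)
            h.update(block)
            copied += len(block)
        fout.flush()
        os.fsync(fout.fileno())   # make sure the image is really on the target media
    return copied, h.hexdigest()


def verify_image(src, dst):
    """Independent check: hash the original and the target separately."""
    return md5_of(src) == md5_of(dst)


def image_and_verify(src, dst):
    """Image src to dst and compare source, target and in-flight digests."""
    copied, stream_md5 = duplicate(src, dst)
    src_md5, dst_md5 = md5_of(src), md5_of(dst)
    return {"bytes": copied, "source_md5": src_md5, "target_md5": dst_md5,
            "verified": src_md5 == dst_md5 == stream_md5}


def demo():
    """Constructed 'drive' in a temp directory: image it, verify, then damage one
    byte of the image and verify again."""
    d = tempfile.mkdtemp()
    evidence = os.path.join(d, "evidence.bin")   # stands in for /dev/sdX
    image = os.path.join(d, "evidence.dd")
    with open(evidence, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa" + os.urandom(SECTOR * 37) + b"\x00" * 200)
    result = image_and_verify(evidence, image)
    with open(image, "r+b") as f:                # simulate a damaged image
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0xFF]))
    return result, verify_image(evidence, image)


if __name__ == "__main__":
    good, after_damage = demo()
    print(good)
    print("verified after damage:", after_damage)
```

Record all three digests on the evidence tag; a hash of the target alone does not prove it matches the original, and a hash of the original alone does not prove the copy is complete (note that `duplicate()` reports the byte count as well, which should equal the capacity documented from the BIOS review).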

The Computer Forensic Process

Forensic duplication? Yes: choose the tool, then follow its branch.

• Use Safeback
  1. Create a DOS-controlled boot floppy
  2. Make Safeback image files (.SFB)
  3. Restore the Safeback image files to a separate hard drive for analysis

• Use dd
  1. Create a Linux-controlled boot floppy
  2. Make a dd duplication file
  3. If the drive is a Windows OS, you will likely have to restore the drive to separate media

• Use EnCase
  1. Create a DOS-controlled boot floppy
  2. Make EnCase evidence files (.E00)
  3. Use the EnCase operating environment to analyze the drive content

• Use other forensic software
  1. ??
  2. ??
  3. ??


Forensic Analysis

• Physical Analysis: performed on the forensic image only!
  • Perform a String Search
    • String Search http://www.maresware.com/maresware/forensic1.htm
  • Perform a Search and Extract
    • Looks for file types
    • File Formats http://www.wotsit.org/
  • Extract File Slack and/or Free Space
    • Free Space: hard drive space not allocated to a file, including deleted file fragments
    • Slack Space: space left when a minimum block size is not filled by a write operation
    • NTI Tool Suite http://www.forensics-intl.com/
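The physical-analysis steps above (string search, keyword search, slack extraction) can be illustrated on a constructed raw image. This is an added example, not one of the linked tools: `find_strings()` pulls printable ASCII runs out of raw bytes, `keyword_offsets()` reports where case-insensitive keywords occur, and `slack_region()` returns the bytes between the end of a file and the end of its last allocation unit. The cluster size (4096) and the image contents in `demo()`, a 100-byte file written over a cluster that previously held a deleted memo, are constructed so that the memo survives only in the slack.

```python
import re

CLUSTER = 4096   # constructed: a typical allocation unit (cluster/block) size


def find_strings(data, min_len=6):
    """(offset, text) for every run of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def keyword_offsets(data, keywords):
    """Case-insensitive byte offsets of each keyword in the raw image."""
    return {kw: [m.start() for m in
                 re.finditer(re.escape(kw.encode()), data, re.IGNORECASE)]
            for kw in keywords}


def slack_bytes(file_size, cluster=CLUSTER):
    """Size of the slack: the unused tail of the file's last allocated cluster."""
    return (-file_size) % cluster


def slack_region(image, file_offset, file_size, cluster=CLUSTER):
    """Bytes between end-of-file and the end of its last cluster."""
    end = file_offset + file_size
    return image[end:end + slack_bytes(file_size, cluster)]


def demo():
    """Constructed single-cluster image: a short new file overwrote the first
    100 bytes of a cluster that held a deleted memo; the rest is file slack."""
    deleted_memo = (b"Deleted memo: wire $50,000 to account 1234 on Friday. " * 80)[:CLUSTER]
    new_file = b"Quarterly numbers attached; see sheet two for details.".ljust(100, b" ")
    image = new_file + deleted_memo[100:]
    slack = slack_region(image, 0, 100)
    return {"slack_len": len(slack),
            "slack_strings": find_strings(slack),
            "memo_hits": len(keyword_offsets(image, ["memo"])["memo"]),
            "slack_has_memo": b"Deleted memo" in slack}


if __name__ == "__main__":
    r = demo()
    print("slack bytes:", r["slack_len"], "keyword hits:", r["memo_hits"])
    for offset, text in r["slack_strings"]:
        print(offset, text[:60])
```

The same functions run over a whole dd image; a logical file copy would never contain the slack region, which is why the slide insists this analysis is done on the forensic image.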


Forensic Analysis Continued

• Logical Analysis: partition-by-partition analysis of each file
  • Typical process includes:
    • Mount each partition in read-only mode under Linux
    • Export the partition via SAMBA to the forensics system
    • Examine each file with the appropriate file viewer
  • Typical lists created:
    • Web Sites
    • E-mail addresses
    • Specific key words, etc.

Quick View Plus http://www.jasc.com/product.asp?pf_id=006
HandyVue http://shop.store.yahoo.com/repc/handyvue.html


Common Forensics Mistakes

• Failure to maintain thorough, complete documentation
• Failure to control access to digital information
• Underestimating the scope of the incident
• Failure to report the incident in a timely manner
• Failure to provide accurate information
• No incident response plan

Plan, control, document, report


Closing Thought

• “If an organization is going to make the effort to secure its systems it must make every effort to respond to security breaches…the only failure to good security planning is to fail to plan a response action for a breach in that security.”

  Rob Kaufman


Summary

• Prepare for incidents

• Perform initial assessment

• Evaluate crime scene

• Conduct forensics--D3