Networks Forensics Week 4 PDF
Document Details
Uploaded by AstonishingDouglasFir
Al-Balqa Applied University
2024
Dr. Basil Elmasri
Tags
Related
- 12 9780840024220_PPT_ch12.pdf
- SEC524 Computer and Network Forensics Lectures 01 & 02 PDF
- SEC524 Computer and Network Forensics Lectures 03 and 04 PDF
- SEC524 Computer and Network Forensics Lectures 08-10 PDF
- King Fahd University of Petroleum & Minerals SEC524 Computer and Network Forensics Lectures 11 and 12 PDF
- GIU Digital Forensics Lecture 9 PDF
Summary
This document includes material from Al-Balqa Applied University concerning Networks Forensics for the 2024/2025 academic year. The document comprises principles of digital forensics and data acquisition.
Full Transcript
DF347 Networks Forensics 2024/2025 – Semester 1 Week 4 27th – 31st October 2024 [email protected] Dr. Basil Elmasri [email protected] ACPO Principles (I)...
DF347 Networks Forensics 2024/2025 – Semester 1 Week 4 27th – 31st October 2024 [email protected] Dr. Basil Elmasri [email protected] ACPO Principles (I) Principle set by the Association of Chief Police Officers (ACPO) in the UK. One of the most important things are needed to know as digital forensic practitioners. ACPO Principle 1 No action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data which may subsequently be relied upon in court. ACPO Principle 2 In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. ACPO Principles (II) ACPO Principle 3 An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. ACPO Principle 4 The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to. The ACPO Principles are not law, so compliance is “voluntary”. But non- adherence will certainly lead to exclusion of evidence. Principle 1 is about data Change, principle 2 is about Original data, principle 3 is about Audit trail, and principle 4 is about overall Responsibility. Can be abbreviated by (COAR). Digital Evidence on Media Storage A computer itself or specifically media storage can be a crime scene The crime scene must be protected, and evidence(s) must not be contaminated. A digital evidence must be considered once contaminated it cannot be uncontaminated anymore. An images can be defined as snapshot of a data source. - In context of digital forensics, the word “image” should be carefully used. Dealing or messing with live data can change or affect Modification, Access, and Creation time (MAC times). So, unless necessary, live data must not be dealt with. Common Digital Evidence Locations Undeleted files, expect some names to be incorrect. Deleted files. Windows registry. Hibernation Files. Swap Files, usually a name for the virtual memory. - other names like page files or paging files. Temp Files (.tmp). Slack Space. Browser Caches. In RAM. On mission-critical machines, those can’t be turned off without severe disruption. Copying and Backups Copying files does not recover all the areas of the data for examination. Normal way of backups are usually insufficient; thus, it might be the only available method sometimes. Most operating systems in general concentrate on the file system structure. Slack, unallocated, deleted, etc. are not indexed. As a result, backups generally do not capture this type of data and they also modify MAC times, this will be contaminating the timeline. - What is an important thing, related to time, to consider? Most backup methods copy only the residing data in the allocated disk space. Bitstream Bitstream, or Forensic Copies, a bit for bit copying This will capture all the data on the copied media including hidden and residual data, e.g., slack space, swap, unallocated, unused space, deleted files … etc. A forensic (image) backup sequentially copies each and every disk sector, regardless of whether it is allocated space or has any data in it. The object is to produce a “snapshot” image of the drive that is absolutely identical to the drive itself. In typical and normal backup, a 1000 GB drive with 50 GB of allocated files will produce a 50 GB backup file. In forensic imaging, a 1000 GB drive with 50 GB of allocated files will produce a 1000 GB image file. Data Acquisition Static acquisition Copying a hard drive from a powered-off system. Used to be the standard. Does not alter the data, so it's repeatable. Live acquisition Copying data from a running computer. Now the preferred type, because of hard disk encryption. Cannot be repeated exactly, alters the data. Also, collecting RAM data is becoming more important. But RAM data has no timestamp, which makes it much harder to investigators. Imaging Process Make 2 copies of the original media. copy becomes the working copy. And one copy is a library/control copy. Verify the integrity of the copies to the original. The working copy is used for the analysis. The library copy is stored for disclosure purposes or in the event that the working copy becomes corrupted In case of performing a drive-to-drive imaging, NOT into an image file, it is highly recommended (nearly must) to use clean a media to copy to. The integrity of all images MUST be verified. - How? Box 2.6 in (Jackson & Jackson, 2017) Computer Networks and Digital Forensics Data relevant to the investigation may be stored on any connected device. - Inside or outside of the local investigation scene. Storage locations on the Internet. Devices may be transferring data without any human interaction. Some unknown third party may be remotely connected to any device trying to alter evidential data. Some steps to minimise impacts on the investigation in most residential cases. Dealing With the Wi-Fi Access Point Locate the Wi-Fi Access Point (AP), AKA the Wi-Fi router. If the lights upon it are either static or flashing occasionally: - It is likely that no network traffic is occurring. - Pull the telephone/cable/fibre optic connection from the rear of the device but leave the router powered on. If lights are flashing fast, it is likely that some network activity is occurring: - Establish from the owner whether they are is aware of any current activity. - Pull the telephone/cable/ fibre optic connection from the rear of the device but leave the router powered on. - If the same lights continue to flash in the same manner, it is indicative that devices within the local environment are continuing to transfer traffic. - In such cases, you may have to pull the power plug from the rear of the device. Indicator of Compromise (IoC) Indicators of Compromise (IoCs) are information about a specific security breach that can help security teams determine if an attack has taken place. IoCs help to identify and verify the presence of malicious software on a device or network, as an attack can leave behind traces of evidence. Obtaining IoCs can be by observation, analysis, and/or signatures. Observation: watching for abnormal activity or behaviours in systems or devices Analysis: determining the characteristics of the suspicious activity and analysing its impact Signatures: identifying known malicious software signatures Types of IoCs (I) Common types of IoCs: Network-based. Host-based. File-based. Behavioural. Metadata. Network-based IoCs: such as malicious IP addresses, domains, or URLs. They can also include network traffic patterns, such as unusual port activity, network connections to known malicious hosts, or patterns of data exfiltration. Types of IoCs (II) Host-based IoCs: are related to activity on a specific host, such as a workstation or server. Examples of host-based IoCs include file names or hashes, registry keys, or suspicious processes running on the host. File-based IoCs: include malicious files, such as malware or scripts used by an attacker. Behavioural IoCs: include different types of suspicious behaviour, such as unusual network traffic patterns or system activity, unusual logins or authentication attempts, or unusual user behaviour. Metadata IoCs: are related to the metadata associated with a particular file or document, such as the author, creation date, or version information. Indicators of Attack (IoA) Indicators of Attack (IoA) are the likelihood that a specific action or event may result in a threat. IoCs are similar to IoAs, but they are not exactly same. While IoA might indicate a high probability that an attack is planned to be launched, an IoC could be evidence of some unauthorised access to a network or system, such as the transfer of large amounts of data. IoC best practices include: Using automated and manual tools to monitor and analyse evidence of cyber attacks. Regular update of IoC procedures as new technologies and attack vectors emerge. What is the meaning of an attack vector, or threat vector? Watching Attacks – Live Demo Kaspersky Cyber Threat Map - https://cybermap.kaspersky.com. Fortinet Cyber Attack Map. - https://threatmap.fortiguard.com. Oracle Internet Intelligence Map (discontinued). - https://map.internetintel.oracle.com. Digital Attack Map. - https://www.digitalattackmap.com. Checkpoint Cyber Threat Map - https://threatmap.checkpoint.com. Security Operations Centre (SOC) A centralised function within an organisation employing people, processes, and technology. Such centre’s job is to continuously monitor and improve an organisation's security posture while preventing, detecting, analysing, and responding to cybersecurity incidents. A hub or central command post, across an organisation's IT infrastructure, including its networks, devices, appliances, and information stores. The SOC is responsible for the security of the IT infrastructure and all the data on it. Telemetry Telemetry is data collected from a network environment. Such data can be analysed to monitor the health and performance, availability, and security of the network and its components. In order to respond quickly and resolve network issues in real-time The proliferation of threats is placed by collecting context from diverse sources. SOC is the correlation point for every event logged within the organisation that is being monitored. - For each of these events, the SOC must decide how they will be managed and acted upon. Network Security Monitoring Network Security Monitoring (NSM) is the collection and the analysis of network traffic and endpoint events in order to detect and escalation of indications and warnings to detect and respond to intrusions There are some techniques and tools to implement NSM as part of security operations. IoCs allow the NSM to detect suspicious activities across networks and devices. IoC could be network- or host-based and include: - IPs - Protocol signatures. -Directory names - File names. - Persistence mechanism. - Login, usernames, passwords. -MD5 (checksums) The NSM Process Collection, detection and response. Collection of network traffic and endpoint events. Network data collection can be: Full packet data Session data Statistical data Alert data Network Monitoring & Forensics Slides by Jim Irving. - Taught in previous semesters in BAU. Network Forensics Host Forensics Usefulness PCAP and flow recap Intro to forensic data types Working with logs and alerts Working with PCAP data What they look like What it looks like How to interpret them How to interpret it Getting them all in one place How to get it SIEM’s and their familiars Working with flow data Fielding a monitoring solution What it looks like How to interpret it How to get it Introduction Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. Course Goal: To give the student a broad understanding of the main types of network forensic data gathering and an introduction to low level concepts necessary for a proper understanding of the task of performing network forensics. After completion, a student should be able to plan and execute a reasonable network monitoring program and use the gathered forensic data to perform a wide range of investigations. Benefits Why do you care - If this isn’t in your toolbelt already, you’ll get a lot of new capabilities when you go on a project. - If you’re already seasoned, you can learn from everyone else here. Why do I care - The Socratic method works. Disclaimer The information and views presented during this course concerning software or hardware does not in any way constitute a recommendation or an official opinion. All information presented here is meant to be strictly informative. Do not use the tools or techniques described here unless you are legally authorized to do so. References Jackson, R. A., & Jackson, J. M. (2017). Forensic Science (4 ed.). Harlow: Pearson Education. Slides by Dr. Sami Smadi from previous semesters. Slides by Jim Irving and CHFI.