SEC524 Computer and Network Forensics Lectures 01 & 02 PDF
Summary
This document provides an introduction to computer and network forensics, covering topics such as the introduction, outline, security vs forensics, and data recovery vs forensics. It details the major topics in the course and a brief history of digital forensics, which discusses the roots, early days, and the digital forensic crisis. This was a lecture for a course in Saudi Arabia, at King Fahd University of Petroleum & Minerals.
Full Transcript
King Fahd University of Petroleum & Minerals
College of Computer Sciences & Engineering

SEC524 Computer and Network Forensics
Lectures 01 and 02: Introduction

These slides are based on:
- Network Forensics: Tracking Hackers Through Cyberspace, Sherri Davidoff and Jonathan Ham (Ch. 1)
- Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 1)
- Incident Response & Computer Forensics, Jason Luttgens et al. (Ch. 1)
- ENISA: Introduction to Network Forensics (Ch. 1)
- Mike Mabey Class Notes

Outline
- Introduction to Computer and Network Forensics
- What are forensics, cyber crimes?
- Brief history of digital forensics
- Relationship with other Digital Forensics Fields
- Real-world Incidents of Cyber Crimes
- What skills you need for Computer and Network Forensics?
- Computer and Network Forensics as a Profession

Introduction to Comp & Net Forensics

Security vs. Forensics?
- Security is concerned with achieving a minimum of confidentiality, integrity, and availability (CIA)
- Forensics is concerned with acquiring and analyzing data (evidence) after a cyber crime happens (postmortem) – violates confidentiality!
- Two elements of forensics
  - Process
    - Distinguishes forensics from data recovery, bug hunting
    - How to acquire, handle, and analyze evidence properly (admissible in court)
    - What precautions to take, pitfalls to be aware of
  - Technical Knowledge
    - Deep understanding of specific technology needed to extract information
    - How is data stored at the binary level?
- Forensics: Application of technical knowledge to extract info from evidence while adhering to a lawful process

Data recovery vs. Forensics?
- Data recovery is concerned with:
  - Retrieving data accidentally deleted
  - Damaged or destroyed (fire, power failure, etc.)
  - User WANTS it back
- Forensics is concerned with:
  - Retrieving data the user deliberately obscured to hide a cyber crime
  - Searching for evidence
  - User DOESN'T want it back
- Forensics searches for data (i.e., evidence) that:
  - Is stored on backup tapes (Archived)
  - Is currently seen by the operating system (Active)
  - Has been removed from the operating system's view (could still be in the unallocated disk/memory space)

Major topics covered in the course
- What are forensics, cyber crimes?
- Brief history of digital forensics
- Relationship with other digital forensics fields
- Principles of forensics (Process)
  - Acquisition, Authentication, Analysis, Presentation, Rules of evidence
- Computing basics
  - File systems, How computers store data, How computers communicate
- Forensic tools and technologies
  - Open-source tools, Commercial tools
- Cybercrime investigation
  - What constitutes cyber crime, Law and policies on cyber crime
- Anti-forensic methods and countermeasures
- Writing forensic reports

What are Forensics, Cyber Crimes?
- Forensic Science: Application of science to those criminal and civil laws that are enforced in a criminal justice system
  - Places physical evidence into a professional discipline (e.g., Computer, Chemistry, Biology, Physics, Geology, ...)
- Cyber Crime: A crime in which technology plays an important, and often a necessary, part
  - Computer system is the tool used in a crime
  - Computer system is the target of a crime
  - Computer system is used to store data related to criminal activity
- Field of digital forensics commenced!

Brief History of Digital Forensics
- Roots of digital forensics go back to roughly 1970, but...
  - Originally focused on data recovery
  - Late 1980s - Norton & Mace Utilities provided “Unformat, Undelete.”
- Early days were marked by:
  - Diversity — Hardware, Software & Application
  - Proliferation of file formats
  - Heavy reliance on time-sharing and centralized computing
  - Absence of formal process, tools & training
- Forensics of end-user systems was hard, but it didn't matter much
  - Most of the data was stored on centralized computers.
  - Experts were available to assist with investigations.
  - There wasn't much demand!

Source: Simson Garfinkel's slides for his paper “Digital Forensics Research: The Next 10 Years”

Brief History of Digital Forensics (Cont'd)
- Until 1993, laws defining computer crimes did not exist
- Analogies between existing law and cyber crime were incomplete and often flawed
- Crimes that have proliferated because of computers:
  - Child pornography, Child abuse & bullying, Financial fraud, Identity theft, Coordinated drug activity
- Digital forensics crisis
  1. Dramatically increased costs of extraction and analysis
     - Huge storage, non-removable flash, proliferation of operating systems and file formats, multiple devices and services with important data
  2. Encryption and cloud computing
     - Pervasive encryption, end-user systems don't have the data (i.e., on the cloud), RAM-based malware, and new legal challenges
  3. Mobile phones
     - Bit-copies can no longer be the gold standard, difficult to validate tools against thousands of phones or millions of apps, no standard extraction protocols.
  4. RAM and hardware forensics is really hard
     - Malware can hide in many places: disk, BIOS, firmware, RAID controllers, GPU, motherboard...
  5. Tools and training simply can't keep up!

Source: Simson Garfinkel's slides for his paper “Digital Forensics Research: The Next 10 Years”

Relationship with other Digital Forensics Fields
- Digital forensics is divided into:
  - Computer forensics, memory forensics, mobile device forensics, database forensics, network forensics, IoT forensics, ...
- Digital forensics involves data retrieved from a suspect's:
  - Hard drive
  - Other storage media: Cell phones, Flash drives, Cloud services, Cars, Thermostats, Smart speakers, IoT devices, ...
  - Note that data might be hidden, encrypted, fragmented, deleted, outside the normal file structure
- Digital forensics involves figuring out what happened, when, and who was responsible
- Computer forensics (sometimes called host-based forensics) is a digital forensic discipline dedicated to the collection of computer evidence for judicial purposes
- Computer forensics involves preservation, identification, extraction, documentation and interpretation of data
  - Must be able to show proof
- Network forensics is related to monitoring and analyzing network traffic for the purpose of information gathering, legal evidence, or intrusion detection, and involves (OSCAR)
  - Obtaining information about the incident
  - Strategizing the planning of the investigation
    - Acquisition is prioritized according to the volatility of the sources, their potential value to the investigation and the effort needed to get them
  - Collecting evidence which involves documenting, capturing (packets, logs, ...), and storing/transporting the evidence (chain of custody)
  - Analyzing the collected evidence
  - Reporting the findings to proper client (e.g., managers, judges, etc.)

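The Collect step above asks for documentation that survives storage and transport. The following is an added example, not part of the original slides: one common way to make a custody record tamper-evident by hashing each evidence item at acquisition and chaining the log entries. The item IDs, handler names, timestamps and evidence bytes are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict) -> str:
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record(log: list, item_id: str, action: str, handler: str, when: str, evidence: bytes) -> dict:
    """Append an entry that commits to the evidence bytes and to the previous entry."""
    entry = {"item_id": item_id, "action": action, "handler": handler, "time": when,
             "evidence_sha256": sha256_hex(evidence),
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify(log: list, evidence_now: dict) -> list:
    """Return findings; an empty list means the record is intact and the evidence unchanged."""
    findings, prev, acquired = [], GENESIS, {}
    for i, e in enumerate(log):
        if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
            findings.append(f"entry {i}: custody record modified or reordered")
        prev = e["entry_hash"]
        first = acquired.setdefault(e["item_id"], e["evidence_sha256"])
        if e["evidence_sha256"] != first:
            findings.append(f"entry {i}: {e['item_id']} hash differs from acquisition")
    for item_id, digest in acquired.items():
        if item_id not in evidence_now:
            findings.append(f"{item_id}: evidence missing")
        elif sha256_hex(evidence_now[item_id]) != digest:
            findings.append(f"{item_id}: evidence no longer matches acquisition hash")
    return findings

def demo():
    # Constructed stand-ins for a packet capture and an exported log file.
    pcap = b"\xd4\xc3\xb2\xa1constructed-capture"
    syslog = b"Mar  3 02:10:00 srv1 sshd[1]: constructed line\n"
    log = []
    record(log, "E001-pcap", "acquired", "analyst A", "2024-03-03T09:00Z", pcap)
    record(log, "E002-syslog", "acquired", "analyst A", "2024-03-03T09:05Z", syslog)
    record(log, "E001-pcap", "transferred", "analyst B", "2024-03-03T14:00Z", pcap)
    clean = verify(log, {"E001-pcap": pcap, "E002-syslog": syslog})
    altered_file = verify(log, {"E001-pcap": pcap + b"\x00", "E002-syslog": syslog})
    log[1]["handler"] = "someone else"  # paperwork edited after the fact
    altered_log = verify(log, {"E001-pcap": pcap, "E002-syslog": syslog})
    return clean, altered_file, altered_log

if __name__ == "__main__":
    for label, result in zip(("clean", "altered file", "altered log"), demo()):
        print(label, "->", result or "no findings")
```

The chain only proves integrity if the latest `entry_hash` is also kept somewhere the evidence handler cannot rewrite, such as a signed report or a witness's notes.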
Relationship with other Digital Forensics Fields (Cont'd)
- Network and computer forensics complement each other
  - Adversaries may hide and remain invisible to computer forensics, but once they need to communicate, they are seen on the network
  - Likewise, network forensics cannot tell what happened with the packet data on the communicating hosts (e.g., which processes sent/received the packets, what they did with it, etc.)
- Memory forensics complements network and computer forensics by
  - Allowing the recovery of keys of network connections or keys of the hard drive encryption
  - Helping to discover if network interfaces have been put into promiscuous mode for capturing network traffic, or it may find traces of previously used network connections in parts of the memory that have been freed but not yet overwritten

Real-World Incidents of Cyber Crimes (1)

1. Sending unauthorized email from a government organization director's account
- Computer consultant received a call from the organization's system administrator indicating that “Someone is sending email from our Director's account”
- Consultant collected a few details to understand the situation
  - Email setup had a single Microsoft Exchange Server accessed within the office by users on individual desktops
  - Remote email capability was provided via Outlook Web Access (OWA)
  - Director's assistant had access to the email account, as did the two system administrators
- Consultant drafted a plan to determine how this incident might have occurred
  - Determine the origin of the email
  - System administrator provided the time/date stamp from an email purportedly sent from the Director's account
- Consultant determined from the computer's event logs that the Director's desktop computer was powered off when email was sent
- Next, he examined OWA logs and determined a remote computer did connect at that time, and it was the Director's home computer!
- Director provided his home computer for analysis. It did not contain evidence of being compromised
- Further information was disclosed. The email was sent from the Director's account to a co-worker, and it was personal and sensitive!
- It turned out a member of the Director's family sent the email!
- Incident had gone from a compromised email account to a personal matter!
- Importance of example:
  - Indicative of the thorny issues that can be encountered during an incident
  - The overriding factor was political in nature; when the details were discovered, the investigation was terminated!
  - As an investigator, it is important to understand that the technical investigation is only one of many factors affecting response!

Real-World Incidents of Cyber Crimes (2)

2. PathStar Conspiracy
- In January 2000, H. Lin, K. Xu, and Y.Q. Cheng founded ComTriad Technologies, a startup company in New Jersey (USA)
- Their product was a switch that integrated voice and data on IP networks. After demonstrating it to Datang Telecom Tech. Company (China) they received funding & agreed to a joint venture in Beijing
- Lin and Xu were also employees of Lucent and Cheng was a contractor at Lucent, and they worked on Lucent's PathStar project, developing a switch that integrates voice and data on IP networks!
- The government's indictment against the trio alleges that the demonstration of technology to Datang was a demonstration of the PathStar Access Server from Lucent
- Investigators found Lucent's PathStar source code on the ComTriad web server
- Much of the technical investigation focused on proving that the PathStar source code was on ComTriad systems

Real-World Incidents of Cyber Crimes (3)

3. Hospital Laptop Goes Missing
- Doctor reports that a laptop has been stolen from her hospital office
- The computer is password-protected, but the hard drive is not encrypted
- Upon initial questioning, the doctor says that the laptop may contain copies of sensitive info
  - Patient lab results, schedules that include patient names, birth dates, and IDs, notes regarding patient visits, and diagnoses
- Ramifications:
  - Since the hospital is regulated by the United States' laws, it would be required to notify patients whose protected health info was breached, and if the breach is large enough, it would also be required to notify the media
  - Could cause significant damage to the hospital's reputation, and cause financial loss if the hospital were held liable for any damages caused by the breach
- Investigative team needed answers to the following questions:
  1. Precisely when did the laptop go missing?
  2. Can we track down the laptop and recover it?
  3. Which patient data was on the laptop?
  4. How many individuals' data was affected?
  5. Did the thief leverage doctor's credentials to gain access to hospital's network?
- Investigators began by trying to determine the time when the laptop was stolen, and if it was used to connect to the hospital network after the theft and, if so, the location that it connected from
  - Helped establish an outer bound on what data could have been stored on it
  - Provided starting point for searching physical surveillance footage & access logs
- Leveraging wireless access point logs, the investigative team was able to pinpoint the time of the theft and track the laptop through the facility out to a visitor parking garage
- Parking garage cameras provided a low-fidelity image of the attacker, and investigators correlated this with gate video of the car itself as it left the lot with two occupants
- The video was handed to the police, who were able to track the license plate, and the laptop was eventually recovered
- Investigators reviewed VPN logs and operating system logs stored on the central logging server and found no evidence that the laptop was used to attempt any further access to hospital IT resources
- Hard drive analysis of the recovered laptop showed no indication that the system had been turned on after the theft
- After consultation with legal counsel, hospital management concluded that patient data had ultimately not been leaked
- In response to the incident, the hospital implemented full-disk encryption for all laptop hard drives, and deployed physical laptop locking mechanisms

Real-World Incidents of Cyber Crimes (4)

4. Hacked Government Server
- During a routine antivirus scan, a government system administrator was alerted to suspicious files on a server. The files appeared to be part of a well-known rootkit
- Server didn't host any confidential data other than password hashes
- However, there were other systems on the local subnet that contained sensitive information of thousands of state residents who had filed for unemployment assistance
- The administrative account usernames and passwords were the same for all servers on the local subnet
- Ramifications:
  - State laws required the government to notify any individuals whose sensitive info was breached
  - If the servers containing this sensitive info were hacked, the state might be required to spend large amounts of money to send out notifications, set up hotlines for affected individuals, and engage in any resulting lawsuits
  - Disclosure of a breach can damage careers of high-ranking elected state officials
- Investigative team needed answers to the following questions:
  1. Was the server in question truly compromised?
  2. If so, how was the system exploited?
  3. Were any other systems on the local network compromised?
  4. Was any confidential information exported?
- The server in question appeared to contain files with names that fit the pattern for a well-known rootkit
- Investigators began by examining these files and concluded that they were malicious software
- The rootkit files were found in the home directory of an old local administrator account that staff had forgotten even existed
- Investigators found that the local authentication logs had been deleted.
- Fortunately, all servers on the subnet were configured to send logs to a central logging server
- Alternatively, investigators reviewed Secure Shell (SSH) logs from the central logging server that were associated with the account
- From the SSH logs, it was clear that the account had been the target of a brute-force password-guessing attack
- Investigators used visualization tools to identify the times that there were major spikes in the volume of authentication attempts
- A password audit revealed that the account's password was very weak, and SSH logs showed the source of the attack was in Brazil
- IT staff were surprised because based on network documentation the perimeter firewall was supposed to be configured to block external access to SSH port
- Investigators gathered copies of the current, active firewall configuration and found that it did not match the documented policy
- Subsequently, investigators analyzed firewall logs and found entries that corroborated the findings from the SSH logs
- IT staff were concerned that the attacker might have used stolen account credentials to access other systems on the local subnet
- Fortunately, further analysis of the server hard drive indicated that the attacker's access was short-lived
- Antivirus scan had alerted on the suspicious files shortly after they were created
- Investigators analyzed authentication logs for all systems on local subnet and found no other suspicious access to the other servers
- Furthermore, there were no records of logins using the hacked account on any other servers
- Extensive analysis of the firewall logs showed no suspicious data exportation from any servers on the local subnet
- Investigators concluded that the server under investigation was compromised but that no other systems on local subnet had been exploited, and no personal information had been breached
- To protect against future incidents, the IT staff corrected the errors in the firewall configuration, implemented a policy in which firewall rules were audited at least twice per year, and established a policy of auditing all server accounts on a quarterly basis

What Skills you need for Comp & Net Forensics?
- Ethics
- Law, especially rules of evidence
- File system and operating system (OS)
  - How a computer saves a file to disk
  - What happens when you delete a file?
    - Data is not changed; OS indicates that clusters used by file can be reused
- Understanding Data
  - Hex editor, Binary analysis
- Basic OS-level commands are useful and critical
- Encryption methods
- Forensic software such as Disk Image Backup Software, Search & Recovery Utilities, File Viewing Utilities, Cracking Software, Archive & Compression Utilities

Comp & Net Forensics as a Profession
- Forensics investigator or analyst works with law enforcement agencies as well as private firms to retrieve digital evidence of cyber crimes
- Global digital forensics market size is expected to reach $11.0 billion by 2023, rising at a market growth of 15.8% compound annual growth rate during the forecast period
- Scope and coverage of digital forensics

Source: kbv research's Global Digital Forensics Market

Job duties include:
- Recovering and examining digital evidence from electronic devices
- When a device is damaged, the analyst must dismantle and rebuild the system in order to recover lost digital evidence
- Writing up technical reports detailing how the digital evidence was discovered and all the steps taken during the retrieval process
- Giving testimony in court regarding the digital evidence collected
- Keeping current on new methodologies and forensic technology
- Training law enforcement officers on proper procedure regarding digital evidence

What jobs can you get with a forensics degree?
- Computer Forensics Investigator
- Computer Forensics Analyst
- Computer Forensics Examiner
- Mobile Forensics Expert
- Malware Analyst
- Computer Crime Investigator
- Information Security Analyst
- Information Systems Security Analyst
- Information Technology Auditor
- Disaster Recovery Expert
- Security Consultant
- ...

Best digital forensics certifications (based on searching popular online job boards)
- ACE – AccessData Certified Examiner (vendor-specific)
- CFCE – Certified Forensic Computer Examiner
- CHFI – Computer Hacking Forensic Investigator
- EnCE – EnCase Certified Examiner (vendor-specific)
- GCFE – GIAC* Certified Forensic Examiner
- GCFA – GIAC* Certified Forensic Analyst

Other notable digital forensics certifications
- CSFA – CyberSecurity Forensic Analyst
- CCE – Certified Computer Examiner
- PCI – Professional Certified Investigator
- CPP – Certified Protection Professional

* Global Information Assurance Certification
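
The SSH log review in incident 4 (spikes in authentication attempts, then a login on a weak account) can be reproduced with a few lines of analysis. This is an added example, not part of the original slides; the log lines, host name, account names and documentation-range addresses are constructed, and the thresholds are assumptions an analyst would tune.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def build_sample():
    """Constructed sshd lines (not from the case), as a central log server might hold them."""
    fmt = "Mar  3 {} srv1 sshd[4242]: {} password for {} from {} port 50000 ssh2"
    lines = [fmt.format("01:15:02", "Failed", "alice", "198.51.100.4"),    # a user typo
             fmt.format("01:15:09", "Accepted", "alice", "198.51.100.4")]
    start = datetime(2024, 3, 3, 2, 10, 0)
    for i in range(40):  # one guess every 2 seconds against a forgotten account
        t = start + timedelta(seconds=2 * i)
        lines.append(fmt.format(t.strftime("%H:%M:%S"), "Failed", "oldadmin", "203.0.113.7"))
    lines.append(fmt.format("02:11:30", "Accepted", "oldadmin", "203.0.113.7"))
    lines.append("Mar  3 02:12:00 srv1 CRON[99]: session opened")  # unrelated noise
    return lines

def parse(lines, year):
    """Syslog timestamps carry no year, so the analyst supplies it."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        stamp = f"{year} " + " ".join(m["ts"].split())
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)

def failure_spikes(events, per_minute_threshold=10):
    """Minutes whose failed-login volume reaches the threshold."""
    per_minute = Counter(ts.replace(second=0) for ts, res, _, _ in events if res == "Failed")
    return {minute: n for minute, n in sorted(per_minute.items()) if n >= per_minute_threshold}

def guessed_logins(events, min_failures=5):
    """Successful logins preceded by many failures for the same account and source."""
    failures, hits = Counter(), []
    for ts, res, user, src in events:
        if res == "Failed":
            failures[(user, src)] += 1
        elif failures[(user, src)] >= min_failures:
            hits.append((user, src, failures[(user, src)], ts))
    return hits

if __name__ == "__main__":
    events = parse(build_sample(), year=2024)
    for minute, n in failure_spikes(events).items():
        print(f"spike {minute:%Y-%m-%d %H:%M} failures={n}")
    for user, src, n, ts in guessed_logins(events):
        print(f"{ts} login as {user} from {src} after {n} failures")
```

The success-after-failures check is what separates a noisy scan from a compromise: the single mistyped password for `alice` is ignored, while the login that follows 40 failures is reported with its source address for correlation against firewall logs.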