King Fahd University Of Petroleum & Minerals Computer Forensics Lectures 05-07 PDF

Summary

These lecture slides from King Fahd University of Petroleum & Minerals cover computer forensics topics, including the investigation of cybercrimes, incident response processes, and the handling of digital evidence. The provided content is focused on computer science.

Full Transcript

King Fahd University of Petroleum & Minerals
College of Computer Sciences & Engineering

SEC524 Computer and Network
Forensics

Lectures 05 – 07
Conducting Cyber Crime
Investigations
These slides are based on:
Digital evidence and computer crime: Forensic science, computers, and the internet, Eoghan Casey

Incident response & computer forensics, Jason Luttgens et al. (Ch. 2-4)
 Outline

Process Models
Incident Response Process
Handling a Cyber Crime Scene
Investigative Reconstruction with Digital Evidence
Digital Evidence as Alibi

2
 Process Models

Motivations:
Framework for training and directing research
Benchmarking performance against generally accepted practice
Refine our understanding of what is required to complete a
successful investigation in a way that is independent of a technology
Encourages a complete investigation, ensures proper
evidence handling, and reduces the chance of mistakes
Useful for the developing case management tools, Standard
Operating Procedures (SOPs), and investigative reports
Can have limitations
Important to be familiar with the various process models and the
extent to which they apply to a given situation

3
 Process Models (Cntd)

Process model basis: preparation, identification,
preservation, examination & analysis, and presentation

4
 Process Models (Cntd)

Preparation: Generating a plan of action to conduct an
investigation, and obtain supporting resources & materials
Survey/Identification: Finding potential sources of evidence
(e.g., at crime scene, within organization, on Internet)
Preservation: Preventing evidence changes (isolate system
on network, secure log files, collect volatile data...)
Examination & Analysis: Searching & interpreting evidence
Examination: Process of extracting and viewing information from the
evidence and making it available for analysis
Analysis: Application of scientific methods & critical thinking to
answer the questions: who, what, where, when, how, why
Presentation: Reporting findings in a manner which satisfies
the context of the investigation (legal, corporate,...)
5
 Process Models (Cntd)

Integrated Digital Investigation Model
Relates the digital investigative process with the more established
investigative process associated with physical crime scenes

6
 Process Models (Cntd)

Staircase Model
Digital investigators, forensic examiners, and attorneys work
together to scale these steps from bottom to top

7
 Process Models (Cntd)

Evidence Flow Model
Incorporates nontechnical aspects of a digital investigation

8
 Process Models (Cntd)

Subphase Model
Creates a multitiered framework, taking the steps common in other
models and adding subphases with defined objectives
Top-level steps used are preparation, incident response, data
collection, data analysis, findings presentation, and incident closure
Each of the top-level steps have objectives-based subphases
For example, the data analysis step has 3 subphases: survey, extract, examine
This approach could lead to greater consistency and standardization
in how digital investigations are conducted
However, this framework attempts to combine steps that are
generally treated separately in other process models without
explaining the rationale for doing so

9
 Process Models (Cntd)

Roles and Responsibilities Model
Goal of this framework is to address not just the technical aspects of
a digital investigation but also the legal and managerial issues

10
 Incident Response Process

What is a computer security incident?
Any unlawful, unauthorized, or unacceptable action that involves a
computer system or a computer network
Theft of trade secrets
Email spam or harassment
Unauthorized or unlawful intrusions into computing systems
Embezzlement
Possession or dissemination of child pornography
Denial-of-service (DoS) attacks
Tortious interference of business relations
Extortion
Any unlawful action when the evidence of such action may be stored on
computer media such as fraud, threats, and traditional crimes
Many of these events include violations of public law, and they may
be actionable in criminal or civil proceedings
Several of these events have a grave impact on an organization’s
reputation and its business operations
11
 Incident Response Process (Cntd)

What are the Goals of Incident Response?
Prevent disjointed, noncohesive response (which can be disastrous)
Confirm or dispel whether an incident occurred
Promote accumulation of accurate information
Establish controls for proper retrieval and handling of evidence
Protect privacy rights established by law and policy
Minimize disruption to business and network operations
Allow for criminal or civil action against perpetrators
Provide accurate reports and useful recommendations
Provide rapid detection and containment
Minimize exposure and compromise of proprietary data
Protect your organization’s reputation and assets
Educate senior management
Promote rapid detection & prevention of such incidents in the future
12
 Incident Response Process (Cntd)

Who Should be Involved in the Incident Response Process?
Incident response is a multifaceted discipline

Requires resources from several operational units of an organization
Human resources personnel, legal counsel, technical experts, security
professionals, corporate security officers, business managers, end users,
helpdesk workers, and other employees

Most organizations establish a multidisciplined team of individuals
referred to as Computer Security Incident Response Team (CSIRT)

13
 Incident Response Process (Cntd)

How to handle an incident? – Incident Response Process

14
 Incident Response Process (Cntd)

Incident Response Process (Cntd)
1. Pre-incident Preparation: Take actions to prepare the organization
and CSIRT Cyb. Sec. Inc. Res. Team before an incident occurs
2. Detection of Incident: Identify a potential computer security
incident
3. Initial Response: Perform an initial investigation
Record the basic details surrounding the incident
Assemble the incident response team
Notifying the individuals who need to know about the incident
4. Formulate Response Strategy: Based on the results of all the
known facts, determine the best response & obtain management
approval
Determine what civil, criminal, administrative, or other actions are appropriate to
take, based on the conclusions drawn from the investigation

15
 Incident Response Process (Cntd)

Incident Response Process (Cntd)
5. Investigate the Incident: Perform a thorough collection of data,
and review the data collected to determine:
What happened
When it happened
Who did it
How it can be prevented in the future
6. Reporting: Accurately report information about the investigation in
a manner useful to decision makers
7. Resolution: Employ security measures and procedural changes,
record lessons learned, and develop long-term fixes for any
problems identified

16
 Incident Response Process (Cntd)

1. Pre-incident Preparation
Organization needs to prepare the organization itself as a whole and
CSIRT members, prior to responding to a computer security incident

Incident response is reactive in nature, and the pre-incident
preparation comprises the only proactive measure CSIRT can
initiate to ensure that an organization’s assets & info are protected

Preparing the organization involves:
Implementing host-based security measures
Implementing network-based security measures
Training end users
Employing an intrusion detection system (IDS)
Creating strong access control
Performing timely vulnerability assessments
Ensuring backups are performed on a regular basis
17
 Incident Response Process (Cntd)

1. Pre-incident Preparation (Cntd)
Preparing CSIRT involves considering:
Hardware needed to investigate computer security incidents

Software needed to investigate computer security incidents

Documentation, such as forms and reports, needed to investigate computer
security incidents

Appropriate policies/operating procedures to implement the response strategies

Training your staff or employees require to perform incident response in a
manner that promotes successful forensics, investigations, and remediation

18
 Incident Response Process (Cntd)

2. Detection of Incident
One of the most important aspects of incident response
One of the most decentralized phases, in which those with
incident response expertise have the least control
Normally identified when someone suspects that an unauthorized,
unacceptable, or unlawful event has occurred
Reported by an end user (through immediate supervisor, corporate help desk, or
an incident hotline managed by the Information Security entity), detected by a
system administrator, identified by IDS alerts, or discovered by other means
It is paramount to record all the known details
Use an initial response checklist to make sure you record the pertinent facts
Initial response checklist should account for many details such as current time
and date, who/what reported the incident, nature of the incident, when the
incident occurred, hardware/software involved, etc.
After completing the checklist, CSIRT must be activated who will use
the checklist info to begin the next phase (i.e., Initial Response)
19
 Incident Response Process (Cntd)

2. Detection of Incident (Cntd)

20
 Incident Response Process (Cntd)

3. Initial Response
Obtain enough information to determine an appropriate response
Involves assembling CSIRT, collecting network-based and other data,
determining the incident type, and assessing the incident impact
Gather enough information to begin the next phase (i.e., formulate
response strategy)
This phase helps in documenting the steps that must be taken
Prevents panic when an incident is detected, allowing the organization to
implement a methodical approach during a stressful situation
This phase doesn't involve touching affected system(s); it involves:
Interviewing system admin. who may have insight into tech. details of incident
Interviewing business unit personnel who may have insight into business events
that may provide a context for the incident
Reviewing intrusion detection reports and network-based logs to identify data
that would support that an incident has occurred
Reviewing the network topology and access control lists to determine if any
avenues of attack can be ruled out
21
 Incident Response Process (Cntd)

3. Initial Response (Cntd)
At a minimum, the team must verify:
An incident has actually occurred
Which systems are directly or indirectly affected
Which users are involved
Potential business impact

It may be necessary to initiate network monitoring at this stage,
simply to confirm an incident is occurring

22
 Incident Response Process (Cntd)

4. Formulate Response Strategy
Goal is to determine the most appropriate response strategy, given
the circumstances of the incident
Strategy should take into consideration the political, technical, legal,
and business factors that surround the incident
Consider the following factors when deciding how many resources
are needed to investigate an incident, whether to create a forensic
duplication of relevant systems, whether to make a criminal referral,
whether to pursue civil litigation, and other aspects of your strategy:
How critical are the affected systems?
How sensitive is the compromised or stolen information?
Who are the potential perpetrators?
Is the incident known to the public?
What is the level of unauthorized access attained by the attacker?
What is the apparent skill of the attacker?
How much system and user downtime is involved?
23 What is the overall monetary loss?
 Incident Response Process (Cntd)

4. Formulate Response Strategy (Cntd)
Details obtained during the initial response can be critical when
choosing a response strategy
For example, a DoS attack originating from a university may be handled much
differently from how a similar DoS attack originating from a competitor is handled

Before the response strategy is chosen, it may become necessary to
reinvestigate details of the incident

Other than the details of the incident, the organization’s response
posture plays a large role in determining the response strategy
Response posture is your capacity to respond, determined by the technical
resources, political considerations, legal constraints, and business objectives

24
 Incident Response Process (Cntd)

4. Formulate Response Strategy (Cntd)
Samples of common situations with response strategies and potential
outcomes

25
 Incident Response Process (Cntd)

5. Investigate the Incident
Involves determining the who, what, when, where, how, and why
surrounding an incident
Review host-based evidence, network-based evidence, and evidence
gathered via traditional and nontechnical investigative steps
Establishing the identity of the party responsible for the incident on a
network is becoming increasingly difficult
Users are becoming more adept at using encryption, steganography, anonymous
email accounts, fakemail, spoofed IP addresses, spoofed MAC addresses,...
Since establishing identity can be less of a concern to the victim than the things
damaged, many organizations choose to focus solely on what was damaged, how
it was damaged, and how to fix it
Investigation can be divided into two phases:
Data Collection: Gather all the relevant information needed to resolve the incident
in a manner that meets your response strategy
Forensic Analysis: Examine all the data collected to determine the who, what,
when, where, and how information relevant to the incident
26
 Incident Response Process (Cntd)

5. Investigate the Incident (Cntd)

27
 Incident Response Process (Cntd)

5. Investigate the Incident (Cntd)
Data Collection involves several unique forensic challenges:
You must collect electronic data in a forensically sound manner

You are often collecting more data than you can read in your lifetime
Computer storage capacity continues to grow

You must handle the data you collect in a manner that protects its integrity
Evidence handling

28
 Incident Response Process (Cntd)

5. Investigate the Incident (Cntd)
Data collected can be divided into three fundamental areas:
1. Host-based information – Involves gathering info using two different manners:
live data collection and forensic duplication
Live data collection records system date and time, applications currently running on the system,
currently established network connections, currently open sockets (ports), applications listening on the
open sockets, state of the network interface (promiscuous or not)
Forensic duplication is used if the incident is severe or material has been deleted, and it provides a
“mirror image” of the target system, which shows due diligence when handling critical incidents
Forensic duplication provides a means to have working copies of the target media for analysis without
worrying about altering or destroying potential evidence
2. Network-based information – Includes information obtained from:
IDS logs
Consensual monitoring logs
Nonconsensual wiretaps
Pen-register/trap and traces
Router logs
Firewall logs
Authentication servers
3. Other information – Involves testimony and other information obtained from
people using more traditional investigative techniques (i.e., nontechnical means)
29
 Incident Response Process (Cntd)

5. Investigate the Incident (Cntd)
Forensic Analysis involves reviewing all the data collected including:
Log files, system configuration files, trust relationships, web browser history files,
email messages and their attachments, installed applications, and graphic files

Perform software analysis, review time/date stamps, perform
keyword searches, and take any other necessary investigative steps

Includes also performing more low-level tasks, such as looking
through information that has been logically deleted from the system
to determine if deleted files, slack space, or free space contain data
fragments or entire files that may be useful to the investigation

30
 Incident Response Process (Cntd)

5. Investigate the Incident (Cntd)

31
 Incident Response Process (Cntd)

6. Reporting
Reports must:
1. Accurately describe the incident details
2. Be understandable to decision makers
3. Withstand the barrage of legal scrutiny
4. Be produced in a timely manner
Report writing guidelines:
Document immediately: All investigative steps and conclusions need to be clearly
and concisely documented as soon as possible
Write concisely and clearly: Discourage shorthand or shortcuts, vague notations,
incomplete scribbling, and other unclear documentation
Use a standard format: Develop a format for your reports and stick to it as this
makes report writing scalable, saves time, and promotes accuracy
Use technical editors: This helps develop reports that are comprehensible to
nontechnical personnel. You still need to review the final report prior to
submission as editors can inadvertently change the meaning of critical information
32
 Incident Response Process (Cntd)

7. Resolution
Implement host-based, network-based, and procedural
countermeasures to prevent an incident from causing more damage
and to return the organization to a secure, healthy operational status
Contain, solve, and take steps to prevent the problem from occurring again

If you are collecting evidence for civil, criminal, or administrative
action, then collect all evidence before you begin to implement any
security measures that would alter the evidence obtained

33
 Incident Response Process (Cntd)

7. Resolution (Cntd)
The following steps are often taken to resolve an incident:
1. Identify your organization’s top priorities (returning all systems to operational
status, ensuring data integrity, containing the impact of the incident, collecting
evidence, or avoiding public disclosure)
2. Determine the nature of the incident in enough detail to identify what host-
based and network-based remedies are required to address it
3. Determine if there are underlying or systemic causes for the incident that need
to be addressed (lack of standards, noncompliance with standards, and so on)
4. Restore any affected or compromised systems (may need to rely on a prior
version of the data, server platform software, or application software)
5. Apply corrections required to address any host-based vulnerabilities
6. Apply network-based countermeasures (e.g., access control lists, firewalls, IDS)
7. Assign responsibility for correcting any systemic issues
8. Track progress on all corrections that are required
9. Validate that all remedial steps or countermeasures are effective
10. Update security policy/procedures as needed to improve the response process

34
 Handling a Cyber Crime Scene

Computers, mobile devices, and networks should be
considered an extension of the crime scene, even when
they are not directly involved in facilitating the crime
Cyber crime scenes can contain many pieces of evidence
and it is necessary to apply forensic principles to survey,
preserve, and document the entire scene
Published guidelines for handling cyber crime scenes:
Electronic Crime Scene Investigation: A Guide for First Responders
(Department of Justice, USA, 2001)
Best Practices for Seizing Electronic Evidence: A Pocket Guide for
First Responders (Secret Service, USA, 2006)
The Good Practice Guide for Computer Based Evidence (Association
of Chief Police Officers, UK, 2009)
Most mature and practical guideline
35
 Handling a Cyber Crime Scene (Cntd)

Four principles when handling cyber crime scenes:
Principle 1: No action taken by law enforcement agencies or their
agents should change data held on a computer or storage media
which may subsequently be relied upon in court
Principle 2: In circumstances where a person finds it necessary to
access original data held on a computer or on storage media, that
person must be competent to do so and be able to give evidence
explaining the relevance and the implications of their actions
Principle 3: An audit trail or other record of all processes applied to
computer-based electronic evidence should be created and
preserved
An independent third party should be able to examine those processes and
achieve the same result
Principle 4: The person in charge of the investigation (the case
officer) has overall responsibility for ensuring that the law and these
principles are adhered to
36
 Handling a Cyber Crime Scene (Cntd)

Things to consider before approaching the evidence:
Should obtain written authorization before gathering evidence (i.e.,
search is not going to violate any laws or give rise to liability)
Digital investigators are generally authorized to collect and examine
only what is directly pertinent to the investigation
Gather as much information as possible about what will be
encountered at the crime scene
Bring all tools needed (screwdrivers, pliers,...) as well as a camera,
hardware duplicators, boot CDs, data cables, crossover network
cables, and mobile device forensic kits and associated cables
Request passwords and encryption keys from all individuals with
access to the computer systems relevant to the investigation
Preserve the cyber crime scene
Control entry points to cyber crime scenes
Freeze the networked crime scene
37
 Handling a Cyber Crime Scene (Cntd)

38
 Investigative Reconstruction with Digital Evidence

In more complex cases, important questions may remain
unanswered, even after a thorough investigation
There may be no viable suspects, or very limited amount of
evidence (i.e., difficult to prove what they suspect)
It can be fruitful to employ an investigative reconstruction
Systematic process of piecing together evidence and info collected
by investigator to better understand what occurred during the crime
Cyber crime scene evidence contains behavioral imprints
Words used by an offender on the Internet may point to offender
Tools that an offender uses online can be significant, and how an
offender conceals his/her identity and criminal activity can be telling
When investigators collect evidence from a crime scene,
they should concurrently perform some reconstructive tasks
39
 Investigative Reconstruction with Digital Evidence

Basic elements: rough forensic analysis, victimology, crime
scene characteristics
Investigative reconstruction can be useful in the following:
Develop leads and locate additional, possibly concealed, evidence
Develop a “big picture” which can help solve a case and can be
useful for explaining events to decision makers
Focus the investigation by exposing avenues of inquiry
Develop suspects with motive, means, and opportunity
Prioritize investigation of suspects
Establish evidence of insider or intruder knowledge
Anticipate intruder actions and assess potential for escalation
Can prompt investigators to implement safeguards
Carefully link related crimes with the same behavioral imprints
Augment case presentation in court
40
 Investigative Reconstruction with Digital Evidence

Individual pieces of digital data might not be useful on their
own, but patterns may emerge when they are combined

Three forms of reconstruction should be performed when
analyzing evidence to develop a clearer picture of the crime
and see gaps or discrepancies:
Temporal (when): Helps identify sequences and patterns in time of
events
Relational (who, what, where): Components of crime, their
positions, and interactions
Functional (how): What was possible and impossible

41
 Investigative Reconstruction with Digital Evidence

42
 Digital Evidence as Alibi

Alibi is determined by time and/or location
When an individual does anything involving a computer or network,
the time and location are often noted, generating digital evidence
that can be used to support or refute an alibi
In addition, telephone calls, credit card purchases, train ticket
usage, automated toll payments, and ATM transactions are all
supported by computer networks that keep detailed logs of activities
Internet activities, such as when an e-mail message is sent, contain
the time and originating IP address and are noted in headers/logs
Keep in mind that computer times and IP addresses can be
manipulated, allowing a criminal to create a false alibi
Investigators should not rely on one piece of digital evidence when
examining an alibi—they should look for an associated cybertrail

43
 Digital Evidence as Alibi (Cntd)

First step in investigating an alibi is to assess the reliability
of the info on the computers and networks involved
Some computers are configured to synchronize their clocks with
very accurate time sources and make a log of any discrepancies
Other computers allow anyone to change their clocks and do not
keep logs of time changes
Some computer networks control and monitor which computers are
assigned specific IP addresses using protocols like BOOTP and DHCP
Other networks do not strictly control IP address assignments,
allowing anyone to change the IP address on a computer
Interviewing several individuals who are familiar with the
computer or network involved will be sufficient to determine
if an alibi is solid

44
 Digital Evidence as Alibi (Cntd)

When an obscure piece of equipment is involved, it might
be necessary to perform extensive research
Reading through documentation, searching the Internet, contacting
manufacturers with questions about how their product works
Aim of this research is to determine the reliability of the alibi
If the actions above cannot be performed, recreation of the
events surrounding the alibi become necessary
Difficult to fabricate an alibi on a network because a person
rarely can falsify an alibi on all the involved computers
Most challenging situations arise when investigators cannot
find any evidence to support or refute an alibi
Absence of evidence is not evidence of absence
However, alibi is severely weakened by a lack of expected evidence
45