SEC524-L05-L07-Conducting Cyber Crime Investigations.pdf
Slide 1: King Fahd University of Petroleum & Minerals, College of Computer Sciences & Engineering
SEC524 Computer and Network Forensics
Lectures 05 – 07: Conducting Cyber Crime Investigations
These slides are based on:
- Digital evidence and computer crime: Forensic science, computers, and the internet, Eoghan Casey
- Incident response & computer forensics, Jason Luttgens et al. (Ch. 2-4)

Slide 2: Outline
- Process Models
- Incident Response Process
- Handling a Cyber Crime Scene
- Investigative Reconstruction with Digital Evidence
- Digital Evidence as Alibi

Slide 3: Process Models
- Motivations:
  - Framework for training and directing research
  - Benchmarking performance against generally accepted practice
  - Refine our understanding of what is required to complete a successful investigation in a way that is independent of a technology
  - Encourages a complete investigation, ensures proper evidence handling, and reduces the chance of mistakes
  - Useful for developing case management tools, Standard Operating Procedures (SOPs), and investigative reports
- Can have limitations
- Important to be familiar with the various process models and the extent to which they apply to a given situation

Slide 4: Process Models (Cntd)
- Process model basis: preparation, identification, preservation, examination & analysis, and presentation

Slide 5: Process Models (Cntd)
- Preparation: Generating a plan of action to conduct an investigation, and obtaining supporting resources & materials
- Survey/Identification: Finding potential sources of evidence (e.g., at the crime scene, within the organization, on the Internet)
- Preservation: Preventing evidence changes (isolate the system on the network, secure log files, collect volatile data, ...)
- Examination & Analysis: Searching for & interpreting evidence
  - Examination: Process of extracting and viewing information from the evidence and making it available for analysis
  - Analysis: Application of scientific methods & critical thinking to answer the questions: who, what, where, when, how, why
- Presentation: Reporting findings in a manner which satisfies the context of the investigation (legal, corporate, ...)

Slide 6: Process Models (Cntd) – Integrated Digital Investigation Model
- Relates the digital investigative process to the more established investigative process associated with physical crime scenes

Slide 7: Process Models (Cntd) – Staircase Model
- Digital investigators, forensic examiners, and attorneys work together to scale these steps from bottom to top

Slide 8: Process Models (Cntd) – Evidence Flow Model
- Incorporates nontechnical aspects of a digital investigation

Slide 9: Process Models (Cntd) – Subphase Model
- Creates a multitiered framework, taking the steps common in other models and adding subphases with defined objectives
- Top-level steps used are preparation, incident response, data collection, data analysis, findings presentation, and incident closure
- Each of the top-level steps has objectives-based subphases
  - For example, the data analysis step has 3 subphases: survey, extract, examine
- This approach could lead to greater consistency and standardization in how digital investigations are conducted
- However, this framework attempts to combine steps that are generally treated separately in other process models without explaining the rationale for doing so

Slide 10: Process Models (Cntd) – Roles and Responsibilities Model
- Goal of this framework is to address not just the technical aspects of a digital investigation but also the legal and managerial issues

Slide 11: Incident Response Process – What is a computer security incident?
- Any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network:
  - Theft of trade secrets
  - Email spam or harassment
  - Unauthorized or unlawful intrusions into computing systems
  - Embezzlement
  - Possession or dissemination of child pornography
  - Denial-of-service (DoS) attacks
  - Tortious interference of business relations
  - Extortion
  - Any unlawful action when the evidence of such action may be stored on computer media, such as fraud, threats, and traditional crimes
- Many of these events include violations of public law, and they may be actionable in criminal or civil proceedings
- Several of these events have a grave impact on an organization's reputation and its business operations

Slide 12: Incident Response Process (Cntd) – What are the Goals of Incident Response?
- Prevent a disjointed, noncohesive response (which can be disastrous)
- Confirm or dispel whether an incident occurred
- Promote accumulation of accurate information
- Establish controls for proper retrieval and handling of evidence
- Protect privacy rights established by law and policy
- Minimize disruption to business and network operations
- Allow for criminal or civil action against perpetrators
- Provide accurate reports and useful recommendations
- Provide rapid detection and containment
- Minimize exposure and compromise of proprietary data
- Protect your organization's reputation and assets
- Educate senior management
- Promote rapid detection & prevention of such incidents in the future

Slide 13: Incident Response Process (Cntd) – Who Should be Involved in the Incident Response Process?
- Incident response is a multifaceted discipline
- Requires resources from several operational units of an organization: human resources personnel, legal counsel, technical experts, security professionals, corporate security officers, business managers, end users, helpdesk workers, and other employees
- Most organizations establish a multidisciplined team of individuals referred to as a Computer Security Incident Response Team (CSIRT)

Slide 14: Incident Response Process (Cntd) – How to handle an incident? – Incident Response Process
(figure slide; no text extracted)

Slides 15–16: Incident Response Process (Cntd)
1. Pre-incident Preparation: Take actions to prepare the organization and the CSIRT before an incident occurs
2. Detection of Incident: Identify a potential computer security incident
3. Initial Response: Perform an initial investigation
   - Record the basic details surrounding the incident
   - Assemble the incident response team
   - Notify the individuals who need to know about the incident
4. Formulate Response Strategy: Based on the results of all the known facts, determine the best response & obtain management approval
   - Determine what civil, criminal, administrative, or other actions are appropriate to take, based on the conclusions drawn from the investigation
5. Investigate the Incident: Perform a thorough collection of data, and review the data collected to determine:
   - What happened
   - When it happened
   - Who did it
   - How it can be prevented in the future
6. Reporting: Accurately report information about the investigation in a manner useful to decision makers
7. Resolution: Employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified

Slide 17: 1. Pre-incident Preparation
- The organization needs to prepare itself as a whole, and the CSIRT members, prior to responding to a computer security incident
- Incident response is reactive in nature, and pre-incident preparation comprises the only proactive measure the CSIRT can initiate to ensure that an organization's assets & info are protected
- Preparing the organization involves:
  - Implementing host-based security measures
  - Implementing network-based security measures
  - Training end users
  - Employing an intrusion detection system (IDS)
  - Creating strong access control
  - Performing timely vulnerability assessments
  - Ensuring backups are performed on a regular basis

Slide 18: 1. Pre-incident Preparation (Cntd)
- Preparing the CSIRT involves considering:
  - Hardware needed to investigate computer security incidents
  - Software needed to investigate computer security incidents
  - Documentation, such as forms and reports, needed to investigate computer security incidents
  - Appropriate policies/operating procedures to implement the response strategies
  - Training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation

Slide 19: 2. Detection of Incident
- One of the most important aspects of incident response
- One of the most decentralized phases, in which those with incident response expertise have the least control
- Normally identified when someone suspects that an unauthorized, unacceptable, or unlawful event has occurred
- Reported by an end user (through an immediate supervisor, the corporate help desk, or an incident hotline managed by the Information Security entity), detected by a system administrator, identified by IDS alerts, or discovered by other means
- It is paramount to record all the known details
  - Use an initial response checklist to make sure you record the pertinent facts
  - The initial response checklist should account for many details such as the current time and date, who/what reported the incident, the nature of the incident, when the incident occurred, the hardware/software involved, etc.
- After completing the checklist, the CSIRT must be activated; it will use the checklist info to begin the next phase (i.e., Initial Response)

Slide 20: 2. Detection of Incident (Cntd)
(figure slide; no text extracted)

Slide 21: 3. Initial Response
- Obtain enough information to determine an appropriate response
- Involves assembling the CSIRT, collecting network-based and other data, determining the incident type, and assessing the incident impact
- Gather enough information to begin the next phase (i.e., formulate response strategy)
- This phase helps in documenting the steps that must be taken
  - Prevents panic when an incident is detected, allowing the organization to implement a methodical approach during a stressful situation
- This phase doesn't involve touching the affected system(s); it involves:
  - Interviewing system administrators who may have insight into technical details of the incident
  - Interviewing business unit personnel who may have insight into business events that may provide a context for the incident
  - Reviewing intrusion detection reports and network-based logs to identify data that would support that an incident has occurred
  - Reviewing the network topology and access control lists to determine if any avenues of attack can be ruled out

Slide 22: 3. Initial Response (Cntd)
- At a minimum, the team must verify:
  - An incident has actually occurred
  - Which systems are directly or indirectly affected
  - Which users are involved
  - The potential business impact
- It may be necessary to initiate network monitoring at this stage, simply to confirm an incident is occurring

Slide 23: 4. Formulate Response Strategy
- The goal is to determine the most appropriate response strategy, given the circumstances of the incident
- The strategy should take into consideration the political, technical, legal, and business factors that surround the incident
- Consider the following factors when deciding how many resources are needed to investigate an incident, whether to create a forensic duplication of relevant systems, whether to make a criminal referral, whether to pursue civil litigation, and other aspects of your strategy:
  - How critical are the affected systems?
  - How sensitive is the compromised or stolen information?
  - Who are the potential perpetrators?
  - Is the incident known to the public?
  - What is the level of unauthorized access attained by the attacker?
  - What is the apparent skill of the attacker?
  - How much system and user downtime is involved?
  - What is the overall monetary loss?

Slide 24: 4. Formulate Response Strategy (Cntd)
- Details obtained during the initial response can be critical when choosing a response strategy
  - For example, a DoS attack originating from a university may be handled much differently from how a similar DoS attack originating from a competitor is handled
- Before the response strategy is chosen, it may become necessary to reinvestigate details of the incident
- Other than the details of the incident, the organization's response posture plays a large role in determining the response strategy
  - Response posture is your capacity to respond, determined by the technical resources, political considerations, legal constraints, and business objectives

Slide 25: 4. Formulate Response Strategy (Cntd)
- Samples of common situations with response strategies and potential outcomes (table slide; no text extracted)

Slide 26: 5. Investigate the Incident
- Involves determining the who, what, when, where, how, and why surrounding an incident
- Review host-based evidence, network-based evidence, and evidence gathered via traditional and nontechnical investigative steps
- Establishing the identity of the party responsible for the incident on a network is becoming increasingly difficult
  - Users are becoming more adept at using encryption, steganography, anonymous email accounts, fakemail, spoofed IP addresses, spoofed MAC addresses, ...
  - Since establishing identity can be less of a concern to the victim than the things damaged, many organizations choose to focus solely on what was damaged, how it was damaged, and how to fix it
- The investigation can be divided into two phases:
  - Data Collection: Gather all the relevant information needed to resolve the incident in a manner that meets your response strategy
  - Forensic Analysis: Examine all the data collected to determine the who, what, when, where, and how information relevant to the incident

Slide 27: 5. Investigate the Incident (Cntd)
(figure slide; no text extracted)

Slide 28: 5. Investigate the Incident (Cntd)
- Data Collection involves several unique forensic challenges:
  - You must collect electronic data in a forensically sound manner
  - You are often collecting more data than you can read in your lifetime (computer storage capacity continues to grow)
  - You must handle the data you collect in a manner that protects its integrity (evidence handling)

Slide 29: 5. Investigate the Incident (Cntd)
- The data collected can be divided into three fundamental areas:
  1. Host-based information – gathered in two different manners: live data collection and forensic duplication
     - Live data collection records the system date and time, applications currently running on the system, currently established network connections, currently open sockets (ports), applications listening on the open sockets, and the state of the network interface (promiscuous or not)
     - Forensic duplication is used if the incident is severe or material has been deleted; it provides a "mirror image" of the target system, which shows due diligence when handling critical incidents
     - Forensic duplication provides a means to have working copies of the target media for analysis without worrying about altering or destroying potential evidence
  2. Network-based information – includes information obtained from: IDS logs, consensual monitoring logs, nonconsensual wiretaps, pen-register/trap and traces, router logs, firewall logs, and authentication servers
  3. Other information – testimony and other information obtained from people using more traditional investigative techniques (i.e., nontechnical means)
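As an added example (not from the slides or either textbook), the live data collection list above as a small Linux script: it captures the items in the order the slide gives them, reading /proc and /sys with the standard library only, and hashes each artifact at the moment of capture so the manifest doubles as the record of what the collector saw. It assumes a Linux host, and the collector itself is a running process that will appear in its own capture.

```python
"""Live (volatile) data collection on a Linux host: system date/time, running
processes, established connections and listening sockets with the application
that owns them, and whether each network interface is promiscuous.  Each
artifact is hashed as it is captured so later changes are detectable."""
import glob
import hashlib
import json
import os
from datetime import datetime, timezone

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}   # the two states the slide asks for
IFF_PROMISC = 0x100                                   # bit in /sys/class/net/<if>/flags

def decode_addr(hexaddr):
    """'0100007F:0277' as found in /proc/net/tcp -> ('127.0.0.1', 631)."""
    ip_hex, port_hex = hexaddr.split(":")
    # the kernel prints IPv4 addresses as little-endian hex, so reverse the bytes
    ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Established connections and listening sockets from /proc/net/tcp text."""
    sockets = []
    for line in text.splitlines()[1:]:                # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] not in TCP_STATES:
            continue
        local, remote = decode_addr(fields[1]), decode_addr(fields[2])
        sockets.append({"state": TCP_STATES[fields[3]], "local": "%s:%d" % local,
                        "remote": "%s:%d" % remote, "inode": fields[9]})
    return sockets

def is_promiscuous(flags_text):
    """Contents of /sys/class/net/<if>/flags (e.g. '0x1103') -> True if IFF_PROMISC is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def socket_inode_to_pid():
    """Map socket inodes to the PID holding them by reading /proc/<pid>/fd symlinks."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:                               # process exited, or not readable by us
            continue
        if target.startswith("socket:["):
            owners[target[8:-1]] = fd.split("/")[2]
    return owners

def artifact(name, content):
    """One manifest entry: what was collected, when (UTC), and its SHA-256 at capture."""
    data = content if isinstance(content, str) else json.dumps(content, sort_keys=True)
    return {"artifact": name, "captured_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(data.encode()).hexdigest(), "content": content}

def collect():
    """Run the collection; this collector is itself a process and appears in its own capture."""
    manifest = [artifact("system_time", datetime.now(timezone.utc).isoformat())]
    procs = {}
    for comm in glob.glob("/proc/[0-9]*/comm"):
        try:
            with open(comm) as f:
                procs[comm.split("/")[2]] = f.read().strip()
        except OSError:
            continue
    manifest.append(artifact("running_processes", procs))
    with open("/proc/net/tcp") as f:
        sockets = parse_proc_net_tcp(f.read())
    owners = socket_inode_to_pid()
    for s in sockets:                                  # which application owns each socket
        s["pid"] = owners.get(s["inode"], "unknown")
        s["process"] = procs.get(s["pid"], "unknown")
    manifest.append(artifact("tcp_sockets", sockets))
    nics = {}
    for flags in glob.glob("/sys/class/net/*/flags"):
        with open(flags) as f:
            nics[flags.split("/")[4]] = "promiscuous" if is_promiscuous(f.read()) else "normal"
    manifest.append(artifact("interface_state", nics))
    return manifest

if __name__ == "__main__":
    print(json.dumps(collect(), indent=2))
```

Run it as root from removable, write-protected media so the collected manifest, not the suspect host's own tools, is what you rely on; without root, sockets owned by other users show as "unknown".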
Slide 30: 5. Investigate the Incident (Cntd)
- Forensic Analysis involves reviewing all the data collected, including log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications, and graphic files
- Perform software analysis, review time/date stamps, perform keyword searches, and take any other necessary investigative steps
- Also includes performing more low-level tasks, such as looking through information that has been logically deleted from the system to determine if deleted files, slack space, or free space contain data fragments or entire files that may be useful to the investigation

Slide 31: 5. Investigate the Incident (Cntd)
(figure slide; no text extracted)

Slide 32: 6. Reporting
- Reports must:
  1. Accurately describe the incident details
  2. Be understandable to decision makers
  3. Withstand the barrage of legal scrutiny
  4. Be produced in a timely manner
- Report writing guidelines:
  - Document immediately: All investigative steps and conclusions need to be clearly and concisely documented as soon as possible
  - Write concisely and clearly: Discourage shorthand or shortcuts, vague notations, incomplete scribbling, and other unclear documentation
  - Use a standard format: Develop a format for your reports and stick to it, as this makes report writing scalable, saves time, and promotes accuracy
  - Use technical editors: This helps develop reports that are comprehensible to nontechnical personnel. You still need to review the final report prior to submission, as editors can inadvertently change the meaning of critical information

Slide 33: 7. Resolution
- Implement host-based, network-based, and procedural countermeasures to prevent an incident from causing more damage and to return the organization to a secure, healthy operational status
- Contain, solve, and take steps to prevent the problem from occurring again
- If you are collecting evidence for civil, criminal, or administrative action, then collect all evidence before you begin to implement any security measures that would alter the evidence obtained

Slide 34: 7. Resolution (Cntd)
- The following steps are often taken to resolve an incident:
  1. Identify your organization's top priorities (returning all systems to operational status, ensuring data integrity, containing the impact of the incident, collecting evidence, or avoiding public disclosure)
  2. Determine the nature of the incident in enough detail to identify what host-based and network-based remedies are required to address it
  3. Determine if there are underlying or systemic causes for the incident that need to be addressed (lack of standards, noncompliance with standards, and so on)
  4. Restore any affected or compromised systems (may need to rely on a prior version of the data, server platform software, or application software)
  5. Apply corrections required to address any host-based vulnerabilities
  6. Apply network-based countermeasures (e.g., access control lists, firewalls, IDS)
  7. Assign responsibility for correcting any systemic issues
  8. Track progress on all corrections that are required
  9. Validate that all remedial steps or countermeasures are effective
  10. Update security policy/procedures as needed to improve the response process

Slide 35: Handling a Cyber Crime Scene
- Computers, mobile devices, and networks should be considered an extension of the crime scene, even when they are not directly involved in facilitating the crime
- Cyber crime scenes can contain many pieces of evidence, and it is necessary to apply forensic principles to survey, preserve, and document the entire scene
- Published guidelines for handling cyber crime scenes:
  - Electronic Crime Scene Investigation: A Guide for First Responders (Department of Justice, USA, 2001)
  - Best Practices for Seizing Electronic Evidence: A Pocket Guide for First Responders (Secret Service, USA, 2006)
  - The Good Practice Guide for Computer Based Evidence (Association of Chief Police Officers, UK, 2009): the most mature and practical guideline

Slide 36: Handling a Cyber Crime Scene (Cntd)
- Four principles when handling cyber crime scenes:
  - Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court
  - Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions
  - Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved; an independent third party should be able to examine those processes and achieve the same result
  - Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to

Slide 37: Handling a Cyber Crime Scene (Cntd) – Things to consider before approaching the evidence
- Obtain written authorization before gathering evidence (i.e., the search is not going to violate any laws or give rise to liability)
  - Digital investigators are generally authorized to collect and examine only what is directly pertinent to the investigation
- Gather as much information as possible about what will be encountered at the crime scene
- Bring all tools needed (screwdrivers, pliers, ...) as well as a camera, hardware duplicators, boot CDs, data cables, crossover network cables, and mobile device forensic kits and associated cables
- Request passwords and encryption keys from all individuals with access to the computer systems relevant to the investigation
- Preserve the cyber crime scene
  - Control entry points to cyber crime scenes
  - Freeze the networked crime scene

Slide 38: Handling a Cyber Crime Scene (Cntd)
(figure slide; no text extracted)

Slide 39: Investigative Reconstruction with Digital Evidence
- In more complex cases, important questions may remain unanswered, even after a thorough investigation
  - There may be no viable suspects, or a very limited amount of evidence (i.e., it is difficult to prove what investigators suspect)
- It can be fruitful to employ an investigative reconstruction
  - A systematic process of piecing together the evidence and info collected by the investigator to better understand what occurred during the crime
- Cyber crime scene evidence contains behavioral imprints
  - Words used by an offender on the Internet may point to the offender
  - Tools that an offender uses online can be significant, and how an offender conceals his/her identity and criminal activity can be telling
- When investigators collect evidence from a crime scene, they should concurrently perform some reconstructive tasks

Slide 40: Investigative Reconstruction with Digital Evidence (Cntd)
- Basic elements: rough forensic analysis, victimology, crime scene characteristics
- Investigative reconstruction can be useful in the following:
  - Develop leads and locate additional, possibly concealed, evidence
  - Develop a "big picture" which can help solve a case and can be useful for explaining events to decision makers
  - Focus the investigation by exposing avenues of inquiry
  - Develop suspects with motive, means, and opportunity
  - Prioritize investigation of suspects
  - Establish evidence of insider or intruder knowledge
  - Anticipate intruder actions and assess potential for escalation (can prompt investigators to implement safeguards)
  - Carefully link related crimes with the same behavioral imprints
  - Augment case presentation in court

Slide 41: Investigative Reconstruction with Digital Evidence (Cntd)
- Individual pieces of digital data might not be useful on their own, but patterns may emerge when they are combined
- Three forms of reconstruction should be performed when analyzing evidence to develop a clearer picture of the crime and see gaps or discrepancies:
  - Temporal (when): Helps identify sequences and patterns in the timing of events
  - Relational (who, what, where): Components of the crime, their positions, and interactions
  - Functional (how): What was possible and impossible

Slide 42: Investigative Reconstruction with Digital Evidence (Cntd)
(figure slide; no text extracted)

Slide 43: Digital Evidence as Alibi
- An alibi is determined by time and/or location
- When an individual does anything involving a computer or network, the time and location are often noted, generating digital evidence that can be used to support or refute an alibi
- In addition, telephone calls, credit card purchases, train ticket usage, automated toll payments, and ATM transactions are all supported by computer networks that keep detailed logs of activities
- Internet activities, such as when an e-mail message is sent, contain the time and originating IP address and are noted in headers/logs
- Keep in mind that computer times and IP addresses can be manipulated, allowing a criminal to create a false alibi
- Investigators should not rely on one piece of digital evidence when examining an alibi; they should look for an associated cybertrail

Slide 44: Digital Evidence as Alibi (Cntd)
- The first step in investigating an alibi is to assess the reliability of the info on the computers and networks involved
  - Some computers are configured to synchronize their clocks with very accurate time sources and make a log of any discrepancies; other computers allow anyone to change their clocks and do not keep logs of time changes
  - Some computer networks control and monitor which computers are assigned specific IP addresses using protocols like BOOTP and DHCP; other networks do not strictly control IP address assignments, allowing anyone to change the IP address on a computer
- Interviewing several individuals who are familiar with the computer or network involved will be sufficient to determine if an alibi is solid

Slide 45: Digital Evidence as Alibi (Cntd)
- When an obscure piece of equipment is involved, it might be necessary to perform extensive research: reading through documentation, searching the Internet, and contacting manufacturers with questions about how their product works
  - The aim of this research is to determine the reliability of the alibi
- If the actions above cannot be performed, recreation of the events surrounding the alibi becomes necessary
- It is difficult to fabricate an alibi on a network, because a person rarely can falsify an alibi on all the involved computers
- The most challenging situations arise when investigators cannot find any evidence to support or refute an alibi
  - Absence of evidence is not evidence of absence
  - However, an alibi is severely weakened by a lack of expected evidence
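As an added example, not from the slides, the cybertrail check the alibi slides describe in code, which also carries out the temporal reconstruction of slide 41: three constructed records (an email Received header, a dhcpd lease line, a door-badge log) are normalised to UTC, corrected for a clock offset established beforehand, merged into one timeline, and then tested for independent corroboration and for the IP-to-host mismatch that a spoofed or reassigned address would produce. The log formats, hostnames, addresses, badge number and the 90-second clock offset are all assumptions made for the illustration.

```python
"""Temporal reconstruction of a cybertrail to test an alibi: constructed log records
are normalised to UTC, corrected for a known clock offset, merged into one timeline,
and checked for independent corroboration and for discrepancies, so that no single
record decides the alibi.  Formats, names and addresses are illustrative only."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample records (not real evidence).  Scenario: the suspect claims to have
# been in LAB-2 sending email from lab-pc-07 (10.0.2.15) shortly after 11:00 UTC.
RECEIVED = "Received: from lab-pc-07 ([10.0.2.15]) by mx.example.net; Tue, 4 Mar 2014 14:05:12 +0300"
DHCP_LOG = "Mar  4 11:03:55 dhcp-srv dhcpd: DHCPACK on 10.0.2.15 to aa:bb:cc:dd:ee:07 (lab-pc-07) via eth0"
BADGE_LOG = "2014-03-04T11:02:10Z badge=4471 door=LAB-2 result=GRANTED"
# Clock reliability is assessed first, as the slides advise: the mail and badge systems
# are NTP-synced (offset 0); the DHCP server's clock was found to run 90 s fast.
CLOCK_OFFSET_S = {"mail": 0, "dhcp": 90, "badge": 0}

def parse_received(header):
    """'Received:' header -> event with the originating IP and the time in UTC."""
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\].*?;\s*(.+)$", header)
    return {"source": "mail", "ip": m.group(1), "detail": "email sent",
            "time": parsedate_to_datetime(m.group(2)).astimezone(timezone.utc)}

def parse_dhcp(line, year):
    """Syslog-style dhcpd DHCPACK line (no year in the stamp, assumed UTC) -> event."""
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)", line)
    t = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return {"source": "dhcp", "ip": m.group(2), "mac": m.group(3), "host": m.group(4),
            "time": t.replace(tzinfo=timezone.utc), "detail": "lease issued to " + m.group(4)}

def parse_badge(line):
    """Door-access record (ISO-8601 UTC) -> event."""
    stamp, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"source": "badge", "badge": kv["badge"], "door": kv["door"], "time": t,
            "detail": "badge %s %s at %s" % (kv["badge"], kv["result"], kv["door"])}

def build_timeline(events, offsets=CLOCK_OFFSET_S):
    """Subtract each source's known clock offset and sort: the temporal reconstruction."""
    corrected = []
    for e in events:
        fixed = dict(e)
        fixed["time"] = e["time"] - timedelta(seconds=offsets[e["source"]])
        corrected.append(fixed)
    return sorted(corrected, key=lambda e: e["time"])

def corroborate(timeline, ip, host, start, end):
    """Which independent sources place the claimed host/IP inside [start, end]?
    Also flags the discrepancy the slides warn about: the IP seen in the mail header
    was leased to a different machine (a spoofed or reassigned address)."""
    sources, lease_host = set(), None
    for e in timeline:
        if e["source"] == "dhcp" and e["ip"] == ip and e["time"] <= end:
            lease_host = e["host"]                # most recent holder of the IP in the window
        if start <= e["time"] <= end and (e.get("ip") == ip or e["source"] == "badge"):
            sources.add(e["source"])
    return {"independent_sources": sorted(sources),
            "solid": len(sources) >= 2,           # never rely on one piece of evidence
            "ip_lease_mismatch": lease_host is not None and lease_host != host}

def demo():
    """Reconstruct the constructed scenario and test the claimed 11:00-11:10 UTC window."""
    tl = build_timeline([parse_received(RECEIVED), parse_dhcp(DHCP_LOG, 2014), parse_badge(BADGE_LOG)])
    for e in tl:
        print(e["time"].isoformat(), e["source"].ljust(5), e["detail"])
    start = datetime(2014, 3, 4, 11, 0, tzinfo=timezone.utc)
    return corroborate(tl, "10.0.2.15", "lab-pc-07", start, start + timedelta(minutes=10))

if __name__ == "__main__":
    print(demo())
```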