Digital Forensic Spring 2024 ch1.pdf

Full Transcript

THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Spring 2024 CM 4041 Digital Forensic and Incidents Response Alaa H Ridha Course coordinator [email protected] 1 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Table of Contents No. Topics Pg. # 1. Introduction to cybercrimes 3-6 2. Cybercrime Law in Kuwait 7-9 3. Workshop 4. Fundamentals of IR (1) 10-20 5. Fundamentals of IR (2) 10-20 6. Resources for IR 21-25 7. Pre-Incident Preparation 26-29 8. Midterm Analyzing Evidence (1) 30-38 10. Analyzing Evidence (2) 30-38 11. Mobile Forensics 39-42 12. Report Writing 43-46 9. 13. Final Review Final Exam 2 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapter 1 What is Cyber Attack / “incident”? A cyber-attack is defined as any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. Cyber-attacks aim to disable, disrupt, destroy, or control computer systems or “device”, or to alter, block, delete, manipulate, or steal the data held within these systems. In another word, a cyber incident refers to any event that compromises the confidentiality, integrity, or availability of data or information – core principles of information security and often referred to as the “CIA triad”. (Recall CM 3041)* Common examples of computer security incidents are: - Data theft such as personal information, email, and documents. - Theft of funds such as bank account, credit cards, and wire fraud. - Unauthorized access to computer resource. - Presence of malware such as remote access tools and spyware. Suspicious events should be viewed as potential incidents until proven otherwise. What are the main categories of cybercrimes? 1. Individual Cybercrimes: This type is targeting individuals. It includes phishing, spoofing, spam, cyberstalking, and more. 2. Organization Cybercrimes: The main target here is organizations. Usually, this type of crime is done by teams of criminals including malware attacks and denial of service attacks. 3. Property Cybercrimes: This type targets property like credit cards or even intellectual property rights. 4. Society Cybercrimes: This is the most dangerous form of cybercrime as it includes cyberterrorism. What are the most common types of Cybersecurity Attacks? 1. Phishing and Scam: Phishing is a type of social engineering attack that targets users and trick them by sending fake messages and emails to get sensitive information about the user or trying to download malicious software and exploit it on the target system. 3 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 2. Identity Theft Identity theft occurs when a cybercriminal uses another person’s personal data like credit card numbers or personal pictures without their permission to commit a fraud or a crime. 3. Ransomware Attack The most common type of attack. It can take be in a form of malware that has the capability to prevent users from accessing their personal data on the system by encrypting them and then asking for a ransom to give access to the encrypted data. 4. Hacking/Misusing Computer Networks This term refers to the crime of unauthorized access to private computers or networks and misuse of it either by shutting it down or tampering with the data stored or other illegal approaches. 5. Internet Fraud Internet fraud is a type of cybercrimes that makes use of the internet, and it can be considered a general term that groups all the crimes that happen over the internet like spam, banking frauds, theft of service, etc. Other Types of Cybercrime 6. Cyber Bullying It is also known as online or internet bullying. It includes sending or sharing harmful and humiliating content about someone else which causes embarrassment and can be a reason for the occurrence of psychological problems. 7. Cyber Stalking Cyberstalking can be defined as unwanted persistent content from someone targeting other individuals online with the aim of controlling and intimidating like unwanted continued calls and messages. 8. Software Piracy Software piracy is the illegal use or copy of paid software with violation of copyrights or license restrictions. An example of software piracy is when you download a fresh non-activated copy of windows and use what is known as “Cracks” to obtain a valid license for windows activation. It also implies to music, movies, or pictures. 9. Social Media Frauds The use of social media fake accounts to perform any kind of harmful activities like sending intimidating or threatening messages. The most common social media fraud is Email spam. 10. Online Drug Trafficking With the big rise of cryptocurrency technology, it became easy to transfer money in a secured private way and complete drug deals without drawing the attention of law enforcement. Illegal drugs are commonly sold and traded online, especially on what is known as the “Dark Web”. 4 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 11. Electronic Money Laundering It is based on unknown companies or online business that makes approvable payment methods and credit card transactions but with incomplete or inconsistent payment information for buying unknown products. 12. Cyber Extortion Cyber extortion is the demand for money by cybercriminals to give back some important data they’ve stolen or stop doing malicious activities such as denial of service attacks. 13. Intellectual-property Infringements It is the violation or breach of any protected intellectual-property rights such as copyrights and industrial design. 14. Online Recruitment Fraud This is fake job opportunities released by fake companies for the purpose of obtaining a financial benefit from applicants or even making use of their personal data. What is digital forensic (DF)? Digital forensics is a branch of science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically. The field of digital forensics is divided into a few main branches depending on the types of devices to which the forensics are applied: Cloud forensics Computer forensics Mobile forensics Network forensics Digital evidence is a component of criminal activities and digital forensics that is crucial for law enforcement investigations. What is incident Response (IR)? Incident response (IR) is coordinated and structured approach to go from incident detection to resolution. It is defined as the effort to quickly identify an attack, minimize its effects, contain damage, and remediate the cause to reduce the risk of future incidents. Organizations usually create a team or department to carry out their incident response practices. 5 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Review Questions Chapter 1 Fill the blanks: 1. _________________________ any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. 2. _________________________ is a type of cybercrime that targets organizations. Usually, this type of crime is done by teams of criminals including malware attacks and denial of service attacks. 3. _________________________ is a type of cybercrime that targets property like credit cards or even intellectual property rights. 4. _________________________ a type of social engineering attack that targets users and trick them by sending fake messages and emails to get sensitive information about the user. 5. _________________________ is a type of attack that uses another person’s personal data like credit card numbers or personal pictures without their permission to commit a fraud or a crime. 6. _________________________ is the most common type of cyber-attack, in which hackers ask victims for a ransom to give them back the access to their data. 7. 8. is a branch of forensic science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically. 9. _________________________ is a component of almost all criminal activities and digital forensics support is crucial for law enforcement investigations. 10. _________________________ is coordinated and structured approach to go from incident detection to resolution. Short answers: 1. List two types of cybercrime categories: a) b) 2. List two types of cyber-attacks: a) b) 3. Mention two main branches of digital forensics: a) b) In-class Exercise: How to test links against phishing attacks? Try: www.virustotal.com What are the main services available on the website? 6 ALAA H RIDHA ‫‪THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION‬‬ ‫‪COMPUTER DEPARTEMENT‬‬ ‫‪Chapter 2‬‬ ‫‪WORKSHOP‬‬ ‫‪Cyber Crime Law in Kuwait‬‬ ‫ﻗﺎﻧﻮن اﻟﺠﺮاﺋﻢ اﻹﻟﻜﺘﺮوﻧﯿﺔ‬ ‫ﻗﺎﻧﻮن رﻗﻢ ‪ 63‬ﻟﺴﻨﺔ ‪2015‬‬ ‫ﻟﻼطﻼع ﻋﻠﻰ اﻟﻨﺴﺨﺔ ﻛﺎﻣﻠﺔ‪:‬‬ ‫‪https://www.moi.gov.kw/main/content/docs/cybercrime/ar/law‬‬‫‪establishing-cyber-crime-dept.pdf‬‬ ‫اﻟﻔﺼﻞ اﻷول‬ ‫ﺗﻌﺮﯾﻔﺎت اﻟﻤﺎدة‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ا ﻟ ﻤ ﻌ ﻠ ﻮ ﻣ ﺎ ﺗ ﯿ ﺔ ‪ :‬ﻛ ﻞ ﻓ ﻌ ﻞ ﯾ ﺮ ﺗ ﻜ ﺐ ﻣ ﻦ ﺧ ﻼ ل اﺳ ﺘ ﺨ ﺪ ام ا ﻟﺤ ﺎﺳ ﺐ اﻵ ﻟ ﻲ أ و ا ﻟ ﺸ ﺒ ﻜ ﺔ ا ﻟ ﻤ ﻌ ﻠ ﻮ ﻣ ﺎ ﺗ ﯿ ﺔ أ و ﻏ ﯿ ﺮ ذ ﻟ ﻚ ﻣ ﻦ‬ ‫و ﺳ ﺎﺋﻞ ﺗﻘ ﻨﯿﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎ ت ﺑ ﺎﻟﻤ ﺨ ﺎﻟﻔﺔ ﻷ ﺣ ﻜ ﺎم ھ ﺬ ا اﻟﻘ ﺎﻧﻮ ن ‪.‬‬ ‫ا ﻻ ﺣ ﺘ ﯿ ﺎ ل ا ﻹ ﻟ ﻜ ﺘ ﺮ و ﻧ ﻲ ‪ :‬ا ﻟ ﺘ ﺄ ﺛ ﯿ ﺮ ﻓ ﻲ ﻧﻈ ﺎم إ ﻟ ﻜ ﺘ ﺮ و ﻧ ﻲ ﻣ ﺆ ﺗ ﻤ ﺖ ‪ ،‬أ و ﻧﻈ ﺎم ﻣ ﻌ ﻠﻮ ﻣ ﺎ ﺗ ﻲ إﻟﻜ ﺘﺮ و ﻧ ﻲ ‪ ،‬أ و ﺷ ﺒ ﻜ ﺔ ﻣ ﻌ ﻠ ﻮ ﻣ ﺎ ﺗ ﯿ ﺔ ‪ ،‬أ و‬ ‫ﻣ ﺴ ﺘﻨ ﺪ أ و ﺳ ﺠ ﻞ إ ﻟ ﻜ ﺘ ﺮ و ﻧ ﻲ ‪ ،‬أ و و ﺳ ﯿ ﻠ ﺔ ﺗ ﻘ ﻨ ﯿ ﺔ ﻣ ﻌ ﻠ ﻮ ﻣ ﺎ ﺗ ﯿ ﺔ ‪ ،‬أ و ﻧﻈ ﺎم ‪ ،‬أ و ﺟ ﮭ ﺎز ﺣ ﺎﺳ ﺐ آ ﻟ ﻲ ‪ ،‬أ و ﺗ ﻮ ﻗ ﯿ ﻊ إ ﻟ ﻜ ﺘ ﺮ و ﻧ ﻲ ‪ ،‬أ و‬ ‫ﻣ ﻌ ﻠ ﻮ ﻣ ﺎ ت إ ﻟ ﻜ ﺘ ﺮ و ﻧ ﯿ ﺔ و ذ ﻟﻚ ﻋ ﻦ ط ﺮ ﯾﻖ ا ﻟ ﺒ ﺮ ﻣ ﺠ ﺔ ‪ ،‬أ و ا ﻟ ﺤ ﺼ ﻮ ل ‪ ،‬أ و اﻹ ﻓ ﺼ ﺎح ‪ ،‬أ و ا ﻟ ﻨ ﻘ ﻞ ‪ ،‬أ و ا ﻟ ﻨ ﺸ ﺮ ﻟ ﺮ ﻗ ﻢ ‪ ،‬أ و ﻛ ﻠ ﻤ ﺔ ‪،‬‬ ‫أ و ر ﻣ ﺰ ﺳ ﺮ ي ‪ ،‬أو ﺑ ﯿ ﺎ ﻧ ﺎ ت ﺳ ﺮ ﯾ ﺔ ‪ ،‬أ و ﺧ ﺎ ﺻ ﺔ أﺧ ﺮ ى ‪ ،‬ﺑﻘ ﺼ ﺪ ا ﻟ ﺤ ﺼ ﻮ ل ﻋ ﻠ ﻰ ﻣ ﻨ ﻔ ﻌ ﺔ د و ن و ﺟ ﮫ ﺣ ﻖ أ و ا ﻹ ﺿ ﺮ ا ر‬ ‫ﺑ ﺎ ﻟ ﻐ ﯿ ﺮ ‪.‬ل ﺑ ﺒ ﺬ‬ ‫اﻟﻔﺼﻞ اﻟﺜﺎﻧﻲ‬ ‫اﻟﺠﺮاﺋﻢ واﻟﻌﻘﻮﺑﺎت‬ ‫ﻣ ﻠ ﺨ ﺺ ا ﻟ ﺠ ﺮ ا ﺋ ﻢ و ا ﻟ ﻌ ﻘ ﻮ ﺑ ﺎ ت ﻣ ﻦ ﻣ ﻮ ﻗ ﻊ إ د ار ة ا ﻟ ﺠ ﺮ ا ﺋ ﻢ ا ﻻ ﻟ ﻜ ﺘ ﺮ و ﻧ ﯿ ﺔ ا ﻟ ﺘ ﺎ ﺑ ﻊ ﻟ ﻮ ز ا ر ة ا ﻟ ﺪ ا ﺧ ﻠ ﯿ ﺔ‬ ‫‪https://www.moi.gov.kw/main/content/docs/cybercrime/ar/cyber‬‬‫‪crime-punishments.pdf‬‬ ‫ﻟ ﻺ ﺑ ﻼ غ ﻋ ﻦ أي ﺟ ﺮ ﯾ ﻤ ﺔ ا ﻟ ﻜ ﺘ ﺮ و ﻧ ﯿ ﺔ ‪ :‬ا ﻟ ﺘ ﻮ ا ﺻ ﻞ ا ﻟ ﻤ ﺒ ﺎ ﺷ ﺮ ﻣ ﻊ إ د ار ة ا ﻟ ﺠ ﺮ ا ﺋ ﻢ ا ﻻ ﻟ ﻜ ﺘ ﺮ و ﻧ ﯿ ﺔ‬ ‫اﻻﺗﺼﺎل ﻋﻠﻰ رﻗﻢ اﻟﻄﻮارئ ‪ +96597283939‬ﺳﯿﺘﻢ اﻟﺘﻌﺎﻣﻞ ﻣﻊ اﻟﺒﻼغ ﺑﺴﺮﯾﺔ ﺗﺎﻣﺔ‬ ‫‪ALAA H RIDHA‬‬ ‫‪7‬‬ ‫‪THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION‬‬ ‫‪COMPUTER DEPARTEMENT‬‬ ‫اﻟﺠﺮاﺋﻢ وﻋﻘﻮﺑﺘﮭﺎ ﻓﻲ ﻗﺎﻧﻮن ﺟﺮاﺋﻢ ﺗﻘﻨﯿﺔ اﻟﻤﻌﻠﻮﻣﺎت ﻓﻲ دوﻟﺔ اﻟﻜﻮﯾﺖ‬ ‫ﻣﺎدة )‪(1‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﻟﺪ ﺧ ﻮ ل ﻏ ﯿﺮ اﻟﻤ ﺸ ﺮ و ع إﻟﻰ ﺟ ﮭ ﺎز ﺣ ﺎﺳ ﺐ آﻟﻲ أو ﻧﻈ ﺎم ﻣ ﻌ ﻠﻮ ﻣ ﺎﺗ ﻲ أو ﺷ ﺒﻜ ﺔ ﻣ ﻌ ﻠﻮ ﻣ ﺎﺗﯿﺔ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﺘﺔ أﺷﮭﺮ( ‪ +‬ﻏﺮاﻣﺔ )‪ (500-2000‬دﯾﻨﺎر أو أﺣﺪھﻤﺎ‪.‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬إ ذ ا ﺗ ﺮ ﺗ ﺐ ﻋ ﻠ ﻰ ا ﻟ ﺪ ﺧ ﻮ ل إ ﻟ ﻐ ﺎ ء ‪ ،‬أ و ﺣ ﺬ ف ‪ ،‬أ و ﺗ ﺪ ﻣ ﯿﺮ ‪ ،‬أ و ﺗ ﻐ ﯿ ﯿ ﺮ ‪ ،‬أ و إ ﻋ ﺎ د ة ﻧ ﺸ ﺮ ﺑ ﯿ ﺎ ﻧ ﺎ ت ‪ ،‬أ و‬ ‫ﻣ ﻌ ﻠﻮ ﻣ ﺎت‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﺘﯿﻦ( ‪ +‬ﻏﺮاﻣﺔ )‪ (2-5‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫و إذا ﻛ ﺎﻧ ﺖ اﻟﺒ ﯿﺎﻧﺎت ﺷ ﺨ ﺼ ﯿﺔ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ )ﺛﻼث ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (3-10‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻣﺎدة )‪(1/3‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﻟﺪ ﺧ ﻮ ل ﻏ ﯿﺮ اﻟﻤ ﺸ ﺮ و ع ﺑﻘ ﺼ ﺪ اﻟﺤ ﺼ ﻮ ل ﻋ ﻠﻰ ﺑﯿ ﺎﻧ ﺎ ت أو ﻣ ﻌ ﻠﻮ ﻣ ﺎ ت ﺣ ﻜ ﻮ ﻣ ﯿﺔ ﺳ ﺮ ﯾﺔ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﻋﺸﺮ ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (5-20‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻣﺎدة )‪(2/3‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬ﺗﺰ و ﯾﺮ أو اﺗﻼ ف ﻣ ﺴ ﺘﻨ ﺪ أو ﺳ ﺠ ﻞ أو ﺗﻮ ﻗﯿﻊ اﻟﻜ ﺘﺮ و ﻧ ﻲ أو ﻧﻈ ﺎم اﻟﻜ ﺘﺮ و ﻧ ﻲ أو ﻣ ﻮ ﻗﻊ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺛﻼث ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (3-10‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫و إ ذ ا و ﻗ ﻊ ا ﻟ ﺘ ﺰ و ﯾ ﺮ ﻋ ﻠ ﻰ ﻣ ﺴ ﺘ ﻨ ﺪ ر ﺳ ﻤ ﻲ ‪ ،‬أ و ﺑ ﻨ ﻜ ﻲ ‪ ،‬أ و ﺑ ﯿ ﺎ ﻧ ﺎ ت ﺣ ﻜ ﻮ ﻣ ﯿ ﺔ ‪ ،‬أو ﺑ ﻨ ﻜ ﯿ ﺔ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ )ﺳﺒﻊ ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (5-20‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬ﺗ ﻐ ﯿ ﯿ ﺮ أ و ا ﺗ ﻼ ف ﻣ ﺴ ﺘ ﻨ ﺪ ا ﻟ ﻜ ﺘ ﺮ و ﻧ ﻲ ﯾ ﺘ ﻌ ﻠﻖ ﺑ ﺎ ﻟ ﻔ ﺤ ﻮ ﺻ ﺎ ت ا ﻟﻄ ﺒ ﯿ ﺔ أ و ا ﻟ ﺘ ﺸ ﺨ ﯿ ﺺ أ و ا ﻟ ﻌ ﻼ ج ا ﻟﻄ ﺒ ﻲ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺛﻼث ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (3-10‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫اﻟﺠ ﺮ ﯾﻤ ﺔ ‪ :‬ﺗﮭ ﺪ ﯾﺪ أو اﺑﺘﺰ از ﺷ ﺨ ﺺ ط ﺒﯿﻌ ﻲ أو اﻋ ﺘﺒ ﺎر ي ﻟﺤ ﻤ ﻠﮫ ﻋ ﻠﻰ ﻓﻌ ﻞ أو اﻻ ﻣ ﺘﻨ ﺎع ﻋ ﻨﮫ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺧﻤﺲ ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (5-20‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﻻ ﺳ ﺘﯿﻼ ء ﻋ ﻠ ﻰ ﻣ ﻨﻔﻌ ﺔ ‪ ،‬أو ﻣ ﺎل ‪ ،‬أو ﻣ ﺴ ﺘﻨﺪ ‪ ،‬أو ﺗﻮ ﻗﯿﻊ ﻋ ﻠﻰ ﻣ ﺴ ﺘﻨﺪ ﺑ ﺎﺳ ﺘﻌ ﻤ ﺎل ط ﺮ ق اﺣ ﺘﯿ ﺎﻟﯿﺔ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺛﻼث ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (3-10‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻣﺎدة )‪(4‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬إﻋ ﺎﻗﺔ أو ﺗﻌ ﻄ ﯿ ﻞ اﻟﻮ ﺻ ﻮ ل إﻟﻰ ﻣ ﻮ ﻗﻊ أو اﻟﺪﺧ ﻮ ل إﻟﻰ اﻷ ﺟ ﮭ ﺰ ة أو اﻟﺒﺮ اﻣ ﺞ أو ﻣ ﺼ ﺎدر اﻟﺒﯿ ﺎﻧ ﺎت‬ ‫ﻋ ﻤ ﺪا‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﺘﯿﻦ( ‪ +‬ﻏﺮاﻣﺔ )‪ (2-5‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﻟﺪ ﺧ ﻮ ل اﻟﻌ ﻤ ﺪ ي ﻋ ﻦ ط ﺮ ﯾﻖ اﻟﺸ ﺒﻜ ﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎﺗﯿﺔ أو ﺑ ﺎﺳ ﺘﺨ ﺪ ام و ﺳ ﯿﻠﺔ ﻣ ﻦ و ﺳ ﺎﺋ ﻞ ﺗﻘ ﻨﯿﺔ‬ ‫اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎ ت ﻣ ﺎ ﻣ ﻦ ﺷ ﺄﻧﮫ ﺗﻌ ﻄ ﯿﻠﮭ ﺎ أو اﯾﻘ ﺎﻓﮭ ﺎ ﻋ ﻦ اﻟﻌ ﻤ ﻞ أو د ﺧ ﻮ ل ﻣ ﻮ ﻗ ﻊ ﻟﺘﻐ ﯿﯿﺮ ﺗﺼ ﻤ ﯿﻤ ﮫ ‪ ،‬أو إﻟﻐ ﺎء ه ‪ ،‬أو‬ ‫ﺗﻌ ﺪ ﯾﻠﮫ ‪ ،‬أو إﯾﻘ ﺎﻓﮫ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﺘﯿﻦ( ‪ +‬ﻏﺮاﻣﺔ )‪ (2-5‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫‪ALAA H RIDHA‬‬ ‫‪8‬‬ ‫‪THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION‬‬ ‫‪COMPUTER DEPARTEMENT‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﻟﺘﻨﺼ ﺖ أو اﻻ ﻟﺘﻘ ﺎط أو اﻟﺘﻌ ﺮ ض ﻋ ﻤ ﺪ ا ﻟﻤ ﺎ ھ ﻮ ﻣ ﺮ ﺳ ﻞ ﻋ ﻦ ط ﺮ ﯾﻖ اﻟﺸ ﺒﻜ ﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎﺗﯿﺔ أو‬ ‫و ﺳ ﯿﻠﺔ ﻣ ﻦ و ﺳ ﺎﺋ ﻞ ﺗﻘﻨﯿﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎت‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﺘﯿﻦ( ‪ +‬ﻏﺮاﻣﺔ )‪ (2-5‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻓ ﺎذ ا أﻓ ﺸ ﻰ ﻣ ﺎ ﺗ ﻮ ﺻ ﻞ إ ﻟ ﯿ ﮫ ﯾ ﻌ ﺎﻗ ﺐ ﺑ ﺎ ﻟ ﺤ ﺒ ﺲ ﻣ ﺪ ة ﻻ ﺗ ﺠ ﺎ و ز ﺛ ﻼ ث ﺳ ﻨ ﻮ ا ت و ﺑ ﻐ ﺮ ا ﻣ ﺔ ﻻ ﺗ ﻘ ﻞ ﻋ ﻦ ﺛ ﻼ ﺛ ﺔ آ ﻻ ف‬ ‫د ﯾﻨﺎر و ﻻ ﺗ ﺠ ﺎو ز ﻋ ﺸ ﺮ ة آﻻ ف د ﯾﻨﺎر أو ﺑ ﺈ ﺣ ﺪ ى ھ ﺎ ﺗ ﯿ ﻦ اﻟﻌ ﻘﻮ ﺑﺘﯿﻦ ‪.‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬إﻧﺸ ﺎء ﻣ ﻮ ﻗ ﻊ ‪ ،‬أو ﻧﺸ ﺮ ‪ ،‬أو اﻧﺘ ﺎج ‪ ،‬أو إﻋ ﺪ اد ‪ ،‬أو إر ﺳ ﺎ ل ‪ ،‬أو ﺗﺨ ﺰ ﯾﻦ ﻣ ﻌ ﻠﻮ ﻣ ﺎ ت ‪ ،‬أو ﺑ ﯿ ﺎ ﻧ ﺎ ت ﺑ ﻘ ﺼ ﺪ‬ ‫اﻻ ﺳ ﺘﻐ ﻼ ل ‪ ،‬أو اﻟﺘﻮ ز ﯾﻊ ‪ ،‬أو اﻟﻌ ﺮ ض ﻋ ﻠ ﻰ اﻟﻐ ﯿﺮ و ﻛ ﺎن ذ ﻟﻚ ﻣ ﻦ ﺷ ﺄﻧﮫ اﻟﻤ ﺴ ﺎس ﺑ ﺎﻵ د اب اﻟﻌ ﺎﻣ ﺔ أو إد ار ة‬ ‫ﻣ ﻜ ﺎن ﻟﮭ ﺬ ا اﻟﻐ ﺮ ض‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﺘﯿﻦ( ‪ +‬ﻏﺮاﻣﺔ )‪ (2-5‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﻟﺘﺤ ﺮ ﯾﺾ ﻋ ﻠﻰ ار ﺗﻜ ﺎ ب أﻋ ﻤ ﺎ ل اﻟﺪ ﻋ ﺎر ة أو اﻟﻔﺠ ﻮ ر أو اﻟﻤ ﺴ ﺎﻋ ﺪ ة ﻋ ﻠﻰ ذ ﻟﻚ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﺘﯿﻦ( ‪ +‬ﻏﺮاﻣﺔ )‪ (2-5‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻓ ﺎذ ا ﻛ ﺎن ا ﻟ ﻔ ﻌ ﻞ ﻣ ﻮ ﺟ ﮭ ﺎ ً ا ﻟ ﻰ ﺣ ﺪ ث ﻓ ﺘ ﻜ ﻮ ن ا ﻟ ﻌ ﻘ ﻮ ﺑ ﺔ ا ﻟ ﺤ ﺒ ﺲ ﻣ ﺪة ﻻ ﺗ ﺠ ﺎو ز ﺛﻼ ث‬ ‫ﺳﻨﻮات واﻟﻐﺮاﻣﺔ اﻟﺘﻲ ﻻ ﺗﻘﻞ ﻋﻦ ﺛﻼﺛﺔ آﻻف دﯾﻨﺎر وﻻ ﺗﺠﺎوز ﻋﺸﺮة آﻻف دﯾﻨﺎر أو إﺣﺪى ھﺎﺗﯿﻦ‬ ‫اﻟﻌ ﻘﻮ ﺑﺘﯿﻦ ‪.‬‬ ‫ﻣﺎدة )‪(5‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬اﺳ ﺘﺨ ﺪ ام ﺷ ﺒﻜ ﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎ ت أو و ﺳ ﯿﻠﺔ ﻣ ﻦ و ﺳ ﺎﺋ ﻞ ﺗﻘﻨﯿﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎ ت ﻟﻠﻮ ﺻ ﻮ ل د و ن و ﺟ ﮫ ﺣ ﻖ إﻟﻰ‬ ‫أر ﻗ ﺎم أو ﺑﯿ ﺎﻧ ﺎ ت ﺑﻄ ﺎﻗﺔ اﺋﺘﻤ ﺎﻧﯿﺔ أو ﻣ ﺎ ﻓ ﻲ ﺣ ﻜ ﻤ ﮭ ﺎ‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﻨﮫ( ‪ +‬ﻏﺮاﻣﺔ )‪ (1-3‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫وﺗﻜﻮن اﻟﻌﻘﻮﺑﺔ اﻟﺤﺒﺲ ﻟﻤﺪة ﻻ ﺗﺘﺠﺎوز )ﺛﻼث ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (1-3‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ إذا‬ ‫ﺗﺮ ﺗ ﺐ ﻋ ﻠﻰ ذ ﻟﻚ اﻟﺤ ﺼ ﻮ ل ﻋ ﻠﻰ أﻣ ﻮ ال اﻟﻐ ﯿﺮ أو ﻣ ﺎ ﺗﻨﺘ ﺠ ﮫ ﻣ ﻦ ﺧ ﺪ ﻣ ﺎت ‪.‬‬ ‫ﻣﺎدة )‪(8‬‬ ‫اﻟﺠ ﺮ ﯾﻤ ﺔ ‪ :‬إﻧﺸ ﺎء ﻣ ﻮ ﻗﻊ أو ﻧﺸ ﺮ ﻣ ﻌ ﻠﻮ ﻣ ﺎت ﺑﻘﺼ ﺪ اﻻ ﺗﺠ ﺎر ﺑ ﺎﻟﺒﺸ ﺮ أو ﺗﺴ ﮭ ﯿﻞ اﻟﺘﻌ ﺎﻣ ﻞ ﻟﺘﺮ و ﯾﺞ اﻟﻤ ﺨ ﺪر ات أو‬ ‫ﻣ ﺎ ﻓ ﻲ ﺣ ﻜ ﻤ ﮭ ﺎ أو ﺗﺴ ﮭ ﯿ ﻞ ذ ﻟﻚ ﻓ ﻲ ﻏ ﯿﺮ اﻷ ﺣ ﻮ ال اﻟﻤ ﺼ ﺮ ح ﺑﮭ ﺎ‪.‬‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﺳﺒﻊ ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (10-30‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻣﺎدة )‪(9‬‬ ‫ا ﻟ ﺠ ﺮ ﯾ ﻤ ﺔ ‪ :‬ﻏ ﺴ ﻞ اﻷ ﻣ ﻮ ا ل أو ﺗﺤ ﻮ ﯾ ﻞ أﻣ ﻮ ا ل ﻏ ﯿﺮ ﻣ ﺸ ﺮ و ﻋ ﺔ ‪ ،‬أ و ﻧ ﻘ ﻠ ﮭ ﺎ ‪ ،‬أ و ﺗ ﻤ ﻮ ﯾ ﮫ ‪ ،‬أ و إ ﺧ ﻔ ﺎ ء ﻣ ﺼ ﺪ ر ھ ﺎ ‪ ،‬أ و‬ ‫اﻛ ﺘﺴ ﺎﺑﮭ ﺎ ﻋ ﻦ ط ﺮ ﯾﻖ اﻟﺸ ﺒﻜ ﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎﺗﯿﺔ أو ﺑ ﺎﺳ ﺘﺨ ﺪ ام و ﺳ ﯿﻠﺔ ﻣ ﻦ و ﺳ ﺎﺋ ﻞ ﺗﻘﻨﯿﺔ اﻟﻤ ﻌ ﻠﻮ ﻣ ﺎ ت‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﻋﺸﺮ ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (20-50‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫ﻣﺎدة )‪(10‬‬ ‫اﻟﺠ ﺮ ﯾﻤ ﺔ ‪ :‬إﻧﺸ ﺎء ﻣ ﻮ ﻗﻊ ﻟﻤ ﻨﻈ ﻤ ﺔ إر ھ ﺎﺑﯿﺔ أو ﻟﺸ ﺨ ﺺ إر ھ ﺎﺑﻲ أو ﻧﺸ ﺮ ﻣ ﻌ ﻠﻮ ﻣ ﺎت ﻋ ﻠﻰ اﻟﺸ ﺒﻜ ﺔ أو أي و ﺳ ﯿﻠﺔ‬ ‫ﻣ ﻦ و ﺳ ﺎ ﺋ ﻞ ﺗ ﻘ ﻨ ﯿ ﺔ ا ﻟ ﻤ ﻌ ﻠ ﻮ ﻣ ﺎ ت ﻟ ﺘ ﺴ ﮭ ﯿ ﻞ ا ﺗ ﺼ ﺎ ﻻ ت ﺑ ﺄ ﺣ ﺪ ﻗ ﺎ د ﺗ ﮭ ﺎ‪ ،‬أ و أ ﻋ ﻀ ﺎ ﺋ ﮭ ﺎ ‪ ،‬أ و أ ﻓ ﻜ ﺎ ر ھ ﺎ ‪ ،‬أ و ﺗ ﻤ ﻮ ﯾ ﻠ ﮭ ﺎ ‪ ،‬أ و‬ ‫ﻧﺸ ﺮ ﻛ ﯿﻔﯿﺔ ﺗﺼ ﻨﯿﻊ اﻷ ﺟ ﮭ ﺰ ة اﻟﺤ ﺎر ﻗﺔ أو اﻟﻤ ﺘﻔﺠ ﺮ ة‬ ‫اﻟﻌﻘﻮﺑﺔ‪ :‬اﻟﺤﺒﺲ ﻣﺪة ﻻ ﺗﺘﺠﺎوز )ﻋﺸﺮ ﺳﻨﻮات( ‪ +‬ﻏﺮاﻣﺔ )‪ (20-50‬آﻻف دﯾﻨﺎر أو أﺣﺪھﻤﺎ‬ ‫‪ALAA H RIDHA‬‬ ‫‪9‬‬ THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapters 3 & 4 Fundamentals of IR Recall from Week 1, what is IR? Incident response (IR) is a methodology for organizing the process of responding to security incidents. Incident response (IR) plans are designed to keep IT infrastructure running while minimizing an incident’s negative effect. What are the main goals of IR? The primary goal of IR is to effectively (1) remove a threat, (2) minimize the damages and (3) restore normal operations. Main activities of Incident Response (IR): Create an incident response policy and plan. Develop procedures for performing incident handling and reporting data. Set guidelines for communicating with outside parties regarding incidents. Select a team structure and model. Establish communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies). Determine what services, the incident response team should provide. Staffing and training. Incident Response Management Having a standard framework for incident management in place is important. Organizations need to ensure that the right steps are taken. Incident Response usually consists of four main stages: Stage 1: Initial Response This stage includes all the early steps, such as initial identification of the incident and assembling the IR team including incident manager, lead investigator, and lead communicator. Stage 2: Consolidation In this phase, the incident management team works to find out more about the issue and to determine its severity. Once the incident is categorized it should be clear whether other teams are needed to resolve the incident. The incident management plan is put in place, and the true resolution process starts. Communication with stakeholders is also very important during this phase. 10 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Stage 3: Recovery The incident will be largely resolved by the recovery phase. The IR team returns system to their normal operations. However, monitoring should continue to ensure that the incident and any fallout that was caused by it are truly resolved. Examples of activities performed during this step are: Disconnect from the Internet. Block suspicious IPs. Remove compromised systems. Enhance logs. (system logs- application logs- network logs) Enhance alerting. Patch third-party applications. Implement multifactor authentication. Reduce locations where important data stored. Change all users’ passwords. Upgrading to more secured OS. Reducing user privileges. Implement traffic filtering. Implement network segmentation. Stage 4: Restoration of Normality Finally, after the root cause of the issue has been found and resolved and the key metrics verified, the incident can be considered closed. This stage involves communicating the resolution to stakeholders, as well as making sure the incident report is complete in terms of data. IR Lifecyle: The main phases of Incident Response Lifecycle: Preparation of system and procedures Identification of threat Containment of threat Recovery and restoration Feedback and refinement 11 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Diagram (1) IR Lifecyle by NIST IR teams Organizations usually create teams to carry out their incident response practices. A cross-functional incident response team ensures that the organization has the right mix of talent needed to effectively respond to security threats. What are the core functions of IR teams? Leadership: Coordinates the overall direction, strategy and ensures the team stays focused on minimizing damage, recovering quickly, and operating efficiently. Investigation: Coordinates efforts to determine an incident’s root cause. Specifically, information that can provide value to correct the acute issue as well as prevent future incidents. Communications: Manages relevant internal and external communications necessary for the incident response. Communications may be required across an organization’s teams and departments, or with external stakeholders and the public. Documentation: Keeps records of incident response measures and activities. Legal representation: Ensures that the incident response activities taken line up with laws and regulations to protect the organization. 12 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT What are the most common forms of IR teams? 1. Computer Security Incident Response Team (CSIRT) This is a team of professionals responsible for preventing and responding to security incidents. A CSIRT may also handle aspects of incident response in other departments, such as dealing with legal issues or communicating with the press. 2. Computer Emergency Response Team (CERT) ‫ﻓﺮﯾﻖ اﻻﺳﺘﺠﺎﺑﺔ ﻟﻄﻮارئ اﻟﺤﺎﺳﺐ‬ This is a team of professionals in charge of handling cyberthreats and vulnerabilities within an organization. In addition, CERTs tend to release their findings to the public to help others strengthen their security infrastructure. 3. Security Operations Center (SOC) ‫ﻣﺮﻛﺰ ﻋﻤﻠﯿﺎت اﻷﻣﻦ اﻟﺴﯿﺒﺮاﻧﻲ‬ This is a type of command center facility that is dedicated to monitoring, analyzing, and protecting an organization from cyber-attacks. A SOC typically includes threat hunters and analysts that focus only on system security incident response. Diagram (2) Main roles and responsibilities What does SOC do? A SOC team is responsible for managing the ongoing operational activities associated with an organization’s network and infrastructure security. While security operations team members may contribute knowledge or expertise to developing security strategy or designing security architecture, a SOC team primarily focuses on detecting, analyzing, investigating, remediating, and responding to security incidents and threats. SOC functions usually include: 13 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 1. Management and maintenance: Oversight and administration of security tools, including updates and patches. 2. Surveillance: Monitoring of event logs on networks, systems, devices, and infrastructure for unusual or suspicious activity. 3. Threat prevention and detection: including intelligence gathering to help deter potential threats and attacks. 4. Incident analysis and investigation: Forensic examination to determine the incident or threat’s source and the extent to which it has infiltrated and affected business systems. 5. Threat or attack response: Coordination of an approach to effectively manage and contain the threat or incident. 6. Recovery and remediation: Retrieval of lost or stolen data and an examination of what assets have been compromised, as well as addressing vulnerabilities and adjusting security monitoring and alerting tools and procedures. 7. Compliance and risk management: Oversight of federal regulations or industryrecommended best practices on such things as ISO 27001, the NIST Cybersecurity Framework (CSF), the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and payment card industry data security standards (PCI DSS). Examples of SOC Tools and Technologies: 1. Security Information and Event Management (SIEM) Solution: SIEM stands for Security Information and Event Management SIEM solutions use rules and statistical correlations to turn log entries and events from security systems into actionable information. This information can help security teams detect threats in real time, manage incident response, perform forensic investigation. SIEM solutions enable you to perform search queries using event IDs, severity, source, username, IP address, etc., or a combination. AI offers the potential for SIEM solutions to support more data types (such as cloud, IoT, mobile technologies). SIEM makes behavioral anomalies visible to security teams, with AI to automate incident detection and response processes. It has replaced many manual tasks, becoming an important tool for any security operation center (SOC). Common Security-related Log Events Tracked by a SIEM Include: - Alert from antivirus or endpoint protection of a malware infection. Alert from an email system about spam or malicious content in an email. Firewall alert about blocked network traffic. 14 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT - Connection to a system from unknown host or IP. Failed logins, especially if repeated or targeted at critical systems. Change in user privileges, especially privilege escalation. Use of new or unknown ports, or protocols that are not secure or violate the security policy. Core functions of SIEM solutions: o o o o Log Data Management Reporting Alerts Dashboard Examples of SIEM solutions: Diagram (3) sample of SIEM Interface 15 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Diagram (4) sample of SIEM Interface 2. Asset Directory: Provides insight into the systems, devices, and tools operating in your IT environment. 3. Behavioral Monitoring: Assists security experts in creating a baseline when using machine learning or behavior modeling to identify security concerns. 4. 5. 6. 7. Intrusion Detection System: Helps security experts detect an attack at the initial phases. Endpoint Detection and Response: Provides visibility and containment options. Network Detection and Response: Captures, analyzes, and helps to block threats. Log Collection and Aggregation: Offers log availability and retention through a centralized repository to assist with analysis. 8. Automated Malware Analysis and Sandboxing: Provides understanding of malware purpose and generates indicators of compromise (IOCs). 9. Threat Intelligence Platforms: Collects and aggregated internal and external sources of information for investigation. 10. Cloud-based Acquisition Solutions: Collects data from third-party services, such as Amazon Web Services, Microsoft 365, Google, iCloud, Facebook, Instagram, and Twitter, and performs data analysis. 11. Remote Collection Capabilities: Pulls artifacts, system information, and forensic images remotely, without the need for local access. 16 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Who are the members of SOC team? SOC Manager: Oversees the SOC team. Assesses and reviews incident and compliance reports. Reports on SOC activities to business executives. Security Analyst: Involved with proactive monitoring, threat detection, analysis, and investigation. Compliance Auditor: Helps to standardize processes. Oversees compliance protocols. Threat Responder: Involved in activities associated with threat and incident response. Forensic Investigator: Examines and analyzes a threat’s structure, components, source, purpose, and the extent to which it has infiltrated and affected business systems. SOC Manager Threat Responder Security Analyst SOC Team Forensic Investigator Compliance Auditor Diagram (5) Key Members of SOC Team 17 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Review Questions Chapters 3&4 Choose the correct answer: 1. ________________ is a team of professionals in charge of handling cyberthreats and vulnerabilities within an organization. a) HR b) SOC c) CERT 2. To modify network to be more IR friendly: a) Buy new hardware b) Use firewall c) Hire a good lawyer 3. ________________ is to know what systems belong to each department, their ownership information and where they are located. a) Instrumentation b) Asset management c) Documentation 4. One main target of IR teams? a) Hardware troubleshooting b) Upgrading the OS c) Handling cyber threats and incidents 5. IR teams usually responsible about: a) Training and educating employees and staff b) Informing and managing public and customers perceptions c) All the above 6. Solutions use rules and statistical correlations to turn log entries and events from security systems into actionable information are called: a) SIM b) SIEM c) SEMENS True / False: T / F Resolving a cyber incident is completed during the post-incident activity. T / F IR teams are responsible about cyber security awareness training in their organizations. T / F Major cyber incidents have major impacts on organizations’ IT infrastructure. T / F Documentation and report writing are necessary skills for IR-team members. 18 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Short Answers: 1. Who are the key members in SOC teams? a) b) 2. What are the main goals of IR? a) b) 3. Give two examples of common IR team structures: a) b) 4. Give two core functions of SIEM solutions: a) b) Complete the following: 1) IR Lifecyle diagram 2) Incident Response Model Phase Summary of tasks Initial Response Consolidation Recovery 19 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 3) SOC team members and their responsibilities IR Team Member Responsibility Oversees the SOC team. Responsible about monitoring, threat detection, analysis, and investigation. Oversees compliance protocols. Responsible about activities associated with threat and incident response. Examines and analyzes a threat’s structure, components, source, purpose, and the extent to which it has infiltrated and affected business systems. Write the long form for the following: SIEM: _____________________________________________ SOC: ______________________________________________ IR: ________________________________________________ DF: ________________________________________________ In-class Exercise: What are the main differences between SOC and NOC teams? 20 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapter 5 Resources for IR What is DFIR? A term used to refer to the process of collecting, preserving, and analyzing electronic evidence in cyber security incidents. DFIR specialists will gather and inspect information (including user logs, web server access logs, firewall logs, vault audit logs, and VPN audit logs) to determine who attacked them, how they got in, what tools were used to compromise their systems, and how to close those security gaps. Modern hardware and software solutions are used to help IR teams perform their tasks. Organizations are to provide the proper training and create documentations for IR process. What kind of digital forensics data do analysts typically collect? Disk images: A bit-for-bit copy of a digital storage device, usually of a hard drive or hard disk. Disk images may also be taken from other storage mediums, such as USB drives. Memory images: Memory images are a computer’s RAM, which can be recorded by special software. They contain a wealth of information often unavailable on the hard drive. In addition, some advanced techniques or threat actors are invisible to traditional virus and malware scanning. Application data: Investigators will turn to application data if you don’t have access to a drive or memory image. This includes host logs, network device logs, and software-specific logs. Important Note! Information about the case must kept safe and protected whether in the field, office, or in transport. The most effective way is to encrypts the data. 21 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT The following are some of the resources known to help the IR team with investigation: 1. Hardware for IR a. Forensics in the Field For this part of the investigation of the field, IR teams usually use a laptop to perform the forensic work and can interface properly with specialized forensics tools. b. Forensics at the Office During investigation IR team make copies of the data and keep original data safe. IR team uses virtual environments to make the analysis on the working copies. Once the analysis is complete, the virtual machine is destroyed. c. Shared Forensics Equipment (common tools) Disk duplication and imaging systems Write blockers for all media Mobile device acquisition systems Hard drives for evidence storage also blank CDs and DVDs Assorted cables and adaptor Digital cameras to document the evidence Case-Opening Tools such as: screwdrivers What is write blocker? A write blocker is a device that enables data to be acquired from a hard disk without modifying the disk’s data. The device allows a read command but does not allow write commands to be executed on the hard disk. Most imaging tools have a built-in write blocker that the Examiner can utilize while imaging a hard disk. 2. Software for IR For software solutions, IR team is expected to be using both free and commercial software that can do the job in the least amount of time. What are the most common software tools used in IR investigation? Boot Disks Operating Systems (OS) Disk Imaging Tools Memory Capture and Analysis 22 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Live Response Capture and Analysis Indicator Creation and Search Utilities Forensic Examination Suites Log Analysis Tools What is disk imaging? The imaging of a storage medium can be performed using forensic software or hardware. The imaging software can include features such as: Recognition of hidden areas. Imaging multiple devices simultaneously. Imaging to multiple destinations concurrently. Hash verification with common hash algorithms. Hash verification at different stages of the imaging process. Support the most common forensic image formats. Producing encrypted and compressed images. Resuming an interrupted acquisition process. Tolerance of hardware errors. There are several common image file formats, namely raw or dd. These formats store all data from the original medium in a raw file. Other formats include Expert Witness Format (EWF) and Advanced Forensic Format (AFF). They contain features like: Compression of data Encryption of data Error-Checks Case Metadata Hash sums Splitting the image in chunks What tools used for Disk Imaging? A. FTK Imager FTK Imager is an open-source software by AccessData that is used for creating accurate copies of the original evidence (disk imaging) without making any changes to original evidence. AccessData FTK Imager is forensics tool whose main purpose is to preview recoverable data from a disk of any kind. It can also create perfect copies, called forensic images, of that data. 23 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT This powerful tool can create forensic images of local hard drives, floppy disks, Zip disks, CDs, and DVDs, entire folders, or even of individual files from various places within the media storage device. FTK imager can create forensic images in different formats including RAW, E01 and AFF. The Interface Diagram (6) FTK Imager Interface What other important features found in FTK Imager? HASH REPORTS Generate hash reports for regular files and disk images (including files inside disk images) that you can later use as a benchmark to prove the integrity of your case evidence. FTK Imager uses two leading hash functions: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1). RAM CAPTURE FTK Imager allows you to perform memory capture or registry capture on a live device, to recover passwords or other data stored in memory on the active device. 24 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT What is the RAM dump? In the realm of digital forensics and incident response, the analysis of volatile memory, commonly referred to as RAM (Random Access Memory), plays a pivotal role in extracting crucial evidence and uncovering valuable information. RAM dump is the process of capturing the contents of a computer's memory, is a vital step in preserving volatile data for forensic examination. RAM dumps can be acquired using specialized tools like FTK Imager and Magnet Ram Capturer (both of which are available for free) or the analysis can be done using specialized tools or Open source frameworks like Volatility Framework. How it is useful for digital forensics investigation? Volatile nature of RAM: RAM is a volatile form of memory that holds data temporarily while a computer is powered on. Once the system is shut down, the contents of RAM are lost. Therefore, capturing a RAM dump becomes essential to preserve valuable evidence that may not be available through traditional disk-based analysis. Dynamic and live information: RAM contains real-time information about running processes, active network connections, open files, encryption keys, passwords, and other critical artifacts. Analyzing the RAM dump allows forensic investigators to access this dynamic and live information, providing insights into the state of the system at the time of the incident. Uncovering hidden or encrypted data: RAM often holds data that may not be easily accessible through traditional file system analysis. It can reveal information about active malware, hidden processes, encrypted data in memory, or remnants of deleted files, offering a wealth of evidence that can be crucial to an investigation. 3. Digital Forensics Lab (DFL) Computer forensics laboratories are tightly controlled areas for various levels of computer examination. Professional DF examiners usually divide computer forensics labs into two domains: active-system analysis and static media examination. Active-system analysis deals with forensic information, user activity and log reports based off an actively running operating system stored in volatile memory: erased on shutdown or restart. Static media examinations focus on removable flash drives. external and internal hard disks and other types of storage media that persists after a computer is shut down. 25 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapter 6 Incident Preparation (Case Management System) It is important to gather facts and additional information about the incident, so an investigation gets started. Those facts and information usually help to establish a context. For example, IP address is more helpful if you know what system it belongs to or what role that system performs. Also, a time of the incident it less useful if you don’t know the time zone. Without context it is easy to jump to wrong conclusions. Below are some general checklists used to gather information about the incident: (lists vary for each type of incident) A. Incident Summary Checklist Date and the time the incident was reported. The date and the time the incident was detected. Contact information of the person documenting the information. Contact information of the person who reported the incident. Contact information of the person who detected the incident. The nature of the incident. (mass malware – spear phishing attempt – failed logins – unauthorized access) The type of affected resources. How the incident was detected. The unique identifier and location of the computers affected by the incident. (IP address – Host name – Asset tag number) Who accessed the system since the detection? Who is aware of the incident? Whether the incident is currently ongoing. Whether there is a requirement to keep knowledge of the incident on “need-to-know” basis. B. Incident Detection Checklist (Additional Details) Individual System Details. Physical location. The asset tag number. The system’s make and model. The operation system installed. Primary Function of the system. 26 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT The responsible system administrator or user. The assigned IP address. The system’s host name and domain. The critical information stored on the system. Whether backups exist for the system. Whether the system is still connected to the network. A list of malwares detected, from the time of your investigation back to the beginning. A list of any remediation steps that have been taken. If any data is being persevered, what process is being used and where it is being stored. C. Network Details Checklist A list of all external malicious IP addresses or domain names involved. Whether network monitoring is being conducted. A list of any remediation steps that have been taken. If any data is being preserved, what process is being used and where it is being stored. Updates to network diagrams and configurations. D. Malware Details Checklist The date and time of the detection. How the malware was detected. The list of systems where the malware was found. The name of the malicious file, and what directory was it present in. What the detection mechanism determined, such as the name and family of the malicious file. If the malware is active during the IR and if active network connections and present. Whether a copy of the malware is preserved, either manually or through a quarantine process. The status of any analysis. Has the malware been analyzed for the network and host indicator of the compromise? Whether the malware was submitted to third parties, either through automated processes or via direct action by an employee. 27 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Review Questions Chapters 5 & 6 Fill the blank: FTK Imager Network Details Checklist DFIR Boot Disk Malware Details Checklist Write blocker 1. _____________________ process of collecting, preserving, and analyzing electronic evidence in cyber security incidents. 2. _____________________ is a device that enables data to be acquired from a hard disk without modifying the disk’s data. 3. _____________________ is an example of desk imaging software. 4. _____________________ includes a list of all external malicious IP addresses or domain names involved. Fill the table: Cables – Boot Disk – Write blockers – Desk Imaging Tool Case-opening Tools – Live Response – Camera – Operating System (OS) Hardware tools Software tools Short answers: 1. Give two examples of digital forensics data collected during investigations: a) b) 2. Give two main functions of FTK Imager: a) b) 28 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 3. Give examples of information found in the summary checklist: a) b) 4. Give examples of information found in the malware checklist: a) b) In-class Exercise: Go online find more about Vice Society attack on IKEA Discuss the following: When did the attack happen? In which country? What is the type of attack? What steps should be taken to prevent future attacks? 29 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapters 7 and 8 Analyzing Evidence First step of analyzing the evidence is to determine what data needs to be analyzed. For digital evidence to be classified as genuine and trustworthy, it should meet the following criteria: Admissible in court Authentic Complete Reliable Believable Investigators collect and analyze evidence based on the following factors: Nature of the case Amount of data collected Search warrant and court orders Policies Basic (general) steps for Computer Forensics: (The approach may vary based on the type of the case) - For the target drive, we need to investigate the recently wiped media. Inspect the computer viruses. Inventory the hardware on suspect’s computer. Examine the condition of the computer when it was seized. Remove the original drive from the computer. List all the folders and files found on suspect’s computer. Examine the data if possible (start at the root directory / partitions) Make your best to recover the files for all password-protected files. Report all the steps performed. Maintain control of all evidence and findings. Important note! Investigators should ensure physical security of the digital evidence so nothing happens to the evidence and that no items can be lost or compromised. 30 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT How to handle digital evidence? (INTERPOL Global Guidelines for Digital Forensics) 2. 3. 4. 5. 6. 7. Label and seal: evidence must be uniquely labeled and sealed with proper container. Document: details of the device including type, serial number, and manufacture. Not left unattended. Kept away from any source of contamination such as water, heat, dust, or humidity. Stored in a secure place. Preservation (original evidence kept safe) Anti-static shielding bags are used to store, transport, and protect evidence. The bags will protect electronic items from damage when electrostatic discharge occurs. At the start of their investigation, investigators will typically begin by creating a digital “image” of the victim’s hard drive. This process provides a replica of what you see on the original drive and allows them to explore and test hypotheses without worrying about changing evidence or potentially deleting it. The imaging process will generate cryptographic hash values, which verify the drive’s authenticity. Wherever possible, evidence gathered is stored in a secure location, and you can access it later. The flowchart below explains briefly how to handle digital evidence: 31 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Diagram (7) how to handle digital evidence 32 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT What is Steganography in DF? A steganography a very famous technique involves hiding sensitive information within an ordinary, non-secret file or message, so that it will not be detected. The sensitive information will then be extracted from the ordinary file or message at its destination, thus avoiding detection. You can use steganography to hide text, video, images, or even audio data. Hackers are also using artificial intelligence (AI). Steganography is just one of the many methods that artificial intelligence is increasingly employing to conceal its activities. AI implementations have tweaked even steganographic techniques to make attacks harder to detect. The following are examples of steganography: - Embedding text in a picture. - Backward masking a message in an audio file. - Concealing information in either metadata or within a file header. - Hiding an image in a video, viewable only if the video is played at a particular frame rate. - Or it can be used by hackers to corrupt data files or hide malware in otherwise innocent documents. For example, attackers can use BASH and PowerShell scripts to launch automated attacks, embedding scripts in Word and Excel documents. The following are examples of forensic tools used to detect steganography: Stegdetect Xstegsecret Stego Watch StegAlyzerAS StegSpy Let’s take an example of analyzing a computer… What data DF examiners need to extract? 1. 2. 3. 4. 5. 6. 7. 8. Emails Office Documents (Word, Excel, etc.) Pictures and Videos (using hash comparison, location, and other metadata) Internet Browsers (Chrome, Safari, etc.) Website visit history Local cache / temporary internet files Bookmarks/favorites Session’s information Cookies Saved usernames and passwords Entries from form fields Internet keyword searches Software Cloud and Remote Storage User Activity Logs 33 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Windows Event Logs On Windows operating systems, the event logs store a lot of useful information about the system, users, activities, and applications. The main purpose of the event logs is to provide information to administrators and users. They are structured in five levels (information, warning, error, critical, and success/failure audit). In terms of forensic analysis, this is a valuable source to understand the course of actions on a system. Windows event log are structured in five channels: - Application: contains information logged by applications on the system. - Security: contains incidents related to security events according to the auditing policy of the Windows operating system. This log contains login attempts (success and failure), elevated privileges, and more. Details of the security event logs can be increased by applying a specialized auditing policy. - Setup: captures incidents of installation or upgrading of the Windows operating system. - System: contains messages generated by the Windows operating system. - Forwarded Events: contains events which are forwarded by other computers. This event is populated if Windows Event Forwarding is enabled and the local machine is running as a central subscriber, other machines are forwarders. All logs are stored in five categories/levels (information, warning, error, critical and success/failure audit). Error, audit success and failure logs are important in terms of forensic investigations while the other categories provide insight about the incidents occurred on the system. Event logs are stored in XML format at System32/winevt/Logs folder. Important note! Configuring adequate logging on Windows systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step toward ensuring that your environment can support effective incident response using Incident Response tools. Modern tools have multiple capacities where they can block, and detect the threat and they can even alert the security teams to investigate further issues such as: ManageEngine IBMQRadar SolarWinds SumoLogic AlientVault LogRhythm Splunk Varonis Dynatrace 34 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Diagram (8) Event Viewer Interface Other forensics tools to analyze evidence… EnCase EnCase Forensic helps investigators quickly search, identify, and prioritize potential evidence across computers, laptops, and mobile devices to determine whether further investigation is warranted, decreasing case backlogs, and closing cases faster. Main features of EnCase: A) Acquisition (including Smartphone and Tablet support): - Apple’s iOS Google’s AndroidTM OS Nokia Symbian Microsoft’s Windows Mobile OS B) Processing: Automate common tasks associated with preparing evidence for investigation, includes: - Recover Folders File Signature Analysis Protected File Analysis Hash Analysis (MD5 and SHA-1) Expand compound files Find Email (PST, NSF, DBX, EDB, AOL, MBOX) Find Internet Artifacts (IE, Firefox, Safari) 35 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT C) Search for Keywords Index Deep Forensic Analysis: - New Supported Files:. EXT4 HSFX Microsoft Office 2010 iOS Physical Images (iPad, iPhone, iPod) - - D) New Encryption Support: Full Disk Encryption. New E-Mail Investigation Platform:. Added capabilities to review e-mail conversations and related messaged to uncover context and identify all individuals related to the case. Tagging: Create custom tags and apply to any file, including hash records, to enable easy export of files for review by others. Unified Search: Now search across the entire case from one easy to use, flexible, and powerful search interface. Incorporate the index, keyword search results, and tags into a single search. Reporting - Customizable Templates: Create custom report templates for consistent reporting for every case. Formatting: Choose formatting for each section of the report, tailoring the representation of finding to meet the audience’s needs. Easy Export Options: Save reports in any of the following formats: Text, RFT (opens in Microsoft Office), HTML, XML, PDF. Diagram (9) EnCase Interface 36 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Review Questions Chapters 7 & 8 Choose the correct answer: 7. A forensic tool used to detect steganography: A. FTK Imager B. EnCase C. Stegdetect 8. Investigators collect and analyze evidence based on one of the following factors: A. Nature of the case B. Names of the people on the case C. How much money got stolen from victim 9. For digital evidence to be classified as trustworthy, it has to be: A. Hidden B. Authentic C. Mysterious 10. A forensics tool that is used to preview recoverable data from a disk: A. FTK Imager B. Write-Blocker C. Event Viewer 11. A technique involves hiding sensitive information within an ordinary, non-secret file or message, so that it will not be detected is called: A. Steganography B. Steganalysis C. Encryption True / False: T / F SIEM solutions are used to create copy of original evidence. T/F FTK can recover deleted messages from a drive. T/F Write blocker is used to make changes on original evidence. T/F Steganography is used with encryption to hide important evidence. T/F Digital forensic software help investigator to search for keywords related to the case. T/F Investigators look for more authentic and admissible evidence in courts. T/F SIEMS can track connections to unknown IPs. Short Answers: 1. Give two examples of data DF examiners extract from computers during cyber-incidents’ investigations: a) b) 37 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 2. Give two examples of steganography techniques used in hiding digital information: a) b) 3. List two commercial tools used for analyzing digital evidence: a) b) 4. List two main functions of EnCase: a) b) 5. Mention two important steps for handling digital evidence: a) b) Draw a simple flowchart to illustrate how to preserve digital evidence: 38 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapter 9 Mobile Forensics Following the development of mobile forensics, you can see that the mobile digital forensics software developed so you can extract data from call logs, photos, messages, browsers history, geolocation data, deleted files, applications, images and videos and other deleted records. DF examiners try their best to extract evidence for the case. Their aim to gather all passcodes, passwords or patterns of the exhibit, prior to conducting the work. Using the manual method, for example, requires the phone to be unlocked. Almost all extraction methods require phones to be unlocked. It is therefore always a good practice to try to obtain the unlock code at the time of seizure. There are five common different levels of data extraction for mobile devices, which are described from the level where most data can be extracted to the level where the least can be extracted. Regardless of the method used, after the information has been extracted from the device the SIM card and Micro SD are analyzed separately. A. Logical Extraction Logical extraction involves receiving information from the mobile device and allowing the device to present the data for analysis. This is often the equivalent of accessing the data on the device itself. This method makes only live data available to the DF Examiner. Most mobile device forensic software offers this type of feature. Live data which can be acquired through logical extraction include: call and text logs contact lists passwords to active social media like Facebook or Twitter saved photos and videos data from apps like Tinder or WhatsApp Logical extractions will not recover deleted files, and the process cannot be performed on locked or password-protected devices. 39 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT B. File System Dump (FSD) The File System Dump (FSD) is a hybrid of Physical Extraction and Logical Extraction. FSD retrieves the device’s file system and interprets the data during the processing stage. This allows the DF Examiner to retrieve, for example, databases holding deleted messages that may not be available at a logical extraction and may not be accessible during a physical extraction. However, a limitation of FSD is that it does not retrieve all deleted data the way a physical extraction is able to do. C. Physical Extraction A physical extraction is the acquisition of raw binary data from the media storage of the device. These raw data then need to be analyzed and processed at a later stage by a forensic software. This method typically allows the DF examiner to access live and deleted data, operating system files and areas of the device that are not normally accessible to the user. HOW? mobile phones are designed to allow the insertion of a small piece of code, called bootloaders, into the RAM during start-up.” The bootloader will read the contents of the device’s memory and send it back to extraction device. DF investigator can bypass system locks and passcodes for many devices. In addition to the information derived from logical extraction, physical extraction can yield the following: deleted passwords. deleted files, photos and videos. deleted Snapchat pics. deleted text messages, contacts and call logs. location tags & GPS fixes. Diagram (10) illustrate data extracted using logical, FSD and physical methods 40 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT D. Manual A limitation of forensic software is that sometimes it does not support the model of certain unique mobile devices, or recently launched models. In this case, it is commonly acceptable for the DF Examiner to use the manual method. This method accesses the device and records of the data displayed on the screen with photographs or video, or by transcribing its data. E. JTAG / Chip-Off / Rooting / Jail Breaking For mobile devices that are damaged or locked with a password, JTAG and Chip-Off methods can be used to extract the data. JTAG extraction requires the stripping down of the device to its logical board and soldering the certain cable to a certain connection on the board. This requires high technical skill. Using this method, the DF Examiner should be able to retrieve raw binary data from the media storage of the device. Chip-Off also allows the extraction of raw binary data from the device’s storage, but it requires the permanent removal of the device’s memory chip from the memory board. When the Examiner conducts Chip-Off, the device will be damaged and can no longer be used. On top of that, expectations on the use of chip-off for mobile devices must be moderated. Recent devices store encrypted data on their memory chip. Devices operating on Android version 7.0 onwards are encrypted by default. Chip-off will still remain viable for other IOT devices which usually store data in clear text. Another, less destructive, method that can be used with some mobile devices is “Rooting” or “Jail Breaking”. This process involves leveraging features of the operating system to elevate the permissions and privileges of the running user (like the process of gaining “Root” access in a Linux computer). This process cannot be considered as a forensic technique as it involves the modification of system files and can potentially damage the device and so should be low on the list of techniques used. 41 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Review Questions Chapter 9 Choose the correct answer: 1. A forensic tool used to analyze data extracted from a mobile: a) Live response b) EnCase c) Stegdetect 2. __________________ defined as the acquisition of raw binary data from the media storage of the device: a) Manual extraction b) Physical extraction c) Logical extraction 3. __________________ requires the permanent removal of the device’s memory chip from the memory board. a) Chip-Off b) Manual c) Physical Extraction 4. This method accesses the device and records the data displayed on the screen including photographs or videos for recently launched devices that are not supported by DF tools. a) Manual extraction b) Physical extraction c) Logical extraction True / False: T / F Different mobile extraction methods retrieve different forensic data. T/F Chip-off extraction is used in case the mobile device was damaged. T/F SIM cards are used to extract data during DF investigations. T/F Logical extraction retrieved all deleted data from mobile devices. Short Answer: 1. Give two examples of data extraction methods from mobile devices: a) b) 2. Give two examples of data extracted from mobile devices and used in DF investigations.: a) b) 42 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Chapter 10 Report Writing What are the main parts of digital forensic report? Diagram (11) main and sub sections of DF report 1. Executive Summary: This section provides background data of conditions that needs a requirement for investigation. Executive Summary or the Translation Summary is read by Senior Management or law officials as they do not read detailed report. This section must contain short description, details, and important pointers. This section consists of following: a. b. c. d. e. Taking account of who authorized the forensic examination. List of the significant evidence in a short detail. Explaining why a forensic examination of computing device was necessary. Including a signature block for the examiners who performed the work. Full, legitimate, and proper name of all people who are related or involved in case, Job Titles, dates of initial contacts or communications. 2. Objectives: Objectives section is used to outline all tasks that an investigation has planned to complete. In some cases, it might happen that forensics examination may not do a fullfledged investigation when reviewing contents of media. The prepared plan list must be discussed and approved by legal counsel, decision makers and client before any forensic analysis. 3. Computer Evidence Analyzed: This section is where all gathered evidence and its interpretations are introduced. It provides detailed information regarding assignment of evidence’s tag numbers, description of evidence and media serial numbers. 43 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT 4. Relevant Findings: This section gives summary of evidence found of “probative value” When a match is found between forensic science material recovered from a crime scene e.g., a fingerprint, a strand of hair, a shoe print, etc. and a reference sample provided by a suspect of case, match is widely considered as strong evidence that suspect is source of recovered material. It answers questions such as “What related objects or items were found during investigation of case?” 5. Supporting Details: This section where in-depth analysis of relevant findings is done. It contains table of vital files with a full path name, results of string searches, Emails/URLs reviewed, number of files reviewed and any other relevant data. All tasks undertaken to meet objectives is outlined by this section. In Supporting Details, we focus more on technical depth. It includes charts, tables, and illustrations. This section is the longest section. It starts with giving background details of media analyzed. 6. Investigative Leads: Investigative Leads performs action items that could help to discover additional information related to the investigation of case. The investigators perform all outstanding tasks to find extra information if more time is left. Investigative Lead section is very critical to law enforcement. This section suggests extra tasks that discovers information needed to move on case. For example, finding out if there are any firewall logs that date any far enough into past to give a correct picture of any attacks that might have taken place. 7. Additional Subsections: Various additional subsections are included in a forensic report. These subsections are dependent on clients want and their need. The following subsections are useful in specific cases: Attacker Methodology Additional briefing to help reader understand general or exact attacks performed is given in this section of attacker methodology. This section is useful in computer intrusion cases. Inspection of how attacks are done and what bits and pieces of attacks look like in standard logs is done here. User Applications In this section we discuss relevant applications that are installed on media analyzed because it is observed that in many cases applications present on system are very relevant. Give a title to this section, if you are investigating any system that is used by an attacker. e.g. Cyber Attack Tools. 44 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Internet Activity Internet Activity or Web Browsing History section gives web surfing history of user of media analyzed. The browsing history is also useful to suggest intent, downloading of malicious tools, unallocated space, online research, downloading of secure deleted programs or evidence removal type programs that wipe files slack and temporary files that often harbor evidence very important to an investigation. Recommendations This section gives recommendation to posture client to be more prepared and trained for next computer security incident. We investigate some hostbased, network-based, and procedural countermeasures are given to clients to reduce or eliminate risk of incident security. 45 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT Review Questions Chapter 10 Match the following: Recommendation – Summary – Internet Activity – Findings – Objectives Part of report Description Lists names of all people related and involved in the case. Subsections of the forensics report that lists the “Web Browsing History This part of the report lists the strong evidence found in the case. This is considered as an additional section of digital forensic reports This section is used to outline all tasks that an investigation has planned to complete. In-class Exercise: Go online and find some IR reports then discuss the main parts as follow: - What is the languages used? - Is it written in short or details? - Did it mention the date and time of the incident? - Did it include the steps taken or future actions? 46 ALAA H RIDHA THE HIGHER INSTITUTE OF COMMUNICATION AND NAVIGATION COMPUTER DEPARTEMENT References Textbooks: Incident Response and Computer Forensics (3rd Edition) by Jason Luttgens..‫ ﺟﻤﯿﻞ ﺣﺴﯿﻦ طﻮﯾﻠﺔ‬.‫ م‬.‫اﻟﺘﺤﻠﯿﻞ اﻟﺠﻨﺎﺋﻲ اﻟﺮﻗﻤﻲ‬ Websites: https://www.moi.gov.kw/main/content/docs/cybercrime/ar/law-establishing-cyber-crimedept.pdf http://www.interpol.int https://media.kasperskycontenthub.com https://www.datto.com https://www.geeksforgeeks.org/computer-forensic-report-format/ https://cybericus.com/best-mobile-forensic-tools/ https://www.citra.gov.kw/sites/ar/Pages/cybersecurity.aspx http://haveibeenpwned.com https://www.windowscentral.com/how-use-event-viewer-windows-10 https://ad-pdf.s3.amazonaws.com/Imager/4_3_0/FTKImager_UG.pdf https://blog.group-ib.com/digital_forensics_tools https://cybertalents.com/blog/what-is-cyber-crime-types-examples-and-prevention https://www.exabeam.com/incident-response/csirt/ https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf https://heimdalsecurity.com/blog/what-is-digital-forensics-and-incident-response-dfir/ https://www.exabeam.com/explainers/siem/what-is-siem/ https://www.manageengine.com/log-management/cyber-security/forensic-analysis-inSIEM.html https://www.learnforensic.com/blog-details/How-Steganography-can-Lead-Digital-ForensicInvestigation/7 https://www.simplilearn.com/what-is-steganography-article https://forensafe.com/blogs/event_logs.html https://www.comparitech.com/net-admin/siem-tools/ Others: ‫ﺟﻤﻌﯿﺔ أﻣﻦ اﻟﻤﻌﻠﻮﻣﺎت )ﺣﻤﺎﯾﺔ( – اﻟﻤﻤﻠﻜﺔ اﻟﻌﺮﺑﯿﺔ اﻟﺴﻌﻮدﯾﺔ‬ 47 ALAA H RIDHA