Intrusion Detection MIS ALTER 0A234 Lecture 12

What is Computer & Cyber Forensics Computer / Cyber forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.

Cyber Forensics Identifying This is the process of identifying such things as what evidence is present, where and how it is stored, and which operating system is being used. From this information the investigator can identify the appropriate recovery methodologies, and the tools to be used.

Preserving This is the process of preserving the integrity of the digital evidence, ensuring the chain of custody is not broken. The data needs to be preserved (copied) on stable media such as CD-ROM, using reproducible methodologies. All steps taken to capture the data must be documented. Any changes to the evidence must also be documented, including what the change was and the reason for the change. You may need to prove the integrity of the data in a court of law.

Analyzing This is the process of reviewing and examining the data. The advantage of copying this data onto CD-ROMs is the fact that it can be viewed without risk of accidental changes, therefore maintaining the integrity whilst examining the evidence. Presenting This is the process of presenting the evidence in a legally acceptable and understandable manner. If the matter is presented in court the jury, who may have little or no computer experience, must all be able to understand what is presented and how it relates to the original, otherwise all your efforts could be futile.

Incident Investigation Principles / Rules Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may be later presented in the court. Minimal Handling of the original data. Principle 2: A person must be competent enough in handling the original data held on a computer or storage media if it is necessary, and he/she also shall be able to give the evidence explaining the relevance and course of their actions. Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Principle 4: A person who is responsible for the investigation must have overall responsibility for accounting that the law and the ACPO principles are adhered to.

Incident Investigation - Principles Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may be later presented in the court. Minimal Handling of the original data. This can be regarded as the most important rule in computer forensics. Where possible make duplicate copies of the evidence and examine the duplicates. In doing this, the copy must be an exact reproduction of the original, and you must also authenticate the copy, otherwise questions can be raised over the integrity of the evidence.

Incident Investigation - Principles Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may be later presented in the court. In certain circumstances changes to the evidence may be unavoidable. For instance, booting up or shutting down a machine can result in changes to the memory, and/or temporary files. Where changes do occur, the nature, extent and reason for the change must be documented.

Incident Investigation - Principles Principle 2: A person must be competent enough in handling the original data held on a computer or storage media if it is necessary, and he/she also shall be able to give the evidence explaining the relevance and course of their actions. Do not proceed with an investigation if it is beyond your level of knowledge and skill. If you find yourself in this situation you should seek assistance from one more experienced, such as a specialist investigator, or if time permits obtain additional training to improve your knowledge and skills. It is advisable not to continue with the examination as you may damage the outcome of your case.

Incident Investigation - Principles Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Incident Investigation - Principles Principle 4: A person who is responsible for the investigation must have overall responsibility for accounting that the law and the ACPO principles are adhered to. The rules of evidence are the rules investigators must follow when handling and examining evidence, to ensure the evidence they collect will be accepted by a court of law. Five points on rules of evidence Admissible Authentic Complete Reliable Believable

Incident Investigation - Principles Admissible: This is the most basic rule – the evidence must be able to be used in court or elsewhere. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher. Authentic: If you can’t tie the evidence positively to the incident, you can’t use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way.

Incident Investigation - Principles Complete: It’s not enough to collect evidence that just shows one perspective of the incident. Not only should you collect evidence that can help prove the attacker’s actions but for completeness it is also necessary to consider and evaluate all evidence available to the investigators and retain that which may contradict or otherwise diminish the reliability of other potentially incriminating evidence held about the suspect. Similarly, it is vital to collect ev idence that eliminates alternative suspects. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in and demonstrate why you think they didn’t do it. This is called Exculpatory Evidence and is an important part of proving a case.

Incident Investigation - Principles Reliable: Your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity. Believable: The evidence you present should be clear, easy to understand and believable by a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted version that can be readily understood by a jury, you must be able to show the relationship to the original binary, otherwise there’s no way for the jury to know whether you’ve faked it.

Cyber Forensics – Process Steps 1.Obtain authorization to search and seize. 2.Secure the area 3.Document the chain of custody 4.Bag, tag, and safely transport the equipment and e-evidence. 5.Acquire the e-evidence from the equipment by using forensically sound methods and tools to create a forensic image of the e-evidence. Keep the original material in a safe, secured location.

Cyber Forensics 6.Design your review strategy of the e-evidence, including lists of keywords and search terms. 7.Examine and analyze forensic images of the e-evidence (never the original!) according to your strategy. 8.Interpret and draw inferences based on facts gathered from the e-evidence. Check your work. 9.Describe your analysis and findings in an easy-to-understand and clearly written report. 10.Give testimony under oath in a deposition or courtroom.

Cyber Forensics Memory Dump Considering modern technology : Volume Encryption, cloud services, etc. It becomes vital for an investigation to capture a volatile memory dump first, before triggering the power switch. Memory dumps routinely contain information that could be essential for an investigation, including binary decryption keys for encrypted volumes (TrueCrypt, BitLocker, PGP WDE), recently viewed pictures, loaded registry keys, recent Facebook communications, s sent and received via Web services such as Gmail or Hotmail, active malware, open remote sessions, and so on.

Cyber Forensics Disk Forensics Creating a forensic image of the suspect’s hard drive is an essential step and a must-do in any investigation. You should consider the following when looking at a tool: Bypass ATA / bootup passwords – Search on ATA bypass would get your started. You can reset HPA/DCO if present. Device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user.hard disk drives host protected areaBIOSOS Cloning and imaging to a file.

Analysis Once the relevant information has been extracted, the analyst should study and analyze the data to draw conclusions from it. The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the available data or determine that no conclusion can yet be drawn. The analysis should include identifying people, places, items, and events, and determining how these elements are related so that a conclusion can be reached. Often, this effort will include correlating data among multiple sources. For instance, a network intrusion detection system (IDS) log may link an event to a host, the host audit logs may link the event to a specific user account, and the host IDS log may indicate what actions th at user performed. Tools such as centralized logging and security event management software can facilitate this process by automatically gathering and correlating the data. Comparing system characteristics to known baselines can identify various types of changes made to the system.

Reporting Alternative Explanations. If there are many possibilities, then the analyst needs to address each one. Audience Consideration. Report should address the audience. Technical, Legal, Managerial, Law enforcement Actionable Information. Reporting also includes identifying actionable information gained from data that may allow an analyst to collect new sources of information. For example, a list of contacts Identified back doors or other malware

Additional Resources NIST SP800-86