Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.

Slides:



Advertisements
Similar presentations
Guide to Computer Forensics and Investigations Third Edition
Advertisements

Guide to Computer Forensics and Investigations Fourth Edition
Chapter 10 Recovering Graphics Files
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Third Edition
Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 13 Cell Phone and Mobile Devices Forensics.
Guide to Computer Forensics and Investigations Fourth Edition
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Intrusion Detection Systems and Practices
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World
Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
COS 413 Day 20. Agenda Assignment 6 is posted –Due Nov 7 (Chap 11 & 12) LAB 7 write-up due tomorrow Lab 8 in OMS tomorrow –Hands-on project 11-1 through.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Lecture 11 Intrusion Detection (cont)
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Network Security Monitoring By Bea Wilds CS Dec 06.
Hands-on: Capturing an Image with AccessData FTK Imager
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
COEN 252 Computer Forensics
What is FORENSICS? Why do we need Network Forensics?
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
COEN 252 Computer Forensics Collecting Network-based Evidence.
Guide to Computer Forensics and Investigations Fifth Edition
Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.
Forensic and Investigative Accounting Chapter 14 Digital Forensics Analysis © 2011 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL
Guide to Computer Forensics and Investigations Fifth Edition
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
Denial of Service (DoS) DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended.
7400 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved. -0/17- OfficeServ 7400 Enterprise IP Solutions Quick Install Guide.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
Chapter 3 Installing and Learning Software. 2Practical PC 5 th Edition Chapter 3 Getting Started In this Chapter, you will learn: − What is in an application.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis.
1 HoneyNets, Intrusion Detection Systems, and Network Forensics.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
Defense in Depth. 1.A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Role Of Network IDS in Network Perimeter Defense.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions.
Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
General Information: This document was created for use in the "Bridges to Computing" project of Brooklyn College. You are invited and encouraged to use.
NETWORK SECURITY LAB 1170 REHAB ALFALLAJ CT1406. Introduction There are a number of technologies that exist for the sole purpose of ensuring that the.
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Firmware threat Dhaval Chauhan MIS 534.
Configuring Windows Firewall with Advanced Security
Wireless Network Security
Lesson Objectives Aims You should be able to:
Chapter 4: Protecting the Organization
Network hardening Chapter 14.
G061 - Network Security.
Presentation transcript:

Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions

Guide to Computer Forensics and Investigations2 Objectives Describe primary concerns in conducting forensic examinations of virtual machines Describe the importance of network forensics Explain standard procedures for performing a live acquisition Explain standard procedures for network forensics Describe the use of network tools

Virtual Machines Overview Virtual machines are important in today’s networks. Investigators must know how to detect a virtual machine installed on a host, acquire an image of a virtual machine, and use virtual machines to examine malware.

Virtual Machines Overview (cont.) Check whether virtual machines are loaded on a host computer. Check Registry for clues that virtual machines have been installed or uninstalled.

Guide to Computer Forensics and Investigations5 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain how an attack was carried out or how an event occurred on a network Intruders leave trail behind Determine the cause of the abnormal traffic –Internal bug –Attackers

Guide to Computer Forensics and Investigations6 Securing a Network Layered network defense strategy –Sets up layers of protection to hide the most valuable data at the innermost part of the network Defense in depth (DiD) –Similar approach developed by the NSA –Modes of protection People Technology Operations

Guide to Computer Forensics and Investigations7 Securing a Network (continued) Testing networks is as important as testing servers You need to be up to date on the latest methods intruders use to infiltrate networks –As well as methods internal employees use to sabotage networks

Guide to Computer Forensics and Investigations8 Performing Live Acquisitions Live acquisitions are especially useful when you’re dealing with active network intrusions or attacks Live acquisitions done before taking a system offline are also becoming a necessity –Because attacks might leave footprints only in running processes or RAM Live acquisitions don’t follow typical forensics procedures Order of volatility (OOV) –How long a piece of information lasts on a system

Guide to Computer Forensics and Investigations9 Performing Live Acquisitions (continued) Steps –Create or download a bootable forensic CD –Make sure you keep a log of all your actions –A network drive is ideal as a place to send the information you collect –Copy the physical memory (RAM) –The next step varies, depending on the incident you’re investigating –Be sure to get a forensic hash value of all files you recover during the live acquisition

Guide to Computer Forensics and Investigations10 Performing a Live Acquisition in Windows Several tools are available to capture the RAM. –Mantech Memory DD –Win32dd –winen.exe from Guidance Software –BackTrack 3

Performing a Live Acquisition in Windows

Guide to Computer Forensics and Investigations12 Developing Standard Procedures for Network Forensics Long, tedious process Standard procedure –Always use a standard installation image for systems on a network –Close any way in after an attack –Attempt to retrieve all volatile data –Acquire all compromised drives –Compare files on the forensic image to the original installation image

Guide to Computer Forensics and Investigations13 Developing Standard Procedures for Network Forensics (continued) Computer forensics –Work from the image to find what has changed Network forensics –Restore drives to understand attack Work on an isolated system –Prevents malware from affecting other systems

Guide to Computer Forensics and Investigations14 Reviewing Network Logs Record ingoing and outgoing traffic –Network servers –Routers –Firewalls Tcpdump tool for examining network traffic –Can generate top 10 lists –Can identify patterns Attacks might include other companies –Do not reveal information discovered about other companies

Guide to Computer Forensics and Investigations15 Using Network Tools Sysinternals –A collection of free tools for examining Windows products Examples of the Sysinternals tools: –RegMon shows Registry data in real time –Process Explorer shows what is loaded –Handle shows open files and processes using them –Filemon shows file system activity

Guide to Computer Forensics and Investigations16 Using Network Tools (continued)

Guide to Computer Forensics and Investigations17 Using Network Tools (continued) Tools from PsTools suite created by Sysinternals –PsExec runs processes remotely –PsGetSid displays security identifier (SID) –PsKill kills process by name or ID –PsList lists details about a process –PsLoggedOn shows who’s logged locally –PsPasswd changes account passwords –PsService controls and views services –PsShutdown shuts down and restarts PCs –PsSuspend suspends processes

Guide to Computer Forensics and Investigations18 Using UNIX/Linux Tools Knoppix Security Tools Distribution (STD) –Bootable Linux CD intended for computer and network forensics Knoppix-STD tools –Dcfldd, the U.S. DoD dd version –memfetch forces a memory dump –photorec grabs files from a digital camera –snort, an intrusion detection system –oinkmaster helps manage your snort rules

Guide to Computer Forensics and Investigations19 Using UNIX/Linux Tools (continued) Knoppix-STD tools (continued) –john –chntpw resets passwords on a Windows PC –tcpdump and ethereal are packet sniffers With the Knoppix STD tools on a portable CD –You can examine almost any network system

Guide to Computer Forensics and Investigations20

Guide to Computer Forensics and Investigations21 Using UNIX/Linux Tools (continued)

Guide to Computer Forensics and Investigations22 Using UNIX/Linux Tools (continued) The Auditor –Robust security tool whose logo is a Trojan warrior –Based on Knoppix and contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more –Includes forensics tools, such as Autopsy and Sleuth –Easy to use and frequently updated

Guide to Computer Forensics and Investigations23 Using Packet Sniffers Packet sniffers –Devices or software that monitor network traffic –Most work at layer 2 or 3 of the OSI model Most tools follow the PCAP format Some packets can be identified by examining the flags in their TCP headers Tools –Tcpdump –Tethereal

Guide to Computer Forensics and Investigations24 Using Packet Sniffers (continued)

Guide to Computer Forensics and Investigations25 Using Packet Sniffers (continued) Tools (continued) –Snort –Tcpslice –Tcpreplay –Tcpdstat –Ngrep –Etherape –Netdude –Argus –Ethereal

Guide to Computer Forensics and Investigations26 Using Packet Sniffers (continued)

Guide to Computer Forensics and Investigations27 Using Packet Sniffers (continued)

Guide to Computer Forensics and Investigations28 Using Packet Sniffers (continued)

Guide to Computer Forensics and Investigations29 Examining the Honeynet Project Attempt to thwart Internet and network hackers –Provides information about attacks methods Objectives are awareness, information, and tools Distributed denial-of-service (DDoS) attacks –A recent major threat –Hundreds or even thousands of machines (zombies) can be used

Guide to Computer Forensics and Investigations30 Examining the Honeynet Project (continued)

Guide to Computer Forensics and Investigations31 Examining the Honeynet Project (continued) Zero day attacks –Another major threat –Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available Honeypot –Normal looking computer that lures attackers to it Honeywalls –Monitor what’s happening to honeypots on your network and record what attackers are doing

Guide to Computer Forensics and Investigations32 Examining the Honeynet Project (continued) Its legality has been questioned –Cannot be used in court –Can be used to learn about attacks Manuka Project –Used the Honeynet Project’s principles To create a usable database for students to examine compromised honeypots Honeynet Challenges –You can try to ascertain what an attacker did and then post your results online

Guide to Computer Forensics and Investigations33 Examining the Honeynet Project (continued)

Guide to Computer Forensics and Investigations34 Summary Virtual machines are important in today’s networks, and investigators must know how to detect a virtual machine installed on a host, acquire an image of a virtual machine, and use virtual machines to examine malware Network forensics tracks down internal and external network intrusions Networks must be hardened by applying layered defense strategies to the network architecture Live acquisitions are necessary to retrieve volatile items

Guide to Computer Forensics and Investigations35 Summary (continued) Standard procedures need to be established for how to proceed after a network security event has occurred By tracking network logs, you can become familiar with the normal traffic pattern on your network Network tools can monitor traffic on your network, but they can also be used by intruders Bootable Linux CDs, such as Knoppix STD and Helix, can be used to examine Linux and Windows systems

Summary (continued) The Honeynet Project is designed to help people learn the latest intrusion techniques that attackers are using