Network Forensics An example of a computer crime – VIRTUAL crime that needs computer forensic expertise. Your company has recently hired a new salesman. Six months after his hire, he leaves your company and forms a competing interest, sending letters to all of your clients. You may think this a bit odd and contact an attorney to consider filing a suit. What has occurred is a virtual theft -- the salesman stole a copy of your client database. Note that this is a VIRTUAL theft -- since you were not deprived of any property (he didn't delete it, just copied it) you will likely not be able to prosecute him criminally.

What is Computer Forensics? Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Arose as a result of the growing problem of computer crimes. Computer crimes fall into two categories: –Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes. Investigation into these crimes often involves searching computers suspected to be involved. –Computer itself is a victim of a crime – this commonly referred to as incident response. It refers to the examination of systems that have been remotely attacked. Forensics experts follow clear, well-defined mythologies and procedures

Computer forensics started a few years ago- when it was simple to collect evidence from a computer. While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists. Basic forensic methodology consists of: –Acquire the evidence without altering or damaging the original –Authenticate that your recovered evidence is the same as the originally seized data –Analyze the data without modifying it.

Acquire the Evidence Keep in mind that every case is different Do not disconnect the computers – evidence may be only in RAM – So collect information from a live system. Consider the following issues: –Handling the evidence- if you do not take care of the evidence, the rest of the investigation will be compromised. –Chain of custody – the goal of maintaining a good chain of custody to ensure evidence integrity, prevent tempering with evidence. The chain should be answers to: Who collected it How and where Who took possession of it how was it stored and protected in storage Who took it out of storage and why?

–Collection You want the evidence to be so pure that it supports your case. –Identification Methodically identify every single item that comes out of the suspect’s/victim’s location and labeled. –Transportation Evidence is not supposed to be moved so when you move it be extremely careful. –Storage Keep the evidence in a cool, dry, and appropriate place for electronic evidence. –Documenting the investigation Most difficult for computer professionals because technical people are not good at writing down details of the procedures.

Authenticating evidence –It is difficult because Crime scenes change Evidence is routinely damaged by environmental conditions Computer devices slowly deteriorate –Keep proof of integrity and timestamp the evidence through encryption of files of data Two algorithms (MD5 and SHA) are in common use today Analysis –Make two backups –Use any well known analysis tools.

Tracking the Offender Keep in mind that cyber sleuths often have to track their offenders across a digital matrix Also that digital forensic techniques and tools are largely undeveloped- so you have little to run on. Tracing IP addresses –For http addresses in dotted quad ( base 256) use a ping to covert it to digit decimal (base 10) –For MAC address use the ARP tables ( be aware that MAC addresses can be changed by software) and NIC can be changed/removed/replaced. –Beware of DNS – may resolve and query with IP addresses. –After getting some information, try to traceroute Learn to read an trail. NetBIOS – a Windows protocol that used to run exclusively on LANS ( instead of TCP/IP) now running on top of TCP/IP to cover WANs, has a nbstat function that can display protocol statistics for all TCP/IP connctions. Other tracing tools include: Neotrace and Netscan Pro. These can do a trace route Use IDS logs

Storage Media Hard Drives –Make an image copy and then restore the image to a freshly wiped hard drive for analysis –Remount the copy and start to analyze it. –Before opening it get information on its configuration –Use tools to generate a report of lists of the disk’s contents ( PartitionMagic) –View operating system logs.

Encryption and Forensics Many times the evidence may be encrypted. Find a way to decrypt it while preserving the its integrity. In addition to encryption codes and compression of data may make the forensic work difficult. Find a way to overcome data compression and use of code.

Data Hiding There are several techniques that intruders may hide data. –Obfuscating data through encryption and compression. –Hiding through codes, steganoraphy, name embedding, obscurity and nonames on files –Blinding investigators through changing behavior of system commands and modifying operating systems. Use commonly known tools to overcome

Hostile Code Any unauthorized code on your computer. It is becoming increasing significant. Hostile code fall into two categories: –Manual – like network tools that allow unauthorized access (NetBus, BackOrifice, IRC), fix utilities that seamlessly replace legitimate binary code with a hostile version, log manipulators, vulnerability scanners, DDoS, –Autonomous – viruses(Melissa, time bombs), DDoS, and IRC bots.

Forensic Electronic Toolkit Computer and network forensics involves and requires: –Identification –Extraction –Preservation –Documentation A lot of tools are needed for a thorough work The “forensically sound “ method is never to conduct any examination on the original media. Before you use any forensic software, make sure you know how to use it, and also that it works. Tools: –Hard Drive - use partitioning and viewing ( Partinfo and PartitionMagic) –File Viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (Qiuckview Plus, Conversion Plus, DataViz, ThumnsPlus)

More tools (cont.) Unerase – if the files are no longer in the recycle bin or you are dealing with old systems without recycle bins. CD-R/W – examine them as carefully as possible. Use CD-R Diagnostics Text – because text data can be huge, use fast scans tools like dtSearch. Other kits: –Forensic toolkit – command-line utilities used to reconstruct access activities in NT File systems –Coroner toolkit - to investigate a hacked Unix host. –ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux. –New Technologies Incorporated (NTI) – EnCase –Hardware- Forensic-computers.com

Forensics based on OS Brands Investigating –Windows computers – pay attention to the Registry. It contains a wealth of information –Unix – take a look at the password files, the shell, the filesystem,

Internet Data Incident Response Guidelines Restore service safely Estimate extent and cost of incident Identify source of attack and their motivation Deter future crime Recover loss Protect public image Conduct due diligence Assume corporate responsibility Increase understanding of security landscape.

Roles and Responsibilities To facilitate teamwork the organization’s roles must be assigned as fallows: –Corporate security and incident team –Security investigator –Emergency response core team –Application owner –Application developer –System owner/administrator –Network administrator –Firewall administrator –Security consultants