Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005.


Communication and Information System Control and Operation Centre, Information Security Centre (InfoSec Centre). InfoSec Centre Chief: mjr. Ing. Albert VAJÁNYI. Division Chief: 1Lt. Ing. Boris ZEMEK. (c) May 2005

What is computer forensics anyway? The application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Computer specialists can draw on an array of methods for discovering deleted, encrypted or damaged file information. (Robbins, 1997)

You don't know what happened on your network. A network forensic analysis tool answers the hard question "What happened?" in the aftermath of a security incident. It is a passive network monitoring solution that visualizes network activity: it does not sit inline and does not alter traffic, it records and correlates. Such a tool can visualize and analyze data from firewalls, IDS, IPS, syslogs, audit systems and more.

Key Features of Forensic Tools
Data collection and visualization
- Monitor and analyze data from all seven layers of the Open Systems Interconnection (OSI) stack
- Relational, tree ontology for the knowledge base
- TCP dump recording: records the monitored traffic in an unprocessed, binary state (raw packets, so nothing is lost to premature parsing)
Pattern and content analysis
- Powerful visualizations expose anomalous activities, providing visibility into network communications before, during and after a suspicious event
- Functions irrespective of language, using n-gram analysis

Key Features of Forensic Tools
Forensic analysis and investigation
- Graphical arrangements include source, destination, time, type and duration of communication, and content
- Rebuild the crime pattern
- Play back events
- Generate reports and visual representations of the suspicious activity
- Report on key security and network parameters

Forensics Technology Services (FTS)
Digital Evidence Recovery: the technique of finding and extracting evidence. Legislation often prescribes how digital evidence must be handled for it to be considered trustworthy (admissible), so the recovery procedure has to follow those rules, not only be technically sound.
Cyber Forensics: some specialists attribute incidents on the network; cyber forensics shows who carried out an attack.

Forensics Technology Services (FTS)
Forensic Data Analysis: the interpretation of vast and varied data by means of visualization techniques.
Document Management Services: making documents accessible helps to share essential knowledge. In your investigations you can draw upon modern document management tools that let you archive, search, find, organise and reproduce documents.

Requirements for Forensics Tools (diagram, three stages): Collecting (Traffic Analysis, Database); Analyzing (Knowledge Base, Meta Data and Content Analysis, Context Analyzer, in Real-Time and Post Event); 2D or 3D Visualization (Data Visualization).

Types of Collected Data
- IDS/IPS logs
- Firewall logs
- Syslogs
- SQUID (proxy) logs
- Audit system logs
- and more
All logs are collected into the Central logs base.

Network monitoring (diagram): Intranet and Any Public Network traffic, the Server Farm and the Central logs base feed the Security Information Management System; Service Alarms go to the Network operation centre and Security Alarms go to the Security operation centre.

Security Information Management
What is Security Information Management (SIM)? SIM provides a simple mechanism that allows security teams to collect and analyze vast amounts of security alert data. More specifically, SIM solutions collect, analyze and correlate, in real time, all security device information across an entire enterprise. Correlated results are then displayed on a centralized real-time console that is part of an intuitive graphical user interface.

SIM can be divided into four phases:
1) Normalization
2) Aggregation
3) Correlation
4) Visualization
SIM uses normalization, aggregation and correlation to sift through mountains of security activity data in real time: correlating events, flagging and rating the potential seriousness of all attacks, compromises and vulnerabilities. The power of SIM technology allows a relatively small security staff to dramatically reduce the time between attack and response.

Security Information Management
Normalization is the process of gathering individual security device data and putting it into a context that is easier to understand, mapping different messages about the same security event to a common alarm ID. Keeping in mind that there are no message-format standards in the security device industry, normalization alone is a tremendous asset to security teams.
Aggregation eliminates redundant or duplicate event data from the security event stream, refining and optimizing the amount of information that is presented to security analysts.

Security Information Management
Correlation uses software to analyze the aggregated data, in real time, to determine whether specific patterns exist. These patterns of related security events often correspond to specific attacks, whether denial of service, virus activity, or some other form of attack.
Visualization, the final step in SIM, is the graphical representation of correlated information in a single, real-time console. Effective visualization lets security operators quickly identify and respond to security threats as they occur, before they create problems within the enterprise.

Systems alarms remapping
Original logs from systems - around types:
Sep 27 16:22:43 dmzserver su(pam_unix)[10983]: session opened for user nf by root(uid=0)
Sep 27 16:36:12 [ ] Sep :36:12: %PIX : Login permitted from /44743 to inside: /ssh for user "pix_ADMIN"
Changed to 100 NF types, for example: Forbidden Database Access, Privilege Escalation, Security Policy Change, Authentication succeeded
9 categories of NF alarms:
- Access / Authentication / Authorization
- Application Exploit
- Configuration / System Status
- Evasion
- Policy Violations
- Reconnaissance Attempts
- Unknown / Suspicious
- Virus / Trojan
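The four SIM phases above and the alarm remapping on this slide can be shown end to end in a small pipeline. The following is an added example, not code from the slides or from any product they describe: it normalizes raw syslog lines into the slide's alarm names and categories, aggregates duplicates, and correlates a brute-force pattern (repeated failed logins from one source followed by a success). The log lines are constructed samples modelled on the su(pam_unix) and PIX formats shown above; the regexes, the alarm names other than those on the slide, and the three-failures-in-60-seconds rule are the author's assumptions.

```python
"""Miniature SIM pipeline: normalization -> aggregation -> correlation.
Added example; the sample logs below are constructed, not real captures."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (the su and PIX lines mimic the formats on the slide).
SAMPLE_LOGS = [
    "Sep 27 16:20:01 dmzserver sshd[10970]: Failed password for root from 203.0.113.9 port 40111 ssh2",
    "Sep 27 16:20:03 dmzserver sshd[10971]: Failed password for root from 203.0.113.9 port 40112 ssh2",
    "Sep 27 16:20:05 dmzserver sshd[10972]: Failed password for root from 203.0.113.9 port 40113 ssh2",
    "Sep 27 16:20:05 dmzserver sshd[10972]: Failed password for root from 203.0.113.9 port 40113 ssh2",  # exact duplicate
    "Sep 27 16:20:07 dmzserver sshd[10974]: Accepted password for root from 203.0.113.9 port 40114 ssh2",
    "Sep 27 16:22:43 dmzserver su(pam_unix)[10983]: session opened for user nf by root(uid=0)",
    'Sep 27 16:36:12 fw01 %PIX-6-605005: Login permitted from 10.0.0.5/44743 to inside:10.0.0.1/ssh for user "pix_ADMIN"',
    "Sep 27 16:40:00 dmzserver cron[2001]: (root) CMD (run-parts /etc/cron.hourly)",  # no rule matches
]

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Normalization rules (assumed): message pattern -> (NF category, alarm name).
RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"),
     "Access / Authentication / Authorization", "Authentication failed"),
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
     "Access / Authentication / Authorization", "Authentication succeeded"),
    (re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user (?P<user>\S+) by (?P<src>\S+)\(uid=\d+\)"),
     "Access / Authentication / Authorization", "Privilege Escalation"),
    (re.compile(r'%PIX-\d-\d+: Login permitted from (?P<src>\S+) to \S+ for user "(?P<user>[^"]+)"'),
     "Access / Authentication / Authorization", "Authentication succeeded"),
]


def normalize(line):
    """Map one raw syslog line to a common event record; unmatched messages
    land in the slide's 'Unknown / Suspicious' category rather than being dropped."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
          "category": "Unknown / Suspicious", "alarm": "Unclassified",
          "user": None, "src": None, "raw": line}
    for rx, category, alarm in RULES:
        r = rx.search(m["msg"])
        if r:
            ev.update(category=category, alarm=alarm, **r.groupdict())
            break
    return ev


def aggregate(events):
    """Collapse identical events (same time, host, alarm, user, source) into one
    record with a count, so analysts see 'x3' instead of three rows."""
    merged = {}
    for ev in events:
        key = (ev["ts"], ev["host"], ev["alarm"], ev["user"], ev["src"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(ev, count=1)
    return list(merged.values())


def correlate(events, threshold=3, window=60):
    """Correlation rule (assumed): >= threshold failed logins for one (source, user)
    followed by a success within `window` seconds is rated high severity."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["alarm"] == "Authentication failed":
            failures[key].append(ev["ts"])
        elif ev["alarm"] == "Authentication succeeded":
            recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window]
            if len(recent) >= threshold:
                alerts.append({"severity": "high", "pattern": "brute force followed by success",
                               "src": ev["src"], "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"]})
            failures[key].clear()
    return alerts


def run_pipeline(lines):
    """Normalize, aggregate and correlate; returns (events, alerts)."""
    events = aggregate([ev for ev in map(normalize, lines) if ev])
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(SAMPLE_LOGS)
    for ev in events:
        print(f"{ev['ts']:%H:%M:%S} x{ev['count']} [{ev['category']}] {ev['alarm']} user={ev['user']} src={ev['src']}")
    for a in alerts:
        print("ALERT", a)
```

The visualization phase is left to the console; what matters here is that aggregation runs before correlation, otherwise the duplicated failure line would inflate the failure count and the threshold would be met by noise rather than by distinct attempts.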

Place of the Forensics Tool in the Network (diagram): the same topology as the network monitoring slide (Intranet, Any Public Network, Server Farm, Central logs base, Security Information Management System, Network operation centre with Service Alarms, Security operation centre with Security Alarms), with the Forensics Tool attached to the Central logs base and the Security Information Management System.

Network Forensics Analyzer Examples of Visualization

Visualization of Firewall Data: quickly visualize and understand relationships in firewall data across time (chart: Source_IP against # of occurrences against Dest_IP).

Source_IP versus Firewall Action (chart: Source_IP against # of occurrences against Firewall Action; Green = Accept, Red = Reject, Blue = Drop).
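The Source_IP versus Firewall Action chart is a pivot of the firewall log, and the same pivot is where a reconnaissance pattern (one source, many dropped or rejected destination ports) becomes visible. The following added example is not from the slides: it parses constructed firewall log lines in a simple key=value format (the format and the five-port threshold are the author's assumptions, not a specific vendor's syntax), builds the source/action pivot, renders it as a text bar chart and flags sources that fit the slide's "Reconnaissance Attempts" category.

```python
"""Source_IP versus Firewall Action pivot with a simple port-scan flag.
Added example; the log lines are constructed samples in an assumed format."""
import re
from collections import Counter, defaultdict

# Constructed sample lines: one ordinary client and one host probing several ports.
FW_LOGS = [
    "2005-05-10 09:12:03 ACCEPT src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=443",
    "2005-05-10 09:12:04 ACCEPT src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=443",
    "2005-05-10 09:12:09 REJECT src=10.0.0.5 dst=192.0.2.11 proto=tcp dport=25",
    "2005-05-10 09:13:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=21",
    "2005-05-10 09:13:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22",
    "2005-05-10 09:13:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23",
    "2005-05-10 09:13:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80",
    "2005-05-10 09:13:02 REJECT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=139",
    "2005-05-10 09:13:02 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443",
]

LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ACCEPT|REJECT|DROP) (?P<kv>.*)$")
BLOCKED = {"REJECT", "DROP"}


def parse_fw(line):
    """Parse one line into a dict: action plus the key=value fields."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"action": m["action"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())
    return rec


def pivot(lines):
    """Source_IP -> Counter of firewall actions (the chart on the slide)."""
    table = defaultdict(Counter)
    for rec in filter(None, map(parse_fw, lines)):
        table[rec["src"]][rec["action"]] += 1
    return dict(table)


def render(table):
    """Text rendering of the pivot, one bar per (source, action)."""
    rows = []
    for src in sorted(table):
        for action in ("ACCEPT", "REJECT", "DROP"):
            n = table[src][action]
            if n:
                rows.append(f"{src:<16} {action:<7} {'#' * n} {n}")
    return "\n".join(rows)


def flag_scanners(lines, min_ports=5):
    """Sources whose blocked (REJECT/DROP) traffic touched >= min_ports distinct
    destination ports: the 'Reconnaissance Attempts' pattern. Threshold is assumed."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_fw, lines)):
        if rec["action"] in BLOCKED:
            ports[rec["src"]].add(rec["dport"])
    return {src for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    table = pivot(FW_LOGS)
    print(render(table))
    print("possible reconnaissance from:", sorted(flag_scanners(FW_LOGS)))
```

Note that the accepted connection from the probing host does not clear the flag: a scan that ends in one accepted port is exactly the case an analyst wants to see next to the IDS alerts on the overlay slide that follows.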

Event Correlation (chart): VPN Traffic Events overlaid with Intrusion Detection System Alerts and Blocked Firewall Traffic.

Exercises on anomalies (slide images not reproduced)
