Slide 1: COMPUTER FORENSICS
Tan (tan@atstake.com)
Slide 2: FORENSICS IS A FOUR STEP PROCESS
- Acquisition
- Identification
- Evaluation
- Presentation
Source: RCMP Technical Security Branch, "Computer Forensics: An Approach to Evidence in Cyberspace" (RCMP GRC Publications), by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96). http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
Slide 3: GROUND ZERO – WHAT YOU CAN DO
- Do not start looking through files
- Establish an evidence custodian; start a journal with the date and time and keep detailed notes
- Designate equipment as "off-limits" to normal activity (if possible), especially back-ups (with dump or other backup utilities), locally or remotely scheduled house-keeping, and configuration changes
- Collate mail, DNS and other network service logs to support host data capture
- Exhaustive external TCP and UDP port scans of the host (unless tcp-wrapped)
- Contact security department or CERT, management, police or FBI, affected sites*
- Packaging/labeling and shipping
- Short-term storage
Slide 4: Incident Response – What the Pros Do
- Identify, designate or become the evidence custodian
- Review any journal of what has been done to the system already and how the intrusion was detected
- Start or maintain the existing journal
- Install a sniffer
- Backdoors
- If possible without rebooting, make two byte-by-byte copies of the physical disk
- Capture network info
- Capture process listings and open files
- Capture configuration information to disk and notes
- Receipt and signing of data
Slide 5: Data Collection with dd, TCT & cryptcat

Sending Side (jezabelle):

```
Script started on Fri Sep 29 16:39:41 2000
# grave-robber -v -F -i -l -M -m -O -P -S -s -t -V /
# tar -c $TCT_HOME/data/`hostname` | cryptcat -k f0renzikz juarez 33
^C punt!
# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/proc                      0       0       0     0%    /proc
/dev/dsk/c0t0d0s0     240302   37942  178330    18%    /
/dev/dsk/c0t0d0s6    2209114  324049 1840883    15%    /usr
fd                         0       0       0     0%    /dev/fd
/dev/dsk/c0t0d0s1     480620    2983  429575     1%    /var
/dev/dsk/c0t0d0s7     961257      94  903488     1%    /export/home
swap                  196312     832  195480     1%    /tmp
# ./dd if=/dev/dsk/c0t0d0s0 bs=1024 | cryptcat -k f0renzikz juarez 37737
farm9crypt_init: f0renzikz
256095+0 records in
256095+0 records out
^C punt!
# exit
script done on Fri Sep 29 16:57:51 2000
```

Receiving Side (juarez):

```
Script started on Fri Sep 29 16:35:37 2000
juarez% cryptcat -k f0renzikz -l -p 33 > jezabelle_gr.tar
^C punt!
Bus error (core dumped)
juarez% df -k .
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t8d0s7    9344221 5836607 3414172    64%    /export/home
juarez% cryptcat -k f0renzikz -l -p 37737 > jezabelle.c0t0d0s0
^C punt!
Bus error (core dumped)
juarez% exit
script done on Fri Sep 29 16:54:53 2000
```
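The session above records the dd block counts but takes no checksum on either side, so nothing in the journal proves that jezabelle.c0t0d0s0 on juarez matches the slice that was read. The script below is an added example, not code from the slides or from TCT, covering two of the steps the previous two slides call for: capturing volatile state (process listings, network state, logged-in users) before the disk is touched, and taking a dd image whose hash is computed from the byte stream as it is read and again from the stored copy, with both written to the evidence journal. The command list, the journal layout and the hypothetical function names are assumptions; it expects dd, tee and sha256sum (or shasum) to be available, and it should be run from the examiner's own media, as the slide does with ./dd, rather than from the suspect host's PATH.

```shell
#!/bin/sh
# Added example, not code from the original slides. It covers two of the steps
# above: capturing volatile state before the disk is touched, and taking a dd
# image whose hash is recorded in the journal so the copy can be verified
# wherever it ends up. Assumes dd, tee, sha256sum (or shasum) and the listed
# commands exist; output directory, journal and device paths come from the caller.

hash_stream() {
    # sha256 of stdin, hex digest only
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Commands whose output is lost at power-off, most volatile first. Extend per OS
# (lsof, ifconfig -a, arp -an, route -n, ...); a missing command is recorded, not skipped.
VOLATILE_CMDS='date -u
uname -a
uptime
ps -ef
netstat -an
df -k
w
last -20'

collect_volatile() {
    # collect_volatile OUTDIR JOURNAL: one numbered file per command, each hashed into JOURNAL
    outdir=$1; journal=$2
    mkdir -p "$outdir"
    n=0
    printf '%s\n' "$VOLATILE_CMDS" | while IFS= read -r cmd; do
        n=$((n + 1))
        out="$outdir/$(printf '%02d' "$n")-$(printf '%s' "$cmd" | tr -c 'A-Za-z0-9' '_')"
        # stdout and stderr together; a failure leaves its exit status in the file
        sh -c "$cmd" >"$out" 2>&1 || printf 'exit status %s\n' "$?" >>"$out"
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hash_stream <"$out")" "$cmd" >>"$journal"
    done
}

acquire_image() {
    # acquire_image SOURCE DEST JOURNAL: 0 if the stored image hashes the same as the stream read
    src=$1; dest=$2; journal=$3
    # hash the bytes as they leave dd, and hash the copy on disk afterwards
    stream_hash=$(dd if="$src" bs=1024 2>"$dest.ddlog" | tee "$dest" | hash_stream)
    stored_hash=$(hash_stream <"$dest")
    {
        printf '%s acquire %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest"
        cat "$dest.ddlog"   # dd's "records in/out" lines, as on the slide
        printf '  sha256(stream read from source) %s\n' "$stream_hash"
        printf '  sha256(stored image)            %s\n' "$stored_hash"
    } >>"$journal"
    [ "$stream_hash" = "$stored_hash" ]
}

verify_image() {
    # verify_image IMAGE EXPECTED_SHA256: 0 if the image still hashes as recorded
    [ "$(hash_stream <"$1")" = "$2" ]
}
```

When the image is shipped over cryptcat as on the slide, run verify_image on the receiving host with the digest read out of the sender's journal; a mismatch means the transfer, not the disk, is what has to be explained.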
Slide 6: Acquisition – Takin' it Off-Line
- SLR: take pictures
- Considerations before pulling the plug
- Unplug the system from the network
- If possible, freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
- Unplug the system (power). Pulling power rather than shutting down cleanly keeps the shutdown from writing further changes to the disk, at the cost of everything still in memory, which is why the freeze step comes first.
- Packaging/labeling
- Shipping
Slide 7: FBI List of Computer Forensic Laboratory Services
- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)
Slides 8-11: Summarization of acquisition (1) to (4)
Slide 12: Extraction with Lazarus

```
Script started on Sat Sep 30 16:23:03 2000
[root@plaything forensics]# ../tct-1.03/bin/lazarus -B -h -H ../www -D ../blocks -w ../www -t ./valencia.hda1
[root@plaything www]# cd ../www
[root@plaything www]# netscape ./valencia.hda1.html
```
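Lazarus walks a raw image one block at a time, guesses what each block holds, and writes a map (one character per block) together with the blocks, so that a deleted file can be reassembled from a run of like-typed blocks. The following is an added example written for this page, not TCT's code, that does the same thing in miniature: the block size, the single-letter type codes, the classification heuristics and the nine-block image built in sample_image() are all assumptions made for illustration.

```python
"""Block classifier in the spirit of lazarus from The Coroner's Toolkit.

Added example, not TCT's code. The block size, type codes and heuristics are
assumptions chosen for illustration, and the image is constructed in sample_image().
"""
import random
import re

BLOCK_SIZE = 1024  # assumption; lazarus works in the file system's block size

# type code -> pattern that marks a text block as that type (checked in order)
TEXT_TYPES = [
    ("h", re.compile(r"<html|<body|<a\s+href", re.I)),
    ("m", re.compile(r"\A(From |From:|Received:|Return-Path:|Subject:)")),
    ("c", re.compile(r"#include\s*<|\bint\s+main\b")),
]


def classify_block(block: bytes) -> str:
    """One-letter type for a raw block: '.' zero-filled, 'x' binary, 't' plain
    text, or a TEXT_TYPES code for recognised text formats."""
    if not block.strip(b"\x00"):
        return "."
    # treat as text only when nearly every byte is printable ASCII or whitespace
    printable = sum(1 for b in block if 32 <= b < 127 or b in (9, 10, 13))
    if printable < 0.9 * len(block):
        return "x"
    text = block.decode("ascii", errors="replace")
    for code, pat in TEXT_TYPES:
        if pat.search(text):
            return code
    return "t"


def classify_image(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Type code for every block of the image, in disk order."""
    return [classify_block(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def block_map(codes: list, width: int = 64) -> str:
    """The lazarus-style map: one character per block, `width` blocks per line."""
    return "\n".join("".join(codes[i:i + width]) for i in range(0, len(codes), width))


def runs(codes: list) -> list:
    """Collapse the map into (type, first_block, count) runs; a deleted file
    usually shows up as one run of the same type."""
    out = []
    for i, code in enumerate(codes):
        if out and out[-1][0] == code:
            out[-1] = (code, out[-1][1], out[-1][2] + 1)
        else:
            out.append((code, i, 1))
    return out


def extract_run(data: bytes, run: tuple, block_size: int = BLOCK_SIZE) -> bytes:
    """Pull the bytes of one run back out of the image."""
    _, first, count = run
    return data[first * block_size:(first + count) * block_size]


def sample_image() -> bytes:
    """Constructed nine-block image (not a real disk dump) mixing the block kinds above."""
    rnd = random.Random(1)
    zero = b"\x00" * BLOCK_SIZE
    html = b"<html><body><a href='http://example.invalid/'>x</a></body></html>".ljust(BLOCK_SIZE, b" ")
    mail = b"From: alice@example.invalid\nSubject: meeting\n\nsee you at 9\n".ljust(BLOCK_SIZE, b"\n")
    csrc = b"#include <stdio.h>\nint main(void) { return 0; }\n".ljust(BLOCK_SIZE, b" ")
    notes = (b"deleted notes, line after line\n" * 40)[:BLOCK_SIZE]
    binary = bytes(rnd.getrandbits(8) for _ in range(BLOCK_SIZE))
    return zero + html + mail + notes + notes + binary + binary + csrc + zero


if __name__ == "__main__":
    img = sample_image()
    codes = classify_image(img)
    print(block_map(codes))
    for r in runs(codes):
        print(r)
```

Real lazarus has many more types and tries to follow a file across blocks that are not adjacent; the point here is only that unallocated space is recoverable by content, without any file system metadata, which is what the HTML map opened in the next command on the slide lets an examiner browse.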
Slides 13-15: Summarization of extraction (1) to (3)
Slide 16: Correlating Log Files
- Where to look
- What do log entries mean?
- How to narrow your search
- How reliable is the data?
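The mechanical part of correlation is getting every host's entries onto one clock and into one sequence; the session timestamps on the slide 5 transcript (the receiving side's script ends at 16:54:53, the sending side's at 16:57:51) suggest the two hosts there already disagreed by minutes. The following is an added example, not from the slides: it parses classic syslog lines from several hosts, subtracts each host's measured clock error, sorts the result into a single UTC timeline, and pulls out the entries that mention a given address, matched as a literal dotted quad and never resolved. The host names, log lines and skew values are constructed; the incident year is passed in because syslog lines carry none, and the assumption that hosts log in GMT follows the later slide on preparation.

```python
"""Merge syslog-style lines from several hosts into one UTC timeline.

Added example, not from the original slides. Host names, log lines and skew
values are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample logs: the compromised host, the mail relay and the name server.
LOGS = {
    "jezabelle": [
        "Sep 29 16:02:11 jezabelle sshd[812]: Accepted password for root from 10.9.8.7 port 40122 ssh2",
        "Sep 29 16:05:02 jezabelle in.telnetd[914]: connect from 10.9.8.7",
    ],
    "mailhub": [
        "Sep 29 15:59:40 mailhub sendmail[2231]: f8TJxeA02231: from=<x@example.invalid>, relay=[10.9.8.7]",
        "Sep 29 16:10:05 mailhub sendmail[2240]: f8TKA5A02240: from=<root@jezabelle>, relay=jezabelle [192.0.2.10]",
    ],
    "nsbox": [
        "Sep 29 15:58:05 nsbox named[77]: client 10.9.8.7#1025: query: jezabelle.example.invalid IN A",
    ],
}

# How far each host's clock ran ahead of the reference clock (GPS/GMT), measured
# when the logs were collected: jezabelle is 3 minutes fast, nsbox 45 seconds slow.
SKEW = {
    "jezabelle": timedelta(minutes=3),
    "mailhub": timedelta(0),
    "nsbox": timedelta(seconds=-45),
}


def parse_syslog_line(line: str, year: int):
    """Parse one classic syslog line; the timestamp is read as GMT (assumption:
    hosts log in GMT) and residual clock error is handled through SKEW."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss, tzinfo=timezone.utc)
    return {"logged": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def build_timeline(logs: dict, skew: dict, year: int) -> list:
    """Merge all hosts' entries, sorted by skew-corrected time."""
    entries = []
    for host, lines in logs.items():
        for line in lines:
            e = parse_syslog_line(line, year)
            if e is None:
                continue  # not syslog format; in practice record it as unparsed
            e["ts"] = e["logged"] - skew.get(host, timedelta(0))
            entries.append(e)
    entries.sort(key=lambda e: e["ts"])
    return entries


def entries_mentioning(timeline: list, ip: str) -> list:
    """Entries whose message contains the address as a whole dotted quad
    (literal match, no name resolution)."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [e for e in timeline if pat.search(e["msg"])]


def format_timeline(timeline: list) -> str:
    return "\n".join(
        f"{e['ts']:%Y-%m-%dT%H:%M:%SZ} {e['host']:<9} {e['prog']}: {e['msg']}"
        for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(LOGS, SKEW, 2000)
    print(format_timeline(entries_mentioning(tl, "10.9.8.7")))
```

With the raw timestamps the mail relay's entry would sit before the root login on jezabelle; after correcting jezabelle's three-minute lead, the DNS query, the login and the relayed mail fall in the order they actually happened. Which brings in the slide's last question: the corrected order is only as reliable as the skew measurements and the assumption that nobody edited the logs on the compromised host, so the entries from the mail relay and the name server carry more weight than jezabelle's own.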
Slide 17: Shipping and Storage
- UPS/FEDEX requirements
- Laboratory requirements
- Latent materials
- Tamper-evident packaging
- Restricted access and low traffic, camera-monitored storage
- Sign in/out for chain of custody
Slide 18: Thinking Strategic
- Preparing with procedures and checklists
- Having an evidence locker
- OS accounting turned on
- Log IP numbers - DO NOT RESOLVE! (a reverse lookup at logging time can alert whoever controls the attacker's DNS, and the name it returns is under their control; the address is the evidence)
- Clocks synchronized to GPS on GMT
- Evidence server
- Use of encrypted file systems
- Tools and materials
Slide 19: Pocket Security Toolkit
Slide 20: ADDITIONAL RESOURCES
- RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner's Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
- Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Cryptcat. http://www.farm9.com/Free_Tools/Cryptcat
- Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
- Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
- ONCTek List of possible Trojan/Backdoor Activity. http://www.onctek.com/trojanports.html
- Sixteen Tips for Testifying in Court from the "PI Mall". http://www.pimall.com/nais/n.testify.html
Slide 21: Thank you ... very much.