Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005.

Published byBethany McDowell Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005."— Presentation transcript:

1 Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005

2 Communication and Information System Control and Operation Centre Information Security Centre InfoSec Centre Chief mjr. Ing. Albert VAJÁNYI Division Chief 1Lt. Ing. Boris ZEMEK (c) May 2005

3 What is computer forensics anyway? The application of computer investigations and analysis techniques in the interests of determining potential legal evidence. Computer specialists can draw on an array of methods for discovering deleted, encrypted or damaged file information. (Rorrins, 1997)

4 You don ’ t know what happened on your network. A network forensic analysis tool can effectively answer the difficult question “What happened?” in the aftermath of a security incident. That tool provides a passive network monitoring solution that visualizes the network activity. A network forensics analysis tool can visualize and analyze data from firewalls, IDS, IPS, syslogs, audit systems and more.

5 Key Features of Forensic Tools Data collection and visualization –Monitor and analyze data from all seven layers of the Open Systems Interconnection (OSI) stack –Relational, Tree ontology for knowledge base –TCP dump recording: records traffic being monitored in an unprocessed, binary state Pattern and content analysis –Powerful visualizations expose anomalous activities, providing visibility into network communications before, during and after a suspicious event –Functions irrespective of language using n-gram analysis

6 Key Features of Forensic Tools Forensic analysis and investigation - Graphical arrangements include source, destination, time, type and duration of communication and content - Rebuild crime pattern - Playback events - Generate reports and visual representations of the suspicious activity - Report on key security and network parameters

7 Forensics Technology Services – FTS Digital Evidence Recovery It is a technique of finding and extraction evidence. A lot of times the legislative designates how to confidence a digital evidence. Cyber Forensics Some specialists score incidents to the network. Cyber Forensics shows who made an attack.

8 Forensics Technology Services – FTS Forensic Data Analysis It is an interpretation of vast multiple data by using visualization techniques. Document Management Services Making documents accessible helps sharing essential knowledge. In your investigations you can draw upon modern document management tools that allow you to archive, search, find, organising and reproduce documents.

9 COLLECTING ANALYZING2D or 3D VISUALIZATION Traffic Analysis Knowledge Base Knowledge Base Data Visualization Database Meta Data and Content Analysis Real-Time Post Event Context Analyzer Context Analyzer Requirements for Forensics Tools

10 Types of Collecting Data Types: - IDS/IPS logs - Firewall logs - Sys logs - SQUID logs - Audit system logs - and more All logs are collecting to the Central logs base!!!

11 Network monitoring Network operation centre Security operation centre Intranet Any Public Network Central logs base Server Farm Service Alarms Security Alarms Security Information Management System

12 What is Security Information Management (SIM)? SIM provides a simple mechanism that allows security teams to collect and analyze vast amounts of security alert data. More specifically, SIM solutions collect, analyze and correlate – in real-time – all security device information across an entire enterprise. Correlated results are then displayed on a centralized real-time console that is part of an intuitive graphical user interface. Security Information Management

13 SIM can be divided into four different phases: 1)Normalization 2)Aggregation 3)Correlation 4)Visualization SIM utilizes normalization, aggregation, and correlation to sift through mountains of security activity data on a real-time basis – correlating events, flagging and rating the potential seriousness of all attacks, compromises, and vulnerabilities. The power of SIM technology allows a relatively small security staff to dramatically reduce the time between attack and response..

14 Security Information Management Normalization is the process of gathering individual security device data and putting it into a context that is easier to understand, mapping different messages about the same security events to a common alarm ID. Keeping in mind that there are no standards in the security device industry, normalization alone is a tremendous asset to security teams. Aggregation eliminates redundant or duplicate event data from the security event data stream, refining and optimizing the amount of information that is presented to security analysts.

15 Security Information Management Correlation uses software technology to analyze aggregated data, in real-time, to determine if specific patterns exist. These patterns of similar security events often correspond to specific securityattacks – whether denial of service,anti virus, or some other form of attack. Visualization, the final step in SIM, is the graphical representation of correlated information in a single, real-time console. Effective visualization lets security operators quickly identify and respond to security threats as they occur, before they create problems within the enterprise.

16 Systems alarms remapping Original logs from systems - around 20 000 types Sep 27 16:22:43 dmzserver su(pam_unix)[10983]: session opened for user nf by root(uid=0) Sep 27 16:36:12 [192.168.177.1] Sep 27 2004 16:36:12: %PIX-6- 605005: Login permitted from 192.168.177.2/44743 to inside:192.168.177.1/ssh for user "pix_ADMIN“ Changed to 100 NF types Forbidden Database Access Privilege Escalation Security Policy Change Authentication succeed 9 categories of NF alarms Access / Authentication / Authorization Application Exploit Configuration / System Status Evasion Policy Violations Reconnaissance Attempts Unknown / Suspicious Virus / Trojan

17 Place Forensics Tool in Network Network operation centre Security operation centre Intranet Any Public Network Central logs base Server Farm Service Alarms Security Alarms Security Information Management System Forensics Tool

18 Network Forensics Analyzer Examples of Visualization

19 Visualization of Firewall Data Quickly visualize and understand relationships in firewall data across time Source_IP ——— # of occurrences ——— Dest_IP

20 Source_IP versus Firewall Action Source_IP ——— # of occurrences ——— Firewall Action Green = AcceptRed = Reject Blue = Drop

21 VPN Traffic Events Overlay Intrusion Detection System Alerts Blocked Firewall Traffic Event Correlation

22 Exercises of anomaly

23

24 E – mail: infosec@mil.sk

Download ppt "Computer Forensics in Practice Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005."

Similar presentations

F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
CA: A New Step into Security Management.  eBusiness = business  A cultural shift — security is a part of the business fabric  Security is prevention.

CA: A New Step into Security Management.  eBusiness = business  A cultural shift — security is a part of the business fabric  Security is prevention.
Access Control Chapter 3 Part 5 Pages 248 to 252.

Access Control Chapter 3 Part 5 Pages 248 to 252.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.

Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This.

Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, This.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM

Similar presentations

Ads by Google