Download presentation
Presentation is loading. Please wait.
Published byKathryn Watts Modified over 9 years ago
1
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 Nov 1, 2005 Computer Forensics (Lab 2 Related)
2
INFSCI 2935: Introduction to Computer Security2 What is Computer Forensics? Forensics: Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law. Computer Forensics: Computer Forensics: Commonly defined as the collection, preservation, analysis and court presentation of computer- related evidence. Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a computer system.
3
INFSCI 2935: Introduction to Computer Security3 What is Computer Forensics? Understand what happened Understand what happened Proper acquisition and preservation of computer evidence. Authentication of collected Data for court Presentation Recovery of all available data, including deleted files Prevention of future incidents Often similar problems to Audit But audit trail may be inadequate! Often similar problems to Audit But audit trail may be inadequate! Audit information incomplete/insufficient Audit trail damaged We don’t own the computer
4
INFSCI 2935: Introduction to Computer Security4 What is the Challenge? Audit information incomplete/erased Audit information incomplete/erased Reconstruct deleted information “Acceptable” state of system unknown “Acceptable” state of system unknown Need to identify violation in spite of this Goal not obvious Goal not obvious Transformations may have been applied to data Strong burden of proof Strong burden of proof Not enough to know what happened Must be able to prove it
5
INFSCI 2935: Introduction to Computer Security5 FBI List of Computer Forensic Services Content (what type of data) Content (what type of data) Comparison (against known data) Comparison (against known data) Transaction (sequence) Transaction (sequence) Extraction (of data) Extraction (of data) Deleted Data Files (recovery) Deleted Data Files (recovery) Format Conversion Format Conversion Keyword Searching Keyword Searching Password (decryption) Password (decryption) Limited Source Code (analysis or compare) Limited Source Code (analysis or compare) Storage Media (many types) Storage Media (many types)
6
INFSCI 2935: Introduction to Computer Security6 The Coroner’s Toolkit (TCT) Overview Collections of tools to assist in a forensic examination of a computer (primarily designed for Unix systems) Collections of tools to assist in a forensic examination of a computer (primarily designed for Unix systems) http://www.porcupine.org/forensics/tct.html mactimes - report on times of files mactimes - report on times of files ils - list inode info (usually removed files) ils - list inode info (usually removed files) icat - copies files by inode number icat - copies files by inode number unrm - copies unallocated data blocks unrm - copies unallocated data blocks lazarus - create structure from unstructured data lazarus - create structure from unstructured data file - determine file type file - determine file type pcat - copy process memory pcat - copy process memory grave-robber - captures forensic data grave-robber - captures forensic data
7
INFSCI 2935: Introduction to Computer Security7 Law Enforcement Challenges Many findings will not be evaluated to be worthy of presentation as evidence Many findings will not be evaluated to be worthy of presentation as evidence Many findings will need to withstand rigorous examination by another expert witness Many findings will need to withstand rigorous examination by another expert witness The evaluator of evidence may be expected to defend their methods of handling the evidence being presented. The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
8
INFSCI 2935: Introduction to Computer Security8 Broader Picture: What to Do do not start looking through files do not start looking through files start a journal with the date and time, keep detailed notes start a journal with the date and time, keep detailed notes unplug the system from the network if possible unplug the system from the network if possible do not back the system up with dump or other backup utilities do not back the system up with dump or other backup utilities if possible without rebooting, make byte by byte copies of the physical disk if possible without rebooting, make byte by byte copies of the physical disk capture network info capture network info capture process listings and open files capture process listings and open files capture configuration information to disk and notes capture configuration information to disk and notes collate mail, DNS and other network service logs to support host data collate mail, DNS and other network service logs to support host data capture exhaustive external TCP and UDP port scans of the host capture exhaustive external TCP and UDP port scans of the host contact security department or CERT/management/police or FBI contact security department or CERT/management/police or FBI if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented short-term storage short-term storage packaging/labeling packaging/labeling shipping shipping
9
INFSCI 2935: Introduction to Computer Security9 Well-known ports A port is a number used to identify a network service on an IP network (the Internet) A port is a number used to identify a network service on an IP network (the Internet) A port in the TCP/UDP header directs packets to the appropriate application in the server. For the complete list of well-known ports and registered ports, visit www.iana.org/assignments/port-numbers www.iana.org/assignments/port-numbers The Internet Assigned Numbers Authority (IANA) registers ports 1024 to 49151 The Internet Assigned Numbers Authority (IANA) registers ports 1024 to 49151 Port numbers from 49152 to 65535 are private ports Port numbers from 49152 to 65535 are private ports Some well-known ports are HTTP (80), HTTPS (443), FTP (20, 21), FTPS (989, 990), Telnet (23), SSH (22), DNS (53), Kerberos (88), SMTP (25), POP3 (110), IMAP (143), etc. Some well-known ports are HTTP (80), HTTPS (443), FTP (20, 21), FTPS (989, 990), Telnet (23), SSH (22), DNS (53), Kerberos (88), SMTP (25), POP3 (110), IMAP (143), etc.
10
INFSCI 2935: Introduction to Computer Security10 Port Redirection Port restrictions are enforced to prevent attacks on well- known ports Port restrictions are enforced to prevent attacks on well- known ports Port redirection is used to overcome port restrictions (shown in the illustration). Port redirection is used to overcome port restrictions (shown in the illustration).
11
INFSCI 2935: Introduction to Computer Security11 Steganography Art of hiding information in the midst of irrelevant data Art of hiding information in the midst of irrelevant data This is NOT cryptography This is NOT cryptography Useful to hide the existence of secret communication Useful to hide the existence of secret communication
12
INFSCI 2935: Introduction to Computer Security12 Example of Steganography (Text – page 48) Dear George, Greetings to all at Oxford. Many thanks for your letter and for the summer examination package. All entry forms and fees forms should be ready for final dispatch to the syndicate by Friday 20 th or at the latest I am told by the 21 st. Admin has improved here though there is room for improvement still; just give us all two or three more years and we will really show you! Please don’t let these wretched 16+ proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos. Sincerely yours, your your package package ready ready Friday Friday 21 st. 21 st. room room three three Please Please destroy destroy this thisimmediately
13
INFSCI 2935: Introduction to Computer Security13 Steganography with Bitmapped image Steganography is the mechanism to hide relatively small amount of data in other data files that are significantly larger. Steganography is the mechanism to hide relatively small amount of data in other data files that are significantly larger. Bitmap image (raster image) is representation of a digital image as a matrix of picture elements (pixels). Bitmap image (raster image) is representation of a digital image as a matrix of picture elements (pixels). Examples: JPEG, GIF, BMP and TIFF formats The color of each pixel is individually defined as images in the RGB color space, for instance, often consist of colored pixels defined by three bytes—one byte each for red, green and blue.
14
INFSCI 2935: Introduction to Computer Security14 Data Storage Tracks Tracks Concentric rings Sectors Sectors Tracks are divided radially into parts called sectors Files storage Files storage The minimum space occupied by any file is one sector. Unused space in the sectors is known as slack space.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.