Computer Forensics
The Legal Side of Incident Response
Ioanna Kantzavelou
Technological Educational Institution - TEI of Athens
Department of Informatics
Symposium on Innovation of Computer Science Curriculum in Higher Education
February 2004
Outline at a Glance
The Incident Response area
Computer Forensics
– Definition and meaning
– Main principles
– Requirements
– Roadmap
Conclusion and Future Work
Resources
Incidents
Incident: any security-relevant adverse event that might threaten the security of a computer system or a network.
An event must have observable and recordable characteristics:
– the connection to a system via a network,
– the file access,
– a system shutdown, etc.
Adverse events:
– system crashes,
– packet flooding within a network,
– unauthorized use of another user's account,
– defacement of a web page,
– execution of malicious code,
– floods, fires, electrical outages, etc.
Types of Incidents
Most incidents point towards a loss of:
– Confidentiality,
– Integrity, or
– Availability.
Different types of incidents:
– reconnaissance,
– repudiation,
– harassment,
– extortion,
– pornography trafficking,
– organized crime activity,
– subversion,
– hoaxes, etc.
Incident Response
Incident Response is a new field with goals similar to those of IT Security.
Scope: to negate or minimize the impact of an incident by reacting with certain actions.
It can be used to restore confidentiality, integrity, and availability.
A particularly important part of the legal side of incident response is the area of forensics.
Computer Forensics meaning
Forensic (adj.)
– belonging to courts of law; used in law pleading.
– relating to sciences or scientists connected with legal investigations.
Forensics (n.)
– the art or study of public debate.
Forensics
– any systematic or scientific examination of evidence in the investigation of a crime.
Computer forensics
– (cyber-forensics) is the detailed examination of computer systems in an investigation.
CF scope and characteristics
Scope: the collection and search of specific data that will serve as acceptable evidence in a court of law.
Computer Forensics deals with:
– storage media (e.g. hard disks),
– the examination and analysis of network logs.
It is the most repeatable and scientific process: an expert follows a step-by-step methodology, preserving the integrity of the evidence. This methodology does not vary substantially between different investigations and technologies.
Main Principles
Scope: to protect the investigator, the evidence, and the accused party and his/her rights.
Principles regarding Ethics:
– The investigator must have the authority to seize and search a computer.
– The search should have clearly defined goals.
Principles regarding the process:
– A set of rules eliminates the possibility of tampering with evidence.
– Guidelines assist the maintenance of these rules.
Rules to prevent tampering with evidence
Rule 1. The examination should never be performed on the original media.
Rule 2. The copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy.
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified.
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained, to provide an audit log of who might have accessed the evidence and at what time.
CF Requirements
An Incident Response team (Computer Incident Advisory Capability - CIAC, Computer Emergency Response Team Coordination Center - CERT/CC, etc.), or an individual expert, who must:
– be trained in the use of a wide range of such tools,
– clearly understand the scope of the investigation, and
– plan the examination step-by-step.
Hardware:
– Build a forensics machine from scratch, or
– Buy a ready-made machine from vendors.
Software (generally accepted software tools):
– Media acquisition tools
– Searching tools
– Integrated suites
Roadmap
Data Acquisition → Examination → Results Presentation → Evidence
Examination:
– Conducts technical analysis to identify objects.
– Evaluates content as evidence.
– Determines relevance (the "chain of custody" problems).
Media Acquisition Tools
Acquisition objectives:
– the software must produce an exact, bit-by-bit copy, and
– the software must not modify the original data in any way.
Hardware-copying devices.
Disk-cloning software (e.g. DriveCopy, www.powerquest.com).
Safeback (www.forensics-intl.com) certifies that the copy is an exact, bit-by-bit copy of the original.
Searching Tools
Searching Requirements:
– A capable search tool that does not modify data.
– A careful plan on what to search for.
File Viewers (e.g. Norton Utilities).
Dedicated File Viewers (e.g. QuickView Plus).
Disk Editors (e.g. Norton Disk Editor).
Hex Editors.
The file search capability within Windows.
The grep utility (UNIX and Windows NT).
Specialized search tools for law enforcement use, to search and categorize images (pornography on seized systems).
DiskSearch Pro (www.forensics-intl.com), a text search program.
Integrated Suites
Integrated software suites provide the capability:
– To acquire data
– To perform searches
– To produce reports
Byte Back (www.toolsthatwork.com)
DriveSpy (www.digitalintel.com)
EnCase (www.guidancesoftware.com)
Expert Witness (www.asrdata.com)
Data Acquisition
The U.S. Justice Department has defined guidelines for search and seizure of electronic evidence.
The basic rules are:
– Document everything that the investigator does.
– Take all appropriate steps to ensure that the evidence itself is not compromised in any way during the acquisition.
Data Acquisition (cont.)
Steps to preserve the evidence and provide the investigator with any required data:
1. Secure the physical area
2. Shut down the system
3. Secure the system
4. Prepare the system
5. Examine the system
6. Prepare the system for acquisition
7. Connect the target media
8. Copy the media
9. Secure the evidence
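The six anti-tampering rules and the acquisition steps above (copy the media, secure the evidence, document everything) can be exercised on a small scale in software. The following Python example is added here and is not part of the original presentation or of any tool it names; it treats an ordinary file as the "original media" (a constructed sample, written to a temporary directory), refuses a non-sterile target (Rule 2), copies the original read-only block by block (Rules 1, 3, 4), hashes original and image before and after the copy so that any later modification is detectable (Rule 5), and keeps an append-only custody log (Rule 6). Hardware write-blockers, which real acquisitions rely on to enforce Rule 4, have no software equivalent here; the read-only open is only an approximation.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 64 * 1024  # read size; large media never need to fit in memory


def sha256_file(path):
    """Hash a file block by block; the digest is the evidence fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only log of who handled which item, when, and its hash (Rule 6)."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, handler, digest=None):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item,
            "action": action,
            "handler": handler,
            "sha256": digest,
        })

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def acquire_image(original_path, image_path, handler, custody):
    """Bit-by-bit copy of the original onto fresh media (Rules 1-5).

    Returns (hash_of_original, hash_of_image, verified)."""
    # Rule 2: the target must be forensically sterile; never overwrite anything.
    if os.path.exists(image_path):
        raise FileExistsError(f"target media not sterile: {image_path}")
    before = sha256_file(original_path)
    custody.record(original_path, "hashed before acquisition", handler, before)
    # Rule 4: the original is opened read-only; Rule 3: every byte is copied in order.
    # "xb" creates the image file and fails if it already exists.
    with open(original_path, "rb") as src, open(image_path, "xb") as dst:
        shutil.copyfileobj(src, dst, BLOCK_SIZE)
    image_hash = sha256_file(image_path)
    after = sha256_file(original_path)
    # Rule 5: the original must hash identically after acquisition, and the image must match it.
    verified = before == after == image_hash
    custody.record(image_path,
                   "image created and verified" if verified else "VERIFICATION FAILED",
                   handler, image_hash)
    return before, image_hash, verified


def verify_image(original_path, image_path):
    """Re-hash both sides later in the investigation; any change to either is detected."""
    return sha256_file(original_path) == sha256_file(image_path)


def demo():
    """Constructed scenario: a fake disk file is imaged, then the image is accidentally modified."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "suspect_disk.raw")        # stands in for the seized media
    image = os.path.join(workdir, "suspect_disk_image.raw")     # stands in for sterile target media
    with open(original, "wb") as f:
        f.write(b"CONSTRUCTED-MEDIA" + bytes(range(256)) * 512)  # deterministic sample content
    custody = ChainOfCustody()
    before, image_hash, ok = acquire_image(original, image, "examiner-1", custody)
    reverified = verify_image(original, image)
    with open(image, "ab") as f:           # simulate a modified working copy
        f.write(b"\x00")
    tamper_detected = not verify_image(original, image)
    return {"original_sha256": before, "image_sha256": image_hash, "verified": ok,
            "reverified": reverified, "tamper_detected": tamper_detected, "custody": custody}


if __name__ == "__main__":
    result = demo()
    print("verified:", result["verified"], "tamper detected:", result["tamper_detected"])
    print(result["custody"].to_json())
```

The custody log should be written to storage the examiner cannot silently alter (in practice a signed or printed record); the JSON here is only the content such a record carries.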
Examination
Examining the evidence is not straightforward.
– Plan what items to search for.
– Narrow the search to an acceptable scope.
– Define what constitutes a successful (or unsuccessful) conclusion.
– Recover deleted files, because data might be found in file fragments or file slack.
– Image files, which are often highly compressed, are especially difficult to reconstruct.
– Certain OS components might contain crucial evidence (e.g. the Windows Registry, event log files).
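Two of the examination points above, recovering deleted files and reading file slack, can be illustrated on a constructed disk image. The Python example below is added here and is not part of the original presentation; it builds a four-cluster image in which an allocated text file leaves a remnant of an older file in its slack, a deleted JPEG sits in unallocated clusters, and a PNG fragment has lost its footer. `carve` finds complete files by header/footer signature (the standard JPEG and PNG magic bytes), and `slack_bytes` extracts the slack of a file from its first cluster and logical size. The cluster size, offsets and file contents are all assumptions of the example; a real examination would also work on a read-only image, never on the original media.

```python
# Header and footer signatures of two common file types (well-known magic bytes).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

CLUSTER = 512  # assumed allocation unit of the constructed image


def carve(image, max_size=10_000_000):
    """Scan a raw image for known headers; return (type, offset, data) for each complete file.

    Files are found by signature alone, so deleted files still referenced by no
    directory entry are recovered too. A header without a matching footer is a
    fragment (partly overwritten) and is skipped rather than guessed at."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(tail, start + len(head))
            if end == -1:
                break  # fragment: no footer anywhere after this header
            end += len(tail)
            if end - start <= max_size:
                found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda t: t[1])


def slack_bytes(image, first_cluster, logical_size, cluster_size=CLUSTER):
    """Return a file's slack: bytes between its logical end and the end of its last cluster."""
    clusters_used = -(-logical_size // cluster_size)  # ceiling division
    start = first_cluster * cluster_size + logical_size
    end = (first_cluster + clusters_used) * cluster_size
    return image[start:end]


def build_sample_image():
    """Constructed image: live text file with slack remnant, deleted JPEG, truncated PNG."""
    img = bytearray(CLUSTER * 4)
    # Cluster 0: allocated text file (logical size 37 bytes). The rest of the
    # cluster still holds bytes of whatever occupied it before.
    note = b"meeting notes: nothing unusual today\n"
    img[0:len(note)] = note
    remnant = b"...old draft: transfer to acct 998877 confirmed..."
    img[100:100 + len(remnant)] = remnant
    # Clusters 1-2: a deleted JPEG, no longer referenced by any directory entry.
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + bytes(300) + b"\xff\xd9"
    img[CLUSTER:CLUSTER + len(jpeg)] = jpeg
    # Cluster 3: a PNG whose footer was overwritten; only the header survives.
    img[3 * CLUSTER:3 * CLUSTER + 8] = SIGNATURES["png"][0]
    return bytes(img)


def examine():
    """Run both recovery steps over the sample image and summarise the findings."""
    img = build_sample_image()
    carved = carve(img)
    slack = slack_bytes(img, first_cluster=0, logical_size=37)
    return {
        "carved": [(kind, offset, len(data)) for kind, offset, data in carved],
        "slack": slack,
    }


if __name__ == "__main__":
    result = examine()
    for kind, offset, size in result["carved"]:
        print(f"recovered {kind} at offset {offset}, {size} bytes")
    print("slack contains:", result["slack"].strip(b"\x00"))
```

Signature carving recovers files whose clusters have not been reused, which is why the JPEG is found while the PNG, with its footer gone, is reported as nothing at all; the slack remnant is reachable only by reading past the file's logical size, which ordinary file viewers never do.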
Limitations
A forensics examination can, at best, identify the computer involved in an incident.
Placing a specific person at that computer is extremely difficult without additional evidence.
Finding evidence that a computer was used to access other systems is much more difficult.
A forensics examination that does not also involve other corroborating evidence sources cannot be conclusive.
A skilful user makes the examiner's job difficult, if not impossible.
Conclusion and Future Work
Forensics is an extremely valuable tool in the investigation of computer security incidents.
Considerable legal issues arise when investigating computer systems.
Intrusion Detection might support Computer Forensics in the future, and vice versa.
Resources
Computer Crime Investigation – Forensic Tools and Technology, edited by Eoghan Casey, Academic Press, 2002.
E. Eugene Schultz and Russell Shumway, Incident Response - A Strategic Guide to Handling System and Network Security Breaches, New Riders, 2002.
Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley, 2001.
Mohay G., Anderson A., Collie B., Oliver de Vel, and McKemmish R., Computer and Intrusion Forensics, Computer Security Series, Artech House Publishers, 2003.
Searching and Seizing Computers and Obtaining Electronic Evidence, U.S. Justice Department, www.usdoj.gov/criminal/cybercrime/searchmanual.htm