forensics:


Upload: ailani

Post on 18-Mar-2016


DESCRIPTION

What is Computer Forensics? Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law. Computer Forensics: Commonly defined as the collection, preservation, analysis and court presentation of computer related evidence. (PowerPoint PPT presentation)

TRANSCRIPT

Page 1: Forensics:

What is Computer Forensics?

• Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law.

• Computer Forensics: Commonly defined as the collection, preservation, analysis and court presentation of computer related evidence.

• Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a computer system.

Page 2: Forensics:

What is Computer Forensics?

• Understand what happened
  o Proper acquisition and preservation of computer evidence
  o Authentication of collected data for court presentation
  o Recovery of all available data, including deleted files
  o Prevention of future incidents

• Often similar problems to audit, but the audit trail may be inadequate!
  o Audit information incomplete/insufficient
  o Audit trail damaged
  o We don't own the computer

Page 3: Forensics:

What is the Challenge?

• Audit information incomplete/erased
  o Reconstruct deleted information

• "Acceptable" state of system unknown
  o Need to identify violation in spite of this

• Goal not obvious
  o Transformations may have been applied to data

• Strong burden of proof
  o Not enough to know what happened
  o Must be able to prove it

Page 4: Forensics:

FBI List of Computer Forensic Services

• Content (what type of data)
• Comparison (against known data)
• Transaction (sequence)
• Extraction (of data)
• Deleted Data Files (recovery)
• Format Conversion
• Keyword Searching
• Password (decryption)
• Limited Source Code (analysis or compare)
• Storage Media (many types)

Page 5: Forensics:

The Coroner's Toolkit (TCT) Overview

• Collection of tools to assist in a forensic examination of a computer (primarily designed for Unix systems)

• mactime - report on times of files
• ils - list inode info (usually removed files)
• icat - copies files by inode number
• unrm - copies unallocated data blocks
• lazarus - create structure from unstructured data
• file - determine file type
• pcat - copy process memory
• grave-robber - captures forensic data

Page 6: Forensics:

mactime

• mactime is a shorthand reference to the three time attributes - mtime, atime, and ctime
  o atime - time of last access
  o mtime - time of last modification
  o ctime - time of last status change of inode
  o dtime - time of deletion (Linux only)

• Example:
  # mactime -m /var/adm
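As an added example (not part of the slides and not TCT's own code), the following Python builds a mactime-style timeline from the three inode time attributes the slide describes: every file under a directory contributes one row per distinct timestamp, with an m/a/c column showing which attributes were set at that moment. demo_timeline() constructs two sample files with back-dated times so the whole thing runs offline.

```python
import os
import time
from collections import defaultdict

def collect_mac_times(root):
    """Map (path, epoch_seconds) -> set of flags for every entry under root.
    Flags follow the mactime convention: m = modified, a = accessed, c = inode changed."""
    events = defaultdict(set)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: record the link itself, do not follow it
            except OSError:
                continue  # entry vanished mid-walk; skip rather than abort the timeline
            for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events[(path, int(ts))].add(flag)
    return events

def mac_timeline(root):
    """Chronological rows (epoch, 'mac' column, path); '.' marks an attribute not set then."""
    rows = []
    for (path, ts), flags in collect_mac_times(root).items():
        column = "".join(f if f in flags else "." for f in "mac")
        rows.append((ts, column, path))
    rows.sort()
    return rows

def format_timeline(rows):
    """Render rows in UTC, one per line, like a mactime report."""
    return "\n".join(f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ts))} {col} {path}"
                     for ts, col, path in rows)

def demo_timeline():
    """Constructed sample: two files with back-dated m/a times in a fresh temp dir.
    ctime cannot be set from user space, so it stays 'now' and appears as its own '..c' row."""
    import tempfile
    root = tempfile.mkdtemp()
    for name, epoch in (("old.log", 1000000000), ("new.log", 1100000000)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(name)
        os.utime(path, (epoch, epoch))  # sets atime and mtime only
    return mac_timeline(root)

if __name__ == "__main__":
    print(format_timeline(demo_timeline()))
```

The separate "..c" rows are the point of the exercise: a file whose mtime/atime were set back but whose ctime is recent is exactly what mactime surfaces when timestamps have been tampered with.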

Page 7: Forensics:

ils

• ils lists inode information of removed files.
• Can be used to identify deleted files for a possible attempt to undelete with icat.
• Specify a device file which contains a file system.
• Example:
  ils /dev/hdb1

Page 8: Forensics:

Unix file

Page 9: Forensics:

icat, file

• icat copies files by inode number from a device which contains a file system
• Can be used to recover a deleted file
• Example:
  icat /dev/hdb1 17

• file – determine file type
• Similar to UNIX System V file command, but may generate a better indication of file type

Page 10: Forensics:

unrm

• unrm – copies unallocated data blocks
  o Used to copy unallocated blocks to an output file in order to be processed by lazarus.
• Example:
  # unrm /dev/hdb1 > /tmp/unrm.of.hdb1

• lazarus – attempts to make sense out of raw data blocks
• Example:
  # lazarus /tmp/unrm.of.hdb1

Page 11: Forensics:

pcat

• pcat – copies process memory
  o This is used to try to understand what a program is doing, especially when the executable file has been deleted.

• Modern UNIX systems have a /proc filesystem that makes process information available in a convenient manner, including the executable file, current directory, and process memory.

Page 12: Forensics:

grave-robber

• grave-robber captures system forensic data
  o Runs many of the TCT tools under the covers

• Three types of options
  o general options - where output goes, verbosity, etc.
  o micro options - finer control over what data is collected
  o macro options - puts micro data collection into logical groups

Page 13: Forensics:

Law Enforcement Challenges

• Many findings will not be evaluated to be worthy of presentation as evidence

• Many findings will need to withstand rigorous examination by another expert witness

• The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.

Page 14: Forensics:

Broader Picture: What to Do

• do not start looking through files
• start a journal with the date and time, keep detailed notes
• unplug the system from the network if possible
• do not back the system up with dump or other backup utilities
• if possible without rebooting, make byte by byte copies of the physical disk
• capture network info
• capture process listings and open files
• capture configuration information to disk and notes
• collate mail, DNS and other network service logs to support host data
• capture exhaustive external TCP and UDP port scans of the host
• contact security department or CERT/management/police or FBI
• if possible freeze the system such that the current memory, swap files, and even CPU registers are saved and documented
• short-term storage
• packaging/labeling
• shipping
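An added example (not from the slides) tying the journal step above to the "authentication of collected data for court presentation" goal from slide 2: each captured artifact is written to disk together with a UTC-timestamped journal line carrying its SHA-256, and verify() re-hashes everything later so any post-capture modification is detectable. The captured bytes in demo() are constructed stand-ins, not output from a real host.

```python
import hashlib
import json
import os
import time

def sha256_file(path):
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def capture(evidence_dir, label, data, note, journal="journal.jsonl"):
    """Write one artifact and append a journal entry (UTC time, label, note, size, SHA-256)."""
    os.makedirs(evidence_dir, exist_ok=True)
    path = os.path.join(evidence_dir, label)
    with open(path, "wb") as fh:
        fh.write(data)
    entry = {"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "label": label, "note": note, "bytes": len(data), "sha256": sha256_file(path)}
    with open(os.path.join(evidence_dir, journal), "a") as fh:
        fh.write(json.dumps(entry) + "\n")  # append-only: one line per capture, never rewritten
    return entry

def verify(evidence_dir, journal="journal.jsonl"):
    """Re-hash every journaled artifact; return the labels that are missing or no longer match."""
    mismatches = []
    with open(os.path.join(evidence_dir, journal)) as fh:
        for line in fh:
            entry = json.loads(line)
            path = os.path.join(evidence_dir, entry["label"])
            if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
                mismatches.append(entry["label"])
    return mismatches

def demo():
    """Constructed sample captures, then a simulated later edit to show verify() catching it."""
    import tempfile
    evidence_dir = tempfile.mkdtemp()
    capture(evidence_dir, "ps.txt", b"PID CMD\n1 init\n", "process listing, before unplugging")
    capture(evidence_dir, "netstat.txt", b"tcp 0 0 *:22 LISTEN\n", "listening sockets")
    clean = verify(evidence_dir)
    with open(os.path.join(evidence_dir, "ps.txt"), "ab") as fh:
        fh.write(b"edited after capture\n")  # the kind of change the journal must expose
    return clean, verify(evidence_dir)
```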

Page 15: Forensics:

Risk management

Page 16: Forensics:

Likelihood Vs. Consequence

Page 17: Forensics:

COUNTERMEASURE

– A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.

Page 18: Forensics:

Examples of Countermeasures

– Procedures:
  • security policies and procedures
  • training
  • personnel transfer

– Hardware:
  • doors, window bars, fences
  • paper shredder
  • alarms, badges

– Manpower:
  • guard force

Page 19: Forensics:

CONSEQUENCE

– A consequence is that which logically or naturally follows an action or condition.

Page 20: Forensics:

Determination of the Consequence of the Attack

– "The worse the consequence of a threat harming the system, the greater the risk"

[Diagram; labels recovered from the slide: Attack, Consequence, Success]

Page 21: Forensics:

Risk Calculation Process

– determine:
  • the threat
  • the vulnerability
  • the likelihood of attack
  • the consequence of an attack

– apply this formula by:
  • postulating attacks
  • estimating the likelihood of a successful attack
  • evaluating the consequences of those successful attacks

Page 22: Forensics:

NSA ISSO Risk Assessment Methodology

– Developed in the NSA Information Systems Security Organization (ISSO)
– Used for INFOSEC products and systems
– Can be used during the entire life cycle
– Not widely used outside of the ISSO

Page 23: Forensics:

The NSA ISSO Risk Assessment Process

– Understanding the system
– Developing attack scenarios
– Understanding the severity of the consequences
– Creating a risk plane
– Generating a report

Page 24: Forensics:

The Risk Plane

Source: Courtesy of Professors Chris Clifton & Matt Bishop

Page 25: Forensics:

Risk Index

• Risk Index, as defined by the "Yellow Book", is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system
  – Minimum User Clearance = Rmin
  – Maximum Data Sensitivity = Rmax
  – Risk Index = Rmax – Rmin

• Risk index is between 0 and 7

Page 26: Forensics:

Rating Scale for Minimum User Clearance (Rmin)

MINIMUM USER CLEARANCE                                                       RATING (Rmin)
Uncleared (U)                                                                0
Not Cleared but Authorized Access to Sensitive Unclassified Information (N)  1
Confidential (C)                                                             2
Secret (S)                                                                   3
Top Secret (TS)/Current Background Investigation (BI)                        4
Top Secret (TS)/Current Special Background Investigation (SBI)               5
One Category (1C)                                                            6
Multiple Categories (MC)                                                     7

Page 27: Forensics:

Rating Scale for Maximum Data Sensitivity (Rmax)

MAXIMUM DATA SENSITIVITY WITHOUT CATEGORIES   RATING (Rmax)
Unclassified (U)                              0
Not Classified But Sensitive                  1
Confidential (C)                              2
Secret (S)                                    3
Top Secret (TS)                               5

MAXIMUM DATA SENSITIVITY WITH CATEGORIES                                                                  RATING (Rmax)
Unclassified (U)                                                                                          N/A
Unclassified but Sensitive With One or More Categories                                                    2
Confidential With One or More Categories                                                                  3
Secret With No More Than One Category Containing Secret Data                                              4
Secret With Two or More Categories Containing Secret Data                                                 5
Top Secret With One or More Categories, With No More Than One Category Containing Secret or Top Secret Data  6
Top Secret With Two or More Categories Containing Secret or Top Secret Data                               7

Page 28: Forensics:

Computer Security Requirements

RISK INDEX  MODE                      MINIMUM CRITERIA FOR OPEN ENVIRONMENTS  MINIMUM CRITERIA FOR CLOSED ENVIRONMENTS
0           Dedicated                 None                                    None
0           System High               C2                                      C2
1           Compartmented/Multilevel  B1                                      B1
2           Compartmented/Multilevel  B2                                      B2
3           Multilevel                B3                                      B2
4           Multilevel                A1                                      B3
5           Multilevel                *                                       A1
6           Multilevel                *                                       *
7           Multilevel                *                                       *

* = Security Requirements Beyond State of the Art
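As an added worked example (not part of the slides or of the Yellow Book itself), the Risk Index computation from slides 25 to 28 chained together: look up Rmin and Rmax, take Rmax – Rmin, then read the minimum evaluation class for an open or closed environment. The short row keys are my own labels for the table rows, and clamping a negative difference to 0 is an assumption made because the slides only state that the index lies between 0 and 7.

```python
# Tables transcribed from slides 26-28; row keys are labels chosen here, not official ones.
RMIN = {"U": 0, "N": 1, "C": 2, "S": 3, "TS/BI": 4, "TS/SBI": 5, "1C": 6, "MC": 7}

RMAX_WITHOUT_CATEGORIES = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}
RMAX_WITH_CATEGORIES = {
    "N": 2,        # unclassified but sensitive, one or more categories
    "C": 3,        # confidential, one or more categories
    "S/1cat": 4,   # secret, no more than one category containing secret data
    "S/2cat": 5,   # secret, two or more categories containing secret data
    "TS/1cat": 6,  # top secret, no more than one category with S or TS data
    "TS/2cat": 7,  # top secret, two or more categories with S or TS data
}

# Slide 28, compartmented/multilevel rows: (open environment, closed environment).
# "*" = security requirements beyond state of the art.
MULTILEVEL_CRITERIA = {1: ("B1", "B1"), 2: ("B2", "B2"), 3: ("B3", "B2"),
                       4: ("A1", "B3"), 5: ("*", "A1"), 6: ("*", "*"), 7: ("*", "*")}

def risk_index(min_clearance, max_sensitivity, with_categories=False):
    """Risk Index = Rmax - Rmin. Clamped at 0 when users are cleared above the data
    (assumption: the slides give the 0..7 range but not the rule for that case)."""
    table = RMAX_WITH_CATEGORIES if with_categories else RMAX_WITHOUT_CATEGORIES
    return max(0, table[max_sensitivity] - RMIN[min_clearance])

def minimum_criteria(index, environment="open", dedicated=False):
    """Slide 28 lookup. Index 0 is Dedicated mode (no criteria) or System High (C2);
    any higher index uses the multilevel row for the given environment."""
    if index == 0:
        return "None" if dedicated else "C2"
    open_class, closed_class = MULTILEVEL_CRITERIA[index]
    return open_class if environment == "open" else closed_class

def assess(min_clearance, max_sensitivity, with_categories=False, environment="open"):
    """Chain the three tables for one system: (risk index, required evaluation class)."""
    idx = risk_index(min_clearance, max_sensitivity, with_categories)
    return idx, minimum_criteria(idx, environment)

if __name__ == "__main__":
    # Confidential-cleared users on a Top Secret system: index 3, B3 open / B2 closed.
    print(assess("C", "TS"), assess("C", "TS", environment="closed"))
```

Note how the environment matters only from index 3 upward, and how index 5 and above in an open environment lands on "*": the Yellow Book's way of saying no evaluated product meets the requirement, so the system should not be built that way.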

Page 29: Forensics:

Examples of documented risk assessment systems

– Aggregated Countermeasures Effectiveness (ACE) Model
– Risk Assessment Tool
– Information Security Risk Assessment Model (ISRAM)
– Dollar-based OPSEC Risk Analysis (DORA)
– Analysis of Networked Systems Security Risks (ANSSR)
– Profiles
– National Security Agency (NSA) Information Systems Security Organization (ISSO) INFOSEC Risk Assessment Tool

Page 30: Forensics:

Conclusion

• Why should I bother doing security risk management?
  – Risk management and assessment prepares you for deciding what to do about a risk
  – Allows you to identify assets, vulnerabilities, and controls
  – Helps you understand what you do & do not know
  – Improves the basis for decisions
  – Assists in justifying expenditures for security