Investigating Sophisticated Security Breaches
Digital Forensics has proven tough in the age of sophisticated Intruders

Security Breaches
What's going on?
– Data is being compromised
– Information is being placed in inappropriate places (e.g. a swastika on a Jewish site)
– Code manipulation (e.g. altering code used for security without the developer's knowledge)
– Personal identities

Security Breaches
Who is doing it?
– Programmers
– Hackers
– Governments (China, Russia)
– Terrorists

Security Breaches
What is happening?
– Workplace theft
– Phishing scams
– Email scams
– Utilization of rootkits (coming up)
– Network intrusions

Security Breaches
Who investigates?
– Company security personnel
– Forensic scientists (digital and traditional)
– Governments
– Police departments
– Digital forensic specialization companies

Network Intrusions
Among the most challenging kinds of computer crime to investigate
– Dynamic nature of networks
– As time passes, evidence is lost
– Must investigate without interrupting the organization
– Find what was stolen (taken)
– Find out who did it

Network Intrusions
Hindrances to investigation
– Smarter and younger generation of hackers
– Sophisticated programs
– Dynamic nature of networks
– Large amounts of data to go through
– Time zone differences
– Foreign location of systems/persons
– Encoded communications between hosts

Investigation Tools
– The company's security personnel (if they weren't fired!)
– Command, Control, Communications, and Concealment systems (Analyst's Notebook)
– Sniffers (packet, node, etc.)
– Custom programs

Analyst's Notebook
(Screenshot; image credit given to Jessica Reust)

Rootkits
– A rootkit is a set of software tools used to legitimately (and not legitimately) conceal running processes.
– They modify parts of the operating system (including UNIX, Linux, Solaris, and Windows).
– The term rootkit is used due to its origins in UNIX and since it allows an intruder to maintain 'root', the privileged level of the UNIX operating system (affected utilities: ps, netstat, w, passwd).

Rootkits
– Rootkits are a technology used to hide files
– Threats that utilize rootkits generally try to maintain control of one system (zombie host)
– Used for:
– DoS attacks
– Email attacks
– Spam attacks
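The slides say a rootkit conceals processes by modifying operating-system utilities such as ps and netstat. One defensive check that follows from that is cross-view differencing: the kernel's own /proc listing is compared with what ps reports, and a PID present in one view but not the other is flagged. The following is an added example written for this page, not code from the slides or from any of the tools they name. The parsing functions work on captured input so they run offline; `live_check` assumes a Linux host with /proc mounted and `ps` on the PATH; the PIDs in the sample data are constructed.

```python
"""Cross-view process check (added example; not from the slides).

A user-mode rootkit that replaces `ps` can hide a process from its output, but
the numeric entries of /proc come from the kernel through a different path, so
a PID that /proc reports and `ps` omits is a discrepancy worth examining. Both
views can be collected live on Linux (live_check), and the parsing functions
also accept captured input so the check runs offline. Sample values are
constructed; "4242" stands in for a hidden process.
"""
import os
import re
import subprocess


def pids_from_proc(proc_entries):
    """Numeric entries of a /proc listing are PIDs; names like 'self' or 'cpuinfo' are not."""
    return {int(name) for name in proc_entries if name.isdigit()}


def pids_from_ps(ps_output):
    """Parse `ps -e -o pid=` output (one PID per line); header or blank lines are ignored."""
    pids = set()
    for line in ps_output.splitlines():
        token = line.strip()
        if re.fullmatch(r"\d+", token):
            pids.add(int(token))
    return pids


def hidden_pids(proc_entries, ps_output):
    """PIDs present in the /proc view but absent from the ps view, in sorted order."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def persistent_hidden(samples):
    """Intersect several (proc_entries, ps_output) samples so a short-lived process
    that started or exited between the two reads of one sample is not reported."""
    survivors = None
    for proc_entries, ps_output in samples:
        current = set(hidden_pids(proc_entries, ps_output))
        survivors = current if survivors is None else survivors & current
    return sorted(survivors or [])


def live_check(rounds=3):
    """Collect the two views on a Linux host several times and report persistent gaps.
    Assumes /proc is mounted and `ps` is on PATH."""
    samples = []
    for _ in range(rounds):
        ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
        samples.append((os.listdir("/proc"), ps))
    return persistent_hidden(samples)


# Constructed sample: /proc lists PID 4242, which the (hypothetically trojaned) ps omits.
SAMPLE_PROC = ["1", "2", "4242", "4301", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "    1\n    2\n 4301\n"
# Second constructed sample of the same host: 4242 is still missing, and transient PID
# 9000 shows up in /proc only because it started between the two reads.
SAMPLE_PROC_2 = ["1", "2", "4242", "4301", "9000", "self"]
SAMPLE_PS_2 = "    1\n    2\n 4301\n"

if __name__ == "__main__":
    print("hidden in one sample:", hidden_pids(SAMPLE_PROC, SAMPLE_PS))
    print("persistent across samples:",
          persistent_hidden([(SAMPLE_PROC, SAMPLE_PS), (SAMPLE_PROC_2, SAMPLE_PS_2)]))
```

Repeating the comparison and keeping only PIDs that are missing every time removes the noise from processes that come and go between the two reads. The check only catches rootkits that tamper with user-space tools: one that hooks the kernel's own directory listing hides from both views, which is why the later slides put memory dumps on the list of evidence to gather.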

The Investigative Team
– Multidisciplinary teams are needed to catch sophisticated intruders
– Range from 3 to 8 personnel
– All have their own expertise
– May include outside help (local police, forensics labs, etc.)
– May also include a liaison to other law enforcement agencies
– Keep track of incoming information (not easy)

The Need For Speed
Success is very dependent on the system logs and backups the organization has in place.
– Capture logs by freezing them
– Capture data backups by utilizing the organization's personnel
– Ghost (image) hard drives and memory spaces
– Capture network traffic
– Disable rootkits, if still active, to reveal any of the above needed data

Organization Issues
– Rarely prepared for a digital forensic investigation
– Investigators seldom have knowledge of the victim network
– Preservation effort is heavily dependent on information gathered from the victim IT staff
– All of this data is collected in a forensically sound manner
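The two preceding slides list what has to be captured quickly (frozen logs, backups, drive and memory images, network traffic) and require that it be collected in a forensically sound manner. The minimum that makes a collection defensible later is an integrity record: each artifact is hashed at the moment it is captured, and the hash, size, timestamp, host and collector are written to a manifest that can be re-checked at any time. The code below is an added example for this page, not a tool from the slides or from any company named in them. The host and collector names, the file contents and the manifest layout are constructed; the hashing and verification logic is general.

```python
"""Evidence manifest with integrity hashes (added example; not from the slides).

Every artifact the team captures (frozen logs, backups, disk and memory images,
packet captures) is hashed at collection time, and size, hash and timestamp go
into a manifest together with the host and the collector. Re-hashing later shows
whether an artifact changed in transit or storage, which is what a forensically
sound collection has to demonstrate. Host and collector names, file contents
and the manifest layout are constructed for this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-gigabyte image never has to fit in RAM


def sha256_file(path):
    """Streaming SHA-256 of a file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, host, collector):
    """Record size and SHA-256 of each artifact at the moment of collection."""
    return {
        "host": host,
        "collector": collector,
        "created": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Return the paths whose current size or hash no longer match the manifest."""
    changed = []
    for entry in manifest["artifacts"]:
        path = entry["path"]
        if (not os.path.exists(path)
                or os.path.getsize(path) != entry["size"]
                or sha256_file(path) != entry["sha256"]):
            changed.append(path)
    return changed


def demo():
    """Constructed scenario: two artifacts, one appended to after collection.
    Returns the manifest, the verification result right after collection,
    and the result after the log was modified."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "auth.log")
    pcap = os.path.join(workdir, "capture.pcap")
    with open(log, "wb") as f:
        f.write(b"Jan 1 00:00:01 host sshd[100]: Accepted password for alice\n")  # constructed
    with open(pcap, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic plus padding, constructed
    manifest = build_manifest([log, pcap], host="victim-host", collector="analyst-1")
    before = verify_manifest(manifest)
    with open(log, "ab") as f:
        f.write(b"Jan 1 00:05:00 host sshd[100]: session closed\n")  # change after collection
    after = verify_manifest(manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("changed right after collection:", before)
    print("changed after the log was appended to:", after)
```

The manifest itself is evidence and needs the same protection as the artifacts: record its hash on the chain-of-custody form or sign it, and keep it on media separate from the working copies. For a drive image the same routine is run over both the source device and the image so the two hashes can be shown to match.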

Challenges Faced
– Gathering memory dumps
– Capturing virtual memory
– Looking for comparable hints
– Discovering the Method of Operation (MO) of the intruder
– Searching network level logs
– Hacking back

Conclusion
– Ill-prepared networks allow controlled systems to attack the more prepared networks
– The more sophisticated the networks become, the more sophisticated the intruders become
– Programmers, wake up

Informative Sites
– Kernel control software: Hxdef.czweb.org
– Development of anti-forensic tools: www.metasploit.com/projects/antiforensics
– Investigating company: Global Digital Forensics, www.evestigate.com
– Digital Forensic Research Workshop: www.dfrws.org

References
– Casey, Eoghan. Investigating sophisticated security breaches; February 2006, Communications of the ACM, Volume 49 Issue 2, Publisher: ACM Press
– Richard, Golden; Roussev, Vassil. Next-generation cyber forensics; February 2006, Communications of the ACM, Volume 49 Issue 2, Publisher: ACM Press
– Burmester, Mike; Mulholland, Judie. The Advent of Trusted Computing: Implications for Digital Forensics; April 2006, Communications of the ACM, Volume 49 Issue 2, Publisher: ACM Press
– Mohay, George. Technical Challenges and Direction for Digital Forensics; 2005, Proceedings of the First International Workshop on Systematic Approaches to Digital Forensics
– Losavio, Michael. The Law of Digital Objects: Dominion and Control Issues for Digital Forensics Investigations and Prosecutions; 2005, Proceedings of the First International Workshop on Systematic Approaches to Digital Forensics