Investigating Sophisticated Security Breaches: Digital Forensics has proven tough in the age of sophisticated Intruders

Upload: albert-fitzgerald

Post on 14-Jan-2016


Page 1

Investigating Sophisticated Security Breaches

Digital Forensics has proven tough in the age of sophisticated Intruders

Page 2

Security Breaches

What's going on?
– Data is being compromised
– Information is being placed in inappropriate places (e.g. a swastika on a Jewish site)
– Code manipulation (e.g. altering code used in security functions without the developer's knowledge)
– Personal identities

Page 3

Security Breaches

Who is doing it?
– Programmers
– Hackers
– Governments (China, Russia)
– Terrorists

Page 4

Security Breaches

What is happening?
– Workplace theft
– Phishing scams
– Email scams
– Utilization of Rootkits (coming up)
– Network Intrusions

Page 5

Security Breaches

Who investigates?
– Company security personnel
– Forensic scientists (digital and traditional)
– Governments
– Police departments
– Digital forensic specialization companies

Page 6

Network Intrusions

Among the most challenging kinds of computer crime to investigate
– Dynamic nature of networks
– Time is evidence lost
– Investigate without interrupting the organization
– Find what was stolen (taken)
– Find out who did it

Page 7

Network Intrusions

Hindrances to investigation
– Smarter and younger generation of hackers
– Sophisticated programs
– Dynamic nature of networks
– Large amounts of data to go through
– Time zone differences
– Foreign location of systems/persons
– Encoded communications between hosts

Page 8

Investigation Tools

The company's security personnel (if they weren't fired!)

Command, Control, Communications, and Concealment systems (Analyst's Notebook)

Sniffers (packet, node, etc.)

Custom programs

Page 9

Analyst's Notebook

Image Credit given to Jessica Reust

Page 10

Rootkits

A rootkit is a set of software tools used to conceal running processes, legitimately or otherwise.

They modify parts of the operating system (including UNIX, Linux, Solaris, and Windows).

The term rootkit comes from its origins in UNIX: it allows an intruder to maintain 'root', the superuser level of the UNIX operating system (ps, netstat, w, passwd).

Page 11

Rootkits

Used to hide files

Rootkits are a technology

Threats that utilize rootkits generally try to maintain control of one system (zombie host)

Used for
– DOS attacks
– Email attacks
– Spam attacks
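The rootkit slides describe tools that conceal running processes by trojaning utilities such as ps. One defender-side check for that is a cross-view comparison: the kernel's /proc listing against what `ps` reports. This is example code added here, not from the deck; the function names are illustrative, and it assumes a Linux host with /proc and a `ps` binary.

```python
"""Cross-view check for processes concealed by a user-land rootkit.

A trojaned `ps` lies about which processes exist, but the kernel's /proc still
lists every PID; comparing the two views exposes what `ps` hides.  A kernel-level
rootkit can falsify /proc too, which is why the deck also calls for capturing
memory and disabling the rootkit before trusting data from the live host.
Example code added here, not from the deck; function names are illustrative.
"""
import os
import re
import subprocess


def parse_ps_output(text: str) -> set[int]:
    """Extract PIDs from `ps -e` text: first numeric column of each row after the header."""
    pids = set()
    for line in text.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\s", line)
        if match:
            pids.add(int(match.group(1)))
    return pids


def parse_proc_listing(entries) -> set[int]:
    """Keep only the all-digit names of /proc entries, i.e. the live PIDs."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> list[int]:
    """PIDs the kernel reports but `ps` does not: candidates for hidden processes.

    PIDs present only in `ps` are normally processes that started after the
    /proc snapshot, so they are not reported.  Re-check any flagged PID once,
    since a process that exited between the two snapshots looks the same.
    """
    return sorted(proc_pids - ps_pids)


def live_check() -> list[int]:
    """Run the cross-view check on this Linux host (needs /proc and a `ps` binary)."""
    proc_pids = parse_proc_listing(os.listdir("/proc"))
    ps_text = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    return hidden_pids(proc_pids, parse_ps_output(ps_text))


if __name__ == "__main__":
    print("PIDs in /proc but not in ps:", live_check())
```

A non-empty result is a lead, not proof: confirm the flagged PID still exists and then compare against a memory capture, since the live `ps` view is exactly what the rootkit controls.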

Page 12

The Investigative Team

Multidisciplinary teams are needed to catch sophisticated intruders

Range from 3 to 8 personnel

All have their own expertise

May include outside help (local police, forensics labs, etc.)

May also include a liaison to other law enforcement agencies

Keep track of incoming information (not easy)

Page 13

The Need For Speed

Success is very dependent on the system logs and backups the organization has in place.
– Capture of logs by freezing
– Capture data backups by utilizing the organization's personnel
– Ghost hard drives and memory spaces
– Capturing network traffic
– Disabling rootkits, if still active, to reveal any of the above needed data

Page 14

Organization Issues

Rarely prepared for a digital forensic investigation

Investigators seldom have knowledge of the victim network

Preservation effort is heavily dependent on information gathered from the victim IT staff
– All of this data is collected in a forensically sound manner
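Slides 13 and 14 call for freezing logs, ghosting drives and capturing traffic in a forensically sound manner. The minimum that makes such a capture defensible later is hashing each item at acquisition and recording who froze it and when; this is example code added here, not from the deck, with illustrative function names and a constructed log line in its test.

```python
"""Integrity record for captured evidence (frozen logs, disk images, packet
captures), so the collection can be shown to be forensically sound later.

Each file is hashed with SHA-256 at acquisition and the digest goes into a
manifest together with who captured it and when; re-hashing at analysis time
proves the working copy is still identical to what was frozen.
Example code added here, not from the deck; function names are illustrative.
"""
import hashlib
import json
import os
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector: str) -> dict:
    """Acquisition-time record: who froze which files, when, with size and digest."""
    return {
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths
        ],
    }


def verify_manifest(manifest: dict) -> dict:
    """Re-hash every item; False means the file is missing or differs from the frozen copy."""
    return {
        item["path"]: os.path.isfile(item["path"]) and sha256_file(item["path"]) == item["sha256"]
        for item in manifest["items"]
    }


if __name__ == "__main__":
    import sys
    manifest = build_manifest(sys.argv[1:], collector="analyst")
    print(json.dumps(manifest, indent=2))   # keep this record apart from the evidence itself
    print(verify_manifest(manifest))
```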

Page 15

Challenges Faced

Gathering memory dumps

Capturing virtual memory

Looking for comparable hints

Discovering the method of operation (MO) of the intruder

Searching network-level logs

Hacking back

Page 16

Conclusion

Ill-prepared networks allow controlled systems to attack the better-prepared networks

The more sophisticated the networks become, the more sophisticated the intruders become

Programmers, wake up

Page 17

Informative Sites

Kernel Control Software
– Hxdef.czweb.org

Development of Anti-forensic tools
– www.metasploit.com/projects/antiforensics

Investigating Company
– Global Digital Forensics, www.evestigate.com
– Digital Forensic Research Workshop, www.dfrws.org

Page 18

References

Casey, Eoghan. Investigating sophisticated security breaches. Communications of the ACM, Volume 49 Issue 2, February 2006. ACM Press.

Richard, Golden; Roussev, Vassil. Next-generation cyber forensics. Communications of the ACM, Volume 49 Issue 2, February 2006. ACM Press.

Burmester, Mike; Mulholland, Judie. The Advent of Trusted Computing: Implications for Digital Forensics. Communications of the ACM, Volume 49 Issue 2, April 2006. ACM Press.

Mohay, George. Technical Challenges and Direction for Digital Forensics. Proceedings of the First International Workshop on Systemic Approaches to Digital Forensics, 2005.

Losavio, Michael. The Law of Digital Objects: Dominion and Control Issues for Digital Forensics Investigations and Prosecutions. Proceedings of the First International Workshop on Systemic Approaches to Digital Forensics, 2005.