kai axford, cissp, ianal sr. security strategist microsoft corporation [email protected] det....
TRANSCRIPT
Kai Axford, CISSP, IANALSr. Security StrategistMicrosoft [email protected] http://blogs.technet.com/kaiaxford
Det. Constable Warren Bulmer #1406Toronto Police ServiceChild Exploitation Section
The Problem: Investigating illegal / improper activity on your computers and networks
The Guide: Four-step investigative process
The Tools: Demos of Sysinternals, EnCase, Forensic Toolkit, Etc.
The Man: Q&A with Toronto Police Services Investigators
www.privacyrights.org
Assess the situationAssess the situation
Acquire key dataAcquire key data
Analyze dataAnalyze data
Report resultsReport results
Decide whether or not to involve law enforcement
Assess the situationAssess the situation
• End internal End internal investigationinvestigation• Contact law Contact law enforcementenforcement agencyagency• Provide assistanceProvide assistance
Should law Should law enforcemenenforcemen
t be t be involved?involved?
Continue internal Continue internal investigationinvestigation
Yes
No
You might
change your
mind!
Meet with management and legal advisorsCollectively review policies and lawsIdentify possible team membersAssess the situation & the business impactPrepare to acquire evidence
Volatile and Non-Volatile
Assess the situationAssess the situation
Build your toolkit!! Collect evidence of access to files at file serverCollect volatile evidence at clientCollect evidence of access to files at clientConsider data storage protection and archival
Acquire key dataAcquire key data
The HARDEST part of any investigation! Analyze data obtained from serverAnalyze data obtained from host
Analyze dataAnalyze data
Gather all background, documentation, notesIdentify data relevant to investigationIdentify facts that support conclusionList evidence to be submitted in reportList conclusionsBased on above, create report
Be Objective! Just like the CSI: Miami crew!!
Report resultsReport results
Tools for Your Investigation
Use to document unauthorized file and folder access
Acquire key dataAcquire key data
Shows what folder permissions a user hasProvides evidence that user has opportunity
Acquire key dataAcquire key data
Shows if a user is logged onto a computing resource
Acquire key dataAcquire key data
Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools
Acquire key dataAcquire key data
Allows investigator to remotely obtain information about a user’s computer - without tipping them off or installing any applications on the user’s computer
Acquire key dataAcquire key data
First and foremost: We are not lawyers. Always consult your local law enforcement agency and legal department first!
Digital forensics is SERIOUS BUSINESSYou can easily shoot yourself in the foot by doing it incorrectlyGet some in-depth training…this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)
I just want to spend a few minutes showing you somecommon forensic tools and how they can help
http://www.guidancesoftware.comVery popular in private corporations EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks Safely preview a disk before acquisition Picture gallery shows thumbnails of all images Virtually boot disk image using VMware to allow first-hand view of the system
(Courtesy of Professor Kris Herrin, CISSP. University of Dallas – Graduate School of Management)
http://www.accessdata.com/Full indexed searches in addition to Regex searches Preprocess of all files, which makes for faster searchingData is categorized by type (document, image, email, archive, etc.) for easy sorting Ability to rule out “common files” using
the Known File Filter plug-inDetection of encrypted/compressed files
(Courtesy of Professor Kris Herrin, CISSP. University of Dallas – Graduate School of Management)
The Sleuth Kit (TSK) and AutopsyWritten by Brian Carrier (www.sleuthkit.org)TSK is command line; Autopsy provides GUI for TSK runs on *nix platforms Client server architecture allows multiple examiners to use one central server Allows basic recovery of deleted data and searching Lots of manual control to the investigator, but is light on the automation
(Courtesy of Professor Kris Herrin, CISSP. University of Dallas – Graduate School of Management)
Helix (http://www.e-fense.com/helix/) Customized Knoppix disk that is forensically safe Includes improved versions of ‘dd’ Terminal windows log everything for good documentation Includes Sleuthkit, Autopsy, chkrootkit, and others Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools
Be Aware of activity in the Anti-Forensics area!! There are active efforts to produce tools to thwart your forensic investigation.
Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc.
TimestompTransmogrifySlackerSAM juicer
Stay Alert! Stay Alive!Stay Alert! Stay Alive!
*Courtesy of Vinnie Liu at Metasploit Project.
normal
• after setting values (-z “Monday 05/05/2005 05:05:05 AM”)
• example EnCase weakness (-b)
Security Minded – Kai’s Bloghttp://blogs.technet.com/kaiaxford
File System Forensic Analysis. Brian Carrier ISBN: 0-321-26817-2
Digital Evidence and Computer Crime. Eoghan Casey. ISBN: 012162885X
Fundamental Computer Investigation Guide For Windows http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx
Incident Response: Investigating Computer Crime. Kevin Mandia & Chris ProsiseISBN: 007222696X
Windows Forensic Analysis. Harlan Carvey.ISBN: 159749156X
“How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab”. Berinato, Scott. May 2007. http://www.cio.com
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.