Module 1 CS 996 - New York University Tandon School of ...
Digital Forensics
Module 1
CS 996
1/26/2004 Module 1-Introduction 2
Instructors
Dr. Frederick Scholl
Office Hours: 5-6 PM, Mondays
E-mail: [email protected]
Phone 212-869-4458
I am not a lawyer!
Kulesh Shanmugasundaram
Professor Nasir Memon
Course Calendar
Classes Start January 16
Presidents Day February 16
Mid-term Exam March 15 (in class)
April 5 Spring Break
May 3 Last Class
May 6-14 Final Exams
Grading
Eight Labs (50%)
Mid-term Exam (25%)
Final Exam (25%)
Textbooks
Incident Response & Computer Forensics, 2nd Edition, Kevin Mandia, Chris Prosise, Matt Pepe, McGraw-Hill, 2003.
References
Counter Hack, Ed Skoudis, Prentice Hall, 2002.
Digital Evidence and Computer Crime, Eoghan Casey, Academic Press, 2000.
My Background: Civil Litigation
Help businesses reduce risk through Internet forensics
Web site trespassing
Network abuse
SLA disputes
Outsourcing disputes
Web site break-in
Porn in the workplace
Spam investigation
Patent infringement
Testified in state and Federal courts
Outline of Lectures (Draft)
Module 1: Applications of Forensics
Module 2: Tracking Spam
Module 3: Creating Forensic Ready Infrastructure
Module 4: Evidence Collection from Network Traffic
Module 5: Evidence Collection from Hosts
Module 6: Host Investigation Using Encase
Module 7: Evidence Handling, Reporting and Presentation in Court
Outline of Lectures, cont.
Module 8: Evidence Collection from SIM Tools
Module 9: Using Network Intelligence Private I
Module 10: Investigating Cybercriminals—Guest lecturer NYPD or FBI
Module 11:
Module 12:
Today’s Lecture: The Big Picture
Applications of Forensics
Business and law enforcement drivers
How forensics reduces risk and saves $$$ for businesses
Where are business opportunities?
Finding evidence on the Internet
What is Digital Forensics?
Comes from Latin meaning: public forum
“Network and computer testing and analysis done in support of litigation”
Civil litigation
Criminal litigation
Homeland security: military tribunals
“Internet Forensics”: http://www.acm.org/~hlb/col-edit/digital_village/aug-03/dv_8-03.html
Why is forensics important today?
Willie Sutton, born in Brooklyn 1901
Why do I rob banks?
That’s where the money is!
[Chart: GDP vs. e-commerce, 2001 and 2003; vertical axis 0 to 12000]
SOURCES OF INFORMATION
HARD DRIVE REGISTRY & CONTENT
ROUTER SYSLOG FILES
SERVER LOG FILES
LIVE SNIFFER DATA COLLECTION
FIREWALL LOG FILES
IP INVESTIGATIONS
INTERNET ARCHIVES
ISP RECORDS
Standards of Evidence
Criminal Case: “Beyond a Reasonable Doubt”
Civil Case: “Clear and Convincing Evidence”
“A Preponderance of the Evidence”
Legal standards go beyond engineering standards
Technical: primary, backups
Legal: as many ways as possible
Challenges
Evidence collection done in adversarial environment
Judge and jury are not technical
Commercial testing tools may not work
Integrate business, technical and legal
Definition of terms in legal world
Example: Legal vs. Engineering Practice
Evidence must be admissible and stand up to cross examination
Case: ISP vs. Internet backbone provider
SLA dispute involving $100M
Ran independent tests measuring performance
Commercial software #1 failed to provide consistent data
Removed software; installed new test system
Forensics Procedures/Best Practices
Few available
Common Body of Knowledge: “Law, Investigation and Ethics”
ISO 17799: System Auditing and Monitoring; not forensics
Hot off the presses: NIST “Computer Security Incident Handling Guide”
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Proactive and Reactive
Proactive
“Detection is much more important than prevention. …it is fundamentally impossible to prevent attacks. …everything we know about complex systems tells us that we cannot find and fix every vulnerability. There will always be attackers; we just have to catch and punish them.” (Bruce Schneier, Secrets and Lies)
Reactive
Proactive
Prevent bad behavior like network abuse
Sarbanes-Oxley
Response to Enron
Companies must be able to acquire, search and preserve electronic data related to fraud
Effective July 20, 2002
Applies to public companies
Example: Consequences of Bad Behavior
Eli Lilly disclosure of email addresses
www.prozac.com
Email went out with all addresses visible
Consequence: FTC will monitor their security program for 20+ years!
http://www.akingump.com/docs/publication/67.pdf
Sarbanes-Oxley
Section 302: CEOs and CFOs certify financial reports. $5M fine; 20 years prison
Section 404: …“controls related to the prevention, identification and detection of fraud” (Technology Auditor position created)
Risk: Inadequate control prevents financial auditor from signoff
http://www.guidancesoftware.com/corporate/whitepapers/downloads/Sarbanes-Oxley.pdf
Recent Criminal Cases 18 U.S.C. § 1030
US v. Lamo
Jan. 8, 2004
Entered NY Times web site; $300,000 damages
Hacker
US v. Baas
Dec. 18, 2003
Stole customer data from Acxiom
Baas worked for outsourcer
Recent criminal cases, cont.
US v. Diaz
Dec. 5, 2003
Remotely deleted critical programs; $80,000 damages to Hellman Logistics
Diaz was former IT employee
US v. Patterson
Dec. 2, 2003
DOS attack against American Eagle Outfitters
Patterson was former employee
http://www.usdoj.gov/criminal/cybercrime/index.html
Homeland Security
Need for more surveillance
Evidence on the Internet
Web search
www.superpages.com
Google usenet listings
Archival sites
Whois search
Nslookup
www.samspade.org
INTERNET ARCHIVE (WWW.ARCHIVE.ORG)
1999 WWW.JOHNSONS.COM
IDENTIFYING INTERNET RESOURCES