Tan (tan@atstake.com) COMPUTER FORENSICS

21 pages

Upload: jasper-casey

Post on 17-Dec-2015


TRANSCRIPT

Page 1: Tan (tan@atstake.com) COMPUTER FORENSICS

Tan ([email protected])

COMPUTER FORENSICS

Page 2

FORENSICS IS A FOUR STEP PROCESS

- Acquisition
- Identification
- Evaluation
- Presentation

RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications) http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm , by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

Page 3

GROUND ZERO – WHAT YOU CAN DO

- Do not start looking through files
- Establish an evidence custodian - start a journal with the date and time, keep detailed notes
- Designate equipment as “off-limits” to normal activity (if possible) – especially back-ups (with dump or other backup utilities), locally or remotely scheduled house-keeping, and configuration changes
- Collate mail, DNS and other network service logs to support host data
- Capture exhaustive external TCP and UDP port scans of the host (unless tcp-wrapped)
- Contact security department or CERT, management, police or FBI, affected sites*
- Packaging/labeling and shipping, short-term storage

Page 4

Incident Response – What the Pros Do

- Identify, designate or become the evidence custodian
- Review any journal of what has been done to the system already and how the intrusion was detected
- Start or maintain existing journal
- Install a sniffer
- Backdoors
- If possible without rebooting, make two byte by byte copies of the physical disk
- Capture network info
- Capture process listings and open files
- Capture configuration information to disk and notes
- Receipt and signing of data

Page 5

Data Collection with dd, TCT & cryptcat

Sending Side:

Script started on Fri Sep 29 16:39:41 2000
# grave-robber -v -F -i -l -M -m -O -P -S -s -t -V /
# tar -c $TCT_HOME/data/`hostname` |cryptcat -k f0renzikz juarez 33
^C punt!
# df -k
Filesystem            kbytes    used    avail capacity  Mounted on
/proc                      0       0        0     0%    /proc
/dev/dsk/c0t0d0s0     240302   37942   178330    18%    /
/dev/dsk/c0t0d0s6    2209114  324049  1840883    15%    /usr
fd                         0       0        0     0%    /dev/fd
/dev/dsk/c0t0d0s1     480620    2983   429575     1%    /var
/dev/dsk/c0t0d0s7     961257      94   903488     1%    /export/home
swap                  196312     832   195480     1%    /tmp
# ./dd if=/dev/dsk/c0t0d0s0 bs=1024 |cryptcat -k f0renzikz juarez 37737
farm9crypt_init: f0renzikz
256095+0 records in
256095+0 records out
^C punt!
# exit
script done on Fri Sep 29 16:57:51 2000

Receiving Side:

Script started on Fri Sep 29 16:35:37 2000
juarez% cryptcat -k f0renzikz -l -p 33 >jezabelle_gr.tar
^C punt!
Bus error (core dumped)
juarez% df -k .
Filesystem            kbytes    used    avail capacity  Mounted on
/dev/dsk/c0t8d0s7    9344221 5836607  3414172    64%    /export/home
juarez% cryptcat -k f0renzikz -l -p 37737 >jezabelle.c0t0d0s0
^C punt!
Bus error (core dumped)
juarez% exit
script done on Fri Sep 29 16:54:53 2000
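The session above pushes a raw dd stream through cryptcat with no integrity check on either end, so the only evidence that the listener wrote what the sender read is the record count. The shell functions below are an added example, not code from Tan's slides, TCT or cryptcat: the imaging side hashes the exact byte stream it sends while keeping a local copy, and the receiving side re-hashes what it wrote and compares, so both digests can go in the evidence journal and be signed for. `cat` stands in for the cryptcat channel in the demo, the 64 KiB `fakedisk` file is a constructed stand-in for a device such as /dev/dsk/c0t0d0s0, and the example assumes `dd`, `tee` and `sha256sum` (GNU coreutils or busybox) are on the path.

```shell
#!/bin/sh
# Added example (not from the slides): dd acquisition with a digest recorded on
# both ends of the transfer. Assumes dd, tee, sha256sum and cut are available.

# sender DEVICE COPY: copy DEVICE byte for byte, keep COPY locally, and print the
# SHA-256 of the exact stream that was read (tee feeds the hash from one read,
# so the device is not touched a second time).
sender() {
    dev="$1"; copy="$2"
    dd if="$dev" bs=1024 2>/dev/null | tee "$copy" | sha256sum | cut -d' ' -f1
}

# receiver OUT EXPECTED: the listener side. Write stdin to OUT (where the slides
# used 'cryptcat -l -p ... >file'), hash the file, and compare with the digest
# the sender reported. Exit status 0 only when both digests agree.
receiver() {
    out="$1"; expected="$2"
    cat > "$out"
    got=$(sha256sum "$out" | cut -d' ' -f1)
    if [ "$got" = "$expected" ]; then
        echo "verified $got"
        return 0
    else
        echo "MISMATCH sent=$expected received=$got" >&2
        return 1
    fi
}

# demo: run both sides against a constructed 64 KiB "device" so the example
# works without root or a real disk; 'cat' replaces the cryptcat channel.
demo() {
    work=$(mktemp -d)
    head -c 65536 /dev/urandom > "$work/fakedisk"   # constructed sample, not a device
    digest=$(sender "$work/fakedisk" "$work/sender_copy.img")
    echo "sender digest:  $digest"
    cat "$work/sender_copy.img" | receiver "$work/received.img" "$digest"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

Both digests, the device name, the times from `script`, and who ran each side belong in the journal next to the "receipt and signing of data" step; a mismatch means the copy is not usable as evidence and the acquisition is repeated.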

Page 6

Acquisition – Takin’ it Off-Line

- SLR – take pictures
- Considerations before pulling the plug
- Unplug the system from the network
- If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
- Unplug the system (power)
- Packaging/labeling
- Shipping

Page 7

FBI List of Computer Forensic Laboratory Services

- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)

Page 8

Summarization of acquisition (1)

Page 9

Summarization of acquisition (2)

Page 10

Summarization of acquisition (3)

Page 11

Summarization of acquisition (4)

Page 12

Extraction with Lazarus

Script started on Sat Sep 30 16:23:03 2000

[root@plaything forensics]# ../tct-1.03/bin/lazarus -B -h -H ../www -D ../blocks -w ../www -t ./valencia.hda1

[root@plaything www]# cd ../www

[root@plaything www]# netscape ./valencia.hda1.html
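lazarus reads an image block by block, guesses what each block holds, and writes a map that the HTML front end (the `-H`/`-w ../www` directories above) renders. The functions below are an added example, not lazarus's own code and not from the slides: they carve an image into fixed-size blocks with dd and print a one-letter class per block, which is the shape of lazarus's output on a much smaller scale. The class letters (`t` text, `h` HTML, `x` ELF, `z` gzip, `j` JPEG, `.` zero-filled, `?` other binary) and the 95 % printable threshold are this example's assumptions, not lazarus's. The demo builds a constructed four-block image instead of reading a partition like valencia.hda1, and assumes POSIX sh with `dd`, `od`, `tr` and `head -c`.

```shell
#!/bin/sh
# Added example, not lazarus: carve an image into fixed-size blocks and label
# each one, roughly in the spirit of the lazarus block map. The class letters
# and thresholds below are this example's own assumptions.

# classify_block FILE: print one letter describing the block's content.
classify_block() {
    blk="$1"
    total=$(wc -c < "$blk" | tr -d ' ')
    [ "$total" -eq 0 ] && { echo '.'; return; }
    # entirely zero-filled block: nothing to recover
    if [ "$(tr -d '\000' < "$blk" | wc -c | tr -d ' ')" -eq 0 ]; then
        echo '.'; return
    fi
    # magic numbers take priority over the printable-text heuristic
    magic=$(head -c 4 "$blk" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46*) echo 'x'; return ;;    # ELF executable
        1f8b*)     echo 'z'; return ;;    # gzip
        ffd8ff*)   echo 'j'; return ;;    # JPEG
    esac
    # mostly printable bytes => text; look for HTML markup inside it
    printable=$(tr -d -c '[:print:][:space:]' < "$blk" | wc -c | tr -d ' ')
    if [ $((printable * 100 / total)) -ge 95 ]; then
        if grep -qi '<html' "$blk"; then echo 'h'; else echo 't'; fi
    else
        echo '?'                          # unrecognized binary data
    fi
}

# carve_image IMAGE BLOCKSIZE OUTDIR: split IMAGE into BLOCKSIZE-byte files
# (one per block, like lazarus's -D block directory) and print the map string.
carve_image() {
    img="$1"; bs="$2"; out="$3"
    mkdir -p "$out"
    size=$(wc -c < "$img" | tr -d ' ')
    n=$(( (size + bs - 1) / bs ))
    i=0; map=""
    while [ "$i" -lt "$n" ]; do
        dd if="$img" of="$out/$i.blk" bs="$bs" skip="$i" count=1 2>/dev/null
        map="$map$(classify_block "$out/$i.blk")"
        i=$((i + 1))
    done
    echo "$map"
}

# make_sample_image PATH: constructed 4-block image (text, ELF header followed
# by random bytes, HTML, zero-filled) so the demo runs without a real partition.
make_sample_image() {
    {
        printf '%-512s' 'Sep 29 16:39:41 jezabelle syslogd: constructed log text block'
        printf '\177ELF'; head -c 508 /dev/urandom
        printf '%-512s' '<html><body>constructed page fragment</body></html>'
        head -c 512 /dev/zero
    } > "$1"
}

work=$(mktemp -d)
make_sample_image "$work/sample.img"
echo "block map: $(carve_image "$work/sample.img" 512 "$work/blocks")"
rm -rf "$work"
```

Running it prints `block map: txh.` for the constructed image; on a real image the map is what you scan for runs of `t`/`h` blocks worth pulling out of unallocated space, and the per-block files in the output directory are what a viewer like the slide's `netscape ./valencia.hda1.html` step links to.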

Page 13

Summarization of extraction (1)

Page 14

Summarization of extraction (2)

Page 15

Summarization of extraction (3)

Page 16

Correlating Log Files

- Where to look
- What do log entries mean?
- How to narrow your search
- How reliable is the data?
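The slide's questions are easier to work through once the host, mail and DNS logs the Ground Zero slide told you to collate are on one timeline. The functions below are an added example, not from the slides: `correlate` merges syslog-format lines from several files into time order, tagging each line with its source, and `narrow` filters the timeline on a literal IP number (the Thinking Strategic slide's "DO NOT RESOLVE" rule, so a changed or forged PTR record cannot mislead the search). The three sample logs are constructed for the demo, and the example assumes every source already logs on the same clock (the slides' GPS-synchronized GMT), since syslog timestamps carry no year or zone.

```shell
#!/bin/sh
# Added example, not from the slides: merge syslog-style lines from several
# sources into one timeline and narrow it to a single address.
# Assumes all sources log in the same time zone and record raw IP numbers.

# correlate FILE...: print every line ordered by timestamp, each prefixed by
# its source file name and a tab. Syslog has no year, so the sort key is
# MMDDhhmmss built from the first three fields.
correlate() {
    for f in "$@"; do
        awk -v src="$f" '
            BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                    for (i = 1; i <= n; i++) mon[m[i]] = i }
            { split($3, t, ":")
              key = sprintf("%02d%02d%02d%02d%02d", mon[$1], $2, t[1], t[2], t[3])
              print key "\t" src "\t" $0 }' "$f"
    done | sort -k1,1 -s | cut -f2-
}

# narrow PATTERN: keep only lines containing the literal PATTERN. Use the IP
# number exactly as logged; never resolve it to a name first.
narrow() {
    grep -F -- "$1"
}

# write_samples DIR: constructed sample logs (not real evidence) for the demo,
# deliberately out of order within host.log.
write_samples() {
    d="$1"
    printf '%s\n' \
      'Sep 29 16:40:12 jezabelle sshd[4311]: Accepted password for root from 192.0.2.77 port 3322' \
      'Sep 29 16:38:02 jezabelle login: ROOT LOGIN ON console' > "$d/host.log"
    printf '%s\n' \
      'Sep 29 16:39:50 mailhost sendmail[912]: ruleset=check_relay, relay=[192.0.2.77], reject' > "$d/mail.log"
    printf '%s\n' \
      'Sep 29 16:37:30 ns1 named[77]: client 192.0.2.77#1025: query: jezabelle.example.com IN A' > "$d/dns.log"
}

work=$(mktemp -d)
write_samples "$work"
echo "--- full timeline ---"
correlate "$work/host.log" "$work/mail.log" "$work/dns.log"
echo "--- narrowed to 192.0.2.77 ---"
correlate "$work/host.log" "$work/mail.log" "$work/dns.log" | narrow 192.0.2.77
rm -rf "$work"
```

On the sample data the narrowed timeline reads DNS lookup, mail relay attempt, then the SSH login, which is the kind of sequence the slide's "what do log entries mean" question is asking you to reconstruct; the reliability question is answered by noting which of the three sources live on the compromised host itself.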

Page 17

Shipping and Storage

- UPS/FEDEX Requirements
- Laboratory Requirements
- Latent Materials
- Tamper Evident Packaging
- Restricted Access and Low Traffic, Camera Monitored Storage
- Sign In/Out for Chain of Custody

Page 18

Thinking Strategic

- Preparing with procedures and checklists
- Having an evidence locker
- OS Accounting turned on
- Log IP Numbers - DO NOT RESOLVE!
- Clocks synchronized to GPS on GMT
- Evidence Server
- Use of encrypted file systems
- Tools and materials

Page 19

Pocket Security Toolkit

Page 20

ADDITIONAL RESOURCES

- RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner’s Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
- Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Cryptcat. http://www.farm9.com/Free_Tools/Cryptcat
- Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
- Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
- ONCTek List of possible Trojan/Backdoor Activity. http://www.onctek.com/trojanports.html
- Sixteen Tips for Testifying in Court from the “PI Mall”. http://www.pimall.com/nais/n.testify.html

Page 21

Thank you …

… very much.