CSE 4482: Computer Security Management: Assessment and Forensics

1
CSE 4482 Computer Security Management
Assessment and Forensics
Instructor Suprakash Datta (dattaatcse.yorku.ca
) ext 77875 Lectures Tues (CB 122), 710 PM
Office hours Wed 3-5 pm (CSEB 3043), or by
appointment. Textbooks 1. "Management of
Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning,
2011, 3rd Edition 2. "Guide to Computer
Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson
Education / CENGAGE Learning, 2010, 4th Edition.
2
Performing RAID Data Acquisitions

• Size is the biggest concern
• Many RAID systems now have terabytes of data
• What is RAID and what is it used for?
• Redundant array of independent (formerly
  inexpensive) disks (RAID)
• Computer configuration involving two or more
  disks
• Originally developed as a data-redundancy measure

2
3
Raid Techniques
4
RAID Mirroring
4
5
RAID Bit-level Striping
5
6
RAID versions

• RAID 0
• Provides rapid access and increased storage
• Lack of redundancy
• RAID 1
• Designed for data recovery
• More expensive than RAID 0
• RAID 2
• Similar to RAID 1
• Data is written to a disk on a bit level
• Has better data integrity checking than RAID 0
• Slower than RAID 0

6
7
RAID Block level striping
7
8
RAID versions II

• RAID 3
• Uses data striping and dedicated parity
• RAID 4
• Data is written in blocks
• RAID 5
• Similar to RAIDs 0 and 3
• Places parity recovery data on each disk
• RAID 6
• Redundant parity on each disk
• RAID 10, or mirrored striping
• Also known as RAID 10
• Combination of RAID 1 and RAID 0

8
9
Acquiring RAID Disks

• Concerns
• How much data storage is needed?
• What type of RAID is used?
• Do you have the right acquisition tool?
• Can the tool read a forensically copied RAID
  image?
• Can the tool read split data saves of each RAID
  disk?
• Older hardware-firmware RAID systems can be a
  challenge when youre making an image

9
10
Acquiring RAID Disks (continued)

• Vendors offering RAID acquisition functions
• Technologies Pathways ProDiscover
• Guidance Software EnCase
• X-Ways Forensics
• Runtime Software
• R-Tools Technologies
• Occasionally, a RAID system is too large for a
  static acquisition
• Retrieve only the data relevant to the
  investigation with the sparse or logical
  acquisition method

10
11
Using Remote Network Acquisition Tools

• You can remotely connect to a suspect computer
  via a network connection and copy data from it
• Remote acquisition tools vary in configurations
  and capabilities
• Drawbacks
• LANs data transfer speeds and routing table
  conflicts could cause problems
• Gaining the permissions needed to access more
  secure subnets
• Heavy traffic could cause delays and errors

11
12
Remote Acquisition with ProDiscover

• With ProDiscover Investigator you can
• Preview a suspects drive remotely while its in
  use
• Perform a live acquisition
• Encrypt the connection
• Copy the suspect computers RAM
• Use the optional stealth mode
• ProDiscover Incident Response additional
  functions
• Capture volatile system state information
• Analyze current running processes
• Locate unseen files and processes
• Remotely view and listen to IP ports
• Run hash comparisons
• Create a hash inventory of all files remotely

12
13
Remote Acquisition with ProDiscover (continued)

• PDServer remote agent
• ProDiscover utility for remote access
• Needs to be loaded on the suspect
• PDServer installation modes
• Trusted CD
• Preinstallation
• Pushing out and running remotely
• PDServer can run in a stealth mode
• Can change process name to appear as OS function

13
14
Remote Acquisition with ProDiscover (continued)

• Remote connection security features
• Password Protection
• Encryption
• Secure Communication Protocol
• Write Protected Trusted Binaries
• Digital Signatures

14
15
Remote Acquisition with EnCase Enterprise

• Remote acquisition features
• Remote data acquisition of a computers media and
  RAM data
• Integration with intrusion detection system (IDS)
  tools
• Options to create an image of data from one or
  more systems
• Preview of systems
• A wide range of file system formats
• RAID support for both hardware and software

15
16
Remote Acquisition with R-Tools R-Studio

• R-Tools suite of software is designed for data
  recovery
• Remote connection uses Triple Data Encryption
  Standard (3DES) encryption
• Creates raw format acquisitions
• Supports various file systems

16
17
Remote Acquisition with Runtime Software

• Utilities
• DiskExplorer for FAT
• DiskExplorer for NTFS
• HDHOST
• Features for acquisition
• Create a raw format image file
• Segment the raw format or compressed image
• Access network computers drives

17
18
Using Other Forensics-Acquisition Tools

• Tools
• SnapBack DatArrest
• SafeBack
• DIBS USA RAID
• ILook Investigator IXimager
• Vogon International SDi32
• ASRData SMART
• Australian Department of Defence PyFlag

18
19
SnapBack DatArrest

• Columbia Data Products
• Old MS-DOS tool
• Can make an image on three ways
• Disk to SCSI drive
• Disk to network drive
• Disk to disk
• Fits on a forensic boot floppy
• SnapCopy adjusts disk geometry

19
20
NTI SafeBack

• Reliable MS-DOS tool
• Small enough to fit on a forensic boot floppy
• Performs an SHA-256 calculation per sector copied
• Creates a log file
• Functions
• Disk-to-image copy (image can be on tape)
• Disk-to-disk copy (adjusts target geometry)
• Copies a partition to an image file
• Compresses image files

20
21
More tools

• DIBS USA RAID (Rapid Action Imaging Device)
• Makes forensically sound disk copies
• Portable computer system designed to make
  disk-to-disk images
• Copied disk can then be attached to a
  write-blocker device
• ILook Investigator IXimager
• Runs from a bootable floppy or CD
• Designed to work only with ILook Investigator
• Can acquire single drives and RAID drives

21
22
More tools II

• Vogon International SDi32
• Creates a raw format image of a drive
• Write-blocker is needed when using this tool
• Password Cracker POD
• Device that removes the password on a drives
  firmware card
• ASRData SMART
• Linux forensics analysis tool that can make image
  files of a suspect drive
• Capabilities
• Robust data reading of bad sectors on drives
• Mounting suspect drives in write-protected mode
• Mounting target drives in read/write mode
• Optional compression schemes

22
23
Next Network Forensics

• Guide to Computer Forensics and Investigations,
  Third Edition, Chapter 11

23
24
Objectives

• Describe the importance of network forensics
• Explain standard procedures for performing a live
  acquisition
• Explain standard procedures for network forensics
• Describe the use of network tools

24
25
Network Forensics Overview

• Network forensics
• Systematic tracking of incoming and outgoing
  traffic
• To ascertain how an attack was carried out or how
  an event occurred on a network
• Intruders leave trail behind
• Determine the cause of the abnormal traffic
• Internal bug
• Attackers

25
26
Securing a Network

• Layered network defense strategy
• Sets up layers of protection to hide the most
  valuable data at the innermost part of the
  network
• Defense in depth (DiD)
• Similar approach developed by the NSA
• Modes of protection
• People
• Technology
• Operations

26
27
Securing a Network (continued)

• Testing networks is as important as testing
  servers
• You need to be up to date on
• the latest methods intruders use to infiltrate
  networks, and
• methods internal employees use to sabotage
  networks

27
28
Performing Live Acquisitions

• Live acquisitions are especially useful when
  youre dealing with active network intrusions or
  attacks
• Live acquisitions done before taking a system
  offline are also becoming a necessity
• Because attacks might leave footprints only in
  running processes or RAM
• Live acquisitions dont follow typical forensics
  procedures
• Order of volatility (OOV)
• How long a piece of information lasts on a system

28
29
Performing Live Acquisitions (continued)

• Steps
• Create or download a bootable forensic CD
• Make sure you keep a log of all your actions
• A network drive is ideal as a place to send the
  information you collect
• Copy the physical memory (RAM)
• The next step varies, depending on the incident
  youre investigating
• Be sure to get a forensic hash value of all files
  you recover during the live acquisition

29
30
Performing a Live Acquisition in Windows

• Several bootable forensic CDs are available
• Such as Helix and DEFT
• Helix operates in two modes
• Windows Live (GUI or command line) and bootable
  Linux
• The Windows Live GUI version includes a runtime
  prompt for accessing the command line
• GUI tools are easy to use, but resource intensive

30
31
Performing a Live Acquisition in Windows
(continued)
31
32
Performing a Live Acquisition in Windows
(continued)
32
33
Developing Standard Procedures for Network
Forensics

• Long, tedious process
• Standard procedure
• Always use a standard installation image for
  systems on a network
• Close any way in after an attack
• Attempt to retrieve all volatile data
• Acquire all compromised drives
• Compare files on the forensic image to the
  original installation image

33
34
Developing Standard Procedures for Network
Forensics II

• Computer forensics
• Work from the image to find what has changed
• Network forensics
• Restore drives to understand attack
• Work on an isolated system
• Prevents malware from affecting other systems

34
35
Reviewing Network Logs

• Record ingoing and outgoing traffic
• Network servers
• Routers
• Firewalls
• Tcpdump tool for examining network traffic
• Can generate top 10 lists
• Can identify patterns
• Attacks might include other companies
• Do not reveal information discovered about other
  companies

35
36
Using Network Tools

• Sysinternals
• A collection of free tools for examining Windows
  products
• Examples of the Sysinternals tools
• RegMon shows Registry data in real time
• Process Explorer shows what is loaded
• Handle shows open files and processes using them
• Filemon shows file system activity

36
37
Using Network Tools (continued)
37
38
Using Network Tools (continued)

• Tools from PsTools suite created by Sysinternals
• PsExec runs processes remotely
• PsGetSid displays security identifier (SID)
• PsKill kills process by name or ID
• PsList lists details about a process
• PsLoggedOn shows whos logged locally
• PsPasswd changes account passwords
• PsService controls and views services
• PsShutdown shuts down and restarts PCs
• PsSuspend suspends processes

38
39
Using UNIX/Linux Tools

• Knoppix Security Tools Distribution (STD)
• Bootable Linux CD intended for computer and
  network forensics
• Knoppix-STD tools
• Dcfldd, the U.S. DoD dd version
• memfetch forces a memory dump
• photorec grabs files from a digital camera
• snort, an intrusion detection system
• oinkmaster helps manage your snort rules

39
40
Using UNIX/Linux Tools (continued)

• Knoppix-STD tools (continued)
• john
• chntpw resets passwords on a Windows PC
• tcpdump and ethereal are packet sniffers
• With the Knoppix STD tools on a portable CD
• You can examine almost any network system

40
41
Using UNIX/Linux Tools (continued)
41
42
Using UNIX/Linux Tools (continued)

• The Auditor
• Robust security tool whose logo is a Trojan
  warrior
• Based on Knoppix and contains more than 300 tools
  for network scanning, brute-force attacks,
  Bluetooth and wireless networks, and more
• Includes forensics tools, such as Autopsy and
  Sleuth
• Easy to use and frequently updated

42
43
Using Packet Sniffers

• Packet sniffers
• Devices or software that monitor network traffic
• Most work at layer 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Some packets can be identified by examining the
  flags in their TCP headers

43
44
Using Packet Sniffers (continued)
44
45
Using Packet Sniffers (continued)

• Tools
• Tcpdump
• Tethereal
• Snort
• Tcpslice
• Tcpreplay
• Tcpdstat
• Ngrep
• Etherape
• Netdude
• Argus
• Ethereal

45
46
Using Packet Sniffers (continued)
46
47
Examining the Honeynet Project

• Attempt to thwart Internet and network hackers
• Provides information about attacks methods
• Objectives are awareness, information, and tools
• Distributed denial-of-service (DDoS) attacks
• A recent major threat
• Hundreds or even thousands of machines (zombies)
  can be used

47
48
Examining the Honeynet Project (continued)
48
49
Examining the Honeynet Project (continued)

• Zero day attacks
• Another major threat
• Attackers look for holes in networks and OSs and
  exploit these weaknesses before patches are
  available
• Honeypot
• Normal looking computer that lures attackers to
  it
• Honeywalls
• Monitor whats happening to honeypots on your
  network and record what attackers are doing

49
50
Examining the Honeynet Project (continued)

• Its legality has been questioned
• Cannot be used in court
• Can be used to learn about attacks
• Manuka Project
• Used the Honeynet Projects principles
• To create a usable database for students to
  examine compromised honeypots
• Honeynet Challenges
• You can try to ascertain what an attacker did and
  then post your results online

50
51
Examining the Honeynet Project (continued)
51
52
Summary

• Network forensics tracks down internal and
  external network intrusions
• Networks must be hardened by applying layered
  defense strategies to the network architecture
• Live acquisitions are necessary to retrieve
  volatile items
• Standard procedures need to be established for
  how to proceed after a network security event has
  occurred

52
53
Summary (continued)

• By tracking network logs, you can become familiar
  with the normal traffic pattern on your network
• Network tools can monitor traffic on your
  network, but they can also be used by intruders
• Bootable Linux CDs, such as Knoppix STD and
  Helix, can be used to examine Linux and Windows
  systems
• The Honeynet Project is designed to help people
  learn the latest intrusion techniques that
  attackers are using

53