COMPUTER FORENSICS - Black Hat

COMPUTER FORENSICS




Tan (tan@atstake.com)
FORENSICS IS A FOUR STEP PROCESS

- Acquisition
- Identification
- Evaluation
- Presentation


RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications), http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm, by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)
GROUND ZERO – WHAT YOU CAN DO

- Do not start looking through files.
- Establish an evidence custodian; start a journal with the date and time, and keep detailed notes.
- Designate equipment as "off-limits" to normal activity (if possible), especially back-ups (with dump or other backup utilities), locally or remotely scheduled housekeeping, and configuration changes.
- Collate mail, DNS and other network service logs to support host data.
- Capture exhaustive external TCP and UDP port scans of the host (unless tcp-wrapped).
- Contact security department or CERT, management, police or FBI, affected sites*.
- Packaging/labeling and shipping.
- Short-term storage.
Incident Response – What the Pros Do

- Identify, designate, or become the evidence custodian.
- Review any journal of what has been done to the system already and how the intrusion was detected.
- Start or maintain the existing journal.
- Install a sniffer.
- Backdoors.
- If possible without rebooting, make two byte-by-byte copies of the physical disk.
- Capture network info.
- Capture process listings and open files.
- Capture configuration information to disk and notes.
- Receipt and signing of data.
Data Collection with dd, TCT & cryptcat

Sending Side (compromised host):

    Script started on Fri Sep 29 16:39:41 2000
    # grave-robber -v -F -i -l -M -m -O -P -S -s -t -V /
    # tar -c $TCT_HOME/data/`hostname` | cryptcat -k f0renzikz juarez 33
    ^C punt!
    # df -k
    Filesystem          kbytes    used   avail capacity Mounted on
    /proc                    0       0       0     0%   /proc
    /dev/dsk/c0t0d0s0   240302   37942  178330    18%   /
    /dev/dsk/c0t0d0s6  2209114  324049 1840883    15%   /usr
    fd                       0       0       0     0%   /dev/fd
    /dev/dsk/c0t0d0s1   480620    2983  429575     1%   /var
    /dev/dsk/c0t0d0s7   961257      94  903488     1%   /export/home
    swap                196312     832  195480     1%   /tmp
    # ./dd if=/dev/dsk/c0t0d0s0 bs=1024 | cryptcat -k f0renzikz juarez 37737
    farm9crypt_init: f0renzikz
    256095+0 records in
    256095+0 records out
    ^C punt!
    # exit
    script done on Fri Sep 29 16:57:51 2000

Receiving Side (evidence host "juarez"):

    Script started on Fri Sep 29 16:35:37 2000
    juarez% cryptcat -k f0renzikz -l -p 33 > jezabelle_gr.tar
    ^C punt!
    Bus error (core dumped)
    juarez% df -k .
    Filesystem          kbytes    used   avail capacity Mounted on
    /dev/dsk/c0t8d0s7  9344221 5836607 3414172    64%   /export/home
    juarez% cryptcat -k f0renzikz -l -p 37737 > jezabelle.c0t0d0s0
    ^C punt!
    Bus error (core dumped)
    juarez% exit
    script done on Fri Sep 29 16:54:53 2000
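The transcript above shows the raw dd copy but not the bookkeeping the Ground Zero and Incident Response slides call for (journal with date and time, two copies, receipt of data). This added POSIX shell example, which is not from the deck, wraps the dd copy with a hash of source and image and a GMT-stamped journal entry; the "device" is a constructed file standing in for a partition such as /dev/dsk/c0t0d0s0, and the custodian name and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the Black Hat deck. Requires dd, sha256sum (or shasum),
# date, uname. For real media add conv=noerror,sync to dd so a bad sector does
# not abort the copy; omitted here because the sample "device" is a plain file.

# Print only the SHA-256 hex digest of a file.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE JOURNAL CUSTODIAN
# Byte-for-byte copy of SOURCE to IMAGE, then verify the two hashes agree and
# append one journal line (UTC timestamp, host, custodian, paths, hash).
# Returns 0 on a verified copy, 1 if the hashes differ (mismatch is journaled too).
acquire_image() {
    src=$1; img=$2; journal=$3; who=$4
    dd if="$src" of="$img" bs=1024 2>/dev/null
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)          # GMT, as the deck recommends
    host=$(hostname 2>/dev/null || uname -n)
    if [ "$src_hash" != "$img_hash" ]; then
        printf '%s host=%s custodian=%s MISMATCH source=%s image=%s src_sha256=%s img_sha256=%s\n' \
            "$stamp" "$host" "$who" "$src" "$img" "$src_hash" "$img_hash" >> "$journal"
        return 1
    fi
    printf '%s host=%s custodian=%s source=%s image=%s sha256=%s\n' \
        "$stamp" "$host" "$who" "$src" "$img" "$img_hash" >> "$journal"
}

# verify_image IMAGE JOURNAL: re-hash IMAGE and confirm the journal recorded that hash.
# Used at receipt/signing and before any later examination.
verify_image() {
    grep -qF "image=$1 sha256=$(hash_of "$1")" "$2"
}

# Demo on a constructed 64 KiB "device" in a temporary directory.
work=$(mktemp -d)
dd if=/dev/zero of="$work/fake_c0t0d0s0" bs=1024 count=64 2>/dev/null
printf 'constructed evidence data\n' | dd of="$work/fake_c0t0d0s0" conv=notrunc 2>/dev/null
acquire_image "$work/fake_c0t0d0s0" "$work/image1.dd" "$work/journal.txt" tan
acquire_image "$work/fake_c0t0d0s0" "$work/image2.dd" "$work/journal.txt" tan   # second copy
verify_image "$work/image1.dd" "$work/journal.txt" && echo "image1 verified against journal"
```

The journal file is the custodian's record; a copy whose hash no longer matches its journal line fails verify_image and should not be examined.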
Acquisition – Takin' it Off-Line

- SLR: take pictures.
- Considerations before pulling the plug.
- Unplug the system from the network.
- If possible, freeze the system such that the current memory, swap files, and even CPU registers are saved or documented.
- Unplug the system (power).
- Packaging/labeling.
- Shipping.
FBI List of Computer Forensic Laboratory Services

- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)
Summarization of acquisition (1)
Summarization of acquisition (2)
Summarization of acquisition (3)
Summarization of acquisition (4)
Extraction with Lazarus

    Script started on Sat Sep 30 16:23:03 2000
    [root@plaything forensics]# ../tct-1.03/bin/lazarus -B -h -H ../www -D ../blocks -w ../www -t ./valencia.hda1
    [root@plaything www]# cd ../www
    [root@plaything www]# netscape ./valencia.hda1.html
Summarization of extraction (1)
Summarization of extraction (2)
Summarization of extraction (3)
Correlating Log Files

- Where to look
- What do log entries mean?
- How to narrow your search
- How reliable is the data?
Shipping and Storage

- UPS/FEDEX Requirements
- Laboratory Requirements
- Latent Materials
- Tamper Evident Packaging
- Restricted Access and Low Traffic, Camera Monitored Storage
- Sign In/Out for Chain of Custody
Thinking Strategic

- Preparing with procedures and checklists
- Having an evidence locker
- OS Accounting turned on
- Log IP Numbers - DO NOT RESOLVE!
- Clocks synchronized to GPS on GMT
- Evidence Server
- Use of encrypted file systems
- Tools and materials
Pocket Security Toolkit
ADDITIONAL RESOURCES

- RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner's Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
- Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Cryptcat. http://www.farm9.com/Free_Tools/Cryptcat
- Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
- Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
- ONCTek List of possible Trojan/Backdoor Activity. http://www.onctek.com/trojanports.html
- Sixteen Tips for Testifying in Court from the "PI Mall". http://www.pimall.com/nais/n.testify.html
Thank you … very much.