First Responders Course - Session 4 - Forensic Readiness [2004]
The fourth session from a two day course I ran for potential first responders in a large financial services client.
Published in: Technology
Transcript

  • 1. Phil Huggins, February 2004
  • 2. The goals of Forensic Readiness are to decrease the time and cost of Forensic Analysis (and Scope Assessment) while increasing their effectiveness. The main idea in Forensic Readiness is to build an infrastructure that supports the needs (data) of an investigation. The main areas include:
    - Logging and monitoring
    - Build Management & Inventory
    - User Policies
    - Reporting forms
  • 3. Data is critical to Forensic Analysis. If the needed data is not being recorded, then it cannot be used in the investigation. Forensic Readiness assesses what network and system information should be recorded every day and what should be recorded during an incident.
  • 4. Goal: To create data entry forms that will contain the information that needs to be gathered during an incident. Every action performed during an incident should be documented. Forms help to ensure that the proper data is recorded. Examples:
    - Chain of Custody: records who has control of the data at a given time
    - System Acquisition Form: when the response team takes a system from its owner, this records the system description and owner signature
    - Hard Disk Form: records the history of each drive used during the incident, including serial numbers and what systems it was installed in
    - Investigator Log: allows the responder to document their actions
    Form templates are included in your course handbook and will be included on the course CD-ROM.
  • 5. Log data can be crucial to the investigation. There are two major issues with logging and forensics:
    1. Many incidents involve someone having unauthorized privileged user access, and most logs can be modified or deleted by such a user.
    2. Not all systems are logging the information that is useful to an investigation.
  • 6. All servers send a copy of their log data to a dedicated log server.
    - The server can be on the normal network or a dedicated network.
    - The server is secured to only allow log data (syslog) and SSH access, and is considered a critical asset when patching systems.
    - Syslog example: UNIX servers are configured to redirect syslog output; Windows servers use 3rd-party tools to send event logs to the server.
  • 7. All logs can be analyzed on a periodic basis to detect anomalies.
    - This makes it more difficult for an attacker to modify the logs.
    - It is important to correlate events from multiple sources, so we can compare the locally stored logs and the remotely stored logs.
    - This server will be the target of many attacks, which may alert one to other attacks if it is watched closely.
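The comparison slide 7 describes, written out as an added example (this is not code from the course or its author): the same host log as left on the server and as received by the central syslog server are diffed as multisets of lines. Lines the central copy holds but the local copy lacks are the ones a privileged intruder is most likely to have removed; lines present only locally point at forwarding gaps or later local edits. The two log extracts are constructed for the example.

```python
"""Compare a host's locally stored log with the copy held by the central
syslog server. Lines present remotely but absent locally are the ones a
privileged intruder is most likely to have removed on the host; lines present
only locally may indicate forwarding gaps or local tampering after the fact."""
from collections import Counter

# Constructed sample: the same auth log as left on the host (LOCAL) and as
# received by the central log server (REMOTE). Two lines showing a root login
# from an outside address are missing from the local copy.
LOCAL_LOG = """\
Feb 10 09:01:12 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb 10 09:15:40 web01 sshd[2290]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Feb 10 09:30:02 web01 su: pam_unix(su:session): session opened for user root by bob(uid=1001)
"""

REMOTE_LOG = """\
Feb 10 09:01:12 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb 10 09:15:40 web01 sshd[2290]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Feb 10 09:17:03 web01 sshd[2301]: Failed password for root from 192.0.2.44 port 40011 ssh2
Feb 10 09:17:09 web01 sshd[2301]: Accepted password for root from 192.0.2.44 port 40011 ssh2
Feb 10 09:30:02 web01 su: pam_unix(su:session): session opened for user root by bob(uid=1001)
"""


def parse_lines(text):
    """Split a log into non-empty lines with trailing whitespace removed."""
    return [line.rstrip() for line in text.splitlines() if line.strip()]


def _surplus_in_order(lines, surplus):
    """Return the lines of `lines`, in original order, that account for the
    counts in `surplus` (a Counter of line -> how many extra copies)."""
    remaining = Counter(surplus)
    out = []
    for line in lines:
        if remaining[line] > 0:
            out.append(line)
            remaining[line] -= 1
    return out


def compare_logs(local_text, remote_text):
    """Diff two copies of the same log as multisets of lines.

    Returns a dict with:
      missing_locally: lines the central server holds that the host no longer has
      only_local:      lines the host holds that never reached the central server
    Counting (rather than set difference) keeps repeated identical lines honest."""
    local = parse_lines(local_text)
    remote = parse_lines(remote_text)
    local_counts = Counter(local)
    remote_counts = Counter(remote)
    return {
        "missing_locally": _surplus_in_order(remote, remote_counts - local_counts),
        "only_local": _surplus_in_order(local, local_counts - remote_counts),
    }


def suspicious_gap(local_text, remote_text):
    """True when the central copy holds lines the local copy lacks, i.e. the
    local log appears to have been truncated or edited."""
    return bool(compare_logs(local_text, remote_text)["missing_locally"])


if __name__ == "__main__":
    result = compare_logs(LOCAL_LOG, REMOTE_LOG)
    for line in result["missing_locally"]:
        print("MISSING LOCALLY:", line)
    for line in result["only_local"]:
        print("ONLY LOCAL:     ", line)
```

Run periodically (as the slide suggests) against each host's rotated logs; a non-empty `missing_locally` list for a host is worth an alert in its own right, independent of what the missing lines say.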
  • 8. Windows stores logs in event files. 3rd-party programs run on a scheduler and send new event entries to the syslog server:
    - Event Reporter (www.eventreporter.com)
    - NT Syslog (www.ntsyslog.sourceforge.net)
    - evlogsys.pl (Perl script)
    - Back Log (NT only)
    There is a slight window of opportunity with this model for the attacker to delete the logs before the collection tool runs.
  • 9. Goal: To ensure that the proper data is logged and that it is stored in a method that can be used during forensics.
    - Send logs to a central server to secure them during an attack.
    - Ensure log files have strict permissions so only a privileged user can write to them.
    - If possible, only allow the log to be appended to and deny all read access.
    - Identify what OS events should be logged: user logins; system reboots; as much as possible, based on space requirements (process logging can require large amounts of storage).
  • 10. Identify which application events should be logged: as much as possible, based on space requirements.
    - Log all network devices: firewalls, VPNs, routers, dialups, servers.
    - Use Network Time Protocol (NTP) to make log processing across multiple machines easier.
    - Log by IP, do not resolve hostname.
  • 11. Log Integrity
    - Generate MD5 sums of log files when they are saved and rolled over.
    - Use a secure (crypto-based) logging system: Core SDI, syslog-ng, IETF Secure Syslog.
  • 12. Goal: To record needed network traffic to provide new evidence and correlate activity. This is from the investigation perspective, not detection.
    - An IDS system can be used to record all events, but not generate alerts.
    - A general sniffer can record all raw data: tcpdump, Ethereal.
    - Protocol analyzers can process the raw output of tcpdump: NetWitness, Ethereal.
  • 13. Available storage will be the only limitation on how much data can be stored. Specialized hardware or a SAN could be worthwhile. If monitoring is not always on, a dedicated system should exist that can start monitoring when an incident occurs.
  • 14. Goal: To record host activity, not already being logged, which will assist in a forensic investigation. This level of recording is needed for only the most sensitive systems. Keystroke recorders can be either:
    - software: runs as a service and can hide data in an encrypted file or will email it to a remote location
    - hardware: a device that the keyboard plugs into and saves the keystrokes in hardware (does not record the window title)
  • 15. Goal: To document a system's state.
    - A common task in forensics is to identify which binaries were replaced with a trojan version.
    - Change management identifies which patch level the systems should be at.
    - MD5 checksums can be calculated for each machine and stored off-line (similar to Tripwire).
    - Configurations are recorded to identify which services are supposed to be running and which are backdoors.
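Slide 11 (hash rolled-over log files) and slide 15 (hash each machine's binaries and keep the sums off-line, Tripwire-style) both come down to one baseline-and-verify routine, so a single added example serves both. It is not the course's code: it hashes every file under a directory, serialises the result as JSON for off-line storage, and later reports which files changed, disappeared or appeared. MD5 is computed because that is what the slides call for; SHA-256 is recorded alongside it because MD5 collisions are practical today and a baseline that trusts MD5 alone can be fooled. The fake `bin/` tree in `demo()` is constructed for the example.

```python
"""Baseline-and-verify tool in the spirit of Tripwire: hash every file under a
directory, keep the result off-line (here, a JSON document), and later report
what changed, disappeared or appeared. Serves both the log-integrity step
(hash rolled-over log files) and the build-management step (hash installed
binaries)."""
import hashlib
import io
import json
import os
import tempfile

# MD5 is what the course recommends; SHA-256 is recorded alongside because
# MD5 collisions are practical today and a forger can exploit them.
ALGORITHMS = ("md5", "sha256")


def hash_stream(fh, algorithms=ALGORITHMS):
    """Hash a binary stream once with each algorithm, reading in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(65536), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its digests."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline):
    """Serialise for off-line storage (in practice: write to read-only media)."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def load_baseline(text):
    return json.loads(text)


def verify_baseline(root, baseline):
    """Compare the live tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake bin/ tree, then replace one binary
    with a 'trojaned' version, delete another and drop in a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"#!/bin/sh\necho original ls\n"),
                           ("ps", b"#!/bin/sh\necho original ps\n"),
                           ("netstat", b"#!/bin/sh\necho original netstat\n")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(body)
        stored = save_baseline(build_baseline(root))   # would go off-line here

        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho trojaned ls\n")
        os.remove(os.path.join(root, "bin", "ps"))
        with open(os.path.join(root, "bin", "backdoor"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")

        return verify_baseline(root, load_baseline(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For log files the same two calls apply at roll-over: `build_baseline` over the archive directory, and the JSON kept somewhere the logging host cannot write. The verification is only as trustworthy as the copy of the baseline it reads, which is why the slide insists on off-line storage.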
  • 16. Goal: To document ownership of hardware and addresses. This is most useful with internal investigations.
    - Allows one to identify the system with a given MAC address (from DHCP logs).
    - Allows one to identify who has a given hostname (which is found in system logs).
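Slide 16 relies on slide 10's advice to log by IP rather than resolving hostnames: an address in a system log only identifies a machine if you can replay which DHCP lease was active at that moment. The added example below (not course code) parses constructed ISC dhcpd-style DHCPACK/DHCPRELEASE lines from the central log server into a lease timeline and answers "who held this IP at this time". Syslog timestamps carry no year, so the year is assumed to be 2004, the date of the course; the log lines, MAC addresses and hostnames are all constructed.

```python
"""Attribute an address seen in a system log to a physical machine by replaying
the DHCP server's lease log. Because the course logs by IP and never resolves
hostnames, the only way to know which machine (MAC) held 10.0.0.9 at 09:15 is
the lease that was active at that moment, not the one active when the
investigator looks."""
import re
from datetime import datetime

# Syslog timestamps carry no year; the course material is from 2004, so that
# year is assumed here. Real tooling should take the year from the log's own
# rotation or from the collector's metadata.
ASSUMED_YEAR = 2004

# Constructed ISC dhcpd-style lines from the central log server. 10.0.0.9 is
# leased to bob's laptop in the morning, released, and re-leased to a different
# machine later the same day.
DHCP_LOG = """\
Feb 10 08:55:10 dhcp01 dhcpd: DHCPACK on 10.0.0.5 to 00:0c:29:aa:bb:01 (alice-desk) via eth0
Feb 10 09:00:01 dhcp01 dhcpd: DHCPACK on 10.0.0.9 to 00:0c:29:aa:bb:02 (bob-laptop) via eth0
Feb 10 10:58:44 dhcp01 dhcpd: DHCPRELEASE of 10.0.0.9 from 00:0c:29:aa:bb:02 (bob-laptop) via eth0
Feb 10 11:00:30 dhcp01 dhcpd: DHCPACK on 10.0.0.9 to 00:0c:29:aa:bb:07 via eth0
"""

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
_IP = r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
_MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ACK_RE = re.compile(rf"^{_TS} \S+ dhcpd: DHCPACK on {_IP} to {_MAC}(?: \((?P<host>[^)]*)\))? via")
RELEASE_RE = re.compile(rf"^{_TS} \S+ dhcpd: DHCPRELEASE of {_IP} from {_MAC}")


def parse_syslog_time(ts, year=ASSUMED_YEAR):
    """Parse 'Mon DD HH:MM:SS', collapsing the double space syslog uses for
    single-digit days ('Feb  1')."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def build_lease_events(dhcp_text):
    """Return a time-ordered list of (time, ip, mac, hostname_or_None) events;
    a release is recorded with mac=None so the IP is unattributed afterwards."""
    events = []
    for line in dhcp_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            events.append((parse_syslog_time(m["ts"]), m["ip"], m["mac"], m["host"]))
            continue
        m = RELEASE_RE.match(line)
        if m:
            events.append((parse_syslog_time(m["ts"]), m["ip"], None, None))
    events.sort(key=lambda e: e[0])
    return events


def attribute_ip(ip, when, events):
    """Find the lease holder of `ip` at time `when` (a syslog timestamp string).

    Walks the sorted timeline and keeps the last event for that IP at or
    before `when`. Returns {'mac': ..., 'hostname': ...} or None."""
    at = parse_syslog_time(when)
    holder = None
    for ts, lease_ip, mac, host in events:
        if lease_ip != ip or ts > at:
            continue
        holder = None if mac is None else {"mac": mac, "hostname": host}
    return holder


if __name__ == "__main__":
    events = build_lease_events(DHCP_LOG)
    # Constructed system-log line: it recorded the IP, not a hostname, as slide 10 advises.
    sys_line = "Feb 10 09:15:40 web01 sshd[2290]: Accepted password for bob from 10.0.0.9 port 51100 ssh2"
    print(attribute_ip("10.0.0.9", sys_line[:15], events))
```

The mapping is only as good as the clocks behind it: the system log and the DHCP log must agree on time, which is the practical reason slide 10 pairs "log by IP" with "use NTP".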
  • 17. Goal: To set users' expectation of privacy appropriately.
    - An investigation may need access to a user's mailbox or other "private" data.
    - Identifying how much privacy users have should be discussed before an incident occurs.
    - The Data Protection Act requires users to be notified of and to accept any monitoring, and for monitoring to be a normal administration task. Suddenly increasing monitoring is not acceptable under the DPA.
  • 18. Goal: To build the infrastructure needed for an in-house forensics lab (if one does not outsource it). The forensics lab has unique requirements compared with other technology labs because of its legal requirements. Location:
    - Little traffic
    - Secured by key badge or other auditable mechanism
    - Camera surveillance
    - Separate computer network
    - A safe for long-term data storage (with sign-out sheets)
  • 19. Contents will vary depending on supported platforms.
    - At least one system of each supported platform.
    - Linux can mount most file system images, and tools exist for more advanced analysis (The Sleuth Kit).
    - Windows does not have many tools native to it, but specialized tools exist for analysis of Windows systems (EnCase etc.).
    - Binary analysis capabilities.
    - Malicious code monitoring capabilities.
  • 20. Many proactive steps can be performed to effectively handle incidents. Readiness forces an organization to consider how to handle an incident before it occurs. The amount of documentation required will depend on the organization.