First Responders Course - Session 4 - Forensic Readiness [2004]
The fourth session from a two day course I ran for potential first responders in a large financial services client.

Slide 1
  Phil Huggins, February 2004
Slide 2
  - The goals of Forensic Readiness are to decrease the time and cost of Forensic Analysis (and Scope Assessment) while increasing their effectiveness.
  - The main idea in Forensic Readiness is to build an infrastructure that supports the needs (data) of an investigation.
  - The main areas include:
    - Logging and monitoring
    - Build Management & Inventory
    - User Policies
    - Reporting forms
Slide 3
  - Data is critical to Forensic Analysis. If the needed data is not being recorded, then it cannot be used in the investigation.
  - Forensic Readiness assesses what network and system information should be recorded every day and what should be recorded during an incident.
Slide 4
  - Goal: To create data entry forms that will contain the information that needs to be gathered during an incident.
  - Every action performed during an incident should be documented. Forms help to ensure that the proper data is recorded.
  - Examples:
    - Chain of Custody: records who has control of the data at a given time.
    - System Acquisition Form: when the response team takes a system from its owner, this records the system description and the owner's signature.
    - Hard Disk Form: records the history of each drive used during the incident, including serial numbers and what systems it was installed in.
    - Investigator Log: allows the responder to document their actions.
  - Form templates are included in your course handbook and will be included on the course CD-ROM.
Slide 5
  - Log data can be crucial to the investigation.
  - There are two major issues with logging and forensics:
    1. Many incidents involve someone having unauthorized privileged user access, and most logs can be modified or deleted by such a user.
    2. Not all systems are logging the information that is useful to an investigation.
Slide 6
  - All servers send a copy of their log data to a dedicated log server.
  - The server can be on the normal network or on a dedicated network.
  - The server is secured to only allow log data (syslog) and SSH access, and is considered a critical asset when patching systems. (Classic syslog travels over UDP with no authentication, so the server should accept it only from the addresses of the hosts that are expected to forward to it.)
  - Syslog example:
    - UNIX servers are configured to redirect syslog output (for classic syslogd, a line such as "*.* @loghost" in /etc/syslog.conf forwards every message to the log host).
    - Windows servers use 3rd party tools to send event logs to the server.
Slide 7
  - All logs can be analyzed on a periodic basis to detect anomalies.
  - Makes it more difficult for an attacker to modify the logs.
  - It is important to correlate events from multiple sources, so we can compare the locally stored logs and the remotely stored logs.
  - This server will be the target of many attacks, which may alert one to other attacks if it is watched closely.
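The comparison slide 7 calls for, as an added example that is not part of the original course material: the host's local syslog is diffed against the copy the central log server received for that host. Entries the server holds but the host no longer has are candidates for deletion by an intruder (the privileged-user problem from slide 5); entries the host has but the server never received point at broken or deliberately stopped forwarding. The log lines, hostnames and addresses are constructed for the example; the syslog line format assumed is the classic BSD "Mon DD HH:MM:SS host program[pid]: message".

```python
"""Added example (not from the original slides): detect log entries that were
deleted from a host's local syslog by comparing it against the copy held on
the central log server, as slide 7 recommends.

All log lines below are constructed sample data; hosts and addresses are
made up.
"""
import re
from collections import Counter

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Return (timestamp, host, message) or None for lines that are not syslog."""
    m = SYSLOG_RE.match(line)
    return (m.group("ts"), m.group("host"), m.group("msg")) if m else None


def _entries(lines, host):
    """Multiset of parsed entries for one host (identical lines can legitimately repeat)."""
    entries = Counter()
    for line in lines:
        entry = parse_syslog_line(line)
        if entry and entry[1] == host:
            entries[entry] += 1
    return entries


def compare_logs(local_lines, remote_lines, host):
    """Compare a host's local log with the log server's copy of that host's entries.

    Returns (deleted_locally, never_forwarded):
      deleted_locally  - entries the server received but the host no longer has
      never_forwarded  - entries on the host that never reached the server
                         (forwarding stopped, UDP loss, or written after the
                         intruder disabled forwarding)
    Both lists hold the reassembled raw lines, sorted as text (fine within one
    month; a real tool would parse the timestamps first).
    """
    local = _entries(local_lines, host)
    remote = _entries(remote_lines, host)
    deleted = [" ".join(e) for e in (remote - local).elements()]
    never_forwarded = [" ".join(e) for e in (local - remote).elements()]
    return sorted(deleted), sorted(never_forwarded)


# Constructed: the auth log on web1 after the intruder removed the lines that
# recorded their own root login and the account they added.
LOCAL_LOG = """\
Feb 10 09:14:02 web1 sshd[4211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb 10 09:20:45 web1 cron[4300]: (root) CMD (run-parts /etc/cron.hourly)
Feb 10 09:31:10 web1 sshd[4388]: Accepted password for alice from 10.0.0.5 port 51100 ssh2
Feb 10 09:42:07 web1 sshd[4401]: Accepted password for alice from 10.0.0.5 port 51130 ssh2
"""

# Constructed: the same period as received by the central log server, which
# also holds entries from other hosts that must be ignored for this host.
# Forwarding from web1 stopped before the 09:42 login, so that entry is absent.
REMOTE_LOG = """\
Feb 10 09:14:02 web1 sshd[4211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb 10 09:15:30 db1 sshd[2210]: Accepted publickey for backup from 10.0.0.9 port 40010 ssh2
Feb 10 09:17:33 web1 sshd[4250]: Accepted password for root from 192.0.2.44 port 40112 ssh2
Feb 10 09:18:01 web1 useradd[4262]: new user: name=sysadm, UID=0, GID=0, home=/root, shell=/bin/sh
Feb 10 09:20:45 web1 cron[4300]: (root) CMD (run-parts /etc/cron.hourly)
Feb 10 09:31:10 web1 sshd[4388]: Accepted password for alice from 10.0.0.5 port 51100 ssh2
"""


def run_demo():
    """Run the comparison over the constructed logs for host web1."""
    return compare_logs(LOCAL_LOG.splitlines(), REMOTE_LOG.splitlines(), "web1")


if __name__ == "__main__":
    deleted, missing = run_demo()
    print("On the log server but missing from web1 (possible deletion):")
    for line in deleted:
        print("  " + line)
    print("On web1 but never received by the log server:")
    for line in missing:
        print("  " + line)
```

An entry that was edited rather than deleted shows up as one line in each list with the same timestamp, which is itself a useful signal. The central copy can only vouch for what it received: with the scheduled collectors described for Windows on slide 8, an entry deleted before the collector runs appears in neither list.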
Slide 8
  - Windows stores logs in event files.
  - 3rd party programs run on a scheduler and send new event entries to the syslog server:
    - Event Reporter (www.eventreporter.com)
    - NT Syslog (www.ntsyslog.sourceforge.net)
    - evlogsys.pl (Perl script)
    - Back Log (NT only)
  - There is a slight window of opportunity with this model for the attacker to delete the logs before the collection tool runs.
Slide 9
  - Goal: To ensure that the proper data is logged and that it is stored in a way that can be used during forensics.
  - Send logs to a central server to secure them during an attack.
  - Ensure log files have strict permissions so only a privileged user can write to them. If possible, only allow the log to be appended to and deny all read access.
  - Identify what OS events should be logged:
    - User logins
    - System reboots
    - As much as possible, based on space requirements (process logging can require large amounts of storage)
Slide 10
  - Identify which application events should be logged: as much as possible, based on space requirements.
  - Log all network devices: firewalls, VPNs, routers, dialups, servers.
  - Use Network Time Protocol (NTP) to make log processing across multiple machines easier.
  - Log by IP, do not resolve hostnames (reverse DNS is slow, is controlled by whoever owns the address block, and may resolve differently by the time the log is examined).
Slide 11
  - Log integrity:
    - Generate MD5 sums of log files when they are saved and rolled over. (MD5 collisions have since been demonstrated, so use SHA-256 today, and keep the sums somewhere an attacker who can rewrite the logs cannot also rewrite them, such as on the log server.)
    - Use a secure (crypto-based) logging system:
      - Core SDI
      - syslog-ng
      - IETF Secure Syslog
Slide 12
  - Goal: To record needed network traffic to provide new evidence and correlate activity. This is from the investigation perspective, not detection.
  - An IDS system can be used to record all events, but not generate alerts.
  - A general sniffer can record all raw data: tcpdump, Ethereal.
  - Protocol analyzers can process the raw output of tcpdump: NetWitness, Ethereal.
Slide 13
  - Available storage will be the only limitation on how much data can be stored.
  - Specialized hardware or a SAN could be worthwhile.
  - If monitoring is not always on, a dedicated system should exist that can start monitoring when an incident occurs.
Slide 14
  - Goal: To record host activity, not already being logged, which will assist in a forensic investigation. This level of recording is needed for only the most sensitive systems.
  - Keystroke recorders can be either:
    - Software: runs as a service and can hide the data in an encrypted file or email it to a remote location.
    - Hardware: a device that the keyboard plugs into and that saves the keystrokes in hardware (does not record the window title).
Slide 15
  - Goal: To document a system's state.
  - A common task in forensics is to identify which binaries were replaced with a trojan version.
  - Change management identifies which patch level the systems should be at.
  - MD5 checksums can be calculated for each machine and stored off-line (similar to Tripwire).
  - Configurations are recorded to identify which services are supposed to be running and which are backdoors.
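A minimal Tripwire-style baseline for the "document a system's state" step on slide 15, added here as an example and not part of the original course material. It records a hash, the permission bits and the size of every regular file under a tree, writes the manifest as plain text so it can be stored off-line, and later compares the live tree against it to flag replaced, added or removed files. SHA-256 is used in place of the MD5 named on the slide; the demo "system" (a temporary directory with fake binaries and a fake inetd.conf) is constructed in the code, and the rootkit scenario it plays out is hypothetical.

```python
"""Added example (not from the original slides): Tripwire-style baseline and
comparison for the system-state documentation on slide 15.

SHA-256 replaces the MD5 on the slide; the demo tree is constructed here.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def file_fingerprint(path):
    """(sha256 hex, permission bits as octal text, size) for one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return (digest.hexdigest(), oct(stat.S_IMODE(st.st_mode)), st.st_size)


def build_baseline(root):
    """Map relative path (with '/' separators) -> fingerprint for every regular file.

    Symlinks are skipped: the link itself has no content worth hashing, and
    hashing its target would not reveal a link that was re-pointed at a trojan.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_fingerprint(full)
    return baseline


def dump_baseline(baseline):
    """One 'sha256 mode size path' line per file; path last because it may contain spaces."""
    return "".join(
        f"{sha} {mode} {size} {path}\n"
        for path, (sha, mode, size) in sorted(baseline.items())
    )


def load_baseline(text):
    """Inverse of dump_baseline."""
    baseline = {}
    for line in text.splitlines():
        sha, mode, size, path = line.split(" ", 3)
        baseline[path] = (sha, mode, int(size))
    return baseline


def compare_baseline(expected, current):
    """Report paths whose fingerprint changed, and paths that appeared or vanished."""
    return {
        "modified": sorted(p for p in expected if p in current and expected[p] != current[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }


def run_demo():
    """Build a throwaway tree, baseline it, 'trojan' it, and return the comparison."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        for name, body in (("ls", b"\x7fELF original ls"), ("ps", b"\x7fELF original ps")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, "bin", name), 0o755)
        with open(os.path.join(root, "etc", "inetd.conf"), "w") as fh:
            fh.write("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n")

        # Manifest as written at build time; in practice it goes off-line (CD,
        # the log server) so the intruder cannot bring it into line with the trojans.
        stored = dump_baseline(build_baseline(root))

        # Hypothetical intrusion: ps is replaced by a copy that hides processes,
        # a backdoor binary appears, and a config file is removed.
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"\x7fELF rootkit ps hiding pid 31337")
        with open(os.path.join(root, "bin", ".x"), "wb") as fh:
            fh.write(b"\x7fELF bindshell")
        os.remove(os.path.join(root, "etc", "inetd.conf"))

        return compare_baseline(load_baseline(stored), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the tools that run it: a rootkit that has replaced the kernel or the hashing program can feed the comparison clean data, so on a suspect machine the baseline should be verified from trusted boot media, and the stored manifest must never be writable from the host it describes.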
Slide 16
  - Goal: To document ownership of hardware and addresses.
  - This is most useful with internal investigations.
  - Allows one to identify the system with a given MAC address (from DHCP logs).
  - Allows one to identify who has a given hostname (which is found in system logs).
Slide 17
  - Goal: To set users' expectation of privacy appropriately.
  - An investigation may need access to a user's mailbox or other "private" data.
  - Identifying how much privacy users have should be discussed before an incident occurs.
  - The Data Protection Act requires users to be notified of and to accept any monitoring, and for monitoring to be a normal administration task. Suddenly increasing monitoring is not acceptable under the DPA.
Slide 18
  - Goal: To build the infrastructure needed for an in-house forensics lab (if one does not outsource it).
  - The forensics lab has requirements that differ from other technology labs because of its legal requirements:
    - Location with little traffic
    - Secured by key badge or other auditable mechanism
    - Camera surveillance
    - Separate computer network
    - A safe for long-term data storage (with sign-out sheets)
Slide 19
  - Contents will vary depending on the supported platforms.
  - At least one system of each supported platform.
  - Linux can mount most file system images, and tools exist for more advanced analysis (The Sleuth Kit).
  - Windows does not have many tools native to it, but specialized tools exist for analysis of Windows systems (EnCase etc.).
  - Binary analysis capabilities.
  - Malicious code monitoring capabilities.
Slide 20
  - Many proactive steps can be performed to effectively handle incidents.
  - Readiness forces an organization to consider how to handle an incident before it occurs.
  - The amount of documentation required will depend on the organization.
