Digital Evidence: Incident Response and Computer Forensics

Agenda
- What do you see?
- Preparing for Incident Response
- Establish Security Policies
- Establish Security Practices
- Train Employees
- Enumerate Assets
- Risk Management
- Security Procedures - Hosts
- Cryptographic Checksums
- Common Hash Functions
- Labs
- Windows Logging
- Linux/Unix Logging
- Securing Syslog Infrastructure
- Netflow & Log Infrastructure
- Creating the IRT
- Establishing Incident Response Policies
- Goals of Incident Response
- Possible Reactions
- Guiding Principles of Incident Management – Part I
- Guiding Principles of Incident Management – Part II
- Coordinating the Response
- Incident Response Hardware
- Software
- Helix – Forensic Toolkit
- End

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." – Gene Spafford

What do you see?

Preparing for Incident Response
- Establish security policies
- Enumerate the assets to be protected
- Identify the risks faced by those assets
- Establish security procedures (host and network security)
- Establish incident response policies and objectives
- Create a CSIRT and a toolkit

Establish Security Policies
- InfoSec policies are high-level, strategic goals of InfoSec, not operational ("how to") documents
- Read Scott Barman's Writing Information Security Policies
- Keep them short and tight
- Bad policies can be a GOOJF ("get out of jail free") card*

Establish Security Practices
- Standards, guidelines and procedures enumerate the "how to"
- Delegate to department level if possible
- Audit for compliance with InfoSec policies
- Update regularly

Train Employees
- To comply with policies
- To spot and report incidents
- Strategies: teamwork model, carrot model, stick model

Enumerate Assets
- Can we afford to protect everything? What is really important?
- People – leadership, critical workers
- Processes – money, information transfers
- Technology – systems, networks
- Items of potentially intangible worth: corporate reputation, intellectual property, non-public personally identifiable information
- OCTAVE methodology

Risk Management
- Risk = Threat x Vulnerability
- What are the vulnerabilities? Establish mitigating controls
- What threats are faced by corporate reputation, intellectual property and non-public personally identifiable information?
- Monitoring, intelligence and analysis

Security Procedures - Hosts
- Record cryptographic checksums: National Software Reference Library; MD5, SHA-1, Tripwire, md5deep
- Enable host logging or auditing
- Establish secure backup procedures
- Educate users on host security
- Establish a SEAT program

Cryptographic Checksums
- A reductive hash function algorithm applied to reduce input data to a unique signature output value
- Useful for verifying the integrity and authenticity of digital evidence or file system information
- "Collisions" are possible

Common Hash Functions
- Message Digest 5 (MD5) = 128-bit hash
- Secure Hash Algorithm (SHA-1) = 160-bit hash
- SHA-256 = 256-bit hash

Labs
- md5sum hash function lab
- SHA-256 lab
- md5deep (Jesse Kornblum, AFOSI): multiple hash functions (MD5, SHA-1, SHA-256, Tiger, Whirlpool); allows recursive hashing; see the man page

Windows Logging
- Obfuscated binary format (grr)
- Requires event-to-syslog translators

Linux/Unix Logging
- Unix/Linux log to syslog
- Edit /etc/syslog.conf or the /etc/syslog.d files
- Enable Cisco syslog logging; most devices support syslog
- Syslog is not forensically sound: UDP, port 514
- Use a write-only logging configuration

Securing Syslog Infrastructure
- Inter-site logging over VPN
- Multi-homed host: NIC1 – write-only configuration; NIC2 – management
- Hardened system: no other services on the host
- Syslog-NG
- Secure syslog

Netflow & Log Infrastructure
- A network flow is a unidirectional sequence of packets all sharing the same source and destination IP address, source and destination port, and IP protocol
- The protocol is supported by most Cisco gear
- Ntop tracks these flows in a round-robin database application
- For what could this be used?

Creating the IRT

Establishing Incident Response Policies
- Establish a protocol
- Establish reporting procedures (helpdesk, managers, etc.)
- Establish initial response procedures
- Escalation and handoff

Goals of Incident Response
- Avoid negative publicity
- Protect shareholder value
- Defend against legal challenges
- Defend against further attacks
- Arrest and prosecute offenders

Possible Reactions
- Call law enforcement
- Call in private investigators* (GA law)
- Ignore the incident
- Implement mitigating controls
- Surveillance and counter-intelligence
- Identify and disable the attackers*

Guiding Principles of Incident Management – Part I
- Business effect of the event: downtime, exposure, publicity
- Legal issues and constraints: policy vs. law; internal vs. external handling
- National, regional, state and local laws
- Trap and trace requires the consent of one of the parties or a court order; potential ECPA violations

Guiding Principles of Incident Management – Part II
- Political considerations, internal and external
- Technical capabilities of the team
- Funding / available resources
- Does the organizational will exist to see the event through to a legal conclusion?

Coordinating the Response
- Internet service providers: establish SLEs; establish contact with NOC abuse contacts
- With foreign ISPs: good luck!
- Pre-establish contact with LE if possible
- Consider a public relations IRT member

Incident Response Hardware
- Laptops* – extra hard disks
- Lots of storage (portable RAID array)
- Hardware drive copiers
- Write-blocking hardware
- Diverse array of IDE and SCSI adapters
- Cameras – digital vs. analog
- Voice recorders for notes
- Video camera with removable microphone

Software
- Disk analysis: the FBI uses AccessData FTK (*academic); EnCase is popular and $3000; Sleuthkit and Autopsy are widely accepted; Helix – bootable CD-based forensic toolkit
- Network analysis: Snort/tcpdump, NetIntercept, NetWitness
- Understanding the operation of tools is very important. However, being too tool-focused can cost one objectivity.

Helix – Forensic Toolkit
- Helix – an open source toolkit developed by Drew Fahey, former AFOSI / FBI investigator
- Includes The Coroner's Toolkit, Sleuthkit / Autopsy and command-line carving tools
- Live
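The "Cryptographic checksums", "Common Hash Functions" and "Labs" slides above describe recording MD5/SHA-1/SHA-256 checksums of a host and re-hashing it later to spot tampering. The following is an added example, not code from the deck or from md5deep: it hashes a file tree recursively with the standard library, compares a recorded baseline against a fresh manifest, and filters out files whose digest appears in a known-good reference set (the role the NSRL plays on the slide). The function names, the temporary evidence tree and its file contents are all constructed for the illustration.

```python
"""Record and verify cryptographic checksums of a file tree (md5deep-style).

Added illustration for the checksum slides; not part of the original deck.
Uses only the Python standard library. All sample files are constructed in
a temporary directory and deleted afterwards.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Algorithms named on the slides that hashlib always provides. Tiger is not
# in hashlib and Whirlpool depends on the OpenSSL build, so both are omitted.
ALGORITHMS = ("md5", "sha1", "sha256")


def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, reading it in chunks so a
    large evidence image does not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root, algorithms=ALGORITHMS):
    """Recursively hash every regular file under root (the md5deep -r idea).
    Keys are POSIX-style paths relative to root so the manifest can be
    compared across machines and mount points."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                manifest[full.relative_to(root).as_posix()] = file_digests(full, algorithms)
    return manifest


def compare_manifests(baseline, current, algorithm="sha256"):
    """Diff a recorded baseline against a fresh manifest and report files
    that were added, removed, or whose digest changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p][algorithm] != current[p][algorithm]
    )
    return {"added": added, "removed": removed, "modified": modified}


def filter_known_good(manifest, known_good_sha256):
    """Drop files whose SHA-256 is in a known-good reference set, leaving only
    the files an examiner still has to look at."""
    return {p: d for p, d in manifest.items() if d["sha256"] not in known_good_sha256}


def demo():
    """Build a constructed evidence tree, baseline it, tamper with it, and
    return (differences, baseline manifest, current manifest)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"hello")  # stands in for a system binary
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_bytes(b"welcome\n")
        baseline = hash_tree(root)

        # Simulated post-incident state: a binary altered by one byte,
        # a file dropped into tmp, and a file deleted.
        (root / "bin" / "ls").write_bytes(b"hellO")
        (root / "tmp").mkdir()
        (root / "tmp" / "dropped.txt").write_bytes(b"unexpected\n")
        (root / "etc" / "motd").unlink()
        current = hash_tree(root)

        return compare_manifests(baseline, current), baseline, current


if __name__ == "__main__":
    diff, _, _ = demo()
    for kind, files in diff.items():
        print(f"{kind}: {files}")
```

A one-byte change in `bin/ls` produces a completely different digest under every algorithm, which is what makes the baseline useful; the manifest should itself be stored (and ideally signed) off the host it describes, since a checksum list kept on the compromised machine can be rewritten along with the files.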
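The "Netflow & Log Infrastructure" slide defines a flow as a unidirectional run of packets sharing source/destination address, source/destination port and protocol, and asks what such records could be used for. The following is an added example, not code from the deck and not Ntop's or Cisco's implementation: it folds constructed packet records into flows keyed on that 5-tuple (with an idle timeout, as flow exporters use), then answers the slide's question with two defender-side queries over the flow records: per-source byte totals and sources that touch many distinct destination ports with one-packet flows. The `Packet` and `Flow` types, the function names and all addresses and timestamps are constructed for the illustration.

```python
"""Aggregate packet records into unidirectional network flows.

Added illustration for the Netflow slide; not part of the original deck.
The packet records are constructed sample data using documentation
address ranges; the 5-tuple key follows the slide's definition.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds (constructed timeline)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "tcp", "udp", ...
    size: int      # bytes on the wire


@dataclass
class Flow:
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def flow_key(pkt):
    """The slide's 5-tuple. Direction matters: A->B and B->A are two flows."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


def build_flows(packets, idle_timeout=60.0):
    """Fold packets into flows. A gap longer than idle_timeout on the same key
    closes the flow and starts a new record, as an exporter's idle timer does."""
    open_flows = {}
    closed = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = flow_key(pkt)
        flow = open_flows.get(key)
        if flow is not None and pkt.ts - flow.last_seen > idle_timeout:
            closed.append(open_flows.pop(key))
            flow = None
        if flow is None:
            flow = open_flows[key] = Flow(key, pkt.ts, pkt.ts)
        flow.last_seen = pkt.ts
        flow.packets += 1
        flow.octets += pkt.size
    closed.extend(open_flows.values())
    return closed


def octets_by_source(flows):
    """Bytes sent per source address: the 'who moved how much data' view."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.key[0]] += f.octets
    return dict(totals)


def find_port_sweeps(flows, min_targets=10):
    """Sources whose TCP flows touch at least min_targets distinct (dst, port)
    pairs: many tiny flows from one host is a shape flow data exposes well."""
    targets = defaultdict(set)
    for f in flows:
        if f.key[4] == "tcp":
            targets[f.key[0]].add((f.key[1], f.key[3]))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def _sample_packets():
    """Constructed traffic: an HTTPS exchange, a syslog feed over UDP/514
    (the transport named on the logging slides), and one host probing
    twelve ports on another."""
    pkts = []
    for ts, size in ((0.0, 60), (1.0, 1500), (2.0, 1500)):
        pkts.append(Packet(ts, "10.0.0.5", "203.0.113.7", 51000, 443, "tcp", size))
    for ts in (0.5, 1.5):  # replies travel in a separate flow
        pkts.append(Packet(ts, "203.0.113.7", "10.0.0.5", 443, 51000, "tcp", 60))
    # Same 5-tuple long after the idle timeout: becomes a second flow record.
    pkts.append(Packet(200.0, "10.0.0.5", "203.0.113.7", 51000, 443, "tcp", 60))
    for ts in (3.0, 4.0):
        pkts.append(Packet(ts, "10.0.0.5", "10.0.0.50", 40000, 514, "udp", 200))
    for i in range(12):
        pkts.append(Packet(5.0 + i, "10.0.0.9", "10.0.0.20", 45000 + i, 1 + i, "tcp", 60))
    return pkts


SAMPLE_PACKETS = _sample_packets()

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    print(f"{len(flows)} flow records")
    print("bytes by source:", octets_by_source(flows))
    print("port-sweep candidates:", find_port_sweeps(flows))
```

Flow records carry no payload, which is why the slide groups them with log infrastructure rather than packet capture: they are cheap to keep for long periods and answer "who talked to whom, when, and how much" after the fact, but confirming what was transferred still needs the host checksums, syslog records or a capture from the same window.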