NOVA ITE 100 - Incident Response and Computer Forensics

Outline:
- Digital Evidence
- What do you see?
- Preparing for Incident Response
- Establish Security Policies
- Establish Security Practices
- Train Employees
- Enumerate Assets
- Risk Management
- Security Procedures - Hosts
- Cryptographic Checksums
- Common Hash Functions
- Labs
- Windows Logging
- Linux/Unix Logging
- Securing Syslog Infrastructure
- Netflow & Log Infrastructure
- Creating the IRT
- Establishing Incident Response Policies
- Goals of Incident Response
- Possible Reactions
- Guiding Principles of Incident Management – Part I
- Guiding Principles of Incident Management – Part II
- Coordinating the Response
- Incident Response Hardware
- Software
- Helix – Forensic Toolkit
- End

Digital Evidence: Incident Response and Computer Forensics

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." (Gene Spafford)

Preparing for Incident Response

What do you see?

Preparing for Incident Response
- Establish Security Policies
- Enumerate Assets to be Protected
- Identify Risks Faced by Assets
- Establish Security Procedures (Host and Network Security)
- Establish Incident Response Policies and Objectives
- Create a CISRT and Toolkit

Establish Security Policies
InfoSec Policies Are:
- High-level, strategic goals of InfoSec
- Not operational ("how to")
- Read Scott Barman's Writing Information Security Policies
- Keep them short and tight
- Bad policies can be a GOOJF card*

Establish Security Practices
- Standards, Guidelines and Procedures
- Enumerate the "how to"
- Delegate to department level if possible
- Audit for compliance with InfoSec policies
- Update regularly

Train Employees
- To comply with policies
- To spot and report incidents
- Strategies: Teamwork Model, Carrot Model, Stick Model

Enumerate Assets
- Can we afford to protect everything?
- What is really important?
  - People – Leadership, Critical Workers
  - Processes – Money, Information Transfers
  - Technology – Systems, Networks
- Items of potentially intangible worth:
  - Corporate Reputation
  - Intellectual Property
  - Non-Public Personally Identifiable Information
- OCTAVE Methodology

Risk Management
- Risk = Threat x Vulnerability
- What are the vulnerabilities?
- Establish mitigating controls
- What threats are faced by:
  - Corporate Reputation
  - Intellectual Property
  - Non-Public Personally Identifiable Information
- Monitoring, Intelligence and Analysis

Security Procedures - Hosts
- Record Cryptographic Checksums
  - National Software Reference Library
  - MD5, SHA-1, Tripwire, md5deep
- Enable Host Logging or Auditing
- Establish Secure Backup Procedures
- Educate Users on Host Security
- Establish a SEAT Program

Cryptographic Checksums
- A reductive hash function algorithm applied to reduce input data to a unique signature output value
- Useful for verifying integrity and authenticity of digital evidence or file system information
- "Collisions" are possible

Common Hash Functions
- Message Digest 5 (MD5) = 128-bit hash
- Secure Hash Algorithm (SHA-1) = 160-bit hash
- SHA-256 = 256-bit hash

Labs
- md5sum Hash Function Lab
- SHA-256 Lab
- md5deep (Jesse Kornblum, AFOSI)
  - Multiple hash functions: MD5, SHA-1, SHA-256, Tiger, Whirlpool
  - Allows for recursive hashing
  - Man page

Windows Logging
- Obfuscated binary format (grr)
- Requires event-to-syslog translators

Linux/Unix Logging
- Unix / Linux log to syslog
- Edit /etc/syslog.conf or /etc/syslog.d files
- Enable Cisco syslog logging
- Most devices support syslog
- Syslog is not forensically sound (UDP – port 514)
- Write-only logging configuration

Securing Syslog Infrastructure
- Inter-site logging over VPN
- Multi-homed host
  - NIC1 – write-only configuration
  - NIC2 – management
- Hardened system: no other services on the host
- Syslog-NG
- Secure Syslog

Netflow & Log Infrastructure
- A network flow is a unidirectional sequence of packets all sharing the same source and destination IP address, source and destination port, and IP protocol
- Protocol supported by most Cisco gear
- Ntop tracks these flows in a round-robin database application
- For what could this be used?

Creating the IRT

Establishing Incident Response Policies
- Establish a protocol
- Establish reporting procedures (helpdesk, managers, etc.)
- Establish initial response procedures
- Escalation and handoff

Goals of Incident Response
- Avoid negative publicity
- Protect shareholder value
- Defend against legal challenges
- Defend against further attacks
- Arrest and prosecute offenders

Possible Reactions
- Call law enforcement
- Call in private investigators* (GA law)
- Ignore the incident
- Implement mitigating controls
- Surveillance and counter-intelligence
- Identify and disable the attackers*

Guiding Principles of Incident Management – Part I
- Business effect of the event: downtime, exposure, publicity
- Legal issues and constraints
  - Policy vs. law; internal vs. external handling
  - National, regional, state and local laws
  - Trap and trace requires consent of one of the parties or a court order
  - Potential ECPA violations

Guiding Principles of Incident Management – Part II
- Political considerations, internal and external
- Technical capabilities of the team
- Funding / available resources
- Does the organizational will exist to see the event through to a legal conclusion?

Coordinating the Response
- Internet Service Providers
  - Establish SLEs
  - Establish contact with NOC
  - Abuse contacts with foreign ISPs: good luck!
- Pre-establish contact with LE if possible
- Consider a public relations IRT member

Incident Response Hardware
- Laptops* – extra hard disks
- Lots of storage (portable RAID array)
- Hardware drive copiers
- Write-blocking hardware
- Diverse array of IDE, SCSI adapters
- Cameras – digital vs. analog
- Voice recorders for notes
- Video camera with removable microphone

Software
- Disk Analysis
  - FBI uses AccessData FTK (*academic)
  - EnCase is popular and $3000
  - Sleuthkit and Autopsy are widely accepted
  - Helix – bootable CD-based forensic toolkit
- Network Analysis
  - Snort/tcpdump, NetIntercept, NetWitness
- Understanding the operation of tools is very important. However, being too tool-focused can cost one objectivity.

Helix – Forensic Toolkit
- Helix – an open source toolkit
- Developed by Drew Fahey, former AFOSI / FBI investigator
- Includes:
  - The Coroner's Toolkit
  - Sleuthkit / Autopsy
  - Command-line carving tools
  - Live
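The "Record Cryptographic Checksums" and "Labs" slides describe recording MD5/SHA-1/SHA-256 checksums for a file tree and re-checking it later, as md5deep does recursively. The following is an added example written for this page, not code from the deck or from md5deep; the directory layout and file contents are constructed, and the baseline/compare functions are illustrative names.

```python
"""Recursive multi-algorithm hashing with baseline comparison (added example).

Records MD5, SHA-1 and SHA-256 digests for every file under a directory and later
checks the tree against that recorded baseline. File names and contents are
constructed for the demonstration only.
"""
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")  # the functions the deck lists


def hash_file(path, algorithms=ALGORITHMS, chunk=65536):
    """Return {algorithm: hexdigest} for one file, read in fixed-size chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root):
    """Recursively hash every regular file under root (like md5deep -r)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, current):
    """Classify files relative to a recorded baseline.

    A file counts as modified if any recorded digest differs, so a collision in
    one algorithm (the deck's caveat) is still caught by the other digests.
    """
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a small tree, then change it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "bin").mkdir()
        Path(d, "bin", "ls").write_bytes(b"original ls binary")
        Path(d, "etc.conf").write_bytes(b"setting=1\n")
        baseline = hash_tree(d)
        Path(d, "bin", "ls").write_bytes(b"changed ls binary")   # modified
        Path(d, "bin", "extra").write_bytes(b"new file")          # added
        Path(d, "etc.conf").unlink()                              # missing
        return compare_to_baseline(baseline, hash_tree(d))
```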
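The "Netflow & Log Infrastructure" slide defines a flow as a unidirectional sequence of packets sharing source and destination IP, source and destination port, and IP protocol, and asks what flow records could be used for. This added example, written for this page and not Cisco NetFlow or ntop code, applies that definition to a constructed packet list and shows one typical use, a per-source fan-out count; the function and field names are this example's own.

```python
"""Build unidirectional flows from packet records (added example).

Each packet record is (timestamp, src_ip, dst_ip, src_port, dst_port, proto,
length). Packets are grouped by the five fields in the deck's definition; a
reply from dst back to src lands in a separate flow because its source and
destination fields are swapped. The sample packets are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # 6 = TCP, 17 = UDP


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def build_flows(packets):
    """Aggregate packet records into {FlowKey: Flow}."""
    flows = {}
    for ts, src, dst, sport, dport, proto, length in packets:
        key = FlowKey(src, dst, sport, dport, proto)
        if key not in flows:
            flows[key] = Flow(first_seen=ts, last_seen=ts)
        f = flows[key]
        f.packets += 1
        f.bytes += length
        f.first_seen = min(f.first_seen, ts)
        f.last_seen = max(f.last_seen, ts)
    return flows


def distinct_targets_per_source(flows):
    """One use of flow records: count distinct (dst_ip, dst_port) pairs each
    source touched. This is cheap to keep at scale and makes a host that fans
    out to many services stand out from ordinary client traffic."""
    targets = defaultdict(set)
    for key in flows:
        targets[key.src_ip].add((key.dst_ip, key.dst_port))
    return {src: len(t) for src, t in targets.items()}


# Constructed sample: one normal HTTPS session plus a host touching four services.
SAMPLE_PACKETS = [
    (1.0, "10.0.0.5", "198.51.100.7", 51000, 443, 6, 60),
    (1.1, "198.51.100.7", "10.0.0.5", 443, 51000, 6, 1500),
    (1.2, "10.0.0.5", "198.51.100.7", 51000, 443, 6, 40),
    (2.0, "10.0.0.9", "10.0.0.1", 40000, 22, 6, 60),
    (2.1, "10.0.0.9", "10.0.0.1", 40001, 23, 6, 60),
    (2.2, "10.0.0.9", "10.0.0.1", 40002, 80, 6, 60),
    (2.3, "10.0.0.9", "10.0.0.2", 40003, 22, 6, 60),
]
```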