Computer Forensics, instructor 劉立民, Department of Applied Mathematics, Chung Yuan Christian University: Introduction
Post on 22-Dec-2015
Computer Forensics
Instructor 劉立民, Department of Applied Mathematics, Chung Yuan Christian University
Introduction
Sharon Guthrie Case
Sharon Guthrie, 54, drowned in the bathtub of her Wolsey, South Dakota home on May 14. An autopsy revealed the contents of 10-20 capsules of Temazepam in her body, a sleeping pill that had been prescribed for her husband.
Rev. Guthrie pleaded innocent. "A minister killing his wife in the bathtub? Impossible!" asserted the defense.
Judd Robbins, a computer forensics expert, found evidence that Guthrie had searched the Internet for painless and surefire killing methods.
Rev. Guthrie was sentenced to life imprisonment.
The Man Niu poisoning case (蠻牛千面人)
In May of ROC year 94 (2005), bottles of the energy drinks Man Niu (蠻牛) and Paolyta B (保力達B) were laced with cyanide, and an innocent member of the public died after drinking one.
Police found a lead in surveillance footage and arrested a suspect.
On the suspect's computer they found the words and graphics "poisoned Man Niu" (毒蠻牛), as well as the threatening letters prepared for sending.
Computer Crime
Computer misuse has two categories. First, the computer is used to commit a crime:
Child pornography
Threatening letters
Fraud
Theft of intellectual property
Computer Crime (con't)
Second, the computer itself is the target of a crime. This is also known as incident response.
Such attacks started in the mid-80s, when they were carried out over phone lines through modems; the Internet brought more sophisticated attacks.
What is Computer Forensics
Computer forensics includes the preservation, identification, extraction, documentation, and interpretation of computer data.
What is Computer Forensics
This evidence can be useful in many investigations:
Civil litigation such as divorce, harassment, and discrimination cases
Corporations investigating embezzlement, fraud, or intellectual property theft
Individuals seeking evidence in age discrimination, wrongful termination, or sexual harassment claims
Insurance company investigations where evidence is required relating to insurance fraud, wrongful death, workmen's compensation, and other cases
Types of Incidents
Categories of incident defined by the Federal Computer Incident Response Center (FedCIRC):
Malicious code attacks
Unauthorized access
Unauthorized utilization of services
Disruption of service
Misuse
Espionage
Hoaxes
Malicious code attacks
Malicious code includes viruses, Trojan horse programs, worms, and scripts used by crackers/hackers.
It is difficult to detect and has a self-replicating property.
Unauthorized access
Improperly logging into a user’s account
Unauthorized access to files and directories
Planting an unauthorized sniffer program or device
Unauthorized utilization of services
Perpetrating an attack without accessing someone's account
Using NFS to mount the file system of a remote server machine
Interdomain access mechanisms in Windows NT files and directories
Disruption of service
Disrupt services in a variety of ways:
Erasing critical programs
Mail spamming
Altering system functionality by installing Trojan horse programs
Misuse, Espionage, Hoaxes
Misuse occurs when someone uses a computing system for other than official purposes, e.g. a legitimate user uses a government computer to store personal tax records.
Espionage is stealing information to subvert the interests of a corporation
Hoaxes occur when false information about incidents or vulnerabilities is spread
Catching the criminal
The US FBI delineates the following aspects of computer forensic science:
Data objects
Digital evidence
Physical items
Original digital evidence
Duplicate digital evidence
Catching the criminal (con't)
Data objects: objects or information of potential probative value that are associated with physical items.
Digital evidence: information of probative value that is stored or transmitted in digital form.
Physical items: items on which data objects or information may be stored and/or through which data objects are transferred.
Catching the criminal (con't)
Original digital evidence: physical items and the data objects associated with such items at the time of acquisition or seizure.
Duplicate digital evidence: an accurate digital reproduction of all data objects contained on an original physical item.
FedCIRC incident activity summary for 2000
Detecting intrusion
The common approach to detecting intrusions is as follows:
Observe your systems for unexpected behavior or anything suspicious.
Investigate anything you consider to be unusual.
Initiate your intrusion response procedures when you find something that isn't explained by authorized activity.
Monitoring your Windows system
Look for unusual or unauthorized user accounts or groups. The Guest account should be disabled.
Check all groups for invalid user membership.
Check log files for connections from unusual locations or for any unusual activity.
Tool: the Computer Management utility
Monitoring your Windows system
Search for invalid user rights.
Check to see if unauthorized applications are running.
Tool: the Registry Editor
Monitoring your Windows system
Look for invalid services.
Monitor the system startup folder.
Inspect network configurations for unauthorized entries.
Check your system program files for alterations.
Check for unusual ports listening for connections from other hosts by using netstat.
Common program startup locations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SuperScan 3.0 by Foundstone
Incident Response Team
All organizations need an incident response team to develop a complete incident response capability.
The team should have written procedures for incident response, including what conditions warrant calling on local and/or federal law enforcement authorities.
The incident reporting process
Low-level incidents are the least severe and should be resolved within one working day. Low-level incidents include:
Loss of passwords
Suspected unauthorized sharing of accounts
Misuse of computer hardware
Unintentional computer actions
Unsuccessful scans or probes
The incident reporting process
Mid-level incidents are more serious and should be handled within 2-4 hours. Mid-level incidents include:
Property destruction related to a computer incident
Illegal download of copyrighted music/unauthorized software
Violation of special access
Unauthorized use of a system for processing or storing personal data
An act resulting from unfriendly employee termination
Illegal building access
Personal theft
The incident reporting process
High-level incidents are the most serious and should be handled immediately. They include:
Property destruction related to a computer incident
Child pornography
Pornography
Personal theft (higher value than a mid-level incident)
Suspected computer break-in
Denial of service (DoS) attacks
Illegal software download
Malicious code
Any violation of the law
Internal reporting procedure
Every organization needs to develop one that requires the following:
Preservation of evidence
Assessment
Containment and recovery actions
Damage determination
Report documentation
Lessons learned
Identification of corrective actions required by the organization's security programs
Forensic Toolkit
Authenticity and Integrity
A tool to report any open TCP/UDP port and map it to the owning process or application
A tool to capture and analyze logs to identify and track who has gained access to a computer system
A utility to make a bit-stream backup of a hard drive
A tool to examine files on a disk drive for unauthorized activity
A program used to document the CMOS system time and date on a computer seized as evidence
Forensic Toolkit (con't)
A password-cracking utility
A text-search utility that can scan Windows systems and locate targeted keywords and/or strings of text in computer-related investigations and computer security reviews
A forensic binary data search tool that is used to identify targeted graphics file content and/or foreign language words and phrases stored in the form of computer data
A tool to discover hidden files, such as NTFS Alternate Data Streams
A data collection tool to capture file slack and unallocated (erased file) data
Law Enforcement Considerations
The Role of NIPC
The NIPC (National Infrastructure Protection Center) was established in 1998 and is located at FBI headquarters.
The NIPC's functions:
The NIPC is the national focal point for gathering information on threats to critical infrastructure, coordinating the federal government's response to an incident, mitigating attacks, and investigating threats.
The NIPC provides law enforcement and intelligence information and reports to relevant federal, state, and local agencies.
Taiwan
The Executive Yuan established the National Information and Communication Security Taskforce (國家資通安全會報), divided into seven working groups: general affairs, technical services, standards and specifications, audit services, cybercrime, information collection, and crisis reporting.
The Taskforce set up the National Information and Communication Security Emergency Response Center (國家資通安全應變中心), with six subordinate groups covering administrative agencies, the national defense system, public enterprises, academic institutions, and private organizations.
Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC)
Establishment of the Government Certification Authority (GCA) in February 1998
Canada
In February 2001, Canada established the Office of Critical Infrastructure & Emergency Preparedness (OCIPEP).
OCIPEP is headed by the Minister of National Defence and protects Canada's critical infrastructure against the risk of failure or attack.
An Infrastructure Protection Coordination Centre was established within OCIPEP.
The Canadian government defines six categories of national critical infrastructure: energy facilities (e.g. electricity, natural gas and oil transmission systems); communications (e.g. telecommunications and broadcasting systems); services (e.g. finance, food, health care); transportation (e.g. land, water, air and rail); safety (e.g. nuclear safety, search and rescue, emergency relief); and government (e.g. key facilities, information networks and assets).
United Kingdom
In December 1999, the UK established the National Infrastructure Security Co-ordination Centre (NISCC), responsible for developing programmes to protect the national critical infrastructure from electronic attack.
The focus is on the IT systems of telecommunications, finance, water and sewerage, energy, transport, health services, central government, and emergency services.
Under NISCC sit the Unified Incident Reporting & Alert Scheme (UNIRAS), which serves as the UK government's computer emergency response team, and the Electronic Attack Response Group (EARG).
Related laws
Disclosure law: "Title 18, Part I, Chapter 121, Sec. 2702 of the Federal Criminal Code"
Computer crimes will be considered breaking federal laws when they involve:
The theft or compromise of national defense, foreign relations, atomic energy, or other restricted information
A computer owned by a U.S. government department or agency
A bank or most other types of financial institutions
Interstate or foreign communications
People or computers in other states or countries
Related laws (con’t)
The "Computer Fraud and Abuse Act" was signed by President Reagan in 1986
Computer Abuse Amendments Act of 1994
The USA Patriot Act of 2001
Related laws (Taiwan)
Copyright Act; Criminal Code Articles 220, 315, 318, 359, 360, among others.
Criminal Code Article 220: Writing, symbols, drawings or photographs on paper or on an object which, by custom or special agreement, suffice to serve as proof of the intent expressed are treated as documents with respect to the offenses in this chapter and elsewhere. The same applies to sounds, images or symbols that an audio recording, video recording or electromagnetic record displays when processed by a machine or computer, where they suffice to serve as proof of the intent expressed.
Criminal Code Article 359: A person who without authorization obtains, deletes or alters the electromagnetic records of another's computer or related equipment, thereby causing damage to the public or to another, shall be sentenced to imprisonment for not more than five years or short-term detention, or in lieu thereof or in addition thereto a fine of not more than NT$200,000.
Forensic Preparation
Forensic Preparation
Network Operating Systems Auditing and Logging
Logs can help organizations by:
Alerting system administrators to any suspicious activity
Determining the extent of any damage caused by an intruder's activity
Helping to quickly recover systems
Providing information or serving as evidence required for legal proceedings
Enable auditing and logging on Windows
Log files on Windows
Centralized logging
The location of the log data is centralized
The integrity of log data remains protected
This approach is easier to back up, secure, and analyze.
Logging Tools
Kiwi Syslog Daemon by Kiwi Enterprises: freeware for the Windows platform, www.kiwisyslog.com
GFI LANguard Security Event Log Monitor by GFI Software: analyzes Windows NT/2000 event logs in real time, www.fgi.com
Time Synchronization
Automating the synchronization of system clocks saves substantial time during an incident response.
On IP-based networks, the Network Time Protocol (NTP) is the most commonly used.
Tools on Windows: Automachron by Guy Coding; NIST Internet Time Service (ITS); World Time by PawPrint.net
Memory dump on Windows
The contents of the system memory should be printed or copied while it still resides in memory.
Windows 2000 and XP (not NT) include a handy feature to generate a memory dump file. However, it must first be configured to do so.
Memory dump on UNIX
The sysdump command
Crash utility
Imaging hard drives
Hard-drive imaging provides a mirror image or a snapshot of the data contained on the hard drive.
The imaging process can be performed offline (with the OS shut down).
NIST's disk-imaging specification includes the following guidelines:
The tool shall not alter the original disk.
The tool shall be able to access both IDE and SCSI disks.
The tool shall log input/output (I/O) errors.
The tool's documentation shall be correct.
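An added example, not from the slides or any tool named on them, of an imager that follows these guidelines: the source is opened read-only, every unreadable block is logged, and SHA-256 digests of the source (before and after) and of the image show that the duplicate is an accurate reproduction. The "drive" is a constructed sample file, and sha256_file, image_device and acquire are names chosen here.

```python
"""Bit-stream imaging with integrity verification.

Added example (not from the slides): a minimal imager following the NIST
guidelines quoted above. The source is opened read-only so it is never
altered, unreadable blocks are logged instead of skipped silently, and
SHA-256 digests of the source (before and after) and of the image show the
duplicate is an accurate reproduction. The "drive" is a constructed file.
"""
import hashlib
import os
import tempfile

BLOCK = 4096

def sha256_file(path, block=BLOCK):
    """Hash a file or device node in fixed-size blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()

def image_device(src_path, dst_path, block=BLOCK):
    """Copy src to dst block by block; return (bytes_copied, error_log).

    A block whose read raises OSError is recorded as (offset, errno) and
    written to the image as zeros, so later offsets still line up.
    """
    errors = []
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        src.seek(0, os.SEEK_END)
        size = src.tell()          # works for files and block devices
        offset = 0
        while offset < size:
            want = min(block, size - offset)
            try:
                src.seek(offset)
                chunk = src.read(want)
            except OSError as exc:
                errors.append((offset, exc.errno))
                chunk = b"\x00" * want
            dst.write(chunk)
            offset += want
    return offset, errors

def acquire(src_path, dst_path):
    """Image src into dst and return a verification record.

    'verified' is True only if the source digest is unchanged by the copy,
    the image digest matches it, and no I/O error was logged.
    """
    before = sha256_file(src_path)
    copied, errors = image_device(src_path, dst_path)
    after = sha256_file(src_path)
    image = sha256_file(dst_path)
    return {
        "bytes_copied": copied,
        "io_errors": errors,
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": image,
        "verified": before == after == image and not errors,
    }

def demo():
    """Create a constructed 10 KiB 'evidence drive' and acquire it."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.raw")
    dst = os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(10 * 1024))   # constructed sample contents
    return acquire(src, dst)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```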
Business continuity and contingency planning
The NIST IT contingency planning guide:
Develop the contingency-planning policy statement
Conduct the business impact analysis (BIA)
Identify preventive controls
Develop recovery strategies
Develop an IT contingency plan
Plan testing, training, and exercises
Plan maintenance
Develop the contingency-planning policy statement
The contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the agency's overall contingency objectives and establish the organizational framework and responsibilities.
Senior management (the CIO, Chief Information Officer) must support a contingency program.
The contingency program should comply with the federal guidance contained in NIST SP 800-34.
Key policy elements:
Roles and responsibilities
Scope as applied to the type(s) of platform(s) and organization functions subject to contingency planning
Resource requirements
Training requirements
Exercise and testing schedules
Plan maintenance schedule
Frequency of backup and storage of backup media
Conduct the Business Impact Analysis (BIA)
The BIA is the key step in the contingency-planning process. It enables the coordinator to fully characterize the system requirements, processes, and interdependencies.
The purpose of the BIA is to correlate specific system components with the critical services that they provide.
The BIA characterizes the consequences of a disruption to the system components.
Identify preventive controls
Preventive methods are preferable to actions that may be necessary to recover the system after a disruption.
Preventive controls should be documented in the contingency plan.
Some common measures are listed here:
Appropriately sized uninterruptible power supplies (UPS) to provide short-term backup power to all system components (including environmental and safety controls)
Identify preventive controls
Gasoline- or diesel-powered generators to provide long-term backup power
Air-conditioning systems with adequate excess capacity to permit failure of certain components such as a compressor
Fire suppression systems
Fire and smoke detectors
Water sensors in the computer room ceiling and floor
Plastic tarps that may be unrolled over IT equipment to protect it from water damage
Identify preventive controls
Heat-resistant and waterproof containers for backup media and vital nonelectronic records
Emergency master system shutdown switch Offsite storage of backup media,
nonelectronic records, and system documentation
Technical security controls, such as cryptographic key management and least-privilege access controls
Frequent, scheduled backups
Develop recovery strategies
Recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption.
Strategies should address the disruption impacts and allowable outage times identified in the BIA.
Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger, organization-level contingency plans.
The strategy should include a combination of methods that complement one another to provide capability over the full spectrum of incidents.
Develop an IT contingency plan
The plan contains detailed roles, responsibilities, teams, and procedures associated with restoring an IT system.
The plan should document technical capabilities designed to support contingency operations.
The plan should comprise five main components: Supporting Information, Notification/Activation, Recovery, Reconstitution, and Plan Appendices.
Plan testing, training, and exercises
Testing enables plan deficiencies to be identified and addressed. The following areas should be addressed in a contingency test:
System recovery on an alternate platform from backup media
Coordination among recovery teams
Internal and external connectivity
Restoration of normal operations
Notification procedures
Plan maintenance
The contingency plan should be reviewed and updated regularly, as part of the organization's change management process.
The plan should be reviewed for accuracy and completeness at least annually or whenever significant changes occur to any element of the plan.
Certain elements, such as contact lists, will require more frequent reviews.
Windows Registry, Recycle Bin, and Data Storage
The Windows Registry
The registry is used to store:
Operating system configuration
Application configuration information
Hardware configuration information
User security information
Current user information
Registry structure
The Registry has a hierarchical structure similar to a directory structure.
Each main branch is called a hive. Located within those hives are keys. Each key may contain other keys, called subkeys, along with their values.
It is the values that contain the actual information stored within the Registry.
Windows Registry
HKEY_CLASSES_ROOT contains file-association types, Object Linking and Embedding (OLE) information, and shortcut data.
HKEY_CURRENT_USER points to the section of HKEY_USERS appropriate for the user currently logged into the PC.
Windows Registry
HKEY_LOCAL_MACHINE contains information about computer hardware, software, and other preferences for the local PC; it is used for all users who log onto this computer.
HKEY_USERS contains individual preferences for each user of the computer. Each user is represented by a security identifier (SID) subkey.
Windows Registry
HKEY_CURRENT_CONFIG links to HKEY_LOCAL_MACHINE\Config for machine-specific information.
HKEY_DYN_DATA contains information that must be kept in RAM.
Types of values
String (REG_SZ)
Binary (REG_BINARY)
DWORD (REG_DWORD)
Multistring value (REG_MULTI_SZ)
Expandable string value (REG_EXPAND_SZ)
Viewing and Editing Registry
Registry backup and restore
The Windows Recycle Bin
The purpose of the Recycle Bin is to provide users with the ability to reclaim deleted files.
Until users "empty" the Recycle Bin, the deleted files remain on disk.
Even after the Recycle Bin is emptied, the actual data remains in its original place on the hard drive (until the OS overwrites it).
The Windows Recycle Bin Property
Recovery Utilities
PC Inspector File Recovery
EasyRecovery Professional, www.ontrack.com
UNIX/Linux ext2 File System
In ext2, the complete inode for a deleted file is preserved; only the name is removed from the directory, and the deletion time is recorded in the inode.
Using e2undel
Analyzing and Detecting Malicious Code and Intruders
Analyzing Abnormal System Processes
Monitors should look for the following signs:
Unusual resource utilization or process behavior
Missing processes
Added processes
Processes that have unusual user identification associated with them
Causes of abnormal system processes
Programs that log a user’s keystrokes or monitor and steal passwords.
Malicious code (viruses, Internet worms, and Trojan horse applications)
Spyware (software that transmits information back to a third party without notifying the user)
Windows Event Viewer
Log files allow you to check for:
Unusual login entries
Failures of services
Abnormal processes
OS and Network Logs
When reviewing OS or network logs, look for the following:
Processes consuming excessive resources
Processes starting or running at unexpected times
Unusual processes that are not the result of normal authorized activities
Previously inactive user accounts that suddenly begin to spawn processes and consume computer or network resources
OS and Network Logs
Processes that prematurely terminate
Unexpected or previously disabled processes, which may indicate that a hacker or intruder has installed his own version of a process or service
A workstation or terminal that starts exhibiting abnormal input/output behavior
Multiple processes with similar names (Explorer.exe vs. explorer.exe)
An unusually large number of running processes
Windows Task Manager
The Select Columns box in Windows Task Manager
Default processes in Windows NT, 2000, and XP
Csrss.exe: the Client/Server Run-time Subsystem.
Explorer.exe: the GUI for the taskbar and desktop environment.
Lsass.exe: handles security administration on the local computer.
Mstask.exe: the task scheduler service.
Services.exe: the Windows Services Control Manager, which is responsible for starting and stopping system services.
Smss.exe: the Session Manager Subsystem, which is responsible for starting the user session.
Default processes in Windows NT, 2000, and XP
Spoolsv.exe: the Windows spooler service, responsible for the management of spooled print and fax jobs.
Svchost.exe: a generic process that acts as a host for other processes running from DLLs.
System: permits system kernel-mode threads to run as the System process.
System Idle Process: a single thread running on each processor. Its sole task is accounting for processor time when the system isn't processing other threads.
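An added example, not from the slides, that applies the default-process list above to a process listing and flags the signs the log-review slide names (unknown names, case variants such as Explorer.exe vs. explorer.exe, one-character lookalikes, default processes under an unexpected account, and extra instances of single-instance processes). BASELINE, SAMPLE_TASKLIST and triage are names chosen here; the listing is constructed in the shape of tasklist CSV output.

```python
"""Process-list triage against the default Windows process set listed above.

Added example, not from the original slides. It flags the signs named in
the slides: image names outside the default set, two names differing only
in case (Explorer.exe vs. explorer.exe), one-character lookalikes of a
default name, default processes running under an unexpected account, and
extra instances of processes that run exactly once. SAMPLE_TASKLIST is a
constructed listing in the shape of `tasklist /v /fo csv` output.
"""
import csv
import io

ANY = None                       # no account check for this image name
SYSTEM = {r"NT AUTHORITY\SYSTEM"}
SERVICE = SYSTEM | {r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"}

# lower-case image name -> accounts it normally runs as (NT/2000/XP defaults)
BASELINE = {
    "system idle process": SYSTEM, "system": SYSTEM, "smss.exe": SYSTEM,
    "csrss.exe": SYSTEM, "services.exe": SYSTEM, "lsass.exe": SYSTEM,
    "mstask.exe": SYSTEM, "spoolsv.exe": SYSTEM, "svchost.exe": SERVICE,
    "explorer.exe": ANY,
}
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe"}   # exactly one instance each

SAMPLE_TASKLIST = r'''"Image Name","PID","User Name"
"System Idle Process","0","NT AUTHORITY\SYSTEM"
"System","4","NT AUTHORITY\SYSTEM"
"smss.exe","376","NT AUTHORITY\SYSTEM"
"csrss.exe","424","NT AUTHORITY\SYSTEM"
"services.exe","492","NT AUTHORITY\SYSTEM"
"lsass.exe","504","NT AUTHORITY\SYSTEM"
"lsass.exe","1988","NT AUTHORITY\SYSTEM"
"svchost.exe","636","NT AUTHORITY\SYSTEM"
"svchost.exe","1204","LAB\bob"
"svch0st.exe","1340","LAB\bob"
"Explorer.exe","1500","LAB\bob"
"explorer.exe","1612","LAB\bob"
"notepad.exe","1700","LAB\bob"
'''

def edit_distance(a, b):
    """Levenshtein distance; 1 = one inserted, dropped or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(csv_text):
    """Return a list of (category, image_name, pid, detail) findings."""
    findings, spellings = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, pid, user = row["Image Name"], row["PID"], row["User Name"]
        key = name.lower()
        spellings.setdefault(key, []).append(name)
        if key not in BASELINE:
            near = [b for b in BASELINE if edit_distance(key, b) == 1]
            if near:
                findings.append(("lookalike", name, pid, "resembles " + near[0]))
            else:
                findings.append(("unknown", name, pid, "not in default process set"))
        elif BASELINE[key] is not ANY and user not in BASELINE[key]:
            findings.append(("unexpected-user", name, pid, "running as " + user))
    for key, names in spellings.items():
        if len(set(names)) > 1:
            findings.append(("case-variant", "/".join(sorted(set(names))), "-",
                             "same image name spelled with different case"))
        if key in SINGLETONS and len(names) > 1:
            findings.append(("duplicate", names[0], "-",
                             f"{len(names)} instances, expected exactly 1"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_TASKLIST):
        print(" | ".join(finding))
```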
Gathering Process Information
UNIX/Linux: ps -ef
Windows: PsTools, www.sysinternals.com
PsTools suite
Unusual or Hidden Files
Start -> Control Panel -> View menu -> Options
Viewing Hidden Files under Unix/Linux
The find command is able to display files with unusual names such as ".. " (dot-dot-space) or ..^G (dot-dot-control-G):
find / -name ".. " -print -xdev
find / -name ".*" -print -xdev
Keep track of SUID programs:
find / -type f -perm -4000 -print | mail root
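The same checks as the find commands above, written as a directory walk so they can be exercised against a constructed tree instead of / (added example, not from the slides; suspicious_name, scan and demo are names chosen here).

```python
"""Finding unusual file names and SUID programs with a walk instead of find.

Added example, not from the slides. It reproduces what the find commands
above look for: names such as ".. " (dot-dot-space) or "..^G"
(dot-dot-control-G) that a casual ls hides, and regular files with the SUID
bit set (the -perm -4000 test), without crossing filesystem boundaries
(-xdev). demo() builds a constructed directory tree so nothing under / is read.
"""
import os
import stat
import tempfile

def suspicious_name(name):
    """True for names that hide in or impersonate a directory listing."""
    if name in (".", ".."):
        return False                    # the real entries are fine
    if name != name.strip():            # ".. " or " .." padded with whitespace
        return True
    if any(ord(c) < 32 or ord(c) == 127 for c in name):  # "..\x07" and friends
        return True
    if name.startswith("..") or set(name) == {"."}:      # "...", "..foo"
        return True
    return False

def scan(root):
    """Walk root on a single filesystem; return (odd_names, suid_files)."""
    dev = os.lstat(root).st_dev
    odd, suid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories on other filesystems, as find -xdev does.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == dev]
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            if suspicious_name(entry):
                odd.append(path)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                suid.append(path)
    return sorted(odd), sorted(suid)

def demo():
    """Constructed tree: one SUID binary, one normal binary, two odd names."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "tmp", ".. "))           # dot-dot-space dir
    with open(os.path.join(root, "tmp", "..\x07"), "wb"):    # dot-dot-control-G
        pass
    for name, mode in (("ls", 0o755), ("ping", 0o4755)):
        path = os.path.join(root, "usr", "bin", name)
        with open(path, "wb"):
            pass
        os.chmod(path, mode)
    return scan(root)

if __name__ == "__main__":
    odd, suid = demo()
    print("unusual names:", [repr(os.path.basename(p)) for p in odd])
    print("SUID files:", suid)
```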
Rootkits and Backdoors
"It takes a thief to catch a thief."
Windows rootkits are usually detected by any reputable antivirus software.
A rootkit is one of the most widely used hacker tools. It contains a suite of hacker utilities (log clean-up scripts and network packet sniffers) and specialized replacements of core Unix/Linux utilities such as netstat, ifconfig, ps, and ls.
Rootkits and Backdoors
A rootkit is used to accomplish the following functions:
Prevent logging of activity
Establish backdoors for reentry
Hide or remove evidence of initial entry
Hide specific contents of files
Hide files and directories
Gather intelligence (e.g. usernames and passwords)
Detecting Rootkits on Unix/Linux
Manual inspection: the strings command. It can produce readable data such as the names of files where intruder passwords are kept.
Rootkit detection programs:
Chkrootkit, www.chkrootkit.org
Pedestal Software, www.pedestalsoftware.com
Functions of a Backdoor
Main functions of a backdoor:
Getting back into the system with the least amount of visibility.
Getting back into a machine even if the administrator tries to secure it.
Permitting the hacker to regain entry into the system in the least amount of time.
Detecting Backdoors
Most reputable antivirus products are able to detect backdoor Trojans.
Freeware tools are available: Fport.exe, SuperScan, Nmap, Listdlls.exe
Removing Rootkits and Trojans
The steps for removing a Trojan:
Identify the Trojan horse file on your system hard disk.
Find out how it is being initiated (e.g. via the Registry, the Startup folder, and so on) and take the action(s) necessary to prevent it from being restarted after a reboot.
Reboot your machine and delete the Trojan horse.
Removing Rootkits and Trojans
The steps involved in recovering from a rootkit are:
Isolate the affected machine (disconnect it from the network and/or Internet).
Determine the severity of the compromise (are other networked computers also infected?).
Begin the cleanup by reinstalling the OS and applications from a trusted backup.
Detecting and Defending Against Network Sniffers
Nearly every rootkit includes utilities for sniffing network traffic.
Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the software, but also all other data traffic on the physically connected local network.
The ifconfig command allows the privileged administrator to determine whether any interfaces are in promiscuous mode.
Removing Rootkits and Trojans
Unix/Linux: use ifconfig -a and look for the string PROMISC.
Windows: PromiscDetect, www.ntsecurity.nu/toolbox/promiscdetect/
Retrieving and Analyzing Clues
Performing Keyword Searches
Purposes of keyword searches:
To locate occurrences of words or strings of text in data stored in files or in slack and unallocated file space.
Internal audits to identify violations of corporate policy.
To find evidence in corporate, civil, and criminal investigations that involve computer-related evidence.
To find embedded text in formatted word-processing documents or fragments of such documents.
Industrial Strength Keyword-Searching Programs
AccessData Forensic Toolkit ($995)
EnCase Forensic Pro Suite by Guidance Software, Inc. ($895)
Maresware Suite by Mares and Company, LLC ($375)
Freeware Keyword Search Tools
BinText by Foundstone, Inc. www.foundstone.com
Disk Investigator by Kevin Soloway www.theabsolute/sware/
SectorSpyXP by Nick McCamy home.carolina.rr.com/lexunfreeware
SectorSpyXP 2.1
Examining the Windows Swap File
The Windows swap file is space on a hard disk reserved for the OS to do paging.
The swap file is important when conducting a forensics investigation, since a large volume of data can exist within it.
Windows swap files can be dynamic or permanent.
Locating and Viewing the Windows Swap File
Enable viewing of hidden files.
Search for the swap file (e.g. pagefile.sys).
Tools for viewing swap files: Norton Commander; Norton DiskEdit; EnCase, www.guidancesoftware.com; Filter_1, www.forensics-intl.com
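An added example, not from the slides or any of the tools they list, of the keyword search described in the two sections above (slack and unallocated space, and the swap file), run over a constructed blob standing in for paged-out data. keyword_search, search_file and SAMPLE_BLOB are names chosen here; the search covers ASCII and UTF-16LE because Windows leaves text behind in both encodings.

```python
"""Keyword search over raw bytes: slack space, unallocated clusters, swap.

Added example, not from the slides or the tools listed. Each keyword is
searched case-insensitively in both ASCII and UTF-16LE, and every hit is
reported with its byte offset and a printable context window. search_file()
maps a large file (e.g. pagefile.sys) into memory so the same scan runs
without reading it whole. SAMPLE_BLOB is a constructed fragment.
"""
import mmap
import re
import tempfile

ENCODINGS = ("ascii", "utf-16-le")

def printable(raw):
    """Render bytes for a report: keep printable ASCII, dot everything else."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def keyword_search(data, keywords, context=16):
    """Return sorted (offset, keyword, encoding, context) hits in data.

    data may be bytes or any buffer (an mmap works). re.IGNORECASE on a
    bytes pattern folds ASCII letters only, which also covers the letter
    bytes of a UTF-16LE needle because the interleaved NULs are untouched.
    """
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(data):
                lo = max(0, m.start() - context)
                hi = min(len(data), m.end() + context)
                hits.append((m.start(), kw, enc, printable(data[lo:hi])))
    return sorted(hits)

def search_file(path, keywords, context=16):
    """Scan a large file through a read-only memory map."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return keyword_search(mm, keywords, context)

def build_sample():
    """Constructed 'unallocated space': zero padding, an ASCII fragment,
    junk bytes, then a UTF-16LE fragment as a Windows application pages it."""
    pad = b"\x00" * 64
    ascii_fragment = b"...Re: CONFIDENTIAL memo draft..."       # 33 bytes
    utf16_fragment = "Invoice 4471 paid".encode("utf-16-le")
    return pad + ascii_fragment + b"\xff" * 32 + utf16_fragment + pad

SAMPLE_BLOB = build_sample()

def demo_file():
    """Write SAMPLE_BLOB to a temporary file and scan it via search_file()."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE_BLOB)
    return search_file(f.name, ["confidential", "invoice"])

if __name__ == "__main__":
    for offset, kw, enc, ctx in keyword_search(SAMPLE_BLOB, ["confidential", "invoice"]):
        print(f"0x{offset:08x} {kw:<14}{enc:<10}{ctx}")
```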
Tutorial on PC Inspector File Recovery
Download: http://www.pcinspector.de
Install
Delete files
Recover deleted files
Tutorial on PsTools
Download: http://www.sysinternals.com
Install
Delete files
Recover deleted files
References
Incident Response: Computer Forensics Toolkit, by Douglas Schweitzer
Hacking Exposed Web Applications, by Joel Scambray and Mike Shema
Computer Forensics, by
「護好國家關鍵基礎建設,才能安心去拼經濟」 (Protecting the nation's critical infrastructure so that the economy can be pursued with peace of mind), 陳友武, Advisor, Science and Economics Group, National Policy Foundation (國政基金會)
電腦鑑識科學的現在與未來 (The Present and Future of Computer Forensic Science), Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC)