bh usa 01 Greg Miles


Published on August 20, 2007

Author: Sharck


BlackHat Briefings, July 12, 2001
Computer Forensics: A Critical Process in Your Incident Response Plan

Gregory S. Miles, Ph.D.
- Director, JAWZ Cyber Crime Unit
- COO, Security Horizon Inc.
- Information Technology: 14 years
- Information Security: 10 years

Agenda
- Incident Response Overview
- Computer Forensics Defined
- Contemporary Issues in Computer Forensics
- Forensic Process
- Forensic Tools
- Forensic Problems
- The Future of Computer Forensics

Incident Response

Incident Response: Why is it Critical?
- Resolve the problem
- Find out what happened, how it happened, and who did it
- Create a record of the incident for later use
- Create a record to observe trends
- Create a record to improve processes
- Avoid confusion

Elements of Incident Response
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Follow-up

Preparation
Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel. Preparation limits the potential for damage by ensuring that response actions are known and coordinated.

Identification
The process of determining whether or not an incident has occurred, and the nature of the incident. Identification may occur through automated network intrusion detection equipment or by a user or system administrator (SA). Identification is a difficult process: noticing the symptoms of an incident is often hard, and there are many false positives. However, noticing an anomaly should drive the observer to investigate further.
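The Identification slide above leaves the "how" to automated equipment or an alert administrator. As an added example (not part of Miles's deck), the Python below runs the deck's own incident classes over constructed OpenSSH-style auth log lines: a burst of failed logins from one source is reported as "Unauthorized Unsuccessful Attempted Access", and an accepted login from the same source after the burst is escalated to the privileged (root) or limited (user) access class. The threshold, the time window and the sample lines are assumptions chosen for the demonstration; the rule is a heuristic, and a triggered finding is the cue to investigate, not the conclusion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines (sample data, not from the deck).
SAMPLE_LOG = """\
Jul 12 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4401 ssh2
Jul 12 09:00:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 4402 ssh2
Jul 12 09:00:04 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 4403 ssh2
Jul 12 09:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 4404 ssh2
Jul 12 09:00:09 host1 sshd[2005]: Failed password for root from 203.0.113.5 port 4405 ssh2
Jul 12 09:00:12 host1 sshd[2006]: Accepted password for root from 203.0.113.5 port 4406 ssh2
Jul 12 09:15:00 host1 sshd[2100]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jul 12 09:15:30 host1 sshd[2101]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
Jul 12 09:20:00 host1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")


def parse(text, year=2001):
    """Auth log text -> sorted (timestamp, result, user, source) tuples.

    Syslog lines carry no year, so the caller supplies one; lines that are
    not sshd password events (the cron line above) are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def classify(events, threshold=4, window=timedelta(minutes=5)):
    """Map each offending source to one of the deck's incident classes.

    Assumed rule: `threshold` or more failures from one source inside `window`
    is 'Unauthorized Unsuccessful Attempted Access'; an accepted login from
    that source after the burst escalates it to the root or user access class.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        for i, first in enumerate(failures):
            in_window = [f for f in failures[i:] if f[0] - first[0] <= window]
            if len(in_window) >= threshold:
                burst_end = in_window[-1][0]
                break
        if burst_end is None:
            continue                      # below threshold: noise, not an incident
        label = "Unauthorized Unsuccessful Attempted Access"
        for ts, result, user, _ in evs:
            if result == "Accepted" and ts >= burst_end:
                label = ("Unauthorized Privileged (root) Access" if user == "root"
                         else "Unauthorized Limited (user) Access")
                break
        findings[src] = label
    return findings


if __name__ == "__main__":
    for src, label in classify(parse(SAMPLE_LOG)).items():
        print(f"{src}: {label}")
```

With the default threshold the single failure from 198.51.100.7 is ignored (the ordinary mistyped password the slide calls a false positive), while 203.0.113.5 is escalated because the root login succeeded right after five failures.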
Who Can Identify an Incident
- Users: "my system is slow, my mail is missing, my files have changed"
- System support personnel: servers locked up, files missing, accounts added/deleted, weird things happening, anomalies in the logs
- Intrusion detection systems and firewalls: automatically identify policy violations

Possible Incident Classifications
- Unauthorized Privileged (root) Access: access gained to a system and the use of root privileges without authorization.
- Unauthorized Limited (user) Access: access gained to a system and the use of user privileges without authorization.
- Unauthorized Unsuccessful Attempted Access: repeated attempts to gain access as root or user on the same host, service, or system, with a certain number of connections from the same source.
- Unauthorized Probe: any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.
- Poor Security Practices: bad passwords, direct privileged logins, etc., as collected from network monitoring systems.
- Denial of Service (DoS) Attacks: any action that pre-empts or degrades the performance of a system or network, affecting the mission, business, or function of an organization.
- Malicious Logic: self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious script, or logic bomb. Usually hidden, and some may replicate. Effects range from simple monitoring of traffic to a complicated automated backdoor with full system rights.
- Hardware/Software Failure: non-malicious failure of hardware or software assets.
- Infrastructure Failure: non-malicious failure of supporting infrastructure, including power failure, natural disasters, forced evacuation, and service providers' failure to deliver services.
- Unauthorized Utilization of Services: game play, relaying mail without approval, creating dial-up access, using organizational equipment for personal gain, and personal servers on the network.

Containment
The process of limiting the scope and magnitude of an incident. As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain it.

Containment: Example
Incidents involving malicious code are common, and since malicious code can spread rapidly, massive destruction and compromise of information is possible. It is not uncommon to find every workstation connected to a LAN infected during a virus outbreak.
- The Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day.
- The LoveBug virus affected over 10 million computers, with damage estimated between $2.5B and $10B US.
- The effects of the Kournikova worm are still being analyzed.

Eradication
The process of removing the cause of the incident.
- For a virus, anti-virus software is best.
- For a network, this may involve blocking or filtering the IP address at the router or firewall.
- Ideally, though difficult, an incident is best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law.

Recovery
The process of restoring a system to its normal operating status.
- Unsuccessful incidents: confirm that system operation and data were not affected.
- Complex and/or successful incidents: may require complete restoration from known clean system backups.
- It is essential to confirm the integrity of the backups and to verify that the restore operation was successful.

Follow-Up
Critical: it helps to improve incident handling procedures and addresses efforts to prosecute perpetrators. Activities include:
- Analyze the incident and the response
- Analyze the cost of the incident
- Prepare a report
- Revise policies and procedures

Computer Forensics

What is Computer Forensics?
Computer forensics can be defined simply as the process of applying scientific and analytical techniques to computer operating systems and file structures to determine the potential for legal evidence.

Why is Evidence Important?
- In the legal world, evidence is EVERYTHING.
- Evidence is used to establish facts.
- The forensic examiner is not biased.

Who Needs Computer Forensics?
- The victim!
- Law enforcement
- Insurance carriers
- Ultimately, the legal system

Who are the Victims?
- Private business
- Government
- Private individuals

Reasons for a Forensic Analysis
- Identify the perpetrator.
- Identify the method or vulnerability of the network that allowed the perpetrator to gain access to the system.
- Conduct a damage assessment of the victimized network.
- Preserve the evidence for judicial action.

Types of Computer Forensics
- Disk forensics
- Network forensics
- E-mail forensics
- Internet (Web) forensics
- Source code forensics

Disk Forensics
Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media. It includes the recovery of hidden and deleted data, and file identification, the process used to identify who created a particular file or message (example: the Melissa virus).

Network Forensics
Network forensics is the process of examining network traffic.
It includes:
- After-the-fact analysis of transaction logs
- Real-time analysis via network monitoring: sniffers, real-time tracing

E-mail Forensics
E-mail forensics is the study of the source and content of electronic mail as evidence. It includes identifying the actual sender and recipient of a message, the date and time it was sent, and where it was sent from. E-mail has turned out to be the Achilles' heel of many individuals and organizations: issues of sexual harassment, racial and religious prejudice, or unauthorized activity are often tied to e-mail.

Internet Forensics
Internet or Web forensics is the process of piecing together where and when a user has been on the Internet. For example, it is used to determine whether a download of pornography was accidental or not.

Source Code Forensics
Source code forensics is used to determine software ownership or software liability issues. It is not merely a review of the actual source code; it is an examination of the entire development process, including development procedures, review of developer time sheets, documentation review, and review of source code revision practices.

Technological Progress
- The population is more computer literate
- The world is networked, yet users can retain a sense of anonymity
- The use of encryption is becoming common
- Network bandwidth is increasing while cost is decreasing
- Disks are less expensive and have higher capacities
- More data is available on-line

Technological Progress
Albert Einstein said: "Technological progress is like an axe in the hands of a pathological criminal."
Technological Progress
- Computers are tools and targets: instrumentality, data repository
- Many criminals are using computers in the normal course of business
- Computer crime today: crime without punishment, media sensationalism, public apathy, easy to commit

What is Cyber Crime?
A crime in which technology plays an important, and often a necessary, part. The computer is:
- the target of an attack
- the tool used in an attack
- used to store data related to criminal activity

Types of Cyber Crime
- Unauthorized access
- Denial of service
- Extortion
- Theft
- Sabotage
- Espionage
- Computer fraud
- Embezzlement
- Copyright violation
- Forgery and counterfeiting
- Internet fraud ("imposter sites")
- SEC fraud and stock manipulation
- Child pornography
- Stalking & harassment
- Credit card fraud & skimming

Contemporary Issues in Computer Forensics
- The criminal justice system is not prepared to handle high-tech crime
- Shortage of trained investigators & analysts
- Lack of forensic standards
- Too much data: large disk drives and disk arrays, high-speed network connections
- Issues relating to time

Contemporary Issues in Computer Forensics
Evidence collection and examination must not violate:
- The 4th Amendment
- The Privacy Protection Act
- The Electronic Communications Privacy Act

Forensics Process
- Preparation
- Protection
- Imaging
- Examination
- Documentation

Preparation
- Confirm the authority to conduct analysis or search of the media.
- Verify the purpose of the analysis and the clearly defined desired results.
- Ensure that sterile media is available and used for imaging (i.e., free of viruses and non-essential files, and verified before use).
- Ensure that all software tools used for the analysis are tested and widely accepted in the forensics community.
Legal Overview
Employer searches in private-sector workplaces: warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602, 614 (1989). Consult with your legal counsel.

Protection
- Protect the integrity of the evidence.
- Maintain control until final disposition.
- Prior to booting the target computer, DISCONNECT the hard drive and verify the CMOS settings.
- When booting a machine for analysis, use hard-disk lock (write-blocking) software.

Imaging
- Use disk imaging software to make an exact image of the target media.
- Verify the image.
- When conducting an analysis of target media, work on the restored image of the target media; never work on the actual target media.

Examination
- The operating system
- Services
- Applications and processes
- Hardware
- LOG FILES! System, security, and application
- File system

Examination (cont.)
- Deleted/hidden files, NTFS streams
- Software
- Encryption software
- Published shares and permissions
- Password files
- SIDs
- Network architecture and trust relationships

Off-Site Storage
- "X-drives"
- FTP links
- FTP logs
- Shares on internal networks

Documentation
Document EVERYTHING:
- Reason for the examination
- "The scene"
- Use screen capture/copy
- Suspected files
- All applications used for the analysis, and all applications on the examined system
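The Protection and Imaging slides above say to lock the disk, image it bit for bit, verify the image, and work only on the image. The Python below is an added example (not from the deck or from any named imaging tool) of that acquisition step: it copies a source opened read-only into an image while hashing the bytes, zero-fills and logs any unreadable region instead of silently skipping it, and re-hashes the finished image from disk to verify it. The FlakySource class and the 200 KiB sample "disk" are constructed for the demonstration. On real media a hardware write blocker is still the control that counts; opening the device read-only only stops this one process from writing.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 64 * 1024  # read size; real imagers work in sector multiples


def acquire(src, dst, algorithm="sha256", chunk=CHUNK):
    """Bit-for-bit copy of an open source to an open image, hashing as it goes.

    An unreadable region is zero-filled and logged (what dd conv=noerror,sync
    does) rather than dropped, so every byte of the image sits at the same
    offset as on the original and the report says what could not be read.
    """
    h = hashlib.new(algorithm)
    src.seek(0, os.SEEK_END)
    total = src.tell()
    offset, unreadable = 0, []
    while offset < total:
        want = min(chunk, total - offset)
        try:
            src.seek(offset)
            data = src.read(want)
        except OSError as exc:
            data = b"\x00" * want
            unreadable.append({"start": offset, "end": offset + want, "error": str(exc)})
        if not data:
            break
        h.update(data)
        dst.write(data)
        offset += len(data)
    dst.flush()
    return {"bytes": offset, "algorithm": algorithm,
            "digest": h.hexdigest(), "unreadable": unreadable}


def image_media(source_path, image_path, algorithm="sha256"):
    """Acquire source_path (a file or a block device node) into image_path.

    The source is opened read-only so this process can never write to it.
    """
    with open(source_path, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        report = acquire(src, dst, algorithm)
        os.fsync(dst.fileno())
    return report


def hash_file(path, algorithm="sha256"):
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, report):
    """Re-read the image from disk: size and digest must match the acquisition report."""
    return (os.path.getsize(image_path) == report["bytes"]
            and hash_file(image_path, report["algorithm"]) == report["digest"])


class FlakySource(io.BytesIO):
    """Constructed stand-in for media with one unreadable region (demo only)."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        start = self.tell()
        if n > 0 and start <= self.bad_offset < start + n:
            raise OSError(5, "Input/output error")
        return super().read(n)


def demo():
    """Image a constructed 200 KiB 'disk', verify it, then image a flaky copy of it."""
    data = bytes(range(256)) * 800          # 204800 bytes of constructed content
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "suspect.dd"), os.path.join(d, "suspect.img")
        with open(source, "wb") as f:
            f.write(data)
        report = image_media(source, image)
        verified = verify_image(image, report)
    flaky = acquire(FlakySource(data, bad_offset=100 * 1024), io.BytesIO())
    return {"digest_matches_source": report["digest"] == hashlib.sha256(data).hexdigest(),
            "verified": verified,
            "clean_unreadable": report["unreadable"],
            "flaky_unreadable": flaky["unreadable"],
            "flaky_bytes": flaky["bytes"]}


if __name__ == "__main__":
    print(demo())
```

The digest in the report is computed from the bytes as they were read, so it describes the original at acquisition time; verify_image recomputes it from the image file, which is the "verify the image" step before any analysis touches the copy. The flaky run shows the report recording exactly which 64 KiB range was zero-filled.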
Forensic Tools
- Forensic tool kit
- Forensic computer system
- Forensic software

Forensic Tool Kit

Forensic System Hardware
- Main systems: Pentium-based computer; multiple O/S (UNIX, Windows, Mac)
- Media options: removable media (REM-KIT)
- Disk imaging hardware: Image MASSter 500 & 1000
- Static-dissipative grounding kit with wrist strap
- UPS

Media Options
Your forensic system should have plenty of room for expansion and external media. This is usually best supported by SCSI systems.
- Internal hard disk
- Tape media: QIC tape drive, Travan tape drive, DAT
- Optical media: CD-ROM, CD writer, DVD

Removable Media
- Hard drives
- Zip drives
- Jaz drives
- PCMCIA flash disks

Disk Imaging Hardware
- Supports IDE & SCSI
- Sector-by-sector copy
- DOS, Windows 3.1, Windows 95, NT, SCO, UNIX, OS/2 & Mac OS
- Full read/write verification & reporting
- Logging capability
- No writing to the master disk

Forensic Software
- Clean operating system(s)
- Disk image backup software
- Search & recovery utilities
- File viewing utilities
- Cracking software
- Archive & compression utilities

Validate Software
- Determine functionality
- Verify operation
- Identify limitations
- Identify bugs
- Court presentation: testify from your own experience

Disk Imaging Software
- Bit-level copy of the disk, not file-level
- Not operating system dependent
- Must have logging or error reporting
- Must copy deleted files and slack space
- Tools: EnCase, SafeBack, SnapBack

Search Utilities
- Forensic software: EnCase, The Coroner's Toolkit
- File system utilities: DOS, Windows, NT, UNIX; Norton Utilities

File Viewing Utilities
- Quick View Plus
- Drag & View
- ThumbsPlus

Forensic Analysis
Computer forensics:
- Lock the disk
- Create an image of the disk(s)
- File system authentication
- List disk directories and file systems
- Locate hidden or obscured data
- Cluster analysis

File System Authentication
- The integrity of data related to any seizure is essential.
- Message digest: a one-way hash algorithm. CRC32 (32 bits), MD5 (128 bits), SHA (160 bits).
- Create message digests for system directories and files.

List Directories and Files
- Create a hierarchical directory listing (tree)
- Identify suspect files
- Inventory all files on the disk
- Search: communications programs, registry files, last files accessed, document associations

Identify Suspect Files
- File name search based on case characteristics
- Keyword search based on case characteristics
- Modified file extensions that do not match the file type
- Hidden or deleted files

Hidden & Obscure Data
- Hidden file attributes
- Hidden directories
- Temporary directories
- Deleted files
- Slack space
- Unallocated space
- Swap space
- Steganography

Steganography
- The art of hiding communications
- While encryption conceals the data, steganography denies that the data exists
- Files can be hidden within an image
- Data can be disguised as innocent text

S-Tools
- Hides data inside images, audio files, and slack space

Ghosting
- White letters on a white background, or black letters on a black background.
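The File System Authentication and Identify Suspect Files slides above ask for message digests of every file and for files whose extension does not match their content. The Python below, an added example rather than anything from the deck, builds that inventory: each file gets MD5 and SHA-256 digests (CRC32 is a checksum, not a one-way digest, and MD5 is no longer collision resistant, so the manifest carries SHA-256 and keeps MD5 only for comparison with older records), is type-sniffed by its leading bytes against a small signature table (an assumption, not a complete one), and is flagged for dot-hidden names, the Windows hidden attribute, or case keywords. diff_manifest then compares a later inventory against the baseline, which is the verification half of "authentication". The directory contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

# Leading-byte signatures for type sniffing (a small table; an assumption, not the deck's).
SIGNATURES = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"),
              (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe")]
# Extensions that legitimately carry each signature.
EXPECTED = {"png": {"png"}, "jpg": {"jpg", "jpeg"}, "pdf": {"pdf"},
            "zip": {"zip", "docx", "xlsx", "jar"}, "exe": {"exe", "dll", "sys"}}
HIDDEN_ATTR = 0x2  # FILE_ATTRIBUTE_HIDDEN, present in os.stat results on Windows


def sniff(head):
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def digests(path):
    """Hash the whole file in one pass, returning its first bytes for type sniffing."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        head = f.read(16)
        md5.update(head)
        sha.update(head)
        for block in iter(lambda: f.read(65536), b""):
            md5.update(block)
            sha.update(block)
    return head, md5.hexdigest(), sha.hexdigest()


def inventory(root, keywords=()):
    """Walk root; return {relative path: record} with digests and suspect flags."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            head, md5, sha = digests(full)
            kind = sniff(head)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name[1:] else ""
            flags = []
            if kind and ext and ext not in EXPECTED[kind]:
                flags.append(f"extension .{ext} but content is {kind}")
            if any(part.startswith(".") for part in rel.split(os.sep)):
                flags.append("hidden (dot) name")
            if getattr(st, "st_file_attributes", 0) & HIDDEN_ATTR:
                flags.append("hidden attribute")
            if keywords:
                with open(full, "rb") as f:
                    body = f.read().lower()
                hits = [k for k in keywords if k.lower().encode() in body]
                if hits:
                    flags.append("keyword: " + ", ".join(hits))
            records[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "md5": md5,
                            "sha256": sha, "type": kind, "flags": flags}
    return records


def diff_manifest(baseline, current):
    """What changed since the baseline manifest was taken."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline.keys() & current.keys()
                              if baseline[p]["sha256"] != current[p]["sha256"])}


def demo():
    """Constructed tree: a renamed executable, a keyword hit, a dot-directory; then a modified tree."""
    files = {"photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
             "invoice.jpg": b"MZ" + b"\x90" * 200,       # executable wearing an image extension
             "notes.txt": b"meeting about the wire transfer to account 12345",
             os.path.join(".stash", "list.txt"): b"names and numbers"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        baseline = inventory(root, keywords=["wire transfer"])
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"\nupdated")
        os.remove(os.path.join(root, "photo.png"))
        delta = diff_manifest(baseline, inventory(root))
    suspects = {p: r["flags"] for p, r in baseline.items() if r["flags"]}
    return baseline, suspects, delta


if __name__ == "__main__":
    baseline, suspects, delta = demo()
    for path, flags in suspects.items():
        print(path, "->", "; ".join(flags))
    print(delta)
```

Run the inventory against the restored image, never the original, and store the baseline manifest with the case notes; any later inventory that diff_manifest reports as changed is either examiner activity that must be documented or a sign the working copy was not protected.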
Cluster Analysis
- Criteria: content, location, and condition
- Identifies system usage & history:
  - Initial load of the system
  - Defragmentation "repacks" data files without changing dates/times
  - System wipes and reloads: all slack space and unallocated blocks set to zero; all dates/times close to the same

Analysis Problems
- Searching access-controlled systems
- Virus infection
- Formatted disk
- Corrupted disk
- DiskWipe or degaussed media
- Defragmented disk
- Cluster boundaries
- Evidence Eliminator

Evidence Protection
- Transparent static shielding bags: provide shielding from electrostatic discharge by safely enveloping static-sensitive devices in a humidity-independent Faraday cage. The nickel shielding layer creates a Faraday-type shield. Meets MIL-B-81705 and DoD-STD-1686A.
- Foam-filled disk transport box
- EMF warning labels

Network Forensics
- Analyze packet traces
- Establish a sequence of events
- Goal: identify the intruder
- Tools: network sniffer, system logs, NTSC adapter

Network Forensics
- IP spoofing
- Hijacking
- Password attacks: social engineering, cracking passwords, sniffers
- Distributed, coordinated attacks
- Identity concealed by connection laundering

Connection Laundering

E-mail Forensics
E-mail usage in 2000: 108 million e-mail subscribers; 25.2 billion messages daily.
E-mail is an asynchronous communications mechanism that allows venting. People have a tendency to include more in an e-mail message than they would say in person or over the phone.
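The E-mail Forensics slide above says the examiner must identify the actual sender and where a message was sent from. The Python below is an added example, not from the deck: ToyRelay (constructed for illustration, not a real MTA) accepts the four commands the deck names under e-mail spoofing (helo, mail from, rcpt to, data) and, as real relays do, stamps a Received: header with the peer address it actually saw rather than anything the client claimed. trace() then walks the Received: chain from the most recent hop back to the origin, and assess() sets the three sender claims (header From:, envelope MAIL FROM, HELO name) beside the one recorded fact, the connecting IP, and checks it against a constructed list of the domain's known mail servers. All addresses and hostnames are assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed: the mail servers that legitimately send for a domain (assumption for the demo).
KNOWN_SENDERS = {"bigcorp.example": {"198.51.100.25"}}


class ToyRelay:
    """Minimal SMTP relay model (constructed for illustration, not a real MTA)."""

    def __init__(self, hostname, peer_ip):
        self.hostname, self.peer_ip = hostname, peer_ip   # peer_ip: what the relay sees on the socket
        self.helo = self.mail_from = None
        self.rcpts, self.delivered, self.transcript = [], [], []
        self._in_data, self._buf = False, []

    def send(self, line):
        """Feed one client line; returns the server reply (None inside DATA)."""
        self.transcript.append("C: " + line)
        reply = self._handle(line)
        if reply is not None:
            self.transcript.append("S: " + reply)
        return reply

    def _handle(self, line):
        if self._in_data:
            if line != ".":
                self._buf.append(line)
                return None
            self._in_data = False
            stamp = datetime(2001, 7, 12, 9, 0, tzinfo=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S %z")
            # The HELO name is whatever the client typed; the bracketed IP is what the relay measured.
            received = (f"Received: from {self.helo} ([{self.peer_ip}])\r\n"
                        f"\tby {self.hostname} with SMTP; {stamp}\r\n")
            self.delivered.append((self.mail_from, list(self.rcpts),
                                   received + "\r\n".join(self._buf) + "\r\n"))
            self._buf = []
            return "250 OK: queued"
        cmd, _, arg = line.partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "HELO":
            self.helo = arg
            return f"250 {self.hostname}"
        if cmd == "MAIL" and arg.lower().startswith("from:"):
            self.mail_from = arg[5:].strip(" <>")   # envelope sender; never compared with From:
            return "250 OK"
        if cmd == "RCPT" and arg.lower().startswith("to:"):
            self.rcpts.append(arg[3:].strip(" <>"))
            return "250 OK"
        if cmd == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Unrecognized command"


RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(?[^\[]*\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\)?\s+by\s+(?P<by>\S+)")


def trace(raw):
    """Parse Received: headers; after reversal, hops[0] is the hop nearest the origin."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(hdr).split()))
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return {"hops": hops,
            "origin_ip": hops[0]["ip"] if hops else None,
            "header_from": parseaddr(msg.get("From", ""))[1]}


def assess(envelope_from, raw):
    """Set the client-supplied sender claims beside the IP the relay recorded."""
    t = trace(raw)
    domain = t["header_from"].rsplit("@", 1)[-1]
    t["envelope_from"] = envelope_from
    t["helo_matches_domain"] = bool(t["hops"]) and t["hops"][0]["helo"].endswith(domain)
    t["origin_is_known"] = t["origin_ip"] in KNOWN_SENDERS.get(domain, set())
    return t


def spoof_demo():
    """Run the deck's four-command spoof through the toy relay from an outside address."""
    relay = ToyRelay("relay.example.net", peer_ip="203.0.113.9")
    for line in ["helo mail.bigcorp.example",
                 "mail from: <ceo@bigcorp.example>",
                 "rcpt to: <cfo@bigcorp.example>",
                 "data",
                 "From: CEO <ceo@bigcorp.example>",
                 "To: cfo@bigcorp.example",
                 "Subject: urgent wire",
                 "",
                 "Please wire the funds today.",
                 "."]:
        relay.send(line)
    envelope_from, _rcpts, raw = relay.delivered[0]
    return relay.transcript, envelope_from, raw


if __name__ == "__main__":
    transcript, envelope_from, raw = spoof_demo()
    print("\n".join(transcript))
    print(assess(envelope_from, raw))
```

Every claim the client makes is consistent with bigcorp.example (HELO, MAIL FROM, From:), which is exactly why none of them is evidence; the bracketed 203.0.113.9 in the Received: line written by the relay is the lead. On a real message there are several Received: lines, the topmost added last, and only the ones written by servers you trust are reliable: a sender can pre-insert forged Received: lines below them.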
E-mail Spoofing
Requires only:
- A mail relay server
- Knowledge of the mail commands:
  telnet <relay server>
  helo
  mail from:
  rcpt to:
  data
  <message>

The Future of Forensics
- Crimes, and methods to hide crimes, are becoming more sophisticated, so investigators and analysts must become more technical
- Specialists are needed
- More training is needed in both the public and private sectors
- Encryption will continue to be an issue, but only time will tell

The Future of Forensics
- Forensic tools must become automated
- Forensic search engines must include fuzzy logic and intelligence to handle cluster boundaries
- UNIX tools must be developed
- Better network analysis tools need to be developed
- Tools to analyze distributed applications such as Java, COM, and DCOM will need to be developed

Conclusions
- Computer forensics is an integral function within incident response
- Processes are the most important aspect of computer forensics
- The future of cyber crime will lead to an increased need for computer forensic capabilities

Questions?
