People
Networks
Processes
Procedures
Agenda
Confidential
- Computer crime statistics
- Case studies
- Internal attacks
- Introduction to computer forensics
- Methodology
- Tools
- Proactive measures
- Conclusion
www.niiconsulting.com
Selected Costs
Sasser:
Clean-up: $1 billion+ and growing
Case Studies
Case study 1
The client was a major telecom company.
It was receiving very malicious and demoralizing emails from an anonymous email ID.
The content indicated that the sender was either an insider or an ex-employee.
We collected all the emails and checked their headers, which identified the originating Internet Service Provider.
We presented the information to the Cyber Crime Cell.
They sent formal letters to the concerned ISP and the mail service provider (Indiatimes, Yahoo, Hotmail, Rediffmail, etc.).
The ISP replied within 72 hours.
The mail service provider gave access to the sender's account.
The ISP's information showed that the source IP address belonged to the Internet connection of a competing telecom company.
We collected a list of all separations from the client for the period covering the emails.
We took the list to the competitor along with the Cyber Crime Cell's Sub-Inspector.
They told us one name matched that list: the lady had joined them recently.
That person was the actual sender.
She was called in; after gentle persuasion, a confession.
The client chose not to pursue a legal case, but let her off with a stern warning.
Case study 2
The Cyber Crime Cell's own site was hacked.
The site was hosted by a third-party web hosting company.
The server logs showed a number of failed login attempts to the File Transfer Protocol (FTP) service, then a successful login attempt, then a transfer of the main index.htm file.
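The pattern the hosting company's logs showed (a run of failed FTP logins from one address, then a success, then a file transfer) is easy to pick out mechanically once the log is parsed. The following is an added example written for this page, not the Cyber Crime Cell's or the hosting company's code; the log line layout and every address, user name and timestamp in it are constructed for illustration, since the real log format is not on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the hosting company's real logs). Line layout is
# assumed: "<date> <time> <client-ip> <OK|FAIL> <EVENT> <details>".
SAMPLE_LOG = """\
2004-03-02 01:12:03 203.0.113.45 FAIL LOGIN user=admin
2004-03-02 01:12:05 203.0.113.45 FAIL LOGIN user=admin
2004-03-02 01:12:08 203.0.113.45 FAIL LOGIN user=webmaster
2004-03-02 01:12:11 203.0.113.45 FAIL LOGIN user=webmaster
2004-03-02 01:12:14 203.0.113.45 FAIL LOGIN user=webmaster
2004-03-02 01:12:19 203.0.113.45 OK LOGIN user=webmaster
2004-03-02 01:12:40 203.0.113.45 OK UPLOAD /htdocs/index.htm
2004-03-02 09:30:00 198.51.100.8 FAIL LOGIN user=webmaster
2004-03-02 09:30:20 198.51.100.8 OK LOGIN user=webmaster
2004-03-02 09:31:02 198.51.100.8 OK DOWNLOAD /htdocs/stats.csv
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (OK|FAIL) (\w+) ?(.*)$")


def parse_line(line):
    """One log line -> dict, or None for lines that do not match the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group(2), "ok": m.group(3) == "OK",
            "event": m.group(4), "detail": m.group(5)}


def find_bruteforce_then_upload(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Per client IP: at least `min_failures` failed logins inside `window`
    before a successful login, plus any uploads within `window` after it."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failures = []                       # failed LOGIN records since the last success
        for i, rec in enumerate(recs):
            if rec["event"] != "LOGIN":
                continue
            if not rec["ok"]:
                failures.append(rec)
                continue
            recent = [f for f in failures if rec["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                uploads = [r["detail"] for r in recs[i + 1:]
                           if r["ok"] and r["event"] == "UPLOAD"
                           and r["ts"] - rec["ts"] <= window]
                alerts.append({
                    "ip": ip,
                    "failed_logins": len(recent),
                    "users_tried": sorted({f["detail"].partition("=")[2] for f in recent}),
                    "login_at": rec["ts"],
                    "uploads": uploads,
                })
            failures = []                   # a success ends the run of attempts
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_then_upload(SAMPLE_LOG):
        print(alert)
```

The legitimate webmaster (one typo, then a download) stays below the threshold; the attacking address trips it and the alert carries the user names tried and the uploaded file, which is exactly what the investigator needs before going to the ISP. A real deployment would read the server's actual log format and tune the threshold and window to its traffic.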
The IP address was similarly traced to the Internet Service Provider, and from the ISP to a cyber café.
It seemed like a dead end: the cyber café owner and engineer were arrested mistakenly, and there was no record of who had come to the cyber café that day.
The hacker then called up the Sub-Inspector and taunted him, revealing his name as Dr. Neukar.
An Internet search revealed the home page of Dr. Neukar, with his picture on it!
The police took that picture, and he was immediately recognized as someone in the vicinity.
Taken into custody; confessed immediately.
Case pending in court.
Citibank Phishing
The site in the background is actually www.citibank.com.
The window in the front belongs to a Russian hacker group.
When a user actually enters those details, they are transmitted to the hackers.
A message is shown saying the information was entered correctly and the credit card will NOT be expired.
But it will surely be heavily misused!
Data Hiding
There are several techniques by which intruders may hide data:
Obfuscating data through encryption and compression.
Hiding through codes, steganography, name embedding, obscurity and unnamed files.
Blinding investigators by changing the behavior of system commands and modifying the operating system.
Steganography
The practice of hiding a message within a larger one in such a way that others cannot discern the presence or contents of the hidden message.
Can be used for legitimate purposes like copyright protection (watermarking).
However, it is mostly used for illegitimate reasons, e.g. to steal data by concealing it in another file and sending it out as an email attachment.
Tools are freely available for steganography:
F5 hides messages in JPEG files.
SecureEngine hides text files in larger text files.
MP3Stego hides files in MP3 files.
How to prevent or detect steganography? There is no specific answer.
A preventive step: a corporate security policy restricting the installation of unauthorized programs.
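The two slides above describe what steganography does and why detection has no general answer. The following added example (written for this page; it is not F5, SecureEngine or MP3Stego, and not the presenter's code) shows the simplest embedding scheme, least-significant-bit substitution, both directions, and one crude statistical check. The carrier is a constructed byte string standing in for image samples; the check only works because that carrier has an artificially clean LSB plane, which is the point: detection depends on knowing what the untouched carrier should look like.

```python
def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def hide(carrier: bytes, message: bytes) -> bytes:
    """Embed `message` in the least significant bit of each carrier byte.
    A 32-bit big-endian length prefix tells extract() where the payload ends."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError(f"carrier holds {len(carrier) // 8} bytes, payload needs {len(payload)}")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit      # only the LSB changes: sample value moves by at most 1
    return bytes(out)


def _read_lsb_bytes(stego: bytes, start: int, count: int) -> bytes:
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Recover the payload; raises ValueError if the length prefix is implausible."""
    if len(stego) < 32:
        raise ValueError("too short to hold a length header")
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit the carrier: no valid payload")
    return _read_lsb_bytes(stego, 32, length)


def lsb_ones_ratio(data: bytes, start: int = 0, length: int = None) -> float:
    """Fraction of bytes whose LSB is 1 over a region: a crude steganalysis
    statistic. Near 0.5 in a region whose carrier LSBs were known to be
    structured is a sign of embedded data."""
    region = data[start:start + length] if length else data[start:]
    return sum(b & 1 for b in region) / len(region)


# Constructed carrier (assumption: stands in for image samples). Every value is
# even, so the untouched LSB plane is all zeros. Real photographs have noisy
# LSBs, which is why this check is weak against them and why the slide says
# there is no specific answer.
CARRIER = bytes(2 * ((i * 37) % 128) for i in range(4096))

if __name__ == "__main__":
    secret = b"quarterly-forecast.xls contents"
    stego = hide(CARRIER, secret)
    print("recovered:", extract(stego))
    print("LSB ones ratio, carrier:", lsb_ones_ratio(CARRIER))
    print("LSB ones ratio, stego payload region:", lsb_ones_ratio(stego, 0, 32 + 8 * len(secret)))
```

Note what the embedding does not change: every sample keeps its upper seven bits, so the carrier looks and sounds the same, and a file-size or file-type check finds nothing. That is why the slide's only preventive step is a policy on unauthorized software rather than a detector.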
May determine a user's or an application's system activity. Analyze e-mails for source information and content.
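Analyzing an e-mail for source information, as this slide lists and as case study 1 above did, means reading its Received: headers from the bottom up to find the first address that belongs to the public Internet. The following is an added example written for this page, not the consultants' tool; the sample message, its hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Ranges that never identify an Internet-facing sender; a hop naming one of
# these is internal to the provider (or the sender's LAN), not the origin.
NON_ROUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_routable(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def received_hops(raw_message: str):
    """Received: headers as (bracketed_ips, unfolded_text), earliest hop first.
    Each relay prepends its own header, so the order on the wire is reversed."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())            # unfold continuation lines
        hops.append((IPV4_IN_BRACKETS.findall(text), text))
    return hops


def originating_ip(raw_message: str):
    """Earliest routable address in the chain, or None if there is none.
    Caveat: only the headers added by servers you trust are reliable; anything
    below them can be forged by the sender. That is why the case study went to
    the ISP and the mail provider through the Cyber Crime Cell rather than
    relying on the headers alone."""
    for ips, _ in received_hops(raw_message):
        for addr in ips:
            if is_routable(addr):
                return addr
    return None


# Constructed sample (not a real message); hostnames and addresses are made up.
SAMPLE = """\
Received: from mx.webmail-provider.example (mx.webmail-provider.example [203.0.113.10])
\tby mail.client.example (Postfix) with ESMTP id 4F2A1;
\tMon, 12 Jul 2004 10:21:07 +0530
Received: from webapp.webmail-provider.example (localhost [127.0.0.1])
\tby mx.webmail-provider.example with ESMTP id 8C3D;
\tMon, 12 Jul 2004 10:21:05 +0530
Received: from [192.168.1.20] (unknown [198.51.100.77])
\tby webapp.webmail-provider.example (webmail) with HTTP;
\tMon, 12 Jul 2004 10:21:01 +0530
From: anonymous9876@webmail-provider.example
To: ceo@client.example
Subject: you know who this is

Body text.
"""

if __name__ == "__main__":
    for ips, text in received_hops(SAMPLE):
        print(ips, "<-", text[:60])
    print("origin:", originating_ip(SAMPLE))
```

The bottom hop names two addresses: the 192.168.1.20 the sender's browser claimed, which is worthless, and the 198.51.100.77 the provider's web server saw, which is what goes in the letter to the ISP. Timestamps in the headers (here all +0530) give the moment the ISP needs to match the address to a subscriber.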
Basic Methodology
Acquire the evidence without altering or damaging the original source.
Authenticate that the recovered evidence is the same as the original.
Establish an audit trail of all processes applied to computer-based evidence.
Must be third-party repeatable.
Methodology
Failure to use appropriate methodologies may prevent successful prosecution.
It may cost your organization $4.3 million!
System forensics: O/S dependent.
Network forensics: includes intrusion detection (ID) systems.
Internet forensics: includes ISP logs, etc.
Disk Forensics
Requires bit-stream image copies, which include slack space, unallocated space, and deleted file fragments.
Investigating officers must be able to demonstrate compliance with the rules of evidence; integrity can be demonstrated with a message digest.
Network Forensics
Evidence is collected from normal operation: logs and intrusion detection systems.
IP headers contain the source and destination IP addresses; data link headers contain the source and destination MAC addresses.
Computer Addresses
Logical or IP addresses.
Public IP addresses are allocated by the Regional Internet Registries (ARIN for North America, APNIC for the Asia-Pacific region, including India), whose WHOIS databases are the starting point for tracing an address to its ISP.
Evidence Life Cycle
Discovery and recognition
Protection
Recording
Collection
Identification
Preservation
Transportation
Presentation in court
Return to owner
Digital evidence
Digital evidence must be authentic, and it must be possible to prove that it has not been modified.
Rules of Evidence
Distinguish between hearsay and direct evidence.
Require proof of authenticity and integrity.
Chain of custody requires that:
No information has been added or changed.
A complete copy was made.
A reliable copying process was used.
All media was secured.
A message digest can demonstrate integrity; a digital signature can demonstrate authentication and non-repudiation.
Common Problems
No established incident response team.
Evidence compromised while it was gathered.
Inappropriate methodology.
Lack of peer review.
Linux dd
Used by the FBI, among other tools, in the Zacarias Moussaoui case.
Toolkit by Dan Farmer and Wietse Venema (The Coroner's Toolkit)
Used for investigating Unix systems.
Hex/disk/RAM editor
An inexpensive hex, disk, and RAM editor. Data analysis features include identification of certain file types (such as images) in unknown data, like that of recovered files. Includes drive imaging and deleted data recovery capabilities.
Corporate security and incident team
Security investigator
Emergency response core team
Application owner
Application developer
System owner/administrator
Network administrator
Firewall administrator
Security consultants
Conclusion
With new attack vectors being introduced every day.
Internal Attackers
Network servers
See the Internet web sites visited from that user's IP address.
See the files downloaded or accessed from central servers by that user.
Watch out for multiple failed login attempts from that user's PC.
Surveillance Software
The most effective tools to monitor a suspicious user. This software runs transparently in the background and captures:
User's keystrokes
Screen snapshots
Emails sent
Attachments sent via email
Instant messenger conversations