IDAHO STATE POLICE Cyber Crimes Unit - PowerPoint PPT Presentation

About This Presentation
Title: IDAHO STATE POLICE Cyber Crimes Unit
Description: ... line for any computer related computer crime is computer forensics. ... Alternate Data Stream locations (Accessdata's Forensic Took Kit) Time and Date Analysis ... – PowerPoint PPT presentation
Number of Views: 87
Avg rating: 3.0/5.0
Slides: 31
Provided by: mikallu

Transcript and Presenter's Notes

1
IDAHO STATE POLICE Cyber Crimes Unit
  • Detective Bret Kessinger
  • bret.kessinger@isp.idaho.gov
  • 208-884-7216
  • CFE Richard Goldston
  • richard.goldston@isp.idaho.gov
  • 208-884-7103

2
After you have found that you're a victim of a
Network Intrusion, what's next?
  • The bottom line for any computer-related crime is
    computer forensics.
  • Find and present the evidence needed for court.

3
Guidance Software's EnCase
4
http://www.ilook-forensics.org/
5
http://www.x-ways.net/forensics/index-m.html
6
www.accessdata.com (Forensic Tool Kit)
7
www.Wetstonetech.com
8
Leg Work
  • Administrators
  • Get the passwords
  • Users (how many)
  • How is the system set up
  • Windows, Linux, Novell, HP, AS/400, Unix, etc.

9
Network logs
  • What logs are available
  • Get the logs
  • Remember a lot of network people do not keep
    logs.
  • Logs take up too much space.

10
Volatile Data
  • injected (.dlls)
  • cache files
  • netstat -an | cryptcat -k mypassword 192.168.2.11 9999
    (on the victim: pipe the socket listing to the collection host)
  • cryptcat -k mypassword -v -l -p 9999 > netstat.txt
    (on the collection host: listen and save what arrives)
  • xscan -host 10.0.20.xx -iis
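Once the listing reaches the collection host, the next step is reading it against what the administrator says the machine should look like. The following is an added example, not code from the presentation: it parses `netstat -an` text in the Windows layout and flags listening ports that are not on a baseline list and established connections whose remote side is outside the trusted networks. The sample output, the baseline port set and the trusted network are constructed assumptions (192.168.2.11 is the analyst's cryptcat listener from the slide, so that connection is expected).

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output in Windows format (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.2.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.2.10:49152     192.168.2.11:9999      ESTABLISHED
  TCP    192.168.2.10:49153     203.0.113.7:4444       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the administrator says this host is expected to listen on (assumed baseline).
BASELINE_TCP_LISTENERS = {135, 139, 445}
# Networks whose connections are expected; includes the collection workstation
# (192.168.2.11 is the analyst's cryptcat listener, as on the slide).
TRUSTED_NETS = ["192.168.2.0/24"]

_LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint):
    """'192.168.2.10:139' -> ('192.168.2.10', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn raw netstat -an text into a list of socket records."""
    rows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # 'Active Connections', column header and blank lines
        proto, local, foreign, state = m.groups()
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def unexpected_listeners(rows, baseline=BASELINE_TCP_LISTENERS):
    """TCP ports in LISTENING state that are not on the baseline list."""
    ports = {r["lport"] for r in rows
             if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    return sorted(ports - set(baseline))


def foreign_connections(rows, trusted_nets=TRUSTED_NETS):
    """ESTABLISHED connections whose remote side is outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        try:
            addr = ipaddress.ip_address(r["fhost"].strip("[]"))
        except ValueError:
            continue  # '*' or a hostname: nothing to compare against a CIDR
        if not any(addr in net for net in nets):
            flagged.append((r["fhost"], r["fport"]))
    return flagged


if __name__ == "__main__":
    records = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(records))
    print("connections outside trusted nets:", foreign_connections(records))
```

Run it on the saved netstat.txt by passing the file's contents to `parse_netstat`; the two report functions are where the baseline and trusted-network knowledge from the "Leg Work" slide gets applied.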

11
Recently Accessed Programs
  • check all dates
  • Prefetch files (XP, 2003)

12
Auto Start
  • Check the Registry
  • http://www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf
  • EnCase has an Enscript available

13
Packed and Compressed Files
  • Look for packed and compressed files,
  • upx, dbx, gz, tgz, gzip, pst, tar,
  • tdb ("thumbs.db"), zip, etc.

14
Anything Hidden
  • Check hidden files
  • Alternate Data Stream locations (AccessData's
    Forensic Tool Kit)

15
Time and Date Analysis
  • Time created
  • Time last accessed
  • (helpful but not all telling)
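The slide's caveat, shown with an added example that is not part of the presentation: a small timeline builder over the three `stat()` times of every file under a directory, with a window filter and two sanity checks (a modified time in the future, and a modified time older than the time the file last appeared or changed on this disk). The demo files are constructed, and their modification times are set with `os.utime`, which is exactly why such times are "helpful but not all telling": anyone with write access can rewrite them.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

TIME_KINDS = ("modified", "accessed", "changed")


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def collect_times(root):
    """One record per file under root with its stat() timestamps (epoch seconds).
    st_ctime is inode-change time on Unix and creation time on Windows; on both it
    tells you when the file last appeared or changed on this filesystem."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({"path": os.path.relpath(path, root),
                            "modified": st.st_mtime,
                            "accessed": st.st_atime,
                            "changed": st.st_ctime})
    return records


def build_timeline(records):
    """Flatten records into (timestamp, kind, path) events, oldest first."""
    events = [(r[kind], kind, r["path"]) for r in records for kind in TIME_KINDS]
    events.sort()
    return events


def events_in_window(events, start_ts, end_ts, kinds=TIME_KINDS):
    """Events of the given kinds that fall inside [start_ts, end_ts]."""
    return [e for e in events if start_ts <= e[0] <= end_ts and e[1] in kinds]


def suspicious_times(records, now=None, tolerance=300):
    """Modified times that ordinary use of the file on this disk cannot produce:
    in the future, or earlier than the file's arrival/change time here (the file
    was copied in with its old mtime, or the mtime was set by hand)."""
    now = time.time() if now is None else now
    return {
        "future": [r["path"] for r in records if r["modified"] > now + tolerance],
        "predates_arrival": [r["path"] for r in records
                             if r["modified"] < r["changed"] - tolerance],
    }


def make_demo_tree():
    """Constructed sample: four files whose mtimes are rewritten with os.utime."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    now = time.time()
    mtimes = {
        "report.docx": now - 3600,          # edited an hour ago
        "invoice.pdf": now - 3 * 86400,     # three days ago
        "old_notes.txt": 1_000_000_000.0,   # September 2001
        "odd.exe": now + 86400,             # one day in the future
    }
    for name, mtime in mtimes.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (mtime, mtime))      # sets atime and mtime; ctime becomes now
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    recs = collect_times(root)
    for ts, kind, path in build_timeline(recs):
        print(_iso(ts), kind, path)
    print(suspicious_times(recs))
```

Point it at a mounted image rather than the live system so the walk itself does not update access times, and treat "predates_arrival" as a question to ask, not a verdict: copying a file from a USB stick produces the same pattern as deliberate backdating.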

16
Anti-virus and Malware scan
  • Run anti-virus and malware software.
  • If you have imaged the computer, use VMware, Mount
    Anything, etc.

17
GETDATA.COM
18
Vector of Attack
  • USB Devices
  • Like a U3 thumb drive
  • USB Hard drives
  • CD Rom

19
Users, Shares, Mapped drives
  • Any unknown users
  • Any files or folders being shared that should not
    be
  • Mapped drive that is no longer there

20
Files and Programs
  • Installed programs that should not be there
  • Organized files that would belong to a particular
    program that should not be there

21
Keyword Search
  • Conduct text search
  • Consider grep expressions
  • Consider Swap File
  • Consider Registry Files
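An added example, not from the presentation, of the keyword search the slide describes over a swap file, registry hive or other raw byte stream: each term is searched both as ASCII and as UTF-16LE (the form in which Windows keeps strings in memory and in the registry, and the one a plain text grep misses), alongside a regular expression for e-mail addresses. The sample bytes are constructed; `search_file` and the keyword list are assumptions, and keywords are assumed to be ASCII.

```python
import mmap
import re

# Constructed stand-in for a swap-file fragment (not real data): an ASCII path,
# a UTF-16LE string the way Windows holds it in memory, and an e-mail address.
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"C:\\Users\\jdoe\\Documents\\ProjectX_bids.xlsx\x00"
    + b"\x00" * 16
    + "ProjectX".encode("utf-16-le")
    + b"\x00" * 16
    + b"send the bids to buyer@example.net tonight"
    + b"\xff" * 8
)

EMAIL_RE = rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def keyword_patterns(keywords):
    """Each keyword compiled twice, as ASCII and as UTF-16LE, case-insensitive."""
    pats = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pats.append((enc, kw, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return pats


def _hit(blob, m, encoding, term, context):
    start, end = m.start(), m.end()
    match = bytes(blob[start:end])
    text = match.decode("latin-1" if encoding == "regex" else encoding, "replace")
    return {"offset": start, "encoding": encoding, "term": term, "match": match,
            "text": text, "context": bytes(blob[max(0, start - context):end + context])}


def search_blob(blob, keywords, regexes=(), context=12):
    """Keyword and regex hits over a bytes-like object, sorted by offset."""
    hits = []
    for enc, kw, pat in keyword_patterns(keywords):
        for m in pat.finditer(blob):
            hits.append(_hit(blob, m, enc, kw, context))
    for name, rx in regexes:
        for m in re.finditer(rx, blob):
            hits.append(_hit(blob, m, "regex", name, context))
    hits.sort(key=lambda h: h["offset"])
    return hits


def search_file(path, keywords, regexes=(), context=12):
    """Same search over an on-disk file (pagefile, hive, raw image) through mmap,
    so a multi-gigabyte file is not read into memory at once."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return search_blob(mm, keywords, regexes, context)


if __name__ == "__main__":
    for h in search_blob(SAMPLE_BLOB, ["projectx"], [("email", EMAIL_RE)]):
        print(f"{h['offset']:#08x} {h['encoding']:<9} {h['term']:<9} {h['text']}")
```

The offsets are what you carry back into the hex view of the image or swap file; the UTF-16LE hit is the one a line-oriented grep would never show, because every second byte is a null.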

22
Signature, hash, File analysis
  • EnCase does a nice file and Signature Analysis
  • Hash searches and Analysis

23
http://www.nist.gov/srd/nistsd28.htm
24
http://tech.groups.yahoo.com/group/hashkeeper/
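The two checks named on slide 22 and the hash libraries linked on slides 23 and 24, as one added example that is neither the presentation's nor EnCase's: compare each file's leading bytes against a signature table to catch files whose extension does not match their content, and hash every file against a known-file set of the kind NSRL and HashKeeper distribute so that known files drop out of the review. The signature table, extension map and sample files are constructed, and the "known" set here is built from one sample file rather than a real hash library.

```python
import hashlib
import os
import tempfile

# Constructed subset of a signature table (real tools carry thousands of entries).
SIGNATURES = [
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gz"),
    (b"\xff\xd8\xff", "jpg"),
]
# Extensions that legitimately carry each signature.
EXTENSIONS_FOR = {
    "exe": {"exe", "dll", "sys", "scr", "ocx", "cpl"},
    "pdf": {"pdf"},
    "png": {"png"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "gz": {"gz", "tgz"},
    "jpg": {"jpg", "jpeg"},
}


def identify(header):
    """Signature type for the first bytes of a file, or None if not in the table."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def file_hashes(path, chunk=1 << 20):
    """MD5 and SHA-1 of a file, the digests NSRL-style hash sets are keyed on."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def triage(root, known_sha1):
    """Walk root; return (extension/signature mismatches, files whose SHA-1 is
    not in the known set and therefore still need a look)."""
    mismatches, unknown = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                kind = identify(fh.read(16))
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if kind and ext not in EXTENSIONS_FOR[kind]:
                mismatches.append((rel, ext, kind))
            _md5, sha1 = file_hashes(path)
            if sha1 not in known_sha1:
                unknown.append(rel)
    return mismatches, unknown


def make_demo_tree():
    """Constructed sample files (not real binaries) plus a stand-in for a known-file
    hash set that knows only the legitimate installer."""
    root = tempfile.mkdtemp(prefix="sig_demo_")
    files = {
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,   # exe header, exe name
        "photo.jpg": b"MZ\x90\x00" + b"\x01" * 60,   # exe header behind a .jpg name
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "notes.txt": b"plain text, no signature\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    known_sha1 = {hashlib.sha1(files["setup.exe"]).hexdigest()}
    return root, known_sha1


if __name__ == "__main__":
    root, known = make_demo_tree()
    mismatches, unknown = triage(root, known)
    print("signature mismatches:", mismatches)
    print("not in known set:", unknown)
```

A real run loads the SHA-1 column of an NSRL or HashKeeper set into `known_sha1`; the hash match is exact, so a single changed byte in a known program (a patched or trojaned binary) lands it in the unknown list, which is what you want.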
25
Restore Evidence to its Native Form
  • Make an exact copy and boot the copy in the
    suspected computer.
  • Use virtualization software
  • VMware, MS's Virtual PC

26
http://www.vmware.com/
27
http://www.microsoft.com/windows/virtualpc/default.mspx
28
What G2 Research does the most of
  • Wrongful termination suits
    • Employee is fired, six months later sues
    • Network Systems people add a new user on the same
      computer or ghost a new image onto the computer.
  • Theft of trade secrets
    • Employee quits and goes to work for a competitor,
      taking all of his past work papers
    • Sometimes the employee hacks into his old company and
      downloads all the data he can find

29
What should IT do
  • When an employee leaves, get them out of the
    network system ASAP
  • Image the hard drive or remove it from the
    computer. Write down the computer's date and
    time and label the employee's hard drive or image.
    Hard drives are cheaper than the lawsuit.

30
(No Transcript)