Title: EMERGING TECHNOLOGIES COMMITTEE JUNE 17, 2002 Frank DeCandido, CPA, Vice President Prudential Financial
1 COMPUTER FORENSICS
- EMERGING TECHNOLOGIES COMMITTEE, JUNE 17, 2002
- Frank DeCandido, CPA, Vice President, Prudential Financial
- Thomas Doughty, First Vice President, Manager Information Security, Prudential Financial
2 Table of Contents
- Evolution of Fraud (slides 3-5)
- 2002 FBI/Computer Security Institute Annual Survey (slides 6-8)
- Incident Response (slides 9-42)
- Congressional Statutes (slides 43-45)
- What's Next (slide 46)
- Computer Crime Organizations (slide 47)
- Other Websites (slide 48)
- Website of the Month for June 2002 (slide 49)
- Presenters (slide 50)
- Bibliography (slides 51-52)
3 Evolution of Fraud
- CPE classes used to concentrate on corporate fraud:
  - Check kiting
  - Check fraud
  - Credit card fraud
  - Advice: do not write checks with a felt pen
4 Evolution of Fraud
- Over the years computer fraud became more prevalent:
  - Hackers
  - Viruses
  - Firewalls
5 Evolution of Fraud
- The evolution of the Internet has opened the floodgates to access to personal and business information.
6 2002 FBI/Computer Security Institute Annual Survey [7]
- The Computer Security Institute (CSI), http://www.gocsi.com/, is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional.
- Started the survey in 1995
- On April 7, 2002 it issued the results of its Seventh Annual Computer Crime and Security Survey
- Heaviest concentration of respondents in High Tech (19%) and Financial Services (19%)
7 2002 FBI/Computer Security Institute Annual Survey [7]
- Results
  - 90% of respondents detected computer security breaches within the last 12 months
  - 80% acknowledged financial losses due to computer breaches
  - 44% were willing and/or able to quantify their losses ($445 million)
  - The most serious financial losses occurred through theft of proprietary information and financial fraud
  - For the 5th year in a row, more respondents cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack
  - 34% reported the intrusions to law enforcement (16% in 1996)
  - 44% systems penetration from the outside
  - 44% denial of service attacks
  - 78% employee abuse of Internet access privileges (downloading)
  - 85% detected computer viruses
8 2002 FBI/Computer Security Institute Annual Survey [7]
- If your organization has experienced computer intrusion(s) within the last twelve months, which of the following actions did you take?
  - 77% Patched holes
  - 40% Did not report
  - 34% Reported to law enforcement
  - 19% Reported to legal counsel
9 Incident Response
- Methodologies [1]
  - Definition of Computer Forensics
  - Pre-Incident Preparation
  - Detection
  - Initial Response
  - Strategies (Tom Doughty to discuss)
  - Forensic Process
  - Investigation
  - Security Measure Implementation
  - Network Monitoring
  - Recovery
  - Reporting
  - Follow-up
10 Computer Forensics
- forensics [6] (fə-rĕn′sĭks, -zĭks) n. (used with a sing. verb)
  - The art or study of formal debate; argumentation.
  - The use of science and technology to investigate and establish facts in criminal or civil courts of law.
- Computer Forensic Service deals with the preservation, identification, extraction and documentation of computer-related evidence on computer storage media. [5]
- The process of unearthing data of probative value from computer and information systems. [1]
- Computer Forensics is the collection, preservation, analysis and court presentation of computer-related evidence. [12]
11 Incident Response
- Pre-Incident Preparation [1]: Why is it important? Common themes
- Preparation for a computer-related incident will:
  - help create an infrastructure that provides quick resolution after an incident occurs (computer data is easily altered or erased)
  - help in the preservation of the evidence
  - provide the thorough, complete documentation needed to verify the integrity of files
  - help provide the technical and procedural measures that need to be in place so that some basic but vital questions can be answered quickly, to expedite the collection of evidence
  - preserve the chain of custody
  - prevent poor performance
- University studies have found that more than 90% of all information is now created in digital form (University of California, Berkeley: 93%)
12 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Establish a Computer Incident Response Team
  - Point of contact? During business hours, after business hours, holidays and weekends: 24/7 availability
  - Establish the team's mission
  - Members of the team:
    - Systems
    - Human Resources
    - Corporate Security
    - Legal (internal)
    - Accounting (financial fraud)
    - Outside consultants (incident by incident)
    - Law enforcement (incident by incident)
    - Senior management (incident by incident)
13 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Preparation steps to take to verify the integrity of files
  - Response Tool Kit
    - Hardware (see slide 14)
    - Software (Safeback, EnCase, or other forensic software packages) (see slide 15)
    - Network monitoring platform
  - Create a known-good copy of the system on a regular basis. This allows the known-good files to be compared with the corrupted files.
  - Cryptographic Checksums/Fingerprints
    - Created by applying a hash algorithm to a file
    - For practical purposes unique to that file: changing a single bit of the file changes the checksum
    - Create checksums for critical files BEFORE an incident occurs and compare them to the files after the incident occurs
    - The most commonly used is the MD5 algorithm (SAVE THE CHECKSUMS OFFLINE, on media the intruder cannot rewrite along with the files; MD5 collisions have since been demonstrated, so build new baselines with SHA-256)
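The baseline-and-compare procedure above, as an added example that is not part of the presentation and not the code of Safeback, EnCase or any other tool. It hashes every file under a directory before an incident, stores the manifest in a separate location standing in for offline media, and after the incident reports which files were modified, added or removed. The JSON manifest format and the small directory tree built in `demo()` are assumptions of this example; SHA-256 is used in place of MD5.

```python
"""Integrity baseline for critical files (added example, not from the slides)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, algo: str = "sha256") -> str:
    """Stream the file through the hash so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated path) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash targets, not links: a link can be repointed without touching the target
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], manifest_path: str) -> None:
    """Write the manifest; in practice manifest_path is on read-only or offline media."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(manifest_path: str) -> Dict[str, str]:
    with open(manifest_path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, simulate an intrusion, compare."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as offline:
        _write(os.path.join(host, "bin", "ls"), b"genuine ls binary")
        _write(os.path.join(host, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(host, "var", "log", "auth.log"), b"Jun 17 09:00:01 login ok\n")
        manifest = os.path.join(offline, "baseline.json")  # kept off the monitored host
        save_baseline(build_baseline(host), manifest)

        # Simulated intruder activity: trojaned binary, extra UID-0 account,
        # hidden payload dropped, log removed to cover tracks.
        _write(os.path.join(host, "bin", "ls"), b"trojaned ls binary")
        _write(os.path.join(host, "etc", "passwd"),
               b"root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(os.path.join(host, "tmp", ".x", "rootkit"), b"payload")
        os.remove(os.path.join(host, "var", "log", "auth.log"))

        return compare(load_baseline(manifest), build_baseline(host))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the manifest and the hashing tool: both must come from media the intruder could not write to, which is the point of the "save offline" advice on the slide.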
14 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Hardware Needed
15 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Software Needed
16 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Preparation steps to take to verify the integrity of files
  - Increase or enable secure audit logging: configuring the log files can make them more complete and less likely to be corrupted
    - UNIX: controlling logging, remote logging and process accounting
    - WINDOWS: security auditing, auditing file and directory actions, remote logging
  - Topology/architecture maps: the arrangement in which the nodes of a LAN are connected to each other
  - Enhance host and network logging, and make sure that backups are performed on a regular basis
17 Incident Response
- Pre-Incident Preparation [1] (cont.)
- What are the threats to your organization?
  - Types of damage: loss of business? Reputation?
  - Concerned about loss of intellectual property?
  - Destruction of databases?
- Who poses a threat?
  - Do you fear an outside intrusion?
18 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Preparation steps to take to verify the integrity of files
- Others (Security)
  - Firewalls/Intrusion Detection
    - Ford Levy, CPA, from Maxwell, Shmerler Company will be presenting a session on Firewalls on Tuesday, July 9, 2002 at 9am.
  - Perform a trap and trace (check legal requirements)
  - Monitoring at the user level
    - Violation logs
    - Improperly configured devices
    - Exception processes
  - Monitor Internet activity
  - Monitor employee modems
19 Incident Response
- Pre-Incident Preparation [1] (cont.)
- Preparation steps to take to verify the integrity of files
- Others (Security)
  - Scan the network
  - Back up critical data
  - Access control lists on routers
  - Encrypt network traffic
  - Build up your hosts' defenses: use the latest release and make sure that all patches, hot fixes and updates are installed
  - Educate users: no external software
20 Incident Response
- Detection [1]
  - Alerts about suspicious activities should be generated by the firewall/intrusion detection system (IDS)
  - The alert should be immediate
  - BlackICE (a personal firewall/IDS) at the individual workstation level
21 Incident Response
- Initial Response [1]
  - Use a notification checklist to list all pertinent details
    - Point of contact
    - Assemble the response team
    - Which hardware/software?
    - What time/place?
    - Nature of the incident?
  - Record all pertinent facts (platform, ports/IP address, etc.)
  - Immediate actions to be taken, from the standpoint of who is monitoring
  - Network mapping confirming that an incident has occurred or is occurring
  - Evaluation of the incident (use of cryptographic checksums/fingerprints against the pre-incident baseline)
  - Type of incident and business impact are determined
22 Incident Response
- Strategies [1]
  - Denial of service: reconfigure routers
  - Virus outbreak: isolate the machine as soon as possible
  - If a workstation in a development population is affected, segregate the network (turn off choke points)
  - Awareness/communication/documentation of policies
- Factors
  - Critical systems affected?
  - Sensitivity of the compromised information?
  - Who are the perpetrators and what is their skill level?
  - Is the incident known to the public?
  - Dollar loss involved?
  - Tolerance of user and system downtime?
23 Incident Response
- Strategies [1] (cont.)
  - Host-based intrusion detection: response focused; overhead and maintenance intensive
  - Perimeter-based intrusion detection: easier to administer
  - Review risk assessment policies
24 Incident Response
- Forensics Process [1]
  - Also known as Digital Evidence Analysis or Computer Media Analysis
- Common themes
  - Preservation of evidence is key
  - Thorough documentation
  - Look at the judicial process
25 Incident Response
- Forensics Process [1] (cont.)
- Maintain chain of custody of evidence
  - Create evidence tags
    - Time and date of the action
    - Number assigned to the case
    - Evidence tag number
    - Was consent required?
    - Who the evidence belonged to
    - Description of the evidence
    - Who received the evidence, and signature
  - Track any transfers of evidence (e.g. hard drives to CD-ROM)
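One way to keep the evidence tags and transfers above so that a later alteration is detectable, as an added example that is not part of the presentation. Each tag or transfer becomes an entry that carries the SHA-256 of the previous entry, so editing or dropping an entry breaks the chain and `verify()` reports the first sequence number that fails. The field names follow the slide (case number, tag, owner, consent, description, who received it); the `signature` field is just the custodian's name standing in for a real handwritten or digital signature, `media_hash` is the digest recorded when the item was imaged, and every case detail in `_build()` is made up.

```python
"""Tamper-evident chain-of-custody log (added example, not from the slides)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry: Dict[str, Any]) -> str:
    """Hash the entry as canonical JSON so key order cannot change the result."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


class CustodyLog:
    def __init__(self, case_number: str) -> None:
        self.case_number = case_number
        self.entries: List[Dict[str, Any]] = []

    def _append(self, kind: str, when: Optional[str], **fields: Any) -> Dict[str, Any]:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry: Dict[str, Any] = {
            "case": self.case_number,
            "seq": len(self.entries),
            "kind": kind,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,  # links this entry to the one before it
            **fields,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def tag(self, tag_id, description, owner, consent_required, received_by, media_hash, when=None):
        """Record the evidence tag written when an item is seized or imaged."""
        return self._append("tag", when, tag=tag_id, description=description, owner=owner,
                            consent_required=consent_required, received_by=received_by,
                            signature=received_by, media_hash=media_hash)

    def transfer(self, tag_id, from_person, to_person, reason, when=None):
        """Record a hand-over (e.g. the drive image copied to CD-ROM for the examiner)."""
        return self._append("transfer", when, tag=tag_id, from_person=from_person,
                            to_person=to_person, reason=reason, signature=to_person)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if every link holds, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry.get("seq") != i or entry.get("prev_hash") != prev
                    or _digest(entry) != entry.get("entry_hash")):
                return False, i
            prev = entry["entry_hash"]
        return True, None


def _build() -> CustodyLog:
    """Constructed case with fixed timestamps so the head hash is reproducible."""
    log = CustodyLog("2002-0617-001")
    log.tag("E-01", "80 GB IDE drive, serial WD-123, from the workstation in room 4B",
            owner="J. Smith (employee)", consent_required=False, received_by="examiner-1",
            media_hash="0f" * 32, when="2002-06-17T09:15:00+00:00")
    log.transfer("E-01", "examiner-1", "examiner-2", "imaging to CD-ROM",
                 when="2002-06-17T11:40:00+00:00")
    log.transfer("E-01", "examiner-2", "evidence locker 2", "return to storage",
                 when="2002-06-17T16:05:00+00:00")
    return log


def demo() -> Dict[str, Any]:
    intact = _build().verify()
    altered = _build()
    altered.entries[1]["to_person"] = "nobody"  # history rewritten after the fact
    missing = _build()
    del missing.entries[1]                      # a transfer quietly dropped from the middle
    tail = _build()
    del tail.entries[-1]                        # last entry dropped: the chain alone cannot tell
    return {"intact": intact, "altered": altered.verify(), "missing_middle": missing.verify(),
            "tail_cut": tail.verify(), "head_hash": _build().entries[-1]["entry_hash"]}
```

The `tail_cut` case is the caveat: a hash chain detects edits and gaps but not removal of the most recent entries, so the current head hash has to be anchored somewhere the log cannot reach, for example written on the paper evidence form each time custody changes.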
26 Incident Response
- Forensics Process [1] (cont.)
- Maintain chain of custody of evidence
  - Document information about the item(s), e.g. for duplication of mail servers:
    - Occupants of the office
    - Names of employees who have access to the office
    - Location of computer systems in the room
    - State of systems (powered on or not)
    - People present in the room at the time of the forensic duplication
    - Serial numbers, models and makes of the hard drives
    - Peripherals attached to the systems
27 Incident Response
- Forensics Process [1] (cont.)
- Maintain chain of custody of evidence
- Initial Response: steps before forensic duplication [3]
  - If the computer is OFF, DO NOT TURN IT ON
  - If the computer is ON:
    - (1) DO NOT POWER DOWN through the operating system's shutdown. Memory contents, the state of network connections, the state of running processes, the contents of the storage media and the contents of removable and backup media can be lost [1]; if the case needs any of this volatile data, collect it before the next step
    - (2) Photograph the screen, then disconnect all power sources by unplugging from the back of the computer
    - (3) Interrupting power at the back of the computer, rather than at the wall, defeats an uninterruptible power supply
28 Incident Response
- Forensics Process [1] (cont.)
- Maintain chain of custody of evidence
- Initial Response: steps before forensic duplication (cont.)
  - For laptops, locate and remove the battery pack if the laptop does not shut down when the power cord is removed
  - Place evidence tape over each drive slot
  - Photograph/diagram and label the back of the computer and its components with the existing connections
  - Label all connector/cable ends to allow reassembly as needed
  - If transport is required, package the components and transport/store them as fragile cargo
  - Keep away from magnets, radio transmitters and other potentially damaging elements
29 Incident Response
- Forensics Process [1] (cont.)
- Maintain chain of custody of evidence
- Initial Response: steps before forensic duplication (cont.)
  - Collect all peripheral devices, cables, keyboards and monitors
  - Collect all instruction manuals, documentation and notes (user notes may contain passwords)
  - On networked or business computers, secure the scene. Do not let anyone touch the systems except network-trained personnel
  - Pulling the plug could severely damage the system, disrupt legitimate business and create officer and department liability
30 Incident Response
- Forensics Process [1] (cont.)
- Performing Forensic Duplication [1]
  - Perform all analysis on a copy restored from the duplicate image
  - When is forensic duplication necessary?
    - Is judicial action likely?
    - High-profile incident?
    - Significant dollar loss?
    - Will you need to undelete data or search free or slack space to unearth evidence?
  - If you said yes to any of these questions, then you need to perform a forensic duplication
31 Incident Response
- Forensics Process [1] (cont.)
- Performing Forensic Duplication [1]
- Approaches
  - Remove the drive from the suspect computer and attach it to a forensics workstation (the traditional approach): Safeback, the UNIX dd command, EnCase
  - Attach a (destination) hard drive to the suspect computer: just as common as the first, and the same methodology. Forensics experts typically carry a forensics workstation, which minimizes hardware and software problems
  - Send the disk image over a closed network to the forensics workstation as it is created: usually done when a UNIX system is used as the imaging platform
32 Incident Response
- Forensics Process [1] (cont.)
- Performing Forensic Duplication [1]
- Requirements for forensic duplication tools
  - Must image every byte of data on the storage medium, from the beginning of the drive to the maintenance track
  - Must handle read errors in a robust manner
  - Must not make changes to the original evidence
  - Must be able to stand up to scientific testing and analysis
  - Results must be repeatable and verifiable by a third party
  - The image file is verified with a checksum or hashing algorithm; this may be computed concurrently with the creation of the file or at the end of the imaging process
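The requirements above written out as an imaging loop, as an added example; this is not the presentation's material and not the code of Safeback, EnCase or dd. It copies every block from offset 0 to the end of the medium, never opens the source for writing, zero-fills and records any block that cannot be read (the behaviour of `dd conv=noerror,sync`) so that offsets in the image still line up with the original, and hashes the image concurrently with writing it; a third party verifies the result by re-hashing the image file, as `sha256_of_file()` does. The `FlakyMedium` class is a constructed stand-in for a block device with unreadable sectors; on a real acquisition the source would be the device opened read-only behind a write blocker.

```python
"""Bit-for-bit imaging with robust read-error handling (added example, not from the slides)."""
import hashlib
import io
import os
import tempfile
from typing import Dict, List, Tuple

SECTOR = 512  # use the device's real sector size on a live acquisition


class FlakyMedium:
    """Seekable read-only source that raises EIO at the listed sector offsets (simulation)."""

    def __init__(self, data: bytes, bad_offsets: List[int]) -> None:
        self._buf = io.BytesIO(data)
        self._bad = set(bad_offsets)

    def seek(self, offset: int, whence: int = 0) -> int:
        return self._buf.seek(offset, whence)

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if pos in self._bad:
            raise OSError(5, "Input/output error")  # what a failing disk returns
        return self._buf.read(n)


def image(src, dst_path: str, block_size: int = SECTOR) -> Tuple[str, int, List[int]]:
    """Copy src to dst_path block by block. Returns (sha256 of image, bytes written, bad offsets)."""
    size = src.seek(0, os.SEEK_END)  # length of the medium: the loop must run to the very end
    digest = hashlib.sha256()
    bad: List[int] = []
    written = 0
    with open(dst_path, "wb") as out:
        offset = 0
        while offset < size:
            want = min(block_size, size - offset)
            try:
                src.seek(offset)
                chunk = src.read(want)
            except OSError:
                chunk = b""          # unreadable block: logged, then zero-filled below
                bad.append(offset)
            if len(chunk) < want:    # failed or short read: pad so later offsets stay aligned
                chunk = chunk + b"\x00" * (want - len(chunk))
            out.write(chunk)
            digest.update(chunk)     # hashed concurrently with the write
            written += len(chunk)
            offset += want
    return digest.hexdigest(), written, bad


def sha256_of_file(path: str) -> str:
    """Independent re-hash of the finished image, as a third party would do to verify it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def demo() -> Dict[str, object]:
    """Constructed medium of 10 sectors with sector 3 unreadable."""
    sectors = [bytes([i]) * SECTOR for i in range(10)]
    medium = FlakyMedium(b"".join(sectors), bad_offsets=[3 * SECTOR])
    expected = b"".join(s if i != 3 else b"\x00" * SECTOR for i, s in enumerate(sectors))
    with tempfile.TemporaryDirectory() as d:
        dst = os.path.join(d, "evidence.dd")
        img_hash, written, bad = image(medium, dst)
        rehash = sha256_of_file(dst)
    return {
        "image_hash": img_hash,
        "rehash": rehash,  # third-party verification of the same file
        "expected_hash": hashlib.sha256(expected).hexdigest(),
        "bytes_written": written,
        "bad_offsets": bad,
    }
```

The list of bad offsets belongs in the acquisition notes alongside the hash: the image hash is repeatable only if the same sectors fail the same way, so a re-acquisition that recovers a marginal sector will legitimately produce a different digest.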
33 Incident Response
- Forensics Process [1] (cont.)
- Performing Forensic Analysis [1]
- Divided into two layers
  - Physical analysis
    - String searches
    - Search and extract
    - Extracting file slack and free space
  - Logical analysis
- Understanding where evidence resides
  - The physical layer
  - Data classification layer
  - Blocking format layer
  - Storage space allocation layer
  - Information classification and application storage layers
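A physical-layer string search of the kind listed above, as an added example that is not part of the presentation and not EnCase's keyword search. It reads the image as bytes and ignores the file system, so it reports hits in unallocated space and file slack as well as in live files. Two details a plain grep gets wrong are handled: Windows artefacts often store text as UTF-16LE, so every keyword is searched in both ASCII and UTF-16LE, and the image is read in chunks with an overlap so a keyword that straddles a chunk boundary is still found, exactly once. The 4 KiB image, the keywords and the offsets in `sample_image()` are constructed for the example.

```python
"""Physical keyword search over a raw image (added example, not from the slides)."""
import io
from typing import BinaryIO, List, Tuple

Hit = Tuple[int, str, str]  # (absolute byte offset, keyword, encoding)


def _patterns(keywords: List[str]) -> List[Tuple[str, str, bytes]]:
    out = []
    for kw in keywords:
        out.append((kw, "ascii", kw.encode("ascii")))
        out.append((kw, "utf-16le", kw.encode("utf-16-le")))
    return out


def search_stream(f: BinaryIO, keywords: List[str], chunk_size: int = 1 << 20) -> List[Hit]:
    """Scan f from offset 0 to EOF and return every keyword hit with its byte offset."""
    patterns = _patterns(keywords)
    overlap = max(len(p) for _, _, p in patterns) - 1  # longest pattern minus one byte
    hits: List[Hit] = []
    carry = b""  # tail of the previous chunk, re-scanned so straddling matches are seen
    base = 0     # absolute offset of buf[0] in the image
    while True:
        data = f.read(chunk_size)
        if not data:
            break
        buf = carry + data
        for kw, enc, pat in patterns:
            i = buf.find(pat)
            while i >= 0:
                # A match that ends inside the carry was fully inside the previous
                # buffer and has already been reported; only new-ground matches count.
                if i + len(pat) > len(carry):
                    hits.append((base + i, kw, enc))
                i = buf.find(pat, i + 1)
        keep = min(overlap, len(buf))
        carry = buf[len(buf) - keep:] if keep else b""
        base += len(buf) - keep
    hits.sort()
    return hits


def sample_image() -> bytes:
    """Constructed 4 KiB image: live-file text, a keyword across the 1024-byte
    boundary, and a UTF-16LE remnant in otherwise unallocated space."""
    img = bytearray(4096)
    img[100:112] = b"confidential"                 # ASCII, inside an allocated file
    img[1020:1027] = b"payroll"                    # straddles offset 1024
    u = "confidential".encode("utf-16-le")
    img[2000:2000 + len(u)] = u                    # Windows-style text left in free space
    return bytes(img)


def demo(chunk_size: int = 1024) -> List[Hit]:
    """Run the search over the constructed image with a small chunk so boundaries matter."""
    return search_stream(io.BytesIO(sample_image()), ["confidential", "payroll"], chunk_size)
```

The hit offsets are what the examiner then maps back through the allocation layer to a file, its slack, or unallocated space; a hit with no owning file is usually the interesting one.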
34 Incident Response
- Investigation
  - Conducted on a forensic duplication of a relevant system
  - Collecting information stage
    - What was harmed?
    - How was it damaged?
    - Who was to blame? Establishing the identity behind the people on a network is increasingly difficult
    - How to fix the compromise
  - The proper collection and analysis of computer evidence through accepted computer science protocol is a critical component of any internal investigation or audit where the results have the potential to be presented in legal proceedings [12]
35 Incident Response
- Investigation
- Windows NT/2000 [1]
  - Review all pertinent logs
  - Perform keyword searches
  - Review relevant files
  - Identify unauthorized user accounts or groups
  - Identify rogue processes
  - Look for unusual or hidden files
  - Check for unauthorized access points
  - Examine jobs run by the scheduler service
  - Analyze trust relationships
  - Review security identifiers
36 Incident Response
- Investigation
- UNIX [1]
  - Review all pertinent logs
  - Perform keyword searches
  - Review relevant files
  - Identify unauthorized user accounts or groups
  - Identify rogue processes
  - Check for unauthorized access points
  - Analyze trust relationships
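The "identify unauthorized user accounts" item from the UNIX checklist above (and the corresponding Windows item) as an added example, not part of the presentation. It parses `/etc/passwd`-format lines taken from the forensic image and compares them with a pre-incident copy, flagging accounts with UID 0 other than `root` (a backdoor that inherits root's privileges), accounts that did not exist in the baseline, and accounts whose login shell changed (a service account given an interactive shell). Both passwd texts are constructed for the example.

```python
"""Audit of UNIX accounts against a baseline (added example, not from the slides)."""
from typing import Dict, List

# Constructed sample: the pre-incident copy and the copy found on the image.
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
jsmith:x:1000:1000:J. Smith:/home/jsmith:/bin/bash
"""

PASSWD_SUSPECT = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/bin/sh
jsmith:x:1000:1000:J. Smith:/home/jsmith:/bin/bash
toor:x:0:0::/:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    users: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def audit_accounts(baseline_text: str, suspect_text: str) -> Dict[str, List[str]]:
    """Compare the account list on the image with the baseline and return findings."""
    base = parse_passwd(baseline_text)
    now = parse_passwd(suspect_text)
    return {
        # any UID-0 account besides root is root under another name
        "uid0_not_root": sorted(n for n, u in now.items() if u["uid"] == 0 and n != "root"),
        "new_accounts": sorted(n for n in now if n not in base),
        "removed_accounts": sorted(n for n in base if n not in now),
        "shell_changed": sorted(n for n in now if n in base and now[n]["shell"] != base[n]["shell"]),
        "uid_changed": sorted(n for n in now if n in base and now[n]["uid"] != base[n]["uid"]),
    }


if __name__ == "__main__":
    for finding, names in audit_accounts(PASSWD_BASELINE, PASSWD_SUSPECT).items():
        print(f"{finding}: {names}")
```

This covers only the passwd file; the same comparison should be made for `/etc/shadow` (blank password fields) and `/etc/group` (new members of `wheel` or `sudo`), and on Windows NT for the local Administrators group, which is the security-identifier review on the previous slide.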
37 Incident Response
- Security Measure Implementation [1]
  - If you are accumulating evidence for potential civil, criminal or administrative action, obtain that evidence BEFORE you implement any security measures
  - Isolation and containment
    - Prevent attackers from continuing their activities
    - Could be as simple as disconnecting the compromised computer from the network
    - The problem here is that you may still have to monitor the attacker's activities to gather evidence for criminal prosecution
    - Electronically isolate the computer: removing other computers from the same broadcast domain will limit the exposure of other systems
    - Network filtering ("fishbowling") will allow you to continue monitoring malicious activity while limiting further activity
38 Incident Response
- Network Monitoring [1]
  - Should start during the initial response and continue until the recovery is complete
  - It allows you to track the attacker, gaining crucial evidence
  - It provides assurance that there are no recurrences of similar incidents during recovery
  - Comprehensive monitoring should be used on the subnet hosting the target computer (a laptop configured with a sniffer that flags packet attributes as well as recording content is most appropriate)
  - Less comprehensive monitoring should be considered at the network boundaries
  - Decide what to monitor:
    - Log all traffic to and from the victim machine
    - Traffic originating at the victim system
39 Incident Response
- Recovery [1]
  - Hot backup on critical platforms
  - Restoration of relevant systems to a secure, operational state
  - Take into consideration both the level of compromise and the type and location of the system compromised
  - If the compromised system is part of a large trust environment, an attacker is likely to have cracked passwords for accounts that are valid across the domain. In that case every system that shares those accounts must be investigated and recovered
- Choosing a Recovery Strategy
  - Rebuilding from known-good media is essential
40 Incident Response
- Recovery [1]
- Choosing a Recovery Strategy (cont.)
  - Securing (hardening) the system involves:
    - Turning off unused services
    - Applying operating system and application patches
    - Enforcing strong passwords
    - Continuing competent administration
  - Backups can be used during recovery, but only if you are sure that the incident occurred after the backup was made
  - Security countermeasures: host-based controls, packet filters, firewalls, IDS, user education, and policy and procedures
41 Incident Response
- Reporting [1]
- Goals: Document, Document, Document
  - Reporting should be performed at every stage of incident response
  - A tedious, methodical process; failure to do it will lead to faulty conclusions and an inadequate response
  - Reports may be subject to the eyes of a judge, jury and attorneys
  - Reporting activities include supporting criminal or civil prosecutions, producing final reports and suggesting process development
42 Incident Response
- Follow-up [1]
  - Analyze the process conducted
  - Record lessons learned
  - Fix any problems
  - Steps after an employee leaves: an employee's hard drive is imaged to CD-ROM disks upon resignation, termination or internal transfer, should an examination need to take place at a later date
  - Recheck policies
  - Training: www.sans.org
43 Congressional Statutes
- Computer Fraud and Abuse Act (CFAA) [4]
  - The CFAA was first passed in 1984
  - At its inception, the Act was directed at the protection of classified information maintained on federal government computers, as well as the protection of financial records and credit information on government and financial institution computers
  - Broadened in 1986, when amendments extended protection to "federal interest computers"
  - Amended in 1996, with the phrase "protected computer" replacing the previous concept of "federal interest computer". Protection now covers all computers involved in interstate and foreign commerce, whether or not any federal government proprietary interest is implicated
44 Congressional Statutes
- Computer Fraud and Abuse Act (CFAA) [4]
- Effects of the Shurgard Storage Centers v. Safeguard Self Storage case
  - The judge agreed: "Unless otherwise agreed, the authority of any agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal."
  - The court found that the authority of the plaintiff's former employees ended when they allegedly became agents of the defendant
  - The employee could be subject to federal criminal sanction
  - Employers can now defend themselves in proprietary rights agreements
  - As a result, the disloyal employee was in effect treated as a hacker from the time he started acting as an agent for Safeguard
45 Congressional Statutes
- State computer crime laws can be found at http://nsi.org/Library/Compsec/computerlaw/statelaws.html
- Another general site for state laws: www.lawsource.com
- Incident Response, by Kevin Mandia and Chris Prosise [1]
46 What's Next
- Smart Cards
- VPNs (Virtual Private Networks)
- Biometrics
- Business-to-Customer Digital Certificates
47 Computer Crime Organizations [1]
- Forum of Incident Response and Security Teams (FIRST): www.first.org
- Incident Response: Investigating Computer Crime: www.incidentresponsebook.com
- Carnegie Mellon's CERT Coordination Center: www.cert.org
- Security Focus: www.securityfocus.com
- National Infrastructure Protection Center: www.nipc.gov
- Federal Computer Incident Response Center (FEDCIRC): www.fedcirc.gov
- Department of Defense Computer Emergency Response Team (DOD-CERT): www.cert.mil
48 Other Web Sites
- Cisco Computer Security (www.ciscoisecurity.com.sg)
- SearchSecurity.com (www.searchsecurity.com)
- Defaced Web Sites (www.attrition.org/mirror/attrition)
- The Information Systems Audit and Control Association Foundation (www.isaca.org)
- Association of Certified Fraud Examiners (www.cfenet.com)
- Safeback (New Technologies) (www.forensics-intl.com)
- EnCase (www.guidancesoftware.com)
- Center for Computer Forensics (www.computer-forensics.net)
- Computer Forensics Inc. (www.forensics.com)
- SANS Institute (www.sans.org)
- Computer Security Institute (www.gocsi.com)
- Infragard (www.infragard.net)
- Cyber Crime (www.cybercrime.gov)
49 Web Site of the Month for June 2002
50 Presenters
- Frank J. DeCandido, CPA, Vice President, Prudential Financial. Email: frank_decandido@prusec.com. Phone: 212-214-2037
- Thomas Doughty, First Vice President, Prudential Financial. Email: thomas_doughty@prusec.com. Phone: 212-778-4610
51 Bibliography
52 Bibliography (cont.)