EMERGING TECHNOLOGIES COMMITTEE JUNE 17, 2002 Frank DeCandido, CPA, Vice President Prudential Financial - PowerPoint PPT Presentation

Provided by: nysscpaOr
Learn more at: https://www.nysscpa.org


1
COMPUTER FORENSICS
  • EMERGING TECHNOLOGIES COMMITTEE, JUNE 17, 2002
  • Frank DeCandido, CPA, Vice President,
    Prudential Financial
  • Thomas Doughty, First Vice President, Manager,
    Information Security, Prudential Financial

2
Table of Contents
COMPUTER FORENSICS
  • Content
    Page
  • Evolution of Fraud 3-5
  • 2002 FBI/Computer Security Institute Annual
    Survey 6-8
  • Incident Response 9-42
  • Congressional Statutes 43-45
  • What's Next 46
  • Computer Crime Organizations 47
  • Other Websites 48
  • Website of the Month for June 2002 49
  • Presenters 50
  • Bibliography 51-52

3
Evolution of Fraud
COMPUTER FORENSICS
  • CPE Classes used to concentrate on Corporate
    Fraud
  • Check Kiting
  • Check Fraud
  • Credit Card Fraud
  • Advise do not write checks with Felt Pen

4
Evolution of Fraud
COMPUTER FORENSICS
  • Over the years Computer Fraud became more
    prevalent
  • Hackers
  • Viruses
  • Firewalls

5
Evolution of Fraud
COMPUTER FORENSICS
  • Evolution of the Internet has opened up the flood
    gates in the way of access to personal and
    business information.

6
2002 FBI/Computer Security Institute Annual
Survey [7]
COMPUTER FORENSICS
  • The Computer Security Institute (CSI),
    http://www.gocsi.com/, is the world's leading
    membership organization specifically dedicated
    to serving and training the information, computer
    and network security professional.
  • Started Survey in 1995
  • On April 7, 2002 issued the results of its
    Seventh Annual Computer Crime and Security
    Survey
  • Heaviest concentration in High Tech (19%) and
    Financial Services (19%)

7
2002 FBI/Computer Security Institute Annual
Survey [7]
COMPUTER FORENSICS
  • Results
  • 90% of respondents detected computer security
    breaches within the last 12 months
  • 80% acknowledged financial losses due to computer
    breaches
  • 44% were willing to and/or able to quantify their
    losses ($445 million)
  • Most serious financial losses occurred through
    the theft of proprietary information and
    financial fraud
  • For the 5th year in a row, more respondents cited
    their Internet connection as a frequent point of
    attack than cited their internal systems as a
    frequent point of attack
  • 34% reported the intrusions to law enforcement
    (16% in 1996)
  • 44% - systems penetration from the outside
  • 44% - denial of service attacks
  • 78% - employee abuse of Internet access
    privileges (downloading)
  • 85% - detected computer viruses

8
2002 FBI/Computer Security Institute Annual
Survey [7]
COMPUTER FORENSICS
  • If your Organization Has Experienced Computer
    Intrusion(s) Within the Last Twelve Months, Which
    of the Following Actions Did You Take?
  • 77% Patched Holes
  • 40% Did Not Report
  • 34% Reported to Law Enforcement
  • 19% Reported to Legal Counsel

9
Incident Response
COMPUTER FORENSICS
  • Methodologies [1]
  • Definition of Computer Forensics
  • Pre-Incident Preparation
  • Detection
  • Initial Responses
  • Strategies (Tom Doughty to Discuss)
  • Forensic Process
  • Investigation
  • Security Measure Implementation
  • Network Monitoring
  • Recovery
  • Reporting
  • Follow-up

10
Computer Forensics
COMPUTER FORENSICS
  • forensics [6], n. (used with a sing. verb)
  • The art or study of formal debate; argumentation.
  • The use of science and technology to investigate
    and establish facts in criminal or civil courts
    of law.
  • Computer Forensic Service deals with
    preservation, identification, extraction and
    documentation of computer related evidence on
    computer storage media. [5]
  • Process of unearthing data of probative value
    from computer and information systems. [1]
  • Computer Forensics is the collection,
    preservation, analysis and court presentation of
    computer related evidence. [12]

11
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1]: Why is it
    important? Common Themes
  • Preparation for a computer related incident will
  • help create an infrastructure that provides quick
    resolution after an incident occurs (computer
    data is easily altered or erased)
  • help in the preservation of the evidence
  • provide thorough, complete documentation needed
    to verify integrity of files
  • help provide technical and procedural measures
    that need to be in place so some of the basic but
    vital questions can be answered quickly to
    expedite the collection of evidence
  • Preserve Chain of Custody
  • prevent poor performance
  • University studies have found that more than 90%
    of all information is now created in digital form
    (University of Berkeley 93)

12
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Establish Computer Incident Response Team
  • Point of Contact?
  • During business hours, after business hours,
    holidays and weekends
  • 24/7 Availability
  • Establish Team's Mission
  • Members of the Team
  • Systems
  • Human Resources
  • Corporate Security
  • Legal (Internal)
  • Accounting (Financial Fraud)
  • Outside Consultants (Incident by Incident)
  • Law Enforcement (Incident by Incident)
  • Senior Management (Incident by Incident)

13
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Preparation steps to take to verify integrity of
    files
  • Response Tool Kit
  • Hardware (see page 14)
  • Software (Safeback, EnCase, or other Forensic
    software packages)(see page 15)
  • Network Monitoring Platform
  • Create a known-good copy of the system on a
    regular basis. This allows the known-good files
    to be compared with the corrupted files.
  • Cryptographic Checksums/Fingerprint
  • Created by applying an algorithm to a file
  • Unique to that file
  • Create Checksums for critical files BEFORE an
    incident occurs and compare to the file after the
    incident occurs
  • Most commonly used is the MD5 Algorithm (SAVE
    OFFLINE)
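The checksum workflow on this slide, as an added Python example that is not part of the presentation: fingerprint critical files before an incident, store the baseline for offline safekeeping, and compare the live system against it afterwards. The function names are my own; the algorithm is a parameter because the slide names MD5, which is no longer collision resistant, so a baseline you intend to rely on today should use SHA-256.

```python
import hashlib
import json
from pathlib import Path

# Added example, not from the presentation. The slide names MD5; it stays the
# default so the example matches the slide, but MD5 collisions are practical
# today, so pass algorithm="sha256" for a baseline you intend to rely on.


def file_fingerprint(path, algorithm="md5", chunk_size=65536):
    """Hex digest of one file, read in chunks so large files fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, algorithm="md5"):
    """Fingerprint every regular file below `root`.

    Keys are paths relative to `root` (POSIX form) so the baseline can be
    compared from a different mount point or a restored copy later.
    """
    root = Path(root)
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        files[path.relative_to(root).as_posix()] = file_fingerprint(path, algorithm)
    return {"algorithm": algorithm, "files": files}


def save_baseline(baseline, dest):
    """Write the baseline as JSON. Keep this copy OFFLINE (write-once media or a
    host the monitored system cannot reach): an intruder who can alter a file on
    the system must not be able to alter its recorded fingerprint as well."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    """Read a baseline written by save_baseline."""
    return json.loads(Path(src).read_text())


def compare_to_baseline(root, baseline):
    """Re-fingerprint `root` with the baseline's algorithm and report differences.

    Returns sorted lists of files whose content changed ("modified"), files that
    did not exist when the baseline was taken ("added"), and baseline files that
    are no longer present ("missing"). Every entry is a lead for the
    investigation; restore from the known-good copy, not from the live file.
    """
    current = build_baseline(root, baseline["algorithm"])["files"]
    known = baseline["files"]
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "added": sorted(p for p in current if p not in known),
        "missing": sorted(p for p in known if p not in current),
    }
```

Run build_baseline over the directories that hold system binaries and configuration, and write the JSON to media the monitored host cannot write to.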

14
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Hardware Needed

15
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Software Needed

16
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Preparation steps to take to verify integrity of
    files
  • Increase or Enable Secure Audit Logging:
    configuring log files can make them more
    complete and less likely to be corrupted.
  • UNIX: Controlling Logging, Remote Logging and
    Process Accounting
  • WINDOWS: Security Auditing, Auditing File and
    Directory Actions, Remote Logging
  • Topology/Architecture Maps
  • The arrangement in which the nodes of a LAN are
    connected to each other
  • Enhance host and network logging, and make sure
    that backups are performed on a regular basis.

17
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • What are the threats to your organization?
  • Types of Damage: Loss of Business? Reputation?
  • Concerned about loss of Intellectual Property?
  • Destruction of Databases?
  • Who poses a threat?
  • Do you fear an outside intrusion?

18
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Preparation steps to take to verify integrity of
    files
  • Others (Security)
  • Firewalls/Intrusion Detection
  • Ford Levy, CPA from Maxwell, Shmerler Company
    will be presenting a session on Firewalls on
    Tuesday, July 9, 2002 at 9am.
  • Perform a Trap and Trace (check legal
    requirements)
  • Monitoring at the User Level
  • Violation Logs
  • Improperly Configured Devices
  • Exception Processes
  • Monitor Internet Activity
  • Monitor Employee Modems

19
Incident Response
COMPUTER FORENSICS
  • Pre-Incident Preparation [1] (cont)
  • Preparation steps to take to verify integrity of
    files
  • Others (Security)
  • Scanning Network
  • Back up critical data
  • Access Control Lists on Routers
  • Encrypt Network Traffic
  • Build Up Your Host's Defense: use the latest
    release and make sure that all patches, hot fixes
    and updates are installed
  • Educate Users
  • No external software

20
Incident Response
COMPUTER FORENSICS
  • Detection [1]
  • Alerts about suspicious activities should be made
    through Firewall/Intrusion Detection Systems (IDS)
  • Alert should be immediate
  • Black Ice at the Individual level

21
Incident Response
COMPUTER FORENSICS
  • Initial Response [1]
  • Use of Notification Checklist to list all
    pertinent details
  • Point of Contact
  • Assemble Response Team
  • Which hardware/software?
  • What time/place?
  • Nature?
  • Record all pertinent facts (Platform, Ports/IP
    Address, etc)
  • Immediate Actions to be taken from the standpoint
    of who is monitoring
  • Network Mapping confirming an incident has or is
    occurring
  • Evaluation of incident (use of Cryptographic
    Checksums/Fingerprint)
  • Type of Incident and Business Impact is
    determined.

22
Incident Response
COMPUTER FORENSICS
  • Strategies [1]
  • Denial of Service: Reconfigure Routers
  • Virus Outbreak: Isolate machine as soon as
    possible
  • If a workstation in a development population is
    affected, segregate the network (turn off choke
    points)
  • Awareness/Communication/Documentation of
    Policies
  • Factors
  • Critical Systems Affected?
  • Sensitivity of the compromised information?
  • Who are the perpetrators and what is their skill
    level?
  • Is the incident known to the public?
  • Dollar loss involved?
  • Tolerance of user and system downtime?

23
Incident Response
COMPUTER FORENSICS
  • Strategies [1] (Cont)
  • Host Based Intrusion Detection
  • Response Focused/Overhead Maintenance Intensive
  • Perimeter Based Intrusion Detection
  • Easier to administer
  • Review Risk Assessment Policies.

24
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1]
  • Also known as Digital Evidence Analysis or
    Computer Media Analysis
  • Common Themes
  • Preservation of Evidence is key
  • Thorough documentation
  • Look at the Judicial Process

25
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Maintain Chain of Custody of evidence
  • Create evidence tags
  • Time and Date of the action
  • Number assigned to the case
  • Evidence Tag
  • Was consent required?
  • Who the evidence belonged to?
  • Description of the evidence
  • Who received the evidence and signature?
  • Track any transfers of evidence
  • E.g. hard drives to CD-ROM

26
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Maintain Chain of Custody of evidence
  • Document Information about the Item(s)
  • E.g. duplication of mail servers
  • Occupants of the office
  • Names of employees who have access to the office
  • Location of computer systems in the room
  • State of systems (powered on or not)
  • People present in the room at the time of the
    forensic duplication
  • Serial numbers, models and makes of the hard
    drives
  • Peripherals attached to the systems.

27
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Maintain Chain of Custody of evidence
  • Initial Response
  • Steps before Forensic Duplication [3]
  • If the Computer is OFF, DO NOT TURN ON
  • If the Computer is ON,
  • (1) DO NOT POWER DOWN: items will be lost such as
    memory contents, state of network connections,
    state of running processes, contents of the
    storage media and contents of removable and
    backup media [1]
  • (2) Photograph screen and disconnect all power
    sources; unplug from the back of the computer
  • (3) Interrupting power from the back of the
    computer will defeat an uninterruptible power
    supply

28
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Maintain Chain of Custody of evidence
  • Initial Response
  • Steps before Forensic Duplication (cont)
  • For Laptops, locate and remove the battery pack
    if the laptop does not shutdown when the power
    cord is removed
  • Place evidence tape over each drive slot
  • Photograph/diagram and label back to computer
    components with existing connections
  • Label all connector/cable ends to allow
    reassembly as needed
  • If transporting is required, package components
    and transport/store components as fragile cargo
  • Keep away from magnets, radio transmitters and
    other potentially damaging elements

29
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Maintain Chain of Custody of evidence
  • Initial Response
  • Steps before Forensic Duplication (cont)
  • Collect all peripheral devices, cables, keyboards
    and monitors
  • Collect all instructional manuals, documentation
    and notes (user notes may contain passwords)
  • On Networked or Business Computers: Secure the
    scene. Do not let anyone touch except Network
    trained personnel
  • Pulling the plug could severely damage the
    system, disrupt legitimate business and create
    officer and department liability

30
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Performing Forensic Duplication [1]
  • Perform all analysis on a copy restored from the
    duplicate image
  • When is Forensic duplication necessary?
  • Likely to be judicial action
  • High Profile Incident
  • Significant dollar loss
  • Will you need to undelete data or search free or
    slack space to unearth evidence
  • If you said yes to any of these questions, then
    you would need to perform a forensic backup

31
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Performing Forensic Duplication [1]
  • Approaches
  • Remove the hard drive from the suspect computer
    and attach it to a forensics workstation
  • Traditional
  • Safeback, UNIX dd command, EnCase
  • Attaching a hard drive to the suspect computer
  • Just as common as the first
  • Same methodology as first
  • Forensics experts typically carry a forensics
    workstation, which minimizes hardware and
    software problems
  • Sending the disk image over a closed network to
    the forensics workstation as it is created.
  • Usually done when a UNIX system is used as the
    imaging platform.

32
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Performing Forensic Duplication [1]
  • Requirements for Forensic Duplication Tools
  • Must image every byte of data on the storage
    medium from beginning of the drive to the
    maintenance track
  • Handle read errors in a robust manner
  • Must not make changes to the original evidence
  • Must be able to be held up to scientific testing
    and analysis
  • Results must be repeatable and verifiable by a
    third party
  • File created using a checksum or hashing
    algorithm
  • This functionality may be performed concurrently
    with the creation of the file or at the end of
    the imaging process
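As an added Python example that is not part of the presentation, the tool requirements above in miniature: every block is copied from byte 0 of the source until it reports end of data, an unreadable block is logged and replaced with zeros instead of aborting the image (the behaviour of dd conv=noerror,sync), the hash is fed concurrently with the write, and an independent re-hash lets a third party verify the result. BadSectorSource is a constructed in-memory stand-in for a failing drive, and the function names are my own.

```python
import hashlib
import io

# Added example, not from the presentation. Function names are my own.


class BadSectorSource(io.BytesIO):
    """Constructed test double, not a real device: an in-memory drive that raises
    OSError when a read starts at one of `bad_offsets`, imitating a failing sector."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("I/O error reading sector at offset %d" % self.tell())
        return super().read(size)


def image_source(src, dst, block_size=512, algorithm="md5"):
    """Copy every block of `src` (an open, read-only binary file object such as a
    raw device) to `dst` (an open writable binary file object).

    - Starts at byte 0 and stops only when the source reports end of data, so the
      image covers the whole medium rather than just a filesystem.
    - A block whose read raises an error is recorded by offset and replaced with
      zeros so later data keeps its original offsets (what `dd conv=noerror,sync`
      does).
    - The hash is fed exactly the bytes written, concurrently with the copy, so
      the returned digest describes the image without a second pass.
    Returns (bytes_written, unreadable_offsets, hexdigest).
    """
    digest = hashlib.new(algorithm)
    written, offset, unreadable = 0, 0, []
    while True:
        try:
            src.seek(offset)  # re-position explicitly so a failed read cannot desync us
            block = src.read(block_size)
        except OSError:
            unreadable.append(offset)
            block = b"\x00" * block_size
        if not block:
            break
        dst.write(block)
        digest.update(block)
        written += len(block)
        offset += len(block)
    return written, unreadable, digest.hexdigest()


def verify_image(image_path, expected_hexdigest, algorithm="md5", chunk_size=1 << 20):
    """Independently re-hash the finished image; anyone holding the image and the
    recorded digest can repeat this, which is what makes the result verifiable."""
    digest = hashlib.new(algorithm)
    with open(image_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_hexdigest


def image_device(src_path, dst_path, block_size=512, algorithm="md5"):
    """Image a device or file at `src_path` into `dst_path`.

    The source is opened read-only and never written to; a hardware write
    blocker remains the proper safeguard for the original evidence. Returns the
    tuple from image_source plus the outcome of an independent verification.
    """
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        written, unreadable, hexdigest = image_source(src, dst, block_size, algorithm)
    return written, unreadable, hexdigest, verify_image(dst_path, hexdigest, algorithm)
```

Record the returned digest and the list of unreadable offsets in the evidence documentation; the offsets tell a later examiner exactly which regions of the image are padding rather than original data.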

33
Incident Response
COMPUTER FORENSICS
  • Forensics Process [1] (Cont)
  • Performing Forensic Analysis [1]
  • Divided into two layers
  • Physical Analysis
  • String Searches
  • Search and Extract
  • Extracting File Slack and Free Space
  • Logical Analysis
  • Understanding Where Evidence Resides
  • The Physical Layer
  • Data Classification Layer
  • Blocking Format Layer
  • Storage Space Allocation Layer
  • Information Classification and Application
    Storage Layers

34
Incident Response
COMPUTER FORENSICS
  • Investigation
  • Conducted on a forensic duplication of a relevant
    system
  • Collecting information stage
  • What was harmed?
  • How was it damaged?
  • Who was to blame? Establishing identity behind
    the people on a network is increasingly
    difficult
  • How to fix the compromise.
  • The proper collection and analysis of computer
    evidence through accepted computer science
    protocol is a critical component to any internal
    investigation or audit where the results have
    potential to be presented in legal proceedings [12]

35
Incident Response
COMPUTER FORENSICS
  • Investigation
  • Windows NT/2000 [1]
  • Review all pertinent logs
  • Perform keyword searches
  • Review relevant files
  • Identify unauthorized user accounts or groups
  • Identify rogue processes
  • Look for unusual or hidden files
  • Check for unauthorized access points
  • Examine jobs run by the scheduler service
  • Analyze trust relationships
  • Review security identifiers.

36
Incident Response
COMPUTER FORENSICS
  • Investigation
  • UNIX [1]
  • Review all pertinent logs
  • Perform keyword searches
  • Review relevant files
  • Identify unauthorized user accounts or groups
  • Identify rogue processes
  • Check for unauthorized access points
  • Analyze trust relationships.

37
Incident Response
COMPUTER FORENSICS
  • Security Measure Implementation [1]
  • If you are accumulating evidence for potential
    civil, criminal, or administrative action, obtain
    that evidence BEFORE you implement any security
    measures.
  • Isolation and Containment
  • Prevent attackers from continuing their
    activities
  • Could be as simple as disconnecting compromised
    computer from the network
  • The problem here is that you may still have to
    monitor the attacker's activities to gather
    evidence for criminal prosecution
  • Electronically isolating the computer (removing
    other computers from the same broadcast domain)
    will limit the exposure of other systems
  • Network filtering (fishbowling) will allow you
    to continue monitoring malicious activity while
    limiting further activity

38
Incident Response
COMPUTER FORENSICS
  • Network Monitoring [1]
  • Should start during the initial response and
    continue until the recovery is complete
  • It allows you to track the attacker, gaining
    crucial evidence
  • It provides assurance that there are no
    recurrences of similar incidents during recovery.
  • Comprehensive monitoring should be used on the
    subnet hosting the target computer (laptop
    configured with a sniffer that flags packet
    attributes as well as record content is most
    appropriate)
  • Less comprehensive monitoring should be
    considered at the network boundaries
  • Decide what to monitor.
  • Log all traffic to and from the victim machine
  • Traffic originating at the victim system

39
Incident Response
COMPUTER FORENSICS
  • Recovery [1]
  • Hot Backup on Critical Platforms
  • Restoration of relevant systems to a secure,
    operational state
  • Take into consideration both the level of
    compromise and the type and location of system
    compromised
  • If the system compromised is part of a large
    trust environment, an attacker is likely to have
    cracked passwords for accounts that are valid
    across the domain. In that case every system
    that shares that account must be investigated and
    recovered
  • Choosing a Recovery Strategy
  • Rebuilding from Known-good media is essential

40
Incident Response
COMPUTER FORENSICS
  • Recovery [1]
  • Choosing a Recovery Strategy (cont)
  • Securing (hardening) the system involves
  • Turning off unused services
  • Applying operating system and application
    patches
  • Enabling strong passwords
  • Continuing competent administration
  • Backups can be used during recovery but only if
    you are sure that the incident occurred after a
    backup was made
  • Security Countermeasures
  • Host based controls, packet filters, firewalls,
    IDS, user education, and policy and procedures.

41
Incident Response
COMPUTER FORENSICS
  • Reporting [1]
  • Goals
  • Document
  • Document
  • Document
  • Reporting should be performed at every stage of
    Incident Response
  • Tedious, Methodical Process
  • Failure to do so will lead to faulty conclusions
    and inadequate response
  • Reports may be subject to the eyes of a judge,
    jury and attorneys
  • Reporting activities include supporting criminal
    or civil prosecutions, producing final reports
    and suggesting process development.

42
Incident Response
COMPUTER FORENSICS
  • Follow-up [1]
  • Analyze the process conducted
  • Record lessons learned
  • Fix any problems
  • Steps after an employee leaves
  • An employee's hard drive is imaged to CD-ROM
    disks upon resignation, termination or internal
    transfer, should an examination need to take
    place at a later date
  • Recheck Policies
  • Training www.sans.org

43
Congressional Statutes
COMPUTER FORENSICS
  • Computer Fraud and Abuse Act (CFAA) [4]
  • CFAA was first passed in 1984
  • At its inception, the Act was directed at the
    protection of classified information that was
    maintained on federal government computers, as
    well as the protection of financial records and
    credit information on government and financial
    institution computers.
  • Broadened in 1986 when certain amendments
    extended protection to the "federal interest
    computer".
  • Amended in 1996, with the phrase "protected
    computer" replacing the previous concept of
    "federal interest computer". Protection now
    covered all computers involved in interstate and
    foreign commerce, whether or not any federal
    government proprietary interest is implicated.

44
Congressional Statutes
COMPUTER FORENSICS
  • Computer Fraud and Abuse Act (CFAA) [4]
  • Effects of the Shurgard Storage Centers vs.
    Safeguard Self Storage Case
  • The judge agreed: "Unless otherwise agreed, the
    authority of any agent terminates if, without
    knowledge of the principal, he acquires adverse
    interests or if he is otherwise guilty of a
    serious breach of loyalty to the principal."
  • The court found that the authority of the
    plaintiff's former employees ended when they
    allegedly became agents of the defendant.
  • The employee could be subject to federal criminal
    sanction.
  • Employers can now defend themselves in
    proprietary rights agreements.
  • As a result, the disloyal employee was in effect
    treated as a hacker, from and after the time he
    started acting as an agent for Safeguard.

45
Congressional Statutes
COMPUTER FORENSICS
  • State Computer Crime Laws can be found at
  • http://nsi.org/Library/Compsec/computerlaw/statelaws.html
  • Another general site for State Laws
  • www.lawsource.com
  • Incident Response, by Kevin Mandia and Chris
    Prosise

46
What's Next
COMPUTER FORENSICS
  • Smart Cards
  • VPNs (Virtual Private Networks)
  • Biometrics
  • Business To Customer Digital Certificates

47
Computer Crime Organizations [1]
COMPUTER FORENSICS
  • Forum of Incident Response and Security Teams
    (FIRST)
  • www.first.org
  • Incident Response Investigating Computer Crime
  • www.incidentresponsebook.com
  • Carnegie Mellon's CERT Coordination Center
  • www.cert.org
  • Security Focus
  • www.securityfocus.com
  • National Infrastructure Protection Center
  • www.nipc.gov
  • Federal Computer Incident Response Center
    (FEDCIRC)
  • www.fedcirc.gov
  • Department of Defense Computer Emergency Response
    Team (DOD-CERT)
  • www.cert.mil

48
Other Web Sites
COMPUTER FORENSICS
  • Cisco Computer Security (www.ciscoisecurity.com.sg)
  • Search Security.com (www.searchsecurity.com)
  • Defaced Web Sites (www.attrition.org/mirror/attrition)
  • The Information Systems Audit and Control
    Association Foundation (www.isaca.org)
  • Association of Federal Fraud Examiners
    (www.cfenet.com)
  • Safeback (New Technologies) (www.forensics-intl.com)
  • EnCase (www.guidancesoftware.com)
  • Center for Computer Forensics (www.computer-forensics.net)
  • Computer Forensics Inc. (www.forensics.com)
  • SANS Institute (www.sans.org)
  • Computer Security Institute (www.gocsi.com)
  • Infragard (www.infragard.net)
  • Cyber Crime (www.cybercrime.gov)

49
Web Site of the Month of June 2002
COMPUTER FORENSICS
50
Presenters
COMPUTER FORENSICS
Frank J. DeCandido, CPA, Vice President,
Prudential Financial, Email frank_decandido@prusec.com,
Phone 212-214-2037
Thomas Doughty, First Vice President,
Prudential Financial, Email thomas_doughty@prusec.com,
Phone 212-778-4610
51
Bibliography
COMPUTER FORENSICS
52
Bibliography
COMPUTER FORENSICS