Cyber Forensics: Collecting evidence for today’s data breaches - Eric Vanderburg - ISACA

Cyber Forensics:
Collecting evidence for today’s data breaches

ISACA
March 20, 2013

Eric A. Vanderburg, MBA, CISSP
Director, Cyber Security, Information Systems and
Computer Forensic and Investigation Services

Who Are We?

JurInnov works with organizations that want to
more effectively manage matters involving
“Electronically Stored Information” (ESI).
– Computer Forensics
– Cyber Security
– Electronic Discovery
– Document and Case Management

© 2013 Property of JurInnov Ltd. All Rights Reserved

JurInnov Ltd.
• Microsoft Certified Partner 2003 – 2012

• Ringtail Legal Volume Matters Award 2009, most data hosted

• Ringtail Legal 2010 Partner Consultants of the Year

• Industry Partners:
• Ringtail – 10 Year Partner
• Viewpoint
• Venio
• OrcaTec

• Honored by Inc. 5000 as One
of the Fastest-Growing Private
Companies, 2010


Blogs & Podcasts
• 50,000 Medicaid providers’
data breached
• Data breach threats of 2013
• Ignorance of the breach is
no excuse

• Over processing of ESI and
the Microsoft letter
• Predictive coding gets a
glossary
• LegalTech 2013


Overview
• Computer Forensics
• Cyber Forensics
– Detecting intrusions
– Network evidence
– Traffic analysis
– Statistical flow analysis
– Attack pattern analysis


What is Computer Forensics?
• Computer Forensics involves the preservation,
identification, extraction, documentation and
interpretation of computer data
– Kruse and Heiser, 2002


Why Computer Forensics?

• Reasons to use Computer Forensics
– Internal Company Investigations
• Alleged criminal activity
• Civil or Regulatory Preservation
– Receivership, Bankruptcy
– EEO issues
– Improper use of company assets
– Recovery of Accidentally or Intentionally Deleted Data
• Deleted is not necessarily deleted
• Recovery from Improper shutdowns


Collecting “ESI”

• Forensic Harvesting - Logical v Physical
– Logical copy (Active Files)
• Data that is visible via the O.S.
– Physical
• Logical + File Slack + Unallocated Space +
system areas (MBR, Partition table, FAT/MFT)

9

Types of “ESI”

• E-mail
• Office Files
• Database
• Volatile
• Legacy Systems
• Metadata


Sources of “ESI”
• Desktops • E-Mail
• Laptops • Archives
• CDs/DVDs • Cell Phones/PDAs
• Network Attached Storage
• Thumb Drives
Devices (NAS)
• Storage Area Networks • Memory Cards
(SAN) • External Storage Devices
• Servers • Cameras
• Databases • Printers
• Backup Tapes • GPS Devices


First Response
• First Steps Taken
– Identify users/custodians, electronic devices and
begin Chain of Custody
– Photograph and document full environment and
condition/state of devices
– Determine next steps depending on device(s) and
situation

1
© 2013 Property of JurInnov Ltd. All Rights Reserved 2

Computer Imaging
• Photograph, document and begin Chain of Custody
• Acquire live RAM (if possible/necessary)
• Shut down computer
– Pull plug (Windows/Mac)
– Properly shut down (Server/Linux/Unix)
• Determine imaging method and format
– Write Blocker
– Boot Disk
• USB / eSata / FireWire
• Crossover Cable

1

Microsoft Exchange Cont.
• Select Mailbox Collection
– Exchange 2003
• ExMerge
– Exchange 2007 & 2010
• Command Line/Power Shell


Registry Overview
• Windows Registry – central database of the
configuration data for the OS and applications.
• Registry Keys
– Software
– System
– SAM (Security Account Manager)
– NTUSER.dat


Software Key

• What Operating System Installed?
• Date/Time OS Installed
• Product ID For Installed OS
• Installed software
• Programs That Run Automatically at Startup (Place
to Hide Virus)
• User Profiles


System Key

• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System SHUT DOWN Time
• Time Zone


SAM & NTUSER.DAT Keys
• SAM
– Domain Accounts

• NTUSER.DAT
– Network Assigned Drive Letters
– Last Clean Shutdown Date/Time
– Recent Documents
– Program settings


Forensic Analysis
• Registry Analysis
– OS Install date/time
– Installed Software
– Startup programs
– Time Zone settings
– Last Shutdown time
– User information / Accounts
– Recently opened files
– Connected USB Devices
– Mounted Drives
– Recently used programs


Registry – OS Install Date


Registry – Installed Software


Registry – Startup Programs


Registry – Time Zone Settings


Registry – Last Shutdown Time


Registry – User Info/Accounts


Registry – Recently Opened


Registry – USB Devices


Registry – Mounted Drives


Registry – Recent Programs


Forensic Analysis
• USB / External HDD Analysis
– Serial Number
– Volume Serial Number
– Model
– First Connected
– Last Connected
– Friendly Name
– User who connected drive
– .LNK Files


USB/External HDD Analysis


Forensic Analysis
• Internet History
– Default internet browser
– Sites visited and frequency
– Date and time of last visit
• Recent Folder
– Recently accessed files/programs
• My Documents / User Folder(s)
– Usually where most user created data is located


Internet History Analysis


Forensic Analysis
• Deletion
– Recycle Bin
• Examine INFO2 records if file was sent to the recycle bin
– Contains the date & time the file was sent to the recycle bin
– Shows where the file resided before being sent to the recycle
bin
– Data Carving
– Evidence of wiping or wiping software
• Hex Editor sometimes helps to see wiping pattern if one
exists

– Example recovery of deleted document…..


“deleted.txt” exists on a disk


The file has been deleted


The directory listing…
Note the sigma character


Is the data really gone???

4

Sigma changed to Underscore

4

Hey … it’s back!


VOILA…


Deleted & Overwritten File


Recycle Bin Info Record Finder
• These files were recovered by searching for recycle bin header signatures in unallocated and slack space. These
records represent files that were contained in the recycle bin before it was emptied.

• Info records for file:
• Demo caseRevised demo imagesCRECYCLERS-1-5-21-1229272821-1592454029-839522115-1003INFO2

• Index :2
• Deleted : 11/06/07 03:30:54PM
• FileSize : 20480 bytes (20 KB)
• FilePath : C:Documents and SettingsDemoMy DocumentsABC Sports Agency - DeletedRec
• ycle Bin - ABC Balance Sheet.xls
• Offset : 820

• Index :2
• Deleted : 11/06/07 10:30:54AM
• FileSize : 20480 bytes (20 KB)
• FilePath : C:Documents and SettingsDemoMy DocumentsABC Sports Agency - DeletedRec
• ycle Bin - ABC Balance Sheet.xls
• Offset : 1080


Forensic Analysis
• File Signature Analysis
• File Hash Analysis

• Analysis Examples …

4

Signature Analysis


Open the picture


Hash Analysis


Forensic Analysis
• Key Term Searching
– Index full contents of the image for searching
– Tips for this method

• File Filtering
– Date ranges
– File type(s)
– Duplicates
– Known Files (KFF)
– Even combinations of multiple filters

5

Forensic Analysis
• Email Activity

• Printing Activity
– Look for printing spool/shadow files
• Can possibly contain the data that was sent to a printer

• Network Activity
• Network connections
• Wireless access points
• Shared network folders/files

5

Forensic Analysis
• Hiberfil.sys Analysis
– Data is written to “hiberfil.sys” file when a machine is put
in hibernation mode on the Windows OS
• Usually recent data
– May contain passwords, login information, temporary data,
whole or partial documents
• RAM Analysis
– Can only be acquired on a live system
• Analyst will change data on the system
– May contain passwords, login information, temporary data,
whole or partial documents, currently running processes

5

Forensic Analysis
• Unallocated Space
– Partial documents
– Overwritten files

• Drive Free Space

• File Slack

5

Mobile Device Acquisition
• Photograph, document and begin Chain of Custody
• Obtain password if enabled
• Obtain charger and maintain power to the device
• Cut off network communications
– Faraday bag or Airplane Mode
• Determine acquisition/data extraction method
– Device
• Cellebrite
• CellDek
• Device Seizure
• MPE+
– SIM Card – CellDek, Device Seizure or MPE+
– Media/SD Card - EnCase 5

Mobile Device Analysis
• Not to be considered an “Image”
– Extraction of artifacts from device’s databases
• Some Items That Can Be Acquired
– SMS/MMS
– Email
– Contacts
– Calendar
• Searching
– Able to search within the device’s extracted data for key
terms.
– Bookmark items that are relevant to the case

5

Mobile Device Analysis
• Reporting
– Tools include report generators
• HTML
• CSV / XLS
• PDF
– Include ALL items or only Bookmarked items
• Helps to limit amount of irrelevant data in the reports

5

Detecting Intrusions
• Validate authenticity of incident
– Indicators
– Automated identification and notification
• Detecting malware


Indicators
• Possible Indicators
– Presence of unfamiliar files
– Execution of unknown programs
– Unusual consumption of computing resources
– Unusual network activity
– System crashes


Indicators
• Probable indicators
– Unknown accounts
– Use of dormant accounts
– Reported attacks
– Activity at unexpected times
– Unusual email traffic


Indicators
• Most likely indicators
– Log alteration
– Presence of malicious code
– Presence of hacker tools
– Notification by partner or peer
– Notification by hacker
– Loss of availability
– Corrupt files
– Data breach
– Violation of policy
– Violation of law


Detecting Malware

• Virus – piggybacks on
other files or media. Virus
Replicates when loaded. Worm
• Worm – Self replicating,
multi-vector propagation
Bot
• Trojan - opens back
doors
• Bot
Trojan


Life Cycle
Await Clean
Exploit Rally Preserve Inventory
instructions
Update Execute Report
up

• Exploit
– Malicious code
– Unpatched vulnerabilities
– Trojan
– Password guessing
– Phish
• Rally - Reporting in
– Log into designated IRC channel and PM master
– Make connection to http server
– Post data to FTP or http form


Life Cycle
Await Clean
instructions
up

• Preserve
– Alter A/V dll’s
– Modify Hosts file to prevent A/V
updates
– Remove default shares (IPC$,
ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve Anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes


Life Cycle
Await Clean
instructions
up

• Inventory
– determine capabilities such as RAM, HDD,
Processor, Bandwidth, and pre-installed tools
• Await instructions from C&C server
• Update
– Download payload/exploit
– Update C&C lists


Life Cycle
Await Clean
instructions
up

• Execute commands
– DDoS
– Spam
– Harvest emails
– Keylog
– Screen capture
– Webcam stream
– Steal data
• Report back to C&C server
• Clean up - Erase evidence


Detecting malware
• Look for their activity
– Monitor traffic and directionality
– Look for IRC traffic
– Monitor A/V service states
– Look for modified A/V files
– Search for known bot file signatures offline


Network Evidence
• Volatile evidence
– Users logged on
– Open ports
– Active network connections
– Running processes
– Open files
• Network data
• Event logs


Command line
• Netstat –an lists active connections/open ports
• Netstat –rn Lists the local routing table
• Pslist Lists running processes
• Psloggedon List user logged on (local & remote)
• Now Displays current date and time
• Nlsinfo Lists system name and time zone
• Psfile Lists files opened remotely
• Ipconfig /all Shows adapter configuration
• Autorunsc Lists programs that run at startup
• Diskmap Lists drive information


Tools
• EnCase Portable
• FTK Imager

• Both tools can:
– Collect users, ports, processes, network
interfaces, ARP and routes
– Data carving


Equipment
• Network equipment storage
– Dynamic Random Access Memory (DRAM) – OS
config, process memory, routing tables, firewall
stats
– Content Addressable Memory (CAM) – MAC
address table
– Nonvolatile Random Access Memory (NVRAM) –
OS and startup config
– Read Only Memory (ROM) – boot loader


Switches
– Stored packets before they are forwarded
– CAM tables – MAC to port mapping
– ARP table – MAC to IP mapping
– ACL
– I/O Memory
– Running configuration
– Processor memory


Switches
• Persistent evidence
– OS Image
– Boot loader
– Startup configuration
• Off-system evidence
– Automatic configuration backups
– Compare running config or existing startup config
to backup and change mgmt


Routers
• Investigate routers to…
– Determine traffic flow
– Identify compromised routers
– Obtain log data from a choke point


Routers
– Routing tables
– Stored packets before they are forwarded
– Packet counts and statistics
– ARP table
– DHCP lease assignments
– ACL
– Running configuration


Routers
– OS image
– Boot loader
– If internal HDD, logs
– Alerts and logs from: Syslog, TFTP, SNMP


Firewalls
• Investigate firewalls to…
– Identify connection attempts
– Determine data volumes
– Open ports
– Allowed protocols
– Network segmentation (DMZ)


Firewalls
– Interface configurations
– ACLs
– VPN tunnels
– Routing table
– ARP cache
– Packet and frame statistics
– Command history


Firewalls
– OS image
– Boot loader
– If internal HDD, logs
– Config will show exported items
– Alerts and logs from: Syslog, TFTP, SNMP
– Access history
– Backup configurations


Web proxy
• Investigate web proxies to…
– View browsing history for the site
– Blocked web requests
– Attempts to circumvent monitoring
– Browsing baselines
– View pages as they were viewed by the individual


Web proxy
– Cached content in RAM
– Authentication information for web sites
– HTTP/HTTPS traffic history
• Blogs
• IM
• Web mail
• Web sites
– Blocked requests


Equipment
• Physical devices
– Video cameras
– Access control systems


Windows logs

– Windows NT – 2003 – Server 2008 - 2012
• Application • Includes 2003 logs plus:
• Security – Administrative events
• System – Setup
• Special – Server roles
– Directory Service • Organized by
– DNS Server installed roles with
– File Replication custom filters
Service
– Powershell


Linux Logs
• Logs based on syslog
• Organized by facility such as mail or web
• Syslog-ng – supports TLS encryption for shipped
logs
• Rsyslogd – Supports IPv6, RELP (Reliable Event
Logging Protocol), TLS, time stamping and zone
logging


Mac Logs
• Stored in library/logs
• Over 100 logs including:
– System.log
– Mail.log
– Appfirewall.log
– Install.log


Event Log Sources
• What logs exist?
• Where are they stored?
• What are our technical options for accessing
them?
• Who controls the event logs?
• How do we get permission to access and collect
them?
• How forensically sound are the event logs?
• Are the target systems capable of additional
logging?


Event Log Resources
• How much storage space will we need?
• How much time do we have for collection and
analysis?
• What tools, systems and staff are available for
collection and analysis?


Event Log Sensitivity
• How critical are the systems that store event
logs?
• Can they be removed from the network?
• Can they be powered off?
• Can they be accessed remotely?


Event Log Sensitivity
• Would copying logs from these systems have a
detrimental impact on equipment or network
performance or availability?
– If so, can we minimize the impact by collecting
evidence at specific times?
– Will a delay in collection reduce the quality of the
evidence?
– Will a delay in collection reduce the likelihood of
containing and resolving the incident?


Log Collection - Summary
• Physical
• Manual remote
• Central log aggregation


Log Collection - Physical

• Make bit-for-bit forensic HDD copy
• Extract logs from copy
– Pros: – Cons:
• Exact copy available for • Potentially need to touch
court many machines
• Well-established forensic • Forensic image takes time
process • Forensic image impacts
production
• Direct access needed –
potential travel and
increased time for data to
grow stale


Network Data Collection
• Photograph and document
• Coordinate with IT to determine location of desired
shares/folders
• Obtain proper credentials to access target data
• Attach forensically wiped hard drive to server or
workstation with local network access
• Run FTK Imager Lite from attached hard drive
• Create Custom Content Image (.AD1) of target
shares/folders
• Verify image MD5 hash value

9

Network Data AD1 Image

Add Contents of a
Folder

9

Network Data AD1 Image
Create Custom Content
Image

Verify Hash Value of AD1

9

Log Collection – Manual Remote

• Collect through: RDP, SSH, SMB, or HTTP
• Hash log on source
• Copy log to remote media
• Hash log on remote media and verify
– Pros: – Cons:
• Fast collection of logs • Increased network
activity
• System is modified
through logon


Log Collection - Central Log

• Logs automatically synced or shipped to central
server
• Make bit-for-bit forensic HDD copy of collection
server
• Extract logs from copy
– Pros: – Cons:
• Avoids log rollover • Possibly a huge forensic
• Fastest collection image
• Forensic image can be taken • Logs could be incomplete
offline w/o production due to network congestion
impact or corruption
• Original systems not
changed


Traffic Analysis
• Where to start
• Collection


Starting point
• Network schematic
• Server roles
• Baselining – normal profile
– Destination IP addresses
– Ports
– Protocols
– Volume of data and directionality


Collection
• Packet analysis
– Libpcap and WinPcap
– Wireshark
• Traffic analysis
– Networkminer
• Persistent packet sniffing
– Data available when needed
– High disk and CPU requirement
– Must be highly secure
• Activity pattern matching


Wireshark - Interface

Packet list 

Packet details 

Packet bytes 


Wireshark
• Filtering
– Frame contains “search term”
• Flow – sequence of packets comprising a single
communication segment.
– EX: Connection, Negotiation, File Request, File
delivery, checksum, acknowledgment, termination
– Flow record – subset of information from a flow
such as source and destination IP, protocol, date
or time


Networkminer
• Traffic analysis tool
• Graphical breakdown of…
– Hosts
– Images
– Files
– Email
– DNS
– Sessions


Statistical Flow Analysis
• Analyze for trends and anomalies
• Flow record
• Forensic steps
• Tools


Flow record
• Information on communication
• Source and destination IP
• Source and destination port
• Protocol
• Date and time
• Size

1

Forensic steps
• Identify suspicious:
– IP addresses
– Ports
– Dates and times
• Were lots of packets denied?
• Was more traffic than normal sent?
• Were protocols used that are not normally used?
• Was the directionality of the flow different?


Quick and Fast Rules
• Compromised hosts generally send out more
information
• Patterns (sending perspective)
– Many-to-one – DDoS, Syslog, data repository,
email server
– One-to-many – web server, email server, SPAM
bot, warez, port scanning
– Many-to-many – P2P, virus infection
– One-to-one – normal communication, targeted
attack


Flow record export protocols
• Netflow
• sFlow
• IPFIX (IP Flow Information Export)
– Push protocol


Tools
• Graphical • Command Line
– EtherApe – Iperf
– FlowTraq – Argus
– Cacti – Nfdump
– FlowMon – SiLK
– MTRG
– NetLimiter
– OmniPeek


EtherApe
• Network traffic is displayed
graphically
• Node and link color shows
the most used protocol
• View protocol stack
• Shows within your network,
end to end IP, or even port
to port TCP
• Data can be captured "off
the wire" from a live
network connection, or read
from a capture file


FlowTraq

• Alerting
• Scheduled
Reports
• Support for IPv6
• Supports
NetFlow, Sflow,
Cflow, Jflow
• Dashboard


Cacti
• Great graphs that can be modified
to show time periods, protocols,
devices and more


FlowMon
• Can handle large amounts of
data (up to 10Gbps)
• Supports NefFlow v5/v9 and
IPFIX


Attack Pattern Analysis
• Using an IDS to analyze data
• Scan for viruses on images
• Review darknet or honeynet data


Snort Architecture

Determine actions
• Drop and log
Capture Anomaly (pcap)
packets detection • Drop, no log
Reassemble Passed
on
and analyze • protocol to rule • Accept
bound
protocol • frame engine • Accept and log
interfac
e(s) • packet (pcap)
• Notify

114

Send pcap to snort
• Install snort on analysis machine
• Update rules
• snort -c C:snortetcsnort.conf -l c:snortlog -y
-r c:sample-pcap_3-19-2013.pcap


Snort output from pcap

Source: https://sickbits.net/snort-offline-analysis/


Prioritize
• Determine impact
– Productivity loss
– Reputation loss
– Damage to customers or partners
– Competitive advantage loss
• Determine regulatory requirements
• Determine whether legal action is required or
desired


Notify
• Contact key individuals
• Provide each with
information on need to
know basis
• Involve necessary outside
parties


Strategize
• Follow IRP steps if it exists
• Determine preservation need
– Computers
– Network data
– Email accounts
– System logs
– Volatile data
• Rapid containment vs. monitoring/tracking
• Outline data necessary for regulatory notification
requirements
• Document preservation and remediation steps
• Assign specific responsibilities and due dates


Analyze
• Analyze data
• Provide evidence to attorneys
• Testify if necessary
• Keep data until destruction or return is
requested


Remediate
• Notify external parties such as customers,
government agencies or shareholders
• Perform remediation steps
– Server hardening
– Patch deployment
– Data removal request
– Disable accounts
– Change permissions
– Modify security settings
• Validate that remediation was successful


Reflect
• Debrief (After-action review)
– Rank less discussion
– What was the goal?
– Were goals achievable?
– Successes
– Pitfalls
– Lessons learned
– Action items and responsibilities
• Refine plans and processes
• Create new IRPs


For assistance or additional information

• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: eric.vanderburg@jurinnov.com

JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115


Cyber Forensics: Collecting evidence for today’s data breaches - Eric Vanderburg - ISACA

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Cyber Forensics: Collecting evidence for today’s data breaches - Eric Vanderburg - ISACA

Semelhante a Cyber Forensics: Collecting evidence for today’s data breaches - Eric Vanderburg - ISACA (20)

Mais de Eric Vanderburg

Mais de Eric Vanderburg (20)

Último

Último (20)

Cyber Forensics: Collecting evidence for today’s data breaches - Eric Vanderburg - ISACA