Which term is defined as the use of science and technology to investigate and establish facts in criminal or civil courts of law?

Presentation transcript: "Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law. Computer Forensics: Commonly defined..."

Slide 1: What is Computer Forensics?
Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law.
Computer Forensics: Commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence. Gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a computer system.

Slide 2: What is Computer Forensics?
Understand what happened:
- Proper acquisition and preservation of computer evidence.
- Authentication of collected data for court presentation.
- Recovery of all available data, including deleted files.
- Prevention of future incidents.
Often similar problems to audit, but the audit trail may be inadequate:
- Audit information incomplete/insufficient
- Audit trail damaged
- We don't own the computer

Slide 3: What is the Challenge?
- Audit information incomplete/erased
  - Reconstruct deleted information
- "Acceptable" state of system unknown
  - Need to identify violation in spite of this
- Goal not obvious
  - Transformations may have been applied to data
- Strong burden of proof
  - Not enough to know what happened
  - Must be able to prove it

Slide 4: FBI List of Computer Forensic Services
- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)

Slide 5: The Coroner's Toolkit (TCT) Overview
Collection of tools to assist in a forensic examination of a computer (primarily designed for Unix systems):
- mactimes - report on times of files
- ils - list inode info (usually removed files)
- icat - copies files by inode number
- unrm - copies unallocated data blocks
- lazarus - create structure from unstructured data
- file - determine file type
- pcat - copy process memory
- grave-robber - captures forensic data

Slide 6: mactime
mactime is a shorthand reference to the three time attributes: mtime, atime, and ctime.
- atime - time of last access
- mtime - time of last modification
- ctime - time of last status change of inode
- dtime - time of deletion (Linux only)
Example:
    # mactime -m /var/adm
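The slide names the three attributes but not how a timeline is assembled from them. The following is an added example, not TCT's mactime and not from the presentation: it walks a directory with stat(1), emits one row per attribute, and merges rows that share a timestamp and path into a single line with an "mac"-style flag field (a "." marks an attribute that does not match that time). It assumes GNU coreutils (stat --printf, date -d @SECONDS, touch -t) and a POSIX awk.

```shell
#!/bin/sh
# Added example: a minimal mactime-style timeline built from stat(1) and date(1).
# Not TCT code; assumes GNU coreutils (stat --printf, date -d @SECS) and POSIX awk.

# mac_timeline DIR
# Prints one line per distinct (time, file) pair, oldest first:
#   <UTC timestamp> <flags> <path>
# flags follow mactime's "mac" convention: m/a/c mark which of mtime, atime
# and ctime equal that timestamp, "." marks those that do not.
mac_timeline() {
    dir=$1
    tab=$(printf '\t')
    # One row per attribute per regular file: <epoch>TAB<flag>TAB<path>.
    find "$dir" -type f -exec stat --printf '%Y\tm\t%n\n%X\ta\t%n\n%Z\tc\t%n\n' {} + |
    # Oldest first; rows for the same path and time end up adjacent.
    sort -t "$tab" -k1,1n -k3,3 |
    # Merge adjacent rows that share time and path into one flagged row.
    awk -F '\t' '
        function render(f) {
            return (index(f, "m") ? "m" : ".") (index(f, "a") ? "a" : ".") (index(f, "c") ? "c" : ".")
        }
        $1 == t && $3 == n { f = f $2; next }
        NR > 1 { print t "\t" render(f) "\t" n }
        { t = $1; f = $2; n = $3 }
        END { if (NR) print t "\t" render(f) "\t" n }
    ' |
    # Render epoch seconds as UTC so the timeline and the case journal share one clock.
    while IFS="$tab" read -r t f n; do
        printf '%s %s %s\n' "$(date -u -d "@$t" +%Y-%m-%dT%H:%M:%SZ)" "$f" "$n"
    done
}

# Stand-alone demonstration on a constructed directory (not real evidence).
demo_dir=$(mktemp -d)
TZ=UTC touch -t 202001011200 "$demo_dir/old.log"   # sets mtime and atime; ctime is "now"
printf 'hello\n' > "$demo_dir/new.txt"              # all three times are "now"
mac_timeline "$demo_dir"
rm -r "$demo_dir"
```

In the demo, old.log produces two lines: a 2020 entry flagged "ma." and a current entry flagged "..c", which is exactly the pattern an analyst looks for when a file's content dates are old but its inode was touched recently (for example by a chmod or a chown).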

Slide 7: ils
ils lists inode information of removed files. It can be used to identify deleted files for a possible attempt to undelete them with icat. Specify a device file which contains a file system.
Example:
    ils /dev/hdb1

Slide 8: Unix file

Slide 9: icat, file
icat copies files by inode number from a device which contains a file system. It can be used to recover a deleted file.
Example:
    icat /dev/hdb1 17
file - determine file type. Similar to the UNIX System V file command, but may generate a better indication of file type.

Slide 10: unrm
unrm - copies unallocated data blocks
- Used to copy unallocated blocks to an output file in order to be processed by lazarus.
Example:
    # unrm /dev/hdb1 > /tmp/unrm.of.hdb1
lazarus - attempts to make sense out of raw data blocks
Example:
    # lazarus /tmp/unrm.of.hdb1
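What "making sense out of raw data blocks" means in practice is content classification: lazarus looks at each block and decides what kind of data it holds so fragments of deleted files can be grouped. The following added example (not TCT code, and the image, block size and type names are this example's own) builds a constructed four-block "unrm output" with dd, then classifies each 512-byte block by magic bytes (gzip, ELF, PDF) or, failing that, by whether the non-padding bytes are all printable text. It assumes GNU dd (conv=sync) and od/tr/wc.

```shell
#!/bin/sh
# Added example: classify raw unallocated blocks by content, in the spirit of
# lazarus processing unrm output. Not TCT code; assumes GNU dd, od, tr, wc.

BLOCK=512

# make_sample_image IMG
# Constructed stand-in for unrm output: four 512-byte blocks holding zeros, a
# text fragment, a gzip header and an ELF header. conv=sync pads each to BLOCK.
make_sample_image() {
    img=$1
    : > "$img"
    dd if=/dev/zero bs=$BLOCK count=1 2>/dev/null >> "$img"
    printf 'root:x:0:0:root:/root:/bin/sh\n' | dd bs=$BLOCK count=1 conv=sync 2>/dev/null >> "$img"
    printf '\037\213\010\000' | dd bs=$BLOCK count=1 conv=sync 2>/dev/null >> "$img"
    printf '\177ELF\002\001\001' | dd bs=$BLOCK count=1 conv=sync 2>/dev/null >> "$img"
}

# read_block IMG N -> raw bytes of block N on stdout
read_block() {
    dd if="$1" bs=$BLOCK skip="$2" count=1 2>/dev/null
}

# classify_block IMG N -> one of: zero text gzip elf pdf binary
classify_block() {
    img=$1; blk=$2
    # First four bytes as lowercase hex, e.g. "1f8b0800".
    magic=$(read_block "$img" "$blk" | od -An -tx1 -N4 | tr -d ' \n')
    case $magic in
        1f8b08*)  echo gzip; return ;;   # gzip member header
        7f454c46) echo elf; return ;;    # \177ELF
        25504446) echo pdf; return ;;    # %PDF
    esac
    # Fall back to content statistics: drop NUL padding, count what is not printable.
    total=$(read_block "$img" "$blk" | tr -d '\000' | wc -c)
    nonprint=$(read_block "$img" "$blk" | tr -d '\000[:print:][:space:]' | wc -c)
    if [ "$total" -eq 0 ]; then
        echo zero
    elif [ "$nonprint" -eq 0 ]; then
        echo text
    else
        echo binary
    fi
}

# carve_report IMG -> "<block> <type>" for every block in the image
carve_report() {
    img=$1
    nblocks=$(( $(wc -c < "$img") / BLOCK ))
    i=0
    while [ "$i" -lt "$nblocks" ]; do
        printf '%d %s\n' "$i" "$(classify_block "$img" "$i")"
        i=$((i + 1))
    done
}

# Stand-alone demonstration on the constructed image.
demo_img=$(mktemp)
make_sample_image "$demo_img"
carve_report "$demo_img"
rm -f "$demo_img"
```

The report for the constructed image reads "0 zero", "1 text", "2 gzip", "3 elf". Real recovery would go on to concatenate runs of same-type blocks; this example stops at the classification step that decides which runs are worth that effort.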

Slide 11: pcat
pcat - copies process memory
- This is used to try to understand what a program is doing, especially when the executable file has been deleted.
Modern UNIX systems have a /proc file system that makes process information available in a convenient manner, including the executable file, current directory, and process memory.

Slide 12: grave-robber
grave-robber captures system forensic data
- Runs many of the TCT tools under the covers
Three types of options:
- general options: where output goes, verbosity, etc.
- micro options: finer control over what data is collected
- macro options: puts micro data collection into logical groups

Slide 13: Law Enforcement Challenges
- Many findings will not be evaluated to be worthy of presentation as evidence.
- Many findings will need to withstand rigorous examination by another expert witness.
- The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.

Slide 14: Broader Picture: What to Do
- Do not start looking through files.
- Start a journal with the date and time; keep detailed notes.
- Unplug the system from the network if possible.
- Do not back the system up with dump or other backup utilities.
- If possible without rebooting, make byte-by-byte copies of the physical disk.
- Capture network info.
- Capture process listings and open files.
- Capture configuration information to disk and notes.
- Collate mail, DNS and other network service logs to support host data.
- Capture exhaustive external TCP and UDP port scans of the host.
- Contact security department or CERT/management/police or FBI.
- If possible, freeze the system such that the current memory, swap files, and even CPU registers are saved.
- Documented short-term storage.
- Packaging/labeling.
- Shipping.
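Slides 13 and 14 together make the point that collection has to be defensible: every step journaled with a time, every captured artifact hashed so it can later be shown unchanged, and the disk copied byte for byte. The following added example (not from the presentation; the case-directory layout, function names and the constructed stand-in "device" file are this example's own) is a small POSIX shell helper that opens a journal, captures command output into hashed artifacts, images a device with dd while hashing source and image, and re-verifies the manifest. It assumes sha256sum (GNU coreutils) or shasum, dd, and head -c.

```shell
#!/bin/sh
# Added example: a journaled evidence-collection helper in the spirit of the
# "what to do" list. Not part of the slides; layout and names are this example's own.
# Assumes sha256sum (or shasum -a 256), GNU-compatible dd, and head -c.

# hash_file FILE -> hex SHA-256 of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# journal TEXT: append a UTC-timestamped note; every action below writes one
journal() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$CASE_DIR/journal.log"
}

# case_init DIR: create the case directory, empty manifest, and opening journal entry
case_init() {
    CASE_DIR=$1
    mkdir -p "$CASE_DIR/artifacts"
    : > "$CASE_DIR/MANIFEST.sha256"
    journal "case opened on host $(uname -n) by $(id -un)"
}

# capture NAME CMD...: run CMD, keep its output as artifacts/NAME, hash and journal it
capture() {
    name=$1; shift
    out="$CASE_DIR/artifacts/$name"
    "$@" > "$out" 2>&1 || journal "WARNING: '$*' exited non-zero"
    h=$(hash_file "$out")
    printf '%s  artifacts/%s\n' "$h" "$name" >> "$CASE_DIR/MANIFEST.sha256"
    journal "captured $name via '$*' sha256=$h"
}

# image_device SRC NAME: byte-for-byte copy of SRC to artifacts/NAME with dd.
# Source and image are both hashed and journaled; returns non-zero if they differ.
# conv=noerror,sync keeps reading past bad blocks and pads them, so on a real
# device the size must be a multiple of bs for the two hashes to match.
image_device() {
    src=$1; name=$2
    out="$CASE_DIR/artifacts/$name"
    dd if="$src" of="$out" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$out")
    printf '%s  artifacts/%s\n' "$img_hash" "$name" >> "$CASE_DIR/MANIFEST.sha256"
    journal "imaged $src to $name source_sha256=$src_hash image_sha256=$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# verify_manifest: recompute every artifact hash; non-zero exit if anything changed
verify_manifest() {
    status=0
    while read -r h path; do
        [ "$(hash_file "$CASE_DIR/$path")" = "$h" ] || { journal "MISMATCH $path"; status=1; }
    done < "$CASE_DIR/MANIFEST.sha256"
    journal "manifest verified status=$status"
    return $status
}

# demo_case: run the whole flow against a constructed 8 KiB "device" file
demo_case() {
    work=$(mktemp -d)
    case_init "$work/case-0001"
    capture uname.txt uname -a
    capture date.txt date -u
    yes constructed-device-content | head -c 8192 > "$work/sdz.raw"   # constructed, not a real disk
    image_device "$work/sdz.raw" sdz.raw.dd
    verify_manifest && echo "case files in $work/case-0001"
}

[ "${1:-}" = demo ] && demo_case
```

Run it as `sh collect.sh demo` and inspect journal.log: each line carries the time, what was run, and the hash that later lets an examiner (or an opposing expert) confirm the artifact is the one that was collected.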

Slide 15: Risk management

Slide 16: Likelihood vs. Consequence

Slide 17: Countermeasure
- A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.

Slide 18: Examples of Countermeasures
- Procedures: security policies and procedures, training, personnel transfer
- Hardware: doors, window bars, fences; paper shredder; alarms, badges
- Manpower: guard force

Slide 19: Consequence
- A consequence is that which logically or naturally follows an action or condition.

Slide 20: Determination of the Consequence of the Attack
- "The worse the consequence of a threat harming the system, the greater the risk."
(Diagram labels: Attack, Consequence, Success)

Slide 21: Risk Calculation Process
- Determine:
  - the threat
  - the vulnerability
  - the likelihood of attack
  - the consequence of an attack
- Apply this formula by:
  - postulating attacks
  - estimating the likelihood of a successful attack
  - evaluating the consequences of those successful attacks

Slide 22: NSA ISSO Risk Assessment Methodology
- Developed in the NSA Information Systems Security Organization (ISSO)
- Used for INFOSEC products and systems
- Can be used during the entire life cycle
- Not widely used outside of the ISSO

Slide 23: The NSA ISSO Risk Assessment Process
- Understanding the system
- Developing attack scenarios
- Understanding the severity of the consequences
- Creating a risk plane
- Generating a report

Slide 24: The Risk Plane
Source: Courtesy of Professors Chris Clifton & Matt Bishop

Slide 25: Risk Index
Risk Index, as defined by the "Yellow Book", is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system.
- Minimum User Clearance = Rmin
- Maximum Data Sensitivity = Rmax
- Risk Index = Rmax - Rmin
The risk index is between 0 and 7.

Slide 26: Rating Scale for Minimum User Clearance (Rmin)

Slide 27: Rating Scale for Maximum Data Sensitivity (Rmax)

Slide 28: Computer Security Requirements
* = Security requirements beyond the state of the art

Slide 29: Examples of documented risk assessment systems
- Aggregated Countermeasures Effectiveness (ACE) Model
- Risk Assessment Tool
- Information Security Risk Assessment Model (ISRAM)
- Dollar-based OPSEC Risk Analysis (DORA)
- Analysis of Networked Systems Security Risks (ANSSR)
- Profiles
- National Security Agency (NSA) Information Systems Security Organization (ISSO) INFOSEC Risk Assessment Tool

Slide 30: Conclusion
Why should I bother doing security risk management?
- Risk management and assessment prepares you for deciding what to do about a risk
- Allows you to identify assets, vulnerabilities, and controls
- Helps you understand what you do and do not know, improving the basis for decisions
- Assists in justifying expenditures for security

Which term is defined as the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law?

Computer forensics is a field of technology that uses investigative techniques to identify and store evidence from a computer device. Often, computer forensics is used to uncover evidence that could be used in a court of law. Computer forensics also encompasses areas outside of investigations.

What is forensic science?

Forensic science is a critical element of the criminal justice system. Forensic scientists examine and analyze evidence from crime scenes and elsewhere to develop objective findings that can assist in the investigation and prosecution of perpetrators of crime or absolve an innocent person from suspicion.

What is meant by digital evidence?

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud.

What term describes information that forensic specialists use to support or interpret real or documentary evidence?

The term internet forensics refers to information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual. Malware forensics is also known as internet forensics.