1 of 39

Incident Response/Forensics

2 of 39

Incident Response

Objectives:

The student should be able to:

  • Define and explain OSCAR
  • Describe the types of information found in computer logs, DHCP, wireless access points, NIDS, and Active Directory.
  • Describe guidelines for collecting this information concerning chain of custody and authenticity.

3 of 39

Sample Cases

Hospital laptop walks away

Corporation hosting recent movies?

Rootkit found in government server

4 of 39

Case: Hospital Laptop is Missing

Questions:

  • When did the laptop disappear? Can it be retrieved?
  • What patient data was on the laptop? Whose information was breached?
  • Was the network further compromised?

5 of 39

Case: Hospital Laptop is Missing

When did the laptop disappear? Can we recover it?

  • Interviews: Talk to the doctor about when she last used/had it and when it appeared missing.
  • Network Access Logs:
    • Wireless Access Point: When was the laptop connected and to where?
    • DHCP: When was the laptop last allocated an IP address? How long is the IP address good for?
    • Active Directory Events: What happened recently via active directory?
  • Video Surveillance: Did anyone walk out with baggage at the time the laptop disappeared?

6 of 39

Case: Hospital Laptop is Missing

What patient data was on laptop?

  • Email: When did the doctor last access email?
    • Which email attachments were downloaded?
    • Whose email records were processed that day?
  • Lab/DB: Which lab results/database results were downloaded that day?

Was the network further compromised?

  • What is in the logs of Active Directory concerning access to network resources?
  • What VPN and other medical DB access occurred after the theft?

7 of 39

Case: Hospital Laptop is Missing

Results:

  • Wireless AP logs indicate laptop travelled to visitor parking facility
  • Cameras showed a man in scrubs leaving the facility
  • Cameras recorded the license plate of a car with two people in it
  • The police tracked the license plate and eventually recovered the laptop
  • VPN & other logs showed no additional connection activity
  • Laptop logs showed PC was not powered up after being stolen
  • Conclusion: Patient data had not been stolen.

8 of 39

Case: Hospital Laptop is Missing

Solution

  • Encrypt hard disk to avoid HIPAA/HITECH infringement
  • Deploy physical laptop locking mechanism
  • Consider Lojack for Laptops: locates laptops

9 of 39

Case: P2P File Sharing

  • Peer-to-peer filesharing happening in a corporate network: stolen recent movies
  • Found by NIDS
  • Violation of Digital Millennium Copyright Act (DMCA)
  • Company did not want to be accused of trading pirated music or films, resulting in lawsuits

10 of 39

Case: P2P File Sharing

Questions:

  • Where is the P2P data stored?
  • Who is responsible for the file sharing?
  • What data was shared?

11 of 39

Case: P2P File Sharing

Where is the P2P data stored? Who is responsible?

  • NIDS records indicate IP address
    • NIDS requested to record all P2P traffic
  • DHCP provided MAC address for violator IP address
    • MAC address identified the network card manufacturer (Dell)
  • Switches identified the port serving that IP address: the sys admin was emailed
  • Evening raid recovered computer for forensic analysis
    • MAC address did not match

12 of 39

Case: P2P File Sharing

Where is the P2P data stored? Who is responsible?

  • Email server: indicated email sys admin had read emails about investigation
    • Investigators used alternate means to communicate.
  • Physical search of premises: desktop found in reimaging queue.

What data was stored?

  • Forensic analysis found video files of copyrighted material
    • Found usernames and email address associated with suspect

13 of 39

Case: Government Server has Rootkit

Antivirus detected suspicious files on government server

  • Server held password hashes.
  • Other local servers held SSNs and personal financial info

Questions:

  • How was the system compromised?
  • Were other computers compromised?
  • What information was stolen?

14 of 39

Case: Government Server has Rootkit

How was the system compromised?

  • Monitoring file system:
    • Files on the system had names commonly associated with rootkits and known malware
    • Files were in a home directory of a forgotten, inactive administrator account
    • Local authentication logs were deleted

15 of 39

Case: Gov’t Server has Rootkit

How was the system compromised?

  • Searching central logging server:
    • SSH logs indicate brute-force password guessing attack.
    • The attack originated in Brazil
    • Traffic from Brazil was supposed to be filtered by the firewall
  • Check password file: The account had a too-simple password
  • Check firewall: SSH was permitted from outside U.S.

16 of 39

Case: Gov’t Server has Rootkit

Were other computers compromised?

What information was stolen?

  • Check servers for access by the stolen account
    • No access; antivirus had found files early before damage could be done
  • Check firewall: No exfiltration evident

Result:

  • Fix firewall; audit twice a year
  • Remove old accounts and audit accounts quarterly

17 of 39

How to investigate a case: OSCAR

18 of 39

OSCAR

  • Obtain Information
  • Strategize Theories
  • Collect Evidence
  • Analyze Evidence
  • Report

19 of 39

Oscar: Obtain Information

Obtain info about the Incident:

  • What happened
  • When it occurred
  • Who was involved
  • Where did it occur (devices, data)
  • How found

Obtain info about the Environment:

  • Business environment, org chart
  • Network topology and resources
  • Sources of evidence
  • Incident response process & legal issues
  • Methods of communication
  • Available resources

20 of 39

Collected information includes…

Volatile information:

  • System memory: Unix /dev/mem or /dev/kmem
  • Currently running processes
  • Logged in users
  • Network connections: Recent connections and open applications/sockets
  • Currently open files: File system time & date stamps
  • System date & time

21 of 39

oScar: Strategize

  • Determine sources of evidence
  • Prioritize the acquiring of evidence
    • Value: What info is most important?
    • Effort: What info is easily accessible?
    • Volatility: What info will disappear (e.g., in memory)?
  • Consider personnel, goals, data retention policies, system configuration, access procedures, timeframe
  • Reiterate: As you need more information, go back for more

22 of 39

osCar: Collect Evidence

  • Once a priority is decided, acquire evidence from each source ASAP
  • Document all systems accessed
  • Record date/time, device accessed, how acquired, investigator; start chain of custody.
  • Preserve evidence integrity
    • Store securely
    • Chain of custody: track who accessed or possessed evidence, when, for how long.
      • Signed and accurate

23 of 39

osCar: Collect Evidence

  • Analyze only copies
  • When creating a copy, confirm integrity hashes
  • Use reputable tools
  • Document all that you do

24 of 39

Useful information to collect…

  • Photos of computer, surroundings, display (if on), back panel plugs, etc.
  • IDS, Firewall, and System logs
  • Employees' web pages, emails, internet activities
  • Employees' access to files (created/modified/viewed)
  • Local peripheral paraphernalia (CDs, floppies, papers)
  • Better to collect too much than too little

25 of 39

After computer is turned off…

  • Reboot will change disk images. Do not reboot!
  • Make forensic backup = system image = bit-stream backup
  • Copy every bit of the file system, not just the disk files!
  • Example tools include:
  • Compute hash value of disk and backup

26 of 39

Incident Response Procedure

  • A clear procedure defines what should happen when an intrusion is suspected
  • Define expected responses to different types of intrusions
  • Decide early because time will be limited during an attack

27 of 39

Live Response

Goal: Minimize reaction time by:

  • Acting quickly, which means being prepared in advance
  • Automating the collection of the forensic data
  • Minimizing interaction with the suspected compromised computer
  • Minimizing changes to the suspected computer
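The volatile-information list on slide 20 and the live response goals above (prepare in advance, automate, touch the suspect machine as little as possible) both come down to a scripted collector that is written before an incident. The following Python script is an added example and is not from the original slides; it assumes standard Unix tools (date, who, ps, ss, lsof), which on a real case would be trusted copies run from read-only media, and it records a hashed manifest of everything it collects so the chain of custody starts at collection time.

```python
import hashlib
import json
import os
import platform
import subprocess
import tempfile
from datetime import datetime, timezone

# Volatile data in roughly the slide's order: the most perishable items first.
# Assumed standard Unix tools; on a real case they would be trusted binaries run
# from read-only media, and the output directory would be removable media so as
# little as possible is written to the suspect disk.
DEFAULT_COMMANDS = [
    ("system_time", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("logged_in_users", ["who"]),
    ("processes", ["ps", "-ef"]),
    ("network_sockets", ["ss", "-antup"]),
    ("open_files", ["lsof", "-n"]),
]


def now():
    return datetime.now(timezone.utc).isoformat()


def run_collection(outdir, commands=DEFAULT_COMMANDS, timeout=60):
    """Run each command without a shell, store its raw output, and write a manifest
    with start time, exit status and SHA-256 for every item (the start of the chain
    of custody). A missing or hung tool is recorded, not allowed to stop the run."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"started_utc": now(), "host": platform.node(), "items": []}
    for name, argv in commands:
        started = now()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output, status = proc.stdout + proc.stderr, proc.returncode
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            output, status = f"collection failed: {exc}\n".encode(), None
        with open(os.path.join(outdir, name + ".txt"), "wb") as f:
            f.write(output)
        manifest["items"].append({
            "name": name, "command": " ".join(argv), "started_utc": started,
            "exit_status": status, "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
        })
    manifest["finished_utc"] = now()
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(outdir):
    """Re-hash every collected file against the manifest. Returns (ok, [names that differ])."""
    with open(os.path.join(outdir, "manifest.json")) as f:
        manifest = json.load(f)
    bad = []
    for item in manifest["items"]:
        with open(os.path.join(outdir, item["name"] + ".txt"), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != item["sha256"]:
                bad.append(item["name"])
    return not bad, bad


def collect_to_tempdir(commands=DEFAULT_COMMANDS):
    """Convenience wrapper for trying the collector out: returns (outdir, manifest)."""
    outdir = tempfile.mkdtemp(prefix="live-response-")
    return outdir, run_collection(outdir, commands)


if __name__ == "__main__":
    outdir, manifest = collect_to_tempdir()
    print("wrote", len(manifest["items"]), "items to", outdir)
    print("verified:", verify_manifest(outdir))
```

The command list is data, not code, so the order of volatility can be reviewed and rehearsed in advance; a tool that is absent on the suspect host produces a manifest entry with a null exit status rather than a silent gap in the evidence.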

28 of 39

Chain of Custody

Timeline (who did what to evidence, when; a witness is required for each step):

  • 10:53 AM: Attack observed (Jan K)
  • 11:04: Incident Response team arrives
  • 11:05-11:44: System copied (PKB & RFT)
  • 11:15: System brought offline (RFT)
  • 11:45: System powered down (PKB & RFT)
  • 11:47-1:05: Disk copied (RFT & PKB)
  • 1:15: System locked in static-free bag in storage room (RFT & PKB)
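A chain-of-custody record is only useful if a later edit to it can be noticed. The following Python class is an added example, not part of the original slides: it keeps the custody events from this slide as an append-only log in which each entry carries the SHA-256 of the entry before it, so altering or removing an earlier entry invalidates every later one. The case identifier and the witness name are constructed placeholders; the times and initials are the slide's own.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(entry):
    """SHA-256 over the canonical JSON form of an entry (sorted keys, no whitespace)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Every entry stores the hash of the entry
    before it, so changing or deleting an earlier entry invalidates all later ones."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, when, action, handlers, witness, item="compromised system"):
        if not witness:
            raise ValueError("a witness is required for every custody event")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"case": self.case_id, "time": when, "item": item, "action": action,
                 "handlers": list(handlers), "witness": witness, "prev": prev}
        entry["hash"] = entry_hash(entry)   # covers every field above, including prev
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_slide_timeline():
    """The seven custody events from the slide, with the slide's times and initials.
    The case id and witness name are constructed placeholders."""
    log = CustodyLog("CASE-0000 (placeholder)")
    witness = "W. Example (constructed)"
    log.record("10:53 AM", "Attack observed", ["Jan K"], witness)
    log.record("11:04", "Incident response team arrives", ["Inc. Resp. team"], witness)
    log.record("11:05-11:44", "System copied", ["PKB", "RFT"], witness)
    log.record("11:15", "System brought offline", ["RFT"], witness)
    log.record("11:45", "System powered down", ["PKB", "RFT"], witness)
    log.record("11:47-1:05", "Disk copied", ["RFT", "PKB"], witness)
    log.record("1:15", "System locked in static-free bag in storage room", ["RFT", "PKB"], witness)
    return log


def tamper_demo():
    """Show that quietly rewriting an earlier entry is detected: alter entry 3 (index 2)
    and report where verification first fails."""
    log = build_slide_timeline()
    intact = log.verify()
    log.entries[2]["handlers"] = ["PKB"]   # drop a handler from the 'System copied' step
    return intact, log.verify()


if __name__ == "__main__":
    before, after = tamper_demo()
    print("intact log:", before)
    print("after editing entry 3:", after)
```

In practice each entry would also be signed by the handler and the witness; the hash chain shown here is what makes the signed record tamper-evident as a whole rather than entry by entry.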

29 of 39

Creating a Forensic Copy

Copy flow: Original → Mirror Image

  1) Calculate message digest: before the copy
  2) Accuracy feature: the tool is accepted as accurate by the scientific community (e.g., CoreRESTORE, Forensic Replicator, FRED)
  3) Forensically sterile: wipes existing data on the destination; records sterility
  4) One-way copy: cannot modify the original
  5) Bit-by-bit copy: mirror image
  6) Calculate message digest: after the copy
  7) Calculate message digest: validate correctness of the copy
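The digest steps in this flow, and the "analyze only copies / confirm integrity hashes" rules on slide 23, can be shown end to end in a few lines. The following Python is an added example and not from the original slides or any of the tools it names: it stands a pseudo-random file in for a disk, makes a byte-for-byte copy from a read-only handle, hashes the original before and after, hashes the copy, and then shows that a copy with a single flipped bit no longer verifies. A hardware write blocker, not the open mode, is what enforces the one-way copy on real media.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # hash and copy in 1 MiB pieces so a large image never has to fit in RAM


def digest_file(path, algo="sha256"):
    """Hex message digest of a file, computed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bit_copy(src, dst):
    """Copy every byte of src into dst (a bit-stream copy, not a file-by-file copy).
    src is opened read-only, so this step cannot modify the original (the slide's
    one-way copy); a hardware write blocker enforces the same thing on real media."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)


def acquire_and_verify(original, copy):
    """Steps 1, 6 and 7 of the slide: digest the original before the copy, the
    original again afterwards, and the copy itself. The returned dict is what the
    examiner records in the case notes."""
    before = digest_file(original)
    bit_copy(original, copy)
    after = digest_file(original)
    copy_digest = digest_file(copy)
    return {
        "original_before": before,
        "original_after": after,
        "copy": copy_digest,
        "original_unchanged": before == after,   # the acquisition did not alter the source
        "copy_matches": before == copy_digest,   # the copy is an exact image
    }


def demo(image_bytes=None):
    """Constructed example: a small pseudo-random 'disk image' stands in for a device.
    Returns the acquisition report and whether a copy with one flipped bit still verifies."""
    workdir = tempfile.mkdtemp(prefix="forensic-copy-")
    try:
        original = os.path.join(workdir, "original.img")
        copy = os.path.join(workdir, "evidence.dd")
        with open(original, "wb") as f:
            f.write(image_bytes if image_bytes is not None else os.urandom(3 * CHUNK + 123))
        report = acquire_and_verify(original, copy)
        # Flip a single bit in the copy: the digest no longer matches, so the copy
        # would be rejected rather than analyzed.
        with open(copy, "r+b") as f:
            f.seek(CHUNK + 7)
            byte = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([byte[0] ^ 0x01]))
        tampered_still_verifies = digest_file(copy) == report["original_before"]
        return report, tampered_still_verifies
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    rep, tampered_ok = demo()
    for k, v in rep.items():
        print(f"{k}: {v}")
    print("tampered copy still verifies:", tampered_ok)
```

The three digests belong in the evidence notes next to the device serial and the handler's initials; "original_unchanged" is what defends the acquisition in court, and "copy_matches" is what licenses analysis on the copy instead of the original.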

30 of 39

Data Collection

  • All data is evidence.
  • Bag and tag:
    • Evidence tag describes the collected data
    • Chain of custody documents where evidence has been
  • Keep data on encrypted file system, locked up.
  • Perform analysis on data-identical copies

31 of 39

oscAr: Analyze Evidence

  • Theorize what may have happened
  • Correlate: Involve multiple sources of evidence
  • Build a timeline
  • Recover additional evidence
  • Corroborate through multiple sources
  • Interpret evidence: Build the case/theory based upon evidence
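The "correlate" and "build a timeline" steps are where the hospital laptop case (slides 5 to 7) was actually solved: wireless AP, DHCP and Active Directory each see the device under a different identifier, and they only tell a story once they are normalized to one clock and one key. The following Python is an added example, not from the original slides; the log lines are constructed samples in three different timestamp formats, the year for the syslog-style DHCP lines is assumed, and all sources are assumed already synchronized to UTC. Active Directory records a user and an IP but no MAC, so the example maps IP to MAC through the DHCP lease that was in force at the time.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

# Constructed sample logs (not real hospital data). All sources are assumed
# synchronized to UTC; in practice, fix clock skew between sources first.
LOG_YEAR = 2024  # syslog-style lines carry no year, so it must be supplied

DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to aa:bb:cc:dd:ee:ff (DR-LAPTOP-17) via eth0
Mar  3 09:12:03 dhcp1 dhcpd: DHCPACK on 10.20.5.91 to 11:22:33:44:55:66 (NURSE-WS-02) via eth0
Mar  3 10:40:15 dhcp1 dhcpd: DHCPACK on 10.20.9.14 to aa:bb:cc:dd:ee:ff (DR-LAPTOP-17) via eth1
"""

WIFI_LOG = """\
2024-03-03T09:11:58Z ap-ward3 assoc client=aa:bb:cc:dd:ee:ff ssid=HOSP-STAFF
2024-03-03T10:40:12Z ap-parking2 assoc client=aa:bb:cc:dd:ee:ff ssid=HOSP-STAFF
2024-03-03T10:52:30Z ap-parking2 disassoc client=aa:bb:cc:dd:ee:ff reason=inactivity
"""

# Simplified export of Active Directory logon events: time,event id,account,source ip,type
AD_LOG = """\
03/03/2024 09:12:45,4624,HOSP\\dr.smith,10.20.5.77,Logon
03/03/2024 09:13:10,4624,HOSP\\nurse.lee,10.20.5.91,Logon
"""

Event = namedtuple("Event", "time source mac ip detail")

DHCP_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
WIFI_RE = re.compile(r"^(\S+) (\S+) (assoc|disassoc) client=(\S+) ?(.*)$")


def utc(dt):
    return dt.replace(tzinfo=timezone.utc)


def parse_dhcp(text, year=LOG_YEAR):
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        mon, day, clock, ip, mac, host = m.groups()
        ts = utc(datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"))
        yield Event(ts, "dhcp", mac.lower(), ip, f"lease {ip} to {host}")


def parse_wifi(text):
    for line in text.splitlines():
        m = WIFI_RE.match(line)
        if not m:
            continue
        stamp, ap, action, mac, rest = m.groups()
        ts = utc(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"))
        yield Event(ts, "wifi", mac.lower(), None, f"{action} at {ap} {rest}".strip())


def ip_to_mac(dhcp_events, ip, at):
    """MAC holding `ip` at time `at`: the most recent DHCPACK for that IP not after `at`."""
    best = None
    for e in dhcp_events:
        if e.ip == ip and e.time <= at and (best is None or e.time > best.time):
            best = e
    return best.mac if best else None


def parse_ad(text, dhcp_events):
    """AD records user + IP but no MAC, so map IP -> MAC through the DHCP lease in force."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, ip, kind = line.split(",")
        ts = utc(datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"))
        yield Event(ts, "ad", ip_to_mac(dhcp_events, ip, ts), ip, f"{kind} {event_id} {account}")


def build_timeline(mac):
    """All events from every source that belong to one device, in time order."""
    dhcp = list(parse_dhcp(DHCP_LOG))
    events = dhcp + list(parse_wifi(WIFI_LOG)) + list(parse_ad(AD_LOG, dhcp))
    return sorted((e for e in events if e.mac == mac.lower()), key=lambda e: e.time)


def last_seen(mac):
    """The final sighting of a device across all sources, or None if it never appears."""
    tl = build_timeline(mac)
    return tl[-1] if tl else None


if __name__ == "__main__":
    for e in build_timeline("aa:bb:cc:dd:ee:ff"):
        print(e.time.strftime("%H:%M:%S"), e.source.ljust(5), e.detail)
```

Run on the constructed data, the merged timeline shows the laptop on the ward AP with a doctor logon in the morning, then a new DHCP lease and association at a parking-lot AP with no user logon behind it, and finally a disassociation for inactivity, which is the same shape of evidence the slide-7 results describe. Each source alone is ambiguous; the correlation step is what turns them into a sequence the report can defend.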

32 of 39

oscaR: Report

  • Communicate your case to nontechnical people
    • Legal teams
    • Human resources
    • Management
    • Courts
  • The case must be factual and defensible

33 of 39

Writing a Report

  • The contents of a report should include:
    • How and why the computer became suspect
    • Each finding of what occurred, including its source and earliest evidence of compromise
    • Examined evidence: what was examined and found
    • Timeline of events: presented as a table
    • Details: for each analysis, what was found in detail

34 of 39

Step 0: Establish Detection Procedures

  • Data Loss Prevention software
  • SNMP: Monitors availability, response times, etc. and notifies administrator
  • IDS/IPS: Monitors for attacks and notifies administrator
  • Logs from all devices must be synchronized, monitored and audited
  • Monitoring current configurations against baselines
  • After a break-in, administrators wish they had had stronger logging

35 of 39

Redline’s recommendations

For a compromised machine:

  • Do not interact with the computer unless you have a plan.
  • Assume anything you connect will become infected
  • Assume any data you transfer to the computer will be compromised.
  • Do not analyze the computer directly, because you modify important data on the machine.
  • Focus on system data (logs, file system) not user data
    • Collect a lot of data for analysis if you have time;
    • Collect just what you need if not.

36 of 39

Live Response Process

  • Define the goal and deliverables
  • Define organizational roles and responsibilities
  • Design the process to be:
    • Repeatable and as much as possible, automated
    • Clear and easy to follow
    • Documented
    • Well tested
  • Train people to accomplish the process

37 of 39

Forensic Analysis

  • User-created documents: Microsoft Office, PDF, etc.
  • Corporate Email
  • File Shares
  • Paper Documents
  • USB Devices
  • Mobile Devices & Apps
  • Cloud services
  • Internet History
  • Event Logs
  • Social Media
  • Disk Volume Shadow Copies/Backups
  • Personal Webmail
  • Unallocated Disk Space
  • Program Execution History

38 of 39

Evidence: internal affairs

  • Emails
  • Computers
  • Phones
  • External hard drives
  • Security camera footage
  • Keycard access logs
  • Printer logs
  • Server/database logs
  • Extranet access logs
  • Deleted files may be recoverable with forensic software
  • OS/App history points to files accessed most recently (links, last modified date)

39 of 39

Thank You