Module 1 Incident Handling : Digital Forensic


Faham Usman

on 23 May 2014


Transcript of Module 1 Incident Handling : Digital Forensic

Information Security
Module 1
Awareness Campaign
Salim is your Cyber Security Advisor.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
Incident Handling
Digital Evidence
Computer Forensics
Forensic Tools
Cyber Crime
Policies and Procedures
Apt case study
Anti-Forensics Tools
Salim (aeCERT)
For more information
Calls a user while impersonating a bank manager
Aims at promoting, building and ensuring a safer & secure cyber environment and culture in the UAE.
Incident Handling : Digital Forensic
Incident Handling
What is a Security Incident?
An incident is the act of violating an explicit or implied security policy (NIST Special Publication 800-61).
Examples of security incidents include:
Unauthorized access
Denial of service
Leaks of classified data in electronic form
Malicious destruction or modification of data
Misuse of computer resources
Execution of computer viruses and malicious code/scripts
A CSIRT is a Computer Security Incident Response Team
A CSIRT is a group of people that performs, coordinates, and supports the response to security incidents
Security Incident Handling
Security incident handling is an ongoing process which governs the activities that happen before, during and after an incident
This process starts with the planning and preparation of resources and is then followed by the development of procedures, e.g. escalation and security response procedures
Objectives of Security Incident Handling
Availability of the resource
Follow pre-defined procedures during an incident
Efficient response and prompt recovery of the compromised resource
Minimize the impact of an incident
Incident Handling Process
The Six-Step Process: Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post Incident Activity
Step 1: Preparation
The preparation phase is where an incident handler spends most of his time, preparing for an incident call
The most significant factor in successfully handling any incident is the amount of preparation by a skillful incident handler
Step 1: Preparation contd..
An organization must have the following items in place before any incident occurs:
Relationships with Key Individuals
Response Kit
Communication Plan
Incident Response Team
Step 2: Detection & Analysis
Determine whether or not an incident has occurred
Evaluate events objectively and determine whether they truly constitute an incident
Sources to consult:
Logs (hopefully a SIEM)
Workstation / Server
Internet Proxy / Filter
Gather all the facts and make a judgment based on those facts
Step 3: Containment
After an incident has been identified, the next step is to contain it
Ensure that the impact of the incident is controlled during the containment phase
This is a crucial step of the incident handling process, because it can get tricky when dealing with live and/or production systems
Step 4: Eradication
In this phase, analyze the information that was gathered to determine how the attack took place

It is important to understand how this attack was carried out in order to prevent it from happening again

In rare cases, you might eradicate an attack without rebuilding the system
Case Study: When Code Red attacked in June of 2000, many companies attempted to recover their systems from backups, only to find that the backups were also infected with Code Red
Step 5: Recovery
In this phase, you have to place the system back into the live production environment. For this you have to:

Validate that the system recovery is successful with the help of system administrators

Test the system to ensure all the business functions and operations are back to normal and put it back in live environment

Monitor the system to ensure that it is not compromised again
Step 6: Post Incident Activity
In this final phase, analyze what you have learned during the handling of an incident

Enhance and improve your incident-handling process

Document the incident and look for ways to improve the process
Incident Response Planning
Detecting an incident or intrusion activity is not sufficient unless you are prepared to respond in a timely manner
An intruder can do substantial damage to a computer system or network very quickly, so immediate action is required
An intrusion response strategy eliminates potential delays, errors, and omissions in advance of an actual incident
Policies and Procedures
Detection policies and procedures should clearly identify duties regarding intrusion detection
Monitoring procedures should be developed and provided only to the personnel responsible for monitoring.
Periodic review of the policy and procedures
Security Incidents
Did you know?
In 2012:
92% of breaches were performed by external attackers
75% were driven by financial motives
38% impacted large organizations
52% involved hacking
40% involved malware
54% involved compromised servers
RSA Attack Analysis
A Spear-Phishing Real World Case
RSA Background
RSA Attack: Analysis
In March 2011, RSA had a data breach
In an APT attack, hackers stole information which affected some 40 million two-factor authentication tokens
These devices are used in the private sector, industry and government agencies
Each token produces a 6-digit number every 60 seconds.
An Advanced Persistent Threat (APT) is a structured attack (advanced), a targeted attack (persistent), intent on gaining information (threat)
RSA Attack: Initial Steps
The attacker captured valid email addresses
The attacker did not perform mass spamming because it would have been caught by RSA's spam filter

RSA Attack: Spear Phishing Emails
Two different phishing emails were sent over a two-day period.
The emails were sent to two groups of employees who were not high-profile or high-value employees
The subject line read: 2011 Recruitment Plan
SPAM filtering did catch it and put it in the Junk folder

RSA Attack: Employee Mistake
One employee retrieved the email from the Junk mail folder
The email contained an Excel spreadsheet titled: 2011 Recruitment plan.xls
RSA Attack: Remote Administration Tool (RAT)
Attackers chose to use the Poison Ivy RAT.
Very tiny footprint
Gives attacker complete control over the system
RSA Attack: Harvesting
The initial host wasn't adequate, therefore the attackers harvested credentials, i.e. user IDs, domain admin and service accounts, etc.

Next, the attackers performed privilege escalation from non-admin users on other targeted systems

Goal: to gain access to high-value systems
RSA Attack: Digital Shoulder-Surfing
Next the attackers just sat back and digitally listened to what was going on with the system
RSA Attack: The Battle
While jumping from one workstation to another, RSA's security controls detected an attack in progress. The battle was on.
Therefore, the attackers had to move very quickly during this stage to find a highly valuable target.
RSA Attack: Data Gathering
Found staging servers
Copied data to staging servers
Data transferred out
RSA Attack: Receiving Host
Remained anonymous
Compromised the receiving host
Removed the traces
A handful of users are targeted by two phishing attacks; one user opens a zero-day payload (CVE-2011-0609)
The user's machine is accessed remotely by the Poison Ivy tool
The attacker elevates access to important user, service and admin accounts, and to specific systems
Data is acquired from target servers and staged for exfiltration
Data is exfiltrated as encrypted files over FTP to an external, compromised machine at a hosting provider
Lessons Learned
Weakest Link
Layered Security
Upside / Positive Impact
2012 – Victim Industry
Top 20 Threats by Region
Category of Compromised Data
Threat Players Categories Over Time
Computer Forensics
Introduction to Computer Forensics
Nowadays, computers and the Internet have become an important part of our everyday life
Computers and related devices have become more accessible, leading to their increased use in criminal activities
According to a survey:
85% of business and government agencies detected security breaches
Security agencies estimate that the United States loses up to $10 billion a year to cyber crime
Computer forensics is defined as the process of investigation and analysis to gather and preserve digital evidence in a specialized way so that it can be presented in a court of law for cyber crime prosecution

According to Dr. H.B. Wolfe, a security
“It is a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format”
Introduction to Computer Forensics
Computer Forensics – As a Profession
Computer forensics is a relatively new and growing career field because of the rapid increase in cyber crime

To start a career in computer forensics, a related degree, e.g. in computer science or criminal science, is required, along with computer forensics training and education

Technical and analytical skills are typically a must for all computer forensics careers
Computer Forensics Jobs
History of Computer Forensics
Forensics Science
Francis Galton (1822–1911) made the first recorded study of fingerprints
Leone Lattes (1887–1954) discovered blood groupings (A, B, AB, and O)
Calvin Goddard (1891–1955) enabled firearms and bullet comparison for solving many pending court cases
Albert Osborn (1858–1946) developed the essential features of document examination
Hans Gross (1847–1915) made use of scientific study to head criminal investigations
FBI (1932) set up a lab to provide forensic services to all field agents and other law authorities across the country
History of Computer Forensics
Computer Forensics Evolution
1984 - FBI Computer Analysis and Response Team (CART) emerged
1991 - An international law enforcement meeting was held to discuss computer forensics and the need for a standardized approach
1994 - Department of Justice (DOJ) - Federal Guidelines for Searching & Seizing Computers
1997 - FBI - Scientific Working Group on Digital Evidence (SWGDE) was established to develop standards in computer forensics
2001 - USAF - Digital Forensics Research Workshop was held
2003 - Academic - International Journal of Digital Forensics & Incident Response, Elsevier
Why Computer Forensics
According to a University of California study:
93% of information was generated in digital form, on computers
7% of information originated in other media such as paper
Computer forensics is required to recover the following data, which can be helpful in a court of law when presenting digital evidence:
Deleted files
Encrypted files
Corrupted files from a system
Why Computer Forensics
Many organizations, including law enforcement agencies, government organizations, public and private sector IT firms, attorneys and investigators, depend upon qualified computer forensic experts to investigate their cases
Search and identify data in a computer to uncover the trail of activities left on computers by perpetrators
When is Computer Forensics Needed?
Forensic analysis is needed when a security incident or cyber crime has occurred and real evidence is required to reconstruct the incident with its sequence of events.
When a breach of contract occurs
When copyright or intellectual property theft occurs
When damage to resources occurs during employee disputes
What is Cyber Crime?
3T’s of Cyber Crime
Cyber crime involves 3 T’s:
It involves the various hacking tools that have been used to commit a crime.
It involves the computer or workstation (including hardware such as the keyboard, mouse and monitor) from which the crime has been committed.
Also termed the victim; it can be government agencies, public and private organizations, websites and consultancy agencies.
It refers to the location where the computer forensic investigator goes about the process of examining the crime scene
It refers to a situation where the computer is used as a secondary tool
It refers to a case where the computer is not used as the primary tool in a crime but only facilitates it
Examples of Cyber Crimes
Example: Sending fraudulent emails with the intention of obtaining credit card details, date of birth, social security number, login credentials etc.
Example: Stealing passwords for online banking services
Example: A stalker sends emails and spreads false information using online forums and social networking websites.
Example: Stealing credit card information used to fraudulently purchase goods online
Example: Used to purchase goods using someone’s credit card. Often used for blackmailing and terrorism
Example: Software, movie and sound recording piracy etc.
More Examples
Theft of Intellectual Property
Damage of Company Service Networks
Financial Fraud
Network or System Penetrations
Denial of Service Attacks
Planting of virus and worms
Cyber Crimes – Attack types
Cyber crime falls into two types of attack:
Insider attacks
External attacks
Digital Evidence
Digital evidence, also known as electronic evidence, refers to any information that can be used in a court of law in a cyber crime investigation.
Examples of Digital Evidence
Digital evidence can be:
Properties of Digital Evidence
There are four properties of Digital evidence;
Processes of Computer Forensics
Seizing Evidence
Consultation with the investigator
Copy the evidence according to local procedures
Restrict the suspect/witness from accessing the digital evidence
Necessary information about the system should be seized from potential suspects
Processes of Computer Forensics
Evidence Handling
If the computer is turned off, do not turn it on
Before powering down a computer, consider the possibility that encryption software is installed on it
Document the condition of the evidence
Take clear photographs (screen, computer front and back, and area around the computer to be seized)
Processes of Computer Forensics
Equipment Preparation
“Equipment” refers to the non-evidentiary hardware utilized to conduct the forensic imaging or analysis of the evidence
Equipment must be monitored and documented to ensure proper performance is maintained.
The manufacturer’s operation manual and other relevant documentation for each piece of equipment should be accessible
Properly operating equipment shall be employed, and analysis/imaging software should be validated prior to use
Processes of Computer Forensics
Forensic Imaging
Document the current condition of the evidence; the integrity of the data should be preserved
The examiner should be trained
Prevent the evidence from exposure
Prevent the evidence from being modified
Processes of Computer Forensics
Forensic Analysis/Examination
Documentation review process by the examiner
Examination strategy should be agreed upon mutually
Appropriate controls and standards should be used during examination
Analysis on original evidence should be avoided
Processes of Computer Forensics
Evidence handling documentation should include:
Copy of legal
Chain of custody
The initial count of evidence to be examined
Information regarding the packaging and condition of the evidence upon receipt by the examiner
Description of the
regarding the case
Processes of Computer Forensics
Examination reports should meet the requirements of the examiner’s agency
Reports issued by the examiner should address the requestor’s needs
The report is to provide the reader with all the relevant information in a clear and concise manner
Processes of Computer Forensics
The examiner’s agency should have a written policy establishing the protocols for technical/peer and administrative review.
The examiner’s agency should have a written policy to determine the course of action if an examiner and reviewer fail to reach agreement
Forensics Tools
EnCase is an industry-standard computer forensic investigation tool
This tool is used by computer forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process
This tool lets examiners acquire data from a wide variety of devices, extract potential evidence with disk-level forensic analysis, and develop comprehensive reports on their findings, all while maintaining the integrity of their evidence
Investigate and analyze multiple platforms: Windows, Linux, AIX, OS X, Solaris and many more
It proactively audits large groups of machines for sensitive or classified information, as well as unauthorized processes and network connections
It also identifies and remediates zero-day events, injected DLL files, rootkits and hidden/rogue processes
This tool also identifies fraud, security events and employee integrity issues, which can then be investigated/remediated immediately and without alerting targets
EnCase Reports
FTK - Forensic Tool Kit
FTK is a world-recognized digital investigations platform for complete and thorough forensic examinations.
It has full-text indexing, advanced searching, deleted file recovery, data carving, and email and graphics analysis.
This tool is well suited to advanced searches for JPEG images and Internet text, locating binary patterns, and automatically recovering deleted files and partitions
It also targets key files quickly by creating custom file filters
FTK - Forensic Tool Kit: Internet/Chat Tab
FTK - Forensic Tool Kit: Memory Analysis
SANS Investigative Forensics Toolkit – SIFT
Cookie Viewer - Internet History Tool
This software discovers the information that web sites store on your computer.
This tool automatically scans your computer, looking for "cookies" created by Microsoft’s Internet Explorer, Mozilla’s Firefox and Google’s Chrome browsers.
It can also delete any unwanted cookies stored by these browsers
Cache View - Internet History Tool
Cache View is a tool used to view the web caches of different web browsers, i.e. Firefox, Internet Explorer and Google Chrome
This tool extracts the following information:
NetAnalysis - Internet History Tool
NetAnalysis is a forensic tool used for the analysis of internet history data.
This tool automatically rebuilds HTML web pages from an extracted cache.
This tool also allows the examiner to easily view JPEG and other image files viewed by the suspect, extracted from the cache.
Visual TimeAnalyzer - Forensic Tool
Visual TimeAnalyzer is a tool designed to track and control computer usage
This tool tracks all computer activities automatically and analyzes them graphically
It performs the following activities:
Track internet surfing related activities, i.e. websites visited
Track computer monitoring activities
Track software related activities
Track user related activities
Email Examiner - Email Forensic Tool
Email Examiner is an industry-leading email examination tool that forensically examines different email formats, including Microsoft Outlook (PST & OST), Thunderbird, Outlook Express, and many more.
This tool not only recovers email in the deleted folders but also recovers email deleted from the deleted items.
This tool not only allows you to analyze message headers and bodies, but also lets you review and search through attachments so that not a single piece of evidence is missed
Forensic Explorer
Forensic Explorer is cutting-edge forensic software used for the preservation, analysis and presentation of digital evidence
This tool has a flexible GUI with the following features: keyword searching, scripting, previewing and advanced filtering
It helps investigators to:
Directory Snoop - Data Recovery Tool
Directory Snoop is a search tool which allows Windows users to investigate their FAT- and NTFS-formatted hard drives to see hidden data
It recovers deleted files and supports different media such as hard drives, floppy disks and flash card drives
Other features of this tool are:
Recover deleted files, including those emptied from the recycle bin
Destroy sensitive files with the secure wiping functions
Securely wipe file slack and free drive space
Search, filter and sort files globally by name and other parameters
View, search, print and copy raw cluster data
Examine the FAT and Master File Tables
Forensics Apprentice
Forensic Apprentice is a tool which acts as an assistant during the forensic examination of a computer
It lets you focus on the important parts of the digital examination and automates the tedious data extraction tasks that you do repeatedly
It has 6 built-in analysis tools:
Windows Forensics
Finding Evidence on a Windows System
Evidence can be found in the following areas:
The Registry
Searching index.dat files
Hidden files
Windows Forensics: Registry Analysis
The Windows Registry is the largest central source of artifacts on a Windows system
It contains the following information:
Registry Organization
Registry Key sections:
Registry Analysis Tools
Scripting tools
Windows Registry
Registry Forensics
Perform a GUI-based live-system analysis
Perform a command-line live-system analysis
Remote live system analysis
Offline analysis on registry files
Registry Analysis
Registry Forensics
Registry Forensics: USB Devices
Windows Forensic Tool: Helix 3 Pro
Helix 3 Pro is an essential computer forensic tool, with a live and bootable CD, for any computer incident investigation
This tool operates in three environments: Mac OS X, Windows and Linux
It performs the following functions:
Create forensic images of physical memory
Create forensic images of all devices
Search file systems for specific file types, i.e. image files, doc files
LockDown - Forensic Hardware Tool
LockDown is a cutting-edge hardware-based forensic write-blocker, used to acquire IDE hard drive media rapidly and securely
It connects through FireWire or USB, reading IDE hard disk media through these common computer port interfaces
It enables a forensic investigator to swap out the suspect hard disk without restarting the computer
It works faster in a Windows environment than DOS-based tools for hard drive acquisition
A portable device, easy to use in the field
Easy to hook up and start analysis.
Drive Lock IDE - Forensic Hardware Device
The Drive Lock IDE is a write-protection tool: a hardware device which prevents data writes to hard drives connected to a computer system
Windows Forensic Analysis
Identifying Illegal activities conducted through USB devices
Case Study: USB Devices
To identify illegal activities conducted through USB devices attached to the computer:
Launch the tool USBDeview
Interesting columns where you could find details are:
Created Date
Last Plug/Unplug Date
Instance ID
Now find the user(s) who were logged in while the USB dongle was plugged in, using a script under Cygwin:
Cygwin: /cygdrive/c/forensics/tools $ python who_was_logged_in.py 'yyyy-mm-dd hh:mm:ss'
Now identify the connection data of the USB dongle, i.e. SSID, IP addresses etc., and map the dongle to the one listed by USBDeview
Now we have to identify the following:
Who used the USB dongle?
When was the USB dongle used?
Basic connection details, i.e. SSIDs
After finding out the above details, try to find out the motive of the user, e.g.:
What did the user do with the internet connection?
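The correlation step in the case study above (who was logged in at the device's Created Date and Last Plug/Unplug Date) as an added example; this is not the deck's who_was_logged_in.py script. It assumes a USBDeview-style tab-separated export and a list of logon sessions with their logon type, both constructed here.

```python
"""Correlate USB device plug-in times with logon sessions.

Added example for the USB case study above; it is not the deck's own
who_was_logged_in.py script and the data is constructed. It takes a
USBDeview-style export (the Created Date, Last Plug/Unplug Date and
Instance ID columns the slides point at) plus logon/logoff sessions
as an examiner would pull from the Security event log, and reports who
was logged in when each device appeared. Timestamps are assumed to
share one time zone.
"""
import csv
import io
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Constructed USBDeview-style export (tab-separated; the exact column set
# used here is an assumption, not USBDeview's documented layout).
USBDEVIEW_EXPORT = """Device Name\tDevice Type\tCreated Date\tLast Plug/Unplug Date\tInstance ID
Contoso 4G Dongle\tVendor Specific\t2014-05-12 09:14:02\t2014-05-12 09:14:02\tUSB\\VID_1234&PID_5678\\ABC123
Generic Flash Disk\tMass Storage\t2014-05-10 17:40:11\t2014-05-12 13:05:45\tUSB\\VID_0AAA&PID_0BBB\\SN0001
"""

# Constructed sessions: (user, logon type, logon, logoff); None = still logged in.
# The service account is included on purpose: it is "logged in" around the
# clock, so counting it would wrongly widen the list of candidate users.
SESSIONS = [
    ("alice", "Interactive", "2014-05-12 08:30:00", "2014-05-12 12:15:00"),
    ("bob", "Interactive", "2014-05-12 12:20:00", None),
    ("svc_backup", "Service", "2014-05-10 00:00:00", None),
]


def parse_usbdeview(text):
    """Rows of the export as dicts with the two timestamps parsed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        rows.append({
            "name": row["Device Name"],
            "instance_id": row["Instance ID"],
            "created": datetime.strptime(row["Created Date"], TS),
            "last_plug": datetime.strptime(row["Last Plug/Unplug Date"], TS),
        })
    return rows


def users_logged_in_at(sessions, when, include_services=False):
    """Users whose session covers the instant `when` (interactive only by default)."""
    users = []
    for user, logon_type, logon, logoff in sessions:
        if logon_type != "Interactive" and not include_services:
            continue
        start = datetime.strptime(logon, TS)
        end = datetime.strptime(logoff, TS) if logoff else None
        if start <= when and (end is None or when <= end):
            users.append(user)
    return sorted(users)


def correlate(usb_rows, sessions):
    """Per device: who was logged in at first insertion and at the last plug/unplug."""
    report = {}
    for dev in usb_rows:
        report[dev["instance_id"]] = {
            "name": dev["name"],
            "first_seen": dev["created"],
            "users_at_first_seen": users_logged_in_at(sessions, dev["created"]),
            "last_plug": dev["last_plug"],
            "users_at_last_plug": users_logged_in_at(sessions, dev["last_plug"]),
        }
    return report


if __name__ == "__main__":
    for instance_id, info in correlate(parse_usbdeview(USBDEVIEW_EXPORT), SESSIONS).items():
        print(instance_id)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

The Created Date only gives the first insertion; for a device plugged in several times, the setupapi log or event log is needed to recover the intermediate plug-ins.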
The Windows Registry
The Internet Explorer browser stores the 25 most recently typed URLs in the registry
We can’t examine this key directly in the regedit.exe tool
In order to analyze the above, we need to use a third-party tool, “RegRipper”, to analyze this hive offline

Web Browsing History
Now, from the typed URLs, we only know what the user actually typed into the address bar
But we still don’t know when this happened
In order to get additional information about internet browsing activities, we need to get information from the browsing history
Elements of Web-Browsing History
Interesting File Locations..
Did the user visit the webpage intentionally?
Where can we find information on what users did with IE?
Is data deleted from these locations (cache/history/cookie file)?
Yes, if it’s in the cache/history/cookie file
Pasco: Index.dat File Parser
Pasco Output
Sample Output from Pasco:
Type: URL
Last accessed time: 10/09/2007 11:18:48
Filename: 302-3061595-9808016[2].htm
Directory: BRNONATM
HTTP headers:
HTTP/1.1 200 OK
Content-Length: 120986
Content-Type: text/html
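An added example (not Pasco's code) that parses records in the layout shown in the sample above into an access-time ordered timeline, which is what the earlier question "when did this happen?" needs. The records are constructed, the optional "URL:" line and the month/day/year reading of the timestamp are assumptions.

```python
"""Parse Pasco-style index.dat records into a browsing timeline.

Added example for the Pasco / index.dat passage above; it is not Pasco's
own code. It reads records laid out as in the deck's sample (a block of
"Key: value" lines, then "HTTP headers:" followed by raw header lines,
with a blank line between records). Assumptions: timestamps are
month/day/year as in the sample, and a record may carry an optional
"URL:" line. The input below is constructed, not real evidence.
"""
from datetime import datetime

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample in the layout shown on the slide.
PASCO_SAMPLE = """\
Type: URL
URL: http://www.example.com/orders/302-3061595-9808016
Last accessed time: 10/09/2007 11:18:48
Filename: 302-3061595-9808016[2].htm
Directory: BRNONATM
HTTP headers:
HTTP/1.1 200 OK
Content-Length: 120986
Content-Type: text/html

Type: URL
URL: http://www.example.com/images/banner.jpg
Last accessed time: 10/09/2007 11:18:51
Filename: banner[1].jpg
Directory: K1QZ0X7B
HTTP headers:
HTTP/1.1 200 OK
Content-Length: 48213
Content-Type: image/jpeg

Type: REDR
URL: http://www.example.com/login
Last accessed time: 10/09/2007 11:17:02
Filename:
Directory:
HTTP headers:
"""


def parse_record(block):
    """One record block -> dict; the HTTP headers become a nested dict."""
    rec = {"headers": {}, "status": None}
    in_headers = False
    for line in block.strip("\n").splitlines():
        if in_headers:
            if line.startswith("HTTP/"):
                rec["status"] = line.strip()       # status line has no "name:" form
            elif ":" in line:
                name, value = line.split(":", 1)
                rec["headers"][name.strip().lower()] = value.strip()
            continue
        if line.strip() == "HTTP headers:":
            in_headers = True
            continue
        key, _, value = line.partition(":")        # split at the first colon only
        rec[key.strip().lower()] = value.strip()
    raw = rec.get("last accessed time", "")
    rec["accessed"] = datetime.strptime(raw, TIME_FORMAT) if raw else None
    return rec


def parse_pasco(text):
    """Split the tool output into records and parse each one."""
    return [parse_record(b) for b in text.split("\n\n") if b.strip()]


def timeline(records):
    """Records in access order: this answers 'when did this happen?'."""
    return sorted((r for r in records if r["accessed"]), key=lambda r: r["accessed"])


def pages_viewed(records):
    """Only entries the browser rendered as HTML documents, not embedded assets."""
    return [r for r in records
            if r["headers"].get("content-type", "").startswith("text/html")]


if __name__ == "__main__":
    for r in timeline(parse_pasco(PASCO_SAMPLE)):
        print(r["accessed"], r["type"], r.get("url"), r["status"])
```

Separating text/html entries from image and redirect (REDR) entries is what lets the examiner argue whether a page was visited deliberately rather than pulled in by another page.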
Anti-Forensics Practice
Anti-forensics refers to a process which makes an investigation on digital media more difficult by limiting or corrupting the evidence that could be collected by an investigator
Performs data hiding and distortion
Exploits limitations of known and used forensic tools
Anti-Forensics Practice
General anti-forensic categories are:
Infrastructure development
Payment infrastructures
Privacy and Security
Anti-Forensics Tools
PE Builder
Create an XP bootable CD
Boot from the CD and create an encrypted environment on the HD
No trace on the PC
Encryption: TrueCrypt
Settings are not stored in the registry
It uses a “key file” rather than a crypto key
Creates a virtual encrypted disk within a file and mounts it as a disk
Steganography: Hermetic Stego
It can hide data in graphic or audio files
Steganography Tools
4T HIT Mail Privacy Lite
R-Wipe & Clean
Evidence Eliminator
Forensic Investigator Professional Conduct
Maintaining Professional Conduct
Should maintain moral integrity and ethical behavior
Should maintain professional
Should be unbiased
Should maintain confidentiality during the investigation
Maintaining Professional Conduct
Should not conclude the investigation in a hurry
Should ignore external biases
Should stay up-to-date with his field
Should be smart in learning the latest forensic investigation techniques
In today’s world, the need for security incident handling and consequently computer forensics has grown due to the rapid increase in cyber crime
A computer can be used as a tool for investigation or as
A computer forensic investigator must be aware of the steps involved in the investigative process
The 3A’s of computer forensics methodologies are Acquire, Authenticate, and Analyze
In order to be a successful computer forensic investigator, you must be familiar with more than one computing environment
Public forensic investigations typically require a search warrant before the digital evidence is seized
During public investigations, the forensic investigator must search for evidence to support criminal allegations
