1 computer crime and forensics ed crowley cissp. 2 today’s topics is security models education...
Post on 16-Jan-2016
232 Views
Preview:
TRANSCRIPT
1
Computer Crime and Forensics
Ed Crowley CISSP
2
Today’s Topics
IS Security Models Education
Computer Crime Statistics Trends Categories Laws
Incident Response
Computer Forensics Development Timeline
CF Categories Disk Forensics System Forensics Network Forensics Internet Forensics
Case Demonstration Digital Evidence
Rules of Evidence Daubert Rule
3
Who am I?
Certified Information System Security Professional (CISSP) Security + Certified, other certifications from Cisco,
CompTIA, Microsoft IST Assistant Professor at UH Military Police Academy Graduate.
Trained in Investigative Techniques Former:
IS Director Researcher in Academic Computing
4
Who are They?
Alexey Ivanov and
Vasiliy Gorshkov
Datastream
Robert Morris
Michael Buen &
Onel de Guzman
5
CSI/FBI Survey Crime Statistics
6
CERT Computer Crime Statistics
0
5000
10000
15000
20000
25000
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000
Incidents
3-DColumn 2
7
Attack Trends Overview
Automation: increasing speed of attacks Increasingly sophisticated attack tools Faster discovery of vulnerabilities Increasing permeability of firewalls Increasingly asymmetric threat Increasing threat from infrastructure attacks
--CERT/CC
8
Selected Costs
SirCam: 2.3 million computers affected Clean-up: $460 million Lost productivity: $757 million
Code Red: 1 million computers affected Clean-up: $1.1 billion Lost productivity: $1.5 billion
Love Bug: 50 variants, 40 million computers affected $8.7 billion for clean-up and lost productivity
http://energycommerce.house.gov/107/hearings/11152001Hearing420/McCurdy724.htm
9
Trends Summary
…organizations relying on the Internet face significant challenges to ensure that their networks operate safely and that their systems continue to provide critical services even in the face of attack.
--CERT/CC By inference, any organization utilizing digital computers needs
to be concerned
10
General Computer Crime Categories Computer as the target
Computer intrusion, Data Theft Computer as the instrumentality of the crime
Credit card fraud, telecomm fraud Computer as incidental to other crime
Drug trafficking, money laundering Crimes associated with the prevalence of computers
Copyright violation, software piracy
11
Other Computer Crimes
Child Pornography Traveler cases
Criminal Copyright Threats Fraud
To prove what happened and who is responsible, all crimes require forensic evidence.
What are the relevant laws?
12
Selected Laws
Economic Espionage Act Federal Computer Fraud and Abuse Act Federal Sentencing Guidelines National Infrastructure Protection Act Patriots Act Privacy Laws
13
Economic Espionage Act 1996 Enables FBI to investigate industrial and
corporate espionage cases. Deals with industry and corporate espionage. Defined trade secrets to be technical,
business, engineering, scientific, or financial.
14
Federal Computer Fraud and Abuse Act 1986, 1994 Title 18, U.S. Code, 1030, outlaws accessing
computers used in interstate commerce to : Acquire national defense information Obtain financial information Deny the use of the computer Affect a fraud
Also outlaws: Damaging or denying use of an FIC thru transmission of
code, program, information or command Loss of at least $5000 in a year
Furthering a fraud by trafficking in passwords
15
U.S. Federal Sentencing Guidelines 1991, 1997 Degree of punishment is a function of demonstrated
due diligence (due care or reasonable care) in establishing a prevention and detection program Specifies Levels of Fines Mitigation of fines through implementation of precautions
In 1997, extended to apply to computer crime. Management has the obligation to protect the organization
from losses due to natural disaster, malicious code, compromise of proprietary information, damage to reputation, violation of the law, employee privacy suits, and stockholder suits.
16
U.S. National Information Infrastructure Protection Act, 1996 Address protection of data and systems
confidentiality, integrity, and availability Addresses industrial and corporate
espionage. Extends the definition of property to include
proprietary economic information
17
Patriots Act, 2001
After 9-11, expands reach of law enforcement in efforts to pursue or capture terrorists.
Authorizes interception of wire, oral, and electronic communications relating to terrorism and to computer fraud and abuse.
Authorizes sharing of criminal investigative information
18
Privacy Laws
Goal is the protection of information on private individuals from intentional or unintentional disclosure or misuse.
Include: Graham-Leach-Bliley, 1999 Health Insurance Portability and Accountability
Act (HIPAA) US Privacy Laws differ from European Laws.
19
IS Security Education
Four new IS Security courses in the Project Management Masters (COT) UH Main Campus (IS Specialization)
CISSP prep course for the Applied Business and Technology Center UH Downtown
Applying for NSA 4011 certification UH Main Campus
20
Security Goals
Historical Goals: Confidentiality Integrity Availability
Expanded to include: Authentication Non repudiation Dynamic Environment
NSA Security Model
21
Security Models and Knowledges NSA
Initial and Evolved Model ISC(2)
Common Body of Knowledge (CBK) Layered Security Model
Defense in depth
22
ISC2 Common Body of Knowledge (CBK) Security Management Security Models and
Architectures Operations Security Access Control Physical Security Application and System
Development
Law, Investigation, and Ethics
Telecomm and Networking
Cryptography Disaster Recovery and
Business Continuity
23
Layered Security Model
24
ISAlliance on Security
“Security is not a one-time activity but rather a continuous, risk managed process,”
-- ISAlliance Executive Director Dave McCurdy.
25
Countermeasures
Detective Forensics Incident Response Intrusion Detection
Preventative Access Control Physical Security Network Security
26
What is an Incident?
Any adverse event that impact an organization’s security or ability to do business.
Incident Handling Addressed by establishing a Computer Incident Response
Team (CIRT). Many incidents are the result of incompetent
employees, malicious employees, other insiders, accidental actions, and natural disasters.
See Carnegie Mellon’s CERT
27
Incident Response Teams
Makes decisions on system viability Shutdown? Unplug from net?
Conduct Forensics Search for evidence Secure and preserve evidence
When necessary, contacts outside experts, forensic or LE Calling LE may limit your ability to investigate the
incident Documents incident
28
Forensics
Attempts to determine:1. What happened?2. Who is responsible?
While most computer crimes are not prosecuted, we should still consider acceptability in a court of law as our standard for investigative practice.
-- Kruise and Hiese
Forensics are based upon Locard’s Exchange Principle
29
Locard’s Exchange Principle
Anyone, or anything, entering a crime scene takes something of the
scene with them, and leaves something behind when they depart.
30
Forensic -- Traditional
Fingerprints Hairs and Fibers Ballistics DNA Collection and Testing
31
Computer Forensics Defined
Computer Forensics is the name for the field of investigating computer crime. Relatively young discipline.
Unique issues associated with computer crime cases include: Compressed investigation time frame (detective) Intangible (digital) information Potential interference with the normal conduct of
the business
32
Computer Forensics
Developed outside of the main traditions of Forensics Science
Forensic Science implies: Repeatability of investigations Testing of methods A normal process of determining “what is generally
scientifically agreed” via peer reviewed journal articles
--Peter Sommer
33
A Brief CF Development Timeline Early ’90s, feeling that digital evidence might
be important Mid ’90s, Law Enforcement discovers
computer crime and computer evidence. Kiddie porn and the threat of computer crime LE struggles to understand how to respond
34
A Brief CF Development Timeline Mid 90’s, LE experiments with Computer Forensic
delivery models. LE forms units, specialties, and labs. Begins to develop CF policies and procedures
Late 90s,critical mass achieved CF critical to many cases
Note, CF was developed from the bottom up.
--Mark Pollitt, Director FBI National Program Office for Regional Computer Forensic Laboratories
35
Basic Methodology
Without altering or damaging original source, acquire evidence
Authenticate that recovered evidence is the same as the original.
Establish audit trail of all processes applied to computer based evidence. Must be third party repeatable
Analyze the data without modifying it.
36
Methodology
Failure to utilize appropriate methodologies may prevent successful prosecution May cost your organization $4.3 Million!
Failure to maintain evidence integrity may invalidate the evidence. You may know who committed the crime, but without your
evidence, you may not be able to prove it in court.
For further information, consult the ACPO Good Practices Guide.
37
Computer Forensics Development Disk Forensics
Well developed System Forensics
O/S Dependent Network Forensics
Includes ID systems Internet Forensics
Includes ISP logs etc.
38
What can Disk Forensics do?
Recovers: Deleted files Passwords Cryptographic keys
Analyzes file access, modification and creation times.
Views/analyzes: System logs Application logs
May determine users or applications system activity. Analyze e-mails for source information and content.
39
Disk Forensics
Requires (bit-stream) Image copies Include slack, unallocated space, and deleted file
fragments. Investigating officers must be able to
demonstrate compliance with evidence rules Integrity can be demonstrated with a
message digest.
40
Disk Forensics
Most mature computer forensics area. Methodology for preserving and presenting in
court Disk Data is well established. Commercial Tools readily available
Love Bug Case Study Hex Editors and Microsoft Office Michael Buen & Onel de Guzman Jurisdiction Issues
41
Commercial Forensics Tools
Tools and Vendors include: EnCase
Guidance Software Pasadena, CA SafeBack
New Technologies, Inc. (NTI), Gresham, Oregon
42
EnCase
Considered the leader in stand-alone forensics analysis.
Widely accepted in court. Facilitates examination of files, including
deleted files and unallocated data. Produces reports and extracts without
altering the original data.
43
Other Forensic Tools
Linux DD Used by FBI, among other tools, in Zacarias Moussaoui’s
Case Coroners Tool Kit (CTK)
By Dan Farmer and Wietse Venema Used for investigating Unix systems
Winhex State-of-the-Art Software Inexpensive hex, disk, and RAM editor. Data analysis features include identification of certain file
types (such as images) in unknown data, like that of recovered files.
Includes drive imaging and deleted data recovery capabilities.
MD5Sum, 128 bit Message Digest generator
44
Message Digests and Digital Signatures Message digests provide a method of near
individualization and, therefore, are sometimes referred to as digital fingerprints.
--Eoghan Casey Digital signatures add reliability to a message digest
Essentially, a digital signature indicates that a given (trusted) individual calculated the message digest of a certain file.
45
System Forensics
Include ambient data such as: Swap Files Temporary Files File Systems
Internet Tokens Key Stroke Loggers
Alexey Ivanov and Vasiliy Gorshkov, Invita Case Study
46
Computer Addresses
Logical or IP addresses Public IP addresses are assigned by ARIN
Physical or MAC addresses MAC addresses are burned in and have been
used to identify a particular computer Melissa and the Love Bug Viruses were identified this
way
47
Network Forensics
Evidence collected from normal operation Logs Intrusion Detection Systems
Evidence collected in specific surveillance Extended logs Sniffers
IP headers contain source and destination IP addresses
DataLink headers contain source and destination MAC addresses
48
Sniffer
49
Network Forensics
Most networks have the capability to track the user activity These capabilities may or may not be configured They may or may not be corrupted by an intruder
Frequently involve multiple machines Includes discovery of IP addresses, host names,
network routes and Web site information.
50
Log File
51
Internet Forensics
Remote machines on the Internet also have the capability of tracking events.
Case Study University of Tulsa Camera Equipment Theft Several thousand dollars worth of camera equipment
shipped to a shack. After delivery and prior to LE being notified, the shack was
knocked down. Utilizing Internet Forensics, culprits were identified
and caught.
52
Computer or Communications Evidence? May have an international scope.
Issues Jurisdictions Time and labor
Different laws apply to unread email than to information stored on a hard drive
Rome Labs Case Study
53
Digital Evidence
Digital evidence must be authentic and must be able to be proven that it has not been modified
Evidence Life Cycle Discovery and
recognition Protection Recording Collection Identification Preservation Transportation Presentation in court Return to owner
54
Evidence Characteristics
Sufficient, reliable, and relevant Sufficient means it must be persuasive enough to
convince a reasonable person of the validity of the findings.
Reliable, or competent, means it must be consistent with fact.
Relevant means it must have a reasonable and sensible relationship to the findings.
55
Rules of Evidence
Distinguish between hearsay and direct evidence Require proof of authenticity and integrity
Chain of custody requires that: No information has been added or changed A complete copy was made A reliable copying process was used All media was secured.
A Message Digest can demonstration Integrity A digital signature can demonstrate Authentication
and Non Repudiation
56
Evidence Handling
If evidence is handled improperly, the rest of the investigation may be comprised.
A documented chain of custody must include: Who collected the evidence? How and where? Who took possession? How was it stored and protected? Who took it out of storage?
57
Common Problems
No established incident response team. Evidence compromised while it was gathered
No established incident response policies Evidence may be compromised prior to gathering
Inappropriate methodology Peer review
Broken chain of custody Appropriate evidence was gathered but can not be
presented in court
58
Who Gathers Forensic Evidence? Incident Response Team, or other trained
professionals, respond to an incident. Specific actions should be based on the specific
incident and the organization’s Incident Response Policy.
An incident response team ensures that: There is a group of properly skilled professionals. There is a standard set of procedures Resources and processes are available when an incident
occurs.
59
Types of Evidence
Best evidence -- Original or primary evidence Secondary evidence -- A copy or oral description Direct evidence -- Proves or disproves a specific act
through oral testimony Conclusive evidence -- Incontrovertible: overrides all
other evidence Hearsay Evidence -- (3rd party) not generally
admissible
60
Hearsay Rule
Key for Computer Generated Evidence Second Hand Evidence Admissibility Based on Veracity and Competence of Source
Exceptions: Rule 803 of Federal Rules of Evidence Business Documents created at the time by person with knowledge, part of regular business, routinely kept, supported by testimony.
61
Hearsay Exceptions
Computer generated records and other business records fall into this category
Exceptions if records: Are made during the regular conduct of business and
authenticated by witnesses familiar with them Relied upon in the regular course of business Made by a person with knowledge of the records In the custody of the witness on a regular basis
62
System Logs as Evidence
According to the US Federal Rules of Evidence:
Log files that are created routinely an contain information about acts and events made at specific times by, or from information transmitted by, a person with knowledge
Are not excluded by the hearsay rule.
63
Daubert Rules
To assist the lower courts in applying Daubert, the Court provided the following list of factors that courts should consider before ruling on the admissibility of scientific evidence:
1. Whether the theory or technique has been reliably tested;2. Whether the theory or technique has been subject to peer review
and publication;3. What is the known or potential rate of error of the method used;
and4. Whether the theory or method has been generally accepted by
the scientific community.
64
Surveillance, Search, and Seizure Computer surveillance pertains to audition events,
which passively or actively monitors events by using network sniffers, keyboard monitors, wiretaps, and line monitors
Active monitoring may require a search warrant. To legally monitor an individual, the person had to
have been warned ahead of time that her activities may be subject to this type of monitoring.
65
Guidelines for Searching and Seizing Computers US Federal Guidelines for Searching and
Seizing Computers (DOJ 1994)
66
For Further Study
Eoghan Casey; Digital Evidence and Computer Crime; Academic Press; March 15, 2000; ISBN: 012162885X
Kruse and Heiser Computer Forensics: Incident Response Essentials; Addison-Wesley Pub Co; September 26, 2001; ISBN: 0201707195
67
Questions
68
top related