Ch3 - Digital Evidence & Frauds

DIGITAL EVIDENCE & FRAUDS

Session Objectives: At the end of this Session, you will be able to understand:

- Meaning of Digital Evidence
- Steps of Computer Forensics
- Firewall Forensics
- Firewall Log Analysis & Management
- Database Forensics
- Computer Frauds
- Types of Computer Crimes
- Steps for Computer Crime Investigation
- Recommendations

Chapter-3. All Rights Reserved. www.sedulitygroups.com

Uploaded by: sarthak-gupta

Posted on 12-Mar-2015



3.1 WHAT IS DIGITAL EVIDENCE

Digital Evidence, or Electronic Evidence, is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Digital evidence is information of probative value that is stored or transmitted in binary form. The field includes not only computers in the traditional sense but also digital audio and video; it covers all facets of crime where evidence may be found in digital or binary form. Perhaps the most commonly reported computer crime in the news is child pornography, but computers are also instrumental in crimes ranging from check fraud to conspiracy to commit murder.

Digital Evidence comes in numerous form factors, such as:

While these are obvious form factors, there are numerous form factors that are not so obvious, such as:


3.2 Definitions

1. Acquisition of Digital Evidence: begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process, appropriate for the rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.

2. Data Objects: objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.

3. Digital Evidence: information of probative value stored or transmitted in digital form.

4. Physical Items: items on which data objects or information may be stored and/or through which data objects are transferred.

5. Original Digital Evidence: physical items and the data objects associated with such items at the time of acquisition or seizure.

6. Duplicate Digital Evidence: an accurate digital reproduction of all data objects contained on an original physical item.

7. Copy: an accurate reproduction of information contained on an original physical item, independent of the original physical item.

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. As compared to more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. Regarding computer-related crime cases, evidence is classified into three main categories according to SWGDE/IOCE standards:

- Digital evidence, where the information is stored or transmitted in electronic or magnetic form.
- Physical items, where the digital information is stored or transmitted through a physical medium.
- Data objects, where the information is linked to physical items.

Generally speaking, there are three requirements for evidence to be admissible in court:

1. Authentication
2. The best evidence rule
3. Exceptions to the hearsay rule

Authentication means showing a true copy of the original; best evidence means presenting the original; and the allowable exceptions are when a confession, business, or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential or most correct element of this in practice. Some say documentation (of what has been done), others say preservation (or integrity of the original), and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each or all as the standard in computer forensic law. In addition, the Indian courts require the legality of the evidence: it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the IT Act 2000 and IT Act 2008.

3.3 Digital Forensic Examiner Proficiency and Competency Tests

Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies, and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills, and abilities of forensic examiners at all levels.


However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement, and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will bring this newest forensic science into the fold of universally accepted laboratory examination specialties. Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (ACPO) guidelines. These are made up of four principles, as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

There are many reasons to employ the techniques of computer forensics:

- In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
- To recover data in the event of a hardware or software failure.
- To analyze a computer system after a break-in, for example to determine how the attacker gained access and what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

There are five basic steps to computer forensics:

1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting


Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to be used based on the case.

Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).

Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason, it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Other specific practices that have been adopted in the handling of digital evidence include:

- Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.
- Establishing and maintaining the chain of custody.
- Documenting everything that has been done.
- Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys, and methodology. Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers, and network servers.

In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Traditionally, computer forensic investigations were performed on data at rest, for example the content of hard drives. This can be thought of as a "dead analysis". Investigators were told to shut down computer systems when they were impounded, for fear that digital time-bombs might cause data to be erased.


In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive: the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as dcfldd, IXimager, or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still-viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again (known as hashing) to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a court room, however.
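The hash-and-verify practice described under Collection and in the imaging step above, worked through as an added example (this code is not from the chapter): the image is hashed in chunks with the digests the text names, SHA-1 and MD5, plus SHA-256 because the first two are no longer collision-resistant; a manifest file plays the role of the investigator's notebook, and a later verification catches a single flipped byte. File names, the manifest layout and the examiner label are assumptions for the demonstration.

```python
"""Hash-based integrity verification for an evidence image (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images never need to fit in RAM
ALGORITHMS = ("md5", "sha1", "sha256")  # the two the chapter names, plus a modern one


def hash_image(path):
    """Return {algorithm: hexdigest} for the file at path, reading it only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(image_path, manifest_path, examiner, note):
    """Hash the image and append a dated entry to the manifest (the notebook's role)."""
    entry = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "examiner": examiner,
        "note": note,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "digests": hash_image(image_path),
    }
    with open(manifest_path, "a") as mf:
        mf.write(json.dumps(entry) + "\n")  # one JSON object per line, append-only
    return entry


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare it against its first manifest entry.

    Returns (ok, mismatched_algorithms). Every recorded algorithm is compared,
    so a weak digest (MD5) standing alone cannot mask a change.
    """
    name = os.path.basename(image_path)
    with open(manifest_path) as mf:
        entries = [json.loads(line) for line in mf if line.strip()]
    recorded = next((e for e in entries if e["image"] == name), None)
    if recorded is None:
        raise LookupError(f"no manifest entry for {name}")
    current = hash_image(image_path)
    mismatched = [a for a in ALGORITHMS if current[a] != recorded["digests"][a]]
    return (not mismatched, mismatched)


def demo():
    """Constructed scenario: a fake 'image', an acquisition record, then one flipped byte."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect-disk.dd")          # assumed file name
    manifest = os.path.join(workdir, "chain-of-custody.jsonl")  # assumed manifest name
    with open(image, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))  # random bytes stand in for a disk image
    record_acquisition(image, manifest, "examiner-01", "acquired via write blocker")
    before = verify_image(image, manifest)  # expected (True, [])
    with open(image, "r+b") as fh:          # simulate an accidental modification
        fh.seek(CHUNK + 5)
        original = fh.read(1)
        fh.seek(CHUNK + 5)
        fh.write(bytes([original[0] ^ 0x01]))
    after = verify_image(image, manifest)   # expected (False, all three algorithms)
    return before, after


if __name__ == "__main__":
    print(demo())
```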

3.5 Collecting Volatile Data

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield the login/password for recently accessed local email applications, including MS Outlook.


In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures, and duration of data storage increase. Holding unpowered RAM below minus 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first successful step in searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, Cyber Crime Investigators and Law Enforcement officers must have a search warrant which covers the location and description of the system. Thirdly, the digital evidence shall be properly seized when it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g., the keyboard or the mouse) and output (e.g., a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term means the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.


3. Thus, searching and seizing Digital Evidence in computers will often refer to the hardware, software, and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors, and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on either one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible; they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs, and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals, and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-Gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted, and printed out.

The field of computer forensics also has sub-branches within it, such as:


3.7 Firewall Forensics

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because, in many cases, it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query, and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open, and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.
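Recognising the pattern just described in raw firewall logs, as an added example rather than code from the chapter or from the NetIQ or Cisco products it mentions: the log line format, the sample lines and the thresholds are constructed for the demonstration, and the addresses reuse the chapter's 10.1.1.200 to 10.1.1.2 scenario. The detector groups events by source and destination pair and flags a pair that touches many distinct destination ports within a short window, which is what separates a scan from one client retrying a single service.

```python
"""Port-scan triage over firewall logs (added example, constructed input)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one scanning host, one host retrying a single port, one UDP oddity.
SAMPLE_LOG = """\
2015-03-12T10:15:01 DENY TCP 10.1.1.200:51234 -> 10.1.1.2:21
2015-03-12T10:15:01 DENY TCP 10.1.1.200:51235 -> 10.1.1.2:22
2015-03-12T10:15:02 DENY TCP 10.1.1.200:51236 -> 10.1.1.2:23
2015-03-12T10:15:02 DENY TCP 10.1.1.200:51237 -> 10.1.1.2:25
2015-03-12T10:15:03 DENY TCP 10.1.1.200:51238 -> 10.1.1.2:110
2015-03-12T10:15:03 DENY TCP 10.1.1.200:51239 -> 10.1.1.2:143
2015-03-12T10:15:04 DENY TCP 10.1.1.200:51240 -> 10.1.1.2:443
2015-03-12T10:15:04 DENY TCP 10.1.1.200:51241 -> 10.1.1.2:3389
2015-03-12T10:15:05 ALLOW TCP 10.1.1.200:51242 -> 10.1.1.2:80
2015-03-12T10:20:00 DENY TCP 10.1.1.50:40001 -> 10.1.1.2:445
2015-03-12T10:21:00 DENY TCP 10.1.1.50:40002 -> 10.1.1.2:445
2015-03-12T11:00:00 DENY UDP 10.1.1.77:5353 -> 10.1.1.2:5353
"""


def parse(log_text):
    """Yield one record per well-formed line; malformed lines are skipped, never guessed at."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        yield rec


def find_port_scans(records, min_ports=5, window_seconds=60):
    """Flag (src, dst) pairs that touched >= min_ports distinct ports inside one window.

    ALLOW lines are counted as well: a scan also hits the ports that are open,
    and those are exactly the ones the attacker learns the most from.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()  # time-ordered so a sliding window is valid
        start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 < min_ports:
                continue
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                # Extend to every event still inside the same window for the report.
                last = end
                while (last + 1 < len(events) and
                       (events[last + 1][0] - events[start][0]).total_seconds() <= window_seconds):
                    last += 1
                ports = {p for _, p in events[start:last + 1]}
                findings.append({"src": src, "dst": dst,
                                 "distinct_ports": sorted(ports),
                                 "first": events[start][0], "last": events[last][0]})
                break  # one finding per pair is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_port_scans(parse(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {len(f['distinct_ports'])} distinct ports "
              f"between {f['first'].time()} and {f['last'].time()}")
```

The logged source address is only a lead: as the next section explains, it still needs corroboration before anyone is named.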

3.8 The Value (or Not) of IP Addresses

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that, in general, it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that, after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is to look for TCP resets from the innocent victim in your firewall logs.

3.9 Deciphering Port Numbers

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers, and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

- TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers
- IP protocols: http://www.iana.org/assignments/protocol-numbers
- ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should probably not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer, and how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

- New GUI interface: an MMC snap-in is now available to configure the advanced firewall.
- Bi-directional: filters outbound traffic as well as inbound traffic.
- Works better with IPsec: the firewall rules and IPsec encryption configurations are now integrated into one interface.
- Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall you can better secure your servers from attack, your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the Control Panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC, started from the Start menu Search box

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that do not match an inbound allow rule, while outbound connections are allowed unless a rule blocks them (the default outbound action is Allow). Something else you will notice is that there are also different profiles for WFAS (see Figure 3.6 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.7:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's ISA Server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules.


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built into Windows, the port would have been opened for you automatically when the role was added. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter - in our case it is going to be TCP (as opposed to UDP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number - our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server executable).

Open the Windows Firewall with Advanced Security MMC.

Add the rule - click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard:


Figure 3.10 Windows 2008 Server Advanced Firewall MMC - new rule button

Select that you want to create a rule for a port.

Configure protocol & port number - take the default of TCP, enter the port number as 80 and click Next.

Take the default of "Allow the connection" & click Next.

Take the default of applying this rule to all profiles & click Next. (If the server should only answer on the corporate network, restrict the rule to the Domain profile, or narrow the remote addresses afterwards on the rule's Scope tab; the wizard default opens the port to any remote address in every profile.)

Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC - after rule was created
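The wizard above is one way to open the port; the same rule can be created from the netsh advfirewall CLI mentioned earlier, and the rule set that results can be audited from that CLI's text output. The following Python script is an added example (not part of the original chapter and not Microsoft's code): it parses the output of `netsh advfirewall firewall show rule name=all` and lists the enabled inbound allow rules that are open to any remote address in a given profile, which is exactly what the wizard's defaults produce. The sample text embedded in the script is constructed to match the label/value layout netsh prints; the exact labels and the rule contents are assumptions to check against your own server's output.

```python
"""Audit Windows Firewall with Advanced Security rules from `netsh` text output.

Added example, not from the chapter. The Apache rule from the walk-through can
be created without the wizard:

    netsh advfirewall firewall add rule name="Apache HTTP" dir=in action=allow protocol=TCP localport=80

and `netsh advfirewall firewall show rule name=all` dumps every rule as
"Label:  value" lines separated by dashed lines. SAMPLE below is constructed
to match that layout (assumption: labels as printed by Windows Server 2008).
Run the script with real output piped into stdin to audit a live server.
"""
import re
import sys

SAMPLE = """\
Rule Name:                            Apache HTTP
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            80
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             10.0.0.0/8
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow
Ok.
"""

LABEL = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_rules(text):
    """Turn the `show rule` dump into a list of dicts, one per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = LABEL.match(line)
        if not m:
            continue                  # dashed separators, blank lines, "Ok."
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":        # a new rule starts here
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def exposed_inbound(rules, profile="Public"):
    """Enabled inbound allow rules reachable from any remote address in `profile`.

    These deserve a second look on an Internet-facing server: the wizard
    default of "all profiles" plus RemoteIP=Any opens the port to the world,
    not just to the LAN.
    """
    hits = []
    for r in rules:
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"
                and profile in r.get("Profiles", "").split(",")):
            hits.append((r["Rule Name"], r.get("Protocol"), r.get("LocalPort")))
    return hits


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, proto, port in exposed_inbound(parse_rules(text)):
        print(f"{name}: {proto}/{port} open to any remote address (Public profile)")
```

The RDP rule in the sample is scoped to 10.0.0.0/8 and the DNS rule is outbound, so only the Apache rule is reported; narrowing the Apache rule's Scope tab to the expected client ranges makes it drop out of the report too.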

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains. (ipchains is the packet filter of the 2.2 kernel era; current distributions use iptables or nftables, but the question-and-answer workflow described here produces the same kind of rule file.)


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security - This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security - This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall - This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server - Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail - Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell - Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet - Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or to disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on
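To see what Lokkit's questions turn into, here is an added example (not from the chapter and not Lokkit's own code) in Python that generates an /etc/sysconfig/ipchains rule set for a chosen security level and service selection, then walks the chain the way ipchains does (first match wins) to check whether a TCP SYN to a given port gets through. The specific rules Lokkit writes differ between versions, so the rule lines here are an assumption that reproduces the behaviour described above (DNS replies and DHCP allowed, selected services opened, every other privileged port plus NFS and X rejected), not a copy of Lokkit's output.

```python
"""Generate an /etc/sysconfig/ipchains rule set the way GNOME Lokkit does.

Added example, not from the chapter or from Lokkit. Rule lines use ipchains
syntax; the ordering (explicit ACCEPTs before the broad REJECTs) is what makes
the Low and High levels behave as described. Assumption: these rules reproduce
the documented behaviour, not Lokkit's exact output for any given version.
"""
import re

SERVICE_PORTS = {            # the services Lokkit asks about -> TCP ports
    "www": [80],
    "mail": [25],
    "ssh": [22],
    "telnet": [23],
}

DST_PORT = re.compile(r"-d \S+ (\d+)(?::(\d+))?")


def lokkit_rules(level, services=(), dhcp=True, trusted_ifaces=()):
    """Return the rule lines for `level` in {'high', 'low', 'none'}."""
    if level == "none":
        return []                                   # "Disable Firewall": no rules
    lines = [":input ACCEPT", ":forward ACCEPT", ":output ACCEPT",
             "-A input -s 0/0 -d 0/0 -i lo -j ACCEPT"]       # always trust loopback
    for iface in trusted_ifaces:                    # "Local Hosts" answered Yes
        lines.append(f"-A input -s 0/0 -d 0/0 -i {iface} -j ACCEPT")
    if dhcp:                                        # DHCP replies, UDP 67/68
        lines.append("-A input -p udp -s 0/0 67:68 -d 0/0 67:68 -j ACCEPT")
    lines.append("-A input -p udp -s 0/0 53 -d 0/0 -j ACCEPT")   # DNS replies
    if level == "low":                              # services opened, SYN (-y) only
        for svc in services:
            for port in SERVICE_PORTS[svc]:
                lines.append(f"-A input -p tcp -s 0/0 -d 0/0 {port} -y -j ACCEPT")
    # Everything not accepted above is rejected: all ports at High, the
    # privileged ports plus NFS (2049) and X (6000-6009, 7100) at Low.
    span = "0:65535" if level == "high" else "0:1023"
    lines += [f"-A input -p tcp -s 0/0 -d 0/0 {span} -y -j REJECT",
              f"-A input -p udp -s 0/0 -d 0/0 {span} -j REJECT"]
    if level == "low":
        lines += ["-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT",
                  "-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT",
                  "-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT",
                  "-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT"]
    return lines


def tcp_syn_accepted(lines, port):
    """Walk the input chain as a new TCP SYN to `port` would (first match wins).

    Interface and source-address matches are ignored, so this answers the
    question for traffic arriving from the Internet on an untrusted interface.
    """
    for line in lines:
        if "-p tcp" not in line:
            continue
        m = DST_PORT.search(line)
        lo = int(m.group(1)) if m else 0
        hi = int(m.group(2) or lo) if m else 65535
        if lo <= port <= hi:
            return line.endswith("-j ACCEPT")
    return True                 # no rule matched: the chain policy (ACCEPT) applies


if __name__ == "__main__":
    for line in lokkit_rules("low", services=("www", "ssh")):
        print(line)
```

Running it with the Low level and the Web Server and Secure Shell questions answered Yes shows the point the text makes about port 1023: 80 and 22 are accepted because their ACCEPT lines precede the 0:1023 REJECT, telnet on 23 is refused, and an unprivileged port such as 8080 falls through to the ACCEPT policy, so a service on a high port is not protected at Low at all.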

3.11 Network Forensics

(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, the test described in the O'Reilly article cited above took two identically-configured Pentium III-based dual-processor systems with removable disk drives. One system was set up as a packet generator, using a program that transmitted individually serialized Ethernet packets of varying sizes. The second system was set up with rudimentary capture software: tcpdump on the UNIX systems, windump for Windows. An analysis package then examined the recorded dump files and calculated both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, the effect of the operating system on overall capture efficiency could be isolated. Once the best operating system was found, Ethernet adapters were swapped and the second CPU disabled to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Of the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives, and also explored a variety of RAID systems. The conclusion: the IDE drives of that generation were significantly faster than SCSI drives costing two or three times more per gigabyte stored. This was not the expected result, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although the highest performance was seen with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, nearly the same performance was seen with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse. (This describes the Internet of the early 2000s; with TLS now the default for web and mail traffic, a network forensics tool on a modern network is much closer to the traffic-analysis-only case than to the cleartext case described here.)
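An added example, not from the chapter or from the article it draws on, that makes the two system types and the tcpdump/strings workflow concrete: the Python script below reads a libpcap file of the kind tcpdump -w writes, decodes the Ethernet/IPv4/TCP headers, and reduces the packets to the flow records a stop, look and listen system would keep (traffic analysis) plus a rough strings-style transcript of the cleartext payloads. The capture it works on is constructed inside the script (an HTTP request and response and a Telnet login) so that it runs offline; the addresses and payloads are invented.

```python
"""Parse a libpcap capture into flow records and cleartext strings.

Added example, not from the chapter. A catch-it-as-you-can system keeps the
raw packet bytes (what tcpdump -w writes); a stop-look-and-listen system keeps
only reduced records such as the ones flow_summary() produces. The capture
below is constructed in-line so the script runs offline; feed parse_pcap()
the bytes of a real tcpdump -w file to use it. Only Ethernet -> IPv4 ->
TCP/UDP is decoded; anything else is counted as "other".
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, payload, ts_sec):
    """pcap record header + Ethernet + IPv4 + TCP frame (constructed test data)."""
    eth = bytes.fromhex("001122334455" "0066778899aa") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def build_capture(records):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(records)


def parse_pcap(data):
    """Yield one dict per packet: ts, src, dst, proto, sport, dport, payload."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        rec = {"ts": ts_sec, "src": None, "dst": None, "proto": "other",
               "sport": None, "dport": None, "payload": b""}
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":      # IPv4 ethertype
            ihl = (frame[14] & 0x0F) * 4
            rec["src"] = socket.inet_ntoa(frame[26:30])
            rec["dst"] = socket.inet_ntoa(frame[30:34])
            l4 = frame[14 + ihl:]
            if frame[23] == 6 and len(l4) >= 20:                   # TCP
                rec["proto"] = "tcp"
                rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
                rec["payload"] = l4[(l4[12] >> 4) * 4:]
            elif frame[23] == 17 and len(l4) >= 8:                 # UDP
                rec["proto"] = "udp"
                rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
                rec["payload"] = l4[8:]
        yield rec


def flow_summary(records):
    """Traffic analysis: payload bytes per (src, dst, proto, dport)."""
    flows = Counter()
    for r in records:
        flows[(r["src"], r["dst"], r["proto"], r["dport"])] += len(r["payload"])
    return flows


def cleartext(records, minlen=4):
    """Rough `strings` over the payloads: runs of printable ASCII."""
    found = []
    for r in records:
        run = bytearray()
        for b in r["payload"] + b"\x00":            # sentinel flushes the last run
            if 32 <= b < 127:
                run.append(b)
            else:
                if len(run) >= minlen:
                    found.append(run.decode())
                run = bytearray()
    return found


SAMPLE_CAPTURE = build_capture([
    build_tcp_packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET / HTTP/1.0\r\n\r\n", 1000),
    build_tcp_packet("10.0.0.80", "10.0.0.5", 80, 40001, b"HTTP/1.0 200 OK\r\n\r\nhello", 1001),
    build_tcp_packet("10.0.0.5", "10.0.0.23", 40002, 23, b"login: alice\r\n", 1002),
])

if __name__ == "__main__":
    recs = list(parse_pcap(SAMPLE_CAPTURE))
    for flow, nbytes in flow_summary(recs).items():
        print(flow, nbytes)
    print(cleartext(recs))
```

The flow table is what survives even when the payload is encrypted (who talked to whom, on which port, how much); the cleartext() output is what the strings command would show for the same capture, and the Telnet login line is exactly the kind of detail the privacy discussion that follows is about.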


Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provides capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they can't eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer (ManageEngine's commercial log analysis product, used here as the example) offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format (WebTrends Enhanced Log Format, a flat key=value text format carried over syslog), this is the best configuration option.

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time; bear in mind that the archived raw logs are what you will need as evidence later, so disabling archiving trades disk space for forensic value.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers (Check Point's OPSEC Log Export API) to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles to a file and import that file later to get the profiles back. This comes in handy in exigencies such as moving the server to a different machine.
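WELF (WebTrends Enhanced Log Format) is a flat key=value text format, which makes the kind of reports described in this section straightforward to reproduce without a product. The Python script below is an added example, not from the chapter and not vendor code: it parses constructed WELF lines, totals bandwidth per internal source, counts denied connections per source and flags sources denied on many distinct destination ports (a crude port-scan indicator). The key names used and the convention that a deny is recognised from the msg text are assumptions; vendors differ, so adapt is_deny() to your firewall's export.

```python
"""Parse WELF firewall log lines into bandwidth and deny reports.

Added example, not from the chapter or from any vendor tool. WELF is a flat
key=value format in which quoted values may contain spaces. The key names
(time, fw, src, dst, dstport, proto, sent, rcvd, msg) are the common ones and
the log lines are constructed sample data, not a real export. Recognising a
deny from the msg text is an assumption about this particular export.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
id=firewall time="2008-04-02 09:15:01" fw=edge-fw1 pri=6 rule=12 proto=http src=10.0.0.5 dst=198.51.100.20 dstport=80 sent=812 rcvd=41230 msg="Accept outbound TCP"
id=firewall time="2008-04-02 09:15:04" fw=edge-fw1 pri=6 rule=12 proto=https src=10.0.0.5 dst=198.51.100.21 dstport=443 sent=2211 rcvd=97010 msg="Accept outbound TCP"
id=firewall time="2008-04-02 09:15:09" fw=edge-fw1 pri=6 rule=14 proto=smtp src=10.0.0.25 dst=198.51.100.30 dstport=25 sent=51000 rcvd=900 msg="Accept outbound TCP"
id=firewall time="2008-04-02 09:16:10" fw=edge-fw1 pri=4 rule=0 proto=tcp src=203.0.113.9 dst=192.0.2.10 dstport=21 sent=0 rcvd=0 msg="Deny inbound TCP"
id=firewall time="2008-04-02 09:16:10" fw=edge-fw1 pri=4 rule=0 proto=tcp src=203.0.113.9 dst=192.0.2.10 dstport=22 sent=0 rcvd=0 msg="Deny inbound TCP"
id=firewall time="2008-04-02 09:16:11" fw=edge-fw1 pri=4 rule=0 proto=tcp src=203.0.113.9 dst=192.0.2.10 dstport=23 sent=0 rcvd=0 msg="Deny inbound TCP"
id=firewall time="2008-04-02 09:16:11" fw=edge-fw1 pri=4 rule=0 proto=tcp src=203.0.113.9 dst=192.0.2.10 dstport=445 sent=0 rcvd=0 msg="Deny inbound TCP"
id=firewall time="2008-04-02 09:16:12" fw=edge-fw1 pri=4 rule=0 proto=tcp src=203.0.113.9 dst=192.0.2.10 dstport=3389 sent=0 rcvd=0 msg="Deny inbound TCP"
id=firewall time="2008-04-02 09:20:00" fw=edge-fw1 pri=4 rule=0 proto=tcp src=10.0.0.77 dst=192.0.2.10 dstport=445 sent=0 rcvd=0 msg="Deny inbound TCP"
"""

# key=value, where value is either "quoted text" or a run of non-blank characters
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_welf(line):
    """One WELF line -> dict; quoted values lose their quotes."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}


def load(text):
    return [parse_welf(l) for l in text.splitlines() if l.strip()]


def is_deny(rec):
    """Assumption for this export: denies are announced in the msg text."""
    return rec.get("msg", "").lower().startswith("deny")


def bandwidth_by_src(records):
    """Bytes sent plus received per source for accepted traffic (capacity planning)."""
    usage = Counter()
    for r in records:
        if not is_deny(r):
            usage[r["src"]] += int(r.get("sent", 0)) + int(r.get("rcvd", 0))
    return usage


def denied_by_src(records):
    return Counter(r["src"] for r in records if is_deny(r))


def probable_scanners(records, min_ports=5):
    """Sources denied on at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if is_deny(r):
            ports[r["src"]].add(r.get("dstport"))
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    for src, nbytes in bandwidth_by_src(recs).most_common():
        print(f"{src:<16} {nbytes:>10} bytes")
    print("denies per source:", dict(denied_by_src(recs)))
    print("probable scanners:", probable_scanners(recs))
```

The single deny from 10.0.0.77 is left alone by probable_scanners(); five distinct ports from 203.0.113.9 within two seconds is the pattern worth an alert. The threshold is a tuning choice, and a real analyser would also key on the time window rather than on the whole file.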


3.15 Network Forensics Tools

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

The article referenced above covers the following tools and vendors: Forensic Toolkit (FTK) from AccessData Corp., EnCase from Guidance Software, Email Examiner from Paraben Corp., ProDiscover from Technology Pathways, dtSearch from dtSearch Corp., and the open-source Sleuth Kit. Its themes are chain of custody, evidence hashing, incident investigation, intellectual property theft, working with the legal team, and network penetration.

3.16 Database Forensics

Database Forensics is a computer science term referring to the forensic study of databases: gathering and analyzing data in a manner as free from distortion or bias as possible in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as the database machine, the client IP address, the time of day and the authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet, or when working outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information: organizations cannot control the security standards of external networks, so the best defense is to restrict sensitive traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with each employee's specific role and responsibilities. In large enterprises, for example, the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure, and the type of content that each data element within the structure can contain. Newer database security technologies allow security administrators to set restrictions that prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle: DBAs perform their database management duties while the security administrator protects the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. For that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defense an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment residing on the internal network rather than in a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems and host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the creation and publication of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find weaknesses that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database, such as tables, views and stored procedures; the permissions granted for SQL commands on those objects are considered in this process. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is a process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. Directly related to this topic is application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms. A single sign-on system stores the database user's credentials (login ID and password) and authenticates to the database on behalf of the user.

3.16.8 Activity Monitoring

Another, more sophisticated, security layer is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern that is used to detect anomalous activity indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
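The following is an added example, not code from the course text or from any monitoring product, showing what the rules of 3.16.3 (approved client IP range, business-hours restriction on DDL) and the activity monitoring of 3.16.8 (known-bad SQL patterns plus a per-user baseline of tables touched) look like when applied to a feed of statements. The log format, the sample records, the approved network, the business hours and the baseline table sets are all constructed assumptions for the example; a real deployment would read them from the DBMS audit trail or a network tap and from a learned baseline period.

```python
"""Rule- and baseline-based checks over constructed database activity records."""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample records: timestamp, database user, client IP, SQL text.
SAMPLE_LOG = """\
2011-03-01T09:15:02 appuser 10.0.1.25 SELECT phone FROM directory WHERE lastname = 'chapple'
2011-03-01T09:16:40 appuser 10.0.1.25 SELECT phone FROM directory WHERE lastname = 'smith'
2011-03-01T09:17:05 appuser 10.0.1.25 SELECT phone FROM directory WHERE firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'
2011-03-01T23:40:11 dba01 10.0.9.7 ALTER TABLE directory ADD COLUMN notes TEXT
2011-03-01T10:02:33 dba01 203.0.113.44 SELECT * FROM employees
2011-03-01T10:05:00 appuser 10.0.1.25 SELECT * FROM employees
"""

# Policy assumptions, hypothetical for this example.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # corporate intranet only
BUSINESS_HOURS = (time(8, 0), time(18, 0))
DDL_VERBS = {"ALTER", "DROP", "CREATE", "GRANT", "TRUNCATE"}
KNOWN_TABLES = {"directory", "employees"}
# Tables each account normally touches; in practice learned over a baseline period.
BASELINE_TABLES = {"appuser": {"directory"}, "dba01": {"directory", "employees"}}

# Known-bad patterns: tautology, comment truncation, stacked statement.
BAD_PATTERNS = [
    re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),      # OR 1=1, OR 'a'='a'
    re.compile(r"--|/\*"),                                  # --, /* comment tricks
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I), # ; DROP ...
]
TABLE_REF = re.compile(r"\b(?:from|join|update|into|table)\s+([a-z_][a-z0-9_]*)", re.I)


def parse_line(line):
    ts, user, ip, sql = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "sql": sql}


def check_record(rec):
    """Return the list of rule/baseline findings for one statement (empty if clean)."""
    findings = []
    if not any(rec["ip"] in net for net in ALLOWED_NETS):
        findings.append("source_ip_not_approved")
    start, end = BUSINESS_HOURS
    verb = rec["sql"].split()[0].upper()
    if verb in DDL_VERBS and not (start <= rec["ts"].time() < end):
        findings.append("ddl_outside_business_hours")
    if any(p.search(rec["sql"]) for p in BAD_PATTERNS):
        findings.append("injection_pattern")
    tables = {t.lower() for t in TABLE_REF.findall(rec["sql"])}
    if tables - KNOWN_TABLES:
        findings.append("unknown_table")        # probing, e.g. the 'fake' table test
    known_used = tables & KNOWN_TABLES
    if known_used - BASELINE_TABLES.get(rec["user"], set()):
        findings.append("outside_user_baseline")  # real table, but not one this account uses
    return findings


def analyze(log_text):
    """Run every record through the checks; return (timestamp, user, findings) for hits only."""
    results = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        findings = check_record(rec)
        if findings:
            results.append((rec["ts"].isoformat(), rec["user"], findings))
    return results


if __name__ == "__main__":
    for ts, user, findings in analyze(SAMPLE_LOG):
        print(ts, user, ", ".join(findings))
```

Of the six constructed statements, the first two are clean; the third trips both the tautology pattern and the unknown-table check (the probe from 3.17 below), the night-time ALTER trips the business-hours rule, the query from 203.0.113.44 trips the IP rule, and the application account reading a table it never normally reads trips the baseline check even though nothing about the statement itself is malicious. The pattern list is deliberately small; the point of the baseline check is that it catches misuse the pattern list does not know about.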


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This provides a certain level of segregation of duties and may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, however, native database audit trails do not provide sufficient controls to enforce separation of duties on their own, so network-level and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and the preservation of evidence.
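One way to make the exported audit trail tamper-evident, so that the security system can later show the records were not edited after extraction, is to hash-chain the records at export time and keep only the final chain value (the "head") out of the DBA's reach. This is an added example, not part of the course text or of any DBMS's native audit feature; the audit records are constructed and the chaining scheme (SHA-256 over the previous hash concatenated with a canonical JSON encoding of each record) is an assumption for the example.

```python
"""Hash-chained export of a native audit trail, with verification."""
import copy
import hashlib
import json

# Constructed records as they might be pulled from the DBMS audit tables.
AUDIT_RECORDS = [
    {"id": 1, "ts": "2011-03-01T09:15:02", "user": "appuser", "action": "SELECT", "object": "directory"},
    {"id": 2, "ts": "2011-03-01T23:40:11", "user": "dba01", "action": "ALTER", "object": "directory"},
    {"id": 3, "ts": "2011-03-01T23:41:50", "user": "dba01", "action": "DELETE", "object": "employees"},
    {"id": 4, "ts": "2011-03-02T08:00:00", "user": "appuser", "action": "SELECT", "object": "directory"},
]

GENESIS = "0" * 64   # chain value before the first record


def canonical(record):
    # Fixed key order and separators so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, prev_hash=GENESIS):
    """Return entries {record, prev, hash}; each hash covers the previous hash and the record."""
    out = []
    for rec in records:
        h = hashlib.sha256(prev_hash.encode() + canonical(rec)).hexdigest()
        out.append({"record": rec, "prev": prev_hash, "hash": h})
        prev_hash = h
    return out


def verify_chain(chained, expected_head, prev_hash=GENESIS):
    """Recompute every link. Return (True, None) or (False, index of the first bad link)."""
    for i, entry in enumerate(chained):
        if entry["prev"] != prev_hash:
            return False, i                      # a record was removed or reordered before here
        h = hashlib.sha256(prev_hash.encode() + canonical(entry["record"])).hexdigest()
        if h != entry["hash"]:
            return False, i                      # this record was edited in place
        prev_hash = h
    if prev_hash != expected_head:
        return False, len(chained)               # records missing from the end
    return True, None


def demo():
    """Intact chain, then two tampering attempts by an administrator."""
    chained = chain_records(AUDIT_RECORDS)
    head = chained[-1]["hash"]                   # stored by the security team, not the DBA
    intact = verify_chain(chained, head)
    # Attempt 1: hide the DELETE by dropping record 3.
    deleted = [e for e in chained if e["record"]["id"] != 3]
    # Attempt 2: rewrite the ALTER as a harmless SELECT.
    edited = copy.deepcopy(chained)
    edited[1]["record"]["action"] = "SELECT"
    return intact, verify_chain(deleted, head), verify_chain(edited, head)


if __name__ == "__main__":
    print(demo())
```

Deleting record 3 breaks the link at the record that follows it, editing record 2 breaks its own hash, and truncating the export after the last record verifies internally but no longer reaches the stored head; that last case is why the head must live on the system the DBA cannot write to. The chain proves nothing about records the DBMS never wrote, which is the gap the network and kernel-level monitoring in the text exists to close.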

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. Accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered where the risk is commensurate with the expenditure for such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, attackers manipulate a web application so that their own SQL commands are injected into those the application issues to the database. (For an example, see the article "SQL Injection Attacks on Databases".) In this section we look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and returns contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. Given the assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow. For example, %3d is the URL encoding for the = character and %3e for >, and each + stands for a space. Line breaks were added for the same purpose.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, it will strip out the single quotes from the input before passing the query to the database. This simply results in a strange lookup for someone whose first name includes a bunch of SQL, and you'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

3.17.4 Internal Server Error

If your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is vulnerable to SQL injection. A generic 500 error can have other causes, so confirm the finding by repeating the request with a payload that references a table which does exist (for example, replace fake with directory): a vulnerable application will then return results instead of an error, because the trailing OR '1'='1' makes the WHERE clause true for every row. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement parameter checking in all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures or parameterized queries (prepared statements) so that user-supplied values are passed to the database as data and never spliced into the SQL text.

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of the data found on the SIM/USIM, on the phone itself and on any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner has been cheating on them, by human resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are just a few of the hundreds of reasons why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature dictates that you will tell at least someone. On a computer those records could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSF file (Lotus Notes), your DBX files (Outlook Express) or your MSG and EML files (individually saved e-mail messages), amongst others. All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory or memory cards (mainly MMC, but not exclusively).

Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources, but must have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data is achieved for the client in a sound and forensically correct manner.

A more recent development is cellular transmitter (cell site) location analysis, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been accepted in a British court of law that does not necessarily mean it is accepted throughout the world. There are, of course, downsides. Simply passing the phone in question to a colleague or accomplice would place the phone in another location at the time of a call, and therefore away from the scene of the crime. There is also the problem of "pay-as-you-go" (prepaid) phones, which have no legal tie to their owner; this is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing e-mails, pictures, deleted files, instant messages and much more, all with date and time history, and produce it in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes part of our daily lives with ever greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or lock up your home at night, you've got to be careful of the many kinds of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts ever could have predicted.

In modern times hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by criminals and, in milder forms, by some legitimate companies. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain sensitive data, including your name, address, telephone number and e-mail domain. This information is often found in places such as your browser history, cache and temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware has commonly got onto systems by abusing ActiveX, a Microsoft component technology that lets web pages run native code inside Internet Explorer. ActiveX was meant to make browsing richer, and some web pages need it to display, but when an ActiveX control is malicious, or a vulnerable one is exploited, it can be used to install spyware and other malicious programs on your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to accrue debt, open accounts and even receive medical benefits in your name. The worst case is your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved you are likely to be refused credit, mortgages and automobile loans, and you may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud can be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of its hard drive; as the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practising computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and isn't really fraudulent; deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum people who steal information or steal people's money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax e-mails intended to scare people
Illegally using someone else's computer, or "posing" as someone else on the Internet
Using spyware to gather information about people
E-mails requesting money in return for "small deposits"
Pyramid schemes or investment schemes via computer, with the intent to take and use someone else's money
E-mails attempting to gather personal information to be used to access credit cards or social security numbers
Using someone else's computer to access personal information with the intent to use it fraudulently
Using the computer to solicit minors into sexual liaisons
Violating copyright laws by copying information, such as DVDs and CDs, with the intent to sell it
Hacking into computer systems to gather large amounts of information for illegal purposes
Hacking into or illegally using a computer to change information such as grades, work reports, etc.
Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data or system interference. Computer crimes do not necessarily involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They also include software theft and activities that compromise users' privacy. These criminal activities involve the breach of human and information privacy as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. The types of computer crime are as follows:

Hacking

Breaking into a computer system to gain unauthorized access is known as hacking: defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with intent to gain access to an organization's or a user's private communications is one of the most widely known computer crimes. Another dangerous technique is IP address spoofing, forging the source address of network traffic so as to act under a false identity and remain anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through e-mails, or by luring users to enter personal information on fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are programs that can replicate themselves and harm the computers on a network without the knowledge of their users. Viruses spread to other computers through network file systems, through the network or the Internet, or by means of removable media such as USB drives and CDs. Computer viruses are forms of malicious code written with the aim of harming a computer system and destroying information. Writing and distributing computer viruses is a criminal activity, as virus infections can crash computer systems and destroy great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, the transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites, gathering information about them and then harassing them on the basis of that information. Obscene e-mails, abusive phone calls and similar serious effects of cyberstalking have made it a recognized type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity: pretending to be someone else by using that person's identity as one's own. Financial identity theft involves using a false identity to obtain goods and services; commercial identity theft is using someone else's business name or credit card details for commercial purposes; identity cloning is using another person's information to live as that person. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into the phone or network line outside your house and running it into their own computer, often without your knowledge, through a split line. Some go a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time

This is one of the most common computer crimes, happening all over the country: public and private employees who, on the taxpayer's or the company's time and money, surf the web or play games without proper authorization. In many instances this behavior is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information produced by your personal or company computer in order to find out secret or personal information, by taking computer printouts, mailing lists, customer lists and so on.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a more complex computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network, or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually includes a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.
Making copies of relevant logs and data, including bit-stream backups of all hard disk drives.
Transporting the computer to a secured location so that potential evidence is not destroyed or tampered with.
Authenticating the data mathematically (by computing cryptographic hashes) on all storage devices, in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
Documenting the dates and times associated with computer files when the computer was taken into evidence.
Generating a list of keywords to facilitate the evaluation of the data on a computer hard disk drive.

A critical step in investigating a computer crime is to evaluate the Windows swap file, which can contain valuable information. Next, evaluate file slack, the unused space between the end of a file's data and the end of its last allocated cluster; it can retain fragments of earlier data and is a good source of evidence in crimes committed through the Internet. Evaluating unallocated space provides information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
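The steps "authenticating the data mathematically", "generating a list of keywords" and examining file slack and unallocated space can be illustrated on a small scale. The following is an added example, not a procedure from the course text or from any forensic tool: the "image" is a constructed byte buffer standing in for a bit-stream copy of a drive (an allocated file, the slack after it, and an unallocated region holding the remains of a deleted file), the sector size and layout are assumptions for the example, and the hash set (MD5 plus SHA-256) is a common but not universal choice.

```python
"""Hash authentication and raw keyword search over a constructed disk image."""
import hashlib

SECTOR = 512
# The one allocated file on the constructed image (its length marks the slack boundary).
ALLOCATED = b"Meeting notes 1 March: transfer approved.\n"
ALLOC_LEN = len(ALLOCATED)


def build_image():
    """Constructed image: sectors 0-1 hold the file and its slack, sectors 2-3 are unallocated."""
    slack = b"\x00" * 3 + b"old draft: wire to account 4471"   # residue left in the last sector
    file_area = (ALLOCATED + slack).ljust(2 * SECTOR, b"\x00")
    deleted = b"\x00" * 100 + b"DELETED: invoice 8812 to offshore account 4471\n"
    unallocated = deleted.ljust(2 * SECTOR, b"\xff")
    return file_area + unallocated


def hash_image(data, algorithms=("md5", "sha256")):
    """Acquisition hashes, recorded in the evidence log at seizure time."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_image(data, recorded):
    """Re-hash at examination time; any mismatch means this copy is not the acquired evidence."""
    return hash_image(data, tuple(recorded)) == recorded


def region_of(offset):
    """Classify an offset so a hit can be reported as live data, slack or unallocated."""
    if offset < ALLOC_LEN:
        return "allocated"
    if offset < 2 * SECTOR:
        return "file slack"
    return "unallocated"


def keyword_search(data, keywords, context=12):
    """Search the raw bytes of the whole image, so slack and unallocated space are covered too."""
    hits = []
    for kw in keywords:
        needle = kw.encode()
        start = 0
        while True:
            i = data.find(needle, start)
            if i < 0:
                break
            hits.append({
                "keyword": kw,
                "offset": i,
                "sector": i // SECTOR,
                "region": region_of(i),
                "context": data[max(0, i - context): i + len(needle) + context],
            })
            start = i + 1
    return hits


if __name__ == "__main__":
    image = build_image()
    log = hash_image(image)
    print("acquired:", log)
    print("verified:", verify_image(image, log))
    for hit in keyword_search(image, ["4471", "offshore"]):
        print(hit["keyword"], hit["sector"], hit["region"], hit["context"])
```

A file-system-level search would return nothing for "offshore", because the only copy lives in a deleted file; the raw search finds it in sector 2, and finds the account number once in the slack of the live file and once in unallocated space. The verification step is what makes those findings admissible: if the hashes at examination time do not match the ones recorded at acquisition, the image is not the evidence, whatever it contains.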

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the e-mail scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number or information about the people in your household.

• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

• Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.

• Don't download attachments from people you don't know.

• Teach your children about safe communication on the Internet to protect them from Internet predators.

• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.



3.2 Definitions________________________________________

1. Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for the rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.

2. Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.

3. Digital Evidence: Information of probative value stored or transmitted in digital form.

4. Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.

5. Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.

6. Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.

7. Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. As compared to more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule and privilege. Regarding computer-related crime cases, evidence is classified into three main categories according to SWGDE/IOCE standards:

• Digital evidence, where the information is stored or transmitted in electronic or magnetic form.

• Physical items, where the digital information is stored or transmitted through physical media.

• Data objects, where the information is linked to physical items.

Generally speaking, there are three requirements for evidence to be admissible in court:

1. Authentication, 2. the best evidence rule, and 3. exceptions to the hearsay rule.

Authentication means showing a true copy of the original; best evidence means presenting the original; and the allowable exceptions are when a confession, business or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential or most correct element of this in practice. Some say documentation (of what has been done), others say preservation (or integrity of the original), and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each or all as the standard in computer forensic law. In addition, the Indian courts require the legality of the evidence: it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the IT Act 2000 and IT Act 2008.

3.3 Digital Forensic Examiner Proficiency and Competency Tests

Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills and abilities of forensic examiners at all levels.


However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will make this newest forensic science a universally accepted laboratory examination specialty. Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (ACPO) guidelines. These are made up of four principles, as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

There are many reasons to employ the techniques of computer forensics:

• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).

• To recover data in the event of a hardware or software failure.

• To analyze a computer system after a break-in, for example to determine how the attacker gained access and what the attacker did.

• To gather evidence against an employee that an organization wishes to terminate.

• To gain information about how computer systems work for the purpose of debugging, performance optimization or reverse-engineering.

There are five basic steps to computer forensics:

1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting


Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to use based on the case.

Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).

Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data to its original state) unless other measures have been taken. For this reason, it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Other specific practices that have been adopted in the handling of digital evidence include:

• Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.

• Establishing and maintaining the chain of custody.

• Documenting everything that has been done.

• Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers and network servers.

In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Traditionally, computer forensic investigations were performed on data at rest, for example the content of hard drives. This can be thought of as a "dead analysis". Investigators were told to shut down computer systems when they were impounded, for fear that digital time-bombs might cause data to be erased.


In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd, IXimager or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still-viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again (known as hashing) to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a courtroom, however.
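The hash-and-record workflow just described (and the "authenticating data mathematically" step of the investigation procedure in section 3.21), as an added Python example that is not part of the original text: it hashes an image in one pass, stores the digests apart from the image, and re-verifies later, appending each check to the record. The record layout, file names, case identifier and the tiny stand-in image are all constructed for the example.

```python
"""Integrity verification of an evidence image by hashing: hash at acquisition,
record the digests apart from the image, re-verify at critical points.
Added example; paths, case id and image bytes are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so multi-gigabyte images do not have to fit in RAM


def hash_chunks(chunks, algorithms=("sha1", "md5")):
    """Feed an iterable of byte chunks through several digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("sha1", "md5")):
    """Return {algorithm: hexdigest} for the file at path, read once in chunks."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK), b""), algorithms)


def record_acquisition(image_path, case_id, examiner, record_path):
    """Write the acquisition record (digests plus who/when) to a separate file,
    the electronic equivalent of noting the hash in the examiner's notebook."""
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "digests": hash_file(image_path),
        "verifications": [],
    }
    with open(record_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify(image_path, record_path, stage):
    """Re-hash the image, compare every recorded digest, and append the outcome
    to the record so the audit trail shows when the check was made.
    Returns True only if all digests match."""
    with open(record_path) as fh:
        record = json.load(fh)
    observed = hash_file(image_path, tuple(record["digests"]))
    ok = observed == record["digests"]
    record["verifications"].append({
        "stage": stage,
        "checked_utc": datetime.now(timezone.utc).isoformat(),
        "result": "match" if ok else "MISMATCH",
        "observed": observed,
    })
    with open(record_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return ok


def demo():
    """Constructed scenario: acquire, verify, then a single byte of the image is
    altered (as a write without a write blocker might do) and verified again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect_hdd.dd")     # constructed image path
        record = os.path.join(tmp, "suspect_hdd.json")  # constructed record path
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 64)             # 16 KiB stand-in for sectors
        record_acquisition(image, "CASE-0001", "examiner (constructed)", record)
        before = verify(image, record, "before analysis")
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00")                            # one byte changed
        after = verify(image, record, "after analysis")
        with open(record) as fh:
            results = [v["result"] for v in json.load(fh)["verifications"]]
    return before, after, results


if __name__ == "__main__":
    print(demo())  # (True, False, ['match', 'MISMATCH'])
```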

3.5 Collecting Volatile Data_____________________________

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based e-mail sites and the login/password combination used. Additionally, these tools can also yield the login/password for recently accessed local e-mail applications, including MS Outlook.


In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time are more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below -60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first successful step in searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search which covers the location and description of the system. Thirdly, the digital evidence shall be properly seized when it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term means the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.


3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term "computer system". "Information" refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible; they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

The field of computer forensics also has sub-branches within it, such as:


3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because, in many cases, it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that yes, indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, it will send a TCP reset, because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to pull off successfully.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
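The two log-review checks this section and the previous one describe, flagging the port-scan pattern of Figure 3.1 and looking for TCP resets from the claimed source as a spoofing indicator, as an added Python example that is not from the original text. The log line format, every log line and the port list are constructed (the addresses reuse those in the text's figures); a real firewall's log format would need its own parser.

```python
"""Firewall log review for two situations: a port scan (one source hitting many
ports on one destination) and a possibly spoofed source, indicated by TCP resets
arriving from the address a connection claimed to come from.
Added example; the log format and every line are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: "<timestamp> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport> [flags=<TCP flags>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: flags=(?P<flags>[A-Z]+))?$"
)


@dataclass(frozen=True)
class Entry:
    ts: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters (S, A, R, ...); empty for UDP/ICMP


def parse_log(lines):
    """Parse the lines we understand; unparseable lines are dropped, not guessed at."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            entries.append(Entry(d["ts"], d["action"], d["proto"], d["src"],
                                 int(d["sport"]), d["dst"], int(d["dport"]),
                                 d["flags"] or ""))
    return entries


def find_port_scans(entries, min_ports=10):
    """Return {(src, dst): sorted ports} for pairs where one source touched at
    least min_ports distinct destination ports, the pattern of Figure 3.1."""
    ports = defaultdict(set)
    for e in entries:
        if e.proto in ("TCP", "UDP"):
            ports[(e.src, e.dst)].add(e.dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_spoof_indicators(entries):
    """Return {src: count} of TCP flows where a SYN from src was later followed
    by a RST from the same src on the same 4-tuple. An innocent host that never
    sent the SYN answers the unexpected SYN-ACK with a RST, so this is an
    indicator (not proof) that the SYN's source address was spoofed."""
    syns, rsts = set(), set()
    for e in entries:
        if e.proto != "TCP":
            continue
        flow = (e.src, e.sport, e.dst, e.dport)
        if "S" in e.flags and "A" not in e.flags:
            syns.add(flow)
        elif "R" in e.flags:
            rsts.add(flow)
    counts = defaultdict(int)
    for src, _, _, _ in syns & rsts:
        counts[src] += 1
    return dict(counts)


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = [  # constructed: a scan, a spoofed-source SYN, and ordinary traffic
    f"2024-03-01T10:00:{i:02d}Z DENY TCP 10.1.1.200:{44000 + i} -> 10.1.1.2:{port} flags=S"
    for i, port in enumerate(SCAN_PORTS)
] + [
    "2024-03-01T10:05:00Z ALLOW TCP 209.165.201.1:40000 -> 10.1.1.2:80 flags=S",
    "2024-03-01T10:05:01Z ALLOW TCP 209.165.201.1:40000 -> 10.1.1.2:80 flags=R",
    "2024-03-01T10:06:00Z ALLOW TCP 192.0.2.10:50000 -> 10.1.1.2:443 flags=S",
    "2024-03-01T10:06:00Z ALLOW TCP 192.0.2.10:50000 -> 10.1.1.2:443 flags=A",
    "2024-03-01T10:06:02Z ALLOW UDP 192.0.2.10:50001 -> 10.1.1.2:53",
    "2024-03-01T10:06:03Z this line is deliberately malformed",
]


def review(lines):
    """Run both checks over raw log lines and return a small report."""
    entries = parse_log(lines)
    return {
        "parsed": len(entries),
        "port_scans": find_port_scans(entries),
        "spoof_indicators": find_spoof_indicators(entries),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

A flagged source still needs the follow-up investigation the text calls for; a legitimate client that aborts its own connection also produces a SYN followed by a RST.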

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection), because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008 the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that; Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

• New GUI interface: an MMC snap-in is now available to configure the advanced firewall.

• Bi-directional: filters outbound traffic as well as inbound traffic.

• Works better with IPsec: now the firewall rules and IPsec encryption configurations are integrated into one interface.

• Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall a better GUI and advanced rules configuration the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro for example) I know that the first concern of any server admin in using a host-based firewall is what if it prevents critical server infrastructure apps from functioning While that is always a possibility with any security measure WFAS will automatically configure new rules for any new server roles that are added to the server However if you run any non-Microsoft applications on your server that need inbound network connectivity you will have to create a new rule for that type of traffic By using the advanced windows firewall you can better secure your servers from attack your servers from attacking others and really nail down what traffic is going in and out of your servers Letrsquos see how it is done

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adapter, or from the Control Panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from an MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile, and a public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6.


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules – WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter – in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address, and destination port number – our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC.

Add the rule – click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC – new rule button

Select that you want to create a rule for a port.

Configure protocol & port number – take the default of TCP, enter the port number as 80, and click Next.

Take the default of "allow this connection" & click Next.

Take the default of applying this rule to all profiles & click Next.

Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC – after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great!

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level, as well as to allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security — This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio™, will not work without a proxy.

Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server — Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail — Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

Secure Shell — Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet — Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data. How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm. To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus, and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations. The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
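The analysis package described above, written out as an added example (it is not part of the original text or of any tool the text names): because the generator numbers every packet it sends, comparing the serials found in the dump file against the range sent gives both the drop percentage and the longest run of consecutive drops. The serial numbers and platform names below are constructed sample data.

```python
"""Capture-loss analysis for a serialized-packet capture test.

The generator numbers every packet it sends 0..n-1; the capture host records
whichever serials it managed to write to disk. Dropped packets show up as
gaps in the recorded sequence. A long run of consecutive gaps points at a
capture host that stalls (disk flush, interrupt storm) rather than one that
drops the odd packet under load, which is why both figures are reported.
"""


def capture_loss(sent_count, recorded_serials):
    """Return (dropped, drop_percent, longest_run) for one capture run.

    sent_count:       number of packets the generator transmitted (serials 0..n-1)
    recorded_serials: iterable of serials found in the dump file; duplicates and
                      out-of-order arrivals are tolerated, as they must be on a
                      real capture where a packet may be recorded twice or late
    """
    if sent_count <= 0:
        raise ValueError("sent_count must be positive")
    seen = set(recorded_serials)
    # Serials outside the sent range mean a corrupt or stale dump, not drops.
    bogus = {s for s in seen if s < 0 or s >= sent_count}
    if bogus:
        raise ValueError(f"serials outside sent range: {sorted(bogus)[:5]}")
    dropped = 0
    longest_run = 0
    current_run = 0
    for serial in range(sent_count):
        if serial in seen:
            current_run = 0
        else:
            dropped += 1
            current_run += 1
            longest_run = max(longest_run, current_run)
    drop_percent = 100.0 * dropped / sent_count
    return dropped, drop_percent, longest_run


def compare_platforms(runs):
    """Rank capture platforms by drop percentage, then by longest drop run.

    runs: {platform_name: (sent_count, recorded_serials)}
    Returns a list of (platform_name, drop_percent, longest_run), best first.
    """
    ranked = []
    for name, (sent, recorded) in runs.items():
        _, pct, run = capture_loss(sent, recorded)
        ranked.append((name, pct, run))
    return sorted(ranked, key=lambda r: (r[1], r[2]))


# Constructed sample: 20 packets sent; the dump is missing serials 3-5, 10 and
# 17-18, and records serial 7 twice (a duplicate write, not a drop).
SAMPLE_SENT = 20
SAMPLE_RECORDED = [0, 1, 2, 6, 7, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19]


if __name__ == "__main__":
    print(capture_loss(SAMPLE_SENT, SAMPLE_RECORDED))
    print(compare_platforms({
        "platform-a": (SAMPLE_SENT, SAMPLE_RECORDED),
        "platform-b": (SAMPLE_SENT, [s for s in range(SAMPLE_SENT) if s != 5]),
    }))
```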


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year, Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings. In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
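The keyword-scoped minimization just described, and the "stop, look and listen" style from section 3.11, as an added example (not the I-Watch program or any tool named in the text): packets are reassembled per connection in memory, only connections whose stream contains the authorized keyword are retained, and everything else is reduced to counts. The packet records and the payloads are constructed sample data; the legitimate mail session that merely mentions the keyword is included to show the inadvertent capture the text notes.

```python
"""Keyword-scoped capture minimization over reassembled connections.

Reassembly matters: a keyword split across two packets is invisible to a
per-packet filter but found once the stream is put back together. Only the
retained connections keep their contents; discarded ones survive as counts,
so the record of what was seen holds nothing from unrelated traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """Identifies one TCP connection by its address/port four-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Flow:
    key: FlowKey
    payload: bytes = b""
    packets: int = 0


def reassemble(packets):
    """Group packet records by connection, concatenating payload in arrival order.

    Each record is (src, sport, dst, dport, payload). Simplification: packets are
    assumed to arrive in order; a real reassembler would honour TCP sequence numbers.
    """
    flows = {}
    for src, sport, dst, dport, data in packets:
        key = FlowKey(src, sport, dst, dport)
        flow = flows.setdefault(key, Flow(key))
        flow.payload += data
        flow.packets += 1
    return flows


def minimize(flows, keyword):
    """Return (retained, summary).

    retained: flows whose reassembled stream contains `keyword`; these are the
              only connections whose contents are kept.
    summary:  counts only, documenting how much traffic was seen and discarded.
    """
    needle = keyword.encode()
    retained = {key: flow for key, flow in flows.items() if needle in flow.payload}
    discarded = [flow for key, flow in flows.items() if key not in retained]
    summary = {
        "connections_seen": len(flows),
        "connections_retained": len(retained),
        "connections_discarded": len(discarded),
        "packets_discarded": sum(flow.packets for flow in discarded),
    }
    return retained, summary


def packets_matching(packets, keyword):
    """Naive per-packet check, for comparison: misses a keyword that straddles packets."""
    needle = keyword.encode()
    return sum(1 for *_, data in packets if needle in data)


KEYWORD = "sni256"

# Constructed packet records (src, sport, dst, dport, payload).
SAMPLE_PACKETS = [
    # connection 1: the keyword is split across two packets
    ("10.1.1.7", 40123, "192.0.2.10", 21, b"RETR sni"),
    ("10.1.1.7", 40123, "192.0.2.10", 21, b"256\r\n"),
    # connection 2: a legitimate mail session that merely mentions the string;
    # it is retained too, which is the inadvertent capture the text describes
    ("10.1.2.9", 51000, "192.0.2.25", 25, b"Subject: re: the sni256 incident\r\n"),
    # connection 3: unrelated web request; counted, contents dropped
    ("10.1.3.4", 52000, "192.0.2.80", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def run_sample():
    """Apply the filter to the constructed packets; returns (retained keys, summary)."""
    flows = reassemble(SAMPLE_PACKETS)
    retained, summary = minimize(flows, KEYWORD)
    keys = sorted(f"{k.src}:{k.sport}->{k.dst}:{k.dport}" for k in retained)
    return keys, summary


if __name__ == "__main__":
    print(run_sample())
    print("per-packet matches:", packets_matching(SAMPLE_PACKETS, KEYWORD))
```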


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
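As an added example of the log processing that sections 3.14.1 and 3.14.2 describe (this is not Firewall Analyzer's code), the parser below reads WELF records as key=value pairs and tallies bandwidth per internal source and denied connections per external source. The field names follow the commonly used WELF fields (time, fw, pri, rule, proto, src, dst, sent, rcvd, msg); the log lines are constructed sample data, not output of a real firewall.

```python
"""Parse WELF (WebTrends Enhanced Log Format) firewall records and report on them.

WELF lines are space-separated key=value pairs, with quoted values when a value
contains spaces. Lines that are not WELF (a stray syslog line, a truncated record)
are counted and skipped rather than aborting the whole report.
"""
import shlex
from collections import defaultdict

# Constructed sample records; addresses are from documentation ranges.
SAMPLE_WELF = """\
id=firewall time="2008-03-12 09:15:01" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.0.0.5 dst=198.51.100.20 sent=420 rcvd=15800 msg="traffic allowed"
id=firewall time="2008-03-12 09:15:03" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.0.0.9 dst=198.51.100.20 sent=600 rcvd=98000 msg="traffic allowed"
id=firewall time="2008-03-12 09:15:04" fw=192.0.2.1 pri=4 rule=3 proto=tcp/445 src=203.0.113.7 dst=10.0.0.5 msg="inbound connection denied"
id=firewall time="2008-03-12 09:15:06" fw=192.0.2.1 pri=4 rule=3 proto=tcp/445 src=203.0.113.7 dst=10.0.0.9 msg="inbound connection denied"
id=firewall time="2008-03-12 09:15:09" fw=192.0.2.1 pri=6 rule=14 proto=smtp src=10.0.0.5 dst=198.51.100.25 sent=2048 rcvd=512 msg="traffic allowed"
Mar 12 09:15:10 fw1 kernel: not a WELF record at all
"""

REQUIRED_FIELDS = {"time", "fw", "src", "dst"}


def parse_welf_line(line):
    """Return the record as a dict, or None if the line is not a WELF record.

    shlex turns 'msg="traffic allowed"' into the single token 'msg=traffic allowed';
    every token must then be key=value, and the required fields must be present.
    """
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quotes: corrupt line
        return None
    record = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if not sep or not key:
            return None
        record[key] = value
    return record if REQUIRED_FIELDS.issubset(record) else None


def summarize(text):
    """Tally bytes per source and denied connections per source.

    Bytes are sent+rcvd as logged by the firewall; records without byte counts
    (such as denials) do not enter the bandwidth tally. A denial is recognised
    by the word 'denied' in msg, which is the convention the sample uses.
    """
    bytes_by_src = defaultdict(int)
    denied_by_src = defaultdict(int)
    parsed = skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_welf_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        if "sent" in rec or "rcvd" in rec:
            bytes_by_src[rec["src"]] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
        if "denied" in rec.get("msg", "").lower():
            denied_by_src[rec["src"]] += 1
    top_talker = max(bytes_by_src, key=bytes_by_src.get) if bytes_by_src else None
    return {
        "parsed": parsed,
        "skipped": skipped,
        "bytes_by_src": dict(bytes_by_src),
        "denied_by_src": dict(denied_by_src),
        "top_talker": top_talker,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WELF).items():
        print(f"{key}: {value}")
```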

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import the profiles later to get them back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Forensic ToolKit, AccessData Corp., Email Examiner, Encase, Guidance Software, Paraben Corp., ProDiscover, Sleuth Kit, Technology Pathways, chain of custody, dtSearch, dtSearch Corp., evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, Access and Physical Security, Cyberterrorism, Data Protection, Other Security Policies and Management, Security and Privacy, Software, Software and Web Development, Threats and Attacks, information security

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders, employees or those with internal access to an organization, putting information at risk. The big challenge for companies today – particularly as email and the Internet make sharing and distributing corporate information easier than ever – is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity, and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions, and boundaries are set up so that even employees with database access privileges cannot freely use, alter, or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles, and policies.

3.16.2 Realms

Realms encapsulate an existing application, or a set of database objects, within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale; at the same time, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information that is pertinent to their jobs, and the company can conveniently monitor and control the use of sensitive information and retrieve data-usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements, using environmental or domain-specific decision factors such as IP addresses, time of day and authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet, or outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so one practical defence is to restrict access to sensitive data to pre-approved source IP addresses. Note that a source address is a coarse filter rather than proof of identity: it should be combined with strong authentication, not substituted for it.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information matches each employee's roles and responsibilities. In large enterprises, for example, database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure, and the type of content that each data element within the structure can contain. Newer database security technologies let security administrators set restrictions that prevent employees who have access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle: DBAs perform their database management duties while the security administrator protects the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. For that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defence an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorised as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorised individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment located on the internal network rather than within a demilitarised zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems, along with host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the creation and publication of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find weaknesses that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database, such as tables and other database objects; the permissions granted for SQL commands on those objects are considered in this process. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may affect the application software or the application server. Directly related to this topic is application security.

3.16.7 Abstraction

Application-level authentication and authorisation mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is a single sign-on capability across multiple databases and database platforms. A single sign-on system stores the database users' credentials (login ID and password) and authenticates to the database on behalf of the user; that credential store then becomes a high-value target and must itself be protected and audited.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature is real-time database activity monitoring, either by analysing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used to detect anomalous activity that could indicate intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behaviour.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties and may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore network- and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.
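The rules, roles and policies of 3.16.3 to 3.16.5 only have effect if something evaluates them against what the database actually did, which is the job of the activity-monitoring and native-audit layers just described. The following is an added example written for this section; it is not code from the original page or from any database product. It parses a constructed, simplified audit trail (the "timestamp user=... src=... db=... stmt=..." line format, the intranet range, the account names, the business hours and the sensitive-table list are all assumptions made for the example) and reports every record that breaks one of those rule, role or policy checks.

```python
import ipaddress
import re
from datetime import datetime

# Constructed, simplified audit-trail lines for the example (not a real product's format).
AUDIT_LINES = """\
2013-06-03T09:15:02Z user=app_svc src=10.1.4.22 db=sales stmt=SELECT total FROM orders WHERE id = 42
2013-06-03T10:02:41Z user=dba_bob src=10.1.4.9 db=hr stmt=ALTER TABLE employees ADD COLUMN note TEXT
2013-06-03T02:14:05Z user=dba_bob src=203.0.113.7 db=hr stmt=SELECT ssn, salary FROM employees
2013-06-03T11:30:00Z user=hr_clerk src=10.2.0.5 db=hr stmt=SELECT name FROM employees WHERE id = 7
2013-06-03T11:31:12Z user=hr_clerk src=10.2.0.5 db=hr stmt=DROP TABLE salaries
"""

# Policy inputs; all of these are assumptions made for the example.
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]   # rule: where privileged work may come from
BUSINESS_HOURS = range(8, 18)                      # rule: 08:00-17:59 UTC
DBA_USERS = {"dba_bob"}                            # role: database administrators
SCHEMA_OWNERS = {"dba_bob"}                        # policy: only these accounts may change the schema
SENSITIVE_TABLES = {"employees", "salaries"}       # realm: data DBAs must not read or change

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$")
DDL_RE = re.compile(r"^\s*(ALTER|DROP|CREATE|TRUNCATE)\b", re.IGNORECASE)
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN|TABLE)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def parse(line):
    """Turn one audit line into a record with typed fields and the tables it names."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable audit line: %r" % line)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["tables"] = {t.lower() for t in TABLE_RE.findall(rec["stmt"])}
    rec["is_ddl"] = bool(DDL_RE.match(rec["stmt"]))
    return rec


def evaluate(rec):
    """Return the list of rule/role/policy violations for one record (empty if clean)."""
    findings = []
    privileged = rec["user"] in DBA_USERS
    # Rules (3.16.3): privileged work only from the intranet and only in business hours.
    if privileged and not any(rec["src"] in net for net in INTRANET):
        findings.append("privileged access from outside the intranet")
    if privileged and rec["ts"].hour not in BUSINESS_HOURS:
        findings.append("privileged access outside business hours")
    # Roles (3.16.4): a DBA manages the database but must not touch sensitive rows.
    hit = rec["tables"] & SENSITIVE_TABLES
    if privileged and not rec["is_ddl"] and hit:
        findings.append("DBA touched sensitive table(s): " + ", ".join(sorted(hit)))
    # System policy (3.16.5): schema changes are reserved to designated owners.
    if rec["is_ddl"] and rec["user"] not in SCHEMA_OWNERS:
        findings.append("schema change by non-owner")
    return findings


def review(log_text):
    """Run every non-empty line through parse() and evaluate(); keep only the violations."""
    report = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            findings = evaluate(rec)
            if findings:
                report.append((rec["ts"].isoformat(), rec["user"], rec["stmt"], findings))
    return report


if __name__ == "__main__":
    for ts, user, stmt, findings in review(AUDIT_LINES):
        print(ts, user, stmt)
        for f in findings:
            print("   !", f)
```

Run against the constructed lines, the script flags the DBA's after-hours SELECT of employee data from an external address (three separate findings on one record) and the clerk's DROP TABLE, while the DBA's daytime ALTER TABLE from the intranet passes, because schema management is the DBA's job. Real native audit formats differ per product and the table-name extraction here is deliberately simple; the important design point, from 3.16.9, is that such a script runs on the separate security system that receives the extracted audit trail, not on a host the DBAs can write to.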

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered where the risk justifies the expenditure on such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, the attacker manipulates input to a web application so that their own SQL is injected into the commands the application issues to the database. For an example, see the article "SQL Injection Attacks on Databases". In this section we look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyse your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What is a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here only look for basic SQL injection flaws. They will not detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you cannot handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that will not harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you have a simple web application that looks up an individual in a database and returns contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. Given the assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You will notice that the syntax above is a little different from that in the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (for example, %3d is the URL encoding of the = character and %3e of >, and + stands for a space), and the single quotes that the URL passes to the application are shown where they land in the query.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will reject or neutralise the single quotes in the input before using it in the query (note that merely stripping quotes is a weak defence; binding input as a parameter is the real fix). The lookup will then simply be for a person with a very strange first name, and you will see an error message from the application similar to:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it should not), you will see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

If your web server does not display detailed error messages, you will get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, the statement reached the database unchanged and your application is vulnerable to SQL injection. Some steps that you can take to protect your applications against SQL injection attacks include:

• Implement parameter checking in all applications. For example, if you are asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries: the rule of least privilege applies. If the account used to execute an injected statement does not have permission to execute it, it will not succeed.
• Use stored procedures or parameterised queries (prepared statements), so that user input is bound as data rather than spliced into SQL text, and users never interact directly with SQL code. Note that a stored procedure that builds dynamic SQL from its arguments is just as injectable as inline SQL.
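The manual test above can be reproduced offline against the page's own "directory" lookup, with the vulnerable query beside its parameterised replacement. The following is an added example written for this section, not code from the original page or from the article it draws on; it uses an in-memory SQLite table instead of the page's ASP/SQL Server setup (so the leaked error reads "no such table: fake" rather than "Invalid object name 'fake'"), and the three sample rows are constructed. The probe strings are the page's firstname payload and a second, always-true payload for the case where detailed errors are hidden.

```python
import sqlite3

# Constructed sample data standing in for the page's "directory" table.
SAMPLE_ROWS = [
    ("chapple", "mike", "555-0100"),
    ("smith", "jane", "555-0101"),
    ("doe", "john", "555-0102"),
]

# The page's probe: a bogus table reference plus an always-true clause.
ERROR_PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"
# A second probe that works even when errors are hidden: it simply widens the WHERE.
TAUTOLOGY_PROBE = "mike' OR '1'='1"


def make_db():
    """In-memory SQLite database holding the directory table from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The mistake the page describes: user input spliced straight into SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # SQLite's counterpart of SQL Server's "Invalid object name 'fake'".
        return "ERROR: %s" % exc


def lookup_parameterised(conn, lastname, firstname):
    """The fix: placeholders bind the input as data, so quotes are just characters."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def is_vulnerable(lookup, conn):
    """Apply the page's test to a lookup function.

    Vulnerable if the bogus-table probe surfaces a database error naming 'fake'
    (detailed errors enabled), or if a probe returns more rows than a literal
    first name could match (the symptom that remains when errors are hidden)."""
    for probe in (ERROR_PROBE, TAUTOLOGY_PROBE):
        result = lookup(conn, "chapple", probe)
        if isinstance(result, str) and "fake" in result:
            return True
        if isinstance(result, list) and len(result) > 1:
            return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, error probe:   ", lookup_vulnerable(db, "chapple", ERROR_PROBE))
    print("vulnerable, tautology:     ", lookup_vulnerable(db, "chapple", TAUTOLOGY_PROBE))
    print("parameterised, error probe:", lookup_parameterised(db, "chapple", ERROR_PROBE))
    print("string-built query injectable? ", is_vulnerable(lookup_vulnerable, db))
    print("parameterised query injectable?", is_vulnerable(lookup_parameterised, db))
```

The string-built lookup leaks the database error for the first probe and returns every phone number in the table for the second, because AND binds tighter than OR and the trailing OR '1'='1' makes the whole WHERE clause true for every row. The parameterised lookup returns no rows for either probe: the quotes and SQL keywords are compared against the firstname column as ordinary text.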

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of data found on the SIM/USIM, the phone handset itself and any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone (or cell phone) forensics is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner has been unfaithful, by human resources departments that need to prove whether a particular phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are just a few of the hundreds of reasons why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call: it is where people are most likely to record everything, and even someone who does not keep records of wrongdoing will usually tell at least one other person about it. On a computer, such communications may be stored in a PST file (Microsoft Outlook personal storage file), an EDB file (Microsoft Exchange database), an NSF file (Lotus Notes), MSG files (Microsoft Outlook message files) and EML files (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory, or memory cards (mainly MMC, but not exclusively). The forensic investigator can no longer rely solely on mobile-phone-specific tools, but needs a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data is achieved for the client in a sound and forensically correct manner.

A more recent development is cellular transmitter (cell site) location, which is used to assist agencies in pinpointing the approximate whereabouts of the subject of an investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Holly Wells and Jessica Chapman, in the town of Soham. The technology is relatively new, and although it has been accepted in a British court of law, that does not mean it is accepted throughout the world. There are also downsides: cell site data locates the handset, not the person, so simply passing the phone to a colleague or accomplice would place the phone elsewhere at the time of a call and away from the scene of the crime. There is also the problem of prepaid ("pay-as-you-go") phones, which have no legal tie to the owner; this is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with date and time history, and produce it in a manner that will hold up in a court of law.

Computer fraud is rampant as the use of computers becomes part of daily life. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when walking down the street, or lock up your home at night, you have to be careful of the many kinds of computer fraud that will find their way onto your computer.

3.19.1 What is Computer Fraud?

You do not have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimise you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used both by criminals and, in some cases, by legitimate companies; once installed on a computer it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain sensitive data, including your name, address, telephone number and email domain. This information is often found in the browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware has often been installed by abusing a Microsoft browser technology known as ActiveX. ActiveX is not a language but a component technology that lets a web page load native code (an ActiveX control) into the browser; it makes many interactive web pages possible, but when a control is malicious, or a legitimate one is exploited, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to run up debt, open accounts and even receive medical benefits in your name. The worst case is having your identity completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans, and you may even find yourself in trouble with the law for crimes you did not commit. Computer fraud can be one of the most devastating crimes you will ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase (securely wipe) the contents of the hard drive, since ordinary deletion leaves the data recoverable; as the saying goes, one man's trash is another man's treasure.

There are many legal ramifications for those practising computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws distinguish between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common mistake among new computer users and is not really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum people who steal information or money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer, with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual relationships
• Violating copyright laws by copying material such as DVDs and CDs with the intent to sell it
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information, such as grades or work reports
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorised access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data and system interference. Computer crimes need not involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They include software theft and the breach of personal and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are set to turn technology into a curse. The main types of computer crime are as follows.

Hacking: The activity of breaking into a computer system to gain unauthorised access is known as hacking: defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorised disclosure of passwords, with intent to gain access to the private communications of an organisation or a user, is one of the most widely known computer crimes. Another highly dangerous computer crime is the spoofing of IP addresses in order to act under a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy source. Phishing is carried out through emails, or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, across the network or the Internet, or by means of removable devices such as USB drives and CDs. Computer viruses are forms of malicious code written with the aim of harming a computer system and destroying information. Writing and releasing computer viruses is a criminal activity, as virus infections can crash computer systems, destroying great amounts of critical data.

Cyberstalking: The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information, and then harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using that person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done, through split lines, without you even knowing it. Some thieves take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the web or play games without proper authorisation. In many instances this behaviour is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to find out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists and so on.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups (forensic images) of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices (for example by recording cryptographic hashes of each image at acquisition) in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files at the time the computer was taken into evidence, together with the actual time and time zone of the system clock so that the timestamps can be interpreted correctly.
• Generating a list of keywords to facilitate the evaluation of data on a computer hard disk drive.

All Rights Reserved wwwsedulitygroupscom 42

The most critical step in investigating a computer crime is to evaluate the Windows Swap file that contains valuable information Next important thing is to evaluate the file slack or the data storage area File slack is a good source to investigate crimes committed through internet

Evaluating of unallocated space provides necessary information about deleted files on the computer Encrypted compressed and graphic files should be evaluated manually

Finally it is important to document findings and issues that have been identified during the computer search
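The keyword step and the swap, slack and unallocated-space steps above come together in one operation: a search that scans every byte of the acquired image rather than the files a filesystem still lists. The following is an added example (not from the chapter or any tool it names) of such a raw keyword search. The three-sector image, the allocation map and the keywords are constructed for the demo; a real run would read the image file produced during acquisition. It searches in both ASCII and UTF-16LE, since Windows applications commonly store text in the latter, and labels each hit as allocated, slack or unallocated so the examiner knows which recovery argument applies.

```python
"""Keyword search over a raw image, covering live files, file slack and
unallocated space alike.

Added example, not from the chapter or any tool it names. The image, the
file map and the keywords are all constructed here for the demo.
"""
import re

SECTOR = 512  # assumed sector size for the constructed image


def build_sample_image() -> bytes:
    """Three sectors: a live file with residue in its slack, an empty
    sector, and an unallocated sector holding a deleted UTF-16LE document."""
    live = b"Quarterly report: revenue up 4%."          # 32 bytes, allocated
    slack = b"old invoice to offshore account 77"       # residue after EOF
    sector0 = (live + slack).ljust(SECTOR, b"\x00")
    deleted = "Wire transfer instructions".encode("utf-16-le")
    sector2 = deleted.ljust(SECTOR, b"\x00")
    return sector0 + b"\x00" * SECTOR + sector2


# Constructed allocation map: (start_offset, length) of each live file.
SAMPLE_FILES = [(0, 32)]


def classify(offset: int, files) -> str:
    """Label an offset as allocated (inside a live file), slack (in a sector
    a live file occupies but beyond its end) or unallocated."""
    for start, length in files:
        end = start + length
        if start <= offset < end:
            return "allocated"
        sector_end = -(-end // SECTOR) * SECTOR  # round up to sector boundary
        if end <= offset < sector_end:
            return "slack"
    return "unallocated"


def keyword_search(image: bytes, keywords, files, context: int = 12) -> list:
    """Scan every byte of the image for each keyword in ASCII and UTF-16LE,
    case-insensitively, and report offset, sector, area and surrounding bytes."""
    hits = []
    for kw in keywords:
        for encoding in ("ascii", "utf-16le"):
            pattern = kw.encode("ascii" if encoding == "ascii" else "utf-16-le")
            for m in re.finditer(re.escape(pattern), image, re.IGNORECASE):
                off = m.start()
                hits.append({
                    "keyword": kw,
                    "encoding": encoding,
                    "offset": off,
                    "sector": off // SECTOR,
                    "area": classify(off, files),
                    "context": image[max(0, off - context): m.end() + context],
                })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in keyword_search(build_sample_image(),
                            ["report", "invoice", "wire transfer"], SAMPLE_FILES):
        print(f"{h['keyword']!r:18} {h['encoding']:9} offset={h['offset']:5} "
              f"sector={h['sector']} area={h['area']}")
```

A filesystem-level search would return only the first hit; the "invoice" residue in the slack of the live file and the deleted UTF-16LE document in the unallocated sector are exactly the material the chapter says must be examined separately.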

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words. Never give your password to someone else.

3.2 Definitions________________________________________

1. Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.

2. Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.

3. Digital Evidence: Information of probative value stored or transmitted in digital form.

4. Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.

5. Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.

6. Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.

7. Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. As compared to the more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. Regarding computer related crime cases, evidence is classified into three main categories according to SWGDE/IOCE standards:

Digital evidence, where the information is stored or transmitted in electronic or magnetic form.

Physical items, where the digital information is stored or transmitted through a physical medium.

Data objects, where the information is linked to physical items.

Generally speaking, there are three requirements for the evidence to be admissible in court:

1. Authentication
2. The best evidence rule, and
3. Exceptions to the hearsay rule

Authentication means showing a true copy of the original; best evidence means presenting the original; and the allowable exceptions are when a confession, business, or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential or most correct element of this in practice. Some say documentation (of what has been done), others say preservation (or integrity of the original), and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each or all as the standard in computer forensic law. In addition, the Indian courts require the legality of the evidence: it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the IT Act 2000 and IT Act 2008.

3.3 Digital Forensic Examiner Proficiency and Competency Tests_______

Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies, and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills, and abilities of forensic examiners at all levels.

However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement, and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will place this newest forensic science among the universally accepted laboratory examination specialties. Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (ACPO) guidelines. These are made up of four principles, as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

There are many reasons to employ the techniques of computer forensics:

In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).

To recover data in the event of a hardware or software failure.

To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.

To gather evidence against an employee that an organization wishes to terminate.

To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

There are five basic steps to computer forensics:

1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting

Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to be used based on the case.

Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved, as they are subject to change).

Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason, it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Other specific practices that have been adopted in the handling of digital evidence include:

Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.

Establishing and maintaining the chain of custody.

Documenting everything that has been done.

Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys, and methodology. Forensic analysis is much easier when analysts have the user's passphrases to access encrypted files, containers, and network servers.

In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Traditionally, computer forensic investigations were performed on data at rest, for example, the content of hard drives. This can be thought of as a "dead analysis". Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.

In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________

The process of creating an exact duplicate of the original evidentiary media is often called "imaging". Using a standalone hard-drive duplicator or software imaging tools such as dcfldd, IXimager, or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still-viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again (known as "hashing") to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a courtroom, however.
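The "authenticating data mathematically" step of the investigation procedure, the hash recorded in the investigator's notebook under Collection, and the verification of the image just described are the same mechanism. As an added example (not from the chapter or any of the tools it names), the following records acquisition-time digests in a custody log and re-verifies the evidence later, logging every check so the audit trail that ACPO Principle 3 calls for is complete. The evidence bytes, exhibit label and examiner name are constructed for the demo. SHA-256 is computed alongside the MD5 and SHA-1 the chapter mentions, because MD5 and SHA-1 are no longer collision-resistant and laboratories now commonly record a stronger digest as well.

```python
"""Hash-based authentication of an evidence image and later re-verification.

Added example, not from the chapter or any tool it names. The evidence bytes,
exhibit id and examiner name are constructed for the demo.
"""
import hashlib
from datetime import datetime, timezone

# MD5 and SHA-1 are what the chapter names; SHA-256 is added because the
# older two are no longer collision-resistant.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_evidence(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Digest the data once, feeding every configured algorithm per chunk,
    the way an imaging tool hashes while it reads the source drive."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for i in range(0, len(data), chunk_size):
        block = data[i:i + chunk_size]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(log: list, item_id: str, data: bytes, examiner: str) -> dict:
    """Write the acquisition-time digests into the custody log (the chapter's
    'investigator's notebook'); this entry is the baseline for later checks."""
    entry = {
        "item": item_id,
        "action": "acquired",
        "examiner": examiner,
        "time": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_evidence(data),
    }
    log.append(entry)
    return entry


def verify(log: list, item_id: str, data: bytes, examiner: str) -> bool:
    """Re-hash at a critical point and compare with the acquisition baseline.
    Every check, pass or fail, is itself logged so the audit trail is complete."""
    baseline = next(e for e in log if e["item"] == item_id and e["action"] == "acquired")
    current = hash_evidence(data)
    ok = current == baseline["hashes"]
    log.append({
        "item": item_id,
        "action": "verified" if ok else "MISMATCH",
        "examiner": examiner,
        "time": datetime.now(timezone.utc).isoformat(),
        "hashes": current,
    })
    return ok


if __name__ == "__main__":
    # Constructed stand-in for a disk image.
    image = b"\x00" * 4096 + b"constructed evidence image" + b"\xff" * 4096
    custody_log = []
    record_acquisition(custody_log, "EXHIBIT-01", image, "examiner (constructed)")
    print("intact:", verify(custody_log, "EXHIBIT-01", image, "examiner (constructed)"))
    tampered = image[:4100] + b"X" + image[4101:]  # a single changed byte
    print("after tampering:", verify(custody_log, "EXHIBIT-01", tampered, "examiner (constructed)"))
    for entry in custody_log:
        print(entry["time"], entry["item"], entry["action"], entry["hashes"]["sha256"][:16])
```

A single altered byte anywhere in the image changes every digest, which is why the chapter can say a later mismatch proves modification; the log keeps the failing digests too, so the point at which custody broke can be narrowed down.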

3.5 Collecting Volatile Data_____________________________

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield the login/password for recently accessed local email applications, including MS Outlook.

In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures, and duration of data storage increase. Holding unpowered RAM below -60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first successful step in searching and seizing the digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search which covers the location and description of the system. Thirdly, the digital evidence shall be properly seized when it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term means the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.

3. Thus, searching and seizing the digital evidence in computers will often refer to the hardware, software, and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors, and other external attachments will be referred to collectively as "peripherals" and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term "computer system". "Information" refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on either one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs, and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services) and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals, and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted, and printed out.

The field of computer forensics also has sub-branches within it, such as the following.

3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because, in many cases, it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query, and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report

On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that, in general, it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that.

In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason it is a bad idea (and in many cases is illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that, after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
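Both of the log-reading points made in this section and the previous one (one source hitting one destination on many ports, and TCP resets arriving from the address a spoofed connection claimed to come from) can be checked mechanically once the log is parsed. The following is an added example, not from the chapter and not the output or query language of NetIQ Security Manager or CS-MARS: a small triage script over constructed firewall log lines in an invented format. The scanning and scanned hosts use the private addresses of the Figure 3.1 discussion, the spoofed source is the Figure 3.2 address, and 203.0.113.1 (a documentation range) stands in for the firewall's own address; all of that is assumed for the demo.

```python
"""Firewall log triage: port-scan detection and a spoofed-source indicator.

Added example, not from the chapter or any product it names. The log format
and every address below are constructed for the demo.
"""
import re
from collections import defaultdict

# Invented one-line-per-packet format: time action proto src:port -> dst:port [flags]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: flags=(?P<flags>[A-Z]+))?$"
)

# Constructed sample: a scan of 10.1.1.2 from 10.1.1.200, some benign traffic,
# and SYNs claiming to be from 209.165.201.1 followed by RSTs from that host.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ALLOW TCP 10.1.1.50:51000 -> 10.1.1.2:443 flags=S
2024-03-01T10:00:02Z DENY TCP 10.1.1.200:40001 -> 10.1.1.2:21 flags=S
2024-03-01T10:00:02Z DENY TCP 10.1.1.200:40002 -> 10.1.1.2:22 flags=S
2024-03-01T10:00:02Z DENY TCP 10.1.1.200:40003 -> 10.1.1.2:23 flags=S
2024-03-01T10:00:03Z DENY TCP 10.1.1.200:40004 -> 10.1.1.2:25 flags=S
2024-03-01T10:00:03Z ALLOW TCP 10.1.1.200:40005 -> 10.1.1.2:80 flags=S
2024-03-01T10:00:03Z DENY TCP 10.1.1.200:40006 -> 10.1.1.2:110 flags=S
2024-03-01T10:00:04Z DENY TCP 10.1.1.200:40007 -> 10.1.1.2:143 flags=S
2024-03-01T10:00:04Z ALLOW TCP 10.1.1.200:40008 -> 10.1.1.2:443 flags=S
2024-03-01T10:00:05Z DENY UDP 10.1.1.60:5353 -> 10.1.1.2:5353
2024-03-01T10:00:10Z ALLOW TCP 209.165.201.1:12345 -> 203.0.113.1:80 flags=S
2024-03-01T10:00:10Z ALLOW TCP 209.165.201.1:12346 -> 203.0.113.1:80 flags=S
2024-03-01T10:00:11Z DENY TCP 209.165.201.1:12345 -> 203.0.113.1:80 flags=R
2024-03-01T10:00:11Z DENY TCP 209.165.201.1:12346 -> 203.0.113.1:80 flags=R
"""


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match are skipped, never guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["flags"] = e["flags"] or ""
        events.append(e)
    return events


def find_port_scans(events: list, min_ports: int = 5) -> dict:
    """Group by (src, dst) and flag pairs that touched at least min_ports
    distinct destination ports. ALLOWed packets count too: a scan that hits
    an open port is still a scan."""
    ports = defaultdict(set)
    for e in events:
        if e["proto"] in ("TCP", "UDP"):
            ports[(e["src"], e["dst"])].add(e["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def spoof_indicators(events: list, suspects) -> dict:
    """For each suspect source, count TCP resets it sent us. Resets from the
    address that 'opened' connections it knows nothing about are the sign the
    text describes of an innocent third party whose address was spoofed."""
    counts = {s: 0 for s in suspects}
    for e in events:
        if e["proto"] == "TCP" and "R" in e["flags"] and e["src"] in counts:
            counts[e["src"]] += 1
    return counts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    scans = find_port_scans(evts)
    for (src, dst), ports in scans.items():
        print(f"port scan: {src} -> {dst} ports={ports}")
    suspects = {src for src, _ in scans} | {"209.165.201.1"}
    for src, n in spoof_indicators(evts, sorted(suspects)).items():
        print(f"{src}: {n} TCP reset(s) received, "
              f"{'corroborate before attributing' if n else 'no spoofing sign'}")
```

A non-zero reset count only makes spoofing plausible; it is the cue for the "more detailed investigation" the text calls for (for example contacting the owner of 209.165.201.1), not a conclusion on its own.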

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers, and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization as well as the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that; Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface: an MMC snap-in is now available to configure the advanced firewall.

Bi-directional: filters outbound traffic as well as inbound traffic.

Works better with IPsec: now the firewall rules and IPsec encryption configurations are integrated into one interface.

Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall a better GUI and advanced rules configuration the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro for example) I know that the first concern of any server admin in using a host-based firewall is what if it prevents critical server infrastructure apps from functioning While that is always a possibility with any security measure WFAS will automatically configure new rules for any new server roles that are added to the server However if you run any non-Microsoft applications on your server that need inbound network connectivity you will have to create a new rule for that type of traffic By using the advanced windows firewall you can better secure your servers from attack your servers from attacking others and really nail down what traffic is going in and out of your servers Letrsquos see how it is done

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the Control Panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from an MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest and easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile, and a public profile for WFAS. What these different profiles allow you to do is take the many inbound and outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users and Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules. WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter: in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address, and destination port number: our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC.

Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

Select that you want to create a rule for a port.

Configure protocol and port number: take the default of TCP, enter the port number as 80, and click Next.

Take the default of "allow this connection" and click Next.

Take the default of applying this rule to all profiles and click Next.

Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created
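The text mentions that WFAS can also be driven from the netsh advfirewall command line. As an added example (not from the original page), the Python below builds the netsh command that matches the wizard steps above (inbound, TCP, local port 80, allow, all profiles) and then checks the created rule by parsing the output of netsh advfirewall firewall show rule. The sample show-rule output is constructed from that command's layout so the check runs offline; the second rule in it is deliberately over-broad so the audit has something to flag. The rule names are assumptions.

```python
"""Command-line equivalent of the New Inbound Rule Wizard, plus a scope check
on the created rule. Added example, not part of the original page. The
SAMPLE_SHOW_RULE text is constructed from the layout netsh prints; on a real
Windows server the same text would come from subprocess (see __main__)."""
import subprocess
import sys


def build_add_rule_command(name, local_port, protocol="TCP", remote_ip="any", profile="any"):
    """Arguments for 'netsh advfirewall firewall add rule' matching the wizard:
    a port rule, TCP/80, allow, all profiles, with the given name."""
    return [
        "netsh", "advfirewall", "firewall", "add", "rule",
        f"name={name}", "dir=in", "action=allow",
        f"protocol={protocol}", f"localport={local_port}",
        f"remoteip={remote_ip}", f"profile={profile}",
    ]


def parse_show_rule(text):
    """Turn the 'Rule Name: ...' blocks printed by
    'netsh advfirewall firewall show rule name=<name>' into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or line.startswith("---") or ":" not in line:
            continue  # separator lines and the trailing 'Ok.' carry no field
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules


def audit_rule(rule, expected_port, expected_protocol="TCP"):
    """Return a list of findings; an empty list means the rule opens exactly
    the single port the wizard was meant to open and nothing more."""
    findings = []
    if rule.get("Enabled") != "Yes":
        findings.append("rule is disabled")
    if rule.get("Direction") != "In":
        findings.append("not an inbound rule")
    if rule.get("Action") != "Allow":
        findings.append("action is not Allow")
    if rule.get("Protocol", "").upper() != expected_protocol.upper():
        findings.append(f"protocol is {rule.get('Protocol')}, expected {expected_protocol}")
    if rule.get("LocalPort") != str(expected_port):
        findings.append(f"local port is {rule.get('LocalPort')}, expected {expected_port}")
    return findings


# Constructed sample: the Apache rule from the text, and a second rule that
# was accidentally created as 'any protocol, any port' (a common slip).
SAMPLE_SHOW_RULE = """
Rule Name:                            Apache HTTP
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            80
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Apache HTTP (too broad)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
"""


def audit_sample():
    """Audit both constructed rules against the intended TCP/80 scope."""
    return [audit_rule(rule, 80) for rule in parse_show_rule(SAMPLE_SHOW_RULE)]


if __name__ == "__main__":
    print(" ".join(build_add_rule_command("Apache HTTP", 80)))
    text = SAMPLE_SHOW_RULE
    if sys.platform == "win32":  # only meaningful on the Windows server itself
        text = subprocess.run(["netsh", "advfirewall", "firewall", "show", "rule",
                               "name=Apache HTTP"], capture_output=True, text=True).stdout
    for rule in parse_show_rule(text):
        print(rule["Rule Name"], "->", audit_rule(rule, 80) or "OK")
```

The audit is the step the wizard does not give you: after clicking Finish, confirm that the rule you created is the rule that exists, and that it is no wider than the one service you meant to expose.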

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection.

During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level, as well as to allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus, and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
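The analysis package described above is small enough to show in full. As an added example (not the original article's code), the Python below takes the serial numbers the generator emitted and the serial numbers found in a dump file, and returns the two figures the benchmark needs: the percentage of dropped packets and the longest run of consecutive drops. It also shows the caveat of inferring the sent range from the capture alone, and compares several runs side by side. The runs and their serial lists are constructed.

```python
"""Dropped-packet analysis for the capture benchmark: the generator sends
packets carrying consecutive serial numbers, and the dump file is checked
for which serials reached disk. Added example, not from the original
article; RUN_A and RUN_B are constructed, not real capture results."""


def analyze_capture(sent_serials, captured_serials):
    """Return (percent_dropped, longest_run_of_drops) for one capture run.
    sent_serials is everything the generator emitted, in order;
    captured_serials is whatever the dump contains (order and duplicate
    frames do not matter, since a set is used)."""
    captured = set(captured_serials)
    dropped = longest = run = 0
    for serial in sent_serials:
        if serial in captured:
            run = 0
        else:
            dropped += 1
            run += 1
            longest = max(longest, run)
    percent = 100.0 * dropped / len(sent_serials) if sent_serials else 0.0
    return percent, longest


def infer_sent_serials(captured_serials):
    """When the generator's count was not logged, assume the run spanned
    min..max of what was seen. Caveat: drops at the very end of the run are
    invisible to this estimate, so record the generator count whenever you can."""
    if not captured_serials:
        return []
    return list(range(min(captured_serials), max(captured_serials) + 1))


def compare_runs(runs):
    """runs maps a label (OS, NIC or CPU configuration under test) to a
    (sent, captured) pair; returns {label: (percent_dropped, longest_run)}."""
    return {label: analyze_capture(sent, captured)
            for label, (sent, captured) in runs.items()}


# Constructed runs of 20 serialized packets: run A lost serials 4, 7, 8, 9
# and 15; run B lost nothing but recorded serial 7 twice (a duplicated frame).
RUN_A = (list(range(20)), [0, 1, 2, 3, 5, 6, 10, 11, 12, 13, 14, 16, 17, 18, 19])
RUN_B = (list(range(20)), list(range(20)) + [7])

if __name__ == "__main__":
    for label, (pct, run) in compare_runs({"run A": RUN_A, "run B": RUN_B}).items():
        print(f"{label}: {pct:.1f}% dropped, longest run of drops {run}")
```

The longest-run figure matters as much as the percentage: a capture platform that loses 2% of packets one at a time still yields usable connection reconstructions, while one that loses the same 2% in long bursts under load silently erases whole conversations.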


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
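The I-Watch story is a compact illustration of minimization: collect only the connections the warrant describes, and be ready to find, review and purge the legitimate traffic that still matches. As an added example (not from the original article or from I-Watch itself), the Python below reassembles TCP segments into connections, keeps only connections whose payload contains the keyword, and queues for review any retained connection that does not involve the hosts named in the scope. It also shows why matching must happen on the reassembled connection rather than on individual packets. The hosts, ports and payloads are constructed; the keyword is the one the text gives.

```python
"""Keyword-scoped collection with minimization, modelled on the I-Watch
account above. Added example, not from the original article; SEGMENTS is a
constructed list of (src, sport, dst, dport, payload) tuples, not a capture."""
from collections import defaultdict


def reassemble(segments):
    """Group segments into connections keyed by the 4-tuple, joining their
    payloads in arrival order (a minimal stand-in for TCP stream reassembly)."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in segments:
        flows[(src, sport, dst, dport)].append(payload)
    return {key: b"".join(parts) for key, parts in flows.items()}


def segment_level_matches(segments, keyword):
    """Connections in which some single segment contains the keyword. Used
    only to show what a per-packet filter would miss when the keyword is
    split across two segments."""
    return {(src, sport, dst, dport)
            for src, sport, dst, dport, payload in segments if keyword in payload}


def minimize(flows, keyword):
    """Return (retained, discarded_count). Only connections whose reassembled
    payload contains the keyword are retained; everything else is dropped
    rather than stored, which is what a minimization requirement demands."""
    retained = {key: data for key, data in flows.items() if keyword in data}
    return retained, len(flows) - len(retained)


def review_queue(retained, scoped_hosts):
    """Retained connections involving none of the hosts named in the scope.
    These are the incidental captures a reviewer must examine and purge,
    like the two legitimate users' connections in the account above."""
    return [key for key in retained if not ({key[0], key[2]} & scoped_hosts)]


# Constructed traffic: the scoped host's session (keyword split across two
# segments), an unrelated user's mail mentioning the same string, and an
# ordinary web request that must never be stored.
SEGMENTS = [
    ("192.0.2.10", 40001, "198.51.100.5", 23, b"USER suspect\nrun sni"),
    ("192.0.2.10", 40001, "198.51.100.5", 23, b"256\n"),
    ("192.0.2.77", 51200, "198.51.100.9", 25,
     b"Subject: has anyone seen a file called sni256 on the server?\n"),
    ("192.0.2.80", 51300, "198.51.100.20", 80, b"GET /index.html HTTP/1.0\n"),
]
KEYWORD = b"sni256"
SCOPED_HOSTS = {"192.0.2.10"}  # constructed: the host named in the scope

if __name__ == "__main__":
    retained, discarded = minimize(reassemble(SEGMENTS), KEYWORD)
    print(f"retained {len(retained)} connection(s), discarded {discarded}")
    print("per-packet filter would have matched only:", segment_level_matches(SEGMENTS, KEYWORD))
    for key in review_queue(retained, SCOPED_HOSTS):
        print("incidental capture needing review:", key)
```

Two lessons fall out of the constructed data: a per-packet keyword filter misses the scoped session entirely because the keyword straddles a segment boundary, and the reassembled filter still captures an unrelated user's mail, so the review queue is part of the design, not an afterthought.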


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications (they can't eavesdrop on communications or disclose intercepted contents) unless one of the parties to the communication has given consent, or the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, allowing you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly in Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import them later to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools, vendors, and topics covered by the referenced article: Forensic ToolKit, AccessData Corp., Email Examiner, EnCase, Guidance Software, Paraben Corp., ProDiscover, Sleuth Kit, Technology Pathways, chain of custody, dtSearch, dtSearch Corp., evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, other security policies and management, security and privacy software, software and Web development, threats and attacks, information security.

3.16 Database Forensics_______________________________

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
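The paragraph above names one concrete technique: testing row timestamps for validity. As an added example (not from the original page), the Python below loads a constructed copy of an acquired table into SQLite and applies three checks an examiner would run on every row: an update time earlier than the creation time, any time later than the moment the image was acquired, and a creation time that runs backwards relative to an append-only primary key. The table, its rows and the acquisition time are constructed, including three rows seeded with the anomalies the checks are meant to surface.

```python
"""Timestamp validity tests on rows of a relational table. Added example,
not from the original page; the 'accounts' table and acquisition time are
constructed, with three rows deliberately inconsistent."""
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def load_constructed_table():
    """In-memory copy of an acquired table (constructed data, not evidence)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, "
                "balance INTEGER, created_at TEXT, updated_at TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", [
        (1, "alice", 500, "2010-01-04 09:00:00", "2010-02-10 11:30:00"),
        (2, "bob", 120, "2010-01-05 14:20:00", "2010-01-05 14:20:00"),
        # row 3: updated before it was created
        (3, "carol", 9900, "2010-01-06 08:00:00", "2009-12-30 23:59:00"),
        # row 4: created earlier than row 3 although its id is higher
        (4, "dave", 75, "2010-01-02 10:00:00", "2010-01-02 10:00:00"),
        # row 5: update dated after the disk image was taken
        (5, "erin", 310, "2010-02-01 12:00:00", "2010-03-15 00:00:00"),
    ])
    return con


def check_timestamps(con, acquired_at):
    """Return [(id, finding)] for rows whose timestamps cannot be genuine.
    acquired_at is when the image was taken, in FMT."""
    acquired = datetime.strptime(acquired_at, FMT)
    findings = []
    latest_created = None  # running maximum over rows in primary-key order
    for row_id, created, updated in con.execute(
            "SELECT id, created_at, updated_at FROM accounts ORDER BY id"):
        c = datetime.strptime(created, FMT)
        u = datetime.strptime(updated, FMT)
        if u < c:
            findings.append((row_id, "updated_at precedes created_at"))
        if c > acquired or u > acquired:
            findings.append((row_id, "timestamp later than acquisition time"))
        if latest_created is not None and c < latest_created:
            findings.append((row_id, "created_at out of order with primary key"))
        latest_created = c if latest_created is None else max(latest_created, c)
    return findings


if __name__ == "__main__":
    for row_id, why in check_timestamps(load_constructed_table(), "2010-03-01 18:00:00"):
        print(f"row {row_id}: {why}")
```

Each finding points at a row whose history cannot be taken at face value and should be cross-checked against the database's own transaction log or audit trail; run the checks against a working copy, never the acquired image itself.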


For example database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges As well DBAs enjoy unbridled system access in order to manage companiesrsquo IT infrastructure 247 and to respond to emergency situations As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats this user- and role-based security model no longer complies with ldquoneed-to-knowrdquo security best-practices Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy Today to help ensure the safety integrity and privacy of corporate information more companies are pursuing a comprehensive multi-factored security approach

3161 A multi-factored security model What exactly is a multi-factored security approach Simply put this approach is built on the defense-in-depth principle which introduces multiple mechanisms to augment the traditional user and role security model That means controls restrictions and boundaries are set up so that even employees with database access privileges cannot freely use alter or export sensitive information These mechanisms can be grouped into four categories realms rules roles and policies

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems, along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerabilities that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database. Database objects include tables and the other object types the platform supports, and the permissions granted for SQL language commands on those objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. Directly related to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system stores the database user's credentials (login ID and password) and authenticates to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
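The segregation described above only yields evidence if the receiving system can show that the extract it holds is complete and unaltered. As an added example that is not from the chapter or from any database product, the following Python seals each extracted audit record into a SHA-256 hash chain at transfer time and verifies the chain later. The record fields and values are constructed for the example. A modified or deleted record breaks the chain at that position; a truncated tail can only be caught if the last chain hash was noted on the receiving system when the extract arrived, which the verifier accepts as an optional argument.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record of an extract


def _canonical(record):
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def seal_records(records, prev_hash=GENESIS):
    """Wrap each native audit record so its hash covers the record and the previous hash."""
    sealed = []
    for record in records:
        digest = hashlib.sha256((prev_hash + _canonical(record)).encode()).hexdigest()
        sealed.append({"record": dict(record), "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return sealed


def verify_chain(sealed, expected_last=None, genesis=GENESIS):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_link).

    expected_last is the final hash noted on the receiving security system when the
    extract arrived; without it, silently dropping records from the end goes unnoticed.
    """
    prev = genesis
    for i, entry in enumerate(sealed):
        expected = hashlib.sha256((prev + _canonical(entry["record"])).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    if expected_last is not None and prev != expected_last:
        return False, len(sealed)  # records missing from the tail
    return True, None


# Constructed sample extract of native audit records (field names are assumptions).
SAMPLE_RECORDS = [
    {"ts": "2011-03-09T22:14:05Z", "user": "SYS", "action": "GRANT", "object": "DBA TO JSMITH"},
    {"ts": "2011-03-09T22:15:40Z", "user": "JSMITH", "action": "SELECT", "object": "HR.SALARIES"},
    {"ts": "2011-03-09T22:16:02Z", "user": "JSMITH", "action": "DELETE", "object": "SYS.AUD$"},
]

if __name__ == "__main__":
    sealed = seal_records(SAMPLE_RECORDS)
    tail = sealed[-1]["hash"]               # store this on the receiving system, not with the extract
    print("intact:", verify_chain(sealed, tail))
    sealed[2]["record"]["action"] = "SELECT"  # tamper with the DELETE entry
    print("after edit:", verify_chain(sealed, tail))
```

The chain proves integrity of the extract from the moment it was sealed, not before: records an administrator removed from the native trail before extraction are simply absent, which is the gap the chapter's network- and host-level monitoring is meant to close.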

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.
• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
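To make the vulnerable and the corrected behaviour concrete, here is an added Python example (not code from the original article) that reproduces the directory lookup above against an in-memory SQLite table; the table contents are constructed. SQLite reports a missing table as "no such table: fake", the counterpart of SQL Server's "Invalid object name 'fake'". The payload is the one from the test URL with one adjustment: it ends in OR '1'='1 so that the closing quote the application appends stays balanced, since an unbalanced quote would give a syntax error before the table name is ever resolved.

```python
import sqlite3

# Constructed stand-in for the page's "directory" table.
DIRECTORY = [("chapple", "mike", "555-0100"), ("smith", "jane", "555-0101")]

# The test payload from the URL above, URL-decoded (%3e -> '>', %3d -> '=') and
# ended with OR '1'='1 so the application's own closing quote stays balanced.
PAYLOAD = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def _directory_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", DIRECTORY)
    return conn


def lookup_vulnerable(lastname, firstname):
    """The flaw the manual test probes for: user input spliced straight into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    try:
        return "ok", [phone for (phone,) in _directory_db().execute(sql)]
    except sqlite3.Error as exc:   # the database error text is what leaks to the browser
        return "error", str(exc)


def lookup_parameterized(lastname, firstname):
    """Corrected version: the driver binds the values, so the payload is just an odd name."""
    rows = _directory_db().execute(
        "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?",
        (lastname, firstname)).fetchall()
    return "ok", [phone for (phone,) in rows]


def injection_indicated(result):
    """Evaluate a lookup result the way the page evaluates the browser response.

    A database error that names the non-existent table (or complains about quoting)
    proves the injected text reached the SQL parser; an application-level 'not found'
    or an empty result does not.
    """
    status, payload = result
    if status != "error":
        return False
    msg = payload.lower()
    return ("fake" in msg or "invalid object name" in msg
            or "unclosed quotation" in msg or "unrecognized token" in msg)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("chapple", PAYLOAD))        # error text names table 'fake'
    print("parameterized:", lookup_parameterized("chapple", PAYLOAD))  # ('ok', [])
```

Parameter binding is the general fix behind the page's list: the values never become part of the SQL text, so quoting in the input has nothing to escape from. Least privilege still matters on top of it, because the binding protects only the statements the application itself issues.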

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and any optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources departments who need to prove whether "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given time. These are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the work of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature dictates that you will tell at least someone. On a computer these records could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSF file (Lotus Notes), your DBX files (Microsoft Outlook Express) and your EML files (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the phone's own internal memory, or removable memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter (cell site) location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigative technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. This technology is relatively new, and although it has been accepted in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem of "Pay-As-You-Go" prepaid phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and, in some cases, by legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in locations such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by abusing a Microsoft technology known as ActiveX. ActiveX is a component technology that lets web pages embed executable controls in the browser, and it makes it possible to view many of your favorite web pages. However, when ActiveX is abused by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent. Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines.

Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying and selling protected content such as DVDs and CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; rather, they involve the manipulation of confidential data and critical information. Computer crimes include software theft, wherein the privacy of the users is compromised. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking, as is the act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with the intent to gain unauthorized access to the private communications of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the spoofing of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising oneself as a trustworthy source. Phishing is carried out through emails or by luring users into entering personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or the Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking: The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the Internet or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, the unused storage area at the end of a file's last cluster. File slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
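As an added illustration of the keyword, file slack and unallocated-space steps above (example code written for this chapter, not from the original text), the following Python builds a tiny constructed disk image with a made-up allocation table and shows how a search over the raw bytes surfaces hits that a search through the live filesystem would never show. The cluster size, file names and contents are all constructed.

```python
"""Keyword search over a raw disk image, reporting where each hit lives.

Added example, not from the chapter. A six-cluster constructed "image" and a
constructed allocation table stand in for a bit-stream copy and its
filesystem metadata. The search runs over raw bytes, so it reaches file slack
and unallocated space as well as live files.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Optional

CLUSTER_SIZE = 64  # constructed; real filesystems use 512 bytes to 64 KiB


@dataclass(frozen=True)
class AllocatedFile:
    """One live file from the (constructed) allocation table; contiguous for simplicity."""
    name: str
    first_cluster: int
    size: int  # logical size in bytes, usually less than the space allocated

    @property
    def start(self) -> int:
        return self.first_cluster * CLUSTER_SIZE

    @property
    def end_allocated(self) -> int:
        # Allocation is whole clusters; the gap between size and this is the slack.
        return self.start + math.ceil(self.size / CLUSTER_SIZE) * CLUSTER_SIZE


@dataclass(frozen=True)
class Hit:
    keyword: str
    offset: int
    region: str          # "allocated", "slack" or "unallocated"
    file: Optional[str]  # owning file for allocated and slack hits


def build_constructed_image() -> tuple[bytes, list[AllocatedFile]]:
    """Cluster 0: live report.txt (38 bytes) whose slack still holds a remnant.
    Clusters 1-2: free, but a deleted memo was never overwritten.
    Cluster 3: live invoice.txt. Clusters 4-5: zeroed."""
    image = bytearray(6 * CLUSTER_SIZE)
    report = b"Quarterly report, nothing to see here."
    remnant = b"wire transfer to ACCT-PLACEHOLDER approved"  # older data left in slack
    image[0:len(report)] = report
    image[len(report):CLUSTER_SIZE] = remnant[:CLUSTER_SIZE - len(report)]
    memo = b"Deleted memo: wire transfer scheduled Friday, then delete this file."
    image[CLUSTER_SIZE:CLUSTER_SIZE + len(memo)] = memo
    invoice = b"Invoice 4711 paid by wire transfer on Monday."
    image[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + len(invoice)] = invoice
    table = [AllocatedFile("report.txt", 0, len(report)),
             AllocatedFile("invoice.txt", 3, len(invoice))]
    return bytes(image), table


def classify(offset: int, table: list[AllocatedFile]) -> tuple[str, Optional[str]]:
    """Map a byte offset to live data, slack of a live file, or unallocated space."""
    for f in table:
        if f.start <= offset < f.start + f.size:
            return "allocated", f.name
        if f.start + f.size <= offset < f.end_allocated:
            return "slack", f.name
    return "unallocated", None


def search_image(image: bytes, keywords: list[str], table: list[AllocatedFile]) -> list[Hit]:
    """Case-insensitive search of every byte, regardless of filesystem state."""
    hits = []
    lowered = image.lower()
    for kw in keywords:
        needle = kw.lower().encode()
        pos = lowered.find(needle)
        while pos != -1:
            region, name = classify(pos, table)
            hits.append(Hit(kw, pos, region, name))
            pos = lowered.find(needle, pos + 1)
    return sorted(hits, key=lambda h: (h.offset, h.keyword))


def count_by_region(hits: list[Hit]) -> dict[str, int]:
    """How many hits a filesystem-level search would have missed is visible here."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.region] = counts.get(h.region, 0) + 1
    return counts


if __name__ == "__main__":
    img, tbl = build_constructed_image()
    for hit in search_image(img, ["wire transfer", "delete"], tbl):
        print(f"{hit.offset:5d}  {hit.region:<11} {hit.file or '-':<12} {hit.keyword}")
```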

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.


computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. As compared to the more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. Regarding computer-related crime cases, evidence is classified into three main categories according to SWGDE/IOCE standards:

Digital evidence, where the information is stored or transmitted in electronic or magnetic form.

Physical items, where the digital information is stored or transmitted through a physical medium.

Data objects, where the information is linked to physical items.

Generally speaking, there are three requirements for the evidence to be admissible in court:

1. Authentication, 2. The best evidence rule, and 3. Exceptions to the hearsay rule.

Authentication means showing a true copy of the original; best evidence means presenting the original; and the allowable exceptions are when a confession, business or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential or most correct element of this in practice. Some say documentation (of what has been done), others say preservation (or integrity of the original), and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each or all as the standard in computer forensic law. In addition, the Indian courts require the legality of the evidence: it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the IT Act 2000 and IT Act 2008.

3.3 Digital Forensic Examiner Proficiency and Competency Tests

Law enforcement investigators and forensic laboratory examiners must be prepared to respond to the increased use of technology by the criminal element. Digital evidence examiners are being called upon to demonstrate their competencies in court and to their own management. These trends in the digital forensics profession have made it necessary for laboratories, police agencies and corporate investigative practices to find ways to evaluate the capabilities of their personnel, both individually and as a group. In other forensic sciences, proficiency and competency tests have become a standard method of documenting the knowledge, skills and abilities of forensic examiners at all levels.

However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will bring this newest forensic science into the ranks of universally accepted laboratory examination specialties. Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (ACPO) guidelines. These are made up of four principles, as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

There are many reasons to employ the techniques of computer forensics:

In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).

To recover data in the event of a hardware or software failure.

To analyze a computer system after a break-in, for example to determine how the attacker gained access and what the attacker did.

To gather evidence against an employee that an organization wishes to terminate.

To gain information about how computer systems work for the purpose of debugging, performance optimization or reverse-engineering.

There are five basic steps to computer forensics:

1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting

Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to be used based on the case.

Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags and web pages (which must be preserved as they are subject to change).

Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Other specific practices that have been adopted in the handling of digital evidence include:

Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.

Establishing and maintaining the chain of custody.

Documenting everything that has been done.

Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers and network servers.

In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Traditionally, computer forensic investigations were performed on data at rest, for example the content of hard drives. This can be thought of as a "dead analysis". Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.

In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as dcfldd, IXimager or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still-viable algorithms such as MD5. At critical points throughout the analysis the media is verified again, known as hashing, to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a court room, however.
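The hashing practice described under Collection and the image verification described here, as an added Python example (not code from the chapter): hash the image at acquisition, keep the record apart from the image, and re-verify it at later points. The image file, the examiner name and the altered byte are constructed; SHA-256 is included alongside the SHA-1 and MD5 the text names.

```python
"""Hash an evidence image at acquisition, store the record apart from the
image, and re-verify it later.

Added example, not from the chapter. It uses hashlib with SHA-1 and MD5 (the
algorithms the chapter names) plus SHA-256, and a small constructed file in
place of a real disk image.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM
DEFAULT_ALGORITHMS = ("sha1", "md5", "sha256")


def hash_file(path, algorithms=DEFAULT_ALGORITHMS):
    """Return {algorithm: hexdigest} for the file, all digests in one pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def record_acquisition(path, examiner, algorithms=DEFAULT_ALGORITHMS):
    """The entry the examiner writes in the notebook when the image is made."""
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_file(path, algorithms),
    }


def verify_against_record(path, record):
    """Re-hash the image and compare with the record; returns (ok, details)."""
    current = hash_file(path, tuple(record["hashes"]))
    mismatched = sorted(name for name, value in current.items()
                        if value != record["hashes"][name])
    size_ok = os.path.getsize(path) == record["size"]
    return (size_ok and not mismatched), {"mismatched": mismatched,
                                          "size_ok": size_ok, "current": current}


def demo():
    """Constructed scenario: image, record, verify, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect_disk.dd")  # constructed stand-in for an image
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sector content" + b"\xff" * 1000)
        # The record lives apart from the image (here a JSON file; in practice
        # the case notebook) so it cannot be altered together with the evidence.
        notebook = os.path.join(tmp, "notebook.json")
        with open(notebook, "w") as fh:
            json.dump(record_acquisition(image, "examiner placeholder"), fh)
        with open(notebook) as fh:
            record = json.load(fh)
        ok_before, _ = verify_against_record(image, record)
        with open(image, "r+b") as fh:  # simulate a single-byte change to the evidence
            fh.seek(4096)
            fh.write(b"C")
        ok_after, details = verify_against_record(image, record)
        return ok_before, ok_after, details["mismatched"]


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha1', 'sha256'])
```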

3.5 Collecting Volatile Data_____________________________

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection) and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield the login/password for recently accessed local email applications, including MS Outlook.

In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below minus 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first successful step in searching and seizing the digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search which covers the location and description of the system. Thirdly, the digital evidence shall be properly seized when it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term means the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.

3. Thus, searching and seizing the digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on either one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

The field of computer forensics also has sub-branches within it, such as:

3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is trying to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because in many cases it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report

On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1 because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.

In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.

3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization as well as the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should probably not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that; Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface – an MMC snap-in is now available to configure the advanced firewall.

Bi-directional – filters outbound traffic as well as inbound traffic.

Works better with IPsec – now the firewall rules and IPsec encryption configurations are integrated into one interface.

Advanced rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall you can better secure your servers from attack, your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:

Figure 3.3 Windows 2008 Server Manager

Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type "firewall" in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile, and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows 2008 Server: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules – WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter – in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number – our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC. Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC – new rule button

Select that you want to create a rule for a port. Configure protocol & port number – take the default of TCP and enter the port number as 80, and click Next. Take the default of "allow this connection" & click Next. Take the default of applying this rule to all profiles & click Next. Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC – after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule, it works great!

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level, as well as to allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio(TM), will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command: /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command: /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look, and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look, and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data. How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384kbps DSL link, a 66MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus, and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations. The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
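The analysis package described above, which reads the recorded dump files and reports the percentage of dropped packets and the longest run of consecutive drops, is easy to write once the serial numbers are recovered. The following is an added example, not code from the chapter or from the test described: it assumes the packet generator stamps each test packet with a running serial number and that a decoder (tcpdump or windump with a small payload printer) emits one line per captured packet containing "seq=<n>". The decoded lines below are constructed for the demonstration.

```python
"""Capture-efficiency analysis for a serialized packet test run.

Added example (not part of the original chapter).  Assumptions: the generator
numbers packets consecutively from `first` to `last`, and the decoder prints
one line per captured packet carrying "seq=<n>".  Everything after parsing
works on the recovered serial list, so any capture tool that can expose the
serial number can feed it.
"""
import re
from dataclasses import dataclass

SEQ_RE = re.compile(r"\bseq=(\d+)\b")

# Constructed sample: decoded lines for a run in which the generator sent
# serials 0..19.  The sniffer missed 3, 4, 8, 12-15 and 19 and wrote 6 twice.
SAMPLE_DUMP = """\
10:00:00.000100 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=0
10:00:00.000200 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=1024 seq=1
10:00:00.000300 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=64 seq=2
10:00:00.000600 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=5
10:00:00.000700 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=1400 seq=6
10:00:00.000700 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=1400 seq=6
10:00:00.000800 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=128 seq=7
10:00:00.001000 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=9
10:00:00.001100 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=10
10:00:00.001200 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=64 seq=11
10:00:00.001700 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=16
10:00:00.001800 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=17
10:00:00.001900 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP len=512 seq=18
"""


@dataclass
class CaptureStats:
    sent: int              # serials the generator emitted (first..last inclusive)
    captured: int          # distinct serials recovered from the dump
    dropped: int
    drop_percent: float
    longest_drop_run: int  # longest stretch of consecutive missing serials
    duplicates: int        # lines that repeat a serial already seen


def parse_serials(dump_text):
    """Return the serial numbers in the order they appear in the decoded dump."""
    serials = []
    for line in dump_text.splitlines():
        m = SEQ_RE.search(line)
        if m:
            serials.append(int(m.group(1)))
    return serials


def analyze(serials, first, last):
    """Compare recovered serials with the range the generator sent."""
    if last < first:
        raise ValueError("last must be >= first")
    seen = set(serials)
    duplicates = len(serials) - len(seen)
    dropped = longest = run = 0
    for s in range(first, last + 1):
        if s in seen:
            run = 0              # a captured packet ends the current drop run
        else:
            dropped += 1
            run += 1
            longest = max(longest, run)
    sent = last - first + 1
    return CaptureStats(
        sent=sent,
        captured=sent - dropped,
        dropped=dropped,
        drop_percent=100.0 * dropped / sent,
        longest_drop_run=longest,
        duplicates=duplicates,
    )


def report(dump_text, first, last):
    """Parse a decoded dump and summarize it in one call."""
    return analyze(parse_serials(dump_text), first, last)


if __name__ == "__main__":
    stats = report(SAMPLE_DUMP, 0, 19)
    print(f"sent={stats.sent} captured={stats.captured} dropped={stats.dropped} "
          f"({stats.drop_percent:.1f}%), longest run={stats.longest_drop_run}, "
          f"duplicates={stats.duplicates}")
```

Running the same analysis over dumps recorded under each operating system and adapter, with the generator's serial range held constant, gives the comparison the text describes; the longest-run figure matters because a capture platform that drops packets in long bursts loses whole connections even when its overall drop percentage looks acceptable.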


These results could be used to choose the hardware configuration for Sandstorm's NetIntercept appliance, although they are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings. In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill down a large data set into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
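The two techniques this section leans on, the strings-style transcript of Section 3.13 and the keyword-scoped (minimized) collection of the Harvard case, can be demonstrated together. The following is an added example, not the chapter's code and not I-Watch: it assumes the capture stage has already reassembled each TCP/IP connection into a byte string keyed by a session id, extracts printable runs the way strings(1) does, and retains only the connections whose strings contain the warrant keyword. The sessions and payloads are constructed; the keyword is the one from the text. The summary function also counts the retained connections an analyst later marks as belonging to legitimate users, the inadvertent captures the text mentions, which must be discarded rather than kept in evidence.

```python
"""strings(1)-style extraction plus keyword-scoped (minimized) retention.

Added example (not part of the chapter, not I-Watch).  Assumption: each
reassembled TCP/IP connection is available as raw bytes under a session id.
"""


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes (0x20..0x7e)."""
    runs, current = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:          # run that ends with the payload
        runs.append(current.decode("ascii"))
    return runs


def minimize(sessions, keyword, min_len=4):
    """Keep only sessions whose printable strings contain the keyword.

    sessions: dict of session id -> raw payload bytes.
    Returns dict of retained session id -> the matching strings, so the
    reviewer can see exactly why each connection was kept.
    """
    kept = {}
    for sid, payload in sessions.items():
        hits = [s for s in extract_strings(payload, min_len) if keyword in s]
        if hits:
            kept[sid] = hits
    return kept


# Constructed sample sessions; nothing here is real traffic.  Session ids use
# the src:port->dst:port form tcpdump-style tools print.
SAMPLE_SESSIONS = {
    "10.1.1.5:3301->10.1.1.20:23":
        b"\x00\x01login: guest\r\n$ ./sni256 -i eth0\x00\xff\x00",
    "10.1.1.7:2048->10.1.1.30:25":
        b"\x16\x03HELO box\r\nSubject: lunch?\r\nsee you at noon\r\n",
    "10.1.1.9:1234->10.1.1.40:25":
        b"\x16\x03Subject: re: cleanup\r\nfound sni256 in /tmp, removed\r\n",
    "10.1.1.12:4000->10.1.1.50:80":
        b"GET /index.html HTTP/1.0\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00",
}


def minimization_summary(sessions, keyword, unrelated_ids=()):
    """Return (total, retained, retained_but_unrelated) for one collection run.

    unrelated_ids: session ids the analyst's review found to belong to
    legitimate users even though they matched; they count as over-collection.
    """
    kept = minimize(sessions, keyword)
    unrelated = [sid for sid in unrelated_ids if sid in kept]
    return len(sessions), len(kept), len(unrelated)


if __name__ == "__main__":
    for sid, hits in minimize(SAMPLE_SESSIONS, "sni256").items():
        print(sid, "->", hits)
    print(minimization_summary(SAMPLE_SESSIONS, "sni256",
                               ["10.1.1.9:1234->10.1.1.40:25"]))
```

On the constructed sessions two of four connections are retained, and one of those two is the mail message that merely mentions the keyword: the same kind of over-collection the text reports, which is why a keyword filter needs a review step and a documented discard procedure rather than being trusted as the final minimization.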


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
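The bandwidth and risk reporting described in 3.14.1 starts with parsing the exported records, and WELF (mentioned above) is the simplest case because each record is one line of key=value pairs with quoted values where the value contains spaces. The following is an added example, not Firewall Analyzer's code: it parses WELF lines into fields, then aggregates bytes per internal source and per protocol (the bandwidth view) and denied connections per external source and per destination/protocol (the risk view). The log lines are constructed for the demonstration; the field names used (time, fw, pri, rule, proto, src, dst, rcvd, sent, msg) are the common WELF keys.

```python
"""Parse WELF firewall log lines and summarize bandwidth and denied traffic.

Added example, not Firewall Analyzer's code.  WELF records are single lines
of key=value pairs; values containing spaces are wrapped in double quotes.
The sample log is constructed.
"""
import re
from collections import Counter

# key=value where value is either a quoted string or a run of non-space chars
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOG = """\
id=firewall time="2024-03-01 09:15:02" fw=192.0.2.1 pri=6 rule=allow proto=http src=10.0.0.5 dst=203.0.113.10 rcvd=1500 sent=300
id=firewall time="2024-03-01 09:15:07" fw=192.0.2.1 pri=6 rule=allow proto=https src=10.0.0.5 dst=203.0.113.11 rcvd=4000 sent=800
id=firewall time="2024-03-01 09:16:10" fw=192.0.2.1 pri=6 rule=allow proto=http src=10.0.0.9 dst=203.0.113.10 rcvd=700 sent=200
id=firewall time="2024-03-01 09:17:00" fw=192.0.2.1 pri=4 rule=deny proto=ssh src=198.51.100.7 dst=10.0.0.2 msg="Policy violation: inbound ssh"
id=firewall time="2024-03-01 09:17:03" fw=192.0.2.1 pri=4 rule=deny proto=ssh src=198.51.100.7 dst=10.0.0.2 msg="Policy violation: inbound ssh"
id=firewall time="2024-03-01 09:17:09" fw=192.0.2.1 pri=4 rule=deny proto=ssh src=198.51.100.7 dst=10.0.0.3 msg="Policy violation: inbound ssh"
this line is not WELF and is skipped
"""


def parse_welf_line(line):
    """Return a dict of fields, or None when the line has no key=value pairs."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields or None


def summarize(log_text):
    """Aggregate allowed bytes by source/protocol and denies by source/target."""
    bytes_by_src, bytes_by_proto = Counter(), Counter()
    denies_by_src, denies_by_dst_proto = Counter(), Counter()
    parsed = skipped = 0
    for line in log_text.splitlines():
        rec = parse_welf_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        if rec.get("rule") == "deny":
            denies_by_src[rec.get("src", "?")] += 1
            denies_by_dst_proto[(rec.get("dst", "?"), rec.get("proto", "?"))] += 1
            continue
        # rcvd/sent are optional in WELF; treat a missing counter as zero
        total = int(rec.get("rcvd", 0)) + int(rec.get("sent", 0))
        bytes_by_src[rec.get("src", "?")] += total
        bytes_by_proto[rec.get("proto", "?")] += total
    return {
        "parsed": parsed,
        "skipped": skipped,
        "total_bytes": sum(bytes_by_src.values()),
        "bytes_by_src": dict(bytes_by_src),
        "bytes_by_proto": dict(bytes_by_proto),
        "denies_by_src": dict(denies_by_src),
        "denies_by_dst_proto": dict(denies_by_dst_proto),
    }


def top_talkers(summary, n=3):
    """Internal sources ranked by bytes, the input to capacity planning."""
    return sorted(summary["bytes_by_src"].items(),
                  key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("records:", s["parsed"], "skipped:", s["skipped"],
          "total bytes:", s["total_bytes"])
    print("top talkers:", top_talkers(s))
    print("denied by source:", s["denies_by_src"])
```

The unparseable line is counted rather than silently dropped: a sudden rise in the skipped count is the first sign that a firewall's export format changed or that a collector is receiving something other than firewall logs on its listener port.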

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and you can import the profiles to get them back. This will come in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp
3. Email Examiner
4. Encase
5. Guidance Software
6. Paraben Corp
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other Security Policies and Management

Security and Privacy Software; Software and Web Development; Threats and Attacks; information security

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means the gathering and analyzing of data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today – particularly as email and the Internet make sharing and distributing corporate information easier than ever – is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
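Two of the steps named above, testing row timestamps for validity and making a copy of the evidence that can later be shown to match the original, are concrete enough to show in code. The following is an added example, not part of the chapter: it builds a constructed SQLite database with an `accounts` table and an `audit_log` table (both names, every row value and the acquisition time are assumptions for the demonstration), flags rows whose timestamps are implausible or that changed without a matching audit entry, and makes a working copy with SQLite's online backup whose table digest is compared with the original's.

```python
"""Timestamp validity checks and a verified evidence copy for a relational table.

Added example (not from the chapter).  Assumptions: an `accounts` table with
created_at/updated_at text columns in "%Y-%m-%d %H:%M:%S" form, an `audit_log`
table recording every change, and a known acquisition time.  All rows are
constructed for the demo.
"""
import hashlib
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_db():
    """Constructed evidence: four accounts, one of them with an audit entry."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(
            id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER,
            created_at TEXT, updated_at TEXT);
        CREATE TABLE audit_log(row_id INTEGER, changed_at TEXT, changed_by TEXT);
        INSERT INTO accounts VALUES
            (1, 'alice', 100,  '2024-03-01 09:00:00', '2024-03-01 09:00:00'),
            (2, 'bob',   5000, '2024-03-02 10:00:00', '2024-03-01 08:00:00'),
            (3, 'carol', 250,  '2024-03-03 11:00:00', '2024-03-10 02:30:00'),
            (4, 'dave',  9999, '2024-03-04 12:00:00', '2024-03-20 14:00:00');
        INSERT INTO audit_log VALUES (3, '2024-03-10 02:30:00', 'dba_night');
    """)
    return conn


def check_timestamps(conn, acquired_at):
    """Return (row_id, reason) findings for rows whose timestamps are implausible."""
    acquired = datetime.strptime(acquired_at, FMT)
    audited = {row_id for (row_id,) in
               conn.execute("SELECT DISTINCT row_id FROM audit_log")}
    findings = []
    for row_id, created, updated in conn.execute(
            "SELECT id, created_at, updated_at FROM accounts ORDER BY id"):
        try:
            c = datetime.strptime(created, FMT)
            u = datetime.strptime(updated, FMT)
        except (TypeError, ValueError):
            findings.append((row_id, "unparseable timestamp"))
            continue
        if u < c:
            findings.append((row_id, "updated_at precedes created_at"))
        if u > acquired or c > acquired:
            findings.append((row_id, "timestamp later than acquisition time"))
        if u != c and row_id not in audited:
            findings.append((row_id, "row changed with no audit_log entry"))
    return findings


def table_digest(conn, table="accounts"):
    """SHA-256 over rows in primary-key order; equal digests mean equal content."""
    h = hashlib.sha256()
    for row in conn.execute(f"SELECT * FROM {table} ORDER BY 1"):
        h.update(repr(row).encode())
        h.update(b"\n")
    return h.hexdigest()


def preserve_copy(conn):
    """Make a working copy via SQLite's online backup and prove it matches."""
    copy = sqlite3.connect(":memory:")
    conn.backup(copy)
    return copy, table_digest(conn) == table_digest(copy)


if __name__ == "__main__":
    db = build_sample_db()
    for row_id, reason in check_timestamps(db, "2024-03-15 00:00:00"):
        print(f"row {row_id}: {reason}")
    copy, verified = preserve_copy(db)
    print("copy verified:", verified, table_digest(copy))
```

Analysis is then done on the copy, and the original's digest recorded at acquisition is what the examiner re-computes before presenting results; any later change to the copy (a test update is shown in the accompanying checks) produces a different digest and is therefore detectable.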


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity, and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions, and boundaries are set up so that even employees with database access privileges cannot freely use, alter, or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles, and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.
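The realms, rules and roles of 3.16.2 to 3.16.4, together with the DBA/security-administrator separation just described, as an added illustration of how the factors combine (constructed example code, not from the chapter or any vendor product; the 10.0.0.0/8 intranet range, the 08:00 to 18:00 business window, the role names and the table names are assumptions):

```python
"""Policy evaluator for the multi-factored model: realm, rule and role checks
must all pass before an operation is allowed. Constructed example; the network
range, hours, role names and table names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Realm:
    """Protection zone around a set of objects; only these roles may touch them."""
    name: str
    objects: frozenset
    authorized_roles: frozenset


@dataclass(frozen=True)
class Rule:
    """Environmental decision factors: where a session comes from and when."""
    name: str
    intranet: tuple     # networks from which changes may be made
    start: time         # business hours, start inclusive
    end: time           # business hours, end exclusive

    def permits(self, source_ip: str, when: datetime) -> bool:
        ip = ip_address(source_ip)
        on_intranet = any(ip in net for net in self.intranet)
        in_hours = self.start <= when.time() < self.end
        return on_intranet and in_hours


# Assumed deployment: HR data sits in its own realm, and the DBA role is
# deliberately absent from the realm's authorized roles.
REALMS = (
    Realm("hr", frozenset({"hr.employees", "hr.salaries"}),
          frozenset({"hr_clerk", "secadmin"})),
)
CHANGE_RULE = Rule("intranet_business_hours",
                   (ip_network("10.0.0.0/8"),), time(8, 0), time(18, 0))
CHANGING_ACTIONS = {"update", "delete", "ddl"}


def check(user: str, roles: set, action: str, obj: str,
          source_ip: str, when_iso: str):
    """Return (allowed, reason). A DBA system privilege alone never suffices."""
    when = datetime.fromisoformat(when_iso)
    roles = frozenset(roles)
    # Factor 1, realms: objects inside a realm are visible only to its roles.
    for realm in REALMS:
        if obj in realm.objects and not (roles & realm.authorized_roles):
            return False, f"realm '{realm.name}' denies {user}"
    # Factor 2, rules: changes only from the intranet during business hours.
    if action in CHANGING_ACTIONS and not CHANGE_RULE.permits(source_ip, when):
        return False, (f"rule '{CHANGE_RULE.name}' denies {action} "
                       f"from {source_ip} at {when:%H:%M}")
    # Factor 3, system policy: schema changes need the security administrator,
    # keeping schema management separate from the DBA's data management duties.
    if action == "ddl" and "secadmin" not in roles:
        return False, "schema change requires the secadmin role"
    return True, "allowed"


if __name__ == "__main__":
    cases = [
        ("dba1", {"dba"}, "select", "hr.employees", "10.1.2.3", "2024-05-13T10:30"),
        ("clerk", {"hr_clerk"}, "select", "hr.employees", "10.1.2.3", "2024-05-13T10:30"),
        ("dba1", {"dba"}, "update", "app.orders", "203.0.113.5", "2024-05-13T10:30"),
        ("dba1", {"dba"}, "update", "app.orders", "10.1.2.3", "2024-05-13T22:15"),
        ("dba1", {"dba"}, "ddl", "app.orders", "10.1.2.3", "2024-05-13T10:30"),
        ("sec1", {"secadmin"}, "ddl", "app.orders", "10.1.2.3", "2024-05-13T10:30"),
    ]
    for args in cases:
        print(args[0], args[2], args[3], "->", check(*args))
```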

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure. Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login ID and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel module level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
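The manual test of 3.17.2 and 3.17.3, run against an in-memory SQLite database beside the parameterized form that the mitigations above call for, as an added example (constructed code, not from the chapter or the article it cites; the `directory` rows are made up, and SQLite's "no such table" error stands in for SQL Server's "Invalid object name" message):

```python
"""Reproduces the chapter's innocuous SQL injection probe against SQLite and
shows the string-built query beside its parameterized replacement.
Constructed example; the sample rows are made up."""
import sqlite3

# The probe from the chapter, URL-decoded. It is harmless by design: table
# `fake` does not exist, so the only effect it can have is an error that
# proves the input was executed as SQL rather than treated as a name.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    """Constructed stand-in for the chapter's `directory` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"),
                      ("doe", "jane", "555-0199")])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The pattern the chapter warns about: request values pasted into SQL text."""
    sql = (f"SELECT phone FROM directory WHERE lastname = '{lastname}' "
           f"and firstname = '{firstname}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened form: bound parameters, so input is always a value, never SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe(lookup):
    """Classify a lookup the way 3.17.3 does. Returns (verdict, evidence)."""
    conn = make_db()
    try:
        rows = lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        # SQLite's counterpart of "Invalid object name 'fake'": the database
        # tried to resolve our fake table, so the input reached the SQL parser.
        return "vulnerable", f"database error: {exc}"
    if rows:
        # No error, but rows came back: the OR '1'='1' tail widened the query.
        return "vulnerable", f"{len(rows)} row(s) for a name that matches nobody"
    return "not vulnerable", "no user found; input treated as a literal string"


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(f"{fn.__name__}: {probe(fn)}")
```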

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to solely rely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person investigated. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply by passing the mobile phone in question to a colleague or accomplice with a disregard for the law, the phone in question would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' (prepaid) type phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer Crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people

Illegally using someone else's computer or "posing" as someone else on the Internet

Using spyware to gather information about people

Emails requesting money in return for "small deposits"

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers

Using someone else's computer to access personal information with the intent to use it fraudulently

Using the computer to solicit minors into sexual alliances

Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs

Hacking into computer systems to gather large amounts of information for illegal purposes

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as also the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.

However, crimes are sure to end, as it is truth that always triumphs. Types of Computer Crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target the users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives

Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered

Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source to investigate crimes committed through the internet.

Evaluation of unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
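The "authenticating data mathematically" step above, which is also what gives the exported native audit trail of 3.16.9 its evidence of non-modification, as an added example: a hash manifest taken at acquisition and re-verified later (constructed code, not the chapter's; the file names, contents and examiner label are made up):

```python
"""SHA-256 manifest for an evidence set: record every file's hash and size at
acquisition, then re-verify to show nothing was altered, removed or added.
Constructed example; file names and contents are made up."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash bit-stream images 1 MiB at a time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, examiner):
    """Record hash and size of every file under root, plus who did it and when."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {"examiner": examiner,
            "created_utc": datetime.now(timezone.utc).isoformat(),
            "files": files}


def verify_manifest(manifest, root):
    """Re-hash the set; report which files are intact, altered, missing or unexpected."""
    result = {"intact": [], "altered": [], "missing": [], "unexpected": []}
    for rel, rec in manifest["files"].items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != rec["sha256"]:
            result["altered"].append(rel)
        else:
            result["intact"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest["files"]:
                result["unexpected"].append(rel)
    return result


def demo():
    """Constructed scenario: two exported audit logs; later one is edited and one removed.
    The manifest is kept outside the evidence tree, on the system the DBAs cannot write to."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "evidence")
        os.mkdir(root)
        for name, body in [("audit_day1.log", "login dba1 10:02\nupdate hr.salaries 10:05\n"),
                           ("audit_day2.log", "login dba1 09:41\n")]:
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(root, "examiner A (constructed)"), f)
        with open(manifest_path) as f:
            manifest = json.load(f)
        before = verify_manifest(manifest, root)
        # Tampering after acquisition: one audit entry erased, the other log deleted.
        with open(os.path.join(root, "audit_day1.log"), "w") as f:
            f.write("login dba1 10:02\n")
        os.remove(os.path.join(root, "audit_day2.log"))
        after = verify_manifest(manifest, root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at acquisition:", before)
    print("after tampering:", after)
```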

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-viral software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.



However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will establish this newest forensic science as a universally accepted laboratory examination specialty. Special measures should be taken when conducting a forensic investigation if the results are to be used in a court of law. One of the most important measures is to ensure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. In order to maintain the integrity of digital evidence, British examiners follow the Association of Chief Police Officers (ACPO) guidelines, which consist of four principles:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

There are many reasons to employ the techniques of computer forensics:

- In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
- To recover data in the event of a hardware or software failure.
- To analyze a computer system after a break-in, for example to determine how the attacker gained access and what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To gain information about how computer systems work for the purpose of debugging, performance optimization or reverse-engineering.

There are five basic steps to computer forensics:

1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting


Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to use based on the case.

Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices and so on. Non-obvious sources include the settings of digital thermometers, black boxes inside automobiles, RFID tags and web pages (which must be preserved, as they are subject to change).

Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in the investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Other specific practices that have been adopted in the handling of digital evidence include:

- Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.
- Establishing and maintaining the chain of custody.
- Documenting everything that has been done.
- Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers and network servers.

In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Traditionally, computer forensic investigations were performed on data at rest, for example the content of hard drives. This can be thought of as a dead analysis. Investigators were told to shut down computer systems when they were impounded, for fear that digital time-bombs might cause data to be erased.


In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive: the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as dcfldd, IXimager or Guymager, the entire hard drive is duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. Note that sectors hidden by a Host Protected Area (HPA) or Device Configuration Overlay (DCO) are not user-accessible at the drive's reported size; the imaging tool or duplicator should detect them, and the examiner should decide, and document, whether they are imaged. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by computing a message digest of the source media and of the image with a program such as sha1sum or md5sum and comparing the two. The text's reliance on SHA-1 or MD5 reflects the tools of its time: both now have practical collision attacks (MD5 since 2004, SHA-1 since 2017), so a current procedure records SHA-256 as well and keeps MD5/SHA-1 only for comparison with older records. (A collision attack does not let someone alter a given image and keep its hash, which would be a second-preimage attack; the concern is that a hash can no longer be assumed to uniquely identify content chosen by an adversary.) At critical points throughout the analysis the media is hashed again to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are often skipped because of the time required to perform them; they are essential, however, for evidence that is to be presented in a court room.
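The hash-and-record practice from the Collection step and the verification just described, carried through as an added example written for this page (it is not a tool from the original text; the CustodyLog helper, examiner names and sample bytes are constructed for illustration): the image is hashed in chunks, the digests are recorded at acquisition, and every later handling step re-hashes the image so the custody log can be checked end to end.

```python
import datetime
import hashlib

# Digests recorded for each image. SHA-256 is the one to rely on; MD5 and SHA-1
# are kept only so the record can be compared with older md5sum/sha1sum output.
ALGORITHMS = ("sha256", "sha1", "md5")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for h in digests.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file (for example a dd/dcfldd image) in 1 MiB chunks, so a
    multi-gigabyte image never has to fit in memory."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def verify(record, current):
    """Compare freshly computed digests against the ones taken at acquisition.
    Returns (ok, [algorithms whose digest differs])."""
    changed = [name for name in record if current.get(name) != record[name]]
    return (not changed, changed)


class CustodyLog:
    """Append-only record of who did what to the image and when (hypothetical
    helper, constructed for this example). Every entry carries the digests
    computed at that step, so verify_chain() can show that no step altered
    the evidence since acquisition."""

    def __init__(self):
        self.entries = []

    def record(self, examiner, action, digests, when=None):
        when = when or datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.entries.append({"when": when, "examiner": examiner,
                             "action": action, "digests": dict(digests)})

    def verify_chain(self):
        """Return (True, None) if every entry matches the acquisition digests,
        otherwise (False, index of the first entry that differs)."""
        if not self.entries:
            return (False, None)
        baseline = self.entries[0]["digests"]
        for i, entry in enumerate(self.entries[1:], start=1):
            ok, _ = verify(baseline, entry["digests"])
            if not ok:
                return (False, i)
        return (True, None)


if __name__ == "__main__":
    # Constructed stand-in for an evidence image; a real run would call
    # hash_file() on the image produced by dd, dcfldd or Guymager.
    image = b"MBR" + b"\x00" * 509 + b"deleted invoice 4471" + b"\x00" * 492
    acquisition = hash_bytes(image)
    log = CustodyLog()
    log.record("examiner A", "acquired image through write blocker", acquisition)
    log.record("examiner B", "keyword search", hash_bytes(image))
    print("chain intact:", log.verify_chain())      # (True, None)
    tampered = image[:520] + b"X" + image[521:]     # a single changed byte
    log.record("examiner C", "exported report", hash_bytes(tampered))
    print("chain intact:", log.verify_chain())      # (False, 2)
    print("sha256 at acquisition:", acquisition["sha256"])
```

The record written at acquisition is what goes into the investigator's notebook; every later entry is a re-hash taken before and after a handling step, and a single mismatching entry pins down the step in which the evidence changed.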

3.5 Collecting Volatile Data_____________________________

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection) and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield the login/password combinations for recently accessed local email applications, including MS Outlook.


In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Windows Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down, while they are still unlocked. RAM can be analyzed for prior content after power loss, although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltage, operating temperature and duration of data storage increase. Holding unpowered RAM below -60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file-carving tool Scalpel and Brian Carrier's The Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows Registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.
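An added example, written for this page rather than taken from FTK, EnCase, Scalpel or The Sleuth Kit, of the keyword search and the slack/unallocated-space review called for in 3.21, together with the header/footer file carving mentioned above. The image, its sector size, the file contents and the signature table are constructed assumptions: sector 0 holds a live text file, sector 3 a deleted-file remnant standing in for slack or unallocated space, sector 5 a JPEG-like blob and sector 6 a UTF-16LE string of the kind Windows writes. The search runs over the raw image, not the filesystem, in both ASCII and UTF-16LE, and reports each hit's byte offset and sector.

```python
import re

SECTOR = 512  # assumed sector size, used only to report where a hit lies


def build_sample_image():
    """Constructed 8-sector image: a live file in sector 0, a deleted-file
    remnant in sector 3 (simulating slack/unallocated space), a JPEG-like blob
    in sector 5 and a UTF-16LE string in sector 6."""
    img = bytearray(8 * SECTOR)
    live = b"Quarterly report: wire transfer to account 4471 approved by J. Smith\n"
    img[0:len(live)] = live
    deleted = b"DELETE ME: transfer 50000 USD to offshore account, destroy evidence"
    start = 3 * SECTOR + 100
    img[start:start + len(deleted)] = deleted
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"  # SOI ... EOI markers
    img[5 * SECTOR:5 * SECTOR + len(jpeg)] = jpeg
    wide = "offshore".encode("utf-16-le")
    img[6 * SECTOR:6 * SECTOR + len(wide)] = wide
    return bytes(img)


def keyword_search(image, keywords, encodings=("ascii", "utf-16-le")):
    """Search the raw image (so slack and unallocated space are covered) for
    each keyword in each encoding, case-insensitively. Returns hits sorted by
    offset, each with byte offset, sector number and decoded context."""
    hits = []
    for kw in keywords:
        for enc in encodings:
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                off = m.start()
                ctx = image[max(0, off - 16):off + len(m.group()) + 16]
                hits.append({
                    "keyword": kw, "encoding": enc, "offset": off,
                    "sector": off // SECTOR,
                    "context": ctx.decode(enc, errors="replace"),
                })
    return sorted(hits, key=lambda h: h["offset"])


# (name, header, footer) signatures, as a carving tool's configuration lists them
SIGNATURES = [("jpeg", b"\xff\xd8\xff", b"\xff\xd9")]


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Header/footer carving over the raw image: returns (name, start, end)
    for every header whose footer is found within max_size bytes."""
    found = []
    for name, header, footer in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # header without a footer: keep scanning
                continue
            found.append((name, start, end + len(footer)))
            pos = end + len(footer)
    return found


if __name__ == "__main__":
    image = build_sample_image()
    for h in keyword_search(image, ["wire transfer", "offshore"]):
        print(f"{h['keyword']!r} ({h['encoding']}) at offset {h['offset']}, "
              f"sector {h['sector']}: {h['context']!r}")
    for name, start, end in carve(image):
        print(f"carved {name}: offset {start}-{end} ({end - start} bytes)")
```

Two of the three keyword hits sit outside any live file, which is exactly what a search through the filesystem would miss; the UTF-16LE pass matters on Windows images because the Registry, LNK files and many application artifacts store strings that way. Real carvers also handle files without a footer by size and by format structure, which this header/footer scan does not attempt.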

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first step in searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search which covers the location and description of the system. Thirdly, the digital evidence must be properly seized once it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system: the input/output units and auxiliary storage units of a computer system, attached by cables to the central processing unit.

3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. All of these compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible: they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals and software. In addition, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every hour of investigation work; by this (now very dated) estimate, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. The estimate assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

The field of computer forensics also has sub-branches within it, such as:


3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because in many cases it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection (the firewall's SYN-ACK), the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
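The two checks described in 3.7 (one source touching many ports on one host) and 3.8 (resets arriving from the address an attacker is impersonating), as an added example written for this page; it is not taken from NetIQ Security Manager or CS-MARS. The log format is a constructed one for this example, not any vendor's syslog format, the host name fw1 is invented, and the addresses are the ones used in the figures above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format for this example (not a real vendor format):
# <timestamp> <firewall> <ACCEPT|DENY> <in|out> <proto> <src>:<sport> > <dst>:<dport> [flags]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>ACCEPT|DENY)\s+(?P<direction>in|out)\s+"
    r"(?P<proto>TCP|UDP|ICMP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<flags>[A-Z-]+))?$"
)

# Constructed sample: a scan from 10.1.1.200, a normal client 10.1.1.50, and SYNs
# carrying the spoofed source 209.165.201.1, whose real owner answers our SYN-ACKs with RSTs.
SAMPLE_LOG = """\
2024-06-12T10:01:02 fw1 DENY in TCP 10.1.1.200:40001 > 10.1.1.2:21 SYN
2024-06-12T10:01:02 fw1 DENY in TCP 10.1.1.200:40002 > 10.1.1.2:22 SYN
2024-06-12T10:01:02 fw1 DENY in TCP 10.1.1.200:40003 > 10.1.1.2:23 SYN
2024-06-12T10:01:03 fw1 DENY in TCP 10.1.1.200:40004 > 10.1.1.2:25 SYN
2024-06-12T10:01:03 fw1 DENY in TCP 10.1.1.200:40005 > 10.1.1.2:110 SYN
2024-06-12T10:01:03 fw1 DENY in TCP 10.1.1.200:40006 > 10.1.1.2:143 SYN
2024-06-12T10:01:04 fw1 DENY in TCP 10.1.1.200:40007 > 10.1.1.2:443 SYN
2024-06-12T10:01:04 fw1 DENY in TCP 10.1.1.200:40008 > 10.1.1.2:3389 SYN
2024-06-12T10:02:10 fw1 ACCEPT in TCP 10.1.1.50:51000 > 10.1.1.2:80 SYN
2024-06-12T10:02:10 fw1 ACCEPT out TCP 10.1.1.2:80 > 10.1.1.50:51000 SYN-ACK
2024-06-12T10:02:10 fw1 ACCEPT in TCP 10.1.1.50:51000 > 10.1.1.2:80 ACK
2024-06-12T10:05:00 fw1 ACCEPT in TCP 209.165.201.1:6000 > 10.1.1.2:80 SYN
2024-06-12T10:05:00 fw1 ACCEPT out TCP 10.1.1.2:80 > 209.165.201.1:6000 SYN-ACK
2024-06-12T10:05:00 fw1 DENY in TCP 209.165.201.1:6000 > 10.1.1.2:80 RST
2024-06-12T10:05:01 fw1 ACCEPT in TCP 209.165.201.1:6001 > 10.1.1.2:80 SYN
2024-06-12T10:05:01 fw1 ACCEPT out TCP 10.1.1.2:80 > 209.165.201.1:6001 SYN-ACK
2024-06-12T10:05:01 fw1 DENY in TCP 209.165.201.1:6001 > 10.1.1.2:80 RST
this line is not a firewall record and is skipped
"""


@dataclass
class Event:
    ts: str
    action: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse(lines):
    """Parse log lines into Events. Lines that do not match are skipped here;
    a production parser should count and report them rather than drop them."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(d["ts"], d["action"], d["direction"], d["proto"],
                            d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
                            d["flags"] or ""))
    return events


def find_port_scans(events, min_ports=5):
    """Section 3.7: one source touching many distinct ports on one host.
    Returns {(src, dst): sorted ports} for pairs at or above min_ports."""
    ports = defaultdict(set)
    for e in events:
        if e.direction == "in" and e.proto in ("TCP", "UDP"):
            ports[(e.src, e.dst)].add(e.dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_spoof_indicators(events):
    """Section 3.8: a claimed source that answers our SYN-ACK with RST and never
    completes a handshake looks like an innocent third party resetting
    connections it did not open. Returns {claimed_src: number of such RSTs}."""
    synack_sent = set()                 # (peer ip, peer port) we answered with SYN-ACK
    rst_after_synack = defaultdict(int)
    completed = set()
    for e in events:
        if e.direction == "out" and e.flags == "SYN-ACK":
            synack_sent.add((e.dst, e.dport))
        elif e.direction == "in" and (e.src, e.sport) in synack_sent:
            if e.flags.startswith("RST"):
                rst_after_synack[e.src] += 1
            elif e.flags == "ACK":
                completed.add(e.src)
    return {ip: n for ip, n in rst_after_synack.items() if ip not in completed}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG.splitlines())
    for (src, dst), ports in find_port_scans(events).items():
        print(f"possible port scan: {src} -> {dst} on {len(ports)} ports {ports}")
    for ip, n in find_spoof_indicators(events).items():
        print(f"possible spoofed source: {ip} answered {n} SYN-ACKs with RST "
              "and never completed a handshake")
```

The RST pattern is an indicator, not proof: a half-open SYN scan run from a genuine address produces the same RST-after-SYN-ACK trace, so the finding still has to be confirmed with whoever operates the claimed address, as the text says. The regex matches only the constructed format; a Cisco ASA, iptables or NetIQ export needs its own line parser, and the two analysis functions can be reused unchanged on its events.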

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable asset: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced Firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer and how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

- New GUI interface: an MMC snap-in is now available to configure the advanced firewall.
- Bi-directional: filters outbound traffic as well as inbound traffic.
- Works better with IPsec: firewall rules and IPsec connection security configurations are now integrated into one interface.
- Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts and groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced Firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall you can better secure your servers from attack, secure your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the Control Panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from an MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest and easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is on and blocking inbound connections that do not match an inbound allow rule, while outbound connections that do not match a rule are allowed (the outbound filter exists, but its default action is allow, so in effect the outbound firewall is off until you add outbound block rules). Something else you will notice is that there are also different profiles for WFAS (see Figure 3.6 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile for WFAS. What these different profiles allow you to do is take the many inbound and outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.7.


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to users and computers, programs and services, and IP address scopes. With this type of sophisticated firewall rule configuration, Microsoft has pushed WFAS more toward the rule model of its ISA Server firewall product. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules.


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built in to Windows, the port would have been opened for you automatically. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

1. Identify the protocol you want to filter. In our case it is going to be TCP (as opposed to UDP or ICMP).
2. Identify the source IP address, source port number, destination IP address and destination port number. Our web traffic will be coming from any IP address and any port number, going to this server on port 80. (Note that you could also create a rule for a certain program, such as the Apache HTTP Server executable, rather than for a port.)
3. Open the Windows Firewall with Advanced Security MMC.
4. Add the rule: click the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.

Figure 3.10 Windows 2008 Server Advanced Firewall MMC, new rule button

5. Select that you want to create a rule for a port.
6. Configure the protocol and port number: take the default of TCP, enter the port number as 80 and click Next.
7. Take the default of "Allow the connection" and click Next.
8. Take the default of applying this rule to all profiles and click Next.
9. Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC, after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains. (This describes the Red Hat Linux 7.x-era tooling: ipchains was superseded by iptables with the 2.4 kernel, and current Red Hat-family systems manage the host firewall with firewalld on top of iptables or nftables.)


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12: Basic

After starting the program, choose the appropriate security level for your system:

High Security – This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio™, will not work without a proxy.

Low Security – This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall – This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13: Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14: DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server – Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail – Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

Secure Shell – Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet – Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus, and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
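The analysis package the benchmark above calls for, written out as an added example (not code from the chapter or from any vendor): it recovers each packet's serial number from the recorded frames and reports the drop percentage and the longest run of consecutive drops. The frame layout (serial stored big-endian in the first four payload bytes) and the capture data are my assumptions, constructed for the example.

```python
"""Added example: drop analysis for a capture of serialized test packets."""
import struct
from typing import Dict, Iterable, List

ETH_HEADER_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def serial_from_frame(frame: bytes) -> int:
    """Extract the generator's 32-bit serial number from one captured frame.
    Assumption: the generator stores it right after the Ethernet header."""
    if len(frame) < ETH_HEADER_LEN + 4:
        raise ValueError("frame too short to carry a serial number")
    return struct.unpack("!I", frame[ETH_HEADER_LEN:ETH_HEADER_LEN + 4])[0]


def make_test_frame(serial: int, size: int = 60) -> bytes:
    """Build a frame the way the hypothetical generator would: broadcast
    destination, fixed source MAC, experimental EtherType 0x88B5, the
    serial, then zero padding up to the requested size."""
    header = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x88\xb5"
    body = struct.pack("!I", serial)
    return header + body + bytes(max(0, size - len(header) - len(body)))


def drop_statistics(serials_seen: Iterable[int], total_sent: int) -> Dict[str, float]:
    """Given the serial numbers recovered from a dump and the number of packets
    the generator sent (serials 0 .. total_sent-1), report how many were lost
    and the longest gap of consecutive lost serials. Duplicate frames (a
    capture artefact) are counted once."""
    seen = set()
    for s in serials_seen:
        if not 0 <= s < total_sent:
            raise ValueError(f"serial {s} is outside the generator's range")
        seen.add(s)
    longest_run = current_run = 0
    for serial in range(total_sent):
        if serial in seen:
            current_run = 0
        else:
            current_run += 1
            longest_run = max(longest_run, current_run)
    dropped = total_sent - len(seen)
    return {
        "sent": total_sent,
        "captured": len(seen),
        "dropped": dropped,
        "drop_pct": 100.0 * dropped / total_sent if total_sent else 0.0,
        "longest_drop_run": longest_run,
    }


def analyze_dump(frames: List[bytes], total_sent: int) -> Dict[str, float]:
    """Run the whole pipeline over the frames recovered from a capture file."""
    return drop_statistics((serial_from_frame(f) for f in frames), total_sent)


def constructed_capture(total_sent: int, lost: Iterable[int]) -> List[bytes]:
    """Simulate what the capture host recorded: every generated frame except
    those in `lost`, which the capture platform failed to keep up with.
    Frame sizes vary as the benchmark description requires."""
    lost = set(lost)
    return [make_test_frame(s, size=60 + (s % 4) * 300)
            for s in range(total_sent) if s not in lost]


if __name__ == "__main__":
    # Constructed run: 1000 packets sent, a 5-packet burst lost plus 2 singles.
    dump = constructed_capture(1000, lost=[10, 11, 12, 13, 14, 500, 777])
    stats = analyze_dump(dump, total_sent=1000)
    print(f"{stats['drop_pct']:.2f}% dropped, "
          f"longest run of drops = {stats['longest_drop_run']}")
```

To compare operating systems or adapters as the text describes, run the same generator load against each configuration and compare the two reported figures.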


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill down a large data set into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, D.C.) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
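As an added example of what a log analyzer does with a WELF export (not Firewall Analyzer's own code), the following parses WELF lines into records and produces the two reports the section above cares about: bandwidth per source for capacity planning, and denied connections per source for risk review. WELF is a line of key=value pairs with space-containing values in double quotes; the field names used (time, fw, pri, src, dst, sent, rcvd, msg) follow my reading of the format and should be checked against your firewall's export, and the log lines are constructed samples.

```python
"""Added example: parse a WELF firewall log export and summarise it."""
import re
from collections import defaultdict
from typing import Dict, List

# key=value, where value is either a double-quoted string or a run of
# non-space characters (assumed WELF quoting convention)
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample export; addresses are documentation ranges.
CONSTRUCTED_LOG = """\
id=firewall time="2009-03-02 09:15:01" fw=10.0.0.1 pri=6 rule=12 proto=http src=10.1.1.20 dst=203.0.113.9 sent=1450 rcvd=88210 op=GET msg="allowed"
id=firewall time="2009-03-02 09:15:07" fw=10.0.0.1 pri=6 rule=12 proto=https src=10.1.1.31 dst=198.51.100.4 sent=900 rcvd=40360 msg="allowed"
id=firewall time="2009-03-02 09:16:12" fw=10.0.0.1 pri=4 rule=3 proto=tcp src=192.0.2.77 dst=10.1.1.5 dstport=3389 msg="denied by policy"
id=firewall time="2009-03-02 09:16:40" fw=10.0.0.1 pri=6 rule=12 proto=http src=10.1.1.20 dst=203.0.113.9 sent=300 rcvd=12000 msg="allowed"
id=firewall time="2009-03-02 09:17:02" fw=10.0.0.1 pri=4 rule=3 proto=tcp src=192.0.2.77 dst=10.1.1.5 dstport=22 msg="denied by policy"
this line is not WELF and must be skipped
"""


def parse_welf_line(line: str) -> Dict[str, str]:
    """Turn one WELF line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in _PAIR_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_welf(text: str) -> List[Dict[str, str]]:
    """Parse a whole export, keeping only records that carry the mandatory
    WELF fields (id, time, fw, pri) so stray lines do not skew the reports."""
    records = []
    for raw in text.splitlines():
        rec = parse_welf_line(raw)
        if all(k in rec for k in ("id", "time", "fw", "pri")):
            records.append(rec)
    return records


def bandwidth_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Bytes (sent + received) per source address, the figure the text says
    you need for bandwidth planning. Records without counters add zero."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        if "src" not in rec:
            continue
        totals[rec["src"]] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
    return dict(totals)


def denied_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count denied connections per source; one address probing several
    ports is what a reviewer wants surfaced first."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in records:
        if rec.get("msg", "").startswith("denied") and "src" in rec:
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_welf(CONSTRUCTED_LOG)
    for src, total in sorted(bandwidth_by_source(recs).items(), key=lambda kv: -kv[1]):
        print(f"{src:15} {total:>8} bytes")
    print("denied connections:", denied_by_source(recs))
```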

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and Radius servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import the profiles to get them back. This will come in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors: Forensic ToolKit, AccessData Corp., Email Examiner, EnCase, Guidance Software, Paraben Corp., ProDiscover, Sleuth Kit, Technology Pathways, dtSearch, dtSearch Corp.

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration.

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today – particularly as email and the Internet make sharing and distributing corporate information easier than ever – is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity, and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions, and boundaries are set up so that even employees with database access privileges cannot freely use, alter, or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles, and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time-of-day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
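The rule in the example above, written out as an added example (not code from the chapter or from any database product): an administrator's change is refused when it comes from outside the corporate intranet or outside business hours, and every failed decision factor is reported so the audit record shows the full picture. The intranet ranges, business hours, the certificate requirement for schema changes and the sample requests are my assumptions, constructed for the example.

```python
"""Added example: evaluate a DBA request against IP, time-of-day and
authentication-mode rules."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Sequence, Tuple

# Constructed policy: intranet ranges and business hours in local time.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("172.16.0.0/12")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # start inclusive, end exclusive
BUSINESS_DAYS = {0, 1, 2, 3, 4}              # Monday .. Friday


@dataclass(frozen=True)
class AdminRequest:
    user: str
    source_ip: str
    when: datetime
    operation: str   # e.g. "ALTER SYSTEM", "DROP TABLE", "SELECT"
    auth_mode: str   # "password" or "certificate" (assumed modes)


def make_request(user: str, source_ip: str, when_iso: str,
                 operation: str, auth_mode: str) -> AdminRequest:
    """Convenience constructor taking the timestamp as an ISO-8601 string."""
    return AdminRequest(user, source_ip, datetime.fromisoformat(when_iso),
                        operation, auth_mode)


def in_intranet(ip: str, networks: Sequence[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def in_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return when.weekday() in BUSINESS_DAYS and start <= when.time() < end


def evaluate(req: AdminRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). All failed rules are listed, not just the
    first, so the denial can be logged with its complete justification."""
    reasons = []
    if not in_intranet(req.source_ip, INTRANET):
        reasons.append(f"source {req.source_ip} is outside the corporate intranet")
    if not in_business_hours(req.when):
        reasons.append(f"{req.when:%Y-%m-%d %H:%M} is outside business hours")
    # Assumed extra factor: schema changes need the stronger authentication mode.
    if req.operation.startswith(("ALTER", "DROP")) and req.auth_mode != "certificate":
        reasons.append("schema change requires certificate authentication")
    return (not reasons, reasons)


if __name__ == "__main__":
    for req in (
        make_request("dba1", "10.1.2.3", "2009-03-02T10:00", "ALTER SYSTEM", "certificate"),
        make_request("dba1", "203.0.113.5", "2009-03-02T10:00", "ALTER SYSTEM", "certificate"),
        make_request("dba1", "10.1.2.3", "2009-03-02T22:30", "DROP TABLE", "password"),
    ):
        allowed, why = evaluate(req)
        print("ALLOW" if allowed else "DENY ", req.user, req.operation, why)
```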

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies, and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations, and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control, auditing, authentication, encryption, and integrity controls.

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects listed in the Table link. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
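The baseline approach described above, as an added example that is not part of the original chapter: a per-account profile of statement shapes and tables is learned from a constructed query log, and live statements that depart from it are flagged. The log lines, account names and table names are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a database query log: (account, statement).
# These lines are made up for the example and are not from any real system.
BASELINE_LOG = [
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'"),
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'smith' AND firstname = 'ann'"),
    ("app_user", "UPDATE directory SET phone = '555-0100' WHERE lastname = 'chapple'"),
    ("report_user", "SELECT COUNT(*) FROM directory"),
]

# Constructed live traffic to be checked against the learned baseline.
LIVE_LOG = [
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'jones' AND firstname = 'pat'"),
    ("app_user", "SELECT name, password_hash FROM users"),
    ("report_user", "SELECT COUNT(*) FROM directory"),
    ("report_user", "DROP TABLE directory"),
]

STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
NUMBER_LITERAL = re.compile(r"\b\d+\b")
TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def fingerprint(statement):
    """Reduce a statement to its shape: literals replaced by '?', whitespace
    collapsed, text upper-cased, so lookups for different people share one
    fingerprint while a structurally new query does not."""
    shape = STRING_LITERAL.sub("?", statement)
    shape = NUMBER_LITERAL.sub("?", shape)
    shape = " ".join(shape.split())
    return shape.upper()


def tables_in(statement):
    """Set of table names the statement touches (simple keyword scan)."""
    return {m.group(1).lower() for m in TABLE_REF.finditer(statement)}


def build_baseline(log):
    """Per-account learned profile: known statement shapes and known tables."""
    baseline = defaultdict(lambda: {"shapes": set(), "tables": set()})
    for account, statement in log:
        baseline[account]["shapes"].add(fingerprint(statement))
        baseline[account]["tables"] |= tables_in(statement)
    return baseline


def detect_anomalies(baseline, log):
    """Return (account, statement, reasons) for every live statement that
    departs from the account's baseline. Unknown accounts are always flagged."""
    findings = []
    for account, statement in log:
        reasons = []
        profile = baseline.get(account)
        if profile is None:
            reasons.append("unknown account")
        else:
            if fingerprint(statement) not in profile["shapes"]:
                reasons.append("new statement shape")
            new_tables = tables_in(statement) - profile["tables"]
            if new_tables:
                reasons.append("new tables: " + ", ".join(sorted(new_tables)))
        if reasons:
            findings.append((account, statement, reasons))
    return findings


if __name__ == "__main__":
    for account, statement, reasons in detect_anomalies(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(account, "|", statement, "|", "; ".join(reasons))
```

The routine lookup for a new person is not flagged because its shape matches the baseline; the read of a credentials table and the DROP are.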

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system.

In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this section we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
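The lookup from the manual test above, written both the vulnerable way and the hardened way, as an added example that is not code from the original chapter. It uses an in-memory SQLite table standing in for the "directory" table and the page's own test payload; the "no such table: fake" error is SQLite's equivalent of the "Invalid object name 'fake'" message that tells a tester the query was altered.

```python
import sqlite3

# Constructed sample rows standing in for the page's "directory" table.
SAMPLE_ROWS = [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0101")]

# The page's manual test payload, as it reaches the firstname parameter
# after the web server has URL-decoded it.
TEST_PAYLOAD = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The classic mistake: user input is pasted straight into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname +
           "' and firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, lastname, firstname):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so quotes in the input can never change the statement."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def validate_customer_number(value):
    """Allow-list check for a numeric parameter, as the page recommends:
    reject anything that is not purely digits before it reaches a query."""
    if not value.isdigit():
        raise ValueError("customer number must be numeric")
    return int(value)


def classify_response(lookup, conn, lastname, firstname):
    """Mimic the page's test: report what a tester would observe from the
    application for a given lookup implementation."""
    try:
        rows = lookup(conn, lastname, firstname)
    except sqlite3.OperationalError as exc:
        # A database error caused by the query text itself is the same
        # signal as the page's "Invalid object name 'fake'": vulnerable.
        return "database error: " + str(exc)
    if rows:
        return "found: " + ", ".join(rows)
    return "no user found"


if __name__ == "__main__":
    for name, lookup in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "normal:", classify_response(lookup, make_db(), "chapple", "mike"))
        print(name, "payload:", classify_response(lookup, make_db(), "chapple", TEST_PAYLOAD))
```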

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself, and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

319 DIGITAL FRAUDS_________________________________

Digital Fraud or Computer crime refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people

Illegally using someone else's computer or "posing" as someone else on the Internet

Using spyware to gather information about people

Emails requesting money in return for "small deposits"

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers

Using someone else's computer to access personal information with the intent to use such fraudulently

Using the computer to solicit minors into sexual alliances

Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs

Hacking into computer systems to gather large amounts of information for illegal purposes

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. Types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done through split lines without you even knowing it. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives

Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.

Preparation

The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to be used based on the case.

Collection

Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).

Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason, it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Other specific practices that have been adopted in the handling of digital evidence include:

Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device

Establishing and maintaining the chain of custody

Documenting everything that has been done

Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability

Examination

Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology. Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers and network servers.

In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Traditionally, computer forensic investigations were performed on data at rest, for example the content of hard drives. This can be thought of as a "dead analysis". Investigators were told to shut down computer systems when they were impounded, for fear that digital time-bombs might cause data to be erased.

In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd, IXimager or Guymager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms such as MD5. At critical points throughout the analysis, the media is verified again (known as hashing) to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them. They are essential for evidence that is to be presented in a court room, however.
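The verification step above, and the "authenticating data mathematically" step of the investigation procedure in section 3.21, as one added example that is not code from the original chapter: an image file is streamed through the page's SHA-1 and MD5 (plus SHA-256, which modern practice adds because MD5 and SHA-1 are no longer collision-resistant), the digests are written into a custody record, and a later re-hash reports exactly which digests no longer match. The evidence image is a constructed byte pattern written to a temporary file; the file name, examiner name and record layout are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an evidence image: 4 KiB of patterned bytes,
# not a real disk image. A real image is read from disk the same way.
SAMPLE_IMAGE = bytes(range(256)) * 16

# SHA-1 and MD5 as on the page; SHA-256 added as a collision-resistant digest.
DEFAULT_ALGORITHMS = ("sha1", "md5", "sha256")


def hash_image(path, algorithms=DEFAULT_ALGORITHMS, chunk_size=1024 * 1024):
    """Stream the image once through every named digest and return
    {algorithm: hexdigest}. Chunked reads keep memory flat for large images."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def custody_record(path, examiner):
    """The entry an examiner would copy into the case notebook: who hashed
    which file, when (UTC), and the resulting digests."""
    return {
        "file": os.path.basename(path),
        "examiner": examiner,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_image(path),
    }


def verify_image(path, record):
    """Re-hash the image with the recorded algorithms and compare.
    Returns (all_match, sorted list of algorithms that differ)."""
    current = hash_image(path, tuple(record["hashes"]))
    mismatched = sorted(name for name, value in record["hashes"].items()
                        if current[name] != value)
    return (not mismatched, mismatched)


def write_sample_image(directory):
    """Write the constructed sample bytes to a file and return its path."""
    path = os.path.join(directory, "evidence.dd")  # assumed file name
    with open(path, "wb") as fh:
        fh.write(SAMPLE_IMAGE)
    return path


def demo():
    """Hash and record the image, verify it, then overwrite a single byte
    and verify again. Returns the two verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample_image(tmp)
        record = custody_record(path, "examiner-1")  # assumed examiner id
        untouched = verify_image(path, record)
        with open(path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")  # one-byte change, as a tampering stand-in
        tampered = verify_image(path, record)
    return untouched, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```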

3.5 Collecting Volatile Data_____________________________

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and open or mounted encrypted files (containers) on the live computer system. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. Open source tools for PCs include Knoppix and Helix; commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application.

The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield login/password combinations for recently accessed local email applications, including MS Outlook.

In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below -60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first step in successfully searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a search warrant which covers the location and description of the system. Thirdly, the digital evidence shall be properly seized when it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term means the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.

3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible: they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

The field of computer forensics also has sub-branches within it, such as:

3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process, because in many cases it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report

On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open, and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that a web server is indeed running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.11 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.11, because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.

In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset, because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to pull off successfully.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is looking for TCP resets from the innocent victim in your firewall logs.
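The two log-review checks from Sections 3.7 and 3.8, as one added example that is not part of the chapter and not taken from NetIQ Security Manager, CS-MARS or any other product: a small parser for firewall log lines, a sliding-window detector for the port-scan pattern of Figure 3.1 (one source, one destination, many ports), and a check for the spoofing indicator just described (TCP resets coming from the address that supposedly attacked). The log line format and every address, port and timestamp below are constructed for the example; real firewalls log differently, so parse_line() is the part to adapt.

```python
"""Firewall-log triage: port-scan bursts and spoofed-source RST indicators.

Added example (not from the chapter). The line format is an assumption:
<date> <time> <ALLOW|DENY> <PROTO> <src>:<sport> -> <dst>:<dport> [<flags>]
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>[A-Z,]+))?$"
)


def parse_line(line):
    """Return one event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = set(ev["flags"].split(",")) if ev["flags"] else set()
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def find_port_scans(events, min_ports=10, window_seconds=60):
    """(src, dst, ports) for pairs that touched >= min_ports distinct ports in a window.

    Sliding window over time-sorted events: a burst like Figure 3.1 is reported,
    a handful of ports spread over hours is not.
    """
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["src"], ev["dst"])].append(ev)
    scans = []
    for (src, dst), evs in by_pair.items():
        best = 0
        for i, first in enumerate(evs):
            ports = set()
            for ev in evs[i:]:
                if (ev["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                ports.add((ev["proto"], ev["dport"]))
            best = max(best, len(ports))
        if best >= min_ports:
            scans.append((src, dst, best))
    return scans


def spoof_indicators(events):
    """Sources that sent SYNs and also sent bare RSTs, as {src: rst_count}.

    A host whose address was borrowed never opened the connection, so it answers
    the SYN-ACK it receives with a RST (Section 3.8). RSTs from the supposed
    attacker therefore suggest that someone else used its address.
    """
    syn_sources = {ev["src"] for ev in events
                   if ev["proto"] == "TCP" and ev["flags"] == {"SYN"}}
    rst_counts = defaultdict(int)
    for ev in events:
        if ev["proto"] == "TCP" and "RST" in ev["flags"] and ev["src"] in syn_sources:
            rst_counts[ev["src"]] += 1
    return dict(rst_counts)


def triage(log_text):
    events = parse_log(log_text)
    return find_port_scans(events), spoof_indicators(events)


# Constructed sample log: a 12-port scan, a benign connection, and a source that
# sends RSTs after apparently attacking (the spoofed "innocent victim").
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = "\n".join(
    [f"2008-03-12 10:00:{i + 1:02d} DENY TCP 10.1.1.200:{40000 + i} -> 10.1.1.2:{p} SYN"
     for i, p in enumerate(SCAN_PORTS)]
    + [
        "2008-03-12 10:03:00 ALLOW TCP 192.0.2.7:51515 -> 10.1.1.2:443 SYN",
        "2008-03-12 10:05:00 DENY TCP 209.165.201.11:44444 -> 10.1.1.2:80 SYN",
        "2008-03-12 10:05:01 DENY TCP 209.165.201.11:44444 -> 10.1.1.2:80 RST",
        "2008-03-12 10:05:03 DENY TCP 209.165.201.11:44444 -> 10.1.1.2:80 RST",
        "this line is not in the expected format and is skipped",
    ]
)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Both detectors only raise questions for the analyst: a scan report still needs the denied ports cross-checked against what the host actually runs (Section 3.9), and an RST indicator means the logged address should be treated as a possible bystander rather than as the attacker.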

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.

3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization as well as the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced Firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface – an MMC snap-in is now available to configure the advanced firewall.

Bi-directional – filters outbound traffic as well as inbound traffic.

Works better with IPsec – now the firewall rules and IPsec encryption configurations are integrated into one interface.

Advanced rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced Firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall, you can better secure your servers from attack, prevent your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from the MMC with only the WFAS snap-in. Here is what they both look like:

Figure 3.3 Windows 2008 Server Manager

Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type "firewall" in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).

Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:

Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:

Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules – WOW!

Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter – in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number – our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC. Add the rule – click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.

Figure 3.10 Windows 2008 Server Advanced Firewall MMC – new rule button

Select that you want to create a rule for a port. Configure protocol & port number – take the default of TCP and enter the port number as 80, then click Next. Take the default of "allow this connection" & click Next. Take the default of applying this rule to all profiles & click Next. Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC – after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security — This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio™, will not work without a proxy.

Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server — Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail — Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell — Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet — Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. "Catch it as you can" systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. "Stop, look and listen" systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
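The analysis step described above, written out as an added example in Python (not code from the page or from Sandstorm). It assumes, hypothetically, that the packet generator stamps a 4-byte big-endian serial number at the start of each frame's payload, and works out the dropped-packet percentage and the longest run of drops from the serials that reached the dump file; the sample frames are constructed.

```python
"""Dropped-packet analysis for a serialized-packet capture test.

Added example, not the page author's code. Assumed generator convention: a
4-byte big-endian serial number at the start of each Ethernet frame's payload
(offset 14, right after the 14-byte Ethernet header). Frames would normally
come from the tcpdump/windump file; here they are constructed in memory.
"""
import struct

ETH_HEADER_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
SERIAL_FMT = ">I"        # assumed convention: 4-byte big-endian serial


def extract_serial(frame: bytes) -> int:
    """Return the serial number stamped into a captured frame's payload."""
    if len(frame) < ETH_HEADER_LEN + struct.calcsize(SERIAL_FMT):
        raise ValueError("frame too short to carry a serial number")
    return struct.unpack_from(SERIAL_FMT, frame, ETH_HEADER_LEN)[0]


def analyze_capture(serials, first_serial: int, last_serial: int) -> dict:
    """Compute capture statistics from the serials seen in a dump file.

    serials      -- iterable of serial numbers extracted from captured frames;
                    order does not matter (frames may be reordered on the wire)
                    and duplicates are counted once
    first_serial -- serial of the first packet the generator transmitted
    last_serial  -- serial of the last packet the generator transmitted
    """
    if last_serial < first_serial:
        raise ValueError("last_serial must not be lower than first_serial")
    sent = last_serial - first_serial + 1
    seen = {s for s in serials if first_serial <= s <= last_serial}
    received = len(seen)
    dropped = sent - received

    # Longest run of consecutive missing serials: one pass over the expected range.
    longest_run = run = 0
    for serial in range(first_serial, last_serial + 1):
        if serial in seen:
            run = 0
        else:
            run += 1
            longest_run = max(longest_run, run)

    return {
        "sent": sent,
        "received": received,
        "dropped": dropped,
        "drop_percent": round(100.0 * dropped / sent, 2),
        "longest_drop_run": longest_run,
    }


def _build_frame(serial: int, payload_len: int = 60) -> bytes:
    """Constructed sample frame: dummy MACs, EtherType 0x0800, serial, padding."""
    header = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    body = struct.pack(SERIAL_FMT, serial)
    return header + body + b"\x00" * max(0, payload_len - len(body))


# Constructed sample capture: the generator sent serials 1..20; the capture
# box missed 4, 5 and 6 (one burst) and 13, and frame 9 was recorded twice.
SAMPLE_FRAMES = [_build_frame(s) for s in
                 (1, 2, 3, 7, 8, 9, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20)]


def sample_report() -> dict:
    """Statistics for the constructed sample capture."""
    return analyze_capture((extract_serial(f) for f in SAMPLE_FRAMES), 1, 20)


if __name__ == "__main__":
    print(sample_report())
```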


The results of this testing could be used to choose the hardware configuration for Sandstorm's NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful.

Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and you can import the profiles to get them back. This comes in handy in exigencies such as when you are moving the server to a different machine. You can also save the exported profiles file.
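To make the WELF export and the bandwidth-by-source analysis of this section concrete, here is an added example in Python; it is not Firewall Analyzer's code. It assumes the WELF key=value layout (mandatory id, time, fw and pri fields; values containing spaces in double quotes) and runs over constructed sample records, counting lines that are not WELF rather than silently dropping them.

```python
"""WELF firewall-log parsing and per-source bandwidth totals.

Added example, not Firewall Analyzer's own code. It assumes the WELF
key=value layout (mandatory id, time, fw and pri fields; values with spaces in
double quotes) and uses constructed sample records.
"""
import re
from collections import defaultdict

# One key=value pair: a double-quoted value (may contain spaces) or a bare token.
_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_REQUIRED = ("id", "time", "fw", "pri")   # mandatory WELF fields


def parse_welf_line(line: str) -> dict:
    """Return the fields of one WELF record as a dict of strings.

    Raises ValueError if any mandatory field is absent, so a truncated or
    non-WELF line is reported instead of silently producing a partial record.
    """
    fields = {}
    for key, raw in _PAIR_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    missing = [k for k in _REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing WELF field(s) {missing}: {line!r}")
    return fields


def _byte_count(value) -> int:
    """WELF sent/rcvd are byte counts; an absent or malformed count is zero."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def bandwidth_by_source(lines) -> dict:
    """Sum bytes sent and received per src address over WELF lines.

    Lines that fail to parse are counted under '_unparsed' rather than dropped,
    so a report built from a partly garbled export shows its own gaps.
    """
    totals = defaultdict(lambda: {"sent": 0, "rcvd": 0, "records": 0})
    unparsed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = parse_welf_line(line)
        except ValueError:
            unparsed += 1
            continue
        bucket = totals[rec.get("src", "unknown")]
        bucket["sent"] += _byte_count(rec.get("sent"))
        bucket["rcvd"] += _byte_count(rec.get("rcvd"))
        bucket["records"] += 1
    report = dict(totals)
    report["_unparsed"] = unparsed
    return report


# Constructed sample export: three WELF records plus one plain syslog line of
# the kind a firewall that does not speak WELF might emit.
SAMPLE_LOG = """
id=firewall time="2009-05-04 09:15:02" fw=192.0.2.1 pri=6 rule=1 proto=http src=10.0.0.5 dst=198.51.100.7 sent=512 rcvd=20480 msg="allow"
id=firewall time="2009-05-04 09:15:09" fw=192.0.2.1 pri=6 rule=1 proto=https src=10.0.0.5 dst=198.51.100.9 sent=1024 rcvd=4096 msg="allow"
id=firewall time="2009-05-04 09:16:30" fw=192.0.2.1 pri=4 rule=7 proto=smtp src=10.0.0.9 dst=203.0.113.2 sent=30000 rcvd=0 msg="deny outbound smtp"
May  4 09:17:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.50 DST=10.0.0.5
"""


def sample_report() -> dict:
    """Bandwidth totals for the constructed sample export."""
    return bandwidth_by_source(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, stats in sorted(sample_report().items()):
        print(src, stats)
```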


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit

2. AccessData Corp

3. Email Examiner

4. Encase

5. Guidance Software

6. Paraben Corp

7. ProDiscover

8. Sleuth Kit

9. Technology Pathways

10. chain of custody

11. dtSearch

12. dtSearch Corp

13. evidence

14. hash

15. incident investigation

16. intellectual property theft

17. legal team

18. network forensics

19. network penetration

20. Access and Physical Security

21. Cyberterrorism

22. Data Protection

23. Other Security Policies and Management

24. Security and Privacy Software

25. Software and Web Development

26. Threats and Attacks

27. information security

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control

Auditing

Authentication

Encryption

Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
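As an added example (not code from any monitoring product), the following Python combines the environment rules of 3.16.3 (source network, time of day) with the baseline-driven anomaly detection of 3.16.8: it learns the statement shapes each account normally issues and then flags later activity that trips a rule or falls outside that baseline. The event layout, intranet range, business-hours window, privileged user list and sample activity are all assumptions constructed for the illustration.

```python
"""Constructed database activity monitor: environment rules (source network,
time of day) plus a per-user baseline of normal statement shapes.

Added example, not a product's code. The event layout, the intranet range,
the business-hours window, the privileged user list and the sample activity
are all assumptions made for this illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
BUSINESS_HOURS = range(8, 18)                    # 08:00 to 17:59, assumed
PRIVILEGED = {"dba_alice"}                       # accounts the admin rule applies to
_LITERAL_RE = re.compile(r"'[^']*'|\b\d+(?:\.\d+)?\b")


def normalize_sql(sql: str) -> str:
    """Statement 'shape': literals replaced by ?, lower-cased, whitespace collapsed."""
    return " ".join(_LITERAL_RE.sub("?", sql).lower().split())


def rule_findings(event: dict) -> list:
    """Environment rules: privileged work only from the intranet, in hours."""
    findings = []
    if event["user"] in PRIVILEGED:
        if ipaddress.ip_address(event["ip"]) not in INTRANET:
            findings.append("privileged user outside intranet")
        if datetime.fromisoformat(event["time"]).hour not in BUSINESS_HOURS:
            findings.append("privileged user outside business hours")
    return findings


def build_baseline(events) -> dict:
    """Set of statement shapes each user issued during the learning period."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["user"]].add(normalize_sql(ev["sql"]))
    return dict(baseline)


def monitor(events, baseline: dict) -> list:
    """Return (user, findings) for each event that trips a rule or deviates
    from the user's baseline; quiet events produce nothing."""
    alerts = []
    for ev in events:
        findings = rule_findings(ev)
        shape = normalize_sql(ev["sql"])
        if shape not in baseline.get(ev["user"], set()):
            findings.append("statement shape not in baseline: " + shape)
        if findings:
            alerts.append((ev["user"], findings))
    return alerts


# Constructed learning-period activity (all of it normal).
LEARNING = [
    {"user": "app_user", "ip": "10.0.1.20", "time": "2009-05-04T10:02:00",
     "sql": "SELECT phone FROM directory WHERE lastname = 'chapple'"},
    {"user": "app_user", "ip": "10.0.1.20", "time": "2009-05-04T10:05:00",
     "sql": "SELECT phone FROM directory WHERE lastname = 'smith'"},
    {"user": "dba_alice", "ip": "10.1.2.3", "time": "2009-05-04T11:00:00",
     "sql": "ALTER TABLE directory ADD COLUMN note TEXT"},
]

# Constructed later activity: one normal lookup, one unseen query shape, and
# a schema change by the DBA account from an Internet address at night.
LIVE = [
    {"user": "app_user", "ip": "10.0.1.20", "time": "2009-05-05T09:30:00",
     "sql": "SELECT phone FROM directory WHERE lastname = 'jones'"},
    {"user": "app_user", "ip": "10.0.1.20", "time": "2009-05-05T09:31:00",
     "sql": "SELECT * FROM payroll"},
    {"user": "dba_alice", "ip": "203.0.113.8", "time": "2009-05-05T23:40:00",
     "sql": "ALTER TABLE directory ADD COLUMN note TEXT"},
]


def sample_alerts() -> list:
    """Alerts raised by the constructed live activity against the baseline."""
    return monitor(LIVE, build_baseline(LEARNING))


if __name__ == "__main__":
    for user, findings in sample_alerts():
        print(user, findings)
```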


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued to the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code
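The probe above, run against a throwaway SQLite database so the behaviour can be seen without a web server. This is an added example, not code from the original chapter or from the directory.asp page it describes; the directory table, its two rows and the URL parsing are constructed here, and SQLite's error text ("no such table: fake") stands in for the SQL Server message shown above.

```python
"""Added example (not from the original chapter): the manual SQL injection probe
from the text, reproduced against an in-memory SQLite database. The table, its
rows and the directory.asp-style URL are all constructed for illustration."""
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The probe as it reaches the application after URL decoding.
PROBE = "mike' AND (select count(*) from fake) >0 OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the page's 'directory' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("doe", "jane", "555-0199")])
    return conn


def lookup_vulnerable(conn, lastname: str, firstname: str) -> Tuple[List[tuple], Optional[str]]:
    """Deliberately unsafe, like the page's directory.asp: user input is spliced
    into the SQL text. Returns (rows, error_message)."""
    sql = (f"SELECT phone FROM directory WHERE lastname = '{lastname}' "
           f"AND firstname = '{firstname}'")
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def lookup_parameterized(conn, lastname: str, firstname: str) -> Tuple[List[tuple], Optional[str]]:
    """The fix: bind the values, so the probe is only an odd-looking first name."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return conn.execute(sql, (lastname, firstname)).fetchall(), None


def params_from_url(url: str) -> Tuple[str, str]:
    """Extract lastname/firstname from a directory.asp-style URL; parse_qs undoes
    the %3e, %3d and '+' encoding the text mentions."""
    qs = parse_qs(urlsplit(url).query)
    return qs["lastname"][0], qs["firstname"][0]


def looks_injectable(error: Optional[str]) -> bool:
    """The page's test: a database error naming the nonexistent 'fake' table means
    the quote escaped the string literal and the subquery was parsed as SQL."""
    return error is not None and "fake" in error


if __name__ == "__main__":
    conn = build_db()
    url = ("http://myfakewebsite.com/directory.asp?lastname=chapple"
           "&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1")
    last, first = params_from_url(url)
    assert first == PROBE
    rows, err = lookup_vulnerable(conn, last, first)
    print("vulnerable:", rows, "error:", err)
    print("injectable:", looks_injectable(err))
    print("parameterized:", lookup_parameterized(conn, last, first))
```

Running the file prints the database error for the spliced query and an empty result for the bound one. The same probe that breaks the concatenated statement is just an unusual first name once it is passed as a parameter, which is why the last mitigation above is the one that actually closes the hole; input checking and least privilege limit the damage but do not remove it.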

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of data found on the SIM/USIM, on the phone body itself and on any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone forensics (or cell phone forensics) is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking whether a partner has been cheating on them, by Human Resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time.

These are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important to the military, to investigative agencies (police forces, security agencies, private investigators), to human resources departments and to private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature says that you will tell at least someone. On a computer, those conversations could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes), your MSG files (individual Outlook messages) and your EML files (generic e-mail message files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's own internal memory, or memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone tools but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data is achieved for the client in a forensically sound manner.

A more recent development is cell-site analysis (cellular transmitter location), which is used to assist agencies in establishing the approximate whereabouts of a phone at the time of a call. This technique was first used in a very high-profile case in the United Kingdom: the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technique is relatively new, and although it has been accepted in a British court of law, that does not mean it is accepted throughout the world. There are of course limitations. Cell-site data places the handset, not the person: simply passing the phone to a colleague or accomplice means the phone would be in another place at the time of a call and therefore apparently not at the scene of the crime. There is also the problem of 'pay-as-you-go' (prepaid) phones, which have no registered link to their owner. This is something that is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing e-mails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you have to be careful of the many forms of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by criminals and, in milder forms, by some legitimate companies. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain sensitive data, including your name, address, telephone number and e-mail domain. This information is often found in places such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware has typically got onto systems by abusing a Microsoft technology known as ActiveX. ActiveX is a component technology (not a language) that lets a web page loaded in Internet Explorer run native code on the user's machine, which is what made many interactive pages of the time work. When ActiveX is abused by a cyber criminal, the same mechanism can be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. As the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud, and at maximum people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

- Sending hoax e-mails intended to scare people.
- Illegally using someone else's computer, or "posing" as someone else on the Internet.
- Using spyware to gather information about people.
- E-mails requesting money in return for "small deposits".
- Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money.
- E-mails attempting to gather personal information to be used to access credit cards or social security numbers.
- Using someone else's computer to access personal information with the intent to use it fraudulently.
- Using the computer to solicit minors into sexual relationships.
- Violating copyright laws by copying material such as DVDs and CDs with the intent to sell it.
- Hacking into computer systems to gather large amounts of information for illegal purposes.
- Hacking into or illegally using a computer to change information such as grades, work reports, etc.
- Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities that involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data and system interference. Computer crimes do not necessarily involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They include software theft, breaches of users' privacy, and the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking; it is the act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with intent to gain access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the spoofing of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through e-mails or by luring users into entering personal information on fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that can replicate themselves and harm the computers on a network without the knowledge of their users. Viruses spread to other computers through network file shares, the Internet, or removable media such as USB drives and CDs. Computer viruses are, after all, a form of malicious code written with the aim of harming a computer system and destroying information. Writing and releasing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking: The use of communication technology, mainly the Internet, to harass or torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites, gathering information about them and then harassing them on the basis of that information. Obscene e-mails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using another person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without your knowledge through split lines. Some thieves take this a step further: when you are done using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the web or play games without proper authorization. This kind of behavior is in many instances not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains the case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

- Documenting the hardware configuration of the affected system.
- Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
- Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
- Authenticating the data mathematically on all storage devices (computing and recording cryptographic hashes) in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
- Documenting the date and time associated with computer files when the computer was taken into evidence.
- Generating a list of keywords to facilitate the evaluation of data on the hard disk drive.
- Evaluating the Windows swap (page) file, a critical step because it can contain fragments of memory contents that never appeared in a saved file.
- Evaluating file slack, the unused space at the end of a file's last cluster, which retains fragments of earlier data and is a good source when investigating crimes committed via the Internet.
- Evaluating unallocated space, which provides information about deleted files on the computer.
- Evaluating encrypted, compressed and graphic files manually, since keyword searches do not see inside them.
- Finally, documenting the findings and issues identified during the computer search.

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the e-mail scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to commit to the following habits when you're on the net:

- Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers or information about the people in your household.
- Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
- Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.
- Don't download attachments from people you don't know.
- Teach your children about safe communication on the Internet to protect them from Internet predators.
- Don't keep passwords in plain text on your computer, and do not use common passwords such as the names of your kids, birthdays or other guessable words. Never give your password to someone else.


In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys needed to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.

3.4 Imaging Electronic Media (Evidence)__________________

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as dcfldd, IXimager or Guymager, the entire hard drive is duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive that can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering. During imaging, a write-protection device (write blocker) or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.

The imaging process is verified by computing a message digest of both the original and the image, with an algorithm such as SHA-1 (using a program such as sha1sum) or MD5, and confirming that the two match. Both MD5 and SHA-1 have published collision attacks, so SHA-256 is the better choice for new work; MD5 and SHA-1 are still widely recorded alongside it because older tools and existing case records use them. At critical points throughout the analysis the media is verified again (known as hashing) to ensure that the evidence is still in its original state. In corporate environments pursuing civil or internal action such steps are sometimes skipped because of the time required to perform them. They are essential, however, for evidence that is to be presented in a courtroom.
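The "authenticate the data mathematically" step in section 3.21 and the image verification just described are the same operation: hash the original and the copy, record the digests, and recompute them later. The following is an added example, not code from the chapter or from any of the imaging tools it names; the "drive" is a constructed byte string, and the digest set (MD5, SHA-1, SHA-256) mirrors what dcfldd-style tools record.

```python
"""Added example (not from the original chapter): verifying a bit-stream image
against its source, and re-verifying it later, with the digests an imaging tool
records. The 'drive' below is a constructed byte string, not real media."""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, Union

# Legacy MD5/SHA-1 are kept alongside SHA-256 for comparison with older tool output.
ALGORITHMS = ("md5", "sha1", "sha256")
Media = Union[bytes, BinaryIO]


def _as_stream(media: Media) -> BinaryIO:
    """Accept raw bytes (for the demo) or an open file object (for real images)."""
    return io.BytesIO(media) if isinstance(media, (bytes, bytearray)) else media


def hash_media(media: Media, algorithms: Iterable[str] = ALGORITHMS,
               chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Single pass over the media in fixed-size chunks, feeding every digest at
    once; memory use stays flat no matter how large the image is."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream = _as_stream(media)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(source: Media, image: Media) -> dict:
    """Hash original and image; 'verified' is True only if every digest matches.
    This is the record that later re-verification is compared against."""
    src, img = hash_media(source), hash_media(image)
    return {"source": src, "image": img,
            "verified": all(src[a] == img[a] for a in src)}


def reverify(image: Media, recorded: Dict[str, str]) -> bool:
    """Recompute the recorded digests and compare; any algorithm mismatching fails."""
    return hash_media(image, recorded.keys()) == recorded


def make_fake_drive(marker: bytes, sectors: int = 64, sector_size: int = 512) -> bytes:
    """Constructed 'drive': `sectors` sectors, each starting with `marker`, zero-padded."""
    return b"".join(marker.ljust(sector_size, b"\x00") for _ in range(sectors))


if __name__ == "__main__":
    drive = make_fake_drive(b"EVIDENCE-SECTOR")
    image = bytes(drive)                      # a faithful bit-stream copy
    record = acquisition_record(drive, image)
    print("acquisition verified:", record["verified"])
    for name, digest in record["image"].items():
        print(f"{name}: {digest}")
    tampered = bytearray(image)
    tampered[5000] ^= 0x01                    # one bit flipped, in sector 9
    print("re-verify untouched image:", reverify(image, record["image"]))
    print("re-verify tampered image:", reverify(bytes(tampered), record["image"]))
```

Recording several digests costs one extra pass of arithmetic, not extra disk reads, and lets the record be checked later by whichever tool the court or the opposing expert has; a single flipped bit anywhere in the image fails every algorithm.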

3.5 Collecting Volatile Data_____________________________

If the machine is still active, any intelligence that can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it may be lost. This results in the need to collect volatile data from the computer at the onset of the response.

Several open source tools are available to analyze open ports, mapped drives (including those reached through an active VPN connection) and open or mounted encrypted files (containers) on the live computer system. Using open source tools and commercially available products, it is possible to obtain an image of these mapped drives and of the open encrypted containers in unencrypted form. Open source tools for PCs include Knoppix and Helix; commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase.

The aforementioned open source tools can also scan RAM and registry information to show recently accessed web-based e-mail sites and the login/password combinations used. Additionally, these tools can yield the login/password for recently accessed local e-mail applications, including MS Outlook.

In the event that partitions encrypted with EFS are suspected to exist, the encryption keys needed to access the data can also be gathered during the collection process. With Microsoft's Vista and its use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below minus 60 °C will help preserve the residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's The Sleuth Kit. In many investigations numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first step in searching for and seizing digital evidence is to know and understand what should be searched for and seized. Secondly, cyber crime investigators and law enforcement officers must have a search warrant that covers the location and description of the system. Thirdly, the digital evidence must be properly seized once it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (central processing unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term covers the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.

3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. Both form part of the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible; they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify taking the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure may be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits so as to refer to the computer as a system dependent on set configurations, in order to preserve the best evidence in its original configuration. This can, and often does, include peripherals, components, manuals and software. In addition, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every hour of investigative work. On that basis, a 1-gigabyte hard drive can take up to 1,000 hours to fully examine. This estimate assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

The field of computer forensics also has sub-branches within it, such as the following:

3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process, because in many cases it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report

On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, you can see that the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open, and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that yes, indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

38 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect that does not necessarily mean that IP address was indeed responsible IP addresses can be spoofed relatively easily That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process which is a frequent misconception regarding IP address spoofing Although it is easy to spoof an IP address it is not easy to pull off an attack while spoofing addresses Think of it like this if the attacker needs to get some information as a part of the attack and he is spoofing his IP address the information is going to be sent to the spoofed IP addresswhich means that in general it is not going to the attacker Figure 32 illustrates how attackers may spoof their IP address

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset, because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is to look for TCP resets from the innocent victim in your firewall logs.
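The two log-review checks described above, the "one source, one destination, many ports" scan pattern of Figure 3.1 and the TCP-reset indicator of a spoofed source, as an added example that is not code from this chapter or from any of the tools it names. The log line format, the sample entries and the thresholds are constructed for the example and are not any vendor's format; the addresses reuse the chapter's 10.1.1.x and 209.165.201.1 values plus a documentation address.

```python
"""Two checks the chapter describes, run over firewall log lines: a single
source probing many ports on one host (a reconnaissance scan) and a source
that answers a connection logged in its name with a TCP reset (a sign the
source address was spoofed). Added example, not code from the chapter; the
log format is constructed for this example and is not any vendor's."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: "<ISO time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def find_port_scans(events, min_ports=10, window_s=60):
    """Map (src, dst) -> distinct destination ports touched inside any
    window_s-second window, for pairs reaching min_ports. Allowed and denied
    packets both count: a sweep of permitted ports is still a sweep."""
    probes = defaultdict(list)
    for e in events:
        if e["proto"] in ("TCP", "UDP"):
            probes[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    hits = {}
    for pair, plist in probes.items():
        plist.sort()
        best = 0
        for i, (t0, _) in enumerate(plist):
            ports = set()
            for t, port in plist[i:]:
                if (t - t0).total_seconds() > window_s:
                    break
                ports.add(port)
            best = max(best, len(ports))
        if best >= min_ports:
            hits[pair] = best
    return hits


def find_spoof_indicators(events, window_s=5):
    """List (claimed_src, dst, dport) where an inbound SYN logged from
    claimed_src is followed within window_s by an inbound RST from the same
    address for the same target: the reaction of an innocent host that
    never opened the connection forged in its name."""
    syns = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == "SYN":
            syns[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = set()
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == "RST":
            key = (e["src"], e["dst"], e["dport"])
            if any(0 <= (e["ts"] - t).total_seconds() <= window_s for t in syns.get(key, [])):
                found.add(key)
    return sorted(found)


def analyse(lines):
    """Run both checks over raw log lines; unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    return find_port_scans(events), find_spoof_indicators(events)


# Constructed sample log: one host sweeping 12 ports on 10.1.1.2, a normal
# client completing a handshake, and a "client" that resets its own SYN.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} DENY TCP 10.1.1.200:{41000 + i} -> 10.1.1.2:{p} SYN"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
] + [
    "2024-05-01T10:01:00 ALLOW TCP 198.51.100.7:51000 -> 10.1.1.2:80 SYN",
    "2024-05-01T10:01:01 ALLOW TCP 198.51.100.7:51000 -> 10.1.1.2:80 ACK",
    "2024-05-01T10:02:00 ALLOW TCP 209.165.201.1:40001 -> 10.1.1.2:80 SYN",
    "2024-05-01T10:02:01 ALLOW TCP 209.165.201.1:40001 -> 10.1.1.2:80 RST",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    scans, spoofs = analyse(SAMPLE_LOG)
    for (src, dst), n in scans.items():
        print(f"possible port scan: {src} touched {n} ports on {dst}")
    for src, dst, port in spoofs:
        print(f"possible spoofed source: {src} reset a connection logged in its name to {dst}:{port}")
```

The reset check is only an indicator, as the chapter says: a real client can also abort its own connection, so a hit should start the more detailed investigation rather than end it, and the sliding window in the scan check is what keeps a slow sweep spread over days from being mistaken for normal traffic.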

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet filtering firewalls (but not necessarily application proxy or application-aware inspection), because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.
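The "additional verification" step, as an added example that is not code from this chapter: the IANA default for a logged port is compared with what the first bytes of the connection actually look like, so that peer-to-peer traffic tunnelled over TCP port 80 shows up as a mismatch rather than as web traffic. The port table is a constructed subset of the IANA registry (with the local services database as a fallback), the protocol signatures are simplified, and the sample payloads are constructed; all of these are assumptions of the example.

```python
"""Compare the service IANA assigns to a logged port with a fingerprint of
the first bytes seen on the connection. Added example, not the chapter's
code; the port table is a constructed subset of the IANA registry and the
signatures are simplified (assumptions)."""
import socket

# Constructed subset of IANA well-known assignments: (port, proto) -> service
IANA_DEFAULTS = {
    (21, "tcp"): "ftp", (22, "tcp"): "ssh", (25, "tcp"): "smtp",
    (53, "udp"): "domain", (80, "tcp"): "http", (443, "tcp"): "https",
}


def expected_service(port, proto="tcp"):
    """Name the service registered for a port; fall back to the local
    services database (/etc/services) when the port is not in our table."""
    if (port, proto) in IANA_DEFAULTS:
        return IANA_DEFAULTS[(port, proto)]
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


def fingerprint(payload):
    """Classify the first bytes of a stream (simplified signatures)."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x16\x03"):                 # TLS record, handshake
        return "https"
    if payload.startswith(b"\x13BitTorrent protocol"):  # BitTorrent handshake
        return "bittorrent"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    if payload[:3].isdigit() and payload[3:4] in (b" ", b"-"):  # "220 ..." banner
        return "ftp-or-smtp"
    return "unknown"


def classify(port, payload, proto="tcp"):
    """Return (expected_service, observed_protocol, verdict) for one
    logged connection; 'mismatch' is the case the chapter warns about."""
    expected = expected_service(port, proto)
    observed = fingerprint(payload)
    if observed == "unknown":
        verdict = "unverified"
    elif expected is None:
        verdict = "unregistered-port"
    elif observed == expected or (observed == "ftp-or-smtp" and expected in ("ftp", "smtp")):
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return expected, observed, verdict


# Constructed (port, first bytes) pairs, as a capture tool might record them
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    (80, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x10\x00\x05"),
    (443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (80, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        expected, observed, verdict = classify(port, payload)
        print(f"port {port}: expected {expected}, observed {observed} -> {verdict}")
```

A "mismatch" verdict on a permitted port is exactly the situation the paragraph above describes, and an "unverified" one is a reminder that the IANA list was only the starting point.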


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT Pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface - an MMC snap-in is now available to configure the advanced firewall

Bi-directional - filters outbound traffic as well as inbound traffic


Works better with IPsec - now the firewall rules and IPsec encryption configurations are integrated into one interface

Advanced Rules configuration - you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server

With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall you can better secure your servers from attack, prevent your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC Snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.6 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.7.


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules - WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter - in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number - our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC. Add the Rule - click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC - new rule button

Select that you want to create a rule for a port. Configure protocol & port number - take the default of TCP and enter the port number as 80, and click Next. Take the default of "allow this connection" & click Next. Take the default of applying this rule to all profiles & click Next. Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC - after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level, as well as to allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security - This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio(TM), will not work without a proxy.

Low Security - This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall - This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server - Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail - Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

Secure Shell - Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet - Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

"Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

"Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data. How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384kbps DSL link, a 66MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations. The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
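The analysis package the test above calls for, as an added example that is not the chapter's or Sandstorm's code: the generator numbers each packet serially, and from the serial numbers that reached the dump file the script computes the percentage of dropped packets and the longest run of consecutive drops. The frame layout (a 32-bit serial number in the first four bytes) and the sample capture with a drop burst are constructed assumptions of the example; a real generator and a real pcap reader would replace make_frames and extract_serials.

```python
"""Score a capture run the way the test above describes: the generator
transmits serially numbered packets, and from the serial numbers that made
it into the dump we compute the percentage of dropped packets and the
longest run of consecutive drops. Added example, not the chapter's or
Sandstorm's analysis package; the frame layout is constructed for it."""
import struct


def make_frames(serials, size=64):
    """Build constructed frames: a 32-bit big-endian serial number in the
    first four bytes, zero-padded to `size` bytes (assumed layout)."""
    return [struct.pack(">I", s).ljust(size, b"\x00") for s in serials]


def extract_serials(frames):
    """Recover the serial numbers from captured frames (same assumed layout);
    truncated frames shorter than the serial field are skipped."""
    return [struct.unpack(">I", f[:4])[0] for f in frames if len(f) >= 4]


def capture_stats(received_serials, total_sent):
    """Return (dropped, percent_dropped, longest_drop_run) for serial numbers
    0 .. total_sent-1. Duplicates in the capture are counted once."""
    seen = set(received_serials)
    dropped = total_sent - len(seen)
    longest = run = 0
    for n in range(total_sent):
        if n in seen:
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    percent = round(100.0 * dropped / total_sent, 2) if total_sent else 0.0
    return dropped, percent, longest


def analyse_dump(frames, total_sent):
    """Full pipeline for one recorded dump: frames -> serials -> statistics."""
    return capture_stats(extract_serials(frames), total_sent)


# Constructed capture: 1000 packets sent; the capture host fell behind during
# a burst (serials 400-419 lost) and also missed three isolated packets.
SENT = 1000
RECEIVED = [s for s in range(SENT) if not (400 <= s < 420) and s not in (7, 512, 999)]

if __name__ == "__main__":
    dropped, percent, longest = analyse_dump(make_frames(RECEIVED), SENT)
    print(f"dropped {dropped} of {SENT} ({percent}%), longest run of drops: {longest}")
```

The longest-run figure is the one to watch when comparing platforms: a drop rate of a few percent spread evenly is usually tolerable for forensics, but a long contiguous gap means a whole conversation could be missing from the record.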


The results of this testing were used to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year, Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings. In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they cannot eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or the intercept is court-authorized.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record the information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and they allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
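To show what the traffic and bandwidth analysis described above actually does with WELF records, here is an added Python example; it is not part of the chapter and not Firewall Analyzer's code. The log lines are constructed, and treating a msg that begins with deny/drop/block as a denied connection is an assumption, since WELF defines no fixed action field.

```python
import re
from collections import defaultdict

# Constructed WELF-style lines for illustration; they are not from any real
# firewall. WELF records are space-separated key=value pairs; values that
# contain spaces are double-quoted.
SAMPLE_WELF = """\
id=firewall time="2024-03-12 09:15:01" fw=10.0.0.1 pri=6 rule=10 proto=http src=10.0.1.25 dst=203.0.113.8 sent=1200 rcvd=54000 msg="allow outbound"
id=firewall time="2024-03-12 09:15:03" fw=10.0.0.1 pri=6 rule=10 proto=https src=10.0.1.25 dst=203.0.113.9 sent=800 rcvd=12000 msg="allow outbound"
id=firewall time="2024-03-12 09:15:04" fw=10.0.0.1 pri=4 rule=99 proto=22/tcp src=198.51.100.7 dst=10.0.1.5 sent=0 rcvd=0 msg="deny inbound"
id=firewall time="2024-03-12 09:15:04" fw=10.0.0.1 pri=4 rule=99 proto=23/tcp src=198.51.100.7 dst=10.0.1.5 sent=0 rcvd=0 msg="deny inbound"
id=firewall time="2024-03-12 09:15:05" fw=10.0.0.1 pri=4 rule=99 proto=3389/tcp src=198.51.100.7 dst=10.0.1.6 sent=0 rcvd=0 msg="deny inbound"
id=firewall time="2024-03-12 09:15:09" fw=10.0.0.2 pri=6 rule=12 proto=smtp src=10.0.2.8 dst=203.0.113.25 sent=25000 rcvd=3000 msg="allow outbound"
this line is not WELF and must be counted as skipped rather than crash the parser
"""

# key=value where the value is either "quoted text" or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REQUIRED = {"id", "time", "fw", "src", "dst"}


def parse_welf_line(line):
    """Return a dict of WELF fields, or None if the line is not a usable record."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields if REQUIRED.issubset(fields) else None


def is_denied(record):
    # Assumption: this firewall writes its verdict at the start of msg.
    return record.get("msg", "").lower().startswith(("deny", "drop", "block"))


def summarize(log_text, deny_threshold=3):
    """Bytes per source and per firewall, plus sources with repeated denies."""
    bytes_by_src = defaultdict(int)
    bytes_by_fw = defaultdict(int)
    denies_by_src = defaultdict(int)
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_welf_line(raw)
        if rec is None:
            skipped += 1
            continue
        volume = int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
        bytes_by_src[rec["src"]] += volume
        bytes_by_fw[rec["fw"]] += volume
        if is_denied(rec):
            denies_by_src[rec["src"]] += 1
    suspicious = sorted(src for src, n in denies_by_src.items() if n >= deny_threshold)
    return {
        "bytes_by_src": dict(bytes_by_src),
        "bytes_by_fw": dict(bytes_by_fw),
        "denies_by_src": dict(denies_by_src),
        "suspicious_sources": suspicious,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_WELF)
    for fw, total in report["bytes_by_fw"].items():
        print("firewall %s carried %d bytes" % (fw, total))
    print("sources with repeated denies:", report["suspicious_sources"])
    print("unparseable lines skipped:", report["skipped"])
```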

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from within Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and later import them to get the profiles back. This comes in handy in exigencies such as moving the server to a different machine. You can also keep a copy of the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors named there: Forensic ToolKit, AccessData Corp, Email Examiner, Encase, Guidance Software, Paraben Corp, ProDiscover, Sleuth Kit, Technology Pathways, dtSearch, dtSearch Corp.

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, other security policies and management, security and privacy software, software and web development, threats and attacks, information security.

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees, or those with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.
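An added example, not from the chapter, of the checks discussed in 3.16 and 3.16.9 put into code: inspecting row update timestamps against a native audit trail, exporting that trail as the separate security system would, and keeping a hash chain over the export so that later edits to the trail show up. SQLite, the schema, the session table standing in for the database's current user, and the sample rows are all assumptions for illustration.

```python
import hashlib
import sqlite3

# Hypothetical schema (not from the chapter): a contact directory whose rows
# carry an update timestamp, plus a native audit table that a trigger fills
# on every phone change. The session table plays the role of "current user".
SCHEMA = """
CREATE TABLE session(db_user TEXT);
CREATE TABLE directory(
    id INTEGER PRIMARY KEY, lastname TEXT, firstname TEXT,
    phone TEXT, updated_at TEXT);
CREATE TABLE audit(
    seq INTEGER PRIMARY KEY AUTOINCREMENT, row_id INTEGER,
    old_phone TEXT, new_phone TEXT, changed_at TEXT, db_user TEXT);
CREATE TRIGGER audit_phone AFTER UPDATE OF phone ON directory
BEGIN
    INSERT INTO audit(row_id, old_phone, new_phone, changed_at, db_user)
    VALUES (NEW.id, OLD.phone, NEW.phone, NEW.updated_at,
            (SELECT db_user FROM session));
END;
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO session VALUES ('app')")
    conn.executemany(
        "INSERT INTO directory VALUES (?, ?, ?, ?, ?)",
        [(1, "chapple", "mike", "555-0100", "2024-03-01 09:00:00"),
         (2, "doe", "jane", "555-0101", "2024-03-01 09:00:00")])
    return conn


def update_phone(conn, db_user, row_id, new_phone, when):
    """An ordinary application or DBA change; the trigger records it."""
    conn.execute("UPDATE session SET db_user = ?", (db_user,))
    conn.execute("UPDATE directory SET phone = ?, updated_at = ? WHERE id = ?",
                 (new_phone, when, row_id))


def export_audit(conn):
    """Pull the native audit trail, as the security system would on schedule."""
    rows = conn.execute("SELECT seq, row_id, old_phone, new_phone, changed_at, db_user "
                        "FROM audit ORDER BY seq")
    return [tuple(r) for r in rows]


def chain_digest(records):
    """Hash chain over an export; stored off the database host for comparison."""
    digest = b"\x00" * 32
    for rec in records:
        digest = hashlib.sha256(digest + repr(rec).encode()).digest()
    return digest.hex()


def find_timestamp_anomalies(conn):
    """Row ids whose updated_at disagrees with the last audited change.

    Catches a row whose timestamp was rewritten without touching phone
    (the trigger does not fire for that). Rows never audited are not checked.
    """
    anomalies = []
    for row_id, updated_at in conn.execute("SELECT id, updated_at FROM directory"):
        last = conn.execute("SELECT changed_at FROM audit WHERE row_id = ? "
                            "ORDER BY seq DESC LIMIT 1", (row_id,)).fetchone()
        if last is not None and last[0] != updated_at:
            anomalies.append(row_id)
    return anomalies


def audit_out_of_order(records):
    """Sequence numbers whose changed_at runs backwards, a sign of inserted rows."""
    return [rec[0] for prev, rec in zip(records, records[1:]) if rec[4] < prev[4]]


def run_demo():
    conn = build_db()
    update_phone(conn, "app", 1, "555-0199", "2024-03-05 10:00:00")
    update_phone(conn, "dba_joe", 2, "555-0155", "2024-03-06 11:30:00")
    baseline_digest = chain_digest(export_audit(conn))   # kept off-host
    before = find_timestamp_anomalies(conn)
    # Simulated tampering by someone with direct table access: backdate row 2
    # and rewrite its audit entry so the change appears to come from the app.
    conn.execute("UPDATE directory SET updated_at = '2024-03-01 09:00:00' WHERE id = 2")
    conn.execute("UPDATE audit SET db_user = 'app' WHERE seq = 2")
    later = export_audit(conn)
    return {
        "anomalies_before": before,
        "anomalies_after": find_timestamp_anomalies(conn),
        "chain_intact_after": chain_digest(later) == baseline_digest,
        "out_of_order": audit_out_of_order(later),
    }


if __name__ == "__main__":
    print(run_demo())
```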

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued to the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step. The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
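The directory lookup from this section, reproduced as an added Python example (not the chapter's ASP page) with SQLite standing in for SQL Server: the string-built query beside a parameterized one, plus the parameter check from the list above, each run against the chapter's probe so the three outcomes described in 3.17.3 can be seen side by side. The table contents are constructed; the SQLite error text differs from the SQL Server one quoted above.

```python
import re
import sqlite3


def build_db():
    """Constructed directory table mirroring the chapter's lookup page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory(lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("doe", "jane", "555-0101")])
    return conn


# The chapter's probe for the firstname parameter, already URL-decoded.
PROBE_FAKE_TABLE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"
# The same idea without the nonexistent table: it matches every row instead.
PROBE_ALL_ROWS = "mike' OR '1'='1"


def lookup_vulnerable(conn, lastname, firstname):
    """String-built query: whatever the user typed becomes SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Bound parameters: the driver passes the values as data, never as SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


# Parameter checking as the chapter recommends: a name is letters, with
# single hyphens or apostrophes allowed between letter runs.
NAME_RE = re.compile(r"^[A-Za-z]+(?:[-'][A-Za-z]+)*$")


def lookup_checked(conn, lastname, firstname):
    """Validate first, then still use bound parameters (defense in depth)."""
    if not (NAME_RE.match(lastname) and NAME_RE.match(firstname)
            and len(lastname) <= 50 and len(firstname) <= 50):
        raise ValueError("name contains characters outside the allowed set")
    return lookup_parameterized(conn, lastname, firstname)


def probe_result(lookup, conn, probe):
    """Classify what a probe produces, the way section 3.17.3 reads the page."""
    try:
        rows = lookup(conn, "chapple", probe)
    except sqlite3.OperationalError as exc:
        return "db-error: %s" % exc      # the SQL reached the engine: vulnerable
    except ValueError:
        return "rejected"                # input validation stopped it
    return "rows:%d" % len(rows)         # 0 rows is the harmless "weird lookup"


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized),
                     ("checked", lookup_checked)):
        db = build_db()
        print("%-13s | %s | %s" % (name,
                                   probe_result(fn, db, PROBE_FAKE_TABLE),
                                   probe_result(fn, db, PROBE_ALL_ROWS)))
```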

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are also used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it was proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies alike. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people
Illegally using someone else's computer or "posing" as someone else on the Internet
Using spyware to gather information about people
Emails requesting money in return for "small deposits"
Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
Using someone else's computer to access personal information with the intent to use such fraudulently
Using the computer to solicit minors into sexual alliances
Violating copyright laws by copying information with the intent to sell information like DVDs, CDs
Hacking into computer systems to gather large amounts of information for illegal purposes
Hacking into or illegally using a computer to change information such as grades, work reports, etc.
Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities that involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather involve the manipulation of confidential data and critical information. Computer crimes include software theft, in which the privacy of the users is compromised. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising oneself as a trustworthy source. Phishing is carried out through emails or by luring users into entering personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without your even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
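Two of the steps above, authenticating every storage device mathematically and documenting the date and time associated with files at seizure, as an added Python example that is not part of the original chapter: it writes a hash-and-timestamp manifest for the seized items and later re-verifies it. The file names, the examiner placeholder and the tiny stand-in images are constructed for the example.

```python
"""Added example: evidence manifest with per-item SHA-256 and MAC times.
Not the chapter's own code; file names and images are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash images in 1 MiB pieces; real disk images do not fit in RAM


def sha256_file(path):
    """Chunked SHA-256 of a file, so a multi-gigabyte image can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _utc(ts):
    """Render a filesystem timestamp as an unambiguous UTC ISO-8601 string."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def record_item(path):
    """Manifest entry for one seized item: size, hash and the file's
    modified/accessed/metadata-changed times as found at seizure."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "sha256": sha256_file(path),
        "modified": _utc(st.st_mtime),
        "accessed": _utc(st.st_atime),
        "metadata_changed": _utc(st.st_ctime),
    }


def build_manifest(paths, examiner):
    """Record every item once, at the time of seizure, under the examiner's name."""
    return {
        "examiner": examiner,
        "recorded": datetime.now(timezone.utc).isoformat(),
        "items": [record_item(p) for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item and return {path: 'ok' | 'ALTERED' | 'MISSING'}.
    A changed hash proves the item was altered after the manifest was made."""
    status = {}
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            status[p] = "MISSING"
        elif sha256_file(p) != item["sha256"]:
            status[p] = "ALTERED"
        else:
            status[p] = "ok"
    return status


def demo():
    """Constructed scenario: two small stand-in 'images' in a temp directory;
    one is appended to after the manifest is written. Returns the verify
    results keyed by the item's base name."""
    work = tempfile.mkdtemp()
    disk = os.path.join(work, "disk0.dd")
    usb = os.path.join(work, "usb1.dd")
    with open(disk, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed disk image")
    with open(usb, "wb") as f:
        f.write(b"constructed usb image")
    manifest = build_manifest([disk, usb], examiner="examiner-placeholder")
    with open(os.path.join(work, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)  # the record that goes into the case file
    with open(usb, "ab") as f:  # simulate an alteration after seizure
        f.write(b"!")
    return {os.path.basename(p): s for p, s in verify_manifest(manifest).items()}


if __name__ == "__main__":
    print(demo())  # {'disk0.dd': 'ok', 'usb1.dd': 'ALTERED'}
```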

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.



In the event that partitions with EFS are suspected to exist, the encryption keys needed to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

3.6 Analysis__________________________________________

All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.

3.7 Reporting_________________________________________

Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Searching and Seizing the Digital Evidence

1. The first step in successfully searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search that covers the location and description of the system. Thirdly, the digital evidence shall be properly seized once it is located.

2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g. the keyboard or the mouse) and output (e.g. a monitor or printer) of information. These devices are known as peripherals, and they are an integral part of any computer system. The term means the input/output units and auxiliary storage units of a computer system attached by cables to the central processing unit.


3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible: they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

The field of computer forensics also has sub-branches within it, such as


3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because, in many cases, it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, it will send a TCP reset, because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to pull off successfully.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is to look for TCP resets from the innocent victim in your firewall logs.
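As an added example that is not from the original chapter, a short Python pass over firewall log lines that flags both patterns discussed in this and the previous section: the port scan of Figure 3.1 (one source touching many ports on one destination) and the TCP resets arriving from a logged source, which the text names as an indicator of spoofing. The log line format, the addresses and the sample lines are constructed for the example and do not match any vendor's real format.

```python
"""Added example: detect a port scan and a spoofing indicator in firewall logs.
Not the chapter's own code; the log format and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log: 10.1.1.200 probes many ports on 10.1.1.2 (a scan);
# 209.165.201.1 appears to open connections but answers our replies with
# resets, which is what the firewall would see if its address had been
# spoofed; 192.0.2.10 is an ordinary client that completes its handshake.
SAMPLE_LOG = """\
2009-03-12T10:00:01 deny tcp 10.1.1.200:40123 -> 10.1.1.2:21 flags=S
2009-03-12T10:00:01 deny tcp 10.1.1.200:40124 -> 10.1.1.2:22 flags=S
2009-03-12T10:00:01 deny tcp 10.1.1.200:40125 -> 10.1.1.2:23 flags=S
2009-03-12T10:00:02 deny tcp 10.1.1.200:40126 -> 10.1.1.2:25 flags=S
2009-03-12T10:00:02 allow tcp 10.1.1.200:40127 -> 10.1.1.2:80 flags=S
2009-03-12T10:00:02 deny tcp 10.1.1.200:40128 -> 10.1.1.2:443 flags=S
2009-03-12T10:00:05 allow tcp 209.165.201.1:51000 -> 10.1.1.2:80 flags=S
2009-03-12T10:00:05 deny tcp 209.165.201.1:51000 -> 10.1.1.2:80 flags=R
2009-03-12T10:00:06 allow tcp 209.165.201.1:51001 -> 10.1.1.2:80 flags=S
2009-03-12T10:00:06 deny tcp 209.165.201.1:51001 -> 10.1.1.2:80 flags=R
2009-03-12T10:01:00 allow tcp 192.0.2.10:33000 -> 10.1.1.2:80 flags=S
2009-03-12T10:01:01 allow tcp 192.0.2.10:33000 -> 10.1.1.2:80 flags=A
"""

# One constructed line shape: <timestamp> <action> <proto> src:sport -> dst:dport flags=<TCP flags>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\w+)$"
)


def parse(text):
    """Yield one dict per well-formed line. Malformed lines are skipped rather
    than guessed at: a bad parse would put wrong facts into the evidence."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            yield event


def find_port_scans(events, min_ports=5):
    """Return {(src, dst): sorted ports} for pairs where one source touched at
    least min_ports distinct destination ports. Allowed and denied packets both
    count, since the scanner learns from either answer."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_spoof_indicators(events):
    """Return sources that both appear to open TCP connections to us (SYN) and
    send resets in reply. A host that really started the connection would not
    reset its own session, so the SYNs likely carried its address as a spoof.
    This is an indicator to investigate further, not proof on its own."""
    syn_sources, rst_sources = set(), set()
    for e in events:
        if e["proto"] != "tcp":
            continue
        if e["flags"] == "S":
            syn_sources.add(e["src"])
        elif "R" in e["flags"]:
            rst_sources.add(e["src"])
    return sorted(syn_sources & rst_sources)


def analyse(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings."""
    events = list(parse(text))
    return {
        "port_scans": find_port_scans(events),
        "possible_spoofed_sources": find_spoof_indicators(events),
    }


if __name__ == "__main__":
    for name, finding in analyse().items():
        print(name, finding)
```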

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is using that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

• New GUI interface – an MMC snap-in is now available to configure the advanced firewall
• Bi-directional – filters outbound traffic as well as inbound traffic
• Works better with IPsec – now the firewall rules and IPsec encryption configurations are integrated into one interface
• Advanced rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server

With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced Firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall, you can better secure your servers from attack, prevent your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the Control Panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules – wow!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been opened for you automatically. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

• Identify the protocol you want to filter – in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).
• Identify the source IP address, source port number, destination IP address and destination port number – our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).
• Open the Windows Firewall with Advanced Security MMC.
• Add the rule – click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard:


Figure 3.10 Windows 2008 Server Advanced Firewall MMC – new rule button

• Select that you want to create a rule for a port.
• Configure protocol & port number – take the default of TCP, enter the port number as 80, and click Next.
• Take the default of "allow this connection" & click Next.
• Take the default of applying this rule to all profiles & click Next.
• Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC – after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide.

To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12: Basic

After starting the program, choose the appropriate security level for your system:

High Security -- This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security -- This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall -- This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13: Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14: DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server -- Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail -- Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

Secure Shell -- Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet -- Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________
(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus, and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
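An added example (not the chapter's or Sandstorm's code) of the analysis package the test above calls for. It assumes the generator stamps a big-endian 32-bit serial number in the first four payload bytes of every frame, and computes the percentage of dropped packets and the longest run of consecutive drops from the serials found in a capture; the capture below is constructed.

```python
"""Capture-efficiency analysis for a serialized-packet test run (added example)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class CaptureStats:
    sent: int                  # frames the generator transmitted
    captured: int              # distinct serials found in the dump
    dropped: int               # sent - captured
    drop_pct: float            # dropped / sent * 100
    longest_run: int           # longest stretch of consecutively missing serials
    gaps: List[Tuple[int, int]] = field(default_factory=list)  # (first, last) of each gap


def serial_from_payload(payload: bytes) -> int:
    """Read the big-endian 32-bit serial the (assumed) generator put at offset 0."""
    if len(payload) < 4:
        raise ValueError("payload too short to carry a serial")
    return struct.unpack(">I", payload[:4])[0]


def analyze_capture(captured_serials: Iterable[int], first: int, last: int) -> CaptureStats:
    """Compare the serials present in a capture with the inclusive range first..last
    that the generator sent. Duplicates (a mirrored frame seen twice) count once and
    serials outside the range are ignored as noise from unrelated traffic."""
    if last < first:
        raise ValueError("empty transmitted range")
    seen = sorted({s for s in captured_serials if first <= s <= last})
    gaps: List[Tuple[int, int]] = []
    expected = first
    for s in seen:
        if s > expected:                  # one or more serials were skipped before s
            gaps.append((expected, s - 1))
        expected = s + 1
    if expected <= last:                  # trailing gap: capture ended before the run did
        gaps.append((expected, last))
    sent = last - first + 1
    dropped = sum(b - a + 1 for a, b in gaps)
    longest = max((b - a + 1 for a, b in gaps), default=0)
    return CaptureStats(sent, len(seen), dropped, 100.0 * dropped / sent, longest, gaps)


def compare_platforms(results: Dict[str, CaptureStats]) -> List[Tuple[str, float, int]]:
    """Rank platforms (name -> stats) best first by drop percentage, then by the
    longest run of drops, the two figures the text compares across systems."""
    return sorted(((name, st.drop_pct, st.longest_run) for name, st in results.items()),
                  key=lambda t: (t[1], t[2]))


# Constructed capture: 20 serialized frames were sent; this platform missed serial 4,
# serials 9-11 and the last two frames, and recorded frame 7 twice.
SAMPLE_PAYLOADS = [struct.pack(">I", s) + b"\x00" * 60
                   for s in (1, 2, 3, 5, 6, 7, 7, 8, 12, 13, 14, 15, 16, 17, 18)]


def sample_stats() -> CaptureStats:
    return analyze_capture((serial_from_payload(p) for p in SAMPLE_PAYLOADS), first=1, last=20)


if __name__ == "__main__":
    st = sample_stats()
    print(f"sent={st.sent} captured={st.captured} dropped={st.dropped} "
          f"({st.drop_pct:.1f}%) longest_run={st.longest_run} gaps={st.gaps}")
```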


We could use the results of this testing to choose the hardware configuration for Sandstorm's NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or the intercept is court-authorized.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information about the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
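WELF parsing and per-firewall bandwidth aggregation as an added example, not part of Firewall Analyzer or the chapter, tying the WELF export mentioned here to the bandwidth-planning use of firewall logs in 3.14.1. It assumes the usual WELF layout of space-separated key=value pairs (values optionally double-quoted) with byte counts in the sent and rcvd fields, and treats a msg starting with Drop or Deny as a blocked connection; the log lines are constructed.

```python
"""WELF log parsing and bandwidth aggregation (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# key=value where the value is either "quoted text" or a bare token
_WELF_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: two firewalls exporting WELF, one inbound drop, one junk line.
SAMPLE_LOG = """\
id=firewall time="2010-03-12 09:00:01" fw=10.0.0.1 pri=6 proto=http src=192.168.1.20 dst=203.0.113.5 sent=1200 rcvd=45000 rule=12 msg="Accept"
id=firewall time="2010-03-12 09:00:05" fw=10.0.0.1 pri=6 proto=smtp src=192.168.1.21 dst=203.0.113.9 sent=800 rcvd=300 rule=4 msg="Accept"
id=firewall time="2010-03-12 09:00:09" fw=10.0.0.2 pri=4 proto=tcp/445 src=198.51.100.7 dst=192.168.1.20 rule=0 msg="Drop inbound connection"
id=firewall time="2010-03-12 09:01:00" fw=10.0.0.1 pri=6 proto=http src=192.168.1.20 dst=203.0.113.6 sent=500 rcvd=15000 rule=12 msg="Accept"
this line is not WELF and is skipped
"""


def parse_welf(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one WELF record, or None if there is no id= field."""
    fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in _WELF_PAIR.finditer(line)}
    return fields if "id" in fields else None


def _byte_count(fields: Dict[str, str], key: str) -> int:
    """Missing or non-numeric counters contribute nothing rather than aborting the report."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def bandwidth_report(log_text: str) -> Dict[str, Dict]:
    """Aggregate sent/rcvd bytes per firewall (fw) and per source address (src),
    and collect the records whose msg marks a dropped or denied connection."""
    new_bucket = lambda: {"sent": 0, "rcvd": 0, "records": 0}
    per_fw: Dict[str, Dict[str, int]] = defaultdict(new_bucket)
    per_src: Dict[str, Dict[str, int]] = defaultdict(new_bucket)
    denied: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_welf(raw)
        if rec is None:
            continue
        sent, rcvd = _byte_count(rec, "sent"), _byte_count(rec, "rcvd")
        for table, key in ((per_fw, "fw"), (per_src, "src")):
            if key in rec:
                bucket = table[rec[key]]
                bucket["sent"] += sent
                bucket["rcvd"] += rcvd
                bucket["records"] += 1
        if rec.get("msg", "").lower().startswith(("drop", "deny")):
            denied.append(rec)
    return {"per_firewall": dict(per_fw), "per_source": dict(per_src), "denied": denied}


def top_sources(report: Dict[str, Dict], n: int = 5) -> List[Tuple[str, int]]:
    """Sources ranked by total bytes (sent + rcvd), the figure used for capacity planning."""
    ranked = sorted(report["per_source"].items(),
                    key=lambda kv: kv[1]["sent"] + kv[1]["rcvd"], reverse=True)
    return [(src, v["sent"] + v["rcvd"]) for src, v in ranked[:n]]


if __name__ == "__main__":
    rep = bandwidth_report(SAMPLE_LOG)
    for fw, v in rep["per_firewall"].items():
        print(f"{fw}: {v['records']} records, {v['sent']} B out, {v['rcvd']} B in")
    print("top sources:", top_sources(rep))
    print("denied:", [(d["time"], d["src"], d["dst"], d["proto"]) for d in rep["denied"]])
```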

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and later import the profiles to get them back. This comes in handy in exigencies such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp
3. Email Examiner
4. EnCase
5. Guidance Software
6. Paraben Corp
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other Security Policies and Management

Security and Privacy Software, Software and Web Development, Threats and Attacks, information security

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today -- particularly as email and the Internet make sharing and distributing corporate information easier than ever -- is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity, and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions, and boundaries are set up so that even employees with database access privileges cannot freely use, alter, or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles, and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
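An added example, not from the chapter or any database product, of how the decision factors named above (client IP address, time of day, authentication mode) combine into rules that refuse an administrator's change operations from outside the corporate intranet or outside business hours. The network ranges, business hours, authentication modes and sample attempts are constructed.

```python
"""Environment-based rules for privileged database operations (added example)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Tuple

# Constructed environment: intranet ranges, business hours and strong auth modes.
CORPORATE_INTRANET = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # Monday to Friday, database local time
STRONG_AUTH = {"kerberos", "mfa"}
CHANGE_VERBS = {"ALTER", "DROP", "CREATE", "GRANT", "REVOKE", "TRUNCATE"}


@dataclass(frozen=True)
class Attempt:
    user: str
    role: str          # "dba" or "app"
    src_ip: str        # client address as seen by the database machine
    when: datetime     # time of the request
    auth_mode: str     # "password", "kerberos" or "mfa"
    statement: str     # SQL about to run; its first word decides whether it is a change


def is_change(stmt: str) -> bool:
    words = stmt.split()
    return bool(words) and words[0].upper() in CHANGE_VERBS


def from_intranet(a: Attempt) -> bool:
    ip = ipaddress.ip_address(a.src_ip)
    return any(ip in net for net in CORPORATE_INTRANET)


def in_business_hours(a: Attempt) -> bool:
    return a.when.weekday() < 5 and BUSINESS_HOURS[0] <= a.when.time() < BUSINESS_HOURS[1]


def strongly_authenticated(a: Attempt) -> bool:
    return a.auth_mode in STRONG_AUTH


def admin_change(a: Attempt) -> bool:
    return a.role == "dba" and is_change(a.statement)


# A rule is (applies_to, factor_check, denial_reason). The environmental factor is only
# tested for attempts the rule governs, so ordinary application queries are unaffected.
Rule = Tuple[Callable[[Attempt], bool], Callable[[Attempt], bool], str]
RULES: List[Rule] = [
    (admin_change, from_intranet, "administrative change from outside the corporate intranet"),
    (admin_change, in_business_hours, "administrative change outside business hours"),
    (lambda a: a.role == "dba", strongly_authenticated,
     "administrator session without strong authentication"),
]


def evaluate(a: Attempt, rules: List[Rule] = RULES) -> Tuple[bool, List[str]]:
    """Allow only if every applicable rule passes; the reasons list names each failing
    rule so the denial can be logged and reviewed later."""
    reasons = [reason for applies, check, reason in rules if applies(a) and not check(a)]
    return (not reasons, reasons)


# Constructed attempts (2010-03-10 is a Wednesday, 2010-03-13 a Saturday).
SAMPLE_ATTEMPTS: Dict[str, Attempt] = {
    "dba_intranet_day": Attempt("dba1", "dba", "10.1.2.3", datetime(2010, 3, 10, 14, 0),
                                "kerberos", "ALTER TABLE accounts ADD COLUMN note TEXT"),
    "dba_external_day": Attempt("dba1", "dba", "203.0.113.8", datetime(2010, 3, 10, 14, 0),
                                "kerberos", "ALTER TABLE accounts ADD COLUMN note TEXT"),
    "dba_intranet_night_pw": Attempt("dba1", "dba", "10.1.2.3", datetime(2010, 3, 13, 2, 30),
                                     "password", "DROP TABLE accounts"),
    "dba_external_readonly": Attempt("dba1", "dba", "203.0.113.8", datetime(2010, 3, 13, 2, 30),
                                     "mfa", "select count(*) from accounts"),
    "app_external_night": Attempt("app", "app", "203.0.113.8", datetime(2010, 3, 13, 2, 30),
                                  "password", "SELECT balance FROM accounts WHERE id = 1"),
}


if __name__ == "__main__":
    for name, attempt in SAMPLE_ATTEMPTS.items():
        print(f"{name}: {evaluate(attempt)}")
```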

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies, and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations, and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open.

Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan, or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step. The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
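To make the manual test and the first of these protections concrete, here is an added example (not the article's or the chapter's code) of the directory lookup written two ways against an in-memory SQLite database, so the probe string from the text can be run safely offline. The table layout, the rows, the `id` column and the absence of any table called `fake` are constructed for this demo.

```python
"""Added example (not the article's or the chapter's code): the directory lookup from
section 3.17 written two ways against an in-memory SQLite database, so the manual test
string can be run safely offline. Table layout, rows and the absence of a `fake` table
are constructed for the demo; the vulnerable version is kept vulnerable on purpose."""
import sqlite3


def make_db():
    """Constructed directory table. There is deliberately no table named `fake`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE directory (id INTEGER PRIMARY KEY, lastname TEXT, firstname TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO directory VALUES (?, ?, ?, ?)",
        [(1, "chapple", "mike", "555-0100"),
         (2, "smith", "jane", "555-0101"),
         (3, "doe", "john", "555-0102")],
    )
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The unprotected page: input is pasted straight into the SQL text (the 'before' case)."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' and firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened page: bound parameters keep the input as data, never as SQL syntax."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def lookup_by_customer_number(conn, raw_number):
    """'Implement parameter checking': a numeric field is validated before any query runs."""
    if not raw_number.isdigit():
        raise ValueError("customer number must be numeric: %r" % raw_number)
    rows = conn.execute("SELECT phone FROM directory WHERE id = ?", (int(raw_number),))
    return [row[0] for row in rows]


# The chapter's probe, decoded from its URL form (+ -> space, %3e -> >, %3d -> =).
PROBE = "mike' AND (select count(*) from fake) >0 OR '1'='1"


def run_probe(lookup):
    """Feed the probe through a lookup function and report what the database did with it."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, "chapple", PROBE))
    except sqlite3.OperationalError as exc:
        # The error names the non-existent `fake` table: the injected SQL was executed.
        return ("error", str(exc))


if __name__ == "__main__":
    print("vulnerable    :", run_probe(lookup_vulnerable))
    print("parameterized :", run_probe(lookup_parameterized))
```

In the vulnerable case the database error names the `fake` table, the same tell-tale as the "Invalid object name" message above, while the parameterized lookup simply finds nobody with that first name and returns no rows.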

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself, and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times, and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are also used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources, and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express), and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking, and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer Crime, refers to a criminal activity where a computer, laptop, network, or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages, and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information, or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies alike. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number, and email domain. This information is often found in virtual storage units such as your browser history, cache, or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts, and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage, and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs, and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people.
• Illegally using someone else's computer or "posing" as someone else on the Internet.
• Using spyware to gather information about people.
• Emails requesting money in return for "small deposits".
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.
• Using someone else's computer to access personal information with the intent to use such fraudulently.
• Using the computer to solicit minors into sexual alliances.
• Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs.
• Hacking into computer systems to gather large amounts of information for illegal purposes.
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting, or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hijacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords, and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums, and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls, and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism, and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayer's or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates, and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed, and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
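Two of the steps above, authenticating the acquired data mathematically and evaluating the drive against a keyword list (including unallocated space), carried out on a constructed in-memory "disk image". This is an added example, not code from the chapter; the image bytes, the allocation boundary and the keyword list are all constructed for the demo.

```python
"""Added example (not part of the chapter): two of the investigation steps above carried
out on a constructed, in-memory 'disk image'. The image bytes, the allocation boundary
and the keyword list are constructed for this demo; the layout mimics a live file
followed by free space that still holds a deleted file's remnants."""
import hashlib

# Constructed image: a live file, a run of unallocated sectors, then remnants of a
# deleted message that no longer has a directory entry pointing at it.
LIVE = b"[file: notes.txt] meeting with supplier on Friday, nothing unusual."
FREE = b"[deleted] transfer the funds to the offshore account before the audit"
IMAGE = LIVE + b"\x00" * 43 + FREE + b"\x00" * 21


def acquisition_hash(image):
    """Step 'authenticating data mathematically': hash the image once at seizure."""
    return hashlib.sha256(image).hexdigest()


def verify_unaltered(image, recorded_hash):
    """Re-hash later (for example before each examination) and compare to the seizure value."""
    return acquisition_hash(image) == recorded_hash


def keyword_hits(image, keywords):
    """Step 'evaluate the drive against a keyword list': search the raw bytes, not the
    files, so remnants in slack and unallocated space are found too.
    Returns a list of (offset, keyword) pairs in offset order."""
    haystack = image.lower()
    hits = []
    for kw in keywords:
        needle = kw.lower().encode("utf-8")
        pos = haystack.find(needle)
        while pos != -1:
            hits.append((pos, kw))
            pos = haystack.find(needle, pos + 1)
    return sorted(hits)


def hit_context(image, offset, width=24):
    """Printable context around a hit, the way a keyword report would show it."""
    chunk = image[max(0, offset - width): offset + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def in_unallocated(offset, live_end=len(LIVE)):
    """Constructed allocation map: anything past the live file is unallocated space."""
    return offset >= live_end


if __name__ == "__main__":
    recorded = acquisition_hash(IMAGE)
    print("image hash recorded at seizure:", recorded)
    print("verification before examination:", verify_unaltered(IMAGE, recorded))
    for offset, kw in keyword_hits(IMAGE, ["supplier", "offshore", "audit"]):
        region = "unallocated" if in_unallocated(offset) else "live file"
        print(f"{offset:6d} {kw:10s} [{region}] {hit_context(IMAGE, offset)}")
```

The keyword pass finds the "offshore" and "audit" hits only because it reads raw bytes: a file-by-file search would never see the deleted message.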

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers.
• Install anti-viral software and spam-blocking programs on your computer and your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words.
• Never give your password to someone else.



3. Thus, searching and seizing the Digital Evidence in computers will often refer to the hardware, software, and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors, and other external attachments will be referred to collectively as peripherals and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term computer system. Information refers to all the information on a computer system, including both software applications and data.

4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access this off-site location.

6. When investigators are dealing with smaller networks, desktop PCs, and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme, with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a system dependent on set configurations to preserve best evidence in a state of original configuration. This can, and often does, include peripherals, components, manuals, and software. In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-Gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted, and printed out.

The field of computer forensics also has sub-branches within it, such as:


3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process because, in many cases, it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query, and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open, and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that, in general, it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset, because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that, after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is to look for TCP resets from the innocent victim in your firewall logs.
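The port-scan pattern of Section 3.7 (one source, one destination, many ports) and the reset indicator of Section 3.8 can both be checked mechanically over a firewall log. The following Python script is an added example, not code from this chapter or from NetIQ or Cisco; it assumes a constructed, simplified log line format and constructed sample entries using documentation address ranges, and the RST count it reports is only the indicator the text describes, to be followed by the more detailed investigation.

```python
"""Firewall log triage: flag port scans and note a spoofed-source indicator.

Added example. The log format below is a constructed, simplified one
(timestamp action proto src:port -> dst:port flags); real products differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries using documentation address ranges (not real hosts):
# 192.0.2.77 touches twelve distinct ports on 198.51.100.10 within seconds and
# also shows up sending RSTs; 203.0.113.9 is ordinary web traffic.
SAMPLE_LOG = """\
2009-03-02 10:15:01 DENY TCP 192.0.2.77:41001 -> 198.51.100.10:21 SYN
2009-03-02 10:15:01 DENY TCP 192.0.2.77:41002 -> 198.51.100.10:22 SYN
2009-03-02 10:15:02 DENY TCP 192.0.2.77:41003 -> 198.51.100.10:23 SYN
2009-03-02 10:15:02 DENY TCP 192.0.2.77:41004 -> 198.51.100.10:25 SYN
2009-03-02 10:15:02 ALLOW TCP 192.0.2.77:41005 -> 198.51.100.10:80 SYN
2009-03-02 10:15:03 DENY TCP 192.0.2.77:41006 -> 198.51.100.10:110 SYN
2009-03-02 10:15:03 DENY TCP 192.0.2.77:41007 -> 198.51.100.10:135 SYN
2009-03-02 10:15:03 DENY TCP 192.0.2.77:41008 -> 198.51.100.10:139 SYN
2009-03-02 10:15:04 DENY TCP 192.0.2.77:41005 -> 198.51.100.10:80 RST
2009-03-02 10:15:04 DENY TCP 192.0.2.77:41009 -> 198.51.100.10:443 SYN
2009-03-02 10:15:05 DENY TCP 192.0.2.77:41010 -> 198.51.100.10:445 SYN
2009-03-02 10:15:05 DENY TCP 192.0.2.77:41011 -> 198.51.100.10:1433 SYN
2009-03-02 10:15:06 DENY TCP 192.0.2.77:41012 -> 198.51.100.10:3389 SYN
2009-03-02 10:15:06 DENY TCP 192.0.2.77:41005 -> 198.51.100.10:80 RST
2009-03-02 10:15:07 ALLOW TCP 203.0.113.9:50112 -> 198.51.100.10:80 SYN
2009-03-02 10:15:08 ALLOW TCP 203.0.113.9:50113 -> 198.51.100.10:443 SYN
2009-03-02 10:15:09 DENY UDP 203.0.113.9:5353 -> 198.51.100.10:53 -
this line is deliberately malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[\w,-]+)$"
)


def parse_log(text):
    """Return (events, skipped): parsed event dicts and the count of unparseable lines."""
    events, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1          # never let one bad line abort the whole review
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events, skipped


def find_port_scans(events, min_ports=10, window=timedelta(minutes=5)):
    """Map (src, dst) -> sorted list of all ports touched, for every pair that
    hit at least min_ports distinct destination ports inside any time window."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["proto"] in ("TCP", "UDP"):
            by_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    scans = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):      # slide a time window over the hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                scans[pair] = sorted({p for _, p in hits})
                break
    return scans


def spoof_indicators(events, suspects):
    """Count inbound TCP RSTs logged from each suspect address.

    As the text describes, resets arriving from the address the SYNs claimed to
    come from are one sign the SYNs were spoofed: the real host is rejecting
    SYN-ACKs for connections it never opened. It is an indicator only (a
    half-open scanner also sends RSTs), so the detailed investigation still follows.
    """
    rsts = {ip: 0 for ip in suspects}
    for ev in events:
        if ev["proto"] == "TCP" and ev["src"] in rsts and "RST" in ev["flags"].split(","):
            rsts[ev["src"]] += 1
    return rsts


def triage(text):
    """One-shot review: scans found, plus RST counts for the scanning sources."""
    events, skipped = parse_log(text)
    scans = find_port_scans(events)
    return {"skipped_lines": skipped, "scans": scans,
            "rst_from_scanner": spoof_indicators(events, {src for src, _ in scans})}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (src, dst), ports in report["scans"].items():
        print(f"port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
        print(f"  RSTs logged from {src}: {report['rst_from_scanner'][src]} "
              "(verify the address before acting on it)")
```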

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer, and how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface – an MMC snap-in is now available to configure the advanced firewall.

Bi-directional – filters outbound traffic as well as inbound traffic.


Works better with IPSEC – now the firewall rules and IPSec encryption configurations are integrated into one interface.

Advanced Rules configuration – you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall you can better secure your servers from attack, your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules – WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built in to Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter – in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number – our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC. Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC – new rule button

Select that you want to create a rule for a port. Configure protocol & port number – take the default of TCP, enter the port number as 80, and click Next. Take the default of "allow this connection" & click Next. Take the default of applying this rule to all profiles & click Next. Give the rule a name and click Finish.

At this point you should have a rule that looks like this

Figure 3.11 Windows 2008 Server Advanced Firewall MMC – after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents, except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
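The analysis package described above, which compares the serialized packets the generator sent with those the capture box recorded, can be written in a few dozen lines once every test packet carries a serial number. The following Python script is an added example (not Sandstorm's or the chapter's code); it assumes a constructed dump format in which each captured test packet yields one line of the form seq=<n> len=<bytes>, plus a constructed generator record of what was sent, and it also breaks the loss figure down by packet size, which the method allows but the text does not show.

```python
"""Capture-loss analysis for serialized test traffic (added example).

The generator record and the captured dump are constructed here; in a real run
the first comes from the packet generator and the second from parsing the
tcpdump/windump output of the capture box.
"""


def generate_sent(count=1000, sizes=(64, 1500)):
    """Constructed generator record: alternating small and full-size frames."""
    return [(seq, sizes[seq % len(sizes)]) for seq in range(count)]


def simulate_dump(sent, dropped_seqs):
    """Constructed capture dump: one 'seq=<n> len=<bytes>' line per frame seen.
    A duplicate line is included to show that duplicates do not distort the count."""
    lines = [f"seq={seq} len={size}" for seq, size in sent if seq not in dropped_seqs]
    lines.insert(10, lines[9])          # duplicate capture of one frame
    return lines


def parse_dump(lines):
    """Pull the serial numbers out of dump lines; ignore lines without a seq= field."""
    seqs = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "seq" in fields:
            seqs.append(int(fields["seq"]))
    return seqs


def capture_loss(sent, captured_seqs):
    """Compare what was sent with what was captured.

    Returns the dropped count, dropped percentage, the longest run of
    consecutive drops (a burst indicator: buffer exhaustion shows up as long
    runs rather than scattered single losses) and the drop percentage per
    frame size.
    """
    seen = set(captured_seqs)          # set: duplicates and reordering are harmless
    unknown = seen - {seq for seq, _ in sent}
    if unknown:
        raise ValueError(f"captured serials never sent: {sorted(unknown)[:5]}")
    dropped = longest = run = 0
    by_size = {}                       # size -> [sent, dropped]
    for seq, size in sorted(sent):     # walk in serial order to measure runs
        counts = by_size.setdefault(size, [0, 0])
        counts[0] += 1
        if seq in seen:
            run = 0
        else:
            dropped += 1
            counts[1] += 1
            run += 1
            longest = max(longest, run)
    total = len(sent)
    return {
        "sent": total,
        "captured": total - dropped,
        "dropped": dropped,
        "dropped_pct": round(100.0 * dropped / total, 3) if total else 0.0,
        "longest_run": longest,
        "dropped_pct_by_size": {size: round(100.0 * d / n, 3)
                                for size, (n, d) in sorted(by_size.items())},
    }


# Constructed loss pattern: one burst of five, a pair, a burst of three, and the last frame.
DROPPED = {100, 101, 102, 103, 104, 250, 251, 600, 601, 602, 999}


def demo():
    """Run the constructed test: 1000 frames sent, 11 of them never captured."""
    sent = generate_sent()
    return capture_loss(sent, parse_dump(simulate_dump(sent, DROPPED)))


if __name__ == "__main__":
    result = demo()
    print(f"{result['dropped']} of {result['sent']} dropped ({result['dropped_pct']}%), "
          f"longest run {result['longest_run']}, by size {result['dropped_pct_by_size']}")
```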


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year, Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So, by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or the intercept is court-authorized.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
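The kind of traffic and bandwidth analysis described above can be reproduced on a small scale with a few lines of code. The following is an added example and is not part of the original text nor Firewall Analyzer's own code: it parses WELF-style `key=value` records (quoted values such as `time="..."` and `msg="..."` allowed), skips lines that are not WELF, totals sent and received bytes per source address for accepted traffic, and lists sources that were denied against several distinct destinations. The log lines are constructed for the example; the field names beyond the standard WELF ones (`dstport`, `rule`) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample WELF records (made-up addresses and byte counts, not real firewall output).
SAMPLE_LOG = """\
id=firewall time="2010-03-01 10:15:22" fw=fw-edge pri=6 proto=http src=10.0.0.5 dst=203.0.113.10 sent=1024 rcvd=40960 msg="accept"
id=firewall time="2010-03-01 10:15:30" fw=fw-edge pri=6 proto=smtp src=10.0.0.7 dst=203.0.113.25 sent=52000 rcvd=900 msg="accept"
id=firewall time="2010-03-01 10:16:01" fw=fw-edge pri=4 proto=tcp src=198.51.100.9 dst=10.0.0.5 dstport=445 msg="deny" rule=12
id=firewall time="2010-03-01 10:16:02" fw=fw-edge pri=4 proto=tcp src=198.51.100.9 dst=10.0.0.6 dstport=445 msg="deny" rule=12
id=firewall time="2010-03-01 10:16:03" fw=fw-edge pri=4 proto=tcp src=198.51.100.9 dst=10.0.0.7 dstport=445 msg="deny" rule=12
id=firewall time="2010-03-01 10:17:45" fw=fw-edge pri=6 proto=http src=10.0.0.5 dst=203.0.113.11 sent=2048 rcvd=81920 msg="accept"
this line is not WELF at all
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a run of non-space characters.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_welf_line(line):
    """Parse one WELF record into a dict; return None if the line is not a WELF record."""
    line = line.strip()
    if not line.startswith("id="):
        return None
    rec = {}
    for key, val in _PAIR.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    # WELF requires id=firewall and a time field; anything else is treated as garbage.
    if rec.get("id") != "firewall" or "time" not in rec:
        return None
    return rec


def parse_welf(text):
    """Return (records, number_of_skipped_lines) for a block of log text."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_welf_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def bandwidth_by_source(records):
    """Total bytes (sent + received) per source address, counting accepted traffic only."""
    totals = defaultdict(int)
    for r in records:
        if r.get("msg") != "accept":
            continue
        totals[r["src"]] += int(r.get("sent", 0)) + int(r.get("rcvd", 0))
    return dict(totals)


def deny_summary(records, threshold=3):
    """Sources denied against at least `threshold` distinct destinations, with those destinations."""
    denies = defaultdict(set)
    for r in records:
        if r.get("msg") == "deny":
            denies[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in denies.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    recs, skipped = parse_welf(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {skipped} skipped")
    print("bytes per source:", bandwidth_by_source(recs))
    print("sources denied across many hosts:", deny_summary(recs))
```

The deny summary is the kind of report a log analyzer turns into an alert: one external address refused against several internal hosts on the same port in quick succession is worth a look, whereas a single deny usually is not.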

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles to a file and import that file later to get the profiles back. This comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors referenced: Forensic ToolKit (AccessData Corp), Email Examiner and other products of Paraben Corp, EnCase (Guidance Software), ProDiscover (Technology Pathways), Sleuth Kit, dtSearch (dtSearch Corp).

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, other security policies and management, security and privacy software, software and web development, threats and attacks, information security.

3.16 Database Forensics

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today -- particularly as email and the Internet make sharing and distributing corporate information easier than ever -- is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity, and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A Multi-Factored Security Model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions, and boundaries are set up so that even employees with database access privileges cannot freely use, alter, or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles, and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.
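The realm, rule and role controls of sections 3.16.2 to 3.16.4 can be expressed as a single policy decision. The code below is an added example, written for this chapter and not taken from any database vendor's product: it models a hypothetical policy in which objects inside a realm are visible only to the roles listed for that realm (a DBA cannot read `hr.personal_records`), schema changes and exports are reserved for the security administrator, and any administrative change must come from the corporate intranet, during business hours, with two-factor authentication. The realm names, object names, roles, the `10.0.0.0/8` intranet and the 08:00-17:59 business window are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed environment for the example (hypothetical values, not from the text).
CORPORATE_INTRANET = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(8, 18)          # local hours 08:00 through 17:59
ADMIN_ROLES = {"dba", "security_admin"}
SECURITY_ADMIN_ONLY = {"alter_schema", "export"}


@dataclass(frozen=True)
class Realm:
    """A protection zone: the objects it wraps and the roles allowed to see them."""
    name: str
    objects: frozenset
    allowed_roles: frozenset


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str        # e.g. 'dba', 'security_admin', 'hr_clerk', 'sales_app'
    operation: str   # 'select', 'update', 'alter_schema', 'export'
    obj: str         # fully qualified object name
    src_ip: str
    hour: int        # local hour 0-23 when the request is made
    auth_mode: str   # 'password' or 'two_factor'


# Hypothetical realms: HR data is off-limits to the DBA; sales data is open to the DBA and the app account.
REALMS = (
    Realm("hr_sensitive", frozenset({"hr.salaries", "hr.personal_records"}),
          frozenset({"hr_clerk", "security_admin"})),
    Realm("sales", frozenset({"sales.orders", "sales.customers"}),
          frozenset({"sales_app", "dba", "security_admin"})),
)


def realm_for(obj):
    """Return the realm protecting `obj`, or None if the object is not inside any realm."""
    for realm in REALMS:
        if obj in realm.objects:
            return realm
    return None


def evaluate(req):
    """Return (allowed, reason); every denial names the control that fired."""
    # Realm: a role not listed for the realm gets nothing, regardless of system privileges.
    realm = realm_for(req.obj)
    if realm is not None and req.role not in realm.allowed_roles:
        return False, f"realm '{realm.name}' does not admit role '{req.role}'"
    # Role separation: infrastructure-changing operations belong to the security administrator.
    if req.operation in SECURITY_ADMIN_ONLY and req.role != "security_admin":
        return False, f"operation '{req.operation}' reserved for security_admin"
    # Rules: environmental factors gate administrative changes (reads are not gated here).
    if req.role in ADMIN_ROLES and req.operation != "select":
        if ipaddress.ip_address(req.src_ip) not in CORPORATE_INTRANET:
            return False, "administrative change from outside the corporate intranet"
        if req.hour not in BUSINESS_HOURS:
            return False, "administrative change outside business hours"
        if req.auth_mode != "two_factor":
            return False, "administrative change requires two-factor authentication"
    return True, "permitted"


if __name__ == "__main__":
    for r in (
        AccessRequest("dba1", "dba", "update", "sales.orders", "10.1.2.3", 10, "two_factor"),
        AccessRequest("dba1", "dba", "select", "hr.personal_records", "10.1.2.3", 10, "two_factor"),
        AccessRequest("dba1", "dba", "update", "sales.orders", "203.0.113.5", 10, "two_factor"),
        AccessRequest("dba1", "dba", "alter_schema", "sales.orders", "10.1.2.3", 10, "two_factor"),
    ):
        print(r.role, r.operation, r.obj, "->", evaluate(r))
```

The order of the checks matters: the realm test runs first so that a denied object never reaches the environmental rules, and the reason string is what an auditor would expect to find in the access log alongside the request.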

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema and data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies, and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations, and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control

Auditing

Authentication

Encryption

Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network- and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
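The evidential value of an extracted audit trail rests on being able to show that nobody rewrote it after extraction. One way the designated security system can support that claim is to hash-chain the records as they arrive, so that altering or deleting any earlier entry invalidates every later link. The following is an added example written for this chapter, not a feature of any particular database; the audit rows are constructed, and the JSON canonicalisation and SHA-256 choices are the example's own.

```python
import copy
import hashlib
import json

GENESIS = "audit-chain-genesis"   # fixed anchor for the first link (constructed value)


def _digest(prev_hash, record):
    """Hash of the previous link plus a canonical encoding of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def chain_audit_trail(records, genesis=GENESIS):
    """Wrap each extracted audit row in a link that commits to everything before it."""
    chained, prev = [], genesis
    for rec in records:
        h = _digest(prev, rec)
        chained.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return chained


def verify_audit_trail(chained, genesis=GENESIS):
    """Return (ok, index_of_first_bad_link) where index is -1 when the chain is intact."""
    prev = genesis
    for i, entry in enumerate(chained):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


# Constructed native-audit rows (made-up users and objects, not real DB output).
SAMPLE_AUDIT = [
    {"ts": "2010-03-01T10:15:22", "user": "dba1", "action": "UPDATE", "object": "hr.salaries", "rows": 1},
    {"ts": "2010-03-01T10:16:05", "user": "app_svc", "action": "SELECT", "object": "sales.orders", "rows": 240},
    {"ts": "2010-03-01T10:20:41", "user": "dba1", "action": "DELETE", "object": "audit.trail", "rows": 3},
]


def demo_tamper():
    """Intact chain, then the same chain with the DBA's DELETE rewritten as a SELECT."""
    chain = chain_audit_trail(SAMPLE_AUDIT)
    tampered = copy.deepcopy(chain)
    tampered[2]["record"]["action"] = "SELECT"
    return verify_audit_trail(chain), verify_audit_trail(tampered)


if __name__ == "__main__":
    print(demo_tamper())
```

The chain only detects modification; it does not prevent it, and whoever controls the stored chain can recompute every hash. That is why the text places the copy on a system the DBAs cannot reach: the protection comes from the separation of duties, with the chain making any edit on the DBA side visible at the next comparison.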

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing for SQL Injection Vulnerabilities

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan, or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
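The difference between the vulnerable lookup and a protected one is easiest to see side by side. The following is an added example, not code from the article above: it builds the `directory` table in an in-memory SQLite database, runs the exact probe string from the text through a string-concatenated query and through a parameterized query, and applies the numeric parameter check suggested in the first bullet. SQLite is used for portability; its error text differs from the SQL Server message quoted above, but the outcome is the same: the string-built query hands the probe to the SQL parser and fails, while the parameterized query treats it as a literal first name and simply finds nobody.

```python
import sqlite3

# The probe first name from the text above (URL-decoded). It is harmless if it fails and harmless if it runs.
PROBE = "mike' AND (select count(*) from fake) > 0 OR 1=1"


def make_db():
    """Constructed in-memory directory table with made-up entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("chapple", "mike", "555-0100"),
        ("smith", "jane", "555-0101"),
    ])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The pattern the article warns about: user input is pasted into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Bound parameters: the driver sends the values separately, so they can never become SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe(lookup):
    """Run the probe through `lookup` and classify the outcome the way the article does.

    ('error', message)  -> the probe reached the SQL parser: the lookup is injectable
    ('results', rows)   -> the probe was handled as data
    """
    conn = make_db()
    try:
        rows = lookup(conn, "chapple", PROBE)
    except sqlite3.Error as exc:
        return "error", str(exc)
    return "results", rows


def validated_customer_number(raw):
    """Parameter check from the first bullet: a customer number must be all digits."""
    raw = raw.strip()
    if not raw.isdigit():
        raise ValueError("customer number must be numeric")
    return int(raw)


if __name__ == "__main__":
    print("string-built query :", probe(lookup_vulnerable))
    print("parameterized query:", probe(lookup_parameterized))
    print("normal lookup      :", lookup_parameterized(make_db(), "chapple", "mike"))
```

In the vulnerable path the application would surface the database error (or a generic 500) exactly as section 3.17.3 describes; in the parameterized path the only observable result is "no user found", which is the behaviour a tester wants to see.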

3.18 Mobile Forensics

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself, and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times, and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. The above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources, and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express), and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking, and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS

Digital fraud, or computer crime, refers to a criminal activity where a computer, laptop, network, or other such digital device is utilized for any criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera -- an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages, and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information, or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number, and email domain. This information is often found in virtual storage units such as your browser history, cache, or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the Internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts, and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage, and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs, and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising oneself as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further. When you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees surf the web or play games on the taxpayers' or company's time and money without proper authorization. This kind of behavior, in many instances, is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the internet.

Evaluation of unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
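As an added example, not from the original chapter, here is how the "authenticating data mathematically" and keyword-evaluation steps above can be carried out in Python over a constructed stand-in for a bit-stream image: a SHA-256 record is taken at acquisition and checked later, and keywords are searched across allocated, slack and unallocated bytes alike. The image layout, labels and function names are assumptions made for this example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a bit-stream image of a small drive (not a real disk):
# an allocated file, a zeroed run standing in for file slack, then a "deleted"
# file whose bytes still sit in unallocated space. A real image would be read
# from the acquired disk copy.
ALLOCATED = b"README.TXT: quarterly report, nothing to see here.\n"
SLACK = b"\x00" * 8
DELETED = b"wire TRANSFER to account 12345 approved on 2008-03-12"
IMAGE = ALLOCATED + SLACK + DELETED


def image_digest(data):
    """SHA-256 of the whole image: the mathematical authentication of the evidence."""
    return hashlib.sha256(data).hexdigest()


def make_acquisition_record(label, data, acquired_at=None):
    """Custody record written at the moment the bit-stream copy is taken."""
    when = acquired_at or datetime.now(timezone.utc)
    return {
        "label": label,
        "size": len(data),
        "sha256": image_digest(data),
        "acquired_at": when.isoformat(),
    }


def verify_image(record, data):
    """True only if the image still has the size and SHA-256 recorded at acquisition."""
    return len(data) == record["size"] and image_digest(data) == record["sha256"]


def keyword_hits(data, keywords):
    """Every offset at which a keyword occurs, case-insensitively, anywhere in the
    image, so hits in slack and unallocated space are found as well as in files."""
    haystack = data.lower()
    hits = []
    for kw in keywords:
        needle = kw.lower()
        start = 0
        while True:
            pos = haystack.find(needle, start)
            if pos < 0:
                break
            hits.append((kw, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])


def region_of(offset):
    """Label an offset as allocated, slack or unallocated in the constructed layout."""
    if offset < len(ALLOCATED):
        return "allocated"
    if offset < len(ALLOCATED) + len(SLACK):
        return "slack"
    return "unallocated"


if __name__ == "__main__":
    record = make_acquisition_record("suspect-drive-image", IMAGE)
    print("acquired:", record)
    print("still authentic:", verify_image(record, IMAGE))
    for kw, off in keyword_hits(IMAGE, [b"transfer", b"report"]):
        print(f"{kw!r} at offset {off} ({region_of(off)})")
```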

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers.
• Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


3.7 Firewall Forensics_________________________________

You will need to conduct a forensic analysis using your firewall logs at some point. The underlying objective of a forensic analysis is trying to determine what happened and to establish facts that can be used in court. If you have never reviewed the firewall logs previously, this can be a costly and almost insurmountable process, because you do not necessarily have any idea what may or may not be a normal event for the firewall.

Performing a forensic analysis is generally an extremely time-consuming and expensive process, because in many cases it is much like trying to find a needle in a haystack. You may know what was done, but you do not necessarily know when or how it was done, which can make it tricky indeed to be successful. This is compounded by the fact that you need to gather evidence from the earliest moment possible to establish exactly what transpired.

Because of the potentially sensitive nature of forensic analysis, it is a good idea to use tools that can assist in performing the forensic analysis, or to bring in experts who have special training in exactly what should and should not be done. This is where tools like NetIQ Security Manager and Cisco CS-MARS come in particularly handy, because they include built-in correlation, query and reporting functionality that is particularly suited to this kind of situation. For example, Figure 3.1 illustrates a forensic analysis report from NetIQ Security Manager.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report


On the surface, the firewall denying traffic is not necessarily something to be concerned about. However, by looking at the data (for example, the data in Figure 3.1) with a bit more of a critical eye, the traffic is all originating from the same source (10.1.1.200) to the same destination (10.1.1.2) on a whole slew of different port numbers.

This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that, yes indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that, in general, it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1, because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases is illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset, because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that, after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
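As an added example (not part of the original text, and not code from the NetIQ or Cisco tools it mentions), the two log-review checks described in 3.7 and 3.8 run in Python over constructed firewall log lines: one source denied on many distinct ports of one destination (the port scan of Figure 3.1), and a logged source that answers the firewall's SYN-ACK with a TCP reset instead of the handshake ACK (the innocent victim of Figure 3.2). The simplified log format, the threshold and all addresses other than those quoted in the text are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a simplified format assumed for this example
# (date time ACTION PROTO src:port -> dst:port [tcp flags]); they are not output
# from any real firewall. 10.1.1.200 sweeps 10.1.1.2 as in Figure 3.1, and
# 209.165.201.1 plays the innocent victim of Figure 3.2 whose address was forged.
SAMPLE_LOG = """
2008-03-12 10:15:01 DENY TCP 10.1.1.200:40001 -> 10.1.1.2:21 SYN
2008-03-12 10:15:01 DENY TCP 10.1.1.200:40002 -> 10.1.1.2:22 SYN
2008-03-12 10:15:01 DENY TCP 10.1.1.200:40003 -> 10.1.1.2:23 SYN
2008-03-12 10:15:02 DENY TCP 10.1.1.200:40004 -> 10.1.1.2:25 SYN
2008-03-12 10:15:02 DENY TCP 10.1.1.200:40005 -> 10.1.1.2:53 SYN
2008-03-12 10:15:02 DENY TCP 10.1.1.200:40006 -> 10.1.1.2:110 SYN
2008-03-12 10:15:03 DENY TCP 10.1.1.200:40007 -> 10.1.1.2:135 SYN
2008-03-12 10:15:03 DENY TCP 10.1.1.200:40008 -> 10.1.1.2:139 SYN
2008-03-12 10:15:03 DENY TCP 10.1.1.200:40009 -> 10.1.1.2:143 SYN
2008-03-12 10:15:04 DENY TCP 10.1.1.200:40010 -> 10.1.1.2:443 SYN
2008-03-12 10:15:04 DENY TCP 10.1.1.200:40011 -> 10.1.1.2:445 SYN
2008-03-12 10:15:04 DENY TCP 10.1.1.200:40012 -> 10.1.1.2:3389 SYN
2008-03-12 10:16:10 DENY TCP 192.0.2.77:50321 -> 10.1.1.2:3389 SYN
2008-03-12 10:17:00 ALLOW TCP 198.51.100.10:51000 -> 10.1.1.2:80 SYN
2008-03-12 10:17:00 ALLOW TCP 198.51.100.10:51000 -> 10.1.1.2:80 ACK
2008-03-12 10:18:30 ALLOW TCP 209.165.201.1:52000 -> 10.1.1.2:80 SYN
2008-03-12 10:18:30 ALLOW TCP 209.165.201.1:52000 -> 10.1.1.2:80 RST
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z,]+))?$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not fit the assumed format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["flags"] = set(e["flags"].split(",")) if e["flags"] else set()
        entries.append(e)
    return entries


def find_port_scans(entries, min_ports=10):
    """Reconnaissance indicator from 3.7: one source denied on many distinct ports of
    one destination. Returns {(src, dst): sorted ports} for pairs over the threshold."""
    ports = defaultdict(set)
    for e in entries:
        if e["action"] == "DENY":
            ports[(e["src"], e["dst"])].add(e["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_spoofing_indicators(entries):
    """Spoofing indicator from 3.8: an inbound SYN that is followed, on the same
    src:port -> dst:port, by an inbound RST instead of the handshake ACK. A real
    client completes the handshake; a host whose address was forged resets the
    SYN-ACK it never asked for. Returns the set of suspect source addresses."""
    pending = set()      # (src, sport, dst, dport) with a SYN seen and no ACK yet
    suspects = set()
    for e in entries:
        if e["proto"] != "TCP":
            continue
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        flags = e["flags"]
        if "SYN" in flags and "ACK" not in flags:
            pending.add(key)
        elif "RST" in flags and key in pending:
            suspects.add(e["src"])
            pending.discard(key)
        elif "ACK" in flags:
            pending.discard(key)
    return suspects


def analyze(text, min_ports=10):
    """Run both checks over raw log text and return a report dict."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "port_scans": find_port_scans(entries, min_ports),
        "spoofed_sources": sorted(find_spoofing_indicators(entries)),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['entries']} entries parsed")
    for (src, dst), ports in report["port_scans"].items():
        print(f"possible port scan: {src} -> {dst} on {len(ports)} ports {ports}")
    for src in report["spoofed_sources"]:
        print(f"logged source answered SYN-ACK with RST, possibly spoofed: {src}")
```

A client that aborts its own connection also sends RST after SYN, so treat the second indicator as a lead to investigate the logged address further, exactly as the text advises, not as proof.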

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection), because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization as well as the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets - their data. This is because most IT Pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that; Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

• New GUI interface - an MMC snap-in is now available to configure the advanced firewall.
• Bi-directional - filters outbound traffic as well as inbound traffic.
• Works better with IPSEC - now the firewall rules and IPSec encryption configurations are integrated into one interface.
• Advanced rules configuration - you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall, you can better secure your servers from attack, keep your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC Snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules - WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

• Identify the protocol you want to filter - in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).
• Identify the source IP address, source port number, destination IP address and destination port number - our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).
• Open the Windows Firewall with Advanced Security MMC.
• Add the rule - click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC - new rule button

• Select that you want to create a rule for a port.
• Configure protocol & port number - take the default of TCP, enter the port number as 80 and click Next.
• Take the default of "allow this connection" & click Next.
• Take the default of applying this rule to all profiles & click Next.
• Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC - after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security - This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security - This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall - This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server - Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail - Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell - Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet - Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay
A mail relay is a system that allows other systems to send email through it. If your system is an open mail relay, someone can use it to send spam from your machine. If you chose to enable mail services, then after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes, GNOME Lokkit attempts to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program; the results are displayed when the test finishes. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service
The firewall rules are only active while the ipchains service is running. To start the service manually, run:

/sbin/service ipchains restart

To ensure that it is started when the system boots, run:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics
(Source: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents, except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (Source: http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation
In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches; as a result these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. No matter which capture methodology is employed, the disks eventually fill up, so all of these systems need rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: tcpdump on the UNIX systems, or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can isolate the effect of the operating system on overall capture efficiency. Once the best operating system is found, swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than with two, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable: no process can dominate both processors at the same time, so one processor ends up doing packet capture and the other doing analysis.
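The analysis package described above reduces to one small routine once the serial numbers have been pulled out of the dump file. The following is an added example in Python (not code from the original article): given how many serialized packets the generator sent and the list of serials recovered from the capture, it reports the loss percentage and the longest run of consecutive drops. The serial list is constructed; duplicates (a packet recorded twice) are counted separately so they cannot be mistaken for recovered packets, and serials outside the expected range are ignored.

```python
from typing import Iterable, Tuple


def capture_loss(expected: int, captured_serials: Iterable[int]) -> Tuple[float, int, int]:
    """Compare serials recovered from a capture against the generator's count.

    The generator is assumed to have sent serials 0 .. expected-1.
    Returns (loss_percent, longest_drop_run, duplicates).
    """
    seen = [False] * expected
    duplicates = 0
    for serial in captured_serials:
        if 0 <= serial < expected:          # ignore garbage outside the run
            if seen[serial]:
                duplicates += 1             # recorded twice, not "recovered twice"
            seen[serial] = True

    missing = expected - sum(seen)
    longest = run = 0
    for present in seen:                    # longest burst of consecutive drops
        run = 0 if present else run + 1
        longest = max(longest, run)

    loss_percent = 100.0 * missing / expected if expected else 0.0
    return loss_percent, longest, duplicates


# Constructed sample: the generator sent 20 packets; the capture lost the
# burst 5, 6, 7 and the single packet 13, and recorded serial 2 twice.
SAMPLE_SERIALS = [0, 1, 2, 2, 3, 4, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19]

if __name__ == "__main__":
    pct, run, dup = capture_loss(20, SAMPLE_SERIALS)
    print(f"loss {pct:.1f}%  longest run of drops {run}  duplicates {dup}")
```

The longest-run figure is the one that separates a capture platform that drops the odd packet from one that stalls under load; a 2% loss spread evenly is a very different result from a 2% loss concentrated in one 400-packet gap.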


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives, and also explored a variety of RAID systems. The conclusion: IDE drives of that generation were significantly faster than SCSI drives costing two or three times more per gigabyte stored. This was not the expected result, and it goes directly against the conventional wisdom that SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although the highest performance was seen with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, a RAID 5 system based on the 3Ware Escalade 7000 RAID controller came very close.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing that system up will set you back $4000 for an AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM.

3.13 Analyzing the Data
After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, gives you a rough transcript of the unencrypted text that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet still carries the address of its destination and the address of its sender, so by examining the flow of packets over time it is possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful.

Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool you can spy on people's email, learn passwords, determine which Web pages were viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject; you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people while limiting the information captured and disclosed to external intrusions, system glitches, or the one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant, for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only those TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by recording only TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
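The two things this section contrasts, header-only traffic analysis (who talked to whom, on which port, how much) and content-keyword minimization of the kind I-Watch performed, are shown below in an added Python example that is not part of the original article. It builds a small classic-libpcap capture in memory from constructed Ethernet/IPv4/TCP frames (addresses, ports and payloads are invented; checksums are left at zero because the parser does not verify them), then runs both analyses over it. The constructed traffic includes one legitimate HTTP request that happens to contain the keyword, reproducing the over-capture the text mentions.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # little-endian classic pcap, microsecond timestamps
ETH_IPV4 = 0x0800
IPPROTO_TCP = 6


def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums deliberately zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4)
    return eth + ip


def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw frames from a pcap byte string (what tcpdump -w would have written)."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def traffic_analysis(pcap):
    """Header-only view: payload bytes per (src, dst, dport), no content inspected."""
    flows = Counter()
    for frame in iter_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt:
            src, dst, _, dport, payload = pkt
            flows[(src, dst, dport)] += len(payload)
    return flows


def keyword_minimization(pcap, keyword):
    """Keep only connections whose payload contains the keyword (the I-Watch approach)."""
    kept = set()
    for frame in iter_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt and keyword in pkt[4]:
            kept.add(pkt[:4])          # (src, dst, sport, dport)
    return kept


# Constructed traffic: an attacker fetching sni256 over telnet, one innocent
# web request that also mentions sni256, and one unrelated web request.
SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.0.5", "192.0.2.10", 40001, 23, b"login: alice\r\n"),
    tcp_frame("10.0.0.5", "192.0.2.10", 40001, 23, b"fetch sni256 && ./sni256\r\n"),
    tcp_frame("10.0.0.7", "198.51.100.3", 40002, 80, b"GET /sni256.html HTTP/1.0\r\n"),
    tcp_frame("10.0.0.9", "198.51.100.3", 40003, 80, b"GET / HTTP/1.0\r\n"),
])

if __name__ == "__main__":
    for flow, nbytes in traffic_analysis(SAMPLE_PCAP).items():
        print("flow", flow, nbytes, "bytes")
    print("kept by keyword:", keyword_minimization(SAMPLE_PCAP, b"sni256"))
```

Traffic analysis never looks past the headers, so it works on encrypted traffic too; the keyword filter needs cleartext payload, which is exactly why it only caught the attacker (and two bystanders) in the Harvard case.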


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than nose around in other people's business. And while there are exceptions, people who abuse positions of trust generally do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that monitoring may be taking place. (It is not necessary to inform employees before each specific instance of monitoring, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they cannot eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record the information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. Most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a great deal about the nature of the traffic coming in and going out through the firewall, and let you plan your bandwidth requirements from the usage actually observed across the firewalls. Analyzing these traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection
Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then detected automatically and reports are generated immediately. For all firewalls that support exporting logs in WELF (WebTrends Enhanced Log Format), this is the best configuration option.
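To make the "analysis" that products like this automate concrete, here is an added Python example, not code from the original text or from the Firewall Analyzer product, that parses WELF-style lines and extracts the two things the section says firewall logs are for: bandwidth per source (for capacity planning) and hosts being refused on many different services (a risk signal). The log lines are constructed, not real firewall output; the keys used (id, time, fw, pri, rule, proto, src, dst, sent, rcvd, type, msg) are WELF's core key=value fields, and the convention that a refusal is announced in msg is an assumption about this sample.

```python
import re
from collections import Counter, defaultdict

# Constructed WELF-style sample (values containing spaces are double-quoted).
SAMPLE_WELF = """\
id=firewall time="2011-03-12 10:26:36" fw=203.0.113.1 pri=6 rule=3 proto=http src=192.168.1.25 dst=198.51.100.7 sent=512 rcvd=40960 type=conn msg="Connection accepted"
id=firewall time="2011-03-12 10:26:41" fw=203.0.113.1 pri=6 rule=3 proto=http src=192.168.1.25 dst=198.51.100.8 sent=1024 rcvd=81920 type=conn msg="Connection accepted"
id=firewall time="2011-03-12 10:27:02" fw=203.0.113.1 pri=4 rule=12 proto=ssh src=192.168.1.77 dst=203.0.113.1 type=conn msg="Connection denied"
id=firewall time="2011-03-12 10:27:03" fw=203.0.113.1 pri=4 rule=12 proto=telnet src=192.168.1.77 dst=203.0.113.1 type=conn msg="Connection denied"
id=firewall time="2011-03-12 10:27:04" fw=203.0.113.1 pri=4 rule=12 proto=smtp src=192.168.1.77 dst=203.0.113.1 type=conn msg="Connection denied"
id=firewall time="2011-03-12 10:30:15" fw=203.0.113.1 pri=6 rule=3 proto=smtp src=192.168.1.40 dst=198.51.100.20 sent=204800 rcvd=2048 type=conn msg="Connection accepted"
id=firewall time="2011-03-12 10:31:00" fw=203.0.113.1 pri=5 type=mgmt msg="Configuration reloaded"
"""

# key=value where value is either a double-quoted string or a bare token
WELF_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_welf(line):
    """Split one WELF line into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, value in WELF_FIELD.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize(text):
    """Return (bytes per source for accepted connections,
               set of services each source was refused)."""
    bytes_by_src = Counter()
    denied_services = defaultdict(set)
    for line in text.splitlines():
        rec = parse_welf(line)
        src = rec.get("src")
        if not src:
            continue  # management lines carry no src and no traffic
        if rec.get("msg", "").lower().startswith("connection denied"):
            denied_services[src].add(rec.get("proto", "?"))
        else:
            bytes_by_src[src] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
    return bytes_by_src, dict(denied_services)


def top_talkers(bytes_by_src, n=3):
    """Heaviest sources, the input to a bandwidth-planning report."""
    return bytes_by_src.most_common(n)


def probable_scanners(denied_services, threshold=3):
    """Sources refused on at least `threshold` distinct services."""
    return sorted(src for src, svcs in denied_services.items() if len(svcs) >= threshold)


if __name__ == "__main__":
    by_src, denied = summarize(SAMPLE_WELF)
    print("top talkers:", top_talkers(by_src))
    print("probable scanners:", probable_scanners(denied))
```

A real deployment would feed this from the syslog listener rather than a string and would key the refusal on the firewall's own action field where one exists, but the shape of the analysis (normalize key=value records, then aggregate by source) is the same whatever the vendor format.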

3.14.3 Firewall Log Import
For Squid proxy servers and for firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving
Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. Log archiving takes up disk space, so the option can be disabled at any time.

3.14.5 Specific Check Point Settings
Firewall Analyzer lets you add LEA (Log Export API) servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server
Firewall Analyzer comes bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles
Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles to a file and import that file later to restore them, which comes in handy in emergencies such as moving the server to a different machine.


3.15 Network Forensics Tools

(Source: http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

The tools and vendors referenced by that article are:

- Forensic Toolkit (AccessData Corp.)
- Email Examiner (Paraben Corp.)
- EnCase (Guidance Software)
- ProDiscover (Technology Pathways)
- The Sleuth Kit (open source)
- dtSearch (dtSearch Corp.)

The article is tagged with the following topics: chain of custody, evidence, hashing, incident investigation, intellectual property theft, the legal team, network forensics and network penetration.

3.16 Database Forensics

Database forensics is a computer science term referring to the forensic study of databases: gathering and analyzing data, in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps recorded for the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Copies of database evidence can also be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the format used to encode data on the computer disk; documentation of the on-disk formats used by well-known products such as SQL Server and Oracle has been contributed to the public domain.

According to one Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between giving workers appropriate access and protecting sensitive information as much as possible.


For example, database users have traditionally been assigned a database administrator (DBA) role or granted multiple system privileges. DBAs likewise enjoy unbridled system access in order to manage the company's IT infrastructure 24/7 and to respond to emergencies. As companies consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practice. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model
What exactly is a multi-factored security approach? Simply put, it is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms
Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules
Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as the database machine's IP address, the client's IP address, time of day and authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet or outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict sensitive operations to pre-approved IP address ranges.

3.16.4 Roles
As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.
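The realm, rule and role mechanisms of the last three subsections compose into one authorization decision. The following is an added Python example of such a decision function; it is not code from the text or from any database product, and the corporate address ranges, business hours, realm contents, role names and statements are all assumed for illustration. Rules (source network, time of day) are checked before role checks so that an otherwise legitimate DBA schema change is refused from outside the intranet or after hours; realms deny data access to any role not listed as an owner, which is how a DBA is kept out of HR records while still being able to run DDL on them; and DDL is reserved to the DBA role so the security administrator cannot quietly take over that duty.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Assumed policy data for the example.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))          # Monday to Friday
REALMS = {"HR": {"hr.employees", "hr.salaries"}}    # objects inside each protection zone
REALM_OWNERS = {"HR": {"security_admin", "hr_app"}} # roles allowed to touch realm data
DDL = {"CREATE", "ALTER", "DROP"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str          # "dba", "security_admin", "hr_app", ...
    statement: str     # "SELECT", "UPDATE", "EXPORT", "ALTER", ...
    obj: str           # schema-qualified object name
    source_ip: str
    when: datetime


def realm_of(obj):
    return next((name for name, objs in REALMS.items() if obj in objs), None)


def inside_corporate_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def during_business_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def authorize(req):
    """Return (allowed, reason) for one request under the realm/rule/role model."""
    if req.statement in DDL:
        # Separation of duties: only the DBA role changes schema ...
        if req.role != "dba":
            return False, "schema changes are reserved for the DBA role"
        # ... and only within the environmental rules.
        if not inside_corporate_network(req.source_ip):
            return False, "schema changes only from the corporate network"
        if not during_business_hours(req.when):
            return False, "schema changes only during business hours"
        return True, "DBA schema change within rules"

    realm = realm_of(req.obj)
    if realm is not None and req.role not in REALM_OWNERS[realm]:
        return False, f"{req.obj} is inside protected realm {realm}"
    return True, "data access permitted"


if __name__ == "__main__":
    monday_10am = datetime(2011, 3, 14, 10, 0)
    for req in (
        Request("dba1", "dba", "ALTER", "hr.employees", "10.1.2.3", monday_10am),
        Request("dba1", "dba", "ALTER", "hr.employees", "203.0.113.5", monday_10am),
        Request("dba1", "dba", "SELECT", "hr.salaries", "10.1.2.3", monday_10am),
        Request("sec1", "security_admin", "SELECT", "hr.salaries", "10.1.2.3", monday_10am),
        Request("sec1", "security_admin", "ALTER", "hr.salaries", "10.1.2.3", monday_10am),
    ):
        print(req.user, req.statement, req.obj, "->", authorize(req))
```

The point of evaluating rules before roles is that a stolen DBA credential used from a hotel network at 3 a.m. is refused for reasons that have nothing to do with the credential itself.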

3.16.5 System Policies
The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to newer database security technologies, security administrators can now set restrictions that prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defense an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment living on the internal network rather than in a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

- Access control
- Auditing
- Authentication
- Encryption
- Integrity controls

Database security can begin with the creation and publication of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that apply across platforms, and links from the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance
An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities in the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database. Database objects include tables and other schema objects, and the permissions granted for SQL commands on those objects are what this review examines. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is an ongoing process of risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may affect the application software or the application server. Directly related to this topic is application security.

3.16.7 Abstraction
Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms. A single sign-on system stores the database user's credentials (login ID and password) and authenticates to the database on behalf of the user, which makes that credential store a high-value target that needs the same protection as the databases themselves.

3.16.8 Activity Monitoring
Another, more sophisticated security layer is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used to detect anomalous activity that could indicate intrusion. These systems can provide a comprehensive database audit trail in addition to intrusion detection, and some can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit
In addition to external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators have no access. This provides a degree of segregation of duties and can serve as evidence that the native audit trails were not modified by privileged administrators. Generally, the native audit trails of databases do not by themselves provide sufficient controls to enforce separation of duties, so network- and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.
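Moving the audit trail off the database host only helps if the copy held by the security system can later be shown to be complete and unmodified. The following is an added Python example (not code from the text or from any database platform) of one way the receiving security system can do that: link each extracted audit row to its predecessor with a SHA-256 hash chain, and seal the newest hash with an HMAC under a key the DBAs never hold. The audit rows and the key are constructed for the example. Editing any row breaks the chain at that row; silently dropping the most recent rows leaves the remaining chain internally consistent, which is precisely why the head has to be sealed off-box as well.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

# Constructed extract of a native audit trail (shape assumed for the example).
SAMPLE_AUDIT = [
    {"ts": "2011-03-12T10:26:36", "user": "dba1", "action": "UPDATE", "object": "hr.salaries", "rows": 1},
    {"ts": "2011-03-12T10:27:02", "user": "dba1", "action": "DELETE", "object": "hr.salaries", "rows": 3},
    {"ts": "2011-03-12T10:30:15", "user": "secadm", "action": "GRANT", "object": "hr.salaries", "rows": 0},
]
KEY = b"constructed-demo-key-held-only-by-the-security-system"


def _digest(prev_hash, record):
    """Hash of the previous link plus a canonical serialization of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def chain_records(records, genesis=GENESIS):
    """Link extracted audit rows so that each carries the hash of its predecessor."""
    chained, prev = [], genesis
    for rec in records:
        h = _digest(prev, rec)
        chained.append({**rec, "prev": prev, "hash": h})
        prev = h
    return chained


def verify_chain(chained, genesis=GENESIS):
    """Return the index of the first broken link, or None if every link checks out."""
    prev = genesis
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, body):
            return i
        prev = rec["hash"]
    return None


def seal_head(chained, key):
    """MAC over the newest hash, computed where the DBAs have no access."""
    head = chained[-1]["hash"] if chained else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def seal_matches(chained, seal, key):
    """True if the chain still ends where it ended when the seal was made."""
    return hmac.compare_digest(seal_head(chained, key), seal)


def altered(chained, index, **changes):
    """Copy of the chain with one record edited, as a DBA with table access might do."""
    copy = [dict(r) for r in chained]
    copy[index].update(changes)
    return copy


if __name__ == "__main__":
    chain = chain_records(SAMPLE_AUDIT)
    seal = seal_head(chain, KEY)
    print("intact:", verify_chain(chain), seal_matches(chain, seal, KEY))
    print("edited row 1 breaks at:", verify_chain(altered(chain, 1, rows=0)))
    truncated = chain[:-1]
    print("truncated: chain says", verify_chain(truncated), "seal says", seal_matches(truncated, seal, KEY))
```

In practice the seal would be recomputed after every batch and the sequence of seals itself retained, so that a gap between two extracts is as detectable as a modified row.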

3.16.10 Process and Procedures
A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered wherever the risk justifies the expense of such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment; replication of the primary databases to sites in different geographical regions is one example. After an incident occurs, database forensics should be used to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities
SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, an attacker manipulates a web application's input so that their own SQL is spliced into the queries the application issues to the database. For an example, see the article "SQL Injection Attacks on Databases". Here we look at several ways you can test your web applications to determine whether they are vulnerable to SQL Injection.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking in all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
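The probe and the defenses above, as an added example that is not part of the original text: the same directory lookup written three ways (string concatenation, quote stripping, parameterized query) against a constructed in-memory SQLite table, with a check that classifies each handler by how it reacts to the bogus-table probe from the test URL. The table contents, the function names and the quote-balanced form of the probe are my assumptions.

```python
import sqlite3

def make_directory_db():
    """Constructed in-memory directory table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("doe", "jane", "555-0199")])
    conn.commit()
    return conn

# The innocuous probe from the test URL, quote-balanced so the statement still parses
# once it is concatenated: it references a table ("fake") that does not exist, so an
# application that splices it into SQL fails at the database with an object-not-found
# error, while an application that treats it as plain data simply finds no match.
PROBE_FIRSTNAME = "mike' AND (select count(*) from fake) > 0 OR '1'='1"

def lookup_concatenated(conn, lastname, firstname):
    """Vulnerable: the query directory.asp is assumed to build, by string concatenation."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_quotes_stripped(conn, lastname, firstname):
    """The 'well-behaved' application of section 3.17.3: strips single quotes, then
    concatenates. The probe stays inside the string literal and becomes a weird name
    lookup, but this is a weak control (it does nothing for numeric fields, for example)."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname.replace("'", "")
           + "' AND firstname = '" + firstname.replace("'", "") + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, lastname, firstname):
    """Hardened: placeholders pass the values separately from the SQL text, so input
    can never change the statement's structure whatever characters it contains."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]

def probe(conn, lookup):
    """The evaluation step of 3.17.3: classify a lookup handler by its reaction to the probe."""
    try:
        rows = lookup(conn, "chapple", PROBE_FIRSTNAME)
    except sqlite3.OperationalError as exc:
        # A database error naming the bogus table is the "detailed error" signal
        # (SQLite says "no such table: fake" where SQL Server says "Invalid object name").
        return "vulnerable: database error reached the caller (%s)" % exc
    if rows:
        # No error, but the OR '1'='1' tail matched everything: the probe became SQL.
        return "vulnerable: probe matched %d rows" % len(rows)
    return "not vulnerable to this probe: no rows and no database error"

if __name__ == "__main__":
    db = make_directory_db()
    for handler in (lookup_concatenated, lookup_quotes_stripped, lookup_parameterized):
        print(handler.__name__, "->", probe(db, handler))
```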

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. These are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first point of call for forensics. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by both hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the Internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people

Illegally using someone else's computer or "posing" as someone else on the Internet

Using spyware to gather information about people

Emails requesting money in return for "small deposits"

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers

Using someone else's computer to access personal information with the intent to use it fraudulently

Using the computer to solicit minors into sexual alliances

Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs

Hacking into computer systems to gather large amounts of information for illegal purposes

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising oneself as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system

Making copies of relevant logs and data; this includes making bit-stream backups of all hard disk drives

Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.



This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that yes, indeed, a web server is running. This information can then be used to determine the methods of attack that may be successful against the targeted host.

3.8 The Value (or Not) of IP Addresses____________________

One pitfall to keep in mind when you review your firewall logs is that just because the logs report that a certain IP address attempted to connect, that does not necessarily mean that IP address was indeed responsible. IP addresses can be spoofed relatively easily. That is not to say that spoofing addresses and actually doing something malicious as a result is a trivial process, which is a frequent misconception regarding IP address spoofing. Although it is easy to spoof an IP address, it is not easy to pull off an attack while spoofing addresses. Think of it like this: if the attacker needs to get some information as a part of the attack and he is spoofing his IP address, the information is going to be sent to the spoofed IP address, which means that in general it is not going to the attacker. Figure 3.2 illustrates how attackers may spoof their IP address.

Figure 3.2 How Spoofing Works

In the example in Figure 3.2, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1 because that is what the source IP address of the packet is. In reality the packet came from the attacker, but the firewall has no way of knowing that.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, then when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is to look for TCP resets from the innocent victim in your firewall logs.
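The reset check just described, as an added example that is not part of the original text: a small parser for a constructed firewall log format and a heuristic that flags source addresses whose SYNs were answered by their own RSTs rather than by the ACK that completes a handshake. The log format, the addresses (IANA documentation ranges, with 209.165.201.1 from Figure 3.2 as the spoofed victim) and the function names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified log format for this example (not any vendor's real syntax):
#   <time> <in|out> tcp <src>:<sport> > <dst>:<dport> <flags>
# Flags are the usual letters: S = SYN, A = ACK, R = RST, P = PSH.
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<dir>in|out)\s+tcp\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+)$"
)

# Constructed sample: three spoofed SYNs carrying the victim's address (209.165.201.1),
# each answered by the victim's RST because it never opened the connection; then one
# genuine client (198.51.100.7) that completes its handshake, sends data and finally
# resets. 192.0.2.10 is the protected host behind the firewall.
SAMPLE_LOG = """
10:00:01 in  tcp 209.165.201.1:51000 > 192.0.2.10:80  S
10:00:01 out tcp 192.0.2.10:80 > 209.165.201.1:51000  SA
10:00:01 in  tcp 209.165.201.1:51000 > 192.0.2.10:80  R
10:00:02 in  tcp 209.165.201.1:51001 > 192.0.2.10:22  S
10:00:02 out tcp 192.0.2.10:22 > 209.165.201.1:51001  SA
10:00:02 in  tcp 209.165.201.1:51001 > 192.0.2.10:22  R
10:00:03 in  tcp 209.165.201.1:51002 > 192.0.2.10:443 S
10:00:03 out tcp 192.0.2.10:443 > 209.165.201.1:51002 SA
10:00:03 in  tcp 209.165.201.1:51002 > 192.0.2.10:443 R
10:00:05 in  tcp 198.51.100.7:40000 > 192.0.2.10:80   S
10:00:05 out tcp 192.0.2.10:80 > 198.51.100.7:40000   SA
10:00:05 in  tcp 198.51.100.7:40000 > 192.0.2.10:80   A
10:00:06 in  tcp 198.51.100.7:40000 > 192.0.2.10:80   PA
10:00:09 in  tcp 198.51.100.7:40000 > 192.0.2.10:80   R
""".strip().splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def inbound_flows(lines):
    """Group the flag strings of inbound packets by flow (src, sport, dst, dport)."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dir"] == "in":
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec["flags"])
    return flows

def reset_without_handshake(packet_flags):
    """True when the remote side sent a SYN and later a RST but never the bare ACK
    (or data) that a host which really opened the connection would send."""
    syn = any("S" in f and "A" not in f for f in packet_flags)
    rst = any("R" in f for f in packet_flags)
    ack = any("A" in f and "S" not in f and "R" not in f for f in packet_flags)
    return syn and rst and not ack

def suspect_sources(lines, min_flows=2):
    """Source addresses that reset at least min_flows of 'their own' connections
    instead of completing them. This pattern fits an innocent spoofed host answering
    SYN-ACKs it never asked for; it also fits a half-open port scanner, so a hit means
    the logged address needs further investigation, not that it is the attacker."""
    counts = defaultdict(int)
    for (src, _sport, _dst, _dport), flags in inbound_flows(lines).items():
        if reset_without_handshake(flags):
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= min_flows)

if __name__ == "__main__":
    print("addresses to verify before acting on them:", suspect_sources(SAMPLE_LOG))
```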

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should probably not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that; Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface: an MMC snap-in is now available to configure the advanced firewall

Bi-directional: filters outbound traffic as well as inbound traffic

Works better with IPsec: now the firewall rules and IPsec encryption configurations are integrated into one interface

Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server

With the addition of being a bi-directional firewall a better GUI and advanced rules configuration the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro for example) I know that the first concern of any server admin in using a host-based firewall is what if it prevents critical server infrastructure apps from functioning While that is always a possibility with any security measure WFAS will automatically configure new rules for any new server roles that are added to the server However if you run any non-Microsoft applications on your server that need inbound network connectivity you will have to create a new rule for that type of traffic By using the advanced windows firewall you can better secure your servers from attack your servers from attacking others and really nail down what traffic is going in and out of your servers Letrsquos see how it is done

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adapter, or from the Control Panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from an MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest and easiest way to start the WFAS MMC is to just type "firewall" in the Start menu Search box, like this:

Figure 3.5 Starting the Windows 2008 Firewall with Advanced Security MMC from the Start menu Search box

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is on and is blocking inbound connections that don't match an inbound rule. Outbound connections, by contrast, are allowed unless a rule blocks them, so outbound filtering is effectively off until you change the profile's default outbound action. Something else you will notice is that there are different profiles for WFAS (see Figure 3.6 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile for WFAS. What these different profiles allow you to do is take the many inbound and outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows Server 2003 firewall option to add an exception (a rule) in Figure 3.7.


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows Server 2008:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users and Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's ISA Server. The number of default rules offered by WFAS is truly amazing. In Windows Server 2003 there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules.


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows Server 2008 machine. If you had used the IIS built in to Windows, the port would have been opened for you automatically. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

1. Identify the protocol you want to filter: in our case it is going to be TCP (as opposed to UDP or ICMP).

2. Identify the source IP address, source port number, destination IP address and destination port number: our web traffic will be coming from ANY IP address and any port number, going to this server on port 80. (Note that you could also create a rule for a certain program, such as the Apache HTTP Server.)

3. Open the Windows Firewall with Advanced Security MMC and add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

4. Select that you want to create a rule for a port. Configure the protocol and port number: take the default of TCP, enter the port number as 80, and click Next. Take the default of "allow this connection" and click Next. Take the default of applying this rule to all profiles and click Next. Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can determine the effect of different operating systems on overall capture efficiency. Once the best operating system has been found, you can swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
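The analysis step of the test above, as an added example that is not part of the original article or of any capture tool: it assumes the generator stamps a 32-bit big-endian serial number into the first four bytes of every payload (a convention chosen here, not something the text specifies) and that the dump file has already been reduced to those payloads. From the serials recovered it computes the two figures the test needs, the percentage of packets the capture box missed and the longest run of consecutive misses, tolerating reordered and duplicated frames along the way.

```python
"""Capture-loss metrics for a serialized packet test (added example)."""
import struct
from typing import Iterable, List, Tuple


def serial_of(payload: bytes) -> int:
    """Recover the generator's serial number: assumed to be the first four
    bytes of the payload, big-endian."""
    return struct.unpack("!I", payload[:4])[0]


def capture_loss(received: Iterable[int], total_sent: int) -> Tuple[float, int]:
    """Return (percent dropped, longest consecutive run of drops).

    Duplicates and out-of-range serials are ignored: captured frames may be
    reordered or seen twice, and a damaged dump may contain garbage.
    """
    seen = {s for s in received if 0 <= s < total_sent}
    dropped = total_sent - len(seen)
    longest = run = 0
    for serial in range(total_sent):
        if serial in seen:
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    percent = 100.0 * dropped / total_sent if total_sent else 0.0
    return percent, longest


# Constructed dump: 10 packets were sent; the capture box missed 3, 4, 7 and 8.
SAMPLE_PAYLOADS: List[bytes] = [
    struct.pack("!I", n) + b"x" * 60 for n in (0, 1, 2, 5, 6, 9)
]


def analyze_sample() -> Tuple[float, int]:
    return capture_loss((serial_of(p) for p in SAMPLE_PAYLOADS), total_sent=10)


if __name__ == "__main__":
    pct, run = analyze_sample()
    print(f"dropped {pct:.1f}% of packets, longest run of drops: {run}")
```

The longest run matters as much as the percentage: a capture platform that loses 1% of frames in one long burst (typically when the disk cannot keep up and the kernel buffer overflows) will miss whole connections, while the same 1% scattered evenly merely truncates a few.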


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender, and by examining the flow of packets over time it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.
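Two passages above call for the same piece of code: the "stop, look and listen" design of section 3.11 (look at each packet once, in memory, keep only selected results) and the traffic analysis just described (what the headers alone reveal about who talks to whom). The following is an added example, not code from Garfinkel's article, from tcpdump or from any NFAT product. It parses raw Ethernet II frames carrying IPv4 with TCP or UDP, keeps a per-flow packet and byte count, discards the payload, and then answers the traffic-analysis question for one host. The addresses, ports and frames are constructed for the sample; `build_frame` exists only to manufacture them and writes zero checksums, which the parser does not verify.

```python
"""Stop, look and listen: reduce raw Ethernet frames to flow records (added example)."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# (src_ip, dst_ip, proto, sport, dport)
FlowKey = Tuple[str, str, int, int, int]


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Optional[Tuple[FlowKey, int]]:
    """Return (flow key, payload length) for an IPv4 TCP/UDP frame, else None.
    Only headers are inspected; the payload itself is never retained."""
    if len(frame) < ETH_HLEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                                   # ARP, IPv6, VLAN...: ignored
    ip = frame[ETH_HLEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4_hlen = 20 if proto == IPPROTO_TCP else 8 if proto == IPPROTO_UDP else 0
    if not l4_hlen or len(ip) < ihl + l4_hlen:
        return None                                   # other protocol or truncated frame
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == IPPROTO_TCP:
        l4_hlen = (ip[ihl + 12] >> 4) * 4             # TCP data offset, options included
    payload_len = max(0, total_len - ihl - l4_hlen)
    key = (_dotted(ip[12:16]), _dotted(ip[16:20]), proto, sport, dport)
    return key, payload_len


def summarize_flows(frames: Iterable[bytes]) -> Dict[FlowKey, Dict[str, int]]:
    """Per-flow packet and payload-byte counts: the 'selected results' that get written out."""
    flows: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, payload_len = parsed
        flows[key]["packets"] += 1
        flows[key]["bytes"] += payload_len
    return dict(flows)


def peers_of(flows: Dict[FlowKey, Dict[str, int]], host: str) -> Set[str]:
    """Traffic analysis on headers alone: who did this host exchange packets with?"""
    peers: Set[str] = set()
    for src, dst, _proto, _sport, _dport in flows:
        if src == host:
            peers.add(dst)
        elif dst == host:
            peers.add(src)
    return peers


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet II + IPv4 (no options) + minimal TCP/UDP header.
    Checksums are left at zero; the parser above does not verify them."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00\x1b\x21\x00\x00\x01" + b"\x00\x1b\x21\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


# Constructed capture: a workstation talking HTTPS and DNS, an inbound SSH session, one ARP frame.
SAMPLE_FRAMES: List[bytes] = (
    [build_frame("10.0.0.5", "93.184.216.34", IPPROTO_TCP, 51000, 443, b"\x17\x03\x03" + b"A" * 297)] * 3
    + [build_frame("10.0.0.5", "10.0.0.53", IPPROTO_UDP, 40000, 53, b"Q" * 40)]
    + [build_frame("10.0.0.7", "10.0.0.5", IPPROTO_TCP, 33000, 22, b"S" * 100)]
    + [b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28]
)


def sample_summary() -> Dict[FlowKey, Dict[str, int]]:
    return summarize_flows(SAMPLE_FRAMES)


if __name__ == "__main__":
    for key, stats in sample_summary().items():
        print(key, stats)
    print("10.0.0.5 talked to:", sorted(peers_of(sample_summary(), "10.0.0.5")))
```

Note what survives the reduction even for the encrypted HTTPS flow: the peer, the port, the packet count and the byte volume. That is exactly the traffic-analysis residue the text describes, and it is why a flow record store needs the same access policy as a full packet store.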


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they can't eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
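What a log analyzer actually does with WELF records is easy to show in a few lines, and the same parser also serves the point made at the start of section 3.10: once the forensic analysis has established that a DMZ host was used to reach the firewall, the logs are where you check whether the ruleset still allows that path. The following is an added example, not code from Firewall Analyzer or any vendor. The WELF key names (time, fw, src, dst, proto, rule, rcvd, sent, msg) are the standard ones; the action value carried in msg= ("Allow"/"Deny"), the DMZ prefix, the firewall's own interface addresses and the log excerpt itself are all constructed for the sample.

```python
"""Firewall-log analysis on WELF records: bandwidth per source plus a ruleset check (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# key=value tokens; values may be double-quoted and contain spaces (e.g. time="...").
WELF_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed site facts: the DMZ prefix and the addresses of the firewall's own interfaces.
DMZ_NET = ipaddress.ip_network("172.16.10.0/24")
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in ("203.0.113.1", "172.16.10.1", "10.1.2.1")}


def parse_welf(line: str) -> Dict[str, str]:
    """Split one WELF line into a key/value dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in WELF_TOKEN.findall(line)}


def load_welf(text: str) -> List[Dict[str, str]]:
    return [parse_welf(line) for line in text.splitlines() if line.strip()]


def bytes_by_source(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Bandwidth view: total bytes in both directions per source address."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r["src"]] += int(r.get("rcvd", 0)) + int(r.get("sent", 0))
    return dict(totals)


def dmz_to_firewall(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Ruleset check: connections the firewall allowed from a DMZ host to one of
    its own addresses. Every hit points at a rule that should not exist.
    The msg="Deny" convention is an assumption; real exports vary by vendor."""
    hits = []
    for r in records:
        try:
            src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        except (KeyError, ValueError):
            continue                                   # malformed record: skip, don't crash
        if src in DMZ_NET and dst in FIREWALL_ADDRS and r.get("msg", "") != "Deny":
            hits.append(r)
    return hits


# Constructed log excerpt in WELF format.
SAMPLE_LOG = """\
id=firewall time="2009-04-02 09:15:01" fw=203.0.113.1 pri=6 rule=12 proto=http src=10.1.2.30 dst=198.51.100.7 rcvd=48213 sent=1204 msg="Allow"
id=firewall time="2009-04-02 09:15:04" fw=203.0.113.1 pri=6 rule=12 proto=https src=10.1.2.31 dst=198.51.100.9 rcvd=90112 sent=3300
id=firewall time="2009-04-02 09:16:10" fw=203.0.113.1 pri=4 rule=7 proto=ssh src=172.16.10.20 dst=172.16.10.1 rcvd=1800 sent=2200 msg="Allow"
id=firewall time="2009-04-02 09:16:12" fw=203.0.113.1 pri=4 rule=99 proto=ssh src=172.16.10.20 dst=203.0.113.1 rcvd=0 sent=0 msg="Deny"
id=firewall time="2009-04-02 09:17:00" fw=203.0.113.1 pri=6 rule=3 proto=http src=198.51.100.50 dst=172.16.10.20 rcvd=620 sent=15800 msg="Allow"
"""


def analyze_sample():
    records = load_welf(SAMPLE_LOG)
    return bytes_by_source(records), dmz_to_firewall(records)


if __name__ == "__main__":
    totals, hits = analyze_sample()
    for src, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {total:>8} bytes")
    for r in hits:
        print(f"DMZ host {r['src']} reached firewall {r['dst']} via rule {r['rule']} ({r['proto']})")
```

In the sample, rule 7 lets the DMZ web server open SSH to the firewall's DMZ-side interface; rule 99 correctly denies the same host's attempt against the outside address. The first is the kind of finding the forensic analysis in section 3.10 is meant to surface, and a check like this belongs in the routine reporting so the rule does not quietly come back.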

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles to a file and import that file later to get the profiles back. This will come in handy in case of exigencies, such as when you are moving the server to a different machine.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors referenced by the article above: Forensic Toolkit (AccessData Corp.), Email Examiner (Paraben Corp.), EnCase (Guidance Software), ProDiscover (Technology Pathways), The Sleuth Kit, and dtSearch (dtSearch Corp.). Recurring themes: chain of custody, evidence, hashing, incident investigation, intellectual property theft, the legal team, network forensics and network penetration.

3.16 Database Forensics_______________________________

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of database such as SQL Server and Oracle has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
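The timestamp test mentioned above is worth seeing in concrete form. What follows is an added example, not code from the chapter or from any forensic product: it loads a constructed copy of an accounts table and its audit trail into an in-memory SQLite database (an examiner works on a preserved copy, never the live system) and applies three validity checks to each row's update time: it must not precede the row's creation time, it must not be later than the moment the evidence was acquired, and an update should be corroborated by an audit entry within a small tolerance. The schema, rows, audit entries and the five-second tolerance are all assumptions made for the sample.

```python
"""Testing row timestamps for validity against an audit trail (added example, sqlite3)."""
import sqlite3
from datetime import datetime, timedelta
from typing import List, Tuple

SCHEMA = """
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER,
    created_at TEXT NOT NULL, updated_at TEXT NOT NULL);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, account_id INTEGER, action TEXT,
    actor TEXT, logged_at TEXT NOT NULL);
"""

# Constructed evidence copy. Row 1 is clean; rows 2 to 4 each break an invariant.
ACCOUNTS = [
    (1, "alice", 1200, "2009-03-01 10:00:00", "2009-03-05 14:00:00"),
    (2, "bob",   9000, "2009-03-02 09:30:00", "2009-02-28 23:59:00"),   # updated before created
    (3, "carol",  250, "2009-03-03 11:15:00", "2009-03-09 02:10:00"),   # update with no audit entry
    (4, "dave",    75, "2009-03-04 08:00:00", "2009-03-20 12:00:00"),   # later than acquisition
]
AUDIT = [
    (1, 1, "UPDATE", "app_user", "2009-03-05 14:00:02"),
    (2, 2, "INSERT", "app_user", "2009-03-02 09:30:01"),
    (3, 3, "INSERT", "app_user", "2009-03-03 11:15:01"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def open_evidence() -> sqlite3.Connection:
    """Load the constructed copy into memory; a real case would attach the preserved image."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", ACCOUNTS)
    conn.executemany("INSERT INTO audit_log VALUES (?,?,?,?,?)", AUDIT)
    return conn


def check_timestamps(conn: sqlite3.Connection, acquired_at: str,
                     tolerance: timedelta = timedelta(seconds=5)) -> List[Tuple[int, str]]:
    """Return (account id, finding) pairs for rows whose timestamps are not credible."""
    acquired = datetime.strptime(acquired_at, FMT)
    findings: List[Tuple[int, str]] = []
    for acct_id, created, updated in conn.execute(
            "SELECT id, created_at, updated_at FROM accounts ORDER BY id"):
        c, u = datetime.strptime(created, FMT), datetime.strptime(updated, FMT)
        if u < c:
            findings.append((acct_id, "updated_at precedes created_at"))
        if u > acquired:
            findings.append((acct_id, "updated_at is later than the acquisition time"))
        # An update should leave a footprint in the audit trail within the tolerance;
        # a missing footprint suggests the row was edited outside the application
        # or the audit trail was trimmed.
        corroborated = any(
            abs(datetime.strptime(logged, FMT) - u) <= tolerance
            for (logged,) in conn.execute(
                "SELECT logged_at FROM audit_log WHERE account_id = ? AND action = 'UPDATE'",
                (acct_id,)))
        if u != c and not corroborated:
            findings.append((acct_id, "update not corroborated by audit_log"))
    return findings


def run_sample() -> List[Tuple[int, str]]:
    return check_timestamps(open_evidence(), acquired_at="2009-03-10 00:00:00")


if __name__ == "__main__":
    for acct_id, finding in run_sample():
        print(f"account {acct_id}: {finding}")
```

None of these findings proves tampering on its own: clock skew between the database host and the audit collector, or a bulk migration, can produce the same pattern. They tell the examiner which rows to pull the transaction log and storage-level timestamps for next.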


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet, or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict sensitive information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control

Auditing

Authentication

Encryption

Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially public permissions) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on those objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
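As an added illustration of the rules (3.16.3), system policies (3.16.5) and policy-breach side of activity monitoring (3.16.8) described above, here is a small Python checker run over a few constructed database audit lines. This is example code written for this page, not code from the original text or from any product; the log format, the approved network range, the business hours, the user names and the realm membership are all assumptions chosen for the example. It covers only policy-rule matching, not the baseline/anomaly approach the section also mentions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample audit lines (assumption: "timestamp user client_ip statement").
SAMPLE_LOG = """\
2024-03-04T10:15:02 dba_alice 10.20.0.15 UPDATE payroll SET salary=90000 WHERE emp_id=17
2024-03-04T23:40:11 dba_alice 10.20.0.15 SELECT ssn FROM employees
2024-03-04T11:02:45 dba_bob 203.0.113.9 ALTER TABLE employees ADD COLUMN note TEXT
2024-03-04T14:30:00 secadmin_eve 10.20.0.7 ALTER TABLE employees DROP COLUMN note
2024-03-04T15:05:10 app_svc 10.20.0.30 SELECT phone FROM directory WHERE emp_id=?
"""

# Policy inputs (all assumed for the example).
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # rule: corporate intranet only
BUSINESS_HOURS = (8, 18)                                      # rule: 08:00-17:59 local time
SCHEMA_CHANGERS = {"secadmin_eve"}                            # system policy: who may alter the schema
SENSITIVE_REALM = {"payroll", "employees"}                    # realm: protected objects
SENSITIVE_ALLOWED = {"app_svc", "secadmin_eve"}               # realm: who may touch them (DBAs are not)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
DDL_RE = re.compile(r"^(ALTER|DROP|CREATE)\b", re.I)
TABLE_RE = re.compile(r"\b(?:FROM|UPDATE|INTO|TABLE)\s+([A-Za-z_]\w*)", re.I)


def parse_line(line):
    """Split one audit line into its fields; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, ip, stmt = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "stmt": stmt}


def evaluate(event):
    """Return the list of policy violations for one parsed event (empty if clean)."""
    findings = []
    if not any(event["ip"] in net for net in APPROVED_NETWORKS):
        findings.append("off-network")
    hour = event["ts"].hour
    if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        findings.append("outside-hours")
    if DDL_RE.match(event["stmt"]) and event["user"] not in SCHEMA_CHANGERS:
        findings.append("unauthorized-schema-change")
    tables = {t.lower() for t in TABLE_RE.findall(event["stmt"])}
    if tables & SENSITIVE_REALM and event["user"] not in SENSITIVE_ALLOWED:
        findings.append("realm-violation")
    return findings


def analyze(log_text):
    """Run every line through the policy and keep only the events that violate it."""
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = evaluate(ev)
        if findings:
            results.append((ev["user"], ev["stmt"].split()[0], findings))
    return results


if __name__ == "__main__":
    for user, verb, findings in analyze(SAMPLE_LOG):
        print(f"{user:12s} {verb:7s} {', '.join(findings)}")
```

Run as a script it lists three flagged events: the DBA reading payroll and employee data (a realm violation, the second one also outside business hours) and the DBA altering the schema from an off-network address. The security administrator's own schema change and the application account's lookup pass cleanly, which is the separation of duties the section argues for.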


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
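The two forensic questions raised in this section and in the introduction to 3.16 (can the investigator trust that the audit trail was not modified, and do a row's update timestamps agree with the recorded actions?) can be answered mechanically. The following Python example, written for this page and not taken from the original text or any database product, builds a hash-chained audit table next to an ordinary data table in an in-memory SQLite database, then shows how a direct row edit that bypassed the audited path and a later edit of the audit trail itself are both detected. The table names, column layout and sample values are assumptions.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # assumed starting value for the hash chain


def build_database():
    """In-memory database: a data table with update timestamps plus a hash-chained audit trail."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, "
                "balance INTEGER, updated_at TEXT)")
    con.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, ts TEXT, actor TEXT, "
                "row_id INTEGER, new_balance INTEGER, prev_hash TEXT, hash TEXT)")
    return con


def record_hash(ts, actor, row_id, new_balance, prev_hash):
    """Hash of one audit record; including prev_hash is what links the chain."""
    payload = json.dumps([ts, actor, row_id, new_balance, prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


def append_audit(con, ts, actor, row_id, new_balance):
    """Append an audit record whose hash covers the previous record's hash."""
    prev = con.execute("SELECT hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    prev_hash = prev[0] if prev else GENESIS
    h = record_hash(ts, actor, row_id, new_balance, prev_hash)
    con.execute("INSERT INTO audit (ts, actor, row_id, new_balance, prev_hash, hash) "
                "VALUES (?,?,?,?,?,?)", (ts, actor, row_id, new_balance, prev_hash, h))
    return h


def apply_update(con, ts, actor, row_id, new_balance):
    """The audited path: every balance change also writes an audit record."""
    con.execute("UPDATE accounts SET balance=?, updated_at=? WHERE id=?",
                (new_balance, ts, row_id))
    append_audit(con, ts, actor, row_id, new_balance)


def verify_chain(con):
    """Recompute every hash in order; return the seq of the first bad record, or None."""
    prev_hash = GENESIS
    rows = con.execute("SELECT seq, ts, actor, row_id, new_balance, prev_hash, hash "
                       "FROM audit ORDER BY seq").fetchall()
    for seq, ts, actor, row_id, nb, stored_prev, stored_hash in rows:
        if stored_prev != prev_hash or stored_hash != record_hash(ts, actor, row_id, nb, prev_hash):
            return seq
        prev_hash = stored_hash
    return None


def unexplained_rows(con):
    """Rows whose current (balance, updated_at) has no matching audit record:
    evidence that a change bypassed the audited path."""
    bad = []
    for row_id, balance, updated_at in con.execute(
            "SELECT id, balance, updated_at FROM accounts").fetchall():
        match = con.execute("SELECT 1 FROM audit WHERE row_id=? AND new_balance=? AND ts=?",
                            (row_id, balance, updated_at)).fetchone()
        if match is None:
            bad.append(row_id)
    return bad


def demo():
    """Constructed scenario; returns (chain_ok_before, rows_before, rows_after, chain_after)."""
    con = build_database()
    con.execute("INSERT INTO accounts VALUES (1,'alice',100,'2024-03-01T09:00:00')")
    con.execute("INSERT INTO accounts VALUES (2,'bob',250,'2024-03-01T09:00:00')")
    append_audit(con, "2024-03-01T09:00:00", "loader", 1, 100)
    append_audit(con, "2024-03-01T09:00:00", "loader", 2, 250)
    apply_update(con, "2024-03-02T10:00:00", "teller", 1, 150)
    before = (verify_chain(con), unexplained_rows(con))
    # A privileged user edits a row directly, bypassing the audited path ...
    con.execute("UPDATE accounts SET balance=9999, updated_at='2024-03-02T10:00:00' WHERE id=2")
    # ... and then edits the audit trail to cover a record.
    con.execute("UPDATE audit SET new_balance=150 WHERE seq=2")
    return before[0], before[1], unexplained_rows(con), verify_chain(con)


if __name__ == "__main__":
    print(demo())  # (None, [], [2], 2)
```

The chain check only proves that the copy of the audit trail being examined is internally consistent; that is why the section insists the trail be shipped to a system the DBAs cannot reach, so that the last known-good hash can be compared against a copy the administrators could not rewrite.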

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
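To make the difference between a vulnerable lookup and a protected one concrete, here is an added Python example (not code from the original article, which discusses a classic ASP page against SQL Server) that rebuilds the directory lookup on an in-memory SQLite table. It runs the article's own probe string through three implementations: the string-concatenated query the article warns about, the same query with bound parameters, and the parameterized query behind the parameter check the first recommendation asks for. The table contents and the name-validation pattern are assumptions made for the example.

```python
import re
import sqlite3

# The probe from the article, URL-decoded: closes the quoted value, references a table
# that does not exist, then tacks on an always-true condition.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    """Constructed directory table mirroring the article's example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    con.executemany("INSERT INTO directory VALUES (?,?,?)", [
        ("chapple", "mike", "555-0100"),
        ("doe", "jane", "555-0199"),
    ])
    return con


def lookup_vulnerable(con, lastname, firstname):
    """The pattern the article describes: user input pasted straight into the SQL text."""
    sql = (f"SELECT phone FROM directory WHERE lastname = '{lastname}' "
           f"AND firstname = '{firstname}'")
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, lastname, firstname):
    """Bound parameters: the input is delivered as a value and never parsed as SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in con.execute(sql, (lastname, firstname))]


# Assumed validation policy for the example: letters, spaces and hyphens, 1-50 characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z -]{0,49}$")


def lookup_validated(con, lastname, firstname):
    """Parameter checking (the article's first recommendation) in front of the safe query."""
    for value in (lastname, firstname):
        if not NAME_RE.match(value):
            raise ValueError(f"rejected input: {value!r}")
    return lookup_parameterized(con, lastname, firstname)


def run_probe(lookup):
    """Feed the probe to one implementation and report what the database saw."""
    con = make_db()
    try:
        return ("rows", lookup(con, "chapple", PROBE))
    except sqlite3.OperationalError as exc:   # the database tried to run the injected SQL
        return ("error", str(exc))
    except ValueError as exc:                 # the input never reached the database
        return ("rejected", str(exc))


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized, lookup_validated):
        print(f"{fn.__name__:22s} -> {run_probe(fn)}")
```

The vulnerable version surfaces the database's "no such table" error for the nonexistent table, which is exactly the signal the article tells you to look for (SQLite's wording of what SQL Server reports as "Invalid object name"). The parameterized version simply finds nobody with that literal first name, and the validated version rejects the input before any query is built. The article's third recommendation, stored procedures, achieves the same separation of code from data as the bound parameters shown here.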

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. The above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer Crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people

Illegally using someone else's computer or "posing" as someone else on the Internet

Using spyware to gather information about people

Emails requesting money in return for "small deposits"

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers

Using someone else's computer to access personal information with the intent to use it fraudulently

Using the computer to solicit minors into sexual alliances

Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs

Hacking into computer systems to gather large amounts of information for illegal purposes

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target the users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.

Documenting the date and time associated with computer files when the computer was taken into evidence.

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
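Two of the steps listed above, mathematically authenticating the data on every storage device and documenting the dates and times of the files at seizure, can be carried out with an evidence manifest. The following is an added example, not code from the chapter: it hashes each file of an evidence tree, records its timestamps, and later re-verifies the tree; the evidence files, paths and bag number are constructed placeholders.

```python
"""Added example (not from the chapter): build and later verify an evidence
manifest. For every file under the evidence root it stores a SHA-256 digest,
the size and the modification/access timestamps seen at acquisition time, so
that any later alteration can be demonstrated rather than merely asserted.
The sample evidence tree is constructed in a temporary directory; all file
names, contents and identifiers are made up for the example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Walk the evidence tree and record digest, size and timestamps per file."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            entries[rel] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                # Timestamps are stored in UTC so the manifest is unambiguous
                # regardless of the examiner workstation's local time zone.
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "atime": datetime.fromtimestamp(st.st_atime, timezone.utc).isoformat(),
            }
    return {"created": datetime.now(timezone.utc).isoformat(), "files": entries}


def verify_manifest(root, manifest):
    """Re-hash the tree and report which recorded files changed, vanished or appeared."""
    current = build_manifest(root)["files"]
    recorded = manifest["files"]
    changed = [p for p in recorded
               if p in current and current[p]["sha256"] != recorded[p]["sha256"]]
    missing = [p for p in recorded if p not in current]
    added = [p for p in current if p not in recorded]
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Create a constructed evidence tree, manifest it, alter one byte, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "image"))
        with open(os.path.join(root, "image", "disk0.dd"), "wb") as fh:
            fh.write(b"\x00" * 4096 + b"MBR-SAMPLE")  # constructed image content
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("seized DATE-PLACEHOLDER, sealed bag #EX-PLACEHOLDER\n")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)   # nothing touched yet

        # Simulate an alteration after seizure: the first byte of the image changes.
        with open(os.path.join(root, "image", "disk0.dd"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"\xff")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps({"manifest": manifest, "before": clean, "after": tampered}, indent=2))
```

In practice the manifest is written out, signed or hashed itself, and kept with the chain-of-custody paperwork rather than on the evidence media.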

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.


In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason why it is a bad idea (and in many cases illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you would have gone from being the good guy to attacking someone who was not even involved in the security incident.

Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off.

The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
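The reset footprint described above can be looked for in the firewall log itself: an inbound SYN, the firewall's SYN-ACK back to the claimed source, and then a RST from that source instead of the ACK that completes the handshake. The following is an added example, not code from the chapter; the log format, the addresses and the log lines are all constructed, so the regular expression has to be adapted to a real firewall's format.

```python
"""Added example (not from the chapter): flag sources in a firewall log whose
SYN-ACK'd connection attempts all end in a RST from the claimed source. That is
the trace the innocent owner of a spoofed address leaves when it receives our
SYN-ACK for a connection it never opened. Log format and addresses are
constructed; 192.0.2.10 plays the firewall's public interface."""
import re
from collections import defaultdict

# Constructed log lines (not from the chapter). RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2001-03-04T10:15:01Z ALLOW TCP 203.0.113.7:43211 -> 192.0.2.10:80 flags=S
2001-03-04T10:15:01Z ALLOW TCP 192.0.2.10:80 -> 203.0.113.7:43211 flags=SA
2001-03-04T10:15:01Z ALLOW TCP 203.0.113.7:43211 -> 192.0.2.10:80 flags=A
2001-03-04T10:15:02Z ALLOW TCP 203.0.113.7:43211 -> 192.0.2.10:80 flags=PA
2001-03-04T10:15:05Z ALLOW TCP 198.51.100.9:1025 -> 192.0.2.10:80 flags=S
2001-03-04T10:15:05Z ALLOW TCP 192.0.2.10:80 -> 198.51.100.9:1025 flags=SA
2001-03-04T10:15:05Z ALLOW TCP 198.51.100.9:1025 -> 192.0.2.10:80 flags=R
2001-03-04T10:15:06Z ALLOW TCP 198.51.100.9:1026 -> 192.0.2.10:80 flags=S
2001-03-04T10:15:06Z ALLOW TCP 192.0.2.10:80 -> 198.51.100.9:1026 flags=SA
2001-03-04T10:15:06Z ALLOW TCP 198.51.100.9:1026 -> 192.0.2.10:80 flags=R
2001-03-04T10:15:09Z DENY UDP 198.51.100.9:53 -> 192.0.2.10:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)"
    r"(?: flags=(?P<flags>\w+))?$"
)


def parse(log_text):
    """Yield one dict per line that matches LINE_RE; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def handshake_outcomes(records, firewall_ip):
    """For each inbound TCP attempt the firewall answered with SYN-ACK, report
    whether the claimed source then completed the handshake, reset it, or went quiet."""
    flows = defaultdict(list)  # (remote ip, remote port, local port) -> [(dir, flags)]
    for r in records:
        if r["proto"] != "TCP" or not r["flags"]:
            continue
        if r["dip"] == firewall_ip:
            flows[(r["sip"], r["sport"], r["dport"])].append(("in", r["flags"]))
        elif r["sip"] == firewall_ip:
            flows[(r["dip"], r["dport"], r["sport"])].append(("out", r["flags"]))
    outcomes = {}
    for key, seq in flows.items():
        if ("in", "S") not in seq or ("out", "SA") not in seq:
            continue  # never SYN-ACK'd, so the reset test does not apply
        after = [f for d, f in seq[seq.index(("out", "SA")) + 1:] if d == "in"]
        got_reset = any("R" in f for f in after)
        got_ack = any("A" in f and "R" not in f for f in after)
        if got_reset and not got_ack:
            outcomes[key] = "reset"
        elif got_ack:
            outcomes[key] = "completed"
        else:
            outcomes[key] = "unanswered"
    return outcomes


def suspect_sources(outcomes):
    """Sources whose every SYN-ACK'd attempt ended in a RST from the claimed address.
    Treat this as an indicator, not proof: a half-open (SYN) scan run from the
    real host leaves the same trace, so corroborate with the address owner."""
    per_src = defaultdict(list)
    for (sip, _sport, _dport), outcome in outcomes.items():
        per_src[sip].append(outcome)
    return sorted(s for s, o in per_src.items() if all(x == "reset" for x in o))


if __name__ == "__main__":
    results = handshake_outcomes(parse(SAMPLE_LOG), "192.0.2.10")
    for key, outcome in sorted(results.items()):
        print(key, outcome)
    print("possible spoofed sources:", suspect_sources(results))
```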

3.9 Deciphering Port Numbers__________________________

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted through the firewall.

The lists of default TCP and UDP port numbers, IP protocol numbers and ICMP message types are managed by the Internet Assigned Numbers Authority (IANA) and can be accessed as follows:

TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers

IP protocols: http://www.iana.org/assignments/protocol-numbers

ICMP message types: http://www.iana.org/assignments/icmp-parameters

Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.


3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is to use that information to determine what needs to be done in the future to secure the firewall. As you identify what transpired and how the incident occurred, use that information to identify flaws in both the written security policy of the organization and the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is probably a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should probably not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets: their data. This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being more trouble than they are worth. After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows, is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer & how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify that new name:

New GUI interface - an MMC snap-in is now available to configure the advanced firewall.

Bi-directional - filters outbound traffic as well as inbound traffic.


Works better with IPsec - now the firewall rules and IPsec encryption configurations are integrated into one interface.

Advanced rules configuration - you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall, you can better secure your servers from attack, prevent your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type "firewall" in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6.


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules - WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter - in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number - our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC.

Add the rule - click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC - new rule button

Select that you want to create a rule for a port.

Configure protocol & port number - take the default of TCP, enter the port number as 80, and click Next.

Take the default of "allow this connection" & click Next.

Take the default of applying this rule to all profiles & click Next.

Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC - after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security - This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security - This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall - This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server - Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail - Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell - Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet - Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

"Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

"Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations, the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year, Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment NFAT tools make monitoring considerably easier than ever before On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information The power of these tools is their ability to rapidly distill down a large data set into manageable chunks

As such these systems are a double-edged sword for security and privacy On the one hand a powerful NFAT makes it possible to put a spotlight on a particular subject You can for example covertly monitor all of the email messages sent between a pair of users But on the other hand these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions system glitches or one or two individuals under surveillance Of course this selective capability makes it far more likely that these surveillance capabilities will actually be used

For example in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University The FBI was investigating a series of computer break-ins all over the world they were all originating at Harvard from a variety of different machines belonging to the faculty of Arts and Sciences But rather than record the contents of every TCPIP connection which would have subjected Harvards entire community to unacceptable monitoring the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington DC) that could be programmed to only capture TCPIP connections that contained a particular keyword

It turned out that the hacker was breaking into other computers and setting up a program called sni256 So by only recording TCPIP connections that contained the letters sni256 the FBI was able to restrict the data collection to those TCPIP connections made by the attacker (As it turns out during the monitoring period two other TCPIP connections belonging to legitimate users contained the same keyword and were inadvertently captured)
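The two ideas above, traffic analysis on packet headers alone and I-Watch-style minimisation that records only connections containing a keyword, as an added example that is not part of the original text. The packets, hosts and payloads are constructed; the point it illustrates is the inadvertent capture of legitimate connections that merely mention the keyword.

```python
"""Connection reconstruction, header-only traffic analysis and
keyword-restricted capture over a constructed packet list."""
from dataclasses import dataclass


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    first_seen: float
    last_seen: float
    payload: bytes = b""


# Constructed packet records: (timestamp, src, dst, dport, payload bytes).
# 10.1.1.5 is the intruder's session; the others are legitimate users.
PACKETS = [
    (1000.0, "10.1.1.5", "192.0.2.10", 23, b"login: guest\r\n"),
    (1001.5, "10.1.1.5", "192.0.2.10", 23, b"cd /tmp; ./sni256 &\r\n"),
    (1002.0, "10.1.1.7", "192.0.2.20", 25, b"Subject: lunch\r\n"),
    (1003.0, "10.1.1.7", "192.0.2.20", 25, b"see you at noon\r\n"),
    (1004.0, "10.1.1.9", "192.0.2.30", 80, b"GET /docs/sni256-readme.txt HTTP/1.0\r\n"),
    (1005.0, "10.1.1.9", "192.0.2.31", 80, b"GET /index.html HTTP/1.0\r\n"),
    (1006.0, "10.1.1.12", "192.0.2.40", 119, b"ARTICLE <sni256-thread@example>\r\n"),
]


def reconstruct_connections(packets):
    """Group packets by (src, dst, dport) into connections, keeping the
    time window and the concatenated payload of each."""
    conns = {}
    for ts, src, dst, dport, payload in packets:
        key = (src, dst, dport)
        c = conns.get(key)
        if c is None:
            c = Connection(src, dst, dport, ts, ts)
            conns[key] = c
        c.first_seen = min(c.first_seen, ts)
        c.last_seen = max(c.last_seen, ts)
        c.payload += payload
    return list(conns.values())


def traffic_analysis(packets):
    """Header-only view: for each source, which (host, port) peers it
    talked to and when, without reading any payload."""
    summary = {}
    for c in reconstruct_connections(packets):
        s = summary.setdefault(
            c.src, {"peers": set(), "first": c.first_seen, "last": c.last_seen})
        s["peers"].add((c.dst, c.dport))
        s["first"] = min(s["first"], c.first_seen)
        s["last"] = max(s["last"], c.last_seen)
    return summary


def keyword_capture(packets, keyword):
    """Minimisation by keyword: keep only connections whose payload
    contains the keyword, as I-Watch did with 'sni256'. Any legitimate
    connection that happens to mention the keyword is captured too."""
    kw = keyword.encode()
    return [c for c in reconstruct_connections(packets) if kw in c.payload]


if __name__ == "__main__":
    for c in keyword_capture(PACKETS, "sni256"):
        print(f"{c.src} -> {c.dst}:{c.dport} captured ({len(c.payload)} bytes)")
    # prints 3 connections: the intruder's telnet session plus two
    # legitimate ones (HTTP and NNTP) that merely mention the keyword
```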

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications (they can't eavesdrop on communications or disclose intercepted contents) unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.

Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
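What a log analyzer does with WELF (WebTrends Enhanced Log Format) export, as an added example that is neither part of the original text nor Firewall Analyzer's code: WELF lines are space-separated key=value pairs, values containing spaces are double-quoted, and the sent/rcvd fields carry byte counts. The sample lines, addresses and rule numbers below are constructed.

```python
"""Parse WELF firewall log lines and summarise bandwidth by source host
and denies by rule, skipping lines that are not WELF."""
import shlex
from collections import defaultdict

# Constructed sample: three hosts, one deny, one malformed line.
SAMPLE_LOG = """\
id=firewall time="2011-03-01 09:00:01" fw=10.0.0.1 pri=6 rule=3 proto=http src=10.1.1.20 dst=198.51.100.5 sent=512 rcvd=20480
id=firewall time="2011-03-01 09:00:07" fw=10.0.0.1 pri=6 rule=3 proto=https src=10.1.1.21 dst=198.51.100.9 sent=1024 rcvd=4096
id=firewall time="2011-03-01 09:01:15" fw=10.0.0.1 pri=4 rule=12 proto=tcp src=203.0.113.7 dst=10.1.1.20 msg="deny inbound" sent=0 rcvd=0
this line is not WELF at all
id=firewall time="2011-03-01 09:02:30" fw=10.0.0.1 pri=6 rule=3 proto=http src=10.1.1.20 dst=198.51.100.6 sent=256 rcvd=10240
"""


def parse_welf(line):
    """Return the key=value pairs of one WELF line as a dict, or None if
    the line does not look like WELF (a bare token, unbalanced quotes,
    or no id= field)."""
    try:
        tokens = shlex.split(line)  # posix mode strips the double quotes
    except ValueError:
        return None
    fields = {}
    for tok in tokens:
        if "=" not in tok:
            return None
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields if "id" in fields else None


def bandwidth_by_source(log_text):
    """Total bytes (sent + rcvd) per source address; lines that fail to
    parse or carry non-numeric counters are skipped, not guessed."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_welf(line)
        if rec is None or "src" not in rec:
            continue
        try:
            nbytes = int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
        except ValueError:
            continue
        totals[rec["src"]] += nbytes
    return dict(totals)


def top_talkers(log_text, n=3):
    """The n sources that moved the most bytes, for capacity planning."""
    bw = bandwidth_by_source(log_text)
    return sorted(bw.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def denied_by_rule(log_text):
    """Count lines whose msg mentions 'deny', grouped by rule number,
    to see which rules are doing the blocking."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_welf(line)
        if rec and "deny" in rec.get("msg", "").lower():
            counts[rec.get("rule", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(top_talkers(SAMPLE_LOG))   # [('10.1.1.20', 31488), ('10.1.1.21', 5120), ('203.0.113.7', 0)]
    print(denied_by_rule(SAMPLE_LOG))  # {'12': 1}
```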

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly in Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles to a file and import that file later to get the profiles back. This comes in handy in exigencies such as moving the server to a different machine.

3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp.
3. Email Examiner
4. EnCase
5. Guidance Software
6. Paraben Corp.
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. dtSearch
11. dtSearch Corp.

Keywords: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration.

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means the gathering and analyzing of data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.

For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially PUBLIC) granted to objects within the database. Database objects include tables and other schema objects; the permissions granted for SQL language commands on those objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
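One way the security system that receives the exported audit trail can later show the records were not altered, as an added example that is not part of the original text: it chains each exported record to the previous one under an HMAC key that only the security system holds (a placeholder key here), so a later edit, deletion or reordering of exported records is detectable. The audit records are constructed.

```python
"""HMAC-chained export of native database audit records, with
verification that detects tampering after export."""
import hashlib
import hmac
import json

# Key held only by the security system; placeholder value for the example.
SECURITY_SYSTEM_KEY = b"placeholder-secret-kept-off-the-database-host"
GENESIS = "0" * 64  # digest that precedes the first record


# Constructed native audit records, as pulled from a DB audit table.
AUDIT_RECORDS = [
    {"ts": "2011-03-01T09:00:01", "user": "app_svc", "action": "SELECT", "object": "customers"},
    {"ts": "2011-03-01T09:05:44", "user": "dba_jane", "action": "GRANT", "object": "payroll"},
    {"ts": "2011-03-01T09:06:10", "user": "dba_jane", "action": "UPDATE", "object": "payroll"},
    {"ts": "2011-03-01T09:07:00", "user": "dba_jane", "action": "REVOKE", "object": "payroll"},
]


def _digest(prev_digest, record, key):
    # Canonical JSON so that field order cannot change the digest.
    body = prev_digest.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def export_chain(records, key=SECURITY_SYSTEM_KEY):
    """Return [(record, digest), ...]; each digest covers the record and
    the digest of the record before it."""
    prev = GENESIS
    chain = []
    for rec in records:
        prev = _digest(prev, rec, key)
        chain.append((dict(rec), prev))
    return chain


def verify_chain(chain, key=SECURITY_SYSTEM_KEY):
    """Return the index of the first entry whose digest does not match,
    or None if the whole chain verifies."""
    prev = GENESIS
    for i, (rec, digest) in enumerate(chain):
        expected = _digest(prev, rec, key)
        if not hmac.compare_digest(expected, digest):
            return i
        prev = digest
    return None


def tamper_copy(chain, index, **changes):
    """Simulate an after-the-fact edit to one exported record."""
    copy = [(dict(r), d) for r, d in chain]
    copy[index][0].update(changes)
    return copy


if __name__ == "__main__":
    chain = export_chain(AUDIT_RECORDS)
    print("intact:", verify_chain(chain))                  # intact: None
    edited = tamper_copy(chain, 2, action="SELECT")
    print("edited record:", verify_chain(edited))          # edited record: 2
    deleted = chain[:1] + chain[2:]
    print("deleted record:", verify_chain(deleted))        # deleted record: 1
```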

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
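The directory lookup from the article above built both ways against an in-memory SQLite table, as an added example that is not code from the original article: the concatenated query fails with a database error when given the article's probe string (SQLite's analogue of the 'Invalid object name' message), while the parameterised query treats the whole string as a first name and simply finds nobody. The table, its rows and phone numbers are constructed; the parameter check is the "make sure the input is what you expect" step from the list above.

```python
"""Vulnerable string-built lookup beside the parameterised form, plus a
parameter check, exercised with the probe string from the text."""
import re
import sqlite3

# The probe from the article (what the browser sends after URL decoding).
PROBE = "mike' AND (select count(*) from fake) > 0 OR 1=1"


def setup_db():
    """Constructed directory table standing in for the article's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0101")])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """String concatenation: user input becomes part of the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, lastname, firstname):
    """Bound parameters: the driver passes the values separately from the
    SQL text, so quotes and keywords in the input have no syntactic effect."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


# Parameter checking as the text recommends: letters, apostrophe, space,
# hyphen, up to 40 characters. It still allows an apostrophe (O'Brien),
# so it complements parameterisation rather than replacing it.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def is_valid_name(value):
    return bool(NAME_RE.match(value))


def probe(conn, firstname, lastname="chapple"):
    """Run both lookups with the same input and report what happened."""
    try:
        vuln_rows = lookup_vulnerable(conn, lastname, firstname)
        vuln_error = None
    except sqlite3.Error as exc:          # the tell-tale database error
        vuln_rows, vuln_error = None, str(exc)
    return {
        "vulnerable_rows": vuln_rows,
        "vulnerable_error": vuln_error,
        "safe_rows": lookup_safe(conn, lastname, firstname),
        "input_valid": is_valid_name(firstname),
    }


if __name__ == "__main__":
    db = setup_db()
    print(probe(db, "mike"))   # both lookups return ['555-0100'], input valid
    print(probe(db, PROBE))    # vulnerable_error set, safe_rows [], input invalid
```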

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phone, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud or Computer crime refers to a criminal activity where a computer laptop network or other such digital device is utilized for any criminal purposes A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity In some ways a computer is like constantly running video camera ndash an experienced computer forensics investigator can extract digital evidence which shows emails pictures deleted files instant messages and much more all with time and date history This digital evidence is produced in a manner that will hold up in a court of law Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive misrepresent destroy steal information or cause harm to others by accessing information through deceptive and illegal means Just as you have to be careful when yoursquore walking down the street or in your own home when you lock up at night yoursquove got to be careful of the many examples of computer fraud that will make their way onto your computer 3191 What is Computer Fraud You dont have to be an expert in business marketing to know that E-commerce is here to stay Throughout the globe more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online As the internet continues to thrive with technology and millions in sales the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted

All Rights Reserved wwwsedulitygroupscom 39

In modern times hackers are more than just bored teenagers with a few computer skills Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek To make matters worse you can be a victim of computer fraud without even knowing your machine has been compromised In order to protect yourself against this type of fraud it is important to first learn more about it

3192 The Basis of Computer FraudAn internet attacker needs access to your personal information before they are able to victimize you Many of them use malicious programs known as spyware to obtain it Spyware is a type of software often used by hackers and legitimate companies Once installed onto a computer it has the ability to monitor a users activity and collect information without their knowledge or consent Whether you know it or not your computer automatically stores numerous files that contain your most sensitive data including your name address telephone number and email domain This information is often found in virtual storage units such as your browser history cache or temporary internet files A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it Spyware is typically able get into a system by manipulating a Microsoft technology known as Active X Active X is a web-based language that adds ease to the process of surfing the internet This technology makes it possible to view many of your favorite web pages However when Active X is manipulated by a cyber criminal it can then be used to install spyware and other malicious programs onto your system

3.19.3 From Computer to Easy Theft

Once a criminal has your data, they have all the ammunition needed to commit computer fraud. The information can be used to run up debt, open accounts and even claim medical benefits in your name. The worst case is complete identity theft, a growing problem that is difficult to undo: victims typically spend months or years clearing their name and repairing damaged credit, and until then they are likely to be refused credit, mortgages and car loans. You may even find yourself in trouble with the law for crimes you did not commit.

Computer fraud can be one of the most devastating crimes you will ever experience, so protecting the personal data on your computer should be a top priority. That means solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan to discard a computer, completely erase the contents of the hard drive first; as the saying goes, one man's trash is another man's treasure.

There are many legal ramifications for those practising computer fraud, especially when the practice can be shown to be harmful and physically or financially damaging to others. Most laws distinguish between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and is not really fraudulent.

Deliberately generating a hoax letter to scare others, however, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum people who steal information or money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright law by copying material such as DVDs and CDs with the intent to sell it
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities that use information technology to gain illegal or unauthorised access to a computer system with the intent of damaging, deleting or altering computer data. They also include electronic fraud, misuse of devices, identity theft, and interference with data or systems. Computer crimes do not necessarily involve damage to physical property; more often they involve the manipulation of confidential data and critical information. They include software theft and other activities that breach the privacy of users, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have made newer and more effective security measures necessary.

3.20.1 Types of Computer Crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has been a boon to mankind, destructively directed human intellects are all set to turn it into a curse. Crimes, however, are sure to end, as truth always triumphs. The types of computer crime are as follows.

Hacking: Breaking into a computer system to gain unauthorised access is known as hacking: defeating the security controls of a system in order to gain illegal access to the information stored on it. The unauthorised disclosure of passwords with intent to gain access to the private communications of an organisation or a user is one of the most widely known computer crimes. Another highly dangerous variant is spoofing IP addresses in order to transact under a false identity, remaining anonymous while carrying out criminal activity.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. It is carried out through emails or by luring users into entering personal information on fake websites. Criminals often use websites that have the look and feel of a popular site, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that replicate themselves and harm the computers on a network without the knowledge of their users. Viruses spread to other computers through network file systems, over the network or the Internet, or by means of removable media such as USB drives and CDs. Viruses are malicious code written to harm a computer system and destroy information; writing and releasing them is a criminal activity, as infections can crash systems and destroy large amounts of critical data.
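The phishing entry above turns on fake sites that look like a popular one. The following is an added example, not code from this chapter, of the kind of look-alike-domain check a mail gateway or browser extension runs before a user is allowed to enter credentials. The protected-brand list, the confusable-glyph table and the sample URLs are constructed for the example; the registrable-domain logic assumes no multi-label public suffixes.

```python
"""Added example for the phishing entry above; not from the chapter.  A small
look-alike-domain check of the kind a mail gateway or browser extension runs
before a user is allowed to enter credentials.  PROTECTED, the confusable map
and the sample URLs are constructed for this example."""
from urllib.parse import urlsplit

PROTECTED = {"paypal.com", "example-bank.com", "microsoft.com"}  # assumed brand list

# Glyphs attackers swap for ones that look alike in common fonts; labels are
# folded through this table before comparison so "paypa1" becomes "paypal".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
DIGRAPHS = {"rn": "m", "vv": "w"}  # "rnicrosoft" -> "microsoft"


def fold(label):
    """Canonicalise a DNS label: lower-case, map confusable glyphs and digraphs."""
    s = label.lower().translate(CONFUSABLES)
    for a, b in DIGRAPHS.items():
        s = s.replace(a, b)
    return s


def edit_distance(a, b):
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host.  Assumption: no multi-label public suffixes
    (co.uk and friends) in the input; production code would consult the PSL."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url):
    """Return (verdict, reason): 'legit' (a protected brand's own domain),
    'suspicious' (imitates one) or 'unknown' (no protected brand involved)."""
    # urlsplit drops user-info, so "http://paypal.com@evil.example/" yields evil.example
    host = urlsplit(url).hostname or ""
    if not host:
        return "unknown", "no host name in URL"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "internationalised (punycode) host; check for homoglyphs"
    reg = registrable(host)
    if reg in PROTECTED:
        return "legit", f"{reg} is the brand's own domain"
    for brand in PROTECTED:
        # brand name parked as a subdomain, e.g. paypal.com.evil.example
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return "suspicious", f"{brand} used as a subdomain of {reg}"
    sld = fold(reg.split(".")[0])
    for brand in PROTECTED:
        fbl = fold(brand.split(".")[0])
        if sld == fbl or edit_distance(sld, fbl) <= 1:
            return "suspicious", f"{reg} is a typo or homoglyph of {brand}"
        if len(fbl) >= 5 and fbl in sld:
            return "suspicious", f"{reg} embeds the brand name {brand}"
    return "unknown", "no protected brand matched"


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "http://paypa1.com/",
              "http://rnicrosoft.com/login", "http://paypal.com.evil.example/",
              "http://secure-paypal-login.example/", "https://xn--pypal-4ve.com/",
              "https://example.org/"]:
        print(u, "->", *classify_url(u))
```

The check deliberately looks at the host name only: a URL's path, the page title and the padlock icon are all under the attacker's control, whereas the registrable domain is what the browser actually connects to.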

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, the transmission of threats, and damage to data and equipment fall under cyberstalking. Cyberstalkers often target users through chat rooms, online forums and social networking sites, gathering user information and then harassing users on the basis of what they have gathered. Obscene emails, abusive phone calls and similar serious effects of cyberstalking have made it a recognised type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity: pretending to be someone else by using their identity as one's own. Financial identity theft is the use of a false identity to obtain goods and services; commercial identity theft is the use of someone else's business name or credit card details for commercial purposes; identity cloning is the use of another person's information to pose as that person. Illegal migration, terrorism and blackmail are often made possible by identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping your phone line outside your house and running it into their own computer, often without your knowledge, through a split line. Some go a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time: This is one of the most common computer crimes, occurring all over the country: public and private employees who, on the taxpayer's or the company's time and money, surf the web or play games without authorisation. Supervisors rarely accept this behaviour, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to learn secret or personal information, by taking computer printouts, mailing lists, customer lists and so on.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming occurs when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

To investigate a cyber crime, a team is commissioned that usually includes a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Important steps followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data, including bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that potential evidence is not destroyed or tampered with.
• Authenticating the data on all storage devices mathematically (computing and recording cryptographic hashes of each image) in order to prove that no alterations have been made to the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords to facilitate the evaluation of data on the hard disk drive.
A critical step in investigating a computer crime is evaluating the Windows swap file, which can contain valuable information: fragments of whatever was in memory, including data from programs no longer running. Next is evaluating file slack, the unused space between the end of a file's data and the end of the last cluster allocated to it; file slack is a good source of evidence in crimes committed over the Internet.

Evaluating unallocated space yields information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues identified during the computer search.
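Two of the steps above, mathematical authentication of the evidence and the keyword sweep over slack and unallocated space, are shown together in the following added example, which is not part of the chapter. The "disk image" is constructed in memory (a few allocated sectors followed by the remains of a deleted file in unallocated space) so the code runs offline; on a real case the bytes would be read from the bit-stream copy of the seized drive, and the boundary of the allocated region would come from the file system rather than the assumed constant used here.

```python
"""Added example (not from the chapter): authenticate an evidence image with
cryptographic hashes, record the result in a chain-of-custody entry, verify it
later, and sweep the image for keywords, reporting whether each hit lies in
allocated or unallocated space.  The image is constructed in memory."""
import hashlib
import json
import re
import time

SECTOR = 512


def hash_image(data, chunk=1 << 20):
    """MD5 and SHA-256 over the image, read in chunks so the same loop works on
    a multi-gigabyte file object; here the input is a bytes object."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for off in range(0, len(data), chunk):
        md5.update(data[off:off + chunk])
        sha.update(data[off:off + chunk])
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "size": len(data)}


def make_custody_record(data, item_id, examiner, when=None):
    """Chain-of-custody entry (who hashed what, when), stored as JSON beside the image."""
    rec = {"item": item_id, "examiner": examiner,
           "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when)),
           **hash_image(data)}
    return json.dumps(rec, sort_keys=True)


def verify_image(data, record_json):
    """Re-hash and compare with the recorded values; any changed byte fails."""
    rec = json.loads(record_json)
    now = hash_image(data)
    return all(now[k] == rec[k] for k in ("md5", "sha256", "size"))


def keyword_sweep(data, keywords, allocated_end):
    """Find every occurrence of each keyword, as ASCII and as UTF-16LE (how
    Windows stores most text), case-insensitively, and label each hit by region.
    allocated_end: offset where allocated space ends.  Assumption: one contiguous
    allocated region precedes the unallocated region."""
    hits = []
    for kw in keywords:
        for pat in (re.escape(kw.encode("ascii")), re.escape(kw.encode("utf-16-le"))):
            for m in re.finditer(pat, data, re.IGNORECASE):
                region = "allocated" if m.start() < allocated_end else "unallocated"
                hits.append((kw, m.start(), region))
    return sorted(hits, key=lambda h: h[1])


def build_sample_image():
    """Constructed image: 8 allocated sectors, then 8 unallocated sectors holding
    the remains of a deleted file (ASCII) and a UTF-16LE fragment."""
    allocated = b"Quarterly report: nothing to see here.".ljust(SECTOR * 8, b"\x00")
    deleted = b"wire transfer to account 99887766 approved by mallory".ljust(SECTOR * 4, b"\x00")
    deleted_utf16 = "Mallory".encode("utf-16-le").ljust(SECTOR * 4, b"\x00")
    return allocated + deleted + deleted_utf16, len(allocated)


if __name__ == "__main__":
    image, alloc_end = build_sample_image()
    record = make_custody_record(image, "HDD-001", "examiner A")
    print(record)
    print("pristine image verifies:", verify_image(image, record))
    tampered = image[:10] + b"X" + image[11:]          # one byte changed
    print("tampered image verifies:", verify_image(tampered, record))
    for kw, off, region in keyword_sweep(image, ["mallory", "wire transfer"], alloc_end):
        print(f"{kw!r} at offset {off} (sector {off // SECTOR}) in {region} space")
```

Two hashes are recorded on purpose: MD5 is still what many older tools and reports use, while SHA-256 is what you rely on, and a collision against both at once is not a practical concern. Searching the UTF-16LE form as well as ASCII matters because a sweep that only looks for ASCII strings misses most text that Windows applications wrote.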

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it can be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to commit to the following philosophy when you are on the net:

• Do not give personal information to anyone, or to any company you have never heard of before. This includes your full name, address, phone number, credit card number, social security number, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they are.
• Do not open emails from strangers. Install anti-virus software and spam blocking on your computer and in your email program.
• Do not download attachments from people you do not know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Do not keep passwords on your computer, and do not use common passwords such as the names of your children, birthdays or other guessable words.
• Never give your password to someone else.

3.10 Securing the Firewall______________________________

An important result of performing a forensic analysis is using that information to determine what needs to be done to secure the firewall in future. As you identify what transpired and how the incident occurred, use that information to identify flaws both in the organisation's written security policy and in the actual firewall policy and ruleset. For example, if an attacker was able to compromise a resource on a DMZ segment and then use that resource to gain access to the firewall, that is a good indication that access to the firewall from that resource (or from the entire DMZ, for that matter) should not be permitted.

3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based stateful firewall. With Windows Server 2008 the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.

3.10.2 Why should you use the Windows host-based firewall?

Many companies today secure their network using the "hard outer shell, gooey centre" approach: they create a strong perimeter around the network with firewalls and IPS systems to protect themselves from attackers on the Internet. However, if an attacker penetrates the perimeter and gains access to the internal network, only Windows authentication stands between them and the company's most valuable asset, its data, because most IT pros do not secure their servers with host-based firewalls. Why not? We see host-based firewalls as more trouble than they are worth. After reading this article, I hope many of you will take a second look at the Windows host-based firewall. With Windows Server 2008 the host-based firewall is built into Windows, is already installed, has more features and is easier to configure. Plus, it is one of the best ways to secure a crucial infrastructure server. So what can the Windows Server advanced firewall do for you, and how do you configure it? Let's find out.

3.10.3 What does the new advanced firewall offer, and how can it help you?

New with Windows Server 2008, the built-in firewall is now "advanced". And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS). Here are the new features that help justify the name:

• New GUI interface: an MMC snap-in is now available to configure the advanced firewall.
• Bi-directional: filters outbound traffic as well as inbound traffic.
• Works better with IPsec: firewall rules and IPsec configuration are now integrated into one interface.
• Advanced rule configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts and groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of bi-directional filtering, a better GUI and advanced rule configuration, the Windows advanced firewall is bordering on being as good as traditional host-based firewalls (ZoneAlarm Pro, for example). I know the first concern of any server admin using a host-based firewall is: what if it prevents critical server infrastructure applications from functioning? While that is always a possibility with any security measure, WFAS automatically configures new rules for any new server roles added to the server. However, if you run non-Microsoft applications on your server that need inbound network connectivity, you will have to create a rule for that traffic. By using the advanced Windows firewall you can better secure your servers from attack, stop your servers attacking others, and really nail down what traffic goes in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously, you could configure the Windows firewall when you configured your network adaptor, or from the Control Panel, and the configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from an MMC with only the WFAS snap-in. Here is what they both look like:

Figure 3.3 Windows 2008 Server Manager

Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest and easiest way to start the WFAS MMC is to type "firewall" in the Start menu search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall command-line option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC snap-in?

Because there are so many features you can configure with the new WFAS MMC snap-in, I cannot possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there are with WFAS. Let me hit on a few of the most frequently used. When you first open the WFAS MMC snap-in, you will see that by default WFAS is on and blocks inbound connections that do not match an allow rule, while outbound connections that do not match a rule are allowed (so outbound filtering is effectively off until you change it). You will also notice that there are different profiles for WFAS (see Figure 3.6 below).

Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile. These profiles let you take the many inbound and outbound rules you may have and apply a given group of rules based on where the computer is connected (say, the corporate LAN versus the local coffee shop). Of all the WFAS improvements discussed here, in my opinion the most significant is the more sophisticated firewall rules. Take a look at the Windows 2003 Server firewall option to add an exception (a rule) in Figure 3.7:

Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:

Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of a multi-tabbed window. You can also configure rules to apply to users and computers, programs and services, and IP address scopes. With this kind of rule configuration, Microsoft has pushed WFAS closer to its IAS server. The number of default rules offered by WFAS is also striking: Windows 2003 Server had 3 default exceptions (rules), whereas WFAS offers about 90 default inbound rules and at least 40 default outbound rules.

Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules
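With ninety-odd default inbound rules plus whatever administrators add, the "tighten the ruleset" outcome of a firewall forensic review (start of 3.10) needs a way to find inbound allows that are broader than they should be. The following is an added example, not part of the chapter and not Microsoft tooling: it builds the netsh advfirewall command equivalent to the inbound port rule the wizard creates, and parses a rule export to flag enabled inbound allows open to any remote address. The export text is constructed in the key/value layout that netsh advfirewall firewall show rule prints; treating the Program field as present (as in verbose output) is an assumption, and the rule names are invented.

```python
"""Added example for 3.10 (not from the chapter, not Microsoft tooling):
build the netsh equivalent of the New Inbound Rule wizard and audit an exported
rule list for inbound allows broader than they need to be.  SAMPLE_EXPORT is
constructed in the layout of 'netsh advfirewall firewall show rule name=all
verbose' (assumption); the rule names in it are invented."""


def add_rule_command(name, port, protocol="TCP", remote_ip="any",
                     profile="any", program=None):
    """netsh command equivalent to the wizard's 'Allow the connection' port rule.
    Narrow remote_ip (e.g. 'LocalSubnet' or '10.0.0.0/8') and profile ('domain')
    instead of keeping the wizard's defaults, and pin the rule to the program."""
    cmd = (f'netsh advfirewall firewall add rule name="{name}" dir=in action=allow '
           f'protocol={protocol} localport={port} remoteip={remote_ip} profile={profile}')
    if program:
        cmd += f' program="{program}"'
    return cmd


def parse_show_rule(text):
    """Turn 'show rule' output (blocks of 'Key:  value' lines) into a list of dicts."""
    rules, cur = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            cur = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(cur)
        elif cur is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    return rules


def audit_inbound(rules):
    """(rule name, severity, reason) for enabled inbound allows from any address.
    'high': any port and any program, i.e. a hole in the host firewall.
    'medium': one port open to the world on the Public profile, no program pin."""
    findings = []
    for r in rules:
        if (r.get("Enabled") != "Yes" or r.get("Direction") != "In"
                or r.get("Action") != "Allow" or r.get("RemoteIP", "Any") != "Any"):
            continue
        any_port = r.get("LocalPort", "Any") == "Any"
        no_program = r.get("Program", "Any") == "Any"
        public = "Public" in r.get("Profiles", "")
        if any_port and no_program:
            findings.append((r["Rule Name"], "high",
                             "any port from any address with no program restriction"))
        elif public and no_program:
            findings.append((r["Rule Name"], "medium",
                             f"port {r['LocalPort']}/{r.get('Protocol')} open to any "
                             "address on the Public profile"))
    return findings


# Constructed export, four rules: the wizard's Apache rule, a scoped RDP rule,
# an any/any legacy rule, and an outbound rule the audit must ignore.
SAMPLE_EXPORT = """\
Rule Name:        Apache HTTP Server
------------------------------------
Enabled:          Yes
Direction:        In
Profiles:         Domain,Private,Public
Grouping:
LocalIP:          Any
RemoteIP:         Any
Protocol:         TCP
LocalPort:        80
RemotePort:       Any
Edge traversal:   No
Program:          Any
Action:           Allow

Rule Name:        Remote Desktop (TCP-In)
------------------------------------
Enabled:          Yes
Direction:        In
Profiles:         Domain
Grouping:         Remote Desktop
LocalIP:          Any
RemoteIP:         10.0.0.0/8
Protocol:         TCP
LocalPort:        3389
RemotePort:       Any
Edge traversal:   No
Program:          System
Action:           Allow

Rule Name:        Legacy Management Agent
------------------------------------
Enabled:          Yes
Direction:        In
Profiles:         Domain,Private,Public
Grouping:
LocalIP:          Any
RemoteIP:         Any
Protocol:         Any
LocalPort:        Any
RemotePort:       Any
Edge traversal:   No
Program:          Any
Action:           Allow

Rule Name:        Core Networking - DNS (UDP-Out)
------------------------------------
Enabled:          Yes
Direction:        Out
Profiles:         Domain,Private,Public
Grouping:         Core Networking
LocalIP:          Any
RemoteIP:         Any
Protocol:         UDP
LocalPort:        Any
RemotePort:       53
Edge traversal:   No
Program:          Any
Action:           Allow
"""

if __name__ == "__main__":
    print(add_rule_command("Apache HTTP Server", 80))                 # what the wizard does
    print(add_rule_command("Apache HTTP Server", 80, remote_ip="LocalSubnet",
                           profile="domain", program=r"C:\Apache24\bin\httpd.exe"))
    for name, sev, why in audit_inbound(parse_show_rule(SAMPLE_EXPORT)):
        print(f"[{sev}] {name}: {why}")
```

On a real server, feed the parser the output of netsh advfirewall firewall show rule name=all verbose (saved to a file with >), and review anything the audit reports alongside the forensic timeline: a "high" finding on a box the attacker reached from the DMZ is exactly the ruleset flaw the start of this section tells you to look for.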

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows advanced firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. Had you used the IIS built into Windows, the port would have been opened automatically; because you are using a third-party web server with the inbound firewall enabled, you must open the port manually. Here are the steps:

• Identify the protocol you want to filter: in our case it is TCP/IP (as opposed to UDP/IP or ICMP).
• Identify the source IP address, source port, destination IP address and destination port: our web traffic will come from any IP address and any source port, going to this server on port 80 (note that you could also create a rule for a specific program, such as the Apache HTTP Server executable).
• Open the Windows Firewall with Advanced Security MMC and add the rule: click the New Rule button in the WFAS MMC to bring up the New Inbound Rule Wizard.

Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

• Select that you want to create a rule for a port.
• Configure protocol and port number: take the default of TCP, enter port number 80, and click Next.
• Take the default of "Allow the connection" and click Next.
• Take the default of applying the rule to all profiles and click Next.
• Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled; after adding the rule it works fine.

3.10.7 Basic Firewall Configuration in Linux

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to stop unauthorised users accessing it. A firewall sits between your computer and the network and determines which services on your computer remote users on the network can reach. A properly configured firewall can greatly increase the security of your system, and it is recommended that you configure one for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application, and after installation you can change the security level of your system with GNOME Lokkit. GNOME Lokkit configures firewall settings for an average user by constructing basic ipchains rules: instead of requiring you to write the rules, it asks a series of questions about how you use your system and then writes them for you to the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules; it is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the "Firewalling with iptables" chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or prefer a text-based program, use the command lokkit to start the text-mode version.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option does not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended only if the system is on a trusted network (not on the Internet), is behind a larger firewall, or you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall; the security of your system will not be changed.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page lets you configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must answer Yes to the DHCP question; if you say No, you will not be able to establish a connection using that Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a web server, such as Apache, running on your system. You do not need this option to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need it if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through SSH, select this option.

Telnet: Telnet allows you to log into your machine remotely, but it is not secure: it sends plain text (including passwords) over the network. It is recommended that you use SSH instead. If you are required to have Telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page writes the firewall rules to /etc/sysconfig/ipchains and starts the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session: if you disable remote access to your system, you will no longer be able to reach it, or to disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can use it to send spam from your machine. If you chose to enable mail services, then after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program; the results are displayed when it finishes. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To start the service manually, use the command /sbin/service ipchains restart

To ensure that it is started when the system boots, issue the command /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capture, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

• "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

• "Stop, look and listen" systems, in which each packet is analysed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping on or disclosing intercepted contents except with user permission, for limited operational monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________

In many ways a system used for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches; as a result these systems need exceptionally large disks, ideally RAID systems. Stop-look-and-listen systems analyse the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Whichever capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new.

How much attention you need to give the hardware depends largely on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialised Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we can determine the effect of the operating system on overall capture efficiency. Once the best operating system is found, we can swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Of the six operating systems tested, FreeBSD had the best capture performance and Windows NT the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than with two, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason is that no single process can dominate both processors at once, so one processor ends up doing packet capture and the other does analysis.


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD, and unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Sandstorm also spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives, and explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This was not the expected result, and it goes directly against the conventional wisdom that SCSI is inherently better than IDE; nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. The highest performance came from a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, but a RAID 5 system based on the 3Ware Escalade 7000 RAID controller came very close.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing it up will set you back $4,000 for an AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives. The hardware and prices quoted here date from the era of Pentium III systems and 100BaseT networks; what carries over to current hardware is the test methodology, not the numbers.
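The dropped-packet analysis described in this section, as an added example (this is not code from the original chapter or from Sandstorm): it constructs a small pcap file in memory holding serialized test frames, parses it back, and reports the drop percentage and the longest run of consecutive drops. It assumes the packet generator writes a 4-byte big-endian serial number at the start of each Ethernet payload; the frames are constructed for the example, not captured.

```python
"""Measure packet-capture loss from a pcap of serialized test frames.

Added example, not from the original chapter. Assumption: the generator
puts a 4-byte big-endian serial number right after the 14-byte Ethernet
header. The pcap bytes are built in memory rather than read from tcpdump.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def build_test_pcap(serials, frame_len=60):
    """Construct a pcap file (as bytes) with one frame per serial number."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for n in serials:
        frame = (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
                 + struct.pack(">I", n))
        frame += b"\x00" * (frame_len - len(frame))       # pad to frame_len
        ts_sec, ts_usec = divmod(n * 1000, 1_000_000)      # frames 1 ms apart
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_serials(pcap_bytes):
    """Parse pcap global header and records; return the serials that were captured."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported capture format, magic %#x" % magic)
    off, serials = 24, []
    while off < len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        serials.append(struct.unpack_from(">I", frame, ETH_HDR_LEN)[0])
    return serials


def drop_stats(captured, first, last):
    """Return (percent dropped, longest run of consecutive dropped serials)."""
    seen = set(captured)
    total = last - first + 1
    dropped = run = longest = 0
    for n in range(first, last + 1):
        if n in seen:
            run = 0
        else:
            dropped += 1
            run += 1
            longest = max(longest, run)
    return 100.0 * dropped / total, longest


if __name__ == "__main__":
    # Constructed run: generator sent serials 1..1000, capture lost 100-104 and 500.
    lost = {100, 101, 102, 103, 104, 500}
    pcap = build_test_pcap([n for n in range(1, 1001) if n not in lost])
    pct, longest = drop_stats(read_serials(pcap), 1, 1000)
    print("dropped %.2f%%, longest run %d" % (pct, longest))
```

With a real test, feed read_serials() the bytes of the file written by `tcpdump -w` on the capture host; the reader accepts the little-endian classic pcap header that tcpdump writes on x86 and rejects pcapng or nanosecond-timestamp files, which would need a different reader. The longest-run figure matters as much as the percentage: a capture that loses 1% of packets in a single burst has missed a whole connection, not one packet in a hundred.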

3.13 Analyzing the Data________________________________

After you have taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display individual packets or to filter a few packets out of a large data set; strings, meanwhile, will give you a rough transcript of the cleartext that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That is OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what is called traffic analysis: every IP packet contains the address of its destination and the address of its sender, so by examining the flow of packets over time it is possible to infer when a person is working, who they are communicating with, what web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse. That picture has since changed: with TLS now the default for web and mail traffic, much of what a capture system sees is again limited to traffic analysis of the headers.
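The traffic analysis described above, as an added example (not code from the original chapter): using nothing but the timestamp, source, destination and destination port of each packet, it infers when a host was active, which hour was busiest, and which peers and services it used. The packet records are constructed for the example; in practice they would come from `tcpdump -n -tt` output or a pcap reader.

```python
"""Traffic analysis from packet headers alone.

Added example, not from the original chapter: what a monitoring system can
still infer when payloads are unreadable. Each record is constructed as
(epoch seconds, source, destination, destination port); not a real capture.
"""
from collections import Counter
from datetime import datetime, timezone

DAY0 = 1_700_006_400          # 2023-11-15 00:00:00 UTC, base for the sample
SERVICE = {25: "smtp", 53: "dns", 80: "http", 143: "imap", 443: "https"}

# Constructed sample: one workstation (10.0.0.5) and a night-time mail job (10.0.0.9).
SAMPLE = [
    (DAY0 + 9 * 3600 + 5 * 60,   "10.0.0.5", "10.0.0.25",     143),
    (DAY0 + 9 * 3600 + 6 * 60,   "10.0.0.5", "10.0.0.25",     25),
    (DAY0 + 9 * 3600 + 30 * 60,  "10.0.0.5", "93.184.216.34", 443),
    (DAY0 + 10 * 3600,           "10.0.0.5", "93.184.216.34", 443),
    (DAY0 + 13 * 3600,           "10.0.0.5", "10.0.0.25",     143),
    (DAY0 + 17 * 3600 + 55 * 60, "10.0.0.5", "198.51.100.7",  80),
    (DAY0 + 2 * 3600,            "10.0.0.9", "10.0.0.25",     25),
]


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def profile(records, subject):
    """Activity window, hour-of-day histogram and peers for one source address."""
    mine = [r for r in records if r[1] == subject]
    if not mine:
        return None
    times = sorted(r[0] for r in mine)
    hours = Counter(datetime.fromtimestamp(t, timezone.utc).hour for t in times)
    peers = Counter((dst, SERVICE.get(port, str(port))) for _, _, dst, port in mine)
    return {
        "first_seen": _iso(times[0]),
        "last_seen": _iso(times[-1]),
        "active_hours": sorted(hours),
        "busiest_hour": hours.most_common(1)[0][0],
        "peers": peers.most_common(),        # (destination, service), count
    }


def who_talks_to(records, dst):
    """Every source address that contacted a given destination."""
    return {src for _, src, d, _ in records if d == dst}


def all_profiles(records):
    return {src: profile(records, src) for src in {r[1] for r in records}}


if __name__ == "__main__":
    for src, p in sorted(all_profiles(SAMPLE).items()):
        print(src, p["first_seen"], "->", p["last_seen"], "hours", p["active_hours"])
        for (dst, svc), n in p["peers"]:
            print("   ", dst, svc, n)
    print("clients of 10.0.0.25:", sorted(who_talks_to(SAMPLE, "10.0.0.25")))
```

Nothing here looks inside a packet, which is exactly why this kind of analysis is unaffected by encryption and why a monitoring policy (who may run it, against whom, for how long) is needed even when payload capture is off.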


Using a network forensics tool you can spy on people's email, learn passwords, determine which web pages were viewed, even see the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to the system, under what circumstances it may be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT (network forensic analysis tool), since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provides capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make it considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see whether it contains useful information. The power of these tools is their ability to rapidly distill a large data set into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network used by thousands of people while limiting the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. Rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections containing a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by recording only TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than as a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. The discussion that follows reflects United States law; notice and consent requirements differ elsewhere, so check local law before deploying a monitoring system. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that monitoring may take place. (It is not necessary to inform employees before each specific instance of monitoring, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications. They cannot eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or a court has authorized the intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA does not give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or knowledge of the individuals being monitored, provided they can obtain authorization from a court; however, they have the added restriction of minimization, meaning they may capture and record only the information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. Most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information about the nature of traffic coming in and going out through the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage seen across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer, the product described in the rest of this section, offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer; firewalls are then detected automatically and reports are generated instantly. For all firewalls that support exporting logs in WELF (WebTrends Enhanced Log Format), this is the best configuration option.
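What a log analyzer does with WELF records, as an added example (this is not Firewall Analyzer's code, nor code from the original chapter): a parser for the key=value format, a per-source bandwidth total from the rcvd and sent fields, and a list of severe events. The log lines are constructed for the example, and the code assumes the device uses pri as a syslog-style severity with 0 the most severe; real devices add vendor-specific keys beyond the required id, time, fw and pri.

```python
"""Parse WELF firewall log lines and summarise bandwidth and severe events.

Added example, not part of Firewall Analyzer or the original chapter. WELF
is a line of space-separated key=value pairs; values containing spaces are
double-quoted; id=, time=, fw= and pri= are required. Sample lines below
are constructed. Assumption: pri is syslog-style severity (0 most severe).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
id=firewall time="2011-03-01 09:12:03" fw=fw-edge pri=6 proto=http src=10.0.0.5 dst=93.184.216.34 rule=12 rcvd=4096 sent=512 msg="HTTP GET"
id=firewall time="2011-03-01 09:12:09" fw=fw-edge pri=6 proto=https src=10.0.0.5 dst=93.184.216.34 rule=12 rcvd=120000 sent=2048 msg="TLS session"
id=firewall time="2011-03-01 09:13:41" fw=fw-edge pri=4 proto=tcp src=203.0.113.9 dst=10.0.0.5 rule=99 msg="Denied inbound: port 445"
id=firewall time="2011-03-01 09:14:00" fw=fw-edge pri=6 proto=smtp src=10.0.0.9 dst=10.0.0.25 rule=3 rcvd=300 sent=51200 msg="Mail relay"
id=firewall time="2011-03-01 09:15:22" fw=fw-edge pri=2 proto=tcp src=203.0.113.9 dst=10.0.0.5 rule=99 msg="Port scan detected"
"""

REQUIRED = ("id", "time", "fw", "pri")
# key=value, where value is either a quoted string (with \" escapes) or a bare token
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_welf(line):
    """Turn one WELF line into a dict; raise if a required key is missing."""
    rec = {}
    for key, val in TOKEN.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError("not a WELF record, missing %s: %r" % (missing, line))
    return rec


def summarize(text, severe_at_or_below=4):
    """Return (bytes per source as rcvd+sent, list of severe events)."""
    bytes_by_src = defaultdict(int)
    severe = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_welf(line)
        bytes_by_src[r["src"]] += int(r.get("rcvd", 0)) + int(r.get("sent", 0))
        if int(r["pri"]) <= severe_at_or_below:
            severe.append((r["time"], r["src"], r["dst"], r.get("msg", "")))
    return dict(bytes_by_src), severe


def top_talkers(bytes_by_src, n=3):
    """The n sources that moved the most bytes, largest first."""
    return sorted(bytes_by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    usage, alerts = summarize(SAMPLE_LOG)
    for src, nbytes in top_talkers(usage):
        print("%-15s %10d bytes" % (src, nbytes))
    for when, src, dst, msg in alerts:
        print(when, src, "->", dst, msg)
```

The bandwidth total is what the planning report in 3.14.1 is built from; the severe-event list is the raw material for alerts. Note that a denied connection carries no rcvd or sent fields, so a scanning host shows up with zero bytes and only appears in the severity view.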

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. Log archiving takes up disk space, so the option can be disabled at any time; if the logs may later be needed as evidence, however, keep it enabled, since an archive that was never written cannot be produced afterwards.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA (OPSEC Log Export API) servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles to a file and import that file later to restore them, which comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools__________________________

(Source: http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors listed there:

1. Forensic ToolKit (AccessData Corp.)
2. Email Examiner (Paraben Corp.)
3. EnCase (Guidance Software)
4. ProDiscover (Technology Pathways)
5. Sleuth Kit
6. dtSearch (dtSearch Corp.)

Related topics tagged on the same page: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, other security policies and management, security and privacy software, software and web development, threats and attacks, information security.

3.16 Database Forensics_______________________________

Database forensics is the forensic study of databases: gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that record the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the on-disk format used to encode data; documentation of the formats used by well-known products such as SQL Server and Oracle has been contributed to the public domain.

According to one Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
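The timestamp validity check and the evidence copy mentioned above, as an added example (not code from the original chapter): a small SQLite database with a trigger-maintained audit table receives one legitimate change and two changes made by someone who dropped the trigger first. The checks then look for rows whose update time precedes their creation time, update times with no matching audit entry, and values that differ from the last known-good backup without an audit entry explaining the change. The table, trigger, rows and backup are all constructed for the example; the SHA-256 over a logical dump stands in for the hash an examiner records when taking a copy.

```python
"""Check row timestamps against an audit trail and a known-good copy.

Added example, not from the original chapter. The schema, rows and the
"backup" baseline are constructed; the tampering is simulated in-process.
"""
import hashlib
import sqlite3

TABLES = """
CREATE TABLE directory (
    id INTEGER PRIMARY KEY, lastname TEXT, phone TEXT,
    created_at TEXT NOT NULL, updated_at TEXT NOT NULL);
CREATE TABLE audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, row_id INTEGER, op TEXT,
    old_phone TEXT, new_phone TEXT, at TEXT NOT NULL);
"""
TRIGGER = """
CREATE TRIGGER directory_upd AFTER UPDATE ON directory BEGIN
    INSERT INTO audit(row_id, op, old_phone, new_phone, at)
    VALUES (NEW.id, 'UPDATE', OLD.phone, NEW.phone, NEW.updated_at);
END;
"""
# Rows as they stood in the last known-good backup (constructed).
BASELINE = [
    (1, "chapple", "555-0100", "2011-03-01 09:00:00", "2011-03-01 09:00:00"),
    (2, "smith",   "555-0101", "2011-03-01 09:00:00", "2011-03-01 09:00:00"),
    (3, "jones",   "555-0102", "2011-03-01 09:00:00", "2011-03-01 09:00:00"),
]


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(TABLES + TRIGGER)
    con.executemany("INSERT INTO directory VALUES (?,?,?,?,?)", BASELINE)
    # Legitimate change through the application: the trigger records it.
    con.execute("UPDATE directory SET phone=?, updated_at=? WHERE id=1",
                ("555-0199", "2011-03-02 10:30:00"))
    # Simulated tampering by a privileged user: drop the trigger, edit rows
    # directly (one back-dated, one with the timestamp left alone), restore it.
    con.executescript("""
        DROP TRIGGER directory_upd;
        UPDATE directory SET phone='555-0666', updated_at='2011-02-28 23:59:00' WHERE id=2;
        UPDATE directory SET phone='555-0777' WHERE id=3;
    """ + TRIGGER)
    return con


def find_anomalies(con, baseline):
    """Rows whose timestamps or values are not explained by the audit trail."""
    base = {rid: (phone, updated) for rid, _, phone, _, updated in baseline}
    findings = []
    rows = con.execute("SELECT id, phone, created_at, updated_at FROM directory")
    for rid, phone, created, updated in rows.fetchall():
        audited = [r[0] for r in con.execute(
            "SELECT new_phone FROM audit WHERE row_id=? AND at=?", (rid, updated))]
        if updated < created:                    # ISO-format strings sort correctly
            findings.append((rid, "updated_at earlier than created_at"))
        if updated != base[rid][1] and not audited:
            findings.append((rid, "updated_at changed with no audit entry"))
        if phone != base[rid][0] and phone not in audited:
            findings.append((rid, "value differs from backup with no audit entry"))
    return findings


def evidence_hash(con):
    """Hash a logical copy of the database so the copy can later be shown unaltered."""
    return hashlib.sha256("\n".join(con.iterdump()).encode()).hexdigest()


if __name__ == "__main__":
    db = build_sample_db()
    print("evidence copy sha256:", evidence_hash(db))
    for rid, why in find_anomalies(db, BASELINE):
        print("row", rid, ":", why)
```

Row 3 is the instructive case: its timestamps are internally consistent, and only the comparison against the backup reveals that the value changed. Timestamp checks alone catch clumsy tampering; an independent copy or an audit trail held outside the DBA's reach (3.16.9) is what catches the careful kind.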


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges, and DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergencies. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A Multi-Factored Security Model

What exactly is a multi-factored security approach? Simply put, it is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale; at the same time, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information pertinent to their jobs, and companies can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based on specific requirements and needs, using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet or outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict sensitive traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Newer database security technologies let security administrators set restrictions that prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. For that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defense an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment on the internal network rather than in a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the creation and publication of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans against databases to discover misconfiguration of the controls within the layers mentioned above, along with known vulnerabilities in the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database; database objects include tables and other schema objects, and the permissions granted for SQL commands on those objects are what the review covers. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may affect the application software or the application server. Directly related to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms. A single sign-on system stores the database user's credentials (login ID and password) and authenticates to the database on behalf of the user.

3.16.8 Activity Monitoring

Another, more sophisticated security layer is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could indicate intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties and may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore network- and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.
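One way to make the transferred audit trail tamper-evident, as an added example (not code from the original chapter): each exported record is tagged with an HMAC over the record and the previous record's tag, under a key that the security system holds and the DBAs do not. Editing, deleting or reordering a record breaks the chain from that point on; dropping records off the end does not, which is why the final tag and record count are recorded separately. The audit records and the key are constructed for the example.

```python
"""Tamper-evident export of a native audit trail.

Added example, not from the original chapter. The key below is a
placeholder (assumption: the real key lives on the security system, not
the database host) and the records are constructed.
"""
import hashlib
import hmac
import json

SECURITY_TEAM_KEY = b"example-key-held-off-the-db-host"   # placeholder, not a real key
GENESIS = b"\x00" * 32                                     # prev-tag for the first record

# Constructed audit records, as a native audit facility might export them.
RECORDS = [
    {"seq": 1, "user": "dba1", "action": "ALTER TABLE", "obj": "payroll",   "at": "2011-03-01 09:00:00"},
    {"seq": 2, "user": "app",  "action": "UPDATE",      "obj": "directory", "at": "2011-03-01 09:05:00"},
    {"seq": 3, "user": "dba1", "action": "SELECT",      "obj": "payroll",   "at": "2011-03-01 09:07:00"},
    {"seq": 4, "user": "dba1", "action": "DELETE",      "obj": "audit",     "at": "2011-03-01 09:08:00"},
]


def _canon(rec):
    """Canonical bytes for a record, so the same record always tags the same way."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, prev, rec):
    return hmac.new(key, prev + _canon(rec), hashlib.sha256).digest()


def export_chain(records, key):
    """Return the chained export and the final tag (hex) to store out of band."""
    prev, out = GENESIS, []
    for rec in records:
        prev = _tag(key, prev, rec)
        out.append({"rec": rec, "tag": prev.hex()})
    return out, prev.hex()


def verify_chain(exported, key, expected_final=None, expected_count=None):
    """(index of first bad entry or None, whether the tail matches what was recorded)."""
    prev = GENESIS
    for i, entry in enumerate(exported):
        prev = _tag(key, prev, entry["rec"])
        if not hmac.compare_digest(prev, bytes.fromhex(entry["tag"])):
            return i, False
    tail_ok = ((expected_final is None or prev.hex() == expected_final)
               and (expected_count is None or len(exported) == expected_count))
    return None, tail_ok


if __name__ == "__main__":
    exported, final = export_chain(RECORDS, SECURITY_TEAM_KEY)
    print("intact:", verify_chain(exported, SECURITY_TEAM_KEY, final, len(RECORDS)))
    exported[2]["rec"]["action"] = "UPDATE"          # simulate an edit after export
    print("edited:", verify_chain(exported, SECURITY_TEAM_KEY, final, len(RECORDS)))
```

The chain proves the export was not altered after the security system tagged it; it says nothing about what happened before extraction, which is the gap the section's last sentence is about and why host- or network-level monitoring is still recommended.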

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered where the risk is commensurate with the expenditure for such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing for SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, attackers manipulate a web application in an attempt to inject their own SQL commands into those the application issues to the database. (For an example, see the article "SQL Injection Attacks on Databases".) In this section we look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What is a poor application developer to do? You can run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here look only for basic SQL injection flaws. They will not detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you cannot handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that will not actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you have a simple web application that looks up an individual in a database and returns contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. With the assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

Note that the syntax above differs slightly from that in the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (for example, %3d is the URL encoding of the = character and %3e of >), and line breaks have been added for the same reason.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, it will strip out (or escape) the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL, and you will see an error message from the application similar to:

Error: No user found with name mike AND (select count(*) from fake) > 0 OR 1=1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it should not), you will see something like:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

Otherwise, if your web server does not display detailed error messages, you will get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is vulnerable to SQL injection. The generic page is the weaker signal, since it could have another cause; confirm it by retrying with the injected clause removed and checking that the page then loads. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement parameter checking in all applications. For example, if you are asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries; the rule of least privilege applies. If the account used to execute the query does not have permission for what the injected statement tries to do, it will not succeed.

Use parameterized queries, stored procedures or similar techniques so that user input is passed to the database as data and is never interpreted as SQL code. Stripping quotes, as the "well-behaved" application above does, is a much weaker defense and is easily bypassed.
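The directory lookup from this section, vulnerable and fixed, as an added example (not code from the original article): lookup_vulnerable() splices the user's input into the SQL text, which is the flaw the manual test detects, and lookup_safe() binds the same input as a parameter. It runs against an in-memory SQLite table constructed for the example, so the error text is SQLite's rather than SQL Server's, but the probe from 3.17.2 produces the same "no such table" outcome on the vulnerable path and nothing on the safe one. The numeric check implements the first recommendation above.

```python
"""The section's directory lookup, vulnerable and parameterized, on SQLite.

Added example, not from the original article. The table and its rows are
constructed; PROBE is the section's test payload, DUMP_ALL a second one.
"""
import sqlite3

PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"
DUMP_ALL = "x' OR '1'='1"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT);
        INSERT INTO directory VALUES ('chapple', 'mike', '555-0100');
        INSERT INTO directory VALUES ('smith',   'jane', '555-0101');
    """)
    return con


def lookup_vulnerable(con, lastname, firstname):
    """The 'before' case: user input is spliced into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, lastname, firstname):
    """Parameterized query: the driver passes the input as data, never as SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in con.execute(sql, (lastname, firstname))]


def customer_number(raw):
    """Parameter checking for a numeric field: reject anything but digits."""
    if not raw.isdigit():
        raise ValueError("customer number must be numeric: %r" % raw)
    return int(raw)


def probe(fn, con, firstname):
    """Run a lookup and report either the rows or the database's error text."""
    try:
        return ("rows", fn(con, "chapple", firstname))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, "probe   :", probe(fn, db, PROBE))
        print(name, "dump-all:", probe(fn, db, DUMP_ALL))
```

The second payload shows why the harmless probe matters: the same flaw that leaks an error about a table named fake also returns every row in the table once the condition is made unconditionally true. Least privilege (the second recommendation) is not shown here because SQLite has no per-account grants; on a server database, run the application's queries under an account that can only SELECT from the tables it needs.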

318 Mobile Forensics_________________________________ Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions This includes full data retrieval and examination of data found on the SIMUSIM the phone body itself and the optional memory cards Data retrieved and examined can include images videos text or SMS messages call times and contact numbers Mobile Phone Forensics or Cell Phone Forensics is improving daily These services are now commercially available through certain specialist companies and is no longer reserved for the most high profile murder enquiries but by individuals checking to see if their partner or lover has been cheating on them by Human Resources who need to prove if ldquothatrdquo phone call was actually taken or by Private Investigators who are checking to see if the client was where they say they were at a given specific time Above are of course just a few of the hundreds of examples of why mobile phone forensics are becoming more and more important in the lives of the military investigative agencies (police forces security agencies private investigators) human resources and indeed private individuals These days along with the computer mobile phone forensics is the police officers first point of call Where are you likely to record everything Where are the records of wrong doings going to be stored Even if you are not the sort of person to record wrong doings human nature states that you will tell at least someone On a computer they could be stored within your PST file(Microsoft Outlook personal storage file) your EDB file (Microsoft Exchange storage file) your NSS (Lotus Notes) your MSG (Microsoft Outlook Express) and your EML (generic email files) amongst others


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking, and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network, or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages, and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information, or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number, and email domain. This information is often found in virtual storage units such as your browser history, cache, or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts, and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage, and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs, and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use such fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell information like DVDs, CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting, or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of Computer Crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords, and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target the users by means of chat rooms, online forums, and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls, and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism, and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates, and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession
• Documenting the date and time associated with computer files when the computer was taken into evidence
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed, and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
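The mathematical authentication, timestamp documentation and keyword steps above, as an added example that is not part of the original text: a Python helper that inventories an evidence tree with SHA-256 digests and file timestamps, re-verifies it to detect any alteration after seizure, and runs a keyword list over the raw contents. The evidence files, their contents and the keywords are constructed in a temporary directory, which stands in for a mounted bit-stream image.

```python
"""Added example, not code from the original text: an evidence-integrity
helper for the investigation steps listed above.  It inventories every file
under an evidence directory with a SHA-256 digest and its timestamps,
re-verifies that inventory later to prove nothing changed after seizure, and
runs a keyword list over the raw file contents.  The evidence tree, its files
and the keywords are constructed in a temporary directory, which stands in for
a mounted bit-stream image (an assumption of this example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _walk(root):
    """Yield (relative path, absolute path) for every file under root, in stable order."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def inventory(root):
    """Record digest, size and the modified/accessed/changed timestamps of every file.
    Reading a live file system updates access times, which is why real examinations
    work from a write-blocked image rather than the original media."""
    records = {}
    for rel, path in _walk(root):
        st = os.stat(path)
        records[rel] = {"sha256": sha256_file(path), "size": st.st_size,
                        "modified": _utc(st.st_mtime), "accessed": _utc(st.st_atime),
                        "metadata_changed": _utc(st.st_ctime)}
    return records


def verify(root, baseline):
    """Re-hash the tree and report files whose digest changed, vanished or appeared."""
    current = inventory(root)
    return {
        "changed": sorted(p for p in baseline if p in current
                          and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
    }


def keyword_hits(root, keywords):
    """Case-insensitive byte search, so binary caches and not just text files are covered."""
    needles = {k: k.lower().encode() for k in keywords}
    hits = {k: [] for k in keywords}
    for rel, path in _walk(root):
        with open(path, "rb") as fh:
            blob = fh.read().lower()        # small sample files; stream for real images
        for k, needle in needles.items():
            if needle in blob:
                hits[k].append(rel)
    return hits


def build_sample_evidence():
    """Constructed evidence tree (made-up content) in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Documents"))
    samples = {
        "cache.bin": b"\x00\x01\x02PayPal login for acme\xff\xfe",
        "Documents/notes.txt": b"Meeting with ACME about the wire transfer on Friday.\n",
        "Documents/budget.csv": b"item,amount\nconsulting,12000\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Baseline, then a simulated post-seizure alteration, then the keyword pass."""
    root = build_sample_evidence()
    baseline = inventory(root)
    clean = verify(root, baseline)
    with open(os.path.join(root, "Documents", "notes.txt"), "ab") as fh:
        fh.write(b"tampered\n")                  # what verification must catch
    tampered = verify(root, baseline)
    hits = keyword_hits(root, ["ACME", "wire transfer", "paypal"])
    return clean, tampered, hits
```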

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers.
• Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words.
• Never give your password to someone else.



• Works better with IPSec: now the firewall rules and IPSec encryption configurations are integrated into one interface.
• Advanced Rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts & groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.

With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall you can better secure your servers from attack, prevent your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.

3.10.4 What are the options for configuring Windows Firewall with Advanced Security?

Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or from the MMC with only the WFAS snap-in. Here is what they both look like:


Figure 3.3 Windows 2008 Server Manager


Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC Snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).


Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile, and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say, the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules. WOW!


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

• Identify the protocol you want to filter: in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).
• Identify the source IP address, source port number, destination IP address, and destination port number: our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).
• Open the Windows Firewall with Advanced Security MMC.
• Add the Rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

• Select that you want to create a rule for a port.
• Configure protocol & port number: take the default of TCP, enter the port number as 80, and click Next.
• Take the default of "allow this connection" & click Next.
• Take the default of applying this rule to all profiles & click Next.
• Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great!

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level, as well as to allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

• High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio(TM), will not work without a proxy.

• Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

• Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the Section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

• Web Server: Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

• Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3, or fetchmail.

• Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

• Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

• "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

• "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384kbps DSL link, a 66MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
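The three retention policies discussed in this and the preceding sections (full catch-it-as-you-can capture, stop-look-and-listen reduction to flow metadata, and keyword-based minimization of the kind I-Watch applied) side by side, as an added example that is not part of the original text. The connections, hosts and payloads are constructed; the keyword sni256 comes from the Harvard case described above, and the two keyword hits in the sample model its observation that a legitimate user's connection can be swept in along with the suspect's.

```python
from collections import defaultdict

# Constructed sample connections: (src, dst, dst_port, payload bytes).
# Two payloads contain the keyword; only one belongs to the suspect host.
SUSPECT_SRC = "10.0.0.9"
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "192.0.2.10", 23, b"login: alice\r\npassword: hunter2\r\n"),
    ("10.0.0.7", "192.0.2.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("10.0.0.9", "192.0.2.30", 21, b"USER bob\r\nPUT sni256\r\n"),
    ("10.0.0.11", "192.0.2.40", 25, b"Subject: re: sni256 paper draft\r\n"),
    ("10.0.0.5", "192.0.2.10", 23, b"ls -la\r\n"),
]


def catch_it_as_you_can(connections):
    """Full capture: every payload byte is written to disk, so storage grows
    with traffic volume and user data (here a cleartext password) is retained."""
    return sum(len(payload) for _, _, _, payload in connections)


def stop_look_and_listen(connections):
    """Reduce each connection to flow metadata, the traffic-analysis view:
    who talked to whom, on which port, how often and how much.
    The payload itself is discarded, so nothing like the password above survives."""
    flows = defaultdict(lambda: {"count": 0, "bytes": 0})
    for src, dst, port, payload in connections:
        flow = flows[(src, dst, port)]
        flow["count"] += 1
        flow["bytes"] += len(payload)
    return dict(flows)


def keyword_minimized(connections, keyword):
    """Keep only connections whose payload contains the keyword (the I-Watch idea):
    everything else is never written to disk at all."""
    return [conn for conn in connections if keyword in conn[3]]


def minimization_report(connections, keyword, suspect_src):
    """How many connections the keyword filter keeps, and how many of those
    belong to someone other than the suspect (the collateral capture the
    text mentions). Both numbers belong in the minimization record."""
    kept = keyword_minimized(connections, keyword)
    collateral = [conn for conn in kept if conn[0] != suspect_src]
    return len(kept), len(collateral)


if __name__ == "__main__":
    print("full capture bytes:", catch_it_as_you_can(SAMPLE_CONNECTIONS))
    print("flows:", stop_look_and_listen(SAMPLE_CONNECTIONS))
    print("kept, collateral:", minimization_report(SAMPLE_CONNECTIONS, b"sni256", SUSPECT_SRC))
```

Run on the sample, full capture retains all 124 payload bytes (password included), the flow view keeps four flow records with no payload, and the keyword filter keeps two connections, one of which is the legitimate mail message: the same kind of over-collection a minimization log has to account for.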


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
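A minimal parser for WELF-style firewall logs of the kind the text says Firewall Analyzer consumes, together with the per-source bandwidth, denied-connection and per-hour summaries that such a tool reports. This is an added example and not Firewall Analyzer's own code; the log lines are constructed, and the key=value field names (src, dst, rcvd, sent, rule, proto, msg) follow the WELF convention as I understand it.

```python
import re
from collections import Counter, defaultdict

# WELF is a line of key=value pairs; values containing spaces are double-quoted.
WELF_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in WELF key=value style (not real firewall output).
SAMPLE_WELF = """\
id=firewall time="2001-08-07 08:46:19" fw=192.168.0.1 pri=6 rule=allow proto=http src=10.0.0.5 dst=192.0.2.8 rcvd=1024 sent=512 msg="web"
id=firewall time="2001-08-07 08:46:25" fw=192.168.0.1 pri=6 rule=allow proto=smtp src=10.0.0.7 dst=192.0.2.9 rcvd=0 sent=2048 msg="mail out"
id=firewall time="2001-08-07 08:47:01" fw=192.168.0.1 pri=4 rule=deny proto=tcp/445 src=198.51.100.4 dst=10.0.0.5 rcvd=0 sent=0 msg="blocked inbound"
id=firewall time="2001-08-07 08:47:30" fw=192.168.0.1 pri=6 rule=allow proto=http src=10.0.0.5 dst=192.0.2.8 rcvd=4096 sent=256 msg="web"
id=firewall time="2001-08-07 09:02:11" fw=192.168.0.1 pri=4 rule=deny proto=tcp/445 src=198.51.100.4 dst=10.0.0.7 rcvd=0 sent=0 msg="blocked inbound"
"""


def parse_welf_line(line):
    """Turn one WELF line into a dict, removing the quotes around quoted values."""
    return {key: value.strip('"') for key, value in WELF_FIELD.findall(line)}


def parse_welf(text):
    """Parse a whole export, skipping blank lines."""
    return [parse_welf_line(line) for line in text.splitlines() if line.strip()]


def _volume(rec):
    return int(rec.get("rcvd", 0)) + int(rec.get("sent", 0))


def bandwidth_by_source(records):
    """Bytes (received + sent) per source for permitted traffic: the figure a
    bandwidth-planning report is built from. Denied connections carry no payload."""
    usage = Counter()
    for rec in records:
        if rec.get("rule") == "deny":
            continue
        usage[rec["src"]] += _volume(rec)
    return usage


def denied_by_source(records):
    """Per remote source: how many connections the firewall refused and which
    protocols/ports were tried, the raw material for a blocked-traffic report."""
    denied = defaultdict(lambda: {"count": 0, "protos": set()})
    for rec in records:
        if rec.get("rule") != "deny":
            continue
        denied[rec["src"]]["count"] += 1
        denied[rec["src"]]["protos"].add(rec.get("proto", "?"))
    return dict(denied)


def traffic_by_hour(records):
    """Bytes per clock hour ("YYYY-MM-DD HH"), for the usage-over-time view."""
    per_hour = Counter()
    for rec in records:
        per_hour[rec["time"][:13]] += _volume(rec)
    return per_hour


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_WELF)
    print(bandwidth_by_source(recs))
    print(denied_by_source(recs))
    print(traffic_by_hour(recs))
```

Because WELF is plain key=value text, the same parser handles any firewall that exports it; vendor-specific formats (the Squid and Check Point LEA cases in the following subsections) need their own front end but can feed the same summaries.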

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import them later to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors named on that page: Forensic ToolKit (AccessData Corp), Email Examiner (Paraben Corp), EnCase (Guidance Software), ProDiscover (Technology Pathways), Sleuth Kit, dtSearch (dtSearch Corp).

Related topics listed there: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, security policies and management, security and privacy software, software and web development, threats and attacks, information security.

3.16 Database Forensics_______________________________

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today - particularly as email and the Internet make sharing and distributing corporate information easier than ever - is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
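One way to encode rules of this kind (source address, time of day, authentication mode) as a policy check that runs before an administrative statement is allowed through, written as an added example rather than code from the text or from any database product. The intranet ranges, the business-hours window, the action names and the authentication modes are assumptions chosen for the example.

```python
import ipaddress
from datetime import datetime, time

# Assumed policy values (constructed for the example, not from the text).
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
STRONG_AUTH = {"certificate", "token"}


def from_intranet(client_ip):
    """Decision factor 1: did the session originate inside the corporate network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTRANET)


def in_business_hours(when):
    """Decision factor 2: Monday to Friday, 08:00 to 18:00 local time."""
    return when.weekday() < 5 and BUSINESS_START <= when.time() < BUSINESS_END


def evaluate(action, client_ip, when_iso, auth_mode):
    """Decide whether a database action may proceed.

    action     -- "DDL" for schema changes, "DML" for ordinary data changes
    client_ip  -- address the session came from
    when_iso   -- ISO-8601 timestamp of the request, e.g. "2024-03-05T10:00"
    auth_mode  -- decision factor 3: "password", "certificate" or "token"
    Returns (allowed, reasons); reasons is empty when the action is allowed,
    otherwise it lists every rule that was violated (useful for the audit log).
    """
    when = datetime.fromisoformat(when_iso)
    reasons = []
    inside = from_intranet(client_ip)
    if action == "DDL":
        # The text's example: no schema changes from outside the intranet
        # or outside normal business hours.
        if not inside:
            reasons.append("schema changes are only permitted from the corporate intranet")
        if not in_business_hours(when):
            reasons.append("schema changes are only permitted during business hours")
    if not inside and auth_mode not in STRONG_AUTH:
        # Remote data access is tolerated, but only with a strong authentication mode.
        reasons.append("remote sessions must use certificate or token authentication")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(evaluate("DDL", "10.1.2.3", "2024-03-05T10:00", "password"))
    print(evaluate("DDL", "203.0.113.5", "2024-03-05T02:00", "password"))
```

The check is deliberately additive: every violated rule is reported rather than just the first, so the denial that lands in the audit trail explains the full context of the attempt.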

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control, auditing, authentication, encryption, and integrity controls.

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
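The segregation just described only yields evidence if the security system can later show that the exported trail was not altered, shortened or reordered after it left the DBA's reach. An added example (not code from the text or from any database product) of a hash chain that the receiving security system builds over exported audit records and can verify against a head digest it recorded out of band; the audit records and the digest layout are constructed for the example.

```python
import hashlib
import json

# Constructed exported audit records (not real database output).
SAMPLE_AUDIT = [
    {"seq": 1, "user": "dba1", "ts": "2009-06-01T09:12:05",
     "stmt": "GRANT SELECT ON payroll TO app_ro"},
    {"seq": 2, "user": "dba1", "ts": "2009-06-01T23:41:17",
     "stmt": "UPDATE payroll SET salary = salary * 1.5 WHERE emp_id = 42"},
    {"seq": 3, "user": "sec_admin", "ts": "2009-06-02T08:00:00",
     "stmt": "AUDIT ALL BY dba1"},
]


def entry_digest(prev_digest, record):
    """SHA-256 over the previous entry's digest and a canonical (sorted-key,
    whitespace-free) JSON encoding of the record, so the same record always
    hashes the same way regardless of dict ordering."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def chain_audit_trail(records):
    """Run on the security system as records arrive. Each entry's digest
    commits to every earlier entry, so editing, dropping or reordering one
    record breaks that entry's digest and every digest after it."""
    chained, prev = [], ""
    for record in records:
        digest = entry_digest(prev, record)
        chained.append({"record": record, "digest": digest})
        prev = digest
    return chained


def head_digest(chained):
    """The one value to record out of band (printed log, ticket, second system):
    it pins down the whole chain, including its length."""
    return chained[-1]["digest"] if chained else ""


def verify_chain(chained, expected_head):
    """Returns (ok, first_bad_index). A record that no longer matches its
    digest gives its index; a chain that is internally consistent but has been
    truncated (or padded) gives (False, None) because the head differs."""
    prev = ""
    for index, entry in enumerate(chained):
        if entry_digest(prev, entry["record"]) != entry["digest"]:
            return False, index
        prev = entry["digest"]
    return prev == expected_head, None


def with_altered_record(chained, index, **changes):
    """Copy of the chain with one record's fields changed; used below to show
    that an after-the-fact edit is detected."""
    copied = [{"record": dict(e["record"]), "digest": e["digest"]} for e in chained]
    copied[index]["record"].update(changes)
    return copied


if __name__ == "__main__":
    chain = chain_audit_trail(SAMPLE_AUDIT)
    head = head_digest(chain)
    print("intact:", verify_chain(chain, head))
    edited = with_altered_record(chain, 1, stmt="UPDATE payroll SET salary = salary WHERE emp_id = 42")
    print("edited record 2:", verify_chain(edited, head))
    print("record 2 removed:", verify_chain(chain[:1] + chain[2:], head))
```

The chain proves integrity from the moment the records reached the security system, not before; anything a DBA could do inside the database before the export still needs the network- or host-level monitoring the text prefers. Keeping the head digest where the DBA cannot write is what makes the separation of duties hold.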

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
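The same probe run against a throwaway SQLite table, as an added example (not the article's code) that contrasts the string-built query with the parameterised form the recommendations above call for; the table rows and phone numbers are constructed for the example.

```python
import sqlite3

# Constructed sample 'directory' table; the names mirror the page's example,
# the phone numbers are made up.
SAMPLE_ROWS = [
    ("chapple", "mike", "555-0100"),
    ("smith", "jane", "555-0101"),
]

# The page's probe after URL decoding, exactly as directory.asp would receive
# it in the firstname parameter.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_directory_db():
    """In-memory SQLite stand-in for the page's directory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The flaw: request parameters are spliced into the SQL text, so a quote
    in the input ends the literal and everything after it becomes SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, lastname, firstname):
    """The fix behind 'stored procedures or similar techniques': the statement
    is fixed and the values travel as bound parameters, so input can only ever
    be compared with, never executed."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe_result(conn, lastname, firstname, lookup):
    """What the browser test above would observe for one lookup routine: a
    normal row count, or a leaked database error (SQLite's 'no such table:
    fake' plays the role of the page's 'Invalid object name fake')."""
    try:
        rows = lookup(conn, lastname, firstname)
    except sqlite3.OperationalError as exc:
        return "database error leaked: %s" % exc
    return "rows returned: %d" % len(rows)


def is_customer_number(value, max_digits=10):
    """The first recommendation in code: a customer number must be plain
    ASCII decimal digits before it goes anywhere near a query."""
    value = value.strip()
    return value.isascii() and value.isdigit() and 0 < len(value) <= max_digits


if __name__ == "__main__":
    db = make_directory_db()
    print("vulnerable:   ", probe_result(db, "chapple", PROBE, lookup_vulnerable))
    print("parameterised:", probe_result(db, "chapple", PROBE, lookup_parameterised))
```

With the vulnerable lookup the probe surfaces as a database error about the non-existent table, which is the signal the browser test looks for; with bound parameters the same input is just a first name nobody has.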

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards, mainly MMC memory cards but not exclusively. Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people

Illegally using someone else's computer or "posing" as someone else on the Internet

Using spyware to gather information about people

Emails requesting money in return for "small deposits"

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers

Using someone else's computer to access personal information with the intent to use such fraudulently

Using the computer to solicit minors into sexual alliances

Violating copyright laws by copying information with the intent to sell that information, like DVDs and CDs

Hacking into computer systems to gather large amounts of information for illegal purposes

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered.

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.

Documenting the date and time associated with computer files when the computer was taken into evidence.

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source to investigate crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
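An added example (not from the original course material) of the authentication and keyword steps above in Python: chunked MD5 and SHA-256 digests of an image tied to a dated acquisition record that can be re-verified later, and a keyword sweep over raw image bytes in both ASCII and UTF-16LE so that Windows-style text in the swap file, slack or unallocated space is not missed. The image bytes, evidence id and examiner name are constructed for the example.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for a bit-stream image of a small drive: filler plus one
# ASCII string and one UTF-16LE string (the encoding Windows uses in the swap
# file, registry hives and many documents). Not real evidence.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"transfer to offshore account 4471 tomorrow"
    + b"\x00" * 200
    + "offshore".encode("utf-16-le")
    + b"\xff" * 128
)

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; a real image never fits in RAM


def image_stream(data=SAMPLE_IMAGE):
    """File-like view of the sample image (stands in for open(path, 'rb'))."""
    return io.BytesIO(data)


def hash_stream(fobj, algorithms=("md5", "sha256")):
    """Chunked digests of an image. Two algorithms are recorded, as examiners
    commonly do, so the record does not rest on a single hash function."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(fobj, evidence_id, examiner):
    """Document the image at the moment it is taken into possession: who,
    when (UTC, so the time zone cannot be disputed) and which digests."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_stream(fobj),
    }


def record_json(record):
    """Serialise the record for the case file; sorted keys keep diffs stable."""
    return json.dumps(record, sort_keys=True, indent=2)


def verify_record(fobj, record):
    """Re-hash the image later; a single altered byte fails every digest."""
    current = hash_stream(fobj, tuple(record["hashes"]))
    return all(current[n] == d for n, d in record["hashes"].items())


def keyword_hits(data, keywords):
    """Offsets of each keyword in raw image bytes (case-insensitive), searched
    as ASCII and as UTF-16LE. Because it ignores the file system, the same
    sweep covers unallocated space and file slack."""
    hits = {}
    lower = data.lower()  # bytes.lower() folds ASCII letters only, which is what we need
    for word in keywords:
        found = []
        for encoding in ("ascii", "utf-16-le"):
            needle = word.lower().encode(encoding)
            pos = lower.find(needle)
            while pos >= 0:
                found.append((pos, encoding))
                pos = lower.find(needle, pos + 1)
        hits[word] = sorted(found)
    return hits


if __name__ == "__main__":
    record = acquisition_record(image_stream(), "EV-2024-001", "examiner A")
    print(record_json(record))
    print("verified:", verify_record(image_stream(), record))
    print(keyword_hits(SAMPLE_IMAGE, ["offshore", "4471"]))
```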

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.


Figure 3.3 Windows 2008 Server Manager

Figure 3.4 Windows 2008 Firewall with Advanced Security MMC only

The quickest & easiest way to start the WFAS MMC is to just type "firewall" in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC Snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).

Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6.

Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:

Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules. WOW!

Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter. In our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number. Our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC.

Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.

Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

Select that you want to create a rule for a port.

Configure protocol & port number: take the default of TCP, enter the port number as 80, and click Next.

Take the default of "allow this connection" & click Next.

Take the default of applying this rule to all profiles & click Next.

Give the rule a name and click Finish.

At this point, you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great!

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security — This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio™, will not work without a proxy.

Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server — Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail — Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell — Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet — Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running To manual start the service use the command sbinservice ipchains restart

To ensure that it is started when the system is booted issue the command sbinchkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384kbps DSL link, a 66MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
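An added example (not the article's analysis package) of the drop-counting step described above: a minimal reader for classic pcap files and the two statistics the text calls for, drop percentage and longest run of consecutive drops, computed from the generator's serial numbers. The serial number living in the first four bytes of the Ethernet payload is an assumption about the hypothetical generator, and the capture is constructed in memory.

```python
import struct

# Constructed example: a minimal pcap writer/reader and the dropped-packet
# statistics the text describes. Placing the serial number in the first four
# bytes of the Ethernet payload (big-endian) is an assumption about the
# hypothetical packet generator, not a documented format.

PCAP_MAGIC_LE = 0xA1B2C3D4      # pcap magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic read with the opposite byte order
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def build_capture(serials, frame_len=64):
    """Write an in-memory pcap file holding one Ethernet frame per serial."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0,
                                65535, LINKTYPE_ETHERNET))
    for i, serial in enumerate(serials):
        payload = struct.pack(">I", serial).ljust(frame_len - ETH_HDR_LEN, b"\x00")
        frame = (b"\xff" * 6                      # destination MAC (broadcast)
                 + b"\x00\x11\x22\x33\x44\x55"    # source MAC (constructed)
                 + b"\x08\x00"                    # EtherType IPv4, not parsed here
                 + payload)
        out += struct.pack("<IIII", 1_000_000 + i, i * 100, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_frames(data):
    """Yield (timestamp, frame_bytes) for each record in a pcap byte string."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file: magic 0x%08x" % magic)
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        off += RECORD_HDR_LEN
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def frame_serial(frame):
    """Return the generator's serial number from a frame, or None if too short."""
    if len(frame) < ETH_HDR_LEN + 4:
        return None
    return struct.unpack_from(">I", frame, ETH_HDR_LEN)[0]


def capture_stats(data):
    """Percentage of dropped packets and longest run of consecutive drops."""
    serials = []
    for _ts, frame in iter_frames(data):
        serial = frame_serial(frame)
        if serial is not None:
            serials.append(serial)
    if not serials:
        return {"expected": 0, "received": 0, "dropped": 0,
                "drop_pct": 0.0, "longest_drop_run": 0}
    expected = serials[-1] - serials[0] + 1   # packets the generator sent
    received = len(set(serials))              # a duplicated frame counts once
    longest = 0
    for prev, cur in zip(serials, serials[1:]):
        if cur > prev:                        # ignore reordered/duplicate frames
            longest = max(longest, cur - prev - 1)
    dropped = expected - received
    return {"expected": expected, "received": received, "dropped": dropped,
            "drop_pct": 100.0 * dropped / expected, "longest_drop_run": longest}


# Constructed capture: serials 3, 6, 7 and 8 never made it to disk.
SAMPLE_CAPTURE = build_capture([0, 1, 2, 4, 5, 9, 10, 11, 12])

if __name__ == "__main__":
    print(capture_stats(SAMPLE_CAPTURE))
```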

We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations, the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.

Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications (they can't eavesdrop on communications or disclose intercepted contents) unless one of the parties to the communication has given consent, or the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.

Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
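As an added example (not Firewall Analyzer's code), here is a small parser for the WELF export format mentioned above, together with the per-source and per-protocol byte totals that the bandwidth analysis in 3.14.1 relies on. The log lines are constructed; the key names follow the WELF convention (id, time, fw and pri mandatory; src, dst, proto, sent, rcvd and msg optional), and treating a msg that starts with "deny" as a denied event is my assumption, not part of the format.

```python
import re
from collections import defaultdict

# Constructed WELF (WebTrends Enhanced Log Format) records: space-separated
# key=value pairs, with values containing spaces in double quotes. Hosts,
# rule numbers and byte counters are made up for the example.
SAMPLE_WELF = """\
id=firewall time="2009-03-02 09:15:01" fw=fw1.example.test pri=6 rule=12 proto=http src=10.1.1.20 dst=203.0.113.7 sent=512 rcvd=98304 msg="allow"
id=firewall time="2009-03-02 09:15:07" fw=fw1.example.test pri=6 rule=12 proto=https src=10.1.1.20 dst=203.0.113.9 sent=2048 rcvd=524288 msg="allow"
id=firewall time="2009-03-02 09:15:09" fw=fw1.example.test pri=4 rule=3 proto=telnet src=10.1.1.44 dst=203.0.113.7 sent=0 rcvd=0 msg="deny: telnet not permitted"
id=firewall time="2009-03-02 09:16:30" fw=fw1.example.test pri=6 rule=12 proto=http src=10.1.1.44 dst=203.0.113.7 sent=1024 rcvd=40960 msg="allow"
this line is not WELF at all
id=firewall time="2009-03-02 09:17:02" fw=fw1.example.test pri=6 rule=15 proto=smtp src=10.1.1.20 dst=203.0.113.25 sent=8192 rcvd=256 msg="allow"
"""

# key=value where value is either a quoted string (backslash escapes allowed)
# or a run of non-space characters.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
REQUIRED = ("id", "time", "fw", "pri")   # mandatory WELF keys


def parse_welf_line(line):
    """Return a dict of fields, or None if the line lacks the mandatory keys."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    if not all(k in fields for k in REQUIRED):
        return None
    return fields


def parse_welf(text):
    """Parse every line, skipping lines that are not WELF records."""
    records = []
    for line in text.splitlines():
        rec = parse_welf_line(line.strip())
        if rec is not None:
            records.append(rec)
    return records


def _record_bytes(rec):
    """Bytes carried by one record; missing counters count as zero."""
    return int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))


def bandwidth_by_source(records):
    """Total bytes (sent + received) per source host, largest first."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec.get("src", "?")] += _record_bytes(rec)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def bandwidth_by_protocol(records):
    """Total bytes per protocol name as the firewall labelled it."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec.get("proto", "?")] += _record_bytes(rec)
    return dict(totals)


def denied_events(records):
    """Records whose msg marks a deny (assumed convention for this sample)."""
    return [rec for rec in records if rec.get("msg", "").lower().startswith("deny")]


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_WELF)
    for src, total in bandwidth_by_source(recs):
        print("%-12s %10d bytes" % (src, total))
    print(bandwidth_by_protocol(recs))
    print("denied:", len(denied_events(recs)))
```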

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import the profiles later to get them back. This comes in handy in exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.

3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp
3. Email Examiner
4. Encase
5. Guidance Software
6. Paraben Corp
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other Security Policies and Management

Security and Privacy Software, Software and Web Development, Threats and Attacks, information security

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
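To make the timestamp check described above concrete, here is an added example (not from the page) using SQLite: an accounts table with created_at and updated_at columns, an audit_log that the application writes on every change, and a forensic pass that flags rows whose timestamps precede their own creation, rows whose last update has no matching audit entry (a change made outside the audited path), and audit entries dated after the row's recorded update. The schema, table names, user names and sample rows are all constructed.

```python
import sqlite3

# Constructed example: the application changes rows only through
# audited_update(), so every legitimate updated_at should have a matching
# audit_log entry. Timestamps are ISO-8601 UTC strings, which compare
# correctly as text.
SCHEMA = """
CREATE TABLE accounts (
    id         INTEGER PRIMARY KEY,
    owner      TEXT    NOT NULL,
    balance    INTEGER NOT NULL,
    created_at TEXT    NOT NULL,
    updated_at TEXT    NOT NULL
);
CREATE TABLE audit_log (
    row_id      INTEGER NOT NULL,
    changed_at  TEXT    NOT NULL,
    db_user     TEXT    NOT NULL,
    old_balance INTEGER,
    new_balance INTEGER
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def audited_update(conn, row_id, new_balance, db_user, when):
    """The application's change path: update the row and record who did it."""
    old = conn.execute("SELECT balance FROM accounts WHERE id = ?", (row_id,)).fetchone()
    if old is None:
        raise KeyError(row_id)
    with conn:   # both statements commit together
        conn.execute("UPDATE accounts SET balance = ?, updated_at = ? WHERE id = ?",
                     (new_balance, when, row_id))
        conn.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)",
                     (row_id, when, db_user, old[0], new_balance))


def timestamp_findings(conn):
    """Return (row_id, reason) pairs for rows whose timestamps do not hold up."""
    findings = []
    rows = conn.execute("SELECT id, created_at, updated_at FROM accounts ORDER BY id")
    for row_id, created_at, updated_at in rows:
        if updated_at < created_at:
            findings.append((row_id, "updated_at precedes created_at"))
            continue
        if updated_at == created_at:
            continue                      # never modified; nothing to reconcile
        last = conn.execute(
            "SELECT MAX(changed_at) FROM audit_log WHERE row_id = ?", (row_id,)
        ).fetchone()[0]
        if last != updated_at:
            findings.append((row_id, "updated_at has no matching audit_log entry"))
    # Reverse direction: an audit entry dated after the row's own updated_at
    # means the row (or the log) was rewritten after the audited change.
    for row_id, changed_at in conn.execute(
            "SELECT a.row_id, a.changed_at FROM audit_log a "
            "JOIN accounts r ON r.id = a.row_id WHERE a.changed_at > r.updated_at"):
        findings.append((row_id, "audit_log entry %s is later than updated_at" % changed_at))
    return findings


def build_sample():
    """Constructed data: one clean update, one unaudited edit, one bad clock."""
    conn = open_db()
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
        [(1, "alice", 100, "2009-03-01T08:00:00Z", "2009-03-01T08:00:00Z"),
         (2, "bob",   250, "2009-03-01T08:05:00Z", "2009-03-01T08:05:00Z"),
         (3, "carol",  75, "2009-03-01T08:10:00Z", "2009-03-01T07:59:00Z")])
    # Row 1 changed through the application (audited).
    audited_update(conn, 1, 120, "app_user", "2009-03-02T10:00:00Z")
    # Row 2 changed with direct SQL by a privileged user, bypassing the audit log.
    with conn:
        conn.execute("UPDATE accounts SET balance = 9999, updated_at = ? WHERE id = 2",
                     ("2009-03-02T23:30:00Z",))
    return conn


if __name__ == "__main__":
    for row_id, reason in timestamp_findings(build_sample()):
        print("row %d: %s" % (row_id, reason))
```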

For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems, along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other object types. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel module level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
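The following is an added example and not code from the chapter or from the article it quotes. It rebuilds the directory lookup from 3.17.2 against an in-memory SQLite database (the table layout and the two sample rows are constructed assumptions), runs the same benign probe from the text through a concatenated query and through a parameterized one, and adds the numeric parameter check from the list above. The vulnerable version fails with a database error about the nonexistent table, which is exactly the signal section 3.17.3 tells you to look for; the parameterized version treats the whole probe as an ordinary (unmatched) first name.

```python
import sqlite3

# Constructed sample directory table (assumed layout; not data from the chapter).
SAMPLE_ROWS = [
    ("chapple", "mike", "555-0100"),
    ("smith", "jane", "555-0101"),
]

# The benign probe from section 3.17.2, URL-decoded. It references a table
# named "fake" that does not exist, so an application that splices it into the
# SQL text reveals itself through a database error rather than by damaging
# anything.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    """Build an in-memory database holding the sample directory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the query by string concatenation, as the directory.asp page in the text does."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened form: bound parameters keep user input out of the SQL text entirely."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe_result(lookup, conn):
    """Run the probe through a lookup function and classify the outcome (section 3.17.3).

    Returns the string "db_error: ..." when the database rejected the statement
    (the vulnerable case; SQLite says "no such table: fake", SQL Server says
    "Invalid object name 'fake'"), otherwise the list of phone numbers found.
    """
    try:
        return lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        return "db_error: %s" % exc


def is_numeric_id(value):
    """Parameter check from the mitigation list: a customer number must be digits only."""
    return value.isdigit()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_parameterized(db, "chapple", "mike"))
    print("vulnerable + probe:", probe_result(lookup_vulnerable, db))
    print("parameterized + probe:", probe_result(lookup_parameterized, db))
    print("numeric check:", is_numeric_id("12345"), is_numeric_id("12' OR '1'='1"))
```

Note that stripping quotes, as the "well-behaved" application in 3.17.3 does, is a weaker defence than binding parameters: the parameterized lookup never lets the input reach the SQL parser, so there is nothing to strip.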

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself, and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times, and contact numbers.

Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. Above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources, and indeed private individuals.

These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express), and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to solely rely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking, and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' type phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network, or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages, and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information, or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number, and email domain. This information is often found in virtual storage units such as your browser history, cache, or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts, and even receive medical benefits in your name. A worst case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage, and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs, and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people.

Illegally using someone else's computer or "posing" as someone else on the Internet.

Using spyware to gather information about people.

Emails requesting money in return for "small deposits".

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.

Using someone else's computer to access personal information with the intent to use such fraudulently.

Using the computer to solicit minors into sexual alliances.

Violating copyright laws by copying information with the intent to sell information like DVDs, CDs.

Hacking into computer systems to gather large amounts of information for illegal purposes.

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting, or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of the computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.

However, crimes are sure to end, as it is truth that always triumphs. Types of the Computer Crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords, and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target the users by means of chat rooms, online forums, and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls, and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism, and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates, and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.

Making copies of relevant logs and data. This includes making bit stream backups of all hard disk drives.

Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered.

Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession.

Documenting the date and time associated with computer files when the computer was taken into evidence.

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source to investigate crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed, and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
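The steps above (mathematically authenticating the storage devices, documenting file dates and times, and running a keyword list over the disk) can be shown in a few lines. The following is an added example written for this chapter, not the chapter's own procedure or any forensic tool's code: it writes a small constructed byte string standing in for a bit-stream image, records its SHA-256 and timestamps in a manifest, re-verifies the manifest after the file has been altered, and scans the raw bytes for keywords. The image contents, file name and keyword list are all assumptions; the offsets printed are properties of that constructed data only.

```python
import hashlib
import json
import os
import tempfile
import time

# Constructed stand-in for a bit-stream image: mostly zero bytes with two
# planted text fragments so the keyword scan has something to find. Not a
# real disk image and not data from the chapter.
SAMPLE_IMAGE = (b"\x00" * 64 + b"transfer 5000 to account 42\n"
                + b"\x00" * 32 + b"meeting at warehouse\n" + b"\x00" * 64)

KEYWORDS = [b"transfer", b"warehouse", b"absent"]   # assumed keyword list


def write_sample_image(directory=None):
    """Write the constructed image to disk and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="evidence-")
    path = os.path.join(directory, "evidence.dd")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_IMAGE)
    return path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """Record size, hash and timestamps for each seized file (the authentication
    and date/time documentation steps above)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    entries = []
    for path in paths:
        st = os.stat(path)
        entries.append({
            "path": path,
            "size": st.st_size,
            "sha256": sha256_file(path),
            "file_mtime": time.strftime(fmt, time.gmtime(st.st_mtime)),
            "recorded_at": time.strftime(fmt, time.gmtime()),
        })
    return entries


def verify_manifest(entries):
    """Re-hash every file; returns the paths whose contents no longer match."""
    return [e["path"] for e in entries if sha256_file(e["path"]) != e["sha256"]]


def keyword_scan(path, keywords, chunk_size=1 << 20):
    """Find byte offsets of each keyword in the raw image, chunk by chunk.

    Scanning raw bytes rather than mounted files means hits inside file slack
    and unallocated space are reported too. A tail of (longest keyword - 1)
    bytes is carried between chunks so a match straddling a chunk boundary is
    not missed; offsets are kept in a set so the carried tail is not counted twice.
    """
    hits = {}
    carry = max(len(k) for k in keywords) - 1
    tail, offset = b"", 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            data = tail + chunk
            base = offset - len(tail)        # absolute offset of data[0]
            for kw in keywords:
                idx = data.find(kw)
                while idx >= 0:
                    hits.setdefault(kw, set()).add(base + idx)
                    idx = data.find(kw, idx + 1)
            offset += len(chunk)
            tail = data[-carry:] if carry else b""
    return {kw: sorted(found) for kw, found in hits.items()}


def run_demo():
    """End-to-end: image, manifest, verification before and after tampering, keyword scan."""
    path = write_sample_image()
    manifest = build_manifest([path])
    unchanged = verify_manifest(manifest)        # expected: [] right after imaging
    with open(path, "ab") as fh:                 # simulate an alteration after seizure
        fh.write(b"\x00")
    changed = verify_manifest(manifest)          # expected: [path]
    hits = keyword_scan(path, KEYWORDS)
    return {"manifest": manifest, "unchanged": unchanged, "changed": changed, "hits": hits}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["manifest"], indent=2))
    print("altered after seizure:", result["changed"])
    print("keyword hits:", {k.decode(): v for k, v in result["hits"].items()})
```

In practice the manifest would be produced on the write-blocked original before any examination and stored separately from the image, so that a later re-hash (as `verify_manifest` does) can show the evidence was not altered while in possession.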

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get rich quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.

Do not pay attention to get rich quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers.

Install anti-viral software and spam blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words.

Never give your password to someone else.

The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:

Figure 3.5 Windows 2008 Firewall with Advanced Security MMC only

There is also a new netsh advfirewall CLI option for configuring WFAS.

3.10.5 What can I configure using the new WFAS MMC Snap-in?

Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).

Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, private profile, and public profile for WFAS. What these different profiles allow you to do is take the many inbound & outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.6:

Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:

Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were the 3 default exceptions (rules). Not so in Windows Server: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules. WOW!

Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used IIS, built in with Windows, the port would have been automatically opened for you. However, as you are using a third party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter: in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address, and destination port number: our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC.

Add the Rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.

Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

Select that you want to create a rule for a port.

Configure protocol & port number: take the default of TCP, enter the port number as 80, and click Next.

Take the default of "allow this connection" & click Next.

Take the default of applying this rule to all profiles & click Next.

Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection.

During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level, as well as to allow specific devices, incoming services, and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the "Firewalling with iptables" chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ, and other instant messaging services, as well as RealAudio(TM), will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called "Activating the Firewall". The security of your system will not be changed.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail mdash Choose this option if your system needs to accept incoming mail You do not need this option if you retrieve email using IMAP POP3 or fetchmail

Secure Shell mdash Secure Shell or SSH is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection If you need to access your machine remotely through ssh select this option

Telnet mdash Telnet allows you to log into your machine remotely however it is not secure It sends plain text (including passwords) over the network It is recommended that you use SSH to log into your machine remotely If you are required to have telnet access to your system select this option

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on
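Once the wizard has written its rules, it is worth checking that the file actually enforces what the chosen level promised. The following is an added Python example, not code from this manual or from GNOME Lokkit: it parses a constructed /etc/sysconfig/ipchains file in the style Lokkit writes for the Low Security option with Secure Shell enabled, evaluates the input chain with the first-match semantics ipchains uses, and lists privileged TCP ports that a new connection from the network could still reach. The rule file contents, the interface name eth0 and the audit_low_security helper are assumptions for illustration.

```python
import re

# Constructed sample in the style of a Lokkit-written /etc/sysconfig/ipchains
# (assumption: "Low Security" with the Secure Shell service enabled; not taken
# from a real system).
SAMPLE_RULES = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
"""

PORT_SPEC = re.compile(r"\d+(:\d+)?")


def parse_rules(text):
    """Return (input-chain policy, list of input-chain rules) from ipchains-save style text."""
    policy = "ACCEPT"
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == ":input":          # chain policy line, e.g. ":input ACCEPT"
            policy = tok[1]
            continue
        if tok[:2] != ["-A", "input"]:  # only inbound rules matter for this audit
            continue
        rule = {"proto": None, "ports": None, "iface": None, "syn": False, "target": None}
        i = 2
        while i < len(tok):
            t = tok[i]
            if t == "-p":
                rule["proto"] = tok[i + 1]
                i += 2
            elif t in ("-s", "-d"):
                i += 2                  # skip the address itself
                # an optional destination port or lo:hi range follows the address
                if t == "-d" and i < len(tok) and PORT_SPEC.fullmatch(tok[i]):
                    lo, _, hi = tok[i].partition(":")
                    rule["ports"] = (int(lo), int(hi or lo))
                    i += 1
            elif t == "-i":
                rule["iface"] = tok[i + 1]
                i += 2
            elif t == "-y":             # match only TCP packets with SYN set (new connections)
                rule["syn"] = True
                i += 1
            elif t == "-j":
                rule["target"] = tok[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, proto, dport, iface="eth0", syn=True):
    """First matching rule decides, as ipchains does; otherwise the chain policy applies."""
    for r in rules:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["syn"] and not syn:
            continue
        if r["ports"] and not (r["ports"][0] <= dport <= r["ports"][1]):
            continue
        return r["target"]
    return policy


def audit_low_security(text, allowed_ports=(22,)):
    """Privileged TCP ports (below 1024) that a new connection from the network can
    still reach, excluding those the administrator deliberately opened."""
    policy, rules = parse_rules(text)
    reachable = [p for p in range(1, 1024) if verdict(policy, rules, "tcp", p) == "ACCEPT"]
    return [p for p in reachable if p not in allowed_ports]


if __name__ == "__main__":
    policy, rules = parse_rules(SAMPLE_RULES)
    print("ssh from the network:", verdict(policy, rules, "tcp", 22))
    print("http from the network:", verdict(policy, rules, "tcp", 80))
    print("unexpected open privileged ports:", audit_low_security(SAMPLE_RULES))
```

Note the two deliberate gaps the evaluator exposes: traffic on the loopback interface is accepted before the REJECT rules are reached, and TCP packets without SYN (replies to connections the host opened) fall through to the chain policy, which is why the Low Security rules use -y on every TCP REJECT.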

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384kbps DSL link, a 66MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
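The analysis package sketched above only needs the serial numbers the generator stamped on each packet. Here is an added Python example of that step, not code from this manual or from the article it draws on: it pulls serial numbers out of a constructed tcpdump-style text dump and computes the two figures the text asks for, the percentage of dropped packets and the longest run of consecutive drops. The dump lines, the SERIAL=nnnn stamp and the HEAVY_RUN list are constructed for illustration.

```python
import re

# Constructed text in the style of a tcpdump text dump of the generator's traffic;
# the generator stamps each packet with a running serial number (assumption: the
# payload carries "SERIAL=nnnn", which is what the regex below looks for).
SAMPLE_DUMP = """\
10:00:00.000100 IP 10.0.0.1.40000 > 10.0.0.2.9000: UDP, length 200 SERIAL=0001
10:00:00.000350 IP 10.0.0.1.40000 > 10.0.0.2.9000: UDP, length 1400 SERIAL=0002
10:00:00.000600 IP 10.0.0.1.40000 > 10.0.0.2.9000: UDP, length 64 SERIAL=0003
10:00:00.001100 IP 10.0.0.1.40000 > 10.0.0.2.9000: UDP, length 900 SERIAL=0005
"""

SERIAL = re.compile(r"SERIAL=(\d+)")


def serials_from_dump(text):
    """Serial numbers in capture order, one per packet line that carries a stamp."""
    return [int(m.group(1)) for m in SERIAL.finditer(text)]


def drop_stats(captured, first, last):
    """Loss figures for a run in which the generator sent serials first..last.

    Returns (dropped_count, dropped_percent, longest_run, missing_serials).
    Duplicates and out-of-order arrivals are not loss, so matching is done on a set."""
    seen = set(captured)
    missing = [n for n in range(first, last + 1) if n not in seen]
    longest = run = 0
    prev = None
    for n in missing:
        # extend the current run only if this serial directly follows the last missing one
        run = run + 1 if prev is not None and n == prev + 1 else 1
        longest = max(longest, run)
        prev = n
    total = last - first + 1
    return len(missing), 100.0 * len(missing) / total, longest, missing


# Constructed result of a heavier run: serials 1..20 sent, with one duplicate (20)
# and one reordered pair (13 before 12) recorded by the capture host.
HEAVY_RUN = [1, 2, 3, 5, 6, 10, 11, 13, 12, 14, 15, 16, 17, 18, 19, 20, 20]

if __name__ == "__main__":
    print(drop_stats(serials_from_dump(SAMPLE_DUMP), 1, 5))   # one packet lost
    print(drop_stats(HEAVY_RUN, 1, 20))                        # 20% lost, longest run 3
```

The longest run matters as much as the percentage: a capture host that loses four scattered packets and one that loses four in a row both report 20% loss, but only the second is likely to miss a whole connection setup.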

We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the U.S. government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.

Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill down a large data set into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, D.C.) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.

Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
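WELF records are plain text, so a small parser is enough to reproduce the two figures section 3.14.1 cares about, bandwidth per internal host and repeated denials per remote source, and to sanity-check what a product reports. The following is an added Python example, not code from Firewall Analyzer or from this manual. The log lines are constructed; WELF carries space-separated key=value pairs with double-quoted values, and which key records a denied connection is vendor-specific, so reading the action from the msg field is an assumption of this example.

```python
import re
from collections import Counter

# Constructed WELF-style firewall log lines (not real traffic). Reading the
# allow/deny action from msg is an assumption; vendors choose the key.
SAMPLE_LOG = """\
id=firewall time="2009-03-01 10:15:01" fw=192.0.2.1 pri=6 rule=allow-web proto=http src=10.0.0.5 dst=198.51.100.20 sent=512 rcvd=40960 msg="Allow outbound web"
id=firewall time="2009-03-01 10:15:07" fw=192.0.2.1 pri=4 rule=deny-all proto=tcp/445 src=203.0.113.9 dst=10.0.0.5 msg="Deny inbound from untrusted"
id=firewall time="2009-03-01 10:15:09" fw=192.0.2.1 pri=6 rule=allow-web proto=https src=10.0.0.7 dst=198.51.100.44 sent=2048 rcvd=102400 msg="Allow outbound web"
id=firewall time="2009-03-01 10:15:12" fw=192.0.2.1 pri=4 rule=deny-all proto=tcp/22 src=203.0.113.9 dst=10.0.0.7 msg="Deny inbound from untrusted"
id=firewall time="2009-03-01 10:16:30" fw=192.0.2.1 pri=6 rule=allow-web proto=http src=10.0.0.5 dst=198.51.100.21 sent=1024 rcvd=8192 msg="Allow outbound web"
"""

# key=value where the value is either a double-quoted string (backslash escapes
# allowed) or a run of non-space characters
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_welf(line):
    """Turn one WELF record into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, value in PAIR.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text):
    return [parse_welf(line) for line in text.splitlines() if line.strip()]


def bandwidth_by_source(records):
    """Bytes sent plus received per source address, for the capacity planning use
    the text mentions. Records without byte counters (pure deny events) are skipped."""
    usage = Counter()
    for r in records:
        if "sent" in r or "rcvd" in r:
            usage[r["src"]] += int(r.get("sent", 0)) + int(r.get("rcvd", 0))
    return dict(usage)


def denied_by_source(records):
    """Count denied connections per remote source; a source that keeps being denied
    on different ports is the first thing to look at in a risk review."""
    return dict(Counter(r["src"] for r in records if r.get("msg", "").startswith("Deny")))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bandwidth by source:", bandwidth_by_source(recs))
    print("denials by source:", denied_by_source(recs))
```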

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from within Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and later import the profiles to get them back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also keep the exported profiles file as a backup.

3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors covered: Forensic ToolKit, AccessData Corp., Email Examiner, EnCase, Guidance Software, Paraben Corp., ProDiscover, Sleuth Kit, Technology Pathways, dtSearch, dtSearch Corp.

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration.

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.

For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.
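The remark above that row timestamps can be "inspected and tested for validity" is easy to turn into a repeatable check. The following is an added Python example, not code from this manual: it builds a constructed copy of an accounts table, as one might preserve from a seized database, and flags rows whose timestamps cannot be true. The checks assume that ids were assigned in insertion order and that nothing could be updated after the copy was taken; both the table contents and those assumptions are constructed for illustration.

```python
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def make_evidence_copy():
    """Constructed copy of an 'accounts' table as it might be preserved from a
    seized database. Rows 3, 4 and 5 are deliberately inconsistent."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER, "
        "created_at TEXT, updated_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", 100, "2009-03-01 09:00:00", "2009-03-01 09:00:00"),
            (2, "bob", 250, "2009-03-01 09:05:00", "2009-03-02 14:30:00"),
            # updated before it was created
            (3, "carol", 75, "2009-03-01 09:10:00", "2009-03-01 08:00:00"),
            # created earlier than row 3 although it received a later id
            (4, "dave", 900, "2009-02-28 10:00:00", "2009-02-28 10:00:00"),
            # updated after the evidence copy was taken
            (5, "erin", 10, "2009-03-03 11:00:00", "2011-01-01 00:00:00"),
        ],
    )
    conn.commit()
    return conn


def timestamp_anomalies(conn, captured_at):
    """Rows whose timestamps cannot be true, given two assumptions: ids are
    assigned in insertion order, and no row can change after the capture time.
    Returns a list of (row id, reason) in id order."""
    captured = datetime.strptime(captured_at, FMT)
    findings = []
    prev_created = None
    for row_id, created, updated in conn.execute(
        "SELECT id, created_at, updated_at FROM accounts ORDER BY id"
    ):
        c = datetime.strptime(created, FMT)
        u = datetime.strptime(updated, FMT)
        if u < c:
            findings.append((row_id, "updated_at precedes created_at"))
        if u > captured:
            findings.append((row_id, "updated_at is later than the capture time"))
        if prev_created is not None and c < prev_created:
            findings.append((row_id, "created_at out of order with the id sequence"))
        prev_created = c
    return findings


if __name__ == "__main__":
    conn = make_evidence_copy()
    for row_id, reason in timestamp_anomalies(conn, "2009-03-05 00:00:00"):
        print("row %d: %s" % (row_id, reason))
```

Each finding is a lead, not a conclusion: a backdated created_at may be a bulk import rather than tampering, which is why the next step is to compare the rows against the database's own audit trail rather than to act on the timestamps alone.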

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the role of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other database objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, the network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
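Moving the extracted audit trail to a system the DBAs cannot reach is what makes it evidence; the receiving side can strengthen that by binding each record to its predecessor under a key the DBAs never hold, so any later edit, deletion or truncation of the extracted trail is detectable. The following is an added Python example of that idea, not a feature of any database product or code from this manual: it chains constructed audit records with HMAC-SHA256 and verifies the chain against a stored head tag. The record fields, the key and the chain seed are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed native-audit records as they might be extracted from a database
# (fields are illustrative, not any vendor's audit format).
AUDIT_RECORDS = [
    {"ts": "2009-03-01 09:00:01", "user": "dba1", "action": "GRANT", "object": "payroll", "ok": True},
    {"ts": "2009-03-01 09:02:17", "user": "dba1", "action": "SELECT", "object": "payroll", "ok": True},
    {"ts": "2009-03-01 09:02:40", "user": "app", "action": "UPDATE", "object": "accounts", "ok": True},
    {"ts": "2009-03-01 09:05:03", "user": "dba1", "action": "DROP", "object": "audit_tmp", "ok": False},
]

# Key held only on the designated security system (assumption). Because DBAs never
# see it, they cannot recompute valid tags after altering an extracted record.
SECURITY_SYSTEM_KEY = b"constructed-example-key-do-not-reuse"
CHAIN_SEED = b"audit-chain-v1"


def _tag(key, record, prev_tag):
    """HMAC over the canonical record plus the previous tag, binding each record to its predecessor."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical + prev_tag.encode(), hashlib.sha256).hexdigest()


def chain_records(records, key):
    """Return (chained entries, head tag). Keep the head tag separately on the
    security system so that removal of trailing records is also detectable."""
    prev = hashlib.sha256(CHAIN_SEED).hexdigest()
    chained = []
    for rec in records:
        prev = _tag(key, rec, prev)
        chained.append({"record": rec, "tag": prev})
    return chained, prev


def verify_chain(chained, key, head_tag):
    """Index of the first entry that fails verification; len(chained) if entries
    were removed from the end (head mismatch); -1 if the trail is intact."""
    prev = hashlib.sha256(CHAIN_SEED).hexdigest()
    for i, entry in enumerate(chained):
        expected = _tag(key, entry["record"], prev)
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = expected
    if not hmac.compare_digest(prev, head_tag):
        return len(chained)
    return -1


if __name__ == "__main__":
    chained, head = chain_records(AUDIT_RECORDS, SECURITY_SYSTEM_KEY)
    print("intact trail verifies:", verify_chain(chained, SECURITY_SYSTEM_KEY, head) == -1)
    edited = [{"record": dict(e["record"]), "tag": e["tag"]} for e in chained]
    edited[1]["record"]["user"] = "app"       # an administrator rewrites who ran the SELECT
    print("first bad entry after edit:", verify_chain(edited, SECURITY_SYSTEM_KEY, head))
```

A keyed chain is chosen over a plain hash chain because anyone who can edit the extracted trail could also recompute unkeyed hashes; the key stays on the security system, which is the same trust boundary the text draws between DBAs and the audit copy.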

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, the attacker manipulates a web application so as to inject their own SQL commands into the queries the application issues to the database. For an example, see the article "SQL Injection Attacks on Databases". In this section we take a look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is to use an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What is a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here only look for basic SQL injection flaws. They will not detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you cannot, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that will not harm your database if they succeed, but will give you evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and returns contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. Under the assumption above, a simple change to the URL tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You will notice that the syntax above is a little different from that in the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (%3d is the URL encoding for "=", %3e for ">"). Note also that the application's own closing quote still follows the injected text; in practice a tester appends a comment marker (-- on SQL Server) so that the trailing quote is ignored and the probe reaches the query engine instead of failing with a syntax error.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out (or reject) the single quote in the input before passing the query to the database. This simply results in a strange lookup for someone whose first name includes a bunch of SQL, and you will see an error message from the application similar to:

Error: No user found with name mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it should not), you will see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

Otherwise, if your web server does not display detailed error messages, you will get a more generic error such as the following.

3.17.4 Internal Server Error

Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is vulnerable to SQL injection. Some steps that you can take to protect your applications against SQL injection attacks include:

• Implement parameter checking in all applications. For example, if you are asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query does not have permission to do what the injected statement attempts, the attack will not succeed.
• Use stored procedures or parameterised queries (or similar techniques) so that user input is passed as data and is never concatenated into SQL code.
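The following Python script, added here and not part of the original notes, reproduces the manual test from 3.17.2 and two of the mitigations above against an in-memory SQLite database: the directory lookup is written once by string concatenation and once with a parameterised query, the page's probe is sent to both, and a numeric parameter check is shown. The directory rows are constructed for the example, and SQLite's "no such table: fake" error stands in for SQL Server's "Invalid object name 'fake'".

```python
"""SQL injection probe from 3.17.2 run against SQLite (added example)."""
import sqlite3

# The page's probe value after URL decoding (%3e = '>', %3d = '='), with a
# trailing comment marker so the application's own closing quote is ignored.
PROBE = "mike' AND (select count(*) from fake) > 0 OR 1=1 --"


def setup():
    """Constructed directory table standing in for the page's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("smith", "jane", "555-0101")])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the query by string concatenation, as the broken directory.asp does."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, lastname, firstname):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def parse_customer_number(value):
    """Parameter checking from the mitigation list: accept only digits.

    Returns the integer, or None so the caller can fail closed before any
    query is built.
    """
    return int(value) if value.isdigit() else None


def probe_for_injection(lookup, conn):
    """Run the page's innocuous test and classify the outcome.

    'vulnerable' means the probe reached the query engine: either the bogus
    table name raised an error (SQLite's "no such table: fake", the analogue
    of SQL Server's "Invalid object name 'fake'") or the OR 1=1 tautology
    returned rows. 'not vulnerable' means it was treated as a literal name.
    """
    try:
        rows = lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        return "vulnerable", str(exc)
    if not rows:
        return "not vulnerable", "no rows"
    return "vulnerable", f"{len(rows)} rows returned by tautology"


if __name__ == "__main__":
    db = setup()
    print("concatenated :", probe_for_injection(lookup_vulnerable, db))
    print("parameterised:", probe_for_injection(lookup_parameterised, db))
    print("customer no. :", parse_customer_number("42"), parse_customer_number("42 OR 1=1"))
```

The concatenated version fails with the database's own error message, which is exactly the signal the manual test looks for; the parameterised version returns no rows because the whole probe string was compared as a first name. The least-privilege mitigation is not shown in code because it lives in the database's grant tables, not in the application.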

3.18 Mobile Forensics

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of the data found on the SIM/USIM, in the phone's own memory, and on any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone (or cell phone) forensics is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner has been cheating on them, by Human Resources departments needing to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are just a few of the hundreds of reasons why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources departments and private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where will the records of wrongdoing be stored? Even if you are not the sort of person to record wrongdoing, human nature says that you will tell at least someone. On a computer, such records may be stored in your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes database), your DBX files (Microsoft Outlook Express message stores) and your EML files (generic e-mail messages), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory, or removable memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone tools but must also have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development is cell-site analysis, which uses the location of the cellular transmitter (base station) serving a handset to assist agencies in establishing its approximate whereabouts at the time of a call. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been accepted in a British court of law, that does not mean it is accepted throughout the world.

There are, of course, downsides to this technology. A suspect who simply hands the phone in question to a colleague or accomplice can ensure that the phone is somewhere else at the time of a call, and therefore apparently not at the scene of the crime: the technique locates the handset, not the person. There is also the problem of 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to their owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly in the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing e-mails, pictures, deleted files, instant messages and much more, all with date and time history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant, as the use of computers becomes an ever greater part of our daily lives. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy or steal information, or cause harm to others, by accessing information through deceptive and illegal means. Just as you have to be careful when you are walking down the street, or lock up your own home at night, you have to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You do not have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts could ever have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and, in a milder form, by some legitimate companies. Once installed on a computer, it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and e-mail domain. This information is often found in your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware has commonly got onto systems by abusing ActiveX, a Microsoft technology that lets web pages run native code components inside Internet Explorer. ActiveX controls make it possible to view many rich web pages; however, when an ActiveX control is abused by a cyber criminal, or a malicious control is installed through a misleading prompt, it can be used to install spyware and other malicious programs on your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to accrue debt, open accounts and even receive medical benefits in your name. The worst case involves your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you did not commit.

Computer fraud can be one of the most devastating crimes you will ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive: as the saying goes, one man's trash is another man's treasure.

There are many legal ramifications for those practising computer fraud, especially when the practice can be shown to be harmful and physically or financially damaging to others. Most laws distinguish between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and is not really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum people who steal information or other people's money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax e-mails intended to scare people.
• Illegally using someone else's computer, or "posing" as someone else on the Internet.
• Using spyware to gather information about people.
• E-mails requesting money in return for "small deposits".
• Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money.
• E-mails attempting to gather personal information to be used to access credit cards or social security numbers.
• Using someone else's computer to access personal information with the intent to use it fraudulently.
• Using the computer to solicit minors into sexual alliances.
• Violating copyright law by copying material, such as DVDs and CDs, with the intent to sell it.
• Hacking into computer systems to gather large amounts of information for illegal purposes.
• Hacking into, or illegally using, a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes

Computer crimes are criminal activities that involve the use of information technology to gain illegal or unauthorized access to a computer system, with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data and system interference. Computer crimes do not necessarily involve damage to physical property; rather, they involve the manipulation of confidential data and critical information. They include software theft and breaches of user privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are set on turning technology into a curse. However, such crimes are sure to be defeated in the end, as it is truth that always triumphs. The types of computer crime are as follows.

Hacking: Breaking into a computer system to gain unauthorized access is known as hacking: the act of defeating the security controls of a computer system in order to obtain illegal access to the information stored on it. Unauthorized disclosure of passwords, with intent to gain unauthorized access to the private communications of an organization or a user, is one of the most widely known computer crimes. Another highly dangerous computer crime is IP address spoofing, in which the attacker forges the source address of traffic in order to act under a false identity and remain anonymous while carrying out criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through e-mails or by luring users into entering personal information on fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system's users. Viruses spread to other computers through network file systems, over the network or the Internet, or by means of removable media such as USB drives and CDs. Computer viruses are forms of malicious code written with the aim of harming a computer system and destroying information. Writing and releasing computer viruses is a criminal activity, as virus infections can crash computer systems and destroy large amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass or torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often use chat rooms, online forums and social networking websites to gather information about their targets and then harass them on the basis of that information. Obscene e-mails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity: the act of pretending to be someone else by using that person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services; commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without your knowledge, through split lines. Some thieves take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time: This is one of the most common computer crimes, happening all over the country. Public and private employees, on the taxpayer's or the company's time and money, browse the web or play games without proper authorization. In many instances this behaviour is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information produced by your personal or company computer in order to find out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists and the like.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network, or someone's personal information.

3.21 Steps for Computer Crime Investigation

In order to investigate a cyber crime, a team is commissioned that usually contains a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups (forensic images) of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating the data mathematically (with a cryptographic hash) on all storage devices, in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords to facilitate the evaluation of the data on the computer's hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap (page) file, which contains valuable information written out from memory. The next important item is file slack, the data storage area between the logical end of a file and the end of its last allocated cluster, which still holds whatever previously occupied that space: it is a good source of evidence for crimes committed through the Internet.

Evaluating unallocated space provides information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues identified during the computer search.
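As an added example (not part of the course notes), the following Python script carries out three of the steps above against a small constructed drive image: it authenticates the image with SHA-256 so a later recomputation proves it was not altered, records each file's name, size, hash and recorded timestamp in a manifest, and sweeps the raw bytes, including each file's slack and the unallocated region, for a generated keyword list. The two-sector image, its allocation table and the timestamp are invented for the example; real work starts from a write-blocked bit-stream acquisition and a tool that understands the actual file system.

```python
"""Evidence authentication, file manifest and keyword sweep (added example)."""
import hashlib
import re

SECTOR = 512

# Constructed toy image: sector 0 holds one allocated file followed by its
# slack (residue of an earlier, longer file); sector 1 is unallocated and
# still holds the remains of a deleted memo.
FILE_DATA = b"Quarterly report attached. Call me on 555-0100.\n"
SLACK_RESIDUE = b"earlier draft: wire 9,500 to acct 778812 before the audit"
DELETED_RESIDUE = b"deleted memo: destroy the backup tapes tonight"

# Toy allocation table: (name, byte offset, logical size, recorded mtime).
ALLOCATED = [("report.txt", 0, len(FILE_DATA), "2011-03-12T21:14:05")]
KEYWORDS = [b"wire", b"audit", b"backup tapes"]


def build_image():
    """Assemble the two-sector image described above."""
    sector0 = (FILE_DATA + SLACK_RESIDUE).ljust(SECTOR, b"\x00")
    sector1 = DELETED_RESIDUE.ljust(SECTOR, b"\x00")
    return sector0 + sector1


def authenticate(image):
    """Digest recorded at seizure and recomputed before every later examination."""
    return hashlib.sha256(image).hexdigest()


def verify(image, recorded_digest):
    """True only if not a single bit of the image changed since seizure."""
    return authenticate(image) == recorded_digest


def manifest(image, allocated):
    """Document name, size, per-file hash and the timestamp found on seizure."""
    return [{"name": n, "size": s, "mtime": m,
             "sha256": hashlib.sha256(image[o:o + s]).hexdigest()}
            for n, o, s, m in allocated]


def regions(image, allocated):
    """Split the image into (kind, label, start, end) byte ranges: logical
    file content, the slack after it up to the sector boundary, and every
    sector no file occupies (unallocated)."""
    out, used = [], set()
    for name, off, size, _ in allocated:
        cluster_end = -(-(off + size) // SECTOR) * SECTOR   # round up to sector
        out.append(("file", name, off, off + size))
        out.append(("slack", name, off + size, cluster_end))
        used.update(range(off // SECTOR, cluster_end // SECTOR))
    for s in range(len(image) // SECTOR):
        if s not in used:
            out.append(("unallocated", f"sector {s}", s * SECTOR, (s + 1) * SECTOR))
    return out


def keyword_sweep(image, allocated, keywords):
    """Case-insensitive search of every region; returns (keyword, kind, label, offset)."""
    hits = []
    for kind, label, start, end in regions(image, allocated):
        for kw in keywords:
            for m in re.finditer(re.escape(kw), image[start:end], re.IGNORECASE):
                hits.append((kw.decode(), kind, label, start + m.start()))
    return hits


if __name__ == "__main__":
    img = build_image()
    digest = authenticate(img)
    print("image sha256:", digest, "verified:", verify(img, digest))
    for row in manifest(img, ALLOCATED):
        print(row)
    for hit in keyword_sweep(img, ALLOCATED, KEYWORDS):
        print(hit)
```

Nothing the keyword sweep finds lives in the logical file: the hits come from slack and from an unallocated sector, which is why a search over the mounted file system would miss them and why the image, not the files, is what gets hashed and searched.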

3.22 Recommendations

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some e-mail scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to commit to the following computer philosophy when you are on the Internet:

• Do not give personal information to anyone, or to any company you have never heard of before. This includes your full name, address, phone number, credit card number, social security number and information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.
• Do not download attachments from people you do not know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Do not keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.



Figure 3.6 Profiles now available in Windows 2008 Firewall with Advanced Security

There is a domain profile, a private profile and a public profile for WFAS. These profiles allow you to take the many inbound and outbound rules you may have and apply that group of firewall rules to your computer based on where it is connected to the network (say, the corporate LAN versus the local coffee shop). Of all the improvements we have talked about in WFAS, in my opinion the most significant is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule) in Figure 3.7.


Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows 2008 Server:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to users and computers, programs and services, and IP address scopes. With this type of sophisticated rule configuration, Microsoft has pushed WFAS more toward its ISA Server firewall product. The number of default rules offered by WFAS is also striking. In Windows 2003 Server there were 3 default exceptions (rules); Windows Server 2008 WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules.


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built into Windows, the port would have been opened for you automatically. However, as you are using a third-party web server and you have the inbound firewall enabled, you must open the port manually. Here are the steps to follow:

• Identify the protocol you want to filter: in our case it is TCP (as opposed to UDP or ICMP).
• Identify the source IP address, source port number, destination IP address and destination port number. Our web traffic will come from any IP address and any port number, to this server on port 80. (Note that you could also create a rule for a specific program, such as the Apache HTTP Server executable.)
• Open the Windows Firewall with Advanced Security MMC.
• Add the rule: click the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC - new rule button

• Select that you want to create a rule for a port.
• Configure the protocol and port number: take the default of TCP, enter the port number as 80 and click Next.
• Take the default of "Allow the connection" and click Next.
• Take the default of applying this rule to all profiles and click Next.
• Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC - after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled; after adding the rule, it works.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious traffic such as worms from reaching your computer and unauthorized users from accessing it. A firewall sits between your computer and the network and determines which services on your computer remote users on the network can reach. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection.

During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, the program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the "Firewalling with iptables" chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP (so that network interfaces can be activated). IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run on ports below 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended only if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a web server, such as Apache, running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve e-mail using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure, as it sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. Select this option only if you are required to have telnet access to your system.

31012 Activating the Firewall Clicking Finish on the Activate the Firewall page will write the firewall rules to etcsysconfigipchains and start the firewall by starting the ipchains service It is highly recommended that you run GNOME Lokkit from the machine not from a remote X session If you disable remote access to your system you will no longer be able to access it or disable the firewall rules


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay
A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on
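The rule set that the Lokkit choices above produce is easier to reason about when written out. The following is an added example, not lokkit's own code: it models the shape of the input chain lokkit writes to /etc/sysconfig/ipchains for the High and Low levels, the service holes, DHCP and trusted (local) devices, and evaluates an inbound packet against the chain the way ipchains does, first matching rule wins. The port numbers, the DNS reply rule and the exact rule shapes are assumptions made for illustration. The point it demonstrates is the lock-out warned about in 3.10.12: at High Security with no SSH hole, the very session you would use to undo the firewall is rejected, and the holes must come before the rejects because ipchains stops at the first match.

```python
"""Model of the ipchains input chain produced by the GNOME Lokkit choices.

Added example, not lokkit's code; rule shapes and ports are assumptions.
"""

# service -> (protocol, port) hole punched when the service is enabled (assumed)
SERVICE_PORTS = {
    "web": ("tcp", "80"),
    "mail": ("tcp", "25"),
    "ssh": ("tcp", "22"),
    "telnet": ("tcp", "23"),
}


def _rule(target, proto=None, sport=None, dport=None, iface=None, syn=False):
    return {"target": target, "proto": proto, "sport": sport,
            "dport": dport, "iface": iface, "syn": syn}


def lokkit_rules(level, services=(), dhcp=False, trusted_devices=()):
    """Build the input chain for a security level: "high", "low" or "none"."""
    if level == "none":
        return []                                   # Disable Firewall: no rules at all
    rules = [_rule("ACCEPT", iface="lo")]           # loopback is always open
    for dev in trusted_devices:                     # Local Hosts = Yes: LAN side unfiltered
        rules.append(_rule("ACCEPT", iface=dev))
    rules.append(_rule("ACCEPT", proto="udp", sport="53"))   # DNS replies (assumed shape)
    if dhcp:                                        # answers from the DHCP server
        rules.append(_rule("ACCEPT", proto="udp", sport="67:68", dport="67:68"))
    for svc in services:                            # holes go BEFORE the rejects
        proto, port = SERVICE_PORTS[svc]
        rules.append(_rule("ACCEPT", proto=proto, dport=port, syn=True))
    if level == "high":                             # everything else is rejected
        rules += [_rule("REJECT", proto="tcp", syn=True),
                  _rule("REJECT", proto="udp")]
    elif level == "low":                            # privileged ports, NFS, X11, font server
        rules += [_rule("REJECT", proto="tcp", dport="0:1023", syn=True),
                  _rule("REJECT", proto="tcp", dport="2049", syn=True),
                  _rule("REJECT", proto="udp", dport="0:1023"),
                  _rule("REJECT", proto="udp", dport="2049"),
                  _rule("REJECT", proto="tcp", dport="6000:6009", syn=True),
                  _rule("REJECT", proto="tcp", dport="7100", syn=True)]
    else:
        raise ValueError("unknown level: %s" % level)
    return rules


def render(rules):
    """Render the chain in the ipchains-save format used by /etc/sysconfig/ipchains."""
    lines = [":input ACCEPT", ":forward ACCEPT", ":output ACCEPT"]
    for r in rules:
        parts = ["-A input"]
        if r["proto"]:
            parts.append("-p " + r["proto"])
        parts.append("-s 0/0" + (" " + r["sport"] if r["sport"] else ""))
        parts.append("-d 0/0" + (" " + r["dport"] if r["dport"] else ""))
        if r["iface"]:
            parts.append("-i " + r["iface"])
        if r["syn"]:
            parts.append("-y")                      # match only TCP connection requests
        parts.append("-j " + r["target"])
        lines.append(" ".join(parts))
    return lines


def _port_matches(port, spec):
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def verdict(rules, proto, dport, sport=40000, iface="eth0", syn=True):
    """First matching rule decides; the chain policy (ACCEPT) applies if none matches."""
    for r in rules:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["syn"] and not (proto == "tcp" and syn):
            continue
        if not (_port_matches(sport, r["sport"]) and _port_matches(dport, r["dport"])):
            continue
        return r["target"]
    return "ACCEPT"


if __name__ == "__main__":
    for line in render(lokkit_rules("high", services=("ssh",), dhcp=True)):
        print(line)
    print("ssh from the Internet, no hole:", verdict(lokkit_rules("high"), "tcp", 22))
    print("ssh from the Internet, hole:   ", verdict(lokkit_rules("high", ("ssh",)), "tcp", 22))
```

Note that the tcp rejects carry -y, so packets of a connection that is already established (no SYN) pass even at Low Security; only new inbound connection requests are refused.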

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can determine the effect of the operating system on overall capture efficiency. Once the best operating system is found, swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.


These results were used to choose the hardware configuration for Sandstorm's NetIntercept appliance, although they are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools (not even the FBI's Carnivore) provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people while limiting the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by recording only TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
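The two ideas in 3.11 and 3.13 above, stop-look-and-listen reduction to flow records and keyword-based minimization of what is retained, fit in a few dozen lines. The following is an added example, not part of the original chapter and not the code of any NFAT or of I-Watch. It takes packet records with the fields tcpdump prints (simplified), keeps only per-flow counters for every connection, and retains payload only for connections whose content contains a keyword, the way the Harvard case restricted capture to connections containing "sni256". From the flow records alone it then answers the traffic-analysis question of who talked to whom. The packets below are constructed, not a real capture, and the 4096-byte buffering limit is an assumption.

```python
"""Stop-look-and-listen flow reduction with keyword minimization.

Added example, not from the chapter. Packets are constructed sample traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str         # "tcp" or "udp"
    payload: bytes


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    selected: bool = False      # keyword seen: keep the full content of this flow
    content: bytes = b""        # payload retained (bounded until a decision is made)


PREFIX_LIMIT = 4096             # bytes buffered per flow before we stop looking (assumed)


def flow_key(p):
    """Bidirectional key so both directions of a connection land in one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def reduce_to_flows(packets, keyword=None):
    """Counters for every flow; content only for flows containing keyword."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        f = flows.get(k)
        if f is None:
            f = flows[k] = Flow(first=p.ts, last=p.ts)
        f.last = p.ts
        f.packets += 1
        f.bytes += len(p.payload)
        if keyword is None:
            continue
        if f.selected or len(f.content) < PREFIX_LIMIT:
            f.content += p.payload
        if not f.selected and keyword in f.content:
            f.selected = True           # from here on every byte of this flow is kept
    for f in flows.values():
        if not f.selected:
            f.content = b""             # minimization: unrelated connections keep no content
    return flows


def peers(flows):
    """Traffic analysis from flow records alone: who talked to whom."""
    out = {}
    for (_, a, _, b, _) in flows:
        out.setdefault(a, set()).add(b)
        out.setdefault(b, set()).add(a)
    return {host: sorted(ps) for host, ps in out.items()}


PACKETS = [   # constructed sample traffic: a telnet session, an HTTP fetch, a DNS query
    Packet(1.00, "10.0.0.5", "192.0.2.10", 40001, 23, "tcp", b""),
    Packet(1.01, "192.0.2.10", "10.0.0.5", 23, 40001, "tcp", b"login: "),
    Packet(1.20, "10.0.0.5", "192.0.2.10", 40001, 23, "tcp", b"guest\r\n"),
    Packet(1.50, "10.0.0.5", "192.0.2.10", 40001, 23, "tcp", b"cd /tmp && ./sni256 -i eth0\r\n"),
    Packet(2.00, "10.0.0.7", "192.0.2.20", 40002, 80, "tcp", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet(2.05, "192.0.2.20", "10.0.0.7", 80, 40002, "tcp", b"HTTP/1.0 200 OK\r\n\r\n<html>hi</html>"),
    Packet(3.00, "10.0.0.9", "192.0.2.53", 5353, 53, "udp", b"\x12\x34\x01\x00"),
]


if __name__ == "__main__":
    flows = reduce_to_flows(PACKETS, keyword=b"sni256")
    for k, f in flows.items():
        print(k, f.packets, "pkts", f.bytes, "bytes", "KEPT" if f.selected else "counters only")
    print(peers(flows))
```

The inadvertent captures mentioned in the Harvard case fall out of this design naturally: any flow whose bytes happen to contain the keyword is selected, whoever it belongs to, which is why a keyword filter limits collection but does not eliminate over-collection.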


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they can't eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or a court has authorized the intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection
Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
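WELF (the WebTrends Enhanced Log Format mentioned above) is simply a line of space-separated key=value pairs, with double quotes around values that contain spaces, and the usage and risk reporting described in 3.14.1 is a matter of parsing those pairs and aggregating them. The following is an added example, not Firewall Analyzer's code: a WELF parser and three of the reports a firewall log supports, bandwidth per source host, denied connections per source, and sources whose denied connections touched many distinct ports (a port scan). The log lines are constructed, and the convention that a denied connection carries a msg starting with "Denied" is an assumption, since WELF leaves the naming of the action to the vendor.

```python
"""Parse WELF firewall log records and report on them.

Added example, not Firewall Analyzer's code. Sample lines are constructed; the
"Denied: ..." msg convention is an assumption.
"""
import re
from collections import Counter, defaultdict

# key=value, where value is either a double-quoted string or a run of non-spaces
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_INT_FIELDS = ("sent", "rcvd", "dstport", "srcport", "pri", "rule")


def parse_welf_line(line):
    """Return the record as a dict; quoted values are unquoted, counters become ints."""
    rec = {}
    for key, val in _PAIR.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        if key in _INT_FIELDS:
            val = int(val)
        rec[key] = val
    for required in ("id", "time", "fw", "pri"):      # mandatory WELF fields
        if required not in rec:
            raise ValueError("not a WELF record (missing %s): %r" % (required, line))
    return rec


def parse_welf(text):
    return [parse_welf_line(l) for l in text.splitlines() if l.strip()]


def denied(rec):
    return rec.get("msg", "").lower().startswith("denied")


def bandwidth_by_src(records):
    """Bytes each host pushed through the firewall (sent + received), allowed traffic only."""
    total = Counter()
    for r in records:
        if not denied(r):
            total[r["src"]] += r.get("sent", 0) + r.get("rcvd", 0)
    return dict(total)


def denied_by_src(records):
    return dict(Counter(r["src"] for r in records if denied(r)))


def port_scan_suspects(records, min_ports=4):
    """Sources whose denied connections touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if denied(r) and "dstport" in r:
            ports[r["src"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


SAMPLE_LOG = """\
id=firewall time="2010-06-01 09:00:01" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.1.1.20 dst=198.51.100.7 dstport=80 sent=512 rcvd=20480 msg="Allowed"
id=firewall time="2010-06-01 09:00:05" fw=192.0.2.1 pri=6 rule=12 proto=https src=10.1.1.20 dst=198.51.100.9 dstport=443 sent=1024 rcvd=8192 msg="Allowed"
id=firewall time="2010-06-01 09:00:07" fw=192.0.2.1 pri=4 rule=2 proto=tcp src=203.0.113.5 dst=192.0.2.10 dstport=22 sent=0 rcvd=0 msg="Denied: no matching rule"
id=firewall time="2010-06-01 09:00:07" fw=192.0.2.1 pri=4 rule=2 proto=tcp src=203.0.113.5 dst=192.0.2.10 dstport=23 sent=0 rcvd=0 msg="Denied: no matching rule"
id=firewall time="2010-06-01 09:00:08" fw=192.0.2.1 pri=4 rule=2 proto=tcp src=203.0.113.5 dst=192.0.2.10 dstport=135 sent=0 rcvd=0 msg="Denied: no matching rule"
id=firewall time="2010-06-01 09:00:08" fw=192.0.2.1 pri=4 rule=2 proto=tcp src=203.0.113.5 dst=192.0.2.10 dstport=445 sent=0 rcvd=0 msg="Denied: no matching rule"
id=firewall time="2010-06-01 09:00:09" fw=192.0.2.1 pri=4 rule=2 proto=tcp src=203.0.113.5 dst=192.0.2.10 dstport=3389 sent=0 rcvd=0 msg="Denied: no matching rule"
id=firewall time="2010-06-01 09:00:12" fw=192.0.2.1 pri=6 rule=7 proto=smtp src=10.1.1.30 dst=198.51.100.25 dstport=25 sent=4096 rcvd=256 msg="Allowed"
id=firewall time="2010-06-01 09:00:15" fw=192.0.2.1 pri=4 rule=2 proto=tcp src=10.1.1.30 dst=192.0.2.10 dstport=22 sent=0 rcvd=0 msg="Denied: no matching rule"
"""

if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    print("bandwidth:", bandwidth_by_src(recs))
    print("denied:   ", denied_by_src(recs))
    print("scanners: ", port_scan_suspects(recs))
```

The single denied SSH attempt from 10.1.1.30 stays below the scan threshold; a threshold on distinct ports rather than on raw deny counts is what separates a misconfigured internal host from a sweep.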

3.14.3 Firewall Log Import
In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving
Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings
Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server
Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles to a file and import that file later to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors referenced: Forensic Toolkit (AccessData Corp), Email Examiner (Paraben Corp), EnCase (Guidance Software), ProDiscover (Technology Pathways), The Sleuth Kit, dtSearch (dtSearch Corp).

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, security policies and management, security and privacy software, software and web development, threats and attacks, information security.

3.16 Database Forensics_______________________________

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well known brands of database such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with app**ropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model
What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms
Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules
Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict selected information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies
The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance
An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database, such as tables. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction
Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system stores the database user's credentials (login id and password) and authenticates to the database on behalf of the user.

3.16.8 Activity Monitoring
Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit
In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties and may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel module level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
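What "extracted and transferred to a designated security system" buys an investigator, and where it falls short, can be shown end to end. The following is an added example, not from the chapter and not any database vendor's code: a SQLite table gets a native audit trigger; the trail is exported into a separate database standing in for the security system, where each record is chained to the previous one with SHA-256 so that a later edit of the copy is detectable; and the chained copy is reconciled against the live table, which exposes a change made while a DBA had the trigger disabled (the case the section says native auditing alone cannot prevent). It also illustrates the 3.16 remark about testing the recorded state against the table for validity. The table names, trigger and chaining scheme are assumptions made for illustration.

```python
"""Native audit trail, exported into a hash chain and reconciled with the live table.

Added example, not from the chapter; schema and chaining scheme are assumptions.
"""
import hashlib
import sqlite3

TRIGGER_SQL = """
CREATE TRIGGER employee_salary_audit AFTER UPDATE OF salary ON employee
BEGIN
    INSERT INTO employee_audit(row_id, old_salary, new_salary)
    VALUES (NEW.id, OLD.salary, NEW.salary);
END;
"""

SCHEMA = """
CREATE TABLE employee (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, salary INTEGER NOT NULL);
CREATE TABLE employee_audit (              -- native trail kept by the database itself
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT NOT NULL DEFAULT (datetime('now')),
    row_id INTEGER NOT NULL, old_salary INTEGER, new_salary INTEGER);
""" + TRIGGER_SQL

SINK_SCHEMA = """
CREATE TABLE audit_chain (                 -- copy held where DBAs have no access
    seq INTEGER PRIMARY KEY, at TEXT NOT NULL, row_id INTEGER NOT NULL,
    old_salary INTEGER, new_salary INTEGER,
    prev_hash TEXT NOT NULL, hash TEXT NOT NULL);
"""
GENESIS = "0" * 64


def link_hash(prev_hash, seq, at, row_id, old, new):
    data = "|".join(str(x) for x in (prev_hash, seq, at, row_id, old, new))
    return hashlib.sha256(data.encode()).hexdigest()


def export_chain(src, sink):
    """Copy audit rows not yet exported into the sink, chaining each to the previous one."""
    last = sink.execute("SELECT seq, hash FROM audit_chain ORDER BY seq DESC LIMIT 1").fetchone()
    last_seq, prev = last if last else (0, GENESIS)
    rows = src.execute("SELECT seq, at, row_id, old_salary, new_salary FROM employee_audit "
                       "WHERE seq > ? ORDER BY seq", (last_seq,)).fetchall()
    for seq, at, row_id, old, new in rows:
        h = link_hash(prev, seq, at, row_id, old, new)
        sink.execute("INSERT INTO audit_chain VALUES (?,?,?,?,?,?,?)",
                     (seq, at, row_id, old, new, prev, h))
        prev = h
    sink.commit()
    return len(rows)


def verify_chain(sink):
    """Return the seq of the first record whose link does not verify, or None if intact."""
    prev = GENESIS
    for seq, at, row_id, old, new, prev_hash, h in sink.execute(
            "SELECT seq, at, row_id, old_salary, new_salary, prev_hash, hash "
            "FROM audit_chain ORDER BY seq"):
        if prev_hash != prev or h != link_hash(prev, seq, at, row_id, old, new):
            return seq
        prev = h
    return None


def reconcile(src, sink):
    """Ids whose live salary differs from the last audited value: changed without a trail."""
    latest = dict(sink.execute(
        "SELECT row_id, new_salary FROM audit_chain a "
        "WHERE seq = (SELECT MAX(seq) FROM audit_chain b WHERE b.row_id = a.row_id)"))
    return [rid for rid, salary in src.execute("SELECT id, salary FROM employee ORDER BY id")
            if rid in latest and latest[rid] != salary]


def demo():
    src, sink = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    src.executescript(SCHEMA)
    sink.executescript(SINK_SCHEMA)
    src.executemany("INSERT INTO employee(id, name, salary) VALUES (?,?,?)",
                    [(1, "alice", 50000), (2, "bob", 52000)])
    src.execute("UPDATE employee SET salary = 55000 WHERE id = 1")   # audited
    src.execute("UPDATE employee SET salary = 53000 WHERE id = 2")   # audited
    src.commit()
    result = {"exported": export_chain(src, sink), "chain_before": verify_chain(sink)}
    # A DBA silences the native trail, edits a salary, and restores the trigger.
    src.executescript("DROP TRIGGER employee_salary_audit;")
    src.execute("UPDATE employee SET salary = 90000 WHERE id = 2")
    src.commit()
    src.executescript(TRIGGER_SQL)
    result["unaudited_rows"] = reconcile(src, sink)
    # Someone with write access to the exported copy rewrites history.
    sink.execute("UPDATE audit_chain SET new_salary = 54000 WHERE seq = 1")
    sink.commit()
    result["chain_after"] = verify_chain(sink)
    return result


if __name__ == "__main__":
    print(demo())
```

The reconciliation catches the silent change only because a copy of the trail exists outside the DBA's reach; had the DBA also been able to edit the chain, the tampered link would still show, but a trail that was never written leaves nothing to verify, which is the gap the section says host-based or network monitoring has to close.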

31610 Process and Procedures A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes The accounts used by automated processes should have appropriate controls around password storage such as sufficient encryption and access controls to reduce the risk of compromise For individual accounts a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system In conjunction with a sound database security program an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment An example is that of replication for the primary databases to sites located in different geographical regions After an incident occurs the usage of database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems andor processes to prevent similar incidents in the future

3.17 Testing for SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, an attacker manipulates a web application so that their own SQL commands are injected into the statements the application issues to the database. For an example, see the article "SQL Injection Attacks on Databases". In this section we take a look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyse your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests described here only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you can't handle that price tag, manual testing is a good first step. The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

    http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

    SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection:

    http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

    SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (for example, %3e is the URL encoding for the > character and %3d for =), and line breaks were added for the same reason. The table "fake" is deliberately chosen not to exist: if the database actually parses the injected text, it will complain about the unknown table rather than return or modify any data, which is what makes this probe harmless.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, it will strip out (or escape) the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL, and you'll see an error message from the application similar to the one below:

    Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't), you'll see something like this:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


    [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
    /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is very likely vulnerable to SQL injection. The detailed ODBC error is conclusive; the generic error only shows that your input reached something that failed, so confirm it by submitting a pair of inputs that differ only in a condition that is true (mike'+AND+'1'%3d'1) versus false (mike'+AND+'1'%3d'2) and checking that the two responses differ. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement parameter checking in all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to perform the injected action, it will not succeed.

Use parameterised (prepared) queries or stored procedures, or similar techniques, so that user input is never interpreted as SQL code. Note that a stored procedure which concatenates its arguments into dynamic SQL is just as injectable as the original query.
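The probe from section 3.17.2 and the first and third mitigations above can be exercised side by side in a small script. This is an added example, not code from the chapter or from the article it quotes: it uses an in-memory SQLite database in place of the SQL Server/ASP application, the directory table and its rows are constructed, and `lookup_vulnerable` builds its query by string concatenation exactly as the page assumes directory.asp does.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's "directory" table.
ROWS = [
    ("chapple", "mike", "555-0100"),
    ("smith", "anna", "555-0101"),
    ("jones", "lee", "555-0102"),
]

# The page's innocuous probe: references a table that does not exist, so a
# database that parses it errors out instead of returning or changing data.
PROBE = "mike' AND (SELECT count(*) FROM fake) > 0 OR '1'='1"

# Parameter checking: names are letters, spaces, hyphens and apostrophes only.
# Apostrophes are allowed on purpose (O'Brien) to show that validation alone
# would not be enough; the parameterised query is what makes the input inert.
NAME_RE = re.compile(r"^[A-Za-z' -]{1,64}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the statement by string concatenation: user input becomes SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, lastname, firstname):
    """Parameter checking plus a parameterised query, per the mitigations above."""
    for value in (lastname, firstname):
        if not NAME_RE.match(value):
            raise ValueError("invalid name: %r" % value)
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe(lookup, conn) -> str:
    """Run the page's probe through a lookup function and classify the outcome."""
    try:
        rows = lookup(conn, "chapple", PROBE)
    except ValueError:
        return "not vulnerable (input rejected)"
    except sqlite3.OperationalError as err:
        # SQLite's "no such table: fake" is the counterpart of SQL Server's
        # "Invalid object name 'fake'": the database parsed our text as SQL.
        return "vulnerable: database error leaked: %s" % err
    return "vulnerable: %d rows" % len(rows) if rows else "not vulnerable"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", probe(lookup_vulnerable, db))
    print("hardened lookup: ", probe(lookup_hardened, db))
    print("classic bypass:  ", lookup_vulnerable(db, "chapple", "x' OR '1'='1"))
```

Against the concatenating lookup the probe surfaces the unknown-table error and the classic `' OR '1'='1` bypass returns every phone number in the table; against the hardened lookup the probe is rejected by the whitelist, and even a name containing an apostrophe is passed to the driver as a value, never as SQL.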

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and any optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking whether a partner has been cheating on them, by Human Resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. The above are just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature states that you will tell at least someone. On a computer such records could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes), your DBX file (Microsoft Outlook Express) or in individual MSG and EML message files, amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory or removable memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile-phone-specific tools; they must also have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data is achieved for the client in a forensically sound manner. A more recent development is cellular transmitter (cell-site) location, which is used to assist agencies in establishing the approximate whereabouts of the person under investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean it is accepted throughout the world. There are also downsides. Simply passing the phone in question to a colleague or accomplice means that the phone, not its owner, was in another place at the time of a call, and so cannot by itself place anyone at or away from the scene of a crime. There is also the problem of 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to their owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive, with advancing technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. The cyber criminals of today include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimise you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and, in milder forms, by some legitimate companies. Once installed on a computer it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in storage areas such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware has typically got onto a system by abusing a Microsoft technology known as ActiveX. ActiveX is not a language but a component technology: ActiveX controls are native code that Internet Explorer downloads and runs with the privileges of the logged-in user, which is what makes many web pages of that era work. When a cyber criminal gets a malicious ActiveX control installed, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive: securely overwrite it, since simply deleting files or formatting the drive leaves the data recoverable by exactly the tools described in this chapter. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practising computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell it, such as DVDs and CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorised access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data or system interference. Computer crimes may not necessarily involve damage to physical property; rather, they involve the manipulation of confidential data and critical information. They also include software theft and activities in which the privacy of users is compromised. These criminal activities involve the breach of human and information privacy as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime


The different types of computer crime involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, such crimes are sure to end, since it is truth that always triumphs. The types of computer crime are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorised access is known as hacking: the act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorised revelation of passwords with intent to gain access to the private communications of an organisation or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is IP address spoofing, in which the attacker forges the source address of their traffic in order to transact under a false identity and remain anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and then harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or the company's time and money, surf the internet or play games without proper authorisation. In many instances this kind of behaviour is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, and so on.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system
• Making copies of relevant logs and data; this includes making bit-stream backups (images) of all hard disk drives
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with
• Authenticating the data mathematically (computing cryptographic hashes) on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession
• Documenting the date and time associated with computer files when the computer was taken into evidence
• Generating a list of keywords to facilitate the evaluation of data on a computer hard disk drive


One of the most important steps in investigating a Windows-based computer crime is to evaluate the Windows swap (page) file, which can contain valuable information: fragments of memory, including passwords and document text, that were never saved to a file. Next is evaluation of file slack, the storage area between the end of a file's data and the end of its last cluster, which can retain remnants of whatever previously occupied that space. File slack is a good source of evidence for crimes committed through the internet.

Evaluation of unallocated space provides information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually, since a plain keyword search will not see their contents.

Finally, it is important to document the findings and issues identified during the computer search.
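Two of the steps above, mathematical authentication of the evidence and the keyword search over the raw drive (including slack and unallocated space), are small enough to show in working code. This is an added example, not from the chapter or any forensic tool: the "image" is a constructed byte string standing in for a bit-stream copy, and the second record is placed in what a file system would consider unallocated space to show why the search must run over raw bytes rather than over files.

```python
import hashlib
import re

# Constructed stand-in for a bit-stream image (not real evidence). The first
# record is "allocated"; the second sits in space a file system would report as
# unallocated, which a file-level search would never see. The last fragment is
# the same string as Windows often stores it, in UTF-16LE.
IMAGE = (
    b"\x00" * 16
    + b"Contact: alice@example.org\n"
    + b"\x00" * 32
    + b"DELETED: transfer 4000 to acct 7781 before friday\n"
    + b"\x00" * 16
    + "acct 7781".encode("utf-16-le")
)


def acquire_hashes(image: bytes) -> dict:
    """Hashes recorded in the evidence log at seizure time (two algorithms, as is common practice)."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_integrity(image: bytes, recorded: dict) -> bool:
    """Re-hash the image later and compare; a single changed byte fails the check."""
    current = acquire_hashes(image)
    return all(current[alg] == digest for alg, digest in recorded.items())


def keyword_search(image: bytes, keywords) -> list:
    """Scan the raw bytes, not the file system, in both ASCII and UTF-16LE.

    Returns (keyword, encoding, byte offset, printable context) tuples so the
    examiner can record exactly where on the medium each hit was found.
    """
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(kw.encode(enc))
            for m in re.finditer(pattern, image, re.IGNORECASE):
                ctx = image[max(0, m.start() - 12): m.end() + 24]
                printable = ctx.replace(b"\x00", b".").decode("ascii", "replace")
                hits.append((kw, enc, m.start(), printable))
    return hits


if __name__ == "__main__":
    log = acquire_hashes(IMAGE)
    print("recorded:", log)
    print("intact:", verify_integrity(IMAGE, log))
    for hit in keyword_search(IMAGE, ["acct 7781", "alice"]):
        print(hit)
```

Run stand-alone it records both digests, confirms the image still matches them, and reports the account-number keyword twice: once in the "deleted" ASCII region and once in the UTF-16LE copy that an ASCII-only search would miss. Flipping any byte of the image makes `verify_integrity` return False, which is the property the hash record is meant to give you in court.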

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works
Page 18: Ch3 - Digital Evidence & Frauds

Figure 3.7 Windows 2003 Server Firewall Exception window

Now let's compare that to Windows Server 2008:


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rule configuration, Microsoft has pushed WFAS more toward its ISA Server firewall product. The number of default rules offered by WFAS is truly amazing: in Windows 2003 Server there were three default exceptions (rules); in Windows Server 2008, WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules.


Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built into Windows, the port would have been opened for you automatically. However, as you are using a third-party web server and you have the inbound firewall enabled, you must open the port manually. Here are the steps to follow:

• Identify the protocol you want to filter. In our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).
• Identify the source IP address, source port number, destination IP address and destination port number. Our web traffic will be coming from ANY IP address and any port number, going to this server on port 80. (Note that you could also create a rule for a certain program, such as the Apache HTTP Server.)
• Open the Windows Firewall with Advanced Security MMC.
• Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

• Select that you want to create a rule for a port.
• Configure the protocol and port number: take the default of TCP, enter the port number 80 and click Next.
• Take the default of "allow this connection" and click Next.
• Take the default of applying this rule to all profiles and click Next.
• Give the rule a name and click Finish.

At this point you should have a rule that looks like this

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent network-borne malware from spreading to your computer and to prevent unauthorised users from accessing it. A firewall exists between your computer and the network and determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the "Firewalling with iptables" chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security — This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall; the security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server mdash Choose this option if you want people to connect to a Web server such as Apache running on your system You do not need to choose this option if you want to view pages on your own system or on other servers on the network

Incoming Mail mdash Choose this option if your system needs to accept incoming mail You do not need this option if you retrieve email using IMAP POP3 or fetchmail

Secure Shell mdash Secure Shell or SSH is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection If you need to access your machine remotely through ssh select this option

Telnet mdash Telnet allows you to log into your machine remotely however it is not secure It sends plain text (including passwords) over the network It is recommended that you use SSH to log into your machine remotely If you are required to have telnet access to your system select this option

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page writes the firewall rules to /etc/sysconfig/ipchains and starts the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session: if the new rules disable remote access to the system, you will no longer be able to reach it to disable them.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is an open mail relay, someone can use it to send spam to others from your machine. If you chose to enable mail services, then after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test are displayed when it finishes. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To start the service manually, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________
(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and WinDump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping on or disclosing intercepted contents, except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: tcpdump on the UNIX systems or WinDump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can determine the effect of the operating system on overall capture efficiency. Once the best operating system has been found, swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

When Sandstorm ran this test, the results were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason is that no process can dominate both processors at the same time, so one processor ends up doing packet capture and the other ends up doing analysis.
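The analysis step of the capture test described above, as an added example that is not part of the original text. It assumes the packet generator stamps every frame with an increasing serial number and that the serials found in the dump file have already been extracted into a list (in practice with tcpdump -r; here the list is constructed).

```python
# Added example, not from the original text: compute the capture-loss metrics
# of the test above (percentage dropped, longest run dropped) from the serial
# numbers recovered out of a dump file. The generator is assumed to stamp each
# frame with an increasing serial; SAMPLE_CAPTURE is constructed data.

def capture_loss_stats(captured, first_serial, last_serial):
    """Return (dropped, dropped_percent, longest_drop_run).

    captured      serial numbers present in the dump (any order; duplicates ignored)
    first_serial  first serial the generator transmitted
    last_serial   last serial the generator transmitted (inclusive)
    """
    if last_serial < first_serial:
        raise ValueError("empty send range")
    seen = set(captured)
    total_sent = last_serial - first_serial + 1
    dropped = longest_run = current_run = 0
    for serial in range(first_serial, last_serial + 1):
        if serial in seen:
            current_run = 0           # a captured frame ends the current gap
        else:
            dropped += 1
            current_run += 1          # extend the current gap
            longest_run = max(longest_run, current_run)
    return dropped, 100.0 * dropped / total_sent, longest_run

# Constructed sample: serials 1..20 were sent; 5-7 were lost in a burst (the
# signature of an overflowing capture buffer) and 15 was an isolated loss.
SAMPLE_CAPTURE = [1, 2, 3, 4, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20]

if __name__ == "__main__":
    dropped, pct, run = capture_loss_stats(SAMPLE_CAPTURE, 1, 20)
    print(f"dropped {dropped}/20 ({pct:.1f}%), longest run of drops: {run}")
```

The longest-run figure is the more useful of the two when comparing platforms: a kernel that drops in long bursts under load loses whole connections, while the same percentage of scattered single-packet drops still leaves most streams reconstructible.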


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives, and also explored a variety of RAID systems. The conclusion: the IDE drives of the day were significantly faster than SCSI drives costing two or three times more per gigabyte stored. This was not the expected result, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although the highest performance came from a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, a RAID 5 system based on the 3Ware Escalade 7000 RAID controller performed nearly as well.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender, and by examining the flow of packets over time it is possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse. (This describes the Internet at the time the source article was written; with TLS now the norm for web and mail traffic, content analysis of captured traffic is far more limited and traffic analysis correspondingly more important.)
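Traffic analysis as described above, carried out on packet metadata alone, as an added example that is not part of the original text. The records are constructed (timestamp, source, destination, destination port, bytes) tuples of the kind a stop, look and listen system might keep after discarding payloads; the addresses are from documentation ranges and stand for nothing real.

```python
# Added example, not from the original text: what can still be inferred from
# IP headers when payloads are opaque. SAMPLE_FLOWS is constructed metadata
# (unix_timestamp, src, dst, dst_port, bytes) from documentation address ranges.
from collections import defaultdict
from datetime import datetime, timezone

BASE = 1700006400  # 2023-11-15 00:00:00 UTC, chosen for readable hours below

def at(hour, minute):
    return BASE + hour * 3600 + minute * 60

SAMPLE_FLOWS = [
    (at(9, 20),  "10.1.1.5", "203.0.113.10",  443, 1200),
    (at(9, 21),  "10.1.1.5", "203.0.113.10",  443, 8400),
    (at(10, 20), "10.1.1.5", "198.51.100.25",  25, 2100),   # outbound mail
    (at(13, 20), "10.1.1.5", "203.0.113.10",  443,  500),
    (at(16, 20), "10.1.1.9", "203.0.113.10",  443,  300),   # a different host
]

def summarize_conversations(flows):
    """Per (src, dst, dport): packet count, byte total, first and last seen."""
    convs = {}
    for ts, src, dst, dport, size in flows:
        c = convs.setdefault((src, dst, dport),
                             {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        c["packets"] += 1
        c["bytes"] += size
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
    return convs

def active_hours(flows, src):
    """UTC hours in which `src` sent anything: a rough picture of when the
    person behind that address was at the keyboard."""
    return sorted({datetime.fromtimestamp(ts, tz=timezone.utc).hour
                   for ts, s, _d, _p, _n in flows if s == src})

def peers(flows, src):
    """Who `src` talked to, heaviest conversation first."""
    totals = defaultdict(int)
    for _ts, s, dst, _p, size in flows:
        if s == src:
            totals[dst] += size
    return sorted(totals, key=lambda d: (-totals[d], d))

if __name__ == "__main__":
    for key, c in summarize_conversations(SAMPLE_FLOWS).items():
        print(key, c)
    print("10.1.1.5 active hours:", active_hours(SAMPLE_FLOWS, "10.1.1.5"))
    print("10.1.1.5 peers:", peers(SAMPLE_FLOWS, "10.1.1.5"))
```

Nothing here reads a byte of payload, which is exactly why the privacy policy discussed later must cover metadata as well as content: working hours, mail server use and the heaviest correspondents all fall out of the headers.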


Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people while limiting the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only those TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by recording only TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
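Keyword-triggered retention of the kind the I-Watch description implies, as an added example that is not the FBI's or DISA's code. It assumes packets have already been attributed to a connection (the connection ids below stand in for the source/destination address and port 4-tuple); the packets are constructed. It also shows why the connection must be reassembled before matching, and how legitimate traffic mentioning the keyword is swept in, as happened at Harvard.

```python
# Added example, not from the original text: retain only the connections whose
# reassembled byte stream contains a keyword, discarding everything else
# (minimization). SAMPLE_PACKETS is constructed; "A".."D" stand for 4-tuples.
from collections import defaultdict

def retain_connections_with_keyword(packets, keyword):
    """packets: iterable of (conn_id, payload_bytes) in arrival order.
    Returns {conn_id: full_stream} for every connection whose reassembled
    stream contains `keyword`; all other connections are dropped."""
    streams = defaultdict(bytearray)
    for conn_id, payload in packets:
        streams[conn_id] += payload            # reassemble before matching
    return {cid: bytes(s) for cid, s in streams.items() if keyword in s}

def connections_matching_per_packet(packets, keyword):
    """Naive variant that matches each packet on its own. It misses any
    keyword that straddles a segment boundary, which is why reassembly
    comes first in the function above."""
    return {cid for cid, payload in packets if keyword in payload}

# Constructed sample traffic. "A" is the attacker starting a sniffer, with the
# program name split across two segments; "B" is an innocent mail message that
# merely mentions the tool; "C" is an innocent hostname that happens to contain
# the keyword across a segment boundary; "D" is unrelated web traffic.
SAMPLE_PACKETS = [
    ("A", b"cd /tmp/.x && ./sni"),
    ("B", b"Subject: sni256 source\r\n\r\nHas anyone seen sni256 on our hosts?"),
    ("A", b"256 -i eth0 &\n"),
    ("C", b"ssh-rsa AAAAB3Nza... user@sn"),
    ("D", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("C", b"i256-host.example\n"),
]

if __name__ == "__main__":
    kept = retain_connections_with_keyword(SAMPLE_PACKETS, b"sni256")
    for cid, stream in sorted(kept.items()):
        print(cid, stream)
    print("per-packet match only:", connections_matching_per_packet(SAMPLE_PACKETS, b"sni256"))
```

Connection D never reaches disk, which is the point of minimization; B and C are the false positives a reviewer must later discard, and a per-packet matcher would have missed the attacker's own connection A entirely.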


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Under US law, corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications (they cannot eavesdrop on communications or disclose intercepted contents) unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record the information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. The Firewall Analyzer product (ManageEngine) offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF (WebTrends Enhanced Log Format), this is the best configuration option.
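What a log analyzer does with WELF records once they arrive, as an added example that is neither Firewall Analyzer's code nor from the original text: a minimal parser for the key=value format named above, followed by the per-source bandwidth and per-rule denial roll-ups such tools report. The log lines are constructed; the field names (id, time, fw, pri, rule, proto, src, dst, sent, rcvd, msg) are standard WELF keys.

```python
# Added example, not from the original text or the product: parse WELF
# (WebTrends Enhanced Log Format) records and produce two roll-ups. Quoted
# values may contain spaces, which is the one thing a naive split() gets wrong.
import re
from collections import defaultdict

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    'id=firewall time="2023-11-15 09:20:01" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.1.1.5 dst=203.0.113.10 sent=1200 rcvd=34000 msg="Allowed by rule 12"',
    'id=firewall time="2023-11-15 09:20:07" fw=192.0.2.1 pri=6 rule=12 proto=https src=10.1.1.5 dst=203.0.113.10 sent=800 rcvd=9000 msg="Allowed by rule 12"',
    'id=firewall time="2023-11-15 09:21:30" fw=192.0.2.1 pri=4 rule=3 proto=23/tcp src=198.51.100.77 dst=10.1.1.5 msg="Denied by rule 3"',
    'id=firewall time="2023-11-15 09:22:02" fw=192.0.2.1 pri=6 rule=12 proto=smtp src=10.1.1.9 dst=198.51.100.25 sent=2100 rcvd=300 msg="Allowed by rule 12"',
    'id=firewall time="2023-11-15 09:23:44" fw=192.0.2.1 pri=4 rule=3 proto=23/tcp src=198.51.100.77 dst=10.1.1.9 msg="Denied by rule 3"',
]

def parse_welf(line):
    """Split one WELF record into a dict; quoted values keep embedded spaces."""
    return {key: (quoted or bare) for key, quoted, bare in _FIELD.findall(line)}

def bytes_per_source(lines):
    """Total bytes (sent + rcvd) per source address, for bandwidth planning.
    Records carrying no byte counters (e.g. denied connections) are skipped."""
    totals = defaultdict(int)
    for rec in map(parse_welf, lines):
        if "src" in rec and ("sent" in rec or "rcvd" in rec):
            totals[rec["src"]] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
    return dict(totals)

def denials_by_rule(lines):
    """Denied or dropped connections per firewall rule, broken down by source:
    the view an investigator wants when a host starts probing the perimeter."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in map(parse_welf, lines):
        if re.search(r"den(y|ied)|drop", rec.get("msg", ""), re.IGNORECASE):
            counts[rec.get("rule", "?")][rec.get("src", "?")] += 1
    return {rule: dict(srcs) for rule, srcs in counts.items()}

if __name__ == "__main__":
    print(bytes_per_source(SAMPLE_LOG))
    print(denials_by_rule(SAMPLE_LOG))
```

The denial roll-up keys on the rule id rather than on free-text messages because vendors word their messages differently; the regular expression on msg is only there to classify the record, and a production parser would use the vendor's documented action field where one exists.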

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. Log archiving takes up disk space, so the option can be disabled at any time; bear in mind, however, that the archived raw logs are what an investigator will need after an incident, so disable it only with your retention requirements in mind.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA (Log Export API) servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles to a file and import that file later to restore them. This comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

The source article's tag list names the following tools and vendors: Forensic ToolKit (AccessData Corp), Email Examiner (Paraben Corp), EnCase (Guidance Software), ProDiscover (Technology Pathways), The Sleuth Kit, and dtSearch (dtSearch Corp). Its subject tags cover chain of custody, evidence, hashing, incident investigation, intellectual property theft, the legal team, network forensics and network penetration.

3.16 Database Forensics_______________________________

Database forensics is the forensic study of databases: gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or to reconstruct what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that record the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the format used to encode data on disk; documentation of the on-disk formats used by well-known database products such as SQL Server and Oracle has been contributed to the public domain.

According to one Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
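Testing row timestamps for validity, as mentioned above, as an added example that is not part of the original text. It uses Python's bundled sqlite3 so that it runs offline; the schema and rows are constructed. The checks rest on two invariants that honest rows cannot violate: a row's updated_at can never precede its created_at, and created_at should rise with the autoincrement id, because ids are assigned in insertion order.

```python
# Added example, not from the original text: two validity tests on row
# timestamps that flag backdated or forged records. Table and rows are
# constructed; timestamps are ISO-8601 UTC strings, which compare correctly
# as text.
import sqlite3

SCHEMA = """
CREATE TABLE payments (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    payee      TEXT NOT NULL,
    amount     INTEGER NOT NULL,
    created_at TEXT NOT NULL,
    updated_at TEXT NOT NULL
);
"""

# Constructed rows: id 3 claims to have been created before ids 1 and 2 even
# though it was inserted after them (a backdated insert), and id 4 claims to
# have been updated an hour before it was created.
SAMPLE_ROWS = [
    ("acme",     100,  "2023-11-15T09:00:00Z", "2023-11-15T09:00:00Z"),
    ("globex",   250,  "2023-11-15T10:00:00Z", "2023-11-15T10:30:00Z"),
    ("initech",  90,   "2023-11-14T23:59:00Z", "2023-11-14T23:59:00Z"),
    ("umbrella", 5000, "2023-11-15T12:00:00Z", "2023-11-15T11:00:00Z"),
]

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO payments(payee, amount, created_at, updated_at) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    conn.commit()
    return conn

def updated_before_created(conn):
    """ids whose updated_at precedes created_at: impossible for an honest row."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM payments WHERE updated_at < created_at ORDER BY id")]

def created_out_of_sequence(conn):
    """ids whose created_at is earlier than that of some lower id. Either the
    server clock ran backwards or the row was inserted with a forged time;
    both deserve a look."""
    return [r[0] for r in conn.execute("""
        SELECT p.id FROM payments p
        WHERE EXISTS (SELECT 1 FROM payments q
                      WHERE q.id < p.id AND q.created_at > p.created_at)
        ORDER BY p.id""")]

if __name__ == "__main__":
    conn = load_sample()
    print("updated before created:", updated_before_created(conn))
    print("created out of id sequence:", created_out_of_sequence(conn))
```

Run these against a copy of the evidence database, never the live one: the analysis must not itself become a change to what is later presented in court.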


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict access to selected information to pre-approved IP addresses. (A source address is a weak factor on its own, since it says nothing about who is behind it; combine it with the authentication-mode and time-of-day factors rather than relying on it alone.)

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to newer database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security becomes more critical as networks become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database. Database objects may include tables, views, stored procedures and other objects. The permissions granted for SQL language commands on these objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user. (Such a system concentrates credentials in one place and must itself be hardened and audited accordingly.)

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
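One way to make the extracted trail described above tamper-evident, as an added example that is not part of the original text and not any platform's native audit facility: a trigger-based audit table stands in for native auditing, and the export attaches a running SHA-256 over the rows in sequence order, so the copy held on the separate security system can show whether the trail was edited, truncated or reordered afterwards. sqlite3 is used so the example runs offline; the schema and activity are constructed.

```python
# Added example, not from the original text: trigger-populated audit trail
# exported with a hash chain. Schema, rows and activity are constructed.
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    table_name TEXT, row_id INTEGER, action TEXT, old_value TEXT, new_value TEXT
);
CREATE TRIGGER accounts_upd AFTER UPDATE ON accounts BEGIN
    INSERT INTO audit_log(table_name, row_id, action, old_value, new_value)
    VALUES ('accounts', OLD.id, 'UPDATE', OLD.balance, NEW.balance);
END;
CREATE TRIGGER accounts_del AFTER DELETE ON accounts BEGIN
    INSERT INTO audit_log(table_name, row_id, action, old_value, new_value)
    VALUES ('accounts', OLD.id, 'DELETE', OLD.balance, NULL);
END;
"""

def make_db():
    """Constructed activity: two updates and a delete, each logged by trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 50)])
    conn.execute("UPDATE accounts SET balance = 90 WHERE id = 1")
    conn.execute("UPDATE accounts SET balance = 60 WHERE id = 2")
    conn.execute("DELETE FROM accounts WHERE id = 2")
    conn.commit()
    return conn

def _canon(row):
    # Fixed field order; '|' cannot occur in the values this schema produces.
    return "|".join("" if v is None else str(v) for v in row).encode()

def _chain(rows):
    digest = b"\x00" * 32                       # genesis value
    for row in rows:
        digest = hashlib.sha256(digest + _canon(row)).digest()
    return digest.hex()

def export_audit(conn):
    """Pull the trail in sequence order and return (rows, chain_head). The
    security system stores both; the head is what later verification trusts."""
    rows = conn.execute("SELECT seq, table_name, row_id, action, old_value, new_value "
                        "FROM audit_log ORDER BY seq").fetchall()
    return rows, _chain(rows)

def verify_audit(rows, expected_head):
    """True only if recomputing the chain over `rows` reproduces the stored
    head; any edited, removed or reordered row changes the result."""
    return _chain(rows) == expected_head

if __name__ == "__main__":
    rows, head = export_audit(make_db())
    for row in rows:
        print(row)
    print("chain head:", head, "intact:", verify_audit(rows, head))
```

The chain head must live where the DBA cannot reach it (the designated security system, or a write-once log), otherwise an administrator who can edit audit_log can simply recompute it. The chain proves nothing about rows that were never logged in the first place, which is why the text still prefers network or kernel-level monitoring for evidentiary confidence.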

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into the commands the application issues to the database. (For an example, see the article SQL Injection Attacks on Databases.) In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
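The directory lookup assumed above, written as an added example (not code from the chapter): once the vulnerable way, with the user's values pasted into the SQL text, and once with bound parameters plus the parameter check from the list above, run against a small SQLite table constructed here. The table, column names and sample rows are assumptions for the demo.

```python
"""Added example, not code from the chapter: the directory lookup the text
assumes, written once the vulnerable way (input pasted into the SQL string)
and once with a bound parameter, run against a small SQLite table
constructed here.  The table, column names and sample rows are assumptions
for the demo."""
import re
import sqlite3
from typing import List

# The chapter's harmless probe, URL-decoded: a closing quote, a reference to
# a table that should not exist, and a tautology.
PROBE = "mike' AND (select count(*) from fake)>0 OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row directory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO directory VALUES (?, ?, ?)",
        [("chapple", "mike", "555-0100"), ("smith", "jane", "555-0199")])
    return conn


def lookup_vulnerable(conn, lastname: str, firstname: str) -> List[str]:
    """The query the text assumes directory.asp runs, with the user's
    values concatenated straight into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' "
           "AND firstname = '%s'" % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, lastname: str, firstname: str) -> List[str]:
    """Same query with bound parameters: the driver passes the values
    separately, so a quote in the input can never alter the statement."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


# Parameter checking (first mitigation in the list above): a name is letters,
# spaces, hyphens and apostrophes, nothing else.  This narrows what reaches
# the query but does not replace parameter binding.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def is_plausible_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None


def probe_response(conn) -> str:
    """What the vulnerable page does with the probe: the database complains
    about the missing table (SQLite's counterpart to SQL Server's
    "Invalid object name 'fake'"), which is exactly the detailed error the
    text says to watch for."""
    try:
        rows = lookup_vulnerable(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc
    return "rows: %d" % len(rows)


def tautology_leak(conn) -> List[str]:
    """If a table called fake happens to exist, the probe no longer errors:
    the trailing OR '1'='1' makes the WHERE clause true for every row, so the
    vulnerable lookup hands back the whole directory."""
    conn.execute("CREATE TABLE IF NOT EXISTS fake (x INTEGER)")
    return lookup_vulnerable(conn, "chapple", PROBE)


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "chapple", "mike"))   # ['555-0100']
    print(probe_response(db))                    # error: no such table: fake
    print(lookup_safe(db, "chapple", PROBE))     # [] - nothing matches
    print(tautology_leak(db))                    # both phone numbers
```

The safe lookup returns no rows for the probe because the whole string is compared as a first name, which is the "weird lookup" behaviour the text describes for a well-behaved application.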

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by human resources departments that need to prove whether "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given time. These are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, the mobile phone is the police officer's first point of call for forensics. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it was proved in a British court of law, that does not necessarily mean that it is accepted throughout the world.

There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and by legitimate companies. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the Internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people.

Illegally using someone else's computer, or "posing" as someone else on the Internet.

Using spyware to gather information about people.

Emails requesting money in return for "small deposits".

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.

Using someone else's computer to access personal information with the intent to use it fraudulently.

Using the computer to solicit minors into sexual alliances.

Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs.

Hacking into computer systems to gather large amounts of information for illegal purposes.

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; rather, they include the manipulation of confidential data and critical information. Computer crimes involve activities such as software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.

However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the hijacking of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe to enter their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done, through split lines, without you even knowing it. Some thieves will take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayer's or company's time and money, surf the Internet or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.

Documenting the date and time associated with computer files when the computer was taken into evidence.

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
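The "authenticate data mathematically", "document file dates and times" and keyword-evaluation steps above, scripted as an added example (not the chapter's own tooling) over an evidence directory constructed in a temporary folder. The file names, contents and keyword list are assumptions for the demo; a real case would run the same manifest over the bit-stream image.

```python
"""Added example, not from the chapter: an evidence manifest (SHA-256, size,
timestamps) taken at seizure time, a later re-verification that reports any
file whose hash changed, and a keyword sweep driven by a generated keyword
list.  The directory, files and keywords are constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

BLOCK = 1 << 20  # hash in 1 MiB chunks so large images never sit in RAM


def sha256_file(path: str) -> str:
    """SHA-256 of a file's contents, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, dict]:
    """Record hash, size and modification time for every file under root,
    keyed by path relative to root (the record made at seizure time)."""
    manifest: Dict[str, dict] = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return manifest


def verify_manifest(root: str, manifest: Dict[str, dict]) -> List[str]:
    """Relative paths whose contents no longer match the recorded hash, or
    which have gone missing; an empty list means the evidence is unaltered."""
    problems = []
    for rel, rec in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_file(full) != rec["sha256"]:
            problems.append(rel)
    return problems


def keyword_hits(root: str, keywords: Iterable[str]) -> Dict[str, List[str]]:
    """Which files contain which keywords (case-insensitive byte search)."""
    needles = [k.lower() for k in keywords]
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read().lower()
            found = [k for k in needles if k.encode() in data]
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


def demo() -> tuple:
    """Constructed scenario: manifest at seizure, then one file is edited
    afterwards, which the re-verification must flag."""
    root = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("Transfer the funds via the offshore account on Friday.\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("Nothing relevant here.\n")
    manifest = build_manifest(root)
    clean = verify_manifest(root, manifest)        # [] while untouched
    with open(os.path.join(root, "notes.txt"), "a") as f:
        f.write("edited after seizure\n")           # the alteration
    tampered = verify_manifest(root, manifest)     # ['notes.txt']
    hits = keyword_hits(root, ["offshore", "transfer"])
    return clean, tampered, hits


if __name__ == "__main__":
    print(demo())
```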

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.


Figure 3.8 Windows 2008 Server Advanced Firewall Exception window

Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users & Computers, Programs and Services, and IP address Scopes. With this type of sophisticated firewall rule configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server there were 3 default exceptions (rules). Not so in Windows Server 2008: WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules.

Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows 2008 Server. If you had used the IIS built into Windows, the port would have been automatically opened for you. However, as you are using a third-party web server and you have the inbound firewall enabled, you must manually open the port. Here are the steps to follow:

Identify the protocol you want to filter; in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).

Identify the source IP address, source port number, destination IP address and destination port number; our web traffic will be coming from ANY IP address and any port number, going to this server on port 80 (note that you could also create a rule for a certain program, such as the Apache HTTP Server).

Open the Windows Firewall with Advanced Security MMC.

Add the rule: click on the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.

Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

Select that you want to create a rule for a port.

Configure the protocol and port number: take the default of TCP, enter the port number as 80 and click Next.

Take the default of "allow this connection" and click Next.

Take the default of applying this rule to all profiles and click Next.

Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule, it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection.

During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide.

To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a web server, such as Apache, running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session: if you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command: /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command: /sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully-loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically-configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
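The analysis package described above, as an added example that is not code from the original page: it reads the serial numbers out of captured frames and computes the dropped-packet percentage and the longest run of consecutive drops. The frame layout (a 14-byte Ethernet header followed by a 4-byte big-endian serial) is an assumption made for this example, not any real generator's format.

```python
"""Capture-efficiency analysis for a serialized-packet test run.

Added example, not code from the original page. The page describes a test in
which a generator transmits individually serialized packets and an analysis
package computes the percentage of dropped packets and the longest run of
consecutive drops. The frame layout is an assumption made for this example:
a 14-byte Ethernet header followed by a 4-byte big-endian serial number and
filler, not any real test-generator format.
"""
import struct
from dataclasses import dataclass
from typing import Iterable

ETH_HDR_LEN = 14


@dataclass
class CaptureStats:
    expected: int      # serials the generator transmitted
    captured: int      # distinct serials found in the dump
    dropped: int
    drop_pct: float
    longest_run: int   # longest run of consecutive missing serials
    duplicates: int    # frames seen twice (e.g. two interfaces in one dump)


def serial_of(frame: bytes) -> int:
    """Read the serial number stamped just after the Ethernet header."""
    if len(frame) < ETH_HDR_LEN + 4:
        raise ValueError("frame too short to carry a serial number")
    return struct.unpack("!I", frame[ETH_HDR_LEN:ETH_HDR_LEN + 4])[0]


def analyze_capture(frames: Iterable[bytes], first_serial: int,
                    last_serial: int) -> CaptureStats:
    """Compare the serials present in a dump with the range the generator sent."""
    if last_serial < first_serial:
        raise ValueError("empty serial range")
    expected = last_serial - first_serial + 1
    seen = set()
    duplicates = 0
    for frame in frames:
        s = serial_of(frame)
        if not first_serial <= s <= last_serial:
            continue                      # stray traffic outside the test run
        if s in seen:
            duplicates += 1
        else:
            seen.add(s)
    dropped = expected - len(seen)
    longest = run = 0
    for s in range(first_serial, last_serial + 1):
        if s in seen:
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return CaptureStats(expected, len(seen), dropped,
                        100.0 * dropped / expected, longest, duplicates)


def make_frame(serial: int, payload_len: int = 64) -> bytes:
    """Constructed test frame: zeroed Ethernet header, serial, filler payload."""
    return bytes(ETH_HDR_LEN) + struct.pack("!I", serial) + bytes(payload_len)


def demo() -> CaptureStats:
    # Constructed dump: serials 1..20 were sent; the capture host missed
    # 4, 5, 6 and 12, and recorded serial 9 twice.
    dump = [make_frame(s) for s in range(1, 21) if s not in (4, 5, 6, 12)]
    dump.append(make_frame(9))
    return analyze_capture(dump, 1, 20)


if __name__ == "__main__":
    print(demo())
```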


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
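The minimization described above, as an added example that is neither the page's code nor I-Watch: packets are examined in memory and only connections whose reassembled payload contains the keyword are retained, which also reproduces the false positive the page notes for a legitimate user who happens to mention the keyword. The packets, addresses, ports and payloads are constructed sample values.

```python
"""Keyword-minimized connection capture in the spirit of the Harvard case.

Added example; it is not code from the original page nor from the I-Watch
tool it mentions. It models the minimization described above: every packet
is examined in memory, but only TCP connections whose reassembled payload
contains the warrant's keyword are retained, and the rest are discarded
without ever being written out. Packets are constructed tuples; the keyword,
hosts, ports and payloads are made-up sample values.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


ConnKey = Tuple[str, int, str, int]
Direction = Tuple[str, int]      # (sender address, sender port)


def conn_key(p: Packet) -> ConnKey:
    """One key for both directions of a connection, so a reply is not a new flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


class KeywordMinimizer:
    def __init__(self, keyword: bytes) -> None:
        self.keyword = keyword
        self.examined = 0
        self._packets: Dict[ConnKey, List[Packet]] = defaultdict(list)
        # connection -> direction -> (seq -> payload); segments are reassembled
        # in sequence order so a keyword split across two packets is still found
        self._segments: Dict[ConnKey, Dict[Direction, Dict[int, bytes]]] = {}

    def offer(self, p: Packet) -> None:
        """Examine one packet and hold it until its connection is decided."""
        self.examined += 1
        k = conn_key(p)
        self._packets[k].append(p)
        if p.payload:
            per_dir = self._segments.setdefault(k, {}).setdefault((p.src, p.sport), {})
            per_dir[p.seq] = p.payload

    def _stream(self, k: ConnKey, d: Direction) -> bytes:
        segs = self._segments.get(k, {}).get(d, {})
        return b"".join(segs[s] for s in sorted(segs))

    def matches(self, k: ConnKey) -> bool:
        return any(self.keyword in self._stream(k, d) for d in self._segments.get(k, {}))

    def flush(self) -> Dict[ConnKey, List[Packet]]:
        """Decide every held connection: keep those containing the keyword, drop the rest."""
        kept = {k: pkts for k, pkts in self._packets.items() if self.matches(k)}
        self._packets.clear()
        self._segments.clear()
        return kept


def demo() -> Tuple[int, Dict[ConnKey, List[Packet]]]:
    """Constructed traffic: three connections offered as one packet stream."""
    attacker, victim = "203.0.113.5", "192.0.2.10"
    packets = [
        # the attacker's telnet session; the keyword is split across two
        # segments that arrive out of order ("run sni" is 7 bytes, so seq 8 follows)
        Packet(attacker, 40001, victim, 23, 8, b"256 now\n"),
        Packet(attacker, 40001, victim, 23, 1, b"run sni"),
        # an unrelated web fetch by a community member: never written out
        Packet("192.0.2.20", 51000, "198.51.100.3", 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
        Packet("198.51.100.3", 80, "192.0.2.20", 51000, 1, b"HTTP/1.0 200 OK\r\n"),
        # a legitimate mail mentioning the keyword: captured too, as the page notes
        Packet("192.0.2.21", 51001, "198.51.100.4", 25, 1, b"Subject: sni256 talk\r\n"),
    ]
    m = KeywordMinimizer(b"sni256")
    for p in packets:
        m.offer(p)
    return m.examined, m.flush()


if __name__ == "__main__":
    examined, kept = demo()
    print(f"examined {examined} packets, kept {len(kept)} connections")
```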


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
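As an added example of the bandwidth analysis described in 3.14.1 over the WELF export format named here (example code, not Firewall Analyzer's): a small parser for WELF key=value records that totals sent and received bytes per source address and per protocol, skipping lines that are not WELF records. The log lines are constructed samples using documentation address ranges.

```python
"""Parse WELF firewall log lines and summarize bandwidth per source and protocol.

Added example; it is not code from Firewall Analyzer. WELF (WebTrends
Enhanced Log Format) is the key=value export format named on the page; a
record must carry id, time, fw and pri, and sent/rcvd give byte counts.
The sample lines below are constructed, using documentation address ranges.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable

# key=value pairs; the value is a double-quoted string (may contain spaces)
# or a bare token running up to the next whitespace
WELF_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("id", "time", "fw", "pri")


def parse_welf(line: str) -> Dict[str, str]:
    """Split one WELF line into fields; raise ValueError if it is not a record."""
    fields: Dict[str, str] = {}
    for key, raw in WELF_PAIR.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("not a WELF record, missing " + ", ".join(missing))
    return fields


def _byte_count(fields: Dict[str, str], key: str) -> int:
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0            # tolerate exporters that write sent=- for unknown


def summarize(lines: Iterable[str]) -> dict:
    """Bandwidth totals (sent + rcvd) per source address and per protocol."""
    by_src: Dict[str, int] = defaultdict(int)
    by_proto: Dict[str, int] = defaultdict(int)
    records = rejected = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            f = parse_welf(line)
        except ValueError:
            rejected += 1           # count, don't crash, on non-WELF noise
            continue
        records += 1
        total = _byte_count(f, "sent") + _byte_count(f, "rcvd")
        by_src[f.get("src", "unknown")] += total
        by_proto[f.get("proto", "unknown")] += total
    return {"records": records, "rejected": rejected,
            "bytes_by_src": dict(by_src), "bytes_by_proto": dict(by_proto)}


# Constructed sample export: three permitted flows, one deny, one junk line.
SAMPLE_LOG = """\
id=firewall time="2004-12-01 09:00:01" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.1.1.5 dst=198.51.100.7 sent=512 rcvd=40960
id=firewall time="2004-12-01 09:00:03" fw=192.0.2.1 pri=6 rule=12 proto=smtp src=10.1.1.9 dst=198.51.100.25 sent=2048 rcvd=300
id=firewall time="2004-12-01 09:00:05" fw=192.0.2.1 pri=6 rule=12 proto=http src=10.1.1.5 dst=198.51.100.8 sent=256 rcvd=10240 msg="cache miss"
id=firewall time="2004-12-01 09:00:07" fw=192.0.2.1 pri=4 rule=99 proto=tcp/445 src=203.0.113.44 dst=10.1.1.9 msg="Deny inbound"
garbage line without fields
"""


def demo() -> dict:
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(demo())
```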

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from within Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and Radius servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and later import them to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)



3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders, employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini-virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time-of-day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic over pre-approved IP addresses.
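The rule described above, as an added example (not code from the page or from any database product): a check that permits privileged changes only from the corporate intranet, during business hours on a working day, and with a strong authentication mode, while read-only work is outside the rule's scope. The address ranges, hours and authentication mode names are constructed sample values.

```python
"""Context-based rule check for privileged database changes.

Added example; not code from the page or from any database product. It
implements the kind of rule the section describes: an administrator may
change the database only from the corporate intranet, during business hours
on a working day, and with a strong authentication mode, while read-only
work is not restricted by this rule. The address ranges, hours and
authentication modes below are constructed sample values.
"""
import ipaddress
from datetime import datetime, time
from typing import Iterable, List, Tuple

CHANGE_OPS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "CREATE",
              "GRANT", "TRUNCATE"}


class AdminChangeRule:
    def __init__(self, intranet_cidrs: Iterable[str], start: time, end: time,
                 strong_auth_modes: Iterable[str]) -> None:
        self.networks = [ipaddress.ip_network(c) for c in intranet_cidrs]
        self.start, self.end = start, end
        self.strong_auth_modes = set(strong_auth_modes)

    def evaluate(self, client_ip: str, when: datetime, auth_mode: str,
                 operation: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for one attempted statement."""
        if operation.upper() not in CHANGE_OPS:
            return True, "read-only operation, rule does not apply"
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            # fail closed: an address we cannot parse is never "inside"
            return False, f"unparseable client address {client_ip!r}"
        if not any(ip in net for net in self.networks):
            return False, f"{client_ip} is outside the corporate intranet"
        if when.weekday() >= 5:
            return False, "changes are not permitted at the weekend"
        if not self.start <= when.time() < self.end:
            return False, f"{when:%H:%M} is outside business hours"
        if auth_mode not in self.strong_auth_modes:
            return False, f"authentication mode {auth_mode!r} is not strong enough"
        return True, "permitted"


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenarios run through one rule (2024-01-10 is a Wednesday)."""
    rule = AdminChangeRule(["10.0.0.0/8", "192.168.1.0/24"], time(9, 0), time(18, 0),
                           ["kerberos", "certificate"])
    wed_morning = datetime(2024, 1, 10, 10, 30)
    return [
        rule.evaluate("10.20.3.4", wed_morning, "kerberos", "ALTER"),      # permitted
        rule.evaluate("203.0.113.7", wed_morning, "kerberos", "ALTER"),    # off-net
        rule.evaluate("10.20.3.4", datetime(2024, 1, 10, 22, 0),
                      "kerberos", "DROP"),                                 # after hours
        rule.evaluate("10.20.3.4", wed_morning, "password", "UPDATE"),     # weak auth
        rule.evaluate("203.0.113.7", wed_morning, "password", "SELECT"),   # read-only
    ]


if __name__ == "__main__":
    for permitted, reason in demo():
        print("ALLOW" if permitted else "DENY ", reason)
```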

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

access control, auditing, authentication, encryption and integrity controls.

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel module level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they are quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you can't handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will give you evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and returns their contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. Under that assumption, a simple change to the URL tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow: %3d is the URL encoding for the = character, %3e for the > character, and + stands for a space.

3.17.3 Evaluating the Results

The test comes when you try to load the page with the URL listed above. If the web application is well-behaved, it strips or escapes the single quotes in the input before passing the query to the database (better still, it passes the value as a bound parameter, so it can never become part of the SQL text). This simply results in an odd lookup for someone whose first name includes a bunch of SQL, and you'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it passes the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is vulnerable to SQL injection. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission for what the injected statement tries to do, it will not succeed.
• Use stored procedures or, better, parameterized queries (bound variables), so that user input is treated as data and is never concatenated into SQL text.
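As an added example (not code from the original page or from the article it summarizes), the following Python script reproduces the probe above against a constructed in-memory SQLite directory table: it decodes the probe URL's query string exactly as a web server would, runs it first through the assumed concatenated query and then through a parameterized version of the same lookup, and classifies the outcome the way the section does (a database error complaining about the non-existent table `fake` means the injected SQL reached the engine; SQLite words it "no such table" where SQL Server says "Invalid object name"). The table contents, the function names and the use of SQLite instead of SQL Server are assumptions of the example.

```python
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """Constructed sample directory table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("chapple", "mike", "555-0100"),
        ("chapple", "sarah", "555-0101"),
        ("jones", "mike", "555-0102"),
    ])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The page's assumed query built by string concatenation: the input becomes
    part of the SQL text, so a quote in the input changes the statement."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, lastname, firstname):
    """Same lookup with bound parameters: the input is passed as data and can
    never alter the statement, whatever characters it contains."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


# The probe URL's query string as it leaves the browser: %3e is '>', %3d is '=',
# and '+' is a space.
PROBE_QUERY = ("lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)"
               "+%3e0+OR+'1'%3d'1")


def params_from_query(query_string):
    """Decode the query string the way a web server would (first value per name)."""
    return {name: values[0] for name, values in parse_qs(query_string).items()}


def probe(lookup, conn, query_string=PROBE_QUERY):
    """Run the injection probe through a lookup function and classify the result:
    ("db_error", message) when the database tried to execute the injected SQL,
    ("rows", [...]) when the input was treated as an ordinary (odd) first name."""
    params = params_from_query(query_string)
    try:
        rows = lookup(conn, params["lastname"], params["firstname"])
    except sqlite3.OperationalError as exc:
        return ("db_error", str(exc))
    return ("rows", rows)


def is_vulnerable(lookup, conn):
    """The page's rule: a database error caused by the probe means injection works."""
    return probe(lookup, conn)[0] == "db_error"


if __name__ == "__main__":
    db = build_db()
    print("decoded firstname:", params_from_query(PROBE_QUERY)["firstname"])
    print("concatenated query vulnerable:", is_vulnerable(lookup_vulnerable, db))
    print("parameterized query vulnerable:", is_vulnerable(lookup_safe, db))
```

The concatenated version raises "no such table: fake" (the engine tried to run the injected subquery), while the parameterized version simply finds no directory entry whose first name is the whole probe string.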

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of data found on the SIM/USIM, the phone body itself and any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers. Mobile phone (cell phone) forensics is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner has been cheating on them, by Human Resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are just a few of the hundreds of reasons why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources departments and private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where will the records of wrongdoing be stored? Even if you are not the sort of person to record wrongdoing, human nature says that you will tell at least someone. On a computer such records may be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes), your DBX files (Microsoft Outlook Express) and your EML or MSG files (individual e-mail messages), among others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory, or removable memory cards (mainly MMC and similar cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone tools, but must have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development is cell-site analysis: the use of cellular transmitter location records to assist agencies in establishing the approximate whereabouts of the person under investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technique is relatively new, and the fact that it was accepted in a British court of law does not mean it is accepted throughout the world. There are also limitations. If the phone in question is simply handed to a colleague or accomplice, the phone will be in another place at the time of a call and therefore not at the scene of the crime. There is also the problem of 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to their owner. This is something still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Computer fraud is rampant as the use of computers becomes part of our daily lives with ever greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many forms of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by criminals and, in some forms, by legitimate companies. Once installed on a computer, it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain sensitive data, including your name, address, telephone number and email domain. This information is often found in places such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware has commonly got onto systems by abusing a Microsoft technology known as ActiveX. ActiveX lets a web page load and run native code components (controls) inside Internet Explorer, and many web pages of the time depended on it. However, when an attacker supplies a malicious control, or exploits a flaw in one that is already installed, ActiveX can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to run up debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud can be one of the most devastating crimes you will ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive; simply deleting files or formatting the drive leaves the data recoverable, so overwrite the drive or physically destroy it. As the saying goes, one man's trash is another man's treasure. There are many legal ramifications for those practising computer fraud, especially when it can be shown to be harmful and physically or financially damaging to others. Most laws distinguish between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common habit among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others, on the other hand, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud. At maximum, people who steal information or money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information, such as DVDs and CDs, with the intent to sell it
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data or system interference. Computer crimes may not necessarily involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They include software theft and breaches of the privacy of users, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crime involve illegal exploitation of computer and communication technology for criminal activity. While advancing technology has served as a boon to mankind, destructively directed intellects are all set to turn technology into a curse. Types of computer crime are as follows:

Hacking: Breaking into a computer system to gain unauthorized access is known as hacking, that is, defeating the security controls of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with the intent of gaining access to the private communications of an organization or a user is one of the most widely known computer crimes. Another dangerous variant is IP address spoofing, using a forged source address in order to act under a false identity and remain anonymous while carrying out criminal activity.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through emails or by luring users into entering personal information on fake websites. Criminals often use websites with the look and feel of a popular site, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that replicate themselves and harm the computer systems on a network without the knowledge of the users. Viruses spread to other computers through network file systems, the Internet, or removable media such as USB drives and CDs. Computer viruses are forms of malicious code written with the aim of harming a computer system and destroying information. Writing and releasing computer viruses is a criminal activity, as infections can crash computer systems and destroy great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users through chat rooms, online forums and social networking websites, gathering user information and then harassing the users on the basis of it. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using that person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services; commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping the phone line outside your house and running it into their own computer, which can often be done through a split line without your knowledge. Some thieves take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayer's or company's time and money, surf the web or play games without proper authorization. This kind of behaviour is in many instances not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to discover secret or personal information. They do this by taking computer printouts, mailing lists, customer lists and the like.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups (forensic images) of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices (computing cryptographic hashes of the images) in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the dates and times associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


One of the most important steps in investigating a computer crime is to evaluate the Windows swap (page) file, which can contain fragments of data from any program that ran on the machine. The next important area is file slack: the unused space between the end of a file's data and the end of its last allocated cluster, which can hold remnants of earlier files. File slack is a good source of evidence when investigating crimes committed through the Internet.

Evaluating unallocated space provides information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
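As an added example (not part of the original page), the following Python script works through the "authenticate mathematically" and "keyword list" steps above on a small constructed disk image: it records a SHA-256 hash at acquisition and re-verifies it later, then searches the raw image for keywords and reports whether each hit lies in allocated file data, in file slack, or in unallocated space. The image layout (512-byte sectors, one 1200-byte file in sectors 0 to 2, remnants planted in slack and unallocated sectors) and the allocation table are constructed for the demonstration and are not real evidence.

```python
import hashlib

SECTOR = 512  # bytes per sector in the constructed image


def build_image():
    """Constructed 8-sector disk image (not real evidence). notes.txt occupies
    sectors 0-2 but is only 1200 bytes long, so bytes 1200-1535 of sector 2 are
    file slack; sectors 3-7 are unallocated. Remnants of older, deleted data are
    planted in both areas, as happens on a real volume."""
    img = bytearray(8 * SECTOR)
    notes = b"quarterly report draft, figures still to be confirmed.".ljust(1200, b".")
    img[0:1200] = notes
    slack_remnant = b"remnant: move the funds to the offshore account"
    img[1250:1250 + len(slack_remnant)] = slack_remnant
    deleted = b"deleted memo: wire 40000 to account 9921 before friday"
    start = 5 * SECTOR + 16
    img[start:start + len(deleted)] = deleted
    return bytes(img)


# Allocation table of the constructed volume: file -> (first sector, size in bytes)
ALLOCATION = {"notes.txt": (0, 1200)}


def image_hash(img):
    """Step 'authenticate data mathematically': record this hash at acquisition."""
    return hashlib.sha256(img).hexdigest()


def verify_image(img, recorded_hash):
    """Recompute later and compare; a change to a single byte fails this check."""
    return hashlib.sha256(img).hexdigest() == recorded_hash


def region(offset, allocation):
    """Classify a byte offset as allocated file data, file slack, or unallocated."""
    for first_sector, size in allocation.values():
        start = first_sector * SECTOR
        end_of_data = start + size
        end_of_last_sector = start + -(-size // SECTOR) * SECTOR  # round up to sector
        if start <= offset < end_of_data:
            return "allocated"
        if end_of_data <= offset < end_of_last_sector:
            return "slack"
    return "unallocated"


def keyword_search(img, allocation, keywords):
    """Step 'generate a list of keywords': scan the raw image, including slack and
    unallocated space, and report (keyword, offset, region) for every hit."""
    hits = []
    lowered = img.lower()
    for kw in keywords:
        pos = lowered.find(kw.lower())
        while pos != -1:
            hits.append((kw, pos, region(pos, allocation)))
            pos = lowered.find(kw.lower(), pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    image = build_image()
    acquisition_hash = image_hash(image)
    print("SHA-256 at acquisition:", acquisition_hash)
    print("image still verifies:", verify_image(image, acquisition_hash))
    for kw, off, where in keyword_search(image, ALLOCATION, [b"quarterly", b"offshore", b"wire"]):
        print("%-10s offset %5d  %s" % (kw.decode(), off, where))
```

Searching the raw image rather than the file system is the point: a tool that only opens notes.txt would never see the "offshore" remnant in its slack or the deleted memo in the unallocated sectors.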

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and to commit to the following when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer in plain text, and do not use easily guessed passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.


Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works

Figure 3.9 Windows 2008 Server Advanced Firewall Default Inbound Rules

3.10.6 How to Create an Inbound Custom Firewall Rule

So how do you create a rule using the new Windows Advanced Firewall? Let's step through it. Say that you have installed the Apache web server for Windows on your Windows Server 2008 machine. If you had used the IIS built into Windows, the port would have been opened for you automatically. However, as you are using a third-party web server and the inbound firewall is enabled, you must open the port manually. Here are the steps to follow:

• Identify the protocol you want to filter: in our case it is going to be TCP/IP (as opposed to UDP/IP or ICMP).
• Identify the source IP address, source port number, destination IP address and destination port number: our web traffic will be coming from ANY IP address and any port number, going to this server on port 80. (Note that you could also create a rule for a certain program, such as the Apache HTTP Server executable.)
• Open the Windows Firewall with Advanced Security MMC.
• Add the rule: click the New Rule button in the Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.


Figure 3.10 Windows 2008 Server Advanced Firewall MMC: new rule button

• Select that you want to create a rule for a port.
• Configure the protocol and port number: take the default of TCP, enter the port number as 80 and click Next.
• Take the default of "Allow the connection" and click Next.
• Take the default of applying this rule to all profiles and click Next.
• Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC: after the rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after adding the rule it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing it. A firewall sits between your computer and the network and determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows an average user to configure firewall settings by constructing basic ipchains networking rules. Instead of having to write the rules, the program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.


You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the "Firewalling with iptables" chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended only if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a web server, such as Apache, running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session: if you disable remote access to your system, you will no longer be able to reach it or to disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is an open mail relay, someone can use it to send spam from your machine. If you chose to enable mail services, then after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To start the service manually, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics

(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.
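What the automatic detection and bandwidth reporting of 3.14.1 and 3.14.2 amount to underneath, as an added example that is not Firewall Analyzer code: a reader for WELF-style key=value log lines (quoted values may contain spaces) that lists the firewalls seen in a feed and totals bytes per firewall and per internal source. The field names (fw, src, sent, rcvd, msg) follow the key=value convention but the exact set, and every log line, is constructed for the example.

```python
# Added example: minimal WELF-style key=value log reader. Field names and
# all log lines are constructed; nothing here is Firewall Analyzer's own code.
import shlex
from collections import defaultdict

# Constructed sample feed: two firewalls exporting to the same syslog listener.
SAMPLE_LOG = """\
id=firewall time="2010-03-12 10:01:02" fw=fw-east pri=6 proto=tcp src=10.1.1.5 dst=203.0.113.7 dstport=443 sent=1200 rcvd=5400 msg="allow https"
id=firewall time="2010-03-12 10:01:03" fw=fw-east pri=6 proto=udp src=10.1.1.9 dst=198.51.100.2 dstport=53 sent=80 rcvd=220 msg="allow dns"
id=firewall time="2010-03-12 10:01:05" fw=fw-west pri=4 proto=tcp src=10.2.0.4 dst=203.0.113.9 dstport=22 sent=0 rcvd=0 msg="deny ssh from untrusted"
id=firewall time="2010-03-12 10:01:07" fw=fw-east pri=6 proto=tcp src=10.1.1.5 dst=203.0.113.8 dstport=80 sent=300 rcvd=9000 msg="allow http"
"""


def parse_line(line):
    """Split one key=value line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # ignore stray tokens that carry no '='
            fields[key] = value
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_firewalls(records):
    """A firewall is 'detected' simply by appearing in the fw= field of a record."""
    return sorted({rec["fw"] for rec in records if "fw" in rec})


def bytes_by(records, key):
    """Total sent+rcvd bytes grouped by any field (fw, src, dstport, ...)."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec.get(key, "?")] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("firewalls seen:", detect_firewalls(recs))
    print("bytes per firewall:", bytes_by(recs, "fw"))
    print("bytes per source:", bytes_by(recs, "src"))
```

Grouping by an arbitrary field is what makes one pass over the archive serve both the per-firewall bandwidth report and the per-host usage report the text describes.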

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles to a file and save it, and import that file later to restore the profiles. This comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Products and topics covered: Forensic ToolKit, AccessData Corp, Email Examiner, Encase, Guidance Software, Paraben Corp, ProDiscover, Sleuth Kit, Technology Pathways, chain of custody, dtSearch, dtSearch Corp, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, Access and Physical Security, Cyberterrorism, Data Protection, Other Security Policies and Management, Security and Privacy, Software, Software and Web Development, Threats and Attacks, information security.

3.16 Database Forensics

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of database such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today - particularly as email and the Internet make sharing and distributing corporate information easier than ever - is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
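The timestamp validity test mentioned above, as an added example (not code from the chapter): row timestamps are checked against each other, against the acquisition time, and against the database's own audit log, so that an update with no corresponding audit entry, or one dated before the row existed, is flagged for the examiner. It runs on an in-memory SQLite database; the table names, column names and rows are constructed.

```python
# Added example: plausibility tests on row timestamps. Schema and rows are
# constructed; the same queries apply to any relational store with an audit table.
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_db():
    """Constructed evidence copy: a customer table plus the native audit log
    of updates. Rows 2 and 3 have been tampered with out of band."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer(id INTEGER PRIMARY KEY, name TEXT,
                              created_at TEXT, updated_at TEXT);
        CREATE TABLE audit_log(row_id INTEGER, changed_at TEXT, db_user TEXT);
        INSERT INTO customer VALUES
          (1, 'alice', '2010-01-05 09:00:00', '2010-02-01 14:30:00'),
          (2, 'bob',   '2010-01-06 09:00:00', '2009-12-31 23:59:00'),
          (3, 'carol', '2010-01-07 09:00:00', '2010-03-20 08:00:00'),
          (4, 'dave',  '2010-01-08 09:00:00', '2010-02-02 10:00:00'),
          (5, 'erin',  '2010-01-09 09:00:00', '2010-01-09 09:00:00');
        INSERT INTO audit_log VALUES
          (1, '2010-02-01 14:30:00', 'app_svc'),
          (4, '2010-02-02 10:00:00', 'app_svc');
    """)
    return conn


def timestamp_anomalies(conn, as_of):
    """Return [(row_id, reason)] for rows whose timestamps are not plausible.

    `as_of` is the acquisition time (string in FMT or datetime). A row whose
    updated_at equals created_at was never updated and needs no audit entry.
    """
    if isinstance(as_of, str):
        as_of = datetime.strptime(as_of, FMT)
    cur = conn.execute("""
        SELECT c.id, c.created_at, c.updated_at,
               EXISTS(SELECT 1 FROM audit_log a
                      WHERE a.row_id = c.id AND a.changed_at = c.updated_at)
        FROM customer c ORDER BY c.id""")
    findings = []
    for row_id, created, updated, audited in cur:
        created_dt = datetime.strptime(created, FMT)
        updated_dt = datetime.strptime(updated, FMT)
        if updated_dt < created_dt:
            findings.append((row_id, "updated_at precedes created_at"))
        elif updated_dt > as_of:
            findings.append((row_id, "updated_at is later than acquisition time"))
        if not audited and updated_dt != created_dt:
            findings.append((row_id, "update has no matching audit_log entry"))
    return findings


if __name__ == "__main__":
    for row_id, reason in timestamp_anomalies(build_sample_db(), "2010-03-01 00:00:00"):
        print(f"row {row_id}: {reason}")
```

The cross-check against the audit log is the decisive one: a timestamp that is internally consistent but unaccompanied by any recorded change is exactly the trace a direct edit of the data files would leave.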


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A Multi-Factored Security Model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
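The two environmental factors named in the example above (source network and time of day), evaluated before a privileged operation is allowed, as an added example that is not code from the chapter or from any database product. The corporate address ranges, the business-hours window, the list of operations treated as privileged and the sample requests are all constructed assumptions.

```python
# Added example: environmental rule check for privileged database operations.
# Networks, hours, privileged-operation list and requests are constructed.
import ipaddress
from datetime import datetime, time

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))          # Monday to Friday
PRIVILEGED_OPS = {"ALTER", "DROP", "GRANT", "TRUNCATE"}


def rule_decision(op, src_ip, when, nets=CORPORATE_NETS, hours=BUSINESS_HOURS):
    """Return (allowed, reasons) for one request.

    Ordinary statements are not restricted by these rules. A privileged
    statement must originate inside a corporate network and fall within
    business hours on a weekday; every failing factor is reported so the
    denial can be audited. `when` is a datetime or an ISO-8601 string.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if op.upper() not in PRIVILEGED_OPS:
        return True, []
    reasons = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in nets):
        reasons.append(f"source {src_ip} is outside the corporate networks")
    in_window = hours[0] <= when.time() < hours[1] and when.weekday() < 5
    if not in_window:
        reasons.append(f"{when:%Y-%m-%d %H:%M} is outside business hours")
    return not reasons, reasons


# Constructed requests: (operation, source address, time of request)
SAMPLE_REQUESTS = [
    ("SELECT", "203.0.113.5", "2010-03-13T02:00"),   # ordinary query, unrestricted
    ("DROP",   "10.1.2.3",    "2010-03-12T10:00"),   # inside, Friday morning
    ("DROP",   "203.0.113.5", "2010-03-12T23:00"),   # outside, late at night
    ("alter",  "192.168.4.4", "2010-03-13T10:00"),   # inside, but Saturday
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reasons = rule_decision(*req)
        print(req, "ALLOW" if allowed else "DENY", reasons)
```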

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control, auditing, authentication, encryption, and integrity controls.

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects listed in the Table link. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
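One way the designated security system can later show that an exported audit trail was not modified, as an added example that is not code from the chapter: each record is stored with a digest covering the record and the previous digest (a hash chain, a standard integrity technique introduced here for illustration, not something the text prescribes). The record format and the sample records are constructed.

```python
# Added example: hash-chained export of native audit records, so that any
# alteration, removal or reordering after export is detectable. Record format
# and sample records are constructed.
import hashlib
import json

SEED = b"audit-chain-v1"  # constructed chain label; the first link hashes this


def _digest(prev_hex, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hex) + payload).hexdigest()


def chain_records(records, seed=SEED):
    """Return [{'record', 'prev', 'digest'}] where each digest covers the
    record and the previous digest, so a change anywhere breaks every later link."""
    prev = hashlib.sha256(seed).hexdigest()
    chained = []
    for rec in records:
        digest = _digest(prev, rec)
        chained.append({"record": rec, "prev": prev, "digest": digest})
        prev = digest
    return chained


def verify_chain(chained, seed=SEED):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first entry whose link or digest does not match."""
    prev = hashlib.sha256(seed).hexdigest()
    for i, entry in enumerate(chained):
        if entry["prev"] != prev or entry["digest"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["digest"]
    return True, None


# Constructed native-audit records as they might be extracted from a database.
SAMPLE_AUDIT = [
    {"ts": "2010-03-12 10:00:01", "user": "dba1", "action": "GRANT", "object": "hr.salaries"},
    {"ts": "2010-03-12 10:02:17", "user": "app_svc", "action": "UPDATE", "object": "hr.employees"},
    {"ts": "2010-03-12 10:05:40", "user": "dba1", "action": "DELETE", "object": "audit.trail"},
]

if __name__ == "__main__":
    chained = chain_records(SAMPLE_AUDIT)
    print("export intact:", verify_chain(chained))
    chained[2]["record"]["action"] = "SELECT"   # simulate an after-the-fact edit
    print("after tampering:", verify_chain(chained))
```

The chain only proves that nothing changed after the digest was computed, so the digests must be produced on, or immediately on receipt by, the system the administrators cannot reach; a chain the DBA can recompute proves nothing.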

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication for the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing for SQL Injection Vulnerabilities

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
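To show concretely what the manual test above exercises and why the parameter-checking and parameterisation advice fixes it, here is an added example (not part of the chapter or the article it excerpts) that rebuilds the directory lookup against an in-memory SQLite table: the probe URL from the text, the string-built query it produces, and a parameterised query beside it. The table rows, the second probe aimed at the real table, and the name-validation pattern are constructed for this example.

```python
"""Added example (not from the chapter): the section 3.17 probe URL run
against a constructed SQLite 'directory' table, with the vulnerable
string-built query beside the parameterised fix the section recommends."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The URLs from the text. %3e is '>', %3d is '=', '+' is a space.
BENIGN_URL = "http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike"
PROBE_URL = ("http://myfakewebsite.com/directory.asp?lastname=chapple"
             "&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1")
# Constructed variant: the same probe aimed at a table that does exist, so the
# OR '1'='1' tautology is what the database actually evaluates.
TAUTOLOGY_URL = PROBE_URL.replace("from+fake", "from+directory")

# Constructed parameter check (the first mitigation listed): a name may contain
# letters, spaces, hyphens and apostrophes (O'Brien), nothing resembling SQL.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def make_directory():
    """Constructed sample data standing in for the real directory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    con.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                    [("chapple", "mike", "555-0100"), ("smith", "jane", "555-0199")])
    return con


def params_from_url(url):
    """Decode the query string the way the web server hands it to the page."""
    query = parse_qs(urlsplit(url).query)
    return query["lastname"][0], query["firstname"][0]


def build_vulnerable_sql(url):
    """The pattern the text describes: the decoded input is pasted into SQL."""
    lastname, firstname = params_from_url(url)
    return (f"SELECT phone FROM directory WHERE lastname = '{lastname}' "
            f"and firstname = '{firstname}'")


def lookup_vulnerable(con, url):
    """Executes the string-built query. A database error naming the
    non-existent table is the injectable-page signal from section 3.17.3."""
    try:
        return [row[0] for row in con.execute(build_vulnerable_sql(url))]
    except sqlite3.OperationalError as exc:   # SQLite's 'Invalid object name'
        return f"DB ERROR: {exc}"


def lookup_parameterised(con, url):
    """Parameterised query: the driver sends the input as a value, never as SQL,
    so quotes and keywords inside the name are just characters to match."""
    lastname, firstname = params_from_url(url)
    rows = con.execute("SELECT phone FROM directory WHERE lastname = ? AND firstname = ?",
                       (lastname, firstname))
    return [row[0] for row in rows]


def name_is_well_formed(value):
    """Defence in depth: reject input that cannot be a name before any query runs.
    This complements parameterisation; it is not a substitute for it."""
    return bool(NAME_RE.match(value))
```

Note that the "well-behaved" quote-stripping the text describes would also mangle legitimate names such as O'Brien; the parameterised query handles them correctly.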

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSF (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' or prepaid phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. The cyber criminals of today are sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and by legitimate companies alike. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based component technology that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is abused by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people.

Illegally using someone else's computer or "posing" as someone else on the Internet.

Using spyware to gather information about people.

Emails requesting money in return for "small deposits".

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.

Using someone else's computer to access personal information with the intent to use it fraudulently.

Using the computer to solicit minors into sexual alliances.

Violating copyright laws by copying information with the intent to sell it, like DVDs or CDs.

Hacking into computer systems to gather large amounts of information for illegal purposes.

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather involve the manipulation of confidential data and critical information. Computer crimes include software theft, wherein the privacy of the users is compromised. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communications of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.

Documenting the date and time associated with computer files when the computer was taken into evidence.

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area; file slack is a good source for investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
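The hashing, timestamp-documentation and keyword-list steps above, as an added example that is not the chapter's own procedure or tooling: a constructed miniature disk image is written to a temporary directory, hashed into a manifest, re-verified after a simulated alteration, and scanned at the byte level so that a keyword sitting in slack or unallocated space is found. The image contents, file names and examiner name are placeholders made up for the example.

```python
"""Added example (not the chapter's own procedure): the 'authenticate data
mathematically' and 'keyword list' steps of section 3.21 on a constructed
miniature disk image. Everything here (paths, contents, examiner) is made up."""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def make_manifest(paths, examiner):
    """Record what was seized: the hash plus the timestamps the OS held at
    seizure, which the chapter says must be documented before analysis."""
    files = []
    for path in paths:
        st = os.stat(path)
        files.append({"name": os.path.basename(path), "sha256": sha256_file(path),
                      "size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime})
    return {"examiner": examiner, "recorded_at": time.time(), "files": files}


def verify_manifest(manifest, directory):
    """Names whose hash no longer matches the manifest (empty list = intact)."""
    altered = []
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            altered.append(entry["name"])
    return altered


def keyword_hits(image_path, keywords, chunk=1 << 20):
    """Byte-level search across the whole image, so text sitting in file slack
    or unallocated space is found as well. Reads in chunks with an overlap of
    (longest keyword - 1) bytes so a hit straddling a chunk boundary is kept,
    and skips hits that lie entirely inside the overlap (already reported)."""
    needles = [kw.encode() for kw in keywords]
    if not needles:
        return []
    overlap = max(len(n) for n in needles) - 1
    hits, consumed, tail = [], 0, b""
    with open(image_path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block
            base = consumed - len(tail)          # file offset of buf[0]
            for needle in needles:
                start = 0
                while (pos := buf.find(needle, start)) != -1:
                    if pos + len(needle) > len(tail):
                        hits.append((needle.decode(), base + pos))
                    start = pos + 1
            consumed += len(block)
            tail = buf[-overlap:] if overlap else b""
    return sorted(hits, key=lambda h: h[1])


def run_demo():
    """Constructed walk-through: acquire, hash, document, tamper, re-verify, search."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    image = os.path.join(workdir, "disk0.dd")
    with open(image, "wb") as f:   # zero bytes stand in for unallocated clusters
        f.write(b"\x00" * 100 + b"transfer to offshore" + b"\x00" * 50 + b"deleted offshore note")
    manifest_path = os.path.join(workdir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(make_manifest([image], examiner="EXAMINER-PLACEHOLDER"), f, indent=2)
    with open(manifest_path) as f:
        manifest = json.load(f)
    intact = verify_manifest(manifest, workdir)
    with open(image, "r+b") as f:  # a single byte altered after seizure
        f.write(b"\x01")
    return {"image": image,
            "intact": intact,
            "altered": verify_manifest(manifest, workdir),
            "hits": keyword_hits(image, ["offshore", "wire"], chunk=115)}
```

The small chunk size in run_demo deliberately puts the first keyword across a chunk boundary, which is the case a naive per-chunk search misses.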

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.

Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works

Figure 3.10 Windows 2008 Server Advanced Firewall MMC, new rule button

Select that you want to create a rule for a port. Configure protocol and port number: take the default of TCP and enter the port number as 80, and click Next. Take the default of "allow this connection" and click Next. Take the default of applying this rule to all profiles and click Next. Give the rule a name and click Finish.

At this point you should have a rule that looks like this:

Figure 3.11 Windows 2008 Server Advanced Firewall MMC, after rule was created

I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule it works great.

3.10.7 Basic Firewall Configuration in Linux OS

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection. During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium or no security level, as well as to allow specific devices, incoming services and ports. These levels are based on the GNOME Lokkit firewall configuration application. After installation, you can change the security level of your system by using GNOME Lokkit. GNOME Lokkit allows you to configure firewall settings for an average user by constructing basic ipchains networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes them for you in the file /etc/sysconfig/ipchains.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security: This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

311 Network Forensics________________________________ (httpsearchsecuritytechtargetcomsDefinition0sid14_gci85957900html)

Network forensics is the capturing recording and analysis of network events in order to discover the source of security attacks or other problem incidents According to Simson Garfinkel author of several books on security network forensics systems can be one of two kinds

Catch-it-as-you-can systems in which all packets passing through certain traffic point are captured and written to storage with analysis being done subsequently in batch mode This approach requires large amounts of storage usually involving a RAID system

Stop look and listen systems in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis This approach requires less storage but may require a faster processor to keep up with incoming traffic

Both approaches require significant storage and the need for occasional erasing of old data to make room for new The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis One concern with the catch-it-as-you-can approach is one of privacy since all packet information (including user data) is captured Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission for limited operations monitoring or under a court order The US FBIs Carnivore is a controversial example of a network forensics tool Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs) (httpwwworeillynetcomlpta1733)

All Rights Reserved wwwsedulitygroupscom 25

3.12 Build a Monitoring Workstation

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can determine the effect of the operating system on overall capture efficiency. Once the best operating system has been found, swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason is that no process can dominate both processors at the same time, so one processor ends up doing packet capture and the other ends up doing analysis.
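The analysis package described above, which reads back a capture of individually serialized packets and reports the percentage of dropped packets and the longest run of consecutive drops, is small enough to show in full. The following is an added example written for this chapter, not code from the original text or from Sandstorm; it works on the list of sequence numbers recovered from a dump file (the extraction of those numbers from pcap frames is assumed to have been done already), and the sample data is constructed.

```python
"""Added example: capture-loss analysis for a serialized-packet test run.

Given the sequence numbers that actually reached the dump file, report how
many of the expected frames were captured, the dropped percentage and the
longest run of consecutive missing frames.  Sample data is constructed.
"""
from typing import Iterable


def capture_loss(seen: Iterable[int], first: int, last: int) -> dict:
    """Summarise loss for a capture that should hold sequence numbers
    first..last inclusive.

    Duplicate frames (written twice) are counted once; numbers outside the
    expected range are reported separately rather than counted as captured.
    """
    expected = range(first, last + 1)
    seen_set = set(seen)
    in_range = {s for s in seen_set if first <= s <= last}
    out_of_range = len(seen_set) - len(in_range)

    sent = len(expected)
    captured = len(in_range)
    dropped = sent - captured

    # Longest run of consecutive sequence numbers that never made it to disk.
    longest = current = 0
    for seq in expected:
        if seq in in_range:
            current = 0
        else:
            current += 1
            longest = max(longest, current)

    return {
        "sent": sent,
        "captured": captured,
        "dropped": dropped,
        "dropped_pct": round(100.0 * dropped / sent, 2) if sent else 0.0,
        "longest_drop_run": longest,
        "out_of_range": out_of_range,
    }


# Constructed sample: 20 frames sent; frames 5, 6, 7 and 12 never reached
# disk, and frame 3 was written twice.
SAMPLE_SEEN = [1, 2, 3, 3, 4, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20]

if __name__ == "__main__":
    print(capture_loss(SAMPLE_SEEN, 1, 20))
```

Running the same function over dumps taken at increasing generator rates, with the operating system or adapter swapped between runs, gives the comparison the text describes; the longest-run figure matters because a burst of consecutive losses usually points at a buffer overrun rather than random drops.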


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
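Two ideas from the preceding sections can be shown in a few dozen lines: the "stop, look and listen" reduction of 3.11, which keeps only per-connection summaries (the traffic-analysis view of 3.13: who talked to whom, when, and how much, with no content retained), and the keyword-based minimization used in the Harvard case, which retains content only for connections containing a given string. The code below is an added example for this chapter, not code from the original text, from I-Watch or from any product; the packet records, addresses and payloads are constructed, and "sni256" is used only because it is the keyword the text names.

```python
"""Added example: a minimal 'stop, look and listen' reducer with
keyword-based minimisation.  All packet records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # capture time, seconds since epoch (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def conn_key(p: Packet):
    """Direction-independent connection key, so both halves of a TCP
    conversation land in the same flow record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def summarize_flows(packets):
    """Traffic-analysis view: per-connection counts and timing, no content.
    This is the 'selected information' a stop-look-and-listen system writes
    to disk instead of the packets themselves."""
    flows = {}
    for p in packets:
        k = conn_key(p)
        f = flows.setdefault(k, Flow(first=p.ts, last=p.ts))
        f.first = min(f.first, p.ts)
        f.last = max(f.last, p.ts)
        f.packets += 1
        f.octets += len(p.payload)
    return flows


def retain_by_keyword(packets, keyword: bytes):
    """Minimisation: keep payload only for connections whose reassembled
    content contains `keyword`.  Matching is per connection, as in the
    I-Watch description, so an unrelated connection that happens to carry
    the keyword is also retained (the text notes this happened twice)."""
    content = defaultdict(bytearray)
    for p in packets:
        content[conn_key(p)].extend(p.payload)
    return {k: bytes(v) for k, v in content.items() if keyword in v}


# Constructed sample traffic: one telnet-style session that mentions the
# keyword and one ordinary HTTP exchange that does not.
SAMPLE = [
    Packet(100.0, "10.0.0.5", 40000, "192.0.2.10", 23, b"login: "),
    Packet(100.5, "192.0.2.10", 23, "10.0.0.5", 40000, b"ls -l sni256\n"),
    Packet(101.0, "10.0.0.5", 40001, "192.0.2.20", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet(101.2, "192.0.2.20", 80, "10.0.0.5", 40001, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    for key, flow in summarize_flows(SAMPLE).items():
        print(key, flow)
    print("retained:", list(retain_by_keyword(SAMPLE, b"sni256")))
```

The flow table is what a defender can keep indefinitely with little privacy exposure; the keyword filter is the part a warrant's minimization clause constrains, and it is worth noticing that the filter operates on reassembled connection content, not on single packets, since a keyword split across two segments would otherwise be missed.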


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they can't eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or a court has authorized the intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a great deal about the nature of the traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
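WELF (WebTrends Enhanced Log Format), mentioned above as the preferred export format, is a line-oriented format of space-separated key=value pairs in which values containing spaces are double-quoted. The bandwidth roll-up that 3.14.1 describes needs nothing more than a parser for that format and a few aggregations. The code below is an added example written for this chapter, not code from Firewall Analyzer or from the original text; the field names used (id, time, fw, pri, rule, proto, src, dst, sent, rcvd, msg) are standard WELF fields, the log lines are constructed, and treating the fw field as the identity of the reporting firewall is this example's choice.

```python
"""Added example: parse WELF firewall records and roll up bandwidth and
denied traffic.  The log lines are constructed for illustration.
"""
import shlex
from collections import defaultdict


def parse_welf_line(line: str) -> dict:
    """Split one WELF record into a dict.  shlex honours the double quotes
    around values such as msg="Denied by default policy"; the byte
    counters sent/rcvd are converted to integers."""
    rec = {}
    for token in shlex.split(line, posix=True):
        if "=" not in token:
            raise ValueError(f"not a key=value pair: {token!r}")
        key, value = token.split("=", 1)
        if key in ("sent", "rcvd"):
            value = int(value)
        rec[key] = value
    return rec


def parse_welf(text: str) -> list:
    return [parse_welf_line(line) for line in text.splitlines() if line.strip()]


def bandwidth_by_firewall(records) -> dict:
    """Total bytes (sent + rcvd) per reporting firewall: the figure used
    for capacity planning across firewalls."""
    totals = defaultdict(int)
    for r in records:
        totals[r["fw"]] += r.get("sent", 0) + r.get("rcvd", 0)
    return dict(totals)


def top_talkers(records, n: int = 3) -> list:
    """Internal hosts ranked by total bytes moved through the firewalls."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r.get("sent", 0) + r.get("rcvd", 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def denied_by_rule(records) -> dict:
    """Count of records whose message reports a denial, grouped by rule.
    WELF has no standard action field, so the message text is used here."""
    counts = defaultdict(int)
    for r in records:
        if "denied" in r.get("msg", "").lower():
            counts[r.get("rule", "?")] += 1
    return dict(counts)


# Constructed sample log: two firewalls, three internal hosts, one denial.
SAMPLE_LOG = """\
id=firewall time="2011-03-12 09:01:02" fw=fw-edge-1 pri=6 rule=10 proto=http src=10.1.1.5 dst=203.0.113.7 sent=1200 rcvd=48000 msg="Allowed HTTP"
id=firewall time="2011-03-12 09:01:05" fw=fw-edge-1 pri=6 rule=10 proto=http src=10.1.1.9 dst=203.0.113.8 sent=800 rcvd=2000 msg="Allowed HTTP"
id=firewall time="2011-03-12 09:01:09" fw=fw-edge-1 pri=4 rule=99 proto=tcp/445 src=10.1.1.5 dst=198.51.100.3 sent=0 rcvd=0 msg="Denied by default policy"
id=firewall time="2011-03-12 09:02:00" fw=fw-dc-2 pri=6 rule=22 proto=smtp src=10.2.0.4 dst=203.0.113.25 sent=65000 rcvd=900 msg="Allowed SMTP"
"""

if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    print(bandwidth_by_firewall(recs))
    print(top_talkers(recs))
    print(denied_by_rule(recs))
```

A real deployment would read the records from the syslog listener rather than a string and would key the firewall on its source address as well as the fw field, but the parsing and aggregation are exactly this.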

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles to a file and save it; importing that file restores the profiles. This comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp
3. Email Examiner
4. Encase
5. Guidance Software
6. Paraben Corp
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other Security Policies and Management

Security and Privacy Software; Software and Web Development; Threats and Attacks; information security

3.16 Database Forensics

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A Multi-Factored Security Model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.
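The four mechanisms of 3.16.1 to 3.16.5 (realms, rules, roles and system policies) are easiest to understand as a decision layered on top of ordinary role grants: a request that the database would already allow is narrowed further by realm membership, environmental rules and schema policy. The following is an added example written for this chapter, not code from the original text or from any database vendor's product; the realm, role names, network range, business hours and accepted authentication mode are constructed, and a production implementation would of course live inside the database engine rather than in application code.

```python
"""Added example: a toy policy engine for the realms / rules / roles /
system-policies model.  All names, networks and hours are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    user: str
    role: str          # ordinary database role already granted to the user
    operation: str     # select, update, delete, export, alter_table, ...
    obj: str           # fully qualified object, e.g. HR.EMPLOYEES
    client_ip: str
    when: datetime
    auth_mode: str     # password, kerberos, ...


# Realm (3.16.2): a protection zone around a set of objects and the roles
# admitted to it.  A DBA's system privileges do not admit them.
REALMS = {
    "HR_REALM": {"objects": {"HR.EMPLOYEES", "HR.SALARIES"}, "roles": {"hr_app"}},
}
# Rules (3.16.3): environmental factors for privileged operations.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59 local time
STRONG_AUTH = {"kerberos"}
# Roles (3.16.4) and system policy (3.16.5): schema changes inside a realm
# are reserved for the security administrator.
SECURITY_ADMINS = {"secadmin"}
SCHEMA_OPS = {"alter_table", "drop_table", "alter_schema"}
PRIVILEGED_DATA_OPS = {"update", "delete", "export"}

T_WORK = datetime(2011, 3, 14, 10, 30)   # constructed timestamps for the demo
T_NIGHT = datetime(2011, 3, 14, 2, 15)


def realm_of(obj: str):
    for name, realm in REALMS.items():
        if obj in realm["objects"]:
            return name
    return None


def rule_violations(req: Request) -> list:
    """Return the environmental factors that fail for this request."""
    failed = []
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in net for net in CORP_NETS):
        failed.append("client outside corporate intranet")
    if req.when.hour not in BUSINESS_HOURS:
        failed.append("outside business hours")
    if req.auth_mode not in STRONG_AUTH:
        failed.append(f"authentication mode {req.auth_mode} not accepted")
    return failed


def authorize(req: Request) -> tuple:
    """Return (allowed, reason).  Assumes the ordinary role grant has
    already been checked by the database; this layer only narrows it."""
    realm = realm_of(req.obj)
    if realm is None:
        return True, "object not in a protected realm; ordinary grants apply"
    if req.operation in SCHEMA_OPS:
        if req.role not in SECURITY_ADMINS:
            return False, f"schema change in {realm} reserved for security administrator"
        failed = rule_violations(req)
        return (not failed), ("schema change permitted" if not failed else "; ".join(failed))
    if req.role not in REALMS[realm]["roles"]:
        return False, f"role {req.role} not admitted to {realm}"
    if req.operation in PRIVILEGED_DATA_OPS:
        failed = rule_violations(req)
        if failed:
            return False, "; ".join(failed)
    return True, f"{req.operation} on {req.obj} permitted within {realm}"


def demo() -> dict:
    """Decisions for a set of constructed requests, keyed by scenario."""
    cases = {
        "dba_reads_salaries":      Request("dana", "dba", "select", "HR.SALARIES", "10.1.2.3", T_WORK, "kerberos"),
        "dba_reads_unprotected":   Request("dana", "dba", "select", "SALES.ORDERS", "10.1.2.3", T_WORK, "password"),
        "hr_app_reads_remote":     Request("hrsvc", "hr_app", "select", "HR.EMPLOYEES", "203.0.113.9", T_NIGHT, "password"),
        "hr_app_exports_remote":   Request("hrsvc", "hr_app", "export", "HR.EMPLOYEES", "203.0.113.9", T_NIGHT, "password"),
        "hr_app_exports_onsite":   Request("hrsvc", "hr_app", "export", "HR.EMPLOYEES", "10.1.2.3", T_WORK, "kerberos"),
        "dba_alters_hr_table":     Request("dana", "dba", "alter_table", "HR.EMPLOYEES", "10.1.2.3", T_WORK, "kerberos"),
        "secadmin_alters_onsite":  Request("sam", "secadmin", "alter_table", "HR.EMPLOYEES", "10.1.2.3", T_WORK, "kerberos"),
        "secadmin_alters_at_night": Request("sam", "secadmin", "alter_table", "HR.EMPLOYEES", "10.1.2.3", T_NIGHT, "kerberos"),
    }
    return {name: authorize(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The order of the checks matters: the realm test comes before the environmental rules so that a DBA reading personnel records is refused for the right reason (not admitted to the realm) rather than being let through because the request happened to come from the intranet during office hours.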

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables and other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
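The two forensic checks this section and the opening of 3.16 describe, testing row update timestamps for validity and comparing the data against the native audit trail, can be carried out with plain SQL. The following is an added example written for this chapter, not code from the original text or from any database product; it uses Python's standard sqlite3 module with a constructed schema, a trigger standing in for the platform's native audit, and constructed rows. For the example to run stand-alone the audit table lives in the same database; in practice, as the text says, the extracted audit trail should sit on a system the DBAs cannot reach.

```python
"""Added example: validate row timestamps against a native audit trail.
Schema, trigger and rows are constructed for illustration.
"""
import sqlite3

TABLES = """
CREATE TABLE employees (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    salary     INTEGER NOT NULL,
    created_at TEXT NOT NULL,   -- ISO-8601 text compares chronologically
    updated_at TEXT NOT NULL
);
CREATE TABLE employees_audit (
    audit_id   INTEGER PRIMARY KEY,
    emp_id     INTEGER NOT NULL,
    old_salary INTEGER,
    new_salary INTEGER,
    changed_at TEXT NOT NULL
);
"""

# Stand-in for native audit (3.16.9): the engine records every salary change.
AUDIT_TRIGGER = """
CREATE TRIGGER trg_employees_audit AFTER UPDATE OF salary ON employees
BEGIN
    INSERT INTO employees_audit (emp_id, old_salary, new_salary, changed_at)
    VALUES (NEW.id, OLD.salary, NEW.salary, datetime('now'));
END;
"""


def build_sample_db(tamper: bool = True) -> sqlite3.Connection:
    """Constructed data set.  With tamper=True, employee 2 is inserted with
    an updated_at earlier than created_at, and employee 3 is changed while
    the audit trigger is dropped (a privileged user bypassing the trail)."""
    con = sqlite3.connect(":memory:")
    con.executescript(TABLES + AUDIT_TRIGGER)
    bob_updated = "2011-01-15 12:00:00" if tamper else "2011-02-01 09:00:00"
    con.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", 5000, "2011-01-10 09:00:00", "2011-01-10 09:00:00"),
            (2, "bob",   5200, "2011-02-01 09:00:00", bob_updated),
            (3, "carol", 4800, "2011-02-05 09:00:00", "2011-02-05 09:00:00"),
        ],
    )
    # Legitimate change through the normal path: the trigger fires.
    con.execute(
        "UPDATE employees SET salary = 5500, updated_at = '2011-03-01 10:00:00' WHERE id = 1"
    )
    if tamper:
        con.executescript("""
            DROP TRIGGER trg_employees_audit;
            UPDATE employees SET salary = 9900, updated_at = '2011-03-02 23:30:00' WHERE id = 3;
        """)
        con.executescript(AUDIT_TRIGGER)
    con.commit()
    return con


def find_anomalies(con: sqlite3.Connection) -> list:
    """Return (emp_id, finding) pairs for rows whose timestamps or values
    are inconsistent with each other or with the audit trail."""
    findings = []
    rows = con.execute(
        "SELECT id, name, salary, created_at, updated_at FROM employees"
    ).fetchall()
    for emp_id, _name, salary, created, updated in rows:
        if updated < created:
            findings.append((emp_id, "updated_at precedes created_at"))
        last_audit = con.execute(
            "SELECT new_salary FROM employees_audit WHERE emp_id = ? "
            "ORDER BY audit_id DESC LIMIT 1",
            (emp_id,),
        ).fetchone()
        if updated > created and last_audit is None:
            findings.append((emp_id, "row modified but no audit record"))
        elif last_audit is not None and last_audit[0] != salary:
            findings.append((emp_id, "current value differs from last audited value"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(build_sample_db()):
        print(finding)
```

The third check (current value differs from the last audited value) catches a direct modification made after a legitimate audited change; none of the three proves who made the change, but each gives the investigator a concrete row to pursue against login records and the extracted audit copy.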

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing for SQL Injection Vulnerabilities

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan, or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First a word of caution the tests I describe only look for basic SQL Injection flaws They wont detect advanced techniques and are somewhat tedious to use If you can afford it go with an automated scanner However if you cant handle that pricetag manual testing is a great first step The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that wont actually harm your database if they succeed but will provide you with evidence that you need to correct a problem For example suppose you had a simple web application that looks up an individual in a database and provides contact information as a result That page might use the following URL format httpmyfakewebsitecomdirectoryasplastname=chappleampfirstname=mike We can assume that this page performs a database lookup using a query similar to the following SELECT phone FROM directory WHERE lastname = chapple and firstname= mike Lets experiment with this a bit With our assumption above we can make a simple change to the URL that tests for SQL injection attacks httpmyfakewebsitecomdirectoryasplastname=chappleampfirstname=mike+AND+(select+count()+from+fake)+3e0+OR+13d1 If the web application hasnt been properly protected against SQL injection it simply plugs this fake first name into the SQL statement it executes against the database resulting in SELECT phone FROM directory WHERE lastname = chapple and firstname=mike AND (select count() from fake)gt 0 OR 1=1 Youll notice that the syntax above is a little different than that in the original URL I took the liberty of converting the URL-encoded variable for their ASCII equivalents to make it easier to follow the example For example 3d is the URL-encoding for the = character I also added some line breaks for similar purposes

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
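The browser probe and the first mitigation above, carried into working code as an added example (mine, not code from the page or from the author it quotes). It assumes a directory table with lastname, firstname and phone columns, held in an in-memory SQLite database standing in for the SQL Server behind directory.asp; the sample rows are constructed. The string-built lookup reproduces the flaw, the parameterized lookup is the fix, and probe_outcome classifies each the same way the text classifies the web page: by whether the non-existent 'fake' table ever reaches the database.

```python
import re
import sqlite3

# Constructed sample data, not from the page: a tiny version of the directory
# table the text assumes sits behind directory.asp.
SAMPLE_ROWS = [("chapple", "mike", "555-0100"), ("doe", "jane", "555-0199")]

# The page's probe: a quote closes the string literal, then a subquery against a
# table that does not exist. A vulnerable application hands this to the database
# verbatim and the database complains about the missing table.
FAKE_TABLE_PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def open_directory():
    """In-memory SQLite database standing in for the SQL Server in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, lastname, firstname):
    """The flawed pattern: user input pasted straight into the statement text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, lastname, firstname):
    """Hardened pattern: bound parameters, so quotes inside the input stay data."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe_outcome(conn, lookup):
    """Classify a lookup function the way the text classifies the web page.

    'vulnerable' if the probe reaches the database and produces an error (the
    'Invalid object name' case above; SQLite says 'no such table: fake'),
    'not vulnerable' if the probe is treated as an odd first name that matches
    nobody. Any rows coming back would mean the OR '1'='1' clause took effect.
    """
    try:
        rows = lookup(conn, "chapple", FAKE_TABLE_PROBE)
    except sqlite3.OperationalError:
        return "vulnerable"
    return "not vulnerable" if rows == [] else "vulnerable"


def parse_customer_number(raw):
    """Parameter check from the mitigation list: numeric input must be numeric.

    Accepting only decimal digits and converting to int means the value can
    never carry SQL text, whatever query is built with it afterwards.
    """
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("customer number must be numeric: %r" % raw)
    return int(raw)


if __name__ == "__main__":
    db = open_directory()
    print("string-built query:", probe_outcome(db, vulnerable_lookup))
    print("parameterized query:", probe_outcome(db, safe_lookup))
```

Running the module prints 'vulnerable' for the string-built query and 'not vulnerable' for the parameterized one. Note that the error itself is the signal the probe relies on, which is why detailed database errors should never reach end users even once the queries are parameterized.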

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is the cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new and, although proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phone, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud or Computer crime refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell it, such as DVDs and CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done, without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession
• Documenting the date and time associated with computer files when the computer was taken into evidence
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
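The mathematical authentication, timestamp documentation and keyword steps from the investigation procedure above, as an added example (mine, not code from the page). It assumes the bit-stream copy has already been made and that all work happens on the copy; SAMPLE_IMAGE is a constructed byte string standing in for that image, and the exhibit label and acquisition time given to image_manifest are placeholders. The keyword search covers both plain and UTF-16LE text because Windows writes much of its swap-file and unallocated-space text in the latter.

```python
import datetime
import hashlib
import os

# Constructed stand-in for a bit-stream image of a seized drive (not real
# evidence): fragments padded with zero bytes, one of them stored as UTF-16LE,
# the encoding a plain ASCII search would miss.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Invoice sent to accounts@example.invalid for wire transfer\x00"
    + b"\x00" * 32
    + "wire transfer".encode("utf-16-le")
    + b"\x00" * 16
)


def image_manifest(data, label, acquired_at):
    """Record what was seized and what it hashed to at acquisition time.

    MD5 is kept alongside SHA-256 because many existing tools and reports
    still quote it; verification relies on SHA-256. Size catches truncation.
    """
    return {
        "label": label,
        "acquired_at": acquired_at,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_image(data, manifest):
    """True only if the image is byte-for-byte what the manifest describes."""
    return (len(data) == manifest["size"]
            and hashlib.sha256(data).hexdigest() == manifest["sha256"])


def document_timestamps(path):
    """Access, modification and status-change times of a file, in UTC.

    Record these before any tool opens the file: merely reading it can
    update the access time on a live filesystem.
    """
    st = os.stat(path)
    utc = datetime.timezone.utc
    return {name: datetime.datetime.fromtimestamp(t, utc).isoformat()
            for name, t in (("atime", st.st_atime),
                            ("mtime", st.st_mtime),
                            ("ctime", st.st_ctime))}


def keyword_hits(data, keywords):
    """Byte offsets at which each keyword appears in the raw image.

    Case-insensitive; each keyword is searched in its plain byte form and as
    UTF-16LE. bytes.lower() only touches ASCII letters, so the null bytes of
    the UTF-16LE form are left intact and the lowered needle still matches.
    """
    lowered = data.lower()
    hits = {}
    for kw in keywords:
        needles = (kw.lower().encode("utf-8"), kw.lower().encode("utf-16-le"))
        offsets = []
        for needle in needles:
            pos = lowered.find(needle)
            while pos >= 0:
                offsets.append(pos)
                pos = lowered.find(needle, pos + 1)
        hits[kw] = sorted(offsets)
    return hits


if __name__ == "__main__":
    # Placeholder label and time; a real manifest records the exhibit number
    # and the clock reading at seizure.
    manifest = image_manifest(SAMPLE_IMAGE, "EXHIBIT-PLACEHOLDER-1 (drive image)",
                              "2000-01-01T00:00:00+00:00")
    print(manifest)
    print("intact:", verify_image(SAMPLE_IMAGE, manifest))
    print("tampered:", verify_image(SAMPLE_IMAGE[:-1] + b"\x01", manifest))
    print(keyword_hits(SAMPLE_IMAGE, ["wire transfer", "invoice", "bitcoin"]))
```

On the constructed image, "wire transfer" is found twice (once as plain text, once as UTF-16LE), "invoice" once, and a flipped final byte is enough for verify_image to report the copy as altered.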

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers.
• Install anti-viral software and spam-blocking programs on your computer and your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.



You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed, or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.

3.10.8 Basic

Figure 3.12 Basic

After starting the program, choose the appropriate security level for your system:

High Security — This option disables almost all network connections except DNS replies and DHCP, so that network interfaces can be activated. IRC, ICQ and other instant messaging services, as well as RealAudio, will not work without a proxy.

Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet and HTTP.

Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.


3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server — Choose this option if you want people to connect to a Web server, such as Apache, running on your system. You do not need to choose this option if you want to view pages on your own system or on other servers on the network.

Incoming Mail — Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell — Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet — Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.


Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

• Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

• Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is one of privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between different operating systems and hardware platforms, let's take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing will be more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
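The analysis package the passage describes, computing the percentage of dropped packets and the longest run of drops from the serial numbers recovered from a dump file, as an added example (mine, not Sandstorm's or the page's code). It assumes the generator numbered its packets 0 to N-1 and stamped each serial into the payload; the SEQ: lines in SAMPLE_DUMP are a constructed one-line-per-packet summary, not real tcpdump output. Duplicates and out-of-order arrivals, both of which a busy capture box produces, are handled rather than miscounted as drops.

```python
import re

# Constructed one-line-per-packet summary of a dump file (not real tcpdump
# output): the generator wrote its serial number into each payload as SEQ:<n>.
# Serial 5 was captured twice and serials 3, 4, 6, 7, 8 are missing.
SAMPLE_DUMP = """\
12:00:00.000101 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 SEQ:0
12:00:00.000212 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 512 SEQ:1
12:00:00.000330 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 1472 SEQ:2
12:00:00.000701 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 SEQ:5
12:00:00.000702 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 64 SEQ:5
12:00:00.001200 IP 10.0.0.1.5000 > 10.0.0.2.5000: UDP, length 256 SEQ:9
"""

SEQ_RE = re.compile(r"SEQ:(\d+)")


def extract_seqs(dump_text):
    """Serial numbers in capture order; duplicates and gaps are kept as they are."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(dump_text)]


def drop_stats(received, total_sent):
    """Drop percentage and longest run of consecutive drops for one capture run.

    `received` is the list of serials recovered from the dump, in any order;
    the generator sent serials 0 .. total_sent-1. A serial seen twice counts
    once, and serials outside the sent range (garbage, other traffic) are
    ignored rather than credited to the capture.
    """
    if total_sent <= 0:
        raise ValueError("total_sent must be positive")
    seen = {seq for seq in received if 0 <= seq < total_sent}
    dropped = total_sent - len(seen)

    # Longest gap: walk the serials in generator order, counting missing ones.
    longest = run = 0
    for seq in range(total_sent):
        if seq in seen:
            run = 0
        else:
            run += 1
            longest = max(longest, run)

    return {
        "sent": total_sent,
        "captured": len(seen),
        "dropped": dropped,
        "drop_pct": 100.0 * dropped / total_sent,
        "longest_drop_run": longest,
    }


if __name__ == "__main__":
    seqs = extract_seqs(SAMPLE_DUMP)
    print(drop_stats(seqs, total_sent=10))
```

The same two numbers computed for each operating system or Ethernet adapter, with everything else held constant, are the comparison the passage goes on to describe; the drop percentage tells you how much was lost overall, and the longest run tells you whether the losses came as scattered single packets or as a burst during which the capture box stalled.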


We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings. In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, D.C.) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information about the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
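To make the log format concrete, here is an added example (not Firewall Analyzer's own code) that parses WELF records, the key=value format named above, and produces the per-firewall and per-source bandwidth figures that section 3.14.1 describes. The log lines, addresses, rule numbers and byte counts are constructed for the example; the field names id, time, fw, rule, src, dst, sent, rcvd and msg follow the WELF convention.

```python
"""Parse firewall log lines in WebTrends Enhanced Log Format (WELF) and
summarise bandwidth per firewall and per source host, the kind of report
a log-analysis tool builds from logs a firewall exports."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log body. WELF records are space-separated key=value
# pairs; values containing spaces are double-quoted. Addresses, rule numbers
# and byte counts are made up for this example. The last line is deliberately
# not WELF so the parser's rejection path is exercised.
SAMPLE_WELF = """\
id=firewall time="2006-06-22 12:19:32" fw=192.0.2.1 pri=6 rule=2 proto=http src=192.168.1.10 dst=198.51.100.7 sent=512 rcvd=20480 msg="Allowed by rule 2"
id=firewall time="2006-06-22 12:19:40" fw=192.0.2.1 pri=6 rule=2 proto=https src=192.168.1.11 dst=198.51.100.9 sent=2048 rcvd=65536 msg="Allowed by rule 2"
id=firewall time="2006-06-22 12:20:05" fw=192.0.2.1 pri=4 rule=9 proto=tcp/445 src=203.0.113.5 dst=192.168.1.10 msg="Denied by rule 9"
id=firewall time="2006-06-22 12:21:17" fw=192.0.2.2 pri=6 rule=2 proto=http src=192.168.1.10 dst=198.51.100.7 sent=256 rcvd=8192 msg="Allowed by rule 2"
Jun 22 12:21:18 gw1 kernel: this line is plain syslog text, not WELF
"""

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces) or a run of non-space characters.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_welf_line(line):
    """Return the record's fields as a dict, or None if the line is not WELF.

    A record must carry at least id= and time=. The time is converted to a
    datetime, and the sent=/rcvd= byte counters to int (0 when absent, as is
    usual for denied connections that carried no data).
    """
    fields = {}
    for match in _PAIR.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    if "id" not in fields or "time" not in fields:
        return None
    try:
        fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    for counter in ("sent", "rcvd"):
        try:
            fields[counter] = int(fields.get(counter, 0))
        except ValueError:
            fields[counter] = 0
    return fields


def parse_welf(text):
    """Parse a whole log body, silently skipping lines that are not WELF."""
    records = []
    for line in text.splitlines():
        record = parse_welf_line(line)
        if record is not None:
            records.append(record)
    return records


def bytes_by_field(records, field):
    """Total bytes (sent + rcvd) grouped by a field such as 'fw' or 'src';
    this is the per-firewall / per-host bandwidth figure used for capacity
    planning."""
    totals = defaultdict(int)
    for record in records:
        totals[record.get(field, "?")] += record["sent"] + record["rcvd"]
    return dict(totals)


def hits_by_rule(records):
    """How often each firewall rule fired, allowed and denied alike."""
    counts = defaultdict(int)
    for record in records:
        counts[record.get("rule", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_WELF)
    print("parsed records:", len(recs))
    print("bytes per firewall:", bytes_by_field(recs, "fw"))
    print("bytes per source:", bytes_by_field(recs, "src"))
    print("hits per rule:", hits_by_rule(recs))
```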

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed, and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and later import the profiles to get them back. This comes in handy in exigencies such as moving the server to a different machine. You can also keep the exported profiles file as a backup.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp
3. Email Examiner
4. EnCase
5. Guidance Software
6. Paraben Corp
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other Security Policies and Management

Security and Privacy Software, Software and Web Development, Threats and Attacks, information security

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means the gathering and analyzing of data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate, within a protection zone, an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet, or when working outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control

Auditing

Authentication

Encryption

Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerabilities that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to public) on objects within the database. Database objects may include tables or other objects; the permissions granted for SQL language commands on those objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. Directly related to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.
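The row-timestamp check described at the start of section 3.16 and the exported native audit trail of section 3.16.9 combine into one post-incident procedure; the following is an added example (not from the chapter or any product) that reconciles the update timestamps on a sensitive table against an audit export held on a system the DBAs cannot write to. The table and column names, the accounts and the rows are all constructed for the example.

```python
"""Reconcile row update timestamps against an exported native audit trail.

A row is flagged when its timestamps are internally inconsistent (updated
before it was created) or when an update has no matching record in the
audit export, which points at a change made outside the audited path or at
an audit trail that was tampered with."""
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def make_sample_db():
    """Constructed evidence: a payroll table copied from the seized system and
    the audit export pulled from the separate security system."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE payroll (
        id INTEGER PRIMARY KEY, employee TEXT, salary INTEGER,
        created_at TEXT, updated_at TEXT, updated_by TEXT)""")
    con.execute("""CREATE TABLE audit_export (
        row_id INTEGER, changed_at TEXT, changed_by TEXT,
        old_salary INTEGER, new_salary INTEGER)""")
    # Row 1: legitimate update with a matching audit entry.
    # Row 2: never updated since insertion.
    # Row 3: changed by a DBA account at 02:30 with no audit record at all.
    # Row 4: updated_at is earlier than created_at (impossible history).
    con.executemany("INSERT INTO payroll VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "alice", 70000, "2010-01-04 09:00:00", "2010-06-01 10:15:00", "hr_app"),
        (2, "bob", 65000, "2010-01-04 09:00:00", "2010-01-04 09:00:00", "hr_app"),
        (3, "carol", 90000, "2010-01-04 09:00:00", "2010-08-20 02:30:00", "dba1"),
        (4, "dave", 60000, "2010-03-10 08:00:00", "2010-03-01 08:00:00", "hr_app"),
    ])
    con.executemany("INSERT INTO audit_export VALUES (?, ?, ?, ?, ?)", [
        (1, "2010-06-01 10:15:00", "hr_app", 62000, 70000),
    ])
    return con


def find_anomalies(con):
    """Return a sorted list of (row_id, reason) for rows whose recorded
    history the audit evidence does not support."""
    # Index the audit export by row: each entry is (when, who).
    audit = {}
    for row_id, changed_at, changed_by in con.execute(
            "SELECT row_id, changed_at, changed_by FROM audit_export"):
        audit.setdefault(row_id, []).append((changed_at, changed_by))

    anomalies = []
    for row_id, created_at, updated_at, updated_by in con.execute(
            "SELECT id, created_at, updated_at, updated_by FROM payroll"):
        created = datetime.strptime(created_at, FMT)
        updated = datetime.strptime(updated_at, FMT)
        if updated < created:
            anomalies.append((row_id, "updated_at precedes created_at"))
            continue
        if updated == created:
            continue  # never updated since insertion; nothing to reconcile
        # The last update must appear in the audit trail with the same
        # timestamp and the same acting account.
        if (updated_at, updated_by) not in audit.get(row_id, []):
            anomalies.append((row_id, "update at %s by %s has no audit record"
                              % (updated_at, updated_by)))
    return sorted(anomalies)


if __name__ == "__main__":
    for row_id, reason in find_anomalies(make_sample_db()):
        print("row %d: %s" % (row_id, reason))
```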

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued to the database. For an example, see the article "SQL Injection Attacks on Databases". In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step. The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
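As an added example (not from the article), here is the directory lookup of section 3.17.2 written the vulnerable way and with bound parameters, and the article's probe string run through both so the outcome can be classified the way section 3.17.3 does. It uses an in-memory SQLite database with constructed rows rather than the SQL Server backend of the article, so the exact error text differs, but the distinction (database error versus "no user found") is the same.

```python
"""The directory.asp lookup built two ways, then probed as in section 3.17."""
import sqlite3

# The probe from the article, URL-decoded. The leading quote closes the
# firstname literal, "fake" is a table that does not exist, and "OR 1=1" is
# always true; a backend that parses this as SQL reports a database error.
PROBE = "mike' AND (select count(*) from fake) > 0 OR 1=1"


def make_directory_db():
    """Constructed directory table matching the example URL's lookup."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    con.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("chapple", "mike", "555-0100"),
        ("smith", "jane", "555-0101"),
        ("jones", "bob", "555-0102"),
    ])
    return con


def lookup_vulnerable(con, lastname, firstname):
    """Mirrors an unprotected directory.asp: the query text is assembled from
    the raw parameters, so whatever the user typed is parsed as SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, lastname, firstname):
    """Same lookup with bound parameters: the values travel separately from
    the statement text, so the probe is compared as a (non-matching) name
    and never reaches the SQL parser."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in con.execute(sql, (lastname, firstname))]


def classify(lookup, con, lastname="chapple", firstname=PROBE):
    """Run the probe through a lookup function and classify the result:
      'database error' - the input reached the SQL parser (vulnerable);
      'no user found'  - the input was treated as data (well-behaved);
      'rows returned'  - the always-true clause widened the query (vulnerable).
    Returns (label, detail) where detail is the error text or the rows."""
    try:
        rows = lookup(con, lastname, firstname)
    except sqlite3.Error as exc:
        return "database error", str(exc)
    return ("rows returned" if rows else "no user found"), rows


if __name__ == "__main__":
    db = make_directory_db()
    print("normal lookup:", lookup_safe(db, "chapple", "mike"))
    print("vulnerable page:", classify(lookup_vulnerable, db))
    print("parameterised page:", classify(lookup_safe, db))
```

With the vulnerable lookup the trailing quote left over from the template makes SQLite reject the statement, which is the leaked-error signature the article tells you to look for; the parameterised lookup simply finds nobody with that name.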

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. Above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards, mainly MMC memory cards but not exclusively. Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem of 'Pay-As-You-Go / Prepaid' types of phone, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other such digital device is used for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. The cyber criminals of today are sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and by legitimate companies alike. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the Internet; this technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

- Sending hoax emails intended to scare people.
- Illegally using someone else's computer or "posing" as someone else on the Internet.
- Using spyware to gather information about people.
- Emails requesting money in return for "small deposits".
- Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.
- Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.
- Using someone else's computer to access personal information with the intent to use it fraudulently.
- Using the computer to solicit minors into sexual alliances.
- Violating copyright laws by copying information with the intent to sell it, such as DVDs and CDs.
- Hacking into computer systems to gather large amounts of information for illegal purposes.
- Hacking into or illegally using a computer to change information, such as grades, work reports, etc.
- Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather include the manipulation of confidential data and critical information. Computer crimes involve activities such as software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.

However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or of a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the computer or play games without proper authorization. This kind of behavior is in many instances not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

- Documenting the hardware configuration of the affected system.
- Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
- Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
- Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
- Documenting the date and time associated with computer files when the computer was taken into evidence.
- Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area; file slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
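The "authenticate data mathematically", "document the date and time of files" and "generate a keyword list" steps above, worked through as an added example (not part of the course material): every file in an acquired copy is hashed and time-stamped into a manifest, the manifest is re-checked later to prove nothing changed, and a case keyword list is run over the copy. The evidence tree, its file contents and the keywords are constructed inside a temporary directory for the demonstration.

```python
"""Evidence integrity manifest for an acquired copy of a suspect's files.

Added example, not course material. The evidence tree, its contents and the
keyword list below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream large images through the hash 1 MiB at a time


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file without loading it whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk the evidence tree; record hash, size and timestamps per file.

    Timestamps are captured at seizure time, as the investigation steps
    require, so later reviewers can tell what the file system said then.
    """
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "atime": st.st_atime,
        }
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the tree and report every deviation from the manifest.

    Returns {"modified": [...], "missing": [...], "added": [...]}; three
    empty lists is the proof that the copy is unchanged since seizure.
    """
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": []}
    for name, rec in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != rec["sha256"]:
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def keyword_hits(root: Path, keywords: list) -> dict:
    """Return {keyword: [files containing it]} for the case keyword list.

    A plain case-insensitive byte search, so it also sees text embedded in
    binary files; it does not decompress or decrypt anything.
    """
    hits = {k: [] for k in keywords}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes().lower()
        for k in keywords:
            if k.lower().encode() in data:
                hits[k].append(path.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Build a constructed evidence tree, manifest it, tamper, re-verify."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "docs").mkdir()
    (root / "docs" / "ledger.txt").write_text("transfer 4200 to account X\n")
    (root / "docs" / "notes.txt").write_text("meet at 9, bring the files\n")
    (root / "mail.eml").write_text("Subject: invoice\nwire the payment today\n")
    manifest = build_manifest(root)
    clean = verify_manifest(root, manifest)
    # Simulate a post-seizure alteration and a deleted file.
    (root / "docs" / "ledger.txt").write_text("transfer 42 to account X\n")
    (root / "mail.eml").unlink()
    tampered = verify_manifest(root, manifest)
    hits = keyword_hits(root, ["transfer", "invoice"])
    return {"clean": clean, "tampered": tampered, "hits": hits}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```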

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws governing it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

- Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number, or information about the people in your household.
- Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
- Do not open emails from strangers.
- Install anti-virus software and spam-blocking programs on your computer and in your email program.
- Don't download attachments from people you don't know.
- Teach your children about safe communication on the Internet to protect them from Internet predators.
- Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
- Never give your password to someone else.

3.10.9 Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.

Figure 3.13 Local Hosts

3.10.10 DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.

Figure 3.14 DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a Web server such as Apache running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session. If you disable remote access to your system, you will no longer be able to access it or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________
(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks -- ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data. How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384kbps DSL link, a 66MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, let's take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software -- either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, we will be able to determine the effects of different operating systems on overall capture efficiency. Once we have found the best operating system, we will be able to swap around Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations. The results of this testing are more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, we found that Intel's EtherExpress cards had the best packet capture performance. Finally, we found that FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.
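The analysis package the experiment above calls for, as an added example (not the article's or Sandstorm's own code): from the sequence numbers recovered out of a capture it computes the dropped-packet percentage and the longest run of consecutive drops, then ranks capture platforms. It assumes the packet generator stamps each frame with a 4-byte big-endian sequence number at the start of the payload (a constructed convention), and the three capture runs are constructed lists rather than real tcpdump or windump output.

```python
"""Capture-efficiency analysis for a serialized-packet test run.

Added example, not the article's own analysis package. The sequence-number
layout and the sample captures are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass


@dataclass
class CaptureStats:
    sent: int          # frames the generator transmitted, numbered 0..sent-1
    captured: int      # distinct sequence numbers present in the dump
    dropped: int       # sent - captured
    drop_pct: float    # dropped as a percentage of sent
    longest_run: int   # longest run of consecutive missing sequence numbers
    duplicates: int    # a sequence number recorded twice: capture artefact, not loss


def seq_from_payload(payload: bytes) -> int:
    """Recover the generator's sequence number (constructed layout: first
    four payload bytes, big-endian unsigned)."""
    if len(payload) < 4:
        raise ValueError("payload too short to carry a sequence number")
    return struct.unpack(">I", payload[:4])[0]


def analyse(seen: list, sent: int) -> CaptureStats:
    """Compare the sequence numbers found in a dump with what was sent.

    Walking the expected range in order is what lets us measure the longest
    gap: a burst of 50 consecutive drops hurts connection reassembly far
    more than 50 isolated drops, even though the percentage is identical.
    """
    if sent <= 0:
        raise ValueError("sent must be positive")
    unique = set(seen)
    if unique and (min(unique) < 0 or max(unique) >= sent):
        raise ValueError("sequence number outside the generator's range")
    longest = run = 0
    for seq in range(sent):
        if seq in unique:
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    dropped = sent - len(unique)
    return CaptureStats(
        sent=sent,
        captured=len(unique),
        dropped=dropped,
        drop_pct=100.0 * dropped / sent,
        longest_run=longest,
        duplicates=len(seen) - len(unique),
    )


def rank(results: dict) -> list:
    """Order named capture runs best-first: lowest drop rate, then shortest
    worst-case gap as the tie-breaker."""
    return sorted(results, key=lambda n: (results[n].drop_pct, results[n].longest_run))


def constructed_runs(sent: int = 1000) -> dict:
    """Three made-up captures of the same 1000-frame burst, one per platform.
    The gaps are invented to illustrate the metrics, not measured values."""
    def without(gaps):
        return [s for s in range(sent) if s not in gaps]

    return {
        "freebsd": analyse(without({17, 503}), sent),
        "linux": analyse(without({17, 18, 19, 700}), sent),
        "winnt": analyse(without(set(range(100, 150)) | set(range(900, 905))), sent),
    }


if __name__ == "__main__":
    runs = constructed_runs()
    for name in rank(runs):
        s = runs[name]
        print(f"{name:8s} drop={s.drop_pct:5.2f}%  longest_run={s.longest_run}")
```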

We could use the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the supported hardware or software of the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings. In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.

Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
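The keyword minimisation the I-Watch story above describes (and the warrant "minimization" restriction discussed later in this section), as an added example that is not I-Watch or any tool from the course material: connections are examined in memory and only those whose content contains a warrant keyword are retained, and a scope audit lists retained connections that did not come from a host named in the warrant, which is exactly the over-collection the paragraph above reports. Connections are assumed to be already reassembled into one record each (dump-file parsing is outside the snippet); the addresses and payloads are constructed.

```python
"""Keyword-minimised collection in the I-Watch style.

Added example, not the I-Watch program. Connection records below are
constructed; in practice they would come from a reassembly step over a dump.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str        # client address (constructed values below)
    dst: str        # server address
    payload: bytes  # reassembled application data for the whole connection


@dataclass
class MinimisationResult:
    seen: int        # connections examined in memory
    retained: list   # Connection objects that would be written to storage
    hits: dict       # keyword -> number of retained connections matching it


def minimise(connections, keywords) -> MinimisationResult:
    """Keep only connections containing a warrant keyword (case-insensitive).

    Everything else is discarded before it reaches disk: the collection is
    limited to what the warrant specifies rather than to everything seen.
    """
    lowered = [k.lower().encode() for k in keywords]
    retained, hits = [], {k: 0 for k in keywords}
    for conn in connections:
        body = conn.payload.lower()
        matched = False
        for k, kb in zip(keywords, lowered):
            if kb in body:
                hits[k] += 1
                matched = True
        if matched:
            retained.append(conn)
    return MinimisationResult(len(connections), retained, hits)


def outside_scope(result: MinimisationResult, warrant_hosts) -> list:
    """Retained connections whose source is not a host named in the warrant.

    A keyword filter cannot tell an attacker's traffic from a legitimate
    user who happens to mention the same word, so a post-capture scope review
    is needed to find and handle over-collected connections.
    """
    return [c for c in result.retained if c.src not in set(warrant_hosts)]


# Constructed sample: one suspect host (10.1.1.7) and several unrelated users.
SAMPLE = [
    Connection("10.1.1.5", "192.0.2.10", b"USER alice\r\nPASS ****\r\n"),
    Connection("10.1.1.7", "192.0.2.20", b"GET /tools/sni256.tar HTTP/1.0\r\n"),
    Connection("10.1.1.9", "192.0.2.30", b"Subject: lecture notes\r\nsee chapter 4\r\n"),
    Connection("10.1.1.7", "192.0.2.40", b"mkdir .x && cd .x && tar xf SNI256.tar\r\n"),
    Connection("10.1.1.12", "192.0.2.50", b"Re: did you read that sni256 advisory?\r\n"),
]


def demo() -> tuple:
    """Run the sample through the filter and the scope audit."""
    result = minimise(SAMPLE, ["sni256"])
    over = outside_scope(result, ["10.1.1.7"])
    return result, over


if __name__ == "__main__":
    result, over = demo()
    print(f"examined {result.seen}, retained {len(result.retained)}, hits {result.hits}")
    for c in over:
        print("outside warrant scope:", c.src, "->", c.dst)
```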

Ultimately the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges Most system administrators regard being able to read peoples email and look into their files more as an unwanted responsibility than a right It is a necessary capability that occasionally needs to be used but generally administrators have better things to do than to nose around through other peoples business And while there are exceptions generally people who abuse positions of trust do not retain those positions

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from within Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import the saved profiles to get them back. This comes in handy in exigencies such as moving the server to a different machine. You can also keep the exported profiles file.
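As an added example (not from the Firewall Analyzer product or this chapter's author), a small parser for the WELF records that 3.14.2 mentions, aggregating bytes per source and pulling out refused connections; the sample records are constructed, and treating a msg that starts with "Deny" as a refusal is an assumption, since WELF itself defines no verdict field.

```python
import shlex
from collections import defaultdict

# Constructed sample of WELF (WebTrends Enhanced Log Format) records, the
# key=value export format named in 3.14.2.  The addresses are documentation
# ranges and the records are made up for this example, not real traffic.
SAMPLE_WELF = """\
id=firewall time="2004-01-22 14:13:52" fw=192.0.2.1 pri=6 rule=2 proto=http src=10.0.0.5 dst=203.0.113.10 sent=512 rcvd=48210 msg="Accept"
id=firewall time="2004-01-22 14:13:55" fw=192.0.2.1 pri=6 rule=2 proto=https src=10.0.0.5 dst=203.0.113.11 sent=1024 rcvd=20480 msg="Accept"
id=firewall time="2004-01-22 14:14:01" fw=192.0.2.1 pri=4 rule=9 proto=23/tcp src=198.51.100.7 dst=10.0.0.20 msg="Deny: telnet inbound"
id=firewall time="2004-01-22 14:14:03" fw=192.0.2.1 pri=6 rule=3 proto=smtp src=10.0.0.8 dst=203.0.113.25 sent=4096 rcvd=256 msg="Accept"
this line is not a WELF record and must be skipped
"""

# WELF requires these four fields on every record.
REQUIRED = {"id", "time", "fw", "pri"}


def parse_welf_line(line: str) -> dict:
    """Split one record into a dict.  Values may be double-quoted and contain
    spaces, so shlex is used rather than a plain split on whitespace.
    Returns {} for text that carries no key=value pair or is unbalanced."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # e.g. an unclosed quote in a truncated line
        return {}
    record = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def parse_welf(text: str) -> list:
    """Parse a block of WELF text, keeping only well-formed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_welf_line(line)
        if REQUIRED.issubset(rec):
            records.append(rec)
    return records


def bandwidth_by_source(records: list) -> dict:
    """Bytes per source address (sent + rcvd): the per-host view of the
    bandwidth usage that 3.14.1 says the logs make plannable."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec.get("src", "?")] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
    return dict(totals)


def denied_connections(records: list) -> list:
    """Records the firewall refused.  WELF defines no verdict field; the
    assumed (vendor-specific) convention here is a msg beginning with "Deny"."""
    return [r for r in records if r.get("msg", "").startswith("Deny")]


def summarise(text: str) -> dict:
    recs = parse_welf(text)
    return {
        "records": len(recs),
        "bytes_by_src": bandwidth_by_source(recs),
        "denied": [(r["src"], r["dst"], r.get("proto", "?"), r["msg"])
                   for r in denied_connections(recs)],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_WELF).items():
        print(f"{key}: {value}")
```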


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors tagged on that page: Forensic ToolKit, AccessData Corp, Email Examiner, Encase, Guidance Software, Paraben Corp, ProDiscover, Sleuth Kit, Technology Pathways, dtSearch, dtSearch Corp.

Related topics tagged there: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, Access and Physical Security, Cyberterrorism, Data Protection, Other Security Policies and Management, Security and Privacy Software, Software and Web Development, Threats and Attacks, information security.

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization, putting information at risk. The big challenge for companies today -- particularly as email and the Internet make sharing and distributing corporate information easier than ever -- is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control

Auditing

Authentication

Encryption

Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
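To make the baseline idea in the activity-monitoring paragraph concrete, an added example (not from any product the chapter names): statements are reduced to a shape with literals removed, a per-user set of shapes is learned from a constructed sample of captured SQL, and live statements outside that set are flagged. The user names, statements and table names are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of captured SQL activity as (database user, statement).
# BASELINE_LOG stands for the learning period, LIVE_LOG for later traffic.
BASELINE_LOG = [
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'"),
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'smith' AND firstname = 'jane'"),
    ("app_user", "UPDATE employee SET salary = 5500 WHERE id = 1"),
    ("report_user", "SELECT count(*) FROM employee WHERE created_at > '2024-01-01'"),
]
LIVE_LOG = [
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'doe' AND firstname = 'john'"),
    ("app_user", "SELECT name, salary FROM employee"),
    ("report_user", "DROP TABLE employee_audit"),
    ("app_user", "SELECT phone FROM directory WHERE lastname = 'chapple' "
                 "AND firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1'"),
]


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: string and numeric literals become
    '?', whitespace and case are normalised.  Queries that differ only in
    their parameter values therefore share one fingerprint."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)       # quoted string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)   # numeric literals
    return re.sub(r"\s+", " ", shape).strip().upper()


def build_baseline(log) -> dict:
    """Statement shapes observed per user during the learning period."""
    baseline = defaultdict(set)
    for user, sql in log:
        baseline[user].add(fingerprint(sql))
    return dict(baseline)


def detect_anomalies(baseline: dict, log) -> list:
    """Live statements whose shape this user never produced before (an
    unknown user has an empty baseline, so everything of theirs is flagged).
    Returns (user, fingerprint, original statement) triples."""
    flagged = []
    for user, sql in log:
        fp = fingerprint(sql)
        if fp not in baseline.get(user, set()):
            flagged.append((user, fp, sql))
    return flagged


if __name__ == "__main__":
    for user, fp, sql in detect_anomalies(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(f"{user}: {fp}\n    <- {sql}")
```

The first live statement matches a learned shape and passes; the new SELECT, the DROP and the injected lookup are each reported because their shape was never seen for that user.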


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
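An added example (not from this chapter's sources) tying together the row-timestamp validity test from the start of 3.16 and the native audit trail of 3.16.9: a constructed SQLite database with a trigger-fed audit table, three simulated events including one where an audit entry is deleted to hide a change, and the checks an examiner would run over it. The table names and the use of sqlite_sequence to detect removed audit rows are specific to this example.

```python
import sqlite3


def build_evidence_db() -> sqlite3.Connection:
    """Constructed sample: an employee table with creation/update timestamps
    and a native audit trail written by a trigger, then three events."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (
            id         INTEGER PRIMARY KEY,
            name       TEXT    NOT NULL,
            salary     INTEGER NOT NULL,
            created_at TEXT    NOT NULL,  -- ISO-8601 text sorts chronologically
            updated_at TEXT    NOT NULL
        );
        -- AUTOINCREMENT matters here: SQLite then never reuses a deleted
        -- audit_id, so a gap in the sequence is evidence of a removed entry.
        CREATE TABLE employee_audit (
            audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
            emp_id     INTEGER NOT NULL,
            old_salary INTEGER NOT NULL,
            new_salary INTEGER NOT NULL,
            changed_at TEXT    NOT NULL
        );
        CREATE TRIGGER audit_salary AFTER UPDATE OF salary ON employee
        BEGIN
            INSERT INTO employee_audit (emp_id, old_salary, new_salary, changed_at)
            VALUES (NEW.id, OLD.salary, NEW.salary, NEW.updated_at);
        END;
        INSERT INTO employee VALUES
            (1, 'alice', 5000, '2024-01-10T09:00:00', '2024-01-10T09:00:00'),
            (2, 'bob',   5200, '2024-01-10T09:00:00', '2024-01-10T09:00:00'),
            (3, 'carol', 4800, '2024-01-10T09:00:00', '2024-01-10T09:00:00');
    """)
    # Event 1: a legitimate change through the application; the trigger logs it.
    con.execute("UPDATE employee SET salary = 5500, updated_at = ? WHERE id = 1",
                ("2024-02-01T10:15:00",))
    # Event 2: simulated misuse by an account with direct table access: the
    # salary is raised and the audit entry the trigger wrote is then deleted.
    con.execute("UPDATE employee SET salary = 9000, updated_at = ? WHERE id = 2",
                ("2024-02-03T22:40:00",))
    con.execute("DELETE FROM employee_audit WHERE emp_id = 2")
    # Event 3: simulated backdating of a row's update time to before it existed.
    con.execute("UPDATE employee SET updated_at = '2023-12-31T08:00:00' WHERE id = 3")
    con.commit()
    return con


def find_invalid_timestamps(con) -> list:
    """Rows updated before they were created cannot be genuine (the
    timestamp validity test described at the start of 3.16)."""
    rows = con.execute(
        "SELECT id FROM employee WHERE updated_at < created_at ORDER BY id")
    return [r[0] for r in rows]


def find_unaudited_changes(con) -> list:
    """Rows that claim an update (updated_at differs from created_at) but have
    no audit entry carrying that change time."""
    rows = con.execute("""
        SELECT e.id FROM employee e
        WHERE e.updated_at <> e.created_at
          AND NOT EXISTS (SELECT 1 FROM employee_audit a
                          WHERE a.emp_id = e.id AND a.changed_at = e.updated_at)
        ORDER BY e.id""")
    return [r[0] for r in rows]


def find_audit_gaps(con) -> list:
    """audit_ids that were issued (per sqlite_sequence) but no longer exist:
    the trail was edited after the fact."""
    row = con.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'employee_audit'").fetchone()
    issued = set(range(1, (row[0] if row else 0) + 1))
    present = {r[0] for r in con.execute("SELECT audit_id FROM employee_audit")}
    return sorted(issued - present)


def forensic_report(con) -> dict:
    return {
        "invalid_timestamps": find_invalid_timestamps(con),
        "unaudited_changes": find_unaudited_changes(con),
        "audit_gaps": find_audit_gaps(con),
    }


if __name__ == "__main__":
    print(forensic_report(build_evidence_db()))
    # {'invalid_timestamps': [3], 'unaudited_changes': [2, 3], 'audit_gaps': [2]}
```

Note that the backdated row 3 is caught by both the timestamp and the audit check, while the deleted audit entry for row 2 is visible only because the sequence counter remembers it was issued; a trail kept on a separate system, as the paragraph recommends, would preserve the entry itself.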

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.

/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
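An added example (not from the article quoted above): the directory lookup rebuilt over SQLite with the vulnerable concatenation beside the parameterized form, plus the parameter check from the list above; the page's test value is fed to both so the difference in outcome is visible. Table contents and phone numbers are constructed.

```python
import re
import sqlite3

# The test value from 3.17.2 as the application receives it after URL
# decoding: the firstname parameter of the directory lookup.
TEST_FIRSTNAME = "mike' AND (select count(*) from fake) > 0 OR 1=1"


def build_directory() -> sqlite3.Connection:
    """Constructed sample standing in for the page's directory backend
    (SQLite here rather than SQL Server; names and numbers are made up)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT);
        INSERT INTO directory VALUES ('chapple', 'mike', '555-0100'),
                                     ('smith',   'jane', '555-0101');
    """)
    return con


def lookup_vulnerable(con, lastname: str, firstname: str) -> tuple:
    """The flaw under test: input spliced into the SQL text.  Mimics an
    application with detailed errors switched on, returning either
    ('ok', phones) or ('db-error', message) as the page describes."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname +
           "' and firstname = '" + firstname + "'")
    try:
        return ("ok", [row[0] for row in con.execute(sql)])
    except sqlite3.Error as exc:
        return ("db-error", str(exc))


def lookup_parameterized(con, lastname: str, firstname: str) -> tuple:
    """The fix: bound parameters keep the input as data, so TEST_FIRSTNAME is
    simply a first name nobody has and the query returns no rows."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return ("ok", [row[0] for row in con.execute(sql, (lastname, firstname))])


# Parameter checking from the remediation list: a name is letters, spaces
# and hyphens.  A real application would widen this (apostrophes occur in
# names) and still parameterize; validation is defence in depth only.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z -]{0,49}$")


def is_plausible_name(value: str) -> bool:
    return bool(NAME_RE.match(value))


def manual_injection_probe(con, lookup) -> bool:
    """The page's manual test, automated: submit the innocuous test value and
    report whether the application surfaced a database error."""
    status, _ = lookup(con, "chapple", TEST_FIRSTNAME)
    return status == "db-error"


if __name__ == "__main__":
    con = build_directory()
    print("vulnerable:    ", lookup_vulnerable(con, "chapple", TEST_FIRSTNAME))
    print("parameterized: ", lookup_parameterized(con, "chapple", TEST_FIRSTNAME))
    print("probe flags vulnerable lookup:", manual_injection_probe(con, lookup_vulnerable))
```

With the concatenated query the database rejects the malformed statement and the error text reaches the caller, which is exactly the signal the manual test looks for; the parameterized query returns an empty result and the probe stays quiet.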

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply by passing the mobile phone in question to a colleague or accomplice with a disregard for the law, the phone in question would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera -- an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer, with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information, such as DVDs and CDs, with the intent to sell it
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities that involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes do not necessarily involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They include software theft and other activities in which the privacy of users is compromised. These criminal activities involve the breach of human and information privacy as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.

However, such crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the spoofing of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy source. Phishing is carried out through emails or by luring users into entering personal information through fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or the Internet, or by means of removable devices such as USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information, and then harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done, through split lines, without you even knowing it. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes, happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the web or play games without proper authorization. This kind of behaviour is in many instances not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists and so on.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains the following members: the case supervisor, the interview team, the sketch and physical search team, the photo team, the technical evidence seizure team, the logging team, and the security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, the unused space between the end of a file's data and the end of its last allocated cluster. File slack is a good source of evidence when investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
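
The two steps above that lend themselves to code are authenticating the evidence mathematically and sweeping the disk for keywords. The following Python is an added example, not part of the chapter: it hashes an image file in chunks so that a custody record can later prove the bytes are unchanged, and it searches the raw bytes (ignoring file-system structure, so file slack and unallocated space are covered) for keywords in both ASCII and UTF-16LE. The "image" it builds is a constructed byte string, not a real file system, and the examiner name is a placeholder.

```python
"""Added example (not from the chapter): hash-based authentication of an
evidence image plus a raw keyword sweep that also reaches file slack and
unallocated space, since it ignores file-system structure entirely."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so images larger than RAM still work


def hash_image(path, algorithm="sha256"):
    """Hex digest of the whole image, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(path, examiner):
    """Custody record taken when the image is made; later checks compare against it."""
    return {
        "image": os.path.basename(path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hash_image(path),
    }


def verify_image(path, record):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_image(path) == record["sha256"]


def keyword_sweep(path, keywords, context=12):
    """Case-insensitive search of the raw bytes for each keyword, in both ASCII
    and UTF-16LE (the encoding Windows uses for many strings).  Returns
    (keyword, offset, encoding, surrounding bytes) tuples.  Reading the whole
    file is fine for a demo; a real image would be memory-mapped instead."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for kw in keywords:
        for enc, pat in (("ascii", kw.encode("ascii")),
                         ("utf-16le", kw.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pat), data, re.IGNORECASE):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append((kw, m.start(), enc, data[lo:hi]))
    return hits


def build_sample_image(path):
    """Constructed sample 'image' (not a real file system): an allocated file,
    slack bytes left over from an earlier file, and unallocated space holding
    a deleted UTF-16 document."""
    allocated = b"FILE:report.txt\x00Quarterly numbers look fine.\x00"
    slack = b"\x00" * 8 + b"old draft: transfer to acct 9" + b"\x00" * 8
    unallocated = (b"\x00" * 32
                   + "deleted memo: Wire $50k today".encode("utf-16-le")
                   + b"\x00" * 32)
    with open(path, "wb") as f:
        f.write(allocated + slack + unallocated)


def demo(workdir=None):
    """Acquire, verify, sweep, then show that a single changed byte breaks the
    custody hash.  Returns the observations so they can be checked."""
    workdir = workdir or tempfile.mkdtemp()
    img = os.path.join(workdir, "evidence.dd")
    build_sample_image(img)
    record = record_acquisition(img, examiner="examiner-name (placeholder)")
    verified_before = verify_image(img, record)
    hits = keyword_sweep(img, ["transfer", "wire", "report"])
    with open(img, "r+b") as f:      # simulate post-seizure tampering
        f.seek(0)
        f.write(b"f")
    return {
        "verified_before": verified_before,
        "verified_after": verify_image(img, record),
        "found": {(kw, enc) for kw, _, enc, _ in hits},
    }
```

Note that "wire" is only found because the sweep also tries UTF-16LE; a plain ASCII grep over the image would miss the deleted memo entirely. A keyword split across two non-adjacent clusters of a fragmented file is still missed by a raw sweep, which is why the chapter pairs it with file-system level examination of slack and unallocated space.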

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and to commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.

Figure 3.14: DHCP

3.10.11 Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted about the following services:

Web Server: Choose this option if you want people to connect to a web server, such as Apache, running on your system. You do not need to choose this option if you only want to view pages on your own system or on other servers on the network.

Incoming Mail: Choose this option if your system needs to accept incoming mail. You do not need this option if you retrieve email using IMAP, POP3 or fetchmail.

Secure Shell: Secure Shell, or SSH, is a suite of tools for logging into and executing commands on a remote machine over an encrypted connection. If you need to access your machine remotely through ssh, select this option.

Telnet: Telnet allows you to log into your machine remotely; however, it is not secure. It sends plain text (including passwords) over the network. It is recommended that you use SSH to log into your machine remotely. If you are required to have telnet access to your system, select this option.

3.10.12 Activating the Firewall

Clicking Finish on the Activate the Firewall page will write the firewall rules to /etc/sysconfig/ipchains and start the firewall by starting the ipchains service. It is highly recommended that you run GNOME Lokkit from the machine itself, not from a remote X session: if the new rules disable remote access to your system, you will no longer be able to reach it to disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

3.10.13 Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine. If you chose to enable mail services, then after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.14 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To manually start the service, use the command:

/sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command:

/sbin/chkconfig --level 345 ipchains on

3.11 Network Forensics________________________________

(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)

3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: either tcpdump on the UNIX systems or windump for Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can determine the effects of different operating systems on overall capture efficiency. Once the best operating system is found, Ethernet adapters can be swapped around and the second CPU disabled to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture while the other does analysis.
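
The analysis package described above reduces to two measurements over the serial numbers stamped into each generated packet: what fraction never reached disk, and the longest run of consecutive serials lost, which is the signature of a buffer overflowing under a burst. The Python below is an added example, not the test harness from the article: `drop_statistics` computes both figures from the sent and captured serial lists, and `simulate_capture` is a constructed toy model of a capture box (NIC buffer of a fixed number of slots, disk draining a fixed number of packets per tick) used only to produce realistic loss patterns offline. The platform parameters in `compare_platforms` are made up for the demonstration.

```python
"""Added example (not from the article): measuring capture loss from the
serial numbers the generator stamped into each packet, plus a toy model of a
capture box whose NIC buffer overflows when the disk cannot keep up."""
from collections import deque


def drop_statistics(sent_serials, received_serials):
    """Percentage of packets that never reached disk and the longest run of
    consecutive serials missing, which is what a burst of loss looks like."""
    received = set(received_serials)
    dropped = longest = run = 0
    for serial in sent_serials:
        if serial in received:
            run = 0
        else:
            dropped += 1
            run += 1
            longest = max(longest, run)
    pct = 100.0 * dropped / len(sent_serials) if sent_serials else 0.0
    return {"sent": len(sent_serials), "dropped": dropped,
            "dropped_pct": pct, "longest_drop_run": longest}


def simulate_capture(serials, buffer_slots, arrivals_per_tick, writes_per_tick):
    """Toy catch-it-as-you-can box (constructed model): each tick the NIC
    delivers arrivals_per_tick packets into a buffer of buffer_slots and the
    disk drains writes_per_tick of them.  A packet arriving at a full buffer is
    lost for good.  Returns the serials that made it to disk, in order."""
    queue = deque()
    captured = []
    i = 0
    while i < len(serials) or queue:
        for _ in range(arrivals_per_tick):
            if i >= len(serials):
                break
            if len(queue) < buffer_slots:
                queue.append(serials[i])
            i += 1
        for _ in range(writes_per_tick):
            if queue:
                captured.append(queue.popleft())
    return captured


def compare_platforms(n_packets=1000):
    """Same offered load (10 packets per tick) on two constructed platforms:
    a disk that keeps up (10 writes per tick, 64 buffer slots) and one that
    drains only 6 per tick behind a 16-slot buffer."""
    serials = list(range(n_packets))
    fast = drop_statistics(serials, simulate_capture(serials, 64, 10, 10))
    slow = drop_statistics(serials, simulate_capture(serials, 16, 10, 6))
    return {"fast": fast, "slow": slow}
```

On the slow platform the buffer fills within three ticks and then sheds four packets out of every ten, so the drop percentage settles near 39% and the longest run is exactly the per-tick overflow. The run length matters as much as the percentage: a 1% loss spread evenly leaves almost every TCP stream reconstructible, while the same 1% lost in one burst can remove an entire connection from the evidence.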

We used the results of this testing to choose the hardware configuration for the NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year, Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender, and by examining the flow of packets over time it is possible to infer when a person is working, who they are communicating with, what web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.

Using a network forensics tool, you can spy on people's email, learn passwords, determine web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject; you can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
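
The "stop, look and listen" approach from section 3.11 and the keyword minimization used at Harvard fit together naturally: reduce every packet to per-flow counters in memory (the traffic-analysis view), and keep actual payload only for connections that match the warrant keyword. The Python below is an added example, not I-Watch or any NFAT's code. It builds minimal IPv4/TCP packets with zeroed checksums (constructed samples, hosts in documentation address ranges), parses them back, and feeds them to a small monitor; the keyword `sni256` comes from the text, the three sample connections are made up.

```python
"""Added example (not from the article): a stop-look-and-listen style monitor
over constructed IPv4/TCP packets.  It keeps only per-flow counters for all
traffic, and retains payload solely for connections that match a keyword, the
minimisation idea described for the Harvard case."""
import socket
import struct
from collections import defaultdict


def build_ipv4_tcp(src, sport, dst, dport, payload):
    """Constructed packet: minimal IPv4 and TCP headers (no options, checksums
    zeroed, which is fine for parsing) followed by payload."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, payload) for a TCP packet, None otherwise."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    payload = pkt[ihl + (off >> 4) * 4:total_len]
    return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, payload


class StopLookListen:
    """Reduce every packet to flow counters in memory; keep bytes only for
    flows that (at some point) carried the keyword."""

    def __init__(self, keyword):
        self.keyword = keyword.lower().encode()
        self.flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
        self.retained = {}   # flow key -> payload bytes kept for the examiner

    def feed(self, pkt):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return
        src, sport, dst, dport, payload = parsed
        key = (src, sport, dst, dport)
        self.flows[key]["packets"] += 1
        self.flows[key]["bytes"] += len(pkt)
        # Per-segment match only: a keyword split across two segments is missed
        # unless the stream is reassembled first.
        if key in self.retained or self.keyword in payload.lower():
            self.retained[key] = self.retained.get(key, b"") + payload


def run_sample():
    """Three constructed connections: an ordinary web fetch, the intruder's
    session naming the tool, and a legitimate user who happens to mention it."""
    mon = StopLookListen("sni256")
    packets = [
        build_ipv4_tcp("192.0.2.10", 40001, "198.51.100.5", 80, b"GET / HTTP/1.0\r\n"),
        build_ipv4_tcp("192.0.2.10", 40001, "198.51.100.5", 80, b"Host: www\r\n\r\n"),
        build_ipv4_tcp("192.0.2.77", 51000, "203.0.113.9", 23, b"cd /tmp\r\n"),
        build_ipv4_tcp("192.0.2.77", 51000, "203.0.113.9", 23, b"uploading sni256\r\n"),
        build_ipv4_tcp("192.0.2.77", 51000, "203.0.113.9", 23, b"exit\r\n"),
        build_ipv4_tcp("192.0.2.31", 52000, "198.51.100.25", 25,
                       b"Subject: found sni256 on a lab box\r\n"),
    ]
    for pkt in packets:
        mon.feed(pkt)
    return {
        "flows": len(mon.flows),
        "retained": sorted(k[0] for k in mon.retained),
        "intruder_bytes": mon.retained.get(("192.0.2.77", 51000, "203.0.113.9", 23)),
    }
```

Two properties of the result are worth noticing. The legitimate user's mail flow is retained too, exactly the inadvertent capture the text reports, because a keyword filter cannot tell the intruder from someone discussing the intruder. And the intruder's first segment (`cd /tmp`) is lost, since payload before the first match was never written: minimization buys privacy at the price of incomplete evidence, so a real deployment would buffer a bounded window per flow or reassemble the stream before matching.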

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they can't eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information about the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.

Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
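
WELF (WebTrends Enhanced Log Format), mentioned above, is a line-oriented key=value format in which values containing spaces are double-quoted and the byte counters are carried in `rcvd` and `sent`. The Python below is an added example, not Firewall Analyzer code: it parses WELF-style lines and builds the kind of usage summary that section 3.14.1 describes (bytes per firewall, per source, per hour and per protocol, plus a count of events logged at warning severity or worse). The log lines are constructed samples; the treatment of `pri` as a syslog-style severity is an assumption about the sample, not a statement about any particular vendor.

```python
"""Added example (not Firewall Analyzer code): parse WELF-style key=value
firewall log lines and build the usage summaries such a product reports
(bytes per firewall, per source and per hour, plus severe events)."""
import re
from collections import Counter

# WELF records are "key=value" pairs; values with spaces are double-quoted.
WELF_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_welf(line):
    """Dict of fields, or None if the line is not a WELF record (id=firewall)."""
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in WELF_PAIR.findall(line)}
    return fields if fields.get("id") == "firewall" else None


def summarize(lines):
    """Aggregate traffic volume the way a bandwidth-planning report would."""
    per_fw, per_src, per_hour, per_proto = Counter(), Counter(), Counter(), Counter()
    severe = skipped = 0
    for line in lines:
        rec = parse_welf(line)
        if rec is None:
            skipped += 1          # e.g. a kernel/ipchains line mixed into the feed
            continue
        nbytes = int(rec.get("rcvd", 0)) + int(rec.get("sent", 0))
        per_fw[rec.get("fw", "?")] += nbytes
        per_src[rec.get("src", "?")] += nbytes
        per_hour[rec.get("time", "")[:13]] += nbytes   # "YYYY-MM-DD HH"
        per_proto[rec.get("proto", "?")] += nbytes
        # Assumption for this sample: pri is a syslog-style severity,
        # 0 (emergency) .. 7 (debug); 4 and below are worth a second look.
        if int(rec.get("pri", 7)) <= 4:
            severe += 1
    return {"per_fw": per_fw, "per_src": per_src, "per_hour": per_hour,
            "per_proto": per_proto, "severe": severe, "skipped": skipped,
            "top_talkers": per_src.most_common(3)}


# Constructed sample feed: four WELF records from two firewalls plus one
# unrelated syslog line that a real collector would also receive.
SAMPLE_LOG = [
    'id=firewall time="2002-05-06 13:20:44" fw=192.168.1.1 pri=6 rule=12 proto=http '
    'src=192.168.1.50 dst=203.0.113.10 rcvd=1500 sent=320 msg="allowed"',
    'id=firewall time="2002-05-06 13:41:02" fw=192.168.1.1 pri=6 rule=12 proto=http '
    'src=192.168.1.51 dst=203.0.113.11 rcvd=42000 sent=900 msg="allowed"',
    'id=firewall time="2002-05-06 14:05:10" fw=192.168.1.1 pri=4 rule=3 proto=smtp '
    'src=198.51.100.7 dst=192.168.1.25 rcvd=0 sent=0 msg="denied by rule 3"',
    'id=firewall time="2002-05-06 14:07:55" fw=10.0.0.1 pri=6 rule=12 proto=https '
    'src=192.168.1.50 dst=203.0.113.12 rcvd=8000 sent=2500 msg="allowed"',
    "May  6 14:08:00 fw1 kernel: ipchains: not a WELF record",
]


def demo():
    return summarize(SAMPLE_LOG)
```

Quoted values are the one place a naive `split("=")` parser breaks: a `msg="denied by rule 3"` field contains spaces, and a `time` value contains both a space and colons, so the regular expression handles the quoted form first. For a product that ingests many firewalls, the per-`fw` totals are what make the "bandwidth usage across the firewalls" view possible.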

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import them later to get the profiles back. This comes in handy in exigencies such as moving the server to a different machine. You can also keep the exported profiles file for safekeeping.

3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit
2. AccessData Corp.
3. Email Examiner
4. Encase
5. Guidance Software
6. Paraben Corp.
7. ProDiscover
8. Sleuth Kit
9. Technology Pathways
10. chain of custody
11. dtSearch
12. dtSearch Corp.
13. evidence
14. hash
15. incident investigation
16. intellectual property theft
17. legal team
18. network forensics
19. network penetration
20. Access and Physical Security
21. Cyberterrorism
22. Data Protection
23. Other Security Policies and Management

Security and Privacy Software, Software and Web Development, Threats and Attacks, information security

3.16 Database Forensics_______________________________

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of database, such as SQL Server and Oracle, has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
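
The two concrete techniques in the paragraph above, testing row update timestamps for validity and preserving a copy of the database as evidence, are shown in the following Python, an added example that is not part of the chapter. It uses SQLite only because it ships with Python; the schema, rows, audit log and acquisition time are all constructed. A row's `updated_at` is checked against its own `created_at`, against the time the database was acquired, and against the audit log that should record every change, which is how a forensic reviewer verifies "the actions of a database user" rather than trusting the row alone.

```python
"""Added example (not from the chapter): checking row timestamps in a database
against each other, against the acquisition time and against the audit log,
and preserving a hashed copy of the database for later presentation."""
import hashlib
import os
import sqlite3
import tempfile

ACQUIRED_AT = "2002-05-06 15:00:00"   # constructed acquisition time


def load_sample(conn):
    """Constructed data: one clean row and three that each violate one check."""
    conn.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER,
                              created_at TEXT, updated_at TEXT, updated_by TEXT);
        CREATE TABLE audit_log(row_id INTEGER, changed_at TEXT, changed_by TEXT);
        INSERT INTO accounts VALUES
          (1, 'alice', 100,  '2002-01-10 09:00:00', '2002-03-01 10:00:00', 'app'),
          (2, 'bob',   5000, '2002-02-02 08:30:00', '2002-01-15 12:00:00', 'dba'),
          (3, 'carol', 20,   '2002-04-04 11:00:00', '2002-05-07 02:00:00', 'dba'),
          (4, 'dave',  900,  '2002-04-20 14:00:00', '2002-05-01 16:00:00', 'dba');
        INSERT INTO audit_log VALUES
          (1, '2002-03-01 10:00:00', 'app'),
          (2, '2002-01-15 12:00:00', 'dba'),
          (3, '2002-05-07 02:00:00', 'dba');
    """)


def timestamp_anomalies(conn, acquired_at=ACQUIRED_AT):
    """ISO-8601 text timestamps sort correctly as strings, so plain
    comparisons are enough.  Returns (row id, description) findings."""
    findings = []
    rows = conn.execute(
        "SELECT id, created_at, updated_at FROM accounts ORDER BY id").fetchall()
    for rid, created, updated in rows:
        if updated < created:
            findings.append((rid, "updated before created"))
        if updated > acquired_at:
            findings.append((rid, "updated after acquisition"))
        matched = conn.execute(
            "SELECT COUNT(*) FROM audit_log WHERE row_id = ? AND changed_at = ?",
            (rid, updated)).fetchone()[0]
        if matched == 0:
            findings.append((rid, "no matching audit entry"))
    return findings


def preserve_copy(conn, path):
    """Write a consistent copy of the live database with SQLite's online
    backup API and return its SHA-256 for the custody record."""
    dest = sqlite3.connect(path)
    conn.backup(dest)
    dest.close()
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def demo(workdir=None):
    """Preserve first, analyse the copy, and confirm it agrees with the live
    database; the original is never modified by the examination."""
    workdir = workdir or tempfile.mkdtemp()
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    copy_path = os.path.join(workdir, "accounts-copy.db")
    digest = preserve_copy(conn, copy_path)
    copy_conn = sqlite3.connect(copy_path)
    findings_on_copy = timestamp_anomalies(copy_conn)
    copy_conn.close()
    return {"findings": findings_on_copy, "digest": digest,
            "copy_matches": findings_on_copy == timestamp_anomalies(conn)}
```

The "updated after acquisition" check is the one analysts most often forget: a row whose timestamp postdates the seizure either reflects a clock skew that must be documented or proves the data was touched after it came into custody. The audit-log cross-check catches the opposite problem, a change that the application never recorded, which in the insider scenario described above is typically a direct edit made with DBA privileges.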


For example, database users have traditionally been assigned a database administrator (DBA) role or granted multiple system privileges, and DBAs enjoy unbridled system access so that they can manage the company's IT infrastructure 24/7 and respond to emergencies. As companies consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer satisfies the need-to-know principle, nor does it meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. To help ensure the safety, integrity and privacy of corporate information, more companies are therefore pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, it is built on the defense-in-depth principle: multiple mechanisms augment the traditional user and role security model, so that controls, restrictions and boundaries are in place and even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale; at the same time, the information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information that is pertinent to their jobs, and companies can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs, using environmental or domain-specific decision factors such as IP addresses, time of day and authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet or outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information: organizations cannot control the security standards of external networks, so the best defense is to restrict sensitive traffic to pre-approved IP addresses. A rule keyed on source address is only as strong as the network it trusts, so it should complement authentication, not replace it.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employees' access to information matches their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.
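The realm, rule and role mechanisms above can be expressed as a single access decision. What follows is an added example written for this chapter, not code from the course and not any vendor's implementation: a toy policy check in Python in which the realm map, the role names, the 10.0.0.0/8 corporate range, the 08:00 to 18:00 business-hours window and the sample requests are all assumptions. Every denial names the mechanism that fired, which is what an auditor wants to see in the log.

```python
"""Added example, not from the course text: a toy access-decision function that
combines the realms, rules and roles described above into one check. The realm
map, role names, address ranges, business hours and sample requests are
assumptions made for this example."""
import ipaddress
from datetime import datetime, time

# Realms: each protected object belongs to exactly one protection zone (assumed layout).
REALMS = {
    "hr.employee_records": "HR",
    "hr.payroll": "HR",
    "sales.orders": "SALES",
}

# Roles: the realms a role may touch, and whether it may change the schema (DDL).
# The DBA is deliberately kept out of the HR realm; only the security
# administrator reaches every realm, and nobody but the DBA may run DDL.
ROLES = {
    "dba":            {"realms": {"SALES"}, "ddl": True},
    "security_admin": {"realms": {"HR", "SALES"}, "ddl": False},
    "hr_clerk":       {"realms": {"HR"}, "ddl": False},
}

# Rules: privileged operations only from the corporate network and in business hours.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = (time(8, 0), time(18, 0))
PRIVILEGED_OPS = {"ddl", "export"}


def check_access(role, obj, op, src_ip, when):
    """Decide one request. `when` is an ISO-8601 timestamp string.
    Returns (allowed, reason); every denial names the mechanism that fired."""
    realm = REALMS.get(obj)
    if realm is None:
        return False, f"realm: unknown object {obj}"
    perms = ROLES.get(role)
    if perms is None:
        return False, f"role: unknown role {role}"
    if realm not in perms["realms"]:
        return False, f"realm: role {role} has no access to realm {realm}"
    if op == "ddl" and not perms["ddl"]:
        return False, f"role: {role} may not change the schema"
    if op in PRIVILEGED_OPS:
        if ipaddress.ip_address(src_ip) not in CORPORATE_NET:
            return False, f"rule: {op} from outside the corporate network ({src_ip})"
        start, end = BUSINESS_HOURS
        t = datetime.fromisoformat(when).time()
        if not start <= t <= end:
            return False, f"rule: {op} outside business hours ({t:%H:%M})"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests: a DBA doing normal work, then straying into HR data,
    # exporting from an outside address, and running DDL at night.
    for req in [
        ("dba", "sales.orders", "ddl", "10.1.2.3", "2024-03-04T10:00"),
        ("dba", "hr.payroll", "read", "10.1.2.3", "2024-03-04T10:00"),
        ("dba", "sales.orders", "export", "203.0.113.7", "2024-03-04T10:00"),
        ("dba", "sales.orders", "ddl", "10.1.2.3", "2024-03-04T23:30"),
        ("hr_clerk", "hr.employee_records", "read", "203.0.113.7", "2024-03-04T23:30"),
    ]:
        allowed, why = check_access(*req)
        print("ALLOW" if allowed else "DENY ", *req[:3], "->", why)
```

The checks are ordered from coarsest to finest (realm, then role, then rule) so that the reason logged is the first boundary crossed; in a real deployment the decision would be enforced inside the database engine rather than in application code, where a DBA could bypass it.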

3.16.5 System Policies

The schema of a database defines the structure and the type of content that each data element within the structure can hold. Newer database security technologies let security administrators set restrictions that prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within the database system, the policy further supports the separation-of-duties principle: DBAs perform their database management duties while the security administrator protects the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. For that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defense an enterprise can deploy to protect itself and its reputation.

Database security is the set of systems, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment on the internal network rather than in a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security becomes more critical as networks become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of the controls in the layers mentioned above, along with known vulnerabilities in the database software itself. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of the permissions (especially those granted to PUBLIC) on objects within the database, that is, tables and other database objects. The permissions granted for SQL commands on those objects are considered in this process. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program: vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is a process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may affect the application software or the application server. Directly related to this topic is application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms. A single sign-on system stores the database users' credentials (login ID and password) and authenticates to the database on behalf of the user; such a credential store is itself a high-value target and must be protected at least as carefully as the databases behind it.

3.16.8 Activity Monitoring

Another, more sophisticated security layer is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a pattern of normal behavior against which anomalous activity that could indicate intrusion is detected. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some can also provide a degree of protection by terminating user sessions and/or quarantining users who demonstrate suspicious behavior.


3.16.9 Native Audit

In addition to external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This provides a degree of segregation of duties and may furnish evidence that the native audit trails were not modified by authenticated administrators. Generally, though, the native audit trails of databases do not provide sufficient controls to enforce separation of duties, so network-level and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.
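The extracted trail is only useful as evidence if it can be shown not to have been altered after extraction. As an added example, not part of the course text, the following Python chains each exported audit record to the previous one with SHA-256, so that modifying, deleting or reordering any entry in the exported copy is detected at verification time. The record field names and the sample records are constructed for the example.

```python
"""Added example, not from the course text: exporting native audit records to a
store the DBAs cannot write to, with each exported entry chained to the previous
one by SHA-256 so that later modification, deletion or reordering of the copy is
detectable. The record fields and the sample records are assumptions."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first link in a chain


def _link_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def export_audit_trail(records):
    """Wrap each native audit record with the hash of the previous exported entry."""
    chain, prev = [], GENESIS
    for rec in records:
        h = _link_hash(prev, rec)
        chain.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_audit_trail(chain):
    """Return (True, -1) if every link is intact, else (False, index of first bad link)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or _link_hash(prev, link["record"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    return True, -1


# Constructed sample of native audit records (not real data).
SAMPLE_AUDIT = [
    {"ts": "2024-03-04T09:12:01Z", "user": "dba1", "action": "SELECT", "object": "sales.orders"},
    {"ts": "2024-03-04T09:15:44Z", "user": "dba1", "action": "SELECT", "object": "hr.payroll"},
    {"ts": "2024-03-04T09:16:02Z", "user": "dba1", "action": "DELETE", "object": "sys.audit_trail"},
]


def tampered_copy(chain):
    """A DBA rewriting the exported copy to hide the payroll read."""
    altered = copy.deepcopy(chain)
    altered[1]["record"]["object"] = "sales.orders"
    return altered


if __name__ == "__main__":
    chain = export_audit_trail(SAMPLE_AUDIT)
    print("original :", verify_audit_trail(chain))
    print("tampered :", verify_audit_trail(tampered_copy(chain)))
    print("deleted  :", verify_audit_trail(chain[:1] + chain[2:]))
```

The chain detects changes inside the exported copy, but not silent truncation of the newest entries; the latest hash should therefore also be recorded somewhere the DBA cannot reach (for example, the security system's own log) after every export. Note too that this protects the copy only: the native trail on the database server remains modifiable by its administrators, which is exactly why the text above recommends host-based monitoring as well.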

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, an attacker manipulates a web application so that SQL commands of the attacker's choosing are injected into the statements the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow: + encodes a space, %3e is the URL encoding of the > character and %3d of the = character. The probe deliberately refers to a table named fake that does not exist, so if it reaches the database it produces an error rather than reading or changing any data; the trailing OR '1'='1 keeps the statement syntactically valid by consuming the closing quote that the application itself appends.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, it will strip out (or escape) the single quotes from the input before passing the query to the database. This simply results in a strange lookup for someone whose first name includes a bunch of SQL, and you'll see an error message from the application similar to the one below:

Error: No user found with name mike AND (select count(*) from fake) > 0 OR 1=1 Chapple

Stripping quotes happens to defeat this particular probe, but it is a weak defense; the reliable fix is to pass user input to the database as query parameters or through stored procedures so that it is never interpreted as SQL at all.

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection. (Load the same page with an ordinary, quote-free first name first, so that you do not mistake an unrelated server error for an injection result.) Some steps that you can take to protect your applications against SQL injection attacks include:

Implement input validation on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use parameterized queries or stored procedures (or similar techniques) so that user input reaches the database as data and is never concatenated into SQL text.
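The lookup page discussed above, as an added example that is not part of the original article: the same directory query built the vulnerable way (string concatenation) and the safe way (a parameterized query), run against an in-memory SQLite database so that it works offline. The rows are constructed, and the error text is SQLite's rather than SQL Server's, but the probe produces the same class of "no such table" error on the vulnerable path and is treated as a harmless literal on the safe one.

```python
"""Added example, not from the article: the directory lookup described above,
written once with string concatenation (vulnerable) and once with a
parameterized query (safe), run against an in-memory SQLite database so it
works offline. Table contents are constructed; the error text is SQLite's
rather than SQL Server's, but the probe behaves the same way."""
import sqlite3

# The innocuous probe from the text, URL-decoded. It names a table that does
# not exist, so if it reaches the database it raises an error instead of
# reading or changing real data.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("smith", "jane", "555-0101")])
    return conn


def vulnerable_lookup(conn, lastname, firstname):
    # Input pasted straight into the statement, exactly what the vulnerable page does.
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return conn.execute(sql).fetchall()


def safe_lookup(conn, lastname, firstname):
    # Placeholders: the driver passes the values separately; they can never become SQL.
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return conn.execute(sql, (lastname, firstname)).fetchall()


def probe_error(conn):
    """Run the probe through the vulnerable path; return the database error text, or None."""
    try:
        vulnerable_lookup(conn, "chapple", PROBE)
    except sqlite3.Error as e:
        return str(e)
    return None


if __name__ == "__main__":
    db = make_db()
    print("safe, probe      :", safe_lookup(db, "chapple", PROBE))   # [] - probe treated as a name
    print("vulnerable, probe:", probe_error(db))                     # no such table: fake
    # The same flaw without the harmless 'fake' table dumps every row.
    print("vulnerable, dump :", vulnerable_lookup(db, "chapple", "mike' OR '1'='1"))
```

The last line is why the flaw matters even when detailed errors are switched off: once the quote is unbalanced, `OR '1'='1'` turns a lookup of one person into a dump of the whole table, and the same account permissions that allow SELECT phone usually allow far more.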

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of the data found on the SIM/USIM, the phone body itself and any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner or lover has been cheating on them, by human resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they said they were at a given time. These are just a few of the hundreds of reasons why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call: where are you likely to record everything, and where will the records of wrongdoing be stored? Even people who do not record their own wrongdoing will usually tell at least someone. On a computer those records could be stored within a PST file (Microsoft Outlook personal storage file), an EDB file (Microsoft Exchange storage file), an NSF file (Lotus Notes), MSG files (Microsoft Outlook messages) and EML files (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the phone's own internal memory, or memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter (cell site) location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been accepted in a British court of law, that does not mean it is accepted throughout the world. There are, of course, downsides. Simply passing the phone in question to a colleague or accomplice means that the phone would be in another place at the time of a call and therefore not at the scene of the crime: cell site data locates the handset, not the person. There is also the problem of 'Pay-As-You-Go' or prepaid phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with time and date history, and produce it in a manner that will hold up in a court of law. Digital computer fraud is rampant, as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many kinds of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers, and also by some legitimate companies; once installed on a computer, it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in places such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware has typically got into systems by abusing a Microsoft technology known as ActiveX. ActiveX is not a language but a component technology that lets a web page run native code inside Internet Explorer, and many popular web pages relied on it for interactive content. When a cyber criminal delivers a malicious ActiveX control, or exploits a vulnerable one, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive; simply deleting files or formatting is not enough, because the data remains recoverable until it is overwritten. As the saying goes, one man's trash is another man's treasure. There are many legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others, however, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud, and at maximum people who steal information or other people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people
Illegally using someone else's computer, or "posing" as someone else on the Internet
Using spyware to gather information about people
Emails requesting money in return for "small deposits"
Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money
Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
Using someone else's computer to access personal information with the intent to use it fraudulently
Using the computer to solicit minors into sexual alliances
Violating copyright laws by copying material such as DVDs and CDs with the intent to sell it
Hacking into computer systems to gather large amounts of information for illegal purposes
Hacking into or illegally using a computer to change information such as grades, work reports, etc.
Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities that involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data or system interference. Computer crimes do not necessarily involve damage to physical property; rather, they involve the manipulation of confidential data and critical information. They include software theft and activities that breach the privacy of users, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crime involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, such crimes are sure to be curbed, for it is truth that always triumphs. Types of computer crime are as follows:

Hacking
The activity of breaking into a computer system to gain unauthorized access is known as hacking: defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with intent to gain access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the spoofing of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing
Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses
Computer viruses are computer programs that replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, over the network or the Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing and spreading computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites, gathering user information and then harassing the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity: the act of pretending to be someone else by using their identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft
Thieves can take your personal information by tapping into the phone line outside your house and running it directly into their own computer, often without your knowing, through split lines. Some thieves take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time
This is one of the most common computer crimes, happening all over the country: public and private employees who, on the taxpayer's or the company's time and money, surf the web or play games without proper authorization. In many instances this behavior is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft
This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to find out secret or personal information, by taking computer printouts, mailing lists, customer lists and so on.

Desktop Forgery
This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.2.1 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains the case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

1. Documenting the hardware configuration of the affected system.

2. Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

3. Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.

4. Authenticating the data mathematically on all storage devices (for example by computing and recording a cryptographic hash of each image) in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.

5. Documenting the date and time associated with computer files when the computer was taken into evidence.

6. Generating a list of keywords to facilitate the evaluation of data on a computer hard disk drive.


An important step in investigating a computer crime is to evaluate the Windows swap (page) file, which can contain fragments of memory that were never written to any ordinary file. The next step is to evaluate file slack, the unused space between the end of a file's data and the end of the last cluster allocated to it. File slack is a good source of evidence for crimes committed through the Internet, because it retains fragments of whatever previously occupied those clusters.

Evaluating unallocated space provides information about deleted files on the computer. Encrypted, compressed and graphic files cannot be searched by keyword in their stored form and should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
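The authentication and keyword steps above, as an added example written for this chapter and not part of the original course material: a small Python script that hashes an acquired bit-stream image in chunks, re-verifies it later, records file timestamps in UTC, and runs a case-insensitive keyword search over the raw image so that hits in file slack and unallocated space are found as well as hits in live files. The image it works on is a constructed two-sector sample written to a temporary file; the file contents and keywords are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


def build_sample_image(path=None):
    """Write a tiny constructed 'disk image' for the demonstration: one allocated
    sector holding a live file (zero-filled slack after its end), followed by one
    sector of unallocated space that still holds the content of a deleted file."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    live = b"INVOICE 4471 payable to ACME Ltd\n"
    deleted = b"run ./sni256 -i eth0 and send output to drop@example.invalid\n"
    with open(path, "wb") as f:
        f.write(live.ljust(SECTOR, b"\x00"))      # file data followed by file slack
        f.write(deleted.ljust(SECTOR, b"\x00"))   # unallocated space
    return path


def hash_image(path, algorithm="sha256", chunk=1 << 20):
    """Hash a bit-stream image in fixed-size chunks so multi-gigabyte images never
    have to be loaded into memory.  The hex digest is what goes into the evidence log."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_digest, algorithm="sha256"):
    """Re-hash the image and compare with the digest recorded at acquisition time."""
    return hash_image(path, algorithm) == expected_digest


def document_timestamps(path):
    """Record the modification/access/metadata-change times of a file in UTC."""
    st = os.stat(path)
    fields = (("modified", st.st_mtime), ("accessed", st.st_atime), ("changed", st.st_ctime))
    return {name: datetime.fromtimestamp(ts, timezone.utc).isoformat() for name, ts in fields}


def keyword_search(path, keywords, chunk=1 << 20):
    """Case-insensitive search of the raw image for each keyword; returns the byte
    offset of every hit.  Because the whole image is scanned rather than the file
    system, hits in file slack and unallocated space are found too.  The tail of
    each chunk is carried into the next so matches straddling a chunk boundary are
    not missed."""
    hits = {kw: [] for kw in keywords}
    needles = [(kw, kw.lower()) for kw in keywords]
    overlap = max(len(kw) for kw in keywords) - 1
    offset, carry = 0, b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            data = carry + block
            low = data.lower()
            base = offset - len(carry)
            for kw, needle in needles:
                pos = low.find(needle)
                while pos != -1:
                    absolute = base + pos
                    if absolute not in hits[kw]:       # the carry region may repeat a hit
                        hits[kw].append(absolute)
                    pos = low.find(needle, pos + 1)
            carry = data[-overlap:] if overlap > 0 else b""
            offset += len(block)
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    digest = hash_image(image)
    print("sha256:", digest)
    print("timestamps:", document_timestamps(image))
    print("keyword hits:", keyword_search(image, [b"Invoice", b"sni256"]))
    print("unaltered:", verify_image(image, digest))
```

Record the digest and the timestamps in the case notes at acquisition; the same `verify_image` call, run by a second examiner on the working copy, is the proof that nothing changed between seizure and analysis.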

3.2.2 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the e-mail scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to follow these rules when you are on the net:

Do not give personal information to anyone, or to any company you have never heard of before. This includes your full name, address, phone number, credit card number, social security number or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they are.

Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.

Do not download attachments from people you do not know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Do not keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.



Click Cancel if you do not want to write the firewall rules.

3.10.1.3 Mail Relay

A mail relay is a system that allows other systems to send e-mail through it. If your system is an open mail relay, someone can use it to send spam to others from your machine. If you chose to enable mail services, then after you click Finish on the Activate the Firewall page you will be prompted to check for mail relay. If you choose Yes, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

3.10.1.4 Activating the ipchains Service

The firewall rules will only be active if the ipchains service is running. To start the service manually, use the command /sbin/service ipchains restart

To ensure that it is started when the system is booted, issue the command /sbin/chkconfig --level 345 ipchains on (ipchains belongs to the Linux 2.2 kernel series; on 2.4 and later kernels the equivalent service is iptables).
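The relay test that Lokkit delegates to the MAPS site in 3.10.1.3 above can be reproduced locally. The following is an added example, not Lokkit's or MAPS's code: it performs the SMTP exchange a relay test consists of (greeting, HELO, MAIL FROM with an outside sender, RCPT TO with an outside recipient), reads the server's verdict on the recipient, and then aborts with RSET and QUIT so that no message is ever sent. The probe addresses, the HELO name and the scripted server used for offline testing are constructed for the example.

```python
import socket

# Constructed probe addresses: a sender and a recipient both foreign to the server
# under test, so accepting the recipient means the server relays for anyone.
PROBE_SENDER = b"relaytest@example.com"
PROBE_RCPT = b"relaytest@example.org"


def read_reply(conn):
    """Read one SMTP reply, including multi-line replies ("250-..." continues,
    "250 ..." ends), and return its numeric code."""
    while True:
        line = conn.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) < 4 or line[3:4] != b"-":
            return int(line[:3])


def relay_check(conn, helo_name=b"relaytest.example.com"):
    """Return True if the server accepts mail from an outside sender to an outside
    recipient (an open relay), False if it refuses.  The transaction is abandoned
    after RCPT TO with RSET/QUIT, so no message is sent."""
    if read_reply(conn) != 220:
        raise RuntimeError("no SMTP greeting")
    conn.write(b"HELO " + helo_name + b"\r\n")
    if read_reply(conn) != 250:
        raise RuntimeError("HELO rejected")
    conn.write(b"MAIL FROM:<" + PROBE_SENDER + b">\r\n")
    if read_reply(conn) != 250:
        conn.write(b"QUIT\r\n")
        return False                       # outside sender refused: not relaying for us
    conn.write(b"RCPT TO:<" + PROBE_RCPT + b">\r\n")
    relays = read_reply(conn) == 250       # 250 accepts the relay; 550/554 deny it
    conn.write(b"RSET\r\n")
    read_reply(conn)
    conn.write(b"QUIT\r\n")
    return relays


def check_host(host, port=25, timeout=10):
    """Run the check against a live server (not exercised by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return relay_check(sock.makefile("rwb", buffering=0))


class ScriptedSMTP:
    """Constructed stand-in for the server side of the conversation: answers each
    client command from a fixed script so the check can run offline."""

    def __init__(self, rcpt_reply):
        self.replies = {b"HELO": b"250 mail.example.net Hello\r\n",
                        b"MAIL": b"250 2.1.0 Sender ok\r\n",
                        b"RCPT": rcpt_reply,
                        b"RSET": b"250 2.0.0 Reset state\r\n",
                        b"QUIT": b"221 2.0.0 Bye\r\n"}
        # A two-line greeting, to exercise multi-line reply handling
        self.pending = [b"220-mail.example.net ESMTP\r\n", b"220 ready\r\n"]
        self.transcript = []

    def readline(self):
        return self.pending.pop(0) if self.pending else b""

    def write(self, data):
        self.transcript.append(data)
        self.pending.append(self.replies[data.strip().split(b" ", 1)[0]])


if __name__ == "__main__":
    print("open relay:", relay_check(ScriptedSMTP(b"250 2.1.5 Recipient ok\r\n")))
    print("open relay:", relay_check(ScriptedSMTP(b"550 5.7.1 Relaying denied\r\n")))
```

Run `check_host("mail.example.net")` only against servers you are responsible for; a server that answers 250 to the RCPT TO here will relay for spammers exactly as the text warns.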

3.11 Network Forensics________________________________ (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html)

Network forensics is the capturing, recording and analysis of network events in order to discover the source of security attacks or other problem incidents. According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

Catch-it-as-you-can systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

Stop, look and listen systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the occasional erasing of old data to make room for new. The open source programs tcpdump and windump, as well as a number of commercial programs, can be used for data capture and analysis. One concern with the catch-it-as-you-can approach is privacy, since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The US FBI's Carnivore is a controversial example of a network forensics tool. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs). (http://www.oreillynet.com/lpt/a/1733)


3.12 Build a Monitoring Workstation______________________

In many ways, a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. Catch-it-as-you-can systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. As a result, these systems need exceptionally large disks, ideally RAID systems. Stop, look and listen systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, consider a test with two identically configured Pentium III-based dual-processor systems with removable disk drives. One system is set up as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. The second system is set up with rudimentary capture software: tcpdump on the UNIX systems, or windump for Windows. An analysis package then examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, the effect of the operating system on overall capture efficiency can be isolated. Once the best operating system is found, Ethernet adapters can be swapped and the second CPU disabled to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Of the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job of capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason for this is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other processor ends up doing analysis.


Sandstorm used the results of this testing to choose the hardware configuration for its NetIntercept appliance, although the results are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives, and also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This was not the expected result, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although the highest performance was seen with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, nearly the same performance was seen with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you have taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what is called traffic analysis: every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it is possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse.


Using a network forensics tool, you can spy on people's e-mail, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's e-mail, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distil a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject; you can, for example, covertly monitor all of the e-mail messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or the one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only those TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by recording only TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
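As an added example, not the source of I-Watch or of any NFAT, the following Python shows both ideas from this and the preceding sections in code: a stop, look and listen reduction that keeps only a per-flow byte count (the raw material of traffic analysis, with no payload stored), and the keyword-selective capture the FBI used at Harvard, retaining full payload only for connections containing "sni256". It parses constructed Ethernet/IPv4/TCP frames built inside the block; the addresses and payloads are invented, and the reduction works per packet rather than on the reassembled stream, a simplification a real tool would not make.

```python
import struct
from collections import defaultdict

ETH_HDR = 14
KEYWORD = b"sni256"


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a raw Ethernet/IPv4/TCP frame for the demonstration (checksums are
    left zero; a capture tool does not validate them anyway)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, or
    None for anything else (non-IP, non-TCP, or truncated)."""
    if len(frame) < ETH_HDR + 40 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or total_len > len(ip):
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return src, sport, dst, dport, tcp[data_off:]


def reduce_capture(frames, keyword=KEYWORD):
    """'Stop, look and listen' reduction: for every TCP flow keep only a byte count
    (enough for traffic analysis), and retain full payload only for flows containing
    the keyword, as I-Watch did with "sni256".  Per-packet matching: a keyword split
    across two segments would be missed without stream reassembly."""
    flows = defaultdict(int)
    retained = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = (src, sport, dst, dport)
        flows[key] += len(payload)
        if keyword in payload:
            retained[key].append(payload)
    return dict(flows), dict(retained)


# Constructed traffic: an attacker installing sni256 over telnet, a legitimate web
# fetch, a legitimate e-mail that happens to mention the keyword, and an ARP frame.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 40001, 23, b"cd /tmp; ./sni256 -i eth0\r\n"),
    build_frame("10.0.0.7", "192.0.2.20", 40002, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.9", "192.0.2.30", 40003, 25, b"Subject: have you seen sni256?\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40001, 23, b"ls -la\r\n"),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,
]

if __name__ == "__main__":
    flows, retained = reduce_capture(SAMPLE_FRAMES)
    for key, nbytes in flows.items():
        print(key, nbytes, "bytes", "(payload retained)" if key in retained else "")
```

Note that the legitimate e-mail flow is retained along with the attacker's telnet session, which is exactly the over-collection the text describes: keyword minimization narrows the take, it does not make it precise.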


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's e-mail and look into their files more as an unwanted responsibility than as a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications; they cannot eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA does not give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record the information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information about the nature of traffic coming in and going out through the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage observed across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer, a commercial log-analysis product, offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF (WebTrends Enhanced Log Format), this is the best configuration option.
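The following is an added example of the kind of analysis a firewall-log product performs, not Firewall Analyzer's own code: it parses a handful of constructed WELF-style key=value lines, totals bandwidth per internal host from the rcvd and sent fields, and flags a source that is denied on many destination ports of one host, the usual port-scan signature. The field names (dstport, result, rcvd, sent) and sample values are assumptions; real WELF exports vary by vendor.

```python
import shlex
from collections import defaultdict

# Constructed log lines in WELF-style key=value syntax.  The exact field set and
# names vary by vendor and are an assumption of this example.
SAMPLE_LOG = """\
id=firewall time="2011-03-12 09:14:01" fw=203.0.113.1 pri=6 proto=tcp src=198.51.100.7 dst=10.0.0.5 dstport=21 rule=12 result=deny msg="Policy deny"
id=firewall time="2011-03-12 09:14:01" fw=203.0.113.1 pri=6 proto=tcp src=198.51.100.7 dst=10.0.0.5 dstport=22 rule=12 result=deny msg="Policy deny"
id=firewall time="2011-03-12 09:14:02" fw=203.0.113.1 pri=6 proto=tcp src=198.51.100.7 dst=10.0.0.5 dstport=23 rule=12 result=deny msg="Policy deny"
id=firewall time="2011-03-12 09:14:02" fw=203.0.113.1 pri=6 proto=tcp src=198.51.100.7 dst=10.0.0.5 dstport=25 rule=12 result=deny msg="Policy deny"
id=firewall time="2011-03-12 09:14:03" fw=203.0.113.1 pri=6 proto=tcp src=198.51.100.7 dst=10.0.0.5 dstport=80 rule=12 result=deny msg="Policy deny"
id=firewall time="2011-03-12 09:14:03" fw=203.0.113.1 pri=6 proto=tcp src=198.51.100.7 dst=10.0.0.5 dstport=443 rule=12 result=deny msg="Policy deny"
id=firewall time="2011-03-12 09:15:10" fw=203.0.113.1 pri=6 proto=http src=10.0.0.20 dst=93.184.216.34 dstport=80 rule=3 result=allow rcvd=15320 sent=812 duration=4
id=firewall time="2011-03-12 09:16:42" fw=203.0.113.1 pri=6 proto=https src=10.0.0.20 dst=93.184.216.34 dstport=443 rule=3 result=allow rcvd=48210 sent=2048 duration=11
id=firewall time="2011-03-12 09:17:05" fw=203.0.113.1 pri=6 proto=smtp src=10.0.0.21 dst=192.0.2.25 dstport=25 rule=5 result=allow rcvd=310 sent=20485 duration=2
"""


def parse_welf(text):
    """Parse WELF-style lines into dicts.  shlex splits on whitespace while keeping
    quoted values (time and msg contain spaces) as single tokens."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def bytes_per_host(records):
    """Bandwidth usage per internal host: rcvd + sent over allowed sessions."""
    usage = defaultdict(int)
    for rec in records:
        if rec.get("result") == "allow":
            usage[rec["src"]] += int(rec.get("rcvd", 0)) + int(rec.get("sent", 0))
    return dict(usage)


def find_port_scans(records, threshold=5):
    """Flag a source that was denied on at least `threshold` distinct destination
    ports of one host: the classic vertical port-scan signature in firewall logs."""
    ports = defaultdict(set)
    for rec in records:
        if rec.get("result") == "deny" and "dstport" in rec:
            ports[(rec["src"], rec["dst"])].add(rec["dstport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    print("records:", len(recs))
    print("bandwidth:", bytes_per_host(recs))
    print("port scans:", find_port_scans(recs))
```

The threshold is deliberately a parameter: on a busy perimeter a handful of denied ports per source is noise, and the value should be tuned against a baseline of the firewall's own logs before it is used for alerting.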

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. Log archiving takes up disk space, so the option can be disabled at any time; bear in mind, though, that the archived raw logs are what an investigation will need, so disable archiving only if the logs are being retained elsewhere.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA (Log Export API) servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs. Prefer authenticated connections, so that the log source cannot be impersonated.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles to a file and import them later to restore them. This comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Forensic tools and vendors referenced in the above article:

Forensic ToolKit (AccessData Corp.)
Email Examiner (Paraben Corp.)
EnCase (Guidance Software)
ProDiscover (Technology Pathways)
Sleuth Kit (open source)
dtSearch (dtSearch Corp.)

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration.

3.16 Database Forensics_______________________________

Database forensics is the forensic study of databases: gathering and analyzing data, in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as e-mail and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as the database machine, client IP address, time of day and authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet or when working outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so one defense is to restrict sensitive traffic to pre-approved IP addresses. Bear in mind that a source IP address is an environmental factor, not an authentication of the user: rules based on it should complement strong authentication, not replace it.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records, but security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema and data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

access control, auditing, authentication, encryption and integrity controls.
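To make the four mechanisms of the multi-factored model concrete, here is an added example (not code from any database product) that evaluates a request against realms, rules, roles and the schema-protection policy described in 3.16.2 to 3.16.5. The realm definitions, role names, intranet ranges and business hours are constructed for the example.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy data; realm names, roles, address ranges and hours are assumptions.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))
STRONG_AUTH = {"kerberos", "certificate"}
DDL_VERBS = {"CREATE", "ALTER", "DROP", "GRANT", "REVOKE"}

# Realms: a protection zone around a set of objects, with the roles allowed inside it.
REALMS = {
    "HR": {"objects": {"HR.EMPLOYEES", "HR.SALARIES"}, "authorized_roles": {"hr_analyst"}},
    "FIN": {"objects": {"FIN.LEDGER"}, "authorized_roles": {"finance_app"}},
}


def at(hour, minute=0):
    """Fixed date for the examples; only the time of day matters to the rules."""
    return datetime(2011, 3, 14, hour, minute)


def session(roles, client_ip, when, auth_mode):
    return {"roles": set(roles), "client_ip": client_ip, "when": when, "auth_mode": auth_mode}


def realm_of(obj):
    for name, realm in REALMS.items():
        if obj in realm["objects"]:
            return name
    return None


def check_rules(sess):
    """Rules: environmental factors that must hold before sensitive access is granted.
    Returns the first violated rule, or None."""
    ip = ipaddress.ip_address(sess["client_ip"])
    if not any(ip in net for net in INTRANET):
        return "client address outside the corporate intranet"
    now = sess["when"].time()
    if not BUSINESS_HOURS[0] <= now < BUSINESS_HOURS[1]:
        return "outside normal business hours"
    if sess["auth_mode"] not in STRONG_AUTH:
        return "authentication mode not strong enough"
    return None


def authorize(sess, statement, obj):
    """Decide one request against the four mechanisms.  Returns (allowed, reason)."""
    roles = sess["roles"]
    verb = statement.split()[0].upper()
    # System policy: schema changes are reserved for security administrators, even
    # though a DBA holds the system privilege that would normally permit them.
    if verb in DDL_VERBS:
        if "security_admin" not in roles:
            return False, "schema changes reserved for security administrators"
        violation = check_rules(sess)
        return (False, violation) if violation else (True, "schema change permitted")
    realm = realm_of(obj)
    if realm is None:
        return True, "object outside any realm; ordinary grants apply"
    # Realm: being a DBA does not open the realm; only an authorized role does.
    if not roles & REALMS[realm]["authorized_roles"]:
        return False, f"{obj} is protected by realm {realm}"
    # Rules apply on top of realm authorization.
    violation = check_rules(sess)
    if violation:
        return False, violation
    return True, "permitted"


if __name__ == "__main__":
    dba = session({"dba"}, "10.1.2.3", at(10, 30), "kerberos")
    analyst = session({"hr_analyst"}, "10.1.2.4", at(10, 30), "kerberos")
    print(authorize(dba, "SELECT * FROM HR.EMPLOYEES", "HR.EMPLOYEES"))
    print(authorize(analyst, "SELECT * FROM HR.EMPLOYEES", "HR.EMPLOYEES"))
```

The order of the checks is the point: the policy check runs before any role lookup, the realm check ignores system privileges entirely, and the rules are evaluated only once a role has qualified, so a denial always names the mechanism that produced it.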

Database security can begin with the creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerabilities that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database. Database objects include tables, views, procedures and similar items, and the permissions granted for SQL commands on these objects are considered in this process. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. Directly related to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is a single sign-on capability across multiple databases and database platforms. A single sign-on system stores the database user's credentials (login id and password) and authenticates to the database on behalf of the user; that credential store then becomes a high-value target and must itself be protected.

3.16.8 Activity Monitoring

Another, more sophisticated, security layer is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a pattern of normal activity against which anomalous activity, possibly indicative of intrusion, is detected. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior. Note that network-based monitoring cannot see local connections (shared memory, named pipes) or encrypted client traffic unless it is positioned to decrypt it, which is why agents are commonly combined with it.
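The following is an added example (not code from the original chapter or from any monitoring product) showing the two halves of activity monitoring described above in one small Python script: a signature pass for known exploit patterns and a baseline pass that flags statements whose shape was never seen during a learning period. The statements in BASELINE_LOG and LIVE_LOG are constructed for the example, and the signature list is a deliberately small assumption, not a complete ruleset.

```python
import re
from collections import Counter

# Constructed baseline: statements the monitor saw during a learning period
# in which the application was behaving normally.
BASELINE_LOG = [
    "SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'",
    "SELECT phone FROM directory WHERE lastname = 'smith' AND firstname = 'ann'",
    "UPDATE directory SET phone = '555-0101' WHERE id = 17",
    "INSERT INTO audit_log (who, what) VALUES ('app', 'login')",
]

# Constructed live traffic: one normal lookup and three suspicious statements.
LIVE_LOG = [
    "SELECT phone FROM directory WHERE lastname = 'jones' AND firstname = 'bob'",
    "SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' "
    "AND (SELECT COUNT(*) FROM fake) > 0 OR '1'='1'",
    "SELECT name FROM sysobjects WHERE xtype = 'U'",
    "SELECT phone FROM directory WHERE lastname = 'x' UNION SELECT password FROM users",
]

# Known-exploit signatures (the "identify known exploits" half of the monitor).
# Assumption: this short list is illustrative, not a production ruleset.
SIGNATURES = {
    "tautology":     re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),
    "union-based":   re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "schema-enum":   re.compile(r"\b(?:sysobjects|information_schema|pg_catalog)\b", re.I),
    "stacked-query": re.compile(r";\s*(?:DROP|EXEC|SHUTDOWN|xp_cmdshell)\b", re.I),
}


def fingerprint(sql):
    """Reduce a statement to its shape: literals become '?', whitespace is
    collapsed and case is normalised, so lookups for 'smith' and 'jones'
    map to the same baseline entry."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # quoted string literals
    s = re.sub(r"\b\d+\b", "?", s)            # bare numeric literals
    s = re.sub(r"\s+", " ", s).strip()
    return s.upper()


def build_baseline(statements):
    """Count how often each statement shape occurred during the learning period."""
    return Counter(fingerprint(s) for s in statements)


def classify(sql, baseline):
    """Return the reasons this statement should be alerted on (empty list = normal)."""
    findings = [name for name, pattern in SIGNATURES.items() if pattern.search(sql)]
    if fingerprint(sql) not in baseline:
        findings.append("unseen-shape")     # the anomaly half of the monitor
    return findings


def scan(statements, baseline):
    """Map each observed statement to its findings; a monitor would terminate
    or quarantine the session on a non-empty list."""
    return {sql: classify(sql, baseline) for sql in statements}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for sql, findings in scan(LIVE_LOG, baseline).items():
        print("ALERT" if findings else "ok   ", findings, sql[:70])
```

The fingerprint step is what makes the baseline usable: without it every distinct lastname would be a "new" statement. In practice the baseline must be learned long enough to cover rare but legitimate queries (month-end reports, for instance), or those will alert as unseen shapes.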

All Rights Reserved wwwsedulitygroupscom 34

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails should be extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This provides a degree of segregation of duties and may serve as evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not by themselves provide sufficient controls to enforce separation of duties, since the same privileged accounts that generate them can usually disable or purge them; therefore network and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered where the risk is commensurate with the expenditure for such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, an attacker manipulates the input a web application accepts so that their own SQL becomes part of the commands the application issues to the database. (For an example, see the article SQL Injection Attacks on Databases.) In this section we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests described here only look for basic SQL injection flaws. They won't detect advanced techniques (blind or time-based injection, second-order injection) and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL. The URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow: %3e is the URL encoding for the > character, %3d for the = character, and + stands for a space. Note that the payload deliberately references a table (fake) that does not exist, so a vulnerable application produces an error rather than returning data, and the trailing OR '1'='1 is there to balance the closing quote that the application itself appends to the input.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will treat the input as data (by binding it as a query parameter) or at least strip the single quotes from it before passing the query to the database. This will simply result in an odd lookup for someone with a first name that includes a bunch of SQL, and you'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

If your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection. A generic 500 error on its own is weaker evidence than the detailed ODBC message, so confirm it by submitting the same request with the quote removed (or with a harmless value for firstname): if the error disappears, the quote is reaching the database. Some steps that you can take to protect your applications against SQL injection attacks include:

Implement input validation on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries; the rule of least privilege applies. If the account used to execute the query doesn't have permission to execute the injected statement, it will not succeed.

Use parameterized queries (prepared statements), or stored procedures that do not build dynamic SQL from their arguments, so that user input is bound as data and never parsed as SQL code.
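The following is an added example (not code from the original chapter or from the directory.asp page it describes) that reproduces the manual test above against a small database so the three outcomes can be seen side by side: the vulnerable lookup concatenates the request parameter into the SQL text, the safe lookup binds it as a parameter, and the page's URL-encoded probe is decoded exactly as a web server would decode it. The directory table and its rows are constructed for the example, SQLite stands in for SQL Server (its "no such table: fake" is the equivalent of the "Invalid object name 'fake'" message), and the name pattern in NAME_RE is an assumption.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for the directory table behind directory.asp."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    con.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("chapple", "mike", "555-0100"),
        ("smith", "ann", "555-0101"),
        ("jones", "bob", "555-0102"),
    ])
    return con


def lookup_vulnerable(con, lastname, firstname):
    """The flaw: request parameters are pasted into the SQL text, so a quote in
    the input ends the literal and everything after it is parsed as SQL."""
    sql = (f"SELECT phone FROM directory WHERE lastname = '{lastname}' "
           f"AND firstname = '{firstname}'")
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, lastname, firstname):
    """The fix: a parameterised query. The input is bound as a value after the
    statement has been parsed, so it can never change the statement's structure."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in con.execute(sql, (lastname, firstname))]


# The page's probe, exactly as it appears in the query string (URL-encoded).
PROBE = "mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1"

# Assumption: what a first name may contain (letters, apostrophe, hyphen, space).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def validate_name(value):
    """Input validation as the page recommends. It must admit apostrophes
    (O'Brien), which is exactly why validation alone does not stop injection."""
    return bool(NAME_RE.match(value))


def run_probe(lookup, con, encoded_firstname):
    """Decode the query-string value as the web server would and run the lookup.
    Returns ('rows', n) or ('error', message), mirroring the page's outcomes."""
    firstname = unquote_plus(encoded_firstname)
    try:
        rows = lookup(con, "chapple", firstname)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("rows", len(rows))


if __name__ == "__main__":
    con = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(name, "probe:", run_probe(fn, con, PROBE))
        print(name, "tautology:", run_probe(fn, con, "mike'+OR+'1'%3d'1"))
```

Running it shows the vulnerable lookup failing with a database error on the probe (the signal the page tells you to look for) and returning every row for the simpler mike' OR '1'='1 payload, while the parameterised lookup returns zero rows for both because the whole decoded string is compared against the firstname column as an ordinary value.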

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and any optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics (or cell phone forensics) is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner has been cheating on them, by human resources departments that need to prove whether "that" phone call was actually taken, or by private investigators checking whether a client was where they say they were at a given time.

The above are just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature dictates that you will tell at least someone. On a computer these records could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes), your DBX files (Microsoft Outlook Express) and your EML files (generic email messages), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory or memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative tools but must have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data is achieved for the client in a sound and forensically correct manner.

A more recent development is cell-site (cellular transmitter) location analysis, which is used to assist agencies in establishing the approximate whereabouts of the subject under investigation. This investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new and, although proved in a British court of law, that does not necessarily mean it is accepted throughout the world. There are of course downsides: the evidence places the handset, not the person, so simply passing the phone to a colleague or accomplice means the phone would be in another place at the time of a call and therefore not at the scene of the crime. There is also the problem of 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to the owner. This is something still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud or computer crime refers to criminal activity where a computer, laptop, network or other such digital device is used for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes an ever larger part of our daily lives. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with advancing technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times hackers are more than just bored teenagers with a few computer skills Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek To make matters worse you can be a victim of computer fraud without even knowing your machine has been compromised In order to protect yourself against this type of fraud it is important to first learn more about it

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used both by criminals and, in a milder form, by some legitimate companies. Once installed on a computer it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in places such as your browser history, cache, saved form data or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware has often got onto a system by abusing a Microsoft browser technology known as ActiveX. ActiveX is not a language but a component model that lets a web page download and run native code inside Internet Explorer; it made many rich web pages possible, but when an ActiveX control is malicious or vulnerable it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data they have all the ammunition needed to commit computer fraud. This information can be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud can be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive (a simple delete or format is not enough; overwrite the disk or destroy it). Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others, however, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud, and at maximum people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people
Illegally using someone else's computer, or "posing" as someone else on the Internet
Using spyware to gather information about people
Emails requesting money in return for "small deposits"
Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money
Emails attempting to gather personal information to be used to access credit cards or social security numbers
Using someone else's computer to access personal information with the intent to use it fraudulently
Using the computer to solicit minors into sexual alliances
Violating copyright laws by copying material such as DVDs and CDs with the intent to sell it
Hacking into computer systems to gather large amounts of information for illegal purposes
Hacking into or illegally using a computer to change information such as grades, work reports, etc.
Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data or system interference. Computer crimes need not involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They include software theft and breaches of the privacy of users, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime


The different types of computer crime involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking, that is, the act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with intent to gain access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous technique is the spoofing of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or the Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, a form of malicious code written with the aim of harming a computer system and destroying information. Writing and distributing computer viruses is a criminal activity, as virus infections can crash computer systems and destroy great amounts of critical data.

Cyberstalking: The use of communication technology, mainly the Internet, to harass or torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and then harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using that person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without your knowing it, through split lines. Some thieves take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayer's or the company's time and money, surf the web or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains the following members: the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system
Making copies of relevant logs and data; this includes making bit-stream backups of all hard disk drives
Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with
Authenticating data mathematically (with cryptographic hashes) on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession
Documenting the date and time associated with computer files when the computer was taken into evidence
Generating a list of keywords to facilitate the evaluation of data on the computer's hard disk drive


A critical step in investigating a computer crime is to evaluate the Windows swap (page) file, which can contain fragments of whatever was in memory, including data from programs and documents that were never saved to disk. The next important thing is to evaluate file slack, the space between the end of a file's data and the end of the last cluster allocated to it: it can hold remnants of earlier files and of memory, which makes it a good source when investigating crimes committed through the Internet. Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually, since keyword searches will not find text inside them. Finally, it is important to document the findings and issues that have been identified during the computer search.
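The following is an added example (not code from the original chapter or from any forensic product) that carries the bit-stream, authentication and keyword steps above through one pass in Python: it copies an image byte for byte while hashing it, verifies the copy against the recorded hashes later, and runs a raw keyword search that reaches into file slack and unallocated space. The 8-sector disk image, its sector size and its contents are constructed for the example; a real acquisition would read the device through a write blocker and use the same hashing loop.

```python
import hashlib
import io
import re

SECTOR = 512   # assumption: 512-byte sectors for the constructed image


def make_sample_image():
    """Constructed 8-sector 'disk image': one live file, residue in its slack space,
    and a deleted message sitting in unallocated space."""
    img = bytearray(SECTOR * 8)
    img[0:SECTOR] = b"BOOT SECTOR (constructed)".ljust(SECTOR, b"\x00")
    live = b"Dear accountant, please wire the money to account 123456 today."
    img[SECTOR:SECTOR + len(live)] = live
    # file slack: the tail of an older, larger file that shared this cluster
    residue = b"...old draft: transfer funds to wire account 999999..."
    start = SECTOR + len(live) + 8
    img[start:start + len(residue)] = residue
    # unallocated space: an email the user 'deleted'
    deleted = b"From: mike@example.invalid\r\nSubject: wire transfer\r\n"
    img[SECTOR * 5:SECTOR * 5 + len(deleted)] = deleted
    return bytes(img)


def bitstream_copy(src, dst, chunk=4096):
    """Copy every byte of src to dst (the bit-stream backup) and return the hashes
    of what was read, computed in the same pass so the manifest matches the copy."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        dst.write(buf)
        sha256.update(buf)
        md5.update(buf)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def verify(image_bytes, manifest):
    """Re-hash the evidence and compare with the manifest taken at seizure time."""
    return hashlib.sha256(image_bytes).hexdigest() == manifest["sha256"]


def keyword_search(image_bytes, keywords, context=24):
    """Case-insensitive raw search over the whole image, including slack and
    unallocated space, reporting the byte offset and sector of each hit."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), image_bytes, re.IGNORECASE):
            off = m.start()
            hits.append({
                "keyword": kw.decode(),
                "offset": off,
                "sector": off // SECTOR,
                "context": image_bytes[max(0, off - context):off + len(kw) + context],
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    original = make_sample_image()
    copy = io.BytesIO()
    manifest = bitstream_copy(io.BytesIO(original), copy)
    print("manifest:", manifest)
    print("copy verifies:", verify(copy.getvalue(), manifest))
    for hit in keyword_search(copy.getvalue(), [b"wire", b"account"]):
        print(f"sector {hit['sector']:>2} offset {hit['offset']:>5} "
              f"{hit['keyword']:>8}: {hit['context']!r}")
```

The search runs over the raw bytes rather than over the file system, which is why it finds the "wire" in the old draft (slack in sector 1) and in the deleted email (sector 5) as well as in the live file. Two hashes are recorded because examiners commonly report both; a single bit changed anywhere in the image makes verify() return False.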

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number or information about the people in your household.
Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
Don't download attachments from people you don't know.
Teach your children about safe communication on the Internet to protect them from Internet predators.
Don't keep passwords in plain text on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
Never give your password to someone else.


Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works

3.12 Build a Monitoring Workstation______________________

In many ways a system that you would use for monitoring a computer network looks a lot like any other high-end Windows or UNIX workstation. Most run on a standard Intel-based PC and capture packets with an Ethernet interface running in promiscuous mode. "Catch it as you can" systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches; as a result these systems need exceptionally large disks, ideally RAID systems. "Stop, look and listen" systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network. Of course, no matter which capture methodology is employed, the disks eventually fill up, so all of these systems have rules for erasing old data to make room for new data.

How much attention you need to give the hardware you use for network monitoring depends to a large extent on the complexity of your network, the amount of data at the points you wish to monitor, and how good a job you want to do. If you are trying to capture packets as they travel over a 384 kbps DSL link, a 66 MHz 486 computer will do just fine. If you are trying to make extended recordings of every packet that goes over a fully loaded gigabit link, you will find it quite a challenge to build a suitable capture platform and disk farm.

To explore the differences between operating systems and hardware platforms, take two identically configured Pentium III-based dual-processor systems with removable disk drives. Set up one system as a packet generator, using a program that transmits individually serialized Ethernet packets of varying sizes. Set up the second system with rudimentary capture software: tcpdump on the UNIX systems or windump on Windows. Then write an analysis package that examines the recorded dump files and calculates both the percentage of dropped packets and the longest run of dropped packets under varying network load. By holding the processor, bus and Ethernet cards constant and loading different operating systems onto different hard disks, you can determine the effect of the operating system on overall capture efficiency. Once the best operating system is found, swap Ethernet adapters and disable the second CPU to determine the effects of different hardware configurations.

The results of this testing were more reassuring than surprising. Over the six operating systems tested, FreeBSD had the best capture performance and Windows NT had the worst. Under FreeBSD, Intel's EtherExpress cards had the best packet capture performance. Finally, FreeBSD did a somewhat better job capturing packets when run with a single processor than when run with two processors, although if additional analysis work was being done at the same time on the same computer, having two processors was vastly preferable. The reason is that no process can dominate both processors at the same time, and thus one processor ends up doing packet capture and the other ends up doing analysis.
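The following is an added example (not code from the original chapter or from Sandstorm) of the analysis package the test procedure above calls for, written in Python: it reads a classic pcap file of the kind tcpdump -w or windump -w produces, pulls the generator's serial number out of each test frame, and computes the two metrics the text names, the percentage of dropped packets and the longest run of consecutive drops. The frame layout (broadcast destination, a fixed source MAC, the IEEE local experimental ethertype 0x88B5, then a 32-bit serial) is an assumption made for the example, and the dump is constructed in memory so the script runs offline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
ETHERTYPE_TEST = 0x88B5      # IEEE 802 local experimental ethertype; assumption for the test frames


def build_test_frame(serial, size=64):
    """Constructed generator frame: broadcast dst, fixed src, experimental ethertype,
    then the 32-bit serial number, padded to the requested size."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack(">H", ETHERTYPE_TEST)
    return (header + struct.pack(">I", serial)).ljust(size, b"\x00")


def write_pcap(frames, snaplen=65535):
    """Serialize frames into a pcap file as tcpdump -w / windump -w would on a little-endian host."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i // 1000, (i % 1000) * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield the captured bytes of each record; handles both byte orders of the classic format."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def serials_from_pcap(data):
    """Extract the generator's serial numbers from every test frame in the dump."""
    serials = []
    for frame in read_pcap(data):
        if len(frame) >= 18 and struct.unpack(">H", frame[12:14])[0] == ETHERTYPE_TEST:
            serials.append(struct.unpack(">I", frame[14:18])[0])
    return serials


def capture_stats(sent_serials, captured_serials):
    """Compare what was sent with what was captured: drop percentage and the
    longest run of consecutively lost frames (the two metrics the test needs)."""
    seen = set(captured_serials)
    dropped = longest = run = 0
    for serial in sent_serials:
        if serial in seen:
            run = 0
        else:
            dropped += 1
            run += 1
            longest = max(longest, run)
    total = len(sent_serials)
    return {
        "sent": total,
        "captured": len(seen),
        "dropped": dropped,
        "dropped_pct": 100.0 * dropped / total if total else 0.0,
        "longest_run": longest,
    }


if __name__ == "__main__":
    sent = list(range(1, 1001))
    lost = {100, 101, 102, 103, 500}          # constructed: frames the capture host missed
    dump = write_pcap(build_test_frame(s) for s in sent if s not in lost)
    print(capture_stats(sent, serials_from_pcap(dump)))
```

The longest-run figure matters as much as the percentage: a capture host that drops 0.5% of frames in one burst when its buffer overflows has lost a whole conversation, whereas the same 0.5% spread evenly is usually recoverable. Run the same dump analysis for each operating system and adapter combination to reproduce the comparison the text describes.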


These results were used to choose the hardware configuration for Sandstorm's NetIntercept appliance, although they are applicable to any organization setting up a monitoring system. Of course, for many installations the choice of hardware and software will largely be determined by available equipment, training, and the hardware or software supported by the monitoring software to be used.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as about your processor and Ethernet card. Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives, and also explored a variety of RAID systems. The conclusion: the IDE drives of the day were significantly faster than SCSI drives costing two or three times more per gigabyte stored. This was not the expected result, and it goes directly against the conventional wisdom that SCSI is inherently better than IDE. Nevertheless it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although the highest performance was seen with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, nearly the same performance was seen with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for an AIT II tape drive and $120 for each 100 GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives. The prices and drive technologies quoted here are those of the time of the comparison; it is the relative conclusions that carry over.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis -- every IP packet contains the address of its destination and the address of its sender. By examining the flow of packets over time, it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive, and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis, and misuse.

Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing, and reporting on firewall logs.

Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis, and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
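The traffic analysis described in 3.14.1 starts with parsing the records a firewall exports. The following is an added example, not code from Firewall Analyzer or any vendor: it parses WELF (WebTrends Enhanced Log Format) lines, which are space-separated key=value pairs with double-quoted values where a value contains spaces, and aggregates the sent/rcvd byte counters per source address and the number of denied connections. The log lines are constructed for the example; the field names (src, dst, sent, rcvd, result, msg) follow the WELF convention.

```python
"""Parse WELF firewall records and build the kind of traffic summary described
in 3.14.1: bytes per source host and a count of denied connections.
Added example; the log lines below are constructed, not from a real firewall."""
import re
from collections import defaultdict

# A WELF record is a sequence of key=value pairs separated by spaces.
# Values that contain spaces are enclosed in double quotes.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records. One non-WELF line is included to show that the
# parser simply yields no fields for it.
SAMPLE_LOG = [
    'id=firewall time="2010-03-01 09:15:02" fw=fw01 pri=6 rule=12 proto=http '
    'src=10.0.0.5 dst=203.0.113.10 sent=1200 rcvd=54000 msg="Allow outbound"',
    'id=firewall time="2010-03-01 09:15:07" fw=fw01 pri=4 rule=3 proto=ssh '
    'src=198.51.100.7 dst=10.0.0.20 result=denied msg="Inbound ssh blocked"',
    'id=firewall time="2010-03-01 09:16:01" fw=fw01 pri=6 rule=12 proto=https '
    'src=10.0.0.5 dst=203.0.113.44 sent=800 rcvd=22000',
    'id=firewall time="2010-03-01 09:16:30" fw=fw01 pri=6 rule=12 proto=smtp '
    'src=10.0.0.9 dst=203.0.113.25 sent=15000 rcvd=300 msg="mail out"',
    'this line is not WELF and is skipped by the parser',
]


def parse_welf(line):
    """Return the key=value pairs of one WELF line as a dict, quotes stripped."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize(lines):
    """Aggregate total bytes (sent + received) per source address and count
    denied connections. Lines without a src field are ignored."""
    bytes_by_src = defaultdict(int)
    denied = 0
    for line in lines:
        rec = parse_welf(line)
        src = rec.get("src")
        if not src:
            continue
        if rec.get("result", "").lower() in ("denied", "deny", "drop"):
            denied += 1
        # Byte counters are optional in WELF; a missing counter counts as zero.
        bytes_by_src[src] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
    return dict(bytes_by_src), denied


def top_talkers(lines, n=3):
    """Return the n busiest source addresses as (address, bytes) pairs."""
    totals, _ = summarize(lines)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    totals, denied = summarize(SAMPLE_LOG)
    for src, nbytes in top_talkers(SAMPLE_LOG):
        print(f"{src:16} {nbytes:>8} bytes")
    print(f"denied connections: {denied}")
```

The per-source totals are what a bandwidth plan is built from; the denied count is the first number to watch for the risk-assessment side, since a rising count from a single external source is the usual early sign of scanning against the perimeter.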

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for the same.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers, and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs at the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import them later to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.

3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors: Forensic ToolKit, AccessData Corp., Email Examiner, EnCase, Guidance Software, Paraben Corp., ProDiscover, Sleuth Kit, Technology Pathways, dtSearch, dtSearch Corp.

Related topics: chain of custody, evidence, hash, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection, other security policies and management, security and privacy software, software and Web development, threats and attacks, information security.

3.16 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well known brands of DB such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.

For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity, and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions, and boundaries are set up so that even employees with database access privileges cannot freely use, alter, or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles, and policies.

3.16.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day, and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
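A rule of the kind just described combines several decision factors into one allow/deny decision that applies only to privileged operations. The following is an added example, not taken from any database product: the intranet ranges, business hours, list of strong authentication modes and the set of operations treated as privileged are constructed assumptions, and each denial carries the factor that failed so it can be written to an audit record.

```python
"""Evaluate a rule of the kind described in 3.16.3: privileged database
operations are allowed only from the corporate intranet, during business
hours on a working day, and only with a strong authentication mode.
Added example with constructed networks and thresholds; not from any product."""
import ipaddress
from datetime import datetime

# Constructed decision factors. A real deployment would load these from policy.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (8, 18)                 # 08:00 inclusive to 18:00 exclusive
STRONG_AUTH = {"kerberos", "certificate", "mfa"}
PRIVILEGED = {"ALTER", "DROP", "GRANT", "TRUNCATE"}


def evaluate_rule(client_ip, when, auth_mode, operation):
    """Return (allowed, reason). Non-privileged operations bypass the rule;
    privileged ones must satisfy every decision factor. `when` may be a
    datetime or an ISO 8601 string such as "2010-03-01T10:00"."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if operation.upper() not in PRIVILEGED:
        return True, "non-privileged operation"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, f"unparseable client address {client_ip!r}"
    if not any(ip in net for net in INTRANET):
        return False, f"{client_ip} is outside the corporate intranet"
    if when.weekday() >= 5:
        return False, f"{when:%A} is not a working day"
    if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
        return False, f"{when:%H:%M} is outside business hours"
    if auth_mode not in STRONG_AUTH:
        return False, f"authentication mode {auth_mode!r} is not strong enough"
    return True, "all decision factors satisfied"


def audit_record(client_ip, when, auth_mode, operation):
    """Build the line a security administrator would want logged for each
    decision, so denied attempts can be reviewed later."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    allowed, reason = evaluate_rule(client_ip, when, auth_mode, operation)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{when:%Y-%m-%d %H:%M} {verdict} {operation.upper()} "
            f"from {client_ip} ({auth_mode}): {reason}")


if __name__ == "__main__":
    # Constructed cases: 2010-03-01 is a Monday, 2010-03-06 a Saturday.
    cases = [
        ("10.1.2.3", "2010-03-01T10:00", "kerberos", "DROP"),
        ("203.0.113.5", "2010-03-01T10:00", "kerberos", "DROP"),
        ("10.1.2.3", "2010-03-01T22:00", "kerberos", "ALTER"),
        ("10.1.2.3", "2010-03-06T10:00", "kerberos", "GRANT"),
        ("10.1.2.3", "2010-03-01T10:00", "password", "GRANT"),
        ("203.0.113.5", "2010-03-01T22:00", "password", "SELECT"),
    ]
    for case in cases:
        print(audit_record(*case))
```

The order of the checks matters for what gets logged: the address test comes first so that an out-of-network attempt is recorded as such even when it would also have failed on time or authentication.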

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies, and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations, and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

Access control
Auditing
Authentication
Encryption
Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially PUBLIC) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
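The baseline-then-detect approach in 3.16.8 is simplest to see on a concrete activity log. The following is an added example, not code from any monitoring product: the log line format, the two users, the tables and the thresholds are all constructed. It builds a per-user baseline (tables touched, statement verbs used, peak statements per hour) from one day of activity and then flags, on the next day, an unknown user, a verb or table a user has never used, and a statement rate well above that user's baseline peak.

```python
"""Baseline-and-detect over constructed database activity log lines, as in
3.16.8. Added example; the log format is hypothetical."""
import re
from collections import defaultdict

# Constructed log format: '<date> <time> user=<name> stmt="<sql>"'
LINE = re.compile(r'^(?P<date>\S+) (?P<time>\S+) user=(?P<user>\S+) stmt="(?P<stmt>[^"]*)"$')
# Table names that follow FROM / INTO / UPDATE / JOIN in the statement text.
TABLE = re.compile(r'\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][\w.]*)', re.IGNORECASE)

BASELINE_LOG = [
    '2010-03-01 09:00:01 user=app_user stmt="SELECT id, total FROM orders WHERE customer_id = 42"',
    '2010-03-01 09:00:05 user=app_user stmt="SELECT name FROM customers WHERE id = 42"',
    '2010-03-01 09:30:10 user=app_user stmt="INSERT INTO orders (customer_id, total) VALUES (42, 19.99)"',
    '2010-03-01 10:05:00 user=app_user stmt="SELECT id, total FROM orders WHERE customer_id = 7"',
    '2010-03-01 10:20:00 user=reporting stmt="SELECT count(*) FROM orders"',
]

MONITORED_LOG = [
    '2010-03-02 03:10:00 user=app_user stmt="SELECT * FROM payroll"',
    '2010-03-02 11:00:00 user=reporting stmt="UPDATE orders SET total = 0 WHERE id = 1"',
    '2010-03-02 12:00:00 user=dba_tmp stmt="SELECT name FROM customers"',
] + [
    f'2010-03-02 11:00:{s:02d} user=app_user stmt="SELECT name FROM customers WHERE id = {s}"'
    for s in range(1, 12)   # 11 statements in one hour against a baseline peak of 3
]


def parse(line):
    """Return a record dict for a well-formed line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = rec["date"] + " " + rec["time"][:2]
    rec["verb"] = rec["stmt"].split(None, 1)[0].upper()
    rec["tables"] = {t.lower() for t in TABLE.findall(rec["stmt"])}
    return rec


def build_baseline(lines):
    """Per user: tables touched, statement verbs used, peak statements per hour."""
    base = defaultdict(lambda: {"tables": set(), "verbs": set(), "peak_per_hour": 0})
    per_hour = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        b = base[rec["user"]]
        b["tables"] |= rec["tables"]
        b["verbs"].add(rec["verb"])
        per_hour[(rec["user"], rec["hour"])] += 1
    for (user, _), n in per_hour.items():
        base[user]["peak_per_hour"] = max(base[user]["peak_per_hour"], n)
    return dict(base)


def detect(baseline, lines, rate_factor=3):
    """Return (kind, user, detail) alerts for activity outside the baseline."""
    alerts = []
    per_hour = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        user = rec["user"]
        per_hour[(user, rec["hour"])] += 1
        if user not in baseline:
            alerts.append(("unknown_user", user, rec["stmt"]))
            continue
        b = baseline[user]
        if rec["verb"] not in b["verbs"]:
            alerts.append(("new_verb", user, rec["verb"]))
        for table in rec["tables"] - b["tables"]:
            alerts.append(("new_table", user, table))
    for (user, hour), n in per_hour.items():
        peak = baseline.get(user, {}).get("peak_per_hour", 0)
        if peak and n > rate_factor * peak:
            alerts.append(("rate", user, f"{n} statements in hour {hour} (baseline peak {peak})"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), MONITORED_LOG):
        print(alert)
```

A one-day baseline is far too short for production use; the point of the example is the shape of the comparison, not the thresholds. A real deployment also records which alerts an analyst closed as benign, so that legitimate new activity can be folded back into the baseline.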

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, the network and/or kernel module level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.
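Once the native audit trail has been exported to the security system, the receiving side still needs a way to show that what it holds was not edited, truncated or reordered afterwards. One standard technique, shown here as an added example rather than anything the page or a database vendor provides, is to hash-chain the exported records: each record's hash covers the record and the previous hash, so any change breaks every link from that point on. The audit records and their field names are constructed.

```python
"""Hash-chain exported native audit records so the security system that
receives them (3.16.9) can show they were not modified or truncated after
export. Added example; the audit records are constructed."""
import hashlib
import json

GENESIS = "0" * 64   # anchor for the first record; keep it off the database host


def _digest(record, prev_hash):
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # hashes the same way regardless of how it was serialized on export.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def chain_records(records, prev_hash=GENESIS):
    """Wrap each audit record with the previous hash and its own hash."""
    chained = []
    for rec in records:
        h = _digest(rec, prev_hash)
        chained.append({"record": rec, "prev": prev_hash, "hash": h})
        prev_hash = h
    return chained


def verify_chain(chained, genesis=GENESIS):
    """Return -1 if every link verifies, else the index of the first broken link.
    Editing, removing or reordering a record breaks the link at that point."""
    prev = genesis
    for i, entry in enumerate(chained):
        if entry["prev"] != prev or entry["hash"] != _digest(entry["record"], prev):
            return i
        prev = entry["hash"]
    return -1


# Constructed native-audit export (hypothetical field names).
AUDIT_EXPORT = [
    {"ts": "2010-03-01T09:00:00", "user": "app_user", "action": "SELECT", "object": "orders"},
    {"ts": "2010-03-01T09:05:00", "user": "dba01", "action": "DELETE", "object": "audit_tmp"},
    {"ts": "2010-03-01T09:06:00", "user": "dba01", "action": "GRANT", "object": "payroll"},
]


def tamper_demo():
    """Show the three outcomes: intact chain, edited record, dropped record."""
    chained = chain_records(AUDIT_EXPORT)
    intact = verify_chain(chained)
    edited = [dict(e, record=dict(e["record"])) for e in chained]
    edited[1]["record"]["action"] = "SELECT"      # an entry is rewritten after export
    dropped = chained[:1] + chained[2:]            # the same entry is deleted instead
    return intact, verify_chain(edited), verify_chain(dropped)


if __name__ == "__main__":
    print("intact, edited, dropped ->", tamper_demo())
```

The chain only proves integrity from the moment the security system computed it; records altered on the database host before export are not detected, which is exactly why the page pairs native audit with network or kernel-level monitoring. Storing the latest hash somewhere the DBA cannot reach (a write-once log, a separate team's system) is what makes the last link in the chain trustworthy.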

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan, or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
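The lookup from 3.17.2 can be reproduced against a throwaway database to see both outcomes the article describes, and to see what the first and third mitigation steps change. The following is an added example, not code from the article or any product: the directory table and its rows are constructed, the function names are hypothetical, and the probe string is the article's with the trailing `1=1` written as `'1'='1` so that the statement stays syntactically valid once the application appends its closing quote (the effect the article relies on, the reference to the non-existent table `fake`, is reached either way). SQLite is used because it needs no server; it has no GRANT, so the least-privilege step (the second mitigation) is not demonstrated here.

```python
"""The directory lookup from 3.17.2 written three ways against an in-memory
SQLite copy of the table: string-concatenated (the vulnerable form the article
assumes), parameterized, and parameterized behind an input allowlist.
Added example; table, rows and function names are constructed."""
import re
import sqlite3

# The article's probe, adapted to keep the statement syntactically valid.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"
# Allowlist for a name field: letters, spaces, hyphens and apostrophes only.
NAME_OK = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def setup():
    """Constructed directory table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("doe", "jane", "555-0101")])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the statement by string concatenation, so input is parsed as SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, lastname, firstname):
    """Bound parameters: the input is delivered as data, never parsed as SQL."""
    return conn.execute(
        "SELECT phone FROM directory WHERE lastname = ? and firstname = ?",
        (lastname, firstname)).fetchall()


def lookup_hardened(conn, lastname, firstname):
    """Parameter checking (the first mitigation step) in front of the bound query."""
    for value in (lastname, firstname):
        if not NAME_OK.match(value):
            raise ValueError(f"rejected input {value!r}")
    return lookup_parameterized(conn, lastname, firstname)


def probe(lookup):
    """Run the article's test against one implementation and report what a
    tester would observe: rows, a database error, or a rejected input."""
    conn = setup()
    try:
        return "rows", lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        # The injected text reached the SQL parser: the page's "Invalid object name".
        return "db_error", str(exc)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized, lookup_hardened):
        print(f"{fn.__name__:22} -> {probe(fn)}")
    print("legitimate lookup      ->", lookup_hardened(setup(), "chapple", "mike"))
```

Note that the allowlist alone is not the control: it accepts an apostrophe because real surnames contain one, and it is the bound parameter that keeps that apostrophe from ever being interpreted as SQL. The allowlist earns its place by turning the probe into an application-level rejection instead of a database error, which is also what keeps the detailed error text in 3.17.3 from reaching the browser.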

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself, and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times, and contact numbers.

Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources, and indeed private individuals.

These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer, they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express), and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking, and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not be at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' type phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly in the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with date and time history. Handled correctly, this digital evidence is produced in a manner that will hold up in a court of law.

Computer fraud is rampant, because computers are part of our daily lives with ever greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or lock up your own home at night, you have to be careful of the many kinds of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive on technology and millions in sales, the crime of computer fraud has become a bigger issue than the experts ever predicted.


In modern times hackers are more than just bored teenagers with a few computer skills Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek To make matters worse you can be a victim of computer fraud without even knowing your machine has been compromised In order to protect yourself against this type of fraud it is important to first learn more about it

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by criminals and, in milder forms, by some legitimate companies. Once installed on a computer it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email address. This information is often found in places such as your browser history, cache and temporary internet files, as well as saved form data and cookies. A sophisticated piece of spyware can easily retrieve this information and report the details back to whoever launched it.

Spyware has typically got onto a system by abusing a Microsoft technology known as ActiveX. ActiveX is not a web language but a component framework: an ActiveX control is native code that a web page can ask Internet Explorer to download and run, which historically made many interactive web pages possible. Because a control runs with the full privileges of the user, a malicious or vulnerable control referenced from a web page can be used to install spyware and other malicious programs on the system; this is why browsers have progressively restricted and then removed ActiveX support.

3.19.3 From computer to easy theft

Once a criminal has access to your data they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive (a plain delete or format leaves the data recoverable; overwrite or destroy the drive). As the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer, with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information, like DVDs and CDs, with the intent to sell it
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data or system interference. Computer crimes may not necessarily involve damage to physical property; they more often involve the manipulation of confidential data and critical information. They include software theft and activities in which the privacy of users is violated: breaches of personal and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crime involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking: defeating the security controls of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with the intent to gain access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is IP address spoofing: forging the source address of packets in order to transact under a false identity and thus remain anonymous while carrying out criminal activity.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising oneself as a trustworthy source. Phishing is carried out through emails, or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there; the first thing to check is therefore the link's actual domain, not the page's appearance or the link's visible text.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are forms of malicious code written with the aim of harming a computer system and destroying information. Writing and spreading computer viruses is a criminal activity in most jurisdictions, as virus infections can crash computer systems, thereby destroying great amounts of critical data.
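As an added example (not part of the original material), the following Python checks the links in a constructed phishing-style email for the look-alike tricks described in the phishing paragraph above: a brand name with a digit swapped for a letter, the brand used as a subdomain of an unrelated domain, and near-miss spellings. The brand list, the sample links and the homoglyph table are assumptions for the demonstration; it handles only ASCII hostnames and treats the last two labels as the registrable domain, so a production check would use the Public Suffix List and a Unicode confusables table.

```python
import re
import unicodedata

# Constructed brand list for the demonstration (assumption, not from the original page).
BRANDS = ["paypal.com", "example-bank.com"]

# Common ASCII look-alike substitutions seen in typosquatted domains (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Assumption for the demo: the registrable domain is the last two labels
    (a real check should consult the Public Suffix List for names like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize(label: str) -> str:
    """Fold characters that look like other characters onto a canonical form."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # strip accents
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for near-miss spellings such as paypai.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str) -> str:
    m = HOST_RE.match(href)
    if not m:
        return "not an http(s) link"
    host = m.group(1).lower()
    domain = registrable_domain(host)
    if domain in BRANDS:
        return "legitimate"
    for brand in BRANDS:
        # paypal.com.secure-verify.net: the brand is only a subdomain of someone else's domain.
        if host.startswith(brand + "."):
            return f"{brand} used as a subdomain of {domain}"
    for brand in BRANDS:
        brand_label, label = brand.split(".")[0], domain.split(".")[0]
        if (normalize(label) == normalize(brand_label)
                or brand_label in label
                or levenshtein(label, brand_label) <= 2):
            return f"lookalike of {brand}"
    return "unknown"


def scan_email_links(body: str) -> dict:
    """Classify every http(s) URL found in a message body."""
    return {url: classify_link(url) for url in re.findall(r"https?://[^\s\"'<>]+", body)}


# Constructed sample message (assumption): one real link, two phishing-style links, one unrelated.
SAMPLE_EMAIL = """Dear customer, confirm your account at https://paypa1.com/signin
or via https://paypal.com.secure-verify.net/ . Our real site is https://www.paypal.com/signin
and our partner is https://www.example.org/ ."""

if __name__ == "__main__":
    for url, verdict in scan_email_links(SAMPLE_EMAIL).items():
        print(f"{verdict:50s} {url}")
```

The order of the checks matters: a brand-as-subdomain host such as paypal.com.secure-verify.net would otherwise pass the registrable-domain test, because the registrable domain is secure-verify.net and carries no resemblance to the brand.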

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites, gathering user information and then harassing the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using that person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal immigration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes, happening all over the country. Public and private employees, on the taxpayers' or the company's time and money, surf the web or play games without proper authorization. This kind of behavior is in many instances not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterheads, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains the case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with
• Authenticating the data mathematically (hashing) on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession
• Documenting the date and time associated with computer files when the computer was taken into evidence
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive


One of the most important steps in investigating a computer crime is to evaluate the Windows swap file (pagefile.sys on NT-based Windows), which frequently contains fragments of data that applications held in memory. Next is to evaluate file slack: the unused space between the end of a file's data and the end of the last cluster allocated to it, which retains remnants of whatever previously occupied those sectors. File slack is a good source of evidence for crimes committed through the internet.

Evaluating unallocated space yields information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually, since a plain keyword search does not see inside them.

Finally, it is important to document the findings and issues that have been identified during the computer search.
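The following Python, added here as an illustration and not part of the original investigation checklist, walks through the technical core of the steps above on a constructed miniature disk image: take a bit-stream copy, authenticate it with SHA-256 so that any later alteration is detectable, then run a keyword search across the whole raw image, reporting whether each hit lies in allocated file data, file slack or unallocated space. The sector size, the image contents and the allocation map are constructed for the demonstration; on a real image the allocation map comes from the file system metadata (for example via The Sleuth Kit's fls and istat) rather than being hard-coded.

```python
import hashlib
import re

SECTOR = 512  # assumption: 512-byte sectors, one sector per cluster

# Constructed sample content (not from any real case).
ALLOCATED_FILE = b"Quarterly report: all figures reconciled.\n"
SLACK_RESIDUE = b"...wire transfer to acct 8842 confirmed..."
DELETED_EMAIL = b"From: alice@example.com\nSubject: move the funds tonight\n"


def build_sample_image() -> bytes:
    """Three sectors: an allocated file whose slack still holds residue of an older
    file, a wiped unallocated sector, and an unallocated sector with a deleted email."""
    s1 = ALLOCATED_FILE + SLACK_RESIDUE
    s1 += b"\x00" * (SECTOR - len(s1))
    s2 = b"\x00" * SECTOR
    s3 = DELETED_EMAIL + b"\x00" * (SECTOR - len(DELETED_EMAIL))
    return s1 + s2 + s3


# Allocation map as a file system tool would report it: (start, end, owner). Only the
# first len(ALLOCATED_FILE) bytes of sector 1 are file data; the rest is file slack.
ALLOCATION = [(0, len(ALLOCATED_FILE), "report.txt")]


def acquire(source: bytes) -> tuple[bytes, str]:
    """Bit-stream copy plus SHA-256 of the copy; the hash goes into the evidence log."""
    image = bytes(source)
    return image, hashlib.sha256(image).hexdigest()


def verify(image: bytes, recorded_hash: str) -> bool:
    """Re-hash before analysis (and before court) to prove nothing changed in custody."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


def region_of(offset: int) -> str:
    """Classify an offset using the allocation map: file data, slack, or unallocated."""
    for start, end, _ in ALLOCATION:
        if start <= offset < end:
            return "allocated"
        last_cluster_end = ((end - 1) // SECTOR + 1) * SECTOR
        if end <= offset < last_cluster_end:
            return "file slack"
    return "unallocated"


def keyword_search(image: bytes, keywords: list[str]) -> list[tuple[str, int, str]]:
    """Search the raw image (not the file system) so slack and deleted data are covered."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            hits.append((kw, m.start(), region_of(m.start())))
    return hits


if __name__ == "__main__":
    evidence, digest = acquire(build_sample_image())
    print("SHA-256:", digest, "verified:", verify(evidence, digest))
    for kw, off, region in keyword_search(evidence, ["reconciled", "wire transfer", "funds"]):
        print(f"{kw!r} at offset {off} ({region})")
```

Note that the search runs over the bytes of the image, never through the file system, which is the whole point of the slack and unallocated-space steps: a search through mounted files would find only the first keyword.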

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.


Figures referenced in this chapter: Figure 3.1, NetIQ Security Manager Forensic Analysis Report; Figure 3.2, How Spoofing Works.

For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant.

If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA/100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment.

Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller.

Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2000, backing this system up will set you back $4000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks and instead archive specific capture runs to CD-R or DVD-RAM drives.

3.13 Analyzing the Data________________________________

After you've taken measures to collect the information, your next big decision will be the analysis tools that you can bring to the table. If you have built your own system, your primary analysis tools will be tcpdump and the strings command. You can use tcpdump to display the individual packets or to filter a few packets out of a large data set. The strings command, meanwhile, will give you a rough transcript of the information that passed over the network. Snort will allow you to define particular conditions that generate alarms or traps. If you purchase a commercial system, your analysis will be pretty much limited to the capabilities the system provides. That's OK, though, because analysis is really the strength of the commercial offerings.

In a world in which strong encryption was ubiquitous, the monitoring performed by these network forensics systems would be restricted to what's called traffic analysis: every IP packet contains the address of its destination and the address of its sender, and by examining the flow of packets over time it's possible to infer when a person is working, who they are communicating with, what Web sites they are visiting, and other sorts of tantalizingly vague information. Traffic analysis is the stuff that a lot of military intelligence is built upon, and it can be very powerful. Unfortunately, we do not live in a world in which strong encryption is ubiquitous. Largely as a result of the US government's war on encryption in the 1980s and 1990s, the vast majority of personal, sensitive and confidential information sent over the Internet today is sent without encryption, open to eavesdropping, analysis and misuse. (This was written before TLS became the default on the web; today most web traffic is encrypted in transit, and network forensics leans correspondingly more on traffic analysis, flow records and endpoint logs.)


Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools, not even the FBI's Carnivore, provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject: you can, for example, covertly monitor all of the email messages sent between a pair of users. On the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people while limiting the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to capture only the TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters "sni256", the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
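Two of the points above, the tcpdump/strings workflow described in 3.13 and the keyword-triggered capture the FBI used at Harvard, are illustrated by the following added Python example (it is not code from the original article, from tcpdump or from I-Watch). It builds a constructed three-packet pcap file in memory, parses the Ethernet/IPv4/TCP headers, applies a tcpdump-style port filter, produces a strings(1)-like transcript of a payload, and implements I-Watch style minimization by keeping only the TCP streams whose bytes contain a keyword. Addresses, ports and payloads are constructed; the stream reassembly is deliberately naive (payloads concatenated in arrival order, one direction only), which is enough for the sample but not for real out-of-order traffic.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH/ACK) frame; checksums left zero for the sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, _ip(src), _ip(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: an FTP login, a web request and a telnet session."""
    frames = [
        _frame("10.0.0.5", 40001, "10.0.0.9", 21, b"USER alice\r\nPASS hunter2\r\n"),
        _frame("10.0.0.5", 40002, "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        _frame("10.0.0.7", 40003, "10.0.0.9", 23, b"cd /tmp; ./sni256 &\r\n"),
    ]
    # pcap global header (little-endian, microsecond timestamps, LINKTYPE_ETHERNET = 1)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data: bytes) -> list[Packet]:
    """Minimal pcap reader: IPv4-over-Ethernet TCP packets only."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled in this example")
    pkts, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        pkts.append(Packet(src, sport, dst, dport, tcp[data_off:]))
    return pkts


def filter_port(pkts: list[Packet], port: int) -> list[Packet]:
    """Equivalent of `tcpdump port N`."""
    return [p for p in pkts if port in (p.sport, p.dport)]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Rough equivalent of `strings`: runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # trailing NUL flushes the final run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def minimized_capture(pkts: list[Packet], keyword: bytes) -> dict:
    """I-Watch style minimization: keep only the TCP streams that contain the keyword."""
    streams = defaultdict(bytearray)
    for p in pkts:
        streams[(p.src, p.sport, p.dst, p.dport)] += p.payload
    return {k: bytes(v) for k, v in streams.items() if keyword in v}


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for p in filter_port(pkts, 21):
        print("port 21 transcript:", extract_strings(p.payload))
    for conn, stream in minimized_capture(pkts, b"sni256").items():
        print("kept:", conn, stream)
```

The minimization step shows why the Harvard capture also swept up two innocent connections: the decision is made on the bytes of the stream, and any legitimate stream that happens to carry the keyword is kept too.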


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications: they can't eavesdrop on communications or disclose intercepted contents unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms-of-service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization: they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information about the nature of the traffic coming into and going out of the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage seen across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage and plays an important role in business risk assessment. The product described in this section, Firewall Analyzer, offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer; firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF (WebTrends Enhanced Log Format, a plain-text format of key=value pairs), this is the best configuration option.
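As an added illustration, not taken from the product documentation, the following Python parses a handful of constructed WELF-style firewall log lines (key=value pairs, quoted where the value contains spaces) and runs two of the analyses this section mentions over them: bytes per source for bandwidth planning, and a simple port-scan detector built on denied connections. The log lines, the rule names and the convention that a denied event carries a msg starting with "Denied" are assumptions for the sample; which fields a device emits varies by vendor, so check the device's own WELF documentation.

```python
import re
from collections import Counter, defaultdict

# Constructed WELF-style records (assumption: not taken from any real firewall).
SAMPLE_LOG = """\
id=firewall time="2024-03-01 09:00:01" fw=10.0.0.1 pri=6 rule=allow-web proto=http src=192.168.1.20 dst=203.0.113.10 rcvd=48213 sent=1200 msg="Allowed outbound"
id=firewall time="2024-03-01 09:00:04" fw=10.0.0.1 pri=4 rule=deny-all proto=tcp/445 src=198.51.100.7 dst=192.168.1.5 msg="Denied inbound"
id=firewall time="2024-03-01 09:00:05" fw=10.0.0.1 pri=4 rule=deny-all proto=tcp/22 src=198.51.100.7 dst=192.168.1.5 msg="Denied inbound"
id=firewall time="2024-03-01 09:00:05" fw=10.0.0.1 pri=4 rule=deny-all proto=tcp/3389 src=198.51.100.7 dst=192.168.1.5 msg="Denied inbound"
id=firewall time="2024-03-01 09:00:09" fw=10.0.0.1 pri=6 rule=allow-web proto=https src=192.168.1.20 dst=203.0.113.10 rcvd=1000 sent=500 msg="Allowed outbound"
id=firewall time="2024-03-01 09:00:12" fw=10.0.0.1 pri=4 rule=deny-irc proto=tcp/6667 src=192.168.1.33 dst=203.0.113.99 msg="Denied outbound IRC"
"""

# key=value, where the value is either "quoted text" or a run of non-space characters
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_welf_line(line: str) -> dict:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TOKEN.finditer(line)}


def parse_welf(text: str) -> list[dict]:
    return [parse_welf_line(line) for line in text.splitlines() if line.strip()]


def is_denied(rec: dict) -> bool:
    return rec.get("msg", "").startswith("Denied")  # convention of the constructed sample


def bandwidth_by_source(records: list[dict]) -> dict:
    """Total bytes (received + sent) per source address, for capacity planning."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += int(r.get("rcvd", 0)) + int(r.get("sent", 0))
    return dict(totals)


def denied_by_source(records: list[dict]) -> Counter:
    return Counter(r["src"] for r in records if is_denied(r))


def probable_scanners(records: list[dict], min_ports: int = 3) -> list[str]:
    """A source denied on min_ports or more distinct destination services is a scan candidate."""
    services = defaultdict(set)
    for r in records:
        if is_denied(r):
            services[r["src"]].add(r.get("proto", "?"))
    return sorted(src for src, seen in services.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    print("bytes per source:", bandwidth_by_source(recs))
    print("denies per source:", denied_by_source(recs))
    print("probable scanners:", probable_scanners(recs))
```

The scan heuristic counts distinct denied services rather than raw deny events, so a single host repeatedly retrying one blocked port is not flagged while a host probing several ports is.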

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports for them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. Log archiving takes up disk space, so the product allows you to disable it at any time. From an evidence standpoint, though, the archived raw logs, not the summary reports, are what an investigation will need, so budget the disk space rather than switching archiving off.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA (OPSEC Log Export API) servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is a part of Firewall Analyzer and does not require a separate installation. Because plain syslog over UDP is neither authenticated nor encrypted, restrict the listener ports to the firewalls' own addresses and, where the devices support it, prefer syslog over TLS.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles: you can export the profiles to a file and import that file later to get the profiles back. This comes in handy in exigencies such as moving the server to a different machine.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors listed there: Forensic ToolKit (AccessData Corp), Email Examiner (Paraben Corp), EnCase (Guidance Software), ProDiscover (Technology Pathways), The Sleuth Kit, and dtSearch (dtSearch Corp). Related topics: chain of custody, evidence, hashing, incident investigation, intellectual property theft, legal team, network forensics, network penetration.

3.16 Database Forensics_______________________________

Database forensics is the forensic study of databases: gathering and analyzing data, in a manner as free from distortion or bias as possible, to reconstruct data or to reconstruct what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent, often relational, data store. For example, the timestamps that record the update time of a row in a relational table can be inspected and tested for validity (against transaction logs, audit tables or redo/undo records) in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the format used to encode data on disk; documentation of the on-disk formats used by well-known products such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization who put information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.
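To make the point about inspecting row timestamps and preserving a copy concrete, here is an added Python example (constructed for this page, not taken from any product or real case) using the standard sqlite3 module. It builds a small accounts table whose inserts and balance changes are journalled by triggers into an audit table, simulates an insider who inflates a balance, deletes the trigger's audit row and backdates updated_at, and then runs two forensic checks: the audit chain must explain the current balance and timestamp of every row, and the AUTOINCREMENT counter in sqlite_sequence must not have issued ids that are no longer present. It also takes a forensic copy of the live database through the online backup API and hashes it. Table names, timestamps and the tampering scenario are assumptions for the demonstration.

```python
import hashlib
import os
import sqlite3
import tempfile

T1, T2, T3 = "2024-03-01 09:00:00", "2024-03-02 10:00:00", "2024-03-03 11:00:00"


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: every insert and balance change is journalled by triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER, updated_at TEXT);
        CREATE TABLE audit(id INTEGER PRIMARY KEY AUTOINCREMENT, account_id INTEGER,
                           old_balance INTEGER, new_balance INTEGER, changed_at TEXT);
        CREATE TRIGGER accounts_ins AFTER INSERT ON accounts BEGIN
            INSERT INTO audit(account_id, old_balance, new_balance, changed_at)
            VALUES (NEW.id, NULL, NEW.balance, NEW.updated_at);
        END;
        CREATE TRIGGER accounts_upd AFTER UPDATE OF balance ON accounts BEGIN
            INSERT INTO audit(account_id, old_balance, new_balance, changed_at)
            VALUES (NEW.id, OLD.balance, NEW.balance, NEW.updated_at);
        END;
        INSERT INTO accounts VALUES (1, 'alice', 100, '{T1}');
        INSERT INTO accounts VALUES (2, 'bob', 50, '{T1}');
        UPDATE accounts SET balance = 90, updated_at = '{T2}' WHERE id = 1;
    """)
    return conn


def insider_tampers(conn: sqlite3.Connection) -> None:
    """Constructed scenario: a DBA inflates bob's balance, deletes the audit row the trigger
    wrote, and backdates updated_at (which alone does not fire the balance trigger)."""
    conn.executescript(f"""
        UPDATE accounts SET balance = 900, updated_at = '{T3}' WHERE id = 2;
        DELETE FROM audit WHERE id = (SELECT MAX(id) FROM audit);
        UPDATE accounts SET updated_at = '{T1}' WHERE id = 2;
    """)


def check_audit_chain(conn: sqlite3.Connection) -> list[str]:
    """Each row's balance and updated_at must be explained by its audit history."""
    findings = []
    for acct, balance, updated_at in conn.execute("SELECT id, balance, updated_at FROM accounts"):
        rows = conn.execute(
            "SELECT old_balance, new_balance, changed_at FROM audit WHERE account_id = ? ORDER BY id",
            (acct,)).fetchall()
        if not rows:
            findings.append(f"account {acct}: no audit history")
            continue
        prev_new = None
        for old, new, _ in rows:
            if prev_new is not None and old != prev_new:
                findings.append(f"account {acct}: audit chain broken ({prev_new} -> {old})")
            prev_new = new
        last_new, last_at = rows[-1][1], rows[-1][2]
        if last_new != balance:
            findings.append(f"account {acct}: balance {balance} not explained by audit (last audited {last_new})")
        if last_at != updated_at:
            findings.append(f"account {acct}: updated_at {updated_at} disagrees with last audit entry {last_at}")
    return findings


def check_audit_gaps(conn: sqlite3.Connection) -> list[int]:
    """AUTOINCREMENT never reuses ids, so sqlite_sequence reveals deleted audit rows."""
    ids = {r[0] for r in conn.execute("SELECT id FROM audit")}
    row = conn.execute("SELECT seq FROM sqlite_sequence WHERE name = 'audit'").fetchone()
    issued = row[0] if row else (max(ids) if ids else 0)
    return [i for i in range(1, issued + 1) if i not in ids]


def preserve_copy(conn: sqlite3.Connection, path: str) -> str:
    """Forensic copy of the live database via the online backup API, with SHA-256 for custody."""
    dst = sqlite3.connect(path)
    conn.backup(dst)
    dst.close()
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def run_scenario() -> tuple[list[str], list[int], str]:
    """Build, tamper, preserve, check; returns (findings, missing audit ids, copy sha256)."""
    db = build_sample_db()
    insider_tampers(db)
    with tempfile.TemporaryDirectory() as d:
        digest = preserve_copy(db, os.path.join(d, "evidence.sqlite"))
    return check_audit_chain(db), check_audit_gaps(db), digest


if __name__ == "__main__":
    clean = build_sample_db()
    print("clean database:", check_audit_chain(clean), check_audit_gaps(clean))
    findings, gaps, digest = run_scenario()
    print("after tampering:", findings, "missing audit ids:", gaps)
    print("evidence copy sha256:", digest)
```

The backdated updated_at on its own is invisible here because the insider also reset it to a value that matches the remaining audit entry; it is the balance that the surviving audit chain cannot explain, together with the gap in the audit sequence, that exposes the change. An audit table a DBA can delete from is weak evidence on its own, which is why the roles section later argues for separating security administration from database administration.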


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
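The three decision factors named above (IP address, time of day, authentication mode) can be expressed as a small rule check. The following Python is an added example, not code from the chapter or from any database product; the network ranges, business hours, accepted authentication modes and the set of rule-gated statements are constructed policy values.

```python
import ipaddress
from datetime import datetime

# Constructed policy values for this example; a real deployment would load them
# from the database's own rule configuration.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.10.0/24")]
BUSINESS_HOURS = (8, 18)              # 08:00 inclusive to 18:00 exclusive, Monday to Friday
STRONG_AUTH_MODES = {"kerberos", "certificate"}
# Statements that change the database system; ordinary queries are not rule-gated here.
ADMIN_OPERATIONS = {"CREATE", "ALTER", "DROP", "GRANT", "REVOKE"}


def evaluate_rules(operation, client_ip, when, auth_mode):
    """Decide whether an administrative operation may proceed.

    `when` is a "YYYY-MM-DD HH:MM" local timestamp. Returns (allowed, reasons);
    each decision factor from the text is one independent check, so the caller
    sees every rule that was violated rather than only the first.
    """
    if operation.upper() not in ADMIN_OPERATIONS:
        return True, []
    moment = datetime.strptime(when, "%Y-%m-%d %H:%M")
    reasons = []
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in CORPORATE_NETS):
        reasons.append("client %s is outside the corporate intranet" % addr)
    in_hours = BUSINESS_HOURS[0] <= moment.hour < BUSINESS_HOURS[1] and moment.weekday() < 5
    if not in_hours:
        reasons.append("outside normal business hours")
    if auth_mode not in STRONG_AUTH_MODES:
        reasons.append("authentication mode %r is not accepted for administrative changes" % auth_mode)
    return not reasons, reasons


if __name__ == "__main__":
    for req in [("ALTER", "10.1.2.3", "2009-03-03 10:30", "kerberos"),
                ("DROP", "203.0.113.5", "2009-03-03 22:00", "password"),
                ("GRANT", "192.168.10.7", "2009-03-07 11:00", "certificate"),
                ("SELECT", "203.0.113.5", "2009-03-03 22:00", "password")]:
        print(req[0], evaluate_rules(*req))
```

The check is deliberately layered: an in-hours request from an intranet address still fails if the administrator authenticated with a weak mode, which is what makes the factors multiplicative rather than alternative.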

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
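The two analysis styles in this section, matching known patterns and comparing against a learned baseline, can both be run over captured SQL. The Python below is an added example (not the chapter's code or any product's); the log line format, the sample statements, the learning window and the two signatures are constructed for it. The injected statement it flags is the same innocuous test value this chapter uses in its SQL injection section.

```python
import re
from collections import defaultdict

# Constructed log lines in an invented "ts user src sql" format, standing in for
# the SQL an activity-monitoring sensor would capture from the network or a host agent.
BASELINE_LOG = [
    "2009-03-02 09:01:10 user=app_user src=10.1.5.20 sql=SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'",
    "2009-03-02 09:02:44 user=app_user src=10.1.5.20 sql=SELECT phone FROM directory WHERE lastname = 'smith' AND firstname = 'ann'",
    "2009-03-02 09:10:00 user=dba1 src=10.1.9.2 sql=SELECT count(*) FROM directory",
]
LIVE_LOG = [
    "2009-03-03 11:00:01 user=app_user src=10.1.5.20 sql=SELECT phone FROM directory WHERE lastname = 'lee' AND firstname = 'kim'",
    "2009-03-03 11:00:07 user=app_user src=10.1.5.20 sql=SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1",
    "2009-03-03 11:05:30 user=dba1 src=10.1.9.2 sql=ALTER TABLE directory ADD COLUMN note TEXT",
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) sql=(?P<sql>.*)$")

# Signatures for known injection patterns (policy-breach detection); constructed list.
SIGNATURES = [
    ("tautology", re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE)),
    ("union select", re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)),
]


def normalize(sql):
    """Reduce a statement to its shape: literals become '?', whitespace and case are folded."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)   # quoted strings, including '' escapes
    shape = re.sub(r"\b\d+\b", "?", shape)         # bare numbers
    return re.sub(r"\s+", " ", shape).strip().upper()


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def build_baseline(lines):
    """Per-user set of statement shapes seen during the learning window."""
    baseline = defaultdict(set)
    for e in parse(lines):
        baseline[e["user"]].add(normalize(e["sql"]))
    return baseline


def detect(lines, baseline):
    """Return (ts, user, reason) alerts for signature matches and off-baseline statements."""
    alerts = []
    for e in parse(lines):
        for name, rx in SIGNATURES:
            if rx.search(e["sql"]):
                alerts.append((e["ts"], e["user"], "signature: " + name))
        if normalize(e["sql"]) not in baseline.get(e["user"], set()):
            alerts.append((e["ts"], e["user"], "anomaly: statement shape not in baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_LOG, build_baseline(BASELINE_LOG)):
        print(*alert)
```

The first live statement differs from the baseline only in its literals and so is silent; the injected one raises both a signature and a baseline alert, and the DBA's schema change raises a baseline alert alone, which is the case a signature list on its own would never catch.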


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel module level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.
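A permissions review of the kind called for here, and in the compliance section above with its emphasis on public grants, can be scripted against an exported grant listing. The Python below is an added example, not the chapter's own material; the CSV export, the role list, the service-account allow-list and the generic REVOKE syntax are constructed assumptions and do not mirror any particular DBMS's catalog views.

```python
import csv
import io

# Constructed export of object privileges in a generic
# grantee,owner,object,privilege shape (invented for this example).
GRANTS_CSV = """grantee,owner,object,privilege
PUBLIC,HR,EMPLOYEES,SELECT
PUBLIC,HR,SALARIES,UPDATE
APP_ROLE,HR,EMPLOYEES,SELECT
APP_ROLE,HR,EMPLOYEES,UPDATE
BATCH_SVC,HR,SALARIES,SELECT
BATCH_SVC,HR,SALARIES,DELETE
JSMITH,HR,SALARIES,SELECT
JSMITH,SYS,DBA_USERS,SELECT
"""

# The review standard, also constructed: roles that may hold grants directly,
# automated-process accounts with their approved privilege sets, and the rule
# that individual users receive access only through roles.
ROLES = {"APP_ROLE"}
SERVICE_ACCOUNTS = {"BATCH_SVC": {("HR", "SALARIES", "SELECT")}}


def review_grants(csv_text):
    """Return a list of (rule, grantee, object, privilege) findings."""
    findings = []
    for g in csv.DictReader(io.StringIO(csv_text)):
        who = g["grantee"]
        obj = "%s.%s" % (g["owner"], g["object"])
        priv = g["privilege"]
        if who == "PUBLIC":
            # Anything granted to PUBLIC is reachable by every account, so it is always reviewed.
            findings.append(("grant to PUBLIC", who, obj, priv))
        elif who in SERVICE_ACCOUNTS:
            if (g["owner"], g["object"], priv) not in SERVICE_ACCOUNTS[who]:
                findings.append(("service account privilege outside approved set", who, obj, priv))
        elif who not in ROLES:
            findings.append(("direct grant to individual account; grant via a role instead", who, obj, priv))
    return findings


def remediation_sql(findings):
    """Turn findings into REVOKE statements for the DBA to review (generic SQL syntax)."""
    return ["REVOKE %s ON %s FROM %s;" % (priv, obj, who) for _, who, obj, priv in findings]


if __name__ == "__main__":
    for stmt in remediation_sql(review_grants(GRANTS_CSV)):
        print(stmt)
```

Running this on a schedule and diffing the findings against the previous run turns a one-off assessment into the continuous compliance check the text distinguishes from it.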

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform of the time the error occurred, and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
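The two code paths below, as an added example that is not part of the chapter, show the defect the manual test detects and the recommended fixes side by side, using Python and an in-memory SQLite table in place of the directory.asp page and SQL Server. The probe string is the chapter's own test value with its URL-encoding decoded; the table contents and the name allow-list are constructed for the example. SQLite reports the unbalanced quote as a tokenizer error rather than the "Invalid object name" message shown above, but either way an error from the database layer is the signal the text tells you to look for.

```python
import re
import sqlite3

# The page's test value with its URL-encoding decoded (%3e = '>', %3d = '=').
PROBE = "mike' AND (select count(*) from fake) > 0 OR 1=1"
# Allow-list for a person's name: letters, spaces, hyphens and apostrophes only (constructed).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")


def setup():
    """Constructed in-memory directory table standing in for the page's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0101")])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The defect the text describes: user input is pasted into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened form: the input travels as a bound parameter, never as SQL text."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def is_valid_name(value):
    """Parameter checking from the text's first recommendation, as an allow-list."""
    return NAME_RE.match(value) is not None


def lookup_checked(conn, lastname, firstname):
    """Validate first, then query with parameters; the probe is rejected before any SQL runs."""
    if not (is_valid_name(lastname) and is_valid_name(firstname)):
        raise ValueError("invalid name")
    return lookup_parameterized(conn, lastname, firstname)


def probe_result(lookup, conn):
    """Run the page's browser test against one implementation and summarise the outcome."""
    try:
        rows = lookup(conn, "chapple", PROBE)
    except sqlite3.Error as exc:
        return "database error: %s" % exc
    return "rows: %r" % rows


if __name__ == "__main__":
    db = setup()
    print("vulnerable:    ", probe_result(lookup_vulnerable, db))
    print("parameterized: ", probe_result(lookup_parameterized, db))
```

Note that the allow-list still admits a legitimate apostrophe (O'Brien) while rejecting the probe on its parentheses and operators; the parameterized query is what makes even an admitted apostrophe harmless, so the two controls belong together rather than as alternatives.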

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. Above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards, mainly MMC memory cards but not exclusively. Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is the cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls in a town called Soham, Jessica Chapman and Holly Wells. This technology is relatively new, and although it was proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call and therefore not be at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phone, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud or Computer crime refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use such fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell information like DVDs, CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target the users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further. When you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession
• Documenting the date and time associated with computer files when the computer was taken into evidence
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
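Several of the steps above (the bit-stream copy, mathematical authentication of the evidence, a keyword list, and the evaluation of file slack and unallocated space) can be shown together on one small constructed image. The Python below is an added example, not from the chapter; the 4 KiB image, its two files, the 512-byte sector size and the keywords are all constructed for it, and the hashes are computed by the standard library rather than by any forensic suite.

```python
import hashlib
from datetime import datetime, timezone

SECTOR = 512


def build_sample_image():
    """Constructed 4 KiB 'disk image' (8 sectors) with two live files, file slack
    and a deleted-file remnant in unallocated space. Returns (image, allocation)."""
    img = bytearray(8 * SECTOR)
    notes = b"Meeting notes: transfer the payment to account 123 on Monday."
    img[0:len(notes)] = notes
    # Bytes left in notes.txt's last sector by an earlier, larger file: file slack.
    leftover = b"old draft: send the wire to offshore acct"
    img[len(notes):len(notes) + len(leftover)] = leftover
    todo = b"todo: call bank"
    img[2 * SECTOR:2 * SECTOR + len(todo)] = todo
    # A deleted file's remnant in sectors no live file owns: unallocated space.
    deleted = b"wire instructions: offshore acct 987"
    img[6 * SECTOR:6 * SECTOR + len(deleted)] = deleted
    allocation = [("notes.txt", 0, len(notes)), ("todo.txt", 2 * SECTOR, len(todo))]
    return bytes(img), allocation


def acquire(image, acquired_at=None):
    """Record what the examiner documents at seizure: size, hashes and the time taken."""
    stamp = (acquired_at or datetime.now(timezone.utc)).isoformat()
    return {"size": len(image),
            "sha256": hashlib.sha256(image).hexdigest(),
            "md5": hashlib.md5(image).hexdigest(),
            "acquired_at": stamp}


def verify(image, record):
    """Mathematical authentication: the working copy must still match the seizure record."""
    return len(image) == record["size"] and hashlib.sha256(image).hexdigest() == record["sha256"]


def region_of(offset, allocation):
    """Classify an offset as allocated file data, file slack, or unallocated space."""
    for _name, start, length in allocation:
        if start <= offset < start + length:
            return "allocated"
        sector_end = ((start + length + SECTOR - 1) // SECTOR) * SECTOR
        if start + length <= offset < sector_end:
            return "slack"
    return "unallocated"


def keyword_search(image, keywords, allocation):
    """Every occurrence of every keyword, with the region it was found in."""
    hits = []
    for kw in keywords:
        pos = image.find(kw)
        while pos != -1:
            hits.append((kw, pos, region_of(pos, allocation)))
            pos = image.find(kw, pos + 1)
    return hits


if __name__ == "__main__":
    image, alloc = build_sample_image()
    record = acquire(image)
    print("sha256", record["sha256"], "verified:", verify(image, record))
    for kw, off, region in keyword_search(image, [b"offshore", b"wire", b"payment"], alloc):
        print("%-10s offset %4d  %s" % (kw.decode(), off, region))
```

Two of the three keywords are found only outside the live files, which is why the text singles out file slack and unallocated space: a search limited to the file system's view of the disk would have missed them.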

3.2.2 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


Using a network forensics tool, you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool.

Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore.

But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network, it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks.

As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users. But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used.

For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard, from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, DC) that could be programmed to only capture TCP/IP connections that contained a particular keyword.

It turned out that the hacker was breaking into other computers and setting up a program called sni256. So by only recording TCP/IP connections that contained the letters sni256, the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)


Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.1.4 Firewall Log Analysis and Management_______________

3.1.4.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming in and going out of the firewall, and allow you to plan your bandwidth requirement based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point Log Analysis, Cisco Device Log Analysis, CyberGuard Log Analysis, Fortigate Log Analysis, Microsoft ISA Log Analysis, NetScreen Log Analysis, SonicWALL Log Analysis, WatchGuard Log Analysis and many others.

3.1.4.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.
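A small parser for the key=value WELF records mentioned above, as an added Python example that is not part of the original chapter or of Firewall Analyzer: it splits each record into fields, totals bytes per source address (the bandwidth-usage question from 3.1.4.1) and pulls out denied events. The log lines, and the rule, sent and rcvd values in them, are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the page). WELF records are one line each,
# made of key=value pairs; values containing spaces are double-quoted.
SAMPLE_LOG = """\
id=firewall time="2010-03-12 10:00:01" fw=10.0.0.1 pri=6 rule=allow proto=http src=192.168.1.10 dst=203.0.113.5 sent=1200 rcvd=48000
id=firewall time="2010-03-12 10:00:05" fw=10.0.0.1 pri=6 rule=allow proto=https src=192.168.1.11 dst=203.0.113.9 sent=900 rcvd=15000
id=firewall time="2010-03-12 10:00:09" fw=10.0.0.1 pri=4 rule=deny proto=tcp src=198.51.100.7 dst=10.0.0.1 msg="port scan"
id=firewall time="2010-03-12 10:00:12" fw=10.0.0.1 pri=6 rule=allow proto=http src=192.168.1.10 dst=203.0.113.5 sent=300 rcvd=72000
"""

# key=value where the value is either a double-quoted string or a run of non-blanks
TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_welf_line(line):
    """Turn one WELF record into a dict; quoted values lose their quotes."""
    fields = {}
    for m in TOKEN.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def parse_welf(text):
    """Parse every non-blank line of a WELF export."""
    return [parse_welf_line(line) for line in text.splitlines() if line.strip()]


def bytes_by_source(records):
    """Total sent+rcvd bytes per src address; records without counters add 0."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += int(r.get("sent", 0)) + int(r.get("rcvd", 0))
    return dict(totals)


def denied_events(records):
    """Records whose rule field says the traffic was denied (constructed convention)."""
    return [r for r in records if r.get("rule") == "deny"]


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    for src, total in sorted(bytes_by_source(recs).items(), key=lambda kv: -kv[1]):
        print(f"{src:15} {total:>8} bytes")
    for r in denied_events(recs):
        print("DENIED", r["time"], r["src"], "->", r["dst"], r.get("msg", ""))
```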

3.1.4.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly from Firewall Analyzer and generate reports for them.

3.1.4.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.1.4.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed, and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.1.4.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.1.4.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving the report and alert profiles. You can export the profiles and save them, and import them later to get the profiles back. This comes in handy in case of exigencies, such as when you are moving the server to a different machine. You can also save the exported profiles file.


3.1.5 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors referenced on that page include: Forensic ToolKit, AccessData Corp., Email Examiner, EnCase, Guidance Software, Paraben Corp., ProDiscover, Sleuth Kit, Technology Pathways, dtSearch and dtSearch Corp.

3.1.6 Database Forensics_______________________________

Database Forensics is a computer science term referring to the forensic study of databases. It means the gathering and analyzing of data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or those with internal access to an organization putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.1.6.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.1.6.2 Realms

Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.1.6.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet, or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.1.6.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.1.6.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating the schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems, along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.1.6.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.1.6.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login ID and password) and authenticate to the database on behalf of the user.

3.1.6.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.1.6.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.1.6.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.1.7 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.1.7.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.1.7.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.1.7.3 Evaluating the Results

The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.
• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
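The probe from 3.1.7.2 run against a string-built lookup and against the parameterized form that the steps above recommend, as an added Python example (SQLite in memory) that is not part of the original article: the vulnerable query surfaces the database's "no such table: fake" error exactly as the article predicts, the parameterized query simply finds nobody, and parse_customer_number is the numeric parameter check from the first step. The directory rows are constructed.

```python
import re
import sqlite3

# Constructed directory rows (not from the page).
DIRECTORY = [
    ("chapple", "mike", "555-0100"),
    ("smith", "jane", "555-0101"),
]

# The article's test value for firstname, URL-decoded.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", DIRECTORY)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the WHERE clause by string formatting: user input becomes SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Same query with bound parameters: the input is only ever compared as data."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def parse_customer_number(value):
    """Parameter check from the article: accept only an ASCII decimal number."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("customer number must be numeric")
    return int(value)


def run_probe(lookup):
    """Run the article's probe through a lookup; report rows or the database error."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, "chapple", PROBE))
    except sqlite3.OperationalError as exc:
        # the string-built query reaches the engine as
        #   ... firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'
        # and the engine complains about the table that does not exist
        return ("db_error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable:    ", run_probe(lookup_vulnerable))      # ('db_error', 'no such table: fake')
    print("parameterized: ", run_probe(lookup_parameterized))   # ('rows', [])
```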

3.1.8 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. Above are, of course, just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although proven in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' or prepaid types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to a criminal activity in which a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. The cyber criminals of today are sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and by legitimate companies alike. Once installed on a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the Internet, and it makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. As the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people.
• Illegally using someone else's computer, or "posing" as someone else on the Internet.
• Using spyware to gather information about people.
• Emails requesting money in return for "small deposits".
• Pyramid schemes or investment schemes via computer, with the intent to take and use someone else's money.
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.
• Using someone else's computer to access personal information with the intent to use it fraudulently.
• Using the computer to solicit minors into sexual alliances.
• Violating copyright laws by copying information, such as DVDs and CDs, with the intent to sell it.
• Hacking into computer systems to gather large amounts of information for illegal purposes.
• Hacking into, or illegally using, a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes do not necessarily involve damage to physical property; they rather involve the manipulation of confidential data and critical information. Computer crimes include software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on that system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, across the network or the Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information, and then harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done, through split lines, without you even knowing it. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayer's or company's time and money, surf the web or play games without proper authorization. In many instances this kind of behavior is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important step is to evaluate the file slack in the data storage area; file slack is a good source of evidence for crimes committed through the Internet.

Evaluating unallocated space provides the necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
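The steps above are a single procedure, so here is one added example that carries three of them through in code (it is not code from the course): mathematically authenticating the acquired data with hashes recorded at seizure time and re-checked at examination time, running the keyword list over the raw bytes of the image so that hits in file slack and unallocated space are found alongside live files, and writing the findings to a documented report. The four-sector "disk image", its contents and the keyword list are all constructed for the illustration.

```python
"""Hashing and keyword scanning of an acquired image.

Added illustration for the investigation steps in the text; not course code.
The image is a constructed 4-sector byte string standing in for a bit-stream
copy of a drive, and the keyword list is an assumed investigator input.
"""
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size of the constructed image


def build_sample_image() -> bytes:
    """Constructed image: sector 0 holds a live file followed by slack left by
    an earlier occupant of the cluster; sector 3 holds a fragment of a deleted
    file that no directory entry references (unallocated space)."""
    img = bytearray(SECTOR * 4)  # all zero bytes to start
    live = b"Invoice 2011-07 sent to accounts@example.invalid\n"
    slack = b"old password list: hunter2"
    deleted = b"wire transfer 45000 to offshore acct 8871\n"
    img[0:len(live)] = live
    img[len(live):len(live) + len(slack)] = slack
    img[3 * SECTOR:3 * SECTOR + len(deleted)] = deleted
    return bytes(img)


def hash_image(image: bytes) -> dict:
    """Digests recorded at acquisition time (two algorithms, as is customary)."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_image(image: bytes, recorded: dict) -> bool:
    """Re-hash at examination time; a change to any single byte fails this."""
    return hash_image(image) == recorded


def keyword_scan(image: bytes, keywords) -> list:
    """Case-insensitive search over the raw bytes, so matches in slack and
    unallocated space are found just like those inside live files."""
    haystack = image.lower()
    hits = []
    for kw in keywords:
        needle = kw.lower().encode()
        pos = haystack.find(needle)
        while pos != -1:
            hits.append({
                "keyword": kw,
                "offset": pos,
                "sector": pos // SECTOR,
                "context": image[pos:pos + 32].rstrip(b"\x00\n").decode("latin-1"),
            })
            pos = haystack.find(needle, pos + 1)
    return hits


def findings_report(image: bytes, recorded: dict, keywords) -> dict:
    """Documented findings: integrity result, keyword hits, and when it ran."""
    return {
        "examined_at": datetime.now(timezone.utc).isoformat(),
        "acquisition_hashes": recorded,
        "integrity_verified": verify_image(image, recorded),
        "hits": keyword_scan(image, keywords),
    }


if __name__ == "__main__":
    img = build_sample_image()
    record = hash_image(img)  # made when the drive was seized
    report = findings_report(img, record, ["password", "wire transfer", "offshore"])
    print(json.dumps(report, indent=2))
```

Run against a real image, the only change is replacing build_sample_image() with the bytes read from the bit-stream copy; the scan deliberately ignores the file system, which is why the "password" hit in sector 0 slack and the "wire transfer" hit in unallocated sector 3 are reported with the same confidence as a hit inside a live file.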

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws governing it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and to commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers.
• Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works

Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX root or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around in other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions.

From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations inform their employees with a posted policy and leave it at that.)

ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, the monitoring is needed to maintain system operations, or there is a court-authorized intercept.

Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their terms of service agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record the information specified in their warrant.

Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.

3.14 Firewall Log Analysis and Management_______________

3.14.1 Comprehensive Analysis of Firewall Logs

Firewall logs reveal a lot of information on the nature of traffic coming into and going out of the firewall, and allow you to plan your bandwidth requirements based on the bandwidth usage across the firewalls. Analyzing these firewall traffic logs is vital to understanding network and bandwidth usage, and plays an important role in business risk assessment. Firewall Analyzer offers many features that help in collecting, analyzing and reporting on firewall logs.


Firewall Analyzer supports Check Point log analysis, Cisco device log analysis, CyberGuard log analysis, Fortigate log analysis, Microsoft ISA log analysis, NetScreen log analysis, SonicWALL log analysis, WatchGuard log analysis and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF format, this is the best configuration option.

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.
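To make concrete what "analyzing firewall logs" for bandwidth and risk means in the WELF format that the sections above keep returning to, here is an added example (not a feature of Firewall Analyzer and not code from the course). WELF records are space-separated key=value pairs with quoted values where a value contains spaces; the four log lines and the firewall name "fw01" are constructed, and the rule that a record counts as a denial when its msg field mentions "deny" or "denied" is an assumption, since each vendor words this differently.

```python
"""WELF firewall log summary: bandwidth per source and denied connections.

Added example, not code from Firewall Analyzer or the course. The log lines
are constructed; the denial heuristic on the msg field is an assumption.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed sample export from a fictional firewall "fw01".
SAMPLE_LOG = """\
id=firewall time="2011-07-12 09:14:03" fw=fw01 pri=6 proto=http src=10.1.1.20 dst=203.0.113.10 rule=allow-web op=GET arg=/index.html result=200 sent=512 rcvd=20480
id=firewall time="2011-07-12 09:14:09" fw=fw01 pri=6 proto=http src=10.1.1.20 dst=203.0.113.10 rule=allow-web op=GET arg=/logo.png result=200 sent=1024 rcvd=4096
id=firewall time="2011-07-12 09:15:41" fw=fw01 pri=4 proto=ssh src=10.1.1.77 dst=198.51.100.5 rule=default msg="Denied by policy: outbound ssh"
id=firewall time="2011-07-12 09:15:42" fw=fw01 pri=4 proto=ssh src=10.1.1.77 dst=198.51.100.6 rule=default msg="Denied by policy: outbound ssh" sent=60
this line is not WELF at all
"""

# key=value where value is either a double-quoted string or a bare token
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_welf_line(line: str) -> Optional[dict]:
    """Return the key/value pairs of one record, or None if it is not WELF."""
    rec = {}
    for key, value in PAIR.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    # Every WELF record carries at least id, time and fw; reject anything else.
    if not all(k in rec for k in ("id", "time", "fw")):
        return None
    return rec


def is_denied(rec: dict) -> bool:
    """Assumed heuristic: the denial is signalled in the free-text msg field."""
    msg = rec.get("msg", "").lower()
    return "deny" in msg or "deni" in msg


def summarize(log_text: str) -> dict:
    """Bytes moved per internal source, denials per source, top talkers."""
    bytes_by_src = defaultdict(int)
    denied_by_src = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_welf_line(line)
        if rec is None:
            skipped += 1          # keep a count so gaps in coverage are visible
            continue
        src = rec.get("src", "?")
        bytes_by_src[src] += int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
        if is_denied(rec):
            denied_by_src[src] += 1
    top = sorted(bytes_by_src.items(), key=lambda kv: kv[1], reverse=True)
    return {"bytes_by_src": dict(bytes_by_src),
            "denied_by_src": dict(denied_by_src),
            "top_talkers": top,
            "skipped_lines": skipped}


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(name, value)
```

The skipped-line count matters as much as the totals: a report that silently drops unparseable records understates both bandwidth and the number of denials, which is exactly the kind of gap a risk assessment built on these logs needs to know about.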

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles and save them, and later import the profiles to get them back. This comes in handy in exigencies such as moving the server to a different machine. You can also keep the exported profiles file as a backup.


3.15 Network Forensics Tools__________________________

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

1. Forensic ToolKit, 2. AccessData Corp, 3. Email Examiner, 4. Encase, 5. Guidance Software, 6. Paraben Corp, 7. ProDiscover, 8. Sleuth Kit, 9. Technology Pathways, 10. chain of custody, 11. dtSearch, 12. dtSearch Corp, 13. evidence, 14. hash, 15. incident investigation, 16. intellectual property theft, 17. legal team, 18. network forensics, 19. network penetration, 20. Access and Physical Security, 21. Cyberterrorism, 22. Data Protection, 23. Other Security Policies and Management, Security and Privacy Software, Software and Web Development, Threats and Attacks, information security.

3.16 Database Forensics_______________________________

Database forensics is a computer science term referring to the forensic study of databases. It means gathering and analyzing data in a manner as free from distortion or bias as possible, in order to reconstruct data or what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known brands of DB, such as SQL Server and Oracle, has been contributed to the public domain. According to one recent Forrester study, 80 percent of data security breaches involve insiders, employees or those with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as email and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A Multi-Factored Security Model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.

3.16.4 Roles


As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, in large enterprises the roles of database administration and security administration should ideally be separated.


Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records, but security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure, and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure. Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially public ones) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. Directly related to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties and may provide evidence that the native audit trails were not modified by authenticated administrators. Generally the native audit trails of databases do not by themselves provide sufficient controls to enforce separation of duties (the administrator being audited can often disable or purge them), so network and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.
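One way to make the transferred audit trail tamper-evident on the receiving security system, as an added example (not code from the original page or any database vendor's native audit format): each record is stored with the SHA-256 of its predecessor, so modifying, inserting or deleting a record breaks every later link. The audit records are constructed; the chaining scheme is generic.

```python
"""Tamper-evident storage of an extracted native audit trail on a separate security system.

Added example, not code from the original page. The audit records are constructed;
the chaining scheme (each entry carries the hash of its predecessor) is generic and
not any vendor's native format.
"""
import hashlib
import json

# Constructed records, as they might be extracted from a database's native audit log.
RAW_AUDIT = [
    {"ts": "2024-03-01T09:00:00Z", "user": "dba1", "action": "GRANT", "object": "hr.salaries", "status": "OK"},
    {"ts": "2024-03-01T09:05:12Z", "user": "app_svc", "action": "SELECT", "object": "app.orders", "status": "OK"},
    {"ts": "2024-03-01T09:07:40Z", "user": "dba1", "action": "DELETE", "object": "audit_trail", "status": "DENIED"},
]

GENESIS = "0" * 64   # fixed seed for the first link


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same way.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def chain_records(records, seed=GENESIS):
    """Return a list of {record, prev, hash} entries to be written on the security system."""
    out, prev = [], seed
    for rec in records:
        h = _digest(prev, rec)
        out.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return out


def verify_chain(chained, seed=GENESIS):
    """Re-walk the chain; return (True, None) if intact, else (False, index of first bad entry)."""
    prev = seed
    for i, entry in enumerate(chained):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


if __name__ == "__main__":
    chained = chain_records(RAW_AUDIT)
    print("intact:", verify_chain(chained))
    chained[2]["record"]["status"] = "OK"          # an administrator rewrites history
    print("after tampering:", verify_chain(chained))
```

The chain only proves integrity from the moment of export onward; that is why the text insists on host- or network-level monitoring as well, since records the DBA suppressed before extraction never enter the chain at all. Anchoring the latest hash somewhere the security team alone controls (a signed daily digest, for instance) closes the remaining gap of someone rebuilding the whole chain.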

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such a system.

In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities

SQL injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those the application issues to the database. For an example, see the article "SQL Injection Attacks on Databases". In this section we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests


What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.


First, a word of caution: the tests described here only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow; for example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

One caveat: the application's own closing quote is still appended after the injected text, so the statement as actually executed ends with OR 1=1' and is unbalanced. Real probes therefore usually end the payload with a comment marker (for example --) or re-balance the quote (OR 'a'='a). Either way the point of the test is the same: a database error surfacing in the response shows that the injected text was parsed as SQL.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved (for example, it passes the input to the database as a bound parameter, or at least escapes or strips the single quote), this simply results in an odd lookup for someone whose first name includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike' AND (select count(*) from fake) > 0 OR 1=1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection. Some steps that you can take to protect your applications against SQL injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to perform the injected operation, the injection will not succeed.

• Use parameterized queries (prepared statements), or stored procedures called with bound parameters, so that user input is never concatenated into SQL text. A stored procedure that builds dynamic SQL from its arguments gives no protection.
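The whole test above, reproduced offline as an added example (not code from the original page): the directory lookup is written once by string concatenation, as directory.asp is assumed to do, and once with bound parameters, and both are fed the text's probe. Against an in-memory SQLite database the vulnerable version raises a database error (the quote-balanced variant fails precisely because the table fake does not exist, the counterpart of "Invalid object name 'fake'"), while the parameterized version treats the payload as an odd first name and returns no rows. The table, its rows and the function names are constructed.

```python
"""The directory lookup from the text, built the vulnerable way and the safe way, run
against an in-memory SQLite database.

Added example, not code from the original page. The table, its two rows and the
lookup functions are constructed; the payloads are the text's probe and two common
variants of it.
"""
import sqlite3

PAYLOADS = {
    # exactly the probe in the text; the application's own closing quote is left dangling
    "as_written": "mike' AND (select count(*) from fake) > 0 OR 1=1",
    # ends in a comment marker so the dangling quote is swallowed
    "comment_terminated": "mike' AND (select count(*) from fake) > 0 OR 1=1 --",
    # re-balances the quote so the statement parses and the missing table is what fails
    "quote_balanced": "mike' AND (select count(*) from fake) > 0 OR 'a'='a",
}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    con.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                    [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0199")])
    return con


def lookup_vulnerable(con, lastname, firstname):
    """Builds the statement by string concatenation, as directory.asp in the text is assumed to."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, lastname, firstname):
    """Binds the values as parameters; the quote in the input never reaches the parser as syntax."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in con.execute(sql, (lastname, firstname))]


def probe(lookup, con, payload):
    """Classify one lookup the way the manual test does: an error from the database means
    the injected text was parsed as SQL, so the code path is vulnerable."""
    try:
        rows = lookup(con, "chapple", payload)
    except sqlite3.Error as exc:
        return "vulnerable: database error leaked: %s" % exc
    return "not vulnerable: payload treated as data, %d row(s)" % len(rows)


if __name__ == "__main__":
    con = make_db()
    for name, payload in PAYLOADS.items():
        print("%-18s concat: %s" % (name, probe(lookup_vulnerable, con, payload)))
        print("%-18s bound:  %s" % (name, probe(lookup_safe, con, payload)))
    # the classic tautology: every row comes back from the concatenated version
    print("concat OR '1'='1 ->", lookup_vulnerable(con, "chapple", "x' OR '1'='1"))
    print("bound  OR '1'='1 ->", lookup_safe(con, "chapple", "x' OR '1'='1"))
```

The last two lines show why "no error" alone is not proof of safety: a vulnerable lookup can also succeed and silently return every row, so a manual tester should watch for unexpected results as well as for error pages.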

3.18 Mobile Forensics

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking whether a partner has been cheating on them, by human resources departments that need to prove whether "that" phone call was actually taken, or by private investigators checking whether a client was where they say they were at a given time. These are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature says that you will tell at least someone. On a computer those records could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes), your MSG files (individual Microsoft Outlook messages), your DBX files (Microsoft Outlook Express) and your EML files (generic e-mail message files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory or removable memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources but must have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development is cell-site location analysis, which uses the cellular transmitters a handset registered with to help agencies establish the approximate whereabouts of the person under investigation. This investigative technique was first used in a very high-profile case in the United Kingdom, the murders of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technique is relatively new, and although it has been accepted in a British court of law, that does not necessarily mean it is accepted throughout the world.

There are, of course, limitations. Cell-site data locates the handset, not the person: simply passing the phone to a colleague or accomplice would place the phone in another location at the time of a call and therefore away from the scene of the crime. There is also the problem of "pay-as-you-go" prepaid phones, which have no registered link to their owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing e-mails, pictures, deleted files, instant messages and much more, all with date and time history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with millions in sales, the malicious crime of computer fraud has become a bigger issue than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. The cyber criminals of today include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by criminals and, in milder forms, by some legitimate companies. Once installed on a computer it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer stores numerous files that can contain sensitive data, including your name, address, telephone number and e-mail address. This information is often found in places such as your browser history, cache, cookies or temporary Internet files. A sophisticated piece of spyware can retrieve this information and report the details back to the source that launched it.

Spyware has frequently got into systems by abusing a Microsoft technology known as ActiveX. ActiveX is not a language but a component technology that lets a web page run native code inside Internet Explorer, which is what made many rich web pages of the time work. When an ActiveX control is malicious, or a legitimate one is exploited by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase (securely wipe) the contents of your hard drive; simply deleting files or formatting the drive leaves the data recoverable. As the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent at least to emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax e-mails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• E-mails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• E-mails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information, like DVDs and CDs, with the intent to sell it
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather involve the manipulation of confidential data and critical information. They include software theft and activities that compromise the privacy of users. These criminal activities involve the breach of personal and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime


The different types of computer crimes involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking: the act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with intent to gain access to the private communication of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the spoofing of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by masquerading as a trustworthy source. Phishing is carried out through e-mails or by luring users to enter personal information into fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing and releasing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and then harass them on the basis of the information gathered. Obscene e-mails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using another person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as that person. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the Internet or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to find out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists and so on.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups (sector-by-sector images) of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically (computing cryptographic hashes such as MD5 or SHA-256) on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords to facilitate the evaluation of data on the computer's hard disk drive.


An important step in investigating a computer crime is to evaluate the Windows swap (page) file, which can contain fragments of data from memory, including material that was never deliberately saved to disk. The next thing to evaluate is file slack, the unused space between the end of a file's data and the end of the last disk cluster allocated to it; it can retain fragments of data written earlier and is a good source when investigating crimes committed through the Internet.

Evaluating unallocated space provides information about deleted files on the computer, whose contents often remain on disk until overwritten. Encrypted, compressed and graphic files should be evaluated manually, since keyword searches will not see inside them.

Finally, it is important to document the findings and issues that have been identified during the computer search.
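The acquisition-hash, hash re-verification and keyword-search steps above, carried through on one constructed evidence image as an added example (not code from the original page or from any forensic tool). The image is a 256-byte buffer with a hand-written allocation map so that each keyword hit can be labelled as live file data, file slack or unallocated space; on a real image the map would come from a filesystem parser such as The Sleuth Kit.

```python
"""Acquisition hash, re-verification and raw keyword search over an evidence image,
classifying each hit as allocated file data, file slack or unallocated space.

Added example, not code from the original page. The 'disk image' is a constructed
256-byte buffer with a hand-written allocation map; on a real image the map comes
from a filesystem parser (for instance The Sleuth Kit), not from this code.
"""
import hashlib
import re

CLUSTER = 64   # bytes per cluster in the constructed image


def build_image():
    """Constructed image of four clusters: cluster 0 holds a live file (plus slack),
    clusters 1-3 are unallocated but cluster 2 still holds a deleted message."""
    live = b"Quarterly report: revenue figures attached.\n"       # 44 bytes of live data
    slack = b"old password:hunter2"                                # 20 bytes of residue past EOF
    deleted = b"From: mike\nTransfer 40000 to acct 998877 before audit\n"
    assert len(live) + len(slack) == CLUSTER and len(deleted) <= CLUSTER
    image = bytearray(CLUSTER * 4)
    image[0:len(live)] = live
    image[len(live):CLUSTER] = slack                  # bytes past EOF inside the file's last cluster
    image[2 * CLUSTER:2 * CLUSTER + len(deleted)] = deleted
    allocation = {"report.txt": {"clusters": [0], "size": len(live)}}
    return bytes(image), allocation


def acquire(image):
    """Acquisition hash recorded at seizure; every later access is checked against it."""
    return hashlib.sha256(image).hexdigest()


def verify(image, recorded_hash):
    """Re-hash before analysis: any change since acquisition invalidates the evidence."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


def classify(offset, allocation):
    """Map a byte offset to 'allocated:<file>', 'slack:<file>' or 'unallocated'."""
    cluster = offset // CLUSTER
    for name, entry in allocation.items():
        if cluster in entry["clusters"]:
            pos_in_file = entry["clusters"].index(cluster) * CLUSTER + offset % CLUSTER
            return ("allocated:" if pos_in_file < entry["size"] else "slack:") + name
    return "unallocated"


def keyword_search(image, keywords, allocation):
    """Search the raw image, not just the live files, so slack and deleted data are covered."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.I):
            hits.append((kw, m.start(), classify(m.start(), allocation)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    image, allocation = build_image()
    recorded = acquire(image)
    print("acquisition sha256:", recorded)
    print("verified before analysis:", verify(image, recorded))
    for kw, offset, where in keyword_search(image, ["audit", "password", "revenue"], allocation):
        print("%-9s at offset %3d  (%s)" % (kw, offset, where))
```

Only one of the three hits lives in a file the operating system would show; the other two sit in slack and in unallocated clusters, which is exactly why the text says a keyword list must be run against the whole drive and not just the visible file system. The hash recorded at acquisition is what lets the examiner later testify that the search was run against unaltered evidence.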

3.22 Recommendations

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the e-mail scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they are.
• Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer in plain text, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.


Figures referenced in this chapter:
• Figure 3.1 NetIQ Security Manager Forensic Analysis Report
• Figure 3.2 How Spoofing Works

Firewall Analyzer supports log analysis for Check Point, Cisco devices, CyberGuard, Fortigate, Microsoft ISA, NetScreen, SonicWALL, WatchGuard and many others.

3.14.2 Automatic Firewall Detection

Simply configure your firewall to export logs to Firewall Analyzer. Firewalls are then automatically detected and reports are generated instantly. For all firewalls that support exporting logs in WELF (WebTrends Enhanced Log Format), this is the best configuration option.
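What a log analyzer has to do with an exported WELF feed before any report can be generated, as an added example (not code from the original page or from the Firewall Analyzer product): parse the key=value records, reject lines that are not WELF, and tabulate denied traffic by source and destination port. The log lines are constructed to follow the WELF layout (space-separated key=value pairs, double-quoted values that may contain spaces, and the required id, time, fw and pri keys); the msg wording and the dstport field are vendor-style assumptions, since field names beyond the required four vary by product.

```python
"""Parse WELF (WebTrends Enhanced Log Format) firewall records and build a denied-traffic report.

Added example, not code from the original page or the Firewall Analyzer product.
The log lines are constructed to follow the WELF key=value layout; the msg wording
and field names beyond id/time/fw/pri are assumptions, as they vary by vendor.
"""
import re
from collections import Counter

# A WELF token is key=value; the value is a double-quoted string (spaces and \" allowed) or a bare word.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
REQUIRED = {"id", "time", "fw", "pri"}

# Constructed sample feed: four WELF records and one line of junk.
SAMPLE_LOG = """\
id=firewall time="2024-03-01 09:00:01" fw=edge-fw1 pri=6 rule=12 proto=tcp src=203.0.113.7 dst=192.0.2.10 dstport=22 msg="Deny TCP connection"
id=firewall time="2024-03-01 09:00:02" fw=edge-fw1 pri=6 rule=12 proto=tcp src=203.0.113.7 dst=192.0.2.10 dstport=23 msg="Deny TCP connection"
id=firewall time="2024-03-01 09:00:03" fw=edge-fw1 pri=4 rule=3 proto=tcp src=198.51.100.4 dst=192.0.2.10 dstport=443 msg="Allow TCP connection"
id=firewall time="2024-03-01 09:00:04" fw=edge-fw1 pri=6 rule=12 proto=udp src=203.0.113.9 dst=192.0.2.10 dstport=161 msg="Deny UDP packet"
this line is not WELF at all
"""


def parse_welf_line(line):
    """Return a dict of fields, or None if the line lacks the required WELF keys."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields if REQUIRED <= fields.keys() else None


def parse_welf(text):
    """Parse a whole feed; returns (records, number_of_rejected_lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_welf_line(line)
        if rec is None:
            rejected += 1          # count rather than drop silently: junk in a feed is itself a finding
        else:
            records.append(rec)
    return records, rejected


def denied_report(records):
    """Top sources and destination ports among denied events, as a log-analysis tool would tabulate."""
    denied = [r for r in records if r.get("msg", "").lower().startswith("deny")]
    return {
        "total_denied": len(denied),
        "by_src": Counter(r.get("src") for r in denied).most_common(),
        "by_dstport": Counter(r.get("dstport") for r in denied).most_common(),
    }


if __name__ == "__main__":
    records, rejected = parse_welf(SAMPLE_LOG)
    print("parsed %d record(s), rejected %d line(s)" % (len(records), rejected))
    report = denied_report(records)
    print("denied events:", report["total_denied"])
    print("top denied sources:", report["by_src"])
    print("top denied ports:", report["by_dstport"])
```

The same parser is what a log-import path needs when a device cannot export WELF natively: convert the vendor's own format into these key=value records once, and every report downstream stays unchanged.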

3.14.3 Firewall Log Import

In the case of Squid proxy servers and firewalls that do not export logs in an acceptable format, you can import log files directly into Firewall Analyzer and generate reports from them.

3.14.4 Firewall Log Archiving

Logs received from firewalls, Squid proxy servers and RADIUS servers are archived at specific intervals. You can load these log archives into the database at any time and generate reports for specific activity. However, log archiving takes up disk space, so you can disable this option at any time; bear in mind that doing so discards the raw records you would need as evidence later.

3.14.5 Specific Check Point Settings

Firewall Analyzer lets you add LEA (Log Export API) servers to establish connections and retrieve logs from Check Point firewalls. You can add as many LEA servers as needed and set up authenticated or unauthenticated connections to retrieve firewall logs.

3.14.6 Embedded Syslog Server

Firewall Analyzer comes pre-bundled with a syslog server that listens for exported firewall logs on the defined listener ports. You can add more listener ports to this syslog server in order to collect logs from different firewalls. The syslog server is part of Firewall Analyzer and does not require a separate installation.

3.14.7 Exporting and Importing Report and Alert Profiles

Firewall Analyzer provides an easy way of saving report and alert profiles. You can export the profiles to a file and import them later to get the profiles back. This comes in handy in exigencies, such as when you are moving the server to a different machine.


3.15 Network Forensics Tools

(http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Tools and vendors referenced in that article:

• Forensic Toolkit (FTK), AccessData Corp.
• Email Examiner, Paraben Corp.
• EnCase, Guidance Software
• ProDiscover, Technology Pathways
• The Sleuth Kit
• dtSearch, dtSearch Corp.

Related topics: chain of custody, evidence, hashing, incident investigation, intellectual property theft, legal team, network forensics, network penetration, access and physical security, cyberterrorism, data protection.


3.16 Database Forensics

Database forensics is the forensic study of databases: gathering and analyzing data in a manner as free from distortion or bias as possible in order to reconstruct data, or what has happened in the past, on a system. Computer forensics principles can be applied to a database, which is a persistent data store, often relational. For example, the timestamps that apply to the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user. Additionally, copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process. The forensic study of relational databases requires knowledge of the format used to encode data on the computer disk; documentation of the storage formats used by well-known database products such as SQL Server and Oracle has been contributed to the public domain.

According to one Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization, putting information at risk. The big challenge for companies today, particularly as e-mail and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between providing workers with appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive multi-factored security approach.

3.16.1 A Multi-Factored Security Model

What exactly is a multi-factored security approach? Simply put, this approach is built on the defense-in-depth principle, which introduces multiple mechanisms to augment the traditional user and role security model. That means controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database machine IP addresses, time of day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic to pre-approved IP addresses.
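The rule factors described above (client IP address, time of day, authentication mode) as a small policy evaluator. This is an added example, not code from the chapter or from any database product; the networks, hours, authentication modes and privileged operations are constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed rule set (assumptions, not from the chapter): what counts as the
# corporate intranet, normal business hours, strong authentication and
# privileged (change-making) operations.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))        # Monday to Friday, 08:00-18:00
STRONG_AUTH_MODES = {"kerberos", "certificate", "mfa"}
PRIVILEGED_OPS = {"alter", "drop", "grant", "export"}


def evaluate_rule(client_ip, when_iso, auth_mode, operation):
    """Decide whether an administrator's operation may proceed.

    Returns (allowed, reason). Only privileged operations are subject to the
    environmental factors; everything else is left to the ordinary user/role
    model, which is what the "rules" layer augments rather than replaces.
    """
    if operation not in PRIVILEGED_OPS:
        return True, "not a privileged operation; role model applies"

    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in CORPORATE_NETS):
        return False, f"{client_ip} is outside the corporate intranet"

    when = datetime.fromisoformat(when_iso)
    in_hours = BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]
    if when.weekday() >= 5 or not in_hours:
        return False, f"{when:%a %H:%M} is outside normal business hours"

    if auth_mode not in STRONG_AUTH_MODES:
        return False, f"authentication mode '{auth_mode}' is not accepted for privileged work"

    return True, "all rule factors satisfied"


if __name__ == "__main__":
    # Constructed requests: 2024-03-05 is a Tuesday, 2024-03-09 a Saturday.
    requests = [
        ("10.20.30.40", "2024-03-05T10:30:00", "kerberos", "alter"),
        ("203.0.113.7", "2024-03-05T10:30:00", "kerberos", "alter"),
        ("10.20.30.40", "2024-03-05T22:00:00", "kerberos", "alter"),
        ("10.20.30.40", "2024-03-05T10:30:00", "password", "drop"),
        ("203.0.113.7", "2024-03-09T03:00:00", "password", "select"),
    ]
    for req in requests:
        allowed, reason = evaluate_rule(*req)
        print(f"{req[3]:7} from {req[0]:12} -> {'ALLOW' if allowed else 'DENY '}: {reason}")
```
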

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure and the type of contents that each data element within the structure can contain. Thanks to new database security technologies, restrictions can now be set by security administrators to prevent employees with access to sensitive information from modifying the schema. By separating schema and data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while leaving the security administrator to protect the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly being seen today as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security is more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the process of creating and publishing appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, where a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore the network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step. The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn't have permission to execute it, it will not succeed.

• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
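The directory lookup from 3.17.2 in its string-built (vulnerable) form beside a parameterized form, run against the same probe value the section uses. This is an added example, not the article's code: it assumes Python's sqlite3 in place of SQL Server/ASP, and the directory rows are constructed sample data. The probe's reference to a nonexistent table surfaces as a database error exactly when the input was executed as SQL, which is the indicator 3.17.3 describes; the parameterized version treats the same input as an ordinary (unmatched) name.

```python
import sqlite3

# Constructed sample rows standing in for the page's "directory" table.
SAMPLE_ROWS = [("chapple", "mike", "555-0100"),
               ("smith", "jane", "555-0101")]

# The probe from 3.17.2 as the application sees it after URL-decoding the
# firstname parameter (quotes and %-escapes already decoded).
PROBE = "mike' AND (select count(*) from fake) >0 OR '1'='1"


def make_db():
    """In-memory stand-in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the statement by string interpolation, as the unprotected
    directory.asp in the section would; user input becomes part of the SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened form: placeholders hand the values to the driver separately,
    so the input is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def run_probe(lookup, conn):
    """Classify the outcome of the 3.17.2 probe for one lookup implementation.

    Returns ("error", message) when the probe reached the SQL engine as code
    (the 'Invalid object name' style indicator), or ("rows", results) when it
    was handled as plain data.
    """
    try:
        return ("rows", lookup(conn, "chapple", PROBE))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)]:
        print(f"{name:13} normal lookup: {fn(make_db(), 'chapple', 'mike')}")
        print(f"{name:13} probe result : {run_probe(fn, make_db())}")
```
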

3.18 Mobile Forensics

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove if "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, mobile phone forensics is the police officer's first point of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer, they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the investigated. This sort of investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it was proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call and therefore not be at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purposes. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use such fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell information, like DVDs and CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source for investigating crimes committed through the internet.

Evaluation of unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
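The "authenticating data mathematically" step above in working form: a hash is recorded for each bit-stream copy at acquisition, and any later examination copy is re-hashed and compared. This is an added example, not the chapter's procedure or any forensic tool's code; the manifest fields and the drive image bytes are constructed.

```python
import hashlib
import json

CHUNK_SIZE = 4096  # hash in chunks so a multi-gigabyte image is never held whole


def hash_image(image_bytes, algorithm="sha256"):
    """Hash a bit-stream image chunk by chunk and return the hex digest."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(image_bytes), CHUNK_SIZE):
        h.update(image_bytes[offset:offset + CHUNK_SIZE])
    return h.hexdigest()


def acquire(device, image_bytes, acquired_at, examiner):
    """Manifest entry written at acquisition time (constructed field set):
    the digest here is what every later comparison is made against."""
    return {
        "device": device,
        "size": len(image_bytes),
        "algorithm": "sha256",
        "digest": hash_image(image_bytes),
        "acquired_at": acquired_at,
        "examiner": examiner,
    }


def verify(entry, image_bytes):
    """Re-hash the copy under examination and compare it with its manifest entry.

    Size and digest are reported separately so a truncated copy can be told
    apart from one whose contents were altered in place.
    """
    size_ok = len(image_bytes) == entry["size"]
    digest_ok = hash_image(image_bytes, entry["algorithm"]) == entry["digest"]
    return {
        "device": entry["device"],
        "size_matches": size_ok,
        "digest_matches": digest_ok,
        "intact": size_ok and digest_ok,
    }


def sample_image():
    """Constructed stand-in for a drive image: deterministic bytes spanning
    several chunks plus a partial last chunk."""
    return bytes((i * 31 + 7) % 256 for i in range(13000))


if __name__ == "__main__":
    original = sample_image()
    manifest = [acquire("disk0", original, "2024-03-05T10:30:00Z", "examiner-1")]
    print(json.dumps(manifest, indent=2))          # what goes into the case file

    print("untouched copy :", verify(manifest[0], original))
    altered = bytearray(original)
    altered[5000] ^= 0x01                          # a single flipped bit
    print("altered copy   :", verify(manifest[0], bytes(altered)))
    print("truncated copy :", verify(manifest[0], original[:-1]))
```
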

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it can be difficult to enforce. Some e-mail scams for investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to follow these rules when you are on the net:

• Do not give personal information to anyone, or to any company you have never heard of before. This includes your full name, address, phone number, credit card number, social security number, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they are.
• Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.
• Do not download attachments from people you do not know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Do not keep passwords on your computer, and do not use easily guessed passwords such as the names of your children, birthdays or other guessable words. Never give your password to someone else.


Figures referenced in this chapter: Figure 3.1 NetIQ Security Manager Forensic Analysis Report; Figure 3.2 How Spoofing Works.

3.15 Network Forensics Tools__________________________

(Source: http://www.networkcomputing.com/data-protection/network-forensic-tools.php)

Commercial and open-source tools commonly used for network and host forensic examinations include Forensic Toolkit (AccessData Corp.), Email Examiner (Paraben Corp.), EnCase (Guidance Software), ProDiscover (Technology Pathways), The Sleuth Kit and dtSearch (dtSearch Corp.). Whatever tool is used, the examiner must document the chain of custody and verify the evidence by hash, so that findings from an incident investigation, an intellectual property theft case or a network penetration can be handed to the legal team.

3.16 Database Forensics_______________________________

Database forensics is the forensic study of databases: gathering and analysing data, as free from distortion or bias as possible, to reconstruct data or to establish what has happened in the past on a system. Computer forensics principles can be applied to a database, which is a persistent (often relational) data store. For example, the timestamps recording the update time of a row in a relational table can be inspected and tested for validity in order to verify the actions of a database user, and forensic copies of database files and logs can be made to preserve that evidence for later presentation in a legal process. The forensic study of relational databases requires knowledge of the on-disk formats used to encode the data; documentation of the formats used by well-known products such as SQL Server and Oracle has been contributed to the public domain.

According to one recent Forrester study, 80 percent of data security breaches involve insiders: employees or others with internal access to an organization's information. The big challenge for companies today, particularly as e-mail and the Internet make sharing and distributing corporate information easier than ever, is to strike the right balance between giving workers appropriate access and protecting sensitive information as much as possible.


For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges, and DBAs enjoy unrestricted system access in order to manage the company's IT infrastructure 24/7 and respond to emergencies. As companies consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practice, nor does it meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. To help ensure the safety, integrity and privacy of corporate information, more companies are therefore pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, it is built on the defense-in-depth principle and introduces multiple mechanisms to augment the traditional user-and-role security model. Controls, restrictions and boundaries are set up so that even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application or set of database objects within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale; at the same time, information contained within a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information that is pertinent to their jobs, and companies can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations based on specific requirements, using environmental or domain-specific decision factors such as the IP addresses of the database machine and the connecting client, time of day and authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet or outside normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information: organizations cannot control the security standards of external networks, so the best defense is to restrict sensitive traffic to pre-approved IP addresses.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information matches each employee's specific role and responsibilities. For large enterprises, the roles of database administration and security administration should ideally be separated.

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines its structure and the type of content that each data element within the structure can contain. Newer database security technologies allow security administrators to set restrictions that prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation-of-duties principle: DBAs perform their database management duties while the security administrator protects the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. For that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defense that an enterprise can deploy to protect itself and its reputation.

Database security is the set of systems, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment on the internal network rather than in a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems and host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the creation and publication of appropriate security standards for the database environment. The standards may include specific controls for the relevant database platforms, a set of best practices that apply across platforms, and links from the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find weaknesses that could be used to break into the database. Database administrators or information security administrators run vulnerability scans against databases to discover misconfiguration of the controls in the layers listed above, along with known vulnerabilities in the database software. The results of the scans should be used to harden the database and so mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database, such as tables, views and stored procedures; the permissions granted for SQL commands on those objects are considered in this process. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program: vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may affect the application software or the application server. Directly related to this topic is application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms: a single sign-on system stores the database user's credentials (login ID and password) and authenticates to the database on behalf of the user.

3.16.8 Activity Monitoring

Another, more sophisticated, security layer is real-time database activity monitoring, either by analysing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a pattern of normal activity against which anomalous activity that could indicate an intrusion is detected. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behaviour.
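The two detection approaches described in 3.16.8, known-exploit signatures and a learned baseline, combined in one small monitor as an added example (not code from the original chapter or from any monitoring product). The log line format, the signature set and the sample log lines are all constructed for this example; a real monitor would consume the capture format of its network tap or host agent.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a real product's format):
#   <ISO timestamp> user=<db user> host=<client ip> stmt="<SQL text>"
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) stmt="(?P<stmt>.*)"$')
TABLE_RE = re.compile(r'\b(?:FROM|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_][\w.]*)', re.I)

# Known-exploit signatures (assumed minimal set for illustration).
SIGNATURES = {
    "tautology": re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),   # OR 1=1, OR '1'='1'
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "comment_truncation": re.compile(r"(?:--|/\*|#)\s*$"),
    "stacked_query": re.compile(r";\s*(?:DROP|DELETE|UPDATE|INSERT|EXEC)\b", re.I),
}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def statement_shape(stmt):
    """Reduce a statement to (verb, first table) so that it can be baselined."""
    verb = stmt.split(None, 1)[0].upper() if stmt.strip() else "?"
    m = TABLE_RE.search(stmt)
    return verb, (m.group(1).lower() if m else "?")

def build_baseline(lines):
    """Learn, per user, the statement shapes, client hosts and hours seen in a clean period."""
    base = {"shapes": set(), "hosts": defaultdict(set), "hours": defaultdict(set)}
    for rec in filter(None, map(parse_line, lines)):
        base["shapes"].add((rec["user"],) + statement_shape(rec["stmt"]))
        base["hosts"][rec["user"]].add(rec["host"])
        base["hours"][rec["user"]].add(int(rec["ts"][11:13]))
    return base

def detect(lines, base):
    """Return (user, stmt, reasons) for every live line that trips a signature or the baseline."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("?", line, ["unparseable"]))
            continue
        reasons = [f"signature:{name}" for name, sig in SIGNATURES.items() if sig.search(rec["stmt"])]
        verb, table = statement_shape(rec["stmt"])
        if (rec["user"], verb, table) not in base["shapes"]:
            reasons.append(f"new-shape:{verb} {table}")
        if rec["host"] not in base["hosts"].get(rec["user"], set()):
            reasons.append(f"new-host:{rec['host']}")
        hours = base["hours"].get(rec["user"])
        hour = int(rec["ts"][11:13])
        if not hours or not (min(hours) <= hour <= max(hours)):
            reasons.append(f"off-hours:{hour:02d}")
        if reasons:
            alerts.append((rec["user"], rec["stmt"], reasons))
    return alerts

# Constructed sample traffic: a clean learning period, then a live period.
BASELINE_LOG = """\
2024-03-01T09:12:01 user=app_web host=10.0.1.5 stmt="SELECT phone FROM directory WHERE lastname=? AND firstname=?"
2024-03-01T13:40:10 user=app_web host=10.0.1.5 stmt="INSERT INTO orders (cust_id, total) VALUES (?, ?)"
2024-03-01T17:05:33 user=app_web host=10.0.1.6 stmt="SELECT phone FROM directory WHERE lastname=? AND firstname=?"
2024-03-01T10:00:00 user=dba host=10.0.9.2 stmt="UPDATE directory SET phone=? WHERE id=?"
""".splitlines()

LIVE_LOG = """\
2024-03-02T11:02:14 user=app_web host=10.0.1.5 stmt="SELECT phone FROM directory WHERE lastname=? AND firstname=?"
2024-03-02T11:02:15 user=app_web host=10.0.1.5 stmt="SELECT phone FROM directory WHERE lastname='chapple' AND firstname='mike' AND (select count(*) from fake)>0 OR '1'='1'"
2024-03-02T02:13:00 user=dba host=203.0.113.7 stmt="SELECT * FROM salaries"
2024-03-02T02:14:30 user=dba host=203.0.113.7 stmt="DELETE FROM audit_log WHERE 1=1 --"
""".splitlines()

if __name__ == "__main__":
    for user, stmt, reasons in detect(LIVE_LOG, build_baseline(BASELINE_LOG)):
        print(user, reasons, stmt[:60])
```

The first live line is ordinary traffic and produces nothing. The second is the same statement shape but carries the tautology from the SQL injection test in 3.17, so only the signature fires. The last two lines show the value of the baseline: a DBA account reading a table it never touched, from an address never seen, at 02:00, trips three independent checks before any signature is needed, and the trailing comment on the DELETE against the audit table adds a fourth.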


3.16.9 Native Audit

In addition to external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This provides a degree of segregation of duties and may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, however, the native audit trails of databases do not provide sufficient controls to enforce separation of duties, so network and/or kernel-module host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered where the risk is commensurate with the expense of such a system. Alongside a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted by a security incident or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.
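An added example of the post-incident database forensics just described, tying together the row-timestamp validity test from the start of 3.16 and the off-box copy of the native audit trail from 3.16.9 (this is not code from the original chapter). The seized table, its audit trail, the column names and the acquisition time are all constructed; the checks themselves are the ones an examiner would run against a forensic copy, using SQLite here only so that the example runs offline.

```python
import sqlite3

ACQUIRED_AT = "2024-03-02 08:00:00"  # constructed: when the forensic copy was taken

NO_AUDIT = "row changed without matching audit record"
FUTURE = "updated_at is later than acquisition time"
BEFORE_CREATE = "updated_at is earlier than created_at"
MISMATCH = "current value disagrees with last audit record"

def load_evidence():
    """Constructed copies of a seized table and its off-box native audit trail."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE directory (
            id INTEGER PRIMARY KEY, lastname TEXT, phone TEXT,
            created_at TEXT, updated_at TEXT);
        CREATE TABLE directory_audit (
            audit_id INTEGER PRIMARY KEY, row_id INTEGER, changed_at TEXT,
            changed_by TEXT, old_phone TEXT, new_phone TEXT);
        INSERT INTO directory VALUES
          (1, 'chapple', '555-0111', '2024-01-10 09:00:00', '2024-02-20 14:30:00'),
          (2, 'smith',   '555-0122', '2024-01-10 09:00:00', '2024-03-02 02:10:00'),
          (3, 'jones',   '555-0133', '2024-01-10 09:00:00', '2023-12-31 23:59:59'),
          (4, 'patel',   '555-0100', '2024-01-10 09:00:00', '2024-02-25 11:00:00'),
          (5, 'lee',     '555-0155', '2024-01-10 09:00:00', '2024-03-09 10:00:00');
        INSERT INTO directory_audit VALUES
          (1, 1, '2024-02-20 14:30:00', 'dba',     '555-0110', '555-0111'),
          (2, 4, '2024-02-25 11:00:00', 'app_web', '555-0101', '555-0199');
    """)
    return conn

def reconcile(conn, acquired_at=ACQUIRED_AT):
    """Return sorted (row id, finding) pairs. Timestamps are ISO strings, so
    plain string comparison orders them correctly."""
    findings = set()
    # 1. rows whose update time has no audit record: audit disabled, bypassed, or trail trimmed
    for row_id, in conn.execute("""
        SELECT d.id FROM directory d
        LEFT JOIN directory_audit a ON a.row_id = d.id AND a.changed_at = d.updated_at
        WHERE d.updated_at <> d.created_at AND a.audit_id IS NULL"""):
        findings.add((row_id, NO_AUDIT))
    # 2. clock or tamper indicators visible in the row itself
    for row_id, in conn.execute("SELECT id FROM directory WHERE updated_at > ?", (acquired_at,)):
        findings.add((row_id, FUTURE))
    for row_id, in conn.execute("SELECT id FROM directory WHERE updated_at < created_at"):
        findings.add((row_id, BEFORE_CREATE))
    # 3. the last audited value should equal what the row holds now
    for row_id, in conn.execute("""
        SELECT d.id FROM directory d
        JOIN directory_audit a ON a.row_id = d.id
        WHERE a.changed_at = (SELECT MAX(changed_at) FROM directory_audit WHERE row_id = d.id)
          AND a.new_phone <> d.phone"""):
        findings.add((row_id, MISMATCH))
    return sorted(findings)

if __name__ == "__main__":
    for row_id, finding in reconcile(load_evidence()):
        print(f"row {row_id}: {finding}")
```

Row 1 reconciles cleanly. Row 2 was changed at 02:10 with no audit record, the pattern left when auditing is switched off or the change is made below the database's audit layer. Row 3 carries an update time before its own creation, and row 5 one after the acquisition, both signs of a manipulated clock or of direct edits to the stored timestamps. Row 4 shows a value the audit trail does not account for. None of these is proof on its own; each marks a row whose history must be established from other sources, such as the host-level monitoring of 3.16.8.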

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend on a database back end to generate dynamic content. In this type of attack, the attacker manipulates input to a web application so that their own SQL is injected into the commands the application issues to the database. (For an example, see the article "SQL Injection Attacks on Databases".) This section looks at several ways you can test your web applications to determine whether they are vulnerable to SQL injection.

3.17.1 Automated SQL Injection Scanning

One possibility is to use an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What is a poor application developer to do? You can run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here only look for basic SQL injection flaws. They will not detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you cannot handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that will not harm your database if they succeed, but will provide evidence that you need to correct a problem. For example, suppose you have a simple web application that looks up an individual in a database and returns contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. Given the assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You will notice that the syntax above is a little different from that in the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (for example, %3d is the URL encoding of the = character and + encodes a space), and line breaks have been added for the same reason.

3.17.3 Evaluating the Results

The test comes when you try to load the page with the URL listed above. If the web application is well-behaved, it will strip out or escape the single quotes in the input before passing the query to the database. This simply results in a strange lookup for someone whose first name is a bunch of SQL, and you will see an error message from the application similar to:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it should not), you will see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

If your web server does not display detailed error messages, you will get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is vulnerable to SQL injection. Some steps that you can take to protect your applications against SQL injection attacks include:

• Implement parameter checking in all applications. For example, if you are asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query does not have permission to perform the injected action, it will not succeed.
• Use parameterized queries or stored procedures (or similar techniques) so that user input is never interpreted as SQL code.
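The manual test of 3.17.2 and 3.17.3 reproduced against a local database as an added example (not code from the original article). The directory table is constructed, SQLite stands in for the SQL Server back end, and lookup_vulnerable deliberately reproduces the concatenation the page assumes directory.asp performs; lookup_safe is the parameterized form recommended above.

```python
import sqlite3

def make_directory_db():
    """Constructed stand-in for the page's directory table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT);
        INSERT INTO directory VALUES ('chapple', 'mike', '555-0101'),
                                     ('smith',   'anna', '555-0102'),
                                     ('jones',   'raj',  '555-0103');
    """)
    return conn

def lookup_vulnerable(conn, lastname, firstname):
    """The page's directory.asp behaviour: input concatenated straight into SQL (deliberately unsafe)."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname +
           "' AND firstname = '" + firstname + "'")
    return [phone for (phone,) in conn.execute(sql)]

def lookup_safe(conn, lastname, firstname):
    """Parameterized query: input is bound as data and can never become SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [phone for (phone,) in conn.execute(sql, (lastname, firstname))]

# The page's innocuous probe: a reference to a table that does not exist, then a tautology.
PROBE = "mike' AND (select count(*) from fake)>0 OR '1'='1"
TAUTOLOGY = "' OR '1'='1"

def probe(conn, lookup):
    """Apply the page's manual test to a lookup function and report what the tester would see."""
    try:
        lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as err:        # SQLite's "no such table: fake",
        return f"vulnerable: database error leaked ({err})"   # SQL Server's "Invalid object name 'fake'"
    normal = len(lookup(conn, "chapple", "mike"))
    if len(lookup(conn, "chapple", TAUTOLOGY)) > normal:
        return "vulnerable: tautology returned extra rows"
    return "not vulnerable"

if __name__ == "__main__":
    db = make_directory_db()
    print("concatenated :", probe(db, lookup_vulnerable))
    print("parameterized:", probe(db, lookup_safe))
```

Against the concatenating lookup the probe raises the database's equivalent of "Invalid object name 'fake'", which is exactly the signal the browser test looks for; against the parameterized lookup the same string is simply a first name nobody has, and the query returns no rows. Note that merely stripping single quotes, as the "well-behaved" application in 3.17.3 does, is not a fix: numeric parameters need no quotes at all, so `customer=1 OR 1=1` would still pass. Binding parameters removes the problem for every column type.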

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of data found on the SIM/USIM, in the phone's own memory and on any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone (or cell phone) forensics is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the most high-profile murder enquiries: they are used by individuals checking whether a partner has been cheating on them, by human resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are just a few of the hundreds of reasons why mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature says that you will tell at least someone. On a computer those records could be stored in your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSF file (Lotus Notes), your MSG files (Microsoft Outlook message files) or your EML files (generic e-mail files), among others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory, or memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile-phone-specific tools, but needs a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data is achieved for the client in a sound and forensically correct manner.

A more recent development is cell-site (cellular transmitter) location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been accepted in a British court of law this does not mean it is accepted throughout the world. There are downsides: simply passing the phone in question to a colleague or accomplice would mean that the phone was in another place at the time of a call and therefore not at the scene of the crime. There is also the problem of "pay-as-you-go" prepaid phones, which have no legal tie to the owner; this is something that is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing e-mails, pictures, deleted files, instant messages and much more, all with date and time history, and this evidence can be produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant as computers become part of our daily lives. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when walking down the street, or lock up your home at night, you have to be careful of the many kinds of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You do not have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become a bigger issue than experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals include sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. To protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they can victimize you, and many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by both hackers and legitimate companies; once installed on a computer it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and e-mail domain. This information is often found in your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware typically gets into a system by abusing a Microsoft technology known as ActiveX. ActiveX is a browser component technology that makes it possible to view many interactive web pages; when ActiveX is abused by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to run up debt, open accounts and even receive medical benefits in your name. The worst case is your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans, and you may even find yourself in trouble with the law for crimes you did not commit.

Computer fraud can be one of the most devastating crimes you will ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan to discard a computer, be sure to completely erase the contents of your hard drive: as the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practising computer fraud, especially when the practice can be shown to be harmful and physically or financially damaging to others. Most laws distinguish between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and is not really fraudulent; deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum people who steal information or money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax e-mails intended to scare people.
• Illegally using someone else's computer, or "posing" as someone else on the Internet.
• Using spyware to gather information about people.
• E-mails requesting money in return for "small deposits".
• Pyramid schemes or investment schemes run via computer with the intent to take and use someone else's money.
• E-mails attempting to gather personal information to be used to access and use credit cards or social security numbers.
• Using someone else's computer to access personal information with the intent to use it fraudulently.
• Using the computer to solicit minors into sexual alliances.
• Violating copyright laws by copying material such as DVDs and CDs with the intent to sell it.
• Hacking into computer systems to gather large amounts of information for illegal purposes.
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities that involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data and system interference. Computer crimes do not necessarily involve damage to physical property; rather, they involve the manipulation of confidential data and critical information. They include software theft and breaches of users' privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crime involve illegal exploitation of computer and communication technology for criminal activities. While advancing technology has been a boon to mankind, destructively directed human intellects are set to turn technology into a curse. Types of computer crime are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking, that is, defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized disclosure of passwords with intent to gain access to the private communications of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is spoofing IP addresses in order to transact under a false identity and remain anonymous while carrying out criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. It is carried out through emails or by luring users into entering personal information on fake websites. Criminals often build sites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that replicate themselves and harm the computer systems on a network without the knowledge of the users. Viruses spread to other computers through network file shares, the Internet, or removable media such as USB drives and CDs. They are, after all, a form of malicious code written to harm a computer system and destroy information. Writing and distributing computer viruses is a criminal activity, because infections can crash computer systems and destroy large amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, the transmission of threats, and damage to data and equipment all fall under this class of activity. Cyberstalkers often use chat rooms, online forums and social networking websites to gather information about their targets and then harass them on the basis of what they have gathered. Obscene emails, abusive phone calls and other serious effects of cyberstalking have made it a recognized type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity: pretending to be someone else by using that person's identity as one's own. Financial identity theft is the use of a false identity to obtain goods and services; commercial identity theft is the use of someone else's business name or credit card details for commercial purposes; identity cloning is the use of another person's information to live as that person. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into the phone line outside your house and running the line directly into their own computer. This can be done without your knowledge through a split line. Some thieves take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time: This is one of the most common computer crimes, happening all over the country. Public and private employees surf the web or play games on the taxpayer's or the company's time and money without authorization. Supervisors rarely accept this behaviour, but there is little practical way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes to commit. Thieves steal information that came out of a personal or company computer in order to learn secret or personal information, simply by taking computer printouts, mailing lists, customer lists and the like.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a more complex computer crime. It occurs when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually includes a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data, including bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that potential evidence is not destroyed or tampered with.
• Authenticating the data on all storage devices mathematically (by computing and recording cryptographic hashes) in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the dates and times associated with computer files when the computer was taken into evidence, including the system clock's offset from a reference time.
• Generating a list of keywords to facilitate the evaluation of the data on the hard disk drive.


The Windows swap (page) file deserves particular attention, because it holds fragments of memory written out by the operating system and can contain passwords, decrypted content and other information that never existed as a file. Next, evaluate file slack, the unused space between the end of a file and the end of its last allocated cluster, which retains data left over from previously deleted files and is a good source of evidence in crimes committed over the Internet.

Evaluating unallocated space provides information about deleted files on the computer. Encrypted, compressed and graphic files cannot be searched by keyword and should be evaluated manually.

Finally, it is important to document the findings and issues identified during the computer search.
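The hashing, slack and unallocated-space classification, and keyword steps above, combined into one added example. This is editor-supplied Python, not part of the chapter: the disk image is a constructed 64-byte stand-in for a bit-stream copy with 16-byte clusters, and the file allocation table is assumed to have been recovered separately. A real examination would read a .dd or E01 image in chunks and take the extents from a file system parser.

```python
"""Added example (not from the chapter): verify an acquired image by hash and run
a keyword search that reports whether each hit lies in allocated space, file
slack or unallocated space.  The image and its allocation table below are
constructed for illustration; a real case reads a bit-stream image in chunks."""
import hashlib
import hmac
import re

CLUSTER_SIZE = 16  # assumed cluster size of the constructed file system

# Constructed image: one live 20-byte file spanning two clusters, 12 bytes of
# slack left over from an earlier file, then two unallocated clusters holding
# the remains of a deleted message.
LIVE_FILE = b"invoice 4471 ok paid"
SLACK_REMNANT = b"xfer 9981 ok"
DELETED_REMNANT = b"deleted: send cash to acct 77"
SAMPLE_IMAGE = (LIVE_FILE + SLACK_REMNANT
                + DELETED_REMNANT.ljust(2 * CLUSTER_SIZE, b"\x00"))
# Allocation table as recovered from the file system: (start offset, logical length).
FILE_EXTENTS = [(0, len(LIVE_FILE))]


def hash_image(data: bytes, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash the image in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_image(data: bytes, recorded_hash: str, algo: str = "sha256") -> bool:
    """True if the image still matches the hash recorded at acquisition time."""
    return hmac.compare_digest(hash_image(data, algo), recorded_hash.lower())


def classify_offset(offset: int, extents, cluster_size: int = CLUSTER_SIZE) -> str:
    """Allocated: inside a file's logical length.  Slack: after the logical end but
    inside the file's last cluster.  Unallocated: not covered by any extent."""
    for start, length in extents:
        logical_end = start + length
        cluster_end = start + -(-length // cluster_size) * cluster_size  # ceil
        if start <= offset < logical_end:
            return "allocated"
        if logical_end <= offset < cluster_end:
            return "slack"
    return "unallocated"


def keyword_hits(data: bytes, keywords, extents, cluster_size: int = CLUSTER_SIZE):
    """Case-insensitive keyword search over the whole image, with each hit
    labelled by the region it was found in."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), data, re.IGNORECASE):
            hits.append({"keyword": kw, "offset": m.start(),
                         "region": classify_offset(m.start(), extents, cluster_size)})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    acquisition_hash = hash_image(SAMPLE_IMAGE)  # record this on the evidence form
    print("sha256:", acquisition_hash,
          "verified:", verify_image(SAMPLE_IMAGE, acquisition_hash))
    for hit in keyword_hits(SAMPLE_IMAGE, ["invoice", "9981", "cash"], FILE_EXTENTS):
        print(f"{hit['keyword']!r} at offset {hit['offset']} ({hit['region']})")
```

The region label is what turns a raw keyword hit into a finding: a hit in slack or unallocated space is data the user had no live file for, which is exactly the material the investigation steps above single out. The acquisition hash is recorded once and re-verified before every examination session, so any later discrepancy points to handling, not to the original evidence.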

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it can be difficult to enforce. Some of the email scams offering investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to follow these rules when you are on the net:

• Do not give personal information to anyone, or to any company you have never heard of before. This includes your full name, address, phone number, credit card number, social security number, and information about the people in your household.
• Pay no attention to get-rich-quick schemes. If they seem too good to be true, they are.
• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.
• Do not download attachments from people you do not know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Do not keep passwords in plain text on your computer, and do not use easily guessed passwords such as the names of your kids, birthdays or other dictionary words. Never give your password to someone else.



For example, database users have traditionally been assigned a database administrator (DBA) role or granted multiple system privileges. DBAs enjoy unrestricted system access so that they can manage the company's IT infrastructure 24/7 and respond to emergencies. As companies consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with "need-to-know" security best practice, nor does it meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.

3.16.1 A multi-factored security model

What exactly is a multi-factored security approach? Simply put, it is built on the defense-in-depth principle: multiple mechanisms augment the traditional user and role security model, so that controls, restrictions and boundaries are set up and even employees with database access privileges cannot freely use, alter or export sensitive information. These mechanisms can be grouped into four categories: realms, rules, roles and policies.

3.16.2 Realms

Realms are established to encapsulate an existing application, or a set of database objects, within a protection zone. One advantage of a consolidated database is the elimination of information silos and increased economies of scale; at the same time, the information held in a single database may require different levels of protection. By segmenting a database into mini virtual private databases, employees gain access only to the information that is pertinent to their jobs, and the company can monitor and control the use of sensitive information and retrieve data usage records for auditing as required.

3.16.3 Rules

Rules further restrict operations according to specific requirements, using environmental or domain-specific decision factors such as the database machine's IP address, the client's IP address, the time of day and the authentication mode. For example, an organization can prevent an administrator from making changes to a database system from outside the corporate intranet or outside normal business hours. Such rules become more important as employees increasingly require remote access to corporate information: an organization cannot control the security standards of external networks, so the best defense is to restrict sensitive traffic to pre-approved IP addresses. Note that a rule keyed on a source IP address is a constraint on where an action may be performed, not proof of who performed it; it should complement, not replace, strong authentication.

3.16.4 Roles

As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information matches specific roles and responsibilities. In large enterprises, for example, the roles of database administration and security administration should ideally be separated. Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators need to be empowered to restrict such access according to corporate security policy. A security administrator and a database administrator can then share responsibility for managing sensitive information, and tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines the structure of the data and the type of content each data element may contain. Newer database security technologies allow security administrators to set restrictions that prevent employees with access to sensitive data from modifying the schema. By separating schema management from data management, this policy supports the separation-of-duties principle: DBAs perform their database management duties while the security administrator protects the database infrastructure. Striking a correct and efficient balance between employees' needs, corporate security policies and required workflows is a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defense an enterprise can deploy to protect itself and its reputation.

Database security comprises the system, processes and procedures that protect a database from unintended activity. Unintended activity includes authenticated misuse, malicious attacks, and inadvertent mistakes made by authorized individuals or processes. Database security is a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment on the internal network rather than in a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems and host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the creation and publication of appropriate security standards for the database environment. The standards may include specific controls for each relevant database platform, a set of best practices that apply across platforms, and links from the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find weaknesses that could be used to break into the database. Database administrators or information security administrators run vulnerability scans against databases to discover misconfigured controls within the layers listed above, along with known vulnerabilities in the database software. The results of the scans should be used to harden the database and reduce the threat of compromise.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of compliance are patch management and the review and management of permissions, especially those granted to PUBLIC, on objects within the database (tables, views, procedures and other object types), including the permissions granted for individual SQL commands on those objects. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program: vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is on-going risk assessment. The compliance program should take into account dependencies at the application software level, since changes at the database level may affect the application software or the application server. Directly related to this topic is application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as a means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms: a single sign-on system stores the database user's credentials (login ID and password) and authenticates to the database on behalf of the user. The credential store then becomes a high-value target and must itself be protected and audited.

3.16.8 Activity Monitoring

A further, more sophisticated security layer is real-time database activity monitoring, either by analyzing SQL protocol traffic over the network, by observing local database activity on each server with software agents, or both. Analysis can identify known exploits or policy breaches, or baselines can be captured over time to build a pattern of normal activity against which anomalies indicative of intrusion are detected. These systems provide a comprehensive database audit trail in addition to intrusion detection, and some can also offer a degree of protection by terminating user sessions and/or quarantining users who demonstrate suspicious behavior.
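One way to implement the IP and time-of-day rules of 3.16.3 together with the baseline-driven monitoring of 3.16.8 over a stream of captured SQL statements, as an added Python example (editor's code, not from the chapter or from any monitoring product). The log line format, the account names, the 10.0.0.0/8 corporate network, the 08:00 to 18:00 window and the three-line baseline are all constructed for illustration; a real deployment would feed records from the database's native audit trail or a network tap.

```python
"""Added example (not from the chapter): rule checks and a baseline comparison over
captured database activity.  The log line format, users, addresses and policy
values are constructed for illustration."""
import ipaddress
import re
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) sql="(?P<sql>.*)"$')
# Tables named after FROM/JOIN/INTO/UPDATE/TABLE; good enough for a baseline of
# which objects each account normally touches (not a full SQL parser).
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][\w.]*)", re.I)
ADMIN_RE = re.compile(r"^\s*(?:ALTER|DROP|CREATE|TRUNCATE|GRANT|REVOKE)\b", re.I)

POLICY = {                                     # assumed corporate policy (3.16.3 rules)
    "admin_users": {"dba_alice"},              # only these accounts may run DDL/DCL
    "corp_net": ipaddress.ip_network("10.0.0.0/8"),
    "business_hours": (8, 18),                 # local hours: start inclusive, end exclusive
}

# Constructed baseline period: what each account normally does.
BASELINE_LOG = [
    '2011-03-01T09:02:11 user=appsvc ip=10.1.2.3 sql="SELECT phone FROM directory WHERE lastname = ?"',
    '2011-03-01T09:05:40 user=appsvc ip=10.1.2.3 sql="UPDATE directory SET phone = ? WHERE id = ?"',
    '2011-03-01T10:20:05 user=dba_alice ip=10.0.5.9 sql="ALTER TABLE directory ADD COLUMN mobile VARCHAR(20)"',
]


def parse_record(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable activity record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def tables_in(sql: str) -> set:
    return {t.lower() for t in TABLE_RE.findall(sql)}


def build_baseline(lines) -> dict:
    """Map each account to the set of tables it touched during the baseline period."""
    baseline = {}
    for line in lines:
        rec = parse_record(line)
        baseline.setdefault(rec["user"], set()).update(tables_in(rec["sql"]))
    return baseline


def evaluate(line: str, baseline: dict, policy: dict = POLICY) -> list:
    """Return the list of findings for one record (an empty list means nothing to report)."""
    rec = parse_record(line)
    findings = []
    if ADMIN_RE.match(rec["sql"]):
        if rec["user"] not in policy["admin_users"]:
            findings.append("admin statement by non-admin account")
        if rec["ip"] not in policy["corp_net"]:
            findings.append("admin statement from outside corporate network")
        start, end = policy["business_hours"]
        if not start <= rec["ts"].hour < end:
            findings.append("admin statement outside business hours")
    unexpected = tables_in(rec["sql"]) - baseline.get(rec["user"], set())
    if unexpected:
        findings.append("access to tables not in baseline: " + ", ".join(sorted(unexpected)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for line in [
        '2011-03-02T11:00:00 user=appsvc ip=10.1.2.3 sql="SELECT phone FROM directory WHERE lastname = ?"',
        '2011-03-02T23:40:00 user=dba_alice ip=203.0.113.7 sql="DROP TABLE directory"',
        '2011-03-02T11:05:00 user=appsvc ip=10.1.2.3 sql="SELECT * FROM hr.salaries"',
    ]:
        print(line.split(" sql=")[0], "->", evaluate(line, baseline) or ["ok"])
```

The two halves catch different things: the rule checks fire on statements that are wrong regardless of history (a DROP from a public address at night), while the baseline comparison fires on statements that are syntactically legitimate but unusual for the account (an application service account reading a payroll table it has never touched). In a product the baseline would be built over weeks and the table extraction would come from the database's own parser, but the decision logic is the same.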


3.16.9 Native Audit

In addition to external monitoring or auditing tools, native database audit capabilities are available for many database platforms. The native audit trails should be extracted regularly and transferred to a designated security system to which the database administrators have no access. This provides a degree of segregation of duties and evidence that the audit trails were not modified by the administrators being audited. In general, the native audit trails of databases do not provide sufficient controls to enforce separation of duties on their own, so network-level and/or kernel-module host-based monitoring provides a higher degree of confidence for forensics and the preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. Accounts used by automated processes should have appropriate controls around credential storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, two-factor authentication should be considered where the risk justifies the expenditure. Alongside a sound database security program, an appropriate disaster recovery program should exist so that service is not interrupted by a security incident or any other incident that causes an outage of the primary database environment; an example is replication of the primary databases to sites in different geographical regions. After an incident, database forensics should be used to determine the scope of the breach and to identify changes to systems and/or processes that will prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risk to web applications that depend on a database back end to generate dynamic content. In this type of attack, the attacker manipulates a web application so that his own SQL is injected into the statements the application issues to the database. (For an example, see the article "SQL Injection Attacks on Databases".) In this section we look at several ways to test your web applications to determine whether they are vulnerable.

3.17.1 Automated SQL Injection Scanning

One possibility is an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are expensive, running up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What is a poor application developer to do? You can run some basic tests for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here only look for basic SQL injection flaws. They will not detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you cannot, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injections that will not harm the database if they succeed, but will provide evidence that there is a problem to correct. For example, suppose a simple web application looks up an individual in a database and returns contact information. The page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

With that assumption, a simple change to the URL tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application has not been protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

The syntax above differs slightly from the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (for example, %3d is the URL encoding of the = character and %3e of the > character), and line breaks were added for the same reason. Strictly, the application's own closing quote is also appended after 1=1, which by itself produces a syntax error; either way, the database rather than the application is now interpreting the attacker's text.

3.17.3 Evaluating the Results

The test comes when you load the page with the URL above. If the web application handles input safely, for example by escaping or stripping the single quotes or, better, by passing the value as a bound parameter, the injected text is treated as an ordinary, if odd, first name. You will see an error message from the application similar to:

Error: No user found with name mike' AND (select count(*) from fake)>0 OR 1=1 Chapple

On the other hand, if the application is vulnerable, it passes the statement directly to the database, with one of two results. First, if the server has detailed error messages enabled (which it should not), you will see something like:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

If the web server does not display detailed error messages, you will get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of these two errors, your application is vulnerable to SQL injection. The generic error only tells you that something went wrong, so confirm it by comparing against a harmless control request (for example firstname=mike without the injected text) and by checking the server error log. Some steps you can take to protect your applications against SQL injection include:

• Implement input validation in all applications. For example, if you ask someone to enter a customer number, make sure the input is numeric before executing the query.
• Use parameterized queries (prepared statements) so that user input is always bound as data and never concatenated into the SQL text.
• Limit the permissions of the account that executes SQL queries; the rule of least privilege applies. If the account used to execute the injected statement does not have permission for it, the attack will not succeed.
• Use stored procedures (or similar techniques) to prevent users from interacting directly with SQL code.
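The probe from 3.17.2 and 3.17.3 run against a vulnerable lookup and a parameterized one, as an added Python example using an in-memory SQLite database (editor's code, not from the chapter or from the article it draws on). The directory table and its two rows are constructed; lookup_vulnerable builds the SQL by string concatenation, as the example directory.asp is assumed to, while lookup_safe binds the same inputs as parameters. The fake-table probe is written with a closing quote (1='1) so that the statement stays well formed and the only error the database can raise is the missing table, mirroring the "Invalid object name 'fake'" message above.

```python
"""Added example (not from the chapter): the manual SQL injection probe from 3.17.2
against a vulnerable lookup and a parameterized one.  The database, table and
rows are constructed; sqlite3 stands in for the SQL Server back end."""
import sqlite3

# Probe from the chapter, with a closing quote so the statement stays well formed
# and the only possible error is the missing table.
PROBE_FAKE_TABLE = "mike' AND (select count(*) from fake)>0 OR 1='1"
# Classic tautology: turns the WHERE clause true for every row.
PROBE_TAUTOLOGY = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0199")])
    return conn


def lookup_vulnerable(conn, lastname: str, firstname: str) -> list:
    """Builds the statement by string concatenation, as the chapter's directory.asp
    is assumed to.  Anything the user types becomes SQL."""
    sql = (f"SELECT phone FROM directory WHERE lastname = '{lastname}' "
           f"AND firstname = '{firstname}' ORDER BY phone")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, lastname: str, firstname: str) -> list:
    """Same query with bound parameters: the driver sends the values separately, so
    quotes and keywords in the input are just characters in a name."""
    sql = ("SELECT phone FROM directory WHERE lastname = ? AND firstname = ? "
           "ORDER BY phone")
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def parse_customer_number(raw: str) -> int:
    """Input validation for a numeric field (first mitigation in the list above)."""
    if not raw.isdigit():
        raise ValueError(f"customer number must be numeric, got {raw!r}")
    return int(raw)


def probe(conn, lookup, firstname: str):
    """Run a lookup and report ('rows', [...]) or ('error', message), i.e. what the
    tester sees as a result page or a database error."""
    try:
        return ("rows", lookup(conn, "chapple", firstname))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for name, lookup in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_safe)):
        for payload in (PROBE_FAKE_TABLE, PROBE_TAUTOLOGY):
            print(f"{name:13} {payload!r:50} -> {probe(conn, lookup, payload)}")
```

Against the concatenating lookup the fake-table probe produces a database error ("no such table: fake", SQLite's counterpart of the SQL Server message quoted above) and the tautology returns every phone number in the table; against the parameterized lookup both probes simply return no rows, because the input was compared as a name rather than executed. That difference is the whole test, and it is also why binding parameters, not stripping quotes, is the fix to reach for.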

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes the full retrieval and examination of data found on the SIM/USIM, on the phone itself, and on any optional memory cards. The data retrieved can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone (or cell phone) forensics is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the highest-profile murder enquiries; they are used by individuals checking whether a partner has been cheating, by human resources departments that need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are only a few of the hundreds of reasons why mobile phone forensics is becoming more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources and private individuals.

Along with the computer, the mobile phone is now the police officer's first point of call. Where are you likely to record everything? Where will the records of wrongdoing be stored? Even someone who does not keep records will usually tell at least one other person. On a computer, such records may sit in a PST file (Microsoft Outlook personal storage file), an EDB file (Microsoft Exchange mailbox store), an NSF file (Lotus Notes), MSG files (individual Microsoft Outlook messages) or EML files (generic email messages), among others.

On a phone, all these records are kept digitally on various storage devices: mobile phone SIM cards, 3G USIM cards, the phone's internal memory, or memory cards (mainly MMC, but not exclusively). The forensic investigator can no longer rely solely on mobile phone tools but must also have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data is achieved for the client in a sound and forensically correct manner.

A more recent development is cell-site (cellular transmitter) location analysis, which helps agencies pinpoint the approximate whereabouts of the person under investigation. This technique was first used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been accepted in a British court of law, that does not mean it is accepted throughout the world. There are also limits to what it proves: it places the handset, not its owner, so a suspect who hands the phone to an accomplice will appear to be wherever the phone was when a call was made, and so away from the scene of the crime. There is also the problem of prepaid ("pay-as-you-go") phones, which have no legal tie to an owner; this is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for a criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly in the crime. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing emails, pictures, deleted files, instant messages and much more, all with date and time history, and produce it in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes an ever larger part of daily life. The definition of what constitutes computer fraud grows more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or harm others by accessing information through deceptive and illegal means. Just as you take care when walking down the street, or lock up your home at night, you must be careful of the many kinds of computer fraud that will find their way onto your computer.

3.19.1 What is Computer Fraud?

You do not have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of buying goods and services online. As Internet commerce continues to grow into millions in sales, the crime of computer fraud has become a bigger issue than the experts could have predicted.


Hackers today are more than bored teenagers with a few computer skills. Cyber criminals are increasingly sophisticated professionals who have chosen to use their talents for fraudulent purposes. They have easy access to advanced software that enables them to manipulate your computer remotely to obtain the sensitive information they seek, and you can be a victim of computer fraud without ever knowing that your machine has been compromised. To protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they can victimize you, and many of them use malicious programs known as spyware to obtain it. Spyware is software used both by criminals and, in a milder form, by legitimate companies; once installed on a computer it monitors the user's activity and collects information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in your browser history, cache, cookies or temporary Internet files, and a sophisticated piece of spyware can retrieve it and report the details back to whoever launched it. Spyware has often got onto systems by abusing a Microsoft browser technology known as ActiveX. ActiveX is not a web language but a component technology that lets a web page run native code inside Internet Explorer; it made many web pages of its day viewable, but when an ActiveX control is malicious, or a legitimate control is exploited, it can be used to install spyware and other malicious programs on the system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. The information can be used to run up debt, open accounts and even receive medical benefits in your name. The worst case is the complete theft of your identity, a growing problem that is difficult to rectify: victims of identity theft commonly spend months or years clearing their name and repairing damaged credit, and until the issues are resolved they are likely to be refused credit, mortgages and automobile loans, and may even find themselves in trouble with the law for crimes they did not commit. Computer fraud can be one of the most devastating crimes you will ever experience, so protecting the personal data on your computer should be a top priority. This means implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems, and, if you discard a computer, completely erasing the contents of its hard drive (simply deleting files or formatting is not enough). As the saying goes, one man's trash is another man's treasure.

There are many legal ramifications for those practising computer fraud, especially where the practice can be shown to be harmful and physically or financially damaging to others. Most laws distinguish between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and is not really fraudulent, whereas deliberately generating a hoax letter to scare others is fraud with the intent to cause at least emotional harm. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum, people who steal information or money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types include:

Sending hoax emails intended to scare people Illegally using someone elsersquos computer or ldquoposingrdquo as someone else on the

Internet Using spyware to gather information about people Emails requesting money in return for ldquosmall depositsrdquo Pyramid schemes or investment schemes via computer with the intent to take

and use someone elsersquos money Emails attempting to gather personal information to be used to access and use

credit cards or social security numbers Using someone elsersquos computer to access personal information with the intent to

use such fraudulently Using the computer to solicit minors into sexual alliances Violating copyright laws by copying information with the intent to sell information

like DVDs CDs Hacking into computer systems to gather large amounts of information for illegal

purposes Hacking into or illegally using a computer to change information such as grades

work reports etc Sending computer viruses or worms with the intent to destroy or ruin someone

elsersquos computer

320 Computer Crimes_________________________________ Computer crimes are criminal activities which involve the use of information technology to gain an illegal or an unauthorized access to a computer system with intent of damaging deleting or altering computer data Computer crimes also include the activities such as electronic frauds misuse of devices identity theft and data as well as system interference Computer crimes may not necessarily involve damage to physical property They rather include the manipulation of confidential data and critical information Computer crimes involve activities of software theft wherein the privacy of the users is hampered These criminal activities involve the breach of human and information privacy as also the theft and illegal alteration of system critical information The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures

3.20.1 Types of computer crime


The different types of computer crime all involve the illegal exploitation of computer and communication technology for criminal ends. While advancing technology has served as a boon to mankind, destructively directed human intellects are intent on turning that technology into a curse. Such crimes are, however, sure to be defeated, since it is truth that always triumphs. The main types of computer crime are as follows:

Hacking: Breaking into a computer system to gain unauthorized access is known as hacking, that is, defeating the security controls of a system in order to obtain illegal access to the information it stores. The unauthorized disclosure of passwords, with intent to gain access to the private communications of an organization or a user, is one of the most widely known computer crimes. Another dangerous technique is spoofing the source IP address of traffic in order to act under a false identity and remain anonymous while carrying out criminal activity.

Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. It is carried out through e-mail or by luring users into entering personal information on fake websites. Criminals often build sites with the look and feel of a popular website so that users feel safe entering their details there.

Computer Viruses: Computer viruses are programs that replicate themselves and harm the systems on a network without the knowledge of their users. Viruses spread to other computers through shared network file systems, over the Internet, or by means of removable media such as USB drives and CDs. Viruses are, after all, a form of malicious code written to harm a computer system and destroy information; writing and releasing them is a criminal activity, since infections can crash systems and destroy large amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to harass other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment all fall under the class of cyberstalking activities. Cyberstalkers often use chat rooms, online forums and social networking websites to gather information about their targets and then harass them on the basis of what they have learned. Obscene e-mails, abusive phone calls and other such serious effects of cyberstalking have made it a recognized type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity: pretending to be someone else by using that person's identity as one's own. Financial identity theft is the use of a stolen identity to obtain goods and services; commercial identity theft is the use of someone else's business name or credit card details for commercial purposes; identity cloning is the use of another person's information to live under that identity. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping the phone line outside your house and running it directly into their own computer, often without your knowledge, through a split line. Some thieves take this a step further: when you finish using your computer and sign off the network, they simply remain online and continue using the system as if they were you.

Misuse of Computer Time: This is one of the most common computer crimes, occurring all over the country: public and private employees who, on the taxpayer's or the company's time and money, surf the web or play games without authorization. In many instances supervisors do not accept this behaviour, but there is little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes to commit. Thieves take information that came out of your personal or company computer in order to discover secret or personal information, by stealing printouts, mailing lists, customer lists and the like.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complex computer crime. Wrongful programming occurs when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually includes a case supervisor, an interview team, a sketch and physical search team, a photo team, a technical evidence seizure team, a logging team, and a security and arrest team. Some important steps followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data; this includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that potential evidence is not destroyed or tampered with.
• Authenticating the data mathematically on all storage devices (for example by hashing each image at seizure and re-hashing it before analysis) in order to prove that no alterations have been made to any evidence after the computer was taken into possession.
• Documenting the dates and times associated with the computer's files when the computer was taken into evidence.
• Generating a list of keywords to facilitate the evaluation of the data on the hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next is to evaluate file slack, the unused storage area between the end of a file and the end of its last cluster; file slack is a good source of evidence for crimes committed over the Internet. Evaluating unallocated space provides information about files deleted from the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues identified during the computer search.
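The authentication and keyword steps above, as an added Python example that is not part of the original chapter: a small constructed byte string stands in for a seized disk, with an allocated file in the first 64-byte cluster, residue in that cluster's slack, and a deleted message in unallocated space. acquire() takes a bit-stream copy and records MD5 and SHA-256 hashes with a timestamp in a hypothetical chain-of-custody record, verify() re-hashes the working copy to prove it is unchanged, and keyword_search() reports each hit with its offset and whether it lies in allocated data, file slack or unallocated space. The record fields, the cluster size and the sample content are all assumptions made for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass, asdict

# Constructed stand-in for seized media: one 64-byte cluster holding an
# allocated file plus slack residue, followed by two clusters of
# unallocated space that still contain a deleted message.
CLUSTER = 64
ALLOCATED_FILE = b"report.txt: quarterly figures attached"
SLACK_RESIDUE = b"old pwd=Hunter2 "
DELETED_REMAINS = b"deleted: transfer 50000 to acct 9981, delete this"

def build_sample_media() -> bytes:
    cluster0 = (ALLOCATED_FILE + SLACK_RESIDUE).ljust(CLUSTER, b"\x00")
    unallocated = DELETED_REMAINS.ljust(2 * CLUSTER, b"\x00")
    return cluster0 + unallocated

@dataclass
class AcquisitionRecord:
    """Hypothetical chain-of-custody entry written when the image is taken."""
    case_id: str
    acquired_utc: str
    size_bytes: int
    md5: str
    sha256: str

def hash_image(image: bytes) -> tuple:
    return hashlib.md5(image).hexdigest(), hashlib.sha256(image).hexdigest()

def acquire(device: bytes, case_id: str) -> tuple:
    """Bit-stream copy of the device plus hashes computed at seizure time.
    On real media the copy is made through a write blocker (dd, ewfacquire)."""
    image = bytes(device)
    md5, sha256 = hash_image(image)
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return image, AcquisitionRecord(case_id, stamp, len(image), md5, sha256)

def verify(image: bytes, record: AcquisitionRecord) -> bool:
    """Re-hash the working copy; any mismatch means the evidence has changed."""
    md5, sha256 = hash_image(image)
    return (len(image) == record.size_bytes and md5 == record.md5
            and sha256 == record.sha256)

def region_of(offset: int, allocated_len: int) -> str:
    """Classify an offset in cluster 0 as allocated data or file slack;
    anything past the first cluster of this sample is unallocated space."""
    if offset < allocated_len:
        return "allocated"
    if offset < CLUSTER:
        return "file slack"
    return "unallocated"

def keyword_search(image: bytes, keywords: list, allocated_len: int) -> list:
    """Every occurrence of each keyword, with its offset and region."""
    hits = []
    for kw in keywords:
        start = 0
        while (pos := image.find(kw, start)) != -1:
            hits.append({"keyword": kw.decode(), "offset": pos,
                         "region": region_of(pos, allocated_len)})
            start = pos + 1
    return hits

if __name__ == "__main__":
    image, record = acquire(build_sample_media(), "CASE-2024-0001")
    print(json.dumps(asdict(record), indent=2))
    print("image verifies:", verify(image, record))
    for hit in keyword_search(image, [b"pwd", b"transfer", b"delete"], len(ALLOCATED_FILE)):
        print(hit)
    tampered = bytearray(image)
    tampered[0] ^= 0xFF
    print("tampered copy verifies:", verify(bytes(tampered), record))
```

Two hashes are recorded because courts and tools from this era expected MD5 while SHA-256 resists collision attacks; recording both at seizure lets either be checked later. The search hits show why slack and unallocated space matter: the password fragment and the deleted transfer note are invisible to a normal file listing but are found at fixed offsets in the image.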

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the e-mail scams offering investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and to commit to the following computer philosophy when you are on the net:

• Do not give personal information to anyone, or to any company you have never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open e-mails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.
• Do not download attachments from people you do not know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Do not keep passwords on your computer, and do not use common passwords such as the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works

Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records; security administrators must also be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.

3.16.5 System Policies

The schema of a database defines its structure and the type of content each data element within that structure can contain. Thanks to newer database security technologies, security administrators can now set restrictions that prevent employees with access to sensitive information from modifying the schema. By separating schema management from data management within a database system, the policy further supports the separation of duties principle, allowing DBAs to perform their database management duties while the security administrator protects the database infrastructure.

Striking a correct and efficient balance between employees' needs, corporate security policies and required workflow practices is often a moving target. Changing business needs, evolving technologies, emerging regulations and shifting economic pressures exert a real and constant impact on every organization. Success in business is about change, and for that reason a multi-factored security model, supported by comprehensive policies and the appropriate technologies, is increasingly seen as the best defence an enterprise can deploy to protect itself and its reputation.

Database security is the system, processes and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment residing on the internal network rather than within a demilitarized zone. Additional network security devices that detect and alert on malicious database protocol traffic include network intrusion detection systems along with host-based intrusion detection systems. Database security has become more critical as networks have become more open. Databases provide many layers and types of information security, typically specified in the data dictionary, including:

• Access control
• Auditing
• Authentication
• Encryption
• Integrity controls

Database security can begin with the creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms, a set of best practices that cross over the platforms, and linkages of the standards to higher-level policies and governmental regulations.

3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find weaknesses that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of the controls within the layers mentioned above, along with known vulnerabilities in the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders.

A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to PUBLIC) on objects within the database. Database objects include tables and other schema objects, and the permissions granted for SQL commands on those objects are considered in this process. Compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may affect the application software or the application server. Directly related to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is single sign-on across multiple databases and database platforms. A single sign-on system holds the database users' credentials (login ID and password) in a protected credential store and authenticates to the database on behalf of the user.

3.16.8 Activity Monitoring

Another, more sophisticated security layer is real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used to detect anomalous activity that could indicate an intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behaviour.
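A minimal version of the baseline-and-anomaly approach described above, as an added example in Python that is not from the original chapter or from any monitoring product: the monitor learns the statement shapes each account normally issues from a constructed set of captured SQL statements, then flags live statements whose shape was never seen for that account, statements containing an OR tautology (a common injection indicator), and statements touching tables classified as sensitive. The account names, table names, sample statements and the sensitivity list are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed samples of captured (account, SQL statement) pairs. The first
# set is the learning period; the second is live traffic to be checked.
BASELINE_LOG = [
    ("app_svc", "SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'"),
    ("app_svc", "SELECT phone FROM directory WHERE lastname = 'smith' AND firstname = 'ann'"),
    ("app_svc", "UPDATE directory SET phone = '555-0100' WHERE id = 42"),
    ("dba_joe", "ALTER TABLE directory ADD COLUMN mobile VARCHAR(20)"),
    ("dba_joe", "SELECT count(*) FROM directory"),
]
LIVE_LOG = [
    ("app_svc", "SELECT phone FROM directory WHERE lastname = 'lee' AND firstname = 'kim'"),
    ("app_svc", "SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' "
                "AND (select count(*) from fake) > 0 OR 1=1"),
    ("dba_joe", "SELECT ssn, salary FROM employees"),
    ("app_svc", "SELECT * FROM employees WHERE 1=1"),
]

# Assumed data classification: access to these tables is always reported.
SENSITIVE_TABLES = {"employees"}

# OR followed by a literal compared with itself, e.g. OR 1=1 or OR 'a'='a'.
TAUTOLOGY = re.compile(
    r"\bOR\s+(?:(\d+)\s*=\s*\1(?!\d)|'([^']*)'\s*=\s*'\2')", re.IGNORECASE)

def normalize(sql: str) -> str:
    """Reduce a statement to its shape: literals replaced by ?, whitespace folded."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)
    return re.sub(r"\s+", " ", shape).strip().upper()

def tables_in(sql: str) -> set:
    """Table names following FROM/JOIN/INTO/UPDATE/TABLE (good enough for alerting)."""
    found = re.findall(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][A-Za-z0-9_]*)",
                       sql, re.IGNORECASE)
    return {t.lower() for t in found}

def learn_baseline(log) -> dict:
    """Set of normal statement shapes per account."""
    baseline = defaultdict(set)
    for account, sql in log:
        baseline[account].add(normalize(sql))
    return baseline

def check(log, baseline) -> list:
    """One alert per live statement that deviates from baseline or policy."""
    alerts = []
    for account, sql in log:
        reasons = []
        if normalize(sql) not in baseline.get(account, set()):
            reasons.append("statement shape not in baseline for this account")
        if TAUTOLOGY.search(sql):
            reasons.append("OR tautology in predicate (injection indicator)")
        if tables_in(sql) & SENSITIVE_TABLES:
            reasons.append("touches sensitive table")
        if reasons:
            alerts.append({"account": account, "sql": sql, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in check(LIVE_LOG, learn_baseline(BASELINE_LOG)):
        print(alert["account"], "|", alert["sql"])
        for reason in alert["reasons"]:
            print("    -", reason)
```

Normalizing on statement shape rather than exact text is what keeps the baseline small and the false-positive rate low: the application's ordinary lookups for new names match the learned shape, while the injected lookup and the DBA's read of the employees table do not. A production monitor would also track volume per account and time of day, but the three checks shown are the ones that catch the SQL injection test described later in this chapter.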


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a certain level of segregation of duties and may provide evidence that the native audit trails were not modified by privileged administrators. Generally, however, the native audit trails of databases do not provide sufficient controls to enforce separation of duties on their own, so network- and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted both to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered where the risk is commensurate with the expenditure for such a system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident, or any other incident that results in an outage of the primary database environment; an example is replication of the primary databases to sites in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL injection attacks pose tremendous risks to web applications that depend on a database backend to generate dynamic content. In this type of attack, attackers manipulate a web application so that their own SQL is injected into the commands the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this section we look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection.

3.17.1 Automated SQL Injection Scanning

One possibility is to use an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What is a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests described here only look for basic SQL injection flaws. They will not detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner; if you cannot handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that will not actually harm your database if they succeed, but will provide evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and returns contact information. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let us experiment with this a bit. With the assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You will notice that the syntax above is a little different from that in the URL: the URL-encoded characters have been converted to their ASCII equivalents to make the example easier to follow (for example, %3d is the URL encoding of the = character and %3e of the > character), and line breaks were added for the same reason.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well behaved, the single quote in the input never reaches the database as SQL syntax (ideally because the value is bound as a query parameter; merely stripping quotes is a weak defence). This simply results in an odd lookup for someone whose first name includes a bunch of SQL, and you will see an error message from the application similar to:

Error: No user found with name mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it should not), you will see something like:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

If your web server does not display detailed error messages, you will get a more generic error such as:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is almost certainly vulnerable to SQL injection: the quote reached the database and broke the query. Some steps you can take to protect your applications against SQL injection include:

• Implement parameter checking in all applications. For example, if you are asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries; the rule of least privilege applies. If the account used to execute the query does not have permission to perform the injected action, it will not succeed.
• Use parameterized queries, stored procedures or similar techniques to prevent user input from being interpreted as SQL code. Note that a stored procedure that builds SQL from its arguments by string concatenation is just as injectable as inline SQL; binding input as parameters is what actually provides the protection.
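The browser test described above, reproduced as an added Python example against an in-memory SQLite database (this code is not from the original chapter, and the table contents are constructed). lookup_vulnerable() builds the query by string concatenation exactly as the text assumes directory.asp does, and lookup_parameterized() is the hardened form. Three first-name values are probed: the page's own payload, the same payload with its closing quote balanced, and a plain tautology. SQLite's error text differs from SQL Server's, but the behaviour is the same: the vulnerable lookup reports a database error naming the injected table (or a syntax error for the unbalanced quote) and returns every row for the tautology, while the parameterized lookup simply finds nobody with that name.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the directory table behind directory.asp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO directory VALUES (?, ?, ?)",
        [("chapple", "mike", "555-0101"), ("smith", "ann", "555-0102")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, lastname: str, firstname: str) -> list:
    """Query text built by concatenation: the input becomes part of the SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, lastname: str, firstname: str) -> list:
    """Placeholders: the input is bound as data and cannot alter the statement."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]

# The page's payload, URL-decoded (+ is a space, %3e is '>', %3d is '=').
PAGE_PAYLOAD = "mike' AND (select count(*) from fake) > 0 OR 1=1"
# Same probe with the quote that closes the original literal balanced, so the
# injected statement parses and name resolution (the missing table) is what fails.
BALANCED_PAYLOAD = "mike' AND (select count(*) from fake) > 0 OR '1'='1"
# Classic tautology: returns every row instead of one.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"

def probe(lookup, conn: sqlite3.Connection, firstname: str) -> tuple:
    """Run one test value and return what the tester would observe."""
    try:
        rows = lookup(conn, "chapple", firstname)
        return ("rows", len(rows))
    except sqlite3.Error as exc:
        return ("error", str(exc))

def run_all() -> dict:
    """Each payload against both implementations, keyed by payload name."""
    conn = make_db()
    results = {}
    for name, payload in [("page", PAGE_PAYLOAD), ("balanced", BALANCED_PAYLOAD),
                          ("tautology", TAUTOLOGY_PAYLOAD)]:
        results[name] = {
            "vulnerable": probe(lookup_vulnerable, conn, payload),
            "parameterized": probe(lookup_parameterized, conn, payload),
        }
    return results

if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:10s} vulnerable={outcome['vulnerable']}  "
              f"parameterized={outcome['parameterized']}")
```

Note the trailing quote: as written on the page, the payload leaves the original closing quote dangling, so most databases reject the statement as a syntax error rather than complaining about the object name. Either error confirms that the quote was interpreted as SQL, which is the point of the test; the balanced variant is what produces the "invalid object name" message the text describes.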

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full retrieval and examination of data found on the SIM/USIM, the phone body itself and any optional memory cards. Data retrieved and examined can include images, videos, text (SMS) messages, call times and contact numbers.

Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through specialist companies and are no longer reserved for the highest-profile murder enquiries; they are used by individuals checking whether a partner or lover has been cheating on them, by human resources departments who need to prove whether "that" phone call was actually taken, and by private investigators checking whether a client was where they say they were at a given time. These are just a few of the hundreds of reasons mobile phone forensics is becoming more and more important to the military, investigative agencies (police forces, security agencies, private investigators), human resources departments and private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoing going to be stored? Even if you are not the sort of person to record wrongdoing, human nature says that you will tell at least someone. On a computer, such records could be stored in your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange database), your NSF file (Lotus Notes), your DBX files (Microsoft Outlook Express), individual MSG files (saved Outlook messages) and EML files (generic e-mail files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, 3G USIM cards, the phone's internal memory, or memory cards (mainly MMC, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative tools but must also have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data is achieved for the client in a sound and forensically correct manner.

A more recent development is cell site analysis: using the location of the cellular transmitter a phone was connected to in order to help agencies pinpoint the approximate whereabouts of the person under investigation. This technique was used in a very high-profile case in the United Kingdom, the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been proven in a British court of law, that does not mean it is accepted throughout the world. There are also downsides. Simply passing the phone in question to a colleague or accomplice means that the phone would be in another place at the time of a call and therefore not at the scene of the crime. There is also the problem of "pay-as-you-go" prepaid phones, which have no legal tie to their owner; this is something that is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital fraud, or computer crime, refers to criminal activity in which a computer, laptop, network or other digital device is used for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for the criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence showing e-mails, pictures, deleted files, instant messages and much more, all with date and time history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant as the use of computers becomes an ever greater part of daily life. The definition of what constitutes computer fraud grows ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when walking down the street, or in your own home when you lock up at night, you have to be careful of the many forms of computer fraud that will find their way onto your computer.

3.19.1 What is Computer Fraud?

You do not have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the Internet continues to thrive, with new technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts could ever have predicted.

In modern times hackers are more than just bored teenagers with a few computer skills. Today's cyber criminals are sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important first to learn more about it.

3.19.2 The Basis of Computer Fraud

An Internet attacker needs access to your personal information before they can victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used both by criminals and by legitimate companies; once installed on a computer, it can monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and e-mail domain. This information is often found in your browser history, cache or temporary Internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware has typically got onto systems by abusing a Microsoft technology known as ActiveX. ActiveX is not a language but a component technology that allows web pages viewed in Internet Explorer to run native code on the user's machine; it was used to enrich many popular web pages. When an ActiveX control is itself malicious, or a legitimate one is exploited by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once criminals have access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgages and automobile loans. You may even find yourself in trouble with the law for crimes you did not commit. Computer fraud has the power to be one of the most devastating crimes you will ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive: as the saying goes, one man's trash is another man's treasure.

There are many legal ramifications for those practising computer fraud, especially when the practice can be shown to be harmful and physically or financially damaging to others. Most laws make a distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is common among new computer users and is not really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if convicted of minor fraud, and at maximum people who steal information or money via computer, directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud include:

Sending hoax emails intended to scare people Illegally using someone elsersquos computer or ldquoposingrdquo as someone else on the

Internet Using spyware to gather information about people Emails requesting money in return for ldquosmall depositsrdquo Pyramid schemes or investment schemes via computer with the intent to take

and use someone elsersquos money Emails attempting to gather personal information to be used to access and use

credit cards or social security numbers Using someone elsersquos computer to access personal information with the intent to

use such fraudulently Using the computer to solicit minors into sexual alliances Violating copyright laws by copying information with the intent to sell information

like DVDs CDs Hacking into computer systems to gather large amounts of information for illegal

purposes Hacking into or illegally using a computer to change information such as grades

work reports etc Sending computer viruses or worms with the intent to destroy or ruin someone

elsersquos computer

320 Computer Crimes_________________________________ Computer crimes are criminal activities which involve the use of information technology to gain an illegal or an unauthorized access to a computer system with intent of damaging deleting or altering computer data Computer crimes also include the activities such as electronic frauds misuse of devices identity theft and data as well as system interference Computer crimes may not necessarily involve damage to physical property They rather include the manipulation of confidential data and critical information Computer crimes involve activities of software theft wherein the privacy of the users is hampered These criminal activities involve the breach of human and information privacy as also the theft and illegal alteration of system critical information The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures

3201 Types of computer crime

All Rights Reserved wwwsedulitygroupscom 40

The different types of computer crimes involve an illegal exploitation of the computer and communication technology for criminal activities While the advancing technology has served as a boon to mankind the destructively directed human intellects are all set to turn technology into a curse

All Rights Reserved wwwsedulitygroupscom 41

However crimes are sure to end as it is truth that always triumphs Types of the Computer Crimes are as follows

Hacking The activity of breaking into a computer system to gain an unauthorized access is known as hacking The act of defeating the security capabilities of a computer system in order to obtain an illegal access to the information stored on the computer system is called hacking The unauthorized revelation of passwords with intent to gain an unauthorized access to the private communication of an organization of a user is one of the widely known computer crimes Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity thus remaining anonymous while carrying out the criminal activities

Phishing Phishing is the act of attempting to acquire sensitive information like usernames passwords and credit card details by disguising as a trustworthy source Phishing is carried out through emails or by luring the users to enter personal information through fake websites Criminals often use websites that have a look and feel of some popular website which makes the users feel safe to enter their details there Computer Viruses Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users Viruses spread to other computers through network file system through the network Internet or by the means of removable devices like USB drives and CDs Computer viruses are after all forms of malicious codes written with an aim to harm a computer system and destroy information Writing computer viruses is a criminal activity as virus infections can crash computer systems thereby destroying great amounts of critical data

Cyberstalking

The use of communication technology mainly the Internet to torture other individuals is known as cyberstalking False accusations transmission of threats and damage to data and equipment fall under the class of cyberstalking activities Cyberstalkers often target the users by means of chat rooms online forums and social networking websites to gather user information and harass the users on the basis of the information gathered Obscene emails abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime

Identity Theft

This is one of the most serious frauds as it involves stealing money and obtaining other benefits through the use of a false identity It is the act of pretending to be someone else by using someone elses identity as ones own Financial identity theft involves the use of a false identity to obtain goods and services and a commercial identity theft is the using of someone elsersquos business name or credit card details for commercial purposes Identity cloning is the use of another users information to pose as a false user Illegal migration terrorism and blackmail are often made possible by means of identity theft

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees, on the taxpayers' or the company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.
• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.
• Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
• Documenting the date and time associated with computer files when the computer was taken into evidence.
• Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack (the unused data storage area between the end of a file and the end of its last cluster). File slack is a good source of evidence when investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
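The authentication, timestamp and keyword steps above, as an added example that is not the page's or any vendor's code: it hashes a constructed disk image into a custody record, re-verifies a working copy against it, and runs a keyword list over the raw image, reporting whether each hit lies in a live file, in that file's slack, or in unallocated space. The 512-byte cluster size, the image layout and the file names are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timezone

CLUSTER = 512  # assumed cluster size of the constructed image

# Constructed sample content (not real evidence). notes.txt occupies the start of
# cluster 0; the rest of that cluster is slack left over from an earlier, longer file.
NOTES = b"Meeting notes: discuss ACME contract renewal next week.\n"
SLACK_REMNANT = b"...prior draft: wire transfer instructions attached to this message..."
DELETED_REMNANT = b"Invoice 4471 issued to ACME Ltd, paid by wire transfer on 12 March."


def build_sample_image():
    """Return (image_bytes, allocation). allocation maps a file name to
    (start_offset, logical_length). Cluster 0 is allocated to notes.txt,
    clusters 1-3 are unallocated; cluster 2 still holds a deleted file's content."""
    cluster0 = (NOTES + SLACK_REMNANT).ljust(CLUSTER, b"\x00")
    cluster1 = b"\x00" * CLUSTER
    cluster2 = DELETED_REMNANT.ljust(CLUSTER, b"\x00")
    cluster3 = b"\x00" * CLUSTER
    image = cluster0 + cluster1 + cluster2 + cluster3
    allocation = {"notes.txt": (0, len(NOTES))}
    return image, allocation


def hash_image(image: bytes) -> str:
    """SHA-256 of the whole image: the mathematical authentication of the evidence."""
    return hashlib.sha256(image).hexdigest()


def record_acquisition(label, image, file_times, acquired_at=None):
    """Chain-of-custody record: the hash lets a later examiner prove the copy is
    unaltered, and the file timestamps are documented at the moment of seizure."""
    if acquired_at is None:
        acquired_at = datetime.now(timezone.utc).isoformat()
    return {
        "label": label,
        "sha256": hash_image(image),
        "size": len(image),
        "acquired_at": acquired_at,
        "file_times": dict(file_times),
    }


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash the working copy and compare it with the acquisition record."""
    return len(image) == record["size"] and hash_image(image) == record["sha256"]


def classify_offset(offset: int, allocation: dict) -> str:
    """Say whether an offset lies in a live file, in that file's slack, or in unallocated space."""
    for name, (start, length) in allocation.items():
        logical_end = start + length
        cluster_end = start + -(-length // CLUSTER) * CLUSTER  # round up to cluster boundary
        if start <= offset < logical_end:
            return f"allocated:{name}"
        if logical_end <= offset < cluster_end:
            return f"slack:{name}"
    return "unallocated"


def keyword_hits(image: bytes, keywords, allocation: dict):
    """Case-insensitive raw search of the whole image, so slack and unallocated
    space are covered as well as live files. Returns (keyword, offset, region)."""
    haystack = image.lower()
    hits = []
    for kw in keywords:
        needle = kw.lower().encode()
        pos = haystack.find(needle)
        while pos != -1:
            hits.append((kw.lower(), pos, classify_offset(pos, allocation)))
            pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    image, allocation = build_sample_image()
    record = record_acquisition("disk0.dd (constructed)", image,
                                {"notes.txt": "2024-03-01T08:00:00Z"})
    print("working copy verified:", verify_image(image, record))
    for kw, off, region in keyword_hits(image, ["ACME", "wire transfer"], allocation):
        print(f"{kw!r} at offset {off} ({region})")
```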

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws governing it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number, or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open emails from strangers.
• Install anti-virus software and spam-blocking programs on your computer and your email program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


3.16.6 Vulnerability Assessments and Compliance

An important procedure when evaluating database security is performing vulnerability assessments against the database. A vulnerability assessment attempts to find vulnerability holes that could be used to break into the database. Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects listed in the Table link. The permissions granted for SQL language commands on objects are considered in this process. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of on-going risk assessment. The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. In direct relation to this topic is that of application security.

3.16.7 Abstraction

Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.

3.16.8 Activity Monitoring

Another security layer of a more sophisticated nature includes real-time database activity monitoring, either by analyzing protocol traffic (SQL) over the network, or by observing local database activity on each server using software agents, or both. Analysis can be performed to identify known exploits or policy breaches, or baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection mechanisms, and some systems can also provide a degree of protection by terminating user sessions and/or quarantining users demonstrating suspicious behavior.
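One way the baseline-and-policy monitoring described in 3.16.8 can work, as an added example that is not the page's or any product's code: it learns per-account statement shapes from a known-good window, then flags live statements whose shape is new, that touch tables outside a per-account policy, or that carry an always-true OR clause, and names accounts that cross a threshold as candidates for session termination. The log format, the account names and the policy table are assumptions; all log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): "<timestamp> <db account> <sql text>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")

# Policy (assumption): the tables each account is allowed to touch.
ALLOWED_TABLES = {
    "app_user": {"directory"},
    "batch_user": {"directory", "audit_trail"},
}

TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
# Known policy breach: an always-true OR clause such as OR 1=1 or OR 'a'='a'.
TAUTOLOGY_RE = re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b|\bOR\s+'([^']*)'\s*=\s*'\2'", re.I)

# Constructed known-good window used to build the baseline.
TRAINING_LOG = [
    "2024-03-01T09:00:00Z app_user SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'",
    "2024-03-01T09:00:05Z app_user SELECT phone FROM directory WHERE lastname = 'smith' AND firstname = 'ann'",
    "2024-03-01T09:01:00Z batch_user INSERT INTO audit_trail (actor, action) VALUES ('app', 'lookup')",
]
# Constructed live traffic: one normal lookup, one injection-shaped lookup,
# one read of a table outside policy, one normal batch insert.
LIVE_LOG = [
    "2024-03-02T10:00:00Z app_user SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'jo'",
    "2024-03-02T10:00:07Z app_user SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1",
    "2024-03-02T10:00:09Z app_user SELECT ssn FROM customers WHERE region = 'eu'",
    "2024-03-02T10:02:00Z batch_user INSERT INTO audit_trail (actor, action) VALUES ('app', 'lookup')",
]


def parse_line(line):
    """Split a log line into (timestamp, account, sql), or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None


def fingerprint(sql: str) -> str:
    """Collapse a statement to its shape: literals become '?', whitespace and case are normalised."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)      # string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)  # numeric literals
    shape = re.sub(r"\s+", " ", shape).strip()
    return shape.upper()


def learn_baseline(lines):
    """Training window: record every (account, statement shape) pair seen as normal."""
    baseline = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            _, user, sql = parsed
            baseline[user].add(fingerprint(sql))
    return baseline


def check_statement(user, sql, baseline):
    """Return the list of reasons a statement is suspicious (empty when it is normal)."""
    reasons = []
    if fingerprint(sql) not in baseline.get(user, set()):
        reasons.append("statement shape not in baseline for this account")
    for table in sorted({t.lower() for t in TABLE_RE.findall(sql)}):
        if table not in ALLOWED_TABLES.get(user, set()):
            reasons.append(f"table '{table}' outside policy for this account")
    if TAUTOLOGY_RE.search(sql):
        reasons.append("tautology in WHERE clause (known injection pattern)")
    return reasons


def monitor(lines, baseline, quarantine_after=2):
    """Return (findings, accounts to quarantine). A finding is (timestamp, account, reasons)."""
    findings, per_user = [], defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, user, sql = parsed
        reasons = check_statement(user, sql, baseline)
        if reasons:
            findings.append((ts, user, reasons))
            per_user[user] += 1
    quarantine = {u for u, n in per_user.items() if n >= quarantine_after}
    return findings, quarantine


if __name__ == "__main__":
    base = learn_baseline(TRAINING_LOG)
    found, to_quarantine = monitor(LIVE_LOG, base)
    for ts, user, reasons in found:
        print(ts, user, "; ".join(reasons))
    print("quarantine:", sorted(to_quarantine))
```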


3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system where the database administrators do not have access. This ensures a certain level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network and/or kernel-module-level host-based monitoring capabilities provide a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is that of replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. For an example, see the article SQL Injection Attacks on Databases. In this article we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.
• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.
• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
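The probe from 3.17.2 and the parameter-binding and input-check mitigations above, as an added example that is not the page's own code: an in-memory SQLite stand-in for the directory table, the concatenated query beside its parameterised form, and a classifier for the test outcome in the terms of 3.17.3. The probe is a variant of the page's with balanced quoting (an assumption for the example) and the table contents are constructed.

```python
import sqlite3

# The page's probe with its quoting kept balanced (a variant chosen for the example).
# It references a table that does not exist, so on a vulnerable path the database
# raises an error without any data being read or changed.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_directory_db():
    """Constructed in-memory stand-in for the page's directory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    con.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                    [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0101")])
    return con


def lookup_vulnerable(con, lastname, firstname):
    """Builds the statement by string concatenation, as the page assumes directory.asp does."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in con.execute(sql)]


def lookup_parameterised(con, lastname, firstname):
    """Hardened form: bound parameters, so the input is only ever a value, never SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in con.execute(sql, (lastname, firstname))]


def validate_customer_number(raw: str) -> int:
    """Parameter check from the mitigation list: a customer number must be numeric."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("customer number must be numeric")
    return int(raw)


def run_probe(lookup, con) -> str:
    """Apply the page's test and classify the outcome as section 3.17.3 does."""
    try:
        rows = lookup(con, "chapple", PROBE)
    except sqlite3.Error as exc:
        # On the concatenated path the "fake" table reaches the engine: error leaks.
        return f"vulnerable: database error reached the caller ({exc})"
    if rows:
        return "vulnerable: tautology returned rows"
    return "not vulnerable: probe handled as a literal first name"


if __name__ == "__main__":
    con = make_directory_db()
    print("concatenated  :", run_probe(lookup_vulnerable, con))
    print("parameterised :", run_probe(lookup_parameterised, con))
```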

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers. Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries, but are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given specific time. The above are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the lives of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals. These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSF (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go/Prepaid' types of phone, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law. Digital Computer Fraud is rampant, as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure. There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud, with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people
• Illegally using someone else's computer or "posing" as someone else on the Internet
• Using spyware to gather information about people
• Emails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While the advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.

Phishing Phishing is the act of attempting to acquire sensitive information like usernames passwords and credit card details by disguising as a trustworthy source Phishing is carried out through emails or by luring the users to enter personal information through fake websites Criminals often use websites that have a look and feel of some popular website which makes the users feel safe to enter their details there Computer Viruses Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users Viruses spread to other computers through network file system through the network Internet or by the means of removable devices like USB drives and CDs Computer viruses are after all forms of malicious codes written with an aim to harm a computer system and destroy information Writing computer viruses is a criminal activity as virus infections can crash computer systems thereby destroying great amounts of critical data

Cyberstalking

The use of communication technology mainly the Internet to torture other individuals is known as cyberstalking False accusations transmission of threats and damage to data and equipment fall under the class of cyberstalking activities Cyberstalkers often target the users by means of chat rooms online forums and social networking websites to gather user information and harass the users on the basis of the information gathered Obscene emails abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime

Identity Theft

This is one of the most serious frauds as it involves stealing money and obtaining other benefits through the use of a false identity It is the act of pretending to be someone else by using someone elses identity as ones own Financial identity theft involves the use of a false identity to obtain goods and services and a commercial identity theft is the using of someone elsersquos business name or credit card details for commercial purposes Identity cloning is the use of another users information to pose as a false user Illegal migration terrorism and blackmail are often made possible by means of identity theft

Data Transfer Theft Thieves can take your personal information by tapping into your phone line outside your house and run the line directly into their own computer This can often be done without even you knowing it through split lines Some thieves will even take this a step further When youre done using your computer and sign off the network they simply remain online and continue using the system as if it were actually you

Misuse of Computer Time This is one of the most common computer crimes happening all over the country Public and private employees who on the taxpayers or companys time and money surf the computer or play games without proper authorization This kind of behavior in many instances is not accepted by supervisors but theres little way to regulate it

Computer Output Theft This is probably one of the easiest computer crimes today Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information They do this by taking computer printouts mailing lists customer lists and etc

Desktop Forgery This is becoming increasingly common in corporate America With computer technology and desktop publishing programs thieves copy official letterhead documents passports birth certificates cash receipts for personal gain

Wrongful Programming This is a complicated computer crime Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someones personal information 321 Steps for Computer Crime Investigation______________ In order to investigate a cyber crime a team is commissioned that usually contains members including the case supervisor interview team sketch and physical search team photo team technical evidence seizure team logging team and security and arrest team Some important steps that are followed during an investigation include

Documenting hardware configuration of the affected system Making copies of relevant logs and data This includes make bit stream backups

of all hard disk drives Transporting the computer to a secured location so that any potential evidence

does not get destroyed or hampered Authenticating data mathematically on all storage devices in order to prove that

no alterations have been done to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive

All Rights Reserved wwwsedulitygroupscom 42

The most critical step in investigating a computer crime is to evaluate the Windows Swap file that contains valuable information Next important thing is to evaluate the file slack or the data storage area File slack is a good source to investigate crimes committed through internet

Evaluating of unallocated space provides necessary information about deleted files on the computer Encrypted compressed and graphic files should be evaluated manually

Finally it is important to document findings and issues that have been identified during the computer search

322 Recommendations________________________________ Even though there are stiff penalties for committing computer fraud laws governing against it may be difficult to enforce Some of the email scams for investment opportunities and get rich quick schemes originate outside of the US and it may be difficult to instigate investigations on foreign soil Itrsquos therefore wise to be wary and commit to the following computer philosophy when yoursquore on the net

Do not give personal information to anyone or to any company yoursquove never heard of before This includes your full name your address your phone number credit card number social security numbers or information about the people in your household

Do not pay attention to get rich quick schemes If they seem too good to be true they absolutely are

Do not open emails from strangers Install anti-viral software and spam blocking programs on your computer and your email program

Donrsquot download attachments from people you donrsquot know Teach your children about safe communication on the Internet to protect them

from Internet predators Donrsquot keep passwords on your computer and do not use common passwords like

the names of your kids birthdays or other guessable words Never give your password to someone else

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 35: Ch3 - Digital Evidence & Frauds

3.16.9 Native Audit

In addition to using external tools for monitoring or auditing, native database audit capabilities are also available for many database platforms. The native audit trails are extracted on a regular basis and transferred to a designated security system to which the database administrators do not have access. This ensures a level of segregation of duties that may provide evidence that the native audit trails were not modified by authenticated administrators. Generally, the native audit trails of databases do not provide sufficient controls to enforce separation of duties; therefore, network-level and/or kernel-module-level host-based monitoring provides a higher degree of confidence for forensics and preservation of evidence.

3.16.10 Process and Procedures

A database security program should include the regular review of permissions granted to individually owned accounts and to accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system. In conjunction with a sound database security program, an appropriate disaster recovery program should exist to ensure that service is not interrupted during a security incident or any other incident that results in an outage of the primary database environment. An example is replication of the primary databases to sites located in different geographical regions. After an incident occurs, database forensics should be employed to determine the scope of the breach and to identify appropriate changes to systems and/or processes to prevent similar incidents in the future.

3.17 Testing For SQL Injection Vulnerabilities______________

SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued to the database. For an example, see the article "SQL Injection Attacks on Databases". In this section we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.

3.17.1 Automated SQL Injection Scanning

One possibility is using an automated web application vulnerability scanner such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.

3.17.2 Manual SQL Injection Tests

What's a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser.

First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR 1=1

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow; for example, %3d is the URL encoding of the = character. I also added some line breaks for the same reason.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as:

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL Injection attacks include:

Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
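The directory lookup assumed in 3.17.2, built both ways so that the text's probe can be tried against each. This is an added example, not code from the course text or the article it cites; it uses an in-memory SQLite table with constructed sample rows as a stand-in for the SQL Server backend, and the name check and function names are assumptions of the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the 'directory' table of section 3.17.
SAMPLE_ROWS = [
    ("chapple", "mike", "555-0100"),
    ("o'brien", "pat", "555-0155"),
]

# The text's innocuous probe with its URL encoding undone (%3e is '>', %3d is '=').
PROBE_FIRSTNAME = "mike' AND (select count(*) from fake) > 0 OR 1=1"

# Parameter check from the recommendations: letters, spaces, hyphens and the
# apostrophe that real surnames contain. Assumed shape, not from the text.
NAME_PATTERN = re.compile(r"^[A-Za-z' -]{1,40}$")


def open_directory_db():
    """Build the in-memory stand-in for the directory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_phone_vulnerable(conn, lastname, firstname):
    """The lookup the text assumes directory.asp performs: the request values are
    pasted into the SQL text, so whatever they contain is parsed as SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_phone_parameterized(conn, lastname, firstname):
    """Hardened form: placeholders send the values separately from the SQL text,
    so the probe is only ever compared as a (non-matching) first name."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def name_is_well_formed(value):
    """Reject input that cannot be a name before any query runs. This complements
    parameterization rather than replacing it: o'brien must still pass."""
    return bool(NAME_PATTERN.match(value))


def classify_probe(lookup, conn, lastname, firstname):
    """The evaluation step of 3.17.3 in code. A database error means the input
    reached the SQL parser (vulnerable); a normal, possibly empty, result means
    it was handled as data."""
    try:
        rows = lookup(conn, lastname, firstname)
    except sqlite3.OperationalError as exc:
        # SQL Server in the text complains about the missing table 'fake';
        # SQLite stops at the probe's unbalanced quote. Both prove the point.
        return {"vulnerable": True, "error": str(exc)}
    return {"vulnerable": False, "rows": rows}


if __name__ == "__main__":
    db = open_directory_db()
    for label, fn in (("concatenated", lookup_phone_vulnerable),
                      ("parameterized", lookup_phone_parameterized)):
        print(label, classify_probe(fn, db, "chapple", PROBE_FIRSTNAME))
        print(label, "o'brien:", classify_probe(fn, db, "o'brien", "pat"))
```

The second run shows why the quote-stripping behaviour described in 3.17.3 is not a complete fix: a legitimate surname with an apostrophe breaks the concatenated query but is looked up correctly by the parameterized one.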

3.18 Mobile Forensics_________________________________

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile Phone Forensics, or Cell Phone Forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by Private Investigators who are checking to see if the client was where they say they were at a given time. These are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the work of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS (Lotus Notes), your MSG (Microsoft Outlook Express) and your EML (generic email files), amongst others.

All these records are kept digitally on various storage devices, be they mobile phone SIM cards, perhaps mobile phone 3G USIM cards, the generic mobile phone memory or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go / Prepaid' types of phones, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS_________________________________

Digital Fraud, or Computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud

You don't have to be an expert in business marketing to know that E-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.

In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software often used by hackers and legitimate companies. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it. Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based language that adds ease to the process of surfing the internet. This technology makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can then be used to install spyware and other malicious programs onto your system.

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused for credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit. Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data in your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. As the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people.

Illegally using someone else's computer or "posing" as someone else on the Internet.

Using spyware to gather information about people.

Emails requesting money in return for "small deposits".

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.

Using someone else's computer to access personal information with the intent to use it fraudulently.

Using the computer to solicit minors into sexual alliances.

Violating copyright laws by copying information with the intent to sell it, such as DVDs and CDs.

Hacking into computer systems to gather large amounts of information for illegal purposes.

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; rather, they include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows.

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system.

Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered.

Authenticating data mathematically on all storage devices in order to prove that no alterations have been done to any of the evidence after the computer was taken into possession.

Documenting the date and time associated with computer files when the computer was taken into evidence.

Generating a list of keywords in order to facilitate the evaluation of data on a computer hard disk drive.

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or unused data storage area; file slack is a good source for investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
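The authentication, timestamp and keyword steps of 3.21 in code, as an added example that is not tooling from the course: it hashes every file under an evidence directory into a manifest together with the file system timestamps, re-verifies that manifest later, and scans a file or raw image byte by byte for the case keyword list. The directory layout, file names and function names in the demo are constructed for the example.

```python
import hashlib
import json
import os
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so a full disk image can be handled."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record every file's hash, size and file system timestamps as they
    stood when the evidence was taken into possession."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            files[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "accessed_utc": datetime.fromtimestamp(st.st_atime, timezone.utc).isoformat(),
            }
    return {"collected_utc": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(root, manifest):
    """Re-hash everything listed; an empty result is the evidence that nothing
    was altered after seizure. Returns (relative path, problem) pairs."""
    problems = []
    for rel, rec in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif hash_file(path) != rec["sha256"]:
            problems.append((rel, "hash mismatch"))
    return problems


def keyword_hits(path, keywords, chunk_size=1 << 20):
    """Scan every byte of a file or raw image (so slack and unallocated areas of
    an image are covered) for the case keyword list; returns byte offsets per
    keyword. Chunks overlap by the longest keyword minus one so a hit that
    straddles a chunk boundary is found exactly once."""
    needles = {k: k.encode("utf-8") for k in keywords}
    overlap = max(len(n) for n in needles.values()) - 1
    hits = {k: [] for k in keywords}
    tail, offset = b"", 0  # offset = file position of the first byte of data
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            base = offset - len(tail)
            for key, needle in needles.items():
                i = buf.find(needle)
                while i >= 0:
                    if i + len(needle) > len(tail):  # ends in new data: not yet counted
                        hits[key].append(base + i)
                    i = buf.find(needle, i + 1)
            offset += len(data)
            tail = buf[-overlap:] if overlap else b""
    return hits


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed evidence folder for the demo
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting with chapple about the wire transfer")
    manifest = build_manifest(root)
    print(json.dumps(manifest, indent=2))
    print("problems after re-check:", verify_manifest(root, manifest))
    print("keyword hits:", keyword_hits(os.path.join(root, "notes.txt"), ["transfer", "chapple"]))
```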

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net.

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 36: Ch3 - Digital Evidence & Frauds

All Rights Reserved wwwsedulitygroupscom 36

First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1'='1'

You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the = character. I also added some line breaks for similar purposes.

3.17.3 Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL. You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'


[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error such as the following.

3.17.4 Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator and inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either one of the two errors above, your application is vulnerable to SQL injection attack. Some steps that you can take to protect your applications against SQL injection attacks include:

• Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.

• Limit the permissions of the account that executes SQL queries. The rule of least privilege applies: if the account used to execute the query doesn't have permission to execute it, it will not succeed.

• Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
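To make the vulnerable lookup and its hardened form concrete, here is an added example (not from the chapter or the original article) that runs the page's probe string against both versions of the directory query. It uses Python's sqlite3 as a stand-in for the SQL Server database behind directory.asp, and the table rows are constructed.

```python
import re
import sqlite3

# Constructed rows standing in for the page's "directory" table. The chapter's
# example runs against SQL Server behind directory.asp; SQLite is used here
# only so the example runs offline, the injection behaviour is the same.
ROWS = [
    ("chapple", "mike", "555-0100"),
    ("chapple", "anna", "555-0101"),
    ("smith", "mike", "555-0102"),
]

# The probe from the page: closes the quoted literal, references a table that
# does not exist, and appends an always-true condition.
PROBE = "mike' AND (select count(*) from fake) > 0 OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """The pattern the page describes: request values spliced into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def is_well_formed_name(value):
    """Parameter checking (the page's first mitigation): a name field should
    hold only letters and hyphens, so the probe is rejected before any query."""
    return re.fullmatch(r"[A-Za-z-]{1,40}", value) is not None


def classify(conn, lookup):
    """Run the page's probe through a lookup and report what happened."""
    try:
        rows = lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        # The probe reached the SQL engine: 'no such table: fake' is the
        # SQLite counterpart of the "Invalid object name 'fake'" error above.
        return "vulnerable: database error leaked (%s)" % exc
    if not rows:
        return "safe: no user with that literal first name"
    return "vulnerable: %d rows returned" % len(rows)


if __name__ == "__main__":
    db = make_db()
    print("string-built query :", classify(db, lookup_vulnerable))
    print("parameterized query:", classify(db, lookup_parameterized))
    print("input check rejects probe:", not is_well_formed_name(PROBE))
```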

3.18 Mobile Forensics

Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This includes full data retrieval and examination of data found on the SIM/USIM, the phone body itself and the optional memory cards. Data retrieved and examined can include images, videos, text or SMS messages, call times and contact numbers.

Mobile phone forensics, or cell phone forensics, is improving daily. These services are now commercially available through certain specialist companies and are no longer reserved for the most high-profile murder enquiries; they are also used by individuals checking to see if their partner or lover has been cheating on them, by Human Resources who need to prove whether "that" phone call was actually taken, or by private investigators who are checking to see if the client was where they say they were at a given specific time. These are of course just a few of the hundreds of examples of why mobile phone forensics is becoming more and more important in the work of the military, investigative agencies (police forces, security agencies, private investigators), human resources and indeed private individuals.

These days, along with the computer, the mobile phone is the police officer's first port of call. Where are you likely to record everything? Where are the records of wrongdoings going to be stored? Even if you are not the sort of person to record wrongdoings, human nature states that you will tell at least someone. On a computer they could be stored within your PST file (Microsoft Outlook personal storage file), your EDB file (Microsoft Exchange storage file), your NSS file (Lotus Notes), your MSG files (Microsoft Outlook Express) and your EML files (generic email files), amongst others.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the phone's own internal memory or memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigation technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. The technology is relatively new, and although it has been proved in a British court of law, that does not necessarily mean that it is accepted throughout the world.

There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a phone call, and therefore not at the scene of the crime in question. There is also the problem with 'Pay-As-You-Go' or prepaid types of phone, which have no legal tie to the owner. This is something which is still to be addressed.

3.19 DIGITAL FRAUDS

Digital fraud, or computer crime, refers to a criminal activity where a computer, laptop, network or other such digital device is utilized for any criminal purpose. A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity. In some ways a computer is like a constantly running video camera: an experienced computer forensics investigator can extract digital evidence which shows emails, pictures, deleted files, instant messages and much more, all with time and date history. This digital evidence is produced in a manner that will hold up in a court of law.

Digital computer fraud is rampant, as the use of computers becomes part of our daily lives with greater and greater frequency. The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive, misrepresent, destroy, steal information or cause harm to others by accessing information through deceptive and illegal means. Just as you have to be careful when you're walking down the street, or in your own home when you lock up at night, you've got to be careful of the many examples of computer fraud that will make their way onto your computer.

3.19.1 What is Computer Fraud?

You don't have to be an expert in business marketing to know that e-commerce is here to stay. Throughout the globe, more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online. As the internet continues to thrive, with technology and millions in sales, the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted.


In modern times, hackers are more than just bored teenagers with a few computer skills. The cyber criminals of today are sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.

3.19.2 The Basis of Computer Fraud

An internet attacker needs access to your personal information before they are able to victimize you. Many of them use malicious programs known as spyware to obtain it. Spyware is a type of software used by hackers and by legitimate companies alike. Once installed onto a computer, it has the ability to monitor a user's activity and collect information without their knowledge or consent. Whether you know it or not, your computer automatically stores numerous files that contain your most sensitive data, including your name, address, telephone number and email domain. This information is often found in virtual storage units such as your browser history, cache or temporary internet files. A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it.

Spyware is typically able to get into a system by manipulating a Microsoft technology known as ActiveX. ActiveX is a web-based technology that adds ease to the process of surfing the internet and makes it possible to view many of your favorite web pages. However, when ActiveX is manipulated by a cyber criminal, it can be used to install spyware and other malicious programs onto your system.

3.19.3 From Computer to Easy Theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can then be used to accrue debt, open accounts and even receive medical benefits in your name. A worst-case scenario involves your identity being completely stolen, a growing issue that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved, you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the way of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. Like the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others, however, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax emails intended to scare people.

• Illegally using someone else's computer or "posing" as someone else on the Internet.

• Using spyware to gather information about people.

• Emails requesting money in return for "small deposits".

• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.

• Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.

• Using someone else's computer to access personal information with the intent to use it fraudulently.

• Using the computer to solicit minors into sexual alliances.

• Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs.

• Hacking into computer systems to gather large amounts of information for illegal purposes.

• Hacking into or illegally using a computer to change information such as grades, work reports, etc.

• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.

3.20 Computer Crimes

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; rather, they include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime


The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse.


However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows.

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising oneself as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe to enter their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system.

• Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.

• Transporting the computer to a secured location so that any potential evidence does not get destroyed or tampered with.

• Authenticating the data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.

• Documenting the date and time associated with computer files when the computer was taken into evidence.

• Generating a list of keywords in order to facilitate the evaluation of data on the computer's hard disk drive.


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack (the unused data storage area at the end of a file). File slack is a good source when investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
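As an added example (not part of the chapter), the "authenticate mathematically" and "keyword list" steps above are carried out in Python over a constructed miniature disk image: the image is fingerprinted at acquisition, re-verified later, and the keyword scan covers allocated data, file slack and unallocated space alike, matching both ASCII and UTF-16LE text. The cluster size, file contents, examiner name and source label are all constructed for the demonstration.

```python
import hashlib
import time

# Constructed stand-in for a raw bit-stream image of a tiny volume: one
# allocated file, the stale bytes left in the rest of its last cluster (file
# slack) and an unallocated area that still holds a deleted file's remains.
CLUSTER = 64
ALLOCATED = b"Meeting notes: transfer approved by J. Doe on Friday."
SLACK_RESIDUE = b"old draft: wire the funds before the audit"
DELETED = b"DELETED MAIL: send the customer list to the usual address"
UTF16_FRAGMENT = "Confidential Report".encode("utf-16-le")  # Windows-style string


def build_image():
    """Lay the constructed regions out as one byte string, zero-padded to cluster size."""
    first_file = (ALLOCATED + SLACK_RESIDUE).ljust(CLUSTER * 2, b"\x00")
    unallocated = (DELETED + b"\x00" * 16 + UTF16_FRAGMENT).ljust(CLUSTER * 4, b"\x00")
    return first_file + unallocated


def region(offset):
    """Which part of the constructed layout an offset falls in."""
    if offset < len(ALLOCATED):
        return "allocated"
    if offset < CLUSTER * 2:
        return "file slack"
    return "unallocated"


def fingerprint(data):
    """Digests over the whole image; two algorithms so either can be re-checked later."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
            "size": len(data)}


def acquisition_record(data, examiner, source):
    """Chain-of-custody entry written when the device is taken into evidence."""
    record = fingerprint(data)
    record.update({"examiner": examiner, "source": source,
                   "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
    return record


def verify(data, record):
    """True only if the image is byte-for-byte what was recorded at acquisition."""
    current = fingerprint(data)
    return all(current[k] == record[k] for k in ("sha256", "md5", "size"))


def keyword_hits(data, keywords):
    """Scan every byte of the image, not just allocated files, for each keyword in
    ASCII and UTF-16LE form, case-insensitively. Returns (keyword, offset, encoding)."""
    hits = []
    haystack = data.lower()  # bytes.lower() folds ASCII letters only, which is all we need
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = haystack.find(needle)
            while pos >= 0:
                hits.append((kw, pos, enc))
                pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    image = build_image()
    record = acquisition_record(image, "examiner-1", "constructed demo image")
    print("image verifies:", verify(image, record))
    altered = bytearray(image)
    altered[5] ^= 0x01  # one flipped bit anywhere breaks the authentication
    print("altered copy verifies:", verify(bytes(altered), record))
    for kw, off, enc in keyword_hits(image, ["wire", "customer list", "confidential"]):
        print("%-14s at offset %3d (%s) in %s" % (kw, off, enc, region(off)))
```

The same verify step is what an examiner repeats before and after every analysis session, so that the report can state the evidence was not altered while in their possession.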

3.22 Recommendations

Even though there are stiff penalties for committing computer fraud, the laws governing it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers or information about the people in your household.

• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

• Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.

• Don't download attachments from people you don't know.

• Teach your children about safe communication on the Internet to protect them from Internet predators.

• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

• Never give your password to someone else.

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 37: Ch3 - Digital Evidence & Frauds

All Rights Reserved wwwsedulitygroupscom 37

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name fake directoryasp line 13 On the other hand if your web server doesnt display detailed error messages youll get a more generic error such as

3174 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request Please contact the server administrator to inform of the time the error occurred and of anything you might have done that may have caused the error More information about this error may be available in the server error log If you receive either one of the two errors above your application is vulnerable to SQL injection attack Some steps that you can take to protect your applications against SQL Injection attacks include

Implement parameter checking on all applications For example if youre asking someone to enter a customer number make sure the input is numeric before executing the query

Limit the permissions of the account that executes SQL queries The rule of least privilege applies

If the account used to execute the query doesnt have permission to execute it it will not succeed

Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code

318 Mobile Forensics_________________________________ Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions This includes full data retrieval and examination of data found on the SIMUSIM the phone body itself and the optional memory cards Data retrieved and examined can include images videos text or SMS messages call times and contact numbers Mobile Phone Forensics or Cell Phone Forensics is improving daily These services are now commercially available through certain specialist companies and is no longer reserved for the most high profile murder enquiries but by individuals checking to see if their partner or lover has been cheating on them by Human Resources who need to prove if ldquothatrdquo phone call was actually taken or by Private Investigators who are checking to see if the client was where they say they were at a given specific time Above are of course just a few of the hundreds of examples of why mobile phone forensics are becoming more and more important in the lives of the military investigative agencies (police forces security agencies private investigators) human resources and indeed private individuals These days along with the computer mobile phone forensics is the police officers first point of call Where are you likely to record everything Where are the records of wrong doings going to be stored Even if you are not the sort of person to record wrong doings human nature states that you will tell at least someone On a computer they could be stored within your PST file(Microsoft Outlook personal storage file) your EDB file (Microsoft Exchange storage file) your NSS (Lotus Notes) your MSG (Microsoft Outlook Express) and your EML (generic email files) amongst others

All Rights Reserved wwwsedulitygroupscom 38

All these records are kept digitally on various storage devices be they mobile phone SIM cards perhaps mobile phone 3G USIM cards the generic mobile phone memory or internal memory cards mainly MMC memory cards but not exclusively Nowadays the forensic investigator does not have to solely rely on his mobile phone investigative resources but has to have a sound knowledge of evidence handling write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner A more recent development in this technology is the cellular transmitter location which is used to assist agencies in pinpointing the approximate whereabouts of the investigated This sort of investigation technique was first used in a very high profile case in the United Kingdom namely the murder of two young girls in a town called Soham called Jessica Chapman and Holly Wells This technology is relatively new and although proved in a British court of law does not necessarily mean that it is accepted throughout the world There are of course downsides to this technology Simply by passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone in question would be in another place at the time of a phone call and therefore not be at the scene of the crime in question There is also the problem with lsquoPay-As-You-Go Prepaidrsquo type of phones which have no legal tie to the owner This is something which is still to be addressed

319 DIGITAL FRAUDS_________________________________

Digital Fraud or Computer crime refers to a criminal activity where a computer laptop network or other such digital device is utilized for any criminal purposes A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity In some ways a computer is like constantly running video camera ndash an experienced computer forensics investigator can extract digital evidence which shows emails pictures deleted files instant messages and much more all with time and date history This digital evidence is produced in a manner that will hold up in a court of law Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive misrepresent destroy steal information or cause harm to others by accessing information through deceptive and illegal means Just as you have to be careful when yoursquore walking down the street or in your own home when you lock up at night yoursquove got to be careful of the many examples of computer fraud that will make their way onto your computer 3191 What is Computer Fraud You dont have to be an expert in business marketing to know that E-commerce is here to stay Throughout the globe more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online As the internet continues to thrive with technology and millions in sales the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted

All Rights Reserved wwwsedulitygroupscom 39

In modern times hackers are more than just bored teenagers with a few computer skills Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek To make matters worse you can be a victim of computer fraud without even knowing your machine has been compromised In order to protect yourself against this type of fraud it is important to first learn more about it

3192 The Basis of Computer FraudAn internet attacker needs access to your personal information before they are able to victimize you Many of them use malicious programs known as spyware to obtain it Spyware is a type of software often used by hackers and legitimate companies Once installed onto a computer it has the ability to monitor a users activity and collect information without their knowledge or consent Whether you know it or not your computer automatically stores numerous files that contain your most sensitive data including your name address telephone number and email domain This information is often found in virtual storage units such as your browser history cache or temporary internet files A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it Spyware is typically able get into a system by manipulating a Microsoft technology known as Active X Active X is a web-based language that adds ease to the process of surfing the internet This technology makes it possible to view many of your favorite web pages However when Active X is manipulated by a cyber criminal it can then be used to install spyware and other malicious programs onto your system

3.19.3 From computer to easy theft

Once a criminal has access to your data, they have all the ammunition needed to commit computer fraud. This information can be used to accrue debt, open accounts and even receive medical benefits in your name. The worst case involves your identity being completely stolen, a growing problem that is quite difficult to rectify. In most cases, victims of identity theft spend months or years attempting to clear their name and repair damaged credit. Until these issues are resolved you are likely to be refused credit, mortgage and automobile loans. You may even find yourself in trouble with the law for crimes you didn't commit.

Computer fraud has the power to be one of the most devastating crimes you'll ever experience. For this reason, protecting the personal data on your computer should be a top priority. This can be done by implementing solid security in the form of firewalls, anti-virus programs and intrusion detection systems. If you plan on discarding a computer, be sure to completely erase the contents of your hard drive. As the saying goes, one man's trash is another man's treasure.

There are many different legal ramifications for those practicing computer fraud, especially when such practice can be shown to be harmful and physically or financially damaging to others. Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally. For instance, passing on a hoax letter about a potential virus is a common trait among new computer users and isn't really fraudulent.

Deliberately generating a hoax letter to scare others, however, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

• Sending hoax e-mails intended to scare people
• Illegally using someone else's computer, or "posing" as someone else on the Internet
• Using spyware to gather information about people
• E-mails requesting money in return for "small deposits"
• Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money
• E-mails attempting to gather personal information to be used to access and use credit cards or social security numbers
• Using someone else's computer to access personal information with the intent to use it fraudulently
• Using the computer to solicit minors into sexual alliances
• Violating copyright laws by copying information with the intent to sell it, like DVDs or CDs
• Hacking into computer systems to gather large amounts of information for illegal purposes
• Hacking into or illegally using a computer to change information such as grades, work reports, etc.
• Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic frauds, misuse of devices, identity theft, and data as well as system interference. Computer crimes do not necessarily involve damage to physical property; rather, they involve the manipulation of confidential data and critical information. Computer crimes include software theft, in which the privacy of users is compromised. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crime have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of computer crime

The different types of computer crime involve the illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crime are as follows:

Hacking

The activity of breaking into a computer system to gain unauthorized access is known as hacking: the act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it. The unauthorized revelation of passwords with the intent to gain unauthorized access to the private communication of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through e-mails or by luring users to enter personal information on fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.

Computer Viruses

Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network or the Internet, or by means of removable devices such as USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites, gathering user information and then harassing the users on the basis of the information gathered. Obscene e-mails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft

Thieves can take your personal information by tapping into the phone line outside your house and running the line directly into their own computer. This can often be done without your even knowing it, through split lines. Some thieves will take this a step further: when you are done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time

This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. In many instances this kind of behavior is not accepted by supervisors, but there is little way to regulate it.

Computer Output Theft

This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to find out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery

This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming

This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

• Documenting the hardware configuration of the affected system
• Making copies of relevant logs and data; this includes making bit-stream backups of all hard disk drives
• Transporting the computer to a secured location so that any potential evidence is not destroyed or tampered with
• Authenticating the data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession
• Documenting the date and time associated with computer files when the computer was taken into evidence
• Generating a list of keywords to facilitate the evaluation of data on the computer hard disk drive


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack (the unused space at the end of a file's last allocated cluster). File slack is a good source of evidence for investigating crimes committed through the internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
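The authentication, time-stamp documentation, slack-space and unallocated-space evaluation, and keyword-search steps above can be exercised together on a small constructed disk image. The following Python is an added example, not code from this chapter or from any forensic tool; the 512-byte sector size, the file table, the file contents, the seizure timestamp and the keywords are all constructed for illustration.

```python
"""Added example (not the chapter's own code): authenticate a seized disk
image with a hash, document file metadata, and keyword-search the image's
allocated, slack and unallocated regions.  The image, its file table, the
file contents and the keywords are all constructed for illustration."""
import hashlib

SECTOR = 512          # constructed: sector size of the sample image
IMAGE_SECTORS = 8     # constructed: 8 sectors = 4 KiB image

# Constructed file-system table: (name, first sector, sectors allocated,
# logical size in bytes).  Sectors not listed here are unallocated.
FILE_TABLE = [
    ("report.txt", 0, 1, 44),
    ("notes.txt", 1, 2, 600),
]


def build_sample_image() -> bytes:
    """Build the constructed image: one live file whose slack still holds
    old data, a second live file, and a deleted e-mail fragment in
    unallocated space (sectors 3-7)."""
    img = bytearray(SECTOR * IMAGE_SECTORS)
    live = b"Quarterly report: revenue figures attached.\n"   # 44 bytes
    img[0:len(live)] = live
    # Residue of a previously deleted file survives in report.txt's slack
    remnant = b"wire transfer approved for ACCT-PLACEHOLDER"
    img[100:100 + len(remnant)] = remnant
    notes = (b"meeting notes " * 50)[:600]
    img[SECTOR:SECTOR + len(notes)] = notes
    deleted = b"From: sender@example.invalid\nSubject: invoice 4471 overdue\n"
    img[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    return bytes(img)


def sha256_hex(data: bytes) -> str:
    """Hash used to authenticate the evidence mathematically."""
    return hashlib.sha256(data).hexdigest()


def verify_image(img: bytes, recorded_hash: str) -> bool:
    """True only if the image still matches the hash recorded at seizure."""
    return sha256_hex(img) == recorded_hash


def classify_regions(img: bytes, table):
    """Return (label, start, end) byte ranges for every allocated file, its
    slack (allocated but beyond the logical size) and unallocated sectors."""
    regions = []
    used = [False] * (len(img) // SECTOR)
    for name, first, count, size in table:
        start = first * SECTOR
        regions.append(("allocated:" + name, start, start + size))
        regions.append(("slack:" + name, start + size, start + count * SECTOR))
        for sec in range(first, first + count):
            used[sec] = True
    sec = 0
    while sec < len(used):                 # contiguous runs of free sectors
        if used[sec]:
            sec += 1
            continue
        end = sec
        while end < len(used) and not used[end]:
            end += 1
        regions.append(("unallocated", sec * SECTOR, end * SECTOR))
        sec = end
    return regions


def keyword_search(img: bytes, keywords, table):
    """Find each keyword in every region, slack and unallocated space
    included; returns (keyword, absolute offset, region label) by offset."""
    hits = []
    for label, start, end in classify_regions(img, table):
        chunk = img[start:end]
        for kw in keywords:
            pos = chunk.find(kw)
            while pos != -1:
                hits.append((kw, start + pos, label))
                pos = chunk.find(kw, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def evidence_record(img: bytes, table, seized_at: str) -> dict:
    """Seizure-time documentation: image hash, timestamp, per-file hashes."""
    return {
        "image_sha256": sha256_hex(img),
        "seized_at": seized_at,
        "files": [
            {"name": n, "first_sector": f, "sectors": c, "size": s,
             "sha256": sha256_hex(img[f * SECTOR:f * SECTOR + s])}
            for n, f, c, s in table
        ],
    }


if __name__ == "__main__":
    image = build_sample_image()
    record = evidence_record(image, FILE_TABLE, "2024-01-01T00:00:00Z")  # constructed time
    print("verified:", verify_image(image, record["image_sha256"]))
    for hit in keyword_search(image, [b"transfer", b"invoice"], FILE_TABLE):
        print(hit)
```

On a real acquisition the recorded hash comes from the seizure documentation and the image from a write-blocked bit-stream copy; the point of `verify_image` is that any later change, even a single byte, invalidates the evidence, and the point of `keyword_search` is that the hits in the slack and unallocated regions are exactly the residual and deleted data that the steps above say must not be overlooked.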

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws against it may be difficult to enforce. Some of the e-mail scams offering investment opportunities and get-rich-quick schemes originate outside the US, and it may be difficult to instigate investigations on foreign soil. It is therefore wise to be wary and commit to the following computer philosophy when you're on the net:

• Do not give personal information to anyone, or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card numbers, social security numbers or information about the people in your household.
• Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
• Do not open e-mails from strangers.
• Install anti-virus software and spam-blocking programs on your computer and in your e-mail program.
• Don't download attachments from people you don't know.
• Teach your children about safe communication on the Internet to protect them from Internet predators.
• Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.
• Never give your password to someone else.


All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the generic mobile phone memory, or internal memory cards (mainly MMC memory cards, but not exclusively). Nowadays the forensic investigator does not have to rely solely on his mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner.

A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigative technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in a town called Soham. This technology is relatively new, and although it was proved in a British court of law, that does not necessarily mean it is accepted throughout the world. There are, of course, downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a call and therefore not at the scene of the crime in question. There is also the problem of 'Pay-As-You-Go' (prepaid) phones, which have no legal tie to the owner. This is something which is still to be addressed.

Digital Fraud or Computer crime refers to a criminal activity where a computer laptop network or other such digital device is utilized for any criminal purposes A digital device such as a computer or cell phone can be a significant source of evidence even if it was not used directly for a criminal activity In some ways a computer is like constantly running video camera ndash an experienced computer forensics investigator can extract digital evidence which shows emails pictures deleted files instant messages and much more all with time and date history This digital evidence is produced in a manner that will hold up in a court of law Digital Computer Fraud is rampant as the use of computers becomes part of our daily lives with greater and greater frequency The definition of what constitutes computer fraud becomes ever more complex with the ingenuity of people who intend to deceive misrepresent destroy steal information or cause harm to others by accessing information through deceptive and illegal means Just as you have to be careful when yoursquore walking down the street or in your own home when you lock up at night yoursquove got to be careful of the many examples of computer fraud that will make their way onto your computer 3191 What is Computer Fraud You dont have to be an expert in business marketing to know that E-commerce is here to stay Throughout the globe more consumers have discovered the convenience of this system and now feel comfortable purchasing goods and services online As the internet continues to thrive with technology and millions in sales the malicious crime of computer fraud has become an issue bigger than the experts ever could have predicted

All Rights Reserved wwwsedulitygroupscom 39

In modern times hackers are more than just bored teenagers with a few computer skills Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek To make matters worse you can be a victim of computer fraud without even knowing your machine has been compromised In order to protect yourself against this type of fraud it is important to first learn more about it

3192 The Basis of Computer FraudAn internet attacker needs access to your personal information before they are able to victimize you Many of them use malicious programs known as spyware to obtain it Spyware is a type of software often used by hackers and legitimate companies Once installed onto a computer it has the ability to monitor a users activity and collect information without their knowledge or consent Whether you know it or not your computer automatically stores numerous files that contain your most sensitive data including your name address telephone number and email domain This information is often found in virtual storage units such as your browser history cache or temporary internet files A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it Spyware is typically able get into a system by manipulating a Microsoft technology known as Active X Active X is a web-based language that adds ease to the process of surfing the internet This technology makes it possible to view many of your favorite web pages However when Active X is manipulated by a cyber criminal it can then be used to install spyware and other malicious programs onto your system

3193 From computer to easy theft

Once a criminal has access to your data they have all the ammunition needed to commit computer fraud This information can then be used to accrue debt open accounts and even receive medical benefits in your name A worst case scenario involves your identity being completely stolen a growing issue that is quite difficult to rectify In most cases victims of identity theft spend months or years attempting to clear their name and repair damaged credit Until these issues are resolved you are likely to be refused for credit mortgage and automobile loans You may even find yourself in trouble with the law for crimes you didnt commit Computer fraud has the power to be one of the devastating crimes youll ever experience For this reason protecting the personal data in your computer should be a top priority This can be done by implementing solid security in the way of firewalls anti-virus programs and intrusion detection systems If you plan on discarding a computer be sure to completely erase the contents of your hard drive Like the saying goes one mans trash is another mans treasure There are many different legal ramifications for those practicing computer fraud especially when such practice can be shown to be harmful and physically or financially damaging to others Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally For instance passing on a hoax letter about a potential virus is a common trait among new computer users and isnrsquot really fraudulent

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others Generally when the a person has intentionally committed a fraudulent act via computer they can be subject to both criminal and sometimes civil prosecution and at minimum they will pay fines if theyrsquore convicted of minor fraud At maximum people who steal information or steal peoplesrsquo money via computer either directly or through fraudulent means face jail time and large fines Types of computer fraud vary and can be complex or simple Simple types of fraud might include

Sending hoax emails intended to scare people Illegally using someone elsersquos computer or ldquoposingrdquo as someone else on the

Internet Using spyware to gather information about people Emails requesting money in return for ldquosmall depositsrdquo Pyramid schemes or investment schemes via computer with the intent to take

and use someone elsersquos money Emails attempting to gather personal information to be used to access and use

credit cards or social security numbers Using someone elsersquos computer to access personal information with the intent to

use such fraudulently Using the computer to solicit minors into sexual alliances Violating copyright laws by copying information with the intent to sell information

like DVDs CDs Hacking into computer systems to gather large amounts of information for illegal

purposes Hacking into or illegally using a computer to change information such as grades

work reports etc Sending computer viruses or worms with the intent to destroy or ruin someone

elsersquos computer

320 Computer Crimes_________________________________ Computer crimes are criminal activities which involve the use of information technology to gain an illegal or an unauthorized access to a computer system with intent of damaging deleting or altering computer data Computer crimes also include the activities such as electronic frauds misuse of devices identity theft and data as well as system interference Computer crimes may not necessarily involve damage to physical property They rather include the manipulation of confidential data and critical information Computer crimes involve activities of software theft wherein the privacy of the users is hampered These criminal activities involve the breach of human and information privacy as also the theft and illegal alteration of system critical information The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures

3201 Types of computer crime

All Rights Reserved wwwsedulitygroupscom 40

The different types of computer crimes involve an illegal exploitation of the computer and communication technology for criminal activities While the advancing technology has served as a boon to mankind the destructively directed human intellects are all set to turn technology into a curse

All Rights Reserved wwwsedulitygroupscom 41

However crimes are sure to end as it is truth that always triumphs Types of the Computer Crimes are as follows

Hacking The activity of breaking into a computer system to gain an unauthorized access is known as hacking The act of defeating the security capabilities of a computer system in order to obtain an illegal access to the information stored on the computer system is called hacking The unauthorized revelation of passwords with intent to gain an unauthorized access to the private communication of an organization of a user is one of the widely known computer crimes Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity thus remaining anonymous while carrying out the criminal activities

Phishing Phishing is the act of attempting to acquire sensitive information like usernames passwords and credit card details by disguising as a trustworthy source Phishing is carried out through emails or by luring the users to enter personal information through fake websites Criminals often use websites that have a look and feel of some popular website which makes the users feel safe to enter their details there Computer Viruses Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users Viruses spread to other computers through network file system through the network Internet or by the means of removable devices like USB drives and CDs Computer viruses are after all forms of malicious codes written with an aim to harm a computer system and destroy information Writing computer viruses is a criminal activity as virus infections can crash computer systems thereby destroying great amounts of critical data

Cyberstalking

The use of communication technology mainly the Internet to torture other individuals is known as cyberstalking False accusations transmission of threats and damage to data and equipment fall under the class of cyberstalking activities Cyberstalkers often target the users by means of chat rooms online forums and social networking websites to gather user information and harass the users on the basis of the information gathered Obscene emails abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime

Identity Theft

This is one of the most serious frauds as it involves stealing money and obtaining other benefits through the use of a false identity It is the act of pretending to be someone else by using someone elses identity as ones own Financial identity theft involves the use of a false identity to obtain goods and services and a commercial identity theft is the using of someone elsersquos business name or credit card details for commercial purposes Identity cloning is the use of another users information to pose as a false user Illegal migration terrorism and blackmail are often made possible by means of identity theft

Data Transfer Theft Thieves can take your personal information by tapping into your phone line outside your house and run the line directly into their own computer This can often be done without even you knowing it through split lines Some thieves will even take this a step further When youre done using your computer and sign off the network they simply remain online and continue using the system as if it were actually you

Misuse of Computer Time This is one of the most common computer crimes happening all over the country Public and private employees who on the taxpayers or companys time and money surf the computer or play games without proper authorization This kind of behavior in many instances is not accepted by supervisors but theres little way to regulate it

Computer Output Theft This is probably one of the easiest computer crimes today Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information They do this by taking computer printouts mailing lists customer lists and etc

Desktop Forgery This is becoming increasingly common in corporate America With computer technology and desktop publishing programs thieves copy official letterhead documents passports birth certificates cash receipts for personal gain

Wrongful Programming This is a complicated computer crime Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someones personal information 321 Steps for Computer Crime Investigation______________ In order to investigate a cyber crime a team is commissioned that usually contains members including the case supervisor interview team sketch and physical search team photo team technical evidence seizure team logging team and security and arrest team Some important steps that are followed during an investigation include

Documenting hardware configuration of the affected system Making copies of relevant logs and data This includes make bit stream backups

of all hard disk drives Transporting the computer to a secured location so that any potential evidence

does not get destroyed or hampered Authenticating data mathematically on all storage devices in order to prove that

no alterations have been done to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive

All Rights Reserved wwwsedulitygroupscom 42

The most critical step in investigating a computer crime is to evaluate the Windows Swap file that contains valuable information Next important thing is to evaluate the file slack or the data storage area File slack is a good source to investigate crimes committed through internet

Evaluating of unallocated space provides necessary information about deleted files on the computer Encrypted compressed and graphic files should be evaluated manually

Finally it is important to document findings and issues that have been identified during the computer search

322 Recommendations________________________________ Even though there are stiff penalties for committing computer fraud laws governing against it may be difficult to enforce Some of the email scams for investment opportunities and get rich quick schemes originate outside of the US and it may be difficult to instigate investigations on foreign soil Itrsquos therefore wise to be wary and commit to the following computer philosophy when yoursquore on the net

Do not give personal information to anyone or to any company yoursquove never heard of before This includes your full name your address your phone number credit card number social security numbers or information about the people in your household

Do not pay attention to get rich quick schemes If they seem too good to be true they absolutely are

Do not open emails from strangers Install anti-viral software and spam blocking programs on your computer and your email program

Donrsquot download attachments from people you donrsquot know Teach your children about safe communication on the Internet to protect them

from Internet predators Donrsquot keep passwords on your computer and do not use common passwords like

the names of your kids birthdays or other guessable words Never give your password to someone else

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 39: Ch3 - Digital Evidence & Frauds

All Rights Reserved wwwsedulitygroupscom 39

In modern times hackers are more than just bored teenagers with a few computer skills Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek To make matters worse you can be a victim of computer fraud without even knowing your machine has been compromised In order to protect yourself against this type of fraud it is important to first learn more about it

3192 The Basis of Computer FraudAn internet attacker needs access to your personal information before they are able to victimize you Many of them use malicious programs known as spyware to obtain it Spyware is a type of software often used by hackers and legitimate companies Once installed onto a computer it has the ability to monitor a users activity and collect information without their knowledge or consent Whether you know it or not your computer automatically stores numerous files that contain your most sensitive data including your name address telephone number and email domain This information is often found in virtual storage units such as your browser history cache or temporary internet files A sophisticated piece of spyware can easily retrieve this information and report the details back to the source that launched it Spyware is typically able get into a system by manipulating a Microsoft technology known as Active X Active X is a web-based language that adds ease to the process of surfing the internet This technology makes it possible to view many of your favorite web pages However when Active X is manipulated by a cyber criminal it can then be used to install spyware and other malicious programs onto your system

3193 From computer to easy theft

Once a criminal has access to your data they have all the ammunition needed to commit computer fraud This information can then be used to accrue debt open accounts and even receive medical benefits in your name A worst case scenario involves your identity being completely stolen a growing issue that is quite difficult to rectify In most cases victims of identity theft spend months or years attempting to clear their name and repair damaged credit Until these issues are resolved you are likely to be refused for credit mortgage and automobile loans You may even find yourself in trouble with the law for crimes you didnt commit Computer fraud has the power to be one of the devastating crimes youll ever experience For this reason protecting the personal data in your computer should be a top priority This can be done by implementing solid security in the way of firewalls anti-virus programs and intrusion detection systems If you plan on discarding a computer be sure to completely erase the contents of your hard drive Like the saying goes one mans trash is another mans treasure There are many different legal ramifications for those practicing computer fraud especially when such practice can be shown to be harmful and physically or financially damaging to others Most laws make the distinction between a person who knowingly commits fraud and someone who does so accidentally For instance passing on a hoax letter about a potential virus is a common trait among new computer users and isnrsquot really fraudulent

Deliberately generating a hoax letter to scare others, however, is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution; at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:

Sending hoax emails intended to scare people

Illegally using someone else's computer, or "posing" as someone else on the Internet

Using spyware to gather information about people

Emails requesting money in return for "small deposits"

Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money

Emails attempting to gather personal information to be used to access and use credit cards or social security numbers

Using someone else's computer to access personal information with the intent to use it fraudulently

Using the computer to solicit minors into sexual alliances

Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs

Hacking into computer systems to gather large amounts of information for illegal purposes

Hacking into or illegally using a computer to change information such as grades, work reports, etc.

Sending computer viruses or worms with the intent to destroy or ruin someone else's computer

3.20 Computer Crimes_________________________________

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property; they rather include the manipulation of confidential data and critical information. Computer crimes include software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.

3.20.1 Types of Computer Crime

All Rights Reserved. www.sedulitygroups.com 40

The different types of computer crimes involve an illegal exploitation of computer and communication technology for criminal activities. While advancing technology has served as a boon to mankind, destructively directed human intellects are all set to turn technology into a curse. However, crimes are sure to end, as it is truth that always triumphs. The types of computer crimes are as follows:

Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out criminal activities.

Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes users feel safe entering their details there.

Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through a network file system, over the Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.

Cyberstalking

The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats, and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.

Identity Theft

This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.

Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves will even take this a step further: when you're done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.

Misuse of Computer Time: This is one of the most common computer crimes happening all over the country: public and private employees who, on the taxpayer's or company's time and money, surf the web or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.

Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.

Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead documents, passports, birth certificates and cash receipts for personal gain.

Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.

3.21 Steps for Computer Crime Investigation______________

In order to investigate a cyber crime, a team is commissioned that usually contains members including the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:

Documenting the hardware configuration of the affected system

Making copies of relevant logs and data; this includes making bit-stream backups of all hard disk drives

Transporting the computer to a secured location so that any potential evidence does not get destroyed or hampered

Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

Generating a list of keywords in order to facilitate the evaluation of data on the computer's hard disk drive


The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, or the data storage area. File slack is a good source when investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document findings and issues that have been identified during the computer search.
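The acquisition, authentication and keyword-search steps above, worked through in Python as an added example that is not part of the original handout. It assumes the seized drive has already been imaged to an ordinary file, takes MD5 and SHA-256 as the "mathematical authentication", and runs on a small constructed two-cluster image (not real evidence) so that hits in file slack and unallocated space appear alongside the live file.

```python
"""Evidence handling helpers (added example, not the handout's own code):
bit-stream copy with hash authentication, file timestamp documentation, and
keyword search over the raw image so slack and unallocated space are covered."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read images in 1 MiB chunks; a whole drive need not fit in RAM


def _digests():
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def hash_file(path):
    """Hash a file in chunks; returns {"md5": hex, "sha256": hex}."""
    d = _digests()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in d.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in d.items()}


def bit_stream_copy(src, dst):
    """Byte-for-byte copy of src to dst, hashing the source as it is read, then
    re-hashing the copy independently. A mismatch means the copy is not a
    faithful duplicate and must not be used as the working image.
    Returns (source_hashes, copy_hashes, verified)."""
    d = _digests()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            for h in d.values():
                h.update(block)
            fout.write(block)
    source = {name: h.hexdigest() for name, h in d.items()}
    copy = hash_file(dst)
    return source, copy, source == copy


def verify_image(path, expected_sha256):
    """Re-authenticate an image later in the chain of custody. True only if it is
    still bit-identical to what was hashed at acquisition time."""
    return hash_file(path)["sha256"] == expected_sha256


def document_file(path):
    """Record size and timestamps of a file as found when taken into evidence."""
    st = os.stat(path)

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    return {"path": path, "size": st.st_size, "modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime), "changed": iso(st.st_ctime)}


def keyword_hits(image, keywords):
    """Case-insensitive search over the raw image bytes rather than the file
    system, so fragments in file slack and unallocated space are found as well.
    Each keyword is tried as ASCII and as UTF-16-LE, the encoding Windows uses
    for much of the text that ends up in the swap file.
    Returns sorted (offset, keyword, encoding) tuples."""
    hits = []
    lowered = image.lower()  # bytes.lower() only touches ASCII letters
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = lowered.find(needle)
            while pos != -1:
                hits.append((pos, kw, enc))
                pos = lowered.find(needle, pos + 1)
    return sorted(hits)


def build_sample_image(cluster=512):
    """Constructed stand-in for a two-cluster disk image (not real evidence).
    Cluster 0 holds a live file plus, in its slack, a fragment of an earlier file.
    Cluster 1 is unallocated and still holds a UTF-16-LE string from a deleted file."""
    live = b"notes.txt: meeting moved to Friday\n"
    slack_fragment = b"draft: pay the invoice from the offshore account\n"
    cluster0 = (live + slack_fragment).ljust(cluster, b"\x00")
    cluster1 = "deleted: Password list for the server".encode("utf-16-le")
    return cluster0 + cluster1.ljust(cluster, b"\x00")


def demo():
    """Run the whole procedure on the constructed image in a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "suspect_drive.dd")
        with open(original, "wb") as fh:
            fh.write(build_sample_image())
        working_copy = os.path.join(work, "working_copy.dd")
        src_hash, _copy_hash, verified = bit_stream_copy(original, working_copy)
        record = document_file(original)
        with open(working_copy, "rb") as fh:
            hits = keyword_hits(fh.read(), ["offshore", "password"])
        # Simulate an alteration after seizure: a single byte of the copy changes.
        with open(working_copy, "r+b") as fh:
            fh.write(b"N")
        still_valid = verify_image(working_copy, src_hash["sha256"])
        return {"copy_verified": verified, "sha256": src_hash["sha256"],
                "size": record["size"], "hits": [(k, e) for _, k, e in hits],
                "tamper_detected": not still_valid}


if __name__ == "__main__":
    print(demo())
```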

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security numbers, or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers.

Install anti-virus software and spam-blocking programs on your computer and in your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words.

Never give your password to someone else.

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 40: Ch3 - Digital Evidence & Frauds

Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others Generally when the a person has intentionally committed a fraudulent act via computer they can be subject to both criminal and sometimes civil prosecution and at minimum they will pay fines if theyrsquore convicted of minor fraud At maximum people who steal information or steal peoplesrsquo money via computer either directly or through fraudulent means face jail time and large fines Types of computer fraud vary and can be complex or simple Simple types of fraud might include

Sending hoax emails intended to scare people Illegally using someone elsersquos computer or ldquoposingrdquo as someone else on the

Internet Using spyware to gather information about people Emails requesting money in return for ldquosmall depositsrdquo Pyramid schemes or investment schemes via computer with the intent to take

and use someone elsersquos money Emails attempting to gather personal information to be used to access and use

credit cards or social security numbers Using someone elsersquos computer to access personal information with the intent to

use such fraudulently Using the computer to solicit minors into sexual alliances Violating copyright laws by copying information with the intent to sell information

like DVDs CDs Hacking into computer systems to gather large amounts of information for illegal

purposes Hacking into or illegally using a computer to change information such as grades

work reports etc Sending computer viruses or worms with the intent to destroy or ruin someone

elsersquos computer

320 Computer Crimes_________________________________ Computer crimes are criminal activities which involve the use of information technology to gain an illegal or an unauthorized access to a computer system with intent of damaging deleting or altering computer data Computer crimes also include the activities such as electronic frauds misuse of devices identity theft and data as well as system interference Computer crimes may not necessarily involve damage to physical property They rather include the manipulation of confidential data and critical information Computer crimes involve activities of software theft wherein the privacy of the users is hampered These criminal activities involve the breach of human and information privacy as also the theft and illegal alteration of system critical information The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures

3201 Types of computer crime

All Rights Reserved wwwsedulitygroupscom 40

The different types of computer crimes involve an illegal exploitation of the computer and communication technology for criminal activities While the advancing technology has served as a boon to mankind the destructively directed human intellects are all set to turn technology into a curse

All Rights Reserved wwwsedulitygroupscom 41

However crimes are sure to end as it is truth that always triumphs Types of the Computer Crimes are as follows

Hacking The activity of breaking into a computer system to gain an unauthorized access is known as hacking The act of defeating the security capabilities of a computer system in order to obtain an illegal access to the information stored on the computer system is called hacking The unauthorized revelation of passwords with intent to gain an unauthorized access to the private communication of an organization of a user is one of the widely known computer crimes Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity thus remaining anonymous while carrying out the criminal activities

Phishing Phishing is the act of attempting to acquire sensitive information like usernames passwords and credit card details by disguising as a trustworthy source Phishing is carried out through emails or by luring the users to enter personal information through fake websites Criminals often use websites that have a look and feel of some popular website which makes the users feel safe to enter their details there Computer Viruses Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users Viruses spread to other computers through network file system through the network Internet or by the means of removable devices like USB drives and CDs Computer viruses are after all forms of malicious codes written with an aim to harm a computer system and destroy information Writing computer viruses is a criminal activity as virus infections can crash computer systems thereby destroying great amounts of critical data

Cyberstalking

The use of communication technology mainly the Internet to torture other individuals is known as cyberstalking False accusations transmission of threats and damage to data and equipment fall under the class of cyberstalking activities Cyberstalkers often target the users by means of chat rooms online forums and social networking websites to gather user information and harass the users on the basis of the information gathered Obscene emails abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime

Identity Theft

This is one of the most serious frauds as it involves stealing money and obtaining other benefits through the use of a false identity It is the act of pretending to be someone else by using someone elses identity as ones own Financial identity theft involves the use of a false identity to obtain goods and services and a commercial identity theft is the using of someone elsersquos business name or credit card details for commercial purposes Identity cloning is the use of another users information to pose as a false user Illegal migration terrorism and blackmail are often made possible by means of identity theft

Data Transfer Theft Thieves can take your personal information by tapping into your phone line outside your house and run the line directly into their own computer This can often be done without even you knowing it through split lines Some thieves will even take this a step further When youre done using your computer and sign off the network they simply remain online and continue using the system as if it were actually you

Misuse of Computer Time This is one of the most common computer crimes happening all over the country Public and private employees who on the taxpayers or companys time and money surf the computer or play games without proper authorization This kind of behavior in many instances is not accepted by supervisors but theres little way to regulate it

Computer Output Theft This is probably one of the easiest computer crimes today Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information They do this by taking computer printouts mailing lists customer lists and etc

Desktop Forgery This is becoming increasingly common in corporate America With computer technology and desktop publishing programs thieves copy official letterhead documents passports birth certificates cash receipts for personal gain

Wrongful Programming This is a complicated computer crime Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someones personal information 321 Steps for Computer Crime Investigation______________ In order to investigate a cyber crime a team is commissioned that usually contains members including the case supervisor interview team sketch and physical search team photo team technical evidence seizure team logging team and security and arrest team Some important steps that are followed during an investigation include

Documenting hardware configuration of the affected system Making copies of relevant logs and data This includes make bit stream backups

of all hard disk drives Transporting the computer to a secured location so that any potential evidence

does not get destroyed or hampered Authenticating data mathematically on all storage devices in order to prove that

no alterations have been done to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive

All Rights Reserved wwwsedulitygroupscom 42

The most critical step in investigating a computer crime is to evaluate the Windows Swap file that contains valuable information Next important thing is to evaluate the file slack or the data storage area File slack is a good source to investigate crimes committed through internet

Evaluating of unallocated space provides necessary information about deleted files on the computer Encrypted compressed and graphic files should be evaluated manually

Finally it is important to document findings and issues that have been identified during the computer search

322 Recommendations________________________________ Even though there are stiff penalties for committing computer fraud laws governing against it may be difficult to enforce Some of the email scams for investment opportunities and get rich quick schemes originate outside of the US and it may be difficult to instigate investigations on foreign soil Itrsquos therefore wise to be wary and commit to the following computer philosophy when yoursquore on the net

Do not give personal information to anyone or to any company yoursquove never heard of before This includes your full name your address your phone number credit card number social security numbers or information about the people in your household

Do not pay attention to get rich quick schemes If they seem too good to be true they absolutely are

Do not open emails from strangers Install anti-viral software and spam blocking programs on your computer and your email program

Donrsquot download attachments from people you donrsquot know Teach your children about safe communication on the Internet to protect them

from Internet predators Donrsquot keep passwords on your computer and do not use common passwords like

the names of your kids birthdays or other guessable words Never give your password to someone else

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 41: Ch3 - Digital Evidence & Frauds

All Rights Reserved wwwsedulitygroupscom 41

However crimes are sure to end as it is truth that always triumphs Types of the Computer Crimes are as follows

Hacking The activity of breaking into a computer system to gain an unauthorized access is known as hacking The act of defeating the security capabilities of a computer system in order to obtain an illegal access to the information stored on the computer system is called hacking The unauthorized revelation of passwords with intent to gain an unauthorized access to the private communication of an organization of a user is one of the widely known computer crimes Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity thus remaining anonymous while carrying out the criminal activities

Phishing Phishing is the act of attempting to acquire sensitive information like usernames passwords and credit card details by disguising as a trustworthy source Phishing is carried out through emails or by luring the users to enter personal information through fake websites Criminals often use websites that have a look and feel of some popular website which makes the users feel safe to enter their details there Computer Viruses Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users Viruses spread to other computers through network file system through the network Internet or by the means of removable devices like USB drives and CDs Computer viruses are after all forms of malicious codes written with an aim to harm a computer system and destroy information Writing computer viruses is a criminal activity as virus infections can crash computer systems thereby destroying great amounts of critical data

Cyberstalking

The use of communication technology mainly the Internet to torture other individuals is known as cyberstalking False accusations transmission of threats and damage to data and equipment fall under the class of cyberstalking activities Cyberstalkers often target the users by means of chat rooms online forums and social networking websites to gather user information and harass the users on the basis of the information gathered Obscene emails abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime

Identity Theft

This is one of the most serious frauds as it involves stealing money and obtaining other benefits through the use of a false identity It is the act of pretending to be someone else by using someone elses identity as ones own Financial identity theft involves the use of a false identity to obtain goods and services and a commercial identity theft is the using of someone elsersquos business name or credit card details for commercial purposes Identity cloning is the use of another users information to pose as a false user Illegal migration terrorism and blackmail are often made possible by means of identity theft

Data Transfer Theft Thieves can take your personal information by tapping into your phone line outside your house and run the line directly into their own computer This can often be done without even you knowing it through split lines Some thieves will even take this a step further When youre done using your computer and sign off the network they simply remain online and continue using the system as if it were actually you

Misuse of Computer Time This is one of the most common computer crimes happening all over the country Public and private employees who on the taxpayers or companys time and money surf the computer or play games without proper authorization This kind of behavior in many instances is not accepted by supervisors but theres little way to regulate it

Computer Output Theft This is probably one of the easiest computer crimes today Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information They do this by taking computer printouts mailing lists customer lists and etc

Desktop Forgery This is becoming increasingly common in corporate America With computer technology and desktop publishing programs thieves copy official letterhead documents passports birth certificates cash receipts for personal gain

Wrongful Programming This is a complicated computer crime Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someones personal information 321 Steps for Computer Crime Investigation______________ In order to investigate a cyber crime a team is commissioned that usually contains members including the case supervisor interview team sketch and physical search team photo team technical evidence seizure team logging team and security and arrest team Some important steps that are followed during an investigation include

Documenting hardware configuration of the affected system Making copies of relevant logs and data This includes make bit stream backups

of all hard disk drives Transporting the computer to a secured location so that any potential evidence

does not get destroyed or hampered Authenticating data mathematically on all storage devices in order to prove that

no alterations have been done to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive

All Rights Reserved wwwsedulitygroupscom 42

The most critical step in investigating a computer crime is to evaluate the Windows Swap file that contains valuable information Next important thing is to evaluate the file slack or the data storage area File slack is a good source to investigate crimes committed through internet

Evaluating of unallocated space provides necessary information about deleted files on the computer Encrypted compressed and graphic files should be evaluated manually

Finally it is important to document findings and issues that have been identified during the computer search

322 Recommendations________________________________ Even though there are stiff penalties for committing computer fraud laws governing against it may be difficult to enforce Some of the email scams for investment opportunities and get rich quick schemes originate outside of the US and it may be difficult to instigate investigations on foreign soil Itrsquos therefore wise to be wary and commit to the following computer philosophy when yoursquore on the net

Do not give personal information to anyone or to any company yoursquove never heard of before This includes your full name your address your phone number credit card number social security numbers or information about the people in your household

Do not pay attention to get rich quick schemes If they seem too good to be true they absolutely are

Do not open emails from strangers Install anti-viral software and spam blocking programs on your computer and your email program

Donrsquot download attachments from people you donrsquot know Teach your children about safe communication on the Internet to protect them

from Internet predators Donrsquot keep passwords on your computer and do not use common passwords like

the names of your kids birthdays or other guessable words Never give your password to someone else

All Rights Reserved wwwsedulitygroupscom 43

  • Figure 31 NetIQ Security Manager Forensic Analysis Report
  • Figure 32 How Spoofing Works
    • Data Transfer Theft
    • Misuse of Computer Time
    • Computer Output Theft
    • Desktop Forgery
    • Wrongful Programming
Page 42: Ch3 - Digital Evidence & Frauds

Data Transfer Theft Thieves can take your personal information by tapping into your phone line outside your house and run the line directly into their own computer This can often be done without even you knowing it through split lines Some thieves will even take this a step further When youre done using your computer and sign off the network they simply remain online and continue using the system as if it were actually you

Misuse of Computer Time This is one of the most common computer crimes happening all over the country Public and private employees who on the taxpayers or companys time and money surf the computer or play games without proper authorization This kind of behavior in many instances is not accepted by supervisors but theres little way to regulate it

Computer Output Theft This is probably one of the easiest computer crimes today Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information They do this by taking computer printouts mailing lists customer lists and etc

Desktop Forgery This is becoming increasingly common in corporate America With computer technology and desktop publishing programs thieves copy official letterhead documents passports birth certificates cash receipts for personal gain

Wrongful Programming This is a complicated computer crime Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someones personal information 321 Steps for Computer Crime Investigation______________ In order to investigate a cyber crime a team is commissioned that usually contains members including the case supervisor interview team sketch and physical search team photo team technical evidence seizure team logging team and security and arrest team Some important steps that are followed during an investigation include

Documenting hardware configuration of the affected system Making copies of relevant logs and data This includes make bit stream backups

of all hard disk drives Transporting the computer to a secured location so that any potential evidence

does not get destroyed or hampered Authenticating data mathematically on all storage devices in order to prove that

no alterations have been done to any of the evidence after the computer was taken into possession

Documenting the date and time associated with computer files when the computer was taken into evidence

A list of keywords needs to be generated in order to facilitate the evaluation of data on a computer hard disk drive

All Rights Reserved wwwsedulitygroupscom 42

The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important thing is to evaluate the file slack, that is, the unused space between the end of a file's data and the end of the last cluster allocated to it. File slack is a good source when investigating crimes committed through the Internet.

Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.

Finally, it is important to document the findings and issues that have been identified during the computer search.
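The steps above (bit-stream copy, mathematical authentication, recording file timestamps, keyword search across slack and unallocated space) can be walked through end to end on a small constructed image. The following Python script is an added example for this chapter, not code from the book or from Sedulity Groups; the three-sector image layout, the file name invoice.txt, the 512-byte sector size and the keywords are all constructed here for illustration, and the "file table" is a stand-in for what a real file system's directory entries would provide.

```python
"""Evidence acquisition and keyword triage over a constructed disk image.

Added example for this chapter (not the book's code). The image layout,
file names, sector size and keywords are constructed for illustration.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

SECTOR = 512  # assumed sector size of the constructed image


@dataclass
class FileEntry:
    name: str
    start: int   # byte offset of the file's first byte in the image
    size: int    # logical size; the rest of its last sector is file slack


def build_sample_image() -> tuple[bytes, list[FileEntry]]:
    """Construct a three-sector image: one live file with slack, one deleted remnant."""
    live = b"INVOICE 4471 paid to ACME Corp\n"            # allocated file content
    slack = b"prev doc: secret project Falcon\n"          # residue of an earlier file
    sector0 = (live + slack).ljust(SECTOR, b"\x00")
    remnant = b"DELETED memo: transfer funds offshore\n"  # deleted file, no directory entry
    sector1 = (b"\x00" * 64 + remnant).ljust(SECTOR, b"\x00")
    image = sector0 + sector1 + b"\x00" * SECTOR          # sector 2 is empty
    return image, [FileEntry("invoice.txt", 0, len(live))]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, dest: str, custody_log: list) -> dict:
    """Bit-stream copy of `source` to `dest`; both are hashed so the copy can be authenticated."""
    st = os.stat(source)  # record the source's timestamp before anything else touches it
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 16), b""):
            dst.write(chunk)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    record = {
        "source": source,
        "source_mtime_utc": time.strftime(fmt, time.gmtime(st.st_mtime)),
        "source_sha256": sha256_file(source),
        "image_sha256": sha256_file(dest),
        "acquired_utc": time.strftime(fmt, time.gmtime()),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    custody_log.append(record)  # one chain-of-custody entry per acquisition
    return record


def classify_offset(offset: int, files: list[FileEntry]) -> str:
    """Label an image offset as allocated, file slack, or unallocated space."""
    for f in files:
        end = f.start + f.size
        if f.start <= offset < end:
            return "allocated:" + f.name
        last_sector_end = -(-end // SECTOR) * SECTOR  # round up to the sector boundary
        if end <= offset < last_sector_end:
            return "slack:" + f.name
    return "unallocated"


def keyword_search(image: bytes, keywords: list[str], files: list[FileEntry]) -> list[tuple]:
    """Case-insensitive search of the whole image, including slack and unallocated space."""
    hits = []
    low = image.lower()
    for kw in keywords:
        needle = kw.lower().encode()
        pos = low.find(needle)
        while pos != -1:
            hits.append((kw, pos, classify_offset(pos, files)))
            pos = low.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def run_demo() -> tuple[dict, list[tuple]]:
    """Write the constructed image to a temp file, acquire it, then search the copy's bytes."""
    image, files = build_sample_image()
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_disk.raw")
        with open(src, "wb") as f:
            f.write(image)
        custody_log = []
        record = acquire(src, os.path.join(d, "evidence.dd"), custody_log)
    hits = keyword_search(image, ["ACME", "secret", "offshore"], files)
    return record, hits


if __name__ == "__main__":
    rec, found = run_demo()
    print("acquisition verified:", rec["verified"], rec["image_sha256"][:16], "...")
    for hit in found:
        print(hit)
```

Run as a script it prints the verification result and three hits: "ACME" inside the live file, "secret" in the file slack of the same sector, and "offshore" in unallocated space where only a deleted remnant survives. The point of the slack and unallocated labels is that a search restricted to the file system's directory would have found only the first hit.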

3.22 Recommendations________________________________

Even though there are stiff penalties for committing computer fraud, the laws governing it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:

Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number or information about the people in your household.

Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.

Do not open emails from strangers. Install anti-virus software and spam-blocking programs on your computer and in your email program.

Don't download attachments from people you don't know.

Teach your children about safe communication on the Internet to protect them from Internet predators.

Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays or other guessable words. Never give your password to someone else.


Figure 3.1 NetIQ Security Manager Forensic Analysis Report
Figure 3.2 How Spoofing Works