computer forensics in practice
DESCRIPTION
Computer Forensics in Practice. Armed Forces of the Slovak Republic mjr. Ing. Albert VAJÁNYI 1Lt. Ing. Boris ZEMEK (c) May 2005. Communication and Information System Control and Operation Centre Information Security Centre. InfoSec Centre Chief mjr. Ing. Albert VAJÁNYI Division Chief - PowerPoint PPT PresentationTRANSCRIPT
Computer Forensics in Practice
Armed Forces of the Slovak Republic
mjr. Ing. Albert VAJÁNYI
1Lt. Ing. Boris ZEMEK
(c) May 2005
Communication and Information System Control and Operation Centre
Information Security Centre
InfoSec Centre Chiefmjr. Ing. Albert VAJÁNYI
Division Chief1Lt. Ing. Boris ZEMEK
(c) May 2005
What is computer forensics anyway?
The application of computer investigations and analysis techniques in the interests of determining potential legal evidence.
Computer specialists can draw on an array of methods for discovering deleted, encrypted or damaged file information.
(Rorrins, 1997)
You don’t know what happened on your network.
A network forensic analysis tool can effectively answer the difficult
question “What happened?” in the aftermath of a security incident.
That tool provides a passive network monitoring solution that visualizes
the network activity.
A network forensics analysis tool can visualize and analyze data from
firewalls, IDS, IPS, syslogs, audit systems and more.
Key Features of Forensic Tools
• Data collection and visualization– Monitor and analyze data from all seven layers of the Open
Systems Interconnection (OSI) stack– Relational, Tree ontology for knowledge base– TCP dump recording: records traffic being monitored in an
unprocessed, binary state
• Pattern and content analysis– Powerful visualizations expose anomalous activities, providing
visibility into network communications before, during and after a suspicious event
– Functions irrespective of language using n-gram analysis
Key Features of Forensic Tools
• Forensic analysis and investigation
- Graphical arrangements include source, destination, time, type and duration of communication and content
- Rebuild crime pattern
- Playback events
- Generate reports and visual representations of the suspicious activity
- Report on key security and network parameters
Forensics Technology Services – FTS
• Digital Evidence Recovery
It is a technique of finding and extraction evidence. A lot of times the
legislative designates how to confidence a digital evidence.
• Cyber Forensics
Some specialists score incidents to the network. Cyber Forensics
shows who made an attack.
Forensics Technology Services – FTS
• Forensic Data Analysis
It is an interpretation of vast multiple data by using visualization
techniques.
• Document Management Services
Making documents accessible helps sharing essential knowledge. In
your investigations you can draw upon modern document management
tools that allow you to archive, search, find, organising and reproduce
documents.
COLLECTING ANALYZING 2D or 3D VISUALIZATION
Traffic Analysis KnowledgeBase
KnowledgeBase
Data Visualization
DatabaseMeta Data and
Content Analysis
Real-Time Post Event
ContextAnalyzerContextAnalyzer
Requirements for Forensics Tools
Types of Collecting Data
Types:
- IDS/IPS logs
- Firewall logs
- Sys logs
- SQUID logs
- Audit system logs
- and more
All logs are collecting to the Central logs base!!!
Network monitoring
Network operation centre Security operation centre
Intranet
Any Public
Network
Central logs base
Server Farm
Server Farm
Server Farm
Server Farm
Service AlarmsSecurity Alarms
Security Information Management System
What is Security Information Management (SIM)?
SIM provides a simple mechanism that allows security teams
to collect and analyze vast amounts of security alert data.
More specifically, SIM solutions collect, analyze and correlate – in real-time – all security device information across an entire enterprise.
Correlated results are then displayed on a centralized real-time console that is part of an intuitive graphical user interface.
Security Information Management
Security Information Management
SIM can be divided into four different phases:
1) Normalization 2) Aggregation3) Correlation4) Visualization
SIM utilizes normalization, aggregation, and correlation to sift through mountains of security activity data on a real-time basis – correlating events, flagging and rating the potential seriousness of all attacks, compromises, and vulnerabilities. The power of SIM technology allows a relatively small security staff to dramatically reduce the time between attack and response.
.
Security Information Management
Normalization is the process of gathering individual security device
data and putting it into a context that is easier to understand, mapping
different messages about the same security events to a common alarm
ID. Keeping in mind that there are no standards in the security device
industry, normalization alone is a tremendous asset to security teams.
Aggregation eliminates redundant or duplicate event data from the
security event data stream, refining and optimizing the amount of
information that is presented to security analysts.
Security Information Management
Correlation uses software technology to analyze aggregated data, in real-time,
to determine if specific patterns exist. These patterns of similar security events
often correspond to specific securityattacks – whether denial of service,anti
virus, or some other form of attack.
Visualization, the final step in SIM, is the graphical representation of
correlated information in a single, real-time console.
Effective visualization lets security operators quickly identify and respond to
security threats as they occur, before they create problems within the
enterprise.
Systems alarms remapping
Original logs from systems - around 20 000 types
Sep 27 16:22:43 dmzserver
su(pam_unix)[10983]: session opened for user
nf by root(uid=0)
Sep 27 16:22:43 dmzserver
su(pam_unix)[10983]: session opened for user
nf by root(uid=0)
Sep 27 16:36:12 [192.168.177.1] Sep 27 2004 16:36:12: %PIX-6-
605005: Login permitted from
192.168.177.2/44743 to inside:192.168.177.1/ssh for user "pix_ADMIN“
Sep 27 16:36:12 [192.168.177.1] Sep 27 2004 16:36:12: %PIX-6-
605005: Login permitted from
192.168.177.2/44743 to inside:192.168.177.1/ssh for user "pix_ADMIN“
Changed to 100 NF types
Forbidden Database Access
Privilege Escalation
Security Policy Change
Authentication succeed
9 categories of NF alarms
Access / Authentication / Authorization
Application Exploit
Configuration / System Status
Evasion
Policy Violations
Reconnaissance
AttemptsUnknown / Suspicious
Virus / Trojan
Place Forensics Tool in Network
Network operation centre Security operation centre
Intranet
Any Public
Network
Central logs base
Server Farm
Server Farm
Server Farm
Server Farm
Service AlarmsSecurity Alarms
Security Information Management System
Forensics Tool
Network Forensics Analyzer
Examples of Visualization
Visualization of Firewall Data
• Quickly visualize and understand relationships in firewall data across time• Source_IP ——— # of occurrences ——— Dest_IP
Source_IP versus Firewall Action
• Source_IP ——— # of occurrences ——— Firewall Action• Green = Accept Red = Reject Blue = Drop
VPN Traffic Events
Overlay Intrusion Detection
System Alerts
Blocked FirewallTraffic
Event Correlation
Exercises of anomaly
Exercises of anomaly
E – mail: [email protected]