Digital Forensics on Future HK Infrastructure

TRANSCRIPT

Page 1

INFORMATION SECURITY AND FORENSICS SOCIETY

Digital Forensics on Future HK Infrastructure

Ricci IEONG, CISSP, CISA, CEH, F.ISFS, ISSAP, ISSMP,
Secretary of Information Security and Forensics Society
Principal Consultant of eWalker Consulting Limited

ICT Expo 07, 2007-04-16

HK IT infrastructure

Internet Service Provider
Telecom network
Service Content provider
Email Services
Web Content Services (e.g. Government Services, Public utilities, eBanking Services)

Page 2

HK IT infrastructure

Internet [diagram]

More Web hacking

Page 3

Single IP attack (2004 – 2006)

[chart: monthly counts, Jan-04 to Dec-06; y-axis 0 to 30000]

Phishing (Dec 06) – By Country

[chart: phishing by country, December 2006]

Page 4

What is Computer Forensics

Computer Forensics Basics

Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceeding.

Page 5

What does a Computer Forensics Investigator do?

Dig out the evidence related to a computer crime
Preserve the chain of custody of the entire case
Build the case from the fragmented information

General procedures in Forensics Investigation

Determine the level of volatility
Preserve volatile information
Duplicate the original hard disk to at least 2 copies of hard disk
Search for the obvious evidence
Change the parameters on the system (on a duplicate, never on the original)
Restore the deleted files
Recover information from the swap drive
Remove the back door or trojan horse files
Change some system parameters
Document all the steps and the responses of the system during the investigation procedure
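The duplication, chain-of-custody and documentation steps of the procedure above, as an added example (not code from the original slides): the original is opened read-only, streamed once into two copies, then the source and every copy are re-read from disk and hashed independently, and each step is appended to a timestamped log. The sample "disk", the copy paths and the simulated bad sector are constructed in a temporary directory for the demo.

```python
"""Disk duplication with independent verification and a step log.

Added example; not code from the original slides. It implements three of the
procedure steps above: duplicate the original to at least two copies, keep the
chain of custody (every copy is re-read from disk and hashed against the
source), and document each step with a timestamp. The sample 'disk' and all
paths are constructed in a temporary directory for the demo.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size keeps memory bounded for large images


def _note(log, msg):
    """Append one timestamped line to the investigation log."""
    log.append("%s %s" % (datetime.now(timezone.utc).isoformat(), msg))


def sha256_of(path):
    """Hash a file by re-reading it from disk, independently of the copy pass."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src, copies, log):
    """Write every block of `src` to each path in `copies`; return the source digest."""
    if len(copies) < 2:
        raise ValueError("procedure requires at least 2 copies of the original")
    _note(log, "acquisition start source=%s copies=%d" % (src, len(copies)))
    h = hashlib.sha256()
    outs = [open(p, "wb") for p in copies]
    try:
        with open(src, "rb") as f:  # opened read-only: the original is never written
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
                for o in outs:
                    o.write(block)
    finally:
        for o in outs:
            o.close()
    digest = h.hexdigest()
    _note(log, "source read complete sha256=%s" % digest)
    return digest


def verify(src, copies, expected, log):
    """Re-hash source and copies from disk; all must equal `expected`."""
    digests = {"source": sha256_of(src)}
    digests.update((p, sha256_of(p)) for p in copies)
    ok = all(d == expected for d in digests.values())
    for name, d in digests.items():
        _note(log, "verify %s sha256=%s %s" % (name, d, "MATCH" if d == expected else "MISMATCH"))
    _note(log, "verification %s" % ("passed" if ok else "FAILED"))
    return {"expected": expected, "digests": digests, "verified": ok}


def image_and_verify(src, copies, log):
    """Acquire, then verify in a separate pass; returns the verification record."""
    return verify(src, copies, acquire(src, copies, log), log)


def demo(tamper=False):
    """Constructed sample: image a fake disk into two copies, optionally corrupt copy 2."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # odd size exercises the final partial chunk
    copies = [os.path.join(d, "copy1.dd"), os.path.join(d, "copy2.dd")]
    log = []
    result = image_and_verify(src, copies, log)
    if tamper:  # simulate a bad sector on the second copy, then re-verify
        with open(copies[1], "r+b") as f:
            f.seek(CHUNK + 7)
            b = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([b[0] ^ 0xFF]))
        result = verify(src, copies, result["expected"], log)
    return result, log


if __name__ == "__main__":
    res, steps = demo()
    print("\n".join(steps))
    print("verified:", res["verified"])
```

The verification pass deliberately re-reads the source rather than reusing the digest computed while copying: a hash taken from the in-flight buffer proves nothing about what actually reached the copy media, and a copy that fails the re-read (the tamper path in `demo`) must be logged as unusable rather than silently accepted.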

Page 6

Goals of Forensics Investigation

Identify the attackers
Identify the method/motivation of the attacks (Modus Operandi)
Identify the gain of the attacks
Damage assessment
Preserve the evidence
Present the evidence in a law case

Who Wants Digital Evidence?

Criminal Prosecutor
Civil Litigation
Insurance Companies
Corporations
Law Enforcement Officials
Individuals

Page 7

Traditional Network Forensics investigation

Types of attack

Scanning/Probing
Denial of Service
Unauthorized Access
Leakage of information
Virus/Worm Attack
Web attack – defacement, login attempt
Intrusion

Page 8

Potential source of evidence

System logs
Network devices logs
IDS logs
Web Server logs
Browser history, cookie, index
Network information
Process information

Log Analysis

Significant Events Recognition
Intrusion detection systems
Log correlation
Target Specific: Web Defacement Through Known Exploits; Web Defacement Through Application Bugs; Viruses
Establish Series of Events

Page 9

Damage Analysis

Identify the attacks
Identify the motivations
Identify the gains
Identify the attack paths

HK Future Infrastructure Change

Infrastructure change: Go mobile; Go for free network
Content change: More content driven

Page 10

New Challenges & Solutions

Mapping Requirements to 3R principle

[diagram: forensics requirements (Completeness, Accuracy, Verifiability, Repeatability, Integrity, Case dependencies, Reasonableness, Order of volatility, Importance, Time required) mapped onto the 3R principle of Digital Forensics: Reconnaissance, Reliability, Relevancy]

Page 11

FORensics-ZAchman Model

The FORZA framework is derived from the Zachman framework.
It is an extended model that covers the various forensics models using the Zachman model.
It focuses more on the static attributes of the forensics aspects.

FORZA Framework

[table: eight roles/layers (rows) against the six Zachman interrogatives (columns): Time (When), People (Who), Network (Where), Function (How), Data (What), Motivation (Why)]

Chief Investigator/Officer in Charge (Contextual Investigation Layer)
When: Investigation Timeline; Who: Initial Participants; Where: Investigation Geography; How: Requested Initial Investigation; What: Event Nature; Why: Investigation Objectives

System Owner (if any) (Contextual Layer)
When: Business & Incident Timeline; Who: Organization & Participants relationship; Where: Business Geography; How: Business & System Process Model; What: Business & Event Nature; Why: Business Objectives

Legal Advisor (Compliance Advisory Layer)
When: Legal Timeframe; Who: Legal Entities & Participants; Where: Legal Geography; How: Legal Procedures for further investigation; What: Legal Background and preliminary issues; Why: Legal Objectives

Security/System Architect/Auditor (Conceptual Security Layer)
When: Security Timing and Sequencing; Who: Users and Security Entity Model; Where: Security Domain and Network Infrastructure; How: Security Mechanisms; What: System Information and Security Control Model; Why: System/Security Control Objectives

IT Forensics Specialists (Technical Preparation Layer)
When: Hypothetical Forensics Event Timeline; Who: Forensics Entity Model; Where: Forensics Data Geography; How: Forensics Strategy Design; What: Forensics Data Model; Why: Forensics Investigation Strategy Objectives

Forensics Investigators/System Administrator/Operator (Collection Layer)
When: Forensics Acquisition Timeline; Who: Participants Interviewing and Hearing; Where: Site Network Forensics Data Acquisition; How: Forensics Acquisition/Seizure Procedures; What: On-site Forensics Data Observation; Why: Forensics Acquisition Objectives

Forensics Investigators/Forensics Analysts (Analysis Layer)
When: Event Timeline Reconstruction; Who: Entity and Evidence Relationship Analysis; Where: Network Address Extraction and Analysis; How: Forensics Analysis Procedures; What: Event Data Reconstruction; Why: Forensics Examination Objectives

Legal Prosecutor (Presentation Layer)
When: Timeline of the entire event for Presentation; Who: Entities in Litigation Procedures; Where: Legal Jurisdiction Location; How: Legal Presentation Procedures; What: Legal Presentation Attributes; Why: Legal Presentation Objectives

Page 12

What information to collect

Memory
Network information
System Info and Status
User Info
Process

Scenario – Remote Botnet attack

[diagram: Attacker1 port-scans and then launches a remote attack against the Victim (a Windows host); the traffic passes NIDS1, the Firewall and NIDS2; the Victim runs a HIDS and events are sent to a Log Server]

Page 13

Scenario – Remote Attack

Events grouped from different devices:
- NIDS1 (Scan / Attack)
- Firewall (Port Scan)
- NIDS2 (Attack)
- HIDS (Attack)
- Windows (Remote Login)

Application Attack Incident
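The log correlation and "establish series of events" steps of the Log Analysis slide, applied to the grouped events of this scenario, as an added example (not code from the original slides). The line format of each device, the addresses, the host name and the asset inventory are constructed for the demo; each raw line is normalised to a common record, the host-only HIDS event is attributed to the attacker whose network attack hit that host most recently, and events are ordered per source IP so the chain scan, attack, host compromise, remote login can be recognised and named.

```python
"""Correlating events from several devices into one attacker timeline.

Added example; not the slides' own code. The remote-attack scenario groups
events from NIDS1, the firewall, NIDS2, the HIDS and the Windows host. This
block parses one assumed line format per device (formats, addresses and
host names are constructed for the demo), normalises each line to a common
record, attributes host-only HIDS events to the attacker who hit that host
most recently, and orders everything per source IP so the chain
scan -> attack -> host compromise -> remote login can be recognised.
"""
import re
from datetime import datetime, timedelta

# Assumed asset inventory (IP -> host name) used to tie network events to host events.
ASSETS = {"192.0.2.10": "victim1"}
WINDOW = timedelta(minutes=10)  # max gap for linking a host-only event to a network attack

# Constructed sample log lines (not real logs); timestamps are UTC.
SAMPLE_LOGS = """\
nids1 2007-04-16T02:10:05 alert PORTSCAN src=203.0.113.7 dst=192.0.2.10
fw 2007-04-16T02:10:06 DENY TCP 203.0.113.7:41234 -> 192.0.2.10:139
fw 2007-04-16T02:10:06 DENY TCP 203.0.113.7:41235 -> 192.0.2.10:445
fw 2007-04-16T02:10:07 ALLOW TCP 203.0.113.7:41236 -> 192.0.2.10:80
nids1 2007-04-16T02:12:40 alert WEB-ATTACK src=203.0.113.7 dst=192.0.2.10
nids2 2007-04-16T02:12:41 alert WEB-ATTACK src=203.0.113.7 dst=192.0.2.10
hids 2007-04-16T02:12:42 host=victim1 event=PROCESS_SPAWN parent=w3wp.exe child=cmd.exe
win 2007-04-16T02:15:03 host=victim1 EventID=528 LogonType=10 user=Administrator src=203.0.113.7
nids1 2007-04-16T03:00:00 alert PORTSCAN src=198.51.100.9 dst=192.0.2.10
"""

PATTERNS = {
    "nids": re.compile(r"^(?P<dev>nids\d+) (?P<ts>\S+) alert (?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
    "fw": re.compile(r"^(?P<dev>fw) (?P<ts>\S+) (?P<action>ALLOW|DENY) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"),
    "hids": re.compile(r"^(?P<dev>hids) (?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)"),
    "win": re.compile(r"^(?P<dev>win) (?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) user=\S+ src=(?P<src>\S+)$"),
}


def parse_line(line):
    """Normalise one raw line to {ts, device, src, host, phase, raw}; None if unrecognised."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if not m:
            continue
        g = m.groupdict()
        ev = {
            "ts": datetime.fromisoformat(g["ts"]),
            "device": g["dev"],
            "src": g.get("src"),                                # None for host-only events
            "host": g.get("host") or ASSETS.get(g.get("dst")),  # resolve target IP to host
            "raw": line,
        }
        if kind == "nids":
            ev["phase"] = "scan" if g["sig"] == "PORTSCAN" else "attack"
        elif kind == "fw":
            ev["phase"] = "scan" if g["action"] == "DENY" else "connection"
        elif kind == "hids":
            ev["phase"] = "host_compromise"
        else:  # Windows 2000/2003 event 528 = successful logon; logon type 10 = remote interactive
            ev["phase"] = "remote_login" if g["eid"] == "528" and g["lt"] == "10" else "logon"
        return ev
    return None


def correlate(text):
    """Group normalised events per attacker IP, in time order."""
    events = sorted((e for e in map(parse_line, text.splitlines()) if e), key=lambda e: e["ts"])
    timelines, last_attack = {}, {}  # last_attack: host -> (ts, attacker) of newest network attack
    for e in events:
        attacker = e["src"]
        if attacker is None:  # host-only event: attribute to the recent attacker of that host
            hit = last_attack.get(e["host"])
            if not hit or e["ts"] - hit[0] > WINDOW:
                continue  # unattributed; in practice report it separately
            attacker = hit[1]
        timelines.setdefault(attacker, []).append(e)
        if e["phase"] == "attack" and e["host"]:
            last_attack[e["host"]] = (e["ts"], attacker)
    return timelines


def classify(timeline):
    """Name the incident by the phases present in one attacker's timeline."""
    phases = {e["phase"] for e in timeline}
    if {"attack", "remote_login"} <= phases:
        return "intrusion"
    if "attack" in phases:
        return "attack_attempt"
    return "scan_only"


def report(timelines):
    """One line per event, grouped per attacker: the 'series of events' for the case file."""
    lines = []
    for ip, tl in sorted(timelines.items()):
        lines.append("%s: %s" % (ip, classify(tl)))
        lines.extend("  %s %-5s %s" % (e["ts"].isoformat(), e["device"], e["phase"]) for e in tl)
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_LOGS))))
```

Two details matter in practice and are modelled here: all devices must be on a common clock (the sample uses one UTC timestamp format; real devices need clock-skew correction before sorting), and a HIDS event carries no attacker address, so it can only be attributed through the asset inventory and a time window, which should be recorded as an inference rather than as a fact in the case file.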

Live Forensics (LF) Procedures for botnet

[flowchart with the following steps, from Start Acquisition to Completion:]
Start Acquisition
Current network port & connection
Open Files & registry
Current Process Info
User Info
System Conf. Info
Preset Process List
Preset Services List
Sniff the current NIC
Bootup list
File list / file signature check
Current User Info
Physical Memory & Virtual Memory
Current Network Status
Completion
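Two of the triage steps in the live-forensics flow above, the comparison of the current process list against the preset list and the file signature check, as an added example (not code from the original slides). The preset, the "current" process snapshot and the sample files are constructed for the demo; on a real host the snapshot comes from the live system and the preset from a trusted record taken before the incident.

```python
"""Two triage checks from the live-forensics flow above: comparing the
current process list with a preset (baseline) list, and a file signature
check that compares each file's leading bytes with its extension.
Added example; not the slides' own code. The preset, the 'current' process
snapshot and the sample files are constructed for the demo; on a real host the
snapshot comes from the live system and the preset from a trusted record taken
before the incident.
"""
import os
import tempfile

# Leading bytes (magic numbers) of a few common file types.
MAGIC = {
    b"MZ": "exe",                 # DOS/Windows executable (PE files start with the MZ stub)
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
SAME_AS = {"jpeg": "jpg", "dll": "exe", "scr": "exe"}  # extensions that share a magic


def sniff_type(header):
    """Return the type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def signature_check(paths):
    """Return (name, extension, actual_type) for every file whose content
    type disagrees with its extension, e.g. an executable renamed to .jpg."""
    mismatches = []
    for p in paths:
        with open(p, "rb") as f:
            actual = sniff_type(f.read(16))
        ext = os.path.splitext(p)[1].lstrip(".").lower()
        ext = SAME_AS.get(ext, ext)
        if actual != "unknown" and actual != ext:
            mismatches.append((os.path.basename(p), ext, actual))
    return mismatches


def process_diff(preset, current):
    """preset/current map process image name -> sha256 of the image on disk.
    Returns (new, changed, missing): names only in current, names whose image
    hash differs from the preset (replaced binary), names only in the preset."""
    new = sorted(set(current) - set(preset))
    missing = sorted(set(preset) - set(current))
    changed = sorted(n for n in set(preset) & set(current) if preset[n] != current[n])
    return new, changed, missing


def demo():
    """Constructed data: a renamed executable among ordinary files, and a
    process snapshot with one unknown process and one replaced system binary."""
    d = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,          # executable masquerading as an image
        "holiday.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG
        "report.pdf": b"%PDF-1.4\n" + b"%" * 60,
        "notes.txt": b"plain text, no magic",                # unknown type: not flagged
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)

    preset = {"lsass.exe": "a1" * 32, "svchost.exe": "b2" * 32, "explorer.exe": "c3" * 32}
    current = {"lsass.exe": "ff" * 32, "svchost.exe": "b2" * 32, "explorer.exe": "c3" * 32,
               "svch0st.exe": "d4" * 32}  # look-alike name, not in the preset
    return signature_check(paths), process_diff(preset, current)


if __name__ == "__main__":
    sigs, (new, changed, missing) = demo()
    print("signature mismatches:", sigs)
    print("new:", new, "changed:", changed, "missing:", missing)
```

Comparing image hashes rather than just names is what catches the replaced `lsass.exe` in the sample; a name-only preset would report the system as clean. The extension check is cheap first-pass triage: a file with an unrecognised header is left unflagged here, so it complements rather than replaces a hash comparison against a known-good set.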

Page 14

Challenges

Technology Improvement
Forensics Tools
Legislation
Awareness

Technology Improvement

Operating Systems
Digital Devices
Cryptography, Steganography
Data Volume, Storage Architecture
Anti-forensics
Wireless Network

Page 15

Forensics Tools

Expensive: to purchase; to maintain research and development labs; to catch up with technology advances
Not yet a formal certification: hard to verify
Still room for improvement: intelligent analysis and event correlation

Legislation

Conflicting law
Ambiguous law
Lack of precedent
Not enough technical knowledge and tools

Page 16

Awareness

Insufficient Preparation
Ignorance
Insufficient Security Knowledge/Skills

Future Direction in Computer Forensics

Fast network-based log correlation and analysis solutions
Combination of forensics investigation tools with intrusion monitoring systems
Live Forensics Investigation Toolkits
More technical and legal training

Page 17

Questions?

Ricci IEONG
Ricci_ieong (at) isfs (dot) org (dot) hk
Ricci (at) ewalker (dot) com (dot) hk

About ISFS

Page 18

About ISFS

The Information Security and Forensics Society (ISFS) was founded in May 2000 by a group of digital forensics specialists and practitioners.

Goals

- to regulate and standardize the practice of information security and forensics professionals;
- to conduct examinations and act in such other manner as may be necessary to ascertain whether persons are qualified to be admitted to register as an information security and forensics professional;
- to encourage the study of information security and forensics by holding regular training courses and seminars;
- to promote public awareness of information security and forensics.

Page 19

Council Members (2006 and 2007)

Dr. Hilton CHAN, Chairman
Mr. David LEUNG, Vice-Chairman
Mr. Ricci IEONG, Secretary
Mr. Michael KWAN, Treasurer

Council Members
Dr. KP CHOW
Mr. Vitus CHUNG
Mr. Anthony FUNG
Dr. W.W. FUNG
Mr. Vincent IP
Mr. Collins LEUNG