INFORMATION SECURITY AND FORENSICS SOCIETY
Digital Forensics on Future HK Infrastructure
Ricci IEONG, CISSP, CISA, CEH, F.ISFS, ISSAP, ISSMP,
Secretary of Information Security and Forensics Society; Principal Consultant of eWalker Consulting Limited
ICT Expo 07, 16 April 2007
HK IT infrastructure
Internet Service Provider
Telecom network
Service Content provider
Email Services
Web Content Services (e.g. Government Services, Public utilities, eBanking Services)
HK IT infrastructure
[Diagram: Internet]
More Web hacking
Single IP attack (2004 – 2006)
[Chart: monthly count of single IP attacks, Jan-04 to Dec-06; y-axis 0 to 30000]
Phishing (Dec 06) – By Country
What is Computer Forensics
Computer Forensics Basics
Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceeding
What does a Computer Forensics Investigator do?
To dig out the evidence related to computer crime
Preserve the chain of custody of the entire case
To build the case from the fragmented information
General procedures in Forensics Investigation
Determine level of volatility
Preserve volatile information
Duplicate the original hard disk to at least 2 copies of hard disk
Search for the obvious evidence
Change the parameters on the system
Restore the deleted files
Recover information from the swap drive
Remove the back door or trojan horse files
Change of some system parameters
Document all the steps and response of the system during the Investigation procedure
Goals of Forensics Investigation
Identify the attackers
Identify the method/motivation of the attacks
Modus Operandi
Identify the gain of the attacks
Damage assessment
Preserve the evidence
Present the evidence in a law case
Who Wants Digital Evidence?
Criminal Prosecutor
Civil Litigation
Insurance Companies
Corporations
Law Enforcement Officials
Individuals
Traditional Network Forensics investigation
Types of attack
Scanning/Probing
Denial of Service
Unauthorized Access
Leakage of information
Virus/Worm Attack
Web attack – defacement, login attempt
Intrusion
Potential source of evidence
System logs
Network devices logs
IDS logs
Web Server logs
Browser history, cookie, index
Network information
Process information
Log Analysis
Significant Events Recognition
Intrusion detection systems
Log correlation
Target Specific
Web Defacement Through Known Exploits
Web Defacement Through Application Bugs
Viruses
Establish Series of Events
Damage Analysis
Identify the attacks
Identify the motivations
Identify the gains
Identify the attack paths
HK Future Infrastructure Change
Infrastructure change
Go mobile
Go for free network
Content change
More content driven
New Challenges & Solutions
Mapping Requirements to 3R principle
Completeness
Accuracy
Verifiability
Repeatability
Integrity
Case dependencies
Reasonableness
Order of volatility
Importance
Time required
Digital Forensics
Relevancy
Reconnaissance
Reliability
FORensics-ZAchman Model
The FORZA framework is derived from the Zachman framework.
It is an extended model that covers the various forensics models using the Zachman model.
It focuses more on the static attributes of the forensics aspects.
FORZA Framework
Columns of the framework: Time (When), People (Who), Network (Where), Function (How), Data (What), Motivation (Why). Each row is one layer and its role.

Contextual Investigation Layer (Chief Investigator/Officer in Charge)
  When: Investigation Timeline
  Who: Initial Participants
  Where: Investigation Geography
  How: Requested Initial Investigation
  What: Event Nature
  Why: Investigation Objectives

Contextual Layer (System Owner, if any)
  When: Business & Incident Timeline
  Who: Organization & Participants relationship
  Where: Business Geography
  How: Business & System Process Model
  What: Business & Event Nature
  Why: Business Objectives

Compliance Advisory Layer (Legal Advisor)
  When: Legal Timeframe
  Who: Legal Entities & Participants
  Where: Legal Geography
  How: Legal Procedures for further investigation
  What: Legal Background and preliminary issues
  Why: Legal Objectives

Conceptual Security Layer (Security/System Architect/Auditor)
  When: Security Timing and Sequencing
  Who: Users and Security Entity Model
  Where: Security Domain and Network Infrastructure
  How: Security Mechanisms
  What: System Information and Security Control Model
  Why: System/Security Control Objectives

Technical Preparation Layer (IT Forensics Specialists)
  When: Hypothetical Forensics Event Timeline
  Who: Forensics Entity Model
  Where: Forensics Data Geography
  How: Forensics Strategy Design
  What: Forensics Data Model
  Why: Forensics Investigation Strategy Objectives

Collection Layer (Forensics Investigators/System Administrator/Operator)
  When: Forensics Acquisition Timeline
  Who: Participants Interviewing and Hearing
  Where: Site Network Forensics Data Acquisition
  How: Forensics Acquisition/Seizure Procedures
  What: On-site Forensics Data Observation
  Why: Forensics Acquisition Objectives

Analysis Layer (Forensics Investigators/Forensics Analysts)
  When: Event Timeline Reconstruction
  Who: Entity and Evidence Relationship Analysis
  Where: Network Address Extraction and Analysis
  How: Forensics Analysis Procedures
  What: Event Data Reconstruction
  Why: Forensics Examination Objectives

Presentation Layer (Legal Prosecutor)
  When: Timeline of the entire event for Presentation
  Who: Entities in Litigation Procedures
  Where: Legal Jurisdiction Location
  How: Legal Presentation Procedures
  What: Legal Presentation Attributes
  Why: Legal Presentation Objectives
What information to collect
Memory
Network information
System Info and Status
User Info
Process
Scenario – Remote Botnet attack
[Diagram: Attacker1 and Victim (Windows host with HIDS); network path through NIDS1, Firewall and NIDS2, all reporting to a Log Server; events shown: Port Scan, Remote attack]
Scenario – Remote Attack
Events grouped from different devices:
- NIDS1 (Scan / Attack)
- Firewall (Port Scan)
- NIDS2 (Attack)
- HIDS (Attack)
- Windows (Remote Login)
Application Attack Incident
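The log correlation and "establish series of events" steps from the Log Analysis slide, applied to this scenario's five devices, as an added example that is not from the presentation: constructed lines from NIDS1, the firewall, NIDS2, the HIDS and the Windows host are normalised, ordered into one timeline per victim, and a (victim, source) pair whose events walk scan, attack and remote login inside a time window is flagged as an application attack incident. The line format, the 30-minute window and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in an assumed device|timestamp|kind|key=value format (not the
# presenter's data): the deck's scenario plus an unrelated later scan from another host.
SAMPLE_LOGS = """\
NIDS1|2007-04-16 09:01:05|scan|src=203.0.113.7 dst=192.0.2.10 msg=syn_scan
FIREWALL|2007-04-16 09:01:06|scan|src=203.0.113.7 dst=192.0.2.10 ports=135,139,445
NIDS2|2007-04-16 09:03:40|attack|src=203.0.113.7 dst=192.0.2.10 msg=rpc_exploit_signature
HIDS|2007-04-16 09:03:42|attack|host=192.0.2.10 msg=unexpected_service_started
WINDOWS|2007-04-16 09:04:10|remote_login|host=192.0.2.10 src=203.0.113.7 user=svc msg=logon_type_10
NIDS1|2007-04-16 11:20:00|scan|src=198.51.100.9 dst=192.0.2.10 msg=syn_scan
"""
LINE_RE = re.compile(r"^(?P<device>\w+)\|(?P<ts>[^|]+)\|(?P<kind>\w+)\|(?P<rest>.*)$")
STAGES = ("scan", "attack", "remote_login")   # stage order the deck's scenario shows
WINDOW = timedelta(minutes=30)                 # assumed correlation window

def parse(text):
    """Normalise every device's line into one event dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m["rest"].split() if "=" in p)
        events.append({"device": m["device"], "kind": m["kind"], "src": kv.get("src"),
                       "ts": datetime.strptime(m["ts"].strip(), "%Y-%m-%d %H:%M:%S"),
                       "victim": kv.get("dst") or kv.get("host")})
    return events

def timeline(events, victim):
    """Series of events against one victim across all devices, in time order."""
    return sorted((e for e in events if e["victim"] == victim), key=lambda e: e["ts"])

def find_incidents(events):
    """Flag (victim, src) pairs whose events walk scan -> attack -> remote_login inside WINDOW."""
    by_pair = defaultdict(list)
    for e in events:
        if e["src"]:               # HIDS lines carry no src: they corroborate, not attribute
            by_pair[(e["victim"], e["src"])].append(e)
    incidents = []
    for (victim, src), evs in by_pair.items():
        chain = []
        for e in sorted(evs, key=lambda e: e["ts"]):
            if e["kind"] == STAGES[len(chain)] and (not chain or e["ts"] - chain[0]["ts"] <= WINDOW):
                chain.append(e)
            if len(chain) == len(STAGES):
                incidents.append({"victim": victim, "src": src,
                                  "chain": [(c["device"], c["kind"]) for c in chain]})
                break
    return incidents
```

The unrelated scan from 198.51.100.9 stays in the victim's timeline but never becomes an incident, which is the distinction the grouping on this slide is meant to draw.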
LF Procedures for botnet
Start Acquisition
Current network port & connection
Open Files & registry
Current Process Info
User Info
System Conf. Info
Preset Process List
Preset Services List
Sniff the current NIC
Bootup list
File list / file signature check
Current User Info
Physical Memory & Virtual Memory
Current Network Status
Completion
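The acquisition sequence above, together with the earlier general procedure's "document all the steps", as an added example that is not the presenter's toolkit: each step runs in the order listed (most volatile first), its output is hashed, and a missing tool or timeout is recorded in the manifest rather than skipped, so the collection can be repeated and verified later. The Linux commands standing in for the deck's Windows steps, SELF_CHECK_STEPS and the manifest layout are assumptions.

```python
import hashlib
import json
import shutil
import subprocess
import sys
from datetime import datetime, timezone

# Deck order, most volatile first. The Linux commands are assumed stand-ins for the
# deck's Windows steps, not the presenter's tooling.
ACQUISITION_STEPS = [
    ("current network ports and connections", ["ss", "-tunap"]),
    ("open files", ["lsof", "-nP"]),
    ("current process info", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("current user info", ["who", "-a"]),
    ("system configuration info", ["uname", "-a"]),
]
# Constructed steps that run wherever Python runs, to exercise the manifest offline.
SELF_CHECK_STEPS = [
    ("known output", [sys.executable, "-c", "print('hello')"]),
    ("tool deliberately missing", ["no-such-forensic-tool-xyz"]),
]

def run_step(name, argv):
    """Run one acquisition command and record the outcome; never raises mid-collection."""
    rec = {"step": name, "argv": argv, "started": datetime.now(timezone.utc).isoformat()}
    if shutil.which(argv[0]) is None:
        rec["status"] = "tool missing"      # recorded in the manifest, not silently skipped
        return rec
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
    except subprocess.TimeoutExpired:
        rec["status"] = "timeout"
        return rec
    rec.update(exit_code=proc.returncode, bytes=len(proc.stdout),
               sha256=hashlib.sha256(proc.stdout).hexdigest(),
               status="ok" if proc.returncode == 0 else "failed")
    return rec

def acquire(steps=ACQUISITION_STEPS):
    """Run the steps in the given order and seal the manifest with a hash of all records."""
    records = [run_step(name, argv) for name, argv in steps]
    sealed = json.dumps(records, sort_keys=True).encode()
    return {"steps": records, "manifest_sha256": hashlib.sha256(sealed).hexdigest()}

if __name__ == "__main__":
    print(json.dumps(acquire(), indent=2))
```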
Challenges
Technology Improvement
Forensics Tools
Legislation
Awareness
Technology Improvement
Operating Systems
Digital Devices
Cryptography, Steganography
Data Volume, Storage Architecture
Anti-forensics
Wireless Network
Forensics Tools
Expensive
  To purchase
  To maintain research and development labs
  To catch up with technology advances
Not Yet a Formal Certification
  Hard to verify
Still Room For Improvement
  Intelligent Analysis and Event Correlation
Legislation
Conflicting law
Ambiguous law
Lack of precedent
Not enough technical knowledge and tools
Awareness
Insufficient Preparation
Ignorance
Insufficient Security Knowledge/Skills
Future Direction in Computer Forensics
Fast Network based Log correlation and analysis solution
Combination of Forensics Investigation tools with Intrusion Monitoring systems
Live Forensics Investigations Toolkits
More Technical and Legal Training
Questions?
Ricci IEONG
Ricci_ieong (at) isfs (dot) org (dot) hk
Ricci (at) ewalker (dot) com (dot) hk
About ISFS
Information Security and Forensics Society (ISFS) founded in May 2000 by a group of digital forensics specialists and practitioners
Goals
To regulate and standardize the practice of information security and forensics professionals;
To conduct examinations and act in such other manner as may be necessary to ascertain whether persons are qualified to be admitted to register as an information security and forensics professional;
To encourage the study of information security and forensics by holding regular training courses and seminars;
To promote public awareness of information security and forensics.
Council Members (2006 and 2007)
Council Members
  Dr. KP CHOW
  Mr. Vitus CHUNG
  Mr. Anthony FUNG
  Dr. W.W. FUNG
  Mr. Vincent IP
  Mr. Collins LEUNG
Office Bearers
  Mr. Michael KWAN, Treasurer
  Mr. Ricci IEONG, Secretary
  Mr. David LEUNG, Vice-Chairman
  Dr. Hilton CHAN, Chairman