first responders course - session 4 - forensic readiness [2004]

First Responders Course: 4 Forensic Readiness Phil Huggins February 2004


The fourth session from a two day course I ran for potential first responders in a large financial services client.

TRANSCRIPT

Page 1: First Responders Course - Session 4 - Forensic Readiness [2004]

First Responders Course: 4 Forensic Readiness

Phil Huggins, February 2004

Page 2

Forensic Readiness

The goals of Forensic Readiness are to decrease the time and cost of Forensic Analysis (and Scope Assessment) while increasing the effectiveness.

The main idea in Forensic Readiness is to build an infrastructure that supports the data needs of an investigation.

The main areas include:
- Logging and monitoring
- Build management & inventory
- User policies
- Reporting forms

Page 3

Forensic Readiness Theory

Data is critical to Forensic Analysis. If the needed data is not being recorded, then it cannot be used in the investigation.

Forensic Readiness assesses what network and system information should be recorded every day and what should be recorded during an incident.

Page 4

Forms

Goal: To create data entry forms that will contain the information that needs to be gathered during an incident

Every action performed during an incident should be documented

Forms help to ensure that the proper data is recorded

Examples:

Chain of Custody: Records who has control of the data at a given time

System Acquisition Form: When the response team takes a system from its owner, this records the system description and owner signature

Hard Disk Form: Records the history of each drive used during the incident, including serial numbers and what systems it was installed in

Investigator Log: Allows the responder to document their actions

Form templates are included in your course handbook and will be included on the course CD-ROM.

Page 5

Chain of Custody Example

Page 6

System Acquisition Form Example

Page 7

Hard Disk Form Example

Page 8

Investigator Log Example

Page 9

Logging

Log data can be crucial to the investigation

There are two major issues with logging and forensics:

1. Many incidents involve someone having unauthorized privileged user access, and most logs can be modified or deleted by such a user.

2. Not all systems are logging the information that is useful to an investigation.

Page 10

Centralized Log Servers

All servers send a copy of their log data to a dedicated log server

Server can be on the normal network or a dedicated network

Server is secured to only allow log data (syslog) and SSH access and is considered a critical asset when patching systems

Syslog Example:
- UNIX servers are configured to redirect syslog output to the log server
- Windows servers use 3rd party tools to send event logs to the log server

Page 11

Centralized Log Server Benefits

All logs can be analyzed on a periodic basis to detect anomalies

Makes it more difficult for an attacker to modify the logs

It is important to correlate events from multiple sources, so we can compare the locally stored logs and the remotely stored logs

This server will be the target of many attacks, which may alert one to other attacks if it is watched closely
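The local-versus-remote comparison described above, as an added Python example that is not part of the course material: it reports entries the central server holds for a host that the host's own log no longer contains. The syslog lines and the host name web01 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample entries in classic BSD syslog layout. The remote copy
# (central log server) kept two web01 entries that are absent from the host's own file.
LOCAL_LOG = """\
Feb  9 08:01:12 web01 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb  9 08:05:40 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Feb  9 09:15:03 web01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""
REMOTE_LOG = """\
Feb  9 08:01:12 web01 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb  9 08:05:40 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Feb  9 08:06:02 web01 sshd[2231]: Accepted password for alice from 203.0.113.9 port 40011 ssh2
Feb  9 08:06:30 web01 useradd[2290]: new user: name=svc, UID=0, GID=0, home=/, shell=/bin/sh
Feb  9 09:15:03 web01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
Feb  9 09:15:05 db01 cron[881]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "Mon DD HH:MM:SS host message"; the host field is how the central server files entries.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

def parse(text, host):
    """Yield (timestamp, message) for entries from `host`; skip lines in any other layout."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and m.group("host") == host:
            yield (m.group("ts"), m.group("msg"))

def missing_locally(local_text, remote_text, host):
    """Entries the central server holds for `host` that the host's own log lacks.

    Counters rather than sets, so one deleted copy of a repeated identical line is
    still reported. A non-empty result means the local file was truncated or edited
    after those entries had already been forwarded."""
    local = Counter(parse(local_text, host))
    remote = Counter(parse(remote_text, host))
    return sorted((remote - local).elements())  # Counter subtraction keeps positive counts only

if __name__ == "__main__":
    for ts, msg in missing_locally(LOCAL_LOG, REMOTE_LOG, "web01"):
        print(f"absent from local log: {ts} web01 {msg}")
```

Entries an intruder removes before the forwarder ships them never reach the server, so this check only exposes tampering that happened after forwarding.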

Page 12

Windows to syslog

Windows stores logs in event files. 3rd party programs run on a scheduler and send new event entries to the syslog server:
- Event Reporter (www.eventreporter.com)
- NT Syslog (www.ntsyslog.sourceforge.net)
- evlogsys.pl (perl script)
- Back Log (NT-only)

There is a slight window of opportunity with this model for the attacker to delete the logs before the collection tool runs

Page 13

Logging Readiness Steps

Goal: To ensure that the proper data is logged and that it is stored in a way that can be used during forensics

Send logs to central server to secure them during an attack

Ensure log files have strict permissions so only a privileged user can write to them.

If possible, only allow the log to be appended to and deny all read access

Identify what OS events should be logged:
- User logins
- System reboots
- As much as possible, based on space requirements (process logging can require large amounts of storage)

Page 14

Logging Readiness Steps

Identify which application events should be logged: as much as possible, based on space requirements

Log all network devices:
- Firewalls
- VPNs
- Routers
- Dialups
- Servers

Use Network Time Protocol (NTP) to make log processing across multiple machines easier

Log by IP, do not resolve hostname

Page 15

Logging Readiness Steps: Log Integrity

Generate MD5 sums of log files when they are saved and rolled over

Use a secure (crypto-based) logging system:
- Core SDI
- syslog-ng
- IETF Secure Syslog

Page 16

Network Monitoring

Goal: To record needed network traffic to provide new evidence and correlate activity. This is from the investigation perspective, not detection.

An IDS system can be used to record all events, but not generate alerts

A general sniffer can record all raw data:
- tcpdump
- Ethereal

Protocol analyzers can process the raw output of tcpdump:
- NetWitness
- Ethereal

Page 17

Network Monitoring

Available storage will be the only limit on how much traffic can be retained

Specialized hardware or a SAN could be worthwhile

If monitoring is not always on, a dedicated system should exist that can start monitoring when an incident occurs

Page 18

Host Monitoring

Goal: To record host activity, not already being logged, which will assist in a forensic investigation.

This level of recording is needed for only the most sensitive systems

Keystroke recorders can be either:
- software: runs as a service and can hide the data in an encrypted file or email it to a remote location
- hardware: a device that the keyboard plugs into and saves the keystrokes in hardware (does not record the window title)

Page 19

Change Management

Goal: To document a system's state

A common task in forensics is to identify which binaries were replaced with a trojan version

Change management identifies which patch level the systems should be at

MD5 checksums can be calculated for each machine and stored off-line (similar to Tripwire)

Configurations are recorded to identify which services are supposed to be running and which are backdoors
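An added example, not the course's own tooling, of the off-line checksum baseline described here and on the log-integrity page: one walk/hash/compare routine serves both rolled-over log files and system binaries, reporting what changed, disappeared or appeared since the baseline was taken. It uses MD5 as the slides do (a current deployment would pass "sha256" as `algo`); the directory tree and file contents are constructed inside the example.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path, algo="md5"):
    """Hash a file in chunks so large log archives need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algo="md5"):
    """Return {relative_path: digest} for every file under `root`. This is what
    gets written to off-line media, never left on the host it describes."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algo)
    return baseline

def verify(root, baseline, algo="md5"):
    """Compare the live tree with a stored baseline; every list is empty when nothing changed."""
    current = build_baseline(root, algo)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Baseline a constructed /bin-like tree, tamper with it, then report the differences."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    for name, data in (("ls", b"original ls binary"), ("ps", b"original ps binary")):
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(data)
    manifest = json.dumps(build_baseline(root), sort_keys=True)  # stored off-line in practice
    with open(os.path.join(bin_dir, "ps"), "wb") as f:            # binary replaced
        f.write(b"replacement ps binary")
    os.remove(os.path.join(bin_dir, "ls"))                        # binary deleted
    with open(os.path.join(bin_dir, "sh"), "wb") as f:            # file not in the baseline
        f.write(b"unexpected addition")
    return verify(root, json.loads(manifest))
```

Running `demo()` returns changed `bin/ps`, missing `bin/ls` and new `bin/sh`; on a real host the manifest must be compared from a trusted system, since a privileged intruder can alter both the files and a baseline kept alongside them.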

Page 20

Inventory

Goal: To document ownership of hardware and addresses

This is most useful with internal investigations

Allows one to identify the system with a given MAC address (from DHCP logs)

Allows one to identify who has a given hostname (which is found in system logs)

Page 21

Privacy Policies

Goal: To set users' expectations of privacy appropriately

An investigation may need access to a user's mailbox or other "private" data

Identifying how much privacy users have should be discussed before an incident occurs

Data Protection Act requires users to be notified and to accept any monitoring and for monitoring to be a normal administration task. Suddenly increasing monitoring is not acceptable under the DPA.

Page 22

Forensics Lab

Goal: To build the infrastructure needed for an in-house forensics lab (if one does not outsource it)

The forensics lab has unique requirements from other technology labs because of its legal requirements

Location:
- Little traffic
- Secured by key badge or other auditable mechanism
- Camera surveillance
- Separate computer network
- A safe for long-term data storage (with sign-out sheets)

Page 23

Forensics Lab Equipment

Contents will vary depending on supported platforms

At least one system of each supported platform

Linux can mount most file system images, and tools exist for more advanced analysis (The Sleuth Kit)

Windows does not have many tools native to it, but specialized tools exist for analysis of Windows systems (EnCase etc.)

Binary analysis capabilities

Malicious code monitoring capabilities

Page 24

Summary

Many proactive steps can be performed to effectively handle incidents

Readiness forces an organization to consider how to handle an incident before it occurs

The amount of documentation required will depend on the organization