• No results found

Digital Forensics. Module 7 CS 996

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Digital Forensics. Module 7 CS 996"

Copied!
44
0
0

Loading.... (view fulltext now)

Download now ( 44 Page )

Full text

(1)

Digital Forensics

Module 7 CS 996

(2)

Outline of Module #7

„ Review of labs (Kulesh)

„ Review of module #6: sniffer tools

„ Network Forensics

„ Overview of tools „ Motivations

(3)

Why is Forensics Difficult?

„ More information v. better analysis

„ Information generated in 2002

„ 5 Exabytes (500,000 Libraries of Congress) „ 92% stored on magnetic media

„ Information communicated

„ 18 Exabytes (telephone, radio, TV, Internet) „ 400,000 Terabytes (email)

(4)

Network Forensics Tools

„ Traditional sniffers

„ May be portable

„ Real time and historical

„ Content and/or header information

„ Network recorders

„ Monitor all traffic

„ Log event analyzers (SIM)

„ SIM=Security Information Management „ Include event aggregation and correlation

(5)

Network Sniffers

„ Wildpackets Etherpeek: network engineers

„ Eeye IRIS: user friendly

„ Ethereal: free!

„ Kismet (Linux): wireless and free!

„ CommView (www.tamosoft.com)

„ CommView for WiFi

(6)

Eeye IRIS Features

„ Easy to use

„ Reconstructs TCP sessions

„ Renders HTML content

„ Filters

„ Usual IP, MAC, port, etc. „ Word filters

„ Does packet logging

„ No content

(7)
(8)
(9)
(10)
(11)

SIM Tools: Why Event Logging?

„ One critical part of security infrastructure

„ Prevention „ Detection „ Response „ Regulatory requirements „ Medical: HIPAA „ Financial: GLB

(12)

HIPAA Logging Requirements

„ § 164.308 Administrative Safeguards

„ (a) (1) Security Management Process

„ Information system activity review (Required)

„ (a) (5) Security Awareness and Training

„ Log-in monitoring (Addressable)

„ (a) (6) Security Incident Procedures

„ Identify and respond to suspected or known security

incidents; …document security incidents and their outcomes (Required)

„ § 164.312 Technical Safeguards

„ (b) Audit controls to record and examine activity

(13)

Gramm Leach Bliley (GLB)

„ FFIEC Handbook (Federal Financial

Institutions Examination Council)

„ “Control access to applications by logging

access and security events”

„ “Secure access to the OS of all system

components by logging and monitoring user or program access to sensitive resources and alerting on security events”

(14)

Log Files as Forensic Evidence

„ Federal Rules of Evidence

„ www.usdoj.gov/criminal/cybercrime/

usamarch2001_4.htm

„ Part of regularly conducted business activity

„ Authentication of records

„ Was data altered? „ Is software reliable?

„ Are computer records hearsay?

(15)

MANAGEMENT STATION AGGREGATOR FIREWALL/IDS HUB SWITCH ROUTER ARCHIVE STORAGE AGGREGATOR

(16)

Syslog Protocol

„ RFC 3164

„ Uses UDP port 514

„ Message format

„ Priority field: 0-7

„ Header field: host name and time stamp

„ Message field: ASCII characters describing event

DEVICE RELAY

(17)

Syslog Priority Levels

Normal Notifications 5 Warning message Warnings 4 Error messages Errors 3 Critical condition Critical 2 Immediate action Alerts 1 System unusable Emergencies 0 DESCRIPTION TYPE SEVERITY

(18)

Limitations of Syslog

„ UDP not reliable

„ No authentication or encryption

„ RFC 3195: reliable syslog

(19)

Security Information Vendors

Network Intelligence, Forensics Explorers

Data Aggregation/ Analysis

Intellitactics, NetForensics, ArcSight, GuardedNet, Open Services Correlate Information Secure Decisions Visualize Information Vendor Function

(20)

Network Traffic Recorders

„ Record all traffic on network

„ Niksun NetDetector

(21)

NetForensics Architecture

ORACLE DATABASE NF ENGINE: EVENT AGGREGATION AND CORRELATION ROUTER IDS HOST AGENTS

(22)

Event Correlation

„ Rules based: If…then…else

„ Statistical: monitor changes in event

statistics

(23)

Intellitactics Message Architecture

SYSLOG MESSAGE: DATE, TIME STAMP, SOURCE, DESTINATION, EVENT CODE (CISCO PIX 106001—DENY INBOUND TCP CONNECTION)

CREATE NORMALIZED TYPE FIELD BASED ON EVENT TYPE

ADD ZONE FIELDS BASED ON SOURCE LOCATION, TARGET LOCATION AND FIREWALL LOCATION

(24)

Log Logic Log Appliance

„ Archiving of log file data

„ Uses intelligent data compression technique

„ Allows real time and historical threat analysis

„ Cisco message ID „ Message volume

„ Regular expression filter

„ LX-1000

„ Up to 1000 messages/second „ 90 GB storage: 90 days storage

(25)

LogLogic Log Appliance

FIREWALL CHECK POINT LOG APPLIANCE STRIPPED-DOWN LINUX OS MYSQL DATABASE WWW, SMTP SYSLOG & PROPRIETARY MESSAGES

(26)

Summarization of Log Files

WWW SERVER PC USER PIX FIREWALL LOGLOGIC LOGAPPLIANCE 20-50 TCP CONNECTIONS PER WEB PAGE TAKES 60-150 MESSAGES AND SUMMARIZES TO ONE

DATABASE RECORD

SYSLOG MESSASGES

(27)

Applications of Log File Forensics

„ Help diagnose virus infections

„ Analysis of time zero events

„ Monitor inside traffic for infected machines

„ Help analyze hacker events

(28)

Log File Formats

„ CheckPoint

„ Proprietary binary format, not human readable

„ Time | Action | Firewall | Interface | Product |Source | Source Port | Dest. |

Service | Protocol |Translation (NAT)

„ Cisco PIX

„ Syslog format

„ Date | Time | IP/Hostname | Message Code | Message

„ NetScreen

„ Syslog format

(29)

Significance of Priority Levels

Key to performing audit and policy Informational

6

Work done on the firewall

Notifications 5

Packet anomalies, policy conflicts

Alert, Critical, Error, Warning

1-4

FUNCTION TYPES

(30)

Example PIX Syslog Messages

Deny inbound UDP from

A.B.C.D/Port to L.M.N.O/Port 106006

2

No response from other firewall 103001 1 Not used 0 Description Cisco # Severity

(31)

Example Syslog Messages, cont.

IP fragment malformed; total size exceeds 65,535 bytes

209004 4

Deny inbound from outside: IP_addr to inside: IP_addr 106010

3

Description Cisco #

(32)

Example Syslog Messages, cont.

User executed command string that does not alter configuration

111009 7

Start PIX firewall 199005

6

Description Cisco #

(33)

Severity 5 + 6 Messages

„ Contain critical information about traffic

in/out of network

„ %PIX-5-304001: user 192.168.69.71 Accessed

URL 10.133.219.25: www.example.com

„ %PIX-6-302013: Built TCP connection

number for interface_name: real_address/real_port to

(34)
(35)
(36)
(37)
(38)
(39)
(40)
(41)
(42)

Log Analysis Using Regular

Expressions

„ Search through historical logs

„ Configure alerts on real time logs

„ Examples

„ Character literals

„ /a/ Mary had a little lamb. And everywhere that Mary

went, the lamb was sure to go.

„ Special characters (11); examples

„ . Wildcard „ ^ Start of line „ $ End of line

(43)

Regular Expressions, Examples

„ ^Mary

„ Mary had a little lamb.

And everywhere that Mary went…

„ .a (wildcard)

„ Mary had a little lamb.

And everywhere that Mary went, the

Lamb was sure to go.

„ Further reference, see notes on web site:

(44)

References for Module #7

„ Bill Nelson, Guide to Computer

Investigations, 2004.

„ Warren Kruse, Computer Forensics, 2002.

„ Kevin Mandia, Incident Response, 2003.

„ http://www.hipaadvisory.com/regs/finalsecu

rity/regulationtext.htm (HIPAA security)

„ Corey, Vicka, et al, “Network Forensic

Analysis”, IEEE Internet Computing, Nov.-Dec., 2002.

References

Download now ( PDF - 44 Page - 3.42 MB )

Related documents

Optimizing energy audits for K-12 educational facilities

This chapter is structured as an instruction manual for an auditor or auditing team. It details the recommended procedure for performing building energy audits on educational K-12

School-Parent Communication: ls There an Association between Grade Levels and Parental Receipt of Information?

The literature suggests that parents, regardless of their child’s grade level, want modern methods of communication from teachers and schools to keep them informed,

syslog-ng Premium Edition Windows Event Collector Administration Guide

syslog-ng PE 7.0.25 Windows Event Collector Administration Guide Configure event source

Symantec Event Collector 4.3 for Cisco PIX Quick Reference

1 On the collector computer, navigate to the collector directory as follows: Introducing Symantec Event Collector for Cisco PIX. Running LiveUpdate for

The timing of vaccination with respect to anaesthesia and surgery. 1. Surgery following immunisation with inactivated vaccines

Recent vaccination does not impact upon the outcome of surgery, but it may be wise to postpone elective surgery for 48 hours after inactivated vaccine administration in order to

M3 Pi: OBD-II Touchscreen Car Computer

I knew that there were multiple aftermarket products that used this area to mount analog gauges ( ​Figure 2​), but I wanted to design one that would be easily removable, and would

Using timescales to interpret dissolved oxygen distributions in the bottom waters of Chesapeake Bay

A simplified conceptual model based on timescales of gravitational circulation, vertical exchange, and total oxygen consumption rate of the biochemical processes is presented to

Bringing the Lab to the Field: More than Changing Subjects

Even in the case of campus labs, students participating in experiments could become part of the research process, provided that a well controlled design and assuring the privacy