COEN 252 Computer Forensics Challenges of Network Forensics


  • Slide 1
  • COEN 252 Computer Forensics Challenges of Network Forensics
  • Slide 2
  • Evidence in a network is dispersed. The scope of the investigation is fluid. There is no isolated crime scene. It is hard to collect all evidence, and equally hard to destroy all evidence.
  • Slide 3
  • Challenges of Network Forensics: Preparation and Authorization System administrators routinely gather network data, but usually more data is needed. Basic problem: where to find all the relevant data.
  • Slide 4
  • Challenges of Network Forensics: Preparation and Authorization Step 1: Investigation of the network. Determine the location of servers, determine their type, and plan for the processing of the data. Often, evidence needs to be gathered simultaneously at various sites. This should not disrupt operations. Network scanning is aggressive and can trigger an automatic response.
  • Slide 5
  • Challenges of Network Forensics: Preparation and Authorization Step 2: Seek authorization. This depends on the situation, the country, the type of data, and who is collecting the data. Sometimes, law enforcement needs to demonstrate that they exhausted all other means. A warrant for all sites involved is advisable.
  • Slide 6
  • Challenges of Network Forensics: Preparation and Authorization Using passwords obtained during an investigation usually requires additional authorization. The FBI successfully prosecuted two Russian computer intruders, Aleksey Ivanov and Gorshkov, for breaking into e-commerce sites. The FBI lured the two with a fictitious job interview, then captured the passwords on their systems. The FBI used these passwords to gain access to their computers at home, which yielded a wealth of evidence on the men's computer hacking and fraud.
  • Slide 7
  • Challenges of Network Forensics: Preparation and Authorization Russia's counterintelligence service filed criminal charges against an FBI agent because the agent illegally seized evidence against them by downloading data from their computers in Chelyabinsk, Russia. But U.S. District Judge John C. Coughenour of Seattle ruled that Gorshkov and Ivanov gave up any expectation of privacy by using computers in what they believed were the offices of a public company.
  • Slide 8
  • Challenges of Network Forensics: Preparation and Authorization "When (the) defendant sat down at the networked computer he knew that the systems administrator could and likely would monitor his activities," Coughenour wrote. "Indeed, the undercover agents told (Gorshkov) that they wanted to watch in order to see what he was capable of doing." He also found that the Fourth Amendment did not apply to the computers, because they are the property of a non-resident and located outside the United States, or to the data, at least until it was transmitted to the United States.
  • Slide 9
  • Challenges of Network Forensics: Preparation and Authorization The judge noted that investigators obtained a search warrant before viewing the vast store of data (nearly 250 gigabytes, according to court records). He rejected the argument that the warrant should have been obtained before the data was downloaded, noting that the agents had good reason to fear that if they did not copy the data, (the) defendant's co-conspirators would destroy the evidence or make it unavailable. Finally, Coughenour rejected defense arguments that the FBI's actions were unreasonable and illegal because they failed to comply with Russian law, saying that Russian law does not apply to the agents' actions.
  • Slide 10
  • Challenges of Network Forensics: Preparation and Authorization Warrants can be too broad: Evidence collected under such a warrant might be admissible. Warrants can be too specific: Do not allow investigators to find all the relevant data.
  • Slide 11
  • Challenges of Network Forensics: Preparation and Authorization Warrants requesting email are harder to obtain. Rather ask for records associated with the subscriber account: screen name, phone number, address, credit card numbers, and connection records (including IP addresses, logon dates, phone numbers). Some providers (eBay) can hand these over to law enforcement because their user agreement allows for it.
  • Slide 12
  • Challenges of Network Forensics: Preparation and Authorization Investigators need not be present when data at an internet provider is collected. In October of 2000, police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served upon Yahoo, an internet service provider (ISP) in California. Minnesota requires that an officer be present at the service of a search warrant. Rather than adhering to the requirements provided by Minnesota law, the officer investigating Mr. Bach served the search warrant to Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Mr. Bach's account, including deleted email messages. Yahoo then mailed the disk to Minnesota, where the data became evidence in Bach's federal criminal prosecution.
  • Slide 13
  • Challenges of Network Forensics: Preparation and Authorization At trial, Bach moved to have the evidence suppressed, citing both violations of the Minnesota statute and violations of a federal statute. The district court held that the evidence should be suppressed as the search was illegal under both federal and state laws. The government appealed to the circuit court. On October 10, 2002, the Eighth Circuit held oral arguments in United States v. Bach, the first Circuit case examining how the Fourth Amendment protects stored e-mail and other files held by Internet Service Providers (ISPs). The district court had suppressed the evidence, stating that the law enforcement practice of faxing search warrants for the contents of e-mails to ISPs violated the Constitution because the Fourth Amendment required the government to be physically present to execute the warrant. At oral argument, the government's attorney urged the court to resolve the question on narrow reasonableness grounds, without addressing the broader issue of whether an Internet user has an expectation of privacy in remotely stored files held by an ISP.
  • Slide 14
  • Challenges of Network Forensics: Preparation and Authorization The Eighth Circuit ruled that service of a warrant on an ISP by fax complies with the "reasonableness" requirements of the Fourth Amendment. The court resolved the case on the narrow ground that the government's actions were "reasonable," without deciding the broader issue of whether an Internet user has a Fourth Amendment expectation of privacy in their e-mail. In January 2003, the Circuit judges narrowly rejected the defendant's petition for reconsideration, voting 5 to 4 against the motion.
  • Slide 15
  • Challenges of Network Forensics: Identification Locate the systems that contain the most useful evidence. Seek end-points and intermediate systems (switches, routers, proxies). Look for log files that give an overview of system activities. Look for supporting systems such as authentication servers and caller-id systems.
  • Slide 16
  • Challenges of Network Forensics: Identification Example: Investigator examines a compromised machine and determines the source and method of attack. Investigator locates other systems that are compromised and observes traffic on the compromised systems. This determines the source of the attack.
  • Slide 17
  • Challenges of Network Forensics: Identification Example: Investigator contacts ISP to preserve related evidence. Intruder has stolen a dial-up account. But ISP has Automatic Number Identification. This gives the phone number used to dial into the ISP modems.
  • Slide 19
  • Challenges of Network Forensics: Identification Example: The phone number leads to the intruder's home. A search warrant is obtained and the intruder is caught red-handed.
  • Slide 20
  • Challenges of Network Forensics: Identification Much network evidence is time-critical. Logs are expunged. Caches in highly active devices such as routers are volatile. This creates a need for instant analysis. Gathering evidence is usually the higher priority. A plan becomes important.
  • Slide 21
  • Challenges of Network Forensics: Identification Mistakes because of haste are common. A subpoena to AOL for 3:13 pm instead of 3:13 am resulted in the wrong subscriber information for an IP address. Mistakes in the IP address also lead to wrong subscriber information. Intruders try to mislead investigators by hiding their tracks. Corroborating evidence is essential.
  • Slide 22
  • Challenges of Network Forensics: Identification Given the haste, the difficulties, the wide variety of evidence, we need a Methodical Approach. Digital Evidence Map: Lays out the evidentiary resources of a network.
  • Slide 23
  • Challenges of Network Forensics: Identification Digital Evidence Map (diagram): UNIX server; Kerberos server; firewall with firewall logs; intrusion detection system with IDS logs and evidence processing; router with router logs; dial-up rotaries; second firewall.
  • Slide 24
  • Challenges of Network Forensics: Documentation, Collection, Preservation Byte-for-byte copy of network computers is often impossible. Systems cannot be shut down. Too much data to collect. Limited authority to access data. Impossible to gain physical access. Likely that evidence is altered before physical access is gained.
  • Slide 25
  • Challenges of Network Forensics: Documentation, Collection, Preservation Real-time evidence gathering: from tools like HyperTerminal or script; IRC chat sessions, where the equivalent of video-taping the session might be required; monitoring of network traffic. Intrusion Detection Systems (IDS) do not log everything.
  • Slide 26
  • Challenges of Network Forensics: Documentation, Collection, Preservation Real-time gathering: preserving evidence and establishing a chain of custody is a challenge. Example: log files can be preserved with a time and date stamp, documentation of the file location and metadata, copied to disk, hashed with MD5, and printed out.
  • Slide 27
  • Challenges of Network Forensics: Documentation, Collection, Preservation Case Example: In a homicide case, investigators collected all the log entries of the victim's network activity, but not the entire file. It was later determined that the offender might have logged in at the same time in order to chat and to arrange a meeting an hour later. By the time this was realized, the tapes with the log file were already reused and all other log entries were lost. It was now impossible to determine who else was logged on at the same time as the victim.
  • Slide 28
  • Challenges of Network Forensics: Documentation, Collection, Preservation Maintain a detailed record of the entire collection process to authenticate the evidence at a later time.
  • Slide 29
  • Challenges of Network Forensics: Documentation, Collection, Preservation Case Example: An intruder was caught breaking into a computer system on an organization's network via the internet. Before disconnecting the system from the network, investigators gathered evidence that showed clearly that a crime was being committed. To achieve the equivalent of a videotape of the crime, they used a sniffer to monitor network traffic. They logged onto the compromised system using a client that kept a log of the session, then gathered evidence of the intruder's presence on the system and the programs the intruder was running. They found other compromised systems and connected to them through a backdoor created by the intruder. Because there was a risk that the intruder might destroy evidence, they collected evidence remotely. Recall that they used a program that logged their keystrokes and thus documented the investigation.
  • Slide 30
  • Challenges of Network Forensics: Documentation, Collection, Preservation Standard Procedure: Follow a standard operating procedure to reduce mistakes and increase consistency. Retain a log of all activities during the collection process (including screen shots). Document from which server the data actually comes. Calculate MD5 values of evidence prior to transferring it. Possibly digitally sign and encrypt the data. Possibly use write-once media to collect evidence.
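The preservation steps on Slides 26 and 30 (timestamp, file metadata, MD5 before transfer, a record of every collection activity) can be reduced to a small script. The following is an added example and not code from the course or from any case described above; the log content, host name and collector name are constructed, and the SHA-256 digest is an addition beyond the MD5 the slides call for, so that a second, stronger hash travels with the evidence.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log content (not from a real system); written to disk so the example runs offline.
SAMPLE_LOG = (
    "Mar 14 03:13:02 gw sshd[2211]: Accepted password for admin from 203.0.113.7 port 4412\n"
    "Mar 14 03:13:09 gw sshd[2211]: session opened for user admin\n"
)


def write_sample(path):
    """Create the constructed log file that stands in for a collected log."""
    with open(path, "w") as f:
        f.write(SAMPLE_LOG)
    return path


def digest_bytes(data):
    """MD5 (what the slides use) plus SHA-256 (added here) over in-memory data."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def file_digests(path, chunk=65536):
    """Hash a file in chunks so large captures need not fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def collection_record(path, source_host, collector):
    """Document where the file came from, its metadata, and digests taken before it moves.
    Times are recorded in UTC with an explicit offset to avoid clock and am/pm ambiguity."""
    st = os.stat(path)
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "source_host": source_host,
        "path": os.path.abspath(path),
        "size_bytes": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
        "digests": file_digests(path),
    }


def append_activity(activity_log, action, detail):
    """Keep the running log of collection activities the standard procedure asks for."""
    activity_log.append({
        "at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "detail": detail,
    })


def verify_after_transfer(path, record):
    """Recompute both digests at the destination and compare with the record."""
    return file_digests(path) == record["digests"]


def run_demo():
    """Collect, document, copy, verify, then show that a change after collection is detected.
    Returns (record, verified_ok, tampered_ok, activity_log)."""
    activity = []
    with tempfile.TemporaryDirectory() as d:
        src = write_sample(os.path.join(d, "messages"))
        record = collection_record(src, "gw.example.internal", "analyst-1")  # constructed names
        append_activity(activity, "hash", json.dumps(record["digests"]))
        dst = os.path.join(d, "evidence_copy")
        shutil.copyfile(src, dst)
        append_activity(activity, "copy", f"{src} -> {dst}")
        ok = verify_after_transfer(dst, record)
        with open(dst, "ab") as f:          # simulate alteration after collection
            f.write(b"\n")
        tampered_ok = verify_after_transfer(dst, record)
        append_activity(activity, "verify", f"clean={ok} after_change={tampered_ok}")
    return record, ok, tampered_ok, activity


if __name__ == "__main__":
    rec, ok, tampered, log = run_demo()
    print(json.dumps({"record": rec, "verified": ok, "after_change": tampered, "activity": log}, indent=2))
```

The record and activity log are what get printed out or signed; the verification step is repeated at every hand-off so that the chain of custody rests on the digests rather than on memory.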
  • Slide 31
  • Challenges of Network Forensics: Filtering Forensic analysis of a network incident typically involves too much data. Some collected data is privileged or confidential, for example when all traffic through a router is collected during an incident.
  • Slide 32
  • Challenges of Network Forensics: Filtering Filter before collecting data? This can lose evidence. It is better to filter after the data is collected.
  • Slide 33
  • Challenges of Network Forensics: Filtering Filtering for log files: usually part of the command interface. NTLast extracts from the NT event log. Collect the log from a Cisco router in a file, then use a filtering tool. Sniffers (commercial and non-commercial) have filters. Capture all, then filter the results.
  • Slide 34
  • Challenges of Network Forensics: Filtering Emails: filter for portions of headers; filter for IP addresses.
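Slides 32 to 34 recommend capturing everything and filtering afterwards, by IP address and time window for logs and by header fields for email. The following is an added example illustrating that post-capture filtering; it is not code from the course. The log lines and the email header block are constructed, the log timestamp format is assumed to be ISO 8601 in UTC, and the IP addresses are from documentation ranges.

```python
import re
from datetime import datetime

# Constructed sample log lines in an assumed "ISO-timestamp host message" format (not real traffic).
LOG_LINES = [
    "2004-03-14T03:13:02Z gw sshd[2211]: Accepted password for admin from 203.0.113.7 port 4412",
    "2004-03-14T03:14:40Z gw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=10.0.0.5 PROTO=TCP DPT=445",
    "2004-03-14T15:13:02Z gw sshd[2290]: Accepted password for alice from 192.0.2.33 port 5120",
    "2004-03-14T15:20:11Z gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.8 PROTO=TCP DPT=22",
]

# Constructed sample email with a folded Received header (not a real message).
RAW_EMAIL = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\r\n"
    "\tby mx.example.org with ESMTP id abc123; Sun, 14 Mar 2004 03:15:00 +0000\r\n"
    "Received: from [198.51.100.20] by mail.example.net; Sun, 14 Mar 2004 03:14:55 +0000\r\n"
    "From: someone@example.net\r\n"
    "To: victim@example.org\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body text\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Split one log line into timestamp, host, message and the IPs it mentions."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "host": host,
            "msg": msg, "ips": IPV4.findall(msg)}


def filter_log(lines, ips=None, start=None, end=None):
    """Keep lines that mention any IP in `ips` and fall inside [start, end].
    start/end are ISO strings; the full capture is never modified, only the view."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    wanted = set(ips) if ips else None
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if lo and rec["ts"] < lo:
            continue
        if hi and rec["ts"] > hi:
            continue
        if wanted and not (wanted & set(rec["ips"])):
            continue
        out.append(rec)
    return out


def header_fields(raw, wanted):
    """Return only the header fields of interest, with folded continuation lines joined."""
    header_part = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in header_part.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:      # RFC 5322 folding: continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return [(n, v) for n, v in fields if n in wanted]


def ips_in_headers(raw):
    """Collect the IP addresses that appear in the Received chain, in header order."""
    ips = []
    for _, value in header_fields(raw, {"Received"}):
        ips.extend(IPV4.findall(value))
    return ips


if __name__ == "__main__":
    for rec in filter_log(LOG_LINES, ips={"203.0.113.7"}, start="2004-03-14T03:00:00", end="2004-03-14T04:00:00"):
        print(rec["ts"], rec["msg"])
    print(ips_in_headers(RAW_EMAIL))
```

Filtering is applied to a copy of the full capture, so a wrong window (the am/pm mistake of Slide 21) can be corrected by re-running the filter instead of re-collecting.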
  • Slide 35
  • Challenges of Network Forensics: Evidence Recovery Sometimes, we can recover deleted log files, or at least portions of them.
  • Slide 36
  • Challenges of Network Forensics: Reconstruction of the Event Investigative reconstruction: the systematic process of piecing together evidence and information gathered during an investigation to gain a better understanding of what transpired. Use physical imprints to infer offense-related behavior.
  • Slide 37
  • Challenges of Network Forensics: Reconstruction of the Event Some intruders use toolkits, which are left behind after an intrusion. Individualization of the toolkit allows conclusions about the intruder. Absence of a toolkit might indicate: successful removal of the toolkit; an intruder skilful enough not to need a toolkit; or perhaps an intruder who had legitimate access.
  • Slide 38
  • Challenges of Network Forensics: Reconstruction of the Event Investigative reconstruction: develops leads; locates additional evidence; develops an understanding of case facts and their relations; locates concealed evidence; develops suspects with motive, means, opportunity; establishes evidence for insider knowledge; prioritizes investigations; anticipates intruder actions; links related crimes with the same behavioral imprint; gives insight into offender fantasy, motives, intents, state of mind; guides suspect interviews; presents the case in court.
  • Slide 39
  • Challenges of Network Forensics: Reconstruction of the Event Evidence used to reconstruct a crime is Relational. Example: An intruder obtained unauthorized access to a computer behind a firewall and then broke into the accounting system. The intruder needed to know a password. That fact can be used to locate potential sources of evidence: router error logs, intrusion detection logs. Example: Cyberstalking. How did the offender obtain information about the victim?
  • Slide 40
  • Challenges of Network Forensics: Reconstruction of the Event Evidence used to reconstruct a crime is Functional: What conditions were necessary for certain aspects of the incident to be possible? E.g., a defense attorney questions how you know that the suspect could create his floppy with his computer. Temporal: Creates a chronological list of events, a timeline.
  • Slide 41
  • Challenges of Network Forensics: Reconstruction of the Event Examples of relational evidence: Which computer generates most of the network traffic during an incident? Intruders might communicate in real time via IRC while breaking into computers around the world.
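Slides 40 and 41 describe temporal reconstruction (a timeline) and relational reconstruction (which host generates most traffic). The following added example, which is not code from the course, does both on constructed data: it normalizes events from four sources that each write time differently (a firewall in UTC, an ISP record in 12-hour local time, a UNIX syslog line with no year, an IDS with epoch seconds) into a single UTC timeline, and it totals bytes per source address to find the top talker. The time-zone table, the assumed year for the syslog line, and all event and flow records are assumptions made for the example; the fixed offsets ignore daylight-saving changes, which a real timeline must check per source.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed events: (source, raw timestamp as that source writes it, description).
EVENTS = [
    ("firewall", "2004-03-14 15:13:02 UTC", "ACCEPT 203.0.113.7 -> 10.0.0.8:22"),
    ("isp_radius", "03/14/2004 07:12:45 AM PST", "dial-up session start, ANI 555-0100"),
    ("unix_server", "Mar 14 10:15:30 EST", "login admin from 203.0.113.7"),
    ("ids", "1079277300", "alert: repeated ssh failures from 203.0.113.7"),
]

# Constructed flow summaries: (source IP, destination IP, bytes).
FLOWS = [
    ("203.0.113.7", "10.0.0.8", 48000),
    ("10.0.0.5", "10.0.0.8", 1200),
    ("203.0.113.7", "10.0.0.5", 32000),
    ("192.0.2.33", "10.0.0.8", 5000),
    ("203.0.113.7", "198.51.100.9", 150000),   # long-lived session to an outside host (constructed)
]

# Assumed fixed offsets; on 14 March 2004 US daylight saving was not yet in effect.
TZ_OFFSETS = {"UTC": 0, "PST": -8, "EST": -5}
ASSUMED_YEAR = 2004   # syslog lines carry no year; taken from the investigation context


def parse_source_time(source, raw):
    """Convert one source's native timestamp to an aware UTC datetime.
    Every source gets its own parser because each writes time differently."""
    if source == "ids":
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    text, tzname = raw.rsplit(" ", 1)
    local_tz = timezone(timedelta(hours=TZ_OFFSETS[tzname]))
    if source == "firewall":
        local = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    elif source == "isp_radius":
        local = datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")   # 12-hour clock with AM/PM
    elif source == "unix_server":
        local = datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    else:
        raise ValueError("unknown source: " + source)
    return local.replace(tzinfo=local_tz).astimezone(timezone.utc)


def build_timeline(events):
    """Return (utc_iso, source, description) tuples in chronological order.
    Storing 24-hour UTC removes the am/pm and zone ambiguities that lead to wrong subpoenas."""
    rows = [(parse_source_time(s, ts), s, desc) for s, ts, desc in events]
    rows.sort(key=lambda r: r[0])
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), s, d) for t, s, d in rows]


def top_talkers(flows, n=3):
    """Total bytes sent per source address, largest first (relational evidence)."""
    totals = Counter()
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)


def peers_of(flows, host):
    """Destinations a host talked to: the relational links to follow for more evidence."""
    return sorted({dst for src, dst, _ in flows if src == host})


if __name__ == "__main__":
    for row in build_timeline(EVENTS):
        print(*row)
    print(top_talkers(FLOWS))
    print(peers_of(FLOWS, top_talkers(FLOWS, 1)[0][0]))
```

Once the timeline is in one clock, the ISP session start at 15:12:45Z sitting seventeen seconds before the firewall accept is the kind of relation that turns a dial-up record and a firewall log into corroborating evidence; the peers of the top talker give the next systems to examine.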