1 Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law. Computer Forensics: Commonly defined.

Dec 28, 2015

Page 1: What is Computer Forensics?

• Forensics: The use of science and technology to investigate and establish facts in criminal or civil courts of law.

• Computer Forensics: Commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence.

• Gathering and analyzing data in a manner as free from distortion or bias as possible, to reconstruct data or what has happened in the past on a computer system.

Page 2: What is Computer Forensics?

• Understand what happened
  o Proper acquisition and preservation of computer evidence
  o Authentication of collected data for court presentation
  o Recovery of all available data, including deleted files
  o Prevention of future incidents

• Often similar problems to audit, but the audit trail may be inadequate!
  o Audit information incomplete/insufficient
  o Audit trail damaged
  o We don't own the computer

Page 3: What is the Challenge?

• Audit information incomplete/erased
  o Reconstruct deleted information

• "Acceptable" state of system unknown
  o Need to identify violation in spite of this

• Goal not obvious
  o Transformations may have been applied to data

• Strong burden of proof
  o Not enough to know what happened
  o Must be able to prove it

Page 4: FBI List of Computer Forensic Services

• Content (what type of data)
• Comparison (against known data)
• Transaction (sequence)
• Extraction (of data)
• Deleted Data Files (recovery)
• Format Conversion
• Keyword Searching
• Password (decryption)
• Limited Source Code (analysis or compare)
• Storage Media (many types)

Page 5: The Coroner's Toolkit (TCT) Overview

• Collection of tools to assist in a forensic examination of a computer (primarily designed for Unix systems)

• mactimes - report on times of files
• ils - list inode info (usually removed files)
• icat - copies files by inode number
• unrm - copies unallocated data blocks
• lazarus - create structure from unstructured data
• file - determine file type
• pcat - copy process memory
• grave-robber - captures forensic data

Page 6: mactime

• mactime is shorthand reference to the three time attributes - mtime, atime, and ctime
  o atime - time of last access
  o mtime - time of last modification
  o ctime - time of last status change of inode
  o dtime - time of deletion (Linux only)

• Example
  # mactime -m /var/adm
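The idea behind mactime, as an added example written for this transcript (it is not code from the slides or from TCT): gather the m/a/c times of every file under a directory and merge them into one chronological listing, marking which attributes share a timestamp. TCT's mactime reads the body file that grave-robber writes; this walks a mounted, read-only copy instead. The demo tree, file names and the 2001 timestamp are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

# Added example, not part of the slides or of TCT. Builds a mactime-style
# timeline from stat() data. Run it only against a mounted copy of the
# evidence, never the original, since walking a tree is itself activity.


def collect_mac_records(root):
    """Return (path, size, mtime, atime, ctime) for every file under root.

    lstat() records symlinks themselves rather than their targets, and no
    file is opened, which would otherwise update atime on the copy.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records.append((path, st.st_size, st.st_mtime, st.st_atime, st.st_ctime))
    return records


def build_timeline(records):
    """Merge the three timestamps of each record into sorted events.

    Each event is (epoch_seconds, flags, size, path); flags is a string
    such as 'm.c' naming the attributes that share that second, the way
    mactime prints them.
    """
    events = {}
    for path, size, mtime, atime, ctime in records:
        for ts, letter in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            key = (int(ts), path)
            events.setdefault(key, [set(), size])[0].add(letter)
    timeline = []
    for (ts, path), (letters, size) in sorted(events.items()):
        flags = "".join(c if c in letters else "." for c in "mac")
        timeline.append((ts, flags, size, path))
    return timeline


def format_timeline(timeline):
    """Render events as lines with UTC timestamps, like mactime output."""
    lines = []
    for ts, flags, size, path in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {size:>8} {flags} {path}")
    return lines


def demo():
    """Constructed tree: one file with timestamps pushed back, one fresh."""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    old = os.path.join(root, "old.log")
    new = os.path.join(root, "new.txt")
    with open(old, "w") as fh:
        fh.write("rotated log\n")
    with open(new, "w") as fh:
        fh.write("fresh note\n")
    # Set old.log's mtime and atime to 2001-09-09 (epoch 1e9). ctime cannot
    # be set from user space and stays at "now": the timeline shows the
    # resulting 'ma.' event in 2001 and a separate '..c' event today, which
    # is exactly the inconsistency an analyst looks for in backdated files.
    os.utime(old, (1_000_000_000, 1_000_000_000))
    return build_timeline(collect_mac_records(root))


if __name__ == "__main__":
    for line in format_timeline(demo()):
        print(line)
```

The split between the 'ma.' event and the '..c' event for old.log is the point: utilities that rewrite mtime and atime cannot touch ctime, so a file whose ctime is far newer than its mtime deserves a closer look.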

Page 7: ils

• ils lists inode information of removed files.
• Can be used to identify deleted files for a possible attempt to undelete with icat.
• Specify a device file which contains a file system.
• Example
  ils /dev/hdb1

Page 8: Unix file

Page 9: icat, file

• icat copies files by inode number from a device which contains a file system
• Can be used to recover a deleted file
• Example
  icat /dev/hdb1 17

• file – determine file type
• Similar to UNIX System V file command, but may generate better indication of file type

Page 10: unrm

• unrm – copies unallocated data blocks
  o Used to copy unallocated blocks to an output file in order to be processed by lazarus.
• Example
  # unrm /dev/hdb1 > /tmp/unrm.of.hdb1

• lazarus – attempts to make sense out of raw data blocks
• Example
  # lazarus /tmp/unrm.of.hdb1
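What lazarus (and the `file` step on the previous page) does with the output of unrm, as an added example written for this transcript rather than code from TCT: scan a blob of unallocated bytes at block-aligned offsets for known file headers, name the type of each hit, and cut a candidate file out up to the format's trailer. The signature and trailer lists are a small illustrative subset, and the sample blob, its fragments and the 512-byte block size are constructed.

```python
# Added example, not part of TCT: a minimal lazarus/file-style pass over
# unallocated space. Signatures and trailers are an illustrative subset.

BLOCK_SIZE = 512

SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
}

TRAILERS = {
    "PNG image": b"IEND\xaeB`\x82",
    "JPEG image": b"\xff\xd9",
    "PDF document": b"%%EOF",
}


def carve(blob, block_size=BLOCK_SIZE):
    """Return [(offset, type)] for every signature found at a block boundary.

    File systems allocate whole blocks, so a real file header normally sits
    at a block-aligned offset. Restricting the scan to those offsets avoids
    false hits from ordinary text that merely contains a string like '%PDF-'.
    """
    hits = []
    for offset in range(0, len(blob), block_size):
        head = blob[offset:offset + 8]
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((offset, kind))
                break
    return hits


def extract(blob, offset, kind, max_len=1 << 20):
    """Cut the candidate file that starts at offset.

    If the format has a known trailer and it appears within max_len bytes,
    the slice ends at the trailer; otherwise a bounded slice is returned for
    manual review, which is what lazarus does for types it cannot delimit.
    """
    limit = min(len(blob), offset + max_len)
    trailer = TRAILERS.get(kind)
    if trailer:
        pos = blob.find(trailer, offset, limit)
        if pos != -1:
            return blob[offset:pos + len(trailer)]
    return blob[offset:limit]


# Constructed sample "unallocated space": eight zeroed blocks, a few holding
# fragments. The PNG is header + IHDR chunk + IEND chunk only (45 bytes),
# enough for signature matching but not a renderable image.
PNG_FRAGMENT = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
                + b"\x00\x00\x00\x00IEND\xaeB`\x82")
PDF_FRAGMENT = b"%PDF-1.4\n1 0 obj << >> endobj\ntrailer\n%%EOF\n"


def build_sample_blob(block_size=BLOCK_SIZE):
    blocks = [bytes(block_size) for _ in range(8)]

    def place(index, data):
        blocks[index] = data.ljust(block_size, b"\0")

    place(0, b"shell history fragment: cd /tmp\n")
    place(2, PNG_FRAGMENT)
    place(5, PDF_FRAGMENT)
    # Decoy: the magic string inside prose, not at a block boundary.
    place(7, b"notes: the string %PDF- also occurs in ordinary text")
    return b"".join(blocks)


SAMPLE_BLOB = build_sample_blob()

if __name__ == "__main__":
    for offset, kind in carve(SAMPLE_BLOB):
        data = extract(SAMPLE_BLOB, offset, kind)
        print(f"offset {offset:6d}  {kind:16s}  {len(data)} bytes")
```

Running it reports the PNG at offset 1024 and the PDF at offset 2560; the decoy in block 7 is not reported because its `%PDF-` is not block-aligned. Every carved candidate still needs the same authentication and journaling as any other item of evidence.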

Page 11: pcat

• pcat – copies process memory
  o This is used to try to understand what a program is doing, especially when the executable file has been deleted.

• Modern UNIX systems have a /proc filesystem that makes process information available in a convenient manner, including the executable file, current directory, and process memory.
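The /proc information this page refers to, read in code, as an added example written for this transcript (not code from TCT or pcat): for one pid it records the executable path, working directory, command line, open descriptors and the number of mapped regions, and it flags the case the slide describes, a process whose binary has been deleted, which the kernel marks by appending " (deleted)" to the exe link. It assumes a Linux procfs at /proc and returns None elsewhere.

```python
import os

PROC = "/proc"  # assumption: Linux procfs; the functions return None/[] elsewhere


def snapshot_process(pid):
    """Collect the volatile facts about one process that /proc exposes.

    Returns None when /proc/<pid> does not exist (no procfs, or no such pid).
    """
    base = os.path.join(PROC, str(pid))
    if not os.path.isdir(base):
        return None
    info = {"pid": pid}
    for link in ("exe", "cwd"):
        try:
            info[link] = os.readlink(os.path.join(base, link))
        except OSError as exc:
            info[link] = f"unreadable: {exc.strerror}"
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            raw = fh.read()
        info["cmdline"] = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    except OSError:
        info["cmdline"] = []
    # The kernel appends " (deleted)" to the exe link when the binary was
    # unlinked after it started: the process image is then the only
    # remaining copy of the program, which is what pcat preserves.
    info["exe_deleted"] = info["exe"].endswith(" (deleted)")
    open_files = []
    fd_dir = os.path.join(base, "fd")
    try:
        for fd in os.listdir(fd_dir):
            try:
                open_files.append((int(fd), os.readlink(os.path.join(fd_dir, fd))))
            except OSError:
                continue  # descriptor closed between listdir and readlink
    except OSError:
        pass  # fd directory is only readable for the owner or root
    info["open_files"] = sorted(open_files)
    # /proc/<pid>/maps lists the mapped regions; pcat copies exactly these.
    try:
        with open(os.path.join(base, "maps")) as fh:
            info["mapped_regions"] = sum(1 for _ in fh)
    except OSError:
        info["mapped_regions"] = 0
    return info


def snapshot_all():
    """Snapshot every numeric entry in /proc; returns [] without procfs."""
    if not os.path.isdir(PROC):
        return []
    snaps = []
    for entry in os.listdir(PROC):
        if entry.isdigit():
            snap = snapshot_process(int(entry))
            if snap is not None:  # process may have exited meanwhile
                snaps.append(snap)
    return snaps


def deleted_executables(snaps):
    """Filter snapshots down to processes whose binary is gone from disk."""
    return [s for s in snaps if s["exe_deleted"]]


def snapshot_self():
    """Convenience: snapshot the calling process."""
    return snapshot_process(os.getpid())


if __name__ == "__main__":
    print(snapshot_self())
    for s in deleted_executables(snapshot_all()):
        print("running from a deleted binary:", s["pid"], s["exe"], s["cmdline"][:3])
```

Take the snapshot early, before the system is unplugged or powered down (see the checklist on page 14): everything it records lives only in memory and is lost at reboot.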

Page 12: grave-robber

• grave-robber captures system forensic data
  o Runs many of the TCT tools under the covers

• Three types of options
  o general options - where output goes, verbosity, etc.
  o micro options - finer control over what data is collected
  o macro options - puts micro data collection into logical groups

Page 13: Law Enforcement Challenges

• Many findings will not be evaluated to be worthy of presentation as evidence

• Many findings will need to withstand rigorous examination by another expert witness

• The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.

Page 14: Broader Picture: What to Do

• do not start looking through files
• start a journal with the date and time, keep detailed notes
• unplug the system from the network if possible
• do not back the system up with dump or other backup utilities
• if possible without rebooting, make byte-by-byte copies of the physical disk
• capture network info
• capture process listings and open files
• capture configuration information to disk and notes
• collate mail, DNS and other network service logs to support host data
• capture exhaustive external TCP and UDP port scans of the host
• contact security department or CERT/management/police or FBI
• if possible, freeze the system such that the current memory, swap files, and even CPU registers are saved and documented
• short-term storage
• packaging/labeling
• shipping
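The acquisition steps of this checklist in code, as an added example written for this transcript (not from the slides): a byte-for-byte copy, a hash of source and image so the copy can be authenticated in court, and a timestamped journal entry for every step. In practice the source would be a block device reached through a hardware write blocker and the copy made with a dedicated imaging tool; here a constructed file of random bytes stands in for the disk so the example runs anywhere, and the file and journal names are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example, not from the slides: image, hash, verify, journal.

CHUNK = 1 << 20  # copy and hash in 1 MiB pieces so large disks stream


def note(journal, text):
    """Append one UTC-timestamped line to the investigator's journal."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(journal, "a") as fh:
        fh.write(f"{stamp} {text}\n")


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source, dest, journal):
    """Copy source to dest byte for byte, hashing the source as it is read.

    The image is then re-read and hashed independently; a mismatch means the
    copy is not a faithful duplicate and must not be analysed. Returns the
    source digest that later verification compares against.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    src_digest = src_hash.hexdigest()
    img_digest = hash_file(dest)
    note(journal, f"imaged {source} -> {dest} sha256 source={src_digest} "
                  f"image={img_digest} match={src_digest == img_digest}")
    if src_digest != img_digest:
        raise RuntimeError("image hash differs from source hash")
    return src_digest


def verify_image(image, expected_digest, journal):
    """Re-hash an image (for example after shipping) and journal the outcome."""
    ok = hash_file(image) == expected_digest
    note(journal, f"verified {image}: {'OK' if ok else 'MISMATCH'}")
    return ok


def demo():
    """Constructed run: fake disk -> image -> verify -> corrupt -> verify."""
    work = tempfile.mkdtemp(prefix="acq_")
    fake_disk = os.path.join(work, "fake_disk.raw")  # stand-in for a /dev/sdX
    with open(fake_disk, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 123))
    image = os.path.join(work, "evidence.dd")
    journal = os.path.join(work, "journal.txt")
    digest = image_device(fake_disk, image, journal)
    intact = verify_image(image, digest, journal)
    with open(image, "r+b") as fh:  # flip one byte to simulate damage in transit
        fh.seek(10)
        original = fh.read(1)
        fh.seek(10)
        fh.write(bytes([original[0] ^ 0xFF]))
    tampered = verify_image(image, digest, journal)
    with open(journal) as fh:
        entries = fh.read().splitlines()
    return digest, intact, tampered, entries


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The hash recorded at imaging time is what lets the analyst, and an opposing expert, show that the image examined later is the one taken at the scene; the journal lines tie each step to a time, which is the "detailed notes" item of the checklist.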

Page 15: Risk management

Page 16: Likelihood Vs. Consequence

Page 17: COUNTERMEASURE

– A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.

Page 18: Examples of Countermeasures

– Procedures:
  • security policies and procedures
  • training
  • personnel transfer

– Hardware:
  • doors, window bars, fences
  • paper shredder
  • alarms, badges

– Manpower:
  • guard force

Page 19: CONSEQUENCE

– A consequence is that which logically or naturally follows an action or condition.

Page 20: Determination of the Consequence of the Attack

– "The worse the consequence of a threat harming the system, the greater the risk"

(Diagram with the labels Attack, Consequence, Success)

Page 21: Risk Calculation Process

– determine:
  • the threat
  • the vulnerability
  • the likelihood of attack
  • the consequence of an attack

– apply this formula by:
  • postulating attacks
  • estimating the likelihood of a successful attack
  • evaluating the consequences of those successful attacks

Page 22: NSA ISSO Risk Assessment Methodology

– Developed in the NSA Information Systems Security Organization (ISSO)
– Used for INFOSEC Products and Systems
– Can Use During Entire Life Cycle
– Not Widely Used Outside of the ISSO

Page 23: The NSA ISSO Risk Assessment Process

– Understanding the system
– Developing attack scenarios
– Understanding the severity of the consequences
– Creating a risk plane
– Generating a report

Page 24: The Risk Plane

Source: Courtesy of Professors Chris Clifton & Matt Bishop

Page 25: Risk Index

• Risk Index, as defined by the "Yellow Book", is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system
  – Minimum User Clearance = Rmin
  – Maximum Data Sensitivity = Rmax
  – Risk Index = Rmax – Rmin

• Risk index is between 0 and 7

Page 26: Rating Scale for Minimum User Clearance (Rmin)

Minimum User Clearance | Rating (Rmin)
Uncleared (U) | 0
Not Cleared but Authorized Access to Sensitive Unclassified Information (N) | 1
Confidential (C) | 2
Secret (S) | 3
Top Secret (TS)/Current Background Investigation (BI) | 4
Top Secret (TS)/Current Special Background Investigation (SBI) | 5
One Category (1C) | 6
Multiple Categories (MC) | 7

Page 27: Rating Scale for Maximum Data Sensitivity (Rmax)

Maximum Data Sensitivity Without Categories | Rating (Rmax)
Unclassified (U) | 0
Not Classified But Sensitive | 1
Confidential (C) | 2
Secret (S) | 3
Top Secret (TS) | 5

Maximum Data Sensitivity With Categories | Rating (Rmax)
Unclassified (U) | N/A
Unclassified but Sensitive With One or More Categories | 2
Confidential With One or More Categories | 3
Secret With No More Than One Category Containing Secret Data | 4
Secret With Two or More Categories Containing Secret Data | 5
Top Secret With One or More Categories, With No More Than One Category Containing Secret or Top Secret Data | 6
Top Secret With Two or More Categories Containing Secret or Top Secret Data | 7

Page 28: Computer Security Requirements

Risk Index | Mode | Minimum Criteria for Open Environments | Minimum Criteria for Closed Environments
0 | Dedicated | None | None
0 | System High | C2 | C2
1 | Compartmented/Multilevel | B1 | B1
2 | Compartmented/Multilevel | B2 | B2
3 | Multilevel | B3 | B2
4 | Multilevel | A1 | B3
5 | Multilevel | * | A1
6 | Multilevel | * | *
7 | Multilevel | * | *

* = Security Requirements Beyond State of the Art
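The procedure of pages 25 to 28 carried through as one function, as an added example written for this transcript (not from the slides or the Yellow Book itself): rate the minimum clearance, rate the maximum data sensitivity including the "with categories" rows, subtract, and read the minimum evaluation class off the requirements table. The rating tables are transcribed from the slides; the clamp of Rmax – Rmin to 0..7 follows the slides' statement that the index lies in that range, and the `dedicated` flag, which picks between the two index-0 rows, is an assumption of this example. The Yellow Book has further rules the slides do not show, and those are not modelled here.

```python
# Added example, not from the slides: Yellow Book risk index and minimum
# criteria, composed from the tables on pages 26 to 28.

RMIN = {  # minimum user clearance -> rating (page 26)
    "U": 0,       # Uncleared
    "N": 1,       # Not cleared, authorized for sensitive unclassified
    "C": 2,       # Confidential
    "S": 3,       # Secret
    "TS/BI": 4,   # Top Secret, current background investigation
    "TS/SBI": 5,  # Top Secret, current special background investigation
    "1C": 6,      # One category
    "MC": 7,      # Multiple categories
}

RMAX_WITHOUT_CATEGORIES = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}  # page 27, left


def rate_max_sensitivity(level, categories=0, categories_with_classified=0):
    """Rating for the most sensitive data on the system (page 27).

    level: "U", "N", "C", "S" or "TS". categories: number of categories the
    data carries. categories_with_classified: how many of those categories
    contain Secret or Top Secret data, the distinction the S and TS rows make.
    """
    if level not in RMAX_WITHOUT_CATEGORIES:
        raise ValueError(f"unknown level {level!r}")
    if categories == 0:
        return RMAX_WITHOUT_CATEGORIES[level]
    if level == "U":
        raise ValueError("unclassified data with categories is N/A on the slide")
    if level == "N":
        return 2
    if level == "C":
        return 3
    if level == "S":
        return 4 if categories_with_classified <= 1 else 5
    return 6 if categories_with_classified <= 1 else 7  # TS


def risk_index(rmin, rmax):
    """Risk Index = Rmax - Rmin, held to the 0..7 range stated on page 25."""
    return max(0, min(7, rmax - rmin))


# (risk index, mode) -> (open environment, closed environment); "*" marks
# requirements beyond the state of the art, as on page 28.
REQUIREMENTS = {
    (0, "dedicated"): ("None", "None"),
    (0, "system high"): ("C2", "C2"),
    (1, "compartmented/multilevel"): ("B1", "B1"),
    (2, "compartmented/multilevel"): ("B2", "B2"),
    (3, "multilevel"): ("B3", "B2"),
    (4, "multilevel"): ("A1", "B3"),
    (5, "multilevel"): ("*", "A1"),
    (6, "multilevel"): ("*", "*"),
    (7, "multilevel"): ("*", "*"),
}


def minimum_criteria(index, environment, dedicated=False):
    """Return (mode, minimum class) for a risk index and environment.

    At index 0 the table has two rows; `dedicated` (an assumption of this
    example) selects the dedicated row, otherwise system high applies.
    """
    if environment not in ("open", "closed"):
        raise ValueError("environment must be 'open' or 'closed'")
    if index == 0:
        mode = "dedicated" if dedicated else "system high"
    elif index in (1, 2):
        mode = "compartmented/multilevel"
    else:
        mode = "multilevel"
    open_env, closed_env = REQUIREMENTS[(index, mode)]
    return mode, open_env if environment == "open" else closed_env


def assess(min_clearance, level, environment, categories=0,
           categories_with_classified=0, dedicated=False):
    """Whole procedure: rate, subtract, look up. Returns (index, mode, class)."""
    rmin = RMIN[min_clearance]
    rmax = rate_max_sensitivity(level, categories, categories_with_classified)
    index = risk_index(rmin, rmax)
    mode, criteria = minimum_criteria(index, environment, dedicated)
    return index, mode, criteria


if __name__ == "__main__":
    # Confidential-cleared users on a system holding Secret data, open site.
    print(assess("C", "S", "open"))
    # Uncleared users, Top Secret data in two categories: beyond the state of the art.
    print(assess("U", "TS", "open", categories=2, categories_with_classified=2))
```

The first call yields index 1 and B1; the second yields index 7 and "*", which is the table's way of saying that no evaluated product closes that gap and the population of users or the data on the system has to change instead.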

Page 29: Examples of documented risk assessment systems

– Aggregated Countermeasures Effectiveness (ACE) Model
– Risk Assessment Tool
– Information Security Risk Assessment Model (ISRAM)
– Dollar-based OPSEC Risk Analysis (DORA)
– Analysis of Networked Systems Security Risks (ANSSR)
– Profiles
– National Security Agency (NSA) Information Systems Security Organization (ISSO) INFOSEC Risk Assessment Tool

Page 30: Conclusion

• Why should I bother doing security risk management?
  – Risk management and assessment prepares you for deciding what to do about a risk
  – Allows you to identify assets, vulnerabilities, and controls
  – Helps you understand what you do & do not know
  – Improves the basis for decisions
  – Assists in justifying expenditures for security