8/4/2019 Digital Forensics in Fraud Investigations
1/55
Agenda
Computer crime statistics
Case studies
Internal attacks
Introduction to computer forensics
Methodology
Tools
Proactive measures
Conclusion
www.niiconsulting.com - Confidential
CSI/FBI Survey Crime Statistics
Selected Costs
Sasser: clean-up $1 billion+ and growing
SirCam: 2.3 million computers affected; clean-up $460 million; lost productivity $757 million
Code Red: 1 million computers affected; clean-up $1.1 billion; lost productivity $1.5 billion
Love Bug: 50 variants, 40 million computers affected; $8.7 billion for clean-up and lost productivity
Attack Trends Overview
Automation: increasing speed of attacks
Increasingly sophisticated attack tools
Faster discovery of vulnerabilities
Increasing permeability of firewalls
Increasingly asymmetric threats
Customized software
Due to lack of a standard forensics methodology in India, evidence collection is faulty
Time gap between a vendor patch and the virus/worm is now only 17 days!
Case Studies
People, Processes, Procedures, Networks
Investigating email header
SamSpade demo
All emails carry the sender's IP address
This is used to find out his ISP (Internet Service Provider)
The ISPs maintain logs about everyone, and are able to pin-point the source PC
But it could be in a cyber-café, or an unsuspecting user whose PC the hacker compromised, or some PC in Russia!
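As an added example (not part of the original slides), the following walks the Received: chain of a message to find the address an investigator would take to the ISP; the sample message, host names and addresses are all constructed.

```python
import email
import ipaddress
import re

# Constructed sample message. Each MTA prepends its own Received: line, so
# the top line is the last hop (our server) and the bottom line is the origin.
SAMPLE_EMAIL = b"""\
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.9])
\tby mail.victim.example (Postfix) with ESMTP; Mon, 4 Aug 2003 10:05:01 +0530
Received: from office-mail.example-corp ([198.51.100.23])
\tby relay.example-isp.net with ESMTP; Mon, 4 Aug 2003 10:04:55 +0530
Received: from HOMEPC ([192.168.1.50])
\tby office-mail.example-corp with SMTP; Mon, 4 Aug 2003 10:04:50 +0530
From: anonymous@example-isp.net
To: ceo@victim.example
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Non-routable ranges: an ISP cannot tie these to a subscriber.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw: bytes) -> list:
    """Hops oldest-first as dicts: {'from': host, 'by': host, 'ip': addr}."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"^from\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = IP_RE.search(text)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ip": m_ip.group(1) if m_ip else None})
    hops.reverse()  # bottom-most header was written first: the origin
    return hops


def originating_ip(raw: bytes):
    """First routable address walking up from the origin, i.e. what the ISP
    can resolve to a subscriber. Hops below our own server are text written
    by other parties and can be forged, so this is a lead, not proof."""
    for hop in received_hops(raw):
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop["ip"]
    return None


if __name__ == "__main__":
    print(received_hops(SAMPLE_EMAIL), originating_ip(SAMPLE_EMAIL))
```

The bottom hop here carries a LAN address, which is why the walk continues up to the first routable one.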
Case study 1
Presented information to the Cyber Crime Cell
They sent formal letters to the concerned ISP and the Mail Service Provider (Indiatimes, Yahoo, Hotmail, Rediffmail, etc.)
ISP replied back within 72 hours
Mail Service Provider gave access to the sender's account
ISP information showed the source IP address was of the Internet connection given to a competing telecom company
Case study 1
We collected a list of all separations from the client for the period covering the emails
Took the list to the competitor along with the Cyber Crime Cell's Sub-Inspector
They told us one name matched that list
That person was the actual sender
Called in for gentle persuasion: a confession
Client chose not to pursue a legal case, but let her off with a stern warning
Case study 2
Cyber Crime Cell site itself was hacked
Site was hosted by a third-party web hosting company
The logs of the server showed a
File Transfer Protocol (FTP) service
Then a successful login attempt
Then a file transfer of the main index.htm file
Case study 2
The IP address was similarly traced to the Internet Service Provider
From the ISP to a cyber café
Seemed like a dead-end
The cyber café owner and engineer were
There was no record of who had come to the cyber café on that day
Hacker calls up the Sub-Inspector and taunts him
Reveals his name as Dr. Neukar
Case study 2
Internet search reveals the home page of Dr. Neukar with his picture on it!!
Police take that, and he is immediately recognized as someone in the vicinity
immediately
Case pending in court
Case Study 3 - Phishing
The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
The Web site, however, is bogus and set up only to steal the user's information.
Case Study 3 - Phishing
It is easy to make the bogus site look like the original site by copying and replicating the HTML code of the page
These scams have affected:
E-bay
Yahoo!
Citibank Phishing attack
Users sent email, informing them that their credit card will expire due to various reasons, and they need to re-authenticate by clicking on:
http://www.citibank.com:ac= iU 3027 cHw003nfuJ2@sd96V.pIsEm.NeT
The user would actually see something like this:
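An added example, not from the original slides, showing why the link above is deceptive: everything before the '@' in a URL is treated as a username, so the browser actually connects to sd96V.pIsEm.NeT. The userinfo string and the two comparison URLs are constructed.

```python
from urllib.parse import urlsplit

# Host taken from the slide; the userinfo part is constructed for the demo.
PHISH_URL = "http://www.citibank.com:ac=session123@sd96V.pIsEm.NeT/"


def analyze_url(url: str, brand_hosts=("citibank.com",)) -> dict:
    """Report where a link really goes versus what its text suggests."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()   # authority after the last '@'
    userinfo = parts.netloc.rpartition("@")[0]   # user:password part, or ''

    def is_brand(host: str) -> bool:
        return any(host == b or host.endswith("." + b) for b in brand_hosts)

    brand_mentioned = any(b in (userinfo + real_host).lower() for b in brand_hosts)
    return {
        "real_host": real_host,
        "userinfo": userinfo,
        "has_userinfo": bool(userinfo),
        "goes_to_brand": is_brand(real_host),
        # Brand name present, but the real host is not the brand: deceptive.
        "suspicious": brand_mentioned and not is_brand(real_host),
    }


if __name__ == "__main__":
    for u in (PHISH_URL, "https://www.citibank.com/login",
              "http://www.citibank.com.example.net/"):
        print(u, "->", analyze_url(u))
```

The same check also catches the brand name placed in a sub-domain of an unrelated host, the third URL in the demo.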
Citibank Phishing
The site in the background is actually www.citibank.com
The window in the front belongs to a Russian hacker group.
When some user actually enters those details, a message is shown saying "Information entered correctly, credit card will NOT be expired"
But it will surely be heavily misused!
Cyber Crime Investigation
People, Processes, Procedures, Networks
Attack Trends Overview
Automation: increasing speed of attacks
Increasingly sophisticated attack tools
Faster discovery of vulnerabilities
Increasing permeability of firewalls
Increasingly asymmetric threats
Increasing threat from infrastructure attacks (CERT/CC)
What is computer forensics?
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Arose as a result of the growing problem of
Forensics experts follow clear, well-defined methodologies and procedures
Computer forensics - when?
A year or more after an individual left the company
After the hard drive has been formatted
To recover critical emails off of a hard
Data Hiding
There are several techniques by which intruders may hide data:
Obfuscating data through encryption and compression.
Hiding through codes, steganography, name embedding, obscurity and no names on files.
Blinding investigators through changing the behavior of system commands and modifying operating systems.
Use commonly known tools to overcome
Steganography
The practice of hiding a message within a larger one in such a way that others cannot discern the presence or contents of the hidden message.
Can be used for legitimate purposes like copyright protection
However, used mostly for illegitimate reasons: to steal data by concealing it in another file and sending it out as an email attachment
Steganography
Tools are freely available for steganography:
F5 hides messages in JPEG files
SecureEngine hides text files in larger text files
MP3Stego hides files in MP3 files
There is no specific answer. A preventive step: a corporate security policy restricting installation of unauthorized programs
Alternate Data Streams - ADS
Based on the concept of file-fork
Contains link to resources
Can be used to hide data, as ADS files are hidden
Example
text files, movies, sound files, executables, etc.
Detection using tools like ScanADS, etc.
What can Disk Forensics do?
Recovers:
Deleted files
Passwords
Cryptographic keys
Analyzes file access, modification and creation times.
Views/analyzes:
System logs
Application logs
May determine users' or applications' system activity.
Analyzes e-mails for source information and content.
Basic Methodology
Without altering or damaging the original source, acquire evidence
Authenticate that recovered evidence is the same as the original.
Establish an audit trail of all processes applied to computer-based evidence.
Must be third-party repeatable
Analyze the data without modifying it.
Methodology
Failure to utilize appropriate methodologies may prevent successful prosecution
May cost your organization $4.3 Million!
Failure to maintain evidence integrity may invalidate the evidence.
Without your evidence, you may not be able to prove it in court.
For further information, consult the ACPO Good Practices Guide.
Computer Forensics Development
Disk Forensics: well developed
System Forensics: O/S dependent
Network Forensics: includes ID systems
Internet Forensics: includes ISP logs etc.
Disk Forensics
Requires (bit-stream) image copies
Include slack, unallocated space, and deleted file fragments.
Investigating officers must be able to demonstrate compliance with evidence rules
Integrity can be demonstrated with a message digest.
Network Forensics
Evidence collected from normal operation: logs, Intrusion Detection Systems
Evidence collected in specific surveillance: extended logs, sniffers
addresses
DataLink headers contain source and destination MAC addresses
Sniffer output - Ethereal
Computer Addresses
Logical or IP addresses: public IP addresses are assigned by ARIN
Physical or MAC addresses: MAC addresses are burned in and have been used to identify a particular computer
Melissa and the Love Bug viruses were identified this way
Investigating email header
Digital Evidence life cycle
Evidence Life Cycle:
Discovery and recognition
Protection
Recording
Collection
Identification
Preservation
Transportation
Presentation in court
Return to owner
Digital evidence
Digital evidence must be authentic, and it must be possible to prove that it has not been modified
Rules of Evidence
Distinguish between hearsay and direct evidence
Require proof of authenticity and integrity
Chain of custody requires that:
No information has been added or changed
A complete copy was made
A reliable copying process was used
All media was secured.
A message digest can demonstrate integrity
A digital signature can demonstrate authentication and non-repudiation
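Added example (not from the slides) for the integrity requirement stated here and on the Disk Forensics slide: hash a bit-stream image at acquisition, keep the digests in a custody record, and let a third party repeat the check on a copy. The image bytes, case id and examiner name are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def digest_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash an image in fixed-size chunks so multi-GB files never load whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image_path: str, examiner: str, case_id: str,
                       algos=("md5", "sha256")) -> dict:
    """Custody record made at acquisition time; store it apart from the image.
    MD5 is what the slides mention; SHA-256 is recorded alongside because
    MD5 collisions are practical today."""
    return {"case_id": case_id, "examiner": examiner,
            "image": os.path.basename(image_path),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "digests": {a: digest_file(image_path, a) for a in algos}}


def verify_copy(copy_path: str, record: dict) -> dict:
    """Third-party repeatable check: rehash the copy, compare every digest."""
    return {a: digest_file(copy_path, a) == d
            for a, d in record["digests"].items()}


def demo() -> tuple:
    """Acquire, copy, verify, then alter one byte of the copy and verify again."""
    with tempfile.TemporaryDirectory() as d:
        orig, copy = os.path.join(d, "disk.img"), os.path.join(d, "disk-copy.img")
        data = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for an image
        with open(orig, "wb") as f:
            f.write(data)
        rec = record_acquisition(orig, "examiner-1", "CASE-0001")
        shutil.copyfile(orig, copy)
        clean = verify_copy(copy, rec)
        with open(copy, "r+b") as f:  # change a single byte deep in the copy
            f.seek(len(data) // 2)
            f.write(b"\xff")
        tampered = verify_copy(copy, rec)
        return rec, clean, tampered


if __name__ == "__main__":
    rec, clean, tampered = demo()
    print(rec["digests"], clean, tampered)
```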
Common Problems
No established incident response team
Evidence compromised while it was gathered
No established incident response policies
Evidence may be compromised prior to gathering
Inappropriate methodology
Peer review
Broken chain of custody
Appropriate evidence was gathered but cannot be presented in court
Commercial Forensics Tools
Tools and vendors include:
EnCase: Guidance Software, Pasadena, CA
SafeBack: New Technologies Inc. (NTI), Gresham, Oregon
Other Forensic Tools
Linux dd: used by the FBI, among other tools, in the Zacarias Moussaoui case
Coroner's Tool Kit (CTK) by Dan Farmer and Wietse Venema: used for investigating Unix systems
WinHex (State-of-the-Art Software): inexpensive hex, disk, and RAM editor. Data analysis features include identification of certain file types (such as images) in unknown data, like that of recovered files. Includes drive imaging and deleted data recovery capabilities.
MD5Sum: 128-bit message digest generator
Internet Data Incident Response Guidelines
Restore service safely
Estimate extent and cost of incident
Identify source of attack and their motivation
Deter future crime
Recover loss
Conduct due diligence
Assume corporate responsibility
Increase understanding of the security landscape.
Roles and Responsibilities
To facilitate teamwork, the organization's roles must be assigned as follows:
Corporate security and incident team
Security investigator
Emergency response core team
Application owner
Application developer
System owner/administrator
Network administrator
Firewall administrator
Security consultants
What needs to be a forensics expert?
Operating systems (Windows, Linux, Unix, Sun, etc.)
Database servers (Oracle, MS SQL Server, Sybase, etc.)
Web servers (Apache, IIS, etc.)
Firewalls, IDS, routers, etc.
Forensics tools
Jack of all trades
What needs to be a forensics expert?
Patience to sit in front of the computer and analyze data, which could take a considerable amount of time
Nothing like click..next..next.. & finish forensics.
Conclusion
With the new attack vectors being introduced every day.
Internal Attackers
People, Processes, Procedures, Networks
The Rogue Internal User
Internal users are most dangerous
They have much higher knowledge levels about the system than an outsider
They sometimes have much more motivation to cause damage than an outsider does
Types of rogue users
The Malicious user: about to quit his job, or be fired, isn't too happy with the company, and wants to leave his mark
The Curious user: has some free time, wants to explore around and
The Ignorant user: has less idea about how the systems work, might accidentally delete a critical file, or enter wrong data
Tracking the rogue internal user
Places to look at:
Browser history, such as that of Internet Explorer (demo)
Cookies folder shows which sites he has visited (demo)
Documents and Settings folder (demo)
Recent file lists of Office applications, such as Microsoft Word, Excel, etc. (demo)
Nethood folder shows recent network shares accessed by the user (demo)
Tools to track the rogue user
Keylogger
Tracks all the keystrokes typed by the user
Emails them to a pre-determined email address
Captures everything, including passwords
Can be detected by anti-virus software
Network servers
See the Internet web sites visited from that user's IP address
See the files downloaded or accessed from central servers by that user
Watch out for multiple failed login attempts from that user's PC
Surveillance Software
Most effective tools to monitor a suspicious user
This software runs transparently in the background, and captures:
User's keystrokes
Screen snapshots
Emails sent
Attachments sent via email
Instant messenger conversations
Sends this information to a remote server
Fooling the internal user
Social Engineering: one of the most prevalent attack techniques
The attacker will use flattery, persuasion, show of authority, or build a rapport to extract critical information from the user
Could also be used to fool users into revealing or changing their passwords: attacker impersonates system administrator
Could be done via a faked email asking all users to set their passwords to "password". At least 5% of users will fall victim to such pranks (see phishing)