Digital Forensics in Fraud Investigations

Apr 07, 2018

Chirag Rajawat

Transcript
8/4/2019 Digital Forensics in Fraud Investigations

1/55

2/55

Agenda

Computer crime statistics
Case studies
Internal attacks
Introduction to computer forensics
Methodology
Tools
Proactive measures
Conclusion

www.niiconsulting.com  Confidential

3/55

CSI/FBI Survey Crime Statistics

(chart not reproduced in the transcript)

4/55

Selected Costs

Sasser: clean-up $1 billion+ and growing
SirCam: 2.3 million computers affected; clean-up $460 million; lost productivity $757 million
Code Red: 1 million computers affected; clean-up $1.1 billion; lost productivity $1.5 billion
Love Bug: 50 variants, 40 million computers affected; $8.7 billion for clean-up and lost productivity

5/55

Attack Trends Overview

Automation: increasing speed of attacks
Increasingly sophisticated attack tools
Faster discovery of vulnerabilities
Increasing permeability of firewalls
Increasingly asymmetric threats
… customized software
Due to the lack of a standard forensics methodology in India, evidence collection is faulty
The time gap between a vendor patch and the virus/worm exploiting the patched flaw is now only 17 days!

6/55

Case Studies

(section divider; diagram labels: People, Processes, Procedures, Networks)

7/55

8/55

Investigating email headers

SamSpade demo

All emails carry the sender's IP address
This is used to find out his ISP (Internet Service Provider)
The ISPs maintain logs about everyone, and are able to pin-point the source PC
But it could be in a cyber café, or an unsuspecting user whose PC the hacker compromised, or some PC in Russia!
Only the Received: header written by your own (or another trusted) mail server can be taken at face value; the headers below it came from the sender's side and can be forged
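As an added example (not from the deck), the following Python walks the Received: chain of a constructed message the way the SamSpade demo would: it reports the address that connected to our own server (the one hop we can vouch for) and the oldest routable address in the chain (the lead to take to the ISP). The message, host names and addresses are all made up; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
"""Trace the origin of an e-mail from its Received: headers (added example)."""
import email
import ipaddress
import re
from typing import List, Optional

# Constructed sample, not a real message. Every mail server that relays a
# message prepends its own "Received:" line, so the first line is the newest
# hop (the server that delivered to us) and the last line is the oldest.
SAMPLE_MESSAGE = """\
Received: from mx.example-mail.test (mx.example-mail.test [203.0.113.10])
    by mail.victim.test with ESMTP id abc123; Mon, 07 Apr 2008 10:15:02 +0530
Received: from smtp.isp.test (smtp.isp.test [198.51.100.25])
    by mx.example-mail.test with SMTP; Mon, 07 Apr 2008 10:14:55 +0530
Received: from mail.corp-internal.test (static-203-0-113-77.isp.test [203.0.113.77])
    by smtp.isp.test with ESMTP id xyz789; Mon, 07 Apr 2008 10:14:40 +0530
Received: from pc42 ([192.168.1.5])
    by mail.corp-internal.test with SMTP; Mon, 07 Apr 2008 10:14:31 +0530
From: "Anonymous" <someone@example-mail.test>
To: hr@victim.test
Subject: you should know about this

(body omitted)
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918, loopback and link-local: addresses an ISP cannot map to a
# subscriber. (ipaddress.is_private would also reject the documentation
# ranges used in the sample, so the list is kept explicit.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def received_hops(raw_message: str) -> List[str]:
    """All Received: headers, newest first, with folding whitespace collapsed."""
    msg = email.message_from_string(raw_message)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def connecting_ip(raw_message: str, our_host: str) -> Optional[str]:
    """IP that connected to our own mail server: the one hop we wrote ourselves,
    and therefore the only hop whose contents we can vouch for."""
    for hop in received_hops(raw_message):
        from_part, _, by_part = hop.partition(" by ")
        if by_part.split()[:1] == [our_host]:
            ips = BRACKETED_IP.findall(from_part)
            return ips[0] if ips else None
    return None


def originating_ip(raw_message: str) -> Optional[str]:
    """Oldest routable source IP in the chain: the address to take to the ISP.
    Hops below the one our server added were written by other parties and
    may be forged, so treat this as a lead, not as proof."""
    for hop in reversed(received_hops(raw_message)):
        from_part = hop.partition(" by ")[0]
        for ip in BRACKETED_IP.findall(from_part):
            if not is_non_routable(ip):
                return ip
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop}")
    print("connected to us from:", connecting_ip(SAMPLE_MESSAGE, "mail.victim.test"))
    print("probable origin:", originating_ip(SAMPLE_MESSAGE))
```

Run it directly to print the hops. Because each relay prepends its own line, anything below the line written by your server was supplied by the sender's side, which is why connecting_ip() and originating_ip() are kept separate: the first is evidence, the second is a lead.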

9/55

Case study 1

Presented the information to the Cyber Crime Cell
They sent formal letters to the concerned ISP and the mail service provider (Indiatimes, Yahoo, Hotmail, Rediffmail, etc.)
The ISP replied within 72 hours
The mail service provider gave access to the sender's account
ISP information showed that the source IP address belonged to the Internet connection given to a competing telecom company

10/55

Case study 1

We collected a list of all separations from the client for the period covering the emails
Took the list to the competitor along with the Cyber Crime Cell's Sub-Inspector
They told us one name matched that list; that person was the actual sender
Called in for gentle persuasion: a confession
The client chose not to pursue a legal case, but let her off with a stern warning

11/55

Case study 2

The Cyber Crime Cell's own site was hacked
The site was hosted by a third-party web hosting company
The logs of the server showed activity on the File Transfer Protocol (FTP) service, then a successful login attempt, then a file transfer of the main index.htm file

12/55

Case study 2

The IP address was similarly traced to the Internet Service Provider
From the ISP to a cyber café
Seemed like a dead-end: the cyber café owner and engineer were …
There was no record of who had come to the cyber café on that day
The hacker calls up the Sub-Inspector and taunts him
Reveals his name as Dr. Neukar

13/55

Case study 2

An Internet search reveals the home page of Dr. Neukar, with his picture on it!!
Police take that, and he is immediately recognized as someone in the vicinity
Case pending in court

14/55

Case Study 3: Phishing

The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.
The e-mail directs the user to visit a web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
The web site, however, is bogus and set up only to steal the user's information.

15/55

Case Study 3: Phishing

It is easy to make the bogus site look like the original site by copying and replicating the HTML code of the page
These scams have affected:
eBay
Yahoo!

16/55

Citibank Phishing attack

Users were sent an email informing them that their credit card would expire for various reasons, and that they needed to re-authenticate by clicking on:

http://www.citibank.com:ac=piUq3027qcHw003nfuJ2@sd96V.pIsEm.NeT

Everything before the @ is the URL's userinfo (username:password), which a browser does not use to choose the server; the host actually contacted is sd96V.pIsEm.NeT

The user would actually see something like this:

17/55

(screenshot of the spoofed login window, not reproduced in the transcript)

18/55

Citibank Phishing

The site in the background is actually www.citibank.com
The window in the front belongs to a Russian hacker group
When some user actually enters those details, a message is shown saying "Information entered correctly, credit card will NOT be expired"
But it will surely be heavily misused!
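The trick in that URL is worth seeing in code. In an HTTP URL the authority is [userinfo@]host[:port], so everything before the last "@" is a username and password that the browser does not use to pick the server: the user reads "www.citibank.com", the browser connects to sd96V.pIsEm.NeT. This is an added example, not part of the deck; the URL is the one transcribed from the slide, and the TRUSTED_DOMAINS list is an assumption.

```python
"""Find the real destination of a URL that hides its host behind '@' (added example)."""
from urllib.parse import urlsplit

# The lure from the slides. Everything before the '@' is "userinfo"
# (user:password) and is NOT the host the browser connects to.
PHISH_URL = "http://www.citibank.com:ac=piUq3027qcHw003nfuJ2@sd96V.pIsEm.NeT"

TRUSTED_DOMAINS = ("citibank.com",)   # assumed list; substitute the brands you protect


def real_host(url: str):
    """Return (userinfo, hostname). RFC 3986: authority = [userinfo "@"] host [":" port],
    so the host is whatever follows the LAST '@' in the authority."""
    parts = urlsplit(url)
    userinfo, _, _ = parts.netloc.rpartition("@")
    return userinfo, (parts.hostname or "")


def host_in_domain(host: str, domain: str) -> bool:
    """Match on a label boundary: 'www.citibank.com' yes, 'citibank.com.evil.test' no."""
    return host == domain or host.endswith("." + domain)


def brand_mismatch(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when a trusted brand is mentioned in the URL (as decoy userinfo or as
    part of a look-alike host) but the real host is not under that brand's domain."""
    userinfo, host = real_host(url)
    mentioned = any(d in (userinfo + " " + host).lower() for d in trusted)
    genuine = any(host_in_domain(host, d) for d in trusted)
    return mentioned and not genuine


if __name__ == "__main__":
    for u in (PHISH_URL, "https://www.citibank.com/login", "http://citibank.com.evil.test/"):
        print(f"{u}\n  real host: {real_host(u)[1]}  {'SPOOF' if brand_mismatch(u) else 'ok'}")
```

Current browsers warn about or strip userinfo, but the same parsing rule still decides where a look-alike link goes, so the check is still useful when triaging a reported phish.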

19/55

Cyber Crime Investigation

(section divider; diagram labels: People, Processes, Procedures, Networks)

20/55

Attack Trends Overview

Automation: increasing speed of attacks
Increasingly sophisticated attack tools
Faster discovery of vulnerabilities
Increasing permeability of firewalls
Increasingly asymmetric threats
Increasing threat from infrastructure attacks (CERT/CC)

21/55

What is computer forensics?

Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Arose as a result of the growing problem of …
Forensics experts follow clear, well-defined methodologies and procedures

22/55

Computer forensics: when?

A year or more after an individual left the company
After the hard drive has been formatted
To recover critical emails off a hard drive

23/55

Data Hiding

There are several techniques by which intruders may hide data:
Obfuscating data through encryption and compression
Hiding through codes, steganography, name embedding, obscurity and files with no names
Blinding investigators by changing the behavior of system commands and modifying the operating system
Using commonly known tools to overcome …

24/55

Steganography

The practice of hiding a message within a larger one in such a way that others cannot discern the presence or contents of the hidden message.
Can be used for legitimate purposes, like copyright protection
However, it is mostly used for illegitimate reasons, e.g. to steal data by concealing it in another file and sending that out as an email attachment

25/55

Steganography

Tools are freely available for steganography:
F5 hides messages in JPEG files
SecureEngine hides text files in larger text files
MP3Stego hides files in MP3 files
There is no specific answer. A preventive step: a corporate security policy restricting the installation of unauthorized programs
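Added example (not from the deck) of the simplest stego technique, least-significant-bit embedding, on a constructed byte cover, with two helper checks: the stego copy is the same size as the original and no byte differs by more than one, which is why "look at the file" finds nothing and comparison against a known-good hash is the practical detector. The cover bytes, the secret and all function names are made up here.

```python
"""LSB steganography on a raw byte cover, and why it is hard to spot (added example)."""
import hashlib
from typing import Optional

# Constructed 8-bit "cover" (think of it as one channel of a raw bitmap).
COVER = bytes((i * 7 + 3) % 256 for i in range(4096))
SECRET = b"payroll_q1.xls -> personal webmail"


def embed(cover: bytes, secret: bytes) -> bytes:
    """Write a 4-byte length and then `secret` into the least significant bit
    of successive cover bytes. Each cover byte changes by at most 1."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(payload) * 8} bytes, have {len(cover)}")
    out = bytearray(cover)
    bits = ((byte >> (7 - i)) & 1 for byte in payload for i in range(8))   # MSB first
    for index, bit in enumerate(bits):
        out[index] = (out[index] & 0xFE) | bit
    return bytes(out)


def _read_lsb(data: bytes, start_bit: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs of data, starting at cover byte start_bit."""
    result = bytearray()
    for k in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (data[start_bit + k * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> Optional[bytes]:
    """Return the hidden bytes, or None when the length prefix is implausible
    (an unmodified cover yields garbage that does not fit in the file)."""
    length = int.from_bytes(_read_lsb(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        return None
    return _read_lsb(stego, 32, length)


def max_byte_diff(a: bytes, b: bytes) -> int:
    return max(abs(x - y) for x, y in zip(a, b))


def changed_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def same_file(a: bytes, b: bytes) -> bool:
    """The practical detector: compare against a known-good original's digest."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("size unchanged:", len(stego) == len(COVER))
    print("largest per-byte change:", max_byte_diff(COVER, stego))
    print("bits flipped:", changed_bits(COVER, stego), "of", len(COVER) * 8)
    print("hash still matches original:", same_file(COVER, stego))
```

Real tools such as F5 work on JPEG DCT coefficients rather than raw pixels, so their embedding is more subtle than this, but the detection problem is the same: without the original (or a statistical model of it) there is nothing to compare against, which is why the slide's answer is policy rather than a scanner.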

26/55

Alternate Data Streams (ADS)

Based on the concept of the file fork (an NTFS feature)
Contains a link to resources
Can be used to hide data, as ADS files are hidden
Example: …
Text files, movies, sound files, executables, etc.
Detection using tools like ScanADS, etc.; on Windows Vista and later, dir /R also lists the streams attached to each file

27/55

What can Disk Forensics do?

Recovers: deleted files, passwords, cryptographic keys
Analyzes file access, modification and creation times
Views/analyzes: system logs, application logs
May determine a user's or an application's system activity
Analyzes e-mails for source information and content

28/55

Basic Methodology

Acquire the evidence without altering or damaging the original source
Authenticate that the recovered evidence is the same as the original
Establish an audit trail of all processes applied to computer-based evidence; it must be third-party repeatable
Analyze the data without modifying it

29/55

Methodology

Failure to utilize appropriate methodologies may prevent successful prosecution
May cost your organization $4.3 million!
Failure to maintain evidence integrity may invalidate the evidence
…; without your evidence, you may not be able to prove it in court
For further information, consult the ACPO Good Practice Guide (for Computer-Based Electronic Evidence)

30/55

Computer Forensics Development

Disk forensics: well developed
System forensics: O/S dependent
Network forensics: includes intrusion detection systems
Internet forensics: includes ISP logs, etc.

31/55

Disk Forensics

Requires (bit-stream) image copies, which include slack space, unallocated space, and deleted file fragments
Investigating officers must be able to demonstrate compliance with evidence rules
Integrity can be demonstrated with a message digest: hash the original (through a write blocker) and the image, and record both values
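Added example, not from the deck: carving image files out of a raw bit-stream image by signature, which is what recovering "deleted file fragments in unallocated space" means in practice. The 16 KiB image, the file blobs and their offsets are constructed; the signatures are the real JPEG and PNG markers.

```python
"""Carve image files out of a raw disk image by their signatures (added example)."""
import hashlib
from typing import List

SECTOR = 512

# Header/footer pairs: JPEG starts FF D8 FF and ends FF D9; PNG starts with an
# 8-byte signature and ends with the IEND chunk followed by its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed "bit-stream image": no file system, just what deleted files leave
# behind in unallocated space. Fillers are plain letters so they cannot collide
# with a signature. The third blob has lost its tail to a later write.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 700 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"B" * 300 + b"IEND\xaeB`\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"C" * 100


def build_image() -> bytes:
    img = bytearray(32 * SECTOR)                       # 16 KiB of zeroed sectors
    img[1024:1024 + len(JPEG)] = JPEG
    img[4096:4096 + len(PNG)] = PNG
    img[8192:8192 + len(TRUNCATED_JPEG)] = TRUNCATED_JPEG
    return bytes(img)


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[dict]:
    """Return carved objects sorted by offset. A header with no footer within
    max_size bytes is reported with size None rather than silently dropped."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append({"type": kind, "offset": pos, "sector": pos // SECTOR,
                              "size": None, "sha256": None})
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            data = image[pos:end]
            found.append({"type": kind, "offset": pos, "sector": pos // SECTOR,
                          "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    for item in carve(build_image()):
        print(f"{item['type']} at offset {item['offset']} (sector {item['sector']}): "
              f"size={item['size']} sha256={item['sha256']}")
```

A header without a footer (the truncated JPEG at sector 16) is reported rather than dropped, and the max_size bound stops the carver from swallowing the next file's footer and producing a bogus object. Run it only against a working copy of the image; the original stays on the write-blocked device.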

32/55

Network Forensics

Evidence collected from normal operation: logs, intrusion detection systems
Evidence collected in specific surveillance: extended logs, sniffers
IP headers contain source and destination IP addresses
Data-link headers contain source and destination MAC addresses

33/55

Sniffer output: Ethereal

(screenshot not reproduced in the transcript)

34/55

Computer Addresses

Logical or IP addresses: public IP addresses are assigned through the regional Internet registries (ARIN for North America, APNIC for the Asia-Pacific region, and so on)
Physical or MAC addresses: MAC addresses are burned into the network card and have been used to identify a particular computer
The Melissa and Love Bug viruses were identified this way
Caveat: a MAC address is only visible on the local network segment (each router rewrites it) and can be changed in software, so it identifies a network card, not a person
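Added example (not from the deck) showing what the data-link and network headers actually carry: a constructed 54-byte Ethernet frame with an IPv4 header and a TCP SYN is decoded to the two MAC addresses, the OUI that identifies the NIC vendor, the IP addresses and the ports, and the IPv4 header checksum is verified so a corrupted capture is noticed. The addresses are made up (203.0.113.10 is a documentation address); the checksum bytes were computed for exactly these header bytes.

```python
"""Decode the data-link and network headers of one captured frame (added example)."""
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Constructed frame (not a real capture): Ethernet II header, IPv4 header whose
# checksum is valid for these bytes, and a TCP SYN to port 21 (FTP).
FRAME = bytes.fromhex(
    "001b213c4d5e"                                      # destination MAC
    "000c29aabbcc"                                      # source MAC (00:0c:29 is a VMware OUI)
    "0800"                                              # EtherType: IPv4
    "4500 0028 1c46 4000 4006 20d2"                     # ver/IHL, TOS, len 40, ID, DF, TTL 64, TCP, checksum
    "c0a80105"                                          # source IP 192.168.1.5
    "cb00710a"                                          # destination IP 203.0.113.10
    "d431 0015 00000001 00000000 5002 2000 0000 0000"   # TCP: sport 54321, dport 21, seq 1, SYN, win 8192
)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Pull the fields an investigator cares about out of the Ethernet/IPv4/TCP headers."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "src_oui": mac_str(src[:3]),          # first three octets identify the card vendor
        "ethertype": ethertype,
    }
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return info
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    info.update({
        "ip_version": ver_ihl >> 4,
        "src_ip": ".".join(map(str, s)),
        "dst_ip": ".".join(map(str, d)),
        "ttl": ttl,
        "protocol": proto,
        "ip_total_length": total_len,
        # Summing the header including its checksum field must give all ones.
        "ip_checksum_ok": ones_complement_sum(frame[14:14 + ihl]) == 0xFFFF,
    })
    if proto == PROTO_TCP and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        info.update({"src_port": sport, "dst_port": dport})
    return info


if __name__ == "__main__":
    for key, value in decode_frame(FRAME).items():
        print(f"{key:16} {value}")
```

The source MAC is only meaningful if the capture was taken on the same segment as the sender; past the first router the frame carries the router's MAC instead, and only the IP addresses survive.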

35/55

Investigating email headers

(screenshot not reproduced in the transcript)

36/55

Digital Evidence Life Cycle

Discovery and recognition
Protection
Recording
Collection
Identification
Preservation
Transportation
Presentation in court
Return to owner

37/55

Digital evidence

Digital evidence must be authentic, and it must be possible to prove that it has not been modified

38/55

Rules of Evidence

Distinguish between hearsay and direct evidence
Require proof of authenticity and integrity
Chain of custody requires that: no information has been added or changed; a complete copy was made; a reliable copying process was used; all media was secured
A message digest can demonstrate integrity
A digital signature can demonstrate authentication and non-repudiation
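Added example (not from the deck) that turns "a message digest can demonstrate integrity" into a working audit trail: the image is hashed in chunks at acquisition, the hashes go into a chain-of-custody entry with examiner, action and UTC time, and a later verify() proves that the bytes analysed are the bytes acquired (a single flipped bit fails). The image bytes are constructed and the entry layout is an assumption. Digital signatures (authentication and non-repudiation) need an asymmetric key pair, which the standard library does not provide, so they are not shown.

```python
"""Message digests and a chain-of-custody log for an evidence image (added example)."""
import hashlib
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Union

Evidence = Union[bytes, bytearray, io.IOBase]
ALGORITHMS = ("md5", "sha256")   # MD5 to compare with older tool output, SHA-256 as the real check


def _as_stream(data: Evidence):
    return io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data


def digests(data: Evidence, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    stream = _as_stream(data)
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_entry(evidence_id: str, data: Evidence, examiner: str, action: str) -> dict:
    """One audit-trail record: who did what to which item, when, and the hashes at that moment."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "digests": digests(data),
    }


def verify(entry: dict, data: Evidence) -> bool:
    """True only if every digest recorded in `entry` still matches `data`."""
    now = digests(data)
    return all(now[name] == entry["digests"][name] for name in ALGORITHMS)


def custody_log_json(entries: List[dict]) -> str:
    return json.dumps(entries, indent=2)


# Constructed "image" (8 KiB of deterministic bytes) and a copy with one bit flipped.
ORIGINAL = bytes((i * 131 + 7) % 256 for i in range(8192))
TAMPERED = ORIGINAL[:4000] + bytes([ORIGINAL[4000] ^ 0x01]) + ORIGINAL[4001:]

if __name__ == "__main__":
    log = [custody_entry("HDD-001.img", ORIGINAL, "examiner-1", "acquired")]
    log.append(custody_entry("HDD-001.img", ORIGINAL, "examiner-1", "analysis started"))
    print(custody_log_json(log))
    print("image intact:", verify(log[0], ORIGINAL))
    print("tampered copy passes:", verify(log[0], TAMPERED))
```

For a real image, pass an open file (`open(path, "rb")`) instead of bytes; the same functions stream it. Every action that touches the item gets its own entry, so the log doubles as the third-party-repeatable audit trail the methodology slides ask for.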

39/55

Common Problems

No established incident response team: evidence is compromised while it is gathered
No established incident response policies: evidence may be compromised prior to gathering
Inappropriate methodology: does not stand up to peer review
Broken chain of custody: appropriate evidence was gathered but cannot be presented in court

40/55

Commercial Forensics Tools

Tools and vendors include:
EnCase: Guidance Software, Pasadena, CA
SafeBack: New Technologies Inc. (NTI), Gresham, Oregon

41/55

Other Forensic Tools

Linux dd: used by the FBI, among other tools, in the Zacarias Moussaoui case
The Coroner's Toolkit (TCT), by Dan Farmer and Wietse Venema: used for investigating Unix systems
WinHex (State-of-the-Art Software): inexpensive hex, disk, and RAM editor. Data analysis features include identification of certain file types (such as images) in unknown data, like that of recovered files. Includes drive imaging and deleted data recovery capabilities.
MD5Sum: 128-bit message digest generator. MD5 collisions are now practical, so record a SHA-256 digest alongside it; the MD5 value remains useful for comparison with older tool output.

42/55

Internet Data Incident Response Guidelines

Restore service safely
Estimate the extent and cost of the incident
Identify the source of the attack and their motivation
Deter future crime
Recover loss
Conduct due diligence
Assume corporate responsibility
Increase understanding of the security landscape

43/55

Roles and Responsibilities

To facilitate teamwork, the organization's roles must be assigned as follows:
Corporate security and incident team
Security investigator
Emergency response core team
Application owner
Application developer
System owner/administrator
Network administrator
Firewall administrator
Security consultants

44/55

What does it take to be a forensics expert?

Operating systems (Windows, Linux, Unix, Sun, etc.)
Database servers (Oracle, MS SQL Server, Sybase, etc.)
Web servers (Apache, IIS, etc.)
Firewalls, IDS, routers, etc.
Forensics tools
A jack of all trades

45/55

What does it take to be a forensics expert?

Patience to sit in front of the computer and analyze data, which could take a considerable amount of time
Nothing like click..next..next.. & finish forensics.

46/55

Conclusion

With new attack vectors being introduced every day, …

47/55

Internal Attackers

(section divider; diagram labels: People, Processes, Procedures, Networks)

48/55

The Rogue Internal User

Internal users are the most dangerous
They have much higher knowledge levels about the system than an outsider does
They sometimes have much more motivation to cause damage than an outsider does

49/55

Types of rogue users

The malicious user: about to quit his job, or be fired, isn't too happy with the company, and wants to leave his mark
The curious user: has some free time, wants to explore around and …
The ignorant user: has little idea about how the systems work, might accidentally delete a critical file, or enter wrong data

50/55

Tracking the rogue internal user

Places to look at:
Browser history, such as that of Internet Explorer (demo)
Cookies folder shows which sites he has visited (demo)
Documents and Settings folder (demo)
Recent file lists of Office applications, such as Microsoft Word, Excel, etc. (demo)
Nethood folder shows recent network shares accessed by the user (demo)

51/55

Tools to track the rogue user

Keylogger: tracks all the keystrokes typed by the user; emails them to a pre-determined email address; captures everything, including passwords; can be detected by anti-virus software
Network servers: see the Internet web sites visited from that user's IP address; see the files downloaded or accessed from central servers by that user; watch out for multiple failed login attempts from that user's PC
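Added example (not from the deck) of the "multiple failed login attempts from that user's PC" check run over a constructed audit extract: a sliding window counts failed logons per source host, raises one alert when the count reaches the threshold, and raises a second, higher-priority alert if a successful logon from the same host follows a burst (the signature of a guessed password). The one-line-per-event format is invented for the example; the event IDs 4625/4624 are the Windows failed/successful logon events.

```python
"""Flag bursts of failed logins per source host in server audit logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

FAILED_LOGON = 4625    # Windows: "An account failed to log on"
SUCCESS_LOGON = 4624   # Windows: "An account was successfully logged on"

# Constructed audit extract in a simplified one-line-per-event format (not real
# server output). 10.1.2.33 hammers the finance_admin account and finally gets in.
LOG = """\
2008-04-07 09:58:01 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
2008-04-07 09:58:10 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
2008-04-07 09:58:22 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
2008-04-07 09:58:35 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
2008-04-07 09:58:50 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
2008-04-07 09:59:04 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
2008-04-07 09:59:30 EventID=4624 Account=finance_admin SourceIP=10.1.2.33 LogonType=3
2008-04-07 10:01:00 EventID=4625 Account=rkumar SourceIP=10.1.2.40 Status=0xC000006A
2008-04-07 10:01:15 EventID=4624 Account=rkumar SourceIP=10.1.2.40 LogonType=3
2008-04-07 10:02:00 Service control manager: print spooler started
2008-04-07 10:30:12 EventID=4625 Account=finance_admin SourceIP=10.1.2.33 Status=0xC000006A
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)")


def parse(log: str) -> Iterator[Tuple[datetime, int, str, str]]:
    """Yield (timestamp, event id, account, source ip); lines that are not logon events are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["eid"]), m["acct"], m["ip"])


def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Sliding-window failed-logon detector, one burst alert per host, plus a
    success-after-burst alert when a host that was guessing finally gets in."""
    failures = defaultdict(deque)    # source IP -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for ts, eid, acct, ip in parse(log):
        q = failures[ip]
        while q and ts - q[0] > window:          # drop failures that have aged out
            q.popleft()
        if eid == FAILED_LOGON:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "burst", "ip": ip, "account": acct,
                               "failures": len(q), "first": q[0], "last": ts})
        elif eid == SUCCESS_LOGON:
            if len(q) >= threshold:
                alerts.append({"type": "success-after-burst", "ip": ip, "account": acct, "at": ts})
            q.clear()                            # a success resets the host's window
            flagged.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The single failure from 10.1.2.40 followed by a success is the normal mistyped-password pattern and produces nothing; the later lone failure from 10.1.2.33 at 10:30 is outside the window of the earlier burst and is not re-alerted. Tune threshold and window to the server's normal failure rate before relying on it.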

52/55

Surveillance Software

The most effective tools to monitor a suspicious user
These programs run transparently in the background and capture: the user's keystrokes, screen snapshots, emails sent, attachments sent via email, instant messenger conversations
They send this information to a remote server
Such monitoring must be authorized in writing under company policy and applicable law before it is deployed

53/55

54/55

55/55

Fooling the internal user

Social engineering: one of the most prevalent attack techniques
The attacker will use flattery, persuasion, a show of authority, or build a rapport to extract critical information from the user
Could also be used to fool users into revealing or changing their passwords: the attacker impersonates the system administrator
Could be done via a faked email asking all users to set their passwords to "password". At least 5% of users will fall victim to such pranks (see phishing)