Conducting an Incident Response - PowerPoint PPT Presentation

Provided by: ash78
Transcript and Presenter's Notes

1
Conducting an Incident Response
  • Ashley Gamble

2
References
  • Digital Evidence and Computer Crime Forensic
    Science, Computers and the Internet Second
    Edition by Eoghan Casey
  • Incident Response Investigating Computer Crime
    by Kevin Mandia and Chris Prosise
  • Computer Forensics Incident Response Essentials
    by Warren G. Kruse II and Jay G. Heiser

3
Outline
  • What is Incident Response
  • Common Mistakes
  • Initial Assessment
  • Investigating
  • Gathering and Handling Evidence
  • Examining Different Types of Systems

4
What is Incident Response?
  • Incident response is the set of steps taken to
    investigate how a computer security incident
    occurred in order to prevent it from happening
    again and, sometimes, to prosecute or reprimand
    the attacker.
  • An incident is any event where some aspect of
    computer security could be threatened.
  • Loss of data
  • Disruption of system integrity
  • Denial of service
  • Unauthorized use of an account or information

5
Common Mistakes
  • Failure to Maintain Proper Documentation
  • Failure to Notify or Provide Accurate Information
    to Decision Makers
  • Failure to Control Access to Digital Evidence
  • Failure to Report the Incident in a Timely
    Fashion to Management or Law Enforcement
  • Underestimate the Scope of the Incident
  • No Incident Response Plan in Place

6
Initial Assessment
7
Incident Notification Checklist
  • It's a good idea to have a sheet ready with
    questions to ask when an incident is reported.
  • Items that might be included
  • Person reporting the incident
  • Nature of the incident
  • When did it occur
  • How was it detected
  • When was it detected
  • Information about the computer compromised
  • Intruder's actions
  • Client actions
  • Tools available
  • Contact for questions

8
Verify Policies
  • Actions taken in an investigation are driven
    not only by technical details but by policies
    as well.
  • Law enforcement personnel usually have more
    restrictions than network administrators.

9
Examine Network Topology
  • A Network Topology Map can sometimes be helpful
    in pinpointing the origin of the attacks.
  • Three features
  • External Connectivity
  • Network Devices
  • Broadcast Domain
  • Any network devices between the victim's system
    and the suspected attacker's system should be
    examined for evidence.

10
Investigating
11
Conduct Interviews
  • System Administrators
  • Have you noticed any recent unusual activity?
  • How many people have administrative access to the
    system?
  • What applications provide remote access on the
    system?
  • What are the logging capabilities of the system
    and network?
  • What security precautions are currently taken on
    the system?
  • Managers
  • Is there anything particularly sensitive about
    the data and applications on the system?
  • Are there any personnel issues of which we should
    be aware?
  • Was any type of penetration testing authorized
    for the system or network?
  • End Users
  • Users may or may not be able to provide useful
    information; they are more likely to provide
    information if they reported the suspicious
    activity.
  • Was there any unusual behavior on the system?
  • How secure is your password?

12
Identification and Seizure
  • Identify and seize all potential evidence.
  • Be sure to clearly follow procedures and
    understand legal issues associated with seizing.
  • Record all necessary information about the
    evidence.

13
Chain of Custody
  • A good Chain of Custody Policy ensures no
    corruption of evidence.
  • Document information about the items seized.
  • Evidence Tags for each hard drive or media.

14
Information on Seized Items
  • Individuals who occupy the office
  • Names of employees who have access to the office
  • Location of systems in the room
  • State of the system
  • Network or modem connections
  • People present at the time of duplication
  • Serial numbers, Model numbers, and Makes
  • Peripherals attached to the system
  • Network and MAC Address

15
Evidence Tags
  • Time and Date of the action
  • Case Number
  • Evidence Tag Number
  • Signature Consenting the Seizure
  • Who the evidence belonged to before seizure
  • Description of Evidence
  • Signature of Technician Receiving Evidence
  • Tracking Information about Change of Hands
  • Who had it and location
  • Date of Receipt
  • Reason
  • Who received it and location
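The Chain of Custody and Evidence Tag fields above can be kept as a record whose change-of-hands entries are hash-chained, so that any later alteration of the tag or of an entry is detectable. This is an added illustration, not code from the presentation or its references; the field names follow the slides, the hashing scheme is an assumption.

```python
import hashlib, json
from dataclasses import dataclass, field, asdict
from typing import List

def _digest(record: dict, drop: str) -> str:
    # Canonical JSON of every field except `drop`, so equal fields hash equally
    body = {k: v for k, v in record.items() if k != drop}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class CustodyEntry:
    """One change of hands: the tracking fields from the Evidence Tags slide."""
    date_received: str
    handed_over_by: str
    from_location: str
    received_by: str
    to_location: str
    reason: str
    prev_hash: str = ""   # hash of the previous entry, or of the tag itself
    entry_hash: str = ""  # hash of this entry, set by EvidenceTag.transfer

@dataclass
class EvidenceTag:
    case_number: str
    tag_number: str
    seized_at: str             # time and date of the action
    consent_signature: str
    owner_before_seizure: str
    description: str
    receiving_technician: str
    custody_log: List[CustodyEntry] = field(default_factory=list)

    def tag_hash(self) -> str:
        return _digest(asdict(self), drop="custody_log")

    def transfer(self, **entry_fields) -> CustodyEntry:
        """Append a custody entry linked to the previous one (or to the tag)."""
        prev = self.custody_log[-1].entry_hash if self.custody_log else self.tag_hash()
        entry = CustodyEntry(prev_hash=prev, **entry_fields)
        entry.entry_hash = _digest(asdict(entry), drop="entry_hash")
        self.custody_log.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """False if any tag field or custody entry was altered after the fact."""
        expected = self.tag_hash()
        for entry in self.custody_log:
            if entry.prev_hash != expected or _digest(asdict(entry), "entry_hash") != entry.entry_hash:
                return False
            expected = entry.entry_hash
        return True
```

The chain only detects edits made without recomputing every later hash; in practice the entry hashes would be printed on the paper tag or signed by each receiver.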

16
Gathering and Handling Evidence
17
Volatile Data
  • Volatile data must be collected before a power
    down destroys it.
  • Registers, Cache Contents
  • Memory Contents
  • State of Network Connections
  • Open Sockets
  • State of Running Processes
  • Users Currently Logged On
  • Contents of Storage Media
  • Contents of Removable and Backup Media

18
Verifying Low-Level System Configuration
  • Examine BIOS to determine
  • Drive geometry of the evidence media
  • Determines which hard drive to analyze.
  • Boot Sequence
  • You don't want to boot up from the OS on the
    evidence media.

19
Preservation and Duplication
  • Investigators must ensure that potentially
    volatile items remain unchanged.
  • The original material should be stored unmodified
    in a proper location.
  • An exact copy of the material can be scrutinized
    as the investigation continues.
  • Methods of imaging the storage medium
  • Remove it from the seized computer and attach it
    to the forensics workstation.
  • Attach a hard drive to the seized computer.
  • Send the disk image over a closed network to the
    forensics workstation as it is created.

20
Duplication Tool Characteristics
  • The application must have the ability to image
    every bit of data on the storage medium.
  • The application must handle read errors in a
    robust manner.
  • The application must not make any changes to the
    original evidence.
  • The application must have the ability to be held
    up to scientific testing and analysis. Results
    must be repeatable and verifiable by a third
    party, if necessary.
  • The image file that is created must be protected
    by a checksum or hashing algorithm.
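The five characteristics above, as an added example (not the presentation's code): a block-by-block imager that zero-fills and logs unreadable blocks rather than aborting, hashes the image as it is written, and re-verifies the stored copy later. The failing-disk source and the 1280-byte sample medium are constructed test doubles.

```python
import hashlib, io
from typing import BinaryIO, List, Tuple

BLOCK = 512  # assumed sector size for the example

def image(src: BinaryIO, dst: BinaryIO, block: int = BLOCK) -> Tuple[str, int, List[int]]:
    """Copy src to dst block by block; an unreadable block is written as zeros so
    later offsets stay aligned, and its offset is logged. Returns (sha256, size, bad)."""
    digest, bad, offset = hashlib.sha256(), [], 0
    while True:
        src.seek(offset)
        try:
            chunk = src.read(block)
        except OSError:          # unreadable sector: zero-fill and record it
            chunk = b"\x00" * block
            bad.append(offset)
        if not chunk:            # end of the medium
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return digest.hexdigest(), offset, bad

def verify_image(img: BinaryIO, expected_sha256: str, block: int = BLOCK) -> bool:
    """Re-hash a stored image; any later change makes this return False."""
    digest = hashlib.sha256()
    img.seek(0)
    for chunk in iter(lambda: img.read(block), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_sha256

class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing disk: reads at bad_offsets raise OSError."""
    def __init__(self, data: bytes, bad_offsets) -> None:
        super().__init__(data)
        self.bad = set(bad_offsets)
    def read(self, n: int = -1) -> bytes:
        if self.tell() in self.bad:
            raise OSError("simulated I/O error")
        return super().read(n)

SAMPLE = bytes(range(256)) * 5   # constructed 1280-byte medium: 2.5 sectors
def demo() -> dict:
    """Image SAMPLE with sector 1 unreadable, verify the copy, then show a tamper."""
    with FlakySource(SAMPLE, bad_offsets=[512]) as src, io.BytesIO() as dst:
        sha, size, bad = image(src, dst)
        img = dst.getvalue()
        tampered = io.BytesIO(bytes([img[0] ^ 1]) + img[1:])   # one flipped bit
        return {"sha256": sha, "size": size, "bad": bad, "image": img,
                "verified": verify_image(dst, sha), "tampered_verified": verify_image(tampered, sha)}
```

The bad-block list belongs in the acquisition notes alongside the hash, since it records which parts of the image are fill rather than evidence.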

21
Recovery
  • Any data that has been deleted, hidden,
    camouflaged, etc. must be extracted.
  • Data fragments may have to be reconstituted to
    recover an item.
  • Usually performed on copies of the data.

22
Harvesting
  • Where concrete facts begin to support or falsify
    hypotheses.
  • Gather descriptive material about the contents.
  • Identify categories of data for later analysis.

23
Reduction
  • Eliminate specific items from the collected data
    that are not potentially germane to an
    investigation.
  • The result of this is the smallest set of digital
    information that has the highest potential for
    containing data of probative value.

24
Analysis
  • Assessment: Scrutinize digital data to try to
    determine factors such as means, motivation and
    opportunity.
  • Experimentation: Unorthodox or previously untried
    methods may be called for during an investigation.
  • Fusion and Correlation: Combining all of the
    evidence, digital and non-digital, together to
    tell the whole story. Fusion refers to finding
    the where, when and how; correlation deals more
    with cause and effect.
  • Validation: The proof of guilt or innocence found
    during the analysis.

25
Report
  • Final reports should include important details
    from each step.
  • Protocols and methods used to seize, document,
    collect, preserve, recover, reconstruct,
    organize, and search key evidence should be
    included.
  • Detail the analysis leading to each conclusion.
  • Describe supporting evidence.
  • Describe alternative theories and explain why
    they were eliminated.

26
Follow-Up
  • Analyze the process
  • Record any lessons learned
  • Fix any problems with the process

27
Examining Different Types of Systems
28
Windows
  • Initial Response
  • Obtain Storage Information
  • Obtain Volatile Data
  • Execute a Trusted cmd.exe
  • Determine Who is Logged onto the System
  • Determine Open Ports and Listening Applications
  • List All Running Applications
  • List Current and Recent Connections
  • Obtain Event Logs
  • Review the Registry
  • Obtain Modification, Creation and Access Times of
    All Files
  • Obtain System Passwords

29
Windows (Continued)
  • Investigating
  • Review Logical Files
  • Review All Logs
  • Perform Keyword Searches
  • Review Relevant Files
  • Review Email Files
  • Recover Deleted Files and Data
  • Review the Registry
  • Review the Swap File
  • Review Links
  • Review Web Browser Files
  • Identify Unauthorized User Accounts or Groups
  • Identify Rogue Processes
  • Look for Unusual or Hidden Files
  • Check for Unauthorized Access Points
  • Check Remote Control and Remote Access Services
  • Determine the Patch Level
  • Check Administrative Shares
  • Examine Jobs Run by the Scheduler Service

30
Unix
  • Initial Response
  • Execute a Trusted Shell
  • Determine Who is Logged onto the System
  • Determine the Running Processes
  • Detect Loadable Kernel Module Rootkits
  • Determine Open Ports and Listening Applications
  • Review the /proc File System
  • Obtain Modification, Creation and Access Times of
    all Files
  • Obtain the System Logs
  • Obtain Important Configuration Files
  • Investigating
  • Review Network, Host and User Activity Logs
  • Perform Keyword Searches using grep and find
  • Recover Deleted Files and Data
  • Identify Unauthorized User Accounts or Groups
  • Identify Rogue Processes
  • Check for Unauthorized Access Points
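The "Obtain Modification, Creation and Access Times of all Files" step from the Windows and Unix lists, as an added example (not from the presentation): a MAC-time timeline built with lstat over a directory tree, one row per distinct timestamp, oldest first. The two-file tree that demo() builds is constructed; on Unix the c-time is the inode change time, not a creation time.

```python
import os, tempfile, time
from typing import List, Tuple

Row = Tuple[float, str, str]   # (timestamp, flags, path)

def mac_timeline(root: str) -> List[Row]:
    """Walk root and return one row per distinct timestamp of each entry, oldest
    first. flags is 'm' (modified), 'a' (accessed), 'c' (inode changed) or a
    combination when those times coincide. lstat records symlinks without following."""
    rows: List[Row] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:       # entry vanished or is unreadable: skip, keep going
                continue
            by_time = {}
            for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                by_time.setdefault(ts, []).append(flag)
            rows.extend((ts, "".join(flags), path) for ts, flags in by_time.items())
    rows.sort()
    return rows

def format_row(row: Row) -> str:
    ts, flags, path = row
    return f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ts))}Z {flags:<3} {path}"

def demo() -> List[Row]:
    """Constructed tree: a config file last changed in 2001, a log written in 2008."""
    root = tempfile.mkdtemp()
    for name, mtime, atime in (("passwd", 1_000_000_000, 1_000_003_600),
                               ("auth.log", 1_200_000_000, 1_200_000_000)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.utime(path, (atime, mtime))   # os.utime takes (atime, mtime)
    return mac_timeline(root)
```

Run it against a mounted image copy, never the original evidence, since reading files on the original would update access times.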

31
Handheld Devices
  • Personal Digital Assistants
  • Need specialized tools
  • Need knowledge of how data is manipulated and
    stored
  • ROM can sometimes retain its contents for several
    years even without power
  • RAM will lose its contents if it does not have
    power, so the device must have adequately charged
    batteries at all times
  • Mobile Telephones
  • SIM cards can be examined for previously called
    numbers and text messages using specially
    designed devices to attach the card to a computer

32
Review
  • Have an Incident Response Plan and Practice it
  • All response personnel should know the plans
  • All response personnel should know any policies
    related to seizure of evidence, reporting an
    incident, etc.
  • Checklist, evidence tags, etc. prepared before an
    incident
  • Know the personnel that will need to be involved,
    network admins, managers, etc.
  • Plan should be specialized to your needs

33
Questions or Comments?