Computer Forensics in Practice - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Computer Forensics in Practice
  • Armed Forces of the Slovak Republic
  • mjr. Ing. Albert VAJÁNYI
  • 1Lt. Ing. Boris ZEMEK
  • (c) May 2005

2
Communication and Information System Control and Operation Centre
Information Security Centre
  • InfoSec Centre Chief
  • mjr. Ing. Albert VAJÁNYI
  • Division Chief
  • 1Lt. Ing. Boris ZEMEK
  • (c) May 2005

3
What is computer forensics anyway?
  • The application of computer investigations and
    analysis techniques in the interests of
    determining potential legal evidence.
  • Computer specialists can draw on an array of
    methods for discovering deleted, encrypted or
    damaged file information.
  • (Robbins, 1997)

4
You don't know what happened on your network.
  • A network forensic analysis tool can effectively answer the difficult
    question "What happened?" in the aftermath of a security incident.
  • That tool provides a passive network monitoring solution that
    visualizes the network activity.
  • A network forensics analysis tool can visualize and analyze data from
    firewalls, IDS, IPS, syslogs, audit systems and more.

5
Key Features of Forensic Tools
  • Data collection and visualization
  • Monitor and analyze data from all seven layers of
    the Open Systems Interconnection (OSI) stack
  • Relational, Tree ontology for knowledge base
  • TCP dump recording records traffic being
    monitored in an unprocessed, binary state
  • Pattern and content analysis
  • Powerful visualizations expose anomalous
    activities, providing visibility into network
    communications before, during and after a
    suspicious event
  • Functions irrespective of language using n-gram
    analysis

6
Key Features of Forensic Tools
  • Forensic analysis and investigation
    - Graphical arrangements include source, destination, time, type and
      duration of communication, and content
    - Rebuild crime pattern
    - Playback events
    - Generate reports and visual representations of the suspicious
      activity
    - Report on key security and network parameters

7
Forensics Technology Services (FTS)
  • Digital Evidence Recovery
    It is a technique for finding and extracting evidence. In many cases
    the legislation prescribes how digital evidence must be validated.
  • Cyber Forensics
    Some specialists trace incidents on the network. Cyber forensics
    shows who carried out an attack.

8
Forensics Technology Services (FTS)
  • Forensic Data Analysis
    It is the interpretation of large volumes of heterogeneous data using
    visualization techniques.
  • Document Management Services
    Making documents accessible helps share essential knowledge. In your
    investigations you can draw upon modern document management tools
    that allow you to archive, search, find, organise and reproduce
    documents.

9
Requirements for Forensics Tools
  • Collecting, analyzing, 2D or 3D visualization
  [Diagram with the following elements: real-time, post event, traffic
  analysis, database, knowledge base, meta data and content analysis,
  context analyzer, data visualization]
10
Types of Collecting Data
All logs are collected into the central log base!
  • Types
    - IDS/IPS logs
    - Firewall logs
    - Syslogs
    - SQUID logs
    - Audit system logs
    - and more

11
[Diagram with the following elements: security operation centre, network
operation centre, network monitoring, security alarms, service alarms,
central logs base, Security Information Management System, any public
network, intranet]
12
Security Information Management
  • What is Security Information Management (SIM)?
  • SIM provides a simple mechanism that allows security teams to collect
    and analyze vast amounts of security alert data.
  • More specifically, SIM solutions collect, analyze and correlate in
    real-time all security device information across an entire
    enterprise.
  • Correlated results are then displayed on a centralized real-time
    console that is part of an intuitive graphical user interface.

13
Security Information Management
  • SIM can be divided into four different phases:
    - Normalization
    - Aggregation
    - Correlation
    - Visualization
  • SIM utilizes normalization, aggregation, and correlation to sift
    through mountains of security activity data on a real-time basis,
    correlating events, flagging and rating the potential seriousness of
    all attacks, compromises, and vulnerabilities. The power of SIM
    technology allows a relatively small security staff to dramatically
    reduce the time between attack and response.

14
Security Information Management
  • Normalization is the process of gathering individual security device
    data and putting it into a context that is easier to understand,
    mapping different messages about the same security events to a
    common alarm ID. Keeping in mind that there are no standards in the
    security device industry, normalization alone is a tremendous asset
    to security teams.
  • Aggregation eliminates redundant or duplicate event data from the
    security event data stream, refining and optimizing the amount of
    information that is presented to security analysts.

15
Security Information Management
  • Correlation uses software technology to analyze aggregated data, in
    real-time, to determine if specific patterns exist. These patterns
    of similar security events often correspond to specific security
    attacks, whether denial of service, anti-virus, or some other form
    of attack.
  • Visualization, the final step in SIM, is the graphical representation
    of correlated information in a single, real-time console.
  • Effective visualization lets security operators quickly identify and
    respond to security threats as they occur, before they create
    problems within the enterprise.
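The three processing phases on slides 13 to 15 (normalization to a common alarm ID, aggregation of duplicates, correlation into a rated result) and the overlay of blocked firewall traffic with IDS alerts on slide 21, worked through on a handful of log lines. This is an added example, not code from the presentation or from any SIM product; the log formats, alarm IDs, weights and escalation threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the presentation): firewall, IDS
# and syslog records about the same source, with deliberate duplicates.
RAW_EVENTS = [
    "FW 10:00:01 REJECT src=203.0.113.7 dst=192.0.2.10 dport=22",
    "FW 10:00:02 REJECT src=203.0.113.7 dst=192.0.2.10 dport=22",
    "FW 10:00:03 ACCEPT src=198.51.100.4 dst=192.0.2.20 dport=80",
    "IDS 10:00:05 alert sig=SSH-BRUTE src=203.0.113.7 dst=192.0.2.10",
    "IDS 10:00:05 alert sig=SSH-BRUTE src=203.0.113.7 dst=192.0.2.10",
    "SYSLOG 10:00:09 sshd: Failed password for root from 203.0.113.7",
]

# Normalization rules: one regex per device format, each mapped to a
# common alarm ID (the IDs are hypothetical, chosen for this example).
RULES = [
    (re.compile(r"^FW \S+ (REJECT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+)"), "FW_BLOCK"),
    (re.compile(r"^FW \S+ ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+)"), "FW_ALLOW"),
    (re.compile(r"^IDS \S+ alert sig=\S+ src=(?P<src>\S+) dst=(?P<dst>\S+)"), "IDS_ALERT"),
    (re.compile(r"^SYSLOG \S+ sshd: Failed password .* from (?P<src>\S+)"), "AUTH_FAIL"),
]

# Assumed weights: an IDS alert counts more than a single block or failure.
WEIGHTS = {"FW_BLOCK": 1, "IDS_ALERT": 2, "AUTH_FAIL": 1}
ESCALATE_AT = 3  # assumed threshold for the "escalate" rating


def normalize(lines):
    """Map raw device messages to (alarm_id, src, dst); unknown formats are dropped."""
    out = []
    for line in lines:
        for rx, alarm in RULES:
            m = rx.match(line)
            if m:
                out.append((alarm, m.group("src"), m.groupdict().get("dst")))
                break
    return out


def aggregate(events):
    """Collapse duplicate normalized events into (event, count), keeping first-seen order."""
    counts = Counter(events)
    return [(ev, counts[ev]) for ev in dict.fromkeys(events)]


def correlate(aggregated):
    """Score each source across device types and rate it for the operator console."""
    scores = Counter()
    for (alarm, src, _dst), _count in aggregated:
        scores[src] += WEIGHTS.get(alarm, 0)
    return {src: ("escalate" if s >= ESCALATE_AT else "watch") for src, s in scores.items()}
```

Running correlate(aggregate(normalize(RAW_EVENTS))) rates 203.0.113.7 as "escalate" because a firewall block, an IDS alert and an authentication failure from the same source reinforce each other, while the accepted connection from 198.51.100.4 stays at "watch".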

16
Systems alarms remapping
17
Place Forensics Tool in Network
[Diagram with the following elements: security operation centre, network
operation centre, security alarms, service alarms, Security Information
Management System, central logs base, any public network, forensics tool,
intranet]
18
  • Network Forensics Analyzer
  • Examples of Visualization

19
Visualization of Firewall Data
  • Quickly visualize and understand relationships in firewall data
    across time
  • [Chart axes: Source_IP, number of occurrences, Dest_IP]

20
Source_IP versus Firewall Action
  • [Chart axes: Source_IP, number of occurrences, Firewall Action]
  • Legend: Green = Accept, Red = Reject, Blue = Drop

21
Event Correlation
  • Blocked Firewall Traffic
  • VPN Traffic Events
  • Overlay Intrusion Detection System Alerts
22
Exercises of anomaly
23
Exercises of anomaly
24
Thank You!
E-mail: infosec@mil.sk