Chapter 13: Advanced Security and Beyond - PowerPoint PPT Presentation


Slides: 30
Provided by: hills
Learn more at: https://hills.ccsf.edu

Transcript and Presenter's Notes

1
Chapter 13 Advanced Security and Beyond
  • Security+ Guide to Network Security Fundamentals
  • Second Edition

2
Objectives
  • Define computer forensics
  • Respond to a computer forensics incident
  • Harden security through new solutions
  • List information security jobs and skills

3
Understanding Computer Forensics
  • Computer forensics can attempt to retrieve
    information, even if it has been altered or
    erased, that can be used in the pursuit of the
    criminal
  • Interest in computer forensics is heightened by:
  • High amount of digital evidence
  • Increased scrutiny by the legal profession
  • Higher level of computer skills among criminals

4
Forensics Opportunities and Challenges
  • Computer forensics creates opportunities to
    uncover evidence impossible to find using a
    manual process
  • One reason that computer forensics specialists
    have this opportunity is due to the persistence
    of evidence
  • Electronic documents are more difficult to
    dispose of than paper documents
  • Deleting a data file does NOT actually delete the
    file from the computer's hard drive; it changes
    the status of that storage location to unused

5
Responding to a Computer Forensics Incident
  • Generally involves four basic steps similar to
    those of standard forensics:
  • Secure the crime scene
  • Collect the evidence
  • Establish a chain of custody
  • Examine and preserve the evidence

http://en.wikipedia.org/wiki/Computer_forensics
6
Securing the Crime Scene
  • Physical surroundings of the computer should be
    clearly documented
  • Photographs of the area should be taken before
    anything is touched
  • Cables connected to the computer should be
    labeled to document the computer's hardware
    components and how they are connected
  • Team takes custody of the entire computer along
    with the keyboard and any peripherals

7
Preserving the Data
  • Computer forensics team first captures any
    volatile data that would be lost when computer is
    turned off and moves data to a secure location
  • This includes any data not recorded in a file on the
    hard drive or an image backup:
  • Contents of RAM
  • Current network connections
  • Logon sessions
  • Network configurations
  • Open files

http://www.porcupine.org/forensics/forensic-discovery/
http://ntsecurity.nu/onmymind/2006/2006-06-01.html
8
Preserving the Data (continued)
  • After retrieving volatile data, the team focuses
    on the hard drive
  • A mirror image backup (or bit-stream backup) is an
    evidence-grade backup because its accuracy meets
    evidence standards (an exact duplicate of the original)
  • Mirror image backups are considered a primary key
    to uncovering evidence because they create exact
    replicas of the computer contents at the crime
    scene

http://www.forensics-intl.com/def2.html
9
Mirror Image Backups
  • Mirror image backups must meet the following
    criteria:
  • Mirror image software should only be used by
    trained professionals
  • Those using the mirror image software must have
    evidence handling experience
  • The mirror imaging tools must be able to find any
    bad sectors on the original drive that may cause
    problems for the imaging software
  • Forensic imaging done in a controlled manner
  • Imaging personnel should be a disinterested
    third-party

http://www.syschat.com/how-create-mirror-image-your-hard-438.html
10
Establishing the Chain of Custody
  • As soon as the team begins its work, it must
    start and maintain a strict chain of custody
  • The chain of custody documents that evidence was
    under strict control at all times and that no
    unauthorized person was given the opportunity to
    corrupt the evidence
  • A chain of custody includes documenting all of
    the serial numbers of the systems and devices
    involved, as well as:
  • Who handled the systems and for how long
  • How systems were shipped and stored
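As an added example (not part of the slide deck), the bit-stream backup of slides 8 and 9 and the custody record of slide 10 worked through in Python: every sector is copied, unreadable sectors are zero-filled and logged rather than skipped, and an acquisition hash is checked against a hash of the finished image. The FakeDrive class, the examiner name and the sample data are constructed stand-ins, not a real device.

```python
import hashlib
import time

SECTOR = 512  # the slides note that Windows stores files in 512-byte sectors

class FakeDrive:
    """Constructed stand-in for a physical drive; listed sectors raise I/O errors."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    def sector_count(self):
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]

def image_drive(drive, examiner):
    """Bit-stream copy of every sector; returns (image_bytes, custody_record).
    Unreadable sectors are zero-filled and recorded rather than skipped, so the
    image stays sector-aligned with the original. The hash taken while reading is
    compared with a hash of the finished image to show the copy is exact.
    """
    acquired = hashlib.sha256()
    image = bytearray()  # a real imager streams to disk; memory keeps the demo short
    bad = []
    for n in range(drive.sector_count()):
        try:
            chunk = drive.read_sector(n)
        except OSError:
            bad.append(n)
            chunk = b"\x00" * SECTOR  # placeholder keeps every offset identical
        acquired.update(chunk)
        image += chunk
    verified = hashlib.sha256(image).hexdigest()
    record = {  # one chain-of-custody entry: who, when, what, and the hashes
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sectors": drive.sector_count(),
        "bad_sectors": bad,
        "acquisition_sha256": acquired.hexdigest(),
        "verification_sha256": verified,
        "verified": acquired.hexdigest() == verified,
    }
    return bytes(image), record
```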

11
Examining Data for Evidence
  • After a computer forensics expert creates a
    mirror image of the system, the original system should be
    secured and the mirror image examined to reveal
    evidence
  • All exposed application data should be examined
    for clues (documents, spreadsheets, email,
    digital photographs, cookies, cache)
  • Microsoft Windows operating systems use Windows
    page file as a scratch pad to write data when
    sufficient RAM is not available

http://www.porcupine.org/forensics/forensic-discovery/chapter8.html
12
Windows Page File
  • Windows page files can range from 1 megabyte to
    over a gigabyte in size and can be temporary or
    permanent
  • By default, XP creates a page file which is 1.5
    times the amount of installed RAM
  • pagefile.sys
  • These files can contain remnants of work done in
    past
  • Special programs are needed to search through the
    page file quickly

http://www.theeldergeek.com/paging_file.htm
13
Examining Data for Evidence
  • Slack is another source of hidden data
  • Windows computers use two types of slack:
  • RAM slack
  • File slack
  • http://www.forensics-intl.com/def7.html
  • http://www.forensics-intl.com/def6.html

14
RAM Slack
  • Windows stores files on a hard drive or other
    media type in 512-byte sectors
  • Multiple sectors make up a cluster
  • When a saved file is not long enough to fill up
    the last sector, Windows pads the remaining
    sector space (for that cluster) with data that is
    currently stored in RAM
  • This padding creates RAM slack and pertains
    only to the last sector of a file
  • If additional sectors are needed to round out the
    block size for the last cluster assigned to the
    file (if there is not enough data in RAM), a
    different type of slack is created

15
File Slack
  • With file slack (drive slack), the padding data that
    Windows uses comes from data already stored on the hard
    drive
  • Such data could contain remnants of previously
    deleted files
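As an added example (not part of the slide deck), the two kinds of slack from slides 14 and 15 worked through in Python: slack_layout computes how many bytes of RAM slack and file slack a file of a given size leaves in its last cluster, and carve_slack splits a raw cluster into the regions an examiner would inspect. The 4096-byte cluster size and the contents of the constructed demo cluster are assumptions.

```python
SECTOR = 512           # sector size the slides describe
CLUSTER = 8 * SECTOR   # 4096-byte cluster: an assumed size for this example

def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, file_slack) byte counts for a file of file_size bytes.

    RAM slack  = unused bytes in the last sector the file occupies (slide 14).
    File slack = the whole sectors left unused in the last cluster (slide 15).
    """
    if file_size == 0:
        return 0, 0
    used_in_sector = file_size % sector
    ram_slack = 0 if used_in_sector == 0 else sector - used_in_sector
    used_in_cluster = file_size % cluster
    if used_in_cluster == 0:
        return ram_slack, 0          # file ends exactly on a cluster boundary
    return ram_slack, cluster - used_in_cluster - ram_slack

def carve_slack(last_cluster, file_size, sector=SECTOR, cluster=CLUSTER):
    """Split the raw bytes of a file's last cluster into
    (file_data, ram_slack, file_slack), the regions an examiner inspects."""
    ram, fs = slack_layout(file_size, sector, cluster)
    data_len = cluster - ram - fs    # bytes of real file content in this cluster
    return (last_cluster[:data_len],
            last_cluster[data_len:data_len + ram],
            last_cluster[data_len + ram:])

def build_demo_cluster(file_size=100):
    """Constructed last cluster: file bytes, then RAM padding, then whatever
    the drive already held there, here a remnant of a deleted file."""
    ram, fs = slack_layout(file_size)
    remnant = b"OLD DELETED MEMO: quarterly figures were restated"  # constructed
    file_slack = (remnant + b"\x00" * fs)[:fs]
    return b"F" * file_size + b"M" * ram + file_slack
```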

16
(No Transcript)
17
Examining Data for Evidence
18
Summary of Examining Data for Evidence
19
Exploring Information Security Jobs and Skills
  • Need for information security workers will
    continue to grow for the foreseeable future
  • Information security personnel are in short
    supply, so those in the field are being rewarded
    well
  • Security budgets have been spared the drastic
    cost-cutting that has plagued IT since 2001
  • Companies recognize the high costs associated
    with weak security and have decided that
    prevention outweighs cleanup

20
Exploring Information Security Jobs and Skills
  • Most industry experts agree security
    certifications continue to be important
  • Preparing for the Security+ certification will
    help you solidify your knowledge and skills in
    cryptography, firewalls, and other important
    security defenses

21
TCP/IP Protocol Suite
  • One of the most important skills is a strong
    knowledge of the foundation upon which network
    communications rests, namely Transmission Control
    Protocol/Internet Protocol (TCP/IP)
  • Understanding TCP/IP concepts helps effectively
    troubleshoot computer network problems and
    diagnose possible anomalous behavior on a network

22
Packets
  • No matter how clever the attacker is, they still
    must send their attack to your computer with a
    packet
  • To recognize the abnormal, you must first
    understand what is normal

23
Firewalls
  • Firewalls are essential tools on all networks and
    often provide a first layer of defense
  • Network security personnel should have a strong
    background in how firewalls work, how to create
    access control lists (ACLs) to mirror the
    organization's security policy, and how to tweak
    ACLs to balance security with employee access

24
Routers
  • Routers form the heart of a TCP/IP network
  • Configuring routers for both packet transfer and
    packet filtering can become very involved
  • As network connections become more complex (VPN,
    IPv6), understanding how to implement and
    configure routers becomes more important

25
Intrusion-Detection Systems (IDS)
  • Security professionals should know how to
    administer and maintain an IDS
  • The capabilities of these systems have increased
    dramatically since they were first introduced, making them
    mandatory for today's networks
  • One problem is that IDS can produce an enormous
    amount of data that requires checking
  • In addition, IDS/IPS systems can produce a number
    of false positives.

26
Other Skills
  • A programming background is another helpful tool
    for security workers
  • Security workers should also be familiar with
    penetration testing
  • Penetration testing, once known as ethical hacking, probes for
    vulnerabilities in systems, networks, and
    applications

27
Computer Forensic Skills
  • Computer forensic specialists require an
    additional level of training and skills:
  • Basic forensic examinations
  • Advanced forensic examinations
  • Incident responder skills
  • Managing computer investigations

http://www.infosecinstitute.com/courses/computer_forensics_training.html?cf
28
Summary
  • Forensic science is the application of science to
    questions of interest to the legal profession
  • Several unique opportunities give computer
    forensics the ability to uncover evidence that
    would be extremely difficult to find using a
    manual process
  • Computer forensics also has a unique set of
    challenges that are not found in standard
    evidence gathering, including volume of
    electronic evidence, how it is scattered in
    numerous locations, and its dynamic content

29
Summary (continued)
  • Searching for digital evidence includes looking
    at obvious files and e-mail messages
  • Need for information security workers will
    continue to grow, especially in computer
    forensics
  • Skills needed in these areas include knowledge of
    TCP/IP, packets, firewalls, routers, IDS, and
    penetration testing