encase enterprise
Transcript of encase enterprise
Computer Forensic and Incident Response
or
Why invest in a Digital Investigations Platform?
Damir Delija, Insig2
Presentation plan
Introduction into computer forensics and incident response
• what it is
• legal and organisational issues
EnCase approach
• architecture, tools, methods
• approach to forensics and incident response
• how it is done
Computer Forensic – a Definition
A practical definition:
“Computer Forensics is simply the application of computer investigation
and analysis techniques in the interest of determining potential legal evidence
(Judd Robbins).”
Legal Definition of Forensics
Daubert/Frye: The most important decisions governing the use of scientific evidence in court are those of Daubert (Federal) / Frye (California).
There are four primary factors according to Daubert/Frye that should be considered before ruling on the admissibility of scientific evidence:
• Whether the theory or technique has been reliably tested;
• Whether the theory or technique has been subjected to peer review and publication;
• What is the known or potential rate of error of the method used;
• Whether the theory or method has been generally accepted by the scientific community.
Role of the EnCase suite
EnCase Suite - Guidance Software, www.guidancesoftware.com
• Central point in system security; the other usual security-related tools are subordinates (feeds and actuators)
• Acts as a standalone or as an enterprise-wide tool
• It is supposed to react to incidents or to control the system, both in the same sound digital forensic way
• The examiner workstation is the workplace for incident responder, examiner, auditor and controller, all in the same consistent, legally acceptable manner
• Predefined roles, ranges, users and events
• Uses other parts of the incident response infrastructure like ticketing system, help desk, IPS, IDS, etc.
What are our threats?
• Unauthorised software
• Human error
• Inappropriate content
• Deliberate attack (hackers)
• Competitors
• Virus outbreaks
• Regulatory compliance
• IP theft (eg. external consultants)
• Fraud
• Disgruntled employees
• Classified data
• Data leakage
• Others (Unknown)
Integrating forensics into IR
What is an incident to you?
• Virus outbreak? Stolen laptop? Inappropriate usage? Legal requirement for electronic data? Unauthorised software? Inappropriate content? Classified data appearing in the wrong environments? Data leakage? IP theft? Disgruntled employee?
How do you respond?
• Manual processes? Take computers off the network? Suspend employees? External investigative consultancy? Outsource data collection? Press release / PR? Hope and pray? Ignore?
Latest analytics (1)
Who is behind data breaches?
• 73% resulted from external sources
• 18% were caused by insiders
• 39% implicated business partners
• 30% involved multiple parties
How do breaches occur?
• 62% were attributed to a significant error
• 59% resulted from hacking and intrusions
• 31% incorporated malicious code
• 22% exploited a vulnerability
• 15% were due to physical threats
Source: "2008 DATA BREACH INVESTIGATIONS REPORT", A Study CONDUCTED BY THE VERIZON BUSINESS RISK TEAM, 10th June 2008
Latest analytics (2)
What commonalities exist?
• 66% involved data the victim did not know was on the system
• 75% of breaches were not discovered by the victim
• 83% of attacks were not highly difficult
• 85% of breaches were the result of opportunistic attacks
• 87% were considered avoidable through reasonable controls
Source: "2008 DATA BREACH INVESTIGATIONS REPORT", A Study CONDUCTED BY THE VERIZON BUSINESS RISK TEAM, 10th June 2008
Latest analytics (3)
Nine out of 10 data breach incidents involved one of the following:
• A system unknown to the organization (or business group affected)
• A system storing data that the organization did not know existed on that system
• A system that had unknown network connections or accessibility
• A system that had unknown accounts or privileges
Source: "2008 DATA BREACH INVESTIGATIONS REPORT", A Study CONDUCTED BY THE VERIZON BUSINESS RISK TEAM
How do we deal with these threats today?
Reactively
• We manually investigate incidents, which is time consuming
• We employ 3rd party consultancies to collect data for compliance
• We quarantine computers from the network (disrupting operations)
• We need multiple tools to investigate and solve problems
• We have to wait for our AV vendor to supply signatures for new outbreaks
Proactively
• We cannot search the network for IP or other sensitive data
• We cannot search for unauthorised software or malicious code
• We cannot forensically remove data or malicious processes
• We don’t have time to investigate disgruntled employees
• We can’t identify potential risks comprehensively
How EnCase Enterprise and its modules link together
[Diagram labels] EnCase Enterprise Command Centre; API; Data Audit, System Audit, Investigative Intelligence; Document Management, Security Information Management, Intrusion Detection Systems, Content Management Systems; marked Current / Future.
[Diagram labels] Modules: EnCase Infocon Hardening, Bit 9, HB Gary Responder, EnCase Data Audit & Policy Enforcement, EnCase eDiscovery; EnCase Enterprise Platform (Examiner, SAFE, Snapshot, Connections, Pro Suite).
Critical Requirements of IR Capabilities
REACTIVE: extreme end-point visibility to answer hard information security questions at critical times…
• Were we compromised or not?
• Precision response to attacks
• Remote and immediate access to RAM and raw disk level data
• Preserve requisite info for the optimal decision making process: “freeze the crime scene”
• Enterprise collateral damage assessment
• Easily search for “intrusion footprint signatures”
• Search the enterprise for critical information
Implement Incident Response infrastructure
Implement EnCase Enterprise as a core
• define additional functionalities and plugins for EnCase
• training, testing, support, etc.
Integrate it with other tools
• IDS, IPS, network management, physical security, system administration, etc.
• help desk system, trouble ticketing system
Develop a lifecycle for an efficient Incident Response system
• policies, controls, reports, tests, etc.
• keep the IR system proactive, healthy and efficient
Anti-Forensics
Anti-forensics is any and all actions taken by an unauthorized intruder to conceal evidence.
• Securely deleting critical log files is considered an anti-forensic technique.
Use of anti-forensics was discovered in 39% of cases; this will be a trend to watch over the next years.
Source: "2008 DATA BREACH INVESTIGATIONS REPORT", A Study CONDUCTED BY THE VERIZON BUSINESS RISK TEAM
Incident Response Recommendations
• Align process with policy
• Achieve “essential” then worry about “excellent”
• Secure business partner connections
• Create a data retention plan
• Control data with transaction zones
• Monitor event logs
• Create an incident response plan
• Increase awareness
• Engage in mock incident testing
IT security dependencies
IT security depends on core competencies:
• People - skill and knowledge problem
• Process - there are standards and best practices
• Technologies - control of usage and functions
This can be achieved by
• developing an enterprise investigative infrastructure
• use of forensic technologies as a core part of IR
EnCase Enterprise “Core” Platform
Key capabilities
• Covertly investigate across the network on live machines
• Bit-level analysis able to uncover deleted and hidden data
• Also able to analyse volatile data in RAM
• Sweep the enterprise for hacker code like key loggers and root kits
• Court validated as forensically sound
• Role-based access control and encrypted data flow
Business benefits
• Respond to HR/IT requests much faster
• Conduct many more investigations with the same resource
• Rules employees in or out of investigations covertly
• Collects court-validated evidence of wrongdoing
Case Review I - Core EE
EnCase Enterprise (EE) Platform
HR investigation – a specific employee is under suspicion for viewing inappropriate content on their office machine.
• The specific employee's PC is covertly previewed
• The suspect's directory structure is viewed and all images are found
• A timeline analysis of when specific files/images were saved can be seen
• Over 400 types of file formats can ‘natively’ be viewed without having the corresponding applications
• All deleted but not overwritten files are pulled up for further evidence; they can be viewed though deleted
• USB/external storage device analysis can be done: check to see which files have been copied onto them
• The USB ID can be used to find where else the USB device has been plugged into other machines on the network
EnCase Incident Response
Key capabilities
• Can integrate directly with IDS and SIM solutions
• Automatically collects volatile data at the point of attack or infection
• Threat can be killed immediately on the target machine
• Scan and kill threat across the entire network very quickly
Business benefits
• Acts on intelligence provided by SIM
• Guarantees collection of intelligence 24x7x365
• Removes the threat from the entire estate without disrupting operations
• Helps enhance defences by offering real actionable intelligence
• Drives the true value out of IDS and SIM solutions
• An effective way to counter “Day Zero” attacks!
Case Review II
A professional malicious attacker tries to penetrate your network and you have netForensics deployed.
• The SIM (netForensics) and other perimeter defence products throw up high-priority alerts
• The alert is passed on to EnCase Enterprise
• An automatic snapshot of the target machine is retrieved (all processes running in the RAM of the target machine)
• Your SIRT team analyse the snapshot results to determine malicious processes
• The process can be killed remotely and forensically wiped on the target node
• The malicious/rogue process is hashed and an enterprise sweep carried out to determine the extent of the breach
• It can be remotely wiped on all “infected” nodes to clean the network
Kill Malicious Process – options
• Choice of deleting the process file, or deleting and wiping it from the hard drive
EnCase Data Audit & Compliance
Key capabilities
• Automate the search for IP (eg. video on demand), source code, PII such as credit card numbers, financial statements, compliance data, recharge card codes etc. by keyword, hash value, metadata, document type, within a date range, using GREP search expressions, across a defined node range
• Move offending data to a new location or wipe it completely
• Completed on desktops, laptops and servers irrespective of OS
Business benefits
• Protects valuable intellectual property
• Reduces risk of credit card and customer data theft
• Limits negative press by removing risks before they happen
• Ensures swift compliance with regulator demands
• Forms the basis for refining / tightening company policies / processes
Case Review III – protecting confidential info
EnCase Data Audit & Compliance
Minimise the risk of leakage by sweeping the network for a known highly “Confidential” strategy document.
• The confidential document is hashed to get its unique signature.
• An enterprise “sweep” is quickly done for this hash value. Whilst a keyword search can be done, using the hash is much faster.
• Results are found. Further investigation is done on those machines to see where the document was emailed.
• This is done by analysing the local PST mail file: search for attachments with the same hash value. The main body content of the mail can also then be easily seen.
• Remediation (forensically deleting the classified data) can also be done, if necessary.
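The hash sweep described above, as an added example that is not part of the original presentation or EnCase itself: it builds a constructed file tree in a temporary directory, hashes the confidential document, and sweeps for exact-content matches, which finds a renamed copy but not an edited one.

```python
"""Hash-based sweep for copies of a known confidential document (Case Review III).
Constructed illustration, not EnCase code: the document and the tree it is
swept for are created in a temporary directory so the script runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_hash(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file's content: the document's 'unique signature'."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # 1 MiB pieces
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, target_hashes: set) -> list:
    """Return every file under root whose content hash is in target_hashes.
    Matching is on content only: a renamed copy is found, but a copy with one
    edited byte is not; that is the trade-off against a slower keyword search."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if file_hash(p) in target_hashes:
                    hits.append(p)
            except OSError:
                continue  # unreadable file: a real sweep would log it
    return sorted(hits)


def demo() -> tuple:
    """Constructed tree: original, renamed copy, edited copy, unrelated file."""
    secret = b"STRATEGY 2009 - CONFIDENTIAL - do not distribute\n" * 50
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "strategy.doc").write_bytes(secret)           # the original
        (root / "hr" / "holiday_pics.dat").write_bytes(secret)       # renamed copy
        (root / "notes.txt").write_bytes(secret[:-1] + b"!")         # edited: hash differs
        (root / "readme.txt").write_bytes(b"nothing to see here\n")  # unrelated
        signature = file_hash(root / "hr" / "strategy.doc")
        hits = sweep(root, {signature})
        return len(hits), sum(1 for h in hits if h.name == "holiday_pics.dat")
```

The same `sweep` would serve the PST step by being pointed at exported attachments, since it only compares content digests.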
EnCase Infocon Hardening
Key capabilities
• Perform network-wide system integrity checking
• Baseline servers, workstations and laptops; perform scheduled and automated audits to look for threats from malicious and risky applications of any kind without having to wait for signatures from antivirus vendors and other assessment tools
• Identify undocumented and unauthorized configuration changes to systems
• Automate the auditing and reporting of systems across time to identify installed software, new devices, and changes to users
Business benefits
• Ensures contraband, such as illegal software, is not on the network
• Ensures key system assets have not been compromised by external hackers
• Identifies suspicious employee behaviour, such as trying to hide data
Case Review IV – System Audit for a key Enterprise Server
• An enterprise server (eg. online mobile payments application) is audited whilst live to check for potential compromise / threats
• A “gold build”, ie. all known good running processes, is created for that server. This hash set forms the baseline.
• At a later point in time, an audit is done for the same machine or other servers that should be identical.
• Infocon Hardening quickly compares the baseline with the results from the snapshot of running processes. Any processes not in the standard baseline are highlighted.
• Based on further investigation and validation, the offending processes can be remotely “killed” and wiped if necessary.
• On investigation, undesired processes can be killed remotely to restore the baseline
• Choice of deleting the process file, or deleting and wiping it from the hard drive
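The baseline-versus-snapshot comparison above, as an added example that is not EnCase or Infocon Hardening code: the gold build and the later snapshot are constructed in-line, and a process is highlighted either because its image hash and name are both unknown, or because a known name now runs with a different hash.

```python
"""Audit a live process snapshot against a 'gold build' baseline (Case Review IV).
Constructed illustration, not EnCase or Infocon Hardening code: the process
snapshots are built in-line from made-up names, paths and image contents."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    path: str
    image_hash: str  # digest of the on-disk executable, not of the name


def fake_image(content: str) -> str:
    """Stand-in for hashing a real executable: digest of constructed content."""
    return hashlib.sha256(content.encode()).hexdigest()


def build_baseline(gold: list) -> set:
    return {p.image_hash for p in gold}  # the hash set that forms the baseline


def audit(snapshot: list, baseline: set, known_names: set) -> list:
    """Return (reason, proc) for each process whose image is not in the baseline.
    Unknown name: new software. Known name, other hash: the binary was replaced."""
    findings = []
    for p in snapshot:
        if p.image_hash in baseline:
            continue  # exact match with the gold build
        reason = "unknown-name" if p.name not in known_names else "known-name-hash-differs"
        findings.append((reason, p))
    return findings


GOLD = [  # constructed gold build of the payments server
    Proc("payments.exe", r"C:\app\payments.exe", fake_image("payments v1.0")),
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", fake_image("svchost build 6001")),
]
LATER = [  # constructed snapshot taken at a later audit
    Proc("payments.exe", r"C:\app\payments.exe", fake_image("payments v1.0")),  # unchanged
    Proc("svchost.exe", r"C:\Users\tmp\svchost.exe", fake_image("not svchost")),  # same name, other hash
    Proc("updater.exe", r"C:\Users\tmp\updater.exe", fake_image("unknown tool")),  # not in baseline
]


def demo() -> dict:
    base = build_baseline(GOLD)
    return {p.name: reason for reason, p in audit(LATER, base, {p.name for p in GOLD})}
```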