Scribd
Upload
18 views

Forensics Analysis of Hacking Cases

The document discusses best practices for digital forensics analysis of hacking cases. It outlines challenges such as the large number of variables involved, including operating systems, applications, hardware and international legal issues. It emphasizes the importance of forensic readiness through proper logging, evidence handling and acquisition procedures. Maintaining a solid methodology is also highlighted as important for building a strong legal case and withstanding challenges in court.

Uploaded by

Bhaskar Lal Das
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
18 views

Forensics Analysis of Hacking Cases

The document discusses best practices for digital forensics analysis of hacking cases. It outlines challenges such as the large number of variables involved, including operating systems, applications, hardware and international legal issues. It emphasizes the importance of forensic readiness through proper logging, evidence handling and acquisition procedures. Maintaining a solid methodology is also highlighted as important for building a strong legal case and withstanding challenges in court.

Uploaded by

Bhaskar Lal Das
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

Doctor A Security

Forensics Analysis of
Hacking Cases

Norman PAN cisa, pdcf


Doctor A Security Systems (HK) Ltd.
2003-09-22
[email protected]
(Professional correspondence only)
Today

§ Is for
– Need to know
Doctor A Security

– Should/should
not

§ Is NOT for
– How to do
– Legal advice

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 2


Case for discussion .. 1

§ Investigator
arrived the
crime scene and
Doctor A Security

§ used his
notebook and
created a new
partition in the
existing USB
Hard disk…

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 3


Case for discussion … 2

§ Used a
Forensic tools
installed
Doctor A Security

yesterday in
his notebook
using
colleague’s CD

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 4


Case for discussion … 3

§ Unplugged
the power
Doctor A Security

supply of the
target
computer

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 5


Case for discussion … 4

§ Copied the
files of the
target
Doctor A Security

computer to
the
Investigation
newly created
partition

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 6


Case for discussion … 5

§ Investigator
returned to
office, his
Doctor A Security

colleague
borrowed his
notebook for
another case,
and returned 2
days later.

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 7


The Cost of an Incident

§ Intruder: 2 Hours
§ the time spent to
clean up after them:
Doctor A Security

80 Hours
– not inlcude
v Intrusion Detection
(human element)
v Forensic acquisition of
disk images
v Restoration of
compromised system
v Hardening of
compromised system
v Network scanning for
other vulnerable
systems
v Communications with
stakeholders

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 8


Forensic, for the sake of Forensic?

§ Incident Respond
Procedure… .
– .. Snapshot of the
victim machine… (?)
Doctor A Security

§ Decide
– Recovery
v Virus
v Failed Harddisk…
– Forensic (if evidence
if important)
v Substantial
financial loss
v Computer crime
– Intrusion
– Theft of
proprietary
information…

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 9


Why Forensics is, a little bit, difficult?

1. Too many
variables
– Operating systems
Doctor A Security

– Software
application
– Cryptography
– Hardware platform
– Law
– International
boundaries
– Publicity

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 10


Elements of Forensic Readiness

§ How Logging is
Done
§ What is Logged
Doctor A Security

§ Forensic
Acquisition
§ Evidence
Handling

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 11


How Logging is Done

§ “needle in the
haystack”
Doctor A Security

– Data from an IDS


– Centralized logging
§ Time
– time
synchronization
becomes an issue.
§ Permissions
§ Reporting

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 12


Usefulness of Incident Data

§ The victim system(s) RAM,


registers and raw disk
§ The attacking system(s)
Doctor A Security

RAM, registers and raw


disk
§ Logs (from the victim and
attacking systems as well
as intermediary systems)
§ Physical security at the
attacking system (e.g.
camera monitoring, etc)

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 13


Solid Analysis and Case Building

§ You have to defend


– How you work
– Why you work this
way
Doctor A Security

§ To Juror (non tech)


– If you tell them you
have no defined
methodology
– Acquit for
Reasonable doubt
§ Methodology
become a
Discipline
– Think about car
driving

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 14


Document Everything

§ REFUTE because of
mishandling??
§ Chain of evidence
Doctor A Security

– 1 x Conduction the
investigation
– 1 x Document
§ What
– Time
– Date
– Steps were taken
– Name involved
– Whose authority’s
for step.

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 15


Crime Scene … . 1

§ Snapshort
– Photograph the scene
– Note the scene
Doctor A Security

v Personal items
– Photograph the actual
evidence
v E.g. What’s on the
screen
– Open the case
carefully
– Photograph the
internal
– Document the
internals (e.g. Serial#,
cable config – IDE,
SCSI… )

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 16


Crime Scene … 2

§ Label the evidence


– Consistently
§ Photograph the
Doctor A Security

evidence with label


§ Document who did
what at when.
§ Custodian double
checked your list,
initials next to yours
while at the scene
§ Videotape the team
entrance and evidence
transport, if possible

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 17


Evidence transportation

§ Legal
authority?
Doctor A Security

§ Guard
against
electrostatic
discharge

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 18


Preparing the Evidence

§ Unpack the evidence


– Document date, … .
§ Visually examine
§ Duplicate IMAGE of
Doctor A Security

hard drive
– Turn off virus
scanning software
– Record the time/date
of the CMOS
v Time zone
v Accurate
§ Make a second copy
§ Seal the original
evidence
– Electrostatic safe
– Catalog it
– Initial by everyone
touched.

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 19


Forensic Acquisition

§ to preserve the
entire digital crime
scene with minimal
Doctor A Security

or no modification
of data.
§ Order Of Volatility
(OOV) which implies
that collecting some
data impacts other
data.
– CDROM based tool kit

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 20


Imaging

§ Backup
– MAC?
Doctor A Security

– Deleted files?
§ Live system?
§ Open source tools
§ Cryptographic
hashes
§ Shutdown vs
Poweroff
§ Copy of the copy

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 21


Evidence Handling … 1

§ Chain of Custody
– track who had
access
Doctor A Security

§ start when the data


is first considered
as potential
evidence and
should continue
through
presentation of the
item as evidence
in court.
2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 22
Evidence Handling … 2

§ Physical
Transport
Doctor A Security

– FBI
§ Storage
– Paper char at
460F
– Data start
disappearing
at 120F

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 23


Examination of Evidence

§ disk image(s)
should be
Doctor A Security

mounted read-
only

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 24


Now, you have the evidence…

§ Where do we
start?
Doctor A Security

§ Think like an
Intruder

§ And Let’s
start …

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 25


Some useful links

General
§ http://www.cybercrime.gov/
§ http://www.e-evidence.info/
Doctor A Security

§ http://www.forensix.org/

Tools
§ http://www.sleuthkit.org/
§ http://fire.dmzs.com/

2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 26

You might also like