Doctor A Security

Forensics Analysis of Hacking Cases

Norman PAN, CISA, PDCF

Doctor A Security Systems (HK) Ltd.
2003-09-22
npan@drasecurity.com
(Professional correspondence only)
Today

§ Is for
– Need to know
– Should/should not

§ Is NOT for
– How to do
– Legal advice
2003-09-22 Norman PAN Doctor A Security Systems (HK) Ltd. (c) 2


Case for discussion … 1

§ Investigator arrived at the crime scene and
§ used his notebook and created a new partition in the existing USB hard disk…
Case for discussion … 2

§ Used a forensic tool installed yesterday on his notebook from a colleague’s CD
Case for discussion … 3

§ Unplugged the power supply of the target computer
Case for discussion … 4

§ Copied the files of the target computer to the newly created partition
Case for discussion … 5

§ Investigator returned to the office; his colleague borrowed his notebook for another case and returned it 2 days later.
The Cost of an Incident

§ Intruder: 2 hours
§ The time spent to clean up after them: 80 hours
– not including
v Intrusion detection (human element)
v Forensic acquisition of disk images
v Restoration of compromised system
v Hardening of compromised system
v Network scanning for other vulnerable systems
v Communications with stakeholders
Forensic, for the sake of Forensic?

§ Incident Response Procedure…
– … Snapshot of the victim machine… (?)
§ Decide
– Recovery
v Virus
v Failed hard disk…
– Forensic (if evidence is important)
v Substantial financial loss
v Computer crime
– Intrusion
– Theft of proprietary information…
Why is Forensics, a little bit, difficult?

1. Too many variables
– Operating systems
– Software applications
– Cryptography
– Hardware platform
– Law
– International boundaries
– Publicity
Elements of Forensic Readiness

§ How logging is done
§ What is logged
§ Forensic acquisition
§ Evidence handling
How Logging is Done

§ “needle in the haystack”
– Data from an IDS
– Centralized logging
§ Time
– time synchronization becomes an issue.
§ Permissions
§ Reporting
Usefulness of Incident Data

§ The victim system(s) RAM, registers and raw disk
§ The attacking system(s) RAM, registers and raw disk
§ Logs (from the victim and attacking systems as well as intermediary systems)
§ Physical security at the attacking system (e.g. camera monitoring, etc.)
Solid Analysis and Case Building

§ You have to defend
– How you work
– Why you work this way
§ To the juror (non-technical)
– If you tell them you have no defined methodology
– Acquittal for reasonable doubt
§ Methodology becomes a discipline
– Think about car driving
Document Everything

§ REFUTED because of mishandling??
§ Chain of evidence
– 1 x conducting the investigation
– 1 x documenting
§ What
– Time
– Date
– Steps that were taken
– Names involved
– Whose authority for each step.
Crime Scene … 1

§ Snapshot
– Photograph the scene
– Note the scene
v Personal items
– Photograph the actual evidence
v E.g. what’s on the screen
– Open the case carefully
– Photograph the internals
– Document the internals (e.g. serial #, cable config – IDE, SCSI…)
Crime Scene … 2

§ Label the evidence
– Consistently
§ Photograph the evidence with its label
§ Document who did what and when.
§ Custodian double-checks your list and initials next to yours while at the scene
§ Videotape the team entrance and evidence transport, if possible
Evidence Transportation

§ Legal authority?
§ Guard against electrostatic discharge
Preparing the Evidence

§ Unpack the evidence
– Document date, …
§ Visually examine
§ Duplicate IMAGE of hard drive
– Turn off virus scanning software
– Record the time/date of the CMOS
v Time zone
v Accurate
§ Make a second copy
§ Seal the original evidence
– Electrostatic safe
– Catalog it
– Initialed by everyone who touched it.
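
The CMOS time/date and time zone are recorded so that the suspect machine’s clock can later be reconciled with synchronized sources (the “time synchronization becomes an issue” point under How Logging is Done). The script below is an added example, not part of the deck: it derives the skew between the recorded CMOS reading and a trusted reference time, then normalises log lines from the suspect host to UTC so they line up with centrally logged IDS events. All timestamps, hosts and log lines are constructed for the example.

```python
"""Correct for an unsynchronised suspect clock when correlating its logs with
centrally logged IDS data.

Added example for this deck; every timestamp, host and log line below is
constructed, not taken from the slides or any real case.
"""
from datetime import datetime, timedelta, timezone

# What the examiner wrote down at acquisition (constructed values):
#   CMOS clock displayed 2003-09-22 10:03:40, BIOS set to local time, UTC+8 (HKT)
#   trusted reference (NTP-synced laptop) read 2003-09-22 02:01:10 UTC at that moment
HKT = timezone(timedelta(hours=8))
CMOS_READING = datetime(2003, 9, 22, 10, 3, 40, tzinfo=HKT)
REFERENCE_UTC = datetime(2003, 9, 22, 2, 1, 10, tzinfo=timezone.utc)

# Constructed log lines from the suspect host (local time from its skewed clock)
SUSPECT_LOG = [
    "2003-09-22 09:47:05 sshd: Accepted password for admin from 10.0.0.5",
    "2003-09-22 09:49:30 sudo: admin : COMMAND=/bin/cp /etc/shadow /tmp/.s",
]
# Constructed alerts from the central, NTP-synced log server (already UTC)
IDS_LOG = [
    "2003-09-22T01:44:35Z alert: repeated SSH login failures 10.0.0.5 -> 10.0.0.20",
    "2003-09-22T01:47:00Z alert: sensitive file read on 10.0.0.20",
]


def clock_skew(cmos_reading: datetime, reference_utc: datetime) -> timedelta:
    """How far the suspect clock runs ahead (+) of or behind (-) true time."""
    return cmos_reading - reference_utc


def normalise(local_stamp: str, tz: timezone, skew: timedelta) -> datetime:
    """Convert a naive local timestamp from the suspect's logs to true UTC."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    return (naive.replace(tzinfo=tz) - skew).astimezone(timezone.utc)


def parse_suspect(line: str, tz: timezone, skew: timedelta) -> tuple:
    """Suspect log line -> (utc datetime, source, message)."""
    stamp, msg = line[:19], line[20:]
    return normalise(stamp, tz, skew), "suspect", msg


def parse_ids(line: str) -> tuple:
    """Central IDS line (ISO-8601, Z suffix) -> (utc datetime, source, message)."""
    stamp, msg = line.split(" ", 1)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, "ids", msg


def build_timeline(skew: timedelta) -> list:
    """Merge both sources into one UTC-ordered timeline (stable sort keeps
    suspect entries before IDS entries at equal times)."""
    events = [parse_suspect(l, HKT, skew) for l in SUSPECT_LOG]
    events += [parse_ids(l) for l in IDS_LOG]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    skew = clock_skew(CMOS_READING, REFERENCE_UTC)
    print(f"suspect clock skew: {skew.total_seconds():+.0f} s")
    for when, source, msg in build_timeline(skew):
        print(f"{when.isoformat()} [{source:7}] {msg}")
```

With the constructed values the suspect clock is 150 seconds fast, so the uncorrected login at 09:47:05 HKT would appear to follow the IDS alert by two and a half minutes; after correction the two events coincide at 01:44:35 UTC. Recording the skew at acquisition (and re-checking it if the machine is powered on again) is what makes this arithmetic defensible later.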

Forensic Acquisition

§ To preserve the entire digital crime scene with minimal or no modification of data.
§ Order Of Volatility (OOV), which implies that collecting some data impacts other data.
– CDROM-based tool kit
Imaging

§ Backup
– MAC?
– Deleted files?
§ Live system?
§ Open source tools
§ Cryptographic hashes
§ Shutdown vs. power-off
§ Copy of the copy
Evidence Handling … 1

§ Chain of custody
– track who had access
§ Starts when the data is first considered as potential evidence and should continue through presentation of the item as evidence in court.

Evidence Handling … 2

§ Physical transport
– FBI
§ Storage
– Paper chars at 460 °F
– Data starts disappearing at 120 °F
Examination of Evidence

§ Disk image(s) should be mounted read-only

Now, you have the evidence…

§ Where do we start?
§ Think like an intruder
§ And let’s start…

Some useful links

General
§ http://www.cybercrime.gov/
§ http://www.e-evidence.info/
§ http://www.forensix.org/

Tools
§ http://www.sleuthkit.org/
§ http://fire.dmzs.com/
