QUICK INTRO
MUHAMMAD MUSLIM BIN MANSOR - Forensic Analyst / Certified Instructor - +60136336310 / muslim.mansor@ieee.org
MOHD FADZIL BIN MD ARAP - IT Subject Matter Expert / Mozilla Community - fadz8L@gmail.com
INCIDENT HANDLING
Mission 1: Incident Response - Incident Handling Procedures; Dealing with Incident Scenarios
Mission 2: Forensic Imaging - Anatomy of HDD & File System; Recover Deleted Data
MISSION 1
INTRODUCTION TO INCIDENT RESPONSE
WHAT IS AN INCIDENT?
Computer Security Incident: a real or suspected adverse event in relation to the security state of computers or networks.
It is a violation or imminent threat of violation of computer security policies, acceptable use policies & standard security practice.
Examples:
- Port scanning, computer & network intrusions, web defacement
- Account lockdown, Denial of Service (DoS), virus/worm outbreak, password leakage, stolen identity
- Hardware failure (servers/backup), telecommunication/network failure
- Power loss (blackout), force of nature (flood, tsunami, fire)
INCIDENT CLASSIFICATIONS
High Level: poses an immediate threat to various systems; leads to criminal charges, regulatory fines or a bad name. Should be handled immediately after the incident.
- Active computer/network intrusions
- Denial of Service attack
- Incidents which lead to violation of any laws
Medium Level: more serious incidents compared to low level. Should be handled within the same day of the incident.
- Inactive internal/external unauthorized access to a system
- Theft of personal data relevant to a computer
- Localized virus/worm outbreak
Low Level: least severe kind of incidents. Should be handled within one day after the incident occurs.
- Loss of a personal password
- Unsuccessful scans & probes
- Presence of computer viruses/worms
SYMPTOMS OF INCIDENTS
Typical indications of computer incidents:
- Antivirus detects infected files
- Programs take longer to load than normal
- System files become inaccessible
- The computer's hard drive & memory constantly run out of free space
- Files with strange, unrecognizable names
- Systems become unstable & often crash
Specific indications of network incidents:
- Unusual open ports
- Increase of abnormal network activities (after office hours/weekends)
LIVE RESPONSE: VOLATILE VS. NON-VOLATILE DATA
Volatile data is lost when the machine is powered off, unlike non-volatile data on disk, so collect it first on the live system:
- The system date and time
- Current network connections
- Open TCP and UDP ports
- Which executables are opening TCP or UDP ports
- Cached NetBIOS name table
- Users currently logged on
- Internal routing table
- Running processes
- Running services
- Scheduled jobs
- Open files
- Memory dumps
Be stealthy while performing an investigation on a live machine. Use PsLoggedOn from the PsTools suite (www.sysinternals.com) to list the users currently logged on.
One of the best-known attack techniques for rerouting data is altering the routing table. The command netstat -rn lets the investigator record the current routing table for later analysis.
UnxUtils (www.unxutils.sourceforge.net; also available from Cygwin) has a utility called find which provides more information than dir: file permissions, last access date and time, modify date and time, created date and time (%C is strictly the status-change time, which the slide treats as the creation time), user ownership, group ownership, file size and the full path of every file:
find c:\ -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
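The find -printf output above is only useful once it is turned into a timeline. The following is an added example (not part of the original deck or the FRED toolkit): it parses records in exactly that semicolon-separated format, sorts them by modification time, and flags files modified outside office hours or on weekends, tying back to the "after office hours/weekends" symptom. The sample records, the office-hours window (08:00-18:00) and the C-locale date format (mm/dd/yy) are assumptions; find prints dates in the current locale.

```python
"""Build a file timeline from UnxUtils/Cygwin `find -printf` output.

Record format, one line per file, as produced by
    find c:\\ -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\\n"
i.e. mode;access date;access time;modify date;modify time;change date;
change time;uid;gid;size;path. Dates and times are assumed to be in the
C locale (mm/dd/yy and HH:MM:SS.fraction), which is find's default.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample records (not a real capture) in the format above.
SAMPLE_LINES = [
    r"644;03/12/12;09:15:02.0000000000;03/12/12;09:15:02.0000000000;03/12/12;09:15:02.0000000000;500;513;824;c:\Windows\System32\drivers\etc\hosts",
    r"755;03/17/12;23:41:07.0000000000;03/17/12;23:41:07.0000000000;03/17/12;23:41:07.0000000000;500;513;73728;c:\Windows\System32\svch0st.exe",
    r"644;03/14/12;16:20:40.0000000000;03/14/12;16:20:40.0000000000;03/14/12;16:20:40.0000000000;1000;513;52231;c:\Users\alice\Documents\report.docx",
    r"755;03/15/12;02:03:55.0000000000;03/15/12;02:03:55.0000000000;03/15/12;02:03:55.0000000000;500;513;19456;c:\Windows\Temp\~tmp1.dll",
]


@dataclass
class FileRecord:
    mode: str
    atime: datetime
    mtime: datetime
    ctime: datetime
    uid: int
    gid: int
    size: int
    path: str


def _parse_stamp(date: str, clock: str) -> datetime:
    # find prints the time with a fractional part (09:15:02.0000000000); drop it.
    return datetime.strptime(f"{date} {clock.split('.')[0]}", "%m/%d/%y %H:%M:%S")


def parse_record(line: str) -> FileRecord:
    # The path is the last field and may itself contain ';', so split at most 10 times.
    f = line.rstrip("\n").split(";", 10)
    if len(f) != 11:
        raise ValueError(f"malformed record: {line!r}")
    return FileRecord(
        mode=f[0],
        atime=_parse_stamp(f[1], f[2]),
        mtime=_parse_stamp(f[3], f[4]),
        ctime=_parse_stamp(f[5], f[6]),
        uid=int(f[7]),
        gid=int(f[8]),
        size=int(f[9]),
        path=f[10],
    )


def parse_records(lines):
    return [parse_record(line) for line in lines if line.strip()]


def timeline(records):
    """Records sorted by modification time, oldest first."""
    return sorted(records, key=lambda r: r.mtime)


def after_hours(records, start=time(8, 0), end=time(18, 0)):
    """Files modified on a weekend or outside the assumed office-hours window."""
    flagged = []
    for r in records:
        weekend = r.mtime.weekday() >= 5          # 5 = Saturday, 6 = Sunday
        off_hours = not (start <= r.mtime.time() < end)
        if weekend or off_hours:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    records = parse_records(SAMPLE_LINES)
    suspicious = after_hours(records)
    for r in timeline(records):
        flag = "  <-- after hours/weekend" if r in suspicious else ""
        print(f"{r.mtime:%Y-%m-%d %H:%M:%S} {r.size:>8} {r.path}{flag}")
```

Run it against the real output of the find command by reading the lines from the saved file instead of SAMPLE_LINES; the after-hours filter is a triage aid, not proof of compromise, so review the flagged files in the context of the rest of the timeline.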
PRACTICAL TIME
Prepare for our first hands-on. GENTLEMEN, START YOUR ENGINE!
Next steps:
- Perform the First Responder Procedure using FRED (better to load it onto a flash drive)
- Ready? Let's analyze the result
Cooked case: Case study I - FRP from a simulated bank incident
AUTOMATED ANALYSIS
Utilize various free resources to perform quick analysis of malware.
Online scanners:
- VirusTotal - http://www.virustotal.com
- Comodo - http://camas.comodo.com/
- Jotti - http://virusscan.jotti.org/
Sandboxing:
- GFI ThreatTrack (formerly CWSandbox) - http://www.threattrack.com/
- Norman Sandbox - http://www.norman.com/security_center/security_tools/
STATIC ANALYSIS - studying a program without actually executing it.
Advantage: it can reveal how a program would behave under unusual conditions, because we can examine parts of the program that normally do not execute.
Disadvantage: a tedious process, and it is impossible to fully predict the behavior.
Some of the analysis steps:
- Packer detection via PEiD
- String search
- Code analysis by reversing - use OllyDbg, IDA Pro
DYNAMIC ANALYSIS - studying a program as it executes.
Advantage: it can be fast and accurate.
Disadvantage: what you see is what you get (only the code paths actually taken are observed).
Some of the analysis steps:
- Process monitoring
- Registry monitoring
- File monitoring
- Network sniffing using Wireshark
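The first two static-analysis steps (packer detection and string search) can be done with a few lines of code. The following is an added example, not a tool from the deck: it extracts printable strings, picks out URL/IP-looking indicators from them, and applies a crude packer check based on the UPX section names plus Shannon entropy (PEiD does the same job with a signature database). Both "binaries" are constructed byte strings, not real samples; the 7.0 bits/byte threshold and the marker list are assumptions.

```python
"""Static triage of a binary without executing it: printable strings,
indicator-like strings, Shannon entropy and a crude packer heuristic.

Added example; the two byte blobs below are constructed, not real malware.
"""
import math
import random
import re
from collections import Counter

# Constructed "unpacked" executable: mostly padding with the strings an analyst
# would expect in a Windows PE (DOS stub text, imports, a download URL).
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 40
    + b".text\x00\x00\x00" + b"\x00" * 8
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://198.51.100.7/update.bin\x00" + b"\x00" * 200
)

# Constructed "packed" executable: a UPX0 section name followed by seeded
# pseudo-random bytes standing in for compressed code (reproducible).
_rng = random.Random(7)
PACKED_SAMPLE = b"MZ\x90\x00UPX0\x00\x00\x00\x00" + bytes(_rng.randrange(256) for _ in range(4096))

PACKER_MARKERS = (b"UPX0", b"UPX1", b"UPX!")   # section names / header tag left by UPX
IOC_RE = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data, min_len=4):
    """ASCII runs of at least min_len printable characters (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(strings):
    """Strings that look like URLs or IPv4 addresses."""
    return [s for s in strings if IOC_RE.search(s)]


def shannon_entropy(data):
    """Bits per byte: plain code/text sits around 4-6, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(data, entropy_threshold=7.0):
    """Reasons to suspect a packer: known section markers and/or high entropy."""
    hints = [f"marker {m.decode()}" for m in PACKER_MARKERS if m in data]
    ent = shannon_entropy(data)
    if ent > entropy_threshold:
        hints.append(f"high entropy {ent:.2f} bits/byte")
    return hints


def looks_packed(data):
    return bool(packer_indicators(data))


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        strings = extract_strings(blob)
        print(f"[{label}] entropy={shannon_entropy(blob):.2f} strings={len(strings)} "
              f"indicators={find_indicators(strings)} packer={packer_indicators(blob)}")
```

A packed sample yields almost no useful strings, which is why packer detection comes first: unpack (or fall back to dynamic analysis) before spending time on string search and disassembly.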
MISSION 2
FORENSIC IMAGING
IMPORTANT COMPONENT
- Track: usually numbered starting from 0 (at the outside) and increasing towards the center (typically 1024). Each track can hold many thousands of bytes of data.
- Sector: smallest physical storage unit on the disk, normally 512 bytes in size. Factory track-positioning data determines the labeling of disk sectors.
- Cluster: smallest allocation unit of the hard disk (determined during formatting). The minimum size is one sector (1 sector/cluster); a typical NTFS disk allocates 8 sectors/cluster (4096 bytes per cluster).
Cluster size can be altered for optimum disk storage.
- Larger cluster size (greater than one sector): minimizes the fragmentation problem, but increases the probability of unused space in each cluster.
- Smaller cluster size: reduces the unused area on the disk, so less disk storage area is needed to save the same information.
Introducing slack space: slack space is the free space left in a cluster after data has been written to it. DOS and Windows use fixed-size clusters for the file system; if the stored data is smaller than the cluster size, the unused remainder stays reserved for that file, resulting in slack space (which may still hold fragments of whatever previously occupied the cluster).
FILE SYSTEM
Disk file systems:
- ext2, ext3 (popular Linux file systems)
- FAT12 (floppy disk)
- FAT16, FAT32 (older Windows file systems)
- NTFS (newer Windows file system)
- HFS, HFS+ (typical Mac OS file systems)
- ISO9660 (Rock Ridge & Joliet are extensions of this CD-ROM & DVD-ROM file system)
- ZFS (used on Solaris 10)
Network file systems:
- AFS (Andrew File System)
- AppleShare
- NFS
- SMB (sometimes also called the Samba file system)
Special-purpose file systems:
- acme (Plan 9 - text windows)
- cfs (caching)
- ftpfs (FTP access)
- wikifs (wiki wiki)
- davfs2 (WebDAV)
WINDOWS OS - FAT
The File Allocation Table (FAT) is the index of the clusters that make up every file on the volume; it resides at the beginning of the volume.
It keeps 2 copies of the file allocation table to protect the volume from damage.
Content of FAT typically:
WINDOWS OS - NTFS
New Technology File System (NTFS) was introduced to replace FAT.
It has several improvements over FAT such as improved support for metadata and the use of advanced data structures to improve performance, reliability and disk space utilization.
Other extensions: security access control lists, file system journaling.
LINUX OS
The 2 most famous file systems for Linux are ext2 and ext3. Extended 3 (ext3) is an enhanced version of ext2 with a journaling file system. Both use the inode, a basic building block (one for each file & directory); the inodes of a file system are placed together in inode tables.
When a file is deleted on FAT, the OS marks the file's name in its directory entry with a special character (0xE5) that indicates the file has been deleted, and the corresponding clusters in the FAT are marked as unused.
The computer thereafter regards the clusters occupied by that file as empty & therefore available to store any new file. The deleted file can be recovered as long as that space has not been allocated to another file.
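To make the deletion mechanism concrete, here is an added example (constructed data, not a tool from the deck) that builds a small FAT 8.3 directory, parses it, recognizes the 0xE5 marker, and decides whether the deleted file is still recoverable by checking that the clusters it would have occupied are still free in the FAT. Because deletion also zeroes the file's cluster chain, the check assumes the file was stored contiguously from its first cluster, which is the same assumption undelete tools make. It also computes the cluster count and slack space for a given file size, as described on the HDD slides. The toy FAT table, the 4096-byte cluster and the file names are assumptions.

```python
"""Parse FAT 8.3 directory entries, judge whether a deleted file is still
recoverable, and do the cluster/slack arithmetic from the HDD slides.

Added example with constructed data; it is not a tool from the original deck.
"""
import math
import struct
from dataclasses import dataclass

ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")  # 32-byte FAT directory entry
DELETED = 0xE5          # first name byte of a deleted entry
SECTOR = 512
CLUSTER = 8 * SECTOR    # 8 sectors/cluster = 4096 bytes, as on the slides
EOC = 0xFFFF            # end-of-chain marker in our toy FAT16-style table
FREE = 0x0000           # unallocated cluster


@dataclass
class DirEntry:
    name: str           # "?" replaces the first character lost to 0xE5
    deleted: bool
    size: int
    first_cluster: int


def make_entry(name, ext, size, first_cluster, deleted=False):
    """Build one 32-byte 8.3 entry; used only to construct the sample directory."""
    raw = name.ljust(8).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    # fields: name, ext, attr, reserved, ctime_tenth, ctime, cdate, adate,
    #         first_cluster_hi, wtime, wdate, first_cluster_lo, size
    return ENTRY.pack(raw, ext.ljust(3).encode("ascii"), 0x20, 0, 0, 0, 0, 0,
                      first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(blob):
    entries = []
    for off in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        f = ENTRY.unpack_from(blob, off)
        name, ext, attr, hi, lo, size = f[0], f[1], f[2], f[8], f[11], f[12]
        if name[0] == 0x00:
            break                      # 0x00 marks the end of the directory
        if attr & 0x0F == 0x0F:
            continue                   # long-file-name entry, not an 8.3 record
        deleted = name[0] == DELETED
        base = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
        suffix = ext.decode("ascii").rstrip()
        full = f"{base}.{suffix}" if suffix else base
        entries.append(DirEntry(full, deleted, size, (hi << 16) | lo))
    return entries


def clusters_needed(size, cluster=CLUSTER):
    return math.ceil(size / cluster)


def slack_bytes(size, cluster=CLUSTER):
    """Unused bytes in the last cluster (zero for an empty file, which owns none)."""
    return clusters_needed(size, cluster) * cluster - size


def recoverable(entry, fat, cluster=CLUSTER):
    """Deletion zeroes the FAT chain, so assume the file was contiguous from its
    first cluster; it is recoverable if every cluster it would have occupied
    is still unallocated."""
    n = clusters_needed(entry.size, cluster)
    wanted = range(entry.first_cluster, entry.first_cluster + n)
    return all(c < len(fat) and fat[c] == FREE for c in wanted)


# Constructed directory: an active README, a deleted SECRET.DOC, an active NOTES.
DIRECTORY = (make_entry("README", "TXT", 1200, 3)
             + make_entry("SECRET", "DOC", 9000, 5, deleted=True)
             + make_entry("NOTES", "TXT", 100, 8)
             + b"\x00" * ENTRY.size)

# Toy FAT right after the deletion: clusters 5-7 (SECRET.DOC) have been freed.
FAT_AFTER_DELETE = [0xFFF8, EOC, FREE, EOC, FREE, FREE, FREE, FREE, EOC] + [FREE] * 7
# Same table after a new one-cluster file was written into cluster 6.
FAT_AFTER_REUSE = list(FAT_AFTER_DELETE)
FAT_AFTER_REUSE[6] = EOC

if __name__ == "__main__":
    entries = parse_directory(DIRECTORY)
    for e in entries:
        state = "deleted" if e.deleted else "active"
        print(f"{e.name:<12} {state:<8} size={e.size:<6} first={e.first_cluster:<3} "
              f"clusters={clusters_needed(e.size)} slack={slack_bytes(e.size)}")
    gone = [e for e in entries if e.deleted][0]
    print("recoverable right after deletion:", recoverable(gone, FAT_AFTER_DELETE))
    print("recoverable after cluster 6 reused:", recoverable(gone, FAT_AFTER_REUSE))
```

The second FAT table is the case the exercises ask about: once any cluster in the deleted file's range has been handed to a new file, the metadata-based undelete fails and only carving (next section) can still pull out the surviving fragments.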
PRACTICAL TIME
Exercise 1: Let's try to see the process of disk imaging. Why do we need imaging?
Exercise 2: Load the disk image in FTK Imager/FTK. Is it possible to analyze the deleted data? How about a deleted partition/formatted disk?
Exercise 3: We will try the automated recovery tools Restoration, Zero Assumption Recovery and Recuva. Are they 100% efficient?
Exercise 4: Let's try to carve files based on file signatures.
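Exercise 4 is file carving: recovering files from raw bytes by their header and footer signatures, with no help from the file system. The following is an added example, not a tool from the deck; it scans a constructed "disk image" for JPEG, PNG and PDF signatures, handles a header whose footer is missing (a truncated or partly overwritten file) by capping the carve at a maximum size, and returns the carved objects with their offsets. The image contents, the signature table and the 64 KiB size cap are assumptions.

```python
"""Carve files out of a raw image by header/footer signature, independent of
any file-system metadata. Added example; the "image" below is a constructed
byte string, not a real disk dump.
"""
from dataclasses import dataclass

# header, footer pairs for a few common types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class Carved:
    kind: str
    start: int        # byte offset of the header in the image
    end: int          # offset one past the last carved byte
    data: bytes
    complete: bool    # False when no footer was found within max_size


def carve(image, signatures=SIGNATURES, max_size=64 * 1024):
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            hit = image.find(tail, pos + len(head), limit)
            if hit == -1:
                # Header without footer: keep up to max_size so a truncated or
                # partially overwritten file is still recovered, then keep scanning.
                found.append(Carved(kind, pos, limit, image[pos:limit], False))
                pos = image.find(head, pos + len(head))
            else:
                end = hit + len(tail)
                found.append(Carved(kind, pos, end, image[pos:end], True))
                pos = image.find(head, end)
    return sorted(found, key=lambda c: c.start)


# Constructed image: deterministic filler standing in for unallocated space,
# with a JPEG, a PNG, a JPEG whose footer was lost, and a PDF embedded in it.
FILLER = bytes(range(256)) * 2
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 200
       + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"\x33" * 120
PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"
IMAGE = FILLER + JPEG + FILLER + PNG + FILLER + TRUNCATED_JPEG + FILLER + PDF + FILLER

if __name__ == "__main__":
    for c in carve(IMAGE):
        status = "complete" if c.complete else "no footer (capped)"
        print(f"{c.kind} @ {c.start:#08x}-{c.end:#08x} {len(c.data):>6} bytes  {status}")
```

Footer-based carving is only as good as the footer: a JPEG that embeds a thumbnail contains a second FFD9, and a fragmented file yields garbage after its first fragment, which is why the recovery tools in Exercise 3 are "not 100% efficient" and why a carved file should be opened and validated before it is relied on.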
FTK IMAGER
Free edition (with basic features of Forensic Toolkit - FTK from AccessData).
Allows GUI-based disk imaging & manual file analysis.
Raw (hex) view of the data: viewable using Hex Workshop, FTK Imager, etc. Important for file carving, raw editing & file type determination.
THANK YOU!