module 1 cs 996 - new york university tandon school of ... · 1/26/2004 module 1-introduction 2 ......
TRANSCRIPT
Digital Forensics
Module 1
CS 996
1/26/2004 Module 1-Introduction 2
Instructors
Dr. Frederick SchollOffice Hours: 5-6 PM, Mondays
E-mail: [email protected]
Phone 212-869-4458
I am not a lawyer!
Kulesh Shanmugasundaram
Professor Nasir Memon
1/26/2004 Module 1-Introduction 3
Course Calendar
Classes Start January 16
Presidents Day February 16
Mid-term Exam March 15 (in class)
April 5 Spring Break
May 3 Last Class
May 6-14 Final Exams
1/26/2004 Module 1-Introduction 4
Grading
Eight Labs (50%)
Mid-term Exam (25%)
Final Exam (25%)
1/26/2004 Module 1-Introduction 5
Textbooks
Incident Response & Computer Forensics, 2nd
Edition, Kevin Mandia, Chris Prosise, Matt Pepe, McGraw-Hill, 2003.
ReferencesCounter Hack, Ed Skoudis Prentice Hall, 2002
Digital Evidence and Computer Crime, EoghanCasey, Academic Press, 2000.
1/26/2004 Module 1-Introduction 6
My Background: Civil Litigation
Help businesses reduce risk through Internet forensics
Web site trespassingNetwork abuseSLA disputesOutsourcing disputesWeb site break-inPorn in the workplaceSpam investigationPatent infringement
Testified in state and Federal courts
1/26/2004 Module 1-Introduction 7
Outline of Lectures (Draft)
Module 1: Applications of ForensicsModule 2: Tracking SpamModule 3: Creating Forensic Ready InfrastructureModule 4: Evidence Collection from Network TrafficModule 5: Evidence Collection from HostsModule 6: Host Investigation Using EncaseModule 7: Evidence Handling, Reporting and Presentation in Court
1/26/2004 Module 1-Introduction 8
Outline of Lectures, cont.
Module 8: Evidence Collection from SIM Tools
Module 9: Using Network Intelligence Private I
Module 10: Investigating Cybercriminals—Guest lecturer NYPD or FBI
Module 11:
Module 12:
1/26/2004 Module 1-Introduction 9
Today’s Lecture: The Big Picture
Applications of Forensics
Business and law enforcement drivers
How forensics reduces risk and saves $$$ for businesses
Where are business opportunities?
Finding evidence on the Internet
1/26/2004 Module 1-Introduction 10
What is Digital Forensics?
Comes from Latin meaning: public forum
“Network and computer testing and analysis done in support of litigation”
Civil litigation
Criminal litigation
Homeland security: military tribunals
“Internet Forensics”: http://www.acm.org/~hlb/col-edit/digital_village/aug-03/dv_8-03.html
1/26/2004 Module 1-Introduction 11
Why is forensics important today?
Willie Sutton, born in Brooklyn 1901
Why do I rob banks?
That’s where the money is!
0
2000
4000
6000
8000
10000
12000
2001 2003
GDP
ECOMMERCE
1/26/2004 Module 1-Introduction 12
SOURCES OF INFORMATION
HARD DRIVEREGISTRY & CONTENT
ROUTER SYSLOG FILES
SERVER LOG FILES
LIVE SNIFFER DATA COLLECTION
FIREWALL LOG FILES
IP INVESTIGATIONSINTERNET ARCHIVES
ISP RECORDS
1/26/2004 Module 1-Introduction 13
Standards of Evidence
Criminal Case“Beyond a Reasonable Doubt”
Civil Case“Clear and Convincing Evidence”
“A Preponderance of the Evidence”
Legal standards go beyond engineering standards
Technical: primary, backups
Legal: as many ways as possible
1/26/2004 Module 1-Introduction 14
Challenges
Evidence collection done in adversarial environment
Judge and jury are not technical
Commercial testing tools may not work
Integrate business, technical and legal
Definition of terms in legal world
1/26/2004 Module 1-Introduction 15
Example: Legal vs. Engineering Practice
Evidence must be admissible and stand up to cross examination
Case: ISP vs. Internet backbone providerSLA dispute involving $100M
Ran independent tests measuring performance
Commercial software #1 failed to provide consistent data
Removed software; installed new test system
1/26/2004 Module 1-Introduction 16
Forensics Procedures/Best Practices
Few available
Common Body of Knowledge: “Law, Investigation and Ethics”
ISO 17799: System Auditing and Monitoring; not forensics
Hot off the presses: NIST “Computer Security Incident Handling Guide”
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
1/26/2004 Module 1-Introduction 17
Proactive and Reactive
Proactive“Detection is much more important than prevention. …it is fundamentally impossible to prevent attacks. …everything we know about complex systems tells us that we cannot find and fix every vulnerability. There will always be attackers; we just have to catch and punish them”. (Bruce Schneier, Secrets and Lies)
Reactive
1/26/2004 Module 1-Introduction 18
Proactive
Prevent bad behavior like network abuse
Sarbanes OxleyResponse to Enron
Companies must be able to acquire, search and preserve electronic data related to fraud
Effective July 20, 2002
Applies to public companies
1/26/2004 Module 1-Introduction 19
Example: Consequences of Bad Behavior
Eli Lilly disclosure of email addresses
www.prozac.com
Email went out with all addresses visible
Consequence: FTC will monitor their security program for 20+ years+!!
http://www.akingump.com/docs/publication/67.pdf
1/26/2004 Module 1-Introduction 20
Sarbanes Oxley
Section 302: CEO’s, CFO’s certify financial reports. $5M fine; 20 years prison
Section 404: …”controls related to the prevention, identification and detection of fraud” (Technology Auditor position created)
Risk: Inadequate control prevents financial auditor from signoff
http://www.guidancesoftware.com/corporate/whitepapers/downloads/Sarbanes-Oxley.pdf
1/26/2004 Module 1-Introduction 21
Recent Criminal Cases 18 U.S.C.§ 1030
US v. LamoJan. 8, 2004
Entered NY Times web site; $300,000 damages
Hacker
US v. BaasDec. 18, 2003
Stole customer data from Acxiom
Baas worked for outsourcer
1/26/2004 Module 1-Introduction 22
Recent criminal cases, cont.
US v. DiazDec. 5, 2003Remotely deleted critical programs; $80,000 damages to Hellman LogisticsDiaz was former IT employee
US v. PattersonDec. 2, 2003DOS attack against American Eagle OutfittersPatterson was former employee
http://www.usdoj.gov/criminal/cybercrime/index.html
1/26/2004 Module 1-Introduction 23
Homeland Security
Need for more survelliance
1/26/2004 Module 1-Introduction 24
Evidence on the Internet
Web searchwww.superpages.com
Google usenet listings
Archival sites
Whois search
Nslookup
www.samspade.org
1/26/2004 Module 1-Introduction 25
INTERNET ARCHIVE (WWW.ARCHIVE.ORG)
1/26/2004 Module 1-Introduction 26
1999 WWW.JOHNSONS.COM
1/26/2004 Module 1-Introduction 27
IDENTIFYING INTERNET RESOURCES
1/26/2004 Module 1-Introduction 28