DOCSLIB.ORG

University of Piraeus Department of Digital

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
University of Piraeus Department of Digital UNIVERSITY OF PIRAEUS DEPARTMENT OF DIGITAL SYSTEMS Postgraduate Programme in SECURITY OF DIGITAL SYSTEMS Registration, classification and presentation of digital forensics and incident response tools Argyro Liakopoulou Supervising Professor: Konstantinos Lambrinoudakis December 2015 1 2 Abstract The objective of this thesis is to record, categorize and present the tools available, freely and commercially, for the needs of digital forensics and security incident response process. Initially, this study presents the structure of the security incident response team and, then, the procedures and techniques applicable for a successful response to a security incident. The same procedure is followed for the digital forensics team. Afterwards, the specific procedures, that should be followed for the collection and processing of electronic evidence in order to be valid for legal use, are analyzed. Then, an overview of the legal framework within the EU, surrounding the security incident response and digital forensics procedures, is presented. Next is presented the structure of the web page created containing the collection of forensics tools categorized according to their functionality. Finally, some tools for digital forensics and security incident response are presented and categorized according to their functionality. 3 4 Table of Contents ABSTRACT ............................................................................................................................................ 3 TABLE OF CONTENTS ...................................................................................................................... 5 TABLE OF FIGURES ........................................................................................................................... 7 1. INTRODUCTION ....................................................................................................................... 9 2. SECURITY INCIDENT RESPONSE ...................................................................................... 11 2.1. EVENTS AND INCIDENTS ...................................................................................................... 11 2.2. THE NEED FOR SECURITY INCIDENT RESPONSE CAPABILITY .............................................. 11 2.3. COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) ............................................... 11 2.3.1. Structure Types ............................................................................................................ 12 2.3.2. Titles and Roles ............................................................................................................ 14 2.3.3. Knowledge and Skill Set Requirements ........................................................................ 15 2.4. THE SECURITY INCIDENT RESPONSE PROCESS .................................................................... 16 2.4.1. Preparation ................................................................................................................... 16 2.4.2. Detection and Analysis ................................................................................................ 17 2.4.3. Containment, Eradication and Recovery ..................................................................... 19 2.4.4. Post-Incident Activity .................................................................................................. 20 3. DIGITAL FORENSIC ............................................................................................................... 23 3.1. INTRODUCTION .................................................................................................................... 23 3.2. THE DIGITAL FORENSICS TEAM ........................................................................................... 23 3.2.1. Knowledge and Skill Set Requirements ........................................................................ 23 3.2.2. Forensic Specialist ........................................................................................................ 23 3.2.3. Forensics Investigator .................................................................................................. 24 3.2.4. Forensics Examiner ...................................................................................................... 24 3.3. THE DIGITAL FORENSIC PROCESS ......................................................................................... 24 3.3.1. Data Collection............................................................................................................. 25 3.3.2. Examination ................................................................................................................. 28 3.3.3. Analysis........................................................................................................................ 29 3.3.4. Reporting...................................................................................................................... 29 4. CRIME SCENES AND EVIDENCE COLLECTION ............................................................ 31 4.1.1. Identification ................................................................................................................ 31 4.1.2. Order of Volatility ........................................................................................................ 32 4.1.3. Documenting the Scene................................................................................................ 32 4.1.4. Chain of Custody .......................................................................................................... 32 4.1.5. Imaging and Hashing ................................................................................................... 33 4.1.6. Analysis........................................................................................................................ 33 4.1.7. Repeatability ................................................................................................................. 34 5. LEGAL FRAMEWORK WITHIN THE EU ............................................................................ 35 6. DIGITAL FORENSICS TOLLS WEB PAGE ......................................................................... 39 5 6.1. THE WEB PAGE ...................................................................................................................... 39 6.2. THE FORUM .......................................................................................................................... 41 7. INCIDENT RESPONSE AND DIGITAL FORENSIC TOOLS ......................................... 43 7.1. COMPUTER FORENSIC .......................................................................................................... 43 7.1.1. Disk and data acquisition ............................................................................................. 43 7.1.2. Filesystem and Data Analysis ...................................................................................... 52 7.1.3. Memory Acquisition .................................................................................................... 79 7.1.4. Memory Analysis ......................................................................................................... 81 7.1.5. Data Recovery .............................................................................................................. 85 7.1.6. Specific Tools ................................................................................................................ 87 7.2. NETWORK FORENSICS .......................................................................................................... 91 7.3. MOBILE FORENSICS ............................................................................................................ 112 7.3.1. Acquisition ................................................................................................................. 112 7.3.2. Analysis...................................................................................................................... 114 7.4. MACINTOSH FORENSIC TOOLS ........................................................................................... 120 7.5. FORENSIC DISTRIBUTIONS .................................................................................................. 126 8. CONCLUSION ......................................................................................................................... 129 TOOL INDEX .................................................................................................................................... 130 BIBLIOGRAPHICAL REFERENCES ............................................................................................ 132 6 Table of Figures Figure 1 Central Incident Response Team model ............................................................ 12 Figure 2 Distributed Incident Response Team model ..................................................... 13 Figure 3 NIST Incident Response Process ......................................................................... 16 Figure 4 NIST Incident Handling Checklist ..................................................................... 22 Figure 5 Digital Forensic Process, NIST ............................................................................ 25 Figure 6 Collecting digital evidence Flow Chart ............................................................. 28 Figure 7 Home Page ............................................................................................................
Load more

Recommended publications
  • A Decryption Process for Android Database Forensics
    International Journal of Computer Sciences and Engineering Open Access Research Paper Vol.-7, Issue-3, March 2019 E-ISSN: 2347-2693 A Decryption Process for Android Database Forensics Nibedita Chakraborty1*, Krishna Punwar2 1,2Dept. of Information Technology and Telecommunication, Raksha Shakti University, Ahmedabad, India *Corresponding Author: [email protected], Tel.: 7980118774 DOI: https://doi.org/10.26438/ijcse/v7i3.2326 | Available online at: www.ijcseonline.org Accepted: 18/Mar/2019, Published: 31/Mar/2019 Abstract— Nowadays, Databases are mostly usable in business applications and financial transactions in Banks. Most of the database servers stores confidential and sensitive information of a mobile device. Database forensics is the part of digital forensics especially for the investigation of different databases and the sensitive information stored on a database. Mobile databases are totally different from the major database and are very platform independent as well. Even if they are not attached to the central database, they can still linked with the major database to drag and change the information stored on this. SQLite Database is mostly needed by Android application development. SQLite is a freely available database management system which is specially used to perform relational functional and it comes inbuilt with android to perform database functions on android appliance. This paper will show how a message can be decrypted by using block cipher modes and which mode is more secured and fast. Keywords—Database Forensics,Mobile Device ,Android,SQLite, Modes, Tools I. INTRODUCTION In android mobile phone device, SQLite is mainly based on ACID properties docile relational database management Database is an assemble form of interrelated data which is system.
    [Show full text]
  • Implementing Cisco Cyber Security Operations
    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
    [Show full text]
  • Physical and Cyber Crime Detection Using Digital Forensic Approach: a Complete Digital Forensic Tool
    Jain Nilakshi et al., International Journal of Advance Research, Ideas and Innovations in Technology. ISSN: 2454-132X Impact factor: 4.295 (Volume3, Issue1) Available online at: www.ijariit.com Physical and Cyber Crime Detection using Digital Forensic Approach: A Complete Digital Forensic Tool Dr. Nilakshi Jain Neha Bhanushali Sayali Gawade Gauri Jawale Information Technology Information Technology Information Technology Information Technology Department Department Department Department Shah and Anchor kutchhi Shah and Anchor kutchhi Shah and Anchor kutchhi Shah and Anchor kutchhi Engineering college Engineering college Engineering college Engineering College nilakshijain1986@gmail. nehabhanushali2017@g [email protected] [email protected] com mail.com Abstract— Criminalization may be a general development that has significantly extended in previous few years. In order, to create the activity of the work businesses easy, use of technology is important. Crime investigation analysis is a section records in data mining plays a crucial role in terms of predicting and learning the criminals. In our paper, we've got planned an incorporated version for physical crime as well as cybercrime analysis. Our approach uses data mining techniques for crime detection and criminal identity for physical crimes and digitized forensic tools (DFT) for evaluating cybercrimes. The presented tool named as Comparative Digital Forensic Process tool (CDFPT) is entirely based on digital forensic model and its stages named as Comparative Digital Forensic Process Model (CDFPM). The primary step includes accepting the case details, categorizing the crime case as physical crime or cybercrime and sooner or later storing the data in particular databases. For physical crime analysis we've used k- means approach cluster set of rules to make crime clusters.
    [Show full text]
  • Design Document for IP Fabrics
    Design Document for IP Fabrics Author: May06-15 (Network Forensic UI) Andy Heintz (Communication Leader) Abraham Devine (Webmaster) Altay Ozen (Team Leader and Team Key Concept Holder) Dr. Joseph Zambreno (Adviser) Curt Schwaderer (Client) Version Date Author Change 1.0 10/26 AH Created initial version of design document 2.0 11/23 AH Created final version of design document Table of Contents 1 Problem Statement.................................................................................................................... 3 2 System Design ........................................................................................................................... 4 2.1 System Requirements................................................................................................................................ 4 2.2 Functional Requirements .......................................................................................................................... 4 2.3 Functional Decomposition ........................................................................................................................ 5 2.4 System Analysis ....................................................................................................................................... 6 3 Detailed Design ......................................................................................................................... 7 3.1 Input / Output Specification .....................................................................................................................
    [Show full text]
  • Hands-On Network Forensics, FIRST 2015
    2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Workshop Preparations: 1. Unzip the virtual machine from NetworkForensics_ VirtualBox.zip on your EXTENSIVE USE OF USB thumb drive to your local hard drive COMMAND LINE 2. Start VirtualBox and run the Security Onion VM IN THIS WORKSHOP 3. Log in with: user/password 1 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Erik Hjelmvik, Swedish Armed Forces CERT FIRST 2015, Berlin 2 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Workshop Preparations: 1. Unzip the virtual machine from NetworkForensics_ VirtualBox.zip on your EXTENSIVE USE OF USB thumb drive to your local hard drive COMMAND LINE 2. Start VirtualBox and run the Security Onion VM IN THIS WORKSHOP 3. Log in with: user/password 3 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE ”Password” Ned 4 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE SysAdmin: Homer 5 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE PR /Marketing: Krusty the Clown 6 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Password Ned AB = pwned.se 7 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE pwned.se Network [INTERNET] | Default Gateway 192.168.0.1 PASSWORD-NED-XP www.pwned.se | 192.168.0.53 192.168.0.2 [TAP]--->Security- | | | Onion -----+------+---------+---------+----------------+------- | | Homer-xubuntu Krustys-PC 192.168.0.51 192.168.0.54 8 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Security Onion 9 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Paths (also on Cheat Sheet) • PCAP files: /nsm/sensor_data/securityonion_eth1/dailylogs/ • Argus files:
    [Show full text]
  • Network Intell: Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic
    Chapter 1 NETWORK INTELL: ENABLING THE NON- EXPERT ANALYSIS OF LARGE VOLUMES OF INTERCEPTED NETWORK TRAFFIC Erwin van de Wiel, Mark Scanlon and Nhien-An Le-Khac Abstract In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wire- tapping is well documented and the procedure for their execution are well known, the same cannot be said for Internet taps. Lawfully inter- cepted network traffic often contains a lot of encrypted traffic making it increasingly difficult to find useful information inside the traffic cap- tured. The advent of Internet-of-Things further complicates the pro- cess for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where data cannot be analysed without supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in a chronological manner and are predominately conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed becomes very large. In this paper, we propose a novel approach to analyse large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also produces an arXiv:1712.05727v2 [cs.CR] 27 Jan 2018 insight view of analysing results for the non-technical investigator. We also test our approach with a large sample of network traffic data. Keywords: Network Investigation, Big Data Forensics, Intercepted Network Traffic, Internet tap, Network Metadata Analysis, Non-Technical Investigator. 1. Introduction Lawful interception is a method that is used by the police force in some countries in almost all middle-to high-level criminal investigations.
    [Show full text]
  • Final Book Completed to Print in PRESS.Cdr
    S.Alagiavanan 3rd CSE GRAPHIC CARDS: V.Narendran 3rd CSE HOW THEY WORK voultion of computing over the last decade EVER Yet very few of you know exactly how these has seen a distinct differentiation based on marvels work. Today's graphic cards are the nature of the workload. On the one WONDERED marvels of engineering, with over 50 times the E raw computational power of current CPUs, but hand you have the computing heavy tasks while on the other, there are graphics intensive tasks. Rewind WHAT GOES they have far more specific and streamlined a back a decade, and you will remember almost every ON BEHIND task. There are two aspects to understanding other motherboard having a dedicated display port how a graphics card works. The first is to as the graphics processor was onboard. Also some THE SCENES understand how it works with the rest of the present day processors which sport integrated WHEN YOU components in a personal computer to generate graphics also have IGP ports on the board. But with an image. The second part would be to the graphical workloads getting more advanced and POWER UP understand the role of major components on outputs more realistic, you would need to invest in a video card. dedicated graphics processing unit to divide tasks YOUR between the CPU and the GPU. Another advantage GAME? of having a dedicated graphics processing unit is the fact that it lets your CPU be free to perform READ ON. other tasks. For instance you can rip a movie in the background while playing a game.
    [Show full text]
  • Digital Forensic Research: Current State-Of-The-Art
    Digital Forensic Research: Current State-of-the-Art Sriram Raghavan Queensland University of Technology Brisbane, Queensland 4000, AUSTRALIA [email protected] Abstract—Digital Forensics is the process of employing scientific last year, fully 45.6 percent of them reported they’d been the principles and processes analyze electronically stored subject of at least one targeted attack. According to the information to determine the sequence of events which led to a 2010/11 CSI Computer Crime Survey [60], almost 46% of the particular incident. In this digital age, it is important for respondents were affected by at least one form of computer researchers to become aware of the recent developments in this crime. According to 2010 Gallup Computer Crime survey dynamic field and understand scope for the future. The past decade has witnessed significant technological advancements to [73], 11% of American adults report that they were a victim of aid during a digital investigation. Many methodologies, tools and a computer or Internet crime on their home computer in the techniques have found their way into the field designed on past year, up from the 6% to 8% levels found in the previous forensic principles. Digital forensics has also witnessed many seven years. The 2012 Indian Risk survey [71] indicates that innovative approaches that have been explored to acquire and Computer and Internet crime remains the single largest source analyze digital evidence from diverse sources. In this paper, we of national threat at 10.81% closely followed by terrorism at review the research literature since 2000 and categorize 10.43%.
    [Show full text]
  • Scanned by Camscanner Annexure - 1 Broad Based Specifications for Forensic Platformfor National Cyber Forensic Laboratory
    Scanned by CamScanner Annexure - 1 Broad Based Specifications for Forensic Platformfor National Cyber Forensic Laboratory S. No. Name of the Tool Specifications 1. The integrated Integrated platform that enables centralized case management and web-based access to various digital forensic tools. Forensic Platform Interface to distributed processing support, Role Assignment, Password Cracking and Recovery, Wizard-Driven Multi-Machine, for sharing Customizable Processing. theDigital Forensic Integrated Simultaneous access to Forensic Lab, Attorneys and Investigators through centralised management console via web interface. tools with suitable Automate email notifications regarding case state. Should include the following with APIs APIs. o FTK Standalone Perpetual Licences – 10 Nos. o AccessData Lab - FTK Connection – 10 Nos. o AccessData Lab - Web User Account – 10 Nos. o Magnet AXIOM Complete Perpetual Licences – 10 Nos. o Comprehensive Mac and iOS forensic analysis and reporting software – 10 Nos. o Belkasoft Evidence Centre Perpetual Licences with integration – 10 Nos. o SPEKTOR Drive with 64GB USB drive running SPEKTOR software Black fabric case 1 x 1 TB collector 1 x 8GB USB Drive for exporting FIVE years' support and updates – 10 Nos. The solution should be deployed/operated on the inhouse Data Centre at CFSL, Hyderabad. The required server hardware and software components for the Integrated API is the responsibility of the solution provider. The platform should be flexible enough to accommodate more number of licences as per the need in future. Perpetual Licencing with 03 years warranty with support for updates up to 05 years. Solution should include certified training for 10 Experts from OEM with in India or at OEM location.
    [Show full text]
  • Title Smart Cites Forensics-Evaluating the Challenges of MK Smart City Forensics Name Ebenezer Okai
    Title Smart Cites Forensics-Evaluating the Challenges of MK Smart City Forensics Name Ebenezer Okai This is a digitised version of a dissertation submitted to the University of Bedfordshire. It is available to view only. This item is subject to copyright. INSTITUTE FOR RESEARCH IN APPLICABLE COMPUTING (IRAC) MASTERS BY RESEARCH MODE OF STUDY: FULL TIME Ebenezer Okai ID: 0708426 Smart Cites Forensics-Evaluating the Challenges of MK Smart City Forensics June 2019 I | P a g e Declaration “I, Ebenezer Okai declare that this thesis and the work presented in it are my own and has been generated by me as the result of my own original research. I confirm that: • This work was done wholly or mainly while in candidature for a research degree at this University; • Where any part of this thesis has previously been submitted for a degree or any other qualification at this University or any other institution, this has been clearly stated; • Where I have drawn on or cited the published work of others, this is always clearly attributed; • Where I have quoted from the work of others, the source is always given. With the exception of such quotations, this thesis is entirely my own work; • I have acknowledged all main sources of help; • Where the thesis or any part of it is based on work done by myself jointly with others, I have made clear exactly what was done by others and what I have contributed myself; • Either none of this work has been published before submission, or parts of this work have been published.
    [Show full text]
  • Current and Future Trends in Mobile Device Forensics: a Survey
    Current and Future Trends in Mobile Device Forensics: A Survey KONSTANTIA BARMPATSALOU, TIAGO CRUZ, EDMUNDO MONTEIRO, and PAULO SIMOES, Centre for Informatics and Systems of the University of Coimbra, Department of Informatics (CISUC/DEI), University of Coimbra, Portugal Contemporary mobile devices are the result of an evolution process, during which computational and networking capabilities have been continuously pushed to keep pace with the constantly growing workload requirements. This has allowed devices such as smartphones, tablets and Personal Digital Assistants (PDAs) to perform increasingly complex tasks, up to the point of efficiently replacing traditional options such as desktop computers and notebooks. However, due to their portability and size, these devices are more prone to theft, to become compromised or to be exploited for attacks and other malicious activity. The need for investigation of the aforementioned incidents resulted in the creation of the Mobile Forensics (MF) discipline. MF, a sub-domain of Digital Forensics (DF), is specialized in extracting and processing evidence from mobile devices in such a way that attacking entities and actions are identified and traced. Beyond its primary research interest on evidence acquisition from mobile devices, MF has recently expanded its scope to encompass the organized and advanced evidence representation and analysis of future malicious entity behavior. Nonetheless, data acquisition still remains its main focus. While the field is under continuous research activity, new concepts such as the involvement of Cloud Computing in the MF ecosystem and the evolution of enterprise mobile solutions – particularly Mobile Device Management (MDM) and Bring Your Own Device (BYOD) – bring new opportunities and issues to the discipline.
    [Show full text]
  • Multi-Boot Mit Sardu 2.0.2A: Das Tool Installiert Live-Systeme Wie Fedora 14 Auf Hungsweise Ihrer DVD Im Unterord- Len
    PRAXIS SARDU 2.0.2A Windows-System mit 64 Bit einsetzen, dann verwenden Sie stattdessen die Datei Multi-Boot mit “sardu_x64.exe“. Live-CDs einbinden Die Software-Auswahl erfolgt in Sardu über die Reiter “Antivirus“, “Utility“, “Linux Live“ Sardu 2.0.2a und “Windows“. Fast alle Live-Systeme der ersten drei Kategorien lädt Sardu direkt aus dem Internet. Nur die Live-Systeme der Rubrik Prüfen Sie PCs auf Viren, partitionieren Sie Festplatten neu und retten Sie Daten: “Windows“ müssen Sie selbst erstellen. Auf der Heft-DVD finden Sie zudem zahlrei- Sardu 2.0.2a installiert bis zu 50 Live-Systeme auf USB-Stick oder DVD. che ISO-Dateien, die Ihnen das zeitaufwendi- ge Herunterladen vom Internet ersparen. Wenn Sie diese Dateien in Sardu übernehmen wol- ardu 2.0.2a verwandelt USB-Sticks und Multi-Boot-Auswahl len, wechseln Sie in Ihr Sardu-Verzeichnis und S DVD-Rohlinge in multibootfähige All- kopieren die ISO-Dateien in den Unterordner round-Werkzeuge (kostenlos, www.sarducd.it Mit Sardu stellen Sie eine individuelle Aus- “ISO“. Nach einem Neustart des Tools lassen und auf ). Das Tool installiert bis zu 50 Live- wahl von Boot-CDs zusammen, die Sie auf Systeme auf einem Boot-Medium (Bild A). USB-Sticks installieren oder auf eine DVD Der Artikel beschreibt, wie Sie mit Sardu brennen. Kompakt ausgewählte Live-Systeme auf USB-Stick oder ■ Sardu 2.0.2a macht aus einem USB-Stick DVD installieren. Mit Hilfe dieser Systeme ret- Sardu starten oder einem DVD-Rohling eine Multi-Boot- ten Sie Daten, prüfen Rechner auf Viren und Sardu ist ein Sofort-Tool, das ohne Installation Plattform.
    [Show full text]