University of Piraeus Department of Digital

University of Piraeus Department of Digital

UNIVERSITY OF PIRAEUS DEPARTMENT OF DIGITAL SYSTEMS Postgraduate Programme in SECURITY OF DIGITAL SYSTEMS Registration, classification and presentation of digital forensics and incident response tools Argyro Liakopoulou Supervising Professor: Konstantinos Lambrinoudakis December 2015 1 2 Abstract The objective of this thesis is to record, categorize and present the tools available, freely and commercially, for the needs of digital forensics and security incident response process. Initially, this study presents the structure of the security incident response team and, then, the procedures and techniques applicable for a successful response to a security incident. The same procedure is followed for the digital forensics team. Afterwards, the specific procedures, that should be followed for the collection and processing of electronic evidence in order to be valid for legal use, are analyzed. Then, an overview of the legal framework within the EU, surrounding the security incident response and digital forensics procedures, is presented. Next is presented the structure of the web page created containing the collection of forensics tools categorized according to their functionality. Finally, some tools for digital forensics and security incident response are presented and categorized according to their functionality. 3 4 Table of Contents ABSTRACT ............................................................................................................................................ 3 TABLE OF CONTENTS ...................................................................................................................... 5 TABLE OF FIGURES ........................................................................................................................... 7 1. INTRODUCTION ....................................................................................................................... 9 2. SECURITY INCIDENT RESPONSE ...................................................................................... 11 2.1. EVENTS AND INCIDENTS ...................................................................................................... 11 2.2. THE NEED FOR SECURITY INCIDENT RESPONSE CAPABILITY .............................................. 11 2.3. COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) ............................................... 11 2.3.1. Structure Types ............................................................................................................ 12 2.3.2. Titles and Roles ............................................................................................................ 14 2.3.3. Knowledge and Skill Set Requirements ........................................................................ 15 2.4. THE SECURITY INCIDENT RESPONSE PROCESS .................................................................... 16 2.4.1. Preparation ................................................................................................................... 16 2.4.2. Detection and Analysis ................................................................................................ 17 2.4.3. Containment, Eradication and Recovery ..................................................................... 19 2.4.4. Post-Incident Activity .................................................................................................. 20 3. DIGITAL FORENSIC ............................................................................................................... 23 3.1. INTRODUCTION .................................................................................................................... 23 3.2. THE DIGITAL FORENSICS TEAM ........................................................................................... 23 3.2.1. Knowledge and Skill Set Requirements ........................................................................ 23 3.2.2. Forensic Specialist ........................................................................................................ 23 3.2.3. Forensics Investigator .................................................................................................. 24 3.2.4. Forensics Examiner ...................................................................................................... 24 3.3. THE DIGITAL FORENSIC PROCESS ......................................................................................... 24 3.3.1. Data Collection............................................................................................................. 25 3.3.2. Examination ................................................................................................................. 28 3.3.3. Analysis........................................................................................................................ 29 3.3.4. Reporting...................................................................................................................... 29 4. CRIME SCENES AND EVIDENCE COLLECTION ............................................................ 31 4.1.1. Identification ................................................................................................................ 31 4.1.2. Order of Volatility ........................................................................................................ 32 4.1.3. Documenting the Scene................................................................................................ 32 4.1.4. Chain of Custody .......................................................................................................... 32 4.1.5. Imaging and Hashing ................................................................................................... 33 4.1.6. Analysis........................................................................................................................ 33 4.1.7. Repeatability ................................................................................................................. 34 5. LEGAL FRAMEWORK WITHIN THE EU ............................................................................ 35 6. DIGITAL FORENSICS TOLLS WEB PAGE ......................................................................... 39 5 6.1. THE WEB PAGE ...................................................................................................................... 39 6.2. THE FORUM .......................................................................................................................... 41 7. INCIDENT RESPONSE AND DIGITAL FORENSIC TOOLS ......................................... 43 7.1. COMPUTER FORENSIC .......................................................................................................... 43 7.1.1. Disk and data acquisition ............................................................................................. 43 7.1.2. Filesystem and Data Analysis ...................................................................................... 52 7.1.3. Memory Acquisition .................................................................................................... 79 7.1.4. Memory Analysis ......................................................................................................... 81 7.1.5. Data Recovery .............................................................................................................. 85 7.1.6. Specific Tools ................................................................................................................ 87 7.2. NETWORK FORENSICS .......................................................................................................... 91 7.3. MOBILE FORENSICS ............................................................................................................ 112 7.3.1. Acquisition ................................................................................................................. 112 7.3.2. Analysis...................................................................................................................... 114 7.4. MACINTOSH FORENSIC TOOLS ........................................................................................... 120 7.5. FORENSIC DISTRIBUTIONS .................................................................................................. 126 8. CONCLUSION ......................................................................................................................... 129 TOOL INDEX .................................................................................................................................... 130 BIBLIOGRAPHICAL REFERENCES ............................................................................................ 132 6 Table of Figures Figure 1 Central Incident Response Team model ............................................................ 12 Figure 2 Distributed Incident Response Team model ..................................................... 13 Figure 3 NIST Incident Response Process ......................................................................... 16 Figure 4 NIST Incident Handling Checklist ..................................................................... 22 Figure 5 Digital Forensic Process, NIST ............................................................................ 25 Figure 6 Collecting digital evidence Flow Chart ............................................................. 28 Figure 7 Home Page ............................................................................................................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    137 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us