Masaryk University Faculty of Informatics Development of Environments for Trainings Aimed at Digital Forensics Master’s Thesis Vadim Janovskij Brno, Spring 2018 Replace this page with a copy of the official signed thesis assignment anda copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Vadim Janovskij Advisor: RNDr. Daniel Kouřil, Ph.D. i Acknowledgements I would like to thank my advisor RNDr. Daniel Kouřil, Ph.D., for his guidance, ideas and all the time spent with providing me a valuable feedback. iii Abstract The aim of this thesis is to create tools which will be used for build- ing the simulated MS Windows corporate environment suitable for forensics training. The environment created in such way is parameteri- zable, allows generation of forensics footprints. The created framework includes tools for building the infrastructure, injecting the security incidents and generating user’s activity in the systems. The first part of the thesis identifies important forensics areasin MS Windows environment and demonstrates the possible scenario, which enables the effective teaching of important forensics principles and areas. It also compares available orchestration tools and picks one best suitable for thesis needs. The second part describes the designed technical implementation, deployment process, populating environment with the data and in- jecting cybersecurity incidents. iv Keywords Digital forensics, Training, Windows, Security incident, Desire State Configuration v Contents Introduction 1 1 Background 3 1.1 Digital Forensics .......................3 1.2 KYPO – Cyber Exercise and Research Platform. .......4 2 Designing training aimed at Digital Forensics 5 2.1 Training overview .......................5 2.2 Demonstration Scenario ...................6 2.3 Designing environment architecture .............9 2.3.1 Domain Controller . .9 2.3.2 Microsoft Exchange . 11 2.3.3 Microsoft Internet Information Services (IIS) . 11 2.3.4 Microsoft SQL Server . 11 2.3.5 File Share Server . 12 3 Designing semi-automated deployment process of the envi- ronment 13 3.1 Comparison of selected configuration management tools ... 13 3.1.1 Pupet . 14 3.1.2 Ansible . 15 3.1.3 Windows Desired State Configuration (DSC) . 15 3.1.4 Summary . 16 3.2 Understanding Desired State Configuration ......... 17 3.2.1 Modes of deployment . 17 3.2.2 DSC Architecture Overview . 18 3.3 Designing solution ...................... 21 3.3.1 Powershell DSC scripts structure . 21 3.3.2 Deployment process . 22 4 Building the environment 25 4.1 Prerequisites .......................... 25 4.2 Domain Controller ...................... 26 4.2.1 Join nodes to domain . 27 4.2.2 Configuring shared storages . 28 4.3 Internet Information Services (IIS) Server .......... 30 vii 4.4 Microsoft SQL Server ..................... 30 4.5 Exchange Server ........................ 31 4.6 Windows Workstations .................... 32 5 Populating environment with the scenario data 35 5.1 Adding users, groups, and organizational units ....... 35 5.2 Deploying web application .................. 37 5.3 Simulation of users actions .................. 40 6 Security incidents injection 43 6.1 Password guessing ...................... 45 6.2 Phishing email ........................ 46 6.3 Malware injection ....................... 49 6.4 Theft of sensitive information ................. 52 6.5 Disruption of company’s information services ........ 53 7 Conclusion 55 Bibliography 57 A Attachments 61 viii List of Tables 2.1 Typical types of servers present in organization. 10 3.1 Summary of tools comparison. 16 4.1 An overview of virtual machines involved in demonstration scenario. 25 ix List of Figures 2.1 General structure of the training. 6 2.2 Stark Industries - Organization Chart. 8 2.3 Design of the environment architecture. 10 3.1 Desire State Configuration Architecture Overview. 18 3.2 Final DSC scripts structure. 22 3.3 Environment deployment process. 24 5.1 Organizational units and groups structure. 36 5.2 nopCommerce Installation page. 39 6.1 Attacks implemented in our sample Scenario. 44 xi Introduction Every organization must be prepared for the possibility of cybercrime within its network or on its computer systems. An organization should have employees who can recognize crimes like fraud, insider threat, industrial espionage, employees misuse, and computer intrusion. Such employees do not need to understand all technical aspects in depth, but they should be able to determine the severity of the crime correctly and in important cases escalate it to the forensics professionals. Every system administrator should learn how to extract key evidence from the Windows systems. Forensic artifacts are sensitive data that could be easily erased by improper actions. Without proper education of IT professionals in this area, companies risking irreversibly lost forensics evidence and never identify the guilty persons. Education in the environment that simulates a real computer net- work with realistic scenario has been shown as highly effective. It motivates the participants, and they are more involved in the educa- tion process. With the growth of virtualization technologies and cloud comput- ing simulation of such environment is much more simpler, scalable and realistic. Moreover today with the orchestration tools we are able to automate the whole deployment process and build such environ- ment with just a few scripts. The purpose of this thesis is to combine available deployment au- tomation tools, and scripting to build environments aimed at Digital Forensics with minimum human interaction needed. Design the sce- nario that will cover basic forensics areas in MS Windows environment and with automation scripts simulate a malicious activity that will leave forensic traces. The thesis is divided into seven chapters. Chapter 2 starts with describing digital forensics and provides reasons why it is beneficial for organizations to have forensically trained employees. Then the KYPO Cyber Exercise platform is introduced. Chapter 3 describe the design of the environment building process. It provides a comparison of selected configuration management tool and specifies reasons why I have decided to use the solution from Microsoft. Then it describes aspects of the selected technology and provides the design of the 1 deployment process. Chapter 4 illustrates the steps of the deployment process and introduce configuration scripts that have been created. Chapter 5 introduce the process of populating the environment with users and data. It is an important aspect because before injecting the security incidents our training environment need to contain users and data that will be compromised. Chapter 6 describes the injection of the security incidents and analyze the forensic footprints that have been generated in the systems. Chapter 7 summarize the main contribution of this thesis and suggests recommendations for further work. 2 1 Background In this Chapter, we will say what is digital forensics and why it is important for organizations to have employees trained in this area. Then we will present KYPO - Cyber Exercise Platorm, the place where we will deploy our training environment and list benefits that it will bring to us. 1.1 Digital Forensics Forensics[1] is a science of collecting, analyzing and reporting on digital data in a way that can be presented as evidence. The forensic investigator collects forensic artifacts, try to build relations between them and get the whole picture about the incident. Here is an example of forensic artifacts that can be found on a Windows systems: ∙ NFTS and file system ∙ Windows prefetch files ∙ Event logs ∙ Windows Shadow copies ∙ Registry ∙ Memory forensics The results of the forensic investigation can be either presented in a court or stayed internally in a corporation. Today a lot of forensic inves- tigations are not shared with law enforcement, and they stay internal inside the corporation. Organizations do the forensic investigation to understand what kind of breach they had and what information was leaked. With the increasing number of cybersecurity incidents, the need for computer forensics is growing. Having an IT team that is forensically trained can bring the following benefits to the organization: ∙ Save the organization money and time. The organization will not need to outsource basic forensics investigations but could solve it with its own IT department. 3 1. Background ∙ Identify the compromise of important systems faster. ∙ Minimize the disruption of organization’s daily business activi- ties during a forensic investigation. 1.2 KYPO – Cyber Exercise and Research Platform. Our training environment will be based on the KYPO platform [2]. KYPO is being developed at Masaryk University. It provides a virtual- ized environment in a cloud that allows simulation of large networks, systems, services, and applications.Compare to a standard cloud en- vironment, KYPO will bring to our training environment additional benefits: ∙ KYPO provides Windows virtual machines and takes care of the proper network configuration. ∙ The environment is isolated from the outside world, and all con- nections are monitored. Because we are going to inject security incidents to our environment, our systems should have vulnera- bilities. KYPO
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages77 Page
-
File Size-