The fourth session from a two day course I ran for potential first responders in a large financial services client.

1. Phil Huggins
February 2004

2.  The goals of Forensic Readiness are to decrease the time and cost of
ForensicAnalysis (and ScopeAssessment) while increasing the
effectiveness.
 The main idea in Forensic Readiness is to build an infrastructure that
supports the needs (data) of an investigation
 The main areas include:
 Logging and monitoring
 Build Management & Inventory
 User Policies
 Reporting forms

3.  Data is critical to Forensic Analysis
 If the needed data is not being recorded, then
it can not be used in the investigation.
 Forensic Readiness assesses what network
and system information should be recorded
every day and what should be recorded
during an incident

4.  Goal:To create data entry forms that will contain the information that
needs to be gathered during an incident
 Every action performed during an incident should be documented
 Forms help to ensure that the proper data is recorded
 Examples:
 Chain of Custody: Records who has control of the data at a given time
 SystemAcquisition Form:When the response team takes a system from its
owner, this records the system description and owner signature
 Hard Disk Form: Records the history of each drive used during the
incident, including serial numbers and what systems it was installed in
 Investigator Log: Allows the responder to document their actions
 Form templates are included in your course handbook and will be
included on the course cd-rom.

9.  Log data can be crucial to the investigation
 There are two major issues with logging and
forensics:
1.Many incidents involve someone having
unauthorized privileged user access and most logs
can be modified or deleted by such a user.
2.Not all systems are logging the needed
information that is useful to an investigation

10.  All servers send a copy of their log data to a
dedicated log server
 Server can be on the normal network or a dedicated
network
 Server is secured to only allow log data (syslog) and
SSH access and is considered a critical asset when
patching systems
 Syslog Example:
 UNIX servers are configured to redirect syslog output
 Windows servers use 3rd party tools to send event logs to
server

11.  All logs can be analyzed on a periodic basis to detect
anomalies
 Makes it more difficult for attacker to modify the logs
 It is important to correlate events from multiple sources, so
we can compare the locally stored logs and the remotely
stored logs
 This server will be the target of many attacks, which may
alert one to other attacks if it is watched closely

12.  Windows stores logs in event files
 3rd party programs run on a scheduler and send new event
entries to the syslog server:
 Event Reporter (www.eventreporter.com)
 NT Syslog (www.ntsyslog.sourceforge.net)
 evlogsys.pl (perl script)
 Back Log (NT-Only)
 There is a slight window of opportunity with this model for
the attacker to delete the logs before the collection tool runs

13.  Goal:To ensure that the proper data is logged and that it is stored
in a method that can be used during forensics
 Send logs to central server to secure them during an attack
 Ensure log files have strict permissions so only a privileged user
can write to them.
 If possible, only allow the log to be appended to and deny all read
access
 Identify what OS events should be logged:
 User Logins
 System Reboots
 As much as possible, based on space requirements
 Process logging can require large amounts of storage

14.  Identify which application events should be logged:
 As much as possible, based on space requirements
 Log all network devices:
 Firewalls
 VPNs
 Routers
 Dialups
 Servers
 Use NetworkTime Protocol (NTP) to make log processing across
multiple machines easier
 Log by IP, do not resolve hostname

15.  Log Integrity
 Generate MD5 sums of log files when they are
saved and rolled over
 Use a secure (crypto-based) logging system:
 Core SDI
 syslog-ng
 IETF Secure Syslog

16.  Goal:To record needed network traffic to provide new evidence and
correlate activity. This is from the investigation perspective, not
detection.
 An IDS system can be used to record all events, but not generate
alerts
 A general sniffer can record all raw data
 tcpdump
 Ethereal
 Protocol analyzers can process raw output of tcpdump
 NetWitness
 Ethereal

17.  Available storage will be the only limitation of
how much data can be stored
 Specialized hardware or a SAN could be
worthwhile
 If monitoring is not always on, a dedicated
system should exist that can start monitoring
when an incident occurs

18.  Goal:To record host activity, not already being logged, which
will assist in a forensic investigation.
 This level of recording is needed for only the most sensitive
systems
 Keystroke recorders can be either:
 software: Run as services and can hide data in an encrypted file or will
email them to a remote location
 hardware: Device that the keyboard plugs into and saves the
keystrokes in hardware (does not record the window title)

19.  Goal:To document a system’s state
 A common task in forensics is to identify which binaries were
replaced with a trojan version
 Change management identifies which patch-level the
systems should be
 MD5 checksums can be calculated for each machine and
stored off-line (similar toTripwire)
 Configurations are recorded to identify which services are
supposed to be running and which are backdoors

20.  Goal:To document ownership of hardware
and addresses
 This is most useful with internal
investigations
 Allows one to identify the system with a
given MAC address (from DHCP logs)
 Allows one to identify who has a given
hostname (which is found in system logs)

21.  Goal:To set users expectation of privacy
appropriately
 An investigation may need access to a users
mailbox or other “private” data
 Identifying how much privacy users have should
be discussed before an incident occurs
 Data Protection Act requires users to be notified
and to accept any monitoring and for monitoring
to be a normal administration task. Suddenly
increasing monitoring is not acceptable under
the DPA.

22.  Goal:To build the infrastructure needed for an in-house
forensics lab (if one does not outsource it)
 The forensics lab has unique requirements from other
technology labs because of its legal requirements
 Location:
 Little traffic
 Secured by key badge or other auditable mechanism
 Camera surveillance
 Separate computer network
 A safe for long-term data storage (with sign-out sheets)

23.  Contents will vary depending on supported platforms
 At least one system of each supported platform
 Linux can mount most file system images and tools exist for
more advanced analysis (The Sleuth Kit)
 Windows does not have many tools native to it, but
specialized tools exist for analysis of windows systems
(EnCase etc.)
 Binary analysis capabilities
 Malicious code monitoring capabilities

24.  Many proactive steps can be performed to
effectively handle incidents
 Readiness forces an organization to consider
how to handle an incident before it occurs
 The amount of documentation required will
depend on the organization