2. The goals of Forensic Readiness are to decrease the time and cost of Forensic Analysis (and Scope Assessment) while increasing their effectiveness.
The main idea in Forensic Readiness is to build an infrastructure that supports the data needs of an investigation.
The main areas include:
Logging and monitoring
Build Management & Inventory
User Policies
Reporting forms
3. Data is critical to Forensic Analysis
If the needed data is not being recorded, then it cannot be used in the investigation.
Forensic Readiness assesses what network and system information should be recorded every day and what should be recorded during an incident.
4. Goal: To create data entry forms that will contain the information that needs to be gathered during an incident
Every action performed during an incident should be documented.
Forms help to ensure that the proper data is recorded.
Examples:
Chain of Custody: Records who has control of the data at a given time
System Acquisition Form: When the response team takes a system from its owner, this records the system description and the owner's signature
Hard Disk Form: Records the history of each drive used during the incident, including serial numbers and which systems it was installed in
Investigator Log: Allows the responder to document their actions
Form templates are included in your course handbook and will be included on the course CD-ROM.
9. Log data can be crucial to the investigation
There are two major issues with logging and forensics:
1. Many incidents involve someone having unauthorized privileged user access, and most logs can be modified or deleted by such a user.
2. Not all systems are logging the information that is needed by and useful to an investigation.
10. All servers send a copy of their log data to a dedicated log server
The server can be on the normal network or on a dedicated network
The server is secured to allow only log data (syslog) and SSH access, and is considered a critical asset when patching systems
Syslog Example:
UNIX servers are configured to redirect syslog output
Windows servers use 3rd-party tools to send event logs to the server
11. All logs can be analyzed on a periodic basis to detect anomalies
Makes it more difficult for an attacker to modify the logs
It is important to correlate events from multiple sources, so we can compare the locally stored logs with the remotely stored logs
This server will be the target of many attacks, which may alert one to other attacks if it is watched closely
12. Windows stores logs in event files
3rd-party programs run on a scheduler and send new event entries to the syslog server:
Event Reporter (www.eventreporter.com)
NT Syslog (www.ntsyslog.sourceforge.net)
evlogsys.pl (Perl script)
Back Log (NT-only)
There is a slight window of opportunity with this model for the attacker to delete the logs before the collection tool runs
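The comparison slide 11 calls for, the host's own log against the copy held on the central syslog server, as an added example that is not part of the course material. The hostname, addresses and log lines are constructed; the central copy is treated as authoritative.

```python
"""Compare a host's locally stored log with the copy held on the central
syslog server (slides 11 and 12). Added example, not from the course; the
log lines are constructed."""
from collections import Counter

# Constructed: /var/log/auth.log of web01 as retrieved from the central log server.
CENTRAL_COPY = """\
Mar  3 02:14:01 web01 sshd[4121]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Mar  3 02:14:01 web01 sshd[4121]: pam_unix(sshd:session): session opened for user admin
Mar  3 02:16:44 web01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
Mar  3 02:17:09 web01 sshd[4130]: Accepted publickey for backup from 10.0.0.9 port 40110 ssh2
Mar  3 02:20:30 web01 cron[4150]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed: the same file as found on web01 after an intruder edited it:
# the sudo line is gone and the source address of the admin login was changed.
LOCAL_COPY = """\
Mar  3 02:14:01 web01 sshd[4121]: Accepted password for admin from 10.0.0.7 port 51022 ssh2
Mar  3 02:14:01 web01 sshd[4121]: pam_unix(sshd:session): session opened for user admin
Mar  3 02:17:09 web01 sshd[4130]: Accepted publickey for backup from 10.0.0.9 port 40110 ssh2
Mar  3 02:20:30 web01 cron[4150]: (root) CMD (run-parts /etc/cron.hourly)
"""


def compare_logs(central: str, local: str) -> dict:
    """Return the entries that differ between the two copies.

    Counters rather than sets, so deleting one of two identical lines
    (e.g. repeated failed logins) is still reported as a missing entry.
    """
    central_lines = Counter(l for l in central.splitlines() if l.strip())
    local_lines = Counter(l for l in local.splitlines() if l.strip())
    return {
        # On the server but not on the host: deleted or altered locally.
        "missing_locally": sorted((central_lines - local_lines).elements()),
        # On the host but not on the server: altered locally, or written after
        # the last forwarding run (the window of opportunity noted in slide 12).
        "not_on_server": sorted((local_lines - central_lines).elements()),
    }


def tamper_suspected(central: str, local: str) -> bool:
    """Any entry the server holds that the host no longer has is a red flag."""
    return bool(compare_logs(central, local)["missing_locally"])
```

An entry that appears only locally is not by itself proof of tampering, since it may simply postdate the last forwarding run, which is why the two lists are reported separately.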
13. Goal: To ensure that the proper data is logged and that it is stored in a form that can be used during forensics
Send logs to a central server to secure them during an attack
Ensure log files have strict permissions so that only a privileged user can write to them.
If possible, only allow the log to be appended to, and deny all read access
Identify what OS events should be logged:
User Logins
System Reboots
As much as possible, based on space requirements
Process logging can require large amounts of storage
14. Identify which application events should be logged:
As much as possible, based on space requirements
Log all network devices:
Firewalls
VPNs
Routers
Dialups
Servers
Use Network Time Protocol (NTP) to make log processing across multiple machines easier
Log by IP address; do not resolve hostnames
15. Log Integrity
Generate MD5 sums of log files when they are saved and rolled over
Use a secure (crypto-based) logging system:
Core SDI
syslog-ng
IETF Secure Syslog
16. Goal: To record needed network traffic to provide new evidence and correlate activity. This is from the investigation perspective, not detection.
An IDS can be used to record all events but not generate alerts
A general sniffer can record all raw data:
tcpdump
Ethereal
Protocol analyzers can process the raw output of tcpdump:
NetWitness
Ethereal
17. Available storage will be the only limitation on how much data can be stored
Specialized hardware or a SAN could be worthwhile
If monitoring is not always on, a dedicated system should exist that can start monitoring when an incident occurs
18. Goal: To record host activity, not already being logged, which will assist in a forensic investigation.
This level of recording is needed only for the most sensitive systems
Keystroke recorders can be either:
Software: Runs as a service and can hide the data in an encrypted file or e-mail it to a remote location
Hardware: A device that the keyboard plugs into and that saves the keystrokes in hardware (does not record the window title)
19. Goal: To document a system's state
A common task in forensics is to identify which binaries were replaced with a trojaned version
Change management identifies which patch level the systems should be at
MD5 checksums can be calculated for each machine and stored off-line (similar to Tripwire)
Configurations are recorded to identify which services are supposed to be running and which are backdoors
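One checksum routine serves both slide 15 (hashing log files as they are rolled over) and slide 19 (a stored baseline of each machine's binaries, Tripwire-style). This is an added example, not course material or Tripwire's code; it records MD5 as the slides specify and SHA-256 alongside it, and builds its sample tree in a temporary directory.

```python
"""Baseline file checksums and later verification, as used for rolled-over
log files (slide 15) and for spotting trojaned binaries against a known-good
build (slide 19). Added example, not course material; the sample files are
constructed in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path

def file_digests(path: Path) -> dict:
    """MD5 (as the slides specify) plus SHA-256, read in chunks to cope with large logs."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under root; the result is what gets stored off-line."""
    return {p.relative_to(root).as_posix(): file_digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, manifest: dict) -> dict:
    """Compare the tree as it is now with the stored manifest (SHA-256 decides)."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current
                           and current[k]["sha256"] != manifest[k]["sha256"]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }

def demo() -> dict:
    """Build a constructed tree, save its manifest as JSON, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "messages.1").write_bytes(b"Mar  3 02:14:01 web01 sshd: login\n")
        stored = json.loads(json.dumps(build_manifest(root)))  # as if written off-line
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary\n")  # replaced binary
        (root / "messages.1").unlink()                                # rolled log removed
        (root / "bin" / "sshd.bak").write_bytes(b"backdoor\n")       # unexpected new file
        return verify(root, stored)
```

The manifest is only as trustworthy as its storage, which is why the slides keep it off-line rather than on the machine it describes.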
20. Goal: To document ownership of hardware and addresses
This is most useful in internal investigations
Allows one to identify the system with a given MAC address (from DHCP logs)
Allows one to identify who has a given hostname (which is found in system logs)
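The lookup chain slide 20 describes, from an address or hostname in a system log to a MAC address in the DHCP log and then to an owner in the inventory, as an added example that is not part of the course material. The dhcpd-style log lines, MAC addresses, asset numbers and names are all constructed.

```python
"""Tie a hostname or IP address seen in a system log back to a MAC address
(from DHCP logs) and then to an owner (from the hardware inventory), as
slide 20 describes. Added example; log lines, inventory and names are constructed."""
import re
from datetime import datetime

# Constructed: ISC dhcpd-style syslog lines (ISO timestamps so they carry a year).
DHCP_LOG = """\
2004-03-03T08:01:10 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (ws-jdoe) via eth0
2004-03-03T09:15:42 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:aa:bb:cc:dd:ee (lab-laptop) via eth0
2004-03-03T09:20:00 dhcp1 dhcpd: DHCPACK on 10.0.1.40 to 00:11:22:33:44:55 (ws-jdoe) via eth0
"""

# Constructed: hardware inventory keyed by MAC address (slide 20's ownership record).
INVENTORY = {
    "00:11:22:33:44:55": {"asset": "WS-0412", "owner": "J. Doe", "location": "Finance, desk 12"},
    "00:aa:bb:cc:dd:ee": {"asset": "LT-0077", "owner": "IT loan pool", "location": "Helpdesk"},
}

ACK_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)

def parse_acks(log: str) -> list:
    """Return (timestamp, ip, mac, hostname) for every DHCPACK line, in log order."""
    acks = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if m:
            acks.append((datetime.fromisoformat(m["ts"]), m["ip"], m["mac"], m["host"]))
    return acks

def mac_for_ip_at(ip: str, when: str, acks: list):
    """MAC that held `ip` at ISO time `when`: the latest ACK for that ip not after `when`.
    Leases move between machines, so the timestamp from the system log matters."""
    t = datetime.fromisoformat(when)
    held = [a for a in acks if a[1] == ip and a[0] <= t]
    return max(held, key=lambda a: a[0])[2] if held else None

def macs_for_hostname(host: str, acks: list) -> set:
    """Every MAC that announced this hostname (a hostname is not guaranteed unique)."""
    return {a[2] for a in acks if a[3] == host}

def owner_of_ip_at(ip: str, when: str, acks: list, inventory: dict):
    """Inventory record for whoever held `ip` at `when`, or None if unknown."""
    mac = mac_for_ip_at(ip, when, acks)
    return inventory.get(mac) if mac else None
```

The time-aware lookup matters because the same address is handed to a different machine within the hour in the sample log; an owner lookup without the timestamp from the system log would name the wrong person.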
21. Goal: To set users' expectation of privacy appropriately
An investigation may need access to a user's mailbox or other "private" data
How much privacy users have should be decided and discussed before an incident occurs
The Data Protection Act requires users to be notified of and to accept any monitoring, and for monitoring to be a normal administration task. Suddenly increasing monitoring is not acceptable under the DPA.
22. Goal: To build the infrastructure needed for an in-house forensics lab (if one does not outsource it)
The forensics lab has requirements that differ from other technology labs because of its legal requirements
Location:
Little traffic
Secured by key badge or other auditable mechanism
Camera surveillance
Separate computer network
A safe for long-term data storage (with sign-out sheets)
23. Contents will vary depending on supported platforms
At least one system of each supported platform
Linux can mount most file system images, and tools exist for more advanced analysis (The Sleuth Kit)
Windows does not have many tools native to it, but specialized tools exist for analysis of Windows systems (EnCase etc.)
Binary analysis capabilities
Malicious code monitoring capabilities
24. Many proactive steps can be performed to effectively handle incidents
Readiness forces an organization to consider how to handle an incident before it occurs
The amount of documentation required will depend on the organization