lesson 5 not 4

Card Set Information

lesson 5 not 4
2015-01-07 16:15:50
Lesson not
Lesson 5
Lesson 5 other lesson 5 is actually lesson 4

  1. When an incident happens, you need to know the process you should follow to learn how it happened and how you can prevent it from happening again.
    Network Forensics
  2. NOTE: The process of secure network forensics includes steps to preserve, identify, extract, and document the digital evidence of an incident. Using a systematic process like this helps us minimize any damage to the network and find ways to prevent similar incidents from happening in the future.
  3. The use of science and technology to investigate an incident, such as a crime. A purposeful look into how something happened.
  4. What are the 4 primary goals of computer or network forensic investigations?
    • Establish the evidence of an incident.
    • Recover data in unexpected events.
    • Find vulnerabilities that allow an incident.
    • Track activities of employees.
  5. What are the four steps in the forensic process?
    • 1. Define the goal of the investigation from your suspicions and concerns.
    • 2. Collect and protect the evidence of the incident.
    • 3. Document and analyze the verifiable evidence.
    • 4. Report findings, and take corrective action.
  6. NOTE: If you're working in a small- to medium-sized business, the incident response team is usually two people: the lead network administrator or technician, and a backup person who provides information to management and documents the actions and outcomes of the forensic investigation.
  7. NOTE: In a larger organization, the incident response team may require additional people, typically from the chain of command, including the head network administrator or IT manager and a senior management decision-maker, like the chief executive officer (CEO), chief information officer (CIO), or chief technology officer (CTO). If the incident is severe, such as a natural or man-made disaster, you may need to include the organization's media relations person, a legal representative, and possibly local law enforcement.
  8. NOTE: Depending on the size and impact of a security incident, first responders have certain laws they must adhere to in collecting evidence. To find out more, visit the Supplementary Material for this lesson, and click the link to the First Responders Guide to Computer Forensics. Then read the "Cyber Law" module of the document.
  9. NOTE: When working with your incident response team, it's very important that you or any team member be willing to admit when you need outside expertise to resolve the incident. Incident response should not be an exercise in ego. Rather, it's about fixing the issues, causes, and damages as quickly as possible.
  10. NOTE: First, you should immediately assess the situation--the sooner you do this, the better. Collecting as much information as you can about the impact of the incident will help you establish the goal for your investigation. It might help to talk with anyone who was near where the event took place to get a better idea of what you're dealing with. You should answer the following questions:
    -What is the incident's impact on the organization?
    -If you're able to isolate the affected devices or systems involved in the incident, does it reduce the impact to the organization?
    -What is your initial estimate of what it will take to resolve the cause of the incident?
    -Do you have the expertise necessary to resolve the incident?
  11. NOTE: Although the answers to these questions are preliminary and based only on your initial findings, you should document the answers on an _____________________. Include the date, the time of both the incident and your initial responses, and the names of anyone you spoke with or plan to contact about the incident.
    Incident Report
  12. NOTE: Documentation is a crucial part of any forensic investigation. Be sure to document every action you take and every person you talk to in your report!
  13. Should contain software utilities, most of which come bundled on Windows and Linux release media, or you can download them free. Exactly what you should include in this depends on your network, operating system, and so on.
    Incident Response (IR) toolkit
  14. NOTE: From your initial findings, you can establish the goal of your investigation and build your incident response plan. Obviously, the objective of all incident responses is to minimize harm and to maximize system availability. However, each particular investigation will have its own specific objective. For example, if an attacker has launched a Denial-of-Service attack on your network, the objective of the incident response should be to halt the attack as quickly as possible to restore services to network users. Should the incident be more at the level of a disaster, the objective is likely to be the restoration of services within a specific time.
  15. NOTE: It's always best to have a written general incident response plan. However, when the incident to which you are responding is very minor, you might actually work from a verbal incident response plan that follows the guidelines of the general, formal written plan. Regardless of its form, be sure to clearly communicate the plan to all team members.
  16. What are the 5 steps that should be included in your incident response plan?
    • 1. Isolate the affected systems or devices to minimize harm and protect the evidence. This step helps to preserve the "crime" scene.
    • 2. Gather data from the suspected systems or devices, and create backups if necessary. This is the "do no harm" step.
    • 3. Resolve the issues. This step involves fully investigating, applying a resolution to the cause of the incident, and securing the affected devices and systems. During this step, inform the team whenever the return to operation (RTO) estimates change.
    • 4. Return to operation (RTO). When a resolution for the incident is in place, the system should be fully tested and secured for operations.
    • 5. Follow up on the causes and vulnerabilities that led to the incident.
  17. NOTE: Be sure to keep track of all hours and expenses it takes to create a resolution to the incident and follow up on its causes. The cost-to-repair may come in handy when you're trying to justify the purchase of new technology to prevent the incident from reoccurring.
  18. Assessing the damage and coming up with a resolution. The goals are to determine the extent of any damage and to try to control any potential loss resulting from the incident. These are the primary goals of security incident first responders.
    Damage and loss control
  19. NOTE: When determining the extent of the damage, you should also determine whether the incident affects a single device or system, or a group or network of systems. With this knowledge, you should attempt to control loss by isolating the affected system from the network to prevent the cause from affecting other devices or systems. In fact, you may want to power down the remainder of the network to block the cause from spreading.
  20. What are the 5 activities you should avoid in order to preserve the evidence in an incident?
    • 1. Do not reboot or format the suspect system before capturing its log files.
    • 2. Do not clean or modify the suspect system until after forensic analysis.
    • 3. Do not delete any log files.
    • 4. Do not perform any action that may modify a log file.
    • 5. Do not pull the plug until all other forensics or investigative actions are complete.
  21. NOTE: Of course, just preserving the data isn't enough--you need to collect it so you can use it in your investigation.
  22. What are the three data types you should focus on during a network forensic investigation?
    • Active data
    • Archival data
    • Latent data
  23. This is visible data, and it's the easiest data to get. Visible means data that you can readily convert into a readable form, typically by printing it. This includes data files, programs, and operating system files.
    Active data
  24. Backups and stored data. Typically, on backup tapes, CD-ROMs, DVDs, hard drives, and other forms of removable storage devices.
    Archival data
  25. Is data you generally need a specialized tool to read or capture, such as main memory, CPU registers, and the like.
    Latent data
  26. To perform an effective forensic investigation on a suspect computer or network device, you should first understand the concept of __________________. Just like police detectives and crime scene investigators who gather evidence before actually beginning to solve a crime, the first step in any computer forensic investigation is to collect all of the relevant data, capturing the data with the highest volatility first.
    Order of Volatility
  27. In the context of incident forensics, means that some data has a shorter life (and availability) than others.
  28. The most volatile data on a computer, router, switch, or firewall is stored in _____________ because it's usually lost first as other processes overlay sections of memory. The contents of memory, swap files, network processes, and operating system processes are all lost when you shut down a suspect system.
    Primary memory (RAM or main memory)
  29. The data with less volatility?
    Persistent data
  30. What is the order of volatility for data storage locations?
    • 1. CPU registers, peripheral memory, cache memory
    • 2. Main memory
    • 3. Network States
    • 4. Active Processes
    • 5. Disk Storage
    • 6. Floppy disks, tape, backup media
    • 7. CD-ROMs, DVDs, printed materials
  31. What is the expected storage life of CPU registers, peripheral memory, and cache memory?
  32. What is the expected storage life of main memory?
  33. What is the expected storage life of Network states?
  34. What is the expected storage life of Active Processes?
  35. What is the expected storage life of Disk storage?
  36. What is the expected storage life of floppy disks, tape, backup media?
  37. What is the expected storage life of CD-ROMs, DVDs, printed materials?
    Tens of years
  38. NOTE: The reason that highly volatile data is important to the forensic process is that, in general, the data stored in the most volatile locations is the data that can give you the most insight into the situation or cause of an incident. The data in the CPU registers, main memory, and network states register can provide you with the current state of the system; the activities that are or were active at the time of the incident; the validity of the alert on the suspicious device; the root of the problem; and the time, date, and user responsible for the security incident. With this data, you may also be able to determine a timeline of the events leading up to and causing the incident.
  39. Store a variety of data including routing and message information, which may be valuable to your investigation if you believe that the source of the incident was a cellphone. Is a form of smart card that can store the data phone users see on the phone's display.
    Subscriber Identity Module (SIM) card

    Several devices and software are available that can read a SIM card and transfer its contents to a computer. In addition, there are software applications that make a copy of a phone's SIM card to another card - forensicSIM is one example.
  40. NOTE: In most cases, the source, actions, and accesses of an outside agent that causes an incident on a computer or network are in main memory or on one or more data storage devices. In order to review this data in volatile storage, highest to lowest, you need to create a snapshot of the system as close to the occurrence of the incident as possible. After you capture the data you need, you'll want to make a copy of it to perform your analysis. Working on a copy ensures that you don't accidentally alter or overwrite any evidence during your investigation.
  41. VERY IMPORTANT: Always use a copy of the data or other evidence for your investigation. Never do any analysis or testing on the original drive or data.
  42. NOTE: However, you should understand that before collecting the data you need to perform the forensics as a part of your incident response, you should clearly define the goal for your investigation. Having a clear goal will allow you to collect only the data and digital evidence you actually need.
  43. What are the 5 sources and methods you should keep in mind when collecting data or evidence for your investigation?
    • Capture system image
    • Screenshots
    • Witnesses
    • Network traffic
    • Activity logs
  44. Captures all the data residing in the main memory.
    Crash dump
  45. On many devices, including most networking devices such as routers, switches, and the like, the device operating system has the capability to capture the contents of volatile memory to an archive. There are also lots of specialized devices and software available to capture and analyze most, if not all, of the data in highly volatile memory.
    Capture System Image.
  46. Allows you to capture less volatile data, like that on a hard disk, including partition table, file allocation table (FAT), and the data partitions.
    Disk Image

    Before performing any forensic analysis on a suspect computer or device, create a disk image of all data. This will give you the information you need to analyze the incident fully. A capture of the data creates a copy, which provides you with three benefits.
  47. What are the three benefits of a disk image?
    • 1. Ensures that you don't inadvertently change the data during analysis.
    • 2. Makes it possible to reproduce the results of your forensic test using the exact same analysis methods on the original evidence.
    • 3. Captures the data that is invisible to the operating system, such as hidden partitions, ext3 partitions on Windows computers, and so on.
  48. Capturing the display of the computer monitor.

    A screenshot on a system experiencing a suspicious event can prove to be all the evidence you need to isolate the source or cause of the event. Of course, on larger secure networks, it can be virtually impossible for the secure network administrator to be physically present to create the screenshot at the precise moment.
  49. Used to capture the keystrokes of the computer's operator and to review the history of the Internet browsers on a computer.
    Key Logging
  50. NOTE: Some forensic software systems such as Helix3 provide you with a tool that allows you to capture the screen of any computer on a network from a central administrative location. These systems also allow the administrator to turn on key logging remotely.
  51. The testimony of witnesses.
    Testimonial evidence

    If the incident is serious enough to warrant criminal charges, it's better to gather testimonial evidence in a legal deposition. However, in the vast majority of security incidents, a witness is more likely to be a network user, security guard, or someone who just happened to be in the area at the time of the incident.
  52. NOTE: Witnesses typically are valuable when the incident involves a physical malicious action on the part of the perpetrator, such as someone intentionally damaging a network computer or emailing an administrative password to someone outside the organization and then bragging about it. Most security events occur without physical witnesses, but anyone with knowledge of the event or deeds is a witness nonetheless. In general, you want to include anyone who had physical access to a suspect device, or anyone with substantial access to or contact with a suspected perpetrator.
  53. A response to an incident on a network.
    Network forensics
  54. Where computer forensics captures its evidence from memory, disk, and other storage devices, network data can be much more volatile and, unless capture systems were in place at the time of the incident, may not be readily available. Network capture systems like packet filters, firewalls, and intrusion detection systems (IDS) anticipate an intrusion or attack.
    Network Traffic Capture
  55. What are the two methods used to capture network traffic for forensic investigation?
    • Read-and-store
    • Examine-on-the-fly
  56. This method passes all network traffic through a single network device that writes each packet to storage for later analysis. This method of capturing data requires a large amount of storage.
  57. This method scans the contents of every network packet and datagram and then saves only certain data. This method doesn't require as much storage space as read-and-store, but it does require a much faster processor to avoid creating a bottleneck on the network.
  58. Another important step in the forensics of an incident response is analyzing the activity logs, or performing _______________.
    Log analysis

    When gathering activity logs for your investigation, you can use one of two approaches: collect every log file available, or collect only those log files that directly relate to the goal of your investigation. The first approach is better in situations where your forensics goal is somewhat unclear. The second approach is the one to use when the goal of your investigation is relatively certain.
  59. NOTE: On a Windows system, the Event Viewer keeps application logs, security logs, and system logs. On a Linux system, a variety of log files is available in the /var/log directory, including messages, auth.log, kern.log, boot.log, and login records log.
  60. NOTE: Many network devices, especially routers and firewalls, keep log files as well. When investigating a network incident, you should collect the log files from those network devices that lie on the path of the incident. The rule parameters (rule-base) of any applicable firewalls may be useful as well. You may also want to request the logs from the perimeter router of your ISP.
  61. NOTE: Other log files you may want to analyze, depending on the nature of the incident, are Web server logs, application server logs, network switch logs, database logs, antivirus logs, and IDS logs. The best rule of thumb is to collect a log from every point on the network where authentication or authorization takes place.
  62. Allows a computer to log events at a time other than the current system time.
    Time offset

    It's common for large corporations to set the time offset on all networked devices so that when the corporate IT function consolidates the log files from all operating locations, the log events are all on the same time scale. When analyzing log files, you need to find out what the time offset is so that you can track the time of each log event to its actual local time.
  63. NOTE: You should document every incident that occurs, regardless of how insignificant it may seem at the time. If the incident is important enough to investigate, it is important enough to document.
  64. NOTE: Your organization, and especially the secure network administrators, should maintain an incident report file that contains an incident response summary sheet and all of the printouts, interview notes, investigative notes, and the details of any fix or corrective action taken. In fact, it's far better to document and then analyze the evidence and information concerning the incident than to just start attacking the problem. You want to avoid getting into a situation where you start fixing the problem and then go find out what the problem really is.
  65. Is a legal term for chronological documentation of the seizure, custody, control, transfer, analysis, and disposition of any evidence, physical or digital, gathered during the investigation of an incident.
    Chain of Custody

    The purpose of creating and maintaining a chain of custody document is to list exactly who had control or possession of any evidence during the forensic processes and when they had it. The primary legal purpose of a chain of custody is to establish that the collected evidence directly relates to the incident.
  66. Is like the digital fingerprint of a document or file.
    Hash value
  67. Produces the hash value from a document or file. It produces a fixed-length digital string, 32-bits in the case of MD5, from a variable-length data set that generates a string of alphabetic and numeric data unique to the document or file that it came from.
    Hashing algorithm
  68. NOTE: Using these hash values, forensic investigators are able to filter out the operating system or well-known application files in a data image, allowing them to focus on unknown files. A hashing process calculates a hash value for every file in the data image, and then a filtering process screens the hash values of the data image against a list of known file filters (KFFs), or good hash values. Any file's hash value with no match in the good hash set indicates a suspicious file. The ability to reduce the number of files in the review saves time for the investigation.
    Forensic Hashing
  69. NOTE: Essentially, we can use the same process to identify malicious files in the data image. This technique calculates a hash value for every file in the image and then looks for matches in a list of known malicious files--the bad hash set. This set includes viruses, hacker tools, or any other file you decide is malicious. In bad hash filtering, you want an alert whenever a match occurs.
  70. Is there a specific number of people that should be assigned to an incident response team?
    The size of an incident response team (IRT) depends on the nature of the incident. A suspected virus on a single network computer may require only a single technician, while a catastrophic disaster may require all of the IT department, along with consultants from hardware and software companies, public utilities, and more. Determine the size of the IRT when developing the incident response plan's objectives.
  71. What is the term we use to describe the priority, from high to low, for capturing data on an affected device?
    A. Computer Forensics
    B. Order of Importance.
    C. First-responder process
    D. Order of Volatility
    D. Order of Volatility
  72. When performing forensic testing and analysis, which version of a suspected system's data should you always use?
    A. A filtered copy of the captured data
    B. An exact copy or data image.
    C. The original data, to ensure its accuracy
    D. A printed copy of the contents of the captured data.
    B. An exact copy or data image.
  73. What are the first objectives of a security incident first responder?
    A. Document findings and the chain of custody.
    B. Assess damage and control loss
    C. Identify the perpetrator and call law enforcement.
    D. Question witnesses and create a chain of custody.
    B. Assess damage and control loss.
  74. Which type of data typically requires special software or hardware tools to capture?
    A. Encrypted data
    B. Latent Data
    C. Archival data
    D. Active data
    B. Latent Data
  75. To what list does forensic hashing compare the hash value of a document or file to determine if the file is unaffected?
    A. KFC
    B. KFF
    C. KBF
    D. LKGV
    B. KFF