System Forensics, Investigation, and Response Day 4 to end

• Internal General..3
  • Commonly done in house.
  • First Responders Often play key role.
  • May have to block attack, but consider options and include others who have a say.
• Internal Incident Response Policy..4
  • provide guidance when faced with attacks
• Internal First Responders..5
  • First responder Panic can be a big problem
    • May result in lost evidence
    • May tip off the culprit
    • Response policy can help prevent missteps
• Internal Initial Prognosis..6
  • Initial estimate
    • Is it an attack at all?
      • What systems were affected?
      • How were they affected?
    • Look at Logging
      • Sources affected/
      • servers to or from data was sent?
      • Other downstream or upstream victims?
• Internal Ongoing Damage..7
  • May need to take steps to stop damage
  • If a suueptitious attack (e.g., intrusion), consult with others before taking steps that may alert intruder to discovery.
  • Do not “Hack Back”
• Internal Report to others..8
  • Reporting to appropriate people
    • look to POC list
    • Inside and outside company
    • Call law enforcement if suspected criminal activity involved
  • Need-to-know policy if insider
  • consider reportin to other victims/vendors
• Internal Report to others..9
  • Use protected Channels of Communictation
  • Watch for social engineering attemts
• Internal Investigative Notes..10
  • Keep Great notes
  • Keep Notes (and logs) secure
  • Keep records that will quantify the damage
    • Investigate the nature of the incident and its source;
    • Identify vulnerability where accessed, altered or otherwise damaged;
    • Determine whether and to what extent data, programs, systems or information were accessed, altered or otherwise damaged;
    • Recreate deleted or modified data, programs and files;
    • Reload and reconfigure damaged software;
    • Patch the system to prevent similar attacks;
    • Re-secure the data, program, system and information and protect from further damage.
• Outsource General..12
  • Investigatios by third parties not unusual;
  • Same general rules-of-thumb apply to outsourcers as internal investigators
  • Insome jurisdictions, there may be a licensing requirement
• Outsource Special Considerations..13
  • There are some special considerations
  • The scope what the client has autorized the outsourcer to do should be clear
    • What is permitted
    • What is forbidden
    • What to do if it is unclear
  • Participation y client, and reporting to client
  • Outsourcer's duties of fidelity and confidentiality to the client also should be clear
  • Indemnity issues; what if the cousourcer violates rights of another; is client liable?
• Government Calling Law Enforcement..14
  • Once an incident looks like criminal activity, consider calling law enforcement
  • Situations that suggest illegal activity
  • Pros and cons
  • Timing (call before internal investigation, after, during?)
  • How to make the call
• Government Criminal Conduct..15
  • What is criminal?
    • Network Crimes (Computer Fraud and Abuse Act)
    • Wiretapping and Snooping (Wiretap Act; Electronic Communications Privacy Act)
    • Software Piracy
    • Using Network to commit traditional crimes
  • Network Crimes: The Federal Computer Fraud and Abuse Act (Pt 1)..16
    • Criminalizes inflicting certain types of damage to a protected computer
    • A “Protected Computer” means a computer
      • used by the federal government or
      • used by a financial institution, or
      • one that affects interstate or foreign commerce or communication of the United States (can be outside the U.S.).
  • “Damage” is defined as any impairment to the integrity of availability of data, a progam ,a system or information causing..17
    • $5,000 loss in 1-year period (government may aggregate certain losses), or
    • Impairment of medical records, or
    • Physical injury to a person, or
    • Threat to public health or safety or
    • Damage affectin a government system used for justice, national defense or national security.
  • Any reasonable cost to a victim counts as “loss” toward the $5,000 threshold, including:..18
    • costs of
      • responding to an offense,
      • conducting a damage assessment
      • restoring the data, progam, system, or other winfomation to its condition prior to the attack, and
    • Lost revenue, and
    • Any cost or consequential damage from service interruption
  • Law enforcement can aggregate losses among multiple computer and victims to reach threshold if losses resulted from a related course of conduct.
  • Intentional Conduct
    • knowingly transmitting a “program information, code, or cammand”
    • resulting in “damage” (without autorization) to a “protected computer”
  • Applies to insiders (e.g., employees) or outsiders (e.g., hackers)
  • Applies even w/o “access” (e.g., virus, DoS)
  • Reckless Conduct..20
    • Intentionally accessing a protected computer without authorization and
    • Recklessly causing damage [even accedentally]
    • Applies only to outsiders (no authority to access).
  • Access to the victim computer required.
  • Conduct Neither Intentional Nor Reckless..21
    • accessing a protected computer withour autorization and causing damage
  • Applies even if no intent to damage
  • Applies only to outsiders (no autority to access).
  • Access to the victim computer required.

• Network Crimes: The Federal Computer Fraud & Abuse Act (pt 2)..23
  • Criminalizes certain privacy intusions, too
    • Prohibits intentinally accessing computer without or in excess of authorization and
    • Thereby obtain information:
      • In a financial record or credit report
      • From a federal agency or
      • From a protected computer (if conduct involved an interstate communication)
• Network Crimes: The Federal Computer Fraud & Abuse Act (Pt 3)
  • Criminalizes improper access to retricted government information too.
  • Criminalizes trespass on a government system.
• Network Crimes: The Federal Computer Fraud & Abuse Act (Pt 3)
  • Other provisions prohibit:
    • Accessing a protected computer with intent to defraud and therby furthers the fraud and obtains sonething of value
    • Trafficking in information through which a computer can be accessed (e.g., passwords) without authorization
    • Threatening by interstat communication to damage a protected computer with the intent to extort moneyor anything of value.
  • Attempts are illegal, too.
• Network Crimes:..26
  • The Federal Wiretap Act [cat 5 cable]
    • The wiretap act covers the illega interception in real time of voice and electronic communications as they traverse networks
  • The Electronic Communications Privacy Act [stored data, disk, memory, wiretap logs]
    • The Electronic Communications Privacy Act covers the illega access to certain stored voice and electronic communications
• Child Porn..27
• Intelectural Property
  • Crimial copyright
  • Criminal trademark
  • criminal trade secrets
  • Digital Millennium Copyright Act
• Cyberstalking, threats and harassment
• Identity Theft
• Fraud, Drug dealing, other, etc.
• Government Common Cyber-Defenses..28 (Rob Lee Skipped to p.54)
• Attrubution is often the Key
  • Trojan Horse/hacker
  • Virus/Worm
  • Other malware
• Circumstances Can Add Light
• Good Forensics can help confirm or debunk
• Government International Aspects..30
• Cases frequently involve several nation states
• Multiple countries may be host to:
  • tools
  • Contraband
  • Evidence
  • Other Victims
  • Culprit
• Goals..31
  • “No safe havens”
  • Harmonious substantive laws against computer crime
• Procedures for domestic and international investigation
• Faster mutual legal assistance
• Trained and equipped personnel
• Extradite or prosecute criminals
• Mutual Legal Assistance requests ..32
  • Through central authority
  • Relatively fast
  • Abailable at investigative stage
  • based on treaty
• Letters Rogatory
  • Slower
  • No obligation to assist
  • issued by courts
• Assistance through US LE liaisons- FBI legal attaches, Secret Service Resident Agents..33
• Informal law enforcement assistance
• The G-8's 24/7 Point-of-contact network
  • Developed for use in cases involving electronic evidence
  • Have expanded outside the G-8
  • Supports preservation of evidence
• Council of Europe..34,35
  • Cybercrime Convention
  • Recommendation 95(13)
• G-8; High Tech Crime Subgroup of the Lyon Group..34,35
  • 24/7 Pint of Contact
  • Multilateral Conferences
• Asia-Pacific Economic Cooperation
• Organization for Economic Cooperation and Development
• Organization of American States
• Interpol
• United Nations
• Government Pros and Cons..36
• Statistics suggest victim reporting is uncommon– 20%
• Required Notification..45
• Some states [California being the first] have adopted notification requirements
  • Typically apply where personal information is compromised.
  • Most require notification to customers, but not to law enforcement
• Congress shown interest in same
• Government Who to Call..46
• Plan (and meet) in advance..47
  • Infragard program: www.infragard.net
  • U.S. Attorney's CHIPS programs
  • DHS National Infrastructure protection Center Hotline: 202-323-3205
  • CCIPS Web Site: www.cybercrime.gov
    • How to report a crime
  • On-Line Reproting..48
    • www.secretservice.gov/forms/form_ssf4017.pdf
  • List of FBI & USSS Field Offices
    • www.fbi.gov/contact/fo/fo.htm
    • www.secretservice/field_offices.shtml
    • www.infragard.net/chapters/index.htm
    • www.extaskforce.org/Regional_Locations.htm
• Government What is Expected from Victim?..49
• What law enforcement needs:
  • Access to staff who can explain in technical detail what happened and what evidence exists
  • Initial interviews will typically take from 2 to 4 hours
  • Access to evidence such as log files and hard drives
  • possibility of testimony (grand jury, court)
• What law enfocement doesn't need:..50
  • To seize victim computers. You will not be shut down.
  • To disrupt business in order to conduct our investigation.
• Proactive Measures
  • Designate a point of contact who is responsible for interacting with law enforcement
  • stay alert to possibility being deemed an “agent of the government”

• The Goals..52
  • Find Relevant data
    • inculpatory - [finding blame]
    • exculpatory - [clearing guilt]
• Finding the Relevant..53
  • General Rule: More is better
    • Imaging is gold standard
      • …
      • not always practical or necessary
    • look for backup medial
    • place on clean, preferably unalterable nedia and keep chain of custody intact.
• Authority Generally..54
  • Authority is often the key to legality
  • Well documented permissions helpful
    • internal investigator: Incedent response policy, job description, or other documentation
    • Outside contractor: Contracts and work orders
    • Law Enforcement: Often in the form of search warrant or other legal process
  • Be careful of restrictions on Authority
  • Proper Authority is Important
    • Sanctions can be serious
• Acquiring Stored Data: Stand-Alone Devices..57
  • Before seizing, duplicating or analyzing a storage device, identify the source of your authority
    • Consent of or abandonment by owner
    • Contract with someone with authority
    • Terms of service with subscriber or user
    • Search Warrant (or other legal process)
• Network Storage and Real-Time..58
  • Acquiring stored data from a network
    • Reviewing stored content or
    • logfiles on a network server
  • Acquiring data in real-time
    • “Eavesdroping” on traffic(sniffing)
    • content or traffic information

* Network Devices..60

• Stored Data from Networks Often More complicated that stand-alone
• Statutory rules based on the type of data on the network
• Electronic communications Privacy Act (ECPA)
• Others
  • Health Insurance Portability & Accountability Act (HIPAA)
  • Sarbanes-Oxley (SOX)
• Network Devices and ECPA..61
• ECPA governs access to and disclosure of stored files
  • provider/customer/government roles
  • Cannot necessarily share stored files with others
  • Three main categories are covered
    • Communications (e.g., e-mail, voicemail, other files)
    • Transactional Data (e.g., Logs reflecting with whom users communicated)
    • Subscriber/Session Information
  • www.cybercrime.gov/searchmanual.htm
• What stored communications records can network operators voluntarily provide to law enforcement?..62
  • Public or private providor?
    • ISP selling access is a public provider
    • A company that provides e-mail & voice mail service to emplyees is a private provider (VT)
• A private provider may disclose all without violating ECPA
  • Content
  • Transactional data
  • User information
• A public provider looks to statutory exceptions before disclosing content or non-content to government..64
• Public provider may voluntarily disclose the content of communications to government when:
  • Consent to do so exists (e.g., via a banner)
  • Rights and property will be protected.
  • Contents inadvertently obtained & pertain to commission of a crime.
  • The provider, in good faith, believes that an emergency involving dager of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
• Public provider may voluntarily disclose non-content records concerning a customer or subscriber:..65
  • When consent from the subscriber to do so exists (e.g., via a banner or user agreement)
  • To protect provider's rights and property
  • To the government “if the provider,in good faith, believes that an emergency involving dager of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”
  • To any person other than a governmental entity
• Real-Time..67
• Cannot intercept contents unless an exception applies; it's a wiretap
• Three Key exceptions:
  • Provider Exception
  • Consent of a Party
  • Computer tresspasser Exception
• Monitoring; Provider Exception..68
• Allows provider to conduct reasonable monitoring
  • to protect provider's “rights or property” or
  • When done in normal course of employment while engaged in any activity which is a “necessary incident to the rendition of his service”
• Is a limited exception. Not a crminal investigator's privilege.
• System administrator can track hackers within their networks in order to prevent further damage.
• scope not unlimited, need to tailor monitoring to its purpose.
• Monitoring; Consent Exception..70
• Interception allowed when user consents “in fact”
• Banner the Network

Your use of this network constitutes consent to monitoring and disclosure of the fruits of monitoring. You have no reasonable expectation of privacy on this network

• obtain the written consent of autorized users.
• Monitoring; Trespasser Exception..71
• Computer trespasser exception
• Allows law enforcement to intercept communication to or from “computer tresspassers”
• Even if trespasser is using system as a pass through to other down-stream victims
• A “computer trespasser” cannot be a person known by the provider to have an existing contractual relationship with the provider for use of the system
• Conditions:
  • The provider authorizes the interception,
  • The person intercepting is “under color of law”
  • The communication are relevant to an ongoing investigation and
  • No communications other than those sent to or received by the trespasser are intercepted.
• Provider receives immunity
• May combine this authority with other exceptions, such as consent.
• Monitoring; Header Information..73
• The Pen Registers, Trap and Trace Devices Statue governs real-time monitoring of traffic data (e.g., most e-mail header information, source and distination IP address and port)
  • Pen Register: outgoing connection data
  • Trap and Trace: incoming connection data
• Does not include content of communication (e.g., e-mail subject line or content of a downloaded file.)
• For non-content informationlike packet headers, rules are more flexible
• Provider exception is broad.
• Consent of user still allows acquisition
• Lawful Access Legislation..75
• “Lawful Access” legislation
  • US (CALEA)
  • UK (RIPA)
  • Germany (Telecom Act among others)
• Common Scope of requirements
  • Agencies given authority to compel production of data (stored and real-time)
  • Establishment by service provider of permanent intercept capability & capacity
• Common Permanent Capability Requirements
  • Ability to isolate target subscriber
  • capture in real-time
    • Call content
    • Call associated data / call detail records
  • Without tipping-off the target
  • Target list secure from outsiders and un-cleared insiders
• CALEA and IP switching
• HIPPA..77
• HIPAA Creates Uniform Federal Privacy Standard for Protected Health Information (PHI)
• Covers
  • Health Plans
  • Health Care Clearinghouses, and
  • Certain Health Care Providers
• HHS Implemented Security Rule to Protect Electronic PHI
• Covered Entities required to implemented safeguards
• Penalties for violation potentially serious
• If data from a “covered entity” made sure you're not in violation
• SOX..79
• Sarbanes-Oxley (US Public Company Account Reform and Investor Protection Act)
• Aimed at preventin, detecting and responding to insider fraud
• Serious sanctions for data destruction to impact government investigation
• Corporate governance policies, including
  • Incident response
  • Data retention and collection policies
  • internal audits
• GLB..80
• Gramm-Leach-Bliley (Financial Services Modernization Act
• Aimed at Financial Institution
  • This includes a surprising number of organizations
  • Education institutions are included
• Focus is protecting personally Identifiable financial information
• FERPA..81
• Family Education Rights and Privacy Act
• Aimed at Educational Institutions
• Focus is protecting personally identifiable information about students
• Other Data Worthy of Mention..82
• Child Pornography
• Credit Card Information
• Social Security Numbers
• Passwords
• Warez
• Attorney Materials
• Outside Reconnaissance..83
• Common Network Tools
  • Whois
  • Traceroute
• Aggressive
  • Hack Back
  • Fire Back
• Tools
• Normal Logging (Business Records)
• Investigative tools
  • No single uniform standard
  • follow your procedures
  • If none exist, do the best you can
• Courts like audit trails
• Whatever tool you use, keep notes

• Chain of Custody
  • Who handled the evidence
  • Goals
    • The evidence is that which was collected
    • the evidence had not been altered
  • Burden on party offering the evidence
  • does not necessarily require all to testify
  • admissibility v. weight
  • Evidence handling form may be useful
  • Secure location..87
  • Storage Procedures
  • Records of process followed

• Investigator May need to prepare a report
• Each Organization may have its own format

• Fundamentals of report Writing
  • Clarity
  • accuracy
• Style and tone
  • Professional
  • no slang
  • No prejudice or bias
  • no unsupported opinions
• In drafting, consider..90
  • scientific method
  • Audience
  • Legal Utility
• Fundamentals..91
  • Reflect use of scientific method
  • Sound Methods were employed
  • Results are repeateble and reliable
  • analysis was thorough
  • analysis was unbiased
  • Document your work in such a manner that it can be replicated
• Audience..92
  • Corporate
    • Management
    • systems administrators
    • peers
  • Law enforcement
    • Prosecutor
    • judge
    • jurors
    • witnesses
  • know what your audience wants and expects to be covered
• level of detail..93
  • Document your work so your steps are:
    • clear
    • repeatable by others
  • Your audience is probably not technical
    • Relevant tool output / screen shots in the body of a paper
    • the rest in an appendix
• Legal Aspect..94
  • Report May be needed in court
    • Write in a clear and concise manner
    • Conclusions are supported by valid and previously stated facts
    • Don't say something you can't prove
  • You may need to testify about it

• Basic Rules of Evidence..95
  • Relevance
    • Pertains to an issue in the trial
    • Burden on party seeking admission
  • Authentication
    • The evidence is what it purports to be
    • Testimony, circumstantial evidence
    • Frequently stipulated to
  • Evidence of Tampering..96
    • Easy to make claim of tampering
    • Often only inadmissible it there's an affirmative showing
  • Techniques to show no tampering
    • hash values
    • write blockers
    • chain of custody forms
    • testimony
  • Best Evidence Rule..97
    • “Original” is normally required
    • Accurate Printout from Computer Deemed “Oringinal”
  • Summaries and Demonstrations
  • Lay Witness Testimony..98
    • Personal knowledge
    • No specail skill required
    • Opinions generally not allowed
  • Expert Witness Testimony..99
    • Special Skill required
    • No personal knowledge required
    • Can state opinioins
    • Daubert/Frye Tests