High-Level Forensic Analysis for Rogue Wireless Access Point Investigation
Delve into the intricacies of forensic analysis in handling rogue Wireless Access Points (WAPs). Learn how to identify, preserve, and analyze digital evidence in investigating unauthorized WAPs, including establishing incident questions, determining where to find crucial information, and conducting forensic analysis to uncover the who, what, and when of rogue WAP activities.
Presentation Transcript
Slide 1: Preparing for Forensic Analysis
Security Planning
Susan Lincke

Title of the Presentation | 9/20/2024
Slide 2: Objectives
Students should be able to:
- Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause.
- Describe the steps to obtain computer forensic information during an investigation.
- Describe the general capabilities of a forensic tool.
- Describe the steps to copy a disk.
- Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, expert witness.

Slide 3: Computer Forensics
Information Systems Forensics: the process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding.

Slide 4: Aspects in Forensic Analysis (section divider)
Forensic analysis has three aspects: High-Level Forensic Analysis, the Technical Forensics Perspective, and the Legal Perspective. The next section covers High-Level Forensic Analysis.
Slide 5: Establishing High-Level Forensic Questions
Incident questions to investigate for a Rogue Wireless Access Point (WAP):
- When did the rogue WAP appear?
- Who connected to it?
- Who introduced it?
- How do we eliminate it?
- What information passed through the rogue WAP and may have been compromised?
- What else might the owner of the rogue WAP do?

Slide 6: Determining Where to Find Information: Rogue Wireless Access Point
Potential incident: Rogue Wireless Access Point

Important information to obtain | Where the information is accessible
Currently connected terminals (to the rogue WAP and to the true WAP) | Wireshark, with a wireless adapter in monitor mode, capturing current transmissions: 1) observe the MAC addresses talking to the rogue and the true WAP; 2) observe the MAC address of the rogue WAP and identify the network card type from its OUI; 3) follow signal strength toward the rogue WAP's area
Characteristics and identity of the rogue WAP | Wireshark (as above); DHCP server: MAC address, lease time and hostname of the rogue WAP; confirm that the wired-side Ethernet address and network card type match
Connection time of affected terminals and of the rogue WAP | DHCP: which MAC addresses held leases at which times, including the rogue WAP; true WAP: when MAC addresses associated with and left the true WAP
Location of the rogue WAP | Switch: identify the physical switch port and cable run from the rogue WAP's MAC address to determine where the rogue WAP connects; Wireshark signal strength; camera (if available nearby)
Apps used by persons during this time | DNS cache indicates IP addresses recently accessed
Person who installed the rogue WAP | Interviews; equipment inventory list (assigned person); camera (if available nearby)
What the rogue WAP accessed | Forensic analysis of the machine running the rogue WAP, to investigate or confirm what happened during the timeframe in question

Caveat: a rogue WAP that NATs its clients shows only its own MAC address to the DHCP server and the switch; a rogue WAP that bridges leaks every client MAC onto one switch port. In the first case the wireless capture is the only place to see who connected through it.
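As an added example (not from the slides or from the book's author), the following Python script correlates the DHCP, switch and inventory rows of the table above to locate a suspected rogue WAP. Every input is constructed: the lease lines mimic ISC dhcpd syslog output, the MAC table mimics a Cisco-style "show mac address-table" dump, the inventory is hypothetical, and the OUI list is a hand-picked three-entry subset standing in for the IEEE registry. The wireless (monitor-mode) capture step is not simulated.

```python
"""Correlate DHCP leases, the switch MAC table and the equipment inventory
to find a suspected rogue WAP, the switch port it hangs off, and whether
that port carries more MAC addresses than a single endpoint should.

Added example, not part of the original slides. All data below is constructed."""
import re
from collections import defaultdict

# --- constructed sample data -------------------------------------------------
DHCP_LOG = """\
Sep 20 08:02:11 dhcp1 dhcpd[812]: DHCPACK on 10.1.4.23 to 3c:22:fb:10:aa:01 (lt-jramon) via eth0
Sep 20 08:05:40 dhcp1 dhcpd[812]: DHCPACK on 10.1.4.57 to b8:27:eb:55:01:9c via eth0
Sep 20 08:06:02 dhcp1 dhcpd[812]: DHCPACK on 10.1.4.58 to a4:5e:60:77:3b:02 (phone-pat) via eth0
Sep 20 08:06:30 dhcp1 dhcpd[812]: DHCPACK on 10.1.4.59 to 3c:22:fb:91:00:7e (lt-unknown) via eth0
"""

MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
   4    3c22.fb10.aa01    DYNAMIC     Gi1/0/12
   4    b827.eb55.019c    DYNAMIC     Gi1/0/19
   4    a45e.6077.3b02    DYNAMIC     Gi1/0/19
   4    3c22.fb91.007e    DYNAMIC     Gi1/0/19
"""

# Authorised assets: MAC -> (asset tag, assigned person). Hypothetical.
INVENTORY = {"3c:22:fb:10:aa:01": ("LT-0412", "Jamie Ramon")}

# Hand-picked OUI subset (first three octets -> vendor); real work uses the IEEE list.
OUI = {"3c:22:fb": "Apple", "b8:27:eb": "Raspberry Pi Foundation", "a4:5e:60": "Apple"}

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?")


def parse_leases(text):
    """Return [(timestamp, ip, mac, hostname)] for every DHCPACK line."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append((m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def cisco_mac_to_colon(mac):
    """'3c22.fb10.aa01' -> '3c:22:fb:10:aa:01'."""
    h = mac.replace(".", "").lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return {mac: port} from a 'show mac address-table' dump (header skipped)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", parts[1]):
            table[cisco_mac_to_colon(parts[1])] = parts[3]
    return table


def vendor(mac):
    return OUI.get(mac[:8], "unknown")


def investigate(dhcp_text, mac_table_text, inventory):
    """For each leased MAC: time, vendor, switch port, inventory owner, and which
    other MACs share its port. A single access port carrying several MACs is the
    classic sign of a device bridging extra hosts onto that drop, e.g. a rogue WAP."""
    ports = parse_mac_table(mac_table_text)
    per_port = defaultdict(list)
    for mac, port in ports.items():
        per_port[port].append(mac)
    findings = []
    for ts, ip, mac, host in parse_leases(dhcp_text):
        port = ports.get(mac)
        findings.append({
            "time": ts, "ip": ip, "mac": mac, "host": host, "vendor": vendor(mac),
            "port": port or "not in MAC table",
            "inventory": inventory.get(mac, ("none", "unassigned")),
            "shares_port_with": [m for m in per_port.get(port, []) if m != mac],
        })
    suspect_ports = {p: macs for p, macs in per_port.items() if len(macs) > 1}
    return findings, suspect_ports


if __name__ == "__main__":
    results, suspects = investigate(DHCP_LOG, MAC_TABLE, INVENTORY)
    for f in results:
        print(f)
    print("ports with more than one MAC:", suspects)
```

Here the Raspberry Pi on Gi1/0/19, not in the inventory, is the likely rogue WAP, and the two MACs sharing its port are clients it bridges; the port number is what you take to the patch panel to find the physical location.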
Slide 7: Balancing Priorities
Consider the following priorities in advance of an event, and balance them against each other:
- Value: What information is most important?
- Effort: What information is easily accessible?
- Volatility: What information will disappear (e.g., the contents of memory)?

Slide 8: Technical Perspective: Methods to Collect Evidence
Three important methods to collect artifacts, again balancing value, effort and volatility:
- Collecting volatile information: the current picture of what is happening;
- Collecting and analyzing logs;
- Copying and analyzing disk images.

Slide 9: Computer Crime Investigation
Four considerations: identify evidence, preserve evidence, analyze a copy of the evidence, present evidence.
- Identify evidence: call Incident Response; take photos of the surrounding area; while the system is still in progress, copy memory, running processes, open files and connections.
- Preserve evidence: evidence must be unaltered and the chain of custody professionally maintained; preserve the original system in locked storage with minimum access; power down; copy the disk.
- Analyze the copied images, never the original.
- Present evidence.

Slide 10: Aspects in Forensic Analysis (section divider)
High-Level Forensic Analysis; Technical Forensics Perspective; Legal Perspective. The next section covers the Technical Forensics Perspective.
Slide 11: Network Forensics: Where to Find Forensic Information
- Firewall: connections, prohibited network- and transport-layer packets, configuration changes
- Wireless Access Point: MAC addresses, configurations, monitoring
- Router: source IP address tracking, illegal packets, statistics, configuration changes
- Authentication Server: successful/unsuccessful logon, unusual times
- DHCP: maps MAC address to IP address, possibly machine name; the OUI of the MAC address can indicate manufacturer/type
- DNS: cache lookups and query logs track who accessed which services when (e.g., email, web, ssh)
- Web Proxy: web accesses, malware origination, view downloaded web pages
- Application Server: view normal events, errors and abuses via logs
- Switch: maps MAC address to physical port, monitors traffic

Slide 12: Collecting Important Technical Information

Source | Security information | Sample attacks
Router | Source (reverse) IP address tracking, statistics, illegal packets | IP spoofing, DDoS, formatting errors (e.g., LAND, teardrop), footprinting/nmap, illegal destination IP or port numbers
Firewall | Prohibited packets for covered protocols, statistics | DDoS/flooding, amplification attacks, formatting errors, fragmentation attacks, exfiltration
DNS | Track who accessed which services when (email, web, ssh) | Inappropriate websites, DNS downloads
Application Server | View abnormal and abusive events, and potentially completed events | Formatting errors, encoding attacks, SQL attacks
Authentication Server | Successful/unsuccessful login, unusual times | Password attacks (dictionary, brute force), impersonation
Switch | Translate MAC address to physical port | MAC spoofing
Wireless Access Point | Identify (inappropriate) MAC addresses | Rogue WAP, MAC spoofing
Web Proxy | Track web accesses, cache status of web accesses | Malware origins, inappropriate web accesses
Intrusion Detection | Track specific application attacks | Nmap, encoding attacks
All devices | Configuration changes, cleared logs, logins | Hiding tracks, enabling backdoors, password attacks
Slide 13: Collecting Volatile Information
A jump drive enables the investigator to record volatile information reliably in a short time. The jump drive includes command script(s) containing the commands that record volatile information, together with its own trusted copies of the tools, since the binaries on the suspect host may have been replaced. Volatile information should be recorded in order of volatility and may consist of:
- Processor memory: cache and registers, in practice a RAM image taken with a memory-acquisition tool (for routers, switches and NIDS, this includes recording the running configuration).
- Network state, including current network connections, the routing configuration and the ARP table.
- List of running processes.
- Current statistics and recent command history.
- Swap file: the recent memory used by a computer for virtual memory purposes.
- Date and time, for evidentiary purposes. The date and time should be recorded as the first and last commands of the jump drive script.

Slide 14: Linux Commands

Command | Function
date | Display the current date and time (first command of the script)
dd if=/dev/mem of=/evidence/case123.memory | Copy main memory (/dev/mem) to /evidence/case123.memory or an appropriate path. Caveat: on current kernels /dev/mem is restricted (CONFIG_STRICT_DEVMEM) and does not expose all of RAM; a kernel-module acquirer such as LiME, or AVML, is used instead.
hostname | Print the host name of this machine
ls -la | List directory contents, including permissions and last-modification times
uptime | Display how long the system has been running
printenv | Print the environment variables (e.g., the command search path)
pstree -a | Display a tree of processes with their arguments
ps -ef | Display statistics of all current processes
who | Display logged-in users
last | Display the history of user logins and system boots
history | Display the shell's recent command history (a builtin, so it reads the current user's history; the size is set by HISTSIZE, commonly 500 or 1000)
ip addr, ip route, ip neigh | Display IP addresses, the routing table and the neighbour (ARP) table; the configured DNS server is in /etc/resolv.conf or shown by resolvectl status
netstat -an (or ss -tulpan) | Display connections and active network listeners
netstat -nr (or ip route) | Display the routing table
arp -a (or ip neigh) | Display the ARP table
systemctl list-units | Display the status of services
date | Display the current date and time (last command of the script)

Note: netstat and arp belong to the net-tools package, which many current distributions no longer install by default; ss and ip (iproute2) are the replacements.
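As an added example (not the slides' own script), the following Python collector runs the commands from the table above in order of volatility, writes the date first and last as the slide requires, and finishes with a SHA-256 manifest so that later modification of any collected file can be detected. Assumptions: the jump drive's trusted tool copies live in /media/jumpdrive/bin (TRUSTED_BIN), the case directory is on the jump drive rather than the suspect disk, and ss and ip stand in for netstat and arp where those are absent. In practice a statically linked shell and binaries are preferable to relying on the host's Python interpreter; this version illustrates the ordering and the manifest.

```python
"""Jump-drive volatile-data collector: ordered by volatility, timestamped first
and last, with a SHA-256 manifest over everything collected.

Added example, not from the slides. Paths under /media/jumpdrive are assumed."""
import hashlib
import os
import shutil
import subprocess
from datetime import datetime, timezone
from pathlib import Path

TRUSTED_BIN = Path("/media/jumpdrive/bin")   # assumed layout of the jump drive

# Most volatile first: connections and neighbours, then processes, users, config.
STEPS = [
    ("hostname", ["hostname"]),
    ("uptime", ["uptime"]),
    ("connections", ["ss", "-tulpan"]),
    ("connections_netstat", ["netstat", "-anp"]),
    ("routes", ["ip", "route", "show"]),
    ("neighbours_arp", ["ip", "neigh", "show"]),
    ("processes_tree", ["pstree", "-a"]),
    ("processes", ["ps", "-ef"]),
    ("logged_in", ["who"]),
    ("login_history", ["last"]),
    ("environment", ["printenv"]),
    ("services", ["systemctl", "list-units", "--type=service", "--no-pager"]),
]


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def tool_path(name):
    """Prefer the jump drive's copy of a tool; fall back to the host's and say so."""
    trusted = TRUSTED_BIN / name
    if trusted.is_file():
        return str(trusted), "trusted"
    return shutil.which(name), "host binary (untrusted)"


def run_step(case_dir, name, argv):
    """Run one command, recording its provenance, output, exit status and timing."""
    exe, origin = tool_path(argv[0])
    out = case_dir / f"{name}.txt"
    header = f"### {' '.join(argv)} [{origin}] started {utc_now()}\n"
    if exe is None:
        out.write_text(header + "### tool not available on this host\n")
        return None
    try:
        proc = subprocess.run([exe] + argv[1:], capture_output=True, text=True, timeout=30)
        body, status = proc.stdout + proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        body, status = f"### failed: {exc}\n", -1
    out.write_text(header + body + f"### exit status {status}, finished {utc_now()}\n")
    return status


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(case_dir):
    """Digest every collected file; the manifest itself goes in the chain-of-custody record."""
    lines = [f"{sha256_file(p)}  {p.name}" for p in sorted(Path(case_dir).glob("*.txt"))]
    (Path(case_dir) / "manifest.sha256").write_text("\n".join(lines) + "\n")
    return lines


def verify_manifest(case_dir):
    """True only if every collected file still matches its recorded digest."""
    case_dir = Path(case_dir)
    for line in (case_dir / "manifest.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        if sha256_file(case_dir / name) != digest:
            return False
    return True


def collect(case_dir):
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    (case_dir / "00_start.txt").write_text(utc_now() + "\n")   # date: first command
    for i, (name, argv) in enumerate(STEPS, 1):
        run_step(case_dir, f"{i:02d}_{name}", argv)
    (case_dir / "99_end.txt").write_text(utc_now() + "\n")     # date: last command
    return write_manifest(case_dir)


if __name__ == "__main__":
    for entry in collect(f"/media/jumpdrive/case123_{os.uname().nodename}"):
        print(entry)
```

Each output file records whether the binary came from the jump drive or from the (untrusted) host, which is exactly the question a defence attorney will ask about a live-response record.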
Slide 15: Collecting Initial Information
A forensic jumpkit includes:
- a laptop or memory stick preconfigured with protocol sniffers and forensic software;
- network taps and cables.
Since the attacked computer may be contaminated, only the jumpkit's own tools can be considered reliable.
The investigator is likely to:
- Take a full memory image snapshot, to obtain network connections, open files and in-progress processes.
- Photograph the computer: the active screen, and the inside and outside of the computer, to document the full configuration.
- Take a disk image snapshot to analyze the disk contents.
The investigator must not taint the evidence. E.g., a cell phone left on to retain evidence must be kept in a Faraday bag to shield it from connecting to networks.

Slide 16: Windows Log Priorities
Windows logs can be sorted by level when they are displayed. Levels include:
- Critical: requires immediate attention
- Error: a problem that does not require immediate attention
- Warning: a future problem is arising
- Information: for your information
Since logs may be modified by attackers to hide their tracks, it is important to forward logs, in particular security-related and high-priority logs, to a dedicated centralized log server.
Table 16.5: Important Windows Logs and their Sources (Example)
Slide 17: Important Windows Logs and their Sources (Example)

Important information | Device(s) | Required logs (Security event ID) | Notification method
Expanded security permissions | Windows | 4728, 4732, 4756: member added to a security-enabled global, local or universal group | Alert by SIEM
Password guessing | Windows | 4740: user account locked out | Alert by SIEM
Logs deleted or disabled | Windows | 1102: audit log cleared; 4719: system audit policy changed (can turn off auditing of a category); 4902: per-user audit policy table created | Alert by SIEM
Attempt to access a privileged file or directory | Windows | 4663: an attempt was made to access an object | Log
Access to the password hash file | Windows | 4782: the password hash of an account was accessed | Alert by SIEM
Computer account created | Windows | 4741: computer account created; 4742: computer account changed | Alert by SIEM
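As an added example (not from the slides), the following Python triage applies the table above to a stream of Windows Security events: the event IDs marked "Alert by SIEM" raise alerts, 4663 is only logged, and everything else is ignored. On top of the per-event rules it adds two correlations a practitioner would actually want: a password-guessing pattern (one caller computer locking out several accounts, from the 4740 "Caller Computer Name" field) and the "hiding tracks" pattern from the technical-information table (a 1102 log clear by a subject who already triggered an alertable event). The event records are constructed samples shaped like the fields Windows Event Forwarding delivers; they are not real Event Viewer exports.

```python
"""Windows Security event triage against the slide's table, plus two
correlations (lockout spray, clear-log-after-privilege-change).

Added example, not from the slides. EVENTS is constructed sample data."""
from collections import defaultdict

# EventID -> (meaning, action from the table)
RULES = {
    4728: ("Member added to security-enabled global group", "alert"),
    4732: ("Member added to security-enabled local group", "alert"),
    4756: ("Member added to security-enabled universal group", "alert"),
    4740: ("User account locked out", "alert"),
    1102: ("Audit log cleared", "alert"),
    4719: ("System audit policy changed", "alert"),
    4902: ("Per-user audit policy table created", "alert"),
    4663: ("Attempt made to access an object", "log"),
    4782: ("Password hash of an account accessed", "alert"),
    4741: ("Computer account created", "alert"),
    4742: ("Computer account changed", "alert"),
}

EVENTS = [  # constructed; 'subject' is the acting account, 'caller' the 4740 Caller Computer Name
    {"time": "2024-09-20T09:01:02", "id": 4663, "host": "APP1", "subject": "pat",
     "object": r"D:\patients\export.csv"},
    {"time": "2024-09-20T09:03:10", "id": 4740, "host": "DC1", "subject": "DC1$", "caller": "WS-PAT", "target": "jramon"},
    {"time": "2024-09-20T09:03:41", "id": 4740, "host": "DC1", "subject": "DC1$", "caller": "WS-PAT", "target": "cramon"},
    {"time": "2024-09-20T09:04:05", "id": 4740, "host": "DC1", "subject": "DC1$", "caller": "WS-PAT", "target": "terry"},
    {"time": "2024-09-20T09:06:00", "id": 4732, "host": "DC1", "subject": "pat", "target": "Administrators", "member": "pat"},
    {"time": "2024-09-20T09:07:30", "id": 1102, "host": "APP1", "subject": "pat"},
    {"time": "2024-09-20T09:08:00", "id": 4624, "host": "APP1", "subject": "terry"},  # ordinary logon, not in table
]


def triage(events, rules=RULES):
    """Split events into (alerts, logged, ignored); each row is (time, host, id, meaning, subject)."""
    alerts, logged, ignored = [], [], []
    for ev in events:
        meaning, action = rules.get(ev["id"], (None, None))
        row = (ev["time"], ev["host"], ev["id"], meaning, ev.get("subject"))
        {"alert": alerts, "log": logged}.get(action, ignored).append(row)
    return alerts, logged, ignored


def lockout_spray(events, threshold=3):
    """Password guessing across accounts: one caller computer producing 4740
    lockouts for at least `threshold` distinct target accounts."""
    targets = defaultdict(set)
    for ev in events:
        if ev["id"] == 4740:
            targets[ev["caller"]].add(ev["target"])
    return {c: sorted(t) for c, t in targets.items() if len(t) >= threshold}


def hiding_tracks(events, rules=RULES):
    """1102 (log cleared) by a subject who earlier triggered any alertable event."""
    seen, hits = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 1102 and ev["subject"] in seen:
            hits.append((ev["time"], ev["host"], ev["subject"]))
        elif rules.get(ev["id"], (None, None))[1] == "alert":
            seen.add(ev["subject"])
    return hits


if __name__ == "__main__":
    alerts, logged, ignored = triage(EVENTS)
    print(f"{len(alerts)} alerts, {len(logged)} logged, {len(ignored)} ignored")
    print("lockout spray:", lockout_spray(EVENTS))
    print("hiding tracks:", hiding_tracks(EVENTS))
```

The 1102 event is the one to watch: once the local log is cleared, only the copy already forwarded to the central log server (previous slide) still shows the 4732 group change that preceded it.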
Slide 18: Windows Event Viewer Logs
- Application: some Microsoft apps (e.g., Outlook, MS Edge)
- Security: audit policy failures, logon/logoff, resource utilization
- Setup: patches applied or failed to apply
- System: OS events such as low power and system connections
- Forwarded Events: logs forwarded from other systems are stored here
Slide 19: UNIX, Linux Logging Systems
UNIX/Linux system log capabilities include:
- syslog: the initial version.
- syslog-ng and rsyslogd provide extra capabilities: transport over both TCP and UDP, encryption (TLS), and enhanced configurability.
- rsyslogd ("reliable and extended syslog") also supports IPv6 and high-precision timestamps.
- systemd's journald (queried with journalctl) keeps a binary journal, reuses syslog's priorities, and can forward to a syslog daemon.
The format of a traditional Linux/UNIX log line is: <date> <time> <device> <command>[Process ID]: <log text>.

Slide 20: Where to Find Files in UNIX, Linux, Mac
UNIX, Linux and Mac configuration files are located in /etc. The log configuration file may be found under /etc, such as /etc/syslog.conf, /etc/rsyslog.conf, /etc/syslog-ng/syslog-ng.conf or, for journald, /etc/systemd/journald.conf. Logs are normally stored in files under /var/log, if not forwarded to a centralized log server. In the syslog configuration, each rule's selector is written as <facility>.<severity> and names the file that receives matching messages, where <facility> indicates the functional category (e.g., auth, kern, mail) and <severity> the priority; e.g., auth.* is commonly directed to /var/log/auth.log.
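As an added example (not from the slides), the following Python parser handles the traditional log line format quoted above, including the two variants a practitioner meets in /var/log: entries without a [PID] (sudo) and kernel lines. It then applies the parsed records to one of the authentication-server questions from slide 12, a run of failed logins followed by a success from the same source. The log excerpt is constructed.

```python
"""Parser for <date> <time> <device> <command>[PID]: <log text> lines, with a
failed-then-successful SSH login correlation over the parsed records.

Added example, not from the slides. SAMPLE is a constructed excerpt."""
import re
from collections import Counter
from datetime import datetime

SAMPLE = """\
Sep 20 10:52:58 app1 sshd[4102]: Failed password for root from 10.1.4.59 port 51022 ssh2
Sep 20 10:53:01 app1 sshd[4102]: Failed password for root from 10.1.4.59 port 51022 ssh2
Sep 20 10:53:07 app1 sshd[4107]: Accepted password for pat from 10.1.4.59 port 51030 ssh2
Sep 20 10:53:09 app1 systemd-logind[612]: New session 47 of user pat.
Sep 20 10:53:40 app1 sudo: pat : TTY=pts/1 ; PWD=/home/pat ; COMMAND=/bin/rm -f /var/log/auth.log.1
Sep 20 10:53:41 app1 kernel: [83721.104] usb 1-2: new high-speed USB device number 9 using xhci_hcd
"""

# <date> <time> <device> <command>[PID]: <text>; the [PID] part is optional.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} {1,2}\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def parse(text):
    """Return (records, unparsed_lines); records are dicts with date, time, host, proc, pid, msg."""
    records, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"]) if rec["pid"] else None
        records.append(rec)
    return records, unparsed


def by_process(records):
    """How many lines each daemon wrote: a quick sanity check on coverage."""
    return Counter(r["proc"] for r in records)


def password_attack_then_login(records, window=60):
    """Source IPs whose failed SSH password attempts are followed by a success
    within `window` seconds: (ip, user, time_of_success)."""
    last_fail, hits = {}, []
    for r in records:
        if r["proc"] != "sshd":
            continue
        m = re.match(r"(Failed|Accepted) password for (\S+) from (\S+)", r["msg"])
        if not m:
            continue
        # Traditional syslog lines carry no year; deltas within a day are still correct.
        t = datetime.strptime(f"{r['date']} {r['time']}", "%b %d %H:%M:%S")
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            last_fail[ip] = t
        elif ip in last_fail and (t - last_fail[ip]).total_seconds() <= window:
            hits.append((ip, user, r["time"]))
    return hits


if __name__ == "__main__":
    recs, bad = parse(SAMPLE)
    print(by_process(recs))
    print("unparsed:", bad)
    print("guess-then-login:", password_attack_then_login(recs))
```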
Slide 21: Creating a Forensic Copy
Steps for producing a mirror image of the original:
1) Calculate a message digest of the original before the copy.
2) Accuracy: the copying tool is accepted as accurate by the scientific community.
3) Forensically sterile destination: wipe existing data from the destination medium and record its sterility.
4) One-way copy: the original cannot be modified; set write-protect (a write blocker) on it.
5) Bit-by-bit copy: the mirror image includes every sector, not only allocated files.
6) Calculate the message digest of the original again after the copy; it must match step 1.
7) Calculate the message digest of the copy to validate its correctness against the original, then set write-protect on the copy.
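As an added example (not the slides' own tooling), the following Python script carries out steps 1 and 3 to 7 above against a constructed stand-in for the original disk: it hashes the source, zero-fills and checks the destination, copies block by block (padding unreadable blocks with zeros and recording their offsets, as dd conv=noerror,sync would), re-hashes the source, hashes the copy, and write-protects the image. The sample "device" is an ordinary file of 1 MiB + 513 bytes so the last partial block is exercised; step 2 (tool accepted by the community) and the hardware write blocker of step 4 are procedural and cannot be supplied by code.

```python
"""Bit-for-bit forensic copy with digests before and after, following the
seven steps on the slide.

Added example, not from the slides. The 'device' is a constructed file."""
import hashlib
import os
import stat

BLOCK = 64 * 1024


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_device(path, size=1024 * 1024 + 513):
    """Constructed stand-in for the original disk: deterministic pseudo-random bytes."""
    with open(path, "wb") as f:
        f.write(hashlib.shake_256(b"constructed sample disk").digest(size))
    return size


def sterilize(dest, size):
    """Step 3: overwrite the destination with zeros, then verify it really is all zeros."""
    zero = bytes(BLOCK)
    with open(dest, "wb") as f:
        for off in range(0, size, BLOCK):
            f.write(zero[: min(BLOCK, size - off)])
    with open(dest, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            if chunk != bytes(len(chunk)):
                raise RuntimeError("destination not sterile")
    return sha256_of(dest)  # recorded as evidence of sterility


def image(src, dst):
    """Steps 1, 3, 4, 5, 6, 7. Returns a report dict for the chain-of-custody record."""
    if os.path.exists(dst):
        raise FileExistsError("refusing to overwrite an existing image")
    report = {"size": os.path.getsize(src), "src_digest_before": sha256_of(src)}   # step 1
    report["dst_sterile_digest"] = sterilize(dst, report["size"])                  # step 3
    bad_blocks = []
    with open(src, "rb") as fin, open(dst, "r+b") as fout:      # step 4: source opened read-only
        off = 0
        while off < report["size"]:
            n = min(BLOCK, report["size"] - off)
            try:
                fin.seek(off)
                chunk = fin.read(n)
            except OSError:
                chunk = bytes(n)                                 # pad unreadable block with zeros
                bad_blocks.append(off)                           # and record where it was
            fout.write(chunk)                                    # step 5: every byte, in order
            off += n
    report["bad_blocks"] = bad_blocks
    report["src_digest_after"] = sha256_of(src)                  # step 6
    report["dst_digest"] = sha256_of(dst)                        # step 7
    os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)   # write-protect the image
    report["dst_mode"] = stat.S_IMODE(os.stat(dst).st_mode)
    report["match"] = (report["src_digest_before"] == report["src_digest_after"]
                       == report["dst_digest"] and not bad_blocks)
    return report


def demo(workdir):
    """Create the constructed sample disk under workdir, image it, return the report."""
    tag = f"case123_{os.getpid()}"
    src = os.path.join(workdir, f"{tag}_original.bin")
    dst = os.path.join(workdir, f"{tag}_image.dd")
    make_sample_device(src)
    return image(src, dst)


if __name__ == "__main__":
    for key, value in demo(".").items():
        print(f"{key}: {value}")
```

If the source is on failing media, bad_blocks will be non-empty and the image digest will legitimately differ from the source digest; the report then documents which offsets were padded, which is what has to be disclosed rather than hidden.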
Slide 22: Forensic Tools
Normalizing data = converting disk data to an easily readable form.
Forensic tools analyze the disk or media copy for:
- logs
- file timestamps
- file contents
- recycle bin contents
- unallocated disk contents and file slack
- specific keywords anywhere on the disk
- application behavior: the investigator launches the application on a virtual machine running identical versions of the OS and software packages.

Slide 23: Forensic Software Tools
- EnCase: interprets hard drives of various OSs, tablets, smartphones and removable media for use in court. (www.guidancesoftware.com)
- Forensic Tool Kit (FTK): supports Windows, Apple and UNIX/Linux OSs, including analysis of volatile (RAM and OS structures) and nonvolatile data for use in court. (www.accessdata.com)
- Cellebrite: handles commercial mobile devices for use in court. Mobile devices are connected via appropriate cables to a workstation with the forensic tool installed, or via a travel kit. (www.cellebrite.com)
- ProDiscover: analyzes hard disks for Windows, Linux and Solaris OSs. Its Incident Response tool can remotely evaluate a live system. (www.techpathways.com)
- X-Ways: specializes in the Windows OS. X-Ways can evaluate a system from a USB stick without installation and requires less memory. (www.x-ways.net)
- The Sleuth Kit: an open-source tool that evaluates Windows, Unix, Linux and OS X and is programmer-extendable. The Sleuth Kit (TSK) is the command-line tool; Autopsy is the graphical interface. (www.sleuthkit.org)

Slide 24: Example Required Skills & Training

Expertise | Name(s) | Contact information (email, phone) | Training completed (or needed)
Forensic software | | | Forensic certification
Networking, protocol analysis | | | Networking education or certification
Host logs: Windows, Linux, SIEM expertise | | | System certification (per system being analyzed)

Slide 25: Aspects in Forensic Analysis (section divider)
High-Level Forensic Analysis; Technical Forensics Perspective; Legal Perspective. The next section covers the Legal Perspective.
Slide 26: Computer Forensics
Did a crime occur? If so, what occurred? Evidence must pass tests for:
- Authenticity: the evidence is a true, unmodified original from the crime scene. Computer forensics must not destroy or alter the evidence; if the original disk is modified, it may be ruled inadmissible in a court of law.
- Continuity: the chain of custody assures that the evidence is intact and its history is known.

Slide 27: Chain of Custody
Timeline: who did what to the evidence, and when? (A witness is required at each step.)
- 10:53 AM: Attack observed (Jan K)
- 11:04: Incident Response team arrives
- 11:05-11:44: System ABC volatile memory copied (PKB & RFT)
- 11:15: System ABC brought offline (RFT)
- 11:45: System ABC powered down (PKB & RFT)
- 11:47-1:05: Disk ABC copied (RFT & PKB)
- 1:15: Disk copy ABC locked in a static-free bag in Building P, room 122 (RFT & PKB)

Slide 28: Chain of Custody Requirements
Chain of custody tracks who handled the evidence from minute to minute and ensures that the evidence was properly sealed and locked away with extremely limited access. The chain of custody document describes when and where the evidence was held/stored, and the name, title, contact information and signature of each person who held or had access to the evidence at every time point, and why they had access.

Slide 29: Chain of Custody
A chain of custody document tracks:
- Case number
- Device's model and serial number (if available)
- When and where the evidence was held/stored
- For each person who held or had access to the evidence (at every time): name, title, contact information and signature, and why they had access
It is useful to have a witness at each point. Evidence is stored in evidence bags, sealed with evidence tape.

Slide 30: The Investigation Report
The investigation report describes the incident accurately. It:
- Provides full details of all evidence, easily referenced
- Describes the forensic tools used in the investigation
- Includes interview and communication information
- Provides the actual results data of the forensic analysis
- Describes how all conclusions were reached, in an unambiguous and understandable way
- Includes the investigator's contact information and the dates of the investigation
- Is signed by the investigator

Slide 31: Digital Evidence
The digital evidence form describes a piece of evidence, including:
- Timeline: where and when it was collected, stored and imaged
- Witnesses to the transactions
- Evidence description: manufacturer, model, serial number, and digital hashes
Cryptographic hashes ensure that the forensic artifacts have not been modified. Evidence is stored in evidence bags, sealed with evidence tape, and kept in locked cabinets in a secured room.
Slide 32: Advanced: Judicial Procedure (applied to the U.S.)

Slide 33: The Investigation (U.S.)
Avoid infringing on the rights of the suspect. A warrant is required unless:
- the organization/home gives permission;
- the crime is communicated to a third party;
- the evidence is in plain sight or is in danger of being destroyed;
- the evidence is found during a normal arrest process; or
- police are in hot pursuit.
Computer searches generally require a warrant, except:
- when a signed acceptable use policy authorizes permission;
- if a computer repair person notices illegal activities (e.g., child pornography), they can report the computer to law enforcement.

Slide 34: Preparing for Court
When the case is brought to court, the tools and techniques used will be qualified for court:
- The disk copy tool and the forensic analysis tools must be standard.
- The investigator's qualifications include education level and forensic training and certification, from forensic software vendors (e.g., EnCase, FTK) or independent organizations (e.g., Certified Computer Forensics Examiner or Certified Forensic Computer Examiner). Some states require a private detective license.

Slide 35: A Judicial Procedure
Civil case:
- The plaintiff files a Complaint (or lawsuit).
- The defendant sends an Answer within 20 days.
- Discovery phase: plaintiff and defendant provide lists of evidence and witnesses to the other side, and request testimony, files and documents (responsive documents).
- The trial.
Criminal case:
- Law enforcement arrests the defendant and reads the Miranda rights.
- The prosecutor files an Information with charges, or a Grand Jury issues an indictment.
- Discovery phase, as above.
- The trial.

Slide 36: E-Discovery
Electronic responsive documents = Electronically Stored Information (ESI); their discovery is e-discovery. The U.S. Federal Rules of Civil Procedure define how ESI should be requested and formatted. E-requests can be general or specific: a specific document, or the set of emails referencing a particular topic. Discovery usually ends 1-2 months before trial, or when both sides agree. All court records become public documents unless specifically sealed.

Slide 37: Discovery Stage
- Depositions: interviews of the key parties, e.g., witnesses or consultants; a question-and-answer session; all statements are recorded by a court reporter, possibly on video. The deponent (person being questioned) may correct the transcript before it is entered into the court record.
- Declarations: written documents in which the declarer states their findings and conclusions. Full references to public documents help believability. A declaration includes name, title, employer, qualifications, often billing rate, role, and signature.
- Affidavit: a declaration sworn before and signed by a notary.
Both declarations and affidavits are limited to supporting motions.

Slide 38: Witnesses
Witnesses must present their qualifications.
Are notes accessible during discovery?
- NO: email correspondence with lawyers is covered by attorney-client privilege.
- YES: notes, reports, and chain of custody documents are discoverable.
Witnesses may include (least to most qualified):
- Fact witnesses report on their participation in the case, generally in obtaining and analyzing evidence.
- Expert consultants help lawyers understand technical details, but do not testify or give depositions.
- Expert witnesses provide expert opinions within reports and/or testimony, e.g., computer forensic examiners. They do not need first-hand knowledge of the case and can interpret evidence. Expert witness mistakes can ruin a reputation.

Slide 39: The Trial
In the U.S. and U.K., case law is determined by regulation and/or precedent: previous decisions hold weight when regulation is not explicit and must be interpreted.
Stages of the trial:
- Opening arguments
- Plaintiff's case
- Defendant's case
- Closing arguments
Burden of proof:
- U.S. and U.K. criminal case: beyond a reasonable doubt that the defendant committed the crime.
- U.K. civil case: the balance of probabilities, or "more sure than not" (the U.S. civil standard, preponderance of the evidence, is the equivalent).
Slide 40: Matching Question: Where to find information?
Sources: Jumpkit; DHCP; Domain Name Server; Switch; Forensic Software; Authentication Server.
Information: Translation of IP address to MAC address; Translation of MAC address to physical port; Sequence of Internet lookups; Volatile information; Successful and unsuccessful logins; File and disk usage.
Slide 42: Question
Authenticity requires:
1. Chain of custody forms are completed
2. The original equipment is not touched during the investigation
3. Law enforcement assists in investigating evidence
4. The data is a true and unmodified original from the crime scene

Slide 43: Question
You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to:
1. Use commands off the local disk to record what is in memory
2. Use commands off of a memory stick to record what is in memory
3. Find a witness and log times of events
4. Call your manager and a lawyer, in that order

Slide 44: Question
What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message digest
2. Forensic analysis for presentation in court should always occur on the original disk
3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs)
4. Forensic copies require a bit-by-bit copy

Slide 45: Summary
Planning is necessary: without preparation, no incident will be detected, and incident handlers should not have to decide in the middle of an incident what needs to be done.
Stages:
- Identification: determine what has happened
- Containment & Escalation: limit the incident
- Analysis & Eradication: analyze the root cause, repair
- Restore: test and return to normal
- Process Improvement
- (Possibly) Breach Notification
If the case is to be prosecuted, evidence must be carefully handled (authenticity and continuity), and expert testimony must be qualified, accurate and bullet-proof.
Slide 46: Health First Case Study: Preparing for Forensic Analysis
Characters: Jamie Ramon, MD (doctor); Chris Ramon, RD (dietician); Terry (Licensed Practical Nurse); Pat (software consultant).

Slide 47: Problem Statement
Consider one of the following scenarios:
1) The application server is heavily loaded; delays are becoming unbearable even to sales personnel.
2) An application server has reported that its log file is close to overflowing. This is abnormal; normally critical logs are stored offline weekly.
3) An application server's antivirus has reported malware.

Slide 48: Problem 1: What are the critical questions that should be asked?
(The deck answers by example with the rogue WAP incident questions of slide 5: when did the rogue WAP appear, who connected to it, who introduced it, how do we eliminate it, what information passed through it and may have been compromised, and what else might its owner do.)

Slide 49: Problem 2: Where can we get additional information that will help?
(The deck answers by example with the rogue WAP information table of slide 6: wireless capture, DHCP, the true WAP, the switch, the DNS cache, interviews, the equipment inventory list, cameras, and forensic analysis of the machine running the rogue WAP.)

Slide 50: Network Forensics: Where to Find Forensic Information
(A repeat of slide 11: firewall, wireless access point, router, authentication server, DHCP, DNS, web proxy, application server and switch as sources of forensic information.)