Cybercrime and forensics
Investigation intro

Ing. Ondřej Ševeček | GOPAS a.s. | MCM:Directory | MVP:Security | CEH | CHFI | CISA | CISM | CISSP | [email protected] | www.sevecek.com
GOPAS: [email protected] | www.gopas.cz | www.facebook.com/P.S.GOPAS
4. 11. 2019



Cybercrime

Internal attacks

• physical access

• better internal information

• authenticated network access (read all)

External attacks

• foreign agencies (APT)

• spam/malware producers

• zero-day attacks

Cybercrime challenges

Speed

Volatile nature of evidence

Evidence size and complexity

Anti-digital forensics (ADF)

• steganography, slack space, bad sectors, inter-partition space, …

Global origin and difference in laws

• jurisdiction, attribution

• due care

Limited legal understanding of victims

Circumstantial essence of digital evidence


Civil vs. criminal vs. administrative investigation

Criminal investigation (Czech: trestní)

• law enforcement agencies

• standard forensic processes

• court's warrant for seizures

• formal reports required

• fine and/or jail

Civil/tort cases (Czech: občanskoprávní)

• supporting civil claims and inducing settlement

• searches are voluntary

• monetary compensation, no jail

• poor chain of custody

• poor chain of evidence (Czech: nepřerušitelnost důkazního řetězce, the unbroken evidence chain)

Administrative investigation (Czech: správní)

• non-criminal

• conducted internally by a government agency

• disciplinary action against employees

Rules of investigation

Record any changes to scene and evidence

Chain of custody

Store securely

Set and comply with your own standards for the procedures

Evidence should be strictly related to the incident

Use recognized tools


Digital evidence

any information of probative value that is either stored or transmitted in a digital form

Is circumstantial

Is fragile

• and usually volatile

Locard's exchange principle

Volatile vs. non-volatile data

Volatile data examples

• system time, logged-on users, open files, running processes, TCP connections, clipboard contents, services and drivers, command history, ...

• encryption keys and passwords (from memory, or cached on non-volatile storage)

Non-volatile data examples

• files and databases, hidden files and slack space, swap files, hidden partitions, registry settings and data, event logs, ...

• browser history, cloud storage clients (OneDrive, Google Drive, ...), installed applications, installed malware, installed rootkits, ...
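The volatile list above, turned into a live-collection script. This is an added example, not code from the slides or from GOPAS: it collects each item in order of volatility into one file per item on examiner-controlled media and writes a SHA-256 of every output into a collection log for the chain of custody. The case identifier and the output root are placeholder assumptions; run it from an elevated PowerShell on the live machine.

```powershell
# Added example, not from the slides: collect volatile data in order of
# volatility, one output file per item, and hash every file into a log.
# Case id and output root (removable media) are placeholder assumptions.
function Invoke-VolatileCollection {
    param(
        [string]$CaseId  = 'CASE-0001',
        [string]$OutRoot = 'E:\collect'
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $OutRoot "$CaseId-$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    $log = Join-Path $outDir 'collection-log.txt'

    # Most volatile first: clock, sessions, processes, sockets; then state
    # that also survives a reboot but is cheapest to grab while live.
    $tasks = [ordered]@{
        '01-system-time'      = { Get-Date -Format o; (Get-TimeZone).Id; w32tm /query /status 2>&1 }
        '02-logged-on-users'  = { query user 2>&1
                                  Get-CimInstance Win32_LogonSession |
                                      Select-Object LogonId, LogonType, StartTime | ConvertTo-Csv -NoTypeInformation }
        '03-processes'        = { Get-CimInstance Win32_Process |
                                      Select-Object ProcessId, ParentProcessId, CreationDate, ExecutablePath, CommandLine |
                                      ConvertTo-Csv -NoTypeInformation }
        '04-tcp-connections'  = { Get-NetTCPConnection |
                                      Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
                                      ConvertTo-Csv -NoTypeInformation }
        '05-network-config'   = { ipconfig /all 2>&1; arp -a 2>&1; Get-DnsClientCache | ConvertTo-Csv -NoTypeInformation }
        '06-open-files'       = { # files opened over SMB shares, then local handles
                                  # (openfiles needs the "maintain objects list" enabled; the error is kept as evidence)
                                  Get-SmbOpenFile | ConvertTo-Csv -NoTypeInformation
                                  openfiles /query /fo csv 2>&1 }
        '07-services-drivers' = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName | ConvertTo-Csv -NoTypeInformation
                                  Get-CimInstance Win32_SystemDriver | Select-Object Name, State, PathName | ConvertTo-Csv -NoTypeInformation }
        '08-clipboard'        = { Get-Clipboard -Raw 2>&1 }
        '09-command-history'  = { Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
                                      ForEach-Object { "## $($_.FullName)"; Get-Content $_.FullName } }
    }

    "case=$CaseId host=$env:COMPUTERNAME examiner=$env:USERNAME start=$(Get-Date -Format o)" | Set-Content $log
    if ($PSCommandPath) {
        # the collection tool itself is introduced onto the system, so it becomes part of the record
        "tool=$PSCommandPath sha256=$((Get-FileHash -Path $PSCommandPath -Algorithm SHA256).Hash)" | Add-Content $log
    }
    foreach ($name in $tasks.Keys) {
        $file = Join-Path $outDir "$name.txt"
        $t0   = Get-Date -Format o
        & $tasks[$name] 2>&1 | Out-String -Width 4096 | Set-Content -Path $file -Encoding UTF8
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        "$t0 $name sha256=$hash" | Add-Content $log
    }
    "end=$(Get-Date -Format o)" | Add-Content $log
    # Hash of the log itself goes onto the evidence bag label / examiner notes.
    Get-FileHash -Path $log -Algorithm SHA256
}

Invoke-VolatileCollection -CaseId 'CASE-0001' -OutRoot 'E:\collect'
```

Every command that fails (no RDS, no SMB, objects list disabled) leaves its error text in the corresponding file rather than being silenced, so the report can state exactly what could and could not be captured.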


Warranted or warrantless seizure

Warranted seizure

• exact, detailed specification of what is seized and why

• must not collide with the rights and privacy of other subjects

Warrantless seizure

• arranged on good grounds with the company/employer/ISP/cloud provider

• faster return of equipment

• or only data extracted by the third party, with possible court testimony

Properties of digital evidence

Believable

• the judge is an ordinary, non-technical user (Czech slang: BFU)

Admissible

• related to the fact being proved

Authentic

• real and related to the incident

Complete

• proves the attacker's actions, or his innocence

Reliable

• no doubt about the authenticity or veracity of the evidence


Some sources of evidence to note

printers and scanners, copiers

cookies

swap files

flash disks

smart cards

answering machines

digital cameras

modems

switches/routers/APs

pagers

GPS car tracking

Original evidence vs. copy

Best evidence rule

• prevents alteration of digital evidence

Court can accept a copy if the original evidence was destroyed

• due to fire/flood

• due to normal course of business

• or is in the possession of a third party

Original evidence vs. primary vs. secondary disk images


Hearsay

somebody says he/she heard something about something else

documentation

former testimony is not hearsay

Privacy issues

challenges based on unlawful search and seizure

fourth amendment

• vs. Patriot Act

• vs. fifth amendment

keep anonymity/privacy in internal investigations

• reasonable expectation of privacy

• reasonable expectation of work-related activities

company devices vs. BYOD


Forensic investigation process

Phases

Pre-investigation

• computer forensics lab

• tools and processes

Investigation

• acquisition

• preservation

• analysis

Post-investigation

• documentation

• adequate and acceptable to target audience

• report


Computer forensics lab

Physically secure

• badges, cameras, guards, access log, one entrance, ...

• fire suppression, humidity, ...

Software and hardware from trusted sources

• inventory with hashes

Workstations and/or laptops

LAN and internet connectivity?

• air-gap

Safe lockers and shelves

Work area

• no mixing of evidence and results

• chain of custody

Removable media for evidence collection, storage and transport

Digital cameras and video recorders

Everything documented and trusted

Everything tracked at any time

Forensic workstations

Trusted installation sources

• hash inventory stored separately

Do not update images

Cleaning and sanitizing after every investigation

• US DoD 5220.22-M (3 passes: 0 / 1 / random)

• German VSITR (7 passes: 0/1/0/1/0/1/random)

• SSD?, format?, SDELETE, TRIM/UNMAP

Virtualization

• one case at a time

Removable media and disk imaging technology, cameras, ...

• cleaning, documentation, tracking, ...

There is no exact court-mandated list of forensic lab equipment or tools, only trusted accreditation

• ISO 17025

• ASCLD/LAB (American Society of Crime Laboratory Directors)


Slow format

Windows Vista/2008+

• zeros the space

• uses TRIM/UNMAP if available

for MBR disks overwrites the BOOT sector only

• does not touch the MBR

• BOOTREC /fixmbr

zero files or free disk space with SDELETE

zero the whole disk with WinHEX

protect confidentiality by encrypting data from the start and destroying the encryption keys afterwards (crypto-erase)
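Before choosing between SDELETE, a slow format and key destruction, the examiner needs to know what the volume actually sits on. The following is an added example, not code from the slides: it resolves a drive letter to its physical disk, reads the media type from the controller's self-description, checks whether the OS is sending TRIM/UNMAP (the DisableDeleteNotify flag), and only allows an SDELETE free-space zeroing on magnetic media and only with an explicit switch. The drive letter used at the bottom is an assumption; `sdelete` (Sysinternals) is assumed to be on PATH.

```powershell
# Added example, not from the slides: decide how a lab volume can be
# sanitized by checking what it sits on. Run elevated; 'sdelete' is assumed
# to be on PATH (Sysinternals, not part of Windows).
function Get-SanitizationProfile {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd(':', '\')
    $disk   = Get-Partition -DriveLetter $letter | Get-Disk
    # Get-PhysicalDisk.DeviceId carries the disk number as a string
    $pd     = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$($disk.Number)" }

    # fsutil reports the DisableDeleteNotify flag per file system:
    # 0 = the OS sends TRIM/UNMAP on delete and format, 1 = suppressed.
    $out  = fsutil behavior query DisableDeleteNotify 2>&1 | Out-String
    $trim = if ($out -match 'NTFS DisableDeleteNotify = (\d)') { $Matches[1] -eq '0' } else { $null }

    $advice = if ($pd.MediaType -eq 'SSD') {
        'SSD: overwrite passes are not verifiable (remapping, over-provisioning); use the drive''s own secure/crypto erase, or keep it encrypted and destroy the key'
    } elseif ($pd.MediaType -eq 'HDD') {
        'magnetic: zero free space (sdelete -z) or the whole disk, then verify by reading back'
    } else {
        'media type not reported (VM or unusual controller): inspect the physical device before choosing'
    }
    [pscustomobject]@{
        Drive       = "${letter}:"
        DiskNumber  = $disk.Number
        BusType     = $pd.BusType
        MediaType   = $pd.MediaType      # HDD, SSD or Unspecified
        TrimEnabled = $trim
        Advice      = $advice
    }
}

# Zero free space with SDELETE. Refuses SSDs and does nothing without
# -Execute, so a typo never wipes the wrong media.
function Invoke-FreeSpaceZero {
    param([Parameter(Mandatory)][string]$DriveLetter, [switch]$Execute)
    $p = Get-SanitizationProfile -DriveLetter $DriveLetter
    if ($p.MediaType -ne 'HDD') { throw "$($p.Drive) is $($p.MediaType); overwriting gives no assurance" }
    if (-not $Execute) { return "would run: sdelete -accepteula -nobanner -z $($p.Drive)" }
    & sdelete -accepteula -nobanner -z $p.Drive
}

Get-SanitizationProfile -DriveLetter 'D'
Invoke-FreeSpaceZero -DriveLetter 'D'            # dry run; add -Execute to overwrite
```

The point of the SSD branch is the slide's own warning: once the controller remaps blocks and keeps an over-provisioned reserve, nothing the host writes through logical block addressing proves that the old cells were touched.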

Storage device (magnetic, SSD, …) from the sanitation perspective

[Diagram: computer → I/O bus (SATA, IDE, eSATA, M.3, mSATA, U.2, PCIe, USB, FC, SCSI, iSCSI) → storage controller → storage cells. The host sees the device only through logical block addressing (512 B or 4096 B blocks); the controller may keep the cells encrypted with its own key.]


Magnetic media normal erase process

[Diagram: on magnetic media the controller writes the new bit pattern straight over the old one at gate level; an overwritten sector holds only the new value.]

Memory cell (256 kB) rewrite requires zeroing the block first

[Diagram: on an SSD a flash block (256 kB in the slide's example) has to be erased before it can be rewritten. The controller keeps an allocation table mapping logical blocks to physical ones; part of the flash is an initially inaccessible free over-allocation (over-provisioning) area.]


[Diagram, continued over several steps: rewriting a non-empty block goes through the allocation table; the controller points the logical block at a free over-provisioned physical block instead of erasing in place, so the previous content remains in the old physical block until the controller erases it, invisible to the host.]

Many repeated SSD write operations break memory cells

[Diagram, several steps: the controller counts writes per block; blocks that wear out are retired and replaced from the over-provisioning area by updating the allocation table. A retired block, together with whatever it held, is no longer addressable from the host.]

TRIM/UNMAP

modern storage

• some SSDs, VHDX, Storage Spaces, ...

OS-initiated deallocation of free blocks

• format

• NTFS file delete of a non-resident allocation

• primary motivation: write speed

for non-empty blocks, each write operation must first read and erase the 256 kB block and write it back


Virtualization by design (memory + I/O)

[Diagram: a hypervisor (base OS) hosting vm1, vm2, vm3 ... vmX with isolation between each VM and its neighbours. The same diagram redrawn from the hypervisor's side: the hypervisor has full access to every VM's memory and I/O.]


Risk assessment and impact of forensic investigation

Long business disruptions

Replacement of collected hardware

Returns into production

• from the lab or police custody

• cleaning or physical destruction

Privacy issues with employees

Investigation

1. First response

2. Search and seizure

3. Evidence collection

4. Securing of the evidence

5. Data acquisition

6. Data analysis

7. Evidence assessment

8. Documentation and reporting

9. Testimony as expert witness


First response

First responder

Who

• law enforcement officer

• network administrator or support person

• CIRT officer

• an ordinary user on site (BFU)

What

• protecting, integrating and preserving the evidence

How

• should have complete knowledge of the whole investigation process


Tasks in detail

Stop and think

Identify the crime scene

Protect the crime scene

Preserve as much temporary and fragile evidence as possible

Collect all information about the incident

Document the findings

Package and transport the electronic evidence

What not to do

Untrained data recovery

Forgetting other hardware items

• copiers, desktop switches, chain locks, keyboard/mouse cord, flash drives, photo frames, cabling, ...

• non-electronic evidence such as tables, chairs, ...

Letting others onto the scene

Ignoring environmental or health hazards


Documenting the scene

Photographing and video recording

• 360-degree

• from entire scene to details

• use numbered markers

• cabling and other non-visible areas

• trash bins, paper shelves, ...

Notes

• power state of electronic devices

• persons in the scene

Search and seizure


Notes

consent, acceptable-use policy, activity monitoring

jurisdiction

warrants

• electronic devices search warrant

• service provider search warrant

preliminary interviews

• purpose of the system and current work

• passwords, social network accounts, off-site storage, unique security schemes or destructive devices

• backups

witness signatures + clear understanding

health and safety issues

Isolating electronic systems

unplug internet cables or close connectivity?

unplug cables from the other ports of switches?

• quarantine VLAN?

unplug the device or stop WiFi?

shut down the device?


Warrantless seizure

When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.

Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented.

Collecting evidence


Could we collect volatile evidence?

Do nothing

• mouse/CTRL only to wake up the monitor

• then shut down

Mouse, keyboard

• be careful about complex actions; every interaction changes the system

Introducing any tools on a removable device or from the network

• leave them there and collect them as evidence, document what was run

Mobile phone click-through bench

Video record everything

Physical evidence collection

Power off devices

• standard shutdown procedure

• unplug batteries if possible

Black-hole (Faraday) bags

• block remote wipe

Cables, peripherals

Papers

Trash bin items


Collecting evidence from social networks and service providers

Warrants

E-discovery by the service provider

• standard file formats

• trusted because of no motive and no conflict of interest

Social network data extraction from "friends" or other public profiles

• may require an expert witness to confirm the behaviour

• documentation/witness from the social network provider

Communication logs, messages, photos, friend reactions

• trusted time synchronization?

Securing the evidence


Chain of custody

What, where, when, by whom, transfers

Marking and evidence bags

• pre-agreed and documented format

Transporting and storing electronic evidence

Avoid computers upside-down

Avoid electromagnetic sources

Safe areas

• not leaving in vehicles

Heat/cold/humidity/vibrations

Back-seat instead of trunk


Evidence acquisition

Notes

No unauthorized users

Forensically clean devices used to obtain the evidence

Write-protection

Primary image -> analyze copies


Image creation

Any suitable solution trusted by the expert examiner

Write-protection

Bitwise copy

Hash creation and integrity verification

Disk image formats

DD

• raw disk data

• no header

• no 512/4K sector info

E01

• header + info

• compressed

VHD, VHDX

• Hyper-V virtualization - boot, attach

• Windows 7/2008+ can mount as a disk (R/O possible)
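The three formats above can be told apart from their signatures, and a raw image has no sector-size information, so the only check available on a DD file is whether its length is a whole number of 512 B or 4096 B sectors. The following is an added example, not code from the slides: it reads the first and last bytes of an image, classifies it as E01 (EWF), VHDX, VHD or raw, reports the sector-size divisibility, and compares the SHA-256 with the value recorded at acquisition. The path and expected hash in the usage line are assumptions.

```powershell
# Added example, not from the slides: classify a disk image by signature,
# sanity-check a raw image's length against 512/4096 B sectors, and verify
# its SHA-256 against the value from the acquisition form.
function Get-ImageInfo {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256
    )
    # Open read-only and shared, so a mounted or in-use image is never locked or written.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $head = New-Object byte[] 8
        $tail = New-Object byte[] 8
        $n = $fs.Read($head, 0, 8)
        if ($fs.Length -ge 512) {           # VHD keeps its footer in the last 512 bytes
            $fs.Seek(-512, [System.IO.SeekOrigin]::End) | Out-Null
            $fs.Read($tail, 0, 8) | Out-Null
        }
        $length = $fs.Length
    } finally { $fs.Dispose() }

    $ascii = [System.Text.Encoding]::ASCII
    # EWF/E01 segment files start with "EVF" 0x09 0x0D 0x0A 0xFF 0x00
    $format = if ($n -eq 8 -and [System.BitConverter]::ToString($head) -eq '45-56-46-09-0D-0A-FF-00') { 'E01 (EWF): header, compressed, sector size recorded inside' }
              elseif ($ascii.GetString($head) -eq 'vhdxfile') { 'VHDX: mountable / bootable in Hyper-V' }
              elseif ($ascii.GetString($tail) -eq 'conectix' -or $ascii.GetString($head) -eq 'conectix') { 'VHD: mountable / bootable in Hyper-V' }
              else { 'raw (DD): no header, sector size must come from the acquisition notes' }

    $hash     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $verified = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpper() } else { $null }
    [pscustomobject]@{
        Path         = $Path
        Format       = $format
        SizeBytes    = $length
        # a raw image whose length is not a multiple of its sector size is truncated, or not raw
        Multiple512  = ($length % 512) -eq 0
        Multiple4096 = ($length % 4096) -eq 0
        Sha256       = $hash
        HashVerified = $verified
    }
}

Get-ImageInfo -Path 'D:\case\primary.vhdx' -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
```

Run it on the primary image before every analysis session and on every working copy after it is made; a `HashVerified` of `False` on the primary means the chain of evidence is already broken and the copy must not be used.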


Virtualization

Isolates the possibly insecure environment

Running the imaged OS live (from a copy)

WinFE

HKLM\System\CurrentControlSet\Services

• MountMgr: NoAutoMount = DWORD = 1

• PartMgr\Parameters: SanPolicy = DWORD = 3

USB flash devices cannot be mounted from diskmgmt.msc; use DISKPART

• LIST DISK

• SELECT DISK

• ONLINE DISK
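The DISKPART sequence above brings a disk online, but ONLINE DISK alone lets the online transition write to the disk. The following is an added example, not code from the slides: it first confirms the two registry values that make WinFE keep disks offline and volumes unmounted, then runs a DISKPART script that sets the read-only attribute before the online step, and verifies the result with `Get-Disk`. The disk number in the usage line is an assumption; check LIST DISK first.

```powershell
# Added example, not from the slides: verify the WinFE write-protection
# registry state, then bring one evidence disk online read-only. Disk
# number is an assumption; confirm it with LIST DISK first.
function Test-WinFEWriteProtection {
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MountMgr' -Name NoAutoMount -ErrorAction SilentlyContinue
    $pm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\PartMgr\Parameters' -Name SanPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoMount = $mm.NoAutoMount     # 1 = volumes are not auto-mounted (no drive letters)
        SanPolicy   = $pm.SanPolicy       # 3 = OfflineAll: every newly seen disk stays offline
        Protected   = ($mm.NoAutoMount -eq 1 -and $pm.SanPolicy -eq 3)
    }
}

function Set-EvidenceDiskOnlineReadOnly {
    param([Parameter(Mandatory)][int]$DiskNumber)
    if (-not (Test-WinFEWriteProtection).Protected) {
        throw 'MountMgr/PartMgr are not in the WinFE offline state; refusing to touch disks'
    }
    # The read-only attribute is set *before* ONLINE DISK, so the online
    # transition (which may update disk metadata) already happens read-only.
    $script = @"
select disk $DiskNumber
attributes disk set readonly
online disk
"@
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $script -Encoding ASCII
    diskpart /s $tmp | Out-Null
    Remove-Item $tmp
    # IsReadOnly must be True and IsOffline False before any imaging tool opens the device
    Get-Disk -Number $DiskNumber | Select-Object Number, FriendlyName, Size, IsOffline, IsReadOnly, PartitionStyle
}

Test-WinFEWriteProtection
Set-EvidenceDiskOnlineReadOnly -DiskNumber 2
```

This is a software write block enforced by partmgr, not a hardware write blocker: it stops Windows from writing, it does not stop the device's own firmware, and it is only as trustworthy as the WinFE medium it runs from, which is why the registry check comes first.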


Windows storage device stack and WinFE

[Diagram, drawn in four stages: bus drivers → disk.sys (physical disk device, block I/O) → partmgr (partition device 1, partition device 2) → fsrec and the file system drivers NTFS.SYS / FASTFAT.SYS (file system I/O) → mountmgr, which hands drive letters C: and D: to user mode through the I/O manager. Stage 1, offline: with SanPolicy = 3 the disk stays offline, partmgr exposes no partition devices and the disk is effectively read-only (= R/O). Stage 2, after ONLINE DISK: partmgr exposes the partition devices. Stage 3: fsrec recognizes the file systems and NTFS.SYS / FASTFAT.SYS mount them. Stage 4: mountmgr assigns drive letters, which with NoAutoMount = 1 does not happen automatically.]

Hyper-V VM from disk images

original boot UEFI/BIOS

• VM generation 2 (UEFI) or VM generation 1 (BIOS)

note the UEFI Secure Boot state on the real hardware

OS Vista/2008/7/2008R2+

• boots always (basic SCSI/IDE controller drivers are always loaded)

• no NIC (original device and config kept in registry)

• deactivated (Windows activation does not survive the hardware change)

image -> .VHDX

• 512 B vs. 4096 B sector; the VHDX logical sector size must match the original disk

XP/2003

• VM generation 1 + enable the offline IDE controller in the registry