Ethical Hacking and Countermeasures v6
Computer Forensics and Incident Handling
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures, Version 6
Module LVII: Computer Forensics and Incident Handling
Exam 312-50
Module LVII Page | 3969
Ethical Hacking and Countermeasures v6 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Scenario
Orient Recruitment Inc. is an online human resource recruitment firm. The firm's web server is a critical link.
Neo, the network administrator, notices unusual activity targeted at the web server: it is overloaded with connection requests from a huge number of different sources.
Before he can gauge the scale of the attack, the website of Orient Recruitment Inc. falls to the famous Denial-of-Service attack.
The company management calls in the local Incident Response Team to look into the matter and resolve the DoS issue.
What steps will the incident response team take to investigate the attack?
Module Objective
This module will familiarize you with:
Computer Forensics
What is an Incident?
Categories of Incidents
Incident Response Checklist
Handling Incidents
Procedure for Handling Incident
Incident Management
Incident Reporting
What is CSIRT?
Types of Incidents and Level of Support
Incident Specific Procedures
Best Practices for Creating a CSIRT
World CERTs
Module Flow
The module proceeds in the following order:
Computer Forensics
What is an Incident?
Categories of Incidents
Incident Response Checklist
Procedure for Handling Incident
Incident Management
Incident Reporting
What is CSIRT?
Types of Incidents and Level of Support
Incident Specific Procedures
Best Practices for Creating a CSIRT
World CERTs
To know more about computer forensics, attend EC-Council's CHFI program.
Computer Forensics
What is Computer Forensics?
According to Steve Hailey of Cyber Security Institute, computer forensics is:
“The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
A second definition:
“Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”
Preservation
The forensic investigator must preserve the integrity of the original evidence; it must not be modified or damaged. The examiner makes an image or copy of the original evidence and performs the analysis on that copy, then compares the copy with the original to detect any modification or damage.
Identification
Before starting an investigation, the examiner must first identify the evidence and its location. Evidence may reside on hard disks, on removable media, or in log files. Every examiner must understand the difference between the actual evidence and the containers that hold it. Locating and identifying data is a challenge for the digital forensics investigator; examination processes such as keyword searches, log file analysis, and system checks help here.
Extraction
Once the evidence has been identified, data must be extracted from it as soon as it is located, since volatile data can be lost at any moment. The investigator extracts this data from the copy made of the original evidence; the extracted data is then compared with the original and analyzed.
Interpretation
The most important role of a forensic examiner during an investigation is to interpret what has actually been found. The analysis and inspection of the evidence must be explained lucidly.
Documentation
Documentation relating to the evidence must be maintained from the beginning of the investigation until the evidence is presented before the court of law. The documentation comprises the chain-of-custody form and the documents relating to evidence analysis.
Computer Forensics Methodologies
The basic methodology consists of what one can think of as the three A’s:
Acquire the evidence without modifying or corrupting the original.
Authenticate that the recovered evidence is the same as the originally seized data.
Analyze the data without any alterations.
Due to the growing misuse of computers in criminal activities, a proper set of investigation methodologies is needed. Apart from methodologies, forensic tools also play an important role, for example by enabling the examiner to recover deleted files, hidden files, and temporary data that the user cannot locate. Evidence acquired from computers is fragile and can easily be erased or altered, and a seized computer can be compromised if it is not handled using proper methodologies.
The methodologies used in computer forensics may differ depending on the procedures, resources, and target of the company. Stand-alone computers, workstations, servers, and online channels are the fundamental areas a forensic investigator must concentrate on. Investigation of stand-alone computers, workstations, and removable media can be simple, whereas examination of servers and online channels can be complicated and tricky.
Auditing and logging during investigations are often neglected, yet they play a key role: they must be given due importance, as they provide leads in the case.
Need for Computer Forensics
According to James Borek (2001), “Computer Forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim.”
Computer forensics has grown in importance as computers have become exposed to malicious use. Computers are either used as a tool to commit a crime or are themselves the target of attacks. Crimes are committed with computers, and crimes are recorded on computers, including company policy breaches, fraud records, email crimes, disclosure of valuable proprietary information, and even terrorist activities.
Law enforcement officials, network and system administrators of IT firms, attorneys, and private investigators depend on qualified computer forensic experts to investigate their criminal and civil cases.
A majority of documents today exist in electronic format. Computer evidence is delicate in nature and must therefore be recorded to avoid the loss of valuable evidence. Computer forensics includes locating and recovering data that resides on a computer system, including deleted, encrypted, or damaged data. This data is helpful when presenting testimony before the court of law.
Objectives of Computer Forensics
The critical phase of a computer forensic investigation is presenting the inferences of the previous phases (acquisition and analysis). The objective is obvious: the discovered evidence must be presented in a way that the court of law accepts, which increases the chances of winning the case.
The other objective is to discover the evidence quickly and accurately. The impact of the crime on the victim, such as loss of reputation and data, has to be estimated along with the intent and identity of the intruder.
Stages of Forensic Investigation in Tracking Cyber Criminals
The flow diagram on the slide shows the following stages:
1. An incident occurs in which the company's server is compromised.
2. The client contacts the company's advocate for legal advice.
3. The advocate contracts an external forensic investigator (FI).
4. The FI prepares the First Response of Procedures (FRP).
5. The FI seizes the evidence at the crime scene and transports it to the forensics lab.
6. The FI prepares bit-stream images of the files.
7. The FI creates an MD5 hash of the files.
8. The FI examines the evidence files for proof of a crime.
9. The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs.
10. The FI hands the sensitive report to the client in a secure manner.
11. The advocate studies the report and might press charges against the offender in the court of law.
12. The FI usually destroys all the evidence.
Key Steps in Forensic Investigations
The general procedure in a forensic investigation is as follows:
1. The investigation is initiated the moment a computer crime is suspected.
2. The immediate response is to collect preliminary evidence. This includes photographing the scene and marking the evidence.
3. Obtain a court warrant for seizure (if required).
4. Perform first responder procedures.
5. Seize the evidence at the crime scene. After seizure, number the evidence and lock it away safely.
6. Securely transport the evidence to the forensic laboratory.
7. Create two bit-stream copies of the evidence. Do not tamper with the original disk; doing so might change the time stamps.
8. Generate an MD5 checksum on the images.
9. Prepare the chain of custody. Any change would call the admissibility of the evidence into question.
10. Store the original evidence in a secure location, preferably away from any easily accessible location.
11. Analyze the image copy for evidence.
12. Prepare a forensic report that describes the forensic method used and the recovery tools used.
13. Submit the report to the client.
14. If required, attend the court and testify as an expert witness.
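Steps 7 to 9 above (imaging, MD5 checksum, chain of custody) are the parts of the procedure a practitioner can mechanise, and they are also what the Preservation paragraph and the "Authenticate" step of the three A's describe. The following Python script is an added example, not EC-Council's code or any tool from the module's list: it images a constructed in-memory "device" twice in a single read pass, checks each image against the original by MD5 (as the module prescribes) and additionally by SHA-256 (MD5 is no longer collision-resistant, so a second digest is now standard practice), and emits a chain-of-custody record. The function names, the JSON record layout and the fake device contents are all assumptions of this example.

```python
"""Added example, not EC-Council's code: acquire two bit-stream images of a
source device without writing to it, authenticate each image by hash, and
record a chain-of-custody entry.  The 'device' is a constructed in-memory
byte stream so the script runs offline."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: large media never have to fit in memory


def hash_stream(stream):
    """MD5 (as the module prescribes) and SHA-256 (MD5 is no longer
    collision-resistant) over the whole stream, read in chunks."""
    stream.seek(0)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def digests_of(data):
    """Convenience wrapper: digests of an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire_images(source, copies=2):
    """Step 7: produce `copies` bit-for-bit images of `source` in one pass.
    The source is only ever read; all later analysis is done on an image."""
    images = [io.BytesIO() for _ in range(copies)]
    source.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        for image in images:
            image.write(block)
    return images


def authenticate(source, image):
    """Step 8: an image is authentic only if every digest matches the original."""
    return hash_stream(source) == hash_stream(image)


def custody_entry(evidence_id, digests, custodian, action):
    """Step 9: one chain-of-custody record (who, what, when, which bytes).
    The JSON layout is this example's assumption, not a standard form."""
    return json.dumps({
        "evidence_id": evidence_id, "custodian": custodian, "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(), **digests,
    }, sort_keys=True)


def acquire_and_verify(source, evidence_id, custodian):
    """Image, verify every image, refuse the acquisition if any image fails,
    and return (images, original digests, custody record)."""
    original = hash_stream(source)
    images = acquire_images(source)
    if not all(authenticate(source, img) for img in images):
        raise RuntimeError("image does not match original; re-acquire")
    entry = custody_entry(evidence_id, original, custodian, "acquired 2 images")
    return images, original, entry


# Constructed evidence: a fake 4 MiB device with a recognisable first bytes.
FAKE_DEVICE = io.BytesIO(b"\x33\xc0\x8e\xd0" + b"\x00" * (4 * 1024 * 1024 - 4))


def demo():
    """Run the workflow on the constructed device and show that a one-byte
    change in an image is caught.  Returns the results for inspection."""
    images, original, entry = acquire_and_verify(FAKE_DEVICE, "EV-2008-001", "J. Examiner")
    tampered = io.BytesIO(images[1].getvalue()[:-1] + b"\xff")
    return {
        "images": len(images),
        "md5": original["md5"],
        "custody": entry,
        "tampered_detected": not authenticate(FAKE_DEVICE, tampered),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On real media `source` would be the block device opened read-only behind a hardware write blocker and the images would be written to files rather than `BytesIO`; the hashing and verification logic does not change.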
List of Computer Forensics Tools
The following is a list of forensics tools:
Helix
Pslist
Fport
Psloggedon
RegScanner
X-Ways Forensics
Traces Viewer
Sleuth Kit
SMART
Penguin Sleuth Kit
Process Explorer
Autoruns
Irfan View
Adapterwatch
Necrosoft Dig
Visual TimeAnalyzer
Evidor
Ontrack
Forensic Sorter
Directory Snoop
Incident Handling
Present Networking Scenario
Increase in the number of companies venturing into e-business
coupled with high Internet usage
Decrease in vendor product development cycle and product
testing cycle
Increase in the complexity of Internet as a network
Alarming increase in intruder activities and tools, expertise of
hackers, and sophistication of hacks
Lack of thoroughly trained professionals as compared to the
number and intensity of security breaches
Present Networking Scenario
Today's network is growing at a rate comparable to the expansion of the universe described by the Big Bang theory. The Internet as a world wide web is growing very fast, and the many applications running on it are growing faster still, increasing the complexity of the Internet.
Reduction in the product development cycle, coupled with a shortened testing cycle, has led to an increase in the number of bugs in software. An unchecked vulnerability in a network or a weakness in design paves the way for intruder activity.
The learning curve for carrying out network attacks is dropping rapidly because hacking tools are easily available. The denial-of-service (DoS) attacks directed against major websites a few years ago brought these security flaws to light.
Until recently, the need for an incident response team within every organization was never given serious thought. There is a lack of trained professionals who can respond to incidents and minimize their effects, and organizations are now opting for in-house incident response teams. This module highlights the need for an incident response team, basic procedures for handling incidents, the various CSIRTs present in the world, and more.
What is an Incident?
A computer security incident is defined as “Any real or suspected adverse event in relation to the security of computer systems or computer networks” (Source: www.cert.org). It also includes external threats such as gaining access to systems, disrupting their services through malicious spamming, and executing malicious code that destroys or corrupts systems.
An incident can be an event or set of events that threatens the security of the computing systems and networks of an organization. It also includes system crashes, packet flooding within a network, unauthorized use of another user's account, and gaining unauthorized network privileges, especially the administrator's privilege.
There are various types of incidents, identified through a comprehensive study of security attacks and breaches that have occurred from time to time in various organizations. A standard classification of incidents covers the following forms:
Repudiations
Reconnaissance attacks
Harassment
Extortions
Pornography trafficking
Organized crime activity
Subversion
Hoaxes
Caveats
Repudiation:
Repudiation is an incident in which a person, or a software program acting on behalf of another person, takes some action.
Reconnaissance:
Collecting or discovering information about an individual or an organization that might be useful in attacking whatever targets a perpetrator has chosen is known as reconnaissance. The DSL and cable modem connections that are gaining popularity are more exposed to reconnaissance attacks because such connections are usually always open, which gives attackers more time to attack those systems.
Port scanning, that is, running a program that remotely finds which ports are open and closed on a remote system, is one of the most common types of reconnaissance attack.
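The scenario that opens this module (a web server overloaded by connection requests from a huge number of sources) and the port scanning just described are both visible in connection logs, and recognising them is the first thing an incident response team does. The script below is an added example, not part of the EC-Council material: it parses constructed firewall-style log lines in an assumed format, flags a single source touching many ports on one host (a scan) and many distinct sources hitting one service inside a short sliding window (a flood), and tolerates malformed lines. The log format, thresholds, IP addresses (RFC 5737 documentation ranges) and function names are all assumptions of this example.

```python
"""Added example, not EC-Council's code: defender-side detection of a
connection flood against one service and of a port scan, run over
constructed firewall-style log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not from the module):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=TCP flags=S
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_log(lines):
    """Parse lines into (timestamp, src, dst, dport); malformed lines are
    dropped rather than aborting the whole analysis."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scans(events, min_ports=10):
    """Reconnaissance: one source touching many distinct ports on one host.
    Returns {(src, dst): distinct_port_count} for every pair over threshold."""
    ports = defaultdict(set)
    for _, src, dst, dport in events:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_floods(events, window=timedelta(seconds=10), min_sources=20):
    """Flood: many distinct sources hitting one (dst, dport) inside a sliding
    window.  Returns the peak distinct-source count per flooded service."""
    by_target = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_target[(dst, dport)].append((ts, src))
    peaks = {}
    for target, hits in by_target.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window start
                start += 1
            distinct = len({src for _, src in hits[start:end + 1]})
            if distinct >= min_sources:
                peaks[target] = max(peaks.get(target, 0), distinct)
    return peaks


def analyze(lines):
    """Run both detectors and return a report dict."""
    events = parse_log(lines)
    return {"scans": detect_scans(events), "floods": detect_floods(events)}


def _constructed_log():
    """Constructed sample traffic (documentation address ranges only)."""
    t0 = datetime(2008, 5, 12, 10, 0, 0)
    lines = []
    # 30 different sources open connections to the web server within 3 seconds
    for i in range(30):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.{i + 1} dst=198.51.100.10 dport=80 proto=TCP flags=S")
    # one host probes 15 low ports on the same server, one per second
    for port in range(1, 16):
        ts = (t0 + timedelta(seconds=30 + port)).isoformat()
        lines.append(f"{ts} src=192.0.2.7 dst=198.51.100.10 dport={port} proto=TCP flags=S")
    # normal traffic, plus a malformed line the parser must tolerate
    lines.append(f"{t0.isoformat()} src=203.0.113.200 dst=198.51.100.10 dport=443 proto=TCP flags=S")
    lines.append("garbled entry without fields")
    return lines


SAMPLE_LOG = _constructed_log()
REPORT = analyze(SAMPLE_LOG)

if __name__ == "__main__":
    print(REPORT)
```

The thresholds are deliberately parameters: on a busy public web server twenty distinct sources in ten seconds is normal, so the flood threshold has to be tuned against a baseline, and a high distinct-source count does not by itself prove the traffic is genuinely distributed, since source addresses in SYN floods are frequently spoofed.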
Harassment:
Harassment is a cyber crime in which the perpetrator sends obnoxious mail messages to a victim or targets the victim through a chat room or remote screen-writing service.
Extreme cases of harassment include cyber stalking, in which electronic means are used to follow or intimidate a victim.
Extortion:
Extortion makes the victim pay money to the hacker or intruder because he or she has obtained information about the organization that could lead to a severe loss, whether of data or of money.
These attempts are growing in the cyber world.
Pornographic trafficking:
Networks have become a natural place to store and transmit pornographic material. The Internet governing bodies have banned pornography, and anything that involves it is therefore illegal. Electronic pornographic activity is common and is breaking in everywhere.
Computers and networks are also used worldwide to store, send, and receive child pornography.
Lawbreakers embed pornographic images inside other images, making them difficult to track. One well-known technology used for this purpose is steganography.
Organized crime activity:
Some organized illegal activities are carried out with the help of computers, such as drug trafficking, making illegal passports, running prostitution rackets, online smuggling, and providing unauthentic and illegal visas to people. It also involves the illegal immigration of people without proper identity proof.
Subversion:
A subversion is an incident in which a system does not behave as expected. It is assumed that the reason for this behavior of the system or network is an attack on the integrity of the system, network, or application, but in reality it is something more. Examples include putting up a bogus financial server to discover credit card details, or illegal indexing of web pages. In the case of subversion, the perpetrator modifies web links so that whoever follows a link is transferred to another location that is unrelated or false.
Hoaxes:
A hoax is an email warning of some virus that may have a devastating effect on the system. It is posed as a new virus unknown to anyone. These emails provide false information about the virus, and they also name a company or institution known to the public in order to defame it.
Hoaxes convince people to send mail to others warning about the virus. The virus does not exist; hoaxes spread false virus warnings, and a panicking user can damage his or her own system.
Caveat:
A caveat is also a sort of warning, which may take the form of a legal notice that can lead to a hearing in court. The kinds of incidents discussed in this section are by no means mutually exclusive.
Category of Incidents: Low Level
Incidents differ in intensity and complexity and occur under different situations or conditions, also known as vulnerabilities. Incidents are classified according to their intensity and their effect on the network and systems.
They are classified into three levels: low-level incidents, mid-level incidents, and high-level incidents. The least harmful are low-level incidents, and it is best to handle them within one working day.
Low-level incidents can be identified by the following symptoms:
Compromise of a system password
Unknown sharing of a company account
Misuse of computer peripherals
Unintentional routine computer action
Unsuccessful scans and probes in the network
Presence of computer viruses and worms
Category of Incidents: Mid-Level
Mid-level incidents are more serious. They should be handled within the same day the event occurs, normally within two to four hours of the event.
Medium-level incidents are identified by the following symptoms:
Unfriendly employee termination
Violation of special access to a computer or any computing facility in the organization
Illegal access to buildings in the organization
Systems in the organization's network used as unauthorized systems for processing or storing the organization's data
Destruction of organization property worth less than $100,000
Personal theft of an amount less than $100,000
Presence of computer viruses and/or worms whose effects are greater than those of low-level incidents
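The low- and mid-level categories above each carry a handling deadline (one working day, and the same day, normally within two to four hours). The following Python is an added example, not EC-Council's code: it maps the symptoms listed on the page to their level, turns the deadline rule into a concrete timestamp, and orders an open incident queue so overdue items surface first. Its interpretations are assumptions: "one working day" skips Saturday and Sunday, "same day, normally two to four hours" is modelled as four hours capped at the end of the detection day, and the symptom tags are this example's own shorthand.

```python
"""Added example, not EC-Council's code: compute the handling deadline the
module attaches to low- and mid-level incidents and order an open queue by it.
Assumptions (not stated in the module): 'one working day' skips Saturday and
Sunday; 'same day, normally two to four hours' is modelled as four hours
capped at the end of the calendar day of detection."""
from datetime import datetime, timedelta, time

# Symptoms listed in the module for each level, keyed by this example's tags.
LEVEL_OF = {
    "password-compromise": "low", "account-sharing": "low",
    "peripheral-misuse": "low", "routine-action": "low",
    "failed-scan": "low", "virus-minor": "low",
    "hostile-termination": "mid", "special-access-violation": "mid",
    "building-access": "mid", "unauthorized-processing": "mid",
    "property-damage-under-100k": "mid", "theft-under-100k": "mid",
    "virus-major": "mid",
}


def classify(symptom):
    """Map a symptom tag to its level.  Unknown tags become 'unclassified'
    so that nothing is silently treated as low severity."""
    return LEVEL_OF.get(symptom, "unclassified")


def response_deadline(level, detected_at):
    """Deadline by which handling must start, per the module's rules."""
    if level == "low":
        deadline = detected_at + timedelta(days=1)      # one working day
        while deadline.weekday() >= 5:                  # 5 = Sat, 6 = Sun
            deadline += timedelta(days=1)
        return deadline
    if level == "mid":
        end_of_day = datetime.combine(detected_at.date(), time(23, 59, 59))
        return min(detected_at + timedelta(hours=4), end_of_day)
    return detected_at   # unclassified: needs a human decision immediately


def triage(open_incidents, now):
    """open_incidents: list of (incident_id, symptom, detected_at).
    Returns rows sorted by deadline, each flagged overdue or not."""
    rows = []
    for inc_id, symptom, detected_at in open_incidents:
        level = classify(symptom)
        deadline = response_deadline(level, detected_at)
        rows.append({"id": inc_id, "level": level, "deadline": deadline,
                     "overdue": now > deadline})
    return sorted(rows, key=lambda r: r["deadline"])


# Constructed queue: 2008-05-12 is a Monday, 2008-05-16 a Friday.
SAMPLE_QUEUE = [
    ("INC-1", "failed-scan", datetime(2008, 5, 16, 15, 0)),           # low
    ("INC-2", "hostile-termination", datetime(2008, 5, 12, 10, 0)),   # mid
    ("INC-3", "unknown-thing", datetime(2008, 5, 12, 9, 0)),          # unclassified
]
NOW = datetime(2008, 5, 12, 15, 0)
SAMPLE_TRIAGE = triage(SAMPLE_QUEUE, NOW)

if __name__ == "__main__":
    for row in SAMPLE_TRIAGE:
        print(row["id"], row["level"], row["deadline"].isoformat(), "OVERDUE" if row["overdue"] else "")
```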