UNIT-1 INTRODUCTION OF CYBERCRIME, DIGITAL FORENSICS AND INCIDENT RESPONSE METHODOLOGY

PART-A SHORT QUESTIONS WITH SOLUTIONS

Q1. Write a short note on cyber crime.

Answer: (Model Paper)

With the advent of Internet connections across the globe on a large scale, millions of users connect via computer. Many users may misuse the network by performing illegal activity on the computer and targeting the security of the system and its data. Such activity is termed as cyber crime.

A cyber crime can be defined as a criminal activity done using a computer. The criminals make use of computer technology in order to steal the personal information of the user or business trade secrets, or for other malicious purposes. They obtain this information by hacking, spamming and phishing. Apart from this, the illegal person also uses computers for communication, documentation and data storage purposes.

Q2. Define the term hacking.

Answer:

The term "hacking" refers to the process of entering into a computer system or network by breaking the authentication with some unauthorized techniques. The people who perform hacking are known as hackers. Hackers are sometimes called crackers because they illegally gain access rights over the computer(s) in a network without the owner's consent. These hackers can reconfigure or reprogram a system, insert viruses, steal data, destroy the database or completely vandalize a system. Hackers and hacking techniques evolved over time with respect to the growth in electronic media. Such criminals can gain entry into any system from anywhere, provided that the targeted system is connected to the Internet.

Q3. Write in brief about virus.

Answer: (Model Paper)

A virus is a software program that replicates itself and infects another computer without the knowledge of the user. The computer virus gets its name from the biological virus.
For replicating itself a virus must execute code and should be written to memory. For this reason, many viruses attach themselves to executable files that are part of an authentic program. A virus propagates by transmitting itself across the network and bypassing the security system. Viruses are otherwise said to be in a dormant phase (idle) until certain events cause their code to be executed. Viruses also propagate from one system to another when infected files are taken to an uninfected system. They are transmitted as attachments in an e-mail message or in a downloaded file.

Q4. List some of the examples of how computers are helpful in crime scenarios.

Answer: (Model Paper)

Some of the examples of how computers are helpful in crime scenarios are as follows,
1. The witness of the crime can view the suspect's image on the screen by means of computers.
2. Fingerprints of a person can be taken with the help of a computer to check whether the person is related to past crimes.
3. By using computers, simulations or duplications can be performed.
4. At traffic junctions, computers are used to identify the Vehicle Identification Number (VIN), whether the car is stolen, etc., so in such cases the person can be arrested immediately.

SPECTRUM ALL-IN-ONE JOURNAL FOR ENGINEERING STUDENTS - SIA GROUP

Q10. Discuss briefly about the types of cyber crimes.

Answer: (Model Paper)

Cybercrimes can be broadly classified into two types,

1. Violent or Potentially Violent Cybercrimes
It refers to the crimes that cause physical risk to people. Cyber terrorism, cyber stalking, assault by threat and child pornography fall under this category of cyber crimes.

2. Non-violent Cybercrimes
It refers to the crimes that do not cause any physical risk to people but rather cause economic damage. Cyber trespass, cyber fraud and destructive cybercrimes fall under this category of cyber crimes.

Some of the other types of cyber crimes are as follows,

1. Hacking
The term "hacking" refers to a process of entering into a computer system or network by breaking the authentication with some unauthorized techniques. The people who perform hacking are known as hackers. Hackers are sometimes called crackers because they illegally gain access rights over the computer(s) in a network without the owner's consent. They can reconfigure or reprogram a system, insert viruses, steal data, destroy the database or completely vandalize a system. Hackers and hacking techniques evolved over time with respect to the growth in electronic media. Such criminals can gain entry into any system from anywhere, provided that the targeted system is connected to the Internet.

2. Denial-of-Service (DoS) Attacks
This attack prevents the normal usage of various facilities provided by the system or network. It attacks some target within the system, due to which all the messages destined to it will be suppressed or destroyed. Also, it disrupts the system by overloading it with messages, which in turn degrades the overall performance of the system.

3. Trojan Horses
A trojan horse can be defined as a computer program containing hidden code which results in harmful functions on execution. These programs allow users to access information for which they are not authorized. Also, these programs are modified when compared to other possible software programs. Trojan horses allow the attackers to access functions indirectly. Most trojan horse infections occur because the user is trapped into executing an infected malicious program. The important feature of a trojan horse is that it has all the capabilities and permissions of an authorized user. A trojan horse can either be a malicious or a non-malicious program.

4. Credit Card Frauds
Credit card frauds are the most simple and common form of frauds.
It can be defined as an identity theft that includes access to another person's credit card information with the intent of performing purchases and removing funds. Credit card frauds can be categorized into two types,
(a) Application fraud
(b) Account takeover.

(a) Application Fraud: Application fraud refers to an unauthorized opening of credit card accounts in the name of another person. These crimes are serious and the victim may be made aware of this very late.

(b) Account Takeover: Account takeover refers to the criminal hijacking of an existing credit card account. Here, the person obtains enough personal information of the victim and changes the account's billing address. Later, they may obtain a new card by reporting the card lost.

5. Child Pornography
Child pornography is an offense which involves teenagers in illegal pornographic activities. It is a visual depiction that includes,
(i) A computerized picture (of a child) that is sexually exploited,
(ii) Any movie or pictures containing improper content which is unsuitable for a child to view.
The Internet has become a boon around the world, where each and every individual is getting used to it. Day by day, connections are reaching every city and village, due to which every major and minor is getting exploited. Minors are especially getting trapped in the aggression of pedophiles. Pedophiles generally refer to people who psychologically harass minors and force them to get involved in sexual activities.

6. Online Betting
Online betting is also referred to as online gambling or Internet gambling. It is generally gambling over the Internet which is done on multiple websites available over the Internet.

7. Software Piracy
Software piracy refers to stealing of software programs through illegitimate ways, i.e., copying of genuine or original programs by violating laws.
Some of the examples of software piracy are as follows,
(a) End-user Copying: Friends share genuine software disks with each other.
(b) Hard Disk Loading with Illicit Means: Hard disk sellers copy pirated software onto the disk and sell it at much cheaper prices.
(c) Counterfeiting: Software is imitated on disks fraudulently and distributed.

8. E-mail Spoofing
Spoofing e-mail is one of the most commonly performed cyber crimes. Spoofing is an activity in which cyber criminals perform alterations on the address of the sender and other parts of the message header. These modifications are done such that it appears as if the e-mail originated from a different source.

9. Forgery/Falsification
Forgery can be defined as the creation of false documents or performing unnecessary alterations in an authentic document. The forgery is committed with the aim to cheat people. There are certain criminals who forge money or currency, and such activity is generally called counterfeiting, which is done with the help of sophisticated computer scanners and printers. It is possible to forge many entities, which may include students' mark sheets, degree certificates, revenue stamps etc.

10. Phishing
Phishing is pronounced as "fishing" and refers to a process in which victims suffer an attack wherein they are redirected to some other website when they click on a link. Such links are duplicates, and victims generally come across these problems while browsing on the Internet or through e-mails in the mailbox. Some of the websites by which users face problems are as follows,
1. Claim your lucky draw by clicking on the site below, www.claimdraw.com
2. "Security breach": this is to hereby inform that, due to some security reasons, customers are requested to provide their account details by clicking on the site below, www.banking.com
As shown in the above example, whenever the user clicks on the above websites, they are redirected to some duplicate site which resembles the original bank website. Phishing attacks are usually executed by using URLs similar to the original website's URLs. Therefore, when the user enters their crucial information on the fake website, the attacker gains access to the user's sensitive information and misuses it.

11. Cyber Terrorism
Cyber terrorism is an Internet-based attack used in terrorist activities. It is a controversial term which refers to the deliberate use of computer networks and the public Internet in order to achieve personal objectives by using tools such as computer viruses. Such objectives include political or ideological ones in the form of terrorism.

COMPUTER FORENSICS [JNTU-HYD]

12. Salami Attacks
Salami attacks collect very small amounts illegally from many places and achieve a huge result. For example, a malicious program rounds off small amounts of money, like fractional pennies, during the calculation of tax or interest, which may not be considered or noticed by the user. This rounded-off amount is collected and stored elsewhere; this is called a salami attack, wherein all the ignored amounts are collected from many accounts. Since each amount is very small, it is unlikely to be noticed by the user. These programs are often used by illegal programmers for carrying out malicious activities. The following example clearly describes the situation that leads to a salami attack.
Consider a bank that is paying 6.5% interest to every account holder annually. The calculation needs to be made by calculating the interest amount of a day, then multiplying it by 30 days. The result will be so small, i.e., $0.5495796, that the value needs to be rounded down, as banks deal only in full cents.
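Item 10 above says phishing links use URLs similar to the real site's. The following is an added example (not from the original text) of the check a mail gateway or browser add-on could apply to a link before the user follows it: it compares the link's registered domain with the domains the organisation owns, folds common look-alike characters, and flags near-miss spellings and "real name as a subdomain" tricks. It assumes banking.com is the legitimate bank (the page only shows the lure) and uses a naive two-label registered-domain rule with no public-suffix list.

```python
from urllib.parse import urlsplit

# Domains the organisation actually owns. Constructed for this example: the page
# only shows the lure address, so treating banking.com as the real bank is an assumption.
LEGITIMATE_DOMAINS = {"banking.com"}

# Characters attackers swap for visually similar ones in look-alike hostnames.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url):
    """Lower-case host part of a URL; tolerates bare hosts such as www.banking.com."""
    if "//" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so
    two-label suffixes such as co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Fold homoglyph substitutions so that bank1ng compares like banking."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, legitimate=LEGITIMATE_DOMAINS, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for the link's host."""
    host = hostname(url)
    reg = registered_domain(host)
    if reg in legitimate:
        return "legitimate"
    for legit in legitimate:
        # Subdomain trick: the real name is only a prefix of a host the attacker owns,
        # e.g. banking.com.account-verify.example
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            return "lookalike"
        # Typosquat / homoglyph trick: the registered name is a near miss of the real one.
        legit_sld = legit.split(".")[0]
        if levenshtein(normalize(reg.split(".")[0]), normalize(legit_sld)) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://www.banking.com/login",
                 "http://bank1ng.com/secure",
                 "banking.com.account-verify.example",
                 "www.claimdraw.com"):
        print(f"{link:45} -> {classify(link)}")
```

A lure on an unrelated domain such as www.claimdraw.com is reported as "unrelated", so this similarity check complements, rather than replaces, a URL reputation list.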
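The bank example in item 12, carried through in code as an added illustration (not from the original text): each account's 30-day interest at 6.5% per year is rounded down to whole cents, the dropped fractions that a salami program would sweep up are totalled, and a reconciliation check shows how an auditor detects the diversion. The balances are constructed values; $102.87 gives an amount close to the $0.5495796 quoted.

```python
from decimal import Decimal, ROUND_DOWN

ANNUAL_RATE = Decimal("0.065")   # 6.5% per year, as in the bank example
DAYS_IN_YEAR = Decimal(365)
DAYS_CREDITED = 30               # one day's interest, multiplied by 30 days
CENT = Decimal("0.01")

# Constructed sample balances (not from the page). $102.87 yields roughly the
# $0.5495... monthly interest figure quoted in the example.
BALANCES = [Decimal(b) for b in ("102.87", "1500.00", "25.10", "830.55", "9999.99")]


def exact_interest(balance):
    """Unrounded 30-day interest: one day's interest times 30."""
    return balance * ANNUAL_RATE / DAYS_IN_YEAR * DAYS_CREDITED


def post_interest(balance):
    """What the bank actually credits (whole cents, rounded down) and the
    fractional-cent residue that is silently dropped."""
    exact = exact_interest(balance)
    posted = exact.quantize(CENT, rounding=ROUND_DOWN)
    return posted, exact - posted


def total_posted(balances):
    """Sum of the legitimate per-account credits."""
    return sum(post_interest(b)[0] for b in balances)


def salami_residue(balances):
    """Sum of every account's dropped fraction: the amount a salami program can
    sweep into a hidden account without any single customer noticing."""
    return sum(post_interest(b)[1] for b in balances)


def reconcile(balances, interest_expense_booked):
    """Auditor's check: the interest the bank booked as paid out must equal the
    sum of what customers were credited. Returns the unexplained difference;
    anything other than zero is worth investigating."""
    return interest_expense_booked - total_posted(balances)


if __name__ == "__main__":
    honest_total = total_posted(BALANCES)
    skimmed = salami_residue(BALANCES)
    # A salami program books the full (truncated) interest expense while the
    # customers only receive the rounded-down amounts; the gap is the skim.
    booked_by_attacker = (honest_total + skimmed).quantize(CENT, rounding=ROUND_DOWN)
    print("credited to customers:   ", honest_total)
    print("residue across accounts: ", skimmed)
    print("honest ledger difference:", reconcile(BALANCES, honest_total))
    print("salami ledger difference:", reconcile(BALANCES, booked_by_attacker))
```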
Thus, the round-off errors are exploited by the programmers.

13. Defamation
Cyber defamation can be defined as a perceivable offense that causes damage to the reputation of a person on the Internet. The criminals do this by verbal or written means, signs or just by visible representation. They publish a defamatory statement against a person in order to lower the reputation of the person in the general public. The damage caused to one's reputation on the Internet becomes viral and is irreparable, as the information becomes available to the entire world.

14. Cyber Stalking
Cyber stalking is a form of online stalking performed to harass people. It uses technology, basically the Internet, for this purpose. The cyberstalkers use various mediums like e-mails, instant messages, phone calls and other communication devices to harass, monitor, threaten, exploit, destroy data or falsely accuse people. Usually cyberstalkers are persons who are known to the victim, not strangers. They can be a former friend, a relative, an ex or any person who wants to trouble the victim. Cyberstalking affects the victim's self-image, career and self-confidence. Victims of cyberstalking may also face domestic violence. Cyberstalkers use spyware software to monitor the activities and gain information through the victim's PC or phone. Hence, it is necessary for all of us to be aware of technology and protect ourselves from being a victim of cyberstalking.

Q11. (a) The internet spawns crime (b) Worms versus viruses.

Answer:

(a) The Internet Spawns Crime
The Internet can be defined as a global network that provides huge amounts of information and various communication facilities. Because of these services, there is a chance of occurrence of crimes. A computer is considered as a tool of crime in certain cases, an object of crime in case of equipment theft, and the theme of crime in case of hacking and the spread of viruses.
Law enforcement inquires about the members who are responsible for executing such crimes and about the skillful operations involved in the process.

(b) Viruses
A virus is a software program that replicates itself and infects another computer without the knowledge of the user. The computer virus gets its name from the biological virus. For replicating itself a virus must execute code and should be written to memory. For this reason, many viruses attach themselves to executable files that are part of an authentic program. A virus propagates by transmitting itself across the network and bypassing the security system. Viruses are otherwise said to be in a dormant phase (idle) until certain events cause their code to be executed. A virus also propagates from one system to another when infected files are taken to an uninfected system. They are transmitted as attachments in an e-mail message or in a downloaded file.

A virus contains malicious code that causes damage to the system by destroying important programs, deleting necessary files or by reformatting the hard disk. Some other viruses are designed only to replicate themselves but not to cause any damage.

Classification of Viruses
Viruses are classified into the following types,
1. Boot sector virus
2. File virus
3. Macro virus
4. Encrypted virus
5. Stealth virus
6. Polymorphic virus
7. Metamorphic virus
8. E-mail virus.

Boot Sector Virus
It is a type of virus which damages the master boot record. It propagates while booting the system from an infected disk.

File Virus
It is a type of virus that damages only those files which are assumed to be executable by the operating system.

Macro Virus
Macro virus is one of the common types of virus. These viruses cause much damage to the system's data.
They have become a threat because of the following reasons,
(i) Macro virus damages Microsoft Word applications by inserting unnecessary words or phrases. Due to this, all hardware and operating systems which support the Word document also get affected.
(ii) Macro virus damages only documents, and a large part of system information is in document form instead of program code.
(iii) Macro virus can be transmitted without any difficulty.

Encrypted Virus
It is a type of virus which infects in the following way. Initially, a random encryption key is produced by some part of the virus. Then, encryption is performed on the remaining part of the virus. The encryption key is stored along with the virus, and using this key the virus is decrypted.

Stealth Virus
This virus is designed in such a way that it hides itself from being identified by any anti-virus software program.

Polymorphic Virus
It is a virus that changes with each infection. It creates duplicate copies of itself where every copy of the virus performs the same action. Here, every individual copy of the virus differs from the others in its bit pattern. This change in bit pattern is achieved using an encryption process.

Q13. Write a brief introduction about Digital Forensics.
Answer:

Forensic science plays a vital role in criminal justice systems. It is also called "forensics". The term "forensic" comes from the Latin word "forensis", i.e., open court. Forensic science can be implemented in the form of computer forensic science. Digital forensics, also called digital forensic science, is a branch of forensic science that covers the recovery and analysis of components that are identified in digital devices. Information and Communication Technology (ICT) related working environments face the challenge of the computer being used for performing activities that are not work related.

The evolution of ICT resulted in the upgradation of some areas like social networking, mobile technology, cloud and storage solutions. These advancements have increased the data flow and reduced the data security in the organization. The increased activity in the ICT working environment also resulted in an increase in computer and network misuse, as any employee can implement simple password cracking tools and gain access to confidential information. So, computer investigations were performed to check the misuse of computers and networks, wherein auditing was the key component which helped to answer the user activity and cybercrime questions.

In recent years, due to the advancements made in tools and systems, the digital forensic field has made rapid development. These advanced tools helped common users to perform difficult audit tasks. On the Internet there are many freely and easily available tutorials that provide information on how to gain access to any computer. By using this, a common computer user can access information such as illegal software, confidential documents etc. In order to control such activities there is a high need for computer security methods and forensic tools for collecting accurate digital evidence or information. There is a misconception about the various forensic tools which are available for free that they can be used to conduct digital forensic investigations.
These possess various features that promote the digital forensic investigation process. The court of law mainly focuses on the digital evidence and the respective process that is used to gather the evidence, and these are considered as important. Communities such as the Digital Forensic Research Workshop Group (DFRWS) and the American Society of Digital Forensics and eDiscovery (ASDFED) have proposed various processes that should be used to gather digital evidence. As there are various processes in use, no specific process is considered as the standard forensic process that is required to be used by digital forensic investigators. If a forensic investigator does not use or consider the appropriate process that should be followed to gather the evidence, then it may be considered as a major mistake, because when the evidence is submitted without proof the defence may raise questions regarding the process of digital evidence collection.

Q14. Explain briefly about incident.

Answer:

An incident can be viewed as an occurrence of an attack. In terms of information technology, it is an event where the service could not function properly and fails to produce the feature which it is intended to. When a breach or incident occurs, a method called incident response is implemented. Ideally, it is an approach meant to solve and manage the situation.

Six Stages of Incident Response
At first, the computer incident response team is formed, which is nothing but a group of selected members who carry out an organization's incident response. In addition to the security personnel, the team representatives include the legal, human resource and public relations departments.

The following are the six steps necessary to resolve the incident,
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned.

1. Preparation
In this step, the team's role is to create a formal incident response capability.
In doing so, they develop an incident response process which represents the organizational structure. It shows the roles and responsibilities for developing procedures with detailed guidance so as to address the incident appropriately. This is made possible by selecting the right and skillful persons. These persons hold the capability to define the criteria for declaring the incident. In addition to this, they also select proper tools for managing the incident. Subsequently, they also define the generated report and the point of contact, i.e., whom to approach for the discussion. More importantly, this step is the fundamental and crucial one, where the team assures that each and every action is known and well coordinated. Apart from this, the team's good preparation can extensively minimize the potential damage by facilitating quick and effective actions.

2. Identification
In this step, the team initiates the process of verification once the following occurs,
(i) Occurrence of an event
(ii) Sustaining the observations corresponding to the events and indicators
(iii) Transgressing from traditional operations and/or malicious activities.
Therefore, during the protection mechanism the team can perform identification, while the incident handler team, with the help of their skill set, determines the signs and indicators. These observations can be spotted at the network, host or system level. At this point the team reviews alerts and logs from routers, firewalls, IDS, SIEM, AV, gateways, OS and network flows.

3. Containment
In this step, the team members limit the damage caused by offenders and attackers. Here, the team makes the decision corresponding to the strategy that will be implemented. It contains the incident depending upon the processes and procedures. On the other hand, the team in this step forms close bonds with the business owners to accomplish the containment of the system.
There is also a possibility that the network gets disconnected, or its operations can be continued and monitored; certain factors like scope, magnitude and impact of the incident play a major role.

4. Eradication
In this step, successive steps are employed to delete the intended reasons for the occurrence of the incident, in essence the virus which has affected the system. If the situation becomes more serious then the team checks and eliminates the ill-used vulnerabilities. Apart from this, the team also identifies its initial execution, applications and the necessary measures so as to avoid its reoccurrence.

5. Recovery
In this step, the team gets busy with the process of restoring the backup or carrying out the process of reimaging. Once the process of restoration is completed, the task of monitoring starts. Monitoring is essential, as the team has to determine the indications and signs for detection.

6. Lessons Learned
In this step, the team carries out the follow-up activity, which is essential. Here, the team can reflect on as well as document the occurrence, which helps them to learn what sources have failed and what are still functional. The team will experience some improvements corresponding to incident handling processes and procedures.

Q15. Discuss about incident response methodology.

Answer:

The incident response methodology is utilized for explaining the different phases in the process of responding to an incident. By using flowcharts, the phases can be well defined and the processes can be explained for basic cases. Developing a strategy and maintaining a consistent level of accuracy is a difficult task; on the other hand, the incident response process demands a number of variables. It is said that the developed incident response method should be straightforward, clear and error-free. Mostly, computer security incidents are complex and multifaceted. These problems are addressed by employing the approach used for a complex engineering problem: the problem is segregated into smaller components, and then each component's inputs and outputs are clearly scrutinized.

The figure below represents the approach to incident response.

[Figure: Incident Response Methodology; flowchart of the components: Pre-incident preparation → Detection of incidents → Initial response → Formulate response strategy → Investigate the incident (data collection, data analysis) → Reporting → Resolution (recovery, implement security measures), for both point-in-time and ongoing incidents]

Components of Incident Response Methodology
The following are the seven major components of incident response methodology,
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution.

1. Pre-incident Preparation
In this component, the necessary actions are taken prior to the occurrence of an incident. This prepares the organization.

2. Detection of Incidents
In this component, potential security incidents are identified.

3. Initial Response
In this component, the most generic specifications are recorded that define the boundaries of the incident. Apart from this, it also includes the assembling of the incident response team. Subsequently, the individuals who are involved are informed about the incident, and the initial response team carries out the initial investigation.

4. Formulate Response Strategy
In this component, the most efficient strategy is regulated and, depending upon the result generated from the outcome of facts, may require the approval of the management. Based on this data, the civil, criminal, administrative and other actions deduced from the investigation records are regulated.

5. Investigate the Incident
In this component, data is collected completely so as to identify what actually happened, the time of occurrence, who carried it out and what preventions are to be adopted to stop its occurrence in future.

6. Reporting
In this component, error-free information about the investigation record is stored. It is used by decision makers.

7. Resolution
In this component, multiple resolutions are applied. These resolutions are implementing security measures, procedural changes, recording of lessons and development of long-term fixes to problems.

Q16. Explain about, (a) Pre-incident preparation (b) Detection of incidents (c) Initial response.

Answer:

(a) Pre-incident Preparation
An incident response can be made successful through perfect planning. In this phase, before responding to the computer security incident, the organization must prepare not just the entire organization but also the CSIRT members. Since computer security incidents are uncontrollable and the investigator stays unaware of the upcoming incident, their role does not end there; they have to encourage the organization members to respond to the incidents. Typically, the incident response can be vulnerable in nature. Subsequently, the pre-incident preparation phase involves only preemptive measures on which the CSIRT can rely to secure the organization's possessions and information. Some of the steps necessary to be taken to save time and effort are as follows,

1. Preparing the Organization
In this step, important corporate-wide strategies are designed. So, a typical preparation of the organization includes,
(i) Employ host-based security actions.
(ii) Employ network-based security procedures.
(iii) Conduct training for end users.
(iv) Ensure that the intrusion detection system is functional.
(v) Develop strong access control.
(vi) Carry out timely weakness assessments.
(vii) Secure the backup to be used on a regular basis.

2. Preparing the Computer Security Incident Response Team
In this step, the CSIRT is set up and a team of experts is assembled so as to manage the incidents. The company must adhere to the following so as to prepare the CSIRT,
(i) Employ hardware to carry out the investigation of computer security incidents.
(ii) Develop the software to carry out the investigation of computer security incidents.
(iii) Employ the documentation to carry out the investigation of computer security incidents.
(iv) Employ necessary response strategies for policies and operating procedures.
(v) Conduct incident response such that it promotes successful forensics, investigations and remediations.
(vi) Conduct training for staff members.

(b) Detection of Incidents
When the organization does not attend to or ignores the incidents, its functionality becomes slow. It is necessary to know that one of the important characteristic features of incident response is the detection of incidents phase. Also, it is considered as a disjointed phase where incident response proficiency provides less control. There exist one or many ways to detect suspected incidents. They are detected in situations like the occurrence of an unauthorized, unacceptable or unlawful event. This involves the organization's computer networks or data processing equipment. It proceeds like this: at first, the incident is reported by a user, detected by a system administrator, or identified by IDS alerts. Many organizations set up a team to help the users report the incident. They can do this through three avenues,
(i) Immediate supervisor
(ii) Corporate help desk
(iii) Incident hotline controlled by the information technology department.
All the known facts and details must be recorded. Certain factor must be kept in mind while recording. (i) Frequent time and date (i) Report the incident (Gil) Explain the incident (iv) Occurrence of incident. 4 commuren FORENSICS NTU NYDERAR Ay Step Arccrrenc® of Real Incident ‘Achieving Containment J} Eradication I Recovery from Incident [Following-up Teamed igure: Detection of Incidence Initial Response In initial stages, itis essential to acquire suffi mation for identifying specific response. The phases is in here is assembling the CSIRT, collecting network: other data. Additionally, types of incidents are also analyzing the effect of incident. The beginning of next ‘demands the collection of sufficient information developing the response strategy. Subsequently, asthe grows the need for documentation arises and must be care, The moment incident occurs, the initial response: the ‘knee-jerk’ reactions and helps the organization to without any stressor panic) © Furthermore, the defection of computer security’ can be carried out in multiple ways, It is also necessary 'up & department of justice in situation of theft of any property by the employees, If any employee notices the theft in the organi he instead alerting the people should report to the author oF concern members, This is essential because, the stolen ‘modity could be misused. Once, the incident is detec! initial response phase starts and after the detection, the Scenes gets documented. The collected data in the time 0 fesponse phase requires review of network-based and. 
ocr, ‘Typically, the initial response phase inch Scanned with CamScanner UNIT-1_ Introduction of Cybercrime, Digital Forensics and Incident Response Methodology 1.15 {} Conducting interview of system administrators corresponding Wo the incident (ii) Conduct interview with the business unit human resource to ficilitate the context of incident, ‘This gives understanding to business events, ) Determining the data reviewing intrusion detection reports and network-based legs corresponding to the incident implying the occurrence of incident wy) Wentify the sources with respect to attacks, then perform the process of review of network topology and access control ist performing to the incident (Once this phase Gomes to an end, the authorities will eome to know whether or not incident has occurred. Thus, giving 4 good idea about the aected system type of incident, fet of it a7. Explain how to develop response strategy. Answer = Model Papers. a3(0) To establish the most suitable response strategy, the conditions of the incident isthe primary goal of the response strategy mulation stage. The factors like politcal, legal, technical and business that encirle the incident should be considered. Seles- on ofa strategy depends on the following objectives ofthe group or individuals on which the final solution lies Considering the Totality of the Circumstances Depending on the events of computer security incident, the response strategy vary. In the course of deciding the number sf resources needed to scrutinize an incident, whether to generate a forensic duplication of relevant systems or to make a criminal ‘whether to pursue civil litigation and other features of your response strategy the following aspects are required to be considered, (2) How much are the affected systems critical? ») How delicate isthe compromised or stolen information? (0) Who are the likely guilty party? (@) Wis the incident inthe public eye? 
(e) What is the severity of the unauthorized access acquired by the attacker?
(f) What is the intruder's apparent skill?
(g) Involvement of system and user downtime.
(h) The altogether dollar loss.

From virus outbursts to theft of consumers' credit card information, the incidents may vary to a large degree. A routine virus outburst usually results in some idle time and lost productivity. The phishing of customers' credit card information can put an inexperienced dot-com operation out of business. The response strategy for each event will swing accordingly. Mostly, a virus outburst is neglected. The theft of critical information like that of credit cards is like a fire alarm blare, which should impel a response that includes the public relations department, the CEO and all available technical resources of the organization. It is essential to confirm the details of the incident before the response strategy is picked. The response strategy is vital in a big organization since it provides an update for new CSIRT members on the available resources, political considerations, legal limitations and business intentions.

2. Considering Appropriate Responses

One should be able to arrive at a feasible response strategy that fits the circumstances of the attack and the capacity of the organization to respond; the response strategy determines how you move forward from an incident to its outcome.

Table: Response Strategy for Attacks

Incident | Response strategy | Outcome
DoS attack (e.g. Distributed Denial of Service attack) | Flooding impact of the attack mitigated by router countermeasures | Establishing the perpetrator requires more resources than would be a worthwhile investment
Employees using work computers to access pornography sites | Possible forensic duplication and investigation; interview with suspect | ... (action per policy)
Website incident | Monitor, repair and investigate the website while it is online; implement a website "refresher" program | Website restored to operation; identification of the perpetrator may involve law enforcement
Stolen credit card and customer information from the company database | Make a public affairs statement, forensic duplication of relevant systems, and investigation of the theft | Detailed investigation; law enforcement participation
Remote administrative access via attacks such as the cmsd buffer overflow and Internet ... | Monitor the activities of the attacker; isolate and contain the scope of unauthorized access; secure and recover the systems | Vulnerability leading to the intrusion identified and corrected; decision whether to identify the perpetrator

The response strategy must take into consideration the business objectives of your organization. It must be approved by the higher authorities due to its probable impact on the organization. The response strategy must be quantified with respect to the pros and cons of the following:
(a) Evaluate the dollar loss.
(b) Impact to daily operations and network downtime.
(c) Impact to operations and user downtime.
(d) Whether your organization is legally capable or not of taking certain actions.
(e) Public disclosure of the incident and its effect on the reputation of the organization.

It is customary to probe a computer security incident that qualifies for legal action or that could lead to a court proceeding. While deciding whether law enforcement must be included in the incident response or not, the following particulars should be considered:
Does the damage of the incident qualify for a criminal action?
Is it likely that the outcome expected by your organization will be achieved by criminal or civil action?
Has the actual cause of the incident been established?
For a comprehensive investigation, does your organization have adequate documentation and a sequential report?
Does your organization possess a working relationship with the local or federal law enforcement officers?
Does the previous performance of the individual preclude any legal action?

5. Administrative Action

At present, rather than pursuing civil or criminal actions, disciplining employees by means of administrative measures is common. To set right the internal employee, the administrative measures that can be put to practice include:
(a) Letter of reproof
(b) Immediate termination
(c) Compulsory leave of absence for a specific length of time
(d) Reassignment of job duties
(e) Temporary deduction in pay for reparation of the loss/damage
(f) Public/private apology

Q18. Discuss the process of investigating the incident.

Answer : Model Papers, Q3(b)

The investigation phase involves the process of establishing who, what, when, where, how and why corresponding to an incident. In order to run your investigation, the host-based evidence, the network-based evidence and the evidence collected by means of traditional, nontechnical investigative steps must be reviewed. While investigating an incident, the main key is to determine which things were harmed by which people, while establishing the identity of the people behind actions on a network is increasingly tough. The identification of an attacker can be of less concern to the victim than the property harmed or destroyed. The following are the two stages of a computer security investigation:
1. Data collection
2. Data analysis

1. Data Collection

The process of gathering the facts and clues that are required during your forensic analysis is referred to as data collection. This phase involves various forensic challenges, which are as follows:
(i) The electronic data must be gathered in a forensically sound way.
(ii) The storage capacity of the computer cannot be increased.
(iii) The collected data must be handled in such a way that it secures the integrity of the data.

Figure: Data Collection and Data Analysis

Data Collection
Network-based evidence:
- Obtain IDS logs
- Obtain existing router logs
- Obtain relevant firewall logs
- Obtain remote logs from a centralized host
- Perform network monitoring
- Obtain backups
Host-based evidence:
- Obtain the volatile data during a live response
- Obtain the system time
- Obtain the time/date stamps for every file on the victim system
- Obtain all relevant files that dispel the allegation
- Obtain backups
Other evidence:
- Obtain oral testimony from witnesses

Data Analysis
- Review volatile data
- Review network connections
- Determine any rogue processes (backdoors, sniffers)
- Analyze the relevant time/date of the system
- Identify files uploaded to the system by an attacker
- Identify files downloaded from the system
- Review the log files
- Determine unauthorized user accounts
- Check for unusual or hidden files
- Analyse jobs run by the scheduler service
- Perform keyword searches

The data collection phase is further categorized into three fundamental components: host-based information, network-based information and other information.

(a) Host-based Information

A host-based component includes logs, records, documents and other related data which is identified on a system. This component deals with information gathering in two distinct forms: live data collection and forensic duplication. In some situations, when the corresponding system shuts down, the evidence which is required to understand the incident is lost. Therefore, live data collection forms the first step, to collect this volatile information before it is lost. In order to capture this information before it is lost, one must record the following:
- Date and time of the system
- Applications that are under execution on the system
- Current network connections
- Recently opened ports
- The state of the network interfaces

(b) Network-based Information

A network-based component includes IDS logs, consensual monitoring logs, nonconsensual wiretaps, pen-register/trap and traces, router logs and firewall logs. Network surveillance is performed to confirm suspicions, gather evidence and determine the co-conspirators involved in an incident. It enables an organization to carry out various tasks like:
- To drive away the suspicions over a computer security incident
- To gather additional evidence and data
- To verify the scope of a compromise
- To identify additional parties involved
- To determine the timeline of events that occurred on the network
- To ensure compliance with a desired activity

(c) Other Evidence

This component involves the collection of personnel files, interviews with employees, interviews with witnesses, interviews with character witnesses and documentation of the data gathered.

2. Data Analysis

Forensic analysis refers to the process of reviewing the data gathered. It includes reviewing log files, system configurations, web browser history records, e-mail messages and the corresponding attachments. It also involves performing more low-level tasks like looking for data that has been deleted logically from the system.

Figure: Perform forensic duplication, preparation of data, analysis of data.

Q19. Discuss briefly about (a) Reporting (b) Resolution.

Answer : Model Paper, Q3(a)

(a) Reporting

Reporting is considered the difficult or challenging phase in the incident response process. In this phase, the main task is to generate reports in which the incident details are recorded. The generated reports need to be clear and understandable to the decision makers. In the reporting phase, the following rules must be followed or implemented.
1. Document Immediately

It is important to document all the investigative steps and conclusions immediately. If the document is written in short and simple terms when the evidence is identified, it helps to save time, improve accuracy and also ensure that the investigation details can be discussed or communicated with others easily at any moment. It also becomes easy if any other new member takes the lead in the investigation process.

2. Write Concisely and Clearly

It is better to implement the "write it tight" logic. It means using short and simple words as much as possible. In order to document the investigative steps, suitable methods and a format are required. The report should be written in such a way that it is understandable to the writer and others involved in the investigation process. It is suggested not to use shorthand or shortcuts. If a report contains any indefinite notations, incomplete scribbling and unclear documentation, it may result in redundant efforts, forced translation of notes, confirmation of notes and failure to comprehend the notes.

3. Use a Standard Format

A specific format must be developed for reports and the same must be maintained throughout the reporting process. The incident response process outlines and templates are used to create the permanent standard data formats. This standard format helps in report writing, saves time and improves accuracy.

4. Use Editors

Technical editors can be hired or engaged in order to read the forensic reports. By using editors, the reports can be generated or developed in such a way that non-technical people can also understand them easily.
But one disadvantage of using editors is that it may modify the meaning of the critical information, so it is required to review the final product before submission.

(b) Resolution

The main objective of the resolution phase is to implement the host-based, network-based and procedural counter steps on the incident in order to avoid or prevent further damage by the corresponding incident to the organization. It may also return normal operational status to the organization. This phase consists of the problem, the solution to the problem and the preventive measures to prevent the reoccurrence of the problem.

In case of any potential civil, criminal or administrative action, it is better to gather all the evidence information before implementing any security measures. If the system is secured by changing the network topology, packet filtering or by installing software on a host without proper review and validation, it may result in the loss of good investigative clues like the system state at the time of the incident.

In order to resolve a computer security incident, the following steps must be introduced or implemented:
1. Identify the priority of the problems that occur in the organization. It means the problem with the highest priority is resolved first.
2. Identify the incident type by gathering enough information and analyze the "what" security measure by using the host-based and network-based measures to address the incident.
3. ... of the incident which need to be handled.
4. It is also required to determine the underlying or systemic causes of the incident. It is better to restore any affected or compromised systems, depending upon the previous data version.
It is required to fix the platform software or application software to make sure that the system is secure.
5. In order to handle any host-based vulnerabilities, the required corrections can be made. It is also required to check all the problems in a lab environment before implementing on the production systems.
6. The network-based counter steps or remedial measures such as access control lists, firewalls or IDS can be implemented.
7. The systemic issues need to be rectified by assigning the responsible person.
8. It is required to track the progress on all the corrections.
9. It is also required to check whether the host-based, network-based and systemic measures are implemented properly.
10. It is required to update the security policy and procedures in order to improve the response process.

INITIAL RESPONSE PHASE AFTER DETECTION OF AN INCIDENT

Q20. Describe the activities in initial response.

Answer : Model Paper-I

An organization may face challenges or issues when a computer security incident takes place. A plan is required to provide more support for the following tasks:
1. It is required to make fast and effective decisions.
2. It is required to gather a huge amount of information.
3. The rapid growth of the incident must be handled.
4. Notification of the participants is required to assemble the CSIRT.

Gathering Preliminary Information

The main objective of the initial response phase is to gather enough information in order to arrive at a suitable response. It includes the following activities in initial response:
(i) Initially, an incident should receive an initial notification.
(ii) Then, the incident details and declaration should be recorded.
(iii) Assemble the CSIRT.
(iv) Now, implement the traditional investigative steps.
(v) Conduct the interview process.
(vi) Finally, determine the growth of the incident.

Documentation of Considered Steps

The other objective of the initial response phase is to document the steps which are considered.
On detecting an incident, the organization's methods and practices can be used to avoid knee-jerk reactions. A good initial response plan helps to establish a formal reporting process and also provides support to maintain good metrics. By recording the incident details, the organization can know about the possible number of attacks that have occurred, such as their type, frequency, damages and their effect on the organization. These types of metrics become difficult while measuring the return on investment of a good plan.

Q21. Explain the phases after detection of an incident.

Answer :

After the detection of an incident, the following phases should be implemented.

1. Recording the Incident Details After Initial Detection

An implementation of a good incident response plan requires a checklist. One type of checklist is the initial response checklist. Initial response checklists are used to record the incident details after receiving the initial notification. This checklist is divided into two parts, where the first part consists of general information and the second part consists of more specific information. The second part's information consists of "who, what, when, where and how". These questions may provide some information about the incident such as the system's location, administrative contacts and so on. It is easy to solve or fix the situation if all the answers are obtained from the questions. But the problem is that the answer may not be available for every question.

2. Developing a Response Strategy

The response strategy is considered an important aspect of incident response. In this phase, one can know about the measures that must be considered to recover from the incident. The response strategy should also contain initiating action against an external attacker or an internal employee.
In order to develop a good response strategy, it is required to discuss and conduct sessions about the strategy. Basically, these sessions should include discussion about response considerations and policy verification.

Figure: Classify, Fulfill, Resolve.
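The host-based data analysis steps listed under Q18 (review the log files, determine unauthorized user accounts, check for hidden files, analyse jobs run by the scheduler service, perform keyword searches), worked through as an added Python example; this code is not from the textbook, and the account names, crontab lines, log lines and paths are constructed sample evidence, not real data.

```python
import re

# Constructed sample /etc/passwd entries collected from a victim host (made-up data).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/var/tmp/.cache:/bin/bash
"""

# Constructed baseline: the accounts the administrators confirm they created.
KNOWN_ACCOUNTS = {"root", "daemon", "alice"}

# Constructed crontab lines (jobs run by the scheduler service) from the same host.
CRONTAB_SAMPLE = """\
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /var/tmp/.cache/x >/dev/null 2>&1
"""

# Constructed auth log excerpt from the same host.
AUTH_LOG_SAMPLE = """\
Mar 10 01:02:11 web1 sshd[4111]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar 10 03:14:02 web1 useradd[4200]: new user: name=sysadm, UID=0, GID=0, home=/var/tmp/.cache
Mar 10 03:15:40 web1 sshd[4222]: Accepted password for sysadm from 198.51.100.7 port 40022 ssh2
"""

def review_accounts(passwd_text, known):
    """Flag accounts outside the baseline, extra UID-0 accounts, and hidden home dirs."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        reasons = []
        if name not in known:
            reasons.append("not in administrator baseline")
        if uid == 0 and name != "root":
            reasons.append("UID 0 (root-equivalent)")
        if any(part.startswith(".") for part in home.split("/")):
            reasons.append("hidden home directory")
        if reasons:
            findings.append((name, reasons))
    return findings

def review_scheduler(crontab_text):
    """Check scheduler jobs for commands run from temp or hidden paths."""
    suspicious = re.compile(r"(/tmp/|/var/tmp/|/\.)")
    return [line for line in crontab_text.splitlines() if suspicious.search(line)]

def keyword_search(log_text, keywords):
    """Case-insensitive keyword search over log lines; returns (line_no, keyword, line)."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for keyword in keywords:
            if keyword.lower() in line.lower():
                hits.append((number, keyword, line))
                break
    return hits
```

Each finding ties back to a named data-analysis step, so it can be recorded in the report with the evidence line that produced it.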
