Syllabus :

1.1 Cyber-attacks, Vulnerabilities, Defence Strategies and Techniques, Authentication Methods and Protocols, Defence in Depth Strategies.
1.2 Access Control Policies: DAC, MAC, Multi-level Security Models: Biba Model, Bell La Padula, Federated Identity Model, Single Sign on, Management.

1.1 Introduction
- Computer security is the science of managing malicious intent and behavior that involves information and communication technology. It is all about studying cyber attacks, their motives, recent attacks like pharming, phishing, DOS and malware, and how to defend against them.
- To avoid such attacks, we need to understand what makes systems vulnerable to these attacks. In this subject we will learn access control, authentication, data protection and defence strategies in depth.
- System security revolves around the three key principles of Confidentiality, Integrity and Availability (CIA). Depending upon the application and context, one of these principles might be more important than the others.
- Confidentiality : Secrecy or confidentiality means that only authorized people should be able to access or read specific computer systems and data.
- Integrity : Integrity means that only authorized people should have the ability to use or modify systems and data.
- Availability : Availability means that authorized people should always have access to their systems and data. For example, due to intentional actions of another, unauthorized user C, an authorized user A may not be able to contact a server B. This would defeat the goal of availability.

Other important terms :

a. Authentication
- The process by which the computer understands who is interacting with it.

b. Authorization
- The process of ensuring that only authorized rights are exercised (policy enforcement).
- The process of determining rights (policy definition).

c. Non-repudiation
- There are situations when a user sends a message, and later on refuses that he/she had sent that message. For instance, user A could send a funds transfer request to bank B over the internet. After the bank performs the funds transfer as per A's instructions, A could claim that he/she never sent the funds transfer instruction to the bank. Thus A repudiates or denies his/her funds transfer instruction. The goal of non-repudiation is to defeat such possibility of denying something.

d. Access control
- This determines who should be able to access what. For instance, we can specify that user A can view the records in a database but cannot update them, whereas user B might be able to update them. An access control mechanism can be set up to ensure this.
- Access control is broadly related to two areas :
  1. Role management
  2. Rule management
- Role management concentrates on the user side, i.e. which user can do what, whereas rule management focuses on the resources side, i.e. which resource is accessible and under what circumstances.

1.2 Cyber-Attacks

A cyber attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter or destroy data or information systems.

1.2.1 Types of Cyber Attacks

The space of cyber attacks is large and expanding. Here we will introduce some of the high-profile attacks.

Phishing attack
- It is a type of social engineering attack. Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email.
- The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine.

Malware
- Malware is a term used to describe malicious software, including Trojans, spyware, ransomware, viruses and worms, that gains access to key components of the network.

Pharming
- It lures its victims to a fake website, for example an online bank with which the victim has an account. The fake website has the look and feel of the authentic bank. The victim is then induced to reveal sensitive information such as her/his login name and password, which are then passed on to the fake website.

MitM attack

Distributed Denial-of-Service (DDoS) attack
- These attacks exhaust the computing power, memory capacity or bandwidth of their targets, or shut down their services, causing them to be inaccessible or unavailable to their intended users.

Password crack
- One means of intruding into a computer system is through password-guessing attacks, which are a special case of dictionary attacks. There are two methods for password attack, i.e. Brute Force Attack and Dictionary Attack.
- In brute force the attacker uses different approaches and guessing methods to get the password combination. It is a trial and error method : it generates a large number of guesses and validates them to obtain the actual data.
- In the dictionary method the attacker tries to guess passwords by using well-known words or phrases. It contains a list of commonly used passwords and validates them to get the original password.

Skimming attacks
- Personal information may also be leaked out from credit cards, smart cards and ATM cards through a variety of skimming attacks.

1.3 Vulnerabilities

- It is a cyber-security term that refers to a flaw in a system that can leave it open to attack. Or it is a weakness of an asset or group of assets that can be exploited by one or more threats.
- Types of vulnerabilities : Physical Vulnerability, Human Vulnerability, Software/Hardware Vulnerability, Communication Vulnerability, Configuration Vulnerability, Protocol Vulnerability.
- Different examples of vulnerabilities :
  - Through Software : programming flaws, software bugs, complexity of software, improper deployment.
  - Through Technology : technological changes, file transferring.
  - Through Hardware : design flaws, misconfiguration of hardware, out of date hardware.
  - Through Employees : opening spam mails, connecting a personal device to the company network, installation of unauthorized software and apps.
- Vulnerability identification is a necessary step in designing attacks. Vulnerability scanners provide a systematic and automated way of identifying vulnerabilities. Their knowledge base of known vulnerabilities has to be kept up to date. Organizations such as SANS or Computer Emergency Response Teams (CERTs) provide this information, as do security advisories of software companies.

1.4 Defence Strategies and Techniques

Different defence strategies to prevent intrusions are :
1. Access Control
2. Data Protection
3. Prevention and Detection
4. Response, Recovery and Forensics

1. Access Control - Authentication and Authorization

- The first defence strategy to prevent intrusions is access control.
- Access controls are a collection of mechanisms that work together to create a security architecture to protect the assets of information systems.
- One of the goals of access control is personal accountability, which is the mechanism that proves someone performed a computer activity at a specific point in time.
- It is used to implement the major objectives of security : Confidentiality and Integrity.
- Access control consists of two steps : authentication and authorization.
  1. Authentication : Access to documents can be restricted in one of two ways: by asking for a username and password, or by the host-name of the browser being used. The former, referred to as "user authentication", requires creating a file of user IDs and passwords and defining critical resources to the server.
  2. Authorization : Unlike authentication, which is security based on the user's identity, restricting access based on something other than identity is called "access control". "Allow" and "Deny" directives allow or deny access to network services based on host name or address.

2. Data Protection

- Data protection is against unauthorized disclosure and has two components : content confidentiality and message flow confidentiality.
  1. Content confidentiality protects the data from unauthorized disclosure.
  2. Message flow confidentiality allows the originating network to conceal the path or route that the message followed on its way to the recipient. Message flow confidentiality is useful in preventing an attacker from obtaining information from the observation of the message.
- Also, data should be protected from accidental or malicious modification during data transfer, data storage or from an operation performed on it, and to preserve it for its intended use.

3. Prevention and Detection

- Access control and message encryption are preventive strategies. Authentication keeps intruders out, while authorization limits what can be done.
- Prevention : Security measures must be taken to protect information from unauthorized modification, destruction or disclosure, whether accidental or intentional. During the prevention phase, security policies, controls and processes should all be designed and implemented. Security policies, security awareness programs and access control procedures are all interrelated and should be developed early on. Once an organization has adopted a policy, created an awareness program and has established access controls, it must implement detection strategies and response plans.
- Code testing is used to detect vulnerabilities. To determine whether the software has been carefully designed to handle unexpected or malicious input, black box testing is employed.
- Detection : Detection of a system compromise is extremely important. No matter what level of protection a system may have, it will get compromised. There is no full-proof "silver bullet" security solution. Rather, each layer should be designed so that when it fails, it fails safely to a known state and sounds an alarm.
- Intrusion Detection Systems (IDS) are utilized for this purpose. IDS have the capability of monitoring system activity and notifying responsible persons when activities warrant investigation.

4. Response, Recovery and Forensics

- Response measures should be taken immediately once an attack or infection has been detected.
- These include shutting down all or part of the system if required.
- Handle an attempted attack in such a way as to minimize damage as determined by the security policy. Monitor, collect data, perhaps increase the amount of data collected.
- During a widespread worm outbreak, the infected part of the system should be quarantined and necessary patches applied.
- Many intrusion attempts leave fingerprints just like a criminal does at the crime site. Cyber forensics is an emerging discipline with a set of tools that help trace back the intruders of cyber crime.

1.5 Authentication Methods

- In a secure system we might need to track the identities of users requesting its services.
- Authentication is the process of verifying a user's identity and determining whether a user should be allowed access to a system.
- Entities that may require authentication by computer systems include users, computers and processes.
- On a typical computer network, user authentication is performed during the logon process when a user submits credentials usually consisting of a username and password.

Authentication Methods :
1. Something you know : Password, PIN
2. Something you have : Certificate, Smart or I-card, e-Token
3. Something you are : Biometric, IP address
4. Two-factor authentication

1. Something you know

- Passwords are the most common form of authentication.
- This technique is based solely on something the user knows. There are other techniques besides conventional passwords that are based on knowledge, such as knowledge of a cryptographic key.
- A password is a 1-factor authentication, i.e. something you know.

Passwords :

In general, password systems work by requiring the user to enter a userid and a password (or PIN). The system compares the password to a previously stored password for that userid. If there is a match, the user is authenticated.

a. Benefits of Passwords : Passwords have been successfully providing security for computer systems for a long time. They are integrated into many operating systems, and users and system administrators are familiar with them. They can
provide effective security when properly managed in a controlled environment. However, as the long list below shows, password systems have significant problems based on technical limitations of the systems and management of the systems.

b. Problems with Passwords : The security of a password system is dependent upon the ability to keep passwords secret, and there are many ways that the secret is divulged. Some of the significant problems are discussed :

1. Guessing or finding passwords : Because users have to remember passwords, they tend to make them easy to remember. That often makes them easy to guess. The names of people's children and pets or favorite sports teams are common passwords, which are easy to guess. If passwords are hard to remember or a user has many passwords, people often write them down where they can be found. People can observe someone entering a password or PIN.
2. Giving passwords away : Users may share their passwords. They may give their password to a co-worker in order to share files. In addition, people can be tricked into divulging their passwords. This process is referred to as a social engineering attack.
3. Brute force : There are several brute force attacks on passwords that involve either the use of a dictionary or an exhaustive attempt at different character combinations.
4. Electronic monitoring : When passwords are transmitted to a computer system, they can be electronically monitored.
5. Accessing the password file : If the password file is not protected by strong access controls, the file can be downloaded. Even if the file is encrypted, brute force can be used to guess passwords.

2. Something you have

- An example of something you have is an ATM card or a smart card. Hardware tokens can be used for authentication which is based on the something you have.
- A smart card is a credit-card sized card that has an embedded chip; the card can be used to authenticate the individual. In multi-factor authentication, the smart card is commonly used with a PIN. In other words, the user must have something (the smart card) and know something (the PIN).
- Drawbacks of memory cards :
  - Need a special reader
  - Loss of card or token issues
  - User dissatisfaction

3. Something you are

- Biometric is the something-you-are method of authentication.
- Biometrics is the science of identifying individuals using physical characteristics and behaviors. Examples of physical attributes that may be used for authentication purposes include a person's fingerprint, iris or retina, facial characteristics, voice pattern, nail bed, palm print or even body odor.
- A person's DNA can also be used to uniquely identify him or her, but this is a more invasive process and requires a skin or tissue sample.
- The most popular biometric technologies at present are those used for fingerprint identification, iris scanning and facial recognition.
- The advantage of biometrics is that they cannot be disclosed, lost or forgotten.
- Biometric authentication is technically complex, expensive, and user acceptance can be difficult.

Two-factor authentication

- In two-factor authentication both something you have (password generator) and something you know (PIN) is used.
- Any authentication method that requires two out of the three 'something's' is known as two-factor authentication.
- An example of a two-factor authentication is a credit card together with a signature.

1.6 Authentication Protocols

- An authentication protocol is a type of cryptographic protocol with the purpose of authenticating entities wishing to communicate securely.
- Different authentication protocols are categorized based on the following properties :
  a. Reciprocity of authentication (mutual vs. one-way)
  b. Type of cryptography (symmetric vs. asymmetric)
  c. Key exchange
  d. Computational and communication efficiency
  e. Real-time involvement of a third party (on-line vs. off-line)

Reciprocity of authentication

1. Mutual Authentication
- Enables communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.
- The authenticated key exchange can be managed either using the symmetric-key encryption technique or the public-key encryption technique.

2. One-way Authentication
- One-way authentication is required when sender and receiver are not in communication at the same time.
- In some applications, such as e-mail, it is not necessary for the sender and receiver to be online at the same time. The message sent by the sender is rather forwarded to the receiver's electronic mailbox, where it is stored until the receiver reads it. Thus, only one-way authentication is required.

Type of cryptography (symmetric vs. asymmetric)

1. Authentication using symmetric keys (Shared-Secret based Authentication)
- Suppose two users share a symmetric key K and this key is only known to both. Authentication can be accomplished by proving knowledge of this shared symmetric key.
- In the process of authentication the key K must not be revealed to a third party user.

2. Authentication using asymmetric or public keys (Asymmetric based Authentication)
- In authentication using public keys, public key operations can be performed by anybody, and only a user can use a private key.
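As an added example (not from the textbook), the following code shows how two parties sharing a symmetric key K prove knowledge of K to each other without ever sending K: each answers the other's fresh nonce with an HMAC under K, which is the same challenge-response idea CHAP uses, carried through as a mutual exchange. The party identifiers, the message layout and the replay bookkeeping are this example's own assumptions.

```python
"""Mutual authentication from a shared symmetric key K (added example).

Each side proves knowledge of K by returning an HMAC over the peer's fresh
nonce; K itself never goes on the wire. The message layout (which fields
are MACed, in what order) is this example's own convention, not a standard.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (b"ab", b"c") and
    (b"a", b"bc") cannot collide."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()


class Party:
    """A principal that holds an identifier and the shared key K."""

    def __init__(self, ident: bytes, key: bytes):
        self.ident = ident
        self.key = key
        self.answered = set()   # challenges already answered (replay check)

    def challenge(self) -> bytes:
        """A fresh nonce; freshness is what makes an old answer worthless."""
        return secrets.token_bytes(16)

    def respond(self, peer_nonce: bytes, own_nonce: bytes) -> bytes:
        """Prove knowledge of K over the peer's nonce. Our own nonce and
        identity are bound in, so a reply cannot be reflected back at us."""
        if peer_nonce in self.answered:
            raise ValueError("replayed challenge")
        self.answered.add(peer_nonce)
        return tag(self.key, peer_nonce, own_nonce, self.ident)

    def verify(self, peer_ident: bytes, own_nonce: bytes,
               peer_nonce: bytes, mac: bytes) -> bool:
        """Recompute what a holder of K must have produced and compare."""
        expected = tag(self.key, own_nonce, peer_nonce, peer_ident)
        return hmac.compare_digest(expected, mac)


def mutual_authenticate(a: Party, b: Party) -> tuple:
    """Three messages; returns (A accepts B, B accepts A)."""
    na = a.challenge()                               # 1. A -> B : IDA, NA
    nb = b.challenge()
    tag_b = b.respond(na, nb)                        # 2. B -> A : NB, HMAC_K(NA, NB, IDB)
    if not a.verify(b.ident, na, nb, tag_b):
        return (False, False)                        # A aborts; B gets no proof
    tag_a = a.respond(nb, na)                        # 3. A -> B : HMAC_K(NB, NA, IDA)
    return (True, b.verify(a.ident, nb, na, tag_a))


def replay_is_rejected(responder: Party, peer_nonce: bytes, own_nonce: bytes) -> bool:
    """Answer a challenge once, then present the identical challenge again."""
    responder.respond(peer_nonce, own_nonce)
    try:
        responder.respond(peer_nonce, own_nonce)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = secrets.token_bytes(32)                      # constructed shared key
    print(mutual_authenticate(Party(b"A", k), Party(b"B", k)))            # (True, True)
    print(mutual_authenticate(Party(b"A", k), Party(b"B", b"\0" * 32)))   # (False, False)
```

An impostor who does not hold K can still receive challenges, but every tag it produces fails verification, and a captured tag is useless later because the nonce it answered is never issued again.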
Different authentication protocols

- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Kerberos Protocol
- Time-Based One-Time Password (TOTP)
- HMAC-Based One-Time Password

1.6.1 One-Way Authentication Protocols

1. Password Authentication Protocol (PAP)

- In PAP, the user provides username and password in clear text (unencrypted), which are compared with the corresponding information in a database of authorized users.

Fig. 1.6.1 : PAP. The client sends Login, Password; the server looks them up in its password database and replies OK.

Drawbacks
- This method is not secure, as the username and password are usually sent in clear text.
- PAP is vulnerable to username and password guessing, and also to replay attacks on an open network.
- Open access to the password file : if the file is not sufficiently protected and an intruder obtains it, all passwords are now compromised! Even if a trusted admin sees your password, this might also be misused (if you used your password on other systems).
- Solution : store a hash of the password in a file. Given the file, you don't get the passwords in plaintext; one has to resort to a dictionary or brute-force attack. Example : passwords hashed with SHA-512 hashes (SHA-2).
- An improved protocol, CHAP, can be used.

2. Challenge Handshake Authentication Protocol (CHAP)

- It is designed to defeat the Man In The Middle Attack (MITM).
- CHAP enables authentication after the establishment of the initial communication link between the user and the authentication mechanism.
- CHAP operation comprises a three-way handshaking procedure as follows :
  1. The CHAP authentication mechanism sends a "challenge" (the challenge is a nonce, i.e. random bits) to the user following the establishment of the communication link.
  2. The user responds to the challenge with a string produced by a one-way hash function.
  3. The hash value transmitted by the user is compared with a hash result calculated by the authentication mechanism. If the two hash values are identical, authentication of the user is verified. If the values do not match, the connection is terminated.
  4. For increased security, Steps 1 through 3 are repeated at random time periods. This procedure provides protection against replay attacks.

Fig. 1.6.2 : CHAP. The server sends a nonce as the challenge; the user replies with hash(Challenge, secret); the server answers OK. Both sides hold the shared secret.

Authentication using symmetric keys (Shared-Secret based Authentication)

- In this technique, a trusted Key Distribution Centre (KDC) is involved, which is responsible for generating a session key that is to be used for a short duration between the two communicating parties for a particular session, as well as for distributing that key to both the parties.
- Each party shares a master key with the KDC, and the KDC uses the master key for distributing the session key to ensure secure distribution of session keys.
- Several protocols were proposed for secret key distribution using a KDC; however, each of them had some weaknesses. Finally, in the early 1990s, a protocol was presented for secure key distribution including authentication.
- The steps of this protocol are as follows :
  1. To initiate the authentication exchange, A generates a nonce NA and sends it to B along with its identifier IDA in plaintext.
  2. This nonce will be returned to A later in an encrypted message that includes the session key generated by KDC, to assure A of its timeliness.
  3. B sends a message to KDC that includes its identifier IDB and a nonce NB to request KDC for a session key. B's message also includes a block that instructs KDC to issue credentials to A.
  4. This block is encrypted with the secret (or master) key shared between the KDC and B, and includes A's identifier (IDA), A's nonce (NA) and the suggested expiration time for the credentials (TE).
  5. KDC sends a message to A that includes the following :
     - The nonce received from B (NB).
     - A block containing B's identifier (IDB) to assure A that the second party is B itself; A's nonce (NA) to assure A that this is a timely message and not a replay; a session key (KS) generated by KDC; and the time of expiration of the key (TE). This block is encrypted with the secret key shared between A and KDC, which is KA.
     - A block containing A's identifier (IDA), the session key (KS), and the time of expiration of the key (TE). This block is encrypted with the secret key shared between B and KDC (that is, KB). It serves as a "ticket" for A for subsequent authentications.
  6. A transmits the ticket to B. A also sends B's nonce encrypted with the session key (KS) to assure B that the message has come from A and not from a replay attack. B uses KS to decrypt the nonce.
- These steps are summarized as given below :
  1. A → B : IDA || NA
  2. B → KDC : IDB || NB || EKB[IDA || NA || TE]
  3. KDC → A : EKA[IDB || NA || KS || TE] || EKB[IDA || KS || TE] || NB
  4. A → B : EKB[IDA || KS || TE] || EKS[NB]
- This protocol provides a secure and effective mechanism to establish a session with a session key. Suppose A establishes a session with B using this protocol, and then ends that session once the communication is over. Further, assume that within the same time limit TE, A again wishes to establish a new session with B, but this time without the involvement of KDC. Now, A has the session key KS that can be used for subsequent authentication to B within the time limit TE provided by the protocol, using the same session key. Thus, A can establish as many sessions as he wants within the time limit without the involvement of KDC.
- Once the time limit is over, a new session key must be requested from the KDC.
- The steps for establishing a new session without contacting KDC are as follows :
  1. A → B : EKB[IDA || KS || TE] || N'A
  2. B → A : N'B || EKS[N'A]
  3. A → B : EKS[N'B]
- Here, N'A and N'B are newly generated nonces that assure A and B that there is no replay. TE is the time relative to B's clock; thus there is no need to synchronize clocks, since B checks only its self-generated timestamps.

Authentication using asymmetric or public keys (Asymmetric based Authentication)

- In the public-key encryption technique, in addition to generating and exchanging the public keys of A and B, the KDC is also responsible for generating the session keys (KS) needed to secure the communication.
- In this technique, no master key is shared between the KDC and the communicating parties; rather, the public keys of the KDC and the communicating parties are used for encryption.
- The steps of this protocol are as follows :
  1. A sends a message to KDC informing that he or she wants to establish a secure connection with B. The message includes the identifiers of A (IDA) and B (IDB) in plaintext.
  2. KDC returns a copy of the public-key certificate of B to A, which contains the identifier and public key of B, encrypted with the private key of KDC (KDCPRI).
  3. A generates a nonce NA and sends it to B along with its identifier (IDA) to inform B that he or she wants to communicate with B. A sends this information by encrypting it with B's public key (BPUB).
  4. On receiving this information from A, B sends a request to KDC for issuing the public-key certificate of A, and also for generating a session key (KS). B's request includes the identifiers of A and B in plaintext, along with the nonce NA encrypted with the public key of KDC (KDCPUB).
  5. KDC sends a copy of A's public-key certificate (A's identifier plus its public key) to B, encrypted with KDCPRI. KDC also sends the session key (KS), the nonce NA and B's identifier (IDB). This triplet informs A that KS is bound to NA, in order to assure A that KS is a newly generated session key and not an old one. The triplet is first encrypted with KDCPRI to assure B that this information is from KDC itself, and then it is encrypted with B's public key to make sure that no other party can create a fraudulent connection with A.
  6. B sends the triplet {NA, KS, IDB}, still encrypted with KDC's private key, along with the nonce NB to A. This whole information is further encrypted with A's public key (APUB).
  7. A decrypts the received information using the public key of KDC (KDCPUB) to obtain the session key (KS). Then, it sends the nonce NB encrypted with the session key KS to B to assure him or her that A has got the session key.
- These steps are summarized as given below :
  1. A → KDC : IDA || IDB
  2. KDC → A : EKDC-PRI[IDB || BPUB]
  3. A → B : EB-PUB[IDA || NA]
  4. B → KDC : IDB || IDA || EKDC-PUB[NA]
  5. KDC → B : EKDC-PRI[IDA || APUB] || EB-PUB[EKDC-PRI[NA || KS || IDB]]
  6. B → A : EA-PUB[EKDC-PRI[NA || KS || IDB] || NB]
  7. A → B : EKS[NB]

1.7 Defence in Depth Strategies (DiD)

- The security design principle of defence in depth aims to increase security by diversity.
- The idea is not to rely on a single defence or a single kind of defence. So if one defence is overcome, there is another one to protect, i.e. if one layer is broken, there is another of a materially different character that needs to be bypassed.
- Defence in depth is security implemented in overlapping layers that provide the three elements needed to secure assets : prevention, detection and response.
- It also means that the weakness of one security layer is offset by the strengths of two or more layers.
- For example, a typical internet-attached network designed with security in mind includes routers, firewalls, antivirus and an Intrusion Detection System (IDS) to protect the network from would-be intruders. It employs traffic analyzers and real-time human monitors who watch for anomalies as the network is being used, to detect any breach in the layers of protection. Also, it relies on automated mechanisms to turn off access or remove the system from the network in response to detection of an intruder.
- Fig. 1.7.1 shows different defence in depth strategies.

Fig. 1.7.1 : Defence in depth layers (labels recovered from the figure): Database security, ACLs, backup and restore strategy, Information Rights Management; Security of devices; Authentication, Authorization, SSO, Identity Management, Session management; Security update management, patched machines, OS hardening, auditing; Firewall, DoS prevention, NIDS, viruses and worms protection; Guards, locks, keys, walls, tracking; Password strengths, security policies, data classification.

1.8 Access Control Policies

- Access controls are a collection of mechanisms of an information system that work together. Access Control Models are :
  - Discretionary Access Control (DAC)
  - Mandatory Access Control (MAC)
  - Role-Based Access Control (RBAC)
  - Centralized
  - Distributed

1.8.1 Discretionary Access Control (DAC)

- DAC is a type of security access control that grants or restricts object access via an access policy determined by an object's creator or owner. The principle of discretionary access control dictates that the information owner is the one who decides who gets to access the system and what privileges they have.
- Permissions can be granted by the creator/owner of the object at their discretion. DAC is so called because access rights to an object are left to the sole discretion of the owner of that object.
- It is the most common access control model in the commerce world. It is used by most operating systems, including Windows, Unix and Mac.
- Access is based on :
  - Identity of the requestor (subject).
  - Access rules that state what requestors are (or are not) allowed to do.
- So these access rules would define essentially what objects the subject or requestor could access and what objects could be read, written to, executed, created or deleted, and so on.
- Subjects have ownership over objects. A subject can pass access rights to other subjects at his discretion.
- The privileges for these various objects are granted or revoked by the system administrator. Users can pass on their privileges to other users.
- For DAC to operate correctly, we will have users log in with unique user identities. So when Bob logs in, we can track exactly Bob and Bob's activity on the network.
- To create privileges for user identities, we use an Access Control List (ACL). Permissions get defined on an Access Control List (ACL) :
  1. Permissions granted to a user account (explicit)
  2. Permissions granted to a security group (implicit)
- The ACL gets linked to the object.
- An example of a DAC system is the Access Matrix Model.

Access Matrix Model

- AMM was designed by Butler Lampson in 1971.
- It comprises subjects and objects :
  a. Subjects : active elements requesting information. Eg. : users, processors, agents etc.
  b. Objects : passive elements storing information. Eg. : processes, files, devices, data repository.
- The ACM is a table that lists all subjects, all objects and the privilege levels of each subject on each object.

Fig. 1.8.1 : Access matrix; each row is a CAPABILITY list and each column is an ACL.


ve Advanced System Security & Digital Forensics (MU) 1:14 ro
— The row is the capability for the subject and the column is the ACL for the object and ACLis bound to the object. % ¥ Advanced System Security & Digital Forensics (MU) 1-15 Ant
troduction Nd Acces,
Drawback of DAC So in order to access the given object, the subject must have the sensitivity level equal ioigcner co
er than the re
objects. Access is allowed when clearance=classification. Auested
{tis not concerned with information flow ~ anyone with access can propaga
te information
In MAC environment, objects (including data) are labeled with a classification (Eg. Secret, Top Secret and $0 forth), ana
ACL or capability maintenance’
subjects or users are cleared to that class of access. :
Grant or revoke Permissions mainten
ance
From the perspective of confidentiality alone, if a subject has been cleared at level SECRET, then he/she should be
Itis very flexible but very weak
security able to read all documents.labeled SECRET or lower.
So DAC d ‘0 not take care of flow
of information from ‘one person or As labels are assigned by the system — difficult to change. MAC system is strong compared to DAC as it is difficult to
ccess toinformation. user to another so it i
but not the flow of information,
transfer privileges in MAC.
1.8.2 Mandatory Access Control (MAC)

- In MAC the access policy is determined by the system and not by the owner.
  a. Subjects: the people or other systems that are granted a clearance to access an object within the information system.
  b. Objects: the data repositories that hold important data, files.
- MAC is most often seen in military and governmental systems and is rarely seen in the commercial world.
- MAC provides tighter security because only a system administrator may access or alter the controls.
- So in a MAC based system, all subjects and objects must have labels assigned to them as:
  SUBJECT: CLEARANCE, NEED-TO-KNOW
  OBJECT: CLASSIFICATION, CATEGORY
- So in order to access a given object, the subject must have a sensitivity level equal to or greater than that of the requested object. Access is allowed when clearance = classification.
- In a MAC environment, objects (including data) are labeled with a classification (Eg. Secret, Top Secret and so forth), and subjects or users are cleared to that class of access.
- From the perspective of confidentiality alone, if a subject has been cleared at level SECRET, then he/she should be able to read all documents labeled SECRET or lower.
- As labels are assigned by the system, they are difficult to change. A MAC system is strong compared to DAC as it is difficult to transfer privileges in MAC.
- Bell-LaPadula and Biba models are based on MAC.
- Example: If a user Bob has a secret clearance at the base level, the objects that Bob can access must also have a secret classification label, and as clearance = classification, access is granted and information can flow.

Fig. 1.8.2: Sensitivity levels: TOP SECRET, SECRET, CONFIDENTIAL, SENSITIVE BUT UNCLASSIFIED

1.8.3 Multi-Level Security Models

- MLS is a form of access control.
- Government and military have had an interest in MLS for many decades.
- Even so, there are many possible uses of MLS outside government and military.
- MLS is needed when subjects/objects at different levels use the same system or application, like business information restricted to senior management, all management, employees, customers or the general public.
- MLS models do not tell you how to implement but what needs to be done.
- In the simplest implementation of mandatory access control, all information-carrying objects like files and documents within an organization are classified based on their sensitivity level. Likewise, employees or users are also assigned a clearance level after the organization has performed the requisite background check. A commonly used set of sensitivity/clearance levels includes the following:
  1. Top Secret  2. Secret  3. Confidential  4. Unclassified
- There are many MLS models like:
  1. Biba model
  2. Bell La Padula model
  3. Schematic Protection model
  4. Lipner's model
  5. Clark-Wilson model, Chinese wall model.

1.8.4 Bell La Padula Model

- Bell and La Padula proposed a state machine model in 1975.
- The aim is to capture the confidentiality aspects of access control (who gets to see what?).
- The model uses a state machine (or automaton). The purpose of the model is to prove the possibility of Multi-Level Security (MLS) that allows different levels of security.
- The BLP model was proposed by Bell and LaPadula for enforcing access control in government and military applications.
- The model preserves the security of information even as the system moves from one state to another state; it is an information flow model.
- The model has the following components:
  1. A set S of subjects. Subjects are processors or users.
  2. A set O of objects.
  3. A set of access operations = {execute, read, append, write}.
  4. A set of security levels denoted L(O) and L(S).
- The security policies of BLP are given by two properties. A state or system is secure if all these properties are true.
  1. Simple Security Property (SS Property): No Read Up
  2. The *-property (Star property): No Write Down

1. Simple Security Property (No read up)

Prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down).

2. The *-property (No write down)

The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object.

Fig. 1.8.3: User restriction is No read up and No write down

- BLP security rules prevent information flowing from a level of higher security to a lower level object. For example, a subject at the Top Secret level is not allowed to share that information with a lower level.

Limitations of BLP

- Write up is possible with BLP.
- Does not address integrity issues: BLP does not prevent write up, that is, it allows a user with a particular clearance, say Confidential, to write data up, so a Confidential user could essentially modify a Secret or Top Secret document.

1.8.5 Biba Model

- As the Bell-LaPadula model is based on confidentiality, Biba access control rules were designed to ensure data integrity.
- Goals of integrity are:
  - Prevent unauthorized users from making modifications in a document.
  - Prevent authorized users from making improper modifications in a document.
- It is designed to stop unauthorized changes.
- The security policies of Biba are given by two properties.
  1. Simple Integrity Property (no read down): a subject may not read an object of a lower integrity level.
  2. * (Star) Integrity Property (no write up): a subject may not write to an object at a higher integrity level.

Fig. 1.8.4: No Write Up or Read Down (No WURD)
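The DAC matrix and the MAC label rules above, as an added example (not the textbook's code): an access matrix with capability rows and ACL columns next to Bell-LaPadula and Biba checks over the levels of Fig. 1.8.2, showing the DAC drawback that a subject who can read one object and write another can move information between them, which BLP's no-write-down rule blocks. Subject, object and matrix contents are constructed.

```python
"""DAC access matrix beside MAC (Bell-LaPadula and Biba) label checks.

Added example, not from the textbook. Subject, object and matrix contents
are constructed; the level names are those of Fig. 1.8.2.
"""
from dataclasses import dataclass, field

# Sensitivity levels from low to high (index = rank).
LEVELS = ["SENSITIVE BUT UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class AccessMatrix:
    """Lampson's access matrix: rows are subjects, columns are objects."""
    rights: dict = field(default_factory=dict)  # (subject, object) -> set of rights

    def grant(self, subject, obj, *rights):
        """Owner-driven (discretionary) grant of rights on an object."""
        self.rights.setdefault((subject, obj), set()).update(rights)

    def allowed(self, subject, obj, right):
        return right in self.rights.get((subject, obj), set())

    def capability(self, subject):
        """The subject's row: every object it may act on and how."""
        return {o: sorted(r) for (s, o), r in self.rights.items() if s == subject}

    def acl(self, obj):
        """The object's column: which subjects may act on it and how."""
        return {s: sorted(r) for (s, o), r in self.rights.items() if o == obj}


def blp_allowed(subject_level, object_level, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s >= o  # simple security property
    if op == "write":
        return s <= o  # *-property; write up stays allowed, the limitation noted in the text
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subject_level, object_level, op):
    """Biba (integrity): no read down, no write up."""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s <= o  # simple integrity property
    if op == "write":
        return s >= o  # * integrity property
    raise ValueError(f"unknown operation {op!r}")


def dac_flow_possible(matrix, subject, src, dst):
    """DAC drawback: access is controlled but information flow is not.
    A subject with read on src and write on dst can copy src into dst."""
    return matrix.allowed(subject, src, "read") and matrix.allowed(subject, dst, "write")


def blp_flow_possible(subject_level, src_level, dst_level):
    """The same copy under BLP: both the read and the write must pass the label rules."""
    return (blp_allowed(subject_level, src_level, "read")
            and blp_allowed(subject_level, dst_level, "write"))


if __name__ == "__main__":
    m = AccessMatrix()
    m.grant("bob", "secret_plan.txt", "read")
    m.grant("bob", "public_notes.txt", "read", "write")
    print("bob's capability row:", m.capability("bob"))
    print("ACL column of public_notes.txt:", m.acl("public_notes.txt"))
    # DAC permits the copy; BLP with SECRET -> unclassified labels forbids it.
    print("DAC lets bob copy the plan into public notes:",
          dac_flow_possible(m, "bob", "secret_plan.txt", "public_notes.txt"))
    print("BLP lets a SECRET subject do the same:",
          blp_flow_possible("SECRET", "SECRET", "SENSITIVE BUT UNCLASSIFIED"))
```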
1.9 Single Sign on

- Single sign-on is an authentication process that allows a user to access multiple applications with one set of login credentials.

Fig. 1.9.1: Source web site (PQR.COM), Destination website (XYZ.COM)
- It means that once you have logged in, you do not have to log in repeatedly for every application linked to this system.
- A typical and good example of single sign-on is Google. Google's implementation of login for its products such as Google Analytics and so on is an example of this system. Any user that is logged in to one of the Google products is automatically logged in to the other products as well.
- A user authenticates to one web site (domain) and then is able to access resources at some other website (domains).
- A user Bob is authenticated at PQR.com and can access resources at XYZ.com.

Advantages of Single sign-on:
- User signs on once.
- No need for authentication at multiple sites, applications.
- Can set a central authorization policy for the enterprise.
- Log into many websites using one account.
- No need to manage a large number of passwords.

Disadvantages of single sign-on:
- There is a single point of failure. A site's users will not be authenticating if the SSO provider goes down.
- Data loss may occur if the SSO provider is hacked or breached.

1.10 Federated Identity Management

- Relatively new concept dealing with the use of a common identity management scheme across multiple enterprises and numerous applications.
- Used to implement Single Sign-On (SSO) using browsers.
- A digital identity is an electronic representation of a real person's electronic identity and attribute information. A federated identity in information technology is the means of linking a person's electronic identity and attributes across multiple distinct identity management systems.
- Related to federated identity is single sign-on, in which a user's single authentication ticket or token is trusted across multiple systems or organizations.
- Services provided include:
  - Point of contact
  - SSO protocol services
  - Trust services
  - Key services
  - Identity services
  - Authorization
  - Provisioning
  - Management
- A set of service providers agrees on a way to refer to a single user even if he/she is known to each of them under a different name. The user Bob is authenticated at XYZ.com as BobS and can access resources at both PQR.com (BobS) and ABC.com (Bob1) without being reauthenticated, as shown in Fig. 1.10.1.

Fig. 1.10.1: Identity Provider (BobS), Service Provider (BobS), Service Provider (Bob-1)

- There are three major protocols for federated identity:
  1. OpenID
  2. SAML
  3. OAuth

1.10.1 Security Assertion Markup Language (SAML)

- It is a meta-level single sign-on protocol, primarily for enterprise web-based applications. It is a product of the OASIS Security Services Technical Committee.
- It could be implemented by Kerberos or by PKI-based protocols.
- An XML-based standard for exchanging authentication and authorization data between security domains used by Federated Management (FM).
- It is a framework for exchanging security information between business partners.
- It is based on the concept of Assertions (statements about a user) which can be passed around.
- SAML assertions are passed, similar to a cookie, from a source website to a destination website via headers or HTTP POST requests.
- All identity assertions are attached to the SOAP document's envelope header to secure the payload.
- In a federated system, there is a need to exchange authentication and authorization information between Identity Providers and Service Providers to allow Single Sign On (SSO) for enterprise users.
- An Identity Provider can offer assertions of someone's identity (authenticate the user) using an assertion ticket.
- A Service Provider uses the information provided by the identity provider to ensure appropriate access control and ...
Fig. 1.10.2: A SAML authentication use case
1. User tries to access a hosted corporate application.
2. "Service Provider" generates a SAML request and redirects.
3. User is redirected to the "Identity Provider" together with the SAML request.
4. "Identity Provider" authenticates the user, parses the SAML request and generates an encoded SAML response.
5. Browser sends the SAML response to the "Service Provider".
6. "Service Provider" verifies the SAML response and the user is logged in.

Advantages of SAML:
- Platform independent
- Easily extendable
- Portable trust across domains
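The six-step exchange of Fig. 1.10.2 as an added example (not from the textbook, and not a SAML library): a JSON assertion signed with an HMAC stands in for the XML assertion and its XML signature, idp.example and sp.example are made-up names, and the Service Provider checks signature, issuer, audience, request id (against replay) and validity window before logging the user in.

```python
"""Simulation of the six-step SAML browser SSO flow of Fig. 1.10.2.

Added example, not the textbook's code and not a SAML implementation: the
XML assertion is replaced by a signed JSON document, the XML signature by
an HMAC over a key shared by the two parties, and idp.example / sp.example
are made-up names.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Holds the user database and issues signed assertions."""

    def __init__(self, name, key, users):
        self.name, self._key, self._users = name, key, users

    def handle_request(self, saml_request, username, password, now=None):
        """Step 4: authenticate the user, parse the request, build a response."""
        if self._users.get(username) != password:
            return None  # authentication failed, so no assertion is issued
        now = time.time() if now is None else now
        assertion = {
            "issuer": self.name,
            "subject": username,
            "audience": saml_request["issuer"],   # only the asking SP may use it
            "in_response_to": saml_request["id"],
            "not_before": now,
            "not_on_or_after": now + 300,         # five-minute validity window
        }
        payload = base64.b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
        return {"assertion": payload, "signature": _sign(self._key, payload.encode())}


class ServiceProvider:
    """Trusts one IdP and verifies every response before logging a user in."""

    def __init__(self, name, idp_name, idp_key):
        self.name, self._idp_name, self._idp_key = name, idp_name, idp_key
        self._pending = set()  # request ids we issued and have not yet consumed

    def create_request(self):
        """Step 2: generate the SAML request the browser carries to the IdP."""
        req = {"id": secrets.token_hex(8), "issuer": self.name, "destination": self._idp_name}
        self._pending.add(req["id"])
        return req

    def consume_response(self, response, now=None):
        """Step 6: verify the response; return the logged-in subject or None."""
        now = time.time() if now is None else now
        payload = response["assertion"].encode()
        if not hmac.compare_digest(_sign(self._idp_key, payload), response["signature"]):
            return None  # tampered, or not from our IdP
        a = json.loads(base64.b64decode(payload))
        if a["issuer"] != self._idp_name or a["audience"] != self.name:
            return None  # meant for a different SP, or from an unknown issuer
        if a["in_response_to"] not in self._pending:
            return None  # unsolicited, or a replay of an already used response
        self._pending.discard(a["in_response_to"])
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return None  # outside the validity window
        return a["subject"]


def sso_login(sp, idp, username, password):
    """Steps 1-6 end to end, with the browser's redirects collapsed into calls."""
    request = sp.create_request()                                # steps 1-3
    response = idp.handle_request(request, username, password)   # step 4
    if response is None:
        return None
    return sp.consume_response(response)                         # steps 5-6


if __name__ == "__main__":
    key = b"constructed-shared-key"
    idp = IdentityProvider("idp.example", key, {"bob": "correct horse"})
    sp = ServiceProvider("sp.example", "idp.example", key)
    print("login with right password:", sso_login(sp, idp, "bob", "correct horse"))
    print("login with wrong password:", sso_login(sp, idp, "bob", "guess"))
```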

Q.1 What is a cyber attack? Explain different types of cyber attack.

Q.2 Define vulnerability and different types of vulnerabilities.

Q.3 What are different defence strategies to make a system secure?

Q.4 Explain different authentication methods.

Q.5 What are the different types of authentication protocol?

Q.6 Explain one-way authentication protocols.

Q.7 Explain mutual authentication protocols.

Q.8 What is the need of Defence in Depth strategies?

Q.9 Explain different access control policies. Explain in detail DAC and MAC.

Q.10 Explain Bell-LaPadula security model.

Q.11 Explain Biba security model.

Q.12 What is the need of Single-sign on method?

Q.13 Explain Federated Identity Management. Explain in detail SAML.

Unit II
Program and OS Security
Syllabus :
2.1 Malicious and Non-Malicious programming errors, Targeted Malicious codes: Salami Attack, Linearization Attack,
Covert Channel, Control against Program threats.

2.2 Operating System Security: Memory and Address protection, File Protection Mechanism, User Authentication.

2.3 Linux and Windows: Vulnerabilities, File System Security.

2.1 Malicious and Non-Malicious Programming Errors

- The network security practitioner has to be familiar with and understand the various types and effects of malicious and non-malicious code.
- Malicious code (also known as a rogue program or malware) is software written to intentionally cause unexpected or undesirable effects.
- Malicious code can do anything that a "normal" program can do; it can change data or other programs.
- A malicious attack intentionally eavesdrops, steals or damages information, uses information in a fraudulent manner or denies access to other authorized users.
- Non-malicious: Programmers and other developers make many mistakes, most of which are unintentional and non-malicious. Non-malicious errors typically result from carelessness or lack of knowledge. Many such errors cause program malfunction but do not lead to more serious security vulnerabilities.

Fig. 2.1.1: Program security flaws: inadvertent human errors and malicious intentional flaws

Fig. 2.1.2: Program flaws
- Intentional
  - Malicious (A. non-replicating, B. replicating): 1. Logic bomb 2. Virus 3. Worm (independent) 4. Trojan horse 5. Trapdoor 6. Rabbit 7. Spyware
  - Non-malicious: 1. Covert channel 2. Buffer overflow 3. Incomplete mediation 4. Race conditions
- Inadvertent
  1. Validation error (incomplete/inconsistent)
  2. Domain error (object reuse, residuals)
  3. Serialization/aliasing
  4. Identification/authentication inadequate
  5. Boundary condition violation
  6. Other exploitable logic error
2.1.1 Types of Malicious Code

- Virus: attaches itself to a program and propagates copies of itself to other programs.
- Worm: propagates copies of itself through a network.
- Trapdoor: allows unauthorized access to functionality.
- Trojan Horse: contains unexpected, additional functionality.
- Logic bomb: triggers action when a condition occurs.
- Time bomb: triggers action when a specified time occurs.
- Rabbit: replicates itself without limit to exhaust resources.

1. Virus
- A virus is a piece of software that can be attached to another program, system memory or file.
- A virus is a program that can pass on malicious code to other non-malicious programs by modifying them.
- The term "virus" was coined because the affected program acts like a biological virus. It infects other healthy subjects by attaching itself to the program and destroying it.
- A transient virus is active only when its host program is active.
- A resident virus establishes itself in the computer's memory and can remain active without its host.
- The first network virus in 1970 was Creeper and the first PC virus in 1982 was Elk Cloner.

2. Worm
- A worm is like a virus, but unlike a virus, a worm is capable of moving from system to system without any human action (independently), can propagate a complete working version of itself onto other hosts on a network, and consumes computer resources destructively.
- It does not modify programs.
- It replicates copies of itself again and again through a network.
- Famous worms are the Morris Internet worm (1988), Code Red and Nimda.

Comparison between Virus and Worm
- Virus modifies the code. Worm does not modify the code.
- Virus is destructive in nature. Worm is non-destructive in nature.
- Viruses have to rely on users for transferring to infect files or programs; viruses require interaction. Worms move on their own.
- Damage caused by a virus is mostly local to the machine.
- Virus spreads quite slowly. Worm spreads much more quickly, Ex. the SQL Slammer worm reached 75,000 victims within 10 minutes.

3. Trapdoor
- A hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can utilize the trapdoor to gain access to the computer without being blocked by security mechanisms.

4. Trojan Horse
- A computer program that appears to have a useful function, but also has a hidden and malicious purpose that evades security mechanisms, sometimes by exploiting the legitimate authorizations of the user who invokes the program.
- Like a virus, but it doesn't modify and doesn't replicate.
- Trojans can enter a system in several ways: through e-mail attachments, through file-sharing software, from a website, or through cell phone downloads.
- Damages caused by Trojans are:
  o Logging keystrokes to steal information such as passwords and credit card details.
  o Installing a backdoor on a computer.
  o Overwriting or erasing data on a computer.
  o They are also known as droppers as they spread other malware such as viruses.
- Ex. deletion of files on launching a media player application.

5. Logic Bomb
- Malicious program logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources.
- Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date.

Time Bomb
- A type of logic bomb that activates at a specified date/time.

Rabbit
- A virus or worm that replicates itself without limit to exhaust system resources.
- A rabbit might create copies of itself and store them on disk, in an effort to completely fill the disk.

2.2 Targeted Malicious Code
- Targeted malicious code is malware that is written specifically to:
  - Attack a particular system
  - Attack a particular application
  - Carry out a particular malicious task
- Many virus and worm techniques apply in the context of targeted malicious code.
- Well known targeted malicious attacks other than what we have learnt in previous sessions are:
  1. Salami Attack
  2. Linearization Attack

2.2.1 Salami Attack
- Data are especially vulnerable to modification. Small and skillfully done modifications may not be detected in ordinary ways.
- In a salami attack, a programmer "slices off" an amount of money from individual transactions. These slices must be difficult for the victim to detect.
- For Eg., a bank employee or programmer inserts a program into the bank's servers that deducts a small amount of money (a fractional value of any transaction) from the account of every customer.
- The shaved amount is so small that an individual case is unlikely to be noticed. However, accumulated amounts can add up to a tidy sum, supporting a programmer's early retirement or new car.

2.2.2 Linearization Attack
- It is also called the extended sparse linearization (XSL) attack.
- It uses processing time to get past security measures.
- It is one of the cryptanalysis techniques to retrieve the secret message without having the key.
- In a linearization attack, a specialized algorithm termed extended sparse linearization is used to recover the key.

Working of attack:
- Password validation: check each character. Exit when an incorrect character is found.
- Correct input takes longer to process than incorrect input.
- Can be cracked easily: vary the first character until the correct one is found, then continue by doing the same for the remaining characters.

Example:
- The program checks for the password 'T567A123'.
- For efficiency, the check is made one character at a time, and the program exits as soon as an incorrect character is found. The attacker takes advantage of this.
- The correct password takes longer to process than an incorrect password. Even better (for the attacker), a password that has the first character correct will take longer than any that has an incorrect first character.
- Correct letters take longer than incorrect letters.
- The attacker tries all 1st characters and finds that T takes longest. Then the attacker guesses all 2nd characters, T*, and finds that T5 takes longest, and so on.
- The attacker can recover one character at a time.
- What is the advantage of attacking the password one character at a time?
  - Suppose the password is 8 characters and each has 128 possible values.
  - Then there are 128^8 = 2^56 possible passwords.
  - An attacker would guess the password in about 2^55 tries.
  - Using the linearization attack, the work is about 8 * (128/2) = 2^9, which is trivial.
- Input: correct password -> verification time: maximum.
- Input: incorrect password -> verification time: minimum.
- So based on the delay or quickness of authenticating the user, the attacker can guess the character.
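The early-exit check the text describes beside a fixed-work version, as an added example (not the textbook's program): a comparison counter stands in for the measured delay, showing why the delay grows with the length of the correct prefix and how the hardened check removes that dependence. The probe strings are constructed.

```python
"""Early-exit password check beside a fixed-work check.

Added example, not the textbook's program. 'T567A123' is the password from
the text; the comparison counter stands in for the processing time the
attacker measures.
"""
import hmac


def check_early_exit(stored: str, guess: str):
    """The text's 'efficient' validation: stop at the first wrong character.
    Returns (matched, comparisons); the count grows with the length of the
    correct prefix, which is what the linearization attack observes."""
    comparisons = 0
    for i in range(min(len(stored), len(guess))):
        comparisons += 1
        if stored[i] != guess[i]:
            return False, comparisons
    return len(stored) == len(guess), comparisons


def check_fixed_work(stored: str, guess: str):
    """Hardened validation: every position is examined whatever the input,
    so the work (and the delay) no longer depends on where the mismatch is."""
    padded = guess.ljust(len(stored))[: len(stored)]
    diff = len(stored) ^ len(guess)      # a length mismatch also counts as a difference
    comparisons = 0
    for a, b in zip(stored, padded):
        comparisons += 1
        diff |= ord(a) ^ ord(b)          # accumulate; never branch on a single character
    return diff == 0, comparisons


def check_with_library(stored: str, guess: str) -> bool:
    """What production code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(stored.encode(), guess.encode())


def work_profile(check, stored, guesses):
    """Comparisons spent on each guess; variation across wrong guesses is the leak."""
    return [check(stored, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = "T567A123"
    probes = ["X5678888", "T5X", "T567A12Z", "T567A123"]   # constructed guesses
    print("early exit :", work_profile(check_early_exit, secret, probes))   # rises with correct prefix
    print("fixed work :", work_profile(check_fixed_work, secret, probes))   # identical for every probe
```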
2.3 Non-Malicious Errors

Types of non-malicious errors are:
1. Buffer overflow  2. Incomplete mediation  3. Race condition  4. Covert channel

1. Buffer overflow
- A buffer is a block of memory.
- A buffer overflow is caused when more data is inserted into a buffer than it can handle. This may lead to the execution of arbitrary code if a certain memory pointer is overwritten.
- A buffer overflow can often be triggered by malformed inputs. If one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data could cause it to write past the end of the buffer.
- If this overwrites adjacent data or executable code, it may result in abnormal program behavior including memory access errors, incorrect results and crashes.

2. Incomplete mediation
- Sensitive data are in an exposed, uncontrolled condition.
- For Ex., the URL generated by a client's browser during an online purchase:
  http://www.---.com/order/final&custID=100&part=20A&qty=20&price=10&shipcst=5&total=205
- Instead, the user edits the URL directly, changing the price and total cost as follows:
  http://www.---.com/order/final&custID=100&part=20A&qty=20&price=1&shipcst=5&total=25
- The user uses the forged URL to access the server. If the server fails to verify the price of the item then it will accept 25 as the total cost, so the user purchased 20 items for just 25 as opposed to the legitimate total of 205.
- Unchecked and unvalidated data are a serious vulnerability.
- The solution is to anticipate problems:
  - Don't let the client return a sensitive result like a total that can be easily recomputed by the server.
  - Use drop-down boxes or choice lists for data input. Prevent the user from editing input directly.
  - Check the validity of data values upon receipt from the client. Do not rely solely on client-side validation.
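Server-side mediation for the order URL above, as an added example (not the textbook's code): the server recomputes the total from its own price list and ignores the client-supplied price and total. www.example.com stands in for the elided host; the catalogue and function names are constructed.

```python
"""Server-side mediation of the order URL from the text.

Added example, not the textbook's code. The field names, part 20A, unit
price 10 and shipping 5 come from the text; www.example.com stands in for
the elided host, and the catalogue and function names are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Authoritative prices live on the server; nothing the client sends overrides them.
CATALOGUE = {"20A": 10}   # part number -> unit price
SHIPPING_COST = 5


def parse_order(url: str) -> dict:
    """Extract the order fields. The text's URL joins them to the path with
    '&' instead of '?', so both forms are accepted."""
    parsed = urlparse(url)
    if parsed.query:
        query = parsed.query
    elif "&" in parsed.path:
        query = parsed.path.split("&", 1)[1]
    else:
        query = ""
    return {k: v[0] for k, v in parse_qs(query).items()}


def validate_order(url: str):
    """Recompute the total from server data and compare with the client's.
    Returns (accepted, server_total, reason)."""
    fields = parse_order(url)
    part = fields.get("part")
    try:
        qty = int(fields.get("qty", "0"))
        client_total = int(fields.get("total", "-1"))
    except ValueError:
        return False, None, "non-numeric quantity or total"
    if part not in CATALOGUE or qty <= 0:
        return False, None, "unknown part or bad quantity"
    # price= and shipcst= supplied by the client are deliberately ignored.
    server_total = CATALOGUE[part] * qty + SHIPPING_COST
    if client_total != server_total:
        return False, server_total, "client total does not match server total"
    return True, server_total, "ok"


if __name__ == "__main__":
    legitimate = "http://www.example.com/order/final&custID=100&part=20A&qty=20&price=10&shipcst=5&total=205"
    forged = "http://www.example.com/order/final&custID=100&part=20A&qty=20&price=1&shipcst=5&total=25"
    print(validate_order(legitimate))   # accepted at 205
    print(validate_order(forged))       # rejected, server still computes 205
```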
3. Race condition
- A race condition or serialization flaw occurs when two concurrently executing processes produce incorrect computational results.
- For Ex., consider Fig. 2.3.1, which represents a poorly designed airline reservation system. We have two web customers A and B who are trying to book a seat on a specific flight. Imagine there is only one seat remaining and that both are attempting to book the one remaining seat at nearly the same time. The race condition begins when a customer checks if any seats for the flight are available; the reservation system responds yes because one seat remains.

Fig. 2.3.1: Two customers racing for the one remaining seat
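The airline booking race above, as an added example (not the textbook's code): book_unsafe separates the seat check from the update, and a constructed barrier forces the interleaving in which both customers pass the check, while book_safe serializes the two steps under a lock. The Flight class and customer names are constructed.

```python
"""The check-then-act race of the airline booking example, and a serialized fix.

Added example, not the textbook's code. The Flight class, the barrier used to
force the interleaving, and the customer names are constructed.
"""
import threading


class Flight:
    def __init__(self, seats_left: int):
        self.seats_left = seats_left
        self.bookings = []
        self._lock = threading.Lock()

    def book_unsafe(self, customer, barrier=None):
        """Poorly designed system: 'any seats available?' and 'take the seat'
        are separate steps, so two customers can both pass the check."""
        if self.seats_left > 0:              # step 1: the system answers yes
            if barrier is not None:
                barrier.wait()               # constructed: both customers pass the check first
            self.seats_left -= 1             # step 2: take a seat that is already gone
            self.bookings.append(customer)
            return True
        return False

    def book_safe(self, customer):
        """Serialized: the check and the update run as one atomic step."""
        with self._lock:
            if self.seats_left > 0:
                self.seats_left -= 1
                self.bookings.append(customer)
                return True
            return False


def run_concurrently(flight, method_name, customers, **kwargs):
    """Run one booking per customer on its own thread; return the final state."""
    threads = [threading.Thread(target=getattr(flight, method_name), args=(c,), kwargs=kwargs)
               for c in customers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return flight.seats_left, sorted(flight.bookings)


def demo_unsafe_race():
    """Force the lost-update interleaving deterministically with a 2-party barrier."""
    flight = Flight(seats_left=1)
    return run_concurrently(flight, "book_unsafe", ["A", "B"], barrier=threading.Barrier(2))


def demo_safe():
    """Same two customers, same single seat, with the check and update serialized."""
    flight = Flight(seats_left=1)
    return run_concurrently(flight, "book_safe", ["A", "B"])


if __name__ == "__main__":
    print("unsafe:", demo_unsafe_race())   # one seat, two bookings, seats_left == -1
    print("safe:  ", demo_safe())          # exactly one booking, seats_left == 0
```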
2.3.1 Covert Channel
- A covert channel is a type of computer security attack that transfers information that is not supposed to be allowed to be communicated under the computer security policy.
- A covert channel is so called because it is hidden from the access control mechanisms of a secure OS and it is not seen by the legitimate data transfer mechanisms.
- It cannot be detected by or controlled by the hardware based security mechanisms of a secure OS.
- Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of the communication.

Types of Covert Channel:

Fig. 2.3.2: Types of covert channel: storage channel, timing channel, termination channel, resource channel, power channel

Here we are going to discuss the most popular covert channels, timing and storage channels.

1. Covert Timing Channel
- A process relays information to another by modulating its use of system resources.
- Information is transmitted by altering a system resource's performance or timing. It's a way of hiding messages by mixing them in with legitimate traffic that is travelling over the network, so they would not be seen because they are mixed with legitimate traffic.
- Timing channels have received much less attention than storage channels because of synchronization issues and the potentially lower bandwidth available to the channel.
- One of the main methods of creating these types of channel is to monitor the inter-arrival time of packets leaving a network. The attacker does not necessarily have to generate her own packets but can attempt to modulate the wait times between packets to encode the information.
- For Ex., the receiver monitors the amount of time that the sender runs a process.
  - If it is run more than 10 sec, it signals a 1.
  - If less than 10 sec, it signals a 0.

Fig. 2.3.3: Timing attack (subject modulation)

2. Covert Storage Channel
- The mechanism used to send the secret message is a common storage area between processes and the main memory of the system.
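An audit check for the timing channel above, as an added example (not the textbook's code): run times that fall into two tight clusters on either side of the 10-second threshold are flagged and decoded with the text's rule. The run-time samples, tolerance and function names are constructed.

```python
"""Audit check for the run-time covert timing channel described in the text.

Added example, not the textbook's code. The 10-second rule is the text's;
the run-time samples, threshold tolerance and function names are constructed.
"""
import statistics


def decode_bits(durations, threshold=10.0):
    """The text's encoding: a run longer than the threshold signals 1, otherwise 0."""
    return [1 if d > threshold else 0 for d in durations]


def _spread(samples):
    """Coefficient of variation; a channel keeps each of its two symbols tightly clustered."""
    if len(samples) < 2:
        return float("inf")
    return statistics.pstdev(samples) / statistics.mean(samples)


def modulation_score(durations, threshold=10.0):
    """Largest spread on either side of the threshold (low = suspiciously regular)."""
    above = [d for d in durations if d > threshold]
    below = [d for d in durations if d <= threshold]
    return max(_spread(above), _spread(below))


def audit_run_times(durations, threshold=10.0, max_spread=0.05):
    """Flag a process whose run times look like two clean symbols rather than
    ordinary workload variation. Returns (suspicious, decoded_bits_or_None)."""
    score = modulation_score(durations, threshold)
    if score <= max_spread:
        return True, decode_bits(durations, threshold)
    return False, None


# Constructed samples: run times in seconds of one process, as a monitor would log them.
COVERT_RUNS = [12.0, 12.1, 8.0, 8.1, 12.0, 8.0, 12.1, 8.1]   # two tight clusters
NORMAL_RUNS = [3.0, 25.0, 9.0, 14.0, 1.0, 30.0, 7.0]          # ordinary spread

if __name__ == "__main__":
    print("covert :", audit_run_times(COVERT_RUNS))   # (True, [1, 1, 0, 0, 1, 0, 1, 0])
    print("normal :", audit_run_times(NORMAL_RUNS))   # (False, None)
```

A legitimately periodic job also shows regular run times, so the flag is a prompt for the resource analysis and log review listed under the countermeasures below, not a verdict on its own.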
- A process writes data to a storage location, and another process of lower clearance reads it.
- In this type, the focus has been on using common network protocols to hide or embed information. The most researched is the TCP/IP suite of protocols.
- The idea is to embed information in certain header fields that are unused, immutable or mutable, with the intention of avoiding detection. Predictable fields in the header of any protocol are used, most with a problem of predictability. The embedded information is carried out of the network.
- Information may be placed in the payload section of the packets.

Fig. 2.3.4: Storage attack: a subject at a high security level writes data at the high security level, which a subject at a low security level reads

- Ex. the lock attribute of a file: locked signals a 1, unlocked signals a 0, using a pseudo binary code.

Prevention and Countermeasures
- The prevention of covert channels is very difficult. But the following techniques can be used:
  - To identify covert channels, we need to analyze the resources of a system regularly.
  - Auditing of the channel.
  - Maintaining and analyzing log files.
  - Limit the bandwidth of the channel.

2.4 Control against Program Threats
- Program threats: an operating system's processes and kernel do the designated task as instructed. If a user program makes these processes do malicious tasks, it is known as a program threat.
- Some well known program threats are viruses, trapdoors, Trojan horses, logic bombs etc.
- Controlling against program threats is most effectively accomplished during the software development process.
- There are essentially 3 controls on such activities:
  1. Development Controls
  2. Operating System Controls
  3. Administrative Controls

1. Development Controls
- Many controls can be applied during software development to fix the problems. The following tasks are involved in specifying, designing, building and testing software:
  1. Specify the system  2. Design the system
  3. Implement the system  4. Test the system
  5. Review the system at various stages  6. Document the system
  7. Manage the system  8. Maintain the system
- Different development controls are used to prevent threats during software development:
  1. Modularity  2. Encapsulation
  3. Information Hiding  4. Peer reviews
  5. Confinement  6. Configuration Management

Modularity:
- A key principle of software engineering is to create a design of small, self-contained units, called modules. When a system is written this way, we say it is modular.
- A security analyst must be able to understand each component as an independent unit and be assured of its limited effect on other components.
- Keep it isolated from the effects of other components.

Fig. 2.4.1: Modularization

- A modular component usually has high cohesion and low coupling.
  a. High cohesion: all the elements of a component have a logical and functional reason for being there.
  b. Low coupling: the degree to which a component depends on other components in the system is low.
rity & Digital Fore’
wy Advanced System Security & Digital Forensics (MU) __2-11
Advanced System Secu
By
¥v easily and maliciously alter the com ram 298.98 See),
Advantage of information testing is developers cannot
not know the components work. PONENS Of others they do
Peer Reviews :
Saeed ty
another with a view toward identifying and eliminating security flaws.
These security flaws might be malicious or non-malicious.
4. Non-malicious security flaws
, having
mers can often become blind to their own mistakes
When writing a software program , computer program
flaws in his work
mer to ensure that any unintentional security
another person review their code can help a program
a problem.
High Cohesion Low Cohesion will be detected before they become
Low Coupling 2. Malicious security flaws
the possibility of intentional, malicious —_ security flaws becoming part ofa
A peer review process also greatly limits
- Fig. 2.4.2
software program. by
in a program if his is being reviewed
Each module should meet 4 criteria. to embed a malicious security flaws
It is much more difficult for a programmer
— It performs only one function(Single-purpose).. ' other programmers.
— Itis small. Configuration Management :
- It is simple.
- It performs its task in isolation (independent).

Advantages of modularity are :
- Maintenance
- Understandability
- Reuse
- Correctness
- Testing

Encapsulation :
- If a component or module is isolated from other components, then it is easier to trace a problem to flaws.
- It is also easy to maintain the system, since changes to an isolated component do not affect other components.
- Encapsulation is a programming practice in which a module's inner data structures and workings are hidden from other modules.
- Encapsulation hides a component's implementation details.
- It minimizes interfaces to reduce covert channels.

Information Hiding :
- Similar to encapsulation, but refers to the data values contained within a module.
- Modules should be specified and designed so that information (process and data) contained within a module is inaccessible to other modules that have no need for such information.
- An encapsulated module hides its internal details and data.
- It forces design units to communicate only through well-defined interfaces.

Configuration Management :
1. During the software development process, it is important to keep track of who is making which changes to the program; this is accomplished using configuration management.
2. Changes to one part of a program can have intentional or unintentional consequences for other parts of the program. Configuration management allows undesirable changes to be "rolled back" as necessary.
3. It is particularly important for large software development projects and for the development of open-source software programs.

Other Software Development Security Controls :

Hazard analysis
- A set of systematic techniques designed to reveal hazardous system states.
- Involves the development of hazard lists and what-if scenarios in order to identify security flaws.

Static analysis
- Examining a program's code and design specifications for evidence of potential security threats; it focuses on control flows and data flows, and on where vulnerabilities lie.
- Conducted before a system is deployed.

Prediction
- Predicting which security problems are most dangerous or most likely to occur.
- These predictions allow us to manage risk by targeting our limited resources to where they will be most useful.

Analysis of mistakes
- Learning from security breaches in order to avoid making the same mistakes in the future.
- Requires that we document our design decisions so that we can review them when security breaches are identified.
Advanced System Security & Digital Forensics (MU)   2-12   Program and OS Security
Testing :
- Programs should be extensively tested prior to deployment in order to ensure quality, stability and accuracy.
1. Unit Testing : Testing the functionality and behavior of each component that comprises the program.
2. Integration Testing : Testing the extent to which system components interact with one another as intended.
3. Function Testing : Evaluating the ability of the system to perform the functions for which it was designed.
4. Performance Testing : Evaluating the ability of the system to achieve the performance standards for which it was designed.
5. Black-box Testing : Ensuring that a system generates correct output values in light of known input values. It does not consider the internal workings of the system.

3. Administrative Control
- Administration of the software development has to maintain and implement two types of controls.
1. Standards of program development
  - Standards of design
  - Standards of documentation, language and coding style
  - Standards of programming
  - Standards of testing
  - Standards of configuration management
2. Security audit
  - Separation of duties
Different OS controls are :
1. Mutual suspicion
2. Confinement
3. Access Log
4. Trusted Software

Mutual Suspicion :
- When two programs must interact, each should be suspicious of the other.
- Mutually suspicious programs operate as if other routines in the system were malicious or incorrect.
- A calling program cannot trust its called sub-procedures to be correct, and a called sub-procedure cannot trust its calling program.
- A program should never fully trust another program.
- Each protects its interface data so that the other has only limited access.
- A program should protect itself by :
  o Validating input values supplied by other programs
  o Granting other programs only limited access

Confinement :
- Programs that are suspected of being untrustworthy should be confined by the operating system to protect the system and other programs.
- A confined program is strictly limited in what system resources it can access.
- If a program is not trustworthy, the data it can access are strictly limited.

Trusted Software :
- Code has been rigorously developed and analyzed.
- Functional correctness.
- Enforcement of integrity.
- Limited privilege.
- Appropriate confidence level.

2.5 Operating System Security
- Security has become extremely important in the current world because systems are always connected; as a result it becomes very easy for malicious programs to enter the system.
- Therefore operating systems should be designed in such a way so as to prevent, as much as possible, any loss of information due to such malicious intrusions.
- Operating systems are the prime providers of security in computing systems. They support many programming capabilities, permit multiprogramming and sharing of resources, and enforce restrictions on program and user behavior.
- Because they have such power, operating systems are also targets for attack; breaking through the defenses of an operating system gives access to the secrets of computing systems.
- Usually an operating system consists of files, memory and other general purpose objects. What kind of mechanisms exist in the operating system to secure these files and memory, whether they are effective, what the loopholes of the architecture are, and how we can provide better and more advanced protection is what we will learn in this topic.

2.5.1 Protection in General Purpose OS
- An OS usually supports multiprogramming, that is the concurrent use of a system by more than one user.
- Operating system designers have developed ways to protect one user's computation from inadvertent or malicious interference by another user.
- For this purpose, the operating system has the following facilities :
  o Memory protection
  o File protection
  o General control of access to objects
- Security functions of an O.S. are :
  1. Separation
  2. Memory Protection
  3. Access Control

Separation :
- The basis of protection is separation : keeping one user's objects separate from other users.
- Separation in an OS can occur in several ways :
  o Physical separation : in which different processes use different physical objects, such as separate printers for output requiring different levels of security.
  o Temporal separation : in which processes having different security requirements are executed at different times.
  o Logical separation : the OS constrains a program's accesses so that it cannot access objects outside its permitted domain.
  o Cryptographic separation : in which processes conceal their data and computations in such a way that they are unintelligible to outside processes.

2.6 Memory and Address Protection
- The most obvious problem of multiprogramming is preventing one program from affecting the memory of other programs. Fortunately, protection can be built into the hardware mechanisms that control efficient use of memory, so that solid protection can be provided at essentially no additional cost.
- Memory protection prevents one process from affecting the confidentiality, integrity or availability of another.

2.6.1 Approaches of Memory Protection

Fig. 2.6.1 : Memory protection approaches (Fence, Relocation, Base/Bound register, Paging)

1. Fixed Fence
- A fence is a method to confine users to one side of a boundary.
- In the fixed fence mechanism, there is a hardware address limitation : memory, the whole address range from 0 to high, is divided so that addresses 0 to n are used by the operating system and n+1 to high, the rest of the address range, is used by the user program space.
- The fence was a predefined memory address; the operating system resides on one side and the other side can be used by the user program space.

[Figure : fixed fence with an address limit register; addresses 0 to n operating system, n+1 to high user program space]

- This implementation was restrictive : the operating system always occupied a predefined amount of space, needed or not.
- Because of this drawback, another memory protection mechanism exists, i.e. the Variable Fence Register.

Variable Fence :
- A variable fence uses a hardware register, often called a fence register, containing the address of the end of the operating system.
- If operating system version 1 is used, then its address limit is 0 to n, and n+1 to high is used by the user program space.
- In another version of the operating system, 0 to p is used by the operating system and p+1 to the rest of the area is used by the user program.

Fig. 2.6.3 : Variable fence (address limit register; operating system 0 to n or 0 to p, remainder user program space)

- In contrast to a fixed fence, in this scheme the location of the fence could be changed.
- Each time a user program generated an address for data modification, the address was automatically compared with the fence address.
- If the address was greater than the fence address (i.e. in the user area), the instruction was executed; if it was less than the fence address (i.e. in the operating system area), an error condition was raised.
- A fence protects only in one direction. In other words, an operating system can be protected from a single user, but the fence cannot protect one user from another user.

2. Relocation
- Relocation is the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
- When we write the program, we assume that it starts at address 0, but when we execute it the addresses are changed to reflect the actual address, because the program is going to be loaded into memory and which area of memory it is loaded into is decided at the time of execution.
- In many instances, this effort merely entails adding a constant relocation factor to each address of the program.
- So every time a constant relocation factor is added to each address of the program.
- The relocation factor is the starting address of the memory assigned for the program.
- For example, if the memory address is 1000 and your program had locations 0, 1, 2, 3, then they have to be recomputed as 1000, 1001, 1002 and 1003 and so on till the program ends.
- The fence register can be a hardware relocation device. The contents of the fence register are added to each program address.
- This action both relocates the address and guarantees that no one can access a location lower than the fence address.
- The fence register provides a lower bound, i.e. a starting address, but not an upper one.
- The upper bound can be useful in knowing how much space is allotted and in checking for overflows into "forbidden" areas.

3. Base and Bounds Registers
- A major advantage of an operating system with fence registers is the ability to relocate. This characteristic is especially important in a multiuser environment. With two or more users, none can know in advance where a program will be loaded for execution.
- The relocation register solves the problem by providing a base or starting address. All addresses inside a program are offsets from that base address. A variable fence register is generally known as a base register. The fence register provides a lower bound but not an upper one.
- An upper bound can be useful in knowing how much space is allotted and in checking for overflows into "forbidden" areas. To overcome this difficulty, a second register is often added.

Fig. 2.6.4 : Base and bounds registers (addresses 0 to n operating system; user A, B and C spaces each delimited by a base register and a bounds register)

- From Fig. 2.6.4 we come to know that the space 0 to n is used by the operating system, which means the user area starts at n+1. User A has base n+1 and is bounded by its bounds register; user B's space follows; and user C's space runs from q+1 till the end of memory. For each user there is a base register and a bounds register.
- The second register, called a bounds register, is an upper address limit, in the same way that a base or fence register is a lower address limit.
- This technique protects a program's addresses from modification by another user.
- When execution changes from one user's program to another's, the operating system must change the contents of the base and bounds registers to reflect the true address space for that user when transferring control from one user to another.

What is the problem with base/bounds registers or relocation ?
i. The problem with using base/bounds registers for protection or relocation is their contiguous nature. Each pair of registers confines accesses to a consecutive range of addresses. A compiler or loader can easily rearrange a program so that all code sections are adjacent and all data sections are adjacent.
ii. In some cases some data values need to be protected but not all. A programmer may want to ensure the integrity of certain data values by allowing them to be written when the program is initialized but prohibiting the program from modifying them later.
iii. Base/bounds registers create an all-or-nothing situation for sharing; either a program makes all its data available to be accessed and modified or it prohibits access to all.
iv. Even if there were a third set of registers for shared data, all data would need to be located together. This solution would not be acceptable if the data items are large records, arrays or structures. So the solution is a tagged architecture.

4. Tagged Architecture
- A tagged architecture is one in which every word of machine memory has one or more extra bits to identify the access rights to that word.
- These access bits can be set only by OS instructions (privileged). The bits are tested every time an instruction accesses that location.
- For example :

  Tag   Memory word
  RW    3000
  R     1012
  X     4013

- One memory location may be protected as execute-only whereas another is protected for read-only data access and another is accessible for write.
- Two adjacent locations can have different access rights.

Advantages of tagged architecture :
- Different classes of data like character, numeric, pointer or address can be separated with a few extra bits.
- Can pick and choose what to protect and what not to.
- Minimum sharing for task completion.

Disadvantages of tagged architecture :
- Major changes to conventional operating systems are needed for implementation.
- Cost is more compared to other protection mechanisms.
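The base/bounds relocation check and the tagged-architecture access check described above, as an added example that is not part of the textbook: a small C model in which `relocate_or_fault` adds the base register to a program-relative address and faults when the result would cross the bounds register, and `tag_allows` tests a word's access bits on every reference. The memory layout (operating system in 0 to 999, user A at base 1000 with bounds 2000), the R/W/X tag encoding and all function names are assumptions made for the illustration; the three tagged words are the ones from the table above.

```c
/* Added example (not from the textbook): a software model of the
 * base/bounds relocation check and the tagged-architecture access check
 * described above. The memory layout, tag encoding and function names are
 * constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Base/bounds registers for one user's region. 'bounds' is exclusive. */
typedef struct {
    uint32_t base;
    uint32_t bounds;
} BaseBounds;

/* Relocate a program-relative address (written as if the program began at 0)
 * by adding the base register, and fault if the result would leave the
 * region. Returns the physical address, or -1 on a fault. */
long relocate_or_fault(const BaseBounds *bb, uint32_t offset)
{
    /* Compare the offset with the region size instead of computing
     * base + offset first: a huge offset would otherwise wrap around and
     * appear to be in range. */
    if (offset >= bb->bounds - bb->base)
        return -1;
    return (long)bb->base + offset;
}

/* Convenience wrapper taking the register values directly. */
long relocate_in(uint32_t base, uint32_t bounds, uint32_t offset)
{
    BaseBounds bb = { base, bounds };
    return relocate_or_fault(&bb, offset);
}

/* Tagged architecture: every word carries access bits next to its data. */
enum { TAG_R = 1, TAG_W = 2, TAG_X = 4 };

typedef struct {
    uint8_t  tag;   /* access rights, settable only by privileged code */
    uint32_t word;  /* the stored value                                */
} TaggedWord;

/* Hardware-style check performed on every access: the requested right(s)
 * must all be present in the word's tag. */
bool tag_allows(uint8_t tag, uint8_t want)
{
    return (tag & want) == want;
}

/* Setting a tag is a privileged instruction; 'privileged' models the CPU
 * mode. Returns false (attempt ignored) when user code tries it. */
bool tag_set(TaggedWord *w, uint8_t tag, bool privileged)
{
    if (!privileged)
        return false;
    w->tag = tag;
    return true;
}

/* Runs the scenarios from the text on the constructed layout and returns
 * the number of checks that did not behave as described, so 0 means every
 * protection held. */
int count_unexpected(void)
{
    int bad = 0;
    BaseBounds userA = { 1000, 2000 };

    if (relocate_or_fault(&userA, 3) != 1003)    bad++; /* 0,1,2,3 become 1000..1003 */
    if (relocate_or_fault(&userA, 999) != 1999)  bad++; /* last word of the region */
    if (relocate_or_fault(&userA, 1000) != -1)   bad++; /* one past the bounds register */
    if (relocate_or_fault(&userA, 0xFFFFFFF0u) != -1) bad++; /* wrap-around attempt */

    TaggedWord mem[3] = {
        { TAG_R | TAG_W, 3000 },   /* read/write data */
        { TAG_R,         1012 },   /* read-only data  */
        { TAG_X,         4013 },   /* execute-only    */
    };
    if (!tag_allows(mem[0].tag, TAG_W)) bad++;  /* writing RW data is fine */
    if (tag_allows(mem[1].tag, TAG_W))  bad++;  /* writing R data is refused */
    if (tag_allows(mem[2].tag, TAG_R))  bad++;  /* reading an X word is refused */
    if (tag_set(&mem[1], TAG_R | TAG_W, false)) bad++; /* user code cannot widen a tag */
    if (!tag_set(&mem[1], TAG_R | TAG_W, true)) bad++; /* the OS can */

    return bad;
}

int main(void)
{
    printf("checks that failed: %d\n", count_unexpected());
    return 0;
}
```

The size comparison in `relocate_or_fault` is the point worth copying: checking `base + offset < bounds` with fixed-width integers lets a large offset wrap past the end of the address space and land back inside the region, which is exactly the class of overflow into "forbidden" areas the bounds register exists to catch.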
5. Segmentation
- Segmentation divides a program into separate pieces. Each piece has a logical unity, exhibiting a relationship among all of its code or data values.
- For example, a segment may be the code of a single procedure, the data of an array, or the collection of all local data values used by a particular module.
- Segmentation allows a program to be divided into many pieces having different access rights.
- Each segment has a unique name. A code or data item within a segment is addressed as the pair <name, offset>, where name is the name of the segment containing the data item and offset is its location within the segment (its distance from the start of the segment).
- The operating system must maintain a table of segment names and their true addresses in memory.
- When a program generates an address of the form <name, offset>, the operating system looks up name in the segment directory and determines its real beginning memory address.
- To that address the OS adds offset, giving the true memory address of the code or data item.
- For efficiency there is only one OS segment table for each process in execution.
- Two processes that want to share access to a single segment would have the same segment name and address in their segment tables.
- This hiding of addresses has three advantages for the OS :
  o The OS can place any segment at any location or move any segment to any location, even after the program begins to execute. Because the OS translates all address references by a segment address table, it needs only to update the address in that one table when a segment is moved.
  o A segment can be removed from main memory (and stored on an auxiliary device) if it is not being used currently.
  o Every address reference passes through the operating system, so there is an opportunity to check each one for protection.
- The segment process uses both hardware and software.
- Segmentation offers these protective benefits :
  o Each address reference is checked for protection.
  o Many different classes of data items can be assigned different levels of protection.
  o Two or more users can share access to a segment, with potentially different access rights.
  o A user cannot generate an address or access to an unpermitted segment.

Fig. 2.6.6 : Segmentation (logical segments 0 to 3 mapped through the address mapping table into physical memory)

6. Paging
- Paging is an alternative to segmentation. It is a logical concept.
- Paging is used for faster access of data.
- Paging allows the physical address space of a process to be non-contiguous.
- Physical memory is divided into fixed size blocks called FRAMES.
- Logical memory is divided into blocks of the same size called PAGES.
- A frame has the same size as a page and is a place where a page (logical) can be placed (physically).

Fig. 2.6.7 : Page translation (process logical memory pages mapped through the MMU to physical memory frames)
- In a paging scheme, every address generated by the CPU is represented using two parts <page, offset>; here the higher-order part determines the page number and the lower-order part determines the offset into the page.
- The page number (p) is used as an index into a page table which contains the base address of each page in physical memory.
- The page offset (d) is combined with the base address to define the physical memory address that is sent to the memory unit.

Fig. 2.6.8 : Paging hardware (CPU, logical address <p, d>, page table, physical memory)

- For a given logical address space of 2^m and page size 2^n, the page number is used as an index into a Page Table.
- The page size is defined by the hardware. The size of a page is typically a power of 2, varying between 512 bytes and 16 MB per page.
- The OS maintains a table of user page numbers and their true addresses in memory. The page portion of the (page, offset) reference is converted to a page frame address by a table lookup. The offset portion is added to the page frame address to produce the real memory address of the object referred to as (page, offset).
- Fragmentation is not a problem in paging as all pages in the paging approach are of the same fixed size. Each page can fit in any available page frame in memory.

Access Control (Control of Access to General Objects)
Methods :
- Access control matrix
- Access Control List (ACL)
- Capabilities
We have already discussed all these methods in the previous chapter. Please refer to chapter 1 for the same.
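The two translations described above, the <name, offset> segment lookup and the <page, offset> page-table lookup, as an added example that is not part of the textbook. `seg_translate` walks a per-process segment table and refuses a reference when the segment is unknown, the offset runs past the segment's length, or the requested right is not granted, so that every reference is checked as the text describes; `page_translate` splits a logical address into page number and offset and rebuilds the physical address from the frame in the page table. The segment names, sizes and rights, the 4 KiB page size, the page-table contents and the function names are assumptions made for the illustration.

```c
/* Added example (not from the textbook): a software model of the
 * <name, offset> segment lookup and the <page, offset> page-table lookup
 * described above, including the protection checks made on every reference.
 * Segment names, sizes, rights, page size and the page table are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

enum { SEG_R = 1, SEG_W = 2, SEG_X = 4 };

/* One row of the per-process segment table. */
typedef struct {
    const char *name;   /* segment name used by the program  */
    uint32_t    base;   /* true starting address in memory   */
    uint32_t    length; /* size of the segment               */
    uint8_t     rights; /* what this process may do with it  */
} Segment;

/* Translate <name, offset> with the requested right. Returns the true
 * address, or -1 when the segment is unknown, the offset runs past its end,
 * or the right is not granted. Every reference goes through here. */
long seg_translate(const Segment *tbl, int n, const char *name,
                   uint32_t offset, uint8_t want)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(tbl[i].name, name) != 0) continue;
        if (offset >= tbl[i].length) return -1;        /* overflow out of the segment */
        if ((tbl[i].rights & want) != want) return -1; /* unpermitted access */
        return (long)tbl[i].base + offset;
    }
    return -1; /* no such segment: cannot address what is not in the table */
}

/* Paging: logical address = <page, offset>, page size 2^PAGE_BITS bytes. */
#define PAGE_BITS 12u                 /* 4 KiB pages (an assumption) */
#define PAGE_SIZE (1u << PAGE_BITS)

typedef struct {
    bool     present; /* frame currently in main memory       */
    uint32_t frame;   /* frame number this page is mapped to  */
} PageEntry;

/* Split a logical address into (page, offset), look the page up in the
 * page table and rebuild the physical address. -1 models a page fault for
 * an unmapped or out-of-range page. */
long page_translate(const PageEntry *pt, uint32_t npages, uint32_t logical)
{
    uint32_t page   = logical >> PAGE_BITS;       /* higher-order part */
    uint32_t offset = logical & (PAGE_SIZE - 1);  /* lower-order part  */
    if (page >= npages || !pt[page].present) return -1;
    return (long)(pt[page].frame << PAGE_BITS) + offset;
}

/* Constructed tables used by the demo and the checks below. */
static const Segment demo_segments[] = {
    { "code",   0x8000, 0x400, SEG_R | SEG_X }, /* procedure code: no writes   */
    { "array",  0xA000, 0x100, SEG_R | SEG_W }, /* data of an array            */
    { "shared", 0xC000, 0x200, SEG_R },         /* shared segment, read-only here */
};
static const PageEntry demo_pt[] = {
    { true, 5 }, { true, 2 }, { false, 0 }, { true, 9 },
};

long demo_seg(const char *name, uint32_t offset, uint8_t want)
{
    return seg_translate(demo_segments, 3, name, offset, want);
}

long demo_page(uint32_t logical)
{
    return page_translate(demo_pt, 4, logical);
}

int main(void)
{
    printf("<array,0x10> read   -> %ld\n", demo_seg("array", 0x10, SEG_R));       /* 0xA010 */
    printf("<code,0x10> write   -> %ld\n", demo_seg("code", 0x10, SEG_W));        /* -1 */
    printf("page 1, offset 0x34 -> %ld\n", demo_page((1u << PAGE_BITS) | 0x34)); /* 0x2034 */
    return 0;
}
```

The "shared" row shows the sharing benefit from the text: another process can hold the same segment in its own table with a different rights byte, so the same memory is writable for one process and read-only for the other without duplicating the data.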
2.7 File Protection Mechanism
- The protection of a file is mostly needed in a multi-user environment where a file is shared among several users.
- All multiuser operating systems must provide some minimal protection to keep one user from maliciously or inadvertently accessing or modifying the files of another.
- On a system which does not permit access to the files of other users, protection is not required.
- Two different forms of protection are :
  1. All or none protection : a user can read, modify or delete a file belonging to any other user or OS files.
  2. Group protection : identify groups of users, for example Windows.
     o A user is recognized by two identifiers : a user ID and a group ID.
     o A user cannot belong to two groups.
     o Forces one person to be multiple users.
     o Files can only be shared within groups.

2.7.1 Different File Protection Methods
1. Single Permissions
- Password or Token for each file :
  o Can be lost.
  o Inconvenient.
  o Must be protected; if changed, all users must be notified.
2. Temporary Acquired Permission
- UNIX's set userid (SUID) : the Unix operating system provides an interesting permission scheme based on a three-level user-group hierarchy.
- The UNIX designers added a permission called set userid (suid).
- If this protection is set for a file to be executed, the protection level is that of the file's owner, not the executor.
- For example, suppose Tom owns a file and allows Ann to execute it with suid. When Ann executes the file, she has the protection rights of Tom, not of herself.
- This mechanism is convenient for system functions that general users should be able to perform only in a prescribed way. For example, only the system should be able to modify the file of users' passwords, but individual users should be able to change their own password any time they wish.
- With the SUID feature, a password change program can be owned by the system, which therefore has full access to the system password table.
- The program to change passwords also has SUID protection, so that when a normal user executes it, the program can modify the password file in a carefully constrained way on behalf of the user.

3. Password or Other Token
- We can apply a simplified form of password protection to a file by allowing a user to assign a password to the file.
- User accesses are limited to those who can supply the correct password at the time the file is opened. The password can be required for any access or only for modification (write access).
- File passwords suffer from difficulties similar to those of authentication passwords : Loss, Use (supplying a password for each access to a file can be inconvenient and time consuming), Disclosure, and Revocation.

4. Per-Object and Per-User Protection
- The access control lists or access control matrices described in the earlier module provide very flexible protection.
- Their disadvantage is for the user who wants to allow access to many users and to many different data sets; such a user must still specify each data set to be accessed by each user.
- As a new user is added, that user's special access rights must be specified by all appropriate users who should have similar access to one or more data sets.

2.8 User Authentication
- Protection of the OS is mainly based on knowing who a user of the system is. Authentication mechanisms used in an OS are :

Use of passwords
- The most common authentication mechanism for user to OS is a password, a 'word' known to computer and user.
- Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.

Attacks on passwords :
- Here are some ways one might be able to determine a user's password :
  o Try all possible passwords.
  o Try many probable passwords.
  o Try passwords likely for the user.
  o Search for the system list of passwords.
  o Exhaustive attack or brute force attack.

Solutions to avoid these security issues with passwords :
- Password selection criteria : use varied characters, choose an unlikely password, avoid actual names or words, don't write it down, don't tell anyone else.
- One-time passwords : a one-time password is one that changes every time it is used. Instead of assigning a static phrase to a user, the system assigns a static mathematical function.
- Challenge-response systems : in this system, login requires a user ID and password, followed by a challenge-response interchange. In such an interchange, the system prompts the user for a reply that will be different each time the user logs in. Because there are many possible challenge functions, an attacker who captures a user ID and password cannot necessarily infer the proper function.

Authentication other than passwords
- Some sophisticated authentication devices are now available. These devices include handprint detectors, voice recognizers and identifiers of patterns in the retina. Authentication with such devices uses unforgeable physical characteristics to authenticate users. The cost continues to fall as these devices are adopted by major markets; the devices are useful in very high security situations.

2.9 Linux and Windows Vulnerability
- Most vulnerabilities are in applications.
- Some vulnerabilities are in the operating system.
- Linux vulnerabilities are very few in comparison with Windows OS.
- Default Linux installations (un-patched and unsecured) have been vulnerable to :
  o Buffer overflows
  o Race conditions
  o "SetUID root" problems
  o Trojan Horses
  o Terminal Troubles
  o Denial of Service (DoS)
  o Web application vulnerabilities
  o Rootkit attacks

1. SetUID root vulnerabilities
- A setuid root program is a root-owned program that runs as root no matter who executes it.
- Unprivileged users can gain access to unauthorized privileged resources.
- A setuid root program is sometimes necessary, for example to change a password.
- Distributions now do not ship with unnecessary setuid root programs; system attackers still scan for them.

2. Trojan horse
- Linux Trojan programs disguised as legitimate programs can use legitimate outbound ports. For example, Sheepshank uses port 80 HTTP GET (p214).
- Firewalls and IDSs cannot identify this traffic as malicious.
- It is easier to protect systems from already identified Trojan programs.
- Ex. Trojan, Linux, JBellZ, Remote Shell, Dextenea.
3. Rootkits
- Installed by an intruder with root access to the system.
- If successfully installed before detection, binary programs containing Trojans can be very difficult to find and remove.
- Originally began as collections of hacked commands.
- Now use Loadable Kernel Modules (LKMs) which intercept system calls in kernel-space and hide the attacker : hiding directories, processes.
- Even LKMs are not completely invisible; they may be detected with chkrootkit.
- Replace legitimate commands with Trojan programs. Ex. LRK5.

4. Web vulnerabilities
- A very broad category of vulnerabilities.
- A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly the hosting server.
- Once found, these vulnerabilities are then exploited to steal data, distribute malicious content, or inject defacement and spam content into the vulnerable site.
- When written in scripting languages, web applications can suffer from input code-injection attacks.
- Linux distributions ship with few "enabled-by-default" web applications. For example, default cgi scripts included with the Apache Web Server.

2.9.1 Windows Vulnerabilities
- Windows, like all other OS, has security bugs. Bugs have been exploited to compromise customer accounts.
- Many vulnerabilities have been published for the Windows operating system. Some of the common vulnerabilities in all versions of Windows are :
  o Remote Code Execution
  o Memory Corruption
  o SQL Injection
  o HTTP Response Splitting
  o Directory Traversal
  o CSRF
  o File inclusions
  o Password
  o Peer-to-peer file sharing
  o Vulnerabilities in embedded automation features in Microsoft Outlook and Outlook Express that can allow execution of rogue code.
  o DoS
  o Security update resolves several privately reported vulnerabilities in Microsoft ...

2.10 File System Security

A. Types of File Systems
- Disk file systems : FAT (File Allocation Table), NTFS, HFS (Hierarchical File System), ext2, ext3, ISO 9660, UDF.
- FAT (FAT12, FAT16, FAT32) and especially NTFS are primarily used on Windows operating systems. FAT is still used today as the standard file system for floppy drives.
- HFS is used by Mac OS, and ext2, ext3 are used on various Linux operating systems.
- ISO 9660 and UDF are used on optical media.

B. How does the file system handle security ?
- The file system is crucial to data integrity.
- The main method of protection is through access control.
- File system operations (ex. modifying or deleting a file) are controlled through access control lists or capabilities.
- Capabilities are more secure, so they tend to be used by operating systems on file systems like NTFS or ext3.
- The secondary method of protection is through the use of backup and recovery systems.

C. Attacks on the file system
1. Race Condition Attacks
- Occur when a process performs a sequence of operations on a file, under the assumption that they are executed atomically.
- Can be used by the attacker to change the characteristics of that file between two successive operations on it, resulting in the victim process operating on the modified file.
2. Using ADS to hide files
- Alternate Data Streams (ADS) allow multiple data streams to be attached to a single file.
- A file can be hidden behind a file as an attached stream that could be hundreds of megabytes in size; however a directory listing will only display the file's normal size.
3. Directory traversal
- An exploit caused by lack of sufficient security validation of user supplied input file names.
- For example, the attacker would pass ../../etc/passwd as input to retrieve the password file from the server.

D. How does the file system ensure data integrity ?
- There are various methods of protecting the files on a file system :
  o Access Controls
  o Encryption
  o RAID
  o Recovery when data is corrupted

2.10.1 Linux File System Security
- In Linux everything is a file.
- I/O to devices is via a "special" file. Example : /dev/cdrom points to /dev/hdb which is a special file.
- Have other special files like named pipes : a conduit between processes / programs.
- Since almost everything is a file, security is very important.

File permissions :
- Every file or folder in Linux has 3 types of access permissions : read (r), write (w), execute (x).
- Permission defined by 3 types of users :
  o Owner of file
  o Group that owner belongs to
  o Others
- Sticky Bit : used to cause a process to "stick" in memory, or to lock a file in memory; this usage is now obsolete.
  o Currently used on directories to suppress deletion of files that are owned by others. Other users cannot delete them even if they have write permissions.
- SetUID and SetGID :
  o setuid bit means the file when executed runs with the same permissions as the owner of the file.
  o setgid bit means the file when executed runs as a member of the group which owns it.
- SetUID and Directories :
  o setuid has no effect on directories.
  o setgid does, and causes any file created in a directory to inherit the directory's group.
  o Useful if users belong to other groups and routinely create files to be shared with other members of those groups.
2.10.2 Windows File System Security
- In Windows OS, NTFS is more secure as compared to FAT in the sense that there is a security descriptor attribute that defines the access rights and prevents unauthorized access to the file.
- An entire directory or any individual file can be compressed and encrypted transparently.
- Different security models are there in Windows :
  o Access Tokens : evidence that a user successfully logged in.
  o Security Descriptors : represent access rights of a logged-in user.
  o Object Manager : reads the security descriptor and passes the request to the Security Reference Monitor (SRM). SRM determines whether access is allowed.
- Security Features :
  o Prevents users from accessing higher nodes in the system.
  o Minimum password length and frequent changes.
  o Multiple levels of privilege, unlike UNIX.
  o Challenge-response scheme for authentication purposes during user log-on.
  o Auditing.
  o Active Directory, IP Security (IPSec), PKI.
Advanced System Security & Digital Forensics (MU) 3-2

Web Application Security

Syllabus :

OWASP, Web Security Considerations, User Authentication and Session Management, Cookies, SSL, HTTPS, SSH, Privacy on Web, Web Browser Attacks, Account Harvesting, Web Bugs, Clickjacking, Cross-Site Request Forgery, Session Hijacking and Management, Phishing and Pharming Techniques, Web Service Security.

3.1 OWASP

- OWASP stands for Open Web Application Security Project.

What is OWASP ?

- It is a worldwide free and open community focused on improving the security of application software.
- It promotes secure software development and is oriented to the delivery of web oriented services.
- It supports application security risk decision making.
- It is a free resource for any development team.
- It encourages developers for active participation and information sharing.
- OWASP provides free resources to the community :
  o Testing and Training Software
  o Publications, Articles, Standards
  o Local Chapters and Mailing Lists
- Non-profit, volunteer driven organization.
  o All work is donated by volunteers and sponsors
  o All members are volunteers
- Supported through sponsorships.
  o Corporate support through financial or project sponsorship
  o Personal sponsorships from members

What do they provide ?

- Publications
  o OWASP Top 10
  o OWASP Guides to Building / Testing Secure Web Applications
- Release Quality Tools / Documentation
  o WebGoat
  o WebScarab
- Beta and Alpha Quality Tools / Documentation
  o Beta Tools (16)
  o Alpha Tools (10)
- Local Chapters
  o Community Orientation

Fig. 3.1.1 : OWASP projects (figure; labels visible in the scan : Building, Testing, Chapters, WebScarab, Validation Project, Certification, Wiki, Blog)

- The ten most critical web application security vulnerabilities that are detected by OWASP are :
  1. Injection Flaws : SQL Injection, XPATH Injection, etc.
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Un-validated Redirects and Forwards

3.2 Web Security Consideration

- The World Wide Web is a client/server application running over the Internet and TCP/IP intranets.
- Web is now widely used by business, government and individuals, but the Internet and web are vulnerable.
- Web has a variety of threats :
  o Integrity
  o Confidentiality
  o Denial of service
  o Authentication
- Along with all the above issues of web security, the web presents new challenges :
  o The Internet is two way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the web is vulnerable to attacks on the Web servers over the Internet.
  o The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.
  o Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks.
- Different types of security threats faced in using the web are :

| Threats | Consequences | Countermeasures |
| Integrity : Modification of user data; Trojan horse browser; Modification of memory; Modification of message traffic in transit | Loss of information; Compromise of machine; Vulnerability to all other threats | Cryptographic checksums |
| Confidentiality : Eavesdropping on the Net; Theft of info from server; Theft of data from client; Info about network configuration; Info about which client talks to server | Loss of information; Loss of privacy | Encryption, web proxies |
| Denial of Service : Killing of user threads; Flooding machine with bogus requests; Filling up disk or memory; Isolating machine by DNS attacks | Disruptive; Annoying; Prevent user from getting work done | Difficult to prevent |
| Authentication : Impersonation of legitimate users; Data forgery | Misrepresentation of user; Belief that false information is valid | Cryptographic techniques |

3.3 User Authentication and Session Management

- Authentication : verification that an entity is who it claims to be.
- An authenticated session tracks the status of an identity supplied to the entity once they are authenticated, "logged in" to the system.
- A session identifier (ID) is created by an application server to track the state information about you once you signed on to a web account.
- Sessions are used by the application server on any subsequent request.
- Session IDs are a "key" to a portion of memory corresponding to the active user.
- In some applications the session is initiated once a user identifies / authenticates themselves. In other applications, the session is initiated even for anonymous users on the first page visit.
- Session IDs are typically passed between the browser and server in an HTTP cookie.
- The session ID is often all that is needed to prove authentication for the rest of the session.
- Session management is usually handled by the web framework, making it transparent to the developer.
- One of the fundamental ways of handling user login authentication and session management is by allocating session space plus setting some data in cookies on the client computer, while sometimes in a database as well.
- Following steps are involved in session management :
  o Start HTTPS, and deliver login form.
  o Submit credentials.
  o Create session, deliver cookie to user.
  o Exchange information.
  o Logoff or idle session timeout.
  o Invalidate session.

3.4 Cookies

- Cookies are small files that websites leave on your web browser.
- Cookies allow websites to remember a user's behaviours and preferences on a given website.
- Every time the user loads the website, the browser sends the cookie back to the server to notify the user's previous activity.
- It is used to remember stateful information or to record the user's browsing activity.
- They enable a lot of the features that web users like; for example, cookies are what allow a website to remember whether or not you are logged in with your user account.
- Cookies also allow shopping websites to remember what items have been placed in a user's shopping cart.
- A cookie consists of the following components :
  o Name
  o Value
  o Zero or more attributes
- Cookies are simple text files, so they cannot contain any code that would run a program and therefore they cannot execute malware infections on your computer.
- So cookies are a great convenience and they are malware free, but cookies have a downside too.
- One particular kind of cookie called a tracking cookie follows you around the web and shares the information with advertisers.
- Second problem with cookies is, if you forget to sign out, cookies can leave
- Also on unsecured wireless networks, eavesdroppers can sometimes learn your username or password from an intercepted cookie.
- Cookies last till the expiration time that can be set when the cookie is created.
- By default the cookie is destroyed when the current browser window is closed, but it can be made to persist for an arbitrary length of time after that.
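The session-management steps and the cookie structure (name, value, attributes) above, worked through as an added example that is not code from the book or from any framework. It assumes a cookie name of `SESSIONID` and a 15-minute idle timeout; the server-side store, the `Set-Cookie` builder with the `Secure` and `HttpOnly` attributes, and the `Cookie` header parser are all illustrative. The `walkthrough()` function drives the steps with a fake clock so the idle timeout and logoff invalidation can be observed without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before the session is dropped
SESSION_COOKIE = "SESSIONID"     # assumed cookie name (not taken from the text)


@dataclass
class Session:
    user: str
    last_seen: float
    data: Dict[str, str] = field(default_factory=dict)   # server-side session space


class SessionStore:
    """Server-side session space keyed by an unguessable session ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str) -> str:
        # 32 random bytes from the OS CSPRNG: the ID alone proves the login later
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_seen=self._clock())
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        """Return the live session for `sid`, expiring it on idle timeout."""
        if not sid or not sid.isascii():
            return None
        # compare against every stored ID in constant time to avoid timing leaks
        match = next((k for k in self._sessions if hmac.compare_digest(k, sid)), None)
        if match is None:
            return None
        sess = self._sessions[match]
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[match]          # idle session timeout -> invalidated
            return None
        sess.last_seen = now
        return sess

    def invalidate(self, sid: str) -> None:
        """Logoff: the ID must be unusable afterwards even if the cookie lingers."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: Optional[int] = None) -> str:
    """Build the Set-Cookie response header delivered after a successful login.

    Secure: sent only over HTTPS. HttpOnly: not readable from page scripts.
    SameSite=Strict: not attached to cross-site requests. Without Max-Age the
    cookie is a session cookie that the browser discards when it is closed.
    """
    attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "Secure", "HttpOnly", "SameSite=Strict"]
    if max_age is not None:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse the browser's Cookie request header into name -> value pairs."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def walkthrough() -> Dict[str, bool]:
    """Run the steps from the text with a fake clock so the timeout is observable."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")                                  # credentials accepted
    header = set_cookie_header(sid)                              # cookie delivered to user
    sent_back = parse_cookie_header(f"theme=dark; {SESSION_COOKIE}={sid}")
    live = store.lookup(sent_back.get(SESSION_COOKIE)) is not None   # exchange information
    now[0] += IDLE_TIMEOUT + 1
    expired = store.lookup(sid) is None                          # idle timeout
    sid2 = store.create("alice")
    store.invalidate(sid2)                                       # explicit logoff
    after_logoff = store.lookup(sid2) is None
    return {"cookie_flags_ok": "Secure" in header and "HttpOnly" in header,
            "live": live, "expired": expired, "after_logoff": after_logoff,
            "bogus_rejected": store.lookup("not-a-real-id") is None}
```

The two properties that matter for the hijacking and eavesdropping problems discussed later in the chapter are visible here: the ID is random rather than derived from the user, and the cookie is never sent in the clear (`Secure`) or exposed to page scripts (`HttpOnly`).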
Types of cookies :

- Tracking cookie
- Zombie cookie
- Session cookie
- HTTP only cookie
- Secure cookie
- Authentication cookie

Limitations of cookies :

- A single browser may only store 300 cookies.
- Browsers limit a single cookie to 4 KB.
- A given domain may only set 20 cookies per machine.

3.5 SSL and HTTPS

- Originally developed by Netscape to support encrypted access to web servers.
- It was developed by Netscape to allow sensitive or private information like credit card numbers to be transmitted over the public network, the Internet.
- SSLv1 was released in 1994, v2 was released in 1995 and v3 was released in 1996.
- Served as the basis for the IETF standard TLS (1999).
- Used by major financial institutions for secure commerce over the Internet.
- SSL is independent of the application layer protocol above it and can be used not only for encrypting Web traffic using HTTP but also mail or newsgroup traffic.
- The combination of HTTP running over SSL is known as HTTPS.
- SSL provides secure connections between web browsers and web servers.
- SSL encrypted HTTP (HTTPS) uses TCP port 443.
- SSL can be used to provide encryption for other protocols. For example : SMTP over SSL/TLS (SMTPS), IMAP over SSL/TLS (IMAPS), Post Office Protocol version 3 over SSL/TLS (POP3S).
- OpenSSL is a free version of Secure Socket Layer (SSL).
- SSL is designed to make use of TCP as a communication layer to provide a reliable end-to-end secure and authenticated connection between two points over a network (for example, between the service client and the server).
- Today almost each available HTTP server can support an SSL session, while almost all browsers are provided with SSL-enabled client software.

Goals of SSL :

1. The primary goal of the SSL protocol is to provide privacy between two communicating applications.
2. To provide reliability between two communicating applications.
3. Cryptographic security : that is, SSL should be used to establish a secure connection between two parties.
4. Interoperability : Independent programmers should be able to develop applications utilizing SSL that will then be able to successfully exchange cryptographic parameters without knowledge of one another's code.
5. Extensibility : SSL seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary. This will also accomplish two sub-goals : to prevent the need to create a new protocol and to avoid the need to implement an entire new security library.

Objectives of SSL :

- Authenticating the client and server to each other.
- Ensuring data integrity.
- Securing data privacy.

Fig. 3.5.1 : HTTP, no encryption (no SSL) : eavesdropping and message forgery possible. Fig. 3.5.2 : HTTPS, secure SSL connection : no eavesdropping, no message forgery. (figures)

3.5.1 SSL Architecture

- SSL is neither a network layer nor an application layer protocol; it is one that sits between the application and transport layer.
- Because of its position, SSL gives the client the ability to selectively apply security protection on individual applications, rather than set forth encryption for an entire group of applications.
- SSL protocol and its successor, the Transport Layer Security (TLS) Protocol, can be used to provide encryption of transmitted data.
- SSL is comprised of two main protocols :
  1. The Handshake Protocol
  2. The Record Layer Protocol
- Record Layer protocol is responsible for data encryption and integrity. It is also used to encapsulate data sent by other SSL protocols, and therefore it is also involved in the tasks associated with SSL check data. The record layer protocol also detects replayed, re-ordered and duplicate packets.
- The other three protocols, SSL Handshake, Cipher Change and SSL Alert protocols, cover the areas of session management, cryptographic parameter management and transfer of SSL messages between the client and the server.

1. The Handshake Protocol

- The handshake protocol constitutes the most complex part of the SSL protocol. It is used to initiate a session between the server and the client. Within the messages of this protocol, various components such as algorithms and keys used for data encryption are negotiated. Due to this protocol, it is possible to authenticate the parties to each other and negotiate appropriate parameters of the session between them.
- The process of negotiations between the client and the server is illustrated in Fig. 3.5.3.
- It can be divided into 4 phases separated with horizontal broken lines.

Fig. 3.5.3 : SSL Handshake Protocol (figure). Phase 1 : Establish security capabilities (Client hello, Server hello). Phase 2 : Server authentication and key exchange (Certificate, Server key exchange, Certificate request, Server done). Phase 3 : Client authentication and key exchange. Phase 4 : Finish.

Phase 1 :

- During the first phase, a logical connection must be initiated between the client and the server, and the connection parameters negotiated. The client sends the server a client_hello message containing data such as :
  o Version : The highest SSL version supported by the client.
  o Random Data : consisting of a 32-bit timestamp and 28 bytes of randomly generated data. This data is used to protect the key exchange session between the parties of the connection.
  o Session ID : A number that defines the session identifier. A non-zero value of this field indicates that the client wishes to update the parameters of an existing connection or establish a new connection on this session. A zero value in this field indicates that the client wishes to establish a new connection.
  o CipherSuite : A list of encryption algorithms and key exchange methods supported by the client.
- The server, in response to the client_hello message, sends a server_hello message containing the same set of fields as the client message, placing the following data :
  o Version : the lowest version of the SSL protocol supported by the server.
  o Random data : the same fashion as used by the client, but the data generated is completely independent.
  o Session ID : if the client field was non-zero, the same value is sent back; otherwise the server's session ID field contains the value for a new session.
  o CipherSuite : the server uses this field to send a single set of protocols selected by the server from those proposed by the client. The first element of this field is a chosen method of exchange of cryptographic keys between the client and the server. The next element is the specification of encryption algorithms and hash functions, which will be used within the session being initiated, along with all specific parameters.
- The set of encryption algorithms and key exchange method sent in the CipherSuite field establishes 3 components :
  1. The method of key exchange between the server and client.
  2. The encryption algorithm for data encryption purposes.
  3. A function used for obtaining the MAC value.

Phase 2 :

- The server communicates its certificate to the client. On receipt of the certificate, the client checks the owner's name / URL and validity period. It also verifies the signature of the CA on the certificate. Successful verification of these fields does not guarantee the authenticity of the sender.
- The server's certificate is repeatedly transmitted over the internet in the clear and can be easily obtained.
- Authentication of the server only occurs at the end of Phase 4.

Phase 3 :

- The client chooses a pre-master secret, a 48-byte random number. The pre-master secret is encrypted with the server's public key and sent to the server in the Client_Key_Exchange message.
- Therefore, both client and server compute the master secret. This is the HMAC style function f of the pre-master secret, the two nonces exchanged in Phase 1 and some pre-defined constants.

Phase 4 :

- This step involves the exchange of two messages in each direction. The first of these is the Change_Cipher_spec message. The party that sends this message signals that from now on the cipher suite just negotiated and the keys just computed will be used. The second message in this phase is "finished". This message includes a keyed hash on the concatenation of all the handshake messages in the preceding phases plus a pre-defined constant. The keyed hash serves as an integrity check on the previous handshake exchange.
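Phases 1, 3 and 4 above, simulated as an added example that is not code from the book and is not a real SSL/TLS implementation. The hello `Random` field (32-bit timestamp plus 28 random bytes), the 48-byte pre-master secret, the "HMAC style function f" that produces the master secret, and the keyed hash in the `finished` message are each written out; the HMAC-SHA256 expansion used for f and the `"master secret"` / `"client finished"` labels are assumptions of this example, not the exact constants of SSLv3. The public-key encryption of phase 3 is outside the example, so the pre-master secret is assumed to reach the server intact. The `tamper` flag shows what the `finished` hash is for: if an on-path party altered the client's CipherSuite list, the two sides hash different transcripts and the check fails.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import List


def hello_random() -> bytes:
    """32-byte Random field of a hello: 32-bit timestamp + 28 random bytes."""
    return struct.pack(">I", int(time.time()) & 0xFFFFFFFF) + os.urandom(28)


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion (assumed shape of the 'HMAC style function f')."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret = f(pre-master secret, both nonces, a fixed constant)."""
    if len(pre_master) != 48:
        raise ValueError("pre-master secret must be 48 bytes")
    return p_hash(pre_master, b"master secret" + client_random + server_random, 48)


def finished_mac(master: bytes, transcript: List[bytes], sender: bytes) -> bytes:
    """Keyed hash over the concatenation of all handshake messages seen so far plus
    a pre-defined sender constant; the peer recomputes it to verify the exchange."""
    return hmac.new(master, sender + b"".join(transcript), hashlib.sha256).digest()


def simulate(tamper: bool = False) -> bool:
    """Run phases 1, 3 and 4 on both sides and return whether Finished verifies.

    With tamper=True an on-path party replaces the CipherSuite list the server
    receives (a downgrade attempt), so the server's transcript differs from the
    client's and the keyed hash no longer matches.
    """
    # Phase 1 (constructed sample fields): version, Random, session ID, suites
    client_hello = b"\x03\x00" + hello_random() + b"\x00" + b"\x00\x2f\x00\x35"
    seen_by_server = client_hello if not tamper else client_hello[:-4] + b"\x00\x04\x00\x04"
    server_hello = b"\x03\x00" + hello_random() + b"\x01" + b"\x00\x2f"
    client_random, server_random = client_hello[2:34], server_hello[2:34]

    # Phase 3: the client picks a 48-byte pre-master secret; both derive the master secret
    pre_master = os.urandom(48)
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)

    # Phase 4: each side keys the hash over the transcript it actually saw
    client_finished = finished_mac(client_master, [client_hello, server_hello], b"client finished")
    expected_by_server = finished_mac(server_master, [seen_by_server, server_hello], b"client finished")
    return hmac.compare_digest(client_finished, expected_by_server)


if __name__ == "__main__":
    print("honest handshake verifies:", simulate())
    print("tampered handshake verifies:", simulate(tamper=True))
```

Because the master secret depends on both nonces, a recorded handshake cannot be replayed against a fresh session either: the server's new Random changes every derived value.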
2. The SSL Record Protocol

- The purpose of the SSL Record protocol is to take an application message to be transmitted, fragment the data which needs to be sent, encapsulate it with appropriate headers and create an object called a record, which is encrypted and can be forwarded for sending under the TCP protocol.
- It is a 5 byte frame (1st 3 bytes are header) :
  1. 1st byte : protocol indicator
  2. 2nd byte : major version of SSL
  3. 3rd byte : minor version of SSL
  Last 2 bytes indicate the length of data inside the frame, up to 2^14 bytes.
- Further, the data inside the frame is fragmented, compressed, a MAC value is added and then it is encrypted.

Fig. : SSL Record Protocol (figure). Application Data -> Fragment -> Compress (optionally) -> Add MAC -> Encrypt -> Append SSL Record Header.

3. The SSL Alert Protocol

- The Alert protocol is used by parties to convey session messages associated with data exchange and functioning of the protocol.
- Each message in the alert protocol consists of 2 bytes. The first byte always takes a value, "warning" (1) or "fatal" (2), that determines the severity of the message sent. Sending a message having a "fatal" status by either party will result in an immediate termination of the SSL session.
- The next byte of the message contains one of the defined error codes, which may occur during an SSL communication session.

Fig. : SSL Alert Protocol (figure). Byte 1 : severity (warning = 1, fatal = 2); byte 2 : type of error.

4. The ChangeCipherSpec Protocol

- This protocol is the simplest SSL protocol. It consists of a single message that carries the value of 1.
- The sole purpose of this message is to cause the pending session state to be established as a fixed state, which results, for example, in defining the used set of protocols.
- This type of message must be sent by the client to the server and vice versa. After the exchange of messages, the session state is considered agreed. This message and any other SSL message are transferred using the SSL record protocol.
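The Record and Alert protocols above, worked as an added example that is not the book's code and not a real SSL/TLS implementation: it fragments application data at 2^14 bytes, adds a MAC, encrypts, and prepends the 5-byte header (type, major, minor, 2-byte length), then reverses the steps and checks the MAC. The cipher is a toy HMAC-counter keystream that only exists to show the MAC-then-encrypt ordering, and the content-type and version byte values are assumptions of the example. The MAC covers an implicit sequence number, which is how a replayed record is rejected; `demo()` replays the first record under a later sequence number to show the check firing, and frames a 2-byte fatal alert.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

MAX_FRAGMENT = 2 ** 14             # the 2^14-byte fragment limit from the text
CT_ALERT, CT_APPLICATION = 21, 23  # content-type byte values (assumed for the demo)
MAJOR, MINOR = 3, 0                # SSL 3.0 version bytes (assumed for the demo)
MAC_LEN = 32                       # HMAC-SHA256 output


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy HMAC-counter keystream standing in for the negotiated bulk cipher.
    Not a real cipher: it exists only to show the MAC-then-encrypt ordering."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def record_mac(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    # The MAC binds the implicit sequence number, type, version and length to the
    # fragment, which is how replayed, re-ordered and duplicate records are caught.
    header = struct.pack(">BBBH", content_type, MAJOR, MINOR, len(fragment))
    return hmac.new(mac_key, struct.pack(">Q", seq) + header + fragment, hashlib.sha256).digest()


def build_records(content_type: int, data: bytes, mac_key: bytes, enc_key: bytes, seq: int = 0) -> List[bytes]:
    """Fragment -> (compression skipped) -> add MAC -> encrypt -> prepend 5-byte header."""
    records = []
    for off in range(0, max(len(data), 1), MAX_FRAGMENT):
        fragment = data[off:off + MAX_FRAGMENT]
        body = fragment + record_mac(mac_key, seq, content_type, fragment)
        ciphertext = xor(body, keystream(enc_key, seq, len(body)))
        # header: protocol indicator, major version, minor version, 2-byte length
        records.append(struct.pack(">BBBH", content_type, MAJOR, MINOR, len(ciphertext)) + ciphertext)
        seq += 1
    return records


def open_record(record: bytes, mac_key: bytes, enc_key: bytes, seq: int) -> Tuple[int, bytes]:
    """Check the header, decrypt, verify the MAC; raise ValueError on any problem."""
    if len(record) < 5 + MAC_LEN:
        raise ValueError("record too short")
    content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
    if (major, minor) != (MAJOR, MINOR) or len(record) != 5 + length or length < MAC_LEN:
        raise ValueError("bad record header")
    body = xor(record[5:], keystream(enc_key, seq, length))
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, record_mac(mac_key, seq, content_type, fragment)):
        raise ValueError("MAC check failed")
    return content_type, fragment


def alert_message(fatal: bool, description: int) -> bytes:
    """2-byte Alert payload: severity (1 = warning, 2 = fatal) then the error code."""
    return bytes([2 if fatal else 1, description & 0xFF])


def demo() -> Dict[str, object]:
    mac_key, enc_key = b"m" * 32, b"e" * 32              # constructed demo keys
    data = b"GET / HTTP/1.1\r\n" * 2500                  # 40,000 bytes -> 3 records
    recs = build_records(CT_APPLICATION, data, mac_key, enc_key)
    recovered = b"".join(open_record(r, mac_key, enc_key, i)[1] for i, r in enumerate(recs))
    try:
        open_record(recs[0], mac_key, enc_key, seq=1)   # first record replayed later
        replay_detected = False
    except ValueError:
        replay_detected = True
    fatal_alert = build_records(CT_ALERT, alert_message(True, 40), mac_key, enc_key, seq=3)
    return {"records": len(recs), "roundtrip": recovered == data,
            "replay_detected": replay_detected, "alert_len": len(fatal_alert[0])}
```

The alert record is 5 header bytes plus the 2-byte alert plus the MAC, which is why even a tiny alert carries a fixed integrity cost; a receiver that sees a fatal alert tears the session down as the text describes.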
3.6 SSH

- Secure Shell (SSH) is a network protocol for securing data that flows between a client and a server over a public network such as the internet.
- When a client connects to a server, it needs to be verified so the transaction can be considered secure.
- SSH uses encryption to protect login names and passwords while authenticating.
- Use of SSH is to provide a strongly encrypted connection to a remote server in order to gain shell or command-line access on that server, to transfer files between the client and server, or to remotely execute commands.
- SSH has a powerful capability called port forwarding. SSH has file transfer capabilities. The advantage of using SSH instead of FTP is that FTP establishes two connections, one for control information and another connection for data transfer, whereas SSH only needs a single connection for all control functions and data transfer.
- SSH-1 was designed in 1995 by Tatu Ylönen. Latest version of SSH is SSH3.
- SSH is a secure alternative to Telnet. Uses TCP port 22.
- It is a suite of 4 utilities : ssh, slogin, sftp and scp.
- Current implementations are :
  o OpenSSH : common on UNIX systems
  o SSH Tectia : commercial implementation
  o PuTTY : client only, Windows
  o MindTerm : client only, Java applet
- One of the methods to authenticate is by cryptographic keys. After the server successfully authenticates the client, it provides encrypted file transfer between the client and the server.
- Another useful application of SSH is the ability to securely execute system commands and programs from a remote location.
- Utilities used to login through a network in a Unix environment are telnet, rlogin, rcp, rsh. But the problem is that the user's name and password are transmitted as clear text. Data transmission after login is also in clear text. This problem is overcome using the SSH protocol.
- SSH supports secure remote login, secure file transfer and secure remote command execution.

How SSH works ?

1. The client initiates the connection by sending a request to the TCP port of the SSH server.
2. Server reveals its SSH protocol version to the client.
3. Client and server decide whether their versions are compatible; if they are, the connection proceeds.
4. SSH server sends the following to the client : host key, supported authentication methods, and a sequence of eight check bytes.
5. Client checks the identity of the server by using the host key against its known hosts database.
6. Client generates a session key and double encrypts it.
7. Client sends the encrypted session key along with the check bytes and the acceptable algorithm.
8. Server then decrypts the encrypted session key.
9. Server sends a confirmation encrypted with this session key.
10. Client receives the confirmation.
11. Server confirms client authorization.
12. Server generates a 256 bit random challenge, encrypts it with the client's public key and sends it to the client.
13. Client decrypts the challenge, hashes it with the session identifier (commonly a random string generated at the beginning of the session) and sends the hash value to the server.
14. Server generates the hash; if both match, the client is authenticated.

3.7 Privacy on Web

- Web browsing habits are tracked via cookies, search engines routinely change their privacy policies and there are always challenges to web privacy.
- Common privacy issues for web privacy are tracking the user, surveillance and identity theft.

Solutions to protect privacy on web :

1. Clean up search history

- Most web browsers keep track of every single web site you type into the address bar. This web history should be periodically cleared out, not only for privacy's sake but also to keep your computer system running at top speed.

2. Secure your web browser

- Your browser is the main program you use to go online, so make sure that you take the necessary steps to secure it. After all,  cybercriminals can take advantage of loopholes in browsers to access the personal data on your device.

3. Log out of search engines and websites when you're finished

- Most search engines these days require you to create an account and log in to access the full array of their services, including search results. In order to best protect your privacy, it's always a good idea to log out of your account after executing your web searches.
- In addition, many browsers and search engines have an auto-complete feature that suggests endings for whatever word you might be typing in.

4. Avoid unnecessary forms online - Don't give out too much information

- A good web safety rule of thumb is to avoid filling out forms that require personal information, in order to keep anything from being entered into the public, searchable record, i.e. web results.
- One of the best ways to get around companies getting your personal information is to use a disposable email account, one that you don't use for personal or professional contacts.

5. Watch what you are downloading

- Be extremely cautious when downloading anything (software, books, music, videos, etc.) from the web.
- This is a good idea for privacy advocates to avoid being tracked online, but it's also a great way to keep your computer from freezing up and malfunctioning.
- Be very cautious when surfing the web and downloading files; some programs include adware that will report your surfing habits back to a third-party company that will then use that information to send you ads and unwanted emails, otherwise known as spam.

6. Using services without reading their terms and conditions

- Never click "agree" until you understand what you're getting yourself into. You wouldn't want to legally grant companies and service providers access to all kinds of data, which they may then sell to the highest bidder.

7. Guard your private information

- Before sharing anything online, on a blog, website, message board, or social networking site, be sure it's not something you would mind sharing in real life. Don't share information that could identify you in public.
- Keep identifying details, like usernames, passwords, first and last names, addresses, and phone numbers, to yourself.
- Your email address should be kept as private as possible because an email address can be used to track other identifying information.
8. Use caution on social media sites

- It's important to make sure that your privacy settings are set appropriately and that what you share on social networking sites would not reveal anything of a personal or financial nature.

9. Delete cookies at browser exit

- You should delete cookies regularly as they're used by websites, advertisers, and other third-parties to track you online.

10. Protect your computer and mobile devices

- Keeping your computer safe from harmful content on the web is simple with a few precautions, such as a firewall, appropriate updates to your existing software programs (this ensures that all security protocols are kept up to date) and antivirus programs.

11. Keep your software up-to-date

- If you leave vulnerabilities in your software, chances are that the attacker will exploit them. Keep your Operating system, browser, as well as other software like Adobe Flash and Java up to date to ensure that you don't miss out on new features and security fixes.

3.8 Web Browser Attacks

Web browser attacks are typical of Web-based applications in general. The attacks can be summarized as follows :

1. Hijacking : This is a man-in-the-middle attack in which the attacker takes over the session.
2. Replay : This is a man-in-the-middle attack in which sent data is repeated (replayed), leading to various results.
3. Spread of malcode (viruses, worms and others) : The scripting nature of web browsers makes them
4. Browser cache : Obtaining sensitive information from the cache stored by browsers.
5. Running dangerous executables on the host : In some cases, the browser may permit executables to run on the host workstation. This can be very risky.
6. Back and refresh attack : Obtaining credentials and other sensitive data by using the Back button and Refresh feature of the browser.
7. Accessing host files : Certain attacks allow the browser to send files to an attacker. These files may contain personal information, such as banking data, or system information such as passwords.
8. Browser history : Sensitive information may be disclosed through the URL from the browser's history.
9. Theft of private information : Browsers are at risk of disclosing sensitive information to strangers on the Internet. This information may be used in identity theft or to conduct a social engineering attack.

A. Hijacking attack

- Typically a "Man in the Middle" attack on a session.
- The attacker captures the TCP establishment, the session sequence numbers, network identification data and parameters.
- The attacker modifies the captured traffic to allow the attacker to take the place of the client.
- Attacker takes the legitimate user offline (usually with a DOS attack) and then takes over that user's session.
- All future traffic in the session is now channeled between the web server and the attacker.
- Attacker concentrates on taking over session oriented applications like HTTP, FTP and Telnet.
- The hijacking is usually done after the legitimate user has authenticated to the web server. Therefore, the attacker does not have to re-authenticate (usually for the remainder of the session). In this way, the attacker bypasses one of the major security features of the Web-based session, the initial authentication.
- The hijacking attack exploits a weak method of maintaining state. If the attacker can understand how state is maintained, they may be able to inject themselves into the middle of the session by presenting a valid state.
- One typically weak method of maintaining state is using cookie data to maintain state. In this method, the user is initially authenticated (usually with a user id and password). If the authentication is successful, the Web server sends a session cookie to the user's browser. Now every time the browser hits that same web server (presumably during the same session), the user does not need to enter the password; rather the cookie re-authenticates for the user.
  1. A valid user does some web activity that results in their acquiring a Cookie.
  2. The Cookie is stolen or captured by an attacker.
  3. The Cookie is transmitted with the attacker's attempt to access the application. The Cookie authenticates the attacker as a valid user. The attacker gets access to the application.

Types of session hijacking :

- Passive Attack : An attacker hijacks the session but just sits back and watches and records all of the traffic. Used to find out passwords and source code.
- Active Attack : It forces the user offline, takes over the session and executes commands.
- Hybrid Attack : Starts out passive and then becomes active. Watch a session and periodically inject data into the active session without actually taking it over.

Protection against session hijacking :

- Use encryption
- Use a secure protocol - SSH or SSL
- Limit incoming connections
- Minimize remote access
- Implement strong authentication methods

B. Replay attack

- A replay attack occurs when an unauthorized user captures network traffic and then sends the communication to its original destination, acting as the original sender.
- For Ex. Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice provides. Meanwhile, Eve is eavesdropping on the conversation and keeps the password. After the interchange is over, Eve connects to Bob; when asked for a proof of identity, Eve sends Alice's password read from the last session, which Bob accepts, thus granting access to Eve.
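The two replay countermeasures the text goes on to describe under Prevention (timestamps with sequence numbers, and a one-time session token that Alice transforms with her password) are implemented below as an added example; it is not code from the book. `ReplayFilter` is Bob's packet check: a packet is accepted only if its timestamp is within a freshness window (30 seconds is an assumption of the example) and its sequence number has not been seen. `TokenLogin` is Bob's login side: the token is drawn from the OS random source, the transform is HMAC of the token under the password, and each token is consumed on first use, so the value Eve captured from Alice's session is useless against the different token Bob issues next time. The password store is a plain dictionary for the demo only; a real server keeps a password hash.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Set

FRESHNESS_WINDOW = 30.0     # seconds a timestamped packet stays acceptable (assumed)


class ReplayFilter:
    """Accept a packet only if its timestamp is fresh and its sequence number is new."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._seen: Set[int] = set()

    def accept(self, timestamp: float, seq: int) -> bool:
        if abs(self._clock() - timestamp) > FRESHNESS_WINDOW:
            return False                       # stale timestamp: packet discarded
        if seq in self._seen:
            return False                       # same sequence number again: a replay
        self._seen.add(seq)
        return True


class TokenLogin:
    """Bob's side of the one-time token login described in the text."""

    def __init__(self):
        self._passwords: Dict[str, str] = {}   # demo only; a real server stores hashes
        self._pending: Dict[str, bytes] = {}

    def register(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def challenge(self, user: str) -> bytes:
        # Random token: future tokens cannot be predicted from earlier ones
        token = secrets.token_bytes(16)
        self._pending[user] = token
        return token

    @staticmethod
    def transform(password: str, token: bytes) -> bytes:
        """Alice's computation: keyed hash of the token under the password."""
        return hmac.new(password.encode(), token, hashlib.sha256).digest()

    def verify(self, user: str, response: bytes) -> bool:
        token = self._pending.pop(user, None)  # each token is usable exactly once
        if token is None or user not in self._passwords:
            return False
        expected = self.transform(self._passwords[user], token)
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Replay a packet and replay a captured login response; both must fail."""
    now = [10_000.0]
    rf = ReplayFilter(clock=lambda: now[0])
    first = rf.accept(timestamp=now[0], seq=7)
    replayed = rf.accept(timestamp=now[0], seq=7)          # same packet sent again
    now[0] += FRESHNESS_WINDOW + 5
    stale = rf.accept(timestamp=10_000.0, seq=8)           # old timestamp, new seq

    bob = TokenLogin()
    bob.register("alice", "correct horse")                 # constructed credentials
    token = bob.challenge("alice")
    alice_response = TokenLogin.transform("correct horse", token)
    eve_capture = alice_response                            # Eve records this value
    alice_ok = bob.verify("alice", alice_response)
    bob.challenge("alice")                                  # new session: new token
    eve_ok = bob.verify("alice", eve_capture)               # captured value no longer matches
    return {"first": first, "replayed": replayed, "stale": stale,
            "alice_ok": alice_ok, "eve_ok": eve_ok}
```

Two details decide whether the scheme holds up: the token must come from a cryptographic random source (otherwise Eve can predict the next one, as the text warns), and the server must discard a token after one use, or a fast replay within the same session would still succeed.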
Advanced System Security & Digital Forensics (MU) __3-16
i ios (MU) WW ttn sccuay
Advanced System Security & Digital Forensi uo) Investigative searching
numbers.
Prevention ment timestamps and seq uence p
fet . . j Pieces of information posted on the Internet are rarely forgotten (even years after being identified
by vane search
you can imp! in the appropriate tim estamp o | a site, attackers will often harvest user names
Toprevent replay attacks from succeed
ing,
contain the approp! engine). As a form of reconnaissance against Web sites
only network packets that
— to
— This allows authentication system to acceP be || search for e-mail addresses.
e-mail new
sequence number. . Simple searching on the partial e-mail address @engg.coll.edu.in quickly turns up over a dozen
packet iIss discarded Stroup
tain time then the postings which each provide a unique user
name that can be used in an attack.
p is beyond a cer
— If the timestam attac! kissessio
n tokens.
| place e-mail addresses and sen. e information in the comments Web Pages,
of countermeasure replay send the result to Bob, In addition, Web administrators often
One more technique

the pi assword and ammunition against a site.
Alice, which Alice uses to transform which can provide an attacker with additional
— Bob sends a one-time token to mi atch, the login is successful. =
tation; if and only if both values
— — Onhis side Bob performs the same compu Bob sends a different session token Faulty authorization
another session;
this value and tries to use it on nt harvesting or, even worse, impersonat
ion.
Now suppose Eve has captured Mistakes in authorization can lead to accou
— be different from Bob's computation.
and when Eve replies with the captured value, it will used to gain or upgrade access to a Web
site.
Otherwise Eve may be able to pose as Bob, presenting some Improperly implemented tokens can be
— — Session tokens should be chosen by a random process.
use that token in her transformation.
predicted future tokens and convince Alice to Web Bugs
C. Browser parasites

- A browser parasite is a program that changes some settings in your browser. The parasite can have many effects on the browser, such as the following :
  o Browser plugin parasites may add a button or link add-on to the user's browser. When the user clicks the button or the link, information about the user is sent to the plugin's owner. This can be a privacy concern.
  o Browser parasites may change a user's start page or search page. The new page may be a "pay-per-click site," where the owner of the browser parasite earns money for every click.
  o Browser parasites may transmit the names of the sites the user visits to the owner of the parasite. This can be used to formulate a more directed attack on the user.
- A typical browser parasite is W97M_SPY.A. Once installed, this parasite hides from the user and stays resident in the background. This spyware macro program originated in France. It collects the contact list and then sends the information to a hacker's e-mail address.

3.9 Account Harvesting

- It is the process of collecting all the legitimate account names on a system.
- It is also called Credential Harvesting.
- It is the use of MITM attacks, DNS poisoning, phishing and other vectors to amass large numbers of credentials (username/password combinations) for reuse.

3.10 Web Bugs

- A web bug is a small, usually transparent image added by an advertiser to a web page (to track its popularity) or to an e-mail message (to track when it is read).
- It is a graphic (in a web site or a graphic-enabled e-mail) that can confirm when the message or web page is viewed and record the IP address of the viewer.
- Web bugs are often used by spammers to validate e-mail addresses.
- Web bugs can provide :
  o The IP address of the computer that opens the image within the Web site, e-mail, or word processing document.
  o The time the computer opened the image.
  o How often a message is being forwarded and read.
  o The type of browser that the user opened the image with.
  o Any previous cookies for that site.
- When a user visits a website, some parts, such as images and videos, may come from other sites.
- Some of these pieces (invisible pictures) come from advertising networks. Who can tell when you are visiting more than one site in their network?
- This data may also be sold or shared with others.

3.11 Clickjacking

- Clickjacking is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on.
- It is the technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly harmless web pages.
- The click on the link executes the attacker's code.
- Example : a user might receive an e-mail with a link to a video about a news item, but underneath the play button of the news video another valid page, say a product page on amazon.com, can be hidden. The user tries to play the video but actually buys the product from Amazon.
- On an authenticated website that is accessed by a user, a clickable region will be chosen by an attacker and attacked using the iFrame feature of HTML.


- A malicious website will load a page from the target site in an iFrame that is transparent and layered on top of another element on the site.
- A hacker can embed an iFrame : <iframe src="http://spoof.com" style="opacity:0.0"></iframe>
- The HTML opacity attribute defines how visible an element is as a fraction : 1.0 = completely visible, 0.0 = completely invisible. It is used to hide the target element and make another element sit flat under the target element.

Prevention mechanism

- Prevent the page from being displayed in an iFrame.
- Allow clicks only on elements that are visible.
- Add the NoScript add-on to Firefox; its ClearClick feature keeps clients from clicking on hidden or transparent elements.

3.12 Cross-Site Request Forgery

Fig. 3.12.1 : Cross-site script (XSS). The hacker injects a script into the web site; the client retrieves the compromised page contents and unknowingly executes the script.

- CSRF forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
- CSRF occurs when an authenticated user unknowingly initiates a request. The request is handled as if it were intentional, usually without the user being aware.
- CSRF attacks are difficult to detect because they are executed from the user's IP address : the request is executed in the context of the victim, and the attacker is essentially given all of the user's privileges.
- XSS facilitates CSRF via "Link Injection".

Example :

- A hacker posts to a message board a message containing an image tag.
- An unsuspecting user logs into yourbank.com and authenticates.
- The user then visits said message board.
- A request is issued from the victim's browser to the bank's website.
- The bank's website transfers the user's money to the hacker's account.

Prevention

- Add a secondary authentication mechanism, such as an impossible-to-guess token.
- Require a confirmation page before executing potentially dangerous actions.
- Eliminate XSS vulnerabilities.
- Use POST as your form action and only accept POST requests on the server for sensitive data; an image-tag CSRF request will then fail, since the parameter is in the URL and not in the post body. Note that this only stops the simplest attack : a page under the attacker's control can still auto-submit a POST form in the victim's browser, so the unguessable token is the real defence.

3.13 Session Hijacking and Management

- Session : A s sequence of requests and responses from one browser to one or more sites.
- A session can be long or short.
- Without session management, users would have to constantly re-authenticate.

Fig. 3.13.1 : Session management (client, web container, servlet; each client's requests are matched to its own session, e.g. id=123 and id=134).

3.13.1 Session Management

- HTTP is a stateless protocol. A request and response are independent. But sometimes we need to keep track of a user's activity across multiple requests.
- Each time the user sends a request to the server, the server treats it as a new request. So we need to maintain the state of a user in order to recognize a particular user.
- For example, when a user logs into any website, his credentials stay with the server until he logs out. This is creating a session.
- Session management is a mechanism for tracking the client-provided data and making it available to the next request from the same client. This process continues until the user chooses to log out or the session is terminated.
- Session management is a mechanism that servlets use to maintain state about a series of requests from the same user across some period of time.
- Example : In a shopping cart application a client keeps on adding items into his cart using multiple requests. Whenever a request is made, the server should identify in which client's cart the item is to be added. So in this scenario, there is a definite need for session tracking.
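The server-side defences for the clickjacking (3.11) and CSRF (3.12) attacks described above, and the per-user session state that 3.13.1 says the server must keep, in one small handler. This is an added example, not code from the original text: the request and response dictionaries, the function names and the use of both X-Frame-Options and a CSP frame-ancestors directive are assumptions made for this illustration.

```python
"""Anti-framing response headers plus a per-session synchronizer token for
state-changing requests. Added example; the request dictionary shape
{"method", "query", "form"} is a construction for this illustration."""
import hmac
import secrets

# Both headers are set: older browsers honour only X-Frame-Options, newer ones prefer CSP.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def new_session():
    """A freshly authenticated session: random id plus a random CSRF token bound to it."""
    return {"id": secrets.token_urlsafe(32), "csrf": secrets.token_urlsafe(32)}


def render_transfer_form(session):
    """The bank's own form carries the token as a hidden field. A page on another
    origin cannot read it, so a forged form cannot include the right value."""
    return (
        '<form method="POST" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="{}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    ).format(session["csrf"])


def check_request(request, session):
    """Decide whether a sensitive (state-changing) request may proceed."""
    if request.get("method") != "POST":
        return False, "sensitive actions require POST"      # an <img> tag can only GET
    if request.get("query"):
        return False, "parameters in the URL are rejected for sensitive actions"
    sent = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf"]):
        return False, "missing or wrong CSRF token"          # auto-submitted forged form
    return True, "ok"


def protected_headers(extra=None):
    """Every response gets the anti-framing headers, so the site cannot be iFramed."""
    headers = dict(ANTI_FRAMING_HEADERS)
    headers.update(extra or {})
    return headers


def demo():
    session = new_session()
    legit = {"method": "POST", "form": {"csrf_token": session["csrf"], "to": "bob", "amount": "10"}}
    img_tag = {"method": "GET", "query": {"to": "hacker", "amount": "1000"}}
    forged_post = {"method": "POST", "form": {"to": "hacker", "amount": "1000"}}
    other = new_session()   # a token from the attacker's own session is not the victim's
    stolen = {"method": "POST", "form": {"csrf_token": other["csrf"], "to": "hacker", "amount": "1000"}}
    return {
        "legit": check_request(legit, session)[0],
        "img_tag": check_request(img_tag, session)[0],
        "forged_post": check_request(forged_post, session)[0],
        "other_sessions_token": check_request(stolen, session)[0],
        "frame_denied": protected_headers()["X-Frame-Options"] == "DENY",
        "form_carries_token": session["csrf"] in render_transfer_form(session),
    }


if __name__ == "__main__":
    print(demo())
```

The token is compared with hmac.compare_digest so that a timing side channel cannot be used to guess it byte by byte.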
- There are different techniques used for session tracking :
  1. HttpSession
  2. Cookies
  3. URL Rewriting
  4. Hidden form fields
  5. Session tracking API

1. HttpSession

- To store an entire session with a specific user, the HttpSession object is used.
- We can store, retrieve and remove attributes from the HttpSession object.
- Any servlet can have access to the HttpSession object through the getSession() method of the HttpServletRequest object.
- When the getSession() method is called, it returns a session object of the user to the servlet.

Fig. 3.13.2 : (1.1) first request; (1.2) the container creates a unique session id; (2.2) a second client gets its own unique session id.

- A servlet can either store or read user data using that session object.
- Whenever a client requests for the first time to any server, the Web Container generates a unique session ID and gives it back to the client with the response. This is a temporary session created by the web container.
- With each request, the client sends back the session ID. It is easier for the web container to identify where the request is coming from.
- The Web Container matches this ID with the stored session ID and associates the session with the request.

2. Cookies

- Cookies are small text files that websites leave on your web browser.
- Cookies allow websites to remember a user's behaviour and preferences over time.
- Every time the user loads the website, the browser sends the cookie back to the server to notify it of the user's previous activity.
- It is used to remember stateful information or to record the user's browsing activity.
- One major shortcoming of using cookies : if the client has turned off cookies, or the browser will not allow saving cookies, then the server cannot save the client state.
- In the Servlet API, the Cookie class is used to create cookies, and the addCookie() and getCookies() methods are used to send cookie information and to access the cookies respectively.

3. URL Rewriting

- It is a complete session tracking method. This method is used with browsers that do not support cookies or where the user has disabled cookies.

Fig. 3.13.3 : www.example.com?id=123&user=To

- The web container will fetch the extra part of the requested URL and use it for session management.

4. Hidden Form Fields

- One of the oldest methods of session management.
- When the client submits the form to the server, the hidden fields are used to store client state and to identify the client.
- It is easy to implement, as only a simple HTML input field of type hidden is required.

Fig. 3.13.4 : HTML form with a hidden field

3.13.2 Session Hijacking

- Session Hijacking : The hacker masquerades as another user by stealing the user's session id (usually via XSS).
- It is typically a "Man in the Middle" attack. It is also known as cookie hijacking and is the exploitation of a valid computer session.
- Session hijacking occurs when an HTTP session is observed and captured by a network sniffer.
- Here the attacker gets in the middle of a session and actually captures the information going back and forth, including the TCP establishment, the session sequence numbers, network identification data and port numbers, all kinds of parameters.
- The attacker modifies the captured traffic to allow the attacker to take the place of the client.
- The attacker takes the legitimate user offline (usually with a DoS attack) and then takes over that user's session.
- All future traffic in the session is now channeled between the web server and the attacker.
- The attacker concentrates on taking over session-oriented applications like HTTP, FTP and Telnet.
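The session-id theft described in 3.13.2, played out against a session store that applies the usual countermeasures: ids drawn from a CSPRNG so they cannot be predicted, idle and absolute timeouts, rotation of the id after login, and server-side invalidation on logout. This is an added example, not code from the original text; the SessionStore class, its method names and the 15-minute / 8-hour timeouts are assumptions made for this illustration.

```python
"""Session lifecycle with anti-hijacking controls. Added example; SessionStore
and the timeout values are this illustration's assumptions."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumption: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: no session lives longer than 8 hours


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}

    def create(self, user, now=None):
        """Issue a fresh id: 32 random bytes from the OS CSPRNG, so it cannot be guessed."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a presented id, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)   # expired: forget it, so a stolen id dies with it
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid, now=None):
        """Replace the id after a privilege change (e.g. login), so an id sniffed
        or planted before login is useless afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        return self.create(s["user"], now=now)

    def revoke(self, sid):
        """Logout: the server forgets the session, not just the browser."""
        return self._sessions.pop(sid, None) is not None


def hijack_scenario():
    """Steps 1-3 of the cookie-theft attack, showing where each control bites."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    out = {}
    # 1. Alice does some web activity and acquires a cookie (the session id).
    sid = store.create("alice", now=t0)
    # 2. Eve captures the cookie with a sniffer. 3. Eve presents it. Inside the idle
    #    window it works, which is why the id must only ever travel over TLS.
    out["eve_within_window"] = store.lookup(sid, now=t0 + 60) == "alice"
    # The same stolen id after the idle timeout has elapsed is rejected.
    out["eve_after_idle"] = store.lookup(sid, now=t0 + 60 + IDLE_TIMEOUT + 1) is None
    # Rotation: an id captured before login is dead after login.
    pre_login = store.create("bob", now=t0)
    post_login = store.rotate(pre_login, now=t0 + 5)
    out["old_id_after_rotation"] = store.lookup(pre_login, now=t0 + 10) is None
    out["new_id_after_rotation"] = store.lookup(post_login, now=t0 + 10) == "bob"
    # Logout revokes server-side, so replaying the cookie afterwards fails.
    store.revoke(post_login)
    out["after_logout"] = store.lookup(post_login, now=t0 + 20) is None
    return out


if __name__ == "__main__":
    print(hijack_scenario())
```

Note what the store cannot do: inside the idle window a captured id is indistinguishable from the real client. Timeouts and rotation shrink the attacker's opportunity; only encryption of the channel (SSL/TLS, SSH) removes the sniffer.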


- The hijacking is usually done after the legitimate user has authenticated to the Web server. Therefore, the attacker does not have to re-authenticate (usually for the remainder of the session). In this way, the attacker bypasses one of the major security features of Web-based authentication.
- The hijacking attack exploits a weak method of maintaining valid state. If the attacker can understand how state is maintained, they may be able to inject themselves into the middle of the session by presenting a valid state.
- One typically weak method of maintaining state is using cookie data. In this method, the user is initially authenticated (usually with a userid and password). If the authentication is successful, the Web server sends a session cookie to the user's browser. Now every time the browser hits that same web server (presumably during the same session), the user does not need to enter the password; rather, the cookie re-authenticates for the user.
  1. A valid user does some web activity that results in their acquiring a cookie.
  2. The cookie is stolen or captured by an attacker.
  3. The cookie is transmitted with the attacker's attempt to access the application. The cookie authenticates the attacker as a valid user. The attacker gets access to the application.

Types of Session Hijacking

1. Passive Attack : An attacker hijacks the session but just sits back and watches and records all of the traffic. Used to find out passwords and source code.
2. Active Attack : It forces the user offline, takes over the session and executes commands.
3. Hybrid Attack : Starts out passive and then becomes active. Watch a session and periodically inject data into the active session without actually taking it over.

Protection against session hijacking

- Use best practices in session management
- Use secure randomly generated session keys to make prediction impossible
- Use reasonable session timeouts
- Use encryption
- Use a secure protocol : SSH or SSL
- Limit incoming connections
- Minimize remote access
- Implement strong authentication methods

Applications of Session Management

- Enables the application to uniquely identify a given user across a number of different requests
- Authorize the user once
- All subsequent requests are tied to the user

3.14 Phishing and Pharming Techniques

- Phishing is the practice of using fraudulent e-mails to steal information or gain access to a company's network.
- The attacker is able to obtain confidential information in order to commit identity theft by convincing the victim to provide that information to a fake website.
- An attacker would send a fraudulent e-mail to the victim, and the message would appear to be from a legitimate company.
- The victim then may be convinced to click on a link to a website which again appears to be legitimate, from a legitimate company; there they are convinced to provide confidential information.
- Phishers target large groups of random people with phony mass mailings that look like they originated from a bank, the IRS, carriers such as UPS or FedEx, and social media sites like Facebook or LinkedIn.

Types of phishing

1. Spear phishing 2. Voice phishing (Vishing) 3. Smishing

1. Spear phishing : Refers to a directed attack against a specific organization, such as a bank. It is done to gain unauthorized access to specific, critical information. These attacks use malware-infected attachments or malicious links that compromise computers.
2. Voice phishing : Uses a phone call instead of an e-mail, but the scam is the same. Someone pretends to be an official from a legitimate organization and tricks the target into giving up confidential information.
3. Smishing : Uses the Short Messaging Service or SMS, which is commonly known as text messaging. The scam involves a fake text message that directs the victim to a website that looks harmless but is actually malicious. The site requests personal information, which could lead to identity theft. This site may also try to install malware on your smart phone.

Prevention

- Spam filters
- Users should check e-mail addresses

3.14.1 Pharming Techniques

- Pharming is yet another way hackers attempt to manipulate users on the Internet. While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to false websites without them even knowing it.
- Pharming is a type of cyberattack where the user of a legitimate website is redirected to a fake website which looks to be legitimate, and they are then convinced to provide confidential information to the fake website.
- One way that pharming takes place is via an e-mail virus that poisons a user's local DNS cache. It does this by modifying the DNS entries or the hosts file. For example, instead of having the IP address 121.32.2.14 direct to www.example.com, it may direct to another website determined by the hacker.
- Pharmers can also poison entire DNS servers, which means any user that uses the affected DNS server will be redirected to the wrong website. Fortunately, most DNS servers have security features to protect them against such attacks.
- So if you visit a certain website and it appears to be significantly different from what you expected, you may be the victim of pharming.

Prevention

- Restart your computer to reset your DNS entries, run an antivirus, then try connecting to the website again. If the website still looks strange, contact your ISP and let them know their DNS server may have been pharmed.
- Also inspect the local hosts file for entries that override well-known domains, since a restart does not undo those.
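A check for the local form of pharming described in 3.14.1: entries in the hosts file that redirect well-known names to an attacker's address, and resolver answers that disagree with the addresses you expect. This is an added example, not code from the original text; the hosts-file content, the watchlist of names with their expected addresses and the resolver answers are all constructed for the illustration (the addresses are documentation ranges, not real hosts).

```python
"""Detect hosts-file overrides and unexpected resolver answers for a watchlist
of names. Added example; SAMPLE_HOSTS, EXPECTED and the answers in demo()
are constructed data."""
import ipaddress

# Assumption for the example: what the operator expects these names to resolve to.
EXPECTED = {
    "www.example.com": {"121.32.2.14"},
    "online.bank.example": {"203.0.113.10", "203.0.113.11"},
}

# Constructed hosts file: a normal loopback line, a comment, and injected entries.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# added by "update" from a phishing mail
198.51.100.77   www.example.com example.com
203.0.113.10    online.bank.example
not-an-address  something
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line: not an address
        for name in names:
            yield ip, name.lower()


def find_hosts_overrides(hosts_text, expected=EXPECTED):
    """Watchlisted names whose hosts-file mapping is not one of the expected addresses."""
    return [(name, ip) for ip, name in parse_hosts(hosts_text)
            if name in expected and ip not in expected[name]]


def check_resolution(answers, expected=EXPECTED):
    """Compare resolver answers {name: [ip, ...]} with expectations; return mismatches.
    In practice the answers would come from socket.getaddrinfo; here the caller supplies them."""
    mismatches = {}
    for name, addrs in answers.items():
        if name in expected:
            bad = sorted(set(addrs) - expected[name])
            if bad:
                mismatches[name] = bad
    return mismatches


def demo():
    # Constructed resolver answers: the bank name comes back from a poisoned cache.
    answers = {"www.example.com": ["121.32.2.14"],
               "online.bank.example": ["198.51.100.77"]}
    return {"hosts_overrides": find_hosts_overrides(SAMPLE_HOSTS),
            "dns_mismatches": check_resolution(answers)}


if __name__ == "__main__":
    print(demo())
```

A hosts-file override beats any DNS answer, so the two checks are complementary: the first catches the e-mail-virus case on the page, the second the poisoned-server case.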
What is a web service ?

- The web was originally designed to give users access to resources hosted on the Internet. Many of the applications, such as Internet banking, involved human-to-program interaction.
- Web services build on the communications infrastructure that was created earlier and use it for computer-to-computer interaction.
- Using web services, two different applications can talk to each other and exchange information/data.
- The World Wide Web Consortium defines a web service as "A software system identified by a URI whose public interfaces and bindings are defined and described using XML. Its definition can be discovered by other software systems. These systems may then interact with the web service in a manner prescribed by its definition using XML-based messages conveyed by Internet protocols."
- It enables communication between applications over the web by providing a standard protocol for communication.
- For Ex. : makemytrip.com. Here the makemytrip website has to communicate with other websites like Air India, GoAir, Jet Airways etc. to get the flight details. This requires computer-to-computer interaction, and it is possible using the concept of web services. In the example, all the airlines expose their web services through an interface and makemytrip.com uses those web services to communicate with the airlines.
- Web services are an architectural paradigm for implementing loosely coupled applications.
- Loosely coupled applications need standards for the specifications of the service and for transferring messages; there has to be a way for documents to be delivered, and users have to be able to find the services on offer.
- The standards / technologies constituting the foundations of web services are :
  1. HTTP for message transfer.
  2. XML for encoding documents.
  3. SOAP (Simple Object Access Protocol) for encoding messages and defining message patterns.
  4. WSDL (Web Services Description Language) for describing services.
  5. UDDI (Universal Description, Discovery and Integration) for describing service directories, and publishing and retrieving service descriptions.
- When deploying a web services project, security is one of the most important issues that needs to be addressed.
- Distributed applications have to protect data in transit and in the end systems. Standards for encrypting and signing documents are needed, and communicating parties have to agree on the cryptographic protection applied to exchanges.

Why do you need web service security ?

- Protect consumer data (in the previous example, all the airlines' data that they have shared with makemytrip.com should not be misused by any unauthorized party or person).
- Prevent unauthorized access.
- Maintain data integrity.
- Increase adoption of the service.

3.15.1 Web Services Security Architecture

Fig. 3.15.1 : Web services security stack : WS-SecureConversation, WS-Authorization and WS-Trust layered above WS-Security, which sits on the SOAP foundation.

- To address the specific security requirements of web services, a number of standards have been developed, like WS-Security, WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation and WS-Authorization, as shown in the above diagram.
- The most important of these is WS-Security, which describes how to attach signature and encryption headers to SOAP messages, and how to attach security tokens such as X.509 certificates and Kerberos tickets. It includes the standards :
  i. XML Encryption
  ii. XML Signatures
  iii. Tokens
  iv. SAML
- WS-Policy describes the capabilities and constraints of the security and business policies on intermediaries and endpoints.
- WS-Trust provides a framework for creating various kinds of trust relationships between communicating entities, web services and requesters.
- WS-Privacy is a model for how web services and requesters state privacy preferences and organizational privacy practice statements.
- WS-SecureConversation creates a secure session, which is analogous to the security association in IPsec or an SSL connection. It manages and authenticates message exchanges between parties, including security context exchange and establishing and deriving session keys.
- WS-Federation helps create trust relationships across multiple trust domains.
- WS-Authorization manages authorization data and authorization policy.
- Most of these standards have appeared since 2002 and some have undergone several revisions to date. The principal players in developing the standards are W3C, IETF and OASIS.
- We discuss some of these standards in the following modules.

WS-Security

It includes the standards :
  i. XML Encryption
  ii. XML Signatures
  iii. Tokens
  iv. SAML

i. XML Encryption

- The XML Encryption standard was developed by W3C in 2002. It defines XML elements for representing encrypted data and the keys used for encryption.
- It allows encryption at different levels of granularity :
  1. An entire document, or
  2. A complete XML element within the document, or
  3. The content of an XML element.
- The standard permits any combination of elements within the body and/or the header of a SOAP message to require a decryption key to read the document. Different parts of the document may require different keys to decrypt.
- When encrypting an XML element or element content, the <EncryptedData> element is used to represent the encrypted element or element content :

  <EncryptedData>
    <EncryptionMethod/>?
    <KeyInfo>...</KeyInfo>?
    <CipherData>...</CipherData>
  </EncryptedData>

Example : Encrypted elements in the body of a SOAP message

Before encryption :

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5867</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>

After encrypting the content of the <Number> element :

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
          Type='http://www.w3.org/2001/04/xmlenc#Content'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>

Fig. 3.15.3

- The actual cipher text of each encrypted element is enclosed in a <CipherData> sub-element.

ii. XML Signature

- The XML Signature standard was developed jointly by W3C and IETF in 2002.
- It is used to provide integrity, signature assurance and non-repudiation.
- It specifies the syntax for signatures and signature keys while offering a rich set of options for signing XML documents.
- For example, parts of a document can be signed by an entity. One or more intermediaries may attach their signatures to the document. Two entities may sign overlapping or disjoint parts of the document.
- Like a standard RSA signature, an XML signature involves computing the hash of the signed data followed by a signing operation with the signer's private key (for RSA this is often described as "encrypting" the hash).
- Just like XML Encryption, different parts of the document may have different signatures associated with them.
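The XML Signature mechanism described above, built and verified end to end: the signed data is canonicalized and digested into a <Reference>, the <SignedInfo> that holds the digest is itself canonicalized and signed, and verification repeats both steps. This is an added example, not code from the original text. Its assumptions: the signature method is HMAC-SHA256 (a symmetric method the xmldsig family defines, chosen so the block runs with the standard library; a real deployment would use RSA or ECDSA with a <KeyInfo>), canonicalization uses Python's built-in C14N 2.0 rather than the C14N 1.0/1.1 named in the XML-DSig examples, the <Reference> URI "#payment" is notional, and the payment document is the one from the XML Encryption example above.

```python
"""Minimal detached XML Signature over one element (HMAC-SHA256, C14N 2.0).
Added example; the key, the URI "#payment" and the helper names are this
illustration's assumptions."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/2006/12/xml-c14n2"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
ET.register_namespace("", DSIG_NS)   # serialize dsig elements with a default namespace

PAYMENT = (
    "<PaymentInfo xmlns='http://example.org/paymentv2'>"
    "<Name>John Smith</Name>"
    "<CreditCard Limit='5,000' Currency='USD'><Number>4019 2445 0277 5867</Number>"
    "<Issuer>Example Bank</Issuer><Expiration>04/02</Expiration></CreditCard>"
    "</PaymentInfo>"
)


def canonical(xml_text):
    """Canonicalize so attribute order, quoting and whitespace cannot change the digest."""
    return ET.canonicalize(xml_data=xml_text, strip_text=True).encode()


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signed_info(reference_uri, digest_value):
    return (
        '<SignedInfo xmlns="{ns}"><CanonicalizationMethod Algorithm="{c14n}"/>'
        '<SignatureMethod Algorithm="{sig}"/><Reference URI="{uri}">'
        '<DigestMethod Algorithm="{dig}"/><DigestValue>{dv}</DigestValue>'
        '</Reference></SignedInfo>'
    ).format(ns=DSIG_NS, c14n=C14N, sig=SIG_ALG, uri=reference_uri, dig=DIGEST_ALG, dv=digest_value)


def sign(document_xml, key, reference_uri="#payment"):
    """Return a detached <Signature> element covering document_xml."""
    signed_info = build_signed_info(reference_uri, digest_b64(canonical(document_xml)))
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    return '<Signature xmlns="{}">{}<SignatureValue>{}</SignatureValue></Signature>'.format(
        DSIG_NS, signed_info, base64.b64encode(mac).decode())


def verify(document_xml, signature_xml, key):
    """Two checks, both required: the MAC over SignedInfo, then the Reference digest."""
    ns = {"ds": DSIG_NS}
    sig = ET.fromstring(signature_xml)
    signed_info = sig.find("ds:SignedInfo", ns)
    signed_info_xml = ET.tostring(signed_info, encoding="unicode")
    expected_mac = hmac.new(key, canonical(signed_info_xml), hashlib.sha256).digest()
    got_mac = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=ns))
    if not hmac.compare_digest(expected_mac, got_mac):
        return False       # SignedInfo, and so the digest list, was altered or key is wrong
    claimed = signed_info.findtext("ds:Reference/ds:DigestValue", namespaces=ns)
    return hmac.compare_digest(claimed, digest_b64(canonical(document_xml)))


def demo():
    key = b"shared-secret-for-the-example"
    signature = sign(PAYMENT, key)
    tampered = PAYMENT.replace("5,000", "50,000")
    return {
        "valid": verify(PAYMENT, signature, key),
        "tampered_document": verify(tampered, signature, key),
        "wrong_key": verify(PAYMENT, signature, b"other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The order in verify() matters: the MAC is checked before the digest is trusted, because the DigestValue is only meaningful once SignedInfo is known to be the signer's.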
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod>
      <DigestValue>
    </Reference>)+
  </SignedInfo>
  <SignatureValue>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>

XML Signature Syntax

- The syntax was developed by the W3C mainly on a concept called canonicalisation, which standardizes data formats and compensates for typographical variations in the same piece of data when it is handled by different file systems and parsers.
- XML Signatures rely heavily on canonicalisation. When a signature is applied to XML content, canonicalisation creates a unique signature using the data and tags in the XML content. This ensures that by applying the same canonicalisation method to the received message content, data integrity can be verified.

Example :

<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

iii. WS-Security Tokens

- Tokens are used to help the receiver of the message identify and verify the sender.
- Security tokens provide a mechanism for conveying security information with a SOAP message, and the token is described in XML.
- The following security tokens are supported :
  i. Username Tokens : used as a means to identify the requestor by "username", and optionally using a password to authenticate a SOAP message.
  ii. X.509 Tokens : uses an X.509 digital certificate to help identify a key with a SOAP message that has been encrypted.
  iii. SAML (Security Assertion Markup Language) Tokens : used to secure SOAP messages and SOAP exchanges with the help of SAML assertions that bind the subjects (e.g. the sender) and the statements of the assertions to a SOAP message with an XML signature. Three general kinds of assertion statements can be used : authentication, authorization and attribute. These three statements are used at various times in an application to determine who the requester is, what they are requesting, and whether or not their request has been granted. In addition, SAML assertions enable the preservation of security restrictions across different security domains.
  iv. Kerberos Tokens : used to allow a service to authenticate the Kerberos ticket and interoperate within existing Kerberos domains.
  v. Rights Expression Language (REL) Tokens : used to implement message-level integrity and confidentiality using Rights Expressions as defined in ISO/IEC 21000-5.

Username Token Syntax

<UsernameToken Id="...">
  <Username>...</Username>
  <Password Type="...">...</Password>
</UsernameToken>

Example :

<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>XYZ</wsse:Username>
    <wsse:Password>123456</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

- The example above carries the password in clear text (the PasswordText type), so the message must travel over TLS. WS-Security also defines a PasswordDigest type, computed over a nonce, a creation timestamp and the password, so that the password itself is never sent and a captured header cannot be replayed.

iv. SAML

- This we have already learned in the previous module. It is developed by OASIS.
- It is an XML framework for exchanging authentication and authorization information.
- SAML assertions (an assertion is a declaration of a fact) :
  o Authentication
  o Authorization
  o Attribute
- SAML is used for :
  o Authorization service
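A UsernameToken using the PasswordDigest form mentioned above, on both sides: the client builds the header with a fresh nonce and Created time, and the service recomputes Base64(SHA-1(nonce + created + password)) as the OASIS UsernameToken Profile specifies, rejecting stale timestamps and reused nonces. This is an added example, not code from the original text; the user XYZ with password 123456 is taken from the page's example, while the 5-minute freshness window, the in-memory nonce cache and the class and function names are assumptions made for this illustration.

```python
"""WS-Security UsernameToken with PasswordDigest, built and verified.
Added example; FRESHNESS, USERS and TokenVerifier are this illustration's
assumptions; the namespace URIs are the OASIS WSS 1.0 ones."""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
FRESHNESS = timedelta(minutes=5)      # assumption: how old a Created value may be
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

USERS = {"XYZ": "123456"}             # constructed credential store for the example


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)); nonce is raw bytes, not its base64 form."""
    material = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def build_token(username, password, now=None):
    """Client side: a <wsse:Security> header carrying a digest token."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)
    return (
        '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"><wsse:UsernameToken>'
        '<wsse:Username>{u}</wsse:Username>'
        '<wsse:Password Type="{t}">{d}</wsse:Password>'
        '<wsse:Nonce>{n}</wsse:Nonce><wsu:Created>{c}</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security>'
    ).format(wsse=WSSE, wsu=WSU, u=username, t=DIGEST_TYPE,
             d=password_digest(nonce, created, password),
             n=base64.b64encode(nonce).decode(), c=created)


class TokenVerifier:
    """Service side: knows the passwords, remembers nonces it has accepted."""

    def __init__(self, users):
        self._users = users
        self._seen_nonces = set()   # replay cache; in production bounded by FRESHNESS

    def verify(self, security_xml, now=None):
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE, "wsu": WSU}
        tok = ET.fromstring(security_xml).find("wsse:UsernameToken", ns)
        user = tok.findtext("wsse:Username", namespaces=ns)
        pw = tok.find("wsse:Password", ns)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=ns)
        created = tok.findtext("wsu:Created", namespaces=ns)
        if pw is None or pw.get("Type") != DIGEST_TYPE or user not in self._users:
            return False, "unsupported password type or unknown user"
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > FRESHNESS:
            return False, "Created outside freshness window"
        if nonce_b64 in self._seen_nonces:
            return False, "nonce already used (replay)"
        expected = password_digest(base64.b64decode(nonce_b64), created, self._users[user])
        if not secrets.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self._seen_nonces.add(nonce_b64)
        return True, "ok"


def demo():
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = TokenVerifier(USERS)
    token = build_token("XYZ", "123456", now=t0)
    return {
        "fresh": verifier.verify(token, now=t0 + timedelta(seconds=30))[0],
        "replayed": verifier.verify(token, now=t0 + timedelta(seconds=31))[0],
        "stale": verifier.verify(build_token("XYZ", "123456", now=t0),
                                 now=t0 + timedelta(minutes=10))[0],
        "wrong_password": verifier.verify(build_token("XYZ", "654321", now=t0),
                                          now=t0 + timedelta(seconds=5))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The digest still depends on the server holding the password in a form it can feed to SHA-1, which is the usual objection to PasswordDigest; it protects the wire, not the credential store.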
  o Single sign-on (SSO)
  o Distributed transactions

Examples :

<saml:Assertion ...>
  <saml:AuthenticationStatement
      AuthenticationMethod="password"
      AuthenticationInstant="2010-02">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="mycompany.com" Name="ABCD"/>
      <saml:ConfirmationMethod>...</saml:ConfirmationMethod>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>

The issuing authority asserts that subject S was authenticated by the stated method at the stated instant.

Fig. 3.15.4 : Authentication Statement (used for SSO) using SAML

<saml:Assertion ...>
  <saml:AuthorizationStatement Resource="http://mycompany.com/em">
    <saml:Subject>...</saml:Subject>
    <saml:Actions Namespace="http://...">
      <saml:Action>Read</saml:Action>
    </saml:Actions>
  </saml:AuthorizationStatement>
</saml:Assertion>

An issuing authority decides whether to grant the request by subject S for the stated action on the stated resource.

Fig. 3.15.5 : Authorization Statement using SAML

3.16 OAuth 2.0

- OAuth provides to clients a "secure delegated access" to server resources on behalf of a resource owner. It allows an end user's account information to be used by third-party services, such as Facebook or Google, without exposing the user's password.
- It is effectively a process that says : I don't know who you are, but I trust this other provider, like Facebook or Google, and it will tell me what you're allowed to do.
- For Ex. You have a Google account; however, you are accessing a bank statement, so the bank statement site asks you to provide a Google account and you get redirected to the Google page, and from there Google asks you whether you want to authorize your bank to receive information about you. This is what happens through OAuth.

Why is it important ? How does it work ?

Fig. 3.16.1 : OAuth working flow. (1) The client sends an authorization request to the resource owner; (2) the resource owner returns an authorization grant; (3) the client presents the grant to the authorization server; (4) the authorization server returns an access token; (5) the client presents the access token to the resource server; (6) the resource server returns the protected resource.

- Here the resource owner is the end user and the resource server is a service like Google, Facebook or Twitter. The authorization server is responsible for validating authorization grants and issuing the access tokens.
- For Example : Nishad has an account at ICICI bank and uses its online banking platform.
- ICICI bank stores his credentials in order to authenticate his access to their online functions, but in the modern world it's a slightly more complex picture. Nishad has multiple online banking accounts from multiple financial service providers. He has a hard time keeping track of his money and has decided to use paytm.com, a new online personal finance organizer.
- Paytm has arrangements with various banks that allow users to add their accounts at those banks to their paytm.com portfolio. This will give Nishad a consolidated view of his finances. For this to work, one of the problems to be sorted out is how exactly Paytm.com will access Nishad's account at ICICI bank on his behalf. Paytm cannot ask for the bank username and password, store them in its own data store and use them as needed. And Nishad should not be willing to hand out his password.
- OAuth suggests a system whereby Nishad grants limited access for Paytm to access data, and this grant takes the form of an access token. It will be known only to Paytm and ICICI bank and can only be used for limited access to Nishad's data. So when Paytm needs to check on Nishad's account, it simply sends the token along rather than a username or password. ICICI bank recognizes the token and sends Nishad's data back to Paytm.
- So OAuth is becoming the standard for token-based authorization on the Internet. (Strictly, OAuth 2.0 is an authorization framework; user authentication on top of it is defined by OpenID Connect.)
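The flow of Fig. 3.16.1 played out between the four roles in the Nishad / Paytm / ICICI bank terms used above: the client (Paytm) obtains a short-lived authorization code from the resource owner's consent, exchanges it for an access token at the bank's authorization server, and presents the token to the bank's resource server, which never sees a password. This is an added example, not code from the original text or from any OAuth library; the in-memory AuthorizationServer and ResourceServer classes, the client secret, the PKCE code verifier, the scope name accounts:read, the 60-second code lifetime and the 1-hour token lifetime are assumptions made for this illustration, and everything runs in-process with no network.

```python
"""OAuth 2.0 authorization code flow with PKCE, all four roles in-process.
Added example; every name, lifetime and secret here is an assumption."""
import base64
import hashlib
import secrets


def s256(verifier):
    """PKCE code challenge: base64url(SHA-256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    """Bank's authorization server: validates grants, issues bearer tokens."""

    def __init__(self):
        self._clients = {}   # client_id -> (client_secret, redirect_uri)
        self._codes = {}     # code -> grant details
        self._tokens = {}    # access_token -> {"user", "scope", "expires"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self._clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user, now):
        """Steps 1-2: the resource owner consents; a one-time code goes back via redirect_uri."""
        if redirect_uri != self._clients[client_id][1]:
            raise ValueError("redirect_uri does not match registration")   # blocks code theft
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "user": user, "scope": scope,
                             "challenge": code_challenge, "expires": now + 60}
        return code

    def token(self, client_id, client_secret, code, code_verifier, now):
        """Steps 3-4: exchange the grant for an access token. The code is single-use."""
        grant = self._codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or now > grant["expires"]:
            return None
        if not secrets.compare_digest(self._clients[client_id][0], client_secret):
            return None
        if s256(code_verifier) != grant["challenge"]:   # PKCE: same party that started the flow
            return None
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = {"user": grant["user"], "scope": grant["scope"],
                                      "expires": now + 3600}
        return access_token

    def introspect(self, access_token, now):
        info = self._tokens.get(access_token)
        if info is None or now > info["expires"]:
            return None
        return info


class ResourceServer:
    """Bank's API: serves account data only to a live token whose scope covers the call."""

    def __init__(self, auth_server, balances):
        self._auth = auth_server
        self._balances = balances

    def get_balance(self, bearer_token, now):
        info = self._auth.introspect(bearer_token, now)
        if info is None or "accounts:read" not in info["scope"]:
            return None
        return self._balances[info["user"]]


def run_flow(now=1_700_000_000):
    auth = AuthorizationServer()
    auth.register_client("paytm", "paytm-secret", "https://paytm.example/cb")
    bank = ResourceServer(auth, {"nishad": 12_500})       # constructed account data
    verifier = secrets.token_urlsafe(32)                   # Paytm keeps this private
    code = auth.authorize("paytm", "https://paytm.example/cb", {"accounts:read"},
                          s256(verifier), "nishad", now)
    token = auth.token("paytm", "paytm-secret", code, verifier, now + 5)
    return {
        "balance": bank.get_balance(token, now + 10),
        "code_reuse": auth.token("paytm", "paytm-secret", code, verifier, now + 6),
        "expired_token": bank.get_balance(token, now + 7200),
        "random_token": bank.get_balance(secrets.token_urlsafe(32), now + 10),
    }


if __name__ == "__main__":
    print(run_flow())
```

Note what Nishad's password is never used for: the only secret that crosses between Paytm and the bank is the client secret plus the short-lived code, and the token the bank issues is scoped to reading accounts, which is the "limited access" the text describes.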
Web Application Secug

NA ee
Syl
Wi-
IEE

4.1

7 Users «|
fact

1.

Fig. 3.16.2

Q.1 Explain OWASP and its need.
Q.2 Explain different authentication mechanisms. What is session management?
Q.3 Write a short note on cookies.
Q.4 What is the need of SSL? Explain SSL architecture.
Q.5 Write a short note on SSL handshake protocol.
Q.6 Explain working of SSH.
Q.7 How to protect privacy on web?
Q.8 Explain different types of web browser attacks.
Q.9 Write a short note on account harvesting.
Q.10 Write a short note on web bugs. (Refer 3.10)
Q.11 Define the following terms : 1. Web bugs 2. Click jacking 3. Cross-site request forgery
Q.12 Explain session hijacking and session management in detail.
Q.13 Write a short note on phishing and pharming attack.
Q.14 What is web service? Why we need web security services? Explain web services security architecture.
Q.15 Write a short note on OAuth 2.0 standard.



Wireless Security
Unit IV

Syllabus :

Wi-Fi Security, WEP, WPA, WPA-2, Mobile Device Security - Security Threats, Device Security, GSM and UMTS Security, IEEE 802.11/802.11i Wireless LAN Security, VPN Security.

4.1 Wi-Fi Security

The security problems are posed in wireless networks, and the wireless devices that use them. The following are the factors which cause the higher security risk.

1. Channel : Broadcast communications are involved in wireless networking. These broadcast communications are more vulnerable to eavesdropping and congestion. Wireless networks are also vulnerable to active attacks that exploit vulnerabilities in communications protocols.
2. Mobility : As compared to wired devices, wireless devices are more portable and mobile. This mobility causes a number of risks, described subsequently.
3. Resources : There are many wireless devices (for example smartphones and tablets) available which have complicated operating systems but limited memory and processing resources with which to oppose threats, including denial of service and malware.
4. Accessibility : A few wireless devices, like sensors and robots, are possibly left unattended in remote and/or hostile locations. This significantly increases their vulnerability to physical attacks.

There are three components of the wireless environment that provide points of attack, as shown in Fig. 4.1.1. The components are : wireless client, wireless access point, transmission medium.

a. Wireless client : The clients can be a cell phone, a Wi-Fi enabled laptop or tablet, and so on.
b. Wireless access point : It gives a connection to the network or service. Examples of access points are cell towers, Wi-Fi hotspots, and wireless access points to wired local or wide-area networks.
c. Transmission medium : It carries the radio waves for data transfer and is also a source of vulnerability.

Fig. 4.1.1 : Components of wireless environment (endpoint, access point, transmission medium)

Advanced System Security & Digital Forensics (MU) 4-3 Wireless Security

4.1.1 Wireless Network Threats

Following are the dangers or threats to wireless systems :

1. Accidental association : Company wireless LANs or wireless access points to wired LANs in close proximity (e.g., in the same or neighboring buildings) might generate overlapping transmission ranges. A user aiming to connect to one LAN may by accident lock on to a wireless access point from a neighboring network. Even if the security breach is unintentional, it nevertheless exposes resources of one LAN to the accidental user.
2. Man-in-the-middle attacks : This attack makes the user and an access point believe that they are communicating with each other. But the fact is that they are communicating through an intermediate attacking device.
3. Ad hoc networks : These are peer-to-peer networks between wireless computers with no access point between them. Such networks can represent a security risk because of an absence of a central point of control.
4. Nontraditional networks : Nontraditional networks and links, like personal network Bluetooth devices, barcode readers, and handheld PDAs, represent a security risk in terms of eavesdropping and spoofing.
5. Malicious connection : In these circumstances, a wireless device is configured to appear to be a legitimate access point. This enables the operator to steal passwords from genuine users and then penetrate a wired network through a genuine wireless access point.
6. Denial of Service (DoS) : A DoS attack happens when an attacker repeatedly attacks a wireless access point or some other accessible wireless port with a variety of protocol messages designed to consume system resources. The wireless environment lends itself to this type of attack since it is so easy for the attacker to direct multiple wireless messages at the target.
7. Identity theft (MAC spoofing) : This happens when an attacker is able to eavesdrop on network traffic and learn the MAC address of a computer with network rights.
8. Network injection : This attack targets wireless access points that are exposed to non-filtered network traffic, for example network management messages or routing protocol messages. A case of such an attack is one in which fake reconfiguration commands are utilized to influence routers and switches to bring down network performance.

4.1.2 Wireless Security Measures

The wireless security measures relate to wireless transmissions, wireless access points, and wireless networks. Eavesdropping, changing or inserting messages, and disturbance are the major threats to wireless transmission. So to handle eavesdropping two countermeasures are suitable :

1. Organizations turn off Service Set Identifier (SSID) broadcasting by wireless access points, assign cryptic names to SSIDs, reduce signal strength to the lowest level that still provides required coverage, and locate wireless access points in the interior of the building, away from windows and exterior walls.
2. Encryption : To prevent eavesdropping, encryption of all wireless transmission is effective.

To oppose the attempts of altering and inserting transmissions, encryption and authentication protocols are the standard method.

4.1.3 Securing Wireless Access Points

Unauthorized access to the network is the major threat to wireless access points. To prevent such attacks use the IEEE 802.1X standard for port-based network access control. This standard gives an authentication mechanism for devices wishing to attach to a LAN or wireless network. It also prevents rogue access points and other unauthorized devices from becoming insecure backdoors.

4.1.4 Securing Wireless Networks

For wireless network security the following techniques are used :

1. Use encryption : Wireless routers are regularly equipped with built-in encryption systems for router-to-router traffic.
2. Utilize firewall, antivirus and anti-spyware software : These facilities ought to be enabled on all wireless network endpoints.
3. Turn off identifier broadcasting : Wireless routers are typically arranged to communicate a distinguishing signal so that any gadget inside the range can learn of the router's presence. In the event that a network is configured so that authorized devices know the identity of the routers, this ability can be disabled to defeat attackers.
4. Alter the identifier on your router from the default. Once more, this measure frustrates assailants who will endeavor to access a wireless network using default router identifiers.
5. Modify your router's pre-set password for administration.
6. Permit only definite computers to access your wireless network. Configure the router to communicate only with approved MAC addresses. Obviously, MAC addresses can be spoofed, so this is only one component of a security system.

4.2 WEP (Wired Equivalent Privacy)

The WEP protocol is the first IEEE 802.11 proposal for protecting the confidentiality and integrity of data passed between mobile terminal and access point. It is also used for authenticating mobile terminals to the network.

Authentication is done by using a pre-shared secret. These secrets are installed manually in all devices that may get access, and in all access points of the network. This solution is appropriate for small installations, for example home networks.

WEP is seriously defective and can only serve as a case study for representing mistakes that must not be repeated.

1. A stream cipher is used by WEP for encryption. Keys must not be repeated in a stream cipher : the exclusive-or of two plaintexts encrypted with the same key stream is equal to the exclusive-or of the two plaintexts. The statistical properties of the exclusive-or of two plaintexts can be used for cryptanalysis that rebuilds the two plaintexts and thus also the key stream. Therefore, a 24-bit Initialization Vector (IV) randomizes the encryption.

A secret key K of 40 bit or 104 bit is shared by the sender and receiver. To transmit a message m, the sender computes a 32-bit checksum CRC-32(m), takes the 24-bit IV, and generates a key stream with the 64-bit (128-bit) key K' = IV||K using the stream cipher RC4. The ciphertext c is the bitwise exclusive-or of (m||CRC-32(m)) and the key stream,

c = (m||CRC-32(m)) ⊕ RC4(K').
Ciphertext and IV are transmitted to the receiver, who computes c ⊕ RC4(K') = (m||CRC-32(m)) and validates the checksum.

For authenticating a client, the access point sends a 1024-bit challenge to the client. The client uses the above algorithm to encrypt the challenge with the pre-shared key, and the access point authenticates this response.

The WEP cryptographic method has two major design flaws.

- First flaw : CRC-32 is a cyclic redundancy check. For detecting a random error a linear function is useful, but there is no defense against targeted modifications. It does not offer strong integrity protection when used in combination with the linear encryption operation (exclusive-or) of a stream cipher. An attacker who has a WEP ciphertext, but neither the key K' nor the plaintext m, can alter the plaintext as follows. Let Δ be the intended alteration of the plaintext. The attacker computes δ = CRC-32(Δ) and adds (Δ||δ) to the ciphertext, obtaining a valid encryption of the plaintext m ⊕ Δ :

(m||CRC-32(m)) ⊕ RC4(K') ⊕ (Δ||δ) = (m ⊕ Δ||CRC-32(m) ⊕ δ) ⊕ RC4(K') = (m ⊕ Δ||CRC-32(m ⊕ Δ)) ⊕ RC4(K').

- Second flaw : the size of the IV. If the secret key K remains unchanged, the IV is the only variable part of the key K'. An attacker might observe traffic for a longer period until IVs repeat, and then try to rebuild the key streams and build a table of IVs and matching key streams.

There are some attacks that replay encrypted control messages to create more traffic so that they can obtain the amount of data necessary for cryptanalysis.
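The WEP construction c = (m||CRC-32(m)) ⊕ RC4(IV||K) and both design flaws above, as an added example that is not code from the textbook: RC4 and CRC-32 are the real algorithms, while the key, IV, messages and the HMAC-protected contrast frame are constructed here. It also shows why a keyed MAC in place of the CRC (the direction WPA's Michael and CCMP take) makes the same modification detectable.

```python
"""Added example, not from the textbook: a small model of WEP encryption
and of the two design flaws described above.  RC4 and CRC-32 are the real
algorithms; key, IV and messages are constructed sample values."""
import hashlib
import hmac
import zlib

KEY = bytes.fromhex("0102030405")   # constructed 40-bit shared key K
IV = bytes.fromhex("aabbcc")        # constructed 24-bit IV (sent in clear)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus `length` bytes of pseudo-random output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    """c = (m || CRC-32(m)) xor RC4(K'), with K' = IV || K (64 or 128 bit)."""
    body = m + crc32(m)
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, iv: bytes, c: bytes):
    """Strip the key stream and validate the checksum; None on mismatch."""
    body = xor(c, rc4_keystream(iv + key, len(c)))
    m, icv = body[:-4], body[-4:]
    return m if crc32(m) == icv else None


# Flaw 1: CRC-32 commutes with XOR, so (Delta || delta) can be XORed onto the
# ciphertext without knowing K' or m.  zlib's CRC-32 is affine (initial value
# and final XOR), so delta = CRC(Delta) xor CRC(0..0); for a strictly linear
# checksum, as in the text's formula, the second term vanishes.
def crc_delta(delta: bytes) -> bytes:
    return xor(crc32(delta), crc32(bytes(len(delta))))


def flip_wep_ciphertext(c: bytes, delta: bytes) -> bytes:
    return xor(c, delta + crc_delta(delta))


# Flaw 2: with K fixed, a repeated 24-bit IV repeats the key stream, and
# c1 xor c2 then equals the XOR of the two padded plaintexts.
def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    return xor(c1, c2)


# Contrast (not part of WEP): a keyed MAC instead of CRC-32 makes the same
# bit-flip detectable, which is what Michael and CCMP's CBC-MAC aim at.
MAC_KEY = b"constructed-integrity-key"


def mac_tag(m: bytes) -> bytes:
    return hmac.new(MAC_KEY, m, hashlib.sha256).digest()[:8]


def mac_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    body = m + mac_tag(m)
    return xor(body, rc4_keystream(iv + key, len(body)))


def mac_decrypt(key: bytes, iv: bytes, c: bytes):
    body = xor(c, rc4_keystream(iv + key, len(c)))
    m, tag = body[:-8], body[-8:]
    return m if hmac.compare_digest(tag, mac_tag(m)) else None


def demo() -> dict:
    m1 = b"PAY 0100 TO ALICE"
    m2 = b"PAY 0042 TO CAROL"
    c1 = wep_encrypt(KEY, IV, m1)
    # Delta changes only the amount field (bytes 4..7) of m1.
    delta = bytes(4) + xor(b"0100", b"9900") + bytes(len(m1) - 8)
    forged = wep_decrypt(KEY, IV, flip_wep_ciphertext(c1, delta))
    leak = keystream_reuse_leak(c1, wep_encrypt(KEY, IV, m2))[: len(m1)]
    # The same Delta applied to a MAC-protected frame is rejected.
    blocked = mac_decrypt(KEY, IV, xor(mac_encrypt(KEY, IV, m1), delta + bytes(8)))
    return {"roundtrip": wep_decrypt(KEY, IV, c1), "forged": forged,
            "leak_matches": leak == xor(m1, m2), "mac_rejects": blocked is None}
```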
4.3 WPA (WiFi Protected Access)

- WEP broadly failed to meet its security goals. WiFi Protected Access (WPA) was designed as a quick temporary solution that removed the major flaws of WEP prior to a complete redesign of the WLAN security architecture.
- WPA runs on existing WLAN hardware.
- There are also enhanced procedures for authenticating the client to the network and for establishing temporary encryption keys dynamically.
- The Extensible Authentication Protocol (EAP) has its origins in work on WLAN security.
- A Message Integrity Code (MIC) called Michael replaces CRC-32 for better integrity protection. The length of the IV is doubled to 48 bits.
- The Temporal Key Integrity Protocol (TKIP) defines a key hierarchy where data encryption keys are modified for each packet. Supplicant (mobile station) and authenticator (e.g. an access point controller) need to have a long-term Pairwise Master Key (PMK).
- When WPA is deployed with pre-shared master keys (WPA-PSK), the PMK is computed with the key generation function PBKDF2 (RFC 2898) as

PMK = PBKDF2(passphrase, SSID, SSID length, 4096, 256)

with a secret passphrase (20 characters are recommended), the SSID of the access point and the SSID length as input. This input is hashed 4096 times and a 256-bit key is returned.
- For each connection new Pairwise Transient Keys (PTKs) are derived from the master key and used for protecting traffic between mobile station and access point. The algorithm computing the PTK takes the PMK, the medium access control addresses of both devices, and nonces created by both devices as its inputs. Nonces are transmitted in the clear.
- The key hierarchy is then further extended. The PTK is split into a Key Confirmation Key (KCK) for key authentication, a Key Encryption Key (KEK) for distributing group keys, a Temporal Key (TK) for data encryption, and maybe unidirectional MIC keys for integrity protection.
- The temporal session key is derived from the TK and the medium access control address of the access point, so diverse access points handled by the same controller will use different keys.
- Lastly the WEP key and IV are derived from the temporal session key and the packet sequence counter. Every packet is therefore encrypted in its own key and IV.

Fig. 4.3.1 : The TKIP Key Hierarchy (the Pairwise Master Key (PMK), the supplicant address and the two nonces enter a pseudo-random function that yields the Pairwise Transient Key (PTK); the PTK is split into KCK, KEK and TK of 128 bit each; key mixing of the TK with the transmitter address and the sequence counter gives the WEP key and IV)
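The PMK derivation and the PTK key hierarchy just described, as an added example that is not code from the textbook. PBKDF2 and the PRF follow IEEE 802.11i; the passphrase/SSID pair "password"/"IEEE" is the standard's published test vector, while the MAC addresses, nonces and the EAPOL message body are constructed.

```python
"""Added example, not from the textbook: WPA-PSK master key derivation and
the pairwise key hierarchy described above, using the PBKDF2 and PRF
definitions of IEEE 802.11i.  The passphrase/SSID pair is the published
802.11i test vector; MAC addresses and nonces are constructed."""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(passphrase, SSID, SSID length, 4096, 256) with HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 64) -> bytes:
    """PTK from the PMK, both MAC addresses and both (cleartext) nonces.
    Sorting the inputs lets authenticator and supplicant derive the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """KCK (key confirmation), KEK (key encryption) and TK (data), 128 bit
    each; TKIP appends two 64-bit unidirectional MIC keys (512-bit PTK)."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC1": ptk[48:56], "MIC2": ptk[56:64]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key authentication with the KCK: the MIC over a 4-way handshake
    message (HMAC-SHA1 truncated to 128 bits, as used with CCMP)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def demo() -> dict:
    pmk = wpa_psk("password", "IEEE")
    aa = bytes.fromhex("001122334455")          # constructed AP address
    spa = bytes.fromhex("66778899aabb")         # constructed station address
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)   # other side, same result
    snonce2 = hashlib.sha256(b"constructed SNonce, next association").digest()
    ptk_next = derive_ptk(pmk, aa, spa, anonce, snonce2)  # fresh nonce, fresh PTK
    keys = split_ptk(ptk_ap)
    msg = b"constructed EAPOL-Key message body"
    mic = eapol_mic(keys["KCK"], msg)
    return {"same_ptk_both_roles": ptk_ap == ptk_sta,
            "fresh_nonce_changes_ptk": ptk_next != ptk_ap,
            "mic_verifies": eapol_mic(split_ptk(ptk_sta)["KCK"], msg) == mic,
            "tk_bits": len(keys["TK"]) * 8}
```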
4.4 WPA-2

- A whole redesign of the WLAN security method is given in the standard IEEE 802.11i, published in 2004. The WPA2 specification created by the WiFi Alliance and IEEE 802.11i are sometimes used as synonyms. The two specifications overlap to a large extent, but are not completely the same.
- IEEE 802.11i has two modes.
1. Robust Security Network (RSN) requires new hardware. It is not backward compatible with WEP. RSN supports dynamic negotiation of authentication and encryption algorithms. EAP is used for authentication in large networks. Smaller networks can use TKIP. Authentication establishes temporal keys per packet.
2. Transitional Security Network (TSN) permits RSN and WEP to coexist on the same WLAN. Devices using WEP may create a security risk in such a configuration.
- For encryption and integrity protection RSN uses CCMP (Counter mode CBC-MAC Protocol). CCMP is based on 128-bit AES (key and block size) in Counter with CBC-MAC Mode (CCM). CCM is defined in RFC 3610.
- AES is used in counter mode for encryption. Whenever a new temporal key is established the counter is set to 1. Every 128-bit plaintext block is exclusive-ored with the counter value encrypted under the temporal key; then the counter is incremented.
- CBC-MAC mode is used for integrity. Header blocks put before the message have the packet number and parts of the MAC (media access) address field. Headers and plaintext blocks are encrypted in CBC mode with IV 0 under the temporal key; the last block serves as the 128-bit CBC-MAC.
- A 64-bit MIC is derived from the CBC-MAC and transmitted with the encrypted packet.

4.5 Mobile Device Security

4.5.1 Security Threats

Devices like desktops and laptops are used within the organization facilities and on the organization network. But mobile devices need extra specialized protection measures. The problems associated with mobile device security are as follows :

1. Lack of Physical Security Controls : The user has full control of a mobile device and he uses and keeps the mobile device in a variety of locations outside the organization's control. It means the user uses the device off-premises, even if it is necessary to keep the mobile device on the premises. The user moves the mobile device used in the organization between secure and non-secure locations. So mobile devices have theft and tampering threats regarding the security of the mobile device. The mobile device may get stolen or can be accessed by a malicious party. The malicious party may try to get sensitive data from the device itself, or it may use the device to get at an organization's resources.
2. Utilization of Untrusted Mobile Devices : Though organizations issue and control mobile devices, for all intents and purposes all employees have individual cell phones and/or tablets. The organization must accept that these devices are not dependable. That is, the devices may not utilize encryption, and either the user or an outsider may have introduced bypasses to the inherent limitations on security, operating system use, etc.
3. Utilization of Untrusted Networks : Traffic that includes an off-premises fragment is open to attacks. Hence, the security arrangement must be based on the assumption that the networks between the mobile device and the organization are not dependable.
4. Utilization of Applications Created by Unknown Parties : By plan, it is anything but difficult to discover and introduce outsider applications on mobile devices. This represents the conspicuous danger of installing malicious software. An organization has a few choices for managing this danger.
5. Interaction with Other Systems : A typical component found on cell phones and tablets is the capacity to automatically synchronize information, contacts, photographs, etc. with other processing devices and with cloud-based storage. Except if an organization has control of the considerable number of devices engaged with synchronization, there is a significant risk of the organization's information being put away in an unsecured location and, in addition, the danger of the introduction of malware.
6. Utilization of Untrusted Content : Mobile devices may access and utilize content that other computing devices don't experience. An example is the Quick Response (QR) code, which is a two-dimensional barcode. QR codes are intended to be captured by a mobile device camera and utilized by the mobile device. The QR code decodes to a URL, so that a malignant QR code could guide the mobile device to malicious web sites.
7. Utilization of Location Services : The GPS capability on mobile devices can be used to keep knowledge of the physical location of the device. This feature may be useful to an organization as part of a presence service, but it generates security risks : the location information can be used by an attacker to determine where the device and user are located.

4.5.2 Device Security

The elements of mobile device security fall into 3 classifications :

1. Device security
2. Client/server traffic security
3. Barrier security

1. Device Security

Various organizations will supply mobile devices for employee use and pre-design those devices to comply with the business enterprise security approach. In any case, numerous organizations will think that it is helpful or even important to receive a Bring-Your-Own-Device (BYOD) approach that permits the individual mobile devices of employees to approach corporate assets. IT managers ought to be ready to examine every device before allowing network access. IT will need to set up guidelines for operating systems and applications. For instance, "rooted" or "jail-broken" devices are not allowed on the system, and mobile devices can't store corporate contacts on local storage. Regardless of whether a device is claimed by the organization or BYOD, the organization ought to arrange the device with security controls, including the accompanying :

- Enable auto-lock, which makes the device lock in the event that it has not been utilized for a given measure of time, requiring the client to re-enter a four-digit PIN or a secret key/password to re-initiate the device.
- Enable password or PIN assurance. The PIN or secret key is expected to open the device. What's more, it can be designed with the goal that email and other information on the device are encoded with the PIN or secret key and must be recovered with the PIN or secret key.
- Avoid utilizing auto-complete features that memorize client names or passwords.
- Allow remote wipe.
- Make sure that SSL security is enabled, if accessible.
- Make sure that software, including oper&#8203;ating systems and applications, is up to date.
- Install antivirus software as it becomes available.
- Either sensitive information ought to be disallowed from storage on the mobile device, or then again it ought to be encoded/encrypted.
- IT staff ought to have the ability to remotely access devices, wipe the device of all information and after that disable the device in case of misfortune or robbery.
- The organization may preclude all installation of third-party applications, execute whitelisting to deny the installation of all unapproved applications, or then again execute a protected sandbox that separates the organization's information and applications from every single other data and application on the mobile device. Any application on the approved list ought to be joined by a digital signature and a public-key certificate from an agreed authority.
- The organization can implement and enforce limitations on what devices can synchronize and on the utilization of cloud-based storage.
- To manage the risk of untrusted content, security responses can incorporate training of personnel on the risks inherent in untrusted content and disabling the use of a camera on corporate mobile devices.
- To counter the risk of malicious utilization of location services, the security strategy can direct that such services are disabled on every single mobile device.

2. Traffic Security

Traffic security is based on encryption and authentication. All traffic should be encrypted and travel by secure means, for example SSL or IPv6. Virtual Private Networks (VPNs) can be set up with the goal that all traffic between the mobile device and the organization's system is by means of a VPN. To limit the access from the device to the resources of the organization a strong authentication protocol should be used. Regularly, a mobile device has a single device-specific authenticator, since it is assumed that the device has only one user. A preferable approach is to have a two-layer authentication method, which involves authenticating the device and then authenticating the user of the device.

3. Barrier Security

The organization ought to have a security method to protect the network from unauthorized access. The security strategy can include firewall policies specific to mobile device traffic. The scope of data and application access for all devices can be limited by the firewall policies. Additionally, intrusion detection and intrusion prevention systems can be configured to have strict rules for mobile device traffic.

4.6 GSM and UMTS Security

4.6.1 GSM

GSM's full form is Global System for Mobile Communications. Cryptography is used in GSM, and authorized wiretaps can be conducted in the fixed network. The national post, telephone and telegraph operators are the partners in the consortium. The major security goal of GSM is protection against charge fraud and the protection of voice traffic and signaling data on the radio channel. For the fixed network traffic, no added cryptographic protection is provided. There is a contribution to physical security : it is possible to track stolen end devices.

4.6.1(A) Components

Every GSM user has a subscription in a home network. The visited network is the one where a service is requested.

A cell phone or Mobile Station (MS) has the Mobile Equipment (ME) and the Subscriber Identity Module (SIM). The SIM performs cryptographic operations in the MS and stores the related cryptographic keys. The SIM contains personal data of the subscriber, for example a personal phone book, and gives personal mobility independent of the ME.

The network contains Base Station (BS), Mobile Switching Centre (MSC), Home Location Register (HLR) of a subscriber, Authentication Centre (AuC), and Visitor Location Register (VLR). The HLR and VLR control call routing and roaming information. The AuC controls a subscriber's security-related information.

The relationship between different network operators is managed through Service Level Agreements (SLAs) and the GSM Memorandum of Understanding (GSM/MoU).

The International Mobile Subscriber Identity (IMSI) is the identifier for a GSM subscriber.

Subscriber and HLR/AuC share a secret 128-bit individual subscriber authentication key Ki. The SIM stores Ki, IMSI, TMSI, and a current 64-bit encryption key Kc. Algorithms A3 and A8 are implemented in the SIM.

A Personal Identification Number (PIN) is used to control the access to the SIM. A Personal Unblocking Key (PUK) is used to unblock a SIM.

4.6.1(B) Temporary Mobile Subscriber Identity

When an MS connects to the network it should have some identity. If a fixed identity is used at every call, the movements of subscribers can be tracked, although the following traffic is encrypted. For better subscriber privacy, the unencrypted IMSI is sent only when an MS makes initial contact with the GSM network. After that a Temporary Mobile Subscriber Identity (TMSI) is assigned in the visited network and used in the complete range of the MSC. The IMSI is thus not normally used for addressing on the radio path. The VLR maintains a mapping ((TMSI, LAI), IMSI) from TMSI and Location Area Identity (LAI) to IMSI.

A new TMSI is assigned when an MS moves into the range of another MSC. When permitted by signaling procedures, all signaling information elements that pass on information about the mobile subscriber identity are encrypted for transmission on the radio path.

4.6.1(C) Cryptographic Algorithms

Symmetric cryptography is used by GSM for encryption and subscriber authentication. Public key cryptography is not feasible for GSM. There are three cryptographic algorithms.

1. A3 - the authentication algorithm
2. A5 - the encryption algorithm. It is used on signaling and user data.
3. A8 - the key generation algorithm

These algorithms were not published outside the GSM/MoU, but were finally leaked or reverse-engineered. Algorithms A3 and A8 are shared between subscriber and home network. Therefore every network may select its individual algorithms A3 and A8.
Only the form of their inputs and outputs must be specified.

- A3 and A8 calculate a response RES and a ciphering key Kc from a random challenge RAND and the key Ki. Processing times must remain below a maximum value, e.g. 500 milliseconds. The GSM/MoU manages proposals for A3 and A8.
- Algorithm A5 has to be shared between all subscribers and all network operators. There are three versions : A5/1, a less secure 'export' version A5/2 and a stronger version A5/3.

4.6.1(D) Subscriber Identity Authentication

- Subscriber authentication takes place when the first network access is done after a restart of the MSC/VLR, or when the subscriber tries to access a service, e.g. set-up of a mobile originating or terminated call.
- Authentication is also done when the subscriber applies for a change of subscriber-related information in the VLR or HLR, e.g. location updating involving a change of VLR, or in the event of a cipher key sequence number mismatch.
- Fig. 4.6.1 shows the message flow during authentication.
- The first message from ME to VLR has a subscriber identity, either TMSI or IMSI.
- Then the VLR maps TMSI to IMSI and forwards the IMSI to the HLR/AuC over the fixed subnet.
- The AuC creates a non-predictable 128-bit challenge RAND and calculates the response RES = A3(Ki, RAND) and a 64-bit encryption key Kc = A8(Ki, RAND).
- The triple (RAND, RES, Kc) is sent to the VLR. The VLR stores RAND and Kc and passes the challenge RAND on to the MS.
- The key Kc is only valid within one location area.
- In the MS, the response (signature) SRES = A3(Ki, RAND) is computed in the SIM and transmitted by the MS back to the VLR.
- The VLR compares SRES and RES.
- Authentication succeeds if the two values match.

To accelerate successive authentications in a visited network, the AuC sends several triplets (RAND, SRES, Kc) to the VLR, which are then used in turn for subscriber authentication.

Fig. 4.6.1 : Subscriber identity authentication in GSM (ME sends IMSI to the MSC/VLR; the VLR obtains (RAND, RES, Kc) from the HLR/AuC over the fixed subnet; the ME computes RES from Ki and RAND and returns it; the VLR answers yes/no)

4.6.1(E) Encryption

On the radio link all voice and non-voice traffic is encrypted. The infrastructure is responsible for encryption algorithm selection, or for whether to switch off encryption so that no confidentiality protection is afforded. If essential, the MS signals to the network which encryption algorithms it supports. The serving network then chooses one based on a priority order preset in the network, and signals the choice to the MS.

The ciphering indicator feature allows the ME to detect that ciphering is not switched on and to flag this to the user. This feature can be disabled by the home network operator by setting the administrative data field (EF_AD) in the SIM accordingly. If it is not disabled in the SIM, then at any time a connection is or becomes unenciphered, the user will get an indication.

The A5 encryption algorithm is a stream cipher and it is applied to 114-bit frames. The key stream for every frame is derived from the secret key Kc and the current 22-bit frame number. A stream cipher is preferable to a block cipher as radio links can be noisy. With a block cipher, a single bit error in the ciphertext affects an entire plaintext frame. In a stream cipher, a single bit error in the ciphertext affects a single plaintext bit.

Fig. 4.6.2 : Encryption of GSM frames from MS to MSC (on each side Kc and the 22-bit TDMA frame number feed A5, which produces a 114-bit key stream that is exclusive-ored with the 114-bit plaintext sent over the radio channel)

4.6.1(F) Location-Based Services

The mobile equipment's location is recorded by the GSM network. This information is used to propose location-based services, for example traffic information for motorists. Emergency location services give the location of an ME making a call to an emergency number. This service is mandatory in some countries.

4.6.2 UMTS

Universal Mobile Telecommunications System (UMTS) is a third-generation (3G) mobile communications system. The security architecture of UMTS is similar to GSM. Subscribers have a Universal Subscriber Identity Module (USIM). The USIM is a part of the User Equipment (UE) and shares a secret key with the AuC in the home network. The UE requests services from a visited network or a Serving GPRS Support Node (SGSN).

4.6.2(A) False Base Station Attacks

The network is not authenticated to the ME in GSM. The ME cannot tell whether requests to use the IMSI for authentication are genuine or come from a bogus base station. To tackle this problem, one may call for mutual authentication of ME and network. Currently it matters how we interpret the 'network'. Here, we may refer to the entire UMTS network, so authentication proves that signaling comes from a genuine operator and not a bogus base station. It is a traditional approach of network operators. Another approach is that a subscriber who wants to make a call wants to be sure about the identity of the network handling the call.
4.6.2(B) Cryptographic Algorithms

- UMTS has f1 and f2 authentication functions and f3, f4, and f5 key generation functions. These functions can be specific to the service provider.
- The MILENAGE framework, a suggestion for Authentication and Key Agreement (AKA) functions, has a block cipher with 128-bit blocks and 128-bit keys at its core.
- The encryption algorithm for the radio link and the integrity check algorithm for signalling data on the radio link have to be standardized.
- KASUMI, an eight-round Feistel cipher, is adopted by UMTS. It has 64-bit blocks and 128-bit keys. KASUMI is used in a variation of output feedback mode for encryption and in a variation of CBC-MAC mode for integrity protection.

4.6.2(C) UMTS Authentication and Key Agreement

- Home network (AuC) and subscriber (USIM) share a secret 128-bit key K and also maintain a synchronized sequence number SQN.
- In response to an authentication request, the AuC generates a random challenge RAND and an expected response XRES = f2(RAND, K).
- The AuC computes :
  o A 128-bit cipher key CK = f3(RAND, K)
  o A 128-bit integrity key IK = f4(RAND, K)
  o A 48-bit anonymity key AK = f5(RAND, K)
  o A message authentication code MAC of the challenge RAND, the sequence number SQN and an authentication management field AMF that may contain a key lifetime.

Fig. 4.6.3 : Creation of authentication vector at AuC (figure not reproduced; the inputs K, RAND, SQN and AMF produce MAC, XRES, CK, IK and AK)

- The AuC then constructs AUTN = (SQN ⊕ AK, AMF, MAC) and sends the authentication vector (RAND, AUTN, XRES, CK, IK) to the VLR/SGSN, which stores (RAND, XRES, CK, IK) together with the IMSI and passes RAND and AUTN to the UE.
- Upon receipt of RAND and AUTN, the USIM first computes AK = f5(RAND, K) and SQN = (SQN ⊕ AK) ⊕ AK (Fig. 4.6.3).
- After that the message authentication code XMAC is derived from RAND, SQN and AMF, and compared with the message authentication code value received. This authenticates that RAND and AUTN had been produced by the home AuC. If there is a mismatch, the USIM aborts the protocol run, sending a reject message to the VLR. If not, the USIM continues the protocol and checks that SQN is valid to discover replay attacks. A synchronization error is signalled to the VLR when this check fails.

Fig. 4.6.4 : Authentication in USIM (figure not reproduced; AUTN is split into SQN ⊕ AK, AMF and MAC, the USIM recomputes XMAC from RAND, SQN and AMF, and MAC is compared with XMAC)

- At last, the USIM calculates the response RES and the keys CK and IK from the challenge RAND and its secret key K and gives back the response RES to the VLR. The VLR compares RES and XRES to authenticate the USIM.

Fig. 4.6.5 : Authentication and key agreement in UMTS (figure not reproduced; it shows the UE/USIM on the radio link, the VLR/SGSN and the AuC on the fixed subnet, exchanging IMSI, (RAND, AUTN), (XRES, CK, IK) and RES, ending in a yes/no decision)

- There are a number of reasons that militate against authenticating the visited network. As the ME has a pre-established relationship only with the home network, direct authentication of a visited network is not possible. Extending the challenge-response protocol to give mutual authentication would not prevent false base station attacks either. The attacker needs only to wait for authentication with the genuine base station to complete and then take over communications with the ME by sending with a stronger signal than the genuine BS.
- Additionally, cryptographic authentication methods are of limited use on noisy channels. Any bit error in a message will cause authentication to fail. So, the longer the authenticated message, the larger is the probability that it will be rejected because of a transmission error.
- You cannot prevent the false base station attacks by authenticating the serving network. By using the combination of key freshness and integrity protection of signalling data, the false base station attacks are prevented.

4.7 IEEE 802.11/802.11i Wireless LAN Security

- IEEE 802 is a committee that has developed protocol and transmission specifications for Local Area Networks (LANs). Later they formed a new group, IEEE 802.11, with a charter to develop a standard for a wide range of Wireless LANs (WLANs).
- The Wi-Fi (Wireless Fidelity) Alliance has also created a test suite to certify interoperability for 802.11a products, called Wi-Fi5. The Wi-Fi Alliance developed a certification process for the IEEE 802.11 security standard, Wi-Fi Protected Access (WPA). Its recent version is WPA2, which includes all of the features of the IEEE 802.11i WLAN security specification.
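The AKA run just described, as an added worked example that is not part of the textbook: the AuC builds the authentication vector, the VLR keeps (RAND, XRES, CK, IK) and forwards only RAND and AUTN, and the USIM performs the two checks in order (MAC against XMAC, then SQN freshness) before answering with RES. The functions f1 to f5 are HMAC-SHA256 stand-ins chosen for the example, not MILENAGE, and the key K and the IMSI are constructed placeholder values.

```python
"""UMTS Authentication and Key Agreement (AKA) walk-through.

Added example, not the textbook's code. f1..f5 are HMAC-SHA256 stand-ins
chosen for illustration; a real USIM/AuC would use MILENAGE-style functions.
"""
import hashlib
import hmac
import os


def _prf(k: bytes, tag: bytes, *parts: bytes, out_len: int) -> bytes:
    """Keyed, domain-separated PRF used to emulate f1..f5 (assumption, not MILENAGE)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:out_len]


def f1(k, rand, sqn, amf):  # message authentication function -> 64-bit MAC
    return _prf(k, b"f1", rand, sqn, amf, out_len=8)


def f2(k, rand):  # response function -> RES / XRES
    return _prf(k, b"f2", rand, out_len=8)


def f3(k, rand):  # 128-bit cipher key CK
    return _prf(k, b"f3", rand, out_len=16)


def f4(k, rand):  # 128-bit integrity key IK
    return _prf(k, b"f4", rand, out_len=16)


def f5(k, rand):  # 48-bit anonymity key AK
    return _prf(k, b"f5", rand, out_len=6)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    """Home network: shares K with the USIM and keeps the sequence number SQN."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def authentication_vector(self, amf: bytes = b"\x00\x00") -> dict:
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        mac = f1(self.k, rand, sqn, amf)
        autn = xor(sqn, f5(self.k, rand)) + amf + mac     # AUTN = (SQN xor AK, AMF, MAC)
        return {"RAND": rand, "AUTN": autn, "XRES": f2(self.k, rand),
                "CK": f3(self.k, rand), "IK": f4(self.k, rand)}


class VLR:
    """Serving network: stores (RAND, XRES, CK, IK) per IMSI and checks RES."""

    def __init__(self):
        self.store = {}

    def challenge(self, imsi: str, av: dict):
        self.store[imsi] = av
        return av["RAND"], av["AUTN"]            # only RAND and AUTN go over the air

    def verify(self, imsi: str, res: bytes) -> bool:
        return hmac.compare_digest(self.store[imsi]["XRES"], res)


class USIM:
    """Subscriber side: checks MAC, then SQN freshness, then answers with RES."""

    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, -1               # highest SQN accepted so far

    def respond(self, rand: bytes, autn: bytes):
        ak = f5(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        xmac = f1(self.k, rand, sqn, amf)
        if not hmac.compare_digest(mac, xmac):
            return "reject", None                 # AUTN not produced with K: abort, reject to VLR
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_ms:
            return "sync_failure", None           # replayed or stale SQN: synchronization error
        self.sqn_ms = n
        return "ok", {"RES": f2(self.k, rand), "CK": f3(self.k, rand), "IK": f4(self.k, rand)}


def demo() -> dict:
    k = bytes(range(16))                          # constructed 128-bit K for the example
    imsi = "IMSI-example"                         # placeholder identity
    auc, vlr, usim = AuC(k), VLR(), USIM(k)

    rand, autn = vlr.challenge(imsi, auc.authentication_vector())
    status, out = usim.respond(rand, autn)
    genuine = (status == "ok" and vlr.verify(imsi, out["RES"])
               and out["CK"] == vlr.store[imsi]["CK"] and out["IK"] == vlr.store[imsi]["IK"])

    replay, _ = usim.respond(rand, autn)          # same (RAND, AUTN) again -> SQN not fresh

    rand2, autn2 = vlr.challenge(imsi, auc.authentication_vector())
    tampered = bytearray(autn2)
    tampered[-1] ^= 0x01                          # one bit of MAC altered in transit
    modified, _ = usim.respond(rand2, bytes(tampered))

    bogus = AuC(bytes(16))                        # an AuC that does not hold the subscriber's K
    rand3, autn3 = vlr.challenge(imsi, bogus.authentication_vector())
    wrong_key, _ = usim.respond(rand3, autn3)
    return {"genuine": genuine, "replay": replay, "modified": modified, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The order of the two USIM checks matters: a MAC mismatch (AUTN not built with K, or altered on the radio link) is answered with a reject, while a correct MAC carrying an old SQN is reported as a synchronization failure so that the home network can resynchronize rather than treat the subscriber as an impostor.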
4.7.1(A) Architecture of IEEE 802 Protocol

- Fig. 4.7.1 shows the architecture of IEEE 802 standards.
- Physical Layer : Its function is to encode/decode the signals and transmit/receive the bits. This layer contains a specification of the transmission medium and also defines frequency bands and antenna characteristics.

Fig. 4.7.1 : IEEE 802.11 Protocol Stack (figure not reproduced; it lists the general IEEE 802 functions and the specific IEEE 802.11 functions of each layer: Logical Link Control - flow control, error control; Medium Access Control - assemble data into frame, addressing, error detection, medium access / reliable data delivery, wireless access control protocols; Physical - encoding/decoding of signals, bit transmission/reception, transmission medium / frequency band definition, wireless signal encoding)

Medium Access Control

- All LANs have a collection of devices that share the network's transmission capacity. Some means of controlling access to the transmission medium is required to give an organized and efficient use of that capacity. This is the function of a Medium Access Control (MAC) layer. The MAC layer receives data from the Logical Link Control (LLC) layer, in the form of a block of data known as the MAC Service Data Unit (MSDU).
- The MAC layer performs the following functions :
  o On transmission, collect data into an MPDU frame with address and error-detection fields.
  o On receiving, disassemble the frame, and do address recognition and error detection.
  o Govern access to the LAN transmission medium.

Fig. 4.7.2 : General IEEE 802 MPDU Format (figure not reproduced; the fields are MAC Control | Destination MAC Address | Source MAC Address | MAC Service Data Unit (MSDU) | CRC, where the first three fields form the MAC header and the CRC forms the MAC trailer)

- The MPDU frame format is shown in Fig. 4.7.2; it has the following fields :
  o MAC Control : This field has any protocol control information required for the functioning of the MAC protocol. For example, a priority level could be shown here.
  o Destination MAC Address : The destination physical address on the LAN for this MPDU.
  o Source MAC Address : The source physical address on the LAN for this MPDU.
  o MAC Service Data Unit : The data from the next higher layer.
  o CRC : The Cyclic Redundancy Check field is an error detecting code. The CRC is calculated over the entire MPDU. The sender calculates the CRC and adds it to the frame. The receiver performs the same calculation on the incoming MPDU and compares that calculation to the CRC field in the incoming MPDU. If the two values do not match, then one or more bits have been altered in transit.
- The fields preceding the MSDU field are referred to as the MAC header, and the field following the MSDU field is referred to as the MAC trailer. The header and trailer contain control information that goes with the data field and that is used by the MAC protocol.
- The MAC layer detects errors and discards any frames that contain errors. The LLC layer optionally keeps track of which frames have been successfully received and retransmits unsuccessful frames.

4.7.1(B) IEEE 802.11 Network Components and Architectural Model

- Fig. 4.7.3 shows the 802.11 model. Here, the Basic Service Set (BSS) is the smallest building block of a WLAN. A BSS contains wireless stations executing the same MAC protocol and competing for access to the same shared wireless medium.
- A BSS is isolated or connected to a backbone Distribution System (DS) through an Access Point (AP). The AP functions as a bridge and a relay point. Client stations in a BSS communicate through the AP. If one station in the BSS wants to communicate with another station in the same BSS, the MAC frame is first sent from the originating station to the AP and then from the AP to the destination station. In the same way, a MAC frame from a station in the BSS to a remote station is sent from the local station to the AP and then passed by the AP over the DS on its way to the destination station.
- A DS can be a wired network, a wireless network, or a switch.
- In a BSS, if all the stations are mobile stations and they communicate with each other directly, without an AP, such a BSS is known as an Independent BSS (IBSS). An IBSS is an ad hoc network.

Fig. 4.7.3 : IEEE 802.11 Extended Service Set (figure not reproduced; it shows several Basic Service Sets (BSS), each with stations STA1 to STA4 and an AP, joined by a Distribution System)
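The MPDU format and the CRC check described above, as an added example that is not part of the textbook: the sender packs the MAC header and MSDU and appends a CRC-32 trailer, and the receiver recomputes the CRC and discards any frame whose trailer does not match. The field widths (a 2-byte MAC Control field, 6-byte addresses) and the sample addresses are assumptions made for the example.

```python
"""IEEE 802 MPDU framing with a CRC-32 trailer.

Added example, not from the textbook. Field widths (2-byte MAC Control,
6-byte addresses) and the sample addresses are assumptions for illustration.
"""
import struct
import zlib

HEADER = struct.Struct("!H6s6s")       # MAC Control | Destination | Source (MAC header)
TRAILER = struct.Struct("!I")          # CRC-32 over header + MSDU (MAC trailer)

# Constructed sample addresses (locally administered, not real devices)
DST = bytes.fromhex("02aabbccdd01")
SRC = bytes.fromhex("02aabbccdd02")


def build_mpdu(control: int, dst: bytes, src: bytes, msdu: bytes) -> bytes:
    """Sender side: header + MSDU, then the CRC computed over everything so far."""
    body = HEADER.pack(control, dst, src) + msdu
    return body + TRAILER.pack(zlib.crc32(body))


def parse_mpdu(frame: bytes):
    """Receiver side: recompute the CRC; return the fields, or None to discard the frame."""
    if len(frame) < HEADER.size + TRAILER.size:
        return None                                    # truncated frame
    body, (received_crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
    if zlib.crc32(body) != received_crc:
        return None                                    # one or more bits altered in transit
    control, dst, src = HEADER.unpack(body[:HEADER.size])
    return {"control": control, "dst": dst, "src": src, "msdu": body[HEADER.size:]}


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error in a single bit of the frame."""
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo() -> dict:
    frame = build_mpdu(0x0001, DST, SRC, b"LLC PDU sample payload")
    clean = parse_mpdu(frame)
    damaged_msdu = parse_mpdu(flip_bit(frame, 8 * HEADER.size + 3))   # error inside the MSDU
    damaged_addr = parse_mpdu(flip_bit(frame, 8 * 2 + 5))             # error inside the destination
    return {"clean_msdu": clean["msdu"], "clean_dst": clean["dst"],
            "msdu_error_discarded": damaged_msdu is None,
            "addr_error_discarded": damaged_addr is None}


if __name__ == "__main__":
    print(demo())
```

The CRC is an error-detecting code, not an integrity check: it has no key, so it catches noise on the channel but says nothing about deliberate modification. That is why the 802.11i privacy service described later adds a keyed message integrity code on top of this trailer.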
Association-Related Services

- In Fig. 4.7.3, it is shown that each station belongs to a single BSS, i.e. each station is within wireless range only of other stations within the same BSS. It is also feasible for two BSSs to overlap geographically, so that a single station could participate in more than one BSS. Additionally, the association between a station and a BSS is dynamic. Stations may turn off, come within range, and go out of range.
- An Extended Service Set (ESS) contains two or more basic service sets interconnected by a distribution system. The extended service set appears as a single logical LAN to the LLC level.
- This is where the notion of mobility comes in. There are three types of transition based on mobility :
  1. No transition : Such stations are either stationary or move only within the direct communication range of the communicating stations of a single BSS.
  2. BSS transition : These stations are described as a station movement from one BSS to another BSS within the same ESS. Here, delivery of data to the station needs the addressing capability for recognizing the new location of the station.
  3. ESS transition : These stations are described as a station movement from a BSS in one ESS to a BSS within another ESS. This case is supported only in the sense that the station can move. Maintenance of upper-layer connections supported by 802.11 cannot be guaranteed. Actually, disruption of service is likely to occur.
- The distribution service needs to know where the destination station is located while delivering a message. Basically, the DS needs to know the identity of the AP to which the message should be delivered so that the message can reach the destination station. To fulfil this requirement, a station must keep an association with the AP within its current BSS. There are three services related to this requirement :
  a. Association : The initial association between a station and an AP is established. Before a station transmits or receives messages on the WLAN, its identity and address must be known. So, it is necessary that a station establishes an association with an AP within a particular BSS. The AP can then communicate this information to other APs within the ESS to facilitate routing and delivery of addressed frames.
  b. Reassociation : It allows an established association to be transferred from one AP to another, enabling a mobile station to move from one BSS to another.
  c. Disassociation : A notification from either a station or an AP that an existing association is ended. A station has to give this notification before leaving an ESS or shutting down. Yet, the MAC supervision facility protects itself against stations that vanish without notification.

4.7.1(C) IEEE 802.11 Services

- There are 9 services given by IEEE 802.11 for achieving the WLAN functionalities. Table 4.7.1 lists the services and shows two ways of categorizing them.
  1. The service provider can be either the DS or a station. Station services are employed in every 802.11 station, including AP stations. To support the services provided between BSSs, the Distribution Service Provider is used; these services are possibly implemented in an AP or in another special-purpose device attached to the distribution system.
  2. To control IEEE 802.11 LAN access and confidentiality, 3 services are used. To support delivery of MSDUs between stations, 6 services are used. If the size of the MSDU is too large for transmission in a single MPDU, then it is fragmented and transmitted in a series of MPDUs.

Table 4.7.1 : IEEE 802.11 Services

  No.  Service            Provider             Used to support
  1.   Association        Distribution system  MSDU delivery
  2.   Authentication     Station              LAN access and security
  3.   Deauthentication   Station              LAN access and security
  4.   Disassociation     Distribution system  MSDU delivery
  5.   Distribution       Distribution system  MSDU delivery
  6.   Integration        Distribution system  MSDU delivery
  7.   MSDU delivery      Station              MSDU delivery
  8.   Privacy            Station              LAN access and security
  9.   Reassociation      Distribution system  MSDU delivery

Distribution of Messages within a DS

- Distribution and integration are the two services used for message distribution within a DS.
- The distribution service fulfils the main purpose of the MAC layer, that is, to transfer MSDUs between stations. It is used by stations to exchange MPDUs when the stations that are communicating are in different BSSs. If the two stations that are communicating are in different BSSs, a transmission from a station in one BSS to a station in another BSS logically goes through the single AP of that BSS and the distribution service. The distribution service needs information about stations within the ESS, which is given by the association-related services. Before the distribution service can deliver data to or accept data from a station, that station must be associated.
- The integration service allows the transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN. The word integrated refers to a wired LAN that is physically connected to the DS and whose stations may be logically connected to an IEEE 802.11 LAN via the integration service. The integration service takes care of any address translation and media conversion logic required for the exchange of data.

4.7.2 802.11i Wireless LAN Security

- Two characteristics of a wired LAN are not innate in a wireless LAN. These properties are :
  1. While transmitting on a wired LAN, a station has to be physically connected to the LAN. In contrast, with a wireless LAN, any station within radio range of the other devices on the LAN can transmit. In a sense, there is a form of authentication with a wired LAN in that it needs some positive and most likely observable action to connect a station to a wired LAN.
  2. Likewise, to receive a transmission from a station that is part of a wired LAN, the receiving station also has to be attached to the wired LAN. On a wired LAN, this gives a degree of privacy by limiting reception of data to stations connected to the LAN. In contrast, with a wireless LAN, any station within radio range can receive.
- So, there is a need for robust security services and methods for wireless LANs. The WEP algorithm was introduced for privacy but it has some major weaknesses. So, Wi-Fi Protected Access (WPA) was introduced for strong security.
- WPA is a set of security methods that eliminates most 802.11 security issues and was based on the current state of the 802.11i standard. The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under the WPA2 program.

4.7.2(A) IEEE 802.11i Services

- Authentication : A protocol is used to define an exchange between a user and an Authentication Server (AS) that gives mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.
- Access control : This function imposes the use of the authentication function, routes the messages correctly, and assists key exchange. It can work with a range of authentication protocols.
- Privacy with message integrity : MAC-level data, for example an LLC PDU, are encrypted along with a message integrity code that makes sure that the data have not been changed.

4.7.2(B) IEEE 802.11i Phases of Operation

- IEEE 802.11i RSN operation is divided into 5 phases. The nature of the phases will depend on the configuration and the end points of the communication. Possibilities include :

Fig. 4.7.4 : IEEE 802.11i phases of operation (figure not reproduced; it shows the STA, the AP, the AS and the End Station, and the five phases: Phase 1 - Discovery, Phase 2 - Authentication, Phase 3 - Key Management, Phase 4 - Protected Data Transfer, Phase 5 - Connection Termination)

- Fig. 4.7.4 shows the 5 phases of operation :
  1. Discovery : The discovery phase is for an STA and an AP to identify each other, agree on a set of security capabilities and establish an association for future communication using those security capabilities. The AP sends Beacons and Probe Responses to advertise its IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN with which it desires to communicate. The STA associates with the AP, which it uses to select the cipher suite and authentication method when the Beacons and Probe Responses present an option.
  2. Authentication : In this phase, the STA and AS verify their identities to each other. The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful. The AP does not take part in the authentication transaction except for forwarding traffic between the STA and AS.
  3. Key management : The AP and the STA carry out some operations that cause cryptographic keys to be produced and placed on the AP and the STA. Frames are swapped between the AP and STA only.
  4. Protected data transfer : Frames are swapped between the STA and the end station through the AP. Secure data transfer happens between the STA and the AP only; security is not provided end-to-end.
  5. Connection termination : The AP and STA swap frames. In this phase, the secure connection is torn down and the connection is restored to the original state.

Fig. 4.7.5 : IEEE 802.11i phases of operation: capability discovery, authentication, and association (figure not reproduced; between the Station, the AP and the AS it shows: Probe request / Probe response (security capabilities set per the security policy); Open system authentication request / response (AP performs null authentication); Association request / Association response (station sets the selected security parameters); 802.1X controlled port blocked; 802.1X EAP request / EAP response / Access request (EAP request); Extensible Authentication Protocol exchange; Accept/EAP success (key material); 802.1X EAP success; 802.1X controlled port blocked)
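The capability agreement of the discovery phase, as an added example that is not part of the textbook: the AP's RSN information element is modelled as a plain record, the STA picks one pairwise cipher and one AKM suite from what the AP advertised, and the AP refuses an Association Request that names a suite it never offered. The strength ranking of the suites and the default floor (refuse anything weaker than TKIP) are this example's own policy, not something the textbook states.

```python
"""Security-capability negotiation in the 802.11i discovery phase.

Added example, not the textbook's code. The RSN IE is modelled as a dict and
the strength ranking of the suites is this example's policy (assumption).
"""

# Higher rank = stronger suite. WEP variants rank lowest; unknown suites rank -1.
CIPHER_RANK = {"WEP-40": 0, "WEP-104": 1, "TKIP": 2, "CCMP": 3}
AKM_RANK = {"PSK": 1, "802.1X": 2}


def advertise(group_cipher, pairwise_ciphers, akm_suites):
    """What the AP carries in its Beacon / Probe Response (an RSN-IE-like record)."""
    return {"group": group_cipher, "pairwise": list(pairwise_ciphers), "akm": list(akm_suites)}


def choose_association_request(ap_rsn, sta_pairwise, sta_akm, sta_group, min_rank=2):
    """STA side: pick one pairwise cipher and one AKM from the AP's offer, or None.

    The result is the single set of parameters the STA puts in its Association
    Request: the strongest mutually supported suites, refusing anything ranked
    below min_rank (TKIP by default) so that a WEP-only AP is not joined.
    """
    pairwise = [c for c in ap_rsn["pairwise"]
                if c in sta_pairwise and CIPHER_RANK.get(c, -1) >= min_rank]
    akm = [a for a in ap_rsn["akm"] if a in sta_akm]
    if not pairwise or not akm or ap_rsn["group"] not in sta_group:
        return None                                    # no match: do not associate
    return {"group": ap_rsn["group"],
            "pairwise": max(pairwise, key=lambda c: CIPHER_RANK[c]),
            "akm": max(akm, key=lambda a: AKM_RANK.get(a, -1))}


def ap_accepts(ap_rsn, request):
    """AP side: refuse the Association Request unless every chosen suite was advertised."""
    return (request is not None
            and request["group"] == ap_rsn["group"]
            and request["pairwise"] in ap_rsn["pairwise"]
            and request["akm"] in ap_rsn["akm"])


def demo() -> dict:
    ap = advertise("CCMP", ["TKIP", "CCMP"], ["PSK", "802.1X"])
    request = choose_association_request(ap, {"TKIP", "CCMP"}, {"802.1X"}, {"CCMP"})

    legacy_ap = advertise("WEP-104", ["WEP-104"], ["PSK"])
    legacy_request = choose_association_request(
        legacy_ap, {"WEP-104", "TKIP", "CCMP"}, {"PSK", "802.1X"}, {"WEP-104"})

    # A request naming an AKM the AP never advertised (constructed for the check)
    unadvertised = {"group": "CCMP", "pairwise": "CCMP", "akm": "Vendor-X"}
    return {"request": request,
            "accepted": ap_accepts(ap, request),
            "legacy_refused": legacy_request is None,
            "unadvertised_refused": not ap_accepts(ap, unadvertised)}


if __name__ == "__main__":
    print(demo())
```

Both sides validate: the STA applies its own floor before it sends anything, and the AP checks the request against what it actually offered, which is the "no match, refuse the Association Request" rule the discovery phase relies on.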
Discovery Phase

- In this phase, the STA and AP choose specific techniques in the following areas :
  o Confidentiality and MPDU integrity protocol for protecting unicast traffic (traffic only between this STA and AP)
  o Authentication method
  o Cryptographic key management approach
- To protect the multicast/broadcast traffic, all STAs in a multicast group must use the same protocols and ciphers. The specification of a protocol, along with the selected key length, for the confidentiality and integrity protocols is known as a cipher suite. The choices for the confidentiality and integrity cipher suite are :
  o WEP, with either a 40-bit or 104-bit key, which permits backward compatibility with older IEEE 802.11 implementations
  o TKIP
  o CCMP
  o Vendor-specific methods
- The Authentication and Key Management (AKM) suite defines :
  1. The ways by which the AP and STA perform mutual authentication
  2. The ways for deriving a root key from which other keys may be produced
- The potential AKM suites are :
  o IEEE 802.1X
  o Pre-shared key
  o Vendor-specific methods

802.1X Access Control Approach

- IEEE 802.11i uses the IEEE 802.1X standard. It is a Port-Based Network Access Control. It uses the Extensible Authentication Protocol (EAP).
- 802.1X has the roles supplicant, authenticator, and authentication server. In the perspective of an 802.11 WLAN, the first two terms match the wireless station and the AP. The AS is a separate device on the wired side of the network (i.e., accessible over the DS) but could also exist directly on the authenticator.
- Until the AS authenticates a supplicant, the authenticator only passes control and authentication messages between the supplicant and the AS; the 802.1X control channel is unblocked, but the 802.11 data channel is blocked. Once a supplicant is authenticated and keys are given, the authenticator can then forward data from the supplicant to the network, subject to predefined access control restrictions for the supplicant. Under these conditions, the data channel is unblocked.
- 802.1X uses the concepts of controlled and uncontrolled ports. Ports are logical entities defined within the authenticator and refer to physical network connections. The authenticator has 2 physical ports for a WLAN: one port is used to connect to the DS and the second port is used for wireless communication within its BSS. Every logical port is mapped to one of these two physical ports. An uncontrolled port permits the exchange of PDUs between the supplicant and the AS, in spite of the authentication state of the supplicant. A controlled port permits the exchange of PDUs between a supplicant and other systems on the LAN as long as the current state of the supplicant authorizes such an exchange.

Fig. 4.7.6 : 802.1X Access control (figure not reproduced; it shows the Station (supplicant), the Access point with its Uncontrolled port and Controlled port, the Authentication server, and the links to other wireless stations on this BSS and to the DS)

MPDU Exchange

- There are 3 exchanges involved in the discovery phase :
  1. Network and security capability discovery : During this exchange, STAs find out the existence of a network with which to communicate. The AP either periodically broadcasts its security capabilities, indicated by the RSN IE (Robust Security Network Information Element), in a specific channel through the Beacon frame; or responds to a station's Probe Request through a Probe Response frame. A wireless station may discover available access points and matching security capabilities by passively monitoring the Beacon frames or by actively probing every channel.
  2. Open system authentication : The reason for this frame sequence, which provides no security, is simply to maintain backward compatibility with the IEEE 802.11 state machine, as implemented in existing IEEE 802.11 hardware. In spirit, the two devices (STA and AP) simply exchange identifiers.
  3. Association : The use of this stage is to agree on a set of security capabilities to be used. The STA sends an Association Request frame to the AP, specifying one set of matching capabilities from among those advertised by the AP. If there is no match in capabilities between the AP and the STA, the AP refuses the Association Request. The STA blocks it too, in case it has associated with a rogue AP or someone is inserting frames illegally on its channel. The IEEE 802.1X controlled ports are blocked, and no user traffic goes beyond the AP.

Authentication Phase

- The authentication phase allows mutual authentication between an STA and an authentication server located in the DS. Authentication is designed to allow only authorized stations to use the network and to give the STA a guarantee that it is communicating with a legitimate network.
- The MPDU exchange happens in the authentication phase. The authentication phase has the following three phases :
  1. Connect to AS : The STA sends a request to its AP for connection to the AS. The AP acknowledges this request and sends an access request to the AS.
  2. EAP exchange : This exchange authenticates the STA and AS to each other. A number of other exchanges are possible.
  3. Once authentication is established, the AS creates a Master Session Key (MSK), also called the Authentication, Authorization and Accounting (AAA) key, and sends it to the STA.

EAP Exchange

- During the authentication phase, several possible EAP exchanges can be used. Usually, the message run between STA and AP employs the EAP over LAN (EAPOL) protocol, and the message run between the AP and AS uses the Remote Authentication Dial In User Service (RADIUS) protocol, though other alternatives are available for both STA-to-AP and AP-to-AS exchanges.
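The 802.1X port model and the EAPOL/RADIUS relay of the authentication phase, as an added example that is not part of the textbook: the authenticator (AP) relays every EAP message to the AS over the uncontrolled port whatever the supplicant's state, drops data frames on the controlled port until the AS returns Access-Accept, and only then forwards data towards the DS. The EAP method (a keyed challenge answered with HMAC-SHA256), the RADIUS message shapes and the identities and credentials are simplified assumptions made for the example.

```python
"""802.1X port-based access control for the 802.11i authentication phase.

Added example, not the textbook's code. The EAP method (a keyed challenge
with HMAC-SHA256) and the RADIUS message shapes are simplified assumptions.
"""
import hashlib
import hmac
import os

EAPOL, DATA = "EAPOL", "DATA"          # frame kinds arriving at the AP's wireless port


class AuthServer:
    """RADIUS-like AS: knows each identity's credential and runs the EAP method."""

    def __init__(self, credentials: dict):
        self.credentials, self.pending = credentials, {}

    def access_request(self, identity: str, eap: dict) -> dict:
        if eap["type"] == "Response/Identity":          # identity arrives via the AP
            if identity not in self.credentials:
                return {"code": "Access-Reject", "eap": {"type": "Failure"}}
            nonce = os.urandom(16)
            self.pending[identity] = nonce
            return {"code": "Access-Challenge",         # relayed to the STA as an EAP-Request
                    "eap": {"type": "Request", "nonce": nonce}}
        nonce = self.pending.pop(identity, None)
        expected = hmac.new(self.credentials.get(identity, b""), nonce or b"", hashlib.sha256).digest()
        if nonce is not None and hmac.compare_digest(expected, eap.get("value", b"")):
            return {"code": "Access-Accept", "eap": {"type": "Success"}, "msk": os.urandom(32)}
        return {"code": "Access-Reject", "eap": {"type": "Failure"}}


class Supplicant:
    """Wireless station answering EAP requests with its credential."""

    def __init__(self, identity: str, credential: bytes):
        self.identity, self.credential = identity, credential

    def handle(self, eap: dict):
        if eap["type"] == "Request/Identity":
            return {"type": "Response/Identity"}
        if eap["type"] == "Request":
            return {"type": "Response",
                    "value": hmac.new(self.credential, eap["nonce"], hashlib.sha256).digest()}
        return None                                      # Success / Failure: nothing to send


class Authenticator:
    """The AP: relays EAP on the uncontrolled port, gates data on the controlled port."""

    def __init__(self, auth_server: AuthServer):
        self.auth_server, self.authorized, self.ds_out = auth_server, set(), []

    def receive(self, identity: str, kind: str, payload):
        if kind == EAPOL:
            # Uncontrolled port: EAP is relayed to the AS regardless of supplicant state.
            return self.auth_server.access_request(identity, payload)
        if kind == DATA and identity in self.authorized:
            self.ds_out.append((identity, payload))   # controlled port open: forward to the DS
            return "forwarded"
        return "dropped"                              # controlled port blocked

    def apply(self, identity: str, radius_reply: dict) -> dict:
        if radius_reply["code"] == "Access-Accept":   # authorize the controlled port
            self.authorized.add(identity)
        return radius_reply["eap"]                    # EAP-Request / Success / Failure to the STA


def authenticate(sta: Supplicant, ap: Authenticator, max_rounds: int = 20) -> bool:
    eap = {"type": "Request/Identity"}                # the AP opens with EAP-Request/Identity
    for _ in range(max_rounds):
        reply = sta.handle(eap)
        if reply is None:
            break
        eap = ap.apply(sta.identity, ap.receive(sta.identity, EAPOL, reply))
        if eap["type"] in ("Success", "Failure"):
            break
    return sta.identity in ap.authorized


def demo() -> dict:
    as_ = AuthServer({"alice": b"alice-secret", "carol": b"carol-secret"})   # constructed credentials
    ap = Authenticator(as_)
    before = ap.receive("alice", DATA, b"ping")       # data before authentication is dropped
    alice_ok = authenticate(Supplicant("alice", b"alice-secret"), ap)
    after = ap.receive("alice", DATA, b"ping")
    carol_ok = authenticate(Supplicant("carol", b"wrong-secret"), ap)       # fails the challenge
    unknown_ok = authenticate(Supplicant("dave", b"anything"), ap)          # rejected at identity
    return {"before": before, "alice": alice_ok, "after": after, "carol": carol_ok,
            "carol_data": ap.receive("carol", DATA, b"x"), "unknown": unknown_ok}


if __name__ == "__main__":
    print(demo())
```

The AP never inspects the credential; it only maps RADIUS codes to port state, which is what lets the same authenticator work with any EAP method the AS supports.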
- The following is a summary of the authentication exchange :
  1. The EAP exchange starts with the AP issuing an EAP-Request/Identity frame.
  2. The STA responds with an EAP-Response/Identity frame, which the AP receives over the uncontrolled port. The packet is then encapsulated in RADIUS over EAP and passed on to the RADIUS server as a RADIUS-Access-Request packet.
  3. The AAA server replies with a RADIUS-Access-Challenge packet, which is passed on to the STA as an EAP-Request. This request is of the appropriate authentication type and contains relevant challenge information.
  4. The STA creates an EAP-Response message to the challenge and sends it to the AS. The response is translated by the AP into a RADIUS-Access-Request with the response to the challenge as a data field. Steps 3 and 4 may be repeated multiple times, based on the EAP method in use. For the tunneling methods, it is common for authentication to require 10-20 round trips.
  5. The AAA server permits access with a RADIUS-Access-Accept packet. The AP issues an EAP-Success frame. The controlled port is authorized, and the user may begin to access the network.

4.8 VPN Security

- A Virtual Private Network (VPN) is a secure way of connecting to a private Local Area Network at a remote location, using the Internet or any unsecure public network to transport the network data packets privately, using encryption.
- The VPN uses authentication to deny access to unauthorized users, and encryption to prevent unauthorized users from reading the private network packets. The VPN is used to send any kind of network traffic securely, including voice, video or data.
- VPN allows users working at home or office to connect in a secure fashion to a remote corporate server using the routing infrastructure provided by a public inter-network (such as the Internet).
- The Internet connection over the VPN is encrypted and secure. New authentication and encryption protocols are enforced by the remote access server. Sensitive data is hidden from the public, but it is accessible to appropriate users through a VPN.
- There are the following two ways to create a VPN connection :
  1. By dialing an Internet Service Provider (ISP) : If you dial in to an ISP, your ISP then makes another call to the private network's remote access server to establish the PPTP or L2TP tunnel; after authentication, you can access the private network.
  2. By connecting directly to the Internet : If you are already connected to the Internet, on a local area network, a cable modem, or a Digital Subscriber Line (DSL), you can make a tunnel through the Internet and connect directly to the remote access server. After authentication, you can access the corporate network.

Fig. 4.8.1 : VPN Architecture (figure not reproduced; it shows a Dedicated link to ISP on each side, a Firewall, a VPN server and the Internet in between)

- The requirements of VPN are :
  o Tunneling
  o Encryption
  o Encapsulation
  o Firewall

4.8.1 Tunnelling

- Virtual private network technology is based on the idea of Tunneling. VPN tunneling involves establishing and maintaining a logical network connection. On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.
- Tunneling is the process of placing an entire packet within another packet before it is transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.
- Tunneling allows senders to encapsulate their data in IP packets that hide the routing and switching infrastructure of the Internet, to ensure data security against unwanted viewers or hackers.
- Fig. 4.8.2 shows tunneling. Host x wishes to send a data packet to Host y. The data packet at Host x has the IP address of Host y. Host x transmits the data packet. When the data packet reaches Router Rx, the IP packet is removed from the frame. The router inserts the IP packet in the payload field of a new packet and sends it to Router Ry. On receiving the packet, Router Ry removes the IP packet and sends it to Host y in an Ethernet frame.

Fig. 4.8.2 : Tunneling (figure not reproduced; it shows Host x, Router Rx, a Tunnel across the Wireless Network, Router Ry and Host y, with Ethernet frames at both ends)

- There are two types of Tunneling :
  1. Voluntary tunneling
  2. Compulsory tunneling
- Voluntary tunneling : In voluntary tunneling, the VPN client manages the connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.
- Compulsory tunneling : In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn instantly brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels. This tunneling hides the details of VPN server connectivity from the VPN clients and successfully transfers management control over the tunnel from clients to the ISP. In response, service providers must take on the additional burden of installing and maintaining FEP devices.

4.8.2 VPN Tunneling Protocols

- There are three types of VPN Tunneling Protocols. They are as follows :
  1. Point-to-Point Tunneling Protocol (PPTP)
  2. Layer Two Tunneling Protocol (L2TP)
  3. Internet Protocol Security (IPSec)

1. Point-to-Point Tunneling Protocol (PPTP)

- It is the most commonly supported VPN method among Windows users and it was created by Microsoft in association with other technology companies. As compared to other methods, PPTP is faster and it is available for Linux and Mac users. It is used in the voluntary tunnelling method. It can be easily set up and does processing at high speeds. For a control channel, it is dependent on the PPP (Point to point protocol). Including the PPP data packets, PPTP uses TCP/IP to provide encryption and authentication security to the data packets. The PPTP protocol tunnels a PPP session over an IP network. It is called Point-To-Point Protocol (PPP) and TCP/IP protocol.

2. Layer Two Tunneling Protocol (L2TP)

- L2TP is a tunneling protocol. It is an improved version of the PPTP protocol. It supports LAN-LAN and user-to-LAN connectivity. It provides data integrity and confidentiality. However, it does not provide any encryption or authentication, i.e. it lacks in providing security.

3. Internet Protocol Security (IPSec)

- It is a collection of multiple related protocols like PPTP, L2TP; it is the most important protocol used in VPNs.

4.8.3 Encryption in VPN

- Encryption is the process of encoding data so that only a computer with the right decoder will be able to read and use it. In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end.
- There are two most common forms of encryption :
  1. Symmetric-key encryption : In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.
  2. Public-key encryption : In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.
- In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. However, a VPN needs more than just a pair of keys to apply encryption. That's where protocols come in. A site-to-site VPN could use either the Internet Protocol Security protocol (IPSec) or Generic Routing Encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet Protocol (IP). This framework includes information on what type of packet you're encapsulating and the connection between sender and receiver.
- IPSec is a widely used protocol for securing traffic on IP networks, including the Internet. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server. IPSec consists of two sub-protocols which provide the instructions a VPN needs to secure its packets :
  1. Encapsulated Security Payload (ESP) encrypts the packet's payload (the data it's transporting) with a symmetric key.
  2. Authentication Header (AH) uses a hashing operation on the packet header to help hide certain packet information (like the sender's identity) until it gets to its destination.
- Networked devices can use IPSec in one of two encryption modes. In transport mode, devices encrypt the data traveling between them. In tunnel mode, the devices build a virtual tunnel between two networks. As you might guess, VPNs use IPSec in tunnel mode with IPSec ESP and IPSec AH working together.

4.8.4 Authentication

- Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access
Network-to-network
ctor authentication or other cryptographic methods.
security. authenti ates every IP packet. It uses standard cryptographic methods. Itprovides good
'PSec is a layer3 protocol that authentic VPNs may use passwords, biometrics, two-fa permanently store the key to allow the tunnel to establish
lunnels often use passwords or digital certificates. They
tion from the administrator.
automatically, without interven
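The division of work between ESP (encrypt the payload with a symmetric key) and AH (keyed hash over the header) and the difference between transport and tunnel mode, as an added Python illustration that is not code from the textbook. The ten-byte toy header, the key names, the sample addresses and the HMAC-based toy stream cipher (a stand-in for the AES cipher real ESP uses, since the standard library has no AES) are all constructed for this example; real IPsec adds SPIs, anti-replay windows and padding that are left out here.

```python
import hashlib
import hmac
import struct

# Toy packet header used throughout: src(4) dst(4) ttl(1) proto(1).
# Constructed for this example; a real IPv4 header carries many more fields.
HDR_FMT = "!4s4sBB"
HDR_LEN = struct.calcsize(HDR_FMT)  # 10 bytes
TTL_OFFSET = 8                      # TTL is the field every router rewrites in transit
ICV_LEN = 12                        # truncated HMAC, as IPsec's HMAC-SHA-96 does
PROTO_TCP, PROTO_ESP = 6, 50


def pack_header(src, dst, ttl, proto):
    return struct.pack(HDR_FMT, src, dst, ttl, proto)


def unpack_header(pkt):
    src, dst, ttl, proto = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    return {"src": src, "dst": dst, "ttl": ttl, "proto": proto}


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    A stand-in for the AES cipher real ESP uses (the stdlib has no AES); the
    point is where ESP applies confidentiality, not the cipher itself."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _icv(auth_key, data):
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_protect(enc_key, auth_key, seq, payload):
    """ESP: encrypt the payload with a symmetric key, then authenticate the
    sequence number and ciphertext (ESP's own integrity check value)."""
    seq_bytes = struct.pack("!I", seq)
    ciphertext = _keystream_xor(enc_key, seq_bytes, payload)
    return seq_bytes + ciphertext + _icv(auth_key, seq_bytes + ciphertext)


def esp_unprotect(enc_key, auth_key, esp):
    """Reverse of esp_protect; returns (seq, plaintext) or raises on tampering."""
    seq_bytes, ciphertext, icv = esp[:4], esp[4:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, seq_bytes + ciphertext)):
        raise ValueError("ESP integrity check failed: payload was modified")
    return struct.unpack("!I", seq_bytes)[0], _keystream_xor(enc_key, seq_bytes, ciphertext)


def ah_icv(auth_key, header, body):
    """AH: keyed hash over the header plus body, with the mutable TTL zeroed so
    the check still passes after every router on the path has decremented it."""
    immutable = bytearray(header)
    immutable[TTL_OFFSET] = 0
    return _icv(auth_key, bytes(immutable) + body)


def protect(keys, seq, header, payload):
    """Transport mode: keep the original header in the clear, ESP-protect the
    payload, and append an AH check covering header + ESP body."""
    esp = esp_protect(keys["enc"], keys["auth"], seq, payload)
    return header + esp + ah_icv(keys["auth"], header, esp)


def protect_tunnel(keys, seq, gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole inner packet (header + payload) becomes the
    payload of a new outer packet between the two gateways, so the inner
    addresses are hidden on the public network."""
    outer = pack_header(gw_src, gw_dst, 64, PROTO_ESP)
    return protect(keys, seq, outer, inner_packet)


def unprotect(keys, packet):
    """Receiver side: verify AH over the immutable header first, then ESP-decrypt.
    Returns (header dict, seq, plaintext) or raises ValueError on tampering."""
    header, esp, ah = packet[:HDR_LEN], packet[HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(ah, ah_icv(keys["auth"], header, esp)):
        raise ValueError("AH check failed: header was modified in transit")
    seq, plaintext = esp_unprotect(keys["enc"], keys["auth"], esp)
    return unpack_header(header), seq, plaintext


def forward_hop(packet):
    """Simulates one router on the path: it decrements TTL, which AH must tolerate."""
    hop = bytearray(packet)
    hop[TTL_OFFSET] -= 1
    return bytes(hop)


if __name__ == "__main__":
    # Constructed keys and addresses; real IPsec derives keys per security association.
    keys = {"enc": b"k" * 32, "auth": b"a" * 32}
    inner = pack_header(b"\x0a\x00\x00\x05", b"\x0a\x01\x00\x07", 64, PROTO_TCP) + b"GET /secret"
    wire = forward_hop(protect_tunnel(keys, 1, b"\xc0\xa8\x01\x01", b"\xc0\xa8\x02\x01", inner))
    outer, seq, recovered = unprotect(keys, wire)
    print("outer header:", outer, "inner packet recovered intact:", recovered == inner)
```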
Fig. 4.8.3 : PPTP and L2TP (figure : packet layout showing the IP, UDP, L2TP and PPP headers, the PPP payload (IP datagram) and the trailers, with the inner part marked as encrypted by IPSec)

Advanced System Security & Digital Forensics (MU)

4.8.5 Features of a Typical VPN

1. Keep data confidential (encryption) : Data carried on the public network must be rendered unreadable to unauthorized clients on the network.
2. Ensure the identities of two parties communicating (authentication) : The solution must verify the user's identity and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when.
3. Address Management : It must assign a client's address on the private net and ensure that private addresses are kept private.
4. Key Management : It must generate and refresh encryption keys for the client and the server.
5. Multiprotocol Support : The solution must be able to handle common protocols used in the public network. These include IP, Internet Packet Exchange (IPX) and so on.

4.8.6 Benefits of VPN

1. Low Cost : The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial up networking.
2. Security : VPNs secure the data against access by hackers and unauthorized users by supporting different authentication methods and encryption methods.
3. Scalability : VPNs allow a larger number of users to be added to their network easily without modification in the system infrastructure.
4. Compatibility with broadband technology : VPN provides efficient and flexible methods of accessing the network like broadband, ISDN, DSL, wireless technologies. These connections provide a cost effective method to connect to the remote offices.

4.8.7 Disadvantage of VPN

The performance of a VPN will be more unpredictable and generally slower than dedicated lines due to public Net traffic. Likewise, many more points of failure can affect a Net-based VPN than in a closed private system.

Q.1 What are the different wireless network threats?
Q.2 Write a short note on wired equivalent privacy.
Q.3 Write a short note on WiFi protected access.
Q.4 What are the security threats to mobile devices?
Q.5 What are the elements of the mobile device security?
Q.6 Write a short note on GSM.
Q.7 Write a short note on UMTS.
Q.8 Write a short note on IEEE 802.11 Wireless LAN Security.
Q.9 Write a short note on 802.11i Wireless LAN Security.
Q.10 Write a short note on VPN security.

Legal and Ethical Issues

Syllabus :
5.1 Cybercrime and its types, Intellectual property, Privacy, Ethical issues.
5.2 Protecting Programs and Data, Information and the Law, Rights of Employees and Employers, Redress for Software Failures, Computer Crime, Ethical Issues in Computer Security, Case studies of ethics.

5.1 Cybercrime and Its Types

- Cyber crime encompasses any criminal act handling computer systems and networks. Cyber crime additionally includes conventional crimes performed via the internet.
- A major attack vector of Cyber Crime is to exploit broken software. The crimes are either cybercrimes or cyber related crimes.

Fig. 5.1.1 (figure : classification tree. Cybercrimes : Cyberspecific, e.g. cybervandalism. Cyberrelated crimes : Cyberexacerbated, e.g. cyberstalking, Internet pedophilia, Internet pornography; Cyberassisted, e.g. income-tax cheating (with a computer), physical assault with a computer, property damage using a computer hardware device (e.g., throwing a hardware device through a window))

5.1.1 Types of Cybercrime / Categories of Cybercrimes

The cybercrime is categorized as follows :
1. Violent or potentially violent cybercrime
2. Nonviolent crimes

1. Violent or potentially violent cybercrime categories

These crimes pose a physical risk to some persons. Kinds of violent or potentially violent cybercrime include :
a. Cyberterrorism
b. Assault by threat
c. Child pornography
d. Cyberstalking

a. Cyberterrorism

- Cyberterrorism is committed and planned activity in cyberspace via computer networks. It consists of the usage of e-mail for communications among co-conspirators to communicate records for use in violent acts as well as recruiting individuals through internet sites. It also includes :
o Attacks on air traffic control computer systems that cause the planes to collide or crash.
o Infiltrating water treatment plant computer structures to cause infection of water supplies.
o Hacking into medical institution databases and changing or deleting facts that could result in incorrect, risky remedy of a patient or sufferers.
o Disrupting the electric power grid, which will cause lack of air conditioning in summer and warmth in winter and result in the dying of folks.

b. Assault by threat

- It is used to give life threats via email to people and their loved ones. This may also consist of e-mailed bomb threats sent to businesses or governmental agencies.

c. Child pornography

- Child pornography includes creating pornographic materials of minor children and distributing these materials as well as accessing this material. It becomes a cyber crime when computers and networks are used for any of these activities.

2. Nonviolent cybercrime categories

Nonviolent cybercrimes are divided into the following subcategories :
a. Cybertheft
b. Cybertrespass
c. Cyberfraud
d. Destructive cybercrimes
e. Other nonviolent cybercrimes

a. Cybertheft

Theft is one of the most popular cybercrimes. Cybertheft crimes consist of :
i. Embezzlement : which includes misusing money or belongings entrusted to you by another person.
ii. Unlawful appropriation : In this the criminal is not entrusted with the valuables but gains access to the information from outside the organization. Funds can be transferred where electronic transfers of funds are done illegally to obtain money. Documents can get modified, giving the title to the document to someone who does not own it.
iii. Corporate espionage : Wherein men and women inside or outside a business use the network to steal or exchange trade secrets, financial records, exclusive purchaser lists, advertising strategies or different information that may be used to sabotage the commercial enterprise or gain a competitive advantage.
iv. Plagiarism : It is the theft of someone else's original writing with the intention of transferring it to one's own name.
v. Piracy : Piracy means copying copyrighted software in an illegal manner, for example music, movies, art and books. This act will result in loss of revenue to the legitimate owner of the copyright.
vi. Identity theft : In it the attacker collects the victim's personal information, such as PAN card number or driver's licence, in order to commit a crime or to obtain the property or money which belongs to the victim.
vii. DNS cache poisoning : It is a form of unauthorized interception. The intruders manipulate the contents of a computer's cache to redirect network transmissions data to their own servers.

b. Cybertrespass

- In cybertrespass crimes, the criminal has unauthorized access to a computer's or network's resources but does not misuse or damage the data there. The cybertrespassers read your personal e-mail and documents and note what programs you have on the system.

c. Cyberfraud

- Cyberfraud means selling fake things for the benefit. It can also be named as theft. In the cyberfraud the victim knowingly and voluntarily offers the money to the criminal. Cyberfraud can take other forms; any modification of network data to obtain a benefit can constitute fraud.

d. Destructive cybercrimes

- The destructive cybercrimes damage the network services. Because of this the data is damaged, destroyed and stolen for misuse. These crimes consist of hacking into a network and deleting data or program files. The destructive cybercrimes are :
1. Web server hacking and "vandalizing" Web pages.
2. Introducing viruses, worms, and other malicious code in the computer network.
3. Planning a DoS attack that brings down the server. It also prevents legitimate users from accessing network resources.
4. Cyber vandalism : Cyber vandalism means damaging or destroying data rather than stealing (erasing all the files of a business competitor) and transmitting viruses through email.

e. Other nonviolent cybercrimes

Other nonviolent cybercrimes include :
1. Advertising/soliciting of prostitution services over the Internet.
2. Internet gambling.
3. Selling illegal drugs on the internet.
4. Cyber laundering of illegally obtained money.
5. Cybercontraband, or transferring illegal items, e.g. encryption technology that is banned in some jurisdictions, over the Internet.
5.2 Intellectual Property

- The U.S. legal system distinguishes three primary types of property :
1. Real property : Land and things permanently attached to the land, like trees, buildings, and fixed mobile homes.
2. Personal property : Personal effects, moveable property and goods, like cars, bank accounts, wages, securities, a small business, furniture, insurance policies, jewellery, patents, pets, and season baseball tickets.
3. Intellectual Property (IP) : Any intangible asset that includes human knowledge and ideas. Examples include software, data, novels, sound recordings, the design of a new type of mousetrap, or a cure for a disease.

5.2.1 Types of Intellectual Property

- There are 3 types of intellectual property for which legal protection is available and they are copyrights, trademarks, and patents. The legal protection is against infringement, which is the attack of the rights secured by copyrights, trademarks, and patents. The right to seek civil recourse against anyone infringing someone's property is given to the IP owner. Depending upon the type of intellectual property, infringement may differ.

1. Copyright

- Copyright law protects the tangible or fixed expression of an idea, not the idea itself.
- Copyright is automatically assigned to newly created works in countries that subscribe to the Berne convention, which encompasses the vast majority of nations. The work is protected when the following conditions are fulfilled :
o The proposed work is original.
o The creator has put this original idea into a concrete form, like hard copy (paper), software, or multimedia form.
- Examples of items that may be copyrighted include :
o literary works
o musical works
o dramatic works
o pantomimes and choreographic works
o pictorial, graphic, and sculptural works
o motion pictures and other audiovisual works
o sound recordings
o architectural works
o software-related works
- The copyright owner has the following exclusive rights, protected against infringement :
o Reproduction right : allows the owner to make copies of a work.
o Modification right : concerns modifying a work to make a new or copied work.
o Distribution right : allows the owner to publicly sell, rent, lease, or lend copies of the work.
o Public-performance right : applies mainly to live performances.
o Public-display right : allows the owner to publicly demonstrate a copy of the work directly or by means of a film, slide, or television image.

2. Patent

- A patent for an invention is the grant of a property right to the inventor.
- The right conferred by the patent grant is, in the language of the U.S. law and of the grant itself, "the right to exclude others from making, using, offering for sale, or selling" the invention in the United States or "importing" the invention into the United States. Similar wording appears in the laws of other nations.
- There are three types of patents :
o Utility patents : These patents are granted to anyone who invents or discovers any new and useful process, machine, article of manufacture, or composition of matter, or any new and useful improvement thereof;
o Design patents : These patents are granted to anyone who invents a new, original, and ornamental design for an article of manufacture; and
o Plant patents : These patents are granted to anyone who invents or discovers and asexually reproduces any distinct and new variety of plant.
- An example of a patent from the computer security realm is the RSA public-key cryptosystem. From the time it was granted in 1983 until the patent expired in 2000, the patent holder, RSA Security, was entitled to receive a fee for each implementation of RSA.

3. Trademark

- A trademark is a word, name, symbol, or device that is used in trade with goods to show the source of the goods and to differentiate them from the goods of others.
- A service mark is the same as a trademark except that it identifies and differentiates the source of a service rather than a product.
- The terms trademark and mark are normally used to refer to both trademarks and service marks.
- Trademark rights may be used to prevent others from using a confusingly similar mark, but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark.

5.2.2 Intellectual Property Issues and Computer Security

Intellectual property relevant to network and computer security contains :
- Software : This includes programs produced by vendors of commercial software as well as shareware, proprietary software created by an organization for internal use, and software produced by individuals. For every such software, copyright protection is available. In a few cases, patent protection may also be proper.
- Databases : A database may consist of data that is collected and prepared in such a fashion that it has possible commercial value. An example is a financial forecasting database. Such databases may be protected by copyright.


- Digital content : This group contains audio files, video files, multimedia, courseware, Web site content, and any other original digital work that can be presented in some manner using computers or other digital devices.
- Algorithms : An example of a patentable algorithm, mentioned earlier, is the RSA public-key cryptosystem.

A. U.S. Digital Millennium Copyright Act (DMCA)

- The U.S. Digital Millennium Copyright Act (DMCA) has had a deep effect on the protection of digital content rights in both the U.S. and worldwide.
- The DMCA, signed into law in 1998, is designed to implement World Intellectual Property Organization (WIPO) treaties, signed in 1996.
- In spirit, DMCA strengthens the protection of copyrighted materials in digital format.
- The DMCA gives confidence to copyright owners to use technological measures to protect copyrighted works.
- These measures fall into two categories :
1. Measures that prevent access to the work and
2. Measures that prevent copying of the work.
- Additionally, the law prohibits attempts to evade such measures.
- Explicitly, the law states that "No person shall avoid a technological measure that effectively controls access to a work protected under this title".
- Among other effects of this clause, it prohibits almost all unauthorized decryption of content.
- The law further prohibits the manufacture, release, or sale of products, services, and devices that can crack encryption designed to prevent either access to or copying of material unauthorized by the copyright holder.
- Both criminal and civil penalties apply to attempts to circumvent technological measures and to assist in such circumvention.
- Certain actions are excused from the provisions of the DMCA and other copyright laws, including the following :
o Fair use : This concept is not firmly defined. It is intended to allow others to do, show, quote, copy, and otherwise distribute portions of the work for certain purposes, including review, comment, and discussion of copyrighted works.
o Reverse engineering : Reverse engineering of a software product is allowed if the user has the right to use a copy of the program and if the reason of the reverse engineering is not to duplicate the functionality of the program but rather to achieve interoperability.
o Encryption research : "Good faith" encryption research is allowed. This exemption allows decryption attempts to advance the development of encryption technology.
o Security testing : Security testing is the access of a computer or network for the good faith testing, investigating, or correcting of a security flaw or weakness, with the authorization of the owner.
o Personal privacy : It is generally permitted to bypass technological measures if that is the only reasonable way to prevent the access from resulting in the revealing or recording of personally identifying information.
- Despite the exemptions built into the act, there is considerable concern, especially in the academic community, that the act inhibits legitimate security and encryption research. These parties feel that DMCA stifles innovation and academic freedom and is a threat to open source software development.

Digital Rights Management (DRM)

- Digital Rights Management (DRM) refers to systems and procedures that ensure that holders of digital rights are clearly recognized and receive the fixed payment for their works. The systems further restrict the use of digital objects, like inhibiting printing or prohibiting further distribution.
- There is no single DRM standard or architecture. DRM encompasses a variety of approaches to intellectual property management and enforcement by providing secure and trusted automated services to control the distribution and use of content. In common, the objective is to give mechanisms for the whole content management lifecycle, including the management of rights information associated with the content.
- DRM systems should meet the following objectives :
1. Provide persistent content protection against unauthorized access to the digital content, limiting access to only those with the proper authorization.
2. Support a variety of digital content types (e.g., music files, video streams, digital books, images).
3. Support content use on a variety of platforms (e.g., PCs, PDAs, iPods, mobile phones).
4. Support content distribution on a variety of media, including CD-ROMs, DVDs, and flash memory.

1. DRM Components

Fig. 5.2.2 : DRM components (figure : content provider, distributor, consumer and clearinghouse, linked by protected content, usage rules, licenses, royalty fees and payments)

- Fig. 5.2.2 shows a typical DRM model in terms of the principal users of DRM systems. These are :
o Content provider : Holds the digital rights of the content and needs to protect these rights. Examples : a music record label and a movie studio.
o Distributor : Gives distribution channels, for example an online shop or a Web retailer. The distributor receives digital content from the content provider and creates a Web catalogue presenting the content and rights metadata for its promotion.
o Consumer : Uses the system to access the digital content by retrieving downloadable or streaming content through the distribution channel and pays for the digital license. The player/viewer application used by the consumer takes charge of initiating a license request to the clearinghouse and enforcing the content usage rights.


o Clearinghouse : Handles the financial transaction for issuing the digital license to the consumer and pays royalty fees to the content provider and distribution fees to the distributor accordingly. The clearinghouse is also responsible for logging license use for every consumer.
- In this model, the distributor need not impose the access rights. In its place, the content provider protects the content in such a manner that the consumer has to purchase a digital license and access capability from the clearinghouse.
- The clearinghouse consults usage rules provided by the content provider to determine what access is permitted and the fee for a particular type of access. Having collected the fee, the clearinghouse credits the content provider and distributor appropriately.

2. DRM System Architecture

Fig. 5.2.3 : DRM System Architecture (figure : a service interface over the identity management, content management and rights management modules, with the common functions security/encryption, authentication, authorization, billing/payments and delivery beneath them)

- Fig. 5.2.3 shows a general system architecture to support DRM functionality. The system is accessed by parties in three roles. Rights holders are the content providers, who either created the content or have acquired rights to the content. Service providers include distributors and clearinghouses. Consumers are those who purchase the right to access content for specific uses.
- There is a system interface to the services provided by the DRM system :
1. Identity management : Mechanisms to uniquely identify entities, such as parties and content.
2. Content management : Processes and functions to manage the content lifecycle.
3. Rights management : Processes and functions needed to manage rights, rights holders, and associated requirements.
- Below these management modules are common functions. The security/encryption module provides functions to encrypt content and to sign license agreements. The identity management service makes use of the authentication and authorization functions to identify all parties in the relationship. Using these functions, the identity management service includes the following : allocation of unique party identifiers, user profile and preferences, user's device management, and public key management. The billing/payments function deals with the collection of usage fees from consumers and the distribution of payments to rights holders and distributors. The delivery function deals with the delivery of content to consumers.

5.3 Privacy

- An issue with considerable overlap with computer security is that of privacy. On the one hand, the scale and interconnectedness of personal information collected and stored in information systems have increased dramatically, motivated by law enforcement, national security, and economic incentives. The last mentioned has perhaps been the main driving force. In a global information economy, it is likely that the most economically valuable electronic asset is aggregations of information on individuals.
- On the other hand, persons have become increasingly aware of the extent to which government agencies, businesses, and even Internet users have access to their personal information and private details about their lives and activities.
- Concerns about the level to which personal privacy has been and may be compromised have led to a variety of legal and technical approaches to reinforcing privacy rights.

5.3.1 EU Privacy Law

- The European Union Data Protection Directive was adopted in 1998, to both
1. Ensure that member states protected fundamental privacy rights when processing personal information and
2. Prevent member states from restricting the free flow of personal information within the EU.
- The directive is organized around the following principles of personal information use :
o Notice : Organizations must notify individuals what personal information they are collecting, the uses of that information, and what choices the individual may have.
o Consent : Individuals must be able to choose whether and how their personal information is used by, or disclosed to, third parties. They have the right not to have any sensitive information collected or used without express permission, including race, religion, health, union membership, beliefs, and sex life.
o Consistency : Organizations may use personal information only in accordance with the terms of the notice given to the data subject and the choices they make on its use.
o Access : Individuals must have the right and ability to access their information and correct, modify, or delete any portion of it.
o Security : Organizations must provide adequate security, using technical and other means, to protect the integrity and confidentiality of personal information.
o Onward transfer : Third parties receiving personal information must provide the same level of privacy protection as the organization from whom the information is obtained.
o Enforcement : Permits a private right of action to data subjects when organizations do not follow the law.

5.3.2 US Privacy Law

- The first comprehensive privacy legislation adopted in the United States was the Privacy Act of 1974, which dealt with personal information collected and used by federal agencies. The act is intended to :
1. Permit individuals to determine what records pertaining to them are collected, maintained, used, or disseminated.
Legal and Ethical Issues Advan cad System Security & Digital
—— Forensics (MU)
Ww Advanced System Secu Legal ang Et
rity & ital Forensics (MU)__ 10 Privacy.
d for another pun pose without consent. hicay Issu
a es
; i nepurpose to be use
2. Permit individuals to forbid records obtained for0 h
, and to cor! rect and amend such records as
3. Permit individuals to obtain access to records perta ining to them
| Anonymity without soliciting information
appropriate.
formation in 2 manner that ensures that the
4. Bai
Ensure that agencies collect, maintain, se personal fol
7 .
and u oa for its intended use. Reversible pseudonymity
information is current, adequate, relevant, ind not ext Pseudonymity:
ai 7 Pseudonymity
5. Createa private right of action for indivi ae m ation ised
duals whose pers! onal infor not used
a in ti as outhwith
accordance theeact,
av
indivit Alias pseudonymity
As with all privacy laws and regulations, ere i
are exceptions ai ind conditio!
th ividual rights of privac
vestigations, national security concems, and conflic betwee
ts
y.
n competing indi fave bearcenackeitthat-tay,
While the 1974 Privacy Act covers government records, a number of other ave er
: U.S. laws
ildren's's pri
other areas, including: Banking and firiancial records, Credit , Medical and health insurance records, Children Privacy, = Unobservability
Electronic communications.
Allocation of information impacting unobservability|
5.3.3 Organizational Response
Unobservability without soliciting information |
Organizations need to deploy both management controls and technical measures to comply with laws and regulations
Authorised user observability’
Concerning privacy as well as to implement corporate poli
s concerning employee privacy. ISO 17799 (Code of Practice for
Information Security Management) states the requirement as follows:

ISO 17799: Data Protection and privacy of personal information

An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires an appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, like a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Suitable technical and organizational measures to protect personal information should be implemented.

Common criteria privacy class

The Common Criteria specification contains a definition of a set of privacy functional requirements in a Privacy Class, which should be implemented in a trusted system. The purpose of the privacy functions is to provide a user with protection against discovery and misuse of identity by other users. It is primarily concerned with the privacy of a user with respect to the use of computer resources, rather than with the privacy of the individual's personal data. It is a useful guide to how to design privacy support functions as part of a computer system.

Fig. 5.3.1: Common criteria privacy class decomposition

Fig. 5.3.1 shows a breakdown of privacy into four major areas:

1. Anonymity: Make sure that a user may use a resource or service without disclosing the user's identity. Specifically, this means that other users or subjects are unable to determine the identity of a user bound to a subject (e.g., a process or user group) or operation. It further means that the system will not solicit the real name of a user. Anonymity need not conflict with authorization and access control functions, which are bound to computer-based user IDs, not to personal user information.

2. Pseudonymity: Make sure that a user may use a resource or service without disclosing the user's identity, but can still be held accountable for that use. The system shall provide an alias to prevent other users from determining a user's identity, but the system shall be able to determine the user's identity from an assigned alias.

3. Unlinkability: Make sure that a user may make multiple uses of resources or services without others being able to link these uses together.

4. Unobservability: Make sure that a user may use a resource or service without others, particularly third parties, being able to observe that the resource or service is being used.
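The pseudonymity and unlinkability requirements above are easiest to see in code. The following Python is an added example, not from the book or from the Common Criteria itself: it assumes a service that derives a per-context alias with a keyed HMAC (the derivation scheme, the class and function names and the sample accounts are all assumptions). Other users and third parties only ever see aliases; the service keeps a private resolution table so the user stays accountable; and because the alias is bound to a context, one user's aliases in two contexts cannot be linked without the key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class PseudonymService:
    """Alias issuer modelled on the Common Criteria pseudonymity and
    unlinkability requirements (added example; all names are assumed).

    Pseudonymity: other users only ever see the alias, never the account
    name, but the service can resolve an alias back to the account and
    hold the user accountable for what was done under it.

    Unlinkability: the alias is derived per context (per forum, service
    or session), so two aliases of the same user in different contexts
    share nothing an observer could use to tie them together.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # The derivation key is the only secret and never leaves the service.
        self._key = key if key is not None else secrets.token_bytes(32)
        # Private resolution table: (context, alias) -> account. Its
        # existence is what separates pseudonymity from anonymity, where
        # no party at all can resolve the alias.
        self._resolution: Dict[Tuple[str, str], str] = {}

    def alias_for(self, account: str, context: str) -> str:
        """Return the stable alias of `account` within `context`."""
        msg = context.encode() + b"\x00" + account.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        alias = "u-" + digest[:8].hex()
        self._resolution[(context, alias)] = account
        return alias

    def resolve(self, context: str, alias: str) -> Optional[str]:
        """Accountability hook: only the service can map an alias back."""
        return self._resolution.get((context, alias))


def observer_can_link(alias_a: str, alias_b: str) -> bool:
    """All a third party can do with two aliases is compare them.

    Without the key there is no computation relating one alias to the
    other, so equality is the only test an observer has.
    """
    return alias_a == alias_b


def audit_record(service: PseudonymService, account: str,
                 context: str, action: str) -> Dict[str, str]:
    """Audit entry naming the alias rather than the account, so the log
    can be shown to other users while the service can still resolve it."""
    return {"context": context,
            "actor": service.alias_for(account, context),
            "action": action}


if __name__ == "__main__":
    svc = PseudonymService()
    forum = svc.alias_for("alice", "forum")   # constructed sample account
    wiki = svc.alias_for("alice", "wiki")
    print("forum alias:", forum, "wiki alias:", wiki,
          "linkable by observer:", observer_can_link(forum, wiki))
    print("resolved by service:", svc.resolve("forum", forum))
```

The design choice worth noting is that the alias is deterministic within a context (so repeated actions by one user in one forum are accountable to one alias) but keyed and context-bound (so nothing ties the forum alias to the wiki alias); anonymity in the Common Criteria sense would drop the resolution table entirely.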
5.4 Ethical Issues

The definitions according to the Oxford English Dictionary of ethics, morals and hacker are:

1. Ethics: "The science of morals; the department of study concerned with the principles of human duty. The moral principles by which a person is guided."

2. Moral: "Of or pertaining to character or disposition, considered as good or bad, virtuous or vicious; of or pertaining to the distinction between right and wrong, or good and evil, in relation to the actions, volitions, or character of responsible beings; ethical."

3. Hacker: "A person with an enthusiasm for programming or using computers as an end in itself." Or, "A person who uses his skill with computers to try to gain unauthorized access to computer files or networks."
Advanced System Security & Digital Forensics (MU) 5-12 Legal and Ethical Issues

The hackers are of the following types:

a. Self-described hackers: These hackers enjoy experimenting with technology and writing code.
b. Media-labelled hackers (crackers): These hackers break into systems, cause damage, and write malware.
c. Ethical hackers: These are former hackers or crackers who have joined the security industry to test network security and create security products and services.

Ethical issues emerge as a consequence of the role of computers, for example, the following:

- Repositories and processors of information: Unauthorized utilization of generally unused computer services or of data put away in computers brings up issues of suitability or fairness.
- Producers of new forms and types of assets: For instance, computer programs are altogether new types of assets, potentially not subject to the same ideas of ownership as other assets.
- Instruments of acts: To what extent must computer services, and users of computers, information, and programs, be responsible for the integrity and suitableness of computer output?
- Symbols of intimidation and deception: The images of computers as thinking machines, outright truth makers, trustworthy, subject to fault, and as substitutes for people who fail ought to be carefully considered.
- Technology intrusion: Internal privacy to the firm, external privacy to the firm, computer observation, employee monitoring, hacking.
- Ownership issues: Moonlighting, proprietary rights, conflicts of interest, software copyrights, use of organization resources for individual advantage, theft of information, programming software, or hardware.
- Legal issues and social responsibilities: Embezzlement, misrepresentation and misuse, for example through EFTs or ATMs; accuracy and timeliness of information; over-evaluated system abilities and "savvy" computers; monopoly of information.
- Personnel issues: This issue covers employee harm from job obsolescence, ergonomics and human components, and training to keep away from obsolescence.

A. Hacker Ethics

Some hackers reject this code for a variety of reasons.

B. ACM Code of Ethics and Professional Conduct

1. Contribute to society and human well-being.
2. Avoid harm to others.
3. Be honest and trustworthy.
4. Be fair and take action not to discriminate.
5. Honor property rights including copyrights and patents.
6. Give proper credit for intellectual property.
7. Respect the privacy of others.
8. Honor confidentiality.
9. Know and respect existing laws.
10. Access computing and communication resources only when authorized to do so.
11. Improve public understanding of computing and its consequences.

All these rules highlight a need to obey the law, avoid harm, and respect others' privacy and property, but also to further knowledge and understanding.

C. Ten Commandments of Computer Ethics (CEI)

1. Do not use a computer to abuse and harm other people.
2. Do not interfere with other people's computer work.
3. Do not peep around in other people's computer files.
4. Do not use a computer for theft.
5. Do not use a computer to convey false witness.
6. Do not use a duplicate copy of proprietary software for which you have not paid.
7. Do not use other people's computer resources without permission.
8. Do not appropriate other people's intellectual output.
9. Always think about the social importance of the program you are writing or the system you are designing.
10. Always use a computer in ways that assure consideration and respect for your fellow humans.

5.5 Protecting Programs and Data

Computer programs are protected legally by using copyrights, patents, and trade secrets.

1. Copyrights

- Copyrights are designed to protect the expression of ideas. Copyright is applied to creative work like a story, song, photograph, or pencil sketch. Copyright protects the right to copy an expression of an idea. The goal of a copyright is to permit regular and free exchange of ideas.
- An author writes a book; the book represents the expression of an idea. The author sells the book to earn a living, so the law protects an individual's right to earn a living, while recognizing that exchanging ideas supports the intellectual growth of society.
- The copyright law says that a specific method for communicating a thought belongs to its creator. For instance, in music there might be a few copyrights identified with a solitary creation: an author can copyright a melody, an arranger can copyright an arrangement of that melody, and a performer can copyright a performance of that same tune. The value you pay for a ticket to a show incorporates remuneration for each of the three imaginative articulations.
- Due to copyright, the author gets the right to make copies of the expression and sell it publicly.
- Intellectual property: As per U.S. copyright law (§ 102) a copyright can be registered for "original works of authorship fixed in any tangible medium of expression, ... from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device." "In no case does copyright protection for an original work of authorship extend to any idea." Copyright does not cover the idea being expressed. A copyrighted work should be original and must be in some tangible medium of expression.
- In the United States, a form is completed and submitted to the Copyright Office, with a small fee and a copy of the work. In fact, the Copyright Office needs only the first 25 and the last 25 pages of the work, to help it identify the expression in the event of a court case. The law permits filing up to five years late, but no infringement previous to the time of filing can be prosecuted, so a work should be filed within three months after its first distribution.
- Copyright is granted to the originator of the work. Distribution of the work is the purpose of copyright.
- The work must be somewhat original. Some expressions in the public domain are not subject to copyright, but if originality is added then the result can be copyrighted. In such cases there is no need to identify what is public domain. For instance, a collection of folksongs can be copyrighted by a historian. This collection includes some public domain material and some original material. Here, the historian might argue that collecting the songs, choosing which ones to include, and putting them in order was the original part. In this situation, the copyright law would not protect the folksongs themselves but would rather secure that particular choice and arrangement. Somebody selling a sheet of paper on which only one of the tunes was composed would likely not be found to have infringed on the copyright of the historian. Lexicons can be copyrighted along these lines as well; the creators do not profess to claim the words, only their appearance as a specific selection.
- A U.S. copyright now lasts for 70 years after the death of the last surviving author, or, if the entity was copyrighted by a company or organization, for 95 years after the date of publication. The international standard is 50 years after the death of the last author or 50 years from publication.

a. Copyright infringement

- The holder of the copyright must go to court to prove that someone has infringed on the copyright. The infringement must be considerable, and it must be copying, not independent work.
- Suppose two composers have written the same song independently, neither knowing the other. Neither would have infringed on the other, and both have the right to distribute their work for a fee.
- It is easy to understand copyright for written works of fiction, as it is very unlikely that two people can express their idea with the same wording. The freedom of nonfiction works is not nearly so clear; for example, long division can be explained in a number of ways, so two independent books can use the same wording for that explanation.

b. Fair use of material

- A copyrighted object is subject to fair use as per the copyright law.
- A purchaser of the copyrighted material has the right to use the product in the way for which it was planned and in a way that does not obstruct the author's rights.
- A fair use of copyrighted work is allowed by the law. It includes the reproduction of copies for purposes like criticism, comment, teaching, research or scholarship.
- Fair use permits making a backup copy of copyrighted software which you have got legally. The backup copy protects you against system failures but it does not affect the author.
- The copyright law typically supports the author's right to a fair return for the work and encourages others to use the underlying ideas.
- Unfair use of the copyrighted item is known as piracy.
- Because of the photocopier, it is difficult to enforce fair use. There are many commercial copy shops in the market; they copy a portion of a chapter from a book but refuse to copy an entire volume, citing fair use. With photocopiers the quality of the copy degrades with each copy, as you know if you have ever tried to read a copy of a copy of a paper.
- There is a concept of first sale in the copyright law. When you have bought copyrighted material, you as the owner can give away or resell the material. It means the copyright owner is permitted to control only the first sale of the object.
- The first sale idea works well for books. An author is rewarded when a bookstore sells a book, but the author earns no extra income if the book is later resold at a secondhand store.

c. Copyright registration requirements

- Acquiring a copyright is an easy process, and mistakes in getting a copyright can be corrected.
- The first step for copyright registration is notice: any user can be made aware that the work is copyrighted. All the copies must be marked with the copyright symbol ©, the word Copyright, and the remaining notice details.
- All the distributed copies must be marked, though the law will forgive a failure to mark if an effort is made to remember and mark any copies distributed without a mark.
- The copyright has to be filed officially.

e. Copyrights for computer software

- The original copyright law imagined protection for things like songs, books, and photographs, so people can easily find when these items are copied. The division between public domain and creativity is quite clear, and the difference between an idea and its expression is pretty understandable.
- Works of nonfiction reasonably have less scope for independent expression.
- Due to programming language constraints and speed and size efficiency, computer programs have less scope still.
- In 1980 the copyright law included a clear definition of computer software.
- Yet copyright protection may not be an especially popular form of protection for computer works. Consider the algorithm used in a given program: the algorithm is an idea and the statements of the programming language are the expression of the idea, so protection is permitted for the program statements themselves, but not for the algorithmic idea. Copying the code wholesale is illegal, but reimplementing the algorithm is acceptable.
- The purpose of the copyright is to promote the distribution of ideas; that is, the idea embodied in the computer program is to be shared.
- Another problem with copyright protection for computer works is the necessity that the work be published. A program is possibly published by distribution of copies of its object code, for example on a disk. On the other hand, if the source code is not distributed, it has not been published. A suspected infringer cannot have violated a copyright on source code if the source code was never published.

f. Copyrights for digital objects

- In 1998, the Digital Millennium Copyright Act (DMCA) cleared some issues of digital objects like music files, graphics images, data in a database, and also computer programs, but it left others unclear.
- The DMCA provisions are as follows:
  o Digital objects can be subject to copyright.
  o It is a crime to manufacture, sell, or distribute devices that disable antipiracy functionality or that copy digital objects.
  o It is a crime to avoid or disable antipiracy functionality built into an object.
  o Though, these devices can be used for research and educational purposes.
  o It is all right to make a backup copy of a digital object as a protection against hardware or software failure or to store copies in an archive.
  o Libraries can make up to three copies of a digital object for lending it to other libraries.
- A user can make sensible copies of an object for normal use and for protection against system failures. If a system is regularly backed up and so a digital object like a software program is copied onto various backups, then it is not a violation of copyright.
- There is uncertainty in deciding what piracy is. A disassembler or decompiler is used to study and improve a program. If someone decompiles an executable program, studies it, infers its method and then alters the result, that is misusing the decompiler. But it is difficult to differentiate, as the use depends on the intent and the context. It is as if there were a law saying it is legal to sell a knife to cut vegetables but not to hurt people. Knives do not know their uses; the users decide intent and context.
- Suppose you have bought a music CD to listen to again and again. If you want to listen to the music on your MP3 player, that is a sensible fair use. But the CD is copy protected, so you cannot download the music to your computer to transfer it to your MP3 player. You have been prohibited from reasonable fair use. Furthermore, if you try to carry out anything to avoid the antipiracy protection, you violate the antipiracy provision, nor can you buy a tool or program that would let you download your own music to your own MP3 player, because such a tool would infringe that provision.
- Digital objects are more challenging than paper ones as they can be copied exactly. Copyright protects the right of an inventor to profit from a copy of an object, even if no money changes hands.
- A promising principle is that software, like music, is obtained in a style more like rental than purchase. You purchase not a piece of software, but the right to use it. With the help of copyright it is a criminal offense to duplicate or distribute copyrighted works, like software or digital recordings, even without charge.
- It is not certain what features of a computer work are subject to copyright. Courts have ruled that a computer menu design can be copyrighted but that "look and feel" cannot.
- Copyrights do not tackle all the serious computing system elements that need protection. For example, a programmer might want to protect an algorithm, not the way that algorithm was expressed in a particular programming language. Unfortunately, it may be hard to get copyright protection for an algorithm, at least as copyright law is currently understood.

2. Patents

- Patents protect inventions, tangible objects, or ways to make them. Patents do not protect works of the mind.
- The difference between patent and copyright is that patents are intended to apply to the results of science, technology and engineering; on the other hand, copyrights cover works in the arts, literature, and written scholarship.
- The laws of nature and mental processes are excluded from copyright and patent. For example, you cannot copyright 3 + 3 = 6, as this expression is in the public domain.
- A patent does not protect the idea itself.
- If the same song is composed by two composers, copyright allows both composers to copyright their songs. But if the same invention is invented by two inventors, then the patent goes to the person who invented it first, regardless of who first filed the patent. There is only one patent for one invention.
- An object patented must also be non-obvious. Obvious inventions by a person with ordinary skills are not patented. For example, a piece of cardboard to be utilized as a bookmark would not be a conceivable contender for a patent, in light of the fact that the possibility of a bit of cardboard would be obvious to practically any reader.

a. Patent registration process

- To register a patent, the inventor first has to convince the Patent and Trademark Office that the invention deserves a patent. A patent attorney will research the patents already issued for the same invention, and for this they will charge fees; the check is that the invention to be patented is not patented by someone earlier. Then the Patent Office compares the application with all other similar patented inventions and decides whether the application covers something original and non-obvious. If the office decides that the invention is original, then the patent is granted.
- Usually the inventor writes a patent application which lists many claims of novelty, from very general to very specific. The patent office disallows some of the general claims while upholding some of the specific ones; the patent is valid for all the upheld claims.
- The patent application states the originality of the invention with sufficient detail to allow the patent office and the court to judge the originality.
- The degree of detail of the patent reveals to the world how the invention works, so it also opens the possibility of infringement.

b. Patent infringement

- A patent holder can oppose all infringement.
- A patent holder can ignore small infringements, but he can prosecute in court the serious infringement where he can ensure success.
- If a patent holder fails to sue a small patent infringement, or one the patent holder does not know about, he may lose the patent rights completely.
- Unlike copyright infringement, it is not necessary for the patent holder to prove that the infringer copied the invention. A patent infringement can occur even if someone independently invents the same thing without knowledge of the patented invention.
- It is possible to prosecute every infringement, but the prosecution is expensive and time consuming. In the worst case it is possible that the patent holder can lose the patent.
- A person who is charged with infringement can argue the following points as a defense against the charge of infringement:
  o The alleged infringer claims that both inventions are different, so no infringement occurred.
  o If earlier infringements were not opposed, then the patent rights may no longer be valid; it means the patent is invalid.
  o The infringer convinces the court that the invention is not novel, by proving that the patent office acted incorrectly in granting the patent, or that the invention is nothing worthy of a patent.
  o The infringer convinces the court that he invented the object first (novelty of the invention); then he will get the invention rights.
- The first defense in the court does not damage the patent, but the other three defenses can destroy the patent right. When all four defenses are used every time the patent holder sues someone for infringement, obtaining and defending a patent needs substantial legal fees.


y= 5-19
5-18
Legal and Ethical Issueg
Sty applicability to computer objects Ets
BZ Advances System Security & Digital Forensics (MU)
Cc.
Applicabitity of patents to computer objects . its novelty depends o puter software, The fundamental algorithm of a com,
\

put its n ity MNO one else's kn owing it


Puter program, is novel
Computer software patents are not encouraged by the patent office, ; ot subject to patent.
secreteprotection
designssecret
trade permits sharin 8 Ofof the result of a
Computer programs are the representation of an algorithm andaiggrtions are 1 into binary in the patent case of d. secret (the executable program) but keeping the progra
m,
Supreme Court rejected the claim of the patent of corverting decimal Oe in other words an algorithm. But trade secret protection does not cover Copying a F " 7
Gottschalk vs. Benson by saying that it is an attempt of patenting an abetrest somebody else's program with no permission, Product, , thus thusi it cannot protect against a pirate who sells copies of
Many e software developers would like to protect the underlying algorithm. scxsimaresiitiigas vest
won the patterns for el re for It is illegal to steal a secret algorithm and use it in another product.
In the two cases Diamond vs. Bradley and diamond vs. diehr they © cure
temperature sensors, and a computer ngineering is th in i i
computer software Where a well known algorithm, i was for the @ p process that USés the yneeine . vain a . ter 'ssue with computer Programs. A source version of an executable program can be
claim
rubber seals. In this case the court upheld the right to a patent because the produced by 7 i
eo ler and disassembler ?
Programs. Certainly, this source does not have the descriptive
software as one of its steps, and not for the software on the algorithm alone. variable names and the comments which explain
software, recognizing that algorithms, such
the code, but it is a correct version that somebody else can learn,
So since 1981 the patent law has expanded to include computer reuse, or extend.
as processes and formulas are inventions.
Difficulty of enforcement
Trade secrets
9

Trade secret protection is of no use when someone deduces a Program's design by studying its output or decoding the
Trade secret is not like patent copyright trade secret must be kept asecret. object code. These both activities are legal, and cause trade secret protection to disappear.
In trade secret information has value only if it is kept as a secret.
The privacy of a trade secret must be ensured with sufficient protections. If source code is distributed loosely or if the
In this infringer is the one who reveals the secret. Once the secret is revealed then the revealed information cannot be
owner fails to impress on employee the significance of keeping the secret, any suit of infringement will be damaged.
made secret again.
Employment contracts usually comprise a clause stating that the employee will not reveal any trade secrets received
A trade secret is information that gives one company a competitive edge Over the Other companies. For example, the from the company, even after lea g a job, Extra protection, for example, marking copies of sensitive documents or
formula for making a soft drink a trade secret. controlling access to computer files of secret information, may be essential to impress people with the significance of
The most important characteristics of trade secret is it must always be kept secret. So it is very important that the confidentiality.
employees and the outsiders who are aware about the secret must not reveal it.
Protection for computer objects :
The owner has to take precautions to protect the secret like storing secrets in a safe, encrypt it in a computer file, or
making employees to sign a contract that they will not reveal the secret. © Copyright
‘Patent ° * fo hae Trade Secret
If someone acquires a trade secret inappropriately and earns profits from it, the owner has the right to recover profits, not Invention the way something | A secret, competi
Protects It protects Expression of idea,
damages, and legal costs. works advantage
idea itself
The court will do whatever it can to return the trade secret owner to the same competitive position it had while the is filed. No
Protected object | Yes; intention is to promote At patent office design
information was secret and may give damages to pay compensation for lost sales. tion
[publica
But, the trade secret vanishes if an individual independently discovered the secret then there will be more instrument made public No
|
to | Yes No
and trade secret rights are gone. Requirement
One more method distri bute |
by which trade secret protection can vanish is by ie siroent d | No filing is needed.
ght, | It is very complicated. You nee
reverse engineering.
Assume
a ph ii 7 bestsppreach to pack tissues
i ini a cardboard box to make one spring up as another tmtt ine | Itisi very easy to file for copyri
eae is pulled e of filing
: Oe 7 — the = and concentrate lf.
on the procedure. In this manner, competitive innovation is you can do ityourse
ee J.
guring
urin
out, one examination
i i
a completed article
i,
to decide how it is produced or how itil
ee ce aaa : 19 years Indefinite
originator plu
Through fi Duration Life of human
i
sane nd howe fiero eal find how a phone is constructed; the plan of the phone is clear from the years, or total of 95 years for @
e el
company i invention | Take legal action s if
8 frcok
So, a patent is the proper way to guard an invention. For example, action if i eect
a telephone. tion
A _| Take > lee@! | actio’ ifunauthorized Takeie = obtained
On the other hand, something like a soft drink isnot Legal protection copi
Just the mixture of its ingredients, Soft drink making
time, temperature, presence of ‘oxygen or
es, and related factors that may eng28° copy 50Id
other gas:
chemical breakdown of the product. A soft drink reci could not be learned from a straight
Pe is a very much prote:
works best when the secret is not e lent in the product, Protected trade secret. Trade secret prote!
ction ee
SS eee Ue
wne
pannic
Scanned with CamScanner
5.5.1 Guidelines for Using the Law to Protect Computer Objects

The following are the guidelines for using the law to protect computer objects:

- Protecting hardware: It is possible to patent hardware like disk drives, chips, and floppy disk media. A special purpose chip which performs one specific task can also be patented, as well as the new process for manufacturing it.
- Protecting firmware: The physical device on which the microcode is stored can be patented. You cannot patent the data contained in the devices. You cannot copyright computer firmware. Trade secret protection can be used for the code.
- Protecting object code software: Object code is copied and distributed for profit. The work is original and it is in an acceptable medium of publication, so copyright protection seems proper. A copyright application is accompanied by a copy of the object being protected, in printed or recorded format. An appropriate medium in which to accept object code is not yet decided by the Copyright Office. It can be a binary listing of object code, without acknowledging the listing to be acceptable or sufficient. Few people would argue that a source code listing is equal to an object code listing, just as a Hindi translation of a novel is different from its original language (English). It is difficult to compare two binary files if the original source code is not available.
- Protecting source code software: When software developers sell their code to the mass market, they are silent about their source code distribution. The code is treated as a trade secret, though a few lawyers also encourage that it be copyrighted. A copyright does not prevent someone from reimplementing an algorithm expressed through a copyrighted computer program. Embedding small errors or identifiable peculiarities in the source (or object) code of a program may be more useful in determining copyright infringement.
- Protecting documentation: The nonfiction written work documentation is also protected using copyright. Documentation is different from the program, so the program and its documentation must be copyrighted separately. If someone illegally copies your documentation as well as the program, then you can claim both and win the judgment.
- Protecting web content: Copyright protects the web content as well as the software which is written to animate it. If the web page contains any malicious code, then your copyright covers that also.
- Protecting domain names and URLs: Trademark protects URLs, domain names, company names and commercial symbols.
5.6 _ Information and the Law Itis not fair to copy the newspaper that wav-
3.
| Fi " degradation
uality
Source code, object code, and even the “look and feel" of a computer screen are identifiable, , of information same
if not tangible, objects. + TEs ess the copy is equivalent to the original. The cost
The aw a sensibly weil, albeit to some Many people prefer to buy or! inalia pau ed cost is large and the cost of copy is less.
degree too late, with these things. In any case, processing is experiencing
: .
: 1 t
plus cost! stor .
on fixed costs
sea change e another class of object, with i
new lawful assuranc
way depends
e prerequisites, Electronic trade, electronic
pendent :
often time de
distributing, electronic voting, electronic
The value of information is
banking these are the new difficulties qd,
to the legal system
aware that Microsoft is going to announce
5.6.1 Information as an Object hen yo u know it. If you are
n is dependin — it will help to know the
The value of informatio tits today’s and tomorrow's share price then
— The shopkeeper used to stock "things" in the alre aware abo ut from this information.
store, for example, bulbs, fans and pounds of sugar. The purchasers something in next week and you can earn profit
clients. At the point whena thing was sold toa
were YO
oft stock pI rice. 5
yu
a nt, the shopkeeper's stock of that thing was decreased exact price of the Micros
the client paid for and left with athing.
and then the client could exchange the t ing to by one,and tangibly * ; .
or less than the client initially paid. another person, for more Information Is often transferred in rk, tis not printed on the paper. If the bits are clearly defective,
ation is wrong, of no use,
: Inf del its across 4 netw tion copy is correct but the original inform
Other types of shops gave services that could be distinguished a Information is del formal ;
services had a set price,
s things, for example, a haircut, and root canal. Some
: asy. But the ln m that the|! formation is damaged.
although one provider charges more fo) representing such fault is €
r that service than another. A “shopkeeper” basically claii
sold time. For instance, the price of a haircut generally relatedt 0 tl the cost of the stylist's time. justify @
it ishard to
The value of a servic ein or not as expected,
ea
Advanced System Security & Digital Forensics (MU) 5-22 Legal and Ethical Issues

5.6.2 Legal Issues Relating to Information

- Information has limited legal basis for protection. Information can be related to trade secret, copyright or other protection. The vendor has a rightful ability to profit from information. For example, in stock trade, information is the stock in trade of the information vendor, and trade secret protection applies obviously to the seller's information. Therefore, the courts identify that information has value. We will see some examples where the information requirements are set to place an important burden on the legal system.

1. Information commerce : Information is also traded, as it has value and is the basis of some form of commerce. In general, in software piracy information is copied without giving enough payment to those who actually deserve to be paid. To avoid this, many approaches like copy protection, freeware, and controlled distribution are used. In one more approach, software is being delivered as mobile code or applets, supplied electronically as needed. But, it is a costly approach.

2. Electronic publishing : Many newspapers and magazines post a version of their content on the Internet. For example, the British Broadcasting Company (BBC) has a major web presence. We should expect that some news and information will eventually be published and distributed exclusively on the Internet. Certainly, encyclopedias like the Britannica and Expedia are web-based services, rather than being delivered as the large number of book volumes they used to occupy. Again the publishers are having the problem of ensuring fair compensation. Cryptography-based technical solutions can be used to address this problem.

3. Protecting data in a database : Databases have posed problems for legal interpretation. A database is a particular form of software. The courts are facing difficulties in deciding which protection laws apply to databases. It is difficult to determine that a set of data came from a particular database. If the database is public, then who owns that database?

4. Electronic commerce : There are laws from the centuries for trade in goods. These laws give enough protection to cover defective goods, fake payment, and tangible goods delivery failure for goods that are bought through traditional outlets like stores and catalogs. But, when the good is traded electronically, this situation becomes less clear. For electronic goods, digital signatures and other cryptographic protocols can give a technical protection.

5.6.3 Protecting Information

Copyright, trade secrets and patents give protection to some information but not for all the issues related to the information. For this, the legal system has some mechanisms.

1. Criminal and Civil Law

- Statutes are laws that state openly that certain actions are illegal. A statute is the result of a legislative process where the governing body states that the new law will be in force after a designated time. For example, the parliament may argue issues associated to taxing Internet transactions and pass a law about it.

- In criminal trials a violation of a statute is seen. Here, the government fights for punishment because an illegal act has harmed the preferred nature of society. For instance, the government will prosecute someone who breaks a law passed by the government. Criminal laws need a high standard of proof of guilt. Civil law does not require a high standard of proof of guilt. In a civil case, a person, organization, company, or group claims it has been harmed. Civil cases seek compensation; it makes the victim "whole" again by repairing the harm. For instance, Vijay kills Anthony. Since Vijay has infringed upon a law against homicide, the government will indict Vijay for having violated the law and will request, on behalf of society, that he be put in prison. The surviving spouse may be at the criminal trial, wanting to see Vijay put in prison. Be that as it may, she may likewise sue him in civil court for wrongful death, seeking payment to help her in rearing the kids.

2. Tort Law

- A tort is harm not occurring from breach of a law or from breach of a contract but instead from being counter to the accumulated body of examples. Statute law is written by legislators and is interpreted by the courts; tort law is unwritten. It evolves through court decisions that become examples for cases that follow. The basic test of a tort is what a sensible person would do. An example of tort law is fraud, where one person lies to another, causing harm.

- Information is completely suitable to tort law. The court just has to decide what is reasonable behavior, not whether a law covers the activity. For example, acquiring information from someone without permission and selling the information to someone else is a fraud.

- In tort law based cases the lawyer can try 2 approaches :
1. He will argue that the case is a clear violation of society's norms, that it is not what a fair, sensible person would do.
2. He might argue that the case is similar to one or more examples, maybe drawing a similarity between a computer program and a work of art. Here, the judge has to decide whether the comparison is apt.

3. Contract Law

- Contracts are the third form of protection for computer objects. A contract is an agreement between two parties. A contract must have three things :
  - An offer
  - An acceptance
  - A consideration

- In a contract, one party offers something, for example, "I will write this computer program for some amount." The second party can then accept the offer, reject it, make a counter offer, or simply ignore it. To make a contract only an acceptance is required. A contract includes consideration of money or other valuables. The main idea behind a contract is that the parties exchange things of value, like time traded for money. For example, "I'll wash your car if you feed me lunch." A written contract has hundreds of pages of terms and conditions qualifying the offer and the consideration. Freedom is the most important aspect of the contract, as both the parties enter into the contract voluntarily. A contract signed under threat or with fake action is not enforced.

- Information is exchanged under contracts. Contracts are ideal for protecting the transfer of information as they can specify any condition. For example, "you have the right to use the material but not modify the information" or "you have the right to use but not resell the information." Contracts thus protect the commercial interest of an owner of information.
- Contracts for software : Computer contracts cover the use of software and computers, the reasonable expectations of software quality, and the rights of employers and employees. In a contract the problem arises when one side feels the terms have been fulfilled and the other side disagrees. The most common legal remedy in contract law is money. For example, you agreed to sell me a gold necklace and I find it is made up of silver, so I sue you. The argument will take place in the court and the court will decide which claims are valid and the compensation amount.

5.7 Rights of Employees and Employers

Employers hire employees for creating ideas and making products. The protections such as copyrights, patents, and trade secrets apply to the ideas and products. But the issue of who owns the ideas and the product is difficult. Ownership is a computer security worry as it relates to the rights of an employer to protect the confidentiality and integrity of the work produced by the employees. Here we are going to study the individual rights of employers and employees to their computer products.

1. Ownership of Products

- Let's say Rohit works for a software company. As a part of his job, he has developed a program. The program belongs to his company because it pays Rohit for writing the program. He has written the program as a part of his work assignment. So, Rohit cannot market this program himself. He could not sell it even if he works for a non-software related company but developed the software as a part of his job.

- Assume that Rohit develops the program in the evening at home; it is not a part of his job, and then he tries to market the product himself. If Rohit works as a programmer, his employer will probably say that Rohit profited from the training and experience gained on the job. At the very least, Rohit possibly conceived or thought about the project while at work. So, the employer has an interest in the rights to his program. But the situation will change if Rohit's primary job does not involve programming. If Rohit is a television newscaster, his employer may not have contributed anything related to the computer product. If Rohit's job does not involve programming, then he is free to market the product.

- Finally, suppose Rohit is not an employee of the company, but is a self-employed consultant who for a fee writes customized programs for his clients. Think about the legal position in this situation. He may want to use the basic program design, generalize it somewhat, and market it to others. Rohit can argue that he thought, wrote, and tested the program, therefore it is his work and he owns it. His client may argue that it paid Rohit to develop the program, and it owns the program.

- Clearly, all the above situations are different and interpreting the laws of ownership is not easy. Let us think about each type of protection in turn.

2. Ownership of a Patent

- The person who owns a work under patent or copyright law is the inventor. In the above examples, the owner is the programmer or the employer.

- Under patent law, it is significant to know who files the patent application.

- If an employee gives permission to an employer to patent an invention, then the employer is the owner of the patent and therefore of the rights to the invention.

- The employer can also argue to establish the ownership of a patent if the employee's job functions included inventing the product. For example, an employee may be hired to perform research and development, and the results of this inventive work become the property of the employer. Even if the employee has patented something, the employer can argue a right to the invention based on the resources (library, databases, computer time etc.) it contributed in developing the invention.

Ownership of a Copyright

- Owning a copyright is the same as owning a patent. There are rules about who has the right to the copyrighted work. The author or programmer is the assumed owner of the work. The owner has all rights to an object. But, a unique situation known as work for hire applies to many copyrights for developing software or other products.

Work for Hire

- In a work for hire situation, the employer is considered the author of a work. It is difficult to identify a work for hire; it depends in part on the laws of the state in which the employment takes place.

- The relationship between an employee and employer is considered a work for hire if a few or all of the following conditions are true :
  - The employer has an administrative relationship, supervising the way in which the creative work is done.
  - The employer has the right to fire the employee.
  - The employer organizes the work to be done prior to the work being produced.
  - A written contract between the employer and employee states that the employer has hired the employee to perform certain work.

- In the situation in which Rohit develops a program on his job, his employer will certainly claim a work for hire relationship. Then, the employer owns all copyright rights and should be recognized in place of the author on the copyright notice.

Licenses

- The alternative to a work for hire arrangement is licensed software. In these circumstances, the programmer develops and holds full ownership of the software. In return for a fee, the programmer allows a company a license to use the program. The license can be granted for a specific or limitless period of time, for one copy or for an unlimited number, to use at one location or many, to use on one machine or many, at specified or unlimited times.

- This agreement is extremely advantageous to the programmer, just as a work for hire arrangement is extremely advantageous to the employer. The choice between work for hire and license is mainly what the two parties will agree to.

Trade Secret Protection

- A trade secret is different from a patent and a copyright. In trade secret there is no registered inventor or author. There is no registration office for trade secrets. In case a trade secret is revealed, the owner can be harmed. The owner can bring the revealer to court for the damages suffered. But the first thing is to establish the ownership of its business-confidential data. Once a secret is developed, the company becomes the owner. For example, let's say a company collects some figures. Once the figures are collected, the company has trade secret rights to them, even though the figures are not compiled, printed, or distributed. As summarized, a company can protect the sale of its work by way of copyrights and its development by the use of trade secrets.
3. Employment Contracts

- A work contract regularly spells out rights of ownership. Conceivably an employer has no contract. Having a contract is alluring both for employees and employers, with the goal that both will comprehend their rights and duties.

- Typically, an employment contract determines that the employee is hired to work as a programmer fully for the benefit of the organization. The organization states that this is a work for hire situation. The organization guarantees all rights to any projects created, including copyright rights and the right to advertise. The contract may further state that the employee is getting access to certain trade secrets as a piece of employment, and the employee agrees not to disclose those secrets to anyone.

- More prohibitive contracts (from the employee's perspective) assign to the employer rights to all inventions (patents) and all creative works (copyrights), not simply those that pursue straightforwardly from one's job. For example, assume an employee is procured as an accountant for an automobile company. While at work, the employee designs an increasingly proficient approach to consume fuel in an automobile engine. The employer would argue that the employee utilized organization time to consider the issue, and accordingly the organization was qualified for this product. An employment contract moving all rights of innovations to the employer would fortify the case much more.

- An agreement to avoid competing is now and then incorporated into a contract. The employee expresses that essentially having worked for one employer will make the worker truly profitable to a competitor. The employee makes a deal to avoid competing by working in a similar field for a period of time after termination. For instance, a software engineer who has a high position including the design of operating systems would naturally be acquainted with a huge group of operating system design techniques. The employee may remember the main parts of a proprietary operating system and be able to write a similar one for a competitor in a very small time. To prevent this, the employer may need the employee not to work for a competitor. Agreements to avoid competing are not always enforceable in law; in certain states the employee's right to acquire a living outweighs the employer's rights.

5.8 Redress for Software Failures

- So far we have seen data, algorithms, and programs as objects of ownership. However, objects vary in quality, and some legal issues are involved with the level to which they function correctly. Everyone admits that all vendors should produce good software, but that does not always happen, so the difficult concern arises in the development and maintenance communities about what to do when faults are discovered.

- In this section, we are focusing on
  - The legal issues in selling correct and usable software
  - The moral or ethical issues in producing correct and usable software
  - The moral or ethical issues in finding, reporting, publicizing, and fixing flaws

Selling Correct Software

- Software is a product and it is built keeping in mind the audience. Software is purchased by consumers with an intended use in an expected context. Consumers also expect a reasonable level of quality and function.

- For example, if you bought a radio but you find something wrong with the radio, then you will have three reactions. First you want your money back, second you want a different radio, and third you want someone to fix your radio.

- Like the radio, for software also we consider the same three possibilities.
  - First we will investigate the nature of the defective code. It means we check why the software is bad. For example, there is a fault in a CD and you are not able to load the software on your computer. In this case, a trader will exchange the faulty copy with a new one with little argument.
  - The second possibility is that the software is working properly but you do not like the software when you tried it. It means that there are some attributes of the software which disappointed you. The attributes are like : the software is not as it was shown in the advertisement, you do not like the look and feel of the software, the software is slower than expected, or the software works only with European phone numbers, not the phone system in your country.
  - The last possibility is that the software malfunctions; in this case you do not want to use the software and you wish to return it.

Refund

- In case of a radio you have the opportunity to look at and listen to it in the shop, check its sound quality, measure its size, and inspect it for flaws. But in case of software you cannot try out the software before purchase, particularly on your own computer. Even if you get the chance to try the software in the store, you may not have been able to check how it works with other applications with which it must interface.

- The U.S. Uniform Commercial Code (UCC) rules transactions between buyers and sellers in the United States. Section 2-601 says that "if the goods or the tender of delivery fail in any respect to conform to the contract, the buyer may reject them." When you buy and take home software only to find that it is free from flaws but does not fit your needs, a reasonable period is given to you to inspect the software, to check its features. If within the given period you decide that the product is not for you, you can refer to UCC §2-601 to get a refund.

Quality

- Many customers want good software. It is difficult to enforce legally the correctness of software. Quality demands for mass market software are typically outside the range of legal enforcement for quite a few reasons.

- Mass-market software is rarely totally bad. Assured features may not work, and faults may stop some features from working as given or as advertised. But the software works for the majority of its many users. If an individual sues a major manufacturer, then the cost to the individual of bringing a suit is too expensive. The manufacturer has a team of permanent legal staff of dozens of attorneys. Legal remedies give monetary compensation but not an order to fix the faulty software. Unless an issue will genuinely harm a manufacturer's image or leave the manufacturer open to huge damage sums, there is little justification to fix potential issues.

- Legal remedies are suitable for large complaints, like from a government or from one who represents a large class of dissatisfied and vocal users, not for issues that influence just a few users or that don't make the item unfit for general use. The UCC has a "fit for use" provision. It says that the product must be usable for its intended purpose; software that doesn't work is clearly not usable. The UCC can help you obtain your money back, but you may not essentially finish up with working software. At the point when flaws are found, the manufacturers quickly fix them, maybe holding others for a later release. A few manufacturers are mindful to their users, but more by commitment than by legitimate necessity.

- Trope [TRO04] proposes a guarantee. The guarantee would express that the manufacturer made a persistent quest for security vulnerabilities and fixed known basic ones. Moreover, the seller will keep on scanning for vulnerabilities and, on learning of any basic ones, will contact influenced parties with patches and work-arounds. Otherwise an organization is conceivably obligated for every single imaginable exposure, which is exorbitant. Trope's methodology restricts the obligation to tending to "known" defects.
dvanced System Security & Digital Forensics (MU) 5.29
Legal and Ethical Issues 2
iat solution is to put pressure on the ven Legal and Ethical | ssueg
dor. He declared hi
W_Aavanced System Security & Digital Forensics (MU) 5-28 : il ty before publicizin : eo.te would Id ones
off vendors ong week
yulnerability p 8 the vulnerability but not the particulars of how to exploit it to hgh * nese ofa
D. Reporting Software
Flaws
the manufacturer. There t »pesponsible" Vulnerability Reporting
ing to publish it, the user Or
lie else will
then someone ae
nition o|SE 1g a flaw. aIf you delayspe
delay r releasing ame
in in len the flaw itis necessary to meet the conflicting interests of vendors and users at some negotiation position.
are some users who want the recog
an i f finding ate
A ility reporting
vulnerability rep 18 pr.
Process was proposed by ‘
Christey
get the credit. It may happen that manufacturer may want to Ignore ye faws and Wysopal, that meets constraints of timeliness, fair
. play, and liability. 7 ae, the users “reporter”, manufacturer
are different viewpoints on how to report the as “vendor” and a third party computer emergency
could say that the other was wrong. There
. response center called a "coordinator". The coordinator plays a role when a conflict or power issue arises between
1, What you don't know ean hurt you id . reporter and vendor. Fundamentally, the process needs reporter and vendor to perform the following
3" and the 4 variants were powerful.
In 2001 Code Red releases several variants. The first variant was gentle but the o The vendor must admit a vulnerability report in private to the reporter.
analyst including eEye Digital Security. The eEye
When the first variant came out it Ws as studied by many security
vendors and software managers to take The vendor must agree that the vulnerability exists in private to the reporter.
carried out full disclosure of what it knows about security flaws to pressure
°
seriously the threats they represent. The vendor has to notify users of the vulnerabi ity and any available countermeasures within 30 days or request
of the methods that allow malicious code extra time from the reporter as needed.
The code red ignites the debate about whether should allow full disclosure
what enables
to enter and prosper in our systems. Some viewers say that such open sharing of information is exactly After notifying users, the vendor can demand from the reporter a 30-day quiet period to permit users time to
hackers to study about vulnerabilities and then exploit them. Some developers believe that eEye's openness about install patches.
Code Red permitted the more powerful variants to be written and distributed. a date at which time the
At the ending of the quiet period, the vendor and reporter ought to agree upon
‘The Microsoft's manager of Windows security distinguished between full disclosure and full exposure. There is aneed vulnerability information may be released to the general public.
to protect code or detailed explanations of vulnerability’s concept. And a lot of security analysts encourage users and
The vendor is supposed to credit the reporter with having located the vulnerability.
managers to apply patches immediately, closing security holes before they can be exploited. But, the patches require
and may introduce other problems while fixing the first one. Each organization which uses software must examine If the vendor does not follow these steps, the reporter should work with a coordinator to decide a responsible
and balance the risks and cost of not acting with the risks and costs of acting immediately. way to publicize the vulnerability.
nly agreed-on process, as there is no authority that can impose
2. The vendor's Interests = Such a proposal can only have the status ofa commor
loyalty on either users or vendors.
Microsoft fights that it is unproductive for both the vendor and the user to create one patch for each exposed
vulnerability. F. Quality Software
The vendor may wish to bundle a number of patches into a single service pack or, for noncritical vulnerab the software with zero bugs.
jes, to
- Itis theoretically unachievable to dispatch
hold them in anticipation of the next version. So, Microsoft would like to control if or when the report of vulnerability
vendors find. Send notices, include
goes public. Shi ith zero bu; gs. Be open about the bugs with the users which
in with and open about what is tested and what is
honest
ip the software with nds when vendor: shave them, be
18 minimize disclosure of vulnerability information Microsoft's Chief Technology Officer, Craig Mundie suggests that bud list, publish the workarou nea :
do and don't plan to test in the
Every time we become explicit about a problem that exists in a legacy product, the response to our disclosure is to Not tested yet and when we
The world needs better software
focus the attack. In essence we end up funneling them to the vulnerability.

- Scott says that "a vendor's responsibility is to its customers, not to a self-described security community." He criticized what he called information anarchy, "the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities without regard for how the information may be used." He acknowledged that the process of developing, distributing, and applying patches is defective, and that his own company "needs to make it easier for users to keep their systems secure."

Users' interests

- A security researcher announced in May 2002 that he would no longer mechanically wait for a vendor's patch before going public with a vulnerability announcement. Litchfield criticized the approach of holding fixes of a number of vulnerabilities for a single service pack. He says that, publicized or not, the vulnerabilities still exist.
- If one reporter has found the problem, it may be possible that many malicious attackers have found it too. If a vendor is aware of the vulnerabilities and fails to give timely patches, then the vendor leaves customers wide open to attacks of which the user may be unaware.

Consumer risk

- The main debate, when and how to close vulnerabilities, avoids the real issue: if software had fewer vulnerabilities, it would not need fast patches. The most major threat and vulnerability facing the Wired World is continuing to accept and regulate corporate and computer environments on technology that is confirmed time and again to be insecure, unbalanced, and full of undocumented bugs that routinely place the Internet community at risk.
- In 2002, Bill Gates, Microsoft CEO, announced that producing quality software with minimal defects was his highest priority. His manager of the XP operating system required all programmers involved in development of XP to be present at a course in secure programming. In one five-day time in June 2002, Microsoft released six separate patches. In November 2004, Microsoft went to once-a-month patch releases and has circulated an average of two to three new critical patches each month since then.
- Whether a flaw is patched, or however much detail is released with a vulnerability announcement, the penetrators always found other old flaws or new flaws introduced by the patch.
5.9 Computer Crime

- The crimes involving computers are a new area of the law. We need the separate category of computer crime.

Why a separate category for computer crime is needed?

- Crimes are organized into certain recognized categories, including robbery, murder, and littering. We need special laws relating to computers as subjects and objects of crime.

A. Rules of Property

- In one case, a trade secret proprietary software package was stolen across state boundaries by means of a telephone line, but the court ruled that this software acquisition was not theft because Section 499c(a) requires that the thing taken be something tangible, and based on the record the defendant did not carry away any tangible thing.
- There are explicit rules in the legal system about property. Usually, property is tangible, unlike magnetic impulses. For example, if a computer professional takes a copy of a software package without permission, it is clear-cut theft.
- The same problem arises with computer services. Accessing a computing system in an unauthorized way is a crime. But because, for example, access by computer does not involve a physical object, not all courts punish it as a serious crime.

B. Rules of Evidence

- In many successful prosecutions computer printouts have been used as evidence. Frequently used are computer records produced in the ordinary course of operation, like system audit logs.
- Under the rules of evidence, courts prefer an original source document to a copy. It is assumed that the copy may be wrong or may have been modified in the copying process.
- Showing the authenticity of the evidence is the biggest challenge with computer-based evidence in court.
- Law enforcement officials operate under a chain of custody requirement. From the moment a piece of evidence is taken until it is presented in court, they track clearly and entirely the order and identities of the people who had personal custody of that object.
- The reason for the chain of custody is to make sure that nobody has had the chance to change the evidence in any way before its appearance in court. It is difficult to establish a chain of custody with computer-based evidence.

C. Threats to Integrity and Confidentiality

- The integrity and confidentiality of data are issues in a lot of court cases. Consider a computing system that is accessed remotely by a trespasser. The computing system contains confidential records about people, and the integrity of the data is important. In this case the prosecution had to be phrased in terms of theft of computer time and valued as such, even though that was insignificant compared with the loss of privacy and integrity, because the law as written recognized theft of computer time as a loss, but not loss of privacy or destruction of data. Some federal and state laws now identify the privacy of data about individuals.

D. Value of Data

- In one case a person was found guilty of stealing a large amount of data from a computer data bank. But the court determined that the "value" of that data was the cost of the paper on which it was printed, which was only a few dollars. Because of such valuation, this crime was classified as a wrong and considered to be a minor crime. Luckily, the courts have since determined that information and other intangibles can have significant value. The concept of what we value and how we determine its value is key to understanding the problems with computer-based law.

Why computer crime is hard to define?

- The law is lagging behind technology in its acceptance of definitions of computing terms. Computers and their software, media, and data must be understood and accepted by the legal system.
- Many people in the legal process do not know computers and computing, so crimes involving computers are not treated appropriately. Making and changing laws are slow processes, planned to involve large thought about the effects of proposed changes. This deliberate process is very much out of pace with a technology that is progressing as fast as computing. Computers are used to attack, can be attacked, and can be used as a means to commit crime. Computer crime laws must address all of these evils.

Why computer crime is hard to prosecute?

The computer crimes are hard to prosecute for the following reasons.

1. Lack of understanding

Courts, lawyers, police agents, or jurors don't essentially understand computers. Many judges began practicing law before the invention of computers, and most began before the extensive use of the personal computer. Luckily, computer literacy in the courts is improving as judges, lawyers, and police officers use computers in their everyday activities.

2. Lack of physical evidence

For years, police and courts depended on tangible evidence like fingerprints. Tiny clues can lead to solutions to the most complicated crimes, but with a lot of computer crimes there simply are no fingerprints and no physical clues of any sort.

3. Lack of recognition of assets

People know what cash and diamonds are, but they don't know that the value of 20 invisible magnetic spots can be equal to a million dollars. Computer time is also an asset. If the system is idle during the time of the theft, then what is the value of the stolen computer time?

4. Lack of political impact

Solving and obtaining a conviction for a murder or robbery is well liked by the public, and so it gets high priority with prosecutors and police chiefs. Obtaining a conviction for a difficult to understand high-tech crime, particularly one not involving clear and significant loss, may get less attention. However, as computing becomes more pervasive, the visibility and impact of computer crime will increase.

5. Complexity of case

Everyone understands the seriousness of murder, robbery, or auto theft. These crimes are easy to prosecute. A high-tech crime, described, for example, as root access obtained by a buffer overflow which permitted the attacker to copy and execute code and then eliminate all traces of entry, or as a complex money-laundering scheme, is hard to present to a jury because jurors have a hard time following a twisty chain of technical steps.
6. Age of defendant

Several computer crimes are committed by juveniles. Society understands immaturity and ignores even very serious crimes by juveniles because the juveniles did not realize the impact of their actions. A more serious, related problem is that a lot of adults perceive juvenile computer crimes as childhood pranks, the modern equivalent of tipping over an outhouse.

7. In many cases clear evidence of a crime is available, but the victim does not want to prosecute due to negative publicity. Many organizations like banks, insurance companies, etc. think that their trust by the public will be reduced if a computer vulnerability is exposed. They may also fear repetition of the same crime by others: so-called copycat crimes. Due to these reasons, computer crimes are often not prosecuted.

5.9.1 Examples of Statutes

In this section a few of the laws defining aspects of crime against or using computers are highlighted.

1. U.S. Computer Fraud and Abuse Act

This law prohibits :

- Unauthorized access to a computer containing data protected for national defense or foreign relations concerns.
- Unauthorized access to a computer containing certain banking or financial information.
- Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government.
- Accessing without permission a "protected computer," which the courts now interpret to include any computer connected to the Internet.
- Computer fraud.
- Transmitting code that causes damage to a computer system or network.
- Trafficking in computer passwords.

Penalties range from $5,000 to $100,000 or twice the value obtained by the offense, whichever is higher, or imprisonment from 1 year to 20 years, or both.

a. U.S. Economic Espionage Act : This law prohibits use of a computer for foreign espionage to benefit a foreign country or business, or theft of trade secrets.

b. U.S. Electronic Funds Transfer Act : This law prohibits use, transport, sale, receipt, or supply of fake, stolen, changed, lost, or deceitfully obtained debit instruments in interstate or foreign commerce.

c. U.S. Freedom of Information Act : This act provides public access to information collected by the executive branch of the federal government. The act requires disclosure of any available data, unless the data fall under one of several specific exceptions, such as national security or personal privacy. The law's original intent was to release to individuals any information the government had collected on them. However, more corporations than individuals file requests for information as a means of obtaining information about the workings of the government. Even foreign governments can file for information. This act applies only to government agencies, although similar laws could require disclosure from private sources. The law's effect is to require increased classification and protection for sensitive information.

d. U.S. Privacy Act : This act protects the privacy of personal data collected by the government. A person is allowed to determine what data have been collected on him or her, for what purpose, and to whom such information has been distributed. It also prevents one government agency from accessing data collected by another agency for another purpose.

e. Electronic Communications Privacy Act : This law protects against electronic wiretapping. There are some significant qualifications. First, law enforcement agencies are always permitted to get a court order to access communications or records of them, and an amendment to the act needs Internet service providers to install equipment as needed to permit these court-ordered wiretaps. Second, the act permits Internet service providers to read the content of communications to maintain service or to protect the provider itself from damage. So, for example, a provider could monitor traffic for viruses.

f. Gramm-Leach-Bliley Act : This act covers privacy of data for customers of financial institutions. Every institution has a privacy policy of which it informs its customers, and customers have to be given the opportunity to refuse any use of the data beyond the essential business uses for which the private data were collected.

g. HIPAA (Health Insurance Portability and Accountability Act) : HIPAA was passed in the United States. The first part of the law concerned the rights of workers to maintain health insurance coverage after their service was terminated. The second part of the law required protection of the privacy of individuals' medical records. HIPAA and its implementation standards order protection of individually identifiable healthcare information, meaning medical data that can be related with an identifiable individual. Healthcare providers have to perform standard security practices for protecting the privacy of individuals. The standard security practices are as follows :

- Impose need to know.
- Make sure minimum necessary disclosure.
- Assign a privacy officer.
- Document information security practices.
- Track disclosures of information.
- Develop a method for patients' inspection and copying of their information.
- Train staff at least every three years.

h. USA Patriot Act : This act supports law enforcement's access to electronic communications. Under the Patriot Act, to get a wiretap or order, law enforcement has to convince a court that the target is most likely an agent of a foreign power. The main computer security provision is an amendment to the Computer Fraud and Abuse Act :

- Transmission of code resulting in damage to a protected computer is a crime.
- Carelessly causing damage as a consequence of unauthorized access is also a crime.
- Causing damage as a result of unauthorized access to a protected computer is a wrong.

i. CAN SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing) : Unwanted "junk" e-mail is spam. Analysts approximate that 70 percent of all e-mail traffic is spam. To address pressure from their constituents, lawmakers passed the CAN SPAM Act. Key requirements of the law are as follows :

- It prohibits false or misleading header information.
- It prohibits misleading subject lines.
- It needs commercial e-mail to provide recipients an opt-out method.
- It bans sale or transfer of e-mail addresses of people who have opted out.
- It needs that commercial e-mail is recognized as an advertisement.

It permits commercial e-mail as long as the mail is not deceptive. It tries to control the spam that comes from a foreign mailer, maybe in a country more interested in making business for its national ISPs than in controlling worldwide junk e-mail. A spam sender just sends spam from offshore. The volume of spam has not declined since the law.

International Dimensions

- We have seen the laws of the United States. You might be thinking why we should learn about laws from a foreign country. There are two answers for this question.

1. Technically, computer security laws in the United States are similar to those in many other countries: legislators in every country learn about subtle legal points and understanding or enforcement difficulties from laws passed in other countries. Many other countries have recently passed computer crime laws. These laws cover offenses like fraud, unauthorized computer access, data privacy, and computer misuse.

2. The second reason is that the Internet is an international entity. Citizens in one country are affected by users in other countries, and users in one country may be subject to the laws in other countries. Therefore, you want to know which laws may affect you.

Council of Europe Agreement on Cybercrime

- In November 2001, the United States, Canada, Japan, and 22 European nations signed the Council of Europe Agreement on Cybercrime to define cybercrime activities and support their investigation and prosecution across national boundaries. The importance of this agreement is not so much that these activities are unlawful but that the nations recognized them as crimes across their borders, making it simpler for law enforcement agencies to cooperate and for criminals to be extradited for offenses against one nation committed from inside another nation. Beyond these 25 nations, the investigation, prosecution, and conviction of computer criminals needs something more than this treaty.
- The treaty requires nations that ratify it to adopt similar criminal laws on hacking, computer-related fraud and forgery, unauthorized access, infringements of copyright, network disruption, and child pornography. The treaty also contains provisions on investigative powers and techniques, for example the conduct of searches, and requires cross-border law enforcement cooperation. The first treaty has been enhanced by an additional protocol making any racist propaganda by means of computer networks a criminal offense.

E.U. Data Protection Act

- This act establishes privacy rights and protection responsibilities for all citizens of member countries. The act governs the collection and storage of personal data about individuals, like name, address, and identification numbers. The law requires a business purpose for collecting the data, and it controls against disclosure.

Restricted Content

- A few countries have laws to control Internet content allowed in their countries. Singapore needs service providers to filter the content allowed in the country. China bans content that harms social order or undermines social stability. Tunisia has a law that applies the same bans on critical speech as for other media forms. Supplementary laws have been proposed to make it illegal to transmit banned content through a country, in spite of whether the source or destination of the content is in that country.

Why computer criminals are hard to catch?

- It is difficult for law enforcement agencies to catch computer criminals. There are 2 major reasons for this :

1. Computer crime is a multinational activity that must usually be pursued on a national or local level. There are no international laws on computer crime. Even though the major industrial nations cooperate very effectively on tracking computer criminals, criminals know there are "safe havens" from which they cannot be caught.

2. Complexity is a more important factor than country of origin. Networked attacks are hard to trace and investigate as they can involve so many steps. A smart attacker will "bounce" an attack through many places to obscure the trail. Each step along the way makes the investigator complete more legal steps.

What computer crime does not address?

- Computer technology is used in many devices, like robots, calculators, watches, microwave ovens, automobiles, and medical instruments. The language of law includes the types of devices the legislature looks to include as computers and leaves it up to the court to rule on a specific case. A short time is taken by the court to build up a pattern of cases, and different courts might rule in a different way in similar situations. The international nature of computer crime makes life much more complicated. In some cases courts have problems separating the basic value of an object from its cost to reproduce. Value presents a similar problem. Both the value of an individual's privacy and the secrecy of data about a person are even less established. These conditions will be unsettled for some time to come.

5.10 Ethical Issues in Computer Security

Differences between the law and ethics

- Law is not always the suitable way to deal with issues of human behavior. Law cannot prevent the events which we wish it to.
- Lawmakers have to think from all the aspects while drafting a law relating to computer affairs. Enforcement of law is difficult although it is well written and conceived. Prosecuting for minor infringement is time consuming.
- It is not possible to develop laws to express and enforce all forms of behavior satisfactory to society. As a substitute, society relies on ethics to set down the standard of right and wrong.
- An ethic is an impartially defined, generally accepted standard of proper behavior. Ethical standards are often idealistic principles as they focus on one aim. In a given situation, people have to decide the suitable action against objectives. Religious groups and professions promote certain standards of ethical behavior through typical practices; finally, every one of us is accountable for deciding our own choices.
- A set of ethics is a set of principles or norms for justifying what is right or wrong in a given situation. A set of ethical principles is called an ethical system.
- An ethic is different from a law in a number of significant ways :

1. Laws are applicable to everyone : One may disagree with the intent or the meaning of a law, but that is not an excuse for disobeying the law.
2. The courts have a regular process for deciding which law replaces which if two laws conflict.
3. The laws and the courts decide certain actions as right and others as wrong. Anything which is legal is right.
4. Laws are enforced to correct wrongs done by unlawful behavior.

On the other hand, ethics are personal.

1. Two persons may have different viewpoints about morals. What one feels is correct, the other would not feel so.
2. Ethical positions can and frequently do come into conflict. For example, human life is valued highly in ethical systems, so many people would not cause the sacrifice of another's life. However, in the right context some would agree with sacrificing one person to save another. There is no ethical rule for this: when two ethical goals conflict, every individual must select which goal is main.
3. There is no universal standard for right and wrong. Two people may evaluate ethical values differently. One person cannot simply look to what another has done as guidance for choosing the right thing to do.
4. In ethics, there is no enforcement for ethical choices.

The following Table 5.10.1 gives the difference between laws and ethics.

Table 5.10.1 : Difference between laws and ethics

| Law | Ethics |
|---|---|
| Laws are described by formal, written documents. | Ethics are described by unwritten principles. |
| Laws are established by legislatures representing all people. | Ethics are presented by religions, philosophers, professional groups, etc. |
| Laws are interpreted by courts. | Ethics are interpreted by individual explanations. |
| Laws are applicable to everyone. | Ethics are applicable on personal choice. |
| Priority determined by the courts if two laws conflict. | Priority determined by an individual if two principles conflict. |
| Court is the final judge of right. | There is no external judge; there is no higher authority. |
| Enforceable by police and courts. | Limited enforcement. |

Ethics and Religion

- Ethical principles are different from religious beliefs. Religion is based on personal thinking about the creation of the world and the existence of controlling forces. Many moral principles are common to the major religions, and the basis of personal morals is a matter of belief and confidence, much the same as for religion. However, two people with different religious backgrounds may develop the same ethical philosophy, while two exponents of the same religion might reach opposite ethical conclusions in a particular situation. It is essential to distinguish ethics from religion.

Ethical principles are not universal

- Ethical values differ by society, and from person to person within a society. For example, in western culture the concept of privacy is important; on the other hand, in Eastern cultures privacy is not desirable because people associate privacy with having something to hide. So, people's attitudes are affected by their culture or background.
- The past events in life also affect a person's standards of behavior. A person from a large family may put greater importance on personal control and ownership of property than would an only child who rarely had to share. Major events and close contact with others can also shape one's ethical position.
- The above aspects make people distrust ethics because it is not founded on basic principles all can accept. People from a scientific or technical background expect exactness and universality.

Ethics does not provide answers

- Ethical pluralism is identifying that more than one position may be ethically justifiable, even equally so, in a given situation. Pluralism is one more way of noting that two people may legally disagree on issues of ethics. Such disagreement is accepted in areas like politics and religion.
- In the scientific and technical fields, people look ahead to find unique, unambiguous, and clear answers. In science, one answer must be correct or demonstrable in some sense. A statement is likely to be provably true, provably false, or not proven, but a statement can never be both true and false. The basis of science is presumed to be "truth." Ethics does not provide these clean differences; ethics is soft, meaning that it has no underlying structure, and people disagree in their opinion of the ethics of a situation. Due to this, scientists are uncomfortable with ethics, and ethics is rejected in science because there is no higher authority of ethical truth.

Ethical Reasoning

- Usually, we all engage in ethical judgments frequently, maybe daily. For example, is it better to buy from a supermarket or from a shop? We make ethical judgments in professional situations just as we do in private life. If we don't know the ethical action to take in a situation, ethics should help us justify our choice.

Studying ethics

- Studying ethics is difficult as issues are very complex. Study of ethics can give two positive results: it can help us recognize the issues involved, and it can help us distinguish what is right from what is wrong.
- Some religions have their own structure for making ethical choices, so people get confused between ethics and religion. But ethics can be studied apart from any religious connection.
- If a universal set of ethical principles agreed by everyone were available, then difficult choices would become easy. In situations in which we don't know the ethical action to take, ethics should help us justify our choice, so that we can make reasoned judgments by applying the principles we already know.
Examining a case for ethical issues

Following are the steps for justifying an ethical choice :

1. Understand the situation. Study the facts of the situation. Ask questions of interpretation or explanation. Attempt to find out whether any significant forces have not been considered.
2. Know several theories of ethical reasoning. To make an ethical choice, you have to know how those choices can be justified.
3. Outline the ethical principles involved. What different philosophies could be applied in this case? Do any of these include others?
4. Decide which principles are more important than others. This is a personal evaluation. It often involves extending a principle to a logical conclusion or determining cases in which one principle clearly succeeds another.

- The first and the third steps are most important. Many times it happens that people judge a situation on incomplete information. Considering all the different ethical issues raised forms the basis for evaluating the interests of step four.

5.10.1 Examples of Ethical Principles

There are two different schools of ethical reasoning.

- Based on the good that results from actions.
- Based on certain prima facie duties of people.

5.10.1(A) Consequence-Based Principles

- The teleological theory of ethics focuses on the consequences of an action. The action to be chosen is that which results in the greatest future good and the least harm. For example, if a fellow student asks you to write a program he was assigned for a class, you may weigh the good against the bad. The negative consequences would obviously be more important than the positive, so you would reject the request. Teleology is the general name applied to many theories of behavior, all of which focus on the goal, outcome, or consequence of the action.
- There are two important forms of teleology. Egoism is the form that says a moral judgment is based on the positive benefits to the person taking the action. An egoist considers the outcomes of all probable acts and selects the one that creates the most personal good for him or her with the least negative consequence.
- The principle of utilitarianism is an evaluation of good and bad results; however, the reference group is the whole universe. The utilitarian selects that action that will bring the greatest combined good for all people with the least possible negative for all.
- In the situation above, the utilitarian would evaluate personal good and bad, good and bad for the company, good and bad for the customer, and, perhaps, good and bad for society at large.

5.10.1(B) Rule-Based Principles

- Another ethical theory is deontology, which is established in a sense of duty. This ethical principle states that certain things are good in and of themselves.
- These things that are obviously good are good rules or acts, which need no higher explanation. Something just is good; it does not have to be judged for its effect.
- Rule-deontology is the school of ethical reasoning that believes certain universal, self-evident, natural rules specify proper conduct. These moral principles are adhered to because natural rules spell out our responsibilities to one another; the principles are often stated as rights: the right to know, the right to privacy, the right to fair compensation for work.
- Another school of reasoning is based on rules derived by each individual. Religion, teaching, experience, and reflection lead each person to a set of personal moral principles. The answer to an ethical question is found by weighing values in terms of what a person believes to be right behavior.
- The following Table 5.10.2 shows the difference between consequence based and rule based ethical theories.

Table 5.10.2

| | Consequence based | Rule based |
|---|---|---|
| Individual | Based on consequences to the individual | Based on rules obtained by the individual from religion, experience, analysis |
| Universal | Based on consequences to all of society | Based on universal rules, obvious to all |

5.11 Case Studies of Ethics

Case I : Use of Computer Services

- This case concerns choosing what is an appropriate use of computer time. Use of computer time is a question of access by one individual and of the availability of quality service to other people. The individual involved is allowed to access computing facilities for a specific reason. Numerous organizations depend on an unwritten standard of conduct that governs the actions of individuals who have legitimate access to a computing system. The ethical issues associated with this case can lead to an understanding of that unwritten standard.

The case

- Dave works as a programmer for a huge software company. He writes and tests utility programs, for example, compilers. His organization works two shifts: during the day, program development and online applications are run; at night, batch production jobs are finished. Dave has access to workload information and discovers that the night batch runs are not comparable to the daytime programming tasks; that is, an extra job would not adversely affect the performance of the system. Dave returns after typical hours to build up a program to manage his own stock portfolio. His charge on the system is negligible, and he uses few nonessential supplies, for example printer paper. Is Dave's conduct ethical?

- Some of the ethical principles and values issues associated with this case are listed below.
- Ownership of assets. The organization owns the computing resources and provides them for its own needs.
- Effect on others. Although Dave's use seems minor, his program could adversely affect different clients, for example through a system failure.
- Universalism standard. If Dave's use is acceptable, it ought to likewise be acceptable for others to do likewise. But if a number of employees working at night did the same, it could diminish system effectiveness.
Advanced System Security & Digital Forensics (MU) 5-41 Legal and Ethical Issues
Analysis of Case I

Possibility of discipline: Dave does not know whether his activity would be regarded as right or wrong; whenever found, he could possibly be rebuffed. In the event that his organization chose that it was inappropriate to utilize the computer in this way, Dave could be disciplined. What different issues are included, and which standards apply?

The utilitarian would think about the absolute overabundance of good over awful for all individuals. Dave gets advantage from the utilization of computer time, in spite of the fact that for this application the measure of time isn't enormous. Dave has a plausibility of discipline, yet he may rate that as improbable. The organization is neither hurt nor helped by this. Along these lines, the utilitarian could contend that Dave's utilization is reasonable.

The universalism standard appears as though it would cause an issue, in light of the fact that obviously if everybody did this, the quality of service would corrupt. A utilitarian would state that each new client needs to gauge great and awful independently. Dave's utilization probably won't load the machine, and neither may Ann's; however when enough people need to utilize the machine, it is intensely enough utilized that the additional load would influence other individuals.

Elective situations: We can think about a few potential augmentations to the situation. These expansions test other moral issues. Would it influence the morals of the circumstance if any of the accompanying activities or qualities were considered?
o Dave started a business overseeing stock portfolios for some individuals for profit.
o Dave's pay was beneath normal for his experience, suggesting that Dave was expected to treat the computer use as an incidental advantage.
o Dave's manager knew about different representatives doing comparative things and implicitly endorsed them by not looking to stop them.
o Dave worked for an administration office rather than a privately owned business and contemplated that the computer had a place with the general population.

Case II: Privacy Rights

For this situation, the focal issue is the person's entitlement to security. Protection is both a legitimate and a moral issue; the relevant laws were examined in the past segment. Notice, nonetheless, how the case changes unobtrusively relying upon the information involved. If the records are health records secured by HIPAA, we would initially think about the legal issue. The case changes again if the records manage "standard" conditions (colds, broken legs, muscle strains) rather than sexually transmitted sicknesses or AIDS, of which the subject might be ignorant, or hereditary conditions (for instance, being a transporter for Huntington's). You may achieve one end if the examination includes the explicit ailment and an alternate end if it does not.

Donald works for the health records division as a computer records representative, where he approaches the records. For a logical report, a specialist, Ethel, has been conceded access to the numerical bit of certain records, yet not the relating names. Ethel discovers data that she might relate with specific properties, so she asks Donald for the names and addresses of the subjects so she can contact these individuals for more data and for consent to do further examination. Ought Donald to discharge the names and addresses?

A few of the principles involved are:
o Job obligation: Donald's main responsibility is to oversee individual records, not to make judgments of suitable use. Strategy choices ought to be made by somebody other than the records representative.
o Use: The records are utilized for genuine logical examination, not for profit.
o Confidentiality: Ethel's entrance is approved uniquely for the numerical information, not the private data relating to the people.
o Abuse: In spite of the fact that he trusts Ethel's intentions are legitimate, Donald can't ensure that Ethel will use the information just to catch up on fascinating information.
o Authorization: Ethel has been conceded authorization to access portions of these records for research. Had Ethel been expected to have names and addresses, they would have been given at first.
o Propriety: Since Ethel has no authority to get names and addresses, and on the grounds that the names and addresses speak to the classified piece of the information, Donald ought to deny Ethel's solicitation for access.

A standard deontologist would contend that security is an inborn decent and that one ought not to abuse the protection of another. In this manner, Donald ought not to discharge the names.

Augmentations to the basic case:
o Suppose Donald were in charge of deciding permissible access to the documents. What moral issues would be associated with choosing whether to give access to Ethel?
o Suppose Ethel contacts the people to ask their authorization, and 33% react denying consent, 33% react giving consent, and 33% don't react. Ethel claims that at any event one-portion of the people are expected to make a legitimate report. What choices are accessible to Ethel? What are the moral issues associated with choosing which of these choices to seek after?
o Should the wellbeing office discharge people's names to an analyst? That is, should Ethel be permitted to contact the people included? What are the moral issues to consider?

Case III: Ownership of Programs

For this situation we think about the developer, the business, the chief, the Internet service supplier, or all of them. From a legitimate point of view, disputes over programs can be confounded, tedious, and costly to engage the courts with. Here are a portion of the moral standards associated with this case, as exhibited prior in this part, that may be utilized to help positions for this situation. What are other moral standards? Which standards are subordinate to which others?
The case

Greg is a software engineer working for an enormous aviation firm, Star Computers, which takes a shot at numerous administration contracts; Cathy is Greg's boss. Greg is doled out to program different capacities. To improve his programming, Greg writes some programming aids, for example a cross-reference facility and a program that naturally extricates documentation from source code. These aids are not among the undertakings relegated to Greg; he keeps them freely, utilizes them himself and does not enlighten anybody regarding them. Greg has written them in the evenings, at home, on his own time.

Greg chooses to advertise these programming helps without anyone else. At the point when Star's administration knows about this, Cathy is told to disclose to Greg that he has no option to advertise these items since, when he was utilized, he marked a structure expressing that all creations become the property of the organization. Cathy does not concur with this position since she realizes that Greg has done this work alone. She reluctantly reveals to Greg that he can't advertise these items. She additionally approaches Greg for a duplicate of the items.

Cathy stops working for Star and takes a supervisory position with Purple Computers, a contender of Star. She takes with her a duplicate of Greg's items and circulates it to the general population who work with her. These items are fruitful to the point that they considerably improve the viability of her representatives, and Cathy is applauded by her administration and gets a sound reward. Greg knows about this, and contacts Cathy, who battles that on the grounds that the item was resolved to have a place with Star, and in light of the fact that Star worked to a great extent on government financing, the items were truly in the open area and accordingly they had a place with nobody specifically.

Investigation

This case surely has major lawful ramifications. Most likely everybody could sue every other person and, contingent upon the sum they are eager to spend on lawful costs, they could keep the cases in the courts for quite a while. Likely no judgment would fulfill all.

Give us a chance to put aside the legitimate perspectives and take a gander at the moral issues. We need to figure out who may have done what, and what changes may have been conceivable to forestall a tangle for the courts to unscramble. In the first place, let us investigate the standards included.
o Rights: What are the individual privileges of Greg, Cathy, Star, and Purple?
o Basis: What gives Greg, Cathy, Star, and Purple those rights? What standards of reasonable play, business, property rights, etc. are engaged with this case?
o Priority: Which of these standards are second rate compared to which others? Which ones outweigh everything else? (Note that it might be difficult to look at two changed rights, so the result of this examination may yield a few rights that are significant yet that can't be positioned first, second, third.)
o Additional data: What extra realities do you need so as to examine this case? What suspicions would you say you are making in playing out the examination?

Next, we need to think about what occasions prompted the circumstance portrayed and what elective activities could have anticipated the negative results.
o What could Greg have done any other way before beginning to build up his item? In the wake of building up the item? After Cathy clarified that the item had a place with Star?
o What could Cathy have done any other way when she was advised to reveal to Greg that his items had a place with Star? What could Cathy have done any other way to turn away this choice by her administration? What could Cathy have done another way to counteract the conflict with Greg after she got down to business at Purple?
o What could Purple have done another way after discovering that it had items from Star (or from Greg)?
o What could Greg and Cathy have done another way after Greg addressed Cathy at Purple?
o What could Star have done another way to forestall Greg from inclination that he possessed his items? What could Star have done any other way to forestall Cathy from taking the items to Purple?

Review Questions

Q1 What is cybercrime? Explain the cybercrimes in detail.
Q2 What is intellectual property? What are the types of intellectual property?
Q3 Write a short note on Digital Millennium Copyright Act (DMCA).
Q4 Write a short note on Digital Rights Management (DRM).
Q5 Write a short note on privacy.
Q6 Write a short note on Ethical Issues.
Q7 Write a short note on copyrights.
Q8 Write a short note on patents.
Q9 Write a short note on Trade Secrets.
Q10 What are the guidelines for using the law to protect computer objects?
Q11 What is the legal issue relating to information?
Q12 Write a short note on rights of employees and employers.
Q13 Write a short note on redress for software failures.
Q14 Write a short note on computer crime.
Q15 Write the difference between law and ethics.
Unit VI: Digital Forensics

Syllabus: Introduction to Digital Forensics, Acquiring Volatile Data from Windows and Unix systems, Forensic Duplication Techniques, Analysis of forensic images using open source tools like Autopsy and SIFT, Investigating logs from Unix and Windows systems, Investigating Windows Registry.

6.1 Introduction to Digital Forensics

6.1.1 Digital Forensic

Digital forensic is the collection, preservation, analysis and presentation of computer-related evidence. It determines the past actions that have taken place on a computer system using computer forensic techniques.

Digital/Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.

6.1.2 Why is digital forensics important?

A few criminals are becoming smarter, so they use data-hiding techniques, which include encryption and steganography. The evidence of criminal activity is placed in such a way that traditional search methods are not able to find it.
1. Encryption: Scrambling data, for example an e-mail message, so that it cannot be read by an interceptor.
2. Steganography: It is nothing but hiding a message inside a larger file, typically a photographic image or sound file.

Computer forensics isn't just about "detective work", that is, searching for and trying to find out information. Computer forensics is also concerned with:
o Handling sensitive data responsibly and confidentially.
o Taking precautions to not nullify findings by corrupting data.
o Taking precautions to make certain of the integrity of the information.
o Staying within the regulations and guidelines of evidence.

6.1.3 Digital Forensic Process Steps

For a forensic investigation there are the following four common steps:
1. Collection 2. Examination 3. Analysis 4. Reporting

Fig. 6.1.1 : The forensic process

1. Collection: This is the first phase in the forensic process. In this phase data is identified and labelled, and the data and physical evidence related to the incident being investigated are collected. Simultaneously the chain of custody is also preserved.
2. Examination: In this phase, from the collected data, identify and extract the pertinent information using proper forensic tools and techniques, and also maintain the integrity of the evidence.
3. Analysis: In this phase the results of the examination phase are analyzed. From the analysis, useful answers are generated to the questions posed in the previous phases. Most probably the case gets solved in this phase.
4. Reporting: In the reporting phase the results of the analysis are documented, which contains:
o The information pertinent to the case.
o Actions that have been accomplished.
o Actions left to be performed.
o Advocated enhancements to processes and tools.

What things are we investigating?
o Investigating identity theft.
o Investigating fraud and embezzlement.
o Investigating software piracy and hacking.
o Investigating blackmail and extortion.
o Investigating child pornography and exploitation.
o Investigating prostitution, infidelity, domestic violence.
o Investigating terrorism and national security.
o Investigating theft of intellectual property and trade secrets.

What evidence can we recover at the time of investigation?

Investigation of computer fraud: While investigating computer fraud we recover the following information:
o Credit card data
o Financial and asset records
o Email, notes, and letters
o Accounting software and files
o Account data from online auctions

Investigation of child exploitation: While investigating child exploitation we recover the following information:
o Photos and digital camera software
o Internet activity logs
o Movie files
o User-created directory and file names used to classify images
o Chat logs
o Graphic editing and viewing software
Investigation of network intrusion and hacking: While investigating network intrusion and hacking we recover the following information:
o Names of the network users
o Internet Protocol (IP) addresses
o Executable files, which also include viruses and spyware
o Security logs and configuration files
o Text files and other documents containing sensitive information such as passwords

Investigation of identity theft: Investigation of identity theft will recover the following information:
o Credit card numbers and credit card readers, writers and scanners
o Identification templates such as driving licence, birth certificate, etc.
o Images of electronic signatures
o Information on online trading

Investigation of harassment and stalking: While investigating harassment and stalking we recover the following information:
o Research of the victim's background
o Victim's location maps
o Photos of the victim
o Diaries of the victim
o Internet activity logs
o E-mails, notes, and letters

Investigation of software piracy: While investigating software piracy we recover the following information:
o Serial numbers of the software
o Utilities for software cracking
o Image files of software licences
o Binary files which are required for software installation
o Chat logs and Internet activity logs

6.2 Evidence

Evidence is any information of supporting value, that is, information which proves something or helps to prove something relevant to the case.

6.2.1 Types of Evidence

The types of evidence are:
1. Real evidence 2. Documentary evidence 3. Testimonial evidence 4. Demonstrative evidence

1. Real evidence: Real evidence is something that one can carry into the courtroom and show. This evidence typically "speaks for itself."
2. Documentary evidence: Evidence which is in written form is documentary evidence, for example server logs, email, database documents, etc. Documentary evidence might be faked by a professional and therefore must be authenticated to be admissible in the courtroom. Always produce the original document; do not use a copy.
3. Testimonial evidence: Testimonial evidence is the statement of a witness, under oath, either in court or by deposition. This sort of evidence normally supports or validates the other types.
4. Demonstrative evidence: Demonstrative evidence recreates or explains other evidence. It does not "speak for itself" and is used to demonstrate and make clear previous points. This sort of evidence is most helpful in explaining technical topics to non-technical audiences.

6.2.2 Evidence Characteristics

There are five characteristics of evidence. They are as follows:
1. Admissible 2. Authentic 3. Complete 4. Reliable 5. Believable

1. Admissible: Evidence ought to be admissible; if the proof you reveal won't stand up in court, you have squandered your time and conceivably allowed a guilty party to go unpunished.
2. Authentic: Evidence ought to be authentic. Authentication is directly related to the incident being investigated. The investigation may reveal evidence that is interesting but not relevant.
3. Complete: Evidence ought to be complete. The specialist ought to approach the case with no assumptions about somebody's blame or blamelessness. Forensic routines ought to rule out alternative suspects and explanations until an unmistakable conclusion is reached.
4. Reliable: Evidence ought to be reliable. There ought to be no doubt about the reality of the specialist's decisions. Reliability originates from standardized and verified forensic tools and techniques. Qualification of a specialist as an expert witness for a case will establish believability and reliability.
5. Believable: Evidence ought to be believable. The investigation should create results that are clear and straightforward, even to the most nontechnical individuals on a jury. Have different agents used the same forensic techniques and reached similar conclusions?

6.2.3 Challenges in Evidence Handling

The challenges in evidence handling are:
o The evidence gathered must be authenticated at a judicial proceeding.
o The chain of custody for the evidence must be maintained.
o The validation of the evidence.
Authentication of evidence

Every time evidence is introduced, the material recorded should be authenticated. Authentication means that whoever gathered the evidence should testify during direct examination that the information is what its proponent claims. Another way to authenticate evidence is to have a witness who has personal knowledge of the origins of that piece of evidence provide testimony. Evidence is inadmissible if it cannot be authenticated; such inadmissible evidence cannot be presented to the judging body.

To meet the demands of authentication it is necessary to ensure that whoever collected the evidence is a matter of record. For this purpose, develop some type of internal document that records the way in which evidence is collected.

Chain of custody

Chain of custody means documentation that identifies all changes in the control, handling, custody and ownership of a piece of evidence. The gathered evidence should be stored in a tamper-proof manner, which means that the evidence cannot be accessed by an unauthorized person; this helps in maintaining the chain of custody. For each obtained item a complete chain-of-custody record is kept.

Chain of custody requires that you can trace the location of the evidence from the instant it was collected to the instant it was presented in a judicial court. Many police departments and federal law enforcement agencies have property departments that store evidence in a secure place to meet the chain of custody requirement.

Whenever experts and law enforcement officers need to review the evidence, they check out the evidence, and then check in the evidence every time it is returned to storage. An organization's best evidence should be stored in a safe room or storage so that it is inaccessible to anyone other than the appointed evidence custodians. This storage area is also known as the "evidence safe." Access to the evidence safe is controlled by the evidence custodians.

Evidence validation

Evidence validation is another challenge: the gathered information should be identical to the information which you present in court. An MD5 hash is used to meet the challenge of validation. The MD5 hashes of the original data must match those of the forensic duplicate. Generate MD5 hash values for every file which is a part of the case.

6.2.4 Ethical Issues

o The digital forensic investigator must maintain absolute objectivity.
o It is not the investigator's job to determine someone's guilt or innocence.
o It is the investigator's responsibility to accurately report the relevant facts of a case.
o The investigator must maintain strict confidentiality, discussing the results of an investigation only on a "need to know" basis.

6.3 Introduction to Incident Response

A computer security incident is any unlawful, unauthorized, or unsuitable activity that involves a computer system or a computer network. Such an activity can include any of the following events:
o Unauthorized or unlawful intrusions into computing systems.
o Denial of Service (DoS) attacks.
o Theft of trade secrets.
o Extortion.
o Any unlawful action when the evidence of such action may be stored on computer media, for example fraud, threats, and traditional crimes.
o Possession or dissemination of child pornography.

Goals of Incident Response

The goals of incident response are as follows:
o Prevents a disconnected, non-cohesive response.
o Confirms or dispels whether an incident happened.
o Promotes gathering of accurate information.
o Establishes controls for proper retrieval and handling of evidence.
o Protects privacy rights established by law and policy.
o Minimizes damage to business and network operations.
o Allows for criminal or civil action against culprits.
o Provides accurate reports and useful recommendations.
o Provides quick detection and containment.
o Minimizes exposure and compromise of proprietary data.
o Protects your organization's reputation and assets.
o Educates senior management.
o Promotes quick detection and/or prevention of such incidents in the future.

Who is involved in the incident response process?

The incident response process involves technical specialists, human resources personnel, legal counsel, security professionals, corporate security officers, end users, helpdesk workers, business managers and other people. Some organizations establish a team of people including the proper technical, legal and other employees. This team is referred to as a Computer Security Incident Response Team (CSIRT). It responds to any computer security incident, and it consists of the professionals necessary to resolve an incident.

6.4 Acquiring Volatile Data from Windows and Unix Systems

6.4.1 Initial Response and Volatile Data Collection from Windows Systems

The objectives of an initial response are:
1. Confirm there is an incident.
2. Recover the system's volatile information.
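The chain-of-custody record and the validation rule of 6.2.3 above (the evidence presented must hash to the same value it had when collected), as an added example written for this page; it is not code from the textbook. Every transfer of the item (collection, check-out, check-in) is logged with the custodian's name, a timestamp and the hash observed at that moment, so the trail of custodians is complete and any transfer at which the item no longer matched its collection-time hash can be pointed to. The case number, names, times and evidence bytes are constructed; SHA-256 is used in place of the MD5 the book names because MD5 collisions are practical today, and the record is otherwise the same.

```python
"""Chain-of-custody record for one collected evidence item (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence bytes (SHA-256 instead of the book's MD5)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str          # ISO-8601 UTC timestamp of the transfer
    action: str        # "collected", "check-out" or "check-in"
    custodian: str     # person taking or returning control of the item
    digest: str        # hash of the item as observed at this transfer


@dataclass
class EvidenceItem:
    case_number: str
    item_id: str
    description: str
    reference_digest: str                       # hash at the moment of collection
    log: List[CustodyEntry] = field(default_factory=list)

    def _stamp(self, action, custodian, data, when=None):
        """Append one transfer to the record, hashing the item as handed over."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(when, action, custodian, sha256_hex(data))
        self.log.append(entry)
        return entry

    def check_out(self, custodian, data, when=None):
        return self._stamp("check-out", custodian, data, when)

    def check_in(self, custodian, data, when=None):
        return self._stamp("check-in", custodian, data, when)

    def validate(self) -> List[str]:
        """Timestamps of every transfer at which the item's hash no longer
        matched the hash taken at collection; an empty list means intact."""
        return [e.when for e in self.log if e.digest != self.reference_digest]

    def custodians(self) -> List[str]:
        """The unbroken sequence of who held the item, oldest first."""
        return [e.custodian for e in self.log]


def collect(case_number, item_id, description, data, custodian, when=None):
    """Open the record: the collection-time hash becomes the reference."""
    item = EvidenceItem(case_number, item_id, description, sha256_hex(data))
    item._stamp("collected", custodian, data, when)
    return item


def demo():
    """Constructed walk-through: an image (a few stand-in bytes) is collected,
    checked out and returned intact, then checked out again after the stored
    copy was altered; validate() must flag only the last transfer."""
    original = b"constructed forensic image bytes 0001"
    item = collect("CASE-0001", "HD-01", "image of suspect laptop disk",
                   original, "Custodian A", "2024-01-01T09:00:00+00:00")
    item.check_out("Examiner B", original, "2024-01-02T10:00:00+00:00")
    item.check_in("Custodian A", original, "2024-01-02T16:00:00+00:00")
    tampered = original + b"!"
    item.check_out("Examiner C", tampered, "2024-01-03T10:00:00+00:00")
    return item


if __name__ == "__main__":
    it = demo()
    print("custody trail:", " -> ".join(it.custodians()))
    print("hash mismatch at:", it.validate())
```

The record answers the two questions a court asks of the evidence safe: who had the item at every moment, and whether what is being presented is byte-for-byte what was collected.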
During your initial, hands-on response, you need to perform as few operations as possible to gather enough data to decide whether the incident permits forensic duplication. In this unit, we lay out the steps to take when performing the initial response to a Windows system, whether the system was utilized by an attacker or was the victim of an attack. We start by talking about pre-incident preparation and the making of a response toolkit. After that we will see how to gather information in a way that minimizes the modification of the system. Lastly, we address making a decision about performing a forensic duplication of the evidence.

6.4.1(A) Creating a Response Toolkit

For an initial response, you have to plan your access so that you can reach all the information without affecting any dormant evidence. A live investigation is not the time to create or test your toolkit for the first time. The tools required for the response toolkit are depicted in Table 6.4.1.

Table 6.4.1 : Tools of response toolkit for Windows

Tool | Description
cmd.exe | It is the command prompt for Windows.
PsLoggedOn | A utility that shows all users connected locally and remotely.
rasusers | A command that shows which users have remote-access privileges on the target system.
netusers | It is used to add, remove, and make changes to the user accounts on a computer.
netstat | A system tool that enumerates all listening ports and all current connections to those ports.
Fport | A utility that enumerates all processes that opened any TCP/IP ports on a Windows NT/2000 system.
PsList | A command that enumerates all running processes on the target system.
ListDLLs | A command that lists all running processes, their command-line arguments, and the Dynamically Linked Libraries (DLLs) on which each process depends.
nbtstat | A system tool that lists the recent NetBIOS connections for approximately the last 10 minutes.
arp | A system tool that shows the MAC addresses of systems that the target system has been communicating with in the last minute.
kill | A command that terminates a process.
md5sum | A utility that creates MD5 hashes for a given file.
(tool name not legible in the scan) | A command that displays the shares accessible on a remote machine.
netcat | A command used to create a communication channel between two different systems.
cryptcat | A command used to create an encrypted channel of communications.
PsLoglist | A command used to dump the contents of the event logs.
ipconfig | A system tool that displays interface configuration information.
PsInfo | A service that collects information about the local system build.
PsFile | A utility that shows files that are opened remotely.
pstat | A utility that shows information about current processes and threads.
auditpol | A utility used to display the current security audit settings.
doskey | A system tool that displays the command history for an open cmd.exe shell.
pmdump | It is used to dump the memory allotted to a process into a file for later analysis.
promiscdetect | It checks whether the network card is in promiscuous mode and reads all network traffic flowing by.

There are several steps to prepare the toolkit for initial response:
1. Label the response toolkit media
2. Check for dependencies with Filemon
3. Create a checksum for the response toolkit
4. Write-protect any toolkit floppies or CDs

1. Label the response toolkit media: An initial phase in evidence gathering is to archive the gathering itself. Your response toolkit CD-ROM or floppy disk ought to be labelled to identify this portion of your investigation. For instance, for our response floppies and CDs, we make a label that has the following data on it:
a. The case number.
b. The time and date.
c. Name of the examiner who made or created the response media.
d. Name of the examiner utilizing the response media.
e. Whether or not the response media (CD) contains output files or evidence from the victim system.

2. Check for dependencies with Filemon: It is important to determine which DLLs and files the utilities in our toolkit depend on. We use Filemon to determine all the files accessed and affected by each of the commands on it. It is good to know which tools change access times on the target system; when we want, we can avoid using the tools that alter a lot of the target system.

3. Create a checksum for the response toolkit: To create this file, a checksum of all the commands on our floppy, CD and USB drive is taken; the md5sum command is used. The checksum file is created as follows.

Creating a checksum for the response toolkit using md5sum:

E:\IRResponse>md5sum *.* > checksum.txt
E:\IRResponse>type checksum.txt

where checksum.txt is the text file with a checksum of all the commands.
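The checksum step above, together with the evidence-validation rule of 6.2.3 (the hash of every file in the case must match its forensic duplicate), as an added example in Python rather than with md5sum itself; it is not the textbook's code. It writes a manifest in md5sum's own "digest  filename" format and then goes one step beyond the page: it re-hashes the media later and reports which tools were altered, which are missing and which files appeared that the manifest never listed. The stand-in tool files, and the tampering done to them, are constructed in a temporary directory so the example runs offline; pass algorithm="sha256" to produce a collision-resistant manifest instead of the MD5 the book uses.

```python
"""md5sum-style manifest for a response toolkit, with verification (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algorithm="md5"):
    """Hex digest of a file, read in chunks so large images are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(toolkit_dir, manifest_name="checksum.txt", algorithm="md5"):
    """Hash every regular file in toolkit_dir (except the manifest itself) and
    write one 'digest  filename' line per file, the format md5sum prints."""
    toolkit_dir = Path(toolkit_dir)
    lines = []
    for p in sorted(toolkit_dir.iterdir()):
        if p.is_file() and p.name != manifest_name:
            lines.append(f"{file_digest(p, algorithm)}  {p.name}")
    (toolkit_dir / manifest_name).write_text("\n".join(lines) + "\n")
    return lines


def parse_manifest(text):
    """Parse md5sum-style lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.strip()] = digest
    return entries


def verify_manifest(toolkit_dir, manifest_name="checksum.txt", algorithm="md5"):
    """Compare the media against its manifest. Returns the names of altered,
    missing and unlisted files; all three lists empty means the media is intact."""
    toolkit_dir = Path(toolkit_dir)
    expected = parse_manifest((toolkit_dir / manifest_name).read_text())
    present = {p.name for p in toolkit_dir.iterdir()
               if p.is_file() and p.name != manifest_name}
    altered = [n for n in expected if n in present
               and file_digest(toolkit_dir / n, algorithm) != expected[n]]
    missing = [n for n in expected if n not in present]
    unlisted = sorted(present - expected.keys())
    return {"altered": altered, "missing": missing, "unlisted": unlisted}


def demo():
    """Constructed toolkit of three stand-in tool files; verify it clean, then
    alter one tool, delete one and plant an extra file, and verify again."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("pslist.exe", b"PSLIST"), ("nc.exe", b"NETCAT"),
                           ("fport.exe", b"FPORT")]:
            (Path(d) / name).write_bytes(body)
        write_manifest(d)
        clean = verify_manifest(d)
        (Path(d) / "nc.exe").write_bytes(b"NETCAT-REPLACED")   # altered tool
        os.remove(Path(d) / "fport.exe")                        # missing tool
        (Path(d) / "extra.dll").write_bytes(b"X")               # unlisted file
        dirty = verify_manifest(d)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("fresh media:", before)
    print("after tampering:", after)
```

Keep the manifest off the media it describes (or sign it) when it must prove anything: a manifest stored next to the files it covers can be regenerated by whoever altered them.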
4. Write-protect any toolkit floppies: It is very important to write-protect the floppy disks after they are created. If evidentiary files are stored on the response floppy during an incident, then it is necessary to write-protect it after you accumulate data and begin the chain of custody. The chain of custody tags should be filled out for each response floppy or CD, whether or not it contains an evidence file.

6.4.1(B) Storing Information Obtained During the Initial Response

A lot of information is gathered during the initial response from the live framework or system. The term live is used to describe a system that is subject to an investigation, whether it is the currently powered-on system, the attacking system or the victim.

There are four options for retrieving information from a live system:
1. Save the data which you retrieve on the hard drive of the target system.
2. Record the retrieved data by hand in a notebook.
3. Save the retrieved data onto the response floppy disk or other removable media.
4. Use netcat and cryptcat to save the retrieved data on a remote forensic workstation.

Do not save the data on the hard drive, because doing so modifies the target system.

Using netcat: Netcat is used on the target system to channel the output of the response commands to the forensic workstation. What is needed is an IP address on the objective system and a laptop system with enough storage to hold the data you accumulate. Using netcat permits you to exchange all the pertinent system data and files you require to verify whether an incident happened. This strategy of data gathering advances two sound practices:
o It allows you to get on and off the target system quickly.
o It allows you to perform an offline review of the information obtained.

Fig. 6.4.1 illustrates the process of using netcat during initial response. To use netcat:
a. Initiate a netcat listener on the forensic workstation and redirect all incoming data to a file.
b. The forensic workstation listens for incoming connections on port 2222 and writes the information received on that port to a file called pslist. Type the following command for it:

E:\IRResponse> nc -l -p 2222 > pslist

Then run the pslist command on the target system as:

A:\> pslist | nc 192.168.0.20 2222

c. The output which we get after executing this command is sent to the forensic workstation at IP address 192.168.0.20.
fil in this way is, " netcat command does not know
the system. If the volume of the data is big then recording The
er t he connection should be break by pressing CTRL-
data by hand is not practical. As the size of the floppy drives are completing the data transf
usually not big so using floppy drive is not advisable, complete. So the soluti ion is after
better use other removable, writable media which are having / /
larger capacity than a floppy, like removable USB drive. i ation.
Despite the growth of USB ports, there is still need of saving or when the file size is no longer growing
on the
data across a network. So netcat is used to transfer the ——— pinning on
i the target syste
information from the target system to a remote
forensic system. ® When the floppy or CD-ROM stops s
ip! te.
ns data transfer isis comple
Transferring data with netcat forensic workstation it mea
ence integrity
2 Use md5sum to ensure evid response using md5sum. Run the
;are retri eved during the
2
F ‘
ity of th files which which is also known as the
Time | ltisimportant to preserve the integr on in the presen
ce of
ee MdSsum on the files stored he
on the forensic workst
ati
S_teggedon
eo | ‘Wo-man integrity rule.
8is¢ | Encrypting data with crypteat the data may be visible to networ
k spies. Syntax and
are The disadvantage of transferring 43} na across 2
etwork is that
the data transfe
rred is encrypted. There are two benefits
Forensic System SS erence
ine at but the nly ly
diff
ion of cryptcat is similar to netc :
1: Run trusted commands on
NT Server Hen i ati arget syst
em
2: Send output to forensics
box crypting the data when sending files from " the information you obti
.3: Perform off-line review mdSs via netcat promise ction of data.
1. An attacker's sniffer cannot com|
um output files.
isk of inje
2 Encrypting the data nearly eliminates he" .
Fig. 6.4.1: Transf erring \ (C)— ile Data ith us, now it is important exactly which data to
Netcat’
ae is used to create a channel of Commun
data using netcat
optaining volatile D4 ogy we rior to turning off that system is necessar
y.
ication } between h oolkit an da methodol
during initial response
;
to create a re! ial
le TCP connection between oe
i is freely available tool. We use netcat Till Now we have our PI repare' d forensic t
pa data fort the windows
r/2a00 system PI ‘cation:
the target e forensic dupli
t systems, and the forensic workstation Collect, Obtaining the volatile cted befor WY Techtnewtedga
The following minimum vola
Forensics (MU) 6-12 Digital Forensicg
ed System Security & Digital

Scanned with CamScanner


1. Date and time of the system.
2. Currently logged on users list.
3. Entire file system's time and date stamps.
4. Currently running processes list.
5. Currently open sockets list.
6. The applications listening on open sockets.
7. A list of the systems that have current or had recent connections to the system.

If you are aware that your investigation is doubtful to require forensic duplication, then there is a requirement for more data collection.

Organizing and Documenting Your Investigation

For organizing and documenting the investigation you need a methodology. There are two reasons for thoroughly documenting your actions when responding at the console of a victim system :
1. To gather information that may become evidence against an individual.
2. To protect your own organization.

In case the server crashes while retrieving the data from it, if we have done the documentation properly then we have detailed information of the steps performed on the machine. It is necessary to have an MD5 sum file with the checksum of each tool we use before collecting data. For investigation purposes, record the start time of the command executed and the command line entered, and also document whether we ran a trusted or untrusted binary. Record the full path name for untrusted binaries during response. Then generate an MD5 sum of the data obtained by each command and add any relevant comments.

Collecting Volatile Data

Now you know what to collect and how to document your response, you are ready to retrieve the volatile data. There are 10 steps for data collection; they are as follows :
1. Execute a trusted cmd.exe.
2. Record the system time and date.
3. Determine who is logged into the system (and remote-access users, if applicable).
4. Record modification, creation, and access times of all files.
5. Determine open ports.
6. List applications associated with open ports.
7. List all running processes.
8. List current and recent connections.
9. Record the system time and date.
10. Document the commands used during initial response.

The following sections describe how to perform the 10 steps given above :

1. Executing a trusted cmd.exe : Click on the Start button and type the Run command on the Windows system to open a trusted cmd.exe application from your floppy drive or CD drive.

2. Recording the system time and date : The time and date commands are a part of the cmd.exe application. Use the date and time commands to write the date and time in date.txt.

3. Determining who is logged in to the system and remote-access users : PsLoggedOn is a utility that shows all users connected locally and remotely. The command-line tool to enumerate the users who can log in to a system via RAS is called rasusers.

4. Recording modification, creation, and access times of all files : Use the dir command to get a directory listing of all files on the target system, recording their size, access, modification, and creation times.

dir /t:a /a /s /o:d c:\   provides a recursive directory listing of all the access times on the C: drive
dir /t:w /a /s /o:d d:\   provides a recursive directory listing of all the modification times on the D: drive
dir /t:c /a /s /o:d e:\   provides a recursive directory listing of all the creation times on the E: drive

5. Determining open ports : To determine which ports are open, use netstat, a standard Windows command that enumerates all listening ports and all current connections to those ports. netstat is useful for recording volatile data such as current connections and connections that have just terminated.

6. Listing applications associated with open ports : It is helpful to know which processes listen on which specific ports. Otherwise, you will not be able to separate rogue processes from proper mission-critical processes. Foundstone supplies a free tool called Fport, which enumerates listening ports for all processes on a Windows NT/2000 system. Fport lists the open ports on a system and the application on each port. When netstat shows a rogue process listening for connections, or current connections to that process, you may want to terminate it to protect your system from potentially malicious actions taken by unauthorized intruders.

7. Listing all running processes : The pslist utility is used to list all running processes on the target system. When necessary, use the kill command to terminate a process on the target system.

8. Listing current and recent connections : netstat, arp and nbtstat are useful utilities to enumerate who is connected or has recently connected to a system. These three utilities may be the only way to identify the systems communicating with the target.
- netstat : lists current and recent connections, the open ports and the remote IP addresses of the systems communicating with the target.
- arp : This command maps the IP address to the physical MAC address for the systems that the target system has been communicating with in the last minute.
- nbtstat : This command is used to access the remote NetBIOS name cache, listing the recent NetBIOS connections for approximately the last ten minutes.

9. Recording the system time and date : Type the date and time commands on the command line to record the time and date that you completed the live data collection. This ensures that you have a record of when you were on the system, so that if anything is changed on the system outside this timeframe, you will know that you are not responsible for the alteration.

10. Documenting the commands used during initial response : Use the doskey /history command to display the command history of the current command shell on a system (if the situation warrants). We also use doskey /history to keep track of the commands executed on the system during a response.

Scripting Your Initial Response

Many of the steps taken during the initial response can be incorporated into a single batch script. First script the response, then use netcat to transfer the results of the script to a forensic workstation. Simply do the following things :
1. Create a text file and add the .bat extension to it to make it a batch file.
2. Name the file irsp.bat.
3. Run it on target systems.

To redirect the output of a script of multiple commands to a single netcat socket, the following command is used at the command line on the analysis system :

nc.exe -L -p 2222 >> irspoutput.txt

Here is a sample script that can be used when responding to incidents on Windows systems :

time /t
date /t
psloggedon
dir /t:a /o:d /a /s c:\
dir /t:w /o:d /a /s c:\
dir /t:c /o:d /a /s c:\
netstat -an
fport
pslist
nbtstat -c
time /t
date /t
doskey /history

6.4.2 Initial Response and Volatile Data Collection from UNIX System

The initial response for incidents on UNIX systems is similar to the initial response for incidents on Windows systems. The goal is to obtain the volatile system data before forensic duplication. You can expand the scope of your initial response to obtain log files, configuration files, system files, and relevant files (e.g., hacker tools and suspicious programs) to rapidly confirm whether or not an incident occurred.

One difference between working with Windows and Unix systems is the difficulty of recovering deleted files on some Unix variants. When you execute a process in the Windows environment, you cannot delete the file corresponding to the running process from the hard drive. However, the Unix operating system allows you to delete a program after it has been executed: the process is running, yet the program's file has been deleted from the hard drive.

Creating a Response Toolkit

Preparing your trusted toolkit is more difficult and time-consuming than it sounds, because practically every variant of Unix requires a unique toolkit. Since many of the tools recommended in this chapter are not included with the standard Unix operating systems, you must compile the source code on your own. For example, if the victim machine is a Sparc server running Solaris 2.8, you need to compile your tools on a clean copy of Solaris 2.8 on a compatible system with the same architecture. Further, many Unix versions are not backward or forward compatible. For example, programs compiled to run on a Solaris 2.6 system may not work correctly on Solaris 2.7, and vice versa. All these issues increase the amount of resources and time required for creating your UNIX response toolkits. You may not have the time to create response toolkits after an incident occurs; therefore, it is essential to create the response toolkits prior to an incident.

Table 6.4.2 : Tools for response kit of UNIX (among them ls and ifconfig)

6.4.2(B) Storing Information Obtained During the Initial Response

When you respond to an incident, you must choose where to store the information retrieved during the initial response. You have the following storage options :
1. Store the data on the local hard drive.
2. Store the data to remote media such as floppy disks, USB drives, or tape drives.
3. Record the information by hand.
4. Store the data on a forensic workstation over the network.

Do not store the data on the local hard drive, because writing to it will overwrite deleted data of evidentiary value. The disadvantage of USB drives is that only newer versions of Unix support them; where they are supported, it is better to use USB drives than floppies.
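As an added example (not from the textbook), here is a POSIX shell counterpart of the Windows batch script above, built from the commands Section 6.4.2 prescribes for Unix (date, w, ls -alRu/-alRc/-alR, netstat -an/-anp, ps -eaf, md5sum). The ir_* function names, the commands.log format and the optional ROOT argument are my own assumptions; it assumes GNU or busybox coreutils and that it is started from a trusted shell with the trusted tools first in PATH.

```shell
#!/bin/sh
# Added example (not the textbook's own script). OUTDIR must be on the
# response media (floppy/USB), never on the target's own hard drive.

IR_DATE_FMT='+%Y-%m-%dT%H:%M:%SZ'

# Run one collection step: log the command line with start/end time and
# exit code (the documentation requirement of 6.4.1), and save its output
# as OUTDIR/NAME.txt. Tools missing on this Unix flavour are logged as SKIP.
ir_step() {
    outdir=$1; name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s  SKIP  %s (not available)\n' "$(date -u "$IR_DATE_FMT")" "$*" >> "$outdir/commands.log"
        return 0
    fi
    printf '%s  START %s\n' "$(date -u "$IR_DATE_FMT")" "$*" >> "$outdir/commands.log"
    rc=0
    "$@" > "$outdir/$name.txt" 2>> "$outdir/errors.log" || rc=$?
    printf '%s  END   %s (exit %s)\n' "$(date -u "$IR_DATE_FMT")" "$*" "$rc" >> "$outdir/commands.log"
}

# Steps 2-9 of the Unix collection. ROOT defaults to /; a smaller tree can be
# passed when exercising the script (assumed extension, not in the text).
ir_collect() {
    outdir=$1; root=${2:-/}
    mkdir -p "$outdir" || return 1
    : > "$outdir/commands.log"
    : > "$outdir/errors.log"
    ir_step "$outdir" date_start  date -u             # step 2: system time and date
    ir_step "$outdir" who         w                   # step 3: logged-on users
    ir_step "$outdir" atime       ls -alRu "$root"    # step 4: access times
    ir_step "$outdir" ctime       ls -alRc "$root"    #         inode change times
    ir_step "$outdir" mtime       ls -alR  "$root"    #         modification times
    ir_step "$outdir" ports       netstat -an         # step 5: open ports
    ir_step "$outdir" port_apps   netstat -anp        # step 6: PID per port
    ir_step "$outdir" processes   ps -eaf             # step 7 (ps -aux on BSD/Linux)
    ir_step "$outdir" connections netstat -an         # step 8: current/recent connections
    ir_step "$outdir" date_end    date -u             # step 9: time window closes
}

# Step 11: "md5sum * > md5sums.txt" over everything collected. The glob is
# expanded before the redirection creates md5sums.txt, and a stale manifest
# is removed first, so the manifest never hashes itself.
ir_checksum() {
    ( cd "$1" && rm -f md5sums.txt && md5sum commands.log errors.log *.txt > md5sums.txt )
}

# Later (before analysis, or for the two-man integrity check): returns 0 only
# if every recorded file still has the recorded MD5.
ir_verify() {
    ( cd "$1" && md5sum -c md5sums.txt >/dev/null 2>&1 )
}
```

After ir_collect, transfer OUTDIR to the forensic workstation and rerun ir_verify there; any edited or truncated output file makes it return non-zero.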


6.4.2(C) Obtaining Volatile Data Prior to Forensic Duplication

When you respond to a target system running UNIX, you will encounter one of two scenarios :
1. The system is running in console mode.
2. The system is running X Windows, a GUI similar to the Windows desktop.

When you are obtaining volatile data, you'll want to respond to the target device at the console, in preference to getting access to it over the network. This eliminates the possibility of the attacker monitoring your response and ensures that you are running trusted commands. To avoid common X Windows-based vulnerabilities that allow the attacker to log keystrokes, it helps to avoid X Windows before you initiate your response. If you are responding to a Linux system, you may be able to switch to another virtual console by pressing ALT-F2.

If you are certain that you may be doing a forensic duplication of the target device, you have to focus on obtaining the volatile system data before powering down the system. The volatile information consists of presently open sockets, running processes, the contents of system RAM, and the location of unlinked files. The unlinked files are files marked for deletion while processes still have access to them; files marked for deletion will "disappear" when the system is powered down. Therefore, the volatile evidence, inclusive of the files marked for deletion, has to be obtained before powering down. This could give you some grief, because getting a deleted file back in most flavours of Unix is not as simple as running an undeletion tool.

Log on locally at the victim console with root-level privileges. Now mount the trusted toolkit and respond with trusted tools. The following is the command syntax to mount a floppy drive when responding to a Linux system :

mount /dev/fd0 /mnt/floppy

This command mounts your trusted toolkit on the mount point /mnt/floppy. To access the trusted files, change the directory to /mnt/floppy.

The first step in all responses is to be certain you are executing a trusted command shell. The Unix shells can be trojaned by attackers to log all the commands executed or to perform operations invisible to the investigator. Therefore, you will want to execute your own trusted shell. Once you have executed your trusted shell, set your PATH environment variable equal to dot (.). This will decrease the chances of someone accidentally executing untrusted commands that are in the target system's PATH.

Collecting the Data

1. Date and time of the system.
2. Currently logged on users list.
3. Entire file system's time and date stamps.
4. Currently running processes list.
5. Currently open sockets list.
6. The applications listening on open sockets.
7. A list of the systems that have current or had recent connections to the system.

To collect the live data in this list, you can take these steps :
1. Execute a trusted shell.
2. Record the system time and date.
3. Determine who is logged onto the system.
4. Record modification, creation, and access times of all files.
5. Determine open ports.
6. List applications associated with open ports.
7. Determine the running processes.
8. List current and recent connections.
9. Record the system time.
10. Record the steps taken.
11. Record cryptographic checksums.

Keep in mind that the steps we outline are merely a guide; you will certainly need to tailor the order and the tools used based on the totality of the circumstances. You may need to conduct your steps in a different manner, and you may opt to include tools we do not mention.

1. Recording the system time and date : The local date and time settings are important for later correlation of time/date stamps, and they also show when you were on the system. To capture this information, use the date command :

[root@conan /root]# date

2. Determining who is logged on : The w (what) command displays the logged-on user IDs and from which system they have logged on. It also shows what they are executing on the system, with the date and system time.

3. Recording file modification, access, and inode change times : An inode is a data structure in Unix which is used to represent file system objects. Inode structures have 3 time/date stamps for every file and directory: access time (atime), modification time (mtime), and inode change time (ctime). You can use a trusted ls with the proper command-line arguments to obtain those time/date stamps and store the output on a trusted floppy disk. The subsequent lines do this :


ls -alRu / > /floppy/atime
ls -alRc / > /floppy/ctime
ls -alR / > /floppy/mtime

5. Determining which ports are open : The netstat command is used to determine the open ports. The netstat -an command is used to view all open ports. The -n option tells netstat not to resolve hostnames, which reduces the impact on the system and speeds the execution of the command.

6. Listing applications associated with open ports : With the netstat command, the -p option is used, which maps the name of the application and its Process ID (PID) to the open ports.

7. Determining the running processes : Taking a snapshot of all the running processes during initial response is critical. This can be done by using the standard ps (process status) command. The output varies among the different UNIX flavours.
1. Use ps -eaf on Solaris systems.
2. Use ps -aux on FreeBSD and Linux systems.

8. Listing current and recent connections : The netstat command provides information about another aspect of live response: current and recent connections. The command usage is identical to that for determining which ports are open.

9. Recording system time : Use the date command again (repeat step 2) to record the current system time. This is needed for another timestamp, so that you will know the exact time window during which you manipulated the system. Thus, any changes that take place outside this time window are not due to your investigation.

10. Recording the steps taken : Finally, record all of the commands you have issued to the system. There are several possibilities here: use script, history or the vi editor. Since you issued all commands from a trusted shell, using the history command will record all of the commands you've executed. A better choice is the script command, which will record your keystrokes and the output. If you choose to use the script command, you'll need to run it before you perform the live response.

11. Recording cryptographic checksums : Finally, record the cryptographic checksums of all recorded data. Simply run the md5sum program against all files in the data directory, as shown here :

[root@conan /root]# md5sum * > md5sums.txt

12. Scripting the initial response : Write a simple shell script to automate the live data collection. The steps for a Unix system are the same as for a Windows system. Place your script in the same directory as the response tools.

6.5 Forensic Duplication Techniques

In the previous sections we have seen how to obtain volatile data from Windows and Unix systems. In many cases, the decision of when to perform a forensic duplication is part of the response strategy, which is already formulated. The forensic duplication process is a standard procedure whose product can be used as legal evidence. In this section we will first see the terms related to forensic duplication and define them, then how to obtain a forensically sound duplicate image, and some generally accepted tools and techniques used to obtain a forensically sound duplicate image.

6.5.1 Forensic Duplicates as Admissible Evidence

It is very necessary to know what requirements need to be met by a tool before it becomes a part of your investigative process. The tool or process must ultimately provide an item or data that may be presented at a trial. Furthermore, there is a set of acknowledged legal standards that define the minimum criteria to be met for an item to be accepted into evidence. Due to the manner in which we access the data, the action of accumulating evidence also falls under the best evidence rule; this applies to forensic duplicates. When the issues in a case are based on the facts of the case, the information presented in court must be the original: the Federal Rules of Evidence (FRE), U.S. rule 1002, states this. As with most rules governing legal issues, there are always exceptions. Quite often, the originals themselves cannot be obtained due to business needs. Fortunately for us, the exceptions relevant for our purposes are defined in two rules :

1. FRE §1001-3, Definitions and Duplicates : "If data are stored by computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original."
2. FRE §1003, Admissibility of Duplicates : "A duplicate is admissible to the same extent as an original unless (a) a genuine question is raised as to the authenticity of the original or (b) in the circumstances it would be unfair to admit the duplicate in lieu of the original."

This concept of representational accuracy extends from the logical file system to the physical storage medium, and it gives several possibilities: forensic duplicates, qualified forensic duplicates, restored images, mirror images, and logical copies of discrete files. Let's define these terms.

6.5.1(A) Forensic Duplicate

A forensic duplicate is a file that contains every bit of information from the source, in a raw bit stream format. A 5GB hard drive would result in a 5GB forensic duplicate. Where an error occurred in a read operation, a placeholder is put where the bad data would have been. A forensic duplicate may be compressed.

Tools that create a forensic duplicate :
1. dd (the Unix dd command)
2. dcfldd (the U.S. Department of Defense Computer Forensics Lab version of the Unix dd command)
3. ODD (Open Data Duplicator), an open-source tool
6.5.1(B) Qualified Forensic Duplicate

A qualified forensic duplicate is a file that contains every bit of information from the source, but may be stored in an altered or changed form. Two examples of altered forms are in-band hashes and Empty Quarter compression.

- In-band hashes : Some tools will read a group of sectors from the source, generate a hash from that group of sectors, and write the sector group to the output file, accompanied by the hash value. This approach works very well if something goes wrong in the course of the duplication or the recovery of the image. If a sector group fails to match the hash value generated for it, the recovery can continue, and the analyst is notified that the records from that area may be invalid. If a similar state of affairs came about with a dd duplicate file, the place of the mistake may be unknown, probably invalidating the entire reproduction.
- Empty Quarter compression : This is a technique for minimizing the size of the output file. For empty sectors, the tool makes a unique entry inside the output file in place of the sector data.

Three tools that create qualified forensic duplicate output files are :
1. SafeBack
2. EnCase
3. FTK Imager

6.5.1(C) Restored Image

A restored image is what you get when you restore a forensic duplicate or a qualified forensic duplicate to another storage medium. The restoration process is more complicated than it sounds. For example, one method involves a blind sector-to-sector copy of the original file to the destination hard drive. If the destination hard drive is the same as the original hard drive, the geometry of the hard drive matches, and the partition tables will be accurate: if the table says that partition 2 starts on cylinder 20, head 3, and sector 0, that is where the data actually resides. But what if the destination hard drive is not the same as the original hard drive? If you restore the forensic duplicate of a 2GB drive to a 20GB drive, then the geometries do not match. In fact, all of the data from the original drive may occupy only the first cylinders of the 20GB destination drive. Therefore, a partition that started on cylinder 20, head 3, and sector 0 on the original drive may actually start on cylinder 2, head 9, and sector 0 on the destination drive. The software would look in the wrong location and give inaccurate results. If you simply copied the forensic duplicate to a large destination drive, the restored image would be nearly useless; most forensic processing software will detect this.

How does the restoration software compensate for this? As the forensic duplicate is restored to the destination hard drive, the restoration software updates the partition tables and boot sectors on the destination drive with the new values. Is the restored image an exact duplicate of the original? If the analyst generates checksums of the original and of the restored image, will they match? The answer is no in both cases. Is the data on the restored image still a true and accurate representation of the original for the purposes of analysis? Yes.

The method of updating the partition tables on the destination hard drive is not reliable. When hard drives grew beyond 512 MB, the PC BIOS could not recognize such huge drives. Hard drive manufacturers came up with a way around the problem while motherboard manufacturers were scrambling to update their software to recognize the larger drives. Instead of forcing everyone to buy new motherboards with updated BIOS code, they released software that emulated the BIOS. This software would "push" the real partition table down, and store its own program and information in sector 1. The real partition table would be at cylinder 0, head 0, and sector 2.

Some analysis software avoids restoration altogether: EnCase treats EnCase and dd images as virtual disks, eliminating the need for restoration.

6.5.1(D) Mirror Image

A mirror image is created from hardware that does a bit-by-bit copy from one hard drive to another. Hardware solutions are very fast, pushing the theoretical maximum data rate of the IDE or SCSI interfaces. Investigators do not make mirror images very often, because it introduces an extra step in the forensic process, requiring the examiner to create a forensically sound working copy in a repeatable manner. If your organization has the ability to make working copies, you can keep the original drive seized from the computer system being investigated (or never take it offsite); the analyst will be required to create a working copy, since the original drive must be returned, instead of making a second working copy of the mirror image for analysis. The small amount of time saved onsite is overshadowed by the overhead of creating a mirror image.

We will not cover the process of creating a mirror image here. Most hardware duplicators are relatively simple to set up and operate. Two such duplicators are Logicube's Forensic SF-5000 and Intelligent Computer Solutions' Image MASSter Solo-2 Professional Plus. You do need to ensure that the hardware device creates a true mirror image. Many duplicating machines on the market are made for system integration companies who use them for installing operating systems on large numbers of hard drives. Such a hardware device will typically alter the boot and partition blocks so that partitions fall on cylinder boundaries, and this alters the resulting image. With any process, test it thoroughly before you trust that it creates an exact duplicate.

6.5.2 Forensic Duplication Tool Requirements

Expanding on the legal standards that a tool must meet, a forensic duplication tool must satisfy the following :
- The tool must be able to image every bit of data on the storage medium.
- The tool must create a forensic duplicate or mirror image of the original storage medium.
- The tool must handle read errors in a robust and graceful manner. If a process fails after repeated attempts, the error is noted and the imaging process continues. A placeholder may be placed in the output file with the same dimensions as the unreadable portion; the contents of this placeholder must be archived in the tool's documentation.
- The tool must not make any changes to the original storage medium.
- The results must be repeatable and verifiable by a third party, if essential.
) 6-22
tal Forensics (MU
Pysecurity g Digi
is processing.
ice the next step
rches and extractsce at
ms simple string sea
ic image and perfor ; in which give fer
Dl igital Forensi he forensi
es using the Notes plug TALON The hey
o manage som! e not
ATNANY
Wa dvanced S\ stem Securit .
curity& Digital Forensics
(MU) 6-21
time, and
.
the system description.
a = 4
operatio! n, the less actual date and
by the tool amid and time, the oming data steam, ty
The more data lo gged puters date of bytes from the
inc
e
gs are crucially im| portant also.
record the procedure to extract @ cer
tain number
oncet he duplic
ation has Snie: ic Ales
demandinIng your oct tion will be the point at which you
‘cupatio e Cary plug-in for extraction,
ed gif and jpg
¢ reati ing a Forensic Duplicate of Hard Drive we have select
65.3. s, FOr example, server.
on the ODD
ina directory Drive
| lowing tot ols to ls are
ar d.
ust ed. of a Hard
it e of hard diri ive the followi
ic Duplicat e
the fe forensic
‘0 Create the forensi duplicat following
Forens metia can
i. dd and dcfidd ing qualified evidence drive.
Many ite ms on the evidence
er boot fr om the
gator tha’ t nev the hard drive.
ODD (Open Data Duplicator) as an inv esti the boot blo ck on
2.
must to kn ow OS exec utes figuration Ales
, and
ment the BI Registry, con
Crea ti ing forensic duplicate using dd and defldd
tis from tl he mo on informati on,
the
isa tuecony,
1. ; starting timestamps,
P24 iti that the COPY
pealt ered file access sic” imp! 5
process, qualifier “foren can compare the
The dd tool i is the part of the GNU itial DOOt of seconds. The tify this, one
In order to cer

—i a=
In the inl d ina matter hash. &
be chan ge are the s ame. known as @
SS to createi ciate
the ns rensic. ———E
duplicate.
re-released as dcfldd. | TI The dd tool iis very reliable
log files may the duplicate by usin g sig
natures, also
simi
using the dd t 0 ol si imply Ti transposing a single
importa nt iginal and s of a sector
, 3
from the or the process
h
y-bit ce copy of the
e ;bi it-by-bi original. While
he . dd tool perf . a complet
performs ; the cont ent
n spe ed up
;
=
bit stream ulated ft rom
efore using it as wi Il as with th ie that is, the , OF one ca tes long calc
" me e bit-by-bit en 4 and
22 by
d duplicat
bes cue foot ,
pically b etwe
wun
Unix environment address storage devices. ‘
original an e of data, ty plicated that
it is
e s a small piec is so com
i require f for duplicating hardrd drive
he steps ps require dri using dd are signatur i rd drive. e the sign
at ures tl hat has the same
awh ole ha to g en er at oF file that
Create a boot media. track, afile, or us e an algorith
m
a sector, bl
ock, track,
proving that
the
codes SHA1
1.
me way of
i . ic edundancy s too long
) to will have 50
2. ',
|
Perform du
the e duplication in wi wi dd. Ins ome situations
ith i red
i Nn: the duplication n is stored in in th the series of the files which are = 32-bit cycl it just take du
lly impos: sible (i.e.
ationa file. A good
fi me ns a fi
pe or file system type, we call | this egmented image.
thi as segmented im. ge. S Sodlo he followin ig comput track, OF
sized: d to to fitfit on: a specific
3 give n sector
, block,
e gnature.
signatur as ul at ing the
si
Back
e pically by ca
lc s like Safe
duplicat is tru e, ty aP| plication
imag! ing DOS copy
|
- Write the script to perform hard drive duplication.
ical
For doin g the mmand WI
| format and
1 Creating a Boot Di
sk ga syste m. allowing CO
- h source d device name. 5
Wi rite d down the
4 for imagin' disk. The f
tis require pos boot
Aclean operating e'
nvironmen
must cre
ate an MS
t yOu
- Us se the dd command.
mm: eee it mean 5 tha
or EnCase is used e computer
tul ning,
the output file in Li te @ floppy * je to get th
i
It is also possible to cre te the dupli wi
in © without
i
splitting of duplica the system files to contail VSPACE.B
IN.
calcul, jate MDS sum of the
duplicate
3 entiree drive
e pass over the s ‘ource hard drive
. inti: Telcreat @ such type yy. These
file s
M!
DR
ns to
the flopP’ S and CO Sand begi
e root dir ectory of wspos.s¥
2. Creating 9 forensicIe dup.
duplicate wit! fh Open
en Data Di uplicator
i (ODD) files in th are: \ 0.S¥S, loads th
e
se four fi
le
There should be fou preter,
ch foll mand the mand in
ter
The Open D; ata Duplicat D) is an opepen-nsource tool whi ‘ollows the client server modelel
sei
(OD a minimal operating syst the com
the investi tor to‘or perf form forensic duplicati
iaallows e investiga
mod
sysrtem
com, puter rve
el. This client
s si
simultan ously over a loc
al the 10.5%:
a number of firstprocess
plications on The computer
N.
drivers. test> al
ensi initialize device
We can use the soft F
for h h er system: .
ware on a single forensic system because bot alves ca be run on the same comput During the process
ODD can perform additiitional functi ions on the data as it is bein; : processed. ODD
l-
s
cludes module 10.S¥5 1026 driver file
(plug-ins) .
oe th: at wi calculate checksums and hi ashes, perform string searches, » and and extract files b: ased on the file software then ressed the loading of the
DRVSPACE-BIN
with an
present the operating gystem on ne a
- The ODD package
package is Is having
naving th three Portions
i
portions
chaneges the time/date stamps
itea ecoie of “
: the strings
disk, YOU 4 hex editor and alter
load JO.SYS into
0 you. cleanbet d stat but
© Bootable CD-ROMs: These are si Li x distribution
wi the _ Trinuxtinux Linu When you boot from your
er to 3
Server-side application : The serv , n the fil le Is ? gon for a
o perform inos t of the 7 the
t
fail Is. Simp
ly removing Continue to
search the file
calculation of f hashes, string search:
pl : ssing
i
of the duplicate image, including |
joading of? °ecutable file.
$V the file
ches, and the st 01
forensic duplicat partitions for the file.
t
oni yent the 10a!ation 5|
Client-side appl be run teat ofthe true | hen you are finished,
ee : Thisdi portioni may
o pre
ii ”on a forensic workstation:
When we perform th nae
J juplicat! ing drives {
of h: a if nee
‘ locally
han drive
= sa ie forensic
¢ duplication
iesgasiiededea the location of the ODD server
Then the ODD server

which we can use topias it detects
for the i i
of some portions.
ODD duplication
Technet gt
Scanned with CamScanner
vee cad
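The dd procedure above (a segmented image plus a hash of the whole drive to certify the duplicate) as an added shell example; it is not code from the book. It assumes GNU coreutils and uses an ordinary file as a stand-in for the evidence device; the source size must be a multiple of the 512-byte block size, because conv=sync pads a short final block.

```shell
# Added example, not from the book: a segmented dd duplicate with hash verification.
# Assumes GNU coreutils (dd, split, md5sum). SRC is an evidence block device or, as in
# the usage below, an ordinary file standing in for one. Because conv=sync pads a short
# final block with zeros, the source size must be a multiple of BS (always true for a disk).

# forensic_dd_image SRC OUTPREFIX SEGBYTES
# Writes SRC bit-for-bit into segments OUTPREFIX.aa, OUTPREFIX.ab, ... of SEGBYTES each,
# records the run in OUTPREFIX.log, and returns 0 only if the MD5 of the reassembled
# image equals the MD5 of the source.
forensic_dd_image() {
    src="$1"; out="$2"; seg="$3"; bs=512
    log="$out.log"
    {
        echo "source: $src"
        echo "block size: $bs, segment size: $seg"
        echo "start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$log"

    # conv=noerror,sync keeps reading past a bad block and writes zeros in its place,
    # so an unreadable sector becomes a fixed-size placeholder rather than an abort;
    # dd reports its record counts and any read errors on stderr, which go to the log.
    dd if="$src" bs="$bs" conv=noerror,sync 2>>"$log" | split -b "$seg" - "$out."

    # Signature of the original and of the reassembled segmented image.
    src_hash=$(md5sum < "$src" | cut -d' ' -f1)
    img_hash=$(cat "$out".?? | md5sum | cut -d' ' -f1)
    {
        echo "source md5: $src_hash"
        echo "image  md5: $img_hash"
        echo "end: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# Usage on a constructed 3072-byte stand-in for an evidence drive:
#   dd if=/dev/urandom of=evidence.bin bs=512 count=6
#   forensic_dd_image evidence.bin image 1024 && echo "duplicate verified"
```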
- After you have created the clean boot floppy, to be on the safe side remove the DRVSPACE.BIN file from the floppy as well. Copy over any DOS-mode drivers that you will need to access the hard drives on the computer system under investigation. The best source for DOS drivers is the web site of each hardware manufacturer, rather than the driver CD that ships with the product.

2. Use the EnCase tool

- EnCase is a high-priced but very impressive Windows-based forensics suite that generates certified forensic duplicates. Being Windows based makes EnCase easy to use; however, it also introduces a few issues, namely the OS recognizing the suspect drives and, in the process, changing their contents. This does not mean, of course, that EnCase itself will ever alter user data.
- EnCase's strength lies in its seamless integration of all forensic investigation tasks. EnCase generates a certified forensic duplicate.

3. Use the SafeBack tool

- SafeBack is a small software program that is placed on a DOS boot disk (normally a floppy, although this could change as floppy drives die out).
- It offers options on the kind of duplicate: a real forensic duplicate or a mirror. We will need to have a clean DOS environment ready on a boot floppy.

6.6 Analysis of Forensic Images Using Open Source Tools like Autopsy and SIFT

6.6.1 Autopsy

- Autopsy is a digital forensics platform that efficiently analyzes smartphones and hard disks. It is used worldwide by a large number of users, including law enforcement agencies, the military, and corporations, to carry out investigations on a computer system. It has an easy-to-use interface, processes data fast, and is cost-effective. The Sleuth Kit is a collection of command line tools and a C library allowing the analysis of disk images and file recovery. It is used at the back end of the Autopsy tool.

Features of Autopsy:

- Timeline Analysis: Advanced interface for graphical event viewing.
- Hash Filtering: Flags known bad files and ignores known good files.
- Keyword Search: Indexed keyword search makes file search easier.
- Web Artifacts: Extracting bookmarks, history, and cookies from web browsers.
- Data Carving: Recovering deleted files from unallocated space by using PhotoRec.
- Multimedia: Extracting EXIF from pictures and watching videos.
- Compromise Indicators: Scanning a computer using STIX.

Advantage of Autopsy: Good documentation and support.

Disadvantage of Autopsy: It requires special user skills because

6.6.2 SIFT

- Based on Ubuntu, SIFT has all the important tools needed to carry out a detailed forensic analysis in Advanced Forensic Format (AFF), Expert Witness Format (EWF) and raw format. It comes with tools to carve data files, generate timelines from system logs, and examine the file system with the hex editor.
- SIFT provides user documentation that allows you to get accustomed to the available tools and their usage; it explains where evidence can be found on a system. Tools can also be opened manually.
- With more than 100,000 downloads to date, SIFT continues to be a widely used open-source forensic and incident response tool.

Features of SIFT:

- Ubuntu LTS 16.04 base
- 64-bit base system
- Auto-DFIR package update and customization
- VMware appliance ready to tackle forensics
- Cross-compatibility between Windows and Linux
- Option to install stand-alone via (.iso) or use via VMware Player/Workstation
- Online documentation project at http://sift.readthedocs.org/
- Expanded file system support

Advantages of SIFT: Better utilization of memory, modern forensic tools and techniques.

Analyzing an image with Autopsy on the SIFT workstation

Autopsy is built into the SANS Investigative Forensic Toolkit (SIFT workstation). Start Autopsy by clicking on the magnifying glass in the upper right corner.

Step 1: Start the Autopsy forensic browser. By default, Autopsy is available on the SIFT workstation; you connect to the Autopsy service using the URL http://localhost:9999. The default start page is displayed.

Step 2: Start a new case. Click New Case. This will add a new case and allow you to begin adding evidence.
Step 3: Create a new case

Begin by entering the details about the case. These include the name of the case itself and a description of the case. For this, you should have a means of identifying cases. An example could be something along the lines of "<Company>.<Instance>" if you do external consulting, or it could be related to specific designations within your own organization. The form asks for:

1. Case Name: The name of this investigation. It can contain only letters, numbers, and symbols.
2. Description: An optional, one-line description of this case.
3. Time zone: An optional time zone value (for example, EST5EDT). If not given, it defaults to the local setting. A list of time zones can be found in the help files.
4. Investigator Names: The optional names (with no spaces) of the investigators for this case.

You will see the message (displayed in Step 4) when the case file is created.

Step 4: Note where the evidence directory is located

[Screenshot: the Autopsy browser at http://localhost:9999/autopsy reporting "Creating Case: CHFI", with the case directory and the configuration file created under /home/knoppix on the analysis system.]

In the example above we see an example case I created for a CHFI course. This displays where the evidence is located on the system.

Step 5: Add a host

You must now create a host for this case. Click "Add Host" and you will be presented with a screen that allows you to add the host and a description. You can also add and use lists of known good or known bad hashes. Lists of "known good" files can be configured; these can be as simple as a hashed list of your own organization's files or as complex as the NSRL. Known rootkits and other malware can be added as a known bad list. Where a time skew is known, you can also add this in advance.

Step 6: Note where the host is located

Next, add the disk image by pressing the Add Image button. Autopsy allows you to use an image that you have already captured using the dd command, for instance. It is also possible to use Autopsy to capture an image, but that is covered elsewhere.
Step 7: Add an image to analyze

[Screen: Case: CHFI, Host: host1. "No images have been added to this host yet. Select the Add Image File button below to add one." Buttons: ADD IMAGE FILE, CLOSE HOST; FILE ACTIVITY TIME LINES, IMAGE INTEGRITY, HASH DATABASES, VIEW NOTES, EVENT SEQUENCER.]

The "Add Image" screen allows us to import the image that we are going to analyze in Autopsy. As you add hosts to the case, they will be displayed in the "Case Gallery". When you go back to the Case Gallery, you will be presented with the options displayed in Step 10.

Step 8: Select the location of the image to analyze

[Screen: Case: CHFI, Host: host1.]

1. Location: Enter the full path (starting with /) to the image file. If the image is split (either raw or EnCase), then enter '*' for the extension.
2. Type: Please select whether this image file is for a disk or a single partition (Disk / Partition).
3. Import Method: To analyze the image file, it must be located in the evidence locker. It can be imported from its current location using a symlink, by copying it, or by moving it. Note that if a system failure occurs during the move, then the image could become corrupt (Symlink / Copy / Move).

This will allow us to import an image into our evidence locker. Rather than working on the original image, you can select the move option to copy the image to the analysis host and have a separate copy of the image for use in Autopsy.

Step 9: Now try the other options

You should work with the various options and analyze an image to gain experience with the tool. Try the other options and experiment with them in order to become familiar with the features and functionality of the Autopsy browser.

The Autopsy Forensic Browser

- The primary modes and functions of the Autopsy Forensic Browser are to act as a graphical front end to The Sleuth Kit and other related tools, in order to provide the capabilities of analysis, search and case management in a simple but powerful forensic analysis platform. This collection of tools creates a simple yet comprehensive package. TSK provides support for raw, Expert Witness, and AFF image formats.

Analysis modes in Autopsy

- A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. When this occurs, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab.
- A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system is acquired and a dead analysis performed.

Evidence search techniques

The Autopsy Browser provides the following evidence search techniques:
1. File Listing: Analyze the files and directories, including the names of deleted files.
2. File Content: The contents of files can be viewed in raw or hex form, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages.
3. Hash Databases: Look up unknown files in a hash database to quickly identify them as known good or known bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user-created databases of known good and known bad files.
4. File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file is also compared to the file type, to identify files that may have had their extension changed to hide them.
5. Timeline of File Activity: A timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
6. Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
7. Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
8. Data Unit Analysis: Data units are where the file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats, including ASCII, hexdump, and strings. The file type is also given, and Autopsy will search the meta data structures to identify which one has allocated the data unit.
9. Image Details: File system details can be viewed, including the on-disk layout and times of activity. This mode provides information that is useful during data recovery.

6.7 Investigating System Logs

Logs from Unix and Windows systems provide evidence that is useful during an investigation.

6.7.1 Windows

- Windows systems maintain three log files: the System log, the Application log, and the Security log. By reviewing these logs, you may obtain the following information:
  1. Determine who has been successfully logging on to a system.
  2. Determine who has been trying unsuccessfully to log on to a system.
  3. Determine who has been accessing specific files.
  4. Track usage of specific applications.
  5. Track alterations to the audit policy.
  6. Track changes to user permissions.
- The System log contains the record of system events audited by Windows, including system processes and device driver activities: device drivers that fail to start properly, hardware failures, duplicate IP addresses, and the starting, pausing, and stopping of services.
- The Application log contains errors or information related to user programs and commercial off-the-shelf applications.
- The Security log records logons and logoffs, the number of failed logons, the amount of disk usage, the security processes used by the system, and the results of system auditing: changes to the audit policy, file privileges, and so on. By default, only administrators can read the Security log.
- The event logs are stored in three files: appevent.evt, secevent.evt, and sysevent.evt. On a live system they are viewed with the Event Viewer, which can also be used to access the audit logs of a remote host over the network. During incident response, the event logs of the victim system can be dumped with psloglist.exe or dumpevt.exe and sent (for example with netcat) to the forensic workstation; once you have recovered copies of the offline files, you can view all three logs on the forensic workstation.
- Drawbacks of the Windows event logs:
  1. In the default setting the security log records nothing at all, because the system's default audit policy is disabled, and many systems are never changed from the default.
  2. Each log file has a fixed maximum size and is cleared when it is full, so older evidence is lost.
  3. Reviewing event logs offline is difficult, because the message text is dynamically linked from the DLLs of the various applications, so the messages are hard to interpret on another system.
  4. Many third-party applications and Windows system utilities create their own logs, and finding and reviewing them is time-consuming.

These drawbacks make the Windows logs a challenge for investigators.
IIS logs

- It is necessary to review the log files for each IIS service, especially the web server. These logs are ordinarily located in the Log Files directory, in the corresponding subdirectory of each service.
- For IIS, the default log filename is based on the current date, in the format exyymmdd.log. A new log file is generated each day. You can activate and configure IIS logging through the Web Site Properties settings of the IIS Manager.
- The default log file stores the time, client IP address, method, URI stem and HTTP status (a numerical status code). IIS logging is enabled by default, so these log files will probably be present.
- Most of the log fields are self-explanatory, but the HTTP Status field requires some explanation. In general, any code in the 200 to 299 range indicates success. The common 200 code indicates that the client request was fulfilled. Codes in the 300 to 399 range indicate actions that need to be taken by the client to fulfil a request. This usually means an automatic redirection, such as when a web site's content moves to another location.
- Codes in the 400 to 499 and 500 to 599 ranges indicate client and server errors, respectively. The two most common 400 series codes are the 404 code, indicating that the requested resource is not found on the server, and the 403 code, indicating that retrieving the requested resource is forbidden.

6.7.2 Unix System Logs

UNIX operating systems have different log files: system activity logs (such as logons, startups, and shutdowns) and logs of events associated with Unix network services. Some log files are located in a common directory and some in an alternate directory, and some logs are placed in non-intuitive locations. Not only the log files on the system in question but also the related logs on network servers and security devices like firewalls and IDS are important to review.

A. Network Logging

- In the Unix operating system the most useful logging capability is the syslog (system log) file. This file captures events from programs and subsystems within Unix. The activities of syslog are controlled through the syslog configuration file.
- A syslog daemon, syslogd, runs on the system to log messages. Syslog also offers the ability to log messages remotely, across a network. The logging capability provided by syslog is extremely powerful and flexible.
- The syslog configuration file controls which types of messages are sent to which logs. Each line in the configuration file contains three fields:
  - The facility field denotes the subsystem that produced the log entry. For example, sendmail logs with the mail facility.
  - The priority field indicates the severity of the log entry.
  - The action field specifies how the log entry will be recorded.

B. Remote Syslog Server Logs

- The log files produced locally by the syslog daemon are text files that are normally world-readable but writable only by root. This implies that any attacker who has gained root-level access can easily alter the syslog records: removing selected entries, modifying selected entries, or adding misleading entries. These adjustments are almost impossible to detect. If you think that an attacker has gained root-level access on the system where the logs are stored, do not trust the logs.
- The best way to tell for certain whether an attacker changed the log records is to perform redundant logging to a safe, remote syslog server. If we maintain a remote syslog server, every host should log to the same syslog server. If the attacker deletes the local log file, a pristine duplicate should still exist on the remote syslog server.
- An attacker can add spurious entries to the remote syslog server; however, the attacker cannot alter or remove entries from those logs without first compromising the remote server. Thus, the remote syslog server should be a hardened (secure) host with minimal access, ideally only the console or secure shell (ssh), which itself logs logins. The accounts and passwords on the server should be unique, so that a compromise of passwords on a different system does not give access to it.

C. TCP Wrapper Logging

- TCP Wrappers is a host-based access control for TCP and UDP services. Any connection attempt to a "wrapped" service is logged via syslog. Notice that the log entry provides a lot of valuable information: the time and date of the attempted logon, the hostname, the service, the account, and the IP address of the system that attempted to log on.

D. Other Network Logs

- Other network logs are primarily service-specific, such as the log files for web servers. A file transfer log entry, for example, provides the following information:
  1. The time and date that the transfer occurred
  2. The number of seconds that the transfer took
  3. The remote host
  4. The number of bytes transferred
  5. The name of the transferred file
  6. The type of file transfer
  7. A special action flag
  8. The direction of transfer
  9. The access mode
  10. The username
  11. The service name
  12. The authentication method
  13. The user ID
  14. The status of the transfer

E. Host Logging

- Unix provides a variety of log files that track host operations. Some of the more useful logs record su command execution, logged-on users, logon attempts, and cron job (scheduled program) execution.

1. su Command Logs

- The su command allows a user to switch to another user ID. Unix records every attempt to execute the su command. The su log shows the time and date of the attempt, whether the attempt was successful, the terminal device from which the user attempted to execute su, and the user ID of the user who attempted it.
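An added example, not from the book, that checks a syslog configuration for the remote logging recommended in section B: it parses the facility.priority selectors and actions described in section A and reports the facilities that are only written to local files. It assumes the classic syslogd syntax in which an action beginning with "@" names a remote server; the sample configuration in the usage is constructed.

```shell
# Added example, not from the book: audit a classic syslog.conf for remote forwarding.
# Assumes BSD-style syslogd syntax: "facility.priority[;facility.priority...]  action",
# where an action beginning with "@" sends the messages to a remote syslog server.

# syslog_forwarding CONF
# Prints one line per selector in CONF: "facility priority action remote|local".
syslog_forwarding() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            action = $2
            kind = (substr(action, 1, 1) == "@") ? "remote" : "local"
            n = split($1, parts, ";")           # "auth.*;authpriv.*" is several selectors
            for (i = 1; i <= n; i++) {
                split(parts[i], fp, ".")        # fp[1] = facility, fp[2] = priority
                print fp[1], fp[2], action, kind
            }
        }' "$1"
}

# unforwarded_facilities CONF FACILITY...
# Returns 0 when every named facility is sent to a remote server by at least one
# selector (a bare "*" facility counts; a ".none" priority does not). Otherwise it
# prints "not forwarded: <facilities>" and returns 1. Local-only logs are exactly
# the ones a root-level attacker can edit, which is the point of section B.
unforwarded_facilities() {
    conf="$1"; shift
    missing=""
    for fac in "$@"; do
        if ! syslog_forwarding "$conf" | awk -v f="$fac" '
                ($1 == f || $1 == "*") && $2 != "none" && $4 == "remote" { found = 1 }
                END { exit found ? 0 : 1 }'
        then
            missing="$missing $fac"
        fi
    done
    [ -z "$missing" ] || { echo "not forwarded:$missing"; return 1; }
}

# Usage with a constructed configuration (loghost.example.internal is a placeholder):
#   printf '%s\n' '*.info;mail.none;authpriv.none  /var/log/messages' \
#                 'auth.*;authpriv.*  @loghost.example.internal' \
#                 'cron.*  /var/log/cron' > syslog.conf
#   unforwarded_facilities syslog.conf auth authpriv cron   # prints: not forwarded: cron
```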
d System Security & Digital Forensics (MU)
6
. pdvane
WZ Advances System Security & Digital Forensics Digital Forensics v dvantages of windows registry are :
(MU) 6-33 - the 2 the registry editor the can use the Edit, Find menu commands to locate
Logged-on User Logs the entries whi
Ch tig, have the
cr trace evidence like information identifying the last person who logged on to the comp, A, Wich say
i The utmpor, wtmpfile is used to store information
about users currently logged on to the syste m. The log file is named ount information.
. stored isi the name of the user,
differently and stores slightly different Information. The basic information ser, the terminal used s tored in user acc
dows 9x systems don’t record a user’s logon information reliably, but you can find related user information
indo’
to log on, and the time of the logon. The file is stored in a binary data. satiate o
as network logon data, by searching for all occurrences of “username” or application licenses,
Psuch h as
3. Logon Attempt Logs
also use the Registry to determine the most recently accessed files and peripheral devices,
You can tn addition,
In most of the Unix systems Logon attempts such as failed and successful are recorded by default.
all instatalled programs store information in the Registry, such as Web sites accessed, recent files, and even chat
Cron Logs coms accessed.
: e
ems Ona live en
systems. be careful
Unix has a feature called cron. It t allows users to schedule programs for future execution. It is frequently used for : m1 uting investigator, , you should explore the Registry of all Windows
and possibly making it unboota’
attacks. All executed cron jobs are logged in default logging directory called cron. toa ber any Registry setting to avoid corrupting the system
not al
on
F. User Activity Logging 8.1 Windows Registry Organizati
registry
i Bi
term: inologies.
Unix logs also record other types of user activities. The commands executed by users are recorded by Process fore re fe focusin.ing on the
Befo! Tr of all we will understand some Windows
egistry ry first it
accounting logs and shell history files.
Table 6.8.1
1. Process Accounting Logs
See Description - -
ql Terminology 4
In the process accounting every command run by every user is logged. This type of logging is not enabled by default,
and user in ‘ormation.
To use this feature in Unix you need to have acct or pacct
log file on your system Registry A collection of files containing system
otherwise you will not be able to use this
feature. if Registry. Therere a are two Registry
istry Editors:
any one of the file is exists then you can use the fastcomm or acctcom command to review A Wind
ndows an modifying data a i in the the Registry
iewing and
iewi
utility f for viewing
the contents of the Regist Y
file The attacker would need to delete the log file
to remove this evidence. Regedit and Regedt32
Editor
2. s 9x systems have six
Shell Histories 4 i 0 ries with the prefix HKEY_. Window
HKEY Windows splits the Registry into categ e. Windows programmers refer to the i,
“H”as
2000 and later have Five
Unix systems use shell command. These
shells provide the ca pability to log all commands,
HKEY categories and Windows
command-line options. Typically, along with their
the history file is stored as a hidden file in
the user’s home directory. the handle for the key.
6.8 Investigating Windows Registry

The Windows Registry consists of information, settings, options, and other values for programs and hardware installed on all versions of MS Windows operating systems. For instance, when a program is installed, a new subkey containing settings like the program's location, its version, and how to start the program is put into the Windows Registry.

When Windows was first launched, it relied closely on ini files to store Windows and Windows program configurations and settings. Despite the fact that ini files are still routinely used, most Windows programs rely on settings made to the Windows Registry after being installed. At the point when Microsoft made Windows 95, it combined initialization (ini) files into the Registry, a database that stores hardware and software configuration data, user preferences, and network connections (including usernames), and it is still utilized as a part of Windows Vista.

The Windows Registry contains valuable evidence for investigative purposes. As a computing investigator, you should explore the Registry of all Windows systems, but do not alter any Registry setting, to avoid corrupting the system and possibly making it unbootable. One can view the Registry :

- By using the Regedit (Registry Editor) program for Windows 9x.
- By using Regedt32 for Windows 2000, XP, and Vista.

6.8.1 Windows Registry Organization

Before focusing on the Registry, first we will understand some Windows Registry terminologies (Table 6.8.1).

Table 6.8.1 : Windows Registry Terminology

Registry : A collection of files containing system and user information.
Registry Editor : A Windows utility for viewing and modifying data in the Registry. There are two Registry Editors : Regedit and Regedt32.
HKEY : Windows splits the Registry into categories with the prefix HKEY_. Windows 9x systems have six HKEY categories and Windows 2000 and later have five. Windows programmers refer to the "H" as the handle for the key.
Key : Each HKEY contains folders referred to as keys. Keys can contain other key folders or values.
Subkey : A key displayed under another key is a subkey, similar to a subfolder in Windows Explorer.
Branch : A key and its contents, including subkeys, make up a branch in the Registry.
Value : A name and value in a key; it is similar to a file and its data content.
Default value : All keys have a default value that may or may not contain data.
Hive : Specific branches in HKEY_USER and HKEY_LOCAL_MACHINE. For HKEY_LOCAL_MACHINE, the hives are SAM, Security, Components, and System. For HKEY_USER, each user account has its own hive link to Ntuser.dat.

It is important to understand where the Registry data files are located. Table 6.8.2 shows the Windows version and the files used :

Table 6.8.2 : Registry files by Windows version

Windows 9x/Me : two Registry files (listed in Table 6.8.3)
Windows NT, 2000, XP, and Vista : six Registry files (listed in Table 6.8.3)
Advanced System Security & Digital Forensics (MU) 6-36

The number of files the Registry uses depends upon the Windows version. In Windows 9x/Me, it uses just two files; in Windows NT, 2000, XP, and Vista, it utilizes six files. While looking at Registry information from a suspect drive, you have to know where these files are found so that you can extract them and investigate their content. You can discover these files with tools, for example, AccessData Registry Viewer. Table 6.8.3 shows how Registry data files are organized and explains these files' purposes in different versions of Windows.

Table 6.8.3 : Registry data files and their purposes

Filename and location : Purpose of file

Windows 9x/Me
Windows\User.dat, Windows\profile\User Account : Consists of the Most Recently Used (MRU) files list and desktop configuration settings; every user account created on the system has its own user data file.
[file name missing] : User-protected storage area used for all users; consists of installed program settings, usernames and passwords associated with installed programs, and system settings.

Windows NT, 2000, XP, and Vista
Documents and Settings\user-account\Ntuser.dat (in Vista, Users\UserAccount\Ntuser.dat) : User-protected storage area; contains the MRU files list and desktop configuration settings.
Winnt\system32\config\Default : Consists of the computer's system settings.
Winnt\system32\config\SAM : Consists of user account management and security settings.
Winnt\system32\config\Security : Consists of the computer's security settings.
Winnt\system32\config\System : Consists of additional computer system settings.

When we open the Windows Registry Editor for the first time, it displays the root keys. A description of the root keys is given in Table 6.8.4.

Table 6.8.4 : Root keys

Root Key : Description
HKEY_CLASSES_ROOT (HKCR) : It describes file type, file extension, and Object Linking and Embedding (OLE) information.
HKEY_CURRENT_USER (HKCU) : This key contains information about the user currently logged into Windows.
HKEY_LOCAL_MACHINE (HKLM) : This key contains computer-specific information about the hardware installed, software settings, and other information. This information is used for all users who log on to this computer and is one of the more commonly accessed areas in the Registry.
HKEY_USERS (HKU) : This key contains information about all the users who log on to the computer, including generic and user-specific information.
HKEY_CURRENT_CONFIG (HKCC) : Contains the current configuration of hardware attached to the computer.
HKEY_DYN_DATA (HKDD) : Used in Windows 95, 98, and NT; this key contained the dynamic status information and Plug-and-Play information. The information for each device includes the hardware key and the device's current status, including problems. This information may change as devices are added to or removed from the computer.
Viewing Windows Registry

To view and make changes to the Windows Registry, type regedit or regedt32 at the command line and you will get the Windows Registry Editor (shown below in Fig. 6.8.1). This Editor allows you to view all keys and values that are in the Registry as well as change Windows, program, or driver values you feel are necessary.

Fig. 6.8.1 : Windows Registry Editor (screenshot of Regedit showing My Computer with the root keys HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and HKEY_DYN_DATA, and a Name/Data pane showing (Default) : (value not set))

Review Questions

Q1 What is Digital Forensics ? What are the phases of the Digital Forensics process ?
Q2 What is Evidence ? Explain the types of Evidence.
Q3 What is some of the volatile information you would retrieve from a Windows computer system before powering it off ?
Q4 Briefly explain the process of collecting the volatile data in digital forensics.
Q5 What is a forensic duplicate of a hard drive ? [...] forensic duplicate.
Q6 [...] collecting volatile data prior to forensic duplication.
Q7 Write short note on Windows logs.
Q8 Write short note on Unix logs.
Q9 Write short note on Windows Registry.